DirSync provides synchronisation between on-premises Active Directory and Office 365 (Azure AD).
This is the scenario: migrate DirSync to Azure AD Connect in a new Active Directory forest. One of our customers was running DirSync against an old Active Directory domain. Users and computers had already been migrated to the new Active Directory forest, so it was time to move from DirSync to Azure AD Connect on the new forest. During the migration we left the legacy domain's DirSync running until cut-over, so only one sync engine ever wrote to the tenant at a time.
The high-level plan is as follows:
- Stop DirSync
- In Office 365, clear ImmutableID on Synced Users
- Setup Azure AD Connect
- Sync pilot users, gauge the success
- Sync rest of the users.
Stop DirSync
On the DirSync server, stop the DirSync services and set their startup type to Disabled.
Disable the DirSync scheduled tasks as well, so nothing restarts the sync behind your back.
Connect to Office 365 with the MSOnline PowerShell module (Connect-MsolService). Use the following command to get the status of directory synchronization; the DirectorySynchronizationEnabled and LastDirSyncTime properties are the ones to watch:
Get-MsolCompanyInformation
Log in to the Office 365 Admin Portal with a Global Admin account.
Go to Health Report > Directory Sync Status.
Note that there is no option to deactivate the sync in the New Admin Centre Preview. Instead, go to Azure AD > Active Directory > YourDomain > Directory Integration.
Important: before you deactivate the sync, download the user data. Once DirSync is deactivated the synced users become cloud-only objects, and this export is your record of which users were linked to on-premises AD and under which ImmutableID.
You can use the following Office 365 PowerShell command to dump the data (note the PowerShell form of the profile path; the cmd-style %UserProfile% does not expand inside PowerShell):
Get-MsolUser | Where-Object { $_.ImmutableId -ne $null } | Select-Object * | Sort-Object -Property UserPrincipalName | Export-Csv -Path "$env:USERPROFILE\Documents\Temp\SyncedUsers.csv" -NoTypeInformation
It will come in handy when you want to go back and check which users were syncing initially, and it is the only place the old ImmutableID values survive once you clear them in the next step.
Going forward, I am using the Classic Admin Console to deactivate DirSync.
Switch to the Classic Admin Console and deactivate Directory Synchronization.
You can cross-check the same in the Azure AD portal.
And via the Office 365 PowerShell command above (Get-MsolCompanyInformation, checking that DirectorySynchronizationEnabled has turned to False).
As per Microsoft, deactivation of DirSync may take between 24 and 72 hours; in practice it is usually much quicker. Do not clear ImmutableIDs or install Azure AD Connect until the tenant reports sync as disabled.
Clear ImmutableID on Synced Users
The ImmutableID attribute is the source anchor that links an on-premises AD user object to its Office 365 object; with the default configuration it is the Base64 encoding of the on-premises objectGUID. The users now live in a new forest with new objectGUIDs, so if you leave the old ImmutableID in place Azure AD Connect will attempt a hard match on an anchor that no longer exists anywhere on-premises and the users cannot be re-linked. Once the ImmutableID is cleared, Office 365 falls back to a soft match on the primary SMTP address (and UPN), links the cloud object to the new forest's object and writes the new ImmutableID. Because soft match is driven by the e-mail address, make sure every user in the new forest has the same primary SMTP address as the cloud object, and that no two on-premises objects share one, before you clear anything; otherwise the wrong object may claim the mailbox.
You can use the following simple Office 365 PowerShell script to clear the ImmutableID, driven by the CSV exported above:
$O365Users = Import-Csv -Path "$env:USERPROFILE\Documents\Temp\SyncedUsers.csv"
foreach ($usr in $O365Users) {
    Set-MsolUser -UserPrincipalName $usr.UserPrincipalName -ImmutableId "$null"
}
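The script above clears every synced user in one pass. For a pilot (the plan is to sync a handful of users first) you want to clear only the pilot set, refuse to run while the tenant still reports sync as enabled, and keep a rollback record of the old values. The following is an added example, not the original post's script; it assumes the MSOnline module is loaded and Connect-MsolService has already been run, and the file locations and the pilot-list format (one UPN per line) are assumptions.

```powershell
# Added example, not the post's own script: clear ImmutableID for a pilot set only,
# keeping a rollback record so the old hard-match link can be restored if needed.
# Assumes the MSOnline module is installed and Connect-MsolService has already been run.
# File locations and the pilot-list format (one UPN per line) are assumptions.
$ExportPath   = "$env:USERPROFILE\Documents\Temp\SyncedUsers.csv"          # from the earlier export
$PilotPath    = "$env:USERPROFILE\Documents\Temp\PilotUsers.txt"           # assumed: one UPN per line
$RollbackPath = "$env:USERPROFILE\Documents\Temp\ImmutableID-Rollback.csv"

# Safety check: never clear anchors while the tenant still reports sync as enabled.
$company = Get-MsolCompanyInformation
if ($company.DirectorySynchronizationEnabled) {
    throw "DirectorySynchronizationEnabled is still True; deactivate DirSync and wait before clearing ImmutableID."
}

$pilot  = Get-Content -Path $PilotPath | ForEach-Object { $_.Trim() } | Where-Object { $_ }
$synced = Import-Csv -Path $ExportPath

$rollback = foreach ($usr in $synced) {
    $upn = $usr.UserPrincipalName
    if ($pilot -notcontains $upn) { continue }          # only touch pilot users

    # Re-read the live object; the CSV may be hours old.
    $live = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop
    if ([string]::IsNullOrEmpty($live.ImmutableId)) {
        Write-Warning "$upn has no ImmutableId (already cloud-only); skipping."
        continue
    }

    # Emit the rollback record before changing anything.
    [pscustomobject]@{
        UserPrincipalName = $live.UserPrincipalName
        OldImmutableId    = $live.ImmutableId
        ClearedAt         = (Get-Date).ToString('o')
    }
    Set-MsolUser -UserPrincipalName $upn -ImmutableId "$null"
}

$rollback | Export-Csv -Path $RollbackPath -NoTypeInformation
Write-Host ("Cleared ImmutableId on {0} pilot user(s); rollback record: {1}" -f @($rollback).Count, $RollbackPath)

# Rollback (only if you have to fall back to the old forest's link):
# Import-Csv $RollbackPath | ForEach-Object {
#     Set-MsolUser -UserPrincipalName $_.UserPrincipalName -ImmutableId $_.OldImmutableId
# }
```

The rollback CSV is what lets you abandon the pilot: restoring the old ImmutableID puts the cloud object back under the legacy forest's anchor, so the old DirSync server can hard-match it again. Treat that file as sensitive; it maps every cloud identity to its on-premises anchor.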
Setup Azure AD Connect
In the new forest, use the appropriate server to host Azure AD Connect. I am not going into the detailed requirements of Azure AD Connect, but the most important thing to get right is the service accounts and their permissions.
The wizard asks for two sets of credentials. For Office 365 you need a Global Administrator account; it is used during setup to create the cloud sync service account and is not needed by the running service. For the on-premises side, the wizard can create a least-privileged AD DS connector account for you if you supply Enterprise Admin credentials during installation; if you bring your own account, it needs read access to the directory plus Replicating Directory Changes and Replicating Directory Changes All (required for password hash synchronization), not Domain Admin membership. Because that connector account can replicate password hashes, the Azure AD Connect server and its accounts should be protected like a domain controller.
Download Microsoft Azure AD Connect and lets start the installation
https://www.microsoft.com/download/details.aspx?id=47594
Choose Customize for custom settings, as we will be syncing users selectively.
Enter the Office 365 (Azure AD) Global Administrator credentials.
Enter the on-premises service account for the new forest.
Leave the options at their defaults, but make sure the userPrincipalName UPN suffix is an internet-routable domain that is verified in Office 365. In most cases it is the same as the e-mail address, which keeps things simple and is also what the soft match relies on.
Use the default options. Do not change the Source Anchor from objectGUID if you have only a single AD forest to deal with; the new ImmutableID will be the Base64 form of the new forest's objectGUID.
Once Installation and Initial Sync have been completed, you can see the status under Office 365 Admin portal.
By default, the sync runs every 30 minutes. You can check the scheduler on the Azure AD Connect server with:
Get-ADSyncScheduler
If you don't want to wait for the scheduled sync and would like to force one, use the following command. A delta sync is the normal case; an initial (full) sync is only needed after configuration changes:
Start-ADSyncSyncCycle -PolicyType Delta
Start-ADSyncSyncCycle -PolicyType Initial
The Azure AD Connect sync schedule can be adjusted with Set-ADSyncScheduler (for example -CustomizedSyncCycleInterval to change the interval, or -SyncCycleEnabled $false to pause it while you verify the pilot).
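Before syncing the rest of the users, verify that each pilot user is now hard-linked to the new forest rather than merely present in the tenant: with the default source anchor, the cloud ImmutableId must equal the Base64 encoding of the new forest object's objectGUID. The following is an added example, not from the original post; it assumes it is run on the Azure AD Connect server (ADSync module) with the RSAT ActiveDirectory module installed and Connect-MsolService already done, and the pilot-file location is an assumption.

```powershell
# Added example, not from the original post: after the first Azure AD Connect sync of the
# pilot users, confirm each cloud account is hard-linked to the NEW forest object.
# With the default source anchor (objectGUID), ImmutableId is Base64(objectGUID bytes).
# Assumes: run on the Azure AD Connect server (ADSync module), RSAT ActiveDirectory module
# present, Connect-MsolService already done. The pilot-file location is an assumption.
Import-Module ActiveDirectory
Import-Module ADSync

$PilotPath = "$env:USERPROFILE\Documents\Temp\PilotUsers.txt"   # assumed: one UPN per line

function Get-ExpectedImmutableId {
    # Default source anchor: Base64 of the objectGUID's byte representation, not of its string form.
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

# Push a delta sync now instead of waiting for the 30-minute scheduler, then wait for it to finish.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
do { Start-Sleep -Seconds 15 } while ((Get-ADSyncScheduler).SyncCycleInProgress)

$pilot = Get-Content -Path $PilotPath | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$report = foreach ($upn in $pilot) {
    $onPrem   = Get-ADUser -Filter "userPrincipalName -eq '$upn'" -Properties objectGUID
    $cloud    = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue
    $expected = if ($onPrem) { Get-ExpectedImmutableId -ObjectGuid $onPrem.ObjectGUID } else { $null }

    [pscustomobject]@{
        UserPrincipalName = $upn
        OnPremFound       = [bool]$onPrem
        CloudFound        = [bool]$cloud
        ExpectedAnchor    = $expected
        CloudAnchor       = $cloud.ImmutableId
        LastDirSyncTime   = $cloud.LastDirSyncTime
        # Case-sensitive compare: Base64 is case-significant.
        Linked            = [bool]($expected -and $cloud -and ($expected -ceq $cloud.ImmutableId))
    }
}

$report | Format-Table -AutoSize

$notLinked = @($report | Where-Object { -not $_.Linked })
if ($notLinked.Count -gt 0) {
    Write-Warning ("{0} pilot user(s) are not hard-linked to the new forest; fix these before syncing the rest." -f $notLinked.Count)
}
```

A row with CloudFound true but a CloudAnchor that does not match ExpectedAnchor usually means the soft match landed on a different cloud object (an address collision) or that the old ImmutableID was never cleared; a missing LastDirSyncTime means the object was not picked up by the new connector at all. Resolve those before widening the sync scope to the remaining users.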
That’s it. Hope you find it useful.
RayL
Very good article. A question for you – I am migrating 15k users (all synced to O365 for Skype). Can I create a Group in my new AD (say AzureADSync) and only add users that I want to sync from the new domain (for testing). This way I can delete the ImmutableID for only a test group of users. I would then place the users in the group that I want to sync and do a soft match on email address and let it create the new ImmutableID. If all testing goes well then I could delete the rest of the ImmutableIDs and then add the rest of the users to the Synced Group or Re-Run the Azure AD Connect Tool and select the domain to sync all the users. What I am looking for is a way to fail back to the old domain if I have to.
AliveBits
Hi Ray,
You can use a group to sync specific identities. You would need to use transform rules within AzureADConnect and a bit of testing.
Erik N
Nice article! I was wondering, what does connecting to a new AD do to the permissions assigned to mailboxes using AD groups?
Alivebits
Hi Erik, The mailbox permissions specified via AD Group (synced groups) should remain as is. Though you can manually add in-cloud identities/group to the mailbox permissions.