AD Forest Merger

Anthony.Vandenbossche posted this 4 weeks ago

Hi Guys, Me again ☺. This time a question concerning an AD Forest migration. A customer wants to migrate his environment towards a Green Field AD Forest, Great! However, I am wondering about the following. The source Forest contains an ADFS farm that is used for, among other things, federation of Azure AD and Office 365. When we migrate a user, and his PC, towards this new Forest, how would the authentication flow work? As we have Windows Authentication enabled, what would happen? Kind regards,
ANTHONY VAN DEN BOSSCHE
 

cduers posted this 4 weeks ago

If there is a two-way trust, that will work, without having to immediately move the farm.

Christopher Duers
XL Catlin, Identity and Security
203-979-3914
chris.duers@xxxxxxxxxxxxxxxx

On Oct 25, 2017, at 7:32 AM, Anthony Van den bossche <>> wrote:

Anthony.Vandenbossche posted this 4 weeks ago

Even when there is a shared UPN namespace? Or will we need to transition with another UPN suffix?


cduers posted this 4 weeks ago

Yes, the UPN question is trickier, but it can be accommodated when the destination forest has a different UPN suffix. The trick with Azure is how you handle the forest transition re: AAD Connect.

Christopher Duers
XL Catlin, Identity and Security
203-979-3914
chris.duers@xxxxxxxxxxxxxxxx


barkills posted this 4 weeks ago

At the heart of this are the documented concepts (https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-design-concepts) where the UPN or anchor (or proxyAddresses) need to match for an existing AAD user to be linked/matched with an on-premises AD user. Getting your anchor attribute configured so you can manage the transition will be one key. AAD Connect has switched from recommending the objectGUID to msDS-ConsistencyGuid as the anchor, and the rationale behind this change is so it can support scenarios like the one you have.

Brian
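The anchor handling Brian describes, as an added PowerShell example that is not part of the thread and not Microsoft's tooling. It assumes hypothetical DC names (dc01.source.example, dc01.target.example), a user already created in the target forest with the same sAMAccountName (for example by ADMT), the RSAT ActiveDirectory module, read rights in both forests and write rights to msDS-ConsistencyGuid in the target. objectGUID is generated per object and is never preserved across a forest migration, so the script copies the source forest's anchor value into the target object's msDS-ConsistencyGuid; once the new forest is connected to AAD Connect with msDS-ConsistencyGuid as sourceAnchor, the computed ImmutableId is identical and the existing AAD user hard-matches instead of a duplicate being created. It also flags a UPN difference, since the target UPN suffix must be a verified domain in the tenant before the cutover.

```powershell
# Added example, not code from the thread. All host and account names are assumptions.
Import-Module ActiveDirectory

$SourceDC = 'dc01.source.example'   # forest currently synced to AAD (assumed)
$TargetDC = 'dc01.target.example'   # green-field forest (assumed)
$Sam      = 'avandenbossche'        # migrated user, same sAMAccountName in both (assumed)
$Props    = 'mS-DS-ConsistencyGuid', 'UserPrincipalName', 'proxyAddresses'

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$Guid)
    # AAD Connect derives ImmutableId as Base64 of the 16 anchor bytes.
    [Convert]::ToBase64String($Guid.ToByteArray())
}

function Get-AnchorGuid {
    param([Parameter(Mandatory)]$User)
    # With msDS-ConsistencyGuid as sourceAnchor, AAD Connect uses that attribute
    # when populated (it back-fills objectGUID into it on first sync); otherwise
    # the anchor is still the objectGUID.
    if ($User.'mS-DS-ConsistencyGuid') {
        [guid]::new([byte[]]$User.'mS-DS-ConsistencyGuid')
    } else {
        $User.ObjectGUID
    }
}

$src = Get-ADUser -Server $SourceDC -Identity $Sam -Properties $Props
$dst = Get-ADUser -Server $TargetDC -Identity $Sam -Properties $Props

$srcAnchor = Get-AnchorGuid $src
Write-Host "Source anchor $srcAnchor -> ImmutableId $(ConvertTo-ImmutableId $srcAnchor)"

# 1. Stamp the source anchor onto the target object. Refuse to overwrite a
#    different existing value: that would silently re-point the AAD user.
if (-not $dst.'mS-DS-ConsistencyGuid') {
    Set-ADUser -Server $TargetDC -Identity $dst `
        -Replace @{ 'mS-DS-ConsistencyGuid' = $srcAnchor.ToByteArray() }
} elseif ((Get-AnchorGuid $dst) -ne $srcAnchor) {
    throw "Target object already carries a different anchor ($(Get-AnchorGuid $dst)); resolve before syncing"
}

# 2. UPN and proxyAddresses: if neither matches, AAD cannot soft-match either,
#    and a changed UPN suffix must be a verified domain in the tenant.
if ($src.UserPrincipalName -ne $dst.UserPrincipalName) {
    Write-Warning "UPN differs: source=$($src.UserPrincipalName) target=$($dst.UserPrincipalName)"
}
$primarySmtp = @($src.proxyAddresses) | Where-Object { $_ -clike 'SMTP:*' }
if ($primarySmtp -and ($primarySmtp -notin @($dst.proxyAddresses))) {
    Write-Warning "Primary SMTP $primarySmtp is not on the target object"
}

# 3. Re-read and confirm the ImmutableId the new forest will present.
$dst = Get-ADUser -Server $TargetDC -Identity $Sam -Properties 'mS-DS-ConsistencyGuid'
$dstId = ConvertTo-ImmutableId (Get-AnchorGuid $dst)
if ($dstId -ne (ConvertTo-ImmutableId $srcAnchor)) { throw 'Anchor mismatch after write' }
Write-Host "Target ImmutableId $dstId matches source; safe to add forest to AAD Connect"
```

Run this per user before the target forest is added as a connector in AAD Connect, and keep the source object out of sync scope (or delete it only after the target has matched) so two on-premises objects never claim the same anchor; the ImmutableId printed can be compared against the tenant value with Get-MsolUser or Get-AzureADUser if you have connectivity.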

