How to Migrate from DirSync to Azure AD Connect in a New Active Directory Forest

DirSync synchronises on-premises Active Directory objects to Azure AD, the directory behind Office 365.

Here is the scenario in which we migrate from DirSync to Azure AD Connect in a new Active Directory forest. One of our customers was running DirSync against their old Active Directory domain. Users and computers had already been migrated to a new Active Directory forest, so it was time to move from DirSync to Azure AD Connect on the new forest. Until the cutover, the legacy domain's DirSync was left running.

The high-level plan is as follows:

  • Stop DirSync
  • In Office 365, clear ImmutableID on Synced Users
  • Setup Azure AD Connect
  • Sync pilot users and verify they re-link to their existing cloud accounts
  • Sync the rest of the users.

Stop DirSync

On the DirSync server, stop the DirSync synchronisation service and set its startup type to Disabled, then disable the DirSync scheduled tasks so nothing restarts the sync behind you.

[Screenshot: Stop DirSync service]

[Screenshot: Disable DirSync scheduled tasks]

Connect to Office 365 with the MSOnline PowerShell module (Connect-MsolService) and use the following command to check the directory synchronisation status. DirectorySynchronizationEnabled and LastDirSyncTime are the properties to look at:

Get-MsolCompanyInformation | Select-Object DirectorySynchronizationEnabled, LastDirSyncTime

[Screenshot: Check DirSync status in Office 365 PowerShell]

Log in to the Office 365 Admin Portal with a Global Admin account.

Go to Health Report > Directory Sync Status

[Screenshot: DirSync status in the Office 365 portal]

You will notice that the new Admin Centre preview has no option to deactivate the sync. Instead, go to Azure AD > Active Directory > YourDomain > Directory Integration

[Screenshot: DirSync status in the new Office 365 admin portal]

Important: Before you deactivate the sync, make sure you export the list of synced users. Once synchronisation is off, the tenant keeps no record of which accounts came from on-premises AD.

You can use the following Office 365 PowerShell command to dump the data. Note that -All is required (without it Get-MsolUser returns only the first 500 users), and that the path uses $env:USERPROFILE, because PowerShell does not expand the cmd.exe %UserProfile% form:

Get-MsolUser -All | Where-Object { $_.ImmutableId -ne $null } | Select-Object * | Sort-Object -Property UserPrincipalName | Export-Csv -Path "$env:USERPROFILE\Documents\Temp\SyncedUsers.csv" -NoTypeInformation

The export comes in handy when you later need to check which users were syncing initially, and it drives the ImmutableId clean-up in the next step.

Going forward, I am using the Classic Admin Console to deactivate DirSync.

Switch to the Classic Admin Console

[Screenshot: Deactivate DirSync in the Office 365 portal]

[Screenshot: Deactivate DirSync confirmation message]

You can cross-check the same in the Azure AD portal

[Screenshot: Deactivated DirSync in the new Office 365 admin portal]

and via the Office 365 PowerShell command shown earlier (Get-MsolCompanyInformation), where DirectorySynchronizationEnabled should now read False.

According to Microsoft, deactivating DirSync can take between 24 and 72 hours, though in practice it usually completes much sooner. Until it has completed, the synced users remain read-only in Office 365 and their ImmutableId cannot be changed, so wait for the status to show deactivated before moving on.
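The same deactivation can be driven from PowerShell, which is useful given that the new admin centre preview has no button for it. The script below is an added example, not part of the original article: it turns directory synchronisation off with Set-MsolDirSyncEnabled and then polls Get-MsolCompanyInformation until the tenant actually reports it as off, because the change is asynchronous. It assumes the MSOnline module is installed and a Global Admin account; the 15-minute poll interval and 72-hour ceiling are choices made for this example, not Microsoft values.

```powershell
# Added example, not from the original article: deactivate directory
# synchronisation from PowerShell and wait until the tenant confirms it.
# Assumptions: MSOnline module installed, Global Admin credentials available.
Import-Module MSOnline
Connect-MsolService

# Run the SyncedUsers.csv export (see above) BEFORE this; once sync is off
# there is no other record of which accounts were synced.
$before = Get-MsolCompanyInformation
Write-Host ("DirectorySynchronizationEnabled: {0}  LastDirSyncTime: {1}" -f `
    $before.DirectorySynchronizationEnabled, $before.LastDirSyncTime)

if ($before.DirectorySynchronizationEnabled) {
    # Same effect as "Deactivate" in the Classic Admin Console.
    Set-MsolDirSyncEnabled -EnableDirSync $false -Force
}

# Deactivation is asynchronous (Microsoft quotes 24-72 hours); poll instead
# of guessing. Interval and deadline are arbitrary choices for this example.
$deadline = (Get-Date).AddHours(72)
do {
    $info = Get-MsolCompanyInformation
    if (-not $info.DirectorySynchronizationEnabled) { break }
    Start-Sleep -Seconds 900
} while ((Get-Date) -lt $deadline)

if ($info.DirectorySynchronizationEnabled) {
    throw 'Directory synchronisation is still enabled after the deadline; do not proceed.'
}

# Sanity check once it is off: formerly synced users are converted to
# cloud-managed objects, which in my experience shows up as an empty
# LastDirSyncTime. Their ImmutableId is still populated, though, which is
# exactly why the next step clears it.
$users       = Get-MsolUser -All
$stillSynced = @($users | Where-Object { $_.LastDirSyncTime -ne $null }).Count
$anchored    = @($users | Where-Object { $_.ImmutableId -ne $null }).Count
Write-Host ("Users still marked as synced: {0}; users still carrying an ImmutableId: {1}" -f `
    $stillSynced, $anchored)
```

Do not start clearing ImmutableId values while the first count is still non-zero; the attribute is read-only on a user that the tenant still considers synced.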

Clear ImmutableID on Synced Users

The ImmutableId attribute (the sourceAnchor, by default the base64-encoded objectGUID of the on-premises user) is what links an on-premises AD user to its Office 365 user. Objects in the new forest have new objectGUIDs, so the old ImmutableId values no longer correspond to anything Azure AD Connect will send; an incoming user whose anchor does not match the cloud user's stored anchor is treated as a new object, and you end up with a duplicate cloud account instead of a re-link. Once the ImmutableId is cleared, Azure AD falls back to a soft match on userPrincipalName or primary SMTP address, so the migrated users pair up with their existing cloud accounts and take on the new anchor. This only works if those values are identical in the new forest and in Office 365, so verify UPNs and primary SMTP addresses before the first sync. The attribute can only be cleared after directory synchronisation has been deactivated and the users have been converted to cloud-managed objects.

You can use the following simple Office 365 PowerShell script to clear the ImmutableId. It reads the CSV exported earlier, so only users that were actually synced are touched. As before, the path uses $env:USERPROFILE rather than the cmd.exe %userprofile% form, which PowerShell does not expand.

$O365Users = Import-Csv -Path "$env:USERPROFILE\Documents\Temp\SyncedUsers.csv"

foreach ($usr in $O365Users) {
    # Clear the stale anchor so the user can be soft-matched from the new forest
    Set-MsolUser -UserPrincipalName $usr.UserPrincipalName -ImmutableId $null
}

If your build of the MSOnline module rejects a real $null for -ImmutableId, the common workaround is to pass the string "$null" (which PowerShell expands to an empty string) instead.
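For a production run I would add the guard rails the three-line loop above lacks: refuse to run while the tenant is still in sync mode, skip users that are already clear or no longer exist, fall back to the "$null" string form if the module rejects $null, read each value back rather than trusting the call, and keep a log of the old anchors in case anything has to be undone. The script below is an added example, not the article's own code; it assumes an existing Connect-MsolService session, the CSV path used above, and a log path of my choosing.

```powershell
# Added example, not from the original article: clear ImmutableId for every
# user in the earlier CSV export, with checks and a results log.
# Assumptions: MSOnline module, Connect-MsolService already run, CSV path as
# used in the article; the log path is an arbitrary choice for this example.
$csvPath = "$env:USERPROFILE\Documents\Temp\SyncedUsers.csv"
$logPath = "$env:USERPROFILE\Documents\Temp\ClearImmutableId.log.csv"

# Precondition: ImmutableId cannot be cleared while the tenant still has
# directory synchronisation enabled, so stop here until deactivation is done.
if ((Get-MsolCompanyInformation).DirectorySynchronizationEnabled) {
    throw 'Directory synchronisation is still enabled; wait for deactivation to complete.'
}

$results = foreach ($row in (Import-Csv -Path $csvPath)) {
    $upn  = $row.UserPrincipalName
    $live = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue

    if (-not $live) {
        [pscustomobject]@{ UPN = $upn; Result = 'NotFound'; OldImmutableId = $row.ImmutableId }
        continue
    }
    if ([string]::IsNullOrEmpty($live.ImmutableId)) {
        [pscustomobject]@{ UPN = $upn; Result = 'AlreadyClear'; OldImmutableId = $null }
        continue
    }

    try {
        # Documented form first; some MSOnline builds reject a real $null and
        # only accept the string "$null" (an empty string), so fall back to it.
        try   { Set-MsolUser -UserPrincipalName $upn -ImmutableId $null -ErrorAction Stop }
        catch { Set-MsolUser -UserPrincipalName $upn -ImmutableId "$null" -ErrorAction Stop }

        # Read back instead of trusting the cmdlet's silence.
        $after  = (Get-MsolUser -UserPrincipalName $upn).ImmutableId
        $status = if ([string]::IsNullOrEmpty($after)) { 'Cleared' } else { 'StillSet' }
        [pscustomobject]@{ UPN = $upn; Result = $status; OldImmutableId = $live.ImmutableId }
    }
    catch {
        [pscustomobject]@{ UPN = $upn; Result = "Error: $($_.Exception.Message)"; OldImmutableId = $live.ImmutableId }
    }
}

# Keep the old anchors: they are the only way to re-link a user to the OLD
# forest if the migration has to be rolled back.
$results | Export-Csv -Path $logPath -NoTypeInformation
$results | Group-Object -Property Result | Select-Object Name, Count
```

Anything other than Cleared or AlreadyClear in the summary needs a look before Azure AD Connect is installed; a user left with a stale anchor will not soft-match and will come through as a duplicate.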

Setup Azure AD Connect

Under the new forest, pick the server that will host Azure AD Connect. I am not going into the full requirements here, but the service account permissions deserve attention, because the defaults are deliberately least-privilege:

https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-accounts-permissions/

The wizard asks for two credentials, and neither is the account that runs the sync day to day. For Office 365 it needs a Global Admin account, used only during setup to create the Azure AD synchronisation account; that credential should not be stored on the server afterwards. For on-premises AD it asks for Enterprise Admin credentials, which it uses once to create a low-privilege MSOL_ connector account with the delegated permissions it needs (newer builds also let you supply a pre-created connector account instead). Domain Admin membership is not required for the connector account, and granting it would only expose a highly privileged credential on the sync server; optional features such as password hash sync or writeback add specific delegated rights, not group memberships.

Download Microsoft Azure AD Connect and let's start the installation.

https://www.microsoft.com/download/details.aspx?id=47594

[Screenshot: Azure AD Connect setup]

[Screenshot: Azure AD Connect setup, Customize settings]

Choose Customize, since we will be syncing users selectively (pilot users first, then the rest).

[Screenshot: Azure AD Connect setup wizard]

Enter the Office 365 Global Admin credentials. These are used during setup only; the wizard creates its own Azure AD synchronisation account for ongoing use.

[Screenshot: Azure AD Connect, Connect to directory]

Enter the on-premises credentials: Enterprise Admin, so the wizard can create the connector account, or a pre-created connector account if your build supports it.

[Screenshot: Azure AD sign-in settings]

Leave the options at their defaults, and make sure the userPrincipalName UPN suffix is an internet-routable domain that is verified in Office 365. In most cases it is the same as the email address, to keep things simple. Since this migration relies on soft matching, each migrated user's UPN (or primary SMTP address) in the new forest must be identical to that of the existing cloud user.

Keep the default Source Anchor (objectGUID) if you have only a single AD forest to deal with. The new forest's objectGUIDs become the new ImmutableId values, which is exactly why the old ones had to be cleared.

[Screenshot: Azure AD Connect setup wizard complete]

Once installation and the initial sync have completed, you can see the status in the Office 365 Admin portal.

[Screenshot: Azure AD Connect sync status]

By default, Azure AD Connect runs a delta sync every 30 minutes. You can see the current schedule with

Get-ADSyncScheduler

If you do not want to wait for the scheduled run, you can force a sync cycle. A delta cycle processes only the changes since the last run; an initial cycle re-imports and re-evaluates everything and is what you want after changing filtering or sync rules:

Start-ADSyncSyncCycle -PolicyType Delta
Start-ADSyncSyncCycle -PolicyType Initial

The schedule can be adjusted with Set-ADSyncScheduler (for example -CustomizedSyncCycleInterval; 30 minutes is the shortest interval allowed), and you can also drive it from your own scheduled task if needed.
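The "gauge the success" step of the pilot is worth automating, because the failure mode is silent: a user who did not soft-match is not reported as an error, it simply appears as a second, cloud-only account. With objectGUID as the source anchor, the ImmutableId Azure AD should now hold for each pilot user is just the base64 encoding of that user's objectGUID in the new forest, so the two can be compared directly. The script below is an added example, not the article's own code: it forces a delta cycle, waits for it to finish, and for each pilot user compares the expected anchor with the one in Azure AD and looks for duplicate accounts. It assumes the ActiveDirectory (RSAT) and MSOnline modules on the Azure AD Connect server, an existing Connect-MsolService session, and the constructed pilot UPNs shown.

```powershell
# Added example, not from the original article: verify that pilot users were
# soft-matched and re-anchored to the NEW forest rather than duplicated.
# Assumptions: ActiveDirectory and ADSync modules on the AAD Connect server,
# MSOnline with Connect-MsolService already run, objectGUID as sourceAnchor.
Import-Module ActiveDirectory
Import-Module ADSync

# Constructed sample pilot list; replace with the real pilot users.
$pilot = @('alice@contoso.com', 'bob@contoso.com')

# Force a delta cycle and wait for it, instead of waiting up to 30 minutes.
Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
while ((Get-ADSyncScheduler).SyncCycleInProgress) { Start-Sleep -Seconds 30 }

function Get-ExpectedImmutableId {
    param([string]$Upn)
    # With objectGUID as sourceAnchor, ImmutableId = base64(objectGUID bytes).
    $adUser = Get-ADUser -Filter "userPrincipalName -eq '$Upn'" -ErrorAction Stop
    [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
}

$report = foreach ($upn in $pilot) {
    $expected = Get-ExpectedImmutableId -Upn $upn
    $cloud    = Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue

    # A failed soft match shows up as an extra account for the same person,
    # usually with its UPN rewritten onto the *.onmicrosoft.com domain.
    $prefix = $upn.Split('@')[0]
    $dupes  = Get-MsolUser -SearchString $prefix |
              Where-Object { $_.UserPrincipalName -ne $upn }

    [pscustomobject]@{
        UPN                 = $upn
        ExpectedImmutableId = $expected
        CloudImmutableId    = $cloud.ImmutableId
        Matched             = ($null -ne $cloud -and $cloud.ImmutableId -eq $expected)
        LastDirSyncTime     = $cloud.LastDirSyncTime
        PossibleDuplicates  = (@($dupes | ForEach-Object { $_.UserPrincipalName }) -join ';')
    }
}

$report | Format-Table -AutoSize

# Only widen the scope once every pilot row is Matched and has no duplicates.
if ($report | Where-Object { -not $_.Matched -or $_.PossibleDuplicates }) {
    Write-Warning 'One or more pilot users did not re-link cleanly; fix before syncing the rest.'
}

# Optional: slow the scheduler down while the pilot is under review, then
# restore the default. 30 minutes is the minimum AAD Connect accepts.
# Set-ADSyncScheduler -CustomizedSyncCycleInterval 02:00:00
# Set-ADSyncScheduler -CustomizedSyncCycleInterval 00:30:00
```

A Matched = False row with a non-empty PossibleDuplicates column is the classic symptom of an ImmutableId that was never cleared or a UPN/primary SMTP mismatch between the new forest and the cloud user; fix the cause, delete the duplicate, and let the next delta cycle re-match before moving on to the remaining users.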

That’s it. Hope you find it useful.


2 Comments

  1. Erik N

    Nice article! I was wondering, what does connecting to a new AD do to the permissions assigned to mailboxes using AD groups?

    • admin

      Hi Erik, the mailbox permissions specified via AD groups (synced groups) should remain as they are, though you can manually add in-cloud identities/groups to the mailbox permissions.


Copyright © 2018, All Rights Reserved.