tenant to tenant migration with AD consolidation.

Hi all,

I have a project to consolidate two tenants & AD due to a merger.  I am new to Quest as well as migration scenarios - hence would like to seek your thoughts on the proper approach.

Company-A has acquired Company-B.  Both companies have their own separate AD Forest, separate O365 tenants and separate AD connect.

The first priority is to consolidate the Com-B tenant into the Com-A tenant and later on also migrate/consolidate AD users into the Com-A forest.

My plan was to first utilize Com-A's AD connect to also connect with Com-B's forest - so both forests' identities are synced to the Com-A tenant (of course the identities have to be unique, etc).

We will then utilize Quest ODM t2t to migrate mailboxes/teams, etc from the Com-B tenant to the Com-A tenant.  So at this stage there is a single tenant and two forests - and users continue to log in to their desktops with their passwords in their original AD.

So far, so good...

But the dilemma is what would happen when the AD users need to be migrated to the Com-A forest.  We plan to utilize Quest DirSync / AD Migration tools.  Will the AD migrated accounts auto-match with already synced identities - since Quest will migrate all attributes from source to target?  Or do I need to first re-configure AD Sync to remove com-b, in which case users get soft deleted - and then they get auto-matched / recovered by Quest migrated AD accounts?

Or could there be a different or more seamless strategy?

Thanks to all.

  • We go through this exact scenario multiple times per year and it's highly subjective based on your configuration in the target forest/AD and the content in source. It's paramount to liaise with the business and understand how they work. There's no one size fits all in migrations!

    I would flip your plan on its head. At a high level, our workflow in a hybrid target environment is:

    • Create accounts for source users in Target AD forest/domain (You can use Quest Directory Sync to do this)
    • Allow Entra Connect Sync to create the connected cloud objects in Target Tenant and license them but hide from Address lists.
    • Migrate devices to be EIDJ in Target tenant (We manage via Intune and migrate them using Quest Directory Sync). At this point, assuming you're using cloud kerberos trust, users can access Active Directory Resources in Target AD Forest.
    • Migrate content from Source Tenant (EXO, SPO & Teams) using Quest ODM
    • At a defined weekend, downtime is scheduled with the business to cutover and run final delta passes of content. (We're able to do this due to operating hours but this is becoming more challenging with global teams)
    • Domains disconnected from source tenant and connected to target tenant
    • Old email aliases set on objects as primary SMTP assuming no rebrand at that point.
    • Use ODM DUA to reconfigure users' Office suite to target tenant.
    • After the dust has settled, random oddities that come out of the woodwork are resolved, then decommissioning can begin.

    "My plan was to first utilize Com-A's AD connect to also connect with Com-B's forest - so both forest Identities are synced to Com-A tenant." - This isn't a possible scenario without changing to Microsoft Entra Cloud Sync. You cannot push multiple forests to a single tenant in Connect Sync.

    Cloud Sync does not have feature parity to Connect Sync.

    I would strongly suggest reading the Quest documentation to understand the tooling, as it's rather comprehensive and there are multiple migration guides and best practices. I would strongly advise working with your Quest rep to have a more technical level workshop to help select the appropriate tooling.
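
The uniqueness requirement raised in the question ("of course the identities have to be unique") can be checked before accounts from both forests end up in one tenant. The following is an added example, not part of either post and not Quest or Microsoft code: it compares constructed exports of the two forests and reports every UPN or SMTP address claimed by more than one account. The field names (`sam`, `upn`, `proxy`), the `com-a.example` / `com-b.example` domains and the sample users are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample exports (not real data): one dict per AD user.
FOREST_A = [
    {"sam": "jsmith", "upn": "jsmith@com-a.example",
     "proxy": ["SMTP:john.smith@com-a.example", "smtp:jsmith@com-a.example"]},
    {"sam": "info", "upn": "info@com-a.example",
     "proxy": ["SMTP:info@com-a.example", "smtp:sales@com-b.example"]},
]
FOREST_B = [
    {"sam": "jsmith", "upn": "JSmith@com-a.example",
     "proxy": ["SMTP:j.smith@com-b.example"]},
    {"sam": "sales", "upn": "sales@com-b.example",
     "proxy": ["SMTP:sales@com-b.example", "x500:/o=ComB/cn=sales"]},
]

def identity_keys(user):
    """Yield (kind, value) pairs that must be unique tenant-wide."""
    yield ("upn", user["upn"].strip().lower())
    for addr in user.get("proxy", []):
        prefix, _, value = addr.partition(":")
        # Only SMTP entries are mail addresses. The prefix case marks
        # primary (SMTP) vs alias (smtp); both kinds must be unique.
        if prefix.lower() == "smtp" and value:
            yield ("smtp", value.strip().lower())

def find_collisions(forests):
    """Map each identity key to its owners; keep keys with more than one."""
    owners = defaultdict(set)
    for forest_name, users in forests.items():
        for user in users:
            for key in identity_keys(user):
                owners[key].add(f"{forest_name}\\{user['sam']}")
    return {k: sorted(v) for k, v in owners.items() if len(v) > 1}

if __name__ == "__main__":
    report = find_collisions({"COM-A": FOREST_A, "COM-B": FOREST_B})
    for (kind, value), who in sorted(report.items()):
        print(f"{kind:4} {value:28} claimed by {', '.join(who)}")
```

Comparison is case-insensitive, so `JSmith@com-a.example` in one forest collides with `jsmith@com-a.example` in the other; non-SMTP proxy entries such as `x500:` are ignored.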