Solved

Clarification on requirements to sync .local AD domain to Azure AD using the  AD connect tool

Posted on 2016-10-13
3
144 Views
Last Modified: 2016-10-13
We are undergoing the process of moving to an Office 365 solution from a single 'domain'.local  domain. I have already validated our routable 'domain'.com domain.
We are about to install Azure AD Connect to synchronize user accounts to our Azure AD presence. I understand that AD UPN's must use a routable domain and that as changing our primary AD domain (from .local) is not an action we want to take there is an option to update as following;

1) Add 'domain.com' as an Alternate UPN suffix (Domains & Trusts - applied only at new account creation)
2) Change the UPN suffix for existing users (to the routable 'domain'.com), or
3) Use PowerShell to change the UPN suffix for all users.

My questions are;
1) Has anyone used this, or another process
2) What has been the positive (or negative) experience
3) What are the risks involved

My challenge is that as Microsoft have changed the tools for synchronizing (eg from DirSync etc) it is difficult to find consistent and relevant information.

Thanks in advance.
0
Comment
Question by:agradmin
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 22

Accepted Solution

by:
Joseph Moody earned 500 total points
ID: 41842145
1. Yes - this is the normal way of handling this.

2. Use powershell to automate this. Either change the default UPN for your domain to your public one or setup a scheduled task to check for users without your public UPN and to change it.

3. Little or none (of course, test this out with a smaller set of users before rolling it out company wide).
0
 

Author Comment

by:agradmin
ID: 41842151
Thanks for the prompt response Joseph - now I can rest a bit easier :-)
0
 

Author Closing Comment

by:agradmin
ID: 41842153
I appreciate the prompt and thorough response!
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The following article is comprised of the pearls we have garnered deploying virtualization solutions since Virtual Server 2005 and subsequent 2008 RTM+ Hyper-V in standalone and clustered environments.
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question