Powershell script to update UPN domain suffix for Azure AD synchronization

We are in the process of migrating users to Office 365 and I would like help updating AD users accounts so they will sync with Azure AD.

Traditionally we have used an internal/non-routable domain ('company.local') as the domain suffix for our UPNs, but of course now we need to switch to our public/validated domain.

I have already added the alternate domain suffix of 'company.com', manually updated a number of test users and synchronized successfully with Azure AD. What I am looking for now is a PowerShell script that has the flexibility to update either all user accounts or all accounts by OU (to allow for testing).

Thanks in advance
Asked by agradmin

Joseph Moody (Blogger and wearer of all hats) commented:
Here is a PowerShell script that I used for this task. It is limited to one OU right now.

# Target DC and the suffixes to swap
$DC = 'DOMAIN CONTROLLER NAME'
$oldSuffix = 'test.local'
$newSuffix = 'public.com'

# Only users in this OU whose UPN still carries the old suffix
$Users = Get-ADUser -SearchBase "OU=Domain Users,DC=test,DC=local" -Filter * |
    Where-Object { $_.UserPrincipalName -like "*$oldSuffix" }

ForEach ($User in $Users) {
    $newUpn = $User.UserPrincipalName.Replace($oldSuffix, $newSuffix)
    # -WhatIf only reports the change; remove it to apply
    $User | Set-ADUser -Server $DC -UserPrincipalName $newUpn -WhatIf
    Write-Host $User.UserPrincipalName, $newUpn

    # Clear-Variable takes a variable name, not its value
    Clear-Variable newUpn
}

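As an added example that is not part of the answer above, here is the same task written as a parameterized script with the flexibility the question asks for: it runs against the whole domain or only one OU, honours -WhatIf, refuses to run if the new suffix is not registered in the forest (Set-ADUser accepts any string, and an unregistered suffix is exactly what breaks the Azure AD sync), picks a domain controller that runs Active Directory Web Services when none is named, and writes a CSV of every old and new value for rollback. Assumptions that the thread does not state: RSAT-ADDS is installed where it runs, PowerShell 3.0 or later, and the file name Update-UpnSuffix.ps1 and its parameter names are my own.

```powershell
# Update-UpnSuffix.ps1 -- added example, not the script from the answer above.
# File name and parameter names are my own choice.
# Assumptions not stated in the thread: RSAT-ADDS is installed on this machine,
# PowerShell 3.0+, and the new suffix has already been added in
# Active Directory Domains and Trusts.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)] [string] $OldSuffix,   # e.g. 'company.local'
    [Parameter(Mandatory = $true)] [string] $NewSuffix,   # e.g. 'company.com'
    [string] $SearchBase,    # OU distinguished name to limit the scope; omit for the whole domain
    [string] $Server,        # DC to target; an ADWS-capable DC is discovered if omitted
    [string] $LogPath = ".\upn-change-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"
)

Import-Module ActiveDirectory -ErrorAction Stop

# Refuse to run unless the new suffix is registered in the forest.
$forest = Get-ADForest
$knownSuffixes = @($forest.UPNSuffixes) + @($forest.Domains)
if ($knownSuffixes -notcontains $NewSuffix) {
    throw "UPN suffix '$NewSuffix' is not registered in the forest (known: $($knownSuffixes -join ', ')). Add it in AD Domains and Trusts first."
}

# The AD cmdlets need a DC running Active Directory Web Services; pick one
# explicitly so every change (and the log) refers to the same DC.
if (-not $Server) {
    $Server = (Get-ADDomainController -Discover -Service ADWS).HostName[0]
}

# Filter on the server side for accounts that still carry the old suffix;
# this also skips accounts with no UPN at all, which a blanket '*' would return.
$query = @{
    LDAPFilter = "(userPrincipalName=*@$OldSuffix)"
    Server     = $Server
}
if ($SearchBase) { $query.SearchBase = $SearchBase }

$results = foreach ($user in Get-ADUser @query) {
    # Rewrite only the part after the last '@'; String.Replace would also
    # alter a prefix that happens to contain the old suffix text.
    $at = $user.UserPrincipalName.LastIndexOf('@')
    $newUpn = $user.UserPrincipalName.Substring(0, $at + 1) + $NewSuffix

    # ShouldProcess honours -WhatIf and -Confirm passed to the script.
    $applied = $false
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, "UPN $($user.UserPrincipalName) -> $newUpn")) {
        Set-ADUser -Identity $user -UserPrincipalName $newUpn -Server $Server
        $applied = $true
    }

    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        OldUpn         = $user.UserPrincipalName
        NewUpn         = $newUpn
        Applied        = $applied
        Server         = $Server
    }
}

if (-not $results) {
    Write-Warning "No accounts with UPN suffix '$OldSuffix' found in scope."
    return
}

# Keep a record of old and new values for rollback and for auditing the sync.
$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Format-Table -AutoSize
Write-Host "Logged $(@($results).Count) accounts to $LogPath"
```

Run it first with -WhatIf against a test OU, for example .\Update-UpnSuffix.ps1 -OldSuffix company.local -NewSuffix company.com -SearchBase 'OU=Test Users,DC=company,DC=local' -WhatIf, then without -WhatIf once the reported changes look right, and finally without -SearchBase for the whole domain. The CSV written on each run is what you would use to put the old UPNs back if the sync misbehaves.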
 
agradmin (Author) commented:
That is great but I am receiving errors when running on a 2016 server (DC is 2008, non-R2). Can you please review and point me in the right direction?
Apologies in advance as I have little familiarity with PowerShell.

PS C:\Windows\system32> Import-Module ActiveDirectory
$oldSuffix = "co.local"
$newSuffix = "co.com"
$ou = "DC=co,DC=local"
$server = "DC-1"
Get-ADUser -SearchBase $ou -filter *Research | ForEach-Object {
$newUpn = $_.UserPrincipalName.Replace($oldSuffix,$newSuffix)
$_ | Set-ADUser -server $server -UserPrincipalName $newUpn
}

Import-Module : The specified module 'ActiveDirectory' was not loaded because no valid module file was found in any module directory.
At line:1 char:1
+ Import-Module ActiveDirectory
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (ActiveDirectory:String) [Import-Module], FileNotFoundException
    + FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand
 
Get-ADUser : The term 'Get-ADUser' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling
of the name, or if a path was included, verify that the path is correct and try again.
At line:6 char:1
+ Get-ADUser -SearchBase $ou -filter *Research | ForEach-Object {
+ ~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-ADUser:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
 

PS C:\Windows\system32>
 
Todd Nelson (Systems Engineer) commented:
I suppose you are running the script from an Exchange server without the remote AD admin tools installed.

Either run the script from a DC; or install the remote AD admin tools on the Exchange server per the system requirements ( https://technet.microsoft.com/en-us/library/bb691354(v=exchg.160).aspx ) and then run the script.

agradmin (Author) commented:
Actually no Todd - I am attempting to run remotely on a 2016 member server (actually hosts AD Connect). Is that possible?
Our domain controllers are Win 2008, I believe Exchange is 2008 R2.

Todd Nelson (Systems Engineer) commented:
You will need to run the script from a domain controller or a member server with the remote AD admin tools installed.  And the script cannot be run without importing the AD module first (Import-Module ActiveDirectory).

P.S.  On a side note, AAD Connect is not supported on Windows Server 2016 yet ... https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-prerequisites/#component-prerequisites

agradmin (Author) commented:
Import-Module ActiveDirectory fails on our 2008 DC:
PS C:\Users\me> import-module ActiveDirectory
Import-Module : The specified module 'ActiveDirectory' was not loaded because no valid module file was found in any module directory.

Should this work or is there something missing?

BTW - just as an FYI. AAD Connect seems to be working OK, although perhaps not supported as you say. We are just using it to sync accounts and passwords at this point, no ADFS.

Todd Nelson (Systems Engineer) commented:
That's odd.  Are you running the command while logged in as a domain admin?  Is that the only DC you have?

If you don't have another DC, install the remote AD tools on another member server (Install-WindowsFeature RSAT-ADDS) and restart the server.

agradmin (Author) commented:
Strange indeed..... I have run on a 2nd (Win 2008) DC with the same result. I will look into using a (Server 2016) member server as you suggest.

agradmin (Author) commented:
Todd,
It looks like this may not work on a 2008 server - see below. I now have the script running on a 2008R2 DC against a test OU & user but it is not making the change (no errors received). Does anything immediately jump to mind?
I am learning as I go, pointers are appreciated.
-------------
In PowerShell 2.0, a special module appeared that allows working with Active Directory — the Active Directory Module for Windows PowerShell (announced in Windows Server 2008 R2), able to operate on AD directory objects using special cmdlets. To get information about users and their properties, there is the cmdlet Get-ADUser.

Todd Nelson (Systems Engineer) commented:
Did you actually save the commands as a script (i.e. ChangeUPN.ps1)

Import-Module ActiveDirectory
$oldSuffix = "d2.local"
$newSuffix = "imchanged.com"
$ou = "OU=Users,OU=Test,DC=d2,DC=local"
$server = "D2-DC1"
# Only users under $ou that still carry the old suffix; accounts with no UPN
# would otherwise make .Replace() fail on a null value
Get-ADUser -SearchBase $ou -Filter "UserPrincipalName -like '*$oldSuffix'" | ForEach-Object {
    $newUpn = $_.UserPrincipalName.Replace($oldSuffix, $newSuffix)
    $_ | Set-ADUser -Server $server -UserPrincipalName $newUpn
}

...and run that script (ChangeUPN.ps1) in PowerShell from a DC or a member server that has the "RSAT-ADDS" feature installed?

Also, did you create a new UPN suffix in AD Domains and Trusts that you want to change to?

The script works fine from both a DC and my Exchange server (both running PowerShell v2.0), provided all of these requirements are met.

agradmin (Author) commented:
Yes, I run the script as suggested but it does not update the DC. Is there a way to prevent the window closing (like pause...) so I can see what may be going on?

I also tested variables etc. by creating a modified script that just lists the UPN of a test user in the OU I am testing. In that I am presently just executing the commands within PowerShell line by line - if you tell me/I have time to figure out how to keep the window open I will execute from a PS1.

Thanks for the help!

agradmin (Author) commented:
Todd,
I have figured out how to pause the script and prevent the window closing (read-host...).

I have added a command (-executionpolicy bypass) to allow the script to execute and now see that the script fails due to "Unable to contact server..........or does not have Active Directory Web Services running".

Can you confirm that this script SHOULD work on a 2008 AD server (non-R2)? We are looking at options but I have concerns that what we are trying to do is not possible.

Thanks!
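The "Unable to contact the server ... or does not have Active Directory Web Services running" error above is the AD module failing to reach Active Directory Web Services (TCP 9389) on the DC it picked; the Get-ADUser/Set-ADUser cmdlets talk to ADWS, not to plain LDAP, and a Windows Server 2008 (non-R2) DC does not run it without the Microsoft-supplied patch mentioned later in the thread. The following is an added diagnostic, not code from the thread: it lists every DC through the LDAP-based .NET API (which does not need ADWS), checks whether port 9389 answers, and confirms the AD module can read RootDSE through that DC, so you know which name to pass as -Server in the UPN script. It assumes RSAT-ADDS and PowerShell 4.0 or later (for Test-NetConnection) on the machine running it.

```powershell
# Added diagnostic (not from the thread): find which DCs the AD cmdlets can use.
# Get-ADUser / Set-ADUser talk to Active Directory Web Services on TCP 9389, so a
# DC without ADWS yields "Unable to contact the server ... Active Directory Web
# Services running". Assumes RSAT-ADDS and PowerShell 4.0+ on this machine.
Import-Module ActiveDirectory -ErrorAction Stop

# Enumerate DCs through the LDAP-based .NET API, which works without ADWS.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

$report = foreach ($dc in $domain.DomainControllers) {
    # Quiet mode returns a plain $true/$false instead of a connection object
    $portOpen = Test-NetConnection -ComputerName $dc.Name -Port 9389 `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    # An open port is not proof the service answers; ask the AD module to
    # read RootDSE through that specific DC.
    $adwsResponds = $false
    if ($portOpen) {
        try {
            $null = Get-ADRootDSE -Server $dc.Name -ErrorAction Stop
            $adwsResponds = $true
        } catch {
            Write-Verbose "ADWS on $($dc.Name) refused the request: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        DomainController = $dc.Name
        OSVersion        = $dc.OSVersion
        Port9389Open     = $portOpen
        AdwsResponds     = $adwsResponds
    }
}

$report | Format-Table -AutoSize

$usable = @($report | Where-Object { $_.AdwsResponds })
if ($usable.Count -eq 0) {
    Write-Warning "No domain controller answers on ADWS; the AD module cannot run the UPN script until one does."
} else {
    Write-Host "Pass -Server $($usable[0].DomainController) to the UPN change script."
}
```

If every DC shows Port9389Open as False, the AD module has nothing to talk to and no amount of changing the script will help; the fix is on the DC side (ADWS installed and the service running), which is what the thread ends up doing. If the port is open but AdwsResponds is False, run with -Verbose to see the error the service returned, and check that the account running the script can authenticate to that DC.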
 
Todd Nelson (Systems Engineer) commented:
If that's not working for you, try ADModify.  Here are some references...


agradmin (Author) commented:
Hey Todd, we finally have SUCCESS!

We ended up having to contact Microsoft to obtain a specific patch to allow ADWS to run on our 2008 DC - after a reboot the script runs as intended (using the BYPASS command to get past the script execution security restrictions).

Thanks for your help!

agradmin (Author) commented:
Thanks for the help in obtaining a working solution!

Todd Nelson (Systems Engineer) commented:
That's great!  What is the patch?

I was looking into this on a lab machine and the only thing I could think of was that with Windows 2008 (non-R2) that PowerShell is not installed by default.  And if it is installed as a feature it is only version 1.0 and Import-Module is not available.  However, it doesn't seem to be available with PowerShell v2.0 either on Windows 2008 (non-R2).

agradmin (Author) commented:
Another team member worked on this but I believe the patch was to .Net 3.5. He found an article online but had to call as there was no link to the patch.
Question has a verified solution.