Solved

Powershell script to update UPN domain suffix for Azure AD synchronization

Posted on 2016-10-24
18
43 Views
Last Modified: 2016-10-28
We are in the process of migrating users to Office 365 and I would like help updating AD users accounts so they will sync with Azure AD.

Traditionally we have used an internal/non-routable domain ('company.local') as the domain suffix for our UPNs, but of course now we need to switch to our public/validated domain.

I have already added the alternate domain suffix of 'company.com', manually updated a number of test users and synchronized successfully with Azure AD. What I am looking for now is a Powershell script that has the flexibility to update either all user accounts or all accounts by OU (to allow for testing).

Thanks in advance
0
Comment
Question by:agradmin
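The question asks for one script that can run against a single OU for testing or against the whole domain. The following is an added example written for this page, not a script posted by any participant in the thread. It assumes the ActiveDirectory module (RSAT-ADDS) is available, that the new suffix has already been added in AD Domains and Trusts, and uses placeholder names ('company.local', 'company.com', the OU path, the script file name). It previews with -WhatIf, prompts per account otherwise, refuses to run if the target suffix is not registered in the forest, and writes a before/after CSV so the change can be reversed.

```powershell
# Added example, not code from the thread. Parameterised UPN-suffix change that
# scopes to one OU (for testing) or the whole domain, previews with -WhatIf, and
# refuses to run unless the new suffix is registered in the forest.
# Assumes the ActiveDirectory module (RSAT-ADDS) is available; values such as
# 'company.local', 'company.com' and the OU path are placeholders.
#
# Usage (preview a test OU first, then run for real):
#   .\Set-UpnSuffix.ps1 -OldSuffix company.local -NewSuffix company.com `
#       -SearchBase 'OU=Test,DC=company,DC=local' -WhatIf
#   .\Set-UpnSuffix.ps1 -OldSuffix company.local -NewSuffix company.com -Confirm:$false
[CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
param(
    [Parameter(Mandatory = $true)][string]$OldSuffix,
    [Parameter(Mandatory = $true)][string]$NewSuffix,
    [string]$SearchBase,                            # OU distinguished name; omit for the whole domain
    [string]$Server,                                # specific DC; omit to let the module pick one
    [string]$LogPath = "$env:TEMP\upn-change.csv"   # before/after record, kept for rollback
)

Import-Module ActiveDirectory -ErrorAction Stop

# A UPN whose suffix is not a registered (and, for Azure AD, verified) domain will
# not sync as intended, so fail early rather than rewrite accounts to a bad value.
$forest = Get-ADForest
if ($NewSuffix -ne $forest.RootDomain -and $forest.UPNSuffixes -notcontains $NewSuffix) {
    throw "UPN suffix '$NewSuffix' is not registered in AD Domains and Trusts for forest $($forest.Name)."
}

# Pull only the accounts that still carry the old suffix.
$getParams = @{
    Filter     = "UserPrincipalName -like '*@$OldSuffix'"
    Properties = 'UserPrincipalName', 'mail'
}
if ($SearchBase) { $getParams['SearchBase'] = $SearchBase }
if ($Server)     { $getParams['Server']     = $Server }
$users = @(Get-ADUser @getParams)
Write-Verbose "Found $($users.Count) user(s) with suffix @$OldSuffix"

$results = foreach ($user in $users) {
    $oldUpn = $user.UserPrincipalName
    # Rewrite only the part after the last '@'; a plain .Replace() would also
    # alter a prefix that happens to contain the old suffix text.
    $prefix = $oldUpn.Substring(0, $oldUpn.LastIndexOf('@'))
    $newUpn = "$prefix@$NewSuffix"

    $status = 'Skipped'
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, "Change UPN $oldUpn -> $newUpn")) {
        $setParams = @{ Identity = $user; UserPrincipalName = $newUpn }
        if ($Server) { $setParams['Server'] = $Server }
        Set-ADUser @setParams
        $status = 'Changed'
    }

    New-Object PSObject -Property @{
        SamAccountName = $user.SamAccountName
        OldUpn         = $oldUpn
        NewUpn         = $newUpn
        Mail           = $user.mail   # helps spot accounts whose mail and UPN will not match after the change
        Status         = $status
    }
}

$results | Export-Csv -Path $LogPath -NoTypeInformation
$results | Format-Table SamAccountName, OldUpn, NewUpn, Mail, Status -AutoSize
Write-Host "Log written to $LogPath"
```

Run it with -WhatIf against a test OU first: the "What if:" lines show every old/new UPN pair without touching the directory. Without -WhatIf the ConfirmImpact setting makes it prompt for each account (answer "Yes to All" once you trust the output), and -Confirm:$false runs it unattended. The CSV is the record you would use to put a UPN back if a user turns out to have been mis-scoped.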
18 Comments
 
LVL 22

Assisted Solution

by:Joseph Moody
Joseph Moody earned 100 total points
ID: 41857352
Here is a PowerShell script that I used for this task. It is limited to one OU right now.

$DC = 'DOMAIN CONTROLLER NAME'
$oldSuffix = 'test.local'
$newSuffix = 'public.com'

# Select users in the OU whose UPN still carries the old suffix
# (the bare "where UserPrincipalName -Like ..." form needs PowerShell 3.0 or later)
$Users = Get-ADUser -SearchBase "OU=Domain Users,DC=test,DC=local" -filter * | where UserPrincipalName -Like *test.local

ForEach ($User in $Users){
 # Build the new UPN by swapping the suffix
 $newUpn = $User.UserPrincipalName.Replace($oldSuffix,$newSuffix)
 # -whatif only previews the change; remove it to apply
 $User | Set-ADUser -server $DC -UserPrincipalName $newUpn -whatif
 write-host $User.UserPrincipalName, $newUpn

 # Clear-Variable takes the variable name without the leading $
 Clear-Variable newUpn
 } 


2
 
LVL 14

Accepted Solution

by:
Todd Nelson earned 400 total points
ID: 41857854
1
 

Author Comment

by:agradmin
ID: 41859289
That is great but I am receiving errors when running on a 2016 server (DC is 2008, non-R2). Can you please review and point me in the right direction?
Apologies in advance as I have little familiarity with Powershell.

PS C:\Windows\system32> Import-Module ActiveDirectory
$oldSuffix = "co.local"
$newSuffix = "co.com"
$ou = "DC=co,DC=local"
$server = "DC-1"
Get-ADUser -SearchBase $ou -filter *Research | ForEach-Object {
$newUpn = $_.UserPrincipalName.Replace($oldSuffix,$newSuffix)
$_ | Set-ADUser -server $server -UserPrincipalName $newUpn
}

Import-Module : The specified module 'ActiveDirectory' was not loaded because no valid module file was found in any module directory.
At line:1 char:1
+ Import-Module ActiveDirectory
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (ActiveDirectory:String) [Import-Module], FileNotFoundException
    + FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand
 
Get-ADUser : The term 'Get-ADUser' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling
of the name, or if a path was included, verify that the path is correct and try again.
At line:6 char:1
+ Get-ADUser -SearchBase $ou -filter *Research | ForEach-Object {
+ ~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (Get-ADUser:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
 

PS C:\Windows\system32>
0
 
LVL 14

Expert Comment

by:Todd Nelson
ID: 41859313
I suppose you are running the script from an Exchange server without the remote AD admin tools installed.

Either run the script from a DC; or install the remote AD admin tools on the Exchange server per the system requirements ( https://technet.microsoft.com/en-us/library/bb691354(v=exchg.160).aspx ) and then run the script.
0
 

Author Comment

by:agradmin
ID: 41859324
Actually no Todd - I am attempting to run remotely on a 2016 member server (actually hosts ADconnect). Is that possible?
Our domain Controllers are Win 2008, I believe Exchange is 2008 R2.
0
 
LVL 14

Expert Comment

by:Todd Nelson
ID: 41859344
You will need to run the script from a domain controller or a member server with the remote AD admin tools installed.  And the script cannot be run without importing the AD module first (Import-Module ActiveDirectory).

P.S.  On a side note, AAD Connect is not supported on Windows Server 2016 yet ... https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-prerequisites/#component-prerequisites
0
 

Author Comment

by:agradmin
ID: 41859359
Import-Module ActiveDirectory fails on our 2008 DC;
PS C:\Users\me> import-module ActiveDirectory
Import-Module : The specified module 'ActiveDirectory' was not loaded because n
o valid module file was found in any module directory.

Should this work or is there something missing?

BTW - just as an FYI.  AAD Connect seems to be working OK, although perhaps not supported as you say. We are just using it to sync accounts and passwords at this point, no ADFS.
0
 
LVL 14

Expert Comment

by:Todd Nelson
ID: 41859375
That's odd.  Are you running the command while logged in as a domain admin?  Is that the only DC you have?

If you don't have another DC, install the remote AD tools on another member server (Install-WindowsFeature RSAT-ADDS) and restart the server.
0
 

Author Comment

by:agradmin
ID: 41860125
Strange indeed..... I have run on a 2nd (Win 2008) DC with the same result. I will look into using a (Server 2016) member server as you suggest.
0
 

Author Comment

by:agradmin
ID: 41860808
Todd,
It looks like this may not work on a 2008 server - see below. I now have the script running on a 2008R2 DC against a test OU & user but it is not making the change (no errors received). Does anything immediately jump to mind?
I am learning as I go, pointers are appreciated.
-------------
In PowerShell 2.0, a special module appeared that allows working with Active Directory — the Active Directory Module for Windows PowerShell (announced in Windows Server 2008 R2), able to operate on AD directory objects using special cmdlets. To get information about users and their properties, there is a cmdlet, Get-ADUser.
0
 
LVL 14

Expert Comment

by:Todd Nelson
ID: 41860931
Did you actually save the commands as a script (i.e. ChangeUPN.ps1)

# Load the AD cmdlets (requires RSAT-ADDS or a 2008 R2+ DC)
Import-Module ActiveDirectory
$oldSuffix = "d2.local"
$newSuffix = "imchanged.com"
$ou = "OU=Users,OU=Test,DC=d2,DC=local"
$server = "D2-DC1"
# Every user under $ou gets the old suffix swapped for the new one
Get-ADUser -SearchBase $ou -filter * | ForEach-Object { 
     $newUpn = $_.UserPrincipalName.Replace($oldSuffix,$newSuffix)
     $_ | Set-ADUser -server $server -UserPrincipalName $newUpn
}



...and run that script (ChangeUPN.ps1) in PowerShell from a DC or a member server that has the "RSAT-ADDS" feature installed?

Also, did you create a new UPN suffix in AD Domains and Trusts that you want to change to?

The script works fine from both a DC and my Exchange server (both running PowerShell v2.0), provided all of these requirements are met.
0
 

Author Comment

by:agradmin
ID: 41861012
Yes, I run the script as suggested but it does not update the DC. Is there a way to prevent the window closing (like pause...) so I can see what may be going on?

I also tested variables etc by creating a modified script that just lists the UPN of a test user in the OU I am testing. In that I am presently just executing the commands within Powershell line by line - if you tell me/I have time to figure out how to keep the window open I will execute from a PS1.

Thanks for the help!
0
 

Author Comment

by:agradmin
ID: 41862490
Todd,
I have figured out how to pause the script and prevent the window closing (read-host...).

I have added a command (-executionpolicy bypass) to allow the script to execute and now see that the script fails due to "Unable to contact server..........or does not have Active Directory Web Services running".

Can you confirm that this script SHOULD work on a 2008 AD server (non-R2)? We are looking at options but I have concerns that what we are trying to do is not possible.

Thanks!
0
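Three separate prerequisites failed in turn across this thread: the ActiveDirectory module was not installed, the execution policy blocked the saved .ps1, and finally the DC had no reachable Active Directory Web Services. The AD cmdlets talk to a DC over ADWS on TCP 9389, which is what the "Unable to contact the server ... Active Directory Web Services" message is reporting. The script below is an added example, not posted by anyone in the thread; it checks all three before you try the real change. It is written to run on PowerShell 2.0 (no Test-NetConnection), and the DC name, suffix and file name are placeholders.

```powershell
# Added example, not code from the thread. Preflight checks for the prerequisites
# this thread ran into: ActiveDirectory module missing, execution policy blocking
# the .ps1, and Active Directory Web Services (TCP 9389) not reachable on the DC.
# Assumes PowerShell 2.0 or later; the DC name and suffix are placeholders.
#
# Usage:
#   .\Test-UpnPrereqs.ps1 -Server DC-1 -NewSuffix company.com
param(
    [Parameter(Mandatory = $true)][string]$Server,
    [string]$NewSuffix
)

# TCP probe with a timeout; uses .NET directly because Test-NetConnection does
# not exist on the Windows Server 2008-era hosts discussed above.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function New-Check($Name, $Pass, $Detail) {
    New-Object PSObject -Property @{ Check = $Name; Pass = [bool]$Pass; Detail = $Detail }
}

$checks = @()

# 1. Module present? Without it Get-ADUser / Set-ADUser are not recognised at all.
$module = Get-Module -ListAvailable -Name ActiveDirectory
$detail = if ($module) { @($module)[0].Path } else { 'Install RSAT-ADDS (Install-WindowsFeature RSAT-ADDS) or run from a DC that has the module' }
$checks += New-Check 'ActiveDirectory module available' $module $detail

# 2. Execution policy: a Restricted policy stops a saved .ps1 from running at all.
#    For a one-off run,  powershell -ExecutionPolicy Bypass -File .\Script.ps1
#    avoids loosening the machine-wide setting.
$policy = Get-ExecutionPolicy
$checks += New-Check 'Execution policy allows scripts' ($policy -ne 'Restricted') "Current policy: $policy"

# 3. ADWS reachable? The AD cmdlets need the DC to be listening on TCP 9389.
$adws = Test-TcpPort -ComputerName $Server -Port 9389
$adwsDetail = if ($adws) { 'OK' } else { 'ADWS not running or not installed on this DC, or port 9389 blocked by a firewall' }
$checks += New-Check "ADWS (TCP 9389) reachable on $Server" $adws $adwsDetail

# 4. Target UPN suffix registered? Only meaningful if the module loads and a suffix was given.
if ($module -and $NewSuffix) {
    try {
        Import-Module ActiveDirectory -ErrorAction Stop
        $forest = Get-ADForest -Server $Server -ErrorAction Stop
        $registered = ($NewSuffix -eq $forest.RootDomain) -or ($forest.UPNSuffixes -contains $NewSuffix)
        $checks += New-Check "UPN suffix '$NewSuffix' registered" $registered "Forest: $($forest.Name)"
    } catch {
        $checks += New-Check "UPN suffix '$NewSuffix' registered" $false $_.Exception.Message
    }
}

$checks | Format-Table Check, Pass, Detail -AutoSize
```

Read the table top to bottom: a failed module check explains the "module not found" and "Get-ADUser is not recognized" errors earlier in the thread, a Restricted policy is why the .ps1 window closed without doing anything, and a closed port 9389 on the chosen DC is the "Unable to contact the server" failure that the author eventually hit. Only when all rows pass is it worth running the UPN change itself.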
 
LVL 14

Expert Comment

by:Todd Nelson
ID: 41862544
If that's not working for you, try ADModify.  Here are some references...

0
 

Author Comment

by:agradmin
ID: 41863836
Hey Todd, we finally have SUCCESS!

We ended up having to contact Microsoft to obtain a specific patch to allow ADWS to run on our 2008 DC - after a reboot the script runs as intended (using the BYPASS command to get past the script execution security restrictions).

Thanks for your help!
0
 

Author Closing Comment

by:agradmin
ID: 41863839
Thanks for the help in obtaining a working solution!
0
 
LVL 14

Expert Comment

by:Todd Nelson
ID: 41863888
That's great!  What is the patch?

I was looking into this on a lab machine and the only thing I could think of was that with Windows 2008 (non-R2) that PowerShell is not installed by default.  And if it is installed as a feature it is only version 1.0 and Import-Module is not available.  However, it doesn't seem to be available with PowerShell v2.0 either on Windows 2008 (non-R2).
0
 

Author Comment

by:agradmin
ID: 41863895
Another team member worked on this but I believe the patch was to .Net 3.5. He found an article online but had to call as there was no link to the patch.
0
