O365 AD Connect Question

For a new O365 tenant, the group would like AD connect to do a full sync of a single forest to Azure AD.

The tenant will have multiple domains.

My understanding is that AD Connect will sync with a single domain.

After sync, is it possible to move OUs and users from the sync'd domain to another domain on the tenant before license and mailbox assignment?  Or what is best practice for this type of situation?
Michael Herndon asked:
Cliff Galiher commented:
AADConnect supports multi-domain forests. It even supports multiple forests.

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-topologies
0

Michael Herndon (Author) commented:
Thank you for the reply, Cliff.

The existing on-prem AD is a single-forest, single domain. The group would like to sync that to Azure and then have certain OUs of that forest become user accounts of different domains.

Can the OUs be moved between domains after the sync to one domain?

This is our first ADConnect experience, and we're trying to understand the flow. Thanks for your advice.
0
Cliff Galiher commented:
You can't even do that without AADConnect, at least not in the way you describe. The domain is a boundary.
1
Todd Nelson (Systems Engineer) commented:
Is your original question a request asking if you can sync multiple AD domains to O365 or sync users with varying UPN suffixes?
0
Michael Herndon (Author) commented:
Thanks for the feedback, Cliff.

So, the domain is a boundary for users within the tenant.

The idea is for the single tenant to have 3-4 domains, each with its own unique users and email.

Can you suggest how AD could be synced to a multi-domain single tenant?

Again, this is a learning experience for us, and any guidance is appreciated.
0
Cliff Galiher commented:
If these are separate entities/businesses, which is what it sounds like, then they should be separate tenants as well. If you are a provider/MSP, there are partner programs for you to do this properly; don't cram multiple separate customers/businesses into a single tenant.

If they aren't, then why have separate domains? Understanding why you want multiple Active Directory domains is important to providing an accurate solution.
0
Michael Herndon (Author) commented:
It is a single organization with multiple departments, each requiring their own email identity.

Previously, it has been a single domain and single forest, with different POP3 email domain accounts for each group.

Now, the idea is to move the organization to the O365 platform and give each group Azure presence while preserving the original email identity in O365.  Maintaining the unique email identity is the main consideration for the separate domains under the single tenant.
0
Cliff Galiher commented:
No need for separate domains in that scenario. Exchange on-premises and Exchange Online have supported email domains unrelated to Active Directory domains since Active Directory first existed.
1
Michael Herndon (Author) commented:
I see. So would that be the email alias feature, or how would we create different primary email addresses for the From field for each group?

Thanks again for your time and responses and for pointing us in the right direction.
0
Todd Nelson (Systems Engineer) commented:
At a high level...

  • Add domains for each email domain to a single O365 tenant.
  • Add UPN suffixes in AD for each email domain.
  • Update users' UPNs with the respective UPN suffix.
  • Sync to O365.
1
Michael Herndon (Author) commented:
Thanks, Todd. That's an interesting approach.

So, we'd have the multiple verified domains added on the O365 tenant. Then, update the UPN suffix list in the single forest AD and modify user UPNs as needed. Next, use ADConnect to sync from the single AD domain to Azure.

The imported account with email specific suffix should populate active users, and when it's been given a license and mailbox...and the verified domain MX record changed to reroute mailflow...mail directed to that user@UPN should flow into the O365 account.

Am I following you correctly?
0
Todd Nelson (Systems Engineer) commented:
So, we'd have the multiple verified domains added on the O365 tenant. Then, update the UPN suffix list in the single forest AD and modify user UPNs as needed. Next, use ADConnect to sync from the single AD domain to Azure.

Yes.


The imported account with email specific suffix should populate active users, and when it's been given a license and mailbox...and the verified domain MX record changed to reroute mailflow...mail directed to that user@UPN should flow into the O365 account.

Yes.  But you will need to keep in mind, if you do not have an Exchange organization on premises, you might need to update the Email Address field or the proxyAddresses attribute to ensure the email addresses for the users are correct when synced to O365 via AAD Connect.
0
Cliff Galiher commented:
Unless you really like making management difficult, you don't even need multiple UPNs.  You can add verified domains to Office 365 and add one or more SMTP proxy addresses to the on-premises user object. The proxy addresses sync, and Exchange Online will accept them just fine.  Multiple UPNs have a place, but not in this deployment.  UPNs don't impact the email addresses that will be accepted and don't change the default address.
0
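The staging work described in Todd's bullet list and Cliff's proxyAddresses comment, written out as an added PowerShell example (not code from the thread); the domain names, account names and legacy alias are constructed placeholders, and the `ActiveDirectory` module cmdlets are the only real APIs used:

```powershell
# Added example: prepare UPN suffixes and SMTP addresses in on-prem AD before
# AAD Connect syncs the objects. All names below are constructed placeholders.
Import-Module ActiveDirectory

# Every email domain here must already be added and verified in the O365 tenant.
$VerifiedDomains = @('sales.example.com', 'support.example.com')

# Register each email domain as a forest UPN suffix (skips ones already present).
$forest = Get-ADForest
foreach ($d in $VerifiedDomains) {
    if ($forest.UPNSuffixes -notcontains $d) {
        Set-ADForest -Identity $forest.Name -UPNSuffixes @{Add = $d}
    }
}

# Set the addresses Exchange Online will use when the mailbox is created, and
# optionally align the UPN so the O365 sign-in name matches the email address.
function Set-UserMailIdentity {
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        [Parameter(Mandatory)] [string]$PrimarySmtp,   # e.g. jdoe@sales.example.com
        [string[]]$SecondarySmtp = @(),                # legacy aliases to keep receiving on
        [switch]$AlignUpn
    )
    $domain = $PrimarySmtp.Split('@')[1]
    if ($VerifiedDomains -notcontains $domain) {
        throw "Domain '$domain' is not in the verified-domain list; mail would not route."
    }
    # Exactly one uppercase 'SMTP:' entry is the primary; lowercase 'smtp:' entries are aliases.
    $proxies = @("SMTP:$PrimarySmtp") + ($SecondarySmtp | ForEach-Object { "smtp:$_" })
    $params = @{
        Identity     = $SamAccountName
        EmailAddress = $PrimarySmtp                      # the 'mail' attribute AAD Connect syncs
        Replace      = @{ proxyAddresses = $proxies }
    }
    # UPN is a sign-in convenience only; it does not affect mail delivery.
    if ($AlignUpn) { $params.UserPrincipalName = $PrimarySmtp }
    Set-ADUser @params
}

# Pre-sync audit: enabled users with zero or several primary 'SMTP:' entries.
function Get-ProxyAddressProblems {
    Get-ADUser -Filter 'Enabled -eq $true' -Properties proxyAddresses |
        Where-Object { @(@($_.proxyAddresses) -cmatch '^SMTP:').Count -ne 1 } |
        Select-Object SamAccountName, @{n = 'Primaries'; e = { @(@($_.proxyAddresses) -cmatch '^SMTP:') -join ';' } }
}

Set-UserMailIdentity -SamAccountName 'jdoe' -PrimarySmtp 'jdoe@sales.example.com' `
    -SecondarySmtp 'john.doe@legacy.example.com' -AlignUpn
Get-ProxyAddressProblems
```

Run the audit again after a sync cycle and compare against the tenant; an account with no primary SMTP address will be licensed with an address Exchange Online generates rather than the one the department expects.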
Todd Nelson (Systems Engineer) commented:
Agreed, Cliff.  However, would you agree that most customers like to have a user name in O365 that is the same or similar to their email address?
1
Cliff Galiher commented:
Going all the way back to the NT3 days, Windows assumes the user is signing into the domain that the machine is joined to, and only tries another domain when specified using domain\username or username@upn.

With that in mind, I can say a *vast* majority of organizations have users sign in simply with "username".
Of the remaining, most still use domain\username.
The number of organizations that use username@upn is incredibly small.

For those orgs, sure, changing their UPN might be a convenience thing. But as presented, it implied that changing the UPN was required. And based on the follow-up question about mail to user@upn being "directed" to the user's mailbox, that implication was accepted as fact.  You should always be careful about such things. Even if you know that is the case, the OP may not.

UPNs have *NOTHING* to do with email delivery.
1
Michael Herndon (Author) commented:
Thank you both for this wealth of information and your experience.

I take your point that UPN has no impact on mail delivery and also that if the UPN is updated, it would only give an O365 username to match the email address.

So, following Todd's high level model:

1. Create and verify domains in O365 for each email domain required
2. Update UPNs and user assignments in local AD
3. Update user email field in local AD
3. Sync with AD Connect pointed to a single verified domain on Azure
4. The sync should bring all selected users over to the one domain in Azure as active users
5. Under that one O365 domain, the users would have different user names based on the UPN setup and their primary email defined from the email set in local AD
6. Assign users licenses for Exchange Online
7. Create Outlook profiles on client machines referencing that primary email address
8. When ready, update MX record for each verified O365 domain so that mailflow is re-routed to O365 from legacy POP3 mail servers

Am I understanding this flow as you guys have explained it?

Thanks again for sharing these best practices and offering your experience.
0
Michael Herndon (Author) commented:
Also, there's no problem with the UPN and default email address, SMTP, being a different domain than the single domain imported to on Azure?

For instance, if local AD domain is "A"...and it's synced to Azure "A" via ADConnect with a UPN and default email address of domain "B", there's no concern over that difference?

Thank you again for the expert advice.
0
Cliff Galiher commented:
Step 5 isn't really a step. It is also inaccurate.

The Office 365 username will be based on the UPN.

Their email addresses are created when an Exchange license is assigned, and that is based on the email properties.

The two things are basically unrelated.
1
Michael Herndon (Author) commented:
Thank you again, Cliff.

So, the UPN will be the basis for O365 username.

When an Exchange license is assigned to a user, the email address and mailbox are created. That email address is based on the email properties of the user.

And as long as the email domain is a verified domain on the O365 tenant with an updated MX record, mail flow will go to O365.

Is that all correct?
0
Cliff Galiher commented:
Yes.
1
Michael Herndon (Author) commented:
Thank you, Cliff. Your expertise is extremely helpful.

From a testing standpoint, before the MX record is updated for incoming mail, the O365 mail can be tested as far as log in, authentication, and sending a test message, just not as far as receiving mail.  Is that right?
0
Cliff Galiher commented:
Yes.
1
Pber (Solutions Architect) commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- Cliff Galiher (https:#a42405834)
-- Todd Nelson (https:#a42406004)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Pber
Experts-Exchange Cleanup Volunteer
0