PS - Domain Consolidation / Office 365 User Migration

I was recently consolidating two Active Directory domains, and to complete this task I used the following high-level process:


  1. Configure a trust relationship between the domains
  2. Configure AADC to synchronise accounts from both domains into an Office 365 tenant. (One of the domains was already using in-cloud accounts for O365.)
  3. Use a PowerShell script to export the existing OU structure and recreate in the destination domain
  4. Use a PowerShell script (https://gallery.technet.microsoft.com/Migrate-Group-Policy-2b5067d8) to migrate Group Policy objects to the destination domain and link to the recreated OUs (also using FNR to manipulate the XML files)
  5. Use ADMT to migrate Groups
  6. Use ADMT to migrate User Accounts

When performing an AD domain consolidation you need two trusted domains, DomainA and DomainB, and a single Azure AD Connect instance synchronising the accounts from both into a single tenant.

The following is a brain dump of commands I've used:


First install the Microsoft Online Services Sign-In Assistant for IT Professionals RTW from the Microsoft Download Center. Then install the Azure Active Directory Module for Windows PowerShell (64-bit version) and click Run to run the installer package.

#Install Module
Install-Module MSOnline

#Import Module
Import-Module MSOnline

#Connect to Office 365
$UserCredential = Get-Credential
Connect-MsolService -Credential $UserCredential

#Backup the existing Domain configuration
$LogfileDir = "C:\logs"   # folder for the backup exports used below
Get-MsolDomain | Select * | Export-csv $LogfileDir\O365_Get-MsolDomain.csv -Append -NoTypeInformation -Encoding Unicode

#Backup the properties of the domain
Get-MsolDomainFederationSettings -DomainName domain.onmicrosoft.com | Select * | Export-CSV C:\logs\MsolDomainFederationSettings.csv -Append -NoTypeInformation
Get-MsolDomainFederationSettings -DomainName domain.org.uk | Select * | Export-CSV C:\logs\MsolDomainFederationSettings.csv -Append -NoTypeInformation
Get-MsolDomainFederationSettings -DomainName domain.com | Select * | Export-CSV C:\logs\MsolDomainFederationSettings.csv -Append -NoTypeInformation

#Backup the properties of all MSOL Users to file
Start-Transcript
Get-MsolUser -All | Select *
Stop-Transcript

#Backup UPN and ImmutableID - Single user
Get-MsolUser -UserPrincipalName test.user0003@devpetersenit.ltd | FL

#Backup UPN and ImmutableIDs - All Users
Get-MsolUser -All | Select-Object DisplayName,SignInName,UserprincipalName,@{name="ProxyAddresses";expression={$_.ProxyAddresses}},@{name="Licenses";expression={$_.licenses.AccountSku.SkuPartNumber}},ImmutableID,WhenCreated,LastDirSyncTime,IsLicensed | Export-Csv C:\temp\MSOUsers3.csv -NoTypeInformation

#get-license sku
Get-MsolAccountSku | Select * | Export-Csv  C:\temp\sku.csv -NoTypeInformation

#Export Attributes to work with to CSV
Get-MsolUser -All | Select-Object DisplayName,SignInName,UserprincipalName,@{name="ProxyAddresses";expression={$_.ProxyAddresses}},@{name="Licenses";expression={$_.licenses.AccountSku.SkuPartNumber}},ImmutableID,WhenCreated,LastDirSyncTime,IsLicensed | Export-Csv C:\temp\MSOUsers3.csv -NoTypeInformation



#########
# GET-AD Info
#########
Import-Module ActiveDirectory
Get-ADUser -Filter * -SearchBase "DC=INTERNAL,DC=domain,DC=COM" -Properties Mail | Select DistinguishedName,Enabled,GivenName,Name,ObjectClass,ObjectGUID,SamAccountName,SID,Surname,UserPrincipalName,Mail | Export-Csv ADUsers.csv -NoTypeInformation

#Move the user/s AD account into an OU which is not synchronised with Office 365 - Run Azure AD Connect and check sync status

#Force an AADC update

#Run the following to check the account has been marked as deleted
Get-MsolUser -ReturnDeletedUsers

#Export the list of deleted users to CSV
Get-MsolUser -ReturnDeletedUsers | Select-Object userprincipalname | Export-Csv .\deletedusers01082018.csv

#Restore the account to a cloud account
Restore-MsolUser -UserPrincipalName "test.user0003@devpetersenit.ltd"

#Check the account is no longer synced with Active Directory and is marked as a Cloud account

#Clear the user's ImmutableID
set-MsolUser -UserPrincipalName test.user0003@devpetersenit.ltd -ImmutableId "$null"

#Migrate the user using ADMT and ensure the UPN is amended to match the source UPN (it may be worthwhile migrating into an OU that is not synchronised, or pausing synchronisation during the migration)

#Change UPN if required
# get a user and change their UPN
Get-MsolUser -UserPrincipalName Test.User1@domain1.local | Set-MsolUserPrincipalName -UserPrincipalName "Test.User1@newdomain.com"

#Move account back into OU that has Syncing allowed

#Start a Delta Sync
Start-ADSyncSyncCycle -PolicyType Delta

#Verify in O365 that account shows as "Synced with Active Directory" rather than "In Cloud"

#Check Proxy addresses to ensure that all proxy addresses for the account have been applied, if so then the user can continue to use the account.
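The steps above (snapshot, move out of the synced OU, restore, clear ImmutableID, migrate with ADMT, move back, delta sync, verify) are easy to get wrong for a single user and tedious to check by eye for many. The following is an added example, not code from the original post: it records the attributes that must survive the migration before the account is touched, and afterwards checks that the cloud account is synced again, that its ImmutableID now matches the object ADMT created in the destination domain, and that proxy addresses and licences are unchanged. It assumes the MSOnline and ActiveDirectory modules are imported, that Connect-MsolService has been run, and that Azure AD Connect uses the default source anchor (objectGUID, or ms-DS-ConsistencyGuid populated from it), so ImmutableID is the base64 form of the on-premises objectGUID. `$Upn`, `$TargetDC` and `$SnapshotDir` are placeholders.

```powershell
# Added example, not part of the original post. Assumes the MSOnline and
# ActiveDirectory modules are imported and Connect-MsolService has been run.
# $Upn, $TargetDC and $SnapshotDir are placeholders for your own values.

$Upn         = 'test.user0003@devpetersenit.ltd'
$TargetDC    = 'dc01.domain2.local'     # a DC in the destination (ADMT target) domain
$SnapshotDir = 'C:\Migration\Snapshots'

# Record the attributes that must survive the migration, before touching the account.
function Save-MsolUserSnapshot {
    param([string]$UserPrincipalName, [string]$Folder)
    if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }
    $u = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $snapshot = [pscustomobject]@{
        UserPrincipalName = $u.UserPrincipalName
        ImmutableId       = $u.ImmutableId
        LastDirSyncTime   = $u.LastDirSyncTime
        ProxyAddresses    = (@($u.ProxyAddresses) | Sort-Object) -join ';'
        Licenses          = (@($u.Licenses.AccountSku.SkuPartNumber) | Sort-Object) -join ';'
    }
    $file = Join-Path $Folder (($UserPrincipalName -replace '[^\w]', '_') + '.json')
    $snapshot | ConvertTo-Json | Set-Content -Path $file -Encoding UTF8
    return $snapshot
}

# With the default source anchor (objectGUID, or ms-DS-ConsistencyGuid populated from it)
# ImmutableId is the base64 form of the on-premises objectGUID. After ADMT the synced
# value must match the NEW object in the destination domain, not the old one.
function Get-ExpectedImmutableId {
    param([string]$UserPrincipalName, [string]$Server)
    $adUser = Get-ADUser -Server $Server -Filter "UserPrincipalName -eq '$UserPrincipalName'"
    if (-not $adUser) { throw "No user with UPN $UserPrincipalName found on $Server" }
    return [System.Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
}

# Compare the re-synced cloud account with the snapshot and the destination AD object.
function Test-MigratedMsolUser {
    param([string]$UserPrincipalName, [string]$Server, [pscustomobject]$Before)
    $after    = Get-MsolUser -UserPrincipalName $UserPrincipalName
    $expected = Get-ExpectedImmutableId -UserPrincipalName $UserPrincipalName -Server $Server
    $checks = [ordered]@{
        'ImmutableId matches destination objectGUID'         = ($after.ImmutableId -eq $expected)
        'Synced with Active Directory (LastDirSyncTime set)' = ($null -ne $after.LastDirSyncTime)
        'ProxyAddresses unchanged' = (((@($after.ProxyAddresses) | Sort-Object) -join ';') -eq $Before.ProxyAddresses)
        'Licences unchanged'       = (((@($after.Licenses.AccountSku.SkuPartNumber) | Sort-Object) -join ';') -eq $Before.Licenses)
    }
    foreach ($c in $checks.GetEnumerator()) {
        Write-Host ('{0} {1}' -f ($(if ($c.Value) { 'PASS' } else { 'FAIL' }), $c.Key))
    }
    return (@($checks.Values | Where-Object { -not $_ }).Count -eq 0)
}

# Usage: snapshot first, then migrate with ADMT, move the account back into the synced OU,
# run Start-ADSyncSyncCycle -PolicyType Delta and only then verify.
# $before = Save-MsolUserSnapshot -UserPrincipalName $Upn -Folder $SnapshotDir
# Test-MigratedMsolUser -UserPrincipalName $Upn -Server $TargetDC -Before $before
```

Run the snapshot while the account is still "Synced with Active Directory" from the source domain; a FAIL on the ImmutableId check after the delta sync usually means the cloud account was matched to the old object (the ImmutableID was not cleared) or the UPN in the destination domain does not match the cloud UPN.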



######### Migrate Azure AD Connect if required
#Download AADC Documenter from - https://github.com/Microsoft/AADConnectConfigDocumenter/releases
#instructions at - https://github.com/Microsoft/AADConnectConfigDocumenter/blob/master/README.md

#Import AADC Module
Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync" -Verbose

#Start a Delta Sync
Start-ADSyncSyncCycle -PolicyType Delta

#Export the existing configuration
Get-ADSyncServerConfiguration -Path c:\temp\

#Copy the configuration export files produced in the previous step to a folder under the "Data" directory of the Documenter tool.
#e.g. the "Pilot" configuration files for the


######### Recreate OU Structure

#Import AD Module
Import-Module activedirectory

#Get OU Structure to CSV
Get-ADOrganizationalUnit -filter * | select Name,DistinguishedName | Export-csv -path C:\Migration\ADOrganizationalUnitsexport.csv -NoTypeInformation

######### Manipulate data in Excel

#Create OU
New-ADOrganizationalUnit -Name "OU1" -Path "DC=domain2,DC=local" -ProtectedFromAccidentalDeletion $False
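The Excel step is where the DN suffix gets rewritten and the rows get ordered so parents exist before children. As an added example (not the original post's script), the following does that directly from the CSV exported above: it maps each source DN onto the destination naming context, sorts by depth, skips OUs that already exist and supports -WhatIf for a dry run. It assumes the ActiveDirectory module; `$CsvPath`, `$SourceSuffix`, `$TargetSuffix` and `$TargetDC` are placeholders.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory module and
# the CSV produced by the Get-ADOrganizationalUnit export above.
# $CsvPath, $SourceSuffix, $TargetSuffix and $TargetDC are placeholders for your own values.

$CsvPath      = 'C:\Migration\ADOrganizationalUnitsexport.csv'
$SourceSuffix = 'DC=domain1,DC=local'   # naming context the export came from
$TargetSuffix = 'DC=domain2,DC=local'   # naming context to recreate the tree in
$TargetDC     = 'dc01.domain2.local'

# Split a DN on commas that are not escaped (an OU named "Sales\, EMEA" stays intact).
function Split-DistinguishedName {
    param([string]$DistinguishedName)
    return [regex]::Split($DistinguishedName, '(?<!\\),')
}

# Rewrite one source OU DN onto the target naming context and work out name, parent and depth.
function ConvertTo-TargetOu {
    param([string]$SourceDn, [string]$SourceSuffix, [string]$TargetSuffix)
    if (-not $SourceDn.EndsWith($SourceSuffix, [StringComparison]::OrdinalIgnoreCase)) {
        throw "'$SourceDn' is not under '$SourceSuffix'"
    }
    $relative = $SourceDn.Substring(0, $SourceDn.Length - $SourceSuffix.Length).TrimEnd(',')
    $rdns     = Split-DistinguishedName $relative            # e.g. OU=Users, OU=Sales
    $parent   = if ($rdns.Count -gt 1) { ($rdns[1..($rdns.Count - 1)] -join ',') + ",$TargetSuffix" } else { $TargetSuffix }
    return [pscustomobject]@{
        Name     = ($rdns[0] -replace '^OU=', '') -replace '\\,', ','   # unescaped, for -Name
        Path     = $parent
        Depth    = $rdns.Count
        TargetDn = "$($rdns[0]),$parent"
    }
}

# Create the OUs parents-first, skipping any that already exist. Supports -WhatIf.
function New-OuTreeFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path, [string]$SourceSuffix, [string]$TargetSuffix, [string]$Server)
    $ous = Import-Csv -Path $Path |
        ForEach-Object { ConvertTo-TargetOu -SourceDn $_.DistinguishedName -SourceSuffix $SourceSuffix -TargetSuffix $TargetSuffix } |
        Sort-Object Depth, TargetDn
    $created = 0
    foreach ($ou in $ous) {
        $dnFilter = $ou.TargetDn -replace "'", "''"
        if (Get-ADOrganizationalUnit -Server $Server -Filter "DistinguishedName -eq '$dnFilter'") {
            Write-Verbose "Exists: $($ou.TargetDn)"
            continue
        }
        if ($PSCmdlet.ShouldProcess($ou.TargetDn, 'Create OU')) {
            # Protection is left off, as in the post, so the tree can be torn down and rebuilt
            # while testing; turn it back on once the structure is final.
            New-ADOrganizationalUnit -Server $Server -Name $ou.Name -Path $ou.Path -ProtectedFromAccidentalDeletion $false
            $created++
        }
    }
    return $created
}

# Usage: dry run first, then for real.
# New-OuTreeFromCsv -Path $CsvPath -SourceSuffix $SourceSuffix -TargetSuffix $TargetSuffix -Server $TargetDC -WhatIf
# New-OuTreeFromCsv -Path $CsvPath -SourceSuffix $SourceSuffix -TargetSuffix $TargetSuffix -Server $TargetDC -Verbose
```

The same DN rewrite (source suffix to target suffix) is what the GPO XML find-and-replace later in the post has to do for the linked OU strings, so it is worth keeping the two suffix values in one place.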




#Connect to the tenant
$cred = Get-Credential
Connect-MsolService -Credential $cred

#Backup the existing configuration
Get-MsolDomain | Select * | Export-Csv MsolDomainBefore.csv -Append -NoTypeInformation

#Backup the properties of the domain
Get-MsolDomainFederationSettings -DomainName domain.com | Select * | Export-CSV MsolDomainFederationSettings.csv -Append

#Convert the domain from federated to managed
Set-MsolDomainAuthentication -Authentication Managed -DomainName "domain.com"

#Export the domain configuration after
Get-MsolDomain | Select * | Export-Csv MsolDomainAfter.csv -Append -NoTypeInformation


#Migrate Group Policies to new domain Using - https://gallery.technet.microsoft.com/Migrate-Group-Policy-2b5067d8


#Use FNR.exe (https://archive.codeplex.com/?p=findandreplace) to cycle through the XML files and change the linked OU string; also find and remove the Default Domain Policy and Default Domain Controllers Policy

You can also use FNR to replace server names, UNC paths etc.; just make sure you test the result when restoring the GPOs.



#Export GPO details to CSV
Get-GPO -all | Select * | Export-Csv GPO.CSV -NoTypeInformation

#Disabling SID Filtering - Domain Trust
netdom trust {source-domain} /domain:{target-domain} /quarantine:No /usero:{username} /passwordo:{password}

#Disabling SID Filtering - Forest Trust
netdom trust {source-domain} /domain:{target-domain} /enablesidhistory:Yes /userD:{username} /passwordD:{password}
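SID filtering is relaxed here so the destination domain honours sIDHistory on the ADMT-migrated accounts (that is what keeps access to source-domain resources working during the cut-over). While it is off, the trusting domain accepts SIDs from the trusted domain that it would otherwise strip, so the change should be recorded, kept to the migration window, and reverted (/quarantine:Yes, /enablesidhistory:No) once the migration is complete. As an added example, not from the original post, the following captures the SID-filtering attributes of every trust with Get-ADTrust before netdom is run, and afterwards lists any trust whose state still differs from that baseline. It assumes the ActiveDirectory module; `$ReportPath` is a placeholder.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory module;
# $ReportPath is a placeholder for your own location.

$ReportPath = 'C:\Logs\TrustSidFiltering.csv'

# Capture the SID-filtering attributes of every trust the domain holds.
function Get-TrustSidFilteringReport {
    param([string]$Server)
    $params = @{ Filter = '*' }
    if ($Server) { $params['Server'] = $Server }
    Get-ADTrust @params | ForEach-Object {
        [pscustomobject]@{
            Name                    = $_.Name
            Direction               = $_.Direction
            ForestTransitive        = $_.ForestTransitive
            SIDFilteringQuarantined = $_.SIDFilteringQuarantined   # True = /quarantine:Yes in effect
            SIDFilteringForestAware = $_.SIDFilteringForestAware   # forest-trust setting changed by /enablesidhistory
            Captured                = (Get-Date).ToString('s')
        }
    }
}

# Save a baseline before running netdom, so the pre-migration state is on record.
function Save-TrustBaseline {
    param([string]$Path, [string]$Server)
    $report = Get-TrustSidFilteringReport -Server $Server
    $report | Export-Csv -Path $Path -NoTypeInformation
    return $report
}

# After the migration, list trusts whose SID-filtering state still differs from the baseline.
function Compare-TrustSidFiltering {
    param([string]$BaselinePath, [string]$Server)
    $baseline = Import-Csv -Path $BaselinePath
    $current  = Get-TrustSidFilteringReport -Server $Server
    foreach ($t in $current) {
        $b = $baseline | Where-Object { $_.Name -eq $t.Name }
        if (-not $b) { [pscustomobject]@{ Name = $t.Name; Change = 'trust not in baseline' }; continue }
        foreach ($prop in 'SIDFilteringQuarantined', 'SIDFilteringForestAware') {
            if ([string]$t.$prop -ne [string]$b.$prop) {
                [pscustomobject]@{ Name = $t.Name; Change = "$prop was $($b.$prop), now $($t.$prop)" }
            }
        }
    }
}

# Usage:
# Save-TrustBaseline -Path $ReportPath                # before running netdom trust ... /quarantine:No
# Compare-TrustSidFiltering -BaselinePath $ReportPath # after the migration: no output once filtering is restored
```

Run the comparison from the domain whose trust object netdom modified (the first domain named on the netdom command line); the attributes live on that domain's trusted-domain object.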


#PowerShell Display all Universal Groups
import-module activedirectory
Get-ADGroup -LDAPFilter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=-2147483640))"

#PowerShell Display all Global Groups
import-module activedirectory
Get-ADGroup -LDAPFilter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=-2147483646))"

#PowerShell Display all Domain Local Groups
import-module activedirectory
Get-ADGroup -LDAPFilter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=-2147483644))"
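The three magic numbers in those filters are the groupType bit field read as a signed 32-bit integer: 0x2 global, 0x4 domain local, 0x8 universal, with 0x80000000 marking a security-enabled group, so -2147483640 (0x80000008) is "security universal" and so on; because 1.2.840.113556.1.4.803 is the bitwise-AND rule, the filters return security groups only and silently omit distribution groups. As an added example, not from the original post, the following decodes groupType for every group and builds the inventory you would want before handing groups to ADMT. It assumes the ActiveDirectory module; `$InventoryPath` is a placeholder.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory module;
# $InventoryPath is a placeholder.

$InventoryPath = 'C:\Migration\GroupInventory.csv'

# groupType is a bit field: 0x2 global, 0x4 domain local, 0x8 universal, 0x1 built-in,
# 0x80000000 security-enabled (absent = distribution). Read as a signed int the
# security bit makes the value negative, which is why the LDAP filters above use
# -2147483640 (0x80000008), -2147483646 (0x80000002) and -2147483644 (0x80000004).
function ConvertFrom-GroupType {
    param([int]$GroupType)
    $scope = if     ($GroupType -band 0x2) { 'Global' }
             elseif ($GroupType -band 0x4) { 'DomainLocal' }
             elseif ($GroupType -band 0x8) { 'Universal' }
             else                          { 'Unknown' }
    $category = if ($GroupType -band 0x80000000) { 'Security' } else { 'Distribution' }
    return [pscustomobject]@{ Scope = $scope; Category = $category; BuiltIn = [bool]($GroupType -band 0x1) }
}

# Inventory every group with its decoded scope and category, for planning the ADMT group migration.
function Get-GroupInventory {
    param([string]$SearchBase, [string]$Server)
    $params = @{ Filter = '*'; Properties = 'groupType' }
    if ($SearchBase) { $params['SearchBase'] = $SearchBase }
    if ($Server)     { $params['Server'] = $Server }
    Get-ADGroup @params | ForEach-Object {
        $decoded = ConvertFrom-GroupType -GroupType $_.groupType
        [pscustomobject]@{
            Name              = $_.Name
            SamAccountName    = $_.SamAccountName
            DistinguishedName = $_.DistinguishedName
            GroupType         = $_.groupType
            Scope             = $decoded.Scope
            Category          = $decoded.Category
            BuiltIn           = $decoded.BuiltIn
        }
    }
}

# Usage: export the inventory and summarise it by category and scope.
# $groups = Get-GroupInventory
# $groups | Export-Csv -Path $InventoryPath -NoTypeInformation
# $groups | Group-Object Category, Scope | Select-Object Name, Count
```

Built-in groups (BuiltIn = True) are not migration candidates and are worth excluding from the ADMT group list up front; the counts per category and scope give you a quick post-migration comparison against the destination domain.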



REM from the destination domain where ADMT is installed create the ADMT password key
admt key /option:create /sourcedomain:DOMAIN2.LOCAL /keyfile:"C:\Logs\PES.pes" /keypassword:QwErtyUii34343






