I was recently consolidating two Active Directory domains, and to complete this task I used the following high-level process:
- Configure a trust relationship between the domains
- Configure AADC (Azure AD Connect) to synchronise accounts from both domains into a single Office 365 tenant. (One of the domains was already using in-cloud accounts for O365.)
- Use a PowerShell script to export the existing OU structure and recreate in the destination domain
- Use a PowerShell script (https://gallery.technet.microsoft.com/Migrate-Group-Policy-2b5067d8) to migrate Group Policy objects to the destination domain and link to the recreated OUs (also using FNR to manipulate the XML files)
- Use ADMT to migrate Groups
- Use ADMT to migrate User Accounts
The following is a brain dump of commands I've used:
First install the Microsoft Online Services Sign-In Assistant for IT Professionals RTW from the Microsoft Download Center. Then install the Azure Active Directory Module for Windows PowerShell (64-bit version) and click Run to run the installer package.
#Install Module
Install-Module MSOnline
#Import Module
Import-Module MSOnline
#Connect to Office 365
$UserCredential = Get-Credential
Connect-MsolService -Credential $UserCredential
#Backup the existing Domain configuration
$LogfileDir = "C:\logs"
Get-MsolDomain | Select * | Export-Csv $LogfileDir\O365_Get-MsolDomain.csv -Append -NoTypeInformation -Encoding Unicode
#Backup the federation settings of each domain (only federated domains return settings; a managed domain, and the .onmicrosoft.com domain, which can never be federated, will error)
Get-MsolDomainFederationSettings -DomainName domain.onmicrosoft.com | Select * | Export-CSV C:\logs\MsolDomainFederationSettings.csv -Append -NoTypeInformation
Get-MsolDomainFederationSettings -DomainName domain.org.uk | Select * | Export-CSV C:\logs\MsolDomainFederationSettings.csv -Append -NoTypeInformation
Get-MsolDomainFederationSettings -DomainName domain.com | Select * | Export-CSV C:\logs\MsolDomainFederationSettings.csv -Append -NoTypeInformation
#Backup the properties of all MSOL Users to file
Start-Transcript
Get-MsolUser -All | Select *
Stop-Transcript
#Backup UPN and ImmutableID - Single user
Get-MsolUser -UserPrincipalName test.user0003@devpetersenit.ltd | FL
#Backup UPN and ImmutableIDs - All Users (multi-valued properties are joined, otherwise Export-Csv writes the collection type name instead of the values)
Get-MsolUser -All | Select-Object DisplayName,SignInName,UserPrincipalName,@{name="ProxyAddresses";expression={$_.ProxyAddresses -join ";"}},@{name="Licenses";expression={$_.Licenses.AccountSku.SkuPartNumber -join ";"}},ImmutableID,WhenCreated,LastDirSyncTime,IsLicensed | Export-Csv C:\temp\MSOUsers3.csv -NoTypeInformation
#Get license SKUs
Get-MsolAccountSku | Select * | Export-Csv C:\temp\sku.csv -NoTypeInformation
#Export attributes to work with to CSV
Get-MsolUser -All | Select-Object DisplayName,SignInName,UserPrincipalName,@{name="ProxyAddresses";expression={$_.ProxyAddresses -join ";"}},@{name="Licenses";expression={$_.Licenses.AccountSku.SkuPartNumber -join ";"}},ImmutableID,WhenCreated,LastDirSyncTime,IsLicensed | Export-Csv C:\temp\MSOUsers3.csv -NoTypeInformation
######
# GET-AD Info
#######
Import-Module ActiveDirectory
Get-ADUser -Filter * -SearchBase "DC=INTERNAL,DC=domain,DC=COM" -Properties Mail | Select DistinguishedName,Enabled,GivenName,Name,ObjectClass,ObjectGUID,SamAccountName,SID,Surname,UserPrincipalName,Mail | Export-Csv ADUsers.csv -NoTypeInformation
#Move the user/s AD account into an OU which is not synchronised with Office 365 - Run Azure AD Connect and check sync status
#Force an AADC update
#Run the following to check the account has been marked as deleted
Get-MsolUser -ReturnDeletedUsers
#...and keep a record of the deleted users
Get-MsolUser -ReturnDeletedUsers | Select-Object UserPrincipalName | Export-Csv .\deletedusers01082018.csv -NoTypeInformation
#Restore the account to a cloud account
Restore-MsolUser -UserPrincipalName "test.user0003@devpetersenit.ltd"
#Check the account is no longer synced with Active Directory and is marked as a Cloud account
#Clear the user's ImmutableID (the quoted "$null" is deliberate: the cmdlet accepts an empty string to clear the value)
Set-MsolUser -UserPrincipalName test.user0003@devpetersenit.ltd -ImmutableId "$null"
#Migrate the user using ADMT and ensure the UPN is amended to match the source UPN (it might be worthwhile migrating into an OU that is not synced, or pausing synchronisation during the migration)
#Change UPN if required
#Rename a user: -UserPrincipalName is the current UPN, -NewUserPrincipalName is the new one
Set-MsolUserPrincipalName -UserPrincipalName "Test.User1@domain1.local" -NewUserPrincipalName "Test.User1@newdomain.com"
#Move account back into OU that has Syncing allowed
#Start a Delta Sync
Start-ADSyncSyncCycle -PolicyType Delta
#Verify in O365 that the account shows as "Synced with Active Directory" rather than "In Cloud"
#Check Proxy addresses to ensure that all proxy addresses for the account have been applied; if so, the user can continue to use the account.
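The detach / re-attach sequence above, scripted for a list of users with the checks that the post does by eye done in code. This is an added example and not part of the original post. Everything below is a placeholder assumption: the MSOnline and ActiveDirectory modules are loaded and Connect-MsolService has been run; $AadcServer is the Azure AD Connect server (Start-ADSyncSyncCycle only exists there); $StagingOu is an OU excluded from the AADC sync scope; $SourceDc/$DestDc are domain controllers in the two domains; $DestOu is a synced OU in the destination domain; the user list is constructed sample input.

```powershell
# Added example, not from the original post. All names below are assumed placeholders.
$AadcServer = 'aadc01.internal.domain.com'
$SourceDc   = 'dc01.internal.domain.com'
$StagingOu  = 'OU=NoSync,DC=INTERNAL,DC=domain,DC=COM'           # outside the AADC sync scope
$DestDc     = 'dc01.domain2.local'
$DestOu     = 'OU=Users,OU=Migrated,DC=domain2,DC=local'        # inside the AADC sync scope
$Users      = @(@{ OldUpn = 'test.user0003@devpetersenit.ltd'; NewUpn = 'test.user0003@devpetersenit.ltd' })

function Invoke-DeltaSync {
    # Run the delta sync on the AADC server and block until the cycle has finished
    Invoke-Command -ComputerName $AadcServer -ScriptBlock {
        Import-Module ADSync
        while (Get-ADSyncConnectorRunStatus) { Start-Sleep -Seconds 10 }   # wait for any running cycle
        Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
        Start-Sleep -Seconds 15
        while (Get-ADSyncConnectorRunStatus) { Start-Sleep -Seconds 10 }   # wait for this one
    }
}

function Get-CloudSnapshot {
    param([string]$Upn)
    # Record the cloud account before touching it so the result can be compared afterwards
    $u = Get-MsolUser -UserPrincipalName $Upn
    [pscustomobject]@{
        ImmutableId    = $u.ImmutableId
        ProxyAddresses = @($u.ProxyAddresses | Sort-Object)
        Licenses       = @($u.Licenses.AccountSku.SkuPartNumber)
    }
}

function Wait-MsolUserDeleted {
    param([string]$Upn, [int]$TimeoutMinutes = 30)
    # The account only shows up as deleted once AADC has exported the out-of-scope deletion
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        if (Get-MsolUser -ReturnDeletedUsers -All | Where-Object UserPrincipalName -eq $Upn) { return }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    throw "$Upn was not soft-deleted within $TimeoutMinutes minutes; is $StagingOu really outside the sync scope?"
}

function Invoke-PreAdmtDetach {
    param([string]$Upn)
    # Move the source account out of scope, let the cloud object soft-delete, restore it as in-cloud
    $adUser = Get-ADUser -Server $SourceDc -Filter "UserPrincipalName -eq '$Upn'"
    if (-not $adUser) { throw "No source account found for $Upn" }
    Move-ADObject -Server $SourceDc -Identity $adUser -TargetPath $StagingOu
    Invoke-DeltaSync
    Wait-MsolUserDeleted -Upn $Upn
    Restore-MsolUser -UserPrincipalName $Upn
    # Empty-string ImmutableId detaches the old source anchor so AADC can soft-match the migrated account on UPN / primary SMTP
    Set-MsolUser -UserPrincipalName $Upn -ImmutableId "$null"
    $cloud = Get-MsolUser -UserPrincipalName $Upn
    if ($cloud.ImmutableId) { throw "ImmutableId on $Upn is still '$($cloud.ImmutableId)'; stop before running ADMT" }
}

function Invoke-PostAdmtReattach {
    param([string]$OldUpn, [string]$NewUpn, $Before)
    # After ADMT: align the UPN, move the migrated account into a synced OU, sync, then verify
    if ($OldUpn -ne $NewUpn) {
        Set-MsolUserPrincipalName -UserPrincipalName $OldUpn -NewUserPrincipalName $NewUpn
    }
    $migrated = Get-ADUser -Server $DestDc -Filter "UserPrincipalName -eq '$NewUpn'"
    if (-not $migrated) { throw "ADMT has not created $NewUpn in the destination domain yet" }
    Move-ADObject -Server $DestDc -Identity $migrated -TargetPath $DestOu
    Invoke-DeltaSync
    $after = Get-MsolUser -UserPrincipalName $NewUpn
    # A synced account carries an ImmutableId and a LastDirSyncTime; an "In Cloud" account has neither
    if (-not $after.ImmutableId -or -not $after.LastDirSyncTime) {
        throw "$NewUpn is still an in-cloud account: soft-match did not happen (check that UPN / primary SMTP match)"
    }
    $missing = $Before.ProxyAddresses | Where-Object { $_ -notin @($after.ProxyAddresses) }
    if ($missing) { Write-Warning "$NewUpn is missing proxy addresses: $($missing -join ', ')" }
    else { Write-Host "$NewUpn re-attached; all $($Before.ProxyAddresses.Count) proxy addresses present" }
}

# Phase 1, before ADMT: snapshot and detach every user
$snapshots = @{}
foreach ($u in $Users) {
    $snapshots[$u.OldUpn] = Get-CloudSnapshot -Upn $u.OldUpn
    Invoke-PreAdmtDetach -Upn $u.OldUpn
}
# ... run ADMT here, migrating into an OU that is not in the sync scope ...
# Phase 2, after ADMT: re-attach and verify against the snapshot
foreach ($u in $Users) {
    Invoke-PostAdmtReattach -OldUpn $u.OldUpn -NewUpn $u.NewUpn -Before $snapshots[$u.OldUpn]
}
```

The snapshot taken before detaching is what makes the final check meaningful: if any proxy address from the old account is missing after the re-sync, the user's mail routing is broken and the account should not be handed back until the migrated on-prem object carries the full set.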
######### Migrate Azure AD Connect if required
#Download AADC Documenter from - https://github.com/Microsoft/AADConnectConfigDocumenter/releases
#Instructions at - https://github.com/Microsoft/AADConnectConfigDocumenter/blob/master/README.md
#Import AADC Module (on the Azure AD Connect server)
Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync" -Verbose
#Start a Delta Sync
Start-ADSyncSyncCycle -PolicyType Delta
#Export the existing configuration
Get-ADSyncServerConfiguration -Path c:\temp\
#Copy the configuration export files produced in the previous step to a folder under the "Data" directory of the Documenter tool.
#e.g. the "Pilot" configuration files for the
######### Recreate OU Structure
#Import AD Module
Import-Module ActiveDirectory
#Get OU Structure to CSV
Get-ADOrganizationalUnit -Filter * | Select Name,DistinguishedName | Export-Csv -Path C:\Migration\ADOrganizationalUnitsexport.csv -NoTypeInformation
######### Manipulate data in Excel
#Create OU
New-ADOrganizationalUnit -Name "OU1" -Path "DC=domain2,DC=local" -ProtectedFromAccidentalDeletion $False
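The same three steps (export, rewrite the DNs, create) without the Excel round trip, as an added example that is not part of the original post. It reads the CSV produced by the Get-ADOrganizationalUnit export above, swaps the domain suffix, and creates OUs shallowest-first so every parent exists before its children. The source suffix, CSV path and destination suffix are placeholder assumptions; run it from the destination domain with rights to create OUs there.

```powershell
# Added example, not from the original post. Paths and DN suffixes are assumed placeholders.
Import-Module ActiveDirectory
$CsvPath  = 'C:\Migration\ADOrganizationalUnitsexport.csv'
$SourceDn = 'DC=INTERNAL,DC=domain,DC=COM'   # suffix of the exported DNs (assumed)
$TargetDn = 'DC=domain2,DC=local'            # destination domain (as in the post)

function ConvertTo-TargetDn {
    param([string]$Dn)
    # Keep the OU path exactly as exported, swap only the domain suffix
    if (-not $Dn.EndsWith($SourceDn, [StringComparison]::OrdinalIgnoreCase)) {
        throw "$Dn is not under $SourceDn"
    }
    $Dn.Substring(0, $Dn.Length - $SourceDn.Length) + $TargetDn
}

function Get-ParentDn {
    param([string]$Dn)
    # Strip the leading RDN; the pattern tolerates escaped characters such as "OU=Sales\, EMEA"
    $Dn -replace '^OU=(?:\\.|[^,\\])+,', ''
}

function Get-OuDepth {
    param([string]$Dn)
    # Number of OU components: a parent always has fewer than its children
    ([regex]::Matches($Dn, '(?i)(?:^|,)OU=')).Count
}

function Test-DnExists {
    param([string]$Dn)
    # -Identity lookups throw on a missing object, so treat the exception as "absent"
    try { Get-ADObject -Identity $Dn -ErrorAction Stop | Out-Null; $true } catch { $false }
}

function New-OuTree {
    param([string]$Path, [switch]$WhatIf)
    $rows = Import-Csv -Path $Path | Sort-Object { Get-OuDepth $_.DistinguishedName }
    foreach ($row in $rows) {
        $targetDn = ConvertTo-TargetDn $row.DistinguishedName
        if (Test-DnExists $targetDn) { Write-Verbose "Exists: $targetDn"; continue }
        $parentDn = Get-ParentDn $targetDn
        if (-not (Test-DnExists $parentDn)) {
            Write-Warning "Parent $parentDn is missing, skipping $targetDn"
            continue
        }
        # Protection is left off while the tree is being built, as in the post;
        # set it back to $true once the migration is complete
        New-ADOrganizationalUnit -Name $row.Name -Path $parentDn -ProtectedFromAccidentalDeletion $false -WhatIf:$WhatIf
    }
}

New-OuTree -Path $CsvPath -WhatIf   # dry run first; drop -WhatIf to create the OUs
```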
#Connect to the tenant
$cred = Get-Credential
Connect-MsolService -Credential $cred
#Backup the existing configuration
Get-MsolDomain | Select * | Export-Csv MsolDomainBefore.csv -Append -NoTypeInformation
#Backup the properties of the domain
Get-MsolDomainFederationSettings -DomainName domain.com | Select * | Export-CSV MsolDomainFederationSettings.csv -Append -NoTypeInformation
#Convert the domain from federated to managed (users then authenticate with a cloud password, so make sure password hash sync is on or reset their passwords first)
Set-MsolDomainAuthentication -Authentication Managed -DomainName "domain.com"
#Export the domain configuration after
Get-MsolDomain | Select * | Export-Csv MsolDomainAfter.csv -Append -NoTypeInformation
#Migrate Group Policies to new domain using - https://gallery.technet.microsoft.com/Migrate-Group-Policy-2b5067d8
#Use FNR.exe to cycle through the XML files and change the linked OU string https://archive.codeplex.com/?p=findandreplace and also find and remove the Default Domain Policy and Default Domain Controllers Policy (do not overwrite the destination domain's own defaults)
#You can also use FNR to replace server names, UNC paths etc., just make sure you test it when restoring the GPO. Anything that embeds a source-domain SID (security filtering, delegation, Restricted Groups) will not resolve in the new domain unless it is mapped with a migration table.
#Export GPO details to CSV
Get-GPO -All | Select * | Export-Csv GPO.CSV -NoTypeInformation
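The GPO step done with the GroupPolicy module instead of FNR over the backup XML, as an added example that is not from the original post or the TechNet script it links. It backs up every GPO in the source domain, imports each into the destination, translates the links recorded in each backup's gpreport.xml to destination DNs, and skips the two default policies. The domain names, backup folder and optional migration table path are placeholder assumptions; the machine running it needs the GroupPolicy and ActiveDirectory modules and rights in both domains.

```powershell
# Added example, not from the original post. Domain names and paths are assumed placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory
$SourceDomain = 'internal.domain.com'
$TargetDomain = 'domain2.local'
$BackupPath   = 'C:\Migration\GPOBackup'
$MigTable     = 'C:\Migration\gpo.migtable'   # maps source SIDs / UNC paths to destination values, if you built one
$Skip         = @('Default Domain Policy', 'Default Domain Controllers Policy')

function ConvertTo-TargetSomDn {
    param([string]$SomPath)
    # gpreport.xml records a link as "source.domain/OU1/OU2"; New-GPLink wants "OU=OU2,OU=OU1,DC=..."
    # (OU names containing "/" are not handled)
    $targetDc = ($TargetDomain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
    $parts = $SomPath.Split('/')
    if ($parts.Count -eq 1) { return $targetDc }            # linked at the domain root
    $ous = @($parts[1..($parts.Count - 1)])
    [array]::Reverse($ous)
    (($ous | ForEach-Object { "OU=$_" }) -join ',') + ',' + $targetDc
}

function Test-DnExists {
    param([string]$Dn)
    try { Get-ADObject -Identity $Dn -Server $TargetDomain -ErrorAction Stop | Out-Null; $true } catch { $false }
}

function Copy-SourceGpos {
    New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
    Backup-GPO -All -Domain $SourceDomain -Path $BackupPath | Out-Null

    foreach ($report in Get-ChildItem -Path $BackupPath -Recurse -Filter gpreport.xml) {
        [xml]$gp = Get-Content -LiteralPath $report.FullName -Raw
        $name = $gp.GPO.Name
        if ($name -in $Skip) { Write-Host "Skipping $name"; continue }

        # The backup folder is named after the backup ID, which is what Import-GPO keys on
        $import = @{
            BackupId       = [guid]$report.Directory.Name.Trim('{}')
            Path           = $BackupPath
            TargetName     = $name
            Domain         = $TargetDomain
            CreateIfNeeded = $true
        }
        if (Test-Path $MigTable) { $import.MigrationTable = $MigTable }
        Import-GPO @import | Out-Null

        foreach ($link in @($gp.GPO.LinksTo)) {
            if (-not $link) { continue }                       # GPO was never linked
            $target = ConvertTo-TargetSomDn $link.SOMPath
            if (-not (Test-DnExists $target)) {
                Write-Warning "$($name): $target does not exist in $TargetDomain, not linked"
                continue
            }
            $enabled  = if ($link.Enabled -eq 'true') { 'Yes' } else { 'No' }
            $enforced = if ($link.NoOverride -eq 'true') { 'Yes' } else { 'No' }
            try {
                New-GPLink -Name $name -Domain $TargetDomain -Target $target -LinkEnabled $enabled -Enforced $enforced | Out-Null
                Write-Host "$name linked to $target"
            } catch { Write-Warning "$name -> $($target): $($_.Exception.Message)" }
        }
    }
}

Copy-SourceGpos
```

Run the OU recreation before this so the translated link targets exist; links whose OU is missing are reported and skipped rather than silently lost, and the migration table, when supplied, is what rewrites source-domain SIDs and UNC paths inside the imported settings.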
#Disabling SID Filtering - Domain (external) Trust. The first domain is the trusting domain, /domain: is the trusted domain
netdom trust {source-domain} /domain:{target-domain} /quarantine:No /userO:{username} /passwordO:{password}
#Disabling SID Filtering - Forest Trust
netdom trust {source-domain} /domain:{target-domain} /enablesidhistory:Yes /userD:{username} /passwordD:{password}
#With SID filtering off the trusting domain honours SIDs carried in sIDHistory from the other domain, so only leave this disabled while ADMT is migrating and re-enable it afterwards (quarantine:Yes / enablesidhistory:No)
#PowerShell Display groups by scope
#The bitwise-AND matching rule requires every bit in the value to be set: 0x80000000 (security group) plus the scope bit, 0x8 universal, 0x2 global, 0x4 domain local, written as signed 32-bit decimals. Distribution groups lack the 0x80000000 bit and are not matched.
Import-Module ActiveDirectory
#Universal groups
Get-ADGroup -LDAPFilter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=-2147483640))"
#Global groups
Get-ADGroup -LDAPFilter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=-2147483646))"
#Domain Local groups
Get-ADGroup -LDAPFilter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=-2147483644))"
REM From the destination domain where ADMT is installed, create the ADMT password export key. The .pes file and its password protect the source account passwords that the Password Export Server ships across, so keep the file off shared locations and treat the password (the value below is only an example) as a secret
admt key /option:create /sourcedomain:DOMAIN2.LOCAL /keyfile:"C:\Logs\PES.pes" /keypassword:QwErtyUii34343