Tuesday, July 25, 2017

Sync local AD to office 365 In Cloud accounts

Environment:
In Cloud accounts for all local accounts.
Existing Exchange server
O365 tenant operating as EOP
AD and O365 tenant are different names (localcompany.com, cloudcompany.com)
Azure AD Connect on another domain (DNS entries so the servers can see each other)

"cloudcompany.com" was added as an alternative UPN suffix to the localcompany.com AD, so it shows up in the User Logon Name drop-down

LogonName:
In AD Users and Computers, Account tab, User Logon Name.
In the drop-down there will be an option for the O365 domain. In my case, the naming convention also changed from first initial + last name to firstname.lastname. I changed the User Logon Name to match what was in Office 365, first.last@cloudcompany.com

Change Display name to match:
Another convention that changed was First Last on the local AD to Last, First in the cloud. I changed the Display Name to match what is going to be in Office 365.
NOTE:
All address fields and information in the local AD will overwrite anything you already have in Office 365, so make sure the local AD is clean and has the information you want in Office 365.

Created a connection rule to forward all localcompany.com email to our local server; this was in addition to the regular connection rule.

Matched Primary SMTP of local account to Cloud account.
(This is what MS says to do; doing this fucks up the connection rule forward. Adding the primary cloud SMTP as an alias is all you need.)


Went through the Azure AD Connect wizard to select the OUs that had the users I wanted to sync.

Previously synced Office 365 accounts, like with OKTA for example, are fubared and won't sync (fixed later). These accounts threw errors:
This object has been updated in your Azure Active Directory, but with some modified properties, because the following attributes are associated with another object [UserPrincipalName


Also, I ended up needing the host domain as the primary SMTP in the cloud to add to Outlook using the O365 connector in Outlook. I had originally planned to have both internal and O365 accounts in the Outlook client, but the matching names messed everything up. Then I thought I'd create a new account for access to public folders; this also didn't work. It worked for the first few people, but as it scaled out it became unusable. This may be due to session limitations on individual users.


All synced users were hidden from the O365 GAL... msExchHideFromAddressLists was null; changed it to False and they started showing up. This change took 24 hours to complete.
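The manual attribute edits described above (User Logon Name in the Account tab, Display Name, the cloud SMTP alias, and the null msExchHideFromAddressLists) can be checked and, if wanted, applied in one pass before the Azure AD Connect wizard is run. The following PowerShell is an added example, not the author's script; it assumes the RSAT ActiveDirectory module is installed, and the OU path and the two domain names are placeholders taken from the post. Run it without -Apply for a report only; with -Apply it honours -WhatIf.

```powershell
<#
Added example (not from the original post). Pre-flight check and optional fix of the
attributes the post changed by hand before syncing with Azure AD Connect:
  - UserPrincipalName          -> first.last@cloudcompany.com (UPN suffix must already exist)
  - DisplayName                -> "Last, First"
  - proxyAddresses             -> add smtp:first.last@cloudcompany.com as a secondary alias
                                  (the existing primary SMTP: address is left untouched)
  - msExchHideFromAddressLists -> $false when it is null, so the user appears in the GAL
Assumptions: RSAT ActiveDirectory module; OU path and domain names are placeholders.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase  = 'OU=Users,DC=localcompany,DC=com',  # placeholder OU
    [string]$CloudDomain = 'cloudcompany.com',                  # tenant domain from the post
    [switch]$Apply
)

Import-Module ActiveDirectory

$props = 'GivenName', 'Surname', 'UserPrincipalName', 'DisplayName',
         'proxyAddresses', 'msExchHideFromAddressLists'
$users = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' -Properties $props

$report = foreach ($u in $users) {
    # Accounts without a first and last name cannot be mapped to the naming convention.
    if (-not $u.GivenName -or -not $u.Surname) {
        Write-Warning "$($u.SamAccountName): missing GivenName/Surname, skipped"
        continue
    }

    $expectedUpn     = ('{0}.{1}@{2}' -f $u.GivenName, $u.Surname, $CloudDomain).ToLower()
    $expectedDisplay = '{0}, {1}' -f $u.Surname, $u.GivenName
    $expectedAlias   = "smtp:$expectedUpn"

    # -replace is case-insensitive, so both "smtp:" and the primary "SMTP:" prefix are stripped.
    $hasAlias = @($u.proxyAddresses | Where-Object { ($_ -replace '^smtp:', '') -ieq $expectedUpn }).Count -gt 0
    $hidden   = $u.msExchHideFromAddressLists   # $null when the attribute was never set

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        UpnOk          = ($u.UserPrincipalName -ieq $expectedUpn)
        DisplayOk      = ($u.DisplayName -ceq $expectedDisplay)
        AliasOk        = $hasAlias
        GalVisible     = (($null -ne $hidden) -and (-not $hidden))
    }

    if ($Apply) {
        $changes = @{}
        if ($u.UserPrincipalName -ine $expectedUpn) { $changes['UserPrincipalName'] = $expectedUpn }
        if ($u.DisplayName -cne $expectedDisplay)    { $changes['DisplayName']       = $expectedDisplay }
        if ($changes.Count -gt 0 -and
            $PSCmdlet.ShouldProcess($u.SamAccountName, "set $($changes.Keys -join ', ')")) {
            Set-ADUser -Identity $u @changes
        }
        if (-not $hasAlias -and $PSCmdlet.ShouldProcess($u.SamAccountName, "add alias $expectedAlias")) {
            # Lowercase smtp: keeps the local primary address; only a secondary alias is added.
            Set-ADUser -Identity $u -Add @{ proxyAddresses = $expectedAlias }
        }
        if ($null -eq $hidden -and
            $PSCmdlet.ShouldProcess($u.SamAccountName, 'set msExchHideFromAddressLists = False')) {
            Set-ADUser -Identity $u -Replace @{ msExchHideFromAddressLists = $false }
        }
    }
}

$report | Format-Table -AutoSize
```

The report is the part worth running first: any row with UpnOk or AliasOk set to False is an account that Azure AD Connect will not be able to soft-match to the existing cloud user, which is the situation behind the "associated with another object [UserPrincipalName" error above. The alias is added in lowercase smtp: form on purpose, following the post's point that the cloud address only needs to be present as an alias, not swapped in as the primary SMTP address.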

Fuck this shit, never again. This migration almost made me quit.


Tips:
DO NOT do a staged migration this way. If you are going to migrate from on-prem to the cloud, do it like a band-aid, fast and on 2. (1...2...pull...3)
