By Abhijit Tiwari

How to migrate users on Office 365 after an AD migration or ADMT move


Recently, I dealt with a situation where a customer was migrating AD objects from one forest to another. There are many reasons why you might wish to do that; in my case, the customer was decommissioning Server 2003 and had set up Server 2012 R2. In my previous article on hard-matching user accounts, I described that once a user is synced, the objectGUID from the local AD is stamped on the cloud object as the source anchor, stored as a Base64 value. This operation occurs only once during an object's lifetime. The problem is that once you migrate the users to the new domain/forest, the objectGUID changes as well, and you start getting errors such as "Attribute Value Must Be Unique".

The reason is that Azure AD already has a provisioned user account from the old domain, linked by the old objectGUID. The most logical fix would be to change the objectGUID to the new value, but this isn't possible while DirSync is enabled. To fix the issue, follow these steps:

  1. Disable DirSync once the migration between domains is complete. Once you disable it, you cannot enable DirSync again for another 72 hours, so make sure this is planned. You don't lose data in the cloud (I am not discussing a hybrid environment) and the passwords remain the same after you disable DirSync, so ideally there is no extensive impact on your users. The only downside is that changes in the directory won't be synced across during that window.

  2. Run the following Azure AD PowerShell commands to remove the old objectGUID, or ImmutableID:

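    # Load the MSOnline module and sign in to the tenant
    Import-Module MSOnline
    Connect-MsolService

    # Collect the UPN of every user in the tenant
    $Users = Get-MsolUser -All | Select-Object UserPrincipalName

    # Clear the ImmutableID (the old source anchor) on each cloud account
    foreach ($User in $Users) {
        Set-MsolUser -UserPrincipalName $User.UserPrincipalName -ImmutableId "$null"
    }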

After 72 hours, enable DirSync and configure AD Connect in the new forest. The users will be matched to the cloud accounts automatically, based upon the proxyAddresses value.

Important note: If you have a new domain name, make sure you verify it on Office 365. You might have to change the UPN for all users; this too can be done using the PowerShell script given below:

    Import-Module MSOnline
    Connect-MsolService

    $Users = Get-MsolUser -All | Select-Object UserPrincipalName

    # Swap the old domain suffix for the new one in each user's UPN
    foreach ($User in $Users) {
        Set-MsolUserPrincipalName -UserPrincipalName $User.UserPrincipalName -NewUserPrincipalName $User.UserPrincipalName.Replace("Enter Old domain name here", "Enter New Domain Name")
    }

It is assumed that you have used the ADMT tool to conduct the migration to the new domain. If you are using some other tool or mechanism, make sure that the old proxyAddresses and other attributes are populated for each object; otherwise duplicate accounts might be created. In the worst cases, I have seen the cloud proxy addresses or other attributes being overwritten by local AD values, which means that anything that is not in the local AD is no longer in the cloud either.
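The proxyAddresses check described above can be run before sync is re-enabled. The following is an added example, not part of the original article: a hypothetical `Find-SoftMatchGap` function compares cloud accounts with users in the new forest and flags primary SMTP addresses that are missing there or claimed by more than one AD user. It assumes a cloud account is matchable when its primary SMTP address appears in an AD user's proxyAddresses; the sample data is constructed.

```powershell
# Added example; function name and all sample data are hypothetical/constructed.
function Find-SoftMatchGap {
    param(
        [Parameter(Mandatory)] [object[]] $CloudUsers,  # e.g. output of Get-MsolUser -All
        [Parameter(Mandatory)] [object[]] $AdUsers      # e.g. Get-ADUser -Filter * -Properties proxyAddresses
    )
    # Index every SMTP address found in the new forest (lower-cased) to its owners.
    $index = @{}
    foreach ($ad in $AdUsers) {
        foreach ($addr in @($ad.proxyAddresses)) {
            if ($addr -notmatch '^smtp:') { continue }   # -notmatch ignores case
            $key = $addr.Substring(5).ToLowerInvariant()
            if (-not $index.ContainsKey($key)) { $index[$key] = @() }
            $index[$key] += $ad.SamAccountName
        }
    }
    foreach ($cloud in $CloudUsers) {
        # The primary address is the entry with the upper-case "SMTP:" prefix.
        $primary = @($cloud.ProxyAddresses) | Where-Object { $_ -cmatch '^SMTP:' } | Select-Object -First 1
        $key = $null; $owners = @()
        if ($primary) { $key = $primary.Substring(5).ToLowerInvariant() }
        if ($key -and $index.ContainsKey($key)) { $owners = @($index[$key]) }
        $status = 'OK'
        if (-not $primary)           { $status = 'NoPrimarySmtpInCloud' }
        elseif ($owners.Count -eq 0) { $status = 'MissingInNewForest' }       # would create a duplicate
        elseif ($owners.Count -gt 1) { $status = 'ClaimedByMultipleAdUsers' } # uniqueness conflict
        [pscustomobject]@{
            UserPrincipalName = $cloud.UserPrincipalName
            PrimarySmtp       = $key
            AdOwners          = $owners -join ','
            Status            = $status
        }
    }
}

# Constructed sample data (not from a real tenant).
$cloud = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; ProxyAddresses = @('SMTP:alice@contoso.example') },
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   ProxyAddresses = @('SMTP:bob@contoso.example', 'smtp:rob@contoso.example') }
)
$ad = @(
    [pscustomobject]@{ SamAccountName = 'alice'; proxyAddresses = @('SMTP:alice@contoso.example') },
    [pscustomobject]@{ SamAccountName = 'bob';   proxyAddresses = @() }   # attribute lost in migration
)
Find-SoftMatchGap -CloudUsers $cloud -AdUsers $ad | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```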
