Share via

Tenant to Tenant Migration

NK 1 Reputation point
2019-12-02T20:33:56.493+00:00

Hi There,

I have the below scenarios and need suggestions for the same.

  1. Currently, 2 very small companies are part of one on-premises AD. This AD is synced to one tenant for O365 services. The tenant has two verified custom domains. Now these two companies wants their own tenant. What is the best possible way to do this?
    1. Is this an ideal solution to have a full domain controller in Azure Iaas VM in this separation scenario to avoid having any on-premises physical server with the DC role? Once we have a site-to-site VPN connection to Azure, I hope this DC can work as a print server as well to manage on-premises physical print devices.

Thanks,
NG

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,205 questions
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. AmanpreetSingh-MSFT 56,666 Reputation points
    2019-12-03T08:40:50.53+00:00

    @NK
    Answer to question 1 would vary on the basis of how you are separating objects of these 2 companies? However in both cases, you need to remove one of the verified domain from 1 tenant and add that to the other tenant.

    Your scenario must fall under one of the below scenarios:

    1. You have one forest for each company
    2. Users are part of same forest but you are using different upn suffix to separate users of company 1 from users of company 2.

    If you have separate forest for each tenant, you need to use 2 AD Connect Servers and sync users to their respective Tenant.

    If you have single forest for both companies, you need to sync each object only once in an Azure AD tenant using AD Connect.
    alt text

    In this topology, one Azure AD Connect sync server is connected to each Azure AD tenant. The Azure AD Connect sync servers must be configured for filtering so that each has a mutually exclusive set of objects to operate on. You can, for example, scope each server to a particular domain or organizational unit.

    A DNS domain can be registered in only a single Azure AD tenant. The UPNs of the users in the on-premises Active Directory instance must also use separate namespaces. For example, in the preceding picture, three separate UPN suffixes are registered in the on-premises Active Directory instance: contoso.com, fabrikam.com, and wingtiptoys.com. The users in each on-premises Active Directory domain use a different namespace.

    Refer to Topologies for Azure AD Connect for more details.

    For the second question, it should be absolutely fine to have a DC as a print server on Azure IAAS VM provided you have a VPN connection with your on-prem environment.

    1 person found this answer helpful.
  2. Lukas Beran 176 Reputation points
    2019-12-03T11:00:43.65+00:00

    Hi.

    For the second question, I would highly recommend at least 1 local DC, and then another one in Azure. Local DC is much faster than the DC in Azure because it's local. And also in case of some outage of your internet connectivity, our users still have the DC available.

    0 comments
  3. AmanpreetSingh-MSFT 56,666 Reputation points
    2019-12-05T04:00:36.44+00:00

    @NK You would need to perform below steps:

    -------------------------------------------------------------------------------------------------------------

    Please "mark as answer" or "vote as helpful" wherever the information provided helps you to help others in the community.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.