
2rwxh (2rwxh) asked a question.
We currently have 1 domain with 1 AD integration using the agents, and this domain is federated with O365 to allow for sign-on to O365 with AD credentials.
We have set up a new domain that we are migrating all of our AD accounts and Computer objects from the domain above to the new domain. My question is multi-faceted.
1) What is required to get both AD directories working at the same time for a limited amount of time during the migration?
2) When adding the second directory by installing the agents on the new AD domain controllers, what will it look like to the end user on the login page? Will there just be a second drop-down for domain? Can you default it? We want to add the domain without it affecting logins for the old domain.
3) If we use the Microsoft AD sync service for the new domain and sync to O365, will that be OK with the federation with the old domain that is in place now? Can it run in parallel during the migration?
4) Any special requirements I might be missing to make this as seamless as possible for the end users?

Hello @2rwxh (2rwxh)
Thanks for posting.
1) What is required to get both AD directories working at the same time for a limited amount of time during the migration?
Please take a look at this document with the explanation:
https://support.okta.com/help/s/article/Migrating-users-from-one-domain-to-another-Using-Okta?language=en_US
Basically, what could happen is that you get duplicated users. To avoid this, you can modify the profile source to choose the preferred order to update attributes.
2) When adding the second directory by installing the agents on the new AD domain controllers, what will it look like to the end user on the login page? Will there just be a second drop-down for domain? Can you default it? We want to add the domain without it affecting logins for the old domain.
This process is transparent to the end users: they will see the regular sign-in page. The difference will be the authentication process, depending on where the users are sourced. For example:
Users from AD1 will authenticate with the old DCs and users from AD2 will authenticate with the new ones.
3) If we use the Microsoft AD sync service for the new domain and sync to O365, will that be OK with the federation with the old domain that is in place now? Can it run in parallel during the migration?
Assuming that your new domain matched the Okta account that was provisioned by the old domain.
- You can map the immutable ID (ObjectGUID) from OLD to a custom attribute in Okta.
- Create a new O365 app that is SSO enabled, and map the custom attribute to the ImmutableID in the O365 app (Okta to O365).
- You will need to adjust the mapping and update it accordingly when you switch over to the new domain (areas you may need to look into: Okta provisioning to O365, conditional statements for users with an existing ImmutableID based on AD vs. ImmutableID based on the Okta id, and possibly attribute-level mastering).
4) Any special requirements I might be missing to make this as seamless as possible for the end users?
Take into account contacting Professional Services to help you out with a personalized solution if necessary.
Let us know if this helps you.
Daniela Chavarria.
Okta Inc.
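The ImmutableID mapping described in the answer above (base64 of the old domain's ObjectGUID, a conditional fall-back to the Okta id, and a pre-flight check before switch-over so provisioning does not create duplicate O365 users) as an added, stand-alone Python example. It is not code from the question, the answer, or Okta: the real mapping is written in Okta Expression Language, which this script only simulates. The attribute names `old_ad_object_guid` and `new_ad_object_guid`, the Okta user ids, logins and GUIDs are constructed sample values.

```python
import base64
import uuid
from dataclasses import dataclass
from typing import Dict, List, Optional


def immutable_id_from_object_guid(object_guid: str) -> str:
    """Return the ImmutableID (sourceAnchor) that Microsoft's directory sync derives
    from an AD objectGUID: base64 of the GUID's 16 raw bytes in AD's on-disk byte
    order (uuid.bytes_le in Python), NOT base64 of the textual GUID string."""
    return base64.b64encode(uuid.UUID(object_guid).bytes_le).decode("ascii")


@dataclass
class OktaUser:
    okta_id: str                        # Okta user id (constructed sample value)
    login: str                          # Okta login / O365 UPN
    old_ad_object_guid: Optional[str]   # hypothetical custom attribute: OLD domain objectGUID
    new_ad_object_guid: Optional[str]   # hypothetical custom attribute: NEW domain objectGUID


def choose_immutable_id(user: OktaUser, cut_over_to_new_domain: bool) -> str:
    """Conditional mapping for the O365 app's ImmutableID attribute.
    Before cut-over, users sourced from the old AD keep the anchor the existing
    federation already knows (base64 of the old objectGUID). After cut-over, the
    new domain's objectGUID is used when present. Users with no AD anchor at all
    fall back to the Okta id, so every user still gets a stable, non-empty anchor."""
    if cut_over_to_new_domain and user.new_ad_object_guid:
        return immutable_id_from_object_guid(user.new_ad_object_guid)
    if user.old_ad_object_guid:
        return immutable_id_from_object_guid(user.old_ad_object_guid)
    return user.okta_id


def find_anchor_conflicts(users: List[OktaUser],
                          existing_o365_anchors: Dict[str, str],
                          cut_over_to_new_domain: bool) -> List[str]:
    """Pre-flight check before flipping the mapping: report logins whose computed
    ImmutableID differs from the anchor O365 already holds for that UPN. Such a
    mismatch is exactly the case that produces a second, duplicate cloud user
    instead of an update to the existing one."""
    conflicts = []
    for u in users:
        computed = choose_immutable_id(u, cut_over_to_new_domain)
        current = existing_o365_anchors.get(u.login)
        if current is not None and current != computed:
            conflicts.append(u.login)
    return conflicts


# Constructed sample data: one user that exists in both domains, one only in the
# new domain, and one cloud-only user without any AD objectGUID.
SAMPLE_USERS = [
    OktaUser("00u1", "alice@example.com",
             "12345678-1234-5678-1234-567812345678",
             "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"),
    OktaUser("00u2", "bob@example.com", None, "0f0f0f0f-1e1e-2d2d-3c3c-4b4b4b4b4b4b"),
    OktaUser("00u3", "carol@example.com", None, None),
]

# Anchors that O365 already holds (constructed): alice was provisioned by the
# old domain's federation, so her anchor is the old objectGUID in base64.
EXISTING_O365_ANCHORS = {
    "alice@example.com": immutable_id_from_object_guid("12345678-1234-5678-1234-567812345678"),
}


def main() -> None:
    for phase, cut_over in (("before cut-over", False), ("after cut-over", True)):
        print(phase)
        for u in SAMPLE_USERS:
            print(f"  {u.login}: ImmutableID={choose_immutable_id(u, cut_over)}")
        print("  conflicts:", find_anchor_conflicts(SAMPLE_USERS, EXISTING_O365_ANCHORS, cut_over))


if __name__ == "__main__":
    main()
```

Running it shows alice's anchor staying stable before cut-over and being flagged as a conflict after cut-over, because her new objectGUID would no longer match the anchor O365 already holds; that is the case the answer's "conditional statements" have to handle (keep the old anchor for such users, or hard-match them on the O365 side) before the mapping is switched.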