User Profile migration Problem AAD -> AD
-
Customer pulling in smaller firm running Windows clean Azure.
I am to get those users off their Azure and onto the On-prem domain and have been given the task to move not only their data but also their current user account experience.
Going through everything I could find over the weekend I get to the point where I conclude that there is no way to do this.
-There doesn't even seem to be a way to link a local or domain profile to an Azure account?
Has anyone of you done this?
-
@d-cunnings never done that and never heard of anyone doing it. While in theory it should be possible, maybe, it's definitely not what MS or anyone really expects. AD is very much considered legacy and really only there for special cases or existing infrastructure that isn't ready to migrate. They don't expect anyone to be investing in it new.
-
Might not
But to have ~2000 servers and 16000 PCs with thousands of automation settings, GPOs etc. is not moving out just like that.Also the cost for putting just the servers in the cloud would outrun the entire IT departments salary.
I always advise customers to go easy on cloud and see where it goes.
It's a one way street in many ways and I foresee that when "everything is out there" all our collected balls are pinned to the wall..I find the negligence from MS regarding our work astonishing.
The amount of time I spend on stuff like this is just... I cannot fathom that MS has not bothered to build in some general function to lift over profiles either way. -
@d-cunnings said in User Profile migration Problem AAD -> AD:
I always advise customers to go easy on cloud and see where it goes.
I understand what you're saying but there is nothing to see really. It will only go one way. Microsoft want you to move everything to
the cloudtheir cloud.You might not want that but Microsoft will force you with their planned obsolescence scheme, vendor lock-in and if needed with unlawful business practices. That is their MO and it has worked well since the 80s.
Companies that are knee-deep in Microsoft solutions will never be able to wriggle themselves out of that situation. Not until it's too late and too costly and then they just have to abandon any resistance and go full cloud. Company attitude is how they ended up with MS in the first place.
So the reason you can't find an easy way to do move from AAD to AD is because Microsoft doesn't want you to. It's not astonishing negligence, it's the result of a well planned strategy.
-
@d-cunnings said in User Profile migration Problem AAD -> AD:
Customer pulling in smaller firm running Windows clean Azure.
I am to get those users off their Azure and onto the On-prem domain and have been given the task to move not only their data but also their current user account experience.
What specifically about the experience are you trying to ensure?
Can you not use user state migration to backup the profile, backup all data, rebuild the PC - join your domain, log into the newly created AD account - restore the profile, etc..
Of course, the user won't have their O365 account associated, If you have O365 as part of your setup, you can do whatever you're doing to bring that to bare.
-
@d-cunnings said in User Profile migration Problem AAD -> AD:
But to have ~2000 servers and 16000 PCs with thousands of automation settings, GPOs etc. is not moving out just like that.
I'm confused, I thought you were already on AAD and trying to go to a new AD deployment that you didn't have before.
-
@d-cunnings said in User Profile migration Problem AAD -> AD:
Also the cost for putting just the servers in the cloud would outrun the entire IT departments salary.
Nope, AAD is free and requires no servers. It's just a service from MS. I'm not saying that it is good, that I recommend it, nor that I use it. Just pointing out that it's not something that involves servers or necessarily any cost.
AD on Azure is AD, Azure AD is not. I think you are picturing running AD on Azure, and that would be insanely costly and problematic for many reasons. Many of us did AD in the cloud long before MS offered it or even had Azure. But that's a totally different animal than the topic here.
No one (AFAIK) is even hinting at the idea of AD on Azure. That requires VPNs and all kinds of bad things. It's plausible, but a horrible idea.
-
@d-cunnings said in User Profile migration Problem AAD -> AD:
I always advise customers to go easy on cloud and see where it goes.
Cloud is an architecture. There should be no "going easy" or "going hard" or "seeing where it goes." Cloud has been one of the standard approaches for nearly two entire decades now, it's way, way past the point of "mature". We don't just know where it was going to go, but it went there long ago. It's like saying "let's see if this Windows thing takes off."
Cloud should be used logically just like on-prem is. Any amount of emotional involvement in deciding one way or the other is bad. It's really just a logic / math equation. Compare features, cost, capabilities, nothing more. Cloud is mature and extremely well known, there's zero unknown at this point, not since 2004 or so. So there shouldn't be any guessing and you should never need to advise about it - only point out standard decision factors and ensure businesses aren't going insane and being emotional.
I realize many businesses are emotional and illogical about core business decisions, even one that the business has no business even being aware of, but I'd recommend heavily advising them to think logically, rather than attempting to steer a bad emotional response. It might get the right result this time, but it just trains them that acting crazy is acceptable and misses a chance to educate them on how to interact with IT and how to make sound business decisions.
-
@d-cunnings said in User Profile migration Problem AAD -> AD:
I find the negligence from MS regarding our work astonishing.
I don't, I've been watching them since the early 1980s and the market has responded to them over and over again that their audience does not care about stability and reliability and these assumed enterprise functionalities. So why would MS care if their customers do not? The customers are free (and encouraged) to use other products. No one has to use Windows or AD or Azure. And yet customers flock to it and often get burned really badly. Do they stop using it? No.
Case in point, I bet your customer in this example didn't move to Windows in the early 1990s when people were still learning how bad the product line from MS was. They probably implemented Windows long after it was commonly accepted to be pretty bad, that MS had no business care or regard, and long after Microsoft slapped "for entertainment purposes only" stickers on their OS boxes. And yet, they went to it anyway. And I bet, after problems that they have here today, they won't even entertain the idea of using something else.
That's not right or wrong, my point is only that by choosing Windows and staying with Windows and AD and Azure... they are telling Microsoft in clear, certain terms that they are happy to keep paying and that they are a-ok with how MS handles this. So... don't be surprised that MS listens to their customers and gives them the minimum necessary to keep them sticking around.
Businesses voting with their wallets is a very real thing.
-
@d-cunnings said in User Profile migration Problem AAD -> AD:
The amount of time I spend on stuff like this is just... I cannot fathom that MS has not bothered to build in some general function to lift over profiles either way.
This would honestly make absolutely no business sense for them. They have a massive financial incentive to force companies anyway that they can over to Azure AD from AD. They are very, very actively phasing out AD and want it to go away. Investing money into building (and that means supporting, too) tools to shoot themselves in the foot would make no sense. If you want to go against MS' financial interests, you are going to have to either build your own tools or buy them from a third party. MS is not going to pay to encourage you to act against their business interests. If I was an MS shareholder, I'd be pretty upset if MS did that.
Their goal is to make this as painful as possible for you, without actually blocking you from doing it. They want you to rethink this decision, but if management asks if MS blocked you, you can't claim that they did because you are free to migrate by hand, build your own tools, etc.
-
@Pete-S said in User Profile migration Problem AAD -> AD:
I understand what you're saying but there is nothing to see really. It will only go one way. Microsoft want you to move everything to the cloud their cloud.
You might not want that but Microsoft will force you with their planned obsolescence scheme, vendor lock-in and if needed with unlawful business practices. That is their MO and it has worked well since the 80s.Exactly. AND the decision to accept this behaviour was made by whomever (chances are LONG ago) first chose to go down the MS path and is constantly being made by whomever keeps choosing not to leave MS.
Again, not saying that their decision is wrong. I'm saying that this kind of lockin and lack of agility is one of the key decision factors that needs to be considered when Windows, AD, Azure, etc. are chosen. If that lock in and lack of agility is not as important as the features or benefits that those products bring to the table, then they are the right choice. That's just fine. But it means any alternative was deemed to be (and continues to be deemed) too inferior by comparison (for the business need) and therefore the pain that MS causes is not really a pain in the general sense.
-
We do this all the time with the free ProfWiz from https://www.forensit.com/domain-migration.html
They even have video tutorials to do this
This is the most troublesome I have seen with this technique, turned out to be a permissions issue.
https://forum.forensit.com/cannot-determine-local-account-sid_topic2185_post5473.html?KW=azure#5473We've been using ProfWiz, DAILY, for more than 10 years!
-
@JasGot said in User Profile migration Problem AAD -> AD:
They even have video tutorials to do this
To me, video tutorials are more of a pain. Like when I'm looking for a single command I need to run in the middle of the instructions, good luck quickly finding that in a video!
-
@travisdh1 said in User Profile migration Problem AAD -> AD:
@JasGot said in User Profile migration Problem AAD -> AD:
They even have video tutorials to do this
To me, video tutorials are more of a pain. Like when I'm looking for a single command I need to run in the middle of the instructions, good luck quickly finding that in a video!
They might be perfect for someone who has never used ProfWiz before, and wants to accomplish this task.
-
@d-cunnings said in User Profile migration Problem AAD -> AD:
Customer pulling in smaller firm running Windows clean Azure.
I am to get those users off their Azure and onto the On-prem domain and have been given the task to move not only their data but also their current user account experience.
Going through everything I could find over the weekend I get to the point where I conclude that there is no way to do this.
-There doesn't even seem to be a way to link a local or domain profile to an Azure account?
Has anyone of you done this?
Maybe just get rid of computers and go back to pencil and paper?
-
@d-cunnings
I realize this is nearly a year old but you can actually just backup the AAD user profile with USMT as USMT will see the profile as a local profile.We have done this using USMTGUI previously
