VMware Workspace ONE Community
air_contract
Contributor

Migrating users to another AD domain

We have created a new Active Directory domain (same forest as the main one) and we need to migrate about half of our users.

What I'm specifically trying to achieve is:

- Creating a user under domain A, importing into WS1 UEM and enrolling a device [done]

- Migrating the AD user from domain A to domain B via a third party tool. (Object GUID should remain the same since it's under the same forest.) [done]

- Syncing (or force syncing) WS1 via LDAP and having the user correctly show up and match under domain B

For some reason I'm stuck on the last point even though I successfully bound the new AD domain under "Directory Services".

I can query users (including the migrated one) but when going into Account > Users > List View the migrated user does not refresh with the new information about the domain.

It pretty much acts like a dead user since it does not exist on domain A anymore, but it does not get matched to the new one.

Therefore all AD fields that are pulled from the AD sync become misaligned since the user is not actually matching with anything.

Manual LDAP sync also fails both with and without the "Refresh all attributes based on User DN" and "Refresh all attributes based on Object Guid" options enabled.

Also, if I try to import another user via Add > User > Directory and type in the migrated user's sAMAccountName, it lets me import it as a completely new user.

Not sure if this can be helpful:

- domain A is configured for the main OG

- domain B is configured for a sub-OG

I'm out of ideas as of now.

Any suggestions? Is such a thing even viable?

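One way to check, before and after the move, what actually survives the intra-forest migration and therefore which UEM matching key (User DN or Object GUID) could still line up with the existing UEM record. This is an added example, not part of the original thread and not VMware's own tooling; it assumes the RSAT ActiveDirectory module is installed, and the domain names, account name and snapshot path are placeholders.

```powershell
# Added example, not from the original post or from VMware. Records a user's
# AD identity attributes before the cross-domain move and compares them with
# what the target domain returns afterwards.
# Assumptions: RSAT ActiveDirectory module installed; 'corp-a.example',
# 'corp-b.example', 'jdoe' and the snapshot path are placeholders.
Import-Module ActiveDirectory

function Get-DomainUserIdentity {
    # Look the account up in one domain; return $null if it is not there.
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $Domain
    )
    try {
        $u = Get-ADUser -Server $Domain -Identity $SamAccountName -Properties SIDHistory -ErrorAction Stop
        [pscustomobject]@{
            Domain            = $Domain
            SamAccountName    = $u.SamAccountName
            ObjectGUID        = $u.ObjectGUID.Guid
            DistinguishedName = $u.DistinguishedName
            UserPrincipalName = $u.UserPrincipalName
            SID               = $u.SID.Value
            SIDHistory        = @($u.SIDHistory | ForEach-Object { $_.Value })
        }
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        $null   # account is not (or no longer) present in this domain
    }
}

function Test-MigratedUserIdentity {
    # Compare the pre-move snapshot with the object found in the target domain.
    param(
        [Parameter(Mandatory)] [psobject] $Before,        # snapshot taken in the source domain
        [Parameter(Mandatory)] [string]   $TargetDomain
    )
    $after = Get-DomainUserIdentity -SamAccountName $Before.SamAccountName -Domain $TargetDomain
    if (-not $after) {
        return [pscustomobject]@{ SamAccountName = $Before.SamAccountName; FoundInTarget = $false }
    }
    [pscustomobject]@{
        SamAccountName      = $Before.SamAccountName
        FoundInTarget       = $true
        # A GUID-keyed match is only possible if this is $true.
        ObjectGuidPreserved = ($after.ObjectGUID -eq $Before.ObjectGUID)
        # The DN always carries the new domain's naming context after a move,
        # so a DN-keyed refresh cannot find the old record.
        DnChanged           = ($after.DistinguishedName -ne $Before.DistinguishedName)
        UpnChanged          = ($after.UserPrincipalName -ne $Before.UserPrincipalName)
        OldSidInHistory     = ($after.SIDHistory -contains $Before.SID)
        BeforeDN            = $Before.DistinguishedName
        AfterDN             = $after.DistinguishedName
    }
}

# Step 1 (run before the move): snapshot the user in domain A and keep it on disk.
$snapshotPath = 'C:\temp\jdoe-before-move.xml'   # placeholder path
$before = Get-DomainUserIdentity -SamAccountName 'jdoe' -Domain 'corp-a.example'
if ($before) { $before | Export-Clixml -Path $snapshotPath }

# Step 2 (run after the move): compare the snapshot with what domain B returns.
$before = Import-Clixml -Path $snapshotPath
Test-MigratedUserIdentity -Before $before -TargetDomain 'corp-b.example' | Format-List
```

Run step 1 before the migration tool moves the account and step 2 afterwards; if `ObjectGuidPreserved` is `$true` but `DnChanged` is also `$true`, the only attribute the two records still share is the GUID, which is why a sync keyed on the User DN has nothing to match against.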
Phil_Helmling
VMware Employee

Unfortunately the current Directory Service feature creates a user object within UEM with the metadata synced from LDAP/AD. If you are adding a new domain B, you will need to add that domain to UEM and hence those users will be a different object. So what you want to do is not possible, unfortunately.

You essentially will need to unenrol and re-enrol the device with the new user from domain B.
