Not agreeing with approach

[RZomermanMS]

[Enter feedback here]

I have to object against this way of establishing the immutableID between the groups. There are some fundamental problems with this approach:

• Group from F1 and F2 added already to AADConnect are not merged together - instead AAD Connect will throw an error
• Groups are usually migrated more often to reflect membership changes - which can overwrite the mS-DS-ConsistencyGuid !
• the setup here does not automatically take into account new groups and errors are prone to exist and has to be dealt with manually
• mapping can be done on name, but often during migrations names of groups change as per input file for ADMT causing manual work for copying the right attribute values.

A better solution is to writeback the mS-DS-ConsistencyGuid to the F1 (SOURCE) group and have it copy automatically during ADMT copying to the F2 group.

see: https://blog.azureinfra.com/2022/03/10/immutableid-ms-ds-consistencyguid-aadconnect-admt-part-4-groups/

You should also make a note that group membership is NOT merged, but instead the first domain wins.. (meaning always F1) and changes made directly to F2 are not reflected in AAD - UNLESS a change is made in the ruleset.

(Roelf)

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: e906851f-7f69-1344-c2e5-ab2a0c52e8ec
• Version Independent ID: c188e414-e7b1-d765-e924-a139ce0ff8fe
• Content: Azure AD Connect: Migrate groups from one forest to another
• Content Source: articles/active-directory/hybrid/how-to-connect-migrate-groups.md
• Service: active-directory
• Sub-service: hybrid
• GitHub Login: @billmath
• Microsoft Alias: billmath

[AnuragSharma-MSFT]

@RZomermanMS Thank you for the feedback. We are actively investigating and will get back to you soon.

[shashishailaj]

@RZomermanMS We are going to engage on this internally and will create a review item internally for this one with the Azure AD connect content team with your suggestions and copy you there as well. Once the discussion is done , we will update the document as per the outcome.