Migration

During a staged Active Directory migration from Domain A to Domain B, we hit a common but frustrating problem: legacy applications that only support a single LDAP endpoint couldn’t authenticate users split across two domains. This post covers our journey from an overly complex OpenLDAP virtual directory attempt to a simple, effective Python-based solution. The Problem When migrating users between AD domains in stages, you end up with users in both domains simultaneously. Modern applications handle this gracefully with multiple LDAP endpoints or federated identity. Legacy applications? Not so much. ...

During a multi-forest staged migration, where Domain A (source) and Domain B (target) were both synchronizing into a single Entra ID tenant via Entra Connect, we encountered a membership synchronization issue with mail-enabled distribution groups. Although users were successfully matched across forests using ms-ds-consistencyguid, mail-enabled group memberships did not merge. Instead, only one forest’s membership list was applied in Entra ID—regardless of where users actually existed or were migrated. This post explains why that happens, and the precise fix that resolved the issue. ...