We have a situation where a company will migrate their Duo-protected AD into a new forest.
The user IDs will be retained, but the old AD (which is synced with Duo) will be retired.
What is the best strategy to follow in such cases? In particular, we would like to avoid having to reconfigure all end-user devices…
Welcome back to the Duo Community, @AlexT! Here are some steps that may help you with upgrading your AD FS servers.
To upgrade Duo on an AD FS 3 or 4 server, it is necessary to disable the Duo Authentication for AD FS authentication method in the AD FS Management console first.
- Launch the AD FS Management console on your AD FS internal server.
- Navigate to AD FS > Authentication Policies and click the Edit Global Multi-factor Authentication… action.
- Uncheck the box next to the Duo Authentication for AD FS X.X.X.X authentication method to disable Duo protection. Note that in older releases of Duo for AD FS, the authentication method is called Duo Security for AD FS 3.0.
- Update your ADFS servers.
- Download the most recent Duo AD FS Installer Package for AD FS 3 and 4 and run the MSI from an elevated command prompt.
- Follow the on-screen prompts to complete the upgrade installation.
- When the installer is finished, repeat the steps you originally followed to enable the Duo method in AD FS. Users may log on to federated services without two-factor protection until you’ve re-enabled the Duo authentication method.
- If you have deployed AD FS as a farm, you’ll need to upgrade Duo on each of your servers. For a WID farm, install Duo on the primary server first. If you have a SQL farm, you may begin with any node.
Whilst the plugin is disabled, users will be bypassing 2FA. No additional work will be required for users’ enrollments, activations, or their Duo Mobile devices. These will be unaffected and will work again when you re-enable the updated plugin on your updated servers.
@AlexT is this your scenario?
- You’re syncing users from an existing AD forest (let’s call it `foo.com`, with the base DN `dc=foo,dc=com`) into Duo.
- You will be migrating all your users into a new AD forest (`oof.com` with base DN
In general, a sync migration plan consists of these steps:
- Delete the current `foo.com` AD sync configuration. The users previously synced from `foo.com` to Duo become manually-managed Duo users, with their existing devices. Note that it is important here to just delete the entire sync to convert the synced users to regular unmanaged users; if you delete groups from the sync instead of deleting the entire sync, then it will mark your users for deletion.
- Create a new `oof.com` AD sync configuration, using the same attributes as the old `foo.com` sync and specifying groups to sync from `OOF` that have the same user members as the `FOO` groups you previously synced. When the new `oof.com` sync runs, it will take over management of the existing users.
Whether existing users already synced into Duo can be preserved with their devices depends on what attributes you’re currently syncing. What AD attributes are you using for the imported username? If the synced username attribute values in the new `oof` forest will exactly match the current values in the `foo` forest, then it’s possible to retain the existing users with their current usernames post-migration and have them managed by a sync with the new forest.
- You are using `sAMAccountName` as the username attribute (example `jdoe`), and the existing `foo.com` values will be used in `oof.com` = a new sync to `oof.com` can take over existing users.
- You are using the `msDS-PrincipalName` username attribute (example `FOO\jdoe`) in the sync with `foo.com`. Because `msDS-PrincipalName` attribute values are constructed using the domain’s NetBIOS name, the `msDS-PrincipalName` values post-migration will not match (example after migration `OOF\jdoe`) = a new sync to `oof.com` will create new users instead of taking over the existing users.
So, the best practice to retain existing users and their attached devices is to ensure that the same attributes and attribute values exist in your new forest so that a new sync to the new forest can take over management of the existing users.
There is more information in these knowledge base articles:
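An added pre-migration check that applies the attribute comparison from the reply above; this is example code, not Duo’s tooling or anything posted in the thread. It reads the configured Duo username attribute from both forests, joins on the retained `sAMAccountName`, and reports which existing Duo users a new sync would take over and which it would duplicate. The forest names, the attribute choice and the RSAT `ActiveDirectory` module are assumptions.

```powershell
# Added example, not Duo's own tooling. Assumes the RSAT ActiveDirectory module,
# read access to both forests, and that the Duo sync's username attribute is one
# of those named in the thread (sAMAccountName or msDS-PrincipalName).
param(
    [string]$OldForest = 'foo.com',                   # forest currently synced to Duo
    [string]$NewForest = 'oof.com',                   # forest the users migrate to
    [string]$UsernameAttribute = 'msDS-PrincipalName' # attribute the Duo sync imports as username
)
Import-Module ActiveDirectory

# Map retained sAMAccountName -> value of the Duo username attribute in one forest.
# sAMAccountName is the join key because the original poster said user IDs are kept.
function Get-DuoUsernameMap {
    param([string]$Server, [string]$Attribute)
    $map = @{}
    Get-ADUser -Server $Server -Filter * -Properties $Attribute | ForEach-Object {
        $value = $_.$Attribute
        if ($value) { $map[$_.SamAccountName] = [string]$value }
    }
    return $map
}

$old = Get-DuoUsernameMap -Server $OldForest -Attribute $UsernameAttribute
$new = Get-DuoUsernameMap -Server $NewForest -Attribute $UsernameAttribute

$takeover = New-Object System.Collections.Generic.List[string]
$mismatch = New-Object System.Collections.Generic.List[object]
$missing  = New-Object System.Collections.Generic.List[string]

foreach ($sam in $old.Keys) {
    if (-not $new.ContainsKey($sam)) { $missing.Add($sam); continue }
    if ($old[$sam] -eq $new[$sam]) {
        $takeover.Add($sam)   # same username value: the new sync adopts the existing Duo user
    } else {
        # Different value (e.g. FOO\jdoe vs OOF\jdoe): the new sync would create a second Duo user
        $mismatch.Add([pscustomobject]@{ User = $sam; OldValue = $old[$sam]; NewValue = $new[$sam] })
    }
}

"Username attribute: $UsernameAttribute"
"Users the new sync can take over : $($takeover.Count)"
"Users that would be duplicated   : $($mismatch.Count)"
"Users not found in $NewForest     : $($missing.Count)"
$mismatch | Format-Table -AutoSize
```

Run it before creating the `oof.com` sync: a non-empty duplicated list means the chosen username attribute will not carry over, so the attribute (or the values in the new forest) needs to be reconciled before the old sync is deleted.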