TL;DR. Global financial services firm, 541 users, multi-domain AD synchronization, four-month engagement delivered ahead of schedule. Quest Migrator Sync Pro for bidirectional AD sync, SQL Server backend, MFA-aware service account configuration.
What was the client environment?
A global financial services and technology firm with operations spanning multiple entities needed to consolidate its Active Directory environments and Microsoft 365 tenants after a corporate restructuring. The firm operates in a highly regulated industry where directory integrity, security policies, and authentication continuity are critical to business operations and compliance.
What made this migration challenging?
- Cross-domain AD synchronization. Multiple Active Directory domains needed to be synchronized and consolidated, with user objects, groups, and security principals migrated while maintaining access to resources in both source and target environments.
- Password synchronization complexity. Syncing user passwords across domains required careful configuration so users could authenticate seamlessly in the target environment without manual resets, which is critical in a financial services firm where password-related help-desk calls during a migration can cascade into security incidents.
- SQL-backed sync infrastructure. The migration tooling required a SQL database backend to manage sync profiles, track migrated objects, and maintain state across migration batches. Setting up this infrastructure with proper security hardening was essential for a financial services environment.
- MFA policy alignment. Service accounts used for migration automation needed to be properly excluded from multi-factor authentication requirements to avoid blocking automated sync processes, while maintaining the firm's security posture.
How did LeadThem approach the migration?
Infrastructure setup and configuration
Our engineer built the migration infrastructure from the ground up, configuring a dedicated migration console with proper security settings, SQL Server for the sync database, and Quest Migrator Sync Pro for bidirectional AD synchronization.
Week 1: Infrastructure build. Created domain local security groups and configured audit policies. Installed SQL Server and Quest Migrator Sync Pro across both source and target domains. Set up service accounts with appropriate delegated permissions and excluded them from MFA conditional access policies.
Week 2: Sync profile configuration. Created sync profiles for test users and worked through password synchronization issues. Resolved password-sync failures by adjusting the sync configuration and validating credential flow between domains. Pushed all development accounts into the SQL database for tracking.
Weeks 3-4: Production sync and group migration. Rolled sync profiles to production user batches. Migrated security groups and distribution groups with membership preservation. The client's team confirmed they were significantly ahead of schedule, allowing for extended production testing before final cutover.
Weeks 5+: Production testing and validation. With the core migration ahead of schedule, the remaining engagement hours went to thorough production testing, edge-case validation, and documentation. The client's team continued using our engineer for testing scenarios that ensured zero issues at final cutover.
What technical challenges did we solve?
- Password sync failures. Initial sync profile configuration resulted in passwords not synchronizing to the target domain. Our engineer systematically diagnosed the issue by testing individual sync components, identified the root cause in the sync profile settings, and resolved it within a day, avoiding what could have been a project-blocking issue.
- MFA blocking automation. CDS (Custom Deployment Solution) PowerShell service accounts were being blocked by MFA requirements, causing errors in the automated sync logs. Our engineer worked with the client's security team to properly exclude the migration service accounts from conditional access policies while maintaining the firm's security posture.
- SQL infrastructure hardening. The SQL backend for Migrator Sync Pro needed to meet financial services security standards. Our engineer configured the database with appropriate access controls and audit logging.
What were the results?
The Active Directory and Microsoft 365 migration was completed significantly ahead of schedule. The client confirmed the project's rapid progress during status reviews, and the additional time went into thorough production testing that ensured a clean cutover. All user objects, groups, and passwords were synchronized across domains with zero authentication disruptions for the firm's employees.
Which tools and technologies were used?
- Quest Migrator Sync Pro for cross-domain AD synchronization
- SQL Server for sync state management and tracking
- Active Directory with domain trust configuration
- Microsoft 365 integration
- PowerShell CDS (Custom Deployment Solution) automation
- Conditional Access and MFA policy management
Why LeadThem Consulting
Financial services firms need migration partners who can build secure infrastructure, handle complex AD synchronization scenarios, and deliver results that meet regulatory expectations. LeadThem Consulting delivered this engagement ahead of schedule by combining deep expertise in Quest Migrator Sync Pro with the discipline to build infrastructure right the first time. When password-sync issues arose, our engineer resolved them in hours, not days, keeping the project on its accelerated timeline.
- What Quest tool is used for cross-domain Active Directory synchronization?
  - Quest Migrator Sync Pro. It provides bidirectional synchronization of users, groups, passwords, and security principals between source and target AD domains, with state tracked in a SQL Server backend.
- How are passwords kept in sync across two Active Directory domains?
  - Migrator Sync Pro captures password changes at the source domain controller and replays them into the target domain in near real time, so users authenticate with the same credentials in both environments throughout the migration.
- How do MFA and conditional access policies affect migration automation?
  - Automated migration accounts are blocked when conditional access policies require MFA, because there is no user to complete the second factor. The fix is to exclude migration service accounts from MFA-required policies, while still requiring MFA for human-operated accounts.
- Why is a SQL Server backend required for cross-domain AD migration?
  - Quest Migrator Sync Pro stores sync profiles, migration batches, object mapping, and state in SQL Server. This lets the tool resume cleanly after restarts, audit which objects have been processed, and run multiple sync profiles in parallel without losing state.
- How long does an AD and M365 migration take for a financial services firm?
  - This engagement was completed in roughly four months and finished ahead of schedule. Timelines depend on domain count, user count, and the depth of security-team review required for service accounts and audit configuration.
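As an added example (not the engagement's own scripts or Quest's tooling), the following PowerShell audits Conditional Access policies for the service-account MFA exclusion described above and also flags any excluded account that is not on the approved migration-account list, which is how a human account quietly carved out of MFA would show up. The policy objects are constructed inline in the shape Microsoft Graph returns; in a live tenant they would come from Get-MgIdentityConditionalAccessPolicy, and the account object IDs are placeholders.

```powershell
# Constructed: object IDs of the approved migration service accounts (placeholders).
$ApprovedMigrationAccounts = @(
    '00000000-0000-0000-0000-00000000aaaa',  # placeholder: CDS PowerShell sync account
    '00000000-0000-0000-0000-00000000bbbb'   # placeholder: Migrator Sync Pro account
)

# Constructed sample policies, shaped like Graph conditionalAccessPolicy objects.
# In a tenant: $Policies = Get-MgIdentityConditionalAccessPolicy
$Policies = @(
    [pscustomobject]@{
        DisplayName   = 'Require MFA for all users'
        State         = 'enabled'
        Conditions    = @{ Users = @{ IncludeUsers = @('All')
                                      ExcludeUsers = @('00000000-0000-0000-0000-00000000aaaa',
                                                       '00000000-0000-0000-0000-00000000cccc') } }
        GrantControls = @{ BuiltInControls = @('mfa') }
    },
    [pscustomobject]@{
        DisplayName   = 'Block legacy authentication'
        State         = 'enabled'
        Conditions    = @{ Users = @{ IncludeUsers = @('All'); ExcludeUsers = @() } }
        GrantControls = @{ BuiltInControls = @('block') }   # not MFA: ignored by the audit
    }
)

function Test-MigrationMfaExclusion {
    param([array]$Policies, [string[]]$ApprovedAccounts)
    foreach ($p in $Policies) {
        # Only enabled policies that actually require MFA can block the automation.
        if ($p.State -ne 'enabled') { continue }
        if (@($p.GrantControls.BuiltInControls) -notcontains 'mfa') { continue }
        $include = @($p.Conditions.Users.IncludeUsers)
        $exclude = @($p.Conditions.Users.ExcludeUsers)
        foreach ($acct in $ApprovedAccounts) {
            $inScope = ($include -contains 'All') -or ($include -contains $acct)
            if ($inScope -and ($exclude -notcontains $acct)) {
                [pscustomobject]@{ Policy = $p.DisplayName; Account = $acct
                                   Finding = 'Service account still subject to MFA; automated sync will fail' }
            }
        }
        # Any exclusion that is not an approved migration account is scope drift.
        foreach ($x in $exclude) {
            if ($ApprovedAccounts -notcontains $x) {
                [pscustomobject]@{ Policy = $p.DisplayName; Account = $x
                                   Finding = 'Unapproved MFA exclusion; review with security team' }
            }
        }
    }
}

Test-MigrationMfaExclusion -Policies $Policies -ApprovedAccounts $ApprovedMigrationAccounts | Format-Table -AutoSize
```

With the constructed input the audit reports two findings: the Migrator Sync Pro account (bbbb) is still in scope of the MFA policy, and the cccc exclusion is not an approved migration account.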