Migrate a Hybrid-AD (HAD) domain-trust NFA account to Nerdio Manager for MSP

For NFA partners only:

Definitions

  • On-premises domain: Your instance of AD DS that was not provisioned by Nerdio/NFA.

  • Nerdio domain: The local domain configured on DC01 during provisioning.

    Note: If you used the default provisioning settings, the Nerdio domain is nerdio.int.

  • If you are unsure whether you have Hybrid AD (HAD), you can confirm this in the NFA portal. See the screenshot below.

Overview

One of the biggest advantages of Nerdio Manager for MSP over Nerdio for Azure (NFA) is the ability to connect directly to existing domains. In NFA, a hybrid environment was required to use an on-premises Active Directory. In contrast, you can connect Nerdio Manager directly to an existing AD without the added complexity of domain trusts.

  • If you're migrating from NFA to Nerdio Manager and want to simplify your environment, you can follow the steps in this guide to dismantle the Hybrid AD (HAD) configuration and connect Nerdio Manager directly to your on-premises domain.

  • This guide is a supplement to the Migrate to Nerdio Manager via automations article, and focuses specifically on HAD-related items. It should be used alongside the main migration process. Other migration considerations still apply and must be followed accordingly.

Prerequisites

Before you get started, ensure the following prerequisites are met:

  • From the domain controller on the local domain (either on-premises or EAD-DC01), confirm that the appropriate users or groups are members of the ADSyncAdmins group.

    • Ensure you have full command and control of Microsoft Entra Connect.

    • Verify that Microsoft Entra Connect is error-free using the Microsoft Entra Connect Services Manager, accessible from the Start menu.

  • Perform a complete review of Group Policy Objects (GPOs).

    Any GPOs linked to the Nerdio AD domain (e.g., nerdio.int used in examples across the documentation) should be unlinked to avoid error messages.

  • Verify that replication between servers in the local domain is error-free.

    When replication is functioning properly, changes can be made from any domain controller and reach the others.

  • Ensure that both domain and local admin accounts for resources are available and tested.

    • Prioritize setting up a local admin account on FS01 to ensure control of the VM in case of issues during the domain join process.

    • Review permissions on the profiles share, as you will be joining FS01 to the on-premises domain.

  • Run a GPResult before making any changes to confirm that Group Policy is error-free.

    • Use the /r flag (RSoP summary on the console) or the /h flag (HTML report written to a file) to make the policy applied on a host easier to inspect.
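The following pre-flight script is an added example that checks the prerequisites above in one pass; it is not Nerdio tooling. It assumes it is run as a domain admin on the domain controller that hosts Microsoft Entra Connect (for example EAD-DC01) with the RSAT ActiveDirectory and GroupPolicy modules and the ADSync module installed, and that the Nerdio domain is the documented default nerdio.int.

```powershell
# Added pre-flight check for the HAD migration prerequisites (not Nerdio's own tooling).
# Assumptions: run as a domain admin on the DC hosting Microsoft Entra Connect;
# ActiveDirectory, GroupPolicy and ADSync modules are available.
$NerdioDomain = 'nerdio.int'                              # documented default; change if customised
$ReportPath   = "$env:TEMP\gpresult-before-migration.html"
Import-Module ActiveDirectory, GroupPolicy -ErrorAction Stop

# 1. ADSyncAdmins membership: these principals control Entra Connect.
#    The group is local to the Entra Connect server, so fall back to the local group if needed.
Write-Host '== ADSyncAdmins members =='
try   { Get-ADGroupMember -Identity 'ADSyncAdmins' -ErrorAction Stop | Select-Object name, objectClass }
catch { Get-LocalGroupMember -Group 'ADSyncAdmins' | Select-Object Name, ObjectClass }

# 2. Entra Connect health: scheduler enabled and no connector run stuck in progress.
Import-Module ADSync -ErrorAction Stop
Write-Host '== Entra Connect scheduler =='
Get-ADSyncScheduler | Select-Object SyncCycleEnabled, SchedulerSuspended, NextSyncCycleStartTimeInUTC
Write-Host '== Connector runs in progress (expect none) =='
Get-ADSyncConnectorRunStatus

# 3. Replication in the local domain must be error-free before the trust is touched.
Write-Host '== Replication failures (expect none) =='
$failures = @(Get-ADReplicationFailure -Target $env:USERDNSDOMAIN -Scope Domain)
if ($failures.Count) { $failures | Format-Table Server, Partner, FirstFailureTime, FailureCount, LastError }
else                 { Write-Host 'No replication failures reported.' }

# 4. GPOs still linked at the Nerdio domain root: recreate them on-premises, then unlink here.
Write-Host "== GPOs linked at the root of $NerdioDomain =="
$NerdioDn = 'DC=' + (($NerdioDomain -split '\.') -join ',DC=')
(Get-GPInheritance -Target $NerdioDn -Domain $NerdioDomain).GpoLinks |
    Select-Object DisplayName, Enabled, Enforced, Order

# 5. Baseline RSoP: /h writes an HTML report (/f overwrites), /r prints the summary.
gpresult /h $ReportPath /f
gpresult /r
Write-Host "Saved baseline Group Policy report to $ReportPath"
```

Keep the HTML report: comparing it with a second run after the domain join is the quickest way to spot a GPO that stopped applying.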

Update DNS on VNet

DNS for your VNet must be pointing to the correct DNS server. In NFA, custom DNS for the VNet was automatically set to use DC01 for name resolution. You need to update this to use a cloud-based DNS server as your primary, preferably EAD-DC01. You can set any secondary or tertiary settings to point to an on-premises DNS server.

To update DNS:

  1. In the Azure portal, navigate to Virtual networks > DNS.

  2. Select Custom, and then enter the DNS server IP for the EAD-DC01.
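The same change made with Azure PowerShell, as an added example rather than a Nerdio procedure; it assumes the Az.Network module is installed, Connect-AzAccount has been run with rights on the VNet's resource group, and the resource names and IP addresses below are constructed placeholders for your environment.

```powershell
# Added example: point the VNet's custom DNS at EAD-DC01 first, with an on-premises DNS
# server as secondary. Names and IPs are constructed placeholders, not values from Nerdio.
$ResourceGroup = 'rg-nfa-placeholder'
$VnetName      = 'vnet-nfa-placeholder'
$EadDc01Ip     = '10.10.0.4'      # EAD-DC01: cloud-based DNS, must be listed first (primary)
$OnPremDnsIp   = '192.168.1.10'   # optional on-premises DNS as secondary
$Dc01Ip        = '10.10.0.5'      # the NFA-provisioned DC01 the VNet currently uses

$vnet = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroup -ErrorAction Stop
Write-Host "Current custom DNS servers: $($vnet.DhcpOptions.DnsServers -join ', ')"

# Warn if the current list does not look like an NFA VNet; the change should be deliberate.
if ($vnet.DhcpOptions.DnsServers -notcontains $Dc01Ip) {
    Write-Warning "DC01 ($Dc01Ip) is not in the current DNS list; review before changing."
}

# Order matters: Azure hands the list to VMs as-is, so EAD-DC01 goes first.
$vnet.DhcpOptions.DnsServers = [System.Collections.Generic.List[string]]@($EadDc01Ip, $OnPremDnsIp)
$vnet | Set-AzVirtualNetwork | Out-Null

# Re-read the VNet and fail loudly if DC01 somehow survived the update.
$check = Get-AzVirtualNetwork -Name $VnetName -ResourceGroupName $ResourceGroup
Write-Host "Updated custom DNS servers: $($check.DhcpOptions.DnsServers -join ', ')"
if ($check.DhcpOptions.DnsServers -contains $Dc01Ip) {
    throw 'DC01 is still listed as a VNet DNS server.'
}
# Existing VMs pick up the new list only after a DHCP renew (ipconfig /renew) or a restart.
```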

Migrate from NFA to Nerdio Manager

Important! Nerdio strongly recommends keeping the migration scope limited to the transition from NFA to Nerdio Manager. Introducing additional changes during the migration can lead to errors and complicate troubleshooting. By maintaining a narrow scope, any issues can be more easily traced to a specific step. This is especially important when considering profile storage migration or changes to user folder redirection (e.g., Documents, Favorites, and Desktop).

Create an account in Nerdio Manager as an existing IaaS deployment.

For more information, see:

Step 1: Migrate from NFA to Nerdio Manager

  1. Follow the standard migration steps as described in Migrate to Nerdio Manager via automations.

  2. When adding an account (Step 3), make the following adjustments:

    • Domain name: Enter your on-premises domain name.

      Note:

      • This should be your on-premises domain name. Make sure you don't use nerdio.int or any other internal domain defined on the DC01.

      • You can confirm the DC01 domain name in NFA. For this:

        1. On the Home page, next to Azure region, select more....

        2. Navigate to Onboard > Domains > Active Directory Domain Trust, and locate the domain name you need to use.

    • Domain admin user (must have domain-join rights): Enter the username.

Step 2: Replicate group policy objects (GPOs) from the Nerdio domain to on-premises domain

Partner considerations:

  • Recreate, in the on-premises domain, the GPOs that are linked to the Nerdio domain's users and groups OU on DC01.

  • You can either create new GPOs or export and import the existing ones. After importing, ensure the policies are correctly linked and that they only reference the current, preferred internal domain.
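The export-and-import route with the RSAT GroupPolicy cmdlets, as an added example (not a Nerdio script), including the post-import audit the second bullet asks for. It assumes the trust still exists, the account has GPO rights in both domains, and the OU paths and on-premises domain name are placeholders; only nerdio.int is the documented default.

```powershell
# Added example: copy the GPOs linked to the Nerdio users/groups OU into the on-premises
# domain, link them, then audit for leftover references to the Nerdio domain.
# Placeholders: $SourceOu, $TargetDomain, $TargetOu. Not Nerdio's own tooling.
Import-Module GroupPolicy -ErrorAction Stop
$SourceDomain = 'nerdio.int'
$SourceOu     = 'OU=Users and Groups,DC=nerdio,DC=int'          # Nerdio users/groups OU (placeholder)
$TargetDomain = 'corp.example.local'                             # on-premises domain (placeholder)
$TargetOu     = 'OU=AVD Users,DC=corp,DC=example,DC=local'       # where links should land (placeholder)
$BackupPath   = 'C:\GPOBackup'
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null

# 1. Back up only the GPOs actually linked to the source OU. Backing up with -All and
#    importing by name would overwrite the target's Default Domain Policy, so avoid that.
$linkedNames = (Get-GPInheritance -Target $SourceOu -Domain $SourceDomain).GpoLinks.DisplayName
$backups = foreach ($n in $linkedNames) { Backup-GPO -Name $n -Domain $SourceDomain -Path $BackupPath }

# 2. Import each backup, creating the GPO in the target domain if needed, and link it.
#    Add -MigrationTable <file.migtable> (built with the Migration Table Editor in GPMC)
#    when a GPO carries domain-specific principals or UNC paths that must be rewritten.
foreach ($b in $backups) {
    Import-GPO -BackupId $b.Id -Path $BackupPath -TargetName $b.DisplayName `
               -Domain $TargetDomain -CreateIfNeeded | Out-Null
    New-GPLink -Name $b.DisplayName -Target $TargetOu -Domain $TargetDomain `
               -ErrorAction SilentlyContinue | Out-Null       # already linked is fine
}

# 3. Audit: each GPO must be linked, and its report must not cite the Nerdio domain.
$targetLinks = (Get-GPInheritance -Target $TargetOu -Domain $TargetDomain).GpoLinks.DisplayName
foreach ($b in $backups) {
    $xml    = Get-GPOReport -Name $b.DisplayName -Domain $TargetDomain -ReportType Xml
    $hits   = [regex]::Matches($xml, [regex]::Escape($SourceDomain)).Count
    $linked = $targetLinks -contains $b.DisplayName
    '{0,-40} linked={1} references to {2}: {3}' -f $b.DisplayName, $linked, $SourceDomain, $hits
}
```

Any GPO reporting a non-zero reference count still points at nerdio.int and needs its paths or security filtering corrected before the trust is deleted.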

Once you've completed the two steps above, resume the migration by following the instructions in.

Note: While it is possible to migrate a pool template to Nerdio Manager, we recommend creating a new Windows 11 pool from a Marketplace image.

Post-migration: Manage domains

After completing all non-hybrid AD steps, such as creating desktop images and host pools, follow these steps to finalize the migration from Hybrid AD.

Step 1: Remove FS01 from the Nerdio domain and join it to the on-premises domain (current or preferred)

  • Keep DC01 active during the unjoin and rejoin process.

  • Once FS01 is joined to the new domain, sign in as a domain admin to verify proper access.

Step 2: Verify NTFS permissions for FSLogix profiles and redirected folders

Review and apply the correct permission structure as outlined in Configure SMB Storage Permissions.

Warning: Incorrect permissions on the Profiles folder may result in failures during AVD sign-ins.

Step 3: Delete domain trust

  1. In Active Directory Domains and Trusts, right-click your domain name and select Properties.

    Note: You can perform this step from Nerdio’s domain (DC01 or FS01) or from your on-premises/HAD domain. The screenshot below illustrates Nerdio’s domain.

  2. In the Properties dialog box, on the Trusts tab, select the trust you want to remove, and then select Remove.

    You are prompted to choose whether to remove the trust from the local domain only, or from both the local domain and the other domain.

  3. Select Yes, remove the trust from both the local domain and the other domain.

  4. Enter the username and password for an account with administrative privileges in the other domain, and then select OK.

  5. Select Yes in the next dialog box to confirm removing the trust.

    You return to the Trusts tab in the domain’s Properties dialog box. The name of the other domain should no longer be displayed.

Post-migration: Destroy the NFA account and clean up resources

Important!

  • We highly recommend waiting at least one full business week before destroying the NFA account.

  • DC01 must remain present and running to ensure proper destruction of the NFA account.

  • Selecting Destroy in NFA does not delete Azure resources, and Microsoft 365 accounts remain active. These accounts are renamed and require manual cleanup via the Microsoft 365 portal.

To destroy the NFA account:

  1. Delete the public IP address assigned to EAD-DC01.

  2. Remove the NFA account as described in Destroy an NFA account.

  3. Once the NFA account is destroyed (no longer visible in the Accounts section), safely delete DC01 and PRX01, as they no longer serve any role in the internal domain.

  4. If a backup policy is linked in Nerdio Manager, ensure neither VM is orphaned in the policy.

Verify the NFA account is fully destroyed

Work through the following post-destruction checklist. Once every item is confirmed, you can proceed with the remaining migration tasks. Specifically:

  • All group policy objects (GPOs) exist and function within the preferred and current local domain.

  • No domain trust remains with other internal domains.

  • FS01 is joined to the preferred local domain and continues to serve file shares for profiles and user redirected folders, with permissions verified.

  • PRX01 and DC01 are deleted from the Azure resource group.

  • The public IP attached to EAD-DC01 (or the custom host name for the external Active Directory controller in Azure) has been removed.

  • The NFA account is destroyed and no longer appears in the NFA portal.
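An added verification script covering this checklist and the trust removal from "Step 3: Delete domain trust"; it is not Nerdio tooling. It assumes it runs as a domain admin on a DC of the on-premises domain with the RSAT ActiveDirectory and GroupPolicy modules and the Az modules installed, Connect-AzAccount already done, WinRM reachable on FS01, and that the resource group and share path are placeholders.

```powershell
# Added post-destruction check (not Nerdio's own tooling). Placeholders: $ResourceGroup,
# $ProfileShare. VM role names (FS01, DC01, PRX01, EAD-DC01) are the ones used in the guide.
Import-Module ActiveDirectory, GroupPolicy -ErrorAction Stop
$ResourceGroup = 'rg-nfa-placeholder'
$ProfileShare  = '\\FS01\Profiles'          # FSLogix profiles share on FS01 (placeholder)
$results = [ordered]@{}

# 1. No trust with the Nerdio domain (or any other internal domain) may remain.
$trusts = @(Get-ADTrust -Filter * | Select-Object -ExpandProperty Name)
$results['No domain trusts remain'] = ($trusts.Count -eq 0)

# 2. FS01 is joined to this (the preferred local) domain.
$fs01 = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName 'FS01'
$results['FS01 joined to local domain'] = ($fs01.Domain -eq $env:USERDNSDOMAIN)

# 3. The profiles share answers, and its ACL holds no orphaned SIDs. After the trust is gone,
#    any ACE that belonged to a Nerdio-domain principal shows up as an unresolved S-1-5-21-... SID.
$acl = Get-Acl -Path $ProfileShare
$orphaned = @($acl.Access | Where-Object { "$($_.IdentityReference)" -match '^S-1-5-21-' })
$results['Profiles ACL has no orphaned SIDs'] = ($orphaned.Count -eq 0)

# 4. GPOs exist and are linked here, and none still references nerdio.int.
$domainDn = (Get-ADDomain).DistinguishedName
$results['GPOs linked in local domain'] = (@((Get-GPInheritance -Target $domainDn).GpoLinks).Count -gt 0)
$stale = @(Get-GPO -All | Where-Object { (Get-GPOReport -Guid $_.Id -ReportType Xml) -match 'nerdio\.int' })
$results['No GPO references nerdio.int'] = ($stale.Count -eq 0)

# 5. Azure: DC01 and PRX01 are deleted and EAD-DC01 has no public IP left behind.
$vms  = @((Get-AzVM -ResourceGroupName $ResourceGroup).Name)
$results['DC01 and PRX01 deleted'] = (($vms -notcontains 'DC01') -and ($vms -notcontains 'PRX01'))
$pips = @(Get-AzPublicIpAddress -ResourceGroupName $ResourceGroup |
          Where-Object { $_.Name -like '*EAD-DC01*' -or $_.IpConfiguration.Id -like '*EAD-DC01*' })
$results['EAD-DC01 public IP removed'] = ($pips.Count -eq 0)   # name-based heuristic; adjust to your naming

$results.GetEnumerator() | ForEach-Object {
    '{0} {1}' -f $(if ($_.Value) { '[PASS]' } else { '[FAIL]' }), $_.Key
}
```

The NFA portal check (account no longer listed) has no API on this page, so it stays a manual item.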

With all these steps completed, you can now move forward with the remaining items as described in Migrate to Nerdio Manager via automations.

See also
