We recently migrated from one domain to another at work. In the new domain we actually can see both. Not sure if this makes sense. Hope this helps.
----------------------old domain trees----------companya
The problem is that our AD sync from the new domain pulls down both branches.
Our client encryption is set to add users to the preboot that have logged on to that machine previously.
This means that we end up with user from companya as well as same user from companya on old domaintree.
They will have different passwords.
Now when a user logs in to preboot there is no domain info and it just seems to pick one randomly to use for the authentication.
This causes many failures. The fix is to do a recovery to get them booted. Reset their SSO and token and then force them to change their Windows password on the new domain.
After a sync they are fixed.
Now for my question. Is there a way in our AD sync task to ignore a certain branch of the domain? That way only their new ID's will get pulled down.
If not what does the encryption client sync task look at when deciding which users to add to preboot.
As it adds user that have logged onto machine previously does it look for profile folders or registry info etc. Maybe we could push out a change to desktops this way.