
On Demand Migration Current - Active Directory User Guide

Domain Cutover

What is a Domain Cutover?  

The Domain Move project type includes the “Domain Cutover” or move functionality. After a tenant mailbox and group migration, the next step during a domain consolidation or divestiture project is to move your registered Microsoft 365 domain (i.e. Exchange Online Accepted Domain) from one Microsoft 365 tenant to another.

Moving a domain from one Microsoft 365 tenant to another is a tedious, multi-step, manually intensive procedure that must be carefully planned and executed at the proper time to ensure a seamless user transition. One of the biggest obstacles during this process is that email sent to the domain in transit is not deliverable because it is held until the domain move is complete. This can cause delays, lost messages and lost productivity.

The On Demand Migration Domain Cutover is the solution. This powerful feature guides the migration operator through the domain move process, and streamlines many of the steps. It works in conjunction with the Email Relay Service (ERS) to maintain deliverability throughout the move. Mail is never held but delivered on-time, ensuring your users never miss that business-critical message.

Figure 1: Domain Cutover In-Progress

 

How does Domain Cutover Work?  

The Domain Cutover feature is designed to fulfill three major needs when moving an Accepted Domain from one tenant to another: moving users’ addresses, moving the domain and, most importantly, ensuring continuity of mail routing during the domain transition.

The Domain Cutover wizard will follow these 6 primary stages. Read through each one before continuing. They provide important details about the process that will help with planning and preparation.

1. Start  

During the start of this process Domain Move will validate groups and request some input before beginning.

  1. Domain Move will warn that any Mailbox or Group not migrated cannot be migrated after the Domain Cutover begins.
  2. Choose Replacement Source Domain – When removing a primary address from a source user, it must be replaced with a new domain. Choose the domain to replace the domain being moved. This may impact the user’s UPN, Mail and Proxyaddresses attributes. Note this will remove the source domain name configured for cutover from the source environment.
  3. Choose Target Address Assignment Scope of Users to be Updated – When moving Domains, select how the target address is assigned. This only impacts the target environment. User Logins (userPrincipalName) are not modified in the target user.

         i. As Primary Email Address - Domain will be added as the primary email address and will replace the existing primary email address for matched objects.

         ii. As Secondary Email Address Only - Domain will be added as a secondary email address for matched objects.

         iii. Do Not Update – Domain will not be added for matched objects.

2. Enable Relay  

During Step 2, if you have chosen to use the On Demand Migration Email Relay Service, the Email Relay Service (ERS) relay servers will be brought online to service the domain being cut over to the target tenant. This step can take up to 60 minutes before the relays are activated. Don’t worry, Domain Move will keep you up to date. Once this step is complete you will be able to move on to Step 3.

3. Redirect MX  

During Step 3, the DNS administrator of the Domain being moved will execute an update to their public DNS MX record to direct traffic to the ERS Relay Servers. It can take up to 2 hours before an MX record change is propagated globally. Be sure to keep your TTL low during the transition.

After this step is complete, all inbound mail from the Internet for the domain being moved will be routed to the Domain Move ERS relays that were setup during step 2. Mail will be delivered to the target user’s mailbox until step 5 is complete.

The Project Administrator may elect to skip redirection to the ERS relays but instead choose to queue mail using their own systems. This is also acceptable. Domain Move will continue with the remainder of the Domain Cutover process. Quest is not responsible for any mail flow if by-passing ERS is elected.

Important Note to Administrators: If you are using a 3rd party email provider or relay system to receive all Internet mail before directing traffic to the Domain Move, it is recommended that you contact Support with a list of IPs to have them whitelisted during the Domain Cutover process to avoid any mail delivery delays.

4. Move Domain  

During Step 4, Domain Move will do most of the heavy lifting. This step is the most complicated, lengthy and error prone, depending on the size and complexity of the environment. The following actions will take place during this step. User status will begin to update during this step. The Domain Move Project administrator will also receive notifications if the Domain Cutover fails during these activities and when it completes.

  1. Read email addresses in source AD and tenant
  2. Remove email alias addresses (Proxyaddresses) from the source AD and tenant
  3. Replace Primary address from the source AD and tenant
  4. Replace User Login (userPrincipalName) from the source AD and tenant
  5. Remove domain from source tenant
  6. Add domain to target tenant
  7. Administrator must verify domain in target (This is a manual step executed by the Tenant Administrator within the Microsoft 365 Admin Portal or using the PowerShell Confirm-MsolDomain cmdlet.)
  8. Add email addresses in target (The target UPN is not modified)

5. Restore MX  

During Step 5, the DNS administrator of the Domain being moved will execute an update to their public DNS MX record to direct traffic to Exchange Online Protection (EOP) (e.g. contoso-com.mail.protection.outlook.com) or another relay service.

After this step is complete, all inbound mail from the Internet for the domain being moved will be routed to the new destination tenant. Domain Move ERS relays will no longer be used.

6. Complete  

During this final step of the Domain Move Domain Cutover please allow up to 48 hours for the Cutover Domain wizard to deprovision the ERS engine and cleanup this domain move; this is to ensure that any outstanding mail items are delivered before the service is shut down. During this time, you may be prevented from making certain changes to this Domain Move project.

If all Domains have been cutover and ERS is no longer required it is recommended that it be disabled in the Domain Move Project. Once ERS is disabled, the associated Transport Rules, Groups and Connectors will be removed in the configured Microsoft 365 tenants. The same is true for the Calendar Sharing configured between the tenants using Domain Move. If this feature is disabled in the Domain Move Project, the associated Organization Relationships setup in each tenant will be removed automatically.
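
The MX changes in Steps 3 and 5 only take effect once resolvers stop serving the old record, so it helps to check what several resolvers return before moving on. The following is an added example, not part of the product or the original guide: `Get-MxCutoverState`, the resolver labels, the host `relay.ers.example` and the 300-second threshold are assumptions made for illustration, and the sample records are constructed.

```powershell
# Added example: per resolver, have the MX answers converged on the expected host?
function Get-MxCutoverState {
    param(
        [Parameter(Mandatory)] [object[]] $Record,       # objects with Resolver, NameExchange, TTL
        [Parameter(Mandatory)] [string]   $ExpectedHost,
        [int] $MaxTtlSeconds = 300                       # assumed threshold for a "low" TTL
    )
    $want = $ExpectedHost.TrimEnd('.')
    foreach ($group in ($Record | Group-Object -Property Resolver)) {
        # Distinct MX targets this resolver currently hands out.
        $hosts = @($group.Group | ForEach-Object { ([string]$_.NameExchange).TrimEnd('.') } |
                   Sort-Object -Unique)
        $stale = @($hosts | Where-Object { $_ -ne $want })
        # A caching resolver reports the remaining lifetime of its cached answer.
        $ttl = [int]($group.Group | Measure-Object -Property TTL -Maximum).Maximum
        [pscustomobject]@{
            Resolver   = $group.Name
            Converged  = ($hosts -contains $want) -and ($stale.Count -eq 0)
            StaleHosts = $stale -join ','
            MaxTtl     = $ttl
            TtlIsLow   = $ttl -le $MaxTtlSeconds
        }
    }
}

# Constructed sample records (hypothetical resolvers; relay.ers.example is a placeholder
# for the relay host name shown in your own project).
$records = @(
    [pscustomobject]@{ Resolver = 'resolver-a'; NameExchange = 'relay.ers.example.'; TTL = 120 }
    [pscustomobject]@{ Resolver = 'resolver-b'; NameExchange = 'contoso-com.mail.protection.outlook.com'; TTL = 3100 }
    [pscustomobject]@{ Resolver = 'resolver-c'; NameExchange = 'relay.ers.example'; TTL = 240 }
    [pscustomobject]@{ Resolver = 'resolver-c'; NameExchange = 'contoso-com.mail.protection.outlook.com'; TTL = 240 }
)
Get-MxCutoverState -Record $records -ExpectedHost 'relay.ers.example' | Format-Table -AutoSize

# Live collection on Windows (not run here): one query per resolver, MX answers only.
# $records = foreach ($r in '1.1.1.1', '8.8.8.8') {
#     Resolve-DnsName -Name 'contoso.com' -Type MX -Server $r -DnsOnly |
#         Where-Object NameExchange |
#         Select-Object @{ n = 'Resolver'; e = { $r } }, NameExchange, TTL
# }
```

For Step 5, pass the new destination (for example the EOP host) as `-ExpectedHost`; any resolver that still lists the relay host then shows up under `StaleHosts`.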

 

What to plan for using Domain Cutover  

As each production environment has different operations, standards and policies, be sure to carefully plan your environment’s domain cutover process. While this wizard will assist with specific portions of the domain cutover process, there may be additional reconfiguration necessary to support a successful domain cutover.

 

Updating the Source Environment  

During the 4th step of the Domain Cutover process, the source objects (users, groups, contacts), both local and in the cloud, will have their proxyaddresses and UserPrincipalName (users only) updated to replace the Domain being cutover. Therefore, be sure to plan your local Mailbox migrations beforehand. Unified Groups (Office 365 Groups) and Microsoft Teams must be manually remediated to remove the proxy address, or the group must be deleted, before proceeding.

 

Updating the Target Environment  

Once the domain has been moved to the destination Microsoft 365 tenant during step 4, the wizard will re-assign the domain’s addresses to users and groups that have been matched by Domain Move (userPrincipalName is not updated, logins remain unchanged). However, the wizard will not update the following objects in the target environment:

  • Users not Prepared by Domain Move
  • Distribution Groups not Migrated by Domain Move
  • Mail-Enabled Public Folders
  • Mail-Enabled Contacts

Please ensure that these object types are remediated with the proper address after the Domain Cutover is complete.

 

Other Considerations during a Domain Cutover  

  • Only one domain can be cutover at a time using Domain Move.
  • Disable the scheduled Discovery jobs in all environments before starting the Domain Cutover.
  • All Users and Groups in Domain Move must be migrated before Domain Cutover. If not, they cannot be migrated after the Domain Cutover is complete.
  • Any user or group in the source that contains a proxyaddress of the Domain being Cutover will have their status updated in Domain Move. Their proxyaddresses will be removed in the source to remove the Domain later. These users will not be able to be migrated afterwards.
  • Plan to move or remediate Office 365 Groups (Unified Groups) and Microsoft Teams before the Domain Cutover. Either remove the address associated with the Domain Cutover or delete the group or team.
  • Plan to manually reassign primary or alias addresses to Mail contacts, Public Folders or unmatched users and groups in the Target environment.
  • Plan to migrate local Exchange Mailboxes before the Domain Cutover.
  • Plan to setup the local AD Domains before the Domain Cutover if UPN reassignment is required in the Target environment.
  • Plan to move other configurations related to the domain being cutover such as Exchange Policies, Transport Rules, Connectors, EOP Rules, GPOs, etc.
  • Remove all Skype for Business licenses from the users in the Source tenant using the Skype for Business Admin Portal. This will remove the Skype for Business SIP address connected to the domain.
  • Update your SharePoint Online website address 24 hours before your Domain Cutover.
  • You cannot remove a domain that has subdomains. You must first delete the subdomains before you can remove the parent domain.
  • The Microsoft Online routing domain that's issued by Microsoft 365 (for example, contoso.onmicrosoft.com) cannot be moved or deleted.
  • If using a 3rd party email relay system to receive all Internet mail before directing traffic to the Domain Move mail gateways, it is recommended that you contact Support with a list of IPs to have them whitelisted during the Domain Cutover process to avoid any mail delivery delays.
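
Several of the items above depend on knowing which objects still carry an address in the domain being cut over. The following is an added example, not part of the product or the original guide: `Find-CutoverDomainAddress` is a hypothetical helper, the sample recipients are constructed, and the suggested actions restate the planning items on this page.

```powershell
# Added example: list recipients that still hold an SMTP address in the cutover domain
# and the planning action this guide attaches to each object type.
function Find-CutoverDomainAddress {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Recipient,
        [Parameter(Mandatory)] [string] $Domain
    )
    begin { $suffix = '@' + $Domain.ToLowerInvariant() }
    process {
        # "SMTP:" marks the primary address, "smtp:" an alias; SIP/X500 entries are ignored.
        $hits = @($Recipient.EmailAddresses | ForEach-Object { [string]$_ } | Where-Object {
            $_ -match '^smtp:' -and $_.ToLowerInvariant().EndsWith($suffix)
        })
        if ($hits.Count -eq 0) { return }
        $action = switch ([string]$Recipient.RecipientTypeDetails) {
            'GroupMailbox' { 'Before cutover: remove the address or delete the group/team' }
            'MailContact'  { 'After cutover: reassign the address manually in the target' }
            'PublicFolder' { 'After cutover: reassign the address manually in the target' }
            default        { 'Migrate before cutover; unmatched objects need manual reassignment' }
        }
        [pscustomobject]@{
            Name       = $Recipient.Name
            Type       = [string]$Recipient.RecipientTypeDetails
            HasPrimary = [bool]($hits -cmatch '^SMTP:')   # primary address is in the domain
            Addresses  = $hits -join ';'
            Action     = $action
        }
    }
}

# Constructed sample input. In a live Exchange Online PowerShell session the same
# properties (Name, RecipientTypeDetails, EmailAddresses) are returned by
# Get-Recipient, Get-UnifiedGroup and Get-MailPublicFolder.
$sample = @(
    [pscustomobject]@{ Name = 'Alice'; RecipientTypeDetails = 'UserMailbox'
        EmailAddresses = @('SMTP:alice@contoso.com', 'smtp:alice@contoso.onmicrosoft.com') }
    [pscustomobject]@{ Name = 'Project Team'; RecipientTypeDetails = 'GroupMailbox'
        EmailAddresses = @('SMTP:project@contoso.onmicrosoft.com', 'smtp:project@contoso.com') }
    [pscustomobject]@{ Name = 'Supplier'; RecipientTypeDetails = 'MailContact'
        EmailAddresses = @('SMTP:supplier@contoso.com') }
    [pscustomobject]@{ Name = 'Bob'; RecipientTypeDetails = 'UserMailbox'
        EmailAddresses = @('SMTP:bob@fabrikam.example', 'SIP:bob@contoso.com') }
)
$sample | Find-CutoverDomainAddress -Domain 'contoso.com' | Format-Table -AutoSize -Wrap
```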

 

Domain Cutover Logging  

  • Domain Cutover Logs – At various stages of the Domain Cutover Wizard the Domain Cutover Logs download link will be presented. Click this link to open the current logs. These logs pertain to the activities being driven by the Domain Move engine.
  • User Move Logs – During the Domain Cutover the User status will be updated. Double click a user to display their activity logs. Click on the Move log to review the history of the user’s Domain Cutover process.
  • Directory Sync Lite Logs – When the Domain Move engine has a job that needs to be executed on the local Active Directory, it gives this job to Directory Sync Lite. Launch the Directory Sync Lite Console then click the View Logs button to review the actions taken locally.

 

User Status Types during a Domain Cutover  

  • Moving – During Step 4 the user’s status will update to the Move state.
  • Moved – When Step 4 is complete for the user, their status will change to the Moved state.
  • Move Error – During Step 4 if at any time a local user or group cannot be remediated, an error will be logged. Open the user Move log to determine why. Remediate the problem and rerun Step 4.

 

What account roles are required for Domain Cutover?  

There are two accounts used during the domain cutover process. Each requires the Global Administrator role to facilitate the process on your behalf.

  • Application Service Account – Global Administrator Role
  • Binary Tree PowerShell Account – Global Administrator Role

 

If I lowered my application account roles to the minimum, should I raise them before the domain cutover?  

If your application account roles are set to the minimum requirements, assign the Global Administrator role before beginning the domain cutover. Otherwise it will fail, and you will be required to restart the process.

 

Is my organization required to modify our MX records?  

Domain Move does not require you to use our Email Relay Services to route inbound mail to the target mailbox during the Domain Cutover event. The Project Administrator may elect to skip redirection to the ERS relays but instead choose to queue mail using their own systems. This is also acceptable. Domain Move will continue with the remainder of the Domain Cutover process. Quest is not responsible for any mail flow if by-passing ERS is elected. The Domain Cutover process will still provision the mail relays for your project; this can take as much as 60 minutes to complete. You will not be able to continue to the next step until this process is complete, so please plan accordingly.

 

Are 3rd party email service providers such as Proofpoint or Mimecast supported during a Domain Cutover?  

If you choose to have all inbound Internet mail for your domains directed to a 3rd party email relay before the traffic is directed to the Domain Move Email Gateways as recommended, you may experience rate controls being applied, causing email delivery delays.

To avoid this situation, bypass your 3rd party provider during the domain cutover event or contact Support with a list of IPs and dates to have the system whitelisted.

 

Additional Information on Domain Migrations  

 

Settings

This user guide covers the steps required to configure and perform a Domain Move. The Domain Move Quick Start Guide summarizes these steps and addresses some frequently asked questions.

Directory Integration

What is Directory Integration?  

Directory Integration refers to the Directory Sync components that are automatically deployed and configured when you set up a Premium Integration project.

 

Where do I manage Directory Integration?  

Directory Integration will display under Settings when a Domain Move project is created. To manage the Directory Sync components of your project, click Directory Integration from the left navigation menu, see figure 1.

Figure 1: Settings Menu for Domain Move Project

 

What can be managed from Directory Integration?  

After project configuration, you may use the Directory Integration tab to check on the status of your workflows and local agents, download history logs and manage the Organizational Units (OU) for creating new objects during Prepare and Cutover activities.

 

How do I create a new agent?  

From Directory Integration management, see figure 2, click the New button to begin creating a new agent for your existing environments.

 

Are agents automatically upgraded when a new version is available?  

Yes, if the Auto Upgrade feature is checked (see figure 2), then agents will automatically be upgraded when new versions are available.

Certificates

What are certificates?  

Certificates will display under Settings within the Domain Move project. Certificates are used to ensure secure message transit with TLS.

Figure 1: Settings Menu for Domain Move Project

 

What is required to ensure mail delivery during Domain Move?  

For full details about TLS certificate requirements see the SSL requirements.

 

 

Where can I verify the status of my certificates?  

Existing certificates can be viewed by selecting Certificates from the left navigation menu, see figure 1. The Mail Relay Service page will open, see figure 2.

Figure 2: Mail Relay Service

 

Where do I manage certificates?  

Certificates are managed within your project. They are uploaded during project setup and can be removed or newly uploaded by editing your project. Follow these steps to add a new certificate or remove an existing certificate from your project setup.

  1. Open the desired project.
  2. From the project dashboard click Setup.

  3. From the project summary, click Security.

  4. The project certificate page will open.

    Figure 5: Project Wizard Certificate Management

  5. If a certificate has expired and you need to upload a new version, then simply click the X to remove the existing certificate.
  6. After removing the old certificate, click Upload to provide a valid certificate. Be sure it meets requirements. It must be in the PFX format with a valid password.
  7. After uploading the new certificate, click Next to navigate to project summary.
  8. Click Next again.
  9. Now click Skip Discovery to return to the project dashboard.
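
Before uploading a replacement in step 6, the PFX file can be checked locally to confirm that it opens with the password, contains a private key and is within its validity period. The following is an added example, not part of the product or the original guide: `Test-RelayPfx` and the 30-day margin are assumptions, and the sample certificate is a constructed, throwaway self-signed one (Windows only).

```powershell
# Added example: pre-upload check of a PFX file.
function Test-RelayPfx {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [securestring] $Password,
        [int] $WarnDays = 30        # assumed renewal margin, not a product requirement
    )
    try {
        $full = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full, $Password)
    }
    catch {
        # Missing file, wrong password, or not a readable PKCS#12 container.
        return [pscustomobject]@{ Path = $Path; Status = 'Unreadable'; Detail = $_.Exception.Message }
    }
    $now = Get-Date
    $status = 'OK'
    if     (-not $cert.HasPrivateKey)                   { $status = 'NoPrivateKey' }
    elseif ($cert.NotBefore -gt $now)                   { $status = 'NotYetValid' }
    elseif ($cert.NotAfter  -lt $now)                   { $status = 'Expired' }
    elseif ($cert.NotAfter  -lt $now.AddDays($WarnDays)) { $status = 'ExpiresSoon' }
    [pscustomobject]@{
        Path   = $Path
        Status = $status
        Detail = '{0}; valid until {1:u}' -f $cert.Subject, $cert.NotAfter
    }
}

# Constructed sample: a self-signed certificate exported to a temporary PFX.
$pw   = ConvertTo-SecureString 'constructed-sample-password' -AsPlainText -Force
$bad  = ConvertTo-SecureString 'not-the-password' -AsPlainText -Force
$tmp  = Join-Path $env:TEMP 'constructed-sample.pfx'
$self = New-SelfSignedCertificate -DnsName 'mail.example.test' `
            -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddDays(10)
Export-PfxCertificate -Cert $self -FilePath $tmp -Password $pw | Out-Null
Remove-Item -LiteralPath "Cert:\CurrentUser\My\$($self.Thumbprint)"

Test-RelayPfx -Path $tmp -Password $pw     # valid file, inside the warning window
Test-RelayPfx -Path $tmp -Password $bad    # same file, wrong password
Remove-Item -LiteralPath $tmp
```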