
On Demand Migration Current - Active Directory Domain Move Quick Start Guide

Introduction

On Demand Migration for Active Directory provides the “Domain Cutover” or move functionality. After a tenant mailbox and group migration, the next step during a domain consolidation or divestiture project is to move any registered Microsoft 365 Domains (i.e. Exchange Online Accepted Domains) from one Microsoft 365 tenant to another.

Manually moving a domain from one Microsoft 365 tenant to another is a tedious, multi-step, intensive procedure that must be carefully planned and executed at the proper time to ensure a seamless user transition. One of the biggest obstacles during this process is that email sent to the domain is not deliverable because it is held until the move is complete. This can cause delays, lost messages and decreased productivity.

The On Demand Migration for Active Directory Domain Cutover is the solution. This powerful feature guides the migration operator through the entire domain move process and automates many of the steps. It works in conjunction with the Email Relay Service (ERS) to maintain deliverability throughout the move. Mail is never held but is delivered on time, ensuring your users never miss any business-critical messages.

This step-by-step guide walks through how to configure On Demand Migration for Active Directory to move a domain between two Microsoft 365 Hybrid tenants.

Topics

This guide covers the following topics:

  • Differences between Basic and Advanced Email Relay Service

  • Configuring an On Demand Migration for Active Directory Domain Move Project

  • Deploying and Configuring Directory Sync integration

  • Validating object matches

  • Performing Domain Move between two Microsoft 365 tenants

  • Validating the Domain Move results

  • Frequently Asked Questions

Requirements

General

  • Client is licensed for On Demand Migration for Active Directory Domain Move

  • One Global Administrator Account for each Microsoft 365 tenant

  • One Domain Administrator Account for each On-Premise Active Directory attached to the tenant

  • One dedicated server to install the Directory Sync agent

  • Permissions to download and install Directory Sync agent

 

Hardware  

The local agent must meet the following minimum hardware requirements:

  • At least one (1) Windows Server 2012 R2, 2016 or 2019

  • Additional Windows servers may be deployed; limit of 5.

  • CPU: 4 Cores

  • Memory: 4GB Free

  • Disk: 40GB Free Disk Space excluding Operating System.

Important Tip: Do not install local agents on AD domain controllers in a production environment.

Software  

The local agent must meet the following minimum software requirements:

  • Windows Server 2012 R2, 2016 or 2019

  • .NET 4.5.2. NOTE: .NET will automatically be installed if needed.

  • TLS 1.2 or higher 

Domain and Forest Functional Levels  

  • 2012 R2 or 2016 

Network  

  • The Directory Sync web interface uses TCP port 443 (HTTPS).

  • Agent web connections use port 443 to Directory Sync host application.

  • DCs use TCP ports 139, 389 (UDP), 445, and 3268.

  • SID History functionality uses TCP ports 135, 137-139, 389 (UDP), 445, 1027, 3268, and 49152-65535. 

Accounts  

Local Active Directory Account

  • Agent installer will prompt for a domain account with permission to read and write on-premises Active Directory.

  • An agent intended to sync all domains in a forest must have rights to all domains and objects used in workflows.

Azure AD Application Account

  • An account with Global Administrator Role is required to grant permissions and establish connection when adding a Cloud Environment.

Azure AD PowerShell Accounts

  • Two (2) PowerShell accounts are automatically created to read and update objects in the cloud.  To do this an OAuth token is used from the account used to add the Cloud Environment.

  • These PowerShell accounts do not require any Microsoft 365 licenses.

Email Relay Service

One of the biggest obstacles during this process is that email sent to the domain in transit is not deliverable because it is held until the move is complete. This can cause delays, rejected messages and decreased productivity. On Demand Migration for Active Directory addresses these concerns with the Email Relay Service (ERS).  ERS provides the administrator two options on how email should be delivered during a move:

  • Basic Mode - Choose this mode if you would like to queue your emails using your existing delivery service during the domain move process. Mail flow for your domain will be resumed after the domain move has completed.

Basic Mode is easy to set up and requires no configuration changes to the tenant. Tenant administrators have the option to hold email message delivery while the domain is being moved, or to send the email messages to their own relay service provider for final delivery. In this mode, the directory synchronization component of On Demand Migration for Active Directory will facilitate the move of email addresses and domain names between tenants, but it will not be responsible for mail flow.

Basic Mode is the best choice when:

  • Only a handful of objects are associated with the tenant, and the domain move process will be completed within a couple of hours.

  • Continuous email delivery during domain move is not a requirement, and messages can be queued for delivery after domain move is completed.

  • Custom Transport rules and connectors are not allowed in Exchange Online for either source or target tenant.

  • Advanced Mode - Choose this mode if you would like to have mail delivered to your users in the target tenant during the domain move process. Transport rules and connectors will be configured in the tenants when this mode is selected.

Advanced Mode offers a full coexistence experience for end-users that are affected by the domain move.  It relays incoming email messages sent to the source user mailboxes to their matching target user mailboxes. The benefit of choosing Advanced Mode is there is no email disruption while the domain is being moved.

Advanced Mode is the best choice when:

  • A large number of objects are associated with the tenant and the domain move process is expected to take hours.

  • Continuous email delivery during the domain move is a requirement. Mission critical systems and businesses are impacted when email delivery is suspended.

  • Custom Transport rules and connectors are allowed in Exchange Online for either source or target tenant.

Setup

This topic describes how to set up the On Demand Migration Domain Move Project, how to deploy the Directory Sync Agent and how to configure the Directory Sync Integration. 

On Demand Project

This section explains how to add a Microsoft 365 tenant and configure a Migration project using On Demand Migration. During project setup an Office 365 Global Administrator account is initially required to add each tenant to the project.

How to add a Microsoft 365 tenant

Follow these steps to add each Microsoft 365 tenant for On Demand Migration. If there is an existing tenant from another project, it can be reused. 

  1. Log in to On Demand

  2. Navigate to Tenants

  3. Choose the Add Tenant button

  4. On Demand supports both Commercial and GCC High tenants. For the purpose of this guide, select Commercial Tenant, choose Add Commercial or GCC Tenant, and click OK.

  5. Log in to Office 365 with a Global Administrator account for the source tenant.

  6. Accept the requested Application Permissions

  7. Choose Finish

  8. Repeat steps 2 – 7 for the target tenant.

Setting up the Domain Move Project

Follow these steps to set up the Domain Move Project.

  1. Log in to On Demand

  2. Navigate to Migration

  3. Select an existing migration project

  4. Click on Domain Move from the Project Dashboard

  5. Once the On Demand Migration Active Directory module is loaded, click on the Domain Move icon in the main dash view.

  6. Click the New Project button to bring up the project setup wizard.

  7. Provide a name and description for the project and click Next

  8. Click on the New button to create a new environment or choose any existing environments from the list. Click Next once you have at least two environments selected.

  9. Choose the source and target environments from the dropdown menu and click Next.

  10. Configure the domain mapping for your project and click Next.

Important Tip: Domain Mapping will be used to match objects and allows On Demand Migration Active Directory to add the source domain to all matched target objects during the domain move.

  11. Configure the attributes to use to match users and groups. Once complete, click Next.

Important Tip: Multiple attributes can be selected, and On Demand Migration will evaluate each one until it finds a matching source and target object. If more than one attribute is selected, the first attribute that matches is used.

  12. Copy the Directory Sync agent Registration URL and Registration Key and click Next. NOTE: this information can be obtained again after the project is configured.

  13. On Demand Migration for Active Directory offers two email relay service modes. For the purpose of this guide, select Advanced Mode and click Next.

  14. Upload an SSL certificate for each environment. On Demand Migration for Active Directory uses this SSL certificate to ensure that mail delivered during a domain move is always encrypted, secure and private. Click Next once the certificates are uploaded.

Important Tip: A single subject certificate with both private and public key must be used.

  15. Review the project configuration settings and click Next.

  16. Enter an email address and click on Start Discovery to finish the project setup.

 

Configure Directory Sync Agents

This section provides a step-by-step guide on how to deploy and configure the Directory Sync Agents.

  1. Log in to On Demand

  2. Navigate to Migration, select the project and click on Domain Move.

  3. Select the Domain Move project previously configured.

  4. Click the Directory Integration link in the hamburger menu.

  5. Download the Directory Sync Agent.

  6. Copy the agent file to a dedicated directory sync server for the source tenant and run the installer.

  7. Click Next when the installer loads.

  8. Accept the License agreement, Click Next.

  9. Enter the domain, GC, and credentials for the service account, then click Next.

  10. Enter the Registration URL and Registration Key for the agent associated with the source tenant, click Next.

  11. Select the Run as System Account option, then click Next.

  12. Skip the SID History Migration setting and Click Next.

  13. Allow the agent to be installed and close the installer.

  14. Repeat Steps 1-13 for the target tenant Directory Sync agent.

Configure Directory Integration

This section provides a step-by-step guide on how to deploy and configure the Directory Integration for Domain Move Project.

  1. Log in to On Demand.

  2. Navigate to Migration, select the project and click on Domain Move.

  3. Select the Domain Move project previously configured.

  4. Click the Directory Integration link in the hamburger menu.

  5. Click Choose OUs to finish the On-Prem Active Directory integration.

  6. In the pop-up window, click the Select OU button and choose an OU for the Users and Contacts in the target Active Directory. Click Next and choose the OU for the source Active Directory. Click Finish to close the pop-up window.

Important Tip: Domain Move projects will not create any objects in the source or target Active Directory; the OU information is simply required to complete the project setup. We plan to make this step optional in a future release.

Validating Object Matches

This section provides a step-by-step guide on how to validate object matching.

  1. Log in to On Demand

  2. Navigate to Migration, select the project and click on Domain Move.

  3. Select the Domain Move project previously configured.

  4. From the Domain Move Project dashboard, verify the Users, Groups and Domain Matching information:

  5. Click on the total users link to see all Users, then click on Filter and select the Matched checkbox.

  6. Validate that the users are correctly matched, as shown below.

  7. Repeat steps 4 through 6 for Groups.

 

 

Moving a Domain

This section explains how to move a domain between two Microsoft 365 tenants using On Demand Migration. Be sure to review the Frequently Asked Questions section before starting.

Start the Domain Cutover (Step 1)

  1. Log in to On Demand

  2. Navigate to Migration, select the project and click on Domain Move.

  3. Select the Domain Move project previously configured.

  4. Select the Domain from the Domain Cutover Dashboard and click on Start Cutover.

  5. Review the Before You Begin Guide in the pop-up window, and once finished click Start.

  6. Review the warning messages regarding unmatched objects and click Next.

  7. Select a replacement domain from the dropdown menu, choose As Primary Address from the list of options below, and click Next.

     • As Primary Address – Domain will be added as the primary email address and will replace the existing primary email address for matched objects.

     • As Secondary Address only – Domain will be added as a secondary email address for matched objects.

     • Do not update – Domain will not be added for matched objects.

    Important Tip: This Target Address setting cannot be changed once the Domain Move begins.

Enable Email Relay (Step 2)

  1. On Demand Migration for Active Directory will now start the Email Relay provisioning process.  The screen will automatically refresh and move to the next step once the Email Relay is provisioned.

Redirect MX (Step 3)

  1. Update the DNS MX record for the domain being moved and point it to the Email Relay Service. Check the checkbox and click the Next button once the MX record is updated.

    Important Tip: Once the MX record has been updated, external incoming email messages will be delivered to the Email Relay Service (ERS) first. Once the message is processed by ERS, it will be sent to the target tenant for final delivery.

Move Domain (Step 4)

  1. The following steps are then done automatically by On Demand Migration for Active Directory:

     1. Read the email addresses from the source tenant

     2. Remove the email addresses from the source tenant for all objects

     3. Remove the domain from the source tenant

     4. Add the domain to the target tenant

    Important Tip: Any errors encountered during these steps will be shown on-screen and sent as an automated email notification. Migration administrators will need to remediate these errors before the domain move can continue. Email delivery will not be interrupted, however, if Advanced Mode was selected. Be sure to review the Frequently Asked Questions section.

  2. Log into the Microsoft 365 admin portal for the target tenant and verify the newly added domain.

  3. On Demand Migration for Active Directory now automatically adds the email addresses to matched objects in the target tenant using the target address setting previously selected.

Restore MX (Step 5)

  1. Restore the domain MX record now that email addresses have been added to the matching target objects.  Check “Yes, I have updated my mail flow to Office 365 and am ready to proceed” and click Next.

    Important Tip: Once the MX record is updated to point back to Microsoft 365, all external incoming email messages will be delivered directly to the target tenant, and the Email Relay Service (ERS) will stop processing any new incoming emails.

Complete (Step 6)

  1. The Domain Move has completed successfully at this point, click Finish.

  2. On Demand Migration for Active Directory will now remove the Email Relay created at the start of the domain move.

    Important Tip: This process can take up to 48 hours to complete. This will not affect mail delivery, as all email is sent directly to the target tenant.

Validating the Result

This section provides a step-by-step guide on how to validate the domain in the target tenant.

  1. Validate that the domain is added as an accepted domain in the target tenant.  Connect to the target tenant with an Exchange Online PowerShell session and run “Get-AcceptedDomain”.  Confirm that the domain has been added as an Authoritative domain in the tenant.

  2. Validate the domain was added as the Primary Email address by checking On-Premise and Cloud objects.

    On-Prem Objects

  • Open Active Directory Users and Computers in the target Active Directory.

  • Select an object whose domain was moved and open the properties window.

  • Select Attribute Editor and navigate to the ProxyAddresses attribute. Confirm the domain is listed as the primary SMTP address for this object.

    Cloud Objects

  • Open a remote PowerShell session to the target tenant.

  • Run the following PowerShell command and verify the domain is added as the Primary SMTP Address for the object.

    Get-Mailbox Lab1JuneMail10 | Select-Object -ExpandProperty Emailaddresses
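As an added example (not part of the Quest guide), the following PowerShell script combines both validation checks from this section in one pass: it confirms that the moved domain is an Authoritative accepted domain in the target tenant, then lists any mailbox that carries an address in that domain without using it as the primary SMTP address, which is what you expect to be empty after a move with the As Primary Address setting. It assumes an Exchange Online PowerShell session is already connected to the target tenant (Connect-ExchangeOnline); $MovedDomain is a placeholder to replace with the domain you moved.

```powershell
# Added validation example; not from the Quest guide.
# Assumes an Exchange Online PowerShell session is already connected to the target tenant.
$MovedDomain = 'moved-domain.example'   # placeholder: replace with the domain that was moved

# Check 1: the domain must be present as an Authoritative accepted domain.
$accepted = Get-AcceptedDomain | Where-Object { $_.DomainName -eq $MovedDomain }
if (-not $accepted) {
    Write-Warning "$MovedDomain is not an accepted domain in this tenant."
}
elseif ($accepted.DomainType -ne 'Authoritative') {
    Write-Warning "$MovedDomain is accepted, but its type is '$($accepted.DomainType)' rather than Authoritative."
}
else {
    Write-Host "OK: $MovedDomain is an Authoritative accepted domain."
}

# Check 2: every mailbox carrying an SMTP address in the moved domain should also use
# that domain for its primary SMTP address (As Primary Address setting).
$pattern = "(?i)^smtp:.*@$([regex]::Escape($MovedDomain))$"
$report = @(Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.EmailAddresses -match $pattern } |
    ForEach-Object {
        [pscustomobject]@{
            Identity             = $_.Identity
            PrimarySmtpAddress   = $_.PrimarySmtpAddress.ToString()
            PrimaryInMovedDomain = ($_.PrimarySmtpAddress.ToString() -like "*@$MovedDomain")
        }
    })

$notPrimary = @($report | Where-Object { -not $_.PrimaryInMovedDomain })
"{0} mailbox(es) carry an address in {1}; {2} of them do not use it as primary." -f $report.Count, $MovedDomain, $notPrimary.Count
# Anything listed here still has its old primary address and needs a closer look.
$notPrimary | Format-Table -AutoSize
```

The mailbox enumeration runs once for the whole tenant rather than once per user, so it is safe to run on large tenants; the output table is the remediation list, and an empty table is the success condition.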

     

Frequently Asked Questions

Can I use a wild card certificate for Advanced Email Relay Service?

Advanced Email Relay Service requires a single subject SSL certificate with both private and public keys attached.  Wild Card certificates are not supported.

I am receiving an error during the remove addresses step related to duplicated addresses. How can I locate the duplicate accounts?

On Demand Migration Active Directory replaces the email address and/or UserPrincipalName with the replacement domain name when the domain under move is removed. If the replacement address already exists in the directory, the domain move process will generate an error and alert migration administrators. An administrator can use the following PowerShell script to find objects that still have the domain name attached and perform any remediation needed (replace xxx.com with the domain being moved).

Get-AzureADUser -All:$true | where { ($_.ImmutableId -ne $null) -and (($_.UserPrincipalName -like '*xxx.com') -or ($_.Mail -like '*xxx.com') -or ($_.ProxyAddresses -like '*xxx.com')) } | select UserPrincipalName, ImmutableId
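As an added example (not from the Quest guide), the following script extends the one-liner above: it takes the hybrid users that still carry the moved domain and reports which of them would collide with an existing object once the domain part of their UPN is swapped for the replacement domain, which is the duplicate the error in this question refers to. It assumes a connected AzureAD PowerShell session (Connect-AzureAD); $MovedDomain and $ReplacementDomain are placeholders, and the rule "replacement UPN = same local part at the replacement domain" is an assumption of the example, not something the guide states.

```powershell
# Added example; not from the Quest guide. Assumes Connect-AzureAD has already been run.
$MovedDomain       = 'moved-domain.example'   # placeholder: the domain being moved
$ReplacementDomain = 'replacement.example'    # placeholder: the replacement domain chosen in the wizard

$allUsers = Get-AzureADUser -All:$true

# Index every UPN and SMTP proxy address in the tenant (case-insensitive) so that
# ownership lookups below are O(1) instead of a second pass over all users.
$index = @{}
foreach ($u in $allUsers) {
    $proxies   = @($u.ProxyAddresses | ForEach-Object { $_ -replace '^smtp:', '' })
    $addresses = @($u.UserPrincipalName) + $proxies
    foreach ($a in ($addresses | Where-Object { $_ })) {
        $key = $a.ToLower()
        if (-not $index.ContainsKey($key)) { $index[$key] = New-Object System.Collections.ArrayList }
        [void]$index[$key].Add($u)
    }
}

# Hybrid users (ImmutableId set) that still carry the moved domain, as in the one-liner above.
$stillOnDomain = @($allUsers | Where-Object {
    $_.ImmutableId -and (
        $_.UserPrincipalName -like "*@$MovedDomain" -or
        $_.Mail -like "*@$MovedDomain" -or
        ($_.ProxyAddresses -like "*@$MovedDomain")
    )
})

# For each of them, derive the replacement UPN (assumption: same local part) and see
# whether a different object already owns that address as a UPN or proxy address.
$collisions = @(foreach ($u in $stillOnDomain) {
    if ($u.UserPrincipalName -notlike "*@$MovedDomain") { continue }
    $localPart   = $u.UserPrincipalName.Split('@')[0]
    $replacement = "$localPart@$ReplacementDomain".ToLower()
    $owners = @($index[$replacement] | Where-Object { $_ -and $_.ObjectId -ne $u.ObjectId })
    if ($owners.Count -gt 0) {
        [pscustomobject]@{
            UserPrincipalName  = $u.UserPrincipalName
            ReplacementAddress = $replacement
            ConflictsWith      = ($owners | ForEach-Object { $_.UserPrincipalName }) -join '; '
        }
    }
})

"{0} user(s) still carry {1}; {2} would collide on {3}." -f $stillOnDomain.Count, $MovedDomain, $collisions.Count, $ReplacementDomain
$collisions | Format-Table -AutoSize
```

Each row in the output names the object that must be renamed or cleaned up before the remove-addresses step can succeed; for hybrid users the fix is made on the on-premises object and synced, as the next question describes.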

The remove address step cannot continue because my hybrid objects in the cloud are still associated with my domain, what should I do?

On Demand Migration Active Directory removes the domain name from hybrid users by making changes to Active Directory on-premise objects. After the objects are updated on-premise, these changes must be synced to Microsoft Azure Active Directory.  Verify the changes are correctly synced to the cloud from the Azure AD Sync log.

Can I remove Global Administrator from my account after creating my project?

Yes, however, the Global Administrator role must be added back to the account during an active domain move as it is required to remove the domain from the source tenant and add it to the target tenant.

My company security policy does not allow the global administrator role to be assigned the account, can I still move my domain?

Yes, you can use On Demand Migration Active Directory to move your domain, but you will need to manually remove the domain from the source tenant and add the domain to the target tenant at the appropriate time. The Domain Move project will alert you that it is unable to automatically remove the domain due to a lack of permissions; at that point you may manually remove and add the domain. Once you have completed these steps, you may skip to the add email addresses step by clicking the Skip button.

Will my end-users have to update or recreate their target Outlook Profiles when their Primary Email address is updated during a domain move?

No, Microsoft Outlook will automatically detect and update their Outlook profile when their primary address is changed.

I am using the Basic Mode Email Relay Service for my domain move project.  What is the best method to hold the email during the domain move and resume the delivery after the domain is moved?

The easiest solution is to change your MX records from Microsoft 365 to a domain that is not reachable during the domain move. For more details, please refer to the Microsoft guidance summarized below.

MX record change - Stop inbound mail flow

Change your primary MX record from Office 365 to a domain that is not reachable, e.g. "unreachable.example.com". Internet mail servers attempting to deliver new mail will queue the mail and attempt redelivery for 24 hours. Using this method, some email may return a non-delivery report (NDR) depending on the server attempting to deliver the email. If this is a problem, use an MX record backup service. There are many third-party services that will queue your email for days or weeks. Once your migration is complete, these services will deliver the queued mail to your new Office 365 organization.

Important Tip: It is highly recommended to use either the On Demand Migration Active Directory Email Relay Service or a third-party service to queue the email for final delivery, to avoid any lost emails.

About us

Quest creates software solutions that make the benefits of new technology real in an increasingly complex IT landscape. From database and systems management, to Active Directory and Office 365 management, and cyber security resilience, Quest helps customers solve their next IT challenge now. Around the globe, more than 130,000 companies and 95% of the Fortune 500 count on Quest to deliver proactive management and monitoring for the next enterprise initiative, find the next solution for complex Microsoft challenges and stay ahead of the next threat. Quest Software. Where next meets now. For more information, visit www.quest.com.

Technical support resources

Technical support is available to Quest customers with a valid maintenance contract and customers who have trial versions. You can access the Quest Support Portal at https://support.quest.com.

The Support Portal provides self-help tools you can use to solve problems quickly and independently, 24 hours a day, 365 days a year. The Support Portal enables you to:

  • Submit and manage a Service Request

  • View Knowledge Base articles

  • Sign up for product notifications

  • Download software and technical documentation

  • View how-to-videos

  • Engage in community discussions

  • Chat with support engineers online

  • View services to assist you with your product.

 
