The migration involves moving an existing on-premises environment with a dedicated Exchange forest to a “greenfield” hybrid deployment. This entails a change of domain name for the migrated objects. In general, the primary SMTP addresses of existing objects are not changed in the course of migration.
The typical use case for this scenario is a company that optimizes its directory and mail operations by merging one or more forests into a single clean hybrid deployment.
Prerequisites
- The source environment uses a separate Exchange resource domain in addition to an account domain.
- The target is a specifically pre-configured forest with a hybrid deployment.
Procedure
The procedure is the same as for the Complex Acquisition with a Hybrid scenario, so to implement this scenario follow the steps described for that scenario.
This topic describes how to support Single Sign-On (SSO) using Migration Manager, and how to benefit from Migration Manager if you already use Microsoft Azure AD Connect to synchronize user accounts with Microsoft Office 365.
Single Sign-On (SSO) lets users log in to a trusted Active Directory domain or to Microsoft Office 365 with the same credentials they use in the Active Directory domain where their accounts reside. If Active Directory Federation Services (AD FS) is already deployed in your organization and you plan to migrate your Exchange environment to Office 365, you can implement SSO for Microsoft Office 365. Migration Manager for Active Directory can ease the configuration of SSO during migration to Microsoft Office 365: it can create users in a federated domain, or move existing users to a federated domain, within the Microsoft Office 365 subscription, and such users can log in through Single Sign-On as soon as they get a Microsoft Office 365 account.
Implementing SSO by means of Migration Manager for Active Directory gives the following benefits for mailbox migration over the common scenario that uses Microsoft Azure AD Connect:
- Mail migration from multiple Exchange organizations
- Online migration from Exchange 2003
- Item-by-item migration with ability to safely rollback changes
Caution: Rollback tasks that move accounts from a federated domain to a non-federated domain (or the other way around) complete with errors. To avoid this issue, first perform an explicit migration to a non-federated (or federated, respectively) domain, and then perform the rollback task.
If you plan to implement SSO using Migration Manager for Active Directory, note that Active Directory Federation Services (AD FS) 2.0 must be deployed in your organization.
Note: If Microsoft Azure AD Connect has already provisioned user accounts in Microsoft Office 365 or is managing them, you can still support SSO and take advantage of Migration Manager for mail migration in some environment configurations. For more information, refer to the Interoperating with Microsoft Azure AD Connect section.
The following figure shows the overall environment configuration with SSO implemented using Migration Manager:
Migration Manager for Active Directory supports both the basic environment configuration, where Active Directory and the Exchange organization are located in the same forest, and the more sophisticated configuration with separate authentication and Exchange resource forests.
The steps required to migrate to Microsoft Office 365 while taking advantage of Single Sign-On are described below for each environment configuration.
Basic Migration Scenario
If your Active Directory and Exchange organization reside in the same forest, perform the following steps to migrate to Microsoft Office 365 with support for Single Sign-On:
- Ensure that AD FS 2.0 is deployed in your environment. Do not start directory synchronization using Microsoft Azure AD Connect. If synchronization is already running, make sure that the tool does not manage the user accounts that you plan to migrate using Migration Manager.
- Provision user accounts in Microsoft Office 365 using the Migration Manager for Active Directory (Microsoft Office 365) console. The Directory Migration Agent sets up SSO support automatically. Note that you need to use the default mapping template.
- Synchronize calendars and migrate mailboxes using Migration Manager for Exchange.
Users can log in through Single Sign-On as soon as they get a Microsoft Office 365 account.
After mail data is migrated and mailboxes are switched, you can enable Microsoft Azure AD Connect to keep user accounts synchronized.
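As an added example (not part of the Quest documentation), the following PowerShell verifies the two conditions behind the first two steps above using the MSOnline module: which tenant domains are federated with AD FS, and whether any account you plan to migrate is already managed by Azure AD Connect (and therefore must not be provisioned by Migration Manager). The file name planned-users.txt, the function names, and the report layout are assumptions; the AD FS 2.0 deployment itself is not checked here.

```powershell
# Added example, not code from the Quest Migration Manager documentation.
# Assumes the MSOnline PowerShell module and an account that can read the tenant.
Import-Module MSOnline
Connect-MsolService          # prompts for Office 365 admin credentials

# Federated domains sign users in through AD FS; managed domains authenticate in the cloud.
function Get-FederationSummary {
    Get-MsolDomain | ForEach-Object {
        $d   = $_
        $fed = $null
        if ($d.Authentication -eq 'Federated') {
            $fed = Get-MsolDomainFederationSettings -DomainName $d.Name
        }
        [pscustomobject]@{
            Domain         = $d.Name
            Status         = $d.Status            # Verified / Unverified
            Authentication = $d.Authentication    # Federated / Managed
            IssuerUri      = $fed.IssuerUri       # AD FS identity; $null for managed domains
        }
    }
}

# An account already synced by Azure AD Connect carries ImmutableId and LastDirSyncTime.
# Migration Manager must not provision such accounts in the basic SSO scenario.
function Test-PlannedAccounts {
    param(
        [string[]]$PlannedUpns,   # UPNs you intend to migrate (your own list)
        [object[]]$TenantUsers,   # output of Get-MsolUser -All
        [object[]]$Domains        # output of Get-FederationSummary
    )
    $federated = $Domains | Where-Object Authentication -eq 'Federated' |
                 Select-Object -ExpandProperty Domain
    foreach ($upn in $PlannedUpns) {
        $suffix = $upn.Split('@')[-1]
        $user   = $TenantUsers | Where-Object UserPrincipalName -eq $upn
        [pscustomobject]@{
            UserPrincipalName   = $upn
            ExistsInTenant      = [bool]$user
            ManagedByAadConnect = [bool]($user -and $user.LastDirSyncTime)
            UpnDomainFederated  = $federated -contains $suffix
        }
    }
}

$domains = Get-FederationSummary
$domains | Format-Table -AutoSize

$planned = Get-Content .\planned-users.txt    # one UPN per line; file name is an assumption
$report  = Test-PlannedAccounts -PlannedUpns $planned -TenantUsers (Get-MsolUser -All) -Domains $domains
$report | Format-Table -AutoSize

# Stop before provisioning if Azure AD Connect already owns any planned account,
# or if a planned UPN suffix is not a federated domain (that user would get no SSO).
$blocked = $report | Where-Object { $_.ManagedByAadConnect -or -not $_.UpnDomainFederated }
if ($blocked) {
    Write-Warning 'Resolve these accounts before running the Directory Migration Agent:'
    $blocked | Format-Table -AutoSize
}
```

Microsoft has since retired the MSOnline module; the same information is available through Microsoft Graph PowerShell, where Get-MgDomain exposes AuthenticationType and Get-MgUser -Property OnPremisesSyncEnabled,OnPremisesImmutableId reports whether Azure AD Connect owns the account.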
ERF Migration Scenario
With Migration Manager you can migrate from an environment with separate authentication and Exchange resource forests (ERF) to Microsoft Office 365 while taking advantage of Single Sign-On. Migration Manager for Active Directory provides special migration templates for this. To migrate to Microsoft Office 365 with support for Single Sign-On, perform the following steps:
- Ensure that AD FS 2.0 is deployed in your environment. Do not start directory synchronization using Microsoft Azure AD Connect.
- Provision user accounts in Microsoft Office 365 using the Migration Manager for Active Directory (Microsoft Office 365) console. Note that you need to migrate accounts twice:
- First, synchronize or migrate users from the Exchange resource forest using the ERF mapping template. This populates the Office 365 Global Address List (GAL) from the Exchange resource forest.
- Second, migrate (or synchronize) users from the Active Directory authentication forest using the Activate SSO mapping template. That template enables federation between the authentication forest and the Office 365 subscription.
Note: Using the ERF template ensures that federation with the separate authentication forest is not broken by ongoing GAL coexistence between the Exchange resource forest and the Microsoft Office 365 subscription.
- Synchronize calendars and migrate mailboxes using Migration Manager for Exchange.
Users can log in through Single Sign-On as soon as they get a Microsoft Office 365 account.
After mail data is migrated and mailboxes are switched, you can enable Microsoft Azure AD Connect to keep user accounts synchronized.
If Microsoft Azure AD Connect is already synchronizing user accounts with Microsoft Office 365 in your organization, you can still take advantage of Migration Manager for mail migration in certain environment configurations.
Note: Windows Azure Active Directory Sync (DirSync) and Azure AD Sync are also supported for this scenario. However, Microsoft has deprecated these tools, and they reach end of support on April 13, 2017. If you still use one of them, it is recommended that you upgrade to Azure AD Connect.
Using Migration Manager along with Microsoft Azure AD Connect gives the following benefits for mail migration:
- Migrate mailboxes using Migration Manager for Exchange:
- Ability to avoid unnecessary steps in certain migration scenarios
- Mail migration from multiple Exchange organizations
- Online migration from Exchange 2003
- Item-by-item migration with ability to safely rollback changes
- Process the Send on behalf, Send as, and Full Mailbox Access permissions.
- Support Single Sign-On (SSO) by means of Microsoft Azure AD Connect right from the beginning of migration.
Migration Manager can work with objects created and managed by Microsoft Azure AD Connect. However, because most mail-related object attributes are already synced by Microsoft Azure AD Connect, Migration Manager is not meant to sync them. Its role in this case is to establish proper matching of objects, and to set the location attributes and mail redirection settings for the objects so that mail migration using Migration Manager for Exchange can be performed.
The following restrictions apply in such configuration:
- The Active Directory object that Microsoft Azure AD Connect treats as the source must be mail-enabled. This is typical for environments with a consolidated Active Directory forest or for environments with separate authentication and Exchange resource forests.
- It is strongly recommended to use only the Empty Active Directory to Microsoft Office 365 mapping template when migrating objects and synchronizing directories. If you need to process specific permissions such as Send on behalf, add the corresponding mapping rules to the template.
- If X.400 addresses from the EmailAddresses attribute are not synced by Microsoft Azure AD Connect, do not try to sync them using Migration Manager. They will not be synced properly even if you add the corresponding mapping rules to the mapping template.
- If ongoing directory synchronization between the forest where the mailboxes reside and the authentication Active Directory forest is established using Migration Manager for Active Directory or any other third-party synchronization tool, it must be turned off while migrating to Microsoft Office 365. Otherwise, an additional domain must be set up in the Exchange organization for mail redirection, using the Edit Mail Redirection Domain action item for the corresponding migration pair in the Migration Manager for Active Directory (Microsoft Office 365) console.
Caution: The domain you specify is the one in which the mailboxes to be migrated with Migration Manager reside. The domain must be accessible from the Internet for mail delivery and must not be listed as an accepted domain for the Microsoft Office 365 tenant.
Note: Setting up the mail redirection domain ensures that mail can be successfully redirected from Microsoft Office 365 to the source Exchange organization.
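As an added example, not taken from the Quest documentation, the PowerShell below checks the two requirements stated in the caution for a candidate mail redirection domain, plus the mail-enabled requirement on the source object from the restrictions list. The domain name mail-redirect.example.com, the file planned-sam.txt and the helper names are assumptions. It uses Resolve-DnsName against a public resolver as a stand-in for the Internet view of the domain, the ExchangeOnlineManagement module for the tenant's accepted-domain list, and the ActiveDirectory module for the on-premises object check.

```powershell
# Added example, not code from the Quest Migration Manager documentation.
# Assumes the ExchangeOnlineManagement and ActiveDirectory modules are installed.
Import-Module ExchangeOnlineManagement
Import-Module ActiveDirectory

$RedirectDomain = 'mail-redirect.example.com'   # hypothetical redirection domain

# Requirement 1: the domain must be resolvable for mail delivery from outside the
# corporate network. Querying a public resolver approximates what the Internet sees.
function Test-RedirectDomainMx {
    param([string]$Domain, [string]$PublicResolver = '1.1.1.1')
    $mx = Resolve-DnsName -Name $Domain -Type MX -Server $PublicResolver -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'MX' }
    [pscustomobject]@{
        Domain     = $Domain
        HasMx      = [bool]$mx
        Exchangers = ($mx | Sort-Object Preference | ForEach-Object { $_.NameExchange }) -join ', '
    }
}

# Requirement 2: the domain must NOT be an accepted domain of the tenant; otherwise
# Exchange Online would treat the redirected address as local instead of routing it
# back to the source Exchange organization.
function Test-NotAcceptedDomain {
    param([string]$Domain, [string[]]$AcceptedDomains)   # DomainName values from Get-AcceptedDomain
    $AcceptedDomains -notcontains $Domain                 # string comparison is case-insensitive
}

# Restriction: the on-premises object that Azure AD Connect synchronizes must be
# mail-enabled, i.e. it carries a mail attribute and SMTP entries in proxyAddresses.
function Test-SourceMailEnabled {
    param([string]$SamAccountName)
    $u    = Get-ADUser -Identity $SamAccountName -Properties mail, proxyAddresses
    $smtp = @($u.proxyAddresses | Where-Object { $_ -like 'smtp:*' })   # -like is case-insensitive
    [pscustomobject]@{
        SamAccountName = $SamAccountName
        Mail           = $u.mail
        SmtpAddresses  = $smtp -join ', '
        MailEnabled    = [bool]$u.mail -and ($smtp.Count -gt 0)
    }
}

# --- run the checks ---
Test-RedirectDomainMx -Domain $RedirectDomain | Format-List

Connect-ExchangeOnline          # prompts for tenant admin credentials
$accepted = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() }
if (-not (Test-NotAcceptedDomain -Domain $RedirectDomain -AcceptedDomains $accepted)) {
    Write-Warning "$RedirectDomain is an accepted domain of the tenant; choose another redirection domain."
}

# Report planned source accounts that are not mail-enabled (list file is an assumption).
Get-Content .\planned-sam.txt |
    ForEach-Object { Test-SourceMailEnabled -SamAccountName $_ } |
    Where-Object { -not $_.MailEnabled } |
    Format-Table -AutoSize
```

Run the MX check from a host whose outbound DNS is not filtered, or the public-resolver query will fail for reasons unrelated to the domain; an empty Exchangers column with HasMx false means the redirection domain is not yet published and mail from Office 365 to the source organization will bounce.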