This user guide covers the steps required to configure and perform a Domain Move. The Domain Move Quick Start Guide summarizes these steps and addresses some frequently asked questions.
Introduction
Directory Sync
Directory Sync Requirements
Setup
Active Directory
Workflows
Workflow Test Mode
Workflow: Evaluate Changed Objects Only
Templates
Local Environment Template Options
Advanced Mapping
Reset Mappings
Agents
Guest Users in Directory Sync
Product Licensing
Settings
How-To
Planning the Migration Project
Active Directory Requirements
Setup
Domain Rewrite
Domain Move
Deleting Customer Data
Appendix A: Using PowerShell
Environments
Workflows
Profiles
Migrate and Navigate
How-To
FAQs
Additional Info
Migration Profiles
Network Profiles
Device ReACL Profiles
File Share ReACL Profiles
Microsoft Entra ID Join Profiles
Credential Profiles
Credential Cache Profiles
Creating Interactive Client Profiles
Configurations
Migration Waves
Settings
Directory Integration
What is Directory Integration?
Directory Integration refers to the Directory Sync components that are automatically deployed and configured when you set up a Premium Integration project.
Where do I manage Directory Integration?
Directory Integration will display under Settings when a Domain Move project is created. To manage the Directory Sync components of your project, click Directory Integration from the left navigation menu as shown below.
What can be managed from Directory Integration?
After project configuration, You may use the Directory Integration tab to check on the status of their workflows and local agents, download history logs and manage the Organizational Units (OU) for creating new objects during Prepare and Cutover activities.
How do I create a new agent?
From Directory Integration management click the New button to begin creating a new agent for your existing environments.
Are agents automatically upgraded when a new version is available?
Yes, if the Auto Upgrade feature is checked then agents will automatically be upgraded when new versions are available.
Certificates
What are certificates?
Certificates will display, under Settings within the Domain Move project. Certificates are used to ensure secure message transit with TLS.
What is required to ensure mail delivery during Domain Move?
For full details about TLS certificate requirements see the SSL requirements.
Where can I verify the status of my certificates?
Existing certificates can be viewed by selecting Certificates from the left navigation menu. The Mail Relay Service page opens.
Where do I manage certificates?
Certificates are managed within your project. They are uploaded during project setup and can be removed or newly uploaded by editing your project. Follow these steps to add a new certificate or remove an existing certificate from your project setup.
- Open the desired project.
- From the project dashboard click Setup.
- From the project summary, click Security.
- The project certificate page opens.
- If a certificate has expired and you need to upload a new version, then simply click the X to remove the existing certificate.
- After removing the old certificate, click Upload to provide a valid certificate. Be sure it meets requirements. It must be in the PFX format with a valid password.
- After uploading the new certificate, click Next to navigate to project summary.
- Click Next again.
- Now click Skip Discovery to return to the project dashboard.
Email Relay Service
What is the Email Relay Service?
One of the biggest obstacles during this process is that email sent to the domain in transit is not deliverable because it is held until the Domain move is complete. This can cause delays, rejected messages, and productivity. On Demand Migration for Active Directory addresses these concerns with its robust Email Relay Service which provides the administrator options on how email should be delivered. Migration Administrators can choose Either Basic Mode or Advanced Mode s based on their project requirements.
Microsoft has enabled “MTA-STS for Exchange Online” security feature in Exchange Online, and will refuse deliver messages to servers that don’t support TLS and have a trusted certificate. Customer will need to update their MTA-STS policy and add the Email Relay Server’s MX records to the policy. Below is a sample of the policy, additional detail for MTA-STS implementation in Exchange Online, please refer to Introducing MTA-STS for Exchange Online - Microsoft Tech Community link.
When Should Basic Mode be used?
Choose this mode if you would like to queue your emails using your existing delivery service during the domain move process. Mail flow for your domain will be resumed after the domain move has completed.
Basic Mode is easy to setup and requires no configuration changes to the tenant. Tenant administrators have the option to hold the email message delivery while the domain is being moved or to send the email messages to their own relay service provider for final delivery. In this mode, the directory synchronization component of On Demand Migration for Active Directory will facilitate the move for email addresses and domain names between tenants but it will not be responsible for the mail flow.
Basic Mode is the best choice when:
- Only a handful of objects associated with the tenant and the domain move process will be done within a couple hours.
- Continuous email delivery during domain move is not a requirement, and messages can be queued for delivery after domain move is completed.
- Custom Transport rules and connectors are not allowed in Exchange Online for either source or target tenant.
When should Advanced Mode be used?
Choose this mode if you would like to have mail delivered to your users in the target tenant during the domain move process. Transport rules and connectors will be configured in the tenants when this mode is selected.
Advanced Mode offers the full coexistence experience for end-users that are affected by the domain move. It will relay incoming email messages sent to the source user mailboxes to their matching target user mailboxes. The benefit of choosing Advanced Mode is there is no email disruption while the domain is being moved.
Advanced Mode is the best choice when:
- A large number of objects are associated with the tenant and the domain move process is expected to take hours.
- Continuous email delivery during the domain move is a requirement. Mission critical systems and businesses are impacted when email delivery is suspended.
- Custom Transport rules and connectors are allowed in Exchange Online for either source or target tenant.
Domain Move Relay Service being discontinued after Dec 31, 2025.
The Domain Move Relay Feature which automatically redirects incoming email to target user mailboxes during domain transfer process will be discontinued after Dec 31, 2025. To facilitate this change, inbound email delivery can be temporarily interrupted to facilitate the domain migration between two M365 tenants. Typically, Internet mail servers will attempt to deliver new email for up to 24 hours. Email queuing can be achieved by changing the primary MX record from the M365 tenant to an unreachable domain.
However, note that using this method may result in some email returning as non-deliverable (NDR) if the primary MX record is not promptly restored to M365. Alternatively, a third-party email queuing service can be used to queue your email for extended periods (days or weeks). Once the migration is complete, queued messages will be delivered to the target M365 tenant.
During the migration of the domain, the system will prompt for redirecting the MX record, the admin may temporarily reconfigure the mail flow by changing the primary MX record to a non-deliverable domain. By default, email will be queued and retried for up to 24 hours.
