
Power365 Current - Help Center


Domain Cutover

What is a Power365 Domain Cutover?  

The Power365 Premium Integration project type includes the “Domain Cutover” or move functionality. After a tenant mailbox and group migration, the next step during a domain consolidation or divestiture project will be to move your registered Microsoft 365 Domain (i.e. Exchange Online Accepted Domain) from one Microsoft 365 tenant to another.

Moving a domain from one Microsoft 365 tenant to another is a tedious, multi-step, manually intensive procedure that must be carefully planned and executed at the proper time to ensure a seamless user transition. One of the biggest obstacles during this process is that email sent to the domain in transit is not deliverable, because it is held until the Domain move is complete. This can cause delays, lost messages and lost productivity.

The Power365 Domain Cutover is the solution. This powerful feature guides the migration operator through the domain move process, and streamlines many of the steps. It works in conjunction with the Email Rewrite Service (ERS) to maintain deliverability throughout the move. Mail is never held but delivered on-time, ensuring your users never miss that business-critical message.

Figure 1: Power365 Domain Cutover In-Progress


 

How does Domain Cutover Work?  

The Domain Cutover feature is designed to fulfill three major needs when moving an Accepted Domain from one tenant to another: moving users’ addresses, moving the domain and, most importantly, ensuring continuity of mail routing during the domain transition.

The Domain Cutover wizard will follow these 6 primary stages. Read through each one before continuing. They provide important details to the process that will help with planning and preparation.

1. Start  

During the start of this process Power365 will validate groups and request some input before beginning.

  1. Power365 will warn that any Mailbox or Group not migrated cannot be migrated after the Domain Cutover begins.
  2. Choose Replacement Source Domain – When removing a primary address from a source user, it must be replaced with a new domain. Choose the domain to replace the domain being moved. This may impact the user’s UPN, Mail and Proxyaddresses attributes. Note this will remove the source domain name configured for cutover from the source environment.
  3. Select Scope of Users to be Updated – When moving Domains, select the users to have their target proxies updated. This only impacts the target tenant. User Logins (userPrincipalName) are not modified in the target user.

         i. All Users – All matched objects will have their target proxies updated.

         ii. ERS “Day Two” Group Users – Only users in the BT-IntegrationPro-DayTwo group will have their target proxies updated.

         iii. Disabled – Do not update target proxies for any object. This is useful when you want to move the Domain but do not want to carry over any proxy addresses.

2. Enable Relay  

During Step 2, the Email Rewrite Service (ERS) Relay servers will be brought online to service the Domain being cutover to the target tenant. This step can take up to 60 minutes before the relays are activated. Don’t worry, Power365 will keep you up to date. Once this step is complete you will be able to move onto Step 3.

Note: This step can be skipped if the use of the relay or Email Rewrite Service is not needed.

3. Redirect MX  

During Step 3, the DNS administrator of the Domain being moved will execute an update to their public DNS MX record to direct traffic to the ERS Relay Servers. It can take up to 2 hours before an MX record change is propagated globally. Be sure to keep your TTL low during the transition.

After this step is complete, all inbound mail from the Internet for the domain being moved will be routed to the Power365 ERS relays that were set up during step 2. Mail will be delivered to the target user’s mailbox until step 5 is complete.

The Project Administrator may elect to skip redirection to the ERS relays but instead choose to queue mail using their own systems. This is also acceptable. Power365 will continue with the remainder of the Domain Cutover process. Quest is not responsible for any mail flow if by-passing ERS is elected.

Note: This step can be skipped if the use of the relay or Email Rewrite Service is not needed.

Important Note to Administrators: If you are using a 3rd party email provider or relay system to receive all Internet mail before directing traffic to the Power365, it is recommended that you contact Support with a list of IPs to have them whitelisted during the Domain Cutover process to avoid any mail delivery delays.

4. Move Domain  

During Step 4, Power365 will do most of the heavy lifting. This step is the most complicated, lengthy and error-prone, depending on the size and complexity of the environment. The following actions will take place during this step. User status will begin to update during this step. The Power365 Project administrator will also receive notifications if the Domain Cutover fails during these activities and when it completes.

  1. Read email addresses in source AD and tenant
  2. Remove email alias addresses (Proxyaddresses) from the source AD and tenant
  3. Replace Primary address from the source AD and tenant
  4. Replace User Login (userPrincipalName) from the source AD and tenant
  5. Remove domain from source tenant
  6. Add domain to target tenant
  7. Administrator must verify domain in target (This is a manual step executed by the Tenant Administrator within the Microsoft 365 Admin Portal or using the PowerShell Confirm-MsolDomain cmdlet.)
  8. Add email addresses in target (The target UPN is not modified)

Note:

  • The Removing Addresses From Source action can be skipped if an error occurs. You can skip this action if you want to forcefully remove the domain and you have already ensured addresses have been removed from all in-scope objects.

  • The Removing Domain From Source, Adding Domain To Target, and Verifying Domain In Target State actions can be skipped if you decide to remove and add the domain manually and not use Power365.

  • The Adding Addresses To Target action can be skipped if an error occurs.

5. Restore MX  

During Step 5, the DNS administrator of the Domain being moved will execute an update to their public DNS MX record to direct traffic to Exchange Online Protection (EOP) (e.g. contoso-com.mail.protection.outlook.com) or another relay service.

After this step is complete, all inbound mail from the Internet for the domain being moved will be routed to the new destination tenant. Power365 ERS relays will no longer be used.

Note: This step should be skipped if the Redirect MX step was skipped.
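
The following check for the Redirect MX and Restore MX steps is an added example, not part of the Power365 product or the original help page. It evaluates MX answers collected from several resolvers against the target expected for the current step; the function name, the 300-second TTL threshold and the relay host name relay.ers.example are assumptions made for illustration.

```powershell
# Added example: judge MX answers gathered from several resolvers during Step 3 or Step 5.
# The records below are constructed and shaped like Resolve-DnsName output
# (DnsClient module on Windows). For a live check, collect them per resolver with:
#   Resolve-DnsName -Name contoso.com -Type MX -Server 8.8.8.8 -DnsOnly
function Test-MxCutover {
    param(
        [Parameter(Mandatory)] [hashtable] $AnswersByResolver,  # resolver IP -> MX records
        [Parameter(Mandatory)] [string]    $ExpectedTarget,     # host the MX should name now
        [int] $MaxTtlSeconds = 300                              # assumed "low TTL" threshold
    )
    foreach ($resolver in $AnswersByResolver.Keys | Sort-Object) {
        # Keep only MX records; other answer types have no NameExchange property.
        $mx = @($AnswersByResolver[$resolver] | Where-Object { $_.NameExchange })
        $unexpected = @($mx | Where-Object { $_.NameExchange.TrimEnd('.') -ine $ExpectedTarget })
        $maxTtl = ($mx | Measure-Object -Property TTL -Maximum).Maximum
        $state = if ($mx.Count -eq 0)                { 'NoMX' }
                 elseif ($unexpected.Count)          { 'NotPropagated' }
                 elseif ($maxTtl -gt $MaxTtlSeconds) { 'TtlTooHigh' }
                 else                                { 'OK' }
        [pscustomobject]@{
            Resolver = $resolver
            State    = $state
            Targets  = ($mx.NameExchange | Sort-Object -Unique) -join ', '
            MaxTtl   = $maxTtl
        }
    }
}

# Constructed sample for Step 5: one resolver already returns the EOP host,
# the other still returns the relay (placeholder name, not a real ERS host).
$eop = 'contoso-com.mail.protection.outlook.com'
$answers = @{
    '8.8.8.8' = @([pscustomobject]@{ NameExchange = $eop; Preference = 0; TTL = 300 })
    '1.1.1.1' = @([pscustomobject]@{ NameExchange = 'relay.ers.example'; Preference = 10; TTL = 3600 })
}
Test-MxCutover -AnswersByResolver $answers -ExpectedTarget $eop | Format-Table -AutoSize
```

A recursive resolver reports the remaining cache lifetime, so query the zone's authoritative name server to read the configured TTL.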

6. Complete  

During this final step of the Power365 Domain Cutover please allow up to 48 hours for the Cutover Domain wizard to deprovision the ERS engine and clean up this domain move; this is to ensure that any outstanding mail items are delivered before the service is shut down. During this time, you may be prevented from making certain changes to this Power365 project.

If you had users located in the “DayTwo” ERS group, you may now remove them from the group. If all Domains have been cutover and ERS is no longer required it is recommended that it be disabled in the Power365 Project. Once ERS is disabled, the associated Transport Rules, Groups and Connectors will be removed in the configured Microsoft 365 tenants. The same is true for the Calendar Sharing configured between the tenants using Power365. If this feature is disabled in the Power365 Project, the associated Organization Relationships setup in each tenant will be removed automatically.

 

What to plan for using Domain Cutover  

As each production environment has different operations, standards and policies, be sure to carefully plan your environment’s domain cutover process. While this wizard will assist with specific portions of the domain cutover process, there may be additional reconfiguration necessary to support a successful domain cutover.

 

Updating the Source Environment  

During the 4th step of the Domain Cutover process, the source objects (users, groups, contacts), both local and in the cloud, will have their proxyaddresses and UserPrincipalName (users only) updated to replace the Domain being cutover. Therefore, be sure to plan your local Mailbox migrations beforehand. Unified Groups (Office 365 Groups) and Microsoft Teams must be manually remediated to remove the proxy address, or the group must be deleted, before proceeding.

 

Updating the Target Environment  

Once the domain has been moved to the destination Microsoft 365 tenant during step 4, the wizard will re-assign their addresses (userPrincipalName is not updated, logins remain unchanged) to users and groups that have been matched by Power365. However, the wizard will not update the following objects in the target environment:

  • Users not Prepared by Power365
  • Distribution Groups not Migrated by Power365
  • Mail-Enabled Public Folders
  • Mail-Enabled Contacts

Please ensure that these object types are remediated with the proper address after the Domain Cutover is complete.

 

Other Considerations during a Domain Cutover  

  • Only one domain can be cutover at a time using Power365.
  • Disable the scheduled Discovery jobs in all environments before starting the Domain Cutover.
  • All Users and Groups in P365 must be migrated before Domain Cutover. If not, they cannot be migrated after the Domain Cutover is complete.
  • Any user or group in the source that contains a proxyaddress of the Domain being Cutover will have their status updated in Power365. Their proxyaddresses will be removed in the source to remove the Domain later. These users will not be able to be migrated afterwards.
  • Plan to move or remediate Office 365 Groups (Unified Groups) and Microsoft Teams before the Domain Cutover. Either remove the address associated with the Domain Cutover or delete the group or team.
  • Plan to manually reassign primary or alias addresses to Mail contacts, Public Folders or unmatched users and groups in the Target environment.
  • Plan to migrate local Exchange Mailboxes before the Domain Cutover.
  • Plan to set up the local AD Domains before the Domain Cutover if UPN reassignment is required in the Target environment.
  • Plan to move other configurations related to the domain being cutover such as Exchange Policies, Transport Rules, Connectors, EOP Rules, GPOs, etc.
  • Remove all Skype for Business licenses from the users in the Source tenant using the Skype for Business Admin Portal. This will remove the Skype for Business SIP address connected to the domain.
  • Update your SharePoint Online website address 24 hours before your Domain Cutover.
  • You cannot remove a domain that has subdomains. You must first delete the subdomains before you can remove the parent domain.
  • The Microsoft Online routing domain that's issued by Microsoft 365 (for example, contoso.onmicrosoft.com) cannot be moved or deleted.
  • If using a 3rd party email relay system to receive all Internet mail before directing traffic to the Power365 mail gateways, it is recommended that you contact Support with a list of IPs to have them whitelisted during the Domain Cutover process to avoid any mail delivery delays.
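
The source-side actions of Step 4 and the Skype for Business consideration above can be rehearsed before the cutover with a dry run such as the one below. It is an added example, not Power365's own logic or code from the original page; the function name and the sample objects are constructed for illustration, and it assumes the standard proxyAddresses convention in which an upper-case SMTP prefix marks the primary address.

```powershell
# Added example: dry run of the Step 4 source-side changes for one cutover domain.
# Models the actions as this page lists them; it is not Power365's own logic.
function Get-CutoverPlan {
    param(
        [Parameter(Mandatory)] [object[]] $Object,
        [Parameter(Mandatory)] [string]   $CutoverDomain,
        [Parameter(Mandatory)] [string]   $ReplacementDomain
    )
    $suffix = '@' + $CutoverDomain   # leading @ keeps subdomains out of the match
    $cmp = [System.StringComparison]::OrdinalIgnoreCase
    foreach ($o in $Object) {
        $actions = @()
        foreach ($p in $o.proxyAddresses) {
            # Entries are "prefix:address"; an upper-case SMTP prefix marks the primary.
            $prefix, $addr = $p -split ':', 2
            if (-not $addr -or -not $addr.EndsWith($suffix, $cmp)) { continue }
            $user = $addr.Substring(0, $addr.Length - $suffix.Length)
            if ($prefix -ceq 'SMTP') {
                $actions += "Replace primary $addr with ${user}@${ReplacementDomain}"
            } elseif ($prefix -ieq 'smtp') {
                $actions += "Remove alias $addr"
            } elseif ($prefix -ieq 'sip') {
                $actions += "SIP address ${addr}: remove the Skype for Business license first"
            }
        }
        $upn = [string]$o.UserPrincipalName
        if ($upn.EndsWith($suffix, $cmp)) {
            $newUpn = $upn.Substring(0, $upn.Length - $suffix.Length) + '@' + $ReplacementDomain
            $actions += "Replace UPN $upn with $newUpn"
        }
        # Emit only objects that the cutover would touch.
        if ($actions) { [pscustomobject]@{ Name = $o.Name; Actions = $actions } }
    }
}

# Constructed sample objects; live input could come from, for example,
#   Get-ADUser -Filter * -Properties proxyAddresses
$sample = @(
    [pscustomobject]@{ Name = 'Alice'; UserPrincipalName = 'alice@contoso.com'
        proxyAddresses = @('SMTP:alice@contoso.com', 'smtp:a.smith@contoso.com', 'SIP:alice@contoso.com') },
    [pscustomobject]@{ Name = 'Bob'; UserPrincipalName = 'bob@fabrikam.com'
        proxyAddresses = @('SMTP:bob@fabrikam.com', 'smtp:bob@sub.contoso.com') }
)
Get-CutoverPlan -Object $sample -CutoverDomain 'contoso.com' `
    -ReplacementDomain 'contoso.onmicrosoft.com' | Format-List
```

In this sample only Alice is reported; Bob's alias is in a subdomain, which is a separate domain that the page says must be deleted before the parent domain can be removed.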

 

Domain Cutover Logging  

  • Domain Cutover Logs – At various stages of the Domain Cutover Wizard the Domain Cutover Logs download link will be presented. Click this link to open the current logs. These logs pertain to the activities being driven by the Power365 engine.
  • User Move Logs – During the Domain Cutover the User status will be updated. Double click a user to display their activity logs. Click on the Move log to review the history of the user’s Domain Cutover process.
  • Directory Sync Lite Logs – When the Power365 engine has a job that needs to be executed on the local Active Directory, it gives this job to Power365 Directory Sync Lite. Launch the Directory Sync Lite Console then click the View Logs button to review the actions taken locally.

 

User Status Types during a Domain Cutover  

  • Moving – During Step 4 the user’s status will update to the Move state.
  • Moved – When Step 4 is complete for the user, their status will change to the Moved state.
  • Move Error – During Step 4 if at any time a local user or group cannot be remediated, an error will be logged. Open the user Move log to determine why. Remediate the problem and rerun Step 4.

 

What account roles are required for Domain Cutover?  

There are two accounts used during the domain cutover process. Each uses the Global Administrator role to facilitate the process on your behalf.

  • Application Service Account – Global Administrator Role
  • Binary Tree PowerShell Account – Global Administrator Role

Note: Domain move can be performed without having to grant Global Administrator rights to the service accounts. The Removing Domain from Source and Adding Domain to Target actions require Global Administrator rights, but these actions can be skipped if performed manually.

 

If I lowered my application account roles to the minimum, should I raise them before the domain cutover?  

If your application account roles are set to the minimum requirements, then assign the Global Administrator role before beginning the domain cutover.

Note: Domain move can be performed without having to grant Global Administrator rights to the service accounts. The Removing Domain from Source and Adding Domain to Target actions require Global Administrator rights, but these actions can be skipped if performed manually.

 

Is my organization required to modify our MX records?  

Power365 does not require you to use our Email Rewrite Services to route inbound mail to the target mailbox during the Domain Cutover event. The Project Administrator may elect to skip redirection to the ERS relays but instead choose to queue mail using their own systems. This is also acceptable. Power365 will continue with the remainder of the Domain Cutover process. Quest is not responsible for any mail flow if by-passing ERS is elected. The Domain Cutover process will still provision the mail relays for your project; this can take as much as 60 minutes to complete.

 

Are 3rd party email service providers such as Proofpoint or Mimecast supported during a Domain Cutover?  

If you choose to have all inbound Internet mail for your domains directed to a 3rd party email relay prior to directing the traffic to the Power365 Email Gateways as recommended, you may experience rate controls being applied, causing email delivery delays.

To avoid this situation, bypass your 3rd party provider during the domain cutover event or contact Support with a list of IPs and dates to have the system whitelisted.

 

Can steps of the Domain Cutover process be skipped?

Some steps of the Domain Cutover process can be skipped. The Skip button will appear on the Cutover Domain wizard screen when the step can be skipped.

The following steps/actions can be skipped:

  • Enable Relay can be skipped if the use of the relay or Email Rewrite Service is not needed.

  • Redirect MX can be skipped if the use of the relay or email rewrite service is not needed.

  • Removing Addresses From Source can be skipped if an error occurs. You can skip this action if you want to forcefully remove the domain and you have already ensured addresses have been removed from all in-scope objects.

  • The Removing Domain From Source, Adding Domain To Target, and Verifying Domain In Target State actions can be skipped if you decide to remove and add the domain manually and not use Power365.

  • Adding Addresses To Target can be skipped if an error occurs.

  • Restore MX should be skipped if the Redirect MX step was skipped.

 

Additional Information on Domain Migrations  

 
