Introduction
On Demand Migration for Active Directory provides the “Domain Cutover” or move functionality. After a tenant mailbox and group migration, the next step during a domain consolidation or divestiture project is to move any registered Microsoft 365 Domains (i.e. Exchange Online Accepted Domains) from one Microsoft 365 tenant to another.
Manually moving a domain from one Microsoft 365 tenant to another is a tedious, multi-step, intensive procedure that must be carefully planned and executed at the proper time to ensure a seamless user transition. One of the biggest obstacles during this process is that email sent to the domain is not deliverable because it is held until the move is complete. This can cause delays, lost messages and decreased productivity.
The On Demand Migration for Active Directory Domain Cutover is the solution. This powerful feature guides the migration operator through the entire domain move process and automates many of the steps. It works in conjunction with the Email Relay Service (ERS) to maintain deliverability throughout the move. Mail is never held but is delivered on time, ensuring your users never miss any business-critical messages.
This step-by-step guide walks through how to configure On Demand Migration for Active Directory to move a domain between two Microsoft 365 Hybrid tenants.
Topics
This guide covers the following topics:
-
Differences between Basic and Advanced Email Relay Service
-
Configuring an On Demand Migration for Active Directory Domain Move Project
-
Deploying and Configuring Directory Sync integration
-
Validating object matches
-
Performing Domain Move between two Microsoft 365 tenants
-
Validating the Domain Move results
-
Frequently Asked Questions
Requirements
General
-
Client is licensed for On Demand Migration for Active Directory Domain Move
-
One Global Administrator Account for each Microsoft 365 tenant
-
One Domain Administrator Account for each On-Premise Active Directory attached to the tenant
-
One dedicated server to install the Directory Sync agent
-
Permissions to download and install Directory Sync agent
The local agent must meet the following minimum hardware requirements:
-
At least one (1) Windows Server 2012 R2, 2016 or 2019
-
Additional Windows servers may be deployed; limit of 5.
-
CPU: 4 Cores
-
Memory: 4GB Free
-
Disk: 40GB Free Disk Space excluding Operating System.
The local agent must meet the following minimum software requirements:
-
Windows Server 2012 R2, 2016 or 2019
-
.NET 4.5.2. NOTE: .NET will automatically be installed if needed.
-
TLS 1.2 or higher
Domain and Forest Functional Levels
-
2012 R2 or 2016
-
Directory Sync web interface use TCP port 443 (HTTPS).
-
Agent web connections use port 443 to Directory Sync host application.
-
DCs use TCP ports 139, 389 (UDP), 445, and 3268.
-
SID History functionality uses TCP ports 135, 137-139, 389 (UDP), 445, 1027, 3268, and 49152-65535.
Local Active Directory Account
-
Agent installer will prompt for a domain account with permission to read and write on-premises Active Directory.
-
An agent intended to sync all domains in a forest must have rights to all domains and objects used in workflows.
-
Azure AD Application Account
-
An account with Global Administrator Role is required to grant permissions and establish connection when adding a Cloud Environment.
-
Azure AD PowerShell Accounts
-
Two (2) PowerShell accounts are automatically created to read and update objects in the cloud. To do this an OAuth token is used from the account used to add the Cloud Environment.
-
These PowerShell accounts do not require any Microsoft 365 licenses.
Email Relay Service
One of the biggest obstacles during this process is that email sent to the domain in transit is not deliverable because it is held until the move is complete. This can cause delays, rejected messages and decreased productivity. On Demand Migration for Active Directory addresses these concerns with the Email Relay Service (ERS). ERS provides the administrator two options on how email should be delivered during a move:
-
Basic Mode - Choose this mode if you would like to queue your emails using your existing delivery service during the domain move process. Mail flow for your domain will be resumed after the domain move has completed.
Basic Mode is easy to setup and requires no configuration changes to the tenant. Tenant administrators have the option to hold the email message delivery while the domain is being moved or to send the email messages to their own relay service provider for final delivery. In this mode, the directory synchronization component of On Demand Migration for Active Directory will facilitate the move for email addresses and domain names between tenants but it will not be responsible for the mail flow.
Basic Mode is the best choice when:
-
Only a handful of objects associated with the tenant and the domain move process will be done within a couple hours.
-
Continuous email delivery during domain move is not a requirement, and messages can be queued for delivery after domain move is completed.
-
Custom Transport rules and connectors are not allowed in Exchange Online for either source or target tenant.
-
Advanced Mode - Choose this mode if you would like to have mail delivered to your users in the target tenant during the domain move process. Transport rules and connectors will be configured in the tenants when this mode is selected.
Advanced Mode offers a full coexistence experience for end-users that are affected by the domain move. It relays incoming email messages sent to the source user mailboxes to their matching target user mailboxes. The benefit of choosing Advanced Mode is there is no email disruption while the domain is being moved.
Advanced Mode is the best choice when:
-
A large number of objects are associated with the tenant and the domain move process is expected to take hours.
-
Continuous email delivery during the domain move is a requirement. Mission critical systems and businesses are impacted when email delivery is suspended.
-
Custom Transport rules and connectors are allowed in Exchange Online for either source or target tenant.