Lessons learned from the Cutover Migration to Office 365
Migrating to Office 365 can be quite a struggle, but it doesn’t have to be. With this blog entry I hope to help you avoid some of the critical mistakes that I made during the migration.
There are several ways to migrate your Exchange environment to Exchange Online/Office 365. We will focus on the cutover migration and will also cover a few things about the synchronization product Azure AD Connect.
A lot of information about the process can be found in the official guide, which I urge you to read first.
Before you start the migration, consider the following things:
- Hidden mailboxes, contacts or distribution groups won’t be detected by the migration endpoint. This is also a good way to exclude mailboxes from the migration if you don’t want to move them to the new cloud. You can get hidden mailboxes with the following command:
Get-Mailbox * | where {$_.HiddenFromAddressListsEnabled -eq $true} | ft Name, PrimarySmtpAddress
- Any mail forwarding settings will not be migrated. Before you complete the migration batch, you should filter out all the mailboxes or distribution groups and write them down. You can use this command as an example:
Get-Mailbox * | where {$_.ForwardingAddress -ne $null} | ft Name, ForwardingAddress -AutoSize
- Public folders are not included in the cutover migration. However, there are guides for Exchange 2007 or 2010. Exchange 2013 & 2016 public folders are not officially supported right now. In this case I would advise you to export the folders manually and import them into Exchange Online – be aware that you will lose permissions and mail-enabled public folders this way.
- Things like mail flow rules, connectors & mail filter settings will not be migrated and should be set up before you start the migration.
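The hidden-recipient and forwarding checks above combined into one pre-migration inventory, as an added example that is not part of the original post: it writes both lists to CSV so they can be re-created and reviewed after the cutover. It assumes the on-premises Exchange Management Shell; the folder `C:\MigrationInventory` and the file names are placeholders, and it also records `ForwardingSmtpAddress` and `DeliverToMailboxAndForward` next to the `ForwardingAddress` property used above.

```powershell
# Added example: run in the on-premises Exchange Management Shell before the cutover.
# $outDir and the CSV file names are placeholders chosen for this example.
$outDir = 'C:\MigrationInventory'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1) Recipients hidden from the address lists (mailboxes, groups, contacts).
#    The migration endpoint will not detect any of these.
$hidden = @()
$hidden += Get-Mailbox           -ResultSize Unlimited
$hidden += Get-DistributionGroup -ResultSize Unlimited
$hidden += Get-MailContact       -ResultSize Unlimited
$hidden = $hidden | Where-Object { $_.HiddenFromAddressListsEnabled -eq $true }

$hidden |
    Select-Object Name, RecipientTypeDetails, PrimarySmtpAddress |
    Export-Csv -Path (Join-Path $outDir 'hidden-recipients.csv') -NoTypeInformation

# 2) Mailboxes that forward mail, either to a recipient object (ForwardingAddress)
#    or to a plain SMTP address (ForwardingSmtpAddress). Neither setting is migrated.
$forwarding = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress }

$forwarding |
    Select-Object Name, PrimarySmtpAddress, ForwardingAddress,
                  ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Export-Csv -Path (Join-Path $outDir 'forwarding.csv') -NoTypeInformation

# 3) Short summary so the numbers can be compared after the migration.
$summary = New-Object PSObject -Property @{
    HiddenRecipients    = @($hidden).Count
    ForwardingMailboxes = @($forwarding).Count
}
$summary | Format-List
```

Reviewing `forwarding.csv` before re-creating the rules in Exchange Online is also a chance to drop forwards that nobody can account for.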
Azure AD Connect:
After completing the migration batch, you might want to set up the AD Connect synchronization service. You can’t do this earlier, because it will interfere with the cutover migration to Office 365. AD Connect will match all on-premises users with the users from the completed migration batch, so you don’t have to worry about duplicates. By default, the objectGUID is used as the source anchor. Since this attribute is unique and immutable (as long as you are not changing AD forests), I would not change this setting unless you know what you are doing.
When configuring AD Connect, you can choose the object types, attributes and organizational units to synchronize, and whether to enable password hash synchronization so that users can use the same credentials in the cloud as on-premises.
- To prevent accidental deletion of all accounts by the synchronization service, you should set a threshold. I disabled all mailboxes after I completed the migration batch and found out too late that not only the mailbox but also the AD user got deleted. It cost me a lot of time recovering those accounts.
Enable-ADSyncExportDeletionThreshold -DeletionThreshold 10
- To see and change the schedule for the sync, use the following commands:
Get-ADSyncScheduler
# For a 30 minute interval
Set-ADSyncScheduler -CustomizedSyncCycleInterval 00:30:00
- If you can’t wait for the next sync cycle to run, you can always start it manually:
Start-ADSyncSyncCycle -PolicyType Delta
There is also a tool called “Synchronization Service Manager”, which is installed when you set up AD Connect. This tool gives you an overview of the whole synchronization process – you can check which items and which attributes have been created, modified or deleted. Basic actions like a synchronization cycle can be started from it as well.
For more information about the default configuration of AD Connect check the following site.
Assigning Licenses to Mailboxes:
After you have migrated the mailboxes to Office 365, you need to assign user licenses to these accounts or they will not be able to sign in to Exchange after a grace period of 30 days. If you have mailboxes which are not for personal usage, you can convert them into shared mailboxes either with the Office 365 Administration Portal or PowerShell. Here is a guide on how you can connect to Exchange Online with PowerShell and import.
To find out what licenses are available use the following command:
Get-MsolAccountSku
Here is an example of how to assign a license to all user mailboxes:
# Get the principal names of all user mailboxes
$upn = (Get-Mailbox | where {$_.RecipientTypeDetails -eq 'UserMailbox'}).UserPrincipalName
# Filter out all mailboxes which don't need a license
$users = $upn | %{Get-MsolUser -UserPrincipalName $_} | where {$_.LicenseReconciliationNeeded -eq $true}
# Assign a region to each mailbox (two-letter country code)
$users | %{Get-MsolUser -UserPrincipalName $_.UserPrincipalName} | Set-MsolUser -UsageLocation "<your region>"
# Assign a license to each mailbox
$users | %{Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses "your licence name"}
If you want to convert mailboxes to shared mailboxes, make sure that the property “LicenseReconciliationNeeded” is set to false after the conversion. Otherwise your shared mailbox might be deleted after 30 days. If it is set to true, you must convert the mailbox back to a user mailbox and assign a license temporarily. During the conversion back to a shared mailbox, the license will be unassigned automatically and the property will be set to false.
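One way to check the “LicenseReconciliationNeeded” condition described above across all shared mailboxes at once, as an added example that is not part of the original post. It assumes an Exchange Online PowerShell session plus a connected MSOnline session (`Connect-MsolService`), the same modules the commands above use; the variable names are this example's own.

```powershell
# Added example: assumes an Exchange Online remote session and Connect-MsolService.
# Builds one row per shared mailbox with the two properties that decide
# whether the mailbox is at risk of deletion after the 30-day grace period.
$report = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    ForEach-Object {
        $mailbox = $_
        $user    = Get-MsolUser -UserPrincipalName $mailbox.UserPrincipalName

        [pscustomobject]@{
            UserPrincipalName           = $mailbox.UserPrincipalName
            IsLicensed                  = $user.IsLicensed
            LicenseReconciliationNeeded = $user.LicenseReconciliationNeeded
        }
    }

# Shared mailboxes that still have the flag set need the convert-back,
# license, convert-again cycle described in the paragraph above.
$atRisk = @($report | Where-Object { $_.LicenseReconciliationNeeded -eq $true })

if ($atRisk.Count -gt 0) {
    Write-Warning "$($atRisk.Count) shared mailbox(es) still have LicenseReconciliationNeeded set to true:"
    $atRisk | Format-Table -AutoSize
}
else {
    Write-Output "All $(@($report).Count) shared mailboxes have LicenseReconciliationNeeded set to false."
}
```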
I hope I saved you some trouble with this post and I wish you a smooth migration to Office 365.