Friday, March 2, 2018

Migration from on-premise Exchange 2010 resource forest to EXO.

We've just finished a year-long project migrating 80,000 mailboxes from our single on-premise Exchange 2010 environment to multiple O365 tenants. The on-premise environment is (was) an Exchange resource forest: users logged into their local authentication (account) domain and, via an AD trust, were granted access to their mailbox hosted with us.

The only difference from this diagram is that the Internet cloud should be read as a WAN cloud: clients could only reach mail with Outlook over the VPN to our data center. I plan to use this space to post each of the scripts I generated for this project.

image source: MS Blog - you had me at ehlo

Outline for migrating from a shared, multi-tenant, on-premise resource forest Exchange environment to individual O365 tenants:

  1. Create the O365 tenant.
  2. Configure the authentication (account) domain.
    1. Upgrade Active Directory to Windows Server 2012 R2 or later.
    2. Install Exchange 2013/2016.
      1. Clean up legacy Exchange properties.
      2. Extend the schema for Exchange.
      3. Install the Exchange software.
      4. Remove the Autodiscover SCP record, so domain-joined Outlook clients do not use it for Autodiscover.
    3. Clean up.
      1. Consolidate OUs (if possible) so that they are easy to manage.
      2. Remove dead accounts.
      3. Clean up mailboxes in Exchange.
      4. Update workstations to the latest Outlook (2013/2016) available through Windows Update. Don't forget the other Office applications.
      5. Public Folders.
  3. Configure ADFS and AAD Connect to the O365 tenant.
  4. Mailbox identity sync.
    1. Export identity information from the resource forest (RF).
    2. Import the identity information into the matching objects in the account forest.
  5. Sync mail-enabled accounts and groups from the account forest to O365.
    1. Review mailboxes for permissions assigned to authentication-domain security groups, and include those groups in the sync.
  6. Migrate mailboxes from the RF to O365.
    1. Create a migration endpoint in O365 pointing at the on-premise Exchange.
    2. Create migration batches/move requests.
    3. Monitor and complete the move requests.
  7. License mailboxes once migrated.
    1. Convert any resource mailboxes that came over as UserMailbox to shared/room/equipment so they don't consume a mailbox license (a shared mailbox still needs one if it exceeds 50 GB or needs an archive or litigation hold).
  8. Create groups and external contacts in the O365 tenant.
  9. Review/fix shared mailbox permissions (security groups).
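Step 4 (mailbox identity sync) is where the move can go quietly wrong, so here is an added example of the two halves of it. This is not one of the post's own scripts: it assumes an Exchange 2010 Management Shell in the resource forest for the export, an Exchange 2013/2016 shell in the account forest for the import, and the CSV path, function names and routing domain tenant.mail.onmicrosoft.com are this example's assumptions. The export pulls, per linked mailbox, the owning account (LinkedMasterAccount), the mailbox GUID, the addresses and the legacyExchangeDN; the import mail-enables the account-forest user as a remote mailbox and stamps those values on it, refusing to touch an object that already carries a different mailbox GUID.

```powershell
# Added example, not the post's own script. Resource-forest export runs in the Exchange 2010
# shell; account-forest import runs in the Exchange 2013/2016 shell. CSV path, function
# names and the routing domain are assumptions.

# ---- Run in the RESOURCE FOREST ----
function Export-RfIdentity {
    param([string]$Path = 'C:\migration\rf-identity.csv')
    # Linked mailboxes are the ones owned by account-forest users (LinkedMasterAccount = DOMAIN\sam).
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails LinkedMailbox |
        Select-Object LinkedMasterAccount, Alias, LegacyExchangeDN,
            @{n = 'ExchangeGuid';       e = { $_.ExchangeGuid.ToString() } },
            @{n = 'PrimarySmtpAddress'; e = { $_.PrimarySmtpAddress.ToString() } },
            # Keep smtp and X500 entries only; X400 and other prefixes are not wanted in the cloud
            @{n = 'EmailAddresses';     e = { ($_.EmailAddresses | Where-Object { $_ -match '^(smtp|x500):' } |
                                               ForEach-Object { $_.ToString() }) -join ';' } } |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

# ---- Run in the ACCOUNT FOREST ----
function Import-RfIdentity {
    param(
        [string]$Path = 'C:\migration\rf-identity.csv',
        [string]$RoutingDomain = 'tenant.mail.onmicrosoft.com',   # assumption: tenant routing domain
        [switch]$WhatIf
    )
    foreach ($r in Import-Csv -Path $Path) {
        $id = $r.LinkedMasterAccount                        # DOMAIN\sam in the account forest
        $existing = Get-RemoteMailbox -Identity $id -ErrorAction SilentlyContinue
        if ($existing) {
            # Never re-stamp an object that already carries a different mailbox GUID: a
            # mismatch here makes the later move request fail or land on the wrong object.
            if ($existing.ExchangeGuid.ToString() -ne $r.ExchangeGuid) {
                Write-Warning "$id already has ExchangeGuid $($existing.ExchangeGuid); skipping"
            }
            continue
        }
        if (-not (Get-User -Identity $id -ErrorAction SilentlyContinue)) {
            Write-Warning "no account-forest user for $id; skipping"
            continue
        }
        # Mail-enable the account-forest user as a remote mailbox...
        Enable-RemoteMailbox -Identity $id -Alias $r.Alias `
            -RemoteRoutingAddress "$($r.Alias)@$RoutingDomain" -WhatIf:$WhatIf | Out-Null
        if ($WhatIf) { continue }
        # ...then stamp the RF mailbox GUID (what EXO matches the move against), the RF
        # addresses (the upper-case SMTP: entry stays primary) and the RF legacyExchangeDN
        # as an X500 address so cached Outlook recipients still resolve after the move.
        $addresses = @($r.EmailAddresses -split ';' | Where-Object { $_ }) + "X500:$($r.LegacyExchangeDN)"
        Set-RemoteMailbox -Identity $id -ExchangeGuid $r.ExchangeGuid `
            -EmailAddressPolicyEnabled $false -EmailAddresses $addresses
    }
}
```

Run Import-RfIdentity -WhatIf first to see which rows would be skipped; the address policy is disabled on each object so the on-premise policy cannot later replace the primary SMTP address that the RF export set.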
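Steps 6 and 7 are the Exchange Online side; the following is an added example of them, not the post's own script. It runs in an Exchange Online PowerShell session and assumes that the RF Exchange 2010 Client Access server is reachable from EXO as mail.rf.example with the MRS proxy enabled on EWS, that the tenant routing domain is tenant.mail.onmicrosoft.com, and that each batch CSV carries one EmailAddress per row; those names are assumptions. Completion is gated on no user in the batch being in a failed state, and the post-move conversion of resource mailboxes only touches objects that are still UserMailbox.

```powershell
# Added example, not the post's own script. Server name, routing domain, CSV layout and
# function names are assumptions.

$RemoteServer = 'mail.rf.example'                 # assumption: RF CAS/EWS FQDN
$TargetDomain = 'tenant.mail.onmicrosoft.com'     # assumption: tenant routing domain

# 6.1 Endpoint: the credential only needs mailbox-move rights in the RF, not Domain Admin.
function New-RfEndpoint {
    param([string]$Name = 'RF-Exchange2010')
    $cred = Get-Credential -Message 'RF migration account'
    New-MigrationEndpoint -ExchangeRemoteMove -Name $Name -RemoteServer $RemoteServer `
        -Credentials $cred -MaxConcurrentMigrations 20 -MaxConcurrentIncrementalSyncs 10
}

# 6.2 Batch: AutoStart syncs the data now; AutoComplete is left off so cutover stays a deliberate step.
function New-RfBatch {
    param([string]$Name, [string]$CsvPath, [string]$Endpoint = 'RF-Exchange2010')
    New-MigrationBatch -Name $Name -SourceEndpoint $Endpoint `
        -CSVData ([System.IO.File]::ReadAllBytes($CsvPath)) `
        -TargetDeliveryDomain $TargetDomain -BadItemLimit 10 -AutoStart
}

# 6.3 Monitor: per-status counts plus the error text of anything that failed.
function Get-RfBatchStatus {
    param([string]$Name)
    Get-MigrationUser -BatchId $Name -ResultSize Unlimited |
        Group-Object Status | Select-Object Name, Count
    Get-MigrationUser -BatchId $Name -Status Failed -ResultSize Unlimited |
        Get-MigrationUserStatistics | Select-Object Identity, Error
}

# 6.3 Complete: refuse the cutover while any user in the batch is still failed.
function Complete-RfBatch {
    param([string]$Name)
    $failed = @(Get-MigrationUser -BatchId $Name -Status Failed -ResultSize Unlimited)
    if ($failed.Count -gt 0) { throw "$($failed.Count) user(s) failed in $Name; fix or remove them first" }
    Complete-MigrationBatch -Identity $Name -Confirm:$false
}

# 7.1 Resource/shared mailboxes that arrived as UserMailbox would each consume a licence.
# $Path: CSV with PrimarySmtpAddress,Type (Shared|Room|Equipment), produced in the RF with
#   Get-Mailbox -RecipientTypeDetails SharedMailbox,RoomMailbox,EquipmentMailbox
# Caveat: a shared mailbox still needs a licence if it exceeds 50 GB or gets an archive or litigation hold.
function Convert-RfResourceMailbox {
    param([string]$Path)
    foreach ($r in Import-Csv -Path $Path) {
        $mbx = Get-Mailbox -Identity $r.PrimarySmtpAddress -ErrorAction SilentlyContinue
        if (-not $mbx) { Write-Warning "$($r.PrimarySmtpAddress) not in EXO yet; skipping"; continue }
        if ("$($mbx.RecipientTypeDetails)" -ne 'UserMailbox') { continue }   # already the right type
        Set-Mailbox -Identity $mbx.Identity -Type $r.Type
    }
}
```

Typical order: New-RfEndpoint once, New-RfBatch per batch, Get-RfBatchStatus until the failed list is empty, Complete-RfBatch, then Convert-RfResourceMailbox before any licences are assigned so the converted mailboxes never pick one up.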


  • 3/14 - extended the outline; added a page for the Identity Sync scripts.
