365 Email Migration Question

Zane Donaldson 1 Reputation point
2022-12-29T16:05:31.667+00:00

I have a somewhat convoluted email migration issue, will try to explain as best I can.

In the past, I attempted to use a third-party migration software to move our mailboxes from on-prem Exchange to 365. Accounts were already being synced to 365 and were licensed, which means they had mailboxes prior to migration. The migration software simply moved the contents of the mailbox. This obviously caused issues: the 365 mailboxes were not able to be managed on either side. On-prem didn't know the mailboxes existed so couldn't manage them. 365 thought they were managed on-prem. The solution was to turn off Azure AD Connect and break the connection, which enabled mailbox management in the 365 interface. This worked for us, because we are small and rarely hire or fire.

We are now trying to come up with a way to re-enable syncing. The thought process being, Exchange has now been completely retired, which I'm hoping has removed the on-premises AD attribute that indicates and forces on-prem management. If this is true, I should be able to reinstall Azure AD Connect at this point, map the on-prem user accounts to existing 365 accounts, and enable syncing without messing up mailbox management.

Any thoughts on this process? Concerns? What am I missing?


1 answer

  1. Michael Durkan 12,241 Reputation points MVP
    2023-01-05T20:02:20.52+00:00

    Hi @Zane Donaldson

    I'm going to preface my answer by saying I'm looking at this at a very high level as I don't have a deep understanding of your environment.

    @Yuki Sun-MSFT is correct in saying that removing Exchange does not remove the attributes from AD DS. The article here should help you if you need to check and remove all Exchange attributes and settings from Active Directory:

    https://www.alitajran.com/how-to-remove-exchange-from-active-directory/

    I'm assuming that you want to re-enable sync purely from a User Management and Security perspective so that users don't have 2 separate passwords, which also creates double the management overhead. It really depends on the changes you've made in the Cloud, but you could in theory re-enable Azure AD Connect and only specify a test OU to see if the following will work:

    • Soft matching of your users
    • Password sync when changed on AD DS
    • Will it break any of your cloud changes globally or will it only affect the synced users? It really depends on what your changes are and how business critical they are.

    The other way I would look at it is this: you have said you are a small business, so with that in mind, how large is your on-premises footprint? Do you have specific LOB Applications that require AD DS, or could these Apps support Azure AD identity and authentication? Is there a possibility to move to a full cloud model where you could do the following:

    • Onboard all user devices to Azure AD Joined
    • Keep your files and data in SharePoint/OneDrive
    • Move to a Cloud Print solution
    • Move your LOB Apps to either Azure VMs or dedicated App Services?

    Not sure if this is an option for you, but could be worth considering?

    Hope this helps,

    Thanks

    Michael Durkan

    • If the reply was helpful please upvote and/or accept as answer as this helps others in the community with similar questions. Thanks!
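As an added pre-check that is not part of Michael's answer or the thread: before pointing Azure AD Connect at the pilot OU he suggests, this PowerShell script (assuming the RSAT ActiveDirectory module is installed, and using a placeholder OU path and output file) inventories which on-prem users still carry Exchange-stamped attributes and shows the UPN and primary SMTP values that soft matching compares against the existing cloud objects.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory (RSAT) module;
# the OU path and CSV path below are placeholders to replace with your own.
Import-Module ActiveDirectory

$TestOu = 'OU=SyncPilot,DC=example,DC=local'   # placeholder: your pilot OU

# Exchange-stamped attributes that an Exchange uninstall leaves behind in AD DS.
# If Azure AD Connect syncs them, Exchange Online treats the recipient as
# on-prem managed again, which is the original problem described in the question.
$ExchangeAttrs = @(
    'msExchMailboxGuid',
    'msExchRecipientTypeDetails',
    'msExchRecipientDisplayType',
    'msExchRemoteRecipientType',
    'msExchHomeServerName',
    'legacyExchangeDN'
)

$props = $ExchangeAttrs + @('mail', 'proxyAddresses', 'userPrincipalName')
$users = Get-ADUser -Filter * -SearchBase $TestOu -Properties $props

$report = foreach ($u in $users) {
    # Which of the Exchange attributes are still populated on this user
    $stamped = $ExchangeAttrs | Where-Object { $null -ne $u.$_ }

    # Primary SMTP is the upper-case "SMTP:" entry in proxyAddresses
    $primarySmtp = ($u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' }) -replace '^SMTP:'

    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        UserPrincipalName = $u.UserPrincipalName
        PrimarySmtp       = $primarySmtp
        # Soft matching keys off UPN / primary SMTP; a mismatch with the cloud
        # object means the sync may create a duplicate instead of matching.
        UpnMatchesSmtp    = ($primarySmtp -eq $u.UserPrincipalName)
        ExchangeAttrsSet  = ($stamped -join ',')
    }
}

$report | Format-Table -AutoSize

# Users with a non-empty ExchangeAttrsSet still carry Exchange stamps and should
# be cleaned per the linked article before the pilot OU is added to the sync scope.
$report | Where-Object { $_.ExchangeAttrsSet } |
    Export-Csv -Path '.\exchange-attribute-residue.csv' -NoTypeInformation
```

Run it against the pilot OU first; an empty CSV plus UpnMatchesSmtp = True for every pilot user is what you want to see before enabling the sync.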
