Without a doubt, building an Exchange hybrid environment to migrate your Exchange mailboxes to Office 365 is a significant undertaking, and it is made harder when small tasks that nobody planned for stop you moving on to the next step. There are a number of pre-planning tasks you can complete before starting an Office 365 migration that will make the hybrid build smoother and reduce the pressure on your deployment team. So before you jump in to configuring Exchange Server and the other major steps required before you can migrate, consider the following smaller tasks. If you plan to maintain a long-term relationship between Office 365 and your local Active Directory, which is probably a good idea, then you have some work to do in Active Directory to get it ready for synchronizing with Office 365.
- Synchronization Tool or Synchronization Services There are two tools available for synchronizing your Active Directory to Office 365: the Azure Active Directory Synchronization Tool (DirSync) and Azure Active Directory Synchronization Services (AAD Sync). AAD Sync is intended to replace DirSync (both have since been superseded by Azure AD Connect, which carries the AAD Sync feature set forward), so you need to decide which tool you want to use. The deciding factor is usually whether you will eventually want password write-back, so that password changes made in Office 365 are synchronised back to your on-premises Active Directory; AAD Sync supports this and DirSync does not, and why wouldn't you want it? For more details on the comparisons between the different synchronization tools, please see Directory Integration Tools and Should I use DirSync or AAD Sync? Office 365 uses Azure Active Directory (AAD), so when someone refers to synchronizing with Office 365 they actually mean synchronizing with AAD. You'll see both terms used, but they mean the same thing.
- Query-based distribution groups (QBDG) Office 365 doesn't understand your OU structure. By that I mean that users in Office 365 are not organised in OUs; it's a flat structure and there is no concept of OUs. A query-based (dynamic) distribution group is an LDAP filter evaluated by Exchange on premises, usually scoped to an OU, so it is an alien concept to Office 365 and is not synchronized at all. You'll need to replace your QBDGs with normal distribution groups and populate their membership yourself, then keep that membership maintained by whatever process used to be done by the query.
- User Principal Names (UPN) It's best practice for your Active Directory administrators to add one or more UPN suffixes to your Active Directory forest and configure user accounts to use one of them. Often UPNs are configured to match a user's e-mail address so that users have less to remember. The only UPNs that can be used with Office 365 are UPNs that use a valid, publicly registered domain, because you'll need to add that domain to Office 365 and confirm ownership by adding a TXT record to the external DNS zone. For example, if your users log in with a .local domain, their UPNs will have to be changed to a valid domain before you start synchronizing with Office 365. Changing a UPN is harmless to Windows logon (users can still sign in with DOMAIN\username), but check for applications, certificates or third-party services that identify users by UPN before you make the change.
- Blank user information and invalid characters Any accounts (or contacts) that have blank or duplicate values in synchronized fields, specifically first names, surnames, SMTP addresses or account names, won't synchronise to Office 365, and neither will accounts that have invalid characters in those fields. Part of the process for deploying directory synchronization involves running a tool called IdFix. IdFix checks your Active Directory accounts and highlights any potential issues, and it will also help you fix the accounts that have issues preventing them from being synchronized to Office 365.
- OU Structure When you configure directory synchronisation between Active Directory and Office 365 you will want to limit which accounts are synchronized. All you really want to synchronize are the users, groups and contacts that need to exist in Office 365, not service accounts or other objects that have no business being there. This is normally done by choosing to synchronize only specific OUs. If you haven't created an OU structure that separates your user accounts from everything else, now is the time.
- ADFS or Password Sync Most labs for setting up an Exchange hybrid environment include deploying Active Directory Federation Services (ADFS), but do you need ADFS? The short answer is no; it's not a prerequisite for building a hybrid environment. Don't get me wrong, ADFS is nice to have: it keeps authentication on your own domain controllers (Office 365 never sees a password or password hash) and simplifies account management. But you have to deploy a resilient ADFS solution that is externally available, which means at least four servers (two federation servers and two proxies), reconfiguring your firewall and changing your external DNS. If you don't deploy a resilient ADFS solution and it fails, your users won't be able to log in to Office 365. For smaller organisations this is a burden that is hard to justify when password synchronization will suffice. Also consider that AAD Sync allows you to do password write-back to AD (this needs an Azure AD Premium licence), so without deploying ADFS you already have a perfectly reasonable authentication solution. If you aren't sure you can properly deploy a resilient ADFS solution, don't; stick with password synchronization.
- Administration Accounts If you deploy ADFS in your environment, create dedicated administration accounts in the tenant's onmicrosoft.com domain rather than in your federated domain. Why? Simple: if your ADFS solution fails, nobody can log in with an account from a federated domain, including you. It is possible to convert a federated domain back to managed (non-federated) with PowerShell, but that is a domain-wide operation you need to be able to log in to run, so an onmicrosoft.com administrator gives you a back door if all else fails. Protect that account accordingly: a long, unique password stored offline and the login audited, because it bypasses the controls your federated accounts rely on.
- Active Directory and Exchange Environment Clean Up Before you start to deploy the hybrid environment, it's worth cleaning up your Active Directory and Exchange environment. By this I mean removing any dead domain controllers and Exchange servers from Active Directory before you proceed. Many organisations decommission servers, in particular domain controllers, but don't clean up Active Directory afterwards, so the servers still appear in Active Directory Sites and Services, Active Directory Users and Computers or the Exchange Management Console. Check which servers are still referenced and remove any dead ones: for domain controllers the supported route is metadata cleanup (ntdsutil, or deleting the server object in Sites and Services on Windows Server 2008 and later), with ADSIEdit as the last resort. NOTE: this process is a risky business, as you are bypassing the safeguards in the management tools that stop you deleting objects you shouldn't. If you are in doubt, contact someone who knows.
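The query-based distribution group item above describes the replacement in words. The following Exchange Management Shell script is an added example, not part of the original post, that does it for every dynamic distribution group in the organisation: it resolves the current membership of each query and creates a static distribution group with the same members. The "-static" naming convention is an assumption; the new group gets its own alias so the original keeps its SMTP address until you are happy with the result.

```powershell
# Added example: replace each on-premises dynamic (query-based) distribution
# group with a static distribution group carrying the same membership, so that
# the group can be synchronized to Office 365. Run in the Exchange Management Shell.
$dynamicGroups = Get-DynamicDistributionGroup -ResultSize Unlimited

foreach ($ddg in $dynamicGroups) {
    # Evaluate the group's own filter, scoped to its container if it has one,
    # to find who is a member right now.
    $filterParams = @{ RecipientPreviewFilter = $ddg.RecipientFilter; ResultSize = 'Unlimited' }
    if ($ddg.RecipientContainer) { $filterParams.OrganizationalUnit = $ddg.RecipientContainer }
    $members = @(Get-Recipient @filterParams)

    # Create the static replacement under a temporary name (naming is an assumption).
    $newName  = "$($ddg.Name)-static"
    $newAlias = "$($ddg.Alias)-static"
    $static = New-DistributionGroup -Name $newName -Alias $newAlias -Type Distribution

    foreach ($m in $members) {
        Add-DistributionGroupMember -Identity $static.Identity -Member $m.Identity
    }

    Write-Host ("{0}: {1} members copied to {2}" -f $ddg.Name, $members.Count, $newName)
}
```

Once you have checked the membership, remove the dynamic group (Remove-DynamicDistributionGroup) and give the static one the original name and primary SMTP address with Set-DistributionGroup. Remember that nothing keeps the static group up to date any more; a scheduled run of the same Get-Recipient query is the usual substitute.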
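The UPN item above says to add a routable suffix and move users off the .local one. This is an added example, not from the original post, of doing that with the Active Directory module: the suffix is registered at forest level once, and each affected user gets a UPN built from their primary e-mail address where it is already in the routable domain. The domain names, the OU and the $apply switch are assumptions; leave $apply at $false for a dry run that only reports what would change.

```powershell
# Added example: register a routable UPN suffix and rewrite users' UPNs from a
# non-routable one. corp.local, contoso.com and the OU are assumptions.
Import-Module ActiveDirectory

$oldSuffix  = 'corp.local'
$newSuffix  = 'contoso.com'      # must already be verified in Office 365
$searchBase = 'OU=Users,OU=Corp,DC=corp,DC=local'
$apply      = $false             # $false = report only, $true = make the change

# Register the suffix once at forest level; skip if it is already there.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $newSuffix) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ add = $newSuffix }
}

Get-ADUser -Filter "UserPrincipalName -like '*@$oldSuffix'" `
    -SearchBase $searchBase -Properties mail, UserPrincipalName |
ForEach-Object {
    # Prefer the primary e-mail address as the new UPN when it is in the routable
    # domain (so sign-in name and e-mail match); otherwise keep the prefix and
    # swap the suffix.
    $prefix = $_.UserPrincipalName.Split('@')[0]
    $newUpn = if ($_.mail -and $_.mail -like "*@$newSuffix") { $_.mail.ToLower() }
              else { "$prefix@$newSuffix" }

    [pscustomobject]@{
        SamAccountName = $_.SamAccountName
        OldUPN         = $_.UserPrincipalName
        NewUPN         = $newUpn
    }

    if ($apply) {
        Set-ADUser -Identity $_.DistinguishedName -UserPrincipalName $newUpn
    }
} | Format-Table -AutoSize
```

Run it with $apply set to $false first and review the table; a UPN that is not unique across the forest, or an e-mail address in a domain you have not verified, is something to fix by hand before the real run.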
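IdFix is the tool to use for the blank-field, duplicate and invalid-character checks described above, but it helps to know the size of the problem before you run it. The following read-only report is an added example, not part of the original post and not a replacement for IdFix: it flags blank givenName, sn and mail values, UPN prefixes containing characters Office 365 rejects, and SMTP addresses that appear on more than one account. The OU is an assumption, and the allowed-character rule in the regular expression is my reading of the published UPN rules (letters, digits, period, hyphen, underscore and apostrophe, with no leading, trailing or doubled periods).

```powershell
# Added example: read-only audit of the attribute problems that stop directory
# synchronization. Nothing is changed; output is a list of Account/Issue/Value rows.
Import-Module ActiveDirectory

$searchBase = 'OU=Users,OU=Corp,DC=corp,DC=local'   # assumption
$props = 'givenName','sn','mail','proxyAddresses','UserPrincipalName','sAMAccountName'
$users = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $searchBase -Properties $props)

$issues = @(foreach ($u in $users) {
    # Blank values in fields that must be populated to synchronize.
    foreach ($attr in 'givenName','sn','mail') {
        if ([string]::IsNullOrWhiteSpace($u.$attr)) {
            [pscustomobject]@{ Account = $u.sAMAccountName; Issue = "blank $attr"; Value = '' }
        }
    }
    # UPN prefix character rules (assumption based on the published Office 365 rules).
    if ([string]::IsNullOrWhiteSpace($u.UserPrincipalName)) {
        [pscustomobject]@{ Account = $u.sAMAccountName; Issue = 'blank UserPrincipalName'; Value = '' }
    } else {
        $prefix = ($u.UserPrincipalName -split '@')[0]
        if ($prefix -notmatch "^[A-Za-z0-9\.\-_']+$" -or $prefix -match '^\.|\.$|\.\.') {
            [pscustomobject]@{ Account = $u.sAMAccountName; Issue = 'invalid UPN characters'; Value = $u.UserPrincipalName }
        }
    }
})

# Duplicate SMTP addresses across mail and proxyAddresses, compared case-insensitively.
$addresses = @(foreach ($u in $users) {
    if ($u.mail) { [pscustomobject]@{ Account = $u.sAMAccountName; Address = $u.mail.ToLower() } }
    foreach ($pa in $u.proxyAddresses) {
        if ($pa -like 'smtp:*') {   # -like is case-insensitive, so SMTP: and smtp: both match
            [pscustomobject]@{ Account = $u.sAMAccountName; Address = $pa.Substring(5).ToLower() }
        }
    }
})
$dupes = $addresses | Group-Object Address |
    Where-Object { @($_.Group.Account | Select-Object -Unique).Count -gt 1 }
$issues += @(foreach ($d in $dupes) {
    [pscustomobject]@{
        Account = (@($d.Group.Account | Select-Object -Unique) -join ',')
        Issue   = 'duplicate address'
        Value   = $d.Name
    }
})

$issues | Sort-Object Issue, Account | Format-Table -AutoSize
$issues | Export-Csv -Path .\pre-sync-issues.csv -NoTypeInformation
```

Duplicates are the ones to chase first: a duplicate proxy address is usually a long-dead account that still holds an address someone else now needs, and it takes an argument with the account owner rather than a script to resolve.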
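For the administration-accounts item above, the following is an added example (not from the original post) of creating a break-glass Global Administrator in the tenant's onmicrosoft.com domain with the Azure Active Directory module for Windows PowerShell (MSOnline). It first confirms that the domain is managed, so the account cannot be locked out by an ADFS failure. The tenant name, account name and usage location are assumptions.

```powershell
# Added example: create a break-glass administrator in the managed
# onmicrosoft.com domain so you can sign in even when ADFS is down.
# Tenant name, account name and usage location are assumptions.
Import-Module MSOnline
Connect-MsolService                         # prompts for tenant administrator credentials

$tenant = 'contoso.onmicrosoft.com'
$upn    = "breakglass-admin@$tenant"

# The initial onmicrosoft.com domain is always managed; check rather than assume.
$domain = Get-MsolDomain -DomainName $tenant
if ($domain.Authentication -ne 'Managed') {
    throw "$tenant is not a managed domain; a break-glass account here would not help"
}

if (-not (Get-MsolUser -UserPrincipalName $upn -ErrorAction SilentlyContinue)) {
    $user = New-MsolUser -UserPrincipalName $upn `
        -DisplayName 'Break-glass administrator' `
        -FirstName 'Break-glass' -LastName 'Administrator' `
        -ForceChangePassword $false -PasswordNeverExpires $true -UsageLocation 'GB'
    # New-MsolUser shows the generated password exactly once. Record it offline
    # (sealed envelope or a vault that does not depend on Office 365 sign-in).
    Write-Host "Initial password for ${upn}: $($user.Password)"
}

# "Company Administrator" is the MSOnline name for the Global Administrator role.
Add-MsolRoleMember -RoleName 'Company Administrator' -RoleMemberEmailAddress $upn

# Confirm the result: the account must carry the onmicrosoft.com suffix.
Get-MsolRoleMember -RoleObjectId (Get-MsolRole -RoleName 'Company Administrator').ObjectId |
    Where-Object { $_.EmailAddress -eq $upn }
```

Test signing in with the account once, then leave it alone; any use of it should be treated as an incident worth explaining. If ADFS is lost for good, this account is what lets you run Convert-MsolDomainToStandard to move the federated domain back to managed, at which point you will need to set passwords for the affected users.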
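Before touching ADSIEdit for the clean-up item above, it helps to have a list of what Active Directory still thinks exists. The following is an added example, not part of the original post: a read-only inventory of the domain controllers (one NTDS Settings object each under the Sites container) and the Exchange servers registered in the configuration partition, with a DNS and ping check against each. It deletes nothing; servers that neither resolve nor respond are the candidates for metadata clean-up, to be confirmed with whoever owns them.

```powershell
# Added example: list the domain controllers and Exchange servers still
# registered in Active Directory and test whether each one still exists.
# Read-only; removal is a separate, deliberate step.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext

# Domain controllers: every nTDSDSA ("NTDS Settings") object sits under a server
# object whose dNSHostName is the DC's FQDN.
$dcs = @(Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=nTDSDSA)' |
    ForEach-Object {
        $serverDn = $_.DistinguishedName -replace '^CN=NTDS Settings,', ''
        (Get-ADObject -Identity $serverDn -Properties dNSHostName).dNSHostName
    })

# Exchange servers: msExchExchangeServer objects anywhere in the configuration partition.
$exch = @(Get-ADObject -SearchBase $configNC -LDAPFilter '(objectClass=msExchExchangeServer)' |
    ForEach-Object { $_.Name })

$servers = @()
$servers += $dcs  | ForEach-Object { [pscustomobject]@{ Server = $_; Role = 'DC' } }
$servers += $exch | ForEach-Object { [pscustomobject]@{ Server = $_; Role = 'Exchange' } }

$report = foreach ($s in $servers) {
    [pscustomobject]@{
        Server    = $s.Server
        Role      = $s.Role
        Resolves  = [bool](Resolve-DnsName -Name $s.Server -ErrorAction SilentlyContinue)
        Reachable = [bool](Test-Connection -ComputerName $s.Server -Count 1 -Quiet -ErrorAction SilentlyContinue)
    }
}

$report | Sort-Object Role, Server | Format-Table -AutoSize
# Rows where Resolves and Reachable are both False are the stale objects to
# investigate; a server that resolves but does not answer may just have ICMP blocked.
```

Exchange server names in the configuration partition are short (NetBIOS) names, so the DNS check relies on your suffix search list; if a name does not resolve, try the FQDN by hand before declaring it dead.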
The tasks I have highlighted don't form part of a typical hybrid environment deployment, but if you work through them before you start then your deployment should go more smoothly. If you want more information or want help with your Office 365 migration, please get in contact or e-mail me directly.