Hybrid migration from Exchange 2016 to Office 365

Hybrid migration from Exchange 2016 to Office 365 Cloud

High Level Migration Approach
1. Generate Users’ Mailbox usage with PowerShell Script on Exchange 2016 Server to identify which mailbox need to be migrated
2. Add addtional User Principle Name (UPN) – Aventislab.com in AD, and update all users with the new UPN
3. Upgrade Forest & Domain Functional Level to Windows 2008R2 and enable AD Recycle Bin Features
4. Associate FQDN (Aventislab.com) in Office 365
5. Enable Directory Synchronization in Office 365
6. Configure Azure AD Connect to sync users, groups & password from Local AD to Office 365

A. Active Directory Domain Controller

  1. To change users’ UPN from mylab.local to aventislab.com
Import-module ActiveDirectory

#Update UPN for all users
$OU = "OU=MyUsers, DC=Mylab, DC=Local"
$Users = Get-ADUser -SearchBase $OU -Filter * 

foreach ($User in $Users) { 

    $NewUPN = $user.UserPrincipalName.Replace("mylab.local","aventislab.com")
    $user |  Set-ADuser -UserPrincipalName $NewUPN 

}

#Verify All users in $OU are updated with new UPN Name
Get-ADUser -SearchBase $OU -Filter * | Select UserPrincipalName
  1. Verify the exsiting Forest & Domain Functionality Mode
#Check AD Forest & Domain Level
Get-ADDomain | Select-Object domainMode, DistinguishedName 
Get-ADForest | Select-Object forestMode

#Check FSMO Roles 
Get-ADDomain | Select-Object InfrastructureMaster, RIDMaster, PDCEmulator
Get-ADForest | Select-Object DomainNamingMaster, SchemaMaster
  1. Upgrade to Forest & Domain Functionality to Windows 2008R2
#Raise AD Domain & Forest Functional Level to 2008R2 
$ADDomainPDC = Get-ADDomainController -Discover -Service PrimaryDC
$ADForest = Get-ADForest

Set-ADDomainMode -Identity $ADDomainPDC.Domain -Server $ADDomainPDC.HostName[0] -DomainMode Windows2008R2Domain
Set-ADForestMode -Identity $ADForest -Server $ADForest.SchemaMaster -ForestMode Windows2008R2Forest

#Force AD REplication to All DC
cmd /c repladmin /syncall
  1. Enable AD Recycle Bin Feature – Only available in Windows 2008R2 Mode
#Enable AD Recycle Bin Feature
#Run directly on DC or Targeted to DomainNamingMaster
Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Server $ADForest.DomainNamingMaster -target $ADDomainPDC.Domain 

You will get a warning message when you install Azure AD Connect if AD Recycle Bin is NOT enabled. However, if you do not enable it, Azure AD Connect can still be installed successfully.

B. Office 365
1. Prepare a Key & Password file to login to O365 with PowerShell

#First time only
    $KeyFile = "C:\AventisLab\MasterKey.key"
    $PasswordFile = "C:\AventisLab\PW-AventisLab.txt"

    $Key = New-Object Byte[] 32
    [Security.Cryptography.RNGCryptoServiceProvider]::Create().GetBytes($Key)
    $Key | out-file $KeyFile

    #Enter your username & Password when prompt and save the password you enter to $passwordfile
    (get-credential).Password | ConvertFrom-SecureString -key (get-content $KeyFile) | set-content $PasswordFile
  1. Login to O365
$KeyFile = "C:\AventisLab\MasterKey.key"
$PasswordFile = "C:\AventisLab\PW-AventisLab.txt"
$Password = Get-Content $PasswordFile | ConvertTo-SecureString -Key (Get-Content $KeyFile)
$UserName = "admin@M365x333981.onmicrosoft.com" 
$credential = New-Object System.Management.Automation.PsCredential($UserName,$Password)

#Login to Office 365
Connect-MsolService -Credential $Credential

The advantage of using Master Key is that you can just copy the entire folder C:\AventisLab and run it on any computer with Azure AD PowerShell Module installed

  1. You can remove all the provisioned users if you provision the 90 Days O365 tenant from Office 365 DEMO
#To remove all demo account provisioned 
Get-MsolUser | ? UserPrincipalName -NotLike "admin@M365x738125.onmicrosoft.com" | Remove-MsolUser -Force
  1. Add the FQDN Domain, like aventislab.com
#New Domain
$Domain = "Aventislab.com"
New-MsolDomain -Name $Domain
Get-MsolDomainVerificationDNS -DomainName $Domain
<#
CanonicalName : ps.microsoftonline.com
ExtensionData : System.Runtime.Serialization.ExtensionDataObject
Capability    : None
IsOptional    : 
Label         : ms52173542.AventisLab.com - MS=ms52173542
ObjectId      : fe8b277b-6665-477a-82a5-13d12093c912
Ttl           : 3600 #>
  1. Add the TXT record to Public DNS Server, and comfirm the Domain Name once it was published
Confirm-MsolDomain -DomainName $Domain

#Set it as default 
Set-MsolDomain -Name AventisLab.com -IsDefault

get-msoldomain | Select Name, isDefault
<#
Name                        IsDefault
----                        ---------
M365x738125.onmicrosoft.com     False
AventisLab.com                   True #>
  1. Enable Directory Synchronization

\#Enable AAD Sync Get-MsolCompanyInformation | Select-Object DirectorySynchronizationEnabled Set-MsolDirSyncEnabled -EnableDirSync $true

We will continue to install Azure AD Sync, Update Exchange 2016 to latest CU11, and install Hybrid Wizard in my next post

Leave a Comment