Solved

Cutover Migration - DirSync - DNS Changes - Migration Endpoint - Question Please...

Posted on 2014-03-13
6
342 Views
Last Modified: 2016-06-01
So I've come to find that after DirSync is installed and Active Directory Synchronization is enabled on 365 side that the migration batch fails..

So my question is this.. I want to have DirSync enabled and to have my users be able to use their network passwords for 365.. So, I create the migration endpoint and the migration batch choosing cutover migration. It creates all the mailboxes on the 365 side and starts syncing mail..

I then install DirSync on my network and push my AD passwords.. It matches up the users to the mailboxes and life is good..

I then make the DNS changes and there is a time that email will be being delivered to both the on premise sever and the 365 servers depending on the amount of time it takes for DNS to propagate..

 This is fine, if the migration batch was still running fine.. However, after DirSync is enabled it breaks.. But then I want DirSync enabled because I want the users to be able to log in with their network password..

¿Well here's my dilemma.. I want to leave the migration batch running for a few days after the MX record change so it can pull any emails that were sent to the onpremise server from servers that didn't get the updated DNS..

I also want my users to be able to login to their 365 accounts with their AD password..

So if I cant' enable DirSync until after I stop the migration batch, then they can't log in with their AD password..

If I stop the migration batch and enable DirSync then they can log in with their AD password but they may be missing some emails..

Is that right?
0
Comment
Question by:TBIRD2340
6 Comments
 
LVL 38

Expert Comment

by:Vasil Michev (MVP)
Comment Utility
Change the MX on late Friday afternoon, and by Monday everyone should see the updated one. Then you can stop the batch and run dirsync. You can also ask them to check the on-prem mailbox once per day or something like that just to be sure.
0
 
LVL 1

Author Comment

by:TBIRD2340
Comment Utility
My main issue is the password.. I don't want to have them log in with a different password, change it, match it, etc..

But if I can't install DirSync until after I stop the migration batch I don't see a way around this.. If that is the case, what is the best way to handle the passwords?
0
 
LVL 13

Expert Comment

by:Mark Galvin
Comment Utility
Hi

DirSync is for syncing data between on-prem and O365.

For SSO (Single Sign On) you need to make sure you have ADFS in place:
http://technet.microsoft.com/en-us/windowsserver/dd448613.aspx
0
 
LVL 38

Accepted Solution

by:
Adam Brown earned 500 total points
Comment Utility
@pappaslim: Dirsync now supports Password syncing, so ADFS is not necessary. It isn't full SSO, but is instead Same Sign On with that enabled.

Your best bet would probably be to let the migration finish up, then set up Dirsync on your Tenant and get it installed and set up on your domain. Users wouldn't be able to access their email in the cloud until the first sync finishes, but that takes like 5 minutes or less if you have everything ready to go. So switch your MX records on a friday night as mentioned right after the migration completes, but before finalizing it. Wait 24 hours for the final Delta-Sync to occur, then close out the migration. Once the migration is closed out, enable Dirsync in your tenant and install Dirsync on a member server in your domain with password sync enabled. You may need to wait a couple ours for the dirsync change in O365 to apply, but once it is you can configure dirsync with the appropriate credentials and it will do its first sync very quickly. As long as the User Principal Names for your On-prem AD accounts matches the Domain name you use for their sign in accounts in the cloud, those users will be able to log in with their AD password as soon as the first full Dirsync completes.
0
 
LVL 13

Expert Comment

by:Mark Galvin
Comment Utility
@acbrown2010 - sweet, thanks!
0

Featured Post

Wish Marketing would stop bothering you?

Is your marketing department constantly asking for new email signature updates? Are they requesting a different design for every department? Do they need yet another banner added? Don’t let it get you down! There is an easy way to manage all of these requests...

Join & Write a Comment

This article explains in simple steps how to renew expiring Exchange Server Internal Transport Certificate.
Find out what Office 365 Transport Rules are, how they work and their limitations managing Office 365 signatures.
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
This is Part 3 in a 3-part series on Experts Exchange to discuss error handling in VBA code written for Excel. Part 1 of this series discussed basic error handling code using VBA. http://www.experts-exchange.com/videos/1478/Excel-Error-Handlin…

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now