Retrospective AD Federation. Hosted Exchange moving to Exchange Online (365); onsite AD.


We are in the process of planning and investigating a potential move of our email from a hosted Exchange solutions provider to Office 365 (Exchange Online to be specific). Now the hosted Exchange provider has their own AD and therefore our email accounts are not federated with our internal domain Active Directory. Therefore we have separate passwords for our AD and email. Not synced.

Now I have a fair idea of how the migration will go; a cutover batch migration of the users (in our OU on the hosting provider's AD) and their corresponding passwords and mailboxes to Exchange Online. A sync every evening to "top-up" mail received during the day and then a final sync before the switch gets flicked.

Now my question is how do we tie the post-migration accounts that will now sit on Exchange Online with our onsite AD accounts, and is it possible to do it retrospectively in a sensible, user-friendly manner?

Thanks for your insights in advance,

Vasil Michev (MVP) commented:
In any case, the first step will be running Dirsync/AADSync and soft-matching those EO mailboxes against the on-prem accounts. As Cutover cannot work with dirsync, you need to do this after the migration has completed. Here's the soft-match article:

One potential issue that comes to mind is attribute mismatch - might be a good idea to ask the hosting company to do a simple export of all users' attributes to CSV and import them against your local AD. Otherwise, you might end up overwriting the cloud accounts with some attribute value from your local AD, and cause trouble. Once the accounts are soft-matched, you should be able to move to using password sync or AD FS.

The question on how you are going to manage those objects should also be considered. Do you have the local AD schema extended with Exchange attributes?
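As an added example (not part of the thread or of any Microsoft tooling), a PowerShell dry run of the attribute check suggested above: it reads the hosting provider's CSV export and compares each mailbox's UPN and proxy addresses against the on-prem AD account it should soft-match to, so differences are known before directory sync makes on-prem the source of authority. The column names, the domain and the sample rows are assumptions; nothing is written to AD.

```powershell
# Added example, not from the thread. Soft match keys on the primary SMTP address
# (and UPN), so those must agree with on-prem AD before the first sync; otherwise
# on-prem values overwrite the cloud object. Assumes the ActiveDirectory module and
# a provider export with columns UserPrincipalName, PrimarySmtpAddress and
# ProxyAddresses (';'-separated). Domain and rows below are constructed sample data.
Import-Module ActiveDirectory

$providerExport = @"
UserPrincipalName,PrimarySmtpAddress,ProxyAddresses
jdoe@contoso.example,jdoe@contoso.example,SMTP:jdoe@contoso.example;smtp:john.doe@contoso.example
asmith@contoso.example,asmith@contoso.example,SMTP:asmith@contoso.example
"@ | ConvertFrom-Csv

$report = foreach ($row in $providerExport) {
    $primary = $row.PrimarySmtpAddress.ToLower()
    # Locate the on-prem account this mailbox should match: by mail, then by UPN.
    $adUser = Get-ADUser -Filter "mail -eq '$primary' -or userPrincipalName -eq '$($row.UserPrincipalName)'" `
                         -Properties mail, proxyAddresses, userPrincipalName
    if (-not $adUser) {
        [pscustomobject]@{ Cloud = $primary; OnPrem = $null
                           Issue = 'no on-prem account found; mailbox stays cloud-only after sync' }
        continue
    }
    $onPremProxies = @($adUser.proxyAddresses) | ForEach-Object { $_.ToLower() }
    $cloudProxies  = $row.ProxyAddresses.ToLower() -split ';' | Where-Object { $_ }
    $issues = @()
    if ($adUser.userPrincipalName -ne $row.UserPrincipalName) {
        $issues += "UPN differs on-prem: $($adUser.userPrincipalName)"
    }
    # The primary SMTP address is what soft match looks for in on-prem proxyAddresses.
    if ($onPremProxies -notcontains "smtp:$primary") {
        $issues += 'primary SMTP address missing from on-prem proxyAddresses'
    }
    # Cloud aliases absent on-prem are at risk once on-prem becomes authoritative.
    $missing = $cloudProxies | Where-Object { $onPremProxies -notcontains $_ }
    if ($missing) { $issues += "aliases not on-prem: $($missing -join ',')" }
    [pscustomobject]@{ Cloud = $primary; OnPrem = $adUser.SamAccountName; Issue = ($issues -join '; ') }
}

# Review the differences before importing anything into AD or enabling sync.
$report | Where-Object Issue | Format-Table -AutoSize
```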
SimonBrook (Author) commented:

Thanks for the quick response. The local AD schema is not Exchange extended. Surely I could extend the AD by installing a trial of on-premise Exchange in our environment?

Point taken onboard ref the attribute mismatch.

So the way I see it, this is going to be a two-part process.

1. Migrate from the hosting provider to Exchange Online in a very matter-of-fact way and leave the disparate authentication credentials in place a while longer. Users can use the new email solution in much the way they could before.

2. ADFS/Password sync work to tie the O365/On-Prem AD together.

Vasil Michev (MVP) commented:
Yes, you can extend the schema at any time. Usually the management process after the migration is the issue; that's why Microsoft's recommended and supported scenario is to keep an Exchange box on-prem. In your case though, it shouldn't make much difference, as you are already used to managing the recipient objects outside of the local AD. The only thing that will change is the source of authority moving back to on-prem due to dirsync - so dust off that old ADSI Edit/Attribute Editor :)
