C Emmons
Can I have One on-premise domain and Two Office 365 Tenants

I've heard two Tenants and one on-premise domain isn't supported, but when I read this article it seems to suggest it is...

We currently have two on-premise domains and two Tenants.  We are beginning to use AD for all authentication and having two on-premise domains has been problematic.  We will be merging our two domains into one domain.  We have no reason to merge the Tenants.  We have talked to a contractor and they suggest it would take up to two weeks for users to have their 'old' mail back if we merge Tenants.

Can we not just sync with ADConnect by OU to the appropriate Tenant - each with its own ADConnect server -- we already have the two servers?  ADConnect seems to be a very capable tool.  The two domains would have to remain separate - even if we put both in one Tenant -- the email addresses are different, and also the Federation methods. Why can't I essentially use the two ADConnect configurations I currently use -- with just minor adjustments for domain name?

People not having their old email and calendar appointments for up to two weeks - is not a good plan.  This doesn't necessarily consider what 'might go wrong'.

Thanks
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-topologies

Multiple Tenants Section

"There's a 1:1 relationship between an Azure AD Connect sync server and an Azure AD tenant. For each Azure AD tenant, you need one Azure AD Connect sync server installation. The Azure AD tenant instances are isolated by design. That is, users in one tenant can't see users in the other tenant. If you want this separation, this is a supported configuration. Otherwise, you should use the single Azure AD tenant model.
In this topology, one Azure AD Connect sync server is connected to each Azure AD tenant. The Azure AD Connect sync servers must be configured for filtering so that each has a mutually exclusive set of objects to operate on. You can, for example, scope each server to a particular domain or organizational unit."
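The Microsoft passage quoted above makes the mutually exclusive filtering the load-bearing requirement for the two-server, two-tenant topology. The following PowerShell is an added example (not from this thread, the asker, or Microsoft) that checks whether two OU scopes overlap, including the case where an OU given to one server sits underneath an OU given to the other. The OU distinguished names are constructed; substitute the OUs selected in each server's Domain and OU filtering settings.

```powershell
# Added example (not from the thread): check that the OU scopes given to two
# Azure AD Connect servers are mutually exclusive, as the Microsoft topology
# document quoted above requires. OU distinguished names below are constructed.

function Test-OuContains {
    # True when $Child is $Parent itself or sits anywhere beneath it in the tree.
    param([string]$Parent, [string]$Child)
    $p = $Parent.ToLowerInvariant()
    $c = $Child.ToLowerInvariant()
    return ($c -eq $p) -or $c.EndsWith(",$p")
}

function Get-OuScopeOverlap {
    # Returns every pair (one OU from each server) where one OU contains the other.
    param([string[]]$ServerA, [string[]]$ServerB)
    foreach ($a in $ServerA) {
        foreach ($b in $ServerB) {
            if ((Test-OuContains -Parent $a -Child $b) -or (Test-OuContains -Parent $b -Child $a)) {
                [pscustomobject]@{ ServerA = $a; ServerB = $b }
            }
        }
    }
}

# Constructed scopes: server 1 syncs to tenant 1, server 2 syncs to tenant 2.
$tenant1Ous = @(
    'OU=Domain1Users,DC=corp,DC=example',
    'OU=Domain1Groups,DC=corp,DC=example'
)
$tenant2Ous = @(
    'OU=Domain2Users,DC=corp,DC=example',
    'OU=Shared,OU=Domain1Users,DC=corp,DC=example'   # deliberately nested under a tenant-1 OU
)

$overlap = @(Get-OuScopeOverlap -ServerA $tenant1Ous -ServerB $tenant2Ous)
if ($overlap.Count -eq 0) {
    Write-Output 'OU scopes are mutually exclusive; each object can reach only one tenant.'
} else {
    Write-Output 'Overlapping OU scopes (an object here would be in scope for both tenants):'
    $overlap | Format-Table -AutoSize
}
```

The check is deliberately conservative: a nested OU is reported as an overlap even if no objects currently live in it, because objects created there later would be picked up by both servers. Run it again whenever the OU filter on either server is changed.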
ASKER CERTIFIED SOLUTION
Jeremy Weisinger
C Emmons (ASKER)

We need to move Tenant 1 with associated domain1 to Tenant 2 with associated domain2.  Contractor says domain1 has to be removed from Tenant 1 before it can be created in Tenant 2 -- it can't be in two Tenants at once -- that begins loss of access to old emails.  Then the copy will begin of 4000 users - estimated 7 to 14 days?

What do you base your comment - that it should be supported - on?  I keep being told it isn't -- although I very much want it to be -- the article isn't totally clear on 'one domain with multiple tenants' - but it seems to imply that by the way I read it.
Jeremy Weisinger

You need multiple sync servers but it should be supported to have multiple tenants.

But for the migration, the domain association is a pain. I would say that doing a double migration from Exchange Online --> On-Prem (or hosted) Exchange --> Exchange Online is the only way to avoid downtime.
How does that avoid downtime -- would you use Mailbox Move and run Hybrid?  Could you elaborate?  Thanks.
Oh, is that the question? It really depends on your environment. If you have more than 150 users then probably hybrid is the way to go.

1. Set up hybrid with the tenant you want to decom
2. Move mailboxes to on-prem
3. Remove hybrid
4. Decom tenant
5. Add domain to the other tenant when available
6. Set up hybrid with that tenant
7. Remove (or keep) the hybrid setup.
No, the big question is can I just have two Tenants - moving 4000 mailboxes back on-premise and then back to a different Tenant sounds just dreamy :(.   However, that is an interesting option and a possibility to consider.  If two Tenants - one domain isn't supported - then the only other option is between Tenants with days of downtime and whatever problems come with cross-Tenant data moves.  Have you moved data between Tenants before by chance -- does that work well - any ideas of speed of data transfer?
I am not sure how there can be downtime of 7 to 14 days; it would just be the duration to remove the domain from one tenant and add it to another, which could be done over the weekend with good planning. The rest is just updating the recipient policy and updating the primary SMTP.

You can plan for mail flow in advance.

As far as the mailbox is concerned, aren't you using Outlook? Set up the new mailbox as an additional mailbox in Outlook; both profiles would be there in Outlook. As the mailbox data will still be there for users in the existing Outlook profile, they shouldn't miss anything. Furthermore, you can use 3rd party tools where you can pre-stage the data 30 to 60 days in advance.
Sunil,  I'd wondered about pre-staging data but I'm perplexed about 'where' you'd pre-stage 'to'?  I'm 'moving' the data -- I can't create the domain in the new Tenant because it already exists in the 'old' Tenant.  If I delete the domain in the 'old' Tenant - in order to create it in the 'new' Tenant -- it results in users' mailboxes being in the new Tenant (empty) and the data still being in the 'old' Tenant.  This is the downtime for old data issue.  If I could pre-stage to a temporary domain in the 'new' Tenant and then rename the domain - when the domain was available (after being deleted from the 'old' Tenant) that would work -- but I'm not sure you can rename a domain?
Let me explain the scenario in detail.

Primary tenant abc.com
Secondary tenant xyz.com

Requirement: Merge both into one, keeping the mailboxes with their separate email addresses.

Steps:

1) - Create mailboxes for all the users in xyz.com in the abc.com tenant.
2) - Use a 3rd party tool (cloud migrator, MigrationWiz or whatever suits you) to pre-stage the data in advance in the new mailbox.
 2a) - Users already have all the data in their Outlook; instruct them to set up the new Outlook profile, and if they need any email older than 60 days they can get it from the existing Outlook profile until all the data is migrated.

3) - On the cutover day, send the last and final email notification to users' old mail with instructions, and then place forwarding on the xyz.com mailboxes to their corresponding abc.com mailboxes.
4) - Remove xyz.com from the tenant; involve Microsoft support to make sure it's completely removed.
5) - Register the domain with abc.com, get the required DNS records set up.
6) - Configure the accepted domain and mail policy, add the xyz.com email address to all the mailboxes and make it primary.
7) - Test the mail flow, in and out; if you are using any 3rd party product for mail gateway make sure outbound mail works when sending as xyz.com.
8) - You can switch the MX later on or the same day to EOP or to the 3rd party gateway if any.
9) -
I have a couple of questions though.  How can I pre-stage if the domain can't be created in the new Tenant?  The domain name will remain the same -- I can't add the domain to the new Tenant without removing it from the old Tenant -- which breaks mail.  Concerning Outlook cache -- will the cache not sync and be emptied as soon as it connects to the new mailbox in the same domain on the new tenant - since the domain/email will remain exactly the same?  If I can't pre-stage -- the mailboxes will be empty of old mail for days.
From your comments, I feel your experience with Office 365 and mail support is limited, and migration of 3k mailboxes is a big project you should not sign up for alone; I would suggest a team of experts should be involved.

Further, to answer your questions:

You don't need to set up the domain before setting up the mailbox; set up the mailbox with the existing domain email address. The email address can be updated later on when you register the domain with that tenant.

Outlook has options to set up an additional mailbox, which keeps the old profile intact and gives access to both mailboxes at the same time.

3rd party tools give you capabilities to sync; you would need to review a couple of them to see what best suits you.
Actually, we are hiring a team of experts.  They are the ones that say that you have to remove the domain from one tenant before adding it to the other, and spoke of up to 14 days downtime for older mail.  That's why I'm asking questions on forums -- because I'm hoping there is a way to pre-stage.  When you say set up with 'existing email address' -- I assume you mean the default Tenant address -- only Tenant and verified domain addresses would seem to be available?  If I understand then, you are saying I can copy to username@tenantaddress.com for all users, and then come back at go-live and update the primary SMTP address and add the 'real' domain - username@realdomain.com for each of those.  What I'm not clear on is what the domain representation technically means in O365 -- if it makes sense, what 'puts' these moved users with updated primary SMTP address in the 'moved/real' domain when I create it after the fact of the copy.  What are the ramifications, if any?
you have to remove the domain from one tenant before adding to the others,

Yes, set up the mailbox in advance as @tenantaddress.com, and update to @realdomain.com.

and spoke of up to 14 days downtime for older mail.

Please reconfirm the same; this might probably mean data transfer time.


because I'm hoping there is a way to pre-stage.

Yes, that can be done; as the migration is being done using the EWS tool, you choose what to migrate first and how much etc. Review the MigrationWiz tool, I gave the link in the post above.

When you say setup with 'existing email address' -- I assume you mean the default Tenant address -- only Tenant and verified domain addresses would seem to be available?

YES

If I understand then, you are saying I can copy to the username@tenantaddress.com for all users, and then come back at go-live and update the primary SMTP address and add the 'real' domain - username@realdomain.com for each of those.  

yes

What I'm not clear on is what the domain representation technically means in O365 -- if it makes sense, what 'puts' these moved users with updated primary SMTP address in the 'moved/real' domain when I create it after the fact of the copy.  What are ramifications if any?

Once your domain is registered to the new Tenant, you can go back to your local AD and update the primary SMTP address for these objects and have AAD sync the primary SMTP address. The only ramifications are user education regarding the process and impact, setting up their new profile etc.
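The step described above (stage mailboxes under the tenant address, then flip the primary SMTP address in on-premises AD once the real domain is verified in the new tenant) comes down to rewriting the proxyAddresses attribute correctly: exactly one upper-case `SMTP:` entry, the old primary demoted to a lower-case `smtp:` alias so old mail keeps flowing, and non-SMTP entries left alone. The PowerShell below is an added example, not code from anyone in this thread; the user name, addresses and X500 entry are constructed, and it assumes the ActiveDirectory module for the commented apply step.

```powershell
# Added example (not from the thread): after the real domain has been verified
# in the new tenant, rewrite a user's on-premises proxyAddresses so the
# real-domain address becomes primary (upper-case SMTP:) and the staging
# tenant address is kept as a secondary alias (lower-case smtp:). Azure AD
# Connect then syncs the change. Names and addresses below are constructed.

function Set-PrimarySmtpInList {
    param(
        [string[]]$ProxyAddresses,   # current proxyAddresses values
        [string]$NewPrimary          # e.g. 'jdoe@realdomain.com'
    )
    $result = foreach ($addr in $ProxyAddresses) {
        # -match is case-insensitive, so this catches the current 'SMTP:' primary
        # as well as existing 'smtp:' aliases and rewrites all of them as aliases.
        if ($addr -match '^smtp:(.+)$') {
            'smtp:' + $Matches[1]
        } else {
            $addr          # keep X500:, SIP:, etc. untouched
        }
    }
    # Drop any existing alias copy of the new primary, then add it once as primary.
    $result = @($result | Where-Object { $_ -ine "smtp:$NewPrimary" })
    return @("SMTP:$NewPrimary") + $result
}

# Constructed input: what a pre-staged user looks like before cutover.
$current = @(
    'SMTP:jdoe@tenantaddress.onmicrosoft.com',
    'smtp:jdoe@realdomain.com',     # present if the alias was stamped earlier; may be absent
    'X500:/o=ExchangeLabs/ou=Exchange Administrative Group (CONSTRUCTED)/cn=Recipients/cn=constructed'
)
$updated = Set-PrimarySmtpInList -ProxyAddresses $current -NewPrimary 'jdoe@realdomain.com'
$updated

# Apply to the on-premises object (ActiveDirectory module). -WhatIf shows the
# change without writing it; remove it once the output has been verified.
# Import-Module ActiveDirectory
# $user = Get-ADUser -Identity jdoe -Properties proxyAddresses, mail
# $new  = Set-PrimarySmtpInList -ProxyAddresses $user.proxyAddresses -NewPrimary 'jdoe@realdomain.com'
# Set-ADUser -Identity $user -Replace @{ proxyAddresses = $new; mail = 'jdoe@realdomain.com' } -WhatIf
```

Two cautions a practitioner would apply here: if Exchange is still running on-premises (for example during the hybrid steps discussed earlier), make the change through Exchange's own address management rather than editing proxyAddresses directly, so the email address policy does not overwrite it; and run the change on a pilot group with `-WhatIf` first, since a second `SMTP:` entry or a typo in the domain will be rejected at sync time for every user it touches.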
This is all a lot of good information - but I've deviated a little from my original question.  Is it supported to have one on-premise domain - with two ADConnect servers - and sync two separate sets of OUs to two different Tenants?  I understand one object can only be synced to one or the other Tenant.  Does anyone have any official documentation -- I'm trying to officially document.   I just need to know so that we can make an informed decision -- we could delay merging if it's not absolutely required for some reason -- we don't have a 'need' for merged Tenants ... just merged on-premise domains.  The way it works now -- two ADConnect servers syncing separate sets of OUs - works great for us. Are we forced to merge Tenants?
In the link you posted it does say that, while not recommended, single domain/multi tenant is supported.
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-topologies#multiple-azure-ad-tenants

This is official Microsoft documentation so I think it covers it in my mind.
Microsoft also confirmed -- two tenants are supported from one on-premise domain -- as long as you have two ADConnect servers syncing and each tenant's objects are synced appropriately, once, to their tenant.