On Premise Exchange 2013 hybrid merge with Office 365 on separate domain

We have an on premise Exchange 2013 in our domain, and recently acquired a company that uses a hosted Exchange Online (Office 365). The plan is to migrate their users into our domain, and create a hybrid Exchange environment. From what I've read, this would involve using the Hybrid function in Exchange 2013 to add the Office 365 account, being sure to add our domain to Exchange Online as well. The assumption here is that this is the first step in this process, that migrating users from their domain to ours is the next step, and then performing any necessary mailbox migrations.

Is this the proper order for this type of migration/merge? My concern is disconnecting mailboxes and losing users email. We want them to be able to log into our domain, and still maintain access to their email, whether moved to the on premise or still residing on the Exchange online.

I've migrated domains and Exchange environments before, but this one has a slightly more complicated layer to it, especially because I've never used Exchange Online before. Any guidance on this is greatly appreciated!
Jay Dibble Asked:
Adam Brown, Sr Solutions Architect, Commented:
That is definitely a more screwy migration to work with. If they are using DirSync in O365, you will need to do some work to get the user accounts synced back up to O365 once they are moved over to your domain. The trick here will be to migrate the users to your AD, then disable AD Connect on the partner forest. Once this is done, you'll need to go through a "Hard Match" process for each of the accounts that you moved over. A Hard Match requires you to modify the Immutable ID for the O365 objects that were tied to the partner forest so that they match the Immutable ID that would be generated for the accounts in your forest. https://blogs.technet.microsoft.com/praveenkumar/2014/04/11/how-to-do-hard-match-in-dirsync/ covers how to do this. Once the Hard Match process is completed for each of the users moved into your forest, you'll then install Azure AD Connect on your forest. Once the sync runs, it will match up the AD accounts in your forest to the O365 accounts that were created for the original accounts. Note that this will forcibly overwrite any synced attributes from the partner forest with the values in your forest, so you'll want to make sure those attributes are either equal or not necessary for something else. Make sense?
In order to "link" the environments, prior to offloading users to your Exchange, you would need to add and authorize your external domain in their Office 365 deployment. If they have Directory Synchronization in place, that would need to be addressed. Basically, at some point in time those users who are in Office 365 would need identities in your AD. This will require exporting the details of the users and re-creating them in your AD, followed by soft- or hard-matching. However, there's a drawback: you would have to change the users' passwords so that the source of authority will be your AD. You can't copy the password, unless you create a trust between the domains (yours on-prem and theirs on-prem, if it exists) and migrate the users.

If they don't have AD (or don't use AADConnect) you would need to soft/hard match the users. So passwords would need to be reset.

Provide more details if any.
Amit, IT Architect, Commented:
If your final goal is to keep all users on your on-prem Exchange server, I don't see any reason for setting up hybrid in your situation. I might just create new users and mailboxes in the on-prem Exchange environment and then export data from the old mailboxes and merge it into the on-prem Exchange server.

Muhammad Asif, Senior Solutions Architect, Commented:
I agree with Amit: if the ultimate goal is to migrate all users to your on-premises Exchange, you would just need to create their accepted domain and mailboxes in your on-premises Exchange. Once that is done, simply ask the users to export their PST files from Outlook.

Once everything is done from your end, just point the MX and mail records of the domain to your on-premises domain and users will be receiving their emails in your on-premises mailboxes.

They can configure a new Outlook profile and import the PST file which they exported before the migration.
Jay Dibble (Author) Commented:
Hi Everyone,

Thanks for the quick responses! Let me clarify a few things based on your comments:

- We will be keeping a Hybrid solution in place; the majority of users will utilize the on-premise, while management, HR, IT, etc will be using the Exchange online.

- As I just found out yesterday, they had issues with the AD Sync tool, and so they stopped using it. As of right now, it is not in use.

Based on the above, is it recommended to resume use of the AD Sync for this process? As in, does it make things easier/cleaner? Or should we proceed without it?

I've done the PST thing before, but we have over 1000 users now, so importing/exporting PST en mass is not really an option any more.

The idea here is to migrate the majority of users from Exchange online to the on prem, then move a much smaller number of on prem users to online.
OK, answer this: are you able to tolerate handling a password change across those 1000 users? And by handling I mean communicating, one way or another, the new password to those users.
To the best of my knowledge THIS will bear the biggest impact.
Jay Dibble (Author) Commented:
Not particularly; there are a bunch of different ways to bulk reset and force a password change on login. So really, it wouldn't be that big of a deal.
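One way to do the bulk reset the author mentions, written as an added example for this thread rather than anything posted in it. It assumes the ActiveDirectory module, that the migrated accounts sit in one OU (the DN below is an assumption), and that the initial passwords are handed out through a separate channel; the script only writes them to an ACL-restricted CSV for the operator. It defaults to a dry run and only writes to AD with -Commit.

```powershell
# Added example, not from the thread: reset every migrated account in the new
# forest to a unique random password and force a change at next logon.
param(
    [string] $SearchBase = 'OU=Migrated,DC=corp,DC=example',   # assumed OU
    [string] $OutFile    = "$env:USERPROFILE\initial-passwords.csv",
    [switch] $Commit                                           # default: dry run
)

Import-Module ActiveDirectory

function New-RandomPassword {
    param([int] $Length = 16)
    # Cryptographic RNG rather than Get-Random: the initial passwords must not
    # be guessable by someone who knows the script and when it ran.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#$%&*?@'
    $limit    = 256 - (256 % $alphabet.Length)   # reject bytes that would bias the modulus
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf      = New-Object byte[] 1
    $chars    = New-Object System.Collections.Generic.List[char]
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    -join $chars
}

$rows = foreach ($u in Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true') {
    $pw     = New-RandomPassword
    $status = 'dry run'
    if ($Commit) {
        try {
            Set-ADAccountPassword -Identity $u -Reset `
                -NewPassword (ConvertTo-SecureString $pw -AsPlainText -Force)
            # Forces the user to pick their own password on first logon, so the
            # value in the CSV is only ever a one-time bootstrap credential.
            Set-ADUser -Identity $u -ChangePasswordAtLogon $true
            $status = 'reset'
        } catch {
            $status = "failed: $($_.Exception.Message)"   # e.g. domain password policy rejected it
        }
    }
    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        UserPrincipalName = $u.UserPrincipalName
        InitialPassword   = $pw
        Status            = $status
    }
}

# The CSV holds plaintext bootstrap passwords: restrict it to the operator
# immediately and delete it once the passwords have been delivered.
$rows | Export-Csv -NoTypeInformation -Path $OutFile
icacls $OutFile /inheritance:r /grant:r "$($env:USERNAME):F" | Out-Null
$rows | Select-Object SamAccountName, Status | Format-Table -AutoSize
```

Note that -ChangePasswordAtLogon cannot be set on an account flagged PasswordNeverExpires; those accounts show up in the Status column as failed and need handling by hand. The rejection loop in New-RandomPassword matters because 256 is not a multiple of the alphabet length, so a plain modulus would make the first few characters of the alphabet slightly more likely.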
Adam Brown, Sr Solutions Architect, Commented:
If AD sync was used in the past, the remnants of that will remain. Hybrid setup requires AADConnect to function properly, so you will have to change immutable IDs. You won't have to use it in the old forest, but will want it in the new one. Migrate the users to the primary AD forest, then set up hybrid, making sure to change the O365 user immutable IDs first. I would also recommend contracting an experienced consultant to verify the health of each environment and the O365 tenant as well, since you're dealing with a more complex than usual situation.
Exactly the next point I would make, in regard to the user migration.
(The password handling, I suspect, would be much more complex than you think.)
Since I put user experience at the top of every project, providing them with uninterrupted access to email would be the highest priority on my list. You should be looking to consolidate the users from both domains. Once the migration is completed, treat migration to/from Office 365 as any other Hybrid project.

I would start my research with "consolidate domains with Exchange hybrid" topic in search engine.

Here's a good example.
Amit, IT Architect, Commented:
There are tools for exporting data and importing into mailboxes. Look for Quest tools.
Jay Dibble (Author) Commented:
Got it. I agree completely: uninterrupted (or as little interruption as possible) access is paramount.

Concern with consolidating both domains: disconnecting them from Exchange Online. Shouldn't be a problem though, as if I remember correctly the migration simply copies the user (attributes, SID, etc.) into the target domain. As you suggest, I'd then begin the separate project of setting up Hybrid, mapping the users to their Exchange Online mailboxes, then migrating the appropriate users into the on-prem (or vice versa).

The last issue I have is the 'mapping the user to their Exchange online mailboxes'. Adam's initial response provided a link on how to map GUID to immutable ID. The problem is that the scripting looks to be for single account mapping. Considering how many I have to map, I'm trying to figure out the best way to run those scripts for bulk users.

I found this:  https://blogs.perficient.com/microsoft/2015/04/office-365-why-you-need-to-understand-immutableid/
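The bulk version of the hard match Adam describes, written as an added example for this thread (it is not code from the thread or from the linked articles). It assumes the ActiveDirectory and MSOnline modules, that directory synchronization has already been disabled in the tenant so the old objects are "in cloud" and their ImmutableId can be rewritten, and a mapping CSV whose layout is an assumption: a CloudUpn column with the tenant UPN and a NewSamAccountName column with the matching account in the new forest. The DC name is also an assumption. It defaults to a dry run and writes to the tenant only with -Commit.

```powershell
# Added example, not from the thread: set the ImmutableId of each cloud user to
# the value Azure AD Connect will generate for its new-forest account, so the
# first sync matches them instead of creating duplicates.
param(
    [Parameter(Mandatory)] [string] $MappingCsv,
    [string] $NewForestDc = 'dc01.corp.example',   # assumed DC in the new forest
    [switch] $Commit                                 # default: dry run
)

Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService

# With the default objectGUID source anchor, AAD Connect's ImmutableId is the
# Base64 encoding of the GUID's 16 bytes in .NET byte order (Guid.ToByteArray),
# not of the hyphenated string form.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)] [guid] $ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

# Inverse, used to verify what the tenant stored.
function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)] [string] $ImmutableId)
    [guid]::new([Convert]::FromBase64String($ImmutableId))
}

$results = foreach ($row in Import-Csv $MappingCsv) {
    $out = [ordered]@{ CloudUpn = $row.CloudUpn; NewSam = $row.NewSamAccountName; ImmutableId = $null; Status = '' }

    $adUser = Get-ADUser -Server $NewForestDc -Identity $row.NewSamAccountName -ErrorAction SilentlyContinue
    if (-not $adUser) { $out.Status = 'AD account not found'; [pscustomobject]$out; continue }

    $cloudUser = Get-MsolUser -UserPrincipalName $row.CloudUpn -ErrorAction SilentlyContinue
    if (-not $cloudUser) { $out.Status = 'cloud user not found'; [pscustomobject]$out; continue }

    # Refuse to touch an object the tenant still treats as sync-managed; the
    # write would be rejected anyway, and it means DirSync was never disabled.
    if ($cloudUser.LastDirSyncTime) { $out.Status = 'still DirSync-managed; disable sync first'; [pscustomobject]$out; continue }

    $newId = ConvertTo-ImmutableId $adUser.ObjectGUID
    $out.ImmutableId = $newId

    if ($cloudUser.ImmutableId -eq $newId) { $out.Status = 'already matched'; [pscustomobject]$out; continue }

    if ($Commit) {
        Set-MsolUser -UserPrincipalName $row.CloudUpn -ImmutableId $newId
        $stored = (Get-MsolUser -UserPrincipalName $row.CloudUpn).ImmutableId
        $out.Status = if ($stored -eq $newId -and (ConvertFrom-ImmutableId $stored) -eq $adUser.ObjectGUID) {
            'hard match set'
        } else {
            "verify failed (tenant has '$stored')"
        }
    } else {
        $out.Status = "would set (was '$($cloudUser.ImmutableId)')"
    }
    [pscustomobject]$out
}

$results | Format-Table -AutoSize
$results | Export-Csv -NoTypeInformation -Path "hardmatch-$(Get-Date -Format yyyyMMdd-HHmm).csv"
```

Two checks worth running before -Commit: the dry-run CSV should show every row as "would set" or "already matched" rather than "not found", and the UserPrincipalName of each new-forest account should equal the CloudUpn, since AAD Connect will push the on-prem UPN to the matched cloud object on the first sync and a mismatch changes the user's sign-in name. If you later change the source anchor (the linked articles describe using an attribute other than objectGUID), ConvertTo-ImmutableId has to encode that attribute instead.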

Since you bought the other company, their Office 365 tenant became yours. So there are multiple ways you can go on the overall project approach.
Personally, I would check the amount of work involved with two main approaches:
1. Create a trust between the domains, migrate data.
2. Move data on-prem, consolidate, clean up, create hybrid, move data to Office 365.

To understand your options, I would literally and meticulously read all the available information about AADConnect and understand the available options, starting from here.

Consolidating this with an AD trust, along with Exchange resource implementation if required, should cover all the required technical aspects of the project.

Obviously you also have political issues to solve, so it's a long and interesting road ahead.
Good luck.

Jay Dibble (Author) Commented:
Thanks Ronin and Adam - you guys got me on the right track. I think I've got a roadmap now.

Found this, which is a good step by step through linking the accounts using a different anchor for the immutable IDs:


Went through the AAD Connect resources as well, and we should be all set to get this configured. Going to set this up and run through a whole host of tests before actually attempting anything.

Thanks again!