How-to migrate Email from Small Business Server 2008/2011 or Exchange Server 2007/2010 to Office 365 with Zero Downtime
Alex Fields
Update: Please refer to this newer article. Some of the details here are very dated: there is no hybrid key anymore, the activation only works on 2016, not 2019, we have minimal hybrid now, etc. A “minimal hybrid” approach is preferred if you are just doing a quick migration of a small org (under 300 users).
If you are coming from Microsoft Exchange Server 2007 or 2010, or from Windows Small Business Server 2008 or 2011, then you will be able to take advantage of a Remote Move, or “Hybrid,” migration. That is excellent news, since it means a very smooth migration experience with no downtime for your Outlook users.
If you do not plan on keeping your Exchange or SBS server around after you finish the migration, no worries. It is supported to migrate off this platform and then remove all legacy Exchange servers from your environment (see the post-migration tasks at the end for the one catch involving directory synchronization).
A Hybrid migration has many benefits—mainly, there is no need to visit each user and reconfigure their Outlook profile—this is handled by Exchange. Additionally, for a large number of mailboxes, you will be able to move users in batches—one department at a time for example, and stage the migration over several days if needed.
The purpose of this article is to help you make your hybrid migration a SUCCESS! Here are the migration steps:
- Prepare for the migration & install Exchange
- Configure Directory Synchronization
- Create the hybrid connection
- Create Remote Move migration batch
- Migrate Public Folder data (if applicable)
- Finalize the migration batch & activate mailboxes
- Complete Office 365 setup & cutover DNS
- Post-migration tasks
Step 1. Prepare for the migration & install Exchange
A. Prepare for the migration
If you haven’t already, go ahead and sign up for an Office 365 account online and verify your domain. Also: so many pitfalls can be avoided by taking the following precautions:
- Have a good backup before making any changes–Active Directory as well as Exchange
- Ensure your source server has the latest service packs / updates
- Run Best Practices Analyzer to identify potential issues with the existing configuration
- Review the steps in advance and communicate the plan to stakeholders / end users
If you do those four things first, you will be able to avoid many issues, and recover in case of unforeseen problems.
B. Install Exchange 2013 or 2016
1. On a new virtual machine, download the latest cumulative update, extract it on the server, and install Exchange 2013 (if coming from Exchange 2007 or SBS 2008) or Exchange 2016 (if coming from Exchange 2010 or SBS 2011; Exchange 2016 cannot coexist with 2007), accepting defaults. Note that you may also need to download and install this prerequisite. Reboot after all installations are completed.
2. Rekey your existing UCC/SAN certificate to include the name “hybrid.company.com” as well as the “autodiscover” and “mail” names. Export it with its private key and import it on the new server so that both servers present the same certificate; protect the PFX file and its password, and delete the export once it has been imported. Make sure your firewall allows TCP 25 and 443 to the hybrid server, and create a public DNS (A) record for “hybrid.company.com” pointing to the new hybrid Exchange server.
3. Update the SCP (the Autodiscover URL that domain-joined Outlook clients find in Active Directory) to autodiscover.company.com, from the Exchange Management Shell on the new server:
$ServerName = "EXCH13"   # hostname of the new hybrid Exchange server
Set-ClientAccessServer -Identity $ServerName -AutoDiscoverServiceInternalURI "https://autodiscover.company.com/Autodiscover/Autodiscover.xml"
4. Set the virtual directories on the new hybrid Exchange server to use “hybrid.company.com,” and enable Basic authentication on the EWS directory (the same cmdlets apply on Exchange 2016):
$ServerName = "EXCH13"
$HybridFQDN = "hybrid.company.com"   # or "mail.company.com" if the hybrid endpoint shares the existing mail namespace; either way it must be a name on the certificate
Get-OWAVirtualDirectory -Server $ServerName | Set-OWAVirtualDirectory -InternalURL "https://$($HybridFQDN)/owa" -ExternalURL "https://$($HybridFQDN)/owa"
Get-ECPVirtualDirectory -Server $ServerName | Set-ECPVirtualDirectory -InternalURL "https://$($HybridFQDN)/ecp" -ExternalURL "https://$($HybridFQDN)/ecp"
Get-OABVirtualDirectory -Server $ServerName | Set-OABVirtualDirectory -InternalURL "https://$($HybridFQDN)/oab" -ExternalURL "https://$($HybridFQDN)/oab"
Get-ActiveSyncVirtualDirectory -Server $ServerName | Set-ActiveSyncVirtualDirectory -InternalURL "https://$($HybridFQDN)/Microsoft-Server-ActiveSync" -ExternalURL "https://$($HybridFQDN)/Microsoft-Server-ActiveSync"
# Basic authentication sends credentials base64-encoded; it is only acceptable here because the EWS directory is served over HTTPS
Get-WebServicesVirtualDirectory -Server $ServerName | Set-WebServicesVirtualDirectory -InternalURL "https://$($HybridFQDN)/EWS/Exchange.asmx" -ExternalURL "https://$($HybridFQDN)/EWS/Exchange.asmx" -BasicAuthentication $true
5. Set Outlook Anywhere to use the “hybrid.company.com” name as well. I use Basic authentication in this example (it works with most firewalls/proxy settings); because Basic sends the credentials base64-encoded, keep both RequireSsl flags set to $true so they only ever travel inside TLS.
Get-OutlookAnywhere -Server $ServerName | Set-OutlookAnywhere -ExternalHostname $HybridFQDN -InternalHostname $HybridFQDN -ExternalClientsRequireSsl $true -InternalClientsRequireSsl $true -DefaultAuthenticationMethod Basic
6. Configure an internal relay SMTP receive connector by navigating to mail flow > receive connectors. Create a new connector on the hybrid server, select Frontend Transport and Custom, and step through the rest of the wizard. Lock it down by source IP address: the remote IP ranges must contain only the addresses that were on the old relay connector (scanners, line-of-business servers), never the default all-addresses range, because an anonymous connector that accepts from everywhere is an open relay. Then edit the connector and make sure the security settings include the Anonymous users permission group. Devices or apps that relay will also need to be updated to point at the new server.
7. Obtain a hybrid license key from Microsoft, and activate the server. This assumes that you have already purchased your Enterprise Office 365 licenses.
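The relay connector from step 6 built with New-ReceiveConnector instead of the EAC wizard, followed by an open-relay audit. This is an added example, not code from the original article; it assumes the hybrid server is EXCH13 and that the only hosts allowed to relay are a scanner and an application server at the constructed addresses 192.0.2.10 and 192.0.2.20.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell.
# Assumptions: hybrid server EXCH13; relay sources 192.0.2.10 and 192.0.2.20 (constructed).
$ServerName   = "EXCH13"
$RelaySources = @("192.0.2.10", "192.0.2.20")   # copy these from the old server's relay connector

# A dedicated Frontend connector on port 25. It can share the binding with the
# default Frontend connector because its RemoteIPRanges is more specific.
$rc = New-ReceiveConnector -Name "Internal relay (devices and apps)" `
        -Server $ServerName `
        -TransportRole FrontendTransport `
        -Usage Custom `
        -Bindings "0.0.0.0:25" `
        -RemoteIPRanges $RelaySources `
        -PermissionGroups AnonymousUsers `
        -AuthMechanism Tls                       # advertises STARTTLS; anonymous, so no credentials

# AnonymousUsers alone only allows submission to internal recipients. Relaying to
# external recipients (scan-to-email going outside) needs this extended right:
$rc | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# Audit: every connector that grants Accept-Any-Recipient to anonymous must have a
# tight RemoteIPRanges. 0.0.0.0-255.255.255.255 on such a connector is an open relay.
function Get-AnonymousRelayConnector {
    param([string]$Server)
    Get-ReceiveConnector -Server $Server | ForEach-Object {
        $conn = $_
        $anonRelay = $conn | Get-ADPermission | Where-Object {
            $_.User -like "*ANONYMOUS LOGON*" -and
            ("$($_.ExtendedRights)" -match 'ms-Exch-SMTP-Accept-Any-Recipient')
        }
        if ($anonRelay) {
            [pscustomobject]@{
                Connector      = $conn.Identity
                RemoteIPRanges = ($conn.RemoteIPRanges | ForEach-Object { "$_" }) -join ", "
                OpenRelay      = [bool]($conn.RemoteIPRanges | Where-Object { "$_" -eq "0.0.0.0-255.255.255.255" })
            }
        }
    }
}

Get-AnonymousRelayConnector -Server $ServerName | Format-Table -AutoSize
```

The wizard's “Secure externally” option is the other way to get the same relay right: it sets the authentication mechanism to ExternalAuthoritative and uses the Exchange servers permission group instead of the Add-ADPermission call above. Either way, the source IP list is the only thing standing between you and an open relay, so run the audit function again after any later connector change.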
Step 2. Configure Directory Synchronization
A Remote Move migration requires that you enable Directory Synchronization. This will sync all of your existing users into Azure Active Directory for your Office 365 tenant. It also means that your users will be able to maintain the same credentials in the cloud as they have on-premises.
A. Set UPN suffix to match the email domain
Before you proceed to install the Azure AD Connect utility, just be sure that your on-premises users have their UPN suffix set to match the email domain name (e.g. company.com instead of company.local). In Active Directory Users & Computers, check the Properties / Account tab on your users:
If you do not see an option for the email domain name, then you might have to add it from Active Directory Domains & Trusts console. Right-click Active Directory Domains and Trusts, and select Properties. Enter your email domain name and click Add. Click OK.
Note: For best results, the naming convention of the user accounts should also match the email addresses (e.g. mjohnson@company.com rather than domain\MJohnson). If this type of change is required in your environment, it may affect how users log on to Windows in the existing domain, so communicate it before you make it.
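A script for the UPN alignment described in this step, as an added example that is not part of the original article. It assumes the verified email domain is company.com, that the primary SMTP address is the proxyAddresses entry with the uppercase "SMTP:" prefix, and that you want each user's UPN to equal that address. It runs in dry-run mode until you set $DryRun to $false.

```powershell
# Added example (not from the original article). Run on a domain-joined machine with RSAT.
# Assumptions: email domain company.com; UPN should equal the primary SMTP address.
Import-Module ActiveDirectory

$MailDomain = "company.com"   # assumption: the domain you verified in Office 365
$DryRun     = $true           # set to $false to apply the changes

# 1. Register the suffix in the forest (same as AD Domains & Trusts > Properties > Add)
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $MailDomain) {
    Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $MailDomain } -WhatIf:$DryRun
}

# 2. Find mail-enabled users whose UPN does not equal their primary SMTP address
$users = Get-ADUser -Filter 'proxyAddresses -like "*"' -Properties proxyAddresses, UserPrincipalName
$report = foreach ($u in $users) {
    # -cmatch: only the uppercase SMTP: entry is the primary address
    $primary = $u.proxyAddresses | Where-Object { $_ -cmatch '^SMTP:' } | Select-Object -First 1
    if (-not $primary) { continue }                     # no primary address: nothing to align
    $primary = $primary -replace '^SMTP:', ''
    if ($primary.Split('@')[1] -ne $MailDomain) { continue }   # different domain: leave alone
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        CurrentUPN     = $u.UserPrincipalName
        TargetUPN      = $primary
        NeedsChange    = ($u.UserPrincipalName -ne $primary)   # -ne is case-insensitive
    }
}

# 3. Review the list, then apply. Users whose UPN already matches are not touched.
$report | Where-Object NeedsChange | Format-Table -AutoSize
foreach ($r in ($report | Where-Object NeedsChange)) {
    Set-ADUser -Identity $r.SamAccountName -UserPrincipalName $r.TargetUPN -WhatIf:$DryRun
}
```

Run it once with $DryRun left at $true and hand the table to the people who will field the help-desk calls: a changed UPN changes what those users type at the Windows logon screen if they sign in with user@domain rather than domain\user.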
B. Install Azure AD Connect
Download and install Azure AD Connect on a member server in your domain (some pre-reqs apply) that you plan on keeping around for a while. I usually just install this on the hybrid server. As you complete the wizard, be sure to select the option for Hybrid Exchange, so that it will export the appropriate attributes to Azure Active Directory. Sync your users and make sure they show up in your portal.
Note: At this point in time, do NOT assign Office 365 / Exchange Online licenses to your users.
Step 3. Create the hybrid connection
A. Run the Hybrid Configuration Wizard
We are ready to run the Hybrid Configuration Wizard. You need to download this tool from Microsoft, and run it on the local hybrid Exchange server. Note that if you are launching a shortcut to the Exchange Administrative Center and configuring the Hybrid connection from there, you should update the shortcut to use the Internet domain name (instead of “https://localhost…”).
- This wizard will ask for your local and remote administrative credentials for your on-premises domain and the Office 365 portal.
- Be sure to select the Deliver Internet-bound messages directly… option, unless for compliance reasons you need to relay all mail through the on-premises server throughout the migration.
- Complete the wizard.
Notes on troubleshooting: In case the Hybrid configuration wizard fails, try the following steps.
- reboot the server
- ensure your patches are up to date
- disable SPAM filters and other 3rd-party security software
- double-check your firewall settings
You may even want to open up the firewall a bit in case it is locked down. For example, instead of using an SMTP proxy rule, where it might be applying some software filtering at the perimeter, you could use an SMTP filtering policy instead (simply allowing traffic through–at least from Microsoft IP’s). If none of that works and you are getting a specific error code, Google it or call MS support.
Step 4: Create Remote Move migration batch
You are ready to begin moving data! First you need to create a migration endpoint. Go to the Exchange admin center in the Office 365 Admin portal. Navigate to recipients > migration and find the ellipsis (…) menu (see screenshot):
Step through the wizard to define your on-premises Exchange server as the migration endpoint. Use the Exchange Remote option since this is a hybrid deployment.
After the endpoint is defined, choose the plus symbol and select Migrate to Exchange Online from the drop down.
Select Remote Move migration and step through the rest of the wizard to select your users and begin moving data.
At this point I let data finish syncing, with the option to finalize/complete the migration batch manually at the time of my choosing.
Step 5: Migrate Public Folder data (if applicable)
For migrating Public Folder data, I find that the easiest method tends to be a quick PST export/import process using an Outlook client. Otherwise, you can try the batch method that Microsoft recommends. The batch migration process is somewhat more complex, and I find PST is often faster/easier to do in a Small Business setting. You will need to manually reset permissions after the PST import.
If you have Public Folders to migrate, you need to create a Public Folder mailbox in Exchange Online. Go to Exchange admin center > public folders > public folder mailboxes.
Step 6. Finalize the migration batch & activate mailboxes
If you were able to use the migration batch successfully, you will need to return to the Exchange admin center in Office 365, and complete it. Go back to recipients > migration. Select your batch(es) and move the status to Complete.
Also, in case you haven’t activated your users’ licenses yet, return to the Office 365 Admin center, bulk-select your Users, and click Edit product licenses to apply the Office 365 / Exchange Online licensing. This will activate the cloud mailboxes.
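The same endpoint, batch, monitoring and completion flow from Steps 4 and 6 driven from PowerShell, as an added example that is not part of the original article. It assumes the ExchangeOnlineManagement module is installed, that the on-premises hybrid server is reachable from Exchange Online as hybrid.company.com, and that the tenant's routing domain is company.mail.onmicrosoft.com (check Accepted Domains in your tenant; the CSV contents are constructed).

```powershell
# Added example (not from the original article). Assumptions: ExchangeOnlineManagement
# module present; endpoint hybrid.company.com; routing domain company.mail.onmicrosoft.com.
Connect-ExchangeOnline -UserPrincipalName admin@company.com

# The endpoint holds the on-premises admin credential that MRS uses through the hybrid server
$OnPremCred = Get-Credential -Message "On-premises Exchange admin (DOMAIN\user)"
$Endpoint = Get-MigrationEndpoint -Identity "Hybrid-OnPrem" -ErrorAction SilentlyContinue
if (-not $Endpoint) {
    $Endpoint = New-MigrationEndpoint -ExchangeRemoteMove -Name "Hybrid-OnPrem" `
                  -RemoteServer "hybrid.company.com" -Credentials $OnPremCred
}

# Constructed sample batch file: a header row, then one primary SMTP address per line
$CsvPath = Join-Path $env:TEMP "Batch1-Sales.csv"
@"
EmailAddress
asmith@company.com
mjohnson@company.com
"@ | Set-Content -Path $CsvPath -Encoding ASCII

# Without -AutoComplete the batch stops at "Synced" and waits for Complete-MigrationBatch,
# which is the "finalize at a time of my choosing" behaviour described in Step 4.
$Batch = New-MigrationBatch -Name "Batch1-Sales" `
           -SourceEndpoint $Endpoint.Identity `
           -TargetDeliveryDomain "company.mail.onmicrosoft.com" `
           -CSVData ([System.IO.File]::ReadAllBytes($CsvPath)) `
           -NotificationEmails "admin@company.com" `
           -AutoStart

# Progress per user, plus the error text for anything that failed
Get-MigrationUser -BatchId $Batch.Identity | Format-Table Identity, Status, StatusSummary
Get-MigrationUser -BatchId $Batch.Identity | Where-Object Status -eq 'Failed' | ForEach-Object {
    Get-MigrationUserStatistics -Identity $_.Identity -IncludeReport | Select-Object Identity, Error
}

# Step 6: complete the batch only when every user is Synced; completion is the
# cutover for those users, after which their Outlook profiles are redirected.
$notReady = Get-MigrationUser -BatchId $Batch.Identity | Where-Object Status -ne 'Synced'
if (-not $notReady) {
    Complete-MigrationBatch -Identity $Batch.Identity
} else {
    "Not completing yet; still waiting on: $($notReady.Identity -join ', ')"
}
```

Completing a batch is the one irreversible step here, so the script refuses to do it while any user is still syncing or failed; fix or remove those users (Remove-MigrationUser) and re-run the check.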
Step 7. Complete the Office 365 Setup & cut-over DNS
As soon as you’ve finalized the migration batch, you are ready to complete the Office 365 setup process you started earlier by verifying your domain. Return to the Office 365 Admin center > Settings > Domains to complete your set up. You will be required to enter additional DNS records with your domain registrar / service provider.
Once you have added the records, simply follow the link at the bottom of this page that says, Okay, I’ve added the records. When the MX change has propagated (allow for the old record’s TTL), mail will no longer be delivered to your on-premises Exchange server, and you are done!
Step 8. Post-migration tasks
As I mentioned, the best part about using a hybrid / remote move migration is that users will not be required to set up a new Outlook profile! They will receive a message similar to: An administrator has made a change that requires you to close and reopen Outlook. Upon doing this, they will be prompted for credentials. They should enter their email address as the username along with their password, and choose to remember the password. That’s it! So. Much. Better.
A. Reconfigure mobile devices
However, users will still be required to reconfigure their mobile devices. In most cases, this just involves removing and then re-adding the Email account. Assuming you have autodiscover configured properly, this should be pretty straightforward.
If you have to enter manual settings, you would use outlook.office365.com for the server name, and re-enter the email address again if asked to provide a domain\username.
B. Adjust SPF record for SMTP relay (optional)
If you want to continue using your local Exchange server for SMTP relay (scan to email, line of business apps that send email, etc.), then that is completely supported, however just be sure your SPF record includes both the local external IP, as well as Office 365, like this:
v=spf1 ip4:[ExternalIPAddress] include:spf.protection.outlook.com -all
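A check for the DNS cutover from Step 7 and the SPF record from Step 8B, as an added example that is not part of the original article. It assumes the domain is company.com and that the relay server's external address is 203.0.113.5 (a constructed address); the sample SPF strings are constructed so the parser can be exercised without DNS access.

```powershell
# Added example (not from the original article). Assumptions: domain company.com,
# relay external IP 203.0.113.5 (constructed).

function Test-SpfRecord {
    # Parse one SPF TXT string and report the things that go wrong after a hybrid cutover.
    param([string]$Record, [string]$RelayIP)
    $terms = $Record.Trim() -split '\s+'
    # Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 or the record is a permerror
    $lookups = @($terms | Where-Object {
        $_ -match '^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)' -or $_ -match '^redirect='
    }).Count
    [pscustomobject]@{
        Record        = $Record
        ValidVersion  = ($terms[0] -eq 'v=spf1')
        HasO365       = ($terms -contains 'include:spf.protection.outlook.com')
        HasRelayIP    = ($terms -contains "ip4:$RelayIP")
        HardFail      = ($terms[-1] -eq '-all')          # ~all lets spoofed mail through as "soft"
        DnsLookups    = $lookups
        UnderLimit    = ($lookups -le 10)
    }
}

function Test-O365Cutover {
    # Live check of the public records Office 365 asks for in Step 7.
    param([string]$Domain, [string]$RelayIP)
    $mx  = Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue
    $ad  = Resolve-DnsName -Name "autodiscover.$Domain" -Type CNAME -ErrorAction SilentlyContinue
    $spf = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue |
             ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' }
    [pscustomobject]@{
        Domain              = $Domain
        MxTargets           = ($mx.NameExchange -join ', ')
        MxPointsToEOP       = [bool]($mx | Where-Object { $_.NameExchange -like '*.mail.protection.outlook.com' })
        AutodiscoverTarget  = $ad.NameHost
        AutodiscoverToO365  = ($ad.NameHost -eq 'autodiscover.outlook.com')
        Spf                 = if ($spf) { Test-SpfRecord -Record ($spf | Select-Object -First 1) -RelayIP $RelayIP } else { $null }
    }
}

# Offline checks on constructed records: the one from the article, and a common bad one
Test-SpfRecord -Record "v=spf1 ip4:203.0.113.5 include:spf.protection.outlook.com -all" -RelayIP 203.0.113.5
Test-SpfRecord -Record "v=spf1 include:spf.protection.outlook.com ~all" -RelayIP 203.0.113.5   # relay missing, soft fail

# Live check once the registrar change has propagated
Test-O365Cutover -Domain "company.com" -RelayIP "203.0.113.5" | Format-List
```

The second constructed record is the shape that causes scan-to-email to land in quarantine after cutover: the relay's IP is absent, and ~all means receivers treat the mismatch as a suggestion rather than a rejection.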
C. Remove Exchange (optional)
Otherwise, if you plan to remove your legacy Exchange server now that the migration is completed, you have an additional procedure to follow, which involves moving the SMTP relay service and temporarily disabling Directory Synchronization during the Exchange uninstall process. One caveat before you decide: as long as Azure AD Connect keeps syncing your users, mail attributes on those users are read-only in Exchange Online, and Microsoft’s guidance is to keep an on-premises Exchange server (or at least the Exchange management tools) around to edit them, so plan where recipient management will happen before you uninstall.
If you made it this far, congratulations on the migration! Don’t forget to keep improving–explore what else is new in Office 365. Maybe you will want to configure Mobile Device Management (MDM), Multi-factor authentication (MFA), or turn on Email encryption with Azure Rights Management (RMS). Or check out other add-on features such as Advanced Threat Protection (ATP) to help with emerging / zero day threats.
All of these technologies would have likely represented separate third-party products / investments in the past. Now you can leverage the power of the Microsoft Cloud to easily & cost-effectively deliver them from one place to your end users. How about that?