Office 365 Offboarding: Reverse Hybrid Migration to Exchange 2016 On-premisesAlex Fields
Why would anyone want to off-board mailboxes from Office 365 to Exchange On-premises? Isn’t that a bit like moving backwards? Well, I tend to think so, yes–at least in the SMB. But what happens when a mid or larger-sized enterprise organization eats a smaller-sized business through acquisition?
In this scenario, it is not uncommon for IT at the “adoptive parent” organization to be running their own flavor of Exchange on-premises already–such as Exchange 2013 or Exchange 2016. If so, Microsoft has a great migration path available to bring the acquired/adopted Office 365 mailboxes back down to this environment.
Yes, you could just do a PST export/import and cut-over DNS records the sloppy way–and that might be just fine, particularly if the number of users is very low. But there is a better way allowing administrators to take a more careful, staged approach.
If you are familiar with the “hybrid” or “remote move” migration for on-boarding mailboxes, you will be glad to hear that the same is possible in reverse–you can also offboard using the same technique! Here are my notes from having done one myself recently.
Step 1: Prepare the environment
A. Add the Exchange Online IP’s to the exceptions list in your parent organization’s firewall, explicitly allowing traffic from these IP’s on port 25 inbound to the local Exchange server.
B. Add the external IP address(es) of the parent organization to the SPF record on the child organization’s domain. E.g.:
v=spf1 ip4:xx.xx.xx.xx include:spf.protection.outlook.com -all
C. In the parent organization’s Active Directory Domains & Trusts console, add the alternative UPN suffix for the child org’s domain name.
D. Add a new remote domain name to Exchange on-premises in the parent organization, which will eventually be used by the hybrid connection. E.g. TenantName.mail.onmicrosoft.com:
New-RemoteDomain -Name “Hybrid Domain – TenantName.mail.onmicrosoft.com” -DomainName “TenantName.mail.onmicrosoft.com”
Set-RemoteDomain -TargetDeliveryDomain:$true -Identity “Hybrid Domain – TenantName.mail.onmicrosoft.com”
E. You will also need to ensure that your on-premises Exchange server has the child organization’s domain added to the accepted domains list. EAC > mail flow > accepted domains. This will temporarily interrupt mail flow between the on-premises parent organization and the Office 365 tenant / child organization.
Step 2: Export & Import users, contacts and distribution groups
If you want to see a really cool set of scripts that will allow you to export and then import the accounts from Office 365 into the local Active Directory, see this series of articles from Exchange MVP Steve Goodman.
If you choose to manually create your users, etc. in advance in the on-premises directory, I recommend doing so in a separate OU (it will be necessary to select this OU when syncing with Azure AD Connect later on). Some key pieces of information here:
- No on-premises mailboxes should exist for the users that will be migrated from Office 365–create the AD accounts only at first
- Be sure that the on-premises UPN for usernames matches precisely the logon name that is used in Office 365
- It is further recommended to match:
- Email address,
- Display Name and
- proxyAddresses (multi-valued attribute)–you will want to capture all aliases in advance–including any SIP and legacy X500 style addresses before syncing
- The “targetAddress” attribute for these accounts should be set to the following address: username@TenantName.mail.onmicrosoft.com
- You will need to create Exchange objects to be associated with these accounts as well, but they will not be local mailboxes, they will be “Remote” mailboxes using the “New-RemoteMailbox” cmdlet.
- Finally, you also will need to find the ExchangeGUID property by connecting to Exchange Online via PowerShell and running the command
Get-Mailbox email@example.com | fl ExchangeGUID
You will then need to set the ExchangeGUID attribute on the on-premises account. See here for more details on this process.
Again, because of the complexity/tediousness of doing this all manually, I would highly recommend the resource I mentioned above. I personally used the scripts provided by Steve Goodman, and the process went very smoothly–we only had a handful of corrections to proxyAddresses (such as missing X500 entries). It is very important that you have matching information precisely input to the local Active Directory before proceeding to Step 3, since activating Directory Sync will overwrite whatever information is attached to those accounts in the cloud, with whatever you have coming from the on-premises AD.
By the way, if you choose to activate password sync, then this also implies that Office 365 passwords will be overwritten as well, to match whatever you have set for the users on-premises. Be sure to communicate this impact to them in advance of the change, but know that enabling password sync is also optional here.
Step 3: Activate Directory Synchronization
At this point, you are ready to install and Activate Azure AD Connect.
But wait, Alex–what if my parent organization is already using Azure AD Connect to synchronize their directory with another Azure AD tenant?!
No problem. All you have to do is install the tool on a different server (not the same location as the existing installation). Then, configure it to sync with the child organization’s tenant, and select the option to only sync objects from the OU containing the appropriately pre-staged items. Ensure also that the new OU is not included in the scope of objects being synced in the parent org’s existing tenancy.
Step 4: Run the Hybrid Wizard and re-establish mail flow
Now you can download the Hybrid Configuration Wizard and run it. This will establish a relationship between the on-premises Exchange server and the Exchange Online instance. Connectors will be created that will help pass mail from/to Exchange online.
You may also need to edit the accepted domain that was added earlier and change it from “Authoritative” to “Internal Relay.” This means that if the server does not yet own or is not aware of a mailbox, it will pass messages along to Office 365. Also, if you had verified other domains in the child organization’s tenant (such as the parent organization’s main email domain), then the same will need to be done in Exchange Online. Navigate in the portal to accepted domains, and edit the domain type from Authoritative to Internal Relay for domains with mailboxes that exist on-premises.
Test mail flow in both directions.
Step 5: Migrate mailboxes
It is possible to do this step either before or after changing DNS records to point on-premises (although flipping this in advance is recommended). In Exchange Online from the EAC, you can find recipients > migration. Select the ellipses and add a Migration endpoint. You need to define the fqdn of the on-premises (parent org) server. After the endpoint is defined, you can start migrating mailboxes by choosing the “plus” (+) symbol, Migrate from Exchange Online. You will select the mailboxes you intend to migrate, and specify a target database (you should get the database name from the server with Get-MailboxDatabase). Fill out a few other options and you’re all set–migration batches should start moving.
This is a fairly straightforward process that allows administrators to provide a decently smooth transition from Office 365 back to an on-premises instance of Exchange Server 2013 or 2016. Keep in mind that until you flip autodiscover, MX records, etc. over to the on-premises server, you may need to manually configure profiles in Outlook and on mobile devices (to use the on-premises server). Otherwise, you can treat it much like a cut-over with a small enough group of users, and do this all at once with DNS records and all, allowing the users then to simply remove and re-add their accounts on their mobile devices, and let autodiscover take care of the rest, for example.
I did not go super heavy on detail here–my goal was simply to show in broad strokes what is required to do this end-to-end. More experienced readers will have no trouble following this outline and completing a migration, but I really do recommend the series by Steve Goodman which I linked above–it has much more granular step-by-step detail and some excellent scripts to go with it.
Could you pls help me.
Our company going to migrate from Exchange online to Exchange2016 on-premises.
On-premises internal domain name is “domain.local” with UPN “company.com” (added to accepted domain)
Accepted domains in Exchange online are “company.com” and “xyz.onmicrosoft.com”.
Is “xyz.onmicrosoft.com” the domain name i need to add to on-premises in step D.?
The domain that is used to route mail from on-premises to Office 365 is actually xyz.mail.onmicrosoft.com; note that this is not meaningful in the outside world, it will only be meaningful on your Exchange server–that is how it knows where to send mail (the cloud users will have an on-premises SMTP address of firstname.lastname@example.org). When Exchange server sees that suffix, it uses the appropriate connector to send the mail to Office 365, rather than route it normally via the Internet send connector. I would highly recommend using the article I referenced–Steve Goodman is a solid resource for getting this done, if you follow his steps one at a time, carefully.
Thank you for fast response. One else question: is the public certificate mandatory or i can use a corp. CA cert?
Not sure why you wouldn’t just purchase a public UCC cert… I assume the corp one would work… but your client computers need to trust the cert too. And for mobile devices you may need to export/import it, etc. So there is more support work & maintenance involved in that type of setup, which is why I’d just recommend the public certificate for easier management on IT, less headache/questions/interventions with users.
In the beginning of the 1st part of his article Steve says that “…In preparation they have implemented some based components – Exchange Server 2013 and Directory Sync with Password Sync”. Do i need to set up Directory and Password Sync first on my on-premises Exchange?
Password sync is optional, however it is necessary to synchronize directory objects in order to create the hybrid connection. Before synchronizing accounts, you would want to stage the accounts that exist in the cloud first in the on prem directory using those scripts to export them from Azure AD and then import them to on-prem AD. Once you have the same accounts on-prem as already exist in 365, then you would implement directory sync with Azure AD Connect. Having that done is a pre-req to creating a hybrid relationship to Exchange Online.
Did you had any issues with breaking the hybrid configuration after the migration was completed?
Nope, it should be pretty straightforward. You can follow Microsoft’s guide on doing so–search “how and when to decommission hybrid”
Do you know of any issues if you are going to offboard o365 users and there has never been a on premise exchange environment.
AD is currently syncing using AD connect.
The plan is to install an Exchange 2016 server into the current AD environment, setup as hybrid and offboard users.
can you see any issues introducing an exchange server into this Active Directory?
As long as you follow all the steps, there shouldn’t be any issues. Most important is to export all the relevant/important attributes such as proxyaddresses (aliases), etc., and import them on-prem, make sure they match before enabling the AD sync. Sorry for slowness of reply here too.