
O365 AD Connect User’s On-Premise Mailbox Hasn’t Been Migrated to Exchange Online

Discussion in 'Business & Enterprise Computing' started by matt001, Apr 7, 2022.

  1. matt001

    matt001 Member

    Joined:
    Sep 21, 2003
    Messages:
    461
    Location:
    Brisbane QLD
    Hi All

    Have taken over a small business IT

    Their environment is a mess. Currently they have an onprem domain, Exchange and file server, and have 365 but only use Teams. The previous IT set up AzureAD Sync and it looks like Hybrid Setup was enabled.

    When accessing 365 Portal and looking at the users when I go into the mail Tab for each user I get the following message

    "The user's on-premise mailbox hasn't been migrated to Exchange Online. The Exchange Online mailbox will be available after migration is completed"

    Due to the mess and issues / errors on their servers I don't want to use the inbuilt OnPrem Exchange Migration Wizard. From what I have seen so far I will probably see more errors and don't want to deal with it. It's a lot easier to either export each mailbox as PST or use a third-party migration tool like BitTitan.

    I assume whatever way I fix the below to get access to mailbox settings in 365, it won't affect users' mailboxes on prem, as this still needs to work (as in mail flow working) until all the first stage migration is complete. Then I can do the final cut-over sync of emails and change DNS records for MX and autodiscover from on prem to point to 365.

    First off, how am I able to remove this message from all users in 365 when clicking on the Mail tab, so I gain full control back through the 365 Portal?

    "The user's on-premise mailbox hasn't been migrated to Exchange Online. The Exchange Online mailbox will be available after migration is completed"

    Then I want to fully remove / uninstall AzureAD Sync from current Domain Controller

    Then I want to install AzureAD Sync on new Domain Controller

    I know I need to add their email domain, for example test1.com.au, to Active Directory Sites and Trusts on the new Domain Controller. When adding the new users to the new domain, select test1.com.au as their primary domain when creating the AD account instead of test.local, add their email to the email field in AD, and also add their email to the Primary SMTP Proxy Address in Attributes Editor in AD for the user.


    After posting I found these two articles

    https://www.codetwo.com/kb/msexchmailboxguid-problems/#setting-attribute-to-null

    https://www.codetwo.com/kb/managing-mailboxes-in-hybrid-environment/

    Can someone confirm I can just follow https://www.codetwo.com/kb/managing-mailboxes-in-hybrid-environment/, that is, to disable AD Sync? Will it bring back all the functionality in 365 now that there is no AzureAD Sync between onPrem and 365?

    Or do I need to follow https://www.codetwo.com/kb/msexchmailboxguid-problems/#setting-attribute-to-null first, then follow https://www.codetwo.com/kb/managing-mailboxes-in-hybrid-environment/?
     
    Last edited: Apr 8, 2022
  2. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,916
    Location:
    Frankfurt, Germany
    So is the HCW configured on Exchange somewhere? Is mail currently flowing?

    Well no. Exchange Migration Wizard works fine, but does imply that you will *always* have Exchange in Hybrid mode. The only real reason to do this anymore is:

    * You want easy multi-mailbox export options
    * You have a bunch of SMTP relaying you need doing and just want to whitelist internal IP's.

    Managing to shift to a pure Azure AD (i.e. non-hybrid) is going to be clunky unless you ditch AD entirely - otherwise you're down to manually updating proxyaddresses which is feelsbad.

    The only way to do this will remove AD Sync. This has other impacts. Also remember that Azure AD Sync is effectively a copy between AD and Azure AD - if you want to redeploy, you just move it and keep the same sourceAnchor.

    1. Don't put this on a DC.

    2. Don't put this on a DC.

    Huh. I presume you're talking about an alternate UPN suffix.

    With respect, this is something that can cause serious impact to business operations. Losing mail is *really* easy to do (and excessive NDR's abound), causing significant reputational and potentially financial damage to a business. It definitely sounds like you don't know what you're doing, and it will be challenging to explain in piecemeal.

    I would suggest you get a professional with migration, specifically exchange and other M365 services such as OneDrive, understanding to ensure that things are handled correctly.
     
    Last edited: Apr 8, 2022
    ir0nhide, 2SHY, randomman and 2 others like this.
  3. OP
    matt001

    matt001 Member

    Joined:
    Sep 21, 2003
    Messages:
    461
    Location:
    Brisbane QLD
    Exchange Hybrid is installed but nothing is configured, as there are no send or receive connectors in onprem to go via 365 and no send / receive connectors set up in 365.

    Sending emails from onprem exchange go out via a send connector which is a hosted spam filter then out to the Internet
    Incoming mail goes through hosted spam filter then hits the onprem exchange.

    Nothing goes via 365 at all

    In theory I should be able to disable AzureAD Sync on OnPrem and wait 72 hours or less for everything to go to Cloud Status in 365.

    OnPrem exchange still working as it should before the disabling of Azure AD Sync

    Then I can follow this guide https://www.slashadmin.co.uk/how-to...65-tenant-into-a-new-active-directory-domain/ which I have used before in my lab and it worked without any issues
    In new Environment and install AzureAD Sync on a Domain joined member server.

    In theory users in onprem ad if have the correct email and Primary / aliases in Primary Proxy SMTP Address for the user in AD Attributes for the Primary Proxy SMTP Addresses then on first AzureAD Sync they link up.
    I still have control to create shared mailboxes, create mail distribution Groups, Team Groups, add / edit / remove users from groups from the 365 Portal.

    Then on onPrem AD new users will sync to 365 and if need to add aliases do this via onPrem AD then users and Password resets done via onPrem AD sync to 365.
    Existing onPrem AD Users I will be able to do password resets and syncs to 365 and update any contact details that will sync to 365

    Matthew
     
  4. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,916
    Location:
    Frankfurt, Germany
    So HCW isn't setup at all

    No. It's still going to have properties from AD on the MSOLUser and AzureAD account.

    At this point, On-prem exchange has nfi about O3

    You realise this is for an AD Domain that doesn't have exchange installed on it right?

    You can't just *ignore* on-prem exchange.

    You will lose mail.

    Stop.

    Pay someone else.
     
  5. sammy_b0i

    sammy_b0i Laugh it up, fuzzball!

    Joined:
    Jun 29, 2005
    Messages:
    5,965
    Location:
    Canberra
    My number one learned tip from an IT career thus far. Drop the bravado and pay an expert. Play your cards right and higher up people are still happy that you've achieved their requirements.
     
    darkanjel, power and Elmf like this.
  6. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    70,264
    Location:
    brisbane
    the best advice the OP will hear today.
     
  7. sammy_b0i

    sammy_b0i Laugh it up, fuzzball!

    Joined:
    Jun 29, 2005
    Messages:
    5,965
    Location:
    Canberra
    Exactly. Sometimes knowing who to call to get the job done is just as valuable as knowing how to do it yourself. You also hand off all risk to someone else.
     
  8. OP
    matt001

    matt001 Member

    Joined:
    Sep 21, 2003
    Messages:
    461
    Location:
    Brisbane QLD
    If I disable ADSync and there is no Hybrid setup between onprem Exchange and 365, I don't understand how I will lose mail.


    I could just disable ADSync and wait till all users' statuses in 365 go from OnPrem managed to Cloud. If all good, uninstall ADSync from OnPrem. Fully delete all users from 365; there is no data for mailboxes in 365, they only use Teams.

    Then on the new server which is brand new setup no connection or link between current Domain controller and onprem exchange new Domain Controller, create the users in Active Directory create member server join that to the Domain install Azure AD Sync.
     
    Last edited: Apr 8, 2022
  9. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,916
    Location:
    Frankfurt, Germany
    You haven't really stated what you're trying to do then.

    Initially you sounded like you wanted to get to O365 for mail without Exchange onprem, but using AD sync'd accounts for Single Sign On.

    Now it sounds like you want O365 for Teams only, but Exchange on-prem, but still using AD sync'd accounts...
     
  10. Dilbery

    Dilbery Member

    Joined:
    Nov 19, 2005
    Messages:
    1,622
    Location:
    Sydney, NSW
  11. OP
    matt001

    matt001 Member

    Joined:
    Sep 21, 2003
    Messages:
    461
    Location:
    Brisbane QLD
    I may have not explained myself clearly in the beginning

    The current environment is too broken and easier to start over again

    I have taken on a new client that has onprem domain, onprem fileserver and onprem exchange with Hybrid role installed but not configured. And has Azure AD Sync installed. Client has a 365 Tenancy but only use it for Teams and Basic Sharepoint Intranet no mail is stored in 365

    Currently there are issues with their current servers and I don't want to spend time fixing the issues, and this is what I want to do:

    Disable Azure AD Sync on current domain controller so all objects go back to Cloud Status in 365 instead of AD Managed
    Uninstall Azure AD Sync from current domain controller

    All emails still working on onprem exchange with no azure ad sync

    So everything in 365 is able to be managed by 365.

    Export users mailboxes from onprem exchange using pst or use BitTitan to migrate emails from onprem exchange to 365.

    I either create new mailboxes directly in 365 for each user and use the @onmicrosoft.com while email migration is happening mailboxes and once migration done switch over the dns records to point to 365 fully delete all the users that are in 365 that were originally synced with Azure AD then change each mailbox that I created directly in 365 with all the mail synced from using @onmicrosoft.com to their @domain.com.au

    Then build a new Domain Controller in a new environment, add all the users into the new AD, build a new member server, join it to the AD Domain, install Azure AD Connect and link AD users to the 365 mailboxes. Then user management is done via AD, including password resets, and from the 365 Portal the client can create shared mailboxes, Mail Distribution Groups and Teams Groups, and add / remove users from the Groups.

    Or, instead of creating the mailboxes in 365 directly, fully delete all the existing mailboxes in 365 that were synced from the old onprem AD, build the new Domain Controller in the new environment, set up AzureAD Sync and create users in AD. They sync to 365, and from there I migrate the emails to 365 using PST or BitTitan, then switch the autodiscover, MX and SPF records to 365.

    Matthew
     
    Last edited: Apr 8, 2022
  12. darkanjel

    darkanjel Member

    Joined:
    Feb 28, 2005
    Messages:
    628
    Location:
    Sydney
    How much are you paying to learn with this project with the customer's data?
     
    Dilbery and Elmf like this.
  13. OP
    matt001

    matt001 Member

    Joined:
    Sep 21, 2003
    Messages:
    461
    Location:
    Brisbane QLD
    The client is a friend of a friend
    I have backups of their systems

    All they use their 365 Tenancy for is Teams and a small Intranet, Emails are not configured or even running through 365. Only onprem exchange.

    I have done this type of work before but haven't had one that has had an onprem Exchange with AzureAD Sync with Hybrid installed but not configured.

    I have had AzureAD sync configured using 365 with no problems
     
  14. Sphinx

    Sphinx Member

    Joined:
    Sep 16, 2001
    Messages:
    11,443
    Location:
    Brisbane
    Better to keep ADSync running, better to have one set of credentials for AD and mailboxes for your users.
    Just null out mailbox status for O365 users and re-sync as per the steps in the 1st CodeTwo link you found.
    Assuming you have added the email domain successfully to O365 and similar the UPN suffix / login in AD for required users.
    Then buy and apply O365 Exchange Online licensing (per user) to the users you want to create O365 mailboxes.
    Create other shared mailboxes, groups with addresses, etc as required.
    Then modify MX, Autodiscover, etc. on DNS after hours to flow email to the new mailboxes instead.
    Have users start using their new mailbox with current AD credentials in Outlook, Web, Mobile, etc.
    Buy CodeTwo mailbox migration licensing (per mailbox), install software on-prem and upload existing email from Exchange to O365 mailboxes easily.
    On-prem data remains intact as it is copied instead of moved; decommission whenever satisfied.

    Source: We are an MSP 365 / CodeTwo reseller.
     
    Last edited: Apr 8, 2022
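
Added example, not part of Sphinx's post or of the CodeTwo articles: a read-only PowerShell inventory to run before any of the steps discussed in this thread. For each enabled AD user it reports whether `msExchMailboxGuid` (the attribute named in the first CodeTwo link) is populated and whether the UPN suffix and primary SMTP proxy address line up with the mail domain. It assumes the RSAT ActiveDirectory module is installed; `test1.com.au` is the example domain from the first post and the CSV path is a placeholder.

```powershell
# Added example: read-only audit, makes no changes to AD or to Azure AD.
# Assumptions: RSAT ActiveDirectory module; $MailDomain and $OutFile are placeholders.
Import-Module ActiveDirectory

$MailDomain = 'test1.com.au'                 # example domain from the thread
$OutFile    = '.\premigration-audit.csv'     # placeholder output path

$users = Get-ADUser -Filter 'Enabled -eq $true' `
                    -Properties mail, proxyAddresses, msExchMailboxGuid

$report = foreach ($u in $users) {
    # The primary address is the proxyAddresses entry with an upper-case "SMTP:" prefix;
    # aliases use lower-case "smtp:". -clike keeps the comparison case-sensitive.
    $primary     = @($u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
    $primarySmtp = if ($primary.Count -gt 0) { $primary[0].Substring(5) } else { $null }
    $upnSuffix   = ($u.UserPrincipalName -split '@')[-1]

    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        UserPrincipalName = $u.UserPrincipalName
        Mail              = $u.mail
        PrimarySmtp       = $primarySmtp
        PrimarySmtpCount  = $primary.Count          # anything other than 1 needs a look
        HasOnPremMailbox  = [bool]$u.msExchMailboxGuid
        UpnSuffixIsDomain = ($upnSuffix -ieq $MailDomain)
        UpnMatchesSmtp    = [bool]($primarySmtp -and ($u.UserPrincipalName -ieq $primarySmtp))
    }
}

# Keep a dated copy of the current state as part of the back-out plan.
$report | Export-Csv -Path $OutFile -NoTypeInformation

# Accounts that would need attention before a sync is relied on for matching.
$report |
    Where-Object { -not $_.UpnSuffixIsDomain -or -not $_.UpnMatchesSmtp -or $_.PrimarySmtpCount -ne 1 } |
    Sort-Object SamAccountName |
    Format-Table SamAccountName, UserPrincipalName, PrimarySmtp, PrimarySmtpCount -AutoSize

# Summary: how many synced accounts carry an on-prem mailbox GUID.
'{0} of {1} enabled users have msExchMailboxGuid populated' -f `
    @($report | Where-Object HasOnPremMailbox).Count, @($report).Count
```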
  15. Elmf

    Elmf Member

    Joined:
    Jan 6, 2007
    Messages:
    5,631
    Location:
    Melbourne
    2c. I'm in IT but not technical space.

    Please please please do this with test cases before diving in. Whatever solution you end up with. Ensure a strong backout plan and plan for the worst.

    Ps: doesn't matter if the business is for a friend of a friend. Hammer drops regardless of how you met your client if you fuck this up.
     
  16. darkanjel

    darkanjel Member

    Joined:
    Feb 28, 2005
    Messages:
    628
    Location:
    Sydney
    What we can gather is:
    • The users don't seem to care about their mailbox data (PST import advised by you, their trusted IT adviser & industry professional).
    • There's not a lot of users (as above).
    • AD is not critical to anything (you plan to rebuild it for unknown reasons).
    It sounds like they might be better off without local AD/servers at all. That project would look like:
    • Decommission dir sync
    • Cutover mail migration with MWiz
    • Cutover removal of "hosted spam filter"
    • Disjoin PCs from domain
    • Disconnect servers from network
    For someone who knows what they're doing, this would be half a day's work + MWiz license costs.

    Alternatively, configuring the hybrid Exchange would be quicker and seamless but they will be stuck with on-prem AD. It's also likely installed on the same server (perhaps it's SBS/WSE and everything is on the single box?) and that isn't supported/best practice but hey, that's probably the least problematic issue here.

    However as you seem intent on doing it your way, you should generally prioritise Microsoft technical resources for Microsoft products where available:
    If you use community resources, check the post dates as O365/BPOS has been out for over a decade with many, many changes over the years.

    It's not difficult, but there are traps if you don't understand the solution architecture, design decisions and ramifications. The current usage of the hosted spam filter makes it much easier as you can mail hold/redirect instantly; it should outweigh the on-premise Exchange as a new factor for you.
     
    Elmf likes this.
  17. OP
    matt001

    matt001 Member

    Joined:
    Sep 21, 2003
    Messages:
    461
    Location:
    Brisbane QLD
    I am going to stop posting. I have done plenty of AzureAD Connect setups and email migrations from onPrem Exchange to 365 using migration tools like BitTitan and CodeTwo. I very rarely do PST imports; I only use them if the mailbox is less than 10GB, which is rare these days.

    I have hardly done work where AzureADSync has been installed with Hybrid and onprem Exchange with Hybrid installed but nothing configured. I read many articles about having to keep onprem Exchange and I was just asking for advice on whether what I had planned would work. I haven't really used the hybrid Exchange to 365 mailbox migration.

    Matthew
     
  18. PabloEscobar

    PabloEscobar Member

    Joined:
    Jan 28, 2008
    Messages:
    14,701
    Actually broken? Or just set up in a way you haven't seen before?
     
  19. darkanjel

    darkanjel Member

    Joined:
    Feb 28, 2005
    Messages:
    628
    Location:
    Sydney
    I don't think anybody here cares for puffery.

    You've mentioned this several times. Perhaps nobody answered you directly: Since the hybrid role was not configured, there is no practical difference whether Exchange has the hybrid role installed or not. Perhaps the schema was extended, or Server/Exchange updates were made but that makes no practical difference to the solution design.

    You should refer to Microsoft documentation. I linked you to Microsoft answers for your questions. Here's another one on how and when to decommission Hybrid Exchange but that's not really applicable here since Hybrid Exchange isn't even configured, but it is relevant to answering your question in that it answers you completely and in full in Scenario one. Here's another link on hybrid deployment, and on creating a hybrid deployment; takes ten minutes to read and thirty minutes to complete, allocate double time for first attempt.

    I don't think we're going to get a straight answer :lol:
     
  20. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,916
    Location:
    Frankfurt, Germany
    Quite frankly, every time someone tells me this - particularly when they can't articulate what is "broken" and "why" - they are absolutely not the person who should be rebuilding/rearchitecting an environment.

    This isn't what happens...

    This is basically insane. See my previous comment.
     
