In this article we discuss how to migrate mailboxes from on-premises Exchange to Office 365 using the staged migration method.
Exchange Online Overview:
Exchange Online helps protect your information with advanced capabilities. Anti-malware and anti-spam filtering protect mailboxes. Data loss prevention capabilities prevent users from mistakenly sending sensitive information to unauthorized people. Globally redundant servers, premier disaster recovery capabilities, and a team of security experts monitoring Exchange Online around the clock safeguard your data. And with a guaranteed 99.9% uptime and a financially backed service level agreement, you can count on your email always being up and running.
Stay in Control
Maintain control over your environment while gaining the advantage of hosting your email on Microsoft servers. Manage your organization efficiently with the Exchange admin center, an easy-to-use, web-based interface. Run In-Place eDiscovery across Exchange, SharePoint, and Skype for Business data from a single interface through the eDiscovery Center. With mobile device policies, you can create approved mobile device lists, enforce PIN lock, and remove confidential company data from lost phones. And IT-level phone support is available to you 24 hours a day, 7 days a week.
Easy to use and maintain
It’s easier than ever to provide your users with the business email they need to stay productive.
Automatic patching eliminates the time and effort of maintaining your system. Give your users an In-Place Archive, so they can keep all their important data in one place. And provide them with anywhere access to email, calendar, and contacts on all major browsers and across devices.
Integration with Outlook means they’ll enjoy a rich, familiar email experience with offline access.
1- This article is based on Exchange 2003. There is no real difference if you have Exchange 2007; the only difference is in the last step (converting the mailbox to a mail-enabled user), where Microsoft provides a different script for Exchange 2007.
2- You should have some experience administering Exchange 2003.
3- You already have an Office 365 tenant with a .onmicrosoft.com domain. To get started with Office 365, follow this Microsoft link: http://office365support.ca/signing-up-for-the-new-office-365-2/
4- Some information in the screenshots has been hidden for privacy reasons.
So now the main question is: why did we choose the staged migration method, and what does it mean?
The answer is simple: Exchange 2003 and Exchange 2007 are the versions supported by the staged migration method.
1- Your Exchange server must use a certificate from a public (commercial) CA; a self-signed certificate will not work. To learn how to install a commercial certificate on Exchange 2003, follow this link: http://blogs.technet.com/b/sbs/archive/2007/08/21/how-to-install-a-public-3rd-party-ssl-certificate-on-iis-on-sbs-2003.aspx. If you are wondering why a third-party certificate is required: the migration service in Office 365 connects to your Exchange server over HTTPS, and it only trusts a certificate that chains to a public CA, so the connection is authenticated as well as encrypted. The certificate's subject name must also match the public host name the migration service connects to.
2- You must have a public AutoDiscover record in your DNS, for example AutoDiscover.yourdomain.com pointing to your Exchange server.
3- It is recommended that your Exchange server is fully up to date (service packs and updates).
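The first two prerequisites can be verified from any Internet-connected Windows machine before you create a migration batch. The following PowerShell script is an added example, not code from the original article or from Microsoft. It assumes the Autodiscover host name autodiscover.mydomain.com (replace it with your own record) and validates the certificate chain against the trust store of the machine it runs on; a self-signed or private-CA certificate fails the chain check exactly as it would for the migration service.

```powershell
# Added example (not part of the original article): checks that the Autodiscover
# name resolves publicly and that the certificate the server presents is not
# self-signed, chains to a trusted CA, is in date and matches the host name.
$AutodiscoverHost = 'autodiscover.mydomain.com'   # assumption: replace with your own record

function Get-TlsCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept whatever the server presents so the certificate can be inspected below.
    # This probe-only callback must never be copied into a real client.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($cn) { $names += $cn }
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) {
        # Format() renders the SAN as "DNS Name=a, DNS Name=b" on English-language systems
        foreach ($entry in ($san.Format($false) -split ',')) {
            if ($entry -match 'DNS Name=(\S+)') { $names += $Matches[1] }
        }
    }
    return $names | Select-Object -Unique
}

function Test-MigrationEndpoint {
    param([string]$HostName)
    $ok = $true
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.ToString() }
        Write-Host "$HostName resolves to: $($ips -join ', ')"
    } catch {
        Write-Warning "$HostName does not resolve from here; the public Autodiscover record is missing"
        return $false
    }
    $cert = Get-TlsCertificate -HostName $HostName
    Write-Host "Subject : $($cert.Subject)"
    Write-Host "Issuer  : $($cert.Issuer)"
    Write-Host "Expires : $($cert.NotAfter)"
    if ($cert.Subject -eq $cert.Issuer) {
        Write-Warning 'Certificate is self-signed; Office 365 will not trust it'; $ok = $false
    }
    # Build the chain against this machine's trust store: a public-CA certificate passes,
    # a private or unknown root does not, which mirrors what the migration service sees
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($cert)) {
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Write-Warning "Certificate does not chain to a trusted root: $reasons"; $ok = $false
    }
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning 'Certificate has expired'; $ok = $false }
    $names = Get-CertificateDnsNames -Cert $cert
    # Exact match, or a wildcard entry such as *.mydomain.com covering the host
    $matched = $names | Where-Object { $_ -eq $HostName -or ($_.StartsWith('*.') -and $HostName -like $_) }
    if (-not $matched) {
        Write-Warning "Certificate names ($($names -join ', ')) do not include $HostName"; $ok = $false
    }
    return $ok
}

if (Test-MigrationEndpoint -HostName $AutodiscoverHost) {
    'Prerequisites look good'
} else {
    'Fix the warnings above before creating the migration batch'
}
```

Run it from outside your network if you can: a certificate that chains only because a private root is installed on your domain-joined workstation will still fail when Office 365 connects.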
Now let’s discuss some concepts and important notes before we begin the implementation. When you think about migrating mailboxes to Office 365 you need to ask yourself several questions:
* How will Office 365 collect information about my users? This is a very good question 🙂 First of all you need to synchronize your directory to Office 365, which simply means you need to install a tool to do that.
As usual, Microsoft tries to simplify these things for customers, so they offer a tool called directory synchronization; this tool takes care of syncing all the important data to Office 365.
* Will end users access their Office 365 mailbox with the same on-premises password? That is your decision. The directory synchronization tool offers a password sync option, so users do not need a different password for Exchange Online. (Password sync replicates a hash of the password hash, not the clear-text password.)
* Where is this magic tool? 🙂 You can download it from the Office 365 portal; it is a small tool with great benefits. We will see how to install and configure it later in this article.
* What is the impact on end users while their mailboxes are migrated? This is one of the questions that always troubles admins and makes them think twice before starting a migration.
All users work fine before migration. Once a mailbox starts to be migrated it goes through four main stages until the migration completes.
The first two stages are provisioning and queuing. They initiate the migration process; during these stages users can still use their mailboxes as normal, and they usually take no more than 3 to 5 minutes.
After that the syncing stage starts. Once syncing starts, users can no longer receive mail in Outlook or in on-premises OWA: all incoming mail is routed automatically to the Office 365 mailbox. So you must tell the user to use the Office 365 portal by navigating to https://portal.office365.com. Also remember that at this stage you cannot yet configure Outlook to use the online mailbox, so the user should keep using the Office 365 portal. But why? To answer that question, let’s discuss how the migration process works and how mail flows in coexistence mode with your Exchange server.
Before trying to understand how the migration process works, let’s understand the difference between two important concepts: a mailbox-enabled recipient and a mail-enabled recipient.
A mailbox-enabled recipient can log on to the network and access domain resources. Mailbox-enabled recipients can send and receive messages and store messages in a mailbox on their Exchange server. Mailbox-enabled recipients can be used for all aspects and functions of Exchange Server 2003.
A mail-enabled recipient can only receive messages at an external e-mail address. A mail-enabled recipient cannot send or store messages in Exchange message stores. A mail-enabled user has an account in Active Directory but no Exchange mailbox. This lets other users easily locate and send e-mail to a mail-enabled user even though the account has no mailbox in the Exchange organization. For example, you might create a mail-enabled user for on-site contract employees who need access to the network but want to keep receiving their e-mail through their Internet service provider.
Great, now back to the coexistence case between on-premises Exchange and Office 365. When you install the directory synchronization tool and sync your directory to Office 365, every mailbox-enabled recipient on-premises gets a mail-enabled recipient in Office 365. This happens before the migration starts, i.e. before the syncing stage. Once the migration starts and enters the syncing stage, the mail-enabled recipient in Office 365 is converted automatically into a mailbox-enabled recipient, and the old mailbox on the on-premises Exchange server acts as a forwarder. All incoming mail is forwarded to the mailbox in Office 365, and that is the answer to the question “why should users use the Office 365 portal once the syncing stage starts?”.
Another important question arises now: how does the on-premises mailbox know where to forward incoming mail? Let’s go back to the directory synchronization tool. Once the directory is synced to Office 365, every mailbox gets a new value in its proxyAddresses attribute. Assume there is an address User@mydomain.com: after this user is synced using directory synchronization, a second address on the tenant’s own domain is added to proxyAddresses (that domain is derived from the tenant name you chose when you first signed up for Office 365). This is the cloud routing address of the mailbox; once the migration is in progress, the migration service sets the targetAddress attribute of the on-premises mailbox to that cloud address, and from then on all mail is forwarded to the matching mailbox in Office 365.
* OK, what about Outlook profiles and ActiveSync? After the migration finishes successfully you must recreate the Outlook profile and the ActiveSync profile; there is no other way. Again, you must recreate the profiles.
* A final important question you may have: I said that for some period of time a user has two mailboxes, one on the local Exchange server and one in Office 365. How does Outlook deal with this, and which one will it use? This is a very good question, but the answer is straightforward. Once the migration has finished you must run a script provided by Microsoft (used later in this article) to convert the on-premises mailbox-enabled user into a mail-enabled user. When Outlook connects after the profile is recreated, it first tries the local mailbox; once it finds that the local object has been converted to a mail-enabled user, it connects to the Office 365 mailbox through the AutoDiscover service.
OK, all prerequisites are ready and you understand most of the discussion above 🙂 so let’s start the implementation 😉
1.0 Office 365 IdFix tool
The Office 365 IdFix tool, or IdFix, searches your directory and identifies most of the errors you will encounter before you synchronize to Office 365. IdFix helps you fix these errors and reduces the time it takes to on-board to Office 365. IdFix is simple enough to use that you can fix Active Directory errors and synchronize your directory without relying on subject matter experts.
IdFix does not fix all errors, but it does find and let you fix the majority of them; for example, over half of all synchronization errors are the result of duplicate or badly formed proxyAddresses and userPrincipalName attributes in Active Directory. By fixing these errors, you will be able to successfully synchronize users, contacts, and groups from your on-premises Active Directory to Office 365.
IdFix may identify errors beyond those that are necessary to successfully complete synchronization to Office 365, for example compliance with RFC 2822 for SMTP addresses. Directory synchronization allows you to synchronize invalid attribute values to the cloud, but the best practice is to correct these errors at the source before you synchronize.
To install the IdFix tool, go to the portal and download it from the directory synchronization section as shown below:
Navigate to the Office 365 portal with a user that has admin privileges:
Then from the upper left corner choose the Admin page:
If you don’t see the Admin option, you are not an admin. By the way, the first user created when you signed up for Office 365 is a global admin, so you can use it for now.
Now from the left pane go to Users -> Active users and, beside Active Directory synchronization, choose Set up:
There are many options on this page; in section number 4 click Download:
After downloading the tool, extract the files and run the tool with domain admin privileges on any domain-joined machine in your environment. Once the tool starts, click the Query button and wait for the results to appear. If no results appear, there is nothing that would fail during the synchronization of your directory; if any results appear you must deal with them. In my case the tool found nothing to fix. To learn how to deal with any errors, follow this Microsoft article: https://support.office.com/en-us/article/Install-and-run-the-Office-365-IdFix-tool-f4bd2439-3e41-4169-99f6-3fabdfa326ac
Also remember that running the IdFix tool is optional but strongly recommended: any errors left unresolved before syncing the directory may cause the migration to fail.
Since there are no errors in my environment, let’s continue the implementation 🙂
1.1 Enable Directory synchronization (DirSync Tool)
The Azure Active Directory Sync tool (also known as the Directory Synchronization tool, Directory Sync tool, the DirSync tool, or the DirSync server) is a server-based application that you install on a domain-joined server to synchronize your on-premises Active Directory users to Office 365 for professionals and small businesses. You can install the Azure Active Directory Sync tool on a server in Azure or on-premises.
Before installing the DirSync tool you must first verify your domain in Office 365. Until now you have only one domain in your Office 365 account, something like @mydomain.onmicrosoft.com (mydomain is the tenant name you created at sign-up), so all users created so far have this domain only. Let’s explain further.
If a user has a UPN suffix on your own domain (for example firstname.lastname@example.org, where example.org stands for your domain) and you sync that user to Office 365 with DirSync before verifying the domain, the user is created under the .onmicrosoft.com domain instead, which is not what you want. So keep in mind that every domain a user is associated with must be verified: if the UPN suffix domain and the e-mail domain differ, both must be verified.
To verify your domain(s), from the Admin page go to Domains and click Add domain as shown below. Note that the .onmicrosoft.com domain is already verified:
Enter your domain name and click Next:
- Microsoft provides a TXT record to add to your public DNS to prove that you really own the domain. After adding the TXT record to DNS, click “Okay, I’ve added the record” as shown below:
After the record is added successfully, Microsoft verifies your domain as shown below (sometimes this takes several minutes). After verifying the domain, you must enable directory synchronization in order to sync users from on-premises to Office 365 using DirSync. To enable directory synchronization, from the Admin portal go to Users and click Set up as shown below:
Now in the Activate Active Directory synchronization section click Activate as shown below:
Now you can install the DirSync tool from the same page and start syncing. To install the DirSync tool, from the Office 365 portal navigate to the directory synchronization section and download the tool as shown below:
After the download finishes, install the tool. You can install it on any domain-joined machine, including a DC. Whatever server you choose, protect it at least as tightly as a domain controller: it holds the credentials used for synchronization, including the directory replication rights that password sync needs. After installing, run the tool as shown below and click Next on the welcome page. (If you get the error “Access to the registry key ‘HKEY_LOCAL_MACHINE\Software\Microsoft\MSOLCoExistence’ is denied”, rerun the tool with administrator privileges: Run as administrator.)
It asks for a global administrator account in the Office 365 portal; enter the user name and password and click Next:
Since we are doing a staged migration, uncheck Enable Hybrid Deployment and click Next:
Check Enable Password Sync to sync users’ passwords to Office 365 and click Next:
Wait until the wizard completes and click Next:
Now uncheck “Synchronize your directories now” and click Finish. If you leave this option checked, everything in your directory will be synced to Office 365, so we postpone the synchronization until we have created some filters; then we start syncing:
Now navigate to “C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe” and run miisclient.exe to select which OUs are synced with Office 365.
When MIISClient.exe opens, go to the Management Agents tab and double-click the second connector, called “Active Directory Connector”, as shown below:
Then choose Configure Directory Partitions and click the Containers button. It asks for a user with sufficient privileges to access your AD; enter the credentials and click OK:
Choose which OUs you need to synchronize and click OK:
Before finishing this step, let’s stop at one of the most important points here. Keep in mind that you MUST synchronize all users that have mailboxes, even the ones you do not intend to migrate. Why? Simply put: if one user is not synced to Office 365 and another user who already has a mailbox in Office 365 sends mail to the unsynced one, delivery fails. That may not seem logical, but it is, once you look at how a user in Office 365 sends internal mail. Assume we have three users:
First user, with e-mail firstname.lastname@example.org (synced to Office 365 and already migrated).
Second user, Local_synced_user@mydomain.com, synced to Office 365 but not migrated.
Third user, Local_user_not_synced@mydomain.com, neither synced nor migrated.
Now assume the first user sends an e-mail to the second. The first user is already migrated, so the mailbox is in Office 365; the second user is synced but not migrated, so there is a mail-enabled user in Office 365. Office 365 sees that the domain is one of its accepted domains, but since the second user is a mail-enabled user rather than a mailbox, it forwards the e-mail to the on-premises mailbox.
Now the second case: the first user sends an e-mail to the third. Office 365 sees that the domain is an accepted domain, but since there is no mail-enabled user for the third address, it treats the address as non-existent and a Non-Delivery Report (NDR) is sent back to the first user stating that the recipient was not found.
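Two things from the discussion above are worth checking in Active Directory before you start the first sync: that every mailbox-enabled user sits inside one of the OUs you ticked in MIISClient, and which routing attributes (the cloud address in proxyAddresses and targetAddress) each mailbox carries. The following PowerShell script is an added example, not code from the original article or from Microsoft. It uses the ADSI searcher built into Windows PowerShell (no Exchange or AD module needed on a 2003-era domain); the OU distinguished names are an assumption and must be replaced with the containers you selected.

```powershell
# Added example (not part of the original article): lists every mailbox-enabled user
# in the on-premises AD, flags the ones outside the synced OUs (they get no mail-enabled
# object in Office 365, so mail from migrated users to them will NDR), and shows the
# routing attributes that drive forwarding once a mailbox is being migrated.
$SyncedOUs = @('OU=Staff,DC=mydomain,DC=com', 'OU=Contractors,DC=mydomain,DC=com')   # assumption: the containers you ticked

function Get-MailboxEnabledUsers {
    # A mailbox-enabled user has homeMDB populated; a mail-enabled user has targetAddress but no homeMDB
    $searcher = [adsisearcher]'(&(objectCategory=person)(objectClass=user)(homeMDB=*))'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'mail', 'proxyAddresses', 'targetAddress'))
    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties   # property names come back lower-cased
        New-Object PSObject -Property @{
            DistinguishedName = [string]$p['distinguishedname'][0]
            Mail              = $(if ($p.Contains('mail')) { [string]$p['mail'][0] } else { '' })
            ProxyAddresses    = @($(if ($p.Contains('proxyaddresses')) { $p['proxyaddresses'] | ForEach-Object { [string]$_ } }))
            TargetAddress     = $(if ($p.Contains('targetaddress')) { [string]$p['targetaddress'][0] } else { '' })
        }
    }
}

function Test-InSyncedOU {
    param([string]$DistinguishedName, [string[]]$OUs)
    foreach ($ou in $OUs) { if ($DistinguishedName -like "*,$ou") { return $true } }
    return $false
}

function Get-SyncCoverageReport {
    param([string[]]$OUs)
    foreach ($u in Get-MailboxEnabledUsers) {
        # The cloud routing address the article describes lives on the tenant's onmicrosoft.com domain
        $cloudRouting = @($u.ProxyAddresses | Where-Object { $_ -like 'smtp:*.onmicrosoft.com' })
        New-Object PSObject -Property @{
            Mail              = $u.Mail
            WillBeSynced      = (Test-InSyncedOU -DistinguishedName $u.DistinguishedName -OUs $OUs)
            CloudRouting      = ($cloudRouting -join ';')   # empty until directory sync has added it
            ForwardsTo        = $u.TargetAddress             # empty until the migration sets it
            DistinguishedName = $u.DistinguishedName
        }
    }
}

$report = @(Get-SyncCoverageReport -OUs $SyncedOUs)
$report | Sort-Object WillBeSynced, Mail | Format-Table Mail, WillBeSynced, CloudRouting, ForwardsTo -AutoSize
$unsynced = @($report | Where-Object { -not $_.WillBeSynced })
if ($unsynced.Count -gt 0) {
    Write-Warning "$($unsynced.Count) mailbox-enabled user(s) are outside the synced OUs; mail from migrated users to them will NDR:"
    $unsynced | ForEach-Object { Write-Warning "  $($_.Mail)  ($($_.DistinguishedName))" }
}
```

Run it as a user that can read the domain; no write access is needed. Any user listed in the warning must either be moved into a synced OU or have its OU added to the filter in MIISClient before you run Start-OnlineCoexistenceSync.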
Now launch “C:\Program Files\Windows Azure Active Directory Sync\DirSyncConfigShell.psc1” and type Start-OnlineCoexistenceSync to start the synchronization immediately. This takes from several minutes up to several hours, depending on the number of objects you have.
2 Migrate Mailboxes to Office 365
2.1 Staged Migration Overview:
A staged migration is typically used to migrate mailboxes to Exchange Online over a period of a few weeks or months. Staged migrations are used by organizations that plan to eventually move all mailboxes to Exchange Online and completely transition their on-premises Exchange organization to Exchange Online. A staged migration isn’t intended for organizations that want to permanently maintain mailboxes in both their on-premises organization and Exchange Online, or that plan to transition all mailboxes to Exchange Online over a long period of time. An Exchange hybrid deployment is a better solution for maintaining on-premises and cloud-based mailboxes for the long term because it offers features such as secure mail routing between on-premises and Exchange Online organizations, a unified shared address book, Free/Busy and calendar sharing between on-premises and Exchange Online organizations, and the ability to move Exchange Online mailboxes back to the on-premises organization.
You can’t use a staged migration to migrate Exchange 2010 or Exchange 2013 mailboxes to Exchange Online. If you have fewer than 2,000 Exchange 2010 or Exchange 2013 mailboxes in your organization, you can use a cutover Exchange migration. To migrate more than 2,000 Exchange 2010 or Exchange 2013 mailboxes, you have to implement an Exchange hybrid deployment.
To use a staged migration to migrate mailboxes to Exchange Online, you have to replicate user accounts from your on-premises Active Directory directory service to your Office 365 organization. To do this, you have to install and configure the Microsoft Online Services Directory Synchronization tool before you can run a staged migration. After mailboxes are migrated to Exchange Online, user accounts are still managed in your on-premises organization and the Directory Synchronization tool synchronizes your on-premises Active Directory with your Office 365 organization.
2.2 How to migrate:
To migrate users to Office 365, prepare a CSV file containing the mailboxes to be migrated; this CSV file is used later in the migration process. Use Notepad to create the file in the format shown below, then save it with a .csv extension (in this example we named the file “Mig_User.csv”). The first row is a header row containing EmailAddress; below it you can add as many addresses as you need, one e-mail address per row:
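A single malformed row fails the batch upload, so it pays to validate the file first. The following PowerShell script is an added example, not code from the original article or from Microsoft. It checks the header, that each row holds one well-formed address, that the address is on a domain you verified in the portal, and that no address appears twice. The verified-domain list is an assumption, and the sample file it writes to the temp folder is constructed here to show the warnings; point $CsvPath at your real Mig_User.csv to check that instead.

```powershell
# Added example (not part of the original article): validates a staged-migration CSV
# before it is uploaded to the migration wizard.
$VerifiedDomains = @('mydomain.com')                          # assumption: the domains you verified
$CsvPath = Join-Path $env:TEMP 'Mig_User.sample.csv'          # replace with .\Mig_User.csv for the real file

function Test-MigrationCsv {
    param([string]$Path, [string[]]$Domains)
    $problems = @()
    $lines = @(Get-Content -Path $Path | Where-Object { $_.Trim() -ne '' })
    if ($lines.Count -eq 0) { return @('file is empty') }
    # The batch requires a header row; EmailAddress is the one mandatory column
    $header = @($lines[0].Split(',') | ForEach-Object { $_.Trim() })
    if ($header[0] -ne 'EmailAddress') { $problems += "first column header must be EmailAddress, found '$($header[0])'" }
    $seen = @{}
    for ($i = 1; $i -lt $lines.Count; $i++) {
        $row = $i + 1
        $fields = @($lines[$i].Split(',') | ForEach-Object { $_.Trim() })
        $addr = $fields[0]
        if ($fields.Count -ne $header.Count) { $problems += "row ${row}: expected $($header.Count) column(s), found $($fields.Count)" }
        if ($addr -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') { $problems += "row ${row}: '$addr' is not a single well-formed address"; continue }
        $domain = $addr.Split('@')[1]
        if ($Domains -notcontains $domain) { $problems += "row ${row}: domain '$domain' is not in the list of verified domains" }
        $key = $addr.ToLower()
        if ($seen.ContainsKey($key)) { $problems += "row ${row}: '$addr' is listed twice" }
        $seen[$key] = $true
    }
    return $problems
}

# Constructed sample input: rows 4, 5 and 6 are deliberately wrong
@'
EmailAddress
first.user@mydomain.com
second.user@mydomain.com
second.user@MyDomain.com
third user@mydomain.com
fourth.user@mydomain.onmicrosoft.com
'@ | Set-Content -Path $CsvPath

$issues = @(Test-MigrationCsv -Path $CsvPath -Domains $VerifiedDomains)
if ($issues.Count -eq 0) {
    "$CsvPath is ready for the migration batch"
} else {
    $issues | ForEach-Object { Write-Warning $_ }
}
```

The batch CSV also accepts an optional Password column. If you use it, the file holds clear-text passwords, so keep it off shared drives and delete it as soon as the batch has been created; with password sync enabled, as in this article, you do not need that column at all.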
Now go to the Office 365 portal and at the bottom of the Admin page click Exchange. When the Exchange admin center appears, from the Recipients section of the left pane choose Migration as shown below:
From the migration types, choose Staged migration and click Next:
In the New migration wizard click Change, choose the CSV file created in the first step, then click Next:
Now provide the credentials of a domain admin in your local AD and click Next. The migration service stores these credentials for the life of the batch, so use a dedicated account created for the migration and disable it or reset its password once all batches are complete:
Fill in the required information based on your environment and click Next:
Provide a name for the migration batch and click Next:
Provide an e-mail address to receive the migration status report and click New:
Important note: the migration starts a moment later. At this stage you must tell the users included in the migration batch to use the Office 365 portal to access their e-mail until the migration finishes.
Once the migration status shows Synced (not Syncing), you must convert the mailboxes to mail-enabled users on the local Exchange server:
First of all, two scripts provided by Microsoft, Exchange2003MBtoMEU.vbs and ExportO365UserInfo.ps1, must be downloaded onto the Exchange server from this link: https://community.office365.com/en-us/w/exchange/834.convert-exchange-2003-mailboxes-to-mail-enabled-users-after-a-staged-exchange-migration
Note: put the two scripts and the CSV file created earlier in the same folder.
- Run ExportO365UserInfo.ps1 against your cloud organization using PowerShell, with the migration batch’s CSV file as the input file. The script creates a CSV file named Cloud.csv:
.\ExportO365UserInfo.ps1 <CSV input file>
It then connects to Office 365 as shown below:
- Copy Exchange2003MBtoMEU.vbs and Cloud.csv to the same directory in your on-premises organization.
- In your on-premises organization, run the following command:
cscript Exchange2003MBtoMEU.vbs -c .\Cloud.csv <FQDN of on-premises domain controller>
For example:
cscript Exchange2003MBtoMEU.vbs -c .\Cloud.csv email.kudu.com.sa
Note: Cloud.csv is created automatically when you run the first script.
After the mailboxes are converted successfully, you must recreate the Outlook profile, and the user can then use Outlook.
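Before you tell users to rebuild their Outlook profiles, confirm that the conversion actually landed in Active Directory: a converted object has no homeMDB any more and carries a targetAddress on the tenant’s onmicrosoft.com domain, which is what makes Outlook and on-premises mail flow hand over to the cloud mailbox. The following PowerShell script is an added example, not code from the original article or from Microsoft. It reads the batch file Mig_User.csv from the current folder (an assumption, matching the article’s example) and reports the state of each address.

```powershell
# Added example (not part of the original article): checks each address in the batch
# CSV after Exchange2003MBtoMEU.vbs has run and reports whether the on-premises object
# is now a mail-enabled user forwarding to the cloud mailbox.
$BatchCsv = '.\Mig_User.csv'   # assumption: the batch file used for the migration

function Get-AdUserByMail {
    param([string]$Address)
    # proxyAddresses values look like "SMTP:user@domain"; LDAP matching on this attribute ignores case
    $searcher = [adsisearcher]"(&(objectCategory=person)(objectClass=user)(proxyAddresses=smtp:$Address))"
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'homeMDB', 'targetAddress'))
    return $searcher.FindOne()
}

function Test-ConvertedToMailEnabledUser {
    param([string]$Address)
    $r = Get-AdUserByMail -Address $Address
    if (-not $r) { return New-Object PSObject -Property @{ Address = $Address; State = 'not found in AD'; TargetAddress = '' } }
    $p = $r.Properties
    $hasMailbox = $p.Contains('homemdb')                         # still a mailbox-enabled user if present
    $target = $(if ($p.Contains('targetaddress')) { [string]$p['targetaddress'][0] } else { '' })
    $state = $(if (-not $hasMailbox -and $target -match '@.*\.onmicrosoft\.com$') { 'converted, forwards to cloud mailbox' }
               elseif (-not $hasMailbox) { 'mail-enabled, but targetAddress is not a cloud address' }
               elseif ($target) { 'still a mailbox; forwarding is set but the conversion script has not run' }
               else { 'still a mailbox; not migrated' })
    New-Object PSObject -Property @{ Address = $Address; State = $state; TargetAddress = $target }
}

Import-Csv -Path $BatchCsv |
    ForEach-Object { Test-ConvertedToMailEnabledUser -Address $_.EmailAddress } |
    Format-Table Address, State, TargetAddress -AutoSize
```

Anything other than “converted, forwards to cloud mailbox” means the user will keep landing on the old on-premises mailbox when the Outlook profile is recreated; rerun the conversion for those addresses before moving on to licensing.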
Also note that there is a grace period of 30 days during which the migrated user can work with the Office 365 mailbox without a license; before it ends you must assign a license to each migrated user to avoid an interruption of service. To assign a license, follow this article: https://support.office.com/en-au/article/Assign-or-unassign-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-AU&ad=AU
Also keep in mind that creating the CSV file, starting the migration batch, converting the mailboxes to mail-enabled users and assigning licenses must be repeated for each user or batch of users you migrate.
After all mailboxes are migrated to Office 365 you can uninstall the Exchange server, but before that you must create all the required DNS records listed in the Office 365 portal.
To see these records, go to the Admin page in the Office 365 portal, then Domains, and click Manage on your domain, or follow this article:
Then you can safely remove your Exchange server after taking a full backup 🙂
Also you can follow my previous article to learn how to manage Exchange online 🙂
Stay Tuned 🙂
Ahmad Yasin is a Microsoft Cloud Engineer and the publisher of the AzureDummies blog. He also holds many certificates in Office 365 and Windows Azure, including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA Office 365.