AD Connect (DirSync) after Cutover migration

While using a cutover migration, it mentioned that I could not use, or need to disable/deactivate, DirSync, but I just have a question: can I use DirSync after that?

Suppose I need to do the migration using cutover and complete the migration batch from the current hosting provider, and then I deploy the AD Connect server/tool on-premise to sync the AD identities with password sync to Office 365?

Will I be able to perform it in that manner? Will all the accounts match with the email address in Office 365?

 
Last updated August 10, 2018

Hi, that is correct.

Office 365 won't allow a cutover migration in tenants that already have directory synchronization in place.

When using cutover migration, Office 365 would enumerate all on-premise mailboxes and create equivalent ones on Exchange Online (this step is called "provisioning").

Once you complete your migration, you may run a full sync in order to "connect" your users to your on-prem AD, match user attributes and passwords.

I usually recommend:

1. Start the cutover migration batch.

2. Install and configure AD Connect - DO NOT start sync and make sure to disable the scheduled task.

(This would allow you a quick sync once the migration is completed.)

3. Complete the migration.

4. Run a full sync and enable the scheduled task to sync deltas in a preset interval.

Maor


Thanks Maor. Just to inform you here that we are NOT going to use ADFS, so there won't be any issues, or do I need to convert the on-premise mailboxes to mail-enabled users (MEU)? Is that necessary?

Hi again,

Using AD-FS (or not) does not make any difference in a cutover migration, apart from the obvious requirement of installing and configuring the AD-FS servers and federation.

The thing that you would need to keep in mind is when using AD-FS there's no need to sync passwords, so you can leave that check-box unchecked when configuring AD Connect.

You can find more information here:

technet.microsoft.com/.../jj874016(v=exchg.150).aspx

This TechNet article should prove useful, even though it lacks some information (for instance how to prepare for a cutover migration involving DirSync\AD-Connect).

In your case, if you're planning to use a DirSync\AD-Connect server to sync and manage users from your on-premise AD, then yes, you would have to convert your mailboxes to mail-enabled users.

Make sure to maintain all existing email addresses, including X500s, in order to prevent NDRs and allow a good user experience for your organization.

Regards,

Maor Bracha


Hi Amitbahl4589,

Do you still have any questions? If yes, please let us know.

Generally, if you want to deploy DirSync after a Cutover migration, you need to complete the Cutover migration first, and then you can deploy DirSync. Before you implement DirSync, please convert on-premises mailboxes to mail-enabled users. For more detailed information, please see the article below:
community.office365.com/.../835.cutover-exchange-migration-and-single-sign-on

Thanks,
Edward


Hello Edward & Maor, just a small doubt: as you mentioned, if before cutover migration we deploy a DirSync/AD Connect server then ONLY we need to convert on-premise mailboxes to mail-enabled users, otherwise NOT, correct?

Apart from this, a few doubts, if you can help me with them:

1. What investment is required to deploy AD Connect, like additional AD licensing etc.?

2. Where is the best recommended location to deploy it (on-premises/cloud)?

3. What if we deploy the AD Connect server and something goes wrong during sync: will that affect end users? If yes, what would be the impact?

4. How long do users need to maintain two sets of credentials by the time the AD Connect server is deployed?


Hi Amitbahl4589,

The following are the suggested steps to enable DirSync after a Cutover migration:
1. Perform a Cutover migration.
2. Convert on-premises mailboxes to mail-enabled users.
3. Install the AAD Connect tool and configure AAD Connect.
Note: If you enabled DirSync service in the Office 365 Admin Center, you will not perform a Cutover migration.

Q1: What investment is required to deploy AD Connect, like additional AD licensing etc.?
A1: If you want to deploy AAD Connect, a Windows Server 2008 or Windows Server 2012 is required. No AD licensing is required.

Q2: Where is the best recommended location to deploy it (on-premises/cloud)?
A2: Both are OK.

Q3: What if we deploy the AD Connect server and something goes wrong during sync: will that affect end users? If yes, what would be the impact?
A3: There is no impact on Office 365 since user authentication is performed by Office 365. This is different from single sign-on, where the users are authenticated by the local AD. The only impact is that new users or password changes cannot be synced to Office 365.

Q4: How long do users need to maintain two sets of credentials by the time the AD Connect server is deployed?
A4: If you deployed AAD Connect with password sync, users need to maintain the local credentials. The password policy will depend on the local policy.

Thanks,
Edward


Thanks Edward. Just wanted to ask about step 2 (convert on-premises mailboxes to mail-enabled users): is this really required? I ask because if we have a hosted Exchange server (in a hosted environment), then we do not have control over it, so I am thinking from that perspective.

What if we don't convert (on-premises mailboxes to mail-enabled users)?

Hi Amitbahl4589,

Converting on-premises mailboxes to mail-enabled users is required. When you convert on-premises mailboxes to mail-enabled users (MEUs), the proxy addresses and other information from the Office 365 mailboxes are copied to the MEUs, which reside in Active Directory in your on-premises organization. These MEU properties enable the Directory Synchronization tool, which you activate and install in step 3, to match each MEU with its corresponding cloud mailbox.

Thanks,
Edward
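
The matching described in the reply above can be checked before the first sync runs. The following PowerShell is an added example, not part of the original thread or of Microsoft's tooling: it assumes matching is done on the primary SMTP address (the upper-case `SMTP:` entry in `proxyAddresses`), and the CSV data, column names and function names are constructed for illustration.

```powershell
# Constructed sample: on-premises AD export (proxyAddresses joined with ';').
$onPremCsv = @'
SamAccountName,ProxyAddresses
alice,SMTP:alice@contoso.example;smtp:a.smith@contoso.example;X500:/o=Org/cn=Recipients/cn=alice
bob,smtp:bob@contoso.example
carol,SMTP:carol@contoso.example
dave,SMTP:carol@contoso.example
'@
# Constructed sample: cloud mailboxes provisioned by the cutover batch.
$cloudCsv = @'
DisplayName,PrimarySmtpAddress
Alice Smith,alice@contoso.example
Bob Jones,bob@contoso.example
Carol White,carol@contoso.example
Erin Black,erin@contoso.example
'@

function Get-PrimarySmtp {            # hypothetical helper
    param([string]$ProxyAddresses)
    foreach ($p in ($ProxyAddresses -split ';')) {
        # -cmatch is case-sensitive: only the upper-case SMTP: entry is primary
        if ($p -cmatch '^SMTP:(.+)$') { return $Matches[1].ToLowerInvariant() }
    }
}

function Test-SoftMatchReadiness {    # hypothetical helper
    param($OnPremUsers, $CloudMailboxes)
    $index = @{}                      # primary SMTP -> on-prem account names
    foreach ($u in $OnPremUsers) {
        $primary = Get-PrimarySmtp $u.ProxyAddresses
        if (-not $primary) { continue }
        if (-not $index.ContainsKey($primary)) { $index[$primary] = @() }
        $index[$primary] += $u.SamAccountName
    }
    foreach ($m in $CloudMailboxes) {
        $key  = $m.PrimarySmtpAddress.ToLowerInvariant()
        $hits = @()
        if ($index.ContainsKey($key)) { $hits = @($index[$key]) }
        $status = switch ($hits.Count) {
            0       { 'NoOnPremMatch' }     # no MEU carries this primary address
            1       { 'Match' }
            default { 'DuplicateOnPrem' }   # more than one account claims it
        }
        [pscustomobject]@{ Mailbox = $key; Status = $status; OnPrem = ($hits -join ',') }
    }
}

Test-SoftMatchReadiness -OnPremUsers ($onPremCsv | ConvertFrom-Csv) `
    -CloudMailboxes ($cloudCsv | ConvertFrom-Csv) | Format-Table -AutoSize
```

In the constructed data, bob is reported as `NoOnPremMatch` because his only address is a secondary `smtp:` entry, and carol as `DuplicateOnPrem` because two accounts carry her primary address; both are worth resolving before the first full sync.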


Hi Amitbahl4589,

Do you still need assistance?

Regards,
Edward


Hello Edward, I was reading about converting and got to know that if you use Exchange remote mailbox move, it will convert the source mailbox to a mail user after a successful move. So does it mean that when we create a batch and the initial sync is performed, the mail-enabled user will be created?