Cross-forest migration from Office 365 to Exchange 2010/2013/2016/2019
I. Pre-migration activities
Below you will find a list of key points to be considered:
Step 1: Prepare a clean target Exchange environment in a new Active Directory forest
The following points need to be revised:
Step 2: Prepare domain accounts on the target server
- Create appropriate mailbox-enabled accounts manually in the target forest.
- During the mailboxes matching step, you can also set the program to create the mailboxes and the corresponding users automatically.
If you choose either to manually create the mailboxes or allow the program to prepare them for you, be advised that the account data (such as permissions) will not be migrated. However, if you set the program to automatically create a new mailbox-enabled user in the target environment, there is an option to copy main AD attributes from the source user account. Learn more
Step 3: Make sure that the admin account used to connect to the source Office 365 tenant has the necessary roles assigned and that it has its mailbox configured correctly
- Check if the source admin account has the following management roles assigned:
- View-Only Configuration
- View-Only Recipients
If these roles are missing, you can either assign them manually, following the steps described in this KB article or let the program assign them for you during the Configuration step of the Source server connection wizard.
- Ensure that this account is mailbox-enabled.
Step 4: (Recommended) Set your Office 365 admin account's primary email address to use the initial *.onmicrosoft.com domain
You should set the *.onmicrosoft.com (or *.onmicrosoft.de in case of Office 365 Germany) domain to be used as the primary email address of the admin account that will be used to connect to your source Office 365 tenant. We recommend doing so as, otherwise, you will encounter problems if you change the tenant's domain name during the migration.
To change your primary email address in Office 365, perform the following actions:
- Log in to the target Office 365 tenant.
- Go to Microsoft 365 admin center (Office 365 admin center).
- Choose Users > Active users from the menu on the left.
- Select the admin account that will be used in CodeTwo software to connect to that tenant.
- In the window that opens, click Edit in the in the User name / Email row.
- Click Set as primary next to the alias in the *onmicrosoft.com / *onmicrosoft.de domain.
- Click Save to apply the changes.
Step 5: Verify the configuration and rights of the admin account that will be used to connect to the target Exchange server
Make sure that the target admin account is assigned the necessary management roles and that this account is mailbox-enabled.
Verify the following:
- Check if the target admin account has the following roles assigned:
- View-Only Recipients
- View-Only Configuration
- Public Folders*
- Mail Recipient Creation*
- Mail Recipients*
Please note that the Public Folders role is only required if you plan to migrate public folders. Moreover, the Mail Recipient Creation and Mail Recipients roles are required to create new users and mailboxes. Therefore, it's not required to assign them to the admin account if you are migrating data to the mailboxes that already exist on the target server.
- check which roles are assigned to a specific user. To do that, run the Exchange Management Shell on the target server and enter the following cmdlet: Get-ManagementRoleAssignment -RoleAssignee “UserName”, where instead of UserName you need to enter a valid Name or Alias of your mailbox-enabled AD user; or
- check which users are assigned a specific role. To do that, run the Exchange Management Shell on the target server and enter the following cmdlet: Get-ManagementRoleAssignment –Role “RoleName”, where instead of RoleName you need to enter a specific role, e.g. ApplicationImpersonation.
- Access to the target server's EWS service using IP or Domain Name, e.g. https://[Exchange_IP]/EWS/Exchange.asmx or https://[Exchange_Name]/EWS/Exchange.asmx
- If a client connects to EWS from the outside of the local network he needs to have the external EWS URL correctly configured:
- Open the Exchange Management Shell on the target server and check if the ExternalUrl is defined: Get-WebServicesVirtualDirectory | fl
- If there's no address in the ExternalUrl line it needs to be defined. Execute the following script: Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExternalUrl https://[Target server's internet name]/EWS/Exchange.asmx
Step 6: Adjust the EWS throttling settings and change the maximum size limit of sent mail to decrease the time of migration processing
Step 7: Install and activate CodeTwo Exchange Migration
You can install CodeTwo Exchange Migration on any machine with a connection to both the source and the target Exchange Server environment. However, we recommend that you install the software and required components on the target server to maximize the upload speed.
The following additional components will also be installed, as they are required for CodeTwo Exchange Migration to run properly:
- Microsoft Online Services Sign-In Assistant (required on all systems)
- Windows Azure Active Directory Module for Windows PowerShell Office 365 (required on all systems, more information here)
- .NET 4.0 (required on any system, might be already installed)
- PowerShell 2.0 (or higher, must be installed on Windows Server 2008)
- Download Windows Management Framework Core (WinRM 2.0 and Windows PowerShell 2.0) Windows Server 2008.
- Newer Windows releases (Windows 7 or higher, Windows Server 2008 R2 or higher) already have PowerShell 2.0 (or higher) built-in.
- Small Business Server 2008 (SBS2008) users might stumble upon a problem with installing PowerShell. See our Knowledge Base article on that.
The installation wizard will guide you through the whole installation process. After the installation is finished, remember to activate the program.
II. Migration process
Step 1: Connect to the source server
Make sure that the software user who runs the migration is a local administrator.
When you start the program, you will see the Dashboard tab. Click Create a new migration job link on the How to start card. Select the source server type: Office 365. The Create Office 365 migration job wizard will open. Set the name of the job and click Next to proceed to the Source mailboxes step. If this is your first migration job, you will need to configure a connection to the Office 365 tenant that will be used as the source of your migration. Click Add new source connection in the Source server drop-down menu and a wizard will open. You need to complete three steps:
- Office 365 cloud – choose between connecting to Office 365 global and Office 365 Germany.
- Admin account – provide the email address and password for an Office 365 account. If this account has multi-factor authentication enabled, enter the app password instead (learn more).
- Configuration – this process configures your Office 365 connection and checks whether the account provided in the previous step has the necessary roles assigned. If not, the program will attempt to assign them automatically. In such a case, you might be asked to provide the credentials of another account that is assigned the Global administrator role. This account will not be used to connect to the Office 365 tenant, but only to assign the missing roles.
If the configuration is successful, click Finish.
If any errors appear, see Troubleshooting
Step 2: Select mailboxes you want to migrate and define target connection
After successfully configuring the source connection, you will get back to the migration job wizard.
The Source mailboxes step now allows you to include or exclude mailboxes by using multiple filters. You can, for example, include all users' mailboxes from a particular Organizational Unit or Active Directory group. By default, the program includes all users along with the Public Folders, because it is a most common scenario. Choose the mailboxes you want to migrate and proceed to the next step (Target mailboxes).
Now, set up a new target server connection by choosing Add new target connection from the Target server drop-down menu. A simple wizard will open.
- In the Server connection step, choose either Autodiscover Exchange Server (default option) to automatically find the proper target server or configure the connection manually.
If you decided to configure the target connection manually, be aware that using an IP address will make granting impersonation rights and creating mailboxes impossible unless you configure PowerShell Virtual Directory in IIS to allow basic authentication.
- Admin account – provide a valid UPN and password of the account that will access the target server (remember that the admin account must fulfill the requirements specified in I Pre-migration activities, Step 4). Click Next to move on to the Configuration step.
- Configuration – this process configures the target Exchange server connection and checks whether the account provided in the previous step has the necessary roles assigned. If not, the program will attempt to assign them automatically. In such a case, you might be asked to provide the credentials of another account that belongs to the Organization Management role group. This account will not be used to connect to the target server, but only to assign the missing roles.
Once the configuration ends successfully, you will see green check marks. If any errors appear, see Troubleshooting.
After your connection is established, click Finish and proceed to the next step (Match mailboxes).
Step 3: Match source and target mailboxes
Matching the source mailboxes with the target mailboxes can be done automatically, by using the built-in automatch feature, or manually. We suggest that you start off by matching mailboxes automatically and modify the automatch settings if not all the mailboxes were matched in the first run. Use the manual option only if there are any mailboxes left unmatched after several automatch runs with a different configuration of the automatch mechanism.
To match mailboxes automatically, select those mailboxes that you want to match and click the Match mailboxes button. In the window that opens, click the Automatch button. Configure the automatching mechanism and click Automatch to start the matching process. If not all the mailboxes were matched, modify the automatch mechanism and run it again. Repeat this as many times as necessary.
If any source mailbox is left unmatched despite several attempts to match it automatically with different automatch settings, match it manually.
Note that you can set the program to create target users and mailboxes on your Exchange server, whether you’re matching mailboxes manually or automatically. Learn more
When you have matched all your mailboxes, save your configuration and close the matching window. Continue with the migration job wizard. The next steps will allow you to configure additional options.
Step 5: Start the migration
Review your migration job in the Job summary step. Click Finish to close the wizard.
Move on to the JOBS tab and click Start on the toolbar to begin the migration. Once you start the migration, all items from the source mailboxes will be migrated to their corresponding target mailboxes.
The migration processing time depends on several different factors, e.g. the number of mailboxes and items, the speed of internet connection, EWS throttling settings. See this article for details.
Step 6: Check if the number of items migrated in the target mailboxes matches the number of items in the source server mailboxes
If you notice any missing items in the target mailbox, restart the migration by using the Rescan feature.
Please be aware that the program does not migrate some specific folders at all. Those are e.g. Sync Issues or ones created while putting a mailbox on litigation hold.
If any problems appear during the migration process, they will be visible on the JOBS tab in the Migration status column or on the Job bad news card. Details of the problems can be checked in the diagnostic files.
Step 7: Check if there are any new items in the source mailbox after migration
Once the migration is finished and you have noticed that some new items appeared (in the meantime) in the migrated source mailbox, just restart the migration by using the Rescan feature.
Please keep in mind that the Rescan feature uploads only new items, not the changed ones.
III. Post-migration cleanup
Step 1: Change DNS records (MX, Autodiscover)
You need to change MX records to enable mail flow to new servers. Additionally, you should also set up Autodiscover record to facilitate connecting migrated mailboxes with a mail client (e.g. Outlook). Detailed information on how to do so on Exchange Server 2019 and 2016 can be found in this Microsoft article. Please note that this process may take several hours.
If any new items appear in a source mailbox while the MX records are being changed, it is possible to migrate these items after the records migration process is completed. It can be done by using the Rescan feature.
Step 2: Disconnect the domain from the source tenant
- Log in to your Microsoft 365 admin center (Office 365 admin center).
- Go to Setup > Domains.
- Select the domain you want to disconnect.
- In the window that opens, click Remove. If you are notified of any dependencies regarding the domain you intend to remove, simply confirm that you want to disconnect the domain.
Step 3: Outlook profiles
If your Outlook has problems connecting to the new Exchange server, you need to create a new Outlook profile for each user in your domain. Refer to this Knowledge Base article that explains how to do so.