Domain Cutover

What is a Power365 Domain Cutover?

The Power365 Premium Integration project type includes the “Domain Cutover” or move functionality. After a tenant mailbox and group migration, the next step during a domain consolidation or divestiture project will be to move your registered Office 365 Domain (i.e. Exchange Online Accepted Domain) from one Microsoft Office 365 tenant to another.

Moving a domain from one Office 365 tenant to another is a tedious, multi-step, manually intensive procedure that must be carefully planned and executed at the proper time to ensure a seamless user transition. One of the biggest obstacles during this process is email sent to the domain in transit is not deliverable because it is held until the Domain move is complete. This can cause delays, lost messages and productivity.

The Power365 Domain Cutover is the solution. This powerful feature guides the migration operator through the domain move process, and streamlines many of the steps. It works in conjunction with the Email Rewrite Service (ERS) to maintain deliverability throughout the move. Mail is never held but delivered on-time, ensuring your users never miss that business-critical message.

Figure 1: Power365 Domain Cutover In-Progress (click to view larger)

 

How does Domain Cutover Work?

The Domain Cutover feature is designed to fulfill three major needs when moving an Accepted Domain from one tenant to another. Those are, moving user’s addresses, moving the domain and most importantly, ensure continuity of mail routing during the domain transition.

The Domain Cutover wizard will follow these 6 primary stages. Read through each one before continuing. They provide important details to the process that will help with planning and preparation.

1. Start

During the start of this process Power365 will validate groups and request some input before beginning.

  1. Power365 will validate if any Unified Groups exist using the Domain being moved. If found, these Office365 Groups must be removed before continuing.
  2. Power365 will warn that any Mailbox or Group not migrated cannot be migrated after the Domain Cutover begins.
  3. Choose Replacement Source Domain – When removing a primary address from a source user, it must be replaced with a new domain. Choose the domain to replace the domain being moved. This may impact the user’s UPN, Mail and Proxyaddresses attributes. Note this will remove the source domain name configured for cutover from the source environment.
  4. Select Scope of Users to be Updated – When moving Domains, select the users to have their target proxies updated. This only impacts the target tenant. User Logins (userPrincipalName) are not modified in the target user.

         i. All Users – All matched objects will have their target proxies updated.

         ii. ERS “Day Two” Group Users – Only users in the BT-IntegrationPro-DayTwo group will have their target proxies updated.

         iii. Disabled – Do not update target proxies for any object. This is useful when you want to move the Domain but do not want to carry over any proxy addresses.

2. Enable Relay

During Step 2, the Email Rewrite Service (ERS) Relay servers will be brought online to service the Domain being cutover to the target tenant. This step can take up to 60 minutes before the relays are activated. Don’t worry, Power365 will keep you up to date. Once this step is complete you will be able to move onto Step 3.

3. Redirect MX

During Step 3, the DNS administrator of the Domain being moved will execute an update to their public DNS MX record to direct traffic to the ERS Relay Servers. It can take up to 2 hours before an MX record change is propagated globally. Be sure to keep your TTL low during the transition.

After this step is complete, all inbound mail from the Internet for the domain being moved will be routed to the Power365 ERS relays that were setup during step 2. Mail will be delivered to the target user’s mailbox until step 5 is complete.

The Project Administrator may elect to skip redirection to the ERS relays but instead choose to queue mail using their own systems. This is also acceptable. Power365 will continue with the remainder of the Domain Cutover process. Binary Tree is not responsible for any mail flow if by-passing ERS is elected.

Important Note to Administrators: If you are using a 3rd party email provider or relay system to receive all Internet mail before directing traffic to the Power365, it is recommended that you contact Binary Tree Support with a list of IPs to have them whitelisted during the Domain Cutover process to avoid any mail delivery delays.

4. Move Domain

During Step 4, Power365 will do most of the heavy lifting. This step is the most complicated, lengthy and error prone depending on the size and complexity of the environment. The following actions will take place during this step. User status will begin to update during this step. The Power365 Project administrator will also receive notifications if the Domain Cutover fails during these activities and when it complete.

  1. Read email addresses in source AD and tenant
  2. Remove email alias addresses (Proxyaddresses) from the source AD and tenant
  3. Replace Primary address from the source AD and tenant
  4. Replace User Login (userPrincipalName) from the source AD and tenant
  5. Remove domain from source tenant
  6. Add domain to target tenant
  7. Administrator must verify domain in target (This is a manual step executed by the Tenant Administrator within the Office 365 Admin Portal or using the Powershell Confirm-MsolDomain cmdlet.)
  8. Add email addresses in target (The target UPN is not modified)

5. Restore MX

During Step 5, the DNS administrator of the Domain being moved will execute an update to their public DNS MX record to direct traffic to the Exchange Online Protection (EOP) (e.g. contoso-com.mail.protection.outlook.como) or another relay service.

After this step is complete, all inbound mail from the Internet for the domain being moved will be routed to the new destination tenant. Power365 ERS relays will no longer be used.

6. Complete

During this final step of the Power365 Domain Cutover please allow up to 48 hours for the Cutover Domain wizard to deprovision the ERS engine and cleanup this domain move; this is to ensure that any outstanding mail items are delivered before the service is shut down. During this time, you may be prevented from making certain changes to this Power365 project.

If you had users located in the “DayTwo” ERS group, you may now remove them from the group. If all Domains have been cutover and ERS is no longer required it is recommended that it be disabled in the Power365 Project. Once ERS is disabled, the associated Transport Rules, Groups and Connectors will be removed in the configured Office 365 tenants. The same is true for the Calendar Sharing configured between the tenants using Power365. If this feature is disabled in the Power365 Project, the associated Organization Relationships setup in each tenant will be removed automatically.

 

What to plan for using Domain Cutover

As each production environment has different operations, standards and policies, be sure to carefully plan your environment’s domain cutover process. While this wizard will assist with specific portions of the domain cutover process, there may be additional reconfiguration necessary to support a successful domain cutover.

 

Updating the Source Environment

During the 4th step of the Domain Cutover process, the source objects (users, groups, contacts) both local and in the cloud, will have their proxyaddresses and UserPrincipalName (users only) updated to replace the Domain being cutover. Therefore, be sure to plan your local Mailbox migrations beforehand and Unified Groups (Office 365 Groups) and Microsoft Teams must be manually remediated to remove the proxy address or the group must be deleted before proceeding.

 

Updating the Target Environment

Once the domain has been moved to destination Office 365 tenant during step 4, the wizard will re-assign their addresses (userPrincipalName is not updated, logins remain unchanged) to users and groups that have been matched by Power365. However, the wizard will not update the following objects in the target environment:

  • Users not Prepared by Power365
  • Distribution Groups not Migrated by Power365
  • Mail-Enabled Public Folders
  • Mail-Enabled Contacts

Please ensure that these object types are remediated with the proper address after the Domain Cutover is complete.

 

Other Considerations during a Domain Cutover

  • Only one domain can be cutover at a time using Power365.
  • Disable the scheduled Discovery jobs in all environments before starting the Domain Cutover.
  • All Users and Groups in P365 must be migrated before Domain Cutover. If not, they cannot be migrated after the Domain Cutover is complete.
  • Any user or group in the source that contains a proxyaddress of the Domain being Cutover will have their status updated in Power365. Their proxyaddresses will be removed in the source to remove the Domain later. These users will not be able to be migrated afterwards.
  • Plan to move or remediate Office 365 Groups (Unified Groups) and Microsoft Teams before the Domain Cutover. Either remove the address associated with the Domain Cutover or delete the group or team.
  • Plan to manually reassign primary or alias addresses to Mail contacts, Public Folders or unmatched users and groups in the Target environment.
  • Plan to migrate local Exchange Mailboxes before the Domain Cutover.
  • Plan to setup the local AD Domains before the Domain Cutover if UPN reassignment is required in the Target environment.
  • Plan to move other configurations related to the domain being cutover such as Exchange Policies, Transport Rules, Connectors, EOP Rules, GPOs, etc.
  • Remove all Skype for Business licenses from the users in the Source tenant using the Skype for Business Admin Portal. This will remove the Skype for Business SIP address connected to the domain.
  • Update your SharePoint Online website address 24 hours before your Domain Cutover.
  • You cannot remove a domain that has subdomains. You must first delete the subdomains before you can remove the parent domain.
  • The Microsoft Online routing domain that's issued by Office 365 (for example, contoso.onmicrosoft.com) cannot be moved or deleted.
  • If using a 3rd party email relay system to receive all Internet mail before directing traffic to the Power365 mail gateways, it is recommended that you contact Binary Tree Support with a list of IPs to have them whitelisted during the Domain Cutover process to avoid any mail delivery delays.

 

Domain Cutover Logging

  • Domain Cutover Logs – At various stages of the Domain Cutover Wizard the Domain Cutover Logs download link will be presented. Click this link to open the current logs. These logs pertain to the activities being driven by the Power365 engine.
  • User Move Logs – During the Domain Cutover the User status will be updated. Double click a user to display their activity logs. Click on the Move log to review the history of the user’s Domain Cutover process.
  • Directory Sync Lite Logs – When the Power365 engine has a job that needs to be executed on the local Active Directory, it gives this job to Power365 Directory Sync Lite. Launch the Directory Sync Lite Console then click the View Logs button to review the actions taken locally.

 

User Status Types during a Domain Cutover

  • Moving – During Step 4 the user’s status will update to the Move state.
  • Moved – When Step 4 is complete for the user, their status will change to the Moved state.
  • Move Error – During Step 4 if at any time a local user or group cannot be remediated, an error will be logged. Open the user Move log to determine why. Remediate the problem and rerun Step 4.

 

What account roles are required for Domain Cutover?

There are two accounts used during the domain cutover process. Each require the Global Administrator role to facilitate the process on your behalf.

  • Application Service Account – Global Administrator Role
  • Binary Tree PowerShell Account – Global Administrator Role

 

If I lowered my application account roles to the minimum, should I raise them before the domain cutover?

If you have your application account roles are set to the minimum requirements, then assign the Global Administrator role before beginning the domain cutover. Otherwise it will fail, and you will be required to restart the process.

 

Is my organization required to modify our MX records?

Power365 does not require you utilize our Email Rewrite Services to route inbound mail to the target mailbox during the Domain Cutover event. The Project Administrator may elect to skip redirection to the ERS relays but instead choose to queue mail using their own systems. This is also acceptable. Power365 will continue with the remainder of the Domain Cutover process. Binary Tree is not responsible for any mail flow if by-passing ERS is elected. The Domain Cutover process will still provision the mail relays for your project, this can take as much as 60 minutes to complete. You will not be able to continue to the next step until this process is complete, please plan accordingly.

 

Are 3rd party email service providers such as Proofpoint or Mimecast supported during a Domain Cutover?

If you choose to have all inbound Internet mail for your domains to be directed to a 3rd party email relay prior to directing the traffic to the Power365 Email Gateways as recommended, you may experience rate controls being applied, causing email delivery delays.

To avoid this situation, bypass your 3rd party provider during the domain cutover event or contact Binary Tree Support with a list of IPs and dates to have the system whitelisted.

 

Additional Information on Domain Migrations