Hello,

I’m in the early planning / testing phase of preparing to migrate our staff from on-prem DCs & Exchange 2013 to MS365 and Exchange Online.

Looking to have a hybrid AD solution in the end so authentication can occur on premise using our DCs, and when off-net they can use AzureAD. I believe the AzureAD Sync Tool will assist with 2-way synchronization so account records are kept up to date.

We have around 100 staff that will be migrated, and we’ll be setting up a domain alias because our on-prem domain was a “.local” domain.

Has anyone gone through this sort of process before? If so, what was your experience like?

Were there any gotchas or major issues that you came across?

After completing your migration, was there something you wish you knew at the beginning that would have saved you time?

Thanks in advance for any feedback.

  • xubu@infosec.pub · 1 upvote · 1 year ago

    Currently in hybrid situation. 65k+ users, two main forests.

    A lot of things.

    - What is your auth strategy? How do you want users to log in? You said you want to use local DC auth, but you have three different ways of doing it: password hash sync, pass-through auth, or federation (typically ADFS). (Don’t do federation though, I really don’t recommend it.)

    - Make sure your users’ user principal names match their email addresses. In most cases when MS asks a user for email for their username, they are asking for their UPN. It’ll be easier on everyone when their UPN and email match.

    - What is your two-factor strategy? If you don’t have one, maybe look at Microsoft’s offering. This may sway your auth strategy slightly.

    - Look at Azure Cloud Sync first before Azure AD Connect. They both perform the same function: synchronizing on-prem objects in AD to AAD. Cloud Sync is where MS wants to go, but it’s not at feature parity with AAD Connect. I’d guess you’d likely end up with AAD Connect.

    - We are currently doing Exchange migrations to Azure now. And it’s going, I guess. It’s not easy, particularly with the sync side of things. I don’t have a lot to say here except I know it’s a massive process for us. I only see parts of it: GPOs, conditional access, adjusting our MDM solutions to work with migrated mailboxes, etc.

    - Use dynamic licensing groups where you can. Makes app onboarding easier.

    I could go on for days. Looking back, I really wish I had banged the drum to do password hash sync. Federating domains into Azure feels pretty bad in a lot of ways and is only helpful in a small subset of others. I expect you’d do seamless SSO too, to make using M365 apps easy.

  • MentallyExhausted@reddthat.com · 0 upvotes · 1 year ago

    If you’ve never done this before, you may want to hire an outside consultant. I’ve done a million of these migrations, and there can be issues, and MS support sucks these days.

    That said, broad overview: first step is installing Azure AD Connect and syncing to your 365 tenant.

    Second step is updating UPN suffixes to match your public domain.

    Third step is installing the Hybrid Wizard on your Exchange server and doing a test migration.
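Both replies above make the same point: the on-prem userPrincipalName should match each user's primary email address (and therefore carry the public, verified domain rather than the ".local" suffix) before Azure AD Connect or Cloud Sync first runs. The script below is an added example, not code from either commenter or from Microsoft, showing how to audit that condition and repair only the clear-cut cases. It assumes the RSAT ActiveDirectory module is installed, that the account running it may write userPrincipalName, and that `contoso.com` and `corp.local` are placeholders for your public domain and your on-prem forest suffix.

```powershell
# Added example (not from the thread): audit and, only when explicitly allowed,
# repair userPrincipalName so each user's UPN equals their primary SMTP address.
# Assumptions: ActiveDirectory module present; 'contoso.com' = your verified M365
# domain (placeholder); 'corp.local' = the on-prem forest suffix (placeholder).

#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$PublicSuffix = 'contoso.com',   # placeholder: your public domain
    [string]$LegacySuffix = 'corp.local',    # placeholder: the .local suffix
    [string]$SearchBase   = (Get-ADDomain).DistinguishedName
)

# 1. The public suffix must be registered on the forest before any UPN can use it.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $PublicSuffix) {
    if ($PSCmdlet.ShouldProcess($forest.Name, "Add UPN suffix $PublicSuffix")) {
        Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $PublicSuffix }
    }
}

# 2. Compare UPN with mail for every enabled user that has a mail attribute.
$users = Get-ADUser -Filter { Enabled -eq $true -and mail -like "*" } `
    -SearchBase $SearchBase -Properties mail, userPrincipalName

$report = foreach ($u in $users) {
    $mail = ([string]$u.mail).ToLowerInvariant()
    $upn  = ([string]$u.userPrincipalName).ToLowerInvariant()
    $mailDomain = $mail.Split('@')[-1]

    # Classify first so the admin sees exactly what would change before any write.
    $status = if ($upn -eq $mail) { 'OK' }
              elseif ($upn.EndsWith("@$LegacySuffix") -and $mailDomain -eq $PublicSuffix) { 'FixSuffix' }
              else { 'ReviewManually' }   # local part differs, or a third domain is involved

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        UPN            = $upn
        Mail           = $mail
        Status         = $status
    }
}

$report | Sort-Object Status | Format-Table -AutoSize

# 3. Only 'FixSuffix' rows are rewritten, and only when not running with -WhatIf.
#    'ReviewManually' rows are left alone: silently renaming those would change
#    the name a user signs in with to something they were never told about.
foreach ($row in $report | Where-Object Status -eq 'FixSuffix') {
    if ($PSCmdlet.ShouldProcess($row.SamAccountName, "Set UPN to $($row.Mail)")) {
        Set-ADUser -Identity $row.SamAccountName -UserPrincipalName $row.Mail
    }
}
```

Run it first as `.\Fix-Upn.ps1 -WhatIf` to get the report with no changes written, then without `-WhatIf` (or with `-Confirm` for per-user prompts) once the 'ReviewManually' rows have been handled by hand. Because the UPN is the name users type into Microsoft sign-in prompts, do the rename before the first directory sync rather than after, as the second reply's step order suggests.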