Part One – So You Want To Migrate Your Linked Mailboxes!

Australia | Part One - So You Want To Migrate Your Linked Mailboxes!

Over the last few months, a number of clients have asked me for help migrating their on-premises Exchange based mailboxes to Exchange Online. “So what?” you say, this happens thousands of times every day across the world. Well, the interesting thing about these clients was that their messaging environments were effectively a resource forest model. I say “effectively” because all the clients had implemented this model in slightly different ways.

Over a series of blogs, I’ll be outlining some similar scenarios you may come across, some gotchas and some recommendations on how best to migrate mailboxes to Office 365 with, hopefully, as few issues as possible.

The Scenario

So, what is a resource forest model when I talk about Exchange? In a nutshell, a resource forest model means  the user accounts exist in an “account” forest, while the Exchange organisation and resources all exist in a separate, trusted, “resource” forest.

Now, when we say that user accounts exist in the account forest, what we really mean is that the enabled user accounts exist in the account forest. Because an Exchange mailbox also requires a corresponding user account in the same forest, each user with a mailbox will also have an account in the resource forest. The mailboxes which exist in the resource forest are called “Linked” mailboxes, as they are configured to allow access from the user account in the account forest.

How organisations provision these accounts varies. Some organisations use Microsoft Identity Manager, some use third-party identity tools, others have created scripts, and some do this manually as part of their user creation process. The diagram below from Microsoft outlines the process.

Figure 1: Account Provisioning (Image: Microsoft)

The process of configuring the mailbox as a linked mailbox also disables the account in the resource forest if it isn’t already disabled. So, what happens if the user needs the account enabled in the resource forest to access other resources? Glad you asked. This scenario will still work, but when a user connects to their mailbox, they will need to use the credentials from the resource forest, which means they will need to keep track of two sets of credentials. For this reason, I would recommend doing everything you can to avoid this scenario. Unless you’re using Microsoft Identity Manager’s password management features or similar functionality in third-party identity tools, you

Let’s Migrate!

So now we know what the environment looks like, let’s dive into how to migrate mailboxes from on-premises Exchange to Exchange Online when you have a resource forest model in place.

A hybrid Exchange deployment provides organisations with the best user experience when migrating mailboxes to Exchange Online (EXO), and it’s no different for organisations using a resource forest model. Because the hybrid deployment process is so well documented by Microsoft and others, I won’t go into detail on how to do it (you can start with the Exchange Deployment Assistant found at https://assistants.microsoft.com/). What I will do is outline the settings and steps which are particularly relevant to a resource forest scenario.

The first thing we need to do is install AAD Connect in the account forest using the custom installation option. The prerequisites for AAD Connect (see here) are the same in our scenario as for any other AAD deployment, so, again, I won’t discuss those here.

During the AAD Connect installation process, you will be asked to connect to your on-premises AD directories. As you are installing AAD Connect in the account forest, this forest will be the first one added. Once you’ve added the account forest, you then add the resource forest.

Figure 2: Connect AD forests (Image: Microsoft)

The next step is to choose what on-premises attribute should be used as the Azure AD username. If at all possible, you should retain the default option to use the userPrincipalName attribute.

Figure 3: Azure AD username (Image: Microsoft)

Once you’ve configured any domain or OU filtering you would like to implement, you are then asked how you uniquely identify your users across your on-premises directories. By default, AAD Connect assumes your users are present only once across the multiple forests you choose to sync. In our scenario, we have our users present in both the resource forest and the account forest, so we need to select the second option (User identities exist across multiple directories).

Figure 4: Identifying multiple users (Image: Microsoft)

From here you will need to choose the attribute that users in multiple forests are matched on. There are a number of options presented here for you to choose from. If your organisation has a true Exchange resource forest configuration, then you should choose the ObjectSID and msExchMasterAccountSID option. This is because the ObjectSID attribute value from the object in the account forest is copied to the msExchMasterAccountSID attribute of the object in the resource forest when the mailbox is configured as a Linked mailbox. When AAD Connect performs the initial sync, it identifies that these two attributes match and sees them as the same user, merging the attributes so only a single account is created in Office 365.

I recently worked with a client who had a mixture of linked and non-linked mailboxes, so in this case, we couldn’t match users on the ObjectSID and msExchMasterAccountSID attributes. Instead, we chose to match users using the SamAccountName and MailNickName attributes. In most scenarios, user objects in each forest will have the same value for these attributes, so matching accounts on these attributes is the next best option. If this is not the case in your environment, you will need to select another attribute to match your users on. You will also need a process in place to populate this attribute correctly across the AD objects in the two forests.
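Before running the first sync, it is worth checking that every mailbox user in the resource forest actually can be matched on whichever attribute pair you pick, because any user that does not match is created as a second, separate object in Azure AD. The PowerShell script below is an added example (not code from the original post or from Microsoft) that produces that report for both options discussed above: ObjectSID/msExchMasterAccountSID for a true linked-mailbox forest, or sAMAccountName plus mailNickname for a mixed environment. It also flags resource-forest accounts that are still enabled, which is the two-sets-of-credentials situation described earlier. The domain controller names, the search base and the report path are hypothetical; the script assumes the RSAT ActiveDirectory module is installed and that the account running it can read both forests across the trust.

```powershell
#Requires -Modules ActiveDirectory
<#
 Added example, not from the original post. Reports whether each mailbox user in the
 resource forest can be matched to an account-forest user the way AAD Connect will match
 them: on ObjectSID/msExchMasterAccountSID (linked mailboxes) or on
 sAMAccountName + mailNickname (mixed linked/non-linked environments).
 Assumptions (hypothetical values): the DC names and search base below, the RSAT
 ActiveDirectory module is installed, and the caller can read both forests over the trust.
#>
[CmdletBinding()]
param(
    [string]$AccountForestDC    = 'dc01.account.example',
    [string]$ResourceForestDC   = 'dc01.resource.example',
    [string]$ResourceSearchBase = 'OU=Users,DC=resource,DC=example',
    [ValidateSet('SID', 'SamAccountName')]
    [string]$MatchOn = 'SID',
    [string]$ReportPath = '.\aadc-match-report.csv'
)

function ConvertTo-Sid {
    # msExchMasterAccountSID may come back as a SecurityIdentifier or as raw SID bytes
    param($Value)
    if ($null -eq $Value) { return $null }
    if ($Value -is [System.Security.Principal.SecurityIdentifier]) { return $Value }
    if ($Value -is [byte[]]) { return New-Object System.Security.Principal.SecurityIdentifier($Value, 0) }
    return New-Object System.Security.Principal.SecurityIdentifier([string]$Value)
}

# Mailbox-enabled users in the resource forest (homeMDB is populated once a mailbox exists)
$resourceUsers = Get-ADUser -Server $ResourceForestDC -SearchBase $ResourceSearchBase `
    -LDAPFilter '(&(objectCategory=person)(objectClass=user)(homeMDB=*))' `
    -Properties msExchMasterAccountSID, mailNickname

# Index the account forest once, keyed on the attribute we will match on
$accountIndex = @{}
Get-ADUser -Server $AccountForestDC -Filter * -Properties mailNickname | ForEach-Object {
    $key = if ($MatchOn -eq 'SID') { $_.SID.Value } else { $_.SamAccountName.ToLowerInvariant() }
    $accountIndex[$key] = $_
}

$report = foreach ($r in $resourceUsers) {
    $masterSid = ConvertTo-Sid $r.msExchMasterAccountSID
    $key = if ($MatchOn -eq 'SID') {
        if ($masterSid) { $masterSid.Value } else { $null }
    } else {
        $r.SamAccountName.ToLowerInvariant()
    }
    $match = if ($key -and $accountIndex.ContainsKey($key)) { $accountIndex[$key] } else { $null }

    $status = if ($MatchOn -eq 'SID' -and -not $masterSid) {
        'NotLinked'              # no master SID, so SID matching cannot work for this user
    } elseif ($masterSid -and $masterSid.Value -eq 'S-1-5-10') {
        'SelfSid'                # S-1-5-10 (SELF): shared/resource mailbox with no linked user
    } elseif (-not $match) {
        'NoMatch'                # would become a second, unmerged object in Azure AD
    } elseif ($MatchOn -eq 'SamAccountName' -and $r.mailNickname -ne $match.mailNickname) {
        'MailNickNameMismatch'   # both attributes must agree for that matching option
    } elseif ($r.Enabled) {
        'MatchedResourceAccountEnabled'  # works, but the user will be prompted for resource-forest credentials
    } else {
        'Matched'
    }

    [pscustomobject]@{
        ResourceSamAccountName = $r.SamAccountName
        ResourceEnabled        = $r.Enabled
        MasterAccountSid       = if ($masterSid) { $masterSid.Value } else { '' }
        AccountForestUser      = if ($match) { $match.UserPrincipalName } else { '' }
        Status                 = $status
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
```

Run it with `-MatchOn SID` for a pure linked-mailbox forest and `-MatchOn SamAccountName` for the mixed case; every row that is not `Matched` is something to fix in AD (or a mailbox to consciously exclude via OU filtering) before AAD Connect creates the Office 365 objects, since merging two already-synced objects afterwards is far more painful than correcting the attributes up front.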

The remaining AAD Connect install options can be chosen to suit your particular environment, but just make sure you are syncing the OUs which contain the users, groups, and contacts you require to be present in Office 365.

In the next blog, I’ll look at two issues you may encounter when you start syncing your users to AAD, and how to resolve them.
