04-02-2020 05:38 PM - edited 04-03-2020 12:47 PM
This is a strange one I have never come across before, so please assist if you can. At this time I want to better understand what needs to be done to remove the Resource Forest (de-couple it from the account forest) and what pitfalls might be encountered.
Here is the scenario:
1) Customer has a Hybrid setup between the resource forest/account forest, connected to Office 365. Did not use HCW to set up hybrid; set it up manually.
2) Mailboxes have all been migrated from the Resource Forest to Office 365.
3) Has their own tenant, has 2 forests added (to AD Connect), account and resource. Account forest data provides account attributes, resource forest provides Exchange attributes.
4) All mailboxes are in the cloud, Customer also has Skype for Business On-Prem.
Question: Customer wants to remove their resource forest, while continuing to keep their account forest, and wants to be able to "Manage" user objects using an Exchange server in the account forest, and also keep AD Connect.
I am not sure how best to approach this. While I have worked with Resource forests in the past, it's been a while.
I have seen several links that cover this, but nothing explains what's going on, what could go wrong, etc.
@Tony Redmond if you could review the question for me please. I just wanted to get some input on it, not asking you to fix anything. Thanks in advance.
04-03-2020 12:50 PM
@Robert Bollinger I am afraid that I am no help here. It's been a long time since I even looked at a resource forest and I have no test lab to play with that has a resource forest.
04-03-2020 12:53 PM
Ok, thanks for the response. Do you know who might be able to take a look at this and do a quick review? I found several links on this, namely from Jaap W. But as with all things Exchange, things aren't always what they seem.
The reason why I am asking is because this is for a large enterprise business, so I want to get some additional input.
04-03-2020 01:00 PM
@Robert Bollinger Brian Desmond, Michael Van Horenbeeck, Jaap W, Jeff Guillet... all do work with on-premises servers.
04-06-2020 09:40 PM
I worked a little on the issue over the weekend, and set up a new test environment: Exchange 2013, new Office 365 tenant. Set up a standard resource forest/account forest. I have been commenting on one of Jaap's posts. My comments are all the way at the bottom.
Since AD Connect would be installed in the account forest and then connected to both environments' directories for sync purposes, I thought ADMT might do the job, but I just can't be sure. Tomorrow I am going to see if/what I can test.
Brian, Tony Redmond said you may be able to assist. Paul, you have provided valuable insight in the past, which is why I suffered you into this. Thanks in advance.
04-07-2020 08:43 AM
@Robert Bollinger if I follow, what you want to do is remove the resource forest, which contains all of the Exchange attributes?
You'll need to copy all of those over to the objects in the account forest so they look like remote mailboxes there, and then you'll probably find it easier to set up a new AAD Connect that only talks to the account forest. There are various ways to copy the attributes over, but using a script is probably easiest. You can set up the new AAD Connect server in staging mode and look at the pending exports to make sure you have everything copied over.
04-07-2020 08:54 AM
04-07-2020 11:59 AM
If you just take the attributes 1:1 from the resource forest to the account forest, you're not going to have what you want. You have (or had) linked mailboxes in the resource forest. You want a plain remote mailbox in the account forest.
ADMT also hasn't been updated in a very, very long time. It may or may not actually work for you regardless of the issue above.
You'll need to put an Exchange server in the account forest for this to work.
04-07-2020 12:55 PM
@BrianDesmond Thanks again.
To be clear for myself on this process, and to make sure I have the order right, with all mailboxes already migrated to Office 365, I should do the following:
Is that about right? I will of course test everything in my lab before making any changes on the customer's environment, and may reach out to PFE for a design review to be doubly sure.
The customer also needs to migrate all their groups to Office 365 as well. However, for that I think the correct course of action is to create a script (or find one) that simply creates the groups in the cloud, re-assigns all group memberships and send as, send on behalf of settings, and group security settings.
The group portion would probably need to be done first, I would imagine.
04-07-2020 12:56 PM
@Robert Bollinger Sounds about right. Don't forget to copy proxyAddresses and legacyExchangeDN values as X500 proxies on users and groups to preserve autocomplete reply-ability.
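
One way to build the merged proxyAddresses value described in the replies above, with the resource-forest legacyExchangeDN added as an X500 proxy (added example, not code from any poster in this thread). The function name `Merge-ProxyAddresses`, its parameters and the sample values are assumptions; it only computes the list and writes nothing to Active Directory.

```powershell
# Added example; every address and DN below is constructed sample data.
function Merge-ProxyAddresses {
    param(
        [string[]]$TargetProxies = @(),  # proxyAddresses already on the account-forest object
        [string[]]$SourceProxies = @(),  # proxyAddresses read from the resource-forest object
        [string]$SourceLegacyDN          # legacyExchangeDN read from the resource-forest object
    )
    $candidates = @($TargetProxies) + @($SourceProxies)
    if ($SourceLegacyDN) { $candidates += "X500:$SourceLegacyDN" }

    # Split each entry into type prefix and address; drop blanks and entries without a prefix.
    $parsed = foreach ($entry in $candidates) {
        if ([string]::IsNullOrWhiteSpace($entry)) { continue }
        $prefix, $address = $entry.Trim() -split ':', 2
        if ($address) { [pscustomobject]@{ Prefix = $prefix; Address = $address } }
    }

    # Assumption: the first upper-case SMTP: entry (target first, then source) stays primary.
    $primary = $parsed | Where-Object { $_.Prefix -ceq 'SMTP' } | Select-Object -First 1

    $seen = @{}      # PowerShell hashtable keys compare case-insensitively
    $result = @()
    if ($primary) {
        $seen["smtp:$($primary.Address)"] = $true
        $result += "SMTP:$($primary.Address)"
    }
    foreach ($p in $parsed) {
        # Any other SMTP entry is demoted to a secondary (lower-case) address.
        $type = if ($p.Prefix -ieq 'smtp') { 'smtp' } else { $p.Prefix }
        $key = "${type}:$($p.Address)"
        if (-not $seen.ContainsKey($key)) {
            $seen[$key] = $true
            $result += $key
        }
    }
    return $result
}

# Constructed sample: the account-forest object has one alias, the resource-forest
# object has the primary address, a duplicate alias and an older X500 proxy.
$merged = Merge-ProxyAddresses `
    -TargetProxies @('smtp:jdoe@contoso.example') `
    -SourceProxies @('SMTP:jane.doe@contoso.example', 'smtp:JDoe@contoso.example',
                     'X500:/o=OldOrg/ou=Site/cn=Recipients/cn=jdoe') `
    -SourceLegacyDN '/o=ResOrg/ou=Exchange Administrative Group/cn=Recipients/cn=jane.doe'
$merged   # review this list before writing it to the account-forest object
```

The same merge applies to groups; comparing the result against the pending exports of an AAD Connect server in staging mode, as suggested earlier in the thread, shows whether anything was missed.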