SOLVED

Microsoft 365 Minimal or Cutoff Migration?


Hello,

I am currently running an on-premises Server 2016 domain with Active Directory and Exchange 2016 with around 65 users. I am starting to plan for migrating our Exchange server to Microsoft 365 and would like to know what method, either Minimal or Cutoff, would be the best path to take.

Right now I currently have Azure AD Connect installed and syncing my users and passwords to the Microsoft 365 admin center. If possible, I would like to keep Azure AD Connect after the migration so I can manage user accounts and passwords on my Domain Controller still but I am a little confused on how to accomplish this. If I want to keep directory synchronization enabled would I have no choice but to use the 'Cutoff' method? The 'Minimal' method notes that it disables directory synchronization after the first initial sync, but what if I want to keep this on so I still have the ability to manage users/passwords locally and have them still sync to the admin center? I am not sure what the best practices are for this, or if directory synchronization is even necessary if you plan to fully decommission Exchange from the domain like I do. It seems that if syncing was turned off then you have to manage user accounts on the Domain Controller, but also then have to manage mailboxes in Exchange Online. Is this the normal way to do this? Can directory sync remain on indefinitely after migrating and decommissioning Exchange entirely?

If any further information is needed to help clarify my intentions please let me know and I will explain the best I can. Any help is very appreciated!

Thank you,

Jason

8 Replies
best response confirmed by JasonL (Occasional Contributor)
Solution
You can re-enable sync after the migration, that's not a problem. Do note that if you plan to decommission Exchange, having AAD Connect in the mix puts you in an unsupported configuration. Every configuration involving dirsync/AAD Connect requires you to keep at least one Exchange box for management purposes.

Thank you for the information, Vasil. Since you mention that if I did decommission Exchange it would be in an unsupported state, what would be the recommendation for managing local Active Directory users and their mailboxes? Say, for example, a new user needed to be created, is the recommendation, without having AAD Connect, for you to create the user on your local Domain Controller in Active Directory, then as a second step create their mailbox in the Exchange admin center? It just seems like it would be far easier to manage things like that with AAD Connect still syncing users/passwords. I'm curious what other people normally do in a situation like this. Do most people really choose to keep Exchange running even though it's not needed when all mailboxes are migrated to MS365?

That's the only supported configuration. It's a pain yes, but using the Exchange management tools is the only supported way to manage Exchange related objects and attributes. If you don't care about the "supported" bit, it's perfectly possible to do it with AD tools/PowerShell.

Thank you for the clarification. I think for now I will start with the 'Minimal' option and see how easy things are to manage with Exchange still being in the mix and decide later whether to fully decommission it or not.

@JasonL

The MSFT recommendation in the currently described scenario is to go with a hybrid (minimal/express) migration, as you won't have any problems related to synchronization and management. If your plan is to get rid of the complete on-prem infrastructure, then cutover is the best choice because you have only 65 mailbox users. One of the requirements before starting the cutover is to actually stop directory synchronization (AAD Connect). Once the migration is done, you can reconfigure AAD Connect. If you choose to go with cutover but still want to keep the on-prem AD, then you need to manage some properties on a daily basis via PowerShell or AD tools. The most common example is the proxy address. As the source of authority is on-prem AD, any change to the proxy address in M365 will be overwritten once synced.
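
The post above notes that with on-prem AD as the source of authority, proxy addresses have to be maintained on the AD object with PowerShell or AD tools. A sketch of that for the primary SMTP address, added here as an example and not taken from any poster or from Microsoft; the function name `Set-PrimarySmtpAddress` and the sample account and domain are hypothetical, while the cmdlets come from the ActiveDirectory module.

```powershell
# Added example; requires the ActiveDirectory module (RSAT). All names are constructed.
Import-Module ActiveDirectory

function Set-PrimarySmtpAddress {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,        # sAMAccountName, DN, GUID or SID
        [Parameter(Mandatory)][string]$PrimaryAddress   # new primary SMTP address
    )

    # Strict pattern: also keeps LDAP filter metacharacters ( ) * \ out of the query below.
    if ($PrimaryAddress -notmatch '^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$') {
        throw "Not a valid SMTP address: $PrimaryAddress"
    }

    $user = Get-ADUser -Identity $Identity -Properties proxyAddresses

    # The address must not already be assigned to a different object
    # (LDAP matching on proxyAddresses is case-insensitive, so this covers SMTP: and smtp:).
    $clash = Get-ADObject -LDAPFilter "(proxyAddresses=smtp:$PrimaryAddress)" |
        Where-Object { $_.ObjectGUID -ne $user.ObjectGUID }
    if ($clash) {
        throw "Address already assigned to: $($clash.DistinguishedName -join '; ')"
    }

    # Demote any current primary (SMTP:) to an alias (smtp:), drop an existing alias
    # equal to the new primary, and leave non-SMTP entries (X500, SIP, ...) untouched.
    $new = @(foreach ($p in $user.proxyAddresses) {
        if ($p -like 'smtp:*') {
            $addr = $p.Substring(5)
            if ($addr -ne $PrimaryAddress) { "smtp:$addr" }
        } else { $p }
    }) + "SMTP:$PrimaryAddress"

    # -WhatIf / -Confirm are honoured here; the lookups above are read-only.
    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set primary SMTP to $PrimaryAddress")) {
        Set-ADUser -Identity $user -Replace @{ proxyAddresses = [string[]]$new }
    }
    $new   # return the resulting address list for review
}

# Usage with constructed sample values; -WhatIf previews without writing to AD:
# Set-PrimarySmtpAddress -Identity jdoe -PrimaryAddress jane.doe@contoso.example -WhatIf
```

The change is made on the on-prem object, so it reaches Microsoft 365 on the next Azure AD Connect sync cycle instead of being overwritten by it.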

Jason if you are syncing AD users via ADConnect then you should just do traditional Exchange Hybrid migration and not screw around with trying to decom exchange.

Thank you for the recommendation, Kevin. I have decided to do exactly that for the time being. Hopefully the backend administration settings are incorporated into Exchange Online at some point so this is no longer a concern for people who want to decommission Exchange entirely but still use on-prem AD. Seems like that's something that really should have been already included honestly.

Thanks for the suggestion, Shane. It does seem like it's entirely possible to administer Exchange Online via PowerShell or other tools, but in order to stay in compliance with Microsoft I am just going to leave my on-prem Exchange server online for now, which will also make it easier to manage. Even though I would absolutely love to completely decommission Exchange I would rather stay in compliance for now. Hopefully these tools are eventually built directly into Exchange Online at some point so this is no longer a concern.