This is part two in a series about using complex forests to migrate to Office 365. In part one, Exchange MVP Steve Goodman covered how complex Active Directory setups fit into Office 365 and the challenges that come with migrating or integrating complex Active Directory forests.
Migrating via a single forest
Migrating using a single forest makes sense for many organizations, and a move to Office 365 can be an important goal. In mergers and acquisition scenarios -- especially those where a company is consumed slowly over time and many large Active Directory forests are present -- it's often already part of an organization's consolidation plans.
There are typically two approaches in a scenario where you migrate through a single forest, depending on the organization's business situation. The first may be to keep the forest where the majority of accounts and complex integration are present and to migrate accounts into this forest. This works best when the forest is already on a recent Exchange version, such as Exchange 2010 or Exchange 2013, since the components in a hybrid Exchange deployment are already present.
The second approach is often used when there's no good candidate to serve as an overall company Active Directory (AD). For example, after a merger the combined group may have a new name, but neither existing forest is named accordingly. There are ways to solve that issue, but it's common to have the combined IT departments pool their respective knowledge to start with a fresh AD infrastructure and move accounts into it.
The approaches are the same for a hybrid Exchange deployment, whether it's a new forest or the best existing candidate for the final resulting forest. Each account is migrated using a tool such as the Active Directory Migration Tool, and then it's prepared for the cross-forest move using the Prepare-MoveRequest.ps1 script in Exchange 2010 and higher. At this point, DirSync creates a corresponding mailbox in Office 365, and the mailbox can be migrated to Office 365 either by first moving the mailbox to the target forest or by creating a migration endpoint in the source forest.
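The sequence just described, as an added PowerShell example that is not from the article or any Microsoft sample: one account is prepared in the target forest with Prepare-MoveRequest.ps1, the result is checked before anything moves, and the mailbox is then onboarded to Exchange Online with a remote move request. The forest names, domain controllers, OU, hybrid endpoint hostname and tenant routing domain are all assumptions; the Connect-ExchangeOnline cmdlet is from the current Exchange Online PowerShell module, which is newer than the tooling the article discusses.

```powershell
# Added example, not code from the article. All hostnames, domains and OUs below
# are placeholders for a fictional source forest (source.example) and target forest
# (target.example); substitute your own.

# ---- Step 1: run in the Exchange Management Shell of the TARGET forest ----
# Prompt for separate credentials per forest. Each account should hold only the
# rights the step needs (read on the source user, recipient management in the
# target) rather than reusing a Domain Admins account across both forests.
$sourceCred = Get-Credential -Message "Source forest account (read access to the user)"
$targetCred = Get-Credential -Message "Target forest account (Recipient Management)"

# Prepare-MoveRequest.ps1 ships in the Exchange Scripts folder on Exchange 2010+.
$scriptPath = Join-Path $env:ExchangeInstallPath "Scripts\Prepare-MoveRequest.ps1"

# Create (or, with -UseLocalObject, update) a mail-enabled user in the target forest
# that carries the source mailbox's matching attributes (legacyExchangeDN as an X500
# proxy address, ExchangeGuid and so on) so the later move request can find it.
& $scriptPath `
    -Identity "jane.doe@source.example" `
    -RemoteForestDomainController "dc01.source.example" `
    -RemoteForestCredential $sourceCred `
    -LocalForestDomainController "dc01.target.example" `
    -LocalForestCredential $targetCred `
    -TargetMailUserOU "OU=Migrated,DC=target,DC=example" `
    -UseLocalObject

# Check the prepared object before anything is moved. It must be a MailUser with a
# non-empty ExchangeGuid; a missing or mismatched GUID is the usual reason a
# cross-forest move later fails to match the source mailbox.
$mailUser = Get-MailUser -Identity "jane.doe@source.example" `
                         -DomainController "dc01.target.example" -ErrorAction SilentlyContinue
if (-not $mailUser) {
    throw "Prepare-MoveRequest.ps1 did not create a mail user in the target forest."
}
if ($mailUser.ExchangeGuid -eq [Guid]::Empty) {
    throw "Mail user has no ExchangeGuid; the source mailbox will not be matched."
}
"Prepared {0} (ExchangeGuid {1})" -f $mailUser.PrimarySmtpAddress, $mailUser.ExchangeGuid

# ---- Step 2: after DirSync has run, onboard the mailbox from Exchange Online ----
# DirSync projects the mail user into the tenant on its next cycle. Connect to
# Exchange Online (assumed module) and confirm the object arrived before requesting
# the move; a move request against an unsynchronised object simply fails.
Connect-ExchangeOnline

$cloudUser = Get-MailUser -Identity "jane.doe@source.example" -ErrorAction SilentlyContinue
if (-not $cloudUser) {
    throw "Mail user is not yet visible in the tenant; wait for a DirSync cycle."
}

# The remote move pulls the mailbox through the hybrid endpoint (MRS proxy) published
# by the forest that currently holds it. Here the mailbox was first moved into the
# target forest, so its hybrid hostname is used; the alternative in the text is to
# point -RemoteHostName at an endpoint in the source forest instead.
$onPremCred = Get-Credential -Message "On-premises account allowed to use the MRS proxy"
$move = New-MoveRequest -Identity "jane.doe@source.example" `
    -Remote `
    -RemoteHostName "mail.target.example" `
    -RemoteCredential $onPremCred `
    -TargetDeliveryDomain "target.mail.onmicrosoft.com" `
    -BatchName "Forest consolidation wave 1"

# Poll the request rather than assuming success; failures surface here with a
# message you can act on (bad credentials, unmatched GUID, unreachable endpoint).
Get-MoveRequestStatistics -Identity $move.Identity |
    Select-Object DisplayName, Status, PercentComplete, Message
```

The two explicit checks (a MailUser with a real ExchangeGuid on premises, and the same object already present in the tenant) are the ones worth scripting: each catches the most common cause of a failed move before any data is touched, and each uses a separate, minimally scoped credential so that a compromised migration account in one forest does not grant rights in the other.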
Multi-forest hybrid Exchange and Azure AD Sync
Using a single forest as the bridge to Office 365 works well for migration from multiple account forests, but it isn't great if you're migrating a resource-account forest combination or looking to maintain long-term multiple AD forests. A single Office 365 tenant could meet your organization's needs, and keeping separate AD forests could as well, especially in the short term.
The traditional option for these scenarios has been to use Forefront Identity Manager (FIM) combined with the Azure Active Directory Connector for FIM. The samples provided with the tool set are tailored to account-resource forest combinations. This makes it possible to use FIM and the provided connector to build a solution capable of creating accounts in Office 365 and merging attributes from the account and resource forests, so that a single hybrid relationship results in the resource forest.
Exchange 2013 SP1 brought new features that improved support for multi-forest hybrid deployments. This means that if you have multiple AD forests with Exchange deployed in all of them, it's possible to run the Hybrid Configuration Wizard in each one. This naturally assumes that services such as shared email namespaces and AutoDiscover already work correctly across the environments. It also crucially requires the deployment of at least one Exchange 2013 SP1 server into each forest in Internet-facing sites.
Using a multi-forest hybrid Exchange deployment requires a solution capable of synchronizing accounts from their respective AD forests to the single Office 365 tenant. FIM with the Azure AD Connector is a good candidate right now, but it requires custom coding to implement -- it's not for the faint-hearted.
Microsoft has released the public preview of Azure AD Sync. It isn't for use in production environments at this time, but it gives a taste of what's in store for the future. Azure AD Sync will solve most multi-forest AD sync issues: via a simple wizard, it configures itself to meet most multi-forest AD requirements, depending on each organization's needs.
Expect to see Azure AD Sync later this year. It will complement the existing, simpler DirSync software to make a multi-forest hybrid Exchange deployment easier to implement. But for many organizations, keeping multiple forests is a sticking plaster waiting to be removed. Although Azure AD Sync might help put that off, moving mailboxes to Exchange Online can ease that consolidation.
About the author:
Steve Goodman is an Exchange MVP, and works as a technical architect for one of the U.K.'s leading Microsoft Gold partners. Goodman has worked extensively with Microsoft Exchange since version 5.5 and with Office 365 since its origins in Exchange Labs and Live@EDU.