Migrate Organization from Hosted Exchange Solution to Office 365 using Cutover Migration

After having your mail system hosted by a hosting company and with Exchange Online and Office 365 becoming even more widespread and popular, you are ready to commit to the move and get away from that hosting company or ISP.

But how do you go about moving all your mailboxes, distribution groups and other exchange resources? Many,  if not all,  hosting companies will give you zero visibility to their environment so you really cannot do a regular hybrid type of migration.

The solution is to perform a cutover migration to Exchange Online. In a cutover migration, all on-premises mailboxes are migrated at the same time. to do a cutover migration, a few things to note are:

  • Your current on-premise Exchange server is running Microsoft Exchange 2003, 2007, 2010 or 2013
  • A maximum of 2,000 mailboxes can be migrated using this method of migration
  • The primary domain name used for your on-premise organization must be an accepted domain in Office 365 before you begin the migration

For more details on how this type of migration process works, check out Microsoft’s TechNet article – https://technet.microsoft.com/en-us/library/jj898490(v=exchg.150).aspx


Now that the requirements are in place, here are the steps you need to perform. Please note that the assumption is you have already purchased and configured your Office 365 tenant.

Also note that Azure Active Directory Sync tool cannot be run with a cutover migration. If it has already been installed, it must be deactivated.

Step 1: Prepare for a Cutover Migration

  • Add on-premise Exchange Organization as an accepted domain in Office 365. The migration service will use the SMTP address of your hosted mailboxes to create Microsoft Online user accounts and email addresses for the new online mailboxes.

If your on-premise organization uses multiple SMTP domains, all the domains must be added and verified as accepted domains in Office 365. Once added, configure the default domain for the organization.

  • Configure Outlook AnyWhere on your on-premise Exchange server. The migration service uses RPC over HTTP to connect to the hosted Exchange server.
  • Verify Connectivity to the hosted Exchange organization using Outlook AnyWhere. This can be done either by configuring Outlook from Outsize your corporate network to connect to a hosted mailbox or by running the Microsoft Remote Connectivity Analyzer to test the connection settings.
  • Assign an on-premise user account necessary permissions to access mailboxes in the hosted Exchange organization. The user account that will be used to connect to the on-premise Exchange organization is called the migration administrator and it needs the proper permissions to access the mailboxes to be migrated.

The permissions required by the migration administrator can be either Domain Admins group member in active directory OR it can be assigned Full Access permission for each on-premise mailbox to be migrated OR it can be assigned Receive As permission for each on-premise mailbox database that stores the user mailboxes.

  • Disable Unified Messaging. Unified Messaging (UM) must be disabled on all on-premise mailboxes before migrating them. Once migrated, you can enable UM in Office 365
  • Security Groups and Delegates. A cutover migration only moves mailboxes, mail users, mail contacts and mail-enabled groups. If any other Active Directory object is assigned as a manager or a delegate to an object being migrated, it must be removed from the object before the migration process.
  • Un-hide any hidden Exchange Objects. The migration service is not able to detect any hidden objects in Exchange. If you have any mailboxes or other objects that need to be migrated and are hidden, they must be unhidden for the migration service to detect them and include them in the migration batch.

Step 2: Create a Migration Endpoint

A Migration endpoint is simply an Exchange Online object that contains the connection settings for the on-premise server hosting the mailboxes to be migrated. it includes the credentials (NetBIOS_Domain_Name\UserName and password) for the migration administrator.

To create a migration endpoint (see https://technet.microsoft.com/en-us/library/jj874458(v=exchg.150).aspx)

  1. In the EAC, navigate to Recipients > Migration. Click More More Options Icon, and then click Migration endpoints.
  2. On the Migration endpoints page, click New Add Icon.
  3. On the Select the migration endpoint type page, click Outlook Anywhere, and then click Next.
  4. On the Enter on-premises account credentials page, complete the following boxes:
    1. Email address   Type the email address of any user in the on-premises Exchange organization that will be migrated using this endpoint. Exchange Online will test the connectivity to this user’s mailbox
    2. Account with privileges   Type the user name (using the domain\user name format) for the migration administrator
    3. Password of account with privileges   Type the password for the administrator account that you specified in the previous box
  5. Click Next. Exchange Online uses the information on the Enter on-premises account credentials page to test connectivity to the source server, and then displays the Confirm the migration endpoint page. Once confirmed, click Next to continue.
  6. Enter information in the following boxes:
    1. Migration endpoint name   This name is displayed in the list of migration endpoints. It’s also used in the drop-down list of migration endpoints when you select a migration endpoint while you’re creating a migration batch. This is required
    2. Maximum concurrent migrations   This is the number of connections to the source server that are available to migrate on-premises mailboxes and mailbox items to Exchange Online during initial and incremental synchronization. If the value is set to 20, which is the default value, you can migrate up to 20 mailboxes at the same time
    3. Maximum concurrent incremental syncs   This is the number of connections to the source server that are available to perform incremental synchronizations. If the value is set to 10, the default value, then incremental synchronization can be performed on up to 10 mailboxes at the same time.
  7. Click New to create the migration endpoint.

Step 3: Create the Cutover Migration Batch

Following Microsoft’s recommendation on creating a migration endpoint first, the process to create the migration batch is as follows:

  1. In the EAC, navigate to Recipients > Migration.
  2. Click New Add Icon and then click Migrate to Exchange Online.
  3. On the Select a migration type page, click Cutover migration, and then click Next.
  4. Since the migration endpoint has already been created, the fully qualified domain name (FQDN) of your on-premises Exchange server and RPC proxy server are displayed on the Confirm the migration endpoint page. Verify the settings and then click Next
  5. On the Move configuration page, type the name of the migration batch, and then click Next. This name will be displayed in the list of migration batches on the Migration page after you create the migration batch. Batch names can’t contain spaces or special characters
  6. On the Start the batch page, do the following:
    1. Click Browse to send a copy of the migration reports to other users. By default, migration reports are sent to the administrator who creates the migration batch. You can also access the migration reports from the properties page of the migration batch
    2. Specify to Automatically start the batch so that the migration is started as soon as you save the migration batch.
  7. Click New to create the migration batch

Step 4: Configure your MX Record to Point to Office 365

Until you change your MX record, email sent to users is still routed to their on-premises Exchange mailboxes. Once the migration batch has been created, incremental synchronization process synchronizes the on-premise exchange mailboxes and the Exchange Online mailboxes once every 24 hours to keep them in-sync until you stop or delete the migration batch.

Using DNS, the MX record of the SMTP domain(s) can then be changed to the value provided by the DNS Domain setup in Office 365. AutoDiscover and other DNS records can also then be created for the domains.

Once you configure your organization’s MX record according to those settings, all email is sent directly to the Exchange Online mailboxes.

Step 5: Delete the Cutover Migration Batch

After changing the MX record, verify mail is being routed to the Exchange Online mailboxes. Once confirmed, verify the following:

  • Mail is being delivered directly to Exchange Online mailboxes
  • All users are now connecting to their Exchange Online mailboxes
  • The Exchange Online mailboxes have been synchronized at least once after the MX record change.

Once all has been verified, the migration batch can be deleted:

  1. In the EAC, navigate to Recipients > Migration
  2. On the migration dashboard, select the batch, and then click Delete Delete icon.

Step 6: Assign Licenses to Office 365 users

Using the cutover migration process, a user account is created in Office 365 for each mailbox being migrated. For those that are configured as resources or shared in a source Exchange 2010 or 2013 Server, they will be migrated as such and those do not require licenses in Office 365.

Before users can begin using their mailboxes, licenses must be assigned to activate the user account. If no licenses are assigned, the mailbox will be disabled when the 30-day grace period ends.

Best Practices

  • Configure New Outlook Profiles using GPO
  • Implement a single sign-on solution.   After all mailboxes are migrated to the cloud, you can implement a single sign-on solution to enable users to use their on-premises Active Directory credentials (user name and password) to access their Office 365 mailboxes and existing on-premises resources. You implement a single sign-on solution by deploying Active Directory Federation Services 2.0 (AD FS 2.0).
  • Change the DNS Time-to-Live (TTL) setting on your MX record.   Before you start to migrate mailboxes, change the DNS TTL setting on your current MX record to a shorter interval, such as 3600 seconds (one hour). Then, when you change your MX record to point to your Office 365 organization after all mailboxes are migrated, the updated MX record should propagate more quickly because of the shortened TTL interval
  • Updating the WindowsEmailAddress attribute   The WindowsEmailAddress attribute is used as the primary key for the cutover migration and changing the WindowsEmailAddress attribute on the on-premises side during a cutover migration isn’t recommended. If the WindowsEmailAddress attribute needs to be changed, we recommend that you remove the target MigrationUser attribute, remove the target mailbox, group and contact, and then restart the migration batch.
  • Communicate with your users.   Let users know ahead of time that you’re migrating the content of their on-premises mailboxes to Exchange Online. Consider doing the following:
    • Asking users to delete old or unnecessary email messages from their Exchange mailboxes before migration. This helps reduce the amount of data that has to be migrated and can help reduce the overall migration time.
    • Suggesting that users back up their Inboxes
    • Telling users when they can use their Office 365 user account to access the email that was migrated from their on-premises accounts. Don’t give users access to their Exchange Online mailboxes until you’re ready to switch your MX record to point to Office 365

Inter-Org Exchange Migration using PST Files

Exchange migrations are relatively straight forward – you install new Exchange servers in the Exchange organization, configure them and them move Exchange recipients to the new server. But this is assuming you are migrating with the same network, Active Directory forest or Exchange organizations.

What about when you want to migrate between Active Directory forests? Well the simplest and most direct way would be to setup a trust relationship between the forests for the two Exchange organizations may communicate with each other.

What if a trust relationship CANNOT be established due to security restrictions, network boundaries or some other reason? Well the only other option would be to use PST files.

Using PST files to do a migration has its limitations – main one being that calendar entries are broken when importing a PST file into another organization. This is because the x.500 address is unique in each organization and this is what is used when a calendar entry is created. Obviously there are other issues you need to worry about as well such as:

  • Replying to imported emails – when replying to an imported email from another member of the same organization, make sure the user exists in the address book before replying otherwise you will receive an NDR
  • Replying to a Distribution Group – Make sure the DL has been recreated in the new organization otherwise an NDR will be generated.

This blog talks about migrating an Exchange organization into another organization using PST files. Before we begin the steps taken, here are the prerequisites to this migration.


Assuming that we are migrating from an Exchange organization called EXORG to another called EXNEW (wish same forest names). We are also assuming that the users will maintain their original email addresses.

  1. User accounts for all mailboxes to be migrated from EXORG must be created in the EXNEW forest. If possible, place all the users in the same OU.
  2. Create a new accepted domain for their original SMTP domain (exorg.com) and make it as an external relay domain.
  3. Create an Email address policy that assigns the SMTP address format %g.%s@exorg.com to all recipients in the OU where the users were created.
  4. Create mailboxes for these users ahead of time (you can have them hidden from the address book to avoid users sending emails to them. Also you can assign fake email addresses to the mailboxes so that valid emails from users in the EXNEW organization don’t send messages to these mailboxes).

At this point, the MX record still points to the original organization. The plan is to do the export to PST in 2 phases:

  • Phase one would be to export the bulk of the historic data from the mailboxes. The mailbox content will be exported to a certain date (for example June 30th 2015) and depending on the size of the mailboxes and the number of users, this may take some time to complete the export.
  • This will give you enough time to complete the export AND the import of this data into the empty mailboxes.
  • Phase two would be performed just before the cutover to EXNEW and would involve running another export but this time we would export everything from the last export (for example July 1st 2015) to the present. This should not take long to complete as the amount of data would be very little.

So let’s get into this!

Exporting Distribution Groups and their Members

This would be a task you need to perform only once as distribution groups hardly change.

  1. Export Distribution groups and members from EXORG environment
    1. Create a folder on the root of C:\ drive called DLS
    2. Using Notepad, create a script called EXORGDLs.PS1 and save it in the C:\DLs folder. This script will be used to export a list of all distribution groups with their unique identity (Update the script to contain the proper folder and file names for the CSV file export):

$DL = Get-distributiongroup –resultsize unlimited

$Groups = @()

Foreach ($D in $DL) {

$Groups += Get-distributiongroup –identity $D | Select DisplayName, Alias, Name, SamAccountName}

$Groups | export-csv Drive:\folderpath\FILENAME.csv -NoTypeInformation

This script will export all the distribution groups from the EXORG environment with the following attributes and their values – these will be used to create the Distribution groups in the EXNEW environment:

    • DisplayName
    • Alias
    • Name
    • SamAccountName
    1. Using Notepad, create a script called DLMembers.PS1 and save it in the C:\DLS\Members folder (a subfolder named Members must be created). The content of the script will be as follows:
    2. This script will export all the distribution group names with their members (Update the script to contain the proper folder and file names for the CSV file export).

$DL = Get-DistributionGroup –resultsize unlimited

$Output =@()

Foreach ($D in $DL) {

$Members = Get-DistributionGroupMember $D.name -resultsize unlimited

$Total = $Members.Count

$RemoveNull = $Total-1

For($i=0;$i -le $RemoveNull;$i++)


$userObj = New-Object PSObject

$userObj | Add-Member NoteProperty -Name “DisplayName” -Value $members[$i].Name

$userObj | Add-Member NoteProperty -Name “Alias” -Value $members[$i].Alias

$userObj | Add-Member NoteProperty -Name “Distribution Group” -Value $D.Name

$userObj | Add-Member NoteProperty -Name “Distribution Group Primary SMTP address” -Value $D.PrimarySmtpAddress

$output += $UserObj


$output | Export-csv -Path Drive:\folderpath\FILENAME.csv -NoTypeInformation


  1. Copy the C:\DLs folder to the primary exchange server at EXNEW and paste it in the same path.
  2. Create a new script in the C:\DLs folder of EXNEW Exchange called CreateEXORGDLs.PS1 using Notepad with the following content:
  3. This script will create new mail-enabled universal distribution groups in EXNEW in a predetermined OU and add the necessary members to the groups. Before running the script, update it with the proper OU path and folder\file path for the CSV file. This file was obtained in step 5-b earlier.

Write-host ”  “

Write-host “

This script will create all EXORG Distribution groups in an OU named ” Domain.com/OU-Path” in the EXNEW Active Directory”

$OU = “Domain.com/OU-Path”

$content = import-csv Drive:\folderpath\FILENAME.csv | foreach {

$Name = $_.”Name”

New-DistributionGroup -Name $_.”Name” -Alias $_.”Alias” -DisplayName $_.”DisplayName” -SAMAccountName $_.”SAMAccountName” -OrganizationalUnit $OU -Type Distribution

Write-host $Name ” DL has been created successfully”-foregroundcolor green


The format of the CSV file will contain columns with the following headings:

DisplayName Alias Name SamAccountName
  1. Once the groups have been created in Active Directory from the previous step, next is to add the members to the group. Previously in Step 5-c, the members of the groups were successfully exported to a CSV file. This file will be used to populate the group membership.
  2. On the EXNEW Exchange production server, create a new script named AddDLMembers.PS1 with the following content. Please update the content of this script before running it:

Write-host ”  “

Write-host “

This script will add the members to the distribution groups”

$content = import-csv Drive:\folderpath\FILENAME.csv | foreach {

$Alias = $_.”Alias”

$DL = $_.”Distribution group”

Add-DistributionGroupMember -Identity $DL -member $Alias

Write-host $Alias ” has been successfully added to the distribution group ” $DL -foregroundcolor blue



Steps required to export data from EXORG environment

  1. Assign a selected active directory group in EXORG the proper permissions to be able to import/export data from mailboxes to PST from Exchange Management Shell using the following command:
  2. New-ManagementRoleAssignment Role “Mailbox Import Export” –SecurityGroup “GroupName”
  3. Log onto Exchange 2010 as one of the users who is a member of the group
  4. Create a network shared folder.
    1. To export a mailbox or archive, you must first create a network shared folder.
    2. You need to grant read/write permission to the Import/export group  and the Exchange Trusted Subsystem group to the network share where you’ll export or import mailboxes
  5. Create a mailbox export request in Exchange.
    • A mailbox export request is a process of exporting mailbox or archive data to a PST file.
    • You can create more than one mailbox export request per mailbox, and each request must have a unique name. Microsoft Exchange automatically generates up to 10 unique names for a mailbox.
    • To create more than 10 export requests for a mailbox, you must specify a unique name when you create the request.
    • Although you can create multiple export requests per mailbox at one time, you can create only one request at a time per PST file. This is because the PST file is locked as in-use when the request begins to run.
    1. Open the Exchange Management Shell and run the following command to export mailbox content from a user’s primary mailbox to a PST using the following command:
    2. New-MailboxExportRequest -Mailbox UserName -FilePath \\Server\FileShare\FileName.PST

Run the following command to export mailbox content from a user’s archive mailbox to a PST:

New-MailboxExportRequest -Mailbox UserName -IsArchive –FilePath \\Server\FileShare\FileName_Archive.PST

  1. Open Notepad and paste the following script to be used to bulk export mailbox data for ALL mailboxes in the environment.
  2. Please note that the proper server name and shared folder path must be updated.

$Users = get-mailbox

foreach ($u in $users) {

$Batchname = “$u PrimaryExport”

$ArchiveName = “$U ArchiveExport”

new-mailboxexportrequest -batchname $Batchname -mailbox $U -filepath “\\SERVERNAME\SHARED_FOLDER\$U.pst”

write-host “Export of $U primary mailbox has begun”

 get-mailbox $U | where {$_.archivedatabase -ne $Null}

new-mailboxexportrequest -batchname $Archivename -mailbox $U -isarchive -filepath “\\ SERVERNAME\SHARED_FOLDER\$U-Archive.pst”


  1. In order to export the delta changes, copy the following script into a Notepad.

$Users = get-mailbox

foreach ($u in $users) {

 $Batchname = “$u PrimaryExport”

$ArchiveName = “$U ArchiveExport”

 new-mailboxexportrequest -batchname $Batchname -mailbox $U -filepath “\\ SERVERNAME\SHARED_FOLDER\$U.pst” -ContentFilter {(Received -ge ’07/01/2015′) -and (sent -ge ’07/01/2015′)}

write-host “Export of $U primary mailbox has begun”



Steps required to import data into EXNEW Environment

  1. Assign a selected active directory group in EXNEW the proper permissions to be able to import/export data from mailboxes to PST from Exchange Management Shell using the following command:
  2. New-ManagementRoleAssignment Role “Mailbox Import Export” –SecurityGroup “GroupName”
  3. Log onto the exchange server that will be used to import the PST data into the mailboxes as a member of the group
  4. Create a mailbox import request in Exchange
    1. You can create more than one mailbox import request per mailbox and each mailbox import request must have a unique name.
    2. Microsoft Exchange automatically generates up to 10 unique names for a mailbox import request. However, to create more than 10 import requests for a mailbox, you need to specify a unique name when creating the import request
    3. By default, the import checks for duplication of items and doesn’t copy the data from the PST file into the mailbox or archive if a matching item exists in the target mailbox or target archive
  1. Using the Exchange Management Shell, run the following command to import the contents of the PST back into an existing mailbox:

New-MailboxImportRequest MailboxName -FilePath \\server\Fileshare\FileName.pst

Run the following command to import PST content into an archive mailbox:

New-MailboxImportRequest MailboxName -IsArchive –FilePath  \\server\Fileshare\FileName_Archive.pst

Final Cutover Procedure

On the day of the Cutover, the following steps need to be taken in the EXNEW Exchange Environment:

  1. Prepare EXNEW to accept mail for EXORG domains
    1. In the EXNEW Exchange Administrative Center, change the accepted domain for EXORG.com to be authoritative
    2. Manually update each mailbox to have the proper email address of EXORG.COM
    3. Configure EXNEW SMTP gateway to accept mail for EXORG.COM domain forwarded to EXNEW`s exchange environment
    4. Change the MX record for  EXORG.COM to point to the EXNEW exchange environment (SMTP Gateway)
    5. At this point, any new mail generated externally destined to an EXORG recipient will be delivered to their new mailboxes at EXNEW.
  2. Prepare EXORG environment for cutover
    1. Change the  EXORG.COM accepted domains from authoritative to External Relay
    2. Reconfigure all mobile devices (BlackBerry and/or ActiveSync) to use EXNEW’s BES and ActiveSync settings
    3. Reconfigure Outlook profiles to connect to EXNEW’s Exchange environment for mail access
    4. Run a delta export of the mailboxes from EXORG exchange environment to copy data updated since the initial export
  3. Import the PST containing delta changes into the mailbox at EXNEW