How to properly offboard mailboxes from Office 365 back on premise in a mixed environment

This post archives all the issues I have found so far during this project.

My first impression is that there is a lack of information regarding offboarding Office 365 mailboxes back on prem, and what does exist doesn't contain much detail or proper explanation. Here I will try to explain all my findings in detail and as simply as I can.

If you have any questions, just ask in the comments and I will try to answer as fast as I can.

This is my scenario for offboarding Office 365 mailboxes back on premise.

My environment contains:

  1. Two datacenters – one in EU – Europe – and one in NA – USA
  2. Office 365 tenant with ~880 mailboxes – ~8TB of data – EU based tenant.
  3. On premise mixed Exchange environment – 2010, 2013 – ~1600 mailboxes
  4. Datacenter Site A – All servers are Exchange 2010 RU7 on Windows 2008 R2
    1. Two EDGE servers load balanced – W2008R2
    2. Two CAS/HUB servers – CAS Array – load balanced – W2008R2
    3. Two MBX servers in DAG – W2008R2 – ~800 mailboxes
  5. Datacenter Site B – mixed Exchange 2010 and 2013: seven Exchange 2010 RU7 servers on Windows 2008 R2 and one Exchange 2013 CU10 server on Windows 2012 R2
    1. Two EDGE servers load balanced – W2008R2
    2. Two CAS/HUB servers – CAS Array – load balanced – W2008R2
    3. Two MBX servers in DAG – W2008R2 – ~800 mailboxes
    4. One CAS/MBX server with one database – Public Folder database – W2008R2
    5. One CAS/MBX server with one database – Hybrid server – W2012R2

My first migration strategy – !!! WRONG WAY – DIDN'T WORK !!! – O365 -> specific 2010 database

All Office 365 mailboxes must go to a particular site depending on user location – EU and APAC users to the EU datacenter, NA and SA users to the NA datacenter.

My first strategy was to migrate all Office 365 mailboxes back on premise to a particular site depending on user location. Based on what I had found and read on the internet at the time, I created a new migration endpoint using my own mailbox, which was sitting on an Exchange 2013 database. When I was creating the new migration endpoint I used the Office 365 Exchange Admin Center portal and followed the wizard with my personal mailbox, which automatically used the Autodiscover settings and resolved the MRSProxy URL to my Exchange 2013 server – mail2013.mydomain.com – and I used my Domain/Exchange admin account. After the new migration endpoint was created I started creating migration batches using this endpoint and pointed the batch at one of my Exchange 2010 databases. When I started the migration batch I immediately received an error saying something like "your target database is not compatible and your mailbox cannot be migrated".

My second migration strategy – !!! WRONG / LONGER WAY !!! – O365 -> Exchange 2013 database -> specific Exchange 2010 database

As the next step I created a new migration batch using my new migration endpoint, and this time I pointed the migration batch at my Exchange 2013 database. This time when I started the migration batch I had no errors at all.

After 6 weeks of migrating mailboxes from Office 365 back on premise I realised that my migration project was running very slowly (1.5 TB in 6 weeks) and was very complicated, as it required a few extra steps – I had to create migration batches from the Exchange 2013 database to the particular Exchange 2010 database each time my O365->2013 batch finished.

Can you feel the mess I was dealing with for the last 6 weeks ;) ???

Step 1 – migrate 10 mailboxes from Office 365 to on premise Exchange 2013 database.

Step 2 – migrate mailboxes from on premise Exchange 2013 to specific Exchange 2010 database.

Believe me, a nightmare !!!

In addition to this, my environment contains Lync 2013. Another NIGHTMARE !!! Imagine this: I had moved a mailbox from Office 365 back to the on premise Exchange 2013 database. When I tried to move this mailbox to the specific Exchange 2010 database as step 2, I received a warning saying "If you migrate this mailbox to Exchange 2010 you will lose Unified Contacts" – what the what ??? I started digging and reading about this error and found the solution, but as I couldn't make any changes to my Lync environment – it is managed by a different team – I had to add an additional step to my project. Every time an Office 365 mailbox was moved to the Exchange 2013 database I had to send this information to my Lync team and ask them to run the Invoke-CsUcsRollback -Identity emailaddress@mydomain.com cmdlet, then wait until it was done. Once it was done I could restart my migration batch and the mailbox started moving from the Exchange 2013 database to the specific Exchange 2010 database with no warnings or errors.

The general idea is presented in the graphic below.

My third migration strategy – !!! PROPER WAY !!! – O365 -> specific 2010 database

After a while I started thinking and reading more about offboarding from Office 365 and finally found the proper solution. The whole idea is to create a proper migration endpoint which points to the right MRSProxy URL on an Exchange 2010 CAS server instead of the Exchange 2013 server.

I created a new migration endpoint using a temporary mailbox which is sitting on an Exchange 2010 database in site A, and I created a new migration batch which points straight at my Exchange 2010 database in site A. When I started the migration batch it started straight away, with no errors at all !!! No additional steps involved, no mess, no Lync team involved anymore, and it is faster than O365->2013->SiteA2010 or SiteB2010.

Migration plan – current – proper:

  1. Create a new temporary mailbox on each site: tempmbxNA@mydomain.com in the NA DAG and tempmbxEU@mydomain.com in the EU DAG
  2. Log on to your Office 365 tenant portal
  3. Create a new migration endpoint using the tempmbxNA mailbox
  4. Create a new migration endpoint using the tempmbxEU mailbox
  5. Create new migration batches for users based in NA and SA using the NA migration endpoint
  6. Create new migration batches for users based in EU and APAC using the EU migration endpoint
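The same plan can be driven from Exchange Online PowerShell instead of the EAC wizard. The script below is an added example, not the post's own script: it creates the two endpoints through Autodiscover on the temporary mailboxes so that each endpoint resolves to the Exchange 2010 CAS array, checks the resolved RemoteServer before any batch is submitted, and then creates per-site batches that target an Exchange 2010 database directly. The endpoint names, batch names, CSV paths, database names and the on-premises account (mydomain\exadmin) are assumptions.

```powershell
# Added example (not the post's own script): per-site remote-move endpoints and
# offboarding batches from Exchange Online PowerShell.
# Assumed values: endpoint/batch names, CSV paths, database names, mydomain\exadmin.
# Run from a session already connected to Exchange Online (Connect-ExchangeOnline).

$onPremCred = Get-Credential -Message 'On-premises account with MRSProxy rights (assumed: mydomain\exadmin)'

# Endpoint name -> temporary mailbox from the migration plan above. Autodiscover for
# that mailbox resolves the MRSProxy URL of the Exchange 2010 CAS array hosting it,
# which is exactly the point of the third strategy.
$endpoints = @{
    'NA-2010-Endpoint' = 'tempmbxNA@mydomain.com'
    'EU-2010-Endpoint' = 'tempmbxEU@mydomain.com'
}
foreach ($name in $endpoints.Keys) {
    if (-not (Get-MigrationEndpoint -Identity $name -ErrorAction SilentlyContinue)) {
        New-MigrationEndpoint -ExchangeRemoteMove -Name $name `
            -Autodiscover -EmailAddress $endpoints[$name] -Credentials $onPremCred | Out-Null
    }
    # Check before creating batches: RemoteServer must be the 2010 CAS, not mail2013.
    $ep = Get-MigrationEndpoint -Identity $name
    if ($ep.RemoteServer -like 'mail2013*') {
        throw "Endpoint $name resolved to $($ep.RemoteServer); recreate it with an Exchange 2010 mailbox"
    }
    "{0} -> {1}" -f $ep.Identity, $ep.RemoteServer
}

# Batches: one CSV per site with a single EmailAddress column (constructed files).
# -TargetDatabases selects the Exchange 2010 database directly, so there is no 2013 hop.
$batches = @(
    @{ Name = 'Offboard-NA-01'; Endpoint = 'NA-2010-Endpoint'; Csv = 'C:\migration\na-users.csv'; Db = 'NA-DAG-DB01' }
    @{ Name = 'Offboard-EU-01'; Endpoint = 'EU-2010-Endpoint'; Csv = 'C:\migration\eu-users.csv'; Db = 'EU-DAG-DB01' }
)
foreach ($b in $batches) {
    New-MigrationBatch -Name $b.Name `
        -SourceEndpoint $b.Endpoint `
        -TargetDeliveryDomain 'mydomain.com' `
        -TargetDatabases @($b.Db) `
        -CSVData ([System.IO.File]::ReadAllBytes($b.Csv)) `
        -AutoStart | Out-Null
}

# Progress overview; a batch that fails immediately with a "target database" error
# is the symptom of an endpoint that resolved to the wrong server version.
Get-MigrationBatch | Select-Object Identity, Status, TotalCount, SyncedCount, FailedCount
```

The credential used for the endpoint only needs rights to the on-premises MRSProxy (a member of Recipient Management or Organization Management), so a dedicated migration account is preferable to the personal domain admin account mentioned earlier in the post.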


In my next post I will explain all the catches I found while renewing SSL certificates across my whole Exchange environment – that was fun as well !!!

How to set Free/Busy permissions in Exchange Management Shell

This article describes how to add, change, and remove Free/Busy permissions.

You can view or set Free/Busy permissions through the Exchange Management Shell. Use the following table to match Microsoft Outlook permissions with the access permissions that Microsoft Exchange Server uses.

Requested Outlook permissions            Access rights
---------------------------------------  ------------------
Free/Busy time                           AvailabilityOnly
Free/Busy time, subject, location        LimitedDetails
Reviewer                                 Reviewer
Nonediting Author                        NonEditingAuthor
Author                                   Author
Publishing Author                        PublishingAuthor
Editor                                   Editor
Publishing Editor                        PublishingEditor
Owner                                    Owner

How to view Free/Busy permissions

To view current Free/Busy permissions, run the following cmdlet:

Note The <PrimarySMTP> placeholder represents the mailbox for which you want to view permissions.

For example, the cmdlet resembles the following:

How to add Free/Busy permissions

To add Free/Busy permissions, run the following cmdlet:

Notes

  • The <PrimarySMTP> placeholder represents the mailbox for which you want to change permissions.
  • The <UserSMTP> placeholder represents the user who is granted Free/Busy permissions.
  • The <AccessRights> placeholder represents the user permissions.
  • If you want to make the Free/Busy time viewable for nonspecific users, the AccessRights setting for the default user should be AvailabilityOnly or higher.

For example, the following cmdlet grants otheruser@contoso.com permission to view the calendar for user@contoso.com:


How to remove Free/Busy permissions

To remove Free/Busy permissions, run the following cmdlet:

Notes

  • The <PrimarySMTP> placeholder represents the mailbox for which you want to change permissions.
  • The <UserSMTP> placeholder represents the user who is granted Free/Busy permissions.

For example, the following cmdlet revokes permission for otheruser@contoso.com to view the calendar for user@contoso.com:
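The three operations described above (view, add or change, remove) can be combined into one script for the Exchange Management Shell. This is an added example, not the article's own cmdlets: it validates the requested access right against the mapping table at the top of the article, resolves the calendar folder name from the mailbox instead of hard-coding "\Calendar" (the folder is localised on non-English mailboxes), and finishes by checking the Default entry, since anonymous Free/Busy lookups need AvailabilityOnly or higher there. The mailboxes user@contoso.com and otheruser@contoso.com are the article's placeholders.

```powershell
# Added example (not the article's own script): view, grant/change and revoke
# Free/Busy (calendar folder) permissions with the MailboxFolderPermission cmdlets.
# Assumed values: the two contoso.com addresses and the requested access right.

$PrimarySmtp  = 'user@contoso.com'        # mailbox whose calendar is shared
$UserSmtp     = 'otheruser@contoso.com'   # user receiving the permission
$AccessRights = 'LimitedDetails'          # Outlook: "Free/Busy time, subject, location"

# Accepted values, taken from the Outlook-to-Exchange mapping table
$validRights = 'AvailabilityOnly', 'LimitedDetails', 'Reviewer', 'NonEditingAuthor',
               'Author', 'PublishingAuthor', 'Editor', 'PublishingEditor', 'Owner'
if ($validRights -notcontains $AccessRights) {
    throw "AccessRights '$AccessRights' is not one of: $($validRights -join ', ')"
}

# Folder identity has the form <mailbox>:\<calendar folder>. Resolve the folder
# path from statistics so localised folder names still work.
$calendar = Get-MailboxFolderStatistics -Identity $PrimarySmtp -FolderScope Calendar |
            Where-Object { $_.FolderType -eq 'Calendar' } | Select-Object -First 1
$folderId = '{0}:{1}' -f $PrimarySmtp, $calendar.FolderPath.Replace('/', '\')

# 1. View current permissions
Get-MailboxFolderPermission -Identity $folderId | Format-Table User, AccessRights -AutoSize

# 2. Add the permission, or change it if the user already has an entry
#    (Add-MailboxFolderPermission fails when an entry for the user exists)
$existing = Get-MailboxFolderPermission -Identity $folderId -User $UserSmtp -ErrorAction SilentlyContinue
if ($existing) {
    Set-MailboxFolderPermission -Identity $folderId -User $UserSmtp -AccessRights $AccessRights
} else {
    Add-MailboxFolderPermission -Identity $folderId -User $UserSmtp -AccessRights $AccessRights
}

# 3. Remove the permission again
Remove-MailboxFolderPermission -Identity $folderId -User $UserSmtp -Confirm:$false

# Default entry: must be AvailabilityOnly or higher for non-specific users to see Free/Busy
Get-MailboxFolderPermission -Identity $folderId -User Default | Format-Table User, AccessRights -AutoSize
```

Run the view step again after each change; the Default and Anonymous entries are the ones to review when calendar details leak to users who should only see availability.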

SMTP certificate renewal and EDGE subscription

1. Import the new certificate
To import the certificate into the local certificate store, run:

2. Connect the pending request to the certificate
If step 1 failed to connect the certificate to its pending request inside the certificate store, run:

3. Enable the new Exchange certificate for the SMTP service
Before the certificate can be used, it must be enabled for the particular services.

Result:

4. Restart the transport service and the AD LDS service
At this moment e-mail stops flowing to this EDGE server, because AD LDS is using the new certificate while the Edge subscription was created with the old one.

5. Create the subscription file (XML) on the Edge server and copy it to the HUB server
We don't need to create connectors for the EDGE Subscription, since those already exist. The EDGE must be subscribed to the AD site within 24 hours of creating the subscription file.

Result:

6. Subscribe the EDGE server on the HUB using the subscription file (XML).
We need to re-create the trusted connection between the Edge server and the HUB servers. The subscription needs to be re-created because AD LDS must use the new certificate instead of the old one. It is enough to subscribe each EDGE server once per subscription.

7. Restart the EDGE server
Just to be sure all settings are applied before testing.

8. Test the Edge Subscription
If the test is not successful you receive an error.

Successful result:

9. Test mail flow

10. Start Edge synchronisation manually

Result:

TechNet Link: http://technet.microsoft.com/en-us/library/bb310755(v=exchg.80).aspx
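The ten steps above, written out as two Exchange Management Shell scripts, one for the EDGE server and one for a HUB server in the subscribed AD site. This is an added example, not the post's own commands: the certificate file path, subscription file path, AD site name "SiteB" and HUB server name "HUB01" are assumptions, and the connector switches are set to $false because the post states the connectors already exist.

```powershell
# Added example (not the post's own script): SMTP certificate renewal and EDGE
# re-subscription. Assumed values: file paths, AD site "SiteB", HUB server "HUB01".

# ---------- Part 1: run in the Exchange Management Shell on the EDGE server ----------
$certFile = 'C:\certs\edge-smtp.cer'    # assumed: certificate issued by the CA
$subFile  = 'C:\EdgeSubscription.xml'   # assumed: subscription file to copy to the HUB

# Step 1: import the issued certificate into the local computer store
$cert = Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path $certFile -Encoding Byte -ReadCount 0))

# Step 2: if the import did not bind the certificate to its pending request, the
# entry has no private key; repair the store entry by thumbprint
if (-not (Get-ExchangeCertificate -Thumbprint $cert.Thumbprint).HasPrivateKey) {
    certutil -repairstore my $cert.Thumbprint
}

# Step 3: enable the new certificate for SMTP and show what is now active
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services SMTP -Force
Get-ExchangeCertificate | Format-Table Thumbprint, Services, NotAfter, Subject -AutoSize

# Step 4: restart transport and AD LDS. Mail flow to this EDGE stops here until the
# subscription is re-created with the new certificate (part 2).
Restart-Service MSExchangeTransport, ADAM_MSExchange

# Step 5: create the subscription file; it must be used on the HUB within 24 hours
New-EdgeSubscription -FileName $subFile -Force

# ---------- Part 2: run in the Exchange Management Shell on a HUB server ----------
$subFile = 'C:\EdgeSubscription.xml'   # the file copied from the EDGE
$adSite  = 'SiteB'                     # assumed AD site name
$hub     = 'HUB01'                     # assumed HUB server name

# Step 6: re-subscribe the EDGE; connectors already exist, so do not create them again
New-EdgeSubscription -FileData ([byte[]](Get-Content -Path $subFile -Encoding Byte -ReadCount 0)) `
    -Site $adSite -CreateInternetSendConnector $false -CreateInboundSendConnector $false

# Step 7: restart the EDGE server (on the EDGE itself, or remotely):
#   Restart-Computer -ComputerName EDGE01 -Force

# Step 8: test the subscription; anything other than Normal carries a failure detail
Test-EdgeSynchronization | Format-List Name, SyncStatus, LastSynchronizedUtc, FailureDetail

# Step 10: force a synchronisation from this HUB, then re-test and show only problems
Start-EdgeSynchronization -Server $hub
$bad = Test-EdgeSynchronization | Where-Object { $_.SyncStatus -ne 'Normal' }
if ($bad) { $bad | Format-List Name, SyncStatus, FailureDetail } else { 'Edge synchronization: Normal' }

# Step 9: mail flow check from the HUB side; queues towards the EDGE should drain
Get-Queue | Where-Object { $_.MessageCount -gt 0 } | Format-Table Identity, Status, MessageCount -AutoSize
```

Keep the old certificate enabled on the EDGE until step 6 has succeeded; the gap between step 4 and step 6 is the outage window, so copy the subscription file across before running step 4 if the two hosts are not both at hand.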


Test post with PowerShell code inside

This is a test line of PowerShell code inside a WordPress post

This is next line