Moving to O365: Some Observations
Having recently moved a small shop to Office 365 (62 Days to the Cloud), I would like to share a few observations about what we learned so that you can prepare for the best experience. This is not a complete set of tips, but there are a few here that I suspect will save you some time and frustration. For context, this effort involved a local Windows Domain, hosted Exchange for the source environment, established Office 365 E3 Plan as the destination, and used Microsoft Directory Synchronization (dirsync).
The first thing we did was sign up for a tenant with O365. This can be done with the free trial to start and then later changed to one of the subscriptions. The first tip here is to pick a name that is short and convenient because it will be appended with “.onmicrosoft.com” and you will use it frequently for administrative and troubleshooting access. We had an enterprise name like “Northwest Trading Inc” that had an e-mail and web domain of “NWTrade.com.” We opened the tenant using “NorthwestTradingInc” for the name. In hindsight, we should have used “NWTrade”.
The next thing you will do is create some user accounts – and since you haven’t got Dirsync configured yet they’ll be “In Cloud” accounts. Now, when you create these accounts, DO NOT use names and aliases that already exist on your local domain because that leads to collisions, confusion, and some cleanup later on. DO create an Administrative account that you will use strictly for tenant management. You do not need to use up a license for that account. It will be usable with or without the Dirsync functioning. That is important for troubleshooting and repair if the directory synchronization gets compromised.
When you assign Global Administrator rights to an account, you will need to provide a secondary e-mail address that Microsoft will use for notifications. That secondary e-mail address MUST deliver to a mailbox outside of your O365 tenant. That makes sense as an out-of-band model, should e-mail delivery or access to your tenant be compromised. However, Microsoft also uses that address for Invoice notification. That means you need to be disciplined about checking for your invoice through the admin console, or keep a constant eye on that secondary mailbox. There is a way to set that e-mail address to a mailbox in your tenant, but only by using PowerShell. Note: this is not relevant if you set up a credit card for automatic payments (but that is pricey at $2,200 a month — without adding any other subscriptions, like Visio and Project).
Directory Synchronization (Dirsync) will copy your domain user objects and passwords to the tenant, and this is very convenient. But once it is turned on, it makes your local domain the authoritative source for user attributes, and actually disables the ability to change them with the O365 admin console. So, user attribute management must be done on your local domain and then synchronized to the O365 accounts with Dirsync. The default frequency for that synchronization is every three hours. That can be tailored with an .ini file setting. You can also trigger a “sync now,” but that’s another PowerShell operation. When we deployed last summer, Dirsync was required to run on a member server and was not supported on a Domain Controller. That restriction has been removed since, so that can save a server instance.
Before you turn on Dirsync, carefully consider your naming conventions for three key items:
1. User Principal Name (UPN): This is the string folks will use to authenticate with O365 in Outlook Web App, Outlook Client, SkyDrive Pro, and ActiveSync.
2. Primary SMTP Address: This is the address that gets stamped on your outbound e-mail, designated by “SMTP:” in the ProxyAddresses attribute on the user object. Additional addresses can be added by using the lowercase “smtp:” prefix. Those get applied in the local domain and synchronized with Dirsync.
3. SIP Address: This is the identity used in Lync, and it is important to get it right the first time! Changing this after the fact is basically creating a new Lync user and leads to a lot of contact cleanup.
At NWTrade.com, we used these formats:
Primary SMTP Mike.Grady@nwtrade.com
The UPN followed the existing norm for the organization. In retrospect, we might have been better served with the SIP address matching the Primary SMTP because that would have been more intuitive for external folks adding NWTrade contacts. Many organizations have folks include their SIP: address in the e-mail signature, and that’s a good approach here.
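The ProxyAddresses convention from item 2 above, as an added example that is not part of the original post: a PowerShell check, run before Dirsync is turned on, that every user object carries exactly one uppercase "SMTP:" primary address and that no address is assigned to two objects. The function name and the sample users are hypothetical and constructed for illustration.

```powershell
# Added example: audit proxyAddresses before enabling Dirsync.
# Test-ProxyAddresses is a hypothetical helper name; the sample users are constructed.
function Test-ProxyAddresses {
    param([Parameter(Mandatory)] [object[]] $Users)

    $findings = @()
    foreach ($u in $Users) {
        # -clike is case-sensitive: "SMTP:" marks the primary, "smtp:" a secondary.
        $primary = @($u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
        if ($primary.Count -ne 1) {
            $findings += [pscustomobject]@{
                User  = $u.UserPrincipalName
                Issue = "expected exactly 1 primary SMTP: address, found $($primary.Count)"
            }
        }
    }

    # Strip the prefix and collect (address, owner) pairs for every SMTP entry.
    # -like is case-insensitive, so it matches both "SMTP:" and "smtp:".
    $pairs = foreach ($u in $Users) {
        foreach ($a in $u.proxyAddresses) {
            if ($a -like 'smtp:*') {
                [pscustomobject]@{ Address = $a.Substring(5); User = $u.UserPrincipalName }
            }
        }
    }
    # Group-Object ignores case by default, which suits e-mail addresses.
    foreach ($g in ($pairs | Group-Object Address | Where-Object { $_.Count -gt 1 })) {
        $owners = ($g.Group.User | Sort-Object -Unique) -join ', '
        $findings += [pscustomobject]@{
            User  = $owners
            Issue = "address $($g.Name) is assigned more than once"
        }
    }
    return $findings
}

# Constructed sample input (example.com users are not from the original post).
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'user1@example.com'
        proxyAddresses = @('SMTP:First.User@example.com', 'smtp:user1@example.com') },
    [pscustomobject]@{ UserPrincipalName = 'user2@example.com'
        proxyAddresses = @('smtp:Second.User@example.com', 'smtp:user1@example.com') }
)
Test-ProxyAddresses -Users $sample | Format-Table -AutoSize -Wrap
```

Against a live domain, the same function accepts the output of `Get-ADUser -Filter * -Properties proxyAddresses` from the ActiveDirectory module in place of `$sample`.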
That is a full post for now. There is a lot more to share and, of course, many different ways to approach these topics. These are my real observations from our NWTrade move to O365. Questions and comments welcome! And remember, your mileage may vary. :)