{"id":172,"date":"2018-04-11T17:24:58","date_gmt":"2018-04-11T15:24:58","guid":{"rendered":"http:\/\/zupertails.be\/wur\/?p=172"},"modified":"2018-04-11T17:24:58","modified_gmt":"2018-04-11T15:24:58","slug":"office-356-migration-4-3-steps-ahead","status":"publish","type":"post","link":"https:\/\/zupertails.be\/wur\/?p=172","title":{"rendered":"OFFICE 356 MIGRATION (4) – 3 steps ahead"},"content":{"rendered":"

Remember Oliver’s company (Shortstraw LLC) mail profile in one of our previous posts ?
\nRefresh your memory<\/a> if you stumble upon this website and have forgotten \/ not read the previous one.
\nI will base this actual setup on our findings in that post.
\nThe hardware and operating system upgrading procedures, that I spoke about, will not be handled here.<\/p>\n

Preparing the environment<\/h2>\n

Since we’ve established our to-do list, we can now start the procedure in which the customer will experience the least downtime.
\nDepending on the expectations of the customer, you can either perform all these actions on-the-fly or prepare yourself thoroughly. In this case we’ll take the long(er) road.<\/p>\n

After having created the 30-day trial (or go ahead and buy one instantly through Microsoft or a Cloud Solutions Partner)<\/p>\n

\"\"
At least, we’re welcome<\/figcaption><\/figure>\n

You’ll be greeted with something similar to the screenshot above.
\nClicking the upper left square icon will get you into the apps menu.
\nDepending on the user rights and licenses, you’ll see less or more icons, representing the programs and apps you’re allowed to use.<\/p>\n

\"\"One important icon you’ll see, is the “Admin<\/strong>“.
\nUsers that have administrator rights will be provided with this option.
\nIn this example, our admin user has a fully working E3 license (you get 25 of these buggers in an O365 trial), which is something that’s “not done” in a real life situation.
\nWere you to upgrade this 30 day trial to a full tenant, I strongly suggest stripping the admin account of all his licenses. It’s bad practice to use your O365 admin account for anything else than … well… admin purposes.
\nWe’ll get into licensing later.<\/p>\n

\"O365
The admin menu<\/figcaption><\/figure>\n

Click on “Admin” and a specific administrative portal opens.
\nYou can take a short tour of everything by clicking “Start the tour” if you want or read onward and click “Skip”.<\/p>\n

On the left side of the admin page you’ll notice the admin menu (which is deliberately placed as a screenshot on the right side of this page, just to confuse you)<\/p>\n

First thing you’ll be wanting to do is to create the situation with the correct internal mailflow, user rights etc.
\nRemember : as long as you don’t change the MX record in the customer’s DNS settings, NOTHING will happen<\/strong> to the existing setup.
\nYou can safely mess around until you’ve got the flow up and running to your own standards.<\/p>\n

Remembering our previous conclusion<\/a>, we’ll start creating our users’ mailboxes first.
\nIf you want to get this right at first try, you’ll want to include the domain first as an “inbound” domain into your O365 tenant. This will allow you to create user names ending in @yourdomain.com instead of @yourdomain-com.onmicrosoft.com.
\nAgain, including the domain name will not change your current mail flow.
\nDON’T PANIC !!!<\/p>\n

\"\"Open the Setup menu and click “Domains”<\/p>\n

One domain will be listed by default.
\nThis is you tenant name (in my example “shortstraw.onmicrosoft.com”) and cannot be removed.<\/p>\n

Click “Add Domain” and fill in the desired domain name, after which you click “Next”.<\/p>\n

In order for Microsoft’s servers to verify your identity and double checking if you’re actually the owner or admin for your added domain, you’ll be given the choice of either adding a TXT record or adding a fake MX record into your own DNS management software at your hosting company’s admin package.<\/p>\n

\"\"<\/p>\n

In my case, the lovely French hosting company “OVH” will be my location to turn to.<\/p>\n

\"\"
A line of TXT in OVH’s DNS management<\/figcaption><\/figure>\n

Eventually, practically every DNS hosting company allows you to manage your settings through some form of admin portal for easy setup purposes.
\nOnce the record has been added, you can click the “Verify” button to let Microsoft doucble check the creation of the record.<\/p>\n

Troubleshooting :
\n<\/strong>
\nIf the TXT record is not yet found, according to the O365 domain verification wizard, you can always start your troubleshooting on a global level by surfing to\u00a0https:\/\/dnschecker.org\/<\/a>DNS Checker creates a worldwide DNS lookup, using all sorts of DNS servers to see if your DNS record has propagated already to all locations.
\nUsually DNS propagation<\/a> for a brand new domain record will probably not take a lot of time. It’s those record changes that tend to take longer.<\/div>\n
<\/div>\n
<\/div>\n
\"\"
Successful verification will get you to this screen<\/figcaption><\/figure>\n

From this point on, you’ll be able to pick your domain name already in the user creation wizard.<\/strong>
\nShould you choose to continue, more DNS records will be added.
\nSkip forward to user creation. (link not yet implemented, because too lazy)<\/em><\/p>\n

The screenshot above will give you a sneaky Microsoft question, with the default option set to “Set up my online services for me”.
\nThough Microsoft might say “Recommended”, I strongly disagree here.<\/p>\n

“Why’s that”, you say ?
\nIn case you decide to stop your O365 adventures and want to move on to a new platform for mail, you’re going to have to go through a lot of hassle to set this straight again.<\/p>\n

Always choose to manage your own DNS records<\/strong> and click “Next”. Unless you’re REALLY pissed about your current DNS provider. In that case, I still suggest just finding another one. BUT NOT MICROSOFT FOR THE LOVE OF GOD.<\/p>\n

\"\"
Choose what you need (or select all)<\/figcaption><\/figure>\n

A step that has been neatly added in the onboarding wizard, since Q4 of 2017 is the “Choose your Online Services” wizard.
\nThis narrows down the amount of DNS records for you to add, according to the active checkmarks.
\nI’m going to select all of them, because I know my end-customer Oliver Shortstraw will need toe Exchange parts as well as the Mobile Device Management.
\nHe’s also a somebody that changes his mind in the blink of an eye, so just to be sure we won’t have to setup anything else later, I also picked “Skype for Business”.<\/p>\n

A somewhat huge list of DNS records will appear, for you to fill into your favorite DNS hoster *cough* OVH *cough*<\/p>\n

\"\"
A wild list appears. You crit it for 9000. It was super effective<\/figcaption><\/figure>\n

Now in order to fully understand what’s going on here, I’ll explain in detail the actual stuff that’s going on. Teach a man to fish<\/em> etc.<\/p>\n

FINAL WARNING<\/strong> (I won’t repeat it again) DO NOT CHANGE THE MX RECORD JUST YET<\/strong> (unless this is a brand new setup for a brand new domain, then go ahead and have fun)<\/p>\n

CNAME : autodiscover > autodiscover.outlook.com<\/strong>
\nThis record basically tells your Outlook client to read a pre-made config file on a Microsoft server.
\nThus allowing you to just enter your e-mail address and password in the Outlook setup wizard, instead of having to go through the hassle of manually setting up your O365 config.<\/p>\n

CNAME : sip > sipdir.online.lync.com
\n<\/strong>Refers to the actual SIP server for using Skype for Business\/Lync\/Teams. Your communication client will connect to this server and this server will in place patch you through to the geographically most redundant SIP server.<\/p>\n

CNAME : lyncdiscover > webdir.online.lync.com<\/strong>
\nThis server uses the same Autodiscover protocol as the Outlook one.
\nIt patches you through to the correct Microsoft server cluster where your tenant is hosted, as well as other various kinky background processes. Dragons be here.<\/p>\n

CNAME : enterpriseregistration > enterpriseregistration.windows.net<\/strong>
\nBasically serves as a registration server (duh), so the Microsoft servers know what mobile device was added to the tenant for so-called “conditional access”<\/p>\n

CNAME : enterpriseenrollment > enterpriseenrollment.manage.microsoft.com<\/strong>
\nEnrolling (again, duh) Windows mobile devices and managing them through Microsoft Intune, requires these servers.<\/p>\n

TXT : v=spf1 …<\/strong>
\nSpecifies the server(s) that may send mail, originating from your domain name.
\nMore on SPF records in an other post.
\nFor now, follow the suggested entry, which – shortly explained – allows a group of servers that are defined in the name spf.protection.outlook.all to send mail from your domain. All others are denied.<\/p>\n

SRV : _SIP<\/strong>
\nTogether with the sipfederationtls entry, these are usually the more tricky ones to enter, depending on the DNS management tool.
\n[An example from the one.com hosting panel]<\/a>.
\nThis specific entry provides the security layer.<\/p>\n

SRV : _SIPFEDERATIONTLS<\/strong>
\nThis entry states the TCP port 5061 is being used for everything federation-related in communicating over SIP. A Classic SIP port uses port 5060. Microsoft likes to do things in their own special way…<\/p>\n

MX : xxxx-yy.mail.protection.outlook.com<\/strong>
\nAn automatically generated server name, based on your domain name and domain extension.
\nMX is short for Mail Exchanger and tells other mailservers in the world where to go dump its mail for your specific domain name.
\nThe second you change this record in your DNS management (and it gets propagated world wide, bla bla) your mail will be directed to the server(s) in this record.<\/p>\n

<lazy mode> Let’s assume for the time being, that our test company does not care much for just a little downtime and let’s change all these records in our DNS management tool <\/lazy mode><\/em><\/p>\n

Clicking the “Verify” button at the bottom of the wizard page will get Microsoft’s O365 server to check all your entries. Depending on the DNS management tool and the hosting company, this might take a couple of seconds up to a couple of hours.<\/p>\n

After a successful verification of all entered services, let’s move on to creating new users in the next post<\/strong>.
\nFor now, pat yourself on the back for a job well done and have a refreshing beverage.<\/p>\n","protected":false},"excerpt":{"rendered":"

Remember Oliver’s company (Shortstraw LLC) mail profile in one of our previous posts ? Refresh your memory if you stumble upon this website and have forgotten \/ not read the previous one. I will base this actual setup on our findings in that post. The hardware and operating system upgrading<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[8,6,9],"tags":[12,13,14,10,11],"_links":{"self":[{"href":"https:\/\/zupertails.be\/wur\/index.php?rest_route=\/wp\/v2\/posts\/172"}],"collection":[{"href":"https:\/\/zupertails.be\/wur\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zupertails.be\/wur\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zupertails.be\/wur\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zupertails.be\/wur\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=172"}],"version-history":[{"count":5,"href":"https:\/\/zupertails.be\/wur\/index.php?rest_route=\/wp\/v2\/posts\/172\/revisions"}],"predecessor-version":[{"id":186,"href":"https:\/\/zupertails.be\/wur\/index.php?rest_route=\/wp\/v2\/posts\/172\/revisions\/186"}],"wp:attachment":[{"href":"https:\/\/zupertails.be\/wur\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=172"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zupertails.be\/wur\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=172"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zupertails.be\/wur\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=172"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}