Microsoft SharePoint Online for Enterprises Domain Migration Planning Template Published: October 2012

Microsoft SharePoint Online Domain Migration Planning Template

12.3


The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

©2012 Microsoft Corporation. All rights reserved.

Microsoft, ActiveSync, Active Directory, Entourage, Forefront, Internet Explorer, Lync, Outlook, SharePoint, Windows, Windows Phone, Windows Mobile, Windows PowerShell, and Windows Vista are trademarks of the Microsoft group of companies.

All other trademarks are property of their respective owners.


Contents

Chapter 1 Assessment
  section 1.1 Project Scope
  section 1.2 Migration Plan
    section 1.2.1 Tasks
    section 1.2.2 Domain List/Data Source
    section 1.2.3 Active Directory Trusts
    section 1.2.4 Current Environment

Chapter 2 During Migration
  section 2.1 User Profiles and Active Directory
    section 2.1.1 Active Directory Design
    section 2.1.2 Active Directory Synchronization
    section 2.1.3 BCS Sync'd
    section 2.1.4 User Updated
  section 2.2 People
    section 2.2.1 Resolve Users

Chapter 3 CR List

Chapter 4 Reports
  section 4.1 Orphan Site Report
  section 4.2 Active Directory Groups
  section 4.3 Broken Inheritance

Chapter 5 Schedule
  section 5.1 Active Directory Migration Schedule
  section 5.2 DMT Migration Schedule


2010/2013


Chapter 1 Assessment

The purpose of this domain migration plan template is to identify and capture all the known facts regarding domain migrations for Microsoft® SharePoint® Online for enterprises dedicated plan customers. Based on known information and assumptions, this document is an attempt to identify steps required for a successful completion of domain migrations. Customers must use this template as the basis of a complete domain migration plan.

The scope of this document is limited to remediation of user profile and permissions. Active Directory information captured and covered in this document is limited to what is required for the user profile and permission remediation. The purpose of completing this template is to ensure customers are protected from the known failure modes of SharePoint Online domain migration.

Important

This domain migration plan template must be completed and submitted for approval through the service delivery manager (SDM), along with the requisite configuration requests (CRs). The customer’s domain migration plan must be approved by Microsoft before domain migration can occur. Before domain migration planning can begin, customers must read the SharePoint Online Domain Migration Policy, available to customers on the Customer Extranet site.

section 1.1 Project Scope

In this section, provide an executive summary of what this project is to achieve.

o What is the scope of the project?
o What are the business drivers?
o Include a project description.

section 1.2 Migration Plan

Insert a screen shot of the project plan here. Include all important dates, including Alpha Pilot, Pilot and production wave schedule.

| Phase | Dates | Main Characteristics | Notes |
|---|---|---|---|
| First Phase | | | |
| Test | | | |
| Alpha Pilot | | | |
| Pilot-1 | | | |
| Pilot-2 | | | |
| Wave-1 | | | |
| Second Phase (if applicable) | | | |
| Test | | | |
| Alpha Pilot | | | |
| Pilot-1 | | | |
| Pilot-2 | | | |
| Wave-1 | | | |

section 1.2.1 Tasks

The following table lists the tasks to be performed before, during, and after the migration. The scope of these tasks is limited to user migration in SharePoint Online only.

The template below has examples of the required tasks.

| Task Order | Task | Owner | Dependency |
|---|---|---|---|
| 1 | Prepare CRs | Customer | |
| 2 | Submit CRs | Customer/SDM | |
| 4 | Plan Active Directory migration waves | Customer | |

section 1.2.2 Domain List/Data Source

Please list these details.

o Active Directory domains
o User profile data sources
o Domain synchronization
o Active Directory OU structure
o Active Directory trust relationships
o User log on account/domain

section 1.2.3 Active Directory Trusts

Clearly define and illustrate the current trust relations in SharePoint Online. Also include the trust relationships planned. In certain scenarios, the customer will gradually decompose the existing trust once the migration is complete. Please include those as well. Divide this section into Current Scenario, During Migration, and Final Scenario.

| Scenario | Trust relationship in SharePoint Online |
|---|---|
| Current Scenario | |
| During Migration | |
| Final Scenario | |

Please use a visual illustration to show various states of Active Directory trusts.

section 1.2.4 Current Environment

This section is important to the understanding of how domains are configured and designed. Details in this section help the customer identify how user profiles and authentication work in the current environment. Provide specifics of domain trusts and how SharePoint Online is configured to various domains. As a result of this section, you will be able to answer these questions:

o Is sufficient trust in place to authenticate a user?
o Is there a trust to a domain from the cloud, which would allow users to use login credentials that they should not be using once migration starts?

Apart from Active Directory trust, you will also start collecting information on how your SharePoint Online environment is configured. If you are not sure how to get specific information, please contact the SDM. In most cases a service request (SR) is required. Typically, you will look for the following information:

o FIM filters in place (on your existing Active Directory connection)
o People Picker search custom filter
o OU scope that your current user profile connection crawls
o Any web application permission policy in place
o Any audience targeting to an Active Directory security group


Chapter 2 During Migration

Based on the current Active Directory trust and user profile connection discovered above, what additional configuration will be needed during the transition? The following sections address the collection of detailed information for the following:

o Authentication
o User profiles
o Resolving users in People Picker
o FIM filters should be put in place
o People picker custom filter
o User profile property list and binding

section 2.1 User Profiles and Active Directory

Important

For information about failure modes and remediation for handling user profiles during migrations, see the SharePoint Online Domain Migration Policy, available to customers on the Customer Extranet site.

section 2.1.1 Active Directory Design

In this section, describe how the user migration is managed and controlled in Active Directory. Include these specific details:

1. Migration method: There are various methods that can be adopted in order to migrate users in Active Directory:

   o The user objects are copied into the target directory prior to their logon migration.
   o The user objects are copied but disabled in the target domain prior to actual user logon migration.
   o The user objects are not copied into target domain, but migrated along with their logon migration.

| Item | User State | Migration State |
|---|---|---|
| Copy all user objects into Target domain | User objects are copied to a different OU (rest) in the target (and are disabled / enabled) | Pre-migration |
| User Logon migration | Users are moved from rest OU into the employee OU and are enabled | During migration |
| Delete user in the source domain | User account is disabled or deleted in the source domain | Post migration |

2. Extension attributes and other attributes

| Attribute | Currently in all the domains | Will be added / removed |
|---|---|---|
| Manager | Yes | Deleted in target domain |
| Awards | No | Added: To all the domain schema |

3. Filter users: How will the SG groups be created to block and unblock users in old and new domains from accessing SharePoint Online? Specify the synchronization with relationship to the domain migration stages.

| Stage | Block user in source domain | Block user in destination domain |
|---|---|---|
| Current | | |
| During migration | | |
| After migration | | |

section 2.1.2 Active Directory Synchronization

Identify the user profile properties in this section that are being synchronized from the current Active Directory. This will help ensure that source Active Directory attribute schema and the target domain attribute schema are in sync. Note any additional attributes that are being included in the schema and that all the domains that are used to build user profiles during migration conform to the schema.

| User Profile properties | Current Active Directory attr. Schema | Source Active Directory attr. Schema |
|---|---|---|
| | | |

section 2.1.2.1 Account block/unblock activities

When a user logs into SharePoint 2010, authentication is done by the operating system and IIS. Since there will be various trust relationships between domains, if users are not disabled in the source domain as they are migrated, in theory users can log into SharePoint using the old login (sign in as). If the domain migration tool (DMT) is executed for that user in SharePoint Online, the user will generally see an “access denied” error from the SharePoint authorization process. But the user will be served pages that have “All authenticated user” permissions defined. This may create confusion and an undesired user experience. If the DMT is not executed for the user in SharePoint Online, logging in using the new login will cause the DMT to fail for that user.

| Migration Stage | Not Migrated user in Source | Not Migrated user in target |
|---|---|---|
| Current | | |
| During | | |
| After | | |

You can use a web application policy in combination with an Active Directory security group to deny access to SharePoint Online by placing users in the Active Directory security group. Please describe here how this is being addressed.
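
The two failure modes described in this section can be checked for before each migration wave. The following is an added example, not part of the Microsoft template: it assumes a merged per-user inventory with hypothetical column names, built from the source and target Active Directory exports, the DMT run log, and membership of the deny-policy security group.

```python
import csv
import io

# Constructed sample inventory (not real data). The column names are
# assumptions made for this example, one row per migrating user.
SAMPLE_INVENTORY = """\
user,source_enabled,target_enabled,dmt_executed,source_in_deny_sg,target_in_deny_sg
adavis,true,false,false,false,true
bchen,true,true,true,false,false
cmoore,true,true,false,false,false
dpatel,false,true,true,false,false
ekim,true,true,true,true,false
flopez,true,true,false,false,true
"""

REQUIRED = ("user", "source_enabled", "target_enabled", "dmt_executed",
            "source_in_deny_sg", "target_in_deny_sg")

# Old login works after the DMT ran: user gets "access denied" on most
# content but is still served "All authenticated user" pages.
OLD_LOGIN_USABLE = "old login still usable after DMT run"
# New login works before the DMT ran: signing in makes the DMT fail.
NEW_LOGIN_BEFORE_DMT = "new login usable before DMT run"


def as_bool(value):
    """Parse a strict true/false cell; anything else is a data error."""
    text = str(value).strip().lower()
    if text not in ("true", "false"):
        raise ValueError(f"expected true/false, got {value!r}")
    return text == "true"


def can_reach_sharepoint(enabled, in_deny_sg):
    """An account reaches SharePoint Online only if it is enabled and is
    not in the security group bound to the deny web application policy."""
    return enabled and not in_deny_sg


def audit(inventory_csv):
    """Return (user, issue) pairs for accounts in either failure mode."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError("inventory is missing columns: " + ", ".join(missing))
    findings = []
    for row in reader:
        dmt_done = as_bool(row["dmt_executed"])
        old_ok = can_reach_sharepoint(as_bool(row["source_enabled"]),
                                      as_bool(row["source_in_deny_sg"]))
        new_ok = can_reach_sharepoint(as_bool(row["target_enabled"]),
                                      as_bool(row["target_in_deny_sg"]))
        if dmt_done and old_ok:
            findings.append((row["user"], OLD_LOGIN_USABLE))
        if not dmt_done and new_ok:
            findings.append((row["user"], NEW_LOGIN_BEFORE_DMT))
    return findings


if __name__ == "__main__":
    for user, issue in audit(SAMPLE_INVENTORY):
        print(f"{user}: {issue}")
```

An empty result means every account is either blocked or disabled on the side where it should not yet (or no longer) be usable.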

section 2.1.3 BCS Sync'd

Many organizations use a BCS layer to populate certain user profile properties. Please identify profile properties, if any. This may call for some remediation of BCS layer as the users are being migrated. LANID is almost always used as a primary key when using BCS to sync user profile properties. Ensure that back-end attribute data source switches to the new LANID as users are being migrated.

| Information | Yes / No | Plan to remediate |
|---|---|---|
| Do you use BCS to sync data in profile properties? | | |
| Are you planning to modify your BCS solution for migrated users? | | |
| Are there any custom applications that may be using the BCS sync’d data? | | |

section 2.1.4 User Updated

Because user-updated properties are managed by the users and are stored in the profile database, when the user is migrated, these properties are lost. SharePoint builds new profiles. Depending on the number of user-updatable properties and how critical they are, have a plan to automate populating these properties by leveraging the user profile service API. This is not a required step. But depending on the business requirement, include the decision and plan to handle the user-updated profile properties.

| Property | Any change in the target domain | Dependency if this is not remediated |
|---|---|---|
| | | |

section 2.2 People

section 2.2.1 Resolve Users

Since People Picker and user profile are two completely separate features, People Picker executes in real time against Active Directory. For this to work correctly, ensure that People Picker is configured to resolve users from the appropriate domain. Ensure that the new domains are reachable from the SharePoint Online data center. In this section, please list the FQDNs of domains that will now be used to resolve the users.

| FQDN list |
|---|
| |


Chapter 3 CR List

| Purpose (Jon Doe is migrated to newdomain) | CR | CR Number / SharePoint Online template links |
|---|---|---|
| New account profiles are not imported in SharePoint online farm before running DMT. After this CR is run, NewDomain\Jon Doe profile will be “marked for deletion.” | 1. Standard CR: Update FIM Filter to exclude NewDomain\Jon Doe | SPOD-10-143: Modify Forefront Identity Manager Filter |
| To delete the users’ old profile after the domain migration, the customer must go to SPSites to manage user profile deletion. | 1. Managed in SPSites. Below are the details on the user profile deletion in SPSites. 2010: Click Here for documentation. 2013: Click Here for documentation. | |
| If the user accesses a SharePoint Online site with new domain account, the migration will FAIL. These CRs are to ensure that NewDomain\Jon Doe CANNOT access any SharePoint Online sites. | 2. Standard CR: update People Picker Filter to exclude NewDomain\Jon Doe (only be able to choose users in CURRENT domain); 3. Standard CR: implement a DENY ALL web application policy for SG that contains NewDomain\Jon Doe | SPOD-10-135: People Picker Filter; SPOD-10-023: Update User Policy for Web Application |


Chapter 4 Reports

section 4.1 Orphan Site Report

Orphan sites are a failure scenario in SharePoint 2010. Submit the appropriate SR to get a report on users impacted by orphan sites (config orphan) and to clean up orphan sites.

section 4.2 Active Directory Groups

As of the writing of this document, DMT does not re-permission the security in SharePoint Online directly given to Active Directory groups. Describe the remediation in place to re-permission Active Directory groups in SharePoint Online. Typically this is a manual remediation.

section 4.3 Broken Inheritance

This is a POC/test scenario. Please perform adequate testing in the pre-production environment (PPE) to ensure the DMT tool is able to remediate the permissions of subsites that do not inherit permissions from the parent.


Chapter 5 Schedule

section 5.1 Active Directory Migration Schedule

| Phase | Date | User count | Environment |
|---|---|---|---|
| Test | | 10 | On premises |
| Alpha Pilot | | 10 | Production |
| Pilot-1 | | 50 | Production |
| Pilot-2 | | 50 | Production |
| Wave-1 | | 1000 | Production |
| End Migration | | | Production |

section 5.2 DMT Migration Schedule

| DMT execution Phase | Date | Max user count/DMT run | DMT frequency per day | Environment |
|---|---|---|---|---|
| Test | | 10 | | On premises |
| Alpha Pilot | | 10 | | Production |
| Pilot-1 | | 50 | | Production |
| Pilot-2 | | 50 | | Production |
| Wave-1 | | 1000 | | Production |
| End Migration | | | | Production |

Note: The DMT can be scheduled hourly with up to 1,000 user records. If the DMT is scheduled to run once a day, the .csv file can contain 10,000 user records.
