What We'll Do
We will migrate every mailbox from your on-premises Exchange 2013 server to Microsoft's Exchange Online using a cutover migration. This means all mailboxes move at once over a single weekend. Employees come in Monday morning to find their email working exactly as before — same Outlook, same contacts, same calendar — but now running from Microsoft's cloud instead of the aging server in the office.
This is the most time-sensitive phase of the project. Email is the backbone of daily communication, so we plan the cutover carefully and execute it when the office is closed to avoid any disruption to the business day.
Cutover migration is the simplest and fastest method for organizations with fewer than 150 mailboxes. All mailboxes migrate simultaneously, and the DNS change — which tells the internet where to deliver new email — is made once everyone's data has synced. By doing this on a Saturday, we avoid any impact to the business day.
Pre-Cutover Preparation
During the week before the cutover weekend, we handle all the setup and testing so Saturday goes smoothly.
- Document all mailboxes, distribution lists, shared mailboxes, and mail contacts in Exchange 2013
- Configure Outlook Anywhere on Exchange 2013 (required for cutover migration)
- Create migration endpoint in the Exchange Online admin center
- Test with 1–2 pilot mailboxes (admin account + one volunteer) to catch any issues early
- Prepare DNS change plan (MX, autodiscover, SPF, DKIM, DMARC)
- Communicate cutover schedule to all staff
Migration Risk Factors — Resolved Before Cutover Weekend
The items below are the most common failure points in Exchange 2013 cutover migrations. Every one of these will be validated during Phase 0 discovery — not on Saturday night.
| Risk | What We Check | When |
|---|---|---|
| SSL certificate invalid or self-signed | Run Test-MigrationServerAvailability from Exchange Online admin | Phase 0 |
| Autodiscover misconfigured | Test from external network connection | Phase 0 |
| Firewall blocking Microsoft migration IPs | Review SonicWall rules on port 443 for 72.70.41.163 | Phase 0 |
| DNS TTL too high | Lower all records to 300s at least 48hrs before cutover | Week before cutover |
| Network Solutions access unconfirmed | Verify credentials with Mike during discovery | Phase 0 |
| Mailboxes over 10GB | Check sizes — clean up or pre-stage large mailboxes | Phase 0 |
| Delegate permissions lost | Document all Send As / Full Access — re-apply manually in Exchange Online | Phase 1 |
| Public folders in use | Check for public folders — migrate separately if found | Phase 0 |
| Mobile devices break | Identify all mobile email users — prepare reconfiguration instructions | Phase 5 |
| SPF includes old server IP | Pull current SPF — remove 72.70.41.163 post-migration | Cutover weekend |
If DNS TTL values at Network Solutions are at the default of 86400 seconds (24 hours), a DNS mistake during the cutover window takes up to 24 hours to recover from. Lower every record that will be touched to 300 seconds at least 48 hours before the cutover weekend. This is the single easiest thing to forget and the most painful when you do. Raise TTLs back to 3600 after migration is confirmed stable.
Cutover Weekend (Saturday)
On Saturday, we begin the migration and work through each step until mail flow is fully transitioned to Exchange Online.
- Start cutover migration batch (all mailboxes)
- Monitor migration progress (estimated 2–8 hours for 15–20 mailboxes)
- Once initial sync is complete, update MX records at Network Solutions
- Update SPF record for email authentication
- Configure DKIM email signing in Microsoft 365
- Update DMARC record (p=none → p=quarantine)
- Update autodiscover DNS record
- Verify mail flow — send and receive test from external accounts
For full technical details on the cutover process, see Microsoft's official documentation: Cutover Migration to Microsoft 365
Post-Cutover (Sunday / Monday)
After the weekend migration, we complete the final validation steps and begin retiring the old infrastructure.
- Final delta sync (catches any emails received during the cutover window)
- Complete migration batch
- Test Outlook Web Access at outlook.office365.com
- Remove public internet access to the old Exchange server (72.70.41.163)
- Update Barracuda ESS delivery destination from on-prem Exchange IP to boardwalkrealestate-com.mail.protection.outlook.com
- Remove 72.70.41.163 from SPF record
- Block public inbound port 443 to 72.70.41.163 at SonicWall immediately after MX change
- Re-apply all delegate permissions in Exchange Online (Send As / Full Access)
- Send mobile device reconfiguration instructions to all staff before Monday morning
- Raise DNS TTLs back to 3600 after migration confirmed stable
- Disable on-premises Exchange services
DNS Records Summary
These DNS changes redirect email delivery from the old server to Microsoft 365. All changes are made at Network Solutions (your domain registrar).
| Record Type | Name | Value | Action |
|---|---|---|---|
| MX | boardwalkrealestate.com | Pref 0: d274065a.ess.barracudanetworks.com; Pref 10: d274065b.ess.barracudanetworks.com | No change |
| TXT (SPF) | boardwalkrealestate.com | v=spf1 include:spf.protection.outlook.com -all | Change |
| CNAME | autodiscover | autodiscover.outlook.com | Change |
| TXT (DMARC) | _dmarc | v=DMARC1; p=quarantine; rua=mailto:cooper@boardwalkrealestate.com,mailto:9ae49c30@mxtoolbox.dmarc-report.com; ruf=mailto:cooper@boardwalkrealestate.com,mailto:9ae49c30@forensics.dmarc-report.com; fo=1; pct=100; sp=quarantine; adkim=r; aspf=r | Update existing |
| CNAME (DKIM) | selector1._domainkey / selector2._domainkey | Microsoft-provided values | Add new |
| Barracuda ESS | Admin portal — Delivery destination | Update to boardwalkrealestate-com.mail.protection.outlook.com | Change (inside Barracuda portal, not DNS) |
The existing DMARC record sends aggregate and forensic reports to cooper@boardwalkrealestate.com. This mailbox must exist and be active in Exchange Online after migration or DMARC reporting will fail silently. Confirm this mailbox is created in the new tenant or update the rua/ruf addresses to an active mailbox before cutover.
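The TTL rule from the risk section and the SPF and DMARC points above can be checked against an exported copy of the zone before the cutover weekend. This is an added example, not part of the original plan: the snapshot TTLs and the pre-migration SPF value are constructed, and the function names are hypothetical.

```python
import ipaddress

OLD_SERVER_IP = "72.70.41.163"   # on-premises Exchange IP named in the plan
DOMAIN = "boardwalkrealestate.com"
CUTOVER_TTL = 300                # TTL target from the plan, in seconds

# Constructed snapshot (name, type, ttl, value). The TTLs and the "before" SPF
# value are assumptions for this example; the DMARC value is the plan's record.
SNAPSHOT = [
    (DOMAIN, "TXT", 86400,
     "v=spf1 ip4:72.70.41.163 include:spf.protection.outlook.com -all"),
    ("autodiscover." + DOMAIN, "CNAME", 300, "autodiscover.outlook.com"),
    ("_dmarc." + DOMAIN, "TXT", 3600,
     "v=DMARC1; p=quarantine; rua=mailto:cooper@boardwalkrealestate.com,"
     "mailto:9ae49c30@mxtoolbox.dmarc-report.com; "
     "ruf=mailto:cooper@boardwalkrealestate.com,"
     "mailto:9ae49c30@forensics.dmarc-report.com; fo=1; pct=100; sp=quarantine; adkim=r; aspf=r"),
]

def spf_authorizes(spf, ip):
    """True if a literal ip4: mechanism covers ip (include:/a/mx need DNS)."""
    addr = ipaddress.ip_address(ip)
    for term in spf.split()[1:]:
        mech = term.lstrip("+-~?").lower()
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:], strict=False):
            return True
    return False

def in_domain_report_mailboxes(dmarc, domain):
    """Local rua/ruf addresses that must exist as mailboxes after migration."""
    tags = dict(p.strip().split("=", 1) for p in dmarc.split(";") if "=" in p)
    uris = ",".join(tags.get(t, "") for t in ("rua", "ruf")).split(",")
    addrs = {u.strip().lower().split("mailto:", 1)[-1] for u in uris}
    return sorted(a for a in addrs if a.endswith("@" + domain))

def preflight(snapshot):
    findings = []
    for name, rtype, ttl, value in snapshot:
        if ttl > CUTOVER_TTL:
            findings.append(f"{name} {rtype}: TTL {ttl}s exceeds {CUTOVER_TTL}s")
        if rtype == "TXT" and value.startswith("v=spf1") and spf_authorizes(value, OLD_SERVER_IP):
            findings.append(f"{name}: SPF still authorizes {OLD_SERVER_IP}")
        if rtype == "TXT" and value.startswith("v=DMARC1"):
            for box in in_domain_report_mailboxes(value, DOMAIN):
                findings.append(f"{name}: confirm {box} exists in Exchange Online")
    return findings

if __name__ == "__main__":
    print("\n".join(preflight(SNAPSHOT)))
```

The SPF check only evaluates literal ip4: mechanisms; an old address reachable through an a, mx or include: term still has to be confirmed with a live lookup.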
The old Exchange server will remain running for 48 hours after the MX record change. Any email that was in transit or cached by external servers will still be deliverable. Pilot testing with 1–2 mailboxes before the weekend cutover catches compatibility issues early.
What Users Will Notice
By Monday morning, email works the same way — Outlook opens and sends/receives normally. The only visible change is that webmail is now accessed at outlook.office365.com instead of the old OWA address. No new passwords, no new software to learn. It simply works.
Since we do not push Outlook configuration via Intune in the v2.0 model, mobile email setup requires a user action. Every employee with email on their phone must either re-authenticate the Outlook app or remove and re-add their account using M365 credentials. We will send a step-by-step mobile setup guide (with screenshots for both iOS and Android) before the cutover weekend. For a real estate firm where agents rely on mobile email throughout the day, this communication must go out before Monday morning.