Are you getting this error in Microsoft 365 Admin center when viewing mail tab of a user? And on-prem Exchange has already been decomissioned? Well, you kinda have to “fake” the migration and clear some user’s attributes:

In AD Users and Computers, make sure Advanced Features are activated (View > Advanced Features). Go to the users OU and double click on the user. Select AttributeEditor and clear the following attributes:

msExchMailboxGuid

msExchRecipientDisplayType

msExchRecipientTypeDetails

Run AD / Entra Sync:

Start-ADSyncSyncCycle -PolicyType Delta

Wait for 15-30min and now the user will get an Exchange Online Mailbox if he has a license.

References:

https://techpress.net/this-users-on-premises-mailbox-hasnt-been-migrated-to-exchange-online/

If you ever wondered if there is a cooler or faster way to update a computer’s group membership without having to reboot: well there is. If you delete or “purge” the kerberos tickets on the machine and then perform a gpupdate, the client is going to retrieve a new kerberos ticket with the new group membership.

Here are the two (well, if have never heard of gpupdate /force):

klist -lh 0 -li 0x3e7 purge

gpupdate /force

References:

https://www.shellandco.net/update-computer-membership-without-reboot/

In an Active Directory environment, it is best practice to enable DNS Aging and Scavenging. Aging and Scavenging will ensure that old DNS entries (such as decommissioned servers or computers) are deleted regularly. You will find this option by opening the properties in DNS Manager under the advanced tab or in the properties of a Forward Lookup Zone.

For detailed information, check out https://www.windowstechno.com/dns-aging-and-scavenging/.

On old Windows Active Directory environments, you might need to upgrade the Sysvol share from File Replication Service to Distributed File System Replication. This is very easy to do and it should be done asap in your environment.

Unfortunately I do not have screenshots to share with you, but here are the steps:

With dfsrmig /getmigrationstate you can see the status of the migration. Dfsrmig has 4 states starting from 0:

• State 0 – started
• State 1 – prepared
• State 2 – redirected
• State 3 – eliminated

Step 1:

dfsrmig /setglobalstate 0

Wait untill all Domain Controllers have the state “started”. You can check the state with dfsrmig /getmigrationstate. Be very patient as it might take some time to replicate changes particularly if you have Domain Controllers on remote offices.

Step 2:

dfsrmig /setglobalstate 1

Wait until all Domain Controller have the state “prepared”. You can check the state with dfsrmig /getmigrationstate. Once again, be very patient and double check the output.

Step 3:

dfsrmig /setglobalstate 2

Wait until all Domain Controller have the state “redirected”. You can check the state with dfsrmig /getmigrationstate. Be very patient and double-check the output.

Step 3:

dfsrmig /setglobalstate 3

Wait until all Domain Controller have the state “eliminated”. You can check the state with dfsrmig /getmigrationstate. Be very patient and double-check the output.

In addition to the last migration state, make sure the File Replication Service service is disabled on every Domain Controller.

References:

https://www.rebeladmin.com/2015/04/step-by-step-guide-for-upgrading-sysvol-replication-to-dfsr-distributed-file-system-replication/

With this awesome script, you can read Active Directory group membership and convert that information into a CSV file, which can be imported in Microsoft Excel.

The file will be saved inside C:\Temp. The result looks something like this (I’m no Excel wizard):

https://github.com/ajnik/AD-Group-Membership-to-Excel/blob/main/AD-Groups-To-CSV.ps1

Note: Not my script. Check credits.