TL;DR. Commercial real estate firm, 900+ users, domain rewrite migration touching every UPN, SMTP, and proxyAddress attribute. Hybrid AD and Exchange coexistence maintained throughout, PowerShell CDS automation for bulk rewrites.
What was the client environment?
A major commercial real estate and advisory firm with offices across major metropolitan markets needed to restructure its Microsoft 365 and Active Directory environment. The project required a domain rewrite migration, reconfiguring user principal names, SMTP addresses, and directory objects to align with a new domain structure, along with hybrid AD synchronization and Exchange coexistence.
What made this migration challenging?
Domain rewrite migrations are among the most technically demanding M365 migration scenarios. They touch every layer of the identity and messaging stack:
- Domain rewrite complexity. User principal names (UPNs), SMTP addresses, and directory attributes all needed to be rewritten to the new domain. If misconfigured, the process can break authentication, email delivery, and application access simultaneously.
- OU-based object scoping. The domain rewrite workflows required careful configuration of default OUs for object creation across different migration workstreams (users, groups, contacts), ensuring objects were placed correctly in the target AD structure.
- MFA and service account conflicts. PowerShell CDS (Custom Deployment Solution) accounts used for automated migration tasks were being blocked by conditional access MFA requirements. Two of the three CDS accounts were failing authentication, causing errors in the automated rewrite logs.
- Hybrid AD and Exchange coexistence. The migration needed to maintain hybrid AD synchronization and Exchange mail flow throughout the domain rewrite process, ensuring no disruption to the firm's real estate transaction communications.
How did LeadThem approach the migration?
Domain rewrite configuration
Phase 1: Domain rewrite setup. Configured domain rewrite workflows including default OU selection for object creation across users, groups, and contacts. Set up rewrite rules for UPN, SMTP, and proxyAddress attributes. Configured PowerShell CDS accounts and worked with the client's security team to properly exclude them from MFA conditional access policies, resolving authentication failures that were blocking automated rewrite operations.
Phase 2: Pilot rewrite and validation. Executed pilot domain rewrites to validate the complete process chain (UPN changes, SMTP address updates, AD attribute modifications, and Entra ID synchronization). Verified that rewritten users could authenticate, send and receive email, and access Teams and SharePoint without disruption.
Phase 3: Production rollout. Scaled domain rewrite operations to production batches with automated PowerShell CDS execution. Monitored each batch for rewrite errors and validated mail flow, authentication, and application access after each batch completed.
What technical challenges did we solve?
- MFA blocking CDS automation. Two of three PowerShell CDS service accounts were failing due to MFA requirements. Our engineer identified the specific conditional access policy causing the blocks, documented the required exclusions, and worked with the client's security team to implement changes that maintained security while enabling the automated migration workflows.
- OU placement configuration. Different object types (users, groups, contacts) needed to be created in different OUs during the domain rewrite process. Our engineer configured the rewrite workflows with the correct default OU mappings for each object type, preventing misplaced objects that could cause permission and GPO application issues.
- Hybrid coexistence during rewrite. Rewriting SMTP domains while maintaining hybrid Exchange mail flow required careful sequencing of MX record changes, connector updates, and accepted domain configurations. Our team ensured mail flow was preserved throughout every phase of the rewrite.
What were the results?
The commercial real estate firm's domain rewrite and M365 migration was completed with all user identities, SMTP addresses, and directory objects transitioned to the new domain structure. PowerShell CDS automation handled bulk rewrite operations efficiently, and hybrid AD and Exchange coexistence was maintained throughout, ensuring zero disruption to the firm's critical real estate transaction communications.
Which tools and technologies were used?
- Domain Rewrite (UPN, SMTP, proxyAddress attribute management)
- Active Directory with hybrid AD Connect synchronization
- Hybrid Exchange with mail flow coexistence
- Microsoft 365 (Exchange Online, Teams)
- Microsoft Entra ID (Azure Active Directory)
- PowerShell CDS (Custom Deployment Solution) automation
- Conditional Access and MFA policy management
Why LeadThem Consulting
Domain rewrite migrations require a partner who understands every layer of the Microsoft identity and messaging stack, from AD attributes to SMTP routing to Entra ID synchronization. LeadThem Consulting brings hands-on expertise in configuring domain rewrite workflows, troubleshooting CDS automation issues, and managing the hybrid coexistence complexities that make these projects technically demanding. When MFA policies blocked automation and OU configurations needed precision, our team delivered solutions, not escalations.
- What is a domain rewrite migration?
- A domain rewrite migration changes user principal names (UPNs), SMTP addresses, and other directory attributes from one domain namespace to another, without moving users between AD forests or M365 tenants. It is used when an organization rebrands, divests a business unit, or restructures legal entities.
- Which attributes change in a domain rewrite?
- UPN, primary SMTP address, proxyAddresses (secondary SMTP), and any custom attributes that reference the old domain. Mail flow, authentication, and application sign-in all depend on these values, which is why pilot validation is critical before scaling to production.
- How does LeadThem automate bulk domain rewrites?
- Through Quest's Custom Deployment Solution (CDS) PowerShell automation. CDS scripts execute rewrite operations in controlled batches against AD and Entra ID, with logging and error handling so failed objects can be re-run individually rather than reprocessing the entire batch.
- Can mail flow stay up during a domain rewrite?
- Yes. Hybrid Exchange coexistence is maintained throughout. SMTP domain transitions are sequenced with MX record changes, connector updates, and accepted domain reconfigurations so that mail flow is preserved at every phase.
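The per-user attribute rewrite described in the phases and FAQ above, as an added example that is not LeadThem's or Quest CDS code: it builds a rewrite plan (new UPN, new primary SMTP, old primary demoted to a secondary alias so mail to the old domain keeps delivering during coexistence), validates it, and applies it batch-wise with -WhatIf support and per-object logging. It assumes the ActiveDirectory module, that proxyAddresses may be edited directly in AD, and uses `old.example` / `new.example` and `pilot-users.txt` as placeholders.

```powershell
# Added example, not LeadThem or Quest CDS code. Assumes the ActiveDirectory module and
# that proxyAddresses are owned by AD; domain names and file paths below are placeholders.
Import-Module ActiveDirectory
function New-RewritePlan {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$OldDomain,
        [Parameter(Mandatory)][string]$NewDomain
    )
    $u = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName, proxyAddresses
    $local   = ($u.UserPrincipalName -split '@')[0]
    $newMail = "$local@$NewDomain"
    # Rebuild proxyAddresses. Case matters: 'SMTP:' marks the single primary,
    # 'smtp:' marks secondaries; X500/SIP entries pass through untouched.
    $aliases = @("SMTP:$newMail")
    foreach ($p in $u.proxyAddresses) {
        if ($p -imatch '^smtp:' -and $p.Substring(5) -ieq $newMail) { continue }  # already the new primary
        if ($p -cmatch '^SMTP:') { $aliases += ($p -creplace '^SMTP:', 'smtp:') } # demote old primary
        else { $aliases += $p }
    }
    # Validate before anything is written: exactly one primary, old address kept as alias.
    $primaries = @($aliases | Where-Object { $_ -cmatch '^SMTP:' })
    if ($primaries.Count -ne 1) { throw "$SamAccountName has $($primaries.Count) primary SMTP entries" }
    if ($aliases -notcontains "smtp:$local@$OldDomain") {
        Write-Warning "$SamAccountName keeps no alias on $OldDomain; mail to the old address will bounce"
    }
    [pscustomobject]@{ SamAccountName = $SamAccountName; OldUpn = $u.UserPrincipalName
                       NewUpn = $newMail; ProxyAddresses = $aliases }
}
function Invoke-RewritePlan {
    # -WhatIf previews without writing; a failure is logged and the batch continues, so the
    # failed object can be re-run alone instead of reprocessing the whole batch.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)]$Plan, [string]$LogPath = '.\rewrite.log')
    process {
        if (-not $PSCmdlet.ShouldProcess($Plan.SamAccountName, "UPN $($Plan.OldUpn) -> $($Plan.NewUpn)")) { return }
        try {
            # Where on-prem Exchange owns recipient attributes, use its cmdlets instead of Set-ADUser.
            Set-ADUser -Identity $Plan.SamAccountName -UserPrincipalName $Plan.NewUpn -EmailAddress $Plan.NewUpn `
                -Replace @{ proxyAddresses = [string[]]$Plan.ProxyAddresses }
            Add-Content $LogPath "$(Get-Date -Format o) OK   $($Plan.SamAccountName) $($Plan.OldUpn) -> $($Plan.NewUpn)"
        } catch {
            Add-Content $LogPath "$(Get-Date -Format o) FAIL $($Plan.SamAccountName) $($_.Exception.Message)"
        }
    }
}
# Usage: plan a pilot batch, review with -WhatIf, then rerun without it to apply.
Get-Content .\pilot-users.txt | ForEach-Object { New-RewritePlan $_ 'old.example' 'new.example' } | Invoke-RewritePlan -WhatIf
```

After applying, confirm the new UPN and proxyAddresses have synchronized to Entra ID and test sign-in plus send/receive on both domains before scaling past the pilot batch.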