Another interesting topic to discuss today, we will discuss in this article how to use Hybrid configuration wizard with exchange 2010.
Exchange Online Overview:
Exchange Online helps protect your information with advanced capabilities. Anti-malware and anti-spam filtering protect mailboxes. Data loss prevention capabilities prevent users from mistakenly sending sensitive information to unauthorized people. Globally redundant servers, premier disaster recovery capabilities, and a team of security experts monitoring Exchange Online around the clock safeguard your data. And with a guaranteed 99.9% uptime, financially-backed service level agreement, you can count on your email always being up and running.
Stay in Control
Maintain control over your environment while gaining the advantage of hosting your email on Microsoft servers. Manage your organization efficiently with the Exchange admin center, an easy-to-use, web-based interface. Run In-Place eDiscovery across Exchange, SharePoint, and Skype for Business data from a single interface through the eDiscovery Center. With mobile device policies, you can create approved mobile device lists, enforce PIN lock, and remove confidential company data from lost phones. And IT-level phone support is available to you 24 hours a day, 7 days a week.
Easy to use and maintain
It’s easier than ever to provide your users with the business email they need to stay productive. Automatic patching eliminates the time and effort of maintaining your system. Give your users an In-Place Archive, so they can keep all their important data in one place. And provide them with anywhere access to email, calendar, and contacts on all major browsers and across devices.
Integration with Outlook means they’ll enjoy a rich, familiar email experience with offline access.
In this article we will discuss how to use and implement Hybrid deployment between your exchange 2010 and exchange online.
1- You have a very good knowledge with Exchange 2010.
2- All Exchange 2010 prerequisites already installed, follow Microsoft Article for all Prerequisites:
3- This article will not discuss the demote process of on-premise exchange server.
4- You already have an office 365 portal with .onmicrosoft.com domain, to start with office 365 portal follow Microsoft link: http://office365support.ca/signing-up-for-the-new-office-365-2/
5- Some information in snapshots have been hidden due to the privacy considerations.
1- Your Exchange must use a commercial certificate, self signed will not work and if you thinking why you must use a 3rd party certificate you can think that the communication between your exchange server and office 365 should be secure so this is the reason.
2- You must have a public AutoDiscover record in your DNS. for example: AutoDiscover.yourdomain.com pointing to your exchange server.
3- Your Exchange 2010 should be SP3 with CU9.
OK, now let’s discuss about the concept of hybrid deployment, First of all always keep in mind that hybrid deployment is support Exchange 2010 and Exchange 2013 only.
In hybrid deployment you have two options, first one is to migrate some mailboxes to office 365 and keep remaining mailboxes on the local exchange, the other option is to migrate all mailboxes and demote your local exchange server.
Now let’s discuss some concepts and important notes before we begin the implementation. when you think about migrate mailboxes to office 365 you need to ask yourself many questions:
* How office 365 will collect information about my users ! this is really a very good question 🙂 first of all you need to synchronize your directories to office 365, simply this is means that you need to install some tool to do that.
As usual Microsoft always try to simplify these things to their customers so they offer a tool called directory synchronization, this tool will take care of syncing all important data to office 365.
* Does end users will manage their office 365 Mailbox with same on-premise password ! this is your decision, directory synchronization tool offer a service to sync the same passwords to office 365 so users will not need to use different password in exchange online.
* Where is this magic tool 🙂 you can download it from office 365 portal, it’s small tool with great benefits. we will see how to install and configure it later in this article.
* what is the impact on end users while migrated the mailboxes ! this is one of the questions that always make a trouble to the admins and let them to think more and more before start migration. Fortunatly in Hybrid deployment there is no effect
Another important question will raised now: how the on-premise mailbox understand where to forward the received emails ! let’s stop here and back to the directory synchronization tool, once the directory synced to office 365 all mailboxes will have a new value in their Proxy Address attribute, so assume that there is an email address called User@mydomain.com, after this user is synced to office 365 using directory synchronization a new value will be added on the attribute of proxy address, it will be like this: firstname.lastname@example.org (mydomain maybe replaced with the tenant name you created while sign up in office 365 for first time). so once this attribute added the mailbox will understand to forward all emails to the same mailbox in office 365.
*OK, what about outlook profiles and active-sync! after the migration process finish successfully you must recreate the outlook profile and active-sync profile and there is no any other method to do this. again you must recreate the profiles.
*final important question that you may think about, you maybe ask your self that i am said in some period of time the user will have two mailboxes one in the local exchange server and the other in office 365, how outlook will deal with this and which one will be used by outlook and office 365 ! this is a very good question, but the answer is very straight forward, once the migration process finished you must run a script provided by Microsoft ( will be used later in this article ) to convert on-premise Mailbox Enabled to Mail Enabled, so when outlook try to connect after recreate the profile it will try first to connect to local mailbox and once it discover that the local one converted to Mail Enabled it will understand to connect to office 365 mailbox using the auto-discover service.
OK, All prerequisites is ready and you are understand most of the discussion above 🙂 so let’s start the implementation 😉
1.0 Office 365 IDFIX tool
The Office 365 IdFix tool, or IdFix, searches your directory and identifies most of the errors you will encounter before you synchronize to Office 365. IdFix helps you fix these errors and reduces the time it takes to on-board to Office 365. IdFix is simple enough to use so that you can fix Active Directory errors and synchronize your directory without relying on subject matter experts.
IdFix does not fix all errors, but it does find and allow you to fix the majority of errors; for example, over half of all synchronization errors are the result of duplicate or badly
formed proxyAddresses and userPrincipalName attributes in Active Directory. By fixing these errors, you will be able to successfully synchronize users, contacts, and groups from your on-premises Active Directory to Office 365.
IdFix may identify errors beyond those that are necessary to successfully complete synchronization to Office 365. For example, compliance with RFC 2822 for SMTP addresses. Directory synchronization allows you to synchronize invalid attribute values to the cloud but the best practice recommendation is that you correct these errors at the source before you synchronize.
To install IDFIX tool, go to portal and from the directory synchronization section download it as shown below:
After that from the upper left corner choose the admin page:
if you don’t see the admin option this is mean that you are not an admin. by the way the first user created while sign up with office 365 will be global admin so you can use it for now.
Now from the left pane go to users -> Active users and beside Active directory synchronization choose set up:
Now there is many option in this page, in section number 4 click download:
After download the tool, extract the files and run the tool with a domain admin privilege in any joined machine in your environment, once the tool start click on the query button and wait until the results appear, if no results appear this mean there is nothing may failed during the syncing of your directories, if any results appear you must deal with it. in my case now the tool show nothing to do. if you need to know how to deal with any errors if there was any please follow this Microsoft Article: https://support.office.com/en-us/article/Install-and-run-the-Office-365-IdFix-tool-f4bd2439-3e41-4169-99f6-3fabdfa326ac
Also remember that run IDFix tool is optional but strongly recommended, if there is any errors which is not solved before syncing the directories it may lead to failure in migration process.
Now since there is no errors in my environment let’s continue the implementation 🙂
1.1 Enable Directory synchronization (DirSync Tool)
The Azure Active Directory Sync tool (also known as the Directory Synchronization tool, Directory Sync tool, the DirSync tool, or the DirSync server) is a server-based application that you install on a domain-joined server to synchronize your on-premises Active Directory users to Office 365 for professionals and small businesses. You can install the Azure Active Directory Sync tool on a server in Azure or on-premises.
Before installing the DirSync tool you must first verify your domain in office 365, for example until now you must noticed that you have only one domain in your office 365 account such like @mydomain.onmicrosoft.com ( mydomain is the same as tenant name you already created while signup) so all users until now will have this domain only. let’s explain more.
if you have an user have a UPN suffix like email@example.com and you try to sync this user to office 365 using DirSync tool before verifying your domain the user will be synced as firstname.lastname@example.org and this what you don’t need, so keep in mind that all domains the user associated with it must be verified, for example UPN suffix domain and Email domain both must be verified if it’s not the same.
To verify your domain(s), From admin page, go to domains and clickadd domain as shown below, note that there is already verified domain .onmicrosft.com:
In the below page click “let’s start now” :
Enter your domain name and click Next:
Microsoft will provide you with a TXT record to add it in your global DNS to ensure that you are the real owner of the domain, After added the DNS TXT record to DNS, click “ Okay, I’ve Added the record” as shown below:
After you add the record successfully,Microsoft will verify your domain as show below ( sometimes this operation take several minutes ):
After verifying the domain, you must enable the directory synchronization in order to sync the users from on premise to office 365 using DirSync, to enable directory synchronization from admin portal go to users and click on “ set up ” as shown below:
Now on Activate active directory synchronization section clickActivate button as shown below:
Now you can install the DirSync tool from same page and start the syncing process, to install the DirSync tool, from office 365 portal navigate to directory synchronization section and download the tool as shown below:
After the download finished successfully, install the tool, you can install it in any joined machines including the DC also, after installing the tool run it as shown below and click Next on welcome page ( if you face this error: The error “Access to the registry key ‘HKEY_LOCAL_MACHINE\Software\Microsoft\MSOLCoExistence” is denied”occurs. you must rerun the tool with administrator privillage – Run as administrator ):
It will ask you to provide a global administrator user in office 365 portal, enter the user and password then click Next:
After that it will also ask you to provide a user in on premise with “Domain Admin” and “Enterprise Admin” permissions, Enter the user credential and click Next:
Since we used a Hybrid migration, you must check the option Enable hybrid Deployment and click Next:
Check Enable Password Sync Option to sync the user’s password to office 365 and click Next:
Wait until the wizard complete and click Next:
Now Unchecked synchronize you directories now and click Finish,if you check this option all your directories will be synced to office 365 including everything, so we postpone the synchronization now until we create some filters then we will start the syncing:
Now in this step navigate to “C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe” and run the miisclient.exe to select which OU’s to be synced with office 365.
When you open MIISCLIENT.exe go to Management Agents tab and double click on the second connector called “Active Directory Connector” as shown below:
Then choose configure directory partition and click on containersbutton, it will ask you to enter the a user with sufficient privileges to access your AD, enter the credentials then click OK:
Choose which OU’s you need to synchronize and click OK:
Before finish this step let’s stop in one of the most important point here. Keep in mind that you MUST synchronize all users that have a mailboxes even if you don’t need to migrate it, WHY ? simply if one of the users not synced to office 365 and a another user have a mailbox in office 365 and tried to send emails to the on-premise one which is not synced the delivery of emails will be failed, but this is seems not logic ! no it’s very logic since when a user in office 365 need to send an internal emails for example assume we have three users as below:
First user have an email: email@example.com ( Synced to office 365 and already migrated).
Second one have an email: Local_synced_user@mydomain.com which is synced to office 365 but not migrated
Third one have an email: Local_user_not_synced@mydomain.com which is not synced and not migrated.
Assume now first user need to send an email to second user, since first user already migrated then it have an mailbox in office 365, also since the second user is synced but not migrated it have an Mail Enabled user in office 365, so once first user send to second one, office 365 will understand that the domain is in it’s accepted domain nut since the second user have an mail enabled in office 365 not mailbox it will forward the email to on-premise mailbox.
Now assume the second case, assume that first user need to send an email to the third one, office 365 will understand that the domain is within it’s accepted domain but since their is no mail enabled for the third user it will assume that that email address incorrect and a None Delivery Report will be send to the first user states that the recipient not found.
So let’s back now to our snapshots, from below snapshot synchronize all users and groups to office 365.
Now Launch “C:\Program Files\Windows Azure Active Directory Sync\DirSyncConfigShell.psc1” and type Start-OnlineCoexistenceSync to start the synchronization ASAP, this operation need several minutes up to several hours based on the number of objects you have.
ِAfter that you can check that all users you chose appear in office 365 portal as below, also you need to note that the status of users is ” synced with active directory”:
2 Migrate Mailboxes to Office 365
2.1 Hybrid Migration Overview:
A hybrid deployment offers organizations the ability to extend the feature-rich experience and administrative control they have with their existing on-premises Microsoft Exchange organization to the cloud. A hybrid deployment provides the seamless look and feel of a single Exchange organization between an on-premises Exchange Server 2013 organization and Exchange Online in Microsoft Office 365. In addition, a hybrid deployment can serve as an intermediate step to moving completely to an Exchange Online organization.
2.2 Key Terminology:
The following list provides you with definitions of the core components associated with hybrid deployments in Exchange 2013.
- centralized mail transport
- The hybrid configuration option in which all Exchange Online inbound and outbound Internet messages are routed via the on-premises Exchange organization. This routing option is configured in the Hybrid Configuration wizard.
- coexistence domain
- An accepted domain added to the on-premises organization for hybrid mail flow and Autodiscover requests for the Office 365 service. This domain is added as a secondary proxy domain to any email address policies which have PrimarySmtpAddress templates for domains selected in the Hybrid Configuration wizard. By default, this domain is <domain>.mail.onmicrosoft.com.
- HybridConfiguration Active Directory object
- The Active Directory object in the on-premises organization that contains the desired hybrid deployment configuration parameters defined by the selections chosen in the Hybrid Configuration wizard. The Hybrid Configuration Engine uses these parameters when configuring on-premises and Exchange Online settings to enable hybrid features. The contents of the HybridConfiguration object are reset each time the Hybrid Configuration wizard is run.
- hybrid configuration engine (HCE)
- The Hybrid Configuration Engine executes the core actions necessary for configuring and updating a hybrid deployment. The HCE compares the state of theHybridConfiguration Active Directory object with current on-premises Exchange and Exchange Online configuration settings and then executes tasks to match the deployment configuration settings to the parameters defined in the HybridConfiguration Active Directory object. For more information, see Hybrid Configuration Engine.
- hybrid configuration wizard (HCW)
- An adaptive tool offered in Exchange 2013 and exchange 2010 that guides administrators through configuring a hybrid deployment between their on-premises and Exchange Online organizations. The wizard defines the hybrid deployment configuration parameters in the HybridConfiguration object and instructs the Hybrid Configuration Engine to execute the necessary configuration tasks to enable the defined hybrid features.
- Exchange 2010-based hybrid deployment
- A hybrid deployment configured using Service Pack 3 (SP3) for Exchange Server 2010 on-premises servers as the connecting endpoint for the Office 365 and Exchange Online services. A hybrid deployment option for on-premises Exchange 2010, Exchange Server 2007, and Exchange Server 2003 organizations and compatible with Office 365 service versions 14.0.000.0 and 15.0.000.0.
- Exchange 2013-based hybrid deployment
- A hybrid deployment configured using Exchange 2013 on-premises servers as the connecting endpoint for the Office 365 and Exchange Online services. A hybrid deployment option for on-premises Exchange 2013, Exchange 2010, and Exchange 2007 organizations and compatible with Office 365 service version 15.0.000.0 or later only.
- secure mail transport
- An automatically configured feature of a hybrid deployment that enables secure messaging between the on-premises and Exchange Online organizations. Messages are encrypted and authenticated using transport layer security (TLS) with a certificate selected in the Hybrid Configuration wizard. The Exchange Online Protection (EOP) service in the Office 365 tenant is the endpoint for hybrid transport connections originating from the on-premises organization and the source for hybrid transport connections to the on-premises organization from Exchange Online.
2.3 Exchange Hybrid Deployment features:
A hybrid deployment enables the following features:
- Secure mail routing between on-premises and Exchange Online organizations.
- Mail routing with a shared domain namespace. For example, both on-premises and Exchange Online organizations use the @contoso.com SMTP domain.
- A unified global address list (GAL), also called a “shared address book.
- Free/busy and calendar sharing between on-premises and Exchange Online organizations.
- Centralized control of inbound and outbound mail flow. You can configure all inbound and outbound Exchange Online messages to be routed through the on-premises Exchange organization.
- A single Microsoft Office Outlook Web App URL for both the on-premises and Exchange Online organizations.
- The ability to move existing on-premises mailboxes to the Exchange Online organization. Exchange Online mailboxes can also be moved back to the on-premises organization if needed.
- Centralized mailbox management using the on-premises Exchange admin center (EAC).
- Message tracking, MailTips, and multi-mailbox search between on-premises and Exchange Online organizations.
- Cloud-based message archiving for on-premises Exchange mailboxes. Exchange Online Archiving can be used with a hybrid deployment. Learn more about Exchange Online Archiving at Microsoft Office 365 Additional Services.
2.4 Configure Hybrid Configuration Wizard (HCW):
In Hybrid Migration method you must run the Hybrid configuration wizard included all domain need to be migrated.
In case there is an accepted domains not included in the public certificate, you must run below command in exchange PowerShell:
Set-HybridConfiguration –Domains “FirstDomain.com, Anydomain.com, SecondDomain.com “, “autod:DomainNameIncludedInTheCertificate.com”
In above PowerShell command you can mention any non-included domain in public certificate and point autod parameter for the domain name included in the public certificate, which means in case of multiple SMTP domain you need to have at least one domain included in the public certificate.
Before you can manage the hybrid configuration wizard, you must add the office 365 tenant to your local exchange, to do that follow below steps:
Open your exchange console, right click on Microsoft Exchange and click on Add Exchange Forest:
Choose any friendly name and Exchange online option:
Now you must see the office 365 tenant appear on your exchange console similar to below:
Now to enable Hybrid configuration wizard, from exchange 2010 console go to organization management and choose manage Hybrid Configuration:
In the introduction page click Next:
Provide the on premise and cloud credential and click Next:
Here you need to add the domain need to be migrate it’s mailboxes, but keep in mind if you have an multiple SMTP and all SMTP’s included in the public certificate you can add all of these domains, but if some SMTP’s not included in the public certificate you must add only the one’s included and execute the power shell command we already discussed above to configure the non-included domain names.
Enter the domain and click Next:
To verify the domain you must add this new TXT record in your public DNS, Add the TXT record in public DNS and click Next:
Here you need to add the Client access servers need to be used in this deployment and the HUB servers also in the second mailboxes , then click Next:
Add the public IP of your exchange server and the Public FQDN and click Next:
(You can visit MXtoolbox.xom to get these information)
Now the HCW will obtain the public certificate automatically.
If the certificate Not obtained automatically by HCW, this means that you have an issue with your Puvlic certificate, below some common issues:
1- The certificate must be public (3’rd party) certificate and installed on all Client access servers, it’s must be installed on all CAS servers selected in the wizard before.
2- the certificate root parameter must be Thirdparty, to check this property open exchange power shell in all CAS servers and write: Get-ExchangeCertificate | fl, it will show this property.
3- the public certificate must be in the personal folder of the Exchange servers, to check this open MMC and add the certificate snap in.
Also in the same page, there is two options for delivering emails for the migrated mailboxes.
- Deliver Internet-bound messages directly using the external recipient’s DNS settings Select this option if you want Office 365 to bypass your on-premises transport servers when routing outbound messages to external recipients.
- Route all Internet-bound messages through your on-premises Exchange servers Select this option if you want Office 365 to send all outbound messages to external recipients to your on-premises transport servers. The on-premises hybrid transport servers will be responsible for delivering the messages to external recipients.Finally Click Manage:
After minutes the HCW must have a successful result as below:
4 Migrate Mailboxes to Office 365
4.1 Hybrid Migration Overview:
A hybrid deployment offers organizations the ability to extend the feature-rich experience and administrative control of their existing on-premises Microsoft Exchange organization to the cloud. A hybrid deployment provides the seamless look and feel of a single Exchange organization between an on-premises Exchange organization and Exchange Online in Microsoft Office 365. In addition, a hybrid deployment can serve as an intermediate step to moving completely to an Exchange Online organization.
Hybrid Deployment Features
- A hybrid deployment enables the following features:
- Secure mail routing between on-premises and Exchange Online organizations.
- Mail routing with a shared domain namespace. For example, both on-premises and cloud-based organizations use the @contoso.com SMTP domain.
- A unified global address list, also called a “shared address book”.
- Free/busy and calendar sharing between on-premises and Exchange Online organizations.
- Centralized control of outbound mail flow. You can configure Exchange Online to route all messages to Internet recipients through the on-premises Exchange organization.
- A single Outlook Web App URL for both the on-premises and Exchange Online organizations.
- The ability to move existing on-premises mailboxes to the Exchange Online organization.
- Centralized mailbox management using the on-premises Exchange Management Console.
- Message tracking, MailTips, and multi-mailbox search between on-premises and Exchange Online organizations.
- Cloud-based message archiving for on-premises Exchange mailboxes. Exchange Online Archiving can be used with a hybrid deployment.
4.2 How to migrate:
To migrate users to office 365, Login to office 365 portal and select Exchange Tab, from exchange portal go to the recipient section of the left pane choose Migration as shown below:
Click on (+) button and choose Migrate to exchange online option as below:
Now from the Migration types, choose Remote migration and click Next:
From the New migration wizard click on the (+) button:
From the select users page choose the users to be migrated as below and click OK:
Now keep the configuration as it and click Next:
Give any name for the migration batch and click Next:
Finally Click On New:
Now you will wait until the migration batch show a complete status as below:
Once the migration completed you can assign the license to the user and configure the outlook.
Also you will take a grace period to work with office 365 mailbox, i think it’s 30-days before the period end you must assign a license to the migrated users to avoid any interrupt of service. To assign a license to the user follow this article: https://support.office.com/en-au/article/Assign-or-unassign-licenses-for-Office-365-for-business-997596b5-4173-4627-b915-36abac6786dc?ui=en-US&rs=en-AU&ad=AU
Also After all Mailboxes Migrated to office 365 you can uninstall the Exchange server if this is your requirement but before that you must create all required DNS records mentioned in the office 365 portal.
To see this records go to the admin page in office 365 portal, then go to domains then in your domain click manage or follow this article:
Then you can safely remove your exchange server after take a full backup 🙂
Ahmad Yasin in a Microsoft Cloud Engineer and the publisher of AzureDummies blog. He also hold many certificates in office 365 and windows azure including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA office 365.