Configuring an Exchange 2013 Hybrid Deployment and Migrating to Office 365 (Exchange Online) (Part 13)


Introduction

In part 12 of this multi-part article series revolving around Exchange 2013 hybrid deployment based migrations to the new Office 365 or more precisely Exchange Online, we finished the configuration for the custom domain in Office 365, for which Exchange hybrid should be set up.

In this part 13, we will continue where we left off in part 12. That is, we will take a look behind the scenes at the hybrid configuration settings applied by the hybrid configuration wizard.

Let’s get started.

A Look at the Hybrid Configuration Settings

So back in part 11 and 12, we established a hybrid configuration between our on-premises Exchange 2013 organization and Exchange Online in Office 365. Let’s take a look at the things that were created behind the scenes when we ran the Hybrid Configuration Wizard (HCW).

Let’s first look at the hybrid configuration object itself. We can do so by launching the Exchange Management Shell (EMS) and running the following command:

Get-HybridConfiguration

Figure 1: Listing the configuration for the hybrid configuration object in the on-premises Exchange organization

As you can see above in Figure 1, the settings (such as receiving and sending transport servers, on-premises smart host and domains) we specified when we ran the wizard have been set on the hybrid configuration object. But this is far from the only thing that has been configured. You can also see which features have been enabled (“FreeBusy”, “MoveMailbox”, “MailTips”, “MessageTracking”, “OwaRedirection”, “OnlineArchive”, “SecureMail”), which are all features we wish to have enabled between the on-premises Exchange organization and the Exchange Online organization in Office 365.

Important:
The “ClientAccessServers” parameter is deprecated and will be removed from Exchange Server 2013 sometime in the future, which explains why it is blank. Also, bear in mind that we no longer need to have any public IP addresses configured for the hybrid configuration. This was required in Exchange 2010 based hybrid deployments, so that we could specify the IP addresses that were allowed to send to the inbound connector in FOPE.

Note:
Since we neither use Exchange 2010 Edge Transport servers nor have enabled centralized transport, the “EdgeTransportServers” attribute is blank and “CentralizedTransport” is missing under “Features”.

In addition, the following has also been performed in the on-premises Exchange organization:

  1. A federation trust with the Microsoft Federation Gateway (MFG) has been established for the specified domain:

Figure 2: Federation Trust in the Exchange Management Console

Creating a federation trust with the MFG is required in order to be able to set up an organizational relationship, which in turn is required in order to share free/busy information and calendars between the on-premises Exchange organization and the Exchange Online organization in Office 365. With that said, it’s important to note that a trust isn’t set up with the MFG; instead, the MFG merely acts as a trust broker between the involved Exchange organizations.

  2. “tenant_name.mail.onmicrosoft.com” (in our scenario “clouduserdk.onmicrosoft.com”) has been added as an accepted domain:

Figure 3: New accepted domain in the Exchange admin center (EAC)

Adding the “tenant_name.mail.onmicrosoft.com” domain to the “Accepted Domains” list as an authoritative domain is required in order for the on-premises Exchange organization to accept inbound e-mail messages destined for a mailbox user located in Exchange Online. When a mailbox is moved from the on-premises Exchange organization to Exchange Online, the source mailbox user object is converted to a mail user object, which is configured with an external address of “[email protected]”. We will look more at this later in this article series.

  3. “tenant_name.mail.onmicrosoft.com” (in our scenario “clouduserdk.onmicrosoft.com”) has been added as a remote domain. Since remote domains are not exposed in the Exchange admin center (EAC), we must use the “Get-RemoteDomain” cmdlet to see this.

Figure 4: New remote domains in the Exchange Management Console

A remote domain is an SMTP domain that is external to our Exchange organization. When a new remote domain is created, it’s possible to specify that the remote domain is used for Exchange Online purposes. With a remote domain, we can configure out of office and message formatting settings. The HCW sets the ideal settings for a hybrid deployment and enables the SMTP domain as the domain used for an Office 365 tenant, which is important in relation to provisioning of new remote mailbox users (users that get a mailbox created directly in Exchange Online).

  4. The default E-mail Address Policy has been updated, so that it stamps a secondary proxy address ([email protected]) on mailbox user objects:

Figure 5: New SMTP address added to the default E-mail Address Policy

The SMTP address “[email protected]” is added to the default E-mail Address Policy, so that it can be stamped as an additional proxy address on the mail objects in the organization. As mentioned earlier, when a mailbox is moved to Exchange Online, the source mailbox user object is converted to a mail user object, and in order to be able to set “[email protected]” as the external e-mail address, it must already be stamped on the object.

Figure 6: Secondary proxy address stamped on mailbox user object

  5. In addition, the HCW will create a send connector that will route all e-mail messages destined for “tenant_name.mail.onmicrosoft.com” (in this scenario “clouduserdk.mail.onmicrosoft.com”) in our on-premises Exchange 2013 environment to Exchange Online in Office 365 (see Figure 7).

Figure 7: Outbound connector to Office 365

The send connector is configured to use DNS to look up the MX record of the destination server.

Figure 8: DNS used to look up the MX record for the destination server

The send connector is configured with an address space of “clouduserdk.mail.onmicrosoft.com”, so that only e-mail messages destined for Exchange Online users in Office 365 are routed via this send connector.

Figure 9: Address space for the outbound connector to Office 365

Unlike with Exchange 2010 based hybrid deployments, the HCW no longer creates an Office 365 specific receive connector on our hybrid servers (see Figure 10).

Figure 10: No Office 365 specific receive connectors created by the HCW

  6. Finally, as we could also see back in Figure 2, an organizational relationship has been created to establish Exchange federation with the Exchange Online organization in Office 365.

Figure 11: Listing details for the organizational relationship

Just as with Exchange 2010 based hybrid deployments, free/busy is enabled with limited details by default. In addition, mailbox moves, delivery reports, mailtips and online archive are enabled. Moreover, a target OWA URL is specified, which by default is set to: “http://outlook.com/owa/tenant_name.onmicrosoft.com”. The target OWA URL is the URL that a user will be non-transparently redirected to (we will look at this later in this article series) when he tries to access his mailbox using the existing OWA namespace (i.e. http://mail.domain.com/owa) after his mailbox has been moved to Exchange Online. Lastly, a target autodiscover Epr has been set by the HCW. This is the endpoint used to reach the Exchange Online organization for the configured features when a request comes from the on-premises Exchange organization.
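
The settings walked through above can be checked in one pass from the on-premises EMS, which is useful for spotting drift after the HCW has run (for example a send connector whose address space has been widened, or free/busy raised above limited details). The script below is an added example, not part of the original article or of the HCW. The function names New-Check and Test-HybridBaseline are hypothetical, the routing domain is the scenario value used in this article, and the policy name “Default Policy” and the assumption that the organizational relationship lists the routing domain under DomainNames should be adjusted to your environment.

```powershell
# Added example: run in the on-premises Exchange Management Shell (EMS).
# $RoutingDomain is an assumption taken from this article's scenario.
function New-Check($Name, $Expected, $Actual) {
    [pscustomobject]@{ Check = $Name; Expected = "$Expected"; Actual = "$Actual"
                       Pass = ("$Actual" -eq "$Expected") }
}

function Test-HybridBaseline {
    param([string]$RoutingDomain = 'clouduserdk.mail.onmicrosoft.com')

    # Features the article lists as enabled on the hybrid configuration object.
    $wanted = 'FreeBusy','MoveMailbox','MailTips','MessageTracking',
              'OwaRedirection','OnlineArchive','SecureMail' | Sort-Object
    $have = (Get-HybridConfiguration).Features | ForEach-Object { "$_" } | Sort-Object
    New-Check 'Hybrid features' ($wanted -join ',') ($have -join ',')

    # The routing domain must be an authoritative accepted domain.
    $ad = Get-AcceptedDomain | Where-Object { "$($_.DomainName)" -eq $RoutingDomain }
    New-Check 'Accepted domain type' 'Authoritative' $ad.DomainType

    # The remote domain must be flagged as the Office 365 tenant domain.
    $rd = Get-RemoteDomain | Where-Object { "$($_.DomainName)" -eq $RoutingDomain }
    New-Check 'Remote domain is tenant delivery domain' $true $rd.TargetDeliveryDomain

    # Exactly one send connector, scoped only to the routing domain, using DNS/MX.
    $sc = @(Get-SendConnector | Where-Object { "$($_.AddressSpaces)" -like "*$RoutingDomain*" })
    New-Check 'Send connectors for routing domain' 1 ($sc.Count)
    foreach ($c in $sc) {
        New-Check "[$($c.Name)] address space count" 1 (@($c.AddressSpaces).Count)
        New-Check "[$($c.Name)] DNS routing (MX lookup)" $true ($c.DNSRoutingEnabled)
    }

    # Organizational relationship: limited free/busy plus the features listed in the article.
    $or = Get-OrganizationRelationship |
          Where-Object { @($_.DomainNames | ForEach-Object { "$_" }) -contains $RoutingDomain }
    New-Check 'Free/busy access level' 'LimitedDetails' ($or.FreeBusyAccessLevel)
    foreach ($p in 'FreeBusyAccessEnabled','MailboxMoveEnabled','DeliveryReportEnabled',
                   'MailTipsAccessEnabled','ArchiveAccessEnabled') {
        New-Check "Org relationship $p" $true ($or.$p)
    }

    # Default e-mail address policy must stamp a proxy address in the routing domain.
    $tpl = (Get-EmailAddressPolicy | Where-Object { $_.Name -eq 'Default Policy' }).EnabledEmailAddressTemplates
    $hit = @($tpl | Where-Object { "$_" -like "*@$RoutingDomain" }).Count -gt 0
    New-Check 'Default policy stamps routing proxy address' $true $hit
}

Test-HybridBaseline | Format-Table -AutoSize
```

Any row with Pass set to False points at a setting that differs from what this article describes and is worth reviewing before mailboxes are moved.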

This concludes part 13 of this multi-part article in which I explain how you configure an Exchange 2013 hybrid deployment followed by migrating to Office 365 (Exchange Online).
