Using the Hybrid Configuration Wizard in Exchange Server 2013 (Part 2)

If you would like to read the other parts in this article series please go to:

Introduction

This series looks at how to use the Hybrid Configuration wizard successfully whilst ensuring pre-requisites are considered. In part one of this series we made core decisions about which servers to use, verified a number of pre-requisites and made changes to the underlying environment to ensure the Hybrid configuration will work after application of settings.

In part two of this series we examine the changes the Hybrid Configuration Wizard will make to the Exchange on-premises and Office 365 environment, optionally pre-create Federation settings and then run through the wizard options step-by-step before application of settings.

Understanding the changes the Hybrid Configuration Wizard makes

Many organizations will wish to understand the changes that the Hybrid Configuration Wizard will make before executing it within a production environment.

Because the Hybrid Configuration Wizard tailors its changes to the configuration chosen and to other factors, such as the number of accepted domains, the exact set of changes differs slightly for each environment.

At a high level the changes made are as follows:

  • A new Hybrid Configuration object is created in the Configuration container within the local Active Directory forest.
  • Settings chosen within the Hybrid Configuration Wizard are stored in the new Hybrid Configuration object.
  • The Office 365 tenant is “rehydrated” by enabling organizational customization settings. This exposes all advanced features needed for Hybrid.
  • A New Remote Domain is created on-premises in the format “<tenant name>.mail.onmicrosoft.com” and set as the Target Delivery Domain for Office 365.
  • The same “<tenant name>.mail.onmicrosoft.com” domain is created as an accepted domain on-premises.
  • Email address policies are updated with an additional SMTP proxy address in the format “<alias>@<tenant name>.mail.onmicrosoft.com”, with the option to only update secondary addresses.
  • If one doesn’t exist, a Federation Trust certificate is created and the feature enabled on-premises.
  • Federated domains are configured on-premises and in Office 365.
  • Matching organization relationships are created both in Office 365 and on-premises, with settings enabled to allow Free/Busy, Mail Tips, Remote Moves, Contact Photos and Delivery Reports and, on-premises, settings to ensure that when mailboxes are moved the correct OWA URL is shown to users.
  • An Availability Address Space is configured to ensure that the Hybrid servers are registered as “proxies” for Free/Busy lookups.
  • The MRS Proxy is enabled on each on-premises Exchange Hybrid server.
  • A new Send Connector is created to send mail destined for the <tenant name>.mail.onmicrosoft.com routing domain to Office 365 with TLS enforced, and selected Hybrid Exchange Mailbox servers are bound to it.
  • The Default Front End receive connector on each selected Hybrid Client Access server is configured so that email received by TLS from trusted Office 365 SSL certificates is treated as Hybrid mail.
  • Inbound and Outbound connectors are created in Office 365 to ensure internal email passes through the on-premises connectors and inbound mail from on-premises is received and classified correctly.
  • If the additional OAuth configuration is applied, new partner OAuth applications are registered along with associated certificates and a new Intra Organization Connector is created both on-premises and in Office 365.

Other changes, such as the configuration or copying of policies (Sharing Policies, In-Place Hold Policies, Mobile Device Policies and so on), are not performed and should be configured and tested after the Hybrid configuration is complete. We’ll show how to make typical changes in this guide, after the Hybrid configuration is completed.
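Because the wizard writes to many different objects at once, it is worth taking a baseline of the on-premises configuration before running it and a second snapshot afterwards, so the actual changes can be reviewed against the list above. The following PowerShell is an added example and is not code from the article or from Microsoft; it assumes an Exchange 2013 Management Shell session, covers only the on-premises side (Exchange Online changes are not captured), and the file paths and the routing-domain pattern are placeholders.

```powershell
# Added example (not from the article): snapshot the on-premises objects the
# Hybrid Configuration Wizard touches, so a "before" and "after" copy can be
# compared and reviewed. Assumes an Exchange 2013 Management Shell session.
function Get-HybridChangeSnapshot {
    param([string]$TenantRoutingDomain = '*.mail.onmicrosoft.com')  # pattern; adjust if needed

    # Each entry maps to one of the changes listed in the article.
    [ordered]@{
        Taken                     = Get-Date
        HybridConfiguration       = Get-HybridConfiguration -ErrorAction SilentlyContinue |
                                        Select-Object ClientAccessServers, ReceivingTransportServers,
                                            SendingTransportServers, TlsCertificateName, OnPremisesSmartHost, Domains, Features
        RemoteDomains             = Get-RemoteDomain | Select-Object Name, DomainName, TargetDeliveryDomain
        AcceptedRoutingDomains    = Get-AcceptedDomain | Where-Object { $_.DomainName -like $TenantRoutingDomain } |
                                        Select-Object Name, DomainName, DomainType
        EmailAddressPolicies      = Get-EmailAddressPolicy | Select-Object Name, Priority, EnabledEmailAddressTemplates
        FederationTrust           = Get-FederationTrust | Select-Object Name, ApplicationUri, OrgCertificate
        FederatedDomains          = Get-FederatedOrganizationIdentifier | Select-Object AccountNamespace, Domains, Enabled
        OrganizationRelationships = Get-OrganizationRelationship |
                                        Select-Object Name, DomainNames, FreeBusyAccessEnabled, MailTipsAccessEnabled,
                                            MailboxMoveEnabled, PhotosEnabled, DeliveryReportEnabled, TargetOwaURL
        AvailabilityAddressSpaces = Get-AvailabilityAddressSpace | Select-Object ForestName, AccessMethod, ProxyUrl
        MrsProxy                  = Get-WebServicesVirtualDirectory | Select-Object Server, MRSProxyEnabled
        SendConnectors            = Get-SendConnector |
                                        Select-Object Name, AddressSpaces, SmartHosts, RequireTLS, TlsAuthLevel,
                                            TlsDomain, SourceTransportServers
        FrontEndReceiveConnectors = Get-ReceiveConnector | Where-Object { $_.Name -like 'Default Frontend*' } |
                                        Select-Object Identity, TlsDomainCapabilities
        IntraOrgConnectors        = Get-IntraOrganizationConnector -ErrorAction SilentlyContinue |
                                        Select-Object Name, DiscoveryEndpoint, TargetAddressDomains, Enabled
        PartnerApplications       = Get-PartnerApplication -ErrorAction SilentlyContinue |
                                        Select-Object Name, ApplicationIdentifier, Enabled
    }
}

# Report which sections changed between two saved snapshots. Objects are
# flattened to text lines so that any changed property shows up in the diff.
function Compare-HybridSnapshot {
    param(
        [Parameter(Mandatory = $true)][string]$BeforePath,
        [Parameter(Mandatory = $true)][string]$AfterPath
    )
    $before = Import-Clixml -Path $BeforePath
    $after  = Import-Clixml -Path $AfterPath
    foreach ($key in $after.Keys) {
        if ($key -eq 'Taken') { continue }
        $b = @($before[$key] | Out-String -Stream -Width 300 | Where-Object { $_.Trim() })
        $a = @($after[$key]  | Out-String -Stream -Width 300 | Where-Object { $_.Trim() })
        $diff = Compare-Object -ReferenceObject $b -DifferenceObject $a
        if ($diff) {
            Write-Output "== $key =="
            $diff | ForEach-Object { '{0} {1}' -f $_.SideIndicator, $_.InputObject }
        }
    }
}

# Usage (paths are placeholders):
#   Get-HybridChangeSnapshot | Export-Clixml -Path 'C:\HybridAudit\before.xml'
#   ... run the Hybrid Configuration Wizard ...
#   Get-HybridChangeSnapshot | Export-Clixml -Path 'C:\HybridAudit\after.xml'
#   Compare-HybridSnapshot -BeforePath 'C:\HybridAudit\before.xml' -AfterPath 'C:\HybridAudit\after.xml'
```

Lines prefixed with `=>` in the comparison are values present only after the wizard ran, `<=` values that were removed or altered. The send- and receive-connector sections are the ones to read most carefully, since they define which TLS certificate and which remote domains are trusted for Hybrid mail.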

Enabling the Federation Trust Feature (Optional)

After making the pre-requisite changes and performing tests, it should be safe to perform the Hybrid Configuration.

One feature configured by the Hybrid Configuration Wizard requires DNS records to be added during the Wizard.

Many organizations prefer to add the DNS Text records before running the Hybrid configuration wizard so that the wizard will complete without warnings.

To identify the DNS Text records required, the Federation Trust can be enabled prior to executing the Hybrid Configuration wizard with little to no risk. After enabling the Federated Trust, an Exchange Management Shell cmdlet can be executed to retrieve the correct DNS record.

Enable the Federation Trust feature by accessing the Exchange Admin Center on-premises and navigating to Organization > Sharing. Underneath the Federation Trust heading choose Enable, as shown below:

Figure 1: Enabling the Federation Trust

After the Federation Trust is enabled, launch the Exchange Management Shell. Use the Get-FederatedDomainProof cmdlet as shown below to retrieve the Domain Proof:

Get-FederatedDomainProof -DomainName <Accepted Domain>

Figure 2: Retrieving Federation Proof TXT records

The cmdlet should return a number of records. The record to add as a Text (TXT) record is named Proof and appears as a Base64-encoded string. It is entered on a single line, with no spaces, and ends in two equals signs (==).

As shown in the example DNS control panel below the DNS TXT record is entered for the domain itself rather than a sub-domain. It can replace the Office 365 custom validation text record, which is no longer required:

Figure 3: Updating a DNS control panel with the Federation Proof TXT record
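A quick way to confirm the TXT record was published correctly before the wizard runs is to compare the value Get-FederatedDomainProof returns with what external DNS actually answers. The function below is an added example, not code from the article or from Microsoft; it assumes an Exchange 2013 Management Shell session plus the DnsClient module's Resolve-DnsName cmdlet, and the domain name and resolver address in the usage line are placeholders.

```powershell
# Added example (not from the article): compare the Federation proof for an
# accepted domain with the TXT records currently published for that domain.
# Assumes an Exchange 2013 Management Shell session and Resolve-DnsName.
function Test-FederationProofRecord {
    param(
        [Parameter(Mandatory = $true)]
        [string]$DomainName,        # accepted domain, e.g. 'contoso.example' (placeholder)
        [string]$DnsServer          # optional: an external resolver to query instead of the local one
    )

    # Get-FederatedDomainProof may return more than one record (the Proof column
    # in Figure 2); every returned proof is checked against DNS.
    $expected = @(Get-FederatedDomainProof -DomainName $DomainName | ForEach-Object { $_.Proof })

    # Query the domain apex: the article notes the TXT record belongs to the
    # domain itself, not to a sub-domain. TXT data arrives as string chunks,
    # which are joined and stripped of whitespace before comparison.
    $resolveArgs = @{ Name = $DomainName; Type = 'TXT'; ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $resolveArgs['Server'] = $DnsServer }
    $published = @(Resolve-DnsName @resolveArgs |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { ($_.Strings -join '') -replace '\s', '' })

    foreach ($proof in $expected) {
        # Exact match only: a proof pasted with line breaks, spaces or a stray
        # quote will not match and would leave the wizard reporting a warning.
        [pscustomobject]@{
            DomainName   = $DomainName
            Proof        = $proof
            PublishedTxt = ($published -contains $proof)
        }
    }
}

# Usage (placeholders): check against an external resolver so that internal
# split-brain DNS does not mask a missing public record.
# Test-FederationProofRecord -DomainName 'contoso.example' -DnsServer '<external resolver IP>'
```

Querying an external resolver rather than the domain controllers matters because the Microsoft Federation Gateway looks the record up on the public Internet; an internal zone copy can show the record as present when the public zone has not yet been updated or has not propagated.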

Performing the Hybrid Configuration

Before starting the Hybrid Configuration Wizard it is necessary to enable Hybrid mode and create the underlying Hybrid Configuration object. To do this, navigate to Hybrid within the Exchange Admin Center, then choose Enable as shown below:

Figure 4: Initial enablement of Hybrid in the Exchange Admin Center on-premises

After choosing Enable, the web browser will be redirected to Office 365. Sign in when prompted as a Global Administrator:

Figure 5: Sign-in as a Global Administrator to Office 365

When sign-in completes, the web browser will be redirected to the original Hybrid section of the Exchange Admin Center, although the browser URL will now contain the Office 365 address.

Choose Enable again to begin the Hybrid Configuration wizard:

Figure 6: Launching the Hybrid Configuration Wizard

After choosing Enable, the Exchange Hybrid Configuration Wizard will launch in a new browser pop-up window. Assuming a Hybrid configuration has not been implemented before, it will state that Office 365 coexistence has not been configured and offer the opportunity to set up Exchange Hybrid. Choose Yes to continue:

Figure 7: Confirmation that the Hybrid Configuration Wizard should be launched

On the next page of the wizard the Federation Trust will be created if it wasn’t created in the previous step. If you didn’t choose to pre-create and register the entries earlier in this guide, then select each Text record (as highlighted below) and add to your external DNS:

Figure 8: Verification of the Federation Proof TXT record

The Hybrid Configuration Wizard will next require input to choose the types of servers to use for SMTP mail transport, and whether to route mail through on-premises (known as Centralized Mail Transport within the wizard) or deliver mail directly. Based on the decisions made in the first part of this series, select the relevant option, then choose Next:

Figure 9: Selecting appropriate options for mail transport

On the next page of the Wizard it is necessary to select the Client Access Servers to use for Hybrid. As mentioned in the first part of the series these will typically be the organization’s Internet-facing Client Access servers that are the target of the inbound SMTP DNS name. Select the servers and choose Next:

Figure 10: Selecting Exchange Servers that will receive SMTP email from Office 365

For outbound mail, select the Exchange 2013 Mailbox servers that will be bound to the Office 365 Send Connector. Often, in a best practices multi-role deployment, these will be the same servers. After selecting the servers, choose Next:

Figure 11: Selecting Exchange Servers that will send mail to Office 365

In the next step the SSL certificate to use with the Hybrid Send and Receive connectors must be selected. The wizard will store the Thumbprint of the certificate. The list will show the SSL certificates that have been installed on all Exchange Hybrid servers selected in the previous two steps. Select the SSL certificate decided upon in part one of the series and choose Next.

Figure 12: Selecting the correct SSL certificate to use for Hybrid email flow

To match the SSL certificate, enter the FQDN that will be used for mail from Office 365 destined to flow through or into Exchange 2013, then choose Next:

Figure 13: Entering the external DNS name for inbound SMTP from Office 365
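The wizard only lists certificates, it does not check that the one chosen is fit for the two steps above, so a pre-check across every selected server saves a failed or insecure mail flow later. This PowerShell function is an added example and is not code from the article or from Microsoft; it assumes an Exchange 2013 Management Shell session, and the server names, thumbprint and FQDN passed to it are placeholders.

```powershell
# Added example (not from the article): confirm that the chosen SSL certificate
# is installed on every Hybrid transport server, is not self-signed, has the
# SMTP service enabled, covers the inbound FQDN and is not close to expiry.
# Assumes an Exchange 2013 Management Shell session.
function Test-HybridCertificate {
    param(
        [Parameter(Mandatory = $true)][string[]]$Servers,      # servers selected in Figures 10 and 11
        [Parameter(Mandatory = $true)][string]$Thumbprint,     # thumbprint the wizard will store
        [Parameter(Mandatory = $true)][string]$InboundFqdn,    # name entered in Figure 13
        [int]$MinimumDaysValid = 30
    )

    # A wildcard entry one label above the FQDN also satisfies the name check.
    $wildcard = '*.' + ($InboundFqdn -replace '^[^.]+\.', '')

    foreach ($server in $Servers) {
        # Get-ExchangeCertificate reads the server's local certificate store.
        $cert = Get-ExchangeCertificate -Server $server -Thumbprint $Thumbprint -ErrorAction SilentlyContinue

        $installed   = [bool]$cert
        $selfSigned  = if ($cert) { [bool]$cert.IsSelfSigned } else { $false }
        $smtpEnabled = $installed -and ($cert.Services -match 'SMTP')   # Services is a flags enum
        $domains     = if ($cert) { @($cert.CertificateDomains | ForEach-Object { $_.ToString() }) } else { @() }
        $coversFqdn  = ($domains -contains $InboundFqdn) -or ($domains -contains $wildcard)
        $daysLeft    = if ($cert) { [int]($cert.NotAfter - (Get-Date)).TotalDays } else { $null }

        [pscustomobject]@{
            Server          = $server
            Installed       = $installed
            SelfSigned      = $selfSigned
            SmtpEnabled     = $smtpEnabled
            CoversFqdn      = $coversFqdn
            DaysUntilExpiry = $daysLeft
            Ready           = $installed -and -not $selfSigned -and $smtpEnabled -and $coversFqdn -and
                              ($daysLeft -ge $MinimumDaysValid)
        }
    }
}

# Usage (placeholders):
# Test-HybridCertificate -Servers 'EX01','EX02' -Thumbprint '<thumbprint>' -InboundFqdn 'mail.contoso.example' |
#     Format-Table -AutoSize
```

Any row with Ready set to False should be resolved before the wizard is run: the send connector it creates enforces TLS against this certificate, so a server missing it, or presenting a self-signed one, will not be able to exchange Hybrid mail with Office 365.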

On the final two pages of configuration for the Hybrid Configuration Wizard it is necessary to enter credentials for Office 365 and on-premises. These credentials are only used for the duration of the execution of the Hybrid Configuration Wizard and are not stored within the configuration.

First enter on-premises credentials that possess Organization Management permissions, then choose Next:

Figure 14: Entering administrative credentials for on-premises Exchange

For the Exchange Online PowerShell connection used by the Hybrid Configuration Wizard it is necessary to enter a Global Administrator (or, technically, a user with Organization Management permissions within your tenant). After entering appropriate credentials, choose Next.

Figure 15: Entering administrative credentials for Office 365

After entering all configuration details within the wizard choose Update to apply the configuration:

Figure 16: Choosing Update to implement the Hybrid configuration

The Hybrid Configuration will be applied. The first time it is executed this can typically take between 10 minutes and upwards of 30 minutes, depending on the size of your organization. Tasks that lengthen execution include the enablement of organization customization, which is performed only once, and the update of Email Address Policies.

Figure 17: Progress shown whilst the Hybrid Configuration is implemented

After the Hybrid Configuration Wizard completes, all settings listed in the section Understanding the changes the Hybrid Configuration Wizard makes will have been applied except for the OAuth configuration. If the organization is a pure Exchange 2013 organization the OAuth configuration can be applied by selecting Configure:

Figure 18: The completed Hybrid Configuration Wizard offering the opportunity to configure OAuth

Upon selecting Configure, a new browser window will open using the credentials of the user logged into Office 365. After choosing Configure a second time in the new browser window, the Microsoft Office 365 Support Assistant 3.5 will be downloaded and executed. This will create and apply the OAuth configuration.

Figure 19: OAuth configuration in progress

Summary

In part two of this series we have applied the Hybrid Configuration within our organization and by this point we have a basic, functional Hybrid environment. In the next part of this series we will apply basic settings every Exchange Hybrid environment usually needs and examine tests required to ensure functionality works as expected.

3 thoughts on “Using the Hybrid Configuration Wizard in Exchange Server 2013 (Part 2)”

  1. I want to off-board 365 Mailboxes to a staging server before moving them to another Tenant. Do I still need a digital cert for the temp staging server?

  2. Hiya,

    Yes you will need a third party certificate if you use native mailbox moves. Alternatively a third party tool could help (eg. MigrationWiz etc) to move direct from tenant to tenant.
