If you would like to read the other parts in this article series please go to:
- Using the Office 365 Hybrid Configuration Wizard (Part 1)
- Using the Office 365 Hybrid Configuration Wizard (Part 2)
- Using the Office 365 Hybrid Configuration Wizard (Part 4)
- Using the Office 365 Hybrid Configuration Wizard (Part 5)
- Using the Office 365 Hybrid Configuration Wizard (Part 6)
Enabling the Federation Trust Feature (Optional)
After making pre-requisite changes performing tests, it should be safe to perform the Hybrid Configuration. One feature configured by the Hybrid Configuration Wizard requires DNS records to be added during the Wizard. Many organizations prefer to add the DNS Text records before running the Hybrid configuration wizard so that the wizard will complete without warnings.
To identify the DNS Text records required, the Federation Trust can be enabled prior to executing the Hybrid Configuration wizard with little to no risk. After enabling the Federated Trust, an Exchange Management Shell cmdlet can be executed to retrieve the correct DNS record.
Enable the Federation Trust feature in Exchange 2013 or Exchange 2016 by accessing the Exchange Admin Center on-premises and navigating to Organization > Sharing. Underneath the Federation Trust heading choose Enable, as shown below:
Figure 1: Enabling the Federation Trust on Exchange 2013 / 2016
In Exchange 2010, enable the Federation Trust by accessing the Exchange Management Console and navigating to Organization Configuration and selecting New Federation Trust, as shown below:
Figure 2: Enabling the Federation Trust on Exchange 2010
After the Federation Trust is enabled, launch the Exchange Management Shell. Use the Get-FederatedDomainProof cmdlet as shown below to retrieve the Domain Proof:
| Get-FederatedDomainProof -DomainName <Accepted Domain> |
Figure 3: Obtaining Federation proof records manually
The cmdlet should return a number of records. The record to add as a Text (TXT) record is named Proof and appears as a Base 64-encoded string. This is entered on a single line, with no spaces and ends in two equals signs (==).
As shown in the example DNS control panel below the DNS TXT record is entered for the domain itself rather than a sub-domain. It can replace the Office 365 custom validation text record, which is no longer required:
Figure 4: Updating DNS
Performing the Hybrid Configuration
To begin the Office 365 Hybrid Configuration Wizard, open a web browser on the Exchange Server and navigate to the following URL: http://aka.ms/taphcw
Figure 5: Accessing the Office 365 Hybrid Configuration Wizard using a web browser
The Office 365 Hybrid Configuration Wizard will begin to download. When prompted, choose Install, as shown below:
Figure 6: Launching the HCW Installer
The installation for the Office 365 Hybrid Configuration wizard will begin. The wizard downloads the data it needs as part of the installation from a Microsoft domain under windows.net.
After the Office 365 Hybrid Configuration Wizard completes installation, it will launch automatically. The new wizard will attempt to detect the best server to use within your organization, but also provide you the opportunity to select a preferred server to run the wizard against.
After selecting the On-premises Exchange Server Organization, you’ll be given the opportunity to select the Office 365 Exchange Online option. For most Microsoft customers this will be the default – Microsoft Office 365:
Figure 7: Selecting the Exchange Server to run the HCW against
On the next page of configuration for the Hybrid Configuration Wizard it is necessary to enter credentials for Office 365 and On-Premises. These credentials are only used for the duration of the execution of the Hybrid Configuration Wizard and are not stored within the configuration.
First enter on-premises credentials that possess Organization Management permissions, or if the account you are using has sufficient rights, choose Use current Windows credentials.
For the Exchange Online connection that is used by the Hybrid Configuration Wizard it is necessary to enter a Global Administrator (or technically, user with Organization Management permissions within your tenant). After entering appropriate credentials, choose Next.
Figure 8: Entering the credentials to use with the HCW
On the next page of the wizard the credentials will be tested and the connection tested to ensure that the wizard can continue. As with the subsequent pages in the wizard, should an error be encountered, guidance will be given. In general, if you’ve followed the guidance in this series you should not expect to encounter an issue at this stage:
Figure 9: Validating the credentials against on-premises and online
Next, we’ll select the domains to use for our Exchange Hybrid configuration. These are typically the domains you use for SMTP mail flow and in particular should include addresses used as primary SMTP addresses. By selecting the correct domains here, you ensure that mail flow to these domains will always flow back to on-premises using the correct connector, and Free/Busy and Sharing will work correctly in both directions.
During the wizard, tests are performed to look up Autodiscover information against each Hybrid domain. If you do not have Autodiscover configured correctly for all these domains, select a domain that does have Autodiscover correctly configured. This is typically your primary domain and your Microsoft Connectivity tests earlier should have identified at least one such domain:
Figure 10: Selecting Hybrid domains and, optionally, selecting a single Autodiscover domain
On the next page of the wizard the Federation Trust will be created if it wasn’t created in the previous step. If you didn’t choose to pre-create and register the entries earlier in this guide, then select the copy to clipboard option and add to your external DNS. After ensuring that the records are in the external DNS, select I have created a TXT record for each token in DNS, then choose Verify domain ownership to perform pre-requisite lookup tests. Once the tests are successful, choose Next:
Figure 11: Verification of Federation Proof records
The Hybrid Configuration Wizard will next require input to choose the types of servers to use for SMTP mail transport, and whether to route mail through on-premises, known as Centralized Mail Transport within the wizard or deliver mail directly.
Figure 12: Selecting options for mail transport
If you need to use Centralized Mail Transport, select Advanced and then select Enable Centralized Transport:
Figure 13: Options to enabled Centralized mail transport
Once you have selected the correct option, based on the decisions made earlier in this series select the relevant option, then choose Next.
On the next page of the Wizard it is necessary to select the servers used for receiving mail from Office 365. As mentioned in the first part of the series these will typically be the organization’s Internet-facing servers that are the target of the inbound SMTP DNS name.
For Exchange 2010, these will be servers with the Transport role. For Exchange 2013, these will be servers with the Client Access role and for Exchange 2016 – these will be servers with the Mailbox role.
Select the servers and choose Next:
Figure 14: Selecting the servers for Hybrid receive connectors
For outbound mail, select the Exchange servers that will be bound to the Office 365 Send Connector. Often in a best practices multi-role deployment these will be the same servers. With Exchange 2010 these will be servers hosting the Transport role, and for Exchange 2013 and 2016 these will be servers hosting the Mailbox role.
After selecting the servers, choose Next:
Figure 15: Selecting the servers for the Hybrid send connector
In the next step the SSL certificate to use with the Hybrid Send and Receive connectors must be selected. The wizard will store the Thumbprint of the certificate.
The list will show the SSL certificates that have been installed on all Exchange Hybrid servers selected in the previous two steps. Select the SSL certificate decided upon in part one of the series and choose Next.
Figure 16: Selecting the SSL certificate for Hybrid mail transport
To match the SSL certificate enter the FQDN that will be used for mail from Office 365 destined to flow through or into Exchange, then choose Next:
Figure 17: Entering the Hybrid mail transport DNS name
After entering all configuration details within the wizard choose Update to apply the configuration:
Figure 18: Confirming details and choosing to update or create the Hybrid configuration
The Office 365 Hybrid Configuration will be applied. This can typically take between 10 minutes to upwards of 30 minutes depending on the size of your organization the first time it is executed. Tasks that delay execution include the enablement of organization customization, which is only performed once and update of Email Address Policies.
Figure 19: Showing the HCW in progress
After the Hybrid Configuration Wizard completes all settings listed in the Understanding the changes the Hybrid Configuration Wizard makes should be applied, and you can choose to close the wizard:
Figure 20: A successful HCW completion screen
If any errors occurred or any warnings were generated, these will be listed. You will see a description of any errors, alongside a link to read more about the error and aid troubleshooting:
Figure 21: Errors generated by the HCW along with potential solutions
After closing the wizard, you will also see a newly installed application, with a link configured on the desktop. You can use this to re-launch the Office 365 Hybrid Configuration Wizard at a later date:
Figure 22: HCW Icon
Summary
In this part of the series, we’ve successfully executed the Office 365 Hybrid Configuration Wizard. In the next part of this series, we’ll begin post-configuration changes to Exchange.
If you would like to read the other parts in this article series please go to:
I have a single-forest/multiple tenant (for the reason of billing Pro Plus licensing) customer who have not thought one single thought about being ‘hybrid-fit’ – until now where they want to start moving mailboxes to the respective sub-company-tenants.
Can I run the HCW multiple times, each time specifying a different user with Organization Management permissions in the Office365 User ID-field to have org relationships and federation with multiple tenants?
Br. Tim
No, you can’t. It’s one Hybrid relationship per Exchange org / Forest with a single Tenant.
Hi,
I’m planning to setup hybrid Office 365 with my exchange 2010 environment.
fyi>EOP had already configured a few years ago with Office 365. so currently all incoming and outbound emails go thru Office 365.
I was wondering whether I still require to do the Receiver and Sender Connector Configuration steps as part of the Wizard. do I skip this? as it’s already configured.
Please advise.
When I run the HCW it only detects one of my 6 on-premise exchange servers for the Receive Connector server. This happens to be the only one running Exchange 2016 with the rest being 2013. However when I go to the Send Connector on the next step it detects all of my servers. Is there some type of configuration requirement for it to detect my Exchange servers for a new Receive Connector? The one I want is not listed as an option.
Hello Steve
I setup an hybrid environment O365 – Exchange 2016 with no Edge server.
* I was able to migrate [email protected] to O365.
* I kept [email protected] on the onpremise Exchange server.
* The DNs records (mx, autodiscover …) point to mail.existingdomain.com onpremise external IP AND NOT to O365.
I created a set of rules on the firewall to allow O365 IPs to communicate with Onpremise exchange server with no proxies or anything in the missdle.
I created the same set of rules to allow Exchange server to communicate with O365 IPs with no proxies.
When I run the outbound connector validator (from O365 to Exchange onPremise, smart host set to mail.existingdomain.com), it fails with an error message as “RecipientStatus:[{LED=550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient [email protected] not found by SMTP address lookup}”
The [email protected] is able to send/receive email to internet. This user is able to send email to the migrated [email protected].
The [email protected] is able to receive/send email to internet. This user is unable to send an email to an internal user with mailbox set on the onpremise exchange server, but it is able to receive emails sent by [email protected].
And Im stuck there without knowing how to resolve such error. I do not find on the internet “the page” that will give me the answer what could be wrong. Any idea why the system reacts like this ? Did I miss a parameter somewhere ? Is it a routing issue ?
thank you if you have any ideas of what could happen here. Have a nice day.
Thierry
In Exchange 2016 environment, if we publish EWS and SMTP separately over two public IPs and ports restricted accordingly using different mailbox roles using the cert below, will HCW be able to configure full classic hybrid correctly or do we need to setup using mail.domain.com FQDN in Organization FQDN and later on manually update the smart host on O365 connector to point to SMTP FQDN.
SSL Cert:
Subject: domain.com
SAN: mail.domain.com, autodiscover.domain.com, smtp.domain.com
My assumption is that HCW will do the autodiscovery by itself to discover mail.domain.com FQDN. We just pick separate servers for SMTP and cert and use smtp.domain.com when it prompts for the Organization FQDN. We don’t need to mention mail.domain.com at any stage during the HCW setup.
The reason why I am running through this process is to ensure that the HCW will set this environment correctly, especially the other things it does such as shared domain name space, federation, Modern Auth etc. I am wondering if I need to use mail.domain.com with HCW and change the smart host on the O365 connector once it runs.
Which one will be the right approach?
Pl. advise.