Configuring Exchange 2019 and Exchange Online in Full Hybrid mode

While many organizations are flocking to cloud offerings, such as Office 365 and Exchange Online, others continue to host their email on-premises. By releasing the newest iteration of Exchange (Microsoft Exchange Server 2019), Microsoft has given these organizations a few more years of “on-prem” time. Will there be an on-prem Exchange solution beyond 2019? Who knows? However, with Exchange Server 2019 here, I figured it would be a good idea to explain how to configure it to work with Exchange Online in Full Hybrid mode.

What we’ll cover

In this tutorial, we will walk through the process of provisioning an O365 tenant and then we will use the Hybrid Configuration Wizard to connect an on-prem Exchange 2019 organization with the O365 tenant that is provisioned. We’ll cover the HCW setup process, the preparation of the on-prem Active Directory, and then the deployment of Azure AD Connect.

When you finish reading this tutorial, you should have no problems connecting an on-premises Exchange 2019 organization to an O365 tenant, using the Hybrid Configuration Wizard. Let’s get started!

Prerequisites

Before going into the process of setting up a Full Hybrid between Exchange 2019 and Exchange Online, let’s cover what my lab looks like.

The lab for this tutorial includes an on-prem AD, a domain controller, and Exchange 2019 server (both hosted on VMs in Azure), and a publicly routed email domain:

  • Active Directory: bluewidgets.local
  • AD Domain Controller: DC01.bluewidgets.local (Windows 2016)
  • Exchange 2019 Server: EX01.bulewidgets.local (Windows 2016)
  • Email Domain: bluewidgets.org (hosted at GoDaddy)

I’ve added bluewidgets.org as an alternate UPN suffix for the bluewidgets.local AD domain, and I’ve updated all users in the domain to use bluewidgets.org as their UPN suffix. This is necessary because, when the users eventually sync to O365, they must be syncing with an Internet-routable domain name as their UPN suffix.

Getting started

The first step in the process is to provision an O365 tenant. For this tutorial, I provisioned a tenant with a single E1 license. (E1 provides an Exchange Online license.)

To sign up for a new O365 tenant, visit this link.

exchange 2019

If you are following along with this tutorial, all you need to do is purchase a single E1 license during tenant provisioning.

Once you have the O365 tenant provisioned, login and add your email domain to the tenant. The email domain that I’m using for this tutorial is bluewidgets.org so that’s the domain I’ve added to my newly-provisioned O365 tenant. To do this, click on Setup, and then Domains, after logging into the tenant as a Global Admin. Click “Add Domain” and then add your on-prem email domain.

exchange 2019

exchange 2019

After adding the email domain to the O365 tenant, you’ll need to verify the domain. Doing so proves to Microsoft that you own the domain that you are adding.

exchange 2019

To verify the domain, you can either sign in to GoDaddy (if your domain’s DNS is hosted there) or you can add a TXT record to your public DNS. I prefer to add a TXT record in all cases.

exchange 2019

After adding the requested TXT record to DNS, click the Verify button to allow O365 to check for the record’s existence.

exchange 2019

After verifying the domain, you’ll be prompted to update DNS records so that things like autodiscover, MX, and such point to O365. Skip this for now because changing them now will break mail flow to your on-prem environment.

exchange 2019

After clicking the “Skip” button, click “Finish” to complete the DNS setup.

exchange 2019

After clicking “Finish,” your new domain will show “Possible service issues” because O365 is still looking for the DNS entries it previously wanted you to add. This is OK to ignore.

exchange 2019

Run the Hybrid Configuration Wizard

The Hybrid Configuration Wizard is the software that connects the on-premises Exchange 2019 org to Exchange online. It creates a HybridConfiguration object in the on-prem Active Directory, which stores the hybrid configuration information for the hybrid deployment. This information is then updated by the HCW. The HCW then collects existing on-prem Exchange and AD topology information, O365 tenant data, and Exchange Online configuration data. It then defines organizational parameters and performs several configuration tasks in both the on-prem Exchange org and the Exchange Online org.

To run the HCW, open the on-prem Exchange Admin Center and click “Hybrid” and then “Configure.”

exchange 2019

After clicking “Configure,” you are prompted to sign in to your O365 tenant.

exchange 2019

Login with the Global Admin account.

exchange 2019

After logging into O365, click “Configure” again to continue the HCW setup and configuration.

exchange 2019

The HCW application is downloaded and then launches.

exchange 2019

exchange 2019

You will be prompted to specify a server running Exchange. In this lab environment, there is only one Exchange server, so I’ve selected EX01.

exchange 2019

In most cases, you’ll select “Office 365 Worldwide” as the location hosting Exchange Online. After doing so, click “Next” so you can provide login credentials for both the on-prem environment and for the Exchange Online environment.

exchange 2019

 

After supplying both sets of login credentials, click “Next” to allow the HCW to gather configuration information for both environments.

exchange 2019

 

When the collection is complete, you are prompted to choose a hybrid mode. For this tutorial, we are covering a full hybrid solution, so I’ve chosen the Full Hybrid Configuration option.

exchange 2019

Clicking “Next” takes you to the Federation Trust setup screen when you must click “Enable” to enable a Federation Trust between the two orgs. As a side note, such a trust is NOT necessary when configuring a Minimal Hybrid solution.

exchange 2019

When you enable the Federation Trust, you’ll be prompted to add a TXT record to the public DNS for the email domain. Copy the TXT record value supplied and add it to the public DNS for the email domain.

exchange 2019

After adding the TXT record to DNS, continue with the Domain Ownership confirmation portion of the Federation Trust setup process.

exchange 2019

After confirming domain ownership by clicking “Next,” you are prompted to choose a way to ensure secure mail between the on-prem org and Exchange online. You may choose to configure the CAS/MBX servers for secure mail or you can use Edge Transport. The first option is most — and is what we will do for this tutorial (since there is no Edge Transport server in place).

exchange 2019

After clicking “Next,” configure a receive connector. You will be prompted to select an on-prem server. I’ve selected EX01 (my only server) in this example.

exchange 2019

After clicking “Next,” you are prompted to configure a send connector and are, again, asked to choose an on-prem server to host it.

exchange 2019

After configuring the send connector and clicking “Next,” you must choose the transport certificate that will be used to secure mail between the organizations. This must be a public cert (typically the one already installed on the on-prem Exchange server).

exchange 2019

Clicking next brings you to the Organization FQDN screen, where you must provide a fully qualified name for your on-prem org. I’ve used mail.bluewidgets.org in this example.

exchange 2019

Click “Next” to move onto the “Update” page, where you will complete the configuration of hybrid.

exchange 2019

 

The Hybrid Configuration Wizard will take all of the information that you have provided and complete the hybrid connection setup, making changes as required.

exchange 2019

When the process completes, you are greeted with the “Congratulations” screen that indicates the Hybrid Configuration Wizard has successfully created the hybrid connection.

Directory synchronization

Once the Hybrid Configuration Wizard has completed, you can then setup Azure AD Connect to sync on-prem users to O365. To get started, login to a domain-joined server and browse to the Active Directory Admin Center in the Azure portal. From the portal, download the latest version of Azure AD Connect.

In my lab for this tutorial, I did this from the domain controller. Although this works, my personal preference is to use a separate server specifically for Azure AD Connect. You should do what’s best for your environment.

exchange 2019

After downloading Azure AD Connect, launch the installer.

exchange 2019

Accept the license terms and click “Continue.”

exchange 2019

Follow the instructions on-screen to determine whether you should use Express or Custom. Although my lab Active Directory is a single-forest AD, I am using bluewidgets.local, a non-routable domain name, as my AD domain name. As you can see in the screenshot, the Custom option is recommended when using a nonroutable domain name — so in this example, I chose Custom.

exchange 2019

After clicking “Customize,” begin the installation by installing required components. The optional checkboxes can all be left unchecked.

exchange 2019

After you click “Install,” the installation begins.

exchange 2019

When prompted to choose a sign-in option, select Password Hash Synchronization and click “Next.”

exchange 2019

After clicking “Next,” you are prompted to connect to Azure AD by providing Global Admin credentials. Do so and then click “Next.”

exchange 2019

After Azure AD Connect connects to Azure AD, you are prompted to connect to the on-prem org. Do so by providing an Enterprise Admin account. In my lab, I opted to allow Azure AD Connect to create a service account for me by selecting the first radio button.

exchange 2019

After providing admin credentials for both environments, click “Next” to connect the directories.

exchange 2019

Once the directories are connected, you are taken to the “Azure AD Sign-In” screen. If your on-premises AD uses a nonroutable domain name (.local, for example), you’ll see a notification that not all domains have been added (and the .local will be called out). As long as the domain listed with the alternate UPN suffix is showing as “Verified,” you can continue.

exchange 2019

/You will need to confirm that you are OK with the UPN suffix mismatch by checking the box and then clicking “Next.”

After clicking “Next,” configure Domain/OU Filtering by either syncing all domains and OUs or by filtering them. For this tutorial, I’ve chosen to sync just the “Employees” OU. I chose to do so to prevent sync of unnecessary accounts to O365 (ie. service accounts and such).

exchange 2019

After selecting which OUs to sync, click “Next” to specify how users should be identified in the on-prem AD.

exchange 2019

For this lab, I just left the options at their defaults (and you should also be able to do so in most cases as well). Click “Next” to move onto the group filtering settings.

exchange 2019

 

The filtering option offers the ability to limit synchronization to a specific group of users. This is helpful for piloting. For this tutorial, I skipped over group filtering since I was already filtering on a specific OU.

Click “Next” to move on to optional features.

exchange 2019

When configuring the Optional Features, check the “Exchange hybrid deployment” checkbox and leave everything else unchecked. Obviously, if you wanted to enable other features, such as password writeback, you would enable those — but those options are outside the scope of this tutorial.

Click “Next.”

exchange 2019

When you arrive at the “Ready to Configure” screen, ensure the “Start sync” box is checked and then click “Install.” Azure AD Connect will complete configuration and it will perform a sync of selected OUs to O365.

exchange 2019

When configuration completes, you are presented with a “Success” screen that provides an overview of settings.

exchange 2019

If you switch over to the O365 tenant, you can confirm that your users have been synchronized into O365 as expected.

exchange 2019

You can further test your hybrid configuration by opening the Exchange Admin Center for the on-premises environment and provisioning a mailbox. When you click on “Recipients” and then the “+” sign to create a new mailbox, you should now see “Office 365 Mailbox” as an option. This allows you to create an on-prem user that uses a mailbox hosted in O365.

exchange 2019

 

Optional configuration

Once you’ve confirmed the hybrid is working as expected, you can modify your DNS records (the ones that you skipped at the beginning of this tutorial) so that autodiscover and MX records point directly to Exchange Online / O365, instead of the on-prem Exchange environment. However, if you decide to do this, make sure you modify both internal and external records for autodiscover. There should only be an external MX record.

exchange 2019

These DNS changes should only be completed if you are migrating your on-prem mailboxes to O365 — and should only be completed after all mailboxes have been migrated.

If you choose to make these DNS changes, select “Exchange” and make the DNS changes that are presented to you.

exchange 2019

After making the changes, click the “Check DNS” button to ensure you’ve made the proper changes.

exchange 2019

Summary

The overall process for deploying a hybrid solution, essentially, consists of just a few main steps. These steps include:

  • Provision O365 Tenant
  • Add and Verify Domain in O365
  • Run Hybrid Configuration Wizard
  • Deploy and Configure Azure AD Connect
  • Modify Remaining DNS (optional)

The process sounds scary but after you’ve done one or two hybrid deployments, it becomes apparent that the process isn’t nearly as scary as it looks.

4 thoughts on “Configuring Exchange 2019 and Exchange Online in Full Hybrid mode”

  1. I believe you would’ve installed Exchange 2019 on Windows 2019 and not Windows 2016, as 2016 not supported?

    Also, based on my reading, you cannot get a hybrid key for Exchange 2019, and that to use it for hybrid purposes you would need a volume licence Exchange key, or you would need to use Exchange 2016 for hybrid. Is your understanding correct?

    1. Thomas Mitchell

      Hi Chas… The Exchange 2019 server that is used in this lab/demo was actually built on Windows 2016 Core a few months ago, prior to Microsoft’s published Windows Server 2019 requirements. You are correct however – moving forward, Windows 2019 is the published OS “requirement” for Exchange 2019. As far as the hybrid license goes, this particular tutorial assumes that you will actually host mailboxes on prem and in O365, meaning a full Exchange license would be required.

  2. Chas,
    Is it possible to remove the on-prem servers later which have the mailbox roles and add an on-prem exchange server with management roles only.
    So all mailboxes are in off365 and we have an exchange server on-prem with just management role (no mailbox or CAs roles). Is this a supported configuration

  3. Mark O'Loughlin

    Hi Thomas,

    Just wondering if this guide is setting up a Classic Full Hybrid, or Modern Full Hybrid environment.
    Apparently I need to be setting up Classic Full Hybrid as we want Microsoft Teams access to on-premises calendar’s, etc.

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top