Configuring an Exchange Hybrid Deployment & Migrating to Office 365 (Exchange Online) (Part 1)

If you would like to read the other parts of this article series please go to:


It’s a fact that more and more organizations are making or at least are considering making the move from an on-premise messaging environment to Exchange Online (part of Office 365) in the foreseeable future. The migration path from an on-premise messaging environment to Exchange Online will differ based on things such as size of the on-premise environment, number of users, the messaging environment an organization is migrating from as well as the expectations revolving around coexistence.

So if we leave third party migration solutions out of the picture, we have four different migration approaches at our disposal:

  • Exchange Cutover migrations
  • Staged Exchange migrations
  • Hybrid Exchange Deployment-based migrations
  • IMAP-based e-mail migrations

In this particular multi-part article series, I’ll go through the steps necessary to configure an Exchange 2010 hybrid configuration in existing Exchange 2007 on-premise organization followed by migrating mailboxes from the Exchange 2007 organization to Exchange Online. I’ll also uncover the advantages you get by choosing a hybrid configuration based migration. I already demystified staged Exchange migrations here on If you missed that article series, have a look here. The other migration approaches will be covered in another set of articles.

Ok so the primary targets for an Exchange hybrid deployment based migration to Exchange Online are large organizations that wish to move mailboxes to Exchange Online over a longer period of time or only want to move a subset of the total mailboxes. An Exchange hybrid deployment based migration to Exchange Online involves the following deployment steps:

  • Configure ADFS based identity federation in order to provide users with a single sign-on (SSO) experience when accessing services part of the Office 365 offering.
  • Configure directory synchronization (DirSync) so that on-premise users, groups and contacts are synchronized to Office 365. By doing so there will only be one source of authority (the on-premise Active Directory forest), which means that users migrated to Office 365 can be managed from the on-premise environment. Changes made to a user in the on-premise environment will be reflected in Office 365.
  • Deploy Exchange 2010 Hybrid deployment servers into the existing on-premise Exchange organization so that rich coexistence can be set up between the on-premise Exchange organization and Exchange Online. A hybrid deployment provides functionality such as free/busy & calendar sharing, MailTips integration (between Exchange Online & Exchange on-premise), Exchange Online-based online archiving support, option to offboard mailboxes from Exchange Online (move mailbox back to Exchange on-prem) as well as the option to manage Exchange Online users using the on-prem Exchange Management Console.

As most of you know, Office 365 not only consists of Exchange Online but also Lync Online and SharePoint Online, Office Web Apps etc. However in this article series we only focus on the Exchange side of things. Said in another way, the steps required to configure and move from on-premise solutions to Lync Online and SharePoint Online are outside the scope of this article series.

Alright, we have a lot to cover so let’s get started.

Overview of the Lab Environment

The lab environment used as the basis of this article series consists of the following servers:

  • 2 x Windows Server 2008 R2 Domain Controllers
  • 2 x Exchange Server 2007 Service Pack 3 multi-role (CAS/HUB/MBX) server (in a Windows NLB)
  • 2 x Forefront Threat Management Gateway (Forefront TMG) Servers in a stand-alone array

The Active Directory forest name is ”” and I use split-brain DNS which means that the same namespace is used internally as well as externally.

The TMG array publishes Outlook Anywhere (OA), Outlook Web Access (OWA) and Exchange ActiveSync (EAS) to the Internet.

A wildcard certificate (* is configured on the Exchange 2007 servers as well as the TMG servers in the TMG array.

When moving through this article series, we will deploy the following servers into the on-premise environment:

  • 2 x Active Directory Federation Services (ADFS) Servers (for identity federation)
  • 2 x Active Directory Federation Services (ADFS) Proxy Servers (for identity federation)
  • 1 x Windows Server 2008 R2 domain member server with DIrSync configured (for directory synchronization with Office 365)
  • 1 x SQL 2008 R2 server that will store the DirSync database
  • 2 x Exchange 2010 Service Pack 2 based hybrid deployment servers (for rich coexistence with Exchange Online)

Below is a conceptual diagram of the environment.

Figure 1

Creating an Office 365 Tenant

Okay so the very first thing we want to do is to create the Office 365 tenant. You can create a trial here. After having filled out the form and chosen an Office 365 tenant name, you receive an email containing the Office 365 portal link and other information such as tenant name, service plan and expiration date (Figure 2).

Figure 2:
Office 365 Welcome Email

When you log on to the Office 365 portal, you are presented with the screen shown in Figure 3. Much like the Exchange Management Console (EMC), the Office 365 portal is split into four work centers (left pane): Setup, Management, Subscriptions and Support. You also see three or four links in the top of the page depending on whether you have been assigned an administrative role or not. Normal end users have the Home, Outlook and Team Site links while an administrator also has the Admin link.

Figure 3:
Office 365 Portal

Adding a New Domain to O365

The very first thing we want to do in order to prepare for a hybrid deployment is to add our on-premise domain name (in this case “”) to the Office 365 tenant. To add a domain to an Office 365 tenant, click “Domains” under the Management work center. On the “Domains” page, you see the default “” domain listed.

Figure 4:
Domains section in Office 365 portal

Click “Add a domain” and then specify the domain you wish to add as shown in Figure 5 then click “Next”.

Figure 5:
Specifying the domain you wish to add

Office 365 now needs to verify that you actually are the owner of this domain. This can be done using two methods. One is to add a TXT record to the public DNS server hosting your domain (recommended approach) and the other is to add an invalid MX record. In this article, we use the TXT record-based approach.


Figure 6:

Instructions for verifying the added domain

Figure 7: Instructions for verifying the added domain

To add a TXT record, log on to the DNS control panel at your DNS hosting provider then click ”Add TXT record” or whatever its called in the web UI you’re using. The steps differ a bit from DNS provider to provider, but basically, you need to add a host name and the ”Destination” for that host name as shown in Figure 8.

Figure 8:
TXT record added in the DNS Control Panel at public DNS provider

After having added the TXT record go back to the Office 365 portal and click the ”Verify” button. Since it can take up to 72 hours for the TXT record to propagate throughout the DNS systems, you will most likely receive the error message shown in Figure 9. So now is a good time to have a break and do something else.

Figure 9:
DNS verification for domain failed

When Office 365 can verify the domain successfully, you are taken to the page shown in Figure 10. Here you can specify which services you wish to use with the domain. Make sure you at least select ”Exchange Online” and then click ”Next”.

Figure 10:
Specifying the services for which the domain is to be used

The domain has now been added to the Office 365 tenant and at this stage you can either select to ”Configure DNS settings” or click ”Close”. Since we do not want to direct SMTP traffic directly to Exchange Online or change the autodiscover DNS record yet, click ”Close”.

Figure 11:
The domain has now been added to the Office 365 tenant

We’re taken back to the domain list, and here we can see the status for the domain has changed to ”Verified”.


Figure 12:
Domain has been verified successfully

This concludes part 1 of this multi-part article in which I explain how you configure Exchange hybrid deployment followed by migrating to Office 365 (Exchange Online). Until next time have fun!

If you would like to read the other parts of this article series please go to:

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top