If you would like to read the other parts in this article series please go to:
Introduction
In parts one to three of this series, we looked at the checks you need to make before beginning your Hybrid Configuration, then looked at what changes will be made to your Exchange environment, before going through the Hybrid Configuration Wizard itself. In part four of this series we looked at troubleshooting Hybrid Configuration Wizard failures and started to look at the kind of tests you need to perform.
For the final part of this article, we’ll continue to look at the tests worth performing along with common areas to investigate if those tests fail.
Testing Mail Flow
Naturally mail flowing back and forth correctly is a key component of any mail system, therefore it’s important to ensure this is the case with your new Hybrid environment. You’ll be expecting mail flow, from an end-user perspective to be near-identical to the experience between on-premises mailboxes.
That means messages between recipients and to distribution groups should work just the same, internal Out of Office messages should display and if you’re routing all messages to the internet through your on-premises Exchange servers – messages should reach the internet fine.
As a minimum, test the following features:
- Test mail flow from on-premises to Office 365
- Test mail flow from Office 365 to on-premises and the internet
- Test mail flow to unauthenticated distribution groups from Office 365
- Test mail flow to authenticated distribution groups from Office 365
- Test internal Out of Office set on an on-premises user from Office 365
- Test internal Out of Office set on an Office 365 user from Office 365
When troubleshooting mail flow failures ensure that firewall rules for inbound and outbound mail to and from your Hybrid Hub Transport servers allow port 25 to and from the IP address ranges for Office 365.
When troubleshooting outbound mail, in addition to your firewall logs, you can examine the message tracking logs and view the outbound mail queue within Exchange Server.
For inbound mail from Office 365, you can use Forefront Online Protection for Exchange (FOPE) to check settings and use message tracking.
You can access the FOPE by navigating to http://portal.microsoftonline.com, then in the Admin Overview page choose to Manage Exchange Online:
Figure 7: Office 365 Admin Portal
Next, after the Exchange Control Panel launches, choose Mail Control then choose Configure IP safelisting, message tracing and email policies:
Figure 8: Exchange Control Panel
On the FOPE homepage, you can examine the Connectors section to examine the Hybrid Mail Flow Connectors that are created by the Hybrid Configuration Wizard. Check each of these match the settings specified in the wizard:
Figure 9: FOPE Admin Center Connectors
To check message tracking logs in FOPE, navigate to Tools and choose Message Tracing. You can then search for messages sent from Exchange Online to your on-premises Exchange organization and examine error messages generated:
Figure 10: FOPE Message Tracking (Tracing) logs
Testing Federated Sharing
The Federated Sharing Features primarily allow free/busy and Calendars to be shared between uses in both on-premise and Office 365 sides of your Hybrid Exchange environment.
Both availability and calendar sharing rely heavily on Exchange Web Services for functionality, and the configuration and testing put in place in the first part of this article should ensure that both work, however it’s important to test these features and at the same time understand how it should be used by end users.
The following tests should be performed to ensure functionality.
- Test availability of on Office 365 user from on-premises
- Test availability of an on-premises user from Office 365
- Test Calendar sharing by creating calendar sharing requests
- If you have a larger organization with Exchange servers in multiple Active Directory sites, test to and from test users in non-internet facing Active Directory sites after testing against users in internet facing sites.
The first time you use either of these features, you may find that it takes a little while to work – just like when Exchange has freshly booted up, OWA takes a little longer to respond. So, before starting to troubleshoot, consider retrying after a couple of minutes, trying free/busy against a different test recipient or shared calendar.
If after retrying you still receive failures, examine IIS and Event Logs for more insight and to verify requests are reaching the Exchange on-premises organization.
Next, use the Test-FederationTrust cmdlet to find out more information about the error, using the on-premises Exchange Management Shell. For the UserIdentity parameter, use the mailbox you’re trying to view free/busy for (whether that’s an Office 365 or On-Premises mailbox); and to gain more insight, use the Verbose parameter:
Test-FederationTest -UserIdentity <[email protected]> -Verbose
In the example below, we can see that the reason for the failure was due to the time being incorrect for the domain:
Figure 11: Testing Federation Features used for Free/Busy
Test Mailbox Move Functionality
The final feature that is important to test, if you plan on moving Mailboxes either to or from Office 365, is Remote Moves. To ensure you can move mailboxes both ways, ensure you test:
- Test mailbox move functionality from on-premises to Office 365
- Test mailbox move functionality from Office 365 to on-premises
To initiate moves, navigate either to your On-Premises or Office 365 organization in the Exchange Management console and expand Recipient Configuration > Mailbox to find the mailbox you want to move to the opposite organization, then right-click and choose New Remote Move Request:
Figure 12: New Remote Move Request
For move to Office 365, enter the fully qualified domain name (FQDN) of your external name of your Hybrid Client Access servers – these are the servers the Hybrid Configuration Wizard enabled the Mailbox Replication Services proxy (MRSProxy) during the Wizard, then enter the credentials of an on-premises administrative user with Migration role – A member of the Recipient Management role group will have this permission:
Figure 13: Speciying the Hybrid server and credentials
On the next page, enter the service domain (e.g. <tenantname>.mail.onmicrosoft.com) as the Target Delivery Domain:
Figure 14: Specify the target delivery domain
For a move from Office 365, again enter the Hybrid Client Access server and on-premises credentials with the same permissions used to move the test mailbox to Office 365. When promoted for the target delivery domain however, you’ll use an on-premises accepted domain. For the Remote Target Database, carefully enter the database name. For pre-Exchange 2010 databases, you’ll need to prefix this with the server name and storage group (for example servername\storagegroup\database):
Figure 15: Specifying the Target Delivery Domain and Remote Target Database
When troubleshooting remote move requests, check the following:
- Credentials used to request the mailbox move.
- FQDN is correct for the Hybrid Client Access Servers
- Database name entered when moving mailboxes from Office 365 to on-premises
- Ensure that DirSync is correctly running and for moves to Office 365 Mail-Enabled contacts have been created that correspond to the On-Premises mailboxes being moves; and for moves from Office 365, DirSync writeback for Rich Co-existence was enabled when DirSync was configured.
- The MRSProxy is enabled for the Hybrid Client Access Servers. You can verify this with the following command, which should show MRSProxyEnabled as True:
Get-WebServicesVirtualDirectory | fl Identity,MRSProxyEnabled
Summary
In the final part of this article, we’ve continued to look at areas to test after executing the Hybrid Configuration Wizard; and we’ve looked at how to troubleshoot issues you might experience. Although it’s impossible to cover every single issue you might experience, hopefully these tips will ensure you are able to thoroughly test your Hybrid environment before moving ahead, and put you on the right track to solve any problems.
If you would like to read the other parts in this article series please go to:
