Thursday 27 September 2018

How to run the HCW to configure hybrid from Exchange Server to Exchange Online

I’ve put together a comprehensive list of my notes on how to implement an Exchange Hybrid to Office 365 with Exchange 2016. This is something I have done countless times now, but I always forget some of the finer details every time I do it, so this is for my own archive more than anything.
The setup in this example is simple, there is a single Exchange Server on premise which is used for:
  • Email administration (both on premise and Office 365)
  • Local SMTP relay for devices with no Internet route
The topology looks something like this, a single Exchange 2016 sits on premise, there is a firewall between it and the Internet. All external MX Records point to Office 365, the firewall is configured to all the Exchange Server out to the EXO IP’s on SMTP TCP 25. It also allows inbound SMTP TCP 25 which is NAT’d to the Exchange Server. In addition to this the NAT rule also include HTTPS TCP 443 from anywhere.

I’m going to assume you have the following things already configured:
  1. Install Exchange Server 2016 (latest CU)
  2. Configure Exchange Server
    1. Virtual Directories with External URL’s (e.g
  3. Configure External DNS
  4. Configure Exchange Certificates
    1. A wildcard certificate is best, but if you do not have a wildcard certificate ensure your certificate has multiple Subject Alternative Names (SAN’s) to cover things like, to prevent any certificate warnings from Outlook.
In this post I’m going to cover the following with some lessons learned.
  1. Hybrid Configuration Wizard
  2. Verify and Test Hybrid
  3. Administering a Hybrid
Firewall Rules
Exchange Server should be presented to the Internet on TCP ports 25 and 443. The firewall rule should only accept incoming SMTP (TCP 25) from the Exchange Online IP’s. HTTPS (TCP 443) however should be open to all to ensure services such as Autodiscover work correctly. These rules should be done using NAT on your perimeter firewall.
The Exchange Server should be allowed out to the Exchange Online IP’s for SMTP (TCP 25). It’s advisable to only allow the server itself out and not the other nodes in the subnet.
MX Records
It’s possible to have your MX Records point to either Office 365 or the on premise server for a hybrid deployment. It’s my preference to always have these points to the Office 365 tenant. When your setup your custom domain for Office 365 you will be given the target address for your MX records to point.
Centralized Mail Flow
Centralized Mail Flow is when all your outbound mail is forced to go through the on premise Exchange Server. Personally I prefer all mail to be routed out via Office 365, ensure this option is not selected if you want Office 365 to route outbound mail.
Full or Minimal Hybrid
Full Hybrid gives the richest coexistence and will be required if your organization is going to retain hybrid for an extended period of time.  
Edge Transport
The Edge Transport server is an SMTP Relay which sits between your Exchange Server and the Internet, most commonly in a DMZ. You must decide if this is going to be in your topology before you run through the hybrid wizard.
AD Connect
AD Connect will be required to sync you on premise identities to Office 365. This should be configured with Password Sync and Exchange Hybrid Deployment. Please note if the Exchange Hybrid Deployment option is not selected AD Connect will not write-back the Exchange-specific attributes to AD which will cause internal mail routing issues.

If AD Connect is already in place, you must change the settings so that you can reconfigure it to use Exchange Hybrid Configuration. To do this open the AD Connect admin screen and edit the configuration, on the Optional Features you will see the option.

Login to the ECP on the Exchange Server and click the Hybrid tab, then click Configure. This will download the HCW, install and run it.

It should auto detect the Exchange Server, ensure you select the correct Office 365 (more than likely Worldwide).

You will be prompted for credentials for on premise AD and Office 365, the AAD creds must be Global Admin.

The HCW will check over each environment.

Select which features you want as part of this hybrid, Full Hybrid gives the richest integration between on premise and Office 365.

Now you need to publish a TXT record to the root of your domain so that the HCW can validate you own the domain. Create the record, wait for it to replicate and verify the record. This part of the HCW is prone to break. Top tip is to rerun the HCW if it continously fail, it will eventually pass the validation test if the record has been created correctly. 

Enable the federation trust, this will ensure free/busy information etc. can be share across the environments.

I don't have an Edge Transport server in my environment so I've chosen the CAS option. If you click Advanced you will be presented with an option to use Centralized Mail Flow, this will route all mail through your on premise Exchange, which is probabaly not wise.

The HCW will auto create Receive connector so that the Exchange Server can accept incoming mail from Office 365, choose from the drop down the server you want this to be created on.

Same goes for a Send Connector, we will examine the Send Connector further down and create another one to ensure mail flow to external recipients works correctly. 

A globally trusted certificate must be installed on the Exchange Server, the same certificate you use to secure the servers Virtual Directories can be used by the HCW. A wildcard is generally best as it can cover multiple service names behind a single domain.

You then need to input the on premise service name I tend to use, this is how Exchange Online will route mail to mail-enabled objects that reside in your domain. Obviously a DNS A record must be created to direct this service name to the outside IP address of your Exchange Server. Please do some DNS testing to ensure this is working before you attempt this part.

Click Update and the HCW will run a bunch of scripts to implement the changes, based on the information you have provided to the HCW.