In this multi-part series, we’ll explore how to prepare for and use the Office 365 Hybrid Configuration Wizard with Exchange Server 2010, 2013 and 2016. The wizard replaces the built-in Hybrid Configuration Wizards in Exchange 2010 and 2013 and is now the de facto method for implementing Exchange Hybrid. After implementing Hybrid, we’ll walk you through the post-configuration steps and provide guidance on testing core functionality.
Pre-requisites you need to get in place first
The Hybrid Configuration Wizard is just one component of an Office 365 implementation. Before you get started with implementing Hybrid, you need to configure some supporting components of your Office 365 deployment. We’ll cover the basics here to give a little context.
Active Directory Remediation
Identity is crucial for Office 365, so before you begin you should ensure that Active Directory and the associated mail-related objects are in a good state.
A good practice, where possible, is to match the User Principal Name to the mailbox’s primary SMTP address. This keeps sign-in and Autodiscover to Office 365 simple. Remove old, invalid or legacy email domains (and the associated proxy addresses) from mailboxes where you can. Ensure that previous migrations between Exchange versions were completed properly. If the Exchange management tools show no warnings or errors when listing recipients, that is a good start.
If you are wondering where to start, then Microsoft’s IdFix tool will assist with core remediation actions and is available for download from Microsoft. If you are working with Microsoft’s Fast Track Onboarding center, you will receive assistance at this early stage and will be expected to run this tool.
IdFix allows you to query Active Directory for potential issues and then, should you wish, fix those issues. These include invalid characters, duplicate addresses, unroutable domains and more. A full list is available here.
Upon choosing the Query option, the user interface lists all AD objects that may be invalid. In the example below, key information such as Attribute, Error and Value helps identify the issues that require remediation:
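As an added example (not from the original article, and not part of IdFix), the following Exchange Management Shell script reports two of the items described above: mailboxes whose UPN differs from the primary SMTP address, and proxy addresses in domains that are not accepted domains on-premises. It uses only standard Exchange 2010+ cmdlets; the CSV file name is an assumption.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell.
# Mirrors two IdFix checks so results can be reviewed alongside the IdFix Value/Update columns:
#  1. UserPrincipalName does not match the mailbox's primary SMTP address
#  2. SMTP proxy address in a domain that is not an on-premises accepted domain (unroutable)
# Accepted domains may be wildcards (*.contoso.com), so matching uses -like.
$acceptedDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $primary = $mbx.PrimarySmtpAddress.ToString()

    if ($mbx.UserPrincipalName -and ($mbx.UserPrincipalName.ToLower() -ne $primary.ToLower())) {
        [pscustomobject]@{
            Mailbox = $mbx.Alias
            Issue   = 'UPN does not match primary SMTP address'
            Value   = $mbx.UserPrincipalName
            Update  = $primary   # suggested replacement, as in the IdFix Update column
        }
    }

    foreach ($addr in $mbx.EmailAddresses) {
        # Only SMTP proxies carry a routable domain; skip X500, SIP, X400 and similar entries
        if ($addr.PrefixString -ne 'SMTP') { continue }
        $domain = $addr.AddressString.Split('@')[-1].ToLower()
        $routable = $acceptedDomains | Where-Object { $domain -like $_ }
        if (-not $routable) {
            [pscustomobject]@{
                Mailbox = $mbx.Alias
                Issue   = 'Proxy address in non-accepted domain'
                Value   = $addr.ProxyAddressString
                Update  = ''     # decide per address: remove the legacy proxy, or add the domain
            }
        }
    }
}

$report | Sort-Object Mailbox, Issue | Format-Table -AutoSize
# Keep a copy for the remediation record (file name is an assumption)
$report | Export-Csv -NoTypeInformation -Path .\AD-Remediation-Report.csv
```

Review the report before changing anything: a UPN mismatch on a service account, for example, is a case you would mark Complete in IdFix rather than edit.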
Figure 1: Performing an IdFix query
In this example, we’ll need to make several changes. The Value column shows the current value that must be updated. The Update column contains a recommended replacement, but it is editable. The Action column lets us specify whether to use the Update value to Edit the attribute, to Remove it, or to mark it as Complete.
In the example below we’ve chosen to update a userPrincipalName to match the user’s email address, removed a duplicate email address, corrected an incorrect alias, and marked as Complete the changes we won’t make (for example, to service accounts):
Figure 2: Correcting invalid AD objects
To sign in to Office 365 services, users need identities configured there. Office 365 relies on Azure Active Directory, a multi-tenant directory service that provides functionality similar to on-premises Active Directory, such as a user directory and the ability to sign in, but it is not the same as traditional AD.
A number of options are available for Office 365:
· Cloud IDs – A standalone account is created in Office 365 for each user. It has no relationship with the on-premises Active Directory or Exchange Servers.
· Synchronized IDs with Password Hash Sync – Accounts from the on-premises Active Directory are synchronized (copied) to Azure AD, along with a hash of the user’s Active Directory password.
· Synchronized IDs with Federation – Accounts are again synchronized from the on-premises AD, but when users sign in, Active Directory Federation Services is used so that the password is verified directly by the local AD.
Although it makes no difference to the Hybrid configuration itself whether Password Hash Sync or AD FS is in use, one of these two options should be chosen rather than cloud-only passwords. This ensures that during client setup and Autodiscover the same password can be sent to both the on-premises Autodiscover endpoint and the Office 365 service.
Office 365 Domains
The easiest and most common option is to use all of your on-premises accepted domains as Hybrid domains in Office 365. This ensures that email will be correctly received by Office 365 mailboxes.
To use all of your accepted domains, you will also need to configure them as Custom Domains in the Office 365 portal. Any domain configured in Office 365 must be a valid internet domain that your organisation owns and controls.
Figure 3: Custom domains in your Office 365 portal
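As an added example (not from the original article), this script compares the on-premises accepted domains with the domains registered in the Office 365 tenant, so that any accepted domain still missing or unverified in the portal stands out before the wizard is run. It assumes the Exchange Management Shell plus the MSOnline module already connected with Connect-MsolService.

```powershell
# Added example (not from the original article).
# Assumes: Exchange Management Shell and the MSOnline module (Connect-MsolService already run).
# Builds a lookup of tenant domains and their verification status ('Verified' / 'Unverified')
$cloud = @{}
Get-MsolDomain | ForEach-Object { $cloud[$_.Name.ToLower()] = $_.Status }

$report = foreach ($d in Get-AcceptedDomain) {
    $name = $d.DomainName.ToString().ToLower()

    # Wildcard accepted domains (*.contoso.com) cannot be added as custom domains; list them
    # separately so the sub-domains they cover can be added individually where needed.
    if ($name.StartsWith('*')) {
        [pscustomobject]@{ Domain = $name; DomainType = $d.DomainType; Office365Status = 'Wildcard - add sub-domains individually' }
        continue
    }

    # Non-internet names such as .local cannot be registered; such domains must not remain
    # on any proxy address that should be routable from Office 365.
    $status = if ($cloud.ContainsKey($name)) { $cloud[$name] }
              elseif ($name -notmatch '\.') { 'Not a valid internet domain' }
              else { 'Missing in Office 365' }

    [pscustomobject]@{ Domain = $name; DomainType = $d.DomainType; Office365Status = $status }
}

$report | Sort-Object Office365Status, Domain | Format-Table -AutoSize
```

Anything reported as Missing or Unverified needs to be added in the portal and its TXT verification record published before you proceed.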
Decisions you need to make before you implement Hybrid
Hybrid Exchange Servers
Every Exchange 2010, 2013 and 2016 server includes Hybrid functionality, so you don’t usually need to install additional servers to fulfil this role.
Existing servers can, and usually should, be chosen. The typical choice for Hybrid is the same Client Access servers that already handle inbound mail flow and the same Mailbox servers that handle outbound mail flow. Your primary HTTPS namespaces for Exchange Web Services and Autodiscover will always be used by default.
If you don’t have Exchange 2010 or above, then you will need to implement Exchange 2010 or above to take advantage of Exchange Hybrid. As Exchange 2010 is out of mainstream support, Exchange 2013 is recommended for organizations running Exchange 2007. If you are still running Exchange 2003, then you will only be able to use Exchange 2010 for Hybrid. In both cases, look at the cutover, staged and third-party migration options first before considering Hybrid.
Hybrid Mail Flow Options
When implementing Hybrid Exchange, a decision must be made concerning the flow of email from Office 365 to external recipients.
There are two main options: mail can be configured to flow through the existing Exchange servers and out to the Internet via the on-premises Send Connectors, or the Hybrid configuration can be set so that mail is sent directly from Office 365 to external recipients.
Organisations looking to move all email to Office 365 typically choose to deliver email to external recipients directly, as this represents the end goal. Long-term Hybrid organisations who are looking to switch their anti-spam solution to Exchange Online Protection will also typically choose this option. Organisations with an existing anti-spam, data loss prevention, encryption or other compliance solution that plan on a long-term Hybrid will often choose to route mail via on-premises.
Checks to perform against your Exchange Environment
Preparation of the Exchange environment is key to ensuring that the Hybrid configuration works after the wizard completes. We’ll begin by examining update versions.
Checking update versions
Office 365 is an ever-evolving service. It is important to ensure that the latest updates are applied to the Exchange environment.
For Exchange 2013 and 2016, it’s recommended to run the latest update. You must, however, ensure you are running a cumulative update supported by Microsoft, which typically means the latest update or the one before it. The latest cumulative updates include Service Pack 1 for Exchange 2013.
For Exchange 2010, you must be running Service Pack 3 and should install the latest Update Rollup.
As with any patch or update it is your responsibility to test before implementation for compatibility with clients and third-party add-ons. If plans include a long-term Hybrid co-existence, then be prepared to keep the Exchange servers on the latest updates on an ongoing basis.
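As an added example (not from the original article), the following script lists every Exchange server in the organisation with its version and flags servers that do not meet the requirements above. The minimum CU build numbers are placeholders you must fill in from Microsoft’s Exchange build-number documentation, since they change with each release.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell.
# PLACEHOLDER build numbers: set each to the build of the latest (or previous) supported CU
# from Microsoft's published Exchange Server build-number list before running.
$MinimumBuild = @{
    '15.0' = 0   # Exchange 2013: replace 0 with the minimum supported CU build
    '15.1' = 0   # Exchange 2016: replace 0 with the minimum supported CU build
}

$report = foreach ($srv in Get-ExchangeServer) {
    $v   = $srv.AdminDisplayVersion
    $key = "$($v.Major).$($v.Minor)"
    $product = switch ($key) {
        '14.0' { 'Exchange 2010 RTM' }
        '14.1' { 'Exchange 2010 SP1' }
        '14.2' { 'Exchange 2010 SP2' }
        '14.3' { 'Exchange 2010 SP3' }
        '15.0' { 'Exchange 2013' }
        '15.1' { 'Exchange 2016' }
        default { 'Not Hybrid-capable (2007 or older)' }
    }
    $status = if ($v.Major -eq 14) {
                  # 2010 must be at SP3; rollup level is NOT visible here (see note below)
                  if ($v.Minor -ge 3) { 'OK - verify latest Update Rollup' } else { 'Upgrade to SP3 required' }
              }
              elseif ($MinimumBuild.ContainsKey($key)) {
                  if ($v.Build -ge $MinimumBuild[$key]) { 'OK' } else { 'Cumulative Update required' }
              }
              else { 'Upgrade required' }

    [pscustomobject]@{
        Server  = $srv.Name
        Roles   = $srv.ServerRole
        Product = $product
        Version = $v.ToString()
        Status  = $status
    }
}

$report | Sort-Object Product, Server | Format-Table -AutoSize

# Note: on Exchange 2010, Update Rollups do not change AdminDisplayVersion. To see the rollup
# level, check the ExSetup.exe file version on each server (run locally in the shell):
#   Get-Command ExSetup.exe | ForEach-Object { $_.FileVersionInfo.FileVersion }
```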
In this first part of the series, we’ve examined the pre-requisites you need to cover before considering Exchange Hybrid. We’ve also covered the decisions about which Hybrid servers to use and how mail will flow, and finished by checking update levels. In the next part of this series, we’ll continue testing and examine what changes the Office 365 Hybrid Configuration Wizard will make.