Using the Office 365 Hybrid Configuration Wizard Part 3

So far in this series we’ve ensured pre-requisites are in place for Office 365, checked the environment and took time to understand what changes the Office 365 Hybrid Configuration Wizard will perform. In this part of the series, we’ll optionally enable the Federation Trust and then run the Office 365 Hybrid Configuration Wizard.

Enabling the Federation Trust Feature (Optional)

After making the pre-requisite changes and performing tests, it should be safe to perform the Hybrid Configuration. One feature configured by the Hybrid Configuration Wizard requires DNS records to be added during the Wizard. Many organizations prefer to add the DNS Text records before running the Hybrid Configuration Wizard so that the wizard will complete without warnings.

To identify the DNS Text records required, the Federation Trust can be enabled prior to executing the Hybrid Configuration Wizard with little to no risk. After enabling the Federation Trust, an Exchange Management Shell cmdlet can be executed to retrieve the correct DNS record.

Enable the Federation Trust feature in Exchange 2013 or Exchange 2016 by accessing the Exchange Admin Center on-premises and navigating to Organization > Sharing. Underneath the Federation Trust heading choose Enable, as shown below:

Figure 1: Enabling the Federation Trust on Exchange 2013 / 2016

In Exchange 2010, enable the Federation Trust by accessing the Exchange Management Console and navigating to Organization Configuration and selecting New Federation Trust, as shown below:

Figure 2: Enabling the Federation Trust on Exchange 2010

After the Federation Trust is enabled, launch the Exchange Management Shell. Use the Get-FederatedDomainProof cmdlet as shown below to retrieve the Domain Proof:

Get-FederatedDomainProof -DomainName <Accepted Domain>

Figure 3: Obtaining Federation proof records manually

The cmdlet should return a number of records. The record to add as a Text (TXT) record is named Proof and appears as a Base64-encoded string. This is entered on a single line, with no spaces, and ends in two equals signs (==).

As shown in the example DNS control panel below, the DNS TXT record is entered for the domain itself rather than a sub-domain. It can replace the Office 365 custom validation text record, which is no longer required:

Figure 4: Updating DNS
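
Before running the wizard, it is worth confirming that the Proof value is actually visible in external DNS. The following check is an added example, not part of the original article; it assumes PowerShell 3.0 or later with Resolve-DnsName available, and the domain list and resolver address are placeholders to replace with your own:

```powershell
# Added example: run from the Exchange Management Shell on-premises,
# after the Federation Trust has been enabled.
$domains  = @('example.com')   # placeholder: the domains you will select as Hybrid domains
$resolver = '8.8.8.8'          # assumption: any resolver outside your own network

foreach ($d in $domains) {
    # Proof value(s) the Federation Trust expects for this domain
    $expected = @(Get-FederatedDomainProof -DomainName $d |
        ForEach-Object { $_.Proof })

    # TXT strings published at the domain itself, as seen externally.
    # Long TXT values can be split into several strings, so join them.
    $published = @(Resolve-DnsName -Name $d -Type TXT -Server $resolver -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { ($_.Strings -join '').Trim() })

    foreach ($proof in $expected) {
        [pscustomobject]@{
            Domain    = $d
            Proof     = $proof
            # Base64 is case-sensitive, so use a case-sensitive match
            Published = $published -ccontains $proof
        }
    }
}
```

A row with Published set to False means the TXT record is missing, mistyped (for example, wrapped or containing spaces), or not yet propagated to the resolver queried.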

Performing the Hybrid Configuration

To begin the Office 365 Hybrid Configuration Wizard, open a web browser on the Exchange Server and navigate to the following URL:

http://aka.ms/taphcw

Figure 5: Accessing the Office 365 Hybrid Configuration Wizard using a web browser

The Office 365 Hybrid Configuration Wizard will begin to download. When prompted, choose Install, as shown below:

Figure 6: Launching the HCW Installer

The installation for the Office 365 Hybrid Configuration wizard will begin. The wizard downloads data it needs as part of the installation from a Microsoft domain under windows.net.

After the Office 365 Hybrid Configuration Wizard completes installation, it will launch automatically. The new wizard will attempt to detect the best server to use within your organization, but also provides you with the opportunity to select a preferred server to run the wizard against.

After selecting the On-premises Exchange Server Organization, you’ll be given the opportunity to select the Office 365 Exchange Online option. For most Microsoft customers this will be the default – Microsoft Office 365:

Figure 7: Selecting the Exchange Server to run the HCW against

On the next page of configuration for the Hybrid Configuration Wizard it is necessary to enter credentials for Office 365 and On-Premises. These credentials are only used for the duration of the execution of the Hybrid Configuration Wizard and are not stored within the configuration.

First enter on-premises credentials that possess Organization Management permissions, or if the account you are using has sufficient rights, choose Use current Windows credentials.

For the Exchange Online connection that is used by the Hybrid Configuration Wizard, it is necessary to enter the credentials of a Global Administrator (or, technically, a user with Organization Management permissions within your tenant). After entering appropriate credentials, choose Next.

Figure 8: Entering the credentials to use with the HCW

On the next page of the wizard, the credentials and the connection will be tested to ensure that the wizard can continue. As with the subsequent pages in the wizard, should an error be encountered, guidance will be given. In general, if you’ve followed the guidance in this series you should not expect to encounter an issue at this stage:

Figure 9: Validating the credentials against on-premises and online

Next, we’ll select the domains to use for our Exchange Hybrid configuration. These are typically the domains you use for SMTP mail flow and in particular should include addresses used as primary SMTP addresses. By selecting the correct domains here, you ensure that mail flow to these domains will always flow back to on-premises using the correct connector, and Free/Busy and Sharing will work correctly in both directions.

During the wizard, tests are performed to look up Autodiscover information against each Hybrid domain. If you do not have Autodiscover configured correctly for all these domains, select a domain that does have Autodiscover correctly configured. This is typically your primary domain and your Microsoft Connectivity tests earlier should have identified at least one such domain:

Figure 10: Selecting Hybrid domains and, optionally, selecting a single Autodiscover domain

On the next page of the wizard, the Federation Trust will be created if it wasn’t created in the previous step. If you didn’t choose to pre-create and register the entries earlier in this guide, then select the copy to clipboard option and add them to your external DNS. After ensuring that the records are in the external DNS, select I have created a TXT record for each token in DNS, then choose Verify domain ownership to perform pre-requisite lookup tests. Once the tests are successful, choose Next:

Figure 11: Verification of Federation Proof records

The Hybrid Configuration Wizard will next require input to choose the types of servers to use for SMTP mail transport, and whether to route mail through on-premises, known as Centralized Mail Transport within the wizard, or deliver mail directly.

Figure 12: Selecting options for mail transport

If you need to use Centralized Mail Transport, select Advanced and then select Enable Centralized Transport:

Figure 13: Options to enable Centralized Mail Transport

Select the relevant option based on the decisions made earlier in this series, then choose Next.

On the next page of the Wizard, it is necessary to select the servers used for receiving mail from Office 365. As mentioned in the first part of the series, these will typically be the organization’s Internet-facing servers that are the target of the inbound SMTP DNS name.

For Exchange 2010, these will be servers with the Transport role. For Exchange 2013, these will be servers with the Client Access role, and for Exchange 2016, these will be servers with the Mailbox role.

Select the servers and choose Next:

Figure 14: Selecting the servers for Hybrid receive connectors

For outbound mail, select the Exchange servers that will be bound to the Office 365 Send Connector. Often in a best practices multi-role deployment these will be the same servers. With Exchange 2010 these will be servers hosting the Transport role, and for Exchange 2013 and 2016 these will be servers hosting the Mailbox role.

After selecting the servers, choose Next:

Figure 15: Selecting the servers for the Hybrid send connector

In the next step the SSL certificate to use with the Hybrid Send and Receive connectors must be selected. The wizard will store the Thumbprint of the certificate.

The list will show the SSL certificates that have been installed on all Exchange Hybrid servers selected in the previous two steps. Select the SSL certificate decided upon in part one of the series and choose Next.

Figure 16: Selecting the SSL certificate for Hybrid mail transport

To match the SSL certificate, enter the FQDN that will be used for mail from Office 365 destined to flow through or into Exchange, then choose Next:

Figure 17: Entering the Hybrid mail transport DNS name

After entering all configuration details within the wizard, choose Update to apply the configuration:

Figure 18: Confirming details and choosing to update or create the Hybrid configuration

The Office 365 Hybrid Configuration will be applied. The first time it is executed, this can typically take anywhere from 10 minutes to upwards of 30 minutes, depending on the size of your organization. Tasks that delay execution include the enablement of organization customization, which is only performed once, and the update of Email Address Policies.

Figure 19: Showing the HCW in progress

After the Hybrid Configuration Wizard completes, all settings listed under “Understanding the changes the Hybrid Configuration Wizard makes” should be applied, and you can choose to close the wizard:

Figure 20: A successful HCW completion screen

If any errors occurred or any warnings were generated, these will be listed. You will see a description of any errors, alongside a link to read more about the error and aid troubleshooting:

Figure 21: Errors generated by the HCW along with potential solutions

After closing the wizard, you will also see a newly installed application, with a link configured on the desktop. You can use this to re-launch the Office 365 Hybrid Configuration Wizard at a later date:

Figure 22: HCW Icon

Summary

In this part of the series, we’ve successfully executed the Office 365 Hybrid Configuration Wizard. In the next part of this series, we’ll begin post-configuration changes to Exchange.