How to configure Exchange 2013 - 2016 for Office 365 Hybrid


Most of the tutorials I have seen over the years for Office 365 migrations / hybrid configuration etc have never really gone into the little details that make a huge difference to your migration experience. Over the Christmas break I decided to create a new hybrid test environment from scratch and I decided it was the perfect opportunity to fully document the detailed steps to prepare for Office 365 Hybrid.

==========================================================

Pre-Migration Preparation - Exchange Local

Apply Windows Updates to the Exchange servers, Active Directory domain controllers and clients.

Check your version of Exchange meets the minimum for the Hybrid Configuration Wizard (HCW) -
As at 7 October, the following are the minimum versions of Exchange 2013 and 2016.
- Exchange 2013 - CU7
- Exchange 2016 - RTM

==========================================================

Pre-Migration Preparation - Local Active Directory

Review existing Active Directory Group Policies as cleaning Active Directory may break these.
If you will be creating new OU structures and moving users to the new OU structure, this may break Group Policies that are applied to these users.

Clean Active Directory so that all the Exchange objects you want synced to Office 365 sit in a single AD Organisational Unit, or in OUs beneath it.
Understand that Azure AD Connect (DirSync) will target the OU you select and synchronise every object under it. If you have not cleaned up AD, the sync will pick up everything, including
- Local AD system accounts
- Local AD administrator accounts
- Deprovisioned users
- Groups that you may want to keep as local AD only
- Anything else that you may want to keep as local AD only
--- Move anything not needing to be synced to Office 365 to separate OUs that will not be synced.

My local Active Directory before the clean-up -
The default layout, with new users created in the built-in Users container.
Creation of a new Exchange OU structure -
I have created a new OU named Exchange at the AD Domain root.
I have then created the following OU structure underneath the Exchange OU.
- Contacts - (External email contacts to appear in the GAL)
- Distribution Groups - (Email distribution groups)
- Rooms - (Room mailboxes)
- Security Groups - (Email enabled security groups)
- Shared Mailboxes - (Shared Mailboxes)
- Users - (User mailboxes)

I then moved all the Exchange objects to their associated OU,
including Exchange Dynamic DLs, email enabled security groups, external contacts, rooms and shared mailboxes.
In summary, if you want it synced to Office 365, it goes under the Exchange OU.

*** Important ***
You will need to check how the membership of your Dynamic DLs is configured.
Example, the Dynamic DL I created was configured to look at the Users container (its RecipientContainer) for membership.
If I do not update the membership rule, the DL will be empty once users are moved to the new OU structure, because the container it evaluates no longer holds any users.
To update how the Dynamic DL is populated, edit the properties of the Dynamic DL via Exchange On-premises (EAC or Set-DynamicDistributionGroup) and point it at the new Users OU.
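The OU build, the recipient moves and the Dynamic DL fix above, as one added PowerShell example (not from the original post). It assumes the OU names listed above, takes the domain from Get-ADDomain, and runs in the Exchange Management Shell with the ActiveDirectory module available. Every change is issued with -WhatIf so the planned moves can be reviewed before anything is touched.

```powershell
# Added example, not from the original post. Creates the Exchange OU tree,
# sorts existing recipients into it by recipient type, and re-points any
# Dynamic Distribution Group whose RecipientContainer is still outside the tree.
# OU names below are assumptions matching the structure described in the post.
Import-Module ActiveDirectory

$DomainDn = (Get-ADDomain).DistinguishedName        # e.g. DC=internal,DC=teamterry365,DC=com
$RootOu   = "OU=Exchange,$DomainDn"

# Sub-OU name -> the Exchange RecipientTypeDetails values that belong in it.
# Arbitration, discovery and monitoring types are deliberately absent, so they stay put.
$OuMap = @{
    'Users'               = @('UserMailbox')
    'Shared Mailboxes'    = @('SharedMailbox')
    'Rooms'               = @('RoomMailbox', 'EquipmentMailbox')
    'Distribution Groups' = @('MailUniversalDistributionGroup', 'DynamicDistributionGroup')
    'Security Groups'     = @('MailUniversalSecurityGroup')
    'Contacts'            = @('MailContact')
}

# 1. Create the OU tree (idempotent: existing OUs are left alone).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'Exchange'" -SearchBase $DomainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'Exchange' -Path $DomainDn -ProtectedFromAccidentalDeletion $true
}
foreach ($ouName in $OuMap.Keys) {
    if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $RootOu -SearchScope OneLevel)) {
        New-ADOrganizationalUnit -Name $ouName -Path $RootOu -ProtectedFromAccidentalDeletion $true
    }
}

# 2. Move each recipient to the OU for its type. Get-Recipient returns mailboxes,
#    groups, dynamic groups and contacts in one call; Move-ADObject needs the DN.
#    Remove -WhatIf once the planned moves look right.
foreach ($r in (Get-Recipient -ResultSize Unlimited)) {
    $type   = $r.RecipientTypeDetails.ToString()
    $ouName = ($OuMap.GetEnumerator() | Where-Object { $_.Value -contains $type } | Select-Object -First 1).Key
    if (-not $ouName) { continue }                              # type not in the map: leave it alone
    $target = "OU=$ouName,$RootOu"
    if ($r.DistinguishedName -like "*,$target") { continue }    # already in the right OU
    Move-ADObject -Identity $r.DistinguishedName -TargetPath $target -WhatIf
}

# 3. A Dynamic DL evaluates its filter under RecipientContainer. After the move, a
#    container outside the Exchange OU would leave the group empty, so re-point it
#    at the new Users OU. Remove -WhatIf to apply.
$usersOu = "OU=Users,$RootOu"
Get-DynamicDistributionGroup -ResultSize Unlimited |
    Where-Object { $_.RecipientContainer.DistinguishedName -notlike "*$RootOu" } |
    ForEach-Object {
        "{0}: RecipientContainer {1} -> {2}" -f $_.Name, $_.RecipientContainer, $usersOu
        Set-DynamicDistributionGroup -Identity $_.Identity -RecipientContainer $usersOu -WhatIf
    }
```

Run it once with -WhatIf in place and read the planned moves; anything you did not expect to see (a service account with a mailbox, a linked mailbox) is a sign the map needs adjusting before the real run. The OUs are created with ProtectedFromAccidentalDeletion so the structure Azure AD Connect will be scoped to cannot be removed by a stray delete.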

See below for the new Exchange OU structure that I created -

Local Active Directory Exchange objects have now been organised and all objects to be synced to Office 365 are under the Exchange OU.

Update Active Directory Group Policies if needed.
If you have created a new OU structure and moved users into it, Group Policies that were linked to the old OUs no longer apply to those users. Review the Group Policies and resolve any issues.

===========================================================

Local Active Directory preparation for Office 365 login
Office 365 logins are usually the email address. Many small businesses have a mismatch between users' email addresses, their UPN and their local AD login. To resolve this conflict, perform the following steps in preparation for users logging in to Office 365 with their email address after migration.


Edit OWA login format to match the email - Link

Add the external domain as an alternative UPN suffix, so users can log in with a UPN that carries the external domain name.
Add the external domain name in Active Directory Domains and Trusts:
- Active Directory Domains and Trusts - right-click the root node - Properties - UPN Suffixes tab
- Add the domain name - Add - Apply - OK


This adds the external domain name as a UPN suffix that can be selected for users in local AD.

User login format will now have two options in the AD logon name drop-down.

Set ALL user logins to be the UPN (which will match the email address) - Link
Note the Active Directory path of the OU, which is needed as the SearchBase in the final script
(build the distinguished name from the OU back up to the domain, as per the example).

Note that this script targets only users in the specified OU and its sub-OUs.
This means that after you edit the script to use your SearchBase, only user objects below that OU will be affected.

It is critical to ensure you are not accidentally targeting service accounts, administrators etc, so ensure that they are in other OUs that will NOT be affected.

The script builds each UPN from the samAccountName, so the result only matches the email address where the logon name is the same as the local part of the user's primary SMTP address. Check for mismatches before running it.

Example script - edit the SearchBase and the domain name to match your AD structure
Get-ADUser -Filter * -SearchBase 'ou=Users,ou=MyBusiness,dc=company,dc=local' -Properties userPrincipalName | foreach { Set-ADUser $_ -UserPrincipalName "$($_.samaccountname)@domain.com"}


My real world script to match my Active Directory -
Get-ADUser -Filter * -SearchBase 'ou=User Mailboxes,ou=Exchange,dc=internal,dc=teamterry365,dc=com' -Properties userPrincipalName | foreach { Set-ADUser $_ -UserPrincipalName "$($_.samaccountname)@teamterry365.com"}

Account logon name once updated with the script.

Check and Confirm ALL local Exchange objects that are being migrated have the external email address applied to the User Logon Name field.
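An added example (not the post's own script) covering the three steps above: add the public UPN suffix, set each UPN, and confirm the result. Instead of building the UPN from samAccountName, it reads the primary SMTP address from each user's proxyAddresses, so the UPN matches the email address even where the logon name differs from the mailbox alias. The domain name and OU path are assumptions; remove -WhatIf to apply.

```powershell
# Added example, not from the original post. Sets UPNs under the Exchange OU from
# the primary SMTP address (the "SMTP:" proxy address, upper-case S) and then lists
# any user whose UPN still disagrees with it. Needs only the ActiveDirectory module.
Import-Module ActiveDirectory

$PublicDomain = 'teamterry365.com'                                    # assumption
$SearchBase   = 'OU=Exchange,DC=internal,DC=teamterry365,DC=com'      # assumption

function Get-PrimarySmtp {
    param($User)
    # proxyAddresses holds "SMTP:primary@domain" (upper-case) and "smtp:alias@domain";
    # -clike is case-sensitive so only the primary address matches.
    $entry = $User.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
    if ($entry) { return $entry -replace '^SMTP:' }
    return $null
}

# 1. Make the suffix available in the forest (no-op if it is already there).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $PublicDomain) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $PublicDomain }
}

# 2. Set each UPN from the primary SMTP address. -SearchScope Subtree is the default,
#    so only objects at or below $SearchBase are touched; keep admins and service
#    accounts out of that tree. Remove -WhatIf to apply.
$users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties proxyAddresses, userPrincipalName
foreach ($u in $users) {
    $primary = Get-PrimarySmtp $u
    if (-not $primary) {
        Write-Warning "$($u.SamAccountName): no primary SMTP address, skipped"; continue
    }
    if ($primary -notlike "*@$PublicDomain") {
        Write-Warning "$($u.SamAccountName): primary address $primary is not in $PublicDomain, skipped"; continue
    }
    if ($u.UserPrincipalName -ne $primary) {
        Set-ADUser -Identity $u -UserPrincipalName $primary -WhatIf
    }
}

# 3. Verification: every user whose UPN differs from the primary SMTP address.
#    An empty table means the User Logon Name field matches the email address everywhere.
Get-ADUser -Filter * -SearchBase $SearchBase -Properties proxyAddresses, userPrincipalName |
    ForEach-Object {
        $primary = Get-PrimarySmtp $_
        if ($_.UserPrincipalName -ne $primary) {
            [pscustomobject]@{ SamAccountName = $_.SamAccountName; UPN = $_.UserPrincipalName; PrimarySmtp = $primary }
        }
    } | Format-Table -AutoSize
```

Users in the Shared Mailboxes and Rooms OUs are disabled accounts, so changing their UPN has no logon effect, but it keeps the value Azure AD Connect uses as the cloud sign-in name consistent across every object that will be synced.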

==========================================================

Exchange Local Configuration -

If you have a non-routable internal domain name, split-brain DNS is most likely already configured (your internal DNS already answers for the public mail host names). To prepare for the Office 365 migration, ensure you have internal DNS host records (A records) for the public names pointing to the IP address of the appropriate Exchange server(s).
You will need an A record for both the autodiscover and the mail host names.

Configure split-brain DNS if using a non-routable domain name (company.local) - Link
Internal DNS -
ServerName - Forward Lookup Zones - New Zone -
Add two zones, one named after each host (a "pinpoint" zone), each holding a single A record at the zone root. This overrides only these two names internally, so every other public record for the domain (www, MX, SPF) still resolves from the Internet.
Zone - autodiscover.domain.com - A record pointing to the IP address of the Exchange server
Zone - mail.domain.com - A record pointing to the IP address of the Exchange server

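The two host records above as an added example (not from the original post) using the DnsServer module, creating a pinpoint zone per host name rather than an internal copy of the whole public domain, then checking that the internal and public answers differ as intended. The DNS server name, the Exchange IP address and the use of 8.8.8.8 as the public resolver for the comparison are assumptions.

```powershell
# Added example, not from the original post. Creates one AD-integrated "pinpoint"
# zone per published host name with a single A record at the zone apex, so only
# these names are overridden internally. Run as a DNS administrator against a
# domain controller that hosts DNS (Forest replication scope needs a DC).
Import-Module DnsServer

$DnsServer  = 'dc01.internal.teamterry365.com'                      # assumption
$ExchangeIp = '10.0.0.25'                                           # assumption
$HostNames  = @('mail.teamterry365.com', 'autodiscover.teamterry365.com')

foreach ($name in $HostNames) {
    # Create the zone only if it does not exist yet.
    if (-not (Get-DnsServerZone -Name $name -ComputerName $DnsServer -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $name -ReplicationScope Forest -ComputerName $DnsServer
    }
    # The apex ("@") A record is what makes the zone name itself resolve.
    $apex = Get-DnsServerResourceRecord -ZoneName $name -RRType A -Name '@' -ComputerName $DnsServer -ErrorAction SilentlyContinue
    if (-not $apex) {
        Add-DnsServerResourceRecordA -ZoneName $name -Name '@' -IPv4Address $ExchangeIp -ComputerName $DnsServer
    }
}

# Verification: the internal answer must be the Exchange IP, while a public
# resolver should still return the Internet-facing address for the same name.
foreach ($name in $HostNames) {
    $internal = (Resolve-DnsName -Name $name -Type A -Server $DnsServer -ErrorAction SilentlyContinue).IPAddress
    $public   = (Resolve-DnsName -Name $name -Type A -Server 8.8.8.8 -ErrorAction SilentlyContinue).IPAddress
    "{0,-32} internal={1,-15} public={2}" -f $name, ($internal -join ','), ($public -join ',')
}
```

If the internal and public answers come back identical, the pinpoint zone is not being used: check that the client is pointed at the internal DNS server and that the zone replicated to it.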
Ensure your Exchange SSL certificate is current, issued by a public CA and includes both the mail and the autodiscover names. Office 365 connects to EWS and the migration endpoint over this certificate and will not trust a self-signed one.

Ensure your Exchange URLs are pointing to the external domain - Link
All Exchange internal and external URLs will be pointing to - mail.teamterry365.com -
Use the scripts below and update them with your domain URL

Outlook Anywhere
Get-OutlookAnywhere | Set-OutlookAnywhere -ExternalHostname mail.teamterry365.com -InternalHostname mail.teamterry365.com -ExternalClientsRequireSsl $true -InternalClientsRequireSsl $true -DefaultAuthenticationMethod NTLM

MAPI
Get-MAPIVirtualDirectory | Set-MAPIVirtualDirectory -ExternalUrl https://mail.teamterry365.com/mapi -InternalUrl https://mail.teamterry365.com/mapi

Outlook Web App
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -ExternalUrl https://mail.teamterry365.com/owa -InternalUrl https://mail.teamterry365.com/owa

Exchange Control Panel
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -ExternalUrl https://mail.teamterry365.com/ecp -InternalUrl https://mail.teamterry365.com/ecp

Exchange ActiveSync
Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory -ExternalUrl https://mail.teamterry365.com/Microsoft-Server-ActiveSync -InternalUrl https://mail.teamterry365.com/Microsoft-Server-ActiveSync

Exchange Web Services
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -ExternalUrl https://mail.teamterry365.com/EWS/Exchange.asmx -InternalUrl https://mail.teamterry365.com/EWS/Exchange.asmx

Offline Address Book
Get-OabVirtualDirectory | Set-OabVirtualDirectory -ExternalUrl https://mail.teamterry365.com/OAB -InternalUrl https://mail.teamterry365.com/OAB

AutoDiscover
Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://mail.teamterry365.com/Autodiscover/Autodiscover.xml
(On Exchange 2016 this cmdlet has been renamed Set-ClientAccessService; the old name still works but warns.)

PowerShell
Get-PowerShellVirtualDirectory | Set-PowerShellVirtualDirectory -ExternalUrl https://mail.teamterry365.com/PowerShell -InternalUrl https://mail.teamterry365.com/PowerShell
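The same URL changes as a single added script (not the post's own), driven by one $Fqdn variable so a typo cannot creep into an individual cmdlet, followed by the two checks a practitioner wants before running the HCW: that the certificate bound to IIS covers both hybrid names and is neither self-signed nor about to expire, and that every virtual directory reads back the expected URLs. The FQDN is an assumption; it runs in the Exchange Management Shell.

```powershell
# Added example, not from the original post. Sets every client-facing URL from one
# variable, then verifies the IIS certificate and reads the URLs back.
$Fqdn = 'mail.teamterry365.com'                                     # assumption
$Base = "https://$Fqdn"

# Virtual directory cmdlet pairs and the path each one publishes.
$VDirs = @(
    @{ Get = 'Get-MapiVirtualDirectory';        Set = 'Set-MapiVirtualDirectory';        Path = '/mapi' }
    @{ Get = 'Get-OwaVirtualDirectory';         Set = 'Set-OwaVirtualDirectory';         Path = '/owa' }
    @{ Get = 'Get-EcpVirtualDirectory';         Set = 'Set-EcpVirtualDirectory';         Path = '/ecp' }
    @{ Get = 'Get-ActiveSyncVirtualDirectory';  Set = 'Set-ActiveSyncVirtualDirectory';  Path = '/Microsoft-Server-ActiveSync' }
    @{ Get = 'Get-WebServicesVirtualDirectory'; Set = 'Set-WebServicesVirtualDirectory'; Path = '/EWS/Exchange.asmx' }
    @{ Get = 'Get-OabVirtualDirectory';         Set = 'Set-OabVirtualDirectory';         Path = '/OAB' }
    @{ Get = 'Get-PowerShellVirtualDirectory';  Set = 'Set-PowerShellVirtualDirectory';  Path = '/PowerShell' }
)

# 1. Apply the URLs. The call operator (&) runs the cmdlet named in each entry.
foreach ($v in $VDirs) {
    & $v.Get | & $v.Set -InternalUrl "$Base$($v.Path)" -ExternalUrl "$Base$($v.Path)"
}
Get-OutlookAnywhere | Set-OutlookAnywhere -InternalHostname $Fqdn -ExternalHostname $Fqdn `
    -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true -DefaultAuthenticationMethod NTLM
# Exchange 2016 prefers Set-ClientAccessService; the 2013 name below still works on 2016.
Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri "$Base/Autodiscover/Autodiscover.xml"

# 2. Certificate check: the cert bound to IIS must be trusted by Office 365 and must
#    cover both names the hybrid configuration will use.
$domain   = $Fqdn.Split('.', 2)[1]                                  # teamterry365.com
$required = @($Fqdn, "autodiscover.$domain")
foreach ($cert in (Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' })) {
    foreach ($name in $required) {
        if ($cert.CertificateDomains -notcontains $name) { Write-Warning "$($cert.Thumbprint): does not cover $name" }
    }
    if ($cert.IsSelfSigned)                       { Write-Warning "$($cert.Thumbprint): self-signed, Office 365 will not trust it" }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "$($cert.Thumbprint): expires $($cert.NotAfter)" }
}

# 3. Read every URL back and flag anything not under $Base (catches a server that
#    the Get-* call missed, or a URL mangled by a stray character).
foreach ($v in $VDirs) {
    & $v.Get | ForEach-Object {
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            $url = "$($_.$prop)"
            if ($url -notlike "$Base/*") { Write-Warning "$($_.Identity) $prop is '$url'" }
        }
    }
}
```

A run that finishes with no warnings means every virtual directory on every server publishes the hybrid name and the certificate behind it is one Office 365 can validate; any warning is something the HCW would otherwise surface later, at a less convenient point.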


=========================================================

Office 365 Tenant pre-migration preparation - 
Tenant - 365adminblog.onmicrosoft.com

Exchange Online -
Purchase licenses

Verify you own the domain
- Office 365 Portal - Setup - Domains - Add domain - teamterry365.com

Add the TXT record the wizard gives you at your public DNS host for domain verification.

DO NOT edit any further DNS records at this time - Save and Close

Wait 15 minutes for the TXT record to propagate -

Continue with the Office 365 domain wizard,
Setup - Domains - Select the new domain you added - Continue Setup

I'll add the DNS records myself - Next

Scroll to the bottom of the page - Verify

Verify will advise that records are missing - this is expected, since MX, Autodiscover and the other records must keep pointing at on-premises Exchange until the mailboxes have been moved.

Scroll to the bottom of the page - tick the box 'Skip this step' -
Click - 'Skip'

You will receive the following advice - Finish

Your domain is now verified and ready for Hybrid configuration

===========================================================

Exchange On-premises pre-migration preparation -

Using the Hybrid Configuration Wizard to create Exchange Online objects

Before downloading the HCW - download and install .NET Framework 4.6.2 - Link

Exchange On-premises - install and run the Hybrid Configuration Wizard
Consider which server you will run the wizard from and which server you would like Azure AD Connect installed on. If possible, install Azure AD Connect on a dedicated server.

On a local domain-joined server - Internet Explorer - log into the Office 365 Portal -
Setup - Data Migration

Migration page - Select your data service - Exchange

You will be prompted to download the application - the machine must be domain joined.
Install - (Note that you must be using Internet Explorer, other browsers may fail to run the install).

Note, if the Hybrid Configuration Wizard doesn't start to download automatically -
As per this article - Link

Open Control Panel - Default Programs - Associate a file type or protocol with a program
Scroll till you find - .application and .appref-ms
Select and change the program to Internet Explorer -

On the pop-up - Click Install - Run - Next -

Hybrid Configuration Wizard starts - Next - On-premises Exchange Server Organization -
By default it will pick the optimal server for the migration. - Next

Credentials -
Use current credentials for local Exchange (if appropriate; the account needs to be a member of Organization Management)

Sign in for Exchange Online -
Enter admin credentials for Office 365 (a Global Administrator) -
Next

The Hybrid Configuration Wizard gathers information -
Once completed - click Next

Hybrid Features page - Select Minimal Hybrid Configuration - Next -

Ready for update - Update
(This updates your on-premises Exchange environment and cannot be stopped and rolled back)

This process configures the on-premises Exchange organization for hybrid connectivity with Office 365. With Minimal Hybrid that is only what mailbox moves and recipient administration need, including the migration endpoint; the cross-premises free/busy sharing and secure mail flow connectors that a full hybrid configures are not set up.

==============================================================

Azure AD Connect installation - 

Download the latest version of Azure AD Connect here - Link

Azure AD Connect Wizard
Agree to the terms and select Continue

In this instance I am going to select Express Settings (read the summary of actions performed). Express Settings syncs every object in the forest with password hash synchronization, and creates a service account in local AD that is granted directory replication rights, so treat the Azure AD Connect server as a Tier 0 asset on the same footing as a domain controller.

Note - You can use Express Settings if your internal domain is routable. In this instance, the internal domain is - internal.teamterry365.com - and this is an Internet routable domain.

============================================================

If your internal domain is non-routable, you will need to choose Customize. An example of a non-routable domain would be - company.local - see image below

=============================================================

As this domain is Internet routable, I will continue with Express Settings -

Enter the Office 365 credentials - Next

Enter your local Active Directory credentials
(Express Settings asks for an Enterprise Admin account. It is used once, to create the sync service account and grant it the permissions it needs, and is not stored.)

As this is a routable domain, the Azure AD sign-in configuration will show the domain is verified.
- Click - Next
The default configuration will start the synchronization after configuration is complete.
If you need Exchange Hybrid deployment, select that box and then click 'Install'.
In this tutorial, I will be selecting - Exchange Hybrid deployment - (this enables the write-back of a small set of Exchange attributes from Office 365 to local AD, which hybrid mailbox moves depend on)

The wizard will continue.

Once the wizard is complete, you will see a summary.

============================================================

Now that Hybrid has been enabled and configured with default settings, we need to update those settings to target our specific OU.

To see what objects have been targeted for sync in the initial configuration, log into the Office 365 portal and select - Users - Active Users. As you can see, the default configuration has selected all objects to be synced, including Health Mailboxes.

To remove them properly, we will reconfigure Azure AD Connect to target the specific OU in local Active Directory that we want. Synced objects cannot be deleted from the portal; narrowing the OU filter is what removes them from Office 365 on the next sync. Note that Azure AD Connect refuses to export more than 500 deletions in one run by default, so if a large number of objects fall out of scope the export stops until you confirm it with Disable-ADSyncExportDeletionThreshold (and re-enable the threshold afterwards).

Re-configuring Azure AD Connect -
Log on to the server that has Azure AD Connect installed.
Select the application - Azure AD Connect

Azure AD Connect will load and advise that the sync service scheduler is suspended while the wizard is open.
Select - Configure -

Under - Additional Tasks - Select - Customize synchronization options - Next

Enter the Office 365 credentials - Next

As our local Active Directory is already connected - click Next (do not click Add Directory)

Now we can select the OU we want to target -
Select - Sync selected domains and OUs - then expand the domain and select the OU
In the image below, I have expanded the domain - internal.teamterry365.com
I have then selected ONLY the OU named - Exchange -
I have expanded the Exchange OU and confirmed all sub-OUs are selected. - Next

Next - Select your optional features.
Note that Azure AD constantly updates these features, so choose what suits your Organization best. I have selected the defaults for this tutorial. - Next

Azure AD Connect configuration will complete after you click - Configure.
Click Configure.

The configuration will commence and take some time depending on the size of your Organization.

Once completed, review the results and click Exit.

=========================================================

Office 365 objects after sync

Azure AD Connect should update your synchronized objects automatically, but if you would like to manually force a sync on Azure AD Connect, perform the following - Link

On the server where Azure AD Connect is installed - PowerShell
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
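An added wrapper around the delta sync (example code, not from the original post) that does the checks worth doing first on the Azure AD Connect server: confirms the scheduler is enabled, refuses to start while a run is already in progress, and waits for the run to finish instead of returning immediately. The timeout value is an assumption.

```powershell
# Added example, not from the original post. Start-ADSyncSyncCycle returns as soon
# as the cycle is queued; this wrapper checks the scheduler first, will not stack a
# second cycle on a running one, and polls until the connectors go idle.
Import-Module ADSync

function Invoke-CheckedDeltaSync {
    param([int]$TimeoutSeconds = 600)      # assumption: ten minutes is plenty for a small org

    $sched = Get-ADSyncScheduler
    if (-not $sched.SyncCycleEnabled) {
        throw 'Sync cycle is disabled (SyncCycleEnabled = False); re-enable with Set-ADSyncScheduler -SyncCycleEnabled $true'
    }
    'Next scheduled cycle (UTC): {0}; interval: {1}' -f $sched.NextSyncCycleStartTimeInUTC, $sched.AllowedSyncCycleInterval

    # Get-ADSyncConnectorRunStatus returns one object per connector that is mid-run
    # and nothing when the engine is idle. Starting a cycle on top of a run fails.
    if (Get-ADSyncConnectorRunStatus) {
        throw 'A sync run is already in progress; wait for it to finish before starting another'
    }

    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 10
        $running = Get-ADSyncConnectorRunStatus
        if ($running) {
            'Running: ' + (($running | ForEach-Object { "$($_.ConnectorName) [$($_.RunStage)]" }) -join ', ')
        }
    } while ($running -and (Get-Date) -lt $deadline)

    if ($running) { throw "Sync did not complete within $TimeoutSeconds seconds" }
    'Delta sync completed'
}

Invoke-CheckedDeltaSync
```

Once it reports completion, the object list in the Office 365 portal reflects the new OU filter; if the run stops early with export errors, the deletion threshold described above is the first thing to check.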

As you can see, Azure AD Connect has now only synchronized objects in the targeted OU.
Note that as no licenses have been assigned at this stage, and no mailboxes have been moved either, all the user, shared and resource / room mailboxes are created as unlicensed users in the Office 365 Admin portal.

- Admin Portal Objects -

Users
The users highlighted in blue in the screenshot were created directly in Office 365 - Sync Type - In Cloud
The users highlighted in red were synced from local Active Directory - Sync Type - Synced with...

Contacts
Select Users - Contacts - to show the contacts that have been synced via DirSync

Groups -
- The Distribution group has been synced correctly
- Note - Dynamic Distribution groups created in local Active Directory will need to be recreated.


- Office 365 - Exchange Admin Center Objects -

Mailboxes in Office 365 -
Only mailboxes created in Office 365 show in the Exchange Online mailboxes view; the synced on-premises mailboxes are not mailboxes in Exchange Online until they are moved.

Contacts in Office 365 -
The Contacts view lists the mail users that the sync created for on-premises user mailboxes, rooms and shared mailboxes (recipient type Mail user, routing mail back to the on-premises mailbox), alongside the Mail contacts created for external contacts in local Exchange.

Groups in Office 365
Only the Distribution Group created in local Exchange has been created in Office 365.
Note that mail enabled security groups will also be created in Office 365 via the sync.
Note that Dynamic Distribution Groups are NOT synced and will need to be recreated in Office 365.

Resources and Shared -
Only Office 365 created resource and shared mailboxes will appear in the Office 365 EAC.

==============================================================

Congratulations -
You have successfully configured your Exchange 2013 - 2016 Organization for Hybrid.

==============================================================

Related Tutorials -

Configure your Administration PC or Server
- How to configure your desktop PC for Office 365 Administration - including MFA - Link
- How to configure Server 2012 R2 for Office 365 Administration - including MFA - Link
- How to configure your desktop PC for Hybrid Exchange - Office 365 - Azure Administration - Link

Connection Scripts
- How to connect to Office 365 and Azure via PowerShell - Link
- How to connect to Hybrid Exchange - Office 365 - Azure AD and Local AD via PowerShell - Link
- How to connect to Office 365 via PowerShell with MFA - Multi-Factor Authentication - Link

Downloads -
All my PowerShell TechNet Downloads - Link

Tips and Tricks -
How to get a 180 day trial tenant in Office 365 for testing - Link
General Tips and Tricks for better Office 365 Administration - Link
How to extend your Office 365 Trial - Link

2 comments:

  1. Sync Server needs to be set up before running the Hybrid wizard, just to correct here.

    Replies
    1. As per the Microsoft support article -

      https://support.office.com/en-us/article/Use-Minimal-Hybrid-to-quickly-migrate-Exchange-mailboxes-to-Office-365-FDECCEED-0702-4AF3-85BE-F2A0013937EF -

      Azure AD Connect is downloaded and installed AFTER the Hybrid Connection Wizard.