Deploying a hybrid environment is one of the most complicated tasks a system administrator faces during migration to Office 365. It might take weeks of collecting data about the infrastructure, reading publications, planning migration stages and testing. What is more, even with all this effort, there is no guarantee that everything will turn out just fine. This article gives a step by step guide to getting through the Exchange/Office 365 Hybrid Configuration Wizard (HCW). After that, I give an insight into what actions the HCW performs in the background. Finally, the last section is a guide on how to analyze logs and solve problems connected with deploying a hybrid environment.
To go straight to an activity performed by Hybrid Configuration Wizard, click on one of the links below:
- Validating On-premises and Online Exchange Connection
- Collecting data about Exchange configuration from the on-premises Active Directory
- Collecting information on the Exchange online (Office 365) configuration
- Creating new Federation Trust and the required certificate in the local Exchange
- Creating new Hybrid Configuration Object in the local Active Directory
- Changing settings of on-premises Exchange server
- Configuring Organization Relationship between the local server and the cloud
- Setting connectors on both Exchange servers
- Enabling MRS Proxy
- Configuring OAuth
Exchange/Office 365 Hybrid Configuration Wizard
Configuring your environment using the Exchange Hybrid Configuration Wizard is one of the most critical moments before the actual migration. This tool is used to configure your local domain and Office 365 tenant, so that your on-premises Exchange can merge with Exchange Online, resulting in the creation of a single, hybrid organization.
Before you run the HCW, you need to prepare:
- Credentials of an on-premises account that is a member of the Domain Admins security group (the wizard also needs the rights of the Exchange Organization Management role group, which Domain Admins membership alone does not grant)
- Credentials of the Office 365 Global Administrator
- Office 365 plan which supports hybrid deployment (Enterprise, Government, Academic or Midsize)
The Wizard can be started from Exchange Admin Center (EAC) by going to the “hybrid” tab.
Clicking on the “configure” button redirects you to the Office 365 login page. To continue, you have to enter your tenant’s global administrator credentials. By default, the administrator’s login uses the tenant’s default onmicrosoft.com domain. In a few seconds, a page with a download link should appear:
Clicking on the link will start the download of the Office 365 Hybrid Configuration Wizard Installer. The HCW installation should start automatically. If the installation does not start on its own, just run the recently downloaded installer and follow the steps on the screen.
At this stage, the installation process should be completed, and a shortcut to the HCW should have appeared on the desktop. The Wizard should start automatically. If not, run it using the shortcut.
On the next screen, the wizard either searches automatically for the right Exchange server or waits for you to specify it. In Exchange 2010 or Exchange 2013 it must point to a server with the Client Access Server role. On the same screen you also select the Office 365 instance that hosts your tenant. In most cases, it is Office 365 Worldwide.
At this point, you need to enter credentials of your on-premises admin and its cloud counterpart.
After entering the credentials, the Wizard attempts to log into each server using PowerShell. It is done in order to verify that the credentials, necessary for the Hybrid deployment to be completed, are valid.
Note that in this step, there is an option to “use current Windows credentials”. If the on-premises admin validation does not work, clear the checkbox and enter the right user’s credentials manually.
The next step is setting up Federation Trust. Federation Trust is a required feature for the full Hybrid deployment. It enables sharing calendar free/busy information within a Hybrid environment, between all users.
Here, the Office 365 Hybrid Configuration Wizard lists your domains along with information if the Autodiscover service is available. From the domains’ list, you have to choose your public domain or domains, remembering that Autodiscover has to be configured correctly for them. At this stage, you will also need to prove you are the domain’s owner. For each domain there, a token is generated.
In your DNS, you have to create a TXT record for each of your domains, with a value corresponding to the token generated in the HCW. After having created the TXT records, you should wait for a while so that the records propagate throughout the network. When the TTL (time to live) has passed, click on “I have created a TXT record for each token in DNS” and “verify domain ownership”. The Exchange Hybrid Configuration Wizard will check whether the tokens are visible on your domain’s DNS. After the verification is complete, go to the next screen.
Now the HCW asks you how the connection between Exchange Online and Exchange on-premises should be established. The first choice depends on whether you have an Exchange Edge Transport server or not. The next option, “Enable centralized mail transport”, makes your on-premises Exchange server act as a smart host for Exchange Online: all outbound emails sent from Office 365 are routed through the on-premises server first. This gives you central management of mail flow rules and signatures for the whole company, applied from one place to every message regardless of where it originated.
In the next window, you choose the server which is to receive emails sent from Office 365. The server should have an appropriate, publicly trusted SMTP certificate bound to port 25, and that port must not be blocked by any firewall software or by the router. You can check which certificate your server presents on port 25 with an external SMTP/TLS testing service.
The next step is determining on which server the Send Connector will be created. Remember that the public IP address used for your Exchange server must be NATed or forwarded to the server’s internal IP address. Apart from that, the domain should have its SPF (Sender Policy Framework) record configured, and the PTR record should resolve the public IP address to the hostname present in the certificate used for SMTP. The name is usually in the format “smtp.domain.com” or “mail.domain.com”.
The Office 365 Hybrid Configuration Wizard will also ask you to identify the Transport Certificate between on-premises Exchange and Office 365. The certificate is used to ensure secure communication between those servers.
The last step is entering the fully qualified domain name (FQDN) for the on-premises organization. FQDN is resolved to the public IP address and enables mails to be routed to the on-premises Exchange. On this address, the Exchange server is listening on port 25 and 443 (EWS, OWA). FQDN’s format usually is like in this example: mail.domain.com.
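The DNS and SMTP prerequisites the wizard asks about on the preceding screens (domain-proof TXT token, SPF, Autodiscover, PTR, and a publicly trusted certificate offered via STARTTLS on port 25) can be checked from any Windows machine before you press “next”. The script below is an added example and is not part of the original article or of the HCW itself; the domain name, the SMTP host name and the proof token are placeholders you replace with your own values.

```powershell
# Added example (not from the original article): pre-flight checks for the DNS and
# SMTP prerequisites of a hybrid deployment. All names below are placeholders.
param(
    [string]$Domain     = 'contoso.com',        # assumed public domain selected in the HCW
    [string]$SmtpHost   = 'mail.contoso.com',   # assumed FQDN entered on the last HCW screen
    [string]$ProofToken = ''                    # token shown by the HCW, if you want to check domain proof
)

function Get-TxtRecords([string]$Name) {
    (Resolve-DnsName -Name $Name -Type TXT -ErrorAction SilentlyContinue).Strings
}

# 1. Domain proof: the TXT record must carry the HCW token verbatim.
if ($ProofToken) {
    if ((Get-TxtRecords $Domain) -contains $ProofToken) { "OK   domain-proof TXT present for $Domain" }
    else { "FAIL domain-proof TXT missing for $Domain (or the old TTL has not expired yet)" }
}

# 2. SPF: exactly one TXT string starting with v=spf1 is expected.
$spf = @(Get-TxtRecords $Domain | Where-Object { $_ -like 'v=spf1*' })
switch ($spf.Count) {
    0       { "FAIL no SPF record on $Domain" }
    1       { "OK   SPF: $($spf[0])" }
    default { "WARN $($spf.Count) SPF records on $Domain; receivers treat this as a permanent error" }
}

# 3. Autodiscover must resolve (A or CNAME) for every domain you federate.
$ad = Resolve-DnsName -Name "autodiscover.$Domain" -ErrorAction SilentlyContinue |
      Where-Object { $_.Type -in 'A', 'CNAME' }
if ($ad) { "OK   autodiscover.$Domain resolves" } else { "FAIL autodiscover.$Domain does not resolve" }

# 4. The SMTP host's public IP must reverse-resolve (PTR) to the name on the certificate.
$ip = (Resolve-DnsName -Name $SmtpHost -Type A -ErrorAction SilentlyContinue).IPAddress | Select-Object -First 1
if ($ip) {
    $ptr = (Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue).NameHost
    if ($ptr -and $ptr.TrimEnd('.') -ieq $SmtpHost) { "OK   PTR for $ip is $ptr" }
    else { "WARN PTR for $ip is '$ptr', expected $SmtpHost" }
} else { "FAIL $SmtpHost has no A record" }

# 5. Port 25 with STARTTLS: speak just enough SMTP to negotiate TLS, then inspect the
#    certificate so you can confirm it is the public one the HCW will bind to the connectors.
try {
    $tcp    = New-Object System.Net.Sockets.TcpClient($SmtpHost, 25)
    $stream = $tcp.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream); $writer.AutoFlush = $true
    $null = $reader.ReadLine()                                   # 220 banner
    $writer.WriteLine('EHLO hybridcheck.example')
    do { $line = $reader.ReadLine() } while ($line -match '^250-')  # drain EHLO capabilities
    $writer.WriteLine('STARTTLS')
    $reply = $reader.ReadLine()
    if ($reply -notmatch '^220') { throw "server refused STARTTLS: $reply" }
    # Accept any certificate here on purpose: we only want to look at it, not trust it.
    $noCheck = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($stream, $false, $noCheck)
    $ssl.AuthenticateAsClient($SmtpHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "OK   STARTTLS on ${SmtpHost}:25 - subject $($cert.Subject), issuer $($cert.Issuer), expires $($cert.NotAfter)"
    $san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
    if ($san) { "     SAN: " + $san.Format($false) }
    if ($cert.Subject -eq $cert.Issuer) { "WARN certificate is self-signed; the HCW needs a publicly trusted one" }
    $tcp.Close()
} catch { "FAIL STARTTLS on ${SmtpHost}:25 - $($_.Exception.Message)" }
```

Run it from a machine outside your network as well as inside; the HCW and Exchange Online see the public side, so a check that passes only from the LAN tells you nothing about what Office 365 will encounter.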
After pressing the “next” button, the HCW starts connecting the Office 365 with the local Exchange into a single hybrid organization.
If everything goes well and the Wizard does not encounter any difficulties, the following window will show:
Easy, right? However, this is where most admins wonder what was changed in their infrastructure and what to do to ensure that everything is in order.
Analyzing Hybrid Configuration Wizard logs (thorough analysis)
Hybrid Configuration Wizard, after taking input from the administrator, performs a series of activities divided into several workflows. Information on the execution of those tasks can be viewed in the wizard’s log. The log is in the following location:
%AppData%\Microsoft\Exchange Hybrid Configuration (%AppData% already resolves to the Roaming profile folder)
In this location, there should be three files. The most important one is the txt file.
By analyzing the txt file, you can check every task performed by the Wizard. For example, you can check if the Wizard finished activity successfully and how much time did it spend on it. Also, in most cases, you can learn what kind of cmdlet was used to achieve it. The HCW normally executes the following activities:
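Rather than searching the txt file phrase by phrase, you can pull out the same information (the [Key=Value, …] tags, which activity or cmdlet each line belongs to, the errors, and the durations reported on FINISH lines) in one pass. The script below is an added example, not code from the original article or from Microsoft; the sample lines embedded in it are constructed to resemble HCW log entries, so if your log’s timestamp or level format differs, adjust the regular expression accordingly.

```powershell
# Added example (not from the original article): summarise an HCW log by its
# bracketed [Key=Value, ...] tags. Pass -LogPath to read the real file; without it,
# the constructed sample entries below are parsed instead.
param([string]$LogPath)

# Constructed sample lines approximating HCW log entries (not real log output).
$sample = @'
2019.03.05 09:10:01.120 *INFO* [Client=UX, Activity=OnPremises Connection Validation, Session=OnPremises, Cmdlet=Get-OrganizationConfig, Thread=4] START
2019.03.05 09:10:02.310 *INFO* [Client=UX, Activity=OnPremises Connection Validation, Session=OnPremises, Cmdlet=Get-OrganizationConfig, Thread=4] FINISH Time=1190.2ms Results=1
2019.03.05 09:10:02.400 *INFO* [Client=UX, Activity=Tenant Connection Validation, Session=Tenant, Cmdlet=Get-AcceptedDomain, Thread=4] START
2019.03.05 09:10:05.900 *INFO* [Client=UX, Activity=Tenant Connection Validation, Session=Tenant, Cmdlet=Get-AcceptedDomain, Thread=4] FINISH Time=3500.0ms Results=3
2019.03.05 09:12:10.000 *INFO* [Functionality=RunWorkflow, Workflow=Hybrid, Task=IntraOrganization, Thread=4] START
2019.03.05 09:12:40.000 *ERROR* [Functionality=RunWorkflow, Workflow=Hybrid, Task=IntraOrganization, Thread=4] HCW8064 EWS endpoint could not be reached
2019.03.05 09:12:40.100 *INFO* [Functionality=RunWorkflow, Workflow=Hybrid, Task=IntraOrganization, Thread=4] FINISH Time=30100.0ms
'@

$lines = if ($LogPath) { Get-Content -Path $LogPath } else { $sample -split "`r?`n" }

# timestamp, *LEVEL*, [tags], message
$pattern = '^(?<ts>\S+ \S+)\s+\*(?<level>\w+)\*\s+\[(?<tags>[^\]]+)\]\s+(?<msg>.*)$'

$entries = foreach ($line in $lines) {
    if ($line -notmatch $pattern) { continue }
    $tags = @{}
    foreach ($kv in ($Matches.tags -split ',\s*')) {
        $k, $v = $kv -split '=', 2
        $tags[$k] = $v
    }
    # Thread is dropped from the key so START/FINISH pairs and errors group together.
    $key = ($tags.GetEnumerator() | Where-Object { $_.Key -ne 'Thread' } |
            Sort-Object Key | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '
    [pscustomobject]@{
        Time    = [datetime]::ParseExact($Matches.ts, 'yyyy.MM.dd HH:mm:ss.fff', $null)
        Level   = $Matches.level
        Key     = $key
        Message = $Matches.msg
    }
}

'=== Errors (search these Key values in the txt file for the full context) ==='
$entries | Where-Object { $_.Level -eq 'ERROR' } | Format-Table Time, Key, Message -AutoSize -Wrap

'=== Duration and result count per activity/cmdlet, slowest first ==='
$entries | ForEach-Object {
    if ($_.Message -match '^FINISH Time=(?<ms>[\d.]+)ms(?: Results=(?<n>\d+))?') {
        [pscustomobject]@{
            Key     = $_.Key
            Seconds = [math]::Round([double]$Matches.ms / 1000, 1)
            Results = $Matches.n
        }
    }
} | Sort-Object Seconds -Descending | Format-Table -AutoSize -Wrap
```

The Key column reproduces exactly the phrases the rest of this section tells you to search for (for example Activity=Tenant Connection Validation, Session=Tenant, Cmdlet=Get-AcceptedDomain), so a slow or failed row can be looked up directly in the original file.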
- Validating On-premises and Online Exchange Connection.
Simply speaking, the Hybrid Configuration Wizard checks if it is possible to connect to both servers with PowerShell. You can easily find the log entry which provides data on this activity by searching for the following phrase:
Activity=OnPremises Connection Validation and Activity=Tenant Connection Validation
It will come in handy whenever the HCW is unable to connect with On-premises Exchange or Exchange Online
- Collecting data about Exchange configuration from the on-premises Active Directory
At this point, the Wizard gathers information about the local domain. In order to do that, the HCW executes a series of Get- cmdlets. You can check which cmdlets are used by searching for this phrase:
Activity=OnPremises Connection Validation, Session=OnPremises, Cmdlet=
In the example log, the HCW executed the Get-OrganizationConfig cmdlet and got one result, namely “OrganizationConfig”.
- Collecting information on the Exchange online (Office 365) configuration
This task repeats what has been done in the previous step, only for the Exchange online, instead of the on-premises one. The results can be found by typing the following phrase in the Find window:
Activity=Tenant Connection Validation, Session=Tenant, Cmdlet=
In the example, Get-AcceptedDomain returned three results. It means that in this Office 365 tenant there are three domains. Their exact names are present just below the found phrase.
- Creating new Federation Trust and the required certificate in the local Exchange:
In the log file, it can be found using this phrase:
Activity=Enable Federation Trust
If the activity finishes successfully, a new certificate should appear in the on-premises Exchange certificate list. The new certificate includes “Federation” in its Subject field. To make sure the certificate is there, run the cmdlet Get-ExchangeCertificate and look for it in the output.
- Creating new Hybrid Configuration Object in the local Active Directory:
The newly created object can be viewed in a few ways:
- In the local Active Directory (e.g. with ADSI Edit), under the following distinguished name:
CN=Hybrid Configuration,CN=Hybrid Configuration,CN=<organization’s_name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain>,DC=<domain>
- Through Exchange Management Shell:
Get-HybridConfiguration
- In the HCW logs, by going to the following phrase:
Functionality=RunWorkflow, Workflow=Hybrid
In the same part of the log, you can also see when the wizard executed the command “New-HybridConfiguration”.
- Changing settings of on-premises Exchange server:
- EmailAddressPolicy – adds the address @tenant.mail.onmicrosoft.com
- Remote domains – adds tenant.mail.onmicrosoft.com and tenant.onmicrosoft.com
- Accepted domains – adds tenant.mail.onmicrosoft.com
The data about those activities can be found between the following phrases:
[Functionality=RunWorkflow, Workflow=Hybrid, Task=Recipient] START
[Functionality=RunWorkflow, Workflow=Hybrid, Task=Recipient] FINISH
Changes can also be viewed with the following cmdlets:
Get-EmailAddressPolicy | FL Name,EnabledEmailAddressTemplates
Get-RemoteDomain
Get-AcceptedDomain
- Configuring Organization Relationship between the local server and the cloud.
This configuration is not necessary in a minimal hybrid deployment. With it correctly configured, free/busy information of mailboxes can be shared between the on-premises Exchange and Exchange Online. To find information on the task’s progress, search for the following phrase:
Functionality=RunWorkflow, Workflow=Hybrid, Task=OrganizationRelationship
Set-* and New-* cmdlets are executed on both sides to make the sharing possible.
To view all data about the Organization Relationship, use your PowerShell console:
Get-OrganizationRelationship
- Setting connectors on both Exchange servers.
During this workflow, four connectors are set – one receive and one send connector for each server. Those connectors guarantee the mail flow between the on-premises and Exchange Online. Logs include information on this process under a phrase:
Functionality=RunWorkflow, Workflow=Hybrid, Task=MailFlow
The HCW also writes tables with the receive and send connectors’ settings to the log. Each table compares the current and the expected configuration, for example of the on-premises receive connector, or of the send connector from on-premises Exchange to tenant.mail.onmicrosoft.com.
Cmdlets used during this stage for on-premises Exchange are:
- New-SendConnector
- Set-ReceiveConnector
And for Exchange Online:
- New-OutboundConnector
- New-InboundConnector
To sum up, if you choose the “Centralized Mail Transport” option, the HCW sets up:
Two connectors in Exchange Online:
- An inbound connector which identifies your organization by the name in the TLS certificate
- An outbound connector which routes all outbound mail through a smart host (the local Exchange) that identifies itself with that certificate on port 25
Two connectors in on-premises Exchange:
- A new send connector, whose address space is tenant.mail.onmicrosoft.com
- The default receive connector is not so much created as modified, so that it accepts TLS connections from Exchange Online
- Enabling MRS Proxy
MRS Proxy makes it possible to migrate mailboxes to and from Office 365. Usually, this step is done before launching the Hybrid Configuration Wizard. However, if you did not do it prior to launching the wizard, the HCW does it for you. You can see this in the log by searching for the phrase:
Functionality=RunWorkflow, Workflow=Hybrid, Task=MRSProxy
- Configuring OAuth
To see how is the OAuth authentication configured, go to the phrase:
Functionality=RunWorkflow, Workflow=Hybrid, Task=IntraOrganization
A common error which occurs during this workflow is error HCW8064. It occurs whenever there is a problem with accessing the EWS virtual directory from the Internet. You can easily verify what seems to be the problem by using https://testconnectivity.microsoft.com/. On the site, choose test synchronization, notification, availability and automatic replies. Note that sometimes, despite the correct EWS configuration, the error still shows up. Then, usually restarting your Exchange server and re-launching Hybrid Configuration Wizard does the trick.
If nothing else works, you can perform the OAuth configuration manually; Microsoft’s documentation describes how to do it.
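Everything this section has described can be verified from the on-premises Exchange Management Shell without touching the log at all, which is also the quickest way to see what a re-run of the wizard would change. The checklist below is an added example, not code from the original article or from Microsoft; it is read-only apart from Test-OAuthConnectivity, which performs a test call. The tenant name and the test mailbox are placeholders.

```powershell
# Added example (not from the original article): read-only checklist to run in the
# on-premises Exchange Management Shell after the HCW has finished. It prints each
# object the wizard creates or changes, grouped by the log task that creates it.
param(
    [string]$Tenant  = 'contoso',            # assumed tenant name (contoso.mail.onmicrosoft.com)
    [string]$Mailbox = 'user@contoso.com'    # assumed on-premises mailbox for the OAuth test
)
$coexistDomain = "$Tenant.mail.onmicrosoft.com"

'--- Hybrid configuration object (Workflow=Hybrid) ---'
Get-HybridConfiguration |
    Format-List Domains, SendingTransportServers, ReceivingTransportServers, TlsCertificateName, Features

'--- Federation trust and its certificate (Activity=Enable Federation Trust) ---'
Get-FederationTrust | Format-List Name, ApplicationUri, TokenIssuerUri, OrgCertificate
Get-ExchangeCertificate | Where-Object { $_.Subject -like '*Federation*' } |
    Format-List Subject, Thumbprint, NotAfter
Get-FederatedOrganizationIdentifier | Format-List AccountNamespace, Domains, Enabled

'--- Recipient changes (Task=Recipient) ---'
Get-AcceptedDomain | Where-Object { $_.DomainName -like '*onmicrosoft.com' } |
    Format-Table DomainName, DomainType, Default -AutoSize
Get-RemoteDomain | Where-Object { $_.DomainName -like '*onmicrosoft.com' } |
    Format-Table Name, DomainName, TargetDeliveryDomain -AutoSize
Get-EmailAddressPolicy | Select-Object Name, Priority,
    @{ n = 'HasCoexistenceAddress'; e = { ($_.EnabledEmailAddressTemplates -join ';') -like "*@$coexistDomain*" } }

'--- Organization relationship (Task=OrganizationRelationship) ---'
Get-OrganizationRelationship |
    Format-List Name, DomainNames, TargetApplicationUri, FreeBusyAccessEnabled, FreeBusyAccessLevel, MailboxMoveEnabled

'--- Connectors (Task=MailFlow) ---'
# The send connector to Exchange Online has the coexistence domain as its address space.
Get-SendConnector | Where-Object { $_.AddressSpaces -like "*$coexistDomain*" } |
    Format-List Name, SourceTransportServers, SmartHosts, TlsDomain, TlsAuthLevel, RequireTLS, CloudServicesMailEnabled
# The modified default receive connector carries TlsDomainCapabilities for Exchange Online
# and a TlsCertificateName in the form <I>issuer<S>subject.
Get-ReceiveConnector | Where-Object { $_.TlsDomainCapabilities } |
    Format-List Identity, Bindings, TlsDomainCapabilities, TlsCertificateName

'--- MRS Proxy (Task=MRSProxy) ---'
Get-WebServicesVirtualDirectory | Format-Table Server, MRSProxyEnabled, ExternalUrl -AutoSize

'--- OAuth (Task=IntraOrganization); a failure here is what HCW8064 usually points at ---'
Get-IntraOrganizationConnector | Format-List Name, DiscoveryEndpoint, TargetAddressDomains, Enabled
Test-OAuthConnectivity -Service EWS -TargetUri 'https://outlook.office365.com/ews/exchange.asmx' -Mailbox $Mailbox |
    Format-List Task, ResultType, Detail
```

Save the output before you run the wizard again or change anything by hand; comparing two runs of this list is the simplest way to see exactly which connector, policy or relationship a later HCW run altered.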
Summary
Even though Hybrid Configuration Wizard is quite simple to use, it performs some complicated tasks. Its primary task is to introduce changes in the Exchange Server infrastructure. In my opinion, it is worthwhile to look at what exactly happens, before creating a hybrid environment. This way, you will be able to predict where problems may arise. What is more, understanding the HCW logs gives an upper hand, as it lets you easily find out what is wrong and how to deal with it.
So what does the application do other than fail?
Hi Adam,
thanks for this great post.
After doing the hybrid configuration with the help of your post in January this year, unfortunately I must go back to an isolated on-premises Exchange installation without hybrid mode.
Can you give me a tip on how to do this?
We have an Exchange 2016 Server.
Prepare for some stress and manual configuration. I’ve never come across any official documentation concerning such a procedure. You’ll need to remove DNS records pointing to Microsoft 365, organization relationship, federation gateway, connectors… Pretty much everything the Hybrid Configuration Wizard set up for you. Good luck!
Hello Adam,
really great!
Many thanks for it.
Really useful info Adam, Thanks. What advice do you have for someone needing to split their on-premise Exchange users into two separate Office365 accounts?
Our organisation is splitting off into two separate companies and I need to migrate them to their own Office 365 accounts. I guess I can go through the entire hybrid migration twice and just specify the OU to migrate to individual O365 account each time but am coming up blank on how to do the Azure AD sync!
Hi Tobi,
If I had to migrate using native methods, I would not choose hybrid migration. When using hybrid, it is recommended to leave at least one Exchange Server behind and having an Exchange server linked to two different tenants doesn’t look like a good idea. So if I were to choose a native method for this kind of migration, I would do cutover twice and connect respective, separate on-premises servers with the right tenants using Azure AD Connect. To make the migration easier, I would use CodeTwo Office 365 Migration tool.
Hi Adam,
Great Article! Very Helpful. We are about to start our migration from 2 trusted forests with exchange 2010 to a single tenant. Since we have the two forests, I need to run the HCW on a server in both forests correct? Also, if I want the mail to continue to flow through on prem do I need to configure centralized mail transport in each forest? Thanks for sharing your insight.
Hi Chris
You need to run the HCW on each forest. When it comes to centralised transport – I would advise against it. If you check the box for centralised email transport on your subsequent forest, the HCW will route all Office 365 emails through the subsequent forest. This Practical 365 article explains how to handle multiple forest hybrid scenarios.
Hi Adam,
We are currently planning the deployment of Exchange Hybrid and need to make a decision where to run the HCW from. We have exchange server 2010 with the latest exchange updates and server 2008 R2 up to date as well. As a requirement for the HCW to run we need .net at least 4.6.2 on the server but this version is not supported on exchange 2010 servers. In this setup is it possible to run the HCW from another, non exchange server?
Many thanks,
Svet
Hi Svet,
According to Microsoft Docs, you can run the HCW from any domain-joined machine. You should be using the Office 365 Hybrid Configuration wizard, accessible from the Office 365 portal.
Does user’s outlook profile automatically redirected to the Exchange Online after his/her mailbox has been moved from on Premise Exchange to Exchange Online?
Thanks.
It should, and in most cases it does. It might take some time, however, so it is advisable to make the final switch outside of business hours. If the profile doesn’t get redirected, usually the quickest way to solve issues is to recreate the Outlook profile. More information in the article below:
How to recreate Outlook profiles (video tutorial)
Apologies if this question has been answered before. We are going for Exchange hybrid migration to EOL (Exchange Online). On-premise, we have Exchange 2016 mailbox and Exchange 2016 Edge transport servers, DLP appliance (Forcepoint 8.4) and Cisco Email Security as our mail gateway.
We are enabling Centralised Mail Transport (CMT) because we wish to retain the DLP appliance for now until all mailboxes are migrated.
1) When running the HCW, should I choose the Edge Transport server as the Optimal server or the Exchange 2016 mailbox server? The Edge Transport server is used for address-rewrite for outgoing emails. Incoming emails do not traverse the Edge Transport server.
2) Is there any additional configuration needed on the send/receive connectors, so that email delivered to the online mailbox is routed back to the on-premise Exchange (CMT) without issues. I read somewhere that you should not have anything in between the on-premise Exchange and EOL that modifies the email.
3) Is there any address rewriting capabilities in Exchange Online?
Thank you.
Awesome article thanks Adam, I am progressing through my own migration now and have done a write up. I would really appreciate your critique on my methods below? Thanks
https://dailysysadmin.com/KB/Article/1492/migrating-to-office-365-from-microsoft-exchange-step-by-step-stage-1-prerequisites/
https://dailysysadmin.com/KB/Article/1526/migrating-to-office-365-from-microsoft-exchange-step-by-step-stage-2-azure-ad-connect/
https://dailysysadmin.com/KB/Article/1582/migrating-to-office-365-from-microsoft-exchange-step-by-step-stage-3-exchange-hybrid-configuration-wizard/
Hello Adam,
A few doubts..
1) Do we need a public domain and a public IP pointing to our Exchange server? I mean, can’t we do this with a local server?
2) Is Azure AD Connect etc. a must?
Hello George.
1) Do you have an on-premises Exchange Server without a domain or a public IP? I am not sure if this can function in any way. Maybe a cloud-only deployment of Office 365 is a better option for you?
2) If you want to have a Hybrid environment then yes, AAD Connect is one of the prerequisites for the Hybrid.
Hi, we are about to do a migration from EXC10 running on SBS11 using the full hybrid migration path. My question is, is it even possible and is it supported? I am asking this because I stumble upon different blog posts that are saying that SBS has this limitation for inter-forest trust and that HCW will fail. Others are saying they did not have a problem with HCW step of provisioning Exchange federation trust. Are they even talking about the same thing? Thank you.
Hi Dragan,
According to the Exchange Server Deployment Assistant, SBS Server is not among the list of the supported Directory Servers for hybrid migration. The documentation about SBS migration to Office 365 is very scarce, but most people seem to recommend a cutover migration or using third-party tools for a pain-free transition.
I have never configured a hybrid environment with an SBS11 server, but I don’t think it is impossible. Try looking up the Office 365 Integration Module – it should take care of the integration. That said, I still think that SBS11-Office 365 hybrid seems like an overkill and a hard case to support if you run into any problems on the run.
hi,
Great article ..
few doubts
1. “In the next window, you choose the server which is to receive emails sent from Office 365. The server should have appropriate SMTP certificate on port 25 ….” Here, do we need an internal self-generated cert or a public cert?
2. “The next step is determining on which server a Send Connector will be. Remember that the public IP address of your Exchange server should point to its internal IP address. Apart from that, the server should have its SPF (Sender Policy Framework) record configured. The PTR record should resolve the IP address to the hostname present in the certificate for SMTP service ……” Here we should have a public certificate?
Br
Rajesh
Hi Rajesh,
I am afraid that a self-signed certificate will not do in either of the steps you have mentioned.
You can find more information on hybrid certificates requirements in the following TechNet articles:
Certificate requirements for hybrid deployments
Hybrid deployment prerequisites
Hello,
Is is possible to use this wizard for a hybrid configuration between SMTP (on-premise) and Exchange (Office 365)?
Hello Sem,
Do you mean SMTP server other than Exchange? I am afraid it is not possible, please refer to Hybrid deployment prerequisites for a list of supported on-premises environments.
Thanks for the great article. I’m curious, will running the HCW bring down access to my on-premise server to my current users?
Hello Eric,
No, creating a Hybrid environment with the HCW should not influence the user access to your on-premises environment in any way. To block the access to your on-premises environment, you will have to migrate all your users to Office 365 and decommission your Exchange Server.
Question, do Hybrid deployments using OAuth authentication by default ? Are there any other Authentication mechanisms that are supported for exchange On-Prem and On-Line integration.
Hybrid deployments do use OAuth by default, but not for all communication. Configuring OAuth lets you use Exchange features such as Message Rights Management or Exchange In-Place eDiscovery. Other hybrid authentication mechanisms include Federation trust, Azure Authentication Service and Organization relationship.
In reference to step 6, above (Changing settings of on-premises Exchange server:)
If a hybrid environment already exists, and the wizard is run again in order to add a second domain which will be synced with AD (additional UPN suffix from on-prem), will new remote domains be created? (ie, @mail.onmicrosoft.com, and @onmicrosoft.com)
I have HCW configured and it’s working perfectly fine. Now I want to add another transport (mailbox in 2013) to the source of the send connector on-prem. Do I need to run HCW again, or will simply running Set-HybridConfiguration -SendingTransportServers xyz.contoso.com help?
Hello, one question. Does hybrid setup transform the Default Frontend receive connector to SMTP with authentication (auth ntlm or auth login)?
Hello Marinko,
Yes, default Full Hybrid Configuration changes the default frontend receive connector to accept emails only from authenticated users. If it causes problems with receiving emails from outside the company, you might need to create a new receive connector, just for Anonymous Users group.
Thank you for detailed information. Very great post.
Hi,
is there a problem if we run HCW on exchange 2010 installed on server 2003?
According to Understanding Prerequisites for Exchange 2010 Hybrid Deployments on TechNet, Exchange Server 2010 requires at least Windows Server 2008 SP2 for a successful Hybrid Deployment.
Hi – I am trying to complete hybrid configuration at home lab. I have gone through all the steps. Just want to confirm one final thing before, I press NEXT button to kick start the process.
My home lab (Exchange 2016) uses smart host on the send connector to route the message using port 2525 – reason being ISP blocks port 25. Is this going to cause any issue during HCW process? Please note, I have selected ENABLE CENTRALIZED MAIL TRANSPORT feature during HCW process.
Thanks
Ram
As I mentioned in the article, if you choose Enable Centralized Mail Transport, the HCW creates connectors on its own. As a result, there might be some issues with port numbers you might need to fix manually later on. I have never tried routing messages using port 2525 so I cannot say for sure what will happen. If you choose to go with it, please share what happens.
Hi Adam,
Awesome! Yeah, I have actually saved those links already. Thanks a lot and keep posting guides like these – very helpful. :)
Hi Adam,
Great post! Exactly what we are looking for to guide us on our Hybrid Configuration. Now, I just wonder which we should perform first, the Azure AD Connect or the Hybrid Configuration Wizard? Does it matter what we do first?
Thanks in advance!
Arnel
Thank you, Arnel!
According to this TechNet article, Azure AD Connect is one of the prerequisites for Hybrid deployment and needs to be run before the Hybrid Configuration Wizard. If you look for a similar guide on Azure AD Connect, be sure to check the articles listed in the See also section, just above comments.