Prepare Exchange 2016 for Office 365 Hybrid Migration

Steps to prepare Exchange 2016 for Office 365 Hybrid Migration

A. Update Exchange 2016 to CU11

  1. Download and install .NET Framework 4.7.1
  2. Download and install Exchange 2016 CU11

It took 3 hours to install Exchange 2016 CU11 for one of our clients, whose Exchange 2016 server has only 12GB RAM installed for 300 users.

  1. Restart the Exchange 2016 server and ensure that it is running fine
  2. Run the Microsoft Remote Connectivity Analyzer for the Outlook Autodiscover & connectivity tests and ensure that they complete successfully


  1. Ensure that the public wildcard SSL certificate is bound to the IIS & SMTP services (Services must list both; a certificate bound to IIS only will not be offered to Exchange Online on port 25)
Get-ExchangeCertificate | ? Subject -like "**" | fl

AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
CertificateDomains : {*}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
NotAfter           : 12/31/2018 8:17:54 PM
NotBefore          : 10/2/2018 8:17:54 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 043CE5EC537C6CE6C041DB5EB704338F0D4D
Services           : IIS, SMTP
Status             : Valid
Subject            : CN=*
Thumbprint         : 043366D30FD9679B7DE82183C709E9C8C559C1C4

B. Enable TLS on the SMTP Gateway with the same SSL certificate installed on the Exchange 2016 server

TLS is used for mail flow between Exchange Online and the Exchange 2016 SMTP connector or SMTP gateway, so we have to enable TLS on the F-Secure SMTP Gateway as well. The connectors the Hybrid wizard creates require TLS in both directions, so the gateway must offer STARTTLS and present a certificate that is publicly trusted and matches the FQDN given to the wizard; a self-signed or name-mismatched certificate on the gateway breaks hybrid mail flow.

Upload the SSL wildcard certificate to F-Secure

Assign the SSL certificate to the SMTP service

Turn on TLS
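To confirm from the outside that the gateway (or the Exchange server itself) really offers STARTTLS and presents the expected certificate, the PowerShell function below is an added example and not code from the original post or from F-Secure: it runs the SMTP dialogue up to STARTTLS, upgrades the socket with .NET's SslStream, and returns the negotiated protocol and certificate. No custom validation callback is installed, so an untrusted chain or a name mismatch throws, which is the same failure Exchange Online would hit. The host names in it are assumptions.

```powershell
# Added example (not from the original post): probe an SMTP host for STARTTLS and
# report the certificate it presents, so the gateway can be compared with the
# certificate bound to the Exchange 2016 SMTP service. Host names are assumptions.
function Test-SmtpStartTls {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 25,
        [string]$EhloName = 'hybridcheck.aventislab.local'   # assumed client name for EHLO
    )

    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 15000
    $client.SendTimeout    = 15000
    $client.Connect($HostName, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    # Read one complete SMTP reply; continuation lines carry '-' in the 4th column ("250-").
    $readReply = {
        $lines = @()
        do {
            $line = $reader.ReadLine()
            if ($null -eq $line) { throw "Connection closed by $HostName" }
            $lines += $line
        } while ($line.Length -ge 4 -and $line[3] -eq '-')
        ,$lines
    }

    try {
        $banner = & $readReply
        if ($banner[-1] -notmatch '^220') { throw "Unexpected banner: $($banner -join ' ')" }

        $writer.WriteLine("EHLO $EhloName")
        $ehlo = & $readReply
        if (-not ($ehlo -match '^250[ -]STARTTLS')) { throw "$HostName does not advertise STARTTLS" }

        $writer.WriteLine('STARTTLS')
        $ready = & $readReply
        if ($ready[-1] -notmatch '^220') { throw "STARTTLS refused: $($ready -join ' ')" }

        # Upgrade the socket. Without a custom validation callback, AuthenticateAsClient
        # throws if the chain is untrusted or the name does not match $HostName.
        $tls = New-Object System.Net.Security.SslStream($stream, $false)
        $tls.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)

        [pscustomobject]@{
            Host       = $HostName
            Protocol   = $tls.SslProtocol
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Trusted    = $tls.IsAuthenticated
        }
    }
    finally {
        if ($tls) { $tls.Dispose() }
        $client.Close()
    }
}

# Usage from the Exchange Management Shell (gateway name is an assumption):
#   $gw = Test-SmtpStartTls -HostName 'smtp.aventislab.com'
#   $exchangeThumbs = (Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' -and -not $_.IsSelfSigned }).Thumbprint
#   $gw.Thumbprint -in $exchangeThumbs     # $true when the gateway presents the same public certificate
```

Run it once against the gateway FQDN and once against each Exchange server's own SMTP listener; the Thumbprint of both should match the public certificate from Get-ExchangeCertificate, and Protocol should be Tls12, since Exchange Online no longer negotiates TLS 1.0 or 1.1.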

C. Microsoft Office 365 Hybrid Migration Wizard

  1. Log in to the Exchange 2016 ECP with Internet Explorer (IE) on the Exchange 2016 server and select Hybrid

  2. Log in to Office 365 as a Global Administrator

  3. Add the ECP and Office 365 sites as Trusted Sites in IE

  4. Install the Hybrid Migration Wizard

* We did find it hard to install the Hybrid Migration Wizard at some of our clients' sites by following the steps above, and had to download the
Microsoft Office 365 Hybrid Migration Wizard and install it manually

  1. Click Next

  2. It will detect the configuration of Exchange 2016 & Office 365

  3. Ensure that valid credentials are detected for AD & Office 365

  4. Click Next once Gathering Configuration Information has completed successfully

  5. You will get the error message below if Exchange 2016 is NOT installed with CU10 or above.

  6. Select Full Hybrid Configuration – I have never tried the Minimal Hybrid Configuration and will set up another lab to test this feature

  7. Enter credentials for the on-premises AD

  8. Enable Federation Trust and click Next

  9. Check only the primary FQDN if you are using an SSL wildcard certificate for your primary FQDN on the Exchange 2016 server.

  10. Copy the TXT record for the primary FQDN and add it to the public DNS. Click Verify domain ownership once the TXT record has been published in the public DNS

  11. Select Configure my Client Access and Mailbox servers for secure mail transport (typical) and click Next to continue

  12. It will detect the Receive Connector automatically

  13. It will detect the Send Connector automatically

  14. Select the publicly trusted SSL certificate

  15. Enter the FQDN of the F-Secure SMTP Gateway, which has TLS enabled with the same public SSL certificate used by the Exchange 2016 SMTP service. Exchange Online connects to this FQDN and validates the certificate it receives against that name, so the FQDN must be covered by the certificate's subject or SAN entries (a wildcard covers only a single label) and the host must be reachable from the internet on port 25.

Alternative Solution
  1. You can configure the firewall to NAT port 25 (SMTP) to the Exchange 2016 server on a different fixed public IP, associate a new FQDN with that IP in the public DNS, and enter that FQDN in the wizard instead of the gateway's

  2. Limit SMTP connections to that IP to the Exchange Online IP address ranges only. Microsoft publishes the Office 365 IP address ranges and updates them regularly, so the firewall rule has to be kept in sync with that list; with the Exchange server exposed directly, this source restriction is what keeps the rest of the internet off its port 25
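Keeping that allow list current is easier to script than to do by hand. The PowerShell below is an added example, not code from the original post: it pulls the Exchange Online entries that carry TCP port 25 from Microsoft's Office 365 IP address web service and diffs them against the ranges already on the firewall. The embedded JSON is a constructed sample in the service's shape using RFC 5737/RFC 3849 documentation ranges, not Microsoft's real ranges; the -Live switch queries the real service instead, and the "current firewall" list is also constructed.

```powershell
# Added example (not from the original post): derive the Exchange Online source
# ranges for the port-25 firewall rule and show what changed since the last run.
function Get-ExoSmtpSourceRanges {
    param(
        [switch]$Live,          # query the real Office 365 IP address web service
        [string]$SampleJson,    # or parse a JSON document in the same shape
        [switch]$IPv4Only       # set if the NAT rule is IPv4-only
    )
    if ($Live) {
        # Real Microsoft endpoint; clientrequestid must be a fresh GUID per request.
        $uri = "https://endpoints.office.com/endpoints/worldwide?clientrequestid=$([guid]::NewGuid())"
        $entries = Invoke-RestMethod -Uri $uri
    } elseif ($SampleJson) {
        $entries = $SampleJson | ConvertFrom-Json
    } else {
        throw 'Supply -Live or -SampleJson'
    }
    # Only Exchange Online entries that include TCP 25 deliver inbound SMTP to on-premises.
    $ranges = $entries |
        Where-Object { $_.serviceArea -eq 'Exchange' -and $_.ips -and
                       $_.tcpPorts -and (($_.tcpPorts -split ',') -contains '25') } |
        ForEach-Object { $_.ips }
    if ($IPv4Only) { $ranges = $ranges | Where-Object { $_ -notmatch ':' } }
    $ranges | Sort-Object -Unique
}

# Compare the freshly published list with the allow list already on the firewall.
function Compare-SmtpAllowList {
    param([string[]]$Published, [string[]]$OnFirewall)
    [pscustomobject]@{
        ToAdd    = @($Published  | Where-Object { $_ -notin $OnFirewall })
        ToRemove = @($OnFirewall | Where-Object { $_ -notin $Published })
    }
}

# Constructed sample in the web service's JSON shape (documentation ranges, not real ones).
$sample = @'
[
  {"id":10,"serviceArea":"Exchange","serviceAreaDisplayName":"Exchange Online",
   "urls":["*.mail.protection.outlook.com"],
   "ips":["203.0.113.0/24","2001:db8:10::/48"],"tcpPorts":"25","category":"Allow","required":true},
  {"id":1,"serviceArea":"Exchange","serviceAreaDisplayName":"Exchange Online",
   "urls":["outlook.office.com"],"ips":["198.51.100.0/24"],"tcpPorts":"80,443",
   "category":"Optimize","required":true},
  {"id":56,"serviceArea":"Common","serviceAreaDisplayName":"Microsoft 365 Common and Office Online",
   "urls":["*.office.com"],"tcpPorts":"80,443","category":"Default","required":true}
]
'@

$published  = Get-ExoSmtpSourceRanges -SampleJson $sample
$onFirewall = @('203.0.113.0/24', '192.0.2.0/24')   # constructed: what the rule allows today
Compare-SmtpAllowList -Published $published -OnFirewall $onFirewall
```

Only the port-25 entry contributes ranges; the 80/443 entries are excluded even though they belong to Exchange Online. Run the -Live form on a schedule and alert on a non-empty ToAdd or ToRemove, otherwise a range Microsoft adds later silently loses mail until someone notices the 4xx deferrals.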

  16. Click Update

  17. The Office 365 Migration Wizard will configure Exchange 2016 & Office 365 for hybrid co-existence. Also review any warnings / errors it reports and correct them

D. Mail Flow between O365 & Exchange 2016

  1. Verify the Send connector provisioned by the Hybrid Wizard in Exchange 2016
Get-SendConnector -Identity "Outbound to Office 365" | Select Identity, AddressSpaces, HomeMTA, RequireTLS 

Identity               AddressSpaces                             HomeMTA       RequireTLS
--------               -------------                             -------       ----------
Outbound to Office 365 {;1} Microsoft MTA       True
  2. Verify the connectors provisioned by the Hybrid Wizard in Office 365
#Inbound Connector

Name                                              SenderDomains SenderIPAddresses Enabled
----                                              ------------- ----------------- -------
Inbound from ff477ab0-bf72-4d13-af38-418b00560630 {smtp:*;1}    {}                True   

#Outbound Connector

Name                                             RecipientDomains SmartHosts            Enabled
----                                             ---------------- ----------            -------
Outbound to ff477ab0-bf72-4d13-af38-418b00560630 {} {} True   
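Name and Enabled do not say whether the TLS side of those connectors is right. The PowerShell below is an added example, not the post's or Microsoft's code: Test-OnPremHybridConnectors runs in the Exchange Management Shell and Test-ExoHybridConnectors in an Exchange Online PowerShell session, and each emits one pass/fail row per setting the wizard is expected to have set. Connector names follow the page; the FQDN passed to the cloud-side check is the one entered in the wizard and is an assumption here.

```powershell
# Added example (not from the original post): audit the TLS-related settings on the
# hybrid connectors on both sides. Expected values are what the Hybrid wizard sets.
function New-Check {
    param($Connector, $Setting, $Expected, $Actual, [bool]$Pass)
    [pscustomobject]@{ Connector = $Connector; Setting = $Setting; Expected = $Expected; Actual = $Actual; Pass = $Pass }
}

# Run in the Exchange Management Shell on Exchange 2016.
function Test-OnPremHybridConnectors {
    param([string]$SendConnectorName = 'Outbound to Office 365')
    $sc = Get-SendConnector -Identity $SendConnectorName
    # Mail to EXO must be TLS-only, with the EXO certificate name validated.
    New-Check $sc.Name 'RequireTLS'               $true                         $sc.RequireTLS               ($sc.RequireTLS -eq $true)
    New-Check $sc.Name 'TlsAuthLevel'             'DomainValidation'            "$($sc.TlsAuthLevel)"        ("$($sc.TlsAuthLevel)" -eq 'DomainValidation')
    New-Check $sc.Name 'TlsDomain'                'mail.protection.outlook.com' "$($sc.TlsDomain)"           ("$($sc.TlsDomain)" -eq 'mail.protection.outlook.com')
    New-Check $sc.Name 'CloudServicesMailEnabled' $true                         $sc.CloudServicesMailEnabled ($sc.CloudServicesMailEnabled -eq $true)
    New-Check $sc.Name 'SmartHosts' '*.mail.protection.outlook.com' (($sc.SmartHosts | ForEach-Object { "$_" }) -join ',') `
        ([bool]($sc.SmartHosts | Where-Object { "$_" -like '*.mail.protection.outlook.com' }))

    # Every Frontend receive connector on port 25 should present the public certificate via
    # TlsCertificateName; otherwise the self-signed one is offered and EXO fails validation.
    Get-ReceiveConnector |
        Where-Object { $_.TransportRole -eq 'FrontendTransport' -and $_.Bindings.Port -contains 25 } |
        ForEach-Object {
            New-Check $_.Identity 'TlsCertificateName' '<set>' "$($_.TlsCertificateName)" ([bool]"$($_.TlsCertificateName)")
        }
}

# Run in an Exchange Online PowerShell session. $OnPremFqdn is the FQDN entered in the wizard.
function Test-ExoHybridConnectors {
    param([Parameter(Mandatory)][string]$OnPremFqdn)
    foreach ($c in Get-InboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' }) {
        New-Check $c.Name 'RequireTls'               $true $c.RequireTls               ($c.RequireTls -eq $true)
        New-Check $c.Name 'CloudServicesMailEnabled' $true $c.CloudServicesMailEnabled ($c.CloudServicesMailEnabled -eq $true)
        # Matching this certificate name is how EXO recognises the on-premises organisation.
        New-Check $c.Name 'TlsSenderCertificateName' '<set>' "$($c.TlsSenderCertificateName)" ([bool]"$($c.TlsSenderCertificateName)")
    }
    foreach ($c in Get-OutboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' }) {
        New-Check $c.Name 'TlsSettings' 'DomainValidation' "$($c.TlsSettings)" ("$($c.TlsSettings)" -eq 'DomainValidation')
        # TlsDomain may be the exact FQDN or a wildcard; either way it must cover the host EXO connects to.
        New-Check $c.Name 'TlsDomain'   "covers $OnPremFqdn" "$($c.TlsDomain)" ($OnPremFqdn -like "$($c.TlsDomain)")
        New-Check $c.Name 'SmartHosts'  $OnPremFqdn (($c.SmartHosts | ForEach-Object { "$_" }) -join ',') `
            ([bool]($c.SmartHosts | Where-Object { "$_" -eq $OnPremFqdn }))
        New-Check $c.Name 'UseMXRecord' $false $c.UseMXRecord ($c.UseMXRecord -eq $false)
    }
}

# Usage (FQDN is an assumption):
#   Test-OnPremHybridConnectors | Format-Table -AutoSize
#   Test-ExoHybridConnectors -OnPremFqdn 'smtp.aventislab.com' | Format-Table -AutoSize
```

Any row with Pass = False is worth fixing before moving a mailbox: a missing TlsCertificateName on the receive connector and a TlsDomain that does not cover the gateway FQDN are the two that most often surface later as deferred mail from Office 365 rather than as a wizard error.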
  3. Migrate one mailbox from Exchange 2016, or create a new remote mailbox in O365, to test mail flow
# Create a remote mailbox: the user object is created in on-premises AD here, and the
# mailbox itself is provisioned in Exchange Online once the user is synced and licensed
$OU = "aventislab.local/UAT"
# Lab password only; in production prompt with Read-Host -AsSecureString instead of a literal
$Password = 'P@ssw0rd!@#$' | ConvertTo-SecureString -AsPlainText -Force

New-RemoteMailbox -Name "MyO1" -LastName "TEST" -Password $Password -UserPrincipalName [email protected] -OnPremisesOrganizationalUnit $OU

# Start a delta sync on the AAD Connect server so the new user reaches Azure AD
Invoke-Command -ComputerName AVTLAB-ADC -ScriptBlock {Start-ADSyncSyncCycle -PolicyType Delta}

# Log in to the O365 portal and assign a license to MyO1; the cloud mailbox is created once the license is applied
  4. Message header for an email from Exchange 2016 to O365

The Received: headers show the route Exchange 2016 – F-Secure SMTP Gateway – O365


  5. Message header for an email from O365 to Exchange 2016

The Received: headers show the route O365 – F-Secure – Exchange 2016
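Reading those headers by eye gets tedious for every test message. The PowerShell below is an added example, not code from the original post: it unfolds a raw header block, reverses the Received: lines into delivery order, extracts the from/by hosts of each hop, and records whether that hop was TLS-protected (Exchange Online writes "version=TLS1_2"; other MTAs write "ESMTPS" or "TLSv1.2"). The header block it runs on is constructed for the example; the server names, the Exchange Online front-end name and the documentation IPs are all assumptions.

```powershell
# Added example (not from the original post): reconstruct the hop path of a test
# message from its Received: headers and flag SMTP hops that were not encrypted.
function Get-ReceivedHops {
    param([Parameter(Mandatory)][string]$HeaderText)

    # Unfold RFC 5322 folded headers: a line starting with whitespace continues the previous one.
    $unfolded = $HeaderText -replace "`r?`n[ \t]+", ' '
    $received = @($unfolded -split "`r?`n" | Where-Object { $_ -match '^Received:' })
    # Each hop prepends its own Received: line, so reverse to get delivery order.
    [array]::Reverse($received)

    $hop = 0
    foreach ($line in $received) {
        $hop++
        $from = if ($line -match '^Received:\s+from\s+(\S+)') { $Matches[1] } else { '?' }
        $by   = if ($line -match '\sby\s+(\S+)')               { $Matches[1] } else { '?' }
        $tls  = if     ($line -match 'version=(TLS[0-9_]+)') { $Matches[1] }
                elseif ($line -match '\b(TLSv1(\.\d)?)\b')   { $Matches[1] }
                elseif ($line -match '\bESMTPSA?\b')         { 'ESMTPS' }
                else                                        { $null }
        # Internal Exchange hops (e.g. "with mapi") are not SMTP and are reported as such.
        $isSmtp = $line -match '\bwith\s+(E?SMTPS?A?|Microsoft SMTP Server)\b'
        [pscustomobject]@{
            Hop       = $hop
            From      = $from
            By        = $by
            Transport = if ($isSmtp) { 'SMTP' } else { 'internal' }
            Tls       = $tls
            Encrypted = [bool]$tls
        }
    }
}

# SMTP hops that carried the message in clear text.
function Get-PlaintextSmtpHops {
    param([Parameter(Mandatory)][string]$HeaderText)
    Get-ReceivedHops -HeaderText $HeaderText | Where-Object { $_.Transport -eq 'SMTP' -and -not $_.Encrypted }
}

# Constructed sample header block for a message sent Exchange 2016 -> gateway -> Exchange Online
# (an internal MAPI submission hop, then two SMTP hops). Names and IPs are assumptions.
$sample = @'
Received: from GATEWAY01.aventislab.com (203.0.113.10) by
 exo-frontend.mail.protection.outlook.com (198.51.100.5) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1.1
 via Frontend Transport; Tue, 2 Oct 2018 08:17:54 +0000
Received: from AVTLAB-EX16.aventislab.local (10.10.10.5)
 by GATEWAY01.aventislab.com with ESMTPS (TLSv1.2);
 Tue, 2 Oct 2018 08:17:50 +0000
Received: from AVTLAB-EX16.aventislab.local ([10.10.10.5])
 by AVTLAB-EX16.aventislab.local ([10.10.10.5]) with mapi id 15.01.1591.008;
 Tue, 2 Oct 2018 08:17:49 +0000
Subject: Hybrid mail flow test
'@

Get-ReceivedHops -HeaderText $sample | Format-Table Hop, From, By, Transport, Tls, Encrypted -AutoSize
$clear = Get-PlaintextSmtpHops -HeaderText $sample
if ($clear) { Write-Warning "Unencrypted SMTP hop(s) from: $($clear.From -join ', ')" } else { 'All SMTP hops were TLS-protected' }
```

Paste the real header from the test message (Outlook: File, Properties, Internet headers) into $sample in place of the constructed block. For the O365 to Exchange 2016 direction the same function applies; the on-premises receive connector's Received: line should then show "version=TLS1_2" with the gateway as the from host, and any SMTP hop without a TLS marker means the gateway or a connector fell back to clear text.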

