Steps to prepare Exchange 2016 for Office 365 Hybrid Migration
A. Update Exchange 2016 CU11
- Download and install .NET 4.7.1
- Download and install Exchange 2016 CU11
It took 3 hours to install Exchange 2016 CU11 for one of our clients, whose Exchange 2016 server has only 12GB RAM installed for 300 users.
- Restart Exchange 2016 Server and ensure that it is running fine
- Run Microsoft Remote Connectivity Analyzer for Outlook Autodiscover & Connectivity test and ensure that it is working successfully
- Ensure that the public wildcard SSL certificate is bound to the IIS & SMTP services
Get-ExchangeCertificate | ? Subject -like "*aventislab.com*" | fl
AccessRules : {System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule,
System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {*.aventislab.com}
HasPrivateKey : True
IsSelfSigned : False
Issuer : CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
NotAfter : 12/31/2018 8:17:54 PM
NotBefore : 10/2/2018 8:17:54 PM
PublicKeySize : 2048
RootCAType : ThirdParty
SerialNumber : 043CE5EC537C6CE6C041DB5EB704338F0D4D
Services : IIS, SMTP
Status : Valid
Subject : CN=*.aventislab.com
Thumbprint : 043366D30FD9679B7DE82183C709E9C8C559C1C4
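The same certificate check, written as an added PowerShell readiness script (not part of the original post): it confirms the certificate is public-CA issued, bound to both IIS and SMTP, and not close to expiry, since the Hybrid Configuration Wizard pins this certificate on the connectors. It assumes an Exchange Management Shell and the subject filter used above; the 30-day renewal threshold is an assumption.

```powershell
# Added example, not from the original post: certificate readiness check
# before running the Hybrid Configuration Wizard.
param(
    [string]$DomainPattern = '*aventislab.com*',   # subject filter used in the post
    [int]$MinDaysValid     = 30                    # assumption: warn when renewal is due
)

# Both services must be bound so that OWA/EWS (IIS) and mail flow (SMTP) present it
$required = @('IIS', 'SMTP')

$certs = Get-ExchangeCertificate | Where-Object { $_.Subject -like $DomainPattern }
if (-not $certs) {
    Write-Warning "No certificate matching $DomainPattern found on $env:COMPUTERNAME"
    return
}

foreach ($cert in $certs) {
    $problems = @()
    # Services is a flags enum; its string form is "IIS, SMTP", so split it
    $services = "$($cert.Services)" -split ',\s*'
    foreach ($svc in $required) {
        if ($services -notcontains $svc) { $problems += "not bound to $svc" }
    }
    if ($cert.IsSelfSigned)       { $problems += 'self-signed; Exchange Online will not trust it' }
    if (-not $cert.HasPrivateKey) { $problems += 'no private key' }
    if ("$($cert.Status)" -ne 'Valid') { $problems += "status is $($cert.Status)" }
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt $MinDaysValid) { $problems += "expires in $daysLeft days" }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Services   = $cert.Services
        DaysLeft   = $daysLeft
        Ready      = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}
```

The NotAfter value above shows a 90-day Let's Encrypt certificate; after each renewal the thumbprint changes, so the connectors created by the wizard must be updated (or the wizard rerun) or TLS mail flow with Office 365 will break.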
B. Enable TLS in SMTP Gateway with the same SSL Certificate installed in Exchange 2016 Server
TLS is used for Mail Flow between Exchange Online and Exchange 2016 SMTP Connector or SMTP Gateway, and we have to enable TLS on F-Secure SMTP Gateway
Upload the SSL Wildcard Certificate to F-Secure
Assign SSL Certificate to SMTP Service
Turn on TLS
C. Microsoft Office 365 Hybrid Migration Wizard
- Log in to the Exchange 2016 ECP with Internet Explorer (IE) on the Exchange 2016 Server and select Hybrid
- Log in to Office 365 with a Global Administrator account
- Add https://outlook.office365.com to Trusted Sites in IE
- Install the Hybrid Migration Wizard
Notes
* We did encounter difficulty installing the Hybrid Migration Wizard at some of our clients' sites by following the steps above, and had to download the Microsoft Office 365 Hybrid Migration Wizard and install it manually
- Click Next
- It will detect the configuration of Exchange 2016 & Office 365
- Ensure that valid credentials are detected for AD & Office 365
- Click Next once the Gathering Configuration Information step has completed successfully
- You will get the error message below if Exchange 2016 is NOT installed with CU10 or above.
- Select Full Hybrid Configuration – I have never tried the Minimal Hybrid Configuration and will set up another lab to test this feature
- Enter credentials for the On-Premises AD
- Enable Federation Trust and click Next
- Check the primary FQDN only if you are using the SSL wildcard certificate for your primary FQDN on the Exchange 2016 Server.
- Copy the TXT record for the Primary FQDN (aventislab.com) and update the Public DNS. Click Verify domain ownership once the TXT record is updated in Public DNS
- Select Configure my Client Access and Mailbox servers for secure mail transport (typical) and click Next to continue
- It will detect the Receive Connector automatically
- It will detect the Send Connector automatically
- Select the public trusted SSL Certificate
- Enter the FQDN of our F-Secure SMTP Gateway, which has TLS enabled with the same public SSL certificate used by the Exchange 2016 SMTP service.
Alternative Solution
1. You can configure the firewall to NAT port 25 (SMTP) to the Exchange 2016 Server on a different fixed public IP and associate a new FQDN, like o365.aventislab.com, with it in Public DNS
- Limit SMTP connections on that NAT rule to the Office 365 IP ranges only. You can refer to the link below for the current IP ranges published by Microsoft
https://docs.microsoft.com/en-us/office365/SecurityCompliance/eop/exchange-online-protection-ip-addresses
- Click Update
-
The Office 365 Hybrid Migration Wizard will configure Exchange 2016 & Office 365 for Hybrid Co-Existence. Also review any warnings or errors it reports and correct them
D. Mail Flow between O365 & Exchange 2016
- Verify the Connector provisioned by Hybrid Wizard in Exchange 2016
Get-SendConnector -Identity "Outbound to Office 365" | Select Identity, AddressSpaces, HomeMTA, RequireTLS
Identity AddressSpaces HomeMTA RequireTLS
-------- ------------- ------- ----------
Outbound to Office 365 {smtp:M365x333981.mail.onmicrosoft.com;1} Microsoft MTA True
- Verify the connectors provisioned by the Hybrid Wizard in Office 365
#Inbound Connector
Get-InboundConnector
Name SenderDomains SenderIPAddresses Enabled
---- ------------- ----------------- -------
Inbound from ff477ab0-bf72-4d13-af38-418b00560630 {smtp:*;1} {} True
#Outbound Connector
Get-OutboundConnector
Name RecipientDomains SmartHosts Enabled
---- ---------------- ---------- -------
Outbound to ff477ab0-bf72-4d13-af38-418b00560630 {Aventislab.com} {mail.aventislab.com} True
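An added verification script (not part of the original post) that checks both sides of the hybrid mail flow rather than just listing the connectors: TLS must be enforced on the on-premises send connector, and the Office 365 outbound connector must point at the TLS-enabled gateway shown above. It assumes an Exchange Management Shell for the on-premises cmdlets and an already-connected Exchange Online PowerShell session for the cloud cmdlets; the connector names and gateway FQDN are the ones listed in this post.

```powershell
# Added example, not from the original post: post-wizard mail-flow checks.
# Assumes an on-prem Exchange shell plus a connected Exchange Online session.
$GatewayFqdn = 'mail.aventislab.com'   # smart host shown in the post's outbound connector

# --- On-premises: mail to Office 365 must never fall back to clear text ---
$send = Get-SendConnector -Identity 'Outbound to Office 365' -ErrorAction Stop
if (-not $send.RequireTLS) {
    Write-Warning "$($send.Identity): RequireTLS is False; mail to O365 could be sent unencrypted"
}
# Informational: the wizard pins the certificate presented on this connector,
# so a renewed certificate (new thumbprint) shows up here as a mismatch.
$send | Select-Object Identity, RequireTLS, TlsAuthLevel, TlsDomain, TlsCertificateName

# --- Office 365: inbound from on-prem, outbound to the on-prem gateway ---
$inbound  = Get-InboundConnector  | Where-Object { $_.Name -like 'Inbound from *' }
$outbound = Get-OutboundConnector | Where-Object { $_.Name -like 'Outbound to *' }

foreach ($c in $inbound) {
    if (-not $c.Enabled)    { Write-Warning "$($c.Name) is disabled" }
    if (-not $c.RequireTls) { Write-Warning "$($c.Name): RequireTls is False" }
    # On-prem is identified by the certificate it presents, not by source IP
    $c | Select-Object Name, Enabled, RequireTls, TlsSenderCertificateName, SenderIPAddresses
}

foreach ($c in $outbound) {
    # SmartHosts is a multi-valued property of SmartHost objects; compare as strings
    $hosts = @($c.SmartHosts | ForEach-Object { "$_" })
    if ($hosts -notcontains $GatewayFqdn) {
        Write-Warning "$($c.Name): smart host is '$($hosts -join ',')', expected $GatewayFqdn"
    }
    $c | Select-Object Name, Enabled, SmartHosts, TlsSettings, TlsDomain
}
```

If the gateway FQDN on the outbound connector does not match the host that actually presents the wildcard certificate, Office 365 will refuse to deliver to it and mail from the cloud to on-premises mailboxes queues.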
- Migrate 1 of the mailbox from Exchange 2016 or create a New Remote Mailbox in O365 to test the Mail Flow
#Remote Mailbox in O365
$OU = "aventislab.local/UAT"
# Single quotes keep the $ in the sample password from being expanded
$Password = 'P@ssw0rd!@#$' | ConvertTo-SecureString -AsPlainText -Force
New-RemoteMailbox -Name "MyO1" -LastName "TEST" -Password $Password -UserPrincipalName [email protected] -OnPremisesOrganizationalUnit $OU
#Start the Delta Sync on the AAD Connect Server
Invoke-Command -ComputerName AVTLAB-ADC -ScriptBlock {Start-ADSyncSyncCycle -PolicyType Delta}
#Log in to the O365 Portal to assign a license to MyO1
- Message Header for Email from Exchange 2016 to O365
Exchange 2016 – F-Secure SMTP Gateway – O365
- Message Header for Email from O365 to Exchange 2016
O365 – F-Secure – Exchange 2016