Prepare Exchange 2016 for Office 365 Hybrid Migration

Steps to prepare Exchange 2016 for Office 365 Hybrid Migration

A. Update Exchange 2016 CU11

  1. Download and install .NET 4.7.1
  2. Dwonload and install Exchange 2016 CU11

It take 3 hours to install the Exchange 2016 CU11 for one of our client as Exchange 2016 which is only have 12GB RAM installed for 300 users.

  1. Restart Exchange 2016 Server and ensure that it is running fine
  2. Run Microsoft Remote Connectivity Analyzer for Outlook Autodiscover & Connectivity test and ensure that it is working successfully

HybridMigration-EX16-01

  1. Ensure that the public wildcard SSL certificate is bind to IIS & SMTP Services
Get-ExchangeCertificate | ? Subject -like "*aventislab.com*" | fl


AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule,
                     System.Security.AccessControl.CryptoKeyAccessRule}
CertificateDomains : {*.aventislab.com}
HasPrivateKey      : True
IsSelfSigned       : False
Issuer             : CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
NotAfter           : 12/31/2018 8:17:54 PM
NotBefore          : 10/2/2018 8:17:54 PM
PublicKeySize      : 2048
RootCAType         : ThirdParty
SerialNumber       : 043CE5EC537C6CE6C041DB5EB704338F0D4D
Services           : IIS, SMTP
Status             : Valid
Subject            : CN=*.aventislab.com
Thumbprint         : 043366D30FD9679B7DE82183C709E9C8C559C1C4

B. Enable TLS in SMTP Gateway with the same SSL Certificate installed in Exchange 2016 Server

TLS is used for Mail Flow between Exchange Online and Exchange 2016 SMTP Connector or SMTP Gateway, and we have to enable TLS on F-Secure SMTP Gateway

Upload the SSL Wildcard Certificate to F-Secure
HybridMigration-EX16-02

Assign SSL Certificate to SMTP Service
HybridMigration-EX16-03

Turn on TLS
HybridMigration-EX16-04

C. Microsoft Office 365 Hybrid Migration Wizard

  1. Login to Exchange 2016 ECP with Internet Explorer (IE) on the Exchange 2016 Server and Select Hybrid
    HybridMigration-EX16-05

  2. Login to Office 365 with Global Administrator
    HybridMigration-EX16-06

  3. Add https://outlook.office365.com as Trusted Sites in IE
    HybridMigration-EX16-07

  4. Install the Hybrid Migration Wizard
    HybridMigration-EX16-08

Notes
* We do encounter it is hard to install the Hybrid Migration Wizard on some of our client side by following the steps above, and we have to download the
Microsoft Office 365 Hybrid Migration Wizard and install it manually

  1. Click Next
    HybridMigration-EX16-09

  2. It will detect the confiugration of Exchange 2016 & Office 365
    HybridMigration-EX16-10

  3. Ensure that valid credential is detected for AD & Office 365
    HybridMigration-EX16-11

  4. Click next once the Gatering Configuration Information is completed successfully
    HybridMigration-EX16-12

  5. You will get the error message below if Exchange 2016 is NOT installed with CU10 or above.
    HybridMigration-EX16-13

  6. Select Full Hybrid Configuration – I had never try the Minimal Hybrid Configuration and will setup another lab to test on this feature
    HybridMigration-EX16-14

  7. Enter credential for On Premises AD
    HybridMigration-EX16-15

  8. Enable Federation Trust and click next
    HybridMigration-EX16-16

  9. Check on the primary FQDN Only if you are using SSL wildcard certificate for your primary FQDN in Exchange 2016 Server.
    HybridMigration-EX16-17

  10. Copy the TXT record for Primary FQDN (aventislab.com) and update the Public DNS. Click on verify domain ownership once the TXT is updated in Public DNS
    HybridMigration-EX16-18

  11. Select Confiure my Client Access and Mailbox Server for secure mail transport (typical) and click next to continue
    HybridMigration-EX16-19

  12. It will detect the Receive Connector automatically
    HybridMigration-EX16-20

  13. It will detect the Send Connector automatically
    HybridMigration-EX16-21

  14. Select the Public trusted SSL Certificate
    HybridMigration-EX16-22

  15. Enter the FQDN of our F-Secure SMTP Gateway which had enabled TLS with the Same Public SSL Certificate used by Exchange 2016 SMTP Service.
    HybridMigration-EX16-23

Alternative Solution
1. You can configure Firewall to Perform NAT to Exchange 2016 Server for Port 25 (SMTP) with a different fixed public IP and associate a new FQDN, like o365.aventislab.com in Public DNS

  1. Limit the SMTP Connection from IP Address from O365 only. You can refer to the link below for the updated IP Range from Microsoft

https://docs.microsoft.com/en-us/office365/SecurityCompliance/eop/exchange-online-protection-ip-addresses

  1. Click Update
    HybridMigration-EX16-24

  2. Office 365 Migration Wizard will configure Exchange 2016 & Office 365 ready for Hybrid Co-Existance. Please also review the warning / error and correct it (if any)
    HybridMigration-EX16-25

D. Mail Flow between O365 & Exchange 2016

  1. Verify the Connector provisioned by Hybrid Wizard in Exchange 2016
Get-SendConnector -Identity "Outbound to Office 365" | Select Identity, AddressSpaces, HomeMTA, RequireTLS 

Identity               AddressSpaces                             HomeMTA       RequireTLS
--------               -------------                             -------       ----------
Outbound to Office 365 {smtp:M365x333981.mail.onmicrosoft.com;1} Microsoft MTA       True
  1. Verify the connector provisioned by Hybrid Wizrd in Office 365
#Inbound Connector
Get-InboundConnector

Name                                              SenderDomains SenderIPAddresses Enabled
----                                              ------------- ----------------- -------
Inbound from ff477ab0-bf72-4d13-af38-418b00560630 {smtp:*;1}    {}                True   

#Outbound Connector
Get-outboundConnector

Name                                             RecipientDomains SmartHosts            Enabled
----                                             ---------------- ----------            -------
Outbound to ff477ab0-bf72-4d13-af38-418b00560630 {Aventislab.com} {mail.aventislab.com} True   
  1. Migrate 1 of the mailbox from Exchange 2016 or create a New Remote Mailbox in O365 to test the Mail Flow
#Remote Mailbox in O365
$OU = "aventislab.local/UAT"
$Password = "P@ssw0rd!@#$" | ConvertTo-SecureString -AsPlainText -Force

New-RemoteMailbox -Name "MyO1" -LastName "TEST" -Password $Password -UserPrincipalName my01@aventislab.com -OnPremisesOrganizationalUnit $OU 

#Start the Delta Sync in AAD Connect Server
Invoke-Command –ComputerName AVTLAB-ADC –ScriptBlock {Start-ADSyncSyncCycle -PolicyType Delta}

#Login to O365 Portal to assign License to myO1
  1. Message Header for Email from Exchange 2016 to O365

Exchange 2016 – F-Secure SMTP Gateway – O365

HybridMigration-EX16-26

  1. Message Header for Email from O365 to Exchange 2016

O365 – F-Secure – Exchange 2016

HybridMigration-EX16-27

Leave a Comment