Post on 24-Aug-2020
Exchange 2016 and Office365 Hybrid Setup
This guide focuses substantially on how to set up Hybrid between an on-premises Exchange organization and Office365.
It is a get-the-job-done guide to help you successfully set up Hybrid between Exchange 2016 and Office365.
Public IP
You need one public IP. It is recommended that you ask your Internet service provider (ISP) to add a reverse DNS record for your public IP, for email security and IP reputation.
Some email providers such as Google, Yahoo and Microsoft tend to deliver your emails into the "Spam" folder instead if your email server does not have a reverse DNS record.
Reverse DNS Record
1.1.1.1 (your public IP; a sample) -> Mail.myanmarcloud.net
Certificate Consideration
You need a publicly signed SSL certificate as follows, assuming that you have only one domain name. If you have more than one domain, add another set of records like the primary's, as in the second example below.
If you have more than a few domains, there are guides on how to save on certificates; just Google it.
Common Name/Subject Name: Mail.myanmarcloud.net
Subject Alternative Names: Mail.myanmarcloud.net, Autodiscover.myanmarcloud.net, Myanmarcloud.net
Common Name/Subject Name: Mail.example.com
Subject Alternative Names: Mail.example.com, Autodiscover.example.com, Example.com
Replace my domain, Myanmarcloud.net and example.com with yours.
DNS records in your public DNS servers (record -> points to):
A Record
Mail.myanmarcloud.net -> 1.1.1.1 (your public IP here)
Mail.example.com -> 1.1.1.1 (same public IP as above, since both domains are hosted on the same Exchange server)
CNAME
Autodiscover.myanmarcloud.net -> Mail.myanmarcloud.net
Autodiscover.example.com -> Mail.example.com
MX Record
Myanmarcloud.net -> Mail.myanmarcloud.net (Weight 0)
Example.com -> Mail.example.com (Weight 0)
DNS records in your internal DNS servers (record -> points to):
A Record
Mail.myanmarcloud.net -> 172.16.40.26 (your Exchange server's internal IP here)
Mail.example.com -> 172.16.40.26 (same internal IP as above, since both domains are hosted on the same Exchange server)
CNAME
Autodiscover.myanmarcloud.net -> Mail.myanmarcloud.net
Autodiscover.example.com -> Mail.example.com
MX Record
Myanmarcloud.net -> Mail.myanmarcloud.net (Weight 0)
Example.com -> Mail.example.com (Weight 0)
Your Exchange server may be joined to an internal, non-Internet-routable domain such as domain.local; in that case you need the following internal DNS records as well (record -> points to):
A Record
Exchange-hostname -> 172.16.40.26
Exchange-hostname.domain.local -> 172.16.40.26
Mail.domain.local -> 172.16.40.26
CNAME
Autodiscover.domain.local -> Exchange-hostname.domain.local
MX Record
Domain.local -> Exchange-hostname.domain.local (Weight 0)
Firewall requirement
Assume that you have assigned your on-premises Exchange server an internal IP and NATed it to a public IP behind a firewall.
Exchange server's internal IP: 172.16.40.26; its NAT public IP: 1.1.1.1
Source: 1.1.1.1 (Exchange server's public IP) | Destination: Internet | Protocol: TCP | Port: 25 | Direction: Bi-directional
Source: 1.1.1.1 (Exchange server's public IP) | Destination: Internet | Protocol: TCP | Port: 443 | Direction: Bi-directional
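The public DNS records, the reverse DNS record and the two firewall ports listed above can be checked in one go from a Windows host outside your network. This is an added example, not part of the original guide: it resolves each record through a public resolver so you see what the Internet sees, confirms the PTR for the public IP comes back as the mail host, and tests that only TCP 25 and 443 are reachable. The domain list, the public IP 1.1.1.1 and the resolver 8.8.8.8 are assumed sample values; replace them with yours.

```powershell
# Added example (not from the original guide): verify public DNS, reverse DNS and firewall
# ports for the hybrid mail host. Assumed values below are the guide's samples.
$Domains  = @("myanmarcloud.net", "example.com")
$PublicIp = "1.1.1.1"
$Resolver = "8.8.8.8"        # public resolver, so results reflect the Internet's view

$results = foreach ($d in $Domains) {
    $mailHost = "mail.$d"

    # A record for the mail host must point at the NATed public IP
    $a = Resolve-DnsName -Name $mailHost -Type A -Server $Resolver -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq "A" } | Select-Object -ExpandProperty IPAddress

    # Autodiscover is a CNAME to the mail host
    $cname = Resolve-DnsName -Name "autodiscover.$d" -Type CNAME -Server $Resolver -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq "CNAME" } | Select-Object -ExpandProperty NameHost

    # MX for the domain must name the mail host
    $mx = Resolve-DnsName -Name $d -Type MX -Server $Resolver -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq "MX" } | Select-Object -ExpandProperty NameExchange

    [pscustomobject]@{
        Domain   = $d
        A_OK     = ($a -contains $PublicIp)
        CNAME_OK = [bool]($cname -and $cname.TrimEnd('.') -ieq $mailHost)
        MX_OK    = [bool]($mx | Where-Object { $_.TrimEnd('.') -ieq $mailHost })
    }
}

# Reverse DNS: the PTR for the public IP should be the mail host name; without it large
# receivers are more likely to junk your mail, as the guide notes.
$ptr = Resolve-DnsName -Name $PublicIp -Type PTR -Server $Resolver -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq "PTR" } | Select-Object -ExpandProperty NameHost
$ptrOk = [bool]($ptr | Where-Object { $_.TrimEnd('.') -ieq "mail.$($Domains[0])" })

# Firewall: only TCP 25 (SMTP) and TCP 443 (HTTPS for Autodiscover/EWS/OWA) need to be
# reachable from the Internet; any other open port on the NAT is unnecessary exposure.
$ports = foreach ($p in 25, 443) {
    $t = Test-NetConnection -ComputerName $PublicIp -Port $p -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $p; Open = $t.TcpTestSucceeded }
}

$results | Format-Table -AutoSize
"PTR for $PublicIp -> $ptr (matches mail host: $ptrOk)"
$ports | Format-Table -AutoSize
```

Run it from a machine that is not behind the same NAT, otherwise the port test may hit the firewall's hairpin rules rather than the inbound rules you are validating.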
Azure Active Directory Connect
This component is a must-have for a successful Hybrid setup (alternatively you could set up ADFS SSO, which is not covered in this guide). You can download it from here. It syncs your AD users, groups and contacts to the Office365 cloud.
Lab Environment setup scenario (Hyper-V or VMWare)
If you just want to test Hybrid functionality, features, capabilities and user experience, get technical hands-on, and do not want to mess with your existing production Exchange and Active Directory environment, you can set up a separate AD and Exchange environment.
Set up your Active Directory Domain Controller (AD DC) server, for example for abc.com.
o IP: 10.10.10.2, subnet mask, for example, 255.255.0.0.
o Add a second network card, connect it to your production network switch and assign a production network IP, for example 172.16.40.102.
o Your AD DC server must be able to reach the Internet; test it by pinging google.com or web surfing, and ensure that your AD DC server is able to connect to the Internet.
Set up an Exchange server, 2013 or 2016, and join it to the abc.com domain.
o Add a network card and assign an internal IP (not a production network IP), for example 10.10.10.3. Point the Exchange server's DNS to 10.10.10.2 (your abc.com AD DC).
o Add a second network card, connect it to your production network switch, assign a production network IP, for example 172.16.40.26, with the same subnet mask, gateway and DNS servers as your production network, and NAT it to a public IP (1.1.1.1 in our example).
o Your Exchange server must be able to reach the Internet; test it by pinging google.com or web surfing, and ensure that your Exchange server is able to connect to the Internet.
Minimally, you need only two virtual machines: one for the Active Directory server and the other for the Exchange 2016 server. That's all.
Network configuration and settings
Server name: Acdc.abc.com
Running services: Active Directory Domain Services
NIC-1 (internal Hyper-V network): IP 10.10.10.2, net mask /16, gateway 10.10.10.1, DNS 10.10.10.2 and 127.0.0.1
NIC-2 (connected to the production network): IP 172.16.40.103, net mask /24, gateway 172.16.40.1, DNS 190.10.10.11/12
Server name: ex16.abc.com
Running services: Exchange server installed with the all-in-one server role
NIC-1 (connected to the Hyper-V network): IP 10.10.10.3, net mask /16, gateway 10.10.10.1, DNS 10.10.10.2
NIC-2 (connected to the production network): IP 172.16.40.26, net mask /24, gateway 172.16.40.1, DNS 190.10.10.11/12
Local, non-routable domain name: abc.com
NetBIOS name: ABC
UPN Login: ABC\username
Active Directory setup guide.
https://social.technet.microsoft.com/wiki/contents/articles/12370.windows-server-2012-set-up-
your-first-domain-controller-step-by-step.aspx
Setup Exchange 2016 by following this guide.
http://exchangeserverpro.com/installing-exchange-server-2016/
Assumed that you have freshly set up both the Active Directory server and the Exchange server, and joined them to the Active Directory domain, in our case abc.com.
Email domain (SMTP domain)
The routable Internet domain name that I use in this guide is myanmarcloud.net.
Add a new UPN suffix for the email domain (SMTP domain).
Adding my Internet-routable mail domain (SMTP domain):
Log in to your Exchange Control Panel (ECP), https://localhost/ecp
Mail flow > accepted domains > click the "+" sign.
Type your domain name, myanmarcloud.net, and click Save.
You should see your mail domain, myanmarcloud.net, added.
The "Default Frontend EX16" receive connector needs to be modified.
If we do not modify it and create a new Receive Connector, when someone sends an email to you the sender will receive the following error message:
550 5.7.54, Unable to relay recipient in non-accepted domain
Remove the default scoping for "Remote network settings", which accepts email from all email servers, and replace it with the local host IP, 127.0.0.1, as shown in the next screenshot.
The reason we do this is that we need to define a new Frontend Transport "Receive Connector" (not this Default Frontend Receive Connector) that accepts email from all email servers using its own "Remote network settings".
If we do not remove it and replace it with "127.0.0.1", there will be a Remote Network Settings duplication error.
550 5.7.54, Unable to relay recipient in non-accepted domain
After removing the default Remote Network Settings IPs, click the "+" sign to add 127.0.0.1 as below.
Mail Flow > Receive connectors > click the "+" sign to add a new "Frontend Transport Receive Connector", so that your on-premise Exchange can receive emails from the Internet.
Type a name for the connector, select "Frontend Transport" and "Custom", and click Next.
Click Next to proceed.
Click the "+" sign and add the following IP range (which accepts email from servers in all network ranges, such as the Internet). Click Finish.
Select the newly created "Relayme" connector and click the "Pencil" to edit it.
Click "Security" > select "Anonymous users" and click Save.
Launch the Exchange Management Shell and type the following command (one line):
Get-ReceiveConnector ex16\relayme | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
Replace ex16 with your on-premise Exchange server's hostname and relayme with the name of the newly created Frontend Transport Receive Connector.
Send Connector
Click "Send Connectors" and the "+" sign to create a new Send Connector, so that you can send email to the Internet.
Type a name for this send connector, choose Custom, and click Next.
Choose "MX record", and click Next.
Click the "+" sign, type "*" in FQDN and click Save. Then click Next.
Click the "+" sign, choose your Exchange server, click Add, OK and then Finish.
You should see a newly created Send Connector named "abcsend".
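The receive and send connector steps above, rewritten as Exchange Management Shell commands with an audit at the end. This is an added example, not part of the guide; EX16, Relayme and abcsend are the guide's sample names. Two points are worth knowing before running the guide's Add-ADPermission line: 550 5.7.54 is returned when the recipient's domain is not one of your accepted domains, so registering the accepted domain (done earlier in this guide) is what fixes inbound delivery to your own users; the ms-Exch-SMTP-Accept-Any-Recipient right instead lets a sender relay to domains you do not host, and granted to ANONYMOUS LOGON on a connector open to 0.0.0.0-255.255.255.255 that is an open relay. The audit function lists any connector in that state so you can narrow its RemoteIPRanges to the hosts that genuinely need to relay.

```powershell
# Added example (not from the original guide): connector configuration in Exchange
# Management Shell plus an open-relay audit. Assumed names: EX16, Relayme, abcsend.
$Server = "EX16"

# 1. Default Frontend: narrow "Remote network settings" to loopback, as the guide does in ECP.
Set-ReceiveConnector -Identity "$Server\Default Frontend $Server" -RemoteIPRanges "127.0.0.1"

# 2. New Frontend Transport connector that accepts anonymous SMTP from any address (the Internet).
New-ReceiveConnector -Name "Relayme" -Server $Server -TransportRole FrontendTransport -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges "0.0.0.0-255.255.255.255" -PermissionGroups AnonymousUsers

# 3. The guide's extra right. ms-Exch-SMTP-Accept-Any-Recipient allows relaying to domains you do
#    NOT host; on an Internet-facing anonymous connector this makes the server an open relay.
#    If you keep it, scope RemoteIPRanges to the specific hosts that need to relay through you.
Get-ReceiveConnector "$Server\Relayme" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# 4. Send connector routing everything (*) by MX lookup from this server.
New-SendConnector -Name "abcsend" -Usage Custom -AddressSpaces "SMTP:*;1" `
    -DNSRoutingEnabled $true -SourceTransportServers $Server

# 5. Audit: every receive connector where ANONYMOUS LOGON may relay to non-accepted domains,
#    with the address ranges allowed to use it. Review any row with InternetWide = True.
function Get-AnonymousRelayConnectors {
    Get-ReceiveConnector | ForEach-Object {
        $rc   = $_
        $perm = Get-ADPermission -Identity $rc.Identity -User "NT AUTHORITY\ANONYMOUS LOGON" -ErrorAction SilentlyContinue |
                Where-Object { $_.ExtendedRights -like "*ms-Exch-SMTP-Accept-Any-Recipient*" -and -not $_.Deny }
        if ($perm) {
            [pscustomobject]@{
                Connector      = $rc.Identity
                RemoteIPRanges = ($rc.RemoteIPRanges -join ", ")
                InternetWide   = [bool]($rc.RemoteIPRanges | Where-Object { "$_" -eq "0.0.0.0-255.255.255.255" })
            }
        }
    }
}

Get-AnonymousRelayConnectors | Format-Table -AutoSize
```

Re-run the audit after any connector change; an empty result means no anonymous sender can relay outward through this server.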
It has been observed that at this point, when someone sends email to your Exchange server, they receive a bounce with the following error message:
"Remote host said: 451 4.7.0 Temporary server error. Please try again later. PRX2"
To resolve this issue, add your Exchange server's hostname and its IP address to the hosts file under C:\Windows\System32\drivers\etc, as follows.
Remember, I have two NICs assigned to my Exchange server, so I added the entries as shown above.
Setting DNS servers for Exchange server.
Servers > Exchange server > Edit (pencil) > DNS lookups > External DNS lookups > All
network adapters.
Servers > Exchange server > Edit (pencil) > DNS lookups > Internal DNS lookups > Custom
Settings > your-internal-DNS server (not your production network’s DNS servers).
Follow this guide on setting External and Internal URLs, Outlook Anywhere in Exchange 2016.
Just replace with your own domain name.
http://www.mustbegeek.com/configure-external-and-internal-url-in-exchange-2016/
Follow this guide on how to configure Autodiscover setting in Exchange 2016
http://www.mustbegeek.com/configure-autodiscover-in-exchange-2016/
Email Address Policy
By default, when you create a mailbox user, it is associated with the Exchange server's default AD domain, in my case abc.com, which is the domain it is joined to. In your case it may be yourdomain.local.
Therefore, if I create a mailbox user, his email address would be username@abc.com. That is not what I want, because abc.com is not Internet-routable and my email domain is myanmarcloud.net (username@myanmarcloud.net).
I need to change my Default Policy to include myanmarcloud.net.
Click on the Default Policy, then click the "Pencil" to edit it.
Type your domain name, in my case myanmarcloud.net, choose alias@contoso.com and click Save.
It is important to understand that there could be multiple email domains in your environment, and you need to define email address policies to match them.
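The accepted-domain and address-policy changes above, as an added Exchange Management Shell example that is not part of the guide. The domain names are the guide's sample values, "Default Policy" is the name Exchange gives the built-in policy, and %m is the alias placeholder behind ECP's "alias@contoso.com" choice. The check at the end finds mailboxes whose primary address is still in the internal domain, which is typically because the policy is disabled on that mailbox.

```powershell
# Added example (not from the original guide): register the routable SMTP domain and make
# the default e-mail address policy hand out alias@myanmarcloud.net as the primary address.
# Assumed: myanmarcloud.net is the routable domain, abc.com the internal AD domain.
$SmtpDomain     = "myanmarcloud.net"
$InternalDomain = "abc.com"

# Accepted domain (ECP: Mail flow > accepted domains). Authoritative = mailboxes live here.
if (-not (Get-AcceptedDomain -Identity $SmtpDomain -ErrorAction SilentlyContinue)) {
    New-AcceptedDomain -Name $SmtpDomain -DomainName $SmtpDomain -DomainType Authoritative
}

# Default Policy: upper-case "SMTP:" marks the primary (reply) address; the internal domain
# is kept as a lower-case "smtp:" secondary so existing internal references keep resolving.
Set-EmailAddressPolicy -Identity "Default Policy" `
    -EnabledEmailAddressTemplates "SMTP:%m@$SmtpDomain", "smtp:%m@$InternalDomain"

# Apply the policy to existing recipients (ECP does this when you click Save).
Update-EmailAddressPolicy -Identity "Default Policy"

# Check: list user mailboxes whose primary address is not in the routable domain.
function Get-MailboxesWithWrongPrimaryDomain {
    param([string]$ExpectedDomain = $SmtpDomain)
    Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
        Where-Object { $_.PrimarySmtpAddress.Domain -ne $ExpectedDomain } |
        Select-Object Name, PrimarySmtpAddress, EmailAddressPolicyEnabled
}

Get-MailboxesWithWrongPrimaryDomain | Format-Table -AutoSize
```

A mailbox that shows EmailAddressPolicyEnabled = False is exempt from the policy; either re-enable it on the mailbox or set its primary address by hand.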
Certificate
FREE CERTIFICATE - The biggest takeaway from this guide is getting a FREE PUBLIC CERTIFICATE: go to https://www.startssl.com and get one.
Acquire a public SSL certificate from the public certificate service provider based on your requirements; below is my requirement.
Once you have the certificate from the certificate service provider, import it into the server/PC where you generated the CSR and then export it including the private key.
Generating a CSR from the Exchange server can be confusing for some.
I recommend generating the CSR for the Exchange certificate using a simple, quick and easy tool such as the DigiCert Utility for Windows: https://www.digicert.com/util/ .
Run the tool > Create CSR > SSL > type your domain URLs as follows > Generate.
Common Name/Subject Name: Mail.myanmarcloud.net
Subject Alternative Names: Mail.myanmarcloud.net, Autodiscover.myanmarcloud.net, Myanmarcloud.net
Copy the CSR and send it to your certificate service provider.
Assuming that you already have a public SSL certificate with its private key, copy it over to the Exchange server and import it as follows.
Point to your certificate location and type the password you used when exporting it.
Click "+", select the Exchange server > Add > OK and Finish.
You need to assign the certificate to the Exchange services: click the "Pencil" to edit it.
Select SMTP, IMAP, POP and IIS, and Save.
You will be asked if you want to apply this; just click Yes to confirm.
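The same CSR, import and service binding done in Exchange Management Shell, followed by a client-side check that the certificate actually presented on TCP 443 carries every required name and chains to a trusted root. This is an added example, not part of the guide. One caveat on the CA choice: StartCom (startssl.com) stopped issuing certificates in 2018 and its roots are no longer trusted by browsers, so use any current public CA; the procedure itself is unchanged. Assumed values: server EX16, the PFX exported to C:\certs\mail.pfx, and the host names from the guide.

```powershell
# Added example (not from the original guide): CSR, import, service binding and a TLS check.
# Assumed: server EX16, C:\certs\mail.pfx, the guide's host names.
$Server  = "EX16"
$Names   = "mail.myanmarcloud.net", "autodiscover.myanmarcloud.net", "myanmarcloud.net"
$PfxPath = "C:\certs\mail.pfx"
$PfxPass = Read-Host -AsSecureString -Prompt "PFX export password"

# 1. CSR with the mail host as CN and every name as a SAN; exportable key so the finished
#    certificate can later be moved to another server.
$csr = New-ExchangeCertificate -Server $Server -GenerateRequest -PrivateKeyExportable $true `
           -KeySize 2048 -SubjectName "CN=$($Names[0])" -DomainName $Names
Set-Content -Path "C:\certs\mail.req" -Value $csr -Encoding UTF8     # send this file to the CA

# 2. Import the PFX (certificate + private key) once the CA has issued it ...
$cert = Import-ExchangeCertificate -Server $Server -Password $PfxPass `
            -FileData ([byte[]](Get-Content -Path $PfxPath -Encoding Byte -ReadCount 0))

# 3. ... and bind it to the services the guide selects.
Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Services "SMTP,IMAP,POP,IIS" -Force

# 4. Client-side verification: open a TLS session to 443, read the certificate presented,
#    and report chain validity plus any required name missing from its SAN extension.
function Test-ExchangeTlsNames {
    param([string]$HostName, [string[]]$RequiredNames, [int]$Port = 443)
    # Accept any certificate at the transport layer so we can inspect it; validity is
    # reported separately through Verify() rather than by refusing the handshake.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $san  = $x509.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" } | Select-Object -First 1
        $sanText = if ($san) { $san.Format($false) } else { "" }
        [pscustomobject]@{
            Subject      = $x509.Subject
            NotAfter     = $x509.NotAfter
            ChainValid   = $x509.Verify()
            MissingNames = @($RequiredNames | Where-Object { $sanText -notmatch [regex]::Escape($_) })
        }
    } finally { $tcp.Close() }
}

Test-ExchangeTlsNames -HostName $Names[0] -RequiredNames $Names
```

Run the check from outside the network as well as inside: the internal DNS records route clients to the same server, so both paths must present the public certificate, and a non-empty MissingNames list means Outlook or Autodiscover will raise name-mismatch warnings.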
Email Delivery Testing
It is time to test email send/receive both internally and externally. Test the following scenarios (sender -> receiver):
user@myanmarcloud.net -> user@myanmarcloud.net
user@myanmarcloud.net -> user@gmail.com
user@gmail.com -> user@myanmarcloud.net
Once you are able to send and receive successfully in all scenarios, it is time to install Azure Active Directory Connect.
Azure Active Directory Connect. (AAD Connect)
Download it from https://www.microsoft.com/en-us/download/details.aspx?id=47594
Copy it to your Active Directory server and run it by following this guide. It is quick and easy.
http://mstechtalk.com/step-by-step-azure-ad-sync-installation-guide-part-2/
After 15-30 minutes, you should see all your on-premise AD users synced with Office365.
Exchange 2016 and Office365 Hybrid
The final part of this guide is to set up Hybrid between Exchange 2016 and Office365. Since we have set up all the fundamental requirements above, it is time to set up Hybrid.
Log in to your Exchange server, https://localhost/ecp > Hybrid > Modify
You will be redirected to log in to the Office365 portal; log in using your Office365 credentials, download the Hybrid Configuration Wizard (HCW) from the given link and follow the HCW.
Click "Enable" in the Federation Trust window.
Copy the given TXT record and add it at your public DNS server; it can take 30 minutes to 1 hour, or less, to propagate.
Once it resolves, check "I have created a TXT record for each token in DNS" and click "Verify domain ownership".
Select as highlighted in red and click Next.
Choose the correct certificate from the drop-down list and click Next.
Type the complete FQDN of your Exchange server that is routable from the Internet, in my case mail.myanmarcloud.net.
Click Next to proceed.
The HCW will start configuring all necessary components, services and mail routing.
Once everything goes fine, you will be congratulated with a big green check mark as follows.
Email Migration from on-premise Exchange to Office365. (On-boarding)
Steps to migrate on-premise mailbox(es) to Office365
1. Create an AD user, for example on@myanmarcloud.net
2. Log in to the Exchange Control Panel and create a mailbox user; ensure that the email address assigned is on@myanmarcloud.net
3. Log in to the AD server, launch the Windows PowerShell module, and at the command prompt run:
a. Import-Module ADSync
b. Start-ADSyncSyncCycle -PolicyType Delta
4. Log in to the Office365 portal and check that the newly created user, on@myanmarcloud.net, is synced.
5. Once the user is synced to Office365, go to Exchange Admin Center > Recipients > Migration > + > Migrate to Exchange Online.
Click Next.
Click "+", select the user you want to migrate, Add > OK. Click Next and Finish.
Screenshots during email migration
Click "Complete this migration batch" to finish the migration.
6. Assign the newly migrated user, on@myanmarcloud.net, an Office365 license.
7. Go to https://mail.office365.com and test your email flow.
Once your mailbox has been migrated to Office365, a few changes are made to the user's AD attributes.
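The on-boarding steps above as one script, added here as an example that is not part of the guide: trigger a delta sync on the AAD Connect server, move the mailbox to Exchange Online with a remote move request (what "Migrate to Exchange Online" creates behind the scenes), complete it, and then confirm the change to the on-premises object that the last sentence above refers to. It is run from the Exchange Management Shell on the on-premises server with the ExchangeOnlineManagement module installed; that module is used because the Basic-authentication remote PowerShell session shown later in this guide has since been retired by Microsoft. Assumed values: user on@myanmarcloud.net, MRS proxy endpoint mail.myanmarcloud.net, tenant routing domain e5thet.mail.onmicrosoft.com (the guide's value), and AAD Connect running on the domain controller ACDC.

```powershell
# Added example (not from the original guide): on-board one mailbox and verify the result.
# Assumed values: the guide's sample user, host names and tenant routing domain.
$User         = "on@myanmarcloud.net"
$OnPremHost   = "mail.myanmarcloud.net"            # MRS proxy endpoint published on 443
$TargetDomain = "e5thet.mail.onmicrosoft.com"       # tenant routing domain
$AadConnect   = "ACDC"                              # server running AAD Connect

# Step 3: delta sync so the new user exists in Azure AD before the move is requested.
Invoke-Command -ComputerName $AadConnect -ScriptBlock {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}

# Step 5: remote move request from the cloud side (EAC: Migration > Migrate to Exchange Online).
Connect-ExchangeOnline
$OnPremCred = Get-Credential -Message "On-premises admin (DOMAIN\user) for the MRS proxy endpoint"
New-MoveRequest -Identity $User -Remote -RemoteHostName $OnPremHost -RemoteCredential $OnPremCred `
    -TargetDeliveryDomain $TargetDomain -BatchName "Pilot" -SuspendWhenReadyToComplete

# Poll until the initial copy is done, then finish (EAC: "Complete this migration batch").
do {
    Start-Sleep -Seconds 60
    $stats = Get-MoveRequestStatistics -Identity $User
    "{0}: {1} ({2}% complete)" -f $User, $stats.StatusDetail, $stats.PercentComplete
} while ($stats.Status -notin "AutoSuspended", "Completed", "Failed")

if ($stats.Status -eq "AutoSuspended") { Resume-MoveRequest -Identity $User }

# What changed on-premises: the mailbox object became a remote mailbox whose routing
# (target) address points at the tenant routing domain; that attribute is what the
# on-premises transport later uses to find the mailbox in the cloud.
function Test-OnboardedUser {
    param([string]$Identity, [string]$RoutingDomain)
    $rm = Get-RemoteMailbox -Identity $Identity -ErrorAction SilentlyContinue
    [pscustomobject]@{
        User                 = $Identity
        IsRemoteMailbox      = [bool]$rm
        RemoteRoutingAddress = $rm.RemoteRoutingAddress
        TargetAddressOk      = [bool]($rm -and "$($rm.RemoteRoutingAddress)".EndsWith("@$RoutingDomain"))
    }
}

Test-OnboardedUser -Identity $User -RoutingDomain $TargetDomain
```

Keep the move suspended at AutoSuspended until the user is licensed (step 6); completing first leaves a cloud mailbox with no licence behind it, which the tenant will eventually disable.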
Control Panel > Mail > set up your email account, on@myanmarcloud.net; type the username and password, and you should be able to set it up successfully.
Your account's email server now points at the Office365 cloud server as shown, which confirms that your account has been migrated successfully to the Office365 cloud.
OWA Redirection Setup
A migrated mailbox user will still access OWA using https://mail.myanmarcloud.net as usual and has to be redirected, so we need to configure the redirect. Launch the "Windows Azure Active Directory Module" and type one line at a time:
o $UserCredential = Get-Credential
o Connect-MsolService -Credential $UserCredential
o $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
o Import-PSSession $Session
o Get-OrganizationRelationship | fl
Copy the value highlighted in red (the Identity of the "O365 to On-premises" relationship).
Replace it with your value and domain name, and type the following line:
o Set-OrganizationRelationship -Identity "O365 to On-premises - 566d2175-0c6f-420b-b69b-6bf532fafba4" -TargetOwaURL "https://mail.office365.com/owa/myanmarcloud.net"
Sign in to OWA using https://mail.myanmarcloud.net
You will be redirected to log in to Outlook (Office365 Online) instead; click on the link.
Your cloud mailbox is ready and up.
Mail Flow
1. An internal user, username@myanmarcloud.net, sends an email to a Hybrid user.
2. The on-premise Exchange server receives the email and checks with Active Directory where the recipient's mailbox is located.
3. AD looks up the user's mailbox location by checking the user's "TargetAddress" attribute.
4. The TargetAddress attribute is on@e5thet.mail.onmicrosoft.com, which shows that the mailbox is located in the Office365 cloud.
5. Since there is a Federation Hybrid between the on-premise Exchange server and Office365 Online, the email is delivered to the Hybrid user's mailbox in the cloud.
6. When an internal user, username@myanmarcloud.net, sends an email to Internet users such as Gmail, Yahoo or other external users, it goes through the on-premise Exchange server > the Exchange server knows that the recipient address is not a local mailbox, so it looks up the recipient's DNS (MX) record and sends to the recipient's MX server. Mail delivered.
7. When a Hybrid user, on@myanmarcloud.net, sends email to Internet users such as Gmail, Yahoo or other external users, it is sent directly through Office365 (not through the on-premise Exchange server; this mail flow is known as decentralized mail flow).
8. When an Internet user sends email to either an on-premise or a Hybrid user, it goes through the on-premise Exchange server, since the recipients' (*@myanmarcloud.net) MX record points to the on-premise Exchange server, mail.myanmarcloud.net. The same mail flow sequence applies again to look up the location of the recipients' mailboxes when the email arrives at the on-premise Exchange server.
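Each of the paths above leaves a trail in the on-premises message tracking log, and reading that trail is the quickest way to confirm the routing decision the server actually made. This is an added example, not part of the guide: it pulls the tracking events for one sender/recipient pair and labels each hop by the connector it used. Mail for a migrated user should show RECEIVE followed by SEND through the send connector the Hybrid Configuration Wizard created (typically named "Outbound to Office 365 - ..."); mail for an Internet recipient should show SEND through your own MX-routed connector (abcsend in this guide). The addresses are the guide's sample values; run it in the Exchange Management Shell.

```powershell
# Added example (not from the original guide): trace a message through the on-premises
# transport using the message tracking log. Assumed: the guide's sample addresses.
function Trace-OnPremMessage {
    param(
        [string]$Sender,
        [string]$Recipient,
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    Get-MessageTrackingLog -Sender $Sender -Recipients $Recipient -Start $Since -ResultSize Unlimited |
        Sort-Object Timestamp |
        ForEach-Object {
            $e = $_          # keep the event; inside switch, $_ is the value being matched
            $leg = switch ($e.EventId) {
                "RECEIVE" { "accepted on receive connector '$($e.ConnectorId)'" }
                "SEND"    { "sent via send connector '$($e.ConnectorId)' to $($e.ServerHostname)" }
                "DELIVER" { "delivered to a local mailbox on $($e.ServerHostname)" }
                "FAIL"    { "FAILED: $($e.RecipientStatus)" }
                default   { $e.EventId }
            }
            [pscustomobject]@{
                Time    = $e.Timestamp
                Subject = $e.MessageSubject
                Event   = $e.EventId
                Path    = $leg
            }
        }
}

# Internal user -> migrated (cloud) user: expect RECEIVE, then SEND via the Office 365 connector.
Trace-OnPremMessage -Sender "username@myanmarcloud.net" -Recipient "on@myanmarcloud.net" | Format-Table -AutoSize

# Internal user -> Internet: expect RECEIVE, then SEND via your own MX-routed send connector.
Trace-OnPremMessage -Sender "username@myanmarcloud.net" -Recipient "user@gmail.com" | Format-Table -AutoSize

# Internet -> on-premises user: expect RECEIVE on the Internet-facing connector, then DELIVER.
Trace-OnPremMessage -Sender "user@gmail.com" -Recipient "username@myanmarcloud.net" | Format-Table -AutoSize
```

A SEND for a migrated user that goes through abcsend instead of the Office 365 connector means the recipient's target address was not consulted, usually because the on-premises object was not converted to a remote mailbox after the move.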