Exchange 2016 and Office365 Hybrid Setup

This guide focus substantially on how to setup Hybrid between on-premise Exchange

organization and Office365.

This is a get-the-job done guide to help you successfully setup Hybrid between Exchange 2016

and Office365.

Public IP

You need 1 Public IP. It’s recommended that you ask your IP provider (ISP) to add

Reverse DNS record for your public IP for email security and IP reputation.

Some email providers like Google, Yahoo and Microsoft tend to deliver your emails into

“Spam Folder” instead if your email server doesn’t have reverse DNS record.

Reverse DNS Record

1.1.1.1 ( your public IP, a sample) Mail.myanmarcloud.net

Certificate Consideration

You need a publicly signed SSL certificate as follow assuming that you have only 1

domain name. If you have more than one domains, you add another set of the records as

of primary’s as follow.

Or if you have more than a few domains, then there is a guide on how to save on

certificates, just Google it.

Common Name/Subject Name Subject Alternative Names

Mail.myanmarcloud.net Mail.myanmarcloud.net

Autodiscover.myanmarcloud.net

Myanmarcloud.net

Common Name/Subject Name Subject Alternative Names

Mail.example.com Mail.example.com

Autodiscover.example.com

Example.com

Replace my domain, Myanmarcloud.net and example.com with yours.

DNS Records in your public DNS servers.

DNS Records Point to

A Record

Mail.myanmarcloud.net 1.1.1.1 ( your public IP here)

Mail.example.com 1.1.1.1 (same public IP as of above – since

both domains are hosted on the same

Exchange server.)

CNAME

Autodiscover.myanmarcloud.net Mail.myanmarcloud.net

Autodiscover.example.com Mail.example.com

MX Record

Myanmarcloud.net Weight 0 Mail.myanmarcloud.net

Example.com Weight 0 Mail.example.com

DNS Records in your internal DNS servers.

A Record

Mail.myanmarcloud.net 172.16.40.26 ( your Exchange server’s

internal IP here)

Mail.example.com 172.16.40.26 (same public IP as of above –

since both domains are hosted on the same

Exchange server.)

CNAME

Autodiscover.myanmarcloud.net Mail.myanmarcloud.net

Autodiscover.example.com Mail.example.com

MX Record

Myanmarcloud.net Weight 0 Mail.myanmarcloud.net

Example.com Weight 0 Mail.example.com

Your Exchange server may have joined to internal, non-internet routable domain like,

domain.local, in that case you need to have the following internal DNS records as well.

DNS Records Point to

A Record

Exchange-hostname 172.16.40.26

Exchange-hostname.domain.local 172.16.40.26

Mail.domain.local 172.16.40.26

CNAME

Autodiscover.domain.local Exchange-hostname.domain.local

MX Record

Domain.local Weight 0 Exchange-hostname.domain.local

Firewall requirement

Assumed that you assigned your on-premise Exchange server an internal IP and NAT with a

public IP behind a Firewall.

Exchange server’s internal IP: 172.16.40.26 and its NAT public IP: 1.1.1.1

Source Destination Protocol Port Direction

1.1.1.1 (Exchange server’s public IP) Internet TCP 25 Bi-directional

1.1.1.1 (Exchange server’s public IP) Internet TCP 443 Bi-direction

Azure Active Directory Connect

This component is a must to have Hybrid successfully setup. Or you could setup ADFS SSO

(that is not covered in this guide). You can download it from here. This is to sync your AD users,

groups, contacts to the Office365 Cloud.

Lab Environment setup scenario (Hyper-V or VMWare)

If you just want to test Hybrid functionalities, features, capabilities, user experiences, technical

hands-on, and don’t want to mess with your existing production Exchange and Active Directory

environment, you could do so by setting up a separate AD and exchange environment.

Set up your Active Directory Domain Controller (AC DC) server, for example, abc.com.

o IP: 10.10.10.2, subnet mask, for example, 255.255.0.0.

o Add a second network card, connect it to your production network switch, assign

your production network IP, for example, 172.16.40.102

o Your AD DC server must be able to reach to the Internet, test it by pining

google.com or web surfing – ensure that your Exchange serve is able to connect

to the Internet.

Setup an Exchange server, 2013 or 2016 and join abc.com domain

o Add a network card and assign an internal IP (not your production network IP),

for example, 10.10.10.3

Point Exchange server’s DNS to 10.10.10.2 (your abc.com’s AD DC)

o Add a second network card, connect it to your production network switch, assign

your production network IP, for example, 172.16.40.26 , same subnet mask,

gateway and DNS servers as of your production network and NAT to a public IP

(1.1.1.1, in our example).

o Your Exchange server must be able to reach to the Internet, test it by pining

google.com or web surfing – ensure that your Exchange serve is able to connect

to the Internet.

Minimally, you need only 2 Virtual Machines, one is for Active Directory server and the other is

for Exchange 2016 server. That’s all.

Network configuration and settings

Server Names Running Services NIC-1 (internal Hyper-V network)

IP Net mask Gateway DNS

Acdc.abc.com

Active Directory

Domain Services

10.10.10.2 /16 10.10.10.1 10.10.10.2

127.0.0.1

NIC-2 (connected to the production network)

IP Net mask Gateway DNS

172.16.40.103 /24 172.16.40.1 190.10.10.11/12

ex16.abc.com

Exchange server

having installed

with all-in-one

server role.

NIC-1 (connected to the Hyper-V network)

IP Net mask Gateway DNS

10.10.10.3 /16 10.10.10.1 10.10.10.2

NIC-2 (connected to the production network)

IP Net mask Gateway DNS

172.16.40.26 /24 172.16.40.1 190.10.10.11/12

Local, non-routable domain name: abc.com

NetBIO Name: ABC

UPN Login: ABC\username

Active Directory setup guide.

https://social.technet.microsoft.com/wiki/contents/articles/12370.windows-server-2012-set-up-

your-first-domain-controller-step-by-step.aspx

Setup Exchange 2016 by following this guide.

http://exchangeserverpro.com/installing-exchange-server-2016/

Assumed that you have freshly setup both Active Directory server and Exchange servers, join

them with Active Directory domain, in our case, abc.com.

Email domain (SMTP domain)

Routable internet domain names that I used in my guide is:

myanmarcloud.net

Add a new UPN for the email domain (SMTP domain).

Adding my internet routable mail domain (SMTP domain).

Login to your Exchange Control Panel (ECP), https://localhost/ecp

Mail flow > accepted domains > and click “+” sign.

Type your domain name, myanmarcloud.net and click Save.

You would see your mail domain, myanmarcloud.net added.

There is a need to modify “Default Frontend EX16”.

If we didn’t modify and create a new Receive Connector, when someone sends an email to you,

the sender will receive the following error message.

550 5.7.54, Unable to relay recipient in non-accepted domain

Remove default scoping for “Remote network settings” which accepts email from all email

servers and replaced it with local host IP, 127.0.0.1 as shown in the next screenshot.

The reason we do is we need to define a new Frontend Transport “Receive Connector” (not this

Default Frontend Receive Connector) and accept emails from all email servers using this

“Remote network settings”.

If we didn’t remove and replace it with “127.0.0.1”, there will be a Remote Network Settings

duplication error.

550 5.7.54, Unable to relay recipient in non-accepted domain

After removing default Remote Network setting IPs, Now click “+” sign to add 127.0.0.1 as

below.

Mail Flow > Receive and click “+” sign to add a new “Frontend Transport Receive Connector”,

so that your on-premise Exchange can receive emails from the Internet.

Type a name for the connector, select “Frontend Transport”, and “Custom”, click Next.

Click Next to proceed.

Click “+” sign, and the following IP range (which accepts email servers from all network ranges,

such as from Internet). Click Finished

Select the newly created “Relayme” connector and click “Pencil” to edit it.

Click on “Security” > select “ Anonymous users” and click Save.

Launch Exchange PowerShell, and type the following command.

Get-ReceiveConnector ex16\relayme | Add-ADPermission –User “NT Authority\Anonymous

Logon” –ExtendedRights “ms-Exch-SMTP-Accept-Any-Recipient”

Replace ex16 with your on-premise Exchange server’s hostname and relayme with newly

created Frontend Transport Receive Connector’s name.

Send Connector

Click “Send Connectors” and “+” sign to create a new Send Connector, so that you can send

your email to the Internet.

Type a name for this send connector, choose Custom, and click Next.

Choose MX record, and click Next.

Click “+” sign, and type “*” in FQDN and click Save. And then click Next.

Click “+” sign, choose your Exchange server, click add, OK and click Finish.

You should see a newly created Send Connector named “abcsend”.

It’s observed that at this point of time, when someone sends email to your exchange server, he

would receive bounced mail with the following error message.

“Remote host said: 451 4.7.0 Temporary server error. Please try again later. PRX2”

To resolve this issue, add your exchange server’s hostname and its IP address as following in

hosts file under C:\Windows\System32\drivers\etc.

Remember, I have two NICs assigned to my Exchange server, so I added as above.

Setting DNS servers for Exchange server.

Servers > Exchange server > Edit (pencil) > DNS lookups > External DNS lookups > All

network adapters.

Servers > Exchange server > Edit (pencil) > DNS lookups > Internal DNS lookups > Custom

Settings > your-internal-DNS server (not your production network’s DNS servers).

Follow this guide on setting External and Internal URLs, Outlook Anywhere in Exchange 2016.

Just replace with your own domain name.

http://www.mustbegeek.com/configure-external-and-internal-url-in-exchange-2016/

Follow this guide on how to configure Autodiscover setting in Exchange 2016

http://www.mustbegeek.com/configure-autodiscover-in-exchange-2016/

Email Address Policy

By default, when you created a mailbox user, he will be associated with Exchange server’s

default AD domain, in my case, abc.com that’s where it’s joined to. In your case, may be

yourdomain.local.

Therefore, if I created a mailbox user, his email address would be username@abc.com – it’s not

what I want because abc.com is not internet routable and my email domain is

username@myanmarcoud.net

I need to change my Default Policy to include myanmarcloud.net in it.

Click on the default Policy, and click “Pencil” to edit it,

Type your domain name, in my case, myanmarcloud.net, choose alias@contoso.com and click

Save.

It’s important to understand there could be multiple email domains in your environment, and you

need to define email address policies to match them.

Certificate

FREE CERTIFICATE - The biggest take away from this guide is getting a FREE PUBLIC

CERTIFICATE – go to https://www.startssl.com and get one.

Acquire a public SSL certificate from the public certificate service provider based on your

requirements; below is my requirement.

Once you have the certificate from the certificate service provider, import it into the server/PC

where you generated the CSR and then export it including private key.

Generating CSR from Exchange server could be confusing for some.

I would recommend you generate CSR request for the Exchange certificate using simple, quick

and easy tool like Digicert Utility for Windows - https://www.digicert.com/util/ .

Run the tool > Create CSR > SSL > type your domain URLs as follow > Generate.

Common Name/Subject Name Subject Alternative Names

Mail.myanmarcloud.net Mail.myanmarcloud.net

Autodiscover.myanmarcloud.net

Myanmarcloud.net

Copy and send it to your certificate service provider.

Assumed that you already have a public SSL certificate with private key, copy it over to the

Exchange server, and import it as follow.

Point to your certificate location, and type the password you used when exporting it.

Click “+”, select the Exchange server > Add > OK and Finish.

You need to assign the certificate to the Exchange services, click “Pencil” to edit it.

Select, SMTP, IMAP, POP, IIS and Save.

You will be asked if you want to apply this, just click Yes to confirm.

Email Delivery Testing

It’s the time to test email send/receive from internal and as well as external. Test the following

scenarios.

Sender Receiver Sender Receiver

user@myanmarcloud.net user@myanmarcloud.net user@myanmarcloud.net user@gmail.com

user@gmail.com user@myanmarcloud.net

Once you were able to send and receive successfully in all scenarios, it’s time to install Azure

Active Directory Connect.

Azure Active Directory Connect. (AAD Connect)

Downloaded it from - https://www.microsoft.com/en-us/download/details.aspx?id=47594

Copy it to your Active Directory server, and run it by following this guide. It’s quick and easy.

http://mstechtalk.com/step-by-step-azure-ad-sync-installation-guide-part-2/

After 15-30 minutes later, you should see all your on-premise AD users synced with Office365.

Exchange 2016 and Office365 Hybrid

Final part of this guide is to setup Hybrid setup between Exchange 2016 and Office365. Since

we have done setting up all fundamental requirements above, it’s time to setup Hybrid.

Login to your Exchange server, https://localhost/ecp > Hybrid > Modify

You will be redirected to login to Office365 portal, login using your Office365 credential,

download Hybrid Configuration Wizard (HCW) from the given link and follow the HCW.

Click “Enable” on the Federation Trust windows.

Copy the given TXT record, and add it at your public DNS server, sometimes it could take 30

minutes to 1 hour or less than that to get propagated.

Once it’s resolved, check “I have created a TXT record for each token in DNS and click “Verity

domain ownership”.

Select as highlighted in red and click Next.

Choose correct certificate from the drop down list and click Next

Type your complete FQDN of Exchange that’s routable to the Internet, in my case, my email

domain, mail.myanmarcloud.net.

Click Next to proceed.

The HCW will start configuring all necessary components, services and mail routings.

Once all went fine, you will be congratulated with a big green mark as follow.

Email Migration from on-premise Exchange to Office365. (On-boarding)

Steps to migrate on-premise mailbox (es) to Office365

1. Create an AD user, for example, on@myanmarcloud.net

2. Login to Exchange control panel, and create a mailbox user, ensure that the email address

is assigned on@myanmarcloud.net

3. Login to AD server, and launch Window PowerShell module, at the command prompt,

a. Import-module adsync

b. Start-ADSyncSyncCycle -PolicyType delta

4. Login to Office365 portal and check if the newly created user, on@myanmarcloud.net is

synced.

5. Once the user is synced to the Office365, go to Exchange Admin Center > Recipients >

Migration > + > Migrate to Exchange Online.

Click Next.

Click “+”, select the user you want to migrate, add > OK. Click Next and Finish.

Screenshots during email migration

Click “Complete this migration batch” to finish the migration.

6. Assign newly migrated user, on@myanmarclod.net an Office365 license.

7. Go to https://mail.office365.com and test your email flow.

Once your email has been migrated to Office365, there are a few changes made to the user’s AD

attributes.

Control Panel > Mail > setup your email account, on@myanmarcloud.net, type username and

password, you should be able to setup successfully.

Your account’s email server is pointing Office365 Cloud server as shown, it’s confirmed that

your account has been migrated successfully to the Office365 Cloud.

OWA Redirection Setup

When migrated mailbox user will access OWA using https://mail.myanmarcloud.net as per usual

and will be redirected. We have to configure to redirect it. Launch “Windows Azure Active

Directory Module” – type one line at a time.

o $UserCredential = Get-Credential

o Connect-MsolService -Credential $UserCredent

o $Session = New-PSSession -ConfigurationName Microsoft.Exchange -

ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential

$UserCredential -Authentication Basic –AllowRedirection

o Import-PSSession $Session

o Get-OrganizationRelationship | fl

Copy highlighted in red.

Replace with your value and domain name, and type the following line.

o Set-OrganizationRelationship -Identity "O365 to On-premises - 566d2175-0c6f-420b-

b69b-6bf532fafba4" –TargetOwaURL

"https://mail.office365.com/owa/myanmarcloud.net"

Sign in to OWA using https://mail.myanmarcloud.net

You will be redirected to login to Outlook (Office365 Online) instead, click on the link.

Your Cloud mailbox is ready and up.

Mail Flow

1. An internal user, username@myanmarcloud.net sends an email to a Hybrid user

2. On-premise Exchange server receives the email, check with Active Directory where the

user’s mailbox’s (recipient’s mailbox) is located.

3. AD looks up the user’s mailbox location by checking the user’s “TargetAddress”

attribute.

4. TargetAddress attribute is (on@e5thet.mail.onmicrosoft.com) and noted that it’s located

in the Office365 Cloud.

5. Since there is a Federation Hybrid between on-premise Exchange server and Office365

Online, the email is delivered to Hybrid user’s mailbox in the cloud.

6. When an internal user, username@myanmarcloud.net sends an email to the Internet

users, like Gmail, Yahoo or external users, it sends through on-premise Exchange server

> Exchange server knows that the recipient address is not local mailbox then it looks up

DNS record of the recipient and sends to MX server of the recipient. Mail delivered.

5. When a Hybrid user, on@myanmarcloud.net sends email to the Internet users like

Gmail, Yahoo or external users, it sends directly through Office365 (not sending through

on-premise Exchange server – this mail flow is known as Decentralized mail flow).

6. Internet user sends email to either on-premise or Hybrid user, it will go through on-

premise Exchange as its recipients’ ( *@myanmarcloud.net ) MX record is pointing to

on-premise Exchange server, mail.myanmarcloud.net. The same mail flow sequence

applies again to look up where the location of the recipients’ mailboxes when the email is

arrived to on-premise Exchange server.