By establishing a hybrid deployment, you can extend the feature-rich experience and administrative control you have with your existing on-premises Exchange Server organization to the cloud. A hybrid deployment also offers support for a cloud-based archiving solution for your on-premises mailboxes with Exchange Online Archiving and may also serve as an intermediate step towards a complete migration of your on-premises mailboxes to Exchange Online.
This topic covers configuring a hybrid deployment for your on-premises Exchange organization and your Exchange Online organization in Microsoft 365 or Office 365 using the Hybrid Configuration wizard. In this topic, a hybrid deployment is created for the following organization configuration:
- The on-premises organization is a single-forest on-premises Exchange organization.
- The on-premises organization doesn't use an existing Microsoft Exchange Online Protection (EOP) service for on-premises protection.
- The on-premises organization doesn't have Edge Transport servers deployed. The Hybrid Configuration wizard supports configuring Edge Transport servers as part of a hybrid deployment, but configuring Edge Transport servers in the wizard isn't covered in this topic.
Creating a full classic hybrid deployment
Use the following procedure to create and configure a hybrid deployment:
- Download the latest Hybrid Configuration Wizard from here or from the hybrid tab of the Exchange Online Admin Center.
- When you're prompted, click Install on the Application Install dialog.
- When you're prompted, click Run to open the Hybrid Configuration Wizard.
- Click Next, and then, in the On-premises Exchange Server Organization section, select Detect the optimal Exchange server. The wizard will attempt to detect an on-premises Exchange server. If the wizard doesn't detect an Exchange server, or if you want to use a different server, select Specify a server running Exchange 2010, Exchange 2013, or Exchange 2016. Then specify the internal FQDN of an Exchange Client Access Server for Exchange 2010 and Exchange 2013 or an Exchange Mailbox server for Exchange 2016.
- In the Office 365 Exchange Online section, select the location where your Microsoft 365 or Office 365 organization is hosted and then click Next.
- On the On-premises Exchange account page, in the Please provide your on-premises Exchange administrator account credentials section, select change if you don't want that the wizard to use the account you're logged into to access your on-premises Active Directory and Exchange servers. If you want to use the same credentials, continue to the next step.
- In the Office 365 Exchange Online Account credentials section, click sign in and specify the username and password of a Microsoft 365 or Office 365 account that has Global Administrator permissions. Click Next.
- On the Gathering Configuration Information page, the wizard will connect to both your on-premises organization and your Microsoft 365 or Office 365 organization to validate credentials and examine the current configuration of both organizations. Click Next when it's done.
- On the Hybrid Features page, select Full Hybrid Configuration and then click Next. On this page, you can also select Organization Configuration Transfer if you want to perform a one-time transfer of organization objects from your on-premises environment to Exchange Online. For more information, see Hybrid Organization Configuration Transfer V2.
- On the Hybrid Domains page, select the domains you want to include in your hybrid deployment. In most deployments, you can leave the Auto Discover column set to False for each domain. Only select True next to a domain if you need to force the wizard to use the Autodiscover information from a specific domain for all selected hybrid domains. Click Next.
- On the Federation Trust page, click Enable and then click Next.
- On the Domain Ownership page, click Click copy to clipboard to copy the domain proof token information for the domains you've selected to include in the hybrid deployment. Open a text editor such as Notepad and paste the token information for these domains. Before continuing in the Hybrid Configuration Wizard, you must use this information to create a TXT record for each domain in your public DNS. Refer to your DNS host's Help for information about how to add a TXT record to your DNS zone. Click Next after the TXT records have been created and the DNS records have replicated.
- On the Hybrid Topology page, click Use Exchange Classic Hybrid Topology and then click Next.
- On the Transport Certificate page, in the Select a reference server field, select the Exchange server that has the certificate you configured earlier in the checklist.
- In the Select a certificate field, select the certificate to use for secure mail transport. This list displays the digital certificates issued by a third-party certificate authority (CA) installed on the Mailbox server selected in the previous step. Click Next.
- On the Organization FQDN page, enter the externally accessible FQDN for your Internet-facing Exchange server. Microsoft 365 and Office 365 use this FQDN to configure the service connectors for secure mail transport between your Exchange organizations. For example, enter "mail.contoso.com". Click Next.
- The hybrid deployment configuration selections have been updated, and you're ready to start the Exchange services changes and the hybrid deployment configuration. Click Update to start the configuration process. While the hybrid configuration process is running, the wizard displays the feature and service areas that are being configured for the hybrid deployment as they are updated.
- The wizard displays a completion message and the Close button is displayed. Click Close to complete the hybrid deployment configuration process and to close the wizard.
Configure OAuth authentication between Exchange and Exchange Online organizations
For mixed Exchange 2013/2010 and Exchange 2013/2007 hybrid deployments, the new hybrid deployment OAuth-based authentication connection between Microsoft 365 or Office 365 and on-premises Exchange organizations isn't configured by the Hybrid Configuration Wizard. These deployments continue to use the federation trust process by default. However, certain Exchange 2013 features such as Message Records Management (MRM), Exchange In-place Archiving, and In-place eDiscovery are only fully available across your organization by using the new Exchange OAuth authentication protocol. We recommend that all mixed Exchange 2013/2010 and Exchange 2013/2007 organizations that wish to implement these features as part of a new hybrid deployment with Exchange Online configure Exchange OAuth authentication after configuring their hybrid deployment with the Hybrid Configuration Wizard.
Final Results
The successful completion of the Hybrid Configuration wizard will be your first indication the completion of the hybrid configuration steps worked as expected. To further verify that you have successfully created and configured your hybrid deployment, do the following:
- Run the following command in the Exchange Management Shell for the on-premises organization. This command displays the hybrid deployment configuration values and settings, hybrid features, and transport endpoints. Verify that these values are correct.
- Confirm that the Hybrid Configuration wizard completed all the configuration steps by examining the hybrid configuration log. By default, the log is located at C:\Program Files\Microsoft\Exchange Server\V15\Logging\Update-HybridConfiguration on the on-premises Mailbox server.
- Move an existing on-premises mailbox to the Exchange Online organization to test the mailbox move feature support, or create a new user mailbox in the Exchange Online organization to test free/busy calendar sharing between the two organizations. Either mailbox action will also allow you to test and confirm that message delivery between the on-premises and Exchange Online organizations is functioning correctly with existing mailboxes and that message delivery is secure and treated as internal messages to the Exchange organization.
- Use the EAC and navigate to Enterprise > Recipients > Mailboxes to create a new remote mailbox in Exchange Online.
- Use the EAC and navigate to Office 365 > Recipients > Migration to move an existing mailbox to Exchange Online.
Exchange Hybrid and Office 365 Monitoring and Reporting
On-premises components, such as AD FS, PTA, and Exchange Hybrid are critical for Office 365 end user experience. In addition, something as trivial as expiring Exchange or AD FS certificates can certainly lead to unexpected outages. By proactively monitoring hybrid components, ENow gives you early warnings where hybrid components are reaching a critical state, or even for an upcoming expiring certificate. Knowing immediately when a problem happens, where the fault lies, and why the issue has occurred, ensures that any outages are detected and solved as quickly as possible.
Access your free 14-day trial of ENow’s Exchange Hybrid and Office 365 Monitoring and Reporting today!