In my previous blog post I covered the Exchange 2013 hybrid configuration, what its prerequisites are, and how to implement and configure one (or more) Exchange 2013 Hybrid servers.
In this blog post we’ll continue with the Hybrid Configuration and we will run the Hybrid Configuration Wizard (HCW) to actually create the Exchange 2013 Hybrid configuration.
Note. For simplicity I assume your Exchange 2013 is fully operational without any (certificate) issues on the Internet, which means you have configured all your Virtual Directories, Outlook Anywhere and Autodiscover. Everything must be working correctly to prevent issues during configuration, which could result in a misconfigured, non-working hybrid configuration.
Run the Hybrid Configuration Wizard
Configuring Exchange 2013 is relatively easy and can be started from the Exchange Admin Center (EAC). The wizard that’s used here is known as the Hybrid Configuration Wizard (HCW) and is, in my experience, a very stable and efficient wizard (although there have been some glitches with the HCW in earlier CUs of Exchange 2013), provided you have met all prerequisites of course.
Log in to the Exchange 2013 Hybrid server and start the Exchange Admin Center locally. The reason for doing this locally on the server is that during the wizard some additional software needs to be installed for the OAuth part of the Hybrid configuration.
In the Exchange Admin Center in the navigation pane select hybrid. In the hybrid setup window click the enable button to initially enable the hybrid mode in your organization. The option My Office 365 organization is hosted by 21Vianet should be left unchecked. Office 365 in China is hosted by 21Vianet so this option does not apply to us (unless you are in China and your organization is hosted by 21Vianet of course).
When you click enable you are prompted to log on to your Office 365 tenant. Click the sign in to Office 365 option and enter your Office 365 Global Admin credentials.
At this point it looks like we’re back in the original situation; the only difference is that we’re logged on to the Office 365 tenant, which you can see in the address bar. In the Exchange Control Panel click the enable button again to enable Exchange Online for a hybrid configuration. Again, don’t check the My Office 365 organization is hosted by 21Vianet checkbox.
Once enabled you get an information message saying local forest “Enterprise” is currently not configured. Would you like to setup Exchange hybrid? Well, this is what we’re here for, so click Yes to continue.
The HCW will detect all configured domains that can be used in a hybrid configuration and these are all shown in the wizard as can be seen in the following screenshot:
You can add or remove domains here as appropriate. When you want to use these domains in a Hybrid configuration they have to be validated. This is a different validation process compared to adding a domain to your Office 365 tenant, and the TXT records are different as well. When you click Next all validation records are shown, as can be seen in the following screenshot:
These are serious tokens and you’d better not type them manually in your DNS console, since that is prone to error; copy and paste them instead. Once added to public DNS you can use NSLOOKUP to see if they are returned properly:
When all DNS records are configured properly and replicated click Next in the HCW to continue.
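The same check can be scripted so that the value returned by public DNS is compared against the token copied from the HCW. This is an added example, not part of the original post; the token is a constructed placeholder, the resolver address is an assumption, and the record is assumed to be published at the domain name itself.

```powershell
# Domain -> proof token exactly as displayed by the HCW.
# The token below is a constructed placeholder; paste the real value from the wizard.
$expected = @{
    'exchangelabs.nl' = 'PLACEHOLDER-TOKEN-COPIED-FROM-THE-HCW'
}

function Test-HybridDomainProof {
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $Token,
        [string] $Server = '8.8.8.8'   # assumption: any public resolver will do
    )
    try {
        # Ask a public resolver, not the internal one, so we see what Office 365 will see.
        $records = @(Resolve-DnsName -Name $Domain -Type TXT -Server $Server -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' })
    } catch {
        return [pscustomobject]@{ Domain = $Domain; Status = 'LookupFailed'; Detail = $_.Exception.Message }
    }

    # Long TXT data is returned as several strings; join them before comparing.
    $values = @($records | ForEach-Object { $_.Strings -join '' })
    $strip  = '[\s"]'

    if ($values -ccontains $Token) {
        $status = 'Match'
        $detail = 'Token is published exactly as shown by the HCW'
    } elseif ($values | Where-Object { ($_ -replace $strip, '') -ieq ($Token -replace $strip, '') }) {
        # Same characters apart from whitespace, quotes or case: a typical paste or typing slip.
        $status = 'NearMiss'
        $detail = 'A TXT record differs only in whitespace, quotes or case'
    } else {
        $status = 'Missing'
        $detail = "$($values.Count) TXT record(s) returned, none equal to the token"
    }
    [pscustomobject]@{ Domain = $Domain; Status = $status; Detail = $detail }
}

$expected.GetEnumerator() |
    ForEach-Object { Test-HybridDomainProof -Domain $_.Key -Token $_.Value } |
    Format-Table -AutoSize
```

A `Missing` result right after creating the record usually just means it has not replicated yet; rerun the check before clicking Next.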
You can use the Edge Transport server for SMTP traffic (secured) between your Exchange 2013 on-premises and Exchange Online, but you can also opt to use the (dedicated) Exchange 2013 hybrid server for this. I typically configure these servers, so select the Configure my Client Access and Mailbox servers for secure mail transport (typical) radio button and click Next to continue.
The next step is to point out which servers can be used as a source server for the new Send Connector and Receive Connector (to/from Exchange Online). Since we’re using a dedicated hybrid server use the Browse button to select the appropriate server as shown in the following screenshot:
Click Next and do the same for selecting the hybrid server for the new Send Connector.
The SMTP communication between Exchange 2013 on-premises and Exchange Online is encrypted (TLS) and a 3rd party certificate needs to be configured on your Exchange 2013 hybrid server. As mentioned before, do not forget to bind this SSL certificate to the SMTP Service. If you omit this step the HCW will detect the SSL certificate and continue, but when configuring the actual hybrid relationship it will fail. The error message shown is obvious and easy to fix, as described in this blog post.
In the HCW, select the appropriate SSL certificate and click Next to continue.
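Because a missing SMTP binding only surfaces later as a failed hybrid configuration, it is worth checking the certificate before reaching this page of the wizard. The following is an added example, not part of the original post; it assumes it is run in the Exchange Management Shell on the hybrid server and uses the hybrid FQDN from this walkthrough.

```powershell
# Run in the Exchange Management Shell on the hybrid server.
$hybridFqdn = 'hybrid.exchangelabs.nl'   # FQDN used in this walkthrough

$report = foreach ($cert in Get-ExchangeCertificate) {
    # Normalise the certificate's names to plain strings (works locally and over remoting).
    $names = @($cert.CertificateDomains | ForEach-Object { "$_" })

    # -like lets a wildcard name such as *.exchangelabs.nl cover the FQDN.
    $covers = [bool]($names | Where-Object { $hybridFqdn -like $_ })
    if (-not $covers) { continue }

    $problems = @()
    if ("$($cert.Services)" -notmatch '\bSMTP\b') { $problems += 'not bound to SMTP' }
    if ($cert.IsSelfSigned)                        { $problems += 'self-signed, not a 3rd party certificate' }
    if ($cert.NotAfter -lt (Get-Date))             { $problems += 'expired' }
    if ("$($cert.Status)" -ne 'Valid')             { $problems += "status is $($cert.Status)" }

    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Services   = "$($cert.Services)"
        NotAfter   = $cert.NotAfter
        Ready      = ($problems.Count -eq 0)
        Problems   = $problems -join '; '
    }
}

if (-not $report) { Write-Warning "No certificate on this server covers $hybridFqdn" }
$report | Format-List

# To bind a certificate that is otherwise fine (the thumbprint is a placeholder):
# Enable-ExchangeCertificate -Thumbprint '<THUMBPRINT>' -Services SMTP
```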
Enter the FQDN of the Exchange 2013 hybrid server (hybrid.exchangelabs.nl) which will be used to route SMTP messages from Exchange Online (Exchange Online Protection, EOP) to your Exchange 2013 on-premises environment, and click Next to continue.
The HCW needs credentials to configure the Hybrid Relationship, both in Exchange 2013 on-premises as well as Exchange Online. Enter an administrative account on-premises (CONTOSO\Administrator) and an administrative account online (Admin@contoso.onmicrosoft.com). Both accounts need to be a member of the respective Organization Management Role Groups. Click Next twice (once in every window in the HCW).
At this moment all information that’s needed for the Hybrid Configuration Wizard is gathered and when you click Update the wizard is run.
When you click Update the HCW will configure the hybrid relationship between your Exchange 2013 on-premises environment and Exchange Online. One step will be the creation of a hybrid configuration object in Active Directory:
You can find this hybrid configuration object in the Exchange services container in the Organization Partition of Active Directory as shown in the following screenshot:
When the HCW has finished, the hybrid configuration is created and configured, and only one step remains: the configuration of OAuth (server validation).
During configuration of OAuth additional software (the Microsoft Office 365 Support Assistant 3.5) is downloaded and installed on the server, so you have to run this part of the HCW on the Exchange 2013 hybrid server itself.
Click Configure to continue and start the configuration wizard and download the additional software. When the Security Warning appears click Run to continue; this will trigger the download of the software.
When the Security Warning appears again, click Run again to continue with the wizard. After two or three minutes the Exchange 2013 hybrid server is configured with OAuth and the HCW is finished:
Click Done to continue and close the browser. Your hybrid configuration is now fully configured.
How do you know your Exchange 2013 Hybrid configuration is working properly? Mailboxes in Exchange 2013 on-premises correspond to Mail-Enabled Users in Office 365. So, for all Mailboxes in your on-premises environment you should find a Mail-Enabled user in Office 365 (the user accounts themselves are synchronized with DirSync or WAADSync of course) as shown in the following figure:
In this blog post I discussed how to build an Exchange 2013 hybrid scenario where Exchange Online and Exchange 2013 on-premises are tightly integrated. For a successful deployment you need to have all your prerequisites, as outlined in the first blog post, configured correctly; otherwise it will fail utterly. But if you have it configured properly the Hybrid Configuration Wizard will run smoothly without any issues and you will see all Mailboxes appear in Exchange Online as Mail-Enabled users.
In the next blog post we’ll discuss moving Mailboxes from Exchange on-premises to Exchange Online and how they integrate.