All posts by jaapwesselius

Moving from Exchange 2010 to Office 365 Part II

In my previous blogpost, I’ve discussed the prerequisites for moving from Exchange 2010 to Office 365 when using Directory Synchronization (using Azure AD Connect). In this blogpost I’ll discuss how to create an Exchange 2010 hybrid environment.

Exchange 2010 Hybrid

Now that Directory Synchronization is in place using Azure AD Connect we can focus on connecting the on-premises Exchange environment to Exchange Online, this a called an Exchange Hybrid Configuration.

Hybrid configurations can consist of Exchange 2010, Exchange 2013 or Exchange 2016 or a combination of versions, so it is possible to have an Exchange 2010 and Exchange 2013 coexistence scenario on-premises, and connect this to Exchange Online. However, when using multiple versions of Exchange in a Hybrid configuration there’s always add complexity, and when configured incorrectly you can get unexpected results. Therefore, I typically recommend using only one version, so if you’re running Exchange 2010 on-premises, there’s no need to add an Exchange 2013 or Exchange 2016 server to your configuration, just as a ‘hybrid server’. Despite what other people tell you, there’s no need to add a newer version, and Exchange 2010 Hybrid is fully supported by Microsoft. Better is to create an Exchange 2010 hybrid environment, and when the mailboxes (or most the mailboxes) are moved to Office 365 upgrade your existing Exchange 2010 environment to Exchange 2016. But that might be an interesting topic for a future blog post Smile.

Basically, we will create the following configuration (again, there is no Exchange 2016 server installed in the existing organization):


Figure 14. Exchange 2010 hybrid configuration.

In February 2016 Microsoft released a new Office 365 Hybrid Configuration Wizard (HCW) for Exchange 2010, replacing the old HCW that was initiated from the Exchange Management Console. To start the new Hybrid Configuration Wizard logon to the Exchange 2010 server and go to to download and start the new HCW. This will automatically download the new HCW from Office 365, click Install to start the new HCW.

This will start the Hybrid Configuration Wizard that will configure the Hybrid configuration, or long term coexistence configuration between Exchange 2010 and Office 365. When the HCW wizard appears click Next to start the wizard.


The wizard will look in Active Directory for installed Exchange servers, and it will try to detect the optimal Exchange server to configure. Since Inframan has only one Exchange server it will automatically select this server.

When you click on the Office 365 Exchange Online dropdown box you’ll see an overview of all available Office 365 environments. For our environment, we should select the default Office 365 Worldwide. Click next to continue.


In the next window, enter the credentials of your Office 365 tenant administrator and if needed, change the credentials of your on-premises domain administrator and click next to continue.


The HCW will now login to both your on-premises Active Directory and your Office 365 tenant. If all goes well, you’ll see six green dots for Exchange and Office 365 (including ‘Succeeded’). Click next to continue.


Now there are two options:

  • Minimal Hybrid Configuration – This is a very minimal hybrid configuration that can be used for moving your mailboxes from Exchange 2010 to Exchange Online in a short amount of time, where a coexistence scenario is not needed. This can be used for smaller organizations that want to move to Office 365 at all, but keep Directory Synchronization in place.
  • Full Hybrid Configuration – As the name implies this is a true hybrid configuration with a long term coexistence scenario. You can easily move mailboxes back and forth, but also use secure mail between Exchange on-premises and Exchange online, use free/busy information cross-premises and use stuff like out-of-office information and mailtips.

For the Inframan organization (which requires a long-term coexistence) select Full Hybrid Configuration and click next to continue.


If you want to implement a hybrid configuration, a trust is needed between Exchange Online and Exchange on-premises. This is not something like a forest- or domain-trust as you see in Active Directory on-premises, but this is a Federation Trust. Before a Federation Trust is implemented, Microsoft must make sure you own the domain you want Microsoft to federate with (i.e. the domain). Click enable to continue and start the domain validation process.


The validation process is similar to the validation process when adding a new domain to Office 365, but instead of a simple ‘MS=ms123456’ text string a much more complex string needs to be added to public DNS. Click to copy to clipboard option to copy the text string to the clipboard of your computer. This contains the TXT records that needs to be added to your public DNS, and will be something like:


You can use NSLOOKUP to check if the new TXT record is available on the internet, and when it is check the I have created a TXT record for each token in DNS checkbox and click verify domain ownership.


The next window will be about configuring your Client Access servers and Mailbox servers for secure mail transport. You can leave this option default (typical), and in this scenario mail from Exchange Online to the Internet will be sent directly by the Exchange Online mail servers. If you select the Enable centralized mail transport option, you can configure the mail flow to use Exchange on-premises. In this scenario mail from Exchange Online sent to the Internet will always be sent via your Exchange on-premises organization. This lets you have full control over your inbound and outbound SMTP mail flow. One of my customers is actually doing this, and they perform DKIM signing on all outbound messages on-premises, even when messages originate from Exchange Online.

For Inframan we don’t use the centralized mail transport, click next to continue.


For secure mail between Exchange Online and Exchange on-premises we must select a Hub Transport server (in Exchange 2010) or a Mailbox server (in Exchange 2013/2016) to configure with Send and Receive Connectors. For mutual TLS, the Exchange servers also need to be configured with a valid 3rd party SSL certificate.

Again, in Inframan we only have one Exchange 2010 server which we can select using the drop-down box. Select the server and click next to continue.


Enter the public IP address that Exchange on-premises uses for inbound and outbound mail flow and click next to continue.

The HCW will no try to detect the SSL certificates on the Exchange server. One of these servers need to be used to enable mutual TLS. In this Exchange 2010 server I only have one SSL certificate with, the domain name is a Subject Alternative Name on this certificate.


Select this SSL certificate and click next to continue.

Enter the FQDN of your Exchange organization (i.e. the FQDN Exchange Online will use to connect to your Exchange environment) and click next to continue.

The HCW has now gathered enough information to configure the hybrid configuration. Click update to start the configuration of the hybrid configuration.


The status of the configuration is shown on the console:


After a couple of minutes the hybrid configuration wizard has finished. If all goes well no errors are generated and you can rate your experiences at the end of the wizard. If you are extremely satisfied you can rate five stars, and click close to finish the HCW.


You have now successfully configured a hybrid configuration with Exchange 2010 on-premises and Exchange Online. And… without using an Exchange 2016 server Smile

In my next blog I will discuss testing the hybrid configuration , and will discuss moving mailboxes from Exchange 2010 to Exchange Online.

Moving from Exchange 2010 to Office 365

There are a lot of articles on the Internet on how to create a hybrid environment, where Exchange 2016 is connected to Office 365. Now that’s fine, but when you’re running Exchange 2016 you most like are NOT going to move to Office 365 anytime soon I guess. If you are running Exchange 2010 chances are that you will move to Office 365 (soon), but there aren’t that much articles about moving from Exchange 2010 to Office 365. And a lot of the articles available don’t have the right approach I’m afraid, and will result in you (the customer) having to pay way too much money to your system integrator.

In this article, I’ll try to outline the recommended approach when moving from Exchange 2010 to Office 365 in a hybrid scenario. With Azure AD Connect for synchronization purposes. Cliffhanger: I’m not going to install Exchange 2016 into the existing Exchange 2010 environment Smile

Existing Exchange environment

Our organization is called Inframan and they have their own on-premises Exchange 2010 environment which they have been running for 5 years now without too much issues. There are internal Outlook clients using Outlook 2010 and higher, and there are external clients using Outlook Anywhere. There are also mobile clients using ActiveSync to connect to their Mailboxes. Of course, there is Outlook Web Access, but POP3 and IMAP4 are not used.


Figure 1. Overview of the Inframan Exchange 2010 environment.

Continue reading Moving from Exchange 2010 to Office 365

Disable automatic forwarding in Office 365

By default automatic forwarding and automatic replies of email messages is turned on in Exchange Online (Office 365). You can turn this of in the Exchange Admin Center of Exchange Online (

Logon using your tenant administrator, select mail flow in the navigation menu and select the remote domains tab.


Open the Default remote domain and deselect the Allow automatic replies and Allow automatic forwarding checkboxes under Automatic replies.


When you click Save automatic forwarding and automatic replies will be turned off in your Office 365 tenant. Please be aware that it can take some time before the settings becomes active (I think due to replication issue).

I’m speaking at IT/Dev Connections 2017

The IT/Dev Connections 2017 takes place in San Francisco from October 23-26. IT/Dev Connections is a highly technical and non blahblah event, delivered by professionals for professionals. To give you an idea, this is the only event (I think) that has no keynote sessions, just a small talk 5 minutes before the welcome drink on the first day of the event.

There are five technical tracks:

  • Cloud and Datacenter.
  • Data platform & business intelligence.
  • Enterprise Collaboration.
  • Enterprise Management, Mobility and Security.
  • Development and DEVOPS.

I’ve submitted a couple of sessions (surprisingly in the Enterprise Collaboration track) and I’m happy to announce two sessions were selected:

  • High Availability in a Microsoft federated infrastructure –
    October 25, 9:15 AM
  • Message Security – Is this legitimate email or not? –
    October 26, 8:30 AM

If you’d like to join me and other already confirmed speakers like Bert Wolters and Sander Berkouwer, use the following link to register!

The last 15 editions the event took place in Las Vegas, this is the first time it is NOT in Las Vegas but in San Francisco, in the Hilton San Francisco Union Square.

Want to know more? Any ideas or feedback? Just leave a comment below or drop me an email. I’m looking forward to see you all again in San Francisco!

Setting Calendar permissions right after mailbox creation

Customer is running Exchange 2013 with approx. 2500 mailboxes. When looking at calendars and sharing information through the availability service only the availability (free, busy or tentative) is shown. No details are shown by default.

Customer now request to publish more information so that users that want to schedule a meeting can see the details of other user’s appointments. This should not only be configured for existing users, but new users should receive this setting directly when provisioned.

For example, when configuring this for a user called Kim Akers ( for all users you can use the following Exchange PowerShell command:

Set-MailboxFolderPermission kima:\Calendar -User Default -AccessRights Reviewer

When scheduling a meeting with Kim Akers I can now see her appointment details in Outlook, and I can open the appointment to see all details (read-only) of this appointment as shown in the following two screenshots:



Note. Check the Set-MailboxFolderPermission article on Microsoft TechNet for all details regarding the permissions that can be assigned.

Continue reading Setting Calendar permissions right after mailbox creation