Tag Archives: HCW

Moving from Exchange 2010 to Office 365 Part II

In my previous blogpost, I’ve discussed the prerequisites for moving from Exchange 2010 to Office 365 when using Directory Synchronization (using Azure AD Connect). In this blogpost I’ll discuss how to create an Exchange 2010 hybrid environment.

Exchange 2010 Hybrid

Now that Directory Synchronization is in place using Azure AD Connect we can focus on connecting the on-premises Exchange environment to Exchange Online, this a called an Exchange Hybrid Configuration.

Hybrid configurations can consist of Exchange 2010, Exchange 2013 or Exchange 2016 or a combination of versions, so it is possible to have an Exchange 2010 and Exchange 2013 coexistence scenario on-premises, and connect this to Exchange Online. However, when using multiple versions of Exchange in a Hybrid configuration there’s always add complexity, and when configured incorrectly you can get unexpected results. Therefore, I typically recommend using only one version, so if you’re running Exchange 2010 on-premises, there’s no need to add an Exchange 2013 or Exchange 2016 server to your configuration, just as a ‘hybrid server’. Despite what other people tell you, there’s no need to add a newer version, and Exchange 2010 Hybrid is fully supported by Microsoft. Better is to create an Exchange 2010 hybrid environment, and when the mailboxes (or most the mailboxes) are moved to Office 365 upgrade your existing Exchange 2010 environment to Exchange 2016. But that might be an interesting topic for a future blog post Smile.

Basically, we will create the following configuration (again, there is no Exchange 2016 server installed in the existing organization):


Figure 14. Exchange 2010 hybrid configuration.

In February 2016 Microsoft released a new Office 365 Hybrid Configuration Wizard (HCW) for Exchange 2010, replacing the old HCW that was initiated from the Exchange Management Console. To start the new Hybrid Configuration Wizard logon to the Exchange 2010 server and go to https://aka.ms/HybridWizard to download and start the new HCW. This will automatically download the new HCW from Office 365, click Install to start the new HCW.

This will start the Hybrid Configuration Wizard that will configure the Hybrid configuration, or long term coexistence configuration between Exchange 2010 and Office 365. When the HCW wizard appears click Next to start the wizard.


The wizard will look in Active Directory for installed Exchange servers, and it will try to detect the optimal Exchange server to configure. Since Inframan has only one Exchange server it will automatically select this server.

When you click on the Office 365 Exchange Online dropdown box you’ll see an overview of all available Office 365 environments. For our environment, we should select the default Office 365 Worldwide. Click next to continue.


In the next window, enter the credentials of your Office 365 tenant administrator and if needed, change the credentials of your on-premises domain administrator and click next to continue.


The HCW will now login to both your on-premises Active Directory and your Office 365 tenant. If all goes well, you’ll see six green dots for Exchange and Office 365 (including ‘Succeeded’). Click next to continue.


Now there are two options:

  • Minimal Hybrid Configuration – This is a very minimal hybrid configuration that can be used for moving your mailboxes from Exchange 2010 to Exchange Online in a short amount of time, where a coexistence scenario is not needed. This can be used for smaller organizations that want to move to Office 365 at all, but keep Directory Synchronization in place.
  • Full Hybrid Configuration – As the name implies this is a true hybrid configuration with a long term coexistence scenario. You can easily move mailboxes back and forth, but also use secure mail between Exchange on-premises and Exchange online, use free/busy information cross-premises and use stuff like out-of-office information and mailtips.

For the Inframan organization (which requires a long-term coexistence) select Full Hybrid Configuration and click next to continue.


If you want to implement a hybrid configuration, a trust is needed between Exchange Online and Exchange on-premises. This is not something like a forest- or domain-trust as you see in Active Directory on-premises, but this is a Federation Trust. Before a Federation Trust is implemented, Microsoft must make sure you own the domain you want Microsoft to federate with (i.e. the Inframan.nl domain). Click enable to continue and start the domain validation process.


The validation process is similar to the validation process when adding a new domain to Office 365, but instead of a simple ‘MS=ms123456’ text string a much more complex string needs to be added to public DNS. Click to copy to clipboard option to copy the text string to the clipboard of your computer. This contains the TXT records that needs to be added to your public DNS, and will be something like:


You can use NSLOOKUP to check if the new TXT record is available on the internet, and when it is check the I have created a TXT record for each token in DNS checkbox and click verify domain ownership.


The next window will be about configuring your Client Access servers and Mailbox servers for secure mail transport. You can leave this option default (typical), and in this scenario mail from Exchange Online to the Internet will be sent directly by the Exchange Online mail servers. If you select the Enable centralized mail transport option, you can configure the mail flow to use Exchange on-premises. In this scenario mail from Exchange Online sent to the Internet will always be sent via your Exchange on-premises organization. This lets you have full control over your inbound and outbound SMTP mail flow. One of my customers is actually doing this, and they perform DKIM signing on all outbound messages on-premises, even when messages originate from Exchange Online.

For Inframan we don’t use the centralized mail transport, click next to continue.


For secure mail between Exchange Online and Exchange on-premises we must select a Hub Transport server (in Exchange 2010) or a Mailbox server (in Exchange 2013/2016) to configure with Send and Receive Connectors. For mutual TLS, the Exchange servers also need to be configured with a valid 3rd party SSL certificate.

Again, in Inframan we only have one Exchange 2010 server which we can select using the drop-down box. Select the server and click next to continue.


Enter the public IP address that Exchange on-premises uses for inbound and outbound mail flow and click next to continue.

The HCW will no try to detect the SSL certificates on the Exchange server. One of these servers need to be used to enable mutual TLS. In this Exchange 2010 server I only have one SSL certificate with CN=webmail.inframan.nl, the autodiscover.inframan.nl domain name is a Subject Alternative Name on this certificate.


Select this SSL certificate and click next to continue.

Enter the FQDN of your Exchange organization (i.e. the FQDN Exchange Online will use to connect to your Exchange environment) and click next to continue.

The HCW has now gathered enough information to configure the hybrid configuration. Click update to start the configuration of the hybrid configuration.


The status of the configuration is shown on the console:


After a couple of minutes the hybrid configuration wizard has finished. If all goes well no errors are generated and you can rate your experiences at the end of the wizard. If you are extremely satisfied you can rate five stars, and click close to finish the HCW.


You have now successfully configured a hybrid configuration with Exchange 2010 on-premises and Exchange Online. And… without using an Exchange 2016 server Smile

In my next blog I will discuss testing the hybrid configuration , and will discuss moving mailboxes from Exchange 2010 to Exchange Online.

412 Cookies are disabled

This blogpost is more a note to self, but sigh, I hate it when it does this…. show the 412 Cookies are Disabled error message when trying to open the Exchange Admin Center (EAC) in Exchange Online:


I’m not sure if this issue shows up every time, but at least it shows up when you want to configure an Exchange Hybrid Configuration and you select Hybrid in the On-Premises EAC and select Sign In to Office 365.

To solve this, select the Tools menu in Internet Explorer, select Internet Options and click the Privacy tab.

Lower the slider just one click to Low and click Apply or OK.


Now when you refresh the page in Internet Explorer it should continue with the Hybrid Configuration page:


Exchange 2013 Hybrid Configuration Wizard (Part II)

In my previous blog post I explained about an Exchange 2013 hybrid configuration, and what the prerequisites are for such a configuration and how to implement and configure one (or more) Exchange 2013 Hybrid servers.

In this blog post we’ll continue with the Hybrid Configuration and we will run the Hybrid Configuration Wizard (HCW) to actually create the Exchange 2013 Hybrid configuration.

Note. For simplicity I assume your Exchange 2013 is fully operational without any (certificate) issues on the Internet, which means you have configured all your Virtual Directories, Outlook Anywhere and Autodiscover. Everything must be working correctly to prevent any issues during configuration, possibly resulting in a misconfigured and not working hybrid configuration.

Run the Hybrid Configuration Wizard

Configuring Exchange 2013 is relatively easy and can be started from the Exchange Admin Center (EAC). The wizard that’s used here is known as the Hybrid Configuration Wizard (HCW) and in my experience a very stable (although there have been some glitches with the HCW in earlier CU’s of Exchange 2013) and efficient wizard, providing you have met all prerequisites of course.

Login to the Exchange 2013 Hybrid server and start the Exchange Admin Center locally. The reason for doing this locally on the server is that during the wizard some additional software needs to be installed for the OAuth part of the Hybrid configuration.

In the Exchange Admin Center in the navigation pane select hybrid. In the hybrid setup window click the enable button to initially enable the hybrid mode in your organization. The option My Office 365 organzation is hosted by 21Vianet should be left unchecked. Office 365 in China is hosted by 21Vianet so this option does not apply to us (unless you are in China and your organization is hosted by 21Vianet of course).


Continue reading Exchange 2013 Hybrid Configuration Wizard (Part II)