Exchange Server Deployment Assistant | https://technet.microsoft.com/ - technet.microsoft.com/ https://technet.microsoft.com/en-us/exdeploy2013/PrintChecklist?state=3229-W-DgAIAAA...

Welcome
Deployment Options
 
Topic Last Modified: 2019-04-05

The Exchange Server Deployment Assistant is your source for Exchange deployment technical guidance. Tell us what
kind of deployment you’re interested in, answer a few questions about your environment, and then view Exchange
deployment instructions created just for you.

Hybrid
Configure Exchange 2010,
2013, or 2016 to support both
on-premises users and cloud
users in Office 365

Important: The Exchange Deployment Assistant has a new home! The new Deployment Assistant is located at https://aka.ms/eda. If you're starting a new deployment, please head
over to the new Deployment Assistant. If you're in the middle of a deployment, don't worry! This site isn't going away right away. This site will remain available until the end of April,
2019. After that, however, you'll need to use the new Deployment Assistant at https://aka.ms/eda.

1 of 61 5/1/2019, 2:01 PM
Choose your deployment type


 

Exchange 2016
hybrid
Create an Exchange 2016-
based hybrid deployment

Current on-premises environment


 

What is your current on-premises Exchange environment?


Exchange Server 2016
Exchange Server 2013
Exchange Server 2010
I don’t have Exchange Server installed in my on-premises organization
 

Existing Office 365 plan


 

Have you signed up for Office 365 using a supported plan?


Before you can configure a hybrid deployment, you need to sign up for Office 365 using a supported Office 365 plan. All Office 365 Enterprise, Government, Nonprofit, and Education
plans support hybrid deployments. Office 365 Business and Home plans don’t support hybrid deployments. For more information about Office 365 plans that support hybrid
deployments, check out Compare Office 365 Plans.

Yes, I've signed up for an Office 365 plan that supports hybrid deployments
No, I either haven't signed up for Office 365, or my existing Office 365 plan doesn't support hybrid deployments

What does your Office 365 admin center look like?


The Office 365 admin center is getting a new look! Whether you see the new admin center depends on your Office 365 plan and whether you've signed up to see new features
earlier. Choose the picture below that matches what your admin center looks like. If you want to find out more about the new Office 365 admin center, check out About the Office
365 Admin Center Preview.

Authentication method
 

Do you want to synchronize user credentials to Office 365 or require authentication to be performed by your on-
premises Active Directory?
To help make your users' experience with Office 365 as seamless as possible, you need to configure single sign-on. Single sign-on lets users sign into Office 365 using the same
username and password that they use to sign into your on-premises organization. This means they only have to remember one username and password to access both their Office
365 mailbox and their on-premises network account, and reduces the administrative overhead involved with managing both organizations. There are a couple of different ways you
can implement single sign-on with Office 365:

Password synchronization   Password synchronization syncs a user's on-premises username and password with Azure Active Directory. Azure Active Directory is the directory
service that Office 365 uses to authenticate users trying to log in to your Office 365 organization. Any time a user's password is changed, the change is automatically
synchronized with Azure Active Directory and, in turn, Office 365.

This is the recommended choice for most organizations.

Active Directory Federation Services (AD FS)   AD FS directs authentication requests from users logging into your Office 365 organization to your on-premises Active
Directory domain controllers. Only after users successfully authenticate with your on-premises Active Directory are they allowed to access your Office 365 organization.

This choice should only be used by very large organizations with specific requirements or deployments, such as multiple Active Directory forests.

To help you choose the right option, check out Single sign-on with hybrid deployments to see the advantages and disadvantages of both choices.

Password synchronization (recommended)


AD FS
 

Deploy Edge Transport


 

Do you want mail sent between your Exchange Online and on-premises organizations to go through an Edge Transport
server?
An Edge Transport server is typically deployed on a computer located in an Exchange organization's perimeter network and is designed to minimize the attack surface of the
organization. If you don’t want to expose your internal Mailbox server to the Internet, answer Yes, and later we’ll show you how to add an Exchange 2016 Edge Transport server to
your hybrid deployment. The Edge Transport server works with internal Mailbox servers in the on-premises Exchange organization to route messages between the on-premises and
Exchange Online organizations.

Learn more about Edge Transport servers at Edge Transport servers with hybrid deployments.

Yes
No
 

Inbound mail routing


 

How do you want to route inbound Internet mail for both your on-premises and Office 365 mailboxes?
All inbound Internet messages for both the on-premises and Office 365 organizations can follow the same inbound route. You need to choose the route that you want these
messages to take. The choice you make determines where your mail exchanger (MX) record will point and other routing configuration options.

Learn more about mail routing in Exchange hybrid deployments at Transport routing in Exchange hybrid deployments.

Route all inbound Internet mail for both organizations through Office 365
Route all inbound Internet mail for both organizations through my on-premises Exchange servers
 

Prepare for Deployment

Navigate your checklist


 
Now that we’ve asked you a few questions about the type of deployment you want, it’s time to review how to use your Exchange deployment checklist.

How can I see my answers to the deployment questions?

That's easy. Simply expand the deployment questions section in the left menu of this page, and select a question to see how you answered it.

How can I change my answers?

Go to the deployment questions section in the left menu. Select the question you’d like to change the answer for, revise your answer, and then click Next. You can also click Start
Over at the top of any page. When you change your answers, you'll get a whole new checklist that's tailored to those answers.

How can I move through the checklist?

You can browse the checklist by clicking a step in the left pane or by using the Previous and Next buttons. While you can browse in any order you want, you do need to
complete the steps in the order shown.

What do I do when I finish a step?

Pat yourself on the back! Then you can move on to the next step by clicking Next.

How long will it take to complete the checklist?

Good question! It depends. The checklist is based on answers you gave to the questions about your environment, and because there are many possible combinations of answers, it’s
hard to know the total time it will take you to complete the entire process. Plus, you’ll need to do some planning before you start the configuration steps. However, to give you some
idea as to how long a step should take, we’ve included an estimate of time to complete at the beginning of each configuration step in your checklist.

What if I get interrupted?

You can exit the Exchange Server Deployment Assistant at any time and return to the same computer later to continue where you left off. Please be aware that if you access the
Deployment Assistant from a different computer, progress from your session on the original computer is not available.

Can I print this stuff?

Yes! See Print Checklist at the top of this page? Use that icon to print the entire deployment checklist. You can also use Print This Page at the bottom of each page to print
just a single checklist step.

Can I copy and paste?

You can copy the code examples while you’re in the checklist. Just click Copy in the code example to copy the code to your clipboard. For everything else, you can just highlight any
text passage and copy to your clipboard and paste into the text editor of your choice.

How do I tell you what I think about this?

We'd love to hear what you think of the Deployment Assistant. Your feedback is encouraged and welcome! See Feedback at the top of the page? Click it to send feedback to us
via email anytime.

Before you begin


 
Configuring a hybrid deployment in your organization provides many benefits. However, to enjoy those benefits, you'll need to first do some careful planning. Before you go any
further with the Deployment Assistant, we urge you to review this entire topic to make sure that you fully understand how configuring a hybrid deployment could affect your existing
network and Exchange organization.

Important:

To successfully configure your organization for a hybrid deployment, you need to sign up for Office 365 using a supported subscription plan. We’ll give you instructions to sign up
for Office 365 later in the checklist.

What is a hybrid deployment?

In the Deployment Assistant, a hybrid deployment is when you connect your Office 365 Exchange Online organization to your existing on-premises Exchange organization using the
Hybrid Configuration wizard. After configuring the hybrid deployment, the following features are enabled:

Secure mail routing between the on-premises and Exchange Online organizations.

Mail routing with a shared domain namespace. For example, both on-premises and Exchange Online organizations use the @contoso.com SMTP domain.

A unified global address list (GAL), also called a “shared address book,” showing full details of recipients.

Free/busy calendar information sharing between the organizations.

Centralized control of inbound and outbound mail flow. You can configure all inbound and outbound Exchange Online messages to be routed through the on-premises
Exchange organization.

A single Outlook on the web URL for both the organizations.

Automatic Exchange ActiveSync profile redirection when mailboxes are moved to Office 365 (dependent on device support).

The ability to move on-premises mailboxes to the Exchange Online organization and vice versa.

Centralized mailbox management using the on-premises Exchange Administration Center (EAC).

Message tracking, internal MailTips and Out of Office replies, and multi-mailbox search between the organizations.

Cloud-based message archiving for on-premises Exchange mailboxes. Exchange Online Archiving can be used with a hybrid deployment. Learn more about Exchange Online
Archiving at Microsoft Office 365 Additional Services.

Hybrid deployment components

A hybrid deployment involves several different services and components:

Exchange 2016 servers   The Exchange 2016 Mailbox server role is required in your on-premises Exchange organization. All on-premises Exchange 2016 servers need to have
the latest release of Exchange 2016, or the release immediately prior to the current release, installed to support hybrid functionality with Office 365. For example, if the current
release of Exchange 2016 is Cumulative Update 10, only that release, and Cumulative Update 9, are supported.

Office 365   Hybrid deployments are supported with Office 365 Enterprise, Government and Academic plans. Office 365 Business and Office 365 Home plans don’t support
hybrid deployments.

Hybrid Configuration wizard   Exchange 2016 includes the Hybrid Configuration wizard which provides you with a streamlined process to configure a hybrid deployment
between on-premises Exchange and Exchange Online organizations.

Learn more at: Hybrid Configuration wizard

Azure Active Directory synchronization   Azure AD synchronization uses Azure AD Connect to replicate on-premises Active Directory information for mail-enabled objects
to the Office 365 organization to support the unified global address list (GAL) and user authentication. Organizations configuring a hybrid deployment need to deploy Azure
AD Connect on a separate, on-premises server to synchronize your on-premises Active Directory with Office 365.

Learn more at: Azure AD Connect - Overview

Hybrid deployment example

Take a look at the following scenario. It's an example topology that provides an overview of a typical Exchange 2016 deployment. Contoso, Ltd. is a single-forest, single-domain
organization with two domain controllers and one Exchange 2016 server installed. Remote Contoso users use Outlook on the web to connect to Exchange 2016 over the Internet to
check their mailboxes and access their Outlook calendar.

Let's say that you’re the network administrator for Contoso, and you’re interested in configuring a hybrid deployment. You deploy and configure a required Azure AD Connect server
and you also decide to use the Azure AD Connect password synchronization feature to let users use the same credentials for both their on-premises network account and their Office
365 account. After you complete the hybrid deployment prerequisites and use the Hybrid Configuration wizard to select options for the hybrid deployment, your new topology has
the following configuration:

Users will use the same username and password for logging on to the on-premises and Exchange Online organizations (“single sign-on”).

User mailboxes located on-premises and in the Exchange Online organization will use the same email address domain. For example, mailboxes located on-premises and
mailboxes located in the Exchange Online organization will both use @contoso.com in user email addresses.

All outbound mail is delivered to the Internet by the on-premises organization. The on-premises organization controls all messaging transport and serves as a relay for the
Exchange Online organization (“centralized mail transport”).

On-premises and Exchange Online organization users can share calendar free/busy information with each other. Organization relationships configured for both organizations
also enable cross-premises message tracking, MailTips, and message search.

On-premises and Exchange Online users use the same URL to connect to their mailboxes over the Internet.

If you compare Contoso's existing organization configuration and the hybrid deployment configuration, you'll see that configuring a hybrid deployment has added servers and
services that support additional communication and features that are shared between the on-premises and Exchange Online organizations. Here's an overview of the changes that a
hybrid deployment has made from the initial on-premises Exchange organization.

 
| Configuration | Before hybrid deployment | After hybrid deployment |
| --- | --- | --- |
| Mailbox location | Mailboxes on-premises only. | Mailboxes on-premises and in Office 365. |
| Message transport | On-premises Mailbox servers handle all inbound and outbound message routing. | On-premises Mailbox servers handle internal message routing between the on-premises and Office 365 organization. |
| Outlook on the web | On-premises Mailbox servers receive all Outlook on the web requests and display mailbox information. | On-premises Mailbox servers redirect Outlook on the web requests to either on-premises Exchange 2016 Mailbox servers or provide a link to log on to Office 365. |
| Unified GAL for both organizations | Not applicable; single organization only. | On-premises Active Directory synchronization server replicates Active Directory information for mail-enabled objects to Office 365. |
| Single sign-on used for both organizations | Not applicable; single organization only. | On-premises Active Directory and Office 365 use the same username and password for mailboxes located either on-premises or in Office 365. |
| Organization relationship established and a federation trust with Azure AD authentication system | Trust relationship with the Azure AD authentication system and organization relationships with other federated Exchange organizations may be configured. | Trust relationship with the Azure AD authentication system is required. Organization relationships are established between the on-premises and Office 365. |
| Free/busy sharing | Free/busy sharing between on-premises users only. | Free/busy sharing between both on-premises and Office 365 users. |

Things to consider before configuring a hybrid deployment

Now that you're a little more familiar with what a hybrid deployment is, you need to carefully consider some important issues. Configuring a hybrid deployment could affect multiple
areas in your current network and Exchange organization.

Directory synchronization and single sign-on

Active Directory synchronization between the on-premises and Office 365 organizations, which is performed every 30 minutes by a server running Azure Active Directory Connect, is
a requirement for configuring a hybrid deployment. Directory synchronization enables recipients in either organization to see each other in the global address list. It also
synchronizes usernames and passwords which enables users to log in with the same credentials in both your on-premises organization and in Office 365. We'll show you how to set
up Azure AD Connect later in the checklist.

All customers of Azure Active Directory and Office 365 have a limit of 50,000 objects (users, mail-enabled contacts, and groups) by default. This limit determines how many objects
you can create in your Office 365 organization. When you verify your first domain, this object limit is automatically increased to 300,000 objects. If you have verified a domain and
need to synchronize more than 300,000 objects or you do not have any domains to verify, and need to synchronize more than 50,000 objects, you will need to contact Azure Active
Directory Support to request an increase to your object quota limit.
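
One way to size your directory against the quotas above before you deploy Azure AD Connect. This is an added example, not part of the original Deployment Assistant text; it assumes the ActiveDirectory PowerShell module is installed, that the whole domain is in synchronization scope, and the function name Get-SyncObjectEstimate is hypothetical.

```powershell
# Added example: estimate how many objects directory synchronization could send
# to Office 365 and compare the total with the default quotas quoted above
# (50,000 objects, or 300,000 once a domain has been verified).
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-SyncObjectEstimate {
    param(
        # Assumption: the whole domain is in sync scope; pass an OU DN to narrow it.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # Set to $true once at least one domain has been verified in Office 365.
        [bool]$DomainVerified = $false
    )

    # The object types the text counts against the quota.
    $filters = [ordered]@{
        Users               = '(&(objectCategory=person)(objectClass=user))'
        MailEnabledContacts = '(&(objectClass=contact)(mail=*))'
        Groups              = '(objectClass=group)'
    }

    $counts = [ordered]@{}
    foreach ($name in $filters.Keys) {
        $found = Get-ADObject -LDAPFilter $filters[$name] -SearchBase $SearchBase `
            -SearchScope Subtree -ResultSetSize $null
        $counts[$name] = @($found).Count
    }

    $total = [int]($counts.Values | Measure-Object -Sum).Sum
    $quota = if ($DomainVerified) { 300000 } else { 50000 }

    [pscustomobject]@{
        Users               = $counts.Users
        MailEnabledContacts = $counts.MailEnabledContacts
        Groups              = $counts.Groups
        Total               = $total
        Quota               = $quota
        Headroom            = $quota - $total
        PercentOfQuota      = [math]::Round(100 * $total / $quota, 1)
        # Over quota means a support request is needed before synchronizing.
        OverQuota           = $total -gt $quota
    }
}

# Upper-bound estimate: disabled and service accounts are counted as well.
Get-SyncObjectEstimate -DomainVerified $true | Format-List
```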

Hybrid deployment management

You manage a hybrid deployment in Exchange 2016 via a single unified management console that allows for managing both your on-premises and Exchange Online organizations.
The Exchange admin center (EAC), which replaces the Exchange Management Console and the Exchange Control Panel, allows you to connect and configure features for both
organizations. When you run the Hybrid Configuration wizard for the first time, you will be prompted to connect to your Exchange Online organization. You need to use an Office 365
account that is a member of the Organization Management role group to connect the EAC to your Exchange Online organization.

Certificates

Secure Sockets Layer (SSL) digital certificates play a significant role in configuring a hybrid deployment. They help to secure communications between the on-premises hybrid server
and the Exchange Online organization. Certificates are a requirement to configure several types of services like AD FS (if you're deploying it), Outlook on the web and Exchange
ActiveSync, secure mail flow, and so on. You may have to purchase additional certificates that include additional domains from a trusted third-party certificate authority (CA).

Learn more at: Certificate requirements for hybrid deployments
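
A pre-flight check for the certificate points above: which certificates are bound to IIS and SMTP, whether they come from a CA rather than being self-signed, whether they are close to expiry, and whether they include the host names your hybrid endpoints will use. This is an added example, not part of the original Deployment Assistant text; the host names, the 30-day threshold and the helper Test-NameCovered are assumptions for illustration.

```powershell
# Added example. Run in the Exchange Management Shell on an on-premises
# Exchange 2016 server.
$RequiredNames = @('mail.contoso.com', 'autodiscover.contoso.com')  # assumed host names
$WarnDays      = 30                                                  # assumed threshold

# Returns $true when $Name is listed on the certificate, either exactly or
# through a wildcard entry. A wildcard covers exactly one DNS label.
function Test-NameCovered {
    param([string]$Name, [string[]]$CertDomains)
    foreach ($domain in $CertDomains) {
        if ($domain -eq $Name) { return $true }
        if ($domain.StartsWith('*.')) {
            $suffix = $domain.Substring(1)   # "*.contoso.com" -> ".contoso.com"
            if ($Name.EndsWith($suffix, [System.StringComparison]::OrdinalIgnoreCase)) {
                $label = $Name.Substring(0, $Name.Length - $suffix.Length)
                if ($label -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS|SMTP' } |
    ForEach-Object {
        $cert     = $_
        $domains  = @($cert.CertificateDomains | ForEach-Object { "$_" })
        $missing  = @($RequiredNames | Where-Object { -not (Test-NameCovered $_ $domains) })
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

        $issues = @()
        if ($cert.IsSelfSigned)      { $issues += 'self-signed, not issued by a third-party CA' }
        if ($cert.Status -ne 'Valid') { $issues += "status is $($cert.Status)" }
        if ($daysLeft -lt $WarnDays) { $issues += "expires in $daysLeft days" }
        if ($missing.Count -gt 0)    { $issues += "does not cover: $($missing -join ', ')" }

        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Services   = "$($cert.Services)"
            NotAfter   = $cert.NotAfter
            Domains    = $domains -join ', '
            Issues     = if ($issues) { $issues -join '; ' } else { 'none' }
        }
    } | Format-List
```

The self-signed certificate that Exchange Setup creates will appear in the output with issues; what matters is that at least one CA-issued certificate bound to the services you publish reports none.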

Bandwidth

Your network connection to the Internet will directly impact the communication performance between your on-premises organization and the Office 365 organization. This is
particularly true when moving mailboxes from your on-premises Exchange 2016 server to the Office 365 organization. The amount of available network bandwidth, in combination
with mailbox size and the number of mailboxes moved in parallel, will result in varied times to complete mailbox moves. Additionally, other Office 365 services, such as SharePoint
Online and Skype for Business Online, may also affect the available bandwidth for messaging services.

Before moving mailboxes to Office 365, you should:

Determine the average mailbox size for mailboxes that will be moved to Office 365.

Determine the average connection and throughput speed for your connection to the Internet from your on-premises organization.

Calculate the average expected transfer speed, and plan your mailbox moves accordingly.

Learn more at: Networking

Mail flow

Important:

Don't place any servers, services, or devices between your on-premises Exchange servers and Office 365 that process or modify SMTP traffic. Secure mail flow between your
on-premises Exchange organization and Office 365 depends on information contained in messages sent between the organizations. Firewalls that allow SMTP traffic on TCP port 25
through without modification are supported. If a server, service, or device processes a message sent between your on-premises Exchange organization and Office 365, this
information is removed. If this happens, the message will no longer be considered internal to your organization and will be subject to anti-spam filtering, transport and journal
rules, and other policies that may not apply to it.

For more information, see Transport options in Exchange hybrid deployments.

Organization Policies

When you run the Hybrid Configuration Wizard, you can choose whether it should copy over organization-wide policies from your on-premises organization to Office 365. The
wizard can copy Retention policies, Retention policy tags, OWA Mailbox policies, and Mobile Device Mailbox policies.

Note:

Policies other than the ones listed above aren't copied by the wizard and need to be copied to Office 365 manually. For a list of policies and attributes copied by the wizard, see
Organization Configuration Transfer Attributes.

When the wizard copies policies to Office 365, it'll check to see if a policy with the same name already exists there. If a policy does exist, the wizard won't copy the version from your
on-premises organization. For example, if you already have an OWA Mailbox policy named "Executive Users" in Office 365, the wizard won't copy the "Executive Users" OWA Mailbox
policy from your on-premises organization. You'll need to either rename the policy in Office 365 or manually configure the "Executive Users" OWA Mailbox policy in Office 365. This
includes any default policies that already exist in Office 365.

Some policy settings in Office 365 can't be changed, even if they can be in an on-premises organization. If the wizard tries to copy a setting to Office 365, and the policy setting in
Office 365 is read-only, the on-premises value won't be copied.

Unified Messaging

Unified Messaging (UM) is supported in a hybrid deployment between your on-premises and Office 365 organizations. Your on-premises telephony solution must be able to
communicate with Office 365. This may require that you purchase additional hardware and software.

If you want to move mailboxes from your on-premises organization to Office 365, and those mailboxes are configured for UM, you should configure UM in your hybrid deployment
prior to moving those mailboxes. If you move mailboxes before you configure UM in your hybrid deployment, those mailboxes will no longer have access to UM functionality.

Learn more at: Plan for UM Coexistence

Information Rights Management

Information Rights Management (IRM) enables users to apply Active Directory Rights Management Services (AD RMS) templates to messages that they send. AD RMS templates can
help prevent information leakage by allowing users to control who can open a rights-protected message, and what they can do with that message after it's been opened.

IRM in a hybrid deployment requires planning, manual configuration of the Office 365 organization, and an understanding of how clients use AD RMS servers depending on whether
their mailbox is in the on-premises or Exchange Online organization.

Learn more at: IRM in Exchange hybrid deployments

Mobile devices

Mobile devices are supported in a hybrid deployment. If Exchange ActiveSync is already enabled on your existing servers, they’ll continue to redirect requests from mobile devices to
mailboxes located on the on-premises Mailbox server. For mobile devices connecting to existing mailboxes that are moved from the on-premises organization to Office 365,
Exchange ActiveSync profiles will automatically be updated to connect to Office 365 on most phones. All mobile devices that support Exchange ActiveSync should be compatible with
a hybrid deployment.

Learn more at: Mobile Phones

Client requirements

We recommend that your clients use Outlook 2016 or Outlook 2013 for the best experience and performance in the hybrid deployment. Pre-Outlook 2010 clients aren't supported in
hybrid deployments or with Office 365.

Licensing for Office 365

To create mailboxes in, or move mailboxes to, Office 365, you need to sign up for Office 365 for enterprises and you must have licenses available. When you sign up for Office 365,
you'll receive a specific number of licenses that you can assign to new mailboxes or mailboxes moved from the on-premises organization. Each mailbox in Office 365 must have a
license.

Antivirus and anti-spam services

Mailboxes moved to Office 365 are automatically provided with antivirus and anti-spam protection by Exchange Online Protection (EOP), a service provided by Office 365. You may
need to purchase additional EOP licenses for your on-premises users if you chose to route all incoming Internet mail through the EOP service. We recommend that you carefully
evaluate whether the EOP protection in your Office 365 is also appropriate to meet the antivirus and anti-spam needs of your on-premises organization. If you have protection in
place for your on-premises organization, you may need to upgrade or configure your on-premises antivirus and anti-spam solutions for maximum protection across your
organization.

Learn more at: Anti-spam and anti-malware protection

Public folders

Public folders are supported in Office 365, and on-premises public folders can be migrated to Office 365. Both on-premises and Office 365 users can access public folders located in
either organization using Outlook on the web, Outlook 2016, Outlook 2013, or Outlook 2010 SP2 or newer. Existing on-premises public folder configuration and access for on-
premises mailboxes doesn’t change when you configure a hybrid deployment.

Learn more at: Public folders

Accessibility

For information about keyboard shortcuts that may apply to the procedures in this checklist, see Keyboard shortcuts in the Exchange admin center.

Verify prerequisites
 
Before you go any further with the Deployment Assistant, make sure that your organization's operating systems, hardware, software, clients, and other elements meet the
requirements for configuring a hybrid deployment between your on-premises organization and Office 365. If they don't, you won't be able to complete the steps in the Deployment
Assistant and you won't be able to successfully configure the hybrid deployment for your organization.

Learn more at: Hybrid deployment prerequisites

To successfully configure your current on-premises Exchange organization for a hybrid deployment, you’ll need the following components.

Servers

At a minimum, you’ll need the following hybrid deployment components:

One or more Exchange 2016 servers configured with the Mailbox server role. All on-premises Exchange 2016 servers must have the latest release, or the immediately previous
release, of Exchange 2016 installed to support hybrid functionality with Office 365. For more information, see Install the Exchange 2016 Mailbox role using the Setup wizard.

Tip:

We highly recommend deploying more than one Exchange 2016 server in your on-premises organization to help increase reliability and availability of hybrid deployment
features.

An Active Directory synchronization server running Azure Active Directory Connect.

Exchange 2016 servers

Exchange 2016 servers configured in a hybrid deployment have the same system requirements as standard Exchange 2016 deployments.

Learn more at: Exchange 2016 System Requirements

Azure Active Directory Connect server

You must deploy a server running Azure Active Directory Connect to synchronize mail-enabled Active Directory objects to the Office 365 organization to support a unified global
address list (GAL) between your on-premises Exchange and Exchange Online organizations.

Note:

Office 365 has an upper limit for replicating mail-enabled Active Directory objects to the cloud-based organization of 50,000 objects. If your Active Directory environment
contains more than 50,000 objects, contact the Microsoft Online Services support team to open a service request for an exception and indicate the number of objects you need to
synchronize.

Learn more at: Prerequisites for Azure Active Directory Connect

Existing directory servers

In the Active Directory site where your existing Exchange 2016 servers are deployed, you must have at least one writeable domain controller running any of the following:

Windows Server 2012 R2 Standard or Datacenter

Windows Server 2012 Standard or Datacenter

Windows Server 2008 R2 Standard or Enterprise

Windows Server 2008 R2 Datacenter RTM or later

Windows Server 2008 Standard, Enterprise, or Datacenter

Additionally, the Active Directory forest must be Windows Server 2008 forest functional level or higher.

Learn more at: Exchange 2016 System Requirements

Having problems? Ask for help in the Office 365 forums. To access the forums, you'll need to sign in using an account that's granted administrator access to your cloud-based service.
Visit the forums at: Office 365 Forums


Collect information
 
To configure a hybrid deployment between your on-premises Exchange organization and the Exchange Online organization, you're going to need information about your current
deployment. We suggest that you print this step so you can record your organization's information and have easy access to it as you go through the checklist. (See Print This Page 
at the bottom of this page.)

Learn more at: Exchange Server Hybrid Deployments

You can use the following table to gather information about your existing organization that you're going to need before you get started. When you're working through your
checklist, replace the example information that you see in the checklist with the information you've provided in this table. For example, if the external fully qualified domain name
(FQDN) of your Exchange 2016 server is exchange.adatum.com, enter that FQDN in the "Value in your organization" field.

 
| Description | Example value in checklist | Value in your organization |
|---|---|---|
| Active Directory forest root | corp.contoso.com | |
| Internal Exchange 2016 Mailbox server host name | EX2016 | |
| External Exchange 2016 Mailbox server FQDN | mail.contoso.com | |
| Existing or proposed internal Exchange 2016 Edge Transport server host name¹ | Edge | |
| Existing or proposed external Exchange 2016 Edge Transport server FQDN¹ | edge.contoso.com | |
| Primary SMTP namespace | contoso.com | |
| User principal name domain | contoso.com | |
| Microsoft Online ID domain | | |

¹ Only used if you chose to deploy an Edge Transport server.

The following table lists new services that you configure as part of the hybrid deployment. Replace contoso.com with your domain name for the values you provide in the table.


| Description | Example value in checklist | Value in your organization |
|---|---|---|
| Internal Azure AD Connect server host name | AADConnect | |
| Internal Azure AD Connect with AD FS web proxy server host name (only for organizations choosing to deploy AD FS)² | WebProxy | |
| External Azure AD Connect with AD FS FQDN (only for organizations choosing to deploy AD FS)² | sts.contoso.com | |
| On-premises Autodiscover FQDN | autodiscover.contoso.com | |
| Service tenant FQDN | contoso.onmicrosoft.com | |

Note: You can only choose the subdomain portion of the service tenant FQDN. The domain portion must be "onmicrosoft.com".

² Only used if you chose to configure Active Directory Federation Services.

Having problems? Ask for help in the Office 365 forums. To access the forums, you'll need to sign in using an account that's granted administrator access to your cloud-based service.
Visit the forums at: Office 365 Forums


Configure Hybrid Deployment Prerequisites


Add primary SMTP domain to Office 365


 
Estimated time to complete: 20 minutes

You need to configure Office 365 with the primary SMTP namespace of your on-premises Exchange organization. This namespace will be shared between recipients in your on-
premises Exchange organization and recipients in Office 365. The primary SMTP namespace is the email address domain that you've configured as the default reply address for your
on-premises Exchange organization. For example, if a user's reply address is david@contoso.com, the primary SMTP namespace of the on-premises Exchange organization is
contoso.com.

Just a reminder: When you started the Deployment Assistant, you answered that you're using Office 365 admin center (classic), shown below. If your portal doesn't look like this,
you can change your answer. In the Deployment Assistant's navigation pane, open Welcome and then select Existing Office 365 plan. Select the picture that matches your portal
and click Next. Then you can come back to this step and continue on.

How do I do this?

Perform the following steps to add the primary SMTP namespace to Office 365:

1. Log on to: Office 365 admin center

2. Click Domains > Add a domain > Let's get started.

3. Enter the primary SMTP namespace. For example, contoso.com. Then, click Next.

4. Follow the instructions provided to verify your domain ownership. When complete, wait 15 minutes and then click Okay, I've added the record. If the wizard says it can't
verify your domain ownership, you might need to wait longer for your DNS records to update across the Internet; this might take several hours. Also verify that the record you
created is correct.


5. Step through the rest of the wizard, responding Skip this step to each page.

6. When you're ready to set up your DNS records, click Next.

7. Select No, I have an existing website or prefer to manage my own DNS records and click Next.

8. Select the services you want to use in your Office 365 organization. At minimum, you need to select Outlook on the web for email, calendar, and contacts. Click Next.

9. Don't update your DNS records when told to do so in this step. Instead, you'll update your DNS records later in your hybrid deployment. For now, click Okay, I've added the
records. The new domain wizard will tell you that some DNS records need to be fixed; this is expected. Click Ignore these errors, then Finish.

Caution:

Updating your DNS records to the values provided in this step may cause messages sent to your organization to be returned as undeliverable. You'll update your DNS
records later in the checklist to values that are compatible with your hybrid deployment.

How do I know this worked?

To verify that you've successfully added the primary SMTP namespace of your on-premises Exchange organization as a domain in Office 365, do the following:

1. Log on to: Office 365 admin center

2. Click Domains.

3. Confirm that the domain you added is shown in the list of domains.

Having problems? Ask for help in the Office 365 forums. To access the forums, you'll need to sign in using an account that's granted administrator access to your cloud-based service.
Visit the forums at: Office 365 Forums


Configure Azure Active Directory Connect


 
Estimated time to complete: 20 minutes

Active Directory synchronization using Azure Active Directory Connect with password sync between your on-premises organization and the Office 365 organization enables a unified
global address list (GAL), gives you the ability to manage all Active Directory user accounts on-premises, and synchronizes your users' account credentials. Enabling password sync
lets your users log into their Office 365 account using the same username and password that they use when they log into your on-premises network. All account changes synchronize
automatically to the Office 365 organization.

How do I do this?

1. Download Azure Active Directory Connect on the computer where you'll install it, and then open it.

2. On the Welcome page, click Continue if you agree to the license terms and privacy notice.

3. On the Express Settings page, click Use express settings.

4. On the Connect to Azure AD page, enter the username and password for a user account that is a Global Administrator in your Office 365 organization, and then click Next.

5. On the Connect to AD DS page, enter the username and password for a user account in your on-premises organization that is an Enterprise Administrator, and then click
Next.

6. On the Ready to configure page, select both Start the synchronization process as soon as the configuration completes and Exchange hybrid deployment, and then
click Install.

At this point, Azure AD Connect will synchronize your on-premises user accounts and their information, including passwords, to your Office 365 organization. Depending on
how many accounts need to be synchronized, this might take a while.

7. On the Configuration complete page, click Exit.

After the initial full synchronization completes, Azure AD Connect will perform an incremental synchronization every 30 minutes. We don't support changing this interval.

How do I know this worked?

Log on to the administration portal for your Office 365 organization, and verify that all on-premises Active Directory user accounts settings have been replicated to the Office 365
organization:


1. Log on to your Office 365 admin center

2. Click Users and then Active Users to verify that your on-premises users are listed on the Office 365 organization.

Note:

Just because a user account is displayed here doesn't mean that the user mailbox has been moved to Office 365. The displayed accounts represent only that an Office 365
account has been created for a user and that the account information has been synchronized from the on-premises organization.

Having problems? Ask for help in the Office 365 forums. To access the forums, you'll need to sign in using an account that's granted administrator access to your cloud-based service.
Visit the forums at: Office 365 Forums


Verify tenant configuration


 
Estimated time to complete: 10 minutes

Now that you've configured Active Directory synchronization between your on-premises organization and the Office 365 organization, it's time to make sure that everything is
working correctly.

The steps below create a new test user in your on-premises organization. Active Directory synchronization is working correctly if the user is automatically synchronized to the
Office 365 organization. Single sign-on is working correctly if, after synchronization is complete and the user is assigned a license, you can log on to the Exchange Online-based
Outlook on the web using the user's on-premises credentials.

Important:

After a user is assigned a license, a mailbox is created for the user in the Exchange Online organization if the user doesn't have an on-premises mailbox. This is why it's important,
for this test, to make sure that the user you create in the on-premises organization isn't configured with an on-premises mailbox.

How do I do this?

To create a mailbox in the Exchange Online organization, do the following:

1. Open Active Directory Users and Computers on an Active Directory domain controller in your on-premises organization.

2. Expand the container or organizational unit (OU) where you want to create a new Active Directory user.

3. Click Action in the menu bar, and then click New > User.

4. Enter the required user information. Because this user will be associated with a test mailbox, we recommend that you clearly identify the user as such. For example, name the
user "Test User".

5. In the User logon name field, provide the user name that the user should specify when logging into their user account. This user name, combined with the user principal
name (UPN) in the drop-down box next to the User logon name field, makes up the Microsoft Online Identity of the user. The Microsoft Online Identity typically matches the
user's email address, and the domain suffix chosen should match the federated domain configured in Active Directory Federation Services. For example,
testuser@contoso.com. Click Next.

6. Enter a password for the new user, specify any options you want to set, and then click Next.

7. Click Finish.


8. Wait for directory synchronization to synchronize the new user to the Office 365 organization.

Note:

By default, after initial synchronization, directory synchronization runs once every 30 minutes. To force immediate directory synchronization, open Windows PowerShell
on the Active Directory synchronization server and run the following command.

Start-ADSyncSyncCycle -PolicyType Delta

9. Log on to: Office 365 service administration portal

10. Assign a license to the new user. Learn more at: Activate synced users

How do I know this worked?

To verify that you've created a test mailbox and that the mailbox is accessible in the cloud-based organization, do the following:

1. Log on to: Office 365 service administration portal

2. Verify that the user has been synchronized to the Office 365 service directory. If the user has synchronized correctly, the user will appear in the user list in the administration
portal.

3. Verify that the user has an associated license by doing the following:

1. Click the name of the user to open the user's property information.

2. Click Licenses to view the licenses available to the user. If a license has been assigned to the user, the check box next to the license will be selected.

4. Log out of the administration portal, and close your browser window.

5. Open a new browser window, and attempt to log on to the user's mailbox by browsing to the Exchange Online organization's Outlook on the web URL,
https://outlook.com/owa/contoso.com, and logging on with the user's credentials.

Having problems? Ask for help in the Office 365 forums. To access the forums, you'll need to sign in using an account that's granted administrator access to your cloud-based service.
Visit the forums at: Office 365 Forums


Configure DNS
 
Estimated time to complete: 5 minutes

To enable Outlook 2016, Outlook 2013, Outlook 2010, and mobile clients to connect to mailboxes in Office 365, you need to configure an Autodiscover record on your public DNS.
Autodiscover automatically configures client settings so that users don't need to know server names or other technical details to configure their mail profiles. We also recommend
that you configure a Sender Policy Framework (SPF) record to ensure that destination email systems trust messages sent from your domain via your on-premises servers and Office
365.

How do I create an Autodiscover and SPF DNS record?

You need to configure the following public DNS records to enable Autodiscover lookups for the on-premises organization, allow Office 365 to connect to a Mailbox server, and
ensure that all the messages from your domain appear to originate from Office 365:

Autodiscover record: The Autodiscover DNS record for your on-premises organization needs to refer requests for autodiscover.contoso.com to your on-premises Mailbox
servers. You can use either a CNAME DNS record or an A DNS record. A CNAME DNS record must refer to the FQDN of an on-premises Exchange 2016 server that has the
Mailbox server role installed. An A DNS record must point to the external IP address of an Exchange 2016 Mailbox server or your firewall, depending on your network
configuration.

SPF record: The SPF record for your organization uses the Sender ID Framework. The Sender ID Framework is an email authentication protocol that helps prevent spoofing
and phishing by verifying the domain name from which email messages are sent. Sender ID validates the origin of email messages by verifying the IP address of the sender
against the alleged owner of the sending domain.

This table shows examples of the public DNS records that you need to configure for your hybrid deployment.

 
| Hybrid requirement | DNS record | DNS record type | Target and value |
|---|---|---|---|
| Required for all hybrid deployments | autodiscover.contoso.com | CNAME or A | If using CNAME DNS: mail.contoso.com. If using A DNS: External IP address of an Exchange 2016 Mailbox server or firewall |
| Recommended as a best practice for all hybrid deployments | SPF | TXT | v=spf1 include:spf.protection.outlook.com ~all |

Refer to your public DNS host's Help for more information about how to add a CNAME or TXT record to your DNS zone.

How do I know this worked?

To verify that you've configured the Autodiscover DNS record for the on-premises organization correctly, do the following on an Internet-accessible computer that can perform DNS
lookups.

Important:

Depending on your DNS configuration, it may take an hour or more for changes to DNS to replicate across the Internet.

1. Open a Windows command prompt.

2. Run the following command.

nslookup autodiscover.contoso.com

Information similar to the following example should be returned if you've correctly configured the DNS CNAME record. If you’ve configured a DNS A record, your results may be
different. The IP address returned will be different than the address in the example below.

Server: dns.corp.contoso.com
Address: 192.168.1.10

Non-authoritative answer:
Name: mail.contoso.com
Address: 65.55.94.54
Aliases: autodiscover.contoso.com

To validate that you’ve configured the SPF record correctly, verify that you’ve correctly entered the TXT record value listed in the table above.
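The nslookup step above covers only the Autodiscover record. The following PowerShell is an added example, not part of the Deployment Assistant, that checks both records from the table with Resolve-DnsName; the function names are hypothetical, the sample TXT values are constructed, and the SPF check goes one step beyond the checklist by flagging a domain that publishes more than one v=spf1 record.

```powershell
# Added example, not part of the Deployment Assistant.
# contoso.com and mail.contoso.com are the checklist's example values.

# Pure check of the TXT strings published for the primary SMTP namespace.
function Test-SpfTxt {
    param(
        [string[]] $TxtRecords = @(),
        [string] $Include = 'spf.protection.outlook.com'   # value from the table above
    )
    $spf = @($TxtRecords | Where-Object { $_ -match '^v=spf1(\s|$)' })
    if ($spf.Count -eq 0) { return 'Fail: no v=spf1 TXT record is published' }
    if ($spf.Count -gt 1) {
        # RFC 7208: more than one SPF record is a permanent error for receivers.
        return "Fail: $($spf.Count) v=spf1 records are published; merge them into one"
    }
    $terms = $spf[0] -split '\s+'
    if ($terms -notcontains "include:$Include") {
        return "Fail: record does not contain include:$Include"
    }
    $all = $terms | Where-Object { $_ -match '^[+?~-]?all$' } | Select-Object -Last 1
    if (-not $all) { return 'Review: record has no "all" mechanism' }
    if ($all -in '+all', 'all') { return "Review: '$all' authorizes every sender" }
    return "OK: single record, include:$Include present, ends with $all"
}

# Live lookup of both records. Needs DNS access; -Server is optional.
function Test-HybridDns {
    param(
        [Parameter(Mandatory)] [string] $Domain,        # primary SMTP namespace
        [Parameter(Mandatory)] [string] $MailboxFqdn,   # external Mailbox server FQDN
        [string] $Server                                # resolver to query (assumption)
    )
    $query = @{ DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $query.Server = $Server }

    try {
        $answer = @(Resolve-DnsName @query -Name "autodiscover.$Domain" -Type A |
            Where-Object { $_.Section -eq 'Answer' })
        $cname = @($answer | Where-Object { $_.Type -eq 'CNAME' })
        $ips   = @($answer | Where-Object { $_.Type -eq 'A' } |
            ForEach-Object { $_.IPAddress })
        if ($ips.Count -eq 0) {
            $auto = 'Fail: the name does not resolve to an address'
        } elseif ($cname.Count -eq 0) {
            $auto = "Review: A record -> $($ips -join ', '); confirm it is your Mailbox server or firewall"
        } elseif ($cname[0].NameHost.TrimEnd('.') -ieq $MailboxFqdn) {
            $auto = "OK: CNAME -> $MailboxFqdn ($($ips -join ', '))"
        } else {
            $auto = "Review: CNAME -> $($cname[0].NameHost), expected $MailboxFqdn"
        }
    } catch {
        $auto = "Fail: lookup error: $($_.Exception.Message)"
    }

    try {
        # A TXT record can be split into several strings; join them before parsing.
        $txt = @(Resolve-DnsName @query -Name $Domain -Type TXT |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { $_.Strings -join '' })
        $spf = Test-SpfTxt -TxtRecords $txt
    } catch {
        $spf = "Fail: lookup error: $($_.Exception.Message)"
    }

    [pscustomobject]@{ Autodiscover = $auto; Spf = $spf }
}

# Constructed TXT sets that exercise the SPF check without any network access.
Test-SpfTxt @('v=spf1 include:spf.protection.outlook.com ~all')
Test-SpfTxt @('v=spf1 mx -all', 'v=spf1 include:spf.protection.outlook.com ~all')
Test-SpfTxt @('constructed-verification=abc123', 'v=spf1 mx -all')

# Live check against your own domain:
# Test-HybridDns -Domain 'contoso.com' -MailboxFqdn 'mail.contoso.com' | Format-List
```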

Having problems? Ask for help in the Office 365 forums. To access the forums, you'll need to sign in using an account that's granted administrator access to your cloud-based service.
Visit the forums at: Office 365 Forums


Configure Exchange Web Services


 
Estimated time to complete: 5 minutes

The external fully qualified domain name (FQDN) of your Internet-facing Exchange 2016 Mailbox server needs to be configured on several virtual directories for a hybrid deployment.
If you’ve already configured these virtual directories in your organization, you should skip to the How do I know this worked section below and verify that the virtual directories are
correctly configured with the external FQDN of the Exchange 2016 Mailbox server.

Note:

By completing this checklist step, the external URL on the Exchange Web Services (EWS), Outlook Address Book (OAB), Outlook Web App (OWA), Exchange Control Panel (ECP),
and the Exchange ActiveSync (Microsoft-Server-ActiveSync) virtual directories will be reset to the external FQDN of your Internet-facing Exchange 2016 Mailbox server.

How do I do this?

You can use the EAC to set the external FQDN of the Exchange 2016 Mailbox servers as the external URL on these virtual directories:

1. Open the EAC and navigate to Servers > Virtual directories.

2. In the Select server field, click the down arrow and select the Exchange 2016 Mailbox server to update.

3. Click Configure external access domain.

4. On the Configure external access domain page, click Add.

5. On the Select a Server page, select the Exchange 2016 Mailbox servers you want to configure and click Add. Click OK.

6. On the Configure external access domain page, enter the externally accessible FQDN of your Internet-facing Exchange 2016 Mailbox server in the Enter the domain name
you will use with your external Client Access servers text box. For example, mail.contoso.com.

Note:

The text on Configure external access domain page incorrectly refers to "Client Access" servers when it should say "Mailbox" servers instead.

7. Click Save.


8. Click Close when the wizard completes.

How do I know this worked?

To verify that you've successfully configured the external URL on the required virtual directories on your Exchange 2016 Mailbox servers, run the following
commands:

Verify that the external URL is set on the EWS virtual directory.

Get-WebServicesVirtualDirectory "EWS (Default Web Site)" | Format-Table Name, ExternalUrl

Verify that the external URL is set on the OAB virtual directory.

Get-OabVirtualDirectory "OAB (Default Web Site)" | Format-Table Name, ExternalUrl

Verify that the external URL is set on the Microsoft-Server-ActiveSync virtual directory.

Get-ActiveSyncVirtualDirectory "Microsoft-Server-ActiveSync (Default Web Site)" | Format-Table Name, ExternalUrl

Each of the commands that you run will return the name of the virtual directory, and the value that's stored in the ExternalUrl property. The value stored in the ExternalUrl property
should match the FQDN value that you provided when you configured the virtual directories in the wizard.
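The three commands above leave the comparison to the reader and do not cover the OWA and ECP virtual directories that the note says are also reset. The following is an added example, not part of the Deployment Assistant; Test-ExternalUrl is a hypothetical helper, the sample objects are constructed, and EX2016 and mail.contoso.com are the checklist's example values.

```powershell
# Added example, not part of the Deployment Assistant.
# Compares each virtual directory's ExternalUrl with the expected external FQDN.
function Test-ExternalUrl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $VirtualDirectory,
        [Parameter(Mandatory)] [string] $ExpectedFqdn
    )
    process {
        # Going through a string handles both live objects and the
        # deserialized objects returned by a remote Exchange session.
        $text = "$($VirtualDirectory.ExternalUrl)"
        $uri  = $null
        if (-not $text) {
            $result = 'Fail: ExternalUrl is not set'
        } elseif (-not [System.Uri]::TryCreate($text, [System.UriKind]::Absolute, [ref] $uri)) {
            $result = 'Fail: ExternalUrl is not an absolute URL'
        } elseif ($uri.Scheme -ne 'https') {
            $result = "Fail: scheme is $($uri.Scheme), expected https"
        } elseif ($uri.Host -ine $ExpectedFqdn) {
            $result = "Fail: host is $($uri.Host), expected $ExpectedFqdn"
        } else {
            $result = 'OK'
        }
        [pscustomobject]@{
            Name        = $VirtualDirectory.Name
            ExternalUrl = $text
            Result      = $result
        }
    }
}

# Constructed sample objects so the check can be run outside Exchange.
$sample = @(
    [pscustomobject]@{ Name = 'EWS (Default Web Site)'; ExternalUrl = 'https://mail.contoso.com/EWS/Exchange.asmx' }
    [pscustomobject]@{ Name = 'OAB (Default Web Site)'; ExternalUrl = 'http://mail.contoso.com/OAB' }
    [pscustomobject]@{ Name = 'owa (Default Web Site)'; ExternalUrl = '' }
    [pscustomobject]@{ Name = 'Microsoft-Server-ActiveSync (Default Web Site)'; ExternalUrl = 'https://ex2016.corp.contoso.com/Microsoft-Server-ActiveSync' }
)
$sample | Test-ExternalUrl -ExpectedFqdn 'mail.contoso.com' | Format-Table -AutoSize -Wrap

# In the Exchange Management Shell, feed it the real virtual directories:
# $server = 'EX2016'
# & {
#     Get-WebServicesVirtualDirectory -Server $server
#     Get-OabVirtualDirectory         -Server $server
#     Get-OwaVirtualDirectory         -Server $server
#     Get-EcpVirtualDirectory         -Server $server
#     Get-ActiveSyncVirtualDirectory  -Server $server
# } | Test-ExternalUrl -ExpectedFqdn 'mail.contoso.com'
```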

Having problems? Ask for help in the Office 365 forums. To access the forums, you'll need to sign in using an account that's granted administrator access to your cloud-based service.
Visit the forums at: Office 365 Forums


Configure Exchange certificates


 
Estimated time to complete: 10 minutes

Digital certificates are an important requirement for secure communications between on-premises Exchange 2016 servers, clients, and Office 365. You need to obtain a certificate that
will be installed on Mailbox and Edge Transport servers from a third-party trusted certificate authority (CA). Secure communications for internal connections between the on-premises
Exchange 2016 Mailbox servers use self-signed certificates. We recommend that your certificate's common name match the primary SMTP domain for your organization.

Learn more at: Certificate requirements for hybrid deployments

How do I get a certificate?

Before you can configure certificates on Exchange servers, you need to get a certificate from a trusted CA. Complete the following task on an Exchange 2016 Mailbox server if you
need to generate a request for a new certificate for use with the hybrid deployment.

1. Open the EAC by browsing to https://<FQDN of Mailbox server>/ECP.

2. Enter your user name and password in Domain\user name and Password, and then click Sign in.

3. Go to Servers > Certificates. On the Certificates page, make sure your Internet-facing Exchange 2016 Mailbox server is selected in the Select server field, and then click
Add.

4. In the New Exchange certificate wizard, select Create a request for a certificate from a certification authority and then click Next.

5. Specify a name for this certificate, and then click Next. For example, “contoso.com”.

6. If you want to request a wildcard certificate, select Request a wild-card certificate and then specify the root domain of all subdomains in the Root domain field. If you don't
want to request a wildcard certificate and instead want to specify each domain you want to add to the certificate, leave this page blank. Click Next.

7. Click Browse, and specify an Exchange server to store the certificate on. The server you select should be the Internet-facing Exchange 2016 Mailbox server. Click Next.

8. For each service in the list shown, specify the external or internal server names that users will use to connect to the Exchange server. For example, for Outlook Web App
(when accessed from the Internet), you might specify owa.contoso.com. For OWA (when accessed from the Intranet), you might specify internal.corp.contoso.com. These
domains will be used to create the SSL certificate request. Click Next.

Important:


We recommend that your certificate's common name match the primary SMTP domain for your organization. Make sure you assign the primary SMTP domain as the
certificate’s common name. For example, you would select the “contoso.com” domain and click the check mark icon.

9. Add any additional domains you want included on the SSL certificate. If you are deploying an Edge Transport server as part of your hybrid deployment, add the external
FQDN for the Edge Transport server. For example, “edge.contoso.com”. Click Next.

10. Provide information about your organization. This information will be included with the SSL certificate. Click Next.

11. Specify the network location where you want this certificate request to be saved. Click Finish.

How do I import and configure the certificate?

After you have obtained a certificate from a trusted CA, complete the following steps on an Exchange 2016 server to import your certificate and configure Exchange services to use
the certificate for your hybrid deployment. You will also need to import the certificate to your Mailbox servers and assign Exchange services:

1. On the Server > Certificates page in the EAC, select your Internet-facing Exchange 2016 Mailbox server and the certificate request you created in the previous steps.

2. In the certificate request details pane, click Complete under Status.

3. On the complete pending request page, specify the path to the SSL certificate file and then click OK.

4. Select the new certificate you just added, and then click Edit.

5. On the certificate page, click Services.

6. Select the services you want to assign to this certificate. At minimum, you should select SMTP and IIS. Click Save.

7. If you receive the warning Overwrite the existing default SMTP certificate?, click No.

To import the certificate to other Mailbox servers and assign Exchange services, complete the following:

1. On the Server > Certificates page in the EAC, select another Exchange 2016 Mailbox server.

2. Click More options and select Import Exchange certificate.

3. Enter the path to the certificate file you’ve configured for the hybrid deployment.


4. Enter the password for the certificate.

5. Click Next.

6. Click .

7. Select the Mailbox servers and click Add, and then click OK.

8. Click Finish.

9. After the certificate is imported and listed in the list, select the certificate and click Edit.

10. In certificate properties, click Services.

11. Select the SMTP check box and click Save.

How do I know this worked?

The successful completion of the New Exchange Certificate, Import, and Assign Services wizards will be your first indication that importing and assigning services to the certificate
worked as expected.

To further verify that the certificate has been successfully imported, you can run the following command in the Exchange Management Shell on an Exchange server to view the
certificates in the local certificate store and the services assigned to the certificate.

Get-ExchangeCertificate | fl

You should see the certificate you installed in the list of Exchange certificates returned by the Get-ExchangeCertificate cmdlet, including the attributes assigned to
each certificate. For the certificate from the third-party trusted certificate authority (CA) that you will use for the hybrid deployment, verify that:

The Service attribute has the IIS and SMTP services assigned.

The Status attribute is listed as “Valid”.

The RootCAType attribute is listed as “ThirdParty”.

If any of the three conditions listed above are not met, you can't use the certificate with the Hybrid Configuration wizard or with the hybrid deployment.
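The three conditions above can be evaluated for every certificate in one pass instead of being read off the Format-List output. The following is an added example, not part of the Deployment Assistant; Test-HybridCertificate is a hypothetical helper, the sample objects and their thumbprints are constructed, and the expiry warning is an extra check that is not one of the page's three conditions.

```powershell
# Added example, not part of the Deployment Assistant.
# Evaluates the Services, Status and RootCAType conditions for each certificate.
function Test-HybridCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Certificate,
        [int] $ExpiryWarningDays = 30   # assumption: extra check, not from the checklist
    )
    process {
        # Services renders as a comma-separated list such as "IMAP, POP, IIS, SMTP".
        # Splitting the string works for live and deserialized (remote) objects.
        $services = @("$($Certificate.Services)" -split '\s*,\s*')
        $problems = @()
        foreach ($required in 'IIS', 'SMTP') {
            if ($services -notcontains $required) {
                $problems += "Services is missing $required"
            }
        }
        if ("$($Certificate.Status)" -ne 'Valid') {
            $problems += "Status is '$($Certificate.Status)', not Valid"
        }
        if ("$($Certificate.RootCAType)" -ne 'ThirdParty') {
            $problems += "RootCAType is '$($Certificate.RootCAType)', not ThirdParty"
        }

        # Extra: a certificate that is close to expiry will soon fail the Status check.
        $daysLeft = [int][math]::Floor((([datetime] $Certificate.NotAfter) - (Get-Date)).TotalDays)
        $note = ''
        if ($daysLeft -lt $ExpiryWarningDays) { $note = "expires in $daysLeft days" }

        [pscustomobject]@{
            Thumbprint  = $Certificate.Thumbprint
            Subject     = $Certificate.Subject
            HybridReady = ($problems.Count -eq 0)
            Problems    = $problems -join '; '
            Note        = $note
        }
    }
}

# Constructed sample objects so the check can be run outside Exchange.
$sample = @(
    [pscustomobject]@{
        Thumbprint = 'CONSTRUCTED-THUMBPRINT-1'; Subject = 'CN=contoso.com'
        Services = 'IMAP, POP, IIS, SMTP'; Status = 'Valid'; RootCAType = 'ThirdParty'
        NotAfter = (Get-Date).AddDays(200)
    }
    [pscustomobject]@{
        Thumbprint = 'CONSTRUCTED-THUMBPRINT-2'; Subject = 'CN=EX2016'
        Services = 'SMTP'; Status = 'Valid'; RootCAType = 'None'
        NotAfter = (Get-Date).AddDays(10)
    }
)
$sample | Test-HybridCertificate | Format-List

# In the Exchange Management Shell:
# Get-ExchangeCertificate | Test-HybridCertificate | Format-List
```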

Having problems? Ask for help in the Office 365 forums. To access the forums, you'll need to sign in using an account that's granted administrator access to your cloud-based service.
Visit the forums at: Office 365 Forums


Configure Hybrid Services


Run Hybrid Configuration wizard


 
Estimated time to complete: 30 minutes

The Hybrid Configuration wizard helps you establish your hybrid deployment by creating the HybridConfiguration object in your on-premises Active Directory and gathering existing
Exchange and Active Directory topology configuration data. The Hybrid Configuration wizard also enables you to define and configure several organization parameters for your
hybrid deployment, including secure mail transport options.

Learn more at: Hybrid Configuration wizard

How do I create and configure a new hybrid deployment?

You can use the Hybrid Configuration wizard in the EAC on an Exchange 2016 server in your on-premises organization to create and configure the hybrid deployment.

1. In the EAC on an Exchange 2016 server in your on-premises organization, navigate to the Hybrid node.

2. In the Hybrid node, click Configure to enter your Office 365 credentials.

Important:

If your on-premises organization is located in China and your Office 365 tenant is hosted by 21Vianet, you must select the My Office 365 organization is hosted by
21Vianet check box. If your Office 365 tenant is hosted by 21Vianet and this check box isn’t selected, the Hybrid Configuration wizard won’t connect to the 21Vianet service,
your Office 365 account credentials won’t be recognized, and the wizard won’t complete properly.

3. At the prompt to log in to Office 365, select sign in to Office 365 and enter the account credentials. The account you sign in with needs to be a Global Administrator in Office
365.

4. Click Configure again to start the Hybrid Configuration wizard.

5. On the Microsoft Office 365 Hybrid Configuration Wizard Download page, click Click here to download wizard. When you're prompted, click Install on the Application
Install dialog.

Note:

If you're doing this on a server using Internet Explorer, you might need to enable cookies (Internet Options > Privacy > Low) and enable file downloads
(Internet Options > Security > Custom level > Downloads > File download).


6. Click Next, and then, in the On-premises Exchange Server Organization section, select Detect a server running Exchange 2013 CAS or Exchange 2016. The wizard will
attempt to detect an on-premises Exchange 2016 server. If the wizard doesn't detect an Exchange 2016 server, or if you want to use a different server, select Specify a server
running Exchange 2013 CAS or Exchange 2016 and then specify the internal FQDN of an Exchange 2016 Mailbox server.

7. In the Office 365 Exchange Online section, select Microsoft Office 365 and then click Next.

8. On the Credentials page, in the Enter your on-premises account credentials section, select Use current Windows credentials to have the wizard use the account you're
logged in with to access your on-premises Active Directory and Exchange 2016 servers. If you want to specify a different set of credentials, unselect Use current Windows
credentials and specify the username and password of the Active Directory account you want to use. Whichever option you choose, the account used needs to be a member
of the Organization Management role group.

9. In the Enter your Office 365 credentials section, specify the username and password of an Office 365 account that has Global Administrator permissions. Click Next.

10. On the Validating Connections and Credentials page, the wizard will connect to both your on-premises organization and your Office 365 organization to validate
credentials and examine the current configuration of both organizations. Click Next when it's done.

11. On the Hybrid Features page, select Full Hybrid Configuration and then click Next.

12. Select Organization Configuration Transfer if you want the wizard to copy select organization-wide policies to your Exchange Online organization. Retention policies and
retention policy tags, OWA Mailbox policies, Mobile Device Mailbox policies, and ActiveSync Mailbox policies are copied.

13. On the Hybrid Domains page, select the domains you want to include in your hybrid deployment. In most deployments you can leave the Auto Discover column set to False for
each domain. Only select True next to a domain if you need to force the wizard to use the Autodiscover information from a specific domain. Click Next.

Important:

The Hybrid Domains page only appears if you have more than one on-premises accepted domain added to your Office 365 organization.

14. On the Federation Trust page, click Enable and then click Next.

15. On the Domain Ownership page, click Click copy to clipboard to copy the domain proof token information for the domains you’ve selected to include in the hybrid
deployment. Open a text editor such as Notepad and paste the token information for these domains. Before continuing in the Hybrid Configuration wizard, you must use this
info to create a TXT record for each domain in your public DNS. Refer to your DNS host's Help for information about how to add a TXT record to your DNS zone. Click Next
after the TXT records have been created and the DNS records have replicated.

Important:

The TXT proof of ownership wizard page only displays if there is a non-federated domain selected in the previous step.

16. On the Hybrid Configuration page, select the Configure my Client Access and Mailbox servers for secure mail transport (typical) option to configure your on-premises
Client Access and Mailbox servers for secure mail transport with Office 365. Click Next.

Important:

If you want Office 365 to send all outbound messages to external recipients to your on-premises transport servers, select the Enable centralized mail transport check
box in the More options section. The on-premises transport servers will be responsible for delivering the messages to external recipients. This approach is helpful in
compliance scenarios where all mail to and from the Internet must be processed by on-premises servers. If this check box is not selected, Office 365 will bypass the
on-premises organization and deliver messages to external recipients directly using the recipient’s external DNS settings.

17. On the Receive Connector Configuration page, select the Receive connector that will be used to accept secure mail from Exchange Online, and then click Next.

18. On the Send Connector Configuration page, select the Send connector that will be used to send secure mail to Exchange Online, and then click Next.

19. On the Transport Certificate page, select the certificate to use for secure mail transport. This list displays the digital certificates issued by a third-party certificate authority
(CA) installed on the Exchange server selected in the previous step. Click Next.

20. On the Organization FQDN page, enter the externally accessible FQDN for your Internet-facing Exchange 2016 Mailbox server. Office 365 uses this FQDN to configure the
service connectors for secure mail transport between your Exchange organizations. For example, enter “mail.contoso.com”. Click Next.

21. The hybrid deployment configuration selections have been updated, and you’re ready to start the Exchange services changes and the hybrid deployment configuration. Click
Update to start the configuration process. While the hybrid configuration process is running, the wizard displays the feature and service areas that are being configured for
the hybrid deployment as they are updated.

22. When the wizard has completed all of the tasks it can perform automatically, it'll list any tasks that you need to address manually before your hybrid deployment
configuration is complete.

23. The wizard displays a completion message and the Close button is displayed. Click Close to complete the hybrid deployment configuration process and to close the wizard.

How do I know this worked?

The successful completion of the Hybrid Configuration wizard will be your first indication that creating the Hybrid Deployment Active Directory object and completing the hybrid
deployment configuration steps worked as expected. To further verify that the hybrid deployment is configured correctly, you can also run the following command in the Shell for the
on-premises organization.

Get-HybridConfiguration

Learn more at: Get-HybridConfiguration

You can also confirm that the Hybrid Configuration wizard completed all the configuration steps by examining the hybrid configuration log. By default, the hybrid configuration log is
located at C:\Users\<user logged on when wizard was run>\AppData\Roaming\Microsoft\Exchange Hybrid Configuration.

Learn more at: Hybrid Configuration wizard

Having problems? Ask for help in the Office 365 forums. To access the forums, you'll need to sign in using an account that's granted administrator access to your cloud-based service.
Visit the forums at: Office 365 Forums


Finalize Your Deployment


Create a test mailbox


 
Estimated time to complete: 5 minutes

We recommend that you create a test mailbox in the Exchange Online organization so that you can test your configuration changes while you work through the checklist.

Learn more at: Hybrid management in Exchange hybrid deployments

How do I do this?

You can use the Office 365 Mailbox wizard in the EAC on an Exchange server to create a test mailbox in Office 365. If you want to create more than one test mailbox, you'll have to
use this wizard for each test mailbox. You can't use the wizard to create multiple test mailboxes.

1. Log into the EAC on an on-premises Exchange 2016 server.

2. In the EAC, navigate to Enterprise > Recipients > Mailboxes.

3. Expand the menu at the Add control and select Office 365 mailbox.

4. On the New Office 365 mailbox page, specify the following settings:

First Name   Type the first name of the new user.

Initials   Type the initials of the new user.

Last Name   Type the last name of the new user.

User logon name   Type the user logon name of the new user and select the primary SMTP domain used for your other on-premises users. For example,
@contoso.com.

Mailbox type   Choose the type of mailbox to create. For example, User mailbox.

Password   Type the password.

Confirm password   Retype the password.

Make sure the Create an archive mailbox check box is not selected.


5. Click Save to continue.

Note:

By default, directory synchronization occurs once every 30 minutes. To force immediate directory synchronization, open Windows PowerShell on the Azure AD Connect
server and type the following at the command prompt.

Start-ADSyncSyncCycle -PolicyType Delta

6. Log on to: Office 365 admin portal.

7. Assign a license to the new user. Learn more at: Activate synced users

How do I know this worked?

When you create a test mailbox in Office 365, the successful completion of the Office 365 Mailbox wizard will be your first indication that creating the mailbox worked as expected.

To verify that you've created a test mailbox and that the mailbox is accessible in the Exchange Online organization, do the following:

1. Log on to: Office 365 admin portal

2. Navigate to Users > Active Users.

Verify that the user has been synchronized to the service directory. If the user has synchronized correctly, it will appear in the user list in the administration portal.

3. Verify that the user has an associated license by doing the following:

1. Click the name of the user to open the user's property information.

2. Under Assigned license in the user's details pane, verify that the license you added is shown.

4. Attempt to log on to the user's mailbox by doing the following:

Open a private browsing window (Internet Explorer: InPrivate Browsing, Chrome: Incognito, Firefox: Private Window) in your browser.

Browse to the Exchange Online organization's Outlook on the web URL, https://www.outlook.com/owa/contoso.com

Log in with the user's credentials.


Having problems? Ask for help in the Office 365 forums. To access the forums, you'll need to sign in using an account that's granted administrator access to your cloud-based service.
Visit the forums at: Office 365 Forums


Move or create mailboxes


 
Estimated time to complete: 20 minutes

You can choose to either move existing mailboxes to, or create mailboxes in, the Office 365 organization. You can also do a mix of both: move existing on-premises mailboxes to
Office 365 and create mailboxes for new users there too.

Move a mailbox   Moving mailboxes from the on-premises organization to Office 365 uses a remote mailbox move request. This approach allows you to move your existing
Exchange user mailboxes to Office 365 instead of creating user mailboxes and importing their mailbox content.

Create a mailbox   Instead of moving existing mailboxes in your on-premises organization to Office 365, you can create mailboxes in Office 365 for your users. These mailboxes are
called remote mailboxes, and they are included in the on-premises Active Directory. Active Directory synchronization automatically synchronizes this new mail user object to Office
365 which then converts it to an Exchange Online user mailbox.

Learn more at: Recipients

How do I move mailboxes to Office 365?

You can use the remote move migration wizard in the Office 365 tab in the Exchange admin center (EAC) on an Exchange server to move existing user mailboxes in the on-premises
organization to Office 365:

1. Open the EAC and navigate to Office 365 > Recipients > migration.

2. Click Add and select Migrate to Exchange Online.

3. On the Select a migration type page, select Remote move migration and then click Next.

4. On the Select the users page, click Add, select the on-premises users to move to Office 365 and click Add, and then click OK. Click Next.

5. On the Enter the Windows user account credential page, enter the on-premises administrator account name in the On-premises administrator name text field and enter
the associated password for this account in the On-premises administrator password text field. For example, “corp\administrator” and a password. Click Next.

6. On the Confirm the migration endpoint page, verify that the FQDN of your on-premises Mailbox server is listed when the wizard confirms the migration endpoint. For
example, “mail.contoso.com”. Click Next.

Note:


You enabled the Mailbox Replication Proxy service (MRSProxy) on the Exchange 2016 Mailbox servers earlier in the checklist and the service automatically throttles the
mailbox move requests when you select multiple mailboxes to move to Office 365. The total time to complete the mailbox move depends on the total number of
mailboxes selected, the size of the mailboxes, and the properties of the MRSProxy. To learn more about customizing the MRSProxy, see: Message throttling

7. On the Move configuration page, enter a name for the migration batch in the New migration batch name text field. Use the down arrow to select the target delivery
domain for the mailboxes that are migrating to Office 365. In most hybrid deployments, this will be the primary SMTP domain used for both on-premises and Office 365
mailboxes. For example, user@contoso.com. Verify that the Move primary mailbox along with archive mailbox option is selected, and then click Next.

8. On the Start the batch page, select at least one recipient to receive the batch complete report. Verify that the Automatically start the batch and Automatically complete
the migration batch options are selected. Click New.

While the mailboxes are being moved, you will see a status of Syncing in the migration status for each mailbox moved to Office 365. After the mailbox move request reaches a
status of Completed, the mailbox migration process is complete.

How do I create a mailbox in Office 365?

You can use the Office 365 Mailbox wizard in the EAC on an Exchange server to create user mailboxes in Office 365. If you want to create remote mailboxes, you'll have to use this
wizard for each remote mailbox. You can't use the wizard to create multiple remote mailboxes.

1. Log into the EAC on an on-premises Exchange 2016 server.

2. In the EAC, navigate to Enterprise > Recipients > Mailboxes.

3. Click Add and select Office 365 mailbox.

4. On the new Office 365 mailbox page, specify the following settings:

First Name   Type the first name of the new user.

Initials   Type the initials of the new user.

Last Name   Type the last name of the new user.

Name   Type the full name of the user if the automatically generated name is not correct.

User logon name   Type the user logon name of the new user and select the primary SMTP domain used for your other on-premises users. For example,
@contoso.com.


Mailbox type   Select the mailbox type for the new mailbox. For example, select User mailbox for a new user.

New Password   Type the password.

Confirm password   Retype the password.

5. Verify that the Create an archive mailbox check box is not selected. Click Save to create the new mailbox.

Note:

By default, directory synchronization occurs once every three hours. To force immediate directory synchronization, open an elevated command prompt on the Azure AD
Connect server and type the following at the command prompt.

"%ProgramFiles%\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe"

6. Log on to: Cloud-based service administration portal

7. Assign a license to the new user. Learn more at: Activate synced users

How do I know this worked?

When you move existing user mailboxes to Office 365, the successful completion of the remote move wizard will be your first indication that moving the mailbox worked as expected.

Because the mailbox move process takes several minutes to complete, you can also verify that the move is working correctly by opening the EAC and selecting Office 365 >
Recipients > Migration to display the move status for the mailboxes selected in the remote move wizard. The value of the Status is Syncing during the mailbox move and it’s
Completed when the mailbox has successfully moved to Office 365.

After the directory replication process has completed, you can check that the remote mailbox located in the Exchange Online organization has been successfully created by verifying
the mailbox properties. To do this, navigate to Enterprise > Recipients > Mailboxes in the EAC for the on-premises organization. The user mailbox should show a Mailbox Type of
Office 365.

Having problems? Ask for help in the Office 365 forums. To access the forums, you'll need to sign in using an account that's granted administrator access to your cloud-based service.
Visit the forums at: Office 365 Forums


Configure MX record
 
Estimated time to complete: 5 minutes

After you’ve completed configuration of your hybrid deployment using the Hybrid Configuration wizard, you can direct mail flow through Office 365. To do this, you need to
configure the mail exchanger (MX) record to point to the FQDN created for your Office 365 organization. After you change the MX record to point to Office 365, all email
messages for both on-premises and Office 365 recipients will be routed through Office 365. Email messages for on-premises recipients will then be routed from Office 365 to your
on-premises organization.

Learn more at: Transport options in Exchange hybrid deployments

How do I do this?

You need to configure the public DNS MX record for your primary SMTP namespace to point to the FQDN created for your Office 365 organization.

The FQDN that you need to use is created automatically when you add your primary SMTP namespace to your Office 365 organization. The FQDN is
<domain>.mail.protection.outlook.com where <domain> is your primary SMTP namespace. For example, contoso-com.mail.protection.outlook.com.

To find the FQDN that you should use for your MX record, do the following:

1. Log on to: Office 365 admin portal

2. Select Domains.

3. Select the primary SMTP namespace for your Office 365 organization (for example, contoso.com) and then click Domain settings.

4. On the DNS management page, verify that Exchange Online is listed under Domain purpose. If it's not, do the following:

1. Under Domain purpose, click Change domain purpose.

2. Select Outlook on the web for email, calendar, and contacts, and then click Next.

Important:

On the next couple of pages, you'll see instructions on how to configure MX, Autodiscover, MSOID, and SPF records for your Office 365 organization. Some of these
settings don't work when you're configuring a hybrid deployment so we're not going to configure them here. We'll configure hybrid-specific settings later in this
topic.


3. On the Add the following DNS records... page, click Okay, I've added the records.

4. On the next page, you'll see Some DNS records have to be fixed and one or more DNS records will show an error. You can safely ignore these errors. Click Ignore
these errors at the bottom of the page, and then click Finish.

5. On the Manage domains page, select your primary SMTP namespace again and click Domain settings.

Exchange Online should now be listed under Domain purpose.

5. In the Exchange Online DNS records table, find the row where Type equals MX. Use the value in the Points to address field. For example,
contoso-com.mail.protection.outlook.com.

Important:

Don't change the Autodiscover record for your domain to the value in the Exchange Online table. Doing so will prevent your on-premises users from being able to find
their on-premises mailboxes.

6. After you've found the FQDN to use with your MX record, create the MX record in your DNS zone.

For example, the MX record for contoso.com is the following:

 
Primary SMTP namespace    DNS record type    MX priority    Target
contoso.com               MX                 0              <domain>.mail.protection.outlook.com

Refer to your DNS host's Help for more information about how to add an MX record to your DNS zone.

How do I know this worked?

To verify that you've configured the DNS MX record for the primary SMTP namespace correctly, do the following on an Internet-accessible computer that can perform DNS lookups.

1. Open a Windows command prompt.

2. Run the following command.

nslookup -type=MX contoso.com


The following should be returned if you've correctly configured the DNS record. (Depending on your DNS configuration, it may take an hour or more for changes to DNS to replicate
across the Internet.) The IP addresses returned may be different than the addresses in the example below.

Server: dns.corp.contoso.com
Address: 192.168.1.10

Non-authoritative answer:
contoso.com MX preference = 0, mail exchanger = contoso-com.mail.protection.outlook.com

contoso-com.mail.protection.outlook.com internet address = 216.32.181.10


contoso-com.mail.protection.outlook.com internet address = 216.32.180.42
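
The same verification can be scripted so that it reports when the MX record does not point at the Office 365 FQDN or when a stale MX record would still deliver mail around Office 365. This is an added example, not part of the original checklist. It assumes the Resolve-DnsName cmdlet (DnsClient module, Windows 8 / Windows Server 2012 or later); the function name Test-HybridMxRecord is hypothetical, and the default expected target is derived from the page's contoso.com to contoso-com pattern, so pass the Points to address value from the portal if yours differs.

```powershell
# Added example (not from the Deployment Assistant).
# Test-HybridMxRecord is a hypothetical helper name.
function Test-HybridMxRecord {
    [CmdletBinding()]
    param(
        # Primary SMTP namespace, for example contoso.com
        [Parameter(Mandatory)][string]$Domain,

        # Assumption: dots become dashes, as in the page's contoso-com example.
        # Override with the "Points to address" value shown in the portal.
        [string]$ExpectedTarget = (($Domain -replace '\.', '-') + '.mail.protection.outlook.com'),

        # Optional resolver, so you can ask a public DNS server and see what
        # the Internet sees instead of an internal split-DNS answer.
        [string]$Server
    )

    $query = @{ Name = $Domain; Type = 'MX'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $query['Server'] = $Server }

    # Keep only MX answers (an empty answer comes back with an SOA record),
    # lowest preference first because that is the host senders try first.
    $mx = @(Resolve-DnsName @query |
            Where-Object { $_.Type -eq 'MX' } |
            Sort-Object Preference)

    $problems = @()
    if ($mx.Count -eq 0) {
        $problems += "no MX record returned for $Domain"
    }
    else {
        $primary = $mx[0].NameExchange.TrimEnd('.')
        if ($primary -ne $ExpectedTarget) {
            $problems += "lowest-preference MX is $primary, expected $ExpectedTarget"
        }

        # Any remaining MX that is not an Office 365 host lets mail bypass
        # Office 365, which contradicts the routing this step sets up.
        foreach ($record in $mx) {
            $target = $record.NameExchange.TrimEnd('.')
            if ($target -notlike '*.mail.protection.outlook.com') {
                $problems += "MX $target (preference $($record.Preference)) does not point to Office 365"
            }
        }
    }

    [pscustomobject]@{
        Domain         = $Domain
        ExpectedTarget = $ExpectedTarget
        MxRecords      = ($mx | ForEach-Object { "$($_.Preference) $($_.NameExchange)" }) -join ', '
        Correct        = ($problems.Count -eq 0)
        Problems       = $problems -join '; '
    }
}

# contoso.com is the page's example domain; replace it with your own namespace.
Test-HybridMxRecord -Domain 'contoso.com' | Format-List
```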

Having problems? Ask for help in the Office 365 forums. To access the forums, you'll need to sign in using an account that's granted administrator access to your cloud-based service.
Visit the forums at: Office 365 Forums


Post-configuration tasks
 
After you complete the configuration steps for deploying a hybrid organization, you should complete the post-installation tasks to enable any additional needed functionality.

Configure client computers

After you’ve set up your hybrid deployment, you must ensure that your users’ desktop computers are updated and configured for use with Office 365. Your users will be able to use
their user ID to sign in to Office 365 from their desktop applications, and their on-premises computers must be configured with the necessary updates to their existing Office
applications to directly access their online accounts. You can ensure that your users’ desktop computers are set up for Office 365 either by having your users update and configure
their desktops themselves, if they have permission to install applications, or by manually installing the updates for them. After updating and configuring on-premises desktops,
users will be able to send email from Outlook 2016, Outlook 2013, or Outlook 2010 and save files directly to SharePoint Online from their Office desktop applications.

Learn more at: Manually Update and Configure Desktops for Office 365

Test hybrid deployment connectivity

Testing the external connectivity for critical Exchange 2016 and Office 365 features is an important step in ensuring that your hybrid deployment features are functioning correctly.
The Microsoft Remote Connectivity Analyzer is a free online web service that you can use to analyze, and run tests for, several Exchange 2016 and Office 365 services, including
Exchange Web Services, Outlook, Exchange ActiveSync, and Internet email connectivity.

Learn more at: Microsoft Remote Connectivity Analyzer

Configure network security

Hybrid deployment configuration changes may require you to modify security settings for your on-premises network and protection solutions. Exchange 2016 Mailbox servers must
be accessible on TCP port 443, and Edge Transport and Mailbox servers must be accessible on TCP port 25. Other Office 365 services, such as SharePoint Online and Lync Online, may
require additional network security configuration changes. If you’re using Microsoft Threat Management Gateway (TMG) in your on-premises organization, additional configuration
steps will also be needed to allow full Office 365 integration in the hybrid deployment.

Learn more about Office 365 port requirements at: Microsoft Office 365 for Enterprises Deployment Guide

Learn more about hybrid deployments and the Microsoft Threat Management Gateway at: How to Configure TMG for Office 365 (Exchange) Hybrid deployments

Configure permissions in the Office 365 organization


By default, the administrative account that you specified when the Office 365 tenant organization was created is granted administrator permissions to the Exchange Online
organization. This account can configure all aspects of the Exchange Online organization and manage recipients located in the organization. You can add additional administrators as
needed.

End users are also granted permissions when their mailboxes are moved to or created in the Exchange Online organization. By default, they can configure things like their own
contact information, distribution group membership, email subscriptions, telephone number, and so on. You can configure the default role assignment policy or create new role
assignment policies.

Administrative and end user permissions that are configured in the on-premises organization aren't transferred to the Office 365 organization. You must re-create your permissions in
the Office 365 organization.

Note:

We don't support a manager mailbox and the mailboxes that have delegate permissions to it residing in different organizations. If you move a manager mailbox to Office 365, any mailboxes that
have delegate permissions also need to be moved to Office 365. If a

Learn more at: Permissions in Exchange hybrid deployments

Configure additional remote domains

The Deployment Assistant has shown you how to configure transport between your on-premises organization and Office 365. If you have configured remote domains between your
organization and other organizations to customize settings such as the type of encoding to use, whether non-delivery reports are enabled, the character set to use, and so on, you
should re-create similar custom remote domains in your Exchange Online organization.

Learn more at: Remote domains

Configure Outlook on the web mailbox policies

Outlook on the web mailbox policies enable you to manage access to features in Outlook on the web. For example, you can control whether users can open the Calendar or other
folders in their Inbox, customize their theme, use the spell checker, access file attachments, and more.

By default, every mailbox in the Exchange Online organization is assigned to the default Outlook on the web mailbox policy. The default policy allows access to all features of Outlook
on the web. You can configure the default Outlook on the web mailbox policy or create additional policies and assign them to mailboxes.

Outlook on the web mailbox policies that you've defined in your on-premises organization aren't transferred to the Exchange Online organization. You must re-create your Outlook
on the web mailbox policies in the Exchange Online organization.


Learn more at: Outlook Web App mailbox policies

Configure Exchange ActiveSync mailbox policies

Exchange ActiveSync mailbox policies enable you to apply a common set of policy or security settings to a user or group of users. These policies are applied to the mobile devices
that are connected to a user's mailbox. For example, you can control whether users can use the camera on a mobile device, whether a password is required, the maximum calendar
age, and so on.

By default, every mailbox in the Exchange Online organization is assigned to a default Exchange ActiveSync mailbox policy. The default policy doesn't place any restrictions on mobile
devices connected to Exchange Online mailboxes and doesn't require that passwords be used on the device. You can configure the default Exchange ActiveSync mailbox policy or
create additional policies and assign them to mailboxes.

Exchange ActiveSync mailbox policies that you've defined in your on-premises organization aren't transferred to the Exchange Online organization. You must re-create your Exchange
ActiveSync mailbox policies in the Exchange Online organization.

Learn more at: Exchange ActiveSync
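
Because the default Exchange Online policy requires no device password and on-premises policies aren't carried over, a moved mailbox can silently lose the restrictions it had. The following PowerShell is an added example, not part of the original checklist or Microsoft's own script: it copies the three settings named above to Exchange Online and then lists mailboxes still on the default policy. The export path and variable names are hypothetical.

```powershell
# Added example. Paths and variable names are hypothetical.

# --- Part 1: run in the on-premises Exchange Management Shell ---
$exportPath = 'C:\Temp\eas-policies.xml'   # hypothetical export location
Get-MobileDeviceMailboxPolicy |
    Select-Object Name, PasswordEnabled, AllowCamera,
        # Store the enum as plain text so it survives serialization unchanged.
        @{ Name = 'MaxCalendarAgeFilter'; Expression = { "$($_.MaxCalendarAgeFilter)" } } |
    Export-Clixml -Path $exportPath

# --- Part 2: run in a session connected to Exchange Online PowerShell ---
$existing = @(Get-MobileDeviceMailboxPolicy | ForEach-Object { $_.Name })
foreach ($policy in Import-Clixml -Path $exportPath) {
    if ($existing -contains $policy.Name) {
        # A same-named policy (typically the default one) is never overwritten here;
        # compare its settings by hand and adjust with Set-MobileDeviceMailboxPolicy.
        Write-Warning "Policy '$($policy.Name)' already exists in Exchange Online; review it manually."
        continue
    }
    New-MobileDeviceMailboxPolicy -Name $policy.Name `
        -PasswordEnabled $policy.PasswordEnabled `
        -AllowCamera $policy.AllowCamera `
        -MaxCalendarAgeFilter $policy.MaxCalendarAgeFilter
}

# --- Part 3: still in Exchange Online, list mailboxes on the default policy ---
# These mailboxes get whatever the default policy allows, which out of the box
# means no device password requirement.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.ActiveSyncMailboxPolicyIsDefaulted } |
    Select-Object Name, PrimarySmtpAddress, ActiveSyncMailboxPolicy

# Assign a re-created policy to a mailbox (identity and policy name are placeholders):
# Set-CASMailbox -Identity 'user@example.com' -ActiveSyncMailboxPolicy 'PolicyName'
```

Only the settings this section names are copied; extend the `Select-Object` list and the `New-MobileDeviceMailboxPolicy` call for any other settings your on-premises policies enforce.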

Configure remote clients

Users running Outlook 2016, Outlook 2013, or Outlook 2010 who connect using Outlook Anywhere will be automatically reconfigured to connect to the Exchange Online
organization when their mailbox is moved.

Users who connect a mobile device to their mailbox may be required to manually reconfigure their device, depending on the version of Exchange ActiveSync the device uses. If the
device doesn't reconfigure itself automatically, the user can re-create the Exchange ActiveSync association or change their POP or IMAP settings.

Learn more at: Set Up Your E-Mail Account on Your Mobile Phone

If your users use an email client other than Outlook 2016, Outlook 2013, or Outlook 2010, they must use POP or IMAP if their mailbox is moved to the Exchange Online organization.

Important:

Pre-Outlook 2010 clients are not supported by Office 365.

Learn more at: E-mail Setup

Move Office 365 mailboxes to the on-premises organization

In a hybrid deployment, you have mailboxes in both your on-premises and Exchange Online organizations. As part of ongoing recipient management, you’ll often need to
move mailboxes between the two organizations. This need could come up because a user is moving departments, because a manager is being assigned a new delegate, and so on.
When you’re moving mailboxes from the Exchange Online organization to the on-premises organization, you’ll use the Exchange admin center (EAC).

Learn more at: Move mailboxes between on-premises and Exchange Online organizations in hybrid deployments

Export and import retention tags for custom folders in archived mailboxes

If your on-premises users are using personal email retention tags in custom folders in an archive mailbox, the tags are removed and changed to “Use parent folder policy” when an
on-premises mailbox and archive are moved to Exchange Online. You will need to export the retention tags from the on-premises organization and import them into the
Exchange Online organization.

Learn more at: Export and import retention tags

Configure Information Rights Management

Information Rights Management (IRM) enables users to apply Active Directory Rights Management Services (AD RMS) templates to messages they send. AD RMS templates can help
prevent information leakage by allowing users to control who can open a rights-protected message, and what they can do with that message after it's been opened.

IRM in a hybrid deployment requires planning, manual configuration of the Exchange Online organization, and an understanding of how clients use AD RMS servers depending on
whether their mailbox is in the on-premises or Exchange Online organization.

Learn more at: IRM in Exchange hybrid deployments

Configure public folders

Office 365 supports public folders and migrating public folders between the on-premises and Office 365 organizations. You can configure public folders so that users in either the
on-premises or Office 365 organization have access to public folders in either organization.

Learn more at: Public folders

Troubleshooting hybrid deployments

Configuring a hybrid deployment with the Hybrid Configuration wizard greatly minimizes the potential that the hybrid deployment will experience problems. However, there are
some typical areas outside the scope of the Hybrid Configuration wizard that, if misconfigured, may present problems in a hybrid deployment. Sometimes there can be minor
configuration issues that prevent your hybrid deployment features from working as expected.

Check out the following resources to resolve some common hybrid deployment configuration issues:

Troubleshoot a hybrid deployment

Hybrid Deployment Free/Busy Troubleshooter

Hybrid Migration Troubleshooter

Still having problems?

Ask for help in the Office 365 forums. To access the forums, you'll need to sign in using an account that's granted administrator access to your cloud-based service. Visit the forums
at: Office 365 Forums

Checklist complete
 
Congratulations on successfully completing your checklist in the Deployment Assistant!

Tools you can use

The Microsoft Remote Connectivity Analyzer tool is a free web-based tool that helps you troubleshoot connectivity issues. The tool simulates several client logon and mail flow
scenarios. When a test fails, troubleshooting tips can assist you in correcting the problem.

Take a look at Microsoft Remote Connectivity Analyzer Tool.

And, for more information about Exchange planning and deployment, you can always review the related content in the Exchange TechCenter Library.

Find it all at Planning and deployment.

Give us feedback please

We would really appreciate your feedback about the Deployment Assistant. What worked for you? What could we have done better? What do you recommend we change for the
next version?

Tell us what you think at Feedback: Exchange Server Deployment Assistant.
