Exchange 2010 - Office 365 Hybrid Migration - On-Premise to O365 not working

I read somewhere:
As for MX records, these can be pointing to Office 365 or your On Premise Exchange environment, depending on your needs. As long as the Hybrid Configuration Wizard worked correctly, mail flow should be seamless between the two systems.

All of my Internal DNS MX Records are pointing to On-Premise. All of the Public DNS MX records are pointing to Office365.

Mail from O365 to On-Prem is fine.
Mail from On-Prem to O365 is stuck in the Queue for the Domain.
Error: 451 4.4.0 Primary Target IP address responded with: "421 4.2.1 Unable to Connect" Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.

Mail to: user@domain-a.com is getting sent to domain-0.com mail queue.
domain-0.com is the Primary O365 domain.

Here are the results of: get-hybridconfiguration | fl

[PS] C:\Windows\system32>get-hybridconfiguration | fl


RunspaceId                      : de34fead-a695-444b-44e7-44cc4444becb
ClientAccessServers             : {}
TransportServers                : {VSVR-EXCH2010}
SecureMailCertificateThumbprint : 4491AE94D3444C229CBCE4439CDF1444CCB44C244
OnPremisesSmartHost             : mail.<domain-0>.com
Domains                         : {domain-a.com, domain-b.com, domain-b.com, autod:domain-0.com}
Features                        : {FreeBusy, MoveMailbox, Mailtips, MessageTracking, OwaRedirection, OnlineArchive, SecureMail}
ExternalIPAddresses             : {<pub IP Address>}
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
Name                            : Hybrid Configuration
DistinguishedName               : CN=Hybrid Configuration,CN=Hybrid Configuration,CN=myenm,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain-0,DC=com
Identity                        : Hybrid Configuration
Guid                            : 3d96cf44-6f44-4744-a044-dd83e946c344
ObjectCategory                  : domain-0.com/Configuration/Schema/ms-Exch-Coexistence-Relationship
ObjectClass                     : {top, msExchCoexistenceRelationship}
WhenChanged                     : 1/5/2018 5:17:03 PM
WhenCreated                     : 12/7/2017 12:12:37 PM
WhenChangedUTC                  : 1/6/2018 1:17:03 AM
WhenCreatedUTC                  : 12/7/2017 8:12:37 PM
OrganizationId                  :
OriginatingServer               : ADDC.domain-o.COM
IsValid                         : True


Asked by Scott Townsend (IT Director)
MAS (MVE), EE Solution Guide - Technical Dept Head, commented:
Hi Scott,
Did you run hybrid configuration Wizard?
Did you properly configure DNS on your on-prem server?
Scott Townsend (IT Director, Author) commented:
HCW was run and was Successful. The send connector "Outbound to Office 365" is there as well as the "Inbound from Office 365" receive connector.

I have made the domains I'm working with along with the onmicrosoft.com domains 'Internal Relay' under accepted Domains.

The mail that is trying to be sent to domain-0.com is being sent to the Public IP address for the on-premise mail server.  The on-premise mail server's default send connector does have the 'Use the External DNS lookup on the transport server' set and it is set to google's DNS.

I'm not sure why the email sent to domain-a.com is in the Queue for domain-0.com and not tenant.mail.onmicrosoft.com

Look like my External DNS for domain-0.com was set to the on-premise server. I changed the MX record to <domain-0.com>.mail.protection.outlook.com   and all of the mail in the Queue went out.

I have yet to Migrate a user for a Domain that would have both on-premise and O365 users.
Vasil Michev (MVP) commented:
The send connector on-premises should indeed only feature the tenant.mail.onmicrosoft.com domain, so check your settings. Not sure how that happened, but in general the HCW should detect/warn you for this - check the following KB: https://support.microsoft.com/en-us/help/3087172/-hcw8039-the-hybrid-send-connector-must-only-contain-the-single-addres

Did you happen to select the "centralized mail transport" option when running the HCW?
Scott Townsend (IT Director, Author) commented:
"The send connector on-premises should indeed only feature the tenant.mail.onmicrosoft.com domain"

The send connector (Outbound to Office 365)  does only have the <tenant>.mail.onmicrosoft.com as the only item in the Address space.

Though it seems like when sending an email from on-Premise to O365  (user@domain-a.com) the email should be sent to user@<tenant>.mail.onmicrosoft.com and not domain-0.com (the AD Username)

So when sending to user@domain-a.com the mail ends up in the Queue for domain-0.com. It uses the default send connector which uses External DNS to send email. It looked up the Public MX record for domain-0.com and is using that host to send the email. I had to change the Public DNS MX for domain-0.com to <domain-0.com>01e.mail.protection.outlook.com
Vasil Michev (MVP) commented:
Well, if you haven't yet migrated the mailboxes to O365 as you mentioned above, why would you expect the mail to be redirected to user@tenant.mail.onmicrosoft.com? The bit that makes this possible after the migration is the stamping of the targetaddress attribute of the user object with an SMTP address that points to user@tenant.mail.onmicrosoft.com. For non-migrated users, nothing is changed.
Scott Townsend (IT Director, Author) commented:
Sorry, I'm testing with a Migrated user.

user@domain-a.com is on O365.
me@domain-d.com is on On-Premise

From: me@domain-d.com
To: user@domain-a.com

the email ends up in the Mail Queue for domain-0.com (the user's AD Account Domain, Primary Domain on the O365 Domains List).
Seems like it should have gone to user@tenant.mail.onmicrosoft.com and been sent via the Outbound to Office 365 connector.
Vasil Michev (MVP) commented:
It should, *if* the targetaddress of the user is stamped with user@tenant.mail.onmicrosoft.com. So check for that.
Scott Townsend (IT Director, Author) commented:
Are you referring to the "Routing E-Mail Address"? It is set to domain-0.com

Is this set in the Remote Move Request - Target Delivery Domain? I did select haydon-mill.com as that is the Primary Tenant Domain, though not the tenant name space.

(I'm sure you can tell I'm in over my Head! ;-)

Thanks!
Mahesh (Architect) commented:
As long as TargetAddress is stamped on the user properties pointing to user@tenant.mail.onmicrosoft.com, the mail should get delivered to O365; that is the absolute purpose of the TargetAddress attribute.
You need to ensure that the "onpremise to O365" connector contains all on-premise sending server IPs so that O365 would not reject the email.
Scott Townsend (IT Director, Author) commented:
So I changed the Routing E-Mail Address to the tenant.mail.onmicrosoft.com and I get an error:

SN1NAM04FT022.mail.protection.outlook.com #<SN1NAM04FT022.mail.protection.outlook.com #5.4.1 smtp;550 5.4.1 [user@tenant.mail.onmicrosoft.com]: Recipient address rejected: Access denied [SN1NAM04FT022.eop-NAM04.prod.protection.outlook.com]> #SMTP#

in O365 Portal I do not see the domain: tenant.mail.onmicrosoft.com
I do see tenant.onmicrosoft.com

To setup tenant.mail.onmicrosoft.com as a domain in the O365 Portal It wants me to add DNS Records to MS's DNS Servers.
Mahesh (Architect) commented:
If you navigate to exchange admin panel \ domains, you should see that domain in both places.

How many hub transport servers are there who can send emails to outside? I think all servers are not added to the "onpremise to o365" connector and hence O365 is rejecting the messages.

Also, no need to add any DNS records for Microsoft domains; you cannot do that as it is controlled by MS.
Scott Townsend (IT Director, Author) commented:
Only one On-Premise Server.
On portal.office.com setup/domains I see my own domains and tenant.onmicrosoft.com  
I do NOT see the tenant.mail.onmicrosoft.com

on On-Premise Exchange 2010 Server, Hub Transport I see:
Remote Domains:
  My Own Domains
  tenant.mail.onmicrosoft.com
  tenant.onmicrosoft.com

Accepted Domains:
   My Own Domains
   tenant.mail.onmicrosoft.com

send connector:
Outbound to Office 365 - azureeandm.mail.onmicrosoft.com

receive connector:
Inbound from Office 365 - has all of the MS IPs in it.
Mahesh (Architect) commented:
In the admin panel, navigate to admin center\exchange online and there go to domains; you should see the domain as an accepted domain.

Also remove all internal MX records; those are not required. It may create issues as this is a shared name space scenario and works on internal relay - the TargetAddress mechanism.
Scott Townsend (IT Director, Author) commented:
Exchange admin center
Mail Flow
Accepted Domains
  tenant.mail.onmicrosoft.com  - Authoritative
  tenant.onmicrosoft.com - Authoritative
Scott Townsend (IT Director, Author) commented:
If I do the remote move request I'm guessing I need to select the tenant.mail.onmicrosoft.com target domain for that to be the remote email address that the mail will be sent on at O365.

If I select tenant.mail.onmicrosoft.com I get the following error:
Cannot convert the "Microsoft.Exchange.MailboxReplicationService.TargetDeliveryDomainMismatchPermanentException" value of type "System.String" to type "System.Type". If I select my domain-0.com domain it moves fine.
Mahesh (Architect) commented:
Either set targetaddress on the user account manually OR
try the below article:
http://www.amdocorp.com/movetocloudpowershell
Scott Townsend (IT Director, Author) commented:
Here is what happens if I use PowerShell to move.
[PS] C:\Windows\system32>$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
WARNING: Your connection has been redirected to the following URI: "https://ps.outlook.com/PowerShell-LiveID?PSVersion=2.0 "
[... lots of stuff...]
ModuleType Name                      ExportedCommands
---------- ----                      ----------------
Script     tmp_e4c285dd-498c-4f94... {Get-DeviceComplianceDetailsReportFilter, Get-PublicFolderMigrationReque...

[PS] C:\Windows\system32>New-MoveRequest -identity <user> -Remote -RemoteHostName 'on-premise.server.com' -TargetDeliveryDomain 'tenant.mail.onmicrosoft.com' -Remotecredential $OnPremisesCreds -Bad
VERBOSE: [23:30:25.651 GMT] New-MoveRequest : Active Directory session settings for 'New-MoveRequest' are: View Entire Forest: 'False', Default Scope: '<AD-Domain>', Configuration Domain Controller:
'ADDC.<AD-Domainn>', Preferred Global Catalog: 'addc2.<AD-Domainn>', Preferred Domain Controllers: '{ addc2.<AD-Domainn> }'
VERBOSE: [23:30:25.653 GMT] New-MoveRequest : Runspace context: Executing user: <AD-Domainn>/myOU/Scott, Executing user organization: , Current organization: ,
RBAC-enabled: Enabled.
VERBOSE: [23:30:25.655 GMT] New-MoveRequest : Beginning processing &
VERBOSE: [23:30:25.657 GMT] New-MoveRequest : Instantiating handler with index 0 for cmdlet extension agent "Admin Audit Log Agent".
WARNING: When an item can't be read from the source database or it can't be written to the destination database, it will be considered corrupted. By specifying a non-zero BadItemLimit, you are requesting that
Exchange not copy such items to the destination mailbox. At move completion, these corrupted items won't be available in the destination mailbox.
VERBOSE: [23:30:25.711 GMT] New-MoveRequest : Current ScopeSet is: { Recipient Read Scope: {{, }}, Recipient Write Scopes: {{, }}, Configuration Read Scope: {{, }}, Configuration Write Scope(s): {{, }, }, Exclu
 Recipient Scope(s): {}, Exclusive Configuration Scope(s): {} }
VERBOSE: [23:30:25.738 GMT] New-MoveRequest : Searching objects "<user>" of type "ADUser" under the root "$null".
VERBOSE: [23:30:25.786 GMT] New-MoveRequest : Previous operation run on domain controller 'addc2.<AD-Domainn>'.
VERBOSE: [23:30:25.790 GMT] New-MoveRequest : Processing object "$null".
VERBOSE: [23:30:25.805 GMT] New-MoveRequest : Admin Audit Log: Entered Handler:OnComplete.
Target user '<user name>' already has a primary mailbox.
    + CategoryInfo          : InvalidArgument: (<user>:MailboxOrMailUserIdParameter) [New-MoveRequest], RecipientTaskException
    + FullyQualifiedErrorId : 35586141,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest

VERBOSE: [23:30:25.835 GMT] New-MoveRequest : Ending processing &


Looking this up, it is implying that I should be doing this from Office 365, which is what the New-PSSession is supposed to do.
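Added example, not the thread author's command: one way to make sure the Exchange Online New-MoveRequest is the one that runs when the on-premises Exchange Management Shell also exposes a local New-MoveRequest is to import the remote session with a prefix. The host name, domains, credentials and user below are placeholders.

```powershell
# Added example (not from the thread). Run from the on-premises Exchange
# Management Shell. The Exchange Online cmdlets are imported with the prefix
# "Cloud", so New-MoveRequest (local) and New-CloudMoveRequest (tenant) can
# never be confused. Every name below is a placeholder.
$LiveCred    = Get-Credential -Message 'Office 365 admin'
$OnPremCreds = Get-Credential -Message 'On-premises admin (DOMAIN\user)'

$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://ps.outlook.com/powershell/' `
    -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session -Prefix Cloud -DisableNameChecking | Out-Null

# The remote move is created on the tenant side and pulls the mailbox from the
# on-premises MRS proxy endpoint. TargetDeliveryDomain must be the coexistence
# domain: that is what turns the on-premises object into a remote mailbox whose
# routing address (targetAddress) points at user@tenant.mail.onmicrosoft.com.
New-CloudMoveRequest -Identity 'user@domain-a.com' -Remote `
    -RemoteHostName 'mail.on-premise.example.com' `
    -TargetDeliveryDomain 'tenant.mail.onmicrosoft.com' `
    -RemoteCredential $OnPremCreds -BadItemLimit 10

# Watch the move from the tenant, then confirm the on-premises side was stamped.
Get-CloudMoveRequest -Identity 'user@domain-a.com' |
    Get-CloudMoveRequestStatistics |
    Format-List DisplayName, Status, PercentComplete, Message
Get-RemoteMailbox -Identity 'user@domain-a.com' |
    Format-List RemoteRoutingAddress, EmailAddresses

Remove-PSSession $Session
```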
Scott Townsend (IT Director, Author) commented:
Cannot convert the "Microsoft.Exchange.MailboxReplicationService.TargetDeliveryDomainMismatchPermanentException" value of type "System.String" to type "System.Type".

Okay, I figured this one out. My Company has about 20 Domain Names and I'm using some that are not widely used with employees for testing with email. I added email addresses with the test domains to old Employee accounts and then tried Migrating the accounts, though I didn't remove the non-test domains from the accounts. So they still had email addresses with domains that were not validated for Office 365 yet. After removing the non-validated domains I was able to Migrate users and resources.
Scott Townsend (IT Director, Author) commented:
To get the mail flowing I need to Add the tenant.mail.onmicrosoft.com to the Address Policy to add that email to everyone. We have a dozen Policies (we provide email for a few companies) and I had to add it to all of them.

Once the Address Policy was in place and I had removed the non-test domains from user accounts, I was able to Migrate users and have mail flow from On-Premise to O365.

I still have another issue with sending from O365 to some On-Premise users, though I will start another thread for that since it is not directly related.
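As an added example (not from the thread), a check script for the on-premises Exchange 2010 side that covers the three things the replies above and the author's final fix turn on: the migrated user's remote routing address, the hybrid send connector having only the coexistence domain as its address space, and a tenant.mail.onmicrosoft.com template in every e-mail address policy. The tenant name, the connector name pattern and the user are placeholders.

```powershell
# Added example (not from the thread). Run in the on-premises Exchange 2010
# Management Shell. "tenant" and the user address are placeholders.
$CoexistenceDomain = 'tenant.mail.onmicrosoft.com'
$User = 'user@domain-a.com'

# 1. A migrated user must exist on-premises as a remote mailbox whose routing
#    address (targetAddress) is in the coexistence domain. Otherwise the default
#    send connector resolves the public MX of the address domain instead of
#    handing the message to the "Outbound to Office 365" connector.
$rm = Get-RemoteMailbox -Identity $User -ErrorAction SilentlyContinue
if (-not $rm) {
    Write-Warning "$User is not a remote mailbox on-premises (not migrated, or still a local mailbox)"
} elseif ($rm.RemoteRoutingAddress.ToString() -notlike "*@$CoexistenceDomain") {
    Write-Warning "RemoteRoutingAddress is $($rm.RemoteRoutingAddress); expected *@$CoexistenceDomain"
} else {
    Write-Host "OK: $User routes via $($rm.RemoteRoutingAddress)"
}

# 2. The hybrid send connector should carry exactly one address space.
foreach ($c in (Get-SendConnector | Where-Object { $_.Name -like 'Outbound to Office 365*' })) {
    $spaces = @($c.AddressSpaces | ForEach-Object { $_.Address })
    if ($spaces.Count -ne 1 -or $spaces[0] -ne $CoexistenceDomain) {
        Write-Warning "Connector '$($c.Name)' address spaces: $($spaces -join ', ') (expected only $CoexistenceDomain)"
    } else {
        Write-Host "OK: connector '$($c.Name)' is scoped to $CoexistenceDomain"
    }
}

# 3. Every e-mail address policy must stamp a secondary address in the
#    coexistence domain; users covered by a policy without it cannot get a
#    routing address there.
Get-EmailAddressPolicy | ForEach-Object {
    $templates = @($_.EnabledEmailAddressTemplates | ForEach-Object { $_.ToString() })
    if (-not ($templates | Where-Object { $_ -like "*@$CoexistenceDomain" })) {
        Write-Warning "Address policy '$($_.Name)' has no $CoexistenceDomain template"
    }
}

# 4. Mail for migrated users stuck in a queue named after a customer domain,
#    rather than the coexistence domain, is the symptom seen in this thread.
Get-Queue | Where-Object { $_.MessageCount -gt 0 -and $_.NextHopDomain -ne $CoexistenceDomain } |
    Format-Table Identity, NextHopDomain, MessageCount, LastError -AutoSize
```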