Scott Townsend

Exchange 2010 - Office 365 Hybrid Migration - On-Premise to O365 not working

I read somewhere:
As for MX records, these can be pointing to Office 365 or your On Premise Exchange environment, depending on your needs. As long as the Hybrid Configuration Wizard worked correctly, mail flow should be seamless between the two systems.

All of my Internal DNS MX Records are pointing to On-Premise. All of the Public DNS MX records are pointing to Office365.

Mail from O365 to On-Prem is fine.
Mail from On-Prem to O365 is stuck in the Queue for the Domain.
Error: 451 4.4.0 Primary Target IP address responded with: "421 4.2.1 Unable to Connect" Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.

Mail to: user@domain-a.com is getting sent to domain-0.com mail queue.
domain-0.com is the Primary O365 domain.

Here are the results of: get-hybridconfiguration | fl

[PS] C:\Windows\system32>get-hybridconfiguration | fl


RunspaceId                      : de34fead-a695-444b-44e7-44cc4444becb
ClientAccessServers             : {}
TransportServers                : {VSVR-EXCH2010}
SecureMailCertificateThumbprint : 4491AE94D3444C229CBCE4439CDF1444CCB44C244
OnPremisesSmartHost             : mail.<domain-0>.com
Domains                         : {domain-a.com, domain-b.com, domain-b.com, autod:domain-0.com}
Features                        : {FreeBusy, MoveMailbox, Mailtips, MessageTracking, OwaRedirection, OnlineArchive, SecureMail}
ExternalIPAddresses             : {<pub IP Address>}
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
Name                            : Hybrid Configuration
DistinguishedName               : CN=Hybrid Configuration,CN=Hybrid Configuration,CN=myenm,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain-0,DC=com
Identity                        : Hybrid Configuration
Guid                            : 3d96cf44-6f44-4744-a044-dd83e946c344
ObjectCategory                  : domain-0.com/Configuration/Schema/ms-Exch-Coexistence-Relationship
ObjectClass                     : {top, msExchCoexistenceRelationship}
WhenChanged                     : 1/5/2018 5:17:03 PM
WhenCreated                     : 12/7/2017 12:12:37 PM
WhenChangedUTC                  : 1/6/2018 1:17:03 AM
WhenCreatedUTC                  : 12/7/2017 8:12:37 PM
OrganizationId                  :
OriginatingServer               : ADDC.domain-o.COM
IsValid                         : True

SOLUTION
M A

Scott Townsend

ASKER

HCW was run and was Successful. The send connector "Outbound to Office 365" is there as well as the "Inbound from Office 365" receive connector.

I have made the domains I'm working with along with the onmicrosoft.com domains 'Internal Relay' under accepted Domains.

The mail that is trying to be sent to domain-0.com is being sent to the Public IP address for the on-premise mail server. The on-premise mail server's default send connector does have the 'Use the External DNS lookup on the transport server' set and it is set to Google's DNS.

I'm not sure why the email sent to domain-a.com is in the Queue for domain-0.com and not tenant.mail.onmicrosoft.com

Looks like my External DNS for domain-0.com was set to the on-premise server. I changed the MX record to <domain-0.com>.mail.protection.outlook.com and all of the mail in the Queue went out.

I have yet to Migrate a user for a Domain that would have both on-premise and O365 users.
The send connector on-premises should indeed only feature the tenant.mail.onmicrosoft.com domain, so check your settings. Not sure how that happened, but in general the HCW should detect/warn you for this - check the following KB: https://support.microsoft.com/en-us/help/3087172/-hcw8039-the-hybrid-send-connector-must-only-contain-the-single-addres

Did you happen to select the "centralized mail transport" option when running the HCW?
Scott Townsend

ASKER

The send connector on-premises should indeed only feature the tenant.mail.onmicrosoft.com domain

The send connector (Outbound to Office 365)  does only have the <tenant>.mail.onmicrosoft.com as the only item in the Address space.

Though it seems like when sending an email from on-Premise to O365  (user@domain-a.com) the email should be sent to user@<tenant>.mail.onmicrosoft.com and not domain-0.com (the AD Username)

So when sending to user@domain-a.com the mail ends up in the Queue for domain-0.com. It uses the default send connector which uses External DNS to send email. It looked up the Public MX record for domain-0.com and is using that host to send the email. I had to change the Public DNS MX for domain-0.com to <domain-0.com>01e.mail.protection.outlook.com
SOLUTION
Scott Townsend

ASKER

Sorry, I'm testing with a Migrated user.

user@domain-a.com is on O365.
me@domain-d.com is on On-Premise

From: me@domain-d.com
To: user@domain-a.com

The email ends up in the Mail Queue for domain-0.com (the user's AD Account Domain, Primary Domain on O365 Domains List).
Seems like it should have gone to user@tenant.mail.onmicrosoft.com and been sent via the Outbound to Office 365 connector.
SOLUTION
Scott Townsend

ASKER

Are you referring to the "Routing E-Mail Address"? It is set to domain-0.com

Is this set in the Remote Move Request - Target Delivery Domain? I did select haydon-mill.com as that is the Primary Tenant Domain, though not the tenant name space.

(I'm sure you can tell I'm in over my Head! ;-)

Thanks!
SOLUTION
Mahesh

Scott Townsend

ASKER

So I changed the Routing E-Mail Address to the tenant.mail.onmicrosoft.com and I get an error:

SN1NAM04FT022.mail.protection.outlook.com #<SN1NAM04FT022.mail.protection.outlook.com #5.4.1 smtp;550 5.4.1 [user@tenant.mail.onmicrosoft.com]: Recipient address rejected: Access denied [SN1NAM04FT022.eop-NAM04.prod.protection.outlook.com]> #SMTP#

In the O365 Portal I do not see the domain: tenant.mail.onmicrosoft.com
I do see tenant.onmicrosoft.com

To set up tenant.mail.onmicrosoft.com as a domain in the O365 Portal, it wants me to add DNS Records to MS's DNS Servers.
Mahesh

If you navigate to exchange admin panel \ domains, you should see that domain at both places.

How many hub transport servers are there who can send emails to outside? I think all servers are not added to the onpremise to o365 connector, and hence O365 is rejecting the messages.

Also, no need to add any DNS records for Microsoft domains; you cannot do that as it is controlled by MS.
Scott Townsend

ASKER

Only one On-Premise Server.
On portal.office.com setup/domains I see my own domains and tenant.onmicrosoft.com  
I do NOT see the tenant.mail.onmicrosoft.com

on On-Premise Exchange 2010 Server, Hub Transport I see:
Remote Domains:
  My Own Domains
  tenant.mail.onmicrosoft.com
  tenant.onmicrosoft.com

Accepted Domains:
   My Own Domains
   tenant.mail.onmicrosoft.com

send connector:
Outbound to Office 365 - azureeandm.mail.onmicrosoft.com

receive connector:
Inbound from Office 365 - has all of the MS IPs in it.
SOLUTION
Mahesh

Scott Townsend

ASKER

Exchange admin center
Mail Flow
Accepted Domains
  tenant.mail.onmicrosoft.com  - Authoritative
  tenant.onmicrosoft.com - Authoritative
Scott Townsend

ASKER

If I do the remote move request I'm guessing I need to select the tenant.mail.onmicrosoft.com target domain for that to be the remote email address that the mail will be sent on at O365.

If I select tenant.mail.onmicrosoft.com I get the following error:
Cannot convert the "Microsoft.Exchange.MailboxReplicationService.TargetDeliveryDomainMismatchPermanentException" value of type "System.String" to type "System.Type".

If I select my domain-0.com domain it moves fine.
ASKER CERTIFIED SOLUTION
Mahesh

Scott Townsend

ASKER

Here is what happens if I use PowerShell to move.
[PS] C:\Windows\system32>$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
WARNING: Your connection has been redirected to the following URI: "https://ps.outlook.com/PowerShell-LiveID?PSVersion=2.0 "
[... lots of stuff...]
ModuleType Name                      ExportedCommands
---------- ----                      ----------------
Script     tmp_e4c285dd-498c-4f94... {Get-DeviceComplianceDetailsReportFilter, Get-PublicFolderMigrationReque...

[PS] C:\Windows\system32>New-MoveRequest -identity <user> -Remote -RemoteHostName 'on-premise.server.com' -TargetDeliveryDomain 'tenant.mail.onmicrosoft.com' -Remotecredential $OnPremisesCreds -Bad
VERBOSE: [23:30:25.651 GMT] New-MoveRequest : Active Directory session settings for 'New-MoveRequest' are: View Entire Forest: 'False', Default Scope: '<AD-Domain>', Configuration Domain Controller:
'ADDC.<AD-Domainn>', Preferred Global Catalog: 'addc2.<AD-Domainn>', Preferred Domain Controllers: '{ addc2.<AD-Domainn> }'
VERBOSE: [23:30:25.653 GMT] New-MoveRequest : Runspace context: Executing user: <AD-Domainn>/myOU/Scott, Executing user organization: , Current organization: ,
RBAC-enabled: Enabled.
VERBOSE: [23:30:25.655 GMT] New-MoveRequest : Beginning processing &
VERBOSE: [23:30:25.657 GMT] New-MoveRequest : Instantiating handler with index 0 for cmdlet extension agent "Admin Audit Log Agent".
WARNING: When an item can't be read from the source database or it can't be written to the destination database, it will be considered corrupted. By specifying a non-zero BadItemLimit, you are requesting that
Exchange not copy such items to the destination mailbox. At move completion, these corrupted items won't be available in the destination mailbox.
VERBOSE: [23:30:25.711 GMT] New-MoveRequest : Current ScopeSet is: { Recipient Read Scope: {{, }}, Recipient Write Scopes: {{, }}, Configuration Read Scope: {{, }}, Configuration Write Scope(s): {{, }, }, Exclu
 Recipient Scope(s): {}, Exclusive Configuration Scope(s): {} }
VERBOSE: [23:30:25.738 GMT] New-MoveRequest : Searching objects "<user>" of type "ADUser" under the root "$null".
VERBOSE: [23:30:25.786 GMT] New-MoveRequest : Previous operation run on domain controller 'addc2.<AD-Domainn>'.
VERBOSE: [23:30:25.790 GMT] New-MoveRequest : Processing object "$null".
VERBOSE: [23:30:25.805 GMT] New-MoveRequest : Admin Audit Log: Entered Handler:OnComplete.
Target user '<user name>' already has a primary mailbox.
    + CategoryInfo          : InvalidArgument: (<user>:MailboxOrMailUserIdParameter) [New-MoveRequest], RecipientTaskException
    + FullyQualifiedErrorId : 35586141,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest

VERBOSE: [23:30:25.835 GMT] New-MoveRequest : Ending processing &

Looking this up, it is implying that I should be doing this from Office365, which is what the New-PSSession is supposed to do.
Scott Townsend

ASKER

Cannot convert the "Microsoft.Exchange.MailboxReplicationService.TargetDeliveryDomainMismatchPermanentException" value of type "System.String" to type "System.Type".

Okay I figured this one out. My Company has about 20 Domain Names and I'm using some that are not widely used with employees for testing with email.  I added email addresses with the test domains to old Employee accounts and then tried Migrating the accounts.  Though I didn't remove the non-test domains from the accounts. So they still had email addresses with domains that were not validated for Office 365 yet. After removing the non validated domains I was able to Migrate users and resources.
Scott Townsend

ASKER

To get the mail flowing I need to Add the tenant.mail.onmicrosoft.com to the Address Policy to add that email to everyone. We have a dozen Policies (we provide email for a few companies) and I had to add it to all of them.

Once the Address Policy was in place and I removed the non-test domains from user accounts I was able to Migrate users and have mail flow from On-Premise to O365.

I still have another issue with sending from O365 to some On-Premise users though I will start another thread for that since it is not directly related.
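
A pre-migration check built around the two fixes described in the last posts (added example, not part of the original thread): it flags SMTP proxy addresses whose domain is not validated in the tenant, and mailboxes that lack the tenant.mail.onmicrosoft.com routing address. The function name, the .example domains and the sample mailboxes are constructed for illustration; syntax is kept to PowerShell 2.0.

```powershell
# Added example: function name and sample data are constructed, not from the thread.
function Test-HybridMoveReadiness {
    param(
        [string]   $Identity,
        [string[]] $ProxyAddresses,    # "SMTP:user@domain" style strings
        [string[]] $ValidatedDomains,  # domains verified in the Office 365 tenant
        [string]   $RoutingDomain      # <tenant>.mail.onmicrosoft.com
    )
    $unvalidated = @()
    $hasRouting  = $false
    foreach ($address in $ProxyAddresses) {
        # Only SMTP proxies are relevant; X500, SIP and others are skipped.
        if ($address -notmatch '^smtp:[^@]+@(.+)$') { continue }
        $domain = $Matches[1]
        if ($domain -eq $RoutingDomain) {
            $hasRouting = $true
        } elseif ($ValidatedDomains -notcontains $domain) {
            # A leftover address in a non-validated domain blocks the move.
            $unvalidated += $address
        }
    }
    New-Object PSObject -Property @{
        Identity           = $Identity
        HasRoutingAddress  = $hasRouting
        UnvalidatedProxies = ($unvalidated -join ', ')
        ReadyToMove        = ($hasRouting -and $unvalidated.Count -eq 0)
    }
}

# Constructed sample input (placeholder domains and users).
$validated = 'domain-a.example', 'domain-0.example'
$routing   = 'tenant.mail.onmicrosoft.com'
$sample = @(
    @{ Id = 'migrated-ok'; Addresses = 'SMTP:u1@domain-a.example', 'smtp:u1@tenant.mail.onmicrosoft.com' },
    @{ Id = 'stale-proxy'; Addresses = 'SMTP:u2@domain-a.example', 'smtp:u2@not-validated.example', 'smtp:u2@tenant.mail.onmicrosoft.com' },
    @{ Id = 'no-routing';  Addresses = 'SMTP:u3@domain-0.example' }
)

$sample | ForEach-Object {
    Test-HybridMoveReadiness -Identity $_.Id -ProxyAddresses $_.Addresses `
        -ValidatedDomains $validated -RoutingDomain $routing
} | Select-Object Identity, HasRoutingAddress, ReadyToMove, UnvalidatedProxies
```

On a live server the address strings would come from each mailbox's EmailAddresses property as returned by Get-Mailbox, and the validated list from the domains verified in the tenant.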