
Exchange 2010 - Office 365 Hybrid Migration - On-Premise to O365 not working

I read somewhere:
As for MX records, these can be pointing to Office 365 or your On Premise Exchange environment, depending on your needs. As long as the Hybrid Configuration Wizard worked correctly, mail flow should be seamless between the two systems.

All of my Internal DNS MX Records are pointing to On-Premise. All of the Public DNS MX records are pointing to Office365.

Mail from O365 to On-Prem is fine.
Mail from On-Prem to O365 is stuck in the Queue for the Domain.
Error: 451 4.4.0 Primary Target IP address responded with: "421 4.2.1 Unable to Connect" Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.

Mail to: user@domain-a.com is getting sent to domain-0.com mail queue.
domain-0.com is the Primary O365 domain.

Here are the results of: get-hybridconfiguration | fl

[PS] C:\Windows\system32>get-hybridconfiguration | fl

RunspaceId                      : de34fead-a695-444b-44e7-44cc4444becb
ClientAccessServers             : {}
TransportServers                : {VSVR-EXCH2010}
SecureMailCertificateThumbprint : 4491AE94D3444C229CBCE4439CDF1444CCB44C244
OnPremisesSmartHost             : mail.<domain-0>.com
Domains                         : {domain-a.com, domain-b.com, domain-b.com, autod:domain-0.com}
Features                        : {FreeBusy, MoveMailbox, Mailtips, MessageTracking, OwaRedirection, OnlineArchive, SecureMail}
ExternalIPAddresses             : {<pub IP Address>}
AdminDisplayName                :
ExchangeVersion                 : 0.10 (
Name                            : Hybrid Configuration
DistinguishedName               : CN=Hybrid Configuration,CN=Hybrid Configuration,CN=myenm,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain-0,DC=com
Identity                        : Hybrid Configuration
Guid                            : 3d96cf44-6f44-4744-a044-dd83e946c344
ObjectCategory                  : domain-0.com/Configuration/Schema/ms-Exch-Coexistence-Relationship
ObjectClass                     : {top, msExchCoexistenceRelationship}
WhenChanged                     : 1/5/2018 5:17:03 PM
WhenCreated                     : 12/7/2017 12:12:37 PM
WhenChangedUTC                  : 1/6/2018 1:17:03 AM
WhenCreatedUTC                  : 12/7/2017 8:12:37 PM
OrganizationId                  :
OriginatingServer               : ADDC.domain-o.COM
IsValid                         : True

Scott Townsend
MAS (MVE), Technical Department Head, commented:
Hi Scott,
Did you run the Hybrid Configuration Wizard?
Did you properly configure DNS on your on-prem server?
Scott Townsend, IT Director (Author), commented:
HCW was run and was Successful. The send connector "Outbound to Office 365" is there as well as the "Inbound from Office 365" receive connector.

I have made the domains I'm working with along with the onmicrosoft.com domains 'Internal Relay' under accepted Domains.

The mail that is trying to be sent to domain-0.com is being sent to the Public IP address for the on-premise mail server.  The on-premise mail server's default send connector does have the 'Use the External DNS lookup on the transport server' set and it is set to google's DNS.

I'm not sure why the email sent to domain-a.com is in the Queue for domain-0.com and not tenant.mail.onmicrosoft.com

Looks like my External DNS for domain-0.com was set to the on-premise server. I changed the MX record to <domain-0.com>.mail.protection.outlook.com and all of the mail in the Queue went out.

I have yet to Migrate a user for a Domain that would have both on-premise and O365 users.
Vasil Michev (MVP) commented:
The send connector on-premises should indeed only feature the tenant.mail.onmicrosoft.com domain, so check your settings. Not sure how that happened, but in general the HCW should detect/warn you for this - check the following KB: https://support.microsoft.com/en-us/help/3087172/-hcw8039-the-hybrid-send-connector-must-only-contain-the-single-addres

Did you happen to select the "centralized mail transport" option when running the HCW?
Scott Townsend, IT Director (Author), commented:
"The send connector on-premises should indeed only feature the tenant.mail.onmicrosoft.com domain"

The send connector (Outbound to Office 365)  does only have the <tenant>.mail.onmicrosoft.com as the only item in the Address space.

Though it seems like when sending an email from on-Premise to O365  (user@domain-a.com) the email should be sent to user@<tenant>.mail.onmicrosoft.com and not domain-0.com (the AD Username)

So when sending to user@domain-a.com the mail ends up in the Queue for domain-0.com. It uses the default send connector, which uses External DNS to send email. It looked up the Public MX record for domain-0.com and is using that host to send the email. I had to change the Public DNS MX for domain-0.com to <domain-0.com>01e.mail.protection.outlook.com
Vasil Michev (MVP) commented:
Well, if you haven't yet migrated the mailboxes to O365 as you mentioned above, why would you expect the mail to be redirected to user@tenant.mail.onmicrosoft.com? The bit that makes this possible after the migration is the stamping of the targetAddress attribute of the user object with an SMTP address that points to user@tenant.mail.onmicrosoft.com. For non-migrated users, nothing is changed.
Scott Townsend, IT Director (Author), commented:
Sorry, I'm testing with a Migrated user.

user@domain-a.com is on O365.
me@domain-d.com is on On-Premise

From: me@domain-d.com
To: user@domain-a.com

The email ends up in the Mail Queue for domain-0.com (the user's AD Account Domain, Primary Domain on the O365 Domains List).
Seems like it should have gone to user@tenant.mail.onmicrosoft.com and been sent via the Outbound to Office 365 connector.
Vasil Michev (MVP) commented:
It should, *if* the targetaddress of the user is stamped with user@tenant.mail.onmicrosoft.com. So check for that.
Scott Townsend, IT Director (Author), commented:
Are you referring to the "Routing E-Mail Address"? It is set to domain-0.com

Is this set in the Remote Move Request - Target Delivery Domain? I did select haydon-mill.com as that is the Primary Tenant Domain, though not the tenant name space.

(I'm sure you can tell I'm in over my Head! ;-)

As long as TargetAddress is stamped on the user properties pointing to user@tenant.mail.onmicrosoft.com, the mail should get delivered to O365; that is the absolute purpose of the TargetAddress attribute.
You need to ensure that the "on-premise to O365" connector contains all on-premise sending server IPs so that O365 will not reject the email.
Scott Townsend, IT Director (Author), commented:
So I changed the Routing E-Mail Address to the tenant.mail.onmicrosoft.com and I get an error:

SN1NAM04FT022.mail.protection.outlook.com #<SN1NAM04FT022.mail.protection.outlook.com #5.4.1 smtp;550 5.4.1 [user@tenant.mail.onmicrosoft.com]: Recipient address rejected: Access denied [SN1NAM04FT022.eop-NAM04.prod.protection.outlook.com]> #SMTP#

In the O365 Portal I do not see the domain: tenant.mail.onmicrosoft.com
I do see tenant.onmicrosoft.com

To set up tenant.mail.onmicrosoft.com as a domain in the O365 Portal it wants me to add DNS Records to MS's DNS Servers.
If you navigate to Exchange admin panel \ domains, you should see that domain in both places.

How many hub transport servers are there that can send email outside? I think not all servers are added to the "on-premise to O365" connector, and hence O365 is rejecting the messages.

Also, there is no need to add any DNS records for Microsoft domains; you cannot do that, as they are controlled by MS.
Scott Townsend, IT Director (Author), commented:
Only one On-Premise Server.
On portal.office.com setup/domains I see my own domains and tenant.onmicrosoft.com  
I do NOT see the tenant.mail.onmicrosoft.com

On the On-Premise Exchange 2010 Server, Hub Transport, I see:
Remote Domains:
  My Own Domains

Accepted Domains:
   My Own Domains

send connector:
Outbound to Office 365 - azureeandm.mail.onmicrosoft.com

receive connector:
Inbound from Office 365 - has all of the MS IPs in it.
In the admin panel, navigate to Admin center \ Exchange Online and there go to Domains; you should see the domain as an accepted domain.

Also remove all internal MX records; those are not required, and they may create issues, as this is a shared name space scenario and works on internal relay (the TargetAddress mechanism).
Scott Townsend, IT Director (Author), commented:
Exchange admin center
Mail Flow
Accepted Domains
  tenant.mail.onmicrosoft.com  - Authoritative
  tenant.onmicrosoft.com - Authoritative
Scott Townsend, IT Director (Author), commented:
If I do the remote move request I'm guessing I need to select the tenant.mail.onmicrosoft.com target domain for that to be the remote email address that the mail will be sent on at O365.

If I select tenant.mail.onmicrosoft.com I get the following error:
Cannot convert the "Microsoft.Exchange.MailboxReplicationService.TargetDeliveryDomainMismatchPermanentException" value of type "System.String" to type "System.Type".
If I select my domain-0.com domain it moves fine.
Either set targetAddress on the user account manually OR
try the below article
Scott Townsend, IT Director (Author), commented:
Here is what happens if I use PowerShell to move.
[PS] C:\Windows\system32>$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
WARNING: Your connection has been redirected to the following URI: "https://ps.outlook.com/PowerShell-LiveID?PSVersion=2.0 "
[... lots of stuff...]
ModuleType Name                      ExportedCommands
---------- ----                      ----------------
Script     tmp_e4c285dd-498c-4f94... {Get-DeviceComplianceDetailsReportFilter, Get-PublicFolderMigrationReque...

[PS] C:\Windows\system32>New-MoveRequest -identity <user> -Remote -RemoteHostName 'on-premise.server.com' -TargetDeliveryDomain 'tenant.mail.onmicrosoft.com' -Remotecredential $OnPremisesCreds -Bad
VERBOSE: [23:30:25.651 GMT] New-MoveRequest : Active Directory session settings for 'New-MoveRequest' are: View Entire Forest: 'False', Default Scope: '<AD-Domain>', Configuration Domain Controller:
'ADDC.<AD-Domainn>', Preferred Global Catalog: 'addc2.<AD-Domainn>', Preferred Domain Controllers: '{ addc2.<AD-Domainn> }'
VERBOSE: [23:30:25.653 GMT] New-MoveRequest : Runspace context: Executing user: <AD-Domainn>/myOU/Scott, Executing user organization: , Current organization: ,
RBAC-enabled: Enabled.
VERBOSE: [23:30:25.655 GMT] New-MoveRequest : Beginning processing &
VERBOSE: [23:30:25.657 GMT] New-MoveRequest : Instantiating handler with index 0 for cmdlet extension agent "Admin Audit Log Agent".
WARNING: When an item can't be read from the source database or it can't be written to the destination database, it will be considered corrupted. By specifying a non-zero BadItemLimit, you are requesting that
Exchange not copy such items to the destination mailbox. At move completion, these corrupted items won't be available in the destination mailbox.
VERBOSE: [23:30:25.711 GMT] New-MoveRequest : Current ScopeSet is: { Recipient Read Scope: {{, }}, Recipient Write Scopes: {{, }}, Configuration Read Scope: {{, }}, Configuration Write Scope(s): {{, }, }, Exclu
 Recipient Scope(s): {}, Exclusive Configuration Scope(s): {} }
VERBOSE: [23:30:25.738 GMT] New-MoveRequest : Searching objects "<user>" of type "ADUser" under the root "$null".
VERBOSE: [23:30:25.786 GMT] New-MoveRequest : Previous operation run on domain controller 'addc2.<AD-Domainn>'.
VERBOSE: [23:30:25.790 GMT] New-MoveRequest : Processing object "$null".
VERBOSE: [23:30:25.805 GMT] New-MoveRequest : Admin Audit Log: Entered Handler:OnComplete.
Target user '<user name>' already has a primary mailbox.
    + CategoryInfo          : InvalidArgument: (<user>:MailboxOrMailUserIdParameter) [New-MoveRequest], RecipientTaskException
    + FullyQualifiedErrorId : 35586141,Microsoft.Exchange.Management.RecipientTasks.NewMoveRequest

VERBOSE: [23:30:25.835 GMT] New-MoveRequest : Ending processing &

Looking this up, it implies that I should be doing this from Office 365, which is what the New-PSSession is supposed to do.
Scott Townsend, IT Director (Author), commented:
Cannot convert the "Microsoft.Exchange.MailboxReplicationService.TargetDeliveryDomainMismatchPermanentException" value of type "System.String" to type "System.Type".

Okay I figured this one out. My Company has about 20 Domain Names and I'm using some that are not widely used with employees for testing with email.  I added email addresses with the test domains to old Employee accounts and then tried Migrating the accounts.  Though I didn't remove the non-test domains from the accounts. So they still had email addresses with domains that were not validated for Office 365 yet. After removing the non validated domains I was able to Migrate users and resources.
Scott Townsend, IT Director (Author), commented:
To get the mail flowing I need to Add the tenant.mail.onmicrosoft.com to the Address Policy to add that email to everyone. We have a dozen Policies (we provide email for a few companies) and I had to add it to all of them.

Once the Address Policy was in place and I had removed the non-test domains from user accounts, I was able to Migrate users and have mail flow from On-Premise to O365.

I still have another issue with sending from O365 to some On-Premise users, though I will start another thread for that since it is not directly related.
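The thread turns on three on-premises settings: the hybrid send connector's address space (Vasil's first reply), the targetAddress / RemoteRoutingAddress stamped on migrated users (the replies around "check for that"), and the address policy that hands every user a coexistence-domain alias (the author's last comment). The script below is an added diagnostic, not code from the thread; it assumes the Exchange Management Shell on the on-premises server and a placeholder coexistence domain you substitute with your own.

```powershell
# Added example, not from the thread. Run in the on-premises Exchange Management Shell.
$CoexistenceDomain = 'tenant.mail.onmicrosoft.com'   # placeholder: substitute your tenant's coexistence domain

# 1. The HCW send connector should carry the coexistence domain as its only address space
#    (HCW8039). Anything else can route hybrid mail out through the default connector.
function Test-HybridSendConnector {
    Get-SendConnector | Where-Object { $_.Name -like '*Office 365*' } | ForEach-Object {
        $spaces = @($_.AddressSpaces | ForEach-Object { $_.Address })
        [pscustomobject]@{
            Connector       = $_.Name
            AddressSpaces   = ($spaces -join ', ')
            OnlyCoexistence = ($spaces.Count -eq 1 -and $spaces[0] -eq $CoexistenceDomain)
        }
    }
}

# 2. Migrated users exist on-prem as remote mailboxes. Their RemoteRoutingAddress is the
#    targetAddress attribute; if it does not point into the coexistence domain, on-prem
#    transport routes the message by the user's primary domain instead (the queue the
#    author saw for domain-0.com).
function Find-MisroutedRemoteMailbox {
    Get-RemoteMailbox -ResultSize Unlimited |
        Where-Object { $_.RemoteRoutingAddress.ToString() -notlike "*@$CoexistenceDomain" } |
        Select-Object Name, PrimarySmtpAddress, RemoteRoutingAddress
}

# 3. Every address policy must stamp a coexistence-domain alias, or New-MoveRequest with
#    -TargetDeliveryDomain fails with TargetDeliveryDomainMismatchPermanentException.
function Find-PolicyMissingCoexistenceAlias {
    Get-EmailAddressPolicy | Where-Object {
        -not ($_.EnabledEmailAddressTemplates | Where-Object { "$_" -like "*@$CoexistenceDomain" })
    } | Select-Object Name, Priority
}

Test-HybridSendConnector | Format-Table -AutoSize
Find-MisroutedRemoteMailbox | Format-Table -AutoSize
Find-PolicyMissingCoexistenceAlias | Format-Table -AutoSize
```

Empty output from the second and third functions, and OnlyCoexistence = True from the first, are the states the thread converged on; each listed row is one object to correct before retrying the move.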
Question has a verified solution.