Simon Leung
How to configure Exchange 2010 hybrid mode

I am moving my on-premises Exchange 2010 mailboxes to the cloud. AD users have been synchronized to the cloud and the company mail domain has been set up. However, I haven't set up the MX or SPF at this stage.

Trying to configure the Exchange Hybrid setup on my server, I encounter the following problem. Any idea? I have the mailbox database role on one server, CAS and Hub Transport on another server. A Fortigate firewall is used to map the external address to the internal CAS. A wildcard certificate is deployed.

How do I fix my problem? As I will eventually phase out my server, should all mail go through the cloud first and then the local server? Any more guidance on the hybrid configuration?

Thx
MailServer01.png
MailServer02.png
Jakob Digranes
I guess you're on a supported CU and patch level?

I'd look into the certificate used for other send connectors

get-ExchangeCertificate | select Subject, issuer, services
the certificate you're using:
1. is it a wildcard certificate?
2. is it public or private certificate?  
3. is it by any chance SHA1?
4. get-sendConnector | fl - for your existing send-connector, which certificate is in use?
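The four certificate questions above, as an added example that is not code from the thread: it lists every Exchange 2010 certificate with the properties asked about (public vs self-signed, wildcard, signature algorithm, expiry) and then works out which SMTP-enabled certificate each send connector will present for TLS. Exchange 2010 send connectors have no TlsCertificateName; Exchange takes the SMTP certificate whose subject or SAN matches the connector's Fqdn, which is what the second half reproduces. No names are assumed; it reads everything from the org. Run it in the Exchange Management Shell (PowerShell 2.0 syntax on purpose, since that is what Exchange 2010 on Server 2008 R2 ships with).

```powershell
# Added example, not from the thread: certificate audit plus send-connector
# TLS certificate selection on Exchange 2010. No assumed names.

$certs = @(Get-ExchangeCertificate)

# Properties Jakob asks about. sha1RSA is the signature algorithm to replace.
$certs | Select-Object Thumbprint, Subject, Services, NotAfter,
    @{ n = 'SelfSigned'; e = { $_.Subject -eq $_.Issuer } },
    @{ n = 'Wildcard';   e = { [bool]($_.CertificateDomains -match '^\*\.') } },
    @{ n = 'SigAlg';     e = { $_.SignatureAlgorithm.FriendlyName } },
    @{ n = 'Expired';    e = { $_.NotAfter -lt (Get-Date) } } |
    Format-Table -AutoSize

# Only certificates with the SMTP service enabled are candidates for SMTP TLS.
$smtpCerts = $certs | Where-Object { $_.Services -match 'SMTP' }

Get-SendConnector | ForEach-Object {
    $conn = $_
    $fqdn = if ($conn.Fqdn) { $conn.Fqdn.ToString().ToLower() } else { '' }
    $match = $smtpCerts | Where-Object {
        $names = @($_.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
        # exact SAN match, or a wildcard SAN (*.example.com) that covers the FQDN
        ($names -contains $fqdn) -or
        (@($names | Where-Object { $_.StartsWith('*.') -and $fqdn -like $_ }).Count -gt 0)
    }
    $thumbs = if ($match) { @($match | ForEach-Object { $_.Thumbprint }) -join ',' }
              else        { 'NONE (Exchange falls back to a self-signed certificate)' }
    New-Object PSObject -Property @{
        Connector  = $conn.Name
        Fqdn       = $fqdn
        RequireTLS = $conn.RequireTLS
        TlsDomain  = $conn.TlsDomain
        CertForTls = $thumbs
        SelfSigned = [bool]@($match | Where-Object { $_.Subject -eq $_.Issuer }).Count
    }
} | Select-Object Connector, Fqdn, RequireTLS, TlsDomain, CertForTls, SelfSigned | Format-Table -AutoSize
```

A connector whose CertForTls comes back as NONE or as a self-signed thumbprint is the one to fix before running the Hybrid Configuration Wizard: either set the connector's Fqdn to a name on the public certificate, or enable SMTP on that certificate with Enable-ExchangeCertificate.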
ASKER CERTIFIED SOLUTION
Mahesh
This solution is only available to members.
Simon Leung (asker)
My certificate is a wildcard cert supporting SHA. I ran the Hybrid Configuration on the cloud side and the following setup was added in my on-premises Exchange. Can I point my MX to Microsoft now and start the migration? Then I can get rid of the subscription license for my antivirus gateway. Is there anything I can check to ensure the setup is correct before the DNS switchover? For new users, can I simply create them on the cloud?

Where should I carry out the mailbox migration ?

[PS] C:\Windows\system32>get-ExchangeCertificate | select Subject, issuer, services

Subject                                 Issuer                                                                 Services
-------                                 ------                                                                 --------
CN=Federation                           CN=Federation                                                  SMTP, Federation
CN=Federation                           CN=Federation                                                              None
CN=Federation                           CN=Federation                                                              SMTP
CN=*.xxxxsssssssssss.com, OU=Domain ... CN=Go Daddy Secure Certificate Autho...                               IIS, SMTP
CN=*.xxxxxxxxxxxxxxx.com, OU=Domain ... CN=Go Daddy Secure Certificate Autho...                                    SMTP
CN=Mxxxxxxxxxxx                         CN=Mxxxxxxxx                                                               SMTP


Cloud02.png
Cloud04.png
Cloud05.png
One more thing: after running the Hybrid Configuration, the following message pops up:
HCW8057 - Office 365 was unable to communicate with your on-premises Autodiscover endpoint. This is typically due to incorrect DNS or firewall configuration. The Office 365 tenant is currently configured to use the following URL for Autodiscover queries from Office 365 tenant to the on-premises organization - https://autodiscover.xxxx/autodiscover/autodiscover.svc/WSSecurity.

Thx again.
You can initiate a test mailbox migration to test with

Run the hybrid configuration wizard again from the Exchange Online setup and check if it succeeds
I believe you have published both autodiscover and mail endpoints to internet
I can migrate an on-premises mailbox to the cloud.
However, the MX, TXT and CNAME records for the cloud haven't been added to my company email domain. Right now, I find that the mailbox on the cloud can't be resolved successfully. Is this caused by these records missing from my DNS?

So, should I add these 3 records (TXT, MX and CNAME) to my DNS? My current MX is 10. Should I add Microsoft's MX with 20? Can two CNAME records co-exist, one autodiscover pointing to my server and one autodiscover pointing to the Microsoft server?

Thx again.
No
autodiscover should point to on-premises Exchange only until you migrate all mailboxes - after that you could set autodiscover to point to O365 and set the on-premises internal SCP to $null - that's later-stage config

No need to add a 2nd MX right now pointing to O365 - that can be achieved after you migrate all mailboxes to O365

TXT as in you are referring to SPF?
You need to add include:spf.protection.outlook.com to your SPF record - this needs to be done right away

If O365 mailboxes are not able to resolve, you have problem with sharing policy

rerun your hybrid config wizard and follow steps provided in wizard in line and your problem should get resolved
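The checks the asker wanted "before the DNS switchover", plus the SPF, single-autodiscover and HCW8057 points from the replies above, as an added example that is not code from the thread. It queries public DNS from the outside (what Office 365 sees, not the internal resolver), then tests TCP 443, the certificate name presented on it, and the WS-Security Autodiscover URL the HCW8057 message cites. Assumed names: example.com is the accepted domain, autodiscover.example.com the published CAS name, 8.8.8.8 just a public resolver; the reading of HTTP status codes in step 5 is my interpretation. It needs PowerShell 3+ with Resolve-DnsName and Test-NetConnection (Windows 8 / Server 2012 or later), so run it from an admin workstation rather than the Exchange 2010 box.

```powershell
# Added example, not from the thread: external pre-cutover checks for a hybrid.
# Assumed: example.com / autodiscover.example.com; 8.8.8.8 as a public resolver.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]'Tls,Tls11,Tls12'
$Domain   = 'example.com'
$AutoD    = "autodiscover.$Domain"
$Resolver = '8.8.8.8'
$results  = New-Object System.Collections.ArrayList

function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    [void]$results.Add([pscustomobject]@{ Check = $Name; OK = $Ok; Detail = $Detail })
}

# 1. MX: until every mailbox is moved this should still be the on-prem gateway.
$mx = @(Resolve-DnsName -Name $Domain -Type MX -Server $Resolver -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'MX' } | Sort-Object Preference)
Add-Check 'MX records' ($mx.Count -gt 0) (($mx | ForEach-Object { "$($_.Preference) $($_.NameExchange)" }) -join '; ')

# 2. SPF: EOP must be authorised to send for the domain as soon as one mailbox is in the cloud.
$spf = Resolve-DnsName -Name $Domain -Type TXT -Server $Resolver -ErrorAction SilentlyContinue |
       ForEach-Object { $_.Strings -join '' } | Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1
Add-Check 'SPF includes EOP' ($spf -like '*include:spf.protection.outlook.com*') "$spf"

# 3. Only one autodiscover name can exist; while mailboxes remain on-prem it points at the CAS.
$ad = @(Resolve-DnsName -Name $AutoD -Server $Resolver -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -in 'A','CNAME' })
Add-Check 'autodiscover resolves' ($ad.Count -gt 0) (($ad | ForEach-Object { "$($_.Type) $($_.NameHost)$($_.IPAddress)" }) -join '; ')

# 4. TCP 443 from the internet, and the certificate served there must carry the name.
$tcp = Test-NetConnection -ComputerName $AutoD -Port 443 -WarningAction SilentlyContinue
Add-Check 'TCP 443 to autodiscover' $tcp.TcpTestSucceeded "$($tcp.RemoteAddress)"
try {
    $client = New-Object Net.Sockets.TcpClient($AutoD, 443)
    # accept any chain here; the name check below is what we are after
    $accept = { $true } -as [Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object Net.Security.SslStream($client.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($AutoD)
    $cert = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    $san = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $nameOk = ($cert.Subject -like "CN=$AutoD*") -or ($cert.Subject -like "CN=[*].$Domain*") -or
              ($san -like "*$AutoD*") -or ($san -like "*[*].$Domain*")
    Add-Check 'TLS cert covers autodiscover name' $nameOk "$($cert.Subject); expires $($cert.NotAfter.ToShortDateString()); $($cert.SignatureAlgorithm.FriendlyName)"
    $ssl.Dispose(); $client.Close()
} catch { Add-Check 'TLS handshake' $false $_.Exception.Message }

# 5. The URL HCW8057 quotes. Any HTTP status other than 404 shows the path is published
#    through the firewall (401 is normal for an anonymous GET); a DNS or timeout error means it is not.
$url = "https://$AutoD/autodiscover/autodiscover.svc/WSSecurity"
try {
    $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15
    Add-Check 'WSSecurity endpoint' ($r.StatusCode -ne 404) "HTTP $($r.StatusCode)"
} catch [System.Net.WebException] {
    $resp = $_.Exception.Response
    if ($resp) { Add-Check 'WSSecurity endpoint' ([int]$resp.StatusCode -ne 404) "HTTP $([int]$resp.StatusCode)" }
    else       { Add-Check 'WSSecurity endpoint' $false $_.Exception.Message }
}

$results | Format-Table -AutoSize
```

Every row should read OK before the MX moves; the "SPF includes EOP" row is the one Mahesh says must be green already, and the last two rows are what HCW8057 is complaining about when they fail.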
Is there any harm in adding the Microsoft MX (with a priority number larger than the current one) and the autodiscover CNAME pointing to the Microsoft server?

I have talked to MS support and they recommend me to add the records in my existing DNS. I have rerun the Hybrid Configuration but it doesn't help.

Thx again.
For MX, you can add one more MX with high priority

OR
You can even add the O365 MX with high priority (lower number) if you want

However, for autodiscover you must point it to on-premises while you still have mailboxes on-premises
Still doesn't work. It seems that the migrated mailbox can't send out any email, although it can receive emails. Besides, access from Outlook is always disconnected. Web access works fine.
If the migrated users access my corporate web access URL, it asks the users to redirect to

http://outlook.com/owa/xxxxxxx.com.hk

However, "xxxxxxx.com.hk" is not the primary email address domain for the migrated users. The captioned domain is only one of the accepted domains for our Exchange.


I tried rerunning the Hybrid Configuration several times, using "Exchange Classic Hybrid Topology" with "Enable centralized mail transport" checked or unchecked.

My existing Topology

IMSVA (antivirus/spam gateway) > Mail1 (CAS, Transport) --> Mail2

When it asks for the fully qualified domain name for my on-premises organization, I have tried the public IP address of my IMSVA (port 25 opened), and my mail1 (port 25 / 443 opened). But it still doesn't work. In my case, should incoming mail point to IMSVA or my CAS server?

Do I need to set up a Federated AD server? Any ideas for further tests are appreciated.

Thx again.
Hi ---- Mahesh has more or less got you covered here, no intention to hijack this.
Looks like there are several issues - so let's work systematically

1. outlook clients won't connect to cloud mailboxes after migration?
2. they can receive emails, but not send

1. Outlook connection problem - make sure these settings are correct
- Does the cloud mailbox have a remote mailbox on-premises? get-remotemailbox
- if it does - make sure the remote mailbox has a corresponding RemoteRoutingAddress that points to a mail address the user has in Exchange Online, this address must be of the following format somethingsomething@yourdomain.onmicrosoft.com
- if they have a remote mailbox, and with a correct remote routing address - test autodiscover from an Outlook client.
*Test AutoDiscover*:
- open a working Outlook profile (like an on-premises user, no need to be the same user)
- hold CTRL and choose Outlook icon in system tray and choose Test Email Autoconfiguration
- Enter address of Exchange Online mailbox, using his primary SMTP address (somethingsomething@yourdomain.com)
- Enter password
- Remove GuessSmart checkboxes and choose test
- look at LOG while testing. autodiscover should pick up the autodiscover URI from the SCP in the domain, it should then contact your on-premises Exchange looking for the mailbox. Exchange would respond with "this mailbox is not here - redirecting to autodiscover of somethingsomething@yourdomain.onmicrosoft.com", which would be Exchange Online - which in turn would respond with "Yes - mailbox is here - in Exchange Online".
- If redirect doesn't happen - look at remote mailbox and target address again.
- Also - make sure remote mailbox has a correct primary smtp address

So, problem 2 - mail flow
- in Exchange Online - do you have a connector that handles mail flow from Office 365 to Exchange Onpremises? (Mail Flow - Connectors)
- if not, create one.
- this connector should point directly to your HUB transport server (mail1) NOT the IMSVA server (no, really - NEVER! :-) )
- make sure firewall accepts TCP25 to that server
- at last, look at Receive Connectors on MAIL1. I guess you have a receive connector for incoming anonymous emails. Is this one limited to the IP address of the IMSVA server? if so - add all of Microsoft's EOP email addresses (https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges)

- and (which I almost forgot) in Connectors - you can choose VALIDATE connector for the Office 365 to OnPremises connector. This will try to send an email to your on premises server from Exchange Online,
- and - finally, look at mail flow and message tracking in Exchange Online - look for failed messages and look at error messages received there.

phew .... ! with a history as a consultant, I struggle to keep answers simple and short. good luck.
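The "problem 1" checklist above (remote mailbox, RemoteRoutingAddress, SCP, then the Autodiscover redirect), as an added example that is not code from the thread or from Jakob. The third step is a scripted version of the "Test Email AutoConfiguration" walk-through: it POSTs the same POX request Outlook sends to the on-premises Autodiscover for a moved user and expects a redirectAddr answer pointing at the tenant's onmicrosoft.com address, which is what the GUI log should show. Assumed names: tenant contoso (routing domain contoso.mail.onmicrosoft.com, the form HCW-created remote mailboxes use; the plain contoso.onmicrosoft.com form from the post is accepted as well), accepted domain example.com, autodiscover.example.com published on the CAS, and user@example.com already moved. The Exchange cmdlets need the Exchange 2010 Management Shell; the probe uses System.Net.WebClient so it runs on the PowerShell 2.0 that shell loads.

```powershell
# Added example, not from the thread: on-prem side of the hybrid Autodiscover redirect.
# Assumed: tenant contoso, accepted domain example.com, user@example.com already moved.

$Tenant   = 'contoso'
$Domain   = 'example.com'
$AutoD    = "autodiscover.$Domain"
$TestUser = "user@$Domain"
$routing  = "^[^@]+@$Tenant(\.mail)?\.onmicrosoft\.com$"

# 1. SCP: domain-joined Outlook reads this from AD before any DNS lookup.
Get-ClientAccessServer | Select-Object Name, AutoDiscoverServiceInternalUri

# 2. Every moved user must be a remote mailbox with a usable routing address.
$bad = foreach ($rm in Get-RemoteMailbox -ResultSize Unlimited) {
    $problems = @()
    $rra = $rm.RemoteRoutingAddress.ToString().ToLower()
    if ($rra -notmatch $routing) { $problems += "RemoteRoutingAddress '$rra' is not a $Tenant onmicrosoft.com address" }
    # The routing address must also be one of the object's proxy addresses,
    # otherwise the redirect points at an address Exchange Online does not own.
    $proxies = @($rm.EmailAddresses | ForEach-Object { $_.AddressString.ToLower() })
    if ($proxies -notcontains $rra) { $problems += 'RemoteRoutingAddress is missing from EmailAddresses' }
    if ($rm.PrimarySmtpAddress.Domain -ne $Domain) { $problems += "primary SMTP domain is $($rm.PrimarySmtpAddress.Domain)" }
    if ($problems.Count -gt 0) {
        New-Object PSObject -Property @{ User = $rm.Alias; Problems = ($problems -join '; ') }
    }
}
if ($bad) { $bad | Select-Object User, Problems | Format-Table -AutoSize } else { 'All remote mailboxes look consistent.' }

# 3. Ask the on-prem Autodiscover about the cloud user, exactly as Outlook does (POX request).
$body = @"
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>$TestUser</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>
"@

$cred = Get-Credential   # any on-premises user; the lookup only has to authenticate
$wc = New-Object System.Net.WebClient
$wc.Credentials = $cred.GetNetworkCredential()
$wc.Headers['Content-Type'] = 'text/xml; charset=utf-8'
try {
    [xml]$reply = $wc.UploadString("https://$AutoD/autodiscover/autodiscover.xml", $body)
    $account = $reply.Autodiscover.Response.Account
    if ($account.Action -eq 'redirectAddr' -and $account.RedirectAddr -match $routing) {
        "OK: on-prem redirects $TestUser to $($account.RedirectAddr); Exchange Online answers from there"
    } elseif ($account.Action -eq 'settings') {
        "PROBLEM: on-prem still claims $TestUser as a local mailbox - check the remote mailbox object"
    } else {
        "Unexpected answer:`n" + $reply.OuterXml
    }
} catch { "Autodiscover POST failed: $($_.Exception.Message)" }
```

If step 2 reports nothing and step 3 prints the redirect, the on-premises half of the chain is fine and a still-disconnected Outlook points at the Exchange Online side (or at the client not being able to reach it); if step 3 returns settings, the mailbox move left an on-prem mailbox behind instead of a remote mailbox.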
> However, "xxxxxxx.com.hk" is not the primary email address for the migrated users. The captioned domain is only one of the accepted domains for our Exchange.

don't you register your primary smtp domain onpremise with O365?

> I tried rerunning the Hybrid Configuration several times, using "Exchange Classic Hybrid Topology" with "Enable centralized mail transport" checked or unchecked.

Centralized mail flow is different stuff and you don't require it unless security team forced you to do for compliance reason
IMSVA (antivirus/spam gateway) > Mail1 (CAS, Transport) --> Mail2

For the fully qualified domain name of my on-premises organization in the Hybrid Configuration, should I put the public domain name of IMSVA or of my CAS server?

On your confirmation, I will rerun the hybrid setup again.
Attached are the findings so far.
Log1.png
Log2.png
Log3.png
Log4.png
Log5.png
Seems like autodiscover fails. I have only added the MS SPF record to my DNS server so far.

Any further advice is appreciated. Thx again.
For autodiscover, last message is
Redirect check to https://autodiscover.xxx.mail.onmicrosoft.com/autodiscover/autodiscover.xml succeeded.
> For the fully qualified domain name of my on-premises organization in the Hybrid Configuration, should I put the public domain name of IMSVA or of my CAS server?

I am not sure about which public domain you are talking about

whatever domain you have primary onpremise same should be registered with O365 as well and your antispam gateway also should accept emails for that domain

So your MX is pointing to antispam device. right? and same is used for outbound messages, correct?

right now you are unable to receive emails in O365, correct?
In that case create a relay connector on the antispam device to route all emails to O365
Within O365 configure one internal relay connector which sends primary domain mail directly to the on-premises Hub Transport server when the user's mailbox exists on the on-premises Exchange server
This way emails first need to be routed to O365, since the antispam device is in between, and from O365, if the mailbox is on-premises, it will deliver them directly to the on-premises Exchange server, bypassing the antispam device. If you pointed to the antispam device again from O365, a loop would be created

You could have stated in the question at first that you have a separate antispam device in between
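The mail-flow side of both Jakob's "problem 2" list and Mahesh's routing advice just above (Office 365 to on-premises must go straight to the Hub Transport server and never back through the antispam device, and the Hub's anonymous receive connector must accept EOP's source addresses), as an added example that is not code from the thread or from either reply. Steps 1-4 need an Exchange Online PowerShell session (Connect-ExchangeOnline from the ExchangeOnlineManagement module); step 5 runs in the Exchange 2010 Management Shell, and its EOP range download needs PowerShell 3+ for Invoke-RestMethod (on a 2008 R2 box copy the list from the linked page instead). Assumed names: mail1.example.com is the published Hub/CAS name, MAIL1 the server name, example.com the accepted domain, postmaster@example.com a mailbox still on-premises. Cmdlet names are the Exchange Online ones; the Validate-OutboundConnector parameters are taken from the cmdlet reference and are an assumption here.

```powershell
# Added example, not from the thread: connector checks for hybrid mail flow.
# Assumed: mail1.example.com / MAIL1, accepted domain example.com, postmaster@example.com on-prem.

$OnPremHost = 'mail1.example.com'
$Domain     = 'example.com'

# --- Exchange Online session (steps 1-4) ---

# 1. Where does the Office 365 -> on-prem connector actually deliver?
$out = Get-OutboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' }
$out | Select-Object Name, Enabled, UseMXRecord, SmartHosts, TlsSettings, TlsDomain, RecipientDomains | Format-List
foreach ($c in $out) {
    if ($c.UseMXRecord) {
        Write-Warning "$($c.Name): routes by MX, i.e. back through the gateway (loop risk); expected -SmartHosts $OnPremHost -UseMXRecord `$false"
    } elseif (($c.SmartHosts -join ',') -notlike "*$OnPremHost*") {
        Write-Warning "$($c.Name): smart host is '$($c.SmartHosts -join ',')', expected $OnPremHost"
    }
}

# 2. The on-prem -> Office 365 connector identifies the sender by certificate name.
#    That has to be Mail1's certificate, which the antispam device cannot present.
Get-InboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' } |
    Select-Object Name, Enabled, RequireTls, TlsSenderCertificateName, SenderDomains, SenderIPAddresses | Format-List

# 3. Same test as the Validate button: EOP attempts a real delivery to an on-prem recipient.
foreach ($c in $out) { Validate-OutboundConnector -Identity $c.Identity -Recipients "postmaster@$Domain" }

# 4. Failed or stuck messages from the last 24 hours, newest first (detail is in the message trace).
Get-MessageTrace -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) |
    Where-Object { $_.Status -in 'Failed','Pending' } |
    Sort-Object Received -Descending |
    Select-Object Received, SenderAddress, RecipientAddress, Status, Subject | Format-Table -AutoSize

# --- Exchange 2010 Management Shell on MAIL1 (step 5) ---

# 5. Anonymous receive connectors on port 25: are RemoteIPRanges limited to the IMSVA address?
#    EOP's current source ranges come from the Office 365 endpoint web service behind the
#    page Jakob links; ranges not present need adding (Set-ReceiveConnector -RemoteIPRanges
#    @{Add='...'}) or a dedicated receive connector for EOP.
$eopRanges = Invoke-RestMethod "https://endpoints.office.com/endpoints/worldwide?clientrequestid=$([guid]::NewGuid())" |
    Where-Object { $_.serviceArea -eq 'Exchange' -and $_.ips -and (($_.tcpPorts -split ',') -contains '25') } |
    ForEach-Object { $_.ips } | Sort-Object -Unique
Get-ReceiveConnector -Server MAIL1 |
    Where-Object { $_.PermissionGroups -match 'AnonymousUsers' -and @($_.Bindings | Where-Object { $_.Port -eq 25 }).Count -gt 0 } |
    ForEach-Object {
        $have    = @($_.RemoteIPRanges | ForEach-Object { $_.ToString() })
        # exact string compare: a broad range such as 0.0.0.0-255.255.255.255 also covers them
        $missing = @($eopRanges | Where-Object { $have -notcontains $_ })
        "{0}: {1} remote ranges configured, {2} EOP ranges not listed verbatim" -f $_.Name, $have.Count, $missing.Count
    }
```

The warning in step 1 is the "can receive but cannot send" case from the thread when the connector is wrong in the other direction as well; a failed step 3 with an EOP error text, combined with a non-zero count in step 5, is the classic sign that the Hub only trusts the gateway's address.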
I mean the attached file asking for FQDN when running Hybrid setup.

Try my IMSVA gateway :  can't send email to internal users and outsider (eg. gmail.)
Try my CAS server         :  can send email to outsider but not internal users
Log6.png
Sorry, it's difficult to understand the exact issue without remoting in to your servers; some issue with connectors
Do we need to setup a Federated AD server ?

Current routing issues: users on the cloud can send email to outsiders but not to internal users if the FQDN points to my CAS server

If the FQDN setup to antispam gateway, no email can be sent out at all...
That is what I said, unless remoting I cannot figure out

else you can hire somebody