Today, Microsoft has made some quite big (and important!) announcements around the work they are doing to improve the experience for Hybrid Exchange customers. These announcements were all “dropped” during session BRK3155 (How to thrive as an organization in Exchange Online), and – for most – came quite unexpected. If there’s one piece of feedback I would give Microsoft, it would be to better align the title of such sessions to their content!
This being said, with everything that was mentioned, I figured it would be a good idea to summarize it all (without going into too much detail) in a short write-up. As time permits, I will go into more detail on each of these items later this week.
If you’re not interested in more information about each feature, and just care about the headlines, here’s what was announced:
Cross-premises delegation permissions (e.g. Send-on-Behalf, Calendar permissions, …) will be fully supported. Expected timeframe is Q1/2018. Fix for this is already rolling out in the service.
Microsoft is working to solve the Automapping problem in hybrid deployments. Fix is being rolled out and (Private) Preview starting soon.
In the future you will be able to remove the last Exchange server after having moved all mailboxes to the cloud. Plumbing for this has already started and expected to be released in the coming 12-18 months. Though with Microsoft, you never know!
Microsoft is working on allowing you to move mailboxes cross-tenant. The capability to do so has been demoed in the session, but more work is needed to offer a more holistic approach. This is important, because cross-tenant migrations entail more than just moving mailboxes. There’s mail routing, there’s other workloads and – perhaps most importantly – there’s the need for proper governance. None of which was discussed (or showed) at this time. The timeline for this capability is the coming 12-18 months. This means that 3rd-party vendors (like QuadroTech, BinaryTree) are still very much needed to facilitate such scenarios today. Microsoft isn’t just there yet. Future will tell how useful Microsoft’s capability will be and how 3rd-party vendors will adopt to enhance the experience even further.
To drive down complexity for hybrid deployments, a new hybrid solution backbone is being developed. This backbone which uses a “connector” will no longer require inbound connections (no more firewall ports to be opened) and is part of the solution for earlier new features. Think of the connector like an Azure App Proxy which uses the same principle (I wouldn’t be surprised that it’s a modified version thereof). Exchange Online will then, instead of using the “Public” Internet, route traffic to the connector through which it then makes its way to on-prem (outbound TCP443 connection). Timeline is in the next 6 months or so.
Send-As permissions are a bit harder to solve. This will require item 4 to be solved (which will probably require item 5 to be done too). However, once that is done, this scenario will be covered as well. Today, however, the workaround is to explicitly define permissions in both EXO/On-Prem (it works!).
Other news – not necessarily hybrid related – that was announced in this session:
Client Access Rules are coming to Exchange Online. These rules allow you to control how someone can access Exchange Online.
new On Send events allow you to create add-ins which can fire when someone sends a message (e.g. DLP, content inspection, classification etc.). Currently only for OWA. Outlook clients coming (much) later.
There’s plenty of exciting stuff coming in the next few months. For now, we will still have to work with the limitations that exist, but if you are in the planning phase for Hybrid Exchange, it might be worth keeping these announcements in the back of your mind.
As things unfold over the coming weeks and months, I will be covering a lot of the details here, and in the Office 365 for IT Pros ebook. Make sure to grab your copy here!
Just a few weeks ago, Microsoft announced a new feature in its line-up of hybrid Exchange capabilities: the Minimal Hybrid Configuration option. With the introduction of this new capability, Microsoft seems to have responded to a long-standing question from customers who can now move mailboxes to Office 365 without the need to deploy a ‘full’ Hybrid configuration.
Nothing but excellent news in the hybrid Exchange realm these days! Microsoft recently updated the support statement for cross-premises permissions in a hybrid deployment. As of now, Full Access delegate permissions are supported cross-premises. I know many customers will be delighted to hear this as this has been a big ask for quite some time now.
It’s important to understand that the support only applies to Full Access permissions, as stated here. Other permissions like Send-As, Receive-As or Send-on-Behalf are still not supported. Note that Microsoft is in the process of updating its documentation; you should see a more consistent message across TechNet over the next few days!
Although full access permissions have been reported to work intermittently, no cross-premises permissions were supported previously. As such, you could not rely on them working either. From what I understand, the plumbing was already in place for a while but the intermittent results were partially due to the Outlook client not honoring them quite as one would expect. Provided you have the November 2015 update to Outlook 2013, you should no longer run into any problems.
As you move mailboxes to Office 365, permissions are migrated along. If you already had permissions assigned before the move, there is nothing you need to do. Although the permissions were also migrated previously, you had to move connected mailboxes at the same time so they would be hosted in the same organization in order for them to work. Not too long ago, I was talking to a customer who started out with a handful of mailboxes to move to Office 365 but ended up with a huge migration batch because of the interweaved permissions… As of now, this is no longer needed, making planning for migration batches a lot easier!
You should now also be able to add the Full Access permissions after mailboxes have been moved. This means you can give an on-premises mailbox access to a mailbox in Office 365 and the other way around without having to set the permissions prior to moving the target mailbox to Office 365.
In order to explain things more clearly, I have put together a Q&A. I hope this helps!
What cross-premises permissions are supported in a hybrid deployment today?
Full Access only. Other delegate permissions like Send-As, Receive-As or Send-on-Behalf are not. There are no changes to cross-premises calendar delegation either. That continues to work the same way it did before.
Will the permissions work both ways?
Yes. On-premises mailboxes can access Office 365 mailboxes and vice versa.
What do I need to do to make this work?
Nothing, really. Just make sure you are using an up-to-date Outlook client. For Outlook 2013, this means you need at least the November 2015 Cumulative Updates. Needless to say, the more up-to-date you are, the better!
In order to add permissions for a recipient in the other organization, you can either use PowerShell or the Exchange Admin Center. Unlike the EAC in Office 365, you cannot use the on-premises EAC to grant an Office 365 mailbox access to an on-premises mailbox. For that you must revert to using PowerShell.
How do I add permissions to an Office 365 mailbox for an on-premises recipient?
Follow these steps to add Full Access permissions to an Office 365 mailbox for an on-premises recipient:
Login to the EAC in Office 365 (Exchange Online)
Navigate to recipients > mailboxes and then select properties of the mailbox you want to add Full Access permissions for.
In the properties window, navigate to mailbox delegation
Scroll down to you get to the Full Access From there, use the recipient picker (plus-sign) to add the on-premises mailbox you wish to grant permissions to:
How do I add permissions to an on-premises mailbox for an Office 365 recipient?
As mentioned earlier, you cannot use the EAC to add permissions for an Office 365 recipient. Instead, you must use the on-premises Exchange Management Shell. Don’t worry it’s quite simple!
Unlike for permissions in the same environment, the AutoMapping feature is not supported. Hence why I specified the –AutoMapping $false parameter. I suspect the permissions to work without adding the parameter too!
What will my users see?
There is no difference in how Outlook displays an Office 365 mailbox over an on-premises mailbox you have access to. However, an on-premises user might get prompted for credentials when trying to access a mailbox in Office 365. This is because, in the back, the Outlook client must establish a connection with the Office 365 service first.
How that looks, depends on a number of things like the version of the Outlook client, whether you use Modern Authentication and whether or not they already have another Office 365 mailboxes in their Outlook profile.
Yesterday, Microsoft announced they released Azure AD Connect and Azure AD Connect Health to the public.
Azure AD Connect can be seen as the successor to DirSync/AADSync, with an added edge. It does not only allow you to configure directory synchronization, but the wizard also allows you to automatically setup and configure Active Directory Federation Services instead of having to go through the motions manually.
The GA of the tool has been long awaited and it’s great to finally see it become available for everyone. Make sure to check back in the weeks to come as I will more than likely be posting some articles on what’s new and how to deal with the tool.
You can read the original announcement here. If you want to skip the ‘boring’ stuff and get going straight away, you can get the tool from here.
As mentioned before, the purpose of this article series is to explore 3rd-party federation solutions that work with Office 365 and which can be an alternative to a Windows’ built-in ADFS server role. In this first article however, I will be discussing a solution which is somewhat different from the others that I will be looking into.
In fact, this solution is not really very different from a regular deployment. The company behind this solution is Celestix, whom have made their name with similar approaches for TMG, UAG and before that ISA servers. This time around, they [Celestix] have made an ADFS appliance out of a ‘regular’ Windows Server 2012 R2 machine. Through a custom web page, which is built into the appliance as a service in Windows, you have the ability to easily configure ADFS and DirSync by following a couple steps in the “Quick Setup Wizard”. Under the hood, the wizard will configure Microsoft’s implementation of ADFS and DirSync for you.
(the appliance’s web portal)
For this article series, Celestix was so kind to send me a (test)example of their A-Series (3400) appliance which is targeted at small to medium-sized organizations. The appliance is built on top of an Intel i5 CPU with a total of 8GB of RAM. Based on my experiences in the field, this ought to be more than enough for most (smaller) environments. There’s also a larger model which – by taking a look at the specs – is targeted more at the enterprise level. The CPU is upgraded to an Xeon E3 and comes with 16GB of RAM. More importantly though, the big brother (A-6400) comes with 2 redundant hot-swappable hard drives and powers supplies, whereas its little brother doesn’t have any of that.
It’s safe to assume that an appliance would cost anywhere between $ 4,000 and $ 5,000 (but don’t hold me to that!). For that kind of money – even though it includes the license for Windows too – it would be nice to have had at least a redundant hard drive; just for peace of mind. But then again, not many vendors offer that with their entry-level models.
(unboxing the appliance)
Celestix also has a solution for the ADFS Proxy role, which is built into their E-Series “Cloud Edge” appliance. I haven’t tested that appliance myself, but I can only assume it operates in a similar way as the A-Series. If you want a highly available setup, you will have to purchase at least 4 devices –just like you would do for a regular Windows-based ADFS setup; 2 Cloud Edge devices (to replace the ADFS proxy servers) and 2 A-Series appliances for the ADFS servers.
It is true that you could setup a (virtual) machine yourself and go through the configuration just as easy –that is if you know the steps to execute. But on the other hand, the configuration of ADFS in Windows Server 2012 R2 has become quite easy to do. On top of that, Microsoft is putting quite a bit effort into making it even more easy through e.g. Azure AD Connect; a solution which lets you configure DirSync and AD FS through a wizard. And that solutions comes for “free”… (although nothing is truly free; there’s always some overhead to take into account). Another thing I’m a little “worried” about is the device’s ability to upgrade specific software components. Right now, the appliance is equipped with ‘regular’ DirSync (not AAD Sync). If you are not looking to configure a multi-organization hybrid deployment or if you don’t have multiple forests, this should not be a problem at this very moment. But on the other hand, Microsoft has already mentioned that AAD Sync is the successor to DirSync which means the latter will disappear at some point.
It will be interesting to see how Celestix will deal with the upgrade to AADSync on the same appliance. As you might know, there is no in-place upgrade and switching from the one to the other is (sometimes) a little daunting. The current guidance for the upgrade is to uninstall DirSync and then install AADsync, at least – that’s the theory! And we all know how theories work in real life… When I spoke with the Celestix folks, they told me they were already working on figuring out a way to deal with this and they are also working on a version of their appliance that comes with AAD Sync out-of-the box.
A good thing about this appliance – unlike most other appliance – is that you have full control over the underlying operating system: you can RDP into it at any time and make changes where needed – of course, within the guidance of the vendor! But when it comes to ADFS or DirSync, this means that you could implement custom ADFS Claim Rules or configure some filtering rules. Unfortunately, there is no web interface for that.
One thing which I didn’t particularly like is how one would deal with high availability – but that might be a personal thing. When purchasing multiple devices, the web interface allows you to start the Windows Network Load Balancin management interface to setup an array and include multiple appliances. While NLB might work just fine, I’m not particularly fond of it. Also, the web interface launches the Windows NLB console; there’s no built-in wizard which guides you through the setup. I would have loved to see this feature be developed a little more – for instance including a wizard which sets up Windows Network Load Balancing, or which includes additional health checks over the built-in TCP connection-based health check. It is do-able, there are even some code samples that you can find on the internet: http://msdn.microsoft.com/en-us/library/cc307934(v=vs.85).aspx
I’m not saying it’s easy per se, but it would provide a lot of value for the audience which I think would benefit most from these kind of appliances.
Configuring AD FS & DirSync
Now that we’ve discussed the device a little, let’s take a look at home to start configuring it.
After having it connected to the network, I used the dial button on the device to do the basic networking configuration (assigning IP address etc). The configuration itself went fairly easy, but I was unable to connect to the device afterwards. It left me baffled for a moment, but after rebooting the appliance, I could connect to the web interface just right.
The first thing that I noticed is how clean the interface is. It’s particularly easy to navigate, and I had no problems finding what I needed. Through the Start menu-item, you can launch the Quick Setup Wizard where you immediately get the opportunity to join the machine to the domain.
Next up is a (mandatory) reboot, just like you would expect when joining a Windows machine to a domain:
After each reboot, the wizard will automatically continue where it left off. The next step is to start configuring ADFS. I chose to configure ADFS in the most simple way possible, using the built-in Windows Internal Database:
Oddly enough, the appliance does not allow you to generate a CSR. This means that you already have to have exported the certificate (with public key) before. It’s not a big deal, but it would have been nice if one could really work ‘from scratch’ here:
I chose the easy route: using Windows’ built-in database. The wizard also allows you to integrate with an existing SQL server – which is a requirement/recommendation for larger deployments:
Just like the wizard in Windows, you get a summary before firing of the wizard which will configure AD FS.
For those who have setup AD FS in Windows Server 2012 R2 before, you will notice that the wizard which Celestix uses is very similar: all the steps in this wizard are also the ones that you have to step through when configuring a Windows ADFS server.
It takes a few minutes to setup AD FS. Once this is done, you can go back to the wizard, which will then give you the option to configure “Office 365 Integration”. This means as much as: setup DirSync.
Next, you have to enter the Office 365 (Global Administrator) credentials, and you choose which domain you want to federate:
At this point, the appliance was giving me a hard time. It wouldn’t continue and displayed the following error message. As any administrator would do, I restarted it and was able to move on.
On the next page, I was able to specify some settings for DirSync. If you have setup DirSync manually before, I’m sure you will recognize them:
And that was it. After clicking “Next”, DirSync ran and I was able to successfully logon using ADFS:
The ADFS login-page. Just as you would expect:
What I particularly like about this solution is that it has some built-in reports. This can be very useful as the built-in AD FS roles does not come with that capability and looking for the right events in the Event Viewer can be time-consuming (unless you have already some reporting solution / PowerShell script that does that for you).
The first report is the ADFS Activity Report which gives you more information about the current authentication requests etc. I’ve simulated some failed logons and they showed up promptly (and correctly) in the interface:
The second report is more of a health statistics page. It will tell you if the required components are running and display some statistics about general usage.
The beauty of these reports are their simplicity. Unfortunately, I have not found a way to configure an alert when multiple failed logons occur. I was assured by Celestix that this is something they are working on for the future, and I welcome that. It would be really helpful if the right people in the organization would get a message when you might be under attack (or when just “more than usual” failed login attempts happen…).
In order not to go overboard with this article, there are some features (which are less important to the “ADFS Aspect” of the appliance) that I did not discuss. For instance, the web interface allows you to restrict access through the device’s Jog Dial (by configuring a password) and
I really liked the appliance, though I cannot speak to its performance and operations over time. Aside of some occasional hiccups (i.e. having to reboot the appliance through the wizard), I’ve had no problems configuring and getting it to work in a matter of a little more than one hour. Given that this is a v1-version, I trust these little wrinkles will sort themselves out shortly.
All things considered, some might find value in such an appliance, others might not. It all depends on what you are looking for. Personally, I don’t think there’s much value to be found if you are looking something to “replace” your AD FS servers with. However, if you take into account the (childishly) easy web interface and the built-in reports or if you have a small deployment and do not want the burden to manage additional servers, it might be a different story!
Stay tuned as in the next part of this article series, I will be discussing Okta for Office 365!
To make a long story short, if Outlook Anywhere is disabled at the user level, Autodiscover does not return the External EWS URL which is required to make the Free/Busy call.
The solution is as simple as the problem itself: re-enable Outlook Anywhere for the user and you would be fine. Of course, this might – depending on your environment – be a little challenging. This being said, however, I do suggest that you configure and (if possible) use Outlook Anywhere as it will make your life easier down the road (e.g. for migrations to Exchange 2013).
A few days ago, Microsoft released Cumulative Update 6 for Exchange 2013 to the world. There used to be a time where Exchange server updates were fairly safe. However, pretty much like in every other Cumulative Update for Exchange 2013, this one also includes some bugs which break functionality in one way or another. While one would say that it starts to become painful for Microsoft, I’m starting to believe it’s more of a joke.
Exchange Server MVP Jeff Guillet was the one to first report the issue. As it turns out, the Hybrid Configuration Wizard in CU6 runs just fine, but some of the features (like initiating a mailbox move from the on-premises EAC or the ability to switch between the on-prem/cloud EAC) no longer work. Although the scope of the break is somewhat limited (it only applies to customers in a hybrid deployment), one could argue it’s an important focus area for Microsoft – especially given that it’s cloud-related. Microsoft has been trying really hard (with success, may I add) to promote Office 365 and get customers to onboard to “the service”. As such, I find it really surprising that it’s the n-th issue related to hybrid deployments in such a short time. In Cumulative Update 5, the Hybrid Configuration Wizard is broken and now there’s this.
Needless to say, you are warned about deploying Cumulative Updates into production. Pretty much every MVP which announced the Cumulative Update made the remark that you should better test the update before deploying it. I would say this is a general best-practice, but given the history of recent Exchange Server updates, I wouldn’t dare to deploy one without thoroughly testing it.
This brings me to another point: what happened to testing, Microsoft? I understand that it’s impossible to test every customer scenario that you can find out there, but how come that pretty obvious functionalities like these manage to slip through the cracks? If it were a one-time event, I could understand. But there’s a clear trend developing here.
Running a service like Office 365 is not easy. More so, the cadence at which the service evolves can be really scathing. On-premises customers have been struggling to keep up with the updates that are being released in the cloud, but it seems that Microsoft itself is having a hard time to keep up too.
On a final note, I’m wondering what customers with a hybrid deployment should do. According to Microsoft support guidelines, hybrid customers are requested to stay current with Exchange Server updates. But given that this is now two consecutive update that are causing problems, one might start to wonder if it’s not better to stay at CU4 as it was the last CU which did not have any hybrid issues…
I imagine that Microsoft is working hard on a fix for this issue, even during a holiday weekend… Let’s wait and see what happens early next week!
Until then, I would hold off on deploying CU6 and revert to using CU5 with the interim update which fixes the HCW bug or – if you don’t like IUs – stick to CU4/SP1.
Recently, I got asked to assist with a Hybrid Configuration Wizard which was failing with the following error message:
Updating hybrid configuration failed with error ’Subtask NeedsConfiguration execution failed: Configure Mail Flow Default Receive Connector cannot be found on server <server name>. at Microsoft.Exchange.Management.Hybrid.MailFlowTask.DoOnPremisesReceiveConnectorNeedConfiguration() at…
Although the message might not reveal much information at first sight, it does contain everything we need to start troubleshooting. Typically, I would suggest you go and have a look into the Hybrid Configuration Wizard log files (located in the logging\Update-HybridConfiguration folder), but the only thing you would find there is the exact same error message.
First, we know that the HCW is trying to configure the hybrid mail flow and that it failed trying to modify the default connector that’s in place. More specifically, it was trying to modify the receive connector on the server that’s specified in the error message.
In this particular case, it wasn’t even able to find the Default Receive Connector. However, when you run the Get-ReceiveConnector -Server <servername>, the receive connector does show up. How is this possible?
The Hybrid Configuration Wizard looks at more specifics than just the existence of the connector. In fact, it will check that the connector’s configuration is valid as well. As such, it will check the bindings on the connector and expect that both bindings for IPv4 and IPv6 are present. So to check whether your existing connector is valid, you should run the following command:
In this particular case, the IPv6 bindings were missing. This was caused because IPv6 was disabled on the server (which shouldn’t be!). Re-enabling IPv6 and then either manually adding the binding to the connector or re-creating the connector solved the issue.
The morale here is that you shouldn’t disable IPv6 on an Exchange 2013 box. Even more so, it’s not supported if you do. I’ve seen companies that still disable IPv6 by default; maybe a remainder from earlier times where disabling IPv6 would actually solve issues instead of creating them. However, times have changed and the IPv6 implementation in Windows is much better now…
As posted here, Microsoft today released Cumulative Update 5 for Exchange 2013. At first sight, this update doesn’t appear to make lots of changes – at least not visibly. However, it does contain a lot of fixes and, as you will find out, there have been some changes to the Hybrid Configuration Wizard as well.
New options in the Hybrid Configuration Wizard
Whenever you enable an organization for a hybrid deployment in CU5, you will find the following new option:
21Vianet is Microsoft’s partner which offers Office 365 in China. You could say that they “host” Office 365 for Chinese customers as outlined in this Press Release
MRS Proxy now configured automatically
This is one of my personal asks for quite a long time now. Although the HCW already did an excellent job configuring all the components for a hybrid deployment, it did not enable the MRS Proxy on the Exchange Web Services Virtual Directory. Even though you could do it yourself with only a single command, I’m a big fan of having the HCW take care of this. It’s one less thing you can forget yourself!
OAuth now configured automatically
You’ll also notice that towards the end, the Hybrid Configuration Wizard will now prompt you to configure oAuth automatically:
The wizard will then automatically redirect you to a webpage where you’ll be asked to start the configuration (again):
Once you click configure, you will be asked to download an application which will automatically configure oAuth for you. Because it seems to be browser-integrated, you cannot run this step from a computer other than your Exchange Server and then copy over the executable. Beware and make sure that you run the HCW from the Exchange server itself instead from a remote workstation, like I tried the first time…
Once the first application was downloaded, you’ll be asked to run it:
Note: make sure that *.configure.office.com is added to your trusted sites or that you at least allow content to be downloaded from that website.
Then, after this first application ran, you’ll be prompted for an identical, second, application. Only this time the application (or assistant, if you will) will be a bit bigger: 22.2 MB instead of 18MB.
Once the second assistant completed successfully, you’ll see the following:
Note The configuration of the Intra-Organization Connector is the only thing that’s already handled by the Hybrid Configuration Wizard itself.
It’s definitely a good thing this is now done automatically. However, I would love to see it be more integrated with the HCW. At the moment, these changes don’t show up in the Hybrid Configuration Wizard logs.
It was already clear that Microsoft is moving forward with oAuth; potentially to replace other technologies currently used in Hybrid deployments. Personally, I wouldn’t be too surprised to see oAuth take over the duties from Microsoft’s Federation Gateway in the future. Not sure if this will actually happen, but it seems like a good thing. If you have ever been in a discussion with a pesky security administrator you would understand why… But don’t expect that to happen in a few months’ time though – as long as Exchange 2010 is officially supported, I reckon Microsoft will have to keep the MFG around.
It’s surely a good thing to move forward with oAuth as it has the potential to solve some long-standing issues regarding the handling of authentication and security in a cross-premises scenario like a hybrid deployment.
As part of a hybrid Exchange server deployment, you also deploy the so-called Hybrid Server(s). The name itself might be a little misleading though. After all it’s not some sort of new Exchange server role, nor is it an Exchange server that you deploy specifically to be able to configure a hybrid environment – at least not if you’re already running Exchange 2010 or Exchange 2013 on-premises.
In fact, once you configure a hybrid environment, every Exchange Server in your environment becomes part of that hybrid deployment and will perform one, or more, functions in that regard. However, when referring to Hybrid Exchange servers, we actually mean the Exchange servers which are directly involved in hybrid functions. More specifically these will be the servers that you select during the Hybrid Configuration Wizard.
Exchange 2003 / 2007
If you have still Exchange 2003 on-premises (shame on you!), than your only option is to deploy at least one Exchange 2010 SP3 server and use that one to setup a hybrid deployment. The reason why you have to use an Exchange 2010 server is because Exchange 2013 cannot coexist with Exchange 2003.
Once you installed the Exchange 2010 server, it is the only server capable of understanding the hybrid logic; and therefore considered to be the Hybrid Server. There’s also another reason why a server would be referred to as your Hybrid Server, but more about that later when we’ll talk about the free Hybrid Server license key.
Hybrid Server License Key
Microsoft offers eligible customers free Hybrid Edition/Server licenses. Yes, indeed: multiple licenses if needed. In fact, you’ll get a single license key which you are allowed to deploy on multiple Exchange servers, for as long as you abide to the license requirements. This allows you to maintain high availability – also for hybrid functionality.
The license requirements tell you that you cannot use these ‘dedicated’ Hybrid Servers for anything else but that: you should not host any mailboxes on them. If you do, you are required to purchase a proper Exchange Server license. Once you assigned a Hybrid License to an Exchange server, that server also becomes a Hybrid Server in the pure sense of the word.
Hybrid Server Placement
When you are doing things by the book, introducing a new Exchange Server version could be a rather disruptive action. First, you have to prepare your environment for it (Active Directory schema updates etc) and then, once you have deployed the server, you are expected to point all client access traffic to it. This means that you will have to consider all the things involved with setting up coexistence. In smaller environments this might be a trivial task, but the larger the environment gets, the bigger the implications might be.
Although I prefer this approach (“by the book”), there are times where this isn’t appropriate. Even more, doing this might cause all sorts of issues which you might want to avoid – especially if you’re just looking for a quick way to move to the cloud. If so, the placement of the Hybrid Exchange can become a game changer.
One approach that I have used in the past is to install the new server into the Exchange organization and provide it with its own hybrid namespace. This hybrid namespace is nothing more than a dedicated namespace for hybrid functionality. By doing so, I prevent having to point client access traffic to the new servers and possibly disrupt my existing environment. I can then use the Hybrid Server(s) only for mailbox moves, hybrid mail flow etc.
Multiple Internet-Connected sites
One of the tasks of hybrid servers is to facilitate mailbox moves to and from Exchange Online. The endpoint that you use for mailbox moves is normally discovered automatically using AutoDiscover. However, sometimes you might want to use Exchange Servers in a different location to perform the mailbox move. One of the reasons why you would want to do this is because that other server is maybe closer to the mailbox or it might have more bandwidth available.
When you want to use other internet-facing Exchange servers for mailbox moves, you must make sure that the MRS Proxy is enabled on those internet-facing servers. You can enable the MRS Proxy on each of these servers by executing the following command:
Secondly, you could specify a new migration endpoint using PowerShell. This will allow you to pick your desired endpoint from the Mailbox Migration wizard as well (see image below). You can create new migration endpoints through PowerShell, using New-MigrationEdpoint cmdlet.
Once you have defined multiple migration endpoints, this is how it looks like in the GUI:
One thing to note here is that – regardless of the amount of migration endpoints you create – the sum of value of the “MaxConcurrentMigrations” attribute for all endpoints cannot exceed 100. The default endpoint (created automatically) will already have that set to 100. So make sure that you modify that first before creating additional endpoints.
The following image depicts the primary endpoint (outlook.domain.com) and the new secondary (and manually created) endpoint “migrationendpoint2.domain.com”:
Alternatively – if you don’t want to create additional endpoints or you plan on using that endpoint only once – you can create the move requests with PowerShell and specify the –RemoteHostname parameter manually.
Either approach outlined above should work just fine. Which one you choose greatly depends on your current deployment and the effort that goes with introducing a newer Exchange version into your environment. Whenever possible, try to take the by-the-book approach as it might save you some headaches further down the road.