I upgraded my On-Premises Hybrid Exchange server recently, from Exchange 2016 to Exchange 2019. I remembered to add the new server onto the Office 365 send connector, but there was no mail flow between an on premises mailbox and an office365 mailbox?
Solution
This happens because, (even if you are using the same certificate on the new and old servers) the certificate that is used for TLS security between your on-premises Exchange server and Exchange online, does not get ’embedded’ properly on the send/receive connectors. You may see either (or both) of the following two problems.
Check The Office 365 Mail Flow
Log into Office 365 > Admin > Exchange Admin Center > Mail Flow > Connectors > Select the ‘Outbound’ connector > Validate this connector.
Herein lies the problem!
450 4.4.317 Cannot connect to remote server [Message=SubjectMismatch] [LastAttemptedServerName={on-prem-fqdn}] [LastAttemptedIP={on-prem-ip}}:25] [{outlook-FQDN}]
At first I thought the on-premises server was presenting the wrong cert for TLS, turns out it was not presenting a cert at all! You can check by executing the following command on the RECEIVE CONNECTOR;
If it returns no entry (like the image below), then you need to simply attach the correct certificate. To do that first get the ‘thumbprint’ of the correct certificate;
[box]
Get-ExchangeCertificate
[/box]
Copy the correct thumbprint, and embed it with the following commands;
This post continues from Part-One where we connected both our domain, and on-premises Exchange server to Office 365. Now we will add our public domain, and migrate our mailboxes.
Step 3 Adding Domains to Office 365
Before proceeding you will need administrative access to your public DNS records so you can create new records.
Log into Office 365 > Admin Console.
Add a domain.
Enter your public domain name > Next.
Now you need to create a ‘Text Record” in you public domain, the TTL does not really matter but the TXT value must match exactly.
As below, once created click (Verify).
Ill manage my own DNS records > Next.
We are only concerned with Exchange > Next.
STOP: These are the DNS records you need to create if you want everything to point to Office 365, DO NOT CREATE THEM if you want your mail to still get routed to your on-premises, and you want your Autodiscover to point there. I leave everything pointing to my on-premises server!
So I DON’T create the records (below) unless I’m about to decommission an on-premises Exchange server.
If you DID want all mail and auto discover to route to Office 365 that’s fine BUT change the SPF record that Microsoft gives you to include the public IP of your on-premises server of you may start getting mail blocked.
i.e.
Microsoft Suggests: “v=spf1 mx include:servers.mcsv.net ?all”
If you have made any public DNS changes, then before you do anything else, make sure mail continues to flow in and out of your on-premises Exchange organisation as it did before!
Step 4 Mailbox Migration
Log into Office 365 and locate a user to perform a test migration on, then allocate them an office 365 licence.
Then from the Office365 Admin Center > Recipients > Migration > Add > Migrate to Exchange Online > Remote move migration > Next.
Add in your ‘Test user’ > Next.
Supply your Exchange administrative credentials > Next.
Select an email address to be sent a migration report, Note: For the test migration I’m leaving it on ‘Manual Complete’ once Im happy I would select ‘Automatically Complete’ > New.
You can view a ‘hight level’ progress, or click the download link;
To view a more detailed report.
Note: You can connect to O365 PowerShell online, and view the migrations from command line like we normally do with an on-premises mailbox migration. See the following link;
This is Part-One of a migration from ‘on-premise’ Microsoft Exchange, to Office 365 (Exchange Online). I’m using my spare ‘test domain’ (.co.uk). And I’m using the 5 user E3 Office 365 subscription that the good folk at Microsoft let me have, as part of my MVP benefits.
Note: I’m using Exchange 2016, with a ‘full-hybrid’ migration into Office 365.
Step 1: Pre-Requisites
DNS: You will need access to the DNS records for your public domain, both to ‘prove’ it is your domain, and to divert mail flow, and client requests to Exchange online, rather than your on premise Exchange.
Licenses/Subscription: You need an office 365 subscription, and available licences for all the users you want to migrate. At time of writing the minimum subscription level that includes Exchange Online is E3. (Note that’s not strictly true, you do get Exchange online with E1, but you dont get any office products, so I’ve never seen an E1 licensed migration). You’ll need to have access to Office 365 with a ‘global administrator‘ account.
Backups: Not really a pre-requisite, but how are you going to backup your cloud mailboxes? As far as Microsoft is concerned, your online email gets deleted after its retention period, (amount of time after a user deletes it, i.e. up to 100 days). If your business continuity plan, requires you to keep mail ‘x‘ years, then you will need to think about Azure Backup, or a third party backup solution.
Existing Exchange: Unless you are going to use a third party migration tool, then your on premise Exchange needs to be at Exchange 2010. So if you’re still at Exchange 2007/2003/2000, then you need to either; 1) Upgrade your on-prem Exchange, 2) Do another on-prem migration before you start, or 3) Purchase a third part migration tool. Note: With Exchange 2007 you can add one Exchange 2010 Exchange server, then migrate.
Certificates: You MUST HAVE a certificate on your Exchange that is publicly singed by a third party certificate vendor. There’s no excuse to use self signed certificates these days, (for Exchange). For this exercise I bought a certificate for a year and it cost me less than ten dollars, thats half the price of a one users monthly licence for Office 365? WARNING even with a correctly setup PKI environment with publicly published CRLs etc, your own certificates wont work, and you wont find out what’s wrong, until you have migrated users, and carnage/downtime will ensue! BUY A CERTIFICATE: I’d recommend a wildcard cert for your public mail domain.
User UPN’s: I’ve already covered this before in the past, things will be a lot easier, if you change all your users UPN’s to match their Email addresses.
What most people fail to do is make sure both their AD domain, and existing Exchange is healthy, (just because everything appears to be working, doesn’t mean everything is healthy). Install the latest cumulative update for your on-premise Exchange server ,and dig into the logs to make sure everything is as it should be!
Mailbox Replication Proxy Service
MRS Proxy is at the same solution we use for ‘cross-forest’ mailbox migrations, and your on-prem Exchange will act as the MRS proxy for your mailbox migration. To enable MRS Proxy: Exchange Admin Center > Servers > Virtual Directories > EWS > Edit.
General > Enable MRS Proxy Endpoint > Save
You can also check the service is running, (Windows Key +R > Services.msc {Enter}).
Exchange 2010 Note: If you’re running Exchange 2010, you can enable MRS Proxy with the following PowerShell command;
[box]Set-WebServicesVirtualDirectory -Identity “EWS (Default Web Site)” -MRSProxyEnabled $true -MRSProxyConnections 50[/box]
Azure Active Directory Connector
You can download the Azure AD connector from Microsoft, it can be installed on any member server. It will replicate your users and groups etc, into Office 365. Download and execute the installer > Tick ‘I agree….’ > Continue.
Use Express Settings.
Note: You would only NOT use Express settings if you only wanted to replicate certain groups or sub domains, or if you wanted to use ADFS, (for example because you already had Azure secured services).
Provide your office 365 logon details > Next.
Provide logon details for your on-premise domain > Next.
You will probably only see your local domain, and it will be flagged ‘Not Added’ that’s fine, below you can see my public domain because it’s already been added to office 365, (I’ll cover that later) > Next.
Tick ‘Exchange hybrid deployment’ > Install.
Read and act on any warnings > Exit.
Note: If, (as above) it asks you to enable the ‘AD Recycle bin’, see the following post;