Pages

Friday, 22 April 2016

Setting up a hybrid Exchange 2010 environment with Exchange Online (Office 365)

We will need to ensure a few-prerequisites are met:

- Exchange 2010 should be running SP3
- Ensure your current exchange environment is accessible externally (can verify using the Remote Connectivity Analyzer)

We will firstly setup dirsync (now Azure AD Connect) between our on-premise environment and Azure:

Download and install: Azure AD Connect

** During the installation of Azure AD Connect ensure 'Exchange hybrid deployment' is selected under 'Optional Features. ***'

Download and install the Azure Powershell addon

Download and install Microsoft Online Services Sign-In Assistant for IT Professionals RTW 

Download and install Azure Active Directory Module for Windows PowerShell (64-bit version)

Once installed launch PowerShell with administrative privileges and import the Azure model:

Import-Module Azure

authenticate yourself with:

$login = Get-Credential

and connect to Exchange Online:

Connect-MsolService -Credential $login

and enable dirsync:

Set-MsolDirSyncEnabled -EnableDirSync $true

We should proceed by hooking up our Exchange Online environment with our on-premis install.

** Note: I have had problems sometimes connecting this way and received the following message:

Format of the Exchange object version is wrong parameter name: ExchangeBuild

Apparently Microsoft is working on a 'fix' for this - but they haven't provided any update now since late February - so please refer to below:

I had to obtain the Office 365 Hybrid Wizard and run it on the local Exchange server instead:

http://aka.ms/HybridWizard

(Run the above link from Internet Explorer - not Chrome, Firefox etc..)

After launching the wizard enter your local Exchange details (i.e. a user in the 'Organizational Management' security group.)

You will then need to enter a TXT record on your domain's zone file / DNS for verification of ownership of your domain name.

Configure the HUB transport service and specify the external IP address you would like to use to communicate with the Exchange Online service.

** Note that you should update your firewall ruleset in order to allow the Exchange Online group of IP's to communicate with the above IP - more info can be found here: https://support.office.com/en-gb/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2#BKMK_EXO

I encountered the following error at the last hurdle:

HCW8073 - 
PowerShell failed to invoke 'Set-EmailAddressPolicy': The recipient policy "Default Policy" with mailbox manager settings cannot be managed by the current version of Exchange Management Console. Please use a management console with the same version as the object.

This was because the email policy had not been upgraded when migrating from an older version of Exchange. The specific feature causing problems is the 'Mailbox Manager' (now defunct in later versions of Exchange.) To fix this we should refer to the following article and then run the following command to upgrade our email address policy:

Get-EmailAddressPolicy | where {$_.RecipientFilterType –eq “Legacy”} | Set-EmailAddressPolicy –IncludedRecipients AllRecipients

After this I re-ran the configuration wizard and it finally went though.

Launch the Exchange Management Console and review the Send Connectors and Receive Connectors - you should notice that there are two Office 365 connectors (inbound and outbound.)

Ensure you have included all of the whitelisted hosts on the receive connector in your firewall config! 

Also ensure that your firewall will allow outbound access to EOP (Exchange Online Protection) as this is what your send connector will use - the IP's are here.

If you are sharing a domain between your on premis environment and Exchange Online (i.e. both have @domain.com addresses) we need to ensure that the 'remote domain' entry for the domain under the 'Office 365 Tenant' domain tab has 'Use this domain for my Office365 tenant' ticked.

We should also ensure the 'accepted domain' entry for the domain is 'Internal Relay' if it is a shared domain.

We can now create a new user in our Exchange Online Administration Portal - so go and login to your Office 365 portal and then go to Users >> Active Users >> New User and once the user is created - select it and hit the 'Assign Licenses' from the right hand navigation pane and select 'Exchange Online.'

Now proceed to go to Admin >> Exchange to launch the Exchange admin center and then go to: Recipients >> and you should now see your new user.

We can quickly propagate settings across our on-premise and Office 365 with the following commands (make sure you run this with administrative privileges!):

$OnPremisesCreds = Get-Credential
$TenantCreds = Get-Credential

Update-HybridConfiguration -OnPremisesCredentials $OnPremisesCreds -TenantCredentials $TenantCreds

To view federation information for your domain we can issue:

Get-FederationInformation yourdomain.mail.onmicrosoft.com

and to view organizational relationships we can issue:

Get-OrganizationRelationship

We can connect to our Exchange Online tenant via PS like follows:

$session = New-PSSession -ConfigurationName:Microsoft.Exchange -Authentication:Basic -ConnectionUri:https://ps.outlook.com/powershell -AllowRedirection:$true -Credential:(Get-Credential)

Import-PSSession $session


No comments:

Post a Comment