December 21, 2024
040718_2002_MigrateExch3.png
The process described mainly focuses on a typical transition of Exchange services to Office 365 environment, converting the Exchange servers to Office 365 CAS role, HUB role and MBX role. Additional role options such as the Unified Messaging Server role and Edge Transport role, are out-of-scope within this document.

Today, my client asked me to provide MOP (Method of Procedure) to them, the MOP will help to migrate their exchange services to Office 365. I am going to do multi-post and let you know how to migrate your exchange services to Office 365 via step by step.

The process described mainly focuses on a typical transition of Exchange services to Office 365 environment, converting the Exchange servers to Office 365 CAS role, HUB role and MBX role. Additional role options such as the Unified Messaging Server role and Edge Transport role, are out-of-scope within this document.

Let’s start on part 1 for pre-requisites, add on-premises domain to office 365 and deploy certificate to ADFS (optional).

Prerequisites

On-premises Exchange organization

On-premises

environment

Exchange 2016-based hybrid deployment Exchange 2013-based hybrid deployment Exchange 2010-based hybrid deployment
Exchange 2016 Supported Not supported Not supported
Exchange 2013 Supported Supported Not supported
Exchange 2010 Supported Supported Supported
Exchange 2007 Not supported Supported Supported

On-premises Exchange releases

Hybrid deployments require the latest cumulative update or update rollup available for the version of Exchange you have installed in your on-premises organization. If you can’t install the latest cumulative update or update rollup, the immediately previous release is also supported. Older cumulative updates or update rollups aren’t supported.

On-premises server roles

On-premises

environment

Requirement
Exchange 2010 At least one server with the Mailbox, Hub Transport, and Client Access server roles installed. While it’s possible to install the Mailbox, Hub Transport, and Client Access roles on separate servers, we strongly recommend that you install all of the roles on each server to provide additional reliability and improved performance
Exchange 2013 At least one server with the Mailbox and Client Access server roles installed. While it’s possible to install the Mailbox and Client Access roles on separate servers, we strongly recommend that you install both roles on each server to provide additional reliability and improved performance
Exchange 2016 and newer At least one server that has the Mailbox server role installed

Office 365

Hybrid deployments are supported in all Office 365 plans that support Azure Active Directory synchronization. All Office 365 Enterprise, Government, Academic and Midsize plans support hybrid deployments. Office 365 Business and Home plans don’t support hybrid deployments.

Custom domains

Register any custom domains you want to use in your hybrid deployment with Office 365. You can do this by using the Office 365 Administrative portal, or by optionally configuring Active Directory Federation Services (AD FS) in your on-premises organization.

Active Directory synchronization

Deploy the Azure Active Directory Connect tool to enable Active Directory synchronization with your on-premises organization.

Autodiscover DNS records

Configure the Autodiscover public DNS records for your existing SMTP domains to point to an on-premises Exchange 2010 (2013) Client Access server.

Office 365 organization in the Exchange admin center (EAC)

The Office 365 organization node is included by default in the on-premises EAC, but you must connect the EAC to your Office 365 organization using your Office 365 administrator credentials before you can use the Hybrid Configuration wizard. This also allows you to manage both the on-premises and Exchange Online organizations from a single management console.

Certificates

Install and assign Exchange services to a valid digital certificate purchased from a trusted public certificate authority (CA). Although self-signed certificates should be used for the on-premises federation trust with the Microsoft Federation Gateway, self-signed certificates can’t be used for Exchange services in a hybrid deployment. The Internet Information Services (IIS) instance on the Exchange servers configured in the hybrid deployment must have a valid digital certificate purchased from a trusted CA. Additionally, the EWS external URL and the Autodiscover endpoint specified in your public DNS must be listed in Subject Alternative Name (SAN) of the certificate. The certificate installed on the Exchange servers used for mail transport in the hybrid deployment must all use the same certificate (that is, they are issued by the same CA and have the same subject).

Hybrid deployment protocols, ports, and endpoints

Hybrid deployment features and components require certain incoming protocols, ports and connection endpoints to be accessible to Office 365 in order to work correctly. Before configuring your hybrid deployment, verify that your on-premises network and security configuration can support the features and components in the table below.

Transport Protocol Upper Level Protocol Feature/Component On-premises Endpoint On-premises Path Authentication Provider Authorization Method
TCP 25 (SMTP) SMTP/TLS Mail flow between Office 365 and on-premises Exchange 2016 Mailbox/Edge

Exchange 2013 CAS/Edge

Exchange 2010 HUB/Edge

N/A N/A Certificate-based
TCP 443 (HTTPS) Autodiscover Autodiscover Exchange 2016 Mailbox

Exchange 2013/2010 CAS

/autodiscover/autodiscover.svc/wssecurity

/autodiscover/autodiscover.svc

Azure AD authentication system WS-Security Authentication
TCP 443 (HTTPS) EWS Free/busy, MailTips, Message Tracking Exchange 2016 Mailbox

Exchange 2013/2010 CAS

/ews/exchange.asmx/wssecurity Azure AD authentication system WS-Security Authentication
TCP 443 (HTTPS) EWS Multi-mailbox search Exchange 2016 Mailbox

Exchange 2013/2010 CAS

/ews/exchange.asmx/wssecurity

/autodiscover/autodiscover.svc/wssecurity

/autodiscover/autodiscover.svc

Auth Server WS-Security Authentication
TCP 443 (HTTPS) EWS Mailbox migrations Exchange 2016 Mailbox

Exchange 2013/2010 CAS

/ews/mrsproxy.svc Basic Basic
TCP 443 (HTTPS) Autodiscover

EWS

OAuth Exchange 2016 Mailbox

Exchange 2013/2010 CAS

/ews/exchange.asmx/wssecurity

/autodiscover/autodiscover.svc/wssecurity

/autodiscover/autodiscover.svc

Auth Server WS-Security Authentication
TCP 443 (HTTPS) N/A AD FS (included with Windows) Windows 2008/2012 Server /adfs/* Azure AD authentication system Varies per config.

On-premises Active Directory

  • The AD schema version and forest functional level must be Windows Server 2003 or later. The domain controllers can run any version as long as the schema and forest level requirements are met.
  • If you plan to use the feature password writeback, then the Domain Controllers must be on Windows Server 2008 (with latest SP) or later. If your DCs are on 2008 (pre-R2), then you must also apply hotfix KB2386717
  • The domain controller used by Azure AD must be writable. It is not supported to use a RODC (read-only domain controller) and Azure AD Connect does not follow any write redirects.
  • It is not supported to use on-premises forests/domains using SLDs (Single Label Domains).
  • It is not supported to use on-premises forests/domains using “dotted” (name contains a period “.”) NetBios names.
  • It is recommended to enable the Active Directory recycle bin

Hybrid Identity Required Ports and Protocols

Protocol Ports Description
HTTP 80 (TCP/UDP) Used to download CRLs (Certificate Revocation Lists) to verify SSL certificates.
HTTPS 443(TCP/UDP) Used to synchronize with Azure AD.
Azure Service Bus 5671 (TCP/UDP) Outbound

Add and verify the on-premise domain in Azure AD (Office 365)

We need to connect on-premise domain with office 365.

  1. Login to office 365 tenant and then click Admin.


2. On the Home Page, click Add a domain.


3. Enter on-premise domain name to Enter a domain you own, click Next.


4. On the Verify domain page, select Add a TXT record instead (if you own domain was not register with GoDaddy), click Next.


5. Add the TXT records to your DNS hosting and then click Verify.


6. Select I’ll add the DNS records myself, click Next.


7. Add all records and to your DNS hosting and then click Verify.


8. Make sure all settings are correct and click Finish.


Deployment Certificate (If Active Directory Federation Services is being deployed, ADFS is optional)

We need certificate for ADFS to configure DirSync and Single Sign-On.

  1. Logon to ADFS Server.
  2. In the Windows start menu, type Internet Information Services (IIS) Manager and open it.
  3. In the Connections menu tree (left pane), locate and click the server name.
  4. On the server name Home page (center pane), in the IIS section, double-click Server Certificates.
  5. On the Server Certificates page (center pane), in the Actions menu (right pane), click the Create Certificate Request… link.
  6. In the Request Certificate wizard, on the Distinguished Name Properties page, provide the information and then click Next.
  7. On the Cryptographic Service Provider Properties page, provide the information below and then click Next.
  8. Cryptographic service provider – In the drop-down list, select Microsoft RSA SChannel…, unless you have a specific cryptographic provider.
  9. Bit length – In the drop-down list, select 2048 (or higher).
  10. On the File Name page, under Specify a file name for the certificate request, click the … box to browse to a location where you want to save your CSR and then click Finish.
  11. Use a text editor (such as Notepad) to open the file. Then, copy the text, including the —–BEGIN NEW CERTIFICATE REQUEST—– and —–END NEW CERTIFICATE REQUEST—– tags, and paste it into the third-party certificate providers order form.
  12. After you receive your SSL Certificate from third-party providers, you can install it.
  13. Use certificate you’ve purchased from third-party to import onto the ADFS server virtual machine.
  14. Click Complete Certificate Request from the Actions panel.
  15. Locate to your certificate, and enter Friendly name. Select Personal.
  16. Verify the certificate you just installed.
  17. On the Start menu click Run and then type mmc.
  18. Click File, select Add/Remove Snap-in.
  19. Click Certificates and then select Add.
  20. Select Computer Account and then click Next.
  21. Select Local Computer and then click Finish.
  22. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
  23. Right-click on the certificate you want to backup and select ALL TASKS and then click Export.
  24. Choose Yes, export the private key and include all certificates in certificate path if possible.
  25. Leave the default settings and then enter your password if required and then click Finish.
  26. Imported certificates to all virtual machines which are required to connect to Microsoft Office 365.

Configure UPN suffix

You need to configure UPN suffix if the internal domain name doesn’t match the domain to federate with office 365. Membership in Domain Admins or Enterprise Admins, or equivalent, is the minimum required to complete this procedure.

  1. Logon to Domain control server
  2. From the Start menu, click Administrative Tools, and then click Active Directory Domains and Trusts.
  3. In the console tree, right-click Active Directory Domains and Trusts, and then click Properties.
  4. On the UPN Suffixes tab, type an alternative UPN suffix suffixes field the domain name to match the external domain used to federate with Office 365, and then click Add.
  5. Click OK and close Active Directory Domain and Trust window.
Note

a custom UPN suffix must match the external name space, The new UPN suffix must be assigned to the users before performing the authentication with federated domain

  1. From the Start menu, click Administrative Tools, and then click Active Directory Users and Computers.
  2. Select the users, right click the selection and choose Properties option.
  3. Thick UPN suffix, select the external domain name and click OK.
  4. Check the user’s Properties, the User logon name field is now set with the UPN suffix just configured.

Enable Active Directory Recycle Bin

  1. Logon Domain control server.
  2. Open the Active Directory Administrative Center.
  3. Right-click your domain.
  4. Select Enable Recycle Bin…..

Hope you enjoy this post.

Cary Sun

Twitter: @SifuSun

Personal Web Site: www.carysun.com

Author: Cary Sun

Cary Sun has a wealth of knowledge and expertise in data center and deployment solutions. As a Principal Consultant, he likely works closely with clients to help them design, implement, and manage their data center infrastructure and deployment strategies.
With his background in data center solutions, Cary Sun may have experience in server and storage virtualization, network design and optimization, backup and disaster recovery planning, and security and compliance management. He holds CISCO CERTIFIED INTERNETWORK EXPERT (CCIE No.4531) from 1999. Cary is also a Microsoft Most Valuable Professional (MVP), Microsoft Azure MVP, Veeam Vanguard and Cisco Champion. He is a published author with several titles, including blogs on Checkyourlogs.net, and the author of many books.
Cary is a very active blogger at checkyourlogs.net and is permanently available online for questions from the community. His passion for technology is contagious, improving everyone around him at what they do.

Blog site: https://www.checkyourlogs.net
Web site: https://carysun.com
Blog site: https://gooddealmart.com
Twitter: @SifuSun
in: https://www.linkedin.com/in/sifusun/
Amazon Author: https://Amazon.com/author/carysun