Exchange Hybrid requirements

Written by Arne Tiedemann on Monday October 21, 2019

Many customers plan to migrate to Exchange Online, and all of them need to know the requirements for building a secure hybrid infrastructure with Exchange on-premises and Exchange Online ("EXO"). This article describes the requirements for an Exchange hybrid deployment.

Exchange Hybrid

The main goal of an Exchange hybrid deployment is to enable the on-premises Exchange organization to move its mailboxes and public folders to Exchange Online.
When a customer plans to start with other Office 365 workloads and Exchange is not the first project, the dependencies of those workloads on Exchange hybrid still have to be considered, for example for Microsoft Teams.

This article describes the requirements for an Exchange hybrid deployment, not those for Microsoft Teams.

Exchange hybrid deployment features

When you establish an Exchange hybrid deployment, you will get these additional features in your Exchange organization:

  1. Secure mail flow between on-premises and Exchange Online mailboxes
  2. Mail routing with the same accepted domains 
  3. A global address list for on-premises and Exchange Online mailboxes
  4. Centralized inbound and outbound mail flow
  5. Sharing of Free/Busy information between on-premises and online users
  6. Move mailboxes from on-premises to Exchange Online and back to on-premises

Sources:

  1. Exchange Server hybrid deployments
  2. Learn more about Exchange Online Archiving at Archive Features in Exchange Online Archiving.

Requirements

To successfully establish an Exchange hybrid deployment, your on-premises Exchange organization must meet the following requirements.

  1. Exchange organizations with Exchange 2007 or later are supported
  2. The Exchange servers must run the latest cumulative update (or update rollup for Exchange 2010). If that is not possible, the immediately preceding one is still supported
  3. Exchange 2010 and Exchange 2013
    1. At least one server with the Mailbox and Client Access server roles (and, on Exchange 2010, the Hub Transport role) must be installed
    2. If public folders are in use, install the Client Access server role on each Mailbox server. This is needed to publish the public folders to Exchange Online users through a public folder proxy mailbox on each Mailbox server
  4. Exchange Server 2016 and newer
    1. At least one server with the Mailbox server role installed
  5. Customer domains: Register every accepted domain of your on-premises Exchange organization in Office 365
  6. Azure AD Connect: You need directory synchronization between your on-premises Active Directory and your Azure AD tenant; read here for best practices: Secure Install of Azure AD Connect
  7. DNS records: These records must be published for every domain registered in your tenant
    1. Autodiscover
    2. Exchange Web Services
    3. Outlook on the Web
  8. Exchange organization publishing
    1. Internal and external URLs must be configured correctly
    2. Internal and external access to the services must be configured, and an external client must be able to reach the mailbox via Outlook on the Web and Outlook Anywhere
    3. Autodiscover must be published and accessible from external clients
  9. Publishing certificates: The certificates must be issued by a public certification authority; certificates from internal certification authorities are not supported
    1. If you use different namespaces for IIS and SMTP, every namespace needs a publicly trusted certificate
  10. Microsoft .NET Framework 4.6.2 or later is required to run the Hybrid Configuration Wizard
  11. If you have Unified Messaging enabled, see this article: https://docs.microsoft.com/en-us/exchange/hybrid-deployment-prerequisites
  12. Exchange Edge Transport server: If you plan to use an Edge Transport server, remember that some Exchange connectors have to be configured manually

In my Exchange projects I keep noticing that company firewalls bring the project to a halt. Make sure the firewalls meet the requirements for Exchange hybrid deployments.
See: Office 365 IPs and services
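As an added pre-flight check for the requirements list and the firewall note above (example code written for this page, not part of the original article or of Microsoft's hybrid tooling): it reads the server versions and roles, the external URLs of EWS, OWA and Outlook Anywhere, the certificates bound to IIS and SMTP, the .NET Framework release and outbound reachability of Exchange Online, and prints findings without changing anything. The SMTP host in $ExoSmtpHost is a placeholder; the "latest CU" and "public CA" checks cannot be decided offline, so the script prints the build and the issuer for you to compare by hand.

```powershell
# Added pre-flight check for the hybrid requirements above; not from the article.
# Run in the Exchange Management Shell on the server that will become the hybrid
# server, as a member of Organization Management. Read-only: it only reports.
# $ExoSmtpHost is a placeholder: use your tenant's *.mail.protection.outlook.com
# host and the current "Office 365 IPs and services" list.
$ExoSmtpHost = 'contoso-com.mail.protection.outlook.com'   # placeholder

$findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Level, [string]$Text) { $findings.Add("[$Level] $Text") }

# Requirements 1, 3, 4: at least one server carries the role set for its version
$hybridCandidate = $false
foreach ($srv in Get-ExchangeServer) {
    $v = $srv.AdminDisplayVersion
    $roles = $srv.ServerRole.ToString()
    $ok = switch ($v.Major) {
        14 { ($roles -match 'Mailbox') -and ($roles -match 'ClientAccess') -and ($roles -match 'HubTransport') }
        15 { if ($v.Minor -eq 0) { ($roles -match 'Mailbox') -and ($roles -match 'ClientAccess') }
             else { $roles -match 'Mailbox' } }
        default { $false }   # Exchange 2007 (8.x) cannot run the hybrid wizard itself
    }
    if ($ok) { $hybridCandidate = $true }
    # Requirement 2: compare this build with Microsoft's CU/RU build table by hand
    Add-Finding 'INFO' ('{0}: {1}.{2}.{3}.{4}, roles {5}' -f $srv.Name, $v.Major, $v.Minor, $v.Build, $v.Revision, $roles)
}
if (-not $hybridCandidate) { Add-Finding 'FAIL' 'No server has the role set required for a hybrid server' }

# Requirements 7 and 8: https external URLs, and the names they publish
$externalNames = @()
$webVdirs = @(Get-WebServicesVirtualDirectory -ADPropertiesOnly) + @(Get-OwaVirtualDirectory -ADPropertiesOnly)
foreach ($vd in $webVdirs) {
    if (-not $vd.ExternalUrl) { Add-Finding 'FAIL' "$($vd.Identity): ExternalUrl is empty" }
    elseif ($vd.ExternalUrl.Scheme -ne 'https') { Add-Finding 'FAIL' "$($vd.Identity): ExternalUrl is not https" }
    else { $externalNames += $vd.ExternalUrl.Host }
}
foreach ($oa in Get-OutlookAnywhere -ADPropertiesOnly) {
    if (-not $oa.ExternalHostname) { Add-Finding 'FAIL' "$($oa.Identity): Outlook Anywhere ExternalHostname is empty" }
    else { $externalNames += [string]$oa.ExternalHostname }
}
# Requirement 7: an autodiscover name for every authoritative accepted domain
foreach ($d in (Get-AcceptedDomain | Where-Object { $_.DomainType -eq 'Authoritative' })) {
    $externalNames += "autodiscover.$($d.DomainName)"
}

# Requirement 9: CA-issued certificates on IIS and SMTP that cover the published names
function Test-NameOnCertificate([string]$Name, $Cert) {
    foreach ($entry in $Cert.CertificateDomains) {
        $pattern = [string]$entry
        if ($pattern -eq $Name) { return $true }
        # a wildcard entry covers exactly one label
        if ($pattern.StartsWith('*.') -and $Name -like $pattern -and
            $Name.Split('.').Count -eq $pattern.Split('.').Count) { return $true }
    }
    return $false
}
$certs = @(Get-ExchangeCertificate | Where-Object { $_.Services.ToString() -match 'IIS|SMTP' })
foreach ($c in $certs) {
    $svc = $c.Services.ToString()
    $label = "$($c.Thumbprint) ($($c.Subject); $svc)"
    if ($c.IsSelfSigned) {
        # The default self-signed server certificate normally stays bound to SMTP;
        # a self-signed certificate on IIS, however, breaks every external client.
        if ($svc -match 'IIS') { Add-Finding 'FAIL' "$label is self-signed and bound to IIS" }
        continue
    }
    if ($c.NotAfter -lt (Get-Date).AddDays(30)) { Add-Finding 'WARN' "$label expires $($c.NotAfter)" }
    Add-Finding 'INFO' "$label issued by '$($c.Issuer)' - confirm this is a public CA"
}
$iisCerts = @($certs | Where-Object { $_.Services.ToString() -match 'IIS' })
foreach ($name in ($externalNames | Sort-Object -Unique)) {
    if (-not ($iisCerts | Where-Object { Test-NameOnCertificate $name $_ })) {
        Add-Finding 'FAIL' "$name is not covered by any certificate bound to IIS"
    }
}
if (-not ($certs | Where-Object { $_.Services.ToString() -match 'SMTP' -and -not $_.IsSelfSigned })) {
    Add-Finding 'FAIL' 'No CA-issued certificate is bound to SMTP (needed for hybrid mail flow TLS)'
}

# Requirement 10: .NET Framework 4.6.2 or later reports Release >= 394802
$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue).Release
if (-not $release -or $release -lt 394802) { Add-Finding 'FAIL' ".NET Framework 4.6.2 or later is required (Release key: $release)" }

# Firewall: outbound reachability from this server. Inbound 443/25 from Exchange
# Online cannot be tested from here; use the Remote Connectivity Analyzer for that.
foreach ($probe in @(@{ Host = 'outlook.office365.com'; Port = 443 }, @{ Host = $ExoSmtpHost; Port = 25 })) {
    $r = Test-NetConnection -ComputerName $probe.Host -Port $probe.Port -WarningAction SilentlyContinue
    if ($r.TcpTestSucceeded) { Add-Finding 'OK' "outbound $($probe.Host):$($probe.Port) reachable" }
    else { Add-Finding 'FAIL' "outbound $($probe.Host):$($probe.Port) blocked" }
}
$findings
```

Every FAIL line maps to a numbered requirement above; INFO lines are the items (current CU, public issuer) that need a human comparison against Microsoft's published build list and your certificate vendor.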

Check Remote Connectivity

To test the external configuration and connectivity of your on-premises environment, use the Microsoft Remote Connectivity Analyzer to verify the required connections.

Open http://aka.ms/exrca and test every domain that your users have as a reply address. Run the following tests for each domain:

Exchange Server tests:

  • Exchange Web Services
    • Synchronization, Notification, Availability, and Automatic Replies
  • Outlook
    • Connectivity
    • Autodiscover
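Before running the analyzer for each domain, the same external view can be taken from any internet-connected machine. The following is an added example for this page, not a Microsoft tool and not part of the original article: it resolves autodiscover.<domain> for every reply-address domain, opens a TLS connection to each published name and lets the client's default validation decide whether the certificate chain is trusted and the name matches (the published-certificate requirement), and sends an anonymous request to the Autodiscover, EWS and OWA paths. The domain list and the mail namespace are placeholders; the expected status codes assume the default Exchange authentication settings (401 for Autodiscover and EWS, 200 or a 302 redirect to the logon page for OWA).

```powershell
# Added example, not from the article. Run it from a machine OUTSIDE the
# corporate network that does not trust the internal CA: a domain-joined
# client would accept an internal certificate and hide the publishing problem.
# $Domains and $MailNamespace are placeholders; put your own values here.
$Domains       = @('contoso.com', 'fabrikam.com')
$MailNamespace = 'mail.contoso.com'     # name used for OWA, EWS and Outlook Anywhere

function Get-RemoteTlsCertificate([string]$HostName, [int]$Port = 443) {
    # AuthenticateAsClient succeeds only if the chain is trusted by this machine
    # and the certificate matches $HostName; otherwise it throws.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Close() }
}

function Get-HttpStatus([string]$Url) {
    # Anonymous GET without following redirects; the status code is the result
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
        return [int]$r.StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        return -1   # no HTTP answer at all (DNS, TCP or TLS failure)
    }
}

function Test-HybridEndpoint([string]$HostName, [hashtable]$Paths) {
    $result = [ordered]@{ Host = $HostName; Dns = $null; Cert = 'n/a'; Expires = $null }
    $dns = Resolve-DnsName -Name $HostName -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -in 'A', 'CNAME' }
    if (-not $dns) { $result.Dns = 'FAIL: no record'; return [pscustomobject]$result }
    $result.Dns = ($dns | ForEach-Object { if ($_.Type -eq 'CNAME') { $_.NameHost } else { $_.IPAddress } }) -join ','
    try {
        $cert = Get-RemoteTlsCertificate $HostName
        $result.Cert = "OK: issued by $($cert.Issuer)"
        $result.Expires = $cert.NotAfter
    } catch { $result.Cert = "FAIL: $($_.Exception.Message)" }
    foreach ($p in $Paths.Keys) {
        $code = Get-HttpStatus "https://$HostName$p"
        $result[$p] = if ($code -in $Paths[$p]) { "OK ($code)" } else { "CHECK ($code)" }
    }
    [pscustomobject]$result
}

$results = @(foreach ($d in $Domains) {
    Test-HybridEndpoint "autodiscover.$d" @{ '/autodiscover/autodiscover.xml' = 401 }
})
$results += Test-HybridEndpoint $MailNamespace @{ '/EWS/Exchange.asmx' = 401; '/owa' = 200, 302 }
$results | Format-List
```

A "CHECK" result is not necessarily a failure (a reverse proxy may answer differently), but a "FAIL" on DNS or on the certificate will also fail in the Remote Connectivity Analyzer and in the Hybrid Configuration Wizard.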

Accepted Domains

Note: All accepted domains of your on-premises Exchange organization should also be added as Exchange Online accepted domains. If an Exchange Online mailbox sends a message to an on-premises mailbox whose primary address is in a domain that is not registered as an EXO accepted domain, the message is not treated as internal mail flow.
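To find the domains that are missing on the tenant side, the following added example (written for this page, not part of the article) compares the authoritative and internal-relay accepted domains of the on-premises organization with the accepted domains of the tenant. It assumes the Exchange Management Shell with the ExchangeOnlineManagement module installed; Connect-ExchangeOnline is given the prefix "Cloud" so that the tenant's Get-AcceptedDomain does not shadow the on-premises cmdlet in the same session. The sample domain names in the first call are constructed to show the output shape.

```powershell
# Added example, not from the article: on-premises vs. Exchange Online accepted domains.
function Compare-HybridAcceptedDomain {
    param([string[]]$OnPremises, [string[]]$ExchangeOnline)
    $onPrem = $OnPremises     | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique
    $cloud  = $ExchangeOnline | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique
    foreach ($d in $onPrem) {
        $inTenant = $d -in $cloud
        # mail from an EXO mailbox to a primary address in a domain the tenant
        # does not know is handled as external mail flow
        $impact = if ($inTenant) { '' } else { 'EXO -> on-prem mail not internal; add domain to tenant' }
        [pscustomobject]@{ Domain = $d; InTenant = $inTenant; Impact = $impact }
    }
}

# Constructed sample (not real tenant data): sales.contoso.com is reported as missing
Compare-HybridAcceptedDomain -OnPremises 'contoso.com', 'sales.contoso.com' `
                             -ExchangeOnline 'contoso.com', 'contoso.onmicrosoft.com' | Format-Table -AutoSize

# Live comparison against the tenant
$onPremDomains = Get-AcceptedDomain |
    Where-Object { $_.DomainType -in 'Authoritative', 'InternalRelay' } |
    ForEach-Object { [string]$_.DomainName }

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -Prefix Cloud -ShowBanner:$false
try {
    $cloudDomains = Get-CloudAcceptedDomain | ForEach-Object { [string]$_.DomainName }
    Compare-HybridAcceptedDomain -OnPremises $onPremDomains -ExchangeOnline $cloudDomains |
        Where-Object { -not $_.InTenant } | Format-Table -AutoSize
} finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

Every domain the live comparison lists has to be added and verified in the tenant ("Add your domain to Office 365" below) before the Hybrid Configuration Wizard is run.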

Additional information:

  1. Hybrid deployment prerequisites
  2. Add your domain to Office 365
  3. Azure AD Connect User Sign-on options
  4. Hybrid management in Exchange hybrid deployments
  5. Certificate requirements for hybrid deployments
  6. Edge Transport servers with hybrid deployments
  7. Office 365 IPs and services
  8. Microsoft Remote Connectivity Analyzer
  9. Single sign-on with hybrid deployments