Exchange Hybrid deployment | Background Process of Hybrid - Part 2

Hello All

Welcome to the second part of the Exchange Hybrid deployment series.

In part 1, we discussed what an Exchange Hybrid deployment is, the types of Exchange hybrid deployments that are available, which features each type provides, and the difference between classic and modern hybrid deployment.

In this part, we will discuss what the Hybrid Configuration Wizard (HCW) is, how to run it, and which background processes and commands execute while the HCW is running.

Before you run the Hybrid Configuration Wizard, certain prerequisites need to be met. Once they are, you are ready to run the wizard. There are several ways to download it.

If you are using Exchange Server 2013, 2016 or 2019, you can download the latest version of the Hybrid Configuration Wizard from the on-premises Exchange admin centre, or you can simply type this URL in Internet Explorer to download it.

When you launch the HCW you will see this home page.



On the next screen the Hybrid Configuration Wizard will either automatically detect the right Exchange server, or you can specify the Exchange server name manually.

If you are using Exchange Server 2010 or 2013, this must point to an Exchange server that has the Client Access Server role installed.

In the section that says "My Office 365 organisation is hosted by", select Office 365 Worldwide.


On the next screen, you will be asked to enter your on-premises admin credentials and the administrator credentials for your Office 365 tenant.



Once you have entered the credentials for the on-premises and Office 365 admin accounts, HCW will try to log in to each environment to validate that the credentials are correct. On the next page, select whether you want to configure a minimal hybrid or a full hybrid deployment.

If you only want hybrid for mailbox moves, you can select minimal hybrid.

If you want all the features of hybrid, you can select full hybrid configuration.

For this part 2, I have selected full hybrid configuration.



On the next screen you can select whether you want to enable centralised mail flow in your environment.



On the next screen, you need to choose the on-premises Exchange server that will be responsible for receiving emails sent from Office 365. The server should have a certificate assigned to SMTP, and port 25 should be open on your firewall. On the next page HCW will ask you on which on-premises Exchange server you want to create the send connector.





On the next screen it will ask you to identify the transport certificate used between on-premises Exchange and Exchange Online. This certificate is used to secure the communication between on-premises Exchange and Exchange Online.


In the next step, HCW will ask you to enter the fully qualified domain name of your on-premises organisation.
This FQDN must resolve to the public IP address, and it enables mail to be routed to on-premises Exchange. When you click Next on this screen, HCW will connect Office 365 to on-premises Exchange to configure them as a single organisation.


Starting the configuration



If everything is fine and you do not come across any issues during the configuration, you will see the window below.


Now let's understand what happens in the back end when you run HCW.

There are around 11 steps or processes running behind the scenes.

1. When you run HCW, the first step validates that it is possible to connect to both the on-premises Exchange server and Exchange Online.

To validate this, HCW runs the Get-ExchangeServer command on premises, and then it tries to connect to Exchange Online and authorise the connection.





2. Then HCW collects data about the on-premises Exchange organisation from the local Active Directory. To collect this information, HCW executes a series of PowerShell commands.



3. Then the Hybrid Configuration Wizard collects the Exchange Online configuration for your Office 365 tenant; it executes a few commands in Exchange Online to retrieve this information.
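Steps 1 to 3 are read-only, but the steps that follow change a lot of on-premises objects, so it is worth capturing a baseline first and diffing it after the wizard finishes. The script below is an added example, not code from the original post or from Microsoft; it assumes it runs in the Exchange Management Shell on the hybrid server, and the folder `C:\HybridBaseline` is a constructed path you should change.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# before the first HCW run, then again afterwards, and compare the two folders.
# $BaselineRoot is a constructed path; change it to suit your environment.
$BaselineRoot = 'C:\HybridBaseline'

# Configuration areas that HCW reads (steps 1-3) or changes (steps 5-11),
# each paired with the on-premises cmdlet that returns it.
$snapshots = [ordered]@{
    ExchangeServers          = { Get-ExchangeServer }
    AcceptedDomains          = { Get-AcceptedDomain }
    RemoteDomains            = { Get-RemoteDomain }
    EmailAddressPolicies     = { Get-EmailAddressPolicy }
    FederationTrust          = { Get-FederationTrust }
    OrganizationRelationship = { Get-OrganizationRelationship }
    SendConnectors           = { Get-SendConnector }
    ReceiveConnectors        = { Get-ReceiveConnector }
    WebServicesVDirs         = { Get-WebServicesVirtualDirectory -ADPropertiesOnly }
    AuthConfig               = { Get-AuthConfig }
    HybridConfiguration      = { Get-HybridConfiguration }
}

function Save-HybridSnapshot {
    param([string]$Root = $BaselineRoot)
    $ErrorActionPreference = 'Stop'
    $outDir = Join-Path $Root (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $outDir -Force | Out-Null
    foreach ($name in $snapshots.Keys) {
        try {
            # Export-Clixml keeps the whole object so individual properties can be compared later.
            @(& $snapshots[$name]) | Export-Clixml -Path (Join-Path $outDir "$name.xml")
            Write-Host ("{0,-26} saved" -f $name)
        } catch {
            # Before the first run some objects (e.g. the hybrid configuration) do not exist yet.
            Write-Warning ("{0}: {1}" -f $name, $_.Exception.Message)
        }
    }
    return $outDir
}

# Properties that change on every write and would only add noise to the comparison.
$ignore = @('WhenChanged', 'WhenChangedUTC', 'ObjectState', 'OriginatingServer')

function Compare-HybridSnapshot {
    param([string]$BeforeDir, [string]$AfterDir)
    foreach ($file in Get-ChildItem -Path $AfterDir -Filter '*.xml') {
        $area       = $file.BaseName
        $beforeFile = Join-Path $BeforeDir $file.Name
        $before     = if (Test-Path $beforeFile) { @(Import-Clixml $beforeFile) } else { @() }
        $after      = @(Import-Clixml $file.FullName)
        $byId = @{}
        foreach ($o in $before) { $byId[[string]$o.Identity] = $o }
        foreach ($o in $after) {
            $id = [string]$o.Identity
            if (-not $byId.ContainsKey($id)) { "[$area] + new object: $id"; continue }
            $old = $byId[$id]
            foreach ($p in $o.PSObject.Properties) {
                if ($ignore -contains $p.Name) { continue }
                $oldVal = [string]$old.($p.Name)
                $newVal = [string]$p.Value
                if ($oldVal -ne $newVal) { "[$area] ~ ${id}.$($p.Name): '$oldVal' -> '$newVal'" }
            }
        }
    }
}

# Usage: $before = Save-HybridSnapshot   (run HCW)   $after = Save-HybridSnapshot
#        Compare-HybridSnapshot -BeforeDir $before -AfterDir $after
```

The comparison prints one line per new object and one per changed property, which maps directly onto steps 5 to 11 below: new accepted and remote domains, the new send connector and its TLS settings, the organisation relationships, the auth server object and the MRS Proxy flag on the EWS virtual directories.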


4. If a federation trust between the on-premises Exchange organisation and the Microsoft Federation Gateway has not been created already, HCW will prompt you and ask you to enable the federation trust.

A federation trust creates a trust relationship between two different organisations. When you sign up for an Office 365 tenant, a federation trust is automatically created with the Microsoft Federation Gateway.


For the on-premises Exchange organisation, you can either create this trust manually or let HCW create the federation trust automatically.

When the federation trust between on premises and the Microsoft Federation Gateway is created, a self-signed certificate is stored on the on-premises Exchange server, and this can be verified by running the command below.
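To check the trust and the self-signed certificate it depends on, the following script reads the trust object, confirms the certificate is present on every non-Edge server, and runs the end-to-end test against the Microsoft Federation Gateway. This is an added example, not code from the original post or from Microsoft; it assumes the Exchange Management Shell on an on-premises server, and `user@contoso.example` is a constructed placeholder for a mailbox in your organisation.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# on an on-premises Exchange server after step 4 has completed.
# $TestUser is a constructed placeholder for a mailbox in your on-premises organisation.
$TestUser = 'user@contoso.example'

function Get-FederationTrustReport {
    $trusts = @(Get-FederationTrust)
    if ($trusts.Count -eq 0) {
        Write-Warning 'No federation trust exists yet; HCW will prompt to create one.'
        return
    }
    foreach ($t in $trusts) {
        $cert = $t.OrgCertificate   # the self-signed certificate the post mentions
        [pscustomobject]@{
            Name           = $t.Name
            ApplicationUri = $t.ApplicationUri
            TokenIssuerUri = $t.TokenIssuerUri
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            DaysRemaining  = [int]($cert.NotAfter - (Get-Date)).TotalDays
            NextCertSet    = [bool]$t.OrgNextCertificate
        }
    }
}

function Test-FederationCertificatePresence {
    # The certificate must exist on every server that can publish federation metadata;
    # report each server where it is missing.
    param([string]$Thumbprint)
    foreach ($server in Get-ExchangeServer | Where-Object { $_.ServerRole -notmatch 'Edge' }) {
        try {
            $found = Get-ExchangeCertificate -Server $server.Name -Thumbprint $Thumbprint -ErrorAction Stop
            [pscustomobject]@{ Server = $server.Name; Present = [bool]$found; NotAfter = $found.NotAfter }
        } catch {
            [pscustomobject]@{ Server = $server.Name; Present = $false; NotAfter = $null }
        }
    }
}

# Which domains are federated and whether federation is switched on for the organisation.
Get-FederatedOrganizationIdentifier | Format-List AccountNamespace, Domains, Enabled

$report = @(Get-FederationTrustReport)
$report | Format-List
if ($report.Count -gt 0) {
    Test-FederationCertificatePresence -Thumbprint $report[0].Thumbprint | Format-Table -AutoSize
    # Test-FederationTrust checks the trust end to end against the Microsoft Federation Gateway;
    # only the steps that did not succeed are shown.
    Test-FederationTrust -UserIdentity $TestUser | Where-Object { $_.Type -ne 'Success' } | Format-List
}
```

The `DaysRemaining` and `NextCertSet` columns are the ones to watch over time: the self-signed certificate expires, and if no next certificate has been staged, free/busy lookups that rely on the federation token stop working without any change having been made to the hybrid configuration itself.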




5. In the fifth step, HCW creates the hybrid configuration objects in the local Active Directory. To create these objects, HCW executes two commands in the back end.

We can verify this configuration by running Get-HybridConfiguration | fl on the on-premises servers.


6. Next, HCW adds username@domain.mail.onmicrosoft.com to the email address policy in on-premises Exchange. Then it adds the domain.mail.onmicrosoft.com and domain.onmicrosoft.com domains as remote domains, and it adds the domain.mail.onmicrosoft.com domain to the accepted domains. To configure these settings, HCW executes


7. Next, HCW creates organisation relationships between on-premises Exchange and Exchange Online.


If you are running a full hybrid deployment, it creates one organisation relationship on premises that points to Exchange Online, and a second organisation relationship in Exchange Online that points to the on-premises Exchange server.

HCW executes a series of commands to enable the free/busy configuration and to create the availability address space objects that are used to share free/busy data across the Exchange organisations.


To verify the above configuration, run Get-OrganizationRelationship | fl in both on-premises Exchange and Exchange Online.
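Rather than reading the full `fl` output by eye, the script below pulls out the properties that decide whether free/busy and mailbox moves will work and flags the usual misconfigurations, then runs the built-in end-to-end test for one user. It is an added example, not code from the original post or from Microsoft; `Get-OrganizationRelationship` and `Test-OrganizationRelationship` exist in both the on-premises Exchange Management Shell and Exchange Online PowerShell, so the same script runs on either side. `user@contoso.example` is a constructed placeholder for a mailbox in whichever organisation you run it in.

```powershell
# Added example, not from the original post. Runs in the on-premises Exchange Management
# Shell or in an Exchange Online PowerShell session; both expose the cmdlets used here.
# $TestUser is a constructed placeholder for a mailbox in the organisation you run it in.
$TestUser = 'user@contoso.example'

function Get-HybridRelationshipReport {
    foreach ($r in Get-OrganizationRelationship) {
        $issues = @()
        if (-not $r.Enabled)                   { $issues += 'relationship is disabled' }
        if (-not $r.FreeBusyAccessEnabled)     { $issues += 'free/busy access disabled' }
        if ($r.FreeBusyAccessLevel -eq 'None') { $issues += 'free/busy level is None' }
        if (-not $r.TargetApplicationUri)      { $issues += 'TargetApplicationUri missing' }
        if (-not $r.TargetAutodiscoverEpr)     { $issues += 'TargetAutodiscoverEpr missing' }
        elseif ($r.TargetAutodiscoverEpr.Scheme -ne 'https') { $issues += 'Autodiscover endpoint is not https' }
        if (-not $r.MailboxMoveEnabled)        { $issues += 'MailboxMoveEnabled is false' }
        $summary = if ($issues) { $issues -join '; ' } else { 'none' }

        [pscustomobject]@{
            Name            = $r.Name
            Domains         = ($r.DomainNames -join ', ')
            FreeBusyLevel   = $r.FreeBusyAccessLevel
            AutodiscoverEpr = $r.TargetAutodiscoverEpr
            ApplicationUri  = $r.TargetApplicationUri
            MailboxMove     = $r.MailboxMoveEnabled
            Issues          = $summary
        }
    }
}

$report = @(Get-HybridRelationshipReport)
$report | Format-List

# Test-OrganizationRelationship exercises the relationship end to end (Autodiscover lookup,
# federation token, and the remote organisation's configuration) for one user.
foreach ($r in $report) {
    Test-OrganizationRelationship -Identity $r.Name -UserIdentity $TestUser | Format-Table -AutoSize
}
```

Run it on both sides and compare: the `Domains` column of the on-premises relationship should list the tenant's onmicrosoft.com domains, and the Exchange Online relationship should list the on-premises SMTP domains; a domain missing from either list is the most common reason free/busy works in one direction only.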

8. Next, HCW checks whether the mail flow connectors have already been created. If not, it creates mail flow connectors on premises and in Exchange Online.

If you selected centralised mail flow while running HCW, it creates two connectors in Exchange Online: an inbound connector that identifies the on-premises organisation by the name specified in the TLS certificate, and an outbound connector that routes all emails to a smart host, which is your on-premises Exchange server.

Then HCW creates a send connector in the on-premises Exchange organisation that points to mail.onmicrosoft.com, and it modifies the receive connector to accept TLS communication.
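Because these connectors carry mail between the two organisations with nothing but TLS and the certificate name to tell a legitimate peer from anyone else on the internet, it is worth confirming the TLS settings HCW applied on both sides. The script below is an added example, not code from the original post or from Microsoft: the first function runs in the on-premises Exchange Management Shell (Exchange 2013 or later, since it uses the `TransportRole` property), the second in an Exchange Online PowerShell session. Both only read configuration.

```powershell
# Added example, not from the original post. Test-OnPremHybridConnectors runs in the
# on-premises Exchange Management Shell; Test-CloudHybridConnectors runs in Exchange
# Online PowerShell. Connector names are whatever HCW created, so they are not hard-coded.

function Test-OnPremHybridConnectors {
    # Send connector for the hybrid route: its address space ends in onmicrosoft.com.
    foreach ($sc in Get-SendConnector | Where-Object { ($_.AddressSpaces -join ' ') -match 'onmicrosoft\.com' }) {
        $issues = @()
        if (-not $sc.Enabled)                        { $issues += 'connector disabled' }
        if (-not $sc.RequireTLS)                     { $issues += 'RequireTLS is false' }
        if ($sc.TlsAuthLevel -ne 'DomainValidation') { $issues += "TlsAuthLevel is $($sc.TlsAuthLevel)" }
        if (-not $sc.TlsDomain)                      { $issues += 'TlsDomain not set' }
        if (-not $sc.CloudServicesMailEnabled)       { $issues += 'CloudServicesMailEnabled is false' }
        $summary = if ($issues) { $issues -join '; ' } else { 'none' }
        [pscustomobject]@{ Connector = $sc.Name; Type = 'Send'; Endpoint = ($sc.AddressSpaces -join ', ')
                           TlsDomain = $sc.TlsDomain; Issues = $summary }
    }
    # Frontend receive connectors listening on port 25, which is where Exchange Online delivers.
    foreach ($rc in Get-ReceiveConnector | Where-Object { $_.Bindings -match ':25$' -and $_.TransportRole -eq 'FrontendTransport' }) {
        $issues = @()
        if (-not $rc.TlsCertificateName)     { $issues += 'TlsCertificateName not set' }
        if (-not $rc.TlsDomainCapabilities)  { $issues += 'no TlsDomainCapabilities' }
        $summary = if ($issues) { $issues -join '; ' } else { 'none' }
        [pscustomobject]@{ Connector = $rc.Identity; Type = 'Receive'; Endpoint = ($rc.Bindings -join ', ')
                           TlsDomain = ($rc.TlsDomainCapabilities -join ', '); Issues = $summary }
    }
}

function Test-CloudHybridConnectors {
    # Inbound connector: Exchange Online must be able to prove the sender is your organisation.
    foreach ($ic in Get-InboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' }) {
        $issues = @()
        if (-not $ic.Enabled)    { $issues += 'connector disabled' }
        if (-not $ic.RequireTls) { $issues += 'RequireTls is false' }
        if (-not $ic.TlsSenderCertificateName -and -not $ic.SenderIPAddresses) {
            $issues += 'sender identified neither by certificate name nor by IP'
        }
        if (-not $ic.CloudServicesMailEnabled) { $issues += 'CloudServicesMailEnabled is false' }
        $summary = if ($issues) { $issues -join '; ' } else { 'none' }
        [pscustomobject]@{ Connector = $ic.Name; Type = 'Inbound'; SenderCert = $ic.TlsSenderCertificateName
                           RoutesAllMail = $null; Issues = $summary }
    }
    # Outbound connector: mail to on premises must go to the smart host over validated TLS.
    foreach ($oc in Get-OutboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' }) {
        $issues = @()
        if (-not $oc.Enabled)                      { $issues += 'connector disabled' }
        if ($oc.TlsSettings -ne 'DomainValidation') { $issues += "TlsSettings is $($oc.TlsSettings)" }
        if (-not $oc.TlsDomain)                    { $issues += 'TlsDomain not set' }
        if ($oc.UseMXRecord)                       { $issues += 'uses MX lookup instead of the smart host' }
        if (-not $oc.CloudServicesMailEnabled)     { $issues += 'CloudServicesMailEnabled is false' }
        $summary = if ($issues) { $issues -join '; ' } else { 'none' }
        [pscustomobject]@{ Connector = $oc.Name; Type = 'Outbound'; SenderCert = ($oc.SmartHosts -join ', ')
                           RoutesAllMail = $oc.RouteAllMessagesViaOnPremises; Issues = $summary }
    }
}

# Usage (on premises):       Test-OnPremHybridConnectors | Format-Table -AutoSize
# Usage (Exchange Online):   Test-CloudHybridConnectors  | Format-Table -AutoSize
```

`RoutesAllMail` on the outbound connector is the setting behind the centralised mail flow choice made earlier in the wizard: when it is true, every message leaving the tenant is handed to the on-premises server first, so that server's outbound path and anti-spam controls need to be sized for the whole organisation's mail, not just the on-premises mailboxes.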


9. HCW enables OAuth authentication between on-premises Exchange and Exchange Online.

It executes the commands below in the back end to configure the settings:

It runs Get-AuthConfig to check whether OAuth is already enabled.
It runs Get-ExchangeCertificate.
It runs New-AuthServer to create an authorisation server object in Microsoft Exchange.
It runs Get-PartnerApplication to fetch the configuration of Exchange Online and then runs Set-PartnerApplication to configure these settings.
To verify the above configuration settings, use Test-OAuthConnectivity.

10. HCW enables the MRS Proxy on the on-premises Exchange server so that mailbox migrations can be performed. By running the Get-WebServicesVirtualDirectory command we can verify whether the MRS Proxy is enabled.


11. Finally, HCW runs the Set-OnPremisesOrganization command and completes the hybrid installation.
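Steps 9 and 10 are the ones that break most often months after HCW has run, usually because the OAuth certificate expired or the MRS Proxy endpoint was changed. The script below checks both and finishes with the `Test-OAuthConnectivity` call the post recommends. It is an added example, not code from the original post or from Microsoft; it assumes the on-premises Exchange Management Shell, `user@contoso.example` is a constructed placeholder for an on-premises mailbox, and the EWS URL is the Exchange Online endpoint that `Test-OAuthConnectivity` is pointed at.

```powershell
# Added example, not from the original post. Run in the on-premises Exchange Management
# Shell after HCW has completed. $TestUser is a constructed placeholder for an on-premises
# mailbox; $CloudEwsUri is the Exchange Online EWS endpoint used by Test-OAuthConnectivity.
$TestUser    = 'user@contoso.example'
$CloudEwsUri = 'https://outlook.office365.com/ews/exchange.asmx'

function Get-OAuthConfigReport {
    # Step 9: the OAuth trust signs tokens with the certificate named in the auth config.
    # If it is missing or expired, free/busy and mailbox moves fail with little indication why.
    $auth = Get-AuthConfig
    $cert = Get-ExchangeCertificate -Thumbprint $auth.CurrentCertificateThumbprint -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Realm             = $auth.Realm
        ServiceName       = $auth.ServiceName
        CurrentThumbprint = $auth.CurrentCertificateThumbprint
        NextThumbprint    = $auth.NextCertificateThumbprint
        CertFound         = [bool]$cert
        CertNotAfter      = if ($cert) { $cert.NotAfter } else { $null }
        CertDaysRemaining = if ($cert) { [int]($cert.NotAfter - (Get-Date)).TotalDays } else { $null }
    }
}

function Get-OAuthPartnerReport {
    # The auth server object and partner application that HCW creates or updates.
    Get-AuthServer        | Select-Object Name, Enabled, IssuerIdentifier, AuthMetadataUrl
    Get-PartnerApplication | Select-Object Name, Enabled, ApplicationIdentifier, AuthMetadataUrl, LinkedAccount
}

function Get-MrsProxyReport {
    # Step 10: MRS Proxy must be enabled on the EWS virtual directory. Because that endpoint
    # is reached from Exchange Online, the external URL should be https.
    foreach ($v in Get-WebServicesVirtualDirectory -ADPropertiesOnly) {
        $issues = @()
        if (-not $v.MRSProxyEnabled) { $issues += 'MRSProxyEnabled is false' }
        if (-not $v.ExternalUrl)     { $issues += 'ExternalUrl not set' }
        elseif ($v.ExternalUrl.Scheme -ne 'https') { $issues += 'ExternalUrl is not https' }
        $summary = if ($issues) { $issues -join '; ' } else { 'none' }
        [pscustomobject]@{ Server = $v.Server; MrsProxy = $v.MRSProxyEnabled
                           ExternalUrl = $v.ExternalUrl; Issues = $summary }
    }
}

Get-OAuthConfigReport  | Format-List
Get-OAuthPartnerReport | Format-Table -AutoSize
Get-MrsProxyReport     | Format-Table -AutoSize

# End-to-end OAuth check from on premises to Exchange Online; -Verbose shows the token exchange.
Test-OAuthConnectivity -Service EWS -TargetUri $CloudEwsUri -Mailbox $TestUser -Verbose | Format-List
```

If `CertFound` is false or `CertDaysRemaining` is negative, fix the auth certificate before re-running HCW; the wizard reuses the existing auth configuration rather than replacing the certificate, so re-running it alone does not clear the problem.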




If you want to analyse the hybrid configuration logs, you can collect them from this location on the hybrid server and analyse them.

