
Hybrid exchange Office 365


Hybrid exchange
1. Components
+ Exchange server: must be the latest version
+ Office 365 (admin account)
+ Hybrid Configuration wizard
+ Azure Active Directory synchronization (recommended) / ADFS (used in large organizations, such as
multi-forest ones): uses Azure AD Connect (on-premises) to replicate on-premises Active Directory
information for mail-enabled objects to the Office 365 organization to support the unified
global address list (GAL) and user authentication

2. Changes in hybrid compared with on-premises


On-premises

hybrid

3. Things to consider

AD sync: synchronizes every 30 minutes; limited to 50,000 objects (this is also the number of objects
created in Office 365)
Manage hybrid with the EAC
Certificate: must be purchased from a third party
Clients use Outlook 2016 or Outlook 2013
When moving mailboxes to Office 365, consider:
• Determine the average mailbox size for mailboxes that will be moved to Office 365.
• Determine the average connection and throughput speed for your connection to
the Internet from your on-premises organization.
• Calculate the average expected transfer speed, and plan your mailbox moves
accordingly.
Every mailbox in Office 365 has a license
Antivirus and anti-spam: Mailboxes moved to Office 365 are automatically provided
with antivirus and anti-spam protection by Exchange Online Protection (EOP), a
service provided by Office 365


4. Prerequisites before configuration
4.1. Add primary SMTP domain to Office 365
Configure Office 365 with the primary SMTP namespace of the on-premises organization
1. Log on to: Office 365 admin center preview
2. Click Settings > Domains > Add domain.
3. Enter the primary SMTP namespace. For example, contoso.com. Then, click Next.
4. Follow the instructions provided to verify your domain ownership. When complete,
wait 15 minutes and then click Verify. If the wizard says it can't verify your domain
ownership, you might need to wait longer for your DNS records to update across the
Internet; this might take several hours. Also verify that the record you created is
correct.
5. On the Required DNS settings page, click Continue setup. Don't update your
DNS records right now. Instead, you'll update your DNS records later in your hybrid
deployment.
6. On the Set up your online services page, select I'll manage my own DNS
records and click Next.
7. On the Update DNS settings page, select Skip this step - I have custom DNS
records, so I'll add the records I need later. I understand that some Office
365 services may be unavailable until I manually add the records with my
registrar. Click Skip, and then click Finish.

4.2. Configure Azure AD Connect
1. Download Azure Active Directory Connect on the computer where you'll install it, and
then open it.

2. On the Welcome page, click Continue if you agree to the license terms and privacy
notice.

3. On the Express Settings page, click Use express settings.
4. On the Connect to Azure AD page, enter the username and password for a user
account that is a Global Administrator in your Office 365 organization, and then
click Next.

5. On the Connect to AD DS page, enter the username and password for a user account
in your on-premises organization that is an Enterprise Administrator, and then
click Next.


6. On the Ready to configure page, select both Start the synchronization process as
soon as the configuration completes and Exchange hybrid deployment, and then
click Install.
At this point, Azure AD Connect will synchronize your on-premises user accounts and
their information, including passwords, to your Office 365 organization. Depending on
how many accounts need to be synchronized, this might take a while.


7. On the Configuration complete page, click Exit.

4.3. Verify synchronization and assign licenses
To create a mailbox in the Exchange Online organization, do the following:
1. Open Active Directory Users and Computers on an Active Directory domain
controller in your on-premises organization.
2. Expand the container or organizational unit (OU) where you want to create a new
Active Directory user.
3. Click Action in the menu bar, and then click New > User.
4. Enter the required user information. Because this user will be associated with a test
mailbox, we recommend that you clearly identify the user as such. For example,
name the user "Test User".
5. In the User logon name field, provide the user name that the user should specify
when logging into their user account. This user name, combined with the user
principal name (UPN) in the drop-down box next to the User logon name field,
makes up the Microsoft Online Identity of the user. The Microsoft Online Identity
typically matches the user's email address, and the domain suffix chosen should
match the federated domain configured in Active Directory Federation Services. For
example, Click Next.
6. Enter a password for the new user, specify any options you want to set, and then
click Next.
7. Click Finish.

8. Wait for directory synchronization to synchronize the new user to the Office 365
organization.
By default, synchronization takes 30 minutes. To synchronize immediately, run the following in
Windows PowerShell:
Start-ADSyncSyncCycle -PolicyType Delta

9. Log on to: Office 365 service administration portal
10. Assign a license to the new user. Learn more at: Activate synced users

4.4. Configure DNS records: Autodiscover, SPF records

4.5. Configure Exchange Web Services (configure the virtual directory URLs)
1. Open the EAC and navigate to Servers > Virtual directories.
2. In the Select server field, click the down arrow and select the Exchange 2016
Mailbox server to update.


3. Click Configure external access domain.
4. On the Configure external access domain page, click Add.
5. On the Select a Server page, select the Exchange 2016 Mailbox servers you want to
configure and click Add. Click OK.
6. On the Configure external access domain page, enter the externally accessible
FQDN of your Internet-facing Exchange 2016 Mailbox server in the Enter the
domain name you will use with your external Client Access servers text box.
For example, mail.contoso.com.
7. Click Save.
8. Click Close when the wizard completes.

4.6. Configure the certificate

Same as on-premises (the certificate is obtained from a third party)
5. Configure hybrid in the on-premises EAC
1. In the Hybrid section, click Configure to enter your Office 365 credentials.

Important:

If your on-premises organization is located in China and your Office 365 tenant is hosted by 21Vianet,
2. At the prompt to log in to Office 365, select sign in to Office 365 and enter the
account credentials. The account you log into needs to be a Global Administrator in
Office 365.
3. Click Configure again to start the Hybrid Configuration wizard.
4. On the Microsoft Office 365 Hybrid Configuration Wizard Download page,
click Click here to download wizard. When you're prompted, click Install on
the Application Install dialog.

Note:

If you're doing this on a server using Internet Explorer, you might need to enable cookies (Internet Op
5. Click Next, and then, in the On-premises Exchange Server Organization section,
select Detect a server running Exchange 2013 CAS or Exchange 2016. The
wizard will attempt to detect an on-premises Exchange 2016 server. If the wizard
doesn't detect an Exchange 2016 server, or if you want to use a different server,
select Specify a server running Exchange 2013 CAS or Exchange 2016 and
then specify the internal FQDN of an Exchange 2016 Mailbox server.
6. In the Office 365 Exchange Online section, select Microsoft Office 365 and then
click Next.
7. On the Credentials page, in the Enter your on-premises account
credentials section, select Use current Windows credentials to have the wizard
use the account you're logged into to access your on-premises Active Directory and
Exchange 2016 servers. If you want to specify a different set of credentials,
unselect Use current Windows credentials and specify the username and
password of an Active Directory account you want to use. Whichever selection you
choose, the account used needs to be a member of the Organization Management
role group.
8. In the Enter your Office 365 credentials section, specify the username and
password of an Office 365 account that has Global Administrator permissions.
Click Next.
9. On the Validating Connections and Credentials page, the wizard will connect to
both your on-premises organization and your Office 365 organization to validate
credentials and examine the current configuration of both organizations.
Click Next when it's done.
10. On the Hybrid Features page, select Full Hybrid Configuration and then
click Next.
11. On the Hybrid Domains page, select the domains you want to include in your hybrid
deployment. In most deployments you can leave the Auto Discover column set
to False for each domain. Only select True next to a domain if you need to force the
wizard to use the Autodiscover information from a specific domain. Click Next.

Important:

The Hybrid Domains page only appears if you have more than one on-premises accepted domain add
12. On the Federation Trust page, click Enable and then click Next.

13. On the Domain Ownership page, click Click copy to clipboard to copy the
domain proof token information for the domains you’ve selected to include in the
hybrid deployment. Open a text editor such as Notepad and paste the token
information for these domains. Before continuing in the Hybrid Configuration wizard,
you must use this info to create a TXT record for each domain in your public DNS.
Refer to your DNS host's Help for information about how to add a TXT record to your
DNS zone. Click Next after the TXT records have been created and the DNS records
have replicated.

Important:

The TXT proof of ownership wizard page only displays if there is a non-federated domain selected in t
14. On the Hybrid Configuration page, select the Configure my Client Access and
Mailbox servers for secure mail transport (typical) option to configure your
on-premises Client Access and Mailbox servers for secure mail transport with
Office 365. Click Next.

Important:


If you want Office 365 to send all outbound messages to external recipients to your on-premises transp
15. On the Receive Connector Configuration page, select the Receive connector that
will be used to accept secure mail from Exchange Online, and then click Next.

16. On the Send Connector Configuration page, select the Send connector that will
be used to send secure mail to Exchange Online, and then click Next.

17. On the Transport Certificate page, select the certificate to use for secure mail
transport. This list displays the digital certificates issued by a third-party certificate
authority (CA) installed on the Exchange server selected in the previous step.
Click Next.
18. On the Organization FQDN page, enter the externally accessible FQDN for your
Internet-facing Exchange 2016 Mailbox server. Office 365 uses this FQDN to configure
the service connectors for secure mail transport between your Exchange
organizations. For example, enter “mail.contoso.com”. Click Next.
19. The hybrid deployment configuration selections have been updated, and you’re ready
to start the Exchange services changes and the hybrid deployment configuration.
Click Update to start the configuration process. While the hybrid configuration
process is running, the wizard displays the feature and service areas that are being
configured for the hybrid deployment as they are updated.
20. When the wizard has completed all of the tasks it can perform automatically, it'll list
any tasks that you need to address manually before your hybrid deployment
configuration is complete.
21. The wizard displays a completion message and the Close button is displayed.
Click Close to complete the hybrid deployment configuration process and to close
the wizard.

6. Test
6.1. Move a mailbox to Office 365
1. Open the EAC and navigate to Office 365 > Recipients > migration.
2. Click Add and select Migrate to Exchange Online.
3. On the Select a migration type page, select Remote move migration and then
click Next.
4. On the Select the users page, click Add, select the on-premises users to move
to Office 365 and click Add, and then click OK. Click Next.
5. On the Enter the Windows user account credential page, enter the on-premises
administrator account name in the On-premises administrator name text field
and enter the associated password for this account in the On-premises
administrator password text field. For example, “corp\administrator” and a
password. Click Next.
6. On the Confirm the migration endpoint page, verify that the FQDN of your
on-premises Mailbox server is listed when the wizard confirms the migration endpoint.
For example, “mail.contoso.com”. Click Next.
7. On the Move configuration page, enter a name for the migration batch in the New
migration batch name text field. Use the down arrow to select the target delivery
domain for the mailboxes that are migrating to Office 365. In most hybrid
deployments, this will be the primary SMTP domain used for both on-premises and
Office 365 mailboxes. For example, Verify that the Move
primary mailbox along with archive mailbox option is selected, and then
click Next.
8. On the Start the batch page, select at least one recipient to receive the batch
complete report. Verify that the Automatically start the batch and Automatically
complete the migration batch options are selected. Click New.
After the mailboxes have been moved, the migration status changes from Synching
to Completed


6.2. Create a mailbox in Office 365
1. Log into the EAC on an on-premises Exchange 2016 server.
2. In the EAC, navigate to Enterprise > Recipients > Mailboxes.
3. Click Add and select Office 365 mailbox.
On the new Office 365 mailbox page, specify the following settings:
o First Name Type the first name of the new user.
o Initials Type the initials of the new user.
o Last Name Type the last name of the new user.
o Name Type the full name of the user if the automatically generated name is
not correct.
o User logon name Type the user logon name of the new user and select the
primary SMTP domain used for your other on-premises users. For example,
@contoso.com.
o Mailbox type Use to select the mailbox type for the new mailbox. For
example, select User mailbox for a new user.
o New Password Type the password.
o Confirm password Retype the password.
5. Verify that the Create an archive mailbox check box is not selected. Click Save to
create the new mailbox.
6. By default, synchronization takes one to three hours. To synchronize immediately, run the
following command at a command prompt on the Azure AD Connect server:
"%ProgramFiles%\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe"

7. Log on to the Office 365 admin account
8. Assign a license to the new user

6.3. Configure the MX record to redirect mail to Office 365
To find the FQDN that you should use for your MX record, do the following:

1. Log on to: Office 365 admin portal
2. Select Domains.
3. Select the primary SMTP namespace for your Office 365 organization (for example,
contoso.com) and then click Domain settings.


4. On the DNS management page, verify that Exchange Online is listed under Domain
purpose. If it's not, do the following:

a. Under Domain purpose, click Change domain purpose.
b. Select Outlook on the web for email, calendar, and contacts, and then
click Next.

Important:

On the next couple pages, you'll see instructions on how to configure MX, Autodiscover, MSOID, and SP

c. On the Add the following DNS records... page, click Okay, I've added the
records.

d. On the next page, you'll see Some DNS records have to be fixed and one or
more DNS records will show an error. You can safely ignore these errors.
Click Ignore these errors at the bottom of the page, and then click Finish.


e. On the Manage domains page, select your primary SMTP namespace again
and click Domain settings.
Exchange Online should now be listed under Domain purpose.

5. In the Exchange Online DNS records table, find the row where Type equals MX. Use
the value in the Points to address field. For example, contosocom.mail.protection.outlook.com.

Important:
Don't change the Autodiscover record for your domain to the value in the Exchange Online table. Doing so will

6. After you've found the FQDN to use with your MX record, create the MX record in your
DNS zone.
For example, the MX record for contoso.com is the following:


Primary SMTP namespace

contoso.com

To troubleshoot connectivity issues: use the Microsoft Remote Connectivity Analyzer tool
(a free web-based tool)
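
The DNS state that sections 4.4, 5 (step 13) and 6.3 aim for can be checked in one pass; the following is an added example, not part of the original guide. Test-HybridDnsRecords is a hypothetical helper, the sample records are constructed, and the values spf.protection.outlook.com and autodiscover.outlook.com are Microsoft's published Exchange Online values, not taken from this guide.

```powershell
# Added example. Evaluates DNS answers for a hybrid domain after the MX change in 6.3.
# Input objects use Resolve-DnsName property names (Type, Name, NameExchange, Strings, NameHost).
function Test-HybridDnsRecords {
    param(
        [Parameter(Mandatory)] [string]   $Domain,
        [Parameter(Mandatory)] [object[]] $Records,
        [string] $ProofToken   # optional: token copied on the Domain Ownership page
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # MX: should be the "Points to address" value, a *.mail.protection.outlook.com host.
    $mx = @($Records | Where-Object { $_.Type -eq 'MX' -and $_.Name -eq $Domain })
    if ($mx.Count -eq 0) { $findings.Add("MX: no record for $Domain") }
    foreach ($r in $mx) {
        if ($r.NameExchange -notlike '*.mail.protection.outlook.com') {
            $findings.Add("MX: $($r.NameExchange) is not an Exchange Online Protection host")
        }
    }
    # SPF: exactly one v=spf1 record, and it must authorize Exchange Online.
    $txt = @($Records | Where-Object { $_.Type -eq 'TXT' -and $_.Name -eq $Domain } |
             ForEach-Object { $_.Strings -join '' })
    $spf = @($txt | Where-Object { $_ -like 'v=spf1*' })
    if ($spf.Count -ne 1) {
        $findings.Add("SPF: expected exactly one v=spf1 record, found $($spf.Count)")
    } elseif ($spf[0] -notlike '*include:spf.protection.outlook.com*') {
        $findings.Add('SPF: record does not include spf.protection.outlook.com')
    }
    # Autodiscover: the guide says not to switch it to the Exchange Online value.
    $auto = @($Records | Where-Object { $_.Type -eq 'CNAME' -and $_.Name -eq "autodiscover.$Domain" })
    foreach ($r in $auto) {
        if ($r.NameHost -eq 'autodiscover.outlook.com') {
            $findings.Add('Autodiscover: CNAME points to Exchange Online, not on-premises')
        }
    }
    # Federation proof: the TXT record created in step 13 of section 5 must be published.
    if ($ProofToken -and ($txt -notcontains $ProofToken)) {
        $findings.Add('Proof token: TXT record not found')
    }
    $findings
}

# Constructed sample answers for contoso.com (not real lookups).
$sample = @(
    [pscustomobject]@{ Type = 'MX'; Name = 'contoso.com'; NameExchange = 'contosocom.mail.protection.outlook.com' }
    [pscustomobject]@{ Type = 'TXT'; Name = 'contoso.com'; Strings = @('v=spf1 ip4:192.0.2.10 -all') }
    [pscustomobject]@{ Type = 'CNAME'; Name = 'autodiscover.contoso.com'; NameHost = 'autodiscover.outlook.com' }
)
Test-HybridDnsRecords -Domain 'contoso.com' -Records $sample
```

To run it against live DNS, pass the combined output of Resolve-DnsName for the MX, TXT and CNAME types as -Records.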


