Hybrid Exchange on Exchange Server 2019

Prerequisites

High-level headaches

  • Make sure the ramifications of changing User Principal Names are understood if a non-routable domain (for example .local) is used in On-Premises User Principal Names.

    • It may be easier to configure Entra ID Connect to use the mail attribute as the Azure AD User Principal Name than to change On-Premises User Principal Names.

  • Mailbox and Public Folder Mailbox Forwarding configurations are lost during the migration.

    • Ensure you take a copy of these configurations before migration.

  • Public Folders cannot have been used in the Cloud prior to the migration.

    • Any content in them must be moved out and the Public Folders deleted before the migration.

  • You need to have signature block management sorted out before migrating.

  • Make sure that any domains that are not being moved into Azure AD/Exchange Online are removed from Accepted Domains, User mailboxes and Public Folder Mailboxes.

  • The larger the number of Public Folders, the longer it will take for the Public Folder migration scripts to run. For reference, 7000 Public Folders took anywhere from 15 minutes to 1 hour to iterate over whenever this was required.

Order of Operations

Pre-Work

This should all be completed before Exchange is installed on the new server.

  • Configure Entra ID Connect if it is not already set up.

  • Gather all information on Mailboxes and Public Folders.

  • Clean up old Accepted Domains and remove these from Mailboxes, Groups and Public Folders.

  • For any domains that will be used both On-Premises and Online, set them to be Internal Relays inside the Accepted Domain area of Exchange Online Admin Centre rather than Authoritative.

    • Exchange Online then hands mail for a recipient it cannot find in that domain to On-Prem over the hybrid outbound connector, rather than bouncing it at Online.

  • Fix attribute syncing using IDFix or manually

    • Remove non-routable TLDs

    • Domains used in User Principal Names and proxy addresses are verified in Azure AD

  • Implement NAT and firewall rules for the new server on the firewall.

    • Outbound on Port 25

    • Inbound on Port 25 (restrict the source to the Microsoft 365 IP ranges if Internet mail arrives via Exchange Online Protection or a gateway rather than directly on this server)

    • Inbound on Port 443 (used by the Hybrid Configuration Wizard, the MRS Proxy and free/busy; restrict the source to the Microsoft 365 IP ranges where the firewall supports it)

  • Add the new server into any SMTP configurations that are required (UTM and XGS devices generally require this)

  • Build the new Exchange Virtual Machine.

  • Resolve Signature Block Solution.

    • No cloud-managed signature

    • New Solution

    • Centralised Mail Transport (Cloud mail routes to On-Prem to use the existing solution)
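The accepted-domain change in the pre-work above, as an added example that is not part of the original page: it sets the domains that will carry mail on both sides during coexistence to InternalRelay in Exchange Online and shows what is still Authoritative. It requires the ExchangeOnlineManagement module; the domain names are assumptions.

```powershell
# Added example (not from the original page): mark the domains kept on both sides as
# InternalRelay in Exchange Online so unresolved recipients are relayed On-Prem rather
# than bounced. Domain names below are assumptions.
Connect-ExchangeOnline

$sharedDomains = @('contoso.com', 'contoso.co.nz')   # assumed: domains with mailboxes on both sides

foreach ($domain in $sharedDomains) {
    $accepted = Get-AcceptedDomain -Identity $domain -ErrorAction SilentlyContinue
    if (-not $accepted) {
        Write-Warning "$domain is not an accepted domain in Exchange Online; verify it in Entra ID first."
        continue
    }
    if ($accepted.DomainType -ne 'InternalRelay') {
        Set-AcceptedDomain -Identity $domain -DomainType InternalRelay
    }
}

# Verify. A shared domain left Authoritative means Exchange Online will NDR mail for any
# recipient it cannot find, even though the mailbox still exists On-Prem.
Get-AcceptedDomain |
    Where-Object { $sharedDomains -contains $_.DomainName.ToString() } |
    Format-Table DomainName, DomainType, Default -AutoSize
```

The relay only reaches On-Prem once the Hybrid Configuration Wizard has created the outbound connector to the On-Premises server; domains that exist only in Exchange Online should stay Authoritative.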

After-hours

Expect that this will take approximately 8 hours to complete. It is recommended to do this on a Saturday to ensure that you have the most time to troubleshoot any issues.

  • Install Exchange Server on new Virtual Machine.

  • Move Exchange Services to new Server (except System Mailboxes)

  • Implement new Hybrid certificate.

  • Update Send Connector to include new server.

  • Configure Centralised Mail Transport (if using the On-Premises Signature Block Solution).

  • Configure Hybrid Exchange.

Gather Information

Not all properties are preserved when a mailbox is migrated to Exchange Online. Confirm there is no mailbox forwarding anywhere before you start: when either the source or destination mailbox is migrated, the forwarding is lost.

Check Mailboxes

Check Mail-Enabled Public Folders
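The information-gathering pass for the two checks above, as an added example that is not part of the original page: it exports the mailbox and mail-enabled Public Folder forwarding, the explicit Send As grants and the archive mailboxes to CSV so they can be restored or sized later. It runs in the On-Premises Exchange Management Shell; the output folder is an assumption.

```powershell
# Added example (not from the original page): export the configuration that a hybrid move
# does not carry across. On-Premises Exchange Management Shell; output folder is assumed.
Set-AdServerSettings -ViewEntireForest $true
$outDir = 'C:\Migration'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Mailboxes with forwarding set on the mailbox object
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
    Select-Object Name, Alias, PrimarySmtpAddress, RecipientTypeDetails,
                  ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    Export-Csv "$outDir\MailboxForwarding.csv" -NoTypeInformation

# Mail-enabled Public Folders carry the same forwarding settings on their own object
Get-MailPublicFolder -ResultSize Unlimited |
    Select-Object Name, Alias, PrimarySmtpAddress, ForwardingAddress, DeliverToMailboxAndForward,
                  @{ n = 'EmailAddresses'; e = { $_.EmailAddresses -join ';' } } |
    Export-Csv "$outDir\MailPublicFolders.csv" -NoTypeInformation

# Explicit Send As grants (skip inherited entries and the built-in SELF grant)
Get-Mailbox -ResultSize Unlimited | Get-ADPermission |
    Where-Object { $_.ExtendedRights -match 'Send-As' -and -not $_.IsInherited -and $_.User -notmatch 'NT AUTHORITY\\SELF' } |
    Select-Object Identity, User, ExtendedRights |
    Export-Csv "$outDir\SendAs.csv" -NoTypeInformation

# Archive mailboxes: usually none. A remote move takes the archive along with the primary,
# but their size belongs in the batch planning.
Get-Mailbox -ResultSize Unlimited -Archive |
    Select-Object Name, PrimarySmtpAddress, ArchiveDatabase, ArchiveQuota |
    Export-Csv "$outDir\Archives.csv" -NoTypeInformation

Get-ChildItem $outDir | Format-Table Name, Length, LastWriteTime
```

Keep the CSVs off the Exchange server itself; they are the only record of these settings once the mailboxes have moved.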

Network Changes

You will need to permit access to the Exchange Server through the client's firewall. You'll also need a DNAT rule so inbound HTTPS and SMTP reach the new server, and an SNAT rule so its outbound SMTP leaves from the public IP that the domain's SPF and PTR records point to; otherwise Exchange Online Protection and other receivers will score the mail down.

Install steps

Exchange Server Installation

If the prerequisites are all installed, then you should be clear to move through to installation.

Accept the T&Cs, but don't send data to Microsoft.

Step 1 and 2 take about 10 minutes. Step 3 takes about 20 minutes.

Remaining steps should finish in about 60 minutes.

Reboot the server.

Add the product key to the new server via PowerShell. The product key should not be wrapped in quotes.

Restart the Microsoft Exchange Information Store service as soon as you can.

Import the certificate from the old server into the new one and, in IIS Manager, set the HTTPS bindings to the new certificate; otherwise users will receive security warnings in Outlook when they open their mailbox.

Moving Exchange Services to the new Server

Align the two servers' Virtual Directory configurations with PowerShell. Run Set-AdServerSettings -ViewEntireForest $true first so the whole forest is in scope.

Rename the default database (optional).

Move the database and its logs to a secondary drive.
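The post-install steps from the product key through the database move, as one added example that is not part of the original page. It runs in the Exchange Management Shell on the new server; the server names, the product key, the database name and the drive paths are placeholders, and it assumes the old server is Exchange 2016 or later (on 2013 use Get-ClientAccessServer in place of Get-ClientAccessService).

```powershell
# Added example (not from the original page): post-install alignment of the new server.
# Server names, product key, database name and paths are placeholders.
Set-AdServerSettings -ViewEntireForest $true
$oldServer = 'EX2016-OLD'
$newServer = $env:COMPUTERNAME

# 1. Licence the server (key passed unquoted, as noted above), then bounce the
#    Information Store so the edition change is picked up.
Set-ExchangeServer -Identity $newServer -ProductKey AAAAA-BBBBB-CCCCC-DDDDD-EEEEE
Restart-Service MSExchangeIS
Get-ExchangeServer -Identity $newServer | Format-List Name, Edition, IsExchangeTrialEdition

# 2. Copy the client-facing URLs from the old server so both advertise the same namespace.
foreach ($type in 'Owa', 'Ecp', 'ActiveSync', 'Oab', 'WebServices', 'Mapi') {
    $source = & "Get-${type}VirtualDirectory" -Server $oldServer | Select-Object -First 1
    & "Get-${type}VirtualDirectory" -Server $newServer |
        & "Set-${type}VirtualDirectory" -InternalUrl $source.InternalUrl -ExternalUrl $source.ExternalUrl
}
$source = Get-OutlookAnywhere -Server $oldServer | Select-Object -First 1
Get-OutlookAnywhere -Server $newServer |
    Set-OutlookAnywhere -InternalHostname $source.InternalHostname -ExternalHostname $source.ExternalHostname `
        -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true `
        -ExternalClientAuthenticationMethod $source.ExternalClientAuthenticationMethod
# Autodiscover is advertised through the SCP, not a virtual directory URL (assumes old server is 2016+)
Set-ClientAccessService -Identity $newServer `
    -AutoDiscoverServiceInternalUri (Get-ClientAccessService -Identity $oldServer).AutoDiscoverServiceInternalUri

# 3. Rename the default database and move files and logs off the system drive.
#    Move-DatabasePath dismounts the database while it copies, so do this before any mailbox lives on it.
$db = Get-MailboxDatabase -Server $newServer | Select-Object -First 1
Set-MailboxDatabase -Identity $db.Identity -Name 'DB01'
Move-DatabasePath -Identity 'DB01' `
    -EdbFilePath 'E:\ExchangeDatabases\DB01\DB01.edb' `
    -LogFolderPath 'E:\ExchangeDatabases\DB01\Logs' -Confirm:$false

# Verify
Get-MailboxDatabase -Server $newServer -Status | Format-List Name, EdbFilePath, LogFolderPath, Mounted
```

Check the Get-*VirtualDirectory output on both servers afterwards: any URL that differs between them is what Outlook will complain about once the certificate is bound.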

Check for Archive Mailboxes

In most cases, there aren't any.

Update the Send Connector

You can add the new server into the Send Connector.

However, if they use an On-Premises Signature Block tool, it's probably tied into the existing server.

If this is the case, add the server into the Send Connector after you've solved the Signature Block problem.

Configure Hybrid Exchange

Stop here before you configure Hybrid Exchange. This should be done out of hours, as there is some impact on mail flow.

You want to confirm that mail flows correctly in all directions, so do this when people aren't expecting near-instant email delivery.

If you are configuring Hybrid Exchange between 1 April 2023 and 1 October 2023 in a tenant that was created after 1 April 2023, you will need to manually re-enable Remote PowerShell (RPS) for Exchange Online, which you do at https://aka.ms/PillarEXORPS.

You may find that you need to run the diagnostics wizard on the above link a couple of times in order to enable it.

You will know if this was successful, as when the Hybrid Wizard tries to connect to both On-Premises Exchange and Exchange Online PowerShells, you won't receive an error.

You may also need to run the following PowerShell to enable the MRS Proxy:

Then run IISRESET so IIS picks up the change.
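The MRS Proxy step above, as an added example that is not part of the original page: it enables the proxy on the new server, then proves from Exchange Online that the migration endpoint works end to end. The public hostname and the credential prompt are assumptions.

```powershell
# Added example (not from the original page): enable the MRS Proxy, then test the endpoint
# from the Exchange Online side. Hostname and credential are assumptions.

# --- On-Premises Exchange Management Shell ---
Get-WebServicesVirtualDirectory -Server $env:COMPUTERNAME |
    Set-WebServicesVirtualDirectory -MRSProxyEnabled $true
iisreset /noforce
Get-WebServicesVirtualDirectory -Server $env:COMPUTERNAME |
    Format-List Identity, ExternalUrl, MRSProxyEnabled

# --- Exchange Online PowerShell (separate session) ---
# This exercises the public DNS name, the firewall NAT, the HTTPS certificate and the proxy
# itself; a failure here is what the Hybrid Wizard and the migration batches would hit later.
Connect-ExchangeOnline
$cred = Get-Credential -Message 'On-Premises account with Organization Management (or at least Recipient Management) rights'
Test-MigrationServerAvailability -ExchangeRemoteMove -RemoteServer 'mail.contoso.com' -Credentials $cred |
    Format-List Result, Message
```

Result should read Success; a certificate or 401 message at this point is far cheaper to fix than the same failure part-way through a batch.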

Mailboxes

Add Exchange Online Routing Domain

Every mailbox must carry an address in the {tenantdomain}.mail.onmicrosoft.com routing domain. Mailboxes with the Email Address Policy flag set pick this up from the policy once the Hybrid Configuration Wizard adds the template; mailboxes without the flag need the address added directly.

Remove Non-Routable Domains

All non-routable domains (.local, .lan) need to be removed from Email Address Policies.

For any mailboxes that do not receive an Email Address Policy, the addresses need to be removed directly on each mailbox.

Ideally, this is assessed and accounts are cleaned up before running any synchronisations to Azure AD.

Running IDFix will show you all of the accounts that have an issue with being synced to Azure AD. Depending on the number of accounts you need to contend with, using PowerShell to resolve may be quicker.

Remove any domains not in Azure AD

Mailbox migrations will fail if an On-Premises Mailbox contains a domain that is not verified in Azure AD.

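The per-mailbox address fix-up described in the three sections above (adding the routing domain, removing non-routable domains, removing domains not verified in Azure AD), as one added example that is not part of the original page. It runs in the On-Premises Exchange Management Shell; the tenant domain, the verified-domain list and the report path are assumptions.

```powershell
# Added example (not from the original page): for every mailbox that does not inherit an
# Email Address Policy, add the Exchange Online routing address and strip SMTP proxy
# addresses in domains that are non-routable or not verified in Azure AD.
# Tenant domain, verified domain list and report path are assumptions.
Set-AdServerSettings -ViewEntireForest $true
$routingDomain   = 'contoso.mail.onmicrosoft.com'
$verifiedDomains = @('contoso.com', 'contoso.co.nz', 'contoso.onmicrosoft.com', $routingDomain)
$report = @()

$targets = Get-Mailbox -ResultSize Unlimited | Where-Object { -not $_.EmailAddressPolicyEnabled }
foreach ($mbx in $targets) {
    $add = @(); $remove = @(); $hasRouting = $false
    foreach ($entry in $mbx.EmailAddresses) {
        $prefix, $address = $entry.ToString() -split ':', 2
        if ($prefix -ne 'smtp') { continue }                  # X500, X400, SIP entries are left alone
        $domain = ($address -split '@')[-1]
        if ($domain -eq $routingDomain) { $hasRouting = $true; continue }
        if ($verifiedDomains -notcontains $domain) {
            if ($prefix -ceq 'SMTP') {
                # The primary address is the user's identity; report it rather than change it blindly
                $report += [pscustomobject]@{ Mailbox = $mbx.Alias; Action = 'MANUAL: primary address in unverified domain'; Detail = $address }
            } else {
                $remove += $entry.ToString()
            }
        }
    }
    if (-not $hasRouting) { $add += "smtp:$($mbx.Alias)@$routingDomain" }   # assumes Alias is a valid local part

    $change = @{}
    if ($add.Count)    { $change['Add']    = $add }
    if ($remove.Count) { $change['Remove'] = $remove }
    if ($change.Count) {
        Set-Mailbox -Identity $mbx.Identity -EmailAddresses $change
        $report += [pscustomobject]@{ Mailbox = $mbx.Alias; Action = 'Updated'; Detail = "add=$($add -join ',') remove=$($remove -join ',')" }
    }
}
$report | Export-Csv 'C:\Migration\ProxyAddressChanges.csv' -NoTypeInformation
$report | Format-Table -AutoSize
```

Run the same loop over Get-Mailbox -PublicFolder and Get-DistributionGroup, since those objects sync too. For mailboxes that do inherit a policy, fix the policy templates instead and run Update-EmailAddressPolicy, otherwise the policy will reapply the old addresses.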

Set Certificate to be used for SMTP

The certificate that you set up earlier needs to be enabled for SMTP as well as IIS. Without SMTP enabled on it, the hybrid connectors cannot establish TLS and mail between Cloud and On-Prem will not be delivered.
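The certificate handling from both the installation section (import and IIS binding) and this section (SMTP), as one added example that is not part of the original page. It moves the certificate between servers without writing the PFX to disk and enables it for both services. It runs in the Exchange Management Shell; the server names and the subject-name filter are assumptions.

```powershell
# Added example (not from the original page): copy the hybrid certificate from the old
# server to the new one and enable it for IIS and SMTP. Names and filter are assumptions.
$oldServer   = 'EX2016-OLD'
$newServer   = $env:COMPUTERNAME
$pfxPassword = Read-Host -AsSecureString -Prompt 'Temporary PFX password'

# Newest unexpired certificate on the old server matching the public name
$cert = Get-ExchangeCertificate -Server $oldServer |
    Where-Object { $_.Subject -like '*mail.contoso.com*' -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

# Export with private key and import directly from the byte stream (no PFX left on a share)
$exported = Export-ExchangeCertificate -Server $oldServer -Thumbprint $cert.Thumbprint -BinaryEncoded -Password $pfxPassword
$imported = Import-ExchangeCertificate -Server $newServer -FileData $exported.FileData -Password $pfxPassword -PrivateKeyExportable $true

# IIS covers Outlook, EWS, Autodiscover and the MRS Proxy; SMTP is what the hybrid connectors
# present for TLS. -Force skips the prompt about replacing the default SMTP certificate.
Enable-ExchangeCertificate -Server $newServer -Thumbprint $imported.Thumbprint -Services IIS,SMTP -Force

# Verify: Services must list both IIS and SMTP against this thumbprint
Get-ExchangeCertificate -Server $newServer -Thumbprint $imported.Thumbprint |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter
```

After the Hybrid Configuration Wizard has run, Get-SendConnector and Get-ReceiveConnector show the same subject in TlsCertificateName; if they do not, the wizard picked a different certificate.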

Public Folders

If the environment uses Public Folders, you will need to synchronise the public folders to Exchange Online.

Where there is an Exchange 2013 or Exchange 2016 server, follow Microsoft's steps for configuring modern hybrid public folders (see References).

You should do this before any mailboxes are migrated to Microsoft 365.

The time this will take depends on the number of Public Folders that are in the environment.

Migrations

Shared Mailboxes

Gather up all mailboxes that would be considered Shared in Exchange Online and place those into a migration batch.

Depending on the number of mailboxes in the migration batch and the speed of the network, allowing for a week for content to migrate is generally safe.

Anecdotally, 1TB of mailbox content seems to take just under 5 days to migrate to the cloud.

Configure the migration to complete/finalise at a time that suits you, or set it to manually be completed/finalised.

As soon as you complete the mailboxes, they should be visible in Exchange Online. You will then need to set them all to Shared Mailboxes; otherwise they are treated as unlicensed user mailboxes, delegation will fail, and the mailboxes will be disabled once the 30-day grace period ends.

Once the mailboxes have been migrated and finalised, restore any mail forwards and Send As permissions that were previously setup. These are often lost in a Hybrid Migration.

User Mailboxes

Create migration batches for user mailboxes so they can be migrated in the most appropriate batch sizes and cadence.

Configure the migration to complete/finalise at a time that suits you, or set it to manually be completed/finalised.
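The batch workflow for both the shared and the user mailbox sections above, as one added example that is not part of the original page: it creates a batch from CSV data, lets it complete on a schedule, then converts the shared mailboxes and restores the forwarding and Send As grants the move dropped. It runs in Exchange Online PowerShell; the endpoint, domains, dates and the sample rows are assumptions, and the real rows come from the pre-migration export.

```powershell
# Added example (not from the original page): migration batch plus post-completion fix-ups.
# Endpoint, domains, dates and sample rows are assumptions.
Connect-ExchangeOnline
$endpoint = Get-MigrationEndpoint | Where-Object { $_.EndpointType -eq 'ExchangeRemoteMove' } | Select-Object -First 1

# Constructed sample batch CSV; one EmailAddress column is all New-MigrationBatch needs
$csv = @"
EmailAddress
accounts@contoso.com
reception@contoso.com
"@
$batch = New-MigrationBatch -Name 'Shared-01' `
    -SourceEndpoint $endpoint.Identity `
    -TargetDeliveryDomain 'contoso.mail.onmicrosoft.com' `
    -CSVData ([System.Text.Encoding]::UTF8.GetBytes($csv)) `
    -AutoStart -CompleteAfter (Get-Date '2024-06-15 22:00')
# Leave out -CompleteAfter to finalise by hand later with: Complete-MigrationBatch -Identity 'Shared-01'

# Progress: Synced means the initial copy is done, Completed means the cut-over has happened
Get-MigrationUser -BatchId $batch.Identity | Format-Table Identity, Status, ErrorSummary -AutoSize

# After completion. Constructed sample of the pre-migration export (Import-Csv the real file).
$restore = @(
    [pscustomobject]@{ Mailbox = 'accounts@contoso.com';  ForwardingSmtpAddress = 'finance@contoso.com'; DeliverToMailboxAndForward = $true;  SendAs = 'jane.doe@contoso.com' }
    [pscustomobject]@{ Mailbox = 'reception@contoso.com'; ForwardingSmtpAddress = $null;                 DeliverToMailboxAndForward = $false; SendAs = $null }
)
foreach ($row in $restore) {
    $mbx = Get-Mailbox -Identity $row.Mailbox
    if ($mbx.RecipientTypeDetails -ne 'SharedMailbox') {
        Set-Mailbox -Identity $row.Mailbox -Type Shared        # stops the 30-day unlicensed clock
    }
    if ($row.ForwardingSmtpAddress) {
        # Convert.ToBoolean handles both real booleans and the "True"/"False" strings Import-Csv produces
        Set-Mailbox -Identity $row.Mailbox -ForwardingSmtpAddress $row.ForwardingSmtpAddress `
            -DeliverToMailboxAndForward ([System.Convert]::ToBoolean($row.DeliverToMailboxAndForward))
    }
    if ($row.SendAs) {
        Add-RecipientPermission -Identity $row.Mailbox -Trustee $row.SendAs -AccessRights SendAs -Confirm:$false
    }
}
$restore.Mailbox | ForEach-Object { Get-Mailbox -Identity $_ } |
    Format-Table PrimarySmtpAddress, RecipientTypeDetails, ForwardingSmtpAddress, DeliverToMailboxAndForward -AutoSize
```

User mailbox batches use the same New-MigrationBatch call with a different CSV and without the Set-Mailbox -Type Shared step; keep batches small enough that a failed item can be retried before the scheduled completion time.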

Public Folders to Exchange Online

Word of advice: don't do it. Just don't.

If you absolutely need to, look to move them to Microsoft 365 groups; however, how useful this will be will depend on how the client uses Public Folders currently. There are some limitations to how Microsoft 365 groups work, so these need to be understood by the client.

If the Client is adamant they need Public Folders, review Microsoft's guidance.

There is a script pack that you download and the first script to run is SourceSideValidations.ps1. This will tell you where there are issues with the various Public Folders. The majority of errors will likely be Bad Permissions or Item Size. The script will handle removing invalid permissions when re-run with the -RemoveInvalidPermissions switch, which will significantly reduce the number of issues reported by Exchange Online.

Run these before creating any migration jobs. If you run into issues with the migration manager reporting errors on items, you need to be able to show a "clean bill of health" to Microsoft Support, otherwise they'll blame the On-Prem Exchange.

Public Folders cannot have been used in Online prior to the migration. If they have, content must be moved and the hierarchy deleted. You effectively need a clean slate for the migrations to work.

You also need to have removed any domains that are not going to be used in Entra ID/Exchange Online from all Public Folders prior to running the first sync. This will need to be done manually.

Decommission old Exchange Server

All Mailboxes and Public Folders must be removed prior to decommissioning the Exchange Server. If there are any items left behind, the uninstall process will fail and should tell you what is still sitting on the server.

Move System Mailboxes
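The system mailbox move and the pre-uninstall check, as an added example that is not part of the original page: it moves the arbitration, audit log and monitoring mailboxes to the new server's database, then lists anything still homed on the old server, which is exactly what makes the uninstall fail. It runs in the On-Premises Exchange Management Shell; the server and database names are placeholders, and -AuditLog assumes the old server is Exchange 2016 or later.

```powershell
# Added example (not from the original page): move system mailboxes, then list leftovers.
# Server and database names are placeholders; -AuditLog needs Exchange 2016 or later.
Set-AdServerSettings -ViewEntireForest $true
$oldServer = 'EX2016-OLD'
$targetDb  = 'DB01'

$system = @(Get-Mailbox -Server $oldServer -Arbitration) +
          @(Get-Mailbox -Server $oldServer -AuditLog) +
          @(Get-Mailbox -Server $oldServer -Monitoring)
$system | New-MoveRequest -TargetDatabase $targetDb | Out-Null

# Wait for the moves to finish, then show the outcome
do {
    Start-Sleep -Seconds 60
    $pending = Get-MoveRequest | Where-Object { $_.Status -notin 'Completed', 'CompletedWithWarning', 'Failed' }
} while ($pending)
Get-MoveRequest | Get-MoveRequestStatistics | Format-Table DisplayName, Status, TargetDatabase -AutoSize

# Anything this prints must be moved or removed before Setup will let the server go
$kinds = @(@{}, @{ Arbitration = $true }, @{ AuditLog = $true }, @{ Monitoring = $true }, @{ PublicFolder = $true })
foreach ($db in Get-MailboxDatabase -Server $oldServer) {
    foreach ($kind in $kinds) {
        Get-Mailbox -Database $db.Identity @kind -ResultSize Unlimited |
            Select-Object DisplayName, RecipientTypeDetails, @{ n = 'Database'; e = { $db.Name } }
    }
}
```

Clear the completed move requests (Get-MoveRequest | Remove-MoveRequest) once you are happy with them; Setup also refuses to proceed while move requests still reference the server.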

Decommission Exchange Server

If you uninstall Exchange Server, it removes the Exchange attributes from the Active Directory accounts, which then removes the recipients from Exchange Online via directory sync.

Microsoft's recommendation is that you just turn off the Exchange Server and then remove the server from Active Directory manually, but leave the attributes alone.

This does leave the unenviable position of users created pre-migration needing to be managed via Active Directory attributes, while any new users are managed in Entra ID and Exchange Online.

References

  • https://www.petenetlive.com/kb/article/0001472

  • https://learn.microsoft.com/en-us/exchange/collaboration/public-folders/migrate-to-exchange-online?view=exchserver-2019

  • https://learn.microsoft.com/en-us/exchange/hybrid-deployment/set-up-modern-hybrid-public-folders
