Step-by-Step: How to upgrade a Legacy Hybrid Exchange Server to 2016
Alex Fields
One of the most common frustrations I hear from readers and clients alike is the requirement for keeping a hybrid Exchange server around, even well after all of your mailboxes have been moved to the cloud. Microsoft’s official stance regarding hybrid is this: If you remove the last legacy Exchange server from your domain in a hybrid environment, then you should also remove Azure Active Directory Connect (your ability to synchronize passwords to the cloud).
And that’s crazy, because Azure AD Connect comes with so many cool features! For example, most SMBs don’t want to lose the ability to synchronize local AD passwords and enable self-service password resets. Other organizations want to keep Azure AD Connect to enable true single sign-on (SSO), pairing it with Active Directory Federation Services (ADFS).
So what are we to do? You have two choices. If all you care about is password sync, and you have fewer than 100 users in your organization, you might consider switching to the Windows Server Essentials Experience password synchronization feature instead. If that isn’t going to work for you, I have one more solution to offer:
Upgrade your legacy Exchange server to Exchange 2016. I know, I know–that means you still need to keep an Exchange server around. But guess what? It doesn’t need to do much–it’s basically just a management UI, and it can be installed onto any member server, or it can even be added to a Domain Controller (note: technically supported, but not necessarily recommended). Several of my clients have opted to move toward this configuration, until Microsoft figures out a way to get rid of Exchange servers on-prem for good, while still keeping Directory Synchronization (or maybe we’ll just move AD/DNS to the cloud too…).
Before you begin: Prepare for the Upgrade
The main thing you should do here is identify what you have now, what you are moving to, and where everything is going to live at the end of the day.
Azure Active Directory Connect: If you still have DirSync, you’ll need to upgrade it to Azure AD Connect. This tool can be downloaded from Microsoft and upgraded in-place, in many instances. Otherwise, see this article for more information. I will oftentimes move this utility to the same server where I intend to install Exchange 2016.
Exchange Server 2016: Before you begin, it is a good practice to install the pre-requisites and run the schema extensions & Active Directory preparations. You might also want to run updates on the source and destination servers–make sure you’re current on Windows Server patches, Exchange service packs, cumulative updates, etc.
Mailboxes and Public Folders: In most of the environments I work in, all mailboxes and public folders have already been moved to the cloud–I don’t deal that much with cases where some mailbox data remains on-premises. But you will have to provision space and databases on the new server if you intend to keep an environment like that.
Step 1. Add Exchange Server 2016 to your environment
You need to install the entire Mailbox role–there isn’t a “lite” or hybrid-only option here. To obtain the installation packages, you can simply download the latest cumulative update package from Microsoft. The setup GUI should install the majority of the prerequisites for you as well. Note that you might have to download a couple of packages separately, such as a .NET Framework update and the Unified Communications runtime 4.0.
Once Exchange is installed, you can activate the server using a free hybrid license key (with qualifying Enterprise Office 365 plan). From the EAC, input the key by browsing to servers.
Update: You don’t have to get a special key now, the Hybrid Config Wizard will activate “hybrid only” mode for you.
Step 2. Update the Service Connection Point (SCP)
Next, update the SCP to match the name assigned on the old Exchange server. This is quick and painless, but if you skip this step, clients on the LAN might throw a certificate warning. You can update this property using the Exchange Management Shell.
To view the SCP on the old server, type:
Get-ClientAccessServer -Identity OldServerName | fl
Look for the “AutoDiscoverServiceInternalURI” property in the output. For example, this might look like autodiscover.company.com/Autodiscover…, or it might be mail.company.com/Autodiscover…. Whatever you see as the output here is the value you need to apply on the new server. To do this, you can type:
Set-ClientAccessServer -Identity NewServerName -AutoDiscoverServiceInternalURI https://autodiscover.company.com/Autodiscover/Autodiscover.xml
If you are executing this from the new Exchange 2016 server, you will probably get a notice that the Get-ClientAccessServer cmdlet is being deprecated, meaning it will no longer exist after this version of Exchange. That’s because the Client Access role no longer exists (Exchange 2016 is just the Mailbox role now). Instead, there is a new cmdlet, “Get-ClientAccessService.” The legacy cmdlet still works for now, though.
Step 3. Import the Exchange UCC certificate (optional)
This part is simple: just export the certificate from the source server and import it on the destination server. It is also optional, since certificates aren’t important if all of your mailboxes reside in the cloud and there is no secure cross-premises mail flow requirement.
You can find the certificate settings under servers > certificates. Remember to edit the certificate afterward (using the pencil icon) and associate services with it.
Step 4. Update Exchange Virtual Directories & Outlook Anywhere settings
Although you can manually go through and update each one of these through the GUI, this can be accomplished more quickly with PowerShell. Edit the values of the $ServerName and $FQDN variables below to match what is appropriate in your own environment.
$ServerName = "EXCH16"
$FQDN = "mail.company.com"
Get-OWAVirtualDirectory -Server $ServerName | Set-OWAVirtualDirectory -InternalURL "https://$($FQDN)/owa" -ExternalURL "https://$($FQDN)/owa"
Get-ECPVirtualDirectory -Server $ServerName | Set-ECPVirtualDirectory -InternalURL "https://$($FQDN)/ecp" -ExternalURL "https://$($FQDN)/ecp"
Get-OABVirtualDirectory -Server $ServerName | Set-OABVirtualDirectory -InternalURL "https://$($FQDN)/oab" -ExternalURL "https://$($FQDN)/oab"
Get-ActiveSyncVirtualDirectory -Server $ServerName | Set-ActiveSyncVirtualDirectory -InternalURL "https://$($FQDN)/Microsoft-Server-ActiveSync" -ExternalURL "https://$($FQDN)/Microsoft-Server-ActiveSync"
Get-WebServicesVirtualDirectory -Server $ServerName | Set-WebServicesVirtualDirectory -InternalURL "https://$($FQDN)/EWS/Exchange.asmx" -ExternalURL "https://$($FQDN)/EWS/Exchange.asmx" -BasicAuthentication $true
Get-MapiVirtualDirectory -Server $ServerName | Set-MapiVirtualDirectory -InternalURL "https://$($FQDN)/mapi" -ExternalURL "https://$($FQDN)/mapi"
Get-OutlookAnywhere -Server $ServerName | Set-OutlookAnywhere -ExternalHostname $FQDN -InternalHostname $FQDN -ExternalClientsRequireSsl $true -InternalClientsRequireSsl $true -DefaultAuthenticationMethod NTLM
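Once the Set-* commands have run, it is worth confirming that nothing was missed before you cut DNS over in Step 6. The following audit script is an added example, not part of the original post: it walks every client-facing virtual directory plus Outlook Anywhere on the new server and flags any URL or hostname that is not HTTPS on the expected FQDN. It assumes the Exchange Management Shell and reuses the same constructed $ServerName and $FQDN values as above.

```powershell
# Added example (not from the original post). Assumes the Exchange Management
# Shell; EXCH16 and mail.company.com are the constructed values used above.
$ServerName = "EXCH16"
$FQDN       = "mail.company.com"

# One entry per virtual directory type; each Get-* is a scriptblock so it runs on demand.
$checks = @(
    @{ Name = "OWA";        Get = { Get-OwaVirtualDirectory         -Server $ServerName } },
    @{ Name = "ECP";        Get = { Get-EcpVirtualDirectory         -Server $ServerName } },
    @{ Name = "OAB";        Get = { Get-OabVirtualDirectory         -Server $ServerName } },
    @{ Name = "ActiveSync"; Get = { Get-ActiveSyncVirtualDirectory  -Server $ServerName } },
    @{ Name = "EWS";        Get = { Get-WebServicesVirtualDirectory -Server $ServerName } },
    @{ Name = "MAPI";       Get = { Get-MapiVirtualDirectory        -Server $ServerName } }
)

$results = @(foreach ($check in $checks) {
    foreach ($vdir in (& $check.Get)) {
        foreach ($prop in "InternalUrl", "ExternalUrl") {
            $url = $vdir.$prop   # System.Uri, or $null when the URL was never set
            $ok  = ($null -ne $url) -and ($url.Scheme -eq "https") -and ($url.Host -eq $FQDN)
            [pscustomobject]@{
                Directory = $check.Name
                Property  = $prop
                Value     = if ($url) { $url.AbsoluteUri } else { "<not set>" }
                Status    = if ($ok) { "OK" } else { "MISMATCH" }
            }
        }
    }
})

# Outlook Anywhere exposes hostnames rather than URLs, so compare those as strings.
$oa = Get-OutlookAnywhere -Server $ServerName
foreach ($prop in "InternalHostname", "ExternalHostname") {
    $results += [pscustomobject]@{
        Directory = "OutlookAnywhere"
        Property  = $prop
        Value     = "$($oa.$prop)"
        Status    = if ("$($oa.$prop)" -eq $FQDN) { "OK" } else { "MISMATCH" }
    }
}

$results | Format-Table -AutoSize
$bad = @($results | Where-Object Status -eq "MISMATCH")
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) URL/hostname value(s) still need attention before cutting over DNS."
}
```

Any row marked MISMATCH points at a Set-* command that did not take effect (or a directory you skipped), and is exactly the kind of value that produces certificate warnings once clients follow the new DNS records.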
Step 5. Add anonymous SMTP relay connector (if applicable)
If you are using your local Exchange server as an SMTP relay for line-of-business applications or multifunction printers, then be sure to add a relay connector on the new server to take over this function. Here is an example of how to quickly create a connector in PowerShell that allows certain IPs on the local data subnet to relay anonymously.
New-ReceiveConnector -Name "Allowed Anonymous Relay" -Usage Custom -TransportRole FrontEnd -PermissionGroups AnonymousUsers,ExchangeServers -AuthMechanism Tls,ExternalAuthoritative -Bindings 10.0.0.21:25 -RemoteIPRanges 10.0.0.30-10.0.0.40,10.0.0.170,10.0.0.181
Note that the “Bindings” and “RemoteIPRanges” in the above example would need to be edited to match the values that are appropriate for your own environment. Once you have this added, you can reconfigure your devices and applications to start using the new server instead of the old one.
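The AnonymousUsers plus ExternalAuthoritative combination in that connector lets anything inside RemoteIPRanges relay to any recipient, so the scope of those ranges is the only thing standing between you and an open relay. The following audit is an added example, not part of the original post: it finds every connector on the new server configured that way and reports any range that is wider than a small allow-list or reaches outside RFC 1918 space. It assumes the Exchange Management Shell, that each RemoteIPRanges entry exposes LowerBound and UpperBound IPAddress properties, and uses a constructed server name and a constructed 256-address threshold.

```powershell
# Added example (not from the original post). Assumes the Exchange Management Shell;
# EXCH16 and the 256-address threshold are constructed values.
$ServerName   = "EXCH16"
$MaxAddresses = 256   # a relay allow-list wider than this deserves a second look

function ConvertTo-IPv4Number([ipaddress]$Address) {
    # Big-endian bytes to a 64-bit integer so address ranges compare numerically.
    $b = $Address.GetAddressBytes()
    return ([long]$b[0] -shl 24) + ([long]$b[1] -shl 16) + ([long]$b[2] -shl 8) + [long]$b[3]
}

function Test-PrivateIPv4([ipaddress]$Address) {
    # RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
    $n = ConvertTo-IPv4Number $Address
    return ($n -ge (ConvertTo-IPv4Number "10.0.0.0")    -and $n -le (ConvertTo-IPv4Number "10.255.255.255")) -or
           ($n -ge (ConvertTo-IPv4Number "172.16.0.0")  -and $n -le (ConvertTo-IPv4Number "172.31.255.255")) -or
           ($n -ge (ConvertTo-IPv4Number "192.168.0.0") -and $n -le (ConvertTo-IPv4Number "192.168.255.255"))
}

# Only connectors granting anonymous senders the relay permission set are of interest;
# the default Frontend connector allows AnonymousUsers but not ExternalAuthoritative.
$relay = Get-ReceiveConnector -Server $ServerName | Where-Object {
    "$($_.PermissionGroups)" -match "AnonymousUsers" -and "$($_.AuthMechanism)" -match "ExternalAuthoritative"
}

$report = foreach ($rc in $relay) {
    foreach ($range in $rc.RemoteIPRanges) {
        $findings = @()
        if ($range.LowerBound.AddressFamily -ne "InterNetwork") {
            $findings += "IPv6 range; review manually"
        } else {
            $count = (ConvertTo-IPv4Number $range.UpperBound) - (ConvertTo-IPv4Number $range.LowerBound) + 1
            if ($count -gt $MaxAddresses) { $findings += "covers $count addresses" }
            if (-not ((Test-PrivateIPv4 $range.LowerBound) -and (Test-PrivateIPv4 $range.UpperBound))) {
                $findings += "includes non-RFC1918 addresses"
            }
        }
        [pscustomobject]@{
            Connector = $rc.Name
            Range     = "$($range.LowerBound)-$($range.UpperBound)"
            Finding   = if ($findings) { $findings -join "; " } else { "OK" }
        }
    }
}
$report | Format-Table -AutoSize
```

Run it again after the old server is removed in Step 8: the relay connector on the new server is then the only anonymous relay path left on-premises, and its ranges should list nothing but the printers and applications you actually migrated.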
Step 6. Update DNS and firewall rules, and update send connectors
At this time, you can update any local DNS entries for stuff like “mail.” or “autodiscover.”–the traffic on the local LAN segment will start to flow through the new Exchange server. To make the same change for external users/services, you can just update your firewall NAT rules to point at the new server as well.
One last note: you will also want to update the send connectors by navigating to mail flow > send connectors. Associate the connector with the new server by clicking edit (the pencil), then scoping. Find the source server settings, remove the old source server, and add the new server.
Step 7. Migrate any remaining mailbox data (if applicable)
A quick method for finding and migrating any remaining mailbox data is to use PowerShell. Note that you should already have set up and configured your storage volumes and mailbox databases on the new server before doing this.
Get-Mailbox -Server OldServerName | New-MoveRequest
Get-Mailbox -Arbitration -Server OldServerName | New-MoveRequest
The above suggested cmdlets are probably over-simplified for larger, complex hybrid environments with a lot of on-premises mailboxes, but again in 99% of the organizations I work with, the issue is in the other direction–small to midsized businesses typically want less server footprint, period, and would be happiest if they could get rid of all their servers, so there aren’t usually any mailboxes left anyway.
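For the environments that do still have on-premises mailboxes, the two one-liners above can be made safer to re-run and easier to watch. This is an added example, not part of the original post: it queues moves for every regular and arbitration mailbox still on the old server, skips any mailbox that already has a move request, and then polls until every move has completed or failed. It assumes the Exchange Management Shell; $OldServer and $TargetDatabase are constructed names to edit for your environment.

```powershell
# Added example (not from the original post). Assumes the Exchange Management Shell;
# OldServerName and EXCH16-DB01 are constructed placeholders.
$OldServer      = "OldServerName"
$TargetDatabase = "EXCH16-DB01"

$remaining = @(Get-Mailbox -Server $OldServer -ResultSize Unlimited) +
             @(Get-Mailbox -Server $OldServer -Arbitration -ResultSize Unlimited)
if ($remaining.Count -eq 0) { Write-Host "No mailboxes left on $OldServer."; return }

$queued = foreach ($mbx in $remaining) {
    # Re-running the script must not create duplicate move requests.
    if (Get-MoveRequest -Identity $mbx.Identity -ErrorAction SilentlyContinue) {
        Write-Host "Move already requested for $($mbx.DisplayName); skipping."
    } else {
        # A small BadItemLimit lets a move finish past a few corrupt items without
        # silently discarding lots of data (larger limits require -AcceptLargeDataLoss).
        New-MoveRequest -Identity $mbx.Identity -TargetDatabase $TargetDatabase -BadItemLimit 10 | Out-Null
    }
    $mbx.Identity
}

do {
    Start-Sleep -Seconds 60
    $stats = foreach ($id in $queued) { Get-MoveRequestStatistics -Identity $id -ErrorAction SilentlyContinue }
    $stats | Select-Object DisplayName, Status, PercentComplete, TotalMailboxSize, BadItemsEncountered |
        Format-Table -AutoSize
    $active = @($stats | Where-Object { $_.Status -notin "Completed", "CompletedWithWarning", "Failed" })
} while ($active.Count -gt 0)

$failed = @($stats | Where-Object Status -eq "Failed")
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) move(s) failed; inspect with Get-MoveRequestStatistics -IncludeReport."
}
```

Completed move requests should be cleared with Remove-MoveRequest before the old server is uninstalled in Step 8, since a lingering request will block the removal of its source database.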
Step 8. Uninstall the Legacy Exchange Server
You can now remove the old 2010 server from the environment. Go here for more details. It was written for SBS server, but the instructions are also valid for other versions of Exchange 2010.
Step 9. Run the new hybrid configuration wizard
Last, you can update your hybrid configuration from 2010 to 2016 by running the Hybrid Configuration Wizard. Since you already have a hybrid connection, it should detect this and allow you to upgrade it. You can find the wizard download by navigating to hybrid on the left menu in the Exchange Admin Center. Be sure that you are accessing the EAC using the true FQDN (e.g. https://mail.company.com/ecp/?ExchClientVer=15)–just don’t use “localhost” or the internal server name–otherwise the wizard may fail.
Be prepared with your local and remote credentials to get through the wizard successfully.
This is really a straightforward process, and once it’s done, you’ll be able to get rid of that pesky old Exchange 2010 server once and for all. I have written at length about the alternatives. You could just retire DirSync/Azure AD Connect and use something simple in its place, such as the Essentials Experience with Online Services integration. But that’s not a true Directory Synchronization, and not ideal for many organizations. This is the path I typically recommend instead.