Step-by-Step: How to upgrade a Legacy Hybrid Exchange Server to 2016


One of the most common frustrations I hear from readers and clients alike is the requirement for keeping a hybrid Exchange server around, even well after all of your mailboxes have been moved to the cloud. Microsoft’s official stance regarding hybrid is this: If you remove the last legacy Exchange server from your domain in a hybrid environment, then you should also remove Azure Active Directory Connect (your ability to synchronize passwords to the cloud).

Image credit: Microsoft

And that’s crazy. Because Azure AD Connect comes with so many cool features! For example, most SMB’s don’t want to lose the ability to synchronize local AD passwords and enable self-service password resets. Other organizations want to keep Azure AD Connect for enabling true Single sign-on (SSO), pairing it with Active Directory Federated Services (ADFS).

So what are we to do? You have two choices. If all you care about is password sync, and you have fewer than 100 users in your organization, you might consider switching to the Windows Server Essentials Experience password synchronization feature instead. If that isn’t going to work for you, I have one more solution to offer:

Upgrade your legacy Exchange server to Exchange 2016.  I know, I know–that means you still need to keep an Exchange server around. But guess what? It doesn’t need to do much–it’s basically just a management UI, and it can be installed onto any member server, or it can even be added to a Domain Controller (note: technically supported, but not necessarily recommended).  Several of my clients have opted to move toward this configuration, until Microsoft figures out a way to get rid of Exchange servers on-prem for good, while still keeping Directory Synchronization (or maybe we’ll just move AD/DNS to the cloud too…).

Before you begin: Prepare for the Upgrade

The main thing you should do here is identify what you have now, what you are moving to, and where everything is going to live at the end of the day.

Azure Active Directory Connect: If you still have DirSync, you’ll need to upgrade it to Azure AD Connect. This tool can be downloaded from Microsoft and upgraded in-place, in many instances. Otherwise, see this article for more information. I will oftentimes move this utility to the same server where I intend to install Exchange 2016.

Exchange Server 2016: Before you begin, it is a good practice to install the pre-requisites and run the schema extensions & Active Directory preparations. You might also want to run updates on the source and destination servers–make sure you’re current on Windows Server patches, Exchange service packs, cumulative updates, etc.

Mailboxes and Public Folders: In most of the environments I work in, all mailboxes and public folders have already been moved to the cloud–I don’t deal that much with cases where some mailbox data remains on-premises. But you will have to provision space and databases on the new server if you intend to keep an environment like that.

Step 1. Add Exchange Server 2016 to your environment

You need to install the entire mailbox role–there is no “lite” or hybrid-only install option. To obtain the installation packages, simply download the latest cumulative update package from Microsoft. The setup GUI should install the majority of the pre-requisites for you as well. Note that you might have to download a couple of packages separately, such as a .NET Framework update and the Unified Communications runtime 4.0.

Once Exchange is installed, you can activate the server using a free hybrid license key (with qualifying Enterprise Office 365 plan). From the EAC, input the key by browsing to servers. 

Update: You don’t have to get a special key now, the Hybrid Config Wizard will activate “hybrid only” mode for you.


Step 2. Update the Service Connection Point (SCP)

Next step is, you will want to update the SCP to refer to whatever name is assigned on the old Exchange server. This is pretty quick and painless, but if you skip this step, clients on the LAN might throw a certificate warning. You can update this property using the Exchange Management Shell.

To view the SCP on the old server, type:

Get-ClientAccessServer -Identity OldServerName | fl

Look for the “AutoDiscoverServiceInternalURI” property here. For example, this might look like:

Or it might be…. Whatever you see as the output here, this is the value you need to apply on the new server. To do this, you can type:

Set-ClientAccessServer -Identity NewServerName -AutoDiscoverServiceInternalURI "<value shown in the output on the old server>"

If you are executing this from the new Exchange 2016 server, you will probably get a notice that the cmdlet for Get-ClientAccessServer is being deprecated, which means after this version of Exchange, it will no longer exist. That’s because the Client Access Role no longer exists (Exchange 2016 is just the mailbox role now). Instead, you have a new cmdlet for “Get-ClientAccessService.”  The legacy cmdlet still works for now, though.
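The copy-and-verify version of this step, written as an added example rather than code from the original post: it reads the SCP value from the legacy server, applies it to the 2016 server, and reads it back so a typo in the URI is caught before LAN clients notice. The server names are placeholders, and the cmdlet-name switch is only there because the newer Get-/Set-ClientAccessService pair mentioned above may not exist in an older shell.

```powershell
# Added example (not from the original post): copy the Autodiscover SCP from the
# legacy server to the new Exchange 2016 server and confirm it took effect.
# Server names are placeholders; replace them with your own.
$OldServer = "OLDSERVER"
$NewServer = "EXCH16"

# Prefer the Exchange 2016 cmdlet; fall back to the legacy one if the shell
# does not have it (it still works for now, as noted above).
$getCas = if (Get-Command Get-ClientAccessService -ErrorAction SilentlyContinue) {
    "Get-ClientAccessService"
} else {
    "Get-ClientAccessServer"
}
$setCas = $getCas -replace '^Get-', 'Set-'

# Read the current SCP value from the old server.
$scp = (& $getCas -Identity $OldServer).AutoDiscoverServiceInternalUri
if (-not $scp) { throw "No AutoDiscoverServiceInternalUri is set on $OldServer" }
Write-Host "SCP on ${OldServer}: $scp"

# Apply the same value on the new server. For a management-only server that
# domain-joined Outlook clients should never discover, pass $null here instead
# of $scp (the "SCP = null" case raised in the comments).
& $setCas -Identity $NewServer -AutoDiscoverServiceInternalUri $scp

# Verify: both values must match exactly, including scheme and path, or
# clients on the LAN may be sent to a name that is not on the certificate.
$check = (& $getCas -Identity $NewServer).AutoDiscoverServiceInternalUri
if ("$check" -ne "$scp") {
    throw "SCP on $NewServer is '$check' but expected '$scp'"
}
Write-Host "SCP on $NewServer now matches ${OldServer}: $check"
```

Run it from the Exchange Management Shell on either server; the `&` call operator lets the script pick whichever Get-/Set- cmdlet pair the shell actually has.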

Step 3. Import the Exchange UCC certificate (optional)

This part is simple, just export the certificate from the source server, and import it on the destination server. It is also optional, since certificates aren’t important if all of your mailboxes reside in the cloud, and there is no secure cross-premises mail flow requirement.

You can find the certificate settings under servers > certificates. Remember to edit the certificate afterward (using the pencil icon) and associate services with it.


Step 4. Update Exchange Virtual Directories & Outlook Anywhere settings

Although you can manually go through and update each one of these through the GUI, this can be accomplished more quickly with PowerShell. Edit the values of the $ServerName and $FQDN variables below to match what is appropriate in your own environment.

$ServerName = "EXCH16"
$FQDN = "<mail.yourdomain.com>"   # replace with the FQDN clients use to reach this server

Get-OWAVirtualDirectory -Server $ServerName | Set-OWAVirtualDirectory -InternalURL "https://$($FQDN)/owa" -ExternalURL "https://$($FQDN)/owa"

Get-ECPVirtualDirectory -Server $ServerName | Set-ECPVirtualDirectory -InternalURL "https://$($FQDN)/ecp" -ExternalURL "https://$($FQDN)/ecp"

Get-OABVirtualDirectory -Server $ServerName | Set-OABVirtualDirectory -InternalURL "https://$($FQDN)/oab" -ExternalURL "https://$($FQDN)/oab"

Get-ActiveSyncVirtualDirectory -Server $ServerName | Set-ActiveSyncVirtualDirectory -InternalURL "https://$($FQDN)/Microsoft-Server-ActiveSync" -ExternalURL "https://$($FQDN)/Microsoft-Server-ActiveSync"

Get-WebServicesVirtualDirectory -Server $ServerName | Set-WebServicesVirtualDirectory -InternalURL "https://$($FQDN)/EWS/Exchange.asmx" -ExternalURL "https://$($FQDN)/EWS/Exchange.asmx" -BasicAuthentication $true

Get-MapiVirtualDirectory -Server $ServerName | Set-MapiVirtualDirectory -InternalURL "https://$($FQDN)/mapi" -ExternalURL "https://$($FQDN)/mapi"

Get-OutlookAnywhere -Server $ServerName | Set-OutlookAnywhere -ExternalHostname $FQDN -InternalHostname $FQDN -ExternalClientsRequireSsl $true -InternalClientsRequireSsl $true -DefaultAuthenticationMethod NTLM
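After running the block above it is worth reading everything back rather than trusting that each Set- cmdlet succeeded. The following audit script is an added example, not part of the original post: it walks the same virtual directories and Outlook Anywhere settings, flags any URL or host name that is not https on the expected FQDN, and checks that the certificate bound to IIS actually contains that name. $ServerName and $FQDN are placeholders to edit, as in the block above.

```powershell
# Added example (not from the original post): audit client-facing URLs on the
# new server against the FQDN you intend clients to use. Placeholders below.
$ServerName = "EXCH16"
$FQDN = "mail.example.com"   # constructed placeholder; use the name on your certificate

$findings = @()

# Every Get-*VirtualDirectory cmdlet used in this step exposes InternalUrl/ExternalUrl.
$vdirCmdlets = "Get-OwaVirtualDirectory", "Get-EcpVirtualDirectory", "Get-OabVirtualDirectory",
               "Get-ActiveSyncVirtualDirectory", "Get-WebServicesVirtualDirectory", "Get-MapiVirtualDirectory"

foreach ($cmd in $vdirCmdlets) {
    foreach ($vdir in (& $cmd -Server $ServerName)) {
        foreach ($prop in "InternalUrl", "ExternalUrl") {
            $url = $vdir.$prop            # System.Uri or $null
            if (-not $url) {
                $findings += "$($vdir.Identity): $prop is empty"
            } elseif ($url.Scheme -ne "https" -or $url.Host -ne $FQDN) {
                $findings += "$($vdir.Identity): $prop is $url (expected https://$FQDN/...)"
            }
        }
    }
}

# Outlook Anywhere uses host names rather than URLs, plus the RequireSsl flags.
$oa = Get-OutlookAnywhere -Server $ServerName
foreach ($prop in "InternalHostname", "ExternalHostname") {
    if ("$($oa.$prop)" -ne $FQDN) {
        $findings += "OutlookAnywhere: $prop is '$($oa.$prop)' (expected $FQDN)"
    }
}
if (-not $oa.InternalClientsRequireSsl -or -not $oa.ExternalClientsRequireSsl) {
    $findings += "OutlookAnywhere: SSL is not required for all clients"
}

# The FQDN must be on the certificate assigned to IIS, or clients get warnings.
# A wildcard certificate (*.example.com) will not match this exact-name check.
$iisCerts = Get-ExchangeCertificate -Server $ServerName | Where-Object { "$($_.Services)" -match "IIS" }
$certNames = @($iisCerts | ForEach-Object { $_.CertificateDomains } | ForEach-Object { "$_" })
if (-not $iisCerts) {
    $findings += "No certificate on $ServerName is assigned to the IIS service"
} elseif ($certNames -notcontains $FQDN) {
    $findings += "Certificate assigned to IIS does not contain $FQDN (has: $($certNames -join ', '))"
}

if ($findings) {
    $findings | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host "All URLs use https://$FQDN and the IIS certificate covers that name."
}
```

Anything reported as a warning is a name mismatch that will surface to users as a certificate prompt or a failed Autodiscover lookup, so fix it before DNS or firewall rules are repointed in step 6.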

Step 5. Add anonymous SMTP relay connector (if applicable)

If you are using your local Exchange server as an SMTP relay for line of business applications or multifunction printers, then be sure to add a relay connector on the new server to take over this function. Here is an example of how to create a connector quickly in PowerShell that allows certain IP’s to anonymously relay from the local data subnet.

New-ReceiveConnector -Name "Allowed Anonymous Relay" -Usage Custom -TransportRole FrontEnd -PermissionGroups AnonymousUsers,ExchangeServers -AuthMechanism Tls,ExternalAuthoritative -Bindings "<ServerIP>:25" -RemoteIPRanges "<AppServerIP>","<PrinterIP>"

Note that the “Bindings” and “RemoteIPRanges” in the above example would need to be edited to match the values that are appropriate from your own environment. Once you have this added, you can reconfigure your devices and applications to start using the new server, instead of the old one.
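Because the connector above is externally secured, the RemoteIPRanges list is the only thing standing between a scoped relay and an open one. The following script is an added example, not from the original post: it lists every receive connector on the server that has been granted the right to accept mail for any recipient (the relay right), who holds that right, and which remote addresses may use the connector, and warns if a relay connector is open to the entire address space. $ServerName is a placeholder.

```powershell
# Added example (not from the original post): find receive connectors that
# permit relay and show the remote IP ranges that may use them.
$ServerName = "EXCH16"   # placeholder

$report = foreach ($rc in Get-ReceiveConnector -Server $ServerName) {
    # ms-Exch-SMTP-Accept-Any-Recipient is the extended right that allows relay
    # to external recipients. ExternalAuthoritative grants it to
    # "MS Exchange\Externally Secured Servers"; a manual Add-ADPermission may
    # have granted it to NT AUTHORITY\ANONYMOUS LOGON instead.
    $relayGrants = Get-ADPermission -Identity $rc.Identity |
        Where-Object { "$($_.ExtendedRights)" -match "ms-Exch-SMTP-Accept-Any-Recipient" -and -not $_.Deny }

    if ($relayGrants) {
        [pscustomobject]@{
            Connector      = $rc.Name
            GrantedTo      = ($relayGrants | ForEach-Object { "$($_.User)" } | Sort-Object -Unique) -join ", "
            AnonymousUsers = [bool]("$($rc.PermissionGroups)" -match "AnonymousUsers")
            RemoteIPRanges = ($rc.RemoteIPRanges | ForEach-Object { "$_" }) -join ", "
            Bindings       = ($rc.Bindings | ForEach-Object { "$_" }) -join ", "
        }
    }
}

$report | Format-Table -AutoSize

# A relay connector whose remote range is the whole IPv4 or IPv6 space is an
# open relay for anyone who can reach the binding.
foreach ($r in $report) {
    if ($r.RemoteIPRanges -match '0\.0\.0\.0-255\.255\.255\.255' -or $r.RemoteIPRanges -match '::-ffff:') {
        Write-Warning "$($r.Connector) permits relay from any address; restrict -RemoteIPRanges to your application hosts."
    }
}
```

Run it once after creating the connector on the new server and again after the old server is gone; the expected result is exactly one relay-capable connector, listing only the printer and application addresses you moved over.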

Step 6. Update DNS and firewall rules, and update send connectors

At this time, you can update any local DNS entries for stuff like “mail.” or “autodiscover.”–the traffic on the local LAN segment will start to flow through the new Exchange server.  To make the same change for external users/services, you can just update your firewall NAT rules to point at the new server as well.

One last note, you will also want to update the send connectors by navigating to mail flow > send connectors. Associate the connector to the new server by clicking edit (the pencil), then scoping. Find the source server settings, remove the source server and add the new server.


Step 7. Migrate any remaining mailbox data (if applicable)

A quick method for finding and migrating any remaining mailbox data is to use PowerShell. Note that you should already have setup and configured your storage volumes and mailbox databases on the new server before doing this.

Get-Mailbox -Server OldServerName | New-MoveRequest
Get-Mailbox -Arbitration -Server OldServerName | New-MoveRequest

The above suggested cmdlets are probably over-simplified for larger, complex hybrid environments with a lot of on-premises mailboxes, but again in 99% of the organizations I work with, the issue is in the other direction–small to midsized businesses typically want less server footprint, period, and would be happiest if they could get rid of all their servers, so there aren’t usually any mailboxes left anyway.
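For the case where some mailboxes do remain, the two one-liners above leave the choice of target database to Exchange and give no feedback on progress. The following script is an added example, not from the original post: it gathers the regular and arbitration mailboxes still on the legacy server, moves them to a named database on the new server in one batch, skips anything that already has a move request, and polls until every move has finished or failed. Server, database and batch names are placeholders.

```powershell
# Added example (not from the original post): move the remaining mailboxes from
# the legacy server to a specific database on the 2016 server and follow the
# batch to completion. Names below are placeholders.
$OldServer = "OLDSERVER"
$TargetDb  = "DB01-EXCH16"
$Batch     = "Legacy-to-2016"

# Both regular and arbitration (system) mailboxes must leave the old databases
# before those databases can be removed in the uninstall step.
$remaining = @(Get-Mailbox -Server $OldServer -ResultSize Unlimited) +
             @(Get-Mailbox -Server $OldServer -Arbitration -ResultSize Unlimited)

if (-not $remaining) {
    Write-Host "No mailboxes remain on $OldServer"
    return
}

foreach ($mbx in $remaining) {
    # Do not queue a second request for a mailbox that is already moving.
    if (Get-MoveRequest -Identity $mbx.Identity -ErrorAction SilentlyContinue) { continue }
    New-MoveRequest -Identity $mbx.Identity -TargetDatabase $TargetDb -BatchName $Batch -BadItemLimit 10 | Out-Null
    Write-Host "Queued move for $($mbx.DisplayName)"
}

# Poll the batch until nothing is still queued or in progress.
do {
    Start-Sleep -Seconds 60
    $stats = Get-MoveRequest -BatchName $Batch | Get-MoveRequestStatistics
    $stats | Select-Object DisplayName, Status, PercentComplete | Format-Table -AutoSize
} while ($stats | Where-Object { "$($_.Status)" -notin "Completed", "CompletedWithWarning", "Failed" })

# Failed moves need manual follow-up before the old server is uninstalled.
$stats | Where-Object { "$($_.Status)" -eq "Failed" } |
    ForEach-Object { Write-Warning "$($_.DisplayName): $($_.Message)" }
```

Leave the completed move requests in place until you have confirmed the old databases are empty; they can be cleared with Remove-MoveRequest afterward.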

Step 8. Uninstall the Legacy Exchange Server

You can now remove the old 2010 server from the environment. Go here for more details. It was written for SBS server, but the instructions are also valid for other versions of Exchange 2010.

Step 9. Run the new hybrid configuration wizard

Last, you can update your hybrid configuration from 2010 to 2016 by running the Hybrid Configuration Wizard. Since you already have a hybrid connection, it should detect this and allow you to upgrade it. You can find the wizard download by navigating to hybrid on the left menu in the Exchange Admin Center. Be sure that you are accessing the EAC using the true FQDN (e.g.–just don’t use “localhost” or the internal server name–otherwise the wizard may fail.

Be prepared with your local and remote credentials to get through the wizard successfully.



This is really a straightforward process, and once it’s done, you’ll be able to get rid of that pesky old Exchange 2010 server once and for all. I have written at length about the alternatives. You could just retire DirSync/Azure AD Connect and use something simple in its place, such as the Essentials Experience with Online Services integration. But that’s not a true Directory Synchronization, and not ideal for many organizations.  This is the path I typically recommend instead.

Comments (171)

  • Simon Reply

    Great article! I’ve found it very useful in setting up my own Exchange management server.
    A couple of questions though if you mind.
    Once all mailboxes have been migrated from on premise to EOP and all the DNS records have been updated to O365 is there any further need for an SSL certificate?
    Shouldn’t the SCP record be removed as shown in the MS article

    September 4, 2017 at 8:56 pm
    • Alex Reply

      So this depends on your needs/circumstances. If you still intend to have the server act as a local relay and you want the hybrid functionality of secure mailflow from the on-premises server to 365, then you would keep the certificate in place. However, if you really don’t need that functionality, or have any need of mailboxes on-premises at all, then the cert is optional, and the front-end is really just a management interface at that point. All synchronization of that data takes place via AAD Connect, and does not depend on Exchange (but Exchange is needed to edit certain attributes related to mail). The SCP can be removed, that is okay, during a cutover, I usually leave the SCP live, because this will quickly redirect Outlook clients to 365 automatically. However, it is not needed after cutover is completed, and there are zero mailboxes on-premises.

      September 7, 2017 at 4:09 pm
  • David Magrath-Smith Reply

    If you find that outgoing mail to O365 isn’t working after updating the send connectors in step 6, check the permissions on your certificate. This had me hung up for a while. I enabled protocol logging on the send connector as described in the comments here:

    to discover an error with the certificate: “TLS negotiation failed with error UnknownCredentials”. I found the solution here:

    In the Certificates mmc snap-in, right click the exchange certificate, go to All Tasks > Manage Private Keys. Then add “NETWORK SERVICE” with read access. I’m guessing that the hybrid configuration wizard (step 9) does this for you, but I was testing as I went and didn’t want to disrupt mail flow.

    Thanks for the helpful guide!

    February 27, 2018 at 11:02 am
  • sriman Reply

    Hi Alex,

    Thank you for the Great Article. My situation is similar to what is shown above. Migrated all users to O365; we do password sync from AD. I am also wondering if I can have the transport server installed so I can route our SMTP messages from internal printers etc. to Office 365. My question is: does the free license that Microsoft is offering for the on-prem Exchange for management purposes also route emails? Is there any license for it?

    April 4, 2018 at 1:19 pm
    • Alex Reply

      Yes, you can still use the free license and continue to use the server as a simple SMTP relay. It is also possible to configure a relay connector in O365, but you can do it either way and no additional licensing required. What is NOT included in the license is the ability to host mailboxes.

      April 5, 2018 at 10:47 am
  • Mike Reply


    What if you don’t want your hybrid server to participate in on-premise day to day email infrastructure (especially for SCP & autodiscover)? Let’s say you want it to be solely for hybrid purposes…

    Do you set the AutodiscoverinternalURL value to $null?

    April 5, 2018 at 7:17 pm
    • Alex Reply

      Yes, that is correct.

      April 9, 2018 at 6:59 pm
  • Mina Attia Reply

    Please i need your support as we currently have Exchange 2013 on-premise hybrid with office 365, and we plan to upgrade to Exchange 2016 on-premise hybrid with office 365 where the current exchange on-premise architect is [Two CAS servers on a Load balance and two Mailboxes Servers on a DAG] and the current Exchange version in all Exchange servers is [ 15.0.1365.1 ] CU19.
    Our OS is Windows Server standard 2012 R2 up to date.
    And we use Azure AD to Sync users passwords.
    We have some mailboxes on-premise and some on-line.
    where our MX and autodiscover records points to Exchange online.
    what do i need to ensure soft migration without any problems? as i found that DAGs are still version-bound, in place upgrades unsupported

    July 15, 2018 at 6:04 am
    • Alex Reply

      Yes, this is a more complicated setup–so you still have on-premises mailboxes? Do they need to be maintained on-premises anymore, or could you migrate them to the cloud? If you do need to keep mailboxes on-premises, I would begin to stand up the new 2016 servers, switch over your front-end/CAS functions to them first–setting the SCP, virtual directories, Outlook Anywhere, etc. You can also point internal relays to them, provided you re-create the necessary relays on the 2016 boxes–this can technically be done at anytime actually, but I usually test at this point with like an MFP printer and then start moving all the other front-end functions over after it is confirmed working: running the hybrid wizard again so that the connectors, etc. are created on the new servers once you know relay is successful between the systems. At that point, you can also redirect firewall rules so they are updated to point to the new servers, forwarding external traffic like 443, 587, 25, etc. as needed, to the 2016 servers. Then I’d move any remaining on-premises mailboxes last. Going in that order, and not skipping steps, should result in successful migration. But see if you can’t get rid of the need for a DAG on-premises by moving all mailboxes to the cloud. Note: in a typical hybrid setup with best practices, your DNS records for auto-discover would still point on-premises until all the mailboxes have been migrated.

      July 15, 2018 at 4:20 pm
  • Rita Reply

    Thanks for the great article. I have a question related to this and haven’t been able to find an answer anywhere. We are about to migrate to O365 from Exchange 2010. All of our Exchange mailboxes/users will be migrated. We will be managing AD on-prem and using AAD Connect. I understand that to run in a supported fashion this will require an on-prem Exchange server. For a while we’ll be using the existing Exchange 2010 server (but would like to migrate to 2016 at some point, which is what led me to this article). My question is this… is there any way to reduce the size of the footprint of the existing Exchange 2010 server after we’ve migrated everything to O365? My understanding is that we can’t delete those on-prem mailboxes, but could we delete the mail that’s in them and then recoup some space by creating a new database, moving mailboxes to it, then drop and delete the old database and logs (or possibly just do an offline defrag)? Thanks in advance for any advice.

    August 8, 2018 at 10:41 am
    • Alex Reply

      When you move the mailboxes to Office 365 they will no longer exist on-premises. It should be possible to basically remove all databases after every mailbox has been migrated.

      August 15, 2018 at 3:54 pm
  • Lars Stegemann Reply

    Hi Alex, I hope you are well. I think your posts are great. Very clear and helpful, good references and explanations. Thank you very much.

    I have a question. We have Exchange 2010 and want to move to Office 365. Should I install a new exchange 2016 server before the migration or after? I have already established Azure AD connection sync successfully.

    August 30, 2018 at 7:50 am
    • Alex Reply

      I would do after–because it is supported to migrate using hybrid from Exchange 2010 natively, that is the easiest route. After no more mailboxes are left on-prem, then upgrade to 2016.

      September 1, 2018 at 4:17 am
      • Yuri Reply

        Hi Alex,

        Is it also possible to do it on the Exchange server 2016? Or do you have to run the hybrid wizard on the Exchange 2010 server instead in order to migrate the mailboxes?

        November 5, 2018 at 7:00 am
        • Alex Reply

          The hybrid wizard is compatible with all versions of Exchange server 2010 and newer, including 2016.

          November 5, 2018 at 4:21 pm
  • Bee Miller Reply

    currently we use the Hybrid server to provision mailboxes, then we migrate them to the cloud. Also we occasionally import pst data to on-premise mailboxes before we migrate them to the cloud. There can be periods of a few days where these mailboxes will be on premise. Do we still need licensing for the hybrid server in this case or will the free Hybrid license work?

    September 10, 2018 at 10:46 am
    • Alex Reply

      I am not sure their stance on that, probably buried in the EULA terms.

      September 10, 2018 at 4:22 pm
    • Richard Reply

      We used to do that but there’s an easier way. You can use powershell to create a Mail enabled user (meaning don’t create the user in ADUC). See PS line below (a one liner with my PS variables). I created a PS GUI. We do this from the 2016 hybrid exchange server. This skips the step of needing to create the user on the on-prem mail server. Once created and everything syncs to O365 you just turn on your licensing (which creates the mailbox).

      New-RemoteMailBox -Name $DisplayName.Text -Password $SecurePassword -UserPrincipalName $UPN.Text -Alias $AliasName.Text -OnPremisesOrganizationalUnit $OU.Text -SamAccountName $NTUserName.Text -FirstName $FirstName.Text -Initials $MiddleName.Text -LastName $LastName.Text -RemoteRoutingAddress $Tenant

      October 29, 2018 at 10:18 am
  • Mr T. Reply

    Very nice article! I have a test environment with Exchange 2010 and Hybrid Configuration and it is working without problems. My goal is to add Exchange 2016 Server to manage mailboxes and remove the old 2010 Exchange Server completely.

    I followed this article and managed to add Exchange 2016 to my environment (I installed Mailbox role + admin tools). I can now use it to manage mailboxes. Finally I’d like to remove Exchange 2010 but I am not sure what are the correct steps. I see that Step 8 in this article covers removal of Legacy Exchange, but still I feel that none of those articles under step 8 covers my situation. Can you please enlighten me what path to take?

    October 22, 2018 at 2:53 pm
    • Alex Reply

      Once the 2016 server is in place, you should no longer need 2010, and can simply remove it (presumably there is no data on it anymore, either).

      October 26, 2018 at 6:53 pm
  • Travis Reply

    First off thanks for this article. After the upgrade, users are getting prompted for outlook(2016) password, constantly. I can’t figure out what changed caused this issue. Have you experienced this and if so, how did you correct or do you have any suggestions for me to try? Thanks again!

    October 28, 2018 at 6:15 pm
    • Alex Reply

      Make sure the SCP is null or points to–you don’t need the SCP or Outlook anywhere enabled, etc. It’s just a management interface, but if the clients are local on the network and that SCP is populated it may try to latch onto that server.

      October 30, 2018 at 3:52 pm
    • Alex Reply

      By the way, there were reports over the last couple days of many customers being affected by this–so it may be a backend thing at 365, and not related to your deployment. Google search: EX152471

      October 31, 2018 at 1:19 pm
  • Zafog Reply

    thanks for this helpful article.
    I would like to ask you what to do with the address book. Do we need to create a new OAB on Exchange 2016? We have DL on-prem that cannot be migrated right now and I was wondering what will happen to this addresses after removing the Exchange 2010 from the environment.


    January 14, 2019 at 7:41 am
    • Alex Reply

      By adding a new exchange server to the environment before removing the old one, you will still have access to modify any objects including DL’s. A distribution list is an object that lives in AD, and the Exchange server just provides a UI for interacting with that object.

      January 14, 2019 at 4:09 pm
  • Rodney Mills Reply

    Hey Alex,
    Thanks for the article but my question is that we currently have an on premise hybrid exchange 2010 server that all we use it for is to add new users or edit that attributes of old users. All connectors between Office 365 and this server have been disabled and DNS records point to Office 365. Do I follow the same steps as you listed or can I just install exchange 2016 server with the default setting and then decommission the old server? Or do I need to do some of the steps listed?

    February 6, 2019 at 10:30 am
    • Alex Reply

      There is no “management tool” for 2016. You simply browse to the Exchange Admin Center, and login to administer the system that way.

      If you installed 2016 and re-ran the HCW then you should be good to go.

      September 4, 2020 at 1:16 pm
  • Asher Ekstein Reply

    First of Thank you so much this is an amazing guide.

    Now I have a question will this guide work to move the configuration of a hybrid 2010 exchange server to a new server and the new server will also have exchange 2010? or is this specifically to upgrade to 2016?

    February 14, 2019 at 5:00 pm
    • Alex Reply

      2016–most people would move from 2010 to 2016 (remember the hybrid Exchange server license is free–2010 end of support is coming)

      February 14, 2019 at 5:02 pm
  • Mahtab Alam Reply

    Hello Alex,

    Thanks for this article. I have one question, i have 10% mailbox on ex2010 and 90% migrated to o365. Suppose i will migrate from ex2010 to ex2016. So when after all that I will run HCW again so will be there any downtime in mailflow for existing users during updating HCW??

    March 19, 2019 at 12:10 am
    • Alex Reply

      No, shouldn’t be–or if so, very little/barely noticeable. The hybrid connectors on the old server can continue to relay mail to and from 365, until you run it for the new system. Whichever server picks up mail on prem, they can relay mail between themselves just fine. Just don’t retire the old box until everything is moved to the new one.

      March 20, 2019 at 8:25 pm
  • Greg Reply

    good article, do you have one for Exchange 2019

    May 16, 2019 at 12:54 pm
  • Greg Reply

    My name is also Greg and I was also planning to comment “ood article, do you have one for Exchange 2019”. Different Greg, though. Don’t think all Greg’s are trying to nag you.

    May 22, 2019 at 3:26 pm
  • Robbie Jackson Reply

    Hey Alex

    thanks for the great article:

    We are about to upgrade our on premise 2010 Exchange servers to 2016.

    We have 9 servers, which will be replaced by 2 * 2016 boxes as management points. The 2010 servers no longer host mailboxes, but are needed to route mail through to on premise SAP servers and im pretty sure I cannot get round removing on premise entirely.

    The environment currently also uses a forefront tmg server to service some routing through to autodiscover, owa and provide end points for mailbox migration.

    I suppose the question I have is around the TMG servers, assuming we can just point the autodiscover currently serviced by the TMG server to a round robin DNS entry on the new servers?

    MX points to O365 and sap mail is routed to on premise using a connector for the sub domain.

    July 9, 2019 at 6:06 am
    • Alex Reply

      Yes, I would move all the remaining services over to the new 2016 ones. Like, if you have any on-prem SMTP relays pointing to 2010, inventory them and then start swapping them over (make sure to enable the relay on 2016 for those IP’s, etc.). Once all the remaining items are verified as pointing to the new servers, and autodiscover URI/SCP is nulled out on both 2010 and 2016 (since auto-discover DNS now goes to 365), then test the theory that life will be okay without 2010 by simply powering them off for a couple of days. When nothing breaks, you can proceed to full removal of those legacy systems.

      July 11, 2019 at 12:47 am
  • Marul Reply

    Hey Alex, Thank for explanation.
    I am also going to migrate and old 2010 environment to O365, But the the Hybrid is already setup using Exchange 2010 Server. Now I am planning to migrate using Exchange 2016 Hybrid Server and in process to complete the 2016 installation.
    Is it ok to simply run the HCW from 2016 server and make sure to not to remove 2010 from the list as we are planning to remove 2010 after completing all the migration.

    August 20, 2019 at 12:52 pm
    • Alex Reply

      You should be able to move directly from 2010, but you can stand up a new 2016, get the cert installed, update virtual directories, etc. etc. and then re-run the hybrid wizard, which should choose the 2016 system as the hybrid server.

      August 20, 2019 at 11:20 pm
  • Suzi Pearson Reply

    Hi , thanks for a great article.

    I have been tasked with upgrading our old Exchange 2013 v15 (sits on winsvr 2008) to Exchange 2016 (winsvr 2016). We are hybrid and no mailboxes; it’s just a mail relay essentially.
    It’s the first time I have done this and was wondering could I run them in tandem, till I am happy the new server is working as expected. Would it still be the same steps/process as above?
    I can see a few sleepless nights ahead of me !

    kind regards

    August 22, 2019 at 10:35 am
    • Alex Reply

      Yes that would be fine to keep them running side-by-side. There should be no impact basically, as long as you null out the service connection point, etc. and just move the relays over. Just make a checklist of items that relay off local server, then go update them one at a time, enabling an entry for them on the new server. Once you are done w/ checklist, re-run hybrid wizard to connect up 2016 box, then turn off 2013 for a couple of days to make sure you didn’t miss anything. Once satisfied, uninstall 2013.

      August 23, 2019 at 2:21 pm
  • Shiri Reply

    good article, Greg.
    I am still in planning phase and want to migrate from 2010 to O365. hybrid is already setup but the 2010 Servers are very old so have to add new Exchange 2016 server as a hybrid migration end point without making any mail flow and client connection changes to the current 2010 Servers. Suggest what are all the setting to be done on 2016 ?? SCP = null or same as in the 2010 ? anything from DNS side ?

    August 27, 2019 at 2:25 am
    • Alex Reply

      This article should contain the steps you would need.

      August 29, 2019 at 1:01 pm
  • colaChoMendoza Reply

    Awesome! thanks for the life saving instructions. Looks like I am already half way through. Installing Exchange 2016 was the hairiest part for me. Thanks for the article again.

    September 13, 2019 at 1:29 pm
  • Matt Reply

    Great page Alex.
    A quick question on the order of replacement. We have and Edge 2010 in the DMZ and two domain Exchange 2010 servers. Which ones should we replace first? I haven’t seen that scenario listed anywhere.

    Thank you!

    September 24, 2019 at 2:22 pm
    • Alex Reply

      Are you moving or already moved to 365? Then you shouldn’t really need an infrastructure like that anymore, just a regular hybrid server (which is just a management UI basically). If you mean doing an upgrade from Exchange 2010 to 2016 there is a recommended order–front end services go first, followed by mailbox databases, etc. I like this series for orgs who are doing 2010 to 2016:

      September 27, 2019 at 1:37 pm
  • Matt Reply

    “Are you moving or already moved to 365? Then you shouldn’t really need an infrastructure like that anymore, just a regular hybrid server (which is just a management UI basically).” Sorry I didn’t include more. We inherited two old P2V Windows 2008 R2 servers running Exchange 2010 hybrid configuration with all users in O365 except for one that is required for an application. There is also an Edge server in the DMZ running Exchange 2010. All patched to latest updates.

    Thank you.

    September 30, 2019 at 12:05 pm
    • Alex Reply

      Then a single 2016 server can replace both of those other boxes. Migrate all roles to that, and then remove 2010.

      September 30, 2019 at 2:50 pm
  • Tom Reply

    If you running Exchange 2016 in minimal hybrid mode with Office 365 are you able to remove the mailbox database? If so I was wondering if there was a way to install Exchange 2016 without the mailbox role and mailbox database?

    All mailboxes will already be in Office 365 after being migrated from Exchange 2010.

    Thanks in advance

    October 22, 2019 at 11:28 am
    • Alex Reply

      Oddly enough even though the intention is to keep zero mailboxes on-prem they do not support like a “management UI only” type of install for the hybrid server, so yeah the full mailbox role is required. Strange, but whatev.

      October 24, 2019 at 2:49 pm
  • Yen Mao Reply

    We migrated mailboxes from Exchange 2003 to M365. Will this work with legacy 2003 Exchange server upgrading to hybrid 2016? Thanks!

    October 22, 2019 at 7:33 pm
    • Alex Reply

      You can’t go right from 2003 to 16, you could go to 10 then 16. Or completely tear out 2003 before you lay down 2016 and re-implement hybrid. Be sure to preserve your email attributes (e.g. proxyAddresses) when doing it that way.

      October 24, 2019 at 2:50 pm
  • Dragos Reply

    Hi Alex, thank you very much for the article, very helpful. I’m in a situation where I’ve got an environment of 7 Exchange 2010 SP3 hybrid servers, with no UR installed on any of the servers. To migrate to 2016 directly I will have to upgrade all 2010 servers to SP3 UR11. Is it worth the effort or should I migrate to 2013 first and then 2016? Thank you.

    November 17, 2019 at 10:41 pm
    • Alex Reply

      Updates are easier than migrations, IMO.

      November 18, 2019 at 6:58 am
  • Mike Reply

    Hi Alex
    Thanks for the article. I have an Exch2010 hybrid with O365 currently and I am in the process of migrating mailboxes from on-premises to O365. I have built my Exch2016 server but as yet have not switched over the roles onto the new server. Is it possible to migrate the remaining Exch2010 mailboxes using the Exch2016 as the hybrid endpoint, or would I have to migrate these mailboxes to Exch2016 first and then migrate them to the tenant? The logistics of moving our users dictate that the migration is quite a prolonged process and may drag on for a while. The reason I ask is that from a security perspective we want to have modern authentication set on the hybrid connection so that we can disable the simple credentials login.

    November 20, 2019 at 8:43 am
    • Alex Reply

      For longer migrations I would recommend 2016. Move to it fully, and get rid of 2010. Then you’ll have better options for hybrid modern auth and so forth if you need to have long-term co-existence. Or, alternatively use the fact that that 2 migrations is more money than one to force management’s hand into saying okay to a quicker and more aggressive migration to 365 ;)

      November 20, 2019 at 4:27 pm
  • Joseph Reply

    Hello Alex,

    Thanks for your article.

    We have a 2010 Hybrid with O365 moving to 2016 Hybrid. Already installed and setup 2016 Servers, but haven’t switched the DNS to point to 2016 or migrated the 2010 mailboxes.

    I am a bit confused as to when to run the HCW wizard. Should I run the HCW wizard on 2016 now, so that all the connectors are updated? Or wait till all the mailboxes are moved to 2016 and 2010 is decommissioned?

    Thanks in Advance

    November 20, 2019 at 11:15 am
    • Alex Reply

      As long as both Exch servers can exchange mail successfully internally then you can run HCW anytime to move hybrid mailflow over to the new box.

      November 20, 2019 at 12:25 pm
      • Mike Reply

        Hi both, and sorry to jump in on this thread, as it relates to what I was asking above. Once mail flow is switched over to 2016, is it then only possible to migrate mailboxes in a two-step process, i.e. 2010 to 2016, then 2016 to 365?

        Thanks for your assistance.

        November 21, 2019 at 5:02 am
        • Alex Reply

          Moving front-end services to Exchange 2016 and then migrating mailboxes directly from 2010 to 365 would be possible, yes.

          November 21, 2019 at 12:29 pm
  • Jerry Reply

    Hello Alex

    We have moved all mailboxes to O365; however, they all have remained as contacts on Exchange 2010. Do I need to move these mailbox databases to Exchange 2016? Prior to moving to Office 365 I already had a few disconnected mailboxes that I wish to keep for compliance purposes, so I assume we need to move these database mailboxes to the new Exchange 2016? Also, is it necessary to create a DAG on Exchange 2016 since all mailboxes reside on Office 365? Also, when performing the schema update, is it necessary to download/prepare any tenant organization config from O365, since we already have hybrid Exchange 2010? Also, do we do the minimal mode or full hybrid configuration wizard?

    December 4, 2019 at 11:38 pm
    • Alex Reply

      Hey Jerry, don’t overthink it too much. Once you move mailboxes to the cloud, they are converted to contacts on-prem. There is no data on prem any longer. The contact object has a targetaddress property that will lead any mail handled by the on-prem server (e.g. if you use it as a local relay with a copier/printer/scanner device or LOB app) to the destination mailbox in 365. The only reason for having an Exchange server around after you’ve moved is for ease of management, changing things like aliases and so forth. So no need to move any mailbox databases, etc. as NO DATA should remain on-prem.

      December 5, 2019 at 11:10 am
  • Dipit Mistry Reply

    Hi Alex

    We have used BitTitan to migrate mailboxes to Office 365 and have AD Connect set up. We were hoping to get rid of our Exchange 2010 server completely but I understand that is not supported. So I think the solution would be to install Exchange 2016; could you offer any advice on how to do this?

    May 1, 2020 at 11:15 am
    • Alex Reply

      The post you are commenting on is the exact process. You can still run hybrid wizard to set it up properly once you replace w/ 2016 server.

      May 3, 2020 at 6:15 am
  • Anthony Miller Reply

    Thanks for this article. I’m a little apprehensive about the schema extensions and Active Directory preparations. I’m just hesitant because we have been held back from raising our Active Directory functional level because of the Exchange 2010 in our environment. Can I assume that these schema extensions and AD preps are fairly benign and won’t cause disruption in our environment? Or is this process a start it and get it done as quickly as possible task to minimize disruption? What exactly is happening with these schema extensions and AD preparations?

    May 18, 2020 at 11:26 am
    • Alex Reply

      I have never seen this cause an impact. It is adding certain attributes to be compatible with the version of Exchange you are trying to install. Once you upgrade you cannot add new servers that are older than the one you prepared the directory for (but the existing older ones should be fine).

      May 18, 2020 at 3:05 pm
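To make the directory preparation discussed above less of a black box, here is an added example (not the article's procedure or any commenter's code) that reads the version markers Setup.exe /PrepareSchema, /PrepareAD and /PrepareAllDomains update, before and after, so the change is visible and can be kept with the change record. It assumes the ActiveDirectory module (RSAT) on a domain-joined admin workstation; the output path is a placeholder.

```powershell
# Added example, not the article's procedure or any commenter's code: read the
# markers that Setup.exe /PrepareSchema, /PrepareAD and /PrepareAllDomains update,
# before and after, so the directory preparation is auditable rather than a mystery.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined admin workstation.
Import-Module ActiveDirectory

function Get-ExchangeDirectoryVersion {
    $root = Get-ADRootDSE
    # Schema extension marker: rangeUpper on the ms-Exch-Schema-Version-Pt attribute object
    $schema = Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$($root.schemaNamingContext)" -Properties rangeUpper
    # Forest-wide Exchange organization object under Services in the configuration partition
    $org = Get-ADObject -SearchBase "CN=Microsoft Exchange,CN=Services,$($root.configurationNamingContext)" `
        -Filter 'objectClass -eq "msExchOrganizationContainer"' -Properties objectVersion
    # Per-domain marker written by /PrepareDomain or /PrepareAllDomains
    $domain = Get-ADObject -Identity "CN=Microsoft Exchange System Objects,$($root.defaultNamingContext)" -Properties objectVersion
    [pscustomobject]@{
        SchemaRangeUpper     = [int]$schema.rangeUpper
        OrganizationVersion  = [int]$org.objectVersion
        DomainObjectsVersion = [int]$domain.objectVersion
        Collected            = Get-Date
    }
}

function Compare-ExchangeDirectoryVersion {
    param([Parameter(Mandatory)]$Before, [Parameter(Mandatory)]$After)
    foreach ($marker in 'SchemaRangeUpper', 'OrganizationVersion', 'DomainObjectsVersion') {
        [pscustomobject]@{
            Marker  = $marker
            Before  = $Before.$marker
            After   = $After.$marker
            Changed = $Before.$marker -ne $After.$marker
        }
    }
}

# 1. Capture the current state and keep it with the change record (placeholder path).
$before = Get-ExchangeDirectoryVersion
$before | Export-Clixml -Path (Join-Path $env:USERPROFILE 'exch-dirversion-before.xml')

# 2. Run Setup.exe /PrepareSchema, /PrepareAD and /PrepareAllDomains from the Exchange 2016
#    media (the article's preparation step), then allow AD replication to converge.

# 3. Re-read and show which markers moved. Each marker advances to the value for the
#    version you prepared for; the existing 2010 servers keep working against it.
$after = Get-ExchangeDirectoryVersion
Compare-ExchangeDirectoryVersion -Before $before -After $after | Format-Table -AutoSize
```

The three values are the same ones Setup checks when it decides whether a server of a given version may still be installed into the organization, which is why, once they have advanced, an older Exchange version can no longer be added while servers already in place are unaffected.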
  • Brian Edwards Reply

    Thank you for this article. We migrated all mailboxes to 365 last year. Now I need to remove our Exchange 2010 server and build a new Exchange 2016 server. I’m following this article, and everything has gone smoothly. When I launch the Hybrid Wizard in step 9 from the EAC I’m taken to an Office 365 login. I provide my 365 credentials but each time it goes right back to the 365 login page. Any thoughts as to why?

    June 17, 2020 at 10:52 pm
  • Brian Edwards Reply

    I found the fix to my issue. In Internet Explorer I had to modify the security settings to allow file downloads. As soon as I did that the HCW started working.

    June 18, 2020 at 11:34 am
    • Alex Reply

      Thanks for sharing! By the time I checked this, you already solved it. Yeah, HCW only works in Edge and IE, and IE security settings often get in the way.

      June 20, 2020 at 9:43 am
  • Markus Steele Reply

    We’re moving from Exchange 2010 Hybrid to Exchange 2016 Hybrid.
    Is it recommended to set up the Edge server, or is that not required for Hybrid communication? All mailboxes are migrated to O365 and new ones are migrated prior to user access.

    Right now we have this setup:
    Current Exchange 2010 environment on Server 2008
    • VAPP1101 Mailbox Servers
    • VAPP1102 Mailbox Servers
    • VAPP1103 Mailbox Servers
    • VAPP1106 Hub Transport
    • VWEB1101 Client Access
    • VWEB1102 Hub Transport & Client Access
    • VWEB1103 Client Access
    • VWEB1104 Client Access
    We would like to move to one Exchange Server 2016
    • VAPP1104

    July 20, 2020 at 10:00 am
    • Alex Reply

      For the hybrid server you just do a full installation, mailbox role, even though you don’t really use it, except for mgmt.

      July 20, 2020 at 12:09 pm
      • Markus Steele Reply

        Thanks, do I need to open ports on the firewall like you would for a client access server?

        July 20, 2020 at 3:15 pm
        • Alex Reply

          The only reason to open ports on the firewall would be if you need to have mailflow between on-prem and cloud mailboxes. Once all mailboxes are in the cloud, and assuming you move your SMTP relays to 365, the only purpose your hybrid server has is management UI.

          July 21, 2020 at 10:37 am
          • Markus Steele

            What about the creation of new users? Are we to always migrate them, or should the mailboxes be created in the cloud and no longer migrated?

            July 28, 2020 at 1:36 pm
          • Alex

            You should not need to migrate mailboxes. When you create a new account with New-RemoteMailbox, or using the EAC to create a new O365 Mailbox user, the account on-prem is created and when that syncs to the cloud the mailbox will be auto-created as well.

            July 31, 2020 at 11:18 am
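The New-RemoteMailbox path mentioned in the reply above, as an added example that is not part of the post or the thread: it creates a user whose mailbox is provisioned in Exchange Online once AAD Connect syncs the object, then reads back the routing address on-prem transport will use. The user, OU, domains and tenant routing domain are placeholders; run it in the Exchange Management Shell on the hybrid management server.

```powershell
# Added example (not from the post or the comment thread): create a new user whose
# mailbox lands in Exchange Online, then inspect the on-prem object's routing address.
# Names, OU and domains are placeholders. Run in the Exchange Management Shell.
$tenantRoutingDomain = 'contoso.mail.onmicrosoft.com'   # placeholder tenant routing domain
$userOu              = 'OU=Users,DC=contoso,DC=local'   # placeholder OU for new accounts

# Prompt for the initial password rather than embedding it in a script or history.
$password = Read-Host -Prompt 'Initial password' -AsSecureString

New-RemoteMailbox -Name 'Jane Doe' -FirstName 'Jane' -LastName 'Doe' `
    -UserPrincipalName 'jane.doe@contoso.com' `
    -PrimarySmtpAddress 'jane.doe@contoso.com' `
    -RemoteRoutingAddress "jane.doe@$tenantRoutingDomain" `
    -OnPremisesOrganizationalUnit $userOu `
    -Password $password -ResetPasswordOnNextLogon:$true | Out-Null

# The remote routing address is what on-prem transport forwards to (it is stored on
# the object as targetAddress); the cloud mailbox is created after the next sync.
Get-RemoteMailbox -Identity 'jane.doe' |
    Format-List Name, PrimarySmtpAddress, RemoteRoutingAddress, EmailAddresses, ExchangeGuid

# Later attribute changes, such as adding an alias, are still made on-prem and synced up:
Set-RemoteMailbox -Identity 'jane.doe' -EmailAddresses @{add = 'smtp:jdoe@contoso.com'}
```

Because the mailbox is never created on the on-prem database, there is nothing to migrate; the on-prem object only carries the addressing attributes that directory synchronization pushes to the tenant.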
  • Dillon Burke Reply

    Are these the same steps for migrating from on-premise exchange 2010 to office 365 cloud in a hybrid configuration?
    Do you have a guide for this?

    July 20, 2020 at 2:31 pm
    • Alex Reply

      Migration of mailboxes from any version 2010+ is here. The current article is about upgrading a “hybrid only” server (usually after all mailboxes have been migrated).

      July 21, 2020 at 10:36 am
  • Brian Reply

    “It is also optional, since certificates aren’t important if all of your mailboxes reside in the cloud, and there is no secure cross-premises mail flow requirement.”

    Wouldn’t the above only be true if you $null the CAS SCP record and/or point AutoD directly to O365? I would expect a client-side certificate error when Outlook queries the on-prem server and there is no matching certificate.

    July 24, 2020 at 11:36 am
    • Alex Reply

      You should always have that value null if there are no mailboxes on-prem. That’s a standard part of the migration. So that is correct.

      July 25, 2020 at 5:36 am
  • Hector Orozco Reply

    Hi, we migrated all mailboxes from Exchange 2010 to O365, then we removed the Arbitration Mailbox and the server with the Mailbox role; we only left servers with the HT role (for SMTP relay) and we keep the hybrid scheme. Now we want to change those old Exchange 2010 (HT) servers for a new Exchange 2016 and cannot complete the installation because there is no Arbitration Mailbox. I understand that re-running “Setup.exe /PrepareAD” should recreate the Arbitration Mailboxes, but we don’t have any Mailbox/Database role servers for the mandatory user mailbox. How can I migrate Exchange 2010 to 2016? Thanks for help and support.

    August 4, 2020 at 6:11 am
    • Alex Reply

      Yes you must have a mailbox role unfortunately. That has always been a hybrid requirement. The only way would be to add that role back somewhere and proceed.

      August 7, 2020 at 6:44 am
  • John Reply

    I want to run 2016 alongside my 2010 while I switch over the necessary scripts/internal relay to 2016. Since 2016 requires the HCW to activate the free hybrid license, will I need to rerun the HCW on my 2010 server to continue using that as my Hybrid endpoint? My account creation is automated and creates new user mailboxes on the 2010 Exchange, they are then migrated to o365 automatically.

    If the 2016 server is my new Hybrid endpoint, does the 2010 lose all migration ability?


    August 4, 2020 at 4:20 pm
    • Alex Reply

      There is no reason to continue using 2010 if you have a 2016 server–that should become the hybrid endpoint, and all migrations will flow through that endpoint. It does not matter if mailboxes are on 2010, the migration will still work, using 2016 as the endpoint. This is the preferred configuration.

      August 7, 2020 at 6:37 am
  • TankAdmin Reply

    Hi Alex,

    All our mailboxes are in O365. Exchange 2010 got a self-signed cert and it expires all the public certs. We have an ADFS farm and F5 load balancers.

    When we run Full Hybrid Configuration, will that accept this self-signed cert? Or will ADFS impact?
    Once we run the HCW, will it import and create connectors in Exchange 2016?

    I understand that the hybrid connection will be required for Free/Busy, SMTP and autodiscover.
    When we set autodiscover to, will the Outlook client connection still go via this Exchange?

    So if we shut down without migration, what is the impact to the current client?


    August 10, 2020 at 3:25 am
    • Alex Reply

      Self-signed certs are not a good idea. I have never operated in that configuration and whenever I find a customer who has been doing something like that I always advise them to get a public cert. So I don’t know what happens there. But if all of your mailboxes are in O365 already, what is the purpose of creating hybrid now? Even if you wanted it for management with directory synchronization I don’t think the cert would matter, because there are no services locally that you depend on, right? Everything is cloud so clients will not be referring to the on-prem server for any reason–therefore certs won’t really matter. But once you actually have a client accessing the server for something–that’s when you’d have to figure out your certs.

      August 10, 2020 at 11:41 am
      • TankAdmin Reply

        Hi Alex,

        So I just set up the Ex2016 as per above and do not run the HCW?

        We use this Ex2016 server as SMTP Relay and Management.


        August 10, 2020 at 9:50 pm
        • Alex Reply

          If you are keeping the server in place to serve hybrid functionality (including relay) then yes you need to run HCW.

          August 11, 2020 at 2:47 am
      • TankAdmin Reply

        Hi Alex,

        Thanks. Will the HCW pick up all the current configuration from Exchange 2010 and move it to Exchange 2016? Will it not re-create the connectors in O365?

        If something goes wrong, can we use the exchange 2010 as rollback plan?

        How do I find the current configured FQDN?


        August 11, 2020 at 4:22 am
        • Alex Reply

          Running the HCW over again will update the hybrid configuration to get the new server talking with the cloud. I have never needed a rollback plan. I guess my rollback plan would be to manually configure things. I know the stuff that the HCW is doing under the hood, so it may not be so easy, but the steps are documented out there–you could find them. Basically updating the HybridConfiguration and creating some connectors. The email address policies would not be impacted if they were already done with a previous run, etc. Anything at the “organization” level does not change and doesn’t need to, since it is not tied to specific server. The server specific stuff you should plan to touch is the HCW, which will get the connectors created, as well as the certificate if you still use one for any services on prem including SMTP relay, etc.

          August 12, 2020 at 1:38 pm
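The reply above names the objects the HCW rewrites (the HybridConfiguration object, connectors, organization-level settings) and notes that it keeps no history of previous values. As an added example that is not part of the post or the thread, the following snapshots those objects before the wizard is re-run against the new server, so the earlier state can be diffed or restored by hand afterwards. It assumes the Exchange Management Shell on the on-prem server; the snapshot folder is a placeholder.

```powershell
# Added example, not the post's or the thread's own commands: snapshot the
# organization-level objects and connectors the HCW rewrites before re-running it,
# so the previous settings can be diffed or restored by hand. Run in the Exchange
# Management Shell; the snapshot folder under the user profile is a placeholder.
$snapshotRoot = Join-Path $env:USERPROFILE ('hcw-snapshot-' + (Get-Date -Format 'yyyyMMdd-HHmm'))
New-Item -ItemType Directory -Path $snapshotRoot | Out-Null

# Cmdlet per object type. Get-IntraOrganizationConnector only exists on 2013+, so
# cmdlets missing from this shell are skipped rather than failing the whole snapshot.
$captures = [ordered]@{
    HybridConfiguration         = 'Get-HybridConfiguration'
    SendConnectors              = 'Get-SendConnector'
    ReceiveConnectors           = 'Get-ReceiveConnector'
    OrganizationRelationships   = 'Get-OrganizationRelationship'
    IntraOrganizationConnectors = 'Get-IntraOrganizationConnector'
    EmailAddressPolicies        = 'Get-EmailAddressPolicy'
    AcceptedDomains             = 'Get-AcceptedDomain'
    RemoteDomains               = 'Get-RemoteDomain'
}

function Save-HybridSnapshot {
    param([string]$Path, [System.Collections.IDictionary]$Cmdlets)
    foreach ($name in $Cmdlets.Keys) {
        $cmd = $Cmdlets[$name]
        if (-not (Get-Command $cmd -ErrorAction SilentlyContinue)) {
            Write-Warning "$cmd is not available in this shell, skipping $name"
            continue
        }
        $objects = & $cmd
        # Clixml keeps the full objects for later inspection; the text copy diffs easily.
        $objects | Export-Clixml -Path (Join-Path $Path "$name.xml")
        $objects | Format-List * | Out-File -FilePath (Join-Path $Path "$name.txt") -Width 4096
    }
}

function Compare-HybridSnapshot {
    # Count differing lines per capture between two snapshot folders.
    param([string]$BeforePath, [string]$AfterPath)
    Get-ChildItem -Path $BeforePath -Filter '*.txt' | ForEach-Object {
        $afterFile = Join-Path $AfterPath $_.Name
        $diff = @()
        if (Test-Path $afterFile) {
            $diff = @(Compare-Object (Get-Content $_.FullName) (Get-Content $afterFile))
        }
        [pscustomobject]@{ Capture = $_.BaseName; ChangedLines = $diff.Count }
    }
}

Save-HybridSnapshot -Path $snapshotRoot -Cmdlets $captures
# After running the HCW, take a second snapshot into another folder and compare:
# Save-HybridSnapshot -Path $afterRoot -Cmdlets $captures
# Compare-HybridSnapshot -BeforePath $snapshotRoot -AfterPath $afterRoot | Format-Table -AutoSize
```

The text captures are what you would read to rebuild a connector by hand; the Clixml copies preserve the full objects (address spaces, smart hosts, TLS settings) if a finer comparison is needed later.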
  • TankAdmin Reply

    Hi Alex,

    To keep AD FS and directory synchronization and decommission most of the Exchange servers

    Steps in is not mentioned in your post?


    August 10, 2020 at 3:57 am
    • Alex Reply

      The issue is not whether to decom “most” servers but rather all–you CANNOT decom the last Exchange server without also removing directory synchronization (whether with ADFS or not). So at the present time at least, you must of necessity keep an Exchange server so long as you synchronize your directory to the cloud. Only once you remove synchronization can you remove all Exchange servers.

      August 10, 2020 at 11:34 am
  • TankAdmin Reply

    Hi Alex,
    What are the firewall ports required with a new server?


    August 24, 2020 at 11:04 pm
    • Alex Reply

      If it is just acting as a management UI and you set up minimal hybrid/modern then no ports are necessary to expose to the outside.

      August 25, 2020 at 1:08 pm
      • TankAdmin Reply

        Hi Alex,

        I just ran the HCW and got the error below. I think my firewall should allow 443 to the new server?

        HCW8078 – Migration Endpoint could not be created.


        The connection to the server ‘’ could not be completed.


        The call to ‘’ failed because no service was listening on the specified endpoint. Error details: There was no endpoint listening at that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. –> Unable to connect to the remote server –> No connection could be made because the target machine actively refused it


        There was no endpoint listening at that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.


        Unable to connect to the remote server


        No connection could be made because the target machine actively refused it

        The other issue is when I set the send connector to the new server, mail queued?

        Do I have to enable port 25 from this server?

        September 6, 2020 at 12:17 am
        • TankAdmin Reply

          Hi Alex,

          Please remove my public domain name.

          September 6, 2020 at 12:25 am
          • Alex


            September 7, 2020 at 12:16 pm
        • Alex Reply

          You only need the external facing stuff if you need to perform migration or SMTP relay in/out from EXO to on-prem, etc. If you are keeping a hybrid server for only management purposes then you can close the external facing ports AFTER the HCW is run, and all migration activity is completed. Hope that makes sense.

          September 7, 2020 at 12:16 pm
          • TankAdmin

            Hi Alex,
            We require the SMTP relay and have F5. So point to

            So do I have to allow this external IP to the on-premises server?

            Noticed the HCW has changed the O365 send and receive connector.
            Is there a way to find the old settings?

            This step is not easy as per your document.
            “Default Frontend” receive connector is modified for hybrid mail flow and instead of using a list of IPs, a certificate is used to force

            gain the inbound connector uses a certificate instead of IP address


            September 8, 2020 at 6:26 am
          • Alex

            This document assumes you are only using hybrid for management purposes–then it is very simple. If you need to migrate other functions such as SMTP relay that would be done like any other migration for those roles. I don’t think it keeps a history of the settings–unsure if the logs would have this. However, it should be pretty easy to configure. If you need inbound/outbound SMTP relay from the local server then configure it appropriately. The allowed relay IPs from internal, the certificate should be exported/imported to the new server and associated to the service, etc. Firewall would need to allow said ports to the new server, and so on.

            September 8, 2020 at 11:27 am
  • TankAdmin Reply

    Hi Alex,

    We have some service accounts with mailboxes attached in local Exchange 2010. But we attach no mailboxes in O365. Nobody knows what these accounts are, so what is the safest option before they are decommissioned?

    August 28, 2020 at 3:16 am
    • Alex Reply

      If nobody knows what they are for, and you don’t see any recent mail items in there, it is probably safe to whack em.

      September 4, 2020 at 1:24 pm
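Before acting on the advice above, a practitioner would want evidence of "no recent mail items" and a way to back out. This added example (not from the article or the thread) inventories the mailboxes still on-prem with last-logon and item counts, exports the list for the application owners, and then disables rather than deletes, so the data stays in the database for the deleted-mailbox retention window. It assumes the Exchange Management Shell on PowerShell 3 or later; the mailbox name and export share are placeholders.

```powershell
# Added example, not from the article or the comment thread: inventory remaining
# on-prem mailboxes with last-logon and item counts, export the list for review, and
# disable (not delete) confirmed-unused ones so the data is retained for the database's
# deleted-mailbox retention period. Run in the Exchange Management Shell (PowerShell 3+).
function Get-StaleMailboxReport {
    param([int]$InactiveDays = 90)
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $stats = Get-MailboxStatistics -Identity $_.Identity -ErrorAction SilentlyContinue
        [pscustomobject]@{
            DisplayName = $_.DisplayName
            Alias       = $_.Alias
            Type        = $_.RecipientTypeDetails
            Database    = $_.Database
            LastLogon   = $stats.LastLogonTime
            ItemCount   = $stats.ItemCount
            TotalSize   = $stats.TotalItemSize
            # Never logged on, or not since the cutoff: a candidate for review, not a verdict
            LooksStale  = (-not $stats.LastLogonTime) -or ($stats.LastLogonTime -lt $cutoff)
        }
    }
}

$report = Get-StaleMailboxReport -InactiveDays 90
# Placeholder path; hand the CSV to the application owners before removing anything.
$report | Export-Csv -Path (Join-Path $env:USERPROFILE 'onprem-mailbox-inventory.csv') -NoTypeInformation
$report | Where-Object { $_.LooksStale } | Format-Table DisplayName, Type, LastLogon, ItemCount -AutoSize

# For each mailbox confirmed unused: keep a copy, then disable. New-MailboxExportRequest
# needs the Mailbox Import Export role and a UNC share Exchange can write to (placeholders).
# New-MailboxExportRequest -Mailbox 'svc-legacy-app' -FilePath '\\fileserver\exports\svc-legacy-app.pst'
# Disable-Mailbox -Identity 'svc-legacy-app'
```

LastLogonTime is a mailbox-store value, so a service account that only sends via SMTP relay and never opens its mailbox will show as stale even though the account itself is in use; that is why the CSV goes to the owners first and the account object is left in place when the mailbox is disabled.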
  • TankAdmin Reply

    Hi Alex,

    What process should we follow before uninstalling the legacy Exchange server?
    Also, removing Exchange 2010 will remove the federation trust and hybrid configuration, so should Step 9 (Run the new hybrid configuration wizard) run before Step 8?


    August 30, 2020 at 6:43 am
    • Alex Reply

      You should be able to just follow the steps in the guide. I have articles on the whole migration process, all roles. I also have a paid migration guide that has a lot of detail about moving to M365 environment.

      September 4, 2020 at 1:23 pm
  • TankAdmin Reply

    Hi Alex,

    Do we need to have MRSProxy ( communication after the HCW?
    I know this is required to establish the configuration, so I can allow port 443 directly to the server when running the HCW. But is it a security risk to allow port 25/443 from external to an internal server?

    September 26, 2020 at 3:44 am
    • Alex Reply

      In 100% of my deployments, I configure the HCW, and then close all inbound traffic from the Internet to the hybrid server. Zero ports open. I make sure that all relay goes right to 365 either using client submission or just inbound connector secured by IP. Then the hybrid server only exists for the purposes of managing the Exchange attributes locally, and Azure AD Connect takes care of the rest.

      September 28, 2020 at 11:19 am
      • TankAdmin Reply

        Finally, completed the HCW successfully with the public SSL. Now I need to remove the Exchange 2010.

        So in Step 8 I can see it asking to remove send connectors, public folders etc., and then uninstall the Exchange 2010.

        But in the hybrid setup, send connectors are appearing in Exchange 2016. So I set the Exchange 2016 as per Step 6.

        So will running the above command remove these from Exchange 2016?

        Can’t I just uninstall after moving the system mailboxes?


        October 3, 2020 at 12:43 am
  • Aussupport Reply

    Hi Alex,

    Do we need to move Arbitration? When I stop the Exchange 2010 I cannot log in to the Exchange 2016 ECP. I receive an HTTP Error 500?

    October 11, 2020 at 8:35 pm
  • Jim Satterfield Reply

    In terms of updating the SCP if all mailboxes are in the cloud and we’re trying to avoid needing a certificate we set our DNS for autodiscover to point to Exchange Online and set the SCP on the on premise server to null. Wouldn’t that stay the same for the Exchange 2016 upgrade?

    October 22, 2020 at 1:44 pm
    • Alex Reply

      Yes you can either set it to null (meaning the clients will roll over to autodiscover via DNS) or you can set it to the Exchange Online autodiscover URL (; both are valid.

      October 23, 2020 at 11:40 am
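The SCP handling described in the last two comments, as an added example that is not the article's own command: it lists the Autodiscover SCP on every Exchange server, clears it so domain-joined Outlook clients fall through to the DNS autodiscover record, and confirms the result with the same LDAP lookup Outlook performs. It assumes the Exchange Management Shell on the 2016 server, where Set-ClientAccessServer is still accepted (Set-ClientAccessService is the newer name); the Exchange Online URL in the comment is the alternative value the reply mentions.

```powershell
# Added example, not the article's own command: show the Autodiscover SCP on every
# Exchange server, clear it so domain-joined Outlook clients use the DNS autodiscover
# record, and confirm via the LDAP query Outlook itself performs.
# Run in the Exchange Management Shell on the 2016 server.
function Get-AutodiscoverScp {
    Get-ClientAccessServer | Select-Object Name, AutoDiscoverServiceInternalUri, AutoDiscoverSiteScope
}

function Clear-AutodiscoverScp {
    param([Parameter(Mandatory)][string[]]$Server)
    foreach ($s in $Server) {
        # $null clears the advertised URL. The other valid choice is to point it at Exchange Online:
        # -AutoDiscoverServiceInternalUri 'https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml'
        Set-ClientAccessServer -Identity $s -AutoDiscoverServiceInternalUri $null
    }
}

function Get-AutodiscoverScpFromAd {
    # Outlook searches the configuration partition for SCP objects tagged with this
    # well-known Autodiscover keyword GUID and follows serviceBindingInformation.
    $root     = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$($root.configurationNamingContext)")
    $searcher.Filter = '(&(objectClass=serviceConnectionPoint)(keywords=77378F46-2C66-4aa9-A6A6-3E7A48B19596))'
    $searcher.FindAll() | ForEach-Object {
        [pscustomobject]@{
            Dn      = $_.Properties['distinguishedname'][0]
            Binding = @($_.Properties['servicebindinginformation']) -join ','
        }
    }
}

'Before:'; Get-AutodiscoverScp | Format-Table -AutoSize
Clear-AutodiscoverScp -Server (Get-ClientAccessServer | ForEach-Object { $_.Name })
'After (Exchange view):'; Get-AutodiscoverScp | Format-Table -AutoSize
'After (LDAP view, Binding should be empty):'; Get-AutodiscoverScpFromAd | Format-Table -AutoSize
```

The LDAP check is worth keeping because it reflects what a domain-joined client actually sees after replication, independent of which server the shell is connected to; a lingering non-empty Binding on any server is what produces the certificate prompt the earlier comment worried about.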
  • TankAdmin Reply

    Hi Alex,
    I’m decommissioning the Exchange 2010 but will this remove the Exchange 2016 send connectors
    that were created automatically?

    I just tried to disable and noticed that it disabled the Exchange 2016 server too,

    I need these connectors for SMTP Relay?


    October 28, 2020 at 5:07 am
    • Alex Reply

      If you are going to use a command like get-sendconnector | remove-sendconnector then yes that would be taking all send connectors and removing them. So if you need to keep for SMTP relay, you should not run that.

      October 28, 2020 at 12:30 pm
  • Ron Reply

    Hi Alex, nice article and a lot of useful comments.
    I’m in the process of upgrading our Exchange 2013 Hybrid server to Exchange 2019.
    I’ve read that Exchange 2019 is like 2016R2, so I could follow your steps?
    Two questions though:
    1. You uninstall the former Hybrid server before running HCW, does it still detect the old hybrid server? Isn’t it wiser to start the HCW while the old Exchange Hybrid server is still running?
    2. You write a couple of times that no incoming ports are necessary if only used as hybrid management and SMTP relay for internal devices. But is there no traffic from Microsoft to on-premise? For checks or whatsoever? I’ve been looking for an official statement from Microsoft but can’t find it.
    3. If the new hybrid server is only working as management and SMTP relay, what are the minimum specifications? Microsoft recommends 64GB for an edge server. Is that also applicable for an Exchange 2019 Hybrid (only) server?

    A lot of questions I know, but I hope you are willing to answer them.

    October 29, 2020 at 6:13 am
    • Alex Reply

      Do not move to 2019 if you are trying to have a “Hybrid Only” server. The last version to support the free license for hybrid is Exchange 2016. Before the end of life of 2016, MSFT is going to have a method available by which you can officially remove the last Exchange server from the environment and be completely cloud-based, even if you are using Azure AD Connect to sync identities. We don’t have many details on that yet, but that is the promise; there is no reason to go to 2019 unless your plan is to host mailboxes on-prem.

      As for some of the other questions–it is not a large resource requirement. If it is just a management interface you could do super low, like 8 GB or whatever you want. You should always install the new one first, yes. Remove the old after you have finished setting up the new one and moving HCW over to it.

      October 30, 2020 at 11:50 am
    • Alex Reply

      As well, yes, if there is nothing but hybrid for management, why would you leave incoming ports open? They are not needed, especially when you do the minimal/modern topology which leverages Azure proxy services. The whole point of the proxy is to publish the web services outside of your environment without the need of a firewall. So you can have a completely isolated on-prem web server and push that out to Azure (it is an outbound connection only), and then Exchange Online can communicate as needed via the proxy. The only exception is SMTP; if you need to relay messages to/from on-prem you may need to poke holes in your FW for that. But for straight managing of attributes, no.

      October 30, 2020 at 11:52 am
  • Ron Reply

    Licenses are not an issue for us, Exchange licenses are included in our overall agreement. (Education agreement, nationwide)
    So thank you for your advice, but I would still like an answer to my questions.
    (Which would also apply if we would move to Exchange 2016)

    October 30, 2020 at 11:54 am
    • Alex Reply

      I replied, did you see them?

      October 30, 2020 at 12:02 pm
  • Ron Reply

    Yes sorry, missed that part somehow.
    I can’t really follow you on the proxy bit.
    The new server is only for Exchange management internally. Everything is synced with AD Connect to Azure. SMTP is only outbound for web apps and multifunction printers.
    So if it’s not a requirement for Microsoft for connection tests we don’t need to open port 25 inbound. But I can’t find official documentation from Microsoft on that scenario, they only provide ports for a full blown Exchange environment.

    October 30, 2020 at 1:25 pm
    • Alex Reply

      As you point out in your description of the environment, you only have outbound connections (SMTP out, and syncing via AAD Connect). Therefore, no need to expose the server on the outside. I would shut it down. That is what I do for 100% of environments I touch–remove all inbound dependency and then close up the firewall.

      November 2, 2020 at 9:53 am
  • Vimod Reply

    Hi Alex,
    Nice article. I am planning to upgrade from Exchange 2010 hybrid to 2016 hybrid, and the majority of my users will be on-premises, and currently I am using AD Connect to sync on-prem to Office 365. Is there any configuration change required after migration? Also, after migrating all mailboxes from Exchange 2010 to 2016, I can decommission the Exchange 2010 and run the hybrid configuration wizard, right?

    November 16, 2020 at 6:54 am
    • Alex Reply

      You would execute the migration as normal, updating all virtual directories, SCP, DNS, moving mailboxes, etc. and then re-run the hybrid wizard (you can do this even before you decom 2010).

      November 16, 2020 at 12:07 pm
      • Vimod Reply

        Thanks Alex. Appreciate your help.

        November 19, 2020 at 3:39 am
  • Josh Reply

    Hi Alex, Thanks for this great article!

    My question is, if we previously had a 2016 hybrid server running during our migration and have no mailboxes left on-prem, and we add a new updated 2016 server to the mix, do we need to run the HCW afterwards? Again, this server is strictly for managing the Exchange attributes and there is no mail flow going in or out of our environment.

    I shut down an old server after introducing the new server and was told by MSFT that we didn’t need to run the HCW, but we’re seeing some strange email delivery issues with some email not being delivered to us. Specifically coming from the SendGrid tool.

    January 12, 2021 at 5:02 pm
    • Alex Reply

      The hybrid configuration should not impact the receiving of mail from sendgrid, unless you have your MX records pointed to the on-prem hybrid server rather than 365. I would be looking to other causes. For example, sendgrid often “impersonates” a domain to seem like it is coming from that company. In order for that to work well, the sending domain needs to include sendgrid’s information in their email authentication (DNS) records, so that receiving servers know to accept that mail source on behalf of the sender’s domain.

      January 14, 2021 at 9:11 am
  • Jeronimo Reply

    1.My Exchange 2010 haS a 2016 console WHICH HAS BEEN installed recently, we need TO uninstall the old EAC 2010 and TO leave JUST the EAC 2016. IS IT THERE ANY POSSIBILITY THAT ThESE procedures cOULD affect the service? the emails transport is in O365.
    2. The point 4 is the most difficult ONE FOR me because I’m afraid to execute IT and crash EVERYTHING.
    3. DO We need TO coordinate a window OF maintenance ? Could the service BE AFFECTED? WHAT KIND OF RISKS COULD WE GO THROUGH? COULD WE HAVE A ROLL BACK OF THIS?

    Thanks in advance, Jeronimo.

    February 19, 2021 at 8:35 am
    • Alex Reply

      Jeronimo, it appears that your caps lock is acting up. :)

      If you simply follow the steps in this article there should be zero interruption, especially if you have no transport moving through the on-prem server. It is nothing more than a management UI if all mailboxes are in cloud. The only thing that can affect client connectivity on-prem would be like Outlook anywhere, SCP settings, etc. So as long as those items are square, then you are good to go.

      February 21, 2021 at 1:11 pm
  • Marcel Reply

    Hi Alex,
    Thank you for writing this article.
    I have to phase out two on-premises Exchange 2016 servers in a DAG and replace them with a single Exchange 2016 server installation on a VM in Azure.
    Would the installation of Exchange 2016 as you have explained be the same for my scenario, or should I take additional steps into account?

    Best regards

    March 17, 2021 at 10:05 am
    • Alex Reply

      It is not supported to run Exchange server in Azure, to my knowledge. Do not do this. Just migrate your mailboxes to Office 365. There is seriously no reason to have an old-world exchange server that you manage, on your own network or anywhere else. Are you a fortune 50 company? No? Then you have no business dealing with Exchange, just go to Office 365.

      March 25, 2021 at 5:31 am
      • Marcel Reply

        I forgot to mention something essential all mailboxes are already in Office 365.
        My apologies!.

        We don’t want to have any servers on-premises and therefore we were looking to phase out the on-premises Exchange 2016 DAG and replace it with an Exchange 2016 Server in Azure by following your installation steps. The Exchange 2016 Server in Azure would function as the “last on-premises” server connected via VPN to our office.

        March 25, 2021 at 5:44 am
        • Alex Reply

          Ah, as a hybrid-only/management front end that would probably be okay.

          March 25, 2021 at 10:49 am
  • Harry Reply

    Hi Alex,

    Thanks for writing this blog. I do have one question. We have an Exchange 2010 Hybrid and all mailboxes have been migrated to Exchange Online, and MX records and routing have all been changed to use Office 365. We want to introduce one Exchange 2016 box for management before we decommission our 4 Exchange 2010 boxes. Do we need to introduce the new Exchange 2016 server, set the SCP to NULL for autodiscover and then run the HCW? Or do we also need to do Step 3 and Step 4 as well? Also, do we need to run the HCW at all if only using it for management?

    Thanks in advance

    March 22, 2021 at 8:08 am
    • Alex Reply

      The HCW should be run on the new system because it will update the hybrid configuration object. But after that you should not need to even publish the hybrid server to the outside world–just keep it 100% internal for management. I just follow the process I documented in my own article every time I have to do this. (One of the main reasons I keep this blog is because my own memory banks have limits.)

      March 25, 2021 at 5:35 am
    • Alex Reply

      And actually, it is time to question whether you really want to maintain hybrid anymore, or just move to 100% cloud-managed.

      March 25, 2021 at 5:35 am
  • Nick Reply

    Hi Alex, Thank you for this great article!
    We are running hybrid Exch2010 and all mailboxes have been migrated to O365. Just finished installing Exch2016 and trying to follow your instructions to migrate to Exch2016. I have 2 questions and would like to know your answers:
    1- The AutoDiscover is pointing to:, do I need to Set-ClientAccessServer on Exch2016 to the same AutoDiscover URL as: The reason that I am asking is because we will decom the old Exch2010.
    2- Why do I need to update send connectors if I will remove them when I uninstall Exch2010 (Get-SendConnector | Remove-SendConnector)?
    Thank you and looking forward to your reply

    March 31, 2021 at 9:18 am
    • Alex Reply

      1. Normally you would have an alias such as not the server name, then you just update the DNS entry to point at the new server; but you can change the autodiscover to the cloud ( and remove the SCP if all mailboxes are in the cloud. That way you do not need Exchange exposed via the firewall anymore, either.
      2. You would want to “get” the send connectors on the old server only, so you would need to specify the server name there so that you do not remove ALL connectors on both 2010 and 2016 servers.

      March 31, 2021 at 12:49 pm
  • Sunny Reply

    Hi Alex,
    Thanks for the great article.
    I am also planning to upgrade my environment from Exchange 2010 Hybrid to Exchange 2016.
    I just want to make sure: can we use a different namespace for the on-premises smart host? When I configured Exchange 2010 Hybrid I used so now, while configuring hybrid with Exchange 2016, can I use or do we need to go with the same namespace that I used in the Exchange 2010 Hybrid configuration?
    I will point to my new Exchange 2016 servers.

    April 3, 2021 at 1:12 pm
    • Alex Reply

      If it were me I would just reuse the same name and then update the DNS records after the upgrade is complete. Some on-prem apps may be using an IP too so keep that in mind as well. Any connectors have to be re-created and the allowed IP’s added to the connector on the new server.

      April 6, 2021 at 2:36 pm
  • Tony Reply

    Hi Alex,
    We have an on-prem DAG with two physical EX13 Hybrid servers with O365.
    We want to replace the DAG and these two EX13 servers with one virtual EX16 Hybrid server to do O365 Management and SMTP relay of internal Apps.
    We would like to also use the free Hybrid license.

    If the free hybrid license doesn’t support having databases on the EX16 server, what happens to all of the SearchResults, DiscoverySearch, and Arbitration (SystemMailbox, FederatedEmail, Migration) mailboxes on the EX13 server? Do I delete them?
    Do I need these System and Arbitration mailboxes on the EX16 hybrid server, in which case would I then need a database and the free license can’t be used?

    May 10, 2021 at 11:57 pm
    • Alex Reply

      Don’t overthink it. The free license is good up to Exchange 2016, and just having the arbitration, etc. doesn’t invalidate the license or anything like that. It is also not possible to deploy 2016 without the mailbox database role (it’s just one role). You are not using the mailbox database for anything; you are good to go.

      May 18, 2021 at 3:00 pm
  • Ron Houet Reply

    Hi Alex, you’ve helped me a lot already, but now almost at the end of the migration I’ve another question I hope you’re willing to answer.
    In the final step, running the HCW again, you write: using the true FQDN otherwise it may fail.
    But we don’t have anything published. As you can read back, no publishing or other open ports were necessary if you only want the Hybrid server as a management tool. But we are federated, and Get-HybridConfiguration shows the old hybrid server, at least in Receiving and Sending TransportServers.
    So how can I run the HCW safely? Just fool it by editing the hosts file?
    Are there other considerations with federation?
    Hope you will answer these questions.

    June 11, 2021 at 8:24 am
    • Alex Reply

      Running HCW is very low-risk activity. It should work fine and update the HCW config. Internally make sure DNS is working and resolving the name you want to have represent the server.

      June 11, 2021 at 9:16 am
  • Chris Jones Reply

    When activating the free hybrid license, does the scope include only Exchange Server or does it also activate Windows Server (OSE)? Put another way, does the customer need to cover the Windows Server license to make use of the “free” hybrid Exchange server given that the Windows Server will have only one role?

    Thanks for the great info!

    July 28, 2021 at 12:55 pm
    • Alex Reply

      Yes that is true, the underlying OS is not included. If you have Datacenter (unlimited VMs) then it matters a bit less, but with Standard (2 VMs per license) you might come out needing an additional license, depending on how many other roles you have out there. Some folks just slap the management UI on another existing server. Even a DC (although not “recommended” it is still supported by MSFT, and the best way to mitigate the risks with that is to simply not publish the EAC through the firewall).

      August 4, 2021 at 1:00 pm
  • Gregor Reply

    Hi Alex, thanks for this great article.

    I have an environment where all the mailboxes are in O365, migrated with the cutover method, and they synchronize passwords and directories with Azure AD Connect; we maintain an Exchange Server 2013 as an SMTP relay. My idea is to migrate to Exchange 2016 and run the HCW to make it hybrid.
    Some questions:

    – How do I know whether the current environment is hybrid? I guess it isn’t, and it has me sleepless.
    – If I install a new Exchange 2016 and run the HCW, do I run any risk of affecting the mailboxes in the cloud?

    What recommendations would you give me?

    Thank you very much in advance.

    July 30, 2021 at 3:09 pm
    • Alex Reply

      Should be low risk to do the HCW after upgrading to 2016. I believe there is a cmdlet that allows you to get the hybrid configuration in the org if you want to check it out.

      August 4, 2021 at 12:50 pm
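The cmdlet Alex is thinking of is Get-HybridConfiguration (Ron also refers to it further down). The script below is an added example, not part of the original post or its comments. It is read-only and assumes it runs in the on-premises Exchange Management Shell; it answers Gregor's first question (is this org actually hybrid?) and shows which servers the hybrid object and the connectors still reference, which matters when the old server is about to go away.

```powershell
# Added example (not from the original post). Run in the on-premises Exchange
# Management Shell. Read-only: nothing below changes configuration.

# 1. The hybrid configuration object itself. Absent = the HCW never completed here.
$hybrid = Get-HybridConfiguration -ErrorAction SilentlyContinue
if (-not $hybrid) {
    Write-Host 'No HybridConfiguration object: the HCW has never completed in this org.'
} else {
    Write-Host "Hybrid features            : $($hybrid.Features -join ', ')"
    Write-Host "Domains                    : $($hybrid.Domains -join ', ')"
    Write-Host "Sending transport servers  : $(($hybrid.SendingTransportServers   | ForEach-Object Name) -join ', ')"
    Write-Host "Receiving transport servers: $(($hybrid.ReceivingTransportServers | ForEach-Object Name) -join ', ')"
    Write-Host "Client access servers      : $(($hybrid.ClientAccessServers       | ForEach-Object Name) -join ', ')"
}

# 2. Federation trust and organization relationship carry free/busy sharing with
#    Exchange Online; together with (1) they tell you whether "hybrid" exists.
Get-FederationTrust          | Format-Table Name, ApplicationIdentifier, TokenIssuerUri -AutoSize
Get-OrganizationRelationship | Format-Table Name, DomainNames, FreeBusyAccessEnabled, Enabled -AutoSize
Get-IntraOrganizationConnector -ErrorAction SilentlyContinue |
    Format-Table Name, TargetAddressDomains, Enabled -AutoSize

# 3. Servers the org still knows about, and whether each one answers. A server
#    that is registered but unreachable was probably deleted rather than uninstalled.
$servers = Get-ExchangeServer
$servers | Format-Table Name, ServerRole, AdminDisplayVersion -AutoSize
foreach ($s in $servers) {
    $up = Test-Connection -ComputerName $s.Fqdn -Count 1 -Quiet -ErrorAction SilentlyContinue
    if (-not $up) { Write-Warning "$($s.Name) is registered in AD but does not respond." }
}

# 4. Send connectors are org-wide objects that list their source servers; receive
#    connectors belong to one server. Both must be re-pointed before a server goes.
Get-SendConnector | Format-Table Name,
    @{n='SourceServers'; e={ ($_.SourceTransportServers | ForEach-Object Name) -join ',' }},
    @{n='AddressSpaces'; e={ $_.AddressSpaces -join ',' }}, Enabled -AutoSize
Get-ReceiveConnector | Format-Table Identity, @{n='Bindings'; e={ $_.Bindings -join ',' }}, Enabled -AutoSize
```

If step 1 prints nothing and step 2 shows no organization relationship, the environment was never made hybrid (a cutover migration plus Azure AD Connect alone does not create these objects), which is the situation Gregor describes.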
  • Filip Reply

    Hi Alex,

    we have migrated all mailboxes off of an Exchange 2010 server with the minimal hybrid solution. It has thus not created connectors (no full hybrid).
    Mail flow is routing directly to O365; also, the server is not a virtual SMTP server anymore for printers or apps.
    We want to introduce a new Exchange 2016 server just for management purposes.
    Do we need to run the HCW, as this is just a management server?

    kind regards,

    August 4, 2021 at 7:47 am
    • Alex Reply

      Would it be 100% necessary? Probably not… but I would do it anyway, just to keep the config current/supported.

      August 4, 2021 at 12:48 pm
  • Greg Reply

    Hi Alex, thank you for this excellent article.
    I have a legacy environment where all mailboxes are in the cloud and passwords are synchronized with Azure AD Connect, but they eliminated the Exchange servers (by deleting the VMs). I am currently modifying attributes to manage mailboxes; can I install Exchange 2016 from scratch and run the HCW without risk? Should I respect the name of the organization that I see in the ADSI Edit tool?
    The idea is to install EXCH16 with the hybrid license for administration only. Should I extend the schema and prepare the domain? I understand that I must install EXCH mailbox and run the HCW; should I also configure Azure AD Connect? Any recommendations that you can give me?
    Thank you very much again.

    September 1, 2021 at 4:15 pm
    • Alex Reply

      Yeah I think you could try adding a 2016 server if the old version that was deleted was at least 2010. I am not sure what risks are present with deleted servers of earlier versions (never removed properly), my guess is that the risk is fairly low, and I suspect the 2016 setup will bark at you if it runs into a problem (then see what the error is and follow the breadcrumb trail).

      September 3, 2021 at 1:20 pm
      • Greg Reply

        Alex, thanks for your answer. The Exchange servers that were eliminated were a 2007 that had been migrated to a 2013, and then that server. In theory the administration should be on the 2013 server. But according to the legacy setup, there was no hybrid management, only password hash and objects through Azure AD Connect.
        I still have doubts about taking a wrong step: do you recommend starting the installation of EX2016 together with the schema, or first extending the schema for EX2016 and then starting the installation?
        Thanks again.

        September 6, 2021 at 12:18 pm
        • Alex Reply

          The installation always requires the schema update first. As long as outlook anywhere is disabled and autodiscover is null or redirecting to Exchange Online, you should be good to go; all email clients attach to the cloud rather than local server, right? So all you are doing on-prem is implementing a “front end” management UI. Attributes on-prem should be double-checked that they match cloud (email aliases, primary SMTP, etc.).

          September 9, 2021 at 3:40 pm
          • Greg

            Many thanks Alex, that's correct, all clients attach to the cloud. The old EXCH2013 was used to migrate mailboxes to the cloud and to run SMTP for service accounts and scanners; then the VM was deleted (apparently). Last question: after installing EXCH2016, must I change Azure AD Connect to hybrid Exchange, or run the HCW tool in express mode?
            thanks a lot

            September 9, 2021 at 3:56 pm
          • Alex

            Yes, you can run the HCW to update hybrid configuration object after the new server is installed.

            September 9, 2021 at 4:04 pm
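Two points in Alex's replies to Greg lend themselves to a script: the schema has to be extended before setup (and the org name does not need to be typed in, because the organization container still exists in AD even though the servers were deleted), and on-prem attributes should be checked against the cloud mailboxes once the new server is up. The following is an added example, not from the original post. Part 1 assumes an elevated prompt in the extracted Exchange 2016 CU folder with an account in Schema Admins and Enterprise Admins; Part 2 assumes the Exchange Management Shell on the new server plus the ExchangeOnlineManagement module. Paths and the ADSI details are assumptions.

```powershell
# Added example (not from the original post).

# ----- Part 1: confirm what is left in AD, then extend the schema before setup -----
$root = Get-ADRootDSE

# The Exchange organization container survives deleted servers. Setup discovers
# and reuses this name, so there is nothing to "respect" manually, only to confirm.
Get-ADObject -SearchBase $root.configurationNamingContext `
    -LDAPFilter '(objectClass=msExchOrganizationContainer)' |
    Select-Object Name, DistinguishedName

# Schema version currently in the forest; compare with the rangeUpper value
# Microsoft documents for the CU you are about to install.
(Get-ADObject "CN=ms-Exch-Schema-Version-Pe,$($root.schemaNamingContext)" -Properties rangeUpper).rangeUpper

# Order matters: schema, then org/config objects, then every domain that holds
# mail-enabled objects. Exchange 2016 CU21 and later use the _DiagnosticDataON/OFF
# form of the switch; earlier CUs use plain /IAcceptExchangeServerLicenseTerms.
.\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareSchema
.\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAD
.\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAllDomains

# ----- Part 2: on-prem remote-mailbox attributes vs. the Exchange Online mailbox -----
Connect-ExchangeOnline                      # modern-auth prompt

# Index cloud mailboxes by primary SMTP address. Get-EXOMailbox returns a minimal
# property set unless EmailAddresses is requested explicitly.
$cloud = @{}
Get-EXOMailbox -ResultSize Unlimited -Properties EmailAddresses | ForEach-Object {
    $cloud[$_.PrimarySmtpAddress.ToLower()] = $_
}

function Get-SmtpAliases($addresses) {
    # Compare only smtp: proxies and ignore the tenant routing addresses, which
    # legitimately differ between the two sides (SIP:, SPO:, *.onmicrosoft.com).
    @($addresses | ForEach-Object { "$_".ToLower() } |
        Where-Object { $_ -like 'smtp:*' -and $_ -notlike '*.onmicrosoft.com' } |
        Sort-Object)
}

$report = foreach ($rm in Get-RemoteMailbox -ResultSize Unlimited) {
    $key = "$($rm.PrimarySmtpAddress)".ToLower()
    $cm  = $cloud[$key]
    if (-not $cm) {
        [pscustomobject]@{ User = $rm.Name; Issue = "No cloud mailbox with primary SMTP $key" }
        continue
    }
    $diff = Compare-Object (Get-SmtpAliases $rm.EmailAddresses) (Get-SmtpAliases $cm.EmailAddresses)
    if ($diff) {
        $detail = ($diff | ForEach-Object { "$($_.SideIndicator)$($_.InputObject)" }) -join ' '
        [pscustomobject]@{ User = $rm.Name; Issue = "Alias mismatch (<= on-prem only, => cloud only): $detail" }
    }
}
$report | Format-Table -AutoSize
```

An empty report from Part 2 means every synced user has a matching cloud mailbox with the same smtp: aliases, which is the state you want before the HCW is run and before any attribute is edited from the new EAC.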
  • MrHoosFoos Reply

    This is one of the better articles I have come across on upgrading an Exchange 2010 Hybrid environment to Exchange 2016 Hybrid.
    One thing I am seeing – while I am running the Exchange 2016 setup wizard, I am presented with a dialog stating “Setup has detected that you’ve configured a hybrid deployment with Office 365. Setup must verify that your Office 365 tenant is ready for a hybrid deployment with Exchange Server. Enter the credentials for your Office 365 tenant, and then Setup will verify that your tenant supports Exchange Server in your on-premises organization. Enter the credentials of an Office 365 account that’s a member of the Organization Management role group.”

    I am a little confused… if it sees that we have a hybrid config already (Exchange 2010 Hybrid, Azure AD Connect, ADFS, all mailboxes migrated to Exchange Online a long time ago, etc.)… then why does it need to check if our organization is ready? And – whatever credentials I provide – I assume that MFA accounts can’t be used. And will these creds be used like a service account? Or is this just a one time use… like it will just use these creds one time to check stuff?

    I know this is an older post… so hope you see this question!

    September 9, 2021 at 8:37 pm
    • Alex Reply

      Yes it would be a one-time deal when it reads the config online (and it should support a modern auth prompt, I assume). Not sure why it wants that, but yeah.

      September 10, 2021 at 2:07 pm
  • Marko Reply

    Thank you for this great article. We have been running in Hybrid Exchange 2010 with Office365 for a few years now. Having the On-prem AD, we kept the Exchange 2010 and have been using it as part of Authority Source, to create MailUser/DistroGroups and all this would be synced to Office365 (exchange online) where UserMailboxes are and all data.
    At this point, we want to upgrade hybrid 2010 to hybrid 2016 Exchange, before upgrading the DCs (2008 R2 towards 2019). Considering our Exchange 2010 is only used for management purposes, is there anything different we should do during the upgrade process?

    September 17, 2021 at 6:56 am
    • Alex Reply

      Nope. That just makes it easier because you don’t have to worry about moving relays, etc.

      September 19, 2021 at 10:39 am
  • Arvin Reply

    hi Alex,

    A great article you’ve there. Thanks for sharing.

    I have a question if you don’t mind helping.
    We were already running Exchange 2016 before we went into Hybrid Mode.
    Can I perform the same steps above: build a server, install Exchange 2019 and get rid of all Exchange 2016 servers without affecting anything?

    October 5, 2021 at 2:32 am
    • Alex Reply

      2016 is the last version approved for the “free hybrid” license. The speculation on the street is that they will have, before the end of life for 2016, a new announcement about removing the need for hybrid altogether, though what that looks like is not yet known. I do not believe the goal will be to have 2019 hang around as a hybrid server though.

      October 15, 2021 at 3:03 pm
      • Arvin Reply

        Thanks for getting back to me, Alex.

        Set aside the license costs. Is it doable with Exchange 2019?
        Or Can I build another server with Exchange 2016 and move all Exchange roles to it?


        October 17, 2021 at 4:19 pm
        • Alex Reply

          I am not sure about hybrid with 2019; I have never set one up. Usually I am moving folks from on-prem, to cloud, and coming from something older than 2019. The goal in SMB is generally to get rid of servers, and I think we are getting close to being able to do away with the legacy hybrid stuff (timeframe unknown but again I would suspect before end of life on 2016).

          October 17, 2021 at 4:34 pm
          • Arvin

            Yeah. I won’t touch it if I don’t have to.
            Unfortunately, I cannot migrate the servers (exchange 2016) from HyperV to Nutanix.

            I will submit a job with Microsoft and see what they advise.

            Thanks again.

            October 17, 2021 at 4:38 pm
  • Arvin Reply

    I heard back from Microsoft.

    This is what they’ve advised:
    Exchange 2019 supports hybrid deployments with Microsoft 365 or Office 365 organizations that have been upgraded to the latest version of Microsoft 365 or Office 365. Currently, there is no plan to discontinue hybrid setup especially on the latest exchange server OS.

    October 17, 2021 at 10:15 pm
  • Marcel Reply

    Hi Alex.
    First of all: thank you for your great guide! It was really useful and practical.
    We have been running a hybrid config with an old Exchange 2010. All mailboxes live in Office365 now.
    All we needed the old 2010-box for is for AAD Connect / Legacy Management. So no real hybrid mail/flow anymore, but we do need AAD Connect.
    I installed a new Exchange 2016 and got to step 8. This is where I am a little confused. The new Exchange 2016 works great and we want to get rid of the old 2010. You point to your own article (removing it from SBS2011).
    But there you say: “Therefore, only proceed with the below if you are positive that you do not have a hybrid connection, and/or Directory Synchronization in place.”
    But we do (the new 2016) and don’t want to lose that? Won’t uninstalling the old 2010 remove the AAD-connect/DirSync?

    October 26, 2021 at 4:52 am
    • Alex Reply

      For the 2010 box, do not use the commands as written, as those get ALL connectors across all servers, etc. and remove them. Instead, just remove the connectors, etc. from the 2010 server specifically before running the uninstall.

      October 27, 2021 at 2:32 pm
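Both Nick (the `Get-SendConnector | Remove-SendConnector` question above) and Marcel here hit the same hazard: the cleanup commands in the SBS2011 removal article enumerate every connector in the organization, not just the old server's. The script below is an added example, not from the original post, that scopes the cleanup to the server being uninstalled. It assumes the Exchange 2016 Management Shell, and the names OLD-EX2010 and DB-EX2016-01 are placeholders.

```powershell
# Added example (not from the original post): cleanup scoped to the server that
# is about to be uninstalled. Every destructive cmdlet carries -WhatIf; remove it
# only once the preview lists exactly what you expect.
$OldServer   = 'OLD-EX2010'      # assumed name of the legacy server
$NewDatabase = 'DB-EX2016-01'    # assumed name of the 2016 mailbox database

# Receive connectors belong to one server, so -Server scopes the query safely.
Get-ReceiveConnector -Server $OldServer |
    Remove-ReceiveConnector -Confirm:$false -WhatIf

# Send connectors are org-wide; a server is only listed as a *source* on them and
# Get-SendConnector has no -Server parameter. Decide per connector.
foreach ($sc in Get-SendConnector) {
    $sources = @($sc.SourceTransportServers | ForEach-Object Name)
    if ($sources -notcontains $OldServer) { continue }            # old server not involved
    if ($sources.Count -gt 1) {
        # Other servers also source it: just drop the old one from the list.
        Set-SendConnector -Identity $sc.Identity `
            -SourceTransportServers ($sources | Where-Object { $_ -ne $OldServer }) -WhatIf
    } else {
        # The old server was the only source. If the route is still needed (for
        # example the hybrid outbound connector), re-point it at the 2016 server
        # with Set-SendConnector instead of removing it.
        Remove-SendConnector -Identity $sc.Identity -Confirm:$false -WhatIf
    }
}

# Uninstall also refuses to run while any mailbox remains on the server. With all
# user mailboxes in Exchange Online that normally leaves only the arbitration
# (system) mailboxes, which move like any other mailbox.
Get-Mailbox -Arbitration | Where-Object ServerName -eq $OldServer |
    New-MoveRequest -TargetDatabase $NewDatabase -WhatIf

# Anything still listed here must be moved or removed before setup /mode:uninstall.
Get-Mailbox -ResultSize Unlimited | Where-Object ServerName -eq $OldServer |
    Select-Object Name, Database
```

Azure AD Connect is not touched by any of this: it reads the directory, not the Exchange server, so uninstalling the 2010 box does not remove directory synchronization as long as the 2016 server (and the schema it depends on) stays in place.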
  • Anthony Paladino Reply

    Hi Alex,

    Thanks for this awesome article. We have a hybrid Exchange 2010 on-prem environment that is only used for onboarding; then, in the event an employee leaves, we offboard the mailbox back on-prem for a period of time until we can get rid of it. I am curious: if we were to move to a free hybrid-only license and lose the ability to host mailboxes, would we then lose the ability to first create the mailbox on-prem and then migrate it to O365 like we do currently? I can’t find any clear direction on how onboarding works.

    March 1, 2022 at 4:36 pm
    • Alex Fields Reply

      It is unnecessary to create on-prem first. Just create a user, let it sync to cloud, then add license (which provisions mailbox). Some folks script this process too, but otherwise just make a checklist.

      March 3, 2022 at 6:08 pm
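Alex mentions that some people script the create-user, sync, license sequence. The following is an added example of that sequence, not from the original post. It uses New-RemoteMailbox on the hybrid server (which creates the AD account with the Exchange attributes already stamped for a cloud mailbox, so no on-prem mailbox is ever created), triggers a delta sync on the Azure AD Connect server, then assigns the license through Microsoft Graph. The user, OU, UPN suffix, server name and SKU are assumptions.

```powershell
# Added example (not from the original post): onboard a user when all mailboxes
# live in Exchange Online. Step 1 runs on the Exchange 2016 hybrid server, step 2
# needs PowerShell remoting to the Azure AD Connect server, step 3 needs the
# Microsoft.Graph modules. All names below are assumptions.

# --- 1. Create the AD user with cloud-mailbox attributes (no on-prem mailbox) ---
$pw = Read-Host -AsSecureString -Prompt 'Initial password'
New-RemoteMailbox -Name 'Jane Doe' -FirstName Jane -LastName Doe `
    -SamAccountName jdoe -UserPrincipalName jdoe@contoso.com `
    -OnPremisesOrganizationalUnit 'OU=Users,DC=contoso,DC=local' `
    -Password $pw -ResetPasswordOnNextLogon $true

# --- 2. Push the new object to Azure AD now instead of waiting for the scheduler ---
Invoke-Command -ComputerName AADCONNECT01 -ScriptBlock {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}

# --- 3. Assign the license; Exchange Online provisions the mailbox from it ---
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'

# Wait until the synced object is visible in Azure AD before touching it.
do {
    Start-Sleep -Seconds 30
    $u = Get-MgUser -UserId jdoe@contoso.com -ErrorAction SilentlyContinue
} until ($u)

# Licensing requires a usage location on the account; SPB is the Microsoft 365
# Business Premium SKU part number (assumed; pick the SKU you actually own).
Update-MgUser -UserId $u.Id -UsageLocation US
$sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq 'SPB'
Set-MgUserLicense -UserId $u.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()
```

Because the object was created with New-RemoteMailbox, the on-prem copy already carries the targetAddress and proxyAddresses that the cloud mailbox will use, so later edits from the EAC on the hybrid server stay consistent with the tenant.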
  • mario Reply

    Yes, at that point the mailbox will be provisioned in the cloud upon assigning the o365 license.

    March 1, 2022 at 4:54 pm
  • Dan Reply

    Hi Alex – hoping you can help me out. With the new 2019 CU release we were hoping to finally remove Exchange 2010. We have had all our mailboxes in O365 for many years and did the migration using BitTitan. We never used Exchange hybrid at all. Have had no issues at all. The directions in the new CU said you have to first get to Exchange 2016 and then can use the directions here ( to finally remove Exchange on-prem. Using the directions here I installed Exchange 2016, but now I have users getting the certificate error when they open Outlook from the 2016 server and also getting “Outlook is unable to connect to the proxy server, error code 20” for the old 2010 Exchange server. Also, users cannot open a shared calendar that they have access to; it just says network problems are preventing connection to the Exchange server. I have done no other steps except to install 2016. There is no SCP on the old server and I don’t think I need the other steps since we haven’t used the 2010 server in years. Do I just need to uninstall the 2010 server and then run the Hybrid Configuration Wizard? Thanks for any help.

    April 27, 2022 at 1:10 pm
    • Alex Fields Reply

      Make sure you have no autodiscover scp, no outlook anywhere enabled on prem. If you have all mailboxes in O365 then that is simply not needed on-prem. Be advised that we now have the option to remove the last Exchange server so that is also an option for some organizations who want to take it (you don’t need to keep one anymore). Otherwise if you want to keep the hybrid exchange server on-prem you can do so with a single server, usually the newest one, and all others would be removed. For more info on removing last Exchange server, see:

      April 29, 2022 at 11:53 am
      • Dan Reply

        Thanks Alex – We had removed the SCP for the Exch 2010 server when we migrated to O365, but when we just installed the new Exch 2016 server it created a new SCP for itself, which was causing the problems. We deleted the SCP and that solved the issue. We plan on uninstalling Exch 2010 and then running the Exch 2019 AD schema prep and installing the 2019 tools as described here – Then run the script to be able to shut down and remove (not uninstall) the Exch 2016 server. Thanks for your help.

        April 29, 2022 at 12:54 pm
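Dan's follow-up is the practical lesson behind Alex's "no Autodiscover SCP, no Outlook Anywhere" advice: Exchange setup registers an SCP for every server it installs, so the step has to be repeated after the new server goes in. The script below is an added example, not from the original post. It audits the SCPs at the AD level (so records left by servers that were deleted instead of uninstalled also show up), nulls the new server's SCP, and disables Outlook Anywhere on the 2010 box. NEW-EX2016, OLD-EX2010 and contoso.com are assumed names; the ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not from the original post). Run from the Exchange 2016 Management
# Shell, except the Disable-OutlookAnywhere line, which is a 2010-only cmdlet and
# must be run from the Exchange 2010 shell.
$NewServer  = 'NEW-EX2016'     # assumed
$OldServer  = 'OLD-EX2010'     # assumed
$MailDomain = 'contoso.com'    # assumed primary SMTP domain

# 77378F46-... is the keyword domain-joined Outlook searches for when it looks up
# Autodiscover SCPs in the configuration partition. Query AD directly so that
# orphaned records (deleted VMs) are listed alongside live servers.
$cfg = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase $cfg -Properties serviceBindingInformation `
    -LDAPFilter '(&(objectClass=serviceConnectionPoint)(keywords=77378F46-2C66-4aa9-A6A6-3E7A48B19596))' |
    Select-Object Name, @{n='Uri'; e={ $_.serviceBindingInformation -join ',' }}, DistinguishedName

# The same records as Exchange sees them (only servers it still knows about).
Get-ClientAccessServer | Format-Table Name, AutoDiscoverServiceInternalUri -AutoSize

# Null the new server's SCP. Outlook then falls through to DNS
# (autodiscover.<domain> CNAME autodiscover.outlook.com) and lands in Exchange Online.
Set-ClientAccessServer -Identity $NewServer -AutoDiscoverServiceInternalUri $null

# Exchange 2010 can switch Outlook Anywhere off; 2013 and later cannot, so for the
# 2016 server the control is simply never publishing its namespaces (no public
# DNS record, no firewall rule). Run the next line from the 2010 shell.
Disable-OutlookAnywhere -Server $OldServer -Confirm:$false
Get-OutlookAnywhere | Format-Table Identity, ExternalHostname, InternalHostname -AutoSize

# Verify the DNS side from a client: the CNAME should point at Microsoft, not on-prem.
Resolve-DnsName "autodiscover.$MailDomain" -Type CNAME -ErrorAction SilentlyContinue |
    Format-Table Name, NameHost -AutoSize
```

After this, rerunning the first query should show every SCP with an empty Uri (or no on-prem SCP at all), which is the state Alex describes as safe for a management-only hybrid server.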
  • Quintin Giesbrecht Reply

    Hi there. Thanks for this step by step. Very helpful. I do have a question. As Ex2019 is out and now available for hybrid only, I am trying to upgrade my Ex2013 to 2019… so I have Ex2019 installed on a server, and it appears everything is working. I haven’t worried about transferring my certs over yet (I will probably create new self-signed ones, as this won’t be public facing anymore, and only used for admin). In any case, I digress…

    The question I have is, you mention that the HCW should detect that you already have a hybrid config, and prompt you to upgrade it. Mine does not. When I go through it, it selects the new server as the best option, which is great, and as I navigate through, it prompts me to configure various things. Server names are defaulted to the old one, so I manually change to the new one…but I have not configured it yet, as I understood that it would prompt me to upgrade my current config, and that is not an option that was presented to me.

    Also, I have not yet uninstalled 2013, as I am a little afraid to :)

    One more thing. I am not using any connectors, as no email is flowing via my on-prem. We have a 3rd party spam filter, and it is configured to relay direct to our MS365 tenant, and email is sent direct from MS for outgoing… all of our devices that need SMTP send direct through our MS365 tenant. So, when I got the certificate page in the HCW, that doesn’t really matter, does it? There is no officially purchased cert displayed, just a self-signed one. I assume I can use that, or create my own self-signed one, correct?

    Sorry for the novel :)

    Have a great day!

    August 15, 2022 at 6:53 pm
  • Doug Mitchell Reply

    Hello Alex,
    My setup is hybrid with all mailboxes in O365.

    On-prem we have 2 x 2013 servers used for management and mail relay.

    I would like to add 2 x 2019 servers to initially run concurrently with the 2013 ones then move all apps and services that use relay from 2013 to 2019.

    My question is:

    Can I configure the new 2019 boxes’ connectors, certs, etc. the same as the 2013 > test email relay and mailbox management > if all OK > move all apps to use 2019 as mail relay > power off 2013 servers (test nothing is pending) > and then run the HCW?

    Or do I need to run the HCW after the new 2019s are in coexistence?

    And then run the HCW again after decommissioning the 2013 boxes?

    The HCW scares me a lot! I’m afraid of losing the connection to O365… Thanks m

    March 7, 2023 at 6:46 am
