Step-by-Step: How to upgrade a Legacy Hybrid Exchange Server to 2016
One of the most common frustrations I hear from readers and clients alike is the requirement for keeping a hybrid Exchange server around, even well after all of your mailboxes have been moved to the cloud. Microsoft’s official stance regarding hybrid is this: If you remove the last legacy Exchange server from your domain in a hybrid environment, then you should also remove Azure Active Directory Connect (your ability to synchronize passwords to the cloud).
And that’s crazy. Because Azure AD Connect comes with so many cool features! For example, most SMBs don’t want to lose the ability to synchronize local AD passwords and enable self-service password resets. Other organizations want to keep Azure AD Connect for enabling true single sign-on (SSO), pairing it with Active Directory Federation Services (AD FS).
So what are we to do? You have two choices. If all you care about is password sync, and you have fewer than 100 users in your organization, you might consider switching to the Windows Server Essentials Experience password synchronization feature instead. If that isn’t going to work for you, I have one more solution to offer:
Upgrade your legacy Exchange server to Exchange 2016. I know, I know–that means you still need to keep an Exchange server around. But guess what? It doesn’t need to do much–it’s basically just a management UI, and it can be installed onto any member server, or it can even be added to a Domain Controller (note: technically supported, but not necessarily recommended). Several of my clients have opted to move toward this configuration, until Microsoft figures out a way to get rid of Exchange servers on-prem for good, while still keeping Directory Synchronization (or maybe we’ll just move AD/DNS to the cloud too…).
Before you begin: Prepare for the Upgrade
The main thing you should do here is identify what you have now, what you are moving to, and where everything is going to live at the end of the day.
Azure Active Directory Connect: If you still have DirSync, you’ll need to upgrade it to Azure AD Connect. This tool can be downloaded from Microsoft and upgraded in-place, in many instances. Otherwise, see this article for more information. I will oftentimes move this utility to the same server where I intend to install Exchange 2016.
Exchange Server 2016: Before you begin, it is a good practice to install the pre-requisites and run the schema extensions & Active Directory preparations. You might also want to run updates on the source and destination servers–make sure you’re current on Windows Server patches, Exchange service packs, cumulative updates, etc.
Mailboxes and Public Folders: In most of the environments I work in, all mailboxes and public folders have already been moved to the cloud–I don’t deal that much with cases where some mailbox data remains on-premises. But you will have to provision space and databases on the new server if you intend to keep an environment like that.
Step 1. Add Exchange Server 2016 to your environment
You need to install the entire Mailbox role; there is no “lite” or hybrid-only installation option. To obtain the installation packages, simply download the latest cumulative update package from Microsoft. The setup GUI installs the majority of the prerequisites for you as well. Note that you might have to download a couple of packages separately, such as a .NET Framework update and the Unified Communications Managed API 4.0 runtime.
Once Exchange is installed, you can activate the server using a free hybrid license key (with qualifying Enterprise Office 365 plan). From the EAC, input the key by browsing to servers.
Update: You don’t have to get a special key now, the Hybrid Config Wizard will activate “hybrid only” mode for you.
Step 2. Update the Service Connection Point (SCP)
Next, you will want to update the SCP on the new server so that it refers to whatever name is assigned on the old Exchange server. This is quick and painless, but if you skip this step, Outlook clients on the LAN may throw a certificate warning. You can update this property using the Exchange Management Shell.
To view the SCP on the old server, type:
Get-ClientAccessServer -Identity OldServerName | fl
Look for the “AutoDiscoverServiceInternalURI” property here. For example, this might look like:
https://autodiscover.company.com/Autodiscover/Autodiscover.xml
Or it might be mail.company.com/Autodiscover…. Whatever you see as the output here, this is the value you need to apply on the new server. To do this, you can type:
Set-ClientAccessServer -Identity NewServerName -AutoDiscoverServiceInternalURI https://autodiscover.company.com/Autodiscover/Autodiscover.xml
If you are executing this from the new Exchange 2016 server, you will probably get a notice that the Get-ClientAccessServer cmdlet is being deprecated, meaning that after this version of Exchange it will no longer exist. That’s because the Client Access role no longer exists (Exchange 2016 is just the Mailbox role now). Instead, there is a new cmdlet, Get-ClientAccessService. The legacy cmdlet still works for now, though.
Step 3. Import the Exchange UCC certificate (optional)
This part is simple, just export the certificate from the source server, and import it on the destination server. It is also optional, since certificates aren’t important if all of your mailboxes reside in the cloud, and there is no secure cross-premises mail flow requirement.
You can find the certificate settings under servers > certificates. Remember to edit the certificate afterward (using the pencil icon) and associate services with it.
Step 4. Update Exchange Virtual Directories & Outlook Anywhere settings
Although you can manually go through and update each one of these through the GUI, this can be accomplished more quickly with PowerShell. Edit the values of the $ServerName and $FQDN variables below to match your own environment.
$ServerName = "EXCH16"
$FQDN = "mail.company.com"
Get-OWAVirtualDirectory -Server $ServerName | Set-OWAVirtualDirectory -InternalURL "https://$($FQDN)/owa" -ExternalURL "https://$($FQDN)/owa"
Get-ECPVirtualDirectory -Server $ServerName | Set-ECPVirtualDirectory -InternalURL "https://$($FQDN)/ecp" -ExternalURL "https://$($FQDN)/ecp"
Get-OABVirtualDirectory -Server $ServerName | Set-OABVirtualDirectory -InternalURL "https://$($FQDN)/oab" -ExternalURL "https://$($FQDN)/oab"
Get-ActiveSyncVirtualDirectory -Server $ServerName | Set-ActiveSyncVirtualDirectory -InternalURL "https://$($FQDN)/Microsoft-Server-ActiveSync" -ExternalURL "https://$($FQDN)/Microsoft-Server-ActiveSync"
Get-WebServicesVirtualDirectory -Server $ServerName | Set-WebServicesVirtualDirectory -InternalURL "https://$($FQDN)/EWS/Exchange.asmx" -ExternalURL "https://$($FQDN)/EWS/Exchange.asmx" -BasicAuthentication $true
Get-MapiVirtualDirectory -Server $ServerName | Set-MapiVirtualDirectory -InternalURL "https://$($FQDN)/mapi" -ExternalURL "https://$($FQDN)/mapi"
Get-OutlookAnywhere -Server $ServerName | Set-OutlookAnywhere -ExternalHostname $FQDN -InternalHostname $FQDN -ExternalClientsRequireSsl $true -InternalClientsRequireSsl $true -DefaultAuthenticationMethod NTLM
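Once steps 2 through 4 are done, it is worth checking the result before pointing DNS at the new box: every URL the server can hand to a client should use the published FQDN, and the certificate enabled for IIS should actually cover that name (a mismatch is exactly what produces the LAN certificate warning mentioned in step 2). The following verification script is an added example, not code from the original post; it assumes the Exchange Management Shell, and the server name and FQDN are placeholders.

```powershell
# Added example, not code from the original post: after steps 2-4, confirm that
# every URL the new server hands to clients uses the published FQDN and that an
# unexpired certificate enabled for IIS covers that name. Assumes the Exchange
# Management Shell; the server name and FQDN below are placeholders.
$ServerName = "EXCH16"
$FQDN       = "mail.company.com"

# Gather every client-facing URL: the SCP, each virtual directory, and Outlook Anywhere.
$urls = @()
$scp = (Get-ClientAccessService -Identity $ServerName).AutoDiscoverServiceInternalUri
$urls += [pscustomobject]@{ Source = "SCP (AutoDiscoverServiceInternalUri)"; Url = $scp }

$vdirCmdlets = "Get-OwaVirtualDirectory", "Get-EcpVirtualDirectory", "Get-OabVirtualDirectory",
               "Get-ActiveSyncVirtualDirectory", "Get-WebServicesVirtualDirectory",
               "Get-MapiVirtualDirectory"
foreach ($cmdlet in $vdirCmdlets) {
    foreach ($vdir in (& $cmdlet -Server $ServerName)) {
        $urls += [pscustomobject]@{ Source = "$($vdir.Name) InternalUrl"; Url = $vdir.InternalUrl }
        $urls += [pscustomobject]@{ Source = "$($vdir.Name) ExternalUrl"; Url = $vdir.ExternalUrl }
    }
}

# Outlook Anywhere stores host names rather than URLs; build a URL only when a name is set.
$oa = Get-OutlookAnywhere -Server $ServerName
$oaNames = @{ "OutlookAnywhere InternalHostname" = $oa.InternalHostname
              "OutlookAnywhere ExternalHostname" = $oa.ExternalHostname }
foreach ($key in $oaNames.Keys) {
    $url = $null
    if ($oaNames[$key]) { $url = "https://$($oaNames[$key])/rpc" }
    $urls += [pscustomobject]@{ Source = $key; Url = $url }
}

# Names covered by unexpired certificates that are enabled for the IIS service.
$certNames = Get-ExchangeCertificate -Server $ServerName |
    Where-Object { $_.Services -match "IIS" -and $_.NotAfter -gt (Get-Date) } |
    ForEach-Object { $_.CertificateDomains | ForEach-Object { $_.ToString() } }

function Test-NameCovered {
    param([string]$HostName, [string[]]$Names)
    foreach ($name in $Names) {
        if ($name -eq $HostName) { return $true }
        # A wildcard entry covers exactly one label: *.company.com matches
        # mail.company.com but not a.b.company.com.
        if ($name.StartsWith("*.") -and $HostName -like $name -and
            ($HostName -split "\.").Count -eq ($name -split "\.").Count) { return $true }
    }
    return $false
}

# One line per URL, so a host mismatch or an uncovered name stands out.
foreach ($entry in $urls) {
    $hostName = ""
    if (-not $entry.Url) {
        $status = "EMPTY (fine for the SCP if you intend to null it out)"
    } else {
        $hostName = ([uri]$entry.Url).Host
        if ($hostName -ne $FQDN) {
            $status = "HOST MISMATCH (expected $FQDN)"
        } elseif (-not (Test-NameCovered -HostName $hostName -Names $certNames)) {
            $status = "NOT COVERED BY IIS CERTIFICATE"
        } else {
            $status = "OK"
        }
    }
    [pscustomobject]@{ Source = $entry.Source; Host = $hostName; Status = $status }
}
```

Run it from the new server after importing the certificate in step 3; every row should read OK except an SCP you deliberately emptied.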
Step 5. Add anonymous SMTP relay connector (if applicable)
If you are using your local Exchange server as an SMTP relay for line of business applications or multifunction printers, then be sure to add a relay connector on the new server to take over this function. Here is an example of how to create a connector quickly in PowerShell that allows certain IPs to anonymously relay from the local data subnet.
New-ReceiveConnector -Name "Allowed Anonymous Relay" -Usage Custom -TransportRole FrontEnd -PermissionGroups AnonymousUsers,ExchangeServers -AuthMechanism Tls,ExternalAuthoritative -Bindings 10.0.0.21:25 -RemoteIPRanges 10.0.0.30-10.0.0.40,10.0.0.170,10.0.0.181
Note that the “Bindings” and “RemoteIPRanges” in the above example would need to be edited to match the values that are appropriate from your own environment. Once you have this added, you can reconfigure your devices and applications to start using the new server, instead of the old one.
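One caveat worth keeping in mind with the connector above: ExternalAuthoritative (“externally secured”) tells Exchange to treat every host in RemoteIPRanges as a fully trusted, authenticated source, so that IP list is the only thing standing between you and an open relay. The audit script below is an added example, not code from the original post; it lists every receive connector on the new server that can relay for unauthenticated senders and flags ranges that are wide open or not on private address space. It assumes the Exchange Management Shell, and the server name is a placeholder.

```powershell
# Added example, not code from the original post: audit every receive connector
# on the new server and report the ones that can relay for unauthenticated
# senders, together with how widely their RemoteIPRanges are scoped.
# Assumes the Exchange Management Shell; the server name is a placeholder.
$ServerName = "EXCH16"

# RemoteIPRanges entries that turn an anonymous relay connector into an open relay.
$openRanges = @("0.0.0.0-255.255.255.255", "0.0.0.0/0", "::/0")

function Test-PrivateIPv4 {
    # True for RFC 1918 space (10/8, 172.16/12, 192.168/16); false for anything else,
    # including IPv6. Throws if the text is not an IP address at all.
    param([string]$Address)
    $bytes = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    if ($bytes.Length -ne 4) { return $false }
    return ($bytes[0] -eq 10) -or
           ($bytes[0] -eq 172 -and $bytes[1] -ge 16 -and $bytes[1] -le 31) -or
           ($bytes[0] -eq 192 -and $bytes[1] -eq 168)
}

foreach ($rc in Get-ReceiveConnector -Server $ServerName) {
    # Two ways a connector ends up relaying for anyone who can reach it:
    # 1) "Externally secured": every source in RemoteIPRanges is treated as a
    #    trusted Exchange server (this is what the connector above relies on).
    $externallySecured = $rc.AuthMechanism -match "ExternalAuthoritative"
    # 2) Anonymous users explicitly granted the accept-any-recipient right in AD.
    $anonRelay = $false
    if ($rc.PermissionGroups -match "AnonymousUsers") {
        $anonRelay = [bool](Get-ADPermission -Identity $rc.Identity |
            Where-Object { $_.User -like "*ANONYMOUS LOGON*" -and -not $_.Deny -and
                           ($_.ExtendedRights -like "*Accept-Any-Recipient*") })
    }
    if (-not ($externallySecured -or $anonRelay)) { continue }

    # Check each allowed range: "a.b.c.d", "a.b.c.d-e.f.g.h" or "a.b.c.d/n".
    $findings = @()
    foreach ($range in $rc.RemoteIPRanges) {
        $text = $range.ToString()
        if ($openRanges -contains $text) { $findings += "open to the Internet: $text"; continue }
        $first = ($text -split "[-/]")[0]
        try {
            if (-not (Test-PrivateIPv4 $first)) { $findings += "non-private range: $text" }
        } catch {
            $findings += "unparsed range: $text"
        }
    }
    $summary = "scoped to private addresses only"
    if ($findings.Count -gt 0) { $summary = $findings -join "; " }

    [pscustomobject]@{
        Connector          = $rc.Name
        Bindings           = ($rc.Bindings -join ", ")
        ExternallySecured  = $externallySecured
        AnonymousRelay     = $anonRelay
        RemoteIPRangeCount = $rc.RemoteIPRanges.Count
        Findings           = $summary
    }
}
```

Any connector that shows up here with a finding other than “scoped to private addresses only” deserves a second look before the old server is switched off.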
Step 6. Update DNS and firewall rules, and update send connectors
At this time, you can update any local DNS entries for stuff like “mail.” or “autodiscover.”–the traffic on the local LAN segment will start to flow through the new Exchange server. To make the same change for external users/services, you can just update your firewall NAT rules to point at the new server as well.
One last note, you will also want to update the send connectors by navigating to mail flow > send connectors. Associate the connector to the new server by clicking edit (the pencil), then scoping. Find the source server settings, remove the source server and add the new server.
Step 7. Migrate any remaining mailbox data (if applicable)
A quick method for finding and migrating any remaining mailbox data is to use PowerShell. Note that you should already have set up and configured your storage volumes and mailbox databases on the new server before doing this.
Get-Mailbox -Server OldServerName | New-MoveRequest
Get-Mailbox -Arbitration -Server OldServerName | New-MoveRequest
The above suggested cmdlets are probably over-simplified for larger, complex hybrid environments with a lot of on-premises mailboxes, but again in 99% of the organizations I work with, the issue is in the other direction–small to midsized businesses typically want less server footprint, period, and would be happiest if they could get rid of all their servers, so there aren’t usually any mailboxes left anyway.
Step 8. Uninstall the Legacy Exchange Server
You can now remove the old 2010 server from the environment. Go here for more details. It was written for SBS server, but the instructions are also valid for other versions of Exchange 2010.
Step 9. Run the new hybrid configuration wizard
Last, you can update your hybrid configuration from 2010 to 2016 by running the Hybrid Configuration Wizard. Since you already have a hybrid connection, it should detect this and allow you to upgrade it. You can find the wizard download by navigating to hybrid on the left menu in the Exchange Admin Center. Be sure that you are accessing the EAC using the true FQDN (e.g. https://mail.company.com/ecp/?ExchClientVer=15)–just don’t use “localhost” or the internal server name–otherwise the wizard may fail.
Be prepared with your local and remote credentials to get through the wizard successfully.
Conclusion
This is really a straightforward process, and once it’s done, you’ll be able to get rid of that pesky old Exchange 2010 server once and for all. I have written at length about the alternatives. You could just retire DirSync/Azure AD Connect and use something simple in its place, such as the Essentials Experience with Online Services integration. But that’s not a true Directory Synchronization, and not ideal for many organizations. This is the path I typically recommend instead.
Comments (171)
Great article! I’ve found it very useful in setting up my own Exchange management server.
A couple of questions though if you mind.
Once all mailboxes have been migrated from on premise to EOP and all the DNS records have been updated to O365 is there any further need for an SSL certificate?
Shouldn’t the SCP record be removed as shown in the MS article
https://technet.microsoft.com/en-us/library/dn931280(v=exchg.150).aspx
Thanks!
So this depends on your needs/circumstances. If you still intend to have the server act as a local relay and you want the hybrid functionality of secure mailflow from the on-premises server to 365, then you would keep the certificate in place. However, if you really don’t need that functionality, or have any need of mailboxes on-premises at all, then the cert is optional, and the front-end is really just a management interface at that point. All synchronization of that data takes place via AAD Connect, and does not depend on Exchange (but Exchange is needed to edit certain attributes related to mail). The SCP can be removed, that is okay, during a cutover, I usually leave the SCP live, because this will quickly redirect Outlook clients to 365 automatically. However, it is not needed after cutover is completed, and there are zero mailboxes on-premises.
If you find that outgoing mail to O365 isn’t working after updating the send connectors in step 6, check the permissions on your certificate. This had me hung up for a while. I enabled protocol logging on the send connector as described in the comments here:
https://social.technet.microsoft.com/Forums/lync/en-US/f3f547c0-66ec-4c27-9c4d-fcb6c749a3fb/emails-are-not-going-out-all-emails-stuck-in-queue-exchange-2013?forum=exchangesvrsecuremessaging
to discover an error with the certificate: “TLS negotiation failed with error UnknownCredentials”. I found the solution here:
https://ammarhasayen.com/2016/07/19/exchange-2016-hybrid-tls-negotiation-failed-with-error-unknowncredenta/
In the Certificates mmc snap-in, right click the exchange certificate, go to All Tasks > Manage Private Keys. Then add “NETWORK SERVICE” with read access. I’m guessing that the hybrid configuration wizard (step 9) does this for you, but I was testing as I went and didn’t want to disrupt mail flow.
Thanks for the helpful guide!
Hi Alex,
Thank you for the great article. My situation is similar to what is shown above: migrated all users to O365, and we do password sync from AD. I am also wondering if I can have the transport server installed so I can route our SMTP messages from internal printers etc. to Office 365. My question is: does the free license that Microsoft is offering for the on-prem Exchange for management purposes also route emails? Is there any license for it?
Yes, you can still use the free license and continue to use the server as a simple SMTP relay. It is also possible to configure a relay connector in O365, but you can do it either way and no additional licensing required. What is NOT included in the license is the ability to host mailboxes.
Hi
What if you don’t want your hybrid server to participate in on-premises day to day email infrastructure (especially for SCP & autodiscover)? Let’s say you want it to be solely for hybrid purposes…
Do you set the AutodiscoverinternalURL value to $null?
Yes, that is correct.
Please, I need your support, as we currently have Exchange 2013 on-premises hybrid with Office 365, and we plan to upgrade to Exchange 2016 on-premises hybrid with Office 365, where the current Exchange on-premises architecture is [two CAS servers on a load balancer and two Mailbox servers in a DAG] and the current Exchange version on all Exchange servers is [15.0.1365.1] CU19.
Our OS is Windows Server standard 2012 R2 up to date.
And we use Azure AD to Sync users passwords.
We have some mailboxes on-premise and some on-line.
where our MX and autodiscover records points to Exchange online.
What do I need to ensure a soft migration without any problems? As I found, DAGs are still version-bound, and in-place upgrades are unsupported.
Yes, this is a more complicated setup–so you still have on-premises mailboxes? Do they need to be maintained on-premises anymore, or could you migrate them to the cloud? If you do need to keep mailboxes on-premises, I would begin to stand up the new 2016 servers, switch over your front-end/CAS functions to them first–setting the SCP, virtual directories, Outlook Anywhere, etc. You can also point internal relays to them, provided you re-create the necessary relays on the 2016 boxes–this can technically be done at anytime actually, but I usually test at this point with like an MFP printer and then start moving all the other front-end functions over after it is confirmed working: running the hybrid wizard again so that the connectors, etc. are created on the new servers once you know relay is successful between the systems. At that point, you can also redirect firewall rules so they are updated to point to the new servers, forwarding external traffic like 443, 587, 25, etc. as needed, to the 2016 servers. Then I’d move any remaining on-premises mailboxes last. Going in that order, and not skipping steps, should result in successful migration. But see if you can’t get rid of the need for a DAG on-premises by moving all mailboxes to the cloud. Note: in a typical hybrid setup with best practices, your DNS records for auto-discover would still point on-premises until all the mailboxes have been migrated.
Thanks for the great article. I have a question related to this and haven’t been able to find an answer anywhere. We are about to migrate to O365 from Exchange 2010. All of our Exchange mailboxes/users will be migrated. We will be managing AD on-prem and using AAD Connect. I understand that to run in a supported fashion this will require an on-prem Exchange server. For a while we’ll be using the existing Exchange 2010 server (but would like to migrate to 2016 at some point, which is what led me to this article). My question is this… is there any way to reduce the size of the footprint of the existing Exchange 2010 server after we’ve migrated everything to O365? My understanding is that we can’t delete those on-prem mailboxes, but could we delete the mail that’s in them and then recoup some space by creating a new database, moving mailboxes to it, then drop and delete the old database and logs (or possibly just do an offline defrag)? Thanks in advance for any advice.
When you move the mailboxes to Office 365 they will no longer exist on-premises. It should be possible to basically remove all databases after every mailbox has been migrated.
Hi Alex, I hope you are well. I think your posts are great. Very clear and helpful, good references and explanations. Thank you very much.
I have a question. We have Exchange 2010 and want to move to Office 365. Should I install a new exchange 2016 server before the migration or after? I have already established Azure AD connection sync successfully.
I would do after–because it is supported to migrate using hybrid from Exchange 2010 natively, that is the easiest route. After no more mailboxes are left on-prem, then upgrade to 2016.
Hi Alex,
Is it also possible to do it on the Exchange server 2016? Or do you have to run the hybrid wizard on the Exchange 2010 server instead in order to migrate the mailboxes?
The hybrid wizard is compatible with all versions of Exchange server 2010 and newer, including 2016.
Currently we use the hybrid server to provision mailboxes, then we migrate them to the cloud. Also we occasionally import PST data to on-premises mailboxes before we migrate them to the cloud. There can be periods of a few days where these mailboxes will be on premise. Do we still need licensing for the hybrid server in this case, or will the free hybrid license work?
I am not sure their stance on that, probably buried in the EULA terms.
We used to do that but there’s an easier way. You can use powershell to create a Mail enabled user (meaning don’t create the user in ADUC). See PS line below (a one liner with my PS variables). I created a PS GUI. We do this from the 2016 hybrid exchange server. This skips the step of needing to create the user on the on-prem mail server. Once created and everything syncs to O365 you just turn on your licensing (which creates the mailbox).
New-RemoteMailBox -Name $DisplayName.Text -Password $SecurePassword -UserPrincipalName $UPN.Text -Alias $AliasName.Text -OnPremisesOrganizationalUnit $OU.Text -SamAccountName $NTUserName.Text -FirstName $FirstName.Text -Initials $MiddleName.Text -LastName $LastName.Text -RemoteRoutingAddress $Tenant
Very nice article! I have a test environment with Exchange 2010 and Hybrid Configuration and it is working without problems. My goal is to add Exchange 2016 Server to manage mailboxes and remove the old 2010 Exchange Server completely.
I followed this article and managed to add Exchange 2016 to my environment (I installed Mailbox role + admin tools). I can now use it to manage mailboxes. Finally I’d like to remove Exchange 2010 but I am not sure what are the correct steps. I see that Step 8 in this article covers removal of Legacy Exchange, but still I feel that none of those articles under step 8 covers my situation. Can you please enlighten me what path to take?
Once the 2016 server is in place, you should no longer need 2010, and can simply remove it (presumably there is no data on it anymore, either).
First off thanks for this article. After the upgrade, users are getting prompted for outlook(2016) password, constantly. I can’t figure out what changed caused this issue. Have you experienced this and if so, how did you correct or do you have any suggestions for me to try? Thanks again!
Make sure the SCP is null or points to autodiscover.outlook.com–you don’t need the SCP or Outlook anywhere enabled, etc. It’s just a management interface, but if the clients are local on the network and that SCP is populated it may try to latch onto that server.
By the way, there were reports over the last couple days of many customers being affected by this–so it may be a backend thing at 365, and not related to your deployment. Google search: EX152471
Hi,
thanks for this helpful article.
I would like to ask you what to do with the address book. Do we need to create a new OAB on Exchange 2016? We have DL on-prem that cannot be migrated right now and I was wondering what will happen to this addresses after removing the Exchange 2010 from the environment.
Thanks,
Zafog
By adding a new exchange server to the environment before removing the old one, you will still have access to modify any objects including DL’s. A distribution list is an object that lives in AD, and the Exchange server just provides a UI for interacting with that object.
Hey Alex,
Thanks for the article but my question is that we currently have an on premise hybrid exchange 2010 server that all we use it for is to add new users or edit that attributes of old users. All connectors between Office 365 and this server have been disabled and DNS records point to Office 365. Do I follow the same steps as you listed or can I just install exchange 2016 server with the default setting and then decommission the old server? Or do I need to do some of the steps listed?
There is no “management tool” for 2016. You simply browse to the Exchange Admin Center, and login to administer the system that way.
If you installed 2016 and re-ran the HCW then you should be good to go.
First of Thank you so much this is an amazing guide.
Now I have a question will this guide work to move the configuration of a hybrid 2010 exchange server to a new server and the new server will also have exchange 2010? or is this specifically to upgrade to 2016?
2016–most people would move from 2010 to 2016 (remember the hybrid Exchange server license is free–2010 end of support is coming)
Hello Alex,
Thanks for this article. I have one question: I have 10% of mailboxes on EX2010 and 90% migrated to O365. Suppose I migrate from EX2010 to EX2016. After all that I will run the HCW again, so will there be any downtime in mail flow for existing users while updating the HCW??
No, shouldn’t be–or if so, very little/barely noticeable. The hybrid connectors on the old server can continue to relay mail to and from 365, until you run it for the new system. Whichever server picks up mail on prem, they can relay mail between themselves just fine. Just don’t retire the old box until everything is moved to the new one.
good article, do you have one for Exchange 2019
My name is also Greg and I was also planning to comment “ood article, do you have one for Exchange 2019”. Different Greg, though. Don’t think all Greg’s are trying to nag you.
Hey Alex
thanks for the great article:
We are about to upgrade our on premise 2010 Exchange servers to 2016.
We have 9 servers, which will be replaced by 2 * 2016 boxes as management points. The 2010 servers no longer host mailboxes, but are needed to route mail through to on premise SAP servers, and I’m pretty sure I cannot get round removing on premise entirely.
The environment currently also uses a forefront tmg server to service some routing through to autodiscover, owa and provide end points for mailbox migration.
I suppose the question I have is around the TMG servers, assuming we can just point the autodiscover currently serviced by the TMG server to a round robin DNS entry on the new servers?
MX points to O365 and sap mail is routed to on premise using a connector for the sub domain.
Yes, I would move all the remaining services over to the new 2016 ones. Like, if you have any on-prem SMTP relays pointing to 2010, inventory them and then start swapping them over (make sure to enable the relay on 2016 for those IP’s, etc.). Once all the remaining items are verified as pointing to the new servers, and autodiscover URI/SCP is nulled out on both 2010 and 2016 (since auto-discover DNS now goes to 365), then test the theory that life will be okay without 2010 by simply powering them off for a couple of days. When nothing breaks, you can proceed to full removal of those legacy systems.
Hey Alex, Thank for explanation.
I am also going to migrate an old 2010 environment to O365, but the hybrid is already set up using an Exchange 2010 server. Now I am planning to migrate using an Exchange 2016 hybrid server and am in the process of completing the 2016 installation.
Is it ok to simply run the HCW from 2016 server and make sure to not to remove 2010 from the list as we are planning to remove 2010 after completing all the migration.
You should be able to move directly from 2010, but you can stand up a new 2016, get the cert installed, update virtual directories, etc. etc. and then re-run the hybrid wizard, which should choose the 2016 system as the hybrid server.
Hi , thanks for a great article.
I have been tasked with upgrading our old Exchange 2013 v15 (sits on winsvr 2008) to Exchange 2016 (winsvr 2016). We are hybrid with no mailboxes; it’s just a mail relay essentially.
It’s the first time I have done this and I was wondering could I run them in tandem, till I am happy the new server is working as expected. Would it still be the same steps/process as above?
I can see a few sleepless nights ahead of me !
kind regards
Suzi
Yes that would be fine to keep them running side-by-side. There should be no impact basically, as long as you null out the service connection point, etc. and just move the relays over. Just make a checklist of items that relay off local server, then go update them one at a time, enabling an entry for them on the new server. Once you are done w/ checklist, re-run hybrid wizard to connect up 2016 box, then turn off 2013 for a couple of days to make sure you didn’t miss anything. Once satisfied, uninstall 2013.
good article, Greg.
I am still in the planning phase and want to migrate from 2010 to O365. Hybrid is already set up, but the 2010 servers are very old, so I have to add a new Exchange 2016 server as a hybrid migration endpoint without making any mail flow and client connection changes to the current 2010 servers. Suggest what are all the settings to be done on 2016?? SCP = null or the same as in the 2010? Anything from the DNS side?
This article should contain the steps you would need.
Awesome! thanks for the life saving instructions. Looks like I am already half way through. Installing Exchange 2016 was the hairiest part for me. Thanks for the article again.
Great page Alex.
A quick question on the order of replacement. We have and Edge 2010 in the DMZ and two domain Exchange 2010 servers. Which ones should we replace first? I haven’t seen that scenario listed anywhere.
Thank you!
Are you moving or already moved to 365? Then you shouldn’t really need an infrastructure like that anymore, just a regular hybrid server (which is just a management UI basically). If you mean doing an upgrade from Exchange 2010 to 2016 there is a recommended order–front end services go first, followed by mailbox databases, etc. I like this series for orgs who are doing 2010 to 2016: http://techgenix.com/migrating-small-organization-exchange-2010-exchange-2016-part1/
“Are you moving or already moved to 365? Then you shouldn’t really need an infrastructure like that anymore, just a regular hybrid server (which is just a management UI basically).” Sorry I didn’t include more. We inherited two old P2V Windows 2008 R2 servers running Exchange 2010 hybrid configuration with all users in O365 except for one that is required for an application. There is also an Edge server in the DMZ running Exchange 2010. All patched to latest updates.
Thank you.
Then a single 2016 server can replace both of those other boxes. Migrate all roles to that, and then remove 2010.
If you are running Exchange 2016 in minimal hybrid mode with Office 365, are you able to remove the mailbox database? If so, I was wondering if there was a way to install Exchange 2016 without the mailbox role and mailbox database?
All mailboxes will already be in Office 365 after being migrated from Exchange 2010.
Thanks in advance
Oddly enough even though the intention is to keep zero mailboxes on-prem they do not support like a “management UI only” type of install for the hybrid server, so yeah the full mailbox role is required. Strange, but whatev.
We migrated mailboxes from Exchange 2003 to M365. Will this work with legacy 2003 Exchange server upgrading to hybrid 2016? Thanks!
You can’t go right from 2003 to 16, you could go to 10 then 16. Or completely tear out 2003 before you lay down 2016 and re-implement hybrid. Be sure to preserve your email attributes (e.g. proxyAddresses) when doing it that way.
Hi Alex, thank you very much for the article, very helpful. I’m in a situation where I’ve got an environment of 7 Exchange 2010 server SP3 hybrid, with no UR installed on any of the servers. To migrate to 2016 directly I will have to upgrade all 2010 servers to SP3 UR11. Is it worth the effort or should I migrate to 2013 first and then 2016? Thank you.
Updates are easier than migrations, IMO.
Hi Alex
Thanks for the article. I have an Exch2010 hybrid with O365 currently and I am in the process of migrating mailboxes from on premise to O365. I have built my Exch2016 server but as yet have not switched over the roles onto the new server. Is it possible to migrate the remaining Exch2010 mailboxes using the Exch2016 as the hybrid endpoint, or would I have to migrate these mailboxes to Exch2016 first, then migrate them to the tenant? The logistics of moving our users dictate the migration is quite a prolonged process and may drag on for a while. The reason I ask is, from a security perspective we want to have modern authentication set on the hybrid connection so that we can disable the simple credentials login.
For longer migrations I would recommend 2016. Move to it fully, and get rid of 2010. Then you’ll have better options for hybrid modern auth and so forth if you need to have long-term co-existence. Or, alternatively use the fact that that 2 migrations is more money than one to force management’s hand into saying okay to a quicker and more aggressive migration to 365 ;)
Hello Alex,
Thanks for your article.
We have a 2010 Hybrid with O365 moving to 2016 Hybrid. Already installed and setup 2016 Servers, but haven’t switched the DNS to point to 2016 or migrated the 2010 mailboxes.
I am a bit confused as to when to run the HCW wizard, Should I run the HCW wizard on 2016 now, so that all the connectors are updated ? or wait till all the mailboxes are moved to 2016 and 2010 decommissioned?
Thanks in Advance
As long as both Exch servers can exchange mail successfully internally then you can run HCW anytime to move hybrid mailflow over to the new box.
Hi both, and sorry to jump in on this thread, as it relates to what I was asking above. Once mail flow is switched over to 2016, is it then only possible to migrate mailboxes in a two-step process, i.e. 2010 to 2016, then 2016 to 365?
Thanks for your assistance.
Moving front-end services to Exchange 2016 and then migrating mailboxes directly from 2010 to 365 would be possible, yes.
Hello Alex
We have moved all mailboxes to O365, however they have all remained as contacts on Exchange 2010. Do I need to move these mailbox databases to Exchange 2016? Prior to moving to Office 365 I already had a few disconnected mailboxes that I wish to keep for compliance purposes, so I assume we need to move these mailbox databases to the new Exchange 2016? Also, is it necessary to create a DAG on Exchange 2016 since all mailboxes reside in Office 365? Also, when performing the schema update, is it necessary to download/prepare any tenant organization config from O365, since we already have hybrid Exchange 2010? And do we do the minimal mode or the full Hybrid Configuration Wizard?
Hey Jerry, don’t overthink it too much. Once you move mailboxes to the cloud, they are converted to contacts on-prem. There is no data on prem any longer. The contact object has a targetaddress property that will lead any mail handled by the on-prem server (e.g. if you use it as a local relay with a copier/printer/scanner device or LOB app) to the destination mailbox in 365. The only reason for having an Exchange server around after you’ve moved is for ease of management, changing things like aliases and so forth. So no need to move any mailbox databases, etc. as NO DATA should remain on-prem.
Hi Alex
We have used BitTitan to migrate mailboxes to Office 365 and have AD Connect set up. We were hoping to get rid of our Exchange 2010 server completely but I understand that is not supported. So I think the solution would be to install Exchange 2016; could you offer any advice on how to do this?
The post you are commenting on is the exact process. You can still run hybrid wizard to set it up properly once you replace w/ 2016 server.
Thanks for this article. I’m a little apprehensive about the schema extensions and Active Directory preparations. I’m just hesitant because we have been held back from raising our Active Directory functional level because of the Exchange 2010 in our environment. Can I assume that these schema extensions and AD preps are fairly benign and won’t cause disruption in our environment? Or is this process a start it and get it done as quickly as possible task to minimize disruption? What exactly is happening with these schema extensions and AD preparations?
I have never seen this cause an impact. It is adding certain attributes to be compatible with the version of Exchange you are trying to install. Once you upgrade you cannot add new servers that are older than the one you prepared the directory for (but the existing older ones should be fine).
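The schema and AD preparation discussed above is visible in the directory as a handful of version numbers. The following is an added example (not from the original post) that reads them before and after running Setup.exe, so you can see exactly what changed and confirm the preparation completed. It assumes the ActiveDirectory PowerShell module is installed on the machine you run it from, and that the account running Setup.exe holds Schema Admins and Enterprise Admins membership; the version values quoted in comments are from Microsoft's published tables for Exchange 2010 SP3 and Exchange 2016.

```powershell
# Added example, not the author's code: inspect the Exchange version markers in AD
# around a Setup.exe /PrepareSchema and /PrepareAD run.
Import-Module ActiveDirectory

function Get-ExchangeDirectoryVersion {
    $rootDse  = Get-ADRootDSE
    $schemaNc = $rootDse.schemaNamingContext
    $configNc = $rootDse.configurationNamingContext

    # Schema: rangeUpper on ms-Exch-Schema-Version-Pt
    # (Exchange 2010 SP3 = 14734, Exchange 2016 RTM = 15317, 2016 CU23 = 15334)
    $schemaObj = Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$schemaNc" -Properties rangeUpper

    # Organization: objectVersion on the Exchange organization container in the config NC
    $orgObj = Get-ADObject -SearchBase "CN=Microsoft Exchange,CN=Services,$configNc" `
        -LDAPFilter '(objectClass=msExchOrganizationContainer)' -Properties objectVersion

    # Domain: objectVersion on "Microsoft Exchange System Objects" in the current domain
    $domainDn  = (Get-ADDomain).DistinguishedName
    $domainObj = Get-ADObject -Identity "CN=Microsoft Exchange System Objects,$domainDn" -Properties objectVersion

    [pscustomobject]@{
        SchemaRangeUpper    = $schemaObj.rangeUpper
        OrgObjectVersion    = $orgObj.objectVersion
        DomainObjectVersion = $domainObj.objectVersion
        CheckedAt           = Get-Date
    }
}

$before = Get-ExchangeDirectoryVersion
$before

# Run these from an elevated prompt in the mounted Exchange 2016 ISO, ideally in the
# same AD site as the Schema Master. Exchange 2016 CU23 and later no longer accept
# /IAcceptExchangeServerLicenseTerms on its own; use the _DiagnosticDataON/OFF form.
#   .\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareSchema
#   .\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAD
#   .\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF /PrepareAllDomains

$after = Get-ExchangeDirectoryVersion
Compare-Object -ReferenceObject $before -DifferenceObject $after `
    -Property SchemaRangeUpper, OrgObjectVersion, DomainObjectVersion

# Replication check: the new rangeUpper must reach every DC before you run Setup.exe
# on the server itself, otherwise setup fails its schema prerequisite check.
Get-ADDomainController -Filter * | ForEach-Object {
    $v = (Get-ADObject -Server $_.HostName -Identity "CN=ms-Exch-Schema-Version-Pt,$schemaNc" -Properties rangeUpper).rangeUpper
    "{0,-30} rangeUpper={1}" -f $_.HostName, $v
}
```

Only the three numbers move; the comparison at the end is what gives you the "nothing else was touched" evidence the question above is asking for, and the per-DC loop catches the common case where the schema master has the new version but the DC nearest your new server has not yet replicated it.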
Thank you for this article. We migrated all mailboxes to 365 last year. Now I need to remove our Exchange 2010 server and build a new Exchange 2016 server. I’m following this article, everything has gone smooth. When I launch the Hybrid Wizard in step 9 from the EAC I’m taken to an Office 365 login. I provide my 365 credentials but each time it goes right back to the 365 login page. Any thoughts as to why?
I found the fix to my issue. In Internet Explorer I had to modify the security settings to allow file downloads. As soon as I did that the HCW started working.
Thanks for sharing! By the time I checked this, you already solved it. Yeah, HCW only works in Edge and IE, and IE security settings often get in the way.
We’re moving from Exchange 2010 Hybrid to Exchange 2016 Hybrid.
Is it recommended to setup the Edge server or is that not required for Hybrid communication. All mailboxes are migrated to O365 and new ones are migrated prior to user access.
Right now we have this setup:
Current Exchange 2010 environment on Server 2008
• VAPP1101 Mailbox Servers
• VAPP1102 Mailbox Servers
• VAPP1103 Mailbox Servers
• VAPP1106 Hub Transport
• VWEB1101 Client Access
• VWEB1102 Hub Transport & Client Access
• VWEB1103 Client Access
• VWEB1104 Client Access
We would like to move to one Exchange Server 2016
• VAPP1104
For the hybrid server you just do a full installation, mailbox role, even though you don’t really use it, except for mgmt.
Thanks, do I need to open ports on the firewall like you would for a Client Access server?
The only reason to open ports on the firewall would be if you need to have mailflow between on-prem and cloud mailboxes. Once all mailboxes are in the cloud, and assuming you move your SMTP relays to 365, the only purpose your hybrid server has is management UI.
what about the creation of new users? Are we to always migrate them or should the mailboxes be created in the cloud and no longer migrated?
You should not need to migrate mailboxes. When you create a new account with New-RemoteMailbox, or using the EAC to create a new O365 Mailbox user, the account on-prem is created and when that syncs to the cloud the mailbox will be auto-created as well.
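The provisioning path described in the reply above (and the targetAddress behaviour described further up in the thread for mailboxes already moved) looks like this in practice. This is an added example, not the author's own script: the user, OU, domains and server names are hypothetical, and it assumes you run it in the Exchange Management Shell on the hybrid server with the ActiveDirectory module installed.

```powershell
# Added example, not the author's code: create a user whose mailbox is born in
# Exchange Online, then verify the routing attribute the on-prem server relies on.
Import-Module ActiveDirectory

$password = Read-Host -AsSecureString "Initial password for jdoe"

# New-RemoteMailbox creates the AD user and stamps the Exchange attributes that tell
# AAD Connect (and the tenant) to provision a cloud mailbox. No on-prem mailbox,
# no move request, nothing to migrate afterwards.
New-RemoteMailbox -Name "Jane Doe" -FirstName Jane -LastName Doe `
    -UserPrincipalName jdoe@contoso.com `
    -Alias jdoe `
    -OnPremisesOrganizationalUnit "OU=Cloud Users,DC=contoso,DC=com" `
    -Password $password `
    -ResetPasswordOnNextLogon $true

# What the on-prem server now knows about the recipient
Get-RemoteMailbox -Identity jdoe |
    Select-Object Name, PrimarySmtpAddress, RemoteRoutingAddress, RecipientTypeDetails

# The raw AD attribute: targetAddress is what makes on-prem transport hand the
# message to the cloud when a printer or LOB app relays through this server.
# Expected form: SMTP:jdoe@contoso.mail.onmicrosoft.com (the hybrid routing domain)
(Get-ADUser -Identity jdoe -Properties targetAddress, msExchRemoteRecipientType) |
    Select-Object targetAddress, msExchRemoteRecipientType

# Sanity check that the routing domain is actually an accepted domain and that an
# email address policy covers it; a missing routing domain is the usual reason a
# remote mailbox never gets created in the tenant.
Get-AcceptedDomain | Where-Object { $_.DomainName -like "*.mail.onmicrosoft.com" } |
    Format-Table DomainName, DomainType -AutoSize
Get-EmailAddressPolicy | Format-Table Name, EnabledEmailAddressTemplates -AutoSize

# Push the object to the tenant now instead of waiting for the 30-minute cycle.
# Run this on the Azure AD Connect server.
# Start-ADSyncSyncCycle -PolicyType Delta
```

The point of the two verification commands is that the recipient is a mail user on-prem, not a mailbox, so the databases on the hybrid server stay empty, which is exactly the state the earlier reply about "no data on-prem" describes.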
Are these the same steps for migrating from on-premise exchange 2010 to office 365 cloud in a hybrid configuration?
Do you have a guide for this?
Migration of mailboxes from any version 2010+ is here. The current article is about upgrading a “hybrid only” server (usually after all mailboxes have been migrated).
“It is also optional, since certificates aren’t important if all of your mailboxes reside in the cloud, and there is no secure cross-premises mail flow requirement.”
Wouldn’t the above only be true if you $null the CAS SCP record and/or point AutoD directly to O365? I would expect a client-side certificate error when Outlook queries the on-prem server and there is no matching certificate.
You should always have that value null if there are no mailboxes on-prem. That’s standard part of the migration. So that is correct.
Hi, we migrated all mailboxes from Exchange 2010 to O365, then we removed the Arbitration Mailboxes and the server with the Mailbox role. We only left servers with the HT role (for SMTP relay) and we kept the hybrid scheme. Now we want to replace those old Exchange 2010 (HT) servers with a new Exchange 2016 and cannot complete the installation because there is no Arbitration Mailbox. I understand that re-running “Setup.exe /PrepareAD” should recreate the Arbitration Mailboxes, but we don’t have any Mailbox/Database role servers for the mandatory user mailbox. How can I migrate Exchange 2010 to 2016? Thanks for your help and support.
Yes you must have a mailbox role unfortunately. That has always been a hybrid requirement. The only way would be to add that role back somewhere and proceed.
Alex,
I want to run 2016 alongside my 2010 while I switch over the necessary scripts/internal relay to 2016. Since 2016 requires the HCW to activate the free hybrid license, will I need to rerun the HCW on my 2010 server to continue using that as my Hybrid endpoint? My account creation is automated and creates new user mailboxes on the 2010 Exchange, they are then migrated to o365 automatically.
If the 2016 server is my new Hybrid endpoint, does the 2010 lose all migration ability?
Thanks
There is no reason to continue using 2010 if you have a 2016 server–that should become the hybrid endpoint, and all migrations will flow through that endpoint. It does not matter if mailboxes are on 2010, the migration will still work, using 2016 as the endpoint. This is the preferred configuration.
Hi Alex,
All our mailboxes are in O365. Exchange 2010 has a self-signed cert, and all the public certs have expired. We have an ADFS farm and F5 load balancers.
When we run the full Hybrid Configuration, will that accept this self-signed cert? Or will ADFS be impacted?
Once we run the HCW, will it import and create connectors in Exchange 2016?
I understand that the hybrid connection will be required for Free/Busy, SMTP and Autodiscover.
When we set Autodiscover to autodiscover.outlook.com, will Outlook client connections still go via this Exchange server?
So if we shut down without migration, what is the impact to the current client?
TA
Self signed certs are not a good idea. I have never operated in that configuration and whenever I find a customer who has been doing something like that I always advise them to get public cert. So I don’t know what happens there. But if all of your mailboxes are in O365 already, what is the purpose of creating hybrid now? Even if you wanted it for management with directory synchronization I don’t think the cert would matter, because there are no services locally that you depend on, right? Everything is cloud so clients will not be referring to the on-prem server for any reason–therefore certs won’t really matter. But once you actually have a client accessing the server for something–that’s when you’d have to figure out your certs.
HI Alex,
So I just set up the Ex2016 as per above and do not run the HCW?
We use this Ex2016 server as SMTP Relay and Management.
TA
If you are keeping the server in place to serve hybrid functionality (including relay) then yes you need to run HCW.
Hi Alex,
Thanks. Will the HCW pick up all the current configuration from Exchange 2010 and move it to Exchange 2016? Will it not re-create the connectors in O365?
If something goes wrong, can we use the exchange 2010 as rollback plan?
How do I find the currently configured FQDN?
TA
Running the HCW over again will update the hybrid configuration to get the new server talking with the cloud. I have never needed a rollback plan. I guess my rollback plan would be to manually configure things. I know the stuff that the HCW is doing under the hood, so it may not be so easy, but the steps are documented out there–you could find them. Basically updating the HybridConfiguration and creating some connectors. The email address policies would not be impacted if they were already done with a previous run, etc. Anything at the “organization” level does not change and doesn’t need to, since it is not tied to specific server. The server specific stuff you should plan to touch is the HCW, which will get the connectors created, as well as the certificate if you still use one for any services on prem including SMTP relay, etc.
Hi Alex,
To keep AD FS and directory synchronization and decommission most of the Exchange servers
The steps in https://docs.microsoft.com/en-us/exchange/decommission-on-premises-exchange?redirectedfrom=MSDN are not mentioned in your post?
TA
The issue is not whether to decom “most” servers but rather all–you CANNOT decom the last Exchange server without also removing directory synchronization (whether with ADFS or not). So at the present time at least, you must of necessity keep an Exchange server so long as you synchronize your directory to the cloud. Only once you remove synchronization can you remove all Exchange servers.
Hi Alex,
What are the firewall ports required with a new server?
Ta
If it is just acting as a management UI and you set up minimal hybrid/modern then no ports are necessary to expose to the outside.
Hi Alex,
I just ran the HCW and got the error below. I think my firewall should allow 443 to the new server?
HCW8078 – Migration Endpoint could not be created.
Microsoft.Exchange.Migration.MigrationServerConnectionFailedException
The connection to the server ‘webmail.domain.com’ could not be completed.
Microsoft.Exchange.MailboxReplicationService.MRSRemoteTransientException
The call to ‘https://webmail.domain.com/EWS/mrsproxy.svc’ failed because no service was listening on the specified endpoint. Error details: There was no endpoint listening at https://webmail.domain.com/EWS/mrsproxy.svc that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details. --> Unable to connect to the remote server --> No connection could be made because the target machine actively refused it 98.76.54.21:443
Microsoft.Exchange.MailboxReplicationService.MRSRemotePermanentException
There was no endpoint listening at https://webmail.domain.com/EWS/mrsproxy.svc that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.
Microsoft.Exchange.MailboxReplicationService.MRSRemotePermanentException
Unable to connect to the remote server
Microsoft.Exchange.MailboxReplicationService.MRSRemotePermanentException
No connection could be made because the target machine actively refused it 98.76.54.21:443
The other issue is that when I set the send connector to the new server, mail queued?
Do I have to enable port 25 from this server?
Hi Alex,
Please remove my public domain name.
Done!
You only need the external facing stuff if you need to perform migration or SMTP relay in/out from EXO to on-prem, etc. If you are keeping a hybrid server for only management purposes then you can close the external facing ports AFTER the HCW is run, and all migration activity is completed. Hope that makes sense.
Hi Alex,
We require the SMTP relay and have F5. So webmail.domain.com points to 98.76.54.21.
So do I have to allow this external IP to the on-premises server?
I noticed the HCW has changed the O365 send and receive connectors.
Is there a way to find the old settings?
This step is not easy as per your document.
“Default Frontend” receive connector is modified for hybrid mail flow and instead of using a list of IPs, a certificate is used to force
Again, the inbound connector uses a certificate instead of an IP address
Ta
This document assumes you are only using hybrid for management purposes–then it is very simple. If you need to migrate other functions such as SMTP relay that would be done like any other migration for those roles. I don’t think it keeps a history of the settings–unsure if the logs would have this. However, it should be pretty easy to configure. If you need inbound/outbound SMTP relay from the local server then configure it appropriately. The allowed relay IP’s from internal, the certificate should be exported/imported to the new server and associated to the service, etc. Firewall would need to allow said ports to the new server, and so on.
Hi Alex,
We have some service accounts with mailboxes attached in the local Exchange 2010, but they have no mailboxes in O365. Nobody knows what these accounts are, so what is the safest option before decommissioning?
If nobody knows what they are for, and you don’t see any recent mail items in there, it is probably safe to whack em.
Hi Alex,
What process should be followed before uninstalling the legacy Exchange server?
Also, removing Exchange 2010 will remove the federation trust and hybrid configuration, so should Step 9 (Run the new Hybrid Configuration Wizard) be run before Step 8?
TA
You should be able to just follow the steps in the guide. I have articles on the whole migration process, all roles. I also have a paid migration guide that has a lot of detail about moving to M365 environment.
Hi Alex,
Do we need to have MRSProxy (https://webmail.domain.com/EWS/mrsproxy.svc) communication after the HCW?
I know this is required to establish the configuration, so I can allow port 443 directly to the server when running the HCW, but is it a security risk to allow ports 25/443 from external to the internal server?
In 100% of my deployments, I configure the HCW, and then close all inbound traffic from the Internet to the hybrid server. Zero ports open. I make sure that all relay goes right to 365 either using client submission or just inbound connector secured by IP. Then the hybrid server only exists for the purposes of managing the Exchange attributes locally, and Azure AD Connect takes care of the rest.
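The two replies above describe the only two things that still justify the hybrid box touching SMTP at all: an internal relay connector for printers and LOB apps, restricted to known source addresses, and the public certificate that the HCW bound to the connectors. Below is an added example (not the author's script) of moving both to the new server in that restricted form. The server names, the IP ranges, the certificate subject and the PFX path are all hypothetical; run the export part on the old server and the rest in the Exchange Management Shell on the new one.

```powershell
# Added example, not the author's code: internal-only relay on the new hybrid
# server plus certificate move, with the attack surface kept to the LAN.

# ---- On the old server (EX2010): export the public cert with its private key ----
$pfxPassword = Read-Host -AsSecureString "PFX password"
$oldThumb = (Get-ExchangeCertificate |
    Where-Object { $_.Subject -like "*mail.contoso.com*" -and $_.Services -match "SMTP" } |
    Select-Object -First 1).Thumbprint
$export = Export-ExchangeCertificate -Thumbprint $oldThumb -BinaryEncoded -Password $pfxPassword
Set-Content -Path "C:\Temp\mail.pfx" -Value $export.FileData -Encoding Byte
# copy C:\Temp\mail.pfx to \\EX2016\C$\Temp\mail.pfx, then delete both copies when done

# ---- On the new server (EX2016) ----
$newServer = "EX2016"

# Import and bind the cert to SMTP so the HCW (and any TLS relay client) can use it.
# -FileName must be a UNC path in Exchange 2016.
$cert = Import-ExchangeCertificate -Server $newServer -FileName "\\$newServer\C$\Temp\mail.pfx" `
    -Password $pfxPassword -PrivateKeyExportable $true
Enable-ExchangeCertificate -Server $newServer -Thumbprint $cert.Thumbprint -Services SMTP -Force

# Relay connector: anonymous relay is allowed ONLY from these addresses. Everything
# else on port 25 still hits "Default Frontend", which does not relay.
$relaySources = "10.10.20.0/24", "10.10.30.15"   # hypothetical printer VLAN + LOB app
New-ReceiveConnector -Name "Internal Relay" -Server $newServer `
    -TransportRole FrontendTransport -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $relaySources `
    -AuthMechanism Tls, ExternalAuthoritative `
    -PermissionGroups ExchangeServers, AnonymousUsers
# ExternalAuthoritative + ExchangeServers grants ms-Exch-SMTP-Accept-Any-Recipient,
# i.e. this is an open relay for whoever is in RemoteIPRanges. Keep that list tight,
# never put 0.0.0.0/0 in it, and never expose this server's port 25 to the Internet.

# Evidence for the change ticket: which connector answers a given source address,
# and what each one is allowed to do.
Get-ReceiveConnector -Server $newServer |
    Select-Object Name, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism |
    Format-List

# Belt and braces: host firewall rule so port 25 only answers the LAN even if the
# edge firewall rule is ever opened by mistake.
New-NetFirewallRule -DisplayName "SMTP relay - internal only" -Direction Inbound `
    -Protocol TCP -LocalPort 25 -RemoteAddress ($relaySources + "10.0.0.0/8") -Action Allow
New-NetFirewallRule -DisplayName "SMTP - block everything else" -Direction Inbound `
    -Protocol TCP -LocalPort 25 -RemoteAddress Any -Action Block
```

Exchange picks the receive connector with the most specific RemoteIPRanges match for the client address, which is why the relay connector can share port 25 with "Default Frontend": a printer in 10.10.20.0/24 lands on the relay connector, anything else lands on the default one and gets "550 5.7.1 Unable to relay" for external recipients.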
Finally, I completed the HCW successfully with the public SSL cert. Now I need to remove the Exchange 2010.
So in Step 8 I can see it asking to remove send connectors, public folders etc., and then uninstall the Exchange 2010.
But in the hybrid setup, send connectors are appearing in Exchange 2016. So I set the Exchange 2016 as per Step 6.
So will running the above command remove these from Exchange 2016?
Can’t I just uninstall after moving the system mailboxes?
TA
Hi Alex,
Do we need to move the Arbitration mailboxes? When I stop the Exchange 2010 I cannot log in to the Exchange 2016 ECP; I receive an HTTP Error 500?
In terms of updating the SCP if all mailboxes are in the cloud and we’re trying to avoid needing a certificate we set our DNS for autodiscover to point to Exchange Online and set the SCP on the on premise server to null. Wouldn’t that stay the same for the Exchange 2016 upgrade?
Yes you can either set it to null (meaning the clients will roll over to autodiscover via DNS) or you can set it to the Exchange Online autodiscover URL (autodiscover.outlook.com); both are valid.
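The SCP setting discussed in the two exchanges above (the earlier one about certificates not mattering once the SCP is null, and this one) is a single attribute per server. Here is an added example, not the author's own commands, that shows both options and, more usefully, how to verify afterwards from AD and DNS that a domain-joined Outlook client has no path back to the on-prem server. It assumes the Exchange Management Shell on the 2016 server with the ActiveDirectory module installed; contoso.com is hypothetical.

```powershell
# Added example, not the author's code: retire the on-prem Autodiscover SCP when
# every mailbox is in Exchange Online, then prove it.
Import-Module ActiveDirectory

# Current state. Get-ClientAccessService is the Exchange 2016 cmdlet; on a 2010 box
# the equivalent is Get-/Set-ClientAccessServer.
Get-ClientAccessService | Format-Table Name, AutoDiscoverServiceInternalUri -AutoSize

# Option A: clear the SCP. Domain-joined Outlook then falls through to the DNS
# lookups (autodiscover.contoso.com), which should already be a CNAME to
# autodiscover.outlook.com.
Get-ClientAccessService | Set-ClientAccessService -AutoDiscoverServiceInternalUri $null

# Option B: keep an SCP but point it straight at Exchange Online.
# Get-ClientAccessService | Set-ClientAccessService `
#     -AutoDiscoverServiceInternalUri "https://autodiscover.outlook.com/autodiscover/autodiscover.xml"

# Verify at the source: Outlook reads serviceConnectionPoint objects carrying the
# Autodiscover keyword GUID from the configuration partition. After option A the
# serviceBindingInformation on each should be empty; after option B it should be
# the Exchange Online URL. Any other value means a client can still be pointed at
# a server you do not intend to publish (and will get a cert warning, as raised above).
$configNc = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase $configNc `
    -LDAPFilter "(&(objectClass=serviceConnectionPoint)(keywords=77378F46-2C66-4aa9-A6A6-3E7A48B19596))" `
    -Properties serviceBindingInformation |
    Select-Object Name, @{n='Binding'; e={ $_.serviceBindingInformation -join ', ' }}

# DNS side: what a client (or a non-domain-joined device) will use instead
Resolve-DnsName -Name autodiscover.contoso.com -Type CNAME |
    Select-Object Name, Type, NameHost
```

Clearing the SCP does not remove the Autodiscover virtual directory; it only stops Outlook being told to go there. That is why the earlier reply can say the certificate stops mattering: nothing is directed at the server any more, so nothing validates its certificate.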
Hi Alex,
I’m decommissioning the Exchange 2010, but will this remove the Exchange 2016 send connectors
that were created automatically?
I just tried to disable them and noticed that it disabled the Exchange 2016 server too.
I need these connectors for SMTP relay?
TA
If you are going to use a command like get-sendconnector | remove-sendconnector then yes that would be taking all send connectors and removing them. So if you need to keep for SMTP relay, you should not run that.
Hi Alex, nice article and a lot of useful comments.
I’m in the process of upgrading our Exchange 2013 Hybrid server to Exchange 2019.
I’ve read that Exchange 2019 is like 2016R2, so I could follow your steps?
Two questions though:
1. You uninstall the former Hybrid server before running HCW; does it still detect the old hybrid server? Isn’t it wiser to start the HCW while the old Exchange Hybrid server is still running?
2. You write a couple of times that no incoming ports are necessary if only used as hybrid management and SMTP relay for internal devices. But is there no traffic from Microsoft to on-premise? For checks or whatsoever? I’ve been looking for an official statement from Microsoft but can’t find it.
3. If the new hybrid server is only working as management and SMTP relay, what are the minimum specifications? Microsoft recommends 64GB for an Edge server. Is that also applicable for an Exchange 2019 Hybrid (only) server?
A lot of questions I know, but I hope you are willing to answer them.
Do not move to 2019 if you are trying to have a “Hybrid Only” server. The last version to support the free license for hybrid is Exchange 2016. Before the end of life of 2016, MSFT is going to have a method available by which you can officially remove the last Exchange server from the environment and be completely cloud-based, even if you are using Azure AD Connect to sync identities. We don’t have many details on that yet, but that is the promise; there is no reason to go to 2019 unless your plan is to host mailboxes on-prem.
As for some of the other questions–it is not a large resource requirement. If it is just a management interface you could do super low, like 8 GB or whatever you want. You should always install the new one first, yes. Remove the old after you have finished setting up the new one and moving HCW over to it.
As well, yes, if there is nothing but hybrid for management, why would you leave incoming ports open? They are not needed, especially when you do the minimal/modern topology which leverages Azure proxy services. The whole point of the proxy is to publish the web services outside of your environment without the need of a firewall. So you can have a completely isolated on-prem web server and push that out to Azure (it is an outbound connection only), and then Exchange Online can communicate as needed via the proxy. The only exception is SMTP; if you need to relay messages to/from on-prem you may need to poke holes in your FW for that. But for straight managing of attributes, no.
Licenses are not an issue for us, Exchange licenses are included in our overall agreement. (Education agreement, nationwide)
So thank you for your advice, but I would still like answers to my questions.
(Which would also apply if we would move to Exchange 2016)
I replied, did you see them?
Yes sorry, missed that part somehow.
I can’t really follow you on the proxy bit.
The new server is only for Exchange management internally. Everything is synced with AD Connect to Azure. SMTP is only outbound for web apps and multifunction printers.
So if it’s not a requirement for Microsoft for connection tests we don’t need to open port 25 inbound. But I can’t find official documentation from Microsoft on that scenario, they only provide ports for a full blown Exchange environment.
As you point out in your description of the environment, you only have outbound connections (SMTP out, and syncing via AAD Connect). Therefore, no need to expose the server on the outside. I would shut it down. That is what I do for 100% of environments I touch–remove all inbound dependency and then close up the firewall.
Hi Alex,
Nice article. I am planning to upgrade from Exchange 2010 hybrid to 2016 hybrid. The majority of my users will be on-premises, and currently I am using AD Connect to sync on-prem to Office 365. Is there any configuration change required after migration? Also, after migrating all mailboxes from Exchange 2010 to 2016, I can decommission the Exchange 2010 and run the Hybrid Configuration Wizard, right?
Thanks,
Vimod
You would execute the migration as normal, updating all virtual directories, SCP, DNS, moving mailboxes, etc. and then re-run the hybrid wizard (you can do this even before you decom 2010).
Thanks Alex. Appreciate your help.
Hi Alex, Thanks for this great article!
My question is, if we previously had a 2016 hybrid server running during our migration and have no mailboxes left on-prem, and we add a new updated 2016 server to the mix, do we need to run the HCW afterwards? Again, this server is strictly for managing the Exchange attributes and there is no mail flow going in or out of our environment.
I shut down an old server after introducing the new server and was told by MSFT that we didn’t need to run the HCW, but we’re seeing some strange email delivery issues with some email not being delivered to us, specifically coming from the SendGrid tool.
The hybrid configuration should not impact the receiving of mail from sendgrid, unless you have your MX records pointed to the on-prem hybrid server rather than 365. I would be looking to other causes. For example, sendgrid often “impersonates” a domain to seem like it is coming from that company. In order for that to work well, the sending domain needs to include sendgrid’s information in their email authentication (DNS) records, so that receiving servers know to accept that mail source on behalf of the sender’s domain.
Hi Alex!:WE NEED SOME HELP TO CHANGE MY EMAIL ENVIRONMENT IN PRODUCTION. THESE ARE MY QUESTIONS:
1.My Exchange 2010 haS a 2016 console WHICH HAS BEEN installed recently, we need TO uninstall the old EAC 2010 and TO leave JUST the EAC 2016. IS IT THERE ANY POSSIBILITY THAT ThESE procedures cOULD affect the service? the emails transport is in O365.
2. The point 4 is the most difficult ONE FOR me because I’m afraid to execute IT and crash EVERYTHING.
3. DO We need TO coordinate a window OF maintenance ? Could the service BE AFFECTED? WHAT KIND OF RISKS COULD WE GO THROUGH? COULD WE HAVE A ROLL BACK OF THIS?
Thanks in advance, Jeronimo.
Jeronimo, it appears that your caps lock is acting up. :)
If you simply follow the steps in this article there should be zero interruption, especially if you have no transport moving through the on-prem server. It is nothing more than a management UI if all mailboxes are in cloud. The only thing that can affect client connectivity on-prem would be like Outlook anywhere, SCP settings, etc. So as long as those items are square, then you are good to go.
Hi Alex,
Thank you for writing this article.
I have to phase out two on-premises Exchange 2016 servers in a DAG and replace them with a single Exchange 2016 server installed on a VM in Azure.
Would the installation of Exchange 2016 as you have explained it be the same for my scenario, or should I take additional steps into account?
Best regards
Marcel
It is not supported to run Exchange server in Azure, to my knowledge. Do not do this. Just migrate your mailboxes to Office 365. There is seriously no reason to have an old-world exchange server that you manage, on your own network or anywhere else. Are you a fortune 50 company? No? Then you have no business dealing with Exchange, just go to Office 365.
I forgot to mention something essential all mailboxes are already in Office 365.
My apologies!.
We don’t want to have any servers on-premises and therefore we were looking to phase out the on-premises Exchange 2016 DAG and replace it with an Exchange 2016 server in Azure by following your installation steps. The Exchange 2016 server in Azure would function as the “last on-premises” server, connected via VPN to our office.
Ah, as a hybrid-only/management front end that would probably be okay.
Hi Alex,
Thanks for writing this blog. I do have one question. We have an Exchange 2010 hybrid and all mailboxes have been migrated to Exchange Online, and MX records and routing have all been changed to use Office 365. We want to introduce one Exchange 2016 box for management before we decommission our 4 Exchange 2010 boxes. Do we need to introduce the new Exchange 2016 server, set the SCP to NULL for Autodiscover and then run the HCW? Or do we also need to do Step 3 and Step 4 as well? Also, do we need to run the HCW at all if only using it for management?
Thanks in advance
Harry
The HCW should be run on the new system because it will update the hybrid configuration object. But after that you should not need to even publish the hybrid server to the outside world–just keep in 100% internal for management. I just follow the process I documented in my own article every time I have to do this. (One of the main reasons I keep this blog is because my own memory banks have limits.)
And actually, it is time to question whether you really want to maintain hybrid anymore, or just move to 100% cloud-managed.
Hi Alex, Thank you for this great article!
We are running hybrid Exch2010 and all mailboxes have been migrated to O365. I just finished installing Exch2016 and am trying to follow your instructions to migrate to Exch2016. I have 2 questions and would like to know your answers:
1. Autodiscover is pointing to https://exch2010.company.com/Autodiscover/Autodiscover.xml. Do I need to Set-ClientAccessServer on Exch2016 to the same Autodiscover URL, https://exch2010.company.com/Autodiscover/Autodiscover.xml? The reason I am asking is because we will decom the old Exch2010.
2. Why do I need to update send connectors if I will remove them when I uninstall Exch2010 (Get-SendConnector | Remove-SendConnector)?
Thank you and looking forward to your reply
1. Normally you would have an alias such as mail.company.com not the server name, then you just update the DNS entry to point at the new server; but you can change the autodiscover to the cloud (autodiscover.outlook.com) and remove the SCP if all mailboxes are in the cloud. That way you do not need Exchange exposed via the firewall anymore, either.
2. You would want to “get” the send connectors on the old server only, so you would need to specify the server name there so that you do not remove ALL connectors on both 2010 and 2016 servers.
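Both this answer and the earlier one about "get-sendconnector | remove-sendconnector" come down to the same scoping problem: send connectors are organization-level objects, so filtering by server has to be done on the SourceTransportServers list rather than with a -Server parameter (Get-SendConnector has none). The following is an added example, not the author's command, that previews which connectors reference the old server and then either drops it from the source list or removes the connector, leaving the HCW-created "Outbound to Office 365" connector on the 2016 box untouched. Server names are hypothetical; run it in the Exchange Management Shell.

```powershell
# Added example, not the author's code: remove only what the old server owns.
$oldServer = "EX2010"

# Preview first. Nothing below this line changes anything until the foreach.
$candidates = Get-SendConnector | Where-Object {
    $_.SourceTransportServers.Name -contains $oldServer
}
$candidates | Format-Table Name, Enabled, AddressSpaces, SourceTransportServers -AutoSize

# Connectors that do NOT mention the old server are unaffected and are listed here
# only so you can see that the hybrid connector is among them.
Get-SendConnector | Where-Object { $_.SourceTransportServers.Name -notcontains $oldServer } |
    Format-Table Name, SourceTransportServers -AutoSize

foreach ($c in $candidates) {
    $remaining = @($c.SourceTransportServers | Where-Object { $_.Name -ne $oldServer })
    if ($remaining.Count -gt 0) {
        # Shared with a surviving server: keep the connector, drop the old source.
        Set-SendConnector -Identity $c.Identity -SourceTransportServers $remaining
        "Kept '{0}', source servers now: {1}" -f $c.Name, ($remaining.Name -join ', ')
    }
    else {
        # Only the old server could send through it. Hybrid mail flow is not affected
        # because the HCW connector's source is the 2016 server, not this one.
        Remove-SendConnector -Identity $c.Identity -Confirm:$false
        "Removed '{0}'" -f $c.Name
    }
}

# Receive connectors are per-server and disappear with the uninstall, but list the
# old server's relay connectors now so their RemoteIPRanges can be recreated on 2016.
Get-ReceiveConnector -Server $oldServer |
    Where-Object { $_.PermissionGroups -match "AnonymousUsers" } |
    Format-Table Name, RemoteIPRanges, AuthMechanism -AutoSize
```

Setup's uninstall refuses to run while the server is still the source of any send connector, so the loop above is also the fix for the "cannot uninstall" errors people hit at Step 8, without the collateral damage of removing every connector in the org.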
Hi Alex,
Thanks for the great article.
I am also planning to upgrade my environment from Exchange 2010 Hybrid to Exchange 2016.
I just want to make sure: can we use a different namespace for OnPremisesSmartHost? When I configured Exchange 2010 hybrid I used mail.xyz.com, so now while configuring hybrid with Exchange 2016 can I use mailnew.xyz.com? Or do we need to go with the same namespace that I used in the Exchange 2010 hybrid configuration?
I will point mailnew.xyz.com to my new exchange 2016 servers.
If it were me I would just reuse the same name and then update the DNS records after the upgrade is complete. Some on-prem apps may be using an IP too so keep that in mind as well. Any connectors have to be re-created and the allowed IP’s added to the connector on the new server.
Hi Alex,
We have an on-prem DAG with two physical EX13 Hybrid servers with O365.
We want to replace the DAG and these two EX13 servers with one virtual EX16 Hybrid server to do O365 Management and SMTP relay of internal Apps.
We would like to also use the free Hybrid license.
If the free hybrid license doesn’t support having databases on the EX16 server, what happens to all of the SearchResults, DiscoverySearch, and Arbitration (SystemMailbox, FederatedEmail, Migration) mailboxes on the EX13 server? Do I delete them?
Do I need these System and Arbitration mailboxes on the EX16 hybrid server, in which case would I then need a database and the free license can’t be used?
Don’t overthink it. The free license is good up to Exchange 2016, and just having the arbitration, etc. doesn’t invalidate the license or anything like that. It is also not possible to deploy 2016 without the mailbox database role (it’s just one role). You are not using the mailbox database for anything; you are good to go.
Hi Alex, you’ve helped me a lot already, but now almost at the end of the migration I’ve another question I hope you’re willing to answer.
In the final step, running the HCW again, you write: using the true FQDN otherwise it may fail.
But we don’t have anything published. As you can read back, no publishing or other open ports were necessary if you only want the Hybrid server as management tool. But we are federated and Get-Hybridconfiguration shows the old hybrid server, at least in Receiving and Sending TransportServers.
So how can I run the HCW safely? Just fool it by editing the hosts file?
Are there other considerations with federation?
Hope you will answer these questions.
Running HCW is very low-risk activity. It should work fine and update the HCW config. Internally make sure DNS is working and resolving the name you want to have represent the server.
When activating the free hybrid license, does the scope include only Exchange Server or does it also activate Windows Server (OSE)? Put another way, does the customer need to cover the Windows Server license to make use of the “free” hybrid Exchange server given that the Windows Server will have only one role?
Thanks for the great info!
Yes that is true, the underlying OS is not included. If you have Datacenter (unlimited VM’s) then it matters a bit less, but with Standard (2x VM’s/license) then you might come out needing an additional license, depending on how many other roles you have out there. Some folks just slap the management UI on another existing server. Even a DC (although not “recommended” it is still supported by MSFT, and the best way to mitigate the risks with that are to simply not publish the EAC through the firewall).
Hi Alex, thanks for this great article.
I have an environment where all the mailboxes are in O365, migrated with the cutover method, and they synchronize passwords and directories with Azure AD Connect; we maintain an Exchange Server 2013 as SMTP relay. My idea is to migrate to Exchange 2016 and run the HCW to make it hybrid.
Some questions:
– How do I know whether the current environment is hybrid? I guess it isn’t, and it has me sleepless.
– If I install a new Exchange 2016 and run the HCW, do I run any risk of affecting the mailboxes in the cloud?
What recommendations would you give me?
Thank you very much in advance.
Should be low risk to do the HCW after upgrading to 2016. I believe there is a cmdlet that allows you to get the hybrid configuration in the org if you want to check it out.
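The cmdlet the reply above is thinking of is Get-HybridConfiguration, and the same read-only checks answer the earlier question about Get-HybridConfiguration still listing the old hybrid server in its transport server properties. Below is an added example, not the author's script, that reports whether an org has ever completed the HCW, what it produced, and which server it currently names, without changing anything. It assumes the Exchange Management Shell on-prem; contoso.com is a hypothetical name.

```powershell
# Added example, not the author's code: read-only inventory of the hybrid state.
function Get-HybridInventory {
    $hc = Get-HybridConfiguration -ErrorAction SilentlyContinue
    if (-not $hc) {
        # Nothing to see: the HCW has never completed in this org. A cutover
        # migration with AAD Connect, as described above, leaves you here.
        return [pscustomobject]@{ Hybrid = $false }
    }

    [pscustomobject]@{
        Hybrid                    = $true
        Domains                   = ($hc.Domains -join ', ')
        Features                  = ($hc.Features -join ', ')
        SendingTransportServers   = ($hc.SendingTransportServers.Name -join ', ')
        ReceivingTransportServers = ($hc.ReceivingTransportServers.Name -join ', ')
        OnPremisesSmartHost       = $hc.OnPremisesSmartHost
        TlsCertificateName        = $hc.TlsCertificateName
    }
}

Get-HybridInventory | Format-List

# The other artefacts the HCW creates. If these exist but Get-HybridConfiguration
# lists a server you have already removed, the HCW needs re-running on the new box.
Get-FederationTrust | Format-List Name, ApplicationUri, TokenIssuerUri
Get-OrganizationRelationship | Format-List Name, DomainNames, TargetAutodiscoverEpr, Enabled
Get-SendConnector | Where-Object { $_.Name -like "Outbound to Office 365*" } |
    Format-List Name, SourceTransportServers, SmartHosts, TlsDomain, TlsAuthLevel
Get-ReceiveConnector | Where-Object { $_.Name -like "Default Frontend*" } |
    Format-List Identity, TlsDomainCapabilities

# Before re-running the HCW with a new server name, make sure that name resolves
# internally and to the server you expect; the HCW talks to it by FQDN.
$expected = "mail.contoso.com"
$resolved = Resolve-DnsName -Name $expected -Type A -ErrorAction SilentlyContinue
if (-not $resolved) { "$expected does not resolve internally; fix DNS before running the HCW" }
else { $resolved | Select-Object Name, IPAddress }
```

None of this touches the tenant, which is the answer to the "will it affect my cloud mailboxes" worry: the HCW writes connectors, an organization relationship and the HybridConfiguration object; it does not move or modify mailboxes.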
Hi Alex,
we have migrated all mailboxes off from an Exchange2010 server with the minimal hybrid solution. It has thus not created connectors (no full hybrid)
Mail flow is routing directly to O365 , also the server is not a virtual smtp server anymore for printers or apps.
We want to introduce a new Exchange2016 server just for management purposes.
Do we need to run the HCW as this is just a management server ?
kind regards,
Filip
Would it be 100% necessary? Probably not… but I would do it anyway, just to keep the config current/supported.
Hi Alex, thank you for this excellent article.
I have a legacy environment where all mailboxes are in the cloud and passwords are synchronized with Azure AD Connect, but they eliminated the Exchange servers (deleting the VMs). I am currently modifying attributes to manage mailboxes; can I install Exchange 2016 from scratch and run the HCW without risk? Should I respect the name of the organization that I see in the ADSI Edit tool?
The idea is to install EXCH16 with the hybrid license for administration only. Should I extend the schema and prepare the domain? I understand that I must install the EXCH mailbox role and run the HCW; should I also configure Azure AD Connect? Any recommendations that you can give me?
Thank you very much again.
Yeah, I think you could try adding a 2016 server if the old version that was deleted was at least 2010. I am not sure what risks are present with deleted servers of earlier versions (never removed properly); my guess is that the risk is fairly low, and I suspect the 2016 setup will bark at you if it runs into a problem (then see what the error is and follow the breadcrumb trail).
Alex, thanks for your answer. The Exchange servers eliminated were a 2007 that had been migrated to a 2013, and this server. In theory the administration should be in the 2013 server. But according to the legacy, there was no hybrid management, only password hash and objects through Azure AD Connect.
I still have doubts about taking a wrong step: do you recommend starting the installation of Exchange 2016 along with the schema, or first extending the schema for Exchange 2016 and then starting with the installation?
Thanks again.
The installation always requires the schema update first. As long as Outlook Anywhere is disabled and Autodiscover is null or redirecting to Exchange Online, you should be good to go; all email clients attach to the cloud rather than the local server, right? So all you are doing on-prem is implementing a “front end” management UI. Attributes on-prem should be double-checked to make sure they match the cloud (email aliases, primary SMTP, etc.).
Many thanks Alex, that’s correct, all clients attach to the cloud. The old Exchange 2013 was used for migrating mailboxes to the cloud and running SMTP for service accounts and scanners; then the VM was deleted (apparently). Last question: after installing Exchange 2016, must I change Azure AD Connect to hybrid Exchange, or run the HCW tool in express mode?
thanks a lot
Yes, you can run the HCW to update hybrid configuration object after the new server is installed.
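Added example (editor's note, not part of the original comment thread): the checks Alex refers to above, run from the Exchange Management Shell on the new 2016 server before re-running the HCW. Get-HybridConfiguration shows whether the org has ever been hybrid-configured, Get-ExchangeServer shows which server objects (including stale ones from deleted VMs) the HCW will see, and the comparison function flags on-prem/cloud address mismatches. The mailbox name, domains and address lists are placeholders; the cloud address list is a constructed sample standing in for an export from the tenant.

```powershell
# Editor's added example. Run in the Exchange Management Shell on the 2016 server.

# 1. Has a HybridConfiguration object ever been created? (No output = never configured.)
Get-HybridConfiguration | Format-List Name,ClientAccessServers,SendingTransportServers,ReceivingTransportServers,Domains,Features

# 2. Every Exchange server object still present in AD; stale entries for deleted VMs
#    show up here and are what the HCW (and Setup) will complain about.
Get-ExchangeServer | Format-Table Name,AdminDisplayVersion,ServerRole -AutoSize

# 3. On-prem vs. cloud proxy addresses. AAD Connect makes the on-prem object authoritative,
#    so an alias that exists only in the cloud must be added on-prem or it will be lost.
function Compare-ProxyAddressSet {
    param(
        [Parameter(Mandatory)][string[]]$OnPrem,
        [Parameter(Mandatory)][string[]]$Cloud
    )
    # Only SMTP entries matter for mail flow; case-fold them and de-duplicate.
    $op = @($OnPrem | Where-Object { $_ -match '^smtp:' } | ForEach-Object { $_.ToLower() } | Sort-Object -Unique)
    $cl = @($Cloud  | Where-Object { $_ -match '^smtp:' } | ForEach-Object { $_.ToLower() } | Sort-Object -Unique)
    # The primary address is the one written as upper-case "SMTP:"; compare it case-sensitively.
    $primaryOnPrem = [string]($OnPrem | Where-Object { $_ -cmatch '^SMTP:' })
    $primaryCloud  = [string]($Cloud  | Where-Object { $_ -cmatch '^SMTP:' })
    [pscustomobject]@{
        OnlyOnPrem     = @($op | Where-Object { $_ -notin $cl })
        OnlyInCloud    = @($cl | Where-Object { $_ -notin $op })
        PrimaryMatches = ($primaryOnPrem -ceq $primaryCloud)
    }
}

# Real on-prem input for a given user (placeholder alias):
# $onPremAddresses = (Get-RemoteMailbox jdoe).EmailAddresses | ForEach-Object { $_.ProxyAddressString }

# Constructed sample: the tenant carries an alias the on-prem object lacks.
$onPremAddresses = @('SMTP:jdoe@contoso.com', 'smtp:jdoe@contoso.mail.onmicrosoft.com', 'SIP:jdoe@contoso.com')
$cloudAddresses  = @('SMTP:jdoe@contoso.com', 'smtp:john.doe@contoso.com', 'smtp:jdoe@contoso.mail.onmicrosoft.com')

$diff = Compare-ProxyAddressSet -OnPrem $onPremAddresses -Cloud $cloudAddresses
$diff   # OnlyInCloud = smtp:john.doe@contoso.com ; PrimaryMatches = True

# Fix the on-prem object so the next sync does not strip the cloud-only alias (placeholder alias):
# Set-RemoteMailbox jdoe -EmailAddresses @{add = 'smtp:john.doe@contoso.com'}
```

Run the comparison for every remote mailbox before the HCW, not after: once AAD Connect syncs an object whose on-prem proxyAddresses are missing an alias, the cloud copy loses that alias.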
This is one of the better articles I have come across on upgrading an Exchange 2010 Hybrid environment to Exchange 2016 Hybrid.
One thing I am seeing – while I am running the Exchange 2016 setup wizard, I am presented with a dialog stating “Setup has detected that you’ve configured a hybrid deployment with Office 365. Setup must verify that your Office 365 tenant is ready for a hybrid deployment with Exchange Server. Enter the credentials for your Office 365 tenant, and then Setup will verify that your tenant supports Exchange Server in your on-premises organization. Enter the credentials of an Office 365 account that’s a member of the Organization Management role group”
I am a little confused… if it sees that we have a hybrid config already (Exchange 2010 Hybrid, Azure AD Connect, ADFS, all mailboxes migrated to Exchange Online a long time ago, etc.)… then why does it need to check if our organization is ready? And – whatever credentials I provide – I assume that MFA accounts can’t be used. And will these creds be used like a service account? Or is this just a one time use… like it will just use these creds one time to check stuff?
I know this is an older post… so hope you see this question!
Thanks
Yes, it would be a one-time deal when it reads the config online (and it should support a modern auth prompt, I assume). Not sure why it wants that, but yeah.
Thank you for this great article. We have been running in Hybrid Exchange 2010 with Office365 for a few years now. Having the On-prem AD, we kept the Exchange 2010 and have been using it as part of Authority Source, to create MailUser/DistroGroups and all this would be synced to Office365 (exchange online) where UserMailboxes are and all data.
At this point, we want to upgrade hybrid 2010 to hybrid 2016 Exchange, before upgrading DCs (2008 R2 towards 2019). Considering our Exchange 2010 is only used for management purposes, is there anything different we should do during the upgrade process?
Nope. That just makes it easier because you don’t have to worry about moving relays, etc.
hi Alex,
A great article you’ve there. Thanks for sharing.
I have a question if you don’t mind helping.
We are already running Exchange 2016; we had it before we went into Hybrid Mode.
Can I perform the same steps above, build a server, install Exchange 2019 and get rid of all Exchange 2016 servers without affecting anything?
2016 is the last version approved for the “free hybrid” license. The speculation on the street is that they will have, before the end of life for 2016, a new announcement about removing the need for hybrid altogether, though what that looks like is not yet known. I do not believe the goal will be to have 2019 hang around as a hybrid server though.
Thanks for getting back to me, Alex.
Set aside the license costs. Is it doable with Exchange 2019?
Or Can I build another server with Exchange 2016 and move all Exchange roles to it?
Thanks
I am not sure about hybrid with 2019; I have never set one up. Usually I am moving folks from on-prem, to cloud, and coming from something older than 2019. The goal in SMB is generally to get rid of servers, and I think we are getting close to being able to do away with the legacy hybrid stuff (timeframe unknown but again I would suspect before end of life on 2016).
Yeah. I won’t touch it if I don’t have to.
Unfortunately, I cannot migrate the servers (exchange 2016) from HyperV to Nutanix.
I will submit a job with Microsoft and see what they advise.
Thanks again.
I heard back from Microsoft.
This is what they’ve advised:
Exchange 2019 supports hybrid deployments with Microsoft 365 or Office 365 organizations that have been upgraded to the latest version of Microsoft 365 or Office 365. Currently, there is no plan to discontinue hybrid setup especially on the latest exchange server OS.
Hi Alex.
First of all: thank you for your great guide! It was really useful and practical.
We have been running a hybrid config with an old Exchange 2010. All mailboxes live in Office365 now.
All we needed the old 2010 box for is AAD Connect / legacy management. So no real hybrid mail flow anymore, but we do need AAD Connect.
I installed a new Exchange 2016 and got to step 8. This is where I am a little confused. The new Exchange 2016 works great and we want to get rid of the old 2010. You point to your own article (removing it from SBS2011).
But there you say: “Therefore, only proceed with the below if you are positive that you do not have a hybrid connection, and/or Directory Synchronization in place.”
But we do (the new 2016) and don’t want to lose that? Won’t uninstalling the old 2010 remove the AAD-connect/DirSync?
For the 2010 box, do not use the commands as written, as those get ALL connectors across all servers, etc. and remove them. Instead, just remove the connectors, etc. from the 2010 server specifically before running the uninstall.
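Added example (editor's note, not part of the original comment thread): one way to do the server-scoped connector cleanup Alex describes, so that only objects hosted on the 2010 server are touched and the org-wide send connectors the 2016 server uses survive. Run in the Exchange Management Shell; OLD2010 and NEW2016 are placeholder server names.

```powershell
# Editor's added example: remove only what lives on the 2010 server before uninstalling it.
$old = 'OLD2010'
$new = 'NEW2016'

# Receive connectors are per-server objects, so -Server scopes the removal safely.
Get-ReceiveConnector -Server $old | Format-Table Identity,Bindings,RemoteIPRanges -AutoSize
Get-ReceiveConnector -Server $old | Remove-ReceiveConnector -Confirm:$false

# Send connectors are org-wide. Never delete one just because the old server is listed on it;
# instead take the old server out of SourceTransportServers. If it was the only source, hand the
# connector to the 2016 server so outbound/relay flow keeps working.
foreach ($sc in Get-SendConnector) {
    $sources = @($sc.SourceTransportServers | ForEach-Object { $_.Name })
    if ($sources -notcontains $old) { continue }            # not hosted on the old box: leave it alone
    $remaining = @($sources | Where-Object { $_ -ne $old })
    if ($remaining.Count -eq 0) { $remaining = @($new) }    # sole source was the old box: re-point it
    Set-SendConnector -Identity $sc.Identity -SourceTransportServers $remaining
    Write-Host ("{0}: source servers now {1}" -f $sc.Name, ($remaining -join ', '))
}

# Nothing should reference the old server any more; both commands should return no objects.
Get-SendConnector | Where-Object { @($_.SourceTransportServers | ForEach-Object { $_.Name }) -contains $old }
Get-ReceiveConnector -Server $old
```

The difference from the "get everything and remove it" commands in the SBS article is the `-Server $old` filter on receive connectors and editing `SourceTransportServers` rather than removing send connectors: the hybrid object, the Exchange Online connectors and AAD Connect are never touched.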
Hi Alex,
Thanks for this awesome article. We have a hybrid Exchange 2010 on-prem environment that is only used for onboarding; then, in the event an employee leaves, we will offboard the mailbox back on-prem for a period of time until we can get rid of it. I am curious if we were to move to a free hybrid-only license and lose the ability to host mailboxes, would we then lose the ability to first create the mailbox on-prem and then migrate it to O365 like we do currently? I can’t find any clear direction on how onboarding works.
It is unnecessary to create on-prem first. Just create a user, let it sync to cloud, then add license (which provisions mailbox). Some folks script this process too, but otherwise just make a checklist.
Yes, at that point the mailbox will be provisioned in the cloud upon assigning the o365 license.
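Added example (editor's note, not part of the original comment thread): one scripted version of the onboarding flow Alex outlines, using New-RemoteMailbox on the hybrid server so the AD user is created with its mail attributes and targetAddress already pointing at the tenant, after which AAD Connect syncs it and the license provisions the cloud mailbox. Domain names, OU, SKU and account names are placeholders.

```powershell
# Editor's added example. Steps 1-2 run in the Exchange Management Shell on the hybrid server;
# step 3 runs on the AAD Connect server; step 4 needs the Microsoft Graph PowerShell module.
$routingDomain = 'contoso.mail.onmicrosoft.com'   # placeholder: the tenant's coexistence domain
$targetOu      = 'OU=Staff,DC=contoso,DC=com'      # placeholder OU that AAD Connect is syncing

function New-CloudUser {
    param(
        [Parameter(Mandatory)][string]$First,
        [Parameter(Mandatory)][string]$Last,
        [Parameter(Mandatory)][string]$Alias,
        [Parameter(Mandatory)][securestring]$Password
    )
    $upn = "$Alias@contoso.com"
    # 1. Creates the AD user and stamps the Exchange attributes (mailNickname, proxyAddresses,
    #    targetAddress = RemoteRoutingAddress) that Exchange Online needs to see on sync.
    New-RemoteMailbox -Name "$First $Last" -FirstName $First -LastName $Last -Alias $Alias `
        -UserPrincipalName $upn -SamAccountName $Alias -Password $Password `
        -OnPremisesOrganizationalUnit $targetOu -RemoteRoutingAddress "$Alias@$routingDomain"
}

$pw = Read-Host -AsSecureString 'Initial password'
New-CloudUser -First 'Jane' -Last 'Doe' -Alias 'jdoe' -Password $pw

# 2. Sanity-check what will be synced.
Get-RemoteMailbox jdoe | Format-List PrimarySmtpAddress,RemoteRoutingAddress,EmailAddresses

# 3. On the AAD Connect server: push a delta sync instead of waiting for the 30-minute cycle.
# Start-ADSyncSyncCycle -PolicyType Delta

# 4. Once the user is visible in the tenant, assign the license; the mailbox is provisioned
#    automatically. UsageLocation is required before any license can be assigned.
# Connect-MgGraph -Scopes 'User.ReadWrite.All','Organization.Read.All'
# $sku = Get-MgSubscribedSku | Where-Object SkuPartNumber -eq 'ENTERPRISEPACK'   # placeholder SKU
# Update-MgUser -UserId 'jdoe@contoso.com' -UsageLocation 'US'
# Set-MgUserLicense -UserId 'jdoe@contoso.com' -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()
```

Creating the object with New-RemoteMailbox (rather than a plain New-ADUser) is what keeps the on-prem management server useful: the attributes are written once, correctly, and later edits go through Set-RemoteMailbox instead of ADSI Edit.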
Hi Alex – hoping you can help me out. With the new 2019 CU release we were hoping to finally remove Exchange 2010. We have had all our mailboxes in O365 for many years and did the migration using BitTitan. We never used Exchange hybrid at all. Have had no issues at all. The directions in the new CU said you have to first get to Exchange 2016 and then can use the directions here (https://techcommunity.microsoft.com/t5/exchange-team-blog/released-2022-h1-cumulative-updates-for-exchange-server/ba-p/3285026#comments) to finally remove Exchange on-prem. Using the directions here I installed Exchange 2016, but now have users getting the certificate error when they open Outlook from the 2016 server and also getting “Outlook is unable to connect to the proxy server, error code 20” for the old 2010 Exchange server. Also, users cannot open a shared calendar that they have access to; it just says network problems are preventing connection to the Exchange server. I have done no other steps except to install 2016. There is no SCP on the old server and I don’t think I need to do the other steps since we haven’t used the 2010 server in years. Do I just need to uninstall the 2010 server and then run the Hybrid Configuration Wizard? Thanks for any help.
Make sure you have no Autodiscover SCP and no Outlook Anywhere enabled on-prem. If you have all mailboxes in O365 then that is simply not needed on-prem. Be advised that we now have the option to remove the last Exchange server, so that is also an option for some organizations who want to take it (you don’t need to keep one anymore). Otherwise, if you want to keep the hybrid Exchange server on-prem you can do so with a single server, usually the newest one, and all others would be removed. For more info on removing the last Exchange server, see: https://practical365.com/removing-the-last-exchange-server/
Thanks Alex – We had removed the SCP for the Exchange 2010 server when we migrated to O365, but then when we just installed the new Exchange 2016 server it created a new SCP for itself, which was causing the problems. We deleted the SCP and that solved the issue. We plan on uninstalling Exchange 2010 and then running the Exchange 2019 AD schema prep and installing the 2019 tools as described here – https://techcommunity.microsoft.com/t5/exchange-team-blog/released-2022-h1-cumulative-updates-for-exchange-server/ba-p/3285026. Then run the script to be able to shut down and remove (not uninstall) the Exchange 2016 server. Thanks for your help.
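Added example (editor's note, not part of the original comment thread): the Autodiscover SCP and Outlook Anywhere checks that resolve the symptom in the exchange above. A freshly installed Exchange 2016 server registers its own serviceConnectionPoint in the configuration partition, and domain-joined Outlook queries that SCP before DNS, so clients are sent to an on-prem server that hosts none of their mailboxes. Run in the Exchange Management Shell (the AD lookup additionally needs the ActiveDirectory module); NEW2016 is a placeholder server name.

```powershell
# Editor's added example: find, clear (or redirect) the SCP the 2016 Setup created.
$new = 'NEW2016'

# What each on-prem server currently advertises. For a cloud-only mailbox estate this should be
# empty or point at Exchange Online, never at an on-prem server.
Get-ClientAccessService | Format-Table Name,AutoDiscoverServiceInternalUri -AutoSize

# Option A: stop advertising an SCP at all (clients fall back to DNS -> autodiscover.outlook.com).
Set-ClientAccessService -Identity $new -AutoDiscoverServiceInternalUri $null

# Option B ("redirecting to Exchange Online"): keep an SCP but point it at the tenant.
# Set-ClientAccessService -Identity $new -AutoDiscoverServiceInternalUri `
#     'https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml'

# Verify the effect where Outlook actually looks: the SCP objects under the configuration
# partition. The keyword GUID is the well-known Autodiscover SCP marker.
$cfgNc = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase $cfgNc -Properties serviceBindingInformation,keywords `
    -LDAPFilter '(&(objectClass=serviceConnectionPoint)(keywords=77378F46-2C66-4aa9-A6A6-3E7A48B19596))' |
    Format-List Name,serviceBindingInformation

# Outlook Anywhere cannot be switched off on 2013/2016 the way Disable-OutlookAnywhere did on 2010,
# so confirm it is simply not reachable from outside: no public DNS name, not published at the firewall.
Get-OutlookAnywhere -Server $new | Format-List Server,ExternalHostname,InternalHostname,ExternalClientAuthenticationMethod
```

The SCP clean-up has to be repeated every time a new on-prem server is installed, because Setup always registers one; the comment above is a textbook instance of that.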
Hi there. Thanks for this step-by-step. Very helpful. I do have a question. As Ex2019 is out and now available for hybrid only, I am trying to upgrade my Ex2013 to 2019… so I have Ex2019 installed on a server, and it appears everything is working. I haven’t worried about transferring my certs over yet (I will probably create new self-signed ones, as this won’t be public facing anymore, and only used for admin). In any case, I digress…
The question I have is, you mention that the HCW should detect that you already have a hybrid config, and prompt you to upgrade it. Mine does not. When I go through it, it selects the new server as the best option, which is great, and as I navigate through, it prompts me to configure various things. Server names are defaulted to the old one, so I manually change to the new one…but I have not configured it yet, as I understood that it would prompt me to upgrade my current config, and that is not an option that was presented to me.
Also, I have not yet uninstalled 2013, as I am a little afraid to :)
One more thing. I am not using any connectors, as no email is flowing via my on-prem. We have a 3rd-party spam filter, and it is configured to relay direct to our MS365 tenant, and email is sent direct from MS for outgoing… all of our devices that need SMTP send direct through our MS365 tenant. So, when I got the certificate page in the HCW, that doesn’t really matter, does it? There is no official purchased cert displayed, just a self-signed one. I assume I can use that, or create my own self-signed one, correct?
Sorry for the novel :)
Have a great day!
Hello Alex,
My setup is hybrid with all mailboxes in O365.
On-prem we have 2 x 2013 servers used for management and mail relay.
I would like to add 2 x 2019 servers to initially run concurrently with the 2013 ones then move all apps and services that use relay from 2013 to 2019.
My question is:
Can I configure the new 2019 boxes’ connectors, certs etc. the same as the 2013 > test email relay and mailbox management > if all OK > move all apps to use 2019 as mail relay > power off 2013 servers (test nothing is pending) > and then run the HCW?
Or do I need to run the HCW after the new 2019 servers are in coexistence?
And then run the HCW again after decommissioning the 2013 boxes?
The HCW scares me a lot! I’m afraid to lose connection to O365… Thanks, M