Exchange Hybrid Configuration Wizard step by step guide (2023)

Deploying a hybrid environment is one of the most complicated tasks a system administrator faces during migration to Office 365. It might take weeks of collecting data about the infrastructure, reading publications, planning migration stages and testing. What is more, even with all this effort, there is no guarantee that everything will turn out just fine. This article gives a step by step guide to getting through the Exchange/Office 365 Hybrid Configuration Wizard (HCW). After that, I give an insight into what actions the HCW performs in the background. Finally, the last section is a guide on how to analyze logs and solve problems connected with deploying a hybrid environment.

To go straight to an activity performed by Hybrid Configuration Wizard, click on one of the links below:

1. Validating On-premises and Online Exchange Connection
2. Collecting data about Exchange configuration from the on-premises Active Directory
3. Collecting information on the Exchange online (Office 365) configuration
4. Creating new Federation Trust and the required certificate in the local Exchange
5. Creating new Hybrid Configuration Object in the local Active Directory
6. Changing settings of on-premises Exchange server
7. Configuring Organization Relationship between the local server and the cloud
8. Setting connectors on both Exchange servers
9. Enabling MRS Proxy
10. Configuring OAuth

Exchange/Office 365 Hybrid Configuration Wizard

Configuring your environment using the Exchange Hybrid Configuration Wizard is one of the most critical moments before the actual migration. This tool is used to configure your local domain and Office 365 tenant, so that your on-premises Exchange can merge with Exchange Online, resulting in the creation of a single, hybrid organization.

Before you run the HCW, you need to prepare:

• Credentials of an on-premises Exchange user who is a member of the Domain Admins security group
• Credentials of the Office 365 Global Administrator
• Office 365 plan which supports hybrid deployment (Enterprise, Government, Academic or Midsize)

The Wizard can be started from Exchange Admin Center (EAC) by going to the “hybrid” tab.

Clicking on the “configure” button redirects you to the Office 365 login page. To continue, you have to enter your tenant’s global administrator credentials. By default, administrator’s login has the following format: [emailprotected] In a few seconds, a page with a download link should appear:

Clicking on the link will start the download of the Office 365 Hybrid Configuration Wizard Installer. The HCW installation should start automatically. If the installation does not start on its own, just run the recently downloaded installer and follow the steps on the screen.

At this stage, the installation process should be completed, and ashortcut to the HCW should have appeared on the desktop. The Wizard should start automatically. If not, run it using the shortcut.

On the next screen, the wizard either searches automatically for the right Exchange server or waits for the user to specify it. In Exchange 2010 or Exchange 2013 it must point to the server with the Client Access Server Role. Another option is to set the location from which the Office 365 is hosted for the company. In most cases, it is Office 365 Worldwide.

At this point, you need to enter credentials of your on-premises admin and its cloud counterpart.

After entering the credentials, the Wizard attempts to log into each server using PowerShell. It is done in order to verify that the credentials, necessary for the Hybrid deployment to be completed, are valid.

Note that in this step, there is an option to “use current Windows credentials”. If the on-premises admin validation does not work, you should unmark the checkbox and enter the right user’s credentials manually.

The next step is setting up Federation Trust. Federation Trust is a required feature for the full Hybrid deployment. It enables sharing calendar free/busy information within a Hybrid environment, between all users.

Here, the Office 365 Hybrid Configuration Wizard lists your domains along with information if the Autodiscover service is available. From the domains’ list, you have to choose your public domain or domains, remembering that Autodiscover has to be configured correctly for them. At this stage, you will also need to prove you are the domain’s owner. For each domain there, a token is generated.

In your DNS, you have to create a TXT record for each of your domains, with a value corresponding to the token generated in the HCW. After having created the TXT records, you should wait for a while so that the records propagate throughout the network. When the TTL (time to live) has passed, click on “I have created a TXT record for each token in DNS” and “verify domain ownership”. The Exchange Hybrid Configuration Wizard will check whether the tokens are visible on your domain’s DNS. After the verification is complete, go to the next screen.

Now the HCW asks you how the connection between Exchange online and Exchange on-premises should be established. The first choice depends on whether you have Microsoft Edge Server or not. The next option – “Enable centralized mail transport” enables your on-premises Exchange server to function as a smart host. Thanks to that, all outbound emails sent from Office 365 have to go through the on-premises server. It gives the possibility of central management of mail flow rules and signatures throughout the company. All from one place and applied to every mail, regardless of the source of the email.

In the next window, you choose the server which is to receive emails sent from Office 365. The server should have appropriate SMTP certificate on port 25. This port also cannot be blocked by any firewall software or by the router. You can easily check which certificate does your server have with the help ofthis site.

The next step is determining on which server a Send Connector will be. Remember that the public IP address of your Exchange server should point to its internal IP address. Apart from that, the server should have its SPF (Sender Policy Framework) record configured. The PTR record should resolve the IP address to the hostname present in the certificate for SMTP service. The name is usually in format “smtp.domain.com”, or “mail.domain.com”.

The Office 365 Hybrid Configuration Wizard will also ask you to identify the Transport Certificate between on-premises Exchange and Office 365. The certificate is used to ensure secure communication between those servers.

The last step is entering the fully qualified domain name (FQDN) for the on-premises organization. FQDN is resolved to the public IP address and enables mails to be routed to the on-premises Exchange. On this address, the Exchange server is listening on port 25 and 443 (EWS, OWA). FQDN’s format usually is like in this example: mail.domain.com.

After pressing the “next” button, the HCW starts connecting the Office 365 with the local Exchange into a single hybrid organization.

If everything goes well and the Wizard does not encounter any difficulties, the following window will show:

Easy, right? However, this is where most admins wonder what was changed in their infrastructure and what to do to ensure that everything is in order.

Analyzing Hybrid Configuration Wizard logs (thorough analysis)

Hybrid Configuration Wizard, after taking input from the administrator, performs a series of activities divided into several workflows. Information on the execution of those tasks can be viewed in the wizard’s log. The log is in the following location:

%AppData%\Roaming\Microsoft\Exchange Hybrid Configuration

In this localization, there should be three files. The most important one is the txt file.

By analyzing the txt file, you can check every task performed by the Wizard. For example, you can check if the Wizard finished activity successfully and how much time did it spend on it. Also, in most cases, you can learn what kind of cmdlet was used to achieve it. The HCW normally executes the following activities:

1. Validating On-premises and Online Exchange Connection.

Simply speaking, the Hybrid Configuration Wizard checks if it is possible to connect to both servers with PowerShell. You can easily find the log entry which provides data on this activity by searching for the following phrase:

Activity=OnPremises Connection Validation and Activity=Tenant Connection Validation

It will come in handy whenever the HCW is unable to connect with On-premises Exchange or Exchange Online

2. Collecting data about Exchange configuration from the on-premises Active Directory

At this point, the Wizard gathers information about the local domain. In order to do that, the HCW executes a series of Get- cmdlets. You can check which cmdlets are used by searching for this phrase:

Activity=OnPremises Connection Validation, Session=OnPremises, Cmdlet=

As you can see in the log, HCW executed Get-OrganizationConfig command and managed to get one result, namely: “OrganizationConfig”.

3. Collecting information on the Exchange online (Office 365) configuration

This task repeats what has been done in the previous step, only for the Exchange online, instead of the on-premises one. The results can be found by typing the following phrase in the Find window:

Activity=Tenant Connection Validation, Session=Tenant, Cmdlet=

In the example, Get-AcceptedDomain returned three results. It means that in this Office 365 tenant there are three domains. Their exact names are present just below the found phrase.

4. Creating new Federation Trust and the required certificate in the local Exchange:

In the log file, it can be found using this phrase:

Activity=Enable Federation Trust

If the activity is finished successfully, a new certificate should appear on the on-premises Exchange certificates’ list. The new certificate includes “Federation” in its Subject field. To make sure the certificate is there, you can run a cmdlet: Get-ExchangeCertificate. The results will look like this:

5. Creating new Hybrid Configuration Object in the local Active Directory:

The newly created object can be viewed in a few ways:

CN=Hybrid Configuration,CN=Hybrid Configuration,CN=<organization’s_name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain>,DC=<domain>

• Through Exchange Management Shell:

Get-HybridConfiguration

• In the HCW logs, by going to the following phrase:

Functionality=RunWorkflow, Workflow=Hybrid

In the screenshot, you can also see when the wizard executed the command “New-HybridConfiguration”.

6. Changing settings of on-premises Exchange server:

EmailAddressPolicy – adds address @tenant.mail.onmicrosoft.com

Configures remote domains – adds tenant.mail.onmicrosoft.com and tenant.onmicrosoft.com

Adds new accepted domain – adds tenant.mail.onmicrosoft.com

The data about those activities can be found between the following phrases:

[Functionality=RunWorkflow, Workflow=Hybrid, Task=Recipient] START

[Functionality=RunWorkflow, Workflow=Hybrid, Task=Recipient] FINISH

Changes can also be viewed with the following cmdlets:

Get-EmailAddressPolicy | FL Name,EnabledEmailAddressTemplates

Get-RemoteDomain

Get-AcceptedDomain

7. Configuring Organization Relationship between the local server and the cloud.

This configuration is not necessary in minimal hybrid deployment. Thanks to the correct configuration, it is possible to synchronize free/busy status of mailboxes’; elements between the on-premises Exchange and Exchange online. To find information on the task’s progress, you can search for the following phrase.

Functionality=RunWorkflow, Workflow=Hybrid, Task=OrganizationRelationship

Set- and New commands are executed on both servers to make synchronization possible.

To view all data about the Organization Relationship, use your PowerShell console:

Get-OrganizationRelationship

8. Setting connectors on both Exchange servers.

During this workflow, four connectors are set – one receive and one send connector for each server. Those connectors guarantee the mail flow between the on-premises and Exchange Online. Logs include information on this process under a phrase:

Functionality=RunWorkflow, Workflow=Hybrid, Task=MailFlow

The HCW also generates tables with information on receive and send connectors’ settings. The tables provide acomparison between the current and expected configuration. The table below presents settings of on-premises receive connector:

Another table compares actual and expected settings of send connector from on-premises Exchange to tenant.mail.onmicrosoft.com.

Cmdlets used during this stage for on-premises Exchange are:

• New-SendConnector
• Set-ReceiveConnector

And for Exchange Online:

• New-OutboundConnector
• New-InboundConnector

To sum up, if you choose “Centralized Mail Transport” option, the HCW should setup:

Two connectors in Exchange Online:

• Receive connector which identifies the organization by the name set in the TLS certificate
• Send connector which reroutes all communication through a smart host (local Exchange) that identifies itself with a certificate on port 25

Two connectors in on-premises Exchange:

• New send connector, which points to mail.onmicrosoft.com
• Default receive connector is not as much created, as modified, so that it accepts TLS connections.

9. Enabling MRS Proxy

MRS Proxy makes it possible to migrate mailboxes from and to Office 365. Usually, this step is done before launching the Hybrid Configuration Wizard. However, if you didn’t do that prior to launching the wizard, it will do it for you. You can see it doing this if turn to logs to phrase:

Functionality=RunWorkflow, Workflow=Hybrid, Task=MRSProxy

10. Configuring OAuth

To see how is the OAuth authentication configured, go to the phrase:

Functionality=RunWorkflow, Workflow=Hybrid, Task=IntraOrganization

A common error which occurs during this workflow is error HCW8064. It occurs whenever there is a problem with accessing the EWS virtual directory from the Internet. You can easily verify what seems to be the problem by using https://testconnectivity.microsoft.com/. On the site, choose test synchronization, notification, availability and automatic replies. Note that sometimes, despite the correct EWS configuration, the error still shows up. Then, usually restarting your Exchange server and re-launching Hybrid Configuration Wizard does the trick.

If nothing else works, you can perform manual configuration. Here is a Microsoft documentation on how to do it.

Summary

Even though Hybrid Configuration Wizard is quite simple to use, it performs some complicated tasks. Its primary task is to introduce changes in the Exchange Server infrastructure. In my opinion, it is worthwhile to look at what exactly happens, before creating a hybrid environment. This way, you will be able to predict where problems may arise. What is more, understanding the HCW logs gives an upper hand, as it lets you easily find out what is wrong and how to deal with it.

See also:

• How to merge an Office 365 account with an on-premises AD account after hybrid configuration?
• How to sync on-premises Active Directory to Azure Active Directory with Azure AD Connect?