Exchange Office 365 Hybrid Configuration Wizard

The document provides information about configuring a hybrid deployment between an on-premises Exchange server and Office 365 using the Exchange Hybrid Configuration Wizard (HCW). It describes the key steps in the process, including preparing credentials, running the HCW to configure the connection, and verifying the configuration by analyzing the logs the HCW generates during the process. The HCW configures settings like the federation trust and accepted domains to merge the on-premises and cloud organizations.

Uploaded by

Văn Hải
Copyright
© © All Rights Reserved

Exchange/Office 365 Hybrid Configuration Wizard

Configuring your environment using the Exchange Hybrid Configuration Wizard is one of
the most critical moments before the actual migration. This tool is used to configure your
local domain and Office 365 tenant, so that your on-premises Exchange can merge with
Exchange Online, resulting in the creation of a single, hybrid organization.

Before you run the HCW, you need to prepare:

• Credentials of an on-premises Exchange user who is a member of the Domain
Admins security group
• Credentials of the Office 365 Global Administrator
• Office 365 plan which supports hybrid deployment (Enterprise, Government,
Academic or Midsize)

The Wizard can be started from Exchange Admin Center (EAC) by going to the “hybrid” tab.

Clicking on the “configure” button redirects you to the Office 365 login page. To continue,
you have to enter your tenant’s global administrator credentials. By default, the administrator’s
login has the following format: [email protected]. In a few seconds, a
page with a download link should appear:

Clicking on the link will start the download of the Office 365 Hybrid Configuration Wizard
Installer. The HCW installation should start automatically. If the installation does not start on
its own, just run the recently downloaded installer and follow the steps on the screen.

At this stage, the installation process should be completed, and a shortcut to the HCW
should have appeared on the desktop. The Wizard should start automatically. If not, run it
using the shortcut.

On the next screen, the wizard either searches automatically for the right Exchange server or
waits for the user to specify it. In Exchange 2010 or Exchange 2013 it must point to the
server with the Client Access Server Role. Another option is to set the location from which
Office 365 is hosted for the company. In most cases, it is Office 365 Worldwide.

At this point, you need to enter the credentials of your on-premises admin and its cloud
counterpart.

After entering the credentials, the Wizard attempts to log into each server using PowerShell.
It is done in order to verify that the credentials, necessary for the Hybrid deployment to be
completed, are valid.

Note that in this step, there is an option to “use current Windows credentials”. If the
on-premises admin validation does not work, you should clear the checkbox and enter the
right user’s credentials manually.

The next step is setting up Federation Trust. Federation Trust is a required feature for the
full Hybrid deployment. It enables sharing calendar free/busy information within a Hybrid
environment, between all users.

Here, the Office 365 Hybrid Configuration Wizard lists your domains along with information
on whether the Autodiscover service is available. From the domains’ list, you have to choose your
public domain or domains, remembering that Autodiscover has to be configured correctly
for them. At this stage, you will also need to prove you are the domain’s owner. For each
domain there, a token is generated.

In your DNS, you have to create a TXT record for each of your domains, with a value
corresponding to the token generated in the HCW. After having created the TXT records,
you should wait for a while so that the records propagate throughout the network. When
the TTL (time to live) has passed, click on “I have created a TXT record for each token in
DNS” and “verify domain ownership”. The Exchange Hybrid Configuration Wizard will check
whether the tokens are visible on your domain’s DNS. After the verification is complete, go
to the next screen.

Now the HCW asks you how the connection between Exchange Online and Exchange
on-premises should be established. The first choice depends on whether you have Microsoft
Edge Server or not. The next option – “Enable centralized mail transport” – enables your
on-premises Exchange server to function as a smart host. Thanks to that, all outbound emails
sent from Office 365 have to go through the on-premises server. It gives the possibility of
central management of mail flow rules and signatures throughout the company, all from
one place and applied to every mail, regardless of the source of the email.

In the next window, you choose the server which is to receive emails sent from Office 365.
The server should have an appropriate SMTP certificate on port 25. This port also cannot be
blocked by any firewall software or by the router. You can easily check which certificate
your server has with the help of this site.

The next step is determining on which server a Send Connector will be. Remember that the
public IP address of your Exchange server should point to its internal IP address. Apart from
that, the server should have its SPF (Sender Policy Framework) record configured. The PTR
record should resolve the IP address to the hostname present in the certificate for SMTP
service. The name is usually in the format “smtp.domain.com” or “mail.domain.com”.

The Office 365 Hybrid Configuration Wizard will also ask you to identify the Transport
Certificate between on-premises Exchange and Office 365. The certificate is used to ensure
secure communication between those servers.

The last step is entering the fully qualified domain name (FQDN) for the on-premises
organization. The FQDN is resolved to the public IP address and enables mails to be routed to
the on-premises Exchange. On this address, the Exchange server is listening on ports 25 and
443 (EWS, OWA). The FQDN usually looks like this example: mail.domain.com.

After pressing the “next” button, the HCW starts connecting Office 365 with the local
Exchange into a single hybrid organization.
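
The DNS prerequisites named in the steps above (the TXT ownership token, the SPF record, and a PTR record that matches the name in the SMTP certificate) can be checked before running the wizard. The following is an added example, not part of the original document or of the HCW; the function name, the domain, the token and the IP address are constructed placeholders, and applying the SPF check to each listed domain is an assumption.

```powershell
# Added example. Domain, token and IP below are constructed placeholders.
function Test-HcwDnsPrereq {
    param(
        [Parameter(Mandatory)] [hashtable] $DomainTokens,  # domain -> TXT token shown by the HCW
        [Parameter(Mandatory)] [string]    $SmtpIp,        # public IP of the on-premises SMTP endpoint
        [Parameter(Mandatory)] [string]    $CertName,      # host name in the SMTP certificate
        # The lookup is injectable so the logic can be exercised without network access.
        [scriptblock] $Lookup = {
            param($Name, $Type)
            Resolve-DnsName -Name $Name -Type $Type -ErrorAction SilentlyContinue
        }
    )
    foreach ($domain in $DomainTokens.Keys) {
        # A TXT record may be split into several strings; join them before comparing.
        $txt = @(& $Lookup $domain 'TXT' | Where-Object { $_.Strings } |
                 ForEach-Object { $_.Strings -join '' })
        [pscustomobject]@{ Check = "TXT token for $domain"
                           Pass  = $txt -contains $DomainTokens[$domain] }
        [pscustomobject]@{ Check = "SPF record for $domain"
                           Pass  = [bool]($txt -like 'v=spf1*') }
    }
    # The PTR for the sending IP should name the host that appears in the SMTP certificate.
    $ptr = @(& $Lookup $SmtpIp 'PTR' | ForEach-Object { $_.NameHost })
    [pscustomobject]@{ Check = "PTR $SmtpIp resolves to $CertName"
                       Pass  = $ptr -contains $CertName }
}

# Constructed stub resolver standing in for real DNS answers.
$stub = {
    param($Name, $Type)
    switch ("$Type $Name") {
        'TXT contoso.example' {
            [pscustomobject]@{ Strings = @('v=spf1 mx -all') }
            [pscustomobject]@{ Strings = @('HCW-TOKEN-PLACEHOLDER') }
        }
        'PTR 203.0.113.10' { [pscustomobject]@{ NameHost = 'host-10.isp.example' } }
    }
}

Test-HcwDnsPrereq -DomainTokens @{ 'contoso.example' = 'HCW-TOKEN-PLACEHOLDER' } `
    -SmtpIp '203.0.113.10' -CertName 'mail.contoso.example' -Lookup $stub | Format-Table -AutoSize
```

With the stub data the TXT and SPF checks pass and the PTR check fails, because the reverse record names the provider's host instead of the certificate name. Omit `-Lookup` to query real DNS.
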

If everything goes well and the Wizard does not encounter any difficulties, the following
window will show:

Easy, right? However, this is where most admins wonder what was changed in their
infrastructure and what to do to ensure that everything is in order.

Analyzing Hybrid Configuration Wizard logs (thorough analysis)

The Hybrid Configuration Wizard, after taking input from the administrator, performs a series of
activities divided into several workflows. Information on the execution of those tasks can be
viewed in the wizard’s log. The log is in the following location:

%AppData%\Roaming\Microsoft\Exchange Hybrid Configuration

In this location, there should be three files. The most important one is the txt file.

By analyzing the txt file, you can check every task performed by the Wizard. For example,
you can check whether the Wizard finished an activity successfully and how much time it spent on
it. Also, in most cases, you can learn which cmdlet was used to achieve it. The HCW
normally executes the following activities:

1. Validating On-premises and Online Exchange Connection.

Simply speaking, the Hybrid Configuration Wizard checks if it is possible to connect to both
servers with PowerShell. You can easily find the log entry which provides data on this activity
by searching for the following phrase:

Activity=OnPremises Connection Validation and Activity=Tenant Connection Validation

It will come in handy whenever the HCW is unable to connect with on-premises Exchange
or Exchange Online.

2. Collecting data about Exchange configuration from the on-premises Active Directory

At this point, the Wizard gathers information about the local domain. In order to do that,
the HCW executes a series of Get- cmdlets. You can check which cmdlets are used by
searching for this phrase:

Activity=OnPremises Connection Validation, Session=OnPremises, Cmdlet=


As you can see in the log, the HCW executed the Get-OrganizationConfig command and managed
to get one result, namely: “OrganizationConfig”.

3. Collecting information on the Exchange online (Office 365) configuration

This task repeats what has been done in the previous step, only for the Exchange online,
instead of the on-premises one. The results can be found by typing the following phrase in
the Find window:

Activity=Tenant Connection Validation, Session=Tenant, Cmdlet=

In the example, Get-AcceptedDomain returned three results. It means that in this Office 365
tenant there are three domains. Their exact names are present just below the found phrase.

4. Creating new Federation Trust and the required certificate in the local Exchange:

In the log file, it can be found using this phrase:

Activity=Enable Federation Trust

If the activity is finished successfully, a new certificate should appear on the on-premises
Exchange certificates’ list. The new certificate includes “Federation” in its Subject field. To
make sure the certificate is there, you can run the cmdlet Get-ExchangeCertificate. The results
will look like this:

5. Creating new Hybrid Configuration Object in the local Active Directory:

The newly created object can be viewed in a few ways:

CN=Hybrid Configuration,CN=Hybrid Configuration,CN=<organization’s_name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain>,DC=<domain>

• Through Exchange Management Shell:

Get-HybridConfiguration

• In the HCW logs, by going to the following phrase:

Functionality=RunWorkflow, Workflow=Hybrid

In the screenshot, you can also see when the wizard executed the command “New-HybridConfiguration”.

6. Changing settings of on-premises Exchange server:

• EmailAddressPolicy – adds address @tenant.mail.onmicrosoft.com
• Configures remote domains – adds tenant.mail.onmicrosoft.com and tenant.onmicrosoft.com
• Adds new accepted domain – adds tenant.mail.onmicrosoft.com

The data about those activities can be found between the following phrases:

[Functionality=RunWorkflow, Workflow=Hybrid, Task=Recipient] START


[Functionality=RunWorkflow, Workflow=Hybrid, Task=Recipient] FINISH

Changes can also be viewed with the following cmdlets:

Get-EmailAddressPolicy | FL Name,EnabledEmailAddressTemplates

Get-RemoteDomain

Get-AcceptedDomain

7. Configuring Organization Relationship between the local server and the cloud.

This configuration is not necessary in a minimal hybrid deployment. Thanks to the correct
configuration, it is possible to synchronize free/busy status of mailboxes’ elements between
the on-premises Exchange and Exchange Online. To find information on the task’s progress,
you can search for the following phrase:

Functionality=RunWorkflow, Workflow=Hybrid, Task=OrganizationRelationship

Set- and New- commands are executed on both servers to make synchronization possible.

To view all data about the Organization Relationship, use your PowerShell console:

Get-OrganizationRelationship

8. Setting connectors on both Exchange servers.

During this workflow, four connectors are set – one receive and one send connector for
each server. Those connectors guarantee the mail flow between the on-premises and
Exchange Online. Logs include information on this process under a phrase:

Functionality=RunWorkflow, Workflow=Hybrid, Task=MailFlow

The HCW also generates tables with information on receive and send connectors’ settings.
The tables provide a comparison between the current and expected configuration. The table
below presents settings of on-premises receive connector:

Another table compares actual and expected settings of send connector from on-premises
Exchange to tenant.mail.onmicrosoft.com.

Cmdlets used during this stage for on-premises Exchange are:

• New-SendConnector
• Set-ReceiveConnector

And for Exchange Online:

• New-OutboundConnector
• New-InboundConnector

To sum up, if you choose the “Centralized Mail Transport” option, the HCW should set up:

Two connectors in Exchange Online:

• Receive connector which identifies the organization by the name set in the TLS
certificate
• Send connector which reroutes all communication through a smart host (local
Exchange) that identifies itself with a certificate on port 25

Two connectors in on-premises Exchange:

• New send connector, which points to mail.onmicrosoft.com
• Default receive connector, which is not so much created as modified, so that it accepts TLS
connections.

9. Enabling MRS Proxy

MRS Proxy makes it possible to migrate mailboxes from and to Office 365. Usually, this step
is done before launching the Hybrid Configuration Wizard. However, if you didn’t do that
prior to launching the wizard, it will do it for you. You can see it doing this if you search the
logs for the phrase:

Functionality=RunWorkflow, Workflow=Hybrid, Task=MRSProxy

10. Configuring OAuth

To see how the OAuth authentication is configured, go to the phrase:

Functionality=RunWorkflow, Workflow=Hybrid, Task=IntraOrganization

A common error which occurs during this workflow is error HCW8064. It occurs whenever
there is a problem with accessing the EWS virtual directory from the Internet. You can easily
verify what seems to be the problem by using https://testconnectivity.microsoft.com/. On
the site, choose the test for synchronization, notification, availability and automatic replies. Note
that sometimes, despite the correct EWS configuration, the error still shows up. Then,
usually restarting your Exchange server and re-launching the Hybrid Configuration Wizard does
the trick.

If nothing else works, you can perform manual configuration. Microsoft provides
documentation on how to do it.
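
The search phrases listed in activities 1 to 10 can be applied to the whole log at once to answer what the wizard changed and whether every step finished. The following is an added example, not part of the original document or of the HCW; the function name is hypothetical, the timestamps and sample lines are constructed, and it assumes each entry carries a bracketed `Key=Value` list followed by START or FINISH, with the FINISH entry repeating the bracket of its START.

```powershell
# Added example. The timestamps and sample lines are constructed; only the
# "[Key=Value, ...] START|FINISH" shape and the key names come from the article.
function Get-HcwLogSummary {
    param([Parameter(Mandatory)] [string[]] $Line)
    $open    = @{}            # bracket text -> STARTs still waiting for a FINISH
    $cmdlets = [ordered]@{}   # "Session|Cmdlet" -> number of STARTs
    foreach ($l in $Line) {
        if (-not ($l -match '\[(?<kv>[^\]]+)\]\s+(?<state>START|FINISH)\b')) { continue }
        $kv, $state = $Matches.kv, $Matches.state
        $f = @{}              # "Key=Value, Key=Value" -> lookup table
        foreach ($pair in ($kv -split ',\s*')) {
            $k, $v = $pair -split '=', 2
            $f[$k.Trim()] = "$v".Trim()
        }
        if ($state -eq 'START') {
            $open[$kv] = 1 + [int]$open[$kv]
            if ($f.Cmdlet) {
                $id = '{0}|{1}' -f $f.Session, $f.Cmdlet
                $cmdlets[$id] = 1 + [int]$cmdlets[$id]
            }
        } elseif ($open[$kv]) {
            $open[$kv] = $open[$kv] - 1
        }
    }
    [pscustomobject]@{
        # Anything that is not a Get- cmdlet changed configuration and deserves review.
        Changes    = @($cmdlets.Keys | Where-Object { $_ -notmatch '\|Get-' })
        ReadOnly   = @($cmdlets.Keys | Where-Object { $_ -match '\|Get-' })
        # START without a matching FINISH: read the log lines that follow it.
        Unfinished = @($open.Keys | Where-Object { $open[$_] -gt 0 })
    }
}

$sample = @'
2024.01.01 10:00:00 [Activity=OnPremises Connection Validation, Session=OnPremises, Cmdlet=Get-OrganizationConfig] START
2024.01.01 10:00:01 [Activity=OnPremises Connection Validation, Session=OnPremises, Cmdlet=Get-OrganizationConfig] FINISH
2024.01.01 10:00:02 [Activity=Tenant Connection Validation, Session=Tenant, Cmdlet=Get-AcceptedDomain] START
2024.01.01 10:00:03 [Activity=Tenant Connection Validation, Session=Tenant, Cmdlet=Get-AcceptedDomain] FINISH
2024.01.01 10:01:00 [Functionality=RunWorkflow, Workflow=Hybrid, Task=MailFlow] START
2024.01.01 10:01:01 [Functionality=RunWorkflow, Workflow=Hybrid, Session=OnPremises, Cmdlet=New-SendConnector] START
2024.01.01 10:01:02 [Functionality=RunWorkflow, Workflow=Hybrid, Session=OnPremises, Cmdlet=New-SendConnector] FINISH
2024.01.01 10:01:03 [Functionality=RunWorkflow, Workflow=Hybrid, Session=Tenant, Cmdlet=New-InboundConnector] START
'@ -split '\r?\n'

Get-HcwLogSummary -Line $sample | Format-List
```

On the sample, `Changes` lists New-SendConnector and New-InboundConnector with their sessions, and `Unfinished` lists the MailFlow task and the New-InboundConnector call. For a real log, pass the output of `Get-Content` on the txt file as `-Line`.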
