
Migrating to Office 365 –

Step by Step
Volume 1

Dave Kawula - MVP


Cristal Kawula - MVP
Cary Sun – Cisco Champion (CCIE )
PUBLISHED BY

MVPDays Publishing
http://www.mvpdays.com

Copyright © 2018 by MVPDays Publishing

All rights reserved. No part of this book may be reproduced or transmitted in any form or by any
means without the prior written permission of the publisher.

ISBN: TBA

Warning and Disclaimer


Every effort has been made to make this manual as complete and as accurate as possible, but no
warranty or fitness is implied. The information provided is on an “as is” basis. The authors and
the publisher shall have neither liability nor responsibility to any person or entity with respect to
any loss or damages arising from the information contained in this book.

Feedback Information
We’d like to hear from you! If you have any comments about how we could improve the quality
of this book, please don’t hesitate to contact us by visiting www.checkyourlogs.net or sending an
email to feedback@mvpdays.com.
Acknowledgements
From Dave
Cristal, you are my rock and my source of inspiration. For the past 20+ years you have been
there with me every step of the way. Not only are you the “BEST Wife” in the world, you are my
partner in crime. Christian, Trinity, Keira, Serena, Mickaila and Mackenzie, you kids are so patient
with your dear old dad when he locks himself away in the office for yet another book. Taking the
time to watch you grow in life and sports, and become little leaders of this new world, is incredible.

Thank you, Mom and Dad (Frank and Audry) and my brother Joe. You got me started in this crazy
IT world when I was so young. Brother, you mentored me along the way, both coaching me in
hockey and helping me learn what you knew about PCs and servers. I’ll never forget us as
teenage kids working the IT support contract for the local municipal government. Remember,
Dad had to drive us to site because we weren’t old enough to drive ourselves yet. A great
career starts with the support of your family, and I’m so lucky because I have all the support one
could ever want.

A book like this, filled with amazing Canadian MVPs, would not be possible without the support
of the #1 Microsoft Community Program Manager, Simran Chaudry. You have guided us
along the path and helped us to get better at what we do every day. Your job is tireless, and
your passion and commitment make us want to do what we do even more.

Last but not least, the MVPDays volunteers: you have donated your time and expertise and
helped us run the event in over 20 cities across North America. Our latest journey has us
expanding the conference worldwide as a virtual conference. For those of you who will read this
book, your potential is limitless; just expand your horizons and you never know where life will take
you.

About the Authors


Dave Kawula - MVP
Dave is a Microsoft Most Valuable Professional (MVP) with over 20 years of experience in the IT
industry. His background includes data communications networks within multi-server
environments, and he has led architecture teams for virtualization, System Center, Exchange,
Active Directory, and Internet gateways. Very active within the Microsoft technical and
consulting teams, Dave has provided deep-dive technical knowledge and subject matter
expertise on various System Center and operating system topics.

Dave is well-known in the community as an evangelist for Microsoft, 1E, and Veeam
technologies. Locating Dave is easy as he speaks at several conferences and sessions each year,
including TechEd, Ignite, MVP Days Community Roadshow, and VeeamOn.

Recently Dave has been honored to take on the role of Conference Co-Chair of TechMentor with
fellow MVP Sami Laiho. The lineup of speakers and attendees that have been to this conference
over the past 20 years is really amazing. Come down to Redmond or Orlando in 2018 and you
can meet him in person.

As the founder and Managing Principal Consultant at TriCon Elite Consulting, Dave is a leading
technology expert for both local customers and large international enterprises, providing optimal
guidance and methodologies to achieve and maintain an efficient infrastructure.

BLOG: www.checkyourlogs.net

Twitter: @DaveKawula


Cristal Kawula – MVP


Cristal Kawula is the co-founder of the MVPDays Community Roadshow and the #MVPHour live Twitter
chat. She is the President of TriCon Elite Consulting, where she manages the day-to-day
operations of the field consulting and sales teams.

Cristal is also only the second woman in the world to receive the prestigious Veeam Vanguard
community excellence award. In July of 2017 she was awarded the designation of Microsoft
MVP.

Early in her career Cristal worked as a consultant with Microsoft, authoring content for the internal
SMSGR and GTR teams. This content was used to train internal support engineers and global
escalation engineering teams.

Cristal can be found speaking at Microsoft Ignite, MVPDays, and other local user groups. She is
extremely active in the community and has recently helped publish a book for other women
MVPs called Voices from the Data Platform.

BLOG: http://www.checkyourlogs.net

Twitter: @supercristal1


Cary Sun – CCIE #4531 (Cisco Champion)

Cary Sun is a Cisco Certified Internetwork Expert (CCIE No. 4531) and holds MCSE, MCITP and Citrix
CCA certifications, with over twenty years in the planning, design, and implementation of network
technologies, management and system integration. His background includes hands-on experience with
multi-platform environments, all LAN/WAN topologies, network administration, e-mail and Internet
systems, security products, and PC and server environments. He has expertise in analyzing users’
needs and coordinating system designs from concept through implementation; exceptional analysis,
organization, communication, and interpersonal skills; and a demonstrated ability to work
independently or as an integral part of a team to achieve objectives and goals. Specialties: CCIE /
CCNA / MCSE / MCITP / MCTS / MCSA / Solution Expert / CCA

Cary is a very active blogger at checkyourlogs.net and is always available online for questions
from the community. His passion for technology is contagious, and he makes everyone around
him better at what they do.

Blog: http://www.checkyourlogs.net

Twitter: @SifuSun

Contents

Acknowledgements ........................................................ iv
  From Dave .............................................................. iv

About the Authors ........................................................ v
  Dave Kawula - MVP ...................................................... v
  Cristal Kawula – MVP ................................................... vi
  Cary Sun – CCIE #4531 (Cisco Champion) ................................. vii

Contents ................................................................ ix

Introduction ............................................................ 13
  North American MVPDays Community Roadshow .............................. 13
  Sample Files ........................................................... 14
  Additional Resources ................................................... 14

Chapter 1 ............................................................... 16
  Environment Overview ................................................... 16
    Exchange Migration to Office 365 ..................................... 16
    Prerequisites ........................................................ 17
      On-premises Exchange organization .................................. 17
      On-premises Exchange releases ...................................... 18
      On-premises server roles ........................................... 18
      Office 365 ......................................................... 19
      Custom domains ..................................................... 19
      Active Directory synchronization ................................... 19
      Autodiscover DNS records ........................................... 19
      Office 365 organization in the Exchange admin center (EAC) ......... 19
      Certificates (If Active Directory Federation Services is being deployed) ... 20
      Hybrid deployment protocols, ports, and endpoints .................. 20
      On-premises Active Directory ....................................... 22
      Hybrid Identity Required Ports and Protocols ....................... 23

Chapter 2 ............................................................... 24
  Configure Azure AD (Office365) ......................................... 24
    Add and verify the on-premise domain in Azure AD (Office 365) ........ 24

Chapter 3 ............................................................... 31
  Configuring Hybrid Identity with Office 365 ............................ 31
    Add and verify the on-premise domain in Azure AD (Office 365) ........ 31
    Deployment Certificate (If Active Directory Federation Services is being deployed) ... 38
    Configure UPN suffix ................................................. 41
    Enable Active Directory Recycle Bin .................................. 42
    Deployment Azure AD Connect .......................................... 43
      Prerequisites ...................................................... 44
      Install Azure AD Connect with Express settings ..................... 45
      Install Azure AD Connect with Customized settings .................. 55
      Enable Password Change for ADFS .................................... 90
    Deploy Active Directory Federation Service (ADFS) .................... 94
      Install Active Directory Federation Services Server (if you install Azure AD Connect with Customized settings, this was being installed) ... 95
      Install the AD FS server role via Windows PowerShell ............... 96
      Configure External DNS A Record for ADFS ........................... 96
      Configure Internal DNS for ADFS .................................... 96
      Configure the first federation server in a new federation server farm (if you install Azure AD Connect with Customized settings, this was being configured) ... 98
      Verify Active Directory Federated Services (ADFS) .................. 104
      Federate your Domain with office 365 ............................... 105

Chapter 4 ............................................................... 110
  Configure Hybrid Services between on-premises Exchange 2016 (2013/2010) with Office 365 ... 110
    Install and Run Hybrid Configuration wizard with Hybrid Configuration (without ADFS) ... 111
    Install and Run Hybrid Configuration wizard with Minimal Hybrid Configuration (with ADFS) ... 130
    Install and Run Hybrid Configuration wizard with Full Hybrid Configuration (with ADFS) ... 140
    Verify Hybrid Configuration .......................................... 157
    Add Office 365 Forest to Exchange Management Console ................. 161
  Set up connectors to route mail between Office 365 and on-premises Exchange Server ... 163
    Create a connector from Office 365 to on-premises email server (it will be added automatically if you were using Full Hybrid configuration) ... 163
    Create a connector from on-premises email server to Office 365 (it will be added automatically if you were using Full Hybrid configuration) ... 177
    Configure on-premises email server send connector to Office 365 (it will be added automatically if you were using Full Hybrid configuration) ... 182
    Configure on-premises email server Receive Connector to relay email . 187
    Change MX record to redirect mail flow from the Internet to Office 365 ... 194
  Migration Mailboxes between on-premises exchange server with Office 365 ... 195
    Review and Enable the MRSProxy service ............................... 195
    Create a migration endpoint .......................................... 196
    Move on-premises mailboxes to Exchange Online ........................ 203
    Move Exchange Online mailboxes to the on-premises organization ....... 210

Chapter 5 ............................................................... 216
  Meet great MVPs like this in person .................................... 216
    Live Presentations ................................................... 216
    Video Training ....................................................... 216
    Live Instructor-led Classes .......................................... 216
    Consulting Services .................................................. 217
    Twitter .............................................................. 218

Introduction

North American MVPDays Community Roadshow

The purpose of this book is to showcase the amazing expertise of our guest speakers at the
North American MVPDays Community Roadshow. They have so much passion, expertise, and
expert knowledge that it only seemed fitting to write it down in a book.

MVPDays was founded by Cristal and Dave Kawula back in 2013. It started as a simple idea:
“There’s got to be a good way for Microsoft MVPs to reach the IT community and share their
vast knowledge and experience in a fun and engaging way.” I mean, what is the point in
recognizing these bright and inspiring individuals and not leveraging them to inspire the
community that they are a part of?

We often get asked the question “Who should attend MVPDays?”

Anyone that has an interest in technology, is eager to learn, and wants to meet other like-minded
individuals. This Roadshow is not just for Microsoft MVPs; it is for anyone in the IT
community.

Make sure you check out the MVPDays website at www.mvpdays.com. You never know, maybe
the roadshow will be coming to a city near you.

The goal of this particular book is to bring you real-world step-by-step guidance from our expert
MVP authors on migrating to Office 365 from an on-premises Exchange environment. It has
been written with the most current techniques possible to help with your migrations and
learning process.


Sample Files
All sample files for this book can be downloaded from www.checkyourlogs.net and
www.github.com/dkawula

Additional Resources
In addition to all tips and tricks provided in this book, you can find extra resources like articles
and video recordings on our blog http://www.checkyourlogs.net.

Chapter 1

Environment Overview

Exchange Migration to Office 365
This document serves as both a guideline and a redeployment document for the Exchange
migration performed at [Company]. The information within is primarily prescriptive,
but includes annotations of any issues encountered, as well as any issues that might arise
should the need to redeploy occur.

The process described mainly focuses on a typical transition of Exchange 2010 (2016) to an Office
365 environment, moving the CAS, HUB and MBX roles of the Exchange 2010 (2016) server to
Office 365. Additional role options, such as the Unified Messaging Server role and Edge
Transport role, are out of scope for this document.


Prerequisites

On-premises Exchange organization

On-premises environment   Exchange 2016-based    Exchange 2013-based    Exchange 2010-based
                          hybrid deployment      hybrid deployment      hybrid deployment

Exchange 2016             Supported              Not supported          Not supported
Exchange 2013             Supported              Supported              Not supported
Exchange 2010             Supported              Supported              Supported
Exchange 2007             Not supported          Supported              Supported

On-premises Exchange releases


Hybrid deployments require the latest cumulative update or update rollup available for the
version of Exchange you have installed in your on-premises organization. If you can't install the
latest cumulative update or update rollup, the immediately previous release is also supported.
Older cumulative updates or update rollups aren't supported.

On-premises server roles

On-premises environment   Requirement

Exchange 2010             At least one server with the Mailbox, Hub Transport, and Client Access
                          server roles installed. While it's possible to install the Mailbox, Hub
                          Transport, and Client Access roles on separate servers, we strongly
                          recommend that you install all of the roles on each server to provide
                          additional reliability and improved performance.

Exchange 2013             At least one server with the Mailbox and Client Access server roles
                          installed. While it's possible to install the Mailbox and Client Access
                          roles on separate servers, we strongly recommend that you install both
                          roles on each server to provide additional reliability and improved
                          performance.

Exchange 2016 and newer   At least one server that has the Mailbox server role installed.

Office 365
Hybrid deployments are supported in all Office 365 plans that support Azure Active Directory
synchronization. All Office 365 Enterprise, Government, Academic and Midsize plans support
hybrid deployments. Office 365 Business and Home plans don’t support hybrid deployments.

Custom domains
Register any custom domains you want to use in your hybrid deployment with Office 365. You
can do this by using the Office 365 Administrative portal, or by optionally configuring Active
Directory Federation Services (AD FS) in your on-premises organization.

Active Directory synchronization


Deploy the Azure Active Directory Connect tool to enable Active Directory synchronization with
your on-premises organization.

Autodiscover DNS records


Configure the Autodiscover public DNS records for your existing SMTP domains to point to an on-
premises Exchange 2010 (2013) Client Access server or Exchange 2016 server.

Office 365 organization in the Exchange admin center (EAC)


The Office 365 organization node is included by default in the on-premises EAC, but you must
connect the EAC to your Office 365 organization using your Office 365 administrator credentials
before you can use the Hybrid Configuration wizard. This also allows you to manage both the on-
premises and Exchange Online organizations from a single management console.

Certificates (If Active Directory Federation Services is being deployed)

Install and assign Exchange services to a valid digital certificate purchased from a trusted public
certificate authority (CA). Although self-signed certificates should be used for the on-premises
federation trust with the Microsoft Federation Gateway, self-signed certificates can’t be used for
Exchange services in a hybrid deployment. The Internet Information Services (IIS) instance on the
Exchange servers configured in the hybrid deployment must have a valid digital certificate
purchased from a trusted CA. Additionally, the EWS external URL and the Autodiscover endpoint
specified in your public DNS must be listed in the Subject Alternative Name (SAN) of the certificate.
All Exchange servers used for mail transport in the hybrid deployment must use the same
certificate (that is, one issued by the same CA and with the same subject).

Hybrid deployment protocols, ports, and endpoints


Hybrid deployment features and components require certain incoming protocols, ports and
connection endpoints to be accessible to Office 365 in order to work correctly. Before
configuring your hybrid deployment, verify that your on-premises network and security
configuration can support the features and components in the table below.
Transport protocol: TCP 25 (SMTP)
Upper level protocol: SMTP/TLS
Feature/Component: Mail flow between Office 365 and on-premises
On-premises endpoint: Exchange 2016 Mailbox/Edge; Exchange 2013 CAS/Edge; Exchange 2010 HUB/Edge
On-premises path: N/A
Authentication provider: N/A
Authorization method: Certificate-based

Transport protocol: TCP 443 (HTTPS)
Upper level protocol: Autodiscover
Feature/Component: Autodiscover
On-premises endpoint: Exchange 2016 Mailbox; Exchange 2013/2010 CAS
On-premises path: /autodiscover/autodiscover.svc/wssecurity; /autodiscover/autodiscover.svc
Authentication provider: Azure AD authentication system
Authorization method: WS-Security Authentication

Transport protocol: TCP 443 (HTTPS)
Upper level protocol: EWS
Feature/Component: Free/busy, MailTips, Message Tracking
On-premises endpoint: Exchange 2016 Mailbox; Exchange 2013/2010 CAS
On-premises path: /ews/exchange.asmx/wssecurity
Authentication provider: Azure AD authentication system
Authorization method: WS-Security Authentication

Transport protocol: TCP 443 (HTTPS)
Upper level protocol: EWS
Feature/Component: Multi-mailbox search
On-premises endpoint: Exchange 2016 Mailbox; Exchange 2013/2010 CAS
On-premises path: /ews/exchange.asmx/wssecurity; /autodiscover/autodiscover.svc/wssecurity; /autodiscover/autodiscover.svc
Authentication provider: Auth Server
Authorization method: WS-Security Authentication

Transport protocol: TCP 443 (HTTPS)
Upper level protocol: EWS
Feature/Component: Mailbox migrations
On-premises endpoint: Exchange 2016 Mailbox; Exchange 2013/2010 CAS
On-premises path: /ews/mrsproxy.svc
Authentication provider: Basic
Authorization method: Basic

Transport protocol: TCP 443 (HTTPS)
Upper level protocol: Autodiscover, EWS
Feature/Component: OAuth
On-premises endpoint: Exchange 2016 Mailbox; Exchange 2013/2010 CAS
On-premises path: /ews/exchange.asmx/wssecurity; /autodiscover/autodiscover.svc/wssecurity; /autodiscover/autodiscover.svc
Authentication provider: Auth Server
Authorization method: WS-Security Authentication

Transport protocol: TCP 443 (HTTPS)
Upper level protocol: N/A
Feature/Component: AD FS (included with Windows)
On-premises endpoint: Windows 2008/2012 Server
On-premises path: /adfs/*
Authentication provider: Azure AD authentication system
Authorization method: Varies per config.

On-premises Active Directory

- The AD schema version and forest functional level must be Windows Server 2003
  or later. The domain controllers can run any version as long as the schema and
  forest level requirements are met.

- If you plan to use the password writeback feature, then the domain controllers
  must be on Windows Server 2008 (with the latest SP) or later. If your DCs are on 2008
  (pre-R2), then you must also apply hotfix KB2386717.

- The domain controller used by Azure AD must be writable. It is not supported to
  use a RODC (read-only domain controller), and Azure AD Connect does not follow
  any write redirects.

- It is not supported to use on-premises forests/domains using SLDs (Single Label
  Domains).

- It is not supported to use on-premises forests/domains using "dotted" (name
  contains a period ".") NetBIOS names.

- It is recommended to enable the Active Directory Recycle Bin.

Hybrid Identity Required Ports and Protocols

Protocol            Ports             Description
HTTP                80 (TCP/UDP)      Used to download CRLs (Certificate Revocation Lists) to verify SSL certificates.
HTTPS               443 (TCP/UDP)     Used to synchronize with Azure AD.
Azure Service Bus   5671 (TCP/UDP)    Outbound
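The following PowerShell script is an added example, not part of the book. It probes the on-premises endpoints from the hybrid deployment table and the outbound ports from the Hybrid Identity table, and checks that the certificate presented on port 443 lists the EWS and Autodiscover names in its SAN, as the Certificates section requires. All host names are placeholders to replace with your own.

```powershell
# Added example (not from the book). Host names below are placeholders.
$OnPremHost   = 'mail.example.com'          # Exchange external name (placeholder)
$AutodiscHost = 'autodiscover.example.com'  # Autodiscover DNS name (placeholder)
$AdfsHost     = 'adfs.example.com'          # AD FS federation service name (placeholder)

# Returns the certificate a TLS endpoint presents. The callback accepts any certificate so the
# chain problem is reported by Test-HybridCertificate instead of aborting the handshake here.
function Get-TlsCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

# Checks a certificate against the hybrid requirements: trusted chain, not expired,
# and every required host name present in the Subject Alternative Name extension (OID 2.5.29.17).
function Test-HybridCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string[]]$RequiredNames)
    $sanExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
    $missing = $RequiredNames | Where-Object { $sanText -notmatch [regex]::Escape($_) }
    [pscustomobject]@{
        Subject      = $Cert.Subject
        Thumbprint   = $Cert.Thumbprint
        ChainTrusted = $Cert.Verify()
        Expired      = ($Cert.NotAfter -lt (Get-Date))
        MissingSANs  = @($missing)
    }
}

# Reports whether a TCP port is open and, for HTTPS paths, the status code the path answers with.
# A 401 is normal for authenticated endpoints such as /ews/mrsproxy.svc; a closed port is the problem.
function Test-HybridEndpoint {
    param([string]$HostName, [int]$Port, [string]$Path, [string]$Feature)
    $tcp = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue
    $status = 'n/a'
    if ($tcp.TcpTestSucceeded -and $Path) {
        try {
            $r = Invoke-WebRequest -Uri "https://$HostName$Path" -UseBasicParsing -TimeoutSec 15
            $status = $r.StatusCode
        } catch [System.Net.WebException] {
            $resp = $_.Exception.Response
            $status = if ($resp) { [int]$resp.StatusCode } else { $_.Exception.Status }
        }
    }
    [pscustomobject]@{ Feature = $Feature; Endpoint = "${HostName}:$Port$Path"; TcpOpen = $tcp.TcpTestSucceeded; HttpStatus = $status }
}

# Inbound endpoints Office 365 must reach, taken from the hybrid deployment table.
$inbound = @(
    @{ HostName = $OnPremHost;   Port = 25;  Path = '';                                         Feature = 'Mail flow (SMTP/TLS)' }
    @{ HostName = $AutodiscHost; Port = 443; Path = '/autodiscover/autodiscover.svc/wssecurity'; Feature = 'Autodiscover' }
    @{ HostName = $OnPremHost;   Port = 443; Path = '/ews/exchange.asmx/wssecurity';            Feature = 'Free/busy, MailTips, tracking' }
    @{ HostName = $OnPremHost;   Port = 443; Path = '/ews/mrsproxy.svc';                        Feature = 'Mailbox migrations' }
    @{ HostName = $AdfsHost;     Port = 443; Path = '/adfs/ls/';                                Feature = 'AD FS (one path under /adfs/*)' }
)
# Outbound ports the Azure AD Connect server needs, from the Hybrid Identity table.
# login.microsoftonline.com is the Azure AD sign-in endpoint; the CRL and Service Bus hosts are
# placeholders: take them from your certificates' CRL distribution points and your tenant.
$outbound = @(
    @{ HostName = 'crl.example-ca.invalid';      Port = 80;   Path = ''; Feature = 'CRL download (placeholder host)' }
    @{ HostName = 'login.microsoftonline.com';   Port = 443;  Path = ''; Feature = 'Azure AD sync' }
    @{ HostName = 'servicebus.example.invalid';  Port = 5671; Path = ''; Feature = 'Azure Service Bus (placeholder host)' }
)

$results = foreach ($e in $inbound + $outbound) { Test-HybridEndpoint @e }
$results | Format-Table -AutoSize

# SAN check: the certificate on the Exchange endpoint must carry both the EWS and Autodiscover names.
$cert = Get-TlsCertificate -HostName $OnPremHost
Test-HybridCertificate -Cert $cert -RequiredNames @($OnPremHost, $AutodiscHost) | Format-List
```

Run it from a machine outside the perimeter for the inbound rows and from the Azure AD Connect server for the outbound rows; a closed port or a name missing from MissingSANs is what to fix before running the Hybrid Configuration wizard.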

Chapter 2

Configure Azure AD (Office365)

Add and verify the on-premise domain in Azure AD (Office 365)
We need to connect the on-premise domain with Office 365.

1. Log in to the Office 365 tenant and then click Admin.

2. On the Home page, click Add a domain.

3. Enter the on-premise domain name under Enter a domain you own, and click Next.

4. On the Verify domain page, select Add a TXT record instead (if your domain was
not registered with GoDaddy), and click Next.

5. Add the TXT record to your DNS hosting and then click Verify.

6. Select I’ll add the DNS records myself, and click Next.

7. Add all records to your DNS hosting and then click Verify.

8. Make sure all settings are correct and click Finish.
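Verification in step 5 fails when the TXT record has not reached every authoritative name server yet. The PowerShell below is an added example, not from the book: it asks each authoritative server for the domain whether it already serves the expected token, and reports where autodiscover currently points so it can be compared with the on-premises Exchange name after step 7. The domain and token values are placeholders.

```powershell
# Added example (not from the book). The domain and token values are placeholders.
$Domain        = 'example.com'      # the domain being added (placeholder)
$ExpectedToken = 'MS=ms00000000'    # the TXT value shown on the Verify domain page (placeholder)

# Resolves the TXT records for a name on one specific server; returns an empty array on failure.
function Get-TxtStrings {
    param([string]$Name, [string]$Server)
    try {
        $recs = Resolve-DnsName -Name $Name -Type TXT -Server $Server -DnsOnly -ErrorAction Stop
        @($recs | Where-Object { $_.Type -eq 'TXT' } | ForEach-Object { ($_.Strings -join '') })
    } catch { @() }
}

# Asks each authoritative NS for the zone whether it serves the expected token.
# Returns one object per name server so a partially propagated zone stands out.
function Test-DomainVerificationRecord {
    param([string]$Domain, [string]$Token)
    $ns = Resolve-DnsName -Name $Domain -Type NS -DnsOnly -ErrorAction Stop |
          Where-Object { $_.Type -eq 'NS' } | Select-Object -ExpandProperty NameHost
    foreach ($server in $ns) {
        $txt = Get-TxtStrings -Name $Domain -Server $server
        [pscustomobject]@{
            NameServer = $server
            TokenFound = ($txt -contains $Token)
            TxtRecords = ($txt -join ' | ')
        }
    }
}

# Reports where autodiscover.<domain> points (CNAME target or A record address), or $null if absent.
function Get-AutodiscoverTarget {
    param([string]$Domain)
    $recs  = Resolve-DnsName -Name "autodiscover.$Domain" -DnsOnly -ErrorAction SilentlyContinue
    $cname = $recs | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if ($cname) { return $cname.NameHost }
    $a = $recs | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    if ($a) { return $a.IPAddress }
    return $null
}

$report = Test-DomainVerificationRecord -Domain $Domain -Token $ExpectedToken
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.TokenFound }) {
    Write-Warning 'Token is not yet served by every authoritative name server; wait before clicking Verify.'
}
"autodiscover.$Domain -> $(Get-AutodiscoverTarget -Domain $Domain)"
```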

Chapter 3

Configuring Hybrid Identity with Office 365

Add and verify the on-premise domain in Azure AD (Office 365)

The on-premise domain must already be added and verified in Azure AD (Office 365). The procedure is
the same as in Chapter 2; complete it first if you have not already done so.

Deployment Certificate (If Active Directory Federation Services is being deployed)

We need a certificate for AD FS to configure DirSync and Single Sign-On.

1. Log on to the AD FS server.

2. In the Windows Start menu, type Internet Information Services (IIS) Manager and
open it.

3. In the Connections menu tree (left pane), locate and click the server name.

4. On the server name Home page (center pane), in the IIS section, double-click Server
Certificates.

5. On the Server Certificates page (center pane), in the Actions menu (right pane), click
the Create Certificate Request… link.

6. In the Request Certificate wizard, on the Distinguished Name Properties page, provide
the information and then click Next.

7. On the Cryptographic Service Provider Properties page, provide the information below
and then click Next.

Cryptographic service provider - In the drop-down list, select Microsoft RSA SChannel...,
unless you have a specific cryptographic provider.

Bit length - In the drop-down list, select 2048 (or higher).

8. On the File Name page, under Specify a file name for the certificate request, click the
… box to browse to a location where you want to save your CSR and then click Finish.

9. Use a text editor (such as Notepad) to open the file. Then copy the text,
including the -----BEGIN NEW CERTIFICATE REQUEST----- and -----END
NEW CERTIFICATE REQUEST----- tags, and paste it into the third-party
certificate provider’s order form.

10. After you receive your SSL certificate from the third-party provider, you can install it.

11. Import the certificate you purchased from the third party onto the AD FS server
virtual machine.

12. Click Complete Certificate Request in the Actions panel.

13. Browse to your certificate and enter a Friendly name. Select the Personal store.

14. Verify the certificate you just installed.

15. On the Start menu click Run and then type mmc.

16. Click File, select Add/Remove Snap-in.

17. Click Certificates and then select Add.

18. Select Computer Account and then click Next.

19. Select Local Computer and then click Finish.

20. Click the + to expand the Certificates (Local Computer) console tree and look for the
Personal folder. Expand the Certificates folder.

21. Right-click the certificate you want to back up, select All Tasks and then click
Export.

22. Choose Yes, export the private key and include all certificates in the certification path if
possible.

23. Leave the default settings, enter a password when prompted (the exported file contains the
private key, so use a strong one), and then click Finish.

24. Import the exported certificate to all virtual machines which are required to connect to
Microsoft Office 365.

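Before exporting the certificate in steps 21 to 23 it is worth confirming that what landed in the Personal store is what the section asks for. The PowerShell below is an added example, not from the book: it locates the certificate by the federation service name, checks for a private key, a 2048-bit or larger key, a publicly trusted chain and remaining validity, and then exports it to a password-protected PFX. The federation service name and export path are placeholders.

```powershell
# Added example (not from the book). The service name and export path are placeholders.
$FederationServiceName = 'adfs.example.com'        # AD FS service name (placeholder)
$PfxPath               = 'C:\Temp\adfs-cert.pfx'   # export location (placeholder)

# Finds certificates in the Local Computer Personal store whose SAN or subject carries the
# federation service name, so the right one is chosen even if several are installed.
function Find-AdfsCertificate {
    param([string]$DnsName)
    $pattern = [regex]::Escape($DnsName)
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $san = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        ($san -and $san.Format($true) -match $pattern) -or ($_.Subject -match $pattern)
    }
}

# Applies the checks the section relies on: private key present (step 13 completed the request),
# RSA key of at least 2048 bits (step 7), not self-signed, chain trusted, and not about to expire.
function Test-AdfsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $keySize  = $Cert.PublicKey.Key.KeySize
    $problems = @()
    if (-not $Cert.HasPrivateKey)        { $problems += 'no private key (certificate request not completed)' }
    if ($keySize -lt 2048)               { $problems += "key is $keySize bits, need 2048 or more" }
    if ($Cert.Subject -eq $Cert.Issuer)  { $problems += 'self-signed; a certificate from a public CA is required' }
    if (-not $Cert.Verify())             { $problems += 'chain does not validate on this machine' }
    if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) { $problems += "expires $($Cert.NotAfter.ToShortDateString())" }
    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        NotAfter   = $Cert.NotAfter
        Ok         = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Exports the certificate with its private key and chain to a password-protected PFX (steps 21-23).
# The password is read interactively so it never sits in the script or in the shell history.
function Export-AdfsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Path)
    $pfxPassword = Read-Host -Prompt 'PFX password (protects the private key)' -AsSecureString
    Export-PfxCertificate -Cert $Cert -FilePath $Path -Password $pfxPassword -ChainOption BuildChain | Out-Null
    Get-Item $Path
}

$cert = Find-AdfsCertificate -DnsName $FederationServiceName | Select-Object -First 1
if (-not $cert) { throw "No certificate for $FederationServiceName found in Cert:\LocalMachine\My" }
$check = Test-AdfsCertificate -Cert $cert
$check | Format-List
if ($check.Ok) {
    Export-AdfsCertificate -Cert $cert -Path $PfxPath
    # On the other servers (step 24): Import-PfxCertificate -FilePath <pfx> -CertStoreLocation Cert:\LocalMachine\My
}
```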

Configure UPN suffix

You need to configure a UPN suffix if the internal domain name doesn’t match the domain to
federate with Office 365. Membership in Domain Admins or Enterprise Admins, or equivalent, is
the minimum required to complete this procedure.

1. Log on to a domain controller.

2. From the Start menu, click Administrative Tools, and then click Active Directory
Domains and Trusts.

3. In the console tree, right-click Active Directory Domains and Trusts, and then click
Properties.

4. On the UPN Suffixes tab, in the Alternative UPN suffixes field, type the domain name
that matches the external domain used to federate with Office 365, and then click Add.

5. Click OK and close the Active Directory Domains and Trusts window.

Note
A custom UPN suffix must match the external name space. The new UPN suffix must
be assigned to the users before they authenticate with the federated domain.

6. From the Start menu, click Administrative Tools, and then click Active Directory Users
and Computers.

7. Select the users, right-click the selection and choose Properties.

8. Tick UPN suffix, select the external domain name and click OK.

9. Check a user’s Properties: the User logon name field is now set with the UPN suffix
just configured.


Enable Active Directory Recycle Bin

1. Log on to a domain controller.

2. Open the Active Directory Administrative Center.

3. Right-click your domain.

4. Select Enable Recycle Bin….

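The UPN suffix procedure and the Recycle Bin section above can be scripted for a large directory, with a pre-flight report of the accounts whose UPN suffix is not the routable one. The PowerShell below is an added example, not from the book; it assumes the Active Directory module (RSAT) is installed, and the external suffix and search base are placeholders.

```powershell
# Added example (not from the book). Domain names and the search base are placeholders.
Import-Module ActiveDirectory
$ExternalSuffix = 'example.com'               # routable domain federated with Office 365 (placeholder)
$SearchBase     = 'OU=Users,DC=corp,DC=local' # where the accounts to fix live (placeholder)

# Adds the alternative UPN suffix to the forest if it is not already registered (steps 3-5).
function Add-ForestUpnSuffix {
    param([string]$Suffix)
    $forest = Get-ADForest
    if ($forest.UPNSuffixes -notcontains $Suffix) {
        Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $Suffix }
    }
    (Get-ADForest).UPNSuffixes -contains $Suffix
}

# Lists enabled users whose UPN suffix is not the external one: these accounts would not match
# their Office 365 sign-in name after synchronization.
function Get-UsersWithWrongUpn {
    param([string]$Suffix, [string]$SearchBase)
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties UserPrincipalName |
        Where-Object { $_.UserPrincipalName -notlike "*@$Suffix" }
}

# Rewrites the UPN suffix (steps 6-8), keeping the left-hand part. Supports -WhatIf for a preview
# and refuses to create a UPN that another account already holds.
function Set-UserUpnSuffix {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param($User, [string]$Suffix)
    $prefix = if ($User.UserPrincipalName) { $User.UserPrincipalName.Split('@')[0] } else { $User.SamAccountName }
    $newUpn = "$prefix@$Suffix"
    $clash = Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'" |
             Where-Object { $_.DistinguishedName -ne $User.DistinguishedName }
    if ($clash) {
        Write-Warning "$newUpn is already used by $($clash.DistinguishedName); skipping $($User.SamAccountName)"
        return
    }
    if ($PSCmdlet.ShouldProcess($User.DistinguishedName, "Set UPN to $newUpn")) {
        Set-ADUser -Identity $User -UserPrincipalName $newUpn
    }
}

# Enables the AD Recycle Bin for the forest. Enabling it cannot be undone, so it prompts first.
function Enable-ForestRecycleBin {
    $feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
    if ($feature.EnabledScopes.Count -eq 0) {
        Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
            -Target (Get-ADForest).RootDomain -Confirm
    }
    (Get-ADOptionalFeature -Identity 'Recycle Bin Feature').EnabledScopes.Count -gt 0
}

Add-ForestUpnSuffix -Suffix $ExternalSuffix
$todo = Get-UsersWithWrongUpn -Suffix $ExternalSuffix -SearchBase $SearchBase
"{0} account(s) need the new UPN suffix" -f @($todo).Count
$todo | ForEach-Object { Set-UserUpnSuffix -User $_ -Suffix $ExternalSuffix -WhatIf }   # drop -WhatIf to apply
Enable-ForestRecycleBin
```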

Deploy Azure AD Connect

If you need a tool to connect your on-premises directory with Azure AD and Office
365, Azure AD Connect is the best way to do it. Azure AD Connect offers two
installation types for a new installation: Express and Customized.

Note
Do not use Windows Azure Active Directory Sync (DirSync) or Azure AD Sync, as these
tools are now deprecated and will reach end of support on April 13, 2017.


Prerequisites
 It must be installed on Windows Server Standard or better.

 Only a full GUI installation is supported.

 Azure AD Connect must be installed on Windows Server 2008 or later. This server
may be a domain controller or a member server when using express settings. If
you use custom settings, then the server can also be stand-alone and does not
have to be joined to a domain.

 If you plan to use the password synchronization feature, the Azure AD
Connect server must be on Windows Server 2008 R2 SP1 or later.

 If you plan to use a group managed service account, then the Azure AD Connect
server must be on Windows Server 2012 or later.

 Disable PowerShell Transcription Group Policy.

 .NET Framework 4.5.1 or later and Microsoft PowerShell 3.0 or later must be installed.

 If Active Directory Federation Services is being deployed, the servers where AD FS
or Web Application Proxy are installed must be Windows Server 2012 R2 or later.
Windows Remote Management must be enabled on these servers for remote
installation.

 You need SSL certificates if Active Directory Federation Services is being deployed.

 An Azure AD Global Administrator account for the Azure AD tenant you wish to
integrate with. This account must be a school or organization account and cannot
be a Microsoft account.

 Create an A record for the AD FS federation service name in both internal and external DNS.

 Check https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-ports
for the ports to open if you have firewalls on your intranet.


Note
Please review the latest prerequisites before installing:
https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites
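A pre-flight check for the prerequisites listed above, as an added example that is not part of the book. It assumes login.microsoftonline.com stands in for the full endpoint list in Microsoft's ports document, and reads the OS, .NET, PowerShell and transcription-policy state from the places Windows records them.

```powershell
# Added example, not from the book: run in an elevated PowerShell on the server
# that will host Azure AD Connect. Each entry maps to one bullet of the list above.
function Test-AadConnectPrereqs {
    $r = [ordered]@{}

    # Windows Server 2008 R2 SP1 is NT 6.1; password synchronization needs at least that.
    $os = Get-CimInstance Win32_OperatingSystem
    $r['Windows Server 2008 R2 SP1 or later'] = [version]$os.Version -ge [version]'6.1'

    # Full GUI only: a Server Core install reports InstallationType "Server Core".
    $nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $r['Full GUI installation'] = $nt.InstallationType -eq 'Server'

    $r['PowerShell 3.0 or later'] = $PSVersionTable.PSVersion -ge [version]'3.0'

    # .NET 4.5.1 or later: the Release DWORD is 378675 for 4.5.1 and higher for later builds.
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    $r['.NET Framework 4.5.1 or later'] = [int]$ndp.Release -ge 378675

    # Installation is not supported while PowerShell transcription is forced on by policy.
    $tr = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' -ErrorAction SilentlyContinue
    $r['PowerShell transcription policy not enforced'] = (-not $tr) -or ([int]$tr.EnableTranscripting -ne 1)

    # Outbound HTTPS to Azure AD; intranet firewalls and proxies must allow it.
    # Assumption: one representative endpoint, not the whole list from the ports document.
    $tnc = Test-NetConnection login.microsoftonline.com -Port 443 -WarningAction SilentlyContinue
    $r['HTTPS to login.microsoftonline.com'] = $tnc.TcpTestSucceeded

    [pscustomobject]$r
}

Test-AadConnectPrereqs | Format-List
```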

Install Azure AD Connect with Express settings


If you have a single-forest AD and users sign in with the same password using password
synchronization, this is the recommended option to use.

Azure AD Connect Express Settings is used when you have a single-forest topology and password
synchronization for authentication.

Before you start installing Azure AD Connect, make sure to download Azure AD Connect and
complete the prerequisite steps in Azure AD Connect: Hardware and prerequisites.

1. Sign in as a local Administrator to the Azure AD Connect server.

2. Navigate to and double-click AzureADConnect.msi.

3. On the Security Warning page, click Run.


4. On the Welcome screen, select the box agreeing to the licensing terms and click
Continue.


5. On the Express settings screen, click Use express settings.


6. On the Enter your Azure AD credentials page, enter the username and password of a
global administrator for your Azure AD. Click Next.


7. On the Enter the Active Directory Services enterprise administrator credentials page,
enter the username and password for an enterprise admin account. You can enter the
domain part in either NetBIOS or FQDN format. Click Next.


Note
The Azure AD sign-in configuration page only shows if you did not
finish verifying your domains in the prerequisites.
If you see this page, review every domain marked Not Added or Not
Verified. Make sure the domains you use have been verified in Azure AD.
Click the Refresh symbol when you have verified your domains.


8. On the Ready to configure screen, click Install.


Note
If you have Exchange in your on-premises Active Directory, then you also
have an option to enable Exchange Hybrid deployment. Enable this option
if you plan to have Exchange mailboxes both in the cloud and on-premises
at the same time.

9. When the installation completes, click Exit.

10. After the installation has completed, sign off and sign in again before you use
Synchronization Service Manager or Synchronization Rule Editor.


Install Azure AD Connect with Customized settings

If you have multiple forests, or you need to customize your sign-in options or
synchronization features, this is the recommended option to use.

1. If your internal domain is not a routable domain, you need to select Customize
to configure user sign-in.

2. On the Install required components page, tick Use an existing service account,
type the service account name and password, and click Install.


Note
By default Azure AD Connect uses a virtual service account for the
synchronization services. If you use a remote SQL Server or a proxy that
requires authentication, you need to use a managed service account or a
service account in the domain whose password you know. In those cases,
enter the account to use. Make sure the user running the installation is a
sysadmin (SA) in SQL Server so that a login for the service account can be created.


3. On the User sign-in page, select Pass-through authentication as the sign-on method,
so users can sign in to Office 365 with the same password as on the on-premises
network. Also select Enable single sign-on, and then click Next.

4. On the Connect to Azure AD page, enter a global admin account and password, then click Next.


Note
Use an account in the default onmicrosoft.com domain; an error occurs if you
use an account from the federated domain.

5. On the Connect your directories page, select the local domain and click Add Directory.


6. The AD forest account page pops up. Select Create new account, enter the service
account name and password, click OK and then click Next.


7. On the Azure AD sign-in configuration page, make sure the UPN domains present in
on-premises AD DS have been verified in Azure AD, then click Next.


8. On the Domain and OU filtering page, click Sync selected domains and OUs.

9. Select the OUs you want to synchronize to Azure AD, then click Next.


10. Click Next on the Uniquely identifying your users page.


11. Click Next on the Filter users and devices page.


12. On the Optional features page, select optional features if required, then click Next.


13. On the Enable single sign-on page, click Enter credentials.


14. Enter the domain admin service account credentials, click OK and then click Next.


15. Select Start the synchronization process when configuration completes on the Ready
to Configure page, click Install.


16. Click Next on the Configuration complete page and then click Exit.


17. To allow Azure AD to accept Kerberos tickets you need to configure a client
GPO that publishes these two URLs to the Internet Explorer zone settings:

https://autologon.microsoftazuread-sso.com

https://aadg.windows.net.nsatc.net

18. Open Group Policy Management Editor, go to User Configuration > Policies >
Administrative Templates > Windows Components > Internet Explorer > Internet
Control Panel, click Security Page, and then double-click Site to Zone Assignment List.


19. On the Site to Zone Assignment List page, click Enabled and then click Show…


20. Add the two URLs listed above and click OK.


21. Link this GPO to your domain.
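A check to run on a domain-joined client after the GPO is linked, as an added example that is not part of the book: it reads the zone map the policy writes and reports whether each Seamless SSO URL landed in the Local intranet zone. It assumes the GPO was built under User Configuration (values under HKCU); a Computer Configuration GPO writes the same values under HKLM.

```powershell
# Added example, not from the book. Assumption: User Configuration GPO, so the
# Site to Zone Assignment List lands under HKCU; use HKLM for a machine policy.
$SsoUrls = @(
    'https://autologon.microsoftazuread-sso.com'
    'https://aadg.windows.net.nsatc.net'
)
$ZoneNames = @{ '1' = 'Local intranet'; '2' = 'Trusted sites'; '3' = 'Internet'; '4' = 'Restricted sites' }

function Test-SeamlessSsoZone {
    param(
        [string]$ZoneMapPath = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    )
    # The policy stores one value per URL; the data is the zone number as a string.
    $map = Get-ItemProperty -Path $ZoneMapPath -ErrorAction SilentlyContinue
    foreach ($url in $SsoUrls) {
        $zone = if ($map) { $map.$url } else { $null }
        [pscustomobject]@{
            Url  = $url
            Zone = if ($zone) { $ZoneNames[[string]$zone] } else { 'not assigned by policy' }
            # Seamless SSO needs the URLs in the Local intranet zone (value 1) so the
            # browser sends the Kerberos ticket without prompting the user.
            Ok   = ([string]$zone -eq '1')
        }
    }
}

gpupdate /target:user /force | Out-Null   # pull the GPO before checking
Test-SeamlessSsoZone | Format-Table -AutoSize
```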


You may need the following additional configuration steps if you selected AD FS.

22. On the AD FS farm page, click Use a certificate installed on the federation servers
(optional; only if Active Directory Federation Services is being deployed).


23. The Select Federation Server page pops up; enter the AD FS server name in the Search field.

24. Select AD FS server and click OK.


25. Select CERTIFICATE and select SUBJECT NAME.


26. Enter the AD FS server name in SUBJECT NAME PREFIX, click Next.


27. On the AD FS Servers page, enter AD FS Server name in the SERVER field, click Add.


28. Click Next after server connectivity has been verified.

29. On the Web Application Proxy servers page, enter WAP Server name in the SERVER
field, click Add.


30. Click Next after server connectivity has been verified.

31. Enter the local domain administrator user name and password on the Domain
Administrator credentials page, click Next.


32. Enter AD FS service account user name and password on the AD FS service account
page.


33. On the Azure AD Domain page, select the federation domain name, click Next.


34. Select Start the synchronization process when configuration completes on the Ready
to Configure page, click Install.


Note
If the error Unable to create the synchronization service account for
Azure Active Directory appears, check your firewall settings, make sure the
application control function is not enabled, and then click Retry.

35. Click Next on Configuration complete page.


36. On the Verify federation configuration page, select I have created DNS A records that
allow clients to resolve……was configured, then click Verify.


37. Click Exit after the intranet configuration was successfully verified.


Enable Password Change for ADFS

If you use AD FS or DirSync with password sync as your identity model, it will not allow you to change your
password in the cloud. You will receive. But you can configure the change password functionality on the
AD FS server to solve the issue.

The change password functionality is disabled in AD FS by default; follow the steps below to enable it.

1. Log on to the AD FS server.

2. Open AD FS Management as administrator.

3. Expand Service and select Endpoints.

4. Right-click /adfs/portal/updatepassword and click Enable.


5. A warning message pops up saying "This action requires a restart of the AD FS
Windows Service"; click OK.

6. Right-click /adfs/portal/updatepassword again and then click Enable on Proxy.


7. A warning message pops up saying "This action requires a restart of the AD FS
Windows Service on federation server and all federation server proxies"; click OK.

8. Restart Active Directory Federation Services.


9. Once this functionality is enabled, users can access the change password page via
https://adfsFQDN/adfs/portal/updatepassword/.
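The same procedure done with the AD FS PowerShell cmdlets instead of the console, as an added example that is not part of the book. It assumes it runs elevated on the primary federation server; the endpoint path is the one the console shows.

```powershell
# Added example, not from the book. Run elevated on the primary AD FS server.
$Path = '/adfs/portal/updatepassword/'

# Steps 3-4: find the endpoint; it exists on AD FS for Windows Server 2012 R2 and later.
$ep = Get-AdfsEndpoint | Where-Object { $_.AddressPath -eq $Path }
if (-not $ep) { throw "Endpoint $Path not found on this farm" }

# Step 4: enable it on the farm.
if (-not $ep.Enabled) { Enable-AdfsEndpoint -TargetAddressPath $Path }

# Step 6: publish it through the Web Application Proxy. Note what this means:
# the change-password form becomes reachable from the internet, so keep lockout
# policies and the WAP in place rather than exposing the farm directly.
if (-not $ep.Proxy) { Set-AdfsEndpoint -TargetAddressPath $Path -Proxy $true }

# Steps 5/7/8: endpoint changes only take effect after the service restarts, on
# every federation server and every proxy.
Restart-Service adfssrv

# Confirm, and show the URL users will use (step 9).
Get-AdfsEndpoint | Where-Object { $_.AddressPath -eq $Path } |
    Select-Object AddressPath, Enabled, Proxy, FullUrl
```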


Deploy Active Directory Federation Service (ADFS)

The main purpose of Active Directory Federation Services is to let Office 365 services verify
users against your on-premises AD through the federation service host, and so achieve Single
Sign-On with Office 365.


Install Active Directory Federation Services Server (if you installed
Azure AD Connect with Customized settings, this has already been
installed)

Depending on your environment, you may set up a single server or a load-balanced configuration
with multiple servers.

1. Log on to the AD FS server.

2. Open Server Manager. To open Server Manager, click Server Manager in the taskbar on
the desktop.

3. In the Quick Start tab of the Welcome tile on the Dashboard page, click Add roles and
features. Alternatively, you can click Add Roles and Features on the Manage menu.

4. On the Before you begin page, click Next.

5. On the Select installation type page, click Role-based or Feature-based installation,
and then click Next.

6. On the Select destination server page, click Select a server from the server pool, verify
that the target computer is selected, and then click Next.

7. On the Select server roles page, click Active Directory Federation Services, and then
click Next.

8. On the Select features page, click Next. The required prerequisites are preselected for
you. You do not have to select any other features.

9. On the Active Directory Federation Service (AD FS) page, click Next.

10. After you verify the information on the Confirm installation selections page, click
Install.

11. On the Installation progress page, verify that everything installed correctly, and then
click Close.


Install the AD FS server role via Windows PowerShell

1. On the computer that you want to configure as a federation server, open the Windows
PowerShell command window, and then run the following command:
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

Configure External DNS A Record for ADFS

To resolve the ADFS name adfs.domain.com from outside the network, an A record must be created in the
public DNS that points to the public IP of the ADFS server.

Configure Internal DNS for ADFS

You need to configure internal DNS as follows if the internal domain name doesn't match the
domain to federate with Office 365.

1. Log on to a domain controller.

2. Open the DNS Manager, right click the Forward Lookup Zones item and select New
Zone option.

3. The New Zone Wizard opens. Click Next.

4. Select the Primary zone option and tick Store the zone in Active Directory. Click Next.

5. Select option To all DNS servers running on domain controllers in this domain:
domain.local then click Next.

6. Type the zone name, the same name assigned to the ADFS service, and click Next.

7. Select Allow only secure dynamic updates and click Next.

8. Click Finish to create the new zone.

9. Right-click the newly created zone adfs.domain.com and select New Host (A or AAAA).


10. Leave the Name blank and type the IP address of the ADFS server previously
configured.

11. Don't enable Create associated pointer (PTR) record. Click Add Host when done.

12. Click OK to close the confirmation window.
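The internal zone and apex record above created with the DnsServer module, as an added example that is not part of the book. It assumes the zone name adfs.domain.com and an internal AD FS address of 10.0.0.10, and it finishes with the resolution check a practitioner wants before testing sign-in.

```powershell
# Added example, not from the book. Run elevated on a domain controller that
# is also a DNS server. Assumed values are marked.
Import-Module DnsServer
$AdfsName = 'adfs.domain.com'   # assumed federation service FQDN (= zone name)
$AdfsIp   = '10.0.0.10'          # assumed internal IP of the AD FS server or VIP

# Steps 2-8: AD-integrated primary zone, replicated to all DCs in the domain,
# secure dynamic updates only, so an unauthenticated host cannot rewrite the
# record that every client trusts for sign-in.
if (-not (Get-DnsServerZone -Name $AdfsName -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $AdfsName -ReplicationScope Domain -DynamicUpdate Secure
}

# Steps 9-11: a blank-name (zone apex) A record, without a PTR.
$existing = Get-DnsServerResourceRecord -ZoneName $AdfsName -Name '@' -RRType A -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordA -ZoneName $AdfsName -Name '@' -IPv4Address $AdfsIp -CreatePtr:$false
}

# Verification: inside the network the name must resolve to the internal IP,
# not to the public IP advertised by the external A record.
$answer = Resolve-DnsName -Name $AdfsName -Type A -ErrorAction Stop
if ($answer.IPAddress -contains $AdfsIp) {
    "OK: $AdfsName resolves internally to $AdfsIp"
} else {
    Write-Warning "$AdfsName resolves to $($answer.IPAddress -join ', '); expected $AdfsIp"
}
```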


Configure the first federation server in a new federation server
farm (if you installed Azure AD Connect with Customized settings,
this has already been configured)

1. Log on to the AD FS server.

2. On the Server Manager Dashboard page, click the Notifications flag, and then click
Configure the federation service on the server.

3. On the Welcome page, select Create the first federation server in a federation server
farm, and then click Next.


4. On the Connect to AD DS page, specify an account with domain administrator
permissions for the Active Directory (AD) domain to which this computer is joined, and
then click Next.

5. On the Specify Service Properties page, select the certificate you imported.

6. Select the Federation Service Name you assigned for the external FQDN.

7. Provide a display name for your federation service in Federation Service Display
Name and then click Next.

8. On the Specify Service Account page, specify a service account. You can either create
or use an existing group Managed Service Account (gMSA) or use an existing domain
user account. If you select the option to create a new gMSA account, specify a name
for the new account. If you select the option to use an existing gMSA or domain
account, click Select to select an account and then click Next.

If you receive the warning message shown in the picture, the KDS Root
Key has not been set yet. This is part of the Group Managed Service Accounts
feature introduced in Windows Server 2012.


Note
The benefit of using a gMSA account is its auto-negotiated password update feature.

If you want to use a gMSA account, you must have at least one domain controller in
your environment that is running the Windows Server 2012 operating system.

If the gMSA option is disabled, and you see an error message, such as Group Managed
Service Accounts are not available because the KDS Root Key has not been set, you
can enable gMSA in your domain by running the following Windows PowerShell
command on a domain controller, which runs Windows Server 2012 or later, in your
Active Directory domain: Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10).
Then return to the wizard, click Previous, and then click Next to re-enter the Specify
Service Account page. The gMSA option should now be enabled. You can select it and
enter a gMSA account name that you want to use.

9. On the Specify Configuration Database page, specify an AD FS configuration database,
and then click Next. You can either create a database on this computer by using
Windows Internal Database (WID), or you can specify the location and the instance
name of Microsoft SQL Server.


Note

If you want to create an AD FS farm and use SQL Server to store your configuration data, you
can use SQL Server 2008 and newer versions, including SQL Server 2012 and SQL Server 2014.

10. On the Review Options page, verify your configuration selections, and then click Next.

11. On the Pre-requisite Checks page, verify that all prerequisite checks are successfully
completed, and then click Configure.


12. On the Results page, review the results and check whether the configuration is
completed successfully, and then click Next steps required for completing your
federation service deployment.

13. Wait until the installation is complete and open AD FS Management to review
information.
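The role install, KDS root key, gMSA and first-farm-server configuration above, scripted end to end, as an added example that is not the book's own code. The federation service name, display name, NetBIOS domain, DC name and gMSA name are assumptions, and a certificate for the service name is assumed to be in the computer store already.

```powershell
# Added example, not from the book. Run elevated on the future federation server
# as a domain admin. Assumed values are marked; replace them for your environment.
$FederationServiceName = 'adfs.domain.com'      # assumed external FQDN
$DisplayName           = 'Contoso Corporation'  # assumed sign-in page display name
$NetbiosDomain         = 'CORP'                 # assumed NetBIOS domain name
$Dc                    = 'dc01.corp.local'      # assumed DC on Windows Server 2012+
$GmsaName              = 'svc-adfs'             # assumed gMSA name (no trailing $)

# Role install, the same command as in the PowerShell section above.
Install-WindowsFeature ADFS-Federation -IncludeManagementTools

# KDS root key and gMSA are created on a DC. The book's -10 hours trick makes the
# key usable at once, which is fine for a lab or single-DC forest; with several DCs
# use Add-KdsRootKey -EffectiveImmediately and wait the 10 hours for replication.
Invoke-Command -ComputerName $Dc -ScriptBlock {
    param($Name, $DnsHostName, $AdfsComputer)
    Import-Module ActiveDirectory
    if (-not (Get-KdsRootKey)) {
        Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
    }
    if (-not (Get-ADServiceAccount -Filter "Name -eq '$Name'")) {
        # Only the AD FS server itself may retrieve the managed password.
        New-ADServiceAccount -Name $Name -DNSHostName $DnsHostName `
            -PrincipalsAllowedToRetrieveManagedPassword $AdfsComputer
    }
} -ArgumentList $GmsaName, $FederationServiceName, "$env:COMPUTERNAME$"

# Pick the service certificate by subject; refuse an expired one or one without
# its private key (the export earlier must have included the key).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$FederationServiceName*" -and
                   $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate for $FederationServiceName in LocalMachine\My" }

# First server of a new farm on the Windows Internal Database, running as the gMSA.
$farm = @{
    CertificateThumbprint         = $cert.Thumbprint
    FederationServiceName         = $FederationServiceName
    FederationServiceDisplayName  = $DisplayName
    GroupServiceAccountIdentifier = '{0}\{1}$' -f $NetbiosDomain, $GmsaName
    Credential                    = Get-Credential -Message 'Domain Admin for Connect to AD DS'
}
Test-AdfsFarmInstallation @farm   # same checks as the wizard's Pre-requisite Checks page
Install-AdfsFarm @farm

# Equivalent of opening AD FS Management afterwards (step 13).
Get-AdfsProperties | Select-Object HostName, DisplayName
```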


Verify Active Directory Federation Services (ADFS)

1. To verify whether you have successfully published AD FS through the WAP, open the URL
https://adfs.domain.com/adfs/ls/idpinitiatedsignon on a computer that has an Internet
connection.

2. Sign in with an account from your Active Directory.

3. If you have completed the steps above without any error, when you open an
Office 365 site you will be redirected to the federation URL by the federation trust.


Federate your Domain with Office 365

1. Log on to the ADFS server.

2. Download the Azure Active Directory Module for Windows PowerShell.

3. Run AdministrationConfig-en.msi.

4. When the installation wizard opens, click Next to begin the installation.


5. Accept the EULA then click Next.

6. Use default Install location and click Next.

7. On Ready to Install page, click Next.

8. When the installation has completed successfully, click Finish to exit the Setup.


9. Right-click Windows Azure Active Directory Module for Windows PowerShell icon on
the desktop and select Run as administrator.

10. To connect to Office 365, use the cmdlet:

PS C:\Windows\system32> Connect-MsolService

11. Enter the Office 365 Admin credentials then click OK.


12. Use the cmdlet to check the domain status and make sure it's Verified.

PS C:\Windows\system32> Get-MsolDomain

13. Use the cmdlet to federate a single domain.

PS C:\Windows\system32> Convert-MsolDomainToFederated -DomainName domain.com

Note

To use the same ADFS servers to federate other domains in the same tenant, use the
command:

PS C:\> Convert-MsolDomainToFederated -DomainName domain.com -SupportMultipleDomains:$true


14. Use the cmdlet to make sure the domain Authentication has changed to Federated.

PS C:\Windows\system32> Get-MsolDomain
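Steps 10 to 14 as one script with the checks a practitioner wants around Convert-MsolDomainToFederated, as an added example that is not part of the book. It assumes the domain is domain.com and that it runs in the Azure Active Directory Module on the primary AD FS server, which is what lets the cmdlet read the farm's token-signing certificate.

```powershell
# Added example, not from the book. Run in the Azure Active Directory Module for
# Windows PowerShell on the primary AD FS server. Assumed values are marked.
Import-Module MSOnline
$Domain          = 'domain.com'   # assumed domain already added to the tenant
$MultipleDomains = $false         # $true if this farm will federate further domains

# Steps 10-11: sign in as a Global Administrator. Use an admin in the default
# onmicrosoft.com domain, as the book advises, so the sign-in itself does not
# depend on the federation you are about to change.
Connect-MsolService

# Step 12: never federate a domain that Office 365 has not verified.
$d = Get-MsolDomain -DomainName $Domain
if ($d.Status -ne 'Verified')          { throw "$Domain is $($d.Status); verify it first" }
if ($d.Authentication -eq 'Federated') { "$Domain is already federated"; return }

# Step 13: switch the domain from Managed to Federated.
Convert-MsolDomainToFederated -DomainName $Domain -SupportMultipleDomains:$MultipleDomains

# Step 14: confirm, and record what Azure AD now trusts.
$d = Get-MsolDomain -DomainName $Domain
if ($d.Authentication -ne 'Federated') { throw "$Domain is still $($d.Authentication)" }

$fed = Get-MsolDomainFederationSettings -DomainName $Domain
$fed | Select-Object IssuerUri, PassiveLogOnUri, ActiveLogOnUri, MetadataExchangeUri

# The signing certificate is the root of this trust: anyone holding its key can
# mint tokens for every user in the domain. Keep its thumbprint so an unexpected
# change (a rogue re-federation, for example) is detectable later.
$signing = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$signing.Import([Convert]::FromBase64String($fed.SigningCertificate))
"Token-signing certificate trusted by Azure AD: $($signing.Thumbprint), expires $($signing.NotAfter)"
```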


Chapter 4

Configure Hybrid Services between on-premises Exchange 2016 (2013/2010) with
Office 365

The Hybrid Configuration wizard helps you establish your hybrid deployment by creating the
HybridConfiguration object in your on-premises Active Directory and gathering existing Exchange
and Active Directory topology configuration data. The Hybrid Configuration wizard also enables
you to define and configure several organization parameters for your hybrid deployment,
including secure mail transport options.

Note

A version of the Hybrid Configuration wizard was included in the Exchange
Management Console (EMC) in Exchange 2010 SP3. However, a newer version of the Hybrid
Configuration wizard is available for download. Be sure to use the Hybrid Configuration wizard
available from the download link provided in the steps below. Don't use the wizard that's
included in the EMC.


Install and Run Hybrid Configuration wizard with Hybrid
Configuration (without ADFS)

1. Log on to the Office 365 portal with an administrator account and open the Exchange Admin
Center.

2. Select hybrid and then click configure under An Exchange hybrid allows you to
connect and manage both your on-premises and Exchange Online organizations.


3. Click Open when prompted Do you want to open
Microsoft.Online.CSE.Hybrid.Client.application from
mshrcstorageprod.blob.core.windows.net.


4. Click Install to install Microsoft Office 365 Hybrid Configuration Wizard and then
click Run.

5. On the Security Warning page, click Run.


6. On the Hybrid Configuration Wizard page, click Next.


7. The wizard will attempt to detect an on-premises Exchange 2016 server (or 2013
or 2010 SP3 Client Access server). If the wizard doesn't detect an Exchange 2016
(or 2013 or 2010 SP3 server), or if you want to use a different server, select
Specify a server running Exchange 2010, Exchange 2013 or Exchange 2016 and
then specify the internal FQDN of an Exchange 2016 (2013 or 2010 SP3 Client
Access server).


8. In the Office 365 Exchange Online section, select Office 365 Worldwide and then
click Next.

9. On the Credentials page, in the Enter your on-premises account credentials
section, select Use current Windows credentials to have the wizard use the
account you're logged into to access your on-premises Active Directory and
Exchange 2016 (or 2013 or 2010 SP3) servers. If you want to specify a different set
of credentials, unselect Use current Windows credentials and specify the
username and password of the Active Directory account you want to use. Whichever
selection you choose, the account used needs to be a member of the Enterprise
Admins security group.

10. Click Sign in… under Office 365 Exchange Online Account.

11. In the Sign in credentials section, specify the username and password of an Office
365 account that has Global Administrator permissions. Click Next.


12. On the Office 365 Hybrid Configuration page, click Next.


13. On the Gathering Configuration Information page, the wizard will connect to both
your on-premises organization and your Office 365 organization to validate
credentials and examine the current configuration of both organizations. Click
Next when it's done.


Note

If the error message shown below appears, make sure application control is
disabled on your firewall devices.

14. On the Hybrid Configuration page, select Configure my Client Access and Mailbox
servers for secure mail transport (typical).

15. Select Enable centralized mail transport and then click Next.


16. On the Receive Connector Configuration page select the Exchange 2016 server and
then click Next.

17. After creating the TXT record, select I have created a TXT record for each token in DNS
and then click Verify domain ownership.


18. On Send Connector Configuration page, select Exchange 2016 server, click Next.


19. On the Transport Certificate page, select the right certificate (public SSL
certificate) and click Next.


20. Enter the Exchange organization FQDN on the Organization FQDN page, and then
click Next.


21. On the Ready for Update page, select Yes, upgrade the current configuration and
then click Update.


22. On the Configurations page, click Close.


23. Open the Exchange admin center and make sure the connectors have been created.
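A post-wizard check from the on-premises Exchange Management Shell, as an added example that is not part of the book: it confirms the domain-ownership TXT record (step 17), the HybridConfiguration object, and that the connectors from step 23 enforce validated TLS towards Office 365. The accepted domain, the tenant routing domain and the TXT token value are assumptions or placeholders.

```powershell
# Added example, not from the book. Run in the on-premises Exchange Management
# Shell after the wizard finishes. Assumed/placeholder values are marked.
$Domain = 'domain.com'                     # assumed accepted domain
$Tenant = 'contoso.mail.onmicrosoft.com'   # assumed tenant routing domain
$Token  = 'MS=placeholder-token'           # placeholder: copy it from the Domain Ownership page

# Step 17: the proof-of-ownership TXT record must be visible in public DNS before Verify.
$txt = Resolve-DnsName -Name $Domain -Type TXT -DnsOnly -ErrorAction SilentlyContinue
"TXT token published: $([bool]($txt | Where-Object { $_.Strings -contains $Token }))"

# The wizard records its result in the HybridConfiguration object in on-premises AD.
Get-HybridConfiguration | Select-Object Domains, Features, OnPremisesSmartHost, TlsCertificateName

# Step 23, outbound: the send connector to Office 365 must require TLS and validate
# the remote certificate by domain, not accept any certificate that is offered.
$out = Get-SendConnector | Where-Object { $_.AddressSpaces -match $Tenant }
$out | Select-Object Name, Enabled, RequireTLS, TlsAuthLevel, TlsDomain, CloudServicesMailEnabled
if (-not $out) {
    Write-Warning "No send connector with address space $Tenant; the wizard did not finish."
} elseif ($out | Where-Object { -not $_.RequireTLS -or $_.TlsAuthLevel -ne 'DomainValidation' }) {
    Write-Warning 'Send connector to Office 365 does not enforce validated TLS; re-run the wizard.'
}

# Step 23, inbound: the receive connector that accepts Office 365 mail carries the
# TLS domain capability the wizard adds for mail.protection.outlook.com.
Get-ReceiveConnector |
    Where-Object { $_.TlsDomainCapabilities -match 'mail.protection.outlook.com' } |
    Select-Object Identity, RequireTLS, TlsDomainCapabilities
```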


Install and Run Hybrid Configuration wizard with Minimal Hybrid
Configuration (with ADFS)

The Minimal Hybrid Configuration only configures the bare essentials to support a
hybrid configuration with Office 365. It lets you perform just migration and
administration in a hybrid deployment; the following features are not configured:
 Secure cross-premises mail flow
 Cross-premises Free/Busy, eDiscovery or Archiving
 OWA redirection for migrated users

1. Log on to the Office 365 portal with an administrator account and open the Exchange Admin
Center.

2. Select hybrid and then click Enable.


3. Click Install to install Microsoft Office 365 Hybrid Configuration Wizard and then
click Run.

4. On the Hybrid Configuration Wizard page, click Next.


5. The wizard will attempt to detect an on-premises Exchange 2010 SP3 Client Access
server. If the wizard doesn't detect an Exchange 2010 SP3 server, or if you want to
use a different server, select Specify a server running Exchange 2010, Exchange
2013 or Exchange 2016 and then specify the internal FQDN of an Exchange 2010
SP3 Client Access server.


6. In the Office 365 Exchange Online section, select Office 365 Worldwide and then
click Next.

7. On the Credentials page, in the Enter your on-premises account credentials
section, select Use current Windows credentials to have the wizard use the
account you're logged into to access your on-premises Active Directory and
Exchange 2010 SP3 servers. If you want to specify a different set of credentials,
unselect Use current Windows credentials and specify the username and
password of the Active Directory account you want to use. Whichever selection you
choose, the account used needs to be a member of the Enterprise Admins security
group.


8. In the Enter your Office 365 credentials section, specify the username and
password of an Office 365 account that has Global Administrator permissions.
Click Next.


9. On the Validating Connections and Credentials page, the wizard will connect to
both your on-premises organization and your Office 365 organization to validate
credentials and examine the current configuration of both organizations. Click
Next when it's done.


Note

If the error message shown below appears, make sure application control is
disabled on your firewall devices.

10. On the Hybrid Feature page, select Minimal Hybrid Configuration (Recommended), click
Next.


11. On the Ready for Update page, click Update.


12. The Congratulations page appears when the configuration update completes; click Close.


Install and Run Hybrid Configuration wizard with Full Hybrid
Configuration (with ADFS)

1. Log on to the Office 365 portal with an administrator account and open the Exchange Admin
Center.

2. Select hybrid and then click Enable.


3. Click Install to install Microsoft Office 365 Hybrid Configuration Wizard and then
click Run.

4. On the Hybrid Configuration Wizard page, click Next.


5. The wizard will attempt to detect an on-premises Exchange 2010 SP3 Client Access
server. If the wizard doesn't detect an Exchange 2010 SP3 server, or if you want to
use a different server, select Specify a server running Exchange 2010, Exchange
2013 or Exchange 2016 and then specify the internal FQDN of an Exchange 2010
SP3 Client Access server.


6. In the Office 365 Exchange Online section, select Office 365 Worldwide and then
click Next.

7. On the Credentials page, in the Enter your on-premises account credentials
section, select Use current Windows credentials to have the wizard use the
account you're logged into to access your on-premises Active Directory and
Exchange 2010 SP3 servers. If you want to specify a different set of credentials,
unselect Use current Windows credentials and specify the username and
password of the Active Directory account you want to use. Whichever selection you
choose, the account used needs to be a member of the Enterprise Admins security
group.

8. In the Enter your Office 365 credentials section, enter the username and password of an Office 365 account that has Global Administrator permissions, and click Next.

9. On the Validating Connections and Credentials page, the wizard will connect to
both your on-premises organization and your Office 365 organization to validate
credentials and examine the current configuration of both organizations. Click
Next when it's done.

10. On the Hybrid Features page, select Full Hybrid Configuration and click Next.

11. On the Federation Trust page, click Enable. The federation trust with the Microsoft Federation Gateway is what allows calendar free/busy information to be shared between the on-premises and Exchange Online organizations in a hybrid environment.

12. On the Domain Ownership page, copy the token for each domain and create a TXT record containing it in the domain's public DNS zone.

13. Select I have created a TXT record for each token in DNS, and then click verify domain ownership.

14. After the verification completes, click Next.

15. On the Hybrid Configuration page, select Enable centralized mail transport only if you need all outbound Internet mail from Exchange Online mailboxes to be routed through the on-premises organization (for example, because an on-premises compliance or DLP gateway must see it); otherwise leave it clear. Click Next.

16. On the Hub Transport Server Configuration page, select the on-premises Hub Transport server(s) that will handle mail flow with Exchange Online (in a single-server deployment this is the same server as the Client Access server), and click Next.

17. On the Public IP Addresses page, enter the public IP addresses of the transport servers, and click Next.

18. On the Transport Certificate page, select the certificate that will secure mail flow between the two organizations. It must be issued by a public certification authority and be installed on the transport servers with the SMTP service assigned. Click Next.

19. On the Organization FQDN page, enter the external FQDN of the on-premises organization (the host name that Exchange Online will connect to, which must be covered by the transport certificate), and click Next.

20. On the Ready for Update page, click Update.

21. The Congratulations page appears when the configuration update has completed. Click Close.

Verify Hybrid Configuration

To further verify that you have successfully created and configured your hybrid deployment, check the objects the wizard created on the on-premises server.

1. Log on to the on-premises Exchange server.

2. Open the Exchange Management Console.

3. Select Organization Configuration and then click Hybrid Configuration; you will see the hybrid configuration object that the wizard created.

4. Select Organization Configuration and then click Hub Transport; the Office 365 tenant domain that the wizard added (<tenant>.mail.onmicrosoft.com) appears under Remote Domains.

5. Click Accepted Domains; the Office 365 tenant domain appears there as well.

6. Select Recipient Configuration, click Mailbox and open any mailbox; on the E-Mail Addresses tab you will see the new SMTP proxy address in the <tenant>.mail.onmicrosoft.com domain that the wizard's e-mail address policy added. The on-premises organization uses this address to route mail to the mailbox once it has been moved to Exchange Online.
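The same checks run from the Exchange Management Shell instead of the console, as an added example that is not part of the book. It assumes a placeholder coexistence domain of contoso.mail.onmicrosoft.com; replace it with your own <tenant>.mail.onmicrosoft.com. It also reports any mailbox that the address policy has not yet stamped, which is the usual cause of mail to a freshly moved mailbox bouncing on-premises.

```powershell
# Added example, not from the book: verify from the on-premises Exchange 2010
# Management Shell that the Hybrid Configuration Wizard created what it should.
# Assumption: the tenant coexistence domain is contoso.mail.onmicrosoft.com
# (a placeholder; replace it with your own <tenant>.mail.onmicrosoft.com).

$CoexistenceDomain = 'contoso.mail.onmicrosoft.com'

# 1. The hybrid configuration object and the features the wizard turned on.
Get-HybridConfiguration | Format-List

# 2. The federation trust with the Microsoft Federation Gateway and the
#    organization relationship that carries free/busy to Exchange Online.
Get-FederationTrust | Format-List Name, ApplicationUri, TokenIssuerUri
Get-OrganizationRelationship |
    Format-List Name, DomainNames, FreeBusyAccessEnabled, TargetApplicationUri

# 3. The coexistence domain must exist both as an accepted domain (so the
#    address policy can stamp it) and as a remote domain (for routing).
$accepted = Get-AcceptedDomain | Where-Object { "$($_.DomainName)" -eq $CoexistenceDomain }
$remote   = Get-RemoteDomain   | Where-Object { "$($_.DomainName)" -eq $CoexistenceDomain }
if (-not $accepted) { Write-Warning "Accepted domain $CoexistenceDomain is missing" }
if (-not $remote)   { Write-Warning "Remote domain $CoexistenceDomain is missing" }

# 4. Every mailbox needs a secondary smtp:<alias>@<coexistence domain> address
#    before it is moved; the on-premises organization routes to the moved
#    mailbox with it. List the ones the address policy has not stamped.
$missing = Get-Mailbox -ResultSize Unlimited | Where-Object {
    @($_.EmailAddresses | Where-Object { "$_" -like "smtp:*@$CoexistenceDomain" }).Count -eq 0
}
if ($missing) {
    Write-Warning ("{0} mailbox(es) lack a {1} address; check the e-mail address policy" -f @($missing).Count, $CoexistenceDomain)
    $missing | Select-Object Name, PrimarySmtpAddress
} else {
    Write-Host "All mailboxes carry a $CoexistenceDomain proxy address."
}

# 5. The connectors the wizard created for mail flow with Exchange Online,
#    including the TLS settings that protect that mail flow.
Get-SendConnector | Where-Object { "$($_.AddressSpaces)" -like "*$CoexistenceDomain*" } |
    Format-List Name, AddressSpaces, RequireTLS, TlsAuthLevel, TlsDomain, SmartHosts
Get-ReceiveConnector | Where-Object { $_.Name -like '*Office 365*' } |
    Format-List Identity, RemoteIPRanges, AuthMechanism, PermissionGroups
```

Run it before the first migration batch: a missing accepted or remote domain, or mailboxes without the coexistence address, are worth fixing while everything is still on-premises.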

Add Office 365 Forest to Exchange Management Console

1. Log on to the on-premises Exchange server.

2. Open the Exchange Management Console.

3. In the console tree, click the Microsoft Exchange node.

4. In the action pane, click Add Exchange Forest.

5. Enter a name in the Specify a friendly name for this Exchange forest field.

6. Select Exchange Online under Specify FQDN or URL of the server running the Remote PowerShell instance, and click OK.

7. Enter the username and password of an Office 365 tenant Global Administrator, and click OK.

8. The Office 365 forest appears in the Exchange Management Console.

Set up connectors to route mail between Office 365 and the on-premises Exchange Server

Create a connector from Office 365 to the on-premises email server (it is added automatically if you used the Full Hybrid configuration)

1. Log on to the Office 365 portal with an administrator account and open the Exchange Admin Center.

2. Select mail flow and click connectors.

3. Click + to start the wizard.

4. On the Select your mail flow scenario page, select Office 365 under From: and Your organization's email server under To:, then click Next.

5. On New connector page, enter the name for your connector, click Next.

6. On When do you want to use this connector? page, select For email messages
sent to all accepted domains in your organization, click Next.

7. On How do you want to route email messages? page, click +.

8. In the add smart host dialog, type the external FQDN of the on-premises Exchange CAS server, click Save, and then click Next.

9. On the How should Office 365 connect to your email server? page, keep the recommended defaults (always use TLS, and connect only if the server certificate is issued by a trusted certification authority), and click Next.

10. Review the settings and click Next.

11. On validate this connector page, click + .

12. On the add email page, type the address of a test mailbox on the on-premises server, and then click OK.

13. On validate this connector page, click Validate.

14. Click Close after test is done.

15. Log in to the test mailbox; you will see the test e-mail that the connector validation sent.

16. On the Validation Result page, make sure task status is Succeeded, and then click
Save.

Create a connector from the on-premises email server to Office 365 (it is added automatically if you used the Full Hybrid configuration)

1. Log on to the Office 365 portal with an administrator account and open the Exchange Admin Center.

2. Select mail flow and click connectors.

3. Click + to start the wizard.

4. On the Select your mail flow scenario page, select Your organization's email server under From: and Office 365 under To:, then click Next.

5. On New connector page, enter the name for your connector, click Next.

6. On the How should Office 365 identify email from your email server? page, select By verifying that the subject name on the certificate that the sending server uses to authenticate with Office 365 matches this domain name (recommended), enter the name that appears in the subject of the on-premises transport certificate (for example, the external FQDN of the CAS server), and click Next.

7. Review the settings and click Save.

Configure the on-premises email server send connector to Office 365 (it is added automatically if you used the Full Hybrid configuration)

1. Log on to the on-premises Exchange server.

2. Open the Exchange Management Console.

3. In the console tree, expand Organization Configuration, select Hub Transport, and
then in the work pane, click the Send Connectors tab.

4. In the action pane, click New Send Connector. The New SMTP Send Connector
wizard starts.

5. On the Introduction page, type a name in the Name field, select Internet in the Select the intended use for this connector field, and click Next.

6. On the Address space page, click Add....

7. Make sure Type is SMTP, and type your tenant's coexistence domain, <tenant>.mail.onmicrosoft.com, in the Address space field.

8. Make sure Cost is 1, click OK, and then click Next.

9. On the Network settings page, select Route mail through the following smart hosts. If you do not use a smart host, keep the default (Use domain name system (DNS) "MX" records to route mail automatically), skip steps 10 to 12, and click Next.

10. Click Add..., and select Fully qualified domain name (FQDN).

11. Type the smart host name, click OK, and then click Next.

12. On the Configure smart host authentication settings page, click Next.

13. On the Source Server page, make sure every Hub Transport server has been added, and then click Next.

14. On the New Connector page, click New.

15. Click Finish on the Completion page.

Note

If mail flow to Office 365 hosted users is slow when the send connector points to a smart host on Exchange, open the Exchange Management Shell and run the following command:

Set-SendConnector -Identity 'Outbound to Office365' -RequireTLS $false -TlsAuthLevel $null -TlsDomain $null -ErrorPolicies Default

Be aware of what this changes: the connector no longer requires TLS and no longer validates the Exchange Online certificate against its domain name, so it will fall back to clear-text delivery if TLS negotiation fails. Treat it as a troubleshooting step, and restore -RequireTLS $true with -TlsAuthLevel DomainValidation and -TlsDomain mail.protection.outlook.com once the smart host problem is resolved.

Configure the on-premises email server Receive connector to relay email

By default, Exchange 2010 does not allow anonymous SMTP relay, so a dedicated Receive connector is needed to accept mail from Office 365. It is restricted to the Exchange Online Protection source IP ranges, which is the only thing that makes the anonymous relay permission granted at the end of this procedure safe.

1. Log on to the on-premises Exchange server.

2. Open the Exchange Management Console.

3. In the console tree, expand Server Configuration, select Hub Transport, and then
in the work pane, click the Receive Connectors tab.

4. In the action pane, click New Receive Connector. The New Receive Connector
wizard starts.

5. On the Introduction page, type name in the Name field and then select Custom in
the Select the intended use for this connector field, click Next.

6. On the Local Network settings page, click Next.

7. On the Remote Network settings page, select the existing 0.0.0.0 - 255.255.255.255 entry and click the remove (X) button. Leaving this entry in place would open the connector to every source address on the Internet.

8. Click Add and add all of the Exchange Online Protection IP ranges below, then click Next. These are the ranges published when this chapter was written; Microsoft changes them, so check the current Office 365 IP address list before relying on this table.

Americas                   EMEA                       APAC
23.103.148.0/22            23.103.132.0/22            23.103.136.0/21
23.103.156.0/22            23.103.144.0/22            23.103.152.0/22
23.103.198.0/24            40.92.0.0/18               40.92.128.0/17
23.103.200.0/22            40.93.0.0/18               40.93.128.0/17
23.103.212.0/22            40.94.0.0/18               40.94.128.0/17
40.92.64.0/18              40.95.0.0/18               40.95.128.0/17
40.93.64.0/18              40.107.0.0/18              40.107.128.0/18
40.94.64.0/18              52.100.0.0/18              52.100.128.0/17
40.95.64.0/18              52.101.0.0/18              52.101.128.0/17
40.107.64.0/18             52.102.0.0/18              52.102.128.0/17
52.100.64.0/18             52.103.0.0/18              52.103.128.0/17
52.101.64.0/18             94.245.120.64/27           65.55.88.0/24
52.102.64.0/18             104.47.0.0/19              104.47.64.0/18
52.103.64.0/18             157.55.234.0/24            134.170.132.0/24
65.55.169.0/24             157.56.112.0/24            134.170.140.0/24
157.56.110.0/23            213.199.154.0/24
207.46.100.0/24            213.199.180.128/26
207.46.163.0/24            207.46.51.64/26
216.32.180.0/23            2a01:111:f400:7e00::/58    2a01:111:f400:7e80::/57
2a01:111:f400:7d00::/57
2a01:111:f400:7e40::/58

9. On the New Connector page, review the configuration summary for the
connector, click New.

10. On the Completion page, click Finish.

11. In the work pane, select the Receive connector that you created.

12. Under the name of the Receive connector in the action pane, click Properties to
open the Properties page.

13. Click the Authentication tab, select Transport Layer Security (TLS).

14. Click the Permission Groups tab, select Anonymous users.

15. Click OK to save your changes and exit the Properties page.

16. Open the Exchange Management Shell and run the following command. It lets anonymous senders on this connector relay to recipients outside your accepted domains, which is required when Office 365 routes mail through the on-premises server:

Get-ReceiveConnector "Inbound from Office 365" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

This permission is why the remote IP restriction in steps 7 and 8 is essential: a connector that allows anonymous users, accepts any source address and grants Ms-Exch-SMTP-Accept-Any-Recipient is an open relay.
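The send connector and the Receive connector from the two procedures above, created from the Exchange Management Shell with the TLS settings the Hybrid Configuration Wizard applies, followed by an audit of every Receive connector for the open-relay combination described above. This is an added example and not the book's own code. The coexistence domain contoso.mail.onmicrosoft.com, the Hub Transport server name EX01 and the short list of EOP ranges are placeholders; in production, use your tenant's domain and Microsoft's current published IP list.

```powershell
# Added example, not from the book: create the send and receive connectors
# from the Exchange 2010 Management Shell with the settings the Hybrid
# Configuration Wizard applies, then audit all Receive connectors for
# open-relay conditions. Assumptions (placeholders): coexistence domain
# contoso.mail.onmicrosoft.com, Hub Transport server EX01, and a small
# subset of the EOP ranges listed above; use Microsoft's current list.

$Tenant    = 'contoso.mail.onmicrosoft.com'
$HubServer = 'EX01'
$EopRanges = @('23.103.148.0/22', '40.92.64.0/18', '52.100.0.0/18', '2a01:111:f400:7e00::/58')

# --- Send connector: on-premises -> Exchange Online ---------------------
# TLS is mandatory and the remote certificate must be valid for
# mail.protection.outlook.com, so a device intercepting port 25 cannot pose
# as Office 365 and read the traffic.
New-SendConnector -Name 'Outbound to Office 365' -Usage Internet `
    -AddressSpaces "SMTP:$Tenant;1" -DNSRoutingEnabled $true `
    -SourceTransportServers $HubServer `
    -RequireTLS $true -TlsAuthLevel DomainValidation -TlsDomain 'mail.protection.outlook.com'

# --- Receive connector: Exchange Online Protection -> on-premises --------
# Anonymous access is acceptable only because RemoteIPRanges is limited to
# EOP; the default 0.0.0.0-255.255.255.255 entry is deliberately absent.
New-ReceiveConnector -Name 'Inbound from Office 365' -Usage Custom -Server $HubServer `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $EopRanges `
    -AuthMechanism Tls -PermissionGroups AnonymousUsers

# Allow relay to non-accepted domains on that connector (needed for
# centralized mail transport). This right is what turns an unrestricted
# anonymous connector into an open relay.
Get-ReceiveConnector "$HubServer\Inbound from Office 365" |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'Ms-Exch-SMTP-Accept-Any-Recipient'

# --- Audit: flag any connector that is anonymous, open to every source
#     address, and granted Accept-Any-Recipient at the same time.
foreach ($rc in Get-ReceiveConnector) {
    $anonymous = "$($rc.PermissionGroups)" -match 'AnonymousUsers'
    $anySource = @($rc.RemoteIPRanges | Where-Object { "$_" -eq '0.0.0.0-255.255.255.255' }).Count -gt 0
    $anyRecip  = @($rc | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ErrorAction SilentlyContinue |
                   Where-Object { -not $_.Deny -and "$($_.ExtendedRights)" -match 'Accept-Any-Recipient' }).Count -gt 0
    if ($anonymous -and $anySource -and $anyRecip) {
        Write-Warning "$($rc.Identity) is an open relay (anonymous + any source IP + Accept-Any-Recipient)"
    }
}
```

The audit loop is worth keeping as a scheduled check: the default Receive connector already allows anonymous users from any address, so a single misplaced Add-ADPermission against it is enough to make the server relay for the whole Internet.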

Change MX record to redirect mail flow from the Internet to Office 365

To redirect inbound e-mail to Office 365, change the MX (mail exchange) record for your domain to the value shown for the domain in the Office 365 admin center (a host under mail.protection.outlook.com).

Note
If you want to run a pilot before cutting over, keep your MX record and Autodiscover settings pointing at the on-premises Exchange server, but publish an SPF TXT record in the following format so that mail sent from Exchange Online for your domain (by mailboxes that have already moved) passes SPF checks at the recipient:

v=spf1 mx a:mail.gdm.ca include:spf.protection.outlook.com ~all

mail.gdm.ca = the external FQDN of the Exchange CAS server. The a: mechanism authorizes that host's address; include: is only for domains that publish their own SPF record (such as spf.protection.outlook.com), and an include: of a host name that has no SPF record causes a permanent error for the whole SPF evaluation.

Migrating Mailboxes between the on-premises Exchange server and Office 365

Review and Enable the MRSProxy service

1. Log on to the on-premises Exchange server.

2. Open PowerShell as Administrator and run the following cmdlets to install the RPC over HTTP Proxy Windows feature:

Import-Module ServerManager
Add-WindowsFeature RPC-over-HTTP-proxy   # older equivalent: ServerManagerCmd -i RPC-over-HTTP-proxy

3. Open the Exchange Management Shell and run the following cmdlet to check whether the MRS proxy is enabled:

Get-WebServicesVirtualDirectory | fl Server,MRS*

4. If it is disabled, run the following cmdlet to enable it:

Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -MRSProxyEnabled $true -MRSMaxConnections 50

Create a migration endpoint

Before performing onboarding and offboarding remote move migrations in an Exchange hybrid deployment, create an Exchange remote migration endpoint. The migration endpoint contains the connection settings for the on-premises Exchange server that is running the MRS proxy service, which is required to perform remote move migrations to and from Exchange Online.

1. Log on to the Office 365 portal with an administrator account and open the Exchange Admin Center.

2. Select recipients and click migration.

3. Click … and select Migration endpoints.

4. On the migration endpoints page, click +.

5. On the new migration endpoint page, select Exchange Remote and then click
Next.

6. On the Enter on-premises account credentials page, enter the e-mail address of an on-premises mailbox, and the username and password of an account that has administrative privileges in the on-premises organization, and click Next.

7. On the Confirm the migration endpoint page, type the external FQDN of the on-premises server that runs the MRS proxy (the host name of the EWS external URL), and click Next.

8. On the Enter general information page, type the migration endpoint name, the maximum number of concurrent migrations and the maximum number of concurrent incremental syncs, and then click New.

9. Click Close after the migration endpoint has been created.

Move on-premises mailboxes to Exchange Online

You can use the remote move migration wizard in the Exchange Admin Center to move existing user mailboxes from the on-premises organization to the Exchange Online organization.

1. Log on to the Office 365 portal with an administrator account and open the Exchange Admin Center.

2. Select Recipients and click migration.

3. Click Add , and then select Migrate to Exchange Online.

4. On the Select a migration type page, select Remote move migration and then
click Next.

5. On the Select the users page, click Add and select the on-premises users and
click Add.

6. Click OK, and then click Next.

7. On the Confirm the migration endpoint page, verify that the FQDN of your on-premises Exchange server is listed when the wizard confirms the migration endpoint.

8. On the Move configuration page, enter name in New migration batch name and
then click Next.

9. On the Start the batch page, select at least one recipient to receive the batch
complete report. Verify that the Automatically start the batch option is selected,
and then select the Automatically complete the migration batch check box. Click
New.
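The MRSProxy check, the endpoint test and creation, and the onboarding batch from the three procedures above, done from PowerShell instead of the Exchange Admin Center. This is an added example, not the book's own code. The external EWS host name mail.contoso.com, the coexistence domain contoso.mail.onmicrosoft.com, the two sample mailboxes and the notification address are placeholders, and the Exchange Online part assumes the ExchangeOnlineManagement module (the remote PowerShell endpoint with basic authentication that was current when the book was written has since been retired by Microsoft).

```powershell
# Added example, not from the book: enable MRSProxy on-premises, then test
# and create the remote-move endpoint and an onboarding batch from Exchange
# Online PowerShell. Assumed placeholders: external EWS FQDN mail.contoso.com,
# coexistence domain contoso.mail.onmicrosoft.com, two sample mailboxes, and
# the ExchangeOnlineManagement module for the Exchange Online session.

# ---- Part 1: on-premises Exchange 2010 Management Shell -----------------
Import-Module ServerManager
Add-WindowsFeature RPC-over-HTTP-proxy | Out-Null
Get-WebServicesVirtualDirectory |
    Set-WebServicesVirtualDirectory -MRSProxyEnabled $true -MRSMaxConnections 50
Get-WebServicesVirtualDirectory |
    Format-Table Server, MRSProxyEnabled, MRSMaxConnections, ExternalUrl -AutoSize

# ---- Part 2: Exchange Online PowerShell ----------------------------------
$OnPremFqdn   = 'mail.contoso.com'                 # assumption: external EWS host name
$TargetDomain = 'contoso.mail.onmicrosoft.com'     # assumption: coexistence domain
$OnPremCred   = Get-Credential -Message 'On-premises migration admin (DOMAIN\user)'
Connect-ExchangeOnline                              # ExchangeOnlineManagement module

# Fail fast if MRSProxy is unreachable (firewall, certificate or credential
# problem) instead of discovering it when the batch stalls.
$probe = Test-MigrationServerAvailability -ExchangeRemoteMove `
    -RemoteServer $OnPremFqdn -Credentials $OnPremCred
if ($probe.Result -ne 'Success') { throw "MRSProxy test failed: $($probe.Message)" }

$endpoint = New-MigrationEndpoint -ExchangeRemoteMove -Name 'OnPrem-MRSProxy' `
    -RemoteServer $OnPremFqdn -Credentials $OnPremCred `
    -MaxConcurrentMigrations 20 -MaxConcurrentIncrementalSyncs 10

# Users to move: one address per line under a header named EmailAddress.
# Constructed placeholder list; in practice read it from a file or a query.
$csv = @"
EmailAddress
alice@contoso.com
bob@contoso.com
"@

New-MigrationBatch -Name 'Pilot-Batch-01' -SourceEndpoint $endpoint.Identity `
    -TargetDeliveryDomain $TargetDomain `
    -CSVData ([System.Text.Encoding]::UTF8.GetBytes($csv)) `
    -NotificationEmails 'admin@contoso.com' -AutoStart -AutoComplete

# Progress: one line per mailbox, with the failure message if there is one.
Get-MigrationUser -BatchId 'Pilot-Batch-01' |
    Get-MigrationUserStatistics |
    Format-Table Identity, Status, SyncedItemCount, Error -AutoSize
```

Test-MigrationServerAvailability exercises the same path the batch will use (Autodiscover, the EWS external URL, the certificate and the supplied on-premises credentials), so a failure there points at the network or certificate rather than at the migration service.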

Move Exchange Online mailboxes to the on-premises organization

1. Log on to the Office 365 portal with an administrator account and open the Exchange Admin Center.

2. Select Recipients and click migration.

3. Click Add , and then select Migrate from Exchange Online.

4. On the Select the users page, select Select the users that you want to move and
then click Next.

5. On the Select the users page, click Add and then select the Exchange Online
users to move to the on-premises organization, click Add and then click OK. Click
Next.

6. On the Confirm the migration endpoint page, verify that the FQDN of your on-premises Exchange server is listed when the wizard confirms the migration endpoint. Click Next.

7. On the Move configuration page, enter a name for the migration batch in the New migration batch name text field. Then enter the target delivery domain in the Target delivery domain for the mailboxes that are migrating to Office 365 field; for a move back on-premises, this is your on-premises primary SMTP domain.

8. Choose whether to also move the archive mailbox for the selected users, and enter the name of the on-premises mailbox database to move the mailbox to in the Target database text field.

9. On the Start the batch page, select at least one recipient to receive the batch
complete report. Verify that Automatically start the batch is selected, and then
select the Automatically complete the migration batch check box. Click New.

Chapter 5

Meet great MVP's like this in person
If you liked their book, you will love to hear them in person.

Live Presentations
Dave frequently speaks at Microsoft conferences around North America, such as TechEd,
VeeamOn, TechDays, and MVPDays Community Roadshow.

Cristal runs the MVPDays Community Roadshow.

You can find additional information on the following blog:

www.checkyourlogs.net

www.mvpdays.com

Video Training
For video-based training, see the following site:

www.mvpdays.com

Live Instructor-led Classes


Dave has been a Microsoft Certified Trainer (MCT) for more than 15 years and presents
scheduled instructor-led classes in the US and Canada. For current dates and locations, see the
following sites:

• www.truesec.com

• www.checkyourlogs.net

Consulting Services
Dave and Cristal have worked with some of the largest companies in the world and have a
wealth of experience and expertise. Customer engagements are typically between two weeks
and six months.

Twitter
Dave, Cristal, Allan and Cary are on Twitter at the following aliases:

• Dave Kawula: @DaveKawula

• Cristal Kawula: @SuperCristal1

• Cary Sun: @SifuSun
