
Exchange Online migration with the Hybrid Agent
Mailbox Migration
When it comes to leveraging the full Office 365 feature set, migrating mailboxes to Exchange Online is one of the greatest challenges. Unlike migrating within an organization, moving to Exchange Online is problematic, because mailboxes are shifted between two separately managed organizations.
This connection between an on-premises Exchange instance and Exchange Online is known as a hybrid connection. Microsoft refers to this connection as the Exchange Modern Hybrid and has extended its Hybrid Configuration Wizard (HCW) with Hybrid Agent (Figure 1) to facilitate the connection. With HCW, Hybrid Agent establishes a connection between the local Exchange and Exchange Online, reducing the requirements for external DNS records, certificate updates, and incoming firewall network connections – all of which made the task complex in the past.

Multiple Choices
Hybrid Agent does not support Hybrid Modern Authentication, which includes, for example, multifactor authentication and authentication with client certificates. If your setup uses Hybrid Modern Authentication, you need to keep on using the classic Exchange Hybrid topology. Additionally, Hybrid Agent does not cover MailTips, Message Tracking, and Multi-Mailbox Search. If your setup uses these functions across the board, again, keep on using the classic model.
Hybrid Agent is constantly being optimized – improvements to the preview were delivered just two months after the first launch. In its first release in February 2019, Hybrid Agent only supported a single installation, which was a big limitation because it offered no redundancy options, free/busy information could not be viewed in an offline scenario, and move actions were not carried out. With the April 2019 updated version, several agents now can be installed in a local organization, and you can now view status information for Hybrid Agent and use Hybrid Agent instead of specific Exchange servers to address load balancers.
Hybrid Agent Preparation
You can install Hybrid Agent either on a standalone server (agent server) or on an Exchange server with the Client Access Server (CAS) role. Exchange 2010 or newer is required. The agent must be installed on Windows Server 2012 R2 or 2016 with .NET Framework 4.6.2 or higher. If Hybrid Agent and Exchange are set up on the same server, you need to ensure compatibility between Exchange and .NET [1] to avoid the use of an unsupported combination. Beyond this, the server only needs to be a domain member and have access to the Internet.
The only required outbound connections are ports 443 and 80; the latter is only used for certificate revocation list checks. The agent communicates with Azure Application Proxy, an Azure proxy service with a client-specific endpoint that leads to your online environment. Free/busy information and mailbox migrations are managed by the Azure Application Proxy. If the agent is not installed on an Exchange server with CAS, you also need to enable ports 5985 and 5986 to the CAS servers so communications actually work. Additionally, all CAS servers need to be able to connect to Office 365 over port 443 to retrieve free/busy information.
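The host-side prerequisites from the two paragraphs above can be collected into one local pre-flight check. This is an added example, not Microsoft's script and not code from the original article; the CAS server names and the outbound test host are placeholder assumptions, and 394802 is the registry Release value that corresponds to .NET Framework 4.6.2.

```powershell
# Added example: pre-flight check for a planned Hybrid Agent host.
# Not Microsoft's script. Server names and the outbound host are placeholders.
param(
    [string[]]$CasServers   = @('cas01.example.test', 'cas02.example.test'), # hypothetical
    [string]  $OutboundHost = 'outlook.office365.com', # stand-in, not the full endpoint list
    [switch]  $AgentOnCas    # set when the agent is installed on a CAS server itself
)

$results = New-Object 'System.Collections.Generic.List[object]'

function Add-Result([string]$Check, [bool]$Passed, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail })
}

function Test-Port([string]$Target, [int]$Port, [string]$Why) {
    $probe = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
    Add-Result "TCP $Port to $Target" ([bool]$probe.TcpTestSucceeded) $Why
}

# .NET Framework 4.6.2 or higher: the v4\Full Release value is 394802 or greater.
$ndpKey  = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndpKey -Name Release -ErrorAction SilentlyContinue).Release
Add-Result '.NET Framework 4.6.2+' ($release -ge 394802) "Release value: $release"

# Windows Server 2012 R2 reports version 6.3.x, Windows Server 2016 reports 10.0.14393.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Add-Result 'Supported OS' ($os.Version -match '^(6\.3\.|10\.0\.14393)') $os.Caption

# The server must be a domain member.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
Add-Result 'Domain member' $cs.PartOfDomain $cs.Domain

# Outbound only: 443 for the service, 80 for certificate revocation list checks.
Test-Port $OutboundHost 443 'Outbound HTTPS'
Test-Port $OutboundHost 80  'Outbound HTTP (CRL checks)'

# Agent on a standalone server: 5985/5986 (WinRM over HTTP/HTTPS) to every CAS server.
if (-not $AgentOnCas) {
    foreach ($cas in $CasServers) {
        Test-Port $cas 5985 'WinRM HTTP to CAS'
        Test-Port $cas 5986 'WinRM HTTPS to CAS'
    }
}

$results | Format-Table -AutoSize
if ($results.Passed -contains $false) { exit 1 }
```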
Microsoft provides a script [2] for checking the connection settings before installation. Start by importing the script module as follows:
Import-Module .\HybridManagement.psm1
The following call runs the actual test:
Test-HybridConnectivity -testO365Endpoints
For everything to run smoothly, you need to make sure that at least one identical email domain is set up as the accepted domain in each Exchange organization.
Installing the Agent
Hybrid Agent is part of the Office 365 HCW. The installer automatically downloads the latest version of Hybrid Agent in the background. The easiest way to start HCW is in the Exchange Admin Center (EAC) from the Hybrid menu item. HCW (Figure 2) is a click-to-run application that you download directly from Microsoft – the latest version is always launched. To run it, you need to be an Exchange Online global administrator. You can see the HCW version number in the top right corner, and further information is added during the next few steps.

After launching, select a local Exchange server that is configured for the hybrid connection. To continue, the server needs to be licensed. You can also license an Exchange Hybrid server at this point. When using the Hybrid license, no mailboxes can reside on the server. You also need to select the target platform, which is where you enter the location of your online environment – this could be a cloud environment or the standard Microsoft environment.
First, you will be prompted to choose your hybrid configuration. Hybrid Agent is available in two variants: minimal and full. The full Hybrid configuration is primarily intended for long-term coexistence and takes the mail flow, eDiscovery, and sharing of free/busy information into account. Because the minimal configuration is mainly designed to transfer mailboxes to Exchange Online seamlessly, I am selecting the minimal configuration here. If you do not see the Hybrid configuration window, you have already successfully set up a hybrid topology.
Next, you need to check the domain ownership. Verification is similar to domain verification in Office 365: Enter the displayed DNS-TXT record in your DNS zone and confirm ownership. Now select the topology. Hybrid Agent is offered to you as part of the Exchange Modern Hybrid topology, which you can download after confirming.
Once this is done, set up the send and receive connectors. Email traffic is secured by TLS; you need to select a valid certificate for this in the next step. The external hostname must be entered in the certificate; it must be possible to resolve this name externally, and it must be accessible over port 25. Hybrid Agent is not responsible for routing email, only for making the appropriate configurations. You can see the result after completion of the configuration in the EAC under mail flow | connectors.
After you have entered the specifications, the corresponding configuration is performed in the Exchange organizations. If all goes well, this completes the hybrid connection between your on-premises Exchange instance and Exchange Online. During the installation, shortcuts are also created on the server; you can use them to restart the HCW in case of changes in your Exchange organization.
Test Connection
Once the hybrid connection has been set up, you need to test a number of features. First, check email transport by sending messages back and forth between local and online mailboxes. You will also want to test accessibility from an external source.
Next, try creating mailboxes. You can now create mailboxes for Exchange Online in the local EAC (Figure 3), although you may experience a short delay before the account becomes available in Office 365. First, you need to assign a license to the account so that the user can log in to the mailbox. Second, migrate some mailboxes in Office 365 from your local environment to Exchange Online. To do this, go to the Exchange Online EAC and select recipients | migration and then Migrate to Exchange Online. Third, test the client experience by checking the free/busy information for mailboxes from different environments in a new event.

Between Two Worlds
Admins need to be aware that the two Exchange organizations are independent of each other in terms of configuration. In the EAC, you can quickly switch between the two worlds with the Enterprise and Office 365 tabs. Basically, policies such as the Retention Policy, OWA Policy, or Mobile Device Policy need to be created and configured separately. The Organization Configuration Transfer (OCT) wizard helps you migrate the settings. The first OCT version was released in June 2018 and only supported policies at that time. The next version (released in October 2018) added features, such as Active Sync Device Access Rule, Address List, and Policy Tip Config.
The first version only supported the initial transfer; in other words, if the wizard saw a setting with an identical name, it was just ignored. The second version now overwrites settings in Exchange Online. Although this is not the same as synchronization, it is an easy way to transfer settings quickly. OCT requires the latest cumulative update locally and supports Exchange Server 2010 or newer. OCT is part of the HCW; you select the transfer during hybrid configuration.
The Last Exchange Server Standing
Once all the mailboxes have been migrated to Exchange Online, you can uninstall the last Exchange server, but only if you will not be synchronizing the users with Azure Active Directory (AD) Connect, which integrates your local directories into Azure AD, giving users a single identity. Because it is not a prerequisite for the use of a hybrid configuration, I won't discuss it in detail here.
If you use this function, you need an Exchange server to maintain the local Exchange attributes. If no local Exchange server is available, the Exchange extensions for the AD objects, which are essential for smooth hybrid operation with Office 365, are missing. As a result of this requirement, you need to continue to import Exchange updates, including potential schema extensions.
Conclusions
Microsoft has removed the complexity from migrating between local Exchange environments and Exchange Online. Even small and medium-sized enterprises, which Microsoft identifies as potential users of Office 365, can benefit from an easier migration, thanks to Hybrid Agent.