Office 365 - The Magic Behind The Hybrid Config Wizard (2013) - Perficient Blogs
Blog
  • Topics
  • Industries
  • Partners

Explore

Topics

Industries

Partners

Office 365 – The Magic Behind The Hybrid Config Wizard (2013)


 
 
 
 
 
 
 
 
 
 
 
 
In a previous article, I extracted the changes made by the Exchange 2010 Hybrid Configuration Wizard (HCW) to get a better idea of what is going on behind the scenes when you run the HCW.
The same questions apply to Exchange 2013:
So what does the wizard do?
What does it change?
What is the impact?
If you submitted a change control request stating that you’re going to “run the hybrid wizard”, you’re probably being asked these same questions.
For those that are implementing Exchange hybrid on a regular basis, what the wizard does should not be a mystery at this point. If you’re new to Exchange hybrid, I’ve outlined below the individual commands run by the wizard and areas where there might be potential risk.

My Process

I gathered this data by running the HCW on an Exchange server using the “-verbose” switch. I’ve excluded anything that was just a “Get-” command and pulled out only the commands where a change is being made. When you run the HCW, you’ll find the log file in “C:\Program Files\Microsoft\Exchange Server\V15\Logging\Update-HybridConfiguration\“.
This was done on an Exchange 2013 CU6 server, it’s possible that the HCW changes with updates and it has slightly changed over the years.

Eleven Stages

There essentially are 11 stages of the Exchange 2013 HCW:

  • Creation of Hybrid Configuration Object
  • Check Tenant Prerequisites
  • Upgrading Hybrid Configuration from Exchange 2010
  • Check Prerequisites
  • Configure Recipient Settings
  • Creating Organization Relationship
  • Configure Free/Busy Settings
  • Configure Mail Flow
  • Configure MRS Proxy Settings
  • Configure IntraOrganization Connector
  • Configure OAuth

Within each section, there are commands run in the tenant or on-premises, I’ve outlined those in the sections below.

Stage 1: Creation of Hybrid Configuration Object

In this stage, a “Hybrid Configuration Object” is created in your on-premises Active Directory containing the responses to the questions you answered in the initial part of the Hybrid Configuration Wizard. You can see this object in Active Directory by running “Get-HybridConfiguration” on-premises.

Stage 2: Check Tenant Prerequisites

Nothing is actually changed in this stage. As the name implies, it’s a prerequisite check where you’ll see a lot of “Get-” commands in the log but no actual changes.

Stage 3: Upgrading Hybrid Configuration from Exchange 2010

This step checks the version of the Hybrid Configuration Object in Active Directory. I assume if the object was previously created with Exchange 2010, it is upgraded at this stage.

Stage 4: Check Prerequisites

Nothing is actually changed in this stage. As the name implies, it’s a prerequisite check for both the tenant and on-premises where you’ll see a lot of “Get-” commands in the log but no actual changes.

Stage 5: Configure Recipient Settings

All of the commands in this stage are run in the on-premises environment.
First, the “coexistence domain” (tenant.mail.onmicrosoft.com) is setup as a remote domain and an accepted domain in the on-premises environment.

New-RemoteDomain -Name 'Hybrid Domain - tenant.mail.onmicrosoft.com' -DomainName 'tenant.mail.onmicrosoft.com'
Set-RemoteDomain -Identity 'Hybrid Domain - tenant.mail.onmicrosoft.com' -TargetDeliveryDomain 'True'
New-AcceptedDomain -DomainName 'tenant.mail.onmicrosoft.com' -Name 'tenant.mail.onmicrosoft.com'

The coexistence domain is then added to the email addresses policies that contain the SMTP domains selected in the wizard and those email address policies are applied only to the secondary addresses via the “UpdateSecondaryAddressesOnly” switch.

Set-EmailAddressPolicy -Identity [Recipient Policy] -EnabledEmailAddressTemplates [Proxy Addresses]
Update-EmailAddressPolicy -Identity [Recipient Policy] -UpdateSecondaryAddressesOnly: $true

 

Stage 6: Creating Organization Relationships

In this stage, commands are run both on-premises and in the tenant in order to setup the trust with the Microsoft Federation Gateway (if you don’t have one already). Organization Relationships are also created between on-premises and the cloud to support free/busy between the two environments. These commands should have virtually no impact in your environment.
These are run on-premises:

Set-Federationtrust -RefreshMetadata -Identity 'Microsoft Federation Gateway' -RefreshMetadata: $false
Set-FederatedOrganizationIdentifier -AccountNamespace 'company.com' -DelegationFederationTrust 'Microsoft Federation Gateway' -Enabled 'True' -DefaultDomain $null
New-OrganizationRelationship -Name 'On-premises to O365 - {GUID}' -TargetApplicationUri 'outlook.com' -TargetAutodiscoverEpr 'https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc/WSSecurity' -Enabled: $true -DomainNames [SMTP Domains]

This command is run in the tenant:

New-OrganizationRelationship -Name 'O365 to On-premises - {GUID}' -TargetApplicationUri 'FYDIBOHF25SPDLT.company.com' -TargetAutodiscoverEpr 'https://autodiscover.company.com/autodiscover/autodiscover.svc/WSSecurity' -Enabled: $true -DomainNames [SMTP Domains]

 

Stage 7: Configure Free/Busy Settings

In this stage, commands are run both on-premises and in the tenant in order to configure the Organization Relationship for OWA redirection and free/busy. These commands should have virtually no impact in your environment.
These are run on-premises:

Set-OrganizationRelationship -MailboxMoveEnabled: $true -FreeBusyAccessEnabled: $true -FreeBusyAccessLevel 'LimitedDetails' -ArchiveAccessEnabled: $true -MailTipsAccessEnabled: $true -MailTipsAccessLevel 'All' -DeliveryReportEnabled: $true -PhotosEnabled: $true -TargetOwaURL 'http://outlook.com/owa/tenant.onmicrosoft.com' -Identity 'On-premises to O365 - {GUID}'
Add-AvailabilityAddressSpace -ForestName 'tenant.mail.onmicrosoft.com' -AccessMethod 'InternalProxy' -UseServiceAccount: $true -ProxyUrl 'https://mail.company.com/EWS/Exchange.asmx'

This command is run in the tenant:

Set-OrganizationRelationship -FreeBusyAccessEnabled: $true -FreeBusyAccessLevel 'LimitedDetails' -MailTipsAccessEnabled: $true -MailTipsAccessLevel 'All' -DeliveryReportEnabled: $true -PhotosEnabled: $true -Identity 'O365 to On-premises - {GUID}'

 

Stage 8: Configure Mail Flow

This stage configures the SMTP connectors in the on-premises environment and in Exchange Online Protection (EOP) in the tenant. These commands should have virtually no impact in your environment unless you are currently using EOP Standalone in which case there could be an impact to mail routing.
The commands below are run on-premises. A send connector called “Outbound to Office 365” is created it send messages with your coexistence domain (tenant.mail.onmicrosoft.com) to EOP using TLS. The default frontend receive connector is modified to use a certificate for inbound communication from EOP.

New-SendConnector -Name 'Outbound to Office 365' -AddressSpaces [Coexistence Domain] -SourceTransportServers [Servers] -DNSRoutingEnabled: $true -TLSDomain 'mail.protection.outlook.com' -RequireTLS: $true -TLSAuthLevel 'DomainValidation' -ErrorPolicies 'Default' -TLSCertificateName [CERTIFICATE] -CloudServicesMailEnabled: $true -Fqdn $null
Set-ReceiveConnector -Identity 'SERVER\Default Frontend SERVER' -TLSCertificateName [CERTIFICATE] -TLSDomainCapabilities [CERTIFICATE]

The commands below are run in the tenant. Inbound and outbound connectors are created in EOP for SMTP traffic cross-premises; the “RouteAllMessagesViaOnPremises” parameter is dependent upon whether you selected the option for “Centralized Transport” during the HCW. Additionally, an “OnPremisesOrganization” object is created in the tenant that contains a number of the settings configured by the HCW.

New-InboundConnector -Name 'Inbound from {GUID}' -ConnectorType 'OnPremises' -RequireTLS: $true -SenderDomains {smtp:*;1} -TLSSenderCertificateName [CERTIFICATE] -CloudServicesMailEnabled: $true
New-OutboundConnector -Name 'Outbound to {GUID}' -RecipientDomains {company.com} -SmartHosts {mx1.company.com} -ConnectorType 'OnPremises' -TLSSettings 'DomainValidation' -TLSDomain 'mx1.company.com' -CloudServicesMailEnabled: $true -RouteAllMessagesViaOnPremises: $false -UseMxRecord: $false
New-OnPremisesOrganization -HybridDomains {company.com} -InboundConnector 'Inbound from {GUID}' -OutboundConnector 'Outbound to {GUID}' -OrganizationRelationship 'O365 to On-premises - {GUID}' -OrganizationName 'Tenant' -Name '{GUID}' -OrganizationGuid '{GUID}'

 

Stage 9: Configure MRS Proxy Settings

Here the MRS Proxy is enabled on on-premises the Exchange Web Services (EWS) virtual directory.

Set-WebServicesVirtualDirectory -Identity 'CN=EWS (Default Web Site),CN=HTTP,CN=Protocols,CN=SERVER,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=company,DC=com' -MRSProxyEnabled: $true

 

Stage 10: Configure IntraOrganization Connector

Here the Intra-Organization connector is created between on-premises and Exchange Online.
The command below is run on-premises:

New-IntraOrganizationConnector -Name 'HybridIOC - {GUID}' -DiscoveryEndpoint 'https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc' -TargetAddressDomains {tenant.mail.onmicrosoft.com} -Enabled: $true

The command below is run in the tenant:

New-IntraOrganizationConnector -Name 'HybridIOC - {GUID}' -DiscoveryEndpoint 'https://autodiscover.company.com/autodiscover/autodiscover.svc' -TargetAddressDomains {company.com} -Enabled: $true

 

Stage 11: Configure OAuth

At this point, the Hybrid Configuration Wizard has basically completed and it will ask you to launch a small executable for configuration of OAuth if you’re running CU5 or later. My experience has been that the application needs to be run on the Exchange 2013 server and from Internet Explorer.
The OAuth configuration is basically the commands in the following article with the exception of steps #6 and #7 as those were configured previously by the Hybrid Configuration Wizard: Configure OAuth authentication between Exchange and Exchange Online organizations
Did you find this article helpful?
Leave a comment below or follow me on Twitter (@JoePalarchio) for additional posts and information on Office 365.
Looking to do some more reading on Office 365?
Catch up on my past articles here: Joe Palarchio.

4 thoughts on “Office 365 – The Magic Behind The Hybrid Config Wizard (2013)

  1. Great article!
    Well structured, clear language, straight to the point.
    Really sheds light over what HCW exactly does.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to the Weekly Blog Digest:

Sign Up

Categories