In at the deep end – Exchange Hybrid Goodness Part 3

Welcome back!  If you have made it this far on the hybrid journey with me, I am impressed!  And so we have almost reached the end of our journey.  You will recall from part 2 of this series that we now have a working Exchange 2013 server set up, and as mentioned in part 1 we need to get the URLs configured correctly, the autodiscover DNS records changed over and our Office365 tenant sorted.  Soooo….. we have a lot of work to be getting on with, shall we?

First things first, we need to make sure that the cert we have applied to the Exchange 2007 server is also applied to the Exchange 2013 server.  I am not going to go step by step through how to apply a cert to the new Exchange server; there are a bunch of blogs already out there that will walk you through that component.  The only piece of advice that I will offer here is that when you add your cert, make sure that you do so using the certmgr.mmc snap-in first.

Next on the list, we need to update all of the virtual directories for Exchange 2013 with the right values.  We determined what those values should be back in part 1 of this series, so it should just be a case of copying and pasting what we have already done!  We are not going to update the 2007 URLs until we have finalized testing and made sure that everything is working as expected.

Note: I am only doing this because we have a long-term coexistence strategy. If you are doing a hybrid and intend on being off Exchange within a short space of time, it's not necessary to update the virtual directory URLs.



OWA

Set-OwaVirtualDirectory -Identity "ex2013\owa (Default Web Site)" -InternalUrl <internal URL> -ExternalUrl <external URL>


ActiveSync

Set-ActiveSyncVirtualDirectory -Identity "Ex2013\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl <internal URL> -ExternalUrl <external URL>

Outlook Anywhere

Set-OutlookAnywhere -Identity "Ex2013\Rpc (Default Web Site)" -InternalHostname <internal hostname> -ExternalHostname <external hostname> -ExternalClientAuthenticationMethod Basic -IISAuthenticationMethods Basic,NTLM

Exchange Web Services

Set-WebServicesVirtualDirectory -Identity "Ex2013\EWS (Default Web Site)" -InternalUrl <internal URL> -ExternalUrl <external URL>


Autodiscover

Set-ClientAccessServer -Identity Ex2013 -AutoDiscoverServiceInternalUri <Autodiscover URL>


ECP

Set-EcpVirtualDirectory -Identity "Ex2013\ecp (Default Web Site)" -InternalUrl <internal URL> -ExternalUrl <external URL>

Using some crafty hosts file manipulation on the Exchange 2013 server, we should be able to do some testing to make sure that each of these URLs is working.  Two of my favorite testing commands are:



Both of these commands, if we have manipulated the host records correctly, should give us a success (I have hidden the URL values in this example as they belong to a customer).
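An added check, not from the original post: before pointing DNS at the new server, read back the URLs and hostnames set above and confirm each one appears on a certificate enabled for IIS on the Exchange 2013 server, since a name mismatch shows up as certificate warnings in Outlook and OWA. The server name Ex2013 comes from the commands above; the helper Test-NameCovered is a hypothetical name introduced for this example.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2013 server.
$server = 'Ex2013'   # server name as used in the commands above

# Names on certificates that are enabled for IIS and have not expired.
$certNames = @(Get-ExchangeCertificate -Server $server |
    Where-Object { "$($_.Services)" -match 'IIS' -and $_.NotAfter -gt (Get-Date) } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_".ToLower() } | Sort-Object -Unique)

# Hypothetical helper: true when $HostName matches an exact name or a
# single-label wildcard (*.example.com covers mail.example.com only).
function Test-NameCovered([string]$HostName, [string[]]$Names) {
    $h = $HostName.ToLower()
    foreach ($n in $Names) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.') -and $h.Contains('.') -and
            $h.Substring($h.IndexOf('.')) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

# Collect every hostname published by the Set-* commands above.
$published = @()
$vdirs = @(Get-OwaVirtualDirectory -Server $server) +
         @(Get-EcpVirtualDirectory -Server $server) +
         @(Get-ActiveSyncVirtualDirectory -Server $server) +
         @(Get-WebServicesVirtualDirectory -Server $server)
foreach ($v in $vdirs) {
    foreach ($prop in 'InternalUrl', 'ExternalUrl') {
        if ($v.$prop) {
            $published += [pscustomobject]@{
                Source = "$($v.Name) $prop"; Host = ([uri]"$($v.$prop)").Host }
        }
    }
}
$scp = (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
if ($scp) { $published += [pscustomobject]@{ Source = 'Autodiscover SCP'; Host = ([uri]"$scp").Host } }
$oa = Get-OutlookAnywhere -Server $server
foreach ($prop in 'InternalHostname', 'ExternalHostname') {
    if ($oa.$prop) { $published += [pscustomobject]@{ Source = "Outlook Anywhere $prop"; Host = "$($oa.$prop)" } }
}

# Report each hostname and whether a certificate enabled for IIS covers it.
$published | Select-Object Source, Host,
    @{ Name = 'Covered'; Expression = { Test-NameCovered $_.Host $certNames } } |
    Format-Table -AutoSize
```

Any row with Covered set to False means that name is missing from the certificate and should be resolved before the DNS change.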


Once we have successfully tested the Exchange 2013 component, we can move on to updating the autodiscover record to point to the Exchange 2013 server both externally and internally.  This will require an update to the A record in the internal DNS and, depending on who manages your external DNS, a ticket raised to update the current autodiscover record that points to the 2007 server.

Once the autodiscover record has been changed over, it is time to update the 2007 URLs to those that we specified above.


OWA

Set-OwaVirtualDirectory -Identity "ex2007\owa (Default Web Site)" -InternalUrl <internal URL> -ExternalUrl <external URL>


ActiveSync

Set-ActiveSyncVirtualDirectory -Identity "Ex2007\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl <internal URL> -ExternalUrl $null

Remember: Exchange 2007 does not support “Negotiate” authentication (refer to image below).  This means that the ExternalClientAuthenticationMethod should be configured to match whatever is configured for 2007, which is either Basic or NTLM.  For Outlook Anywhere to proxy from 2013 to 2007, the IISAuthenticationMethods on 2007 will need to be reconfigured to support both Basic and NTLM.  By default, Exchange 2007 IISAuthenticationMethods is set to just Basic.  NTLM must be added for the proxy to work.


Outlook Anywhere

Set-OutlookAnywhere -Identity "Ex2007\Rpc (Default Web Site)" -IISAuthenticationMethods Basic,NTLM

Exchange Web Services

Set-WebServicesVirtualDirectory -Identity "Ex2007\EWS (Default Web Site)" -InternalUrl <internal URL> -ExternalUrl <external URL>


Autodiscover

Set-ClientAccessServer -Identity Ex2007 -AutoDiscoverServiceInternalUri <Autodiscover URL>

OK, so now that all of our virtual directories have been updated, along with our DNS records both internally and externally, let's just recap on what those DNS records should look like now:

At this point we need to ensure that our autodiscover is working externally as expected and nothing is being blocked by a firewall or otherwise.  To do this part of the testing I like to use the Remote Connectivity Analyzer, which is another awesome tool provided by Microsoft that helps me do my job and do it better.

There are a number of different tests that you can perform; I generally do an Outlook autodiscover and an Exchange ActiveSync autodiscover test.  You can choose to do whatever is relevant to your deployment / environment.  The results of these tests are really helpful in diagnosing any potential issues should any exist.

Moving on to the hybrid components of our build.  One of the next pre-reqs that we need to complete before we can start is to enable the MRS proxy service; this is the service that will perform the remote mailbox moves.

To enable the MRS service, open the EAC and navigate to Servers > Virtual directories.  Select the Client Access server, select the EWS virtual directory, and then click Edit.  Select the MRS Proxy enabled check box and click Save.

Ok so onto Office365 config!  Wow, we made it finally now we are getting to the juicy, juicy part of the blog series….

Where to start?  Well, firstly we need to get our domain set up with Office365.  So head to the portal, get logged in and browse to Domains in the Office365 admin section.  Once there, select Add Domain; you should be presented with the following window, where you hit Lets get Started:



The next step will ask you to verify that you do in fact own the domain, and will require you to create either a TXT or MX record in your external DNS provider portal.  Once you have created either of these records, proceed with the wizard and you should see the following window once Office365 has confirmed ownership.


Select “No, I have an existing website or prefer to manage my own DNS records” when prompted on the next window.

The next steps will be configuring the advanced setup, which will get Office365 set up for Hybrid.

I’ve decided to put that into another blog post as this one is already pretty late in the piece!

