Migrate a SQL Server database to Azure SQL Database

Azure Database Migration Service partners with DMA to migrate existing on-premises SQL Server, Oracle, and MySQL databases to Azure SQL Database, Azure SQL Database Managed Instance or SQL Server on Azure virtual machines.

 

SQL Migration.png
Azure SQL Migration (Source Microsoft Corp)

 

Moving a SQL Server database to Microsoft Azure SQL Database with Data Migration Assistant is a three-part process:

  1. Prepare a database in a SQL Server for migration to Azure SQL Database using the Data Migration Assistant (DMA).
  2. Export the database to a BACPAC file.
  3. Import the BACPAC file into an Azure SQL Database.

Using Microsoft Data Migration Assistant

Step 1: Prepare for migration

Complete these prerequisites:

  • Install the newest version of Microsoft SQL Server Management Studio (SSMS). Installing SSMS also installs the newest version of SQLPackage, a command-line utility that can be used to automate a range of database development tasks.
  • Download and Install the Microsoft Data Migration Assistant (DMA).
  • Identify and have access to a database to migrate.

Follow these steps to use Data Migration Assistant to assess the readiness of your database for migration to Azure SQL Database:

  1. Open the Microsoft Data Migration Assistant. You can run DMA on any computer with connectivity to the SQL Server instance containing the database that you plan to migrate; you do not need to install it on the computer hosting the SQL Server instance.
  2. In the left-hand menu, click New to create an Assessment project. Fill in the form with a Project name (all other values should be left at their default values), and then click Create.
  3. On the Options page, click Next.
  4. On the Select sources page, enter the name of SQL Server instance containing the server you plan to migrate. Change the other values on this page if necessary, and then click Connect.
  5. In the Add sources portion of the Select sources page, select the checkboxes for the databases to be tested for compatibility, and then click Add.
  6. Click Start Assessment.
  7. When the assessment completes, look for the checkmark in the green circle to see if the database is sufficiently compatible to migrate.
  8. Review the results the SQL Server feature parity results. Specifically review the information about unsupported and partially supported features, and the recommended actions.
  9. Review the Compatibility issues by clicking that option in the upper left. Specifically review the information about migration blockers, behavior changes, and deprecated features for each compatibility level. For the AdventureWorks2008R2 database, review the changes to Full-Text Search since SQL Server 2008, and the changes to SERVERPROPERTY(‘LCID’) since SQL Server 2000. For details about these changes, links for more information are provided. Many search options and settings for Full-Text Search have changed.
  10. Optionally, click Export report to save the report as a JSON file.
  11. Close the Data Migration Assistant.

Step 2: Export to BACPAC file

Follow these steps to use the SQLPackage command-line utility to export the AdventureWorks2008R2 database to local storage.

  1. Open a Windows command prompt and change your directory to a folder in which you have the 130 version of SQLPackage, such as C:\Program Files (x86)\Microsoft SQL Server\130\DAC\bin.
  2. Execute the following SQLPackage command at the command prompt to export the AdventureWorks2008R2 database from localhost to AdventureWorks2008R2.bacpac. Change any of these values as appropriate to your environment.

SQLPackageCopy

sqlpackage.exe /Action:Export /ssn:localhost /sdn:AdventureWorks2008R2 /tf:AdventureWorks2008R2.bacpac

Once the execution is complete the generated BACPAC file is stored in the directory where the sqlpackage executable is located. In this example, C:\Program Files (x86)\Microsoft SQL Server\130\DAC\bin.

  1. Log in to the Azure portal.
  2. Create a SQL Server logical server

A SQL Server logical server acts as a central administrative point for multiple databases. Follow these steps to create a SQL server logical server to contain the migrated Adventure Works OLTP SQL Server database.

  1. Click the New button found on the upper left-hand corner of the Azure portal.
  2. Type sql server in the search window on the New page, and select SQL server (logical server) from the filtered list.
  3. Click Create, and enter the properties for the new SQL Server (logical server).
  4. Complete the SQL server (logical server) form with the values from the red box in this image.
  5. Click Create to provision the logical server. Provisioning takes a few minutes.

Step 3: Create a server-level firewall rule

  1. Click All resources from the left-hand menu, and click the new server on the All resources page. The overview page for the server opens and provides options for further configuration.
  2. Click Firewall in the left-hand menu under Settings on the overview page.
  3. Click Add client IP on the toolbar to add the IP address of the computer you are currently using, and then click Save. This creates a server-level firewall rule for this IP address.
  4. Click OK.

Step 3: Import a BACPAC file to Azure SQL Database

The SQLPackage command-line utility is the preferred method to import your BACPAC database to Azure SQL Database for most production environments.

SqlPackage.exe /a:import /tcs:”Data Source=<your_server_name>.database.windows.net;Initial Catalog=<your_new_database_name>;User Id=<change_to_your_admin_user_account>;Password=<change_to_your_password>” /sf:AdventureWorks2008R2.bacpac /p:DatabaseEdition=Premium /p:DatabaseServiceObjective=P6

Connect using SQL Server Management Studio (SSMS)

  1. Open SQL Server Management Studio.
  2. In the Connect to Server dialog box, enter this information.
  • Server type: Specify Database engine
  • Server name: Enter your fully qualified server name, such as mynewserver20170403.database.windows.net
  • Authentication: Specify SQL Server Authentication
  • Login: Enter your server admin account
  • Password: Enter the password for your server admin account
  1. Click Connect.
  2. In Object Explorer, expand Databases, and then expand myMigratedDatabase to view the objects in the sample database.

Using Azure Database Migration Service

Azure Database Migration Service (ADMS), now in limited preview, can help you migrate existing on-premises SQL Server, Oracle, and MySQL databases to Azure SQL Database, Azure SQL Database Managed Instance, or SQL Server on an Azure Virtual Machine.

ADMS is designed to simplify the complex workflows you can encounter when migrating various database types to databases in Azure.

  1. In the Azure portal, select Data Migration Service, and then click New Migration Project.
  2. In New Migration Project, enter a unique project name, server source type and a target server type.
  3. Click Start.
  4. Provide all options under Migration target details, and then click Save.
  5. Provide all options under Migration source detail, and then click Save.
  6. In the Select source databases list, select each source database you want to migrate, and then click Save.
  7. Review the details summary, and then click Run Migration to start the migration. The amount of time the migration will run depends on a variety of factors including size and complexity of the database, source disk speed, and network speed.
  8. Once the migration is finished, a Completed status will be displayed in the SQL Migration dashboard.

Migrating VMware Virtual Workloads to Microsoft Azure Cloud

Overview

Migrating to the cloud doesn’t have to be difficult, but many organizations struggle to get started. Before they can showcase the cost benefits of moving to the cloud or determine if their workloads will lift and shift without effort, they need deep visibility into their own environment and the tight interdependencies between applications, workloads, and data. Azure Migrate, Azure Database Migration Service, and Azure Cost Management provides a frictionless approach to moving VMware VMs to Azure.

VMware to Azure.PNG

Microsoft – Cloud Security Certification

Microsoft Azure has been certified by Australian Signals Dicrectorate (ASD), Department of Defence. Check your region to verify Azure certification by the regulator if you have regulatory compliance requirements.

  • Microsoft has undergone an Information Security Registered Assessors Program (IRAP) assessment of Australian Signals Directorate (ASD) and been certified on the Certified Cloud Services List (CCSL) by ASD for Azure, Dynamics 365, and Office 365
  • Microsoft Azure has been awarded PROTECTED classification level by the Australian Signals Directorate (ASD). Microsoft Azure is the first global cloud provider which has been awarded PROTECTED
  • Azure, Cloud App Security, Intune, Office 365, Dynamics 365 and Power BI are awarded certification after rigorous independent assessments of cloud providers by the Cloud Security Alliance (CSA)
  • Azure, Cloud App Security, Intune, Office 365, Dynamics 365 and Power BI are awarded ISO/IEC 27001 certification meeting criteria specified in the ISO certification

Licensing Cost & Azure Hybrid Benefit

  • customers with Software Assurance to run Windows Server VMs on Azure at a lower rate.
  • save up to 40 percent on Windows Server VMs
  • Use existing SQL Server licenses toward SQL Database managed instances
  • Azure Reserved Virtual Machine Instances to further reduce costs—up to 72% on PAYG prices per year or per three years terms on both Windows and Linux virtual machines.
  • pay only for the underlying compute and storage for SQL VM
  • 82% savings over PAYG rates on Azure and up to 67% compared to AWS RIs for Windows VMs.
  • 49% cost savings estimated using the Azure TCO calculator comparing on-premsies VMware VMs. Actual savings may vary based on region, instance type and usage. Reference Nucleus Research
  • You can specify whether you’re enrolled in Software Assurance and can use the Azure Hybrid Use Benefit.

Hybrid Cloud1

Migration Path

Microsoft offers an end-to-end solution to provide you with a proven framework and tools to migrate your first workload and give you a complete roadmap for discovery, migration, and continual optimization, including better insights and strategies for running your entire datacenter portfolio on Azure. Migrating to Azure is simple three-stage process and focuses on how to identify virtual machines, applications, and data that can easily be moved to the cloud.

Hybrid Cloud.PNG

Supported Platform

  • VMware vCenter Server 5.5, 0 and later version managed virtual machines
  • Any On-premises Storage (vSAN, FC SAN, NFS or iSCSI)
  • Appliance-based, agentless, and non-intrusive discovery of on-premises virtual machines.
  • Currently Azure Migrate supports only Locally redundant storage (LRS). However, once you migrated to Azure, you can use Geo-redundant storage.
  • Lift & Shift migration to Azure IaaS Cloud
  • Azure migrate will recommend the use of Azure Database Migration Service
  • Use Azure Site Recovery Manager to migrate business critical and large VMs to Azure Cloud

Stage 1 – Assess Your VMware vSphere Environment

Use these four steps to discover and assess your on-premises workloads for migration to Azure.

  1. Prepare your environment.
  2. Discover virtual machines.
  3. Group virtual machines.
  4. Assess the groups of virtual machines.

Step 1: Prepare your environment

  1. To get started with Azure Migrate, you need a Microsoft Azure account or the free trial.
  2. Assess VMware Virtual machines located on vSphere ESXi hosts that are managed with a vCenter server running version 5.5 or 6.0.
  3. The ESXi host or cluster on which the Collector VM (version 8.0) runs must be running version 5.0 or later.
  4. To discover virtual machines, Azure Migrate needs an account with read-only administrator credentials for the vCenter server.
  5. Create a vCenter virtual machine in .ova format. Download an appliance and import it to the vCenter server to create the virtual machine. The virtual machine must be able to connect to the internet to send metadata to Azure.
  6. Set statistics settings for the vCenter server to statistics level 2. The default Level 1 will work, but Azure Migrate won’t be able to collect data for performance-based sizing for storage.

Tag your virtual machines in vCenter (optional)

Use these steps to tag your virtual machines in vCenter server.

  1. In the VMware vSphere Web Client, navigate to the vCenter server instance.
  2. To review current tags, click Tags.
  3. To tag a virtual machine, click Related Objects > Virtual Machines, and select the virtual machine.
  4. In Summary > Tags, click Assign.
  5. Click New Tag, and specify a tag name and description.
  6. To create a category for the tag, select New Category in the drop-down list.
  7. Specify a category name and description and the cardinality, and click OK.

Step 2: Discover virtual machines

Using Azure Migrate to discover on-premises workloads involves these steps.

  1. Create a Project.
  2. Download the Collector appliance.
  3. Create the Collector virtual machine.
  4. Run the Collector to discover virtual machines.
  5. Verify discovered virtual machines in the portal.

Create a Project

Azure Migrate projects hold the metadata of your on-premises machines and enables you to assess migration suitability.  Use these steps to create a project.

  1. Log on to the Azure portal and click New.
  2. Search for Azure Migrate in the search box, and select the service Azure Migrate (preview) in the search results, and then click Create.
  3. Select the Azure Migrate service from the search results.
  4. Click Create.
  5. Specify a name for the new project.
  6. Select the subscription you want the project to get associated to.
  7. Create a new resource group, or select an existing one.
  8. Specify an Azure location.
  9. To quickly access the project from the Dashboard, select Pin to dashboard.
  10. Click Create. The new project appears on the Dashboard, under All resources, and in the Projects blade.

Download the Collector appliance

  1. Select the project, and click Discover & Assess on the Overview blade.
  2. Click Discover Machines, and then click Download.
  3. Copy the Project ID and project key values to use when you configure the Collector.

Deploy the Collector virtual machine

In the vCenter Server, import the Collector appliance as a virtual machine using the Deploy OVF Template wizard.

  1. In vSphere Client console, click File > Deploy OVF Template.
  2. In the Deploy OVF Template Wizard > Source, specify the location for the .ovf file.
  3. In Name and Location, specify a friendly name for the Collector virtual machine, the inventory object in which the virtual machine will be hosted.
  4. In Host/Cluster, specify the host or cluster on which the Collector virtual machine will run.
  5. In Storage, specify the storage destination for the Collector virtual machine.
  6. In Disk Format, specify the disk type and size.
  7. In Network Mapping, specify the network to which the Collector virtual machine will connect. The network must be connected to the internet to send metadata to Azure.
  8. Review and confirm the settings, and then click Finish.

Run the Collector to discover virtual machines

  1. In the vSphere Client console, right-click the virtual machine > Open Console.
  2. Provide the language, time zone, and password preferences for the appliance.
  3. In the Azure Migrate Collector, open Set Up Prerequisites, and then

o Accept the license terms, and read the third-party information.

o The Collector checks that the virtual machine has internet access. If the virtual machine accesses the internet via a proxy, click Proxy settings, and specify the proxy address and listening port. Specify credentials if proxy access needs authentication.

o The Collector checks that the Windows profiler service is running. The service is installed by default on the Collector virtual machine.

o Select to download and install the VMware PowerCLI.

  1. In Discover Machines, do the following:

o Specify the name (FQDN) or IP address of the vCenter server and the read-only account the Collector will use to discover virtual machines on the vCenter server.

o Select a scope for virtual machine discovery. The Collector can only discover virtual machines within the specified scope. Scope can be set to a specific folder, datacenter, or cluster, but it shouldn’t contain more than 1000 virtual machines.

o If you’re using tagging on the vCenter server, select tag categories for virtual machine grouping. Azure Migrate automatically groups virtual machines based on tag values in the category. If you’re not using tagging, you can group virtual machines in the Azure portal.

  1. In Select Project, specify the Azure Migrate project ID and key you copied from the Azure portal. If didn’t copy them, open Azure in a browser from the Collector virtual machine. In the project Overview page, click Discover Machines, and copy the values.
  2. In Complete Discovery, you can monitor the discovery status, and check that metadata is collected from the virtual machines in scope. The Collector provides an approximate discovery time.

Verify discovered virtual machines in the portal

  1. In the migration project, click Manage > Machines.
  2. Check that the virtual machines you want to discover appear in the portal.

Step 3: Group virtual machines

Enterprises typically migrate virtual machines with dependencies together at the same time to ensure their functionality after migration to Azure. Azure Migrate allows you to categorize the virtual machines by group so you can assess all the virtual machines in a group.

  • If you provided a tag category—which was an optional step while configuring the Collector—groups will be automatically created for the workloads based on the tag values.
  • If a tag category is not provided while configuring the Collector, you can create groups of virtual machines in the Azure Migrate portal.

Optional: Assess machine dependencies before adding them to a group

  1. In Manage > Machines, search the Machine for which you want to view the dependencies.
  2. In the Dependencies column for the machine, click Install agent.
  3. To calculate dependencies, download and install these agents on the machine: o Microsoft Monitoring agent

o Dependency agent

  1. Copy the workspace ID and key to use later when you install the Microsoft Monitoring agent on a machine.
  2. After you install the agents on the machine, return to the portal and click Machines. This time the Dependencies column for the machine should contain the text View dependencies. Click View dependencies.
  3. By default, the dependency time range is an hour. Click the time range to shorten it, specify start and end dates, or change the duration. Press Ctrl + Click to select multiple machines on the map, and then click Group machines.
  4. In Group machines, specify a group name. Verify the machines you added have the dependency agents installed and have been discovered by Azure Migrate. Machines must be discovered to assess them. We recommend that you install the dependency agents to complete dependency mapping.
  5. Click OK to save the group settings. Alternatively, you can add machines to an existing group.

Create a Group

You can create groups of virtual machines from the Machines blade or from the Groups blade, using a similar process.

Create a group from the Machines blade

  1. Navigate to the Dashboard of a project and click the Machines tile.
  2. Click Group Machines.
  3. Specify a name for the group in the Name box, and then select the machines that you want to add to the group.
  4. Click Create.

Add/Remove machines to/from an existing group if you require

  1. Navigate to the dashboard of a project and click the Groups tile.
  2. Select the Group you want to add/remove machines to/from.
  3. Click Add Machines or Remove Machines.
  4. Select the machines that you want to add/remove to/from the group.
  5. Click Add or Remove.

Step 4: Assess groups of virtual machines

Create an assessment

Follow these steps to generate an assessment for the group.

  1. Select the project you want under Project.
  2. On the project dashboard, click Groups.
  3. Create a new group or select an existing group to assess under Group.
  4. Click Create Assessment to create a new assessment for the group.

The assessment includes these details.

  • Summary of the number of machines suitable for Azure which is referred to as Azure Readiness.
  • Monthly estimate of the cost for running the machines in Azure after migration.
  • Storage monthly cost estimate.

Assessment calculation

Azure Migrate performs three checks on virtual machines in this order:

  1. Azure Suitability Analysis
  2. Performance-based sizing
  3. Monthly cost estimate

Stage 2: Migrate virtual machines using Azure Site Recovery

Before you start deployment, review the architecture and make sure you understand all the components you need to deploy.

Next, make sure you understand the prerequisites and limitations for a Microsoft Azure account, Azure networks, and storage accounts. You also need:

  • On-premises Site Recovery components
  • On-premises VMware prerequisites
  • Mobility service component installed on the virtual machine you want to replicate.

These are the general steps to migrate:

  1. Set up Azure services such as Virtual Networks, Availability Group, Network Load Balancer, Address Space, Subnets, Resource Group, Storage Accounts, Public IPs.
  2. Connect to VMware servers.
  3. Set up the target environment.
  4. Complete migration.

I assume, you have completed the step1. So I am moving on to step 2.

Create a Recovery Services vault

  1. Sign in to the Azure portal > Recovery Services.
  2. Click New > Monitoring & Management > Backup and Site Recovery.
  3. In Name, specify a friendly name to identify the vault. If you have more than one subscription, select one of them.
  4. Create a resource group, or select an existing one. Specify an Azure region. To check supported regions, see geographic availability in Azure Site Recovery Pricing Details.
  5. If you want to quickly access the vault from the dashboard, click Pin to dashboard, and then click Create.
  6. The new vault will appear on Dashboard > All resources and on the main Recovery Services vaults blade.

Select a protection goal

In this task, select what you want to replicate, and where you want to replicate to.

  1. Click Recovery Services vaults > vault.
  2. In the Resource Menu, click Site Recovery > Prepare Infrastructure > Protection goal.
  3. In Protection goal, select To Azure > Yes, with VMware vSphere Hypervisor.

Set up the source environment

In this task, set up the configuration server, register it in the vault, and discover virtual machines.

  1. Click Site Recovery > Step 1: Prepare Infrastructure > Source.
  2. If you don’t have a configuration server, click Configuration server.
  3. In Add Server, check that Configuration Server appears in Server type.
  4. Download the Site Recovery Unified Setup installation file.
  5. Download the vault registration key. You need this when you run Unified Setup. The key is valid for five days after you generate it.

Register the configuration server in the vault

The next task requires you to run Unified Setup to install the configuration server, the process server, and the master target server. First however, do these three steps.

  1. On the configuration server virtual machine, make sure that the system clock is synchronized with a Time Server. It should match. If it’s 15 minutes in front or behind, setup might fail.
  2. Run setup as a Local Administrator on the configuration server virtual machine.
  3. Make sure TLS 1.0 is enabled on the virtual machine.

Now you are ready to run Setup.

  1. Run the Unified Setup installation file.
  2. In Before You Begin, select Install the configuration server and process server.
  3. From the Third-Party Software License screen, click I Accept to download and install MySQL.
  4. From the Registration screen, select the registration key you downloaded from the vault, and then click Next.
  5. From the Internet Settings screen, specify how the Provider running on the configuration server connects to Azure Site Recovery over the Internet.
  6. If you want to connect with the proxy that’s currently set up on the machine, select Connect to Azure Site Recovery using a proxy server.
  7. If you want the Provider to connect directly, select Connect directly to Azure Site Recovery without a proxy server.
  8. If the existing proxy requires authentication, or if you want to use a custom proxy for the Provider connection, select Connect with custom proxy settings. o If you use a custom proxy, you need to specify the address, port, and credentials.
  9. From the Prerequisites Check screen, run a check to make sure that installation can run. If a warning appears about the Global time sync check, verify that the time on the system clock (Date and Time settings) is the same as the time zone.
  10. In the MySQL Configuration screen, create credentials for logging on to the MySQL server instance that is installed.
  11. From the Environment Details screen, select whether to replicate VMware virtual machines. If you will, Setup checks that PowerCLI 6.0 is installed.
  12. From the Install Location screen, select where you want to install the binaries and store the cache. The drive you select must have at least 5 GB of disk space available, but we recommend a cache drive with at least 600 GB of available space.
  13. From the Network Selection screen, specify the listener (network adapter and SSL port) on which the configuration server sends and receives replication data. Port 9443 is the default port used for sending and receiving replication traffic, but you can modify this port number to suit your environment’s requirements. In addition to the port 9443, we also open port 443, which is used by a web server to orchestrate replication operations. Do not use port 443 for sending or receiving replication traffic.
  14. In the Summary screen, review the information and click Install. When installation finishes, a passphrase is generated. You will need this when you enable replication, so copy it and keep it in a secure location. After registration finishes, the server is displayed on the Settings > Servers in the vault.

Step 2: Connect to VMware servers

To allow Azure Site Recovery to discover virtual machines running in your on-premises environment, you need to connect your VMware vCenter Server or vSphere ESXi hosts with Site Recovery. Note the following before you start:

  • If you add the vCenter server or vSphere hosts to Site Recovery with an account without administrator privileges on the server, the account needs these privileges enabled:

o Datacenter, Datastore, Folder, Host, Network, Resource, Virtual machine, vSphere Distributed Switch.

o The vCenter server needs Storage views permissions.

  • When you add VMware servers to Site Recovery, it can take 15 minutes or longer for them to appear in the portal.

Step 3: Set up the target environment

Before you set up the target environment, make sure you have an Azure storage account and a virtual network set up.

  1. Click Prepare infrastructure > Target, and select the Azure subscription you want to use.
  2. Specify whether your target deployment model is Resource Manager-based, or classic.
  3. Site Recovery verifies that you have one or more compatible Azure storage accounts and networks.

Create replication policy

You need a replication policy to automate the replication to Azure.

  1. To create a new replication policy, click Site Recovery infrastructure > Replication Policies > Replication Policy.
  2. Under RPO threshold, specify the RPO limit. This value specifies how often data recovery points are created. An alert is generated if continuous replication exceeds this limit.
  3. Under Recovery point retention, specify (in hours) how long the retention window is for each recovery point. Replicated virtual machines can be recovered to any point in a window. Up to 24 hours retention is supported for machines replicated to premium storage, and 72 hours for standard storage.
  4. Under App-consistent snapshot frequency, specify how often (in minutes) recovery points containing application-consistent snapshots will be created.
  5. Click OK to create the policy.
  6. When you create a new policy it’s automatically associated with the configuration server. By default, a matching policy is automatically created for failback. For example, if the replication policy is rep-policy then the failback policy will be rep-policy-failback. The failback policy isn’t used until you initiate a failback from Azure.

Prepare for push installation of the Mobility service

The Mobility service must be installed on all virtual machines you want to replicate. There are several ways to install the service, including manual installation, push installation from the Site Recovery process server, and installation using methods such as System Center Configuration Manager. Here you can review prerequisites and installation methods for the Mobility Service.

If you want to use push installation from the Azure Site Recovery process server, you need to prepare an account that Azure Site Recovery can use to access the virtual machine.

The following describes the options:

  • You can use a domain or local account

For Windows, if you’re not using a domain account, you need to disable Remote User Access control on the local machine. To do this, in the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, add the DWORD entry LocalAccountTokenFilterPolicy, with a value of 1.

  • If you want to add the registry entry for Windows from a CLI, type: REG ADD HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1.
  • For Linux, the account should be root on the source Linux server.

Install Mobility Service manually by using the GUI

  1. Copy the installer executable to the virtual machine that is being migrated to Azure, and then open the installer.
  2. On the Installation Option pane, select Install Mobility Service.
  3. Select the install location and click Install to being the installation procedure.
  4. You can use Installation Progress page to monitor the installer’s progress.
  5. Once installation is complete, click the Proceed to Configuration button to register the Mobility Service with your Configuration server.
  6. Click on the Register button to complete the registration.

Configure replication

After you have installed and configured both the Process Server and the Mobility Service agents, continue configuring replication in Azure.

  1. In the Azure portal, navigate to Site Recovery > Step1: Replicate Application > Enable Replication, and then click Step 1: Source Configure > Source.
  2. In Source, select On-Premises.
  3. In Source location, select your Configuration Server.
  4. In Machine type, select Virtual Machines.
  5. In vCenter/vSphere Hypervisor, select the vCenter server that manages the vSphere host, or select the host.
  6. Select the process server or the configuration server if you haven’t created any additional process servers, and then click OK.
  7. In Target, select the subscription and the resource group in which you want to create the migrated virtual machines. Choose the deployment model for the migrated virtual machines that you want to use in Azure (classic or resource manager).
  8. Select the Azure storage account you want to use for replicating data. If you don’t want to use an account you’ve already set up, you can create a new one.
  9. Select the Azure network and subnet to which Azure Virtual Machines will connect when they’re created after migration. Select Configure now for selected machines to apply the network setting to all machines you select for protection, or select Configure later to select the Azure network per virtual machine.
  10. Point to Virtual Machines > Select, select each enabled machine you want to replicate, and then click OK.
  11. In Properties > Configure properties, select the process server account that will automatically install the Mobility service on the machine.
  12. By default, all disks are replicated. Click All Disks and clear any disks you don’t want to replicate, and then click OK. You can set additional virtual machine disk properties later if needed.
  13. In Replication settings > Configure replication settings, verify that the correct replication policy is selected. If you modify a policy, changes will be applied to the replicating machine and to new machines.
  14. Enable Multi-VM consistency if you want to gather machines into a replication group, specify a name for the group, and then click OK.
  15. Click Enable Replication. You can track progress of the Enable Protection job in Settings > Jobs > Site Recovery Jobs. After the Finalize Protection job runs the machine is ready for failover.

Step 4: Complete migration

Because migration is different than failover, it is important to configure Site Recovery for a migration.

For migration, you don’t need to commit a failover or delete machines. Instead, select the Complete Migration option for each machine you want to migrate.

  1. In Replicated Items, right-click the virtual machine, and then click Complete Migration.
  2. Click OK to complete the migration.

You can track progress in the virtual machine properties by monitoring the Complete Migration job in Site Recovery jobs. The Complete Migration action completes the migration process, removes replication for the machine, and stops Site Recovery billing for the machine.

At this point, your virtual machine has been migrated to Azure and you can begin using the IP addresses you set up in Networking. If you must migrate a database, the next section outlines migrating SQL Server databases using Migration Data Assistant and Azure Database Migration Service. Otherwise, the migration process continues with

Stage 3: Optimize migrated workloads

Cloudyn helps ensure migrated virtual machines continue to deliver targeted resource utilization and best cost by recommending changes. Track costs against budget using spending reports that help identify which virtual machine types are consuming budget and support decisions on how to modify the Azure environment to maximize ROI. Cloudyn benefits include:

  • Visibility into resource costs
  • Visibility into application and departmental costs
  • Budgeting
  • Cost optimization with right-sizing guidance

As organizations move on-premises virtual machines to Azure, a best practice is to move workloads through three stages: discover, migrate, and optimize. Microsoft and its partners offer tools to help increase the efficiency and reduce the complexity of those stages.

EMC Unity Hybrid Storage for Azure Cloud Integration

The customers who have placed their workload in both on-premises and cloud forming a “Hybrid Cloud” model for your Organisation, you probably need on-premises storage which meets the requirement of hybrid workloads. EMC’s Unity hybrid flash storage series may be the answer to your business critical problem. This unified storage array is designed for organisations from midmarket to the enterprise. Cover the broadest range of workloads – SAN and NAS both. The EMC unity has been designed for workloads rather than a tin seating on your data centre consuming power and cooling bills, and you are calling it a SAN. After all, that was a traditional tin-based SAN solution.

Previously I wrote an article about Dell Compellent. I received an overwhelming response from the Compellent user. I have been asked many occasion what other option do we have if not the Compellent storage.

To answer the question, I would choose from either EMC Unity Hybrid Storage, Nimble and NetApp Storage subject to the in-depth analysis of workloads, casestudy and business requirements. But again, this is a “Subject to x,y,z” question. The tin-based storage does not fulfil the modern business requirement. I would personally like to use Azure or AWS than procure any tin and pay for power, cooling and racks.

EMC Unity

The Unity midrange storage for flash and rich data services based on dense SSD technology helps provide outstanding TCO. The Unity provides intelligent insight into SAN health with CloudIQ, which provides cloud-based proactive monitoring and predictive analytics. Additionally, the ongoing operation is simple with proactive assistance and automated remote support.

What I like about Unity is that the Unity Software, most notably CloudIQ, Appsync and Cloud Tiering Appliance. The Unity has the capabilities include point-in-time snapshots, local and remote data replication, built-in encryption, and deep integration with VMware, Microsoft Apps, Hyper-v, Azure Blob, AWS S3 and OpenStack ecosystems. The Unity provides an automated tiering and flash-caching, the most active data is served from flash.

Management

The Unity provides the most user-friendly GUI management interface. After installing and powering on the purpose-built Dell EMC Unity system for the first time, the operating environment will boot. The interfaces are well-defined and highlighted for areas of interest – drive faults, network link failures, etc. Within Unisphere are some options for support, including Unisphere Online Help and the Support page where FAQs, videos, white papers, chat sessions, and more

Provisioning Storage

The EMC Unity offers both block and file provisioning in the same enclosure. The Disk Drives are provisioned into Pools that can be used to host both block and file data. Connectivity is offered for both block and file protocols using iSCSI and Fibre Channel. You can access LUNs, Consistency Groups, Thin Clones, VMware Datastores (VMFS), and VMware Virtual Volumes.

Fast VP

The FAST VP (Fully Automated Storage Tiering for Virtual Pools) is a very smart solution for dynamically matching storage requirements with changes in the frequency of data access. Fast VP segregate disk drives in three tiers

  • Extreme Performance Tier – SSD
  • Performance tier – SAS
  • Capacity Tier – NL-SAS

Fast VP Policies – FAST VP is an automated feature but provide controls to setup user-defined tiering policies to ensure the best performance for various environments. FAST VP uses an algorithm to make data relocation decisions based on the activity level of each slice.

  • Highest Available Tier
  • Auto-Tier
  • Start High then Auto-Tier
  • Lowest Available Tier
  • No Data Movement

Cloud Tiering Appliance (CTA)

If you are an organisation with hybrid cloud and you would like to move data from on-premises to Azure Cloud or AWS S3, then Cloud Tiering Appliance (CTA) is the best solutions for you to move data to a cloud-based on user-configured policies. The other way is also true which means you can return your data to on-premises using this appliance.

Why do you need this appliance? If you run of storage or free-up space, you can do it on the fly without capital expenditure. This ability optimises primary storage usage, dramatically improves storage efficiency, shortens the time required to back up data, and reduces overall TCO for primary storage. This functionality also reduces your own data centre footprint. You can move both file and block data to Azure Cloud or AWS S3 using CTA.

EMC CloudIQ

Another cool feature is CloudIQ. CloudIQ provides the operational insights and overall health scores EMC midrange storage. CloudIQ provides Central monitoring, predictive analytics and health monitoring.

CloudIQ is a no-cost SaaS application that non-disruptively provides overall health scores for Unity systems through cloud-based proactive monitoring and intelligent, predictive analytics.

AppSync Data Protection

Your priority is workload. You must protect workloads and simplify management of workloads. AppSync empowers you to satisfy copy demand for data repurposing, operational recovery, and disaster recovery with AppSync.

AppSync simplifies, orchestrates, and automates the process of generating and consuming copies of production data. You can integrate AppSync with Oracle, Microsoft SQL Server, and Microsoft Exchange for application-consistent copy management. AppSync is the single user interface and provides VM-consistent copies of data stores and individual VM recovery for VMware environments

RecoveryPoint

EMC RecoverPoint provides continuous data protection with multiple recovery points to restore applications instantly to a specific point in time. EMC RecoveryPoint protects applications with bidirectional synchronous and asynchronous replication for recovery of physical, virtual, and cloud infrastructures. Minimize network utilisation with unique bandwidth compression and deduplication, significantly reducing replicated data over the network.

RecoveryPoint is software-only solutions to manage the disaster recovery provisioning and control their replication policies and recovery, ensuring that VM service levels are met.

EMC Storage Analytics

The Storage Analytics software lets you extend VMware vRealize Operations analytics to supported EMC storage platforms. Optimize performance and diagnose issues across physical storage and virtual machines with EMC Storage Analytics (ESA).

The Storage Analytics is dashboards based visual tools provide deep visibility into EMC infrastructure. Actionable capacity and performance analysis help you troubleshoot, identify, and act on issues fast.

Encryption

EMC Unity lets you encrypt user data as it is written to the backend drives, and decrypted during departure. Because encryption and decryption are handled via a dedicated hardware piece on the SAS interface, there is minimal impact on Unity Storage. The system also supports external key management through the use of the Key Management Interoperability Protocol (KMIP).

Conclusion

The Unity Hybrid Storage reduce cost, datacentre footprint, complexity and management overhead of your SAN systems while maintaining workload performance, protection and path to migrate data to Azure Cloud or AWS.

Office 365 Hybrid Deployment with Exchange 2016 Step by Step

Hybrid Configuration Business Case.

  • On-premises IRM- Information Rights Management (IRM) enables users to apply Active Directory Rights Management Services (AD RMS) templates to messages that they send.
  • Antispam and malware protection- Mailboxes moved to Office 365 are automatically provided with antivirus and anti-spam protection by Exchange Online Protection (EOP), a service provided by Office 365. However, for corporate compliance reason, mail must flow through via on-premises anti-spam and firewall devices.
  • Public Folder- You have on-premises public folder and you would like to retain on-premises public folder.
  • Legacy Application- You have legacy applications that only support localised email server instead internet based email server
  • On-prem UM- You have on-premises unified messaging infrastructure or telephony systems that only communicate with localised email servers
  • Use of current CAPEX- You want to utilise current on-premises investment until the equipment expires and you are not ready to move into cloud completely.

In a hybrid deployment when you connect your Office 365 Exchange Online organization to your existing on-premises Exchange organization using the Hybrid Configuration wizard. After configuring the hybrid deployment, the following features are enabled:

  • Secure mail routing between on-premises between the organizations.
  • Mail routing with a shared domain namespace. For example, both on-premises and Exchange Online organizations use the @domain.com SMTP domain.
  • A unified global address list (GAL), also called a “shared address book,” showing full details of recipients.
  • Free/busy calendar information sharing between the organizations.
  • Centralized control of inbound and outbound mail flow. You can configure all inbound and outbound Exchange Online messages to be routed through the on-premises Exchange organization.
  • A single Outlook on the web URL for both the organizations.
  • Automatic Exchange ActiveSync profile redirection when mailboxes are moved to Office 365 (dependent on device support).
  • The ability to move on-premises mailboxes to the Exchange Online organization and vice versa.
  • Centralized mailbox management using the on-premises Exchange Administration Center (EAC).
  • Message tracking, internal MailTips and Out of Office replies, and multi-mailbox search between the organizations.
  • Cloud-based message archiving for on-premises Exchange mailboxes. Exchange Online Archiving can be used with a hybrid deployment

A hybrid deployment involves several different services and components:

  • Exchange 2016 Servers-   The Exchange 2016 Mailbox server role is required in your on-premises Exchange organization. All on-premises Exchange 2016 servers need to have the latest release of Exchange 2016, or the release immediately prior to the current release, installed to support hybrid functionality with Office 365.
  • Office 365-   Hybrid deployments are supported with Office 365 Enterprise, Government and Academic plans.
  • Hybrid Configuration wizard-   Exchange 2016 includes the Hybrid Configuration wizard which provides you with a streamlined process to configure a hybrid deployment between on-premises Exchange and Exchange Online organizations.
  • Azure AD authentication system-   The Azure Active Directory (AD) authentication system is a free cloud-based service that acts as the trust broker between your on-premises Exchange 2016 organization and the Exchange Online organization. On-premises organizations configuring a hybrid deployment must have a federation trust with the Azure AD authentication system. The Hybrid Configuration wizard as part of configuring a hybrid deployment creates the federation trust. A federation trust with the Azure AD authentication system for your Office 365 tenant is automatically configured when you activate your Office 365 service account.
  • Azure Active Directory synchronization-   Azure AD synchronization uses Azure AD Connect to replicate on-premises Active Directory information for mail-enabled objects to the Office 365 organization to support the unified global address list (GAL) and user authentication. Organizations configuring a hybrid deployment need to deploy Azure AD Connect on a separate, on-premises server to synchronize your on-premises Active Directory with Office 365.
  • Active Directory Federation Services- AD FS provides simplified, secured identity federation and Web single sign-on (SSO) capabilities for end users who want to access applications within an AD FS-secured enterprise, in federation partner organizations, or in the cloud.
  • Web Application Proxy Server- The Web Application Proxy under the Remote Access role that allows administrators to securely publish applications for external access. This service acts as a reverse proxy and as an Active Directory Federation Services (AD FS) proxy.

Hybrid infrastructure

To be able to configure your current on-premises Exchange organization for a hybrid deployment, the following components are required.

Exchange Server 2016 with Mailbox Role EXCH2016
Exchange Server 2016 with Edge Transport Role EXCH2016EDGE
Windows Server 2016 with Azure Active Directory Connect (AAD Connect) Installed AADCONNECT
Active Directory Federation Server(s) ADFS2016
Web Application Proxy Server in perimeter EDGE2016
Domain Controller running on minimum Windows Server 2008 R2 DC01
Office 365 Subscriptions with default domain configured i.e. Service tenant FQDN Domain.onmicrosoft.com
Accepted Domain in Office 365 and On-premises Domain.com
On-premises domain type Authoritative
Office 365 Domain Type Internal Relay
User principal name domain and Microsoft Online ID domain @domain.com
External Azure AD Connect with AD FS FQDN sts.domain.com
On-premises Autodiscover FQDN Autodiscover.domain.com
Office 365 Autodiscover Autodiscover.outlook.com

Configuring Hybrid Exchange Server

Step1: Add and validate primary Email domain to Office 365

Perform the following steps to add the primary SMTP namespace to Office 365:

  1. Log on to: Office 365 admin center preview
  2. Click Settings > Domains > Add domain.
  3. Enter the primary SMTP namespace. For example, domain.com. Then, click Next.
  4. Copy the TXT record from the Wizard, go to domain management portal and add a text record ms=msxxxxxxx record and verify the domain. Setup TTL to 10 minutes. When complete, wait 10 minutes and then click Verify. If the wizard says it can’t verify your domain ownership, you might need to wait longer for your DNS records to update across the Internet; this might take several hours. Also verify that the record you created is correct.
  5. On the Required DNS settings page, click Continue setup. Don’t update your DNS records right now. Instead, you’ll update your DNS records later in your hybrid deployment.
  6. On the Set up your online services page, select I’ll manage my own DNS records and click Next.
  7. On the Update DNS settings page, select Skip this step – I have custom DNS records, so I’ll add the records I need later. I understand that some Office 365 services may be unavailable until I manually add the records with my registrar. Click Skip, and then click Finish.

Step2: Setup Primary SMTP Domain to Internal Relay

Definitions of Domain Type

Authoritative – Selecting this option means that email is delivered to email addresses that are listed for recipients in Office 365 for this domain. Emails for unknown recipients are rejected.

Internal relay – Selecting this option means that recipients for this domain can be in Office 365 or your on-premises mail servers. Email is delivered to known recipients in Office 365 or is relayed to your own email server if the recipients aren’t known to Office 365.

Use the Exchange Online EAC to change the domain type

  1. In the EAC, navigate to Mail flow > Accepted domains.
  2. Select the domain and click Edit .
  3. In the Accepted Domain window, in the This accepted domain is section, select the domain type. Edit the domain value to Internal relay.

Step3: Configure Active Directory synchronization

  1. Download Azure Active Directory Connect on the computer where you’ll install it, and then open it.
  2. On the Welcome page, click Next if you agree to the license terms and privacy notice.
  3. On the Express Settings page, click Customize.
  4. On the Install required components page, click Install.
  5. On the User sign-in page, select Federation with AD FS and then click Next.
  6. On the Connect to Azure AD page, enter the username and password for a user account that is a Global Administrator in your Office 365 organization , and then click Next.
  7. On the Connect your directories page, select the Active Directory forest that contains the Exchange organization you want to configure for hybrid deployment, and then enter the username and password for a user account that’s a member of the Enterprise Administrators group in that forest. Click Next.
  8. On the Domain and OU filtering page, select Sync all domains and OUs if you want to synchronize all of your on-premises Active Directory users to Office 365. If you want to select a specific organizational unit (OU), select Sync selected domains and OUs, and then select the Active Directory domains and OUs you want to synchronize. Click Next.
  9. On the Uniquely identifying your users page, make sure that Users are represented only once across all directories is selected, and then click Next.
  10. On the Filter users and devices page, make sure that Synchronize all users and devices is selected, and then click Next.
  11. On the Optional Features page, select Exchange hybrid deployment, and then click Next.
  12. On the AD FS farm page, select Configure a new Windows server 2016 AD FS farm.
  13. In the Certificate File field, browse to the third-party certificate that includes a subject alternative name (SAN) that matches the external FQDN of the AD FS server. This certificate needs to include a private key. In the Subject Name field, select the SAN you want to use, for example sts.domain.com. Click Next.
  14. On the AD FS Servers page, click Browse, select the name of the server where you’re installing Azure AD Connect with AD FS, and then click Add.
  15. On the Web application proxy servers page, click Browse, select the name of the server that will act as a web proxy for external connections, and then click Add.
  16. On the Proxy trust credentials page, enter the username and password of a user account that can access the certificate store on the AD FS server that contains the certificate you specified earlier in these steps, and then click Next.
  17. On the AD FS service account page, select Create a group Managed Service Account, enter the username and password for a user that’s a member of the Enterprise Admins group, and then click Next.
  18. On the Azure AD Domain page, select the domain that matches the custom domain that you added to your Office 365 organization and matches the User Principal Name users with which users will log in. For example, if you added the custom domain domain.com, and usernames are @domain.com, select domain.com from the list. Click Next.
  19. On the Ready to configure page, select Start the synchronization process as soon as the configuration completes, and then click Next.
  20. On the Configuration complete page, click Exit.
  21. Make sure that your firewall is configured to allow connections on TCP port 443 from external sources to your AD FS web proxy server.
  22. At this point, Azure AD Connect will synchronize your on-premises user accounts and their information to your Office 365 organization. Depending on how many accounts need to be synchronized, this might take a while.

Step4: Create Federation with Azure Active Directory

Remote into the Primary ADFS Server, Run the below cmdlets

Connect-MsolService
Set-MsolAdfsContext -Computer “adfsserver.domain.com”
Convert-MsolDomainToFederated -Domain “domain.com” -SupportMultipleDomain

If you have multiple userprincipalname, you have run the below cmdlets to federate with Azure AD.
Convert-MsolDomainToFederated -Domain “domain1.com” -SupportMultipleDomain
Convert-MsolDomainToFederated -Domain “domain2.com” -SupportMultipleDomain
Update-MsolFederatedDomain -Domain “domain1.com” -SupportMultipleDomain
Update-MsolFederatedDomain -Domain “domain2.com” -SupportMultipleDomain

Further reading ADFS Configuration Guide

Step5: Verify tenant configuration

To create a mailbox in the Exchange Online organization, do the following:

  1. Open Active Directory Users and Computers on an Active Directory domain controller in your on-premises organization.
  2. Expand the container or organizational unit (OU) where you want to create a new Active Directory user.
  3. Click Action in the menu bar, and then click New > User.
  4. Enter the required user information. Because this user will be associated with a test mailbox, we recommend that you clearly identify the user as such. For example, name the user “Test User”.
  5. In the User logon name field, provide the user name that the user should specify when logging into their user account. This user name, combined with the user principal name (UPN) in the drop-down box next to the User logon name field, makes up the Microsoft Online Identity of the user. The Microsoft Online Identity typically matches the user’s email address, and the domain suffix chosen should match the federated domain configured in Active Directory Federation Services. For example, testuser@domain.com. Click Next.
  6. Enter a password for the new user, specify any options you want to set, and then click Next.
  7. Click Finish.
  8. Run delta synchronization to synchronize the new user to the Office 365 organization  using this PowerShell Cmdlet. Start-ADSyncSyncCycle -PolicyType Delta
  9. Log on to: Office 365 service administration portal
  10. Assign a E1 or E3 license to the new user.

Step6: Install Edge Transport server

The Edge Transport server role is typically deployed on a computer located in an Exchange organization’s perimeter network and is designed to minimize the attack surface of the organization. The Edge Transport server role handles all Internet-facing mail flow, which provides SMTP relay and smart host services for the on-premises Exchange organization. Use Edge Transport servers if you don’t want to expose internal Exchange 2016 Mailbox servers directly to the Internet.

If you already have an Edge Transport server deployed in your on-premises organization, you can skip this checklist step unless you’d like to install additional Edge Transport servers.

Step7: Configure Edge servers

After installing the Exchange 2016 Edge Transport server, or if you already have an Edge Transport server in your on-premises Exchange organization, you must configure the following services and parameters to enable the Edge Transport server to handle secure communications between the on-premises Exchange servers, clients, and Office 365. If you already have an Edge Transport Server, skip this step.

Follow additional guidelines to Edge Transport Server.

Further References on Edge Transport Server.

Step8: Configure DNS

Hybrid requirement DNS record Record type Value
Required for all hybrid deployments autodiscover.domain.com CNAME or A If using CNAME DNS:  mail.domain.com

If using Host A DNS:  External IP address of an Exchange 2016 Mailbox server or firewall

Recommended as a best practice for all hybrid deployments SPF TXT v=spf1 include:spf.protection.outlook.com ~all
ADFS Public record sts.domain.com A Public IP address of the AD FS web proxy server or firewall
Internal record by editing Hosts File located %SystemRoot%\system32\drivers\etc\HOSTS of WAP server sts.domain.com A Internal IP address of the AD FS Servers

Step9: Firewall Configuration

If your organization uses Office 365 and restricts computers on your network from connecting to the Internet, below you’ll find the endpoints (FQDNs, Ports, URLs, IPv4, and IPv6 address ranges) that you should include in your outbound allow lists to ensure your computers can successfully use Office 365.

Hybrid deployment configuration changes may require you to modify security settings for your on-premises network and protection solutions. Exchange 2016 Mailbox servers must be accessible on TCP port 443, and Edge Transport and Mailbox servers must be accessible on TCP port 25. Other Office 365 services, such as SharePoint Online and Lync Online, may require additional network security configuration changes. If you’re using Microsoft Threat Management Gateway (TMG) in your on-premises organization, additional configuration steps will also be needed to allow full Office 365 integration in the hybrid deployment.

Step10: Configure Exchange Web Services

The external fully qualified domain name (FQDN) of your Internet-facing Exchange 2016 Mailbox server needs to be configured on several virtual directories for a hybrid deployment. By completing this checklist step, the external URL on the Exchange Web Services (EWS), Outlook Address Book (OAB), Outlook Web App (OWA), Exchange Control Panel (ECP), and the Exchange ActiveSync (Microsoft-Server-ActiveSync) virtual directories will be reset to the external FQDN of your Internet-facing Exchange 2016 Mailbox server.

Follow additional guidelines to configure web services.

Further References on Web Services.

Step11: Configure MRS Proxy

The Exchange 2016 Mailbox servers are the internet-facing servers for the organization, with a load balancer distributing traffic across them. Since those servers will be internet-facing for the Hybrid configuration, they need to be MRS Proxy enabled. Currently they are not MRS Proxy enabled, as seen here in the output of Get-WebServicesVirtualDirectory.

GetWebServicesVirtualDirectory ADPropertiesOnly | Where {$_.MRSProxyEnabled ne $true} | SetWebServicesVirtualDirectory MRSProxyEnabled $true

Step12: Configure Exchange certificates

Digital certificates are an important requirement for secure communications between on-premises Exchange 2016 servers, clients, and Office 365. You need to obtain a certificate that will be installed on Mailbox and Edge Transport servers from a third-party trusted certificate authority (CA).

Before you can configure certificates on Exchange servers, you need to get a certificate from a trusted CA. Complete the following task on an Exchange 2016 Mailbox server if you need to generate a request for a new certificate for use with the hybrid deployment.

Follow additional guidelines to install certificates.

Further References on Exchange Certificates.

Step13: Run Hybrid Configuration wizard

The Hybrid Configuration wizard helps you establish your hybrid deployment by creating the HybridConfiguration object in your on-premises Active Directory and gathering existing Exchange and Active Directory topology configuration data. The Hybrid Configuration wizard also enables you to define and configure several organization parameters for your hybrid deployment, including secure mail transport options.

You can use the Hybrid Configuration wizard in the EAC on an Exchange 2016 server in your on-premises organization to create and configure the hybrid deployment.

  1. In the EAC on an Exchange 2016 server in your on-premises organization, navigate to the Hybrid, In the Hybrid node, click Configure to enter your Office 365 credentials.
    At the prompt to log in to Office 365, select sign in to Office 365 and enter the account credentials. The account you log into needs to be a Global Administrator in Office 365.
  2. Click Configure again to start the Hybrid Configuration wizard.
  3. On the Microsoft Office 365 Hybrid Configuration Wizard Download page, click Click here to download wizard. When you’re prompted, click Install on the Application Install, Click Next, and then, in the On-premises Exchange Server Organization section, select Detect a server running Exchange 2013 CAS or Exchange 2016. The wizard will attempt to detect an on-premises Exchange 2016 server. If the wizard doesn’t detect an Exchange 2016 server, or if you want to use a different server, select Specify a server running Exchange 2013 CAS or Exchange 2016 and then specify the internal FQDN of an Exchange 2016 Mailbox server.
  4. In the Office 365 Exchange Online section, select Microsoft Office 365 and then click Next.
  5. On the Credentials page, in the Enter your on-premises account credentials section,  specify a different set of credentials, specify the username and password an Active Directory account you want to use. Whichever selection you choose, the account used needs to be a member of the Enterprise Admins security group.
  6. In the Enter your Office 365 credentials section, specify the username and password of an Office 365 account that has Global Administrator permissions. Click Next.
  7. On the Validating Connections and Credentials page, the wizard will connect to both your on-premises organization and your Office 365 organization to validate credentials and examine the current configuration of both organizations. Click Next when it’s done.
  8. On the Hybrid Features page, select Full Hybrid Configuration and then click Next.
  9. On the Hybrid Domains, select the domain or multiple accepted domains you want to include in your hybrid deployment. In most deployments you can leave the Auto Discover column set to False for each domain. Only select True next to a domain if you need to force the wizard to use the Autodiscover information from a specific domain.
  10. Click Next.
  11. On the Federation Trust page, click Enable and click then Next.
  12. On the Domain Ownership page, click Click copy to clipboard to copy the domain proof token information for the domains you’ve selected to include in the hybrid deployment. Open a text editor such as Notepad and paste the token information for these domains. Before continuing in the Hybrid Configuration wizard, you must use this info to create a TXT record for each domain in your public DNS.
  13. Click Next after the TXT records have been created and the DNS records have replicated.
  14. On the Hybrid Configuration page, select the Configure my Edge Transport servers for secure mail transport option to configure your on-premises Edge Transport servers for secure mail transport with Office 365. Click Next.
  15. If you want Office 365 to send all outbound messages to external recipients to your on-premises transport servers, select the Enable centralized mail transport check box in the More options section.The on-premises transport servers will be responsible for delivering the messages to external recipients. This approach is helpful in compliance scenarios where all mail to and from the Internet must be processed by on-premises servers. If this check box is not selected, Office 365 will bypass the on-premises organization and deliver messages to external recipients directly using the recipient’s external DNS settings.You select this option if you want to use your own Spam Filter.
  16. On the Edge Transport Servers page, select the Edge Transport server you want to configure for secure mail transport. click Next. In this section, you have to provide the public IP addresses of edge servers or public FQDN of edge servers.
  17. On the Transport Certificate page, in the Select a reference server field, select Exchange 2016 Mailbox server that has the certificate you configured earlier in the checklist.
  18. In the Select a certificate field, select the certificate to use for secure mail transport. This list displays the digital certificates issued by a third-party certificate authority (CA) installed on the Mailbox server selected in the previous step. Click Next.
  19. On the Organization FQDN page, enter the externally accessible FQDN for your Internet-facing Exchange 2016 Mailbox server. Office 365 uses this FQDN to configure the service connectors for secure mail transport between your Exchange organizations. For example, enter “mail.domain.com”. Click Next.
  20. The hybrid deployment configuration selections have been updated, and you’re ready to start the Exchange services changes and the hybrid deployment configuration. Click Update to start the configuration process. While the hybrid configuration process is running, the wizard displays the feature and service areas that are being configured for the hybrid deployment as they are updated.
  21. When the wizard has completed all of the tasks it can perform automatically, it’ll list any tasks that you need to address manually before your hybrid deployment configuration is complete.
  22. The wizard displays a completion message and the Close button is displayed. Click Close to complete the hybrid deployment configuration process and to close the wizard.
  23. You’ll probably need to configure the Receive connector on your Edge Transport server by doing the following.
    Open the Exchange Management Shell on your Exchange 2016 Edge Transport server.
    Run the following command to list the Receive connectors on your Edge Transport server. Make note of the Receive connector that’s listening on TCP port 25.Get-ReceiveConnectorRun the following command to configure the Receive connector. Replace the name of the Receive connector in the following command with the name of the connector you identified in the previous step.Set-ReceiveConnector “Edge\Default internal receive connector Edge” -TlsDomainCapabilities mail.protection.outlook.com:AcceptOorgProtocol -Fqdn “mail.domain.com”24. Additional Steps for Centralised Mailflow or Route all inbound-outbound emails through on-premises servers. You need to enable remote mailbox using enable-remotemailbox and set target address using set-remotemailbox for this each mailbox as user1@domain.mail.onmicrosoft.com where domain is your domain name in Office 365. You must run full sync after this on the AAD Connect Server. You must run start-edgesynchronization –Server EXCH2016MailboxServer on the Edge Transport 2016 Server

Step14: Send Connector and Receive Connector Configuration on the on-premises server

Use the EAC to create an Internet Send connector

  1. In the EAC, navigate to Mail flow > Send connectors, and then click Add . This starts the New Send connector
  2. On the first page, enter the following information: Name: To Office 365 and Type: Internet When you are finished, click Next.
  3. On the next page, verify that MX record associated with recipient domain is selected. When you are finished, click Next.
  4. On the next page, In the Address space section, click Add . In the Add domain dialog box that appears, in Fully Qualified Domain Name (FQDN), enter an asterisk (*), and then click Save. This value indicates that the Send connector applies to messages addressed to all external domains. When you are finished, click Next.
  5. On the next page, in the Source server section, click Add . In the Select a Server dialog box that appears, select one or more Edge Transport Servers if you route email through Edge Server if not enter mailbox servers that you want to use to send mail to the Internet. If you have multiple Mailbox servers in your environment, select the ones that can route mail to the Internet. If you have only one Mailbox server, select that one. After you’ve selected at least one Mailbox server, click Add, click OK, and then click Finish.

Use the EAC to Create a Receive Connector to Receive Secure Messages from a Partner

  1. In the EAC, navigate to Mail flow > Receive connectors. Click Add to create a new Receive connector.
  2. On the New receive connector page, specify a name for the Receive connector and then select Frontend Transport for the Role. Since you are receiving mail from a partner in this case, we recommend that you initially route mail to your front end server to simplify and consolidate your mail flow.
  3. Choose Partner for the type. The Receive connector will receive mail from a trusted third party.
  4. For the Network adapter bindings, observe that All available IPV4 is listed in the IP addresses list and the Port is 25. (Simple Mail Transfer Protocol uses port 25.) This indicates that the connector listens for connections on all IP addresses assigned to network adapters on the local server. Click Next.
  5. If the Remote network settings page lists 0.0.0.0-255.255.255.255, which means that the Receive connector receives connections from all IP addresses, click Remove 0.0.0-255.255.255.255 to remove it. Click Add EOP IP Addresses, and Datacentre IP Addresses add the IP address for your partner’s server, and click Save.
  6. Click Finish to create the connector.
  7. Run the below Cmdlets in Mailbox Server

Get-ReceiveConnector “Inbound from Office 365“ | Add-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights “ms-Exch-SMTP-Accept-Any-Recipient”

  1. Verify Receive Connector using below Cmdlets

Get-ADPermission -Identity “ Inbound from Office 365” -User “NT AUTHORITY\ ANONYMOUS LOGON” | where {($_.Deny -eq $false) -and ($_.IsInherited -eq $false)} | Format-Table User,ExtendedRights

  1. Add Datacentre IP Addresses using this Link
  2. Troubleshoot using this link

Step14: Create a test mailbox

You can use the Office 365 Mailbox wizard in the EAC on an Exchange server to create a test mailbox in Office 365. If you want to create more than one test mailbox, you’ll have to use this wizard for each test mailbox. You can’t use the wizard to create multiple test mailboxes.

  1. Log into the EAC on an on-premises Exchange 2016 server.
  2. In the EAC, navigate to Enterprise > Recipients > Mailboxes.
  3. Expand the menu at the Add  control and select Office 365 mailbox.
  4. On the New Office 365 mailbox page, specify the following settings:
    • First Name   Type the first name of the new user.
    • Initials   Type the initials of the new user.
    • Last Name   Type the last name of the new user.
    • User logon name   Type the user logon name of the new user and select the primary SMTP domain used for your other on-premises users. For example, @domain.com.
    • Mailbox type   Choose the type of mailbox to create. For example, User mailbox.
    • Password   Type the password.
    • Confirm password   Retype the password.
    • Make sure the Create an archive mailbox check box is not selected.
  5. Click Save to continue.
  1. Start-ADSyncSyncCycle -PolicyType Delta

Step15: Move or create mailboxes

You can use the remote move migration wizard in the Office 365 tab in the Exchange admin center (EAC) on an Exchange server to move existing user mailboxes in the on-premises organization to Office 365:

  1. Open the EAC and navigate to Office 365 > Recipients > migration.
  2. Click Add  and select Migrate to Exchange Online.
  3. On the Select a migration type page, select Remote move migration and then click Next.
  4. On the Select the users page, click Add , select the on-premises users to move to Office 365 and click Add, and then click OK. Click Next.
  5. On the Enter the Windows user account credential page, enter the on-premises administrator account name in the On-premises administrator name text field and enter the associated password for this account in the On-premises administrator password text field. For example, “Domain\administrator” and a password. Click Next.
  6. On the Confirm the migration endpoint page, verify that the FDQN of your on-premises Mailbox server is listed when the wizard confirms the migration endpoint. For example, “mail.domain.com”. Click Next.
  7. On the Move configuration page, enter a name for the migration batch in the New migration batch name text field. Use the down arrow  to select the target delivery domain for the mailboxes that are migrating to Office 365. In most hybrid deployments, this will be the primary SMTP domain used for both on-premises and Office 365 mailboxes. For example, user@domain.com. Verify that the Move primary mailbox along with archive mailbox option is selected, and then click Next.
  8. On the Start the batch page, select at least one recipient to receive the batch complete report. Verify that the Automatically start the batch and Automatically complete the migration batch options are selected. Click New.
  9. While the mailboxes are being moved, you will see a status of Synching in the migration status for each mailbox moved to Office 365. After the mailbox move request reaches a status of Completed, the mailbox migration process is complete.

Step16: Test hybrid deployment connectivity

Testing the external connectivity for critical Exchange 2016 and Office 365 features is an important step in ensuring that your hybrid deployment features are functioning correctly. The Microsoft Remote Connectivity Analyzer is a free online web service that you can use to analyze, and run tests for, several Exchange 2016 and Office 365 services, including Exchange Web Services, Outlook, Exchange ActiveSync, and Internet email connectivity.

Exchange 2010/2013 to Exchange 2016 Migration Step by Step

  • Deployment Location: On-premises
  • Target Environment: Exchange Server 2016 CU4
  • Current Environment: Exchange Server 2010 or Exchange Server 2013 or mixed
  • Public Folder Location: Exchange Server 2013

Understanding of Exchange Server 2016: Exchange Server 2016 wraps up in two Exchange roles to simplify hassle of many roles evolution in previous versions of Exchange Servers:

  • Mailbox- The Mailbox server includes the Client Access protocols, the Transport service, the Mailbox databases, and Unified Messaging. The Mailbox server handles all activity for the active mailboxes on that server.
  • Edge Transport- The Edge Transport server role is deployed in your organization’s perimeter network and outside your internal Active Directory forest. Designed to minimize the attack surface, the Edge Transport server handles all Internet-facing mail flow and provides SMTP relay and smart host services, anti-spam features, message protection, and transport security for the Exchange organization.

Extend AD DS Schema and Prepare AD DS: To make sure Active Directory Forest is ready to run Exchange 2016 Setup. Open a Windows Command Prompt window and go to where you downloaded the Exchange 2016 installation files. Run the following command to extend the schema.

set-executionpolicy unrestricted

Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

Setup.exe /PrepareAD /OrganizationName:”<organization name>” /IAcceptExchangeServerLicenseTermsSetup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms

(Optional Steps, Only required if you have multiple Domains in a single forest)

Certificates: When deploying Exchange 2016, Microsoft strongly recommend that you obtain a public certificate issued by a third either party CA or use current certificate from existing environment. Export current certificate from Exchange Server 2013 and save the PFX format certificate into new Windows Server 2016 where Exchange Server 2016 will be installed. Add Common Name mail.domain.com and SAN autodiscover.domain.com or use *.domain.com

Supported Client: Exchange 2016 and Exchange Online support the following versions of Outlook:

  • Outlook 2016
  • Outlook 2013
  • Outlook 2010
  • Outlook for Mac for Office 365
  • Outlook for Mac 2011

Hybrid Deployment Consideration with office 365: The hybrid deployment can serve as an intermediate step to moving completely to an Exchange Online organization. To configure a hybrid deployment after initial Exchange 2016 installation or migration is complete, select Hybrid Configuration Wizard from EAC and configure desired mailflow architecture to suit your needs.

Exchange Server 2016 Systems Requirements:

  • Update Rollup 11 Exchange 2010 SP3 or later on all Exchange 2010 servers in the organization, including Edge Transport servers.
  • Exchange 2013 Cumulative Update 10 or later on all Exchange 2013 servers in the organization, including Edge Transport servers.
  • Windows Server 2008 domain functional level
  • Windows Server 2016 with desktop experience or Windows Server 2012 R2
  • 2vCPU, 8GB RAM, 30GB free space and space for mailboxes
  • .NET Framework 4.6.2
  • Unified Communications Managed API (UCMA) 5.0

Permission and RBAC:

Task Permissions required
Install the Mailbox server role

(first server installed)

Local Administrator

Enterprise Administrator

Schema Administrator

Install additional Mailbox servers Organization Management
Install the Edge Transport server role Local Administrator

Exchange Server 2016 Deployment Datasheet

Description Example value in checklist
Active Directory forest domain.com
Internal Exchange 2016 Mailbox EXCH2016
Internal Exchange 2016 Edge Transport EXCH2016EDGE
Internal Exchange 2013 Mailbox and CAS EXCH2013
Internal Exchange 2013 Edge Transport EXCH2013EDGE
Internal Exchange 2010 Mailbox and CAS EXCH2010
Internal Exchange 2010 Edge Transport EXCH2010EDGE
External and Internal Exchange 2016 FQDN for the following services:

  • Outlook Anywhere
  • Offline Address Book
  • Remote Windows PowerShell
  • Exchange Web Services (EWS)
  • Exchange ActiveSync
  • Outlook on the web
  • ECP (Exchange admin center)
mail.domain.com
Internal and External Autodiscover FQDN autodiscover.domain.com
Primary SMTP namespace domain.com
User principal name domain @domain.com

Note:

  • Edge Transport- If you have existing Edge Transport servers or if you plan to install Edge Transport servers, or both.
  • Co-existence Scenario- Applicable only if your existing organization has Exchange 2010/2013 servers.
  • Availability- Add multiple servers for availability and site resiliency

Configure default offline address book:

Configure offline address book if OAB has not been already configured in the current environment.

Get-MailboxDatabase | Format-Table Name, Server, OfflineAddressBook -AutoGet-MailboxDatabase | Set-MailboxDatabase -OfflineAddressBook “Default Offline Address Book”

Servers Build:

  • Build Windows Server 2016 and assign IPv4 to the network interface of to be Exchange Servers.
  • Rename all other Windows Server 2016 prepared for Exchange 2016 and Join them to domain
  • Rename Computer and create DNS prefix for Exchange 2016 Edge Server
  1. Log on to the computer where you want to install the Edge Transport role as a user that’s a member of the local Administrators group.
  2. Open the Control Panel, and then double-click System.
  3. In the Computer name, domain, and workgroup settings section, click Change settings.
  4. In the System Properties window, make sure the Computer Name tab is selected, and then click Change.
  5. In Computer Name/Domain Changes, click More .
  6. In Primary DNS suffix of this computer, enter the DNS domain name for the Edge Transport server. For example, domain.com.
  7. Click OK to close each window.
  8. Restart the computer.
  • Windows Server 2016 Roles and Features Prerequisites for Mailbox Role:

Open Windows PowerShell. Run the following command to install the required Windows components.

Install-WindowsFeature NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS

After you have installed the operating system roles and features, reboot computer. Install the following software in the order shown:

  1. Microsoft Knowledge Base article KB3206632
  2. Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit

Windows Server 2016 Roles and Features Prerequisites for Edge Transport Role:

Open Windows PowerShell. Run the following command to install the required Windows components.

Install-WindowsFeature ADLDS

Installation of Exchange Server 2016:

  1. Download latest release of Exchange 2016 to an accessible network location.
  2. Log on to the computer where you want to install Exchange and navigate to the network location of the Exchange 2016 installation files.
  3. Start Exchange 2016 Setup by double-clicking Setup.exe. You must right-click Setup.exe, and then select Run as administrator.
  4. On the Check for Updates page, choose whether you want Setup to connect to the Internet and download product and security updates for Exchange 2016. If you select Connect to the Internet and check for updates, Setup will download updates and apply them before continuing. If you select Don’t check for updates right now, you can download and manually install updates later. We recommend that you download and install updates now. Click Next to continue.
  5. The Introduction page begins the process of installing Exchange into your organization. It will guide you through the installation. Several links to helpful deployment content are listed. We recommend that you visit these links before continuing setup. Click Next to continue.
  6. On the License Agreement page, review the software license terms. If you agree to the terms, select I accept the terms in the license agreement, and then click Next.
  7. On the Recommended settings page, select whether you want to use the recommended settings. If you select Use recommended settings, Exchange will automatically send Microsoft your error reports and information about your computer hardware and how you use Exchange. If you select Don’t use recommended settings, these settings remain disabled, but you can enable them at any time after Setup completes.
  8. On the Server Role Selection page, select Mailbox role. The management tools are installed automatically if you install any server role.
  9. Select Automatically install Windows Server roles and features that are required to install Exchange Server to have the Setup wizard install required Windows prerequisites. You may need to reboot the computer to complete the installation of some Windows features. If you don’t select this option, you must manually install the Windows features.
  10. Click Next to continue.
  11. On the Installation Space and Location page, either accept the default installation location or click Browse to choose a new location. Make sure that you have enough disk space available in the location where you want to install Exchange. Click Next to continue.
  12. On the Malware Protection Settings page, choose whether you want to enable malware scanning. If you disable malware scanning, it can be enabled in the future. Unless you have a specific reason to disable malware scanning, we recommend that you keep it enabled. Click Next to continue.
  13. On the Readiness Checks page, view the status to determine if the organization and server role prerequisite checks completed successfully. If they haven’t completed successfully, you must resolve any reported errors before you can install Exchange 2016. You don’t need to exit Setup when resolving some of the prerequisite errors. After resolving a reported error, click Back, and then click Next to run the prerequisite check again. Be sure to also review any warnings that are reported. If all readiness checks have completed successfully, click Install to install Exchange 2016.
  14. On the Completion page, click Finish.
  15. Restart the computer after Exchange 2016 installation is complete. Repeat the steps for all other Exchange Server 2016 Mailbox Role.

Installation of Edge Server 2016

  1. After you download Exchange 2016, log on to the computer where you want to install it.
  2. Go to the network location of the Exchange 2016 installation files.
  3. Start Exchange 2016 Setup by double-clicking Setup.exe as an administrator.
  4. On the Check for Updates page, choose whether you want Setup to connect to the Internet and download product and security updates for Exchange 2016. If you select Connect to the Internet and check for updates, Setup will download updates and apply them before continuing. If you select Don’t check for updates right now, you can download and manually install updates later. We recommend that you download and install updates now. Click Next to continue.
  5. The Introduction page begins the process of installing Exchange into your organization. It will guide you through the installation. Several links to helpful deployment content are listed. We recommend that you visit these links before continuing setup. Click Next to continue.
  6. On the License Agreement page, review the software license terms. If you agree to the terms, select I accept the terms in the license agreement, and then click Next.
  7. On the Recommended settings page, select whether you want to use the recommended settings. If you select Use recommended settings, Exchange will automatically send Microsoft your error reports and information about your computer hardware and how you use Exchange. If you select Don’t use recommended settings, these settings remain disabled, but you can enable them at any time after Setup completes. For more information about these settings and how information sent to Microsoft is used, click ?.
  8. On the Server Role Selection page, select Edge Transport. Remember that you can’t add the Mailbox server role to a computer that has the Edge Transport role installed. The management tools are installed automatically if you install either server role.
  9. Select Automatically install Windows Server roles and features that are required to install Exchange Server to have the Setup wizard install required Windows prerequisites. You may need to reboot the computer to complete the installation of some Windows features. If you don’t select this option, you need to install the Windows features manually.
  10. Click Next to continue.
  11. On the Installation Space and Location page, either accept the default installation location or click Browse to choose a new location. Make sure that you have enough disk space available in the location where you want to install Exchange. Click Next to continue.
  12. On the Readiness Checks page, view the status to determine if the organization and server role prerequisite checks completed successfully. If they haven’t completed successfully, you need to resolve any reported errors before you can install Exchange 2016. You don’t need to exit Setup when resolving some of the prerequisite errors. After resolving a reported error, click back, and then click Next to run the prerequisite check again. Be sure to also review any warnings that are reported. If all readiness checks have completed successfully, click Next to install Exchange 2016.
  13. On the Completion page, click Finish
  14. Restart the computer after Exchange 2016 installation is complete.

Post Installation Tasks:

Check or Add Exchange Organisation Management Role

  1. In the EAC https://EXCH2016/ecp?ExchClientVer=15, go to Permissions > Admin Roles. On the Admin Roles page, select Organization Management.
  2. In the details pane, view the Members list. If the Exchange 2016 mailbox has been successfully added as a member of the Organization Management role group, the mailbox will be listed here.

Create a test mailbox

  1. Open the EAC https://EXCH2016/ecp?ExchClientVer=15 by browsing to the URL of your Exchange 2016 Mailbox server.
  2. Enter the user name and password of the account you used to install Exchange 2016 in Domain\user name and Password, and then click Sign in.
  3. Go to Recipients > Mailboxes. On the Mailboxes page, click Add , and then select User mailbox.
  4. Provide the information required for the new user, and then click Save.
  5. Go to Permissions > Admin Roles. On the Admin Roles page, select Organization Management, and then click Edit .
  6. Under Members, click Add .
  7. Select the Exchange 2016 mailbox you just created, click Add , then click OK. Then click Save.

Install Exchange Server 2016 Product key

  1. Open the EAC by browsing to https://Exch2016/ecp.
  2. Enter your user name and password in Domain\user name and Password, and then click Sign in.
  3. Go to Servers > Servers. Select the server you want to license, and then click Edit .
  4. (Optional) If you want to upgrade the server from a Standard Edition license to an Enterprise Edition license, on the General page, select Change product key. You’ll only see this option if the server is already licensed.
  5. On the General page, enter your product key in the Enter a valid product key text boxes.
  6. Click Save.
  7. If you licensed an Exchange server running the Mailbox server role, do the following to restart the Microsoft Exchange Information Store service:
    1. Open Control Panel, go to Administrative Tools, and then open Services.
    2. Right-click on Microsoft Exchange Information Store and click Restart.

Simply use the below PowerShell Cmdlets to install product key.

Set-ExchangeServer ExCH2016Server01 -ProductKey XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

Configure Exchange Server 2016 External URL:

There are several settings that you need to configure on the Exchange 2016 virtual directories, which include Outlook Anywhere, Exchange ActiveSync, Exchange Web Services, Offline Address Book (OAB), Outlook on the web, the Exchange admin center, and the availability service.

  1. Open the EAC by browsing to the URL of your Exchange 2016 Mailbox server. For example, https://EXCH2016/ECP or https://EXCH2016/ecp?ExchClientVer=15 .
  2. Enter your user name and password in Domain\user name and Password, and then click Sign in.
  3. Go to Servers > Servers, select the name of the Internet-facing Exchange 2016 Mailbox server, and then click Edit.
  4. Click Outlook Anywhere.
  5. In the Specify the external hostname field, specify the externally accessible FQDN of the Mailbox server. For example, mail.domain.com.
  6. While you’re here, let’s also set the internally accessible FQDN of the Mailbox server. In the Specify the internal hostname field, enter the FQDN you used in the previous step. For example, mail.domain.com.
  7. Click Save.
  8. Go to Servers > Virtual directories.
  9. In the Select server field, select the Internet-facing Exchange 2016 Mailbox server.
  10. Select the virtual directory you want to change, and then click Edit.
  11. In External URL, replace the host name between https:// and the first forward slash (/ ) with the new FQDN you want to use. For example, if you want to change the EWS virtual directory FQDN from EXCH2016.domain.com to mail.domain.com, change the external URL from https://EXCH2016.domain.com/ews/exchange.asmx to https://mail.domain.com/ews/exchange.asmx.
  12. Click Save.
  13. Repeat steps 9, 10 and 11 for each virtual directory you want to change.

To verify that you successfully configured the external URL on the Internet-facing Exchange 2016 Mailbox server virtual directories, do the following:

  1. In the EAC, go to Servers > Virtual directories.
  2. In the Select server field, select the Internet-facing Exchange 2016 Mailbox server.
  3. Select a virtual directory and then, in the virtual directory details pane, verify that the External URL field is populated with the correct FQDN and service as shown below:

Virtual directory External URL value
Autodiscover No external URL displayed
ECP https://mail.domain.com/ecp
EWS https://mail.domain.com/EWS/Exchange.asmx
Mapi https://mail.domain.com/mapi
Microsoft-Server-ActiveSync https://mail.domain.com/Microsoft-Server-ActiveSync
OAB https://mail.domain.com/OAB
OWA https://mail.domain.com/owa
PowerShell http://mail.domain.com/PowerShell

Configure internal and external URLs to be the same:

Note: I personally prefer to have same URL for internal and external web access. The same URL eliminates confusion when using OWA internally and externally. Microsoft also recommends that you use the same URL for both internal and external URLs. Using the same URL makes it easier for users to access your Exchange servers because they only have to remember one address. Regardless of the choice you make, you need to make sure you configure a private DNS zone for the address space you configure.

  1. Open the Exchange Management Shell on your Exchange 2016 Mailbox server.
  2. Store the host name of your Exchange 2016 Mailbox server in a variable that will be used in the next step. For example, EXCH2016.

$HostName = “EXCH2016”

  1. Run each of the following commands in the Shell to configure each internal URL to match the virtual directory’s external URL.

Set-EcpVirtualDirectory “$HostName\ECP (Default Web Site)” -InternalUrl ((Get-EcpVirtualDirectory “$HostName\ECP (Default Web Site)”).ExternalUrl)7.

Set-WebServicesVirtualDirectory “$HostName\EWS (Default Web Site)” -InternalUrl ((Get-WebServicesVirtualDirectory “$HostName\EWS (Default Web Site)”).ExternalUrl)

Set-MapiVirtualDirectory “$HostName\mapi (Default Web Site)” -InternalUrl ((Get-MapiVirtualDirectory “$HostName\mapi (Default Web Site)”).ExternalUrl)

Set-ActiveSyncVirtualDirectory “$HostName\Microsoft-Server-ActiveSync (Default Web Site)” -InternalUrl ((Get-ActiveSyncVirtualDirectory “$HostName\Microsoft-Server-ActiveSync (Default Web Site)”).ExternalUrl)

Set-OabVirtualDirectory “$HostName\OAB (Default Web Site)” -InternalUrl ((Get-OabVirtualDirectory “$HostName\OAB (Default Web Site)”).ExternalUrl)

Set-OwaVirtualDirectory “$HostName\OWA (Default Web Site)” -InternalUrl ((Get-OwaVirtualDirectory “$HostName\OWA (Default Web Site)”).ExternalUrl)

Set-PowerShellVirtualDirectory “$HostName\PowerShell (Default Web Site)” -InternalUrl ((Get-PowerShellVirtualDirectory “$HostName\PowerShell (Default Web Site)”).ExternalUrl)

While you are in the Shell, let’s also configure the Offline Address Book (OAB) to allow Autodiscover to select the right virtual directory for distributing the OAB. Run the following command to do this.

Get-OfflineAddressBook | Where {$_.ExchangeVersion.ExchangeBuild.Major -Eq 15} | Set-OfflineAddressBook -GlobalWebDistributionEnabled $True -VirtualDirectories $Null

To verify that you successfully configured the internal URL on the Exchange 2016 Mailbox server virtual directories, do the following:

  1. In the EAC, go to Servers > Virtual directories.
  2. In the Select server field, select the Internet-facing Exchange 2016 Mailbox server.
  3. Select a virtual directory, and then click Edit.
  4. Verify that the Internal URL field is populated with the correct FQDN and service as shown below:
Virtual directory Internal URL value
Autodiscover No internal URL displayed
ECP https://mail.domain.com/ecp
EWS https://mail.domain.com/EWS/Exchange.asmx
Mapi https://mail.domain.com/mapi
Microsoft-Server-ActiveSync https://mail.domain.com/Microsoft-Server-ActiveSync
OAB https://mail.domain.com/OAB
OWA https://mail.domain.com/owa
PowerShell http://mail.domain.com/PowerShell

Configure Exchange 2016 certificates

Outlook Anywhere and Exchange ActiveSync, require certificates to be configured on your Exchange 2016 server. You can choose whether you want to re-use the SSL certificate installed from an existing Exchange server or purchase a new SSL certificate from a third-party certificate authority (CA). If you decide to re-use a certificate, the host names you have configured on the Exchange 2016 virtual directories must match the host names configured on the SSL certificate.

  1. Open the EAC by browsing to the URL of your Mailbox server. For example, https://EXCH2016/ECP.
  2. Enter your user name and password in Domain\user name and Password, and then click Sign in.
  3. Go to Servers > Certificates. On the Certificates page, make sure your Mailbox server is selected in the Select server field, and then click New.
  4. In the New Exchange certificate wizard, select Create a request for a certificate from a certification authority, and then click Next.
  5. Specify a name for this certificate, and then click Next.
  6. If you want to request a wildcard certificate, select Request a wild-card certificate, and then specify the root domain of all subdomains in the Root domain If you don’t want to request a wildcard certificate and instead want to specify each domain with SAN like mail.domain.com, edge.domain.com and sts.domain.com (for future hybrid configuration with ADFS)you want to add to the certificate, leave this page blank. Click Next.
  7. Click Browse, and specify an Exchange server to store the certificate on. The server you select should be the Internet-facing Mailbox server. Click Next.
  8. For each service in the following list, verify that the external or internal server names that users will use to connect to the Exchange server are correct. For example:
    • If you configured your internal and external URLs to be the same, Outlook Web App (when accessed from the Internet) and Outlook Web App (when accessed from the Intranet) should show mail.domain.com. OAB (when accessed from the Internet) and OAB (when accessed from the Intranet) should show mail.domain.com, edge.domain.com and sts.domain.com (for future hybrid configuration with ADFS)
  9. These domains will be used to create the SSL certificate request. Click Next.
  10. Add any additional domains you want included on the SSL certificate.
  11. Select the domain that you want to be the common name (for example, domain.com) for the certificate and click Set as common name. Click Next.
  12. Provide information about your organization. This information will be included with the SSL certificate. Click Next.
  13. Specify the network location where you want this certificate request to be saved. Click Finish.

After you’ve saved the certificate request, submit the request to your CA. After you receive the certificate from the CA, complete the following steps:

  1. On the Server > Certificates page in the EAC, select the certificate request you created in the previous steps.
  2. In the certificate request details pane, under Status, click Complete.
  3. On the Complete pending request page, specify the path to the SSL certificate file, and then click OK.
  4. Select the new certificate you just added, and then click Edit.
  5. On the certificate page, click Services.
  6. Select the services you want to assign to this certificate. At minimum, you should select IIS, but you can also select IMAP, POP, and UM call router if you use these services. If you want to use secure transport, you can also select SMTP to make this certificate available to Exchange 2016 transport. Click Save.
  7. click Yes.

To re-use certificate you need to export your certificate from your pre-exiting Exchange server with the certificate’s private key using the following steps:

  1. Log on directly to a pre-existing Exchange Client Access server with an administrator user account.
  2. Open an empty Microsoft Management Console (MMC).
  3. Click File, then Add/Remove Snap-in.
  4. In the Add or Remove Snap-ins window, select Certificates, and then click Add >.
  5. In the Certificates snap-in window that appears, select Computer account, and then click Next.
  6. Select Local computer and click Finish. Then click OK.
  7. Under Console Root, expand Certificates (Local Computer), Personal, and then Certificates.
  8. Select the third-party certificate that’s used by Exchange that matches the host names you’ve configured on the Exchange 2016 server. This must be a third-party certificate and not a self-signed certificate.
  9. Right-click the certificate, select All Tasks, and then click Export.
  10. In the Certificate Export Wizard, click Next.
  11. Select Yes, export the private key, and then click Next.
  12. Make sure Personal Information Exchange – PKCS #12 (.PFX) and Include all certificates in the certification path if possible are selected. Make sure no other options are selected. Click Next.
  13. Select Password and enter a password to help secure your certificate. Click Next.
  14. Specify a file name for the new certificate. Use the file extension .pfx. Click Next and then click Finish.
  15. You’ll receive a confirmation prompt if the certificate export was successful. Click OK to close it.
  16. Copy the .pfx file you created to your Internet-facing Exchange 2016 Mailbox server.

After you’ve exported the certificate from your pre-existing Exchange server, you need to import the certificate on your Exchange 2016 server using the following steps:

  1. Log on to your Internet-facing Exchange 2016 Mailbox server with an administrator user account.
  2. Open an empty MMC.
  3. Click File, then Add/Remove Snap-in.
  4. In the Add or Remove Snap-ins window, select Certificates, and then click Add >.
  5. In the Certificates snap-in window that appears, select Computer account, and then click Next.
  6. Select Local computer and click Finish. Then click OK.
  7. Under Console Root, expand Certificates (Local Computer), and then Personal.
  8. Right-click Personal, select All Tasks, and then click Import.
  9. In the Certificate Import Wizard, click Next.
  10. Click Browse, and select the .pfx file you copied to your Exchange 2016 Mailbox server. Click Open and then click Next.
  11. In the Password field, enter the password you used to help secure the certificate when you exported it on the pre-existing Exchange server.
  12. Verify that Include all extended properties is selected, and then click Next.
  13. Verify that Place all certificates in the following store is selected and Personal is shown in Certificate store. Click Next and then Finish.
  14. You’ll receive a confirmation prompt if the certificate import was successful. Click OK to close it.

Now that the new certificate has been imported on your Exchange 2016 Mailbox server, you need to assign it to your Exchange services using the following steps:

  1. Open the EAC by browsing to the URL of your Exchange 2016 Mailbox server. For example, https://EXCH2016/ECP.
  2. Enter your user name and password in Domain\user name and Password, and then click Sign in.
  3. On the Server > Certificates page in the EAC, select the new certificate you just added, and then click Edit.
  4. On the certificate page, click Services.
  5. Select the services you want to assign to this certificate. At minimum, you should select IIS, but you can also select IMAP, POP, and UM call router if you use these services. If you want to use secure transport, you can also select SMTP to make this certificate available to Exchange 2016 transport. Click Save.
  6. click Yes.

Configure Outlook Anywhere

  • The Outlook Anywhere external URL is set to the external host name of the Exchange 2016 server.
  • Client authentication, which is used to allow clients like Outlook 2016 to authenticate with Exchange, is set to Basic.
  • Internet Information Services (IIS) authentication, which is used to allow Exchange servers to communicate, set to NTLM and Basic.

Perform the following steps to enable and configure Outlook Anywhere on your Exchange 2010 servers. The following command will change the configuration of Outlook Anywhere on any Exchange 2010 server in your organization on which it’s already enabled.

  1. Open the Exchange Management Shell on your Exchange 2010 Client Access server.
  2. Store the external host name of your Internet-facing Exchange 2016 Mailbox server in a variable that will be used in the next steps. For example, mail.domain.com.

$Exchange2016HostName = “mail.domain.com”

  1. Run the following command to configure Exchange 2010 servers that already have Outlook Anywhere enabled to accept connections from Exchange 2016 servers.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 14*”) -And ($_.ServerRole -Like “*ClientAccess*”)} | Get-ClientAccessServer | Where {$_.OutlookAnywhereEnabled -Eq $True} | ForEach {Set-OutlookAnywhere “$_\RPC (Default Web Site)” -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName $Exchange2016HostName -IISAuthenticationMethods NTLM, Basic}

  1. Run the following command to enable Outlook Anywhere and configure Exchange 2010 to accept connections from Exchange 2016 servers.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 14*”) -And ($_.ServerRole -Like “*ClientAccess*”)} | Get-ClientAccessServer | Where {$_.OutlookAnywhereEnabled -Eq $False} | Enable-OutlookAnywhere -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName $Exchange2016HostName -IISAuthenticationMethods NTLM, Basic

To verify that you successfully configured Outlook Anywhere on your Exchange 2010 servers to accept connections redirected from Exchange 2016, do the following:

  1. Open the Exchange Management Shell on your Exchange 2010 Client Access server.
  2. Run the following command to view the Outlook Anywhere configuration on your Exchange 2010 servers.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 14*”) -And ($_.ServerRole -Like “*ClientAccess*”)} | Get-OutlookAnywhere | Format-Table Server, ClientAuthenticationMethod, IISAuthenticationMethods, SSLOffloading, ExternalHostname -Auto

Configure Edge Transport server

To make the best use of an Edge Transport server, you need to configure an Edge Subscription between the Edge Transport server and an Exchange 2016 Mailbox server in an Active Directory site. Edge Subscriptions automatically create Send connectors on the Edge Transport server based on the configuration of the Mailbox server it’s subscribed to. They also replicate recipient and other information to the Edge Transport server to improve anti-spam functionality.

Perform the following steps to configure your Edge Transport server 2016.

  1. Run the following command on the Edge Transport server.

New-EdgeSubscription -FileName “C:\Edge2016.xml”

  1. Copy the Edge2016.xml to your Mailbox server. Open the Exchange Management Shell on the Mailbox server that you want to subscribe to the Edge Transport server. This Mailbox server should be in the Active Directory site to which you want to subscribe the Edge Transport server.
  2. On the Mailbox server, run the following command. Specify the path to the location where you copied the Edge2016.xml file, and the Active Directory site where your Mailbox server is located.

New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path “C:\Edge2016.xml” -Encoding Byte -ReadCount 0)) -Site “Default-First-Site-Name” -CreateInternetSendConnector $true -CreateInboundSendConnector $true

  1. On the Mailbox server, run the following command.

Start-EdgeSynchronization

  1. On the Mailbox server, run the Test-EdgeSynchronization This cmdlet gives you detailed information about whether the subscribed Edge Transport servers have current and accurate synchronization status.

Test-EdgeSynchronization

Remove legacy Edge Subscriptions

Now that you’ve installed an Exchange 2016 Edge Transport server in your perimeter network, we need to remove the Edge Subscription between your legacy Edge Transport and Hub Transport servers. This needs to be done so that mail will flow through your new Exchange 2016 Edge Transport server. Make sure your firewall rules are changed and pointed to new Edge Servers.

Perform the following steps to remove the Edge Subscription between your legacy Edge Transport and Hub Transport servers.

  1. Log on to your legacy Edge Transport server.
  2. Run the following command to find the name of the Edge Subscription on the server.

Get-EdgeSubscription

  1. Remove the Edge Subscription using the following command and the name of the subscription found in the previous step.

Remove-EdgeSubscription EXCH2013EDGE

  1. Log on to your legacy Hub Transport server.
  2. Run the following command to find the name of the Edge Subscription on the server.

Get-EdgeSubscription

  1. Remove the Edge Subscription using the following command and the name of the subscription found in the previous step.

Remove-EdgeSubscription EXCH2013

On the Edge Transport and Hub Transport servers server, run the Get-EdgeSubscription cmdlet. No Edge Subscriptions should be listed.

Get-EdgeSubscription

Configure service connection point

  1. Open the Exchange Management Shell on your Exchange 2010 Client Access server.
  2. Store the Autodiscover host name of your Internet-facing Exchange 2016 Mailbox server in a variable that will be used in the next step. For example, autodiscover.domain.com.

$AutodiscoverHostName = “autodiscover.domain.com”

  1. Run the following command to set the SCP object on every Exchange 2010 server to the Autodiscover URL of the new Exchange 2016 server.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 14*”) -And ($_.ServerRole -Like “*ClientAccess*”)} | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$AutodiscoverHostName/Autodiscover/Autodiscover.xml

Perform the following steps to configure the SCP object on your Exchange 2013 servers.

  1. Open the Exchange Management Shell on your Exchange 2013 Client Access server.
  2. Store the Autodiscover host name of your Internet-facing Exchange 2016 Mailbox server in a variable that will be used in the next step. For example, autodiscover.domain.com.

$AutodiscoverHostName = “autodiscover.domain.com”

  1. Run the following command to set the SCP object on every Exchange 2013 server to the Autodiscover URL of the new Exchange 2016 server.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 15.0*”) -And ($_.ServerRole -Like “*ClientAccess*”)} | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$AutodiscoverHostName/Autodiscover/Autodiscover.xml

Perform the following steps to configure the SCP object on your Exchange 2016 servers.

  1. Open the Exchange Management Shell on your Exchange 2016 Mailbox server.
  2. Store the Autodiscover host name of your Exchange 2016 Mailbox server in a variable that will be used in the next step. For example, autodiscover.domain.com.

$AutodiscoverHostName = “autodiscover.domain.com”

  1. Run the following command to set the SCP object on every Exchange 2016 server to the Autodiscover URL of the new Exchange 2016 server.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 15.1*”) -And ($_.ServerRole -Like “*Mailbox*”)} | Set-ClientAccessService -AutoDiscoverServiceInternalUri https://$AutodiscoverHostName/Autodiscover/Autodiscover.xml

To verify that you successfully configured the AutoDiscoverServiceInternalUrl property on your Exchange 2010 servers with the value of the Exchange 2016 Autodiscover URL, do the following:

  1. Open the Exchange Management Shell on your Exchange 2010/2013 Client Access server.
  2. Run the following command to view the SCP object configuration on Exchange 2010 servers.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 14*”) -And ($_.ServerRole -Like “*ClientAccess*”)} | Get-ClientAccessServer | Format-Table Name, AutoDiscoverServiceInternalUri –Auto Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 15*”) -And ($_.ServerRole -Like “*ClientAccess*”)} | Get-ClientAccessServer | Format-Table Name, AutoDiscoverServiceInternalUri -Auto

To verify that you successfully configured the AutoDiscoverServiceInternalUrl property on your Exchange 2010 servers with the value of the Exchange 2016 Autodiscover URL, do the following:

Configure DNS records

It’s time to change your DNS records to direct connections to your new Exchange 2016 servers. You’ll move the host names (for example, mail.domain.com) users have been using to connect to Outlook Web Access (now known as Outlook on the web in Exchange 2016), Autodiscover, and so on, from existing Exchange servers to new Exchange 2016 server.

Other option is without changing the DNS records to point your public DNS records to a new external IP address for Exchange 2016 Edge server, you can reconfigure your firewall to route connections for the original IP address to the Exchange 2016 server instead of the Exchange 2010/2013 server. The existing Exchange Client Access server no longer needs to be accessible from the Internet because all connections will be proxied by the Exchange 2016 server. If you choose to reconfigure your firewall, you don’t need to change your public DNS records. TTL 10 minutes to minimize impact. If you dc change DNS records, it should be like the below DNS records.

External DNS Record
FQDN Record type Value TTL
domain.com MX mail.domain.com 10 minutes
mail.domain.com A Public IP Address i.e. 203.17.x.x 10 minutes
autodiscover.domain.com A Public IP Address i.e. 203.17.x.x 10 minutes

Internal DNS Record
FQDN Record type Value TTL
mail.domain.com CNAME EXCH2016.domain.com 10 Minutes
autodiscover.domain.com A Internal IP Address i.e. 10.142.x.x 10 Minutes

 

Migrating Mailboxes from Exchange 2010/2013 to Exchange 2016:

Move arbitration mailbox

  1. In the EAC, go to Recipients > Migration.
  2. Click New , and then click Move to a different database.
  3. On the New local mailbox move page, click Select the users that you want to move, and then click Add .
  4. On the Select Mailbox page, add the mailboxes that have the following aliases:
    • SystemMailbox{1f05a927-7bd0-47e5-9b6a-0b5ec3f44403}
    • FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042
    • DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}
    • SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}
    • SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}
    • Migration.8f3e7716-2011-43e4-96b1-aba62d229136
  5. Click OK, and then click Next.
  6. On the Move configuration page, type the name of the migration batch, and then click Browse next to the Target database box.
  7. On the Select Mailbox Database page, add the mailbox database to move the system mailbox to. Verify that the version of the mailbox database that you select is Version 15.1, which indicates that the database is located on an Exchange 2016 server.
  8. Click OK, and then click Next.
  9. On the Start the batch page, select the options to automatically start and complete the migration request, and then click New.

Move mailboxes to Exchange 2016

Since you have built a co-existence environment, you can move mailboxes to your Exchange 2016 Mailbox server. To move mailboxes to your Exchange 2016 Mailbox server, you’ll need to use the

  1. Open the EAC by browsing to the URL of your Mailbox server. For example, https://EXCH2016/ECP.
  2. Enter your user name and password in Domain\user name and Password, and then click Sign in.
  3. Go to Recipients > Migration, click Add , and then select Move to a different database.
  4. Under Select the users that you want to move, click Add .
  5. In the Select Mailbox window, select the mailboxes you want to move, and then click Add and then OK.
  6. Verify that the mailboxes you want to move are listed, and then click Next.
  7. Specify a name for the new mailbox move, and verify that Move the primary mailbox and the archive mailbox, if one exists, is selected.
  8. Under Target database, click Browse.
  9. In the Select Mailbox Database window, select a mailbox database on the Exchange 2016 server that you want to move the mailboxes to, click Add and then OK.
  10. Verify that the mailbox database displayed in Target database is correct, and then click Next.
  11. Decide which user should receive the mailbox move report once the move is complete. By default, the current user will receive the move report. If you want to change which user receives the report, click Browse, and then select a different user.
  12. Verify Automatically start the batch is selected.
  13. Decide whether you want to have mailbox moves complete automatically. During the finalization phase, the mailbox is unavailable for a short time. If you choose to manually complete the mailbox move, you can decide when the move is finalized. For example, you might want to finalize the move during off-work hours. Select or clear Automatically complete the migration batch.
  14. Click New.

Migrate public folders from Exchange 2013 to Exchange 2016

To migrate your Exchange 2013 public folders to Exchange 2016, you need to move all of your Exchange 2013 public folder mailboxes to an Exchange 2016 server. Before you move your public folder mailboxes, here are some things you should think about:

  • Exchange 2016 capacity Make sure the Exchange 2016 servers where you’ll move your public folder mailboxes have enough storage capacity.
  • Time to move It might take a while for your public folder mailboxes to be moved to Exchange 2016. Things that could impact how long it’ll take include public folder mailbox size, the number of public folder mailboxes, available network capacity, and other factors.

Perform the following steps to move your public folder mailboxes from Exchange 2013 to Exchange 2016.

  1. Open the Exchange Management Shell on your Exchange 2016 Mailbox server.
  2. Run the following command to get a list of Exchange 2016 mailbox databases you can move your public folder mailboxes to. You can use this information to check how much drive space is available for each Exchange 2016 mailbox database.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 15.1*”) -And ($_.ServerRole -Like “*Mailbox*”)} | Get-MailboxDatabase | Format-Table Name, EdbFilePath, Server

  1. Run the following command to get a list of Exchange 2013 public folder mailboxes. The list this command creates includes the public folder mailbox name, its size, and what Exchange 2013 server it’s on.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 15.0*”) -And ($_.ServerRole -Like “*Mailbox*”)} | Get-Mailbox -PublicFolder | Get-MailboxStatistics | Format-Table DisplayName, TotalItemSize, ServerName

  1. You can use the information from the previous command to decide which Exchange 2016 server to move some or all of your public folder mailboxes to. For example, you might not want to move three large public folder mailboxes to a server with low available drive space. Replace the Exchange server, database, and public folder mailbox names with your own.
  2. Move all Exchange 2013 public folder mailboxes at once.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 15.0*”) -And ($_.ServerRole -Like “*Mailbox*”)} | Get-Mailbox -PublicFolder | New-MoveRequest -TargetDatabase EXCH2016MbxDatabase

  1. Move all public folder mailboxes on a specific Exchange 2013 server at once.

Get-Mailbox -PublicFolder -Server EXCH2013Mbx | New-MoveRequest -TargetDatabase EXCH2016MbxDatabase

  1. Move a specific Exchange 2013 public folder mailbox.

New-MoveRequest “Sales Public Folder Mailbox” -TargetDatabase EXCH2016MbxDatabase

  1. Use the following command to see the status of the move requests you created. Depending on the size of the public folder mailboxes you’re moving and your available network capacity, it could take several hours or days for the moves to complete.

Get-MoveRequest

Do the following to check the status of your move requests:

  1. Open the Exchange Management Shell on your Exchange 2016 Mailbox server.
  2. Run the following command to see the status of the move requests you created.

Get-MoveRequest

The command above will return each move request you created along with one of the following statuses:

  • Completed The public folder mailbox was successfully moved to the target Exchange 2016 mailbox database.
  • CompletedWithWarning The public folder mailbox was moved to the target Exchange 2016 mailbox database, but one or more issues were encountered during the move.
  • CompletionInProgress The public folder mailbox’s move to the target Exchange 2016 mailbox database is in its final stages. Public folders hosted in this mailbox may be unavailable for a brief period of time while the move is finalized.
  • InProgress The public folder mailbox’s move to the target Exchange 2016 mailbox database is underway. Public folders hosted in this mailbox are available during this portion of the move.
  • Failed The public folder mailbox’s move failed for one or more reasons. You can find more information by viewing the move report that was delivered to the Administrator mailbox.
  • Queued The public folder mailbox’s move has been submitted but the move hasn’t started yet.
  • AutoSuspended The public folder mailbox’s move is ready to enter its final stages but won’t proceed further until you manually resume the move. To resume the move when you’re ready, use the Resume-MoveRequest
  • Suspended The public folder mailbox’s move has been suspended by Suspend-MoveRequest cmdlet and won’t proceed further until you manually resume the move. To resume the move when you’re ready, use the Resume-MoveRequest

Do the following to view the location of your public folder mailboxes after their move request has completed:

  1. Open the Exchange Management Shell on your Exchange 2016 Mailbox server.
  2. Run the following command to see the location of your public folder mailboxes.

Get-Mailbox -PublicFolder | Get-MailboxStatistics | Format-Table DisplayName, TotalItemSize, ServerName

In the list public folder mailboxes that are returned, verify that they’ve each been moved to an Exchange 2016 mailbox server.

Post Cutover Tasks

Remove Legacy Exchange Servers Removing Exchange 2010 after Coexistence with Exchange 2010/2013

If you’re removing Exchange 2010 after being in coexistence mode with Microsoft Exchange Server 2013, make sure you have completed the following checklist before you uninstall Exchange 2010 from your organization:

  • All Client Access server FQDNs are pointing to Exchange 2013.
  • All mail flow connectors are pointing to Exchange 2013.
  • All user and arbitration mailboxes have been moved to Exchange 2013.
  • If you were using public folders, make sure the public folders databases have been migrated to Exchange 2013.
  • Any Exchange 2010 CAS arrays you have configured must be removed.
  • Make a list of applications that may be using Exchange 2010 and then make sure to configure these applications to start using Exchange 2013 if necessary.

Mount Exchange 2010/2013 ISO. You can either run Exchange 2010/2013 Setup.exe or navigate to Control Panel to modify or remove Exchange 2010/2013 (either server roles or an entire installation).

  1. The Maintenance Mode page of the Exchange Server 2010/2013 Setup wizard begins the process of changing or removing your Exchange installation. Click Next to continue.
  2. On the Server Role Selection page, select the Exchange server roles that you want to add (if you’re changing an installation) or remove (if you’re removing one or more server roles or an entire installation). Click Next to continue.
  3. On the Readiness Checks page, view the status to determine if the organization and server role prerequisite checks completed successfully. If the prerequisites check doesn’t complete successfully, review the Summary page to help troubleshoot and fix any issues that are preventing Setup from completing. If the checks have completed successfully, click Install if you want to add a server role or Uninstall to remove the specified server role(s) or the entire installation of Exchange 2010.
  4. On the Completion page, click Finish.
  5. De-join computer from domain and shutdown the computer.

Similar Articles:

Exchange 2010 to exchange 2013 migration

Exchange 2013 Upgrade, Migration and Co-existence

Office 365: Configuring catch-all mailbox during migration

Step1: Create Catch-All Mailbox

1. Sign in to portal.office.com>Active Users

2. Create a new user named “Catch-All-Mailbox” and assign licenses either E1 or E3.

Step2: Create exception Security Group (Optional Step)

1. Log onto Office 365 admin portal

2. Go to Admin>Exchange>Recipients>Groups

3. Create a new Security Group named Catch-All-Exception

4. Add members to this group

Step3: Create a Transport Rule

5. Log onto Office 365 admin portal

6. Go to Admin>Exchange>Click “Mail Flow” icon, Click “Rules”

7. Click the “+” icon, then “Create a new rule”

8. As soon as the new rule box appears, click “More Options…” link towards the bottom of the page

9. Give rule a name, CatchAll-Mailbox Migration

10. Change the “apply this rule if…” to “The Sender is…”–>”Internal/External”–>”Outside this Organisation”

11. Change the “do the following…” to “Redirect the message to…”–>”These recipients”–> then select “Catch-All-Mailbox”

12. *OPTIONAL*  Click “Add Action” and then “Modify the message properties”–>”Set a message header”, then set the header to “X-Catchall-Migration-Rule” and value to “Yes”

13. Under “Except if”, Click “Add action” and then “If Recipient…”–>”Is this person”–>and select the “all” Group which contains all exclusions (this should be the “All” group which contains all users/groups INCLUDING the Catchall mailbox/group that you don’t want diverted)

14. Save

15. Once Migration is complete, delete the rule.

 

Migrate On-premises Exchange Server to Office 365 using MigrationWiz

Assumptions:

  • An operational on-premises Microsoft messaging environment or an IMAP Source
  • An operational Microsoft Office 365 tenant for Exchange Online
  • Active Directory synchronised with Microsoft Azure Active Directory using DirSync
  • Licenses are assigned to Active Users.
  • There are place holder mailboxes e.g. user@tenant.onmicrosoft.com or real mailboxes e.g. user@domain.com as destination mailboxes.

Credit: BitTitan knowledge Base Articles. KBs mentioned here are BitTitan KBs not Microsoft KB.

Prepare Source: Exchange Environment

  1. Set up an administrator account “Domain\MigrationWiz” for migration on the Source Exchange mailbox server. Grant Domain Admins and Organisation Management Role for this Admin Account. KB004944
  2. Test OWA using https://mail.domain.com/owa. KB004392
  3. Test mailbox access. KB004616
  4. Disable the Exchange throttling policy during migration. KB004945
  5. Allow impersonation by MigrationWiz account

New-ManagementRoleAssignment –Name:impersonationAssignmentName –Role:ApplicationImpersonation –User:MigrationWiz

  1. Grant Full Access to MigrationWiz Admin Account for all mailboxes

Get-Mailbox -Resultsize Unlimited | Add-MailboxPermission -User MigrationWiz -AccessRights FullAccess -InheritanceType All

  1. Enable Circular Logging on the Mailbox Database properties. De-mount Mailbox Database and remount mailbox database after running the below command.

Get-MailboxDatabase | Set-MailboxDatabase -CircularLoggingEnabled $true

  1. Grant higher CPU and Memory to the source Server.
  2. Allocate minimum 50MB/s to 100MB/s bandwidth to outgoing network from on-premises Exchange Environment to internet
  3. Allow outbound Office 365 Ports and URLs on the firewall devices

Prepare the Destination: Exchange Online Environment

  1. Create an administrator account “MigrationWiz@tenant.onmicrosoft.com” in Office 365 to be used for migration, or use the global admin account for the tenant. KB004948
  2. If Microsoft DirSync was used to create and synchronize the local AD accounts up to Office 365, remember to disable it prior to using MigrationWiz. KB004336

Note: BitTitan recommend stopping DirSync during migration however I have migrated mailboxes without stopping DirSync. You must not change mail attribute and UPNs of any Active Directory Account during migration phase. You can do it later using PowerShell Cmdlets in bulk.

  1. Set up accounts on Office 365 and assign licenses. These can be created in several ways:
    • By bulk import using PowerShell via CSV file input.
    • By Microsoft DirSync. Read this very important Knowledge Base article before running Microsoft DirSync, to see if it should be run prior to migration. KB004336
    • By BitTitan Sync tool. KB004336
  2. Prepare tenant to send and receive large mail items. KB005139
  3. Contact Microsoft to ask to have the tenant EWS throttling limits raised for 60 days. Note: This step is only required if your Source environment will support migration speeds that are faster than the Destination. KB005493
  4. Allow impersonation by MigrationWiz Account

New-ManagementRoleAssignment –Name:impersonationAssignmentName –Role:ApplicationImpersonation –User:MigrationWiz@tenant.onmicrosoft.com

  1. Grant Full Access Permission to MigrationWiz Account

Create a CSV file with these CSV Headers

name, user

mailbox1@domain.com, MigrationWiz@tenant.onmicrosoft.com

mailbox2@domain.com, MigrationWiz@tenant.onmicrosoft.com

$Mailboxes = import-csv C:\CSV\FullAccess.csv

Foreach ($Mailbox in $Mailboxes)

{Add-MailboxPermission -Identity $Mailbox.Name -user $Mailbox.User -AccessRights ‘FullAccess’ -InheritanceType All}

 Migrating On-premises Mailbox to Office 365 using MigrationWiz

Buy Licenses

Note: This step can be completed by a re-seller. You must provide company email address (migrationadmin@company.com ) to associate your company with MigrationWiz Portal. This Email Address is the log on details of Migration Admin who will perform the migration task.

  1. Create the customer. KB005421
  2. Create the Source and Destination endpoints. KB005427
  3. Purchase licenses. From your MSPComplete dashboard, click on Purchase > Mailbox Migration > select MigrationWiz-Mailbox and enter the number of licenses you wish to purchase. Check to see if there are any available bundles for discounts (e.g., MigrationWiz-Mailbox and DeploymentPro Bundle). KB004647
  4. Deploy DMA to users. Once DMA has been deployed to users, check the Users tab in MSPComplete. This will be populated with the user accounts that have DMA installed. DMA can be deployed by either of these options:
  5. Via Group Policy Object (GPO). Note: This is the recommended methodology, because no end user interaction is required. KB005412, KB005411

m6

Pre-stage Mailboxes

  1. Create the Mailbox Migration project. KB005070. Create the Mailbox Migration project > Select the customer > Select the Source endpoint > Select the Destination endpoint. Add the accounts (also referred to as “items”) that will be migrated to the project. KB004842
  1. Set the Project Advanced Options. KB004834
  • Set to use impersonation at the Destination. Checkmark the Use impersonation at Destination box. KB004727
  • Set Maximum concurrent migrations e.g. 500. If the Source server has enough server resources, set this parameter based on the bandwidth guideline of three (3) mailboxes per 1Mbps of bandwidth. Therefore, for example, if there is a 10Mbps connection, we recommend setting the maximum concurrent migrations parameter to be 30.
  • Set maximum error to 100.
  • Set successful and failed migration report to migrationadmin@company.com . Do not send a report to end user. This may cause confusion among users when you run credential checks and run pre-stage.
  1. Select the Project> Bulk Add using CSV file. CSV Headers

Source Email,Source Login Name,Source Password,Destination Email,Destination Login Name,Destination Password,Flags

Note: Since MigrationWiz has full access rights to source email and destination email. There is no need to populate password on the password column.

m3

 

 

 

 

 

  1. Run Verify Credentials for all mailboxes. KB004511
  2. Notify users that a migration is occurring. Send email to all users telling them the time and date of the migration.
  3. Pre-Stage pass: Select the users > Click on the Start button from the top, and select Pre-Stage Migration > Under the Migration Scheduling section, from the drop-down list, select 30 days ago > Click on Start Migration. KB004938
  4. If you notice any failed migration, just filter those failed migration> Pause Failed Migration. Select all Paused migration>Pre-stage all paused migration to complete migration simultaneously instead of waiting for migration to complete and retry error.

m2   m5

 

 

 

 

 

 

 

 

 

Final Migration or MX Cutover

  1. MX Record Cutover. Change over MX records on the DNS provider’s portal. Also include the AutoDiscover (CName) setting.
  2. Full (Delta) pass: Select the users > Click on the Start button from the top, select Full Migration > Click on Start Migration. KB004938
  3. Run Retry Errors. KB004658
  • Look through the user list and click on any red “failed migration” errors. Review information and act accordingly.
  • If problems persist, contact Support. KB004529
  • If not using DeploymentPro, users must create new Outlook profiles, and set up their signatures again, and reattach any PST files that were attached to their previous profile.
  1. Click on the pie chart icon in the MigrationWiz dashboard to receive an email containing all the project migration statistics. KB004626

Outlook Client Migration to new Office 365

DeploymentPro Steps

  1. Go to All Products > DeploymentPro and follow the prompts to launch.
  2. Select a customer from the list by clicking on the customer name. Note: The status column will show enabled when a customer account has had DMA deployed. Configure customer DeploymentPro module:
  • Enter Domain.
  • Select the Source endpoint.
  • Checkmark the Auto-populate box.

m4

 

 

 

Note: In the Client Interface Configurations section, upload your company logo and add supporting text. Note: We strongly recommend doing this, because this is the logo and text that end users will see in a desktop pop-up when they are prompted to reconfigure their Outlook profiles. If you do not upload your own logo, the default BitTitan logo will be included instead.

  1. Save and continue.
  2. Activate DeploymentPro module for users.
  3. Either select all users (by checkmarking the box to the left of the Primary Email column heading), or select the individual users (by checkmarking the boxes to the left of the user email addresses). Note: You will need to purchase DeploymentPro licenses for each user that will be using DeploymentPro. KB004647
  4. Click on the Run Module button.
  5. Schedule the profile cutover date.
  6. Set the date and time for the Outlook profile configuration to occur, and click on the Run Module button.

Notes:

  • The DeploymentPro module will install on user devices immediately, and then run silently until this date.
  • The profile cutover date should be set to a date and time that is shortly after MX record cutover.
  • On the profile cutover date, users will be guided through the reconfiguration of their Outlook profile.

References:

On-prem to Office 365 Migration: PowerShell Script Collection

On-Premises Exchange (versions 2007 and later) to Office 365 Migration Guide

Mailflow Co-existence between Hosted Mail and Office 365 during IMAP Migration