

Hi @KyleXu-MSFT ,

Thank you.

I have been doing more testing and I think I know the problem, but not how to fix it.
I have attached the following text as a png file on my findings as I had too much text to enter into this comment.
223787-hcwerror-microsoftqanda.png


Any further help would be appreciated.


Hi @KyleXu-MSFT ,

Sorry for the very very late reply to this thread.
I had raised a call with Microsoft about the issue and they said they had not heard of the issue where running a command on one Exchange server, where mail.domain.com points to the same server, causes a problem. NB I had also tested by amending host records on the Exchange server, bypassing the load balancer, and got the same issue. They said they would let me know if they find anything out but I haven't heard anything back.

I originally started looking at the individual command due to the warning message at the end of running the HCW: The connection to the server 'mail.domain.com' could not be completed.
Microsoft.Exchange.MailboxReplicationService.MRSRemoteTransientException.

It turns out that although we had configured our firewall to allow Exchange Endpoints and Other Office 365 IP addresses it wasn't working correctly and this turned out to be the main issue. Once this was sorted I ran the HCW again and this time there was no warning at the end. In fact at this point I then realised that the command that was being run was probably being run from Office 365 and connecting back to the Exchange on-premises so me running the individual command was actually sending me down the wrong rabbit hole.

As ever though thank you to everyone who responded and gave me ideas to try.

Hi @imamitsingh ,

Thank you for your comment.
TLS 1.2 is enabled on all of our Exchange servers.

Hi AndyDavid,

Thank you for your quick response.

I think I have got it.
So I will need one new external certificate that will be installed on the Internal Exchange servers and the Edge server.
Whatever external DNS name is used for Edge server add onto the new third party certificate SAN and then run the PowerShell command you mentioned making sure the FQDN parameter matches the external DNS name chosen.

I have a query on your comment about the new third party certificate when installed on the Internal Exchange servers: "Technically, you wouldn't need the pop or imap for hybrid however". Note when I mentioned POP and IMAP I did actually mean secure POP and secure IMAP.

As you have mentioned, this new third party certificate would replace the existing certificate and be assigned the same services such as IIS, SMTP, POP, IMAP. Wouldn't I still need the POP and IMAP entries, otherwise there would be issues connecting to those services internally?

Hi @ricardosolisvillegas-4678 ,

I had already taken a look at the link you have provided which does explain about sensitivity labels, but I wasn't sure if I could use the same label for retention as well.

Shortly after I raised this question, I found a link which explains the different types of labels. For example, I now know that Information protection labels are completely different to Retention labels and I would need to create one of each if I needed both features.
https://joannecklein.com/2019/12/24/demystifying-labels-in-office-365/

Thanks for your help.

Thank you AndyDavid for your response.

I thought it might be something like that although I find it really strange that I can't see loads of articles around the security implications of a direct incoming connection to internal servers.
In your experience has anyone ever configured a reverse proxy in this way or are most customers happy to allow incoming traffic direct from Exchange online endpoints to their Internal Exchange servers?

Thank you AndyDavid.
I am tending to agree with you on the Anti-Spam as emails will be coming through EOP anyway.

Are you able to comment on whether I would need a separate Edge server so that I can send emails from servers on the DMZ, or if the one used for Hybrid will do?

Hi Joyce,

We are just building the final two servers and once the DAG has been created I will create a mailbox for testing.

Hi,

Just as an update, I have installed Exchange 2019 CU10 on another server and I have also got the 16024 error on that as well.

Hi Both,

This is the first new server that has had Exchange 2019 installed, although eventually there will be four in a single DAG. We are migrating from Exchange 2013.
All the Microsoft Exchange services are started and everything appears to be working; however, I have not yet configured all the services or added any mailboxes to the server as I am still configuring it.

Once Exchange 2019 had been installed, I just went through the event log to see if there were any errors.

I have checked the registry and the only MSExchange key in the path mentioned is MSExchange Management.


I have checked the log again today and the last 16024 error was on 05/11/2021, so I am not sure if it is fixed or not.
On Friday I was continuing the build of the server and configured the internal/external URLs on virtual directories, added the correct certificate and assigned it to services, configured POP3/IMAP and also amended the autodiscover path on the server. So I am not sure if any of this may have helped.