Curious Greg builds a lab Part IV
Today Curious Greg is going to Houston to visit the Johnson Space Center. Before he leaves he wanted to share the final configuration pieces to the hybrid lab. When we last left the lab we configured our virtual directories. Today we will start with address policy. From the on-premises hybrid server open the Exchange Management Console and navigate to Organization Configuration > Hub Transport. Edit the default email address policy. On the E-mail addresses page select Add to enter the email address for your service-routing namespace. In my case service.edustl.com.
On the SMTP Email Address dialog select the Email address local part check box and select use alias. Also select the accepted domain for the email address and browse to service.edustl.com.
Apply the email address policy immediately.
Enable Outlook Anywhere.
This should be done already and I won’t cover in this blog. To enable check out this.
Configure autodiscover DNS records.
I used an A record for autodiscover.edustl.com and CNAME for autodiscover.service.edustl.com. Since my domain is a split-brain DNS I also configured my internal records.
Configure Federation Gateway
Ensure you have a delegated domain namespace. In my case I named mine exchangefederation.edustl.com.
New-Federationtrust or use EMC. Ensure you use domainproof to get proof for TXT records for both domain and service domain. In my case both edustl.com and service.edustl.com
Once created then you must configure the federation trust. If you don’t get the Application Identifier than your domain proof is probably misconfigured.
Next tab over to organization configuration and create new organization relationship. I used the shell but this can be configured in the EMC. Again all this is configured on the hybrid server.
Below I show screenshots of the properties of the org relationship. First one is the free/busy information access I give the cloud tenant.
Second is the external organization properties.
Lots of conflicting information here. I only needed edustl.com and service.edustl.com. Originally I thought I would need the service tenant (*onmicrosoft.com). This is not needed and caused issues with free/busy. I’ve also seen the app URI as both http://outlook.com and outlook.com. It worked for me with just outlook.com. Ensure you have WSSecurity at the end of the autdiscover endpoint. Also – if you recreated the virtual directory ensure to add WSSecurity. Also don’t forget the TargetSharingEpr which corresponds to the POD that you see when you remote powershell into your cloud tenant.
The organization relationship must also be configured on the cloud side. I launched powershell and configured the same information.
Set-OrganizationRelationship -Identity "To Cloud" -DomainNames "service.edustl.com","edustl.com" -MailTipsAccessEnabled $True -MailTipsAccessLevel All -DeliveryReportEnabled $True
Set-OrganizationRelationship -Identity "To On-premises" -DomainNames "exchangefederation.edustl.com","edustl.com" -MailTipsAccessEnabled $True -MailTipsAccessLevel All -DeliveryReportEnabled $True
Send and Receive Connectors with on-premises hybrid Server.
Set-SendConnector or EMC. Specify the FQDN for the connector such as mail.edustl.com. Set the Address space for the service domain. *.service.edustl.com. Use DNS and the source server is the hybrid server.
Configure the Receive Connector.
Ensure that the IP addresses you select are from the FOPE configuration. Also ensure you state the subnet mask.
Next you setup the remote domains on the on-premises server. Inbound and outbound remote domains. My inbound is edustl.com and outbound is service.edustl.com.
Using the Deployment assistant setup the remote domains:
New-ReceiveConnector -Name "From Cloud" -Usage Internet -RemoteIPRanges <FOPE Outbound IP Addresses> -Bindings 0.0.0.0:25 -FQDN mail2.contoso.com -TlsDomainCapabilities mail.messaging.microsoft.com:AcceptOorgProtocol (remember to get IP addresses from FOPE procedure outlined in deployment assistant).
When last command was setup ran into problem with duplicate domain on FOPE. It appears in domains as duplicatedomain-xxxxxxxxxxxxxxxxxxxxxxx(GUID).edustl.com.
If you use ECP and go to Mail control > Domains and Protection. Change from shared to hosted and back to shared. The error clears.
The last thing to configure is the FOPE configuration. You’ll need both inbound and outbound connectors.
From there you are all set! The last thing to do is to configure MX records based on how you want incoming mail. Use both the deployment assistant and your external DNS provider to configure this.
My service.edustl.com was setup to match service-edustl-com.mail.eo.outlook.com in the hosted namespace. My MX record for on-premises was setup for mail.edustl.com.
I’d tell you more but it appears I got in the capsule during a launch and will not be on earth in a few more seconds. Say goodbye to Curious Greg. Take care.