Course MS-201.1
Defining a Hybrid Messaging Strategy

LAB: Implementing a Hybrid Environment

Introduction
The exercises in this lab require you to log on to the Microsoft Labs Online environment to complete the
lab steps in both an Exchange Server 2016 on-premises environment and an Office 365 cloud
environment. Please follow the instructions in the Microsoft Virtual Lab User Guide on how to access
Microsoft virtual hands-on labs.

WARNING: This lab will take approximately 3 to 5 hours to complete, depending, in part, on your level of
experience and how quickly you are able to work through the lab steps. The duration of the lab is set to
8 hours, which means you have 8 hours in which to complete the lab before you are prompted to extend
the lab duration, if necessary. Each extension is good for an additional 30 minutes.

Please note that once the lab ends (or if you click the End Lab button in the training lab environment),
you will lose all work completed up to that point, which means you will have to start over from the
beginning if you wish to finish the lab. Therefore, please make sure that you have blocked off enough
time to complete the lab before beginning. If you need to take a break and then resume the lab at a later
time, do NOT click the End Lab button; you can resume the lab at a later time within the 8 hour window
from when you started and pick right up from where you left off, even if you previously closed your
browser.

RECOMMENDATION: This is a complicated lab with lots of interrelated tasks. If you do not complete the
tasks in order and as presented, chances are you will not successfully complete the lab. Before you begin
a task, take your time and read through ALL the instructions for the task. That way, you will have a
general understanding of what you will be doing in the task prior to starting, which should help you stay
on track as you work through the steps. There are lots of notes and instructions that explain what you're
doing and why you're doing it, as well as tips on what to do and what not to do. Take your time to
thoroughly read through this instruction. You should also carefully read through the Introduction in the
MS-201.1 Student Lab Manual, which provides an explanation of the domains referenced in the lab, as
well as some helpful hints on how to enter the PowerShell commands that you must process.

This lab references two domains:

• onmicrosoft.com – This is the domain associated with the Office 365 tenant that was provided
by the lab hosting environment.
• xtremelabs.us – Companies typically do not use the onmicrosoft.com domain to run their work
services; rather, they prefer to have their name header display their company name in their
production environment. Also, when setting up a hybrid environment, as you’re doing in this lab,
both the on-premises environment and the cloud tenant must share responsibility over at least
one domain. For this lab, you will be creating a custom xtremelabs.us domain that will be shared
between the on-premises and cloud environments.

IMPORTANT: Each of these domains has its own unique UPN Name. This is critical because throughout
this lab, you will be asked to enter the UPN Name for the xtremelabs.us domain, as well as the UPN
suffix portion of the UPN Name for the onmicrosoft.com domain.

• UPN Name for the onmicrosoft.com domain: The domain name for the onmicrosoft.com
domain is in the format @M365aZZZZZZ.onmicrosoft.com, where the UPN name is
M365aZZZZZZ. The UPN suffix portion of the UPN name is ZZZZZZ. This information can be
retrieved from the Files menu at the top of your lab by selecting the O365 Credentials option
from the Files drop-down menu.

In the O365 Credentials window, the Tenant Email displays the Office 365 Tenant Email account
for your lab environment. In some lab steps you will copy in the entire Tenant Email account of
admin@M365aZZZZZZ.onmicrosoft.com (such as when logging in to Office 365); in other cases,
you will only need to copy the domain name when entering non-admin user accounts (such as
holly@M365aZZZZZZ.onmicrosoft.com), during which you must replace ZZZZZZ with the UPN
suffix from the UPN name.

For example, if your Tenant Email is admin@M365a609668.onmicrosoft.com, the UPN suffix is
609668. When logging in as Holly when entering this domain, you would replace ZZZZZZ with
609668 (for example, holly@M365a609668.onmicrosoft.com). When you come to an instruction
that requires the UPN suffix for the onmicrosoft.com domain, remember to simply click the Files
drop-down menu and select the O365 Credentials menu option.

• UPN Name for the xtremelabs.us domain: The domain name for the xtremelabs.us domain is
in the format @XXYYZZa.xtremelabs.us, where the UPN name is XXYYZZa. When performing the
lab steps that require you to enter this xtremelabs.us domain, you must replace XXYYZZa with
the uniquely assigned UPN name in the lab interface.

From the Files menu option at the top of your lab environment, click the drop-down arrow and
select Lab Network Info from the drop-down menu. Whenever you see references to XXYYZZa,
you will replace it with the value that appears under the UPN Name in this Lab Network Info
window. When you get to those instructions that require the UPN Name field for the
xtremelabs.us domain, remember to simply click the Files drop-down menu and select the Lab
Network Info menu option.

• RECOMMENDATION: It is highly recommended that you write down the values of the ZZZZZZ
UPN suffix from the O365 Credentials window, and the XXYYZZa UPN name and the IP address
from the Lab Network Info window. This will save you from having to constantly open these
windows to retrieve this information.

IMPORTANT: In this lab, you will be in the role of the Messaging Administrator for Adatum Corporation.
In the fictitious organizational structure that has been created for this lab, Contoso Ltd. is the parent
company of two subsidiaries, Adatum and xtremelabs.us. As such, the Office 365 tenant has been set up
to reflect the Contoso name, which appears wherever the company name from the tenant is displayed in
the Office 365 environment. In a real-world scenario, the tenant letterhead can easily be changed by
editing the Organizational Profile. For the purposes of this lab, since all three organizations are fictitious,
the tenant organization has been left as Contoso. If you see the Contoso name displayed on any of the
Office 365 windows, just remember that this is by design and that there is no problem with your lab
environment.

POWERSHELL HINT: Several of the tasks in Exercise 1 require you to enter PowerShell commands
involving the UPN Name for the xtremelabs.us domain (@XXYYZZa.xtremelabs.us). In these commands,
you must replace the UPN Name of XXYYZZa with your unique UPN Name that can be found in the Lab
Network Info window in the Files drop-down menu.

Copying and pasting these commands into PowerShell with the XXYYZZa placeholder text is not very
efficient, since it forces you to manually replace these values within PowerShell. PowerShell does not
allow you to click into the middle of a command line and make changes without having to re-enter the
remaining portion of the command. Therefore, to save you from manually entering commands into
PowerShell as well as manually replacing all the occurrences of the XXYYZZa UPN name, it’s
recommended that you turn these steps into copy and paste exercises. Since you cannot edit the
Student Lab Manual because it’s a PDF document, it’s recommended that when you’re ready to run these
PowerShell commands, you should first copy the commands from your Student Lab Manual and paste
them into a Word document. You should then do a mass replace on XXYYZZa with your UPN Name from
the Lab Network Info window.

By copying in these PowerShell commands from the Student Lab Manual to a Word document and
performing these mass replace statements, you can simply copy and paste each individual command
from your Word document into PowerShell without having to manually edit any of the commands. This
will cut the time to complete these steps to a fraction of what it would take to enter these commands
into PowerShell and then manually make these UPN changes.

Scenario
In this lab you are the Messaging Administrator for A. Datum Corporation. Adatum has decided to
transition from their current Microsoft Exchange on-premises deployment to a hybrid deployment that
utilizes Exchange Online within Office 365. Adatum’s Enterprise Administrator, Holly Dickson, has asked
you to implement this hybrid deployment.

To complete this task, you must first prepare Azure Active Directory to support the hybrid
synchronization between Exchange on-premises and the cloud. This will require that you:

• Configure your lab environment to support local mail transport
• Add an accepted domain to your Azure AD forest
• Configure the UPN Name for the new domain
• Configure Exchange to use the new domain
• Enable directory synchronization by installing and running the Microsoft Azure Active Directory
Connect tool

Once you have Azure AD configured for hybrid synchronization, you should then set up Exchange for a
hybrid deployment and then test your new deployment. This will require that you:

• Run the Hybrid Configuration Wizard to create your hybrid deployment
• Configure EAC settings to accommodate cloud and on-premises users within the same domain
• Configure the Outbound Connector from Office 365 to your Exchange Server
• Test the hybrid configuration by sending emails between on-premises and cloud users
• Migrate a user mailbox from Exchange on-premises to Exchange Online to test your connectors
• Test the newly migrated mailbox

Exercise 1: Prepare Azure Active Directory for Hybrid Synchronization
While your trial tenant is already set up, you must first ensure that your local Active Directory is ready
for hybrid synchronization before you create your hybrid deployment. You’ll do this by adding a custom,
accepted domain to the Azure Active Directory forest and then configure Exchange to use the new
accepted domain.

Task 1: Configure your lab environment to support local mail transport

Before you begin setting up Adatum’s hybrid deployment, you must first configure your hosted lab
environment to support local mail transport.

IMPORTANT: The steps that you perform in this task are NOT required to set up a hybrid environment in
a real-world scenario. Instead, they must be performed to configure the hosted virtual machines used in
this training lab so that email can be sent locally between on-premises and cloud users when testing your
hybrid deployment.

1. On your EX1 VM (for example, LON-EX1), log on as ADATUM\Administrator and password
Pa55w.rd. To do this, at the top of the lab, click the Actions drop-down arrow and select
Ctrl+Alt+Delete. This will display the log-in credentials for the Administrator account. Enter
Pa55w.rd as the password. This will log you in and open the Server Manager application.
2. Click the X in the upper-right corner of the screen to close Server Manager.
3. You need to open the Network and Sharing Center. To do so, click on the network icon on the
right-side of the system tray at the bottom of the screen (which displays Adatum.com Internet
access), and in the menu that appears, click Network settings.
4. In the Settings window, under the Related settings group, select Network and Sharing Center.
5. In the Network and Sharing Center, under the View your active networks group, click on
Ethernet (which appears to the right of Connections:).
6. In the Ethernet Status window, click on the Properties button that appears at the bottom of the
window.
7. In the Ethernet Properties window, click on Internet Protocol Version 4 (TCP/IPv4) and then
click the Properties button.
WARNING: Do NOT click on the checkbox for Internet Protocol Version 4 (TCP/IPv4) to uncheck
it. This checkbox MUST remain checked. Simply click on this item to highlight it so that you can
update its properties.
8. In the Internet Protocol Version 4 (TCP/IPv4) Properties window, click the Advanced button in
the bottom-right corner of the screen.
9. In the Advanced TCP/IP Settings window, in the IP Settings tab, it displays two groups: IP
addresses and Default gateways. Under the IP addresses group, click the Add… button.
10. A TCP/IP Address pop-up window is displayed. Enter 10.0.0.6 in the IP address field, enter
255.255.255.0 in the Subnet mask field, and then click Add.

NOTE: If you enter the IP address or subnet mask incorrectly, you will receive an error when
clicking Add. If this occurs, you must close the window and then reopen it before entering the
correct values. If you do not close the window and reopen it, you will still receive the error even
if you enter the values correctly.
11. In the Advanced TCP/IP Settings window, it should now display 10.0.0.5 and 10.0.0.6 as
supported IP addresses, each with a subnet mask of 255.255.255.0. Click OK.
12. In the Internet Protocol Version 4 (TCP/IPv4) Properties window, click OK.
13. In the Ethernet Properties window, click Close.
14. In the Ethernet Status window, click Close.
15. Close the Network and Sharing Center window.
16. Close the Settings window.

Task 2: Add an accepted domain

In this task, you will log into your Domain Controller (DC1) VM and add an accepted domain. In a real-
world scenario, companies typically do not use the onmicrosoft.com domain to run their work services.
They usually want their name header to display their company name in their environment. Also, when
setting up a hybrid environment, both the on-premises environment and the cloud tenant must share
responsibility over at least one domain, which in this case is the xtremelabs.us domain. In this task, you
will add the accepted xtremelabs.us domain.

1. On your DC1 VM (for example, LON-DC1), log on as ADATUM\Administrator and password
Pa55w.rd. To do this, at the top of the lab, click the Actions drop-down arrow and select
Ctrl+Alt+Delete. This will display the log-in credentials for the Administrator account. Enter
Pa55w.rd as the password. This will log you in and open the Server Manager application.
2. Click the X in the upper-right corner of the screen to close Server Manager.
3. You must now open Windows PowerShell. Click the magnifying glass (Search Windows) icon on
the taskbar at the bottom of the screen and enter powershell in the Search box that appears.
4. In the menu that appears, right-click on Windows PowerShell and select Run as administrator in
the drop-down menu.
5. In Windows PowerShell, you should run the following command to create a new zone in DNS
(remember to copy the following command to a Word doc, then replace XXYYZZa with the UPN
Name from the Lab Network Info window in the Files drop-down menu, and then copy and paste
the command into PowerShell; see the POWERSHELL HINT at the start of this lab):

dnscmd /zoneadd XXYYZZa.xtremelabs.us /DsPrimary

Note: Leave Windows PowerShell open after running this command; simply minimize it for now
until it’s needed later in this task.

6. On the taskbar, click on the Internet Explorer icon. Maximize your browser window when it
opens.
7. Go to the Office 365 Admin Center by entering the following URL: https://portal.office.com/

8. In the Sign in dialog box, copy and paste in the Tenant Email account from the O365 Credentials
window (in the format: admin@M365xZZZZZZ.onmicrosoft.com, where ZZZZZZ is the UPN suffix
for this domain), and then click Next.
9. In the Enter password dialog box, copy and paste in the Tenant Password from the O365
Credentials window and then click Sign in.
10. On the Stay signed in? dialog box, click Yes.
11. If a Get your work done with Office 365 dialog box appears, click the X to close it.
12. In the Office 365 Admin Center, in the Apps section, click on the Admin app.
13. If a How likely are you to recommend Microsoft 365 to a friend or colleague window opens,
click Cancel.
14. If a Welcome to the Microsoft 365 Admin Center pop-up window appears, click the Skip button
to skip the tour.
15. In the left-hand navigation bar, click the ellipsis … (Show all) icon to show all the navigation menu
options.
16. In the left-hand navigation bar, hover over the wrench (Setup) icon, and in the menu that
appears, select Domains.
17. On the Domains window, click the + Add domain button to start the Domain Setup wizard.
18. In the Add a domain window, enter your new custom domain name in the form of
XXYYZZa.xtremelabs.us (where XXYYZZa is your unique UPN Name from the Lab Network Info
window in the Files drop-down menu), and then click Next.
19. In the Verify domain window, you can verify that you own this domain by using either the TXT
record or the MX record. For this lab, you will use the TXT record. In the Verify by: line, the TXT
record option is already selected by default (note the TXT name, TXT value, and TTL fields
displayed below it; if you click MX Record, notice how these fields change).

Make sure the TXT Record option is selected, and then record the TXT value, which will be in the
form of MS=msXXXXXXXX. Record this value: MS=_______________________

20. You must now open up DNS Manager. To do so, click on the Windows icon on the taskbar, then
in the menu click on the Windows Administrative Tools group, and then in the drop-down menu
scroll down and select DNS.
21. In DNS Manager, under your DC1 VM name (for example, LON-DC1), expand the Forward Lookup
Zones folder. This will display the new DNS zone that you just created called
XXYYZZa.xtremelabs.us (where XXYYZZa is your unique UPN Name from the Lab Network Info
window in the Files drop-down menu).
22. Click on this XXYYZZa.xtremelabs.us forward lookup zone to display the records associated with
this zone in the details pane on the right.
23. Right-click on the XXYYZZa.xtremelabs.us forward lookup zone and in the drop-down menu that
is displayed, click Other New Records.
24. In the Resource Record Type window, under Select a resource record type, scroll down and
select Text (TXT), and then click the Create Record button.
25. In the New Resource Record window, leave the Record name field blank. In the Text field, enter
MS=msXXXXXXXX (replacing XXXXXXXX with the value you recorded in Step 19), and then click
OK to create the record.

26. This returns you to the Resource Record type dialog box. Click Done.
NOTE: In DNS Manager, the XXYYZZa.xtremelabs.us forward lookup zone should still be
highlighted in the left-hand pane. In the details pane, you should now see a Text (TXT) record
whose Data value equals the MS=msXXXXXXXX value that you recorded in Step 19 and added to
the TXT record in the prior steps.
27. Minimize the DNS Manager window.
28. You should now be back to the Microsoft 365 admin center in your browser, which should still be
displaying the Verify domain window. Scroll to the bottom of the page and click the Verify
button.
29. In the Choose your online services window, the Exchange checkbox is selected by default. This is
the only service we want to activate for this lab. Scroll down and click Next.
30. In the Update DNS settings window, scroll down to the bottom of the window and select the Skip
this step checkbox.
NOTE: Review the message associated with this checkbox; specifically, that some 365 services
may be unavailable until you manually add the records with your registrar. The reason we point
this out here is that once you finish setting up this domain in the next couple of steps, the status
for this new XXYYZZa.xtremelabs.us domain will indicate “Possible service issues.” Just be aware
that this status does not indicate any type of error; it simply refers back to this checkbox that
you’re skipping some Office 365 services.
31. After selecting the Skip this step checkbox and reviewing this message, click the Skip button.
32. In the Update DNS settings window, click Finish to complete the new domain setup.
33. In the Domains window in the Microsoft 365 admin center, you should now see your new
XXYYZZa.xtremelabs.us (Default) domain and the M365xZZZZZZ.onmicrosoft.com domain.
NOTE: The status of the XXYYZZa.xtremelabs.us (Default) domain is Possible service issues. This
does not indicate an error; it simply ties back to the Skip this step message that was displayed in
step 30.
34. Switch back to the Windows PowerShell by locating the Windows PowerShell icon on the taskbar
and then clicking on it.
35. You must now create the following three DNS records in PowerShell for the accepted
XXYYZZa.xtremelabs.us domain:
a. Host record (A) – point to the IP Address provided in the Lab Network Info window.

To create the Host record (A), run the following command in Windows PowerShell
(change XXYYZZa to the UPN Name and change n.n.n.n to your unique IP address, both
of which can be found in the Lab Network Info window in the Files drop-down, and then
copy and paste the command into PowerShell; see the POWERSHELL HINT at the start of
this lab):

dnscmd /recordadd XXYYZZa.xtremelabs.us '@' A n.n.n.n

b. Mail Exchanger (MX) – point to the XXYYZZa.xtremelabs.us accepted domain, where
XXYYZZa is your unique UPN Name in the Lab Network Info window.

To create the Mail Exchanger (MX) record, run the following command in Windows
PowerShell (change XXYYZZa to the UPN Name for the xtremelabs.us domain following
the same copy and paste instruction previously mentioned):

dnscmd /recordadd XXYYZZa.xtremelabs.us '@' MX 10 XXYYZZa.xtremelabs.us

c. Mail Exchanger (MX) – you need to create an additional MX record for Microsoft 365
because the user accounts that are using the XXYYZZa.xtremelabs.us domain will need a
mail record that routes mail to the cloud from external hosts.

To create the Mail Exchanger (MX) record, run the following command in Windows
PowerShell (change XXYYZZa to the UPN Name for the xtremelabs.us domain following
the same copy and paste instruction previously mentioned):

dnscmd /recordadd XXYYZZa.xtremelabs.us '@' MX 10 XXYYZZa-xtremelabs-us.mail.protection.outlook.com

36. To verify that these records were successfully created, switch back to DNS Manager by locating
the DNS Manager icon on the taskbar and then clicking on it.
37. In DNS Manager, you want to refresh the display for the XXYYZZa.xtremelabs.us forward lookup
zone. To do so, right-click on XXYYZZa.xtremelabs.us and click Refresh in the drop-down menu.

In the details pane, you should now see the Host (A) record and the two Mail Exchanger (MX)
records that you just created using the PowerShell commands. Note the IP address displayed for
the Host (A) record and the values that you entered for the Mail Exchanger (MX) records.
38. Minimize the DNS Manager window.
39. Leave Windows PowerShell and DNS Manager open in the DC1 VM for the upcoming tasks.
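
The check in steps 36 and 37 can also be done from the PowerShell window that is still open. The following is an added example, not part of the lab manual: it queries the zone on DC1 and compares the TXT, A and MX records with the values entered in steps 19 to 35. The variable names and the choice of 127.0.0.1 as the DNS server are assumptions.

```powershell
# Added verification example; run in Windows PowerShell on the DC1 VM after step 35.
# Replace the placeholder values with the ones from your own lab.
$UpnName   = 'XXYYZZa'         # UPN Name from the Lab Network Info window
$LabIp     = 'n.n.n.n'         # IP address from the Lab Network Info window
$MsTxt     = 'MS=msXXXXXXXX'   # TXT value recorded in step 19
$DnsServer = '127.0.0.1'       # assumption: DC1 hosts the zone, so query it directly

$Zone = "$UpnName.xtremelabs.us"
# Microsoft 365 MX host used in step 35c: the domain name with dots turned into dashes.
$CloudMx = ($Zone -replace '\.', '-') + '.mail.protection.outlook.com'

function Get-ApexRecordData {
    # Returns the data of every record of the given type at the zone apex as strings.
    param([string]$Name, [string]$Type, [string]$Server)

    $answers = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly `
                   -ErrorAction SilentlyContinue |
               Where-Object { $_.Section -eq 'Answer' }   # drop authority/additional data

    foreach ($a in $answers) {
        switch ($Type) {
            'TXT' { $a.Strings -join '' }
            'A'   { $a.IPAddress }
            'MX'  { '{0} {1}' -f $a.Preference, $a.NameExchange }
        }
    }
}

# The four records the task creates. Both MX records carry preference 10, as in the lab.
$Expected = @(
    [pscustomobject]@{ Type = 'TXT'; Data = $MsTxt }
    [pscustomobject]@{ Type = 'A';   Data = $LabIp }
    [pscustomobject]@{ Type = 'MX';  Data = "10 $Zone" }
    [pscustomobject]@{ Type = 'MX';  Data = "10 $CloudMx" }
)

$Results = foreach ($e in $Expected) {
    $found = @(Get-ApexRecordData -Name $Zone -Type $e.Type -Server $DnsServer)
    [pscustomobject]@{
        Type     = $e.Type
        Expected = $e.Data
        Present  = $found -contains $e.Data    # case-insensitive string match
        Found    = $found -join '; '
    }
}

$Results | Format-Table -AutoSize

if ($Results.Present -contains $false) {
    Write-Warning "At least one record in $Zone is missing or differs from the expected value."
}
```

A row with Present = False and a non-empty Found column usually means a placeholder was left unreplaced when the dnscmd command was pasted.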

Task 3: Configure the UPN name for the accepted domain

Adatum was recently acquired by Xtremelabs. Instead of adding every individual Adatum user account to
Xtremelabs, they have decided to replicate the existing Adatum accounts to their cloud suite. Since
Adatum is an affiliate company with a larger brand, Xtremelabs will use its servers to validate the domain
name rather than the external DNS host.

To do this, you will log into the Domain Controller (DC1) VM and update the UPN name for the domain
and for every user in Active Directory Domain Services. This will change the user principal name (i.e. the
primary name) for each user to reflect the XXYYZZa.xtremelabs.us domain (where XXYYZZa is your lab’s
UPN Name). By doing so, the old adatum.com domain doesn’t go away; it simply becomes a secondary
alias.

1. If you have your DC1 VM open from the previous task, then proceed to the next step; otherwise, log
into your DC1 VM with the Administrator account just as you did in the prior task.

2. If Windows PowerShell is still open, then proceed to the next step; otherwise, open PowerShell just
as you did in the prior task.
3. You must run the following PowerShell commands to update the UPN name for both the
@XXYYZZa.xtremelabs.us domain and on the UPN of every user in AD DS to the accepted domain
that was added to your local DNS. Remember to copy the following commands to a Word doc, then
do a mass replace on XXYYZZa with the UPN Name from the Lab Network Info window in the Files
drop-down menu, and then copy and paste each command into PowerShell (see the POWERSHELL
HINT at the start of this lab):

Set-ADForest -identity "adatum.com" -UPNSuffixes @{replace="XXYYZZa.xtremelabs.us"}

Get-ADUser -Filter * -Properties SamAccountName | foreach { Set-ADUser $_ -UserPrincipalName ($_.SamAccountName + "@XXYYZZa.xtremelabs.us" )}

5. Close the Windows PowerShell window.
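
The two commands in step 3 change forest-wide and per-user state in one pass. The following is an added example, not part of the lab manual, showing how to record the current state before running them, preview the per-user change with -WhatIf, verify the result, and restore the old values if needed. The backup file path and the function name are assumptions.

```powershell
# Added example; run in Windows PowerShell on the DC1 VM around step 3 of this task.
Import-Module ActiveDirectory

$UpnName   = 'XXYYZZa'                          # UPN Name from the Lab Network Info window
$NewSuffix = "$UpnName.xtremelabs.us"
$Backup    = "$env:USERPROFILE\upn-before.csv"  # hypothetical backup location

# 1. Record the current state BEFORE running the lab's commands.
#    The lab's @{replace=...} overwrites the forest's whole UPN suffix list;
#    @{add=...} would append to it instead.
$OldSuffixes = (Get-ADForest -Identity 'adatum.com').UPNSuffixes
"UPN suffixes before the change: $($OldSuffixes -join ', ')"

Get-ADUser -Filter * -Properties UserPrincipalName |
    Select-Object DistinguishedName, SamAccountName, UserPrincipalName, Enabled |
    Export-Csv -Path $Backup -NoTypeInformation

# 2. Preview the per-user change without writing anything.
#    -Filter * matches every user object, including built-in accounts such as
#    Guest and krbtgt, so the preview shows exactly which accounts get a new UPN.
Get-ADUser -Filter * | ForEach-Object {
    Set-ADUser $_ -UserPrincipalName ($_.SamAccountName + "@$NewSuffix") -WhatIf
}

# 3. AFTER running the lab's two commands: list any account that was not updated.
$Stale = Get-ADUser -Filter * -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -notlike "*@$NewSuffix" }

if ($Stale) {
    $Stale | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize
} else {
    "All user objects now use the $NewSuffix suffix."
}

# 4. Rollback helper: restores every UPN from the CSV written in step 1.
function Restore-UpnFromBackup {
    param([string]$Path = $Backup)

    Import-Csv -Path $Path | ForEach-Object {
        if ([string]::IsNullOrEmpty($_.UserPrincipalName)) {
            # The account had no UPN before the change, so clear the attribute.
            Set-ADUser -Identity $_.DistinguishedName -Clear userPrincipalName
        } else {
            Set-ADUser -Identity $_.DistinguishedName -UserPrincipalName $_.UserPrincipalName
        }
    }
}
```

Restore-UpnFromBackup is only defined here, not called; it restores user objects only, so the forest suffix list printed in step 1 would have to be put back separately with Set-ADForest.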

Task 4: Enable Exchange for the new accepted domain

In this task, you will log into the Exchange Server (EX1) VM and enable your Exchange on-premises
environment for the accepted domain (XXYYZZa.xtremelabs.us) that you added and configured in the
prior tasks.

1. On your EX1 VM (for example, LON-EX1), log on as ADATUM\Administrator and password
Pa55w.rd. To do this, at the top of the lab, click the Actions drop-down arrow and select
Ctrl+Alt+Delete. This will display the log-in credentials for the Administrator account. Enter
Pa55w.rd as the password.
2. You will enter a series of Exchange-specific PowerShell commands through the Exchange
Management Shell. These commands will enable your on-premises Exchange environment for the
new XXYYZZa.xtremelabs.us accepted domain.

To open the Exchange Management Shell, click the Windows icon on the bottom left corner of the
taskbar, and then in the menu click on Exchange Management Shell. Maximize the Exchange
Management Shell window once it opens.

3. In the Exchange Management Shell, run the following commands in order as they appear below to
enable Exchange for the lab domain. Remember to copy steps “a” through “l” below to a Word doc,
then do a mass replace on XXYYZZa with the UPN Name from the Lab Network Info window in the
Files drop-down menu (it should replace 17 instances of XXYYZZa; this includes the text describing
the command in each numbered step, plus the commands themselves), and then copy and paste
each of the 12 commands into PowerShell (see the POWERSHELL HINT at the start of this lab) in the
order in which they appear below:

a. Run the following command to add a new send connector with a wildcard “*” to accept all
emails from any domain:

New-SendConnector -Name "To Internet" -AddressSpaces "*"

b. Run the following command to add the accepted XXYYZZa.xtremelabs.us domain, set it as a
trusted domain, and assign it the Alias of A.Datum:

New-AcceptedDomain -DomainName "XXYYZZa.xtremelabs.us" -DomainType Internalrelay -Name "A.Datum"

c. Run the following command to set the default email policy for every user to have its primary
email address as the accepted domain of XXYYZZa.xtremelabs.us:

Set-EmailAddressPolicy -Identity "Default Policy" -EnabledPrimarySMTPAddressTemplate "SMTP:%m@XXYYZZa.xtremelabs.us"

d. Run the following command to update the default email policy that was just changed in the
previous command:

Update-EmailAddressPolicy -Identity "Default Policy"

e. Run the following command to enable the root authority from a third-party certificate as well as
the POP, IMAP, SMTP, and IIS services on the certificate:

Get-ExchangeCertificate | Where-Object { $_.RootCAType -eq "ThirdParty" } | Enable-ExchangeCertificate -Services POP,IMAP,SMTP,IIS

NOTE: For this Get-ExchangeCertificate command, you must respond to a prompt that asks
whether you want to replace the existing default SMTP certificate with the new certificate.
Enter Y for Yes and then press Enter.
f. Run the following command to set the internal and external address for the OWA Virtual
Directory to https://XXYYZZa.xtremelabs.us/OWA:

Set-OwaVirtualDirectory -Identity "LON-EX1\OWA (Default Web Site)" -ExternalUrl https://XXYYZZa.xtremelabs.us/OWA

NOTE: Ignore the warning that’s displayed. This warning is addressed when you run the next
command.
g. Run the following command to set the internal and external address for the ECP Virtual Directory
to https://XXYYZZa.xtremelabs.us/ECP:

Set-EcpVirtualDirectory -Identity "LON-EX1\ECP (Default Web Site)" -ExternalUrl https://XXYYZZa.xtremelabs.us/ECP

h. Run the following command to set the internal and external address for the Active Sync Virtual
Directory to https://XXYYZZa.xtremelabs.us/Microsoft-Server-Activesync:

Set-ActivesyncVirtualDirectory -Identity "LON-EX1\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalUrl https://XXYYZZa.xtremelabs.us/Microsoft-Server-Activesync

i. Run the following command to set the internal and external address for the Web Services Virtual
Directory to https://XXYYZZa.xtremelabs.us/ews/exchange.asmx:

Set-WebServicesVirtualDirectory -Identity "LON-EX1\EWS (Default Web Site)" -ExternalUrl https://XXYYZZa.xtremelabs.us/ews/exchange.asmx -InternalUrl https://XXYYZZa.xtremelabs.us/ews/exchange.asmx

j. Run the following command to set the internal and external address for the OAB Virtual Directory
to https://XXYYZZa.xtremelabs.us/OAB:

Set-OabVirtualDirectory -Identity "LON-EX1\OAB (Default Web Site)" -ExternalUrl https://XXYYZZa.xtremelabs.us/OAB

k. Run the following command to set the internal and external address for the Outlook Anywhere
external host name to XXYYZZa.xtremelabs.us and to set the authentication method to NTLM and
to require external clients to use SSL to make the connection:

Set-OutlookAnywhere -Identity "LON-EX1\Rpc (Default Web Site)" -ExternalHostname XXYYZZa.xtremelabs.us -ExternalClientsRequireSsl $true -ExternalClientAuthenticationMethod NTLM

l. Run the following command to set the outlook certificate to *.xtremelabs.us:

Set-OutlookProvider EXPR -CertPrincipalName:*.xtremelabs.us

4. Close your Exchange Management Shell window by clicking the X in the upper-right hand corner.
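
The twelve commands in step 3 produce little output, so a mistyped placeholder is easy to miss. The following is an added example, not part of the lab manual, that reads the settings back in the Exchange Management Shell (run it before closing the window in step 4). It reports the internal and external URL of each virtual directory separately, because most of the commands above pass only -ExternalUrl. The variable names are assumptions.

```powershell
# Added read-only audit example; run in the Exchange Management Shell on the EX1 VM.
$UpnName  = 'XXYYZZa'      # UPN Name from the Lab Network Info window
$Server   = 'LON-EX1'      # Exchange server name used in the lab's commands
$Expected = "$UpnName.xtremelabs.us"

# Virtual directories configured in steps f through j.
$VDirs = @(
    Get-OwaVirtualDirectory         -Server $Server
    Get-EcpVirtualDirectory         -Server $Server
    Get-ActiveSyncVirtualDirectory  -Server $Server
    Get-WebServicesVirtualDirectory -Server $Server
    Get-OabVirtualDirectory         -Server $Server
)

$VDirs | ForEach-Object {
    [pscustomobject]@{
        VirtualDirectory = $_.Name
        ExternalUrl      = "$($_.ExternalUrl)"
        InternalUrl      = "$($_.InternalUrl)"
        # String comparison so an unset (null) URL simply reports False.
        ExternalOnLabDomain = "$($_.ExternalUrl)" -like "https://$Expected/*"
        InternalOnLabDomain = "$($_.InternalUrl)" -like "https://$Expected/*"
    }
} | Format-Table -AutoSize -Wrap

# Outlook Anywhere settings from step k.
Get-OutlookAnywhere -Server $Server |
    Format-List ExternalHostname, ExternalClientAuthenticationMethod, ExternalClientsRequireSsl

# Certificates and the services bound to them after step e, with expiry dates.
Get-ExchangeCertificate -Server $Server |
    Sort-Object NotAfter |
    Format-Table Thumbprint, Subject, RootCAType, Services, NotAfter, Status -AutoSize -Wrap

# Accepted domain from step b and send connector from step a.
Get-AcceptedDomain | Format-Table Name, DomainName, DomainType, Default -AutoSize
Get-SendConnector  | Format-Table Name, AddressSpaces, Enabled -AutoSize

# Address policy template from step c.
Get-EmailAddressPolicy -Identity 'Default Policy' |
    Format-List Name, EnabledPrimarySMTPAddressTemplate, RecipientFilterApplied
```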

Task 5: Enable Directory Synchronization

In this lab, you will log into the Domain Controller (DC1) VM and enable directory synchronization. To do
this, you must first download the setup wizard for the Microsoft Azure Active Directory Connect tool. You
will then run the installation wizard to enable and configure directory synchronization.

1. Switch to your DC1 VM. If you have your DC1 VM open from the earlier task, then proceed to the
next step; otherwise, log into your DC1 VM with the Administrator account, open Internet Explorer,
navigate to the Office 365 Admin Center, log in, and navigate to the Admin app, just as you did in
the first task in this exercise.
2. In the Microsoft 365 admin center, in the left-hand navigation bar, hover over the Users icon and in
the menu that appears, select Active users.
3. On the Active users page, click on the More drop-down arrow to display a list of menu options.
Select Directory Synchronization.
4. On the Active Directory preparation window, click on Download Microsoft Azure Active Directory
tool. This will open a new tab in your browser that displays the Microsoft Azure Active Directory
Connect page in the Microsoft Download Center.
5. Scroll down to the Microsoft Azure Active Directory Connect section and click the Download button.
6. On the window that displays at the bottom of the page asking whether you want to Run or Save the
AzureADConnect.msi program, click Save.
7. In the same window at the bottom of the page, once the download of the AzureADConnect.msi
program has completed, click the Run button. This initiates the Microsoft Azure Active Directory
Connect setup wizard.
8. The first page of the setup wizard (the Welcome to Azure AD Connect page) opens and then gets
minimized. You must display it by clicking on the Microsoft Azure Active Directory Connect icon on
the taskbar.
9. On the Welcome to Azure AD Connect page, click the I agree to the license terms and privacy
notice checkbox and then click Continue (depending on your monitor, you may have to move the
window up to see the Continue button).
10. On the Express Settings page, select the Customize button.
11. On the Install required components page, select the Use an existing service account checkbox.
12. This displays Managed Service Account and Domain Account radio buttons, where the Domain
Account radio button is selected by default. We want to use the Domain Account option; therefore,
enter ADATUM\Administrator in the SERVICE ACCOUNT NAME field and enter Pa55w.rd in the
SERVICE ACCOUNT PASSWORD field, and then click Install.

NOTE: If you copy and paste in the account and password from this instruction, make sure you do
not include a trailing space after the account or password; otherwise, the account validation will fail.
If this happens, simply delete the extra blank space(s) and click Install again.
13. This will initiate the installation of the Synchronization Service, which may take anywhere from
several seconds to a minute or two to complete. Once the Synchronization Service has been
installed, the User sign-in page is displayed.
14. On the User sign-in page, the Password Hash Synchronization option should be selected by default;
leave this option selected. Select the Enable single sign-on checkbox, and then click Next.
15. On the Connect to Azure AD page, copy and paste in the Tenant Email account
(admin@M365xZZZZZZ.onmicrosoft.com) from your O365 Credentials window (see the Files drop-
down menu at the top of the lab and select O365 Credentials) in the USERNAME field. Enter the
Tenant Password in the PASSWORD field. Click Next.
16. On the Connect your directories page, confirm that Adatum.com is entered in the Forest field and
then click the Add Directory button.

17. This will open an AD forest account window. Select the Use existing AD account option and enter
ADATUM\Administrator in the DOMAIN USERNAME field and Pa55w.rd in the PASSWORD field.
Click OK.
18. On the Connect your directories page, Adatum.com (Active Directory) is now displayed under
CONFIGURED DIRECTORIES along with a checkmark to indicate it was successfully validated. Click
Next.

NOTE: This will synchronize your local directory with the cloud, which may take a minute or so to
complete, at which time it will display the Azure AD sign-in configuration page.
19. On the Azure AD sign-in configuration page, select the Continue without matching all UPN suffixes
to verified domains checkbox at the bottom of the page, and then click Next.

NOTE: The local Active Directory for this training lab does not have any issues given the
preconfigured virtual lab environment. However, as a best practice in a real-world scenario, you
should always check your Active Directory before you configure directory synchronization.
20. On the Domain and OU filtering page, click Next (this accepts the default settings in which the Sync
all domains and OUs option is selected).
21. On the Uniquely identifying your users page, click Next (this accepts the default settings).
22. On the Filter users and devices page, click Next (this accepts the default settings in which the
Synchronize all users and devices option is selected).
23. On the Optional features page, select the Exchange hybrid deployment checkbox and then click
Next.
24. On the Enable single sign-on page, click the Enter credentials button.
25. In the Forest Credentials pop-up window, enter Administrator in the User name field and Pa55w.rd
in the Password field, and then click OK.
26. On the Enable single sign-on page, a checkmark now appears next to the Enter credentials button,
indicating the credentials were successfully validated. Click Next.
27. On the Ready to configure page, click Install (this accepts the default settings in which the Start the
synchronization process when configuration completes checkbox is selected).

NOTE: This initiates the configuration process, which may take several minutes to complete.
28. Once the configuration is complete, review the notes on the Configuration complete window and
then click Exit.
29. Once you exit the setup wizard, you will return to the tab in your browser that displayed the
Microsoft Azure Active Directory Connect page in the Microsoft Download Center. Click the X in this
tab to close it.
30. This will return you to the browser tab that displays the Active Directory preparation window from
which you originally downloaded the Microsoft Azure Active Directory Connect tool. Click the Close
button.
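
The directory check recommended in the note after step 19 can be scripted. The following is an added example, not part of the original lab: a PowerShell function that flags users whose UPN suffix is not a verified domain (the condition step 19 skips past) and proxy addresses claimed by more than one account. The function name, the sample users and the adatum.local suffix are constructed for illustration; on a real forest the input would come from Get-ADUser in the ActiveDirectory module.

```powershell
# Added example: directory hygiene check to run before enabling synchronization.
# Find-SyncBlocker is a hypothetical helper name; the sample users below are constructed.

function Find-SyncBlocker {
    [CmdletBinding()]
    param(
        # Objects exposing SamAccountName, UserPrincipalName and ProxyAddresses, e.g. from
        #   Get-ADUser -Filter * -Properties proxyAddresses
        [Parameter(Mandatory)] [object[]] $User,
        # Domains verified in the Office 365 tenant (assumption: supplied by the operator).
        [Parameter(Mandatory)] [string[]] $VerifiedDomain
    )

    $firstOwner = @{}   # lower-cased proxy address -> account that claimed it first

    foreach ($u in $User) {
        $upn = [string]$u.UserPrincipalName

        if ([string]::IsNullOrWhiteSpace($upn)) {
            [pscustomobject]@{ Account = $u.SamAccountName; Issue = 'MissingUpn'; Detail = '' }
        }
        elseif ($upn -match '\s') {
            # Leading, trailing or embedded whitespace survives copy and paste unnoticed.
            [pscustomobject]@{ Account = $u.SamAccountName; Issue = 'WhitespaceInUpn'; Detail = "[$upn]" }
        }
        else {
            $parts = $upn.Split('@')
            if ($parts.Count -ne 2 -or -not $parts[0] -or -not $parts[1]) {
                [pscustomobject]@{ Account = $u.SamAccountName; Issue = 'MalformedUpn'; Detail = $upn }
            }
            elseif ($VerifiedDomain -notcontains $parts[1]) {
                # -notcontains compares case-insensitively, which suits DNS names.
                [pscustomobject]@{ Account = $u.SamAccountName; Issue = 'UnverifiedUpnSuffix'; Detail = $parts[1] }
            }
        }

        foreach ($address in @($u.ProxyAddresses)) {
            if (-not $address) { continue }
            # SMTP: (primary) and smtp: (secondary) entries collide on the same address.
            $key = ([string]$address).ToLowerInvariant()
            if ($firstOwner.ContainsKey($key)) {
                [pscustomobject]@{
                    Account = $u.SamAccountName
                    Issue   = 'DuplicateProxyAddress'
                    Detail  = "$address also on $($firstOwner[$key])"
                }
            }
            else {
                $firstOwner[$key] = $u.SamAccountName
            }
        }
    }
}

# Constructed sample users standing in for Get-ADUser output.
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'allan';    UserPrincipalName = 'allan@adatum.com'
                       ProxyAddresses = @('SMTP:allan@adatum.com') }
    [pscustomobject]@{ SamAccountName = 'beth';     UserPrincipalName = 'beth@adatum.local'
                       ProxyAddresses = @('SMTP:beth@adatum.com') }
    [pscustomobject]@{ SamAccountName = 'svc-scan'; UserPrincipalName = 'svc-scan@adatum.com '
                       ProxyAddresses = @('smtp:allan@adatum.com') }
)

Find-SyncBlocker -User $sampleUsers -VerifiedDomain 'adatum.com' | Format-Table -AutoSize
```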

End of Exercise 1

Exercise 2: Set Up and Test your Hybrid Deployment
You now have directory synchronization configured and you’re ready to set up Exchange for a hybrid
deployment. You will do this by running the Hybrid Configuration Wizard on your Exchange server. Once
your hybrid deployment is installed, you will then test your hybrid deployment to verify that it’s
functioning properly.

Task 1: Run the Hybrid Configuration Wizard to create your hybrid deployment

IMPORTANT: In a real-world environment, you would normally run the Hybrid Configuration Wizard on
the Exchange Server using the on-premises EAC. However, due to how the VMs are configured in the
hosted lab training environment, you must begin by running the Hybrid Configuration Wizard on the
Domain Controller (DC1) VM. At a certain point in the process, you will cancel out of the wizard,
switch over to the Exchange Server (EX1) VM, and then run the wizard from the Exchange
Server. This is due to a federation trust issue that exists in the hosted lab training environment between
the Exchange Server and the Domain Controller.

To work around this federation issue in the hosted lab environment, you must begin by running the first
part of the wizard on the Domain Controller to configure federation trust for the domain to prepare it for
hybrid configuration. You must then run the wizard on the Exchange Server using the on-premises EAC to
complete the hybrid configuration process. Normally, you would not run the wizard twice like this in a
real-world environment; you would simply run the entire wizard from the Exchange Server using the on-
premises EAC.

1. On your DC1 VM (for example, LON-DC1), if you have your DC1 VM open from the earlier task, then
proceed to the next step; otherwise, log into your DC1 VM with the ADATUM\Administrator
account, open Internet Explorer, navigate to the Office 365 Admin Center, log in, and navigate to
the Admin app, just as you did in the first task in the prior exercise.
2. To run the Hybrid Configuration Wizard, you must first navigate to the Exchange Administrative
Center (EAC) in Office 365. To do so, open up Internet Explorer (if necessary) and enter the following
URL: https://XXYYZZa.xtremelabs.us/ecp (where XXYYZZa is your unique UPN Name from the Lab
Network Info window).
3. Log into the EAC as ADATUM\Administrator with the password Pa55w.rd.
4. Select your Language and Time zone and then click Save.
5. In the Exchange admin center, click on hybrid in the left-hand navigation pane.
6. On the setup page, click the configure button.
7. An information pop-up window appears indicating that you must first log into Office 365 before you
can run the Hybrid Configuration Wizard. Click sign in to Office 365.
8. At this point, if the Sign in page appears, then proceed to the next step. However, because of
security features in the VMs within your lab hosting environment, the Sign in page may not appear,
and instead, the setup page in the EAC will be displayed. If this occurs, then you must open an
InPrivate Browsing session within Internet Explorer to bypass the security constraints built into your
training lab environment (this would not occur in a real world scenario).

To open an InPrivate Browsing session, right click on the Internet Explorer icon on the taskbar and in
the menu, select Start InPrivate Browsing. This will open a new, InPrivate IE session that is separate
from the IE session that you were just in. Maximize the InPrivate browser window, repeat steps 2
through 7, and then continue with the next step to sign into Office 365.

9. On the Sign in page, copy and paste in the Tenant Email value
(admin@M365xXXXXXX.onmicrosoft.com) from your O365 Credentials window (Files drop-down
menu > O365 Credentials), and then click Next. Then enter the Tenant Password from the O365
Credentials window and click Sign in. Click Yes to stay signed in.
10. After signing into Office 365, you will return to the setup page in the Exchange admin center. Click
the configure button to start the Hybrid Configuration Wizard.
11. On the Do you want to install this application? window, click Install. This downloads the Hybrid
Configuration Wizard.
12. On the Do you want to run this file? window, click Run.
13. This starts the Hybrid Configuration Wizard (it may take several seconds to a minute or so to start
the setup wizard). On the first page, click next.
14. Wait for the server detection to complete, which then displays the On-premises Exchange Server
Organization window. Accept the default settings by clicking next.
15. The next page displays the On-premises Exchange Account and the Office 365 Exchange Online
Account. Under the Office 365 Exchange Online Account section, click the sign in… button.
16. In the Sign in window, copy and paste in the Tenant Email value
(admin@M365xXXXXXX.onmicrosoft.com) from your O365 Credentials window (Files drop-down
menu > O365 Credentials) and then click Next. Then enter the Tenant Password from the O365
Credentials window and click Sign in.
17. This returns you to the On-premises Exchange Account page, which now displays the Tenant Email
account that you entered for the Office 365 Exchange Online Account. Click next.
18. On the Gathering Configuration Information page, wait until the information gathering process is
complete for both Exchange (on-premises) and Office 365 (Exchange Online). Once both indicate
they have Succeeded, click next.
19. On the Hybrid Features page, select the Full Hybrid Configuration option and then click next.
20. On the Federation Trust page, click the enable button.
21. The Domain Ownership page displays copy to clipboard and copy to notepad options. Click
the copy to notepad option.
22. A Notepad window opens that displays the domain name and the text description in both a Space
Separated section and a Comma Separated section. In the Space Separated section, it displays the
XXYYZZa.xtremelabs.us domain name, and to the right of this, it displays the text description. You
must copy the text description so that you can create a TXT record in DNS Manager that contains this
text description for the domain.

Highlight the ENTIRE text description (which may end in == or some other special characters; make
sure these special characters are highlighted as well) that appears to the right of the
XXYYZZa.xtremelabs.us domain name. After highlighting the description, right-click on it and select
Copy.

23. Close the Notepad window.
24. If you closed DNS Manager in a previous task, then open it again using the instruction from Exercise
1, Task 1; otherwise, click the DNS Manager icon on the taskbar.
25. In DNS Manager, expand Forward Lookup Zones (if necessary), right-click on
XXYYZZa.xtremelabs.us (where XXYYZZa is your unique UPN Name from the Lab Network Info
window), and then in the drop-down menu, select Other New Records…
26. In the Resource Record Type window, under Select a resource record type, scroll down and select
Text (TXT), and then select Create Record…
27. In the New Resource Record window, leave the Record name field blank. Click in the Text field, then
right-click and select Paste from the drop-down menu that appears. This should paste in the text
description for the domain that you previously copied from the Notepad file. Click OK.
28. In the New Resource Record window, click Done. This Text (TXT) record should now appear as the
last entry in the details pane.
29. Close the DNS Manager window.
30. If you had to open an InPrivate Browsing session back in step 8, then proceed to the next step;
otherwise, on the taskbar, click on the Office 365 Hybrid Configuration Wizard icon (which appears
to the right of the File Explorer icon).
31. The Domain Ownership window should be displayed since this is where you left off prior to copying
the domain information to Notepad. Select the I have created a TXT record for each token in DNS
checkbox, and then click on the verify domain ownership button. This may take a minute or so to
process.
32. An IMPORTANT note appears before the start of this task. If you did not read it before starting
this task, then please do so now. Due to a federation issue in the hosted lab training environment, we must
work around it by now switching over to the Exchange Server (EX1) VM and running the Hybrid
Configuration Wizard again. You needed to run the wizard in the prior steps to configure the
federated trust with the Domain Controller. With that now done, you can simply cancel out of the
wizard on the Domain Controller and run it again on the Exchange Server. When you run the wizard
again on the Exchange Server, it will skip the Federated Trust steps since federation was configured
when you ran the wizard on the Domain Controller.

Therefore, on the Hybrid Topology page, click cancel, and then click Yes to confirm that you want to
cancel the wizard. Close the Office 365 window that asks you to help improve the experience.

NOTE: If you do not cancel the wizard at this point and instead continue to click through the wizard
on the Domain Controller, you will end up receiving an error indicating there is no valid third-party
certificate in DNS. This doesn’t hurt anything, but cancelling the wizard at this point on the Domain
Controller will save you from going through those unnecessary steps once the federated trust is
configured.
33. Switch to the Exchange Server (EX1) VM. Click the Actions drop-down arrow and select
Ctrl+Alt+Delete. This will display the log-in credentials for the Administrator account. Enter
Pa55w.rd as the password.
34. To run the Hybrid Configuration Wizard, you must first navigate to the on-premises Exchange
Administrative Center (EAC). On the taskbar at the bottom of the page, click on the Windows icon. In
the menu, click on the Microsoft Exchange Server 2016 group, and in the drop-down list, click on
Exchange Administrative Center.

35. This will open Internet Explorer, which will attempt to access the EAC.
36. Internet Explorer will display an error page indicating “There is a problem with this website’s security
certificate”. You receive this message because a certificate for the EAC was not needed for this
hosted lab training environment. Therefore, click the Continue to this website (not recommended)
option.
37. Maximize your browser window and then log into the EAC as ADATUM\Administrator with the
password Pa55w.rd.
38. In the on-premises Exchange admin center, click on hybrid in the left-hand navigation pane.
39. On the setup page, click the configure button.
40. An information pop-up window appears indicating that you must first log into Office 365 before you
can run the Hybrid Configuration Wizard. Click sign in to Office 365.
41. In the Sign in page, copy and paste in the Tenant Email value
(admin@M365xXXXXXX.onmicrosoft.com) from your O365 Credentials window (Files drop-down
menu > O365 Credentials), and then click Next. Then enter the Tenant Password from the O365
Credentials window and click Sign in. Click Yes to stay signed in.
42. This returns you to the setup page in the Exchange admin center. Click the configure button to start
the Hybrid Configuration Wizard.
43. On the Do you want to install this application? window, click Install. This downloads the Hybrid
Configuration Wizard.
44. On the Do you want to run this file? window, click Run.
45. This starts the Hybrid Configuration Wizard (it may take several seconds to a minute or so to start
the setup wizard). On the first page, click next.
46. Wait for the server detection to complete, which then displays the On-premises Exchange Server
Organization window. Accept the default settings by clicking next.
47. The next page displays the On-premises Exchange Account and the Office 365 Exchange Online
Account. Under the Office 365 Exchange Online Account section, click the sign in… button.
48. In the Sign in window, copy and paste in the Tenant Email value
(admin@M365xXXXXXX.onmicrosoft.com) from your O365 Credentials window (Files drop-down
menu > O365 Credentials) and then click Next. Then enter the Tenant Password from the O365
Credentials window and click Sign in.
49. This returns you to the On-premises Exchange Account page, which now displays the Tenant Email
account that you entered for the Office 365 Exchange Online Account. Click next.
50. On the Gathering Configuration Information page, wait until the information gathering process is
complete for both Exchange (on-premises) and Office 365 (Exchange Online). Once both indicate
they have Succeeded, click next.
51. On the Hybrid Features page, select the Full Hybrid Configuration option and then click next.
52. The Federation Trust page will be bypassed (this is due to running the wizard on the Domain
Controller earlier in this task) and will bring you to the Hybrid Topology page.
53. On the Hybrid Topology page, click next (this accepts the default setting in which the Use Exchange
Classic Hybrid Topology option is selected).
54. On the On-premises Account for Migration page, click the enter… button. In the pop-up window,
ADATUM\Administrator is already entered in the Domain\username field. Enter Pa55w.rd in the
Password field and then click ok.

55. In the On-premises Account for Migration window, the ADATUM\Administrator account appears as
the credentials to use when connecting to your on-premises Exchange Web Service. Click next.
56. In the Hybrid Configuration window, click next (this accepts the default setting in which the
Configure my Client Access and Mailbox servers for secure mail transport (typical) option is
selected).
57. In the Receive Connector Configuration window, click the drop-down arrow and select the checkbox
for your Exchange Server (for example, LON-EX1), and then click next.
58. In the Send Connector Configuration window, click the drop-down arrow and select the checkbox
for your Exchange Server (for example, LON-EX1), and then click next.
59. In the Transport Certificate window, click the drop-down arrow and select the *.xtremelabs.us
certificate (which is the last certificate on the page) for the Transport Certificate, and then click
next.
60. In the Organization FQDN window, enter XXYYZZa.xtremelabs.us (replace XXYYZZa with your UPN
Name from the Lab Network Info window) in the text box and then click next.
61. On the Ready for Update page, click update.
62. Wait for the hybrid configuration process to complete, which may take a few minutes.
63. On the Congratulations! page, click the close button.

IMPORTANT: If the Hybrid Configuration Wizard fails, it’s typically the result of an Access is Denied
error. As you just saw, there are several pages that require you to enter username and password
credentials. The wizard does not validate the credentials at the time you enter them; rather, it
simply stores them and then validates the credentials in this final update step. Experience has shown
that an Access is Denied error is usually the result of entering an incorrect username and/or
password (for example, if you copy and paste in a username or password, copying in a trailing space
after the username or password will cause it to fail). If this occurs, you can simply repeat this task
and re-run the Hybrid Configuration Wizard, which has been designed to allow multiple re-runs
without negatively affecting the system.
64. Close Internet Explorer so that you start with a fresh instance of the browser in the next task.
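
Because the wizard stores credentials without validating them until the final update step, and because step 22 depends on copying the entire text description, both can be checked before they are pasted. The following is an added example, not part of the original lab: the function names and sample values are constructed, the sample token is not a real ownership token, and the commented live calls assume the lab domain and DNS are reachable.

```powershell
# Added example: checks to run on values before they are pasted into the wizard.
# Function names and sample values are constructed for illustration.

function Test-PastedValue {
    # Flags empty values and leading or trailing whitespace picked up by copy and paste.
    # Reports lengths only, so a password is never echoed back.
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $Value,
        [string] $Label = 'value'
    )
    [pscustomobject]@{
        Label         = $Label
        Clean         = ($Value.Length -gt 0) -and ($Value -ceq $Value.Trim())
        Length        = $Value.Length
        TrimmedLength = $Value.Trim().Length
    }
}

function Test-DomainCredential {
    # Validates a domain credential against a domain controller up front, instead of
    # finding out at the wizard's final update step. Returns $true or $false.
    param(
        [Parameter(Mandatory)] [string] $Domain,             # for example ADATUM
        [Parameter(Mandatory)] [pscredential] $Credential
    )
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $network = $Credential.GetNetworkCredential()           # strips a DOMAIN\ prefix
    $context = [System.DirectoryServices.AccountManagement.PrincipalContext]::new(
        [System.DirectoryServices.AccountManagement.ContextType]::Domain, $Domain)
    try     { $context.ValidateCredentials($network.UserName, $network.Password) }
    finally { $context.Dispose() }
}

function Test-OwnershipToken {
    # Compares the text description issued by the wizard with the TXT values published
    # for the domain. Returns Match, WhitespaceDiffers, Truncated or NotPublished.
    param(
        [Parameter(Mandatory)] [string] $ExpectedToken,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [AllowEmptyString()]
        [string[]] $PublishedValue
    )
    $result = 'NotPublished'
    foreach ($value in $PublishedValue) {
        if ($value -ceq $ExpectedToken) {
            return 'Match'
        }
        elseif ($value.Trim() -ceq $ExpectedToken.Trim()) {
            $result = 'WhitespaceDiffers'
        }
        elseif ($result -eq 'NotPublished' -and $value.Length -gt 0 -and
                $ExpectedToken.StartsWith($value, [StringComparison]::Ordinal)) {
            # The published value is a prefix of the token, e.g. the trailing == was not copied.
            $result = 'Truncated'
        }
    }
    $result
}

# Constructed sample values; the token is not a real ownership token.
$token     = 'c2FtcGxlLW93bmVyc2hpcC10b2tlbg=='
$published = @('v=spf1 -all', 'c2FtcGxlLW93bmVyc2hpcC10b2tlbg')   # second value lost its trailing ==

Test-PastedValue -Label 'DOMAIN USERNAME' -Value 'ADATUM\Administrator '
Test-OwnershipToken -ExpectedToken $token -PublishedValue $published

# Live use on the lab VMs (requires the domain and DNS to be reachable):
#   Test-DomainCredential -Domain 'ADATUM' -Credential (Get-Credential)
#   $published = Resolve-DnsName -Name 'XXYYZZa.xtremelabs.us' -Type TXT |
#       Where-Object Type -eq 'TXT' | ForEach-Object { -join $_.Strings }
```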

Task 2: Configure EAC settings to accommodate cloud and on-premises users within the
same domain

In this task, there are two issues that you must address by configuring settings in both the on-premises
and Office 365 Exchange Admin Centers (EAC). First, you will log into the Exchange Server (EX1) VM and,
through the on-premises EAC, you will configure the onmicrosoft.com domain so that on-premises users
can send emails to cloud users within the same domain.

Second, you must verify the default settings in the Office 365 EAC so that emails from cloud users to on-
premises users in the same domain don’t get stuck in an internal loop and never make it to their
recipients’ on-premises mailboxes.

1. On your EX1 VM (for example, LON-EX1), on the taskbar at the bottom of the page, click on the
Windows icon. In the menu, click on the Microsoft Exchange Server 2016 group, and in the drop-
down list, click on Exchange Administrative Center.
2. This will open Internet Explorer, which will attempt to access the EAC.
3. Internet Explorer will display an error page indicating “There is a problem with this website’s security
certificate”. You receive this message because a certificate for the EAC was not needed for this VM
training environment. Therefore, click the Continue to this website (not recommended) option.
4. Maximize your browser window and then log into the EAC as ADATUM\Administrator with the
password Pa55w.rd.
5. In the on-premises Exchange admin center, click on mail flow in the left-hand navigation pane.
6. On the ribbon at the top of the page, click on accepted domains.
7. Select the M365xZZZZZZ.mail.onmicrosoft.com domain (where ZZZZZZ is the UPN suffix from the
O365 Credentials window).
8. In the Details pane on the right, note that the Domain type is set to Authoritative. You must change
it to Internal relay. To do so, click the pencil (Edit) icon.
9. In the M365xZZZZZZ.mail.onmicrosoft.com window, under This accepted domain is:, select the
Internal relay option and then click Save.
10. This returns you to the accepted domains page. On the ribbon, select send connectors.
11. In the list of send connectors, select the Outbound to Office 365 connector and click on the pencil
(Edit) icon.
12. On the Outbound to Office 365 send connector page, click on scoping in the left-hand navigation
pane.
13. Under the Address space group at the top of the page, click the plus (+) sign to add the accepted
domain.
14. In the add domain window, in the Full Qualified Domain Name (FQDN) field, enter *.xtremelabs.us
and then click Save.

NOTE: If you copy and paste *.xtremelabs.us into the FQDN field, ensure that no space follows
*.xtremelabs.us; any extraneous trailing space will result in an error. If this occurs, simply
delete the extraneous spaces and click Save again.
15. In the Outbound to Office 365 send connector page, click Save.
16. Click on a new tab in Internet Explorer and then enter the following URL to open the Office 365
Exchange Admin Center: https://outlook.office365.com/ecp
17. On the Exchange Admin Center page, select your Language and Time zone and then click Save.
18. In the Office 365 Exchange admin center, in the left-hand navigation pane, select mail flow.
19. On the ribbon at the top of the page, select accepted domains.
20. In the list of accepted domains, select the XXYYZZa.xtremelabs.us domain and then click the pencil
(Edit) icon.
21. In the XXYYZZa.xtremelabs.us window, under This accepted domain is:, select the Internal relay
option and then click Save.
22. This returns you to the accepted domains page. On the ribbon at the top of the page, select
connectors.

23. The list of connectors displays an Inbound and Outbound connector. You want to validate the
settings for the Inbound connector, which is already selected by default. Therefore, simply click on
the pencil (Edit) icon.
24. On the Edit Connector page that displays the name and description, click Next.
25. On the Edit Connector page that asks How should Office 365 identify email from your email
server?, verify that the following option is selected: By verifying that the subject name on the
certificate that the sending server uses to authenticate with Office 365 matches this domain name
(recommended). You should also verify that *.xtremelabs.us is displayed in the corresponding
domain name field; if not, you should enter it now. Click Next.
26. On the Confirm your settings page, click Save.
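
The four settings configured in this task can be audited from the shell after the fact. The following is an added example, not part of the original lab: Test-HybridMailFlow is a hypothetical helper that evaluates objects shaped like the output of Get-AcceptedDomain and Get-SendConnector (on-premises Exchange Management Shell) and Get-AcceptedDomain and Get-InboundConnector (Exchange Online PowerShell). The sample objects are constructed and carry only the properties the checks read.

```powershell
# Added example: audit of the mail-flow settings configured in this task.
# Test-HybridMailFlow is a hypothetical helper; the sample objects are constructed.

function Test-HybridMailFlow {
    param(
        [Parameter(Mandatory)] [object[]] $OnPremAcceptedDomain,  # on-premises: Get-AcceptedDomain
        [Parameter(Mandatory)] [object]   $SendConnector,         # on-premises: Get-SendConnector 'Outbound to Office 365'
        [Parameter(Mandatory)] [object[]] $CloudAcceptedDomain,   # Exchange Online: Get-AcceptedDomain
        [Parameter(Mandatory)] [object[]] $InboundConnector,      # Exchange Online: Get-InboundConnector
        [Parameter(Mandatory)] [string]   $RoutingDomain,         # M365xZZZZZZ.mail.onmicrosoft.com
        [Parameter(Mandatory)] [string]   $SharedDomain,          # XXYYZZa.xtremelabs.us
        [Parameter(Mandatory)] [string]   $WildcardDomain         # *.xtremelabs.us
    )

    function New-Check($Check, $Expected, $Actual, [bool] $Pass) {
        [pscustomobject]@{ Check = $Check; Expected = $Expected; Actual = $Actual; Pass = $Pass }
    }
    function Get-DomainType($Domains, $Name) {
        $hit = $Domains | Where-Object { "$($_.DomainName)" -eq $Name } | Select-Object -First 1
        if ($hit) { "$($hit.DomainType)" } else { 'NotFound' }
    }

    # Steps 7-9: the routing domain must be an internal relay on-premises.
    $type = Get-DomainType $OnPremAcceptedDomain $RoutingDomain
    New-Check "On-premises accepted domain $RoutingDomain" 'InternalRelay' $type ($type -eq 'InternalRelay')

    # Steps 11-15: the send connector must carry the wildcard address space.
    # The wildcard is matched as a literal substring, not as a pattern.
    $spaces  = @($SendConnector.AddressSpaces | ForEach-Object { "$_" })
    $covered = @($spaces | Where-Object {
        $_.IndexOf($WildcardDomain, [StringComparison]::OrdinalIgnoreCase) -ge 0 }).Count -gt 0
    New-Check "Send connector '$($SendConnector.Name)' address space" $WildcardDomain ($spaces -join ', ') $covered

    # Steps 20-21: the shared domain must be an internal relay in Exchange Online.
    $type = Get-DomainType $CloudAcceptedDomain $SharedDomain
    New-Check "Exchange Online accepted domain $SharedDomain" 'InternalRelay' $type ($type -eq 'InternalRelay')

    # Steps 23-25: the inbound connector must identify the sender by certificate subject name.
    $onPrem = @($InboundConnector | Where-Object { "$($_.ConnectorType)" -eq 'OnPremises' })
    $names  = @($onPrem | ForEach-Object { "$($_.TlsSenderCertificateName)" })
    New-Check 'Inbound connector certificate subject name' $WildcardDomain ($names -join ', ') ($names -contains $WildcardDomain)
}

# Constructed sample state: step 9 was skipped, so the first check fails.
$sample = @{
    OnPremAcceptedDomain = @(
        [pscustomobject]@{ DomainName = 'M365xZZZZZZ.mail.onmicrosoft.com'; DomainType = 'Authoritative' }
    )
    SendConnector        = [pscustomobject]@{
        Name          = 'Outbound to Office 365'
        AddressSpaces = @('smtp:M365xZZZZZZ.mail.onmicrosoft.com;1', 'smtp:*.xtremelabs.us;1')
    }
    CloudAcceptedDomain  = @(
        [pscustomobject]@{ DomainName = 'XXYYZZa.xtremelabs.us'; DomainType = 'InternalRelay' }
    )
    InboundConnector     = @(
        [pscustomobject]@{ Name = 'Inbound (constructed)'; ConnectorType = 'OnPremises'
                           TlsSenderCertificateName = '*.xtremelabs.us' }
    )
    RoutingDomain        = 'M365xZZZZZZ.mail.onmicrosoft.com'
    SharedDomain         = 'XXYYZZa.xtremelabs.us'
    WildcardDomain       = '*.xtremelabs.us'
}

Test-HybridMailFlow @sample | Format-Table -AutoSize
```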

Task 3: Prepare for testing by assigning product licenses to Office 365 user accounts

In this task you will log into your Domain Controller (DC1) VM and then update the user account for an
Office 365 user named Ada Russell. You will reset Ada’s password and assign her an Office 365 Enterprise
E3 license.

You are setting up Ada’s Office 365 account now because later in this exercise, you will test your hybrid
topology by sending an email from an on-premises user account to Ada’s Office 365 mailbox, and then
Ada will reply back to the on-premises user. To accomplish this, you must first assign Ada an Office 365
Enterprise E3 license so that she can access Outlook.

1. Switch to your DC1 VM. If you have your DC1 VM open from the earlier task, then proceed to the
next step; otherwise, log into your DC1 VM with the Administrator account just as you did
earlier.
2. Click on the Internet Explorer icon on the taskbar, maximize your browser window when it
opens, and then browse to the Office 365 Admin Center by entering the following URL:
https://portal.office.com/
3. In the Office 365 Admin Center, in the Apps section, click on Admin.
4. If a We would love to hear from you window appears, click cancel.
5. On the left-hand navigation bar, hover over the Users icon and in the menu that appears, select
Active users.
6. In the Active users window, click on Ada Russell (do not select the checkbox to the left of her
name; you want to update her properties, so click on her name).
7. In the Ada Russell properties window, click on the Reset password button.
8. In the Reset password window, select the Let me create the password option and then enter
Pa55w.rd in the Password field. If the Make this user change their password when they first
sign in checkbox is selected, then click on the checkbox to uncheck it. Click Reset.
9. The Reset password window displays ********* for the Password. Click on (show) to
display the password to verify you entered the correct password.

NOTE: You must HOLD DOWN your mouse click to display the password. As soon as you release
the mouse click, it displays the ********* again. After verifying that you entered the correct
password, click the X in the upper right-hand corner to close the window.
10. In the Ada Russell properties window, the Product licenses attribute currently indicates that no
products have been assigned to Ada’s Office 365 account. To assign her a license, click on Edit
for her Product licenses attribute.
11. In Ada Russell’s Product licenses window, click on the drop-down arrow for the Location field. In
the drop-down menu, select a country/region where Ada resides.
12. You want to assign Ada an Office 365 Enterprise E3 license. Click the On/Off icon for the Office
365 Enterprise E3 license, which will switch the icon from Off to On.
13. Scroll to the bottom of the Product licenses window and click Save.
14. You will then receive a window indicating the product information was updated for Ada Russell.
Click the Close button.
15. On the Ada Russell properties window, note the Product license attribute now indicates Ada has
been assigned an Office 365 Enterprise E3 license. Scroll to the bottom of this window and click
the Close button.
16. This returns you to the Active users list. Note that the status of Ada’s account also indicates she
has an Office 365 Enterprise E3 license.

Task 4: Prepare for testing by creating on-premises user mailboxes

In this task, you will log on to your Exchange Server (EX1) VM, navigate to the on-premises Exchange
Admin Center, and create on-premises mailboxes for Allan Yoo and Beth Burke. You will later use Allan
and Beth to test your hybrid environment.

1. Switch to your EX1 VM (for example, LON-EX1); if necessary, log on as ADATUM\Administrator with
the password Pa55w.rd.
2. If Internet Explorer is open from the previous task and a tab exists that says send connectors –
Microsoft Exchange (this should be your on-premises Exchange Admin Center), then click on this
tab; otherwise, open the on-premises EAC by following the same instructions from the start of
Task 2.
3. In the on-premises Exchange admin center, click on recipients in the left-hand navigation pane, and
then click on mailboxes in the ribbon.
4. Click on the plus (+) sign to add a new on-premises mailbox. In the drop-down menu, select User
mailbox.
5. In the new user mailbox window, you want to create a mailbox for Allan Yoo, who’s an existing user.
6. The Existing user option is selected by default, so click the Browse button.
7. In the Select User window, select Allan Yoo and click OK.
8. In the new user mailbox window, click Save.

NOTE: In the list of mailboxes, Allan Yoo’s mailbox should now appear. In the next task, you will send
a test email to Allan’s on-premises mailbox (Allan@XXYYZZa.xtremelabs.us) to validate whether the
outbound connector from Office 365 to your on-premises environment works.

9. Repeat steps 4 through 7 to create an on-premises mailbox for Beth Burke. You will use Beth’s on-
premises mailbox when testing mailbox migration at the end of the lab.

Task 5: Configure the Outbound Connector from Office 365 to your Exchange Server

In this task, you will remain in your on-premises Exchange Server (EX1) VM and then open up the Office
365 Exchange Admin Center (not the on-premises EAC that you used in previous tasks). From the Office
365 EAC, you will then configure the outbound connector from Office 365 to Adatum’s on-premises
Exchange environment.

STOP: After finishing the previous two tasks, you should wait at least 15 minutes before starting this task.
The reason for this delay is that when you update Ada Russell’s account and create the on-premises
Exchange mailboxes for Allan Yoo and Beth Burke, it may take up to 15 minutes to propagate these
updates throughout the system. If you do not wait at least 15 minutes before starting this task, the next
several tasks will fail.

1. In your EX1 VM (for example, LON-EX1), if Internet Explorer is open from the previous task and a
tab exists that says connectors – Microsoft Exchange (this should be your Office 365 Exchange
Admin Center), then click on this tab; otherwise, enter the following URL to open the Office 365
Exchange Admin Center: https://outlook.office365.com/ecp
2. In the Office 365 Exchange admin center, in the left-hand navigation pane, select mail flow.
3. On the ribbon at the top of the page, select connectors.
4. The list of connectors currently displays an Inbound and Outbound connector. Select the
Outbound connector to highlight it.

NOTE: In the Details pane on the right side of the screen, under the Mail flow scenario, it
indicates that this is the outbound connector from Office 365 to your organization’s (on-
premises) email server.
5. With the Outbound connector highlighted, click on the pencil (Edit) icon.
6. On the Edit Connector page that displays the Name and Description, click Next.
7. On the next Edit Connector page that asks When do you want to use this connector? select the
For email messages sent to all accepted domains in your organization option and then click
Next.
8. On the next Edit Connector page that asks How do you want to route email messages?, click
Next (this accepts the default value of XXYYZZa.xtremelabs.us as the Fully Qualified Domain
Name).
9. On the next Edit Connector page that asks How should Office 365 connect to your server?, click
Next (this accepts the default settings).
10. On the Confirm your settings page, review the settings and click Next.
11. On the Validate this connector page, click the plus (+) sign to send an email and validate this
connector.
12. On the add email pop-up window, enter Allan Yoo’s email address of
Allan@XXYYZZa.xtremelabs.us (where XXYYZZa is your unique UPN Name from the Lab
Network Info window) and then click OK.

NOTE: If it’s been less than 15 minutes since you completed the previous task in which you
created the on-premises mailbox for Allan, then you may receive an error message indicating
that the email address is invalid. If this occurs, click Cancel, then wait several more minutes and
try again.
13. Allan’s email address should now appear on the Validate this connector page. Click Validate.
14. Once the validation is complete, click Close.
15. On the Validation Result page, the two validation tasks are displayed - checking connectivity to
the accepted XXYYZZa.xtremelabs.us domain and sending a test email to an on-premises user
mailbox in this accepted domain. The status of both tasks should be Succeeded.

NOTE: If either task failed, click on the task to highlight it, then click on the pencil icon to display
the Details about that task. This will help you troubleshoot the issue that caused the task failure.

IMPORTANT: If the Send test email task failed, it’s usually because you did not wait at least 15
minutes after the prior task finished (creating Allan Yoo’s on-premises mailbox) before
performing this task. If this occurs, wait several minutes, click the Back button, and then click the
Validate button again.
16. On the Validation Result page, once both tasks show a status of Succeeded, click Save.

Task 6: Test the Hybrid topology

In this task, you will verify that your hybrid environment is functioning properly. From your on-premises
Exchange Server (EX1) VM, you will first send an email from Allan Yoo’s on-premises Exchange mailbox
to Ada Russell, who has a mailbox in Office 365. You will then open an InPrivate Browsing session in
Internet Explorer so that you can log into Ada’s mailbox in Office 365 and verify that she received the
email from Allan. You will then send a reply from Ada to Allan, and then verify that Allan received the
reply in his on-premises mailbox.

1. In your EX1 VM (for example, LON-EX1), click on a new tab in Internet Explorer and open
Outlook Web App by entering the following URL: https://XXYYZZa.xtremelabs.us/owa (where
XXYYZZa is your unique UPN Name from the Lab Network Info window).
2. You are now going to send an email from Allan Yoo’s on-premises mailbox to Ada Russell’s Office
365 mailbox; therefore, you must sign into Outlook using Allan’s email account. In Outlook, sign
in as ADATUM\Allan and password Pa55w.rd, and then click sign in.
3. Select your Language and Time zone and then click Save.
4. In Allan’s Inbox, note the email he received from the prior connector validation task.
5. You should now send an email from Allan to Ada Russell. Click New in the ribbon, and in the
email’s To address line, enter Ada@XXYYZZa.xtremelabs.us (where XXYYZZa is your unique UPN
Name from the Lab Network Info window).
6. Enter Testing hybrid topology - On-premises to O365 email in the Subject line, enter This is a
test email from an on-premises user mailbox (Allan Yoo) to an Office 365 user mailbox (Ada
Russell) in the body of the email, and then click Send.
7. At this point, you want to log into Ada Russell’s Outlook mailbox in Office 365 to verify she
received the email from Allan Yoo’s on-premises mailbox. You then want to send a reply from
Ada’s Office 365 mailbox back to Allan’s on-premises mailbox.

IMPORTANT: Since you already have Allan’s mailbox open in Internet Explorer, you CANNOT
open Ada’s mailbox in another tab in the same IE session. Doing so will block email from Allan’s
on-premises account from being sent to Ada’s Office 365 account. Therefore, you must start an
InPrivate Browsing session and then open Ada’s mailbox in that session.

To open an InPrivate Browsing session, right click on the Internet Explorer icon on the taskbar
and in the menu, select Start InPrivate Browsing. This will open a new, InPrivate IE session that
is separate from the IE session that contains the tab with Allan’s mailbox. Maximize the InPrivate
browser window and enter the following URL: https://portal.office365.com

8. In the Sign in window, enter Ada@XXYYZZa.xtremelabs.us (where XXYYZZa is your unique UPN
Name from the Lab Network Info window) and then click Sign in.
9. In the Enter password window, enter Pa55w.rd and then click Sign in.
10. If a Get your work done with Office 365 window appears, click the X to close it.
11. In Ada’s Office 365 portal, note all the applications that are listed. These are the apps that were
enabled when you assigned Ada an Office 365 Enterprise E3 product license in the prior task.
Click Outlook.
12. Select your Language and Time zone and then click Save.
13. When Outlook opens for Ada, if a pop-up window is displayed prompting you to Try the new
Outlook, click on the Try the new Outlook button.
14. The new Outlook mailbox opens for Ada. If a Welcome window appears, click the X in the upper-
right corner to close it.
15. If the email sent by Allan appears in Ada’s Inbox, then open the email and reply to the message.
Indicate in the reply that this message is from Ada’s Office 365 mailbox to Allan’s on-premises
mailbox.
16. Hover over the Internet Explorer icon on the taskbar and click back on the session that displays
Allan’s on-premises mailbox. Refresh the Inbox and verify whether Allan received the reply from
Ada.
17. Close all Internet Explorer sessions.

Task 7: Migrate an on-premises mailbox to Office 365 to test your connectors

In this task, you will log into your Exchange Server (EX1) VM, open the on-premises Exchange Admin
Center, and migrate Allan Yoo’s on-premises mailbox (along with his mail) to Office 365. The purpose of
this task is to verify whether your connectors are correctly set up and to provide a level of simplicity for
the user. When users are cloud-hosted they don’t have to use a VPN tunnel to access company files; they
can log in from any PC or device and work from any location that has a stable internet connection. In
contrast, hosting mailboxes on-premises and accessing files typically requires a VPN tunnel to keep
company data secure.

1. If you have your EX1 VM open from the earlier task, then proceed to the next step; otherwise, log
into your EX1 VM with the ADATUM\Administrator account and password Pa55w.rd.
2. You need to navigate to the on-premises Exchange Admin Center (EAC). On the taskbar at the
bottom of the page, click on the Windows icon. In the menu, click on the Microsoft Exchange Server
2016 group, and in the drop-down list, click on Exchange Administrative Center.
3. This will open Internet Explorer, which will attempt to access the EAC. Note: IE will display an error
page indicating “There is a problem with this website’s security certificate”. You receive this message
because a certificate for the EAC was not needed for this VM training environment. Therefore, click
the Continue to this website (not recommended) option.
4. Maximize your browser window and then log into the EAC as ADATUM\Administrator and password
Pa55w.rd.
5. In the left-hand navigation pane, select recipients, and in the list of mailboxes, select Allan Yoo.
6. In the Details pane on the right, scroll down to the bottom, and under the Move Mailbox section,
click To Exchange Online.
7. In the information pop-up screen, click sign in to Office 365.
8. If a pop-up window appears that displays a critical error message, click OK. In the EAC, click on
hybrid on the left-hand navigation pane and click on modify. In the information pop-up window,
click sign in to Office 365. Sign in if required. In the blue heading line above Exchange admin center
at the top of the window, it displays Enterprise and Office 365. Note the arrow pointing to which
EAC is being displayed. Ensure that Enterprise (on-premises) is selected before you continue to the
next step. If it is not selected at the top, close your browser and start again at step 1 of this task;
otherwise, repeat steps 5 and 6, and then continue with the next step.
9. On the Confirm the migration endpoint page, click Next (this accepts the default setting in which
the Remote MRS proxy server is set to XXYYZZa.xtremelabs.us).
10. On the Move configuration page, enter Migrating Allan Yoo as the migration batch name and then
click Next.
11. On the Start the batch page, under the Please select the preferred option to complete the batch
section at the bottom of the screen, select the Automatically complete the migration batch option
and then click new.
12. On the information pop-up window that asks Do you want to go to the migration dashboard to see
the status of your migration batch? click Yes.
13. On the migration page, monitor the status of the migration. The Status column will begin by
displaying Syncing, and eventually it will change to Completed.

WARNING: The migration may take up to an hour to complete.

NOTE: If you press F5 to refresh your browser, the EAC will change from displaying the Office 365 EAC
to the Enterprise (on-premises) EAC. In the blue heading line above Exchange admin center at the
top-left side of the window, it displays Enterprise and Office 365. Prior to refreshing your browser,
the arrow will be pointing to Office 365, which indicates the Office 365 EAC is being displayed. The
list of migration batches is displayed under Office 365. However, after refreshing your browser, the
arrow will point to Enterprise, indicating that the on-premises EAC is being displayed. When this
occurs, click on Office 365 to return to the Office 365 EAC, click on recipients on the left-hand
navigation bar, and then click on migration on the ribbon. This will return you to the list of migration
batches.

IMPORTANT: You can select your migration batch and then click on View details in the Details pane
on the right side of the screen to see more information on the migration. The details window that
appears also displays the batch status. HOWEVER, please note that this status is NOT the same as
the status that displays on the migration window in the Office 365 EAC. This details window status is
reflective of the objects being moved from on-premises to the cloud, so while this status may display
Completed, that does NOT mean the migration is complete. In fact, this details window may indicate
Completed, but the status on the migration window can still show Syncing. The reason for this is that
even after the objects are moved, there are still several additional tasks that the migration must
perform before it’s complete. In summary, you should NOT proceed to the next task until the status
on the migration window displays Completed for your batch.

14. To prepare for the next task, sign out of Office 365 by clicking the drop-down arrow next to the
Administrator name in the upper-right corner of the window and then selecting Sign out.

15. Close all open instances of Internet Explorer (click on the IE icon on the taskbar to view all instances).
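
The wait in step 13 can also be done from Exchange Online PowerShell. The following is an added example, not part of the original lab: it polls the batch named in step 10 until the batch-level status reaches Completed. It assumes an Exchange Online PowerShell session is already connected as the tenant administrator; the polling interval and the 90-minute deadline are assumed values.

```powershell
# Added example (not from the lab guide): wait for the migration batch to finish.
# Assumes Connect-ExchangeOnline has already been run as the tenant administrator.
$batchName   = 'Migrating Allan Yoo'        # batch name entered in step 10
$pollSeconds = 60                           # assumed polling interval
$deadline    = (Get-Date).AddMinutes(90)    # assumed limit; the lab warns of up to an hour

# Batch states that mean "stop waiting and investigate".
$failedStates = 'Failed', 'CompletedWithErrors', 'Stopped', 'Corrupted'

while ($true) {
    # Batch-level status: this is the value the lab tells you to wait on.
    $batch  = Get-MigrationBatch -Identity $batchName -ErrorAction Stop
    $status = "$($batch.Status)"

    # Per-user status is printed for information only; the loop never gates on it.
    $users = Get-MigrationUser -BatchId $batchName |
        ForEach-Object { "$($_.Identity)=$($_.Status)" }

    Write-Host ("{0:HH:mm:ss}  batch={1}  users: {2}" -f (Get-Date), $status, ($users -join ', '))

    if ($status -eq 'Completed') {
        Write-Host "Batch '$batchName' is Completed; safe to continue with the next task."
        break
    }
    if ($failedStates -contains $status) {
        throw "Migration batch '$batchName' ended in state '$status'."
    }
    if ((Get-Date) -gt $deadline) {
        throw "Migration batch '$batchName' still '$status' after the assumed 90-minute limit."
    }

    Start-Sleep -Seconds $pollSeconds
}
```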

Task 8: Test the newly migrated mailbox

The prior exercise migrated Allan Yoo’s on-premises mailbox to Office 365. In this task, you will validate
that Outlook functions are working properly for Allan’s new Office 365 mailbox. When testing in a real-
world environment, ensure that mail flow isn’t impeded, and that the user can access his or her mail by
going to outlook.office365.com. This ensures that no complications occurred during the migration
process. As a best practice, you should always test your mail flow to validate a migration.

In this task, you will test mail flow by sending an email from Allan’s new Office 365 mailbox to Beth
Burke’s on-premises mailbox (which you created back in Task 4). You will also send meeting requests
from Allan to Beth.

1. If you have your EX1 VM open from the earlier task, then proceed to the next step; otherwise, log
into your EX1 VM with the Administrator account just as you did earlier.
2. Open Internet Explorer and then browse to https://outlook.office365.com/owa/ and sign in as
Allan@XXYYZZa.xtremelabs.us (where XXYYZZa is your unique UPN Name from the Lab Network
Info window) and password Pa55w.rd.
3. If prompted, select your Language and Time zone and then click Save.
4. Create a new test email and send it to Beth Burke. Beth’s email address is
Beth@XXYYZZa.xtremelabs.us (where XXYYZZa is your unique UPN Name from the Lab Network
Info window).
5. At this point, you want to log into Beth Burke’s on-premises mailbox to verify she received the email
from Allan Yoo’s Office 365 mailbox. You then want to send a reply from Beth’s on-premises mailbox
back to Allan’s Office 365 mailbox.

IMPORTANT: Since you already have Allan’s mailbox open in Internet Explorer, you cannot open
Beth’s mailbox in another tab in the same IE session. Doing so will block email from Beth’s on-
premises account from being sent to Allan’s Office 365 account. Therefore, you must start an
InPrivate Browsing session and then open Beth’s mailbox in that InPrivate session.

To do so, right click on the Internet Explorer icon on the taskbar and in the menu, select Start
InPrivate Browsing. This will open a new, InPrivate IE session that is separate from the IE session
that contains the tab with Allan’s mailbox.

Maximize the InPrivate browser window and enter the following URL:
https://XXYYZZa.xtremelabs.us/owa (where XXYYZZa is your unique UPN Name from the Lab
Network Info window).

6. In Outlook, sign in as ADATUM\Beth with a Password of Pa55w.rd.


7. If you receive a message directing you to click on a link to open this mailbox with the best
performance, then click on the link.
8. If prompted, select your Language and Time zone and then click Save.
9. The email that Allan just sent to Beth should appear in her Inbox. Open the email and reply to the
message.
10. Hover over the Internet Explorer icon on the taskbar and click on the session that displays Allan’s
Office 365 mailbox. Refresh the Inbox and verify whether Allan received the reply from Beth.
11. In Allan’s mailbox, click on the calendar icon in the bottom-left corner of the window.
12. Create a new meeting with a subject Test.
13. Add Beth Burke as a required meeting attendee, then click on Scheduling Assistant.
14. Both users’ calendars will be displayed, and they should both show that their respective user is free.
Click OK to accept the time and then click on Send to send the meeting request to Beth.
15. Hover over the Internet Explorer icon on the taskbar and click on the InPrivate Browsing session that
displays Beth’s on-premises mailbox.
16. In Beth’s Inbox, Accept the meeting request and select Send the response now.
17. Hover over the Internet Explorer icon on the taskbar and click on the session that displays Allan’s
Office 365 mailbox.
18. Create another meeting request with a subject of Test 2. Add Beth Burke as a meeting attendee
again, then click on Scheduling Assistant.

NOTE: Beth’s calendar should now show her as busy for the first meeting request.
19. Click OK to accept the time and then click on Send to send the meeting request to Beth.
20. Hover over the Internet Explorer icon on the taskbar and click on the InPrivate Browsing session that
displays Beth’s on-premises mailbox. Accept the meeting request and select Send the response
now.
21. You have now verified that you can send and receive emails and calendar requests between on-
premises and Office 365 mailboxes. Sign out of both mailboxes and close Internet Explorer.

End of Exercise 2

End of Lab
