Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-04-12
You can use a hybrid deployment to extend the feature-rich experience and administrative control for an existing on-premises Microsoft Exchange organization to the cloud. A hybrid deployment provides the seamless look and feel of a single Exchange organization between an on-premises organization and an Exchange Online organization.
For more information about hybrid deployments, see Hybrid Deployments with the Hybrid Configuration Wizard and Hybrid Deployments.
Prerequisites
A hybrid configuration for your on-premises and cloud-based organizations, created with the New Hybrid Configuration wizard. The wizard creates a HybridConfiguration object that must be accessible to manage and configure changes in your hybrid deployment. For more information, see Create a New Hybrid Deployment.
Use the EMC to configure hybrid configuration properties
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Hybrid configuration" entry in the Exchange and Shell Infrastructure Permissions topic.
- In the console on-premises organization tree, select the Organization Configuration node and then select the Hybrid Configuration tab.
- In the Organization Configuration pane on the Hybrid Configuration tab, select the Hybrid Configuration object.
- In the action pane, click Manage Hybrid Configuration.
- On the Introduction page of the Manage Hybrid Configuration wizard, click Next.
- On the Credentials page, complete the following fields:
  - For the on-premises organization:
    - Username: Type the domain and user name for an account that is a member of the Organization Management role group in the on-premises organization. For example, “corp\administrator”.
    - Password: Type the password for the on-premises account you entered in the Username text box.
    - Remember my credentials: Select this check box to allow the wizard to automatically use this on-premises account while configuring the hybrid deployment. If you do not select this check box, you’ll have to manually enter the on-premises account credentials later when the hybrid configuration changes are executed.
  - For the Microsoft Office 365 organization:
    - Username: Type the new domain and user name for an account that is a member of the Organization Management role group in the Office 365 organization. For example, “administrator@contoso.onmicrosoft.com”.
    - Password: Type the password for the Office 365 account you entered in the previous step.
    - Remember my credentials: Select this check box to allow the wizard to automatically use this Office 365 account while configuring the hybrid deployment. If you do not select this check box, you’ll have to manually enter the Office 365 account credentials later when the hybrid configuration changes are executed.
- Click Next.
- On the Domains page, complete the following fields:
  - Click Add to add hybrid domains for your organization.
  - In the Select Accepted Domain dialog box, select accepted domains for the hybrid configuration. You should select the primary SMTP domain for your organization and any other accepted domains that will be used in the hybrid deployment. For example, select “contoso.com” and “sales.contoso.com”.
  - Click OK on the Select Accepted Domain dialog box.
  - To remove a domain from the hybrid configuration, select a hybrid domain name from the list and then click this button to remove it from the hybrid configuration.
    Note: At least one domain is required in a hybrid deployment.
- Click Next.
- On the Domain Proof of Ownership page, note the values listed in the Record Value field for each of the new hybrid domains you selected in the previous step. You must create a TXT record for each new domain in your public DNS so that the domain can be added to the Exchange federation trust for your organization. If you have kept a domain from your previous hybrid configuration and the TXT record for this domain has already been created on your public DNS, you don’t need to re-create the TXT record on your public DNS. For example, you would only need to create additional TXT records in your public DNS for the new domains similar to the following:
| Domain | DNS record type | Text |
| --- | --- | --- |
| contoso.com | TXT | 7Zyr2i/fE/M/T3AwCpitDbF30Fk/TdzXME6f7d1lDaKGthPdoS+UF94t43D2nU5hLNnIAP+5A3jJR2ik9HDPgg== |
| sales.contoso.com | TXT | Eh/po5qT098GMPklJU2DShrYO9mPseTn5i9wWKOKebmceLPuLCpaejYj83W53H/YcuzPy2VSo621BHO4DNS7jg== |
Warning: The federated domain proof is a lengthy string of alphanumeric characters. To avoid input errors, we recommend that you copy the domain string from the wizard by pressing CTRL+C, paste it into a text editor such as Notepad, copy it from the text editor to the Clipboard, and then paste the string into the Text field of the TXT record. If the TXT record is created with an incorrect federated domain proof string, the Microsoft Federation Gateway won't be able to verify proof of domain ownership, and you won't be able to add it to the federated organization identifier or complete the hybrid configuration.
- Click Next.
- On the Servers page, complete the following fields:
  - For the Client Access servers:
    - Click Add to select the Client Access servers in your on-premises organization that will be configured for your hybrid deployment.
    - In the Select Client Access Server dialog box, select one or more servers that have the Exchange 2010 SP2 Client Access server role installed.
    - Click OK on the Select Client Access Server dialog box.
    - To remove a Client Access server from the hybrid configuration, select the Client Access server from the list and then click this button to remove it from the hybrid configuration.
      Note: At least one Exchange 2010 SP2 Client Access server is required in a hybrid deployment.
  - For the Hub Transport servers:
    - Click Add to select the Hub Transport servers in your on-premises organization that will be configured for mail flow in your hybrid deployment.
    - In the Select Hub Transport Server dialog box, select one or more servers that have the Exchange 2010 SP2 Hub Transport server role installed.
    - Click OK on the Select Hub Transport Server dialog box.
    - To remove a Hub Transport server from the hybrid configuration, select the Hub Transport server from the list and then click this button to remove it from the hybrid configuration.
      Note: At least one Exchange 2010 SP2 Hub Transport server is required in a hybrid deployment.
- Click Next.
- On the Mail Flow Settings page, complete the following fields:
  - For the Forefront Online Protection for Exchange inbound connector:
    - Click Add and enter the publicly accessible IP address for a Hub Transport server in your hybrid deployment. Repeat this step to enter IP addresses for multiple Hub Transport servers in your hybrid deployment.
      Note: If you’re using a network firewall device in your on-premises organization, you may have to enter the external IP address of the firewall for the FOPE inbound connector instead of the external IP address of your hybrid Hub Transport servers. FOPE examines the sending IP address for messaging traffic originating from the on-premises organization and verifies that it matches the IP addresses configured for this inbound connector. If these IP addresses don’t match, FOPE refuses the message traffic and messages sent from recipients in the on-premises organization to recipients in the Exchange Online organization aren’t delivered. Additionally, be sure to use IPv4-based IP addresses because IPv6-based IP addresses aren’t supported.
  - For the Forefront Online Protection for Exchange outbound connector:
    - In the Specify the FQDN of the on-premises hybrid Hub Transport servers field, enter the FQDN of a Hub Transport server in your hybrid deployment. For example, enter “mail.contoso.com”.
- Click Next.
- On the Mail Flow Security page, complete the following fields:
  - For Select Transport Certificate, select the drop-down arrow for the Select transport certificate field and then select a valid digital certificate from a trusted certificate authority (CA) that has been installed on all Hub Transport servers in your hybrid deployment.
  - For Mail Flow Path, select one of the following hybrid mail routing options for outbound messages for your Office 365-based mailboxes:
    - Deliver Internet-bound messages directly using the external recipient’s DNS settings: Select this option if you want Office 365 to bypass your on-premises transport servers when routing outbound messages to external recipients.
    - Route all Internet-bound messages through your on-premises Exchange servers: Select this option if you want Office 365 to send all outbound messages to external recipients to your on-premises transport servers. The on-premises hybrid transport servers will be responsible for delivering the messages to external recipients.
- On the Progress page, review the properties for the hybrid configuration changes. Click Manage to update the hybrid configuration.
- On the Completion page, review the following, and then click Finish to close the wizard:
  - A status of Completed indicates that the wizard completed the task successfully.
  - A status of Failed indicates that the task wasn't completed. If the task fails, review the summary for an explanation, and then click Back to make any configuration changes.
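The following is an added example, not part of the original topic: a PowerShell pre-check for the addresses you plan to enter for the FOPE inbound connector on the Mail Flow Settings page. It rejects IPv6 entries and addresses that cannot be a publicly accessible sending address; the helper name Test-FopeInboundAddress and the sample addresses are constructed for illustration.

```powershell
# Added example, not from the original topic. Works in Windows PowerShell 2.0+.
# Test-FopeInboundAddress is a hypothetical helper name.
function Test-FopeInboundAddress {
    param([Parameter(Mandatory=$true)][string[]]$Address)

    foreach ($entry in $Address) {
        $text   = $entry.Trim()
        $ip     = $null
        $reason = $null

        if (-not [System.Net.IPAddress]::TryParse($text, [ref]$ip)) {
            $reason = 'Not an IP address'
        }
        elseif ($ip.AddressFamily -eq 'InterNetworkV6') {
            $reason = 'IPv6 addresses are not supported'
        }
        elseif ($text -notmatch '^\d{1,3}(\.\d{1,3}){3}$') {
            # TryParse accepts shorthand such as "10.1"; insist on four octets.
            $reason = 'Not written as a four-octet IPv4 address'
        }
        else {
            # Ranges that cannot be the address FOPE sees on inbound connections.
            $b = $ip.GetAddressBytes()
            if     ($b[0] -eq 10)                                      { $reason = 'Private range 10.0.0.0/8' }
            elseif ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { $reason = 'Private range 172.16.0.0/12' }
            elseif ($b[0] -eq 192 -and $b[1] -eq 168)                  { $reason = 'Private range 192.168.0.0/16' }
            elseif ($b[0] -eq 127)                                     { $reason = 'Loopback range 127.0.0.0/8' }
            elseif ($b[0] -eq 169 -and $b[1] -eq 254)                  { $reason = 'Link-local range 169.254.0.0/16' }
            elseif ($b[0] -eq 0 -or $b[0] -ge 224)                     { $reason = 'Reserved or multicast range' }
        }

        New-Object PSObject -Property @{
            Address = $text
            Usable  = ($null -eq $reason)
            Reason  = $reason
        } | Select-Object Address, Usable, Reason
    }
}

# Constructed sample input: one documentation-range address standing in for a
# public IP, followed by entries that should be rejected.
Test-FopeInboundAddress -Address '203.0.113.10', '192.168.10.25', '2001:db8::25', '10.1', 'mail.contoso.com' |
    Format-Table -AutoSize
```

A Usable result only means the entry is a well-formed, non-private IPv4 address. It still has to be the address FOPE sees as the sender, which is the firewall's external address when a firewall sits in front of the hybrid Hub Transport servers.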
Use the Shell to configure hybrid deployment properties
You need to be assigned permissions before you can perform this procedure. To see what permissions you need, see the "Hybrid configuration" entry in the Exchange and Shell Infrastructure Permissions topic.
This example updates a default hybrid deployment and disables the secure mail and centralized transport hybrid deployment features. All other default hybrid deployment features, such as free/busy sharing, MailTips, and message tracking, remain enabled.
- Use the following command to disable the secure mail and centralized transport hybrid deployment features.
    Set-HybridConfiguration -Features FreeBusy,MoveMailbox,MailTips,OWARedirection,OnlineArchive,MessageTracking
- Use the following command to specify your on-premises credentials. For example, run this command and then enter “admin@contoso.com” and the associated account password in the credentials dialog when prompted.
    $OnPremisesCreds = Get-Credential
- Use the following command to specify your cloud-based service credentials. For example, run this command and then enter “admin@contoso.onmicrosoft.com” and the associated account password in the credentials dialog when prompted.
    $TenantCreds = Get-Credential
- Use the following command to define the specified credentials that will be used when updating the hybrid configuration object and connecting to the cloud-based service.
    Update-HybridConfiguration -OnPremisesCredentials $OnPremisesCreds -TenantCredentials $TenantCreds
For more information about these hybrid deployment cmdlets, see Set-HybridConfiguration and Update-HybridConfiguration.
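The following is an added example, not part of the original topic: the -Features value replaces the whole feature list, so any feature left out of it is switched off. This helper shows what a proposed list would change before you run Set-HybridConfiguration; the helper name is hypothetical, and the eight-name default set (including SecureMail and CentralizedTransport, the -Features names for the secure mail and centralized transport features) is an assumption stated here rather than taken from this topic.

```powershell
# Added example, not from the original topic. Works in Windows PowerShell 2.0+.
# Assumed default feature set of a new hybrid configuration. The last two names
# are the secure mail and centralized transport features.
$DefaultHybridFeatures = 'FreeBusy', 'MoveMailbox', 'MailTips', 'OWARedirection',
                         'OnlineArchive', 'MessageTracking', 'SecureMail', 'CentralizedTransport'

# Get-HybridFeatureChange is a hypothetical helper name.
function Get-HybridFeatureChange {
    param(
        # Current state, for example (Get-HybridConfiguration).Features
        [string[]]$Current = $DefaultHybridFeatures,
        # The list you intend to pass to Set-HybridConfiguration -Features
        [Parameter(Mandatory=$true)][string[]]$Proposed
    )

    # Catch a mistyped feature name before anything is changed.
    $unknown = @($Proposed | Where-Object { $DefaultHybridFeatures -notcontains $_ })
    if ($unknown.Count -gt 0) {
        throw "Unrecognized feature name(s): $($unknown -join ', ')"
    }

    foreach ($feature in $DefaultHybridFeatures) {
        $before = $Current  -contains $feature
        $after  = $Proposed -contains $feature
        if     ($before -and -not $after) { $change = 'Disabled' }
        elseif ($after -and -not $before) { $change = 'Enabled' }
        else                              { $change = 'Unchanged' }

        New-Object PSObject -Property @{
            Feature = $feature
            Before  = $before
            After   = $after
            Change  = $change
        } | Select-Object Feature, Before, After, Change
    }
}

# The feature list from the first command in this procedure, compared with the
# assumed default set. Only SecureMail and CentralizedTransport are reported.
$proposed = 'FreeBusy', 'MoveMailbox', 'MailTips', 'OWARedirection', 'OnlineArchive', 'MessageTracking'
Get-HybridFeatureChange -Proposed $proposed | Where-Object { $_.Change -ne 'Unchanged' }
```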