Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
Topic Last Modified: 2012-02-21
Before you create and configure a hybrid deployment using the Hybrid Configuration wizards, your existing on-premises Exchange organization must meet certain requirements. If you don't meet these requirements, you won't be able to complete the steps within the Hybrid Configuration wizards and you won't be able to configure a hybrid deployment between your on-premises Exchange organization and the Exchange Online organization in Microsoft Office 365.
Prerequisites for Hybrid Deployment
The following prerequisites are required for configuring a hybrid deployment:
- On-premises Exchange
organization On-premises Exchange 2003-based
organizations or later are required for a hybrid deployment. For
Exchange 2003 and Exchange 2007 organizations, at least one
Exchange 2010 Service Pack 2 (SP2) server must be installed in the
on-premises organization to run the Hybrid Configuration wizards
and support hybrid deployment functionality. All other on-premises
Exchange servers must have the latest service packs installed.
Learn more at: What's New in Exchange 2010 SP2.
- Install Exchange rollup packages You
must install the latest Exchange 2010 SP2 rollup packages on all
hybrid servers to properly configure and avoid problems when
configuring a hybrid deployment. Microsoft releases update rollup
packages approximately every six to eight weeks. The rollup
packages are available via Microsoft Update and also through the
Microsoft Download Center. In the Search box on the Microsoft
Download Center, type "Exchange 2010 SP2 update rollup" to find
links to the Exchange 2010 SP2 rollup packages.
Find update rollup packages at: Microsoft Download Center
- Office 365 for enterprises An
Office 365 for enterprises tenant and administrator account
and user licenses available on the cloud service to configure a
Learn more at: Sign up for Office 365
- Custom domains Register any custom
domains you want to use in your hybrid deployment with
Office 365. You can do this by using the Office 365
Administrative portal, or by optionally configuring Active
Directory Federation Services (AD FS) in your on-premises
Learn more at: Add your domain to Office 365
- Active Directory synchronization Deploy
Office 365 Active Directory synchronization in your
Important: If you signed up for your Office 365 tenant organization during the Office 365 beta program and enabled Active Directory synchronization, you must run the following Shell command in your Office 365 organization to create a coexistence domain (<domain>.mail.onmicrosoft.com) for your organization.
Set-MsolDirsyncEnabled -EnableDirsync $true
- Client Access and Hub Transport
servers Install one or more Exchange 2010 SP2
Client Access and Hub Transport servers in your on-premises
organization. If you’re configuring a hybrid deployment for an
Exchange 2003 on-premises organization, you must also install the
Mailbox Server role on at least one Exchange 2010 SP2 server added
for the hybrid deployment.
- Autodiscover DNS records Configure the
Autodiscover public DNS records for your existing SMTP domains to
point to an on-premises Exchange 2010 SP2 Client Access server.
- Office 365 organization in the Exchange Management Console
(EMC) Add the Office 365 organization to
the EMC. This will allow you to manage both the on-premises and
cloud Exchange organizations from a single management console.
Learn more at: Add an Exchange
- Exchange Web Services Configure the
ExternalURL parameter for the default Exchange Web Services
(EWS) virtual directory with the externally accessible, fully
qualified domain name (FQDN) of the hybrid Exchange 2010 SP2 Client
Access server included in your hybrid deployment. Learn more at:
Exchange Web Services Virtual Directories
Important: Pre-authentication connections to the /EWS/exchange.asmx/wssecurity, /autodiscover/autodiscover.svc/wssecurity, and /EWS/MRSProxy.svc/wssecurity virtual directories must be turned off. Authentication for these virtual directories must use the Exchange federation trust certificate and federation claims.
- Certificates Install and assign
Exchange services to a valid digital certificate purchased from a
trusted certificate authority (CA). Although self-signed
certificates can be used for the on-premises federation trust with
the Microsoft Federation Gateway, self-signed certificates can’t be
used for Exchange services in a hybrid deployment. The Internet
Information Services (IIS) instance on the Client Access servers
configured in the hybrid deployment must have a valid digital
certificate purchased from a trusted certificate authority (CA).
Additionally, the EWS external URL and the Autodiscover endpoint
specified in your public DNS must be listed in Subject Alternative
Name (SAN) of the certificate. The Hub Transport servers used for
mail transport in the hybrid deployment must all use the same
certificate (have matching certificate thumbprints).
After you’ve made sure your Exchange organization meets these requirements, you’re ready to use the New Hybrid Deployment wizard. For detailed guidance, see Create a New Hybrid Deployment.
Recommended Tools and Services
In addition to the required prerequisites described earlier, other tools and services are beneficial when you’re configuring hybrid deployments with the Hybrid Configuration wizards:
- Remote Connectivity Analyzer tool The
Microsoft Remote Connectivity Analyzer tool checks the external
connectivity of your on-premises Exchange organization and makes
sure that you’re ready to configure your hybrid deployment. We
strongly recommend that you check your on-premises organization
with the Remote Connectivity Analyzer tool prior to configuring
your hybrid deployment with the Hybrid Configuration wizard.
Learn more at: Remote Connectivity Analyzer Tool
- Single sign-on Although not a
requirement for hybrid deployments, single sign-on enables users to
access both the on-premises and cloud-based organizations with a
single user name and password. Single sign-on provides users with a
familiar sign-on experience and allows administrators to easily
control account policies for cloud-based organization mailboxes by
using on-premises Active Directory management tools. If you decide
to deploy single sign-on with your hybrid deployment, we recommend
that you deploy it in conjunction with Active Directory
synchronization and before using the Hybrid Configuration
Learn more at: Prepare for single sign-on