Applies to: Exchange Server 2013, Exchange Online

Topic Last Modified: 2013-07-10

Configuring a hybrid deployment in Microsoft Exchange Server 2013 with the Hybrid Configuration wizard greatly minimizes the potential that the hybrid deployment will experience problems. However, there are some typical areas outside the scope of the Hybrid Configuration wizard that, if misconfigured, may present problems in a hybrid deployment. This topic discusses the following common areas where problems may arise and outlines basic steps to verify or correct issues:

For additional information, see Exchange Server 2013 Hybrid Deployments.

For additional management tasks related to hybrid deployments, see Hybrid Deployment procedures.

Important:
This feature of Exchange Server 2013 isn’t fully compatible with Office 365 operated by 21Vianet in China and some feature limitations may apply. For more information, see Learn about Office 365 operated by 21Vianet.

What do you need to know before you begin?

  • Estimated time to complete this task: Varies, depending on type of hybrid deployment issues

  • You need to be assigned permissions before you can perform this procedure or procedures. To see what permissions you need, see the "Hybrid deployments" entry in the Exchange and Shell infrastructure permissions topic.

  • The guidance in this topic applies to hybrid deployments configured using the Hybrid Configuration wizard in Exchange 2013. Hybrid deployments configured with previous versions of Exchange, or hybrid deployments that have been manually configured, are not supported.

  • For information about keyboard shortcuts that may apply to the procedures in this topic, see Keyboard shortcuts in the Exchange admin center.

Tip:
Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.

What do you want to do?

Troubleshoot issues with on-premises Client Access servers

The configuration of the on-premises Client Access servers is typically the area where most problems may occur in a hybrid deployment. Usually, the areas in the Client Access servers that need to be examined are the following:

  • Availability   Correctly publishing the on-premises Client Access servers to the Internet is vital to hybrid features working correctly. You must configure your on-premises firewall or other security appliances to allow inbound access from the Internet to the Autodiscover and Exchange Web Services (EWS) endpoints (HTTPS) on the on-premises Client Access servers. Additionally, the Client Access servers must be configured to accept inbound SMTP mail on TCP port 25. If the Microsoft Exchange Online Protection (EOP) service included in your Office 365 tenant organization can't reach the on-premises Client Access servers, secure mail transport from the Exchange Online organization to the on-premises organization will not function correctly.

  • Certificates   The digital certificate used for secure mail transport between the on-premises and Exchange Online organizations must be installed on all on-premises Client Access servers, must be issued from a third-party certificate authority (CA), must not be expired, and must have the IIS and SMTP services assigned. If these certificate requirements are not met, secure mail transport from the Exchange Online organization to the on-premises organization will not function correctly. More information about certificate requirements is provided in "Troubleshoot issues with Certificates" later in this topic.

How do you know if your Client Access servers are configured correctly?

To verify that you have successfully published your on-premises Client Access servers, use the Microsoft Remote Connectivity Analyzer to verify inbound Internet connectivity to your on-premises Client Access servers. Do the following:

  1. Go to the Remote Connectivity Analyzer tool.

  2. This step is for a general test of EWS tasks to confirm they are working, and that the EWS endpoint is configured.

    Run the Synchronization, Notification, Availability, and Automatic Replies (OOF) test in the Microsoft Exchange Web Services Connectivity Tests section, and verify that there aren’t any errors. If errors occur, correct the items that the test identified.

  3. This step is for a general test of the Autodiscover service to confirm that it’s working, and that the Autodiscover endpoint is configured.

    Run the Outlook Autodiscover test in the Microsoft Office Outlook Connectivity Tests section, and verify that there aren’t any errors. If errors occur, correct the items that the test identified.

  4. This step is for a general test of SMTP connectivity, and confirms that the Client Access servers can receive inbound Internet mail.

    Run the Inbound SMTP E-Mail test in the Internet E-Mail Tests section, and verify that there aren’t any errors. If errors occur, correct the items that the test identified.
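The Remote Connectivity Analyzer steps above are run in a browser. The following PowerShell script is an added example, not part of the original topic, that performs a quick equivalent of the same three checks from a host outside your network: an unauthenticated HTTPS GET to the EWS and Autodiscover paths, and a TCP connect to port 25. The hostnames are assumptions; replace them with your own published names. The script treats HTTP 401 as the healthy answer for EWS and Autodiscover, because both endpoints require authentication and a 401 proves the request reached the Client Access server and was not dropped by a firewall or answered by a proxy that doesn't publish the path. Because .NET validates the server certificate, an untrusted or expired certificate also surfaces here as an "unreachable" result with a trust error in the Detail column.

```powershell
# Added example (not from the original topic). Run from OUTSIDE the corporate
# network, with plain Windows PowerShell; no Exchange cmdlets are needed.
# All three hostnames are assumptions; substitute your published names.
$ExternalEwsHost  = 'mail.contoso.com'          # assumed EWS namespace
$AutodiscoverHost = 'autodiscover.contoso.com'  # assumed Autodiscover namespace
$SmtpHost         = 'mail.contoso.com'          # assumed host that EOP delivers to

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 5000)
    # Plain TCP connect with a timeout; works on Windows Server 2012,
    # which does not have Test-NetConnection.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-PublishedHttpsEndpoint {
    param([string]$Url)
    # An anonymous GET to EWS or Autodiscover should come back as 401 from the
    # Client Access server. A timeout, a TLS trust error, or a 404/502 from a
    # reverse proxy all mean the endpoint is not correctly published.
    $request = [System.Net.WebRequest]::Create($Url)
    $request.Method    = 'GET'
    $request.Timeout   = 15000
    $request.UserAgent = 'HybridEndpointCheck'
    $detail = ''
    try {
        $response = $request.GetResponse()
        $status = [int]$response.StatusCode
        $response.Close()
    } catch [System.Net.WebException] {
        if ($_.Exception.Response) {
            $status = [int]$_.Exception.Response.StatusCode
        } else {
            # No HTTP response at all: DNS, firewall, or certificate trust failure
            $status = 'unreachable'
            $detail = $_.Exception.Message
        }
    }
    return New-Object PSObject -Property @{
        Url     = $Url
        Status  = $status
        Healthy = ($status -eq 401)
        Detail  = $detail
    }
}

$results = @(
    Test-PublishedHttpsEndpoint "https://$ExternalEwsHost/EWS/Exchange.asmx"
    Test-PublishedHttpsEndpoint "https://$AutodiscoverHost/Autodiscover/Autodiscover.xml"
)
$results | Format-Table Url, Status, Healthy, Detail -AutoSize

$smtpOpen = Test-TcpPort -HostName $SmtpHost -Port 25
"Inbound SMTP (TCP 25) to {0}: {1}" -f $SmtpHost, $(if ($smtpOpen) { 'reachable' } else { 'NOT reachable' })
```

A reachable port 25 only shows that the firewall passes the connection; the Remote Connectivity Analyzer's Inbound SMTP test goes further and actually delivers a message, so still run it after this script reports all three checks healthy.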

Troubleshoot issues with certificates

The configuration of the certificates installed on the on-premises Client Access and Mailbox servers may be the source of problems occurring in a hybrid deployment. In most cases, the following certificate-related issues affect hybrid functionality:

  • Certificate type   The digital certificate used for secure hybrid transport and defined in the Hybrid Configuration wizard must be issued from a third-party CA. Self-signed certificates can't be used for hybrid transport authentication. If a self-signed certificate is inadvertently selected or assigned, secure mail transport between the Exchange Online and the on-premises organizations will not function correctly.

  • Assigned services   The Internet Information Services (IIS) and Simple Mail Transfer Protocol (SMTP) services must both be assigned to the digital certificate used for hybrid transport. If either service isn't assigned, secure mail transport between the Exchange Online and the on-premises organizations will not function correctly.

  • Installation   The digital certificate used for secure mail transport between the on-premises and Exchange Online organizations must be installed on all on-premises Client Access and Mailbox servers. If you’re deploying hybrid with on-premises Edge Transport servers, the digital certificate must also be installed on your Edge Transport servers. If the certificate isn’t installed on the on-premises servers, secure mail transport between the Exchange Online and the on-premises organizations will not function correctly.

  • Expiration   The digital certificate used for secure mail transport between the on-premises and Exchange Online organizations must not be expired. If the certificate is expired, secure mail transport between the Exchange Online and the on-premises organizations will not function correctly.

How do you know if your certificates are configured correctly?

To verify that the certificate for hybrid mail transport is correctly configured on your on-premises Client Access and Mailbox servers, do the following:

  1. On an on-premises Client Access or Mailbox server, open the Exchange Management Shell.

  2. In the Shell, run the following command.

    Get-ExchangeCertificate | Format-List
    
  3. Locate the information for the certificate you defined in the Hybrid Configuration wizard that will be used for secure mail transport.

  4. Verify the following parameter values are assigned to the certificate:

    • IsSelfSigned parameter   This parameter value should be False.

    • RootCAType parameter   This parameter value should be ThirdParty (a certificate issued by a third-party CA). Any other value, such as Registry or None, indicates a self-signed or internally issued certificate that can't be used for hybrid transport.

    • Services parameter   This parameter value must include both IIS and SMTP, for example IIS, SMTP. Other services such as IMAP or POP may also be listed; what matters is that neither IIS nor SMTP is missing.

    • NotAfter parameter   This parameter value is the certificate expiration date. The date listed here should not be expired.
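Reading the Format-List output by hand on every server is error-prone, and the certificate must be present on all Client Access and Mailbox servers, not just the one you are logged on to. The following script is an added example, not part of the original topic. It applies the four checks above (self-signed, RootCAType, assigned services, expiration) to every Exchange 2013 Client Access and Mailbox server in the organization, selecting the certificate by the issuer/subject pair the wizard stored in (Get-HybridConfiguration).TlsCertificateName. It assumes that property is present and has the SmtpX509Identifier string form "<I>issuer<S>subject"; the 30-day expiry warning threshold and the Test-HybridCertificate function name are the example's own choices.

```powershell
# Added example (not from the original topic). Run in the Exchange Management
# Shell on an Exchange 2013 server. Edge Transport servers are not domain-joined
# and are not covered here; run Get-ExchangeCertificate on each Edge server directly.
$hybrid = Get-HybridConfiguration
# Assumption: TlsCertificateName is stored as "<I>issuer<S>subject"
$expectedName = [string]$hybrid.TlsCertificateName
if (-not $expectedName) { throw 'No TLS certificate is recorded in the hybrid configuration.' }

# Exchange 2013 (version 15.x) Client Access and Mailbox servers only
$servers = Get-ExchangeServer | Where-Object {
    $_.AdminDisplayVersion.Major -ge 15 -and ($_.IsClientAccessServer -or $_.IsMailboxServer)
}

function Test-HybridCertificate {
    param($Certificate, [datetime]$Now = (Get-Date))
    # Returns a list of problems; an empty list means the certificate passes all checks.
    $services = [string]$Certificate.Services     # e.g. "IIS, SMTP" or "IMAP, POP, IIS, SMTP"
    $problems = @()
    if ($Certificate.IsSelfSigned)                        { $problems += 'self-signed' }
    if ([string]$Certificate.RootCAType -ne 'ThirdParty') { $problems += "RootCAType is $($Certificate.RootCAType)" }
    if ($services -notmatch '\bIIS\b')                    { $problems += 'IIS service not assigned' }
    if ($services -notmatch '\bSMTP\b')                   { $problems += 'SMTP service not assigned' }
    if ($Certificate.NotAfter -le $Now)                   { $problems += "expired on $($Certificate.NotAfter)" }
    elseif ($Certificate.NotAfter -le $Now.AddDays(30))   { $problems += "expires within 30 days ($($Certificate.NotAfter))" }
    return $problems
}

foreach ($server in $servers) {
    $certs = Get-ExchangeCertificate -Server $server.Name
    # Pick the certificate whose issuer/subject pair matches the wizard's choice
    $matches = @($certs | Where-Object { "<I>$($_.Issuer)<S>$($_.Subject)" -eq $expectedName })
    if ($matches.Count -eq 0) {
        "{0}: hybrid certificate NOT INSTALLED ({1})" -f $server.Name, $expectedName
        continue
    }
    foreach ($cert in $matches) {
        $problems = @(Test-HybridCertificate -Certificate $cert)
        if ($problems.Count -eq 0) {
            "{0}: OK  thumbprint {1}, expires {2}" -f $server.Name, $cert.Thumbprint, $cert.NotAfter
        } else {
            "{0}: PROBLEM  thumbprint {1}: {2}" -f $server.Name, $cert.Thumbprint, ($problems -join '; ')
        }
    }
}
```

If a server reports the certificate as installed but with IIS or SMTP missing, assign the services with Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services IIS,SMTP on that server; if it reports NOT INSTALLED, export the certificate with its private key from a server where it passes and import it on the missing server before enabling the services.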

Troubleshooting specific errors of the Hybrid Configuration wizard

If you receive an error while running the Hybrid Configuration wizard, you can frequently resolve the issue by performing a few simple checks or actions. See the following suggestions for resolving specific messages or issues that you may encounter while running the Hybrid Configuration wizard.

  • Message: “Default Receive Connector cannot be found on server <Server Name>”   This message appears if the Receive connector on any Exchange 2013 Client Access server listed in the following attribute isn’t listening on TCP port 25 for both the IPv4 and IPv6 protocols: (Get-HybridConfiguration).ReceivingTransportServers.

    To verify that the Receive connectors on the Exchange 2013 Client Access servers have the correct bindings, run the following command in the Shell.

    Get-ReceiveConnector -Server <Server Name> | FT Identity, Bindings
    

    You should see the following entry listed for your Exchange 2013 Client Access servers: {[::]:25, 0.0.0.0:25}

    If this binding isn’t listed, you need to add it to your Receive connector using the Bindings parameter of the Set-ReceiveConnector cmdlet. For details, see Set-ReceiveConnector.
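The wizard checks every server in ReceivingTransportServers, so the binding must be correct on all of them, not just the one you happen to query. The following script is an added example, not part of the original topic. It walks (Get-HybridConfiguration).ReceivingTransportServers, reports which of the two required port 25 bindings each server lacks, and shows a repair that merges the missing bindings into the connector's existing list. The repair targets the connector named "Default Frontend <Server>", which is the Exchange 2013 Client Access server's default connector; adjust the name if yours differs. The Set-ReceiveConnector call is run with -WhatIf so you can review it before applying.

```powershell
# Added example (not from the original topic). Run in the Exchange Management Shell.
$required = @('0.0.0.0:25', '[::]:25')   # what the wizard expects on each receiving server

function Get-MissingPort25Bindings {
    param([string]$ServerName)
    # Bindings are IPBinding objects; compare their "address:port" string form.
    $present = @()
    foreach ($rc in (Get-ReceiveConnector -Server $ServerName)) {
        $present += @($rc.Bindings | ForEach-Object { $_.ToString() })
    }
    return @($required | Where-Object { $present -notcontains $_ })
}

$hybrid = Get-HybridConfiguration
$report = foreach ($server in $hybrid.ReceivingTransportServers) {
    $missing = Get-MissingPort25Bindings -ServerName $server.Name
    New-Object PSObject -Property @{
        Server  = $server.Name
        Status  = $(if ($missing.Count -gt 0) { 'FIX' } else { 'OK' })
        Missing = $(if ($missing.Count -gt 0) { $missing -join ', ' } else { '(none)' })
    }
}
$report | Format-Table Server, Status, Missing -AutoSize

# Repair. The -Bindings parameter REPLACES the whole list, so build the new
# list from the existing bindings plus the missing ones rather than passing
# only the two port 25 entries, or you will silently drop other bindings.
# Assumption: the default frontend connector is named "Default Frontend <Server>".
foreach ($row in @($report | Where-Object { $_.Status -eq 'FIX' })) {
    $identity  = "$($row.Server)\Default Frontend $($row.Server)"
    $connector = Get-ReceiveConnector -Identity $identity
    $existing  = @($connector.Bindings | ForEach-Object { $_.ToString() })
    $toAdd     = @($row.Missing -split ', ') | Where-Object { $existing -notcontains $_ }
    $newBindings = $existing + $toAdd
    "Would set bindings on {0} to: {1}" -f $identity, ($newBindings -join ', ')
    Set-ReceiveConnector -Identity $identity -Bindings $newBindings -WhatIf   # remove -WhatIf to apply
}
```

After applying the change, re-run the report: the Hybrid Configuration wizard error goes away only once every server in ReceivingTransportServers shows Status OK.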