Exchange 2016 Hybrid deployment – Part one

Following my recent post (https://marcoschiavon.net/migrate-from-exchange-2010-13-to-exchange-2016-part-four/), where we left our environment freshly migrated to Exchange 2016, we now want to set up an Office 365 hybrid deployment.

Before we start, there are several requirements to meet for a working SSO experience, both in browsers and in apps like Outlook/Office.

First, we need to ensure that the following URLs aren’t inspected by any “man in the middle” device, such as a firewall’s deep packet inspection.

  • mscrl.microsoft.com HTTP/80
  • *.verisign.com HTTP/80
  • *.entrust.net HTTP/80
  • *.windows.net HTTPS/443
  • secure.aadcdn.microsoftonline-p.com HTTPS/443
  • *.microsoftonline.com HTTPS/443
  • autologon.microsoftazuread-sso.com HTTPS/443
  • aadg.windows.net.nsatc.net HTTPS/443
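A quick way to see whether one of the HTTPS endpoints above is being intercepted is to open a TLS session from a domain-joined client and look at who issued the certificate it presents: behind an inspecting proxy or firewall the issuer will be that device’s own CA rather than a public one. The script below is an added example (not part of the original post); it assumes login.microsoftonline.com as a representative host for the *.microsoftonline.com wildcard, and it cannot check the HTTP/80 CRL hosts, which carry no certificate.

```powershell
# Added example: report the issuer of the certificate each SSO endpoint presents.
# A corporate/inspection CA in the Issuer column means the URL is being decrypted
# in the path and must be excluded from inspection.
$ssoHosts = @(
    'autologon.microsoftazuread-sso.com',
    'aadg.windows.net.nsatc.net',
    'secure.aadcdn.microsoftonline-p.com',
    'login.microsoftonline.com'   # assumed representative host for *.microsoftonline.com
)

function Get-TlsIssuer {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any certificate here: we only want to see who issued it, not trust it.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host     = $HostName
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
        }
        $ssl.Dispose()
    }
    catch {
        [pscustomobject]@{ Host = $HostName; Subject = $null; Issuer = "ERROR: $($_.Exception.Message)"; NotAfter = $null }
    }
    finally {
        $client.Dispose()
    }
}

$ssoHosts | ForEach-Object { Get-TlsIssuer -HostName $_ } | Format-Table -AutoSize
```

Run it from a client on the internal network (the same path users take), not from the Exchange server: it is the client-to-Internet path that breaks Seamless SSO when the autologon endpoint is intercepted.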

Secondly, we need a GPO that adds these URLs to the “Local intranet” zone:

  • https://aadg.windows.net.nsatc.net
  • https://autologon.microsoftazuread-sso.com

Location :

User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page

Edit the “Site to Zone Assignment List” setting.

The number on the right follows this table:

Zone                Zone ID
Local intranet      1
Trusted sites       2
Internet            3
Restricted sites    4

NB: if you want to avoid the Internet settings being greyed out for users, follow Alan Burchill’s guide.
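The “Site to Zone Assignment List” setting ends up as string values under the per-user policy key HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey, with the URL as the value name and the zone ID from the table above as the data. The script below is an added example (not from the original post) that writes the two SSO URLs with zone ID 1 and reads them back, so you can check on a test client that the policy landed as intended before relying on it.

```powershell
# Added example: populate and verify the Site to Zone Assignment List entries
# for the two Seamless SSO URLs (zone ID 1 = Local intranet).
$zoneMapKey = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

# Zone IDs as used by the GPO setting
$zoneId = @{ LocalIntranet = 1; TrustedSites = 2; Internet = 3; RestrictedSites = 4 }

$ssoUrls = @(
    'https://aadg.windows.net.nsatc.net',
    'https://autologon.microsoftazuread-sso.com'
)

if (-not (Test-Path $zoneMapKey)) {
    New-Item -Path $zoneMapKey -Force | Out-Null
}

foreach ($url in $ssoUrls) {
    # Value name is the URL itself; data is the zone ID stored as REG_SZ, the way GPO writes it
    New-ItemProperty -Path $zoneMapKey -Name $url -Value ([string]$zoneId.LocalIntranet) `
        -PropertyType String -Force | Out-Null
}

# Verification: every SSO URL must resolve to zone 1, anything else breaks the Kerberos hand-off
$props = Get-ItemProperty -Path $zoneMapKey
foreach ($url in $ssoUrls) {
    $assigned = $props.$url
    if ($assigned -eq [string]$zoneId.LocalIntranet) {
        "OK       $url -> Local intranet"
    } else {
        "MISSING  $url -> '$assigned' (expected $($zoneId.LocalIntranet))"
    }
}
```

Writing the key by hand is only for testing on one machine; in production the GPO above should own these values, and the verification half of the script is the part worth keeping (run it after a gpupdate on a pilot client).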

Another thing to do is to enable “Modern Authentication”, so that SSO works for apps like Outlook, Office 365, Teams and so on.

Connect to your tenant with PowerShell and run:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true -Verbose

Get-OrganizationConfig | Format-Table -Auto Name,OAuth*

Now we proceed with the integration of on-premises AD with Azure AD.

First, we need to register our domain in Office 365; once that is done, we can proceed.

Connect to https://portal.office365.com, go to the Azure section and download Azure AD Connect.

Install it and accept the license terms.

Select “Customize” and then “Install”.

Select “Password Hash Sync” and “Enable single sign-on”.

Enter your Azure AD global admin credentials.

Connect to your AD

Let the wizard create the AD account used for the periodic sync by itself.

Now select “Next”.

As we see below, the domain labincloudres.com isn’t verified yet.

So, go to the Office 365 portal and verify your domain.

Now we can continue.

In our case the AD forest is labincloudres.local and we also have the UPN suffix labincloudres.com. For this reason, we need to tick the option below to continue.

Select the OUs or the whole forest that you want to sync (we will filter afterwards).

Leave the defaults.

Add a user group that you’ve created beforehand (in my case sync_Users_to_365) and resolve it.

In this case I also add Exchange (we need Exchange hybrid as well).

Enter an AD admin account.

If you want, enable staging mode, then install.

Common warnings

We continue in the next post.
