Migrate Exchange Hybrid Server to another domain

Migrate Exchange Hybrid server

If you only want to manage the users in Exchange Online but want to keep Exchange Hybrid, it is recommended to keep one hybrid server connected to your Office 365 tenant. Make sure you migrate the remaining mailboxes to Office 365 first.

When all users are in Office 365, install another Exchange server in the other domain and turn it hybrid.

Note: you have to change the configuration of your Azure AD Connect to accomplish this.

In this blog I will explain step by step how to achieve this.

Install Exchange 2016 in the user forest

Install EX2016 in the (new) user forest and set the SCP to null to prevent any Autodiscover lookups from landing on it. You can use the command below to do this. Changing the SCP record shouldn't affect the existing deployment in the other forest. It is recommended to set the SCP to null as soon as the installation of EX2016 has completed; this is more of a precaution than anything else, as all the Autodiscover DNS entries already point to Exchange Online.

# Clear the Autodiscover SCP on every Exchange 2013/2016 server in this forest.
# Exchange 2016 reports "Version 15.1" and only the "Mailbox" role, so the version
# wildcard is 15.* and the role check accepts both ClientAccess and Mailbox.
# The URI is set to $null (an unquoted https://$null would expand to the string "https://").
Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 15.*") -And ($_.ServerRole -Like "*ClientAccess*" -Or $_.ServerRole -Like "*Mailbox*")} | Set-ClientAccessServer -AutoDiscoverServiceInternalUri $null

Configure new Exchange server

Add the Office 365 mail routing domain as a remote domain on your Exchange server. You can do this in the Exchange Admin Center (EAC) of your Exchange server. If there already is a connector, you can see it in the overview.

To add a mail flow connector, click the + button.

Select your Exchange server and follow the instructions. You can also do this in PowerShell (make sure you use the Exchange Management Shell).

# -Fqdn must be a name present on the server's TLS certificate; the smart host is the
# Exchange Online Protection MX host for the tenant, so no DNS routing is needed.
New-SendConnector -Name J3Rmeyer -AddressSpaces * -CloudServicesMailEnabled $true -Fqdn mail.jerrymeyer.nl -RequireTLS $true -DNSRoutingEnabled $false -SmartHosts jerrymeyer.nl.mail.protection.outlook.com -TlsAuthLevel CertificateValidation

This command creates a send connector with the following settings:

  • Name   j3rmeyer
  • FQDN   mail.jerrymeyer.nl
  • SmartHosts   jerrymeyer.nl.mail.protection.outlook.com

If you have multiple connectors, take a look at the TechNet page where all the details are explained.

*Source: Microsoft TechNet

Export Exchange Attributes

Export the Exchange attributes from the resource forest account. If you have read my blog about migrating Azure AD Connect to another domain/forest, you will see that there are a lot of similarities.

Link to former blogpost

It is important that you export the attributes below.

  • userPrincipalName
  • proxyAddresses
  • legacyExchangeDN
  • targetAddress

When running hybrid you need the attributes above plus the ones below.

  • msExchRecipientTypeDetails
  • msExchMasterAccountSid
  • msExchRecipientDisplayType
  • msExchRemoteRecipientType

*Note: check in your user environment that the MEU and Exchange GUIDs match. Also check that the msExchMasterAccountSid is populated. The msExchMasterAccountSid is used to merge the users within the metaverse of Azure AD Connect, so that only one user shows up in the Office 365 tenant.

Azure AD Connect pt1

When you have exported all the attributes it is time to stop Azure AD Connect. You can do this with the commands below.

To disable directory synchronization in the Office 365 tenant:

Set-MsolDirSyncEnabled -EnableDirSync $false

Check if it is enabled:

Remove the resource forest account from the Azure AD Connect scope so it only syncs from the user forest account.

Import Exchange Attributes

Import the Exchange attributes to the user forest account and make sure to run the Enable-RemoteMailbox command to match the mailboxes online with the user accounts on-premises.

Enable-RemoteMailbox jerry -RemoteRoutingAddress jerry@j3rmeyer.mail.onmicrosoft.com

The Enable-RemoteMailbox command can be run immediately after creating the user account in Active Directory, so there is no need to wait for the next AAD Connect synchronization cycle to complete before enabling the mailbox. Once the user account has been provisioned to AAD, the mailbox will automatically be created or matched.
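As an added example that is not from the original post, the script below exports the attributes listed above from the resource forest and stamps them onto the matching user forest accounts, ready for Enable-RemoteMailbox. It assumes the ActiveDirectory module, that sAMAccountName is identical in both forests, and made-up DC names and a CSV path.

```powershell
# Added example, not part of the original post: export the Exchange attributes
# from the resource forest and import them into the matching user-forest accounts.
# Assumes the ActiveDirectory module, identical sAMAccountName in both forests,
# and the made-up DC names and CSV path below.
Import-Module ActiveDirectory

$ResourceDC = 'dc01.resource.local'          # assumed resource-forest DC
$UserDC     = 'dc01.user.local'              # assumed user-forest DC
$Csv        = 'C:\Temp\exchange-attributes.csv'

$Attrs = 'userPrincipalName','proxyAddresses','legacyExchangeDN','targetAddress',
         'msExchRecipientTypeDetails','msExchMasterAccountSid',
         'msExchRecipientDisplayType','msExchRemoteRecipientType'
# Integer-typed attributes must go back as numbers, not CSV strings
$Int = @{ msExchRecipientTypeDetails=[int64]; msExchRecipientDisplayType=[int32]; msExchRemoteRecipientType=[int64] }

# Step 1, resource forest: export every mail-enabled account. proxyAddresses is
# multi-valued (joined with ';'); msExchMasterAccountSid is a SID (kept as SDDL text).
Get-ADUser -Server $ResourceDC -Filter 'msExchRecipientTypeDetails -like "*"' -Properties $Attrs |
    Select-Object sAMAccountName, userPrincipalName, legacyExchangeDN, targetAddress,
        msExchRecipientTypeDetails, msExchRecipientDisplayType, msExchRemoteRecipientType,
        @{n='proxyAddresses';         e={ $_.proxyAddresses -join ';' }},
        @{n='msExchMasterAccountSid'; e={ [string]$_.msExchMasterAccountSid }} |
    Export-Csv -Path $Csv -NoTypeInformation

# Step 2, user forest: import per account so one bad row does not abort the batch.
# The UPN is compared, not overwritten: together with the source anchor it drives the match in AAD Connect.
foreach ($row in Import-Csv -Path $Csv) {
    $target = Get-ADUser -Server $UserDC -Filter "sAMAccountName -eq '$($row.sAMAccountName)'" -Properties userPrincipalName
    if (-not $target) { Write-Warning "No user-forest account for $($row.sAMAccountName)"; continue }
    if ($target.userPrincipalName -ne $row.userPrincipalName) {
        Write-Warning "UPN mismatch for $($row.sAMAccountName): '$($target.userPrincipalName)' vs '$($row.userPrincipalName)'"
    }
    $set = @{}
    foreach ($a in 'legacyExchangeDN','targetAddress','msExchRecipientTypeDetails',
                   'msExchRecipientDisplayType','msExchRemoteRecipientType') {
        if ($row.$a) { $set[$a] = if ($Int[$a]) { $row.$a -as $Int[$a] } else { $row.$a } }
    }
    if ($row.proxyAddresses) {
        # Keep the X500: entry carrying the old legacyExchangeDN so replies to old mail still resolve
        $set['proxyAddresses'] = [string[]]($row.proxyAddresses -split ';')
    }
    if ($row.msExchMasterAccountSid) {
        # The attribute is stored as a binary SID, so convert the SDDL text back to bytes
        $sid   = [System.Security.Principal.SecurityIdentifier]$row.msExchMasterAccountSid
        $bytes = New-Object byte[] $sid.BinaryLength
        $sid.GetBinaryForm($bytes, 0)
        $set['msExchMasterAccountSid'] = $bytes
    }
    Set-ADUser -Server $UserDC -Identity $target -Replace $set
}
```

Run step 1 with an account that can read the resource forest and step 2 with one that can write the user forest; review the UPN-mismatch warnings before enabling any remote mailbox, since a mismatched UPN will not merge into the existing cloud user.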

Azure AD Connect pt2

When you have imported the Exchange attributes and matched the mailboxes, it is time to enable Azure AD Connect again.

To enable directory synchronization in the Office 365 tenant:

Set-MsolDirSyncEnabled -EnableDirSync $true

Check if it is enabled:


Change Azure AD configuration

When Azure AD Connect is doing its work and you have tested the mailboxes, it is time to remove the resource forest. To remove the resource forest account from Azure AD Connect you have to go to the configuration panel of Azure AD Connect.

Go to containers and untick the domain.

Decommission hybrid from resource forest

In this step we start with a note.

*Note: be sure to establish mail flow in your new environment prior to decommissioning Exchange hybrid, or queue the mails from on-premises.

Below you find a list of what to do.

  1. Move all legacy Exchange mailboxes to the newly deployed Exchange Server 2013/2016 in the organization.
  2. Move all content from the public folder database on the Exchange server to a public folder database on an Exchange server in the organization.
  3. Remove the public folder mailbox and stores on the Exchange server.
  4. On Exchange servers, for each offline address book (OAB), move the generation process to an Exchange 2013/2016 server. Ensure 2013/2016 is the one generating/serving OABs for users.
  5. Remove all added database copies of mailbox databases so each database has a single copy in Exchange Server.
  6. Remove all nodes from any existing Exchange Server Database Availability Group.
  7. Delete the Exchange Server Database Availability Group.
  8. Optional: set the RpcClientAccessServer value of all databases to the FQDN of their server.
  9. Optional: remove the CAS Array object(s).
  10. Check the SMTP logs to see if any outside systems are still sending SMTP traffic to the servers via hard-coded names.
  11. Start removing mailbox databases to ensure no arbitration mailboxes still exist on Exchange servers.
  12. Verify that Internet mail flow is configured to route through your Exchange 2013/2016 transport servers.
  13. Verify that all inbound protocol services (Microsoft Exchange ActiveSync, Microsoft Office Outlook Web App, Outlook Anywhere, POP3, IMAP4, the Autodiscover service, and any other Exchange Web service) are configured for Exchange 2013/2016.
  14. Start uninstalling Exchange Server and reboot the server.

*Source: TechNet blog

Configure hybrid in user forest

I think most of you know how to do this. If not, check out Jaap Wesselius's blog.


I think I have captured most of the migration. If you notice something is missing, incomplete or wrong, please notify me.

22 thoughts on “Migrate Exchange Hybrid Server to another domain”

  1. Hi

    We are in the same boat. Two different customers. They want to move to O365 + They want to move to new forest.

    I agree that moving on-prem users to exchange online must be done before moving. However what are the high level order of doing this??

    Something like this will help please…

    – Migrate all users to O365
    – Populate those few attributes for migrated users on destination forest..
    – Stop and Remove AADConnect sync on source forest
    – Install AADConnect on destination forest….

    Would you please clarify that?

    Thank you

    1. Hi Mike,

      – Stop and Remove AADConnect sync on source forest
      – Install AADConnect on destination forest….
      – Connect old domain and new domain in AADconnect
      – Migrate all users to O365
      – Populate those few attributes for migrated users on destination forest..
      – Decommission old Exchange except the Hybrid
      – Migrate the Hybrid to new domain

  2. Hi

    Thank you for that.

    One thing that is missing here is “distribution groups” that are getting synced from original forest.

    How can we go about that?

    1. Just handle these like any other Active Directory object or user: just move them over with ADMT to the new domain. To sync them correctly, make sure they are mail enabled and the mail attribute and UPN are filled.

      1. Hi

        I don’t know if I can just use ADMT to move a distribution group to a different forest especially if that forest doesn’t have exchange and its attributes.

        How did you go about doing this? Let’s not forget about LegacyExchangeDN as well if someone is going to reply to old emails.

        Thank you

        1. Haven't you already migrated the distribution lists to EXO? If not, then I would recommend creating them fresh in the new domain.

  3. Wait a second..

    Shouldn’t you also bring over “targetaddress” attribute to the new forest for all the mailboxes?

    I am sure you need that …….

    1. Yes, you are right; it is so logical to me that I forgot to mention it. I have added it to the post. Thanks for noticing it 🙂

  4. Hi. Another item that I think is missing is the “accepted domains”.

    That needs to be configured on the newly built exchange server; matching the email domains that you had on the existing/old forest exchange server. Needed for both hybrid AND management setups.

    Don’t you agree?

    1. I agree, only it is mandatory, so I assume people know this stuff just like namespaces and email policies.

  5. Hey, I suppose I read through this and My situation is a bit different. I have a trust set up with the new company that we bought, I also migrated Azure connect to a new server and included the new domain (B). We have most of the users mailboxes migrated up to O365, there are some auxiliary mailboxes still on prem. in the B domain.

    I am looking to migrate all the users to current domain (A), my first question is about adding the B domain UPN to out A domain. Will this break anything? I need to migrate users from B to A and keep the same B UPN and also have that new migrated user still connect to the same mailbox in O365.

    In this process I also want to decommission the domain B exchange Server, what steps am I missing? anything need to be done for mailflow?

    1. As we discussed on Twitter, just move the users first with ADMT, then sync them from one domain. Don't forget the attributes which ADMT will not move:
      • Object globally unique identifier (GUID)

      And when syncing make sure that you change your immutable ID to MSexchconguid or masteraccountsid for the merge in AAD Connect

  6. Hi

    Another thing…….

    Statement above that says “Add Office 365 mail routing domain as remote domain in you exchange server. You can do this at the Exchange Admin Center (EAC) of your exchange server. ” is incorrect.

    That change must be made in exchange online portal and NOT the on-premises exchange server. Technet article also says it.

    Those settings don’t exist on the exchange on-prem even if it is version 2016.

    Thank you

    1. This is a mention of the new connectors that are created, so your mail flow is in the right order when implementing a new hybrid server. With mail routing domain I mean tenantname.mail.onmicrosoft.com, which is created by default when running the HCW. Just look at the screenshots!

  7. Hi

    How do you go about HCW and autodiscover?

    As far as I know autodisocver.emaildomain.com pointing to the local exchange server acting as hybrid is a requirement even if you choose “minimal” during the wizard run in new forest.

    What gives? After all with everything being migrated to O365 already, you have your autodiscover pointing to autodiscover.outlook.com!

    1. Most of the time I recommend using the server that has the Hybrid service as a management server, even if all mailboxes are migrated. In this case the autodiscover keeps pointing on-premises.

  8. Hello, After reading this post and all replies, this thread is the closest to my scenario so I would really appreciate your thoughts and knowledge on the best approach to accomplish the following. (I posted this on MS Tech forum, but have not received any replies so far)

    I need to migrate my existing AD domain/forest, to a new one…below are specifics:

    Current.local domain/forest is in a hybrid configuration with Exchange 2016. All mailboxes are remote in O365 and we are using AAD with password sync.

    The plan is to migrate to New.net domain/forest in the same O365 tenancy keeping the current user’s UPN/Email addresses of user@company.com. (obviously used because .local was not routable)

    The new.net domain has the schema extended for Exchange in preparation for a new Exchange server and ADMT is deployed and testing has been done to migrate user objects successfully with the SID history. I added the @company.com UPN in AD prior to migrating the test user account, so the migrated test account had both company.net (new domain) and company.com UPNs. After logging into the new domain, all domain resources are accessible via the Trust to the old domain, and O365 is accessible using user@company.com. The thought is to be able to migrate users in batches, and keep everything in sync by making any changes in the old domain and rerunning ADMT as necessary. AAD connect is currently not running in this new domain.

    So my questions revolve around the Exchange/Hybrid configuration and AAD connect. The end goal is to have the New.net domain running in a Hybrid scenario with a new Exchange server and AAD connect syncing AD. I need to understand the order and steps needed to accomplish this hopefully with a staged approach, and little or no down time…Thanks in advance for the help!

    1. If I understand correctly you want to move to a new AD and migrate the Exchange environment and AD Connect to that forest as well. For this move I would perform the following steps.

      Move all users over to new domain. Make sure you include the attributes below to your migration script.

      msExchMasterAccountSid/ MSdsConsistencyGuid (or whatever other sourceanchor you use)

      Don't forget to include the proxyAddresses with X500 in the script, or else you get issues with resolving the mail addresses from older emails.

      When this is done you need to perform an action that makes every user Cloud only for some time. If that is done you need to install a new AD connect server in the newdomain and then it is time to sync the newly migrated users to your Office 365 tenant.

      Remove the hybrid and decommission your on-premises Exchange environment. Install a new Exchange server in the new domain and add the Hybrid functionality to the newly installed Exchange server. Exchange should detect every user with a mailbox just like it was in the old environment. Therefore you migrated the attributes listed before; these in combination with the source anchor and the UPN will create a match with the new users.

      The second option regarding ADConnect is setup a second ADconnect server in the new domain. And let the new and old account merge based on the source anchor.

      If you need any additional advice please contact me on LinkedIn 🙂

  9. Hi, when you installed Hybrid Exchange in the new domain did you keep the existing Org name or did you change it?

  10. When you say “It is important that you export the Attributes below”…by what means are you exporting/importing them?

    1. It is important that these attributes are the same in the new environment. So when, for instance, you are moving from domainA.local to domainB.local, you need to export them from domainA.local and import them in domainB.local. You can do this with PowerShell. Just export them to CSV or XML and import them.
