I’ve previously discussed the different migration methods for Office 365, and the benefits of a Hybrid deployment. In this article, I’ll prepare my Exchange organization for Hybrid deployment.

The current on-premises environment is running:

  • 2 x Exchange 2016 Mailbox servers
  • 1 x Exchange 2013 multi-role server
  • 1 x Exchange 2013 Edge Transport server
  • 1 x Exchange 2010 multi-role server

All servers are fully patched and updated to meet the support requirements for running a Hybrid configuration.

There is a load balancer in place for both internal and external client access to Exchange, which distributes client traffic between the available Exchange 2013 and 2016 servers. User mailboxes are distributed across all three versions of Exchange.

When mailboxes are migrated to Exchange Online I want users to log on using their on-premises Active Directory credentials, so I’ll be deploying directory synchronization with password sync as the identity model.

The Exchange organization is experiencing a problem with spam, so inbound mail flow will be moved to the cloud to take advantage of Exchange Online Protection, using the Edge Transport server between the cloud and on-premises environments.

An Office 365 tenant with E3 licenses has been provisioned, ready to use for the Hybrid deployment.

Adding Domain Names to Office 365

The Exchange organization uses a domain of “exchangeserverpro.net”, so I need to add that custom domain to the Office 365 tenant. This task is performed in the Office 365 admin portal, in the Domains section.


When you add a domain Microsoft will provide you with a TXT record value to add to the public DNS zone for that domain, which proves that you own and control the domain.


After successfully verifying domain ownership we’re also given the option to update existing user accounts to use the new domain, or add new accounts. I’ve skipped both options in this case, and proceeded to the DNS records. For this organization I host my own DNS records in Amazon Web Services Route 53.


I’m also planning to use the domain for Outlook, Skype, and MDM. The selections at this step determine which DNS records Microsoft will ask you to create.


The full list of DNS records to add is presented. A word of caution here; I’m not ready to direct mail flow and Autodiscover to Office 365 yet, because I’m just making preparations for my Hybrid deployment at this stage. So the Autodiscover, SPF and MX records will not be added to my DNS zone now. The other records can be added at this time though.


We can ignore the errors for the records that aren’t ready to be deployed or changed at this stage.
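
The staging rule above (verification and service records now; MX, SPF and Autodiscover later) can be checked against the zone before moving on. This is an added example, not code from the original article; the function name, the Name/Type/Value record shape and the sample zone are assumptions made for illustration.

```powershell
# Added example. Record objects use a hypothetical Name/Type/Value shape; live
# Resolve-DnsName output can be mapped into it (NameExchange for MX,
# NameHost for CNAME, Strings for TXT).
function Find-PrematureCutover {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [Parameter(Mandatory)] [string]   $Domain
    )
    # The three records the article defers, and the Office 365 value each would carry.
    $deferred = @(
        @{ Name = $Domain;                Type = 'MX';    Pattern = '\.mail\.protection\.outlook\.com\.?$' }
        @{ Name = "autodiscover.$Domain"; Type = 'CNAME'; Pattern = '^autodiscover\.outlook\.com\.?$' }
        @{ Name = $Domain;                Type = 'TXT';   Pattern = 'include:spf\.protection\.outlook\.com' }
    )
    foreach ($r in $Records) {
        foreach ($d in $deferred) {
            # -eq and -match are case-insensitive, which suits DNS names.
            if ($r.Name -eq $d.Name -and $r.Type -eq $d.Type -and $r.Value -match $d.Pattern) {
                [pscustomobject]@{
                    Name    = $r.Name
                    Type    = $r.Type
                    Value   = $r.Value
                    Finding = 'Already points at Office 365; defer until Hybrid is configured'
                }
            }
        }
    }
}

# Constructed sample zone; every value below is illustrative.
$zone = @(
    [pscustomobject]@{ Name = 'exchangeserverpro.net'; Type = 'TXT'; Value = 'MS=ms00000000' }    # ownership proof (placeholder)
    [pscustomobject]@{ Name = 'exchangeserverpro.net'; Type = 'TXT'; Value = 'v=spf1 mx -all' }   # existing on-premises SPF
    [pscustomobject]@{ Name = 'exchangeserverpro.net'; Type = 'MX';  Value = 'mail.exchangeserverpro.net' }
    [pscustomobject]@{ Name = 'sip.exchangeserverpro.net'; Type = 'CNAME'; Value = 'sipdir.online.lync.com' }  # Skype record, safe to add now
    [pscustomobject]@{ Name = 'autodiscover.exchangeserverpro.net'; Type = 'CNAME'; Value = 'autodiscover.outlook.com' }  # added too early
)

Find-PrematureCutover -Records $zone -Domain 'exchangeserverpro.net' | Format-List
```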


Configuring Active Directory Synchronization

To get started with Active Directory synchronization I need to enable it in my Office 365 tenant. After logging in to the Office 365 portal with a tenant admin account, go to Users -> Active Users, and click Manage for Active Directory synchronization.



The directory sync status should be set at “deactivated” if this is the first time you’ve looked here. Click the button to Activate directory sync.


Preparing for Directory Synchronization

While we’re here I’ll also download the IdFix Tool to run in the on-premises Active Directory. IdFix scans your Active Directory for any objects or attributes that might cause a problem with directory synchronization, and you should always run it as part of your preparation. Fortunately in my case, there are no problems reported.


Installing Azure Active Directory Connect

Next, I’m going to download and install Azure Active Directory Connect (AAD Connect). AAD Connect is the latest tool from Microsoft for deploying directory synchronization, replacing the earlier DirSync and AADSync tools. If you’re deploying a Hybrid configuration today, I recommend you start with AAD Connect. However, there are some scenarios where the other tools may be required instead. You can read more about those in our eBook, Office 365 for Exchange Professionals.

AAD Connect has an express setup option, which I am going to use to speed up the install since it meets the basic requirements of my scenario.


Enter the Azure AD credentials (this is the Office 365 tenant admin account that was created while provisioning the tenant).


Then enter the on-premises Active Directory Enterprise Admins credentials.


Before completing setup I need to uncheck the box so that synchronization doesn’t start immediately, and then check the box for Exchange hybrid deployment.


Finally, I click Install to let setup go ahead and install AAD Connect on my server.


Configuring Azure Active Directory Connect

I want to customize my AAD Connect configuration before I start synchronizing, but before I do anything I first need to log out and log back in to the server. After logging back in, open the Synchronization Service Manager. Select Connectors, then open the properties of the Active Directory Domain Services connector.


In Configure Directory Partitions go to Containers. There’s a prompt for credentials at this step, so just enter your administrator credentials to proceed.


By default, all of the containers in Active Directory are selected for synchronization. The customization I want to make in this case is to deselect everything except my “Company” OU, so that not every object in the on-premises Active Directory is synchronized to the cloud (for example, I don’t want service accounts synchronizing).


After applying that change, it’s time to enable synchronization.
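
Before the schedule is enabled, the selected OU can be audited for accounts that should not reach Azure AD, such as the service accounts mentioned above. This is an added example, not code from the original article; the function name, the domain DN and the sample accounts are assumptions, and the property names match what Get-ADUser returns when called with -Properties adminCount,servicePrincipalName.

```powershell
# Added example. Flags accounts inside the synchronized OUs that look like
# service or privileged accounts and would therefore be copied to the cloud.
function Find-RiskyAccountsInSyncScope {
    param(
        [Parameter(Mandatory)] [object[]] $Users,
        [Parameter(Mandatory)] [string[]] $SyncedOUs
    )
    foreach ($u in $Users) {
        # In scope when the DN sits at any depth below a selected OU.
        $inScope = $false
        foreach ($ou in $SyncedOUs) {
            if ($u.DistinguishedName.EndsWith(",$ou", [StringComparison]::OrdinalIgnoreCase)) {
                $inScope = $true
            }
        }
        if (-not $inScope) { continue }

        $reasons = @()
        if ($u.adminCount -eq 1) {
            $reasons += 'adminCount=1 (member of a protected group, now or in the past)'
        }
        # Where-Object drops $null, so accounts without an SPN count as zero.
        if (@($u.servicePrincipalName | Where-Object { $_ }).Count -gt 0) {
            $reasons += 'has a servicePrincipalName (likely a service account)'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                Reasons        = $reasons -join '; '
            }
        }
    }
}

# Constructed sample; the domain DN and account names are illustrative.
# Live input: Get-ADUser -Filter * -SearchBase $ou -Properties adminCount,servicePrincipalName
$companyOU = 'OU=Company,DC=exchangeserverpro,DC=net'
$users = @(
    [pscustomobject]@{ SamAccountName = 'jsmith';     DistinguishedName = "CN=J Smith,OU=Users,$companyOU";  adminCount = $null; servicePrincipalName = @() }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; DistinguishedName = "CN=svc-backup,OU=Users,$companyOU"; adminCount = $null; servicePrincipalName = @('backup/srv01.exchangeserverpro.net') }
    [pscustomobject]@{ SamAccountName = 'hd-lead';    DistinguishedName = "CN=HD Lead,$companyOU";           adminCount = 1;     servicePrincipalName = @() }
    [pscustomobject]@{ SamAccountName = 'adm-paul';   DistinguishedName = 'CN=adm-paul,OU=Admins,DC=exchangeserverpro,DC=net'; adminCount = 1; servicePrincipalName = @() }
)

Find-RiskyAccountsInSyncScope -Users $users -SyncedOUs $companyOU | Format-List
```

Anything the function reports is either moved to an OU outside the sync scope or accepted deliberately before the first synchronization runs.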

Enabling the Synchronization Schedule

On the AAD Connect server a Task Scheduler task has been configured by AAD Connect for the synchronization schedule. The task is disabled because I chose not to start initial synchronization at the end of setup. All I need to do now is enable it.


Simply wait for the next run time of the task. Or run it manually if you’d like to see results straight away.

Verifying Active Directory Synchronization

If Active Directory synchronization was successful we see user accounts populated in the Office 365 admin portal, with a status of “Synced with Active Directory”.


You can also go to https://portal.office.com and log in with one of the user accounts to verify that the username and password work.



In this tutorial I demonstrated how to prepare for a Hybrid Exchange deployment with Office 365 by adding domain names to the Office 365 tenant, and by installing and configuring AAD Connect to provide directory synchronization.

In the next part of this series I’ll demonstrate how to create the Hybrid configuration.


About the Author

Paul Cunningham

Paul is a former Microsoft MVP for Office Apps and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul no longer writes for Practical365.com.


  1. Dejan Fid

    Is it recommended to install and run Azure AD Connect V2 on a separate, domain-joined Windows server?
    Also I need to sync only particular OU users, can I customize that, and also sync different OU users at another time?

  2. Fortune

    Thank you for this post. Do I need to set up 2-way synchronization for Exchange hybrid? Typically, AD Connect syncs from on-premises to Azure.

  3. Jeff


    We are currently running Exchange 2016 Hybrid. We have “Migrated” maybe 5 on-prem mailboxes to the cloud for testing but cannot seem to do a couple of things. Can’t seem to get the mailbox to open using Outlook. Does this have anything to do with AutoDiscover? I keep getting that error on the analyzer tool. Also the Free-Busy: I can’t see on-prem users’ free or busy status, it just shows a bunch of hashes. Your help would be great.


  4. JDB

    We have implemented a greenfield AD, with Azure AD Connect (synched accounts), and ADFS. No Exchange was deployed in this environment. It was noted that you can’t manage Exchange attributes unless you use ADSI or AD Attributes (not supported by MS). How can we go back into environment and setup a Hybrid connection with Exchange 2016 into the mix without affecting the current deployment? Or should we?

  5. novih sandra

    Hello Paul,

    Can I implement Hybrid Exchange Online with Exchange on-premises without ADFS?


  6. Lucas

    “An Office 365 tenant with E3 licenses has been provisioned, ready to use for the Hybrid deployment.”

    Is E3 the minimum enterprise plan that one needs to have in order to configure a Hybrid environment?

    I am thinking of doing this in my home lab, only for learning purposes so I would like to reduce the possible cost as much as possible.


  7. Phillip Milopteris

    Hi Paul

    We have setup Exchange 2010 on prem with Exchange Online – Hybrid mode.
    Email flow working, AD syncing with Azure AD OK, so for email all good.
    Issue is free/busy time in CAL (meeting rooms) not showing up for users that are online, or vice versa for on-prem. Two users can see free/busy time if both are online but cannot see users that are on-premises. Any ideas?

  8. Rockk

    Hello Paul,
    I’m in search of document which gives the steps to check/fix if any issues in Exch2010 or if we need to restore backup. Pls advise.

  9. Alder Chew

    Hi Paul,

    There are other websites talking about ADFS set up in the organisation so that it allows single sign-on. With this Azure AD Connect, will it provide single sign-on? Or will I still have to set up ADFS and Azure AD Connect to have single sign-on for Exchange 2013 Hybrid with Office 365?

  10. Paul Slade

    Why don’t Microsoft sort out cross site permissions for shared mailboxes? Trying to migrate large numbers of mailboxes when access to shared mailboxes only works when you are on the same environment, e.g. on-prem or cloud, is not realistic. We have a hybrid setup with Exc2013 and O365 but this is making the migration a real issue. Users do not like being told they are going to lose functionality until the migration is complete.

    1. TeamTerry

      Hi Paul Slade.
      Yes it is a pain losing permissions during the migration and that will most likely never change. It will also affect Enterprise Office 365 customers if their tenant is old and the Datacenter is being relocated overseas back to Australia (as an example).
      To assist in capturing users and their delegates, I have created some scripts that will target a bunch of user mailboxes in a csv and report any delegated users.
      You can then massage this information into your spreadsheet to minimise broken permissions.
      Would love some feedback if you use them.
      Scripts are in my GitHub – https://github.com/TeamTerry/Scripts/tree/master/Enterprise%20Admin/Get-MailboxPermissions
      Main GitHub – https://github.com/TeamTerry/Scripts

      *** All Care – But no responsibility ***

  11. Milton Lopez

    Question on AD sync: is it possible to sync a selected OU first and other(s) later?



  12. Farooque



    Don’t point your records to office365. Just add your domain there and create online mailboxes.

  13. Omer

    Hi Paul,
    Thanks for sharing nice stuff with us.
    I am new to Office 365 and have a question.
    My on-premises Exchange 2016 is running, and I want to host a few users’ mailboxes on Office 365. Is it possible without the Hybrid Configuration Wizard? I don’t want directory synchronization, centralized management, etc.

    My domain MX will point to Office 365. If a user exists on Office 365 then email will be delivered to the Office 365 user’s mailbox, otherwise email will be routed to my on-premises Exchange 2016. Is it possible with only Office 365 connector configurations and my domain as “internal relay” instead of authoritative in both Office 365 and Exchange on-premises?

      Paul Cunningham

      Short answer is no.

      What you’re describing is what Hybrid is designed to achieve.

    2. Farooque

      Hey Umar,

      I would say you can achieve this with internal relay and setting up a connector. Office 365 will look for the user mailbox online and if it finds it there it will deliver that email; if not, it will use your outbound connector to route email to your on-premises host.

  14. John B

    We are looking at moving our senior staff email accounts to the cloud so they have access in case of a disaster (hurricane country here). Am I correct in thinking that Autodiscover will point them to the on-prem servers, which will then send them to their account on 365? If so, what happens to that redirection if the local server is unavailable?

      Paul Cunningham

      Once the Outlook profile is set up it will keep working even if Autodiscover is intermittently unavailable.

  15. Jon

    If you don’t put a checkmark next to Hybrid deployment during AAD Connect installation, is there a way to enable this after it is installed?

  16. Matt Pollock

    I have a question regarding AAD Connect/Office 365 Hybrid deployment…..

    I am syncing one OU in AD containing a handful of accounts to Office 365.

    The on prem mailboxes can view all users in the GAL (On prem and Office 365 users)
    The Office 365 users can only see users synced with AAD Connect in the GAL.

    Is this normal behaviour?
    Do you need to sync all AD objects up to Office 365 in order to give Office 365 mailboxes access to the “complete” GAL?


  17. filip

    I’m a bit confused though and it’s cracking up my head all day now.
    In this MS article https://technet.microsoft.com/en-us/library/dn931280(v=exchg.150).aspx it states in “Scenario two”

    After you have moved all of the mailboxes to Exchange Online, the first thing you would want to do to decommission most of the Exchange servers is point the MX and Autodiscover DNS records to Exchange Online instead of to on-premises. For more information, see Reference: External Domain Name System records for Office 365.

    So if we have autodiscover.abc.com and autodiscover.def.com and abc users are on-prem and in Office 365 and all def.com users are in Office 365. We have configured Autodiscover Domain Feature for abc and def.com (so that def.com leverages the Autodiscover of abc.com); could we still not point Autodiscover to Office 365 as in the above article?

      Paul Cunningham

      At the start of that article it says “Read this article if you are ready to move from an Exchange hybrid deployment to a full cloud implementation.”

      It’s talking about scenarios where you are *removing* the Hybrid configuration. If you no longer have a Hybrid configuration, then the question of where to point Autodiscover in a Hybrid deployment is no longer relevant.

      1. filip

        Sometimes the answer is in front of your eyes, thanks for pointing to the remove hybrid config. I was not aware of that and we will keep hybrid so we will point autodiscover to on-prem.

        Last question, and sorry for bothering you: what would be advisable, run HCW with abc.com and then use Autodiscover Domain Feature for def.com, or use only autodiscover records and not use autod:?

        If we have autodiscover DNS records will they get “higher prio” or will they be used first or will autod: (autodiscover domain feature) be used if both are configured?

          Paul Cunningham

          You should decide on one approach and implement it. If you implement both approaches I don’t know what will happen, as I’ve never tried that.

          1. filip

            Makes sense, but ‘Autodiscover Domain Feature’ works only for EWS etc. but not for client initialization/client setup. So that answers the question 🙂 go for only autodiscover.

            BTW, will you be attending Ignite this year?

            Paul Cunningham

            At this stage I have no plans to attend Ignite in Atlanta.

  18. filip

    When can you switch Autodiscover to O365 in hybrid?

      Paul Cunningham

      In a Hybrid configuration Autodiscover points at the on-premises Exchange server.

      1. filip

        Hi Paul,
        Even if all mailboxes are in office 365?
        And if we have 2 SMTP domains in hybrid and domain 1 users are on-prem and domain 2 users are all in cloud does autodiscover still point to on-prem for domain 2?

          1. filip

            Hi Paul,
            Thanks a lot!

  19. Steve D.

    Hi Paul,

    Great article. I have a question about adding domains to the Azure AD Connector. I am working on a project with one forest that has multiple domains. I have got as far as creating the Active Directory Connector and have run a staging sync to verify the information and accounts that will be synchronized. My question is that once that domain is synchronizing, how would I run a staging sync on the next domain, or is it even necessary? They are all listed in the Configure directory partitions in the properties for the existing connector so I’m assuming I would just click the checkbox by the next domain and configure the OU filtering, but how do I make sure it will sync the correct info?

      Paul Cunningham

      Ah yeah, I’ve encountered that as well on one deployment, but most of the time it’s not an issue.
