A hybrid deployment offers organizations the ability to extend the feature-rich experience and administrative control they have with their existing on-premises Microsoft Exchange organization to the cloud. A hybrid deployment provides the seamless look and feel of a single Exchange organization between an on-premises Exchange Server 2013 organization and Exchange Online in Microsoft Office 365. In addition, a hybrid deployment can serve as an intermediate step to moving completely to an Exchange Online organization.
Looking for a list of all hybrid deployment topics? See Hybrid deployment documentation. You may also want to check Release notes for Exchange 2013. And, if you would like an offline version of this Help content, you can download the Help file from the Microsoft Download Center.
Note: This feature of Exchange Server 2013 isn’t fully compatible with Office 365 operated by 21Vianet in China and some feature limitations may apply. For more information, see Learn about Office 365 operated by 21Vianet.
The following list provides you with definitions of the core components associated with hybrid deployments in Exchange 2013.
- centralized mail transport: The hybrid configuration option in which all Exchange Online inbound and outbound Internet messages are routed via the on-premises Exchange organization. This routing option is configured in the Hybrid Configuration wizard. For more information, see Transport options in Exchange 2013 hybrid deployments.
- coexistence domain: An accepted domain added to the on-premises organization for hybrid mail flow and Autodiscover requests for the Office 365 service. This domain is added as a secondary proxy domain to any email address policies which have PrimarySmtpAddress templates for domains selected in the Hybrid Configuration wizard. By default, this domain is <domain>.mail.onmicrosoft.com.
- HybridConfiguration Active Directory object: The Active Directory object in the on-premises organization that contains the desired hybrid deployment configuration parameters defined by the selections chosen in the Hybrid Configuration wizard. The Hybrid Configuration Engine uses these parameters when configuring on-premises and Exchange Online settings to enable hybrid features. The contents of the HybridConfiguration object are reset each time the Hybrid Configuration wizard is run.
- hybrid configuration engine (HCE): The Hybrid Configuration Engine executes the core actions necessary for configuring and updating a hybrid deployment. The HCE compares the state of the HybridConfiguration Active Directory object with the current on-premises Exchange and Exchange Online configuration settings and then executes tasks to match the deployment configuration settings to the parameters defined in the HybridConfiguration Active Directory object. For more information, see Hybrid Configuration Engine.
- hybrid configuration wizard (HCW): An adaptive tool offered in Exchange 2013 that guides administrators through configuring a hybrid deployment between their on-premises and Exchange Online organizations. The wizard defines the hybrid deployment configuration parameters in the HybridConfiguration object and instructs the Hybrid Configuration Engine to execute the necessary configuration tasks to enable the defined hybrid features. For more information, see Hybrid Configuration wizard.
- Exchange 2010-based hybrid deployment: A hybrid deployment configured using Service Pack 3 (SP3) for Exchange Server 2010 on-premises servers as the connecting endpoint for the Office 365 and Exchange Online services. A hybrid deployment option for on-premises Exchange 2010, Exchange Server 2007, and Exchange Server 2003 organizations and compatible with Office 365 service versions 14.0.000.0 and 15.0.000.0.
- Exchange 2013-based hybrid deployment: A hybrid deployment configured using Exchange 2013 on-premises servers as the connecting endpoint for the Office 365 and Exchange Online services. A hybrid deployment option for on-premises Exchange 2013, Exchange 2010, and Exchange 2007 organizations and compatible with Office 365 service version 15.0.000.0 or later only.
- secure mail transport: An automatically configured feature of a hybrid deployment that enables secure messaging between the on-premises and Exchange Online organizations. Messages are encrypted and authenticated using transport layer security (TLS) with a certificate selected in the Hybrid Configuration wizard. The Exchange Online Protection (EOP) service in the Office 365 tenant is the endpoint for hybrid transport connections originating from the on-premises organization and the source for hybrid transport connections to the on-premises organization from Exchange Online.
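Because the wizard configures secure mail transport once and later connector edits can silently weaken it, a periodic check is worthwhile. The following added script (not from this page or from Microsoft) verifies that the hybrid connectors still require TLS and validate the peer certificate; part 1 runs in the on-premises Exchange Management Shell and part 2 in a remote PowerShell session to Exchange Online, and the expected values are assumptions about the wizard's defaults.

```powershell
# Added example, not code from the original page or from Microsoft. Checks that
# the connectors carrying hybrid mail between on-premises Exchange 2013 and EOP
# still require TLS and validate the peer's certificate. The expected values are
# assumptions about Hybrid Configuration wizard defaults; if your HCW log shows
# different values, adjust the expectations rather than the connectors.

function Test-Setting {
    param([string] $Where, [string] $Name, $Actual, [scriptblock] $Ok, [string] $Expect)
    $status = if (& $Ok $Actual) { 'PASS' } else { 'FAIL' }
    "[{0}] {1,-28} {2,-24} = {3} (expected {4})" -f $status, $Where, $Name, $Actual, $Expect
}

# --- Part 1: on-premises Exchange 2013 Management Shell -----------------------
# The hybrid send connector is the one whose address space covers the
# coexistence domain (<domain>.mail.onmicrosoft.com).
$hybridSend = Get-SendConnector | Where-Object { $_.AddressSpaces -like '*.mail.onmicrosoft.com*' }
foreach ($c in $hybridSend) {
    Test-Setting $c.Name 'RequireTLS'         $c.RequireTLS         { $args[0] -eq $true } 'True'
    Test-Setting $c.Name 'TlsAuthLevel'       $c.TlsAuthLevel       { "$($args[0])" -eq 'DomainValidation' } 'DomainValidation'
    Test-Setting $c.Name 'TlsDomain'          $c.TlsDomain          { "$($args[0])" -eq 'mail.protection.outlook.com' } 'mail.protection.outlook.com'
    Test-Setting $c.Name 'TlsCertificateName' $c.TlsCertificateName { $null -ne $args[0] } 'certificate selected in the HCW'
}

# --- Part 2: remote PowerShell session to Exchange Online ---------------------
# Hybrid connectors in the tenant are typed OnPremises; validate the certificate
# in both directions, not just encrypt.
foreach ($c in (Get-OutboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' })) {
    Test-Setting $c.Name 'TlsSettings' $c.TlsSettings { "$($args[0])" -eq 'DomainValidation' } 'DomainValidation'
    Test-Setting $c.Name 'TlsDomain'   $c.TlsDomain   { -not [string]::IsNullOrEmpty("$($args[0])") } 'on-premises certificate subject'
}
foreach ($c in (Get-InboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' })) {
    Test-Setting $c.Name 'RequireTls'               $c.RequireTls               { $args[0] -eq $true } 'True'
    Test-Setting $c.Name 'TlsSenderCertificateName' $c.TlsSenderCertificateName { -not [string]::IsNullOrEmpty("$($args[0])") } 'on-premises certificate subject'
}
```

Any FAIL line means hybrid mail may still flow but no longer with mutually authenticated TLS; rerunning the Hybrid Configuration wizard restores the connector settings.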
A hybrid deployment enables the following features:
- Secure mail routing between on-premises and Exchange Online organizations.
- Mail routing with a shared domain namespace. For example, both on-premises and Exchange Online organizations use the @contoso.com SMTP domain.
- A unified global address list (GAL), also called a “shared address book.”
- Free/busy and calendar sharing between on-premises and Exchange Online organizations.
- Centralized control of inbound and outbound mail flow. You can configure all inbound and outbound Exchange Online messages to be routed through the on-premises Exchange organization.
- A single Microsoft Office Outlook Web App URL for both the on-premises and Exchange Online organizations.
- The ability to move existing on-premises mailboxes to the Exchange Online organization. Exchange Online mailboxes can also be moved back to the on-premises organization if needed.
- Centralized mailbox management using the on-premises Exchange admin center (EAC).
- Message tracking, MailTips, and multi-mailbox search between on-premises and Exchange Online organizations.
- Cloud-based message archiving for on-premises Exchange mailboxes. Exchange Online Archiving can be used with a hybrid deployment. Learn more about Exchange Online Archiving at Microsoft Office 365 Additional Services.
You should consider the following before you implement an Exchange hybrid deployment:
- Mailbox permissions: On-premises mailbox permissions such as Send As, Receive As, and Full Access that are explicitly applied on the mailbox are migrated to Exchange Online. Inherited (non-explicit) mailbox permissions and any permissions on non-mailbox objects, such as distribution lists or a mail-enabled user, are not migrated. Therefore, you have to plan for configuring these permissions in Office 365 if applicable for your organization. For example, you can use the Add-RecipientPermission and Add-MailboxPermission Windows PowerShell cmdlets to set the permissions in Office 365.
- Cross-premises permissions: We do not support cross-premises permission scenarios. Permissions are only migrated and functional when implementing an Exchange hybrid deployment if there are corresponding directory objects in Office 365. Additionally, all objects with special permissions such as Send As, Receive As and Full Access must be migrated at the same time. This also means that to migrate these permissions, you must make sure directory synchronization has completed before you start moving mailboxes.
- Offboarding: As part of ongoing recipient management, you might have to move Exchange Online mailboxes back to your on-premises environment.
  For more information about how to move mailboxes in an Exchange 2010-based hybrid deployment, see Move an Exchange Online mailbox to the on-premises organization.
  For more information about how to move mailboxes in an Exchange 2013-based hybrid deployment, see Move mailboxes between on-premises and Exchange Online organizations in 2013 hybrid deployments.
- Multi-forest Active Directory environments: If your organization implements multiple on-premises Exchange organizations, you must deploy Exchange 2013 SP1 or greater servers in your on-premises organization to configure a hybrid deployment with Office 365. Hybrid deployments for mixed or native multi-forest Exchange 2010, 2007, and 2003 organizations aren’t supported.
  For more information, see Hybrid deployments with multiple Active Directory forests.
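The mailbox-permission and cross-premises considerations above are easiest to act on before a move batch is submitted. The following added script (not from this page or from Microsoft) runs in the on-premises Exchange 2013 Management Shell and classifies each Full Access and Send As grant on a batch of mailboxes the way the migration treats it; the batch list is a constructed sample.

```powershell
# Added example, not code from the original page or from Microsoft. For each
# mailbox in $Batch (a constructed sample; replace with the mailboxes that will
# share one move request) it reports Full Access and Send As grants as:
#   OK        explicit grant, trustee in the same batch: migrates
#   INHERITED inherited grant: does not migrate, re-add in Exchange Online
#   SPLIT     trustee outside the batch: would become an unsupported
#             cross-premises permission, so move both mailboxes together

$Batch = @('alice@contoso.com', 'bob@contoso.com')

# SamAccountNames of every mailbox in the batch, for in-batch lookups.
$batchSam = @{}
foreach ($m in $Batch) { $batchSam[(Get-Mailbox -Identity $m).SamAccountName.ToLower()] = $true }

# Trustees are reported as DOMAIN\sam. Keep only mail-enabled recipients so that
# system principals (SELF, Exchange server groups, orphaned SIDs) are ignored.
function Get-TrusteeSam([string] $Trustee) {
    $sam = ($Trustee -split '\\')[-1]
    if (Get-Recipient -Identity $sam -ErrorAction SilentlyContinue) { return $sam.ToLower() }
    return $null
}

$grants = foreach ($m in $Batch) {
    # Full Access is an ACE on the mailbox object.
    Get-MailboxPermission -Identity $m |
        Where-Object { $_.AccessRights -like '*FullAccess*' -and -not $_.Deny } |
        ForEach-Object { [pscustomobject]@{ Mailbox = $m; Right = 'FullAccess'
                                             Trustee = $_.User.ToString(); Inherited = $_.IsInherited } }
    # Send As is an extended right on the Active Directory user object.
    Get-ADPermission -Identity $m |
        Where-Object { $_.ExtendedRights -like '*Send-As*' -and -not $_.Deny } |
        ForEach-Object { [pscustomobject]@{ Mailbox = $m; Right = 'SendAs'
                                             Trustee = $_.User.ToString(); Inherited = $_.IsInherited } }
}

foreach ($g in $grants) {
    $sam = Get-TrusteeSam $g.Trustee
    if (-not $sam) { continue }
    if ($g.Inherited) {
        # Emit the Exchange Online command to run after the move; do not run it here.
        $cmd = if ($g.Right -eq 'FullAccess') {
            "Add-MailboxPermission -Identity '$($g.Mailbox)' -User '$sam' -AccessRights FullAccess -InheritanceType All"
        } else {
            "Add-RecipientPermission -Identity '$($g.Mailbox)' -Trustee '$sam' -AccessRights SendAs -Confirm:`$false"
        }
        Write-Output "INHERITED $($g.Mailbox) $($g.Right) -> $($g.Trustee): will not migrate. After the move run: $cmd"
    } elseif (-not $batchSam.ContainsKey($sam)) {
        Write-Output "SPLIT     $($g.Mailbox) $($g.Right) -> $($g.Trustee): trustee is not in this batch"
    } else {
        Write-Output "OK        $($g.Mailbox) $($g.Right) -> $($g.Trustee): explicit grant, migrates with the batch"
    }
}
```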
A hybrid deployment involves several different services and components:
- Exchange 2013 servers: Exchange 2013 Client Access and Mailbox server roles are required in your on-premises Exchange organization. If needed, Exchange 2013 Edge Transport servers can also be installed in a perimeter network and support hybrid connectivity with Office 365.
  Note: Deploying on-premises Exchange 2013 servers with the Client Access (CAS) or Mailbox server roles used for hybrid feature support in a perimeter network isn’t supported.
- Microsoft Office 365: The Office 365 service provides a cloud-based Exchange Online organization as a part of its subscription service. Organizations configuring a hybrid deployment must create and configure this cloud-based Exchange Online organization.
- Exchange Online Protection: The Microsoft Exchange Online Protection service (EOP) is included in all Office 365 for enterprises tenants by default and works with on-premises Exchange 2013 Client Access servers to provide secure message delivery between the on-premises and Exchange Online organizations. Depending on how your organization is configured, it may also handle routing incoming mail from external recipients for your Exchange Online organization and your on-premises Exchange organization.
- Hybrid Configuration wizard: Exchange 2013 includes the Hybrid Configuration wizard, which provides you with a streamlined process to configure a hybrid deployment between on-premises Exchange and Exchange Online organizations.
  Learn more at Hybrid Configuration wizard.
- Windows Azure AD authentication system: The Windows Azure AD authentication system is a free cloud-based service that acts as the trust broker between your on-premises Exchange 2010 organization and the Exchange Online organization. On-premises organizations configuring a hybrid deployment must have a federation trust with the Windows Azure AD authentication system. The federation trust can either be created manually as part of configuring federated sharing features between an on-premises Exchange organization and other federated Exchange organizations, or as part of configuring a hybrid deployment with the Hybrid Configuration wizard. A federation trust with the Windows Azure AD authentication system for your Office 365 tenant is automatically configured when you activate your Office 365 service account.
  Learn more at Windows Azure AD authentication system.
- Active Directory synchronization: Active Directory synchronization replicates on-premises Active Directory information for mail-enabled objects to the Office 365 organization to support the unified global address list (GAL). Organizations configuring a hybrid deployment must deploy Active Directory synchronization on a separate, on-premises server.
  Learn more at Directory synchronization roadmap.
Take a look at the following scenario. It’s an example topology that provides an overview of a typical Exchange 2013 deployment. Contoso, Ltd. is a single-forest, single-domain organization with two domain controllers, one Exchange 2013 server with the Client Access role installed, and one Exchange 2013 server with the Mailbox server role installed. Remote Contoso users use Outlook Web App to connect to Exchange 2013 over the Internet to check their mailboxes and access their Outlook calendar.
Let’s say that you’re the network administrator for Contoso and you’re interested in configuring a hybrid deployment. You deploy and configure a required Active Directory Synchronization server and you also decide to deploy an Active Directory Federation Services server as an option to minimize the number of prompts for account credentials for Contoso users and administrators accessing Office 365 services. After you complete the hybrid deployment prerequisites and use the Hybrid Configuration wizard to select options for the hybrid deployment, your new topology has the following configuration:
- Users will use their existing network account credentials for logging on to the on-premises and Exchange Online organizations (“single sign-on”).
- User mailboxes located on-premises and in the Exchange Online organization will use the same email address domain. For example, mailboxes located on-premises and mailboxes located in the Exchange Online organization will both use @contoso.com in user email addresses.
- All mail is delivered to the Internet by the on-premises organization. The on-premises organization controls all messaging transport and serves as a relay for the Exchange Online organization (“centralized mail transport”).
- On-premises and Exchange Online organization users can share calendar free/busy information with each other. Organization relationships configured for both organizations also enable cross-premises message tracking, MailTips, and message search.
- On-premises and Exchange Online users use the same URL to connect to their mailboxes over the Internet.
If you compare Contoso’s existing organization configuration and the hybrid deployment configuration, you’ll see that configuring a hybrid deployment has added servers and services that support additional communication and features that are shared between the on-premises and Exchange Online organizations. Here’s an overview of the changes that a hybrid deployment has made from the initial on-premises Exchange organization.
| Configuration | Before hybrid deployment | After hybrid deployment |
|---|---|---|
| Mailbox location | Mailboxes on-premises only. | Mailboxes on-premises and in Exchange Online. |
| Message transport | On-premises Client Access servers handle all inbound and outbound message routing. | On-premises Client Access server handles internal message routing between the on-premises and Exchange Online organization. |
| Outlook Web App | On-premises Client Access server receives all Outlook Web App requests and displays mailbox information. | On-premises Client Access server redirects Outlook Web App requests to either the on-premises Exchange 2013 Mailbox server or provides a link to log on to the Exchange Online organization. |
| Unified GAL for both organizations | Not applicable; single organization only. | On-premises Active Directory synchronization server replicates Active Directory information for mail-enabled objects to the Exchange Online organization. |
| Single sign-on used for both organizations | Not applicable; single organization only. | On-premises Active Directory Federation Services (AD FS) server supports using single sign-on credentials for mailboxes located either on-premises or in the Office 365 organization. |
| Organization relationship established and a federation trust with the Windows Azure AD authentication system | Trust relationship with the Windows Azure AD authentication system and organization relationships with other federated Exchange organizations may be configured. | Trust relationship with the Windows Azure AD authentication system is required. Organization relationships are established between the on-premises and Exchange Online organization. |
| Free/busy sharing | Free/busy sharing between on-premises users only. | Free/busy sharing between both on-premises and Exchange Online users. |
Now that you’re a little more familiar with what a hybrid deployment is, you need to carefully consider some important issues. Configuring a hybrid deployment could affect multiple areas in your current network and Exchange organization.
The following table contains links to topics that will help you learn about and manage hybrid deployments in Microsoft Exchange.
| Topic | Description |
|---|---|
| What’s new in Exchange 2013 hybrid deployments | Learn more about the updates to hybrid deployments and the Hybrid Configuration wizard in Exchange 2013. |
| Hybrid Configuration wizard | Learn how the Hybrid Configuration wizard and the Hybrid Configuration Engine configure a hybrid deployment. |
| Hybrid deployment prerequisites | Learn more about hybrid deployment prerequisites, including compatible Exchange Server organizations, Office 365 requirements, and other on-premises configuration requirements. |
| Certificate requirements for hybrid deployments | Learn more about the requirements for digital certificates in hybrid deployments. |
| Transport options in Exchange 2013 hybrid deployments | Learn more about the inbound and outbound message transport options in hybrid deployments. |
| Transport routing in Exchange 2013 hybrid deployments | Learn more about inbound and outbound message routing options in a hybrid deployment. |
| Hybrid management in Exchange 2013 hybrid deployments | Learn more about managing your hybrid deployment with the Exchange admin center and Exchange Management Shell. |
| Shared free/busy in Exchange 2013 hybrid deployments | Learn more about calendar free/busy sharing between on-premises and Exchange Online organizations in a hybrid deployment. |
| Server roles in Exchange 2013 hybrid deployments | Learn more about how the Exchange 2013 Client Access and Mailbox server roles function in a hybrid deployment. |
| IRM in Exchange 2013 hybrid deployments | Learn more about how Information Rights Management functions in a hybrid deployment. |
| Permissions in Exchange 2013 hybrid deployments | Learn more about how a hybrid deployment uses Role Based Access Control (RBAC) to control permissions. |
| Edge Transport servers with hybrid deployments | Learn more about Exchange 2010 Edge Transport servers and how they are deployed and operate in a hybrid deployment. |
| Single sign-on with hybrid deployments | Learn more about how single sign-on using Active Directory Federation Services (AD FS) functions in a hybrid deployment. |
| Hybrid deployments with multiple Active Directory forests | Learn more about configuring a hybrid deployment between a multi-forest on-premises Exchange organization and a single Exchange Online tenant. |
| Hybrid Deployment procedures | Explore procedures for creating and modifying hybrid deployments for your Exchange 2013 on-premises and Exchange Online organizations. |
| Hybrid deployments with Exchange 2013 and Exchange 2010 | Learn more about Exchange 2013-based hybrid deployments with Exchange 2010 organizations. |
| Hybrid deployments with Exchange 2013 and Exchange 2007 | Learn more about Exchange 2013-based hybrid deployments with Exchange 2007 organizations. |