Change Exchange 2010 configured with Classic Hybrid method by Modern Hybrid one. Problems? Implications?

  • Question

  • Hi,
    We completed the Hybrid Configuration Wizard, choosing Full Hybrid with the classic topology. The problem is that we are not able to perform the migration because Remote Migration requires having the certificate in Exchange 2010 with at least IIS services assigned. We thought that it wasn't necessary to assign services and that just having the wildcard certificate for the mail flow between Exchange 2010 and Office365 was enough.
    We are afraid to change the certificate because we could cause trouble for our mobile and desktop users.

    So, we are thinking about changing the classic topology we previously configured by choosing the modern topology, rerunning the HCW and picking Modern this time.

    What implications, problems or issues could happen if we do that?

    Thank you in advance.

    Thursday, September 5, 2019 10:36 AM

All replies

  • You can't switch to Modern Hybrid once you have already run the classic hybrid.

    Thursday, September 5, 2019 11:35 AM
    Moderator
  • Hi,

    That's what I heard... Well... Alternatives?? Could uninstalling the Hybrid config work?? Or once you apply the classic one there's no way to change it??

    Cheers.

    Thursday, September 5, 2019 2:23 PM
  • You'll need to fix that cert issue really. If you don't want to assign to IIS (and it should be a trusted 3rd party cert and automatically trusted by the clients), then the alternative is to bring up a new 2010 Exchange server and assign it the cert and use that as your "hybrid server", and keep it out of any load balancing pool and set the URLs on it to the existing pool. But really, I would just assign IIS to the cert correctly.
    Thursday, September 5, 2019 2:39 PM
    Moderator
  • Hi,

    Yeah, assigning IIS to the cert is the best option... But the thing is we are afraid of having issues with clients, because once you change the certificate, the Outlook desktop clients will be prompted that the certificate changed and that the name is not correct, because their Outlook is still pointing to the domain.local

    Right?

    I also asked about duplicating IIS as an alternative, so as not to be forced to change the certificate and possibly have issues with the clients.

    Here is the post:

    https://social.technet.microsoft.com/Forums/exchange/en-US/a55ad609-b39f-4b31-a56b-bbcc6556ed02/duplicate-iis-services-as-use-as-alternative-to-originals-ones-pointing-out-to-exchange-hybrid-it-is?forum=exchange2010

    Thursday, September 5, 2019 3:29 PM
  • I can only imagine that would break Exchange if you did that.
    Thursday, September 5, 2019 6:22 PM
    Moderator
  • Hi,

     

    If the certificate in your Exchange organization is purchased from a trusted third-party CA, it's safe to assign IIS services.


    Regards

    Kelvin Deng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com


    Friday, September 6, 2019 3:42 AM
  • Hi,
    First, thanks for all the help I'm receiving.

    I will try to explain our situation better. The thing is that we are afraid that changing the certificate could cause users of the Outlook client to be notified about this change in a popup every time they open the Outlook desktop client or there's a disconnection.
    I'm afraid of something that I show you below:


    This problem is something that happens frequently when our client didn't configure external URLs before.

    So our client had something similar to this:

    Name                 : EWS (Default Web Site)
    InternalUrl          : https://contoso.local/ews/exchange.asmx
    ExternalUrl          :

    Then, for the hybrid configuration, we added the ExternalUrl as documented but didn't change the internal one yet.

    The Outlook desktop client, as we checked, is connecting via the local URL as it is supposed to.

    So my question is:

    Would changing all services to an external URL be enough to not encounter certificate errors in Outlook?

    Something like this for all services: EWS, Autodiscover, Outlook Anywhere, etc.
    Example:
    Name                 : EWS (Default Web Site)
    InternalUrl          : https://mail.contoso.com/ews/exchange.asmx
    ExternalUrl          : https://mail.contoso.com/ews/exchange.asmx

    I just wanna know if there's something more to consider to be sure that this operation will be transparent for the user.

    Friday, September 6, 2019 9:21 AM
  • Yes, the subject name on the cert needs to match the client URLs.

    If that is a trusted 3rd party cert and those URLs are accessible to the client, it will be transparent to the end user.

    Friday, September 6, 2019 11:27 AM
    Moderator
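
Added example (not part of the thread and not any poster's code): a pre-change check of the point made in the reply above, that the names on the certificate must match the URLs clients are given. The certificate names, the Autodiscover URL and the function name `Test-HostCoveredByCert` are assumptions constructed for illustration; rows with `Covered = False` are the hosts for which Outlook would show a name-mismatch prompt.

```powershell
# Added example. Certificate names and URLs are constructed sample data;
# on a live server they would come from Get-ExchangeCertificate (CertificateDomains)
# and from the virtual-directory cmdlets such as Get-WebServicesVirtualDirectory.

function Test-HostCoveredByCert {
    param(
        [Parameter(Mandatory = $true)] [string]   $HostName,
        [Parameter(Mandatory = $true)] [string[]] $CertNames
    )
    $target = $HostName.ToLowerInvariant().TrimEnd('.')
    foreach ($name in $CertNames) {
        $n = $name.ToLowerInvariant().TrimEnd('.')
        if ($n -eq $target) { return $true }
        # A wildcard stands for exactly one left-most label:
        # *.contoso.com covers mail.contoso.com, not contoso.com or a.b.contoso.com.
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)    # ".contoso.com"
            if ($target.EndsWith($suffix)) {
                $label = $target.Substring(0, $target.Length - $suffix.Length)
                if ($label -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# Constructed: names on the wildcard certificate.
$certNames = @('*.contoso.com')

# Constructed: URLs handed to clients, before and after the change discussed above.
$clientUrls = @(
    @{ Setting = 'EWS InternalUrl (current)';  Url = 'https://contoso.local/ews/exchange.asmx' },
    @{ Setting = 'EWS InternalUrl (proposed)'; Url = 'https://mail.contoso.com/ews/exchange.asmx' },
    @{ Setting = 'EWS ExternalUrl';            Url = 'https://mail.contoso.com/ews/exchange.asmx' },
    @{ Setting = 'Autodiscover (assumed)';     Url = 'https://autodiscover.contoso.com/autodiscover/autodiscover.xml' }
)

$report = foreach ($u in $clientUrls) {
    $urlHost = ([uri]$u.Url).Host
    New-Object PSObject -Property @{
        Setting = $u.Setting
        Host    = $urlHost
        Covered = (Test-HostCoveredByCert -HostName $urlHost -CertNames $certNames)
    }
}
$report | Select-Object Setting, Host, Covered | Format-Table -AutoSize
```
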
  • Hi,

     

    I am writing here to confirm with you how things are going now.

     

    If you need further help, please provide more detailed information, so that we can give more appropriate suggestions.

     

    Regards,

    Kelvin Deng




    Wednesday, September 11, 2019 8:56 AM
  • Hi,

    Sorry for my delayed update on this topic.

    So, I feel relieved that at least if we match both URLs it shouldn't be a problem for the end user.

    But here is my new question: if the client has an MDM (like AirWatch), and they have a configuration that is pointing to the local URLs, then if we change these local URLs we could have problems with mobile clients, right?

    So we wanted to avoid changing any configuration. The problem is that the modern topology, which gives us the possibility to not change those URLs, is not available now.

    So, now, the client is mounting a CAS Exchange on another server to avoid changing the certificate, because we are not totally sure about what the change of certificate can do.

    Do you think the hybrid assistant could work with the CAS Exchange?

    Any other suggestion?

    Thursday, September 12, 2019 2:26 PM
  • Additionally, I would like to know if there's some documentation about mounting an additional CAS server to avoid changing configs on the original Exchange. If it is viable, and if there isn't any documentation, could you explain to me how to proceed?

    I'm open to different possibilities, just to learn all the alternatives for this situation.

    I hope you can help.

    Again, I would like to ask how uninstalling the classic hybrid mode sounds, to let us choose the modern one again. I just wanna know if this is possible or if you rule out this possibility as not recommended.

    Let me know what you think.
    Thursday, September 12, 2019 2:41 PM
  • Hi,

     

    You can do this by deleting your existing migration batches and migration endpoint and re-running the Hybrid Configuration wizard and selecting Modern Hybrid. For more info, see the article Switching modes from Classic to Modern.

     

    Regards,

    Kelvin Deng





    Tuesday, September 17, 2019 1:13 AM
  • Hi Kelvin

    I'm glad to hear that it is possible to switch modes from Classic to Modern. Is this some new feature that wasn't available before? I read in previous documentation that it wasn't possible to switch between them...

    Actually, we didn't create any migration endpoint or migration batches due to the certificate problem. So we should then see two options if we run the Hybrid Configuration Wizard again?

    Thanks in advance for all your support.

    P.S. The link "Checklist: Perform a New Installation of Exchange 2010" is not working...
    • Edited by Ppetatul Wednesday, September 18, 2019 2:14 PM Added PD
    Wednesday, September 18, 2019 2:13 PM
  • Hi,

     

    Sorry for the invalid link. If you need further help, please provide more detailed information, so that we can give more appropriate suggestions.

     

    Regards,

    Kelvin Deng




    Monday, September 23, 2019 8:03 AM
  • Hi Kelvin Deng

    I was mounting a lab to make sure that changing from Classic to Modern is possible.

    And I found a few problems with it.

    As documented, I removed the migration endpoint and migration batches.

    Also, though this wasn't documented, I changed the EWS URL and Autodiscover URL, because I think I didn't need them...

    On the first run, I chose the Modern Hybrid Agent option. At first I saw that it was progressing... The Hybrid agent was downloaded correctly, then during the install it asked me to log in to Office365, and seemed to move to the next step, but something happened and it stopped.
    I decided to go back and try again, but now it stops at the install step, with exit code 1603.
    I tried numerous times, but none of them has worked since then; still the same error.

    I'm thinking maybe when the install stopped the first time, it had somehow installed something already, and now it is unable to continue because it detects something is not installed correctly.

    Any clue or tips?

    What can I do?

    P.S. Also, if there's somebody who knows something about this, they can share solutions too.

    Thanks in advance for your help.

    Tuesday, October 1, 2019 3:11 PM
  • ADDING NEW INFORMATION IF IT HELPS:

    I tried the module to test the connection; there are some tests which fail, but I didn't have any problem before when I installed the classic one.

    I don't know if this is something that needs to be considered or not...

    Let me know.

    Cheers.


    • Edited by Ppetatul Wednesday, October 2, 2019 8:20 AM Grammar corrections
    Tuesday, October 1, 2019 3:31 PM
  • Hi,

     

    Based on your description, the issue is that running HCW is stuck after changing the Hybrid method. For this kind of issue, I suggest you open a service request on the Office 365 Admin portal.

     


     

    Regards,

    Kelvin Deng




    Monday, October 7, 2019 8:16 AM
  • Switching from Classic to Modern mode.
    Hi Kelvin,
    Finally it wasn't necessary. I think there's a weak installation process for the Modern Hybrid Topology.
    I fixed it by restarting the server; I also think it could help to wait a little bit after the installation has failed.
    The thing was curious, and it happened to me more than once...
    Step one (Downloading the hybrid agent)
    Step two (Installing the hybrid agent)
    In this step a screen shows up and asks me for my Office365 credentials. The problem was that, when I thought I was typing in the textbox, it seems my pointer was actually on the main window instead of the credentials popup. So when I typed, I pressed a letter which for the setup means go back, so my hybrid install went back, and then when I tried again, the installation failed.
    It seems stupid, but it happened to me a few times before I was able to install it.
    I guess, when I waited a while, the temp files got removed, so I could start from 0 and try the configuration again, this time being careful to point at the Office365 credentials popup window.

    It seems switching from Classic to Modern was successful. Now what?

    I would just like you to answer some questions about the limitations of modern hybrid.

    What can we do, and what can't we?

    Hybrid Modern Authentication is not supported with the Hybrid Agent
    This basically means that, during the migration process or hybrid coexistence, we cannot use multi-factor authentication, right?

    Team's Calendaring features
    OK... does this mean sharing calendars, free/busy states?? Can this information be more detailed?

    Are mailbox permissions possible?

    Any other information regarding this will be helpful.

    Monday, October 7, 2019 12:59 PM
  • Hi,

     

    If you plan to use the Hybrid Agent in your environment, here are some constraints you need to consider:

    • MailTips
    • Message Tracking
    • Multi-mailbox searches
    • The hybrid agent will not handle any SMTP mail flow, so you still need a public certificate for mail flow between Exchange Online and your Exchange environment
    • Don’t use the Hybrid Agent if you plan on enabling Hybrid Modern Auth as this requires you to publish AutoDiscover, EWS, MAPI and OAB.

     

    Regards,

    Kelvin Deng




    Thursday, October 10, 2019 5:39 AM