I've often been asked if I could write an article on setting up a hybrid environment with Exchange 2019 and Microsoft 365. The last articles on this topic are a bit older, but they still work well apart from a few minor details. Nevertheless, it's time to publish an updated version again. This series of articles covers the setup of an Exchange 2019 hybrid environment with Microsoft 365 and also the complete migration to Microsoft 365.
The first part of this series describes the setup of the lab environment. The other articles will follow as soon as they are ready.
The Hybrid Lab environment
For this series of articles, I have created a simple Exchange 2019 environment. The environment consists of only one Exchange 2019 server and one domain controller. However, the procedure is basically the same, even if there are several domain controllers and Exchange servers. Of course, I can't recreate highly complex environments in a lab, so I'm limiting myself to a very small environment here:

Domain Controller and Exchange Server are installed on Windows Server 2019. The Active Directory was installed with the name frankysweblab.de, which is also the email domain of the Exchange Server. There is also a client with Outlook 2019 in this small lab.
On the router, ports 25 (smtp), 80 (http) and 443 (https) are forwarded to the Exchange server via NAT:

Readers of the previous articles might now be wondering where a web application firewall or reverse proxy comes into play here. The simple answer: not at all. Since I myself migrated my private environment to Microsoft 365 some time ago, I no longer have any use for a WAF (in the past a Sophos UTM).
In the public DNS there are the following entries for the lab domain frankysweblab.de: outlook.frankysweblab.de and autodiscover.frankysweblab.de, both pointing to my WAN IP. outlook.frankysweblab.de is also used as the MX for the domain. In addition, there is an SPF record which authorizes the public IP for sending mail:


Exchange configuration in the Hybrid Lab environment
The Exchange configuration in this Hybrid Lab is quite simple. The Exchange server EX1 sends and receives mail directly from the Internet. There is only one send connector, which delivers mail based on the MX record:

Exchange also receives mail based on the MX record for the domain frankysweblab.de. A spam filter is not used in this lab.
All virtual directories have been configured to the name outlook.frankysweblab.de (internal and external URL); here is the example for OWA:

The autodiscover URL has been configured to the name autodiscover.frankysweblab.de:

The SSL certificate for the Exchange services was issued by Let's Encrypt for the names outlook.frankysweblab.de and autodiscover.frankysweblab.de. It is therefore a valid public certificate, which is bound to the SMTP, IIS, POP3 and IMAP services:

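As an added example (not part of the original article), here is a small Exchange Management Shell check that verifies what the paragraphs above describe by hand: that every virtual directory uses the outlook name for its internal and external URL, that the Autodiscover SCP uses the autodiscover name, and that the certificate bound to IIS and SMTP covers both names. The server name EX1 and the expected host names are the lab values from this article; adjust them for your own environment before the Hybrid Configuration Wizard is run.

```powershell
# Added example, not from the original article: audit the client-access namespace of an
# Exchange 2019 server. Assumes the lab values from the article (server EX1, names below).
# Run in the Exchange Management Shell.
$Server        = 'EX1'
$ExpectedHost  = 'outlook.frankysweblab.de'
$ExpectedAutoD = 'autodiscover.frankysweblab.de'
$Findings      = @()

# 1. Every virtual directory should use the same name for its internal and external URL.
$VDirCmdlets = 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory', 'Get-WebServicesVirtualDirectory',
               'Get-ActiveSyncVirtualDirectory', 'Get-OabVirtualDirectory', 'Get-MapiVirtualDirectory'
foreach ($Cmdlet in $VDirCmdlets) {
    foreach ($VDir in (& $Cmdlet -Server $Server)) {
        foreach ($Url in @($VDir.InternalUrl, $VDir.ExternalUrl)) {
            if (-not $Url) {
                $Findings += "$($VDir.Identity): internal or external URL is not set"
            } elseif ($Url.Host -ne $ExpectedHost) {
                $Findings += "$($VDir.Identity): $Url uses host '$($Url.Host)', expected '$ExpectedHost'"
            }
        }
    }
}

# 2. The Autodiscover SCP must point at the autodiscover name (the mismatch noted in the comments).
$AutoDUri = (Get-ClientAccessService -Identity $Server).AutoDiscoverServiceInternalUri
if (-not $AutoDUri -or $AutoDUri.Host -ne $ExpectedAutoD) {
    $Findings += "AutoDiscoverServiceInternalUri is '$AutoDUri', expected host '$ExpectedAutoD'"
}

# 3. The certificate bound to IIS and SMTP must cover both names and must not be about to expire.
$Cert = Get-ExchangeCertificate -Server $Server |
        Where-Object { "$($_.Services)" -match 'IIS' -and "$($_.Services)" -match 'SMTP' } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $Cert) {
    $Findings += 'No certificate is bound to both IIS and SMTP'
} else {
    $Domains = @($Cert.CertificateDomains | ForEach-Object { $_.ToString() })
    foreach ($Name in @($ExpectedHost, $ExpectedAutoD)) {
        if ($Domains -notcontains $Name) {
            $Findings += "Certificate $($Cert.Thumbprint) does not cover '$Name'"
        }
    }
    if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) {
        $Findings += "Certificate $($Cert.Thumbprint) expires on $($Cert.NotAfter)"
    }
}

if ($Findings) { $Findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Virtual directories, Autodiscover SCP and certificate are consistent.' }
```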
So far there are only two test mailboxes. I will probably create more test mailboxes and resources when I write the other articles in this series.

Active Directory / DNS configuration in the Lab
The Active Directory configuration is as lean as the Exchange configuration. As already mentioned, the name of the Active Directory is frankysweblab.de. There is a domain controller DC1 with the IP 192.168.100.111. There are currently 2 test users in the lab; I will probably create more users as I write the following articles.


The next article
The next article will cover the setup of the Microsoft 365 tenant and Azure AD Connect. If you have any questions about configuring the lab at this point, please leave a comment. I will then update this article and, if necessary, go into more detail in the following articles.
However, as I cannot cover more complex environments and every situation in the articles, please feel free to ask questions about your specific environment in the forum.
Good evening,
One question: in a corporate environment, does the Exchange server really have to be reachable directly from the Internet on ports 80, 443 and 25? Is there no way to put a firewall, load balancer or proxy in front of it?
The risk of an attack on the Exchange server is then really far too high. Does anyone have feedback on this topic?
Many thanks
Regards
Roland
"In the public DNS there are the following entries for the lab domain frankysweblab.de: outlook.frankysweb.de and autodiscover.frankysweb.de"
The last two are missing the "lab" in the name?
Regards
Michael
Hello Franky,
"The autodiscover URL has been configured to the name autodiscover.frankysweblab.de"
In the picture, however, the AutoDiscoverServiceInternalUri is given as: https://outlook.franky….
Regards
Christoph
Hello Christoph,
Thanks for the hint. It has been corrected.
Best regards,
Frank