Hybrid Deployment Prerequisites
Applies to: Exchange Server 2013, Exchange Online
Topic Last Modified: 2013-04-10
Before you create and configure a hybrid deployment using Microsoft Exchange Server 2013 and the Hybrid Configuration wizard, your existing on-premises Exchange organization must meet certain requirements. If you don't meet these requirements, you won't be able to complete the steps within the Hybrid Configuration wizard and you won't be able to configure a hybrid deployment between your on-premises Exchange organization and the Exchange Online organization in Microsoft Office 365.
The following prerequisites are required for configuring a hybrid deployment:
- On-premises Exchange organization Hybrid deployments can be configured for on-premises Exchange 2007-based organizations or later. For Exchange 2007 and Exchange 2010 organizations, at least one Exchange 2013 Client Access and one Exchange 2013 Mailbox server must be installed in the on-premises organization to run the Hybrid Configuration wizard and support Exchange 2013-based hybrid deployment functionality. We recommend combining the Exchange 2013 Client Access and Mailbox server roles on a single server when configuring hybrid deployments with Exchange 2007 and Exchange 2010 environments. All on-premises Exchange 2013 servers must have installed Cumulative Update 1 (CU1) or greater for Exchange 2013 to support hybrid functionality with Office 365. For more information, see Cumulative Updates for Exchange 2013.
For a complete listing of Exchange Server and Office 365 for enterprises tenant hybrid deployment compatibility, see the requirements listed in the following table for Exchange 2013-based and Exchange 2010-based hybrid deployments.
Note: To verify your Office 365 tenant version and status, see Verify Office 365 tenant version and status later in this topic. On-premises environment Exchange 2010-based hybrid with tenant version v14 Exchange 2010-based hybrid with tenant version v15 Exchange 2013-based hybrid with tenant version v15
Exchange 2013 (CU1)
Exchange 2010 SP3
Exchange 2010 SP2
Exchange 2010 SP1
Exchange 2007 SP3 RU10
Exchange 2007 SP3
Exchange 2003 SP2
Note: 1 Blocked in Exchange 2013 setup
2 Tenant upgrade notification provided in Exchange Management Console
3 Requires at least one on-premises Exchange 2010 SP2 server
4 Requires at least one on-premises Exchange 2010 SP3 server
5 Requires at least one on-premises Exchange 2013 CU1 or greater server
- Office 365 for enterprises An Office 365 for enterprises tenant and administrator account and user licenses available on the tenant service to configure a hybrid deployment. The Office 365 tenant version must be 15.0.620.28 or greater to configure a hybrid deployment with Exchange 2013. Additionally, your Office 365 tenant status must not be transitioning between service versions. For a complete summary, see the preceding table. To verify your Office 365 tenant version and status, see Verify Office 365 tenant version and status later in this topic.
Learn more at Sign up for Office 365.
- Custom domains Register any custom domains you want to use in your hybrid deployment with Office 365. You can do this by using the Office 365 Administrative portal, or by optionally configuring Active Directory Federation Services (AD FS) in your on-premises organization.
Learn more at Add your domain to Office 365.
- Active Directory synchronization Deploy Office 365 Active Directory synchronization in your on-premises organization.
Learn more at Active Directory synchronization: Roadmap.
- Autodiscover DNS records Configure the Autodiscover public DNS records for your existing SMTP domains to point to an on-premises Exchange 2013 Client Access server.
- Office 365 organization in the Exchange admin center (EAC) The Office 365 organization node is included by default in the on-premises EAC, but you must connect the EAC to your Office 365 organization using your Office 365 tenant administrator credentials before you can use the Hybrid Configuration wizard. This also allows you to manage both the on-premises and Exchange Online organizations from a single management console.
Learn more at Hybrid Management in Exchange 2013 Hybrid Deployments.
- Certificates Install and assign Exchange services to a valid digital certificate purchased from a trusted public certificate authority (CA). Although self-signed certificates should be used for the on-premises federation trust with the Microsoft Federation Gateway, self-signed certificates can’t be used for Exchange services in a hybrid deployment. The Internet Information Services (IIS) instance on the Client Access servers configured in the hybrid deployment must have a valid digital certificate purchased from a trusted CA. Additionally, the EWS external URL and the Autodiscover endpoint specified in your public DNS must be listed in Subject Alternative Name (SAN) of the certificate. The certificate installed on the Mailbox and Client Access (and Edge Transport if deployed) servers used for mail transport in the hybrid deployment must all use the same certificate (that is, they are issued by the same CA and have the same subject).
Learn more at Certificate Requirements for Hybrid Deployments.
- EdgeSync If you’ve deployed Edge Transport servers in your on-premises organization and want to configure the Edge Transport servers for hybrid secure mail transport, you must configure EdgeSync prior to using the Hybrid Configuration wizard.
Learn more at Edge Transport Servers with Hybrid Deployments.
Important: Although EdgeSync is a requirement in deployments with Edge Transport servers, additional manual transport configuration settings will be required when you configure Edge Transport servers for hybrid secure mail transport.
After you’ve made sure your Exchange organization meets these requirements, you’re ready to use the Hybrid Configuration wizard. For more detailed guidance, see Create a Hybrid Deployment with the Hybrid Configuration Wizard.
In addition to the required prerequisites described earlier, other tools and services are beneficial when you’re configuring hybrid deployments with the Hybrid Configuration wizard:
- Remote Connectivity Analyzer tool The Microsoft Remote Connectivity Analyzer tool checks the external connectivity of your on-premises Exchange organization and makes sure that you’re ready to configure your hybrid deployment. We strongly recommend that you check your on-premises organization with the Remote Connectivity Analyzer tool prior to configuring your hybrid deployment with the Hybrid Configuration wizard.
Learn more at Remote Connectivity Analyzer Tool.
- Single sign-on Although not a requirement for hybrid deployments, single sign-on enables users to access both the on-premises and Exchange Online organizations with a single user name and password. Single sign-on provides users with a familiar sign-on experience and allows administrators to easily control account policies for Exchange Online organization mailboxes by using on-premises Active Directory management tools.
Single sign-on is also highly recommended for organizations that plan on deploying Exchange Online Archiving (EOA) in their Exchange organization.
If you decide to deploy single sign-on with your hybrid deployment, we recommend that you deploy it with Active Directory synchronization and before using the Hybrid Configuration wizard.
Learn more at Prepare for single sign-on.
To verify the version and status of your Office 365 tenant, follow the steps below:
Connect to the Office 365 tenant using remote Windows PowerShell. For step-by-step connection instructions, see Connect Windows PowerShell to the Service.
After connecting to the Office 365 tenant, run the following command.
Get-OrganizationConfig | Format-List AdminDisplayVersion,IsUpgradingOrganization
- AdminDisplayVersion parameter value is equal to or greater than 15.0.620.28
- IsUpgradingOrganization parameter is False
Warning: If your Office 365 tenant version and status don’t meet the hybrid deployment requirements, the Hybrid Configuration wizard won’t complete successfully.
- AdminDisplayVersion parameter value is equal to or greater than 15.0.620.28
Disconnect from the Office 365 tenant remote PowerShell session. For step-by-step disconnection instructions, see Connect Windows PowerShell to the Service.