Event ID 12024 – Exchange Hybrid


In hybrid mode with Exchange 2010, email sent to on premises users was not being delivered.  No bouncebacks or errors, just no delivery.

I checked the connector from Office 365 to on premises; when validating it against the email address of an on premises user, the validation failed with a STARTTLS error.

The problem was that I had not assigned my webmail.domain.com certificate to the SMTP service in Exchange.

After assigning the certificate (Server Configuration – right click the webmail.domain.com certificate – Assign to services – SMTP), email started being delivered to my on premises users.
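To make that check repeatable, here is an added PowerShell example (not code from the original post) that finds the unexpired Exchange certificate covering the connector FQDN, reports whether SMTP is enabled on it, and lists the connectors advertising that name. It assumes the Exchange Management Shell is loaded and reuses the post's hypothetical name webmail.domain.com.

```powershell
# Added example; assumes the Exchange Management Shell and the post's name webmail.domain.com
$Fqdn = 'webmail.domain.com'

function Test-CertificateCoversName {
    # True if any entry in CertificateDomains matches the name exactly or via a *.parent wildcard
    param($Certificate, [string]$Name)
    foreach ($domain in $Certificate.CertificateDomains) {
        $d = [string]$domain            # entries may be SmtpDomain objects, so stringify first
        if ($d -ieq $Name) { return $true }
        if ($d.StartsWith('*.')) {
            # A wildcard covers exactly one extra label: *.domain.com matches webmail.domain.com
            $parent = $d.Substring(2)
            $labels = $Name.Split('.')
            if ($labels.Count -ge 2 -and (($labels[1..($labels.Count - 1)]) -join '.') -ieq $parent) {
                return $true
            }
        }
    }
    return $false
}

# Newest unexpired certificate that covers the connector FQDN
$cert = Get-ExchangeCertificate |
    Where-Object { (Test-CertificateCoversName $_ $Fqdn) -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) {
    Write-Warning "No unexpired certificate covering $Fqdn is installed; STARTTLS from Exchange Online cannot succeed."
    return
}

# Services renders as a comma-separated list such as 'IIS, SMTP'
$smtpEnabled = ($cert.Services.ToString() -split ',\s*') -contains 'SMTP'
Write-Output "Certificate $($cert.Thumbprint) ($($cert.Subject)) expires $($cert.NotAfter); SMTP enabled: $smtpEnabled"

if (-not $smtpEnabled) {
    # Print the remediation instead of applying it, so it can be reviewed before running on a live server
    Write-Output "Enable it with: Enable-ExchangeCertificate -Thumbprint $($cert.Thumbprint) -Services SMTP"
}

# Connectors that present this FQDN in STARTTLS must match the certificate above
Get-ReceiveConnector | Where-Object { $_.Fqdn -ieq $Fqdn } | Select-Object Identity, Fqdn
Get-SendConnector    | Where-Object { $_.Fqdn -ieq $Fqdn } | Select-Object Identity, Fqdn
```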

Certificates for Exchange

I needed to stand up a lab environment to test an Exchange 2010 hybrid.  For this I needed certificates, but I didn’t really want to purchase a SAN cert for what was to be a short period of testing.

This came to my rescue:

https://github.com/Lone-Coder/letsencrypt-win-simple/wiki/Create-a-SAN-certificate-for-Microsoft-Exchange-2016,-2013-&-2010

Exchange 2010 – Office 365 Hybrid

Creating an Exchange 2010 to Office 365 hybrid:

Login to your Office 365 tenancy – Admin – Exchange Admin – Hybrid – Configure

This downloads the Hybrid Configuration Wizard (HCW).  Do the above using IE; initially I used Chrome and got an error when executing the exe after the download.

In the first part the wizard detects the optimal Exchange server to use for the hybrid connection.  In my case I only have a single Exchange 2010 server:

hybrid1

Enter your on premises account info to connect to Exchange (you can see I left the tickbox selected to use the credentials I was signed in with), and enter your global admin details for your 365 tenancy.

hybrid2

hybrid3

The wizard collects some info and connects to Exchange on premises and Exchange Online via PowerShell, then click next.

hybrid5

I’ve chosen ‘Full Hybrid Configuration’ as I need full free/busy, sharing and mail flow.

hybrid6


Click ‘Enable’ to create the federation trust.

hybrid7

You will need to create a TXT record in your DNS zone to prove domain ownership.

hybrid9

After proving your domain ownership you are asked for information on the mail flow in the hybrid configuration.  The default is good for my needs.

hybrid13

You are then asked to select the hub transport server for the transport configuration.  This is the server that will host the send connectors for mail transport to Exchange Online.

hybrid14

You are then asked for the public IP of your hub transport servers.  In my case this is a NAT to the internal Ex2010 server.

hybrid15

You then need to choose your transport certificate.  This needs to be a cert issued by a public CA, since Exchange Online must be able to validate it during STARTTLS.

hybrid16

You then need to enter the FQDN of your Exchange org.  This tells Office 365 where to send email bound for on premises users, i.e. users who have not yet been migrated.  It creates an outbound connector in Exchange Online.

hybrid18


On the next page you simply click update; in the background a number of PowerShell commands are run which do all the configuration work.


Free/Busy Exchange Online Hybrid

We have a hybrid Exchange setup with Exchange Online.  On premises is Exchange 2016.

Users who had been migrated to Exchange Online could only see the availability of other users and resources that were still on premises, not any further detail.  A check of the organization relationship showed the following.

Run the PowerShell below on your on premises servers and look for the FreeBusyAccessLevel setting:

Get-OrganizationRelationship | fl

FreeBusyAccessLevel   : AvailabilityOnly


This was why migrated users could only see the availability of on premises users and not any more detail.  To change this, target the relationship returned above (its name is a placeholder here):

Set-OrganizationRelationship -Identity "<relationship name>" -FreeBusyAccessLevel LimitedDetails


Single Active Directory account not syncing to Azure AD

A single user in AD was not being synced to Azure AD via AAD Connect.  All other users were syncing just fine.  Looking at the account, the attribute msExchRecipientTypeDetails was set to 2, which indicates a linked mailbox.

We used to use linked mailboxes but stopped doing so quite some time ago.  Obviously this account was missed when we migrated all users into a single forest.

To fix, clear the linked master account on the user:

Set-User -Identity "useralias" -LinkedMasterAccount $null