Editor's Note: The following MVP Monday post is by Office 365 MVP David Greve
Did you setup Exchange Hybrid with Exchange 2010 SP2 and are ready to change your MX record? If so, follow this blog to help improve your MX record change experience. If you did not use the SP2 wizard, then this blog will generally not apply to your configuration.
Using the SP2 wizard greatly simplifies the process to integrate with Office 365. However, by simplifying the process, it now became a bit more challenging to make a MX record change, redirecting mail from on-premise to Office 365 Forefront Online Protection for Exchange (FOPE.) FOPE is essentially the gateway for all your mail entering and leaving Office 365.
The challenge with the SP2 Hybrid Wizard is that it creates connectors that you cannot easily edit, as shown in the below image. (Edit is grayed out)
Since you cannot edit the auto created connectors for the Hybrid configuration, you cannot modify the “Sender Domains.” The “Sender Domains” is set to *.*, which is in conflict with any other inbound connector your try to create. The reason why this is important is that you need to create another connector to receive inbound Internet mail with *.* as the “Sender Domains.” You cannot create another connector due to this conflicting connector address in the “Sender Domains.” If you try to create an inbound connector, you will receive the following error when you try to enforce (enable) it: “The connector could not be enforced to all domains because of the following reasons: One or more domains have a conflicting connector associated…”
Don’t bother trying to flip your MX record at this point, you will find that you will receive an NDR, indicating you cannot relay to FOPE. This is because that inbound Hybrid connector is taking priority over any other “like” connectors.
The simplest path at this point is to stop using the auto-created inbound Hybrid connector and create your own new Hybrid connector, followed by an inbound Internet mail connector. To do so, first “+Enforce”, then “-Release” the “Hybrid Mail Flow Inbound Connector.” This will stop the connector from being used/ taking priority. Second, copy the existing settings of the “Hybrid Mail Flow Inbound Connector” and create a new connector, but only changing the “Sender Domains”. Instead of adding “*.*” for the “Sender Domains”, change it to all of the domains that you will be communicating with between on-premise Exchange and Exchange Online. In our example below, I’ve just added a single domain that’s being used between on-premise and Exchange Online for the Hybrid configuration. If you miss a domain an internal user may be sending with, you may get NDRs in Hybrid communications.
Once the new connector has been created and matches the existing connector, except for “Sender Domains”, now only “+Enfoce” the new connector. The old connector can just be ignored at this point. Validate mail flow still works between on-premise and Office 365.
Third, now that you have replaced the Hybrid connector with one specific for your email domains, you are ready to create an inbound Internet mail connector. To do so, simply add a new connector with a similar configuration to the image below.
Key items to note are that the “Sender Domains” is set to *.*, there are no specific inbound IPs and all the necessary filtering is in place for standard inbound mail. Once the connector is created, now “+Enforce” it. If you replaced the Hybrid connector properly, you should not receive any errors, once you enforce it. (Like the “The connector could not be enforced to all domains because of the following reasons: One or more domains have a conflicting connector associated…” error.)
At this point, I would give it about 24 hours for FOPE to replicate before you make any MX record changes. When ready, locate the MX record address in the Office 365 Admin page, under domains.
Update your MX record and start to validate inbound Internet mail flow works, while sending to Office 365 and the email domains you updated your MX record for.
About the Author
David Greve is an Office 365 Solutions Delivery Director for Perficient, a Microsoft MVP in Office 365, and an author for an Office 365 Exchange migration book. He has over 15 years of consulting experience in the IT industry, designing and implementing Microsoft Solutions ranging from small to enterprise environments. He is the author of the upcoming book Microsoft Office 365: Exchange Online Implementation and Migration. Currently David is working on designing and developing Microsoft Cloud Computing (Office 365) solutions, with a focus on Exchange, Lync, and SharePoint as well as strategic migration planning in complex business environments. More articles from David can be found on his new blog
The MVP Monday Series is created by Melissa Travers. In this series we work to provide readers with a guest post from an MVP every Monday. Melissa is a Community Program Manager for Dynamics, Excel, Office 365, Platforms and SharePoint in the United States. She has been working with MVPs since her early days as Microsoft Exchange Support Engineer when MVPs would answer all the questions in the old newsgroups before she could get to them.
Great read David! One thing I thought was worth noting when I've dealt with FOPE is that it actually goes "live" even before you move the MX record... for other Exchange Online customers that is. Microsoft has ~75 million mailboxes in their cloud service(s) and I believe most of them use FOPE... just something I found in my travels.