Remote mailbox moves without Hybrid

I have been working with a customer who recently acquired a new company that has 400+ mailboxes running on two Exchange 2010 servers. They need all mailboxes moved to Office 365, where the tenant is already set up and has an existing Hybrid configuration to an on-prem Exchange 2016 environment. They don't want the new users set up with Azure AD Connect; the accounts will be created in cloud. If possible they want to perform MRS mailbox moves instead of paying for MigrationWiz licenses. Besides, you can't have two Hybrid configurations connecting to one tenant.

I did some testing in a lab environment and have been successful in setting up MRS mailbox moves without having AD Connect or running the Hybrid Configuration Wizard. I decided to share the steps involved in case anyone is in a similar position and needs some help.

  1. Installed Exchange 2010 SP3, as the customer's on-prem server was SP1
  2. Enabled MRSProxy on the Web Services Virtual Directory
    • Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -MRSProxyEnabled $True
  3. Created a new Receive Connector on the 2010 server scoped to the Office 365 IP addresses, with its Fqdn matching a valid SSL certificate
  4. Added the new domain to the Office 365 portal and verified it
  5. Changed the accepted domain in Exchange Online from Authoritative to Internal Relay
  6. Added an outbound connector for the domain in Exchange Online
  7. Added an inbound connector for the domain in Exchange Online
  8. Created a migration endpoint pointing to the on-prem Exchange server
  9. Set up federation from On-Prem Exchange to Exchange Online (this was easier to do in the EMC)
  10. Set up an Organization Relationship from On-Prem to Exchange Online
  11. Set up Organization sharing from Exchange Online to On-Prem (Exchange Admin Center)
  12. Now you need to create new Mail Users in the Office 365 tenant; these can be scripted and run from a PowerShell session
    • New-MailUser -Name "Alan Border" -Alias "alan.border" -DisplayName "Alan Border" -FirstName "Alan" -LastName "Border" -ExternalEmailAddress "alan.border@<>" -MicrosoftOnlineServicesID "alan.border@<>" -Password (ConvertTo-SecureString -String 'P@ssw0rd' -AsPlainText -Force)

  13. Copy the ExchangeGUID of the On-Prem 2010 mailbox onto the Mail User in Exchange Online (the command below sets the ExchangeGUID; the move request matches source and target by this value)
    • Set-MailUser -Identity "alan.border@<>" -ExchangeGUID <05c362f2-120d-472f-9cf0-f846e2f52e0f>

  14. On-Prem Exchange will need the accepted domain for <tenant> added as Authoritative
  15. On-Prem mailboxes need the alias address for <>. This can be done using an Email Address Policy.
  16. Mail User recipients in Exchange Online need both of the following addresses added: <tenant> and <tenant>
    • Set-MailUser -Identity "alan.border@<>" -EmailAddresses @{add="smtp:alan.border@<tenant>","smtp:alan.border@<tenant>"}
  17. Assign the MsolUser a valid license for Exchange Online


Note that because the MailUser has a value for ExchangeGUID, the provisioning service within Exchange Online doesn't convert it into an empty mailbox when you assign a license. Now you can perform a remote mailbox move; when the move completes, the objects convert from a MailUser to a UserMailbox in Exchange Online and from a UserMailbox to a MailUser in Exchange On-Prem.

I recommend testing this before moving any live production mailboxes, and ensure mail flow is working. You will also want to validate free/busy and ensure all mailboxes, including resource and shared mailboxes, get provisioned as MailUsers in Exchange Online before moving any mailboxes. You will also need to create Distribution Groups in Exchange Online and add the LegacyExchangeDN to prevent users getting bounce-back messages when sending to them.
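Steps 12 to 16 above as a script for a whole list of mailboxes, as an added example that is not the post's own code. It assumes the on-prem export is saved to C:\Temp\Mailboxes.csv and copied to the machine holding the Exchange Online session; the domain names are constructed placeholders, and the X500 address for the on-prem LegacyExchangeDN is an addition that the post only mentions for Distribution Groups.

```powershell
# Added example (not the post's own script): provision Exchange Online Mail Users
# for MRS moves without Hybrid. Constructed placeholders: the CSV path and domains.

# ---- On-prem, Exchange 2010 Management Shell: export what the Mail Users need ----
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $u = Get-User -Identity $_.Identity          # FirstName/LastName live on the user object
    New-Object PSObject -Property @{
        Name = $_.Name; Alias = $_.Alias; DisplayName = $_.DisplayName
        FirstName = $u.FirstName; LastName = $u.LastName
        ExchangeGuid = $_.ExchangeGuid.ToString()
        LegacyExchangeDN = $_.LegacyExchangeDN
        Primary = $_.PrimarySmtpAddress.ToString()
    }
} | Export-Csv -Path C:\Temp\Mailboxes.csv -NoTypeInformation

# ---- Exchange Online PowerShell session ----
$SourceDomain  = 'acquired.example'                                        # constructed
$TenantDomains = 'tenant.onmicrosoft.com', 'tenant.mail.onmicrosoft.com'  # constructed

foreach ($m in Import-Csv -Path C:\Temp\Mailboxes.csv) {
    $upn = "$($m.Alias)@$SourceDomain"

    if (-not (Get-MailUser -Identity $upn -ErrorAction SilentlyContinue)) {
        # Unique random initial password per user instead of one shared value;
        # hand it over out-of-band and require a change at first sign-in.
        $pw = -join ((48..57) + (65..90) + (97..122) | Get-Random -Count 16 | ForEach-Object { [char]$_ })
        New-MailUser -Name $m.Name -Alias $m.Alias -DisplayName $m.DisplayName `
            -FirstName $m.FirstName -LastName $m.LastName `
            -ExternalEmailAddress $m.Primary -MicrosoftOnlineServicesID $upn `
            -Password (ConvertTo-SecureString -String $pw -AsPlainText -Force) | Out-Null
    }

    # Step 13: the ExchangeGUID must match the on-prem mailbox. MRS uses it to find the
    # source, and its presence stops licensing from provisioning an empty cloud mailbox.
    Set-MailUser -Identity $upn -ExchangeGUID $m.ExchangeGuid

    # Step 16: tenant routing addresses, plus the on-prem LegacyExchangeDN as an X500
    # address so replies to pre-migration mail still resolve after the move.
    $addresses = @($TenantDomains | ForEach-Object { "smtp:$($m.Alias)@$_" }) + "X500:$($m.LegacyExchangeDN)"
    Set-MailUser -Identity $upn -EmailAddresses @{ add = $addresses }
}
```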


Update 365 License from F1 to E3

Here is a script that can be used if you need to bulk change a license subscription from F1 to E3 for a list of Office 365 users. In this script the requirement is to remove the Office 365 F1 and Exchange Online (Plan 2) licenses and add a license for Office 365 Enterprise E3. The second requirement was to turn on E3 but only enable some of its services.

To review which services are included with the E3 license subscription I ran the following:

In the script below I only enable the services for To-Do (Plan 2), Azure Rights Management, Office 365 ProPlus, Skype for Business Online (Plan 2), Office Online, SharePoint Online (Plan 2) and Exchange Online (Plan 2). As you can see, the remaining services were all added to the $DisabledPlans variable. You should be able to change this as necessary to meet your needs.
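The same license swap written with the MSOnline cmdlets, as an added example rather than the post's script. It assumes the users are listed one UPN per line in C:\Temp\Users.txt, and the ServiceName values are the usual names for the plans listed above; check them against your own Get-MsolAccountSku output before running.

```powershell
# Added example (not the post's script): replace F1 and Exchange Online (Plan 2) with E3,
# enabling only the listed service plans. Assumed: C:\Temp\Users.txt holds one UPN per line.
Connect-MsolService

$TenantPrefix = (Get-MsolAccountSku | Select-Object -First 1).AccountSkuId.Split(':')[0]
$F1Sku  = "$TenantPrefix`:DESKLESSPACK"        # Office 365 F1
$ExoSku = "$TenantPrefix`:EXCHANGEENTERPRISE"  # Exchange Online (Plan 2), standalone
$E3Sku  = "$TenantPrefix`:ENTERPRISEPACK"      # Office 365 Enterprise E3

# Service plans to keep enabled (assumed ServiceName values; verify with Get-MsolAccountSku)
$EnabledPlans = 'BPOS_S_TODO_2',          # To-Do (Plan 2)
                'RMS_S_ENTERPRISE',       # Azure Rights Management
                'OFFICESUBSCRIPTION',     # Office 365 ProPlus
                'MCOSTANDARD',            # Skype for Business Online (Plan 2)
                'SHAREPOINTWAC',          # Office Online
                'SHAREPOINTENTERPRISE',   # SharePoint Online (Plan 2)
                'EXCHANGE_S_ENTERPRISE'   # Exchange Online (Plan 2)

# Build $DisabledPlans from the SKU itself, so plans Microsoft adds later stay off too
$E3 = Get-MsolAccountSku | Where-Object { $_.AccountSkuId -eq $E3Sku }
$DisabledPlans = $E3.ServiceStatus | ForEach-Object { $_.ServicePlan.ServiceName } |
    Where-Object { $EnabledPlans -notcontains $_ }
$E3Options = New-MsolLicenseOptions -AccountSkuId $E3Sku -DisabledPlans $DisabledPlans

foreach ($upn in Get-Content -Path C:\Temp\Users.txt | Where-Object { $_.Trim() }) {
    $user = Get-MsolUser -UserPrincipalName $upn -ErrorAction Stop
    if (-not $user.UsageLocation) { Write-Warning "$upn has no UsageLocation; skipping"; continue }

    $current  = @($user.Licenses | ForEach-Object { $_.AccountSkuId })
    $toRemove = @($F1Sku, $ExoSku | Where-Object { $current -contains $_ })

    # Add and remove in one call so the mailbox is never left unlicensed in between
    $params = @{ UserPrincipalName = $upn; LicenseOptions = $E3Options }
    if ($current -notcontains $E3Sku) { $params.AddLicenses = $E3Sku }
    if ($toRemove.Count -gt 0)        { $params.RemoveLicenses = $toRemove }
    Set-MsolUserLicense @params
    Write-Host ("{0}: E3 applied, removed [{1}]" -f $upn, ($toRemove -join ', '))
}
```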

This script is my version of the TechNet one that changes E1 to E3 licenses. 

Let me know if you find this helpful or have any issues with running the script.


OAB Download Error

I recently completed a migration from Exchange 2013 to Exchange 2016, and after the Exchange 2013 server was uninstalled the issues with the OAB started. I confirmed that all the mailbox databases were set with the Offline Address Book.

I confirmed that the OAB Virtual Directory was set with the correct URL.

I ran the Outlook Test Email AutoConfiguration and noticed that in the output it didn’t have a line for OAB.

It turns out that the Offline Address Book needed to be set for Global Web Distribution.

Now when I check the OAB both the Web Distribution settings have been enabled.

You will need to perform an iisreset for the settings to be applied.

ADFS Expired Certificate

The following event log on the ADFS server indicates the SSL certificate has expired:

ADFS Management Console shows the certificates:

Running the following command shows the certificate settings for ADFS:

I changed the settings to Auto Rollover and set the certificate duration to 3 years.

Looking at the ADFS certificates now shows the decrypting certificate has been updated.

Without restarting any services the issue has been resolved.
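A check for the condition described above, as an added example that is not from the post: it lists the ADFS certificates with their expiry, warns when one is close to expiring, and applies the auto rollover and 3-year duration settings. It assumes it is run elevated on the primary ADFS server.

```powershell
# Added example (not from the post): ADFS certificate expiry report and rollover settings.
Import-Module ADFS

$WarnDays = 30
$report = Get-AdfsCertificate | ForEach-Object {
    New-Object PSObject -Property @{
        Type       = $_.CertificateType
        Primary    = $_.IsPrimary
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.Certificate.NotAfter
        DaysLeft   = [int]($_.Certificate.NotAfter - (Get-Date)).TotalDays
    }
}
$report | Sort-Object Type, Primary | Format-Table Type, Primary, Thumbprint, NotAfter, DaysLeft -AutoSize

$expiring = @($report | Where-Object { $_.DaysLeft -le $WarnDays })
if ($expiring.Count -gt 0) {
    $list = ($expiring | ForEach-Object { "$($_.Type)/$($_.Thumbprint)" }) -join ', '
    Write-Warning "ADFS certificates expiring within $WarnDays days: $list"
}

# Auto rollover renews the self-signed token signing/decrypting certificates; 1095 days = 3 years
$props = Get-AdfsProperties
if (-not $props.AutoCertificateRollover -or $props.CertificateDuration -ne 1095) {
    Set-AdfsProperties -AutoCertificateRollover $true -CertificateDuration 1095
}

# If a certificate has already expired, generate replacements now. Relying parties that do
# not read federation metadata automatically (Office 365 needs Update-MsolFederatedDomain)
# must then be updated with the new certificates.
if (@($report | Where-Object { $_.DaysLeft -le 0 }).Count -gt 0) {
    Update-AdfsCertificate -Urgent
}
```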



Completing Individual Moves in a Migration Batch

Completing an individual mailbox move within a migration batch was previously done by running the following commands:

Recent updates to both Exchange Online and Exchange On-Prem have changed the way move requests are created within a migration batch. Exchange Online can now set an option for when the move requests should be started and/or completed.

Now if you want to complete a move request for an individual mailbox you will need to run the following:



ADFS Logon Error

I was working with an Office 365 tenant where authentication was configured with on-prem ADFS servers, and all users were getting the following error:

The event logs showed the following two errors:


To correct the certificate issue I ran the following:


The event logs now showed:


The WAP server is now showing healthy:





Exchange Database Content Index Corrupt

Fixing a corrupt content index on an Exchange database with only one copy can be done with the following method:

If you run the following command you can see the content index state and error message.

Next you will need to stop the following services:

Now you will need to delete the content index folder, which is a GUID-named folder in the same location as the database .edb file. It has three sub-folders that all need to be deleted.


NOTE: If you try and delete the files without stopping the search services you will get an error that the file is in use.


With the files successfully deleted you can start the services:

Now wait a few minutes for the content index folder to be re-created.


To verify this worked you can run the same command from before:
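The rebuild above as a script for a single-copy database, as an added example that is not from the post. It assumes the database name is passed in $Database (a constructed value) and that the search services are the Exchange 2013/2016 ones, Microsoft Exchange Search (MSExchangeFastSearch) and its Host Controller (HostControllerService).

```powershell
# Added example (not from the post): rebuild a failed content index on a single-copy database.
$Database = 'DB01'   # constructed name

$copy = Get-MailboxDatabaseCopyStatus -Identity $Database
"{0}: ContentIndexState={1} {2}" -f $copy.Name, $copy.ContentIndexState, $copy.ContentIndexErrorMessage
if ('Failed', 'FailedAndSuspended' -notcontains $copy.ContentIndexState.ToString()) {
    Write-Host "Index is not in a failed state; nothing to rebuild."
    return
}

# The index is a GUID-named folder in the same directory as the .edb file
$db       = Get-MailboxDatabase -Identity $Database
$edbDir   = Split-Path -Parent $db.EdbFilePath.PathName
$indexDir = Get-ChildItem -Path $edbDir | Where-Object {
    $_.PSIsContainer -and $_.Name -match '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
}
if (-not $indexDir) { throw "No content index folder found under $edbDir" }

# Stop the search services first, otherwise the delete fails with "file in use" (see the NOTE above)
Stop-Service -Name MSExchangeFastSearch -Force
Stop-Service -Name HostControllerService -Force
$indexDir | Remove-Item -Recurse -Force
Start-Service -Name HostControllerService
Start-Service -Name MSExchangeFastSearch

# Give the crawler a few minutes to re-create the folder, then re-check with the same command
for ($i = 0; $i -lt 10; $i++) {
    Start-Sleep -Seconds 60
    $copy = Get-MailboxDatabaseCopyStatus -Identity $Database
    if ($copy.ContentIndexState.ToString() -eq 'Healthy') { break }
}
"{0}: ContentIndexState={1}" -f $copy.Name, $copy.ContentIndexState
```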

SCOM alert proxying to Unknown

SCOM alerts can be related to SSL certificates, and it is worth checking the IIS Exchange Back End site binding to see if the certificate is valid. One example of this is the alert for OutlookRpcDeepTestMonitor. Also note that if the alerting server is getting a "proxying to unknown" error, the certificate issue is likely on a different Exchange Server.

Open IIS, browse down to Sites and Exchange Back End. Click Bindings and edit the site binding on port 444. The site should be bound with the certificate called "Microsoft Exchange". When I viewed the certificate being used, it had the error "The CA Root certificate is not trusted".

To fix this issue the self-signed certificate needs to be exported from the Personal store and imported into the Trusted Root CA store.

Run mmc

Add the Snap-in for Certificates

Browse down to Personal and Certificates and Export the self-signed certificate where the friendly name is “Microsoft Exchange”.

Export it using the format P7B and select the option to “Include all certificates in the certification path if possible”

Name the file and Save it anywhere you like.

Browse down to Trusted Root Certification Authorities, right click Certificates -> All Tasks -> Import

Select the certificate you exported, click next and ensure the certificate is placed in the Trusted Root CA.

Now back to IIS when you view the certificate that is bound to the Exchange Back End Site it should look like this:


Now you need to restart the Exchange Health Manager service (MSExchangeHM) on the server that reported the issue, or restart it across all the Exchange Servers:
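The same check and fix from PowerShell, as an added example that is not from the post: it reads the certificate bound to the Exchange Back End site on port 444, verifies its chain, and only if it is the self-signed Exchange certificate copies it to Trusted Root and restarts the Health Manager. It assumes an elevated shell on the Exchange server.

```powershell
# Added example (not from the post): verify the Exchange Back End (port 444) certificate chain.
Import-Module WebAdministration

$binding = Get-WebBinding -Name 'Exchange Back End' -Port 444 -Protocol https
$thumb   = $binding.certificateHash
$cert    = Get-Item -Path "Cert:\LocalMachine\My\$thumb"
"Back End binding uses '{0}' ({1}), expires {2}" -f $cert.FriendlyName, $thumb, $cert.NotAfter

if ($cert.Verify()) {
    Write-Host "Certificate chain is valid; nothing to fix."
    return
}

# Only the self-signed "Microsoft Exchange" certificate should ever be trusted as a root.
# A CA-issued certificate that fails verification means the CA chain itself needs fixing.
if ($cert.Subject -ne $cert.Issuer) {
    Write-Warning "Chain failed for a CA-issued certificate; fix the issuing chain instead of trusting the leaf."
    return
}

if (-not (Test-Path -Path "Cert:\LocalMachine\Root\$thumb")) {
    # Same as the MMC steps above: export as P7B from Personal, import into Trusted Root CA
    $p7b = Join-Path -Path $env:TEMP -ChildPath "ExchangeBackEnd-$thumb.p7b"
    Export-Certificate -Cert $cert -FilePath $p7b -Type P7B | Out-Null
    Import-Certificate -FilePath $p7b -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    Remove-Item -Path $p7b
    Write-Host "Imported $thumb into Trusted Root Certification Authorities."
}

# Restart the Health Manager on this server so the probe re-evaluates
Restart-Service -Name MSExchangeHM
```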


MSExchangeDelivery service is failing

The SCOM alert for the MSExchangeDelivery service is failing due to this exception:

    Microsoft.Forefront.Monitoring.ActiveMonitoring.Smtp.Probes.MailboxDeliveryAvailabilityProbe+MailDeliveryAvailabilityProbeException: Multiple different exceptions
      at Microsoft.Forefront.Monitoring.ActiveMonitoring.Smtp.Probes.MailboxDeliveryAvailabilityProbe.CheckAllInstancesForDifferentFailures()
      at Microsoft.Forefront.Monitoring.ActiveMonitoring.Smtp.Probes.MailboxDeliveryAvailabilityProbe.DoWork(CancellationToken cancellationToken)
      at Microsoft.Office.Datacenter.WorkerTaskFramework.WorkItem.Execute(CancellationToken joinedToken)
      at Microsoft.Office.Datacenter.WorkerTaskFramework.WorkItem.<>c__DisplayClass2.<StartExecuting>b__0()
      at System.Threading.Tasks.Task.Execute()

Turns out the health mailbox was full and unable to accept new messages.

To resolve this issue I stopped the Microsoft Exchange Health Manager service and deleted all the AD accounts for the Health Mailboxes. Health Mailboxes can be found in the Monitoring Mailboxes OU, which is inside the Microsoft Exchange System Objects OU by default. After removing the AD objects I restarted the Health Manager service and new health mailboxes were created automatically.

Disable Read Receipts

Read Receipts can easily be disabled on a per message basis at the Outlook client by clicking the No button.

If you want to go the extra mile, you can set up a rule within Exchange that disables them on all inbound emails.

Create a new mail rule and select modify message

In the new rule window give it a name “Disable Read Receipt”

Apply this rule to all messages

Under "Do the following" select "Remove this header" and enter the text "Disposition-Notification-To"

Now the header details that are requesting the read receipt are removed from the message and no action will be required from the end user.


If you want to perform the same task from the Exchange Management Shell, you can run the following command: