Complete guide to setup Exchange Server Hybrid deployment from Scratch - aaqibwani/M365 GitHub Wiki
Requirements:
- At least 2 VMware or Hyper-V virtual machines; 3 if you want to add a client machine.
- A custom domain (optional)
- 2 Windows Server 2012 R2 or Windows Server 2016 Datacenter edition servers: one for the Domain Controller (DC) and one for Exchange Server. Windows Server 2016 ISO
- Exchange Server 2016 CU 23. Exchange Server 2016 CU 23 ISO
- Windows 10/11 for the client machine. Download Windows 11 ISO
Create the VMs:
For the DC, create a virtual machine with at least 8 GB of RAM, 2 CPU cores and 25 GB disk space. You can reduce the RAM to 4 GB once Windows Server is installed and promoted to DC if you do not have enough resources on the host machine.
For the Exchange Server, create a virtual machine with at least 8 GB (16 GB preferably) of RAM, 2 CPU cores and 50 GB of disk space.
Setting up the Domain Controller
For the purpose of this tutorial, we will be installing Windows 2016 Datacenter edition. Once Windows is installed, we need to add the Active Directory Domain Services role on the server. Follow the below steps in order:
- Name the server: Run sysdm.cpl and in the Computer Name tab click Change. Enter a relevant name for the VM, for example DC or DC1. Click OK and restart the machine.
- Configure IP settings: Open cmd and run ipconfig to note the IPv4 address, subnet mask and default gateway of your adapter. Then open Network Connections by running ncpa.cpl, double-click your network adapter, click Properties, double-click Internet Protocol Version 4 (TCP/IPv4) and select Use the following IP address. Enter the address, subnet mask and gateway you got from ipconfig (if the address was handed out by DHCP, exclude it from the DHCP scope or create a reservation so it is not handed to another machine). For the Preferred DNS server enter the loopback address 127.0.0.1. The address must be static because this VM will also be the DNS server for the lab and its IP must not change across reboots.
- Install the ADDS (Active Directory Domain Services) role: go to Server Manager > Manage > Add Roles and Features. In the dialog box click Next; Role-based or feature-based installation is pre-selected, click Next. On the next page the current server is already selected, keep it as is and click Next. In Select server roles, tick the checkbox for Active Directory Domain Services, accept the additional features it requires and click Install.
- Promote the server to a domain controller: when the role installation finishes, click the notification flag in Server Manager and choose Promote this server to a domain controller. Select Add a new forest and enter the root domain name. This can be a domain you own, or a .local domain (a .local domain cannot be verified in M365, so you will add a routable UPN suffix later). Set the DSRM password, accept the remaining defaults and let the server reboot. If you already have ADDS set up, you only need to add the UPN suffix.
Reboot the machine and log in to the domain:
At this point we are done installing Active Directory with the domain idiotbox.com. We can now create users or groups if required, and proceed with the installation of Exchange Server.
In case you already have ADDS set up with a different domain, or have a .local domain, add the UPN suffix using Active Directory Domains and Trusts (right-click the root node > Properties > UPN Suffixes). The important thing is that the UPN suffix you assign to users is a domain that is also verified in M365, otherwise their cloud UPN is rewritten to the tenant's .onmicrosoft.com domain.
Installing Exchange Server
Before we start installing Exchange on the VM, we need to do a couple of other things:
- Change the VM's DNS server to the IP of the DC we created earlier
- Rename the VM (same steps we followed for the DC above), for example Exch1
- Join the VM to the AD domain
Now, we can proceed with the installation of the Exchange Server 2016 prerequisites for Windows Server 2016:
- Open PowerShell as admin and run the following command:
```powershell
# Windows features required by the Exchange 2016 Mailbox role on Windows Server 2016
Install-WindowsFeature NET-Framework-45-Core, NET-Framework-45-ASPNET, NET-WCF-HTTP-Activation45, NET-WCF-Pipe-Activation45, NET-WCF-TCP-Activation45, NET-WCF-TCP-PortSharing45, Server-Media-Foundation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS
```
- Install .NET Framework 4.8 (required by Exchange 2016 CU23)
- Install the December 13, 2016 security update (KB3206632). It only applies if your Windows Server 2016 build is 14393.576 or earlier (circa December 2016); later builds already include it.
- Install Visual C++ Redistributable Package for Visual Studio 2012
- Install Visual C++ Redistributable Package for Visual Studio 2013
- Install IIS URL Rewrite Module
- Install Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit (If you get an error, reboot and try again)
At this point of time, we'll restart the VM a couple of times to ensure all pending reboots are complete.
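Before launching Setup.exe it is worth confirming that every item in the list above actually landed, since Setup aborts part-way through on a missing feature or a pending reboot. The script below is an added example and not part of the original wiki; it checks the feature list from the Install-WindowsFeature command above, the .NET 4.8 release number, the redistributables and UCMA via their uninstall registry entries (display names assumed to start as shown), and the three standard pending-reboot markers.

```powershell
# Added example (not from the wiki): run in an elevated PowerShell on the Exchange VM.
$requiredFeatures = @(
    'NET-Framework-45-Core','NET-Framework-45-ASPNET','NET-WCF-HTTP-Activation45',
    'NET-WCF-Pipe-Activation45','NET-WCF-TCP-Activation45','NET-WCF-TCP-PortSharing45',
    'Server-Media-Foundation','RPC-over-HTTP-proxy','RSAT-Clustering','RSAT-Clustering-CmdInterface',
    'RSAT-Clustering-Mgmt','RSAT-Clustering-PowerShell','WAS-Process-Model','Web-Asp-Net45',
    'Web-Basic-Auth','Web-Client-Auth','Web-Digest-Auth','Web-Dir-Browsing','Web-Dyn-Compression',
    'Web-Http-Errors','Web-Http-Logging','Web-Http-Redirect','Web-Http-Tracing','Web-ISAPI-Ext',
    'Web-ISAPI-Filter','Web-Lgcy-Mgmt-Console','Web-Metabase','Web-Mgmt-Console','Web-Mgmt-Service',
    'Web-Net-Ext45','Web-Request-Monitor','Web-Server','Web-Stat-Compression','Web-Static-Content',
    'Web-Windows-Auth','Web-WMI','Windows-Identity-Foundation','RSAT-ADDS'
)

# Display-name prefixes as they appear in Programs and Features (assumption: your installers
# register under these names; adjust if your language pack differs)
$requiredPrograms = @(
    'Microsoft Unified Communications Managed API 4.0',
    'Microsoft Visual C++ 2012 Redistributable (x64)',
    'Microsoft Visual C++ 2013 Redistributable (x64)',
    'IIS URL Rewrite Module'
)

function Test-ExchangePrereqs {
    $problems = @()

    # 1. Windows features: anything not in the Installed state blocks Setup
    Get-WindowsFeature -Name $requiredFeatures |
        Where-Object { $_.InstallState -ne 'Installed' } |
        ForEach-Object { $problems += "Windows feature not installed: $($_.Name)" }

    # 2. .NET Framework 4.8 writes Release >= 528040 under the v4 Full key
    $ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
    if (-not $ndp -or $ndp.Release -lt 528040) {
        $problems += ".NET Framework 4.8 not found (Release=$($ndp.Release))"
    }

    # 3. UCMA, VC++ runtimes and URL Rewrite register under the Uninstall keys (64- and 32-bit views)
    $installed = Get-ItemProperty `
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue
    foreach ($name in $requiredPrograms) {
        if (-not ($installed | Where-Object { $_.DisplayName -like "$name*" })) {
            $problems += "Not installed: $name"
        }
    }

    # 4. Pending reboot: Setup refuses to run while one is outstanding
    $sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue
    $pending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
               (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
               ($null -ne $sm.PendingFileRenameOperations)
    if ($pending) { $problems += 'A reboot is pending; restart before running Setup.exe' }

    return $problems
}

$result = Test-ExchangePrereqs
if ($result.Count -eq 0) { 'All prerequisites satisfied' } else { $result }
```

Run it after the final reboot; an empty result means Setup should get through its own readiness checks without complaint.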
Installing the Exchange 2016 Server:
After you restart the server, make sure to log back in with an AD admin account. If you followed the previous steps, this is the default Administrator account of the forest root domain, which is a member of Domain Admins, Enterprise Admins and Schema Admins. Otherwise use an account that is a member of Schema Admins and Enterprise Admins (required for /PrepareSchema and /PrepareAD) as well as Domain Admins.
Mount the Exchange Server ISO, open a command prompt as an admin and switch to the drive where the ISO was mounted. For example, if the ISO was mounted on drive D:, run:
```cmd
D:
```
(`cd D:` on its own does not switch drives in cmd; type the drive letter followed by a colon.)

Extend the AD schema to include the Exchange attributes (requires Schema Admins and Enterprise Admins membership):
```cmd
<Virtual DVD drive letter>:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareSchema
```
Example: `Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareSchema`

Prepare AD to create the containers, objects and security groups in which Exchange stores its configuration. The name you give here becomes the Exchange organization name and cannot be changed afterwards:
```cmd
<Virtual DVD drive letter>:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAD /OrganizationName:"<Organization name>"
```
Example: `Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAD /OrganizationName:"Evil Corp"`

Prepare the domain to create additional containers and security groups, and set the permissions so Exchange can access them:
```cmd
<Virtual DVD drive letter>:\Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAllDomains
```
Example: `Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /PrepareAllDomains`

Install the Mailbox server role. `/on` is short for `/OrganizationName`. The `/IAcceptExchangeServerLicenseTerms_DiagnosticDataON` switch accepts the license terms and opts in to sending diagnostic data to Microsoft; use `/IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF` to opt out:
```cmd
Setup.exe /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /Mode:Install /Roles:Mailbox /on:"Evil Corp"
```
Verify Installation
Check that all the required Exchange services are running
Check that you can reach ECP (https://<server>/ecp) and OWA (https://<server>/owa) in a browser. Setup installs a self-signed certificate, so expect a certificate warning until the SAN certificate is in place
Check that you can open the Exchange Management Shell
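The three checks above can be scripted from the Exchange Management Shell so you get one report instead of clicking around. This is an added example and not code from the wiki; it assumes the server name Exch1 and that https://exch1.idiotbox.com resolves to it. Because the Setup certificate is self-signed at this stage, the OWA/ECP probe deliberately trusts any certificate for the duration of the call; that is acceptable only in a lab and the callback is restored afterwards.

```powershell
# Added example (not from the wiki): run in the Exchange Management Shell on the new server.
function Test-ExchangeInstall {
    param(
        [string]$Server  = 'Exch1',                       # assumption
        [string]$BaseUrl = 'https://exch1.idiotbox.com'   # assumption: resolves to $Server
    )
    $report = [ordered]@{}

    # Services: Test-ServiceHealth lists, per server role, the required services not running
    $health = Test-ServiceHealth -Server $Server
    $report.ServicesNotRunning = @($health | ForEach-Object { $_.ServicesNotRunning })

    # Database: the default database Setup created should be mounted on this server
    $report.Databases = Get-MailboxDatabase -Server $Server -Status |
        Select-Object Name, Mounted, MountedOnServer

    # IIS application pools that back OWA and ECP
    Import-Module WebAdministration
    $report.AppPools = 'MSExchangeOWAAppPool', 'MSExchangeECPAppPool' | ForEach-Object {
        [pscustomobject]@{ Pool = $_; State = (Get-WebAppPoolState -Name $_).Value }
    }

    # OWA and ECP publish healthcheck.htm for load balancer probes; HTTP 200 means the front
    # end answers. Lab only: trust the self-signed cert for this call, then put the old
    # validation callback back.
    $oldCallback = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
    try {
        $report.Http = 'owa', 'ecp' | ForEach-Object {
            $url = "$BaseUrl/$_/healthcheck.htm"
            try   { $status = (Invoke-WebRequest -Uri $url -UseBasicParsing).StatusCode }
            catch { $status = "error: $($_.Exception.Message)" }
            [pscustomobject]@{ Url = $url; Status = $status }
        }
    }
    finally {
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $oldCallback
    }

    [pscustomobject]$report
}

$r = Test-ExchangeInstall
$r.ServicesNotRunning   # should be empty
$r.Databases            # Mounted should be True
$r.AppPools             # both Started
$r.Http                 # both 200
```

If ServicesNotRunning is not empty, start the listed services and re-run; a database that is not mounted usually means the Information Store service has not finished starting.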
Post installation configurations:
- Configuring the virtual directories: set the internal and external URLs of OWA, ECP, EWS, ActiveSync, OAB and MAPI, plus the Autodiscover SCP, to the namespace you are going to publish (for example mail.idiotbox.com). The Hybrid Configuration Wizard needs the EWS external URL in particular.
- Obtaining a SAN certificate for that namespace: either purchase a 3rd-party SSL certificate or Get and install a FREE Exchange SAN certificate. The self-signed certificate Setup created is not trusted by clients or by Exchange Online, so hybrid mail flow configuration fails until a publicly trusted certificate covering the namespace is installed and enabled for the IIS and SMTP services.
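Both post-installation steps are a handful of EMS cmdlets. The script below is an added example (not the wiki's own code) that sets all client-facing virtual directories on Exch1 to one namespace, generates the certificate request for the CA, and imports and enables the issued certificate. Assumed values: the names mail.idiotbox.com and autodiscover.idiotbox.com resolve internally and publicly to this server, the O= and C= parts of the subject, and the C:\Certs paths.

```powershell
# Added example (not from the wiki): run in the Exchange Management Shell.
$Server = 'Exch1'           # assumption
$Domain = 'idiotbox.com'    # assumption
$Fqdn   = "mail.$Domain"
$Base   = "https://$Fqdn"

function Set-ExchangeNamespace {
    # Same URL inside and outside keeps split-DNS simple and matches the SAN certificate.
    Get-OwaVirtualDirectory -Server $Server |
        Set-OwaVirtualDirectory -InternalUrl "$Base/owa" -ExternalUrl "$Base/owa"
    Get-EcpVirtualDirectory -Server $Server |
        Set-EcpVirtualDirectory -InternalUrl "$Base/ecp" -ExternalUrl "$Base/ecp"
    Get-WebServicesVirtualDirectory -Server $Server |
        Set-WebServicesVirtualDirectory -InternalUrl "$Base/EWS/Exchange.asmx" -ExternalUrl "$Base/EWS/Exchange.asmx"
    Get-ActiveSyncVirtualDirectory -Server $Server |
        Set-ActiveSyncVirtualDirectory -InternalUrl "$Base/Microsoft-Server-ActiveSync" -ExternalUrl "$Base/Microsoft-Server-ActiveSync"
    Get-OabVirtualDirectory -Server $Server |
        Set-OabVirtualDirectory -InternalUrl "$Base/OAB" -ExternalUrl "$Base/OAB"
    Get-MapiVirtualDirectory -Server $Server |
        Set-MapiVirtualDirectory -InternalUrl "$Base/mapi" -ExternalUrl "$Base/mapi"
    # Autodiscover SCP: domain-joined Outlook finds it in AD; external clients use DNS
    Set-ClientAccessService -Identity $Server `
        -AutoDiscoverServiceInternalUri "https://autodiscover.$Domain/Autodiscover/Autodiscover.xml"
    # Review what is now published (EWS is the one HCW asks about)
    Get-WebServicesVirtualDirectory -Server $Server | Select-Object Identity, InternalUrl, ExternalUrl
}

function New-ExchangeSanRequest {
    param([string]$OutFile = "C:\Certs\$Fqdn.req")   # assumption
    # The SAN list must cover every name clients and Exchange Online will connect to
    $csr = New-ExchangeCertificate -Server $Server -GenerateRequest -PrivateKeyExportable $true `
        -KeySize 2048 -SubjectName "CN=$Fqdn, O=Evil Corp, C=US" `
        -DomainName $Fqdn, "autodiscover.$Domain"
    [System.IO.File]::WriteAllBytes($OutFile, [System.Text.Encoding]::Unicode.GetBytes($csr))
    $OutFile
}

function Install-ExchangeSanCertificate {
    param([string]$CerFile = "C:\Certs\$Fqdn.cer")   # assumption: file issued by the CA
    # Import pairs the issued certificate with the pending request's private key
    $cert = Import-ExchangeCertificate -Server $Server -FileData ([System.IO.File]::ReadAllBytes($CerFile))
    # Bind it to IIS (OWA/ECP/EWS/Autodiscover) and SMTP (hybrid mail flow);
    # -Force skips the prompt about replacing the default SMTP certificate
    Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Services IIS, SMTP -Force
    Get-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint |
        Select-Object Thumbprint, Subject, CertificateDomains, Services, NotAfter
}

Set-ExchangeNamespace
New-ExchangeSanRequest        # submit the .req to the CA, then:
# Install-ExchangeSanCertificate -CerFile 'C:\Certs\mail.idiotbox.com.cer'
```

Keep the thumbprint from the last command; it is what you select in the HCW certificate step and what you need if you have to bind the certificate to the hybrid connectors by hand later.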
Install and Configure AADConnect
- Download AADConnect (Microsoft Entra Connect) tool from Microsoft Entra Connect
- Install AADConnect. Use custom installation.
- On the User Sign-in page, we will select Password Hash Synchronization and enable Single Sign-on for the purpose of this tutorial. Read more about PHS and SSO:
- Enter the credentials of a Microsoft Entra account that holds the Hybrid Identity Administrator role (or Global Administrator). Hybrid Identity Administrator is the least privileged role that can install and configure Entra Connect.
- Let AADConnect create a separate AD account (the AD DS Connector account) that will be used for synchronization. Enter Enterprise Admin credentials to validate; they are used only to create that account during setup and are not stored.
- Since I have not added the idiotbox.com domain to my M365 tenant (I do not own it), I click Continue without matching all UPN suffixes to verified domains. Users whose UPN suffix is not verified are synced with a UPN under the tenant's default .onmicrosoft.com domain. If you own your custom domain, add and verify it in M365 first.
- Select the OUs whose objects you want to sync to Entra ID. I selected the default Users and Computers containers; you can also create a dedicated OU and sync only that, which keeps built-in and service accounts out of the cloud directory.
Configuring Exchange Hybrid
- Download the Hybrid Configuration Wizard from aka.ms/hybridwizard. Use Internet Explorer or Edge to download it, otherwise you will get an error about different Security Zones
- If you get an error saying the download is blocked, enable file downloads for the relevant zone in Internet Options > Security
- The HCW will open:
- Click Next and select License this server. Your Exchange Server will be licensed (hybrid servers receive a hybrid product key):
- Click Next and sign in to your AAD account with a Global Admin or Exchange Admin role.
- Click Next and select Full Hybrid
- Choose Classic or Modern Hybrid depending on whether you have a 3rd-party SAN certificate and the EWS and Autodiscover URLs published in public DNS. Modern Hybrid installs the Hybrid Agent, which proxies the EWS and Autodiscover calls Exchange Online makes for migrations and free/busy over an outbound connection, so those endpoints do not need to be published inbound; mail flow still goes directly over SMTP with a trusted certificate. For the purpose of this lab, we go with Modern Hybrid.
- Keep the default selection:
- If you have not configured the virtual directories and populated the internal/external URLs, in particular the external URL for EWS, the wizard asks you to do so: enter a name in a domain that has public DNS:
- Enter the on-premises admin credentials. The HCW stores this account on the migration endpoint and Exchange Online uses it for hybrid mailbox migrations, so prefer a dedicated account rather than the domain Administrator. When its password expires or is rotated, update the migration endpoint with Set-MigrationEndpoint in Exchange Online PowerShell:
- Now, the Hybrid Agent setup will happen:
- On the next page, we will select CAS, as we do not intend to deploy an Edge Server:
- Next, you'll be asked to select the server to host the Receive and Send Connectors:
- Next, you'll be asked to select the certificate. If you have installed a 3rd party certificate, you'll select that one.
- Next, enter the public FQDN of your on-premises organization, i.e. the name Exchange Online will connect to for mail flow (for example mail.idiotbox.com). It must be in the certificate and resolvable in public DNS
- The setup will complete, or report one or more issues. Depending on the issues you encounter, you can fix them later by running the respective cmdlets in EMS:
I received an error because I had not installed a new certificate on the server; however, I can safely close it and configure it manually later.
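The two fix-ups this section defers to PowerShell are binding the SAN certificate to the hybrid connectors once it is installed, and rotating the migration endpoint credential. The script below is an added example and not from the wiki. It assumes the server is Exch1, that the connector names the HCW created start with "Outbound to Office 365" and "Default Frontend", and that you know the certificate thumbprint and the migration endpoint name.

```powershell
# Added example (not from the wiki). First function: Exchange Management Shell on-premises.
function Set-HybridTlsCertificate {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$Server = 'Exch1'    # assumption
    )
    $cert = Get-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint
    # Connectors reference a certificate as "<I>issuer<S>subject", not by thumbprint
    $tlsName = "<I>$($cert.Issuer)<S>$($cert.Subject)"

    # Assumed name prefixes of the connectors the HCW created
    $send = Get-SendConnector | Where-Object { $_.Name -like 'Outbound to Office 365*' }
    $recv = Get-ReceiveConnector -Server $Server | Where-Object { $_.Name -like 'Default Frontend*' }
    if (-not $send -or -not $recv) { throw 'HCW connectors not found; check the connector names' }

    Set-SendConnector    -Identity $send.Identity -TlsCertificateName $tlsName
    Set-ReceiveConnector -Identity $recv.Identity -TlsCertificateName $tlsName

    # Both directions of hybrid mail flow should now present the same public certificate
    Get-SendConnector    -Identity $send.Identity | Select-Object Name, TlsCertificateName
    Get-ReceiveConnector -Identity $recv.Identity | Select-Object Name, TlsCertificateName
}

# Second function: Exchange Online PowerShell, after Connect-ExchangeOnline.
function Update-HybridMigrationEndpoint {
    param([Parameter(Mandatory)][string]$EndpointName)   # e.g. the name shown by Get-MigrationEndpoint
    # Replace the stored on-premises credential after the migration account's password changed
    $cred = Get-Credential -Message 'On-premises migration account (DOMAIN\user)'
    Set-MigrationEndpoint -Identity $EndpointName -Credentials $cred
    # Proves the endpoint can still authenticate to the on-premises MRS proxy
    Test-MigrationServerAvailability -Endpoint $EndpointName
}

# Usage:
# Set-HybridTlsCertificate -Thumbprint 'ABCDEF0123456789ABCDEF0123456789ABCDEF01'   # assumed value
# Update-HybridMigrationEndpoint -EndpointName (Get-MigrationEndpoint | Select-Object -First 1).Identity
```

Run the first function on-premises after Enable-ExchangeCertificate has bound the certificate to SMTP; Exchange Online rejects the connection if the certificate it sees on the connector does not match the name you gave the HCW.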
Verify Exchange Hybrid Setup
- We can now provision a remote mailbox from Exchange on-premises and verify that the mailbox is provisioned in Exchange Online:
- Open EMS and run:
- Then run a delta sync on the AADConnect server, or wait for the next sync cycle (every 30 minutes by default)
- Verify the mailbox is created in Exchange Online:
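The end-to-end check in the steps above spans three consoles. The script below is an added example (not the wiki's own code) with one function per console: creating the remote mailbox in EMS, forcing a delta sync on the AADConnect server, and confirming the mailbox in Exchange Online. Assumed values: the tenant routing domain idiotbox.mail.onmicrosoft.com, the OU path, and the sample user.

```powershell
# Added example (not from the wiki).
# ---- 1. Exchange Management Shell on-premises ----
function New-HybridRemoteMailbox {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Alias,
        [Parameter(Mandatory)][string]$Upn,
        [string]$Ou            = 'idiotbox.com/Users',                   # assumption
        [string]$RoutingDomain = 'idiotbox.mail.onmicrosoft.com'         # assumption
    )
    # Creates the AD user with the Exchange attributes that make Exchange Online provision
    # the mailbox in the cloud once the object syncs; the prompt is the new user's password
    New-RemoteMailbox -Name $Name -Alias $Alias -UserPrincipalName $Upn `
        -OnPremisesOrganizationalUnit $Ou -RemoteRoutingAddress "$Alias@$RoutingDomain" `
        -Password (Read-Host -AsSecureString "Password for $Upn")
    # The target address must point at the tenant routing domain or mail will loop on-premises
    Get-RemoteMailbox -Identity $Upn |
        Select-Object Name, UserPrincipalName, RemoteRoutingAddress, RemoteRecipientType, ExchangeGuid
}

# ---- 2. PowerShell on the AADConnect server ----
function Invoke-DeltaSync {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
    # Scheduler state: whether a cycle is running and when the next scheduled one starts
    Get-ADSyncScheduler | Select-Object SyncCycleEnabled, SyncCycleInProgress, NextSyncCycleStartTimeInUTC
}

# ---- 3. Exchange Online PowerShell, after Connect-ExchangeOnline ----
function Test-RemoteMailboxProvisioned {
    param([Parameter(Mandatory)][string]$Upn)
    # Nothing comes back until the object has synced and Exchange Online has created the
    # mailbox; once it has, RecipientTypeDetails is UserMailbox
    $mbx = Get-Mailbox -Identity $Upn -ErrorAction SilentlyContinue
    if ($null -eq $mbx) { return "Not yet provisioned: $Upn" }
    $mbx | Select-Object DisplayName, UserPrincipalName, RecipientTypeDetails, ExchangeGuid
}

# Usage, one line per console (sample user is an assumption):
# New-HybridRemoteMailbox -Name 'Test User' -Alias 'testuser' -Upn 'testuser@idiotbox.com'
# Invoke-DeltaSync
# Test-RemoteMailboxProvisioned -Upn 'testuser@idiotbox.com'
```

If the third function keeps returning "Not yet provisioned" after a sync, check that the user's OU is within the OUs you selected in AADConnect and that the UPN suffix is a verified domain (or expect the cloud UPN under .onmicrosoft.com).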
Our Exchange Hybrid Setup is complete!