
We have a hybrid setup.

I have a situation where certain users are not showing up on the local on-prem Exchange 2013 server under recipients.

We have two domains in our single forest. I will call our primary domain abc.com and the second domain xyz.local.

The users in the xyz.local domain were just recently added as cloud-only 365 users, and this past weekend I merged their local domain accounts with their 365 accounts and modified Azure AD Connect to sync with both xyz.local and abc.com. Azure AD Connect syncs are working.

The users who do not show are all in the xyz.local domain. It is like the on-premises Exchange server is not aware of the Active Directory partition that contains the xyz.local domain.

I tried to modify some of the attributes in AD on some of the users in xyz.local and then they started showing up in recipients -> mailboxes in the Exchange admin center for the on-prem Exchange server.

These are the attributes I modified, matching them with attributes from a user in abc.com:

  targetAddress               user@tenantname.mail.onmicrosoft.com
  msExchRemoteRecipientType   6
  msExchRecipientDisplayType  -2147483642
  msExchRecipientTypeDetails  2147483648
  msExchVersion               44220983382016

I am not sure whether it is just one of the above attribute changes that allows the user to start showing in the on-premises Exchange server recipient mailboxes, or a combination of attributes.

However, once the user from xyz.local shows up, I get an error if I try to view or modify any properties via the Exchange admin center (on-premises):

The call to Microsoft Exchange Active Directory Topology service on server ‘TopologyClientTcpEndpoint (localhost)’ returned an error. Error details No suitable domain controller was found in domain ‘xyz.local’. Errors: .

I am wondering if you might have any advice. It seems like the on-premises Exchange server just needs to be made aware of xyz.local. I did a lot of searching and have not been able to figure out if there is a setting in the EAC or a PowerShell command that I should run in the Exchange Management Shell. Any help would be much appreciated.

Scot

3 Answers


I'm not sure I'm entirely grasping the premise of your conundrum, and I'm not convinced that what you're doing is actually possible. That being said, try this with a test xyz.com user account. Make sure to substitute your own values as needed.

Connect to Exchange Online with PowerShell. Then run the following command and make note of the ExchangeGUID:

  1. Get-Mailbox username | fl ExchangeGUID

Open the Exchange Management Shell on the on-premises Exchange server. Then run the following commands:

  1. Enable-RemoteMailbox username -RemoteRoutingAddress username@domain.mail.onmicrosoft.com

  2. Set-RemoteMailbox username -ExchangeGuid <ExchangeGUID noted above>

If that doesn't work then open a support case with Office 365 from your tenant. It's free. They'll tell you if it's possible or not, and if it is they'll help you resolve it.

joeqwerty
  • The conundrum was that the EAC interface on the on-premises Exchange server could not retrieve any of the users that existed in the xyz.local domain. The mailboxes in question were already enabled as remote mailboxes. It turns out that the on-premises Exchange server was lacking permissions on the primary DC for the xyz.local domain. I will be posting the solution in a separate answer. – Scot Apr 22 '21 at 20:48

Is the second domain xyz.local verified in Office 365? "I merged their local domain accounts with their 365 accounts": how did you achieve this? SMTP matching?

Please add the second domain xyz.local as an accepted domain in the on-premises Exchange server.

The remote mailbox exists on the on-premises Exchange server and is the link between the Office 365 mailbox and the on-premises Exchange organization. Without one of these for each Office 365 mailbox, you can't effectively manage certain Office 365 mailbox properties, you can't offboard it back to the on-premises Exchange server, and, most importantly, not having a remote mailbox breaks mail flow between users on-premises and users in Office 365. So you could try enabling the remote mailbox as described in this KB: https://docs.microsoft.com/en-US/exchange/troubleshoot/move-mailboxes/migrationpermanentexception-when-moving-mailboxes

Jayce
  • Yes, the merge was accomplished with SMTP matching per the Microsoft document here: https://support.microsoft.com/en-us/topic/how-to-use-smtp-matching-to-match-on-premises-user-accounts-to-office-365-user-accounts-for-directory-synchronization-75673b94-e1b8-8a9e-c413-ee5a2a1a6a78 xyz.local was previously added as an accepted domain. The mailboxes in the xyz.local domain were already enabled as remote mailboxes and checked via PowerShell. The problem was solved. I will post the solution in a separate answer. – Scot Apr 22 '21 at 20:44

The problem was solved by making a change to the Default Domain Policy on the primary DC for xyz.local. The ABC\Exchange Servers security group needed to be added to the "Manage auditing and security log" policy in the following location: Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> User Rights Assignment

[Screenshot: Default Domain Policy with the "Manage auditing and security log" policy highlighted]

Scot
  • I did not discover this solution on my own. I figured this out a couple of weeks ago, but am unable to find the URL that pointed me in this direction. I'll add it and give due credit when I find it. – Scot Apr 22 '21 at 20:58
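Two checks that confirm the cause Scot's answer describes, added here as an example and not part of the original question or any of the answers. The first parses MSExchange ADAccess event 2080, which Exchange logs in the Application log each time its topology service rates the domain controllers it found; the "SACL right" column in that event is exactly the "Manage auditing and security log" privilege, and a DC with 0 there is not used, which surfaces as "No suitable domain controller was found in domain 'xyz.local'". The second verifies, from a secedit export taken on the DC itself, that the Exchange Servers group SID is present in SeSecurityPrivilege. The DC names, PID, and group SID in the sample data are constructed for the demo, and the column layout assumed for event 2080 is the Exchange 2013 one quoted in the code comment.

```powershell
# Added example, not code from the original post or its answers.
# Column order of MSExchange ADAccess event 2080 (Exchange 2013), assumed below:
#   Server | Roles | Enabled | Reachability | Synchronized | GC capable | PDC |
#   SACL right | Critical Data | Netlogon | OS Version
$script:Columns2080 = 'Enabled','Reachability','Synchronized','GCCapable','PDC',
                      'SACLRight','CriticalData','Netlogon','OSVersion'

function ConvertFrom-AdAccess2080 {
    # Turn the body of an event 2080 into one object per DC, flagging the columns that
    # most often explain "No suitable domain controller". SACLRight = 0 is the condition
    # the "Manage auditing and security log" right fixes.
    param([Parameter(Mandatory)][string]$Message)
    foreach ($line in ($Message -split "`r?`n")) {
        $parts = $line.Trim() -split '\s+'
        # A DC row is: fqdn, role letters (C/D/G or '-'), then nine numeric columns.
        if ($parts.Count -ne 11 -or $parts[1] -notmatch '^[CDG-]+$') { continue }
        if (@($parts[2..10] -match '^\d+$').Count -ne 9) { continue }
        $dc = [ordered]@{ Server = $parts[0]; Roles = $parts[1] }
        for ($i = 0; $i -lt $script:Columns2080.Count; $i++) {
            $dc[$script:Columns2080[$i]] = [int]$parts[$i + 2]
        }
        $problems = @()
        if ($dc['Enabled'] -ne 1)      { $problems += 'disabled' }
        if ($dc['Reachability'] -eq 0) { $problems += 'unreachable' }
        if ($dc['SACLRight'] -ne 1)    { $problems += 'missing Manage auditing and security log' }
        $dc['Suitable'] = ($problems.Count -eq 0)
        $dc['Problems'] = ($problems -join '; ')
        [pscustomobject]$dc
    }
}

function Get-LatestAdAccess2080 {
    # Newest event 2080 from the Application log of the Exchange server this runs on.
    (Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MSExchange ADAccess'; Id = 2080 } `
        -MaxEvents 1 -ErrorAction Stop).Message
}

function Get-GroupSid {
    # Resolve DOMAIN\Group to its SID (needs a domain-joined machine that can reach a DC).
    param([Parameter(Mandatory)][string]$Domain, [Parameter(Mandatory)][string]$Group)
    (New-Object System.Security.Principal.NTAccount($Domain, $Group)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}

function Test-SeSecurityPrivilege {
    # Does the group's SID appear in SeSecurityPrivilege of a secedit export?
    # Take the export on the DC itself, because the right has to be effective there
    # (a GPO linked to the Domain Controllers OU wins over the Default Domain Policy):
    #   secedit /export /cfg C:\Temp\rights.inf /areas USER_RIGHTS
    #   Get-Content C:\Temp\rights.inf -Encoding Unicode -Raw
    param([Parameter(Mandatory)][string]$InfText, [Parameter(Mandatory)][string]$GroupSid)
    $line = ($InfText -split "`r?`n") |
        Where-Object { $_ -match '^\s*SeSecurityPrivilege\s*=' } | Select-Object -First 1
    if (-not $line) { return $false }   # right not defined at all in this export
    $sids = (($line -split '=', 2)[1] -split ',') | ForEach-Object { $_.Trim().TrimStart('*') }
    return [bool]($sids -contains $GroupSid)
}

# --- Offline demo with constructed data mirroring the thread: the abc.com DC is fine,
# --- the xyz.local DC lacks the SACL right. Names and PID are made up.
$sample2080 = @'
Process MSEXCHANGEADTOPOLOGY (PID=4321). Exchange Active Directory Provider has discovered the following servers with the following characteristics:
 (Server name | Roles | Enabled | Reachability | Synchronized | GC capable | PDC | SACL right | Critical Data | Netlogon | OS Version)
In-site:
dc01.abc.com      CDG 1 7 7 1 0 1 1 7 1
dc01.xyz.local    CDG 1 7 7 1 1 0 1 7 1
Out-of-site:
'@
ConvertFrom-AdAccess2080 -Message $sample2080 |
    Format-Table Server, Roles, Reachability, SACLRight, Suitable, Problems -AutoSize

$sampleInf = @'
[Privilege Rights]
SeSecurityPrivilege = *S-1-5-32-544
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549
'@
# Constructed SID standing in for ABC\Exchange Servers; resolve the real one with Get-GroupSid.
$exchangeServersSid = 'S-1-5-21-1111111111-2222222222-3333333333-1120'
"Exchange Servers holds SeSecurityPrivilege on this DC: $(Test-SeSecurityPrivilege -InfText $sampleInf -GroupSid $exchangeServersSid)"
```

Against the constructed data the xyz.local row reports Suitable = False with "missing Manage auditing and security log", and the privilege test returns False because only BUILTIN\Administrators (S-1-5-32-544) holds the right. On a live system, run `ConvertFrom-AdAccess2080 -Message (Get-LatestAdAccess2080)` in a PowerShell session on the Exchange server, and on the xyz.local DC run the two secedit lines from the comment followed by `Test-SeSecurityPrivilege -InfText (Get-Content C:\Temp\rights.inf -Encoding Unicode -Raw) -GroupSid (Get-GroupSid 'ABC' 'Exchange Servers')`; after the Group Policy change from the answer above has applied (gpupdate /force on the DC), a fresh event 2080 should show SACL right = 1 for that DC and the privilege test should return True.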