Exchange Hybrid Deployment: single forest, multiple email domains

Hi all,

I have a question. I have 22 email domains on-premises (three Exchange 2016 servers). They point to a third-party mail scanning service.
One primary domain and two UPN suffixes are added to the local AD. All my users are synchronized to Office 365 based on UPN. The mailboxes of the UPN-suffix-based users are online, while the primary-domain-based mailboxes are on-premises, with 17 email domains being the aliases and email addresses.
I enabled the hybrid component on the sync server.
Now, when I add my email domains in Office 365 and verify them, they become authoritative and break the mail flow. I need to run the HCW, so I am also verifying my email domains. Should I verify them and set them to internal relay before running the HCW, or is there anything else I am missing?


35 Replies

@Abdul Farooque 


So you already have some live email accounts in O365, but you have not yet configured Exchange Hybrid? Is that correct? How are the O365 mail accounts set up for identity: are they cloud only?

@PeterRising Out of 19 domains, two are cloud only, so their users are syncing from the local AD (UPN suffix) but their mailboxes were provisioned in the cloud.

All other domains are just email domains added to Exchange on-premises (all users with these domains are syncing to the cloud with the UPN suffix, which is common across them).

These users have an SMTP address in the local AD, but not all of the proxy addresses that are there on the Exchange servers.

@Abdul Farooque 


OK, and in what way does this break mail flow for you? Can you give me an example?



Peter, Thank you.


When I add any email domain in Office 365 and verify it, obviously the domain will become authoritative, but it should not break mail flow to on-premises Exchange. It does, though.


After verifying all these email domains, I will be running Azure AD Connect to sync them and convert them to managed.



@Abdul Farooque 


Ah, I understand now. Yes, this would be expected behaviour. What you would need to do is, as you suggest, change the added domains to internal relay, and then you will need to set up a send connector in Exchange Online from Office 365 to your organization's email server, and set it to deliver mail to the smart host address of your on-premises Exchange server. This should do the trick for you.

@Abdul Farooque As long as all mail-enabled objects are synchronized to Azure AD, there should be no problem with an authoritative domain. If the domain is set to authoritative, DBEB (Directory Based Edge Blocking) becomes active, which means that if mail is sent to a non-existing recipient in EXO, it will be blocked.


During coexistence and your migration phase, change the domains to internal relay and then analyse the mail flow before changing them back to authoritative (and maybe consider switching the MX record to EOP as well).
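The interim configuration described in the two replies above, as an added example written for this page and not posted by either participant: in Exchange Online PowerShell, switch the verified domains whose mailboxes are still on-premises from Authoritative to InternalRelay, and add an outbound connector that delivers mail for those domains to the on-premises smart host. The domain names, the smart host FQDN and the connector name are placeholders.

```powershell
# Added example: Exchange Online PowerShell (ExchangeOnlineManagement module).
# Domain names, smart host and connector name are placeholders, not values from the thread.
Connect-ExchangeOnline

$coexistenceDomains = @('contoso.com', 'fabrikam.com')   # verified in Microsoft 365, mailboxes still on-prem
$onPremSmartHost    = 'mail.contoso.com'                 # public FQDN of the on-prem Exchange / mail scanner

# 1. Coexistence: Authoritative -> InternalRelay, so Exchange Online relays mail for
#    recipients it does not know instead of rejecting it (directory-based edge blocking
#    applies only to authoritative domains).
foreach ($d in $coexistenceDomains) {
    Set-AcceptedDomain -Identity $d -DomainType InternalRelay
}

# 2. Outbound connector from Exchange Online to the on-premises server for those domains.
#    Interim only: the HCW later creates its own hybrid connectors.
New-OutboundConnector -Name 'Interim to on-prem (pre-HCW)' `
    -ConnectorType OnPremises `
    -RecipientDomains $coexistenceDomains `
    -SmartHosts $onPremSmartHost `
    -TlsSettings CertificateValidation `
    -Enabled $true

# 3. Verify what was changed.
Get-AcceptedDomain |
    Where-Object { $_.DomainName -in $coexistenceDomains } |
    Select-Object DomainName, DomainType
Get-OutboundConnector -Identity 'Interim to on-prem (pre-HCW)' |
    Select-Object Name, ConnectorType, RecipientDomains, SmartHosts, TlsSettings, Enabled

# 4. After every recipient in these domains exists in Exchange Online (synced or migrated),
#    switch back so DBEB protects the domains again:
# foreach ($d in $coexistenceDomains) { Set-AcceptedDomain -Identity $d -DomainType Authoritative }
```

`-TlsSettings CertificateValidation` makes Exchange Online require a certificate on the smart host that chains to a trusted CA and matches its name; if the on-premises server only has an internal certificate, fix that before relying on the connector rather than weakening the setting. Once the HCW has run and its "Outbound to ..." connector is in place, remove the interim connector so there is only one path to on-premises.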



Got it. After this I can run the HCW, right?

Another concern: many users don't have their proxy addresses populated in AD, though Exchange does have these proxy addresses. I am thinking I should populate them before running the sync, or will it break incoming mail to these aliases once the migration is completed?

@Abdul Farooque Then you can run the HCW, yes.

How can mailboxes have email addresses that are not populated under the proxyAddresses attribute in AD? This seems like a serious issue to me that should definitely be solved prior to synchronization.
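The pre-sync check behind the concern raised above (proxy addresses that Exchange shows but AD supposedly lacks, and aliases on domains not yet verified in the tenant), as an added example written for this page rather than posted in the thread. It runs in the on-premises Exchange Management Shell with the ActiveDirectory module; `$verifiedInM365` is a placeholder list to be filled from `Get-AcceptedDomain` in an Exchange Online session.

```powershell
# Added example (not from the thread): on-premises Exchange Management Shell plus the
# ActiveDirectory RSAT module. $verifiedInM365 is a placeholder; populate it from
# (Get-AcceptedDomain).DomainName in an Exchange Online session.
Import-Module ActiveDirectory

$verifiedInM365 = @('contoso.com', 'fabrikam.com')   # placeholder: domains verified in the tenant

# Every object whose addresses must survive the move: mailboxes, rooms, DLs.
$recipients = Get-Recipient -ResultSize Unlimited -RecipientTypeDetails `
    UserMailbox, SharedMailbox, RoomMailbox, EquipmentMailbox, `
    MailUniversalDistributionGroup, MailUniversalSecurityGroup, MailNonUniversalGroup

# 1. Inventory of SMTP domains actually in use (recipient count per domain) and the
#    recipients carrying an address in a domain that is not verified in Microsoft 365.
$domainUse  = @{}
$unverified = @()
foreach ($r in $recipients) {
    foreach ($addr in $r.EmailAddresses) {
        $s = $addr.ToString()                                 # "SMTP:user@contoso.com", "smtp:alias@...", "X500:...", ...
        if ($s -notmatch '^smtp:(.+)@(.+)$') { continue }     # -match is case-insensitive; skips X500, SIP, etc.
        $domain = $Matches[2].ToLower()
        if (-not $domainUse.ContainsKey($domain)) { $domainUse[$domain] = 0 }
        $domainUse[$domain]++
        if ($domain -notin $verifiedInM365) {
            $unverified += [pscustomobject]@{
                Recipient = $r.Identity
                Type      = $r.RecipientTypeDetails
                Address   = $s
            }
        }
    }
}
"`nSMTP domains in use on-premises (recipients per domain):"
$domainUse.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize
"`nAddresses in domains not verified in Microsoft 365 (verify these before migrating):"
$unverified | Format-Table -AutoSize

# 2. Mailbox addresses versus the raw proxyAddresses attribute on the same AD object.
#    Exchange reads EmailAddresses from proxyAddresses, so in a single forest the lists
#    should always agree; a hit usually means AD replication lag or that the two cmdlets
#    talked to different domain controllers.
$mismatches = foreach ($m in (Get-Mailbox -ResultSize Unlimited)) {
    $ad         = Get-ADUser -Identity $m.DistinguishedName -Properties proxyAddresses
    $inExchange = @($m.EmailAddresses | ForEach-Object { $_.ToString() })
    $inAD       = @($ad.proxyAddresses)
    $missing    = $inExchange | Where-Object { $_ -notin $inAD }
    if ($missing) {
        [pscustomobject]@{
            Mailbox     = $m.PrimarySmtpAddress
            MissingInAD = ($missing -join '; ')
        }
    }
}
"`nAddresses present on the mailbox but absent from the AD proxyAddresses attribute:"
$mismatches | Format-Table -AutoSize
```

The first table is the list of domains to verify in the tenant before synchronising, since an address whose domain is not accepted in Exchange Online cannot be stamped on the cloud object. If the second table is empty, as it should be in a single forest, the "missing proxy addresses" worry is resolved; if it is not, run the check again against a single domain controller (`-DomainController` on both cmdlets) before changing anything.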

@Dominik Hoefling 


Thank you. Do you think that if a user is created in the ECP with proxy addresses, but AD doesn't have that domain added as a UPN suffix, that proxy address will still be pushed down to AD?

@Abdul Farooque You mean if you create a remote mailbox in the ECP which is hosted in Exchange Online? The proxyAddresses attribute will be written back to your on-premises AD with AAD Connect. You don't need a UPN suffix for every email address; this is only required for your UPN in your on-prem AD.


It's weird that your email addresses aren't visible in the proxyAddresses attribute in your AD...

@Dominik Hoefling @Abdul Farooque 


What I would add to this is that once the HCW has run, you should no longer need the domains to be set as internal relay, and the connector should not be needed either. Coexistence should take care of things at this point.

@PeterRising It depends. Authoritative should be set if all recipients are either synchronized or migrated to Exchange Online. If you have any kind of applications on-prem like printers, scanners etc., then you need a connector; not the hybrid connector, but it's already there, so why change it? Always analyze your environment and then decide whether things are necessary or not.

@Dominik Hoefling 


Excellent!!! Thank you so much.

@PeterRising Thank you so much. Appreciated.

@Dominik Hoefling 

Ah! Let me explain this. You mean that if my users are already syncing with UPNs, then I don't need to add all email domains in the local AD to sync them up? And I can migrate mailboxes even if their email domain or primary email addresses are different from the UPN domain?


My understanding is that users are synced based on UPN (the UPN domain is not the email domain). Since users have primary domains different from their UPNs, I must sync them all. Your thoughts, Peter?


And I also tested that if I create a user in Exchange on-premises and add a proxy address manually, it does populate to AD. So I am OK here, right?


@Abdul Farooque Exactly. What I mean is that you don't have to add all your 22 domains as a UPN suffix in your on-prem AD. For example, you are using just two UPNs:



Then only those two need to be added in your AD, independent of the users' email addresses (

@Abdul Farooque 


Good luck with it. Please let us know how things go for you.

Peter, I have a question. Upon checking DLs and resource (room) mailboxes, I found they are syncing to the cloud with the domain suffix, because they use the email address domain instead of the UPN domain. How will I migrate them? Can I simply migrate them to the domain, or will this throw any error?