Migrating on prem 2016 to a cloned Azure VM in a hybrid environment

Copper Contributor

We have a multipath hybrid setup with connectors set up between the following:

1. On Prem 2016 exchange CU 23

2. Exchange 365

3. Mimecast

pk_fwd_0-1676869269006.png

What options do I have to move the on prem exchange to an Azure VM?
Can I clone the existing VM to the Azure then just decommission the old one before using the cloned one?

6 Replies
Best practice is that you build a new server in Azure and migrate all mailboxes and services from the old server to the new. You can try the clone method and it may work, but I don't believe Exchange is designed for this type of migration. As long as the server is in maintenance mode prior to cloning it should be OK. Just make sure that everything referencing that server is updated after the change of IP (Mimecast connector, SPF, send/receive connectors etc). Also, Azure blocks port 25 traffic by default unless you have certain subscriptions, so make sure those prerequisites are met too.

@Dan Snape 

Thank you for your reply Dan

The cloning sounded risky.

I am looking at recreating the exchange server from a fresh install and then using the "move to a different database" option in EAC to move any on prem mailboxes to the new server.

I found 7 arbitration mailboxes and am unsure whether I need to move these or if these are unique and are created by default on each exchange installation.

I am in the process of recreating all on prem recipients (mailboxes, groups, resources, contacts, shared) in 365 so that there are none on prem.

IIS is another area I am looking at as there are default sites like EAC etc. which are recreated by default however others look manually created.
Apart from using on prem exchange server as an SMTP relay I don't see any other reason for continuing the hybrid setup in the future, however as our ERP team may be using this functionality (including IIS) I have to continue being hybrid until a new solution is found there.

Hello @pk_fwd,

First of all cloning will be a bad idea and will not work as the guts of exchange resides in AD.

Please use the following steps in the same order. 

  • Setup a subscription in Azure. Select the correct type of subscription as not all subscription will allow port 25 access. Pay as you go and enterprise subscription allows. 
  • After the correct subscription log a ticket with Microsoft to open and exempt port 25
  • Create required Vnet / landing zone if one does not exist. Stick to atleast Hub-Spoke topology with some sort of firewall like Azure Fw or even Pfsense with one public ip for exchange. Extend the on premise connectivity using gateway VPN or express route.
  • Deploy new exchange 2016 in Azure with latest CU and patches. Add the Azure Public ip in mimecast as "authorized outbound ips" so that the new exchange server can send email to Mimecast as an upstream server. You may need to configure delivery routes in mimecast to add this too
  • Move all mailboxes including arbitration to the new exchange server. Configure the server with all the services and cert
  • For the send connector edit the send connector and add this server too and for the receive connector edit and create it as needed.
  • Move all mailboxes including arbitration mailboxes etc to the new server, address book etc. Run hybrid configuration wizard to configure the new server. You will need dns changed to the new public ip for successfully running hybrid configuration wizard 
  • Then put the old server in maintenance mode and turn it off and leave it off for 2 weeks. 
  • When you are confident all services are successfully migrated to the new server, Uninstall the old exchange server. You will also need to remove any delivery routes to in prem in mimecast.

Let me know if you did not understand any part. Happy to assist. 

 

Kind Regards 

Rana

The Arbitration mailboxes will also need to be migrated. You shouldn't need to create anything in IIS for Exchange manually. Hybrid requires AAD Connect, so you shouldn't need to recreate any recipients...they should just be synced to Azure AD from on-prem AD
Hi Rana
I have been advised by MS to use port 587 rather than 25. Will this be an issue?