I've gone through most of the preparatory steps in setting up a hybrid environment, but I'm having some strange issues that I need help with. I REALLY appreciate any guidance!

Current Environment:

- AD was original setup as OURNET (OURNET\username)

- on-Prem Exchange 2010 Sp3 (ourdomain.com)

- Exchange server (named EXCH - shows up as EXCH.OURNET.OURDOMAIN.com in EMC on ONPremise name

- Barracuda email services for antispam (inbound and outbound mail route through hosted Barracuda services. MX record for OURDOMAIN.com points to our Barracuda service then delivers to Exchange OnPrem)

- users were logging in as OURNET\username forever, but as part of the prep for O365, I changed their UPNs to username@OURDOMAIN.COM (which seems to work fine)

- Azure AD Sync setup a while ago successfully (syncing fine) before we started the move to Hybrid. Users all licensed

- recently reissued an SSL for my Exchange server so that it's keyed to OURDOMAIN.com (and wildcards EMAIL.OURDOMAIN.COM etc). Previously, we had a cert. where OURDOMAIN.COM was listed as a alternate name. Email flowed but we had Autodiscover issues. That seems to be resolved now as Autodiscover works. I have SMTP, IIS, POP, and IMAP services assigned to this cert. (had to use powershell to assign POP and IMAP)

I went through all of the steps seemingly successfully to setup a minimal hybrid deployment (O365 Admin/Setup/Data Migration wizards). I see the hybrid connectors in my OP Exchange server. However, in my OP EMC/Org. Config I see Hybrid Configuration listed but when I try to view/edit it, it says "You must add your online tenant as an additional forest"

I HAVE NOT YET CHANGED THE MX RECORDS TO POINT TO OFFICE365 (ourdomain-com.mail.protection.outlook.com) AS I'M NOT READY TO MIGRATE EVERYONE OVER. I figured that until I change this, mail would just continue to flow to my OP Exchange server as normal.

Issues (note most of these issues are sporadic and not for every user):

- my biggest issue: I have 3 users (identified so far) whose INTERNAL EMAIL are getting routed to my users' O365 mailbox but NOT to their regular OnPrem mailbox. Unfortunately, one of these 3 users is the owner of the company! I'm also one of them. Any email we send internally never shows up in users' Outlook but do show up in their O365 mailbox.

- I'm getting some email bouncebacks (from some of my users) when sending to outside organizations. I have added the required SPF record as O365 directed. Is that the cause of the problem? Is it related to the certificate name issue?

Diagnostic information for administrators:

Generating server: EXCH.OURNET.OURDOMAIN.COM

user@somedomain.com
mx1402.ess.rzc.cudaops.com #550 permanent failure for one or more recipients (user@somedomain.com:443  SPF (Sender Policy Framework) domain authentication fail. Refer to the Troubleshooting ...) ##

 - my users are getting prompted often for their passwords by Outlook (and usually, they fail). I've had everyone reset their passwords and they can successfully login to both OURDOMAIN (using username@ourdomain.com) and office.com with username@ourdomain.com and their new passwords. I've seen a lot online about this issue. I've stripped local credentials from the manager and tried some other things but nothing works.

- some users when they open Outlook are getting "Your mailbox has been temporarily moved on Exchanger Server...user temporary mailbox/Old data". I've deleted their mail profile and recreated it (it connects to their account username@ourdomain.com fine) and then their Outlook works. This keeps happening intermittently for users (some multiple times)

- When opening Outlook, we are still getting certificate errors. We get a security popup that says our cert isn't quite right because the name of our server (EXCH.OURNET.OURDOMAIN.com) is not on the certificate even though the cert is setup for wildcards for OURDOMAIN.COM. We can click OK and get in, but I fear this is also causing issues.

Again, thanks for any help you can offer.