ShaneD347
I just revised my notes and we ended up running 12 HCW using 2 new EXH servers (eventually migrating 10k+ mailboxes from an 8-server legacy EXH farm to EXO across 12 tenants).
During the initial HCW deployment we ran the configuration with a single-SAN certificate (ews.company.com) to minimize the disruption of the SMTP flow, because HCW updated the certificate on both the on-prem Receive Connector and the EXO Outbound Connector.
After the initial HCW configuration completed, we updated the certificate on both of these connectors:
Verify if the HCW has disabled the existing Intra-Organization Connectors:
On-prem Exchange:
Get-IntraOrganizationConnector | ft Identity, TargetAddressDomains, Enabled -AutoSize
Enable any disabled connectors:
Get-IntraOrganizationConnector | Set-IntraOrganizationConnector -Enabled $True
Repeat for Exchange Online:
Get-IntraOrganizationConnector | fl
Get-IntraOrganizationConnector | Set-IntraOrganizationConnector -Enabled $True
Get-IntraOrganizationConnector | fl
Update Outbound connector for new HCW
Here I ran through the EXO Outbound connector configuration and updated it to the ews.company.com smarthost and the corresponding certificate.
Ensure each on-prem Send Connector is changed to a specific single-SAN certificate
During the HCW the certificate used in the Receive Connector (ews.company.com) must be specified, otherwise the SMTP mail flow will break.
So now replace the Send Connector certificate on the on-prem Exchange to the corresponding brand domain (smtp.affiliateA.com).
The subsequent HCW configurations were run through the single-SAN certificate (smtp.affiliateB...X.com), again to avoid disrupting the SMTP flow, while leaving the Organizational FQDN at ews.company.com.
Afterwards:
1) Ensured each on-prem Send Connector was updated to the smtp.affiliateB...X.com single-SAN certificate (no change required).
2) Updated the on-prem Receive Connector certificate from smtp.affiliateB...X.com back to ews.company.com
(used this script:
$cert = Get-ExchangeCertificate -Thumbprint <string>
# TlsCertificateName must be in the exact form "<I>Issuer<S>Subject"
$tlsCertificateName = "<I>$($cert.Issuer)<S>$($cert.Subject)"
# Replace the certificate on the Default Frontend Receive Connectors
Set-ReceiveConnector "NewEXH1\Default Frontend NewEXH1" -TlsCertificateName $tlsCertificateName
Set-ReceiveConnector "NewEXH2\Default Frontend NewEXH2" -TlsCertificateName $tlsCertificateName
)
3) Verified if the HCW has disabled the existing Intra-Organization Connectors (and re-enabled it)
Get-IntraOrganizationConnector | fl
Get-IntraOrganizationConnector | Set-IntraOrganizationConnector -Enabled $True
Get-IntraOrganizationConnector | fl
4) Updated the Outbound connector for AffiliateB...X EXO
Get-OutboundConnector | fl *tls*
-> Using EXO portal, change the certificate SAN name back to ews.company.com
5) Updated e-mail address policy to include <tenant>.mail.onmicrosoft.com domain.
Note:
If the EXO tenant includes multiple SMTP domains, the primary domain must be selected for Autodiscover.
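The connector re-pointing described in step 2 and the Intra-Organization Connector check in step 3 are the two places where a wrong TlsCertificateName string or a forgotten re-enable silently breaks hybrid SMTP flow. The following script is an added example, not code from the original post: it selects the SMTP-enabled certificate that carries the ews.company.com SAN, builds the `<I>Issuer<S>Subject` string, applies it to the Default Frontend Receive Connectors on the two new servers, reads the value back to confirm it stuck, and reports any disabled Intra-Organization Connectors. It assumes it runs in the on-prem Exchange Management Shell; the server names NewEXH1/NewEXH2 and the ews.company.com name come from the post, and the `-Apply` switch and function names are this example's own.

```powershell
# Added example (not from the original post): rebuild the TlsCertificateName string
# from the certificate and apply it to the Default Frontend Receive Connectors, then verify.
# Assumptions: run in the on-prem Exchange Management Shell; NewEXH1/NewEXH2 and
# ews.company.com are the names used in the post; -Apply and the function names are ours.
param(
    [string]   $SanName = 'ews.company.com',
    [string[]] $Servers = @('NewEXH1', 'NewEXH2'),
    [switch]   $Apply            # without -Apply the script only reports what it would change
)

# Pick the certificate that carries the SAN, is SMTP-enabled and not expired.
# Refuse to guess if more than one matches; pin the thumbprint in that case.
function Get-SmtpCertificateForSan {
    param([string] $Name, [string] $Server)
    $certs = Get-ExchangeCertificate -Server $Server -DomainName $Name |
        Where-Object { "$($_.Services)" -match 'SMTP' -and $_.NotAfter -gt (Get-Date) }
    if (-not $certs) { throw "No valid SMTP-enabled certificate for $Name on $Server" }
    if (@($certs).Count -gt 1) {
        throw "Multiple certificates match $Name on $Server; pin one by thumbprint: $($certs.Thumbprint -join ', ')"
    }
    return $certs
}

# TlsCertificateName must be exactly "<I>Issuer<S>Subject"; any deviation points the
# connector at a certificate that does not exist and the hybrid SMTP handshake fails.
function New-TlsCertificateName {
    param($Certificate)
    return "<I>$($Certificate.Issuer)<S>$($Certificate.Subject)"
}

foreach ($server in $Servers) {
    $cert    = Get-SmtpCertificateForSan -Name $SanName -Server $server
    $tlsName = New-TlsCertificateName -Certificate $cert
    $connId  = "$server\Default Frontend $server"
    $current = (Get-ReceiveConnector -Identity $connId).TlsCertificateName

    if ("$current" -eq $tlsName) {
        Write-Host "[$connId] already uses $SanName (thumbprint $($cert.Thumbprint))"
        continue
    }
    Write-Host "[$connId] current: $current"
    Write-Host "[$connId] new    : $tlsName"
    if ($Apply) {
        Set-ReceiveConnector -Identity $connId -TlsCertificateName $tlsName
        # Read back and fail loudly if the change did not stick.
        $after = (Get-ReceiveConnector -Identity $connId).TlsCertificateName
        if ("$after" -ne $tlsName) { throw "[$connId] TlsCertificateName verification failed" }
        Write-Host "[$connId] updated and verified"
    }
}

# HCW can leave Intra-Organization Connectors disabled; report them and, with -Apply, re-enable.
Get-IntraOrganizationConnector | ForEach-Object {
    if (-not $_.Enabled) {
        Write-Warning "IntraOrganizationConnector '$($_.Identity)' is disabled"
        if ($Apply) { Set-IntraOrganizationConnector -Identity $_.Identity -Enabled $true }
    }
}
```

Run it once without `-Apply` after each HCW pass to see which connectors still carry the single-SAN affiliate certificate, then with `-Apply` to switch them back; the read-back check is what catches a mistyped variable name or a string that HCW has since overwritten.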