Hybrid Endpoint – To Be or Not to Be

Well in my case it wasn’t to be until I found out what the underlying issue was! Read on to find out.

Hey folks! Pure Awesomeness back again for 2019 with my first blog post of the year! I can just imagine some of the questions going through your minds…

Q1) Where in the world have you been?

A1) In my man cave


Q2) What have you been up to?

A2) Watching all the Batman movies to understand how Joel Schumacher got it so wrong with Batman Forever and Batman and Robin!


Q3) Are you going to grace us with a whole stack of new blog material and jam-pack our cerebrums with vast knowledge about the Exchange and Office 365 worlds in 2019?

A3) Absolutely!

Buckle up!

So I’ve been working on an Exchange on-premises to Exchange Online migration for one of my many customers and once we had gone through and ticked off all the prerequisite tasks that we needed to complete, it came down to the exciting part…running the all-important Hybrid Configuration Wizard (aka the HCW because you know, us consultants are all about acronyms and having another one added to our vocabulary can’t be a bad thing right?)


1. Log into the Office 365 portal
2. Download the HCW
3. Progress through the HCW prompts – (things are looking good at this point)
4. Be presented with the error below –  (commence scratching of head, looking aimlessly into the abyss and wonder what steak you’re going to eat tonight)

5. Read this blog to find the answer!…of the error…not what steak you’re going to eat tonight

Naturally, the first things to check were the MRS proxy, the firewalls and the rules configured. Both I and the customer confirmed that the required ports for the hybrid were open and operational.

Secondly, I tried creating a migration endpoint directly from the Exchange Admin Centre in O365. No success! At this point, I did what any consultant would do…duck out for a cup of liquid gold and come back with a caffeine-infused mindset and try and tackle this issue once more by referring to a good friend…Dr. Google.

Searching and searching across various articles and comments posted by like-minded individuals from all corners of the globe, I came across an article which at first glance looked like a long shot but after reading it over and over again, I thought that this might actually solve the issue.

This is the part where you tell us what the article stated and how you solved the issue right? Quite possibly my apprentice but first, sign up to Insentragram! Yep, you knew this was coming! 🙂

So, the article basically stated that the Exchange servers in the organisation should only be a part of a specific set of security groups, listed below (because what kind of blog would this be if I didn’t help my fellow Exchange/O365 consultants)

  • Domain Computers
  • Exchange Install
  • Domain Servers
  • Exchange Servers
  • Exchange Trusted Subsystem
  • Managed Availability Servers

After logging onto Active Directory, locating the Exchange server objects and checking their memberships, I was gobsmacked to find that whilst the servers in question were part of the above-mentioned groups, there were a couple of other non Windows built-in security groups these servers were members of. Yes, I will admit that at this point, I may have done a bit of an Evan Almighty dance in my chair.
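The membership check described above can be scripted as a read-only audit. This is an added example, not code from the original post or the article it refers to. It assumes the ActiveDirectory RSAT module, that the Exchange servers are direct computer members of 'Exchange Servers', and one extra allowlist entry ('Exchange Install Domain Servers') that is not in the list above.

```powershell
# Added example: report groups that Exchange server computer objects belong to
# outside the allowlist given in the post. Read-only; changes nothing in AD.
Import-Module ActiveDirectory

# Allowlist copied from the list in the post; edit to match your directory.
$expected = @(
    'Domain Computers'
    'Exchange Install'
    'Domain Servers'
    'Exchange Servers'
    'Exchange Trusted Subsystem'
    'Managed Availability Servers'
    # Assumption (not from the post): group name as created by Exchange setup.
    'Exchange Install Domain Servers'
)

# Assumption: every Exchange server is a direct computer member of this group.
$servers = Get-ADGroupMember -Identity 'Exchange Servers' |
    Where-Object { $_.objectClass -eq 'computer' }

$report = foreach ($server in $servers) {
    # Direct memberships of the computer account, including its primary group.
    $groups = Get-ADPrincipalGroupMembership -Identity $server
    foreach ($g in $groups | Where-Object { $_.Name -notin $expected }) {
        [pscustomobject]@{
            Server     = $server.Name
            ExtraGroup = $g.Name
            Scope      = $g.GroupScope
            Category   = $g.GroupCategory
            DN         = $g.DistinguishedName
        }
    }
}

if ($report) {
    # One row per unexpected membership, ready to review with the group owners.
    $report | Sort-Object Server, ExtraGroup | Format-Table -AutoSize
} else {
    Write-Output 'No Exchange server is a member of a group outside the allowlist.'
}
```

Each row is a membership to review with whoever owns the group before anything is removed, since a legacy group may still carry permissions or policy filtering.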

After discussing with the customer about the additional groups, they agreed that the servers could be removed from the groups (these were just legacy security groups which now did basically nothing in the organisation).

After the servers were removed, I logged back into the Exchange Admin Centre in O365 and attempted to configure the migration endpoint again manually and SUCCESS!! *Cue the Carlton dance (Fresh Prince of Bel-Air – you know the one!)*

Tested the endpoint by migrating a test mailbox successfully to Exchange Online! Happy days!

Moral of the story: Ugly duckling legacy security groups can cause hybrid endpoint issues!

Until next time, Pure Awesomeness signing off!

Our greatest weakness lies in giving up. The most certain way to succeed is always to try just one more time. – Thomas Edison
