Mail-Flow Between Online and On-Prem in Hybrid Exchange

Question

Mail-Flow Between Online and On-Prem in Hybrid Exchange

Dieter Tontsch (GMail) 972

Hello.

I have a problem with the correct understanding regarding Email-Routing between Exchange Online and on-prem according to where the Mailbox within a hybrid Setup is located, online or on-prem.
Therefor I have a few questions:

What is the correct setup re. Accepted Domains, should both Exchange have the domains configured as Authoritative, or should one be configured as Internal Relay? From what I understand here it should be Authoritative (https://blog.expta.com/2019/07/authoritative-vs-internal-relay-domains.html), and I am not talking about the "implicit" domains like tenant.onmicrosoft.com and tenant.mail.onmicrosoft.com, these two are only configured in Exchange Online as Authoritative. The mail flow on-prem --> online is clear to me, that happens based on the fact whether there is a targetAddress (remote routing address @tenant .mail.onmicrosoft.com) attribute present or not.
How is routing performed online --> on-prem (specifically this direction), since there the targetAddress attribute does not exist, we are synching our users via AzureADSync on-prem --> azure. I fell like the primary email value, also seen with uppercase SMTP: is kind of a replacement for targetAddress in EXO. And somehow, probably because of the hybid setup EXO knows that for mydomain.com either an online mailbox exists,or if not, the email is forwarded to the on-prem server, right? For now, since we just started migrating mailboxes for most of the domains, at least the productive ones, there is NO MX record for EXO, but only for on-prem. This means, emails fro outside always come to the on-prem server, which, according to targetAddress eventually forwards the mail to EXO, else it delivers it to a local mailbox. And as I said, the forwarding on-prem --> online is something I understand, where I am not sure is the online --> on-prem direction.
I have an user/mailbox on-prem which has a primary mail address like mydomain.biz. and mydomain.biz, yet as the only domain, only has an MX-record pointing to EXO. As long this user, who is synced to AzureAD keeps this primary address mydomain.biz and mydomain.biz is configured as authoritative, emails, no mater whether from internet or EXO mailbox users, are rejected because that mailbox does not exist in EXO. Why is this not forwarded to on-prem? If I change the primary email address to something mydomain.com, which yt has no MX-record pointing to EKO but only to on-prem, the mail, even if still sent to mydomain.biz is forwarded from EXO to on-prem. This is what bothers me and I am trying to understand the logic behind this.
Even if I configure mydomain.biz as internal relay address in EXO and add a secondary MX-record pointing to the on-prem server, where the mail should be forwarded in order to be delivered, the delivery still fails. The only way to make this work for this mydomain.biz alias if if I set the primary address to that user to mydomain.com, keeping mydomain.biz as an alias only.

My main concern is, based on what does EXO decide whether it gives an email for an user which is in AzureAD, but has no online mailbox (is not yet migrated), to give it another try and forward the email to the peer on-prem server, or to reject it? Why is the domain for the primary user mail-address so decisive, especially because both domains mydomain.com and mydoman.biz are configured the same way, authoritative on both Exchange server.

And what is a good approach re. MX records, when should I switch from on-prem MX to online MX or keep both with different priority for while etc...? How does this affect the mail flow, not from the perspective of the mail servers in internet, these are fine, but fro the hybrid mail flow between on-prem <--> online.

See also my initial post from where this all started here https://learn.microsoft.com/en-us/answers/questions/811088/user-was-not-found-in-domaincom-if-not-synched-fro.html

kind regards,
Dieter

2 answers

Your answer

Answer 1

Andy David - MVP 157.8K MVP Volunteer Moderator

If you have any objects that arent synced to Azure and exist on-prem only, then the accepted domain in ExO must be set to Internal Relay and have a connector to On-prem with that address space

https://learn.microsoft.com/en-us/exchange/mail-flow-best-practices/manage-accepted-domains/manage-accepted-domains

As far as the MX record, I always recommend changing it to Exchange Online as soon as possible.

Dieter Tontsch (GMail) 972 Reputation points

2022-04-14T12:19:43.883+00:00

Ok, but it not about NOT synchronized users. It is about synchronized users who do not have a primary email-address with the same domain as their UPN (their login name to AzureAD) is. This is the weird thing.

Let's asume the users UPN and primary Email address is ******@mydomain.com, in this case an email sent to ******@mydomain.biz (or .eu) is properly delivered via EXO to the mailbox on-prem.
If the user's UPN is still ******@mydomain.com, but his primary email-address 8reply address) is like ******@mydomain.biz (or .eu), the email is rejected by EXO. If I change primary email back to ******@mydomain.com and sync AD with Azure, emails for the same ******@mydomain.biz are properly routed again.

All my Accepted Domains are authoritative in EXO, and there exist an inbound and an outbound connector between online and on-prem.

Actually I do not understand why this ******@mydomain.com = UPN makes the difference.
Andy David - MVP 157.8K Reputation points MVP Volunteer Moderator

2022-04-14T13:06:45.12+00:00
Ok, trying to understand this.
1You have mydomain.biz set as an accepted domain in Exo and its rejected if the UPN and Primary do not match?

Does ******@mydomain.biz exist on another object as a UPN?
Is it rejected because it doesnt exist? If so,

wht does this sow when it fails?

get-recipient ******@mydomain.biz
Dieter Tontsch (GMail) 972 Reputation points

2022-04-14T13:32:31.013+00:00
No,

the UPN is always firstname.lastname@keyman .de for all my users, it never changes. usually this is also their reply-address

Some users are already migrated to online, most of the users are still on-prem with their mailboxes.

all users in charge are Synched to AzureAD via AzureADSync

for the user in charge, he is NOT migrated with his mailbox. And if I change his reply-address from firstname.lastname@keyman .de to whatever@keyman .biz (and send an email to that address, otherwise it would not go to EKO but to our on-prem server which would accept the mail) emails to this user, received by EXO (because of MX Record pointing to it) are NOT forwarded to the on-prem. The sender get's an NDR saying that the user does not exist in domain.biz.

if I change the reply-address back to firstname.lastname@keyman .de (it is also the UPN by change but I am not sure if it counts), it might also work if the reply-address is lastname@keyman .de (need to check), an email sent the same way again to whatever@keyman .biz will be properly forwarded by EXO to on-prem.

by changing the reply-address this causes this change to be reflected in the AzureAD object as being it's email address, and also if I have a look to all proxy-addresses of the user, this address listed with upper case SMTP:... - all the others are smtp:....

The only thing I need to check is if it just has to be the firstname.lastname@keyman .de address as "real" address, or any other @keyman .de address would also do it. The later wouldn't be it's UPN at the same time.
Dieter Tontsch (GMail) 972 Reputation points

2022-04-14T13:44:22.043+00:00

it doesn't need to be the UPN as primary email-address, any other @keyman .de address also delivers emails for the alias @keyman .biz

what is different, what triggers EXO to check for remote mailboxes if primary email-address is @keyman .de, and fails for the same alias if primary address is not @keyman .de?

I see in Office Portal Admin that @keyman .de is shown as Managed externally‎ - ‎Federated domain‎ while the others are just shown as Managed externally‎

It is true that this is the domain we have setup the tenant and the ADFS Federation etc. This is what we sync with UPN in order to be able to login with Domain Account in Azure AD etc... But does this play any role when it comes to mail routing?

Answer 2

Dieter Tontsch (GMail) 972

I got the solution from @ KyleXu-MSFT here https://learn.microsoft.com/en-us/answers/questions/811088/user-was-not-found-in-domaincom-if-not-synched-fro.html

I need to have all the domains which should be routed from O365 to On-Prem to my HCW-created connector O365 --> on-prem. Before I only had my xxxag.de domain specified there, and therefor xxxag.biz domains (as primary Email-Address) did not route.

Share via

Mail-Flow Between Online and On-Prem in Hybrid Exchange

2 answers

Your answer