Even after migrating to Exchange Online from a hybrid configuration, your organization will most likely keep a hybrid deployment in place for a few reasons.
The main reason is recipient management: when on-premises Active Directory is synchronized to Azure AD, the Exchange attributes on user, group and contact objects still have to be edited with on-premises Exchange tools, even after every distribution group, shared mailbox, public folder and regular mailbox has been migrated. Some organizations also prefer to keep their SMTP relays on premises for security reasons, so that internal applications never send directly to the internet.
Admins who run an Exchange 2013 hybrid deployment will eventually need to upgrade it to Exchange 2016. Here are some recommendations and considerations for that process.
Get to know your environment
You may be inheriting someone else's work with little or no documentation. Before the upgrade, spend time monitoring and learning the existing Exchange Server configuration; everything you find now is one less surprise at cutover.
Find out whether reverse proxies or email gateways publish your web-based Exchange services, such as the Exchange Control Panel (ECP), Outlook on the web (OWA), remote PowerShell and Exchange ActiveSync. Document every configuration setting and confirm which of these services are actually in use rather than merely enabled. Then review the mail flow connectors, from the send connectors that handle outbound email to the receive connectors your internal relays use, and record the status and settings of each before the transition to Exchange 2016.
Also, take a close look at the certificates issued to your Exchange servers by a third-party certification authority. See which services each certificate is bound to: IIS (HTTPS for OWA, ECP, ActiveSync and remote PowerShell), Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP) and Internet Message Access Protocol (IMAP). Check the expiration dates, confirm that the names in the certificate match the host names you intend to keep using, and make sure the private key is present and exportable so the certificate can move to the new servers.
Depending on what you uncover during discovery, you may decide to issue new certificates for the new servers instead. If you do, import them into the Local Computer Personal certificate store on each server so that Exchange can see them at installation time and you can bind them to services right away. Having a trusted certificate bound to IIS before any client is pointed at the new servers prevents Outlook pop-ups about invalid certificates during the Exchange 2016 hybrid setup.
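The following is an added example, not code from the original article: an Exchange Management Shell script that inventories the third-party certificates on the Exchange 2013 servers, flags those that cannot be moved (no private key) or should be renewed rather than moved (expiring soon), and then exports one certificate and binds it to IIS and SMTP on the new servers. The server names, the thumbprint placeholder and the export path are assumptions. The PFX file contains the private key, so keep it on an access-controlled share, use a strong password and delete it once the import is done.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell.
# Server names and the export path are assumptions for illustration.
$OldServers = "EX2013-01", "EX2013-02"
$NewServers = "EX2016-01", "EX2016-02"
$ExportPath = "\\fileserver\secure$\exchange-cert.pfx"   # assumed; lock down the share ACL

# 1. Inventory: which non-self-signed certificates exist, what they are bound to, and whether they can move.
$OldServers | ForEach-Object {
    $srv = $_
    Get-ExchangeCertificate -Server $srv |
        Where-Object { -not $_.IsSelfSigned } |
        ForEach-Object {
            $daysLeft = ($_.NotAfter - (Get-Date)).Days
            [pscustomobject]@{
                Server        = $srv
                Thumbprint    = $_.Thumbprint
                Subject       = $_.Subject
                Domains       = ($_.CertificateDomains -join ", ")
                Services      = $_.Services            # e.g. IIS, SMTP, POP, IMAP
                DaysToExpiry  = $daysLeft
                HasPrivateKey = $_.HasPrivateKey
                Problem       = if (-not $_.HasPrivateKey) { "no private key: cannot be moved" }
                                elseif ($daysLeft -lt 90)  { "expires within 90 days: renew instead" }
                                else                        { "" }
            }
        }
} | Format-Table -AutoSize

# 2. Export the chosen certificate (with private key) as a password-protected PFX.
$thumb       = "<thumbprint chosen from the table above>"   # placeholder, fill in by hand
$pfxPassword = Read-Host "PFX password" -AsSecureString
$pfx = Export-ExchangeCertificate -Server $OldServers[0] -Thumbprint $thumb -BinaryEncoded -Password $pfxPassword
[System.IO.File]::WriteAllBytes($ExportPath, $pfx.FileData)

# 3. Import on each new server and bind it to IIS and SMTP. -Force suppresses the prompt
#    about replacing the self-signed certificate that setup created for SMTP.
foreach ($srv in $NewServers) {
    $bytes    = [byte[]](Get-Content -Path $ExportPath -Encoding Byte -ReadCount 0)
    $imported = Import-ExchangeCertificate -Server $srv -FileData $bytes -Password $pfxPassword -PrivateKeyExportable $true
    Enable-ExchangeCertificate -Server $srv -Thumbprint $imported.Thumbprint -Services IIS, SMTP -Force
}

# 4. Remove the PFX now that the private key lives in the new servers' stores.
Remove-Item -Path $ExportPath
```

Running step 1 on its own is a safe read-only check you can do during discovery; steps 2 to 4 change the new servers and should wait until they are built. Get-Content -Encoding Byte is Windows PowerShell syntax, which is what the Exchange Management Shell uses.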
Are you running Exchange 2013 with the latest cumulative update?
Maintaining a hybrid deployment means keeping the on-premises servers current with Exchange cumulative updates and Windows patches. These servers stay reachable from the internet for hybrid mail flow and free/busy lookups, so an unpatched hybrid server is an exposed one. If you migrated mailboxes to Exchange Online with Exchange 2013 on premises, you will need to continue to maintain both the Client Access Server role and the Mailbox role.
While preparing for the upgrade to Exchange 2016, install the latest Exchange 2013 cumulative update and the latest Windows Server updates on the existing servers. Exchange 2016 requires Exchange 2013 CU10 or later on every Exchange 2013 server in the organization before it can coexist with them, so check the Exchange Server supportability matrix before you begin. Also make sure Azure AD Connect is up to date.
Next, build the Exchange 2016 servers. Keep in mind that these machines are installed alongside your Exchange 2013 servers, join the same Exchange organization and are able to accept and route mail as soon as setup completes. This is usually not a concern because the existing mail flow connectors are unchanged and email delivery should not be disrupted; even so, do not publish the new servers through DNS, the load balancer or the firewall until you are ready to cut over.
Get ready for the Exchange 2016 installation
To prepare for your Exchange 2016 hybrid installation, first decide how many servers you need. Exchange 2016 merges the Client Access Server and Mailbox roles into a single Mailbox role, so every server runs both. If everything except the relays has been moved to Office 365, two servers, primarily for redundancy, are likely enough.
For the operating system, I recommend the latest supported server OS, which at the time of writing is Windows Server 2016 Standard edition; note that Exchange 2016 supports Windows Server 2016 only from Cumulative Update 3 onward, so install a current CU. For the purposes of this article, we are not running a database availability group because all the enterprise mail data is in the cloud.
Exchange 2016 installation prerequisites
Once the servers are built, evaluate and install all of the Exchange 2016 prerequisites on both Exchange servers: the required Windows Server features, the .NET Framework version supported by the cumulative update you are installing, and the Unified Communications Managed API 4.0 runtime. There is an entire TechNet article on this process that can help you prepare for the install; because the supported .NET version changes between cumulative updates, check it against the supportability matrix rather than installing the newest .NET release.
After completing this work on all the Exchange 2016 servers, it is time to install Exchange Server.
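As an added example, not from the original article, the script below installs the Windows Server features that Microsoft's prerequisites article listed for the Exchange 2016 Mailbox role on Windows Server 2016 on both new servers, then reports whether anything is still missing, whether a restart is pending, which .NET Framework release is present and whether UCMA 4.0 is installed. The server names are assumptions, and the feature list should be verified against the current prerequisites article before you run it. .NET and UCMA are installed separately from their own installers; this script only checks for them.

```powershell
# Added example (not from the original article). Run from an admin PowerShell session
# that can reach both new servers over WinRM. Server names are assumptions.
$NewServers = "EX2016-01", "EX2016-02"

# Windows features Microsoft documented for the Exchange 2016 Mailbox role on Windows Server 2016.
# Re-check this list against the current prerequisites article before use.
$Features = @(
    "NET-Framework-45-Features", "RPC-over-HTTP-proxy", "RSAT-Clustering",
    "RSAT-Clustering-CmdInterface", "RSAT-Clustering-Mgmt", "RSAT-Clustering-PowerShell",
    "WAS-Process-Model", "Web-Asp-Net45", "Web-Basic-Auth", "Web-Client-Auth",
    "Web-Digest-Auth", "Web-Dir-Browsing", "Web-Dyn-Compression", "Web-Http-Errors",
    "Web-Http-Logging", "Web-Http-Redirect", "Web-Http-Tracing", "Web-ISAPI-Ext",
    "Web-ISAPI-Filter", "Web-Lgcy-Mgmt-Console", "Web-Metabase", "Web-Mgmt-Console",
    "Web-Mgmt-Service", "Web-Net-Ext45", "Web-Request-Monitor", "Web-Server",
    "Web-Stat-Compression", "Web-Static-Content", "Web-Windows-Auth", "Web-WMI",
    "Windows-Identity-Foundation", "RSAT-ADDS"
)

Invoke-Command -ComputerName $NewServers -ArgumentList (,$Features) -ScriptBlock {
    param([string[]]$Features)

    $result  = Install-WindowsFeature -Name $Features
    $missing = $Features | Where-Object { -not (Get-WindowsFeature -Name $_).Installed }

    # .NET 4.x release number; compare it with the supportability matrix for your CU.
    $net = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full" -ErrorAction SilentlyContinue

    # UCMA 4.0 shows up as an installed program; Exchange setup refuses to proceed without it.
    $ucma = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" |
            Where-Object { $_.DisplayName -like "Microsoft Unified Communications Managed API 4.0*" }

    [pscustomobject]@{
        Server          = $env:COMPUTERNAME
        RestartNeeded   = $result.RestartNeeded
        MissingFeatures = ($missing -join ", ")
        DotNetRelease   = $net.Release
        DotNetVersion   = $net.Version
        UcmaInstalled   = [bool]$ucma
    }
} | Format-Table -AutoSize
```

Run it once, reboot if RestartNeeded is set, install .NET or UCMA if the report says they are absent, and run it again until MissingFeatures is empty on both servers before launching Exchange setup.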
Pointers on the Exchange 2016 installation
Before you begin the Exchange installation process, I have a few recommendations. First, run setup with a dedicated installation account instead of your own account. Setup needs Schema Admins and Enterprise Admins rights to prepare Active Directory and Organization Management rights to install the server, so giving those rights to a dedicated, audited account (and removing the elevated group memberships afterwards) provides a cleaner deployment and benefits the next administrator if you leave the organization or change roles.
Also, prepare your third-party certificates on each server by importing them with the Certificates MMC snap-in (Local Computer) into the computer's Personal store. This lets Exchange detect them during the installation. Once this is all in place, install Exchange 2016 on each server.
Setting up the Exchange Relay Connector
If you want your Exchange servers to continue relaying email for internal services, servers and enterprise applications, it's time to set up the relay connectors on the new servers.
Because these are new servers, create the connectors fresh and copy the allowed remote IP ranges from the relay connector on one of your Exchange 2013 servers rather than retyping them. Grant the ms-Exch-SMTP-Accept-Any-Recipient extended right to anonymous users on each connector so that applications can also relay to recipients outside the organization. Keep the remote IP ranges limited to the specific hosts that need to relay; a connector that accepts any recipient from any source address is an open relay.
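The following is an added example, not code from the original article: an Exchange Management Shell script that reads the relay connector on an Exchange 2013 server, refuses to proceed if that connector already allows any source address, creates a matching front-end relay connector on each Exchange 2016 server with the same remote IP ranges, grants anonymous relay to any recipient, and finally lists every connector on the new servers that grants that right together with its IP scope. Connector and server names and the relay FQDN are assumptions.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell
# on an Exchange 2016 server. Names below are assumptions for illustration.
$SourceConnector = "EX2013-01\Relay"
$NewServers      = "EX2016-01", "EX2016-02"
$RelayFqdn       = "relay.companyname.com"     # must appear in the certificate bound to SMTP

$old = Get-ReceiveConnector -Identity $SourceConnector

# Safety check: Accept-Any-Recipient granted to a connector that listens for the whole
# internet is an open relay. Stop rather than copy such a configuration forward.
$tooBroad = $old.RemoteIPRanges | Where-Object { "$_" -in "0.0.0.0-255.255.255.255", "0.0.0.0/0" }
if ($tooBroad) { throw "Source connector $SourceConnector allows any remote IP; tighten it before cloning." }

foreach ($srv in $NewServers) {
    # Same port as the Default Frontend connector is fine: Exchange picks the connector
    # whose RemoteIPRanges most specifically matches the sending host.
    $rc = New-ReceiveConnector -Name "Relay" -Server $srv -Usage Custom `
            -TransportRole FrontendTransport -Bindings "0.0.0.0:25" `
            -RemoteIPRanges $old.RemoteIPRanges -Fqdn $RelayFqdn `
            -PermissionGroups AnonymousUsers

    # Anonymous submission alone only allows internal recipients; this extended right
    # is what lets the listed hosts relay to external addresses.
    $rc | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
            -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient" | Out-Null
}

# Verification: every connector that grants anonymous Accept-Any-Recipient, with its scope.
foreach ($srv in $NewServers) {
    Get-ReceiveConnector -Server $srv | ForEach-Object {
        $conn = $_
        $anonRelay = Get-ADPermission -Identity $conn.Identity | Where-Object {
            "$($_.User)" -like "*ANONYMOUS LOGON" -and
            ($_.ExtendedRights -join ",") -like "*Accept-Any-Recipient*"
        }
        if ($anonRelay) {
            [pscustomobject]@{
                Connector      = $conn.Identity
                RemoteIPRanges = ($conn.RemoteIPRanges -join ", ")
            }
        }
    }
} | Format-Table -AutoSize
```

The Default Frontend connector is left untouched because hybrid mail from Exchange Online still arrives through it; only the custom relay connector gets the anonymous relay right, and only for the copied IP ranges.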
Cutover to the new Exchange 2016 servers
Now it's time to prepare for the cutover to the new Exchange 2016 servers. Keep in mind that every Exchange relay name will require a DNS record change to point to the new servers. For example, relay.companyname.com should resolve to the new server IPs, or to the load balancer in front of them. Lower the TTL on these records ahead of time so the change, and a failback if you need one, takes effect quickly.
Also, at the time of cutover, any gateways or reverse proxies for Outlook on the web, ECP, ActiveSync, remote PowerShell and the other client services will need to point at the new IPs. Then configure the Exchange 2016 virtual directories to use the friendly names for these services, such as https://owa.companyname.com. Cross-check the internal and external URLs on the Exchange 2013 virtual directories and set the same values on the Exchange 2016 servers, either in the Exchange admin center (EAC) or with the Exchange Management Shell. Every host name you set here must also be present in the certificate bound to IIS, otherwise Outlook will warn users about it.
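As an added example that is not part of the original article, the script below copies the internal and external URLs of the client-facing virtual directories and the Autodiscover service connection point from an Exchange 2013 server to an Exchange 2016 server, and then checks that every host name it copied is covered by the certificate bound to IIS on the new server. It assumes an Exchange 2016 Management Shell (so Get-ClientAccessService is available) and the server names are assumptions.

```powershell
# Added example (not from the original article). Run from an Exchange 2016 Management Shell.
# Server names are assumptions for illustration.
$Source = "EX2013-01"
$Target = "EX2016-01"

# Virtual directories that have matching Get-/Set-<Name>VirtualDirectory cmdlets.
$VdirTypes = "Owa", "Ecp", "ActiveSync", "WebServices", "Oab", "Mapi", "PowerShell"
$Hosts = New-Object System.Collections.Generic.HashSet[string]

foreach ($type in $VdirTypes) {
    $old = & "Get-${type}VirtualDirectory" -Server $Source
    $new = & "Get-${type}VirtualDirectory" -Server $Target

    # Copy the URLs exactly; a null ExternalUrl (typical for PowerShell) is copied as null.
    $params = @{ Identity = $new.Identity; InternalUrl = $old.InternalUrl; ExternalUrl = $old.ExternalUrl }
    & "Set-${type}VirtualDirectory" @params -Confirm:$false

    foreach ($u in $old.InternalUrl, $old.ExternalUrl) { if ($u) { [void]$Hosts.Add($u.Host) } }
    "{0,-12} Internal={1}  External={2}" -f $type, $old.InternalUrl, $old.ExternalUrl
}

# Autodiscover's internal URI lives on the server object, not on a virtual directory.
$scp = (Get-ClientAccessService -Identity $Source).AutoDiscoverServiceInternalUri
Set-ClientAccessService -Identity $Target -AutoDiscoverServiceInternalUri $scp
if ($scp) { [void]$Hosts.Add($scp.Host) }

# Certificate check: each host name clients will connect to must match a name in the IIS
# certificate (wildcards such as *.companyname.com are matched with -like).
$iisCert = Get-ExchangeCertificate -Server $Target |
           Where-Object { "$($_.Services)" -match "IIS" } | Select-Object -First 1
$uncovered = $Hosts | Where-Object {
    $h = $_
    -not ($iisCert.CertificateDomains | Where-Object { $h -like $_ })
}
if ($uncovered) {
    Write-Warning ("Not covered by the IIS certificate on {0}: {1}" -f $Target, ($uncovered -join ", "))
} else {
    "All {0} host names are covered by certificate {1}" -f $Hosts.Count, $iisCert.Thumbprint
}
```

Run it once per Exchange 2016 server. The warning at the end is the check to act on before you move the gateways: fix the URL or reissue the certificate, because pointing clients at a server whose certificate does not match these names is exactly what produces the Outlook certificate pop-ups mentioned earlier.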
Now it's time to run the Hybrid Configuration Wizard again so that the hybrid send and receive connectors and the organization relationship reference the Exchange 2016 servers. I recommend going through the TechNet documentation to prepare for this portion of the move.
Finalizing the Exchange 2016 hybrid configuration
After the cutover to the Exchange 2016 hybrid deployment, keep the old servers online for a few weeks to make sure nothing is still using them that was missed during the research phase; the SMTP protocol logs and IIS logs on the Exchange 2013 servers will show any stragglers. This also keeps their settings accessible and makes a failback easy if needed. Once you are confident they are idle, uninstall Exchange 2013 properly rather than simply powering the servers off, so the Exchange organization is not left with orphaned server objects.