
Introduction:
Exchange Server migrations remain one of the most high-stakes IT projects, where a single misconfigured hybrid connector or DNS record can cascade into global mail outages and data loss. As organizations accelerate their shift to Exchange Online, the demand for L2/L3 engineers who can navigate coexistence, mailbox moves, and security baselines has never been greater. This article distills a comprehensive 50-question interview resource into an actionable technical guide—arming you with the exact commands, hardening steps, and architectural insights needed to ace your next migration interview and secure your production environment.
Learning Objectives:
- Perform a complete pre-migration inventory and security assessment using native Exchange PowerShell and Microsoft tooling.
- Execute, monitor, and troubleshoot hybrid mailbox migration batches with advanced MRS proxy tuning.
- Harden mail flow, DNS authentication, and cross-forest permissions using SPF, DKIM, DMARC, and OAuth.
You Should Know:
1. Pre-Migration Recon and Security Baseline Commands
Before any migration, a thorough asset and security inventory is mandatory. Start by enumerating mailbox sizes, databases, and accepted domains, then check for stale permissions and federation trusts that will become attack surfaces during coexistence.
Exchange Management Shell - on-premises
Get-Mailbox -ResultSize Unlimited | Select DisplayName,PrimarySmtpAddress,TotalItemSize,ArchiveStatus
Get-MailboxDatabase -Status | Select Name,Server,Mounted,DatabaseSize
Get-AcceptedDomain | FL DomainName,AddressBookEnabled
Audit full access permissions for shared/executive mailboxes
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Where { $_.User -notlike "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false } | Export-Csv PermissionsAudit.csv
Verify federation trust and OAuth certificate validity
Get-FederationTrust | FL Name,ApplicationUri,OrgCertificate
Test-FederationTrust -UserIdentity [email protected]
Step-by-step: Use the MAP Toolkit for OS-level data, but always supplement with PowerShell to surface orphaned permission entries. Document all X500 proxy addresses with Get-Mailbox | FL EmailAddresses; these prevent NDRs post-migration. For Linux-based monitoring of DNS readiness, use `dig MX yourdomain.com +short` and `dig TXT _dmarc.yourdomain.com +short` to validate external records before cutover.
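The orphaned permission entries mentioned above show up in `Get-MailboxPermission` output as unresolved SIDs (`S-1-5-21-...`), and cross-forest trustees show up under a foreign domain prefix; both will break after the move. The following function, an added example and not code from the original article, flags exactly those non-inherited Full Access entries. It takes the permission objects as pipeline input so it can be exercised offline on the constructed sample at the bottom; the `CONTOSO\` prefix is a placeholder for your source forest.

```powershell
# Added example (not from the original article): flag non-inherited Full Access entries
# that point at unresolved SIDs (orphaned) or at accounts outside the expected forest.
# Assumes an Exchange Management Shell session for live use; "CONTOSO\" is a placeholder.

function Get-RiskyMailboxPermission {
    [CmdletBinding()]
    param(
        # Objects from Get-Mailbox | Get-MailboxPermission (or equivalent test data)
        [Parameter(Mandatory, ValueFromPipeline)] $Permission,
        [string]$ExpectedDomainPrefix = 'CONTOSO\'
    )
    process {
        # Skip inherited ACEs and the mailbox owner's own SELF entry
        if ($Permission.IsInherited) { return }
        $user = [string]$Permission.User
        if ($user -eq 'NT AUTHORITY\SELF') { return }
        if (($Permission.AccessRights -join ',') -notmatch 'FullAccess') { return }

        $reason = $null
        if ($user -match '^S-1-5-21-') {
            $reason = 'OrphanedSid'        # account deleted, ACE left behind
        } elseif ($user -notlike "$ExpectedDomainPrefix*") {
            $reason = 'ForeignPrincipal'   # cross-forest trustee; will not resolve after the move
        }
        if ($reason) {
            [pscustomobject]@{
                Mailbox = $Permission.Identity
                User    = $user
                Reason  = $reason
            }
        }
    }
}

# Live use (on-prem EMS):
# Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission |
#     Get-RiskyMailboxPermission | Export-Csv .\RiskyPerms.csv -NoTypeInformation

# Offline demo on constructed permission objects
$sample = @(
    [pscustomobject]@{ Identity='CEO'; User='CONTOSO\ea.assistant';         AccessRights=@('FullAccess'); IsInherited=$false }
    [pscustomobject]@{ Identity='CEO'; User='S-1-5-21-1111-2222-3333-1105'; AccessRights=@('FullAccess'); IsInherited=$false }
    [pscustomobject]@{ Identity='CEO'; User='FABRIKAM\svc.backup';          AccessRights=@('FullAccess'); IsInherited=$false }
    [pscustomobject]@{ Identity='CEO'; User='NT AUTHORITY\SELF';            AccessRights=@('FullAccess'); IsInherited=$false }
)
$sample | Get-RiskyMailboxPermission | Format-Table -AutoSize
```

Run it against the CSV you exported above, or directly against the live pipeline, and clean the orphaned entries with `Remove-MailboxPermission` before the first batch so the ACLs that land in Exchange Online are ones you can still attribute to a person.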
2. Hybrid Configuration Wizard (HCW) Deep Dive and Agent Hardening
The HCW sets up OAuth, organization relationships, and TLS-secured connectors. Many engineers, however, trust the wizard's success dialog without verifying the security posture of the resulting hybrid agent. In modern hybrid, the agent tunnels outbound HTTPS, so no inbound firewall rules are needed, an instant security win. Validate the configuration with these checks.
On-premises: confirm MRS proxy is enabled on EWS
Set-WebServicesVirtualDirectory -Identity "SERVER\EWS (Default Web Site)" -MRSProxyEnabled $true
Get-WebServicesVirtualDirectory | FL Identity,MRSProxyEnabled
Verify OAuth connectivity from on-prem to cloud
Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox [email protected]
List hybrid connectors and their TLS certificate subjects
Get-HybridConfiguration | FL Domains,Features,ClientAccessServers
Get-SendConnector | Where {$_.Identity -like "Outbound to Office 365*"} | FL Identity,TlsCertificateName
Step-by-step: If free/busy fails, run `Get-OrganizationRelationship | FL` and confirm `TargetSharingEpr` points to the correct Exchange Online EWS URL. From a Linux troubleshooting jump host, use `openssl s_client -connect yourhybridserver.contoso.com:443 -servername autodiscover.contoso.com` to manually validate the certificate chain the hybrid agent trusts.
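The three checks above (MRS proxy on every EWS virtual directory, the organization relationship's `TargetSharingEpr`, and TLS on the outbound hybrid connector) can be folded into one readiness function. This is an added example, not code from the original article or from the HCW; it takes the cmdlet output as parameters so it runs offline against the constructed objects at the bottom. The expected EWS URL, the connector name pattern and the certificate subject shown are assumptions to adjust for your tenant.

```powershell
# Added example (not from the original article or the HCW): check the artefacts the wizard
# should leave behind instead of trusting its success dialog. The expected EWS URL and the
# connector name pattern are assumptions; the certificate subject in the demo is a placeholder.

function Test-HybridReadiness {
    param(
        $WebServicesVirtualDirectory,   # Get-WebServicesVirtualDirectory output
        $OrganizationRelationship,      # Get-OrganizationRelationship output
        $SendConnector,                 # Get-SendConnector output
        [string]$ExpectedSharingEpr     = 'https://outlook.office365.com/EWS/Exchange.asmx',
        [string]$HybridConnectorPattern = 'Outbound to Office 365*'
    )
    $findings = New-Object System.Collections.Generic.List[object]

    # Every EWS vdir must proxy MRS, or remote moves fail while the endpoint is created
    foreach ($vdir in $WebServicesVirtualDirectory) {
        if (-not $vdir.MRSProxyEnabled) {
            $findings.Add([pscustomobject]@{ Check='MRSProxyEnabled'; Object=$vdir.Identity; Detail='false' })
        }
    }
    # Free/busy lookups follow TargetSharingEpr; a stale URL is the classic free/busy failure
    foreach ($rel in $OrganizationRelationship) {
        $epr = [string]$rel.TargetSharingEpr
        if (-not $rel.Enabled) {
            $findings.Add([pscustomobject]@{ Check='RelationshipEnabled'; Object=$rel.Name; Detail='false' })
        }
        if ($epr -ne $ExpectedSharingEpr) {
            $findings.Add([pscustomobject]@{ Check='TargetSharingEpr'; Object=$rel.Name; Detail=$epr })
        }
    }
    # The outbound hybrid connector must enforce TLS with a named certificate, not opportunistic TLS
    foreach ($sc in $SendConnector | Where-Object { $_.Identity -like $HybridConnectorPattern }) {
        if (-not $sc.RequireTLS -or [string]::IsNullOrEmpty([string]$sc.TlsCertificateName)) {
            $findings.Add([pscustomobject]@{ Check='ConnectorTLS'; Object=$sc.Identity;
                Detail="RequireTLS=$($sc.RequireTLS) Cert=$($sc.TlsCertificateName)" })
        }
    }
    return $findings
}

# Live use (on-prem EMS):
# Test-HybridReadiness -WebServicesVirtualDirectory (Get-WebServicesVirtualDirectory) `
#     -OrganizationRelationship (Get-OrganizationRelationship) -SendConnector (Get-SendConnector)

# Offline demo with constructed objects: one EWS vdir is missing the proxy
$vdirs = @(
    [pscustomobject]@{ Identity='EX01\EWS (Default Web Site)'; MRSProxyEnabled=$true }
    [pscustomobject]@{ Identity='EX02\EWS (Default Web Site)'; MRSProxyEnabled=$false }
)
$rels = @(
    [pscustomobject]@{ Name='On-premises to O365 - demo'; Enabled=$true
                       TargetSharingEpr='https://outlook.office365.com/EWS/Exchange.asmx' }
)
$conns = @(
    [pscustomobject]@{ Identity='Outbound to Office 365 - demo'; RequireTLS=$true
                       TlsCertificateName='<I>CN=Example CA<S>CN=mail.contoso.com' }   # placeholder subject
)
Test-HybridReadiness -WebServicesVirtualDirectory $vdirs -OrganizationRelationship $rels -SendConnector $conns |
    Format-Table -AutoSize
```

Empty output means the three artefacts look right; any finding is worth fixing before the first migration batch, because each of these is a silent failure mode (moves that never start, free/busy that returns nothing, or mail relayed without the certificate-bound TLS the tenant expects).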
3. Mailbox Move Execution and Stuck Migration Forensics
The core of any hybrid project is moving user data without corruption. Use `New-MigrationBatch` with a CSV file in Exchange Online, or `New-MoveRequest` for granular control on-prem. Stuck migrations at 90%+ are almost always due to bad items or throttling.
Exchange Online - create a migration batch from CSV
$cred = Get-Credential
New-MigrationEndpoint -ExchangeRemoteMove -Name "OnPremHybrid" -RemoteServer "hybrid.contoso.com" -Credentials $cred
New-MigrationBatch -Name "Batch01" -SourceEndpoint "OnPremHybrid" -CSVData ([System.IO.File]::ReadAllBytes("C:\moves.csv")) -TargetDeliveryDomain "contoso.mail.onmicrosoft.com" -AutoStart
Forensic analysis on a stuck move
Get-MoveRequestStatistics -Identity "[email protected]" -IncludeReport | FL BadItemsEncountered,LargeItemsEncountered,Message,StatusDetail
Increase bad item tolerance (use with caution)
Set-MoveRequest -Identity "[email protected]" -BadItemLimit 50 -AcceptLargeDataLoss
Step-by-step: For batches of large mailboxes (>10 GB), pre-stage with `New-MoveRequest -SuspendWhenReadyToComplete` and complete during a maintenance window. Monitor MRS resource consumption on-prem by checking the `MSExchangeMailboxReplication.exe.config` file; you can increase `MaxMRSConnections` if the server has spare CPU, but never exceed 4 per core to avoid service degradation.
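Raising `BadItemLimit` is the right answer for some stuck moves and the wrong answer for others (a throttled or failed move does not get better by skipping data). The function below, an added example and not code from the original article, turns `Get-MoveRequestStatistics` output into a triage decision. It accepts the statistics objects as pipeline input so it runs offline on the constructed samples; the 50-item ceiling, the point at which `-AcceptLargeDataLoss` becomes mandatory, is here treated as the threshold where repairing the source beats skipping more items, which is an assumption to tune.

```powershell
# Added example (not from the original article): triage stuck moves from
# Get-MoveRequestStatistics output instead of reflexively raising BadItemLimit.
# The 50-item ceiling is an assumption; adjust to your data-loss policy.

function Get-MoveTriage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Stats,
        [int]$BadItemCeiling = 50
    )
    process {
        $detail = [string]$Stats.StatusDetail
        $bad    = [int]$Stats.BadItemsEncountered
        $large  = [int]$Stats.LargeItemsEncountered

        if ($detail -like 'StalledDueTo*') {
            # MRS is being throttled by the source or target (disk, CPU, content indexing, MDB availability)
            $action = "Throttled ($detail): leave the move alone; check on-prem health and MaxConcurrentMigrations"
        } elseif ($detail -eq 'Relinquished') {
            $action = 'Relinquished: MRS instance hand-off; Resume-MoveRequest if it does not pick up again'
        } elseif ($detail -like 'Failed*') {
            $action = "Failed ($detail): read the -IncludeReport output before any retry"
        } elseif ($bad -gt $BadItemCeiling) {
            $action = "Corruption above ceiling ($bad items): run New-MailboxRepairRequest on the source rather than skipping data"
        } elseif ($bad -gt 0) {
            # Small, documented skip: set the limit just above what was actually seen
            $action = "Set-MoveRequest -Identity '$($Stats.Alias)' -BadItemLimit $($bad + 5)  # record the skipped items for the user"
        } elseif ($large -gt 0) {
            $action = "Large items ($large): raise -LargeItemLimit or shrink attachments at source"
        } else {
            $action = 'Healthy: in progress or awaiting completion'
        }

        [pscustomobject]@{
            Mailbox         = $Stats.DisplayName
            PercentComplete = $Stats.PercentComplete
            StatusDetail    = $detail
            BadItems        = $bad
            LargeItems      = $large
            Action          = $action
        }
    }
}

# Live use (Exchange Online PowerShell):
# Get-MoveRequest -MoveStatus InProgress | Get-MoveRequestStatistics | Get-MoveTriage | Format-Table -Wrap

# Offline demo with constructed statistics objects
@(
    [pscustomobject]@{ DisplayName='Alice'; Alias='alice'; PercentComplete=95; StatusDetail='StalledDueToTarget_DiskLatency'; BadItemsEncountered=0;   LargeItemsEncountered=0 }
    [pscustomobject]@{ DisplayName='Bob';   Alias='bob';   PercentComplete=91; StatusDetail='InProgress';                     BadItemsEncountered=7;   LargeItemsEncountered=0 }
    [pscustomobject]@{ DisplayName='Carol'; Alias='carol'; PercentComplete=90; StatusDetail='FailedOther';                    BadItemsEncountered=120; LargeItemsEncountered=3 }
) | Get-MoveTriage | Format-Table -Wrap -AutoSize
```

The ordering matters: throttling and failure states are checked before the item counters, because a move that is stalled on target disk latency often reports a few bad items too, and raising the limit there only hides the real constraint.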
4. DNS, Mail Flow, and Authentication Hardening During Cutover
MX and Autodiscover changes must be surgical. A premature MX cutover to Exchange Online Protection will cause mail loops for on-prem users who have not yet migrated. Implement a split-DNS model and update records gradually while hardening SPF/DKIM/DMARC to prevent spoofing during coexistence.
On-premises: test mail flow to a cloud user
Test-Mailflow -TargetEmailAddress [email protected]
Validate DNS records (run from any internet-connected Windows host)
Resolve-DnsName -Name "contoso.com" -Type MX
Resolve-DnsName -Name "autodiscover.contoso.com" -Type CNAME
Set DKIM signing for Exchange Online domains
New-DkimSigningConfig -DomainName contoso.com -Enabled $true
Set-DkimSigningConfig -Identity contoso.com -Selector1 "selector1-contoso-com" -Selector2 "selector2-contoso-com"
Step-by-step: Reduce the MX TTL to 300 seconds 48 hours before the final cutover. On Linux, use `watch -n 5 'dig MX contoso.com +short'` to monitor propagation. After cutover, run the Microsoft Remote Connectivity Analyzer Inbound SMTP test to verify EOP accepts mail. For DMARC enforcement, start with `p=none` and analyze aggregate reports with `dmarcian` or a simple PowerShell script that parses XML from `Get-MailDetailReport`.
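The point of a `p=none` phase is to learn which sources send mail as your domain without passing SPF or DKIM alignment before you move to quarantine or reject. The parser below is an added example, not code from the original article; it reads a DMARC aggregate (RUA) report in the standard XML schema and summarizes the unaligned sources per IP. The report embedded at the bottom is a constructed sample (TEST-NET addresses, fictitious reporter), not a real report; for live use, feed it the decompressed XML files delivered to your `rua` mailbox.

```powershell
# Added example (not from the original article): parse a DMARC aggregate (RUA) report and list
# sources whose mail fails alignment. The XML at the bottom is a constructed sample, not real data.

function ConvertFrom-DmarcAggregateReport {
    param([Parameter(Mandatory)][xml]$Report)
    $published = $Report.feedback.policy_published
    foreach ($rec in $Report.feedback.record) {
        # SelectSingleNode for <count>: $rec.row.count would collide with PowerShell's intrinsic Count member
        $count = [int]$rec.row.SelectSingleNode('count').InnerText
        $eval  = $rec.row.policy_evaluated
        [pscustomobject]@{
            Domain      = $published.domain
            Policy      = $published.p
            SourceIp    = $rec.row.source_ip
            Messages    = $count
            HeaderFrom  = $rec.identifiers.header_from
            Dkim        = $eval.dkim
            Spf         = $eval.spf
            Aligned     = ($eval.dkim -eq 'pass' -or $eval.spf -eq 'pass')   # DMARC passes if either aligns
            Disposition = $eval.disposition
        }
    }
}

function Get-DmarcUnalignedSource {
    # Summarise per source IP so unauthorised senders stand out before you tighten the policy
    param([Parameter(Mandatory)]$Rows)
    $Rows | Where-Object { -not $_.Aligned } |
        Group-Object SourceIp | ForEach-Object {
            [pscustomobject]@{
                SourceIp   = $_.Name
                Messages   = ($_.Group | Measure-Object Messages -Sum).Sum
                HeaderFrom = ($_.Group.HeaderFrom | Sort-Object -Unique) -join ','
            }
        }
}

# Constructed sample report: one aligned source (your own MTA) and one failing source
$sampleXml = @'
<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>example-receiver</org_name><report_id>demo-1</report_id></report_metadata>
  <policy_published><domain>contoso.com</domain><p>none</p><adkim>r</adkim><aspf>r</aspf></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>contoso.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>contoso.com</header_from></identifiers>
  </record>
</feedback>
'@

$rows = ConvertFrom-DmarcAggregateReport -Report ([xml]$sampleXml)
$rows | Format-Table -AutoSize
Get-DmarcUnalignedSource -Rows $rows
```

During coexistence the unaligned list usually contains your own on-prem relay or a line-of-business appliance that was never added to SPF, which is exactly what you want to discover while the policy is still `p=none`; only once that list is down to sources you do not recognise is it safe to move to `p=quarantine`.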
5. Post-Migration Permission Reconciliation and Security Lockdown
Permissions (Full Access, Send As, Send on Behalf) are the most frequent source of help desk tickets after mailbox moves. While hybrid moves preserve them, cross-forest and IMAP migrations require manual re-application. Failure to replicate the source LegacyExchangeDN (X500 address) leads to NDRs for replies to old emails.
Export all permissions pre-migration
Get-Mailbox -ResultSize Unlimited | Get-MailboxPermission | Where {!$_.IsInherited} | Export-Csv PreMigPerms.csv
Get-RecipientPermission | Export-Csv PreMigSendAs.csv
Add X500 proxy to target mailbox (critical after cross-forest)
Set-Mailbox "John.Doe" -EmailAddresses @{add="X500:/o=First Org/ou=Exchange Administrative Group/cn=Recipients/cn=john.doe"}
Post-migration restoration of Send-As
Add-RecipientPermission "[email protected]" -AccessRights SendAs -Trustee "[email protected]"
Step-by-step: For room mailboxes, verify that the `Set-CalendarProcessing` settings match the on-prem values; many organizations forget to re-enable `-AutomateProcessing AutoAccept`. Also audit `Get-MailboxFolderPermission` for calendar delegates, which do not always transfer.
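Once the pre-migration export exists, reconciling it against the post-migration state is a set difference, with two twists: SELF and orphaned SIDs must be ignored, and trustees that moved cross-forest come back under a different domain prefix. The code below is an added example, not code from the original article; it compares two exports, emits the `Add-MailboxPermission` command for each entry that did not survive, and builds the X500 proxy from a source `LegacyExchangeDN`. It assumes `AccessRights` was joined into a string when exported (as `Export-Csv` cannot serialize the array), and the CSV content is constructed sample data.

```powershell
# Added example (not from the original article): reconcile a pre-migration permission export against
# the post-migration state. Assumes AccessRights was exported as a joined string; sample data is constructed.

function Get-PrincipalKey([string]$User) {
    # Strip the DOMAIN\ prefix and lower-case so CONTOSO\jdoe and FABRIKAM\jdoe compare equal
    ($User -replace '^.*\\', '').ToLowerInvariant()
}

function Compare-MailboxPermissionExport {
    param(
        [Parameter(Mandatory)]$Before,   # rows: Identity, User, AccessRights (from PreMigPerms.csv)
        [Parameter(Mandatory)]$After
    )
    $present = @{}
    foreach ($p in $After) {
        $present["$($p.Identity.ToLowerInvariant())|$(Get-PrincipalKey $p.User)|$($p.AccessRights)"] = $true
    }
    foreach ($p in $Before) {
        # SELF and orphaned SIDs are never worth re-adding
        if ($p.User -eq 'NT AUTHORITY\SELF' -or $p.User -match '^S-1-5-21-') { continue }
        $key = "$($p.Identity.ToLowerInvariant())|$(Get-PrincipalKey $p.User)|$($p.AccessRights)"
        if (-not $present.ContainsKey($key)) {
            [pscustomobject]@{
                Mailbox      = $p.Identity
                User         = $p.User
                AccessRights = $p.AccessRights
                # -AutoMapping:$false keeps Outlook from attaching every delegated mailbox to the trustee's profile
                Command      = "Add-MailboxPermission -Identity '$($p.Identity)' -User '$(Get-PrincipalKey $p.User)' -AccessRights $($p.AccessRights) -AutoMapping:`$false"
            }
        }
    }
}

function New-X500ProxyAddress([string]$LegacyExchangeDN) {
    # The source LegacyExchangeDN, prefixed with X500:, is what Outlook uses to resolve replies to old mail
    "X500:$LegacyExchangeDN"
}

# Constructed sample exports (Get-MailboxPermission output with AccessRights joined to a string)
$before = @'
Identity,User,AccessRights
CEO,CONTOSO\ea.assistant,FullAccess
CEO,NT AUTHORITY\SELF,FullAccess
Finance,CONTOSO\j.smith,FullAccess
'@ | ConvertFrom-Csv

$after = @'
Identity,User,AccessRights
CEO,FABRIKAM\ea.assistant,FullAccess
'@ | ConvertFrom-Csv

Compare-MailboxPermissionExport -Before $before -After $after | Format-Table -Wrap
New-X500ProxyAddress '/o=First Org/ou=Exchange Administrative Group/cn=Recipients/cn=john.doe'
```

Review the generated commands before running them rather than piping them straight into `Invoke-Expression`: a permission that existed in the source forest is not automatically one that should exist in the new tenant, and the reconciliation step is the natural place to drop entries nobody can justify.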
6. Throttling, Concurrency, and Network Performance Tuning
Exchange Web Services throttling can silently kill migration throughput. On-prem Exchange enforces a default EWS throttle that limits concurrent connections; you must create a dedicated throttling policy for the migration service account and associate it. Simultaneously, configure the migration endpoint’s `MaxConcurrentMigrations` in Exchange Online.
On-prem: create a high-limit throttling policy for the migration account
New-ThrottlingPolicy -Name "MigrationHighLimit" -EWSMaxConcurrency 100 -EWSMaxSubscriptions 200 -EWSPercentTimeInAD 100
Set-ThrottlingPolicyAssociation -Identity "migration_svc" -ThrottlingPolicy "MigrationHighLimit"
Exchange Online: tune the migration endpoint
Set-MigrationEndpoint "OnPremHybrid" -MaxConcurrentMigrations 150 -MaxConcurrentIncrementalSyncs 50
Monitor real-time move stats
Get-MoveRequest | Get-MoveRequestStatistics | Select DisplayName,PercentComplete,BytesTransferredPerMinute
Step-by-step: On the network side, implement QoS policies that mark MRS traffic (port 443 to Exchange Online) with a DSCP value of AF41 and set a bandwidth cap. Use `Get-Counter '\MSExchange MRS(*)\Active Moves'` on Windows to track concurrency. Linux network diagnostics with `iftop` or `nload` help isolate saturation on the WAN link.
7. Public Folder and Shared Resource Migration with Compliance Holds
Public folder migration is notoriously fragile. Use Microsoft's official scripts to export modern public folder statistics and generate the CSV mapping. Crucially, ensure litigation holds and retention policies do not block mailbox decommissioning by running a pre-migration compliance audit.
Step 1: export public folder stats (download the script from Microsoft)
.\Export-ModernPublicFolderStatistics.ps1 -ExportFile .\PFStats.csv
Step 2: check for holds before lock-down
Get-Mailbox -PublicFolder | Get-MailboxStatistics | Where {$_.IsInactiveMailbox -eq $true}
Step 3: lock public folders for the final sync
Set-OrganizationConfig -PublicFoldersLockedForMigration $true
After migration, assign the default public folder mailbox
Set-Mailbox -Identity "[email protected]" -DefaultPublicFolderMailbox "PFMailbox1"
Step-by-step: For shared mailboxes with holds, `New-MoveRequest` will fail unless you include the `-SuspendWhenReadyToComplete` flag and complete the move manually during a window. Always validate with `Get-Mailbox -RecipientTypeDetails SharedMailbox | FL LitigationHoldEnabled,InPlaceHolds` before moving.
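The hold check above is easy to turn into a repeatable step that also produces the move parameters. The function below is an added example, not code from the original article: it reads the hold properties from `Get-Mailbox` objects, reports which shared and room mailboxes are under litigation or in-place hold, and builds a splatting table for `New-MoveRequest` that includes `-SuspendWhenReadyToComplete` only for the held ones. It runs offline on the constructed sample at the bottom; the batch name is a placeholder, and the endpoint-specific parameters are left for the live call.

```powershell
# Added example (not from the original article): classify shared/room mailboxes by hold state and
# build the New-MoveRequest parameters that suspend before completion for held mailboxes.
# The batch name is a placeholder; add your endpoint parameters to the splat at the live call.

function Get-HoldAwareMoveParameters {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)]$Mailbox)   # Get-Mailbox output or equivalent test data
    process {
        # InPlaceHolds is multi-valued; drop empty entries before counting
        $holds  = @(@($Mailbox.InPlaceHolds) | Where-Object { $_ })
        $onHold = [bool]$Mailbox.LitigationHoldEnabled -or ($holds.Count -gt 0)

        # Splat this onto New-MoveRequest together with your endpoint parameters
        $params = @{
            Identity  = [string]$Mailbox.PrimarySmtpAddress
            BatchName = 'SharedResources'   # placeholder
        }
        if ($onHold) {
            # Finish in a maintenance window, after the hold owner has signed off
            $params['SuspendWhenReadyToComplete'] = $true
        }
        [pscustomobject]@{
            Mailbox = [string]$Mailbox.PrimarySmtpAddress
            Type    = [string]$Mailbox.RecipientTypeDetails
            OnHold  = $onHold
            Holds   = ($holds -join ';')
            Params  = $params
        }
    }
}

# Live use (on-prem EMS), then: New-MoveRequest @($_.Params) plus -Remote/-RemoteHostName/-TargetDeliveryDomain
# Get-Mailbox -RecipientTypeDetails SharedMailbox,RoomMailbox | Get-HoldAwareMoveParameters

# Offline demo with constructed mailbox objects
@(
    [pscustomobject]@{ PrimarySmtpAddress='legal@contoso.com';  RecipientTypeDetails='SharedMailbox'; LitigationHoldEnabled=$true;  InPlaceHolds=@() }
    [pscustomobject]@{ PrimarySmtpAddress='hr@contoso.com';     RecipientTypeDetails='SharedMailbox'; LitigationHoldEnabled=$false; InPlaceHolds=@('UniH3c1e2d4f-demo') }
    [pscustomobject]@{ PrimarySmtpAddress='room1@contoso.com';  RecipientTypeDetails='RoomMailbox';   LitigationHoldEnabled=$false; InPlaceHolds=@() }
) | Get-HoldAwareMoveParameters | Format-Table Mailbox,Type,OnHold,Holds -AutoSize
```

Keeping the hold decision in code, rather than in an engineer's memory on cutover night, is what prevents the failed move the paragraph above describes; it also gives compliance a list of exactly which held mailboxes were suspended and when they were completed.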
What Shamseer Siddiqui Says:
- Pre-Migration Inventory is Non-Negotiable: The first step is a comprehensive assessment using the Exchange Analyzer Tool, MAP toolkit, and deep PowerShell enumeration of mailbox sizes, public folders, and connectors. Skipping this leads to missed dependencies and failed cutovers.
- Hybrid Coexistence Mastery Defines L2/L3 Engineers: Understanding free/busy troubleshooting, OAuth connectivity, and the difference between full hybrid and minimal express migration separates candidates who can independently run a project from those who rely on wizards.
Analysis: Siddiqui’s curated Q&A directly maps to the skills gap in today’s Exchange migration interviews. The emphasis on HCW internals, MRS proxy configuration, and scenario-based troubleshooting (e.g., stuck migrations, NDRs) highlights that theoretical knowledge alone won’t suffice—candidates must demonstrate command-line fluency and a security-first mindset. By incorporating real-world scripts and throttling tuning, the resource effectively bridges the divide between certification knowledge and production-grade implementation. The inclusion of cross-forest and tenant-to-tenant scenarios further prepares engineers for complex M&A integrations, a rapidly growing need in the M365 ecosystem.
Prediction:
Future Exchange migrations will increasingly leverage AI-driven migration assistants within Microsoft 365 Admin Center that auto-detect configuration drifts and suggest real-time command remediation. Simultaneously, zero-trust architecture will force hybrid agents to authenticate via conditional access policies, making classic HCW setups obsolete. Engineers who master the underlying PowerShell and security principles today will lead the next wave of automated, immutable migrations where every move request is cryptographically attested and every DNS change is rolled back automatically via infrastructure-as-code pipelines.
Reported By: Shamseersiddiqui Exchange – Hackers Feeds