Full Exchange 2019 deployment, hybrid configuration with Exchange Online, forest/domain functional level upgrade to 2019, and PKI/CA modernisation — sprint-based with zero mail loss across 1,000+ mailboxes.
Metro Lisboa operated an ageing Exchange 2016 environment that had reached its supportability ceiling. The organisation needed to modernise its messaging infrastructure — deploying Exchange 2019 on-premises as an interim platform while establishing the hybrid configuration required to begin phased mailbox migration to Exchange Online.
Compounding the messaging challenge, the Active Directory forest and domain functional levels had not been updated since the original Exchange deployment. Both needed to be raised to Windows Server 2019 before Exchange 2019 could be fully deployed. The existing PKI infrastructure was also due for a full refresh — the root CA certificate was approaching expiry and the CA hierarchy did not meet current standards.
The engagement needed to sequence these interdependent workstreams without disrupting live mail operations for over 1,000 mailboxes.
The architecture mattered because Exchange 2019, Active Directory modernisation, and PKI renewal could not be treated as separate upgrades. Each dependency had to be sequenced so that the hybrid target state was supportable, auditable, and safe to operate during the transition to Exchange Online.
The migration design sequenced Active Directory uplift, PKI renewal, Exchange 2019 deployment, and hybrid mail routing so the target coexistence model could be introduced without breaking live messaging operations.
The target architecture comprised the following layers:
Active Directory modernisation — Forest and domain functional level upgrade from 2016 to 2019, validated against all dependent services before execution. Schema extensions for Exchange 2019 applied post-upgrade.
Exchange 2019 on-premises — New Exchange 2019 servers deployed alongside the existing 2016 infrastructure. Mailbox databases migrated from 2016 to 2019 via online moves. Exchange 2016 decommissioned once 2019 was fully operational.
Hybrid configuration — Exchange Hybrid Configuration Wizard executed after Exchange 2019 was stable, establishing the OAuth trust and send/receive connector pair required for hybrid mail flow and Autodiscover coexistence with Exchange Online.
PKI refresh — New two-tier PKI hierarchy (offline root CA, online issuing CA) deployed before the hybrid configuration, ensuring all Exchange and IIS certificates were issued from the new CA with correct subject alternative names.
The engagement was structured in formal sprints with CAB-aligned change windows for every environment-impacting change.
Sprint 1 — AD functional level upgrade
A full dependency audit was performed before any AD changes: Kerberos constrained delegation configurations, SYSVOL replication health, domain controller OS versions, and third-party application service accounts that might be affected by schema changes.
The forest functional level upgrade was executed during a Saturday maintenance window, with a full AD backup verified beforehand and a documented rollback procedure in place. The domain functional level followed the next weekend after 7 days of validation. Both changes completed without incident.
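The dependency audit described for Sprint 1, as an added example rather than the engagement's own script: it reports the current functional levels, domain controllers not yet on the target OS, replication failures, accounts with Kerberos constrained delegation, and SPN-bearing service accounts so each can be reviewed before the change window. It assumes the ActiveDirectory RSAT module and repadmin.exe are available; the target OS string is a parameter.

```powershell
# Added example (not the engagement's own code): pre-flight audit before raising
# forest/domain functional levels. Requires the ActiveDirectory module and repadmin.exe.
Import-Module ActiveDirectory

function Get-AdUpgradeReadiness {
    param([string]$TargetOs = 'Windows Server 2019')  # assumed target DC operating system

    $forest = Get-ADForest
    $domain = Get-ADDomain

    # Every DC (writable or RODC) must already run the target OS before levels are raised.
    $dcs     = @(Get-ADDomainController -Filter *)
    $downrev = @($dcs | Where-Object { $_.OperatingSystem -notlike "*$TargetOs*" })

    # AD/SYSVOL replication: any partner reporting failures blocks the change window.
    $replFailures = @(repadmin /showrepl * /csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 })

    # Kerberos constrained delegation (classic and resource-based) to re-test after the upgrade.
    $kcd = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties msDS-AllowedToDelegateTo |
        Select-Object Name, ObjectClass, @{n = 'DelegatesTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ';' } }
    $rbcd = Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' |
        Select-Object Name, ObjectClass

    # User accounts carrying SPNs are the likely third-party service accounts to validate post-change.
    $svcAccounts = Get-ADUser -LDAPFilter '(servicePrincipalName=*)' -Properties ServicePrincipalName, PasswordLastSet |
        Select-Object SamAccountName, PasswordLastSet, @{n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } }

    [pscustomobject]@{
        ForestMode              = $forest.ForestMode
        DomainMode              = $domain.DomainMode
        DomainControllers       = $dcs.Count
        DownlevelDCs            = $downrev | Select-Object HostName, OperatingSystem
        ReplicationFailures     = $replFailures |
            Select-Object 'Source DSA', 'Destination DSA', 'Naming Context', 'Number of Failures'
        ConstrainedDelegation   = $kcd
        ResourceBasedDelegation = $rbcd
        ServiceAccounts         = $svcAccounts
        # Go/no-go signal for the CAB record; delegation and service-account lists are for review, not blockers.
        ReadyToProceed          = ($downrev.Count -eq 0 -and $replFailures.Count -eq 0)
    }
}

Get-AdUpgradeReadiness | Format-List
```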
Sprint 2 — PKI refresh
The new CA hierarchy was deployed and validated before any certificate renewals. Exchange server certificates, IIS certificates, and the internal CA trust chain were all renewed from the new issuing CA. The legacy CA was kept in service until all dependent systems were migrated, then decommissioned.
Sprint 3 — Exchange 2019 deployment
Exchange 2019 servers were deployed in a DAG configuration for high availability. All Exchange services were validated — OWA, ActiveSync, EWS, PowerShell remoting — before any mailbox moves. Transport rules, retention policies, accepted domains, and send connectors were reviewed and replicated to the new environment.
Mailbox moves from Exchange 2016 databases to Exchange 2019 databases were executed using online move requests — users remained operational throughout. A pilot group of 50 mailboxes was moved first, validated over 48 hours, then the remainder moved in batches of 100 over subsequent weekends.
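The pilot-then-batch move pattern above, as an added example that is not the engagement's own code: each batch is gated on every request completing with zero bad or large items before the next batch starts, which is the control that keeps the "zero mail loss" claim auditable. It runs in the Exchange Management Shell; the database names and batch prefix are assumed placeholders, and the 48-hour pilot observation is a manual gate.

```powershell
# Added example (not the engagement's own code): staged online mailbox moves 2016 -> 2019.
# Run in the Exchange Management Shell. Database names below are assumed placeholders.

function Wait-MoveBatch {
    param([string]$BatchName, [int]$PollSeconds = 300)
    do {
        Start-Sleep -Seconds $PollSeconds
        $stats  = @(Get-MoveRequest -BatchName $BatchName | Get-MoveRequestStatistics)
        $active = @($stats | Where-Object { $_.Status -in 'Queued', 'InProgress', 'CompletionInProgress' })
    } while ($active.Count -gt 0)
    # Gate: every request completed and nothing was skipped; otherwise stop before the next batch.
    $bad = @($stats | Where-Object {
        $_.Status -ne 'Completed' -or $_.BadItemsEncountered -gt 0 -or $_.LargeItemsEncountered -gt 0 })
    if ($bad.Count -gt 0) {
        $bad | Format-Table DisplayName, Status, BadItemsEncountered, LargeItemsEncountered -AutoSize
        throw "Batch $BatchName needs review before continuing."
    }
}

function Start-StagedMailboxMigration {
    param(
        [string]$SourceDatabase = 'DB2016-01',   # assumed placeholder
        [string]$TargetDatabase = 'DB2019-01',   # assumed placeholder
        [int]$PilotSize = 50,
        [int]$BatchSize = 100
    )
    # Only mailboxes with no existing move request, in a stable order for repeatable batches.
    $pending = @(Get-Mailbox -Database $SourceDatabase -ResultSize Unlimited |
        Where-Object { -not (Get-MoveRequest -Identity $_.Identity -ErrorAction SilentlyContinue) } |
        Sort-Object Alias)
    $pilot = @($pending | Select-Object -First $PilotSize)
    $rest  = @($pending | Select-Object -Skip $PilotSize)

    $pilot | ForEach-Object {
        # BadItemLimit 0 (the default, set explicitly) fails a move instead of silently dropping items.
        New-MoveRequest -Identity $_.Identity -TargetDatabase $TargetDatabase -BatchName 'Pilot' -BadItemLimit 0
    }
    Wait-MoveBatch -BatchName 'Pilot'
    # The pilot was observed for 48 hours before batch moves started; this is that manual gate.
    Read-Host 'Pilot validated? Press Enter to start batch moves'

    for ($i = 0; $i -lt $rest.Count; $i += $BatchSize) {
        $name = 'Batch{0:D3}' -f ([int]($i / $BatchSize) + 1)
        $last = [Math]::Min($i + $BatchSize, $rest.Count) - 1
        $rest[$i..$last] | ForEach-Object {
            New-MoveRequest -Identity $_.Identity -TargetDatabase $TargetDatabase -BatchName $name -BadItemLimit 0
        }
        Wait-MoveBatch -BatchName $name
    }
}
```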
Sprint 4 — Hybrid configuration and cutover
The Hybrid Configuration Wizard was run after Exchange 2019 was fully operational. OAuth configuration, Send/Receive connectors, and Autodiscover service connection points were validated end-to-end. Free/Busy lookups across the hybrid boundary were confirmed working.
MX record TTL was reduced to 300 seconds 48 hours before the DNS cutover. The cutover window on a Saturday night updated the MX record to Exchange Online Protection, completed the final delta sync for the cutover batch, and validated mail flow from external sources within 30 minutes.
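The two verifications implied by the cutover sequence above, as an added example that is not the engagement's own code: before the window, confirm that public resolvers already see the lowered MX TTL; after the window, confirm the MX target is the Exchange Online Protection host and that an external test message reached on-premises transport within the validation period. The domain, expected EOP host and test sender are assumed placeholders; the second function needs the Exchange Management Shell.

```powershell
# Added example (not the engagement's own code): MX TTL / target check and inbound mail-flow check.
# Domain, EOP host and test sender are assumed placeholders.

function Test-MxCutover {
    param(
        [string]$Domain      = 'example.com',                              # assumed
        [string]$ExpectedMx  = 'example-com.mail.protection.outlook.com',  # assumed EOP host
        [int]$MaxTtl         = 300,
        [string[]]$Resolvers = @('8.8.8.8', '1.1.1.1')  # public resolvers show what external senders see
    )
    foreach ($r in $Resolvers) {
        $mx = Resolve-DnsName -Name $Domain -Type MX -Server $r -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'MX' }
        foreach ($rec in $mx) {
            [pscustomobject]@{
                Resolver = $r
                Exchange = $rec.NameExchange
                Pref     = $rec.Preference
                TTL      = $rec.TTL
                TtlOk    = ($rec.TTL -le $MaxTtl)                       # pre-cutover: TTL already lowered
                TargetOk = ($rec.NameExchange.TrimEnd('.') -eq $ExpectedMx)  # post-cutover: points at EOP
            }
        }
    }
}

# Post-cutover: show RECEIVE events for a test sender within the validation window (Exchange shell).
function Test-InboundMailFlow {
    param([string]$Sender = 'external.test@example.net', [int]$Minutes = 30)  # assumed
    Get-MessageTrackingLog -EventId RECEIVE -Sender $Sender -Start (Get-Date).AddMinutes(-$Minutes) -ResultSize Unlimited |
        Select-Object Timestamp, ConnectorId, ClientHostname, Recipients, MessageSubject
}

Test-MxCutover | Format-Table -AutoSize
```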
The full engagement completed across four sprints with zero mailbox data loss and no unplanned outages. Every change was executed within pre-approved CAB change windows with documented rollback plans validated before execution.
Exchange 2019 provided an immediate improvement in performance and reliability compared to the existing 2016 infrastructure. The hybrid configuration established the technical foundation for future phased migration to Exchange Online.
The PKI refresh resolved a time-critical compliance risk — the expiring root CA certificate — while establishing a properly structured CA hierarchy suitable for the organisation's five-year roadmap. All Exchange, IIS, and internal service certificates are now issued from the new CA with correct validity periods and subject alternative names.
The programme gave Metro Lisboa a stable transition platform instead of a one-off technical cutover. Messaging services were modernised, certificate risk was removed, and the organisation gained a hybrid foundation that could support subsequent mailbox migration planning without reopening core infrastructure decisions.
The work also improved change confidence. By sequencing AD, PKI, Exchange, and hybrid configuration through formal CAB-ready delivery steps, the client now has a clearer template for executing high-risk infrastructure changes in a transport environment where service interruption carries immediate operational consequences.