Exchange Hybrid Deployment
Michael Van Horenbeeck
OFC-B317
Agenda
• Office 365 Hybrid Scenarios
• Exchange Hybrid Fundamentals
• Exchange Hybrid Deployment
• Exchange Hybrid Advanced Topics
• Managing Exchange Hybrid
• Exchange Hybrid Migration
• Common Pitfalls
Why Exchange Hybrid?
(Diagram: user experience, mail and migrations span Exchange on-premises and Office 365; mailbox data moves between the two through the Mailbox Replication Service (MRS).)
Office 365 Hybrid Scenarios
(Diagram: an on-premises side and an Office 365 side. Exchange Online, SharePoint Online and Lync Online pair with Exchange Hybrid, SharePoint Hybrid and Lync Hybrid respectively; identity spans both sides through identity synchronization, identity authorization and OAuth.)
Exchange Hybrid Scenario
• On-premises Exchange organization: the existing Exchange environment (Exchange 2007 or later) plus Exchange 2013 Client Access and Mailbox servers
• Office 365: users, contacts and groups provisioned through Active Directory synchronization (DirSync) to Azure AD
• Secure mail flow between the two organizations
• Mailbox data moved via the Mailbox Replication Service (MRS)
• Sharing (free/busy, MailTips, archive, etc.)
Hybrid Deployment and Configuration
Properly Plan Your Hybrid Environment
• Begin with the Exchange Deployment Assistant: http://aka.ms/exdeploy
• Validate that the on-premises environment is in a standard, supported working configuration. The primary namespace(s) MUST point to the latest installed version of Exchange; this keeps you in a supported scenario, and any deviation can put you at risk.

Sizing Guidance for Hybrid?
• Use the normal CAS/HUB/MBX sizing guidance; hybrid is not a separate role.
• As you move mailboxes to Office 365 you use less capacity on-premises.
• How is your mail flow configured? Migration traffic is more taxing than the rest.

Can I have a separate set of servers for migration?
• You can have a separate bank of servers for migration, OR just add servers to your existing array/pool, OR perform moves during off hours to mitigate some of the load concerns.
• All of these scenarios are in use, and all of them are supported.

High Availability?
• No different from 'regular' Exchange deployments: deploy multiple CAS/MBX servers behind a load balancer to distribute (incoming) load, and add those Exchange servers to the Hybrid Configuration.
• Think about the other components too (ADFS, DirSync, ...).
Exchange 2013 hybrid deployment from an existing Exchange 2007 or 2010 environment (no Edge Transport server)
Hybrid servers should be maintained on the current release.
(Diagram: clients and Office 365 reach autodiscover.contoso.com and mail.contoso.com at the Internet-facing site, which hosts the Exchange 2013 CAS and MBX servers next to the existing Exchange 2010 or 2007 Hub, CAS and MBX servers (labelled SP3/RU10); an intranet site holds further Exchange 2010 or 2007 servers. The EWS and SMTP endpoints are the ones published externally.)
1. Prepare: install the Exchange SP and/or updates across the org; prepare AD with the E2013 schema.
2. Deploy Exchange 2013 servers: install both E2013 MBX and CAS servers; set an ExternalUrl (and enable the MRSProxy on the Exchange Web Services vDir).
3. Obtain and deploy certificates on the E2013 CAS servers.
4. Publish protocols externally: create public DNS A records for the EWS and SMTP endpoints; validate using the Remote Connectivity Analyzer.
5. Switch the Autodiscover namespace to E2013 CAS: change the public Autodiscover DNS record to resolve to the E2013 CAS.
6. Run the Hybrid Configuration Wizard.
7. Move mailboxes.
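A readiness check for steps 2 to 5 above, added here as an example and not code from the deck: it verifies the EWS ExternalUrl and MRSProxy on every Exchange 2013 CAS, the certificate bound to IIS and SMTP, and public DNS for both namespaces before the HCW is run. The two namespaces and the 30-day certificate margin are assumptions for this example.

```powershell
# Added readiness check for steps 2 to 5 (not code from the deck). Run it in the
# on-premises Exchange Management Shell before step 6; the two namespaces and the
# 30-day certificate margin are assumptions for this example.
$ewsHost   = 'mail.contoso.com'            # assumed EWS / Outlook Anywhere namespace
$autodHost = 'autodiscover.contoso.com'    # assumed Autodiscover namespace
$problems  = @()

function Test-CertCoversHost($cert, $hostName) {
    # Exact SAN match, or a wildcard for the host's parent domain.
    $names = $cert.CertificateDomains | ForEach-Object { "$_".ToLowerInvariant() }
    $wild  = '*' + $hostName.Substring($hostName.IndexOf('.'))
    return ($names -contains $hostName.ToLowerInvariant()) -or ($names -contains $wild)
}

# Only Exchange 2013 (version 15.x) Client Access servers matter here.
$cas2013 = Get-ExchangeServer | Where-Object {
    $_.IsClientAccessServer -and $_.AdminDisplayVersion.Major -eq 15
}
if (-not $cas2013) { $problems += 'No Exchange 2013 CAS found (step 2 not done).' }

foreach ($srv in $cas2013) {
    # Step 2: EWS needs an ExternalUrl on the shared namespace and MRSProxy on,
    # otherwise MRS in Office 365 cannot pull mailboxes from on-premises.
    foreach ($vdir in Get-WebServicesVirtualDirectory -Server $srv.Name -ADPropertiesOnly) {
        if (-not $vdir.ExternalUrl) {
            $problems += "$($srv.Name): EWS has no ExternalUrl."
        } elseif ($vdir.ExternalUrl.Host -ne $ewsHost) {
            $problems += "$($srv.Name): EWS ExternalUrl host is $($vdir.ExternalUrl.Host), expected $ewsHost."
        }
        if (-not $vdir.MRSProxyEnabled) { $problems += "$($srv.Name): MRSProxy is disabled on the EWS vDir." }
    }

    # Step 3: a CA-issued certificate bound to IIS and SMTP must cover the namespace;
    # the HCW later picks the same certificate for secure mail flow, hence SMTP.
    $ok = Get-ExchangeCertificate -Server $srv.Name | Where-Object {
        -not $_.IsSelfSigned -and "$($_.Services)" -match 'IIS' -and "$($_.Services)" -match 'SMTP' -and
        $_.NotAfter -gt (Get-Date).AddDays(30) -and (Test-CertCoversHost $_ $ewsHost)
    }
    if (-not $ok) { $problems += "$($srv.Name): no trusted IIS+SMTP certificate covering $ewsHost with >30 days left." }
}

# Steps 4 and 5: both public names must resolve. System.Net.Dns works on every
# supported Windows release; an unresolvable name throws.
foreach ($name in $ewsHost, $autodHost) {
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }
        Write-Host "$name resolves to $($ips -join ', ')"
    } catch {
        $problems += "$name does not resolve; publish the A record before running the HCW."
    }
}

if ($problems) {
    Write-Warning 'Not ready for the Hybrid Configuration Wizard:'
    $problems | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host 'Pre-HCW checks passed; confirm from outside with the Remote Connectivity Analyzer.'
}
```

Resolving the names from inside the network only proves the records exist; with split DNS the external answer still has to be confirmed from the Internet, which is what the Remote Connectivity Analyzer step does.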
Hybrid Configuration Wizard Fundamentals
Exchange Hybrid Wizard History
1. Exchange 2010 SP1: 72 pages of documentation; extremely complex and low adoption.
2. Exchange 2010 SP2: HCW introduced; removed the confusing requirements for additional domains (exchangedelegation and service.contoso.com).
3. Exchange 2013: HCW with web-based UI; greatly simplified transport configuration.
4. Exchange 2013 SP1: multiple Exchange organizations now supported; supports Exchange 2013 Edge.
5. Exchange 2013 CU5: native OAuth and China Region support.
Thousands of tenants and millions of mailboxes in Office 365 are using Exchange Hybrid.
Hybrid Configuration Wizard
• Desired state configuration engine
• Applies configuration to the on-prem and online orgs

(Diagram: the Hybrid Configuration Engine, driven from the Exchange Management Tools, holds the desired state and the topology & current state, and executes configuration tasks against both organizations over Remote PowerShell across the Internet.)

Objects configured in the Exchange Online organization:
• Organization-level configuration objects: Exchange Federation Trust, Organization Relationship, Forefront Inbound Connector, Forefront Outbound Connector
• Domain-level configuration objects: Accepted Domains, Remote Domains

Objects configured in the on-premises Exchange organization:
• Hybrid Configuration object (holds the desired state)
• Exchange server-level configuration: Mailbox Replication Service Proxy, certificate validation, Exchange Web Services virtual directory validation, Receive Connector
• Domain-level configuration objects: Accepted Domains, Remote Domains, E-mail Address Policies
• Organization-level configuration objects: Exchange Federation Trust, Organization Relationship, Availability Address Space, Send Connector

Engine workflow:
1. The Update-HybridConfiguration cmdlet triggers the Hybrid Configuration Engine to start.
2. The Hybrid Configuration Engine reads the "desired state" stored on the HybridConfiguration Active Directory object.
3. The Hybrid Configuration Engine connects via Remote PowerShell to both the on-premises and Exchange Online organizations.
4. The Hybrid Configuration Engine discovers topology data and current configuration from the on-premises Exchange organization and the Exchange Online organization.
5. Based on the desired state, topology data and current configuration across both the on-premises Exchange and Exchange Online organizations, the Hybrid Configuration Engine establishes the "difference" and then executes configuration tasks to establish the "desired state."
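The engine's desired-state comparison, as an added example (not the HCW's own code): it reads the HybridConfiguration object and checks the on-premises objects listed above against it, so drift since the last Update-HybridConfiguration run becomes visible. It assumes the on-premises Exchange Management Shell; the Exchange Online side would need its own remote session and is left out.

```powershell
# Added example, not the HCW engine's own code: read the desired state that the
# wizard stores on the HybridConfiguration object (step 2 above) and compare it
# with the on-premises objects the engine owns, so drift since the last
# Update-HybridConfiguration run becomes visible. Run in the on-premises Exchange
# Management Shell; the Exchange Online side needs its own remote session.
function Test-HybridDesiredState {
    $hc = Get-HybridConfiguration
    if (-not $hc) { throw 'No HybridConfiguration object; the HCW has never completed here.' }
    $drift    = @()
    $features = @($hc.Features | ForEach-Object { "$_" })

    # Domain level: every hybrid domain (the Autodiscover domain carries an
    # "autod:" prefix in Exchange 2013) must still be an accepted domain.
    $accepted = @(Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)".ToLowerInvariant() })
    foreach ($d in ($hc.Domains | ForEach-Object { ("$_" -replace '^autod:', '').ToLowerInvariant() })) {
        if ($accepted -notcontains $d) { $drift += "Hybrid domain $d is no longer an Accepted Domain." }
    }

    # Organization level: the federation trust and an enabled organization
    # relationship carry the DAuth features (free/busy, MailTips, ...).
    if (-not (Get-FederationTrust)) { $drift += 'Federation Trust is missing.' }
    $rel = @(Get-OrganizationRelationship | Where-Object { $_.Enabled })
    if (-not $rel) { $drift += 'No enabled Organization Relationship.' }
    elseif (($features -contains 'FreeBusy') -and -not ($rel | Where-Object { $_.FreeBusyAccessEnabled })) {
        $drift += 'FreeBusy is desired but FreeBusyAccessEnabled is false on every relationship.'
    }

    # Secure mail flow: the outbound connector must still use the TLS certificate
    # the wizard selected (TlsCertificateName is stored as "<I>issuer<S>subject").
    $send = @(Get-SendConnector | Where-Object { "$($_.AddressSpaces)" -like '*onmicrosoft.com*' })
    if (-not $send) { $drift += 'No Send Connector with an onmicrosoft.com address space.' }
    elseif ($hc.TlsCertificateName -and ($send | Where-Object { "$($_.TlsCertificateName)" -ne "$($hc.TlsCertificateName)" })) {
        $drift += 'Send Connector TLS certificate differs from HybridConfiguration.TlsCertificateName.'
    }

    # Server level: transport servers in the desired state must still exist, and
    # MoveMailbox depends on MRSProxy staying enabled on their EWS vDir.
    $servers = @($hc.SendingTransportServers) + @($hc.ReceivingTransportServers) |
        Where-Object { $_ } | ForEach-Object { $_.Name } | Select-Object -Unique
    foreach ($name in $servers) {
        if (-not (Get-ExchangeServer -Identity $name -ErrorAction SilentlyContinue)) {
            $drift += "Transport server $name from the desired state no longer exists."; continue
        }
        if (($features -contains 'MoveMailbox') -and
            (Get-WebServicesVirtualDirectory -Server $name -ADPropertiesOnly | Where-Object { -not $_.MRSProxyEnabled })) {
            $drift += "MRSProxy is disabled on $name but MoveMailbox is a desired feature."
        }
    }

    [pscustomobject]@{ DesiredFeatures = $features; Drift = $drift; InSync = ($drift.Count -eq 0) }
}

Test-HybridDesiredState | Format-List
```

Any item in Drift is exactly the kind of difference the engine would resolve on the next Update-HybridConfiguration run, so the report tells you whether rerunning the wizard is needed before you touch objects by hand.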
Running the Hybrid Configuration Wizard
Exchange Hybrid Advanced Topics
Multi-Org Hybrid
Exchange Topologies Supported
Exchange 2013 / Exchange 2010:
• Single Forest Model: accounts and mailboxes in a single forest
• Resource Forest Model: multiple account forests, single resource forest
• 1:1 relationship between an Exchange organization and a single O365 tenant
Exchange 2013 Service Pack 1:
• Supports multiple Exchange organizations configured against a single O365 tenant
• Multiple forests, each containing accounts and Exchange organizations
• Multi-Org Hybrid Support: N:1 relationship between Exchange organizations and a single O365 tenant
(Diagram: contoso.com and fabrikam.com each in hybrid with the same Office 365 tenant; account (A) and resource (R) forests shown per model.)
Exchange 2013 multi-org hybrid deployment
1. Prepare: update each Exchange organization to Service Pack 1; validate that Autodiscover is properly configured and published in each Exchange organization; validate that the public certificates for each Exchange org are unique; create a 2-way forest trust.
2. Configure mail flow on-prem: configure SMTP domain sharing as required; configure mail flow between the on-prem organizations.
3. Configure directory synchronization: configure AAD Sync (FIM) to synchronize mail recipients between each forest and the Office 365 tenant.
4. Run the Hybrid Configuration Wizard: prepare the Office 365 tenant; run the HCW in contoso.com and in fabrikam.com; validate mail flow between all entities.
5. Configure ADFS / PW Sync: configure ADFS in contoso.com; configure ADFS in fabrikam.com.
6. Configure Organization Relationships: configure an Org Relationship between each org.
(Diagram: the fabrikam.com and contoso.com forests, each with Exchange 2013, AD, ADFS and an ADFS proxy, joined by a 2-way forest trust and SMTP/TLS mail flow; AAD Sync (FIM) management agents synchronize both forests into Azure AD / the O365 directory of the fabrikam.onmicrosoft.com tenant; federated authentication through ADFS, a federated trust relationship and organization relationships complete the picture. Labels 1 to 6 map to the steps above.)
Multi-Org Identity Options
AADSync Services* (GA since Sept. 2014)
• Lightweight alternative to the O365 Connector
• Easier to use thanks to the built-in wizard
O365 Connector (FIM)
• Used for 'complex' scenarios, including non-AD environments (e.g. LDAP, SQL)
• Requires the FIM 2010 R2 Sync Engine (available through an Azure subscription)
• http://technet.microsoft.com/library/dn511001.aspx
* Also supports PWSync, as of 29/10/2014
OAuth in Hybrid
What does this button do? The HCW now includes automated configuration for OAuth.
But why do I want OAuth?
• Enables cross-premises discovery searches and cross-premises archive moves
• Can be used for much more, like free/busy, and is used for 21Vianet customers (Greater China Region)
• Long-term authentication approach for future capabilities
If you click this ... we will launch this: a ClickOnce application.
Where is the OAuth config button? Do you have any Exchange version older than Exchange 2013 SP1 in the organization? In that case the button is not offered.
So, just because you have 2010 and/or 2007 you cannot use OAuth? Actually you can use OAuth in a coexistence organization; you would have to run the steps manually (documented on TechNet). Forcing you to run scripts and configure this manually is something we are aiming to remove in future updates. But do you really need OAuth? It is best for those who need cross-premises discovery.
OAuth Validation
• In order to test OAuth after the HCW is run or the manual configuration is done, you will want to...
• 1st get a cup of coffee
• 2nd kick off your shoes, maybe start that book you were eyeing
• 3rd after ~45 minutes run the verification cmdlets, one from each side:
On-premises (tests an on-premises mailbox against Exchange Online):
Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox <On-Premises Mailbox> -Verbose | fl
Exchange Online PowerShell (tests a cloud mailbox against on-premises):
Test-OAuthConnectivity -Service EWS -TargetUri <external hostname authority of your Exchange On-Premises deployment> -Mailbox <Exchange Online Mailbox> -Verbose | fl
DAuth vs OAuth
DAuth
• Uses the Microsoft Federation Gateway for token generation
• Configured through Organization Relationships
• Controls what companies you share information with
• Allows for granular control of what features are available (free/busy, MailTips)
OAuth
• Uses the Auth Server in Azure AD (better resiliency and faster in-forest communications)
• Configured through IntraOrgConnectors / configuration
• Controls what companies you can share information with
• No granular control of the feature set (all or nothing)
(Diagram: Microsoft Federation Gateway with Organization Relationships on the DAuth side; AuthServer with IntraOrg Connectors on the OAuth side.)
Do All Hybrid features use OAuth?
• Cross-premises discovery and certain cross-premises archive features require OAuth
• OAuth is adding new functionality
• Having regular hybrid and OAuth configured = the most complete feature set for your hybrid deployment

eDiscovery scenario / Requires OAuth?
• Yes: Search on-premises and Exchange Online mailboxes in the same eDiscovery search initiated from the Exchange on-premises organization.
• Yes: Search Exchange on-premises mailboxes that use Exchange Online Archiving for cloud-based archive mailboxes.
• Yes: Search Exchange Online mailboxes from an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer.
• No: Search on-premises mailboxes using an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer.
• No: Search Exchange Online mailboxes from an eDiscovery search initiated from Exchange Online or the eDiscovery Center in SharePoint Online by an Office 365 tenant administrator or a compliance officer signed in to an Office 365 user account.

What about Free/Busy?
• Free/busy DOES work with OAuth
• Once OAuth is configured, it is used by default for hybrid free/busy and removes the reliance on the Microsoft Federation Gateway (MFG), provided you have Exchange 2013 SP1+ in the environment and are running the Exchange 2013 CU5+ version of the HCW
• It is the default for the Greater China Region
Are there any features that do not work?
• Certain things like OWA redirection do not work with OAuth
• The HCW configures both the Org Relationship and IntraOrganizationConnectors; running the HCW will ensure that you get all of the features today
What about Free/Busy? Refresher (DAuth)
Participants: on-premises user "Ben", the on-premises Client Access Server, the Microsoft Federation Gateway (MFG), and Joe's mailbox on an Exchange Online Mailbox server.
1. Ben requests free/busy info for Joe.
2. The CAS finds that Joe's mailbox is external and that there is a matching Organization Relationship.
3. The CAS connects to the MFG to request a delegation token.
4. The MFG returns a delegation token.
5. The CAS passes the MFG token to Exchange Online and requests Joe's free/busy on behalf of Ben (FreeBusyRequest from Ben to Joe).
6. Free/busy info is returned to the CAS.
7. Joe's free/busy is returned to the Outlook client.
What about Free/Busy with OAuth (2013)?
Free/busy works through a series of checks:
1st we check to see if we can find the free/busy locally
2nd (if the mailbox is not local) we check for an IOC (IntraOrganizationConnector)
3rd (if there is no IOC) we check for an Organization Relationship
4th we then check for an Availability Address Space
The key point here is that OAuth is not a fallback option for free/busy; it is one or the other, and the OAuth method gets the preference. GCR (Greater China Region) simply does not have an Organization Relationship or a federation trust and relies only on OAuth.
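The lookup order above, reproduced as an added diagnostic (not part of the deck): for one target SMTP domain it walks the same four checks and reports which path free/busy would take, which makes the "one or the other" rule visible. It assumes the on-premises Exchange Management Shell and an example tenant routing domain.

```powershell
# Added example (not part of the deck): reproduce the lookup order above for one
# target SMTP domain and report which path free/busy would take, so you can see
# that an IOC takes precedence over an Organization Relationship rather than
# falling back to it. Run in the on-premises Exchange Management Shell; for a
# mail user, pass the domain of its TargetAddress, not its primary address.
function Get-FreeBusyPath {
    param([Parameter(Mandatory)][string]$TargetDomain)
    $TargetDomain = $TargetDomain.ToLowerInvariant()
    function New-PathResult($path, $obj, $auth) {
        [pscustomobject]@{ Domain = $TargetDomain; Path = $path; Object = $obj; Auth = $auth }
    }

    # 1st: an accepted domain means the mailbox is local and no token is needed.
    $local = Get-AcceptedDomain | Where-Object { "$($_.DomainName)".ToLowerInvariant() -eq $TargetDomain }
    if ($local) { return New-PathResult 'Local' $local.Name 'In-forest (no delegation token)' }

    # 2nd: an enabled IOC covering the domain wins; OAuth is one-or-the-other, so a
    # broken IOC is not rescued by the Organization Relationship checked next.
    $ioc = Get-IntraOrganizationConnector | Where-Object {
        $_.Enabled -and (@($_.TargetAddressDomains | ForEach-Object { "$_".ToLowerInvariant() }) -contains $TargetDomain)
    }
    if ($ioc) { return New-PathResult 'IntraOrganizationConnector' $ioc.Name "OAuth via Azure AD auth server, discovery $($ioc.DiscoveryEndpoint)" }

    # 3rd: Organization Relationship, which needs the Federation Trust and an MFG token.
    $rel = Get-OrganizationRelationship | Where-Object {
        $_.Enabled -and (@($_.DomainNames | ForEach-Object { "$_".ToLowerInvariant() }) -contains $TargetDomain)
    }
    if ($rel) {
        $auth = if ($rel.FreeBusyAccessEnabled) { "DAuth via MFG, access level $($rel.FreeBusyAccessLevel)" }
                else { 'DAuth via MFG, but FreeBusyAccessEnabled is false: request will be refused' }
        return New-PathResult 'OrganizationRelationship' $rel.Name $auth
    }

    # 4th: Availability Address Space (legacy cross-forest configuration).
    $aas = Get-AvailabilityAddressSpace | Where-Object { "$($_.ForestName)".ToLowerInvariant() -eq $TargetDomain }
    if ($aas) { return New-PathResult 'AvailabilityAddressSpace' $aas.Name "AccessMethod $($aas.AccessMethod)" }

    New-PathResult 'None' $null 'No configuration matches; free/busy for this domain will fail'
}

# Assumed tenant routing domain for the example call.
Get-FreeBusyPath -TargetDomain 'contoso.mail.onmicrosoft.com'
```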
Free/Busy with OAuth
Participants: on-premises user "Ben", the on-premises Exchange server, the Azure AD (WAAD) OAuth endpoint, and Joe's mailbox on an Exchange Online Mailbox server.
1. Ben requests free/busy info for Joe.
2. The Exchange server finds that Joe's mailbox is external and that there is an IOC.
3. Exchange connects to the Azure OAuth endpoint.
4. WAAD returns a delegation token.
5. The Exchange server passes the token to Exchange Online and requests Joe's free/busy on behalf of Ben (FreeBusyRequest from Ben to Joe).
6. Free/busy info is returned.
7. Joe's free/busy is returned to the Outlook client.
Public Folders and Hybrid
Hybrid Public Folder Options
• Option 1: O365 mailboxes access legacy PFs on-prem
• Option 2: O365 mailboxes access Modern PFs on-prem
• Option 3: Exchange 2013 on-prem mailboxes access Modern PFs in O365

Mailbox version   | PF location: 2007 On-Premises | 2010 On-Premises | 2013 On-Premises | Exchange Online
Exchange 2007     | Yes  | Yes  | No   | No
Exchange 2010     | Yes  | Yes  | No   | No
Exchange 2013     | Yes  | Yes  | Yes  | Yes*
Exchange Online   | Yes* | Yes* | Yes* | Yes
* Requires use of Outlook for Windows
Hybrid PF access
Outlook connects to the cloud mailbox, starting by querying autod.contoso.com (on-premises Autodiscover):
1. Autodiscover responds with the target address for the cloud mailbox.
2. Outlook does Autodiscover for the target address contoso.mail.onmicrosoft.com.
3. Exchange Online responds with the PF mailbox information obtained from the org config or set explicitly on the mailbox: <PublicFolderInformation><SmtpAddress>PFmailbox1@Contoso.com</SmtpAddress>
4. Outlook performs an Autodiscover against PFmailbox1@Contoso.com.
5. Outlook Anywhere settings are returned, including the server name of the PF/CAS instead of the CAS array.
6. When PF access is initiated, Outlook then makes an Outlook Anywhere connection.
7. The connection is proxied to the PF server (running the CAS role), authenticating as the user over the public folder mailbox.
Syncing Public Folders
• DirSync currently does not sync mail-enabled public folder (MEPF) objects in either direction.
• Customers are recommended to run the following scripts periodically to sync MEPF objects from on-premises to the cloud directory. These scripts work for E2010/E2007 on-premises:
  .\Export-MailPublicFoldersForMigration.ps1 -ExportFile [exportFileName]   (run on-premises)
  .\Import-MailPublicFolders.ps1 -ImportFile [importFileName]   (run in the cloud)
• The scripts are linked on TechNet but are now also in the Scripts folder on the Exchange server.
• Microsoft plans to eliminate the scripts and rely on DirSync.
Hybrid Management
Can I Retire Hybrid Servers?
Maintain Exchange Hybrid servers post migration for:
• Unauthenticated SMTP relay
• 3rd party applications not compatible with Office 365
• Maintaining MRS move capability between online and on-prem
• Mailboxes that cannot move online due to regulatory/compliance issues
• Modifying directory attributes for common Exchange tasks
Although you could remove the last Exchange server, it's the only supported way to manage Exchange-related objects!
Hybrid Mailbox Migration
Mailbox migration
• All mailbox migration paths are now supported from the Exchange Admin Center through a unified mailbox move wizard.
• Moves are "pulled" from on-premises to the cloud: you initiate a migration from the cloud.
• All move types now support the new "batch" architecture, which allows easier creation and management of multiple mailbox moves.
• As with Exchange 2010, hybrid (MRS-based) mailbox moves support off-boarding from the cloud to on-premises.
Migration Throughput Factors?
• Max default concurrent moves: 100 (exceptions can be made)
• Item count is a factor in migration performance
• Firewall configuration on the on-premises organization
• Network latency is a factor
• Migrations are not considered "user expected" work by Workload Management (WLM)
• Multiple concurrent moves allow for optimized migrations
• 0.3–1.0 GB/hour range per mailbox
• Source-side performance is a COMMON factor
Common Pitfalls
Certificate Refresh
A new federation certificate will break features.
Future proof: schedule a daily refresh of the federation trust metadata so a rolled Microsoft Federation Gateway certificate is picked up automatically:
Schtasks /create /sc Daily /tn FedRefresh /tr "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -version 2.0 -command Add-PSSnapIn Microsoft.Exchange.Management.PowerShell.E2010;$fedTrust = Get-FederationTrust;Set-FederationTrust -Identity $fedTrust.Name -RefreshMetadata" /ru System
Run this from a Command Prompt (cmd.exe): in a PowerShell session the double-quoted $fedTrust would be expanded before schtasks ever sees it.
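An added companion to the scheduled task (not code from the deck): it records the token-issuer certificate the Federation Trust currently knows, performs the same metadata refresh, reports whether the MFG certificate changed, and runs Test-FederationTrust for one user so a broken trust is noticed rather than discovered through failing free/busy. The test mailbox is an assumption.

```powershell
# Added example, not from the deck: compare the token-issuer certificate the
# Federation Trust knows with what the Microsoft Federation Gateway publishes now,
# refresh the metadata, and run Test-FederationTrust for one user. $TestUser is an
# assumed on-premises mailbox; DAuth free/busy depends on this trust, so a rolled
# MFG certificate that is never refreshed breaks it silently.
function Sync-FederationTrustMetadata {
    param([Parameter(Mandatory)][string]$TestUser)
    $trust = Get-FederationTrust
    if (-not $trust) { throw 'No Federation Trust found; run the HCW first.' }

    $before = "$($trust.TokenIssuerCertificate.Thumbprint)"
    Set-FederationTrust -Identity $trust.Name -RefreshMetadata     # same call the scheduled task makes
    $trust  = Get-FederationTrust -Identity $trust.Name
    $after  = "$($trust.TokenIssuerCertificate.Thumbprint)"
    $prev   = "$($trust.TokenIssuerPrevCertificate.Thumbprint)"

    # Test-FederationTrust emits one result object per check with a Type of
    # Success/Warning/Error and a Message; anything that is not Success is a finding.
    $findings = @(Test-FederationTrust -UserIdentity $TestUser |
        Where-Object { "$($_.Type)" -ne 'Success' } |
        ForEach-Object { "$($_.Id): $($_.Type) - $($_.Message)" })

    [pscustomobject]@{
        IssuerCertChanged  = ($before -ne $after)
        CurrentIssuerCert  = $after
        PreviousIssuerCert = $prev
        Findings           = $findings
        Healthy            = ($findings.Count -eq 0)
    }
}

Sync-FederationTrustMetadata -TestUser 'ben@contoso.com'    # assumed on-premises mailbox
```

IssuerCertChanged set to true on a day the scheduled task did not run is exactly the situation the slide warns about; the findings list then shows which federation check is failing.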
CU6 issues
Recipient Management
• Cannot create user mailboxes
• Cannot move mailboxes
• Cannot change user attributes
• Cause: there is an issue with the backlink from EAC to EXO that prevents the proper connection
• Resolution: download the script that will fix the file, or install CU7 when available
Centralized Mail Flow (CMC) broken
• Cannot send mail from a cloud user to the internet when CMC is enabled
• Resolution: call support for an IU (interim update) or wait for CU7
Summary
Exchange 2013 and the new Office 365 support a range of ways for moving to the cloud: cutover, staged and hybrid. Hybrid is now more flexible and easier to deploy.
Questions?
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Related content
• OFC-B3222 Identity Management is Easy
• Microsoft Solutions Experience Location (MSE)
• Find me later at the Exchange booth
Track resources
• Documentation – http://aka.ms/Ex2013Docs
• Blog – http://aka.ms/EHLO
• Yammer Technical Network
• Blog – http://blogs.office.com
• Ignite – http://ignite.office.com
Resources
• Learning: Microsoft Certification & Training Resources – www.microsoft.com/learning
• Developer Network – http://developer.microsoft.com
• TechNet: Resources for IT Professionals – http://microsoft.com/technet
• Sessions on Demand – http://channel9.msdn.com/Events/TechEd