Exchange hybrid building blocks: Address Book, Calendaring & Free/Busy, Messaging, MRS (Exchange on-premises) and mailbox data (Office 365)
• Delegated authentication for on-premises/cloud web services: enables free/busy, calendar sharing, message tracking and online archive
• Manage all of your Exchange functions, whether cloud or on-premises, from the same place: the Exchange Admin Center
• Online mailbox moves: preserve the Outlook profile and offline folders; leverages the Mailbox Replication Service (MRS)
• Authenticated and encrypted mail flow between on-premises and the cloud; preserves the internal Exchange message headers, allowing a seamless end-user experience
• Support for compliance mail flow scenarios (centralized transport)
Migration options compared
• Cutover: no additional servers; cloud IDs only; OST sync; all at once…
• Staged: DirSync needed; no 2010/2013; OST sync; batch approach
• Hybrid: DirSync/identity management; Hybrid Configuration Wizard, OAuth, MRS, …; auto profile updates; batch approach; offboarding; rich coexistence
How the Hybrid Configuration Engine works
Step 1: The Update-HybridConfiguration cmdlet (run from the Exchange Management Tools) triggers the Hybrid Configuration Engine to start.
Step 2: On-premises Exchange (the Hybrid Configuration Engine) reads the “desired state” stored on the HybridConfiguration Active Directory object.
Step 3: The Hybrid Configuration Engine connects via Remote PowerShell to both the on-premises and Exchange Online organizations (over the Internet for Exchange Online).
Step 4: The Hybrid Configuration Engine discovers topology data and current configuration from the on-premises Exchange organization and the Exchange Online organization.
Step 5: Based on the desired state, topology data, and current configuration across both the on-premises Exchange and Exchange Online organizations, the Hybrid Configuration Engine establishes the “difference” and then executes configuration tasks to establish the “desired state.”
Configuration objects touched:
• On-premises, Exchange server level: Mailbox Replication Service Proxy, certificate validation, Exchange Web Services virtual directory validation, Receive Connector
• On-premises, domain level: Accepted Domains, Remote Domains, E-mail Address Policies
• On-premises, organization level: Exchange Federation Trust, Organization Relationship, Availability Address Space, Send Connector
• Exchange Online, organization level: Exchange Federation Trust, Organization Relationship, Forefront Inbound Connector, Forefront Outbound Connector
• Exchange Online, domain level: Accepted Domains, Remote Domains
Exchange Hybrid Scenario
• On-premises Exchange organization: existing Exchange environment (Exchange 2007 or later) with an Exchange 2013 client access & mailbox server
• Office 365
• Active Directory synchronization: users, contacts & groups via Azure AD Sync
• Secure mail flow
• Sharing (free/busy, MailTips, archive, etc.)
• Mailbox data via the Mailbox Replication Service (MRS)
Exchange Hybrid Wizard History
• Exchange 2013 SP1: multiple Exchange organizations now supported; supports Exchange 2013 Edge
What is coming next?
• Multi-forest hybrid with AADSync (TAP ongoing)
• Resolving the common upgrade issues (upgrade from 2010/2013)
• Service validation for HCW (hybrid tested in EVERY forest EVERY day)
• HCW updates no longer tied to CUs
• Improvements to OAuth to support multi-forest
• Better diagnostics built in (HCW and other troubleshooters)
• Stand-alone HCW (new web-based HCW); HCW looks and feels familiar
Stand-alone HCW
• Exchange 2013 and E16 can use it
• Allows for agility with feature releases
• Allows for changes outside of CUs
• Allows for proper piloting of features
• Looks and feels familiar
• Allows us to fix issues quickly
• Allows us to add improvements to the HCW experience
• The newest version is used by EVERYONE
Stand-alone HCW FAQ
• Will I be able to run it on Exchange 2013?
• Can I upgrade from Exchange 2010 to a newer version?
• Can I opt out of the new HCW experience?
• Will I need to add any additional URL to my outbound proxy device?
• Will running the stand-alone HCW change any of my settings?
Identity options
• Cloud IDs (online username & password)
• Password Hash Synchronization (PW Sync)
• Active Directory Federation Services (AD FS)
A lot of organizations deploy AD FS because of different benefits: near-seamless logons (single sign-on); the most flexible solution for various clients such as Outlook, EAS, etc.; more granular control over authentication. Most organizations deploy Password Hash Synchronization.
Cloud ID / password sync sign-in flow (Identity Provider: OrgID; Directory):
1. Attempt sign-in
2. Return auth token
3. Request mail (including username/password)
4. Success! Return mail
AD FS sign-in flow (Identity Provider: EvoSTS; Directory sync):
1. Attempt mail sync; the service answers that sign-in is needed first
2. Sign-in (passive auth)
3. Return auth token (SAML token)
4. Success! Mail sync, return mail
Ted's story: “This camera is awesome!” Ted is happily using his Windows Phone. Then one day… error 0x86000C16: Ted's mailbox was moved to the cloud. “Back in my day we just shut up and recreated profiles.” Sorry… the nerdy admin has no option but to recreate the profile. That was the old way. So what do we do now?
The new way (Exchange 2013 CU8 and 2010 SP3 RU9 mailbox)
1. User is connected
2. The user mailbox moves to the cloud
3. User tries to sync to on-prem again
4. CAS determines the user is remote (based on the TargetAddress), then looks to see if the domain name is in an Org Relationship. If that exists and there is a Target OWA URL, we use that to perform a 451 redirect
5. User connects seamlessly to the cloud
Unsupported scenarios:
• Mailbox moves from Exchange Server 2007 to Office 365
• Does not support off-boarding
• EAS devices must support the 451 redirect (Acompli does not)
HCW Troubleshooter
• HCW fails, so a customer attempts to open a case
• Customer is presented with the troubleshooter
• Customer is given a clear solution, ELIMINATING the need for a case
• Support also has immediate access to the HCW log if the case is still opened
Next steps
• More troubleshooters on the way
• Feedback is needed to make them better
Exchange Hybrid Configuration Diagnostic: http://aka.ms/hcwcheck
If a check fails, the diagnostic reports one of the following:
• There are certificates installed in your Exchange Hybrid environment which are missing the subject name.
• You need to fix your obsolete Active Directory Domain Services Federation Objects.
• Your existing Exchange 2007 servers are not part of the Exchange Trusted Subsystems group.
• You need to install Exchange 2010 SP3 RU3 or later.
• In order to upgrade your Hybrid environment from Exchange 2010 to Exchange 2013 you need to rename your existing Organization Relationship.
• Your Exchange Server 2013 needs to be running CU6 or later; we recommend the latest version available.
• Some manual configurations are needed to allow legacy free/busy to work as expected.
• Microsoft Exchange Service Host is not running.
• Please run the Exchange Hybrid Configuration Wizard on a server which has the CAS role installed.
• You need to upgrade your legacy email address policy.
• You need to address the issues found with the TLS certificate. If running Exchange Server 2010 you'll need to acquire a certificate with a name that has less than 256 characters. If running Exchange Server 2013 please install the latest cumulative update.
Solution links (as listed on the slide): http://go.microsoft.com/?linkid=9846726, http://go.microsoft.com/?linkid=9846727, http://go.microsoft.com/?linkid=9846728, http://go.microsoft.com/?linkid=9846729, http://go.microsoft.com/?linkid=9846730, http://go.microsoft.com/?linkid=9846731, http://go.microsoft.com/?linkid=9846732, http://go.microsoft.com/?linkid=9846733, http://go.microsoft.com/?linkid=9846734, http://go.microsoft.com/?linkid=9846735, http://go.microsoft.com/?linkid=9846736
Hybrid Migration Troubleshooter: http://aka.ms/HMTSIgnite
Hybrid Upgrade issues 1
Error: Updating hybrid configuration failed with error 'Subtask Configure execution failed: Upgrading hybrid configuration from Exchange 2010... Object reference not set to an instance of an object. at Microsoft.Exchange.Management.Hybrid.UpgradeConfigurationFrom14Task.UpgradeFopeConnectors'
Solution:
[PS] C:\> Get-OrganizationConfig | fl Guid
[PS] C:\> # rename the organization relationship to "O365 to On-premises - <GUID>" (use the Guid returned above)
[PS] C:\> Set-OrganizationRelationship -Identity "<current relationship name>" -Name "O365 to On-premises - <GUID>"
https://support.microsoft.com/en-us/kb/2967914/ (fixed in CU5)
Hybrid Upgrade issues 2
Error: The Wizard did not complete successfully. Please see the list below for error details. Sending Mailbox Server '<ServerName>' isn't running Exchange 2013 or a later version.
Solution:
[PS] C:\> Get-HybridConfiguration | fl > Hybrid.txt   # keep a copy of the current settings first
[PS] C:\> Set-HybridConfiguration -ClientAccessServers $null `
          -ReceivingTransportServers $null -SendingTransportServers $null
https://support.microsoft.com/en-gb/kb/3013420/en-us
Hybrid Upgrade issues 3
Error: Updating hybrid configuration failed with error 'Subtask Configure execution failed: Upgrading hybrid configuration from Exchange 2010... Execution of the Set-InboundConnector cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings. Active Directory operation failed on'
or
ERROR: Subtask Configure execution failed: Upgrading hybrid configuration from Exchange 2010... No Inbound connector found on the Office 365 tenant.
Solution:
1. Remove the hybrid configuration through ADSI Edit: ADSI Edit > Connect to Configuration > CN=Services > CN=Microsoft Exchange > CN=First Organization > CN=Hybrid Configuration
2. Rerun setup.exe /PrepareAD from the on-premises Exchange setup directory (Schema Admin rights needed)
3. Rerun the HCW from Exchange 2013
• Microsoft made changes in the service that broke customers using the Federation Gateway
• Microsoft introduced a CU that prevented the ability to create and manage user accounts
• Microsoft introduced a new feature that broke free/busy for hybrid customers
• Microsoft made changes in the service that prevented all 2013 customers from running the HCW
Bottom line: we needed to be better at finding issues with CU/service updates
Active monitoring for HCW, tested in every forest throughout the day
• Because of this we found the issue before ANY customers reported the problem
So does the monitoring work? Activating directory sync kicks off an important process for hybrid:
1. The new routing domain gets created in MSO
2. The new domain is forward-synced to EXO
3. A new certificate is created that includes the new name
4. Then we create the AutoD and MX DNS records
Awareness: Message Size Limits for Migration FAQ
1. What migration types will be able to take advantage of this new limit (with caveats)?
2. Will I be able to forward, resend, or move the item after the migration is complete?
3. Will the message size limit be increased so we can start sending larger messages?
4. When should I expect to see the message size increase for hybrid migrations?
5. What do I need to do to enable this new limit?
6. Does it matter if I am moving the mailboxes from 2007, 2010 or 2013?
150 MB message size increase: we can now increase the message size restrictions for a user after the mailbox plan is associated.
Migration performance
• Max default concurrent moves: 100 (exceptions can be made)
• Item count is a factor in migration performance
• 0.3–1.0 GB/hour range per mailbox
• Firewall configuration on the on-premises organization
• Multiple concurrent moves allow for optimized migrations
• Migrations are not considered “user expected” (WLM)
• Source-side performance is a COMMON factor
• Network latency is a factor
Alternate ID and Hybrid
This is used to allow for a different UPN for AD FS on-premises vs. Office 365 (e.g. Bill@Contoso.Local on-premises and Bill@Contoso.com in Office 365).
• Install updates
• Adjust the claim rule
• Update the Management Agent in FIM
• Documented on TechNet
Old claim rule (issues userPrincipalName as the UPN claim):
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};userPrincipalName,objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);
New claim rule (issues the mail attribute as the UPN claim instead):
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};mail,objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);
Autodiscover with Alternate ID
• Outlook connected to corp (on-premises, Bill@Contoso.Local): Autodiscover connects to the SCP and is automatically authenticated; Autodiscover redirects the client to the TargetAddress stamped on the user; the user provides the cloud UPN and password (Bill@Contoso.com, Office 365)
• Outlook connected externally: Autodiscover connects from the external machine (the user provides the on-premises UPN); Autodiscover redirects the client to the TargetAddress stamped on the user; the user provides the cloud UPN and password
OAuth and Federation
DAuth vs OAuth
• DAuth: Organization Relationships; uses the Microsoft Federation Gateway for token generation; Organization Relationships control what companies you share information with; allows for granular control of what features are available (free/busy, MailTips)
• OAuth: IntraOrganization Connectors; uses the Auth Server in Azure AD (better resiliency and faster in-forest communications); IntraOrgConnectors/configuration control what companies you can share information with; no granular control of the feature set (all or nothing)
eDiscovery scenarios and OAuth (does the scenario require OAuth?)
• Search on-premises and Exchange Online mailboxes in the same eDiscovery search initiated from the Exchange on-premises organization: Yes
• Search Exchange on-premises mailboxes that use Exchange Online Archiving for cloud-based archive mailboxes: Yes
• Search Exchange Online mailboxes from an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer: Yes
• Search on-premises mailboxes using an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer: No
• Search Exchange Online mailboxes from an eDiscovery search initiated from Exchange Online or the eDiscovery Center in SharePoint Online by an Office 365 tenant administrator or a compliance officer signed in to an Office 365 user account: No
Free/busy with OAuth (IOC)
1. Ben requests free/busy info for Joe
2. CAS finds that Joe's mailbox is external and there is an IOC
3. Exchange connects to the Azure OAuth endpoint; WAAD returns a delegation token
4. The server passes the token and requests Joe's free/busy on behalf of Ben
5. Joe's free/busy info is returned to the Outlook client
Free/busy works through a series of checks:
1st we check to see if we can find free/busy locally
2nd (if the mailbox is not local) we check for an IOC
3rd (if there is no IOC) we check for an Organization Relationship
4th we check for an Availability Address Space
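The check order above, modelled as an added example in Python (this is not code from the deck or from Exchange); the mailbox, connector and relationship domains are constructed sample data, and the function returns which of the four checks would answer a free/busy request for a given target:

```python
# Added example: models the order in which Exchange resolves where to fetch free/busy
# for a target mailbox, as listed on the slide (local -> IOC -> Organization
# Relationship -> Availability Address Space). Names below are constructed sample data,
# not a real tenant's configuration.
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class HybridAvailabilityConfig:
    local_mailboxes: Set[str]                                       # SMTP addresses hosted locally
    ioc_domains: Set[str] = field(default_factory=set)              # IntraOrganizationConnector target domains
    org_relationship_domains: Set[str] = field(default_factory=set) # Organization Relationship domains
    availability_address_spaces: Set[str] = field(default_factory=set)


def smtp_domain(smtp: str) -> str:
    """Return the lower-cased domain part of an SMTP address, rejecting malformed input."""
    local, sep, domain = smtp.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError(f"not an SMTP address: {smtp!r}")
    return domain.lower()


def resolve_free_busy_source(cfg: HybridAvailabilityConfig, target: str) -> Tuple[Optional[int], str]:
    """Walk the four checks in order and return (check number, mechanism used).

    (None, "unavailable") means nothing is configured for the target domain: the state
    in which users see empty free/busy and the admin should look at the IOC,
    Organization Relationship and Availability Address Space for that domain.
    """
    # 1st: is the mailbox local? Then no cross-premises call is needed.
    if target.strip().lower() in {m.lower() for m in cfg.local_mailboxes}:
        return 1, "local mailbox"
    domain = smtp_domain(target)
    # 2nd: IntraOrganizationConnector -> OAuth: a delegation token from Azure AD (WAAD)
    # lets the server call the other side on behalf of the requesting user.
    if domain in cfg.ioc_domains:
        return 2, "IntraOrganizationConnector (OAuth delegation token)"
    # 3rd: Organization Relationship -> DAuth via the Microsoft Federation Gateway.
    if domain in cfg.org_relationship_domains:
        return 3, "Organization Relationship (DAuth)"
    # 4th: Availability Address Space.
    if domain in cfg.availability_address_spaces:
        return 4, "Availability Address Space"
    return None, "unavailable"


# Constructed sample: Ben's mailbox is on-premises; Joe's was moved to the cloud and the
# tenant routing domain is covered by an IOC; two partner organizations use DAuth / AAS.
SAMPLE_CONFIG = HybridAvailabilityConfig(
    local_mailboxes={"ben@contoso.com"},
    ioc_domains={"contoso.mail.onmicrosoft.com"},
    org_relationship_domains={"fabrikam.com"},
    availability_address_spaces={"tailspintoys.com"},
)

if __name__ == "__main__":
    for who in ("ben@contoso.com", "joe@contoso.mail.onmicrosoft.com", "ann@fabrikam.com"):
        print(who, "->", resolve_free_busy_source(SAMPLE_CONFIG, who))
```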
Public Folders
Hybrid Public Folder Options
• Option 1: Office 365 mailboxes accessing legacy PFs on-premises
• Option 2: Office 365 mailboxes accessing modern PFs on-premises
• Option 3: Exchange 2013 on-premises mailboxes accessing modern PFs in Office 365
Support matrix (mailbox version vs. PF location; columns 2007 on-premises, 2010 on-premises, 2013 on-premises, Exchange Online; cells as shown on the slide):
• Exchange 2007 mailbox: Yes, No, No
• Exchange 2010 mailbox: Yes, No, No
• Exchange 2013 mailbox: Yes, Yes*
• Exchange Online mailbox: Yes*, Yes
*Requires use of Outlook for Windows
Cloud mailbox accessing on-premises public folders
1. Outlook connects to the cloud mailbox, starting by querying autod.contoso.com
2. Exchange Online Autodiscover responds with the target address for the cloud mailbox
3. Outlook does AutoD for the TA contoso.mail.onmicrosoft.com
4. EXO responds with PF mailbox information obtained from the org config or set explicitly on the mailbox:
   <PublicFolderInformation><SmtpAddress>PFmailbox1@Contoso.com</SmtpAddress></PublicFolderInformation>
5. Outlook performs an AutoD against PFmailbox1@Contoso.com (on-premises)
6. Outlook Anywhere settings are returned, including the server name of the PF/CAS instead of the CAS array
7. When PF access is initiated you then make a connection: auth as the user over public MBX auth, proxy to the PF server (running the CAS role)
Questions or Common Issues
Where is the Activate button for sync? Why the change?
• UPN mismatches and changes are costly for support
• UPN mismatches cause a poor user experience
• If you perform DirSync before adding the domain you see issues
• We have now prevented this in the portal
If the accepted domain was not added: DirSync leaves the on-premises UPN=Ted@Contoso.com while Office 365 gets UPN=Ted@Contoso.onmicrosoft.com
Mailbox recovery changes today
• To recover, use New-MailboxRestoreRequest
• Do not hard-delete a user; that mailbox will not be recoverable
• In the future we may add a soft-delete buffer, but today…
HCW Domain limit 250
Error when running HCW: Updating hybrid configuration failed with error 'Subtask Configure execution failed: Configure Organization Relationship. Execution of the New-OrganizationRelationship cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings. The total number of explicit and implicit subfilters exceeds maximum allowed number of 250. Processing stopped. at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, SessionParameters parameters, Boolean ignoreNotFoundErrors)'.
Cause: Organization Relationships allow up to 250 domains
Resolution: Manually create an additional Organization Relationship and add the domains over 250 to it
This is being added to the HCW troubleshooter along with a ton more!
HCW Domain limit 64
Issue: HCW fails with "The length of the property is too long. The maximum length is 64 and the length of the value provided is 68."
Cause:
• We allow up to a 32-character domain name to be added to the service
• When the routing domain is created for that domain it makes the length longer, but still shorter than the 64 overall hard limit
• When HCW creates the remote domain we prepend “Hybrid Domain-” to the identity for the remote domain
• This can put us over the limit
Resolution: still investigating, but if we simply change the remote domain to only prepend “Hybrid-” we will allow for all 32-character domain names… currently still being investigated
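The two limits above (250 domains per Organization Relationship, 64 characters for the remote-domain identity) as an added pre-flight check written for this page in Python; it is not code from the deck or from the HCW. The routing-domain shape ("<first label>.mail.onmicrosoft.com") and the two prefix strings are assumptions labelled in the comments, and the domains are constructed:

```python
# Added example: pre-flight checks for the two HCW domain limits described on these
# slides. Assumptions not stated on the slides: the routing domain for an accepted
# domain is "<first label>.mail.onmicrosoft.com", and the remote-domain identity HCW
# creates is "Hybrid Domain-<routing domain>" ("Hybrid-" being the shorter prefix the
# deck proposes). Sample domains are constructed.
from typing import Dict, List, Tuple

ORG_RELATIONSHIP_MAX_DOMAINS = 250   # explicit + implicit subfilters per Organization Relationship
REMOTE_DOMAIN_NAME_MAX = 64          # hard limit on the remote domain identity
ACCEPTED_DOMAIN_LABEL_MAX = 32       # what the service allows for a domain name
ROUTING_SUFFIX = ".mail.onmicrosoft.com"   # assumption, see above
CURRENT_PREFIX = "Hybrid Domain-"          # what HCW prepends today
PROPOSED_PREFIX = "Hybrid-"                # the fix the deck floats


def routing_domain(accepted_domain: str) -> str:
    """Routing domain the service creates for an accepted domain (assumed shape)."""
    label = accepted_domain.strip().lower().split(".")[0]
    if not label or len(label) > ACCEPTED_DOMAIN_LABEL_MAX:
        raise ValueError(f"domain label must be 1..{ACCEPTED_DOMAIN_LABEL_MAX} chars: {accepted_domain!r}")
    return label + ROUTING_SUFFIX


def remote_domain_fits(accepted_domain: str, prefix: str = CURRENT_PREFIX) -> Tuple[bool, int]:
    """Whether the remote-domain identity HCW would create fits in 64 chars, and its length."""
    name = prefix + routing_domain(accepted_domain)
    return len(name) <= REMOTE_DOMAIN_NAME_MAX, len(name)


def split_into_org_relationships(domains: List[str]) -> List[List[str]]:
    """Group unique domains into Organization Relationships of at most 250 each."""
    seen: set = set()
    ordered: List[str] = []
    for d in domains:
        d = d.strip().lower()
        if d and d not in seen:
            seen.add(d)
            ordered.append(d)
    step = ORG_RELATIONSHIP_MAX_DOMAINS
    return [ordered[i:i + step] for i in range(0, len(ordered), step)]


def preflight(domains: List[str]) -> Dict[str, object]:
    """Summarise what would need manual work before running the HCW."""
    too_long = [d for d in domains if not remote_domain_fits(d)[0]]
    fixed_by_short_prefix = [d for d in too_long if remote_domain_fits(d, PROPOSED_PREFIX)[0]]
    batches = split_into_org_relationships(domains)
    return {
        "org_relationships_needed": len(batches),
        "extra_org_relationships_to_create_manually": max(0, len(batches) - 1),
        "remote_domain_too_long": too_long,
        "fixed_by_short_prefix": fixed_by_short_prefix,
    }


if __name__ == "__main__":
    sample = ["contoso.com", "a" * 32 + ".com"] + [f"d{i}.com" for i in range(300)]
    print(preflight(sample))
```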
Certificate field is empty
• Required on selected CAS & MBX
• CAS are used for Receive Connectors
• MBX are used for Send Connectors
• Both need the same cert installed, else HCW won't show it
• Third-party certificate, proper SAN, assigned to the SMTP service, private key present
• Need access to the CRL URL over port 80 from all servers
Challenges managing hybrid recipients
• User/mailbox management
• Converting mailboxes
• Group self-service management
• Inconsistent experience
• Migrated permissions vs. new permissions (Full Access, Send-As, Receive-As…)
• Inactive mailboxes (procedures?)
• DirSync delay (e.g. archive creation)
HCW fails with a timeout
• Cause: Timeout issues are not handled well by the HCW (we are getting better)
• Running the HCW a second time is often all that is needed…
HCW fails with "InvalidUri: Passed URI is not valid"
• Cause: There are certain words such as “bank”, profanity, and large org names that are blocked from federating
• Calling Support is the only option to resolve the issue
• Documented: http://support.microsoft.com/kb/2615183
• Cannot create user mailboxes, cannot move mailboxes, cannot change user attributes
  Cause: there is an issue with the backlink from EAC to EXO that prevents the proper connection
  Resolution: download a script that will fix the file, or install CU7 when available
• Cannot send mail from a cloud user to the internet when CMC is enabled
  Resolution: call support for an IU or wait for CU7
Pre-Release Programs: Be first in line! Exchange & SharePoint on-premises programs
Customers get:
• Early access to new features
• Opportunity to shape features
• Close relationship with the product teams
• Opportunity to provide feedback
• Technical conference calls with members of the product teams
• Opportunity to review and comment on documentation
Get selected to be in a program: sign up at Ignite at the Preview Program desk OR fill out a nomination: http://aka.ms/joinoffice
Questions: visit the Preview Program desk in the Expo Hall or contact us at ignite2015taps@microsoft.com
http://myignite.microsoft.com
- Slides: 68