Migration options

Source platform    IMAP migration   Cutover Exchange migration   Staged Exchange migration   Hybrid deployment
Exchange 5.5       X
Exchange 2000      X
Exchange 2003                       X                            X                           X*
Exchange 2007                       X                            X                           X*
Exchange 2010                       X                                                        X
Exchange 2013                       X                                                        X
Notes/Domino       X
GroupWise          X
Other              X

* Only through a newer hybrid server added to the organization: Exchange 2010 SP3 for an Exchange 2003 organization; Exchange 2010 SP3 or Exchange 2013 for an Exchange 2007 organization.

IMAP migration: supports a wide range of email platforms; email only (no calendar, contacts, or tasks)
Cutover Exchange migration: good for fast, cutover migrations; no Exchange upgrade required on-premises
Staged Exchange migration: no Exchange upgrade required on-premises; optional identity federation with the on-premises directory
Hybrid deployment: manage users on-premises and online; enables cross-premises calendaring, smooth migration, and easy off-boarding
Hybrid deployment features
• Delegated authentication for on-premises/Office 365 web services: enables free/busy, calendar sharing, message tracking, and the online archive
• Manage all of your Exchange functions, whether Exchange Online or on-premises, from the same place: the Exchange Admin Center
• Online mailbox moves: preserve the Outlook profile and offline folders; leverages the Mailbox Replication Service (MRS)
• Authenticated and encrypted mail flow between on-premises and Exchange Online: preserves the internal Exchange message headers, allowing a seamless end-user experience, and supports compliance mail flow scenarios (centralized transport)
Hybrid deployment components (diagram)
• On-premises Exchange organization: the existing Exchange environment (Exchange 2007 or later) plus Exchange 2013 Client Access and Mailbox servers
• Active Directory synchronization: users, contacts, and groups are replicated to Office 365 via DirSync
• Secure mail flow between the on-premises organization and Office 365
• Sharing: free/busy, MailTips, archive, etc.
• Mailbox data is moved via the Mailbox Replication Service (MRS)
Deployment tasks
General Office 365 deployment tasks:
• Sign up for Office 365
• Register your domains with Office 365
• Deploy Windows Azure AD Sync with Office 365
Exchange-specific deployment tasks (deep dive on the next slide):
• Install Exchange 2013 CAS and MBX servers (Edge optional)
• Publish the CAS server (assign the SSL certificate, configure firewall rules)
• Run the Hybrid Wizard
Exchange deployment deep dive: from an existing Exchange 2007 or 2010 environment (Edge Transport server optional)
1. Prepare
   • Install the Exchange service pack and/or update rollups across the org (Exchange 2010 or 2007 servers at SP3/RU10)
   • Prepare Active Directory with the Exchange 2013 schema
2. Deploy Exchange 2013 servers
   • Install both Exchange 2013 MBX and CAS servers
   • Configure the legacy namespace for Exchange 2007 (2007/2013 coexistence)
   • Install Exchange 2010 or Exchange 2013 SP1 Edge servers (optional)
   • Set an ExternalUrl and enable MRSProxy on the Exchange Web Services virtual directory
3. Obtain and deploy certificates on the Exchange 2013 CAS servers and the Exchange 2010 Edge servers
4. Publish protocols externally
   • Create public DNS A records for the EWS (mail.contoso.com) and SMTP endpoints
   • Validate using the Remote Connectivity Analyzer
5. Switch the Autodiscover namespace to the Exchange 2013 CAS
   • Change the public autodiscover.contoso.com DNS record to resolve to the Exchange 2013 CAS
6. Run the Hybrid Configuration Wizard
7. Move mailboxes
Diagram: the Internet-facing site holds the Exchange 2013 CAS and MBX servers, the Exchange 2010/2007 CAS, Hub and MBX servers, and an Edge server (Exchange 2010 at SP3/RU10, or Exchange 2013) in the perimeter receiving SMTP from the Internet; the intranet site holds the remaining Exchange 2010/2007 servers. EWS is published on mail.contoso.com and Autodiscover on autodiscover.contoso.com.
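The on-premises side of steps 2 through 5, as an added example that is not part of the deck: Exchange Management Shell on the Exchange 2013 CAS. The server name EX2013CAS01, the namespaces mail.contoso.com and autodiscover.contoso.com, and the contoso\hybridadmin account are assumptions; the last check is run from an Exchange Online PowerShell session rather than on-premises.

```powershell
# Added example, not from the deck. Assumed names: CAS server EX2013CAS01,
# namespaces mail.contoso.com / autodiscover.contoso.com, account contoso\hybridadmin.
$cas         = "EX2013CAS01"
$ewsExternal = "https://mail.contoso.com/EWS/Exchange.asmx"
$autodUri    = "https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml"
$names       = @("mail.contoso.com", "autodiscover.contoso.com")

# Step 3: bind the public certificate that covers both hybrid names to IIS and SMTP.
# The HCW validates this certificate, and Exchange Online only trusts the EWS and
# SMTP endpoints if the presented certificate chains to a public CA and matches
# the published names, so the self-signed certificate is explicitly excluded.
$cert = Get-ExchangeCertificate -Server $cas |
    Where-Object {
        $sans = @($_.CertificateDomains | ForEach-Object { "$_" })
        -not $_.IsSelfSigned -and $_.Status -eq "Valid" -and
        @($names | Where-Object { $sans -contains $_ }).Count -eq $names.Count
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid public certificate for $($names -join ', ') on $cas" }
Enable-ExchangeCertificate -Server $cas -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Force

# Step 2 (last bullet): publish EWS externally and enable the MRS Proxy endpoint
# that the Mailbox Replication Service in Exchange Online uses for mailbox moves.
Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" `
    -ExternalUrl $ewsExternal -MRSProxyEnabled $true

# Step 5: the internal Autodiscover SCP now points at the 2013 CAS; the public
# autodiscover.contoso.com A record is switched in DNS separately.
Set-ClientAccessServer -Identity $cas -AutoDiscoverServiceInternalUri $autodUri

# Check what was set before running the HCW.
Get-WebServicesVirtualDirectory -Server $cas | Format-List Identity, ExternalUrl, MRSProxyEnabled
Get-ClientAccessServer -Identity $cas | Format-List AutoDiscoverServiceInternalUri

# Step 4 check, from an Exchange Online PowerShell session (not on-premises): this
# exercises DNS, the firewall rule, the certificate and MRSProxy end to end, which is
# exactly the path a remote mailbox move takes.
# Test-MigrationServerAvailability -ExchangeRemoteMove -RemoteServer mail.contoso.com `
#     -Credentials (Get-Credential "contoso\hybridadmin")
```

The certificate filter deliberately requires both SAN names on one certificate: if EWS and Autodiscover are served from different certificates, the HCW's certificate validation and the Exchange Online side of the federation trust will disagree about which name to trust.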
Hybrid wizard history
Hybrid Configuration Engine: how the wizard works
Step 1: The Update-HybridConfiguration cmdlet triggers the Hybrid Configuration Engine to start.
Step 2: The Hybrid Configuration Engine reads the "desired state" stored on the HybridConfiguration Active Directory object.
Step 3: The Hybrid Configuration Engine connects via Remote PowerShell to both the on-premises and Exchange Online organizations.
Step 4: The Hybrid Configuration Engine discovers topology data and the current configuration from the on-premises Exchange organization and the Exchange Online organization.
Step 5: Based on the desired state, topology data, and current configuration across both the on-premises Exchange and Exchange Online organizations, the Hybrid Configuration Engine establishes the "difference" and then executes configuration tasks to establish the "desired state."

Objects configured on-premises:
• Exchange server level: Mailbox Replication Service Proxy, certificate validation, Exchange Web Services virtual directory validation, and Receive connector
• Domain level: accepted domains, remote domains, and e-mail address policies
• Organization level: Exchange federation trust, organization relationship, availability address space, and Send connector
Objects configured in Exchange Online:
• Domain level: accepted domains and remote domains
• Organization level: Exchange federation trust, organization relationship, Forefront inbound connector, and Forefront outbound connector
Feedback…Answered (Exchange 2013 SP1 wizard changes)
• Get-FederationInformation fallback logic: if the on-premises Autodiscover endpoint is not published properly when the wizard executes, it will warn rather than fail.
• Autodiscover domain: you can now specify which domain is used for the federated Autodiscover query:
  Set-HybridConfiguration -Domains "contoso.com, fabrikam.com, autod:nwtraders.com"
• Email address policy protection measures: a new UpdateSecondaryAddressesOnly parameter was added to Update-EmailAddressPolicy. It protects customers that have manually edited their directory: only missing proxies are added; no addresses are changed or removed. Note: this is still a very bad state to be in.
• Hybrid product key availability: you can now obtain a FREE Exchange 2013 or 2010 Hybrid Edition product key without the dreaded call to support. Simply go to http://aka.ms/hybridkey
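The desired-state and verification side of the engine flow and the SP1 changes above, as an added example that is not from the deck: on-premises Exchange Management Shell on Exchange 2013 SP1. The domains, the nwtraders.com Autodiscover domain and the contoso.mail.onmicrosoft.com coexistence domain are assumptions.

```powershell
# Added example, not from the deck. Domains and the coexistence domain are assumptions.

# Desired state. The wizard stores this on the HybridConfiguration AD object and
# Update-HybridConfiguration reads it back (step 2 of the engine flow). The "autod:"
# prefix marks the domain used for the federated Autodiscover query; pass the domains
# as separate strings rather than one comma-joined string.
Set-HybridConfiguration -Domains "contoso.com", "fabrikam.com", "autod:nwtraders.com"
Get-HybridConfiguration | Format-List Domains, Features, OnPremisesSmartHost, TlsCertificateName

# Fallback logic: the SP1 wizard only warns when this lookup fails, so run it yourself
# and treat a failure as a blocker. The wizard builds the organization relationship
# from this result, and free/busy will not work if it is wrong.
foreach ($d in "contoso.com", "fabrikam.com") {
    try {
        Get-FederationInformation -DomainName $d -BypassAdditionalDomainValidation -ErrorAction Stop |
            Format-List DomainNames, TargetApplicationUri, TargetAutodiscoverEpr
    } catch {
        Write-Warning "Federated Autodiscover lookup for $d failed: $($_.Exception.Message)"
    }
}

# Email address policy protection: add only the missing coexistence proxy
# (alias@contoso.mail.onmicrosoft.com); never rewrite or remove existing addresses.
Get-EmailAddressPolicy | Update-EmailAddressPolicy -UpdateSecondaryAddressesOnly

# After the wizard: the organization-level objects it owns, with the settings that
# define the trust boundary to Exchange Online (what free/busy detail is shared,
# whether moves are allowed, and that mail flow is TLS-authenticated both ways).
Get-FederationTrust | Format-List Name, ApplicationUri, TokenIssuerUri
Get-OrganizationRelationship | Format-List Name, DomainNames, FreeBusyAccessEnabled,
    FreeBusyAccessLevel, MailboxMoveEnabled, TargetAutodiscoverEpr, TargetSharingEpr
Get-SendConnector | Where-Object { "$($_.AddressSpaces)" -like "*mail.onmicrosoft.com*" } |
    Format-List Name, AddressSpaces, SmartHosts, RequireTLS, TlsAuthLevel, TlsDomain
Get-ReceiveConnector | Where-Object { $_.TlsDomainCapabilities } |
    Format-List Identity, RequireTLS, TlsDomainCapabilities
```

If the Send connector to the coexistence domain shows RequireTLS false or no TlsDomain, or the Receive connector carries no TlsDomainCapabilities, the wizard did not complete its transport step and cross-premises mail will not be the "authenticated and encrypted" flow the feature slide describes; rerun the wizard before moving mailboxes.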
Hybrid logging improvements
Hybrid Product Key (http://aka.ms/hybridkey)
You get a free Hybrid Edition key if…
• You have an existing, non-trial, Office 365 Enterprise subscription
• You currently do not have a licensed Exchange 2013 or Exchange 2010 SP3 server in your on-premises organization
• You will not host any on-premises mailboxes on the Exchange 2013 or Exchange 2010 SP3 server on which you apply the Hybrid Edition product key
The self-service page works for IE 11 only; other browsers get the link to the KB.
Short link: http://aka.ms/hybridkey
KB link: http://support.microsoft.com/kb/2939261
Topologies supported
Exchange 2013 RTM:
• Single forest model: accounts and mailboxes in a single forest
• Resource forest model: multiple account forests, single resource forest
• 1:1 relationship between an Exchange organization and a single Office 365 tenant
Exchange 2013 Service Pack 1 adds multi-org hybrid support:
• Multiple forests, each containing accounts and an Exchange organization
• N:1 relationship between Exchange organizations and a single Office 365 tenant (multiple Exchange organizations configured against a single tenant)
Diagram: one Office 365 tenant with hybrid deployments to both contoso.com and fabrikam.com
Multi-org hybrid (diagram)
• Tenant name: contoso.onmicrosoft.com; coexistence name: contoso.mail.onmicrosoft.com
• Forest contoso.com: authoritative for contoso.com
• Forest fabrikam.com: authoritative for fabrikam.com; shares contoso.com
• Directory synchronization from both forests to the tenant through FIM
• Between the tenant and each forest: an organization relationship (free/busy, sharing) and SMTP mail flow (TLS connectors)
• Between the two on-premises forests: the organization relationship and SMTP mail flow are not configured by the Hybrid Configuration Wizard
Autodiscover – single org
Public DNS: MX contoso.com = Forest A; autodiscover.contoso.com = Forest A CAS
1.) Client asks: what is the Autodiscover endpoint for ben@contoso.com?
2.) Client sends the Autodiscover request to the DNS FQDN for contoso.com
3.) Client authenticates; the CAS returns the profile data in XML format
Autodiscover – two orgs
Public DNS: MX contoso.com = Forest A; autodiscover.contoso.com = Forest A CAS; autodiscover.fabrikam.com = Forest B CAS
Forest A owns contoso.com. Forest B owns fabrikam.com and shares contoso.com.
Yann in Forest A: primary yann@contoso.com, TargetAddress yann@fabrikam.com
Yann in Forest B: primary yann@contoso.com, proxy yann@fabrikam.com
1.) Client asks: what is the Autodiscover endpoint for yann@contoso.com?
2.) Client sends the Autodiscover request to the DNS FQDN for contoso.com (Forest A)
3.) Forest A redirects the Autodiscover request to the DNS FQDN for fabrikam.com, based on Yann's TargetAddress
4.) Client asks: what is the Autodiscover endpoint for yann@fabrikam.com?
5.) Client sends the Autodiscover request to the DNS FQDN for fabrikam.com (Forest B)
6.) Client authenticates; the CAS returns the profile data in XML format
Multi-org hybrid deployment steps
1. Prepare
   • Update each Exchange organization to Exchange 2013 Service Pack 1
   • Validate that Autodiscover is properly configured and published in each Exchange organization
   • Validate that the public certificates for each Exchange org are unique
   • Create a two-way forest trust
2. Configure mail flow on-premises
   • Configure SMTP domain sharing as required
   • Configure mail flow between the on-premises organizations
3. Configure directory synchronization
   • Configure FIM with a management agent for each AD forest plus the AAD Connector to synchronize mail recipients in each forest and the Office 365 tenant
4. Run the Hybrid Configuration Wizard
   • Prepare the Office 365 tenant
   • Run the HCW in contoso.com and in fabrikam.com
   • Validate mail flow between all entities
5. Configure AD FS
   • Configure AD FS (with an AD FS proxy) in contoso.com and in fabrikam.com for federated authentication to Azure AD
6. Configure organization relationships
   • Configure an organization relationship between each org
Diagram: Exchange 2013 in contoso.com and in fabrikam.com, joined by the two-way forest trust and SMTP/TLS mail flow; both orgs are federated to the Office 365 directory (contoso.onmicrosoft.com, fabrikam.onmicrosoft.com) through the federated trust relationship and Azure AD authentication.
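Steps 2 and 6 of the multi-org procedure, plus the recipient shape that drives the two-org Autodiscover redirect, as an added example that is not from the deck. It is run in the contoso.com organization's Exchange Management Shell and mirrored in fabrikam.com. The server names EX2013MBX01 and mail.fabrikam.com and the sample users are assumptions; the forest trust, directory synchronization and both federation trusts are assumed to be in place already.

```powershell
# Added example, not from the deck: run in the contoso.com org; mirror it in fabrikam.com.
# Assumed: EX2013MBX01, mail.fabrikam.com, users yann@contoso.com and ben@contoso.com.

# Step 2: mail flow to the other on-premises org. fabrikam.com is owned by the other
# forest, so route that address space straight to its Exchange and require TLS
# validated against the name on fabrikam's public certificate. Without TlsAuthLevel
# and TlsDomain, any host that answers on the smart host name can read cross-forest mail.
New-SendConnector -Name "To fabrikam.com (on-premises)" -Usage Custom `
    -AddressSpaces "fabrikam.com" -DNSRoutingEnabled $false -SmartHosts "mail.fabrikam.com" `
    -SourceTransportServers "EX2013MBX01" -RequireTLS $true `
    -TlsAuthLevel DomainValidation -TlsDomain "mail.fabrikam.com"

# Step 6: organization relationship contoso -> fabrikam. The HCW only creates the
# relationship to the tenant; the on-prem-to-on-prem one is built by hand from the
# federation information the other org publishes through Autodiscover. Mailbox moves
# between the two on-prem orgs are not part of this design, so leave them disabled.
Get-FederationInformation -DomainName "fabrikam.com" |
    New-OrganizationRelationship -Name "Fabrikam (on-premises)" `
        -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails `
        -MailboxMoveEnabled $false

# Checks. Yann is a Forest A recipient whose target address (ExternalEmailAddress)
# points at fabrikam.com; that value is what the Forest A CAS uses to redirect
# Yann's Autodiscover request to autodiscover.fabrikam.com.
Get-Recipient -Identity "yann@contoso.com" |
    Format-List RecipientTypeDetails, PrimarySmtpAddress, ExternalEmailAddress
Test-OrganizationRelationship -Identity "Fabrikam (on-premises)" -UserIdentity "ben@contoso.com"
```

Run the same two blocks in fabrikam.com with the names swapped (address space contoso.com, smart host mail.contoso.com, federation information for contoso.com); because fabrikam.com shares contoso.com, its contoso.com accepted domain is an internal relay domain, not authoritative, so mail for contoso.com recipients it does not know about still flows to Forest A.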
Mail Routing
Common Issues – XTC and MFG retirements
Hybrid Discovery searches fail
• Cause: XTC has been retired and (undocumented) OAuth was the replacement
• Documented: http://technet.microsoft.com/en-us/library/dn497703(v=exchg.150).aspx
• Resolution: implement OAuth for hybrid Discovery searches
I cannot see cross-premises free/busy? Happy retirement, consumer MFG!!
• Cause: the consumer Microsoft Federation Gateway (MFG) was retired on February 25, 2014
• Resolution: recreate the federation trust and the organization relationships
• Documented: http://support.microsoft.com/kb/2937358
"Length of the property is too long" • Cause: TLS Certificate Name is greater than 256 characters • Documented: http: //support. microsoft. com/kb/2860844 • Resolution: coming soon, for now you need to get a different certificate • Often, customers need guidance on how to configure their perimeter devices • Here is a Wiki on how to configure TMG for hybrid: http: //community. office 365. com/enus/wikis/exchange/1042. aspx? sort=mostrecent&pageindex=1
Mailbox moves fail with a transient exception
• Error: "Mailbox move to the cloud fails with error: Transient error CommunicationErrorTransientException has occurred. The system will retry"
• Cause: intrusion detection systems can often see migration traffic as an attack; flood mitigation in TMG can cause this as well
• Scope any exception to the Exchange Online source address ranges and the EWS/MRSProxy path rather than disabling the protection for the whole published site
• This wiki explains how to address the issue: http://community.office365.com/en-us/wikis/exchange/office-365-move-mailbox-fails-with-transient-exception.aspx
HCW fails with timeout errors
• Cause: timeout issues are not handled well by the HCW (we are getting better)
• Running the HCW a second time is often all that is needed…
"InvalidUri: Passed URI is not valid"
• Cause: certain words such as "bank", profanity, and large org names are blocked from federating
• Calling Support is the only option to resolve the issue
• Documented: http://support.microsoft.com/kb/2615183
"Federation. Information could not be received" • • Cause: IIS is missing a handler mapping which causes connection to EWS and AUTOD to fail Errors: Get-Federation Information returns “ 405 Method Not Allowed” Resolution: from a cmd prompt run “Service. Model. Reg. exe –r” Documented: http: //support. microsoft. com/kb/2773628 • Cause: If you have an outbound proxy, you may be blocking required traffic • Resolution: ensure that your server have access to the proper IP and URL • Recommendation: If you require an outbound proxy try to use URL filtering instead of IP, it is easier to maintain • Documented: There is an EHLO blog on this here
Common Issues – Runtime: cross-site proxy
Diagram: a cloud free/busy request for mail.contoso.com arrives at the layer 4 load balancer in the Internet-facing site and hits the Exchange 2013 CAS, which proxies the HTTP request across sites to the Exchange 2010 CAS (and Exchange 2010 MBX) in the intranet site.
Resolution: set the Exchange 2010 EWS ExternalUrl to mail.contoso.com; see http://technet.microsoft.com/en-us/library/hh529912(v=exchg.150).aspx
Common Issues – Runtime: mailbox moves fail with no error shown
• Cause: bad password for the admin account, publishing issues, MRS disabled, etc.
• Errors: NONE. Wave 14 surfaced an error for this; in Wave 15 there is no indication of failure.
• Resolution: use the EAC in EXO
"Free/Busy information couldn’t be retrieved because the attendee's Mailbox server is busy" • Cause: Target. Sharing. EPR is configured • More Information: • • SOAP request will include the following element: <ext: Request. Server. Version="Exchange 2012" xmlns: ext="http: //schemas. microsoft. com/exchange/services/2006/types" /> When an Exchange 2010 CAS server receives the EWS call, it will throw an HTTP 500 response Autodiscover response will have the following element: <h: Server. Version. Info Major. Version="14" Minor. Version="3" Major. Build. Number="123" Minor. Build. Number="3" 2010 soap: <ext: Request. Server. Version="Exchange 2009" xmlns: ext="http: //schemas. microsoft. com/exchange/services/2006/types" /> • Resolution: Fix Autodiscover! • http: //support. microsoft. com/kb/2838688
Common Issues – Runtime: hybrid OWA redirection
• Issue: hybrid OWA redirection does not work as expected; this was addressed in Exchange 2013 CU3
• This is not an issue on Exchange 2010 hybrid environments
• http://support.microsoft.com/kb/2890814
Common Issues – Runtime: federation UI in Exchange 2010 SP3 RU2
• In Exchange 2010 SP3 RU2 the domain proof is missing from the EMC
• Workaround: use the Shell: Get-FederatedDomainProof
• This is addressed in Exchange 2010 SP3 RU3
• In Exchange 2010 SP3 RU2 you cannot add additional domains to a federation trust from the UI; use the Shell as a workaround
• This has also been addressed in Exchange 2010 SP3 RU3
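Diagnostics for three of the issues above (the "FederationInformation could not be received" 405, the free/busy HTTP 500 caused by TargetSharingEpr, and the SP3 RU2 domain-proof and add-domain workarounds), as an added example that is not from the deck. The domain names are assumptions. Sections 1 and 3 run in the on-premises shell; section 2 runs in an Exchange Online PowerShell session, because the pinned TargetSharingEpr lives on the cloud side of the organization relationship.

```powershell
# Added example, not from the deck. Domain names are assumptions.
$domain = "contoso.com"

# 1. "FederationInformation could not be received" / 405 Method Not Allowed.
try {
    Get-FederationInformation -DomainName $domain -ErrorAction Stop |
        Format-List TargetApplicationUri, TargetAutodiscoverEpr
} catch {
    Write-Warning "Get-FederationInformation failed: $($_.Exception.Message)"
    # A 405 from the Autodiscover/EWS .svc endpoints means the WCF handler mappings are
    # missing from IIS. Re-register them on the CAS (KB2773628) and retry. This is the
    # ServiceModelReg.exe -r from the slide, run from the folder it ships in on 64-bit Windows.
    & "$env:windir\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe" -r
}

# 2. Free/busy "attendee's Mailbox server is busy" (HTTP 500 from a 2010 CAS).
#    In the Exchange Online session: when TargetSharingEpr is pinned, the cloud skips
#    Autodiscover and sends RequestServerVersion Exchange2012 to whatever answers at
#    that URL. Clear it so the version is taken from the ServerVersionInfo in the
#    Autodiscover response and a 2010 CAS gets Exchange2009 instead.
Get-OrganizationRelationship |
    Where-Object { ($_.DomainNames -like $domain) -and $_.TargetSharingEpr } |
    ForEach-Object {
        Write-Warning "$($_.Name): TargetSharingEpr=$($_.TargetSharingEpr), clearing"
        Set-OrganizationRelationship -Identity $_.Identity -TargetSharingEpr $null
    }

# 3. Exchange 2010 SP3 RU2 EMC hides the domain proof and cannot add domains to the
#    trust; both work from the shell. The Proof value is published as a public TXT
#    record for the domain, and the federation trust cannot be used for that domain
#    until that record resolves.
Get-FederatedDomainProof -DomainName $domain | Format-List
Add-FederatedDomain -DomainName "nwtraders.com"
Get-FederatedDomainProof -DomainName "nwtraders.com" | Format-List
```

Clearing TargetSharingEpr only helps when Autodiscover for the domain actually resolves to the Exchange 2013 CAS (the "Fix Autodiscover!" resolution); if autodiscover.contoso.com still points at a 2010 CAS, the cloud will discover a 14.x server and stop sending Exchange2012, but any 2013-only sharing features will not be reachable either.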
Common Issues – Runtime: managing the tenant from the Exchange 2010 EMC
• Cause: Exchange cannot manage "newer version" objects
• This means the Exchange 2010 EMC cannot manage organization settings for an Exchange 2013-based tenant
• Resolution: use the EAC instead for org management
Summary
http://aka.ms/hybridkey
http://aka.ms/exdeploy
Related Sessions

Session name         Session type    Date        Time       Speaker
MVP follow-up Q&A                    Today       12:10 PM   Us
MNG-IN301            Breakout        Wednesday   2:45 PM    Vincent Yim
DMI301               Breakout        Wednesday   8:30 AM    Michael Van Horenbeeck
PAR003               Hands-on lab    Wednesday   12:00 PM   Federic Bourget
MNG301               Breakout        Wednesday   10:15 AM   Warren Johnson