Exchange Hybrid Deployment

Scott Schnoll
Senior Program Manager
Microsoft Corporation
Agenda
Office 365 Hybrid Scenarios
Exchange Hybrid Fundamentals
Exchange Hybrid Deployment
Exchange Hybrid Advanced Topics
Managing Exchange Hybrid
Mailbox Migration
Why Exchange Hybrid?
[Figure: Exchange hybrid connects the on-premises Exchange organization and Office 365 for a shared address book, calendaring & free/busy, messaging, and mailbox moves via the Mailbox Replication Service (MRS).]
Hybrid Scenarios
Office 365 Hybrid Scenarios
On Prem
Office 365
Exchange Hybrid
Exchange Online
OAuth
SharePoint Hybrid
SharePoint Online
OAuth
Lync Hybrid
Lync Online
Exchange Hybrid Scenario
- On-premises Exchange organization: an existing Exchange environment (Exchange 2007 or later) with Exchange 2013 Client Access and Mailbox servers acting as the hybrid servers
- Office 365 Active Directory synchronization: users, contacts, and groups via Azure AD Sync
- Secure mail flow between the on-premises organization and Office 365
- Sharing (free/busy, MailTips, archive, etc.)
- Mailbox data moved via the Mailbox Replication Service (MRS)

Hybrid Deployment and Configuration
Planning
- Begin with the Exchange Deployment Assistant: http://aka.ms/exdeploy
- Validate that the existing environment is in a standard and supported configuration
- Primary namespace(s) MUST point to the latest installed version of Exchange
- Use standard sizing guidance; migration traffic is more taxing than the rest of the workload
Exchange 2013 hybrid deployment
From an existing Exchange 2007 or 2010 environment (no Edge Transport server):
1. Prepare
   - Install Exchange updates on all legacy servers (Exchange 2010 SP3/UR8 or Exchange 2007 SP3/UR15)
   - Prepare Active Directory with the Exchange 2013 schema
2. Deploy Exchange 2013
   - Install both roles (Client Access and Mailbox)
   - Configure and enable the Mailbox Replication Service (MRS Proxy)
3. Obtain and deploy certificates
   - Obtain and deploy certificates on the Exchange 2013 Client Access servers
4. Publish protocols externally
   - Create public DNS A records for the EWS and SMTP endpoints (mail.contoso.com)
   - Validate using the Remote Connectivity Analyzer
5. Switch the Autodiscover namespace (autodiscover.contoso.com) to Exchange 2013
6. Run the Hybrid Configuration Wizard
7. Move mailboxes
[Figure: an Internet-facing site where Exchange 2013 fronts the Exchange 2010/2007 servers, with autodiscover.contoso.com and mail.contoso.com (EWS, SMTP) published to the Internet, plus an intranet-only site containing Exchange 2010/2007.]
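The certificate, EWS/MRS Proxy and Autodiscover steps above, as an added example that is not part of the presentation. It runs in the Exchange 2013 Management Shell before the HCW; the server name EX2013-01 and the contoso.com namespaces are assumptions, and it changes configuration only where the current value differs from the target.

```powershell
# Added example (not from the presentation): pre-HCW checks for steps 2, 3 and 5 above.
# Server and namespace values are assumptions; replace them with your own.
$server     = "EX2013-01"
$mailHost   = "mail.contoso.com"
$autodHost  = "autodiscover.contoso.com"
$namespaces = @($mailHost, $autodHost)

# $true when a certificate's SAN list covers a host name literally or via a wildcard entry.
function Test-CertCoversHost([string[]]$CertificateDomains, [string]$HostName) {
    $parent = $HostName.Substring($HostName.IndexOf('.') + 1)
    return ($CertificateDomains -contains $HostName) -or ($CertificateDomains -contains "*.$parent")
}

# Step 3: pick a valid, CA-issued certificate that covers every hybrid namespace.
# The HCW does not accept a self-signed certificate for the hybrid mail-flow connectors.
$cert = Get-ExchangeCertificate -Server $server |
    Where-Object { -not $_.IsSelfSigned -and $_.Status -eq 'Valid' -and $_.NotAfter -gt (Get-Date).AddDays(30) } |
    Where-Object { $c = $_; @($namespaces | Where-Object { -not (Test-CertCoversHost $c.CertificateDomains $_) }).Count -eq 0 } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid CA-issued certificate on $server covers $($namespaces -join ', ')" }

# Bind it to IIS (EWS, Autodiscover, MRS Proxy) and SMTP (TLS for hybrid mail flow).
$svc = $cert.Services.ToString()
if ($svc -notmatch '\bIIS\b' -or $svc -notmatch '\bSMTP\b') {
    Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Force
}

# Steps 2 and 4: EWS must be published on the mail namespace with MRS Proxy enabled,
# otherwise remote moves initiated from Office 365 cannot reach the on-premises MRS.
$ews    = Get-WebServicesVirtualDirectory -Server $server | Select-Object -First 1
$ewsUrl = "https://$mailHost/EWS/Exchange.asmx"
if (-not $ews.MRSProxyEnabled -or "$($ews.ExternalUrl)" -ne $ewsUrl) {
    Set-WebServicesVirtualDirectory -Identity $ews.Identity -ExternalUrl $ewsUrl -MRSProxyEnabled $true
}

# Step 5: point the internal Autodiscover SCP at Exchange 2013. The public DNS record for
# autodiscover.contoso.com is moved to the Exchange 2013 Internet-facing CAS separately.
$autodUrl = "https://$autodHost/Autodiscover/Autodiscover.xml"
$cas = Get-ClientAccessServer -Identity $server
if ("$($cas.AutoDiscoverServiceInternalUri)" -ne $autodUrl) {
    Set-ClientAccessServer -Identity $server -AutoDiscoverServiceInternalUri $autodUrl
}

# Resulting state, for the change record.
[pscustomobject]@{
    Server          = $server
    Thumbprint      = $cert.Thumbprint
    Expires         = $cert.NotAfter
    EwsExternalUrl  = (Get-WebServicesVirtualDirectory -Identity $ews.Identity).ExternalUrl
    AutodiscoverUri = (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
}
```

Run it once per Exchange 2013 Client Access server, then confirm the external view with the Remote Connectivity Analyzer before running the HCW.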
Hybrid Configuration Wizard Fundamentals
Exchange Hybrid Wizard History
- Exchange 2013 SP1: multiple Exchange organizations now supported; supports Exchange 2013 Edge Transport
- Thousands of tenants and millions of mailboxes in Office 365 are using Exchange Hybrid
Hybrid Configuration Wizard
- A desired-state configuration engine
- Applies configuration to both the on-premises and the online organizations
How the Hybrid Configuration Engine works:
1. The Update-HybridConfiguration cmdlet (run from the Exchange Management Tools) triggers the Hybrid Configuration Engine to start.
2. The Hybrid Configuration Engine reads the "desired state" stored on the HybridConfiguration Active Directory object.
3. The Hybrid Configuration Engine connects via Remote PowerShell to both the on-premises and the Exchange Online organizations.
4. The Hybrid Configuration Engine discovers topology data and current configuration from the on-premises Exchange organization and the Exchange Online organization.
5. Based on the desired state, topology data, and current configuration across both organizations, the Hybrid Configuration Engine establishes the "difference" and then executes configuration tasks to establish the "desired state."

Objects configured in the on-premises Exchange organization:
- Exchange server level: Mailbox Replication Service Proxy, certificate validation, Exchange Web Services virtual directory validation, and Receive Connector
- Domain level: Accepted Domains, Remote Domains, and E-mail Address Policies
- Organization level: Exchange Federation Trust, Organization Relationship, Availability Address Space, and Send Connector

Objects configured in the Exchange Online organization:
- Domain level: Accepted Domains and Remote Domains
- Organization level: Exchange Federation Trust, Organization Relationship, Forefront Inbound Connector, and Forefront Outbound Connector
Exchange Hybrid Advanced Topics
Multi Org Hybrid
Supported Exchange Topologies
Exchange 2013 (pre-SP1) / Exchange 2010:
- Single forest model: accounts and mailboxes in a single forest
- Resource forest model: multiple account forests, single resource forest
- 1:1 relationship between an Exchange organization and a single O365 tenant
Exchange 2013 Service Pack 1:
- Supports multiple Exchange organizations configured against a single O365 tenant
- Multiple forests, each containing accounts and Exchange organizations
- N:1 relationship between Exchange organizations and a single O365 tenant
[Figure: a single contoso.com organization in hybrid with Office 365 (1:1) versus contoso.com and fabrikam.com organizations both in hybrid with the same Office 365 tenant (N:1).]
Exchange 2013 multi-org hybrid deployment
1. Prepare
   - Update each Exchange organization to Service Pack 1
   - Validate that Autodiscover is properly configured and published in each Exchange organization
   - Validate that the public certificates for each Exchange org are unique
   - Create a two-way forest trust
2. Configure mail flow on-premises
   - Configure SMTP domain sharing as required
   - Configure mail flow between the on-premises organizations
3. Configure directory synchronization
   - Configure AAD Sync (FIM management agent) to synchronize mail recipients in each forest and the Office 365 tenant
4. Run the Hybrid Configuration Wizard
   - Prepare the Office 365 tenant
   - Run the HCW in contoso.com and in fabrikam.com
   - Validate mail flow between all entities
5. Configure ADFS, or use AAD with password sync
   - Configure ADFS in contoso.com
   - Configure ADFS in fabrikam.com
6. Configure Organization Relationships
   - Configure an Org Relationship between each org
[Figure: contoso.com and fabrikam.com forests, each with Exchange 2013, ADFS and an ADFS Proxy, joined by a two-way forest trust and SMTP/TLS mail flow; AAD Sync (FIM) feeds both forests into the Azure AD / Office 365 directory (tenant fabrikam.onmicrosoft.com); federated authentication via ADFS and Azure AD Auth; organization relationships between each on-premises org and Office 365.]
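Step 6 of the procedure above, as an added example that is not part of the presentation: creating and testing the organization relationship (DAuth) from contoso.com towards fabrikam.com. It runs in the contoso.com Exchange Management Shell and is repeated in fabrikam.com with the domains swapped; the relationship name "Fabrikam", the test user ben@contoso.com and the access levels are assumptions.

```powershell
# Added example (not from the presentation): DAuth organization relationship contoso -> fabrikam.
# Name, test user and access levels are assumptions.
$remoteDomain = "fabrikam.com"
$relName      = "Fabrikam"
$testUser     = "ben@contoso.com"

# DAuth needs a federation trust with the Microsoft Federation Gateway and at least one
# federated domain; the HCW created both when contoso.com became hybrid.
if (-not (Get-FederationTrust)) { throw "No federation trust exists; organization relationships need one" }
if (-not (Get-FederatedOrganizationIdentifier).Domains) { throw "No federated domains on the organization identifier" }

# Discover fabrikam.com's federated endpoints (application URI and Autodiscover EPR). This
# fails if fabrikam.com has no federation trust or has not published Autodiscover (step 1).
$info = Get-FederationInformation -DomainName $remoteDomain -ErrorAction Stop

# Create the relationship once; afterwards only adjust its settings. DAuth is granular, so the
# feature set is chosen per relationship (free/busy detail level, MailTips level).
$rel = Get-OrganizationRelationship -Identity $relName -ErrorAction SilentlyContinue
if (-not $rel) {
    New-OrganizationRelationship -Name $relName `
        -DomainNames $info.DomainNames `
        -TargetApplicationUri $info.TargetApplicationUri `
        -TargetAutodiscoverEpr $info.TargetAutodiscoverEpr `
        -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails `
        -MailTipsAccessEnabled $true -MailTipsAccessLevel Limited
} else {
    Set-OrganizationRelationship -Identity $relName `
        -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails `
        -MailTipsAccessEnabled $true -MailTipsAccessLevel Limited
}

# A domain listed in more than one relationship (for example also in the hybrid relationship
# to Office 365) makes it ambiguous which settings apply; flag it for review.
$newDomains = @($info.DomainNames | ForEach-Object { "$_" })
$overlap = Get-OrganizationRelationship | Where-Object {
    $_.Name -ne $relName -and @($_.DomainNames | ForEach-Object { "$_" } | Where-Object { $newDomains -contains $_ }).Count -gt 0
}
if ($overlap) { Write-Warning "Domain overlap with relationship(s): $($overlap.Name -join ', ')" }

# End-to-end check: token request to the MFG and a free/busy call to fabrikam.com on behalf of
# the test user. Every step should report Success.
Test-OrganizationRelationship -Identity $relName -UserIdentity $testUser -Verbose
```

Run the same block in fabrikam.com with $remoteDomain = "contoso.com" so sharing works in both directions; a one-way relationship only lets one side look up the other.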
OAuth and Hybrid
DAuth vs OAuth
DAuth (Organization Relationships):
- Uses the Microsoft Federation Gateway for token generation
- Organization Relationships control which companies you share information with
- Allows granular control of which features are available (free/busy, MailTips)
OAuth (IntraOrganization Connectors):
- Uses the Auth Server in Azure AD (better resiliency, and faster for in-forest communications)
- IntraOrgConnectors / IntraOrganizationConfiguration control which companies you can share information with
- No granular control of the feature set (all or nothing)
Configure OAuth for Hybrid
- HCW now includes automated configuration for OAuth
- Enables cross-premises discovery searches and cross-premises archive moves
- Can be used for much more, such as free/busy, and is used by 21Vianet customers (Greater China region)
- Long-term authentication approach for future capabilities
- The Configure button is not available if you are not running at least Exchange 2013 SP1 on all of your Exchange servers
- Exchange 2013 pre-SP1 (and 2010/2007): do you really need OAuth?
eDiscovery Scenarios and OAuth
Requires OAuth:
- Search on-premises and Exchange Online mailboxes in the same eDiscovery search initiated from the Exchange on-premises organization
- Search Exchange on-premises mailboxes that use Exchange Online Archiving for cloud-based archive mailboxes
- Search Exchange Online mailboxes from an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer
Does not require OAuth:
- Search on-premises mailboxes using an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer
- Search Exchange Online mailboxes from an eDiscovery search initiated from Exchange Online or the eDiscovery Center in SharePoint Online by an Office 365 tenant administrator or a compliance officer signed in to an Office 365 user account
Free/Busy and OAuth
Free/Busy works with OAuth
Not all features work with OAuth
HCW configures both Org Relationship and
IntraOrgConnectors
Free/Busy using DAuth
[Figure: on-premises user "Ben" requests free/busy for "Joe", whose mailbox is in Exchange Online. The request goes from Ben's Mailbox server to the on-premises Client Access server, which obtains a delegation token from the Microsoft Federation Gateway; the CAS then passes the MFG token to Exchange Online and requests Joe's free/busy on behalf of Ben.]
Free/Busy using OAuth
[Figure: the same request from "Ben" to "Joe", but the on-premises Exchange server connects to the Azure OAuth endpoint for a token instead of the Microsoft Federation Gateway, then passes that token to Exchange Online and requests Joe's free/busy on behalf of Ben.]
Free/Busy works through a series of checks:
1. First we check whether we can find free/busy locally
2. Second (if the mailbox is not local) we check for an IntraOrganizationConnector (IOC)
3. Third (if there is no IOC) we check for an Organization Relationship
4. Fourth we check for an availability address space
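The four checks above, as an added example that is not part of the presentation: a diagnostic function that reports which free/busy path the on-premises organization would use for a target address and, when an IntraOrganizationConnector is selected, tests the OAuth leg with Test-OAuthConnectivity. It mirrors the decision order, not Exchange's internal code; it runs in the Exchange 2013 SP1 Management Shell, and the addresses joe@contoso.com and ben@contoso.com are assumptions.

```powershell
# Added example (not from the presentation): trace the free/busy lookup order for one target.
function ToStrings($MultiValued) { @($MultiValued | ForEach-Object { $_.ToString() }) }

function Resolve-FreeBusyPath {
    param(
        [Parameter(Mandatory)][string]$TargetAddress,      # the recipient whose free/busy is wanted
        [Parameter(Mandatory)][string]$RequestingMailbox   # on-premises mailbox used for the OAuth test
    )
    # 1. Local: the target mailbox is homed in this organization, no cross-premises call.
    if (Get-Mailbox -Identity $TargetAddress -ErrorAction SilentlyContinue) {
        return [pscustomobject]@{ Path = 'Local'; Detail = 'Mailbox is on-premises' }
    }
    # An Office 365 mailbox appears on-premises as a mail user whose external address carries the
    # tenant routing domain (contoso.mail.onmicrosoft.com). Connectors and relationships are
    # matched against that domain, not against the primary SMTP domain.
    $domain = $TargetAddress.Split('@')[1]
    $mu = Get-MailUser -Identity $TargetAddress -ErrorAction SilentlyContinue
    if ($mu -and $mu.ExternalEmailAddress) { $domain = $mu.ExternalEmailAddress.AddressString.Split('@')[1] }

    # 2. IntraOrganizationConnector (OAuth). If the token call fails there is no fallback to DAuth,
    #    so the OAuth leg is tested here against the connector's own discovery endpoint.
    $ioc = Get-IntraOrganizationConnector |
        Where-Object { $_.Enabled -and ((ToStrings $_.TargetAddressDomains) -contains $domain) } |
        Select-Object -First 1
    if ($ioc) {
        $oauth = Test-OAuthConnectivity -Service AutoD -TargetUri $ioc.DiscoveryEndpoint -Mailbox $RequestingMailbox
        return [pscustomobject]@{ Path = 'OAuth'; Detail = "IOC '$($ioc.Name)' -> $($ioc.DiscoveryEndpoint); OAuth test: $($oauth.ResultType)" }
    }
    # 3. Organization relationship (DAuth via the Microsoft Federation Gateway).
    $rel = Get-OrganizationRelationship |
        Where-Object { $_.Enabled -and $_.FreeBusyAccessEnabled -and ((ToStrings $_.DomainNames) -contains $domain) } |
        Select-Object -First 1
    if ($rel) {
        return [pscustomobject]@{ Path = 'DAuth'; Detail = "OrganizationRelationship '$($rel.Name)', FreeBusyAccessLevel=$($rel.FreeBusyAccessLevel)" }
    }
    # 4. Availability address space (cross-forest configuration).
    $aas = Get-AvailabilityAddressSpace | Where-Object { $_.ForestName -eq $domain } | Select-Object -First 1
    if ($aas) {
        return [pscustomobject]@{ Path = 'AvailabilityAddressSpace'; Detail = "ForestName=$($aas.ForestName), AccessMethod=$($aas.AccessMethod)" }
    }
    return [pscustomobject]@{ Path = 'None'; Detail = "No IOC, organization relationship or address space matches $domain" }
}

Resolve-FreeBusyPath -TargetAddress 'joe@contoso.com' -RequestingMailbox 'ben@contoso.com'
```

Because the HCW configures both an IntraOrganizationConnector and an Organization Relationship, a broken OAuth configuration surfaces as free/busy failures even though the DAuth relationship is healthy; the function makes that visible by reporting the OAuth test result on the path that is actually selected.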
Public Folders and Hybrid
Hybrid Public Folder Options
1. Office 365 mailbox can access legacy PFs on-premises
2. Office 365 mailbox can access Modern PFs on-premises
3. Exchange 2013 on-premises mailbox can access Modern PFs in Office 365

Mailbox version vs. PF location:
Mailbox version    PF on 2007 on-prem   PF on 2010 on-prem   PF on 2013 on-prem   PF in Exchange Online
Exchange 2007      Yes                  Yes                  No                   No
Exchange 2010      Yes                  Yes                  No                   No
Exchange 2013      Yes                  Yes                  Yes                  Yes*
Exchange Online    Yes*                 Yes*                 Yes*                 Yes
Hybrid PF access
1. Outlook connects to the cloud mailbox, starting by querying autodiscover.contoso.com (on-premises).
2. On-premises Autodiscover responds with the target address for the cloud mailbox.
3. Outlook does Autodiscover for the target address contoso.mail.onmicrosoft.com (Exchange Online).
4. EXO responds with PFMailbox information obtained from the org config or set explicitly on the mailbox:
   <PublicFolderInformation>
     <SmtpAddress>[email protected]</SmtpAddress>
   </PublicFolderInformation>
5. Outlook performs Autodiscover against [email protected] (on-premises).
6. Outlook settings are returned, including the server name of the PF/CAS.
7. When PF access is initiated, Outlook makes the connection: it authenticates as the user over the public mailbox authentication, and the request is proxied to the PF server (running the CAS role).
Syncing Public Folders
DirSync currently does not sync mail-enabled
public folder objects in either direction
We recommend customers run the following
scripts periodically to sync these objects from
on-premises to the cloud directory
Hybrid
Management
Can I Retire Hybrid Servers?
Maintain Exchange Hybrid servers post
migration for:
Hybrid Mailbox
Migration
Mailbox Migration
All mailbox migration paths are now supported from the Exchange
Admin Center through a unified mailbox move wizard
Moves are “pulled” from on-premises to the cloud
All move types now support the new “batch” architecture, which
allows for easier creation and management of multiple moves
As with Exchange 2010, hybrid mailbox moves support off-boarding
from the cloud to on-premises
Migration performance factors:
- Maximum default concurrent moves is 100 (exceptions can be made)
- Item count is a factor in migration performance
- Expect a 0.3–1.0 GB/hour range per mailbox
- Firewall configuration on the on-premises organization
- Multiple concurrent moves allow for optimized migrations
- Migrations are not classified as "user expected" work by Workload Management (WLM), so they yield to user traffic
- Source-side performance is a COMMON factor
- Network latency is a factor
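The batch-based onboarding move described above, as an added example that is not part of the presentation: it creates a remote-move batch from Exchange Online PowerShell and then measures per-mailbox throughput from the move statistics, so the factors listed above (item count, source-side speed, concurrency) can be checked against the 0.3–1.0 GB/hour range. The admin account, CSV path, delivery domain and notification address are assumptions.

```powershell
# Added example (not from the presentation): remote-move batch plus throughput report.
# Credentials, paths and domains are assumptions. Connect to Exchange Online PowerShell.
$cred = Get-Credential 'admin@contoso.onmicrosoft.com'
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking | Out-Null

# CSV with a single "EmailAddress" header and one mailbox per line.
$csvPath  = 'C:\Migration\batch01.csv'

# The HCW creates the remote-move (MRS Proxy) endpoint; moves are pulled from on-premises through it.
$endpoint = Get-MigrationEndpoint | Where-Object { $_.EndpointType -eq 'ExchangeRemoteMove' } | Select-Object -First 1
if (-not $endpoint) { throw 'No ExchangeRemoteMove endpoint found; run the HCW or New-MigrationEndpoint first' }

$batch = New-MigrationBatch -Name 'Batch01' `
    -SourceEndpoint $endpoint.Identity `
    -TargetDeliveryDomain 'contoso.mail.onmicrosoft.com' `
    -CSVData ([System.IO.File]::ReadAllBytes($csvPath)) `
    -NotificationEmails 'migration-team@contoso.com' `
    -AutoStart
# Without -AutoComplete the batch syncs to 95% and waits, so cut-over is a deliberate step:
#   Complete-MigrationBatch -Identity Batch01

# Per-mailbox throughput. The service caps concurrent moves (100 by default) and slow moves are
# usually source-side, so measure before asking for a higher concurrency limit.
function Get-MoveThroughput([string]$BatchName) {
    Get-MigrationUser -BatchId $BatchName | ForEach-Object {
        $s = Get-MoveRequestStatistics -Identity $_.Identity
        $hours = if ($s.StartTimestamp) { ((Get-Date) - $s.StartTimestamp).TotalHours } else { 0 }
        $gbPerHour = $null
        if ($hours -gt 0 -and $s.BytesTransferred) {
            $gbPerHour = [math]::Round($s.BytesTransferred.ToBytes() / 1GB / $hours, 2)
        }
        [pscustomobject]@{
            Mailbox   = $_.Identity
            Status    = $s.StatusDetail
            Items     = $s.TotalMailboxItemCount
            Percent   = $s.PercentComplete
            GBPerHour = $gbPerHour
            Message   = $s.Message
        }
    }
}

Get-MoveThroughput -BatchName $batch.Identity | Sort-Object GBPerHour | Format-Table -AutoSize
```

Mailboxes that sit well below the expected range with a high item count are the ones to look at first; the Message column carries MRS's own explanation (throttling, source latency, transient errors) without opening the full move report.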
Latest News
Certificate Refresh
A new Microsoft Federation Gateway certificate will break federated features (free/busy and other DAuth-based sharing) unless the federation trust metadata is refreshed.
Future proof: schedule a daily metadata refresh on one Exchange server:
Schtasks /create /sc Daily /tn FedRefresh /tr "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -version 2.0 -command Add-PSSnapIn Microsoft.Exchange.Management.PowerShell.E2010;$fedTrust = Get-FederationTrust;Set-FederationTrust -Identity $fedTrust.Name -RefreshMetadata" /ru System
[Figure: the DAuth free/busy flow (Ben on-premises, Joe in Exchange Online, token from the Microsoft Federation Gateway), which depends on the federation trust holding the gateway's current certificate.]
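A check to pair with the scheduled refresh above, as an added example that is not part of the presentation: it shows which gateway certificates the trust currently holds, verifies that every Exchange server has the organization's own federation certificate installed, and runs an end-to-end token test. It runs in the Exchange Management Shell; the test user ben@contoso.com is an assumption.

```powershell
# Added example (not from the presentation): verify the federation trust after a metadata refresh.
$trust = Get-FederationTrust
if (-not $trust) { throw 'No federation trust configured' }

# The gateway's current and previous token-issuer certificates tell you whether a rollover is
# in progress; the org certificates are the ones this organization signs token requests with.
$trust | Format-List Name, ApplicationUri, TokenIssuerCertificate, TokenIssuerPrevCertificate,
    OrgCertificate, OrgPrevCertificate, OrgNextCertificate

# Each Exchange server needs the organization's federation certificate present locally,
# otherwise that server cannot obtain delegation tokens.
Test-FederationTrustCertificate | Format-Table Site, State, Thumbprint -AutoSize

# End-to-end: trust object, certificates, metadata download and a token request for a test user.
# Any step whose Type is not Success is a problem the scheduled refresh has not fixed.
$failed = Test-FederationTrust -UserIdentity 'ben@contoso.com' | Where-Object { $_.Type -ne 'Success' }
if ($failed) {
    $failed | Format-List Id, Type, Message
    Write-Warning 'Federation trust test reported failures; run Set-FederationTrust -RefreshMetadata and retest'
} else {
    "Federation trust '$($trust.Name)' is healthy"
}
```

Run the check on a different server than the one hosting the scheduled task: Test-FederationTrustCertificate reports per site, which catches a server that missed the organization certificate even when the refresh itself succeeded.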