Uploaded 28-Mar-2018 (slide transcript)

Page 1: Office 365 Hybrid Deployments – Part 1 (download.microsoft.com/documents/hk/technet/techdays2015/Day3...)

Page 2

SVC307

Office 365 Hybrid Architecture and Deployment

Eddie Chua, Onboarding Engineer

Page 3

[Diagram: On-premises ↔ Office 365, showing Exchange Hybrid, SharePoint Hybrid and Lync Hybrid, with OAuth labelled on both sides]

Page 4

• Cloud Identity – no integration to on-premises directories
• Directory & Password Synchronization – integration without federation
• Federated Identity * – single federated identity and credentials

* Federated ID scenario can use Azure AD Sync as a backup in case of a Federation platform outage on-prem

Page 5

[Diagram: Exchange hybrid]
On-premises Exchange organization: existing Exchange environment (Exchange 2007 or later) plus an Exchange 2013 Client Access & Mailbox server; Office 365 Active Directory synchronization.
Connections to Office 365:
• Users, contacts & groups via Azure AD Sync
• Secure mail flow
• Mailbox data via the Mailbox Replication Service (MRS)
• Sharing (free/busy, MailTips, archive, PF, etc.)

Page 6

[Diagram: Lync hybrid]
On-premises Lync organization: existing Lync environment (Lync Server 2010 or 2013) with a Lync Edge Server; Office 365 Active Directory synchronization.
Connections to Office 365:
• Users, contacts & groups via Azure AD Sync
• Migration of data (contact lists / scheduled meetings)
• Media connectivity (SRTP)
• Signaling (SIP) via split SIP domain

Page 7

Lync and SharePoint hybrid

Feature support for the two customer scenarios, "Lync Online and Exchange On-Prem" and "Lync On-Prem and Exchange Online" (Supported / Note per scenario):

• View presence or IM a contact in Outlook
• Schedule and join meeting through Outlook
• View presence or IM a contact in Outlook Web Access
• View presence or IM a contact in Lync Mobile Client
• Join meeting from Lync Mobile Client
• Modify Contact List (via Unified Contact Store in Exchange) – Lync Server 2013 and Exchange only; a Lync 2013 client is required
• View or modify contact photo in Lync Web App – Lync Server 2013 only
• Delegate schedules meeting on behalf of boss * – Exchange 2013 only
• Archiving meeting content – Lync Server 2013 only
• Searching archived meeting content – Lync Server 2013 only
• Leaving or retrieving voicemail
• Publish status based on Outlook calendar free/busy
• Missed conversation history and call logs are written to the user's Exchange mailbox
• Schedule meeting through Outlook Web Access
• View presence or IM a contact in SharePoint
• Search contact by skill keyword

* Supported only when both users are homed online in the same forest or both are homed on-premises.

Page 8

Page 9

• Delegated authentication for on-premises/cloud web services – enables free/busy, calendar sharing, message tracking & online archive
• Online mailbox moves – preserve the Outlook profile and offline folders; leverage the Mailbox Replication Service (MRS)
• Manage all of your Exchange functions, whether cloud or on-premises, from the same place: Exchange Admin Center
• Authenticated and encrypted mail flow between on-premises and the cloud – preserves the internal Exchange message headers, allowing a seamless end-user experience; supports compliance mail flow scenarios (centralized transport)

Page 10

Page 11

Exchange Hybrid Wizard History

• Exchange 2013 SP1: multiple Exchange organizations now supported
• Supports Exchange 2013 Edge
• Thousands of tenants and millions of mailboxes in Office 365 using Exchange Hybrid

Page 12

Hybrid Configuration Engine

[Diagram: the Exchange Management Tools on-premises start the Hybrid Configuration Engine, which connects over Remote PowerShell to the on-premises Exchange organization and, across the Internet, to the Exchange Online organization]

Step 1: The Update-HybridConfiguration cmdlet triggers the Hybrid Configuration Engine to start.

Step 2: The Hybrid Configuration Engine reads the "desired state" stored on the HybridConfiguration Active Directory object.

Step 3: The Hybrid Configuration Engine connects via Remote PowerShell to both the on-premises and Exchange Online organizations.

Step 4: The Hybrid Configuration Engine discovers topology data and current configuration from the on-premises Exchange organization and the Exchange Online organization.

Step 5: Based on the desired state, topology data, and current configuration across both the on-premises Exchange and Exchange Online organizations, the Hybrid Configuration Engine establishes the "difference" and then executes configuration tasks to establish the "desired state."

Objects configured on-premises:
• Hybrid Configuration object (the desired state)
• Organization level configuration objects (Exchange Federation Trust, Organization Relationship, Availability Address Space, & Send Connector)
• Domain level configuration objects (Accepted Domains, Remote Domains, & E-mail Address Policies)
• Exchange server level configuration (Mailbox Replication Service Proxy, certificate validation, Exchange Web Services virtual directory validation, & Receive Connector)

Objects configured in Exchange Online:
• Organization level configuration objects (Exchange Federation Trust, Organization Relationship, Forefront Inbound Connector, & Forefront Outbound Connector)
• Domain level configuration objects (Accepted Domains & Remote Domains)

Page 13

Exchange Topologies Supported

Exchange 2013 RTM
• Single Forest Model: accounts and mailboxes in a single forest
• Resource Forest Model: multiple account forests, single resource forest
• 1:1 relationship between Exchange organization and single O365 tenant

Exchange 2013 Service Pack 1
• Supports multiple Exchange organizations configured against a single O365 tenant
• Multiple forests, each containing accounts and Exchange organizations
• Multi-Org Hybrid support
• N:1 relationship between Exchange organization and single O365 tenant

[Diagram: an Office 365 tenant with a single hybrid organization (contoso.com) versus a tenant with multiple hybrid organizations (contoso.com, fabrikam.com)]

Page 14

[Diagram: multi-forest hybrid]
Tenant name: contoso.onmicrosoft.com
Coexistence name: contoso.mail.onmicrosoft.com
Forest A: contoso.com, authoritative for contoso.com
Forest B: fabrikam.com, authoritative for fabrikam.com
Shares: contoso.com
Not configured by the Hybrid Configuration Wizard: FIM
From each forest to the tenant: Org Relationship (F/B, sharing); SMTP mail flow (TLS connectors)

Page 15

Feedback…Answered

• Get-FederationInformation fallback logic: if the on-premises Autodiscover endpoint is not published properly when the wizard executes, it will warn, not fail.

• Autodiscover domain: you can now specify which domain is used for the federated Autodiscover query.
  Set-HybridConfiguration -Domains "contoso.com, fabrikam.com, autod:nwtraders.com"

• Email address policy protection measures: new "UpdateSecondaryAddressesOnly" parameter added to Update-EmailAddressPolicy. Protects customers that have manually edited their directory. Only missing proxies will be added; no addresses will be changed/removed.
  Note: this is still a very bad state to be in.

• Hybrid Product Key availability: you can now obtain a FREE Exchange 2013 or 2010 Hybrid Edition product key without the dreaded call to support. Simply go to http://aka.ms/hybridkey

• OAuth wizard: no more manual configuration of OAuth; this is an integrated experience in specific deployment scenarios today.
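Before relying on -UpdateSecondaryAddressesOnly it is worth knowing how many recipients actually lack the coexistence proxy and which of them the policy cannot repair because their EmailAddressPolicyEnabled flag is off. The following script is an added example, not part of the session deck: it runs in the on-premises Exchange Management Shell, reports both groups, and only then (with -Fix) calls Update-EmailAddressPolicy with the new parameter. The coexistence domain contoso.mail.onmicrosoft.com and the policy name "Default Policy" are placeholders.

```powershell
# Added example: audit recipients for the missing coexistence proxy address
# before letting Update-EmailAddressPolicy -UpdateSecondaryAddressesOnly run.
# Assumed names: coexistence domain and policy identity are placeholders.
param(
    [string]$CoexistenceDomain = 'contoso.mail.onmicrosoft.com',
    [string]$PolicyIdentity    = 'Default Policy',
    [switch]$Fix
)

# The policy must carry the coexistence template (the HCW adds it); otherwise
# -UpdateSecondaryAddressesOnly has nothing to stamp.
$policy      = Get-EmailAddressPolicy -Identity $PolicyIdentity
$template    = "smtp:%m@$CoexistenceDomain"
$hasTemplate = @($policy.EnabledEmailAddressTemplates | ForEach-Object { "$_" }) -contains $template
if (-not $hasTemplate) {
    Write-Warning "Policy '$PolicyIdentity' has no template '$template'; re-run the HCW or add it first."
}

# Recipient types that should receive the coexistence address.
$types = 'UserMailbox','SharedMailbox','RoomMailbox','EquipmentMailbox',
         'MailUniversalDistributionGroup','MailUniversalSecurityGroup'

$report = foreach ($r in Get-Recipient -ResultSize Unlimited -RecipientTypeDetails $types) {
    # EmailAddresses come back as "SMTP:..."/"smtp:..." strings; -like is case-insensitive.
    $coex = @($r.EmailAddresses | ForEach-Object { "$_" }) |
            Where-Object { $_ -like "smtp:*@$CoexistenceDomain" }
    [pscustomobject]@{
        Identity            = "$($r.Identity)"
        PrimarySmtpAddress  = "$($r.PrimarySmtpAddress)"
        PolicyEnabled       = [bool]$r.EmailAddressPolicyEnabled
        HasCoexistenceProxy = [bool]$coex
    }
}

$missing       = @($report | Where-Object { -not $_.HasCoexistenceProxy })
$policyOff     = @($missing | Where-Object { -not $_.PolicyEnabled })   # the policy will never touch these
$policyWillFix = @($missing | Where-Object { $_.PolicyEnabled })

"Recipients checked:              $(@($report).Count)"
"Missing coexistence proxy:       $($missing.Count)"
"  fixable by the policy:         $($policyWillFix.Count)"
"  policy disabled (manual work): $($policyOff.Count)"
$policyOff | Format-Table Identity, PrimarySmtpAddress -AutoSize

if ($Fix -and $hasTemplate) {
    # Adds only the missing proxies; existing addresses are neither changed nor removed.
    Update-EmailAddressPolicy -Identity $PolicyIdentity -UpdateSecondaryAddressesOnly
}
```

Recipients with EmailAddressPolicyEnabled set to $false are the ones a hand-edited directory usually produces; they need the coexistence address added individually with Set-Mailbox / Set-DistributionGroup -EmailAddresses @{add=...}, which the script deliberately leaves to the operator.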

Page 16

Hybrid logging improvements

Page 17

Hybrid Product Key (http://aka.ms/hybridkey)

Short link: http://aka.ms/hybridkey
KB link: http://support.microsoft.com/kb/2939261
(The short link works for IE 11 only; other browsers get the link to the KB.)

You get a free Hybrid Edition key if…
• You have an existing, non-trial, Office 365 Enterprise subscription
• You currently do not have a licensed Exchange 2013 or Exchange 2010 SP3 server in your on-premises organization
• You will not host any on-premises mailboxes on the Exchange 2013 or Exchange 2010 SP3 server on which you apply the Hybrid Edition product key

Page 18

Page 19

What does this button do?
• There is now an automated configuration for OAuth!
• OAuth allows us to perform cross-premises discovery searches and cross-premises archive moves…
• OAuth can be used for much more, and actually is for 21Vianet customers (Greater China region)
• OAuth replaces the feature that relied on XTC and will be used for many additional features in the future
• ClickOnce application

Page 20

HEY! Where is the OAuth config button?
• So, just because you have 2010 and/or 2007 you cannot use OAuth?
• Actually, you can use OAuth in a coexistence organization
• You would have to run the steps manually (documented on TechNet)
• Forcing you to run scripts and manually configure this is something we are aiming to remove in future updates, but for now….
• The button appears if you:
  • Have Exchange 2013 SP1+ in the environment
  • Are running the Exchange 2013 CU5+ version of the HCW

Page 21

Do all hybrid features use OAuth?
• Currently the only hybrid features that require OAuth by default are cross-premises discovery and certain cross-premises archive features
• Keep in mind this is not changing the way features worked before we introduced OAuth; it is instead adding new functionality that has not been there since the release of Wave 15.
• Having regular hybrid and OAuth configured will give you the most complete, robust feature set for your hybrid deployment

eDiscovery scenario | Requires OAuth?
Search Exchange on-premises mailboxes and Exchange Online mailboxes in the same eDiscovery search initiated from the Exchange on-premises organization. | Yes
Search Exchange on-premises mailboxes that use Exchange Online Archiving for cloud-based archive mailboxes. | Yes
Search Exchange Online mailboxes from an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer. | Yes
Search on-premises mailboxes using an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer. | No
Search Exchange Online mailboxes from an eDiscovery search initiated from Exchange Online or the eDiscovery Center in SharePoint Online by an Office 365 tenant administrator or a compliance officer signed in to an Office 365 user account. | No

Page 22

What about Free Busy?

Page 23

What about Free Busy? Refresher

[Diagram: on-premises user "Ben" → Client Access Server → Microsoft Federation Gateway → Exchange Online Mailbox Server hosting "Joe"; free/busy request from Ben to Joe]

Page 24

What about Free Busy… (2013) OAuth?

[Diagram: the same free/busy request from on-premises user "Ben" (via Client Access Server and Microsoft Federation Gateway) to "Joe" on an Exchange Online Mailbox Server]

• Free busy works through a series of checks
• 1st we check to see if we can find the free busy locally
• 2nd (if the mailbox is not local) we check for an IOC
• 3rd (if there is no IOC) we check for an Organization Relationship
• 4th we then check for an availability address space
• The key point here is that OAuth is not a fallback option for free busy; it is one or the other
• The OAuth method gets the preference
• 21Vianet simply does not have an Org Relationship or a federation trust and relies only on OAuth

Page 25

What about Free Busy from 2010 OAuth?

[Diagram: free/busy request from Ben to Joe, with Exchange 2013 and Exchange 2010 servers on-premises]

• Free busy works through a series of checks
• 1st we check to see if we can find the free busy locally
• 2nd we check for an Organization Relationship
• 3rd we then check for an availability address space

Page 26

What if there is still an Org relationship for 2010?

[Diagram: free/busy request from Ben to Joe, with Exchange 2013 and Exchange 2010 servers on-premises]

• Free busy works through a series of checks
• 1st we check to see if we can find the free busy locally
• 2nd we check for an Organization Relationship
• 3rd we then check for an availability address space

Page 27

What about Free Busy from 2007 OAuth?

[Diagram: free/busy request from Ben to Joe, with Exchange 2013 and Exchange 2007 servers on-premises]

• Free busy works through a series of checks
• 1st we check to see if we can find the free busy locally
• 2nd we then check for an availability address space
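The three lookup orders above (2013: local → IOC → Organization Relationship → Availability Address Space; 2010: local → Organization Relationship → Availability Address Space; 2007: local → Availability Address Space) can be walked by hand from the on-premises Exchange Management Shell. The function below is an added example, not from the session: for one target address it consults the same objects in the same order the slides describe and reports which mechanism wins, including the point that an IOC match is a decision rather than a fallback. It only reads local configuration; it does not contact the other organization. The sample addresses at the end are placeholders, and the ServerVersion switch is an assumption used to pick which objects to consult.

```powershell
# Added example: mirror the Availability service's free/busy lookup order
# and report the mechanism that would be used for a target address.
function Resolve-FreeBusyPath {
    param(
        [Parameter(Mandatory = $true)][string]$TargetAddress,
        [ValidateSet('2007', '2010', '2013')][string]$ServerVersion = '2013'
    )
    $result = [ordered]@{ Target = $TargetAddress; Version = $ServerVersion; Method = 'None'; Source = $null }
    $domain = ($TargetAddress -split '@')[-1]

    # 1st: can the free/busy be found locally? Only a mailbox homed in this
    # org counts; a RemoteUserMailbox (already moved to the cloud) does not.
    $localTypes = 'UserMailbox','SharedMailbox','RoomMailbox','EquipmentMailbox','LinkedMailbox'
    $rcpt = Get-Recipient -Identity $TargetAddress -ErrorAction SilentlyContinue
    if ($rcpt -and ($localTypes -contains "$($rcpt.RecipientTypeDetails)")) {
        $result.Method = 'Local'; $result.Source = "$($rcpt.Identity)"
        return [pscustomobject]$result
    }
    if ($rcpt -and $rcpt.ExternalEmailAddress) {
        # Moved mailbox or mail user: the Availability service follows the
        # target address, so the coexistence domain is what gets matched.
        $target = "$($rcpt.ExternalEmailAddress)" -replace '^smtp:', ''
        $domain = ($target -split '@')[-1]
        $result.Target = $target
    }

    # 2nd (2013 only): an enabled IntraOrganizationConnector for the domain
    # means OAuth. Not a fallback: once it matches, nothing below is consulted,
    # even if an Organization Relationship for the same domain exists.
    if ($ServerVersion -eq '2013') {
        $ioc = @(Get-IntraOrganizationConnector | Where-Object {
            $_.Enabled -and (@($_.TargetAddressDomains | ForEach-Object { "$_" }) -contains $domain)
        })
        if ($ioc.Count -gt 0) {
            $result.Method = 'OAuth (IntraOrganizationConnector)'; $result.Source = "$($ioc[0].Name)"
            return [pscustomobject]$result
        }
    }

    # 3rd (2010 and 2013): Organization Relationship, i.e. DAuth through the
    # Microsoft Federation Gateway. Free/busy can be switched off per relationship.
    if ($ServerVersion -ne '2007') {
        $rel = @(Get-OrganizationRelationship | Where-Object {
            $_.Enabled -and (@($_.DomainNames | ForEach-Object { "$_" }) -contains $domain)
        })
        if ($rel.Count -gt 0) {
            if ($rel[0].FreeBusyAccessEnabled) {
                $result.Method = 'DAuth (OrganizationRelationship)'
            } else {
                $result.Method = 'OrganizationRelationship matched but FreeBusyAccessEnabled is False'
            }
            $result.Source = "$($rel[0].Name)"
            return [pscustomobject]$result
        }
    }

    # Last: Availability Address Space (the only cross-premises option on 2007).
    $aas = @(Get-AvailabilityAddressSpace | Where-Object { "$($_.ForestName)" -eq $domain })
    if ($aas.Count -gt 0) {
        $result.Method = "AvailabilityAddressSpace ($($aas[0].AccessMethod))"
        $result.Source = "$($aas[0].Name)"
    }
    return [pscustomobject]$result
}

# Placeholder addresses: a cloud user reached through the coexistence domain,
# once from a 2013 server and once as a 2010 server would resolve it.
Resolve-FreeBusyPath -TargetAddress 'joe@contoso.com' -ServerVersion 2013
Resolve-FreeBusyPath -TargetAddress 'joe@contoso.mail.onmicrosoft.com' -ServerVersion 2010
```

Running it with -ServerVersion 2013 against a domain that has both an IOC and an Organization Relationship returns the OAuth path; running the same query as 2010 returns the DAuth path, which is exactly the "one or the other" behaviour the slide warns about when troubleshooting free/busy in a mixed 2010/2013 organization.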

Page 28

DAuth vs OAuth

DAuth
• Uses the Microsoft Federation Gateway for token generation
• Organization Relationships control what companies you share information with
• Allows for granular control of what features are available (free busy, MailTips)

OAuth
• Uses the Auth Server in Azure AD (better resiliency and faster in-forest communications)
• IntraOrgConnectors / IntraOrgConfiguration control what companies you can share information with
• No granular control of the feature set (all or nothing)

Page 29

• In order to test OAuth after the HCW is run or the manual configuration is done you will want to…
• 1st get a cup of coffee
• 2nd kick off your shoes, maybe start that book you were eyeing
• 3rd after ~45 minutes run the verification cmdlets:

Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox <On-Premises Mailbox> -Verbose | fl

and (from Exchange Online PowerShell)

Test-OAuthConnectivity -Service EWS -TargetUri <external hostname authority of your Exchange On-Premises deployment> -Mailbox <Exchange Online Mailbox> -Verbose | fl

Page 30

• Running Get-AuthServer from the on-premises environment will yield the metadata and trust information used by OAuth
• TokenIssuingEndpoint – the endpoint we will connect to for delegation token retrieval
• AuthMetadataUrl – the tenant-specific endpoint for token validation
• CertificateStrings – similar to the certificate metadata exchange we do with the traditional MFG trust

Page 31

• Running Get-ExchangeCertificate will reveal that a new self-signed certificate is created for OAuth communication.
• The public hash of this certificate is exchanged with the trust broker (the Auth Server)

Page 32

• Running Get-IntraOrganizationConfiguration from both on-premises and cloud yields one full set of results….
• Between them you can see that we have one full set of data with the proper URLs that will be used to communicate with the opposing orgs
• Similar information was in the AutodiscoverURI and TargetSharingEPR values in org relationships

Page 33

• Running Get-IntraOrganizationConnector from both premises shows the rest of the configuration
• DiscoveryEndpoint – obtained from the IntraOrgConfig
• TargetAddressDomains – means the same thing it meant in an org relationship: the domain names this IOC applies to
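Pages 29 through 33 describe four separate cmdlets that each expose one piece of the OAuth trust. The script below, an added example rather than part of the session, pulls them together into one on-premises check: it reads the AuthServer object, confirms that the self-signed auth certificate referenced by Get-AuthConfig is actually installed and not about to expire, dumps the IntraOrganizationConfiguration and connectors, and finally runs the on-premises → Exchange Online leg of Test-OAuthConnectivity. Run it in the on-premises Exchange Management Shell after the ~45 minute propagation wait; the cloud → on-premises leg still has to be run from Exchange Online PowerShell as the slide shows. The mailbox parameter and the default cloud EWS URL are placeholders, and the ResultType/Detail property names are taken from the cmdlet's own output.

```powershell
# Added example: one-shot collection of the OAuth trust pieces plus the
# on-premises -> cloud Test-OAuthConnectivity run. On-premises EMS only.
param(
    [Parameter(Mandatory = $true)][string]$OnPremMailbox,
    [string]$CloudEwsUri = 'https://outlook.office365.com/ews/exchange.asmx'   # placeholder default
)

$findings = New-Object System.Collections.ArrayList

# 1. Trust broker: TokenIssuingEndpoint (where delegation tokens come from),
#    AuthMetadataUrl (tenant-specific validation endpoint) and the broker's
#    signing certificates.
$authServers = @(Get-AuthServer | Where-Object { $_.Enabled })
if ($authServers.Count -eq 0) { [void]$findings.Add('No enabled AuthServer object: the OAuth trust was never created.') }
foreach ($a in $authServers) {
    "AuthServer {0}: issuer={1}" -f $a.Name, $a.IssuerIdentifier
    "  TokenIssuingEndpoint : {0}" -f $a.TokenIssuingEndpoint
    "  AuthMetadataUrl      : {0}" -f $a.AuthMetadataUrl
    "  CertificateStrings   : {0} certificate(s)" -f @($a.CertificateStrings).Count
}

# 2. Our side: the self-signed auth certificate whose thumbprint Get-AuthConfig
#    references. Its public hash is what the broker holds for us, so a missing
#    or expired certificate breaks every OAuth call.
$authConfig = Get-AuthConfig
$authCert = Get-ExchangeCertificate -Thumbprint $authConfig.CurrentCertificateThumbprint -ErrorAction SilentlyContinue
if (-not $authCert) {
    [void]$findings.Add("AuthConfig references thumbprint $($authConfig.CurrentCertificateThumbprint) but it is not installed on this server.")
} else {
    "Auth certificate: {0}, expires {1:d}" -f $authCert.Subject, $authCert.NotAfter
    if ($authCert.NotAfter -lt (Get-Date).AddDays(30)) { [void]$findings.Add('Auth certificate expires within 30 days.') }
}

# 3. Endpoint discovery: the IOC configuration and connector(s) take the place
#    of the AutodiscoverURI/TargetSharingEPR values of an organization relationship.
(Get-IntraOrganizationConfiguration | Format-List | Out-String)
$iocs = @(Get-IntraOrganizationConnector)
if ($iocs.Count -eq 0) { [void]$findings.Add('No IntraOrganizationConnector: nothing routes cross-premises requests over OAuth.') }
foreach ($c in $iocs) {
    "IOC {0}: enabled={1} domains={2} discovery={3}" -f $c.Name, $c.Enabled, ($c.TargetAddressDomains -join ','), $c.DiscoveryEndpoint
}

# 4. End-to-end token exchange for the on-premises -> cloud leg.
$test = Test-OAuthConnectivity -Service EWS -TargetUri $CloudEwsUri -Mailbox $OnPremMailbox
"Test-OAuthConnectivity (EWS -> {0}): {1}" -f $CloudEwsUri, $test.ResultType
if ("$($test.ResultType)" -ne 'Success') {
    [void]$findings.Add("Test-OAuthConnectivity failed: $($test.Detail)")
}

''
if ($findings.Count -eq 0) { 'OAuth configuration checks passed.' }
else { 'Findings:'; $findings | ForEach-Object { " - $_" } }
```

The certificate check is the one most often skipped: the HCW creates the auth certificate once and nothing warns when it nears expiry, so a trust that tested fine at deployment can silently fail later even though Get-AuthServer and the IOC objects still look correct.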

Page 34

Page 35

What are the hybrid public folder options?
• Option 1: O365 mailboxes access legacy PFs on-prem
• Option 2: O365 mailboxes access Modern PFs on-prem
• Option 3: Exchange 2013 on-prem mailboxes access Modern PFs in O365
• Documentation in process

Mailbox version \ PF location | 2007 On-Premises | 2010 On-Premises | 2013 On-Premises | Exchange Online
Exchange 2007 | Yes | Yes | No | No
Exchange 2010 | Yes | Yes | No | No
Exchange 2013 | Yes | Yes | Yes | Yes
Exchange Online (new) | Yes | Yes | Yes | Yes

Page 36

Configure Legacy PF access
1.
2.
3.
4.
5. Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes PFMbx1,PFMbx2

Page 37

Hybrid PF access

[Diagram: Outlook → Exchange Online, with a proxy to the on-premises PF server (running the CAS role), authenticating as the user over public MBX auth]

1. Outlook connects to the cloud mailbox, starting by querying autod.contoso.com
2. Autodiscover responds with the target address for the cloud mailbox
3. Outlook does Autodiscover for the target address, contoso.mail.onmicrosoft.com
4. EXO responds with PF mailbox information obtained from the org config or set explicitly on the mailbox:
   <PublicFolderInformation>
   <SmtpAddress>[email protected]</SmtpAddress>
5. Outlook performs an Autodiscover against [email protected]
6. Outlook Anywhere settings are returned, including the server name of the PF/CAS instead of the CASArray
7. When PF access is initiated you then make an OA (Outlook Anywhere) connection

Page 38

Configure Modern PF access
1.
2.
3.
4.
5. Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes PFMbx1,PFMbx2

Page 39

Configure Legacy PF access

• DirSync currently does not sync MEPF (mail-enabled public folder) objects in either direction.
• We recommend customers run the following scripts periodically to sync MEPF objects from on-premises to the cloud directory. The scripts below work for E2010/E2007 on-premises.
  • Export-MailPublicFoldersForMigration.ps1 -ExportFile [exportFileName] (run on-premises)
  • Import-MailPublicFolders.ps1 -ImportFile [importFileName] (run in the cloud)
• The scripts are linked on TechNet but are now also in the Scripts container on the Exchange server
• In the future we plan to eliminate the script and rely on DirSync
• Known issue with the script
  • When we import the MEPF we stamp all of the accepted domains that are verified in the tenant, not just the domains that were added as proxy addresses…
  • Why is that an issue?
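Steps 5 on pages 36 and 38 and the Autodiscover flow on page 37 assume that each on-premises public folder mailbox named in RemotePublicFolderMailboxes already resolves in the cloud directory, because Outlook's step 5 performs Autodiscover against that mailbox's SMTP address. The script below is an added example, not from the session: it runs in Exchange Online PowerShell, checks that each name resolves, applies Set-OrganizationConfig when asked to, reads the result back, and lists the proxy domains stamped on the imported mail-enabled public folders so the known issue above can be reviewed. PFMbx1/PFMbx2 are placeholders; the expectation that a synced PF mailbox shows up as a MailUser is an assumption and is reported as a warning only.

```powershell
# Added example: Exchange Online side of remote public folder access.
# Placeholders: PFMbx1, PFMbx2. Assumption: synced PF mailboxes appear as MailUsers.
param(
    [string[]]$RemotePublicFolderMailboxes = @('PFMbx1', 'PFMbx2'),
    [switch]$Apply
)

$ok = $true
foreach ($name in $RemotePublicFolderMailboxes) {
    $rcpt = Get-Recipient -Identity $name -ErrorAction SilentlyContinue
    if (-not $rcpt) {
        Write-Warning "$name does not resolve in Exchange Online; directory sync has not created it, so Outlook's Autodiscover (step 5) would fail."
        $ok = $false
        continue
    }
    if ("$($rcpt.RecipientTypeDetails)" -ne 'MailUser') {
        Write-Warning "$name is a $($rcpt.RecipientTypeDetails); a synced on-premises PF mailbox is expected to appear as a MailUser."
    }
    "{0}: {1} -> {2}" -f $name, $rcpt.RecipientTypeDetails, $rcpt.PrimarySmtpAddress
}

if (-not $ok) { 'Fix the directory objects before enabling remote public folders.'; return }

if ($Apply) {
    Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes $RemotePublicFolderMailboxes
}

# What the tenant hands to Outlook in step 4 of the Autodiscover flow.
Get-OrganizationConfig | Format-List PublicFoldersEnabled, RemotePublicFolderMailboxes

# Known issue review: the import script stamps every verified accepted domain on
# each imported mail-enabled public folder. Show how many proxies each carries
# and across which domains, so unintended ones can be spotted.
Get-MailPublicFolder -ResultSize Unlimited | ForEach-Object {
    $proxies = @($_.EmailAddresses | ForEach-Object { "$_" } | Where-Object { $_ -like 'smtp:*' })
    $domains = $proxies | ForEach-Object { ($_ -split '@')[-1] } | Sort-Object -Unique
    [pscustomobject]@{
        Name       = $_.Name
        Primary    = "$($_.PrimarySmtpAddress)"
        ProxyCount = $proxies.Count
        Domains    = ($domains -join ',')
    }
} | Format-Table -AutoSize
```

The recipient check is deliberately done before Set-OrganizationConfig: enabling remote public folders that point at names Outlook cannot Autodiscover produces a client that appears to work until the first public folder click.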

Page 40

Page 41

Page 42

Error: Subtask CheckPrereqs execution failed: Check Tenant Prerequisites
Deserialization fails due to one SerializationException:
Microsoft.Exchange.Compliance.Serialization.Formatters.BlockedTypeException: The type to be (de)serialized is not allowed: Microsoft.Exchange.Data.Directory.DirectoryBackendType

• Cause: we modified the Office 365 schema in order to allow certain (non-PII) information about your on-premises environment to be captured (run Get-OnPremisesConfiguration); some of these schema changes were not supported by the HCW
• Solution: update to CU6 / CU7

Page 43

• Cause: we previously defaulted to allowing zero corrupt items with a hybrid move
• Solution: it was determined that allowing 10 corrupt items in a move let 90+% of the moves that failed with this issue succeed. We now allow 10 corrupted items per mailbox and properly report on the skipped items
• Issue: when you move an item that is over 35 MB in size the move will fail
• Solution: we are working on adjusting this limit to make sure that most moves will succeed. We have to have limits and the limits are tied to transport limits, so this is not trivial

Page 44

• Cause 1: we changed the naming convention for org relationships to support multi-forest
• Solution 1: use the latest builds of Exchange 2013, where the issue has been addressed
• Cause 2: you got too creative with the deployment and did not deploy 2013 properly
• Solution 2: deploy 2013 properly; Hybrid is NOT a separate role and should be deployed correctly
• Cause: you ran the HCW with SP2 before we knew about multi-forest
  • Remove the connectors and rerun the HCW
• Content: http://support.microsoft.com/kb/2977293

Page 45

and MFG

• Cause: XTC has been retired and (undocumented) OAuth was the replacement
• Documented: http://technet.microsoft.com/en-us/library/dn497703(v=exchg.150).aspx
• Resolution: implement OAuth for hybrid discovery searches
  • OAuth and IOC are an option when the Exchange servers are 2013 SP1+ and you run the HCW from CU5
  • If you have a legacy mix you have to use the manual steps
  • For Gallatin you need to ensure the Availability Address Space is configured

I cannot see cross-premises Free/Busy?

Happy retirement, Consumer MFG!!
• Cause: Consumer MFG retired on February 25, 2014
• Resolution: recreate the federation trust and org relationships
• Documented: http://support.microsoft.com/kb/2937358

Page 46

"Length of the property is too long"
• Cause: the TLS certificate name is greater than 256 characters
• Documented: http://support.microsoft.com/kb/2860844
• Resolution: coming soon; for now you need to get a different certificate (this one has been fixed 3 times now)
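The "TLS certificate name" here is the TlsCertificateName value the wizard writes onto the hybrid send and receive connectors, which is built from the certificate's issuer and subject as "<I>issuer<S>subject" (the format documented for Set-SendConnector and Set-ReceiveConnector). The script below is an added example, not from the session: run in the on-premises Exchange Management Shell, it computes that string for every CA-issued certificate with the SMTP service enabled, flags any over 256 characters before the HCW trips on it, and shows what is currently stamped on the connectors so the offending one can be found. The 256-character threshold is taken from the slide.

```powershell
# Added example: predict the TlsCertificateName the HCW will write for each
# SMTP-enabled certificate and flag the ones that exceed 256 characters.
function Get-TlsCertificateNameLength {
    param([Parameter(Mandatory = $true)]$Certificate)
    # Same construction the connector cmdlets document: "<I>issuer<S>subject".
    $name = "<I>$($Certificate.Issuer)<S>$($Certificate.Subject)"
    [pscustomobject]@{
        Thumbprint         = $Certificate.Thumbprint
        Subject            = $Certificate.Subject
        Length             = $name.Length
        TooLong            = ($name.Length -gt 256)
        TlsCertificateName = $name
    }
}

# Self-signed certificates are excluded: hybrid mail flow needs a public CA cert.
$smtpCerts = Get-ExchangeCertificate | Where-Object {
    "$($_.Services)" -match 'SMTP' -and -not $_.IsSelfSigned
}
$report = @($smtpCerts | ForEach-Object { Get-TlsCertificateNameLength -Certificate $_ })
$report | Format-Table Thumbprint, Length, TooLong, Subject -AutoSize

if (@($report | Where-Object { $_.TooLong }).Count -gt 0) {
    Write-Warning 'At least one SMTP certificate produces a TlsCertificateName over 256 characters; the HCW will fail with "Length of the property is too long" if it selects that certificate.'
}

# What the connectors currently carry, to locate the one that was stamped.
Get-SendConnector    | Where-Object { $_.TlsCertificateName } | Format-List Name, TlsCertificateName
Get-ReceiveConnector | Where-Object { $_.TlsCertificateName } | Format-List Name, TlsCertificateName
```

Long issuer names from some public CAs (multiple OU components, street addresses in the subject) are what usually pushes the value over the limit, so the practical fix is the one the slide gives: request a certificate with a shorter subject, then re-run the wizard.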

• Often, customers need guidance on how to configure their perimeter devices
• Here is a wiki on how to configure TMG for hybrid: http://community.office365.com/en-us/wikis/exchange/1042.aspx?sort=mostrecent&pageindex=1

Page 47

• Error: "Mailbox move to the cloud fails with error: Transient error CommunicationErrorTransientException has occurred. The system will retry"
• Cause: intrusion detection systems can often see migration traffic as an attack
  • Flood mitigation in TMG can cause this as well
• This wiki explains how to address the issue: http://community.office365.com/en-us/wikis/exchange/office-365-move-mailbox-fails-with-transient-exception.aspx

Page 48

• Cause: timeout issues are not handled well by the HCW (we are getting better)
• Running the HCW a second time is often all that is needed…

"InvalidUri: Passed URI is not valid"
• Cause: there are certain words such as "bank", profanity, and large org names that are blocked from federating
• Calling support is the only option to resolve the issue
• Documented: http://support.microsoft.com/kb/2615183
• This is being looked at and may be a thing of the past soon…

Page 49

Common Issues – Runtime

[Diagram: a cloud free/busy request arrives at mail.contoso.com (Layer 4 load balancer) in the Internet-facing site (E2013 CAS/MBX) and is proxied over HTTP as a cross-site proxy request to the intranet site (E2010 CAS/MBX)]

Resolution: set the 2010 ExternalURL to mail.contoso.com
http://technet.microsoft.com/en-us/library/hh529912(v=exchg.150).aspx

Page 50

• Cause: bad password for admin, publishing issues, MRS disabled, etc….
• Errors: NONE
• The error in Wave 14 was the following, but in Wave 15 there isn't an indication of failure:
• Resolution: use the EAC in EXO

Page 51

Common Issues – Runtime

• From Exchange 2010 SP3 RU2 you will see the domain proof missing
  • Workaround: use the Shell, Get-FederatedDomainProof
  • This is addressed in Exchange 2010 SP3 RU3
• From Exchange 2010 SP3 RU2 you will not be able to add additional domains to a federation trust from the UI; you have to use the Shell as a workaround.
  • This has been addressed in Exchange 2010 SP3 RU3

Page 52

Session Evaluation: http://aka.ms/SVC307
