office 365 hybrid deployments – part...
TRANSCRIPT
SVC307
Office 365 Hybrid Architecture and Deployment
Eddie Chua, Onboarding Engineer
Diagram: on-premises and Office 365 hybrid components (Exchange Hybrid, SharePoint Hybrid, Lync Hybrid), with OAuth between the two sides.
Identity options:
• Cloud Identity: no integration to on-premises directories
• Directory & Password Synchronization: integration without federation
• Federated Identity *: single federated identity and credentials
* Federated ID scenario can use Azure AD Sync as a backup in case of a Federation platform outage on-prem
Exchange Hybrid (diagram): an on-premises Exchange organization (existing Exchange environment, Exchange 2007 or later, with an Exchange 2013 Client Access & Mailbox server) alongside Office 365 (Office 365 Active Directory synchronization). Between the two:
• User, contacts, & groups via Azure AD Sync
• Secure mail flow
• Mailbox data via Mailbox Replication Service (MRS)
• Sharing (free/busy, Mail Tips, Archive, PF, etc.)
Lync Hybrid (diagram): an on-premises Lync organization (existing Lync environment, Lync Server 2010 or 2013, with a Lync Edge Server) alongside Office 365 (Office 365 Active Directory synchronization). Between the two:
• User, contacts, & groups via Azure AD Sync
• Migration of data (Contact Lists / Scheduled Meetings)
• Media connectivity (SRTP)
• Signaling (SIP) via split SIP domain
Lync and SharePoint hybrid: feature support by customer scenario (Lync Online and Exchange On-Prem / Lync On-Prem and Exchange Online). The supported / not supported marks did not survive extraction; the notes per feature are kept:
• View presence or IM a contact in Outlook
• Schedule and join meeting through Outlook
• View presence or IM a contact in Outlook Web Access
• View presence or IM a contact in Lync Mobile Client
• Join meeting from Lync Mobile Client
• Modify Contact List (via Unified Contact Store in Exchange): Lync Server 2013 and Exchange only. A Lync 2013 client is required.
• View or modify contact photo in Lync Web App: Lync Server 2013 only
• Delegate schedules meeting on behalf of Boss *: Exchange 2013 only
• Archiving meeting content: Lync Server 2013 only
• Searching archived meeting content: Lync Server 2013 only
• Leaving or retrieving voicemail
• Publish status based on Outlook calendar free/busy
• Missed Conversations history and Call Logs are written to the user's Exchange mailbox
• Schedule meeting through Outlook Web Access
• View presence or IM a contact in SharePoint
• Search contact by skill keyword
* Supported only when both users are homed online in the same forest or both are homed on-premises.
• Delegated authentication for on-premises/cloud web services: enables free/busy, calendar sharing, message tracking & online archive
• Online mailbox moves: preserve the Outlook profile and offline folders; leverages the Mailbox Replication Service (MRS)
• Manage all of your Exchange functions, whether cloud or on-premises, from the same place: Exchange Admin Center
• Authenticated and encrypted mail flow between on-premises and the cloud: preserves the internal Exchange message headers, allowing a seamless end user experience; supports compliance mail flow scenarios (centralized transport)
Exchange Hybrid Wizard History
• Exchange 2013 SP1: multiple Exchange organizations now supported; supports Exchange 2013 Edge
• Thousands of tenants and millions of mailboxes in Office 365 using Exchange Hybrid
Hybrid Configuration Engine (diagram): the on-premises Exchange Management Tools start the engine, which works across the Internet against both organizations via Remote PowerShell.
Step 1: The Update-HybridConfiguration cmdlet triggers the Hybrid Configuration Engine to start.
Step 2: The Hybrid Configuration Engine reads the "desired state" stored on the HybridConfiguration Active Directory object.
Step 3: The Hybrid Configuration Engine connects via Remote PowerShell to both the on-premises and Exchange Online organizations.
Step 4: The Hybrid Configuration Engine discovers topology data and current configuration from the on-premises Exchange organization and the Exchange Online organization.
Step 5: Based on the desired state, topology data, and current configuration across both the on-premises Exchange and Exchange Online organizations, the Hybrid Configuration Engine establishes the "difference" and then executes configuration tasks to establish the "desired state."
Objects configured on-premises:
• Hybrid Configuration Object (desired state)
• Exchange Server Level Configuration (Mailbox Replication Service Proxy, Certificate Validation, Exchange Web Service Virtual Directory Validation, & Receive Connector)
• Domain Level Configuration Objects (Accepted Domains, Remote Domains, & E-mail Address Policies)
• Organization Level Configuration Objects (Exchange Federation Trust, Organization Relationship, Availability Address Space, & Send Connector)
Objects configured in Exchange Online:
• Organization Level Configuration Objects (Exchange Federation Trust, Organization Relationship, Forefront Inbound Connector, & Forefront Outbound Connector)
• Domain Level Configuration Objects (Accepted Domains & Remote Domains)
Exchange Topologies Supported
Exchange 2013 RTM
• Single Forest Model: accounts and mailboxes in a single forest
• Resource Forest Model: multiple account forests, single resource forest
• 1:1 relationship between Exchange Organization and single O365 tenant
Exchange 2013 Service Pack 1 (Multi-Org Hybrid Support)
• Supports multiple Exchange Organizations configured against a single O365 tenant
• Multiple forests, each containing accounts and Exchange organizations
• N:1 relationship between Exchange Organization and single O365 tenant
Multi-org hybrid (diagram): ForestA (Forest: contoso.com, authoritative for contoso.com) and ForestB (Forest: fabrikam.com, authoritative for fabrikam.com), synchronized by FIM into one tenant (Tenant Name: contoso.onmicrosoft.com; Coexistence Name: contoso.mail.onmicrosoft.com; Shares: contoso.com). Each forest has its own Hybrid relationship with Office 365: Org Relationship (F/B, Sharing) and SMTP Mail Flow (TLS connectors). The diagram marks part of this topology as "Not Configured by Hybrid Configuration Wizard".
Feedback… Answered
• Get-FederationInformation fallback logic: if the on-premises Autodiscover endpoint is not published properly when the wizard executes, it will warn, not fail.
• Autodiscover domain: you can now specify which domain is used for the federated Autodiscover query.
  Set-HybridConfiguration -Domains "contoso.com, fabrikam.com, autod:nwtraders.com"
• Email address policy protection measures: new "UpdateSecondaryAddressesOnly" parameter added to Update-EmailAddressPolicy. Protects customers that have manually edited their directory. Only missing proxies will be added; no addresses will be changed or removed. Note: this is still a very bad state to be in.
• Hybrid Product Key availability: you can now obtain a FREE Exchange 2013 or 2010 Hybrid Edition product key without the dreaded call to support. You can simply go to http://aka.ms/hybridkey
• OAUTH Wizard: no more manual configuration of OAUTH; this is an integrated experience in specific deployment scenarios today.
• Hybrid logging improvements
Hybrid Product Key (http://aka.ms/hybridkey)
Short Link: http://aka.ms/hybridkey
KB Link: http://support.microsoft.com/kb/2939261
(The short link works for IE 11 only; other browsers will get the link to the KB.)
You get a free Hybrid Edition key if…
• You have an existing, non-trial, Office 365 Enterprise subscription
• You currently do not have a licensed Exchange 2013 or Exchange 2010 SP3 server in your on-premises organization.
• You will not host any on-premises mailboxes on the Exchange 2013 or Exchange 2010 SP3 server on which you apply the Hybrid Edition product key.
What does this button do?
• There is now an automated configuration for OAUTH!
• OAUTH allows us to perform cross premises discovery searches and cross premises archive moves…
• OAUTH can be used for much more and actually is for 21Vianet customers (Greater China region)
• OAUTH is a replacement for the feature that relied on XTC and will be used for many additional features in the future
• Click once application
HEY! Where is the OAUTH config button?
• So, just because you have 2010 and/or 2007 you cannot use OAUTH?
• Actually you can use OAUTH in a coexistence organization
• You would have to run the steps manually (documented on TechNet)
• Forcing you to run scripts and manually configure this is something that we are aiming to remove in future updates, but for now….
• Do you have…
  • Exchange 2013 SP1+ in the environment
  • The Exchange 2013 CU5+ version of the HCW
Do all Hybrid features use OAUTH?
• Currently the only hybrid features that require the use of OAUTH by default are cross premises Discovery and certain cross premises archive features
• Keep in mind this is not changing the way features worked before we introduced OAUTH; this is instead adding new functionality that has not been there since the release of Wave 15.
• Having regular Hybrid and OAUTH configured will give you the most complete, robust feature set for your hybrid deployment
eDiscovery scenario / Requires OAuth?
• Search Exchange on-premises mailboxes and Exchange Online mailboxes in the same eDiscovery search initiated from the Exchange on-premises organization. Requires OAuth: Yes
• Search Exchange on-premises mailboxes that use Exchange Online Archiving for cloud-based archive mailboxes. Requires OAuth: Yes
• Search Exchange Online mailboxes from an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer. Requires OAuth: Yes
• Search on-premises mailboxes using an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer. Requires OAuth: No
• Search Exchange Online mailboxes from an eDiscovery search initiated from Exchange Online or the eDiscovery Center in SharePoint Online by an Office 365 tenant administrator or a compliance officer signed in to an Office 365 user account. Requires OAuth: No
What about Free Busy?
(Diagram: a Free Busy request from on-premises user "Ben" to "Joe" goes from the on-premises Client Access Server, via the Microsoft Federation Gateway, to the Exchange Online Mailbox Server.)
What about Free Busy? Refresher
(Diagram: a Free Busy request from on-premises user "Ben" to "Joe" goes from the on-premises Client Access Server, via the Microsoft Federation Gateway, to the Exchange Online Mailbox Server.)
What about Free Busy… (2013) OAUTH?
• Free Busy works through a series of checks
• 1st we check to see if we can find the free busy locally
• 2nd (if the mailbox is not local) we check for an IOC
• 3rd (if there is no IOC) we check for an Organization Relationship
• 4th we then check for an availability address space
• The key point here is that OAUTH is not a fall back option for Free Busy; it is one or the other
• The OAuth method gets the preference
• 21Vianet simply does not have an Org Relationship or a federation trust and relies only on OAUTH
What about Free Busy from 2010 OAUTH?
• Free Busy works through a series of checks
• 1st we check to see if we can find the free busy locally
• 2nd we check for an Organization Relationship
• 3rd we then check for an availability address space
(Diagram: Exchange 2013 and Exchange 2010 on-premises; Free Busy request from Ben to Joe.)
What if there is still an Org relationship for 2010?
Exchange 2013
Exchange 2010
• Free Busy works through a series of checks
• 1st we check to see if we can find the free busy locally
• 2nd we check for an Organization Relationship
• 3rd we then check for an availability address space
What about Free Busy from 2007 OAUTH?
• Free Busy works through a series of checks
• 1st we check to see if we can find the free busy locally
• 2nd we then check for an availability address space
(Diagram: Exchange 2013 and Exchange 2007 on-premises; Free Busy request from Ben to Joe.)
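The Free Busy check order described above for Exchange 2013 (with OAUTH), 2010 and 2007, as a small Python model. This is an added example, not code from the session or from Exchange: FreeBusyConfig, lookup_order and resolve_free_busy are hypothetical names, and the oauth_healthy flag is a constructed stand-in for whether the OAuth call succeeds, included only to show that a configured IOC does not fall back to the Organization Relationship.

```python
# Added example (not from the SVC307 slides or from Microsoft): models the
# cross-premises Free/Busy lookup order per on-premises Exchange version,
# including the rule that OAuth (IntraOrganizationConnector) is preferred over
# an Organization Relationship and is not a fallback option.
from dataclasses import dataclass, field


@dataclass
class FreeBusyConfig:
    """Hypothetical summary of an on-premises org's sharing configuration."""
    version: str                                    # "2013", "2010" or "2007"
    local_domains: set = field(default_factory=set)
    ioc_domains: set = field(default_factory=set)   # IOC TargetAddressDomain values
    org_relationship_domains: set = field(default_factory=set)
    availability_address_spaces: set = field(default_factory=set)
    oauth_healthy: bool = True                      # constructed: does the OAuth call succeed?


def lookup_order(version: str) -> list:
    """Checks performed, in order, for the given on-premises Exchange version."""
    order = ["local"]
    if version == "2013":
        order.append("ioc")                 # OAuth check exists only on 2013
    if version in ("2013", "2010"):
        order.append("org_relationship")    # DAuth via the MFG; absent on 2007
    order.append("availability_address_space")
    return order


def resolve_free_busy(cfg: FreeBusyConfig, target_smtp: str) -> str:
    """Return which mechanism serves a Free/Busy request for target_smtp."""
    domain = target_smtp.rsplit("@", 1)[-1].lower()
    for check in lookup_order(cfg.version):
        if check == "local" and domain in cfg.local_domains:
            return "local"
        if check == "ioc" and domain in cfg.ioc_domains:
            # "One or the other": a failing OAuth call is reported as a failure;
            # it does not fall back to the org relationship checked next.
            return "oauth" if cfg.oauth_healthy else "oauth-failed"
        if check == "org_relationship" and domain in cfg.org_relationship_domains:
            return "org-relationship"
        if check == "availability_address_space" and domain in cfg.availability_address_spaces:
            return "availability-address-space"
    return "not-found"


if __name__ == "__main__":
    # Constructed sample: Exchange 2013 on-prem with both an IOC and an org
    # relationship for the coexistence domain; OAuth wins.
    cfg = FreeBusyConfig("2013", local_domains={"contoso.com"},
                         ioc_domains={"contoso.mail.onmicrosoft.com"},
                         org_relationship_domains={"contoso.mail.onmicrosoft.com"})
    print(resolve_free_busy(cfg, "joe@contoso.mail.onmicrosoft.com"))
```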
DAuth vs OAuth
DAuth (Organization Relationships)
• Uses Microsoft Federation Gateway for token generation
• Organization Relationships
• Controls what companies you share information with
• Allows for granular control of what features are available (free busy, mailtips)
OAuth (Intraorg Connectors)
• Uses Auth Server in Azure AD (better resiliency and faster in-forest communications)
• IntraOrgConnectors / Configuration
• Controls what companies you can share information with
• No granular control of feature-set (all or nothing)
• In order to test OAUTH after the HCW is run or the manual configuration is done you will want to…
  • 1st get a cup of coffee
  • 2nd kick off your shoes, maybe start that book you were eyeing
  • 3rd after ~45 minutes run the verification cmdlets:
Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox <On-Premises Mailbox> -Verbose | fl
and
Test-OAuthConnectivity -Service EWS -TargetUri <external hostname authority of your Exchange On-Premises deployment> -Mailbox <Exchange Online Mailbox> -Verbose | fl
• Running Get-AuthServer from the on-premises environment will yield the metadata and trust information used by OAUTH
  • TokenIssuingEndpoint: the endpoint we will connect to for delegation token retrieval
  • AuthMetadataUrl: the tenant-specific endpoint for token validation
  • CertificateString: similar to the certificate metadata exchange we do with the traditional MFG trust
• Running Get-ExchangeCertificate will reveal that a new self-signed certificate is created for OAUTH communication.
  • The public hash of this certificate is exchanged with the trust broker (the Auth Server)
• Running Get-IntraOrganizationConfiguration from both on-premises and cloud yields one full set of results….
  • Between them you can see that we have one full set of data that is needed for the proper URL that will be used to communicate to the opposing orgs
  • Similar information was in the AutodiscoverURI and TargetSharingEPR values in org relationships
• Running Get-IntraOrganizationConnector from both premises shows the rest of the configuration
  • DiscoveryEndpoints: obtained from the IntraOrgConfig
  • TargetAddressDomain: means the same thing it meant in org relationships, the domain name this IOC applies to
What are the hybrid public folder options?
• Option 1: O365 mailboxes access legacy PFs on-prem
• Option 2: O365 mailboxes access Modern PFs on-prem
• Option 3: Exchange 2013 on-prem mailboxes access Modern PFs in O365
• Documentation in process
Supported public folder access (mailbox version vs. PF location):
Mailbox version       | 2007 On-Premises | 2010 On-Premises | 2013 On-Premises | Exchange Online
Exchange 2007         | Yes              | Yes              | No               | No
Exchange 2010         | Yes              | Yes              | No               | No
Exchange 2013         | Yes              | Yes              | Yes              | Yes
Exchange Online (new) | Yes              | Yes              | Yes              | Yes
5. Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes PFMbx1,PFMbx2
Configure Legacy PF access
Hybrid PF access (diagram labels: Exchange Online; On-premises; Proxy to PF server (running CAS role); Auth as user over Public MBX auth):
1. Outlook connects to the cloud mailbox and starts by querying autod.contoso.com
2. Autodiscover responds with the target address for the cloud mailbox
3. Outlook does AutoD for the TA contoso.mail.onmicrosoft.com
4. EXO responds with PFMailbox information obtained from the org config or set explicitly on the mailbox: <PublicFolderInformation> <SmtpAddress>[email protected]</SmtpAddress>
5. Outlook performs an AutoD against [email protected]
6. Outlook Anywhere settings are returned, including the server name of the PF/CAS instead of the CASArray
7. When PF access is initiated you then make an OA connection
5. Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes PFMbx1,PFMbx2
Configure Legacy Modern PF access
• DirSync currently does not sync MEPF objects in either direction.
• We recommend customers run the following scripts periodically to sync MEPF objects from on-premises to the cloud directory. The scripts below work for E2010/E2007 on-premises.
  • Export-MailPublicFoldersForMigration.ps1 -ExportFile [exportFileName] (run on-premises)
  • Import-MailPublicFolders.ps1 -ImportFile [importFileName] (run in the cloud)
• The scripts are linked on TechNet but now are also in the scripts container on the Exchange server
• In the future we plan to eliminate the script and rely on DirSync
• Known issue with the script
  • When we import the MEPF we stamp all of the accepted domains that are verified in the tenant, not just the domains that were added as a proxy address…
  • Why is that an issue?
Error: Subtask CheckPrereqs execution failed: Check Tenant Prerequisites
Deserialization fails due to one SerializationException:
Microsoft.Exchange.Compliance.Serialization.Formatters.BlockedTypeException: The type to be (de)serialized is not allowed:
Microsoft.Exchange.Data.Directory.DirectoryBackendType
• Cause: We modified the Office 365 schema in order to allow certain (non-PII) information about your on-premises environment to be captured (run Get-OnPremisesConfiguration); some of these schema changes were not supported by the HCW
• Solution: Update to CU6 / CU7
• Cause: we previously defaulted to allowing zero corrupt items with a hybrid move
• Solution: it was determined that allowing 10 corrupt items in a move let 90+% of the moves that failed with this issue succeed. We now allow for 10 corrupted items per mailbox and we properly report on the skipped items
• Issue: When you move an item that is over 35 MB in size the move will fail
• Solution: We are working on adjusting this limit to make sure that most of the moves will succeed. We have to have limits and the limits are tied to transport limits, so this is not trivial
• Cause 1: We changed the naming convention for org relationships to support multi forest
• Solution 1: use the latest builds of Exchange 2013 where the issue has been addressed
• Cause 2: you got too creative with the deployment and did not deploy 2013 properly
• Solution 2: Deploy 2013 properly. Hybrid is NOT a separate role and should be deployed correctly
• Cause: you ran HCW with SP2 before we knew about multi forest
• Solution: Remove the connectors and rerun HCW
• Content: http://support.microsoft.com/kb/2977293
• Cause: XTC has been retired and (undocumented) OAuth was the replacement
• Documented: http://technet.microsoft.com/en-us/library/dn497703(v=exchg.150).aspx
• Resolution: Implement OAuth for hybrid Discovery Searches
• OAUTH and IOC are an option when your Exchange servers are 2013 SP1+ and you run the HCW from CU5
• If you have a legacy mix you have to use the manual steps
• For Gallatin you need to ensure the Availability address space is configured
I cannot see cross-premises Free/Busy?
Happy Retirement Consumer MFG!!
• Cause: Consumer MFG retired on February 25, 2014
• Resolution: recreate the federation trust and org relationships
• Documented: http://support.microsoft.com/kb/2937358
"Length of the property is too long"
• Cause: TLS Certificate Name is greater than 256 characters
• Documented: http://support.microsoft.com/kb/2860844
• Resolution: coming soon; for now you need to get a different certificate (this one has been fixed 3 times now)
• Often, customers need guidance on how to configure their perimeter devices
• Here is a Wiki on how to configure TMG for hybrid: http://community.office365.com/en-us/wikis/exchange/1042.aspx?sort=mostrecent&pageindex=1
• Error: "Mailbox move to the cloud fail with error: Transient error CommunicationErrorTransientException has occurred. The system will retry"
• Cause: Intrusion Detection Systems can often see migration traffic as an attack
• Flood mitigation in TMG can cause this as well
• This Wiki explains how to address the issue: http://community.office365.com/en-us/wikis/exchange/office-365-move-mailbox-fails-with-transient-exception.aspx
• Cause: Timeout issues are not handled well by the HCW (we are getting better)
• Running the HCW a second time is often all that is needed…
"InvalidUri: Passed URI is not valid"
• Cause: There are certain words such as "bank", profanity, and large org names that are blocked from federating
• Calling Support is the only option to resolve the issue
• Documented: http://support.microsoft.com/kb/2615183
• This is being looked at and may be a thing of the past soon…
Free/Busy through a Layer 4 load balancer (diagram): a cloud Free/Busy request arrives at mail.contoso.com on the Layer 4 LB and reaches the Internet-facing site (E2013 CAS and E2013 MBX); the E2013 CAS sends a cross-site HTTP proxy request to the intranet site (E2010 CAS and E2010 MBX).
Set the 2010 externalURL to: mail.contoso.com
Common Issues – Runtime
http://technet.microsoft.com/en-us/library/hh529912(v=exchg.150).aspx
• Cause: Bad password for admin, publishing issues, MRS disabled, etc.…
• Errors: NONE
• The error in Wave 14 was the following, but in Wave 15 there isn't an indication of failure:
• Resolution: Use the EAC in EXO
Common Issues – Runtime
• From Exchange 2010 SP3 RU2 you will see the domain proof missing
• Workaround: use the Shell: Get-FederatedDomainProof
• This is addressed in Exchange 2010 SP3 RU3
• From Exchange 2010 SP3 RU2 you will not be able to add additional domains to a federation trust from the UI; you have to use the Shell as a workaround.
• This has been addressed in Exchange 2010 SP3 RU3
http://aka.ms/SVC307
Session Evaluation