Office 365 for IT Pros, Third edition

Running the Hybrid Configuration Wizard

Published by Tony Redmond, Paul Cunningham, and Michael Van Horenbeeck

Copyright 2015-2016 by Tony Redmond, Paul Cunningham, and Michael Van Horenbeeck. All rights reserved. No part of this book may be reproduced or transmitted in any form or by any means without the written permission of the authors.

The example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, people, domain name, email address, logo, person, place, or event is intended or should be inferred.

The book expresses the views and opinions of the authors. The information presented in the book is provided without any express, statutory, or implied warranties. The authors cannot be held liable for any damages caused or alleged to be caused either directly or indirectly by this book. Although the three authors are members of Microsoft's Most Valuable Professional (MVP) program, the content of this book solely represents their views and opinions about Office 365 and any other technologies mentioned in the text and is not endorsed in any way by Microsoft Corporation. Please be respectful of the rights of the authors and do not make copies of this ebook available to others.

This information supplements the content presented in Chapter 3 of Office 365 for IT Professionals, which presents the overall context and outline for Identities and Authentication in Office 365.
Part of creating a hybrid Exchange connection with Office 365 is running the Hybrid Configuration Wizard (HCW). However, before you can do so you must carefully consider the implications of a hybrid connection and configure the necessary prerequisites, all of which is covered in Chapter 6. Once you have successfully configured all prerequisites, you are ready to run the Hybrid Configuration Wizard.

Note that when running the wizard for the first time, the steps you have to go through might be a little different from when you run it a second or third time. This is mainly because some aspects of the hybrid configuration, like the federation trust with the Azure AD Authentication System, only need to be configured once and never change afterwards.

Some situations will prevent you from successfully running the HCW and force you to revert to PowerShell first. For instance, if an Exchange server which was previously part of the hybrid configuration is uninstalled without being removed from the hybrid configuration first, the HCW displays an error message and does not let you continue until you have corrected the situation. To do so, you must manually remove the server from the existing hybrid configuration using the following PowerShell command:

[PS] C:\> Set-HybridConfiguration -ReceivingTransportServers @{Remove="Server1"}

The following steps describe how to step through the HCW for the first time, as of April 2016. Even though the HCW is a web-based wizard, you should run it from an Exchange server because some components need local interaction with the server.

Real World. The Hybrid Configuration Wizard is initiated from https://configure.office.com, but the sources are downloaded from https://mshrcstorageprod.blob.core.windows.net/o365exchangehybrid/. If you have a locked-down environment or if Internet Explorer's Enhanced Security is enabled, you will not be able to run the applets unless you add an exception for that hostname to Internet Explorer's safe sites.
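As an added example (not from the book and not Microsoft's wizard code), the following Exchange Management Shell script checks for exactly the condition described above: servers that the hybrid configuration still references but that no longer exist in the organization. It assumes it runs on-premises where a hybrid configuration object already exists, and it uses the same Set-HybridConfiguration cmdlet as the text, with -WhatIf so that the removal is only reported until you drop that switch.

```powershell
# Added example; not from the book or from Microsoft's wizard code.
# Lists servers that the hybrid configuration references but that are no longer
# part of the Exchange organization (the condition that blocks the HCW), then
# removes those references with Set-HybridConfiguration.

$hybrid   = Get-HybridConfiguration
$existing = Get-ExchangeServer | ForEach-Object { $_.Name.ToUpperInvariant() }

# The three multi-valued server properties of the hybrid configuration object.
$roles = 'ReceivingTransportServers', 'SendingTransportServers', 'EdgeTransportServers'
$stale = @()

foreach ($role in $roles) {
    foreach ($server in @($hybrid.$role)) {
        # Entries are AD object identities; Name is the server's short name.
        $name = $server.Name.ToUpperInvariant()
        if ($existing -notcontains $name) {
            $stale += [pscustomobject]@{ Role = $role; Server = $name }
        }
    }
}

if (-not $stale) {
    Write-Host 'The hybrid configuration references only servers that still exist.'
    return
}

$stale | Format-Table -AutoSize

# Remove each stale reference. -WhatIf reports the change without applying it;
# remove the switch once the list above looks right.
foreach ($entry in $stale) {
    $params = @{}
    $params[$entry.Role] = @{ Remove = $entry.Server }
    Set-HybridConfiguration @params -WhatIf
}
```

The comparison is done on the short server name, which is how Get-HybridConfiguration displays the entries; if your organization has servers with the same name in different domains, compare on the distinguished name instead.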
Another issue for automatic configuration is that it requires the wizard to be run from an Exchange server. Although most administrators will likely do this anyway, the EAC could be run from any workstation or server in the organization.

1. Log in to the EAC.
2. Navigate to hybrid and then click configure. If you have not previously logged on to Office 365 in the EAC, you will be asked to do so now; if you have, skip to step 3. Click sign in to Office 365. If you are presented with a cookie warning, make sure that your local domain name is allowed to store cookies on the computer.
3. Before the HCW is loaded, a landing page (configure.office.com) is displayed. This page might seem redundant, but it serves several purposes. First, the page contains a link to the latest public version of the Hybrid Configuration Wizard and is used to start the actual wizard. Secondly, the page allows Microsoft to provide targeted customers with an alternative link to a different version of the Hybrid Configuration Wizard. For instance, customers participating in Microsoft's Preview Program might get a link pointing to a preview version of an updated wizard. Thirdly, the landing page allows Microsoft to detect conditions that might affect your setup experience, such as the browser you use and/or whether you have a popup blocker activated. Once you click the link, the necessary components are downloaded onto your server and the wizard starts. At the time of writing, the total size of the download was around 8 MB. If you have previously run the wizard and no updated version is available, the wizard re-uses the previously downloaded bits. Find click here on the landing page to continue.
4. At this point, the latest HCW code is downloaded. You will be prompted to install the wizard, and you must click Install to continue. Depending on your internet connection speed, this might take anywhere between a few seconds and a few minutes. Once the latest bits have been downloaded and the applets have been initialized, the HCW starts automatically.
5. The first page in the wizard is the Welcome page. This page serves no other purpose than informing you that you are about to start the wizard and providing some information about what the wizard does in the form of links to TechNet documentation. Click next.
The next page is the server detection page. Unlike earlier versions of the wizard, which connected to a server based on the Remote PowerShell connection, you can now determine from which server you want to run the wizard. By default, the wizard selects a server running the highest version of Exchange available in the environment. Typically, this is the server you are using to run the HCW from.

On this page, you can also select which version of Office 365 you use. Today, there are three options: Office 365 (by Microsoft), Office 365 hosted by 21Vianet, or Office 365 Dedicated. The different versions of Office 365 exist to meet specific regional regulations that prevent an organization from signing up for an Office 365 tenant hosted by Microsoft. As such, if you select 21Vianet, the federation trust is not configured. It is possible that this list might expand in the future as new locations that support other requirements become available. Click next to continue.
Now, enter the credentials to connect to both Exchange on-premises and Exchange Online. Unlike previous versions of the wizard, the credentials are verified before you can continue to the next step. If the wizard determines that it cannot connect using the credentials you provided, it allows you to go back and re-enter them. Also, instead of having to type in the credentials for the on-premises environment, you now have the option to use the credentials of the currently logged-on user. Click next. If the credentials were verified successfully, click next again.
Depending on the size of your organization, you might be presented with a web page stating that Microsoft does not believe that creating a hybrid connection is the right option for you. If not, skip this step. While there is no fixed number that determines if and when to use a hybrid connection, it is true that for very small environments other (migration) options might be a better fit. To continue, check the check box next to I understand that a Hybrid Configuration... and then click next.

If this is the first time you run the wizard, and you have not configured a trust with the Azure AD Authentication System beforehand, the wizard guides you through an additional step in which it searches for a domain name that is shared between the Office 365 tenant and the on-premises Exchange organization. For each domain in scope (configurable), you are given a TXT record value which serves as proof of ownership of the domain. If you have multiple domains that could be included in the hybrid configuration, the wizard allows you to add or remove them from the hybrid configuration, and you can designate one of the domains as the so-called Autodiscover domain. This is the domain that is used to determine the on-premises Autodiscover endpoint, which the HCW then uses to configure the hybrid configuration and some of its components, like Organization Relationships.

Even though you already had to go through a similar process when adding the domain(s) to the tenant, you must do so again here. This is because Exchange Federation, which is configured here, uses a separate infrastructure from Office 365 and thus does not know that the domain has already been verified in Office 365.

During the domain federation process, when you copy the value for the TXT record from the Domain Ownership page, the wizard now copies only the actual value of the record instead of including all the metadata.
This minimizes the risk of someone accidentally including the metadata in the value of the record. Once you have added the TXT records to the public-facing DNS zone for the domain(s), select I have created a TXT record for each token in DNS and then click verify domain ownership. If the domains have been validated successfully, click next.
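Before clicking verify domain ownership, it is worth confirming from the server that the proof record is actually visible on the public Internet, because the wizard will otherwise fail on a record that is only cached or only present in an internal zone. The following script is an added example (not from the book or from Microsoft's wizard code). It assumes it runs in the on-premises Exchange Management Shell after the wizard has created the federation trust (Get-FederationTrust returns one), that the server has the DnsClient module that provides Resolve-DnsName, and that the domain names and the public resolver address are placeholders you replace.

```powershell
# Added example; not from the book or from Microsoft's wizard code.
# For each hybrid domain, compares the federation proof that Exchange expects
# with the TXT records actually published in public DNS.

$domains  = 'contoso.com', 'fabrikam.com'   # constructed; use the domains in your hybrid configuration
$resolver = '8.8.8.8'                       # a public resolver, so the check sees what the Internet sees

foreach ($domain in $domains) {
    # Get-FederatedDomainProof returns the proof string for the federation certificate
    # (two rows when a next certificate is staged); the wizard shows the same value
    # on the Domain Ownership page.
    $proofs = @(Get-FederatedDomainProof -DomainName $domain | ForEach-Object { $_.Proof })

    if (-not $proofs) {
        Write-Warning "No federation proof returned for $domain; check Get-FederationTrust first."
        continue
    }

    # Every TXT record published for the domain; multi-string records are joined.
    $published = @(Resolve-DnsName -Name $domain -Type TXT -Server $resolver -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { ($_.Strings -join '').Trim() })

    foreach ($proof in $proofs) {
        [pscustomobject]@{
            Domain     = $domain
            ProofInDns = ($published -contains $proof.Trim())
            Proof      = $proof
        }
    }
}
```

A ProofInDns value of False for a record you have just created usually means the change has not propagated to the public resolver yet; querying the zone's authoritative name server with -Server instead of a public resolver tells you whether the record is at least present at the source.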
Real World. While verifying domain ownership, the wizard must obtain federation information for the on-premises organization. As part of this process, the wizard uses Autodiscover to discover that information. Sometimes, Autodiscover is not configured correctly for the internal organization, which caused previous versions of the wizard to fail. In an attempt to minimize failures during that process, the wizard now automatically attempts to launch an external DNS query by connecting to an external DNS server whenever it detects a problem with the internal Autodiscover process. The wizard then tries to connect to the external Autodiscover endpoint and, hopefully, acquires the required information to proceed. Of course, if Autodiscover is broken both internally and externally, this will not help.

On the following page, you select the options for mail routing. The default is to configure only the selected Client Access and Mailbox servers. However, you can opt to include the configuration of Edge Transport servers as well as to enable centralized mail transport. Click next.
In the next step, you must select the Exchange servers for which the HCW will configure Receive Connectors. Using the drop-down menu, you can select one or more servers and then click next.

The next page (Send Connector Configuration) is similar to the previous one, except that you now select the servers for which the HCW will create a Send Connector. Note that you can only select servers that are running either Exchange 2013 or Exchange 2016. Click next to continue.
After you have selected the servers to include in the hybrid configuration, you must select the appropriate transport certificate. On the Transport Certificate selection page, the wizard allows you to pick the correct certificate from a pre-populated list. The list of available certificates only includes certificates that are present on all selected servers and have been successfully installed and configured for the SMTP service on those servers. If the wizard cannot find a certificate that matches these criteria, a warning is displayed stating that a valid certificate could not be found. You cannot move forward until you correct the issue. Once you have selected the correct certificate (mail.office365lab.be in this example), click next.
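When the wizard reports that no valid certificate could be found, the quickest way to see why is to apply the same filter yourself. The script below is an added example (not from the book or from Microsoft's wizard code) for the on-premises Exchange Management Shell. It assumes the server names are placeholders you replace, and it additionally drops self-signed and expired certificates, which Exchange Online will not accept for TLS, so that the list it prints is the set of certificates that can actually work for hybrid mail flow.

```powershell
# Added example; not from the book or from Microsoft's wizard code.
# Shows which certificates are installed on every server you intend to select
# and are enabled for SMTP, mirroring the wizard's selection criteria.

$servers = 'EX01', 'EX02'   # constructed; the servers chosen on the connector pages

# SMTP-enabled, unexpired, CA-issued certificates per server.
$byServer = @{}
foreach ($server in $servers) {
    $byServer[$server] = @(Get-ExchangeCertificate -Server $server |
        Where-Object { $_.Services -match 'SMTP' -and $_.NotAfter -gt (Get-Date) -and -not $_.IsSelfSigned })
}

# Keep only the certificates (by thumbprint) that every selected server has.
$common = foreach ($cert in $byServer[$servers[0]]) {
    $onAll = $true
    foreach ($server in $servers) {
        if (-not ($byServer[$server] | Where-Object { $_.Thumbprint -eq $cert.Thumbprint })) {
            $onAll = $false
        }
    }
    if ($onAll) { $cert }
}

if (-not $common) {
    Write-Warning 'No SMTP-enabled, CA-issued certificate is present on every selected server; the HCW will not offer one.'
    # Show what each server does have, to spot the server that is missing it.
    foreach ($server in $servers) {
        "$server : " + (($byServer[$server] | ForEach-Object { $_.Thumbprint }) -join ', ')
    }
    return
}

$common | Select-Object Thumbprint, Subject,
    @{ n = 'Domains'; e = { $_.CertificateDomains -join ', ' } },
    NotAfter | Format-Table -AutoSize
```

The Subject and Domains columns let you confirm that the certificate you are about to select actually covers the organization FQDN you will enter a few pages later; a name mismatch there surfaces only once TLS sessions from Exchange Online start failing.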
On the Organization FQDN page, you must enter the endpoint which connects to the on-premises internet-facing Exchange servers. The endpoint is used for sending and receiving mail to and from Office 365, and is also configured as the first migration endpoint for mailbox moves. For example, enter hybrid.domain.com if the public namespace pointing to your on-premises Exchange servers is hybrid.domain.com. Then, click next.

The last page informs you that you are about to make changes to your hybrid configuration. If you are unsure about the changes you have made, you can always go back. Otherwise, clicking update starts the configuration process.
After all input has been gathered, the Hybrid Configuration Engine makes the necessary configuration changes. As part of the process, the engine collects information about the existing environments by executing a set of PowerShell cmdlets, very much like an administrator would do manually. The gathered information contains details on items such as Accepted Domains, the current Organization Configuration, and Organization Relationships.

When the wizard detects the configuration of your environment, it uses the -ADPropertiesOnly switch to gather EWS virtual directory information. This makes the process significantly faster. In previous versions, this process would sometimes take over 8 hours to complete in large environments and cause the wizard to time out as a result. The problem was caused by how the Get-WebServicesVirtualDirectory cmdlet queries information from a remote server. Without the -ADPropertiesOnly switch, the cmdlet requests the data from the IIS metabase on the remote server, resulting in delays that can span multiple minutes per server.

Once the engine finishes collecting the information, it determines the difference between the existing and the requested configuration. If there is a difference, which is the case if you run the wizard for the first time or when you make configuration changes, the engine continues to update the environment's configuration. First, the service domain is added as a Remote Domain and an Accepted Domain to the on-premises environment. Typically, the service domain has the format tenantname.mail.onmicrosoft.com. In addition, the wizard also adds the tenant name (tenant.onmicrosoft.com) as a Remote Domain to the environment.

Next, the engine modifies the default Email Address Policy to include the service domain, so that all recipients in the organization get stamped with the additional proxy address that matches the service domain. This is required to ensure mail flow continues after mailboxes are moved to or from Office 365.
To ensure that existing objects are also stamped, the Email Address Policy is re-applied to all recipients.

Real World. When the email address policy is updated, the wizard uses the -UpdateSecondaryAddressesOnly switch to ensure that no primary email address is changed and only a new proxy address is added. The configuration engine updates the default email address policy assuming that it is applied to each recipient in the organization, and that each recipient is configured to automatically update email addresses based on an email address policy. In many environments, the check box used when setting mailbox properties to automatically update addresses is unchecked and email addresses are added manually on an as-needed basis. Before you can move a mailbox to Exchange Online, it must be stamped with a proxy address based on the service domain and the changes must be synchronized to Office 365. The solution is either to add the proxy address manually or to re-enable automatic updating for the recipients. After the wizard completes, you can use the following PowerShell code to verify whether a recipient was stamped correctly:

[PS] C:\> Get-Mailbox smorris | Select -ExpandProperty EmailAddresses | Format-Table SmtpAddress,Prefix,IsPrimaryAddress -AutoSize

SmtpAddress                               Prefix IsPrimaryAddress
-----------                               ------ ----------------
smorris@hybridexlab1.mail.onmicrosoft.com SMTP   False
smorris@o365.exchangedemo.info            SMTP   True

After recipient configuration, the wizard creates the Organization Relationships between both environments. The Organization Relationships underpin the Exchange Federation capabilities (such as exchanging Free/Busy information) and exist in both the on-premises Exchange organization and Office 365. In both environments, the objects are named similarly: On-Premises to O365 - <GUID> and O365 to On-Premises - <GUID>. The GUID that is used in the Organization Relationships stems from the organization GUID of the on-premises organization and can be queried using the following cmdlet in the on-premises organization:

[PS] C:\> Get-OrganizationConfig | Select Guid

Guid
----
5b394b2f-8d59-4df4-8eb4-a784111a2fe4

After the Organization Relationships have been created, the engine also configures an Availability Address Space. Although the address space is not used in native Exchange 2010, Exchange 2013, or Exchange 2016 environments, or in mixed Exchange 2010/2013/2016 environments, it is added in case a legacy Exchange 2007 server still exists. Of course, this would only apply to Exchange 2010 or 2013, as Exchange 2016 cannot be installed in an Exchange 2007 organization. Adding the availability address space ensures that requests for Free/Busy information originating from an Exchange 2007 mailbox are proxied through an Exchange 2010 or 2013 server.
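The single-mailbox check above scales poorly when you need to know, before a migration batch, which mailboxes in the whole organization still lack the service-domain address. The following script is an added example (not from the book or from Microsoft's wizard code) that generalizes that check and applies one of the two remedies the sidebar describes. It assumes it runs in the on-premises Exchange Management Shell, that the default policy is named Default Policy, and that the service domain is a placeholder you replace; all changes are reported with -WhatIf until you remove that switch.

```powershell
# Added example; not from the book or from Microsoft's wizard code.
# Finds mailboxes without a proxy address in the service domain (they cannot be
# moved yet) and either re-enables policy-based stamping or adds the address by hand.

$serviceDomain      = 'hybridexlab1.mail.onmicrosoft.com'   # constructed; your tenant's service domain
$policyName         = 'Default Policy'
$useManualAddresses = $false   # $true: add addresses by hand for recipients that must keep policy updates off

# 1. The wizard should have added a template for the service domain to the default policy.
$policy = Get-EmailAddressPolicy -Identity $policyName
if (-not ($policy.EnabledEmailAddressTemplates | Where-Object { "$_" -like "*@$serviceDomain" })) {
    Write-Warning "$policyName has no template for $serviceDomain; the wizard did not update it."
}

# 2. Mailboxes with no smtp:<something>@<service domain> proxy address.
#    ProxyAddress objects stringify as 'smtp:user@domain'; -like is case-insensitive,
#    so primary (SMTP:) and secondary (smtp:) entries are both considered.
$unstamped = @(Get-Mailbox -ResultSize Unlimited | Where-Object {
    -not ($_.EmailAddresses | Where-Object { "$_" -like "smtp:*@$serviceDomain" })
})

$unstamped | Select-Object Name, PrimarySmtpAddress, EmailAddressPolicyEnabled | Format-Table -AutoSize

# 3. Remediation, reported only (-WhatIf) until the list above has been reviewed.
foreach ($mbx in $unstamped) {
    if ($useManualAddresses) {
        # The alias is the local part a %m@domain template would generate.
        Set-Mailbox -Identity $mbx.Identity -EmailAddresses @{ Add = "smtp:$($mbx.Alias)@$serviceDomain" } -WhatIf
    } elseif (-not $mbx.EmailAddressPolicyEnabled) {
        Set-Mailbox -Identity $mbx.Identity -EmailAddressPolicyEnabled $true -WhatIf
    }
}

# 4. Re-apply the policy the same way the wizard does: secondary addresses only,
#    so no primary SMTP address is changed.
if (-not $useManualAddresses) {
    Update-EmailAddressPolicy -Identity $policyName -UpdateSecondaryAddressesOnly -WhatIf
}
```

Re-enabling EmailAddressPolicyEnabled also restores any other template in the policy, so a mailbox that was deliberately excluded from the policy can pick up more than the service-domain address; that is why the manual path exists for those recipients.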
Lastly, the wizard makes the necessary configuration changes with regard to mail flow. In the on-premises Exchange organization:

- A new send connector by the name of Outbound to Office 365 is created. The connector is configured to force TLS encryption (-RequireTLS:$true) and updated with the certificate information from the Hybrid Configuration Wizard.
- The Default Receive Connector is modified to enforce TLS for hybrid mail flow and to ensure that SMTP headers from Exchange Online are maintained by setting the AcceptCloudServicesMail attribute to $true.

Similarly, in Exchange Online the following changes are made:

- A new Inbound Connector named Inbound from <GUID> is created, to which the certificate information of the on-premises organization is added so that only connections coming from the on-premises organization are accepted.
- A new Outbound Connector named Outbound to <GUID> is created. If centralized mail flow is not selected, the connector is scoped only to the accepted domains selected in the Hybrid Configuration Wizard. With centralized mail flow, the scope includes all internal and external domains and is depicted by a wildcard. The connector also includes the smart host and certificate information that was entered in the wizard. The latter is used to ensure that mail is encrypted and only sent to the on-premises Exchange servers.
The Hybrid Configuration Wizard also configures OAUTH if it detects that only Exchange 2013 and Exchange 2016 servers are present in the environment. There is no need to run a separate OAUTH wizard, as used to be the case. If you still have older Exchange servers in the environment, like Exchange 2007 or Exchange 2010, the wizard does not configure OAUTH. It is up to the administrator to complete those steps manually afterwards.

As part of the OAUTH configuration, an Intra-Organization Connector is created in both the on-premises environment and Exchange Online. These connectors work in a similar way to the Organization Relationships. In addition to the connectors, several other elements are configured too. If the OAuth configuration wizard fails to successfully configure OAUTH, it automatically disables the Intra-Organization Connectors and notifies you of the problem. This is to ensure that the environment is not left with a corrupt OAUTH configuration, as this can cause all sorts of issues.

Once the wizard has finished configuring both environments, you are presented with a page that confirms the wizard ran successfully. If the process was able to complete but could not perform one or more non-critical actions, you might see a warnings page instead. In the case shown here, the HCW was unable to communicate with the on-premises Autodiscover endpoint, which prevented it from updating some properties on the Organization Relationship in Office 365. In order not to fail the entire process, the HCW used an Autodiscover endpoint based on the domain name(s) included in the hybrid configuration. If you specified multiple domain names, the Autodiscover endpoint for the domain designated as the Autodiscover domain is used.

At this point you have completed your hybrid configuration and you can continue testing various features such as secure mail flow or moving mailboxes to Office 365. Both of these are explained in more detail in Chapter 6.
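A successful wizard run is the point at which to record what was actually configured, because the send connector's TLS requirement, the receive connector's cloud-services capability and the OAuth connector are the settings that keep hybrid mail flow and free/busy from silently degrading to an unauthenticated state later. The script below is an added example (not from the book or from Microsoft's wizard code) that reads back the objects described in the two preceding sections. It assumes it runs in the on-premises Exchange Management Shell, that the connector names are the ones the wizard creates, and that the mailbox address is a placeholder; the two Exchange Online cmdlets at the end are left as comments because they must run in a separate remote PowerShell session connected to the tenant.

```powershell
# Added example; not from the book or from Microsoft's wizard code.
# Reads back the hybrid mail-flow and OAuth objects and the properties that
# matter for their security, after the wizard has completed.

# 1. Outbound send connector: must require TLS and carry the hybrid certificate.
$send = Get-SendConnector -Identity 'Outbound to Office 365' -ErrorAction Stop
$send | Select-Object Name, RequireTLS, TlsAuthLevel, TlsDomain,
    @{ n = 'TlsCertificateName'; e = { "$($_.TlsCertificateName)" } },
    @{ n = 'AddressSpaces';      e = { $_.AddressSpaces -join ', ' } },
    @{ n = 'SmartHosts';         e = { $_.SmartHosts -join ', ' } } | Format-List
if (-not $send.RequireTLS) { Write-Warning "'Outbound to Office 365' does not require TLS." }

# 2. Receive connectors: the wizard stamps a TLS domain capability so that
#    Exchange Online's headers are honoured only over an authenticated TLS session.
Get-ReceiveConnector | Select-Object Server, Name,
    @{ n = 'TlsDomainCapabilities'; e = { $_.TlsDomainCapabilities -join '; ' } } | Format-Table -AutoSize

# 3. Federation objects and the OAuth connector created by the wizard.
Get-OrganizationRelationship |
    Select-Object Name, Enabled, FreeBusyAccessEnabled, TargetAutodiscoverEpr | Format-List
Get-IntraOrganizationConnector | Select-Object Name, Enabled, DiscoveryEndpoint,
    @{ n = 'TargetAddressDomains'; e = { $_.TargetAddressDomains -join ', ' } } | Format-List

# 4. End-to-end OAuth check: an on-premises mailbox obtaining a token for
#    Exchange Online EWS. The mailbox address is constructed.
Test-OAuthConnectivity -Service EWS -TargetUri 'https://outlook.office365.com/ews/exchange.asmx' `
    -Mailbox 'user@contoso.com' | Format-List

# 5. Run these in a session connected to Exchange Online. The inbound connector
#    should be restricted to the on-premises certificate, and the outbound
#    connector scoped to the selected domains (or '*' with centralized transport).
# Get-InboundConnector  | Select-Object Name, ConnectorType, RequireTls, TlsSenderCertificateName, RestrictDomainsToCertificate
# Get-OutboundConnector | Select-Object Name, ConnectorType, TlsSettings, TlsDomain, RecipientDomains, SmartHosts
```

Saving this output alongside the wizard's own log gives you a baseline to diff against after the next wizard run or certificate renewal, which is when these settings most often change unnoticed.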