SVC307: Office 365 Hybrid Architecture and Deployment
Eddie Chua, Onboarding Engineer
Hybrid overview (on-premises <-> Office 365): Exchange Hybrid, SharePoint Hybrid and Lync Hybrid, with an OAuth trust between the on-premises organization and the cloud.
Identity models
- Cloud Identity: no integration with on-premises directories.
- Directory & Password Synchronization: integration without federation.
- Federated Identity: single federated identity and credentials.
* The Federated ID scenario can use Azure AD Sync as a backup in case of a federation platform outage on-premises.
Exchange hybrid (on-premises Exchange organization <-> Office 365)
- Existing Exchange environment: Exchange 2007 or later, plus an Exchange 2013 Client Access & Mailbox server.
- Active Directory synchronization: users, contacts and groups via Azure AD Sync.
- Secure mail flow.
- Sharing: free/busy, MailTips, archive, public folders, etc.
- Mailbox data moved via the Mailbox Replication Service (MRS).
Lync hybrid (on-premises Lync organization <-> Office 365)
- Existing Lync environment: Lync Server 2010 or 2013, with a Lync Edge Server.
- Active Directory synchronization: users, contacts and groups via Azure AD Sync.
- Signaling (SIP) via a split SIP domain.
- Media connectivity (SRTP).
- Migration of data (contact lists / scheduled meetings).
Customer scenarios (the slide's columns: Lync Online and Exchange on-prem; Lync on-prem and Exchange Online; Lync and SharePoint hybrid; each marked Supported / Note)
- View presence or IM a contact in Outlook
- Schedule and join a meeting through Outlook
- View presence or IM a contact in Outlook Web Access
- View presence or IM a contact in the Lync Mobile client
- Join a meeting from the Lync Mobile client
- Modify contact list (via Unified Contact Store in Exchange)
- View or modify contact photo in Lync Web App
- Delegate schedules a meeting on behalf of boss *
- Archiving meeting content
- Searching archived meeting content
- Leaving or retrieving voicemail
- Publish status based on Outlook calendar free/busy
- Missed conversation history and call logs are written to the user's Exchange mailbox
- Schedule a meeting through Outlook Web Access
- View presence or IM a contact in SharePoint
- Search contact by skill keyword
Notes in the table: Exchange 2013 only; Lync Server 2013 and Exchange only, a Lync 2013 client is required; Lync Server 2013 only.
* Supported only when both users are homed online in the same forest or both are homed on-premises.
Exchange hybrid features
- Delegated authentication for on-premises/cloud web services: enables free/busy, calendar sharing, message tracking and online archive.
- Online mailbox moves: preserve the Outlook profile and offline folders; leverage the Mailbox Replication Service (MRS).
- Manage all of your Exchange functions, whether cloud or on-premises, from the same place: the Exchange Admin Center.
- Authenticated and encrypted mail flow between on-premises and the cloud: preserves the internal Exchange message headers, allowing a seamless end-user experience; supports compliance mail flow scenarios (centralized transport).
Exchange Hybrid Wizard history
- Exchange 2013 SP1: multiple Exchange organizations now supported; supports Exchange 2013 Edge.
- Thousands of tenants and millions of mailboxes in Office 365 use Exchange Hybrid.
Hybrid Configuration Engine flow
Step 1: The Update-HybridConfiguration cmdlet triggers the Hybrid Configuration Engine to start.
Step 2: The Hybrid Configuration Engine reads the desired state stored on the HybridConfiguration Active Directory object.
Step 3: The Hybrid Configuration Engine connects via Remote PowerShell to both the on-premises and Exchange Online organizations.
Step 4: The Hybrid Configuration Engine discovers topology data and current configuration from the on-premises Exchange organization and the Exchange Online organization.
Step 5: Based on the desired state, topology data, and current configuration across both the on-premises Exchange and Exchange Online organizations, the Hybrid Configuration Engine establishes the difference and then executes configuration tasks to establish the desired state.
On-premises Exchange objects written by the engine (via the Exchange Management Tools):
- Hybrid Configuration Object (desired state)
- Exchange Server level configuration: Mailbox Replication Service Proxy, certificate validation, Exchange Web Services virtual directory validation, Receive Connector
- Domain level configuration objects: Accepted Domains, Remote Domains, E-mail Address Policies
- Organization level configuration objects: Exchange Federation Trust, Organization Relationship, Availability Address Space, Send Connector
Exchange Online objects written by the engine (via Remote PowerShell):
- Organization level configuration objects: Exchange Federation Trust, Organization Relationship, Forefront Inbound Connector, Forefront Outbound Connector
- Domain level configuration objects: Accepted Domains, Remote Domains
Exchange topologies supported
Exchange 2013 RTM
- Single forest model: accounts and mailboxes in a single forest.
- Resource forest model: multiple account forests, single resource forest.
- 1:1 relationship between an Exchange organization and a single O365 tenant.
Exchange 2013 Service Pack 1 (multi-org hybrid support)
- Supports multiple Exchange organizations configured against a single O365 tenant.
- Multiple forests, each containing accounts and Exchange organizations.
- N:1 relationship between Exchange organizations and a single O365 tenant.
[Diagram: several forests (contoso.com, fabrikam.com), each in hybrid with one Office 365 tenant]
Multi-org hybrid example
- Tenant name: contoso.onmicrosoft.com
- Coexistence name: contoso.mail.onmicrosoft.com
- Forest A: contoso.com, authoritative for contoso.com
- Forest B: fabrikam.com, authoritative for fabrikam.com, shares contoso.com
- Directory synchronization via FIM
- Organization relationship (free/busy, sharing)
- SMTP mail flow (TLS connectors)
- Diagram label: "Not configured by Hybrid Configuration Wizard"
Feedback answered
- Get-FederationInformation fallback logic: if the on-premises Autodiscover endpoint is not published properly when the wizard executes, it will warn, not fail.
- Autodiscover domain: you can now specify which domain is used for the federated Autodiscover query:
  Set-HybridConfiguration -Domains "contoso.com, fabrikam.com, autod:nwtraders.com"
- Email address policy protection measures: new UpdateSecondaryAddressesOnly parameter added to Update-EmailAddressPolicy. Protects customers that have manually edited their directory: only missing proxies will be added; no addresses will be changed or removed. Note: this is still a very bad state to be in.
- Hybrid product key availability: you can now obtain a FREE Exchange 2013 or 2010 Hybrid Edition product key without the dreaded call to support. You can simply go to http://aka.ms/hybridkey
- OAuth wizard: no more manual configuration of OAuth; this is an integrated experience in specific deployment scenarios today.
- Hybrid logging improvements.
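As an added example (not part of the session deck), the following PowerShell ties the items above together: it reads the desired state the engine works from, sets the federated Autodiscover domain with the autod: prefix, lists the mailboxes that have no coexistence proxy yet, adds only the missing secondary addresses with UpdateSecondaryAddressesOnly, re-checks, and then triggers the engine. It assumes the on-premises Exchange Management Shell on Exchange 2013 SP1 or later; contoso.com, fabrikam.com, nwtraders.com and contoso.mail.onmicrosoft.com are the slides' placeholder names.

```powershell
# Added example, not from the session deck. Assumes the on-premises Exchange
# Management Shell on Exchange 2013 SP1+ and the placeholder domains from the slides.

# 1. The desired state the Hybrid Configuration Engine reads from the
#    HybridConfiguration Active Directory object
Get-HybridConfiguration | Format-List Domains, Features, TlsCertificateName, OnPremisesSmartHost

# 2. Name the domain that answers the federated Autodiscover query (autod: prefix)
Set-HybridConfiguration -Domains "contoso.com, fabrikam.com, autod:nwtraders.com"

# 3. Pre-check before touching address policies: which mailboxes have no
#    <alias>@contoso.mail.onmicrosoft.com proxy? These are the ones the
#    UpdateSecondaryAddressesOnly pass will add an address to.
$coexistenceDomain = 'contoso.mail.onmicrosoft.com'
$missingProxy = Get-Mailbox -ResultSize Unlimited | Where-Object {
    -not ($_.EmailAddresses | Where-Object { "$_" -like "*@$coexistenceDomain" })
}
$missingProxy | Select-Object Name, PrimarySmtpAddress | Format-Table -AutoSize

# 4. Add only the missing secondary addresses; existing addresses are not
#    changed or removed (the protection measure described on the slide)
Get-EmailAddressPolicy | Update-EmailAddressPolicy -UpdateSecondaryAddressesOnly

# 5. Re-check: mailboxes still without the proxy are the manually edited ones
#    the policy does not cover (e.g. EmailAddressPolicyEnabled set to $false)
$stillMissing = Get-Mailbox -ResultSize Unlimited | Where-Object {
    -not ($_.EmailAddresses | Where-Object { "$_" -like "*@$coexistenceDomain" })
}
"Mailboxes still missing the coexistence proxy: $(@($stillMissing).Count)"

# 6. Kick off the Hybrid Configuration Engine (step 1 of the engine flow)
$onPremCred = Get-Credential -Message 'On-premises Exchange admin'
$tenantCred = Get-Credential -Message 'Office 365 tenant admin'
Update-HybridConfiguration -OnPremisesCredentials $onPremCred -TenantCredentials $tenantCred
```

The re-check in step 5 matters because a mailbox with the policy disabled keeps whatever addresses were hand-edited; those are exactly the objects the slide calls "a very bad state", and listing them before the engine runs is cheaper than debugging a failed mailbox move later.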
Hybrid product key (http://aka.ms/hybridkey)
You get a free Hybrid Edition key if:
- You have an existing, non-trial, Office 365 Enterprise subscription.
- You currently do not have a licensed Exchange 2013 or Exchange 2010 SP3 server in your on-premises organization.
- You will not host any on-premises mailboxes on the Exchange 2013 or Exchange 2010 SP3 server on which you apply the Hybrid Edition product key.
For IE 11 only; other browsers will get the link to the KB.
Short link: http://aka.ms/hybridkey
KB link: http://support.microsoft.com/kb/2939261
What does this button do?
- There is now an automated configuration for OAuth!
- OAuth allows us to perform cross-premises discovery searches and cross-premises archive moves.
- OAuth can be used for much more, and actually is for 21Vianet customers (Greater China region).
- OAuth is a replacement for the feature previously relied on, called XTC, and will be used for many additional features in the future.
- Click-once application.
HEY! Where is the OAuth config button?
Do you have:
- Exchange 2013 SP1 or later in the environment?
- The Exchange 2013 CU5 or later version of the HCW running?
So, just because you have 2010 and/or 2007 you cannot use OAuth? Actually, you can use OAuth in a coexistence organization; you would have to run the steps manually (documented on TechNet). Forcing you to run scripts and manually configure this is something that we are aiming to remove in future updates, but for now.
Do all hybrid features use OAuth?
Currently the only hybrid features that require OAuth by default are cross-premises discovery and certain cross-premises archive features. Keep in mind this is not changing the way features worked before we introduced OAuth; it is instead adding new functionality that has not been there since the release of Wave 15. Having regular hybrid and OAuth configured will give you the most complete, robust feature set for your hybrid deployment.
eDiscovery scenario -> Requires OAuth?
- Search Exchange on-premises mailboxes and Exchange Online mailboxes in the same eDiscovery search initiated from the Exchange on-premises organization. -> Yes
- Search Exchange on-premises mailboxes that use Exchange Online Archiving for cloud-based archive mailboxes. -> Yes
- Search Exchange Online mailboxes from an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer. -> Yes
- Search on-premises mailboxes using an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer. -> No
- Search Exchange Online mailboxes from an eDiscovery search initiated from Exchange Online or the eDiscovery Center in SharePoint Online by an Office 365 tenant administrator or a compliance officer signed in to an Office 365 user account. -> No
What about Free Busy?
What about free/busy? Refresher
[Diagram: on-premises user Ben sends a free/busy request (from Ben to Joe) to the on-premises Client Access Server and Mailbox Server; Joe is in Exchange Online, so the request is authorized through the Microsoft Federation Gateway.]
What about free/busy (2013) with OAuth?
[Diagram: on-premises user Ben -> Client Access Server -> Mailbox Server; Microsoft Federation Gateway; free/busy request from Ben to Joe in Exchange Online.]
Free/busy works through a series of checks:
1st, we check whether we can find the free/busy locally.
2nd (if the mailbox is not local), we check for an IOC (IntraOrganizationConnector).
3rd (if there is no IOC), we check for an Organization Relationship.
4th, we then check for an Availability Address Space.
The key point here is that OAuth is not a fallback option for free/busy; it is one or the other, and the OAuth method gets the preference. 21Vianet simply does not have an Organization Relationship or a federation trust and relies only on OAuth.
What about free/busy from 2010 with OAuth?
[Diagram: Ben, homed on Exchange 2010, sends a free/busy request (from Ben to Joe) through Exchange 2013 to Joe.]
Free/busy works through a series of checks:
1st, we check whether we can find the free/busy locally.
2nd, we check for an Organization Relationship.
3rd, we then check for an Availability Address Space.
What if there is still an Org Relationship for 2010?
[Diagram: Ben, homed on Exchange 2013, sends a free/busy request (from Ben to Joe); Exchange 2010 is still present in the organization.]
Free/busy works through a series of checks:
1st, we check whether we can find the free/busy locally.
2nd, we check for an Organization Relationship.
3rd, we then check for an Availability Address Space.
What about free/busy from 2007 with OAuth?
[Diagram: Ben, homed on Exchange 2007, sends a free/busy request (from Ben to Joe) through Exchange 2013 to Joe.]
Free/busy works through a series of checks:
1st, we check whether we can find the free/busy locally.
2nd, we then check for an Availability Address Space.
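The following diagnostic is an added example, not from the deck: it walks the check order the free/busy slides describe for an Exchange 2013 organization (local mailbox, then IntraOrganizationConnector, then Organization Relationship, then Availability Address Space) against the live configuration and reports which path a given target address would take. The order comes from the slides; reading each stage through Get-Recipient, Get-IntraOrganizationConnector, Get-OrganizationRelationship and Get-AvailabilityAddressSpace is an assumption about how to observe it and simplifies the real Availability service logic. It assumes the on-premises Exchange Management Shell; joe@contoso.com is a placeholder.

```powershell
# Added diagnostic, not from the session deck. The check order is the one the
# slides describe for Exchange 2013; the cmdlet-based view of each stage is an
# assumption that simplifies the real Availability service logic.
function Resolve-FreeBusyPath {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$TargetAddress)

    $domain = ($TargetAddress -split '@')[-1]

    # 1st: is the target homed locally? A local mailbox ends the search here.
    $recipient = Get-Recipient -Identity $TargetAddress -ErrorAction SilentlyContinue
    if ($recipient) {
        $type = "$($recipient.RecipientTypeDetails)"
        if ($type -like '*Mailbox' -and $type -notlike 'Remote*') {
            return [pscustomobject]@{ Target = $TargetAddress; Path = 'Local'; Via = $type }
        }
        # A remote mailbox object points at its target address in the other
        # premises; the lookup continues with that domain.
        if ($type -like 'Remote*' -and $recipient.ExternalEmailAddress) {
            $domain = ("$($recipient.ExternalEmailAddress)" -split '@')[-1]
        }
    }

    # 2nd: an enabled IntraOrganizationConnector covering the domain -> OAuth.
    # No fallback from here: if this path is chosen and fails, DAuth is not tried.
    $ioc = Get-IntraOrganizationConnector | Where-Object {
        $_.Enabled -and ($_.TargetAddressDomains | Where-Object { "$_" -eq $domain })
    } | Select-Object -First 1
    if ($ioc) {
        return [pscustomobject]@{ Target = $TargetAddress; Path = 'OAuth (IntraOrganizationConnector)'; Via = "$($ioc.DiscoveryEndpoint)" }
    }

    # 3rd: an Organization Relationship that lists the domain and permits
    # free/busy -> DAuth through the Microsoft Federation Gateway.
    $rel = Get-OrganizationRelationship | Where-Object {
        $_.Enabled -and $_.FreeBusyAccessEnabled -and ($_.DomainNames | Where-Object { "$_" -eq $domain })
    } | Select-Object -First 1
    if ($rel) {
        return [pscustomobject]@{ Target = $TargetAddress; Path = 'DAuth (OrganizationRelationship)'; Via = "$($rel.TargetSharingEpr)" }
    }

    # 4th: an Availability Address Space for the domain (the only cross-premises
    # option an Exchange 2007 organization has, per the 2007 slide).
    $aas = Get-AvailabilityAddressSpace | Where-Object { "$($_.ForestName)" -eq $domain } | Select-Object -First 1
    if ($aas) {
        return [pscustomobject]@{ Target = $TargetAddress; Path = 'AvailabilityAddressSpace'; Via = "$($aas.AccessMethod)" }
    }

    [pscustomobject]@{ Target = $TargetAddress; Path = 'None'; Via = "no IOC, organization relationship or address space matches $domain" }
}

# Usage with a placeholder address from the slides
Resolve-FreeBusyPath -TargetAddress 'joe@contoso.com'
```

A result of "OAuth (IntraOrganizationConnector)" for a domain that also has an Organization Relationship is the situation the slide warns about: the relationship will not be used as a fallback, so an OAuth failure shows up as missing free/busy rather than as a DAuth retry.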
DAuth vs OAuth
DAuth
- Uses the Microsoft Federation Gateway for token generation.
- Configured through Organization Relationships.
- Controls what companies you share information with.
- Allows granular control of what features are available (free/busy, MailTips).
OAuth
- Uses the Auth Server in Azure AD (better resiliency and faster in-forest communications).
- Configured through IntraOrganizationConnectors / IntraOrganizationConfiguration.
- Controls what companies you can share information with.
- No granular control of the feature set (all or nothing).
In order to test OAuth after the HCW is run or the manual configuration is done, you will want to:
1st, get a cup of coffee.
2nd, kick off your shoes, maybe start that book you were eyeing.
3rd, after ~45 minutes, run the verification cmdlets:
Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox <On-Premises Mailbox> -Verbose | fl
and
Test-OAuthConnectivity -Service EWS -TargetUri <external hostname authority of your Exchange On-Premises deployment> -Mailbox <Exchange Online Mailbox> -Verbose | fl
Running Get-AuthServer from the on-premises environment will yield the metadata and trust information used by OAuth:
- TokenIssuingEndpoint: the endpoint we connect to for delegation token retrieval.
- AuthMetadataUrl: the tenant-specific endpoint for token validation.
- CertificateString: similar to the certificate metadata exchange we do with the traditional MFG trust.
Running Get-ExchangeCertificate will reveal that a new self-signed certificate is created for OAuth communication. The public hash of this certificate is exchanged with the trust broker (the Auth Server).
Running Get-IntraOrganizationConfiguration from both on-premises and the cloud yields one full set of results. Between them you can see that we have one full set of the data needed for the proper URL that will be used to communicate with the opposing organization. Similar information was in the AutodiscoverURI and TargetSharingEPR values in organization relationships.
Running Get-IntraOrganizationConnector from both premises shows the rest of the configuration:
- DiscoveryEndpoints are obtained from the IntraOrganizationConfiguration.
- TargetAddressDomain means the same thing it meant in an organization relationship: the domain name this IOC applies to.
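As an added example (not from the deck), this script runs the verification cmdlets from the slides in both directions after the wait, flags any test whose ResultType is not Success, and then dumps the trust objects the preceding paragraphs describe (auth server metadata, the self-signed OAuth certificate via Get-AuthConfig, the IntraOrganizationConfiguration and the connector). It assumes the on-premises Exchange Management Shell; mail.contoso.com stands in for the external host name of the on-premises deployment, and the two mailbox addresses are placeholders.

```powershell
# Added example, not from the session deck. Assumes the on-premises Exchange
# Management Shell; host name and mailboxes are placeholders.
$onPremMailbox = 'ben@contoso.com'                              # placeholder on-premises mailbox
$cloudMailbox  = 'joe@contoso.com'                              # placeholder Exchange Online mailbox
$onPremEwsUri  = 'https://mail.contoso.com/ews/exchange.asmx'   # placeholder external EWS authority
$exoEwsUri     = 'https://outlook.office365.com/ews/exchange.asmx'

function Test-HybridOAuth {
    # Both directions from the slide: on-prem mailbox -> EXO, EXO mailbox -> on-prem
    $results = @(
        Test-OAuthConnectivity -Service EWS -TargetUri $exoEwsUri    -Mailbox $onPremMailbox -Verbose
        Test-OAuthConnectivity -Service EWS -TargetUri $onPremEwsUri -Mailbox $cloudMailbox  -Verbose
    )
    foreach ($r in $results) {
        if ("$($r.ResultType)" -ne 'Success') {
            # Detail carries the token-request trace; that is where a wrong
            # AuthMetadataUrl or an untrusted certificate shows up.
            Write-Warning "OAuth test failed: $($r.Task)`n$($r.Detail)"
        } else {
            Write-Output "OK: $($r.Task)"
        }
    }
    $results
}

Test-HybridOAuth

# Trust metadata used by OAuth (TokenIssuingEndpoint / AuthMetadataUrl from the slide)
Get-AuthServer | Format-List Name, IssuerIdentifier, TokenIssuingEndpoint, AuthMetadataUrl, Enabled

# The self-signed certificate created for OAuth; its thumbprint is what the
# auth server was given, so confirm it exists and is not about to expire
$authCfg = Get-AuthConfig
Get-ExchangeCertificate -Thumbprint $authCfg.CurrentCertificateThumbprint |
    Format-List Subject, Thumbprint, NotAfter

# Cross-premises endpoints (the IntraOrgConfig half) and the connector that uses them
Get-IntraOrganizationConfiguration |
    Format-List OnPremiseTargetAddresses, OnlineTargetAddress, OnPremiseDiscoveryEndpoint, OnlineDiscoveryEndpoint
Get-IntraOrganizationConnector | Format-List Name, TargetAddressDomains, DiscoveryEndpoint, Enabled
```

Run the same Get-IntraOrganizationConfiguration and Get-IntraOrganizationConnector lines from a remote PowerShell session to Exchange Online as well; as the slides note, each side holds half of the picture, and a connector whose DiscoveryEndpoint does not match the opposing side's configuration is the usual cause of a failed OAuth free/busy or discovery call.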
What are the hybrid public folder options?
Option 1: O365 mailboxes access legacy PFs on-prem.
Option 2: O365 mailboxes access modern PFs on-prem.
Option 3: Exchange 2013 on-prem mailboxes access modern PFs in O365.
Documentation in process.
Mailbox version      | PF location: 2007 on-prem | 2010 on-prem | 2013 on-prem | Exchange Online
Exchange 2007        | Yes | Yes | No  | No
Exchange 2010        | Yes | Yes | No  | No
Exchange 2013        | Yes | Yes | Yes | Yes
New Exchange Online  | Yes | Yes | Yes | Yes
Configure legacy PF access
Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes PFMbx1,PFMbx2
Hybrid PF access
1. Outlook connects to the cloud mailbox, starting by querying autod.contoso.com.
2. Autodiscover responds with the target address for the cloud mailbox.
3. Outlook does AutoD for the target address contoso.mail.onmicrosoft.com.
4. EXO responds with the PF mailbox information obtained from the organization config or set explicitly on the mailbox:
   <PublicFolderInformation> <SmtpAddress>PFmailbox1@Contoso.com</SmtpAddress>
5. Outlook performs an AutoD against PFmailbox1@Contoso.com (on-premises).
6. Outlook Anywhere settings are returned, including the server name of the PF/CAS instead of the CAS array.
7. When PF access is initiated, you then make an OA connection: authenticate as the user over the public folder mailbox, proxied to the PF server (running the CAS role).
Configure modern PF access
Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes PFMbx1,PFMbx2
Configure legacy PF access: mail-enabled public folder (MEPF) objects
DirSync currently does not sync MEPF objects in either direction. We recommend customers run the following scripts periodically to sync MEPF objects from on-premises to the cloud directory. The scripts below work for E2010/E2007 on-premises.
Export-MailPublicFoldersForMigration.ps1 -ExportFile [exportfilename]   (run on-premises)
Import-MailPublicFolders.ps1 -ImportFile [importfilename]   (run in the cloud)
The scripts are linked on TechNet but are now also in the Scripts container on the Exchange server. In the future we plan to eliminate the script and rely on DirSync.
Known issue with the script: when we import the MEPF, we stamp all of the accepted domains that are verified in the tenant, not just the domains that were added as proxy addresses. Why is that an issue?
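As an added example (not from the deck), the following PowerShell performs the public folder configuration from the slides end to end: the on-premises MEPF export, the Exchange Online Set-OrganizationConfig call pointing cloud mailboxes at the on-premises PF mailboxes, the import, and then a check for the known issue, listing every imported MEPF that carries a proxy address in a domain you did not stamp on-premises. PFMbx1/PFMbx2, C:\Temp\mepf.xml and contoso.com are placeholders; the script path assumes the Scripts folder under the Exchange install path, as the slide says; the last two sections assume a remote PowerShell session to Exchange Online.

```powershell
# Added example, not from the session deck. Placeholders: PFMbx1/PFMbx2,
# C:\Temp\mepf.xml, contoso.com. Scripts are assumed to live under the Exchange
# install path's Scripts folder as the slide states.

# --- On-premises (Exchange 2007/2010 legacy PFs): export the MEPF objects ---
$exportFile = 'C:\Temp\mepf.xml'
$scriptDir  = Join-Path $env:ExchangeInstallPath 'Scripts'
& (Join-Path $scriptDir 'Export-MailPublicFoldersForMigration.ps1') -ExportFile $exportFile

# --- Exchange Online (remote PowerShell session): point cloud mailboxes at the
#     on-premises PF mailboxes, then import the MEPF objects ---
Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes PFMbx1,PFMbx2
& (Join-Path $scriptDir 'Import-MailPublicFolders.ps1') -ImportFile $exportFile

# --- Known-issue check: the import stamps every verified accepted domain in
#     the tenant. List the MEPF proxies whose domain is not one you actually
#     use on-premises so they can be reviewed before mail is routed to them. ---
function Get-UnexpectedMepfProxy {
    param([string[]]$OnPremDomains)   # domains really stamped on-premises (placeholder list below)
    Get-MailPublicFolder -ResultSize Unlimited | ForEach-Object {
        $folder = $_
        $extra = $folder.EmailAddresses | Where-Object {
            $addr = "$_"
            # only SMTP proxies; -like is case-insensitive so SMTP: and smtp: both match
            if ($addr -notlike 'smtp:*') { return $false }
            $domain = ($addr -split '@')[-1]
            $OnPremDomains -notcontains $domain
        }
        if ($extra) {
            [pscustomobject]@{ Folder = $folder.Name; UnexpectedProxies = ($extra -join '; ') }
        }
    }
}

Get-UnexpectedMepfProxy -OnPremDomains @('contoso.com') | Format-Table -AutoSize
```

Because the import is meant to be run periodically, the check belongs in the same scheduled job: a proxy in an unexpected domain is an address that receives mail nobody planned for, and it is easier to catch on each sync than after a message has been delivered to it.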
Error: Subtask CheckPrereqs execution failed: Check Tenant Prerequisites. Deserialization fails due to one SerializationException: Microsoft.Exchange.Compliance.Serialization.Formatters.BlockedTypeException: The type to be (de)serialized is not allowed: Microsoft.Exchange.Data.Directory.DirectoryBackendType
Cause: we modified the Office 365 schema in order to allow certain (non-PII) information about your on-premises environment to be captured (run get-onpremisesconfiguration); some of these schema changes were not supported by the HCW.
Solution: update to CU6 / CU7.
Cause: we previously defaulted to allowing zero corrupt items with a hybrid move.
Solution: it was determined that allowing 10 corrupt items in a move allowed 90+% of the moves that failed with this issue to succeed. We now allow 10 corrupted items per mailbox and properly report on the skipped items.
Issue: when you move an item that is over 35 MB in size, the move will fail.
Solution: we are working on adjusting this limit to make sure that most moves will succeed. We have to have limits, and the limits are tied to transport limits, so this is not trivial.
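As an added example (not from the deck), this PowerShell starts a hybrid onboarding move with the 10-item corrupt-item allowance the slide mentions and then pulls the move report so that skipped items and any large-item failure are visible rather than silent. It assumes a remote PowerShell session to Exchange Online; ben@contoso.com, mail.contoso.com and contoso.mail.onmicrosoft.com are placeholders, and the Report members read at the end (BadItems, LargeItems, Failures) are the ones a 2013-era move report carries.

```powershell
# Added example, not from the session deck. Assumes a remote PowerShell session
# to Exchange Online; identity, MRS proxy host and delivery domain are placeholders.
$identity       = 'ben@contoso.com'
$mrsProxyHost   = 'mail.contoso.com'                # on-premises MRS proxy endpoint (placeholder)
$deliveryDomain = 'contoso.mail.onmicrosoft.com'    # coexistence domain (placeholder)
$onPremCred     = Get-Credential -Message 'On-premises migration admin'

# Onboarding move with the default 10 corrupt items the slide describes made explicit
New-MoveRequest -Identity $identity -Remote -RemoteHostName $mrsProxyHost `
    -RemoteCredential $onPremCred -TargetDeliveryDomain $deliveryDomain -BadItemLimit 10

function Get-MoveSkipSummary {
    # Returns counts plus the report entries for what MRS skipped or could not move
    param([Parameter(Mandatory)][string]$Identity)
    $stats = Get-MoveRequestStatistics -Identity $Identity -IncludeReport
    [pscustomobject]@{
        Identity        = $Identity
        Status          = "$($stats.Status)"
        PercentComplete = $stats.PercentComplete
        BadItems        = $stats.BadItemsEncountered      # corrupt items skipped under BadItemLimit
        LargeItems      = $stats.LargeItemsEncountered    # items over the size limit (the 35 MB case)
        FailureType     = "$($stats.FailureType)"
        Message         = "$($stats.Message)"
        BadItemDetail   = @($stats.Report.BadItems)
        LargeItemDetail = @($stats.Report.LargeItems)
        LastFailures    = @($stats.Report.Failures | Select-Object -Last 3)
    }
}

# Later (or on a schedule): surface what was skipped and why a move stalled
$summary = Get-MoveSkipSummary -Identity $identity
$summary | Format-List Identity, Status, PercentComplete, BadItems, LargeItems, FailureType, Message
$summary.BadItemDetail   | Format-List
$summary.LargeItemDetail | Format-List
$summary.LastFailures    | Format-List
```

The BadItems count is the number the slide says is now "properly reported"; record it per mailbox, because every skipped item is data that did not arrive, and a user who later asks where a message went needs that list rather than a successful move status.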
Cause 1: we changed the naming convention for organization relationships to support multi-forest.
Solution 1: use the latest builds of Exchange 2013, where the issue has been addressed.
Cause 2: you got too creative with the deployment and did not deploy 2013 properly.
Solution 2: deploy 2013 properly; hybrid is NOT a separate role and should be deployed correctly.
Cause: you ran the HCW with SP2 before we knew about multi-forest.
Solution: remove the connectors and rerun the HCW.
Content: http://support.microsoft.com/kb/2977293
and MFG
Cause: XTC has been retired and (undocumented) OAuth was the replacement.
Documented: http://technet.microsoft.com/en-us/library/dn497703(v=exchg.150).aspx
Resolution: implement OAuth for hybrid discovery searches. OAuth and IOC are an option when the Exchange servers are 2013 SP1+ and you run the HCW from CU5. If you have a legacy mix, you have to use the manual steps. For Gallatin, you need to ensure the Availability Address Space is configured.
I cannot see cross-premises free/busy? Happy retirement, consumer MFG!!
Cause: the consumer MFG was retired on February 25, 2014.
Resolution: recreate the federation trust and organization relationships.
Documented: http://support.microsoft.com/kb/2937358
"Length of the property is too long"
Cause: the TLS certificate name is greater than 256 characters.
Documented: http://support.microsoft.com/kb/2860844
Resolution: coming soon; for now you need to get a different certificate (this one has been fixed 3 times now).
Often, customers need guidance on how to configure their perimeter devices. Here is a wiki on how to configure TMG for hybrid: http://community.office365.com/en-us/wikis/exchange/1042.aspx?sort=mostrecent&pageindex=1
Error: mailbox move to the cloud fails with error: Transient error CommunicationErrorTransientException has occurred. The system will retry.
Cause: intrusion detection systems can often see migration traffic as an attack; flood mitigation in TMG can cause this as well.
This wiki explains how to address the issue: http://community.office365.com/en-us/wikis/exchange/office-365-move-mailbox-fails-with-transient-exception.aspx
Cause: timeout issues are not handled well by the HCW (we are getting better). Running the HCW a second time is often all that is needed.
"InvalidUri: Passed URI is not valid"
Cause: there are certain words, such as bank, profanity and large org names, that are blocked from federating. Calling support is the only option to resolve the issue.
Documented: http://support.microsoft.com/kb/2615183
This is being looked at and may be a thing of the past soon.
Common issues: runtime
[Diagram: a cloud free/busy request for mail.contoso.com arrives at a Layer 4 load balancer in the Internet-facing site and reaches the E2013 CAS, which HTTP-proxies it cross-site to the E2010 CAS in the intranet site; E2013 MBX and E2010 MBX sit behind their respective CAS.]
Set the 2010 ExternalUrl to: mail.contoso.com
Resolution: http://technet.microsoft.com/en-us/library/hh529912(v=exchg.150).aspx
Cause: bad password for the admin, publishing issues, MRS disabled, etc.
Errors: NONE. The error in Wave 14 was the following, but in Wave 15 there isn't an indication of failure:
Resolution: use the EAC in EXO.
Common issues: runtime
From Exchange 2010 SP3 RU2 you will see the domain proof missing. Workaround: use the Shell: Get-FederatedDomainProof. This is addressed in Exchange 2010 SP3 RU3.
From Exchange 2010 SP3 RU2 you will not be able to add additional domains to a federation trust from the UI; you have to use the Shell as a workaround. This has been addressed in Exchange 2010 SP3 RU3.
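As an added example (not from the deck), this is the Shell workaround for both RU2 symptoms above in the order the trust requires: retrieve the domain proof, publish it as a DNS TXT record, confirm the record is visible, and only then add the domain to the federation trust. fabrikam.com is a placeholder; Resolve-DnsName is assumed to be available (it ships with the DnsClient module on Windows 8 / Server 2012 and later), and the Proof and Thumbprint members of the Get-FederatedDomainProof output are the ones the cmdlet returns.

```powershell
# Added example, not from the session deck. fabrikam.com is a placeholder domain.
$domainName = 'fabrikam.com'

# 1. The proof the UI no longer shows on Exchange 2010 SP3 RU2
$proof = Get-FederatedDomainProof -DomainName $domainName
$proof | Format-List DomainName, Thumbprint, Proof

# 2. Publish $proof.Proof as a TXT record on $domainName in public DNS (done
#    at the DNS provider, not here), then confirm it is resolvable before the
#    trust tries to validate it.
function Test-FederationProofRecord {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [Parameter(Mandatory)][string]$ExpectedProof
    )
    # Assumption: Resolve-DnsName (DnsClient module, Windows 8 / Server 2012+)
    $txt = Resolve-DnsName -Name $DomainName -Type TXT -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Strings } | ForEach-Object { "$_" }
    [bool]($txt -contains $ExpectedProof)
}

if (-not (Test-FederationProofRecord -DomainName $domainName -ExpectedProof "$($proof.Proof)")) {
    throw "TXT proof record for $domainName is not visible in DNS yet; wait for propagation before adding the domain."
}

# 3. Add the domain to the federation trust from the Shell (the UI path that
#    fails on RU2); the cmdlet validates the TXT proof it just found.
Add-FederatedDomain -DomainName $domainName
Get-FederatedOrganizationIdentifier | Format-List AccountNamespace, Domains, Enabled
```

Checking the TXT record yourself first avoids the least informative failure mode here: Add-FederatedDomain rejecting a domain because a record that was only just created has not propagated to the resolver the Exchange server uses.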
Session Evaluation http://aka.ms/svc307