Office 365 Exchange on-premises Mailbox data MRS Calendaring & Free/Busy Messaging Address Book.

Transcript of Office 365 Exchange on-premises Mailbox data MRS Calendaring & Free/Busy Messaging Address Book.

  • Slide 4
  • Office 365 Exchange on-premises Mailbox data MRS Calendaring & Free/Busy Messaging Address Book
  • Slide 5
    • Delegated authentication for on-premises/cloud web services: enables free/busy, calendar sharing, message tracking and online archive
    • Online mailbox moves: preserve the Outlook profile and offline folders; leverages the Mailbox Replication Service (MRS)
    • Manage all of your Exchange functions, whether cloud or on-premises, from the same place: the Exchange Admin Center
    • Authenticated and encrypted mail flow between on-premises and the cloud: preserves the internal Exchange message headers, allowing a seamless end-user experience; supports compliance mail flow scenarios (centralized transport)
  • Slide 6
    • No additional servers; cloud IDs only; OST sync; all at once
    • DirSync needed; no 2010/2013; OST sync; batch approach
    • DirSync/identity management; Hybrid Configuration Wizard, OAuth, MRS; auto profile updates; batch approach; offboarding; rich coexistence
  • Slide 7
    • The Hybrid Configuration Engine (Exchange Management Tools) sits between the on-premises Exchange organization and Exchange Online and talks to both over Remote PowerShell, driving the configuration toward the desired state.
    • Step 1: The Update-HybridConfiguration cmdlet triggers the Hybrid Configuration Engine to start.
    • Step 2: The Hybrid Configuration Engine reads the desired state stored on the HybridConfiguration Active Directory object.
    • Step 3: The Hybrid Configuration Engine connects via Remote PowerShell to both the on-premises and Exchange Online organizations.
    • Step 4: The Hybrid Configuration Engine discovers topology data and current configuration from the on-premises Exchange organization and the Exchange Online organization.
    • Step 5: Based on the desired state, topology data, and current configuration across both organizations, the Hybrid Configuration Engine establishes the difference and then executes configuration tasks to establish the desired state.
    • Objects configured on-premises: organization level (Exchange Federation Trust, Organization Relationship, Availability Address Space, Send Connector); domain level (Accepted Domains, Remote Domains, E-mail Address Policies); Exchange server level (Mailbox Replication Service Proxy, Certificate Validation, Exchange Web Service Virtual Directory Validation, Receive Connector)
    • Objects configured in Exchange Online: organization level (Exchange Federation Trust, Organization Relationship, Forefront Inbound Connector, Forefront Outbound Connector); domain level (Accepted Domains, Remote Domains)
  • Slide 8
    • Exchange Hybrid scenario
    • On-premises Exchange organization: existing Exchange environment (Exchange 2007 or later) plus Exchange 2013 client access and mailbox servers
    • Office 365: Active Directory synchronization of users, contacts and groups via Azure AD Sync
    • Between the two: secure mail flow; mailbox data via the Mailbox Replication Service (MRS); sharing (free/busy, MailTips, archive, etc.)
  • Slide 10
    • Exchange Hybrid Wizard history
    • Exchange 2013 SP1: multiple Exchange organizations now supported; supports Exchange 2013 Edge
    • What is coming next?
  • Slide 11
    • Multi-forest hybrid with AADSync (TAP ongoing)
    • Improvements to OAuth to support multi-forest
    • Resolving the common upgrade issues (upgrade from 2010/2013)
    • Better diagnostics built in (HCW and other troubleshooters)
    • Service validation for HCW (hybrid tested in EVERY forest EVERY day)
    • Stand-alone HCW (new web-based HCW): HCW updates no longer tied to CUs; HCW looks and feels familiar
  • Slide 12
    • Stand-alone HCW: Exchange 2013 and E16 can use it
    • Allows for agility with feature releases and for changes outside of CUs
    • Allows for proper piloting of features
    • Looks and feels familiar
    • Allows us to fix issues quickly and to add improvements to the HCW experience
    • The newest version is used by EVERYONE
  • Slide 15
    • Identity options: Active Directory Federation Services (AD FS); Password Hash Synchronization (PW Sync); Cloud IDs (online username and password)
    • A lot of organizations deploy AD FS because of different benefits: near-seamless logons (single sign-on); the most flexible solution for various clients such as Outlook, EAS etc.; more granular control over authentication
    • Most organizations deploy Password Hash Synchronization
  • Slide 17
    • Cloud ID sign-in flow: the client requests mail (including username/password) → the service attempts sign-in against the Identity Provider (OrgID), backed by the Directory → auth token returned → success, mail returned
  • Slide 18
    • Modern (passive) auth sign-in flow: the client asks to sync mail → the service answers that sign-in is needed first → the client attempts sign-in against the Identity Provider (EvoSTS), backed by the Directory, using passive auth (SAML token) → auth token returned → the client syncs mail with the token → success, mail returned
  • Slide 20
    • Ted is happily using his Windows Phone ("This camera is awesome!")
    • Then one day: 0x86000C16. Ted's mailbox was moved to the cloud.
    • The old way: the nerdy admin has no option but to recreate the profile ("Back in my day we just shut up and recreated profiles")
    • So what do we do now?
  • Slide 21
    • The user is connected to the on-premises mailbox; the mailbox moves to the cloud; the user tries to sync again
    • The CAS determines that the user is remote (based on the target address, TA), then checks whether the domain name is in an Organization Relationship. If it is and that relationship has a Target OWA URL, the CAS uses it to perform an HTTP 451 redirect
    • The user connects seamlessly to the cloud
    • Requires Exchange 2013 CU8 and Exchange 2010 SP3 RU9
    • Unsupported scenarios: mailbox moves from Exchange Server 2007 to Office 365; off-boarding is not supported; EAS devices must support the 451 redirect (Acompli does not)
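A read-only pre-check for the redirect described above, written for this page (not part of the deck): it verifies, for one moved user, the three things the CAS looks at before issuing the 451. It assumes the on-premises Exchange Management Shell on 2013 CU8 / 2010 SP3 RU9 or later; the user address is a constructed placeholder.

```powershell
# Added example (not from the deck): will a moved mailbox get the EAS 451 redirect?
param(
    [Parameter(Mandatory)] [string] $Identity   # moved user, e.g. ted@contoso.com (constructed)
)

# 1. The CAS treats the user as remote because the on-premises object carries a target address.
$remote = Get-RemoteMailbox -Identity $Identity -ErrorAction Stop
$targetAddress = $remote.RemoteRoutingAddress.ToString() -replace '^smtp:', ''   # strip the proxy prefix
$targetDomain  = $targetAddress.Split('@')[1]                                     # e.g. contoso.mail.onmicrosoft.com

# 2. The target address domain must be listed in an Organization Relationship ...
$orgRel = @(Get-OrganizationRelationship | Where-Object {
    $_.DomainNames | Where-Object { $_.ToString() -ieq $targetDomain }
})
if ($orgRel.Count -eq 0) {
    Write-Warning "No Organization Relationship lists $targetDomain; EAS devices will keep failing (0x86000C16) instead of being redirected."
    return
}

# 3. ... and that relationship must carry a TargetOwaURL, which is where the 451 sends the device.
$rel = $orgRel[0]
if ([string]::IsNullOrEmpty($rel.TargetOwaURL)) {
    Write-Warning "Organization Relationship '$($rel.Name)' has no TargetOwaURL; set one with Set-OrganizationRelationship -TargetOwaURL before relying on the redirect."
    return
}

"OK: $Identity -> $targetAddress; 451 redirect target is $($rel.TargetOwaURL) via '$($rel.Name)'"
```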
  • Slide 23
    • Next steps: more troubleshooters on the way; feedback is needed to make them better
    • HCW Troubleshooter: the HCW fails, so a customer attempts to open a case; the customer is presented with the troubleshooter; the customer is given a clear solution, ELIMINATING the need for a case
    • Support also has immediate access to the HCW log if the case is still opened
  • Slide 24
    • Exchange Hybrid Configuration Diagnostic: http://aka.ms/hcwcheck
    • If failed, the solution shown:
      • There are certificates installed in your Exchange Hybrid environment which are missing the subject name. http://go.microsoft.com/?linkid=9846727
      • You need to fix your obsolete Active Directory Domain Services Federation Objects. http://go.microsoft.com/?linkid=9846726
      • Your existing Exchange 2007 servers are not part of the Exchange Trusted Subsystems group. http://go.microsoft.com/?linkid=9846728
      • You need to install Exchange 2010 SP3 RU3 or later. http://go.microsoft.com/?linkid=9846729
      • In order to upgrade your Hybrid environment from Exchange 2010 to Exchange 2013 you need to rename your existing Organization Relationship. http://go.microsoft.com/?linkid=9846730
      • Your Exchange Server 2013 needs to be running a version of CU6 or later; we recommend the latest version available. http://go.microsoft.com/?linkid=9846731
      • Some manual configurations are needed to allow legacy free/busy to work as expected. http://go.microsoft.com/?linkid=9846732
      • Microsoft Exchange Service Host is not running. http://go.microsoft.com/?linkid=9846733
      • Please run the Exchange Hybrid Configuration Wizard on a server which has the CAS role installed. http://go.microsoft.com/?linkid=9846734
      • You need to upgrade your legacy email address policy. http://go.microsoft.com/?linkid=9846735
      • You need to address the issues found with the TLS certificate. If running Exchange Server 2010 you'll need to acquire a certificate with a name that has less than 256 characters. If running Exchange Server 2013 please install the latest cumulative update. http://go.microsoft.com/?linkid=9846736
  • Slide 25
    • Hybrid Migration Troubleshooter: http://aka.ms/HMTSIgnite
  • Slide 28
    • Solution: Hybrid upgrade issues 1
    • Error: Updating hybrid configuration failed with error 'Subtask Configure execution failed: Upgrading hybrid configuration from Exchange 2010... Object reference not set to an instance of an object. at Microsoft.Exchange.Management.Hybrid.UpgradeConfigurationFrom14Task.UpgradeFopeConnectors
    • Fix: [PS] C:\> Get-OrganizationConfig | fl Guid
    • Then rename the organization relationship to "O365 to On-premises - <Guid from the previous command>"
    • https://support.microsoft.com/en-us/kb/2967914/ (fixed in CU5)
  • Slide 29
    • Solution: Hybrid upgrade issues 2
    • Error: The Wizard did not complete successfully. Please see the list below for error details. Sending Mailbox Server isn't running Exchange 2013 or a later version.
    • https://support.microsoft.com/en-gb/kb/3013420/en-us
    • Fix (back up the current settings first, then clear the stale server lists):
      [PS] C:\> Get-HybridConfiguration | fl > Hybrid.txt
      [PS] C:\> Set-HybridConfiguration -ClientAccessServers $null -ReceivingTransportServers $null -SendingTransportServers $null
  • Slide 30
    • Solution: Hybrid upgrade issues 3
    • Error: Updating hybrid configuration failed with error 'Subtask Configure execution failed: Upgrading hybrid configuration from Exchange 2010... Execution of the Set-InboundConnector cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings. Active Directory operation failed on
    • or: ERROR : Subtask Configure execution failed: Upgrading hybrid configuration from Exchange 2010... No Inbound connector found on the Office 365 tenant.
    • Fix:
      1. Remove the hybrid configuration through ADSI Edit: ADSI Edit > Connect to Configuration > CN=Services > CN=Microsoft Exchange > CN=First Organization > CN=Hybrid Configuration
      2. Rerun setup /prepareAD from the on-premises Exchange setup directory (Schema Admin rights needed)
      3. Rerun the HCW from Exchange 2013
  • Slide 32
    • Microsoft introduced a new feature that broke free/busy for hybrid customers
    • Microsoft made changes in the service that broke customers using the Federation Gateway
    • Microsoft made changes in the service that prevented all 2013 customers from running the HCW
    • Microsoft introduced a CU that prevented the ability to create and manage user accounts
    • Bottom line: we needed to be better at finding issues with CU/service updates
  • Slide 33
    • Active monitoring for HCW: the HCW is tested in every forest throughout the day
    • Because of this we found the issue before ANY customers reported the problem
  • Slide 34
    • So does the monitoring work? Activating Directory Sync kicks off an important process for hybrid:
      • The new domain is forward-synced to EXO
      • The new routing domain gets created in MSO
      • A new certificate is created that includes the new name
      • Then we create the Autodiscover and MX DNS records
  • Slide 36
  • Message Size Limits for Migration Awareness
  • Slide 37
    • Message Size Limits for Migration FAQ (Awareness)
      1. What migration types will be able to take advantage of this new limit (with caveats)?
      2. Will I be able to forward, resend, or move the item after the migration is complete?
      3. Will the message size limit be increased so we can start sending larger messages?
      4. When should I expect to see the message size increase for hybrid migrations?
      5. What do I need to do to enable this new limit?
      6. Does it matter if I am moving the mailboxes from 2007, 2010 or 2013?
  • Slide 38
    • 150 message size increase: we can now increase the message size restrictions for a user after the mailbox plan is associated
  • Slide 39
    • Max default concurrent moves: 100 (exceptions can be made)
    • Item count is a factor in migration performance
    • Firewall configuration on the on-premises organization
    • Network latency is a factor
    • Migrations are not considered user-expected workload (WLM)
    • Multiple concurrent moves allow for optimized migrations
    • 0.3 to 1.0 GB/hour range per mailbox
    • Source-side performance is a COMMON factor
  • Slide 40
  • Alternate ID and Hybrid
  • Slide 41
    • This is used to allow a different UPN for AD FS on-premises than in Office 365
    • Steps: install updates; adjust the claim rule; update the Management Agent in FIM. Documented on TechNet.
    • Example: Office 365 [email protected]; on-premises [email protected]
    • Old claim rule (issues the UPN claim from userPrincipalName):

      c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
       => issue(store = "Active Directory",
                types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"),
                query = "samAccountName={0};userPrincipalName,objectGUID;{1}",
                param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"),
                param = c.Value);

    • New claim rule (issues the UPN claim from the mail attribute instead, so the Office 365 UPN can differ from the on-premises UPN):

      c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
       => issue(store = "Active Directory",
                types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"),
                query = "samAccountName={0};mail,objectGUID;{1}",
                param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"),
                param = c.Value);
  • Slide 42
    • Example identities: Office 365 [email protected]; on-premises [email protected]
    • Outlook connected to corp: Autodiscover connects to the SCP and is automatically authenticated; Autodiscover redirects the client to the target address stamped on the user; the user provides the cloud UPN and password
    • Outlook connected externally: Autodiscover connects from an external machine (the user provides the on-premises UPN); Autodiscover redirects the client to the target address stamped on the user; the user provides the cloud UPN and password
  • Slide 44
  • OAUTH and Federation
  • Slide 45
    • DAuth vs OAuth
    • DAuth: uses the Microsoft Federation Gateway for token generation; configured through Organization Relationships; controls what companies you share information with; allows for granular control of what features are available (free/busy, MailTips)
    • OAuth: uses the Auth Server in Azure AD (better resiliency and faster in-forest communications); configured through IntraOrgConnectors/configuration; controls what companies you can share information with; no granular control of the feature set (all or nothing)
  • Slide 48
    • eDiscovery scenarios and OAuth (scenario: requires OAuth?)
      • Search on-premises and Exchange Online mailboxes in the same eDiscovery search initiated from the Exchange on-premises organization: Yes
      • Search Exchange on-premises mailboxes that use Exchange Online Archiving for cloud-based archive mailboxes: Yes
      • Search Exchange Online mailboxes from an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer: Yes
      • Search on-premises mailboxes using an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer: No
      • Search Exchange Online mailboxes from an eDiscovery search initiated from Exchange Online or the eDiscovery Center in SharePoint Online by an Office 365 tenant administrator or a compliance officer signed in to an Office 365 user account: No
  • Slide 49
    • Free/busy request from Ben to Joe: Exchange connects to the Azure OAuth endpoint, then the Exchange server passes the token and requests Joe's free/busy on behalf of Ben
    • Free/busy works through a series of checks:
      1st: we check to see if we can find free/busy locally
      2nd: (if the mailbox is not local) we check for an IOC
      3rd: (if there is no IOC) we check for an Organization Relationship
      4th: we check for an Availability Address Space
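The four checks above, walked for a single target recipient as an added example (not from the deck): it reads the same configuration objects the Availability service consults and reports which path would be taken. Assumes the on-premises Exchange Management Shell (Get-IntraOrganizationConnector needs 2013 SP1 or later); the recipient address is a constructed placeholder.

```powershell
# Added example (not from the deck): which free/busy path applies to one recipient? Read-only.
param(
    [Parameter(Mandatory)] [string] $Recipient   # e.g. joe@fabrikam.com (constructed address)
)
$domain = $Recipient.Split('@')[1]

# 1st: a local mailbox is answered directly by the on-premises Availability service.
if (Get-Mailbox -Identity $Recipient -ErrorAction SilentlyContinue) {
    return "1st: $Recipient is a local mailbox; free/busy is served locally"
}

# 2nd: an Intra-Organization Connector (IOC) covering the domain selects the OAuth path.
$ioc = @(Get-IntraOrganizationConnector | Where-Object {
    $_.TargetAddressDomains | Where-Object { $_.ToString() -ieq $domain }
})
if ($ioc.Count -gt 0) {
    return "2nd: IOC '$($ioc[0].Name)' -> $($ioc[0].DiscoveryEndpoint) (OAuth token from Azure AD)"
}

# 3rd: an Organization Relationship selects the DAuth path through the Microsoft Federation Gateway.
$rel = @(Get-OrganizationRelationship | Where-Object {
    $_.DomainNames | Where-Object { $_.ToString() -ieq $domain }
})
if ($rel.Count -gt 0) {
    if (-not $rel[0].FreeBusyAccessEnabled) {
        return "3rd: Organization Relationship '$($rel[0].Name)' matches $domain but FreeBusyAccessEnabled is False"
    }
    return "3rd: Organization Relationship '$($rel[0].Name)' -> $($rel[0].TargetAutodiscoverEpr) (access level $($rel[0].FreeBusyAccessLevel))"
}

# 4th: an Availability Address Space (per-forest configuration) is the last resort.
$aas = @(Get-AvailabilityAddressSpace | Where-Object { $_.ForestName -ieq $domain })
if ($aas.Count -gt 0) {
    return "4th: Availability Address Space '$($aas[0].ForestName)' via $($aas[0].AccessMethod)"
}

return "No free/busy path is configured for $domain; lookups from this organization will fail"
```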
  • Slide 50
  • Public Folders
  • Slide 51
    • Hybrid Public Folder options:
      • Option 1: Office 365 mailboxes accessing legacy PFs on-premises
      • Option 2: Office 365 mailboxes accessing modern PFs on-premises
      • Option 3: Exchange 2013 on-premises mailboxes accessing modern PFs in Office 365
    • Mailbox version vs. PF location (on-premises / Exchange Online):
      • Exchange 2007 mailbox: on-premises Yes; Exchange Online No
      • Exchange 2010 mailbox: on-premises Yes; Exchange Online No
      • Exchange 2013 mailbox: on-premises Yes; Exchange Online Yes*
      • Exchange Online mailbox: on-premises Yes*; Exchange Online Yes
      • *Requires use of Outlook for Windows
  • Slide 52
    • Outlook connects to the cloud mailbox, starting by querying autod.contoso.com
    • On-premises Autodiscover responds with the target address for the cloud mailbox
    • Outlook does Autodiscover for the target address (contoso.mail.onmicrosoft.com)
    • EXO responds with the PF mailbox information, obtained from the org config or set explicitly on the mailbox: [email protected]
    • Outlook performs an Autodiscover against [email protected]; on-premises proxies the request to the PF server (running the CAS role), authenticating as the user over public MBX auth
    • Outlook Anywhere settings are returned, including the server name of the PF/CAS instead of the CAS array
    • When PF access is initiated, the client then makes that connection
  • Slide 53
  • Question or Common Issues
  • Slide 54
    • Where is the Activate button for sync? It is not shown if the accepted domain was not added
    • Why the change? UPN mismatches and changes are costly for support; UPN mismatches cause a poor user experience; if you perform DirSync before adding the domain you see issues; we have now prevented this in the portal
    • Example: on-premises UPN [email protected]; Office 365 UPN=Ted@Contoso.onmicrosoft.com after DirSync
  • Slide 55
    • Mailbox recovery changes
    • Today: to recover, use New-MailboxRestoreRequest
    • Do not hard-delete a user: that mailbox will not be recoverable
    • In the future we may add a soft-delete buffer, but not today
  • Slide 56
    • HCW domain limit: 250
    • Error when running HCW: Updating hybrid configuration failed with error 'Subtask Configure execution failed: Configure Organization Relationship Execution of the New-OrganizationRelationship cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings. The total number of explicit and implicit subfilters exceeds maximum allowed number of 250. Processing stopped. at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, SessionParameters parameters, Boolean ignoreNotFoundErrors) '.
    • Cause: Org Relationships allow up to 250 domains
    • Resolution: manually create an additional Org Relationship and add the domains over 250 to it
    • This is being added to the HCW troubleshooter along with a ton more!
  • Slide 57
    • HCW domain limit: 64
    • Issue: HCW fails with "The length of the property is too long. The maximum length is 64 and the length of the value provided is 68."
    • Cause: we allow up to a 32-character domain name to be added to the service. When the routing domain is created for that domain it makes the length longer, but still shorter than the 64-character hard limit. When the HCW creates the remote domain, we prepend "Hybrid Domain-" to the identity of the remote domain, and this can put us over the limit.
    • Resolution: still being investigated, but if we simply change the remote domain to prepend only "Hybrid-" we will allow for all 32-character domain names
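An added pre-flight check (not from the deck) for the two domain limits on slides 56 and 57, run in the on-premises Exchange Management Shell before starting the HCW. The routing domain is a constructed placeholder, and the exact remote-domain prefix the HCW uses is taken from the slide text rather than verified.

```powershell
# Added example (not from the deck): flag accepted domains that would trip the HCW limits above.
param(
    # Tenant routing domain the HCW also creates a remote domain for; 'contoso' is a constructed placeholder.
    [string] $RoutingDomain = 'contoso.mail.onmicrosoft.com'
)

$orgRelationshipLimit = 250   # explicit + implicit subfilters per Organization Relationship (slide 56)
$identityLimit        = 64    # AD property length the remote-domain identity must fit in (slide 57)
$serviceNameLimit     = 32    # longest domain name the service accepts (slide 57)
$remoteDomainPrefix   = 'Hybrid Domain-'   # prefix as written on the slide; exact HCW spelling is an assumption

$domains = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() })

# Limit 1: domains beyond the 250th need a second, manually created Organization Relationship.
if ($domains.Count -gt $orgRelationshipLimit) {
    $overflow = @($domains | Select-Object -Skip $orgRelationshipLimit)
    Write-Warning ("{0} accepted domains; {1} exceed the {2}-domain Organization Relationship limit and need an additional relationship:" -f
        $domains.Count, $overflow.Count, $orgRelationshipLimit)
    $overflow | ForEach-Object { Write-Warning "  $_" }
}

# Limit 2: the remote-domain identity the HCW builds from each name must stay within 64 characters.
foreach ($name in ($domains + $RoutingDomain)) {
    if ($name.Length -gt $serviceNameLimit) {
        Write-Warning "'$name' is longer than $serviceNameLimit characters and cannot be added to the service"
    }
    $identity = $remoteDomainPrefix + $name
    if ($identity.Length -gt $identityLimit) {
        Write-Warning ("Remote domain identity '{0}' would be {1} characters (maximum {2}); the HCW will fail on this domain" -f
            $identity, $identity.Length, $identityLimit)
    }
}

"Checked $($domains.Count) accepted domains plus routing domain $RoutingDomain"
```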
  • Slide 58
    • Certificate field is empty in the HCW
    • The certificate is required on the selected CAS and MBX servers: CAS are used for Receive Connectors, MBX are used for Send Connectors
    • Both need the same certificate installed, else the HCW won't show it
    • Requirements: third-party issued; proper SAN; assigned to the SMTP service; private key present
    • All servers need access to the CRL URL over port 80
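An added check (not from the deck) that applies the requirements above across every CAS and Mailbox server, so the cause of an empty certificate field is visible before the wizard runs. It assumes the on-premises Exchange Management Shell; CRL reachability over port 80 is not tested here.

```powershell
# Added example (not from the deck): which SMTP certificates meet the HCW requirements on every CAS/MBX server?
$servers = @(Get-ExchangeServer | Where-Object { $_.IsClientAccessServer -or $_.IsMailboxServer })

$candidates = foreach ($s in $servers) {
    Get-ExchangeCertificate -Server $s.Name | Where-Object {
        $_.Services -match 'SMTP' -and      # assigned to the SMTP service
        $_.HasPrivateKey -and               # private key present
        -not $_.IsSelfSigned -and           # third-party issued
        $_.NotAfter -gt (Get-Date) -and     # not expired
        $_.CertificateDomains.Count -gt 0   # has subject alternative names
    } | ForEach-Object {
        [pscustomobject]@{
            Server     = $s.Name
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            Domains    = ($_.CertificateDomains | ForEach-Object { $_.ToString() }) -join ','
        }
    }
}

# The HCW only offers a certificate that is present on every selected server: keep thumbprints seen on all of them.
$common = @($candidates | Group-Object Thumbprint | Where-Object { $_.Count -eq $servers.Count })

if ($common.Count -eq 0) {
    Write-Warning "No single qualifying SMTP certificate is installed on all $($servers.Count) CAS/MBX servers; the HCW certificate field will be empty."
    $candidates | Sort-Object Thumbprint, Server | Format-Table Server, Thumbprint, Subject -AutoSize
} else {
    foreach ($g in $common) {
        "{0}  on {1} servers  {2}  SANs: {3}" -f $g.Name, $g.Count, $g.Group[0].Subject, $g.Group[0].Domains
    }
}
```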
  • Slide 59
    • Challenges managing hybrid recipients
    • User/mailbox management: converting mailboxes; group self-service management; inactive mailboxes (procedures?)
    • DirSync delay (e.g. archive creation)
    • Inconsistent experience: migrated permissions vs. new permissions (Full Access, Send-As, Receive-As)
  • Slide 63
    • Cause: timeout issues are not handled well by the HCW (we are getting better). Running the HCW a second time is often all that is needed.
    • HCW fails with "InvalidUri: Passed URI is not valid"
      Cause: certain words such as bank, profanity, and large org names are blocked from federating
      Resolution: calling Support is the only option to resolve the issue
      Documented: http://support.microsoft.com/kb/2615183
  • Slide 64
    • Issue: cannot create user mailboxes; cannot move mailboxes; cannot change user attributes
      Cause: there is an issue with the backlink from EAC to EXO that prevents the proper connection
      Resolution: download a script that will fix the file, or install CU7 when available
    • Issue: cannot send mail from a cloud user to the internet when CMC is enabled
      Resolution: call Support for an IU or wait for CU7
  • Slide 66
    • Pre-Release Programs: be first in line! Exchange and SharePoint on-premises programs
    • Customers get: early access to new features; the opportunity to shape features; a close relationship with the product teams; the opportunity to provide feedback; technical conference calls with members of the product teams; the opportunity to review and comment on documentation
    • Get selected to be in a program: sign up at Ignite at the Preview Program desk, OR fill out a nomination: http://aka.ms/joinoffice
    • Questions: visit the Preview Program desk in the Expo Hall, or contact us at [email protected]