Configuring Hybrid Exchange the Easy Way
Ben Appleby, Senior Program Manager, Microsoft Corporation
EXL303
Session Objectives and Takeaways
Session objectives:
- Understand how the Hybrid Configuration Engine works
- Understand the common pitfalls when configuring hybrid, and how to avoid them
Dependencies are key. You must have your certificates, DNS names, etc. working before you attempt to configure hybrid. Otherwise, it’s going to be harder than necessary.
Agenda
- Migration options
- Hybrid overview
- The new SP2 deployment process
- How does the Hybrid Configuration Wizard work?
- Common deployment pitfalls
Office 365 Migration Options: choices to fit your organization

Migration options by source platform (X = supported*):

Source platform | IMAP migration | Cutover migration | Staged migration | Hybrid
Exchange 5.5    | X              |                   |                  |
Exchange 2000   | X              |                   |                  |
Exchange 2003   | X              | X                 | X                | X
Exchange 2007   | X              | X                 | X                | X
Exchange 2010   | X              | X                 |                  | X
Notes/Domino    | X              |                   |                  |
GroupWise       | X              |                   |                  |
Other           | X              |                   |                  |

* Additional options are available with tools from migration partners.

- IMAP migration: supports a wide range of e-mail platforms; e-mail only (no calendar, contacts, or tasks)
- Cutover Exchange migration (CEM): good for fast, cutover migrations; no server required on-premises
- Staged Exchange migration (SEM): no server required on-premises; identity federation with the on-premises directory
- Hybrid deployment: manage users on-premises and online; enables cross-premises calendaring, smooth migration, and easy off-boarding
How to pick an Exchange migration solution?

[Chart: the three migration solutions (C-EM, S-EM, Hybrid) plotted against organizational size in users (1, 150, 5,000, 25,000) and time for migration including planning (<1 week, 2 weeks, 3 weeks, several months)]
- Features gained by solution: C-EM none; S-EM mail flow and GAL sync; Hybrid free/busy and archive in the cloud
Hybrid: Staged Exchange Migration vs Hybrid feature set

Feature                                                                                              | Staged | Hybrid
Mail routing between on-premises and cloud (recipients on either side)                               | Yes    | Yes
Mail routing with shared namespace (if desired): @company.com on both sides                          | Yes    | Yes
Unified GAL                                                                                          | Yes    | Yes
Free/busy and calendar sharing cross-premises                                                        | No     | Yes
MailTips, message tracking, and mailbox search work cross-premises                                   | No     | Yes
OWA redirection cross-premises (single OWA URL for both on-premises and cloud)                       | No     | Yes
Exchange Online Archive                                                                              | No     | Yes
Exchange Management Console used to manage the cross-premises relationship and mailbox migrations    | No     | Yes
Native mailbox move supports both onboarding and offboarding                                         | No     | Yes
No Outlook reconfiguration or OST resync required after mailbox migration                            | No     | Yes
Online mailbox move lets users stay logged into their mailbox while it is being moved to the cloud   | No     | Yes
Secure Mail ensures e-mail crossing premises is encrypted and the internal authentication headers are preserved | No | Yes
Centralized mail flow control ensures that all e-mail routes inbound/outbound via on-premises        | No     | Yes
Hybrid: feature summary

Makes your on-premises organization and cloud organization work together like a single, seamless organization:
- Offers near-parity of features and experience on-premises and in the cloud
- Seamless interactions between on-premises and cloud mailboxes
- Migrations in and out of the cloud are transparent to the end user

Features not supported:
- Coexistence of mailbox permissions: permissions are migrated, but do not work when delegator and delegate are split between on-premises and cloud
- Migration of Send As for non-mailbox recipients
- Multi-forest: only single-forest source environments are supported
- Public Folders
- Address Book Policies
Hybrid Server Roles

2 required server roles:
- Office 365 Active Directory Synchronization (Directory Sync): provides the unified Global Address List
- Exchange Server 2010 SP1 CAS/Hub*: provides Exchange sharing (federation), mailbox move, and secure transport

1 optional server role:
- Active Directory Federation Services (AD FS): provides single sign-on

* The Mailbox role is also required for legacy Public Folder based free/busy support.

The Exchange Server 2010 SP1 CAS/Hub hybrid server is free with a paid Exchange Online subscription.
Exchange Deployment Assistant: http://technet.microsoft.com/exdeploy2010

Currently supports hybrid configuration with:
- Exchange Server 2003
- Exchange Server 2007
- Exchange Server 2010

The guidance provided is for the Hybrid Configuration Wizard with Exchange 2010 SP2.
The new SP2 process: Hybrid Configuration Wizard

What's new in Exchange 2010 SP2?
- Coexistence domain: replaces the requirement for the customer to create a "service.contoso.com" domain
- Federation trust improvements: removes the requirement to create an "exchangedelegation.contoso.com" domain. SP2 automatically prepends a well-known string ("FYDIBOHF25SPDLT") to the beginning of the account namespace.
- Dedicated hybrid management experience: the Hybrid Configuration Wizard and the New/Get/Set/Update-HybridConfiguration cmdlets

The wizard and cmdlets configure the following for you:
- Exchange federation trust
- Organization relationships
- Remote domains and accepted domains
- E-mail address policies
- Send/Receive connectors
- Forefront inbound/outbound connectors
- MRSProxy
- Prerequisite checks (Office 365 Active Directory Sync, Exchange certificates, registered custom domains, etc.)

Pre-SP2: over 50 manual steps. With SP2: only 6 steps, all within the UI.
SP2 Hybrid Deployment Process

1. Sign up for Office 365
2. Register your domains with Office 365
3. Deploy Office 365 Directory Sync
4. Install Exchange 2010 SP2 CAS and Hub servers
5. Publish the CAS and Hub servers (assign the SSL certificate, firewall rules). Use the Exchange Remote Connectivity Analyzer to verify this stage.
6. Run the Hybrid Configuration Wizard
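The deck's point is that steps 4 and 5 are where hybrid deployments actually fail: the certificate, the Autodiscover DNS record and the EWS virtual directory must be right before the wizard runs. The following is an added example (not part of the session) of a pre-flight script for the Exchange 2010 SP2 Management Shell that checks those three dependencies on the CAS you are about to publish. The domain name "contoso.com" and running it on the CAS itself are assumptions.

```powershell
# Added example (not from the session): pre-flight checks for the hybrid
# dependencies before running the Hybrid Configuration Wizard.
# Assumptions: primary SMTP domain is contoso.com and this runs on the CAS.

$PrimarySmtpDomain = "contoso.com"
$CasServer         = $env:COMPUTERNAME
$Autodiscover      = "autodiscover.$PrimarySmtpDomain"

function Test-HybridDns {
    # autodiscover.<primary SMTP domain> must resolve publicly to the CAS.
    # [System.Net.Dns] uses the local resolver, so run this from a machine
    # that uses public DNS or compare against an external nslookup.
    param([string]$Name)
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
        New-Object PSObject -Property @{ Check = "DNS $Name"; Result = ($ips -join ", "); Ok = $true }
    } catch {
        New-Object PSObject -Property @{ Check = "DNS $Name"; Result = $_.Exception.Message; Ok = $false }
    }
}

function Test-HybridCertificate {
    # The certificate bound to IIS must be from a public CA (not self-signed),
    # unexpired, and carry the Autodiscover name in its Subject or SAN.
    # A wildcard for the parent domain counts, but only with SP2 Rollup 1.
    param([string]$Server, [string]$AutodiscoverName)
    $parent = ($AutodiscoverName -split '\.', 2)[1]
    Get-ExchangeCertificate -Server $Server | Where-Object { $_.Services -match "IIS" } | ForEach-Object {
        $names   = @($_.CertificateDomains | ForEach-Object { $_.ToString() })
        $hasName = ($names -contains $AutodiscoverName) -or ($names -contains "*.$parent")
        $valid   = $_.NotAfter -gt (Get-Date)
        New-Object PSObject -Property @{
            Check  = "IIS certificate $($_.Thumbprint)"
            Result = "names=[$($names -join ',')] selfSigned=$($_.IsSelfSigned) expires=$($_.NotAfter)"
            Ok     = ($hasName -and (-not $_.IsSelfSigned) -and $valid)
        }
    }
}

function Test-HybridEws {
    # The engine validates the EWS virtual directory; it needs an external URL,
    # and MRSProxy must be enabled for cross-premises mailbox moves.
    param([string]$Server)
    Get-WebServicesVirtualDirectory -Server $Server | ForEach-Object {
        New-Object PSObject -Property @{
            Check  = "EWS vdir $($_.Identity)"
            Result = "ExternalUrl=$($_.ExternalUrl) MRSProxyEnabled=$($_.MRSProxyEnabled)"
            Ok     = ([bool]$_.ExternalUrl -and $_.MRSProxyEnabled)
        }
    }
}

$results = @()
$results += Test-HybridDns -Name $Autodiscover
$results += Test-HybridCertificate -Server $CasServer -AutodiscoverName $Autodiscover
$results += Test-HybridEws -Server $CasServer
$results | Format-Table Ok, Check, Result -AutoSize
```

Any row with Ok = False is a dependency the wizard's own prerequisite check will also fail on, so fix it here first; the Remote Connectivity Analyzer is the external counterpart that exercises the same certificate and Autodiscover record from the Internet.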
The new Hybrid Configuration Wizard
- New organization-level tab in the Exchange Management Console that contains the "Hybrid Configuration" object
- End-to-end wizard that guides you through each step of configuring hybrid

Demo: Hybrid Configuration Wizard
How does the Hybrid Configuration Wizard work?

The Wizard and the Configuration Engine
- The wizard records the information collected from the user via the Set-HybridConfiguration cmdlet
- All deployment actions are taken by the Hybrid Configuration Engine, which is called by the Update-HybridConfiguration cmdlet
Hybrid Configuration Engine

Inputs: the desired state (the Hybrid Configuration object) plus the topology and current configuration state of both organizations. Output: the configuration tasks executed to reach the desired state.

[Diagram: the Exchange Management Tools drive the engine in the on-premises Exchange organization; the engine reaches the Exchange Online organization across the Internet. Both connections use Remote PowerShell.]

Objects the engine configures:

On-premises Exchange organization
- Hybrid Configuration object (the desired state)
- Exchange server level configuration: Mailbox Replication Service Proxy, certificate validation, Exchange Web Services virtual directory validation, Receive connector
- Domain level configuration objects: accepted domains, remote domains, e-mail address policies
- Organization level configuration objects: Exchange federation trust, organization relationship, availability address space, Send connector

Exchange Online organization
- Organization level configuration objects: Exchange federation trust, organization relationship, Forefront inbound connector, Forefront outbound connector
- Domain level configuration objects: accepted domains, remote domains

Steps:
1. The Update-HybridConfiguration cmdlet triggers the Hybrid Configuration Engine to start.
2. The engine reads the "desired state" stored on the HybridConfiguration Active Directory object.
3. The engine connects via Remote PowerShell to both the on-premises and Exchange Online organizations.
4. The engine discovers topology data and current configuration from the on-premises Exchange organization and the Exchange Online organization.
5. Based on the desired state, topology data, and current configuration across both organizations, the engine establishes the "difference" and then executes configuration tasks to establish the desired state.
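The wizard is a front end for three cmdlets, and understanding the engine is easier when you drive it yourself. Below is an added example (not from the session) that records the desired state with Set-HybridConfiguration and then runs the engine with Update-HybridConfiguration from the Exchange 2010 SP2 Management Shell. The server names, domains, IP address and certificate thumbprint are assumptions; substitute your own.

```powershell
# Added example (not from the session): configuring hybrid with the SP2
# cmdlets instead of the wizard. All names, addresses and the thumbprint
# below are placeholders.

# 1. Desired state. The wizard writes the same object; SP2 has exactly one
#    HybridConfiguration object per organization, so create it only once.
if (-not (Get-HybridConfiguration -ErrorAction SilentlyContinue)) {
    New-HybridConfiguration
}

Set-HybridConfiguration `
    -ClientAccessServers "CAS01","CAS02" `
    -HubTransportServers "HUB01","HUB02" `
    -OnPremisesSmtpServer "mail.contoso.com" `
    -ExternalIPAddresses "203.0.113.10" `
    -Domains "contoso.com" `
    -SecureMailCertificateThumbprint "<thumbprint of the public cert on the Hub servers>" `
    -Features FreeBusy,MoveMailbox,Mailtips,MessageTracking,OwaRedirection,OnlineArchive,SecureMail
# Add CentralizedTransport to -Features if all mail must route via on-premises.

# 2. Run the engine. It needs credentials for both organizations because it
#    opens Remote PowerShell to each, discovers the current state, diffs it
#    against the desired state and executes only the missing tasks.
$onPremCred = Get-Credential   # on-premises Organization Management member
$tenantCred = Get-Credential   # tenant admin, e.g. admin@contoso.onmicrosoft.com

Update-HybridConfiguration -OnPremisesCredentials $onPremCred -TenantCredentials $tenantCred -Verbose

# 3. Re-running Update-HybridConfiguration is safe: the engine re-diffs and
#    changes only what still differs. Confirm what was recorded:
Get-HybridConfiguration | Format-List Domains,Features,ClientAccessServers,HubTransportServers,OnPremisesSmtpServer,ExternalIPAddresses
```

Run with -Verbose the engine logs each discovery and configuration task as it goes, which is the quickest way to see which object in the lists above it is working on when a run stops.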
Organization Relationship Creation

[Diagram: the Hybrid Configuration Engine, on-premises Exchange 2007/2010 Client Access and Mailbox servers, Exchange Online Client Access and Mailbox servers, the Microsoft Federation Gateway (MFG) and public DNS; the engine issues the cmdlet over Remote PowerShell]

C:\> Get-FederationInformation -DomainName "contoso.com"

(1) Get-FederationInformation requests a delegation token from the MFG over HTTPS
(2) It then attempts to find the Autodiscover endpoint through DNS
(3) Then connects to Autodiscover via HTTPS with the MFG delegation token ("POST /Autodiscover/Autodiscover.svc/WSSecurity")
(4) The Client Access Server responds with the federation trust details:
    ApplicationUri: FYDIBOHF25SPDLT.contoso.com
    DomainNames: contoso.com
    TargetAutodiscoverEpr: https://autodiscover.contoso.com/autodiscover/autodiscover.svc/WSSecurity
    TokenIssuerUris: urn:federation:MicrosoftOnline
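Steps (1) to (4) are the same ones you run by hand when free/busy does not work after the wizard finishes. The following is an added example (not from the session) that repeats the lookup from the on-premises side against the tenant's coexistence domain, checks the federation trust and organization relationship the engine created, and then looks at the relationship from the Exchange Online side over the same Remote PowerShell channel the engine uses. The coexistence domain and the test user are assumptions.

```powershell
# Added example (not from the session): verifying federation and the
# organization relationship after the wizard has run.
# Assumptions: coexistence domain contoso.mail.onmicrosoft.com, a test user.

$TenantCoexDomain = "contoso.mail.onmicrosoft.com"
$TestUser         = "user@contoso.com"

# Steps (1)-(4) from the on-premises side: token from the MFG, Autodiscover
# via DNS, then the WSSecurity endpoint of the tenant. A failure here is a
# DNS, certificate or pre-authentication problem, not a hybrid one.
$fedInfo = Get-FederationInformation -DomainName $TenantCoexDomain -ErrorAction Stop
$fedInfo | Format-List DomainNames,TargetApplicationUri,TargetAutodiscoverEpr,TokenIssuerUris

# Federation trust: with SP2 the ApplicationUri is FYDIBOHF25SPDLT.<domain>,
# so there is no separate exchangedelegation.* namespace to check.
Get-FederationTrust | Format-List Name,ApplicationUri,TokenIssuerUri
Test-FederationTrust -UserIdentity $TestUser -Verbose

# Organization relationship created by the engine for the tenant domain,
# then an end-to-end test that really requests a token and calls the remote
# Autodiscover and EWS endpoints as the test user.
$rel = Get-OrganizationRelationship | Where-Object {
    @($_.DomainNames | ForEach-Object { $_.ToString() }) -contains $TenantCoexDomain
}
$rel | Format-List Name,DomainNames,TargetApplicationUri,TargetAutodiscoverEpr,FreeBusyAccessEnabled,FreeBusyAccessLevel,Enabled
Test-OrganizationRelationship -Identity $rel.Identity -UserIdentity $TestUser -Verbose

# The mirror-image relationship on the Exchange Online side, reached over
# Remote PowerShell exactly as the Hybrid Configuration Engine does it.
$tenantCred = Get-Credential   # tenant admin, e.g. admin@contoso.onmicrosoft.com
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://ps.outlook.com/powershell/ -Credential $tenantCred `
    -Authentication Basic -AllowRedirection
Import-PSSession $session -Prefix Cloud
Get-CloudOrganizationRelationship | Format-List Name,DomainNames,TargetApplicationUri,TargetAutodiscoverEpr,FreeBusyAccessEnabled
Remove-PSSession $session
```

Each relationship's TargetAutodiscoverEpr should point at the other organization's WSSecurity Autodiscover URL over HTTPS; if Test-OrganizationRelationship fails at the Autodiscover step while Get-FederationInformation succeeds, the usual cause is a pre-authentication device in front of the CAS (see the publishing pitfalls later in the deck).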
Hybrid Mail Flow – without Centralized Transport

[Diagram: the on-premises Exchange organization (Exchange 2010 Hub Transport server, internal mail flow, and an optional third-party e-mail security system), Forefront Online Protection for Exchange (FOPE), the Exchange Online organization, and an external recipient]

Connectors created by the HCW:
- The Exchange Send connector is scoped to the coexistence domain (e.g. "contoso.mail.onmicrosoft.com")
- The Exchange Receive connector is scoped to FOPE's public IP addresses
- The FOPE inbound connector is scoped to the public IP addresses entered in the HCW
- The FOPE outbound connector is scoped to the domains selected in the HCW (e.g. "contoso.com"), and delivers e-mail to the FQDN entered in the HCW (e.g. "mail.contoso.com")
Hybrid Mail Flow – with Centralized Transport

[Diagram: the on-premises Exchange organization (Exchange 2010 Hub Transport server, internal mail flow, and an optional third-party e-mail security system), Forefront Online Protection for Exchange (FOPE), the Exchange Online organization, and an external recipient]

Connectors created by the HCW:
- The Exchange Send connector is scoped to the coexistence domain (e.g. "contoso.mail.onmicrosoft.com")
- The Exchange Receive connector is scoped to FOPE's public IP addresses
- The FOPE inbound connector is scoped to the public IP addresses entered in the HCW. This connector is marked so that all e-mail inbound to the tenant must be delivered through it (i.e. from on-premises).
- The FOPE outbound connector is scoped to all domains (*.*), and delivers all outbound e-mail to the FQDN entered in the HCW (e.g. "mail.contoso.com"), so that cloud mailboxes' outbound mail leaves via on-premises
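Whichever mail-flow mode you choose, the on-premises half of Secure Mail is the same pair of connectors, and the proof that it works is in the headers of a message that has crossed premises. The following is an added example (not from the session) that inspects the connectors the HCW creates and then checks a header block for the two Secure Mail properties the deck names: the hop from FOPE was TLS, and the internal authentication headers survived. The coexistence domain and the FOPE certificate name are assumptions, and the sample headers are constructed.

```powershell
# Added example (not from the session): checking the on-premises side of
# hybrid Secure Mail. Assumptions: coexistence domain and FOPE TLS name
# below; the message header block at the bottom is constructed.

$CoexDomain  = "contoso.mail.onmicrosoft.com"
$FopeTlsName = "mail.messaging.microsoft.com"   # assumption: name in FOPE's TLS certificate

# Send connector created by the engine: address space = coexistence domain,
# TLS required, and the remote certificate validated against $FopeTlsName.
Get-SendConnector | Where-Object {
    @($_.AddressSpaces | ForEach-Object { $_.Address }) -contains $CoexDomain
} | Format-List Name,AddressSpaces,SmartHosts,RequireTLS,TlsAuthLevel,TlsDomain

# Receive connector created by the engine: scoped to FOPE's IP ranges and
# carrying the AcceptOorgProtocol capability for $FopeTlsName, which is what
# lets Exchange trust X-MS-Exchange-Organization-* headers from the cloud.
Get-ReceiveConnector | Where-Object { $_.TlsDomainCapabilities -match [regex]::Escape($FopeTlsName) } |
    Format-List Name,Bindings,RemoteIPRanges,AuthMechanism,RequireTLS,TlsDomainCapabilities

function Test-SecureMailHeaders {
    # Parses an RFC 2822 header block. Secure Mail holds when the hop from
    # FOPE was TLS and the organization auth headers are present; a third-
    # party SMTP device in the path typically terminates TLS and strips them.
    param([string]$Headers, [string]$FopeName)
    $unfolded = $Headers -replace "`r?`n[ \t]+", " "          # join folded lines
    $lines    = $unfolded -split "`r?`n"
    $fopeHop  = $lines | Where-Object {
        $_ -match ('^Received:\s*from\s+' + [regex]::Escape($FopeName))
    } | Select-Object -First 1
    $authAs  = ($lines | Where-Object { $_ -match '^X-MS-Exchange-Organization-AuthAs:' }) -replace '^[^:]+:\s*', ''
    $authSrc = ($lines | Where-Object { $_ -match '^X-MS-Exchange-Organization-AuthSource:' }) -replace '^[^:]+:\s*', ''
    $tls     = [bool]($fopeHop -and $fopeHop -match '\(TLS\)')
    New-Object PSObject -Property @{
        FopeHopFound = [bool]$fopeHop
        FopeHopTls   = $tls
        AuthAs       = $authAs
        AuthSource   = $authSrc
        SecureMailOk = ($tls -and ($authAs -eq 'Internal') -and [bool]$authSrc)
    }
}

# Constructed sample: a message from a cloud mailbox arriving on-premises.
$sample = @"
Received: from mail.messaging.microsoft.com (198.51.100.11) by
 HUB01.corp.contoso.com (10.0.0.21) with Microsoft SMTP Server (TLS) id
 14.2.298.4; Tue, 26 Jun 2012 09:15:01 +0000
Received: from onlinehub01.prod.outlook.com (10.255.40.11) by
 mail.messaging.microsoft.com (10.3.207.101) with Microsoft SMTP Server (TLS) id
 14.1.225.23; Tue, 26 Jun 2012 09:15:00 +0000
From: alice@contoso.com
To: bob@contoso.com
Subject: hybrid test
X-MS-Exchange-Organization-AuthSource: onlinehub01.prod.outlook.com
X-MS-Exchange-Organization-AuthAs: Internal
"@

Test-SecureMailHeaders -Headers $sample -FopeName $FopeTlsName | Format-List
```

On a real message, SecureMailOk = False with FopeHopTls = True and an empty AuthAs is the signature of the third-party SMTP device problem listed under the mail-flow pitfalls: the TLS session ended on the device rather than on an Exchange 2010 SP1+ Hub or Edge, so the organization headers were dropped.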
Common Deployment Issues – Publishing CAS

Autodiscover is not published correctly
- The external public DNS record (autodiscover.<domain>) for each primary SMTP domain must resolve to an Exchange Server 2010 SP1+ Client Access Server
- The CAS must have a public SSL certificate bound to it
- The certificate must include the Autodiscover DNS name in its Subject or SAN

Pre-authentication is used in front of the Client Access Server
- If using pre-authentication, the following URLs must be excluded and allow anonymous connections:
  /EWS/Exchange.asmx/WSSecurity
  /EWS/MRSProxy.svc
  /Autodiscover/Autodiscover.svc/WSSecurity
  /autodiscover/autodiscover.svc

SSL offloading is being used in front of CAS
- Supported from SP2 Rollup 1; guidance is published on TechNet
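Exchange Online's federation and mailbox-move traffic arrives at the CAS without a user session, so a publishing device (ISA/TMG/UAG, or a load balancer doing pre-authentication) that intercepts those URLs answers with its own logon form or challenge and the request never reaches Exchange. The following is an added example (not from the session) that probes the four paths from outside the network and reports what answered. The external host name is an assumption.

```powershell
# Added example (not from the session): probing the URLs that must bypass
# pre-authentication, run from a machine on the Internet.
# Assumption: the published CAS name is mail.contoso.com.

$ExternalHost = "mail.contoso.com"
$Paths = @(
    "/EWS/Exchange.asmx/WSSecurity",
    "/EWS/MRSProxy.svc",
    "/Autodiscover/Autodiscover.svc/WSSecurity",
    "/autodiscover/autodiscover.svc"
)

function Probe-HybridEndpoint {
    # Sends an anonymous GET and classifies the answer. A 302 to a logon page
    # is a forms pre-auth device in the way. A 401 must be judged by its
    # headers: Negotiate/NTLM from IIS on the CAS is expected for
    # /autodiscover/autodiscover.svc, but a challenge whose Server header
    # belongs to the proxy means the exclusion is missing.
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method            = "GET"
    $req.AllowAutoRedirect = $false     # keep the 302 so we can see where it points
    $req.UserAgent         = "hybrid-preauth-check"
    $req.Timeout           = 15000
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response   # 4xx/5xx still carry a response object
        if (-not $resp) {
            return New-Object PSObject -Property @{ Url = $Url; Status = "-"; Server = "-"; Verdict = "unreachable: $($_.Exception.Message)" }
        }
    }
    $status   = [int]$resp.StatusCode
    $server   = $resp.Headers["Server"]
    $location = $resp.Headers["Location"]
    $verdict  = switch ($status) {
        { $_ -eq 302 -and $location } { "pre-auth redirect to $location" }
        401 { "challenged: WWW-Authenticate=$($resp.Headers['WWW-Authenticate'])" }
        default { "reached endpoint (HTTP $status)" }
    }
    $resp.Close()
    New-Object PSObject -Property @{ Url = $Url; Status = $status; Server = $server; Verdict = $verdict }
}

$Paths | ForEach-Object { Probe-HybridEndpoint -Url "https://$ExternalHost$_" } |
    Format-Table Status, Server, Verdict, Url -AutoSize
```

The two WSSecurity paths should never be challenged at all: they authenticate with the MFG delegation token inside the SOAP message, so any 401 or redirect on them means the request was answered by something other than Exchange.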
Common Deployment Issues – Mail Flow

Third-party SMTP security devices in use between Exchange on-premises and Forefront Online Protection for Exchange
- The TLS connection between Exchange on-premises and FOPE, for internal mail flow, must initiate/terminate on an Exchange 2010 SP1+ Hub Transport or Edge Transport server, otherwise Secure Mail (encryption plus preserved internal authentication headers) does not work

MX record is pointed to FOPE with Centralized Transport Control enabled
- This scenario only works if FOPE was already in use prior to creating the Office 365 tenant

Wildcard certificate used for TLS
- SP2 Rollup 1 enables support for wildcard certificates
Recap
Session objectives:
- Understand how the Hybrid Configuration Engine works
- Understand the common pitfalls when configuring hybrid, and how to avoid them
Dependencies are key. You must have your certificates, DNS names, etc. working before you attempt to configure hybrid. Otherwise, it’s going to be harder than necessary.
Exchange Sessions this week
- EXL301 Archiving in the Cloud with Exchange Online Archiving (EOA) – Thursday 08:30 – Hall 10B
- EXL306 Best Practices for Virtualizing Microsoft Exchange Server 2010 – Thursday 12:00 – Hall 9B
- EXL401 Microsoft Exchange Server 2010 High Availability Deep Dive – Thursday 16:30 – Hall 9A
- EXL201 Understanding Microsoft Forefront Online Protection for Exchange – Friday 08:30 – G106
- EXL307 Using a load balancer in your Exchange 2010 environment – Friday 13:00 – Hall 9B
Geek Out with Perry Blog: http://blogs.technet.com/b/perryclarke/
Track Resources
Exchange Team Blog: http://blogs.technet.com/b/exchange/
Exchange TechNet Tech Center: http://technet.microsoft.com/exchange
MEC Website and Registration: http://www.mecisback.com/
Resources
- Connect. Share. Discuss.: http://europe.msteched.com
- Microsoft Certification & Training Resources: www.microsoft.com/learning
- TechNet, resources for IT professionals: http://microsoft.com/technet
- MSDN, resources for developers: http://microsoft.com/msdn
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.