Exchange Hybrid overview diagram: Office 365 and Exchange on-premises, connected for mailbox data (MRS), calendaring & free/busy, messaging, and address book
Slide 5
Delegated authentication for on-premises/cloud web services
- Enables free/busy, calendar sharing, message tracking & online archive
Online mailbox moves
- Preserve the Outlook profile and offline folders
- Leverage the Mailbox Replication Service (MRS)
Manage all of your Exchange functions, whether cloud or on-premises, from the same place: Exchange Admin Center
Authenticated and encrypted mail flow between on-premises and the cloud
- Preserves the internal Exchange message headers, allowing a seamless end-user experience
- Supports compliance mail flow scenarios (centralized transport)
Slide 6
Three migration approaches, left to right on the slide:
- Approach 1: No additional servers; cloud IDs only; OST sync; all at once
- Approach 2: DirSync needed; no 2010/2013; OST sync; batch approach
- Approach 3 (hybrid): DirSync/identity management; Hybrid Configuration Wizard, OAuth, MRS; auto profile updates; batch approach; offboarding; rich coexistence
Slide 7
On-premises Exchange (Exchange Management Tools) <-> Hybrid Configuration Engine <-> Internet <-> Exchange Online

Step 1: The Update-HybridConfiguration cmdlet triggers the Hybrid Configuration Engine to start.
Step 2: The Hybrid Configuration Engine reads the desired state stored on the HybridConfiguration Active Directory object.
Step 3: The Hybrid Configuration Engine connects via Remote PowerShell to both the on-premises and Exchange Online organizations.
Step 4: The Hybrid Configuration Engine discovers topology data and current configuration from the on-premises Exchange organization and the Exchange Online organization.
Step 5: Based on the desired state, topology data, and current configuration across both the on-premises Exchange and Exchange Online organizations, the Hybrid Configuration Engine establishes the difference and then executes configuration tasks to establish the desired state.

Objects configured in Step 5, on-premises:
- Hybrid Configuration Object (desired state)
- Organization Level Configuration Objects: Exchange Federation Trust, Organization Relationship, Availability Address Space, Send Connector
- Domain Level Configuration Objects: Accepted Domains, Remote Domains, E-mail Address Policies
- Exchange Server Level Configuration: Mailbox Replication Service Proxy, Certificate Validation, Exchange Web Service Virtual Directory Validation, Receive Connector

Objects configured in Step 5, Exchange Online:
- Organization Level Configuration Objects: Exchange Federation Trust, Organization Relationship, Forefront Inbound Connector, Forefront Outbound Connector
- Domain Level Configuration Objects: Accepted Domains, Remote Domains
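The engine's "desired state versus current state" comparison can be approximated by hand, which is useful when the wizard reports a failure and you want to see what it left behind. The following is an added example, not code from the deck or from the Hybrid Configuration Wizard: it dumps the desired state from the HybridConfiguration object, lists the on-premises objects enumerated for Step 5, and reports where each hybrid domain appears. It assumes the Exchange Management Shell on an Exchange 2013 server; the filters on "Hybrid Domain" and "onmicrosoft.com" follow the naming the wizard uses, and the "autod:" prefix on the Autodiscover domain entry is an assumption about how that entry is stored.

```powershell
# Added example (not from the original deck): inventory of the on-premises objects the
# Hybrid Configuration Engine manages, so the desired state on the HybridConfiguration
# object can be compared with what is actually configured. Run in the Exchange
# Management Shell on an Exchange 2013 server. All cmdlets are standard Exchange cmdlets.

function Get-HybridDesiredState {
    # Desired state: the properties the wizard wrote to the HybridConfiguration AD object.
    Get-HybridConfiguration | Select-Object Domains, ClientAccessServers,
        ReceivingTransportServers, SendingTransportServers, TlsCertificateName,
        OnPremisesSmartHost, Features
}

function Get-HybridCurrentState {
    # Current state: the organization-, domain- and server-level objects listed for
    # Step 5. The name/address-space filters follow the wizard's naming (assumption);
    # adjust them if your objects were created by hand.
    [pscustomobject]@{
        FederationTrust          = Get-FederationTrust | Select-Object Name, ApplicationUri
        OrganizationRelationship = Get-OrganizationRelationship |
                                       Select-Object Name, DomainNames, Enabled, FreeBusyAccessEnabled
        AvailabilityAddressSpace = Get-AvailabilityAddressSpace | Select-Object ForestName, AccessMethod
        SendConnectors           = Get-SendConnector |
                                       Where-Object { $_.AddressSpaces -match 'onmicrosoft\.com' } |
                                       Select-Object Name, SmartHosts, TlsDomain, RequireTLS
        AcceptedDomains          = Get-AcceptedDomain | Select-Object DomainName, DomainType
        RemoteDomains            = Get-RemoteDomain |
                                       Where-Object { $_.Name -like 'Hybrid Domain*' } |
                                       Select-Object Name, DomainName, TargetDeliveryDomain
        ReceiveConnectors        = Get-ReceiveConnector |
                                       Where-Object { $_.TlsDomainCapabilities.Count -gt 0 } |
                                       Select-Object Identity, TlsDomainCapabilities
    }
}

function Compare-HybridDomains {
    # For every domain on the hybrid object, report whether it appears in an
    # Organization Relationship and in the accepted domains. A domain present on the
    # hybrid object but in neither list is a sign the engine did not finish Step 5.
    # The Autodiscover domain entry carries an "autod:" prefix (assumption); strip it.
    $orgRelDomains = Get-OrganizationRelationship |
        ForEach-Object { $_.DomainNames } |
        ForEach-Object { $_.ToString().ToLower() }
    $accepted = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }
    foreach ($entry in (Get-HybridConfiguration).Domains) {
        $d = $entry.ToString().ToLower() -replace '^autod:', ''
        [pscustomobject]@{
            Domain                     = $d
            InOrganizationRelationship = ($orgRelDomains -contains $d)
            InAcceptedDomains          = ($accepted -contains $d)
        }
    }
}

# Usage:
# Get-HybridDesiredState | Format-List
# Get-HybridCurrentState | Format-List
# Compare-HybridDomains | Format-Table -AutoSize
```

Run it before and after Update-HybridConfiguration (or the wizard) and diff the two outputs; the difference is the set of configuration tasks the engine executed, which is also what you want in hand when opening a support case.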
Slide 8
Exchange Hybrid Scenario
On-premises Exchange organization: existing Exchange environment (Exchange 2007 or later) with Exchange 2013 client access & mailbox servers.
Office 365: Exchange Online.
Connections between the two:
- Active Directory synchronization: users, contacts, & groups via Azure AD Sync
- Secure mail flow
- Mailbox data via the Mailbox Replication Service (MRS)
- Sharing (free/busy, MailTips, archive, etc.)
Slide 9
Slide 10
Exchange Hybrid Wizard History
- Exchange 2013 SP1: multiple Exchange organizations now supported
- Supports Exchange 2013 Edge
- What is coming next?
Slide 11
- Multi-forest hybrid with AADSync (TAP ongoing)
- Improvements to OAuth to support multi-forest
- Resolving the common upgrade issues (upgrade from 2010/2013)
- Better diagnostics built in (HCW and other troubleshooters)
- Service validation for HCW (hybrid tested in EVERY forest EVERY day)
- Stand-alone HCW (new web-based HCW): HCW updates no longer tied to CUs; HCW looks and feels familiar
Slide 12
Stand-alone HCW:
- Exchange 2013 and E16 can use it
- Allows for agility with feature releases
- Allows for changes outside of CUs
- Allows for proper piloting of features
- Looks and feels familiar
- Allows us to fix issues quickly
- Allows us to add improvements to the HCW experience
- Newest version is used by EVERYONE
Slide 13
Slide 14
Slide 15
Identity options: Active Directory Federation Services (AD FS); Password Hash Synchronization (PW Sync); Cloud IDs (online username & password)
A lot of organizations deploy AD FS because of different benefits:
- Near-seamless logons (single sign-on)
- Most flexible solution for various clients such as Outlook, EAS, etc.
- More granular control over authentication
Most organizations deploy Password Hash Synchronization.
Slide 16
Slide 17
Sign-in against the cloud identity provider (OrgID):
1. Client: attempt sign-in / request mail (including username and password).
2. Identity Provider (OrgID) checks the credentials against its Directory: Success!
3. Identity Provider returns an auth token.
4. Service returns mail.
Slide 18
Federated sign-in (Identity Provider: EvoSTS):
1. Client: sync mail.
2. Service: need sign-in first.
3. Client: attempt sign-in (passive auth); the Directory issues a SAML token to the Identity Provider (EvoSTS).
4. Identity Provider returns an auth token.
5. Client: sync mail. Service: Success! Return mail.
Slide 19
Slide 20
Ted is happily using his Windows Phone: "This camera is awesome!" Then one day: "Sorry", error 0x86000C16. Ted's mailbox was moved to the cloud, and the nerdy admin has no option but to recreate the profile. The old way: "Back in my day we just shut up and recreated profiles." So what do we do now?
Slide 21
1. User is connected to an on-premises mailbox.
2. The user's mailbox moves to the cloud.
3. User tries to sync again.
4. CAS determines the user is remote (based on the target address, TA), then checks whether the domain name is in an Organization Relationship. If that exists and there is a TargetOwaURL, CAS uses it to perform a 451 redirect.
5. User connects seamlessly to the cloud.
Requires Exchange 2013 CU8 or Exchange 2010 SP3 RU9.
Unsupported scenarios:
- Mailbox moves from Exchange Server 2007 to Office 365
- Off-boarding is not supported
- EAS devices must support the 451 redirect (Acompli does not)
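Whether the redirect will actually fire for a given user depends on three on-premises objects the CAS consults, and all three can be checked before the device tries again. The block below is an added example, not code from the deck or from Exchange: it reads the target address from the user's remote mailbox, finds an enabled Organization Relationship that lists that domain, and confirms the relationship carries a TargetOwaURL. It assumes the on-premises Exchange Management Shell; the user identity passed in is whatever your directory holds.

```powershell
# Added example (not from the original deck): checks, for one migrated user, the objects
# the CAS consults before issuing the EAS 451 redirect: the target address (TA) on the
# remote mailbox, an Organization Relationship that lists the TA domain, and a
# TargetOwaURL on that relationship. Run in the on-premises Exchange Management Shell.

function Test-EasRedirectPrerequisite {
    param([Parameter(Mandatory)][string]$Identity)   # alias, SMTP address or UPN of the moved user

    # After an onboarding move the on-premises object is a remote mailbox whose
    # RemoteRoutingAddress is the TA the CAS uses to decide the user is remote.
    $remote   = Get-RemoteMailbox -Identity $Identity -ErrorAction Stop
    $ta       = $remote.RemoteRoutingAddress.ToString()
    $taDomain = ($ta -split '@')[1].ToLower()

    # The TA domain must be listed in an enabled Organization Relationship.
    $rel = Get-OrganizationRelationship | Where-Object {
        $_.Enabled -and
        (($_.DomainNames | ForEach-Object { $_.ToString().ToLower() }) -contains $taDomain)
    } | Select-Object -First 1

    # That relationship must also carry a TargetOwaURL; without it no 451 is issued and
    # the device keeps failing against the on-premises CAS.
    $relName = '(none for ' + $taDomain + ')'
    $owa     = $null
    if ($rel) {
        $relName = $rel.Name
        $owa     = $rel.TargetOwaURL
    }

    [pscustomobject]@{
        User                     = $remote.PrimarySmtpAddress.ToString()
        TargetAddress            = $ta
        OrganizationRelationship = $relName
        TargetOwaURL             = $owa
        RedirectPossible         = [bool]($rel -and $owa)
    }
}

# Usage: Test-EasRedirectPrerequisite -Identity ted | Format-List
```

If RedirectPossible is false, the fix is on the relationship (add the domain or set -TargetOwaURL with Set-OrganizationRelationship), not on the device; if it is true and the device still fails, check the server build against the CU8/RU9 requirement above and whether the client honours a 451 at all.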
Slide 22
Slide 23
Next Steps
- More troubleshooters are on the way; feedback is needed to make them better
HCW Troubleshooter flow:
1. HCW fails, so a customer attempts to open a case.
2. Customer is presented with the troubleshooter.
3. Customer is given a clear solution, ELIMINATING the need for a case.
4. Support also has immediate access to the HCW log if the case is still opened.
Slide 24
Exchange Hybrid Configuration Diagnostic: http://aka.ms/hcwcheck
If a check fails, the solution shown is one of:
- There are certificates installed in your Exchange Hybrid environment which are missing the subject name. http://go.microsoft.com/?linkid=9846727
- You need to fix your obsolete Active Directory Domain Services Federation Objects. http://go.microsoft.com/?linkid=9846726
- Your existing Exchange 2007 servers are not part of the Exchange Trusted Subsystem group. http://go.microsoft.com/?linkid=9846728
- You need to install Exchange 2010 SP3 RU3 or later. http://go.microsoft.com/?linkid=9846729
- In order to upgrade your Hybrid environment from Exchange 2010 to Exchange 2013 you need to rename your existing Organization Relationship. http://go.microsoft.com/?linkid=9846730
- Your Exchange Server 2013 needs to be running CU6 or later; we recommend the latest version available. http://go.microsoft.com/?linkid=9846731
- Some manual configuration is needed to allow legacy free/busy to work as expected. http://go.microsoft.com/?linkid=9846732
- Microsoft Exchange Service Host is not running. http://go.microsoft.com/?linkid=9846733
- Please run the Exchange Hybrid Configuration Wizard on a server which has the CAS role installed. http://go.microsoft.com/?linkid=9846734
- You need to upgrade your legacy e-mail address policy. http://go.microsoft.com/?linkid=9846735
- You need to address the issues found with the TLS certificate. If running Exchange Server 2010 you'll need to acquire a certificate with a name that has fewer than 256 characters. If running Exchange Server 2013 please install the latest cumulative update. http://go.microsoft.com/?linkid=9846736
Solution: Hybrid Upgrade issues 1
Error: Updating hybrid configuration failed with error 'Subtask Configure execution failed: Upgrading hybrid configuration from Exchange 2010... Object reference not set to an instance of an object. at Microsoft.Exchange.Management.Hybrid.UpgradeConfigurationFrom14Task.UpgradeFopeConnectors'
Fix: read the organization GUID, then rename the organization relationship so that the name ends with it:
  [PS] C:\> Get-OrganizationConfig | fl Guid
  [PS] C:\> (rename the organization relationship to "O365 to On-premises - " followed by the GUID returned above)
https://support.microsoft.com/en-us/kb/2967914/ (Fixed in CU5)
Slide 29
Solution: Hybrid Upgrade issues 2
Error: The Wizard did not complete successfully. Please see the list below for error details. Sending Mailbox Server isn't running Exchange 2013 or a later version.
https://support.microsoft.com/en-gb/kb/3013420/en-us
Fix: save the current hybrid configuration, then clear the server lists so the wizard re-selects them:
  [PS] C:\> Get-HybridConfiguration | fl > Hybrid.txt
  [PS] C:\> Set-HybridConfiguration -ClientAccessServers $null `
              -ReceivingTransportServers $null -SendingTransportServers $null
Slide 30
Solution: Hybrid Upgrade issues 3
Error: Updating hybrid configuration failed with error 'Subtask Configure execution failed: Upgrading hybrid configuration from Exchange 2010... Execution of the Set-InboundConnector cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings. Active Directory operation failed on ...'
or: ERROR: Subtask Configure execution failed: Upgrading hybrid configuration from Exchange 2010... No Inbound connector found on the Office 365 tenant.
Fix:
1. Remove the hybrid configuration object with ADSI Edit: Connect to Configuration > CN=Services > CN=Microsoft Exchange > CN=First Organization (this is your Exchange organization name; "First Organization" is only the default) > CN=Hybrid Configuration.
2. Rerun setup /PrepareAD from the on-premises Exchange setup directory (Schema Admin rights needed).
3. Rerun the HCW from Exchange 2013.
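Two of the three fixes above can be scripted, which matters when the same upgrade has to be repeated across several organizations or when you want an export of the object before it is deleted. The block below is an added example, not code from the deck or from Microsoft support: one function performs the organization-relationship rename for issue 1 using the GUID from Get-OrganizationConfig, and the other locates the Hybrid Configuration object in the Configuration partition by its CN, exports it, and removes it only when asked, replacing the ADSI Edit walk in issue 3. It assumes the Exchange Management Shell plus the ActiveDirectory module; the name prefix "O365 to On-premises - " is taken from the deck, and the LDAP filter on cn=Hybrid Configuration is an assumption about the object's name. The "New-OrganizationRelationship"-side name you pass in is whatever your existing relationship is called.

```powershell
# Added example (not from the original deck): scripts the rename for upgrade issue 1 and
# the export/removal of the Hybrid Configuration object for upgrade issue 3. Requires the
# Exchange Management Shell and the ActiveDirectory module; removal needs rights on the
# Configuration partition, and setup /PrepareAD plus the HCW must be rerun afterwards.

Import-Module ActiveDirectory

function Rename-HybridOrganizationRelationship {
    param(
        [Parameter(Mandatory)][string]$Identity   # the existing relationship's current name
    )
    # Same value "Get-OrganizationConfig | fl Guid" prints; the new name ends with it.
    $orgGuid = (Get-OrganizationConfig).Guid
    $newName = "O365 to On-premises - $orgGuid"    # prefix as given in the deck
    Set-OrganizationRelationship -Identity $Identity -Name $newName
    Get-OrganizationRelationship -Identity $newName | Select-Object Name, DomainNames, Enabled
}

function Export-HybridConfigurationObject {
    param([switch]$Remove)
    $cfgNC = (Get-ADRootDSE).configurationNamingContext
    # Same object the deck reaches in ADSI Edit (CN=Hybrid Configuration under
    # CN=<Exchange organization>,CN=Microsoft Exchange,CN=Services). Searching by CN
    # (assumption about the object name) avoids hard-coding the organization name.
    $obj = Get-ADObject -SearchBase $cfgNC -LDAPFilter '(cn=Hybrid Configuration)' -Properties * |
        Select-Object -First 1
    if (-not $obj) { throw "No Hybrid Configuration object found under $cfgNC" }

    # Keep a copy first: the HCW recreates the object, and the old values are what you
    # diff against if the rerun still fails.
    $backup = Join-Path $env:TEMP ('HybridConfiguration-{0:yyyyMMdd-HHmmss}.xml' -f (Get-Date))
    $obj | Export-Clixml -Path $backup
    Write-Output "Exported $($obj.DistinguishedName) to $backup"

    if ($Remove) {
        # Interactive confirmation; this is a destructive step on the Configuration partition.
        Remove-ADObject -Identity $obj.DistinguishedName -Confirm:$true
        Write-Output 'Now run setup /PrepareAD from the Exchange setup directory, then rerun the HCW.'
    }
}

# Usage:
# Get-OrganizationRelationship | Format-Table Name, DomainNames
# Rename-HybridOrganizationRelationship -Identity '<current relationship name>'
# Export-HybridConfigurationObject            # export only
# Export-HybridConfigurationObject -Remove    # export, then delete after confirmation
```

The export is the point of doing this in the shell rather than ADSI Edit: the HybridConfiguration object is the engine's desired state, and having its last good values on disk is what lets you verify the rerun rebuilt the same domains, servers and features.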
Slide 31
Slide 32
- Microsoft introduced a new feature that broke free/busy for hybrid customers
- Microsoft made changes in the service that broke customers using the Federation Gateway
- Microsoft made changes in the service that prevented all 2013 customers from running the HCW
- Microsoft introduced a CU that prevented the ability to create and manage user accounts
Bottom line: we needed to be better at finding issues with CU/service updates.
Slide 33
Active Monitoring for HCW: the HCW is tested in every forest throughout the day. Because of this we found the issue before ANY customer reported the problem.
Slide 34
So does the monitoring work? Activating directory sync kicks off an important process for hybrid:
1. The new domain is forward-synced to EXO.
2. The new routing domain gets created in MSO.
3. A new certificate is created that includes the new name.
4. Then we create the Autodiscover and MX DNS records.
Slide 35
Slide 36
Message Size Limits for Migration (Awareness)
Slide 37
Message Size Limits for Migration FAQ (Awareness)
1. What migration types will be able to take advantage of this new limit (with caveats)?
2. Will I be able to forward, resend, or move the item after the migration is complete?
3. Will the message size limit be increased so we can start sending larger messages?
4. When should I expect to see the message size increase for hybrid migrations?
5. What do I need to do to enable this new limit?
6. Does it matter if I am moving the mailboxes from 2007, 2010 or 2013?
Slide 38
150 MB message size increase: we can now increase the message size restrictions for a user after the mailbox plan is associated.
Slide 39
- Max default concurrent moves: 100 (exceptions can be made)
- Item count is a factor in migration performance
- Firewall configuration on the on-premises organization
- Network latency is a factor
- Migrations are not considered user-expected workload (WLM)
- Multiple concurrent moves allow for optimized migrations
- 0.3-1.0 GB/hour range per mailbox
- Source-side performance is a COMMON factor
Different UPNs for AD FS on-premises vs. Office 365
This is used to allow for a different UPN for AD FS on-premises vs. Office 365 (Office 365 UPN vs. on-premises UPN). Steps: install updates; adjust the claim rule; update the Management Agent in FIM. Documented on TechNet.

Old Claim Rule:
  c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
   => issue(store = "Active Directory",
            types = ("http://schemas.xmlsoap.org/claims/UPN",
                     "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"),
            query = "samAccountName={0};userPrincipalName,objectGUID;{1}",
            param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"),
            param = c.Value);

New Claim Rule (only the query changes: the UPN claim is sourced from mail instead of userPrincipalName):
  c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
   => issue(store = "Active Directory",
            types = ("http://schemas.xmlsoap.org/claims/UPN",
                     "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"),
            query = "samAccountName={0};mail,objectGUID;{1}",
            param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"),
            param = c.Value);
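Applying the rule change through the AD FS cmdlets rather than the console makes it repeatable across a farm and, more importantly, leaves a backup of the rule set that can be restored with -IssuanceTransformRulesFile. The block below is an added example, not code from the deck or from Microsoft: it backs up the relying party's issuance rules, swaps the attribute query from userPrincipalName to mail, and writes it back only when -Apply is given; a second function checks the precondition the new rule creates, namely that a user's mail attribute is populated with the value Office 365 will treat as the UPN. It assumes AD FS on Windows Server 2012 R2 with the ActiveDirectory module; the relying party display name "Microsoft Office 365 Identity Platform" is the default and may differ in your farm.

```powershell
# Added example (not from the original deck): changes the Office 365 relying party's UPN
# claim source from userPrincipalName to mail with a backup, and checks users' mail
# attribute. Runs on an AD FS 2012 R2 server with the ActiveDirectory module installed.

Import-Module ADFS
Import-Module ActiveDirectory

function Update-Office365UpnClaimSource {
    param(
        [string]$RelyingPartyName = 'Microsoft Office 365 Identity Platform',   # default display name
        [switch]$Apply
    )
    $rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
    if (-not $rp) { throw "Relying party trust '$RelyingPartyName' not found" }

    # The rule set is one string and Set-AdfsRelyingPartyTrust replaces it wholesale,
    # so keep a copy that can be restored with -IssuanceTransformRulesFile.
    $backup = Join-Path $env:TEMP ('IssuanceTransformRules-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
    Set-Content -Path $backup -Value $rp.IssuanceTransformRules

    # The only difference between the old and the new rule is the attribute that feeds
    # the UPN claim: userPrincipalName (old) versus mail (new).
    $oldQuery = 'samAccountName={0};userPrincipalName,objectGUID;{1}'
    $newQuery = 'samAccountName={0};mail,objectGUID;{1}'
    if ($rp.IssuanceTransformRules -notmatch [regex]::Escape($oldQuery)) {
        throw "Expected query '$oldQuery' not found in the rule set (backup at $backup)"
    }
    $newRules = [regex]::Replace($rp.IssuanceTransformRules,
                                 [regex]::Escape($oldQuery), $newQuery, 'IgnoreCase')

    if ($Apply) {
        Set-AdfsRelyingPartyTrust -TargetName $RelyingPartyName -IssuanceTransformRules $newRules
    }
    [pscustomobject]@{
        RelyingParty = $RelyingPartyName
        Backup       = $backup
        Applied      = [bool]$Apply
        NewRules     = $newRules
    }
}

function Test-MailAttributeForClaim {
    # With the new rule the token's UPN claim is whatever is in mail; an empty or
    # mismatched value means AD FS issues a UPN Office 365 cannot match to the synced user.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties mail, userPrincipalName
    [pscustomobject]@{
        User          = $u.SamAccountName
        OnPremisesUpn = $u.UserPrincipalName
        Mail          = $u.mail
        MailPopulated = -not [string]::IsNullOrWhiteSpace($u.mail)
    }
}

# Usage:
# Update-Office365UpnClaimSource            # dry run: shows the new rule set and backup path
# Update-Office365UpnClaimSource -Apply     # writes the new rule set
# Test-MailAttributeForClaim -SamAccountName ted
```

Run the dry run first and read NewRules: the regexreplace that strips the domain from the Windows account name must survive untouched, since the only intended change is the attribute list in the query. The FIM Management Agent update mentioned on the slide is a separate step; this script only covers the AD FS side.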
Slide 42
Office 365 UPN vs. on-premises UPN
Outlook connected to corp:
1. Autodiscover connects to the SCP and is automatically authenticated.
2. Autodiscover redirects the client to the target address stamped on the user.
3. User provides the cloud UPN and password.
Outlook connected externally:
1. Autodiscover connects from an external machine (user provides the on-premises UPN).
2. Autodiscover redirects the client to the target address stamped on the user.
3. User provides the cloud UPN and password.
Slide 43
Slide 44
OAUTH and Federation
Slide 45
DAuth vs OAuth
DAuth (Organization Relationships):
- Uses the Microsoft Federation Gateway for token generation
- Configured through Organization Relationships
- Controls what companies you share information with
- Allows for granular control of what features are available (free/busy, MailTips)
OAuth (IntraOrg Connectors):
- Uses the Auth Server in Azure AD (better resiliency and faster in-forest communications)
- Configured through IntraOrgConnectors / configuration
- Controls what companies you can share information with
- No granular control of the feature set (all or nothing)
Slide 46
Slide 47
Slide 48
eDiscovery Scenarios and OAuth (scenario: requires OAuth?)
- Search on-premises and Exchange Online mailboxes in the same eDiscovery search initiated from the Exchange on-premises organization: Yes
- Search Exchange on-premises mailboxes that use Exchange Online Archiving for cloud-based archive mailboxes: Yes
- Search Exchange Online mailboxes from an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer: Yes
- Search on-premises mailboxes using an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer: No
- Search Exchange Online mailboxes from an eDiscovery search initiated from Exchange Online or the eDiscovery Center in SharePoint Online by an Office 365 tenant administrator or a compliance officer signed in to an Office 365 user account: No
Slide 49
Free/busy request from Ben to Joe:
1. Exchange connects to the Azure OAuth endpoint.
2. Exchange Server passes the token and requests Joe's free/busy on behalf of Ben.
Free/busy works through a series of checks:
1st: we check whether we can find free/busy locally
2nd: (if the mailbox is not local) we check for an IOC (IntraOrganizationConnector)
3rd: (if there is no IOC) we check for an Organization Relationship
4th: we check for an Availability Address Space
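The four checks map onto four on-premises configuration objects, so the path a given free/busy request will take can be predicted from the shell before anyone opens a calendar. The block below is an added example, not code from the deck or from the Exchange Availability service: it walks the same four checks in the same order for one target address and reports which object would serve the request, including the case where none does. It assumes the on-premises Exchange Management Shell on Exchange 2013 SP1 or later (for the IntraOrganizationConnector cmdlets); the address passed in and the object names are whatever your organization holds.

```powershell
# Added example (not from the original deck): resolves which object would serve a
# free/busy request for one address, in the order local mailbox -> IntraOrganization
# Connector (OAuth) -> Organization Relationship (DAuth) -> Availability Address Space.
# Run in the on-premises Exchange Management Shell, Exchange 2013 SP1 or later.

function Resolve-FreeBusyPath {
    param([Parameter(Mandatory)][string]$TargetSmtpAddress)   # e.g. Joe's address

    # 1st: a mailbox we host answers from the local database.
    $rcpt = Get-Recipient -Identity $TargetSmtpAddress -ErrorAction SilentlyContinue
    if ($rcpt -and $rcpt.RecipientType -eq 'UserMailbox') {
        return [pscustomobject]@{ Target = $TargetSmtpAddress; Step = 1
            Method = 'Local mailbox'; Via = $rcpt.RecipientTypeDetails.ToString() }
    }

    # Not local: for a remote mailbox or mail user the lookup keys on the external
    # (target) address domain, e.g. contoso.mail.onmicrosoft.com, not the primary domain.
    $lookup = $TargetSmtpAddress
    if ($rcpt -and $rcpt.ExternalEmailAddress) {
        $lookup = $rcpt.ExternalEmailAddress.ToString() -replace '^smtp:', ''
    }
    $domain = ($lookup -split '@')[1].ToLower()

    # 2nd: an enabled IntraOrganizationConnector (OAuth) covering that domain.
    $ioc = Get-IntraOrganizationConnector | Where-Object {
        $_.Enabled -and
        (($_.TargetAddressDomains | ForEach-Object { $_.ToString().ToLower() }) -contains $domain)
    } | Select-Object -First 1
    if ($ioc) {
        return [pscustomobject]@{ Target = $TargetSmtpAddress; Step = 2
            Method = 'IntraOrganizationConnector (OAuth)'; Via = "$($ioc.Name) -> $($ioc.DiscoveryEndpoint)" }
    }

    # 3rd: an enabled Organization Relationship with free/busy access (DAuth via the
    # Microsoft Federation Gateway).
    $rel = Get-OrganizationRelationship | Where-Object {
        $_.Enabled -and $_.FreeBusyAccessEnabled -and
        (($_.DomainNames | ForEach-Object { $_.ToString().ToLower() }) -contains $domain)
    } | Select-Object -First 1
    if ($rel) {
        return [pscustomobject]@{ Target = $TargetSmtpAddress; Step = 3
            Method = 'OrganizationRelationship (DAuth)'; Via = "$($rel.Name) -> $($rel.TargetAutodiscoverEpr)" }
    }

    # 4th: an Availability Address Space (cross-forest / legacy configuration).
    $aas = Get-AvailabilityAddressSpace |
        Where-Object { $_.ForestName.ToLower() -eq $domain } | Select-Object -First 1
    if ($aas) {
        return [pscustomobject]@{ Target = $TargetSmtpAddress; Step = 4
            Method = 'AvailabilityAddressSpace'; Via = "$($aas.ForestName) ($($aas.AccessMethod))" }
    }

    # Nothing matched: the request will fail with no free/busy data.
    [pscustomobject]@{ Target = $TargetSmtpAddress; Step = 0
        Method = 'No path: free/busy will fail'; Via = $domain }
}

# Usage: Resolve-FreeBusyPath -TargetSmtpAddress joe@contoso.com
```

Two things the output makes visible that the diagram does not: a disabled IOC silently drops you to the DAuth path (step 3), so the OAuth "all or nothing" behaviour from the DAuth vs OAuth slide applies only while the connector is enabled; and the domain that matters is the target address domain, which is why a remote mailbox with a primary address in contoso.com is still resolved through the onmicrosoft.com entries.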
Slide 50
Public Folders
Slide 51
Hybrid Public Folder Options
- Option 1: Office 365 mailboxes accessing legacy PFs on-premises
- Option 2: Office 365 mailboxes accessing modern PFs on-premises
- Option 3: Exchange 2013 on-premises mailboxes accessing modern PFs in Office 365

Mailbox version vs. PF location (PFs on-premises on 2007/2010/2013 | PFs in Exchange Online):
  Exchange 2007 mailbox:   on-premises PFs: Yes    Exchange Online PFs: No
  Exchange 2010 mailbox:   on-premises PFs: Yes    Exchange Online PFs: No
  Exchange 2013 mailbox:   on-premises PFs: Yes    Exchange Online PFs: Yes*
  Exchange Online mailbox: on-premises PFs: Yes*   Exchange Online PFs: Yes
  *Requires use of Outlook for Windows
Slide 52
Outlook connects to a cloud mailbox and starts by querying autod.contoso.com (on-premises Autodiscover):
1. On-premises Autodiscover responds with the target address for the cloud mailbox.
2. Outlook does Autodiscover for the target address, contoso.mail.onmicrosoft.com.
3. EXO responds with the PF mailbox information, obtained from the organization config (Set-OrganizationConfig -RemotePublicFolderMailboxes) or set explicitly on the mailbox (Set-Mailbox -DefaultPublicFolderMailbox).
4. Outlook performs Autodiscover against that PF mailbox address; on-premises proxies to the PF server (running the CAS role), authenticating as the user over the public folder mailbox auth.
5. Outlook Anywhere settings are returned, including the server name of the PF/CAS instead of the CAS array.
6. When PF access is initiated, Outlook then makes the connection.
Slide 53
Question or Common Issues
Slide 54
On-Premises: Where is the Activate button for sync? It is absent if the Accepted Domain was not added first.
Why the change? UPN mismatches and changes are costly for support, and UPN mismatches cause a poor user experience. If you perform DirSync before adding the domain you see issues; we have now prevented this in the portal.
Example: an on-premises UPN in a domain not yet added is synchronized by DirSync to an Office 365 UPN of Ted@Contoso.onmicrosoft.com.
Slide 55
Mailbox Recovery changes
Today: to recover, use New-MailboxRestoreRequest. Do not hard-delete a user: that mailbox will not be recoverable. In the future we may add a soft-delete buffer, but not today.
Slide 56
HCW Domain limit: 250
Error when running HCW: Updating hybrid configuration failed with error 'Subtask Configure execution failed: Configure Organization Relationship. Execution of the New-OrganizationRelationship cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings. The total number of explicit and implicit subfilters exceeds maximum allowed number of 250. Processing stopped. at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, SessionParameters parameters, Boolean ignoreNotFoundErrors)'.
Cause: Organization Relationships allow up to 250 domains.
Resolution: Manually create an additional Organization Relationship and add the domains beyond 250 to it. This is being added to the HCW troubleshooter, along with a ton more!
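The manual resolution is mechanical once you know which domains did not fit: create another relationship with the same trust targets and feature flags as the one the wizard built, and give it only the overflow domains. The block below is an added example, not code from the deck or from the HCW: one function returns the candidate domains not covered by any existing relationship, and the other creates overflow relationships in slices of at most 250, copying every sharing setting from the source relationship. It assumes the shell for the side whose relationship failed (on-premises EMS, or a remote session to Exchange Online); the relationship and domain names are whatever your organization holds, and the "overflow N" name suffix is an assumption.

```powershell
# Added example (not from the original deck): creates the additional Organization
# Relationship(s) for domains beyond the 250-entry limit, copying the settings of the
# relationship the wizard built. Run in the shell for the side whose relationship failed.

function Get-OrganizationRelationshipOverflow {
    # Returns the candidate domains not covered by any existing relationship.
    param([Parameter(Mandatory)][string[]]$CandidateDomains)
    $covered = Get-OrganizationRelationship |
        ForEach-Object { $_.DomainNames } |
        ForEach-Object { $_.ToString().ToLower() }
    $CandidateDomains | ForEach-Object { $_.ToLower() } |
        Where-Object { $covered -notcontains $_ } | Sort-Object -Unique
}

function New-OverflowOrganizationRelationship {
    param(
        [Parameter(Mandatory)][string]$SourceRelationship,   # the HCW-created relationship
        [Parameter(Mandatory)][string[]]$ExtraDomains,       # output of the function above
        [int]$MaxDomains = 250,                              # the limit from the error text
        [switch]$WhatIf
    )
    $src = Get-OrganizationRelationship -Identity $SourceRelationship -ErrorAction Stop
    $batches = [math]::Ceiling($ExtraDomains.Count / $MaxDomains)
    for ($i = 0; $i -lt $batches; $i++) {
        $first = $i * $MaxDomains
        $last  = [math]::Min(($i + 1) * $MaxDomains, $ExtraDomains.Count) - 1
        $slice = $ExtraDomains[$first..$last]
        $name  = "$($src.Name) - overflow $($i + 1)"   # naming convention is an assumption
        # Same trust targets and feature flags as the source, different domain list.
        New-OrganizationRelationship -Name $name -DomainNames $slice `
            -TargetApplicationUri  $src.TargetApplicationUri `
            -TargetAutodiscoverEpr $src.TargetAutodiscoverEpr `
            -TargetOwaURL          $src.TargetOwaURL `
            -FreeBusyAccessEnabled $src.FreeBusyAccessEnabled `
            -FreeBusyAccessLevel   $src.FreeBusyAccessLevel `
            -MailTipsAccessEnabled $src.MailTipsAccessEnabled `
            -MailTipsAccessLevel   $src.MailTipsAccessLevel `
            -DeliveryReportEnabled $src.DeliveryReportEnabled `
            -MailboxMoveEnabled    $src.MailboxMoveEnabled `
            -ArchiveAccessEnabled  $src.ArchiveAccessEnabled `
            -Enabled $true -WhatIf:$WhatIf
    }
}

# Usage:
# $extra = Get-OrganizationRelationshipOverflow -CandidateDomains (Get-Content .\all-domains.txt)
# New-OverflowOrganizationRelationship -SourceRelationship '<HCW relationship name>' -ExtraDomains $extra -WhatIf
# New-OverflowOrganizationRelationship -SourceRelationship '<HCW relationship name>' -ExtraDomains $extra
```

Copying the flags from the source matters from a security standpoint: an overflow relationship typed by hand tends to end up with broader access (for example FreeBusyAccessLevel set to LimitedDetails where the original had AvailabilityOnly) simply because the defaults differ from what the wizard chose. Re-running the wizard later does not manage the overflow relationships, so keep the domain list with your hybrid documentation.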
Slide 57
HCW Domain limit: 64
Issue: HCW fails with "The length of the property is too long. The maximum length is 64 and the length of the value provided is 68."
Cause: We allow up to a 32-character domain name to be added to the service. When the routing domain is created for that domain the name becomes longer, but still shorter than the 64-character hard limit. When HCW creates the remote domain it prepends "Hybrid Domain - " to the identity of the remote domain, and this can put us over the limit.
Resolution: still being investigated; if we simply change the remote domain to prepend only "Hybrid - " we will allow for all 32-character domain names.
Slide 58
Certificate field is empty
- Required on the selected CAS & MBX: CAS are used for Receive Connectors, MBX are used for Send Connectors. Both need the same cert installed, else HCW won't show it.
- Third party
- Proper SAN
- Assigned to the SMTP service
- Private key
- Need access to the CRL URL over port 80 from all servers
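Both the 64-character remote-domain problem and the empty certificate drop-down can be caught before the wizard runs. The block below is an added example, not code from the deck or from the HCW: it enumerates the certificates on every CAS and Mailbox server, evaluates the properties listed above plus the "missing subject name" check from the diagnostic slide, reports whether one thumbprint satisfies all of them on every server, and computes the remote-domain name the wizard would create for each accepted domain against the 64-character limit. It assumes the on-premises Exchange Management Shell; the "Hybrid Domain - " prefix is the one stated on the slide. CRL reachability over port 80 is not tested here, since that needs the CRL URL parsed from each certificate's extensions.

```powershell
# Added example (not from the original deck): pre-flight for the certificate requirements
# and the 64-character remote-domain name limit. Run in the on-premises Exchange
# Management Shell. CRL reachability is deliberately out of scope.

function Get-HybridCertificateReport {
    param([string[]]$Servers)
    if (-not $Servers) {
        $Servers = Get-ExchangeServer |
            Where-Object { $_.IsClientAccessServer -or $_.IsMailboxServer } |
            ForEach-Object { $_.Name }
    }
    foreach ($s in $Servers) {
        Get-ExchangeCertificate -Server $s | ForEach-Object {
            [pscustomobject]@{
                Server        = $s
                Thumbprint    = $_.Thumbprint
                Subject       = $_.Subject
                HasSubject    = -not [string]::IsNullOrWhiteSpace($_.Subject)   # diagnostic: "missing the subject name"
                ThirdParty    = ($_.RootCAType -eq 'ThirdParty')
                SmtpEnabled   = ($_.Services.ToString() -match 'SMTP')
                HasPrivateKey = $_.HasPrivateKey
                Valid         = ($_.NotBefore -le (Get-Date) -and $_.NotAfter -gt (Get-Date))
                SanDomains    = ($_.CertificateDomains -join ', ')
            }
        }
    }
}

function Test-HybridCertificateConsistency {
    # The wizard only offers a certificate that meets every requirement on every selected
    # server, so keep the passing rows and check which thumbprints cover all servers.
    param([string[]]$Servers)
    $all  = @(Get-HybridCertificateReport -Servers $Servers)
    $serverCount = @($all | Select-Object -ExpandProperty Server -Unique).Count
    $all | Where-Object { $_.HasSubject -and $_.ThirdParty -and $_.SmtpEnabled -and $_.HasPrivateKey -and $_.Valid } |
        Group-Object Thumbprint | ForEach-Object {
            $on = @($_.Group | Select-Object -ExpandProperty Server -Unique)
            [pscustomobject]@{
                Thumbprint   = $_.Name
                Subject      = $_.Group[0].Subject
                Servers      = ($on -join ', ')
                OnAllServers = ($on.Count -eq $serverCount)
            }
        }
}

function Test-HybridRemoteDomainNameLength {
    # The wizard names each remote domain "<Prefix><domain>"; a result longer than the
    # limit fails with the "length of the property is too long" error above.
    param([string]$Prefix = 'Hybrid Domain - ', [int]$Limit = 64)
    Get-AcceptedDomain | ForEach-Object {
        $name = $Prefix + $_.DomainName.ToString()
        [pscustomobject]@{
            Domain           = $_.DomainName.ToString()
            RemoteDomainName = $name
            Length           = $name.Length
            ExceedsLimit     = ($name.Length -gt $Limit)
        }
    }
}

# Usage:
# Get-HybridCertificateReport | Format-Table -AutoSize
# Test-HybridCertificateConsistency | Format-Table -AutoSize
# Test-HybridRemoteDomainNameLength | Where-Object ExceedsLimit
```

An empty certificate field in the wizard almost always shows up here as a thumbprint with OnAllServers false: the certificate was imported on the CAS but not on the Mailbox servers, or imported without its private key on one of them.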
Slide 59
Challenges managing hybrid recipients
- User/mailbox management: converting mailboxes
- Group self-service management
- Inactive mailboxes (procedures?)
- DirSync delay (e.g. archive creation)
- Inconsistent experience: migrated permissions vs. new permissions (Full Access, Send-As, Receive-As)
Slide 63
HCW fails on a timeout. Cause: timeout issues are not handled well by the HCW (we are getting better). Running the HCW a second time is often all that is needed.
HCW fails with "InvalidUri: Passed URI is not valid". Cause: certain words such as "bank", profanity, and large organization names are blocked from federating. Calling Support is the only option to resolve the issue. Documented: http://support.microsoft.com/kb/2615183
Slide 64
Cannot create user mailboxes, cannot move mailboxes, cannot change user attributes. Cause: there is an issue with the backlink from EAC to EXO that prevents the proper connection. Resolution: download a script that fixes the file, or install CU7 when available.
Cannot send mail from a cloud user to the Internet when CMC is enabled. Resolution: call support for an IU (interim update) or wait for CU7.
Slide 65
Slide 66
Pre-Release Programs: Be first in line!
Exchange & SharePoint On-Premises Programs. Customers get:
- Early access to new features
- Opportunity to shape features
- Close relationship with the product teams
- Opportunity to provide feedback
- Technical conference calls with members of the product teams
- Opportunity to review and comment on documentation
Get selected to be in a program: sign up at Ignite at the Preview Program desk, or fill out a nomination: http://aka.ms/joinoffice
Questions: visit the Preview Program desk in the Expo Hall, or contact the program team by e-mail.