Migration options

                 IMAP   Cutover   Staged   Hybrid
Exchange 5.5      X
Exchange 2000     X
Exchange 2003     X       X         X       X*
Exchange 2007     X       X         X       X
Exchange 2010     X       X                 X
Exchange 2013     X       X                 X
Notes/Domino      X
GroupWise         X
Other             X

• IMAP migration: supports a wide range of email platforms; email only (no calendar, contacts, or tasks)
• Cutover Exchange migration: good for fast, cutover migrations; no Exchange upgrade required on-premises
• Staged Exchange migration: no Exchange upgrade required on-premises; optional identity federation with the on-premises directory
• Hybrid deployment: manage users on-premises and online; enables cross-premises calendaring, smooth migration, and easy off-boarding

Hybrid deployment
• Delegated authentication for on-premises/Office 365 web services; enables free/busy, calendar sharing, message tracking & online archive
• Manage all of your Exchange functions, whether Exchange Online or on-premises, from the same place: the Exchange Admin Center
• Online mailbox moves: preserve the Outlook profile and offline folders; leverages the Mailbox Replication Service (MRS)
• Authenticated and encrypted mail flow between on-premises and Exchange Online; preserves the internal Exchange message headers, allowing a seamless end-user experience; supports compliance mail flow scenarios (centralized transport)

[Diagram: on-premises Exchange organization (existing Exchange environment, Exchange 2007 or later, plus Exchange 2013 client access & mailbox server) connected to Office 365 by: Active Directory synchronization (users, contacts & groups via dirsync); secure mail flow; sharing (free/busy, MailTips, archive, etc.); mailbox data via the Mailbox Replication Service (MRS).]

Deployment tasks

General Office 365 deployment tasks
• Sign up for Office 365
• Register your domains with Office 365
• Deploy Windows Azure AD Sync with Office 365

Exchange-specific deployment tasks (deep dive on next slide)
• Install Exchange 2013 CAS & MBX servers (Edge optional)
• Publish the CAS server (assign SSL certificate, firewall rules)
• Run the Hybrid Wizard

From an existing Exchange 2007 or 2010 environment
1. Prepare
   • Install Exchange SP and/or updates across the org (Exchange 2010 or 2007 servers at SP3/RU10)
   • Prepare AD with the E2013 schema
2. Deploy Exchange 2013 servers
   • Install both E2013 MBX and CAS servers
   • Configure the legacy namespace for 2007 (2007/2013 coexistence)
   • Install E2010 or E2013 SP1 Edge servers
   • Set an ExternalUrl & enable MRSProxy on the Exchange Web Services vDir
3. Obtain and deploy certificates
   • Obtain and deploy certificates on E2013 CAS servers & E2010 Edge servers
4. Publish protocols externally
   • Create public DNS A records for the EWS and SMTP endpoints
   • Validate using the Remote Connectivity Analyzer
5. Switch the Autodiscover namespace to E2013 CAS
   • Change the public Autodiscover DNS record to resolve to E2013 CAS
6. Run the Hybrid Configuration Wizard
7. Move mailboxes

[Diagram: autodiscover.contoso.com and mail.contoso.com (EWS, SMTP) published to the Internet-facing site, which holds the E2013 CAS, E2013 MBX and E2010/E2013 Edge Transport servers; the intranet site holds the E2010 or 2007 CAS, Hub and MBX servers (SP3/RU10).]

Hybrid wizard history

Step 1: The Update-HybridConfiguration cmdlet triggers the Hybrid Configuration Engine to start.
Step 2: The Hybrid Configuration Engine reads the “desired state” stored on the HybridConfiguration Active Directory object in on-premises Exchange.
Step 3: The Hybrid Configuration Engine connects via Remote PowerShell to both the on-premises and Exchange Online organizations.
Step 4: The Hybrid Configuration Engine discovers topology data and current configuration from the on-premises Exchange organization and the Exchange Online organization.
Step 5: Based on the desired state, topology data, and current configuration across both the on-premises Exchange and Exchange Online organizations, the Hybrid Configuration Engine establishes the “difference” and then executes configuration tasks to establish the “desired state.”

[Diagram: Exchange Management Tools write the desired state to the Hybrid Configuration Object; the Hybrid Configuration Engine uses Remote PowerShell to on-premises Exchange and, across the Internet, to Exchange Online. On-premises it configures Exchange server level objects (Mailbox Replication Service Proxy, certificate validation, Exchange Web Service virtual directory validation & receive connector), domain level objects (accepted domains, remote domains & e-mail address policies) and organization level objects (Exchange federation trust, organization relationship, availability address space & send connector). In Exchange Online it configures domain level objects (accepted domains & remote domains) and organization level objects (Exchange federation trust, organization relationship, Forefront inbound connector & Forefront outbound connector).]

Feedback… answered
• Get-FederationInformation fallback logic: if the on-premises Autodiscover endpoint is not published properly when the wizard executes, it will warn, not fail.
• Autodiscover domain: you can now specify which domain is used for the federated Autodiscover query:
     Set-HybridConfiguration -Domains "contoso.com, fabrikam.com, autod:nwtraders.com"
• Email address policy protection measures: a new UpdateSecondaryAddressesOnly parameter was added to Update-EmailAddressPolicy. It protects customers that have manually edited their directory: only missing proxies will be added; no addresses will be changed or removed. Note: this is still a very bad state to be in.
• Hybrid Product Key availability: you can now obtain a FREE Exchange 2013 or 2010 Hybrid Edition product key without the dreaded call to support. You can simply go to http://aka.ms/hybridkey
• Hybrid logging improvements

Hybrid Product Key (http://aka.ms/hybridkey)
You get a free Hybrid Edition key if…
• You have an existing, non-trial, Office 365 Enterprise subscription
• You currently do not have a licensed Exchange 2013 or Exchange 2010 SP3 server in your on-premises organization
• You will not host any on-premises mailboxes on the Exchange 2013 or Exchange 2010 SP3 server on which you apply the Hybrid Edition product key
• Short link: http://aka.ms/hybridkey (for IE 11 only; others will get the link to the KB)
• KB link: http://support.microsoft.com/kb/2939261

Topologies supported

Exchange 2013 RTM
• Single forest model: accounts and mailboxes in a single forest
• Resource forest model: multiple account forests, single resource forest
• 1:1 relationship between Exchange organization and single O365 tenant

Exchange 2013 Service Pack 1
• Supports multiple Exchange organizations configured against a single O365 tenant
• Multiple forests, each containing accounts and Exchange organizations
• Multi-org hybrid support: N:1 relationship between Exchange organizations and a single O365 tenant

[Diagram: multi-org hybrid. ForestA (forest contoso.com, authoritative for contoso.com) and ForestB (forest fabrikam.com, authoritative for fabrikam.com, shares contoso.com) each run a hybrid deployment against one Office 365 tenant (tenant name contoso.onmicrosoft.com, coexistence name contoso.mail.onmicrosoft.com). FIM synchronizes both forests; an org relationship (free/busy, sharing) exists between them; SMTP mail flow between the forests (TLS connectors) is not configured by the Hybrid Configuration Wizard.]

Autodiscover – single org
MX contoso.com = ForestA; autodiscover.contoso.com = ForestA CAS
1.) What is the AutoD endpoint for ben@contoso.com?
2.) Send the AutoD request to the DNS FQDN for contoso.com (ForestA)
3.) Client authenticates, CAS returns profile data in XML format

Autodiscover – two orgs
Public DNS: MX contoso.com = ForestA; autodiscover.contoso.com = ForestA CAS; autodiscover.fabrikam.com = ForestB CAS
Forest A (owns contoso.com): Yann, Primary: yann@contoso.com, TargetAddress: yann@fabrikam.com
Forest B (owns fabrikam.com, shares contoso.com): Yann, Primary: yann@contoso.com, Proxy: yann@fabrikam.com
1.) What is the AutoD endpoint for yann@contoso.com?
2.) Send the AutoD request to the DNS FQDN for contoso.com
3.) Redirect the AutoD request to the DNS FQDN for fabrikam.com
4.) What is the AutoD endpoint for yann@fabrikam.com?
5.) Send the AutoD request to the DNS FQDN for fabrikam.com
6.) Client authenticates, CAS returns profile data in XML format

Multi-org hybrid deployment
1. Prepare
   • Update each Exchange organization to Service Pack 1
   • Validate Autodiscover is properly configured and published in each Exchange organization
   • Validate that the public certificates for each Exchange org are unique
   • Create a 2-way forest trust
2. Configure mail flow on-prem
   • Configure SMTP domain sharing as required
   • Configure mail flow between the on-prem organizations
3. Configure directory synchronization
   • Configure FIM + the AAD Connector to synchronize mail recipients in each forest and the Office 365 tenant
4. Run the Hybrid Configuration Wizard
   • Prepare the Office 365 tenant
   • Run the HCW in contoso.com and fabrikam.com
   • Validate mail flow between all entities
5. Configure ADFS
   • Configure ADFS in contoso.com
   • Configure ADFS in fabrikam.com
6. Configure organization relationships
   • Configure an org relationship between each org

[Diagram: the contoso.com and fabrikam.com forests (each with E2013, ADFS and ADFS Proxy) joined by a 2-way forest trust and SMTP mail routing; a FIM management agent / AAD Connector feeds the O365 directory (contoso.onmicrosoft.com, fabrikam.onmicrosoft.com); Azure AD federated authentication; SMTP/TLS mail flow, a federated trust relationship and an organization relationship to Office 365.]

Common issues – mail routing and MFG

Discovery searches
• Cause: XTC has been retired and (undocumented) OAuth was the replacement
• Documented: http://technet.microsoft.com/en-us/library/dn497703(v=exchg.150).aspx
• Resolution: implement OAuth for hybrid

I cannot see cross-premises free/busy? Happy retirement, Consumer MFG!!
• Cause: Consumer MFG retired on February 25, 2014
• Resolution: recreate the federation trust and org relationships
• Documented: http://support.microsoft.com/kb/2937358

"Length of the property is too long"
• Cause: the TLS certificate name is greater than 256 characters
• Documented: http://support.microsoft.com/kb/2860844
• Resolution: coming soon; for now you need to get a different certificate

Perimeter devices
• Often, customers need guidance on how to configure their perimeter devices
• Here is a wiki on how to configure TMG for hybrid: http://community.office365.com/en-us/wikis/exchange/1042.aspx?sort=mostrecent&pageindex=1

Mailbox move transient error
• Error: “Mailbox move to the cloud fail with error: Transient error CommunicationErrorTransientException has occurred. The system will retry”
• Cause: intrusion detection systems can often see migration traffic as an attack; flood mitigation in TMG can cause this as well
• This wiki explains how to address the issue: http://community.office365.com/en-us/wikis/exchange/office-365-move-mailbox-fails-with-transient-exception.aspx

HCW timeouts
• Cause: timeout issues are not handled well by the HCW (we are getting better)
• Running the HCW a second time is often all that is needed…

"InvalidUri: Passed URI is not valid"
• Cause: certain words such as “bank”, profanity, and large org names are blocked from federating
• Calling Support is the only option to resolve the issue
• Documented: http://support.microsoft.com/kb/2615183

"FederationInformation could not be received"
• Cause: IIS is missing a handler mapping, which causes connections to EWS and Autodiscover to fail
• Errors: Get-FederationInformation returns “405 Method Not Allowed”
• Resolution: from a cmd prompt run “ServiceModelReg.exe –r”
• Documented: http://support.microsoft.com/kb/2773628

Outbound proxy
• Cause: if you have an outbound proxy, you may be blocking required traffic
• Resolution: ensure that your servers have access to the proper IPs and URLs
• Recommendation: if you require an outbound proxy, try to use URL filtering instead of IP filtering; it is easier to maintain
• Documented: there is an EHLO blog on this here

Common issues – runtime

Cross-site free/busy proxying
[Diagram: a cloud free/busy request to mail.contoso.com passes a Layer 4 LB to the E2013 CAS in the Internet-facing site (with E2013 MBX), which HTTP-proxies it as a cross-site proxy request to the E2010 CAS and E2010 MBX in the intranet site. Set the 2010 ExternalUrl to mail.contoso.com.]
• Resolution: http://technet.microsoft.com/en-us/library/hh529912(v=exchg.150).aspx

Mailbox moves that fail silently
• Cause: bad password for the admin, publishing issues, MRS disabled, etc.
• Errors: NONE. The error in Wave 14 was the following, but in Wave 15 there isn’t an indication of failure:
• Resolution: use the EAC in EXO

"Free/Busy information couldn’t be retrieved because the attendee's Mailbox server is busy"
• Cause: TargetSharingEpr is configured
• More information:
   • The SOAP request will include the following element:
     <ext:RequestServerVersion Version="Exchange2012" xmlns:ext="http://schemas.microsoft.com/exchange/services/2006/types" />
   • When an Exchange 2010 CAS server receives the EWS call, it will throw an HTTP 500 response
   • The Autodiscover response will have the following element:
     <h:ServerVersionInfo MajorVersion="14" MinorVersion="3" MajorBuildNumber="123" MinorBuildNumber="3"
   • 2010 SOAP:
     <ext:RequestServerVersion Version="Exchange2009" xmlns:ext="http://schemas.microsoft.com/exchange/services/2006/types" />
• Resolution: fix Autodiscover! http://support.microsoft.com/kb/2838688

Hybrid OWA redirection
• Issue: hybrid OWA redirection does not work as expected; this was addressed in CU3
• This is not an issue on 2010 hybrid environments
• http://support.microsoft.com/kb/2890814

Federation UI on Exchange 2010 SP3 RU2
• From Exchange 2010 SP3 RU2 you will see the domain proof missing
   • Workaround: use the Shell: Get-FederatedDomainProof
   • This is addressed in Exchange 2010 SP3 RU3
• From Exchange 2010 SP3 RU2 you will not be able to add additional domains to a federation trust from the UI; you have to use the Shell as a workaround
   • This has been addressed in Exchange 2010 SP3 RU3

Managing a 2013-based tenant from the 2010 EMC
• Cause: Exchange cannot manage “newer version” objects
• This means the 2010 EMC cannot manage org settings for an Exchange 2013-based tenant
• Resolution: use the EAC instead for org management

Summary
• http://aka.ms/hybridkey
• http://aka.ms/exdeploy

Related sessions
Session name          Session type   Date       Time      Speaker
MVP follow-up Q & A                  Today      12:10 PM  Us
MNG-IN 301            Breakout       Wednesday  2:45 PM   Vincent Yim
DMI 301               Breakout       Wednesday  8:30 AM   Michael Van Horenbeeck
PAR 003               Hands-on lab   Wednesday  12:00 PM  Frederic Bourget
MNG 301               Breakout       Wednesday  10:15 AM  Warren Johnson
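The following three Exchange Management Shell scripts are added examples and are not part of the deck or of Microsoft's own tooling. The first one works through deployment steps 2 and 3 (EWS ExternalUrl, MRS Proxy, certificates) and the "Length of the property is too long" issue; it assumes the placeholder namespace mail.contoso.com and that the IIS certificate is the one you would also select in the HCW for mail flow.

```powershell
# Added example (not from the deck): pre-flight for the "Deploy Exchange 2013 servers"
# and "Obtain and deploy certificates" steps. Run in the Exchange Management Shell.
# Assumed (placeholder) namespace: mail.contoso.com; adjust to the EWS FQDN you publish.
$ewsFqdn = "mail.contoso.com"
$ewsUrl  = "https://$ewsFqdn/EWS/Exchange.asmx"

# Exchange 2013 servers report AdminDisplayVersion "Version 15.x"; only their CAS role
# needs the external EWS URL and MRS Proxy for hybrid mailbox moves.
$cas2013 = Get-ExchangeServer | Where-Object {
    $_.IsClientAccessServer -and ($_.AdminDisplayVersion.ToString() -like "Version 15*")
}

foreach ($srv in $cas2013) {
    Set-WebServicesVirtualDirectory -Identity "$($srv.Name)\EWS (Default Web Site)" `
        -ExternalUrl $ewsUrl -MRSProxyEnabled $true

    # The certificate bound to IIS must cover the published name, or clients and
    # the Remote Connectivity Analyzer will fail TLS validation.
    $iisCert = Get-ExchangeCertificate -Server $srv.Name | Where-Object {
        ($_.Services.ToString() -match "IIS") -and
        (($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $ewsFqdn)
    } | Select-Object -First 1

    if (-not $iisCert) {
        Write-Warning "$($srv.Name): no IIS-bound certificate contains $ewsFqdn"
        continue
    }
    if ($iisCert.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "$($srv.Name): certificate $($iisCert.Thumbprint) expires $($iisCert.NotAfter)"
    }

    # "Length of the property is too long": the HCW stamps the send connector with
    # TlsCertificateName "<I>issuer<S>subject", which cannot exceed 256 characters.
    # Assumes the same certificate is selected in the HCW for mail flow.
    $tlsName = "<I>$($iisCert.Issuer)<S>$($iisCert.Subject)"
    if ($tlsName.Length -gt 256) {
        Write-Warning "$($srv.Name): TlsCertificateName would be $($tlsName.Length) chars; the HCW will fail (KB 2860844)"
    }

    # Report the resulting vDir state for the deployment checklist.
    Get-WebServicesVirtualDirectory -Server $srv.Name |
        Select-Object Server, ExternalUrl, MRSProxyEnabled
}
```

The second script is an added example for the "Email address policy protection measures" item on the "Feedback… answered" slide: it audits which mailboxes lack the coexistence proxy address before and after the additive UpdateSecondaryAddressesOnly run, so that manually edited directories can be checked rather than trusted. The coexistence domain contoso.mail.onmicrosoft.com and the function name are placeholders.

```powershell
# Added example (not from the deck): audit the coexistence proxy address around an
# additive e-mail address policy update. Assumed (placeholder) coexistence domain.
$coexDomain = "contoso.mail.onmicrosoft.com"

function Get-MailboxesMissingCoexProxy {
    param([string]$Domain)
    # Returns every mailbox that has no smtp:*@<Domain> proxy address at all.
    Get-Mailbox -ResultSize Unlimited | Where-Object {
        $addrs = $_.EmailAddresses | ForEach-Object { $_.ToString() }
        -not ($addrs -like "smtp:*@$Domain")
    }
}

# 1. The HCW adds an @coexistence template to the policies; without it nothing
#    below can stamp the address, so stop early and run the HCW first.
$policies = Get-EmailAddressPolicy | Where-Object {
    ($_.EnabledEmailAddressTemplates | ForEach-Object { $_.ToString() }) -like "smtp:*@$coexDomain"
}
if (-not $policies) {
    Write-Warning "No e-mail address policy carries an @$coexDomain template; run the HCW first"
    return
}

# 2. Before: how many mailboxes would the hybrid mail flow not be able to route?
$before = @(Get-MailboxesMissingCoexProxy -Domain $coexDomain)
Write-Host "Mailboxes missing @$coexDomain before update: $($before.Count)"

# 3. Apply the policy additively (the slide's new parameter): only missing proxies
#    are added, nothing is changed or removed, so hand-edited addresses survive.
foreach ($p in $policies) {
    Update-EmailAddressPolicy -Identity $p.Identity -UpdateSecondaryAddressesOnly
}

# 4. After: anything still missing is outside policy control (for example
#    EmailAddressPolicyEnabled is false on the mailbox) and needs a manual look.
$after = @(Get-MailboxesMissingCoexProxy -Domain $coexDomain)
Write-Host "Mailboxes missing @$coexDomain after update: $($after.Count)"
$after | Select-Object Name, PrimarySmtpAddress, EmailAddressPolicyEnabled | Format-Table -AutoSize
```

The third script is an added example that runs the federation checks the "Common issues" slides call for in one pass: the Shell workaround for the missing domain proof, Get-FederationInformation with the 405 / ServiceModelReg hint, Test-FederationTrust, and a scan of every organization relationship for the TargetSharingEpr setting behind the "attendee's Mailbox server is busy" error. The test mailbox ben@contoso.com is a placeholder.

```powershell
# Added example (not from the deck): federation diagnostics for a hybrid deployment.
# Run in the on-premises Exchange Management Shell. Assumed (placeholder) test mailbox.
$testUser = "ben@contoso.com"

# 1. Every domain in the federated organization identifier and its domain proof.
#    Exchange 2010 SP3 RU2 hides the proof in the UI; the Shell still returns it.
$fedDomains = (Get-FederatedOrganizationIdentifier).Domains |
    ForEach-Object { $_.DomainName.ToString() }
foreach ($d in $fedDomains) {
    Write-Host "Domain proof for $d :"
    Get-FederatedDomainProof -DomainName $d | Format-List
}

# 2. Get-FederationInformation per domain. A 405 points at the missing IIS handler
#    mapping (KB 2773628); any other failure usually means Autodiscover/EWS is not
#    published, which the SP1 HCW only warns about instead of failing.
foreach ($d in $fedDomains) {
    try {
        $info = Get-FederationInformation -DomainName $d -ErrorAction Stop
        Write-Host ("{0}: TargetAutodiscoverEpr={1}" -f $d, $info.TargetAutodiscoverEpr)
    } catch {
        $msg = $_.Exception.Message
        if ($msg -match "405") {
            Write-Warning "$d : 405 Method Not Allowed; run 'ServiceModelReg.exe -r' on the CAS (KB 2773628)"
        } else {
            Write-Warning "$d : federation information could not be received: $msg"
        }
    }
}

# 3. End-to-end token test; only non-successful steps are shown.
Test-FederationTrust -UserIdentity $testUser | Where-Object { $_.Type -ne "Success" }

# 4. A hard-coded TargetSharingEpr bypasses Autodiscover and is the documented cause
#    of the "Mailbox server is busy" free/busy error (KB 2838688), so flag it.
Get-OrganizationRelationship | ForEach-Object {
    if ($_.TargetSharingEpr) {
        Write-Warning "$($_.Name): TargetSharingEpr is set ($($_.TargetSharingEpr)); clear it and fix Autodiscover instead"
    }
    $_ | Select-Object Name, DomainNames, FreeBusyAccessEnabled, TargetAutodiscoverEpr
}
```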