DMI304 Ehrensing
Migration options by source platform

Source platform   Cutover migration   Staged migration   IMAP migration   Hybrid
Exchange 5.5      -                   -                  X                -
Exchange 2000     -                   -                  X                -
Exchange 2003     X                   X                  X                X*
Exchange 2007     X                   X                  X                X
Exchange 2010     X                   -                  X                X
Exchange 2013     X                   -                  X                X
Notes/Domino      -                   -                  X                -
GroupWise         -                   -                  X                -
Other             -                   -                  X                -

IMAP migration
  • Supports a wide range of email platforms
  • Email only (no calendar, contacts, or tasks)
Cutover Exchange migration
  • Good for fast, cutover migrations
  • No Exchange upgrade required on-premises
Staged Exchange migration
  • No Exchange upgrade required on-premises
  • Optional identity federation with the on-premises directory
Hybrid deployment
  • Manage users on-premises and online
  • Enables cross-premises calendaring, smooth migration, and easy off-boarding
Hybrid deployment features
  • Delegated authentication for on-premises/Office 365 web services
    • Enables free/busy, calendar sharing, message tracking & online archive
  • Manage all of your Exchange functions, whether Exchange Online or on-premises, from the same place: Exchange Admin Center
  • Online mailbox moves
    • Preserve the Outlook profile and offline folders
    • Leverages the Mailbox Replication Service (MRS)
  • Authenticated and encrypted mail flow between on-premises and Exchange Online
    • Preserves the internal Exchange message headers, allowing a seamless end user experience
    • Support for compliance mail flow scenarios (centralized transport)
Hybrid topology (diagram)
  • On-premises Exchange organization: existing Exchange environment (Exchange 2007 or later) plus an Exchange 2013 client access & mailbox server
  • Office 365: Active Directory synchronization of users, contacts & groups via dirsync
  • Between the two: secure mail flow; sharing (free/busy, MailTips, archive, etc.); mailbox data via the Mailbox Replication Service (MRS)

Deployment tasks
General Office 365 deployment tasks
  1. Sign up for Office 365
  2. Register your domains with Office 365
  3. Deploy Windows Azure AD Sync with Office 365
Exchange specific deployment tasks (deep dive on next slide)
  4. Install Exchange 2013 CAS & MBX servers (Edge optional)
  5. Publish the CAS server (assign SSL certificate, firewall rules)
  6. Run the Hybrid Wizard
From an existing Exchange 2007 or 2010 environment—Edge Transport server
(Diagram: Internet-facing site with E2013 CAS, E2013 MBX and E2010 or E2013 Edge (SP3/RU10) alongside the E2010 or 2007 CAS, Hub and MBX servers; an intranet site with E2010 or 2007 servers (SP3/RU10). Published names: autodiscover.contoso.com and mail.contoso.com (EWS) on the E2013 CAS, SMTP on the Edge.)

1. Prepare
   • Install Exchange SP and/or updates across the org
   • Prepare AD with the E2013 schema
2. Deploy Exchange 2013 servers
   • Install both E2013 MBX and CAS servers
   • Configure the legacy namespace for 2007 (2007/2013 coexistence)
   • Install E2010 or E2013 SP1 Edge servers
   • Set an ExternalUrl & enable MRSProxy on the Exchange Web Services vDir
3. Obtain and deploy certificates
   • Obtain and deploy certificates on E2013 CAS servers & E2010 Edge servers
4. Publish protocols externally
   • Create public DNS A records for the EWS and SMTP endpoints
   • Validate using Remote Connectivity Analyzer
5. Switch Autodiscover namespace to E2013 CAS
   • Change the public Autodiscover DNS record to resolve to E2013 CAS
6. Run the Hybrid Configuration Wizard
7. Move mailboxes
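The server-side part of steps 2, 3 and 5 above, as an added Exchange Management Shell example that is not from the DMI304 deck. It assumes an Exchange 2013 server named E2013CAS, the external namespace mail.contoso.com / autodiscover.contoso.com, and that the third-party certificate has mail.contoso.com in its subject; all three are assumptions to adjust. The final object is the checklist the Hybrid Configuration Wizard depends on, so it is worth reading before step 6.

```powershell
# Added example, not from the deck. Assumed names: E2013CAS, mail.contoso.com, autodiscover.contoso.com.
$server   = "E2013CAS"
$ewsUrl   = "https://mail.contoso.com/EWS/Exchange.asmx"
$autodUrl = "https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml"

# Step 2: ExternalUrl + MRSProxy on the EWS vDir. Exchange Online's Mailbox Replication
# Service connects to this endpoint for remote mailbox moves; without MRSProxy they never start.
Get-WebServicesVirtualDirectory -Server $server |
    Set-WebServicesVirtualDirectory -ExternalUrl $ewsUrl -MRSProxyEnabled $true

# Step 3: bind the third-party certificate to IIS and SMTP. Refuse self-signed or non-valid
# certificates: Exchange Online validates the TLS certificate on both the EWS and SMTP endpoints.
$cert = Get-ExchangeCertificate -Server $server |
    Where-Object { $_.Subject -like "*mail.contoso.com*" -and -not $_.IsSelfSigned -and "$($_.Status)" -eq "Valid" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No valid third-party certificate for mail.contoso.com found on $server" }
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services IIS,SMTP -Force

# Step 5: point the 2013 CAS Autodiscover SCP at the published name (assumed to match public DNS).
Set-ClientAccessServer -Identity $server -AutoDiscoverServiceInternalUri $autodUrl

# Pre-HCW checklist: every value below is something the wizard reads or validates.
$ews = Get-WebServicesVirtualDirectory -Server $server
[pscustomobject]@{
    ExternalUrl     = $ews.ExternalUrl
    MRSProxyEnabled = $ews.MRSProxyEnabled
    Thumbprint      = $cert.Thumbprint
    CertSubject     = $cert.Subject
    CertExpires     = $cert.NotAfter
    AutodiscoverUri = (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
} | Format-List
```

After this, step 4 is still a manual check: the Remote Connectivity Analyzer must reach the ExternalUrl shown here through the firewall with the same certificate thumbprint, otherwise the wizard's certificate validation (see the engine steps below) fails.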
Hybrid wizard history

How the Hybrid Configuration Wizard works (diagram: Exchange Management Tools write the desired state to the Hybrid Configuration object; the Hybrid Configuration Engine reads it and uses Remote PowerShell over the Internet against both the on-premises Exchange organization and the Exchange Online organization)

Step 1  The Update-HybridConfiguration cmdlet triggers the Hybrid Configuration Engine to start.
Step 2  The Hybrid Configuration Engine reads the "desired state" stored on the HybridConfiguration Active Directory object.
Step 3  The Hybrid Configuration Engine connects via Remote PowerShell to both the on-premises and Exchange Online organizations.
Step 4  The Hybrid Configuration Engine discovers topology data and current configuration from the on-premises Exchange organization and the Exchange Online organization.
Step 5  Based on the desired state, topology data, and current configuration across both the on-premises Exchange and Exchange Online organizations, the Hybrid Configuration Engine establishes the "difference" and then executes configuration tasks to establish the "desired state."

Objects the engine configures on-premises
  • Exchange server level configuration: Mailbox Replication Service Proxy, certificate validation, Exchange Web Services virtual directory validation, & Receive Connector
  • Domain level configuration objects: Accepted Domains, Remote Domains, & E-mail Address Policies
  • Organization level configuration objects: Exchange Federation Trust, Organization Relationship, Availability Address Space, & Send Connector
Objects the engine configures in Exchange Online
  • Domain level configuration objects: Accepted Domains & Remote Domains
  • Organization level configuration objects: Exchange Federation Trust, Organization Relationship, Forefront Inbound Connector, & Forefront Outbound Connector
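Steps 2, 4 and 5 above describe a desired-state versus current-state comparison. The following on-premises Exchange Management Shell script is an added example (not the deck's or Microsoft's code) that performs a read-only version of that comparison, so drift introduced after the wizard ran (someone editing a connector, removing an accepted domain, disabling MRSProxy) is caught before the next free/busy or mailbox-move failure. It assumes the HCW-created connector is named "Outbound to Office 365" and that the coexistence domain is contoso.mail.onmicrosoft.com; both are assumptions.

```powershell
# Added example, not from the deck. Assumed: connector name "Outbound to Office 365",
# coexistence domain contoso.mail.onmicrosoft.com. Read-only; it changes nothing.
$coexistence = "contoso.mail.onmicrosoft.com"
$hc = Get-HybridConfiguration
if (-not $hc) { throw "No HybridConfiguration object: the wizard has never written a desired state" }

$findings = New-Object System.Collections.Generic.List[string]
function Add-Finding([string]$Area, [string]$Detail) { $findings.Add("${Area}: $Detail") }

# Organization level: federation trust and an enabled organization relationship to the tenant
if (-not (Get-FederationTrust)) { Add-Finding "FederationTrust" "no federation trust exists" }
$rel = Get-OrganizationRelationship |
    Where-Object { ($_.DomainNames | ForEach-Object { "$_" }) -contains $coexistence }
if (-not $rel)            { Add-Finding "OrganizationRelationship" "none targets $coexistence" }
elseif (-not $rel.Enabled) { Add-Finding "OrganizationRelationship" "$($rel.Name) is disabled" }

# Domain level: every domain in the desired state must be accepted; the coexistence
# domain must be a remote domain (autod: marks the Autodiscover-only domain, strip it)
$accepted = Get-AcceptedDomain | ForEach-Object { "$($_.DomainName)" }
foreach ($d in $hc.Domains) {
    $name = "$d" -replace '^autod:', ''
    if ($accepted -notcontains $name) { Add-Finding "AcceptedDomain" "$name is not an accepted domain" }
}
if (-not (Get-RemoteDomain | Where-Object { "$($_.DomainName)" -eq $coexistence })) {
    Add-Finding "RemoteDomain" "$coexistence missing"
}

# Transport: the send connector must require TLS with domain validation and present the
# same certificate the desired state names; a receive connector must be bound to it too
$send = Get-SendConnector "Outbound to Office 365" -ErrorAction SilentlyContinue
if (-not $send) { Add-Finding "SendConnector" "'Outbound to Office 365' not found" }
else {
    if ("$($send.TlsCertificateName)" -ne "$($hc.TlsCertificateName)") {
        Add-Finding "SendConnector" "TlsCertificateName differs from HybridConfiguration"
    }
    if (-not $send.RequireTLS) { Add-Finding "SendConnector" "RequireTLS is false" }
    if ("$($send.TlsAuthLevel)" -ne "DomainValidation") {
        Add-Finding "SendConnector" "TlsAuthLevel is $($send.TlsAuthLevel), expected DomainValidation"
    }
}
if (-not (Get-ReceiveConnector | Where-Object { "$($_.TlsCertificateName)" -eq "$($hc.TlsCertificateName)" })) {
    Add-Finding "ReceiveConnector" "no receive connector uses the hybrid TLS certificate"
}

# Server level: MRSProxy on every CAS the desired state lists
foreach ($cas in $hc.ClientAccessServers) {
    Get-WebServicesVirtualDirectory -Server $cas.Name |
        Where-Object { -not $_.MRSProxyEnabled } |
        ForEach-Object { Add-Finding "MRSProxy" "$($cas.Name): EWS vDir has MRSProxyEnabled = false" }
}

if ($findings.Count) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "No drift from the HybridConfiguration desired state" }
```

A non-empty list does not mean "re-run the wizard": the wizard will re-impose the desired state, which is the right fix for accidental drift but the wrong one when someone deliberately loosened TLS on the connector. Find out which before step 5 runs again.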
Feedback…Answered

Get-FederationInformation fallback logic
  • If the on-premises Autodiscover endpoint is not published properly when the wizard executes, it will warn, not fail.
Autodiscover domain
  • You can now specify which domain is used for the federated Autodiscover query:
    Set-HybridConfiguration -Domains "contoso.com, fabrikam.com, autod:nwtraders.com"
Email address policy protection measures
  • New "UpdateSecondaryAddressesOnly" parameter added to Update-EmailAddressPolicy.
  • Protects customers that have manually edited their directory: only missing proxy addresses are added; no addresses are changed or removed.
  • Note: this is still a very bad state to be in.
Hybrid Product Key availability
  • You can now obtain a FREE Exchange 2013 or 2010 Hybrid Edition product key without the dreaded call to support. Simply go to http://aka.ms/hybridkey
Hybrid logging improvements
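The two configuration items above (the autod: domain and the protected address-policy update), as an added on-premises Exchange Management Shell example that is not from the deck. It assumes hybrid domains contoso.com and fabrikam.com, an Autodiscover-only domain nwtraders.com, and a policy named "Default Policy". The snapshot-and-diff around Update-EmailAddressPolicy is the check that makes "only missing proxies will be added" verifiable rather than taken on trust.

```powershell
# Added example, not from the deck. Assumed: contoso.com, fabrikam.com, autod:nwtraders.com, "Default Policy".

# Multivalued form of the Domains parameter; the autod: prefix marks the domain used for the
# federated Autodiscover query, it is not added as an e-mail domain.
Set-HybridConfiguration -Domains "contoso.com","fabrikam.com","autod:nwtraders.com"

# Snapshot every recipient's proxy addresses before the policy is applied
$before = @{}
Get-Recipient -ResultSize Unlimited -RecipientTypeDetails UserMailbox,MailUser | ForEach-Object {
    $before[$_.Guid] = @($_.EmailAddresses | ForEach-Object { "$_" })
}

# Add only addresses the policy says are missing (e.g. the coexistence alias);
# nothing is renamed, re-primaried or removed.
Update-EmailAddressPolicy -Identity "Default Policy" -UpdateSecondaryAddressesOnly

# Diff: any removed address or changed primary is a defect, not an expected outcome
$changed = foreach ($r in Get-Recipient -ResultSize Unlimited -RecipientTypeDetails UserMailbox,MailUser) {
    $old = $before[$r.Guid]
    if (-not $old) { continue }                                  # created after the snapshot
    $new        = @($r.EmailAddresses | ForEach-Object { "$_" })
    $removed    = @($old | Where-Object { $new -notcontains $_ })
    $oldPrimary = $old | Where-Object { $_ -cmatch '^SMTP:' }    # upper-case SMTP: = primary
    $newPrimary = $new | Where-Object { $_ -cmatch '^SMTP:' }
    if ($removed.Count -or ($oldPrimary -ne $newPrimary)) {
        [pscustomobject]@{
            Recipient  = $r.Identity
            Removed    = ($removed -join ';')
            OldPrimary = $oldPrimary
            NewPrimary = $newPrimary
        }
    }
}
if ($changed) {
    $changed | Format-Table -AutoSize
    Write-Warning "Addresses were changed or removed; stop and review before running the HCW again"
} else {
    Write-Host "Only additions were made; every primary address is unchanged"
}
```

Run the snapshot on the same Shell session you run the update from, and keep $before until the diff is clean; it is the only record of the pre-update state if the policy turns out to be wrong.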
Hybrid Product Key (http://aka.ms/hybridkey)
You get a free Hybrid Edition key if…
  • You have an existing, non-trial, Office 365 Enterprise subscription
  • You currently do not have a licensed Exchange 2013 or Exchange 2010 SP3 server in your on-premises organization
  • You will not host any on-premises mailboxes on the Exchange 2013 or Exchange 2010 SP3 server on which you apply the Hybrid Edition product key
Short Link: http://aka.ms/hybridkey (for IE 11 only; other browsers will get the link to the KB)
KB Link: http://support.microsoft.com/kb/2939261
Topologies Supported

Exchange 2013 RTM
  • Single Forest Model: accounts and mailboxes in a single forest
  • Resource Forest Model: multiple account forests, single resource forest
  • 1:1 relationship between Exchange organization and single O365 tenant
Exchange 2013 Service Pack 1
  • Supports multiple Exchange organizations configured against a single O365 tenant
  • Multiple forests, each containing accounts and Exchange organizations
  • Multi-Org Hybrid Support: N:1 relationship between Exchange organization and single O365 tenant

(Diagram: one Office 365 tenant, tenant name contoso.onmicrosoft.com, coexistence name contoso.mail.onmicrosoft.com, in hybrid with contoso.com alone (RTM) and with both contoso.com and fabrikam.com (SP1). ForestA, forest contoso.com, is authoritative for contoso.com; ForestB, forest fabrikam.com, is authoritative for fabrikam.com and shares contoso.com. Between the forests: FIM, an Org Relationship (free/busy, sharing) and SMTP mail flow over TLS connectors, none of which is configured by the Hybrid Configuration Wizard.)
Autodiscover – Single Org
  • MX contoso.com = ForestA
  • autodiscover.contoso.com = ForestA CAS
  1.) What is the AutoD endpoint for ben@contoso.com?
  2.) Send the AutoD request to the DNS FQDN for contoso.com (ForestA)
  3.) Client authenticates, CAS returns profile data in XML format
Autodiscover – Two Orgs
  Public DNS
    • MX contoso.com = ForestA
    • autodiscover.contoso.com = ForestA CAS
    • autodiscover.fabrikam.com = ForestB CAS
  Forest A (owns contoso.com): Yann, Primary: yann@contoso.com, TargetAddress: yann@fabrikam.com
  Forest B (owns fabrikam.com, shares contoso.com): Yann, Primary: yann@contoso.com, Proxy: yann@fabrikam.com
  1.) What is the AutoD endpoint for yann@contoso.com?
  2.) Send the AutoD request to the DNS FQDN for contoso.com
  3.) Redirect the AutoD request to the DNS FQDN for fabrikam.com
  4.) What is the AutoD endpoint for yann@fabrikam.com?
  5.) Send the AutoD request to the DNS FQDN for fabrikam.com
  6.) Client authenticates, CAS returns profile data in XML format
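The six-step exchange above, driven from the client side with the POX Autodiscover request, as an added PowerShell example that is not from the deck. It assumes https://autodiscover.<domain>/autodiscover/autodiscover.xml is reachable with credentials the CAS accepts (step 2 and step 5 above); the hop limit, the loop check and the HTTPS-only rule are defensive choices of this example, not Outlook's full algorithm (Outlook also tries the SCP, the root domain, SRV records and HTTP redirects). The redirectAddr action in the ForestA response is what step 3 looks like on the wire.

```powershell
# Added example, not from the deck. Assumed endpoint pattern: https://autodiscover.<domain>/autodiscover/autodiscover.xml
$poxRequest = @'
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006">
  <Request>
    <EMailAddress>{0}</EMailAddress>
    <AcceptableResponseSchema>http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a</AcceptableResponseSchema>
  </Request>
</Autodiscover>
'@

function Get-AutodiscoverProfile {
    param([string]$EmailAddress, [pscredential]$Credential, [int]$MaxHops = 3)
    $visited = @()
    for ($hop = 0; $hop -lt $MaxHops; $hop++) {
        $domain   = $EmailAddress.Split('@')[1]
        $visited += $EmailAddress
        $uri = "https://autodiscover.$domain/autodiscover/autodiscover.xml"   # steps 2 and 5
        Write-Verbose "Hop ${hop}: $EmailAddress -> $uri"
        $resp = Invoke-WebRequest -Uri $uri -Method Post -Body ($poxRequest -f $EmailAddress) `
                    -ContentType "text/xml" -Credential $Credential -UseBasicParsing
        [xml]$xml = $resp.Content
        $response = $xml.Autodiscover.Response
        if ($response.Error) { throw "Autodiscover error $($response.Error.ErrorCode): $($response.Error.Message)" }
        $account = $response.Account

        if ($account.Action -eq 'redirectAddr') {                               # step 3
            $target = $account.RedirectAddr
            # Never follow a redirect back to an address already tried: that is a loop,
            # typically a TargetAddress that points at the org you came from
            if ($visited -contains $target) { throw "Autodiscover redirect loop at $target" }
            $EmailAddress = $target
        }
        elseif ($account.Action -eq 'redirectUrl') {
            # A URL redirect must stay on HTTPS; a downgrade to http:// is a sign of tampering
            if ($account.RedirectUrl -notlike 'https://*') { throw "Refusing non-HTTPS redirect $($account.RedirectUrl)" }
            throw "redirectUrl $($account.RedirectUrl) is not followed by this example"
        }
        elseif ($account.Action -eq 'settings') {                               # step 6
            $exch = $account.Protocol | Where-Object { $_.Type -eq 'EXCH' }
            return [pscustomobject]@{
                ResolvedAddress = $EmailAddress     # yann@fabrikam.com in the two-org case
                Hops            = $hop              # 1 when exactly one redirectAddr occurred
                Server          = $exch.Server
                EwsUrl          = $exch.EwsUrl
            }
        }
        else { throw "Unexpected Autodiscover response: $($xml.OuterXml)" }
    }
    throw "Gave up after $MaxHops redirects"
}

# Usage:
# Get-AutodiscoverProfile -EmailAddress yann@contoso.com -Credential (Get-Credential) -Verbose
```

A Hops value above 1 for a user like Yann means both forests are redirecting each other, which is exactly the TargetAddress / Proxy mismatch the two-org slide is careful to avoid.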
Multi-org hybrid deployment
(Diagram: the contoso.com and fabrikam.com forests, each with E2013, ADFS and an ADFS Proxy, joined by a 2-way forest trust and SMTP mail routing; FIM Management Agents and the AAD Connector synchronize both forests to the O365 directory (contoso.onmicrosoft.com, fabrikam.onmicrosoft.com); Azure AD Auth uses federated authentication; each org has a federated trust relationship, an organization relationship and SMTP/TLS mail flow with Office 365, plus mail routing and MFG between them.)

1. Prepare
   • Update each Exchange organization to Service Pack 1
   • Validate AutoDiscover is properly configured and published in each Exchange organization
   • Validate the public certificates for each Exchange org are unique
   • Create a 2-way forest trust
2. Configure mail flow on-prem
   • Configure SMTP domain sharing as required
   • Configure mail flow between the on-prem organizations
3. Configure directory synchronization
   • Configure FIM + AAD Connector to synchronize mail recipients in each forest and the Office 365 tenant
4. Run the Hybrid Configuration Wizard
   • Prepare the Office 365 tenant
   • Run the HCW in contoso.com and fabrikam.com
   • Validate mail flow between all entities
5. Configure ADFS
   • Configure ADFS in contoso.com
   • Configure ADFS in fabrikam.com
6. Configure Organization Relationships
   • Configure an Org Relationship between each Org
Hybrid Discovery Searches (XTC retired)
• Cause: XTC has been retired and (undocumented) OAuth was the replacement
• Documented: http://technet.microsoft.com/en-us/library/dn497703(v=exchg.150).aspx
• Resolution: implement OAuth for hybrid Discovery Searches

I cannot see cross-premises Free/Busy?
Happy Retirement Consumer MFG!!
• Cause: Consumer MFG retired on February 25, 2014
• Resolution: recreate the federation trust and org relationships
• Documented: http://support.microsoft.com/kb/2937358

"Length of the property is too long"
• Cause: TLS certificate name is greater than 256 characters
• Documented: http://support.microsoft.com/kb/2860844
• Resolution: coming soon; for now you need to get a different certificate

Perimeter devices
• Often, customers need guidance on how to configure their perimeter devices
• Here is a Wiki on how to configure TMG for hybrid: http://community.office365.com/enus/wikis/exchange/1042.aspx?sort=mostrecent&pageindex=1

Mailbox move transient error
• Error: "Mailbox move to the cloud fail with error: Transient error CommunicationErrorTransientException has occurred. The system will retry"
• Cause: Intrusion Detection Systems can often see migration traffic as an attack
• Flood mitigation in TMG can cause this as well
• This Wiki explains how to address the issue: http://community.office365.com/en-us/wikis/exchange/office-365-move-mailbox-failswith-transient-exception.aspx

HCW timeouts
• Cause: timeout issues are not handled well by the HCW (we are getting better)
• Running the HCW a second time is often all that is needed…

"InvalidUri: Passed URI is not valid"
• Cause: certain words such as "bank", profanity, and large org names are blocked from federating
• Calling Support is the only option to resolve the issue
• Documented: http://support.microsoft.com/kb/2615183

"FederationInformation could not be received"
• Cause: IIS is missing a handler mapping, which causes connections to EWS and AutoD to fail
• Errors: Get-FederationInformation returns "405 Method Not Allowed"
• Resolution: from a cmd prompt run "ServiceModelReg.exe -r"
• Documented: http://support.microsoft.com/kb/2773628

Outbound proxy
• Cause: if you have an outbound proxy, you may be blocking required traffic
• Resolution: ensure that your servers have access to the proper IPs and URLs
• Recommendation: if you require an outbound proxy, try to use URL filtering instead of IP; it is easier to maintain
• Documented: there is an EHLO blog post on this
Common Issues – Runtime

Cloud free/busy request proxied cross-site
(Diagram: a cloud F/B request to mail.contoso.com arrives at the Layer 4 load balancer and the E2013 CAS in the Internet-facing site; the E2013 CAS makes a cross-site HTTP proxy request to the E2010 CAS in the intranet site, whose E2010 MBX holds the mailbox.)
• Set the 2010 ExternalUrl to mail.contoso.com
• Resolution: http://technet.microsoft.com/en-us/library/hh529912(v=exchg.150).aspx

Mailbox moves with no error shown
• Cause: bad password for admin, publishing issues, MRS disabled, etc.
• Errors: NONE
• The error in Wave 14 was the following, but in Wave 15 there isn't an indication of failure:
• Resolution: use the EAC in EXO
"Free/Busy information couldn't be retrieved because the attendee's Mailbox server is busy"
• Cause: TargetSharingEPR is configured
• More information:
  • The SOAP request will include the following element:
    <ext:RequestServerVersion Version="Exchange2012" xmlns:ext="http://schemas.microsoft.com/exchange/services/2006/types" />
  • When an Exchange 2010 CAS server receives the EWS call, it will throw an HTTP 500 response
  • The Autodiscover response will have the following element:
    <h:ServerVersionInfo MajorVersion="14" MinorVersion="3" MajorBuildNumber="123" MinorBuildNumber="3"
  • A 2010 SOAP request uses:
    <ext:RequestServerVersion Version="Exchange2009" xmlns:ext="http://schemas.microsoft.com/exchange/services/2006/types" />
• Resolution: Fix Autodiscover!
• http://support.microsoft.com/kb/2838688
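Diagnosing the failure above from the Exchange Online side, as an added example that is not from the deck. It assumes you are connected to Exchange Online PowerShell, that the tenant's organization relationship to on-premises targets contoso.com, and a test user alice@contoso.onmicrosoft.com; all are assumptions. The point it makes concrete: with TargetSharingEpr set, Exchange Online never reads the ServerVersionInfo from Autodiscover, so it sends the Exchange2012 RequestServerVersion straight to the 2010 CAS.

```powershell
# Added example, not from the deck. Assumed: on-premises domain contoso.com, test user alice@contoso.onmicrosoft.com.
$onPremDomain = "contoso.com"
$rel = Get-OrganizationRelationship |
    Where-Object { ($_.DomainNames | ForEach-Object { "$_" }) -contains $onPremDomain }
if (-not $rel) { throw "No organization relationship for $onPremDomain in this tenant" }

# TargetSharingEpr pins the EWS endpoint and bypasses Autodiscover version discovery;
# clearing it makes Exchange Online negotiate the version (Exchange2009 for a 2010 CAS).
if ($rel.TargetSharingEpr) {
    Write-Warning "TargetSharingEpr is $($rel.TargetSharingEpr); clearing it so TargetAutodiscoverEpr ($($rel.TargetAutodiscoverEpr)) is used"
    Set-OrganizationRelationship -Identity $rel.Identity -TargetSharingEpr $null
}

# "Fix Autodiscover" means this must succeed: it is the federated Autodiscover query
# Exchange Online performs and returns the endpoints it will actually use.
$fed = Get-FederationInformation -DomainName $onPremDomain -ErrorAction Stop
[pscustomobject]@{
    TargetAutodiscoverEpr = $fed.TargetAutodiscoverEpr
    TargetApplicationUri  = $fed.TargetApplicationUri
    DomainNames           = (($fed.DomainNames | ForEach-Object { "$_" }) -join ', ')
} | Format-List

# End-to-end check for one user; anything other than Success is printed as a warning
Test-OrganizationRelationship -Identity $rel.Identity -UserIdentity "alice@contoso.onmicrosoft.com" |
    Where-Object { "$($_.Status)" -ne 'Success' } |
    ForEach-Object { Write-Warning "$($_.Id): $($_.Status) $($_.Description)" }
```

If Get-FederationInformation itself fails with a 405, the cause is the IIS handler mapping described under "FederationInformation could not be received" above, not the organization relationship.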
Common Issues – Runtime
• Issue: hybrid OWA redirection does not work as expected; this was addressed in CU3
• This is not an issue on 2010 hybrid environments
• http://support.microsoft.com/kb/2890814

Common Issues – Runtime
• From Exchange 2010 SP3 RU2 you will see the domain proof missing
  • Workaround: use the Shell, Get-FederatedDomainProof
  • This is addressed in Exchange 2010 SP3 RU3
• From Exchange 2010 SP3 RU2 you will not be able to add additional domains to a federation trust from the UI; you have to use the Shell as a workaround
  • This has been addressed in Exchange 2010 SP3 RU3

Common Issues – Runtime
• Cause: Exchange cannot manage "newer version" objects
  • This means the 2010 EMC cannot manage org settings for an Exchange 2013-based tenant
• Resolution: use the EAC instead for org management
Summary
http://aka.ms/hybridkey
http://aka.ms/exdeploy

Related Sessions
Session Name          Session Type   Date        Time       Speaker
MVP Follow up Q & A                  Today       12:10 PM   Us
MNG-IN 301            Breakout       Wednesday   2:45 PM    Vincent Yim
DMI 301               Breakout       Wednesday   8:30 AM    Michael Van Horenbeeck
PAR 003               Hands on lab   Wednesday   12:00 PM   Federic Bourget
MNG 301               Breakout       Wednesday   10:15 AM   Warren Johnson