Configuring Hybrid Exchange the Easy Way

Ben ApplebySenior Program ManagerMicrosoft Corporation

EXL303

Session Objectives and Takeaways

Session Objective(s): Understand how the Hybrid Configuration Engine worksUnderstand the common pitfalls when configuring hybrid, and how to avoid them

Dependencies are key. You must have your certificates, DNS names, etc. working before you attempt to configure hybrid. Otherwise, it’s going to be harder than necessary.

Agenda

Migration optionsHybrid overviewThe new SP2 deployment processHow does the Hybrid Configuration Wizard work?Common deployment pitfalls

IMAP migration

Cutove

r migration

Staged

migration

Hybrid

Exchange 5.5 X

Exchange 2000 X

Exchange 2003 X X X X

Exchange 2007 X X X X

Exchange 2010 X X X

Notes/Domino X

GroupWise X

Other X

* Additional options available with tools from migration partners

Mig

rati

on

Hyb

rid

IMAP migrationSupports wide range of e-mail platformsE-mail only (no calendar, contacts, or tasks)

Cutover Exchange migration (CEM)Good for fast, cutover migrationsNo server required on-premises

Staged Exchange migration (SEM)No server required on-premisesIdentity federation with on-premises directory

Hybrid deploymentManage users on-premises and onlineEnables cross-premises calendaring, smooth migration, and easy off-boarding

Office 365 Migration OptionsChoices to fit your organization

How to pick an Exchange migration solution?

1 150 5,000 25,000

Organizational Size in Users

C-EM

S-EM

Hybrid

Mig

ratio

n S

olu

tion

s

<1 Week 2 Weeks 3 Weeks Several Months

Features

None Mailflow/GalSync Free/Busy, Archive in Cloud

Time For Migration including Planning

HybridStaged Exchange Migration vs Hybrid Feature-set

Feature Staged Hybrid

Mail routing between on-premises and cloud (recipients on either side)

Mail routing with shared namespace (if desired) - @company.com on both sides

Unified GAL

Free/Busy and calendar sharing cross-premises

Mailtips, messaging tracking, and mailbox search work cross-premises

OWA Redirection cross-premise (single OWA URL for both on-premises and cloud)

Exchange Online Archive

Exchange Management Console used to manage cross-prem relationship & mailbox migrations

Native mailbox move supports both onboarding and offboarding

No outlook reconfiguration or OST resync required after mailbox migration

Online Mailbox Move allows users to start logged into their mailbox while it is being moved to the cloud

Secure Mail ensure emails cross-premises are encrypted, and the internal auth headers are preserved

Centralized mailflow control, ensures that all email routes inbound/outbound via On Premises

HybridFeature summary

Makes your on-premises organization and cloud organization work together like a single, seamless organization

Offers near-parity of features/experience on-premises and in the cloudSeamless interactions between on-premises and cloud mailboxesMigrations in and out of the cloud transparent to end-user

Features not supported:

Coexistence of mailbox permissions –Permissions are migrated, but do not work when Delegator and Delegate are split between on-prem & cloudMigration of Send As for non mailbox recipientsMulti-forest – Only single forest source environmentsPublic FoldersAddress Book Policies

Hybrid Server Roles2 Required Server Roles:

Office 365 Active Directory SynchronizationExchange Server 2010 SP1 CAS/Hub*

Exchange Server 2010 SP1 CAS/Hub

Unified Global Address ListOffice 365 Directory Sync

Exchange SharingAD FSSingle Sign On

1 Optional Server Role:Active Directory Federation Services

Mailbox Move

Secure Transport

* Mbx role is required for legacy Public Folder based free/busy support

Exchange Server 2010 SP1 CAS/Hub

FREE!with paid Exchange

Online subscription

Exchange Deployment Assistant

Exchange Deployment Assistant http://technet.microsoft.com/exdeploy2010

Currently supports hybrid configuration with:

Exchange Server 2003Exchange Server 2007Exchange Server 2010

Guidance provided is for the Hybrid Configuration Wizard with Exchange 2010 SP2

The new SP2 Process

Hybrid Configuration Wizard

What’s new in Exchange 2010 SP2?

Coexistence Domain – Replaces the requirement for the customer to create a “service.contoso.com” domainFederation Trust improvements – Removes the requirement to create a “exchangedelegation.contoso.com” domain

SP2 automatically prepends a well know string (“FYDIBOHF25SPDLT”) to the beginning of the account namespace.

Dedicated hybrid management experienceHybrid Config WizardNew/Get/Set/Update-HybridConfiguration cmdlets

The wizard & cmdlets will configure the following things for you:Exchange federation trustOrganization relationshipsRemote domains/accepted domainsEmail address policiesSend/Receive connectorForefront inbound/outbound connectorsMRSProxyPre-req checks (i.e. Office365 Active Directory Sync, Exchange certificates, registered custom domains, etc…)

Pre-SP2: Over 50+ manual steps

With SP2: Now only 6 steps, all within the UI

SP2 Hybrid Deployment Process

Sign up for Office 365

Register your

domains with Office

365

Deploy Office 365 Directory

Sync

Install Exchange 2010 SP2

CAS & HUB Servers

Publish the CAS & Hub

Servers(Assign SSL certificate,

firewall rules)

Run the Hybrid Wizard

Use the Exchange Remote Connectivity

Analyzer to verify this stage

The new Hybrid Configuration Wizard

New organization level tab that contains a the “Hybrid Configuration

Object”

End to end wizard that guides you through each

step of configuring

hybrid

demo

Hybrid Configuration Wizard

How does the Hybrid Configuration Wizard work?

The Wizard & the Configuration Engine

The Wizard records the information collected from the user via the “Set-HybridConfiguration” cmdletAll deployment actions are taken by the Hybrid Configuration Engine, which is called by the Update-HybridConfiguration cmdlet

Update-HybridConfiguration

Hybrid Configuration Engine

Desired State

Topology & Current

Configuration State

Execute Configuratio

n Tasks

Hybrid Configuration Engine

ON-PREMISES EXCHANGE ORGANIZATION

IN

TE

RN

ET

EXCHANGE ONLINE

ORGANIZATIONStep 1

Step 2

Step 3

Step 4

Step 5Exchange

Management Tools

Organization Level

Configuration Objects

(Exchange Federation Trust, Organization

Relationship, Forefront Inbound Connector, & Forefront Outbound

Connector)

Domain Level Configuration

Objects(Accepted Domains &

Remote Domains)

Hybrid Configuration

Object

Exchange Server Level

Configuration(Mailbox Replication

Service Proxy, Certificate Validation, Exchange Web Service Virtual

Directory Validation, & Receive Connector)

Domain Level Configuration

Objects(Accepted Domains, Remote Domains, &

E-mail Address Policies)

Organization Level Configuration

Objects(Exchange Federation

Trust, Organization Relationship, Availability Address Space, & Send

Connector)

1

2 4 55

4

The Update-HybridConfiguration cmdlet triggers the Hybrid Configuration Engine to start.

Based on the desired state, topology data, and current configuration, across both the on-premises Exchange and Exchange Online organizations, the Hybrid Configuration Engine establishes the “difference” and then executes configuration tasks to establish the “desired state.”

The Hybrid Configuration Engine discovers topology data and current configuration from the on-premises Exchange organization and the Exchange Online organization.

The Hybrid Configuration Engine connects via Remote PowerShell to both the on-premises and Exchange Online organizations.

The Hybrid Configuration Engine reads the “desired state” stored on the HybridConfiguration Active Directory object.

REMOTE POWERSHEL

L

REMOTE POWERSHELL

Organization Relationship Creation

Hybrid Configuration

Engine

Exchange 2007 Client Access Server

Exchange 2010 Client Access Server

Exchange OnlineClient Access Server

Exchange OnlineMailbox Server

Exchange 2007 Mailbox Server

C:\Get-FederationInformation –DomainName “contoso.com”

ON-PREMISES EXCHANGE ORGANIZATION EXCHANGE ONLINE ORGANIZATION

MICROSOFT

FEDERATION GATEWAY

PUBLIC DNS

(4) Client Access Server responds with Federation Trust details:

ApplicationUri: FYDIBOHF25SPDLT.contoso.comDomainNames: contoso.comTargetAutodiscoverEpr: http://autodiscover.contoso.com/autodiscover.svc/WSSecurityTokenIssuerUris: urn:federation:Microsoft Online

(1) Get-FederationInformati

on requests a delegation token

from the MFG over HTTPS

(2) It then attempts to find the

autodiscover endpoint through DNS

(3) Then connects to autodiscover via HTTPS with the MFG delegation token

“POST /Autodiscover/Autodiscover.svc/WSSe

curity”

REMOTE POWERSHEL

L

Hybrid Mail Flow – w/o Centralized Transport

ForeFront Online Protection for Exchange

The Exchange Send Connector” is scoped to the coexistence domain

(e.g. “contoso.mail.onmicrosoft.

com”

The FOPE Inbound Connector is scoped

to the public IP addresses entered

in the HCW

The FOPE Outbound Connector is scoped to the

domains selected in the HCW (e.g.

“contoso.com”), and it will deliver email to the FQDN

entered in the HCW (e.g.

“mail.contoso.com”)

The Exchange Receive

Connector is scoped to

FOPE’s public IP addresses

ON-PREMISES EXCHANGE ORGANIZATION

Exchange 2010 Hub Transport Server

External Recipient”

Third Party Email

Security System

Internal Mail Flow

Hybrid Mail Flow – with Centralized Transport

ForeFront Online Protection for Exchange

The Exchange Send Connector” is scoped to the coexistence domain

(e.g. “contoso.mail.onmicrosoft.

com”

The FOPE Inbound Connector is scoped to the

public IP addresses entered in the HCW

This connector is marked so that all email inbound

to the tenant must be delivered through it

The FOPE Outbound Connector is scoped to all

domains (e.g. *.*), and it will deliver

all outbound email to the FQDN

entered in the HCW (e.g.

“mail.contoso.com”)

The Exchange Receive

Connector is scoped to

FOPE’s public IP addresses

ON-PREMISES EXCHANGE ORGANIZATION

Exchange 2010 Hub Transport Server

External Recipient”

Third Party Email

Security System

Internal Mail Flow

Common Deployment Issues – Publishing CASAutodiscover is not published correctly

The external public DNS record for primary smtp domains must resolve to an Exchange Server 2010 SP1+ Client Access ServerThe CAS server must have a public SSL certificate bound to itThe certificate must include the autodiscover DNS name within the Subject or SAN

Pre-authentication is used in front of the Client Access ServerIf using pre-authentication, the following URLs must be excluded and allow anonymous connections:

/EWS/Exchange.asmx/WSSecurity/EWS/MRSProxy.svc/WSSecurity/Autodiscover/Autodiscover.svc/WSSecurity/autodiscover/autodiscover.svc

SSL Off loading is being used in front of CASEnabled in Rollup1 and guidance published to TechNet here

Common Deployment Issues – Mail Flow

Third party SMTP security devices in use between Exchange on-premises and ForeFront Online Protection for Exchange

TLS connection between Exchange on-premises and FOPE, for internal mail flow, must initiate/terminate on 2010 SP1+ Hub Transport or Edge Transport

MX record is pointed to FOPE with Centralized Transport Control enabled

This scenario only works if FOPE was already in use prior to creating the Office 365 tenant

Wildcard certificate used for TLSRollup1 enables support for wildcard certificates

Recap

Session Objective(s): Understand how the Hybrid Configuration Engine worksUnderstand the common pitfalls when configuring hybrid, and how to avoid them

Dependencies are key. You must have your certificates, DNS names, etc. working before you attempt to configure hybrid. Otherwise, it’s going to be harder than necessary.

Exchange Sessions this week

EXL301 Archiving in the Cloud with Exchange Online Archiving (EOA) – Thursday 08:30 – Hall 10BEXL306 Best Practices for Virtualizing Microsoft Exchange Server 2010 – Thursday 12:00 – Hall 9BEXL401 Microsoft Exchange Server 2010 High Availability Deep Dive – Thursday 16:30 – Hall 9AEXL201 Understanding Microsoft Forefront Online Protection for Exchange – Friday 08:30 – G106EXL307 Using a load balancer in your Exchange 2010 environment – Friday 13:00 – Hall 9B

Geek Out with Perry Blog: http://blogs.technet.com/b/perryclarke/

Track Resources

Exchange Team Blog: http://blogs.technet.com/b/exchange/

Exchange TechNet Tech Center: http://technet.microsoft.com/exchange

MEC Website and Registration: http://www.mecisback.com/

Resources

Connect. Share. Discuss.

http://europe.msteched.com

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Resources for Developers

http://microsoft.com/msdn

Evaluations

http://europe.msteched.com/sessions

Submit your evals online

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to

be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS

PRESENTATION.