Slide 1

Slide 2 Slide 3 Slide 4 IMAP migration Cutover migration Staged migrationHybrid Exchange 5.5X Exchange 2000X Exchange 2003XXXX* Exchange 2007XXXX Exchange 2010XXX Exchange 2013XXX Notes/DominoX GroupWiseX OtherX Slide 5 Delegated authentication for on-premises/Office 365 web services Enables free/busy, calendar sharing, message tracking & online archive Online mailbox moves Preserve the Outlook profile and offline folders Leverages the Mailbox Replication Service (MRS) Manage all of your Exchange functions, whether Exchange Online or on-premises from the same place: Exchange Admin Center Authenticated and encrypted mail flow between on-premises and Exchange Online Preserves the internal Exchange messages headers, allowing a seamless end user experience Support for compliance mail flow scenarios (centralized transport) Slide 6 On-premises Exchange organization Existing Exchange environment (Exchange 2007 or later) Office 365 Active Directory synchronization Exchange 2013 client access & mailbox server Office 365 User, contacts, & groups via dirsync Secure mail flow Mailbox data via Mailbox Replication Service (MRS) Sharing (free/busy, Mail Tips, archive, etc.) Slide 7 Slide 8 Sign up for Office 365 Register your domains with Office 365 Deploy Windows Azure AD Sync with Office 365 Install Exchange 2013 CAS & MBX Servers (Edge opt) Publish the CAS Server (Assign SSL certificate, firewall rules) Run the Hybrid Wizard Exchange specific deployment tasks (deep dive on next slide) General Office 365 deployment tasks Slide 9 autodiscover.contoso.com mail.contoso.com E2010 or 2007 Hub E2010 or 2007 CAS E2010 or 2007 MBX E2013 CAS E2013 MBX E2010 or E2013 EDGE Exchange 2010 or 2007 Servers Intranet site SP3/RU10 Internet-facing site 1.Prepare Install Exchange SP and/or updates across the ORG Prepare AD with E2013 schema 2.Deploy Exchange 2013 servers Install both E2013 MBX and CAS servers Configure Legacy namespace for 2007 (2007/2013) Install E2010 or E2013 SP1 EDGE servers Set an ExternalUrl & enable MRSProxy on the Exchange Web Services vDir 3.Obtain and deploy certificates Obtain and deploy certificates on E2013 CAS servers & E2010 EDGE servers 4.Publish protocols externally Create public DNS A records for the EWS and SMTP endpoints Validate using Remote Connectivity Analyzer 5.Switch Autodiscover namespace to E2013 CAS Change the public Autodiscover DNS record to resolve to E2013 CAS 6.Run the Hybrid Configuration Wizard 7.Move mailboxes EWSSMTP From an existing Exchange 2007 or 2010 environmentEdge Transport server Slide 10 Slide 11 Slide 12 Hybrid wizard history Slide 13 On-Premises Exchange Hybrid Configuration Engine Desired state Internet Step 5 Exchange Management Tools Organization Level Configuration Objects (Exchange Federation Trust, Organization Relationship, Forefront Inbound Connector, & Forefront Outbound Connector) Domain Level Configuration Objects (Accepted Domains & Remote Domains) Hybrid Configuration Object Exchange Server Level Configuration (Mailbox Replication Service Proxy, Certificate Validation, Exchange Web Service Virtual Directory Validation, & Receive Connector) Domain Level Configuration Objects (Accepted Domains, Remote Domains, & E-mail Address Policies) Organization Level Configuration Objects (Exchange Federation Trust, Organization Relationship, Availability Address Space, & Send Connector) 1 2 4 5 5 4 Step 1 The Update-HybridConfiguration cmdlet triggers the Hybrid Configuration Engine to start. Based on the desired state, topology data, and current configuration, across both the on-premises Exchange and Exchange Online organizations, the Hybrid Configuration Engine establishes the difference and then executes configuration tasks to establish the desired state. Step 4 The Hybrid Configuration Engine discovers topology data and current configuration from the on-premises Exchange organization and the Exchange Online organization. Step 3 The Hybrid Configuration Engine connects via Remote PowerShell to both the on-premises and Exchange Online organizations. Step 2 The Hybrid Configuration Engine reads the desired state stored on the HybridConfiguration Active Directory object. Remote Powershell Remote Powershell 3 3 Slide 14 Slide 15 Slide 16 FeedbackAnswered Get-Federation Information fallback logic If the on-premises Autodiscover endpoint is not published properly when the wizard executes, it will warn not fail. Autodiscover domain You can now specify which domain is used for the federated Autodiscover query. Set-HybridConfiguration -Domains "contoso.com, fabrikam.com, autod:nwtraders.com" Email address policy protection measures New UpdateSecondaryAddressesOnly parameter added to Update-EmailAddressPolicy. Protects customers that have manually edited their directory. Only missing proxies will be added. No addresses will be changed/removed. Note: This is still a very bad state to be in. Hybrid Product Key Availability You can now obtain a FREE Exchange 2013 or 2010 Hybrid Edition product key without the dreaded call to support. You can simply go to http://aka.ms/hybridkey Slide 17 Hybrid logging improvements Slide 18 Hybrid Product Key (http://aka.ms/hybridkey) Short Link: http://aka.ms/hybridkeyhttp://aka.ms/hybridkey KB Link: http://support.microsoft.com/kb/2939261http://support.microsoft.com/kb/2939261 For IE 11 only: others will get the link to the KB You get a free Hybrid Edition key if You have an existing, non-trial, Office 365 Enterprise subscription You currently do not have a licensed Exchange 2013 or Exchange 2010 SP3 server in your on-premises organization. You will not host any on-premises mailboxes on the Exchange 2013 or Exchange 2010 SP3 server on which you apply the Hybrid Edition product key. Slide 19 Slide 20 Topologies Supported Exchange 2013 RTM Single Forest Model: Accounts and Mailboxes in single forest Resource Forest Model: Multiple Account Forests, Single Resource Forest 1:1 relationship between Exchange Organization and single O365 tenant Exchange 2013 Service Pack 1 Supports multiple Exchange Organizations configured against a single O365 tenant Multiple forests, each containing accounts and Exchange organizations Multi-Org Hybrid Support N:1 relationship between Exchange Organization and single O365 tenant Office 365 Hybrid Office 365 Hybrid contoso.com fabrikam.com contoso.com Slide 21 Not Configured by Hybrid Configuration Wizard FIM Tenant Name: contoso.onmicrosoft.com Coexistence Name: contoso.mail.onmicrosoft.com Forest: contoso.com Authoritative for contoso.com Forest: fabrikam.com Authoritative for fabrikam.com Shares: contoso.com Org Relationship (F/B, Sharing) SMTP Mail Flow (TLS connectors) Slide 22 Slide 23 Autodiscover Single Org ben@contoso.com contoso.com ben@contoso.com 1.) What is the AutoD endpoint for ben@contoso.com? 2.) Send AutoD request to DNS FQDN 3.) Client authenticates, CAS returns profile data in XML format MX contoso.com = ForestA autodiscover.contoso.com = ForestA CAS 1 2 3 Slide 24 Autodiscover Two Orgs yann@contoso.com Owns: contoso.com Yann Primary: yann@contoso.comyann@contoso.com Proxy: yann@fabrikam.com 1.) What is the AutoD endpoint for yann@contoso.com? 2.) Send AutoD request to DNS FQDN for contoso.com 3.) Redirect AutoD request to DNS FQDN for fabrikam.com 4.) What is the AutoD endpoint for yann@fabrikam.com 5.) Send AutoD request to DNS FQDN for fabrikam.com 6.) Client authenticates, CAS returns profile data in XML format MX contoso.com = ForestA autodiscover.contoso.com = ForestA CAS autodiscover.fabrikam.com = ForestB CAS 1 2 3 Yann Primary: yann@contoso.comyann@contoso.com TargetAddress: yann@fabrikam.comyann@fabrikam.com Share: contoso.com Owns: fabrikam.com Forest B Forest A 4 5 6 Public DNS Office 365 Slide 25 Slide 26 1.Prepare Update each Exchange organization to Service Pack 1 Validate AutoDiscover is properly configured and published in each Exchange organization Validate public certificates for Exchange org are unique Create 2 way forest trust 2.Configure Mail Flow on-prem Configure SMTP domain sharing as required Configure mail flow between on-prem organizations 3.Configure Directory Synchronization Configure FIM + AAD Connector to synchronize mail recipients in each forest and the Office 365 tenant 4.Run Hybrid Configuration Wizard Prepare Office 365 Tenant Run the HCW in contoso.com and fabrikam.com Validate mail flow between all entities 5.Configure ADFS Configure ADFS in contoso.com Configure ADFS in fabrikam.com 6.Configure Organization Relationships Configure an Org Relationship between each Org E2013 ADFS AD contoso.onmicrosoft.com fabrikam.onmicrosoft.com fabrikam.comcontoso.com E2013 ADFS ADFIM Azure AD Azure AD Auth O365 Directory ADFS Proxy ADFS Proxy SMTP AAD Conn 2 way Forest Trust FIM Management Agent Federated Trust Relationship SMTP/TLS Mail Flow Federated Authentication Organization Relationship Slide 27 Mail Routing Slide 28 Slide 29 Slide 30 Cause: XTC has been retire and (undocumented) OAuth was the replacement Documented: http://technet.microsoft.com/en-us/library/dn497703(v=exchg.150).aspxhttp://technet.microsoft.com/en-us/library/dn497703(v=exchg.150).aspx Resolution: Implement OAuth for hybrid Discovery Searches I cannot see cross-premises Free/Busy? Happy Retirement Consumer MFG!! Cause: Consumer MFG retired on February 25, 2014 Resolution: recreate federation trust and org relationships Documented: http://support.microsoft.com/kb/2937358http://support.microsoft.com/kb/2937358 Slide 31 Cause: TLS Certificate Name is greater than 256 characters Documented: http://support.microsoft.com/kb/2860844http://support.microsoft.com/kb/2860844 Resolution: coming soon, for now you need to get a different certificate Often, customers need guidance on how to configure their perimeter devices Here is a Wiki on how to configure TMG for hybrid: http://community.office365.com/en- us/wikis/exchange/1042.aspx?sort=mostrecent&pageindex=1http://community.office365.com/en- us/wikis/exchange/1042.aspx?sort=mostrecent&pageindex=1 Slide 32 Error: Mailbox move to the cloud fail with error: Transient error CommunicationErrorTransientException has occurred. The system will retry Cause: Intrusion Detection Systems can often see migration traffic as an attack Flood mitigation in TMG can cause this as well Flood mitigation This Wiki explains how to address the issue: http://community.office365.com/en-us/wikis/exchange/office-365-move-mailbox-fails- with-transient-exception.aspx http://community.office365.com/en-us/wikis/exchange/office-365-move-mailbox-fails- with-transient-exception.aspx Slide 33 Cause: Timeout issues are not handles well by the HCW (we are getting better) Running the HCW a second time is often all that is needed Cause: There are certain words such as bank, profanity, and large org names that are blocked from federating Calling Support is the only option to resolve issue Documented: http://support.microsoft.com/kb/2615183http://support.microsoft.com/kb/2615183 Slide 34 Cause: IIS is missing a handler mapping which causes connection to EWS and AUTOD to fail Errors: Get-Federation Information returns 405 Method Not Allowed Resolution: from a cmd prompt run ServiceModelReg.exe r Documented: http://support.microsoft.com/kb/2773628http://support.microsoft.com/kb/2773628 Cause: If you have an outbound proxy, you may be blocking required traffic Resolution: ensure that your server have access to the proper IP and URLproper IP and URL Recommendation: If you require an outbound proxy try to use URL filtering instead of IP, it is easier to maintain Documented: There is an EHLO blog on this herehere Slide 35 Layer 4 LB mail.contoso.com Cloud FB request Internet facing site E2013 MBX E2013 CAS Intranet site E2010 MBX E2010 CAS HTTP PROXY Cross site proxy request Set 2010 externalURL to: `mail.contoso.com Common Issues Runtime http://technet.microsoft.com/en-us/library/hh529912(v=exchg.150).aspx Resolution: Slide 36 Cause: Bad password for admin, publishing issues, MRS disabled, etc. Errors: NONE The error in Wave 14 was the following, but in Wave 15 there isnt an indication of failure: Resolution: Use the EAC in EXOthe EAC in EXO Slide 37 "Free/Busy information couldnt be retrieved because the attendee's Mailbox server is busy" Cause: TargetSharingEPR is configured More Information: SOAP request will include the following element: When an Exchange 2010 CAS server receives the EWS call, it will throw an HTTP 500 response Autodiscover response will have the following element:Slide 38 Issue: Hybrid OWA redirection does not work as expected, this was addressed in CU3 This is not an issue on 2010 hybrid environments http://support.microsoft.com/kb/2890814 Common Issues Runtime Slide 39 From Exchange 2010 sp3 ru2 you will see the domain proof missing Workaround: use Shell Get-FederatedDomainProof This is addressed in Exchange 2010 SP3 RU3 From Exchange 2010 SP3 RU2 you will not be able to add additional domains to a federation trust from the UI, you have to use the Shell as a workaround. This has been addressed in Exchange 2010 SP3 RU3 Slide 40 Common Issues Runtime Cause: Exchange cannot manage newer version objects This means 2010 EMC cannot manage org settings for an Exchange 2013-based tenant. Resolution: Use EAC instead for org management Slide 41 Slide 42 Summary Slide 43 Related Sessions Session NameSession TypeDateTimeSpeaker MVP Follow upQ & AToday12:10 PMUs MNG-IN 301BreakoutWednesday2:45 PMVincent Yim DMI 301BreakoutWednesday8:30 AMMichael Van Horenbeeck PAR 003Hands on labWednesday12:00 PMFederic Bourget MNG 301BreakoutWednesday10:15 AM Warren Johnson Slide 44 Slide 45 Slide 46 Slide 47