Sofia Event Center

21-22 ноември 2013 г.

Преходът към Office365 – различни сценарии, но винаги полезни Христо ХристовService Centrix Ltd.

Agenda

• Introducing the FastTrack Deployment Methodology• Components and Scenarios of Office 365 solutions• Microsoft Consulting Services Customer scenarios: Prista

Oil, Contoso Ltd.• Additional tools and information• Q&A

Introducing the FastTrack Deployment Methodology

Traditional Deployment Methodology

Disadvantages of the Traditional Approach

The FastTrack Deployment Process

Advantages of the FastTrack Approach• The FastTrack Phases

Traditional Deployment Methodology

Pre-Deployment Plan Prepare Migrate Post-

Deployment

1 2 3 4 5 6 7 8 9 10 11 12 ….

Pre Plan Prepare Migrate Post

Note: Timeline in Weeks

Disadvantages of the Traditional Approach

1 2 3 4 5 6 7 8 9 10 11 12 ….

Pre Plan Prepare Migrate Post

Do not treat a cloud deployment like an on-premises deployment

First Mailbox

Pre-Deployment Plan Prepare Migrate Post-

Deployment

Note: Timeline in Weeks

The FastTrack Deployment Process

Pilot Deploy Enhance

Experience value early;discover cloud advantage

Implement full features;meet organizational needs

Gain real world benefitsAchieve production use

Advantages of the FastTrack Approach

•No throw-away effort on a production pilot• Full Office 365 user experience with minimal on-premises requirements•Reduced time to value against effort invested•Multiple data migration methods: • New mailbox, self-service, and IT managed

•Range of identity options: • Cloud IDs, synchronized IDs, password sync, and federated IDs

•Deployment portal with prescriptive guidance• http://fasttrack.office.com/

Components and Scenarios of Office 365 solutions

• Core Components of Office 365• Core Identity Scenarios with Office 365• Core Messaging Scenarios with Office 365• Core Lync Scenarios with Office 365• Core SharePoint Scenarios with Office 365• Core Client Scenarios with Office 365• Office 365 Capability Matrix per Deployment Step

Core Components of Office 365

Windows Azure Active Directory

Exchange Online

SharePoint Online

Lync Online

Office 365 ProPlus

Core Identity Scenarios with Office 365

Directory Synchronization 

Single identitysuitable for medium and large organizations without federation

Federated Identity

Single federated identity and credentials suitable for medium and large organizations

Cloud Identity

Single identity in the cloud Suitable for small organizations with no integration to on-premises directories

Office 365 Capability Matrix per Deployment Step

Key Capabilities Step 1 – Pilot Step 2 – Deploy Step 3 - Extend

Identity Sign On Cloud IDs Corporate AD user account with same password via Password Sync

Corporate AD user account and password via ADFS Option for Integration

with “Works with O365” Identity Providers

Option for Shibboleth Integration

Active Directory Remediation

Not applicable IdFix Dirsync Error Remediation Tool

IdFix Dirsync Error Remediation Tool

Custom Engagement

Simple Coexistence Federated Coexistence

No Coexistence

Core Messaging Scenarios with Office 365

Office 365 Capability Matrix per Deployment Step

Key Capabilities Step 1 – Pilot Step 2 – Deploy Step 3 - Extend

Global Address List Cloud Users Dirsync Users Dirsync users FIM 2010 via O365

connector

Calendar Free/Busy sharing

Cloud Users Dirsync Users (req. Ex 2010 SP3)

Dirsync Users Exchange Federation to

other O365 or Exchange

Corporate Email Yes via “connected accounts”

Yes via Corporate Domain add

a

Data Migration Options User driven migrations via connected accounts (mail only)

User driven PST import (mail/calendar/contacts)

User Driven IT Driven via Staged

Migration or Hybrid Exchange (req. Ex 2013)

Hybrid Exchange for 2013 and 2010 or 2007 on-premises

IBM Notes Migration Option

OWA / Full Outlook a a a

Mobile via Active Sync Cloud Email Address (Send From)

Corporate Email Address Option for BlackBerry

BCS

Corporate Email Address Option for BlackBerry

BCS

Exchange

Core Lync Scenarios with Office 365

Advanced FeaturesBasic Features Enterprise Features

Office 365 Capability Matrix per Deployment Step

Key Capabilities Step 1 – Pilot Step 2 – Deploy Step 3 - Extend

IM & P a a a

Online Meetings a a a

Video Conferencing a a a

PC and Application Sharing

a a a

Mobile Lync Clients a a a

Skype Federation (Summer ‘13)

a a a

Lync External Federation   a a

Lync Hybrid Option     a

Lync Hybrid Voice Option     a

Lync

Core SharePoint Scenarios with Office 365

User Sites Basic Web Page Site Collections/Team Sites

Office 365 Capability Matrix per Deployment Step

Key Capabilities Step 1 – Pilot Step 2 – Deploy Step 3 - Extend

Team Sites a a a

Sky Drive Pro a a a

External Sharing a a a

Office Web Apps a a a

Public Site with Corporate DNS

  a a

SharePoint Solutions (BCS, Duet)

    a

Click-to-Run Office 2013 Pro Plus

Self-Serve for Pilot Users Self-Serve for Dirsync Users

IT Managed Deployment

Self-Serve for Dirsync Users

IT Managed Deployment

SharePoint

Core Client Scenarios with Office 365

Web Based Clients All Clients

MCS Customer scenario: Prista Oil

Customer Information

• PRISTA OIL GROUP is a holding structure, with two main activities:• Production and trading of motor and industrial oils, greases and

special fluids • Battery Business – part of the MONBAT structure (one of the blue

chips on Sofia Stock Exchange)

• PRISTA OIL has its own production facilities in Bulgaria, Turkey and Hungary• PRISTA OIL HOLDING EAD is operating in more than 20

countries in Central and Eastern Europe, Near and Middle East, as well as in Ukraine, Georgia, Kazakhstan and others

Existing Environment

• Two locations in Bulgaria with several hundreds of users• Several locations with less than 100 users• AD was partially deployed in Prista Oil• Different mail services (Qmail) and mail address spaces were

implemented in Bulgarian locations• Variety of e-mail clients are currently used – Outlook,

Outlook Express and Thunderbird• An existing trial of Office 365 service was used • Business location outside Bulgaria have heterogeneous e-

mail systems - Exchange, MDaemon, cloud based and etc.

Project Objectives and Team

• Design and optimization of IT infrastructure services • Design and implementation of Active Directory services• Provide Exchange Online Services• Develop unified workstations images with management• Provide a new solution services for pilot users

Project team includes experts from:• Microsoft Consulting Services• Service Centrix• Prista Oil IT department

Project Scope – Exchange Online Services

• Subscription to Office 365 service and verification of the SMTP domains for Prista Oil in Office 365.• Implementation of Office 365 Directory synchronization

and PasswordSync• Configuration of coexistence with Office 365.• Establish mail flow between Qmail Servers on-premises and

Exchange Online.• Configure coexistence and changes in domain name system

(DNS) and firewalls.

• Migration of pilot mailboxes to Exchange Online.

On-premises

Directory Synchronization – Objects Flow

ExchangeActive Directory

Office 365

Windows Azure Active Directory

Directory Synchronization Provisioning Web

Service

Logon Enabled UserMail-Enabled (not mailbox-enabled)ProxyAddresses: SMTP: John.Doe@contoso.com smtp: John.Doe@contoso.onmicrosoft.com smtp: John.Doe@contoso.mail.onmicrosoft.comTargetAddress: SMTP: John.Doe@contoso.com

Exchange Online

Authentication Platform

SharePoint Online

Lync Online

User ObjectMailbox-EnabledProxyAddresses: SMTP: John.Doe@contoso.com

Sync Cycle Stage 1:Import Users, Groups,and Contacts from on-premises

Sync Cycle Stage 3:Export Users, Groups, and Contacts to Office 365

Sync Cycle Stage 4:Export “Write Back” attributes Sync Cycle

Stage 2:Import Users, Groups, and Contacts from Office 365

Password Synchronization

• Introduced with DirSync in June 2013• Benefits of using Password Sync as an alternative to

Federated Authentication• “Single set of credentials” to access both on-premises and

online resources• Managed in the customer’s Active Directory and is

synchronized with Office 365 (username + password)

• Fully integrated in the DirSync appliance• No requirement for Active Directory Federation

Services.• Keeps the deployment simple and eliminates IT costs

associated with AD/FS

Email Migration Factor Triage

Third-party

Exchange Server

Exchange 2000 or earlier

POP3 or proprietary

What is the current email

system?

Which Exchange

Server Version?

How do clients

connect?

Can it be configured for IMAP?

IMAP

Yes

No

Exchange 2003 or later

Is there any need for long-term mail co-

existence?

No

Yes

PST migration or 3rd party migration tool IMAP migration

Is there any need for long-term mail co-

existence?

Hyb

rid

Exch

ang

e

Sta

ged

Exch

ang

e o

r IM

AP m

igra

tionCutover Exchange

migration

How many users are

there?

Yes

No

2,000 or over

Under 2,000

Want more than just email folders

Coexiste

nceC

ross-P

rem

ises

Coexiste

nce

Rich

Sim

pl

eTe

mp

ora

ry

Migration

How many users are

there?

2,000 or over

Under 2,000

IMAP Migration

Prepare for

IMAPMigration

Create IMAP

Migration Endpoint

Create a CSVs for

IMAP Migration

Delete IMAP

Migration Batches

Configure MX

Record Pointing to Office

365

Start IMAP

Migration Batch

Create IMAP

Migration Batch

IMAP Migration Process

• Configure IMAP server to accept connections from Office 365 (port TCP/143 or TCP/993)

• Add and verify email domain in Office 365• Create users and mailboxes in Office 365

-> Manual/Bulk/DirSync

Best practices• Reconfigure MX record TTL to 15 mins• Create a dedicated migration admin user• Add permissions to the migration admin• If not possible: collect user passwords

Prepare for

IMAPMigration

IMAP Migration Process

• User list is defined in CSV files• Multiple migration batches• CSV file limits: 50,000 rows, max 10 MB

Best practices• Keep CSV files at secure location• Newly arriving emails land where MX record

points to - no redirection• Client software reconfiguration (pointing to

ExO)

Start IMAP

Migration Batch

Create IMAP

Migration Batch

MCS Customer scenario: Contoso Ltd.

Customer Information

• Contoso Ltd. is part of international group and offers broad range of telecommunications services• Operates in Bulgaria• Provides hosting services for group companies and

partners

Existing Environment

• Two locations in Bulgaria with several hundreds of users• Several locations with less than 100 users• Existing Active Directory forest with multiple domains• Messaging infrastructure based on Exchange Server

2007• Unified Communications based on Lync Server 2010

Project Objectives and Team

• Enable Office 365 services for Contoso users• Demonstrate the benefits of using Microsoft Online

services• Drive business agility• Improve operational effectiveness of users and IT staff

Project team includes experts from:• Microsoft Consulting Services• Service Centrix• Contoso Ltd. IT department

Project Scope – Exchange and Lync Online Services• Subscription to Office 365 service and verification of the

SMTP domains for Contoso in Office 365.• Establishment of federation trust with Office 365• Implementation of Office 365 Directory synchronization.• Configuration of hybrid coexistence with Exchange

Online• Configuration of hybrid coexistence with Lync Online• Migration of pilot users to Exchange and Lync Online.

On Premises

Federated Identity

Active Directory

DirSync

Windows Azure Active Directory

OAuth2

SAML-P

WS-Federation

Metadata

Graph API

Active Directory Federation Services

One way trust

Office Activation Service

Office 365 Admin Portal

Exchange Mailbox Access

…

Authentication

Auth

ori

zati

on

Exchange Hybrid Overview

Federation trust

Integrated admin experience

Native mailbox move

Secure mail flow

Delegated authentication for on-premises/cloud web services

Enables free/busy, calendar sharing, message tracking & online archive

Online mailbox moves

Preserve the Outlook profile and offline folders

Leverages the Mailbox Replication Service (MRS)

Manage all of your Exchange functions, whether cloud or on-premises from the same place: Exchange Admin Center

Authenticated and encrypted mail flow between on-premises and the cloudPreserves the internal Exchange messages headers, allowing a seamless end user experienceSupport for compliance mail flow scenarios (centralized transport)

Exchange Hybrid Server Roles

On-premises Exchange organization

Existing Exchange

environment (Exchange 2007

or later)

Office 365 Active Directory

synchronization

Exchange 2013 client access & mailbox server

Office 365

User, contacts, & groups via DirSync

Secure mail flow

Mailbox data via Mailbox Replication Service (MRS)

Sharing (free/busy, Mail Tips, archive, etc.)

Office 365 Federated Trust

Active Directory Federation Services

From an existing Exchange 2007 or 2010 environment—no Edge Transport server

Exchange 2013 hybrid deployment

Clients Office 365

autodiscover.contoso.com

mail.contoso.com

E2010 or 2007 Hub

E2010 or 2007 CAS

E2010 or 2007 MBX

E2013 CAS

E2013 MBX

Exchange 2010 or 2007 Servers

Intranet site

SP3/RU10

SP3/RU10

Internet-facing site

1.Prepare• Install Exchange SP and/or updates across

the ORG • Prepare AD with E2013 schema

2.Deploy Exchange 2013 servers• Install both E2013 MBX and CAS servers• Set an ExternalUrl and enable the MRSProxy

on the Exchange Web Services vdir

3.Obtain and deploy Certificates• Obtain and deploy certificates on E2013

CAS servers

4.Publish protocols externally• Create public DNS A records for the EWS

and SMTP endpoints• Validate using Remote Connectivity

Analyzer

5.Switch autodiscover namespace to E2013 CAS• Change the public autodiscover DNS record

to resolve to E2013 CAS

6.Run the Hybrid Configuration Wizard

7.Move mailboxes

1 2

3

EWS SMTP

45

6

7

1 2

3

45

6

Lync 2013 Hybrid Coexistence

ActiveDirectoryLync 2010 Pool

Microsoft Federation Gateway

Lync Federation Edge

AD FS v2

Interoperability—IM/

P, Federation, OWA,

UM

Sign-on and auth

enticatio

n

Directo

ry sync

DirSync—Provisioning, GAL

Federation for SSO

Lync Hybrid Interoperability

Integration between local IT systems and the cloud

Lync OnlineOffice 365

Exchange Online

Legacy OCS 2007 R2

Lync 2010+ Pool

SharePoint Online

Directory Sync

Edge

Same as Exchange

Lync Hybrid—Checklist

Task Details

Deploy DirSync on-premises

Lync 2013 tenants created in Office 365 Need to provision new Lync 2013 tenants

Add vanity domains for hybrid Create TXT/CNAME record that Office 365 completes verification

Activate for vanity domain for DirSync Activate step in the tenant admin experience

Certificates for on-premises AD FS

Get necessary certificates for AD FS to work against Office 365:

SN: sts.<vanitydomain>SAN: additional sts, one for each vanity domain

Domain Name Server (DNS) records for AD FS

Publish A record for <sts.vanitydomain> pointing to on-premises AD FS

Office 365 Tools

• https://portal.microsoftonline.com/Tools• OnRamp - https://onramp.office365.com/onramp/ • Office 365 Best Practices Analyzer for Exchange Server 2013 (beta)• Microsoft Connectivity Analyzer

• http://community.office365.com/en-us/wikis/diagnostic_tools/default.aspx• Exchange Online PowerShell• IdFix DirSync Error Remediation Tool• Lync Online Transport Reliability IP Probe (TRIPP) Tool• Microsoft Online Services Diagnostics and Logging (MOSDAL) Support Toolkit• Microsoft Outlook Configuration Analyzer Tool (OCAT)• Windows Azure Active Directory Module for Windows PowerShell

Office 365 Resources

•Office 365 FastTrack Deployment Center•Office Ignite Readiness•TechNet Center for Office 365•TechNet Center for the new Office•Office IT Pro Blog•Office 365 Trust Center•Office 365 Service Descriptions•Service Updates for Office 365 for Enterprises•Microsoft Planning Services

If you would like to implement the technologies that you just saw in your organization, then join us for a Customer Immersion Experience (CIE), a hands-on introduction to Windows 8 and the new Office, new servers for business productivity as well as a variety of other Microsoft technologies, including Windows Phone, and Dynamics CRM.

A CIE is not a generic demo about all the features Microsoft products offer. It's a true-to-life user experience that takes you through common work-related scenarios such as staying productive while mobile, using social networking to get work done, and connecting in real time with coworkers. It also gives you a first-hand look at the fast and fluid experience of Windows 8 and the exciting features of the new Office across a variety of devices, including tablets, PCs, and smartphones.

If you are interested please fill in the feedback form by choosing CIE workshop.

Thank you!

Customer Immersion Experience (CIE)

Споделете вашата обратна връзка за тази сесия и за цялостната организация на конференцията

http://aka.ms/inchargeи участвайте в томболата за HTC 8S и други

награди!

• Enhanced Secure Mail feature• Certificate based attribution for mail flow connectors - no more

static IP address lists

• Explicit TLS certificate selection avoids certificate conflicts

• Remote domains no longer required for secure mailzSimpler configuration and troubleshooting

• Centralized Transport feature supports more mail flow paths

• Edge Server support – Edge Transport Server 2010

Hybrid mail flow enhancements

Secure Mail

On-premises organization Internet

Exchange Online Protection

MX resolves to on-premises gateway

Exchange Online

MX is switched to Exchange Online Protection

Outbound Exchange Online traffic is delivered direct

You can choose to route outbound on-premises mail via EOP

External recipient

DAVIDOn-premises mailbox

Exchange

CHRISCloud mailbox

Third Party Email Security System

Secure Mail

Encrypted & authenticated mail flow

• All email between Exchange on-premises and Exchange Online is encrypted and authenticated

• Internal mail flow going from Exchange to Exchange must go direct and not through 3rd party gateways

• External (Internet) mail can be routed to wherever you choose – on premises, 3rd party service, EOP

• The MX record for the domain controls where inbound external email is received

• The hybrid wizard’s “OnPremisesSmartHost” property controls the flow of internal mail from Exchange Online to Exchange on-premises

• The FQDN defined within OnPremisesSmartHost can be:

• A single Exchange 2013 CAS or 2010 Edge server

• Multiple round robin Exchange 2013 CAS or 2010 Edge servers

• Multiple load balanced Exchange 2013 CAS or 2010 Edge servers (recommended)

If you want outbound email from on-premises to the Internet to go through EOP you need to create an extra “*.*” send connector that forwards all mail to EOP

Things to remember about Secure Mail

Secure Mail

On-premises organization Internet

Exchange Online Protection

MX resolves to on-premises gateway

Exchange Online

MX is switched to Exchange Online Protection

External recipient

DAVIDOn-premises mailbox

Exchange

CHRISCloud mailbox

Third-party email security system

Secure Mail

Encrypted & authenticated mail flow

All email in and out of the Exchange Online tenant must go via on-premises

• It is built on top of Secure Mail• You cannot enable Centralized Transport without it

• All email in and out of Exchange Online is routed via on-premises

• Unless you have a business requirement to route mail via on-premises you do not need to enable it

• You can now route inbound Internet email to Exchange Online Protection even when Centralized Transport is turned on

• No more need for FOPE “duplicate domains”, multiple FOPE companies. It simply works out of the box

Things to remember about Centralized Transport