Configuring hybrid exchange the easy way
Presentation Transcript

EXL303

Configuring Hybrid Exchange the Easy Way

Ben Appleby

Senior Program Manager

Microsoft Corporation


Session Objectives and Takeaways

  • Session Objective(s):

    • Understand how the Hybrid Configuration Engine works

    • Understand the common pitfalls when configuring hybrid, and how to avoid them

  • Dependencies are key. You must have your certificates, DNS names, etc. working before you attempt to configure hybrid. Otherwise, it’s going to be harder than necessary.


Agenda

  • Migration options

  • Hybrid overview

  • The new SP2 deployment process

  • How does the Hybrid Configuration Wizard work?

  • Common deployment pitfalls


Office 365 Migration Options: Choices to fit your organization

  • Migration
 
    • IMAP migration

      • Supports a wide range of e-mail platforms

      • E-mail only (no calendar, contacts, or tasks)

    • Cutover Exchange migration (CEM)

      • Good for fast, cutover migrations

      • No server required on-premises

    • Staged Exchange migration (SEM)

      • No server required on-premises

      • Identity federation with on-premises directory

  • Hybrid

    • Hybrid deployment

      • Manage users on-premises and online

      • Enables cross-premises calendaring, smooth migration, and easy off-boarding

* Additional options available with tools from migration partners


How to pick an Exchange migration solution?

[Chart: the three migration solutions plotted against three scales. Organizational size in users: 1, 150, 5,000, 25,000. Time for migration including planning: <1 week, 2 weeks, 3 weeks, several months. Features: none; mail flow/GAL sync; free/busy, archive in cloud. Solutions shown, from the smallest, fastest and least featured to the largest, longest and richest: Cutover Exchange Migration (C-EM), Staged Exchange Migration (S-EM), Hybrid.]


Hybrid: Staged Exchange Migration vs Hybrid Feature-set


Hybrid: Feature summary

Makes your on-premises organization and cloud organization work together like a single, seamless organization

  • Offers near-parity of features/experience on-premises and in the cloud

  • Seamless interactions between on-premises and cloud mailboxes

  • Migrations in and out of the cloud transparent to end-user

Features not supported:

  • Coexistence of mailbox permissions: permissions are migrated, but do not work when delegator and delegate are split between on-premises and cloud

  • Migration of Send As for non mailbox recipients

  • Multi-forest – Only single forest source environments

  • Public Folders

  • Address Book Policies


Hybrid Server Roles

2 Required Server Roles:

  • Office 365 Active Directory Synchronization (Office 365 Directory Sync): provides the Unified Global Address List

  • Exchange Server 2010 SP1 CAS/Hub*: provides Exchange Sharing, Mailbox Move, and Secure Transport (FREE! with paid Exchange Online subscription)

1 Optional Server Role:

  • Active Directory Federation Services (AD FS): provides Single Sign On

* Mbx role is required for legacy Public Folder based free/busy support


Exchange Deployment Assistant

http://technet.microsoft.com/exdeploy2010

  • Currently supports hybrid configuration with:

    • Exchange Server 2003

    • Exchange Server 2007

    • Exchange Server 2010

  • Guidance provided is for the Hybrid Configuration Wizard with Exchange 2010 SP2


Hybrid Configuration Wizard: The new SP2 Process


What’s new in Exchange 2010 SP2?

  • Coexistence Domain – Replaces the requirement for the customer to create a “service.contoso.com” domain

  • Federation Trust improvements – Removes the requirement to create a “exchangedelegation.contoso.com” domain

    • SP2 automatically prepends a well-known string ("FYDIBOHF25SPDLT") to the beginning of the account namespace, so no dedicated subdomain has to be created for the trust

  • Dedicated hybrid management experience

    • Hybrid Config Wizard

    • New/Get/Set/Update-HybridConfiguration cmdlets

  • The wizard & cmdlets will configure the following things for you:

    • Exchange federation trust

    • Organization relationships

    • Remote domains/accepted domains

    • Email address policies

    • Send/Receive connector

    • Forefront inbound/outbound connectors

    • MRSProxy

    • Pre-req checks (e.g. Office 365 Active Directory Sync, Exchange certificates, registered custom domains, etc.)

Pre-SP2: over 50 manual steps

With SP2: now only 6 steps, all within the UI


SP2 Hybrid Deployment Process

[Process diagram] Use the Exchange Remote Connectivity Analyzer to verify this stage.


The new Hybrid Configuration Wizard

New organization level tab that contains the "Hybrid Configuration Object"

End to end wizard that guides you through each step of configuring hybrid


Demo: Hybrid Configuration Wizard


How does the Hybrid Configuration Wizard work?


The Wizard & the Configuration Engine

  • The Wizard records the information collected from the user via the Set-HybridConfiguration cmdlet; nothing is deployed at that point

  • All deployment actions are taken by the Hybrid Configuration Engine, which is called by the Update-HybridConfiguration cmdlet
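As an added example (not from the slides), this is the cmdlet sequence the wizard drives, as it would be typed into the Exchange Management Shell on the hybrid server. Server names, the domain, the IP address and the smart host FQDN are placeholders; the parameter names and feature values are those documented for the Exchange 2010 SP2 cmdlets and should be checked against Get-Help on your build.

```powershell
# Added example, not code from the session: the Set/Update-HybridConfiguration
# flow behind the Hybrid Configuration Wizard in Exchange 2010 SP2.
# All server names, domains, addresses and the smart host are placeholders.

# 1. Credentials for both organizations. Update-HybridConfiguration opens a
#    Remote PowerShell session to each, so use an on-premises Organization
#    Management account and a tenant Global Administrator account.
$OnPremCred = Get-Credential "contoso\hybridadmin"
$TenantCred = Get-Credential "admin@contoso.onmicrosoft.com"

# 2. Create the HybridConfiguration Active Directory object once.
if (-not (Get-HybridConfiguration -ErrorAction SilentlyContinue)) {
    New-HybridConfiguration
}

# 3. Record the "desired state". This only writes to the AD object; the
#    federation trust, connectors and relationships are not created yet.
Set-HybridConfiguration `
    -Domains "contoso.com" `
    -ClientAccessServers "CAS01","CAS02" `
    -TransportServers "HUB01","HUB02" `
    -ExternalIPAddresses "203.0.113.10" `
    -OnPremisesSmartHost "mail.contoso.com" `
    -Features FreeBusy,MoveMailbox,Mailtips,MessageTracking,OnlineArchive,SecureMail

# 4. Run the Hybrid Configuration Engine: it reads the desired state,
#    discovers current topology on both sides, and applies the difference.
Update-HybridConfiguration -OnPremisesCredentials $OnPremCred -TenantCredentials $TenantCred

# 5. Verify what the engine created on-premises.
Get-FederationTrust | Format-List Name,ApplicationUri,TokenIssuerUri
Get-OrganizationRelationship | Format-List Name,DomainNames,TargetAutodiscoverEpr,FreeBusyAccessEnabled
Get-SendConnector | Where-Object { "$($_.AddressSpaces)" -like "*mail.onmicrosoft.com*" } |
    Format-List Name,AddressSpaces,RequireTLS,TlsAuthLevel,TlsDomain
```

Because the engine computes and applies the difference on every run, a manual change to one of the objects it owns (a send connector, an organization relationship) is reverted the next time Update-HybridConfiguration runs; change the desired state with Set-HybridConfiguration instead.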


Hybrid Configuration Engine

[Diagram: the Exchange Management Tools and the Hybrid Configuration Engine on-premises, the Hybrid Configuration Object (desired state) in Active Directory, and Remote PowerShell sessions across the Internet to both the on-premises Exchange organization and the Exchange Online organization.]

  • Step 1: The Update-HybridConfiguration cmdlet triggers the Hybrid Configuration Engine to start.

  • Step 2: The Hybrid Configuration Engine reads the "desired state" stored on the HybridConfiguration Active Directory object.

  • Step 3: The Hybrid Configuration Engine connects via Remote PowerShell to both the on-premises and Exchange Online organizations.

  • Step 4: The Hybrid Configuration Engine discovers topology data and current configuration from the on-premises Exchange organization and the Exchange Online organization.

  • Step 5: Based on the desired state, topology data, and current configuration across both the on-premises Exchange and Exchange Online organizations, the Hybrid Configuration Engine establishes the "difference" and then executes configuration tasks to establish the "desired state."

Objects configured in the on-premises Exchange organization:

  • Exchange Server Level Configuration: Mailbox Replication Service Proxy, Certificate Validation, Exchange Web Services Virtual Directory Validation, and Receive Connector

  • Domain Level Configuration Objects: Accepted Domains, Remote Domains, and E-mail Address Policies

  • Organization Level Configuration Objects: Exchange Federation Trust, Organization Relationship, Availability Address Space, and Send Connector

Objects configured in the Exchange Online organization:

  • Organization Level Configuration Objects: Exchange Federation Trust, Organization Relationship, Forefront Inbound Connector, and Forefront Outbound Connector

  • Domain Level Configuration Objects: Accepted Domains and Remote Domains


Organization Relationship Creation

[Diagram: the Hybrid Configuration Engine, over Remote PowerShell, drives an Exchange 2010 Client Access Server, which talks to the Microsoft Federation Gateway (MFG), public DNS, and the Exchange Online Client Access Server; Exchange 2007 Client Access and Mailbox servers and the Exchange Online Mailbox Server also appear in the diagram.]

C:\> Get-FederationInformation –DomainName "contoso.com"

  • (1) Get-FederationInformation requests a delegation token from the MFG over HTTPS

  • (2) It then attempts to find the autodiscover endpoint through DNS

  • (3) Then connects to autodiscover via HTTPS with the MFG delegation token: "POST /Autodiscover/Autodiscover.svc/WSSecurity"

  • (4) The Client Access Server responds with Federation Trust details:

    • ApplicationUri: FYDIBOHF25SPDLT.contoso.com

    • DomainNames: contoso.com

    • TargetAutodiscoverEpr: https://autodiscover.contoso.com/autodiscover/autodiscover.svc/WSSecurity

    • TokenIssuerUris: urn:federation:MicrosoftOnline

The whole exchange is authenticated by the MFG token, not by a username and password, which is why the WSSecurity endpoint must be reachable without proxy pre-authentication.


Hybrid Mail Flow – w/o Centralized Transport

[Diagram: the on-premises Exchange organization (Exchange 2010 Hub Transport Server, optional third-party email security system) exchanging mail with Forefront Online Protection for Exchange (FOPE) and with external recipients.]

  • The Exchange Send Connector is scoped to the coexistence domain (e.g. "contoso.mail.onmicrosoft.com")

  • The Exchange Receive Connector is scoped to FOPE's public IP addresses

  • The FOPE Inbound Connector is scoped to the public IP addresses entered in the HCW

  • The FOPE Outbound Connector is scoped to the domains selected in the HCW (e.g. "contoso.com"), and it will deliver email to the FQDN entered in the HCW (e.g. "mail.contoso.com")

  • Only internal mail flow between the two organizations uses these connectors; mail to external recipients leaves each organization by its own normal path (on-premises, through the third-party email security system if one is in use)


Hybrid Mail Flow – with Centralized Transport

[Diagram: same components as the previous slide, but all mail to and from external recipients passes through the on-premises Exchange 2010 Hub Transport Server.]

  • The FOPE Inbound Connector is scoped to the public IP addresses entered in the HCW; this connector is marked so that all email inbound to the tenant must be delivered through it, i.e. from on-premises

  • The FOPE Outbound Connector is scoped to all domains (e.g. *.*), and it will deliver all outbound email to the FQDN entered in the HCW (e.g. "mail.contoso.com"), so cloud mailboxes' external mail exits through the on-premises organization

  • The Exchange Send Connector is scoped to the coexistence domain (e.g. "contoso.mail.onmicrosoft.com")

  • The Exchange Receive Connector is scoped to FOPE's public IP addresses
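An added example (not from the slides) that audits the on-premises half of this mail flow against the scoping described on the two slides above. Get-ReceiveConnector, Get-SendConnector and the properties used are standard Exchange 2010 cmdlets; the FOPE address ranges, the coexistence domain and the expectation that the send connector uses TlsAuthLevel DomainValidation are assumptions to replace with the values the HCW recorded in your organization.

```powershell
# Added example, not code from the session: check that the on-premises
# connectors are scoped the way hybrid mail flow expects.
# The FOPE ranges below are documentation addresses, not real FOPE ranges;
# substitute the ranges the HCW put on your receive connector.
$ExpectedFopeRanges = @("192.0.2.0/24", "198.51.100.0/24")   # placeholder
$CoexistenceDomain  = "contoso.mail.onmicrosoft.com"         # placeholder

$findings = @()

# 1. Inbound. The connector that accepts cloud mail must require TLS and must
#    accept it only from FOPE. If it also admits 0.0.0.0-255.255.255.255, any
#    Internet host can hand it "internal" cross-premises mail and bypass the
#    filtering that the FOPE inbound connector was supposed to front.
#    Comparison is on the string form of each IPRange, so enter the expected
#    ranges exactly as they appear in Get-ReceiveConnector output.
foreach ($rc in Get-ReceiveConnector) {
    $ranges      = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
    $touchesFope = $ranges | Where-Object { $ExpectedFopeRanges -contains $_ }
    if (-not $touchesFope) { continue }

    if (-not $rc.RequireTLS) {
        $findings += "Receive connector '$($rc.Identity)' accepts FOPE ranges but RequireTLS is false"
    }
    $extra = $ranges | Where-Object { $ExpectedFopeRanges -notcontains $_ }
    if ($extra) {
        $findings += "Receive connector '$($rc.Identity)' also accepts non-FOPE ranges: $($extra -join ', ')"
    }
}

# 2. Outbound. The send connector for the coexistence domain must require TLS
#    and validate the remote certificate; otherwise a DNS or routing hijack of
#    the smart host path would read cloud-bound internal mail in the clear.
$hybridSend = Get-SendConnector | Where-Object {
    @($_.AddressSpaces | ForEach-Object { $_.Address }) -contains $CoexistenceDomain
}
if (-not $hybridSend) {
    $findings += "No send connector is scoped to $CoexistenceDomain"
} else {
    foreach ($sc in $hybridSend) {
        if (-not $sc.Enabled)    { $findings += "Send connector '$($sc.Identity)' is disabled" }
        if (-not $sc.RequireTLS) { $findings += "Send connector '$($sc.Identity)' does not require TLS" }
        # Assumption being checked: the HCW configured domain-validated TLS.
        if ("$($sc.TlsAuthLevel)" -ne "DomainValidation") {
            $findings += "Send connector '$($sc.Identity)' TlsAuthLevel is '$($sc.TlsAuthLevel)', expected DomainValidation"
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { "Hybrid connectors are scoped as expected." }
```

Run it in the Exchange Management Shell after Update-HybridConfiguration completes and again whenever the FOPE ranges or the coexistence domain change; the first check is the one that matters most, because a receive connector left open to the world is the classic way hybrid mail flow turns into an open relay for "internal" mail.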


Common Deployment Issues – Publishing CAS

  • Autodiscover is not published correctly

    • The external public autodiscover DNS record for each primary SMTP domain must resolve to an Exchange Server 2010 SP1+ Client Access Server

    • The CAS server must have a certificate from a public (third-party trusted) CA bound to it; Exchange Online will not accept a self-signed or private-CA certificate

    • The certificate must include the autodiscover DNS name within the Subject or SAN

  • Pre-authentication is used in front of the Client Access Server

    • These endpoints are authenticated by Exchange itself, using the WS-Security token issued by the Microsoft Federation Gateway, which a reverse proxy cannot validate; they must therefore be excluded from pre-authentication and allowed to accept anonymous connections at the proxy:

      • /EWS/Exchange.asmx/WSSecurity

      • /EWS/MRSProxy.svc/WSSecurity

      • /Autodiscover/Autodiscover.svc/WSSecurity

      • /autodiscover/autodiscover.svc

    • "Anonymous at the proxy" does not mean unauthenticated: Exchange still validates the federation token on every request to these paths

  • SSL offloading is being used in front of CAS

    • Supported from SP2 Update Rollup 1; guidance is published on TechNet
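An added example (not from the slides): a pre-flight script for the publishing requirements listed above, runnable from any Internet-connected Windows host without the Exchange tools. The contoso.com host names are placeholders, and the assumption that EWS and MRSProxy are published on mail.contoso.com while Autodiscover is on autodiscover.contoso.com is the usual layout, not something the slides state.

```powershell
# Added example, not code from the session: check DNS, certificate and
# pre-authentication for the hybrid endpoints before running the HCW.
$AutodiscoverHost = "autodiscover.contoso.com"   # placeholder
$EwsHost          = "mail.contoso.com"           # placeholder external EWS/MRSProxy name
$Findings = @()

# Endpoints that the federation token, not a proxy logon, must authenticate.
$Endpoints = @{
    $EwsHost          = @("/EWS/Exchange.asmx/WSSecurity", "/EWS/MRSProxy.svc/WSSecurity")
    $AutodiscoverHost = @("/Autodiscover/Autodiscover.svc/WSSecurity", "/autodiscover/autodiscover.svc")
}

function Test-PublishedCertificate {
    param([string]$HostName)
    # Open a TLS session and take the leaf certificate that the CAS (or the
    # device in front of it) presents. The callback returns $true so that the
    # handshake completes even for an untrusted chain; trust is checked below.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Close(); $tcp.Close() }

    # Names covered: the Subject DNS name plus every DNS entry in the SAN
    # extension (OID 2.5.29.17). Format() output is "DNS Name=a, DNS Name=b".
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($san) { $names += ($san.Format($false) -split ", " | ForEach-Object { ($_ -split "=")[-1] }) }

    $problems = @()
    if ($names -notcontains $HostName) { $problems += "Certificate: $HostName is not in Subject/SAN (found: $($names -join ', '))" }
    if (-not $cert.Verify())           { $problems += "Certificate: $HostName does not chain to a trusted root (self-signed or private CA?)" }
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "Certificate: $HostName expired on $($cert.NotAfter)" }
    return $problems
}

foreach ($hostName in $Endpoints.Keys) {
    # 1. DNS: the public record must resolve (to the CAS or the publishing device).
    try   { $null = [System.Net.Dns]::GetHostAddresses($hostName) }
    catch { $Findings += "DNS: $hostName does not resolve"; continue }

    # 2. Certificate: public CA, not expired, host name in Subject/SAN.
    try   { $Findings += Test-PublishedCertificate -HostName $hostName }
    catch { $Findings += "TLS: handshake with $hostName failed ($($_.Exception.Message))"; continue }

    # 3. Pre-authentication: an anonymous GET must reach Exchange. A 401/403 or
    #    a redirect to a logon form means a proxy is challenging a WS-Security
    #    endpoint (or WSSecurityAuthentication is disabled on the virtual directory).
    foreach ($path in $Endpoints[$hostName]) {
        $url = "https://$hostName$path"
        $req = [System.Net.WebRequest]::Create($url)
        $req.Method = "GET"; $req.AllowAutoRedirect = $false; $req.Timeout = 10000
        try {
            $resp = $req.GetResponse(); $status = [int]$resp.StatusCode; $resp.Close()
        } catch [System.Net.WebException] {
            $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
        }
        if (@(401, 403, 302, 307) -contains $status) {
            $Findings += "Pre-auth: $url returned $status; exclude this path from pre-authentication"
        } elseif ($status -eq 0) {
            $Findings += "HTTP: no response from $url"
        } else {
            "$url -> $status"
        }
    }
}

if ($Findings) { $Findings | ForEach-Object { Write-Warning $_ } }
else           { "All publishing checks passed; run the Remote Connectivity Analyzer next." }
```

Treat a 405 on the WSSecurity paths as a pass: it means the request reached the Exchange service, which only accepts POST there. The script deliberately does not send a federation token, so it tells you whether the proxy gets out of the way, not whether Exchange accepts the token; that second half is what the Remote Connectivity Analyzer and Test-OrganizationRelationship are for.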


Common Deployment Issues – Mail Flow

  • Third party SMTP security devices in use between Exchange on-premises and Forefront Online Protection for Exchange

    • The TLS connection between Exchange on-premises and FOPE, for internal mail flow, must initiate/terminate on a 2010 SP1+ Hub Transport or Edge Transport server; a device that terminates TLS in between breaks the certificate-based trust that secure transport relies on, so keep it out of that path or let the session pass through

  • MX record is pointed to FOPE with Centralized Transport Control enabled

    • This scenario only works if FOPE was already in use prior to creating the Office 365 tenant

  • Wildcard certificate used for TLS

    • SP2 Update Rollup 1 enables support for wildcard certificates


Recap

  • Session Objective(s):

    • Understand how the Hybrid Configuration Engine works

    • Understand the common pitfalls when configuring hybrid, and how to avoid them

  • Dependencies are key. You must have your certificates, DNS names, etc. working before you attempt to configure hybrid. Otherwise, it’s going to be harder than necessary.


Exchange Sessions this week

  • EXL301 Archiving in the Cloud with Exchange Online Archiving (EOA) – Thursday 08:30 – Hall 10B

  • EXL306 Best Practices for Virtualizing Microsoft Exchange Server 2010 – Thursday 12:00 – Hall 9B

  • EXL401 Microsoft Exchange Server 2010 High Availability Deep Dive – Thursday 16:30 – Hall 9A

  • EXL201 Understanding Microsoft Forefront Online Protection for Exchange – Friday 08:30 – G106

  • EXL307 Using a load balancer in your Exchange 2010 environment – Friday 13:00 – Hall 9B


Track Resources

  • Exchange Team Blog: http://blogs.technet.com/b/exchange/

  • Exchange TechNet Tech Center: http://technet.microsoft.com/exchange

  • Geek Out with Perry Blog: http://blogs.technet.com/b/perryclarke/

  • MEC Website and Registration: http://www.mecisback.com/


Resources

  • Connect. Share. Discuss. (http://europe.msteched.com)

  • Learning: Microsoft Certification & Training Resources (www.microsoft.com/learning)

  • TechNet: Resources for IT Professionals (http://microsoft.com/technet)

  • MSDN: Resources for Developers (http://microsoft.com/msdn)


Evaluations

Submit your evals online: http://europe.msteched.com/sessions


© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

