Exchange 2013: Hybrid Part 1
You must be hearing about Office 365 and hybrid deployments a lot. Let me share a few simple hybrid blog posts that explain the concept and help you configure a hybrid deployment and build your Office 365 skills. I hope you will be excited to configure and test it. So let us begin.
This is a seven-part blog series, tested end to end and written with the help of the Microsoft Exchange Deployment Assistant.
Here is the link of Microsoft Exchange Deployment Assistant: https://technet.microsoft.com/en-us/exdeploy2013/Checklist?state=2419-W-AABoAQqA0gCIAIEGAwAAAAg~
This post covers readiness, concepts and Office 365 account creation.
We start the hybrid configuration with readiness, which is the assessment phase of the current customer environment.
What is your current on-premises Exchange environment?
Exchange Server 2013
Exchange Server 2010
Exchange Server 2007
Do you want all users to use their on-premises credentials (Single Sign on) when they log on to their Exchange Online mailbox?
Yes or No
How do you want to route inbound Internet mail for both your on-premises and Exchange Online mailboxes?
-Route all inbound Internet mail for both organizations through Exchange Online Protection
-Route all inbound Internet mail for both organizations through my on-premises Exchange servers
Do you want mail sent between your Exchange Online and on-premises organizations to go through an Edge Transport server?
Yes or No
- Make sure the following ports are open.

| Transport Protocol | Upper Level Protocol | Feature/Component | On-premises Endpoint | On-premises Path | Authentication Provider | Authorization Method | Pre-Auth Supported? |
|---|---|---|---|---|---|---|---|
| TCP 25 (SMTP) | SMTP/TLS | Mail flow between Office 365 and on-premises | Exchange 2013 CAS/EDGE, Exchange 2010 HUB/EDGE | | | | |
| TCP 443 (HTTPS) | Autodiscover | Autodiscover | Exchange 2013/2010 CAS | /autodiscover/autodiscover.svc/wssecurity | Azure AD authentication system | WS-Security Authentication | No |
| TCP 443 (HTTPS) | EWS | Free/busy, MailTips, Message Tracking | Exchange 2013/2010 CAS | /ews/exchange.asmx/wssecurity | Azure AD authentication system | WS-Security Authentication | No |
| TCP 443 (HTTPS) | EWS | Multi-mailbox search | Exchange 2013/2010 CAS | /ews/exchange.asmx/wssecurity | Auth Server | WS-Security Authentication | No |
| TCP 443 (HTTPS) | EWS | Mailbox migrations | Exchange 2013/2010 CAS | /ews/mrsproxy.svc | Basic | Basic | No |
| TCP 443 (HTTPS) | Autodiscover | OAuth | Exchange 2013/2010 CAS | /ews/exchange.asmx/wssecurity | Auth Server | WS-Security Authentication | No |
| TCP 443 (HTTPS) | N/A | AD FS | WIN2008/2012 Server | /adfs/* | Azure AD authentication system | Varies per config. | 2-factor |
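A readiness check for the endpoints in the table above, written as an added example (not code from the original post or from Microsoft). The hostnames are placeholders for your own published names, and the AD FS path `/adfs/ls/` is assumed as the concrete sign-in path behind the table's `/adfs/*`.

```powershell
# Added example: verify that the on-premises hybrid endpoints from the port table
# accept TCP connections and, for the HTTPS paths, are published and demand auth.
# Hostnames below are placeholders; replace them with your own published names.
$endpoints = @(
    @{ Host = 'mail.contoso.example';         Port = 25;  Feature = 'SMTP/TLS mail flow' }
    @{ Host = 'autodiscover.contoso.example'; Port = 443; Feature = 'Autodiscover';                     Path = '/autodiscover/autodiscover.svc/wssecurity' }
    @{ Host = 'mail.contoso.example';         Port = 443; Feature = 'EWS free/busy, MailTips, tracking'; Path = '/ews/exchange.asmx/wssecurity' }
    @{ Host = 'mail.contoso.example';         Port = 443; Feature = 'Mailbox migrations (MRSProxy)';     Path = '/ews/mrsproxy.svc' }
    @{ Host = 'sts.contoso.example';          Port = 443; Feature = 'AD FS';                            Path = '/adfs/ls/' }   # assumed sign-in path
)

$results = foreach ($e in $endpoints) {
    # Test-NetConnection (Windows 8.1 / Server 2012 R2 and later) reports TCP reachability
    $tcp = Test-NetConnection -ComputerName $e.Host -Port $e.Port -WarningAction SilentlyContinue
    $status = 'n/a'
    if ($e.Path -and $tcp.TcpTestSucceeded) {
        # For the HTTPS paths an anonymous GET should come back 401 Unauthorized:
        # that proves the virtual directory is published and is demanding authentication.
        try {
            $r = Invoke-WebRequest -Uri ("https://{0}{1}" -f $e.Host, $e.Path) -UseBasicParsing -Method Get
            $status = [int]$r.StatusCode
        } catch {
            if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
            else { $status = $_.Exception.Message }   # e.g. certificate or name resolution failure
        }
    }
    [pscustomobject]@{
        Feature    = $e.Feature
        Endpoint   = "$($e.Host):$($e.Port)"
        Path       = $e.Path
        TcpOpen    = $tcp.TcpTestSucceeded
        HttpStatus = $status
    }
}
$results | Format-Table -AutoSize
```

Run it from a host outside the corporate network so the result reflects what Office 365 actually sees through the firewall; a 401 on the wssecurity and mrsproxy paths is the healthy answer, while a 404 or a timeout means the virtual directory or port is not published.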
Concept and prerequisites:
Understanding the concepts and prerequisites clears up most of the confusion, so they are included here for blog followers. The definitions below use Microsoft's own wording for these technical terms, so you can read them here or on TechNet. We have referred to the following link:
EOP: The Microsoft Exchange Online Protection service (EOP) is included in all Office 365 for enterprises tenants by default and works with on-premises Exchange 2013 Client Access servers to provide secure message delivery between the on-premises and Exchange Online organizations. Depending on how your organization is configured, it may also handle routing incoming mail from external recipients for your Exchange Online organization and your on-premises Exchange organization.
Hybrid Configuration wizard: Exchange 2013 includes the Hybrid Configuration wizard which provides you with a streamlined process to configure a hybrid deployment between on-premises Exchange and Exchange Online organizations.
Windows Azure AD authentication system and ADFS: The Windows Azure AD authentication system is a free cloud-based service that acts as the trust broker between your on-premises Exchange 2013 organization and the Exchange Online organization. On-premises organizations configuring a hybrid deployment must have a federation trust with the Windows Azure AD authentication system. The federation trust can either be created manually as part of configuring federated sharing features between an on-premises Exchange organization and other federated Exchange organizations or as part of configuring a hybrid deployment with the Hybrid Configuration wizard. A federation trust with the Windows Azure AD authentication system for your Office 365 tenant is automatically configured when you activate your Office 365 service account.
Active Directory synchronization: Active Directory synchronization replicates on-premises Active Directory information for mail-enabled objects to the Office 365 organization to support the unified global address list (GAL). Organizations configuring a hybrid deployment must deploy Active Directory synchronization on a separate, on-premises server.
Supported organizations: Active Directory synchronization between the on-premises and Office 365 organizations is a requirement for configuring a hybrid deployment. All customers of Azure Active Directory and Office 365 have a default object limit of 300,000 objects (users, mail-enabled contacts, and groups). If you have more objects than that, contact Azure support to have the quota increased.
Hybrid deployment management:
You manage a hybrid deployment in Exchange 2013 via a single unified management console that allows for managing both your on-premises and Office 365 Exchange Online organizations. The Exchange admin center (EAC), which replaces the Exchange Management Console and the Exchange Control Panel, allows you to connect and configure features for both organizations. When you run the Hybrid Configuration wizard for the first time, you will be prompted to connect to your Exchange Online organization. You must use an Office 365 account that is a member of the Organization Management role group to connect the EAC to your Exchange Online organization.
Certificates: Secure Sockets Layer (SSL) digital certificates play a significant role in configuring a hybrid deployment. They help to secure communications between the on-premises hybrid server and the Exchange Online organization. Certificates are a requirement to configure several types of services. If you’re already using digital certificates in your Exchange organization, you may have to modify the certificates to include additional domains or purchase additional certificates from a trusted certificate authority (CA). If you aren’t already using certificates, you will need to purchase one or more certificates from a trusted CA.
Bandwidth: Your network connection to the Internet will directly impact the communication performance between your on-premises organization and the Exchange Online organization. This is particularly true when moving mailboxes from your on-premises Exchange 2013 server to the Exchange Online organization. The amount of available network bandwidth, in combination with mailbox size and the number of mailboxes moved in parallel, will result in varied times to complete mailbox moves. Additionally, other Office 365 cloud-based services may also affect the available bandwidth for messaging services.
Before moving mailboxes to the Exchange Online organization, you should:
Determine the average mailbox size for mailboxes that will be moved to the Exchange Online organization.
Determine the average connection and throughput speed for your connection to the Internet from your on-premises organization.
Calculate the average expected transfer speed, and plan your mailbox moves accordingly.
Unified Messaging: Unified Messaging (UM) is supported in a hybrid deployment between your on-premises and Exchange Online organizations. Your on-premises telephony solution must be able to communicate with the Exchange Online organization. This may require that you purchase additional hardware and software. If you want to move mailboxes from your on-premises organization to the Exchange Online organization, and those mailboxes are configured for UM, you should configure UM in your hybrid deployment prior to moving those mailboxes. If you move mailboxes before you configure UM in your hybrid deployment, those mailboxes will no longer have access to UM functionality, which you would not want.
Information Rights Management:
Information Rights Management (IRM) enables users to apply Active Directory Rights Management Services (AD RMS) templates to messages that they send. AD RMS templates can help prevent information leakage by allowing users to control who can open a rights-protected message, and what they can do with that message after it’s been opened.
IRM in a hybrid deployment requires planning, manual configuration of the Exchange Online organization, and an understanding of how clients use AD RMS servers depending on whether their mailbox is in the on-premises or Exchange Online organization.
Mobile devices: Mobile devices are supported in a hybrid deployment. If Exchange ActiveSync is already enabled on Client Access servers, they’ll continue to redirect requests from mobile devices to mailboxes located on the on-premises Mailbox server. For mobile devices connecting to existing mailboxes that are moved from the on-premises organization to Exchange Online, the Exchange ActiveSync partnership must be disabled and re-established before redirection requests are processed correctly. All mobile devices that support Exchange ActiveSync should be compatible with a hybrid deployment.
Client requirements: Outlook 2013 or Outlook 2010 are the recommended clients for the best experience and performance in a hybrid deployment. Pre-Outlook 2010 clients have limited support in hybrid deployments and with the Office 365 service, so they are not the preferred clients.
Licensing for Office 365: To create mailboxes in, or move mailboxes to, an Exchange Online organization, you need to sign up for Office 365 for enterprises and you must have licenses available. When you sign up for Office 365, you’ll receive a specific number of licenses that you can assign to new mailboxes or mailboxes moved from the on-premises organization. Each mailbox in the Exchange Online service must have a license.
Antivirus and anti-spam services: Mailboxes moved to the Exchange Online organization are automatically provided with antivirus and anti-spam protection by Microsoft Exchange Online Protection (EOP). You may need to purchase additional EOP licenses for your on-premises users if you chose to route all incoming Internet mail through the EOP service. Carefully evaluate whether the EOP protection in your Exchange Online organization is also appropriate to meet the antivirus and anti-spam needs of your on-premises organization. If you have protection in place for your on-premises organization, you may need to upgrade or configure your on-premises antivirus and anti-spam solutions for maximum protection across your organization.
Public folders: Public folders are now supported in Office 365, and on-premises public folders can be migrated to Exchange Online. Additionally, public folders on Exchange Online can be moved to the on-premises Exchange 2013 organization. Both on-premises and Exchange Online users can access public folders located in either organization using Outlook Web App, Outlook 2013, Outlook 2010 SP2 or Outlook 2007 SP3. Existing on-premises public folder configuration and access for on-premises mailboxes doesn’t change when you configure a hybrid deployment.
Image: courtesy Microsoft
Current Client connectivity Architecture.
Hybrid architecture: Once you configure Exchange hybrid between your on-premises organization and Office 365, it will look like the image below.
Office 365: Register a domain
Follow the blog post mentioned below to register a domain. Make sure you do not change the DNS records until we reach the cut-over point.
Verify Office 365 account version:
-Hybrid deployments are supported in all Office 365 plans that support Windows Azure Active Directory synchronization.
All Office 365 Enterprise, Government, Academic and Midsize plans support hybrid deployments.
Office 365 Small Business and Home plans don’t support hybrid deployments.
-So it is important to verify that your plan supports a hybrid deployment. Make sure your Office 365 plan is one of the supported plans.
-Your Office 365 tenant must also be version 15.0.000.0 or higher for the hybrid deployment to function correctly with Exchange 2013.
-To verify the version and status of your existing Office 365 tenant, do the following:
Connect to the Office 365 tenant using remote Windows PowerShell. Step-by-step connection instructions are here: http://msexchangeguru.com/2014/02/03/eop-o365-connect-powershell/
After connecting to the Office 365 tenant, run the following command.
Get-OrganizationConfig | FL AdminDisplayVersion,IsUpgradingOrganization
Verify that your Office 365 tenant and status meet the following requirements:
AdminDisplayVersion parameter value is greater than 15.0.000.0
IsUpgradingOrganization parameter value is False
For example, “0.20 (184.108.40.206)” and “False”.
Disconnect from the Office 365 tenant remote PowerShell session by running the command below.
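The connect, verify and disconnect steps above, carried through as one function in an added example (not code from the original post or from Microsoft). It assumes the Basic-authentication remoting endpoint `https://outlook.office365.com/powershell-liveid/` from the linked connection post, which was the method at the time; current tenants use the Exchange Online PowerShell module instead.

```powershell
# Added example: connect to Exchange Online with remote PowerShell, check the tenant
# version and upgrade status against the hybrid requirements, and always disconnect.
# Assumes the Basic-auth remoting endpoint that applied when this post was written.
function Test-HybridTenantReadiness {
    param([Parameter(Mandatory)][pscredential]$Credential)

    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
        -Credential $Credential -Authentication Basic -AllowRedirection
    try {
        $cfg = Invoke-Command -Session $session -ScriptBlock {
            Get-OrganizationConfig | Select-Object AdminDisplayVersion, IsUpgradingOrganization
        }
        # AdminDisplayVersion is a string such as "0.20 (15.0.xxx.xx)"; the build inside
        # the parentheses is what has to be greater than 15.0.000.0.
        $build = $null
        if ($cfg.AdminDisplayVersion -match '\(([\d\.]+)\)') { $build = [version]$Matches[1] }
        [pscustomobject]@{
            AdminDisplayVersion = $cfg.AdminDisplayVersion
            Build               = $build
            VersionOk           = ($null -ne $build) -and ($build -gt [version]'15.0.0.0')
            NotUpgrading        = -not [bool]$cfg.IsUpgradingOrganization
        }
    }
    finally {
        # Tear the remote session down even if a command above fails, so no
        # authenticated session is left open on the tenant.
        Remove-PSSession $session
    }
}

$result = Test-HybridTenantReadiness -Credential (Get-Credential -Message 'Office 365 admin account')
$result
if ($result.VersionOk -and $result.NotUpgrading) { 'Tenant is ready for Exchange 2013 hybrid' }
else { 'Tenant does not yet meet the hybrid requirements' }
```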
ADFS Server requirement:
At least one AD FS server should be in place to sync mail-enabled Active Directory objects. This will be called the Active Directory Synchronization Server.
Exchange server requirement:
-Exchange 2013 servers configured in a hybrid deployment must have one of the following operating systems installed:
64-bit edition of Windows Server 2008 R2 Datacenter RTM or later
64-bit edition of Windows Server 2008 R2 Standard Service Pack 1
64-bit edition of Windows Server 2008 R2 Enterprise Service Pack 1
64-bit edition of Windows Server 2012 Standard or Datacenter
-Exchange 2013 servers configured with the Client Access and Mailbox server roles.
-All on-premises Exchange 2013 servers must have Cumulative Update 1 (CU1) or later for Exchange 2013 installed to support hybrid functionality with Office 365.
On Premise Active Directory:
In the Active Directory site where your existing Exchange 2010 servers are deployed, you must have at least one writeable domain controller running any of the following:
Windows Server 2003 Standard Edition with SP1 or later (32-bit or 64-bit)
Windows Server 2003 Enterprise Edition with SP1 or later (32-bit or 64-bit)
Windows Server 2008 Standard or Enterprise RTM or later (32-bit or 64-bit)
Windows Server 2008 R2 Standard or Enterprise RTM or later
Windows Server 2008 Datacenter RTM or later
Windows Server 2008 R2 Datacenter RTM or later
Windows Server 2012 Standard or Datacenter
Additionally, the Active Directory forest must be Windows Server 2003 forest functional level or higher.
Mine is 2012 R2.
At this point we have reviewed the hybrid concept and prerequisites, and created and verified the Office 365 account and domain. Next we move to the single sign-on configuration step in Blog 2 of the hybrid series.
Microsoft MVP | Exchange Server