Exchange online real world migration challenges


Session from IT/Dev Connections 2013

1 Comment
  • There is a mistake on Slide 5 - Exchange 2010 and 2013 DO support cutover migrations, just not staged - as long as the user count is less than 2000 - as per
  • What is Hybrid? It provides a unified organization that crosses logical boundaries. Typically, it's made up of Exchange, DirSync and AD FS. Mailboxes and resources can live on both sides of the boundary and communicate as one organization. The same username and password can be used before and after a migration. Users share the same GAL and email domains. A migrated mailbox is the same mailbox, so OSTs are retained and AutoDiscover works across the boundary. You can use a Hybrid deployment for a migration, or for long-term coexistence.
  • Why Hybrid? Exchange 2010 needs it. Ease of pilot: you've got a way back; test, test and test again. Transition, not migration: what's the lowest impact on users? Is user experience important? Who's going to manage the migration? Use the skills you have; don't learn new ones for a migration you'll only use once.
  • Why not Hybrid? Of course it's not always needed. Smaller migrations: cutover or staged. A cutover means you're planning on moving everything in one go; the big bang approach can work! Multiple on-premises Exchange organizations: Hybrid is a 1-to-1 on-premises-to-tenant relationship. And of course, you don't always have an on-premises Exchange: IMAP migrations. But don't; they can work, but look at MigrationWiz and similar. Quest is great, but for smaller organizations too complicated.
  • Challenges for Exchange 2007 and 2003 organizations. To do it properly, you're looking at a migration of Client Access services. Let's walk through that: implementing a legacy namespace, then moving AutoDiscover and other services. Effectively, you're doing a lot of the hard work for an Exchange 201x migration. What are your options? Wave 15 is here, so you're looking at Exchange 2010 SP3 or Exchange 2013 CU2, unless you're on 2003, in which case it's 2010 SP3. 2013 CU2 simplifies the Hybrid Configuration Wizard.
  • Challenges for Exchange 2010 organizations. Should you implement 2013 CU2 for your Hybrid server? A free Hybrid key is now available for Exchange 2007 and 2010 organizations. Why? You don't need a Hybrid server on 2010... You'll need 2010 SP3 *in your Internet-facing site*. You're working from the outside in, so you can upgrade just that site first. If it's a single site and you can't upgrade the rest of the org, you can make a site within a site; you'll need a DC, CAS and Hub.
  • External URLs. You need your AutoDiscover and Internet-facing External URLs to be correct; in particular, that's EWS and AutoDiscover. Test the BASICS using the Remote Connectivity Analyser: EWS tests, including AutoD.
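An added example, not from the session or from Microsoft, of the inventory you would run from the on-premises Exchange Management Shell (PowerShell 3.0 or later) before reaching for the Remote Connectivity Analyser: it lists the AutoDiscover SCP and the EWS URLs on every Client Access server and flags the settings that break the HCW or remote mailbox moves. The namespace `mail.contoso.com` is an assumption.

```powershell
# Added example (not from the session): inventory the EWS and AutoDiscover settings that Hybrid
# depends on across Client Access servers and flag gaps before external testing.
$ExpectedHost = 'mail.contoso.com'   # assumption: your Internet-facing HTTPS namespace

$report = foreach ($cas in Get-ClientAccessServer) {
    # -ADPropertiesOnly avoids a slow IIS read on every server; on Exchange 2013 the cmdlet
    # also returns the back-end vdir, so keep the one on the Default Web Site.
    $ews = Get-WebServicesVirtualDirectory -Server $cas.Name -ADPropertiesOnly |
        Where-Object { $_.Name -like '*Default Web Site*' } | Select-Object -First 1
    [pscustomobject]@{
        Server          = $cas.Name
        AutoDiscoverSCP = $cas.AutoDiscoverServiceInternalUri
        EwsExternalUrl  = $ews.ExternalUrl
        EwsInternalUrl  = $ews.InternalUrl
        MrsProxyEnabled = $ews.MRSProxyEnabled
    }
}

# Conditions that break the HCW or Remote Move Requests: no EWS ExternalUrl, an ExternalUrl
# on the wrong namespace, or the MRS Proxy left disabled on the EWS virtual directory.
$issues = foreach ($row in $report) {
    if (-not $row.EwsExternalUrl) {
        "$($row.Server): EWS ExternalUrl is empty"
    } elseif ($row.EwsExternalUrl.Host -ne $ExpectedHost) {
        "$($row.Server): EWS ExternalUrl host is $($row.EwsExternalUrl.Host), expected $ExpectedHost"
    }
    if (-not $row.MrsProxyEnabled) {
        "$($row.Server): MRS Proxy disabled on EWS; remote mailbox moves will fail"
    }
}

$report | Format-Table -AutoSize
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No EWS or AutoDiscover URL issues found; confirm from the Internet with the Remote Connectivity Analyser' }
```

This only checks what is published in AD; the Remote Connectivity Analyser is still needed to prove the names resolve and the certificate chains validate from outside.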
  • Certificates. Again, it's coming in from the Internet, so VALID third-party SSL certificates; common vendors like GoDaddy, Verisign and Digicert are fine. The Federation certificate for MFG is self-signed though. If you've set up Federation in pre-SP1 days, consider that this uses the Consumer Gateway; look to remove and re-add this using a self-signed cert. If you never used it, the chances are the cert expired. This is a PITA to clean up: contact MS support, though it is possible to do via ADSIedit. The ADSIedit method will be a pain as there are many references, so contact MS. If you do have to strip it out, expect a ~7 hour wait for the new one to take effect. If you fail at the Get-FederationInformation stage, check this: internally, from another Exchange org, and from Exchange Online PowerShell.
  • Certificates. The HCW will by default look for AutoD for *EVERY* domain in the Hybrid Config. Are ALL your domains on the SAN for AutoD? Exchange 2013 has a built-in solution: Set-HybridConfiguration -Domain ",". Word is this may be back-ported to Exchange 2010, but no confirmation yet. SSL offload: where are you likely to find this? Typically a larger existing Exchange 2010 org. You'll probably avoid this from the get-go if you're implementing Exchange 2010 servers for Hybrid. Exchange 2013 doesn't support SSL offload yet, so it shouldn't be a problem. Everything will work for the HCW, but you won't be able to move mailboxes. Can you just get rid of SSL offload? Find out why it's enabled. Is it part of the architecture sizing? What will the effects be on the load balancer, which will now need to re-encrypt, and on the Client Access server? Any workarounds? Yes! You could implement a different namespace. Additional SAN: use this *only* when you are specifying a name for Remote Move requests. It could be the same name as the SMTP certificate name, if that's unique.
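An added example, not from the session, of the SAN check the second bullet asks for: it reads the domains from the existing HybridConfiguration object and tests whether `autodiscover.<domain>` for each one is covered (exactly or by a wildcard) by the certificate enabled for IIS on the server you run it on. It assumes the HCW has already created the HybridConfiguration object and that you run it in the on-premises Exchange Management Shell.

```powershell
# Added example (not from the session): confirm the IIS certificate covers the AutoDiscover
# name the HCW will probe for every hybrid domain.
$hybridDomains = (Get-HybridConfiguration).Domains |
    ForEach-Object { $_.ToString().ToLower() -replace '^autod:', '' } |   # strip the Exchange 2013 "autod:" marker if present
    Sort-Object -Unique

# CertificateDomains on the IIS-enabled certificate(s) is the SAN list, lower-cased for comparison.
$sanNames = Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString().ToLower() }

function Test-SanCovers {
    param([string]$Name, [string[]]$San)
    # Exact SAN entry, or a wildcard for the same parent label (e.g. *.contoso.com).
    if ($San -contains $Name.ToLower()) { return $true }
    $parent = ($Name -split '\.', 2)[1]
    return [bool]($parent -and ($San -contains "*.$parent"))
}

$missing = foreach ($d in $hybridDomains) {
    $autod = "autodiscover.$d"
    if (-not (Test-SanCovers -Name $autod -San $sanNames)) { $autod }
}

if ($missing) {
    Write-Warning 'The HCW will probe AutoDiscover for these names, which are not on the IIS certificate:'
    $missing
} else {
    Write-Host "All $($hybridDomains.Count) hybrid domains have an AutoDiscover name on the IIS certificate"
}
```

Run it on each Internet-facing Client Access server, since a certificate bound on one server but not another produces exactly the intermittent HCW failures described above.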
  • Pre-authentication. What's pre-auth? The client (or in this case, Office 365) has to authenticate against the LB/TMG first; the credentials entered are passed on to back-end Exchange. TMG, I'm looking at you. But TMG and ISA aren't all bad, as the pre-auth and SSO can be used alongside AD FS for single sign-on. And now, KEMP and F5. What's the problem? Federated Sharing (not AD FS) using Web Services Security, /WSSecurity, e.g. /EWS/Exchange.asmx/WSSecurity. Solutions? Rules *before* pre-auth rules to exclude these filenames; see Tim Heeney's article. Or disable pre-auth on /AutoDiscover/* and /EWS/*. Oh no, security risk! MS aren't even recommending pre-auth for Exchange. The current recommendation is a 3-arm LB: 1 in the server VLAN, 1 in the internal LAN, 1 in the DMZ, none with pre-auth. What's easier to troubleshoot?
  • SMTP mail flow. Make sure you understand your mail routing first. If you're not combining your Hybrid CAS and SMTP, make sure your certificates are in place on the Hubs. The HCW will define the address ranges for the Receive Connector. Routing through something else? You may need to think about this one, as it depends on the exact setup. For example: allow firewall rules and DNS entries direct to Hub servers so they see the remote IP address, or you might need the IP Exchange sees to be different from what it sees for general mail. You won't expect it to go via a third-party SMTP gateway on the way in (or out). Remember, this is internal mail (effectively) and already going through EOP (FOPE) to get to you.
  • Federated Sharing. Firstly, it's reliant on AutoDiscover and EWS; remember our pass-through for pre-auth above. When troubleshooting, examine IIS logs and event logs. Event logs can be especially useful if it's going to an internal AD site or traversing CAS servers.
  • Federated Sharing. You can manually specify the EWS endpoint in the Org relationship on the Exchange Online side; avoid this unless you really need to. Again, SSL offload can cause problems. An example: a customer configured SSL offload and removed bindings except for SSL on localhost. Was that a bad idea? Why did they have a self-signed cert bound to localhost? OWA makes an SSL connection to EWS on localhost. So even with SSL offload, have the SAN cert bound to the Exchange website properly. Note that you can't have another EWS virtual directory on the same server. For coexistence, remember the limitations of Federated Sharing: re-share calendars. Availability should work without issue though. We'll cover that more later.
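An added example, not from the session, of the IIS-log troubleshooting the two Federated Sharing bullets recommend and of how a pre-auth rule that catches the /WSSecurity paths shows up: the function parses W3C log lines, keeps only the /EWS and /AutoDiscover requests that Federated Sharing, the HCW and the MRS Proxy make, and summarises status codes per path so a 401 on `/EWS/Exchange.asmx/WSSecurity` stands out. The log lines below are constructed for the example (the client addresses and user-agent strings are illustrative, not real Office 365 values).

```powershell
# Added example (not from the session): summarise IIS W3C log entries for the Hybrid endpoints.
# The sample log is constructed; point the function at a real u_ex*.log to use it for real.
$SampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2013-10-01 09:15:01 10.0.0.5 POST /EWS/Exchange.asmx/WSSecurity - 443 - 203.0.113.10 ASProxy/CrossForest/EmailDomain 200 0 0 312
2013-10-01 09:15:02 10.0.0.5 POST /EWS/Exchange.asmx/WSSecurity - 443 - 203.0.113.11 ASProxy/CrossForest/EmailDomain 401 2 5 15
2013-10-01 09:15:03 10.0.0.5 POST /autodiscover/autodiscover.svc/WSSecurity - 443 - 203.0.113.11 ASAutoDiscover/CrossForest/EmailDomain 401 2 5 12
2013-10-01 09:15:04 10.0.0.5 POST /EWS/mrsproxy.svc - 443 - 203.0.113.12 MRSProxy 200 0 0 44
2013-10-01 09:15:05 10.0.0.5 GET /owa/ - 443 CONTOSO\alice 192.168.1.20 Mozilla/5.0 200 0 0 88
'@

function Get-HybridEndpointStatus {
    param([string[]]$Lines)
    $fields = $null
    $rows = foreach ($line in $Lines) {
        # The #Fields: directive names the columns; other # lines are comments.
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*') -split ' '; continue }
        if ($line -like '#*' -or -not $line.Trim() -or -not $fields) { continue }
        $values = $line -split ' '
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) { $rec[$fields[$i]] = $values[$i] }
        # Only the paths Federated Sharing, the HCW and mailbox moves depend on.
        if ($rec['cs-uri-stem'] -match '^/(EWS|autodiscover)/') { New-Object PSObject -Property $rec }
    }
    $rows | Group-Object 'cs-uri-stem', 'sc-status' | ForEach-Object {
        $first = $_.Group[0]
        New-Object PSObject -Property @{
            Path    = $first.'cs-uri-stem'
            Status  = $first.'sc-status'
            Count   = $_.Count
            Clients = ($_.Group | ForEach-Object { $_.'c-ip' } | Sort-Object -Unique) -join ','
        }
    } | Sort-Object Path, Status | Select-Object Path, Status, Count, Clients
}

# Constructed sample; for a real server use something like:
# Get-HybridEndpointStatus -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex131001.log')
Get-HybridEndpointStatus -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

A 401 with substatus 2 on the WSSecurity paths, while the same client gets 200 on /EWS/mrsproxy.svc, is the signature of a pre-auth or authentication-method mismatch on those virtual directories rather than a certificate or DNS problem.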
  • Complicated Exchange organizations will need some thought up front. Explain a standard scenario and reassure that it is supported. Explain account and resource forests briefly. Azure AD Connector download: known as the Office 365 Connector. More complicated scenarios: you need to bring in MS.
  • Explain a little about S/MIME. Why would organizations use it? Proof of sender (signed messages); privacy (encrypted messages). How is it usually deployed within an organization? Certificates issued by an internal CA; certificates optionally issued by an external CA. The end user keeps the private key on devices: PC (used for Outlook, OWA), mobile device (e.g. ActiveSync). The public certificate is published to Active Directory. When picking a recipient to send encrypted mail you need their public certificate; for recipients in the GAL the above is automatic. Why is this an issue in Office 365? The certificate is not synced by DirSync to Office 365. This means the end user cannot send an encrypted mail without understanding they need the certificate. How to work around it? On-premises, add the Global Catalog as an additional LDAP provider. Outlook 2013: Account Settings / Address Book tab / New: LDAP. The user can pick from the GAL and Outlook will resolve the certificate without the user needing to understand the LDAP directory.
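An added example, not from the session, that checks the on-premises side of the S/MIME workaround: since Outlook will resolve recipients' certificates from the Global Catalog's userCertificate attribute, this reports which mail-enabled users have a published certificate and whether it is still within its validity period. It needs the ActiveDirectory module (RSAT); the search base is an assumption.

```powershell
# Added example (not from the session): audit S/MIME certificates published to AD, which is
# what the LDAP address book entry in Outlook resolves against.
Import-Module ActiveDirectory

function Get-PublishedSmimeCertificate {
    param([string]$SearchBase = 'OU=Users,DC=contoso,DC=com')   # assumption: adjust to your forest
    Get-ADUser -Filter 'mail -like "*"' -SearchBase $SearchBase -Properties mail, userCertificate |
        ForEach-Object {
            $user = $_
            # userCertificate is multi-valued DER bytes; parse each into an X509Certificate2.
            $certs = @($user.userCertificate) | Where-Object { $_ } | ForEach-Object {
                New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$_)
            }
            # The certificate with the latest expiry is the one a sender would pick up.
            $best = $certs | Sort-Object NotAfter -Descending | Select-Object -First 1
            $now  = Get-Date
            New-Object PSObject -Property @{
                User      = $user.mail
                Published = [bool]$best
                Expires   = if ($best) { $best.NotAfter } else { $null }
                Valid     = [bool]($best -and $best.NotBefore -le $now -and $best.NotAfter -gt $now)
                Issuer    = if ($best) { $best.Issuer } else { '' }
            }
        } | Select-Object User, Published, Valid, Expires, Issuer
}

# Users that cannot receive encrypted mail via a GAL lookup: no published certificate, or an expired one.
Get-PublishedSmimeCertificate | Where-Object { -not $_.Valid } | Format-Table -AutoSize
```

Run this before pointing users at the LDAP address book; an expired or missing published certificate fails in the same way as the DirSync gap, and users will blame the migration for it.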
  • Give a basic MDM overview. Why is it used? Mention the OWA app as a benefit of Office 365 along with the usual quarantine and remote wipe. Why can it be a problem? Some interact using MAPI CDO and push to devices and therefore aren't supported. Others sit inline or connect using Remote PowerShell; these may have issues. Check with your vendor to ensure they support Exchange Online: AirWatch – supported; Fiberlink MaaS360 – supported; Boxtone – supported, but features that examine CAS server logs do not work; Good Technology – requires an update from the MAPI/CDO version to the EWS version; MobileIron – the inline proxy (Standalone Sentry) is inline and not recommended, and the remote PowerShell based solution (Integrated Sentry) may not be supported yet; Sybase Afaria – supported; Tangoe – supported. YMMV!
  • Understanding collaboration issues during coexistence. The larger the organization, the more sharing they're likely to do. Sharing relationships may cross many boundaries, and you might not be able to discover all sharing (Default Reviewers). Cross-premises, users will need to re-share calendars; those that are migrated retain sharing permissions. Federated Sharing doesn't provide access to shared mailboxes. Use your discovery information to, at the very least, find departments with heavy collaboration. E.g. if Finance and HR share heavily, migrate them together or one after the other.
  • Talk about how people manage distribution groups: PAs and secretaries using Outlook to manage DGs; OWA from 2010 onward providing great features to do this. DirSync blocks these users from managing DGs using Exchange / Outlook. Use an alternative solution while in coexistence: delegated access to Active Directory Users and Computers; if you're using FIM, consider the FIM Portal. Post-migration you could move to using cloud-managed groups. You may need to re-create the groups; you can use Exchange Online PowerShell to re-create these.
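An added example, not from the session, of the post-migration option in the last bullet: export what matters about an on-premises distribution group, then re-create it as a cloud-managed group with Exchange Online PowerShell so its owners can manage membership from Outlook and OWA again. It assumes the on-premises group has been taken out of DirSync scope (or deleted) so no synced cloud object with the same address remains; the group name and file path are assumptions.

```powershell
# Added example (not from the session): move a DG to cloud management in two steps.

# --- Step 1: on-premises Exchange Management Shell, capture the settings that must survive ---
$dg = Get-DistributionGroup 'Finance Team'            # assumption: group name
$export = New-Object PSObject -Property @{
    Name               = $dg.Name
    Alias              = $dg.Alias
    PrimarySmtpAddress = $dg.PrimarySmtpAddress.ToString()
    # ManagedBy holds AD object ids; resolve them to SMTP addresses that exist in the cloud too.
    ManagedBy          = @($dg.ManagedBy | ForEach-Object { (Get-Recipient $_).PrimarySmtpAddress.ToString() })
    Members            = @(Get-DistributionGroupMember $dg.Identity -ResultSize Unlimited |
                           ForEach-Object { $_.PrimarySmtpAddress.ToString() })
    RequireSenderAuth  = $dg.RequireSenderAuthenticationEnabled
}
$export | ConvertTo-Json -Depth 3 | Set-Content 'C:\Migration\FinanceTeam.json'   # assumption: path

# --- Step 2: Exchange Online remote PowerShell session, re-create the group ---
$import = Get-Content 'C:\Migration\FinanceTeam.json' -Raw | ConvertFrom-Json
$new = New-DistributionGroup -Name $import.Name -Alias $import.Alias `
    -PrimarySmtpAddress $import.PrimarySmtpAddress `
    -ManagedBy $import.ManagedBy -Members $import.Members `
    -RequireSenderAuthenticationEnabled $import.RequireSenderAuth

# Verify membership landed; the owners listed in ManagedBy can now edit it from Outlook/OWA.
Get-DistributionGroupMember $new.Identity | Select-Object Name, PrimarySmtpAddress
```

Keep RequireSenderAuthenticationEnabled as it was on-premises: re-creating a group with it switched off turns an internal-only list into one the whole Internet can mail.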
  • Public Folder access and migration is supported. Public Folder databases must be on Exchange 2007 SP3 RU10 or later (no 2003). Each Mailbox server with PF databases must have the CAS role installed. Migrate Public Folders to Exchange Online after all users. Guidance on TechNet.
  • Planning. Most of your work is in the planning. Obvious issues like multi-forest, resource forest, etc. Use the base tools: OnRamp replaces the Deployment Readiness Tool; ExDeploy; the Microsoft Assessment and Planning (MAP) Toolkit for Microsoft Online Services.
  • Planning. Per-user discovery within your environment. Active Directory: user, group and department data. Exchange data: mailbox sizes; message sizes, including large messages; Outlook clients; ActiveSync clients; IMAP/POP3 clients; SMTP senders, like application servers and MFCs; EWS clients, like Outlook 2011 for Mac; BES clients; shared and collaboration mailboxes; who shares with whom; any clean-up required from a previous cross-forest migration. Local knowledge: statistics and data aren't everything. Who are the real VIPs? Groups of users you can get on board, and those that you can't and who will complain loudly. It's also effectively a cross-forest migration, so where people are may matter too.
  • Migration concurrency depends on more than one factor: max moves per DB on-premises, and max moves per DB in the cloud. Test your throughput during the times you'll migrate; obviously your and Microsoft's infrastructure is busiest at certain times, and move requests are the lowest priority. Leavers or other unused mailboxes provide good candidates for throughput testing; just watch out for those still used to retrieve historical data. Record your statistics and consider your planned batches. Remember, you can move mailboxes back and re-test.
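An added example, not from the session, of how to record the throughput statistics the last bullet asks for: it reads the move request statistics for a test batch and computes MB per hour per mailbox, using the completion time for finished moves and the current time for moves still in flight. Run it in the session where the Remote Move Requests were created (Exchange Online PowerShell for onboarding moves); the batch name is an assumption.

```powershell
# Added example (not from the session): per-mailbox and per-batch throughput from move statistics.
function Get-MoveThroughput {
    param([string]$BatchName = 'Throughput-Test-1')   # assumption: batch name used for the test moves
    Get-MoveRequest -BatchName $BatchName -ResultSize Unlimited |
        Get-MoveRequestStatistics |
        ForEach-Object {
            $s = $_
            # Queued moves have no StartTimestamp yet; live moves have no CompletionTimestamp.
            $start = $s.StartTimestamp
            $end   = if ($s.CompletionTimestamp) { $s.CompletionTimestamp } else { Get-Date }
            $hours = if ($start) { ($end - $start).TotalHours } else { 0 }
            $mb    = if ($s.BytesTransferred) { $s.BytesTransferred.ToMB() } else { 0 }
            New-Object PSObject -Property @{
                Mailbox       = $s.DisplayName
                Status        = $s.Status
                PercentDone   = $s.PercentComplete
                TransferredMB = $mb
                Hours         = [math]::Round($hours, 2)
                MBPerHour     = if ($hours -gt 0) { [math]::Round($mb / $hours, 1) } else { $null }
                BadItems      = $s.BadItemsEncountered
            }
        } | Select-Object Mailbox, Status, PercentDone, TransferredMB, Hours, MBPerHour, BadItems
}

$stats = Get-MoveThroughput
$stats | Format-Table -AutoSize

# Batch-level figures: total data moved and the longest single move, which is what bounds how
# many mailboxes of a given size fit into one night's window.
$done = $stats | Where-Object { $_.Status -eq 'Completed' }
if ($done) {
    $total = ($done | Measure-Object TransferredMB -Sum).Sum
    $span  = ($done | Measure-Object Hours -Maximum).Maximum
    "Batch moved {0:N0} MB; slowest mailbox took {1} h; aggregate {2:N1} MB/h" -f $total, $span, ($total / $span)
}
```

Run it once during a quiet window and once during the window you actually plan to migrate in; the difference between the two numbers is the effect of move requests being the lowest-priority workload on both sides.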
  • Double check your pre-reqs: Is it an on-prem mailbox? Is it a mail user in the cloud? Is it licensed? Is the UPN on-prem valid, and does it match in the cloud? Have details like email addresses synchronised successfully? Did it have any oversized items? Does it require linked mailbox clean-up, like mailbox permissions that need fixing?
  • Documentation: user and IT documentation. Involve IT support staff who'll be on the ground early, and listen to them. Consider an end-user portal: FAQs; checks users can do themselves; videos and guides on how to perform updates. Even personalise per user, such as providing planned
  • Building migration batches. Consider using distribution groups: provides a communications channel; provides a great feed to test scripts; provides an in-AD method for IT staff to check quickly if someone is to be migrated; and provides input to your remote moves.
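An added example, not from the session and not the Check-EXOMigPreRequisites.ps1 script it mentions, that ties the pre-req checklist to the distribution-group batching idea: for every member of a batch group it verifies on-premises mailbox, cloud mail user, UPN match, synced proxy addresses and licence, then creates a Remote Move Request only for members that pass. It assumes an on-premises Exchange Management Shell with an Exchange Online session imported under the prefix `Cloud` and the MSOnline module connected; host names, domains and the group name are assumptions.

```powershell
# Added example (not from the session): pre-flight a batch DG and create Remote Move Requests.
# Assumed session setup (real cmdlets), run once beforehand:
# $cloudSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ `
#     -Credential (Get-Credential) -Authentication Basic -AllowRedirection
# Import-PSSession $cloudSession -Prefix Cloud      # gives Get-CloudMailUser, New-CloudMoveRequest
# Import-Module MSOnline; Connect-MsolService        # gives Get-MsolUser for licence checks

$BatchGroup     = 'Migration-Batch-01'               # assumption: the DG holding this batch
$RemoteHostName = 'mail.contoso.com'                 # assumption: on-premises MRS Proxy (EWS) namespace
$TargetDomain   = 'contoso.mail.onmicrosoft.com'     # assumption: hybrid routing domain
$OnPremCred     = Get-Credential -Message 'On-premises account the MRS Proxy will accept'

function Test-MovePreRequisite {
    param([string]$Smtp)
    $problems = @()
    $mbx = Get-Mailbox $Smtp -ErrorAction SilentlyContinue
    if (-not $mbx) { return @('no on-premises mailbox') }
    $mu = Get-CloudMailUser $Smtp -ErrorAction SilentlyContinue
    if (-not $mu) { return @('no mail user in the cloud (DirSync not run or object filtered?)') }
    if ($mu.UserPrincipalName -ne $mbx.UserPrincipalName) {
        $problems += "UPN mismatch: on-prem $($mbx.UserPrincipalName), cloud $($mu.UserPrincipalName)"
    }
    # Every on-premises proxy address must already be on the cloud object or the move fails.
    $cloudProxies = $mu.EmailAddresses | ForEach-Object { $_.ToString().ToLower() }
    foreach ($addr in $mbx.EmailAddresses) {
        if ($cloudProxies -notcontains $addr.ToString().ToLower()) { $problems += "address not synced: $addr" }
    }
    $msol = Get-MsolUser -UserPrincipalName $mu.UserPrincipalName -ErrorAction SilentlyContinue
    if (-not $msol -or -not $msol.IsLicensed) { $problems += 'no licence assigned' }
    return $problems
}

$batch = Get-DistributionGroupMember $BatchGroup -ResultSize Unlimited
foreach ($member in $batch) {
    $smtp   = $member.PrimarySmtpAddress.ToString()
    $issues = Test-MovePreRequisite -Smtp $smtp
    if ($issues) {
        Write-Warning "$smtp skipped: $($issues -join '; ')"
        continue
    }
    # Suspend before completion so the whole batch is switched over in the planned window.
    New-CloudMoveRequest -Identity $smtp -Remote -RemoteHostName $RemoteHostName `
        -RemoteCredential $OnPremCred -TargetDeliveryDomain $TargetDomain `
        -BatchName $BatchGroup -BadItemLimit 50 -SuspendWhenReadyToComplete
}
```

The skipped list is the input to the retry batch in the flow on slide 34; fixing a UPN or a missing licence is cheap before the move, and expensive once a half-synced mailbox has been cut over.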
  • Pre-pilot and pilot phases. Before the main pilot, iron out every issue you can. Treat the pilot like the real deal: it's your one chance to get it right. Don't just use IT, use real users. IT might have configuration or changes not allowed elsewhere, and IT bods have a tendency to click past an error that will scare a user. A successful pilot with representative users is likely to equal a successful migration. Formally collect user feedback and act upon it. Get the input of the IT staff involved too; their feedback is essential.
  • The migration itself. It was all in the planning, right? This should be easy! Make sure you've got appropriate resources. Don't be scared to scale up; some customers of mine have migrated 1000s per night. Keep reviewing feedback from users and IT. You might not need to act on it though.
  • Post-migration. Time to get rid of on-premises? SMTP senders may be worth keeping a server for; remember our app servers and copiers? You can use an EOP connector though. Big benefits with provisioning too when creating remote mailboxes. But it's an Exchange server to patch and maintain.
  • Exchange online real world migration challenges

    1. Exchange Online Real-World Migration Challenges. Steve Goodman, Exchange MVP, Phoenix IT Group
    2. EXCHANGE ONLINE – REAL-WORLD MIGRATION CHALLENGES: The Case for Hybrid; Hybrid Challenges; Coexistence Challenges; Planning your migration; The migration itself
    4. (Diagram labels) Organization; Secure Mail Flow; Sharing (free/busy, MailTips, etc.); Exchange Servers; AD; Mailbox Moves; AD FS; Users, Contacts & Groups; DirSync & FIM
    5. Exchange 2010 (SP2+) and Exchange 2013 only support Hybrid methods for migration – cutover and staged are not an option. Makes moving from a pilot to a full migration simple, and re-uses Exchange skills. Think of it as a transition rather than a migration.
    6. Smaller 2007 and 2003 migrations; non-Microsoft migrations; multiple on-premises Exchange organizations. Various options available: Staged; Cutover; third-party solutions including MigrationWiz, Binary Tree E2E Complete and the Quest toolset.
    7. HYBRID CHALLENGES: What you'll need to overcome before you can start planning to migrate mailboxes
    8. Migration of client-facing services, including: moving AutoDiscover and other services; implementing a legacy namespace. Similar to an Exchange 200x to 201x front-end services migration. Options available: Exchange 2013 RTM CU2 "Hybrid Servers"; Exchange 2010 SP3 "Hybrid Servers"; free licenses available for both from Microsoft Support.
    9. Should you implement Exchange 2013 RTM CU2 as a Hybrid Server? Where do you need to deploy Exchange 2010 SP3?
    10. External HTTPS namespaces: use the Remote Connectivity Analyser to test Exchange Web Services (EWS) and AutoDiscover. Access to the above virtual directories is required for Hybrid Configuration and mailbox migrations. Verify you add the correct firewall exceptions to all services, both inbound and outbound. For outbound, MS recommend allowing by URL rather than IP due to Content Distribution Networks (CDNs).
    11. Authenticated proxy servers cause issues: Exchange Servers cannot authenticate to proxy servers, and outbound communications, including Federated Sharing and the Hybrid Configuration Wizard, will fail. Outlook clients cannot authenticate to proxy servers and will fail to connect to Office 365. Solutions: configure the proxy server to exclude the Exchange Online datacentre URLs from authentication; on Exchange Servers, set the proxy server in netsh and in Exchange: netsh winhttp import proxy source=ie and Set-ExchangeServer <servername> -InternetWebProxy:"http://proxy:8080"
    12. You need valid third-party certificates for HTTPS namespaces and SMTP. Exception: the Federation Certificate is self-signed. Did you ever set up Federated Sharing before Exchange 2010 SP1?
    13. HCW attempts AutoDiscover for each hybrid domain. If you have some domains without AutoDiscover DNS names and appropriate certificates configured, the HCW will fail to complete. Exchange 2013 and Exchange 2010 SP3 RU1+ have a solution: Set-HybridConfiguration -Domain ",". SSL offload will cause issues with mailbox moves: Remote Mailbox Moves will fail as SSL offload is not supported by the MRS Proxy. You may need to retain SSL offload, but there are workarounds; for example, use an additional FQDN for Remote Mailbox Moves that bypasses SSL offload using a different load balancer VIP.
    14. What is pre-authentication? What uses pre-authentication? Why is this a problem? Federated Sharing, e.g. /EWS/Exchange.asmx/WSSecurity. What are the solutions? Rules before pre-authentication to exclude these paths; or disable pre-authentication for /AutoDiscover/* and /EWS/* completely!
    15. Make sure you understand the organization's mail routing. Make sure you put the right certificates on the Hub servers you will use for the Hybrid configuration. Bear in mind firewalls and load balancers that mask the real sender's address. Changes to Receive Connectors may be needed.
    16. Provides free/busy and calendar sharing. Relies on AutoDiscover and Exchange Web Services. These components can't use pre-authentication. Troubleshooting tools include IIS logs and event logs.
    17. SSL offload can cause issues here too. The URL used can be specified manually, but try not to. Remember the limitations of Federated Sharing.
    18. Forests with sub-domains are no problem. Account + resource forests: Exchange is in a dedicated resource forest and user accounts are in one or more forests; the Windows Azure Active Directory Connector can replace DirSync. Multiple forests and Exchange organizations: no supported partner/self-deployable solution; must involve Microsoft.
    19. Used for encrypted mail. While not unsupported, it can cause challenges. Certificates are not automatically available to allow users to sign and encrypt mail to organization contacts. DirSync will not push user certificates to Office 365, so the cert is not in the GAL. Solution: use an LDAP provider in Outlook with the fully qualified domain name of a Global Catalog server.
    20. Commonly used to manage iPads, Android tablets and similar. Not just for managing Exchange features, but also deployment of applications and device monitoring. Non-ActiveSync solutions like Good will need updates. Inline ActiveSync solutions may cause issues.
    21. COEXISTENCE CHALLENGES: While you're migrating, what do you need to consider?
    22. Larger organizations often mean more sharing. Sharing may cross many intra-org boundaries. Not all sharing is easy to discover. Cross-premises sharers need to re-share calendars. No cross-premises access to shared mailboxes.
    23. While you use DirSync, on-premises DGs cannot be managed in Office 365. This means DGs cannot be managed in Outlook or OWA. What solutions are available? FIM Portal; ADUC delegation. Post-migration you could move to cloud-only DGs.
    24. Public Folder access is not configured automatically. Access is configured using RPC over HTTPS (Outlook Anywhere). During coexistence all users access on-premises public folders. Only migrate public folders after migrating all users to the cloud. Limited to 2.5TB of Public Folders; this limit cannot be increased on a per-customer basis.
    26. The most important part. Base tools are very useful: OnRamp replaces the Deployment Readiness Tools; ExDeploy – Exchange Deployment Assistant; other great MS tools including MAP for MS Online Services.
    27. Active Directory & Exchange information: clients like Outlook, ActiveSync, IMAP, SMTP clients, EWS, BES; shared mailboxes and who shares with whom; UM and archive mailboxes in use; policies that aren't migrated, such as ActiveSync, OWA Mailbox and Retention Policies; mailbox and message sizes; previous cross-forest migrations. Local knowledge: stats aren't everything – IT staff supporting the users generally are a wealth of information about the user base.
    28. (Diagram labels) Active Directory Data; General User Information; Department; Exchange Server; Mailbox Size; Collaboration and Shared Mailboxes; Consolidated Data; Local IT Support Knowledge; Migration Groups (Batches); Outlook Clients; BES; ActiveSync Clients; IMAP/POP3 Clients; BES Devices; C2C Archive One Users
    29. Migration concurrency depends on multiple factors. Test throughput during the times you will migrate. Leavers' mailboxes provide good candidates for throughput testing. Remember you can move mailboxes back to re-test (and should test that you can do this, anyway).
    30. Double check your pre-requisites for successful moves: Is it an on-premises mailbox with a corresponding mail user in the cloud? Does the mailbox have a licence assigned? Does the UPN match on-premises and in the cloud (and of course, does AD FS work correctly)? Have all required details, like email addresses, synchronized successfully? Were there any mailbox items larger than 25MB? Do you have any clean-up for cross-premises migrations to do? Check-EXOMigPreRequisites.ps1 script available to download from
    31. Good documentation should be tested alongside your pilot migration. User and IT documentation. ActiveSync users may need the most support because these devices do not automatically update server settings. Listen to recommendations from IT staff who know the user base well. Consider an end-user portal.
    33. Distribution Groups are great to use for migration batches! It's a communications channel; the helpdesk can use them; you can feed them to test scripts; and of course you can use them to create Remote Move Requests.
    34. (Flowchart labels) Migration Batch; Import Batch into Active Directory Group; Communicate with end users within batch; Communicate with end-user IT support staff; Mailbox sign-off if required; Determine successful users; Schedule batch; User requests re-schedule? Yes; Successful batch complete; Add unsuccessful users to retry batch; Leave other users in migration batch; Inform IT support of change; Add to retry batch
    35. Before the main pilot, iron out all the issues you can. Treat the pilot like the real deal. Don't just use IT! Use real users who'll give you real feedback!
    36. By this point it should be straightforward. Communicate with users so they know what's coming. Make sure you have the appropriate resources. Don't be afraid to scale up as you go along. Again, keep reviewing feedback.
    37. If you've moved all users to the cloud, is it time to get rid of on-premises entirely? SMTP senders may require an on-premises SMTP server or an EOP connector. Consider provisioning and management. Remember you need to patch and maintain.
    39. It's all in the planning. The more you test, the more chance of success. If you plan on an on-going hybrid environment or a longer migration, discovery is very important. Exchange 2010 SP3 is still a great option for a "hybrid" Exchange server if Exchange 2013 isn't planned for on-premises.