MS TechDays 2011 - Microsoft Exchange Server and Office 365 Hybrid Deployment
1. Microsoft Exchange Server and Office 365: Hybrid Deployment
SINGAPORE
Sanjeev Thakur, Sr. Premier Field Engineer, Microsoft Singapore
Ram Muthukaruppan, Sr. Consultant, Microsoft Singapore
2. Agenda
Overview of Hybrid Deployment
Planning Hybrid Deployment
Mail Flow Architecture
Calendar Sharing
Secure Transport
Deployment
Migration
What’s new in SP2
Q&A
3. (Diagram) Source systems: Exchange, IMAP, Lotus Notes, Google. Organization sizes: Large, Medium, Small. Deployment models: On-Premises, On-Cloud, Hybrid. Capabilities: Single Sign-On, DirSync, Exchange sharing features, Bulk Provisioning.
4. Overview of Hybrid Deployment
Seamless interactions between on-premises and cloud mailboxes
Calendars and free/busy information sharing between on-premises and cloud mailboxes
Mailbox management can be done using the on-premises Exchange Management Console
Users can log on to their email accounts with their existing credentials regardless of their mailbox location
Migrations into and out of Exchange Online are transparent to the user
5. Limitations - Hybrid Deployment
Coexistence of mailbox permissions – permissions are migrated, but do not work when delegator and delegate are split between on-premises and cloud
Migration of Send As for non-mailbox recipients
Multi-forest – only single-forest source environments
Public Folders
7. Hybrid Server Roles
2 Required Server Roles:
• Office 365 Active Directory Synchronization
• Exchange Server 2010 SP1 CAS/Hub*
1 Optional Server Role:
9. Planning Hybrid Deployment
To use hybrid deployment, you must maintain at least one
Federation technology
Identity Federation: provides SSO; requires AD FS 2.0; applies to all Office 365 services
Exchange Federation: Exchange Federation Trust and organization relationships; applies only to Exchange Online services
11. Domain Name Requirement
Primary SMTP Domain: contoso.com – MX record points to on-premises
Service Domain: service.contoso.com – MX record points to Office 365; used for mail routing between on-premises and Office 365
Delegation Domain: exchangedelegation.contoso.com – only used for setting up the Federation Trust; DNS TXT records configured for proof of ownership purposes
12. Certificate Requirement
A public certificate is required to successfully set up both Identity Federation and Exchange Federation
A public certificate is required for the following services: AD FS endpoints (AD FS Proxy), Exchange Web Services, Autodiscover
The Exchange Federation Trust can use a self-signed, public, or internal CA generated certificate
The Exchange Management Console wizard creates a self-signed certificate if one does not exist
This certificate is only used to sign and encrypt delegation tokens
Exchange automatically distributes this certificate to other CAS servers
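As an added example (not part of the original deck), the following PowerShell checks the DNS layout from slide 11 and the certificate rules from slide 12 before a hybrid deployment starts. The domain names are the slides' sample values; the on-premises MX host name is an assumption, and Get-ExchangeCertificate must run in the Exchange Management Shell.

```powershell
# Added example, not from the slides: verify slide 11 (DNS) and slide 12 (certificate) prerequisites.
# Resolve-DnsName runs on any Windows 8 / Server 2012 or later host; Get-ExchangeCertificate needs
# the Exchange Management Shell on an on-premises Exchange 2010 server.
$PrimaryDomain    = 'contoso.com'
$ServiceDomain    = 'service.contoso.com'
$DelegationDomain = 'exchangedelegation.contoso.com'
$OnPremMxHost     = 'mail.contoso.com'   # assumption: public name of the on-premises SMTP endpoint

function Test-HybridDns {
    param([string]$Primary, [string]$Service, [string]$Delegation, [string]$OnPremMx)
    $r = [ordered]@{}
    # Slide 11: MX for the primary SMTP domain stays on-premises
    $mx = Resolve-DnsName -Name $Primary -Type MX -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'MX' }
    $r['PrimaryMxOnPrem'] = [bool]($mx | Where-Object { $_.NameExchange -eq $OnPremMx })
    # Slide 11: MX for the service domain points at Office 365, never back on-premises
    $smx = Resolve-DnsName -Name $Service -Type MX -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'MX' }
    $r['ServiceMxInCloud'] = (@($smx).Count -gt 0) -and
                             -not ($smx | Where-Object { $_.NameExchange -eq $OnPremMx })
    # Slide 11: TXT record on the delegation domain proves ownership for the federation trust
    $txt = Resolve-DnsName -Name $Delegation -Type TXT -ErrorAction SilentlyContinue
    $r['DelegationTxtPresent'] = [bool]$txt
    # Slide 12: Autodiscover must resolve for both the primary and the service namespace
    foreach ($d in $Primary, $Service) {
        $r["Autodiscover.$d"] = [bool](Resolve-DnsName -Name "autodiscover.$d" -ErrorAction SilentlyContinue)
    }
    return $r
}

function Test-HybridCertificates {
    param([string]$Primary)
    # Slide 12: the certificate serving EWS and Autodiscover (bound to IIS) must come from a public CA;
    # a self-signed certificate is acceptable only for the federation trust (delegation token signing).
    Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | ForEach-Object {
        $names = @($_.CertificateDomains | ForEach-Object { $_.ToString() })
        [pscustomobject]@{
            Thumbprint         = $_.Thumbprint
            Subject            = $_.Subject
            NotSelfSigned      = -not $_.IsSelfSigned
            CoversAutodiscover = ($names -contains "autodiscover.$Primary")   # wildcard names need a manual look
            Expires            = $_.NotAfter
        }
    }
}

Test-HybridDns -Primary $PrimaryDomain -Service $ServiceDomain -Delegation $DelegationDomain -OnPremMx $OnPremMxHost
Test-HybridCertificates -Primary $PrimaryDomain | Format-Table -AutoSize
```

Once the trust exists, Test-FederationTrust -UserIdentity <user> exercises the delegation-token path end to end, which the static checks above cannot.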
14. Single Namespace – Core Concepts
(Diagram) MX for contoso.com = on premises. Email from external recipient joe@foo.com travels over the Internet to ben@contoso.com on the on-premises Exchange 2003 FE/BE server, inside the on-premises AD forest (with DC).
15. Shared Namespace – Core Concepts
(Diagram) MX for contoso.com = on premises; MX for service.contoso.com = Exchange Online. Email from external recipient joe@foo.com to ben@contoso.com arrives over the Internet at the on-premises Exchange 2003 FE/BE server (AD forest, DC), with Exchange Online reachable through the service domain.
18. Federated Free/busy
(Diagram) A free/busy request from Ben to Joe crosses between Exchange Online and on premises: the Mailbox Server and Client Access Server handle the request, the Microsoft Federation Gateway brokers it, and Ben's user object and Joe's mailbox are on premises.
19. Exchange Online Archive
(Diagram) An archive request from Ben to his Exchange Online archive: Ben's Mailbox Server and Client Access Server on premises reach the archive in Exchange Online via the Microsoft Federation Gateway, while user "Ben" remains on premises.
21. Secure Mail – TLS
(Diagram) Mail between on-premises Mailbox "Ben" (through the on-premises Hub Transport Server) and Exchange Online Mailbox "Joe" in the cloud passes through ForeFront Online Protection for Exchange using Domain Secure TLS.
22. Secure Mail – Sending Internal Headers to the Cloud
(Diagram) The on-premises Hub Transport Server sends XOORG data and the certificate subject through ForeFront Online Protection for Exchange to Exchange Online (Mailbox "Ben" on premises to Mailbox "Joe" in the cloud); cross-premises emails are authenticated as "Internal".
23. Secure Mail – Sending Internal Headers to On-premises
(Diagram) Emails from the cloud (Mailbox "Joe" in Exchange Online) carry XOORG data through ForeFront Online Protection for Exchange to the on-premises Hub Transport Server (Mailbox "Ben") and are seen as Internal by on-premises transport.
24. Centralized Mail flow Control
(Diagram) Internet mail passes through ForeFront Online Protection for Exchange and Exchange Online to the on-premises Hub Transport Server and Mailbox Server; centralized mail flow control sits on premises.
29. Creating the Exchange Federation Trust
Create Exchange Federation Trust with the MFG using a "unique namespace", e.g. "exchangedelegation.contoso.com"
(Diagram) The on-premises AD forest, through the Exchange 2010 CAS/HUB server, establishes the trust with the Microsoft Federation Gateway (MFG); the Exchange Online tenant (MSO ID) has an automatic implied trust with the MFG. The on-premises organization holds an Org Relationship with "service.contoso.com"; Exchange Online holds an Org Relationship with "contoso.com".
30. Creating the Secure Mail Connectors
(Diagram) Connectors between the on-premises Exchange 2010 CAS/HUB server (AD forest) and Exchange Online, with FOPE in between.
32. Hybrid Coexistence Migration
It’s a true “online” move – user stays connected to their mailbox through the move
– Client switchover happens automatically at the end
– Traditional “offline” move when moving from Exchange 2003 source
Outlook uses Autodiscover to detect the change and fixes up the user’s Outlook
profile automatically on the client machine
Since it’s a move (not a new mailbox + data copy), Outlook doesn’t see it as a
new/different mailbox. End result = No OST resync
Moves are queued and paced by the datacenter
Object conversion for mail routing happens automatically after data move
– Mailbox on-premises gets converted to Mail-enabled user automatically
– Admin can override this automation and stage the move-then-convert steps
33. Autodiscover
Mailbox: Primary SMTP Address = ben@contoso.com; Secondary SMTP Address = guid@service.contoso.com
Remote Mailbox: Primary SMTP Address = ben@contoso.com; Remote Routing Address = guid@service.contoso.com
(Diagram) Outlook client flow:
(1) Where is my mailbox?
(2) Local Exchange passes a redirect to "service.contoso.com"
(3) Outlook attempts to discover the endpoint "autodiscover.service.contoso.com" through a DNS record
(4) Authentication request
(5) Authentication success
(6) Profile builds
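As an added example (not part of the original deck), this PowerShell drives the online move from slide 32 and then verifies the object conversion and routing address from slide 33. New-MoveRequest -Remote runs in a remote PowerShell session to Exchange Online; Get-RemoteMailbox runs in the on-premises Exchange Management Shell. The MRSProxy host name and the credential are assumptions.

```powershell
# Added example, not from the slides: onboarding move (slide 32) and post-move verification (slide 33).
$User         = 'ben@contoso.com'
$TargetDomain = 'service.contoso.com'      # the service domain from slide 11
$MrsProxyHost = 'mail.contoso.com'         # assumption: external CAS name with MRSProxy enabled
$OnPremCred   = Get-Credential -Message 'On-premises account with mailbox move rights'

function Start-HybridOnboarding {
    param([string]$Identity, [string]$RemoteHost, [pscredential]$Credential, [string]$DeliveryDomain)
    # Slide 32: a true online move; the user stays connected until the final client switchover
    New-MoveRequest -Identity $Identity -Remote -RemoteHostName $RemoteHost `
        -RemoteCredential $Credential -TargetDeliveryDomain $DeliveryDomain | Out-Null
    do {
        Start-Sleep -Seconds 60            # moves are queued and paced by the datacenter
        $stats = Get-MoveRequestStatistics -Identity $Identity
        Write-Host ("{0}: {1} ({2}%)" -f $Identity, $stats.Status, $stats.PercentComplete)
    } until ($stats.Status -in 'Completed', 'CompletedWithWarning', 'Failed')
    return $stats
}

function Test-ConvertedMailbox {
    param([string]$Identity, [string]$DeliveryDomain)
    # Slides 32/33: after the move the on-premises mailbox becomes a mail-enabled user (remote mailbox)
    # whose RemoteRoutingAddress is guid@<service domain>; Outlook is redirected to that namespace.
    $rm = Get-RemoteMailbox -Identity $Identity -ErrorAction SilentlyContinue
    if (-not $rm) { return $false }        # still a Mailbox object: conversion has not happened yet
    $routing      = [string]$rm.RemoteRoutingAddress
    $autodiscover = Resolve-DnsName -Name "autodiscover.$DeliveryDomain" -ErrorAction SilentlyContinue
    return (($routing -like "*@$DeliveryDomain") -and
            ($rm.PrimarySmtpAddress.ToString() -eq $Identity) -and
            [bool]$autodiscover)
}

# Exchange Online session: Start-HybridOnboarding -Identity $User -RemoteHost $MrsProxyHost -Credential $OnPremCred -DeliveryDomain $TargetDomain
# On-premises shell:       Test-ConvertedMailbox -Identity $User -DeliveryDomain $TargetDomain
```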
34. What’s New in Exchange 2010 SP2?
New Hybrid Configuration Wizard
– Exchange federation trust
– Organization relationships
– Remote domains/accepted domains
– Email address policies
– Send/Receive connector
– Forefront inbound/outbound connectors
– MRSProxy
– Pre-req checks (e.g. Office365 Active Directory Sync, Exchange certificates, registered custom domains, etc…)
Pre-SP2: approximately 50 manual steps. With SP2: now only 6 manual steps.
New PowerShell cmdlets
– New/Get/Set/Update-HybridConfiguration
Namespaces improvements
– Removing requirement for unique namespace
– Providing every customer a coexistence domain, for every hybrid deployment
• Service.contoso.com is now Contoso.mail.onmicrosoft.com