Transcript of "MS TechDays 2011 - Microsoft Exchange Server and Office 365 Hybrid Deployment"
Microsoft Exchange Server and Office 365: Hybrid Deployment (TechDays Singapore)
Speakers: Sanjeev Thakur, Sr. Premier Field Engineer, Microsoft Singapore; Ram Muthukaruppan, Sr. Consultant, Microsoft Singapore
Agenda
- Overview of Hybrid Deployment
- Planning a Hybrid Deployment
- Mail Flow Architecture
- Calendar Sharing
- Secure Transport
- Deployment
- Migration
- What's new in SP2
- Q&A
[Slide diagram: deployment options by organization size (Large, Medium, Small) and source system (Exchange, IMAP, Lotus Notes, Google), placed across On-Premises, Hybrid and On-Cloud; supporting features shown: Single Sign-On, DirSync, Exchange sharing features, Bulk Provisioning]
Overview of Hybrid Deployment
- Seamless interaction between on-premises and cloud mailboxes
- Calendar and free/busy information sharing between on-premises and cloud mailboxes
- Mailbox management can be done from the on-premises Exchange Management Console
- Users log on to their email with their existing credentials regardless of where their mailbox is located
- Migrations into and out of Exchange Online are transparent to the user
Limitations of Hybrid Deployment
- Coexistence of mailbox permissions: permissions are migrated, but do not work when delegator and delegate are split between on-premises and cloud
- Migration of Send As for non-mailbox recipients
- Multi-forest: only single-forest source environments are supported
- Public Folders
Planning a Hybrid Deployment
To use a hybrid deployment, you must maintain at least one federation technology:
- Identity Federation
  - Provides SSO
  - Requires AD FS 2.0
  - Applies to all Office 365 services
- Exchange Federation
  - Exchange Federation Trust
  - Organization relationships
  - Applies only to Exchange Online services
Domain Name Requirements
- Primary SMTP domain: contoso.com
  - MX record points to on-premises
- Service domain: service.contoso.com
  - MX record points to Office 365
  - Used for mail routing between on-premises and Office 365
- Delegation domain: exchangedelegation.contoso.com
  - Only used for setting up the Federation Trust
  - DNS TXT records configured for proof-of-ownership purposes
Certificate Requirements
- A public certificate is required to successfully set up both Identity Federation and Exchange Federation
- A public certificate is required for the following services:
  - AD FS endpoints (AD FS Proxy)
  - Exchange Web Services
  - Autodiscover
- The Exchange Federation Trust can use a self-signed, public, or internal-CA-generated certificate
  - The Exchange Management Console wizard creates a self-signed certificate if one does not exist
  - This certificate is only used to sign and encrypt delegation tokens
  - Exchange automatically distributes this certificate to the other CAS servers
Single Namespace (core concepts)
[Slide diagram: MX for contoso.com points to on-premises. Mail from an external recipient on the Internet to a contoso.com address is delivered to the on-premises AD forest (Exchange 2003 FE/BE server and DC).]
Shared Namespace (core concepts)
[Slide diagram: MX for contoso.com points to on-premises; MX for service.contoso.com points to Exchange Online. Mail from an external recipient to a contoso.com address still arrives on-premises (Exchange 2003 FE/BE server, DC) and is relayed to Exchange Online through the service.contoso.com domain when the mailbox lives in the cloud.]
Secure Mail: TLS protection for Exchange (Domain Secure)
[Slide diagram: on-premises Mailbox server and Hub Transport server (mailbox "Ben") exchange mail with an Exchange Online mailbox ("Joe") through Forefront Online Protection for Exchange (FOPE) over TLS.]
Secure Mail: sending internal headers to the cloud
[Slide diagram: the on-premises Hub Transport server sends XOORG data to FOPE; FOPE checks the certificate subject of the sending server, and cross-premises emails are authenticated as "Internal" on delivery to the Exchange Online mailbox.]
Secure Mail: sending internal headers to on-premises
[Slide diagram: emails from the cloud carry XOORG data through FOPE to the on-premises Hub Transport server and are seen as Internal by on-premises transport.]
Centralized Mail Flow Control
[Slide diagram: with centralized mail flow control, mail from Exchange Online mailboxes is routed through FOPE to the on-premises Hub Transport server before going to the Internet.]
Creating the Exchange Federation Trust
- Create the Exchange Federation Trust with the Microsoft Federation Gateway (MFG) using a "unique namespace", e.g. "exchangedelegation.contoso.com"
- [Slide diagram: Microsoft Online ID and the MFG; an automatic, implied trust exists between the Exchange Online tenant and the MFG]
- On-premises org (Exchange 2010 CAS/HUB server): Organization Relationship with "service.contoso.com"
- Exchange Online org: Organization Relationship with "contoso.com"
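The Exchange Management Shell commands behind this slide, as an added example rather than content from the original deck. It assumes the names used on the slides (contoso.com, service.contoso.com, exchangedelegation.contoso.com, mailbox "Ben"), a certificate thumbprint placed in `$thumbprint`, and the display names "Microsoft Federation Gateway", "Exchange Online" and "On-premises"; all of these are assumptions you replace with your own values.

```powershell
# Added example (not from the original slides): on-premises Exchange 2010 SP1 steps to
# create the federation trust with the MFG and the organization relationships.
# Assumptions: delegation namespace exchangedelegation.contoso.com, primary domain
# contoso.com, service domain service.contoso.com, thumbprint in $thumbprint, and the
# display names used below.

# 1. Create the trust with the Microsoft Federation Gateway. The certificate only
#    signs/encrypts delegation tokens, so a self-signed one is acceptable here.
$thumbprint = "<thumbprint of the federation certificate>"   # placeholder: replace
New-FederationTrust -Name "Microsoft Federation Gateway" -Thumbprint $thumbprint

# 2. Prove ownership of the namespaces. Each call returns a Proof string that must be
#    published as a DNS TXT record for that domain before the next step will succeed.
Get-FederatedDomainProof -DomainName "exchangedelegation.contoso.com"
Get-FederatedDomainProof -DomainName "contoso.com"

# 3. Bind the unique delegation namespace to the trust, then add the primary domain.
Set-FederationOrganizationIdentifier -DelegationFederationTrust "Microsoft Federation Gateway" `
    -AccountNamespace "exchangedelegation.contoso.com" -Enabled $true
Add-FederatedDomain -DomainName "contoso.com"

# 4. On-premises side: organization relationship with the tenant's service domain.
#    Get-FederationInformation reads the tenant's federation metadata (Autodiscover
#    endpoint, application URI) so nothing is typed by hand.
Get-FederationInformation -DomainName "service.contoso.com" |
    New-OrganizationRelationship -Name "Exchange Online" `
        -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails `
        -MailboxMoveEnabled $true -MailTipsAccessEnabled $true -DeliveryReportEnabled $true

# 5. Tenant side (run in an Exchange Online remote PowerShell session): the mirror
#    relationship that lets cloud mailboxes read on-premises free/busy.
Get-FederationInformation -DomainName "contoso.com" |
    New-OrganizationRelationship -Name "On-premises" `
        -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails

# 6. Checks: validate the trust end to end and the relationship for a real user.
Test-FederationTrust -UserIdentity "ben@contoso.com"
Test-OrganizationRelationship -Identity "Exchange Online" -UserIdentity "ben@contoso.com"
```

Run steps 1 to 4 and 6 on an on-premises Exchange 2010 SP1 server and step 5 against the tenant. `Test-FederationTrust` fails until the TXT records from step 2 have propagated, which is the usual cause of a free/busy lookup that works in one direction only.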
Creating the Secure Mail Connectors
[Slide diagram: FOPE sits between the on-premises AD forest (Exchange 2010 CAS/HUB server) and Exchange Online; send and receive connectors on the on-premises server connect to FOPE.]
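The on-premises side of the secure mail connectors described on the preceding slides (TLS protection, XOORG internal headers in both directions), as an added example and not the deck's own script. Assumed values: service domain service.contoso.com, FOPE smart host "mail.global.frontbridge.com", FOPE TLS certificate name "mail.messaging.microsoft.com", source server HUB01, and a placeholder for the FOPE IP ranges; take the real values from your tenant's FOPE administration center.

```powershell
# Added example (not from the original slides): Hub Transport configuration for
# secure mail with Forefront Online Protection for Exchange (FOPE).
# Assumptions: service.contoso.com, smart host mail.global.frontbridge.com, FOPE TLS
# certificate name mail.messaging.microsoft.com, server HUB01, FOPE IP range placeholder.

# 1. Tell on-premises Exchange what service.contoso.com is: an accepted domain it may
#    relay for, and the remote domain whose mail is trusted cross-premises traffic
#    (TrustedMail* is what turns the XOORG exchange on for this domain).
New-AcceptedDomain -Name "service.contoso.com" -DomainName "service.contoso.com" -DomainType InternalRelay
New-RemoteDomain -Name "Exchange Online" -DomainName "service.contoso.com"
Set-RemoteDomain -Identity "Exchange Online" -TargetDeliveryDomain $true `
    -TrustedMailOutboundEnabled $true -TrustedMailInboundEnabled $true

# 2. Outbound: force TLS and require the peer certificate to match the FOPE name.
#    DomainValidation (not EncryptionOnly) is what makes the internal headers safe to
#    send: an encrypted session alone proves nothing about who is on the other end.
New-SendConnector -Name "Outbound to Office 365" -Usage Custom `
    -AddressSpaces "service.contoso.com" -SourceTransportServers "HUB01" `
    -SmartHosts "mail.global.frontbridge.com" -SmartHostAuthMechanism None -DNSRoutingEnabled $false `
    -RequireTLS $true -TlsAuthLevel DomainValidation -TlsDomain "mail.messaging.microsoft.com"

# 3. Inbound: honour XOORG ("treat this message as internal") only from a TLS peer
#    whose certificate carries the FOPE name; from any other sender it is ignored.
New-ReceiveConnector -Name "Inbound from Office 365" -Usage Internet -Server "HUB01" `
    -Bindings "0.0.0.0:25" -RemoteIPRanges "<FOPE IP ranges>" -RequireTLS $true `
    -TlsDomainCapabilities "mail.messaging.microsoft.com:AcceptOorgProtocol"

# 4. Check the settings that decide whether cross-premises mail is really authenticated:
#    TlsAuthLevel/TlsDomain on the way out, TlsDomainCapabilities on the way in.
Get-SendConnector "Outbound to Office 365" |
    Format-List Name, AddressSpaces, SmartHosts, RequireTLS, TlsAuthLevel, TlsDomain
Get-ReceiveConnector "HUB01\Inbound from Office 365" |
    Format-List Name, RemoteIPRanges, RequireTLS, TlsDomainCapabilities
```

If the receive connector is created without `TlsDomainCapabilities`, mail from the cloud still arrives but is treated as anonymous Internet mail, so MailTips, internal message classification and the "Internal" sender display stop working for cloud users; that is the symptom to look for when the checks in step 4 show an empty value.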
Hybrid Coexistence Migration
- It is a true "online" move: the user stays connected to their mailbox throughout the move
  - Client switchover happens automatically at the end
  - Traditional "offline" move when moving from an Exchange 2003 source
- Outlook uses Autodiscover to detect the change and fixes up the user's Outlook profile automatically on the client machine
- Since it is a move (not a new mailbox plus data copy), Outlook does not see it as a new or different mailbox; end result: no OST resync
- Moves are queued and paced by the datacenter
- Object conversion for mail routing happens automatically after the data move
  - The on-premises mailbox is converted to a mail-enabled user automatically
  - Admins can override this automation and stage the move-then-convert steps
Autodiscover after a move
- On-premises Mailbox object: primary SMTP address on contoso.com, secondary SMTP address on service.contoso.com
- Remote Mailbox object (after the move): primary SMTP address on contoso.com, Remote Routing Address on service.contoso.com
1. Outlook asks "Where is my mailbox?"
2. Local (on-premises) Exchange returns a redirect to "service.contoso.com"
3. Outlook attempts discovery through the DNS record and endpoint "autodiscover.service.contoso.com"
4. The Outlook client sends the authentication request
5. Authentication succeeds
6. The profile is built
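The address policy, MRSProxy and move-request commands that make the two preceding slides (online move, Autodiscover redirect via the remote routing address) work in practice, as an added example that is not part of the original deck. It assumes the policy name "Default Policy", the on-premises Client Access server CAS01 reachable externally as mail.contoso.com, and the mailbox ben@contoso.com; replace these with your own values.

```powershell
# Added example (not from the original slides): preparing routing addresses, enabling
# MRSProxy, running an online move and checking the resulting remote mailbox.
# Assumptions: policy "Default Policy", CAS01 / mail.contoso.com, user ben@contoso.com.

# 1. Every on-premises mailbox needs a secondary @service.contoso.com address: after the
#    move it becomes the Remote Routing Address that Autodiscover redirects to.
Set-EmailAddressPolicy -Identity "Default Policy" `
    -EnabledEmailAddressTemplates "SMTP:%m@contoso.com", "smtp:%m@service.contoso.com"
Update-EmailAddressPolicy -Identity "Default Policy"

# 2. Check before moving anything: mailboxes still missing the routing address.
#    This list should be empty; a mailbox moved without it cannot be found by Outlook.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not ($_.EmailAddresses | Where-Object { "$_" -like "*@service.contoso.com" }) } |
    Select-Object Name, PrimarySmtpAddress

# 3. Expose MRSProxy on the on-premises CAS so the datacenter can pull the mailbox data
#    over Exchange Web Services (this is the endpoint behind mail.contoso.com).
Set-WebServicesVirtualDirectory -Identity "CAS01\EWS (Default Web Site)" -MRSProxyEnabled $true

# 4. From an Exchange Online remote PowerShell session: start the online move. The user
#    stays connected while data is copied; the switchover happens when it completes.
$onPremCred = Get-Credential   # on-premises account allowed to run mailbox moves
New-MoveRequest -Identity "ben@contoso.com" -Remote -RemoteHostName "mail.contoso.com" `
    -RemoteCredential $onPremCred -TargetDeliveryDomain "service.contoso.com"

# 5. Watch progress; the datacenter queues and paces the moves.
Get-MoveRequest -Identity "ben@contoso.com" | Get-MoveRequestStatistics |
    Select-Object DisplayName, Status, PercentComplete

# 6. After completion the on-premises object is a remote mailbox (mail-enabled user)
#    whose Remote Routing Address is the service-domain address from step 1.
Get-RemoteMailbox -Identity "ben@contoso.com" | Select-Object PrimarySmtpAddress, RemoteRoutingAddress
```

Step 6 is also the first thing to check when a moved user's Outlook keeps prompting: if `RemoteRoutingAddress` is empty or not on service.contoso.com, the on-premises Autodiscover redirect in step 2 of the slide has nowhere to point.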
What's New in Exchange 2010 SP2?
- New Hybrid Configuration Wizard, which configures:
  - Exchange federation trust
  - Organization relationships
  - Remote domains / accepted domains
  - Email address policies
  - Send/Receive connectors
  - Forefront inbound/outbound connectors
  - MRSProxy
  - Pre-requisite checks (i.e. Office 365 Active Directory Sync, Exchange certificates, registered custom domains, etc.)
- Pre-SP2: approximately 50 manual steps; with SP2: only 6 manual steps
- New PowerShell cmdlets: New/Get/Set/Update-HybridConfiguration
- Namespace improvements
  - Removes the requirement for a unique namespace
  - Provides every customer a coexistence domain for every hybrid deployment: service.contoso.com is now contoso.mail.onmicrosoft.com
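The SP2 cmdlets named on this slide in the order the Hybrid Configuration Wizard uses them, as an added example and not the deck's own script. Assumed values: domain contoso.com, servers CAS01 and HUB01, external IP address 203.0.113.10 (a documentation address), smart host mail.contoso.com, and the feature list; replace them with your own.

```powershell
# Added example (not from the original slides): driving the SP2 hybrid configuration
# from the shell. Assumptions: contoso.com, CAS01, HUB01, 203.0.113.10, mail.contoso.com.

# 1. Create the HybridConfiguration object in Active Directory, then describe the
#    environment. Features controls what Update-HybridConfiguration will configure.
New-HybridConfiguration
Set-HybridConfiguration -Domains "contoso.com" `
    -ClientAccessServers "CAS01" -TransportServers "HUB01" `
    -ExternalIPAddresses "203.0.113.10" -OnPremisesSmartHost "mail.contoso.com" `
    -Features FreeBusy, MoveMailbox, Mailtips, MessageTracking, OnlineArchive, OWARedirection, SecureMail

# 2. Apply it. Both credentials are needed because the cmdlet configures the federation
#    trust, organization relationships, connectors and MRSProxy on-premises and the
#    matching relationship and Forefront connectors on the tenant side.
$onPrem = Get-Credential   # on-premises Organization Management member
$tenant = Get-Credential   # Office 365 global administrator
Update-HybridConfiguration -OnPremisesCredentials $onPrem -TenantCredentials $tenant

# 3. Check what was recorded and what was actually created; these are the same objects
#    that the pre-SP2 manual procedure produced one by one.
Get-HybridConfiguration | Format-List Domains, Features, ClientAccessServers, TransportServers
Get-FederationTrust | Format-List Name, ApplicationIdentifier
Get-OrganizationRelationship | Format-List Name, DomainNames, FreeBusyAccessLevel, MailboxMoveEnabled
Get-SendConnector | Where-Object { $_.AddressSpaces -like "*mail.onmicrosoft.com*" } |
    Format-List Name, AddressSpaces, RequireTLS, TlsAuthLevel, TlsDomain
```

Leaving `SecureMail` out of `-Features` skips the TLS-validated connectors; the rest of the hybrid still works, but cross-premises mail then arrives as anonymous Internet mail, so keep that flag on unless you are deliberately routing mail another way.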