This document provides an overview of common tasks and issues for administrators of hybrid Exchange deployments between on-premises and Office 365. It discusses identity management with DirSync, monitoring key components, patching regularly, moving mailboxes between on-premises and online, and ensuring high availability of services like Exchange and AD FS. Troubleshooting tips are provided for common problems with Exchange federation, mailbox moves, DirSync, and AD FS. The presentation aims to help administrators understand best practices for managing hybrid deployments.
2. Agenda
• What’s life like for an admin in a Hybrid deployment?
• Common issues and misconceptions
• Moving mailboxes: the good, the bad and the ugly
• Keeping ADFS alive
• DirSync
• What’s next?
• Q&A
3. What is a Hybrid deployment?
Components of a Hybrid deployment
4. What is a hybrid deployment?
“Two distinct cross-premises Exchange organizations, combined to ‘act’ as a single organization through a series of customizations in both environments”
5. Hybrid Architecture
[Architecture diagram: the internal network holds Active Directory, the DirSync server, AD FS and the Exchange 2013 on-premises organization (CAS and MBX roles); the perimeter network holds the AD FS Proxy; across the Internet, the Office 365 tenant in the Microsoft data center holds Azure AD, the Exchange Online tenant and Exchange Online Protection. Flows shown: directory synchronization (DirSync to Azure AD), authentication over HTTPS (internal, external and OWA users against AD FS), hybrid mail flow over SMTP, the organizational relationship / OAuth intra-org connector between Exchange 2013 CAS and Exchange Online, and application access over HTTP(S).]
6. Hybrid Building Blocks
Federation
• Free/Busy
• MailTips
• Message Tracking
• eDiscovery
• …
DirSync
• Unified GAL
• X500 (Mailbox Moves)
• Online Archiving
Secure Transport
• TLS encryption
• Header Preservation
• Cert-based security
• Centralized mail flow
Mailbox Moves
• Mailbox Replication Service (MRS)
• Online Moves
• Fast / Reliable
8. What tasks does an admin commonly execute?
• Daily Exchange Management
• Identity Management
• Moving Mailboxes
• Patching
• Monitoring
• Troubleshooting
9. Identity Management
• All user objects are managed on-premises (through Exchange) because of DirSync
• Account for the DirSync interval (or force DirSync to run)
• Can be important if you want to “quickly” do things.
• Watch out for accidental deletions!
• New DirSync feature might help…
10. DirSync Accidental Deletion
• New in version 6765.0006 (released end of May)
• If the number of objects being deleted exceeds a configurable threshold, DirSync won’t sync the deletions to Azure AD.
• To enable the feature:
• Enable-PreventAccidentalDeletes -ObjectDeletionThreshold <value>
11. Monitoring Hybrid Deployments
• New architecture paradigm, requires a new way of thinking about monitoring
• You don’t care about Microsoft’s side of the story
• End-user service availability is key (but it’s always been like that, right?)
• Consider monitoring through a series of both Active and Passive tests
• Active tests allow you to be proactive
• Passive tests give you great feedback (counters…)
12. What components do I need to monitor?
• Directory Synchronization
• Identity Federation (if applicable)
• Exchange Federation
• Certificates
• Connectivity
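As an added example (not part of the original deck), the active-test idea applied to the five components above: a sweep that can run as a scheduled task from an Exchange 2013 Management Shell on a hybrid server, assuming an existing Connect-MsolService session; host names, the test user and the thresholds are placeholders.

```powershell
# Constructed example: an active-test sweep over the five hybrid components listed above.
# Assumes an Exchange 2013 Management Shell on a hybrid server with an existing
# Connect-MsolService session. Host names, user and thresholds are placeholders.
param(
    [string]$AdfsHost         = 'sts.contoso.com',    # placeholder: AD FS / proxy public name
    [string]$ExchangeHost     = 'mail.contoso.com',   # placeholder: internet-facing hybrid CAS
    [string]$TestUser         = 'alice@contoso.com',  # placeholder: on-premises mailbox
    [int]   $CertWarnDays     = 30,
    [int]   $DirSyncMaxAgeHrs = 4                     # default DirSync interval is 3 hours
)

function Result([string]$Check, [bool]$Healthy, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Healthy = $Healthy; Detail = $Detail }
}
function Test-HttpsEndpoint([string]$Uri) {
    try   { $r = Invoke-WebRequest -Uri $Uri -UseBasicParsing -TimeoutSec 15
            Result $Uri ($r.StatusCode -eq 200) "HTTP $($r.StatusCode)" }
    catch { Result $Uri $false $_.Exception.Message }
}

$results = @()

# 1. Directory synchronization: age of the last DirSync cycle as recorded in Azure AD
$age = (Get-Date) - (Get-MsolCompanyInformation).LastDirSyncTime
$results += Result 'DirSync' ($age.TotalHours -lt $DirSyncMaxAgeHrs) "last sync $([int]$age.TotalMinutes) min ago"

# 2. Identity federation: AD FS must serve its federation metadata through the proxy
$results += Test-HttpsEndpoint "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"

# 3. Exchange federation: any Test-FederationTrust step of type Error is a failure
$errors = Test-FederationTrust -UserIdentity $TestUser | Where-Object { $_.Type -eq 'Error' }
$results += Result 'Federation trust' (-not $errors) (($errors | ForEach-Object Message) -join '; ')

# 4. Certificates: anything bound to IIS or SMTP that expires soon breaks EWS, mail flow and federation
foreach ($c in Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS|SMTP' }) {
    $left = ($c.NotAfter - (Get-Date)).Days
    $results += Result "Cert $($c.Thumbprint.Substring(0, 8))" ($left -gt $CertWarnDays) "expires in $left days"
}

# 5. Connectivity: EWS health-check page (Managed Availability) and the SMTP listener
$results += Test-HttpsEndpoint "https://$ExchangeHost/ews/healthcheck.htm"
$smtp = Test-NetConnection -ComputerName $ExchangeHost -Port 25 -WarningAction SilentlyContinue
$results += Result 'SMTP/25' $smtp.TcpTestSucceeded "TCP connect to $ExchangeHost"

$results | Format-Table -AutoSize
# Non-zero exit code lets a scheduled task or monitoring agent raise the alert
if ($results | Where-Object { -not $_.Healthy }) { exit 1 }
```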
13. Patching
• Important to stay ‘current’ with patch levels (Exchange, DirSync) in order to remain supported
• Challenge to keep up with cloud cadence (CUs are typically released every quarter…)
• You can use RSS feeds and the Office Blog to stay up to date with the latest and greatest. The recently released Microsoft roadmap blog might also help: http://office.microsoft.com/en-us/products/office-365-roadmap-FX104343353.aspx
16. Moving Mailboxes
• A trivial action, but it touches many different components in Exchange
• Make sure the Mailbox Replication Service Proxy (MRS Proxy) is enabled on the internet-facing Exchange Web Services
• Before a mailbox can be moved, certain ‘attributes’ need to be available on the object:
• Prior to a mailbox move, check that the object has the correct attributes set (X500 + proxy addresses)
• Because of the cross-premises nature of a hybrid deployment, certain features won’t work after a mailbox move
• Watch out for permissions and large items in the mailbox!
17. Mailbox move limitations
• Items larger than roughly 25 MB won’t be moved because of the item size limits in place in Office 365.
• You can export them using this script
• Cross-premises permissions (currently?) are not supported. Make sure to move associated mailboxes at the same time.
• Potential impact of your ‘pilot’ group.
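The pre-flight checks implied by the two slides above (attributes, large items, permissions) as one added function; this is example code, not the deck’s script, and it assumes an Exchange 2013 Management Shell where Get-MailboxFolderStatistics supports -IncludeAnalysis, with the tenant routing domain and the mailbox name as placeholders.

```powershell
# Constructed example: pre-flight checks before onboarding an on-premises mailbox to
# Exchange Online. Run in the Exchange 2013 Management Shell. The routing domain is a
# placeholder for your tenant's <tenant>.mail.onmicrosoft.com.
function Test-MailboxMoveReadiness {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string]$RoutingDomain    = 'contoso.mail.onmicrosoft.com',   # placeholder
        [int]   $LargeItemLimitMB = 25                                # Office 365 item size ceiling
    )
    $mbx    = Get-Mailbox -Identity $Identity
    $issues = @()

    # 1. Attributes: the move targets the synced MailUser through the routing address, so the
    #    on-premises object must already carry an smtp proxy address in the routing domain
    $routing = $mbx.EmailAddresses | Where-Object { $_ -match "^smtp:.+@$([regex]::Escape($RoutingDomain))$" }
    if (-not $routing) { $issues += "no $RoutingDomain proxy address (wait for DirSync or fix the e-mail address policy)" }
    if (-not $mbx.LegacyExchangeDN) { $issues += 'LegacyExchangeDN missing; no X500 address can be stamped' }

    # 2. Large items: largest item per folder, as reported by -IncludeAnalysis (e.g. "30 MB (31,457,280 bytes)")
    Get-MailboxFolderStatistics -Identity $Identity -IncludeAnalysis -FolderScope All | ForEach-Object {
        if ("$($_.TopSubjectSize)" -match '\(([\d,]+) bytes\)') {
            $bytes = [int64]($Matches[1] -replace ',', '')
            if ($bytes -gt $LargeItemLimitMB * 1MB) {
                $issues += "item of $([math]::Round($bytes / 1MB, 1)) MB in '$($_.FolderPath)' will not be moved"
            }
        }
    }

    # 3. Cross-premises permissions: explicit Full Access grants must move in the same batch
    $delegates = Get-MailboxPermission -Identity $Identity | Where-Object {
        -not $_.IsInherited -and "$($_.User)" -notlike 'NT AUTHORITY\*' -and $_.AccessRights -contains 'FullAccess'
    }
    foreach ($d in $delegates) { $issues += "Full Access granted to $($d.User); move that mailbox at the same time" }

    [pscustomobject]@{
        Mailbox = $mbx.PrimarySmtpAddress
        Ready   = ($issues.Count -eq 0)
        Issues  = $issues
    }
}

Test-MailboxMoveReadiness -Identity 'alice@contoso.com' | Format-List   # placeholder mailbox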
18. Dealing with High Availability
What it takes to make a hybrid deployment highly available
19. What components should be highly available?
• Exchange (Hybrid Servers)
• AD FS (if deployed)
• Connectivity
20. “Hybrid Server” HA
• Deploy at least two hybrid servers
• Add site resiliency by deploying in two distinct physical locations
• Load balance incoming requests through a LB device
[Diagram: Site 1 and Site 2, each with a domain controller and an Exchange CAS/MBX server, fronted by an HA load balancer pair with connectivity to the Internet.]
21. DirSync / Azure AD Sync
• No urgent need for high availability
• You can run without DirSync for a (short) period of time, although that would reduce (admin) functionality temporarily
• In case you cannot afford temporary functionality loss (SLAs?)
• Deploy a ‘standby’ DirSync server
• Consider deploying SQL (default choice for large enterprises anyway)
• Easier to backup
22. Active Directory Federation Services
• Critical to operations; No ADFS = No user logon possible
• Must be deployed HA – in all possible ways
• Deploy ADFS cluster; spread across sites to add site resiliency
• Can be costly…
23. AD FS HA
AD FS Topology
[Diagram: an internal AD FS farm (two AD FS servers behind a load balancer, with domain controllers) and, in the perimeter network between two firewalls, two AD FS Proxy servers behind a second load balancer facing the Internet.]
25. Troubleshooting AD FS
• Not easy.
• Use tools such as Fiddler
• Enable Debug Logging in Event Viewer
• Pair AD FS Proxy w/ ADFS for easier troubleshooting
• Understanding different authentication flows is important
26. Enabling Debug Log
• Open Event Viewer
• Click View > Show Analytic and Debug Logs
• Right-click Debug under AD FS Tracing and click Enable Log
• Reproduce issue
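The same steps as a script, added here as an example and not taken from the deck: it enables the debug channel only for the duration of the repro and switches it off again, since the channel is very verbose. It assumes AD FS 2.1/3.0, where the log is named "AD FS Tracing/Debug" (on AD FS 2.0 the name is "AD FS 2.0 Tracing/Debug").

```powershell
# Constructed example: Event Viewer "Enable Log" / "Disable Log" for the AD FS debug channel,
# scripted so tracing only runs while the issue is reproduced. Log name assumes AD FS 2.1/3.0.
param(
    [string]$LogName    = 'AD FS Tracing/Debug',
    [string]$ExportPath = "$env:TEMP\adfs-debug.evtx"
)

$log = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $LogName
$log.IsEnabled = $true              # same as right-click Debug > Enable Log
$log.SaveChanges()
$started = Get-Date

Read-Host 'Debug tracing is ON. Reproduce the logon issue now, then press Enter'

# Analytic/Debug logs can only be read oldest-first; keep what was traced during the repro
$events = Get-WinEvent -LogName $LogName -Oldest -ErrorAction SilentlyContinue |
    Where-Object { $_.TimeCreated -ge $started }

# Switch the channel off again before it fills the disk
$log.IsEnabled = $false
$log.SaveChanges()

# Export the trace for offline analysis next to the AD FS Admin log
wevtutil epl $LogName $ExportPath /ow:true

$events | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
"Trace exported to $ExportPath ($($events.Count) events)"
```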
27. Exchange Federation
• Multiple areas where things can go wrong…
• Verify that Federation Information can be retrieved (Get-FederationInformation)
• Test Organization Relationships (Test-OrganizationRelationship)
• Verify Federation trust (Test-FederationTrust)
• When using OAuth: Test-OAuthConnectivity
28. Mailbox Moves
• Error message is critical; contains useful information
• Verify connectivity; e.g. MRS Proxy enabled?
• Use Test-MigrationServerAvailability for more insight
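The checks from the Exchange Federation and Mailbox Moves slides above run in sequence with their results interpreted, as an added example that is not part of the deck; it assumes the on-premises Exchange 2013 Management Shell, and the routing domain, test mailbox and EWS host are placeholders.

```powershell
# Constructed example: federation and mailbox-move troubleshooting steps with PASS/FAIL
# interpretation. Run in the on-premises Exchange 2013 Management Shell; names are placeholders.
param(
    [string]$RemoteDomain = 'contoso.mail.onmicrosoft.com',   # placeholder: EXO domain in the org relationship
    [string]$OnPremUser   = 'alice@contoso.com',              # placeholder: on-premises mailbox for the tests
    [string]$EwsHost      = 'mail.contoso.com'                # placeholder: internet-facing CAS running MRS Proxy
)

# Runs one check, prints PASS/FAIL and keeps going when a cmdlet throws
function Step([string]$Name, [scriptblock]$Body) {
    try   { "{0,-30} {1}" -f $Name, $(if (& $Body) { 'PASS' } else { 'FAIL' }) }
    catch { "{0,-30} FAIL: {1}" -f $Name, $_.Exception.Message }
}

# --- Exchange federation ------------------------------------------------------------
Step 'Federation information' {
    # Autodiscover and federation metadata of the remote organization must be retrievable
    $null -ne (Get-FederationInformation -DomainName $RemoteDomain).TargetApplicationUri
}
Step 'Federation trust' {
    # any result of type Error means the trust with the Microsoft Federation Gateway is broken
    -not (Test-FederationTrust -UserIdentity $OnPremUser | Where-Object { $_.Type -eq 'Error' })
}
Step 'Organization relationship' {
    $rel = Get-OrganizationRelationship |
        Where-Object { ($_.DomainNames | ForEach-Object { "$_" }) -contains $RemoteDomain }
    -not (Test-OrganizationRelationship -Identity $rel.Identity -UserIdentity $OnPremUser |
          Where-Object { $_.Type -eq 'Error' })
}
Step 'OAuth intra-org connector' {
    (Test-OAuthConnectivity -Service EWS -Mailbox $OnPremUser `
        -TargetUri 'https://outlook.office365.com/ews/exchange.asmx').ResultType -eq 'Success'
}

# --- Mailbox moves --------------------------------------------------------------------
Step 'MRS Proxy enabled on EWS' {
    # every internet-facing EWS virtual directory must have MRSProxyEnabled = True
    -not (Get-WebServicesVirtualDirectory | Where-Object { -not $_.MRSProxyEnabled })
}

# The error text is the most useful part of a failed move; read it from the move report
Get-MoveRequest -MoveStatus Failed | Get-MoveRequestStatistics -IncludeReport |
    Select-Object DisplayName, FailureType, Message,
                  @{ n = 'LastFailure'; e = { $_.Report.Failures[-1].Message } } |
    Format-List

# From an Exchange Online PowerShell session (not this shell), probe the on-premises endpoint end to end:
#   Test-MigrationServerAvailability -ExchangeRemoteMove -RemoteServer $EwsHost -Credentials (Get-Credential)
```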
29. DirSync
• No news = good news
• Take a look into the console (miisclient.exe, located in the installation folder)
• Check permissions (inherit permissions enabled?)