TechFuse 2012: Rich Coexistence
Learn about Rich Coexistence scenarios including: On Premise, Hosted, Segmented, and Hybrid. Presented by Tom Moen.

Published in: Technology

  1. Rich Coexistence (wrongfully Hybrid Deployment). Thomas Moen, Director of Strategy and Innovation, @cloudmovr. 5.16.2012
  2. It is GREAT to Have Options…
     • On Premise – services on premise
     • Hosted – services hosted by someone else
     • Segmented – host some users/apps, keep some users/apps on premise
     • Hybrid – some services, i.e., filtering, archive encryption, are hosted. Azure Appliance or Azure SQL
  3. Agenda
     • Introduction
     • Rich Coexistence Features Explained
     • Planning
     • Deployment
     • Migration
     • Management
  4. Not for the faint of heart. This is a high impact ride. People with back, neck, heart, or cursing-at-computer problems should not attempt this ride. Stay at the Exchange server at all times. Hold on with both hands!
  5. Think I am Joking?
  6. If you feel any discomfort with…
     – ADFS 2.0
     – Dir Sync
     – Rich Coexistence
     – PowerShell
     Call a professional immediately! If you do proceed, proceed at your own peril…
  7. … and Keep These Close at Hand! On the occasion of a Service Interrupting Event (SIE), Microsoft Online Services continuously updates the channels below to provide you the information you need to manage your business. Microsoft Online Services strives to earn your business and trust through best in class service and ongoing communication.
     • Service Health Dashboard – the best location for Service Update information. Updated regularly through any SIE and notifies you of any upcoming planned maintenance.
     • Twitter – the feed is continuously updated as SIE incidents occur.
     • Facebook – get the latest updates, tips and more delivered straight to your Facebook stream.
     • Community Blog – with access to forums and community, you’re always receiving the most updated information.
  8. Your Four New Best Friends… tmoen@avtex.com, @cloudmovr, Jack, us/download/confirmation.aspx?id=26509, us/exdeploy2010/default.aspx#Index
  9. Rich Coexistence Summarized – What does coexistence mean?
     – Executed over a longer period of time (a week, a month, a year, etc.)
     – No requirement to ever “flip a switch”—can run in coexistence scenario indefinitely
     – Requires on-premises configuration and hardware
  10. Today’s Focus – Rich Coexistence Summarized: Simple vs. Rich Coexistence feature-set (Feature: Simple / Rich*)
     • Mail routing between on-premises and cloud (recipients on either side)
     • Mail routing with shared namespace (if desired) – on both sides
     • Unified GAL
     • Free/Busy and calendar sharing cross-premises
     • MailTips, message tracking, and mailbox search work cross-premises
     • OWA redirection cross-premises (single OWA URL for both on-premises and cloud)
     • Exchange Online Archive
     • Exchange Management Console used to manage cross-prem relationship & mailbox migrations
     • Native mailbox move supports both onboarding and offboarding
     • No Outlook reconfiguration or OST resync required after mailbox migration
     • Online Mailbox Move allows users to stay logged into their mailbox while it is being moved to the cloud
     • Secure Mail ensures emails cross-premises are encrypted, and the internal auth headers are preserved
     • Centralized mail flow control ensures that all email routes inbound/outbound via On Premises
  11. Directory Synchronization
     – Manages online users in Active Directory®
     – Eliminates the need to manage users and groups in two places
     – Powers unified global address list
     – Simplifies user provisioning
     – Enables rich coexistence scenarios
     – Designed for single-forest topologies
     – DirSync tool runs on a local server
     – Customer’s Active Directory is the replication master
  12. Active Directory Federation Services 2.0: users are authenticated by the local Active Directory Federation Services server. No Microsoft Outlook® sign-in tool is required.
  13. Exchange 2010 Federation
     • Federated Sharing provides:
       – Easy setup of external data sharing
       – Broader reach without additional steps to set up
       – More security with controls for admins and users
     • Federated Sharing is made possible because:
       – Server can act on behalf of a specific user
         • Specific user identified by email address
         • User not prompted for credentials
       – Microsoft Federation Gateway acts as a trust broker
         • Reduces explicit point-to-point trust management
         • No Active Directory trusts, service, or cloud accounts to manage
         • Minimizes certificate exchanges
         • Verifies domain ownership
  14. Cross-Premises Free/Busy and Calendar Sharing*
     – Creates the look and feel of a single, seamless organization for meeting scheduling and management of calendars
     – Works with any supported Outlook client; the heavy lifting is done by the Exchange Server 2010 CAS servers and the MS Federation Gateway, making this transparent to the end user.
     *Caution with Exchange 2003 or earlier
  15. Cross-Premises Free/Busy and Calendar Sharing – How it Works (diagram: a free/busy request from on-premises user “Ben” to Exchange Online user “Joe” passes from Ben’s Mailbox Server through the on-premises Client Access Server and the Microsoft Federation Gateway to Exchange Online)
  16. Cross-Premises MailTips
     – Creates the look and feel of a single, seamless organization. Correct evaluation of “Internal to” vs. “External to” organization context
     – Allows awareness and correct Outlook 2010 representation of MailTips for size and quantity limits on DGs, etc.
  17. Cross-Premises Message Tracking
     – Creates the look and feel of a single, seamless organization
     – Message tracking started from on-premises or from the cloud will track through to the edge of the combined organization
       • Tracking fidelity across Exchange Server 2010 SP1 servers will be identical to fully on-premises organizations (i.e., high fidelity)
       • Tracking fidelity across pre-2010 servers will be identical to fully on-premises organizations (i.e., lower fidelity)
  18. Cross-Premises Mailbox Search
     – Allows administrators to select/manage mailboxes for mailbox searches from on-premises or cloud-hosted mailboxes
     – Graphical representation in the picker allows on-premises and cloud-hosted mailboxes to be differentiated
     – Search results returned across all selected mailboxes, regardless of mailbox location!
  19. Cross-Premises OWA Redirection
     • Single URL
       – Allows mailbox access to OWA via a single URL (pointed to on-premises CAS)
       – Ensures a good end-user experience as mailboxes are moved in and out of the cloud, since the OWA URL remains unchanged
     • Better cloud log-in experience
       – Log-in experience can be greatly improved by adding your domain name into your cloud URL so that you can access your cloud mailbox without the interruption of the “Go There” page
  20. Cross-Premises Mail Flow
     • Secure transport
     • Rich coexistence adds the ability to preserve internal organizational headers:
       – Allows us to treat a message from the cloud as authenticated. This means we trust the message and resolve the sender to a recipient in the GAL.
       – Restrictions specified for that recipient get honored.
       – When the sender is expanded in Outlook, the GAL card is opened (not the SMTP address).
     • Possible centralized mail flow scenario
  21. Cross-Premises Mail Flow (diagram: a secure TLS/DomainSecure connection runs from the on-premises Hub Transport Server through Forefront Online Protection for Exchange to Exchange Online; mailbox “Ben” is on premises, mailbox “Joe” is in the cloud)
  22. Cross-Premises Mail Flow – Sending Internal Headers to Cloud (diagram: XOORG data travels with the message through Forefront Online Protection for Exchange, tied to the Exchange certificate subject; cross-premises emails are authenticated as “Internal”)
  23. Cross-Premises Mail Flow – Sending Internal Headers to On Prem (diagram: XOORG data travels from Exchange Online through Forefront Online Protection for Exchange to the on-premises Hub Transport Server; emails from the cloud are seen as Internal by transport & journal rules)
  24. Cross-Premises Mail Flow – Centralized mail flow scenario (diagram: Internet mail enters through Forefront Online Protection for Exchange and is routed through the on-premises Hub Transport Server, which delivers to on-premises Mailbox Servers or onward to Exchange Online)
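The Secure Mail properties the slides above rely on (mandatory TLS, partner certificate validation, and accepting XOORG internal headers only from the trusted cloud connector) can be verified on the on-premises Hub Transport server. The following is an added example written for this page, not code from the deck or from Microsoft; it assumes service.contoso.com as the Exchange Online routing namespace (the deck's example) and mail.messaging.microsoft.com as the TLS certificate name presented by Forefront Online Protection for Exchange, both of which you should confirm against your own configuration.

```powershell
# Added example (not from the deck): verify that the connectors carrying cross-premises
# mail enforce the "Secure Mail" properties described above, and show how the preserved
# internal-auth (XOORG) header is read back from a message. Run in the Exchange
# Management Shell on the on-premises Hub Transport server (Exchange 2010 SP1).
# Assumptions: service.contoso.com is the Exchange Online routing namespace (the deck's
# example) and mail.messaging.microsoft.com is the TLS certificate name presented by
# Forefront Online Protection for Exchange; confirm both for your own environment.

$ServiceDomain = "service.contoso.com"
$FopeTlsName   = "mail.messaging.microsoft.com"
$findings      = @()

# Outbound: the Send Connector for the service namespace must require TLS and validate
# the partner certificate name, otherwise "secure transport" is merely opportunistic.
$send = Get-SendConnector | Where-Object { "$($_.AddressSpaces)" -match [regex]::Escape($ServiceDomain) }
if (-not $send) { $findings += "No Send Connector has an address space for $ServiceDomain" }
foreach ($c in $send) {
    if (-not $c.RequireTLS)                          { $findings += "Send '$($c.Name)': RequireTLS is false" }
    if ("$($c.TlsAuthLevel)" -ne "DomainValidation") { $findings += "Send '$($c.Name)': TlsAuthLevel is '$($c.TlsAuthLevel)'" }
    if ("$($c.TlsDomain)" -ne $FopeTlsName)          { $findings += "Send '$($c.Name)': TlsDomain is '$($c.TlsDomain)'" }
}

# Inbound: only a Receive Connector that has verified FOPE's certificate should accept
# the XOORG protocol, and it must require TLS so that internal headers cannot be
# presented by an anonymous Internet sender.
$recv = Get-ReceiveConnector | Where-Object { "$($_.TlsDomainCapabilities)" -match "AcceptOorgProtocol" }
if (-not $recv) { $findings += "No Receive Connector accepts the XOORG protocol from the cloud" }
foreach ($c in $recv) {
    if (-not $c.RequireTLS) { $findings += "Receive '$($c.Name)': RequireTLS is false" }
    if ("$($c.TlsDomainCapabilities)" -notmatch [regex]::Escape("${FopeTlsName}:AcceptOorgProtocol")) {
        $findings += "Receive '$($c.Name)': AcceptOorgProtocol is granted to a TLS name other than $FopeTlsName"
    }
}

# Reading the result on a delivered message: the headers below are a constructed sample
# of what a message relayed from the cloud looks like once the XOORG data was accepted.
$sampleHeaders = @"
Received: from mail.messaging.microsoft.com (10.0.0.1) by hub01.contoso.com with ESMTP
X-MS-Exchange-Organization-AuthSource: hub01.contoso.com
X-MS-Exchange-Organization-AuthAs: Internal
From: joe@contoso.com
"@

function Get-XoorgAuthAs {
    param([string]$Headers)
    # AuthAs is Internal only when the internal headers survived the cross-premises hop;
    # a message without the header was stripped by transport and is treated as Anonymous.
    foreach ($line in $Headers -split "`r?`n") {
        if ($line -match '^X-MS-Exchange-Organization-AuthAs:\s*(\S+)') { return $matches[1] }
    }
    return "Anonymous"
}

"Sample message authenticated as: $(Get-XoorgAuthAs $sampleHeaders)"
if ($findings.Count -eq 0) { "Connector checks passed" } else { $findings | ForEach-Object { Write-Warning $_ } }
```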
  25. Rich Coexistence – Feature summary: makes your on-premises organization and cloud organization work together like a single, seamless organization
     • Offers near-parity of features/experience on-premises and in the cloud
     • Seamless interactions between on-premises and cloud mailboxes
     • Migrations in and out of the cloud transparent to end user
     Features not supported:
     • Delegation Coexistence—Delegate permissions are migrated, but not available during the move
     • Migration of Send As/Full Access permissions
     • Multi-forest—only single-forest source environments
  26. Federation Scenarios – “Federation”: A very overloaded word…
     • Sign-On Scenarios – ADFSv2: “Federated Identity”
       – User uses corporate credentials to access online resources in the cloud
       • Single Sign-on cloud mailbox log in
       • Direct log on for LOB apps
     • Delegation Scenarios: “Federated Sharing”
       – Services act on behalf of a user to access Exchange resources
       • Cross-premises Free/Busy, Shared Calendaring
       • Cross-premises MailTips
       • Cross-premises Message Tracking
       • Cross-premises Mailbox Search
       • Cross-premises MRS authentication
       • Cross-premises OWA redirection (single URL)
       • Cross-premises Archiving
  27. Rich Coexistence Server Roles – 3 to 5 Additional Server/Roles Required
  28. Shared Namespace: Core Concepts (diagram: the MX record for the on-premises domain points at the Exchange 2003 FE/BE server in the on-premises AD forest; the MX record for the Exchange Online domain points at Exchange Online; an external recipient on the Internet sends to the on-premises address, and email is forwarded from the on-premises address to the Exchange Online address)
  29. Namespace Planning
     • Federated Identity
       – UPN suffixes need to match an Identity Federation domain
     • Email Forwarding & Autodiscover Redirects
       – Minimum of 1 domain for on-premises and 1 for Exchange Online
       – Existing primary SMTP domain sufficient for the on-premises namespace
       – Additional namespace required for Exchange Online
       • Note: Cannot be the sign-up domain (*
     • Exchange Federated Sharing
       – Recommend use of a unique domain for the On-Premises to Microsoft Federation Gateway Exchange Federation Trust – e.g.
       – Referred to in EMC and EMS as the “Account Namespace”
       – Does not need to be on any Email Address Policies
       – Any other domains (e.g. should be added as additional federated domains
  30. Certificates
     • Exchange Federation Trust
       – Can be any certificate (e.g. self-signed)—it will be pushed/pulled to all Exchange Server 2010 SP1 Client Access Servers
       – The “New Federation Trust” wizard handles the cert creation and replication to other CAS servers for you
     • Exchange CAS
       – You must ensure that the primary SMTP domain has an Autodiscover DNS entry and is listed on the CAS certificate
       – DNS must resolve to an Exchange Server 2010 SP1 CAS server
       – CAS protocols (EWS, MRSProxy) must have the externalUrl listed on the certificate
     • Exchange HUB
       – Ensure the certificate is both client and server certificate type
     You can use the Exchange Certificate wizard in EMC 2010 SP1 to generate the request!
     ADFS also requires public certificates for ADFS endpoints in most scenarios
  31. Exchange Deployment Assistant
     • Currently supports Rich Coexistence configuration with Exchange Server 2003 and Exchange 2007
     • SP2 new Coexistence/Hybrid Wizard
  32. Hybrid Config Wizard Requirements
     • On Premise Exchange 2003 or Later
     • All Exchange Updates and SP2 Rollup
     • Office 365 Tenant and Admin Account
     • Custom Domains
     • AD FS 2.0
     • Dir Sync
     • CAS/HUB Server
     • Autodiscover DNS Records Configured
     • Office 365 Org in the EMC
     • EWS Config ExternalURL – externally accessible, FQDN
     • Certificates – self signed certs NOT used, and a whole lot of other certificate stuff! Like the EWS external URL, the Autodiscover endpoint specified in public DNS has to be listed in the Subject Alternative Name of the certificate. (I hate certificates)
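The certificate and endpoint requirements in the last two slides are the ones that most often stop the wizard, so they are worth checking before it is launched. The following pre-flight script is an added example for this page, not code from the deck or from Microsoft; it assumes the deck's example domain contoso.com as the primary SMTP domain and runs in the Exchange Management Shell on the Exchange 2010 SP1/SP2 CAS/HUB server.

```powershell
# Added example (not from the deck): a pre-flight check of the on-premises prerequisites
# listed above, run in the Exchange Management Shell on the Exchange 2010 SP1/SP2 CAS/HUB
# server before launching the Hybrid Configuration Wizard. It uses the deck's example
# domain contoso.com; replace it with your own primary SMTP domain.

$PrimarySmtpDomain = "contoso.com"
$Server            = $env:COMPUTERNAME
$findings          = @()
$publicNames       = @("autodiscover.$PrimarySmtpDomain")

# 1. The Autodiscover record for the primary SMTP domain must exist in public DNS.
try   { [void][System.Net.Dns]::GetHostAddresses("autodiscover.$PrimarySmtpDomain") }
catch { $findings += "DNS: autodiscover.$PrimarySmtpDomain does not resolve" }

# 2. EWS needs an externally reachable FQDN and MRS Proxy enabled, or Exchange Online's
#    Mailbox Replication Service cannot reach this server to perform moves.
foreach ($vd in Get-WebServicesVirtualDirectory -Server $Server) {
    if ($vd.ExternalUrl) { $publicNames += $vd.ExternalUrl.Host }
    else                 { $findings += "EWS: $($vd.Identity) has no ExternalUrl" }
    if (-not $vd.MRSProxyEnabled) { $findings += "EWS: MRS Proxy is disabled on $($vd.Identity)" }
}

# 3. Outlook Anywhere must be enabled with an external hostname for cross-premises clients.
$oa = Get-OutlookAnywhere -Server $Server -ErrorAction SilentlyContinue
if ($oa -and "$($oa.ExternalHostname)") { $publicNames += "$($oa.ExternalHostname)" }
else { $findings += "RPC/HTTP: Outlook Anywhere is not enabled with an external hostname on $Server" }

# 4. The certificate bound to IIS must be CA-issued (the wizard rejects self-signed
#    certificates), not about to expire, and list every public name above in its SANs.
$iisCerts = Get-ExchangeCertificate -Server $Server | Where-Object { "$($_.Services)" -match "IIS" }
if (-not $iisCerts) { $findings += "Cert: no certificate is assigned to the IIS service" }
foreach ($cert in $iisCerts) {
    $label = "Cert $($cert.Thumbprint)"
    if ($cert.IsSelfSigned) { $findings += "$label is self-signed" }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { $findings += "$label expires $($cert.NotAfter)" }
    # CertificateDomains may contain wildcard entries, so match each public name with -like.
    $patterns = $cert.CertificateDomains | ForEach-Object { "$_" }
    foreach ($name in ($publicNames | Sort-Object -Unique)) {
        if (-not ($patterns | Where-Object { $name -like $_ })) { $findings += "$label does not cover $name" }
    }
}

if ($findings.Count -eq 0) { "All hybrid prerequisites checked out on $Server" }
else { $findings | ForEach-Object { Write-Warning $_ } }
```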
  33. New SP2 Wizard
  34. Here’s Where We Start… The following services may be exposed to the Internet to support remote access: 1. SMTP 2. Outlook Web Access 3. Outlook Anywhere 4. Exchange ActiveSync (Microsoft-Server-ActiveSync) (diagram: on-premises AD forest with DC, AD FS, Dirsync and Exchange 2003 FE/BE server; an external SMTP recipient on the Internet)
  35. Rich Coexistence Setup – Step 1: Office 365 configuration steps (Step: Details – Required/Recommended)
     – Run through Office 365 Onboarding Accelerator: As part of onboarding, the onboarding accelerator steps the admin over to “Rich Coexistence” guidance – Recommended
     – Configure Federated Identity: On-premises ADFS/Geneva server allows on-premises (single) identity to be used for cloud authentication – Recommended
     – Configure DirSync: On-premises appliance synchronizes on-premises directory/GAL with the cloud – Required
     – Enable DirSync Writeback: Allows rich off-boarding with message repliability, archiving in the cloud, and UM in the cloud – Recommended* (*Not available during Beta)
  36. Register MSO Namespaces & Config ADFS
     (1) Run Domain Proof of Ownership DNS records
     (2) Create MSO Federation Config cmdlets: Add-MsolFederatedDomain -DomainName “” (one per domain)
     (3) Rerun MSO Federation Config cmdlets: Add-MsolFederatedDomain -DomainName “”
     (4) New Registered Domains propagate out to MSO ID and Exchange Online
     • MSO ID reserves the namespace as a “Federated Namespace”
     • MSO ID sets the AD FS endpoint for each namespace to “”
     • This verifies domain proof of ownership
     • Exchange Online creates all registered domains as Accepted Domains (Type: Authoritative)
     (diagram: the Microsoft Online Directory Service lists namespaces such as service.contoso.com with type Federated and their AD FS endpoint; company domain status moves from pending to active in both MSO ID and Exchange Online)
  37. Deploy Office 365 Directory Sync
     (1) Install DirSync
     (2) Run configuration wizard
     (3) Run first sync
     • Only Users are given an MSO ID. If their On-Premises UPN matches a federated domain, then they are given a Federated MSO ID with the same name. Any logons using that ID will be redirected to the On Premises ADFS instance for authentication.
     • Sync process will sync out the following object types: 1. Users 2. Contacts 3. Groups
     • All mail-enabled objects are synced to Exchange Online: 1. Mailuser 2. Mailbox 3. Mailcontact 4. MaildistributionGroup (Inc. security)
  38. Rich Coexistence Setup – Step 2: Exchange configuration steps* (Step: Details – Required/Recommended)
     – Install Exchange Server 2010 SP1 server on-premises: On-premises Exchange Server 2010 SP1 CAS/Hub server (also MBX role for some scenarios) required for rich coexistence features – Required
     – Configure cloud Autodiscover DNS record: Allows on-premises targeted Autodiscover Outlook client to redirect to cloud without prompts – Required
     – Publish MRS Proxy: Allows Exchange Online Mailbox Replication Service to connect On Premises and perform a move to the cloud – Required
     – Implement Cloud Configuration Policies: Create configuration policies in the cloud to match (or complement) on-premises configuration policies (e.g., ActiveSync policies, OWA policies, etc.) – Recommended
     – Configure RBAC in the cloud: Create/manage Role-Based Access Control (RBAC) settings in the cloud to match (or complement) on-premises RBAC configuration – Recommended
     – Configure Federation Trust / Org Relationship: Enable infrastructure for delegated Live namespace federation. Allows the following “Federated Sharing” features: Cross-premises Free/Busy, Shared Calendaring; Cross-premises OWA redirection (single URL); Cross-premises MailTips; Cross-premises Mailbox Search; Cross-premises Message Tracking; Cross-premises Archiving – Recommended
     – Configure Cross-premises mail routing: This configuration ensures proper anti-spam/header handling for mail sent between on-premises and the cloud – Recommended**
     * Exchange Deployment Assistant will be updated to include Rich Coexistence scenario steps
     ** Not available during Beta
  39. Creating the Exchange Federation Trust
     (1) Create Exchange Federation Trust with the Microsoft Federation Gateway (MFG) using a “unique namespace”
     (2) On Premises Org Relationship with “” and “”
     (3) Exchange Online Org Relationship with “”
     • Automatic implied trust between the Exchange Online tenant and MFG (via MSO ID)
     (diagram: on-premises AD forest with DC, AD FS, Dirsync, Exchange 2003 FE/BE server and Exchange 2010 CAS/HUB server; Exchange Online)
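Once the trust and the two organization relationships exist, a defender wants proof that the chain works end to end for a real user before federated sharing is switched on. The check below is an added example written for this page, not code from the deck or from Microsoft; it assumes exchangedelegation.contoso.com as a placeholder for your “Account Namespace”, service.contoso.com as the cloud domain in the organization relationship, ben@contoso.com as the deck's on-premises user “Ben”, and that the Test-* cmdlets return result objects with Type and Message properties.

```powershell
# Added example (not from the deck): once the federation trust and the organization
# relationships exist, confirm they are complete and working before relying on federated
# sharing. Run in the on-premises Exchange Management Shell (Exchange 2010 SP1).
# Assumptions: exchangedelegation.contoso.com is a placeholder for the "Account Namespace"
# you chose, service.contoso.com is the cloud domain named in the organization relationship,
# ben@contoso.com is the deck's on-premises user "Ben", and the Test-* cmdlets are assumed
# to return result objects with Type and Message properties.

$AccountNamespace = "exchangedelegation.contoso.com"
$CloudDomain      = "service.contoso.com"
$TestUser         = "ben@contoso.com"
$findings         = @()

# 1. A federation trust with the Microsoft Federation Gateway exists; its certificate is
#    replicated to every CAS automatically but still has to be valid.
$trusts = Get-FederationTrust
if (-not $trusts) { $findings += "No federation trust with the Microsoft Federation Gateway" }
foreach ($t in $trusts) {
    if ($t.OrgCertificate.NotAfter -lt (Get-Date).AddDays(30)) {
        $findings += "Trust '$($t.Name)': certificate expires $($t.OrgCertificate.NotAfter)"
    }
}
# Live test: request a delegation token for the user from the gateway.
Test-FederationTrust -UserIdentity $TestUser |
    Where-Object { "$($_.Type)" -ne "Success" } |
    ForEach-Object { $findings += "Federation trust: $($_.Message)" }

# 2. The federated organization identifier must be enabled with the account namespace,
#    and every authoritative accepted domain users share from must be federated too.
$orgId = Get-FederatedOrganizationIdentifier
if (-not $orgId.Enabled -or "$($orgId.AccountNamespace)" -ne $AccountNamespace) {
    $findings += "Federated org identifier is disabled or uses '$($orgId.AccountNamespace)'"
}
$federated = $orgId.Domains | ForEach-Object { "$_" }
foreach ($d in Get-AcceptedDomain | Where-Object { "$($_.DomainType)" -eq "Authoritative" -and "$($_.DomainName)" -ne $CloudDomain }) {
    if ($federated -notcontains "$($d.DomainName)") { $findings += "Accepted domain $($d.DomainName) is not federated" }
}

# 3. The organization relationship towards the cloud domain must enable the features the
#    deck relies on, and the delegated call to the partner must actually succeed.
$rel = Get-OrganizationRelationship | Where-Object { ($_.DomainNames | ForEach-Object { "$_" }) -contains $CloudDomain }
if (-not $rel) { $findings += "No organization relationship covers $CloudDomain" }
foreach ($r in $rel) {
    $name = $r.Name
    if (-not $r.Enabled)               { $findings += "'$name': relationship is disabled" }
    if (-not $r.FreeBusyAccessEnabled) { $findings += "'$name': free/busy sharing is off" }
    if (-not $r.MailTipsAccessEnabled) { $findings += "'$name': MailTips access is off" }
    if (-not $r.MailboxMoveEnabled)    { $findings += "'$name': MailboxMoveEnabled is false" }
    if (-not $r.TargetAutodiscoverEpr) { $findings += "'$name': TargetAutodiscoverEpr is empty" }
    Test-OrganizationRelationship -Identity $r.Identity -UserIdentity $TestUser |
        Where-Object { "$($_.Type)" -ne "Success" } |
        ForEach-Object { $findings += "'$name': $($_.Message)" }
}

if ($findings.Count -eq 0) { "Federation trust and organization relationship verified for $TestUser" }
else { $findings | ForEach-Object { Write-Warning $_ } }
```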
  40. Creating the Secure Mail Connectors (diagram: connectors between the Exchange 2010 CAS/HUB server in the on-premises AD forest and Exchange Online, passing through FOPE)
  41. Mail Routing – External recipient to Exchange Online mailbox (diagram: MX & AutoD for the on-premises domain = On Premises; MX & AutoD for the service domain = Exchange Online; an external recipient on the Internet sends to the on-premises AD forest; the Exchange Online Mailbox shows its Primary SMTP Address, and the on-premises Remote Mailbox shows its Primary SMTP Address, Secondary SMTP Address and Remote Routing Address)
  42. Autodiscover – Outlook Profile Generation: (1) Where is my mailbox? (2) Local Exchange passes a redirect to “” (3) Outlook attempts to discover the endpoint through DNS record “” (4) Request Authentication (5) Authentication Success (6) Profile Builds
  43. Post-Exchange Coexistence Server Deployment – Once 2010 is deployed the following additional services need to be enabled (new certificate required): 1. Autodiscover 2. Availability Web Service 3. Exchange Web Services. External endpoints: 1. 2. autodiscover.contoso.com 3. (diagram labels also show autodiscover/autodiscover.xml and Microsoft-Server-ActiveSync). To support OWA redirection to the cloud, logons need to be shifted to 2010. This requires a new “legacy” endpoint for OWA 2003. (diagram: on-premises AD forest with DC, AD FS, Dirsync, Exchange 2003 FE/BE server and Exchange 2010 CAS/HUB server)
  44. Rich Coexistence: GUI Management – Connecting on-premises GUI to the cloud
     – Once you have installed Exchange Server 2010 SP1 on premises and connected it to your Exchange Online 2010 organization, you can use the EMC GUI for a number of the configuration steps on the previous slides
  45. Rich Coexistence Setup – Federated Sharing
     – Most of the cool Rich Coexistence features require federated sharing to be configured between on-premises and the cloud
     – EMC in Exchange Server 2010 SP1 has a GUI for this
  46. Rich Coexistence Migration – You’ve configured for cross-premises, now it’s time to move!
     • Administrator uses the EMC on-premises tool to manage mailbox moves and other administrative cross-premises tasks
       – Note: There is no requirement to move mailboxes on premises to an Exchange Server 2010 server prior to moving them to the cloud
     • DirSync keeps the GAL in sync as mailboxes are moved
  47. Rich Coexistence Migration – Cross-premises mailbox move experience
     • Cross-Premises moves work just like on-premises
       – Cross-Premises mailbox moves are driven out of the EMC GUI “Remote Move” wizard
       – With the federated sharing configuration in place, the explicit-credentials requirement is eliminated, allowing mailbox moves to be executed seamlessly to and from the cloud
  48. Rich Coexistence Migration – The stuff you need to know
     – It’s a true “online” move: the user stays connected to their mailbox through the move
       • Client switchover happens automatically at the end
       • Traditional “offline” move when moving from an Exchange 2003 source
     – Outlook uses Autodiscover to detect the change and fixes up the user’s Outlook profile automatically on the client machine
     – Since it’s a move (not a new mailbox + data copy), Outlook doesn’t see it as a new/different mailbox. End result = No OST resync
     – Moves are queued and paced by the datacenter
     – Object conversion for mail routing happens automatically after the data move
       • Mailbox on-premises gets converted to a mail-enabled user automatically
       • Admin can override this automation and stage the move-then-convert steps
  49. Rich Coexistence Migration – Mailbox off-boarding
     • Why might you care about off-boarding?
       – Long term coexistence scenarios
       – Compliance requirements (retaining ex-employee data)
       – Piloting online but not committed to the move
     • What do you need to know about off-boarding?
       – Off-boarding is available using the EMC toolset while in the Rich Coexistence scenario
       – Off-boarding to an on-premises Exchange Server 2010 database is an online mailbox move
       – Off-boarding to an on-premises Exchange Server 2003/Exchange Server 2007 database is an offline mailbox move
       – Off-boarding without Rich Coexistence (i.e., any other scenario, including V1 off-boarding) is PST via Outlook or partner driven
  50. Rich Coexistence Recipient Management – Exchange Management Console
     – All recipient management should be performed through EMC 2010 SP1
     – Objects should be created through the On-Premises node
     – Any Policies (e.g. OWA Policy) should be assigned through the Cloud node
  51. Rich Coexistence Recipient Management – What’s new to recipient management in Exchange Online
     • New On-Premises recipient, called “Remote Mailbox”
       – Represents a Mailbox that exists in Exchange Online (found under Contacts)
       – Specific to Rich Coexistence
       – Appears as a Mail User to legacy Exchange
       – MRS Mailbox Move to Exchange Online will leave a Remote Mailbox in the On Premises directory
     • New flag on a Remote Domain allows the targetAddress to be automatically calculated
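The Remote Mailbox object and the Remote Domain flag described above are what keep mail for a moved user inside the organization, so a misconfigured routing address silently sends that user's mail elsewhere. The script below is an added example for this page, not code from the deck or from Microsoft; it assumes the deck's example routing namespace service.contoso.com and runs in the on-premises Exchange Management Shell.

```powershell
# Added example (not from the deck): recipient-side checks for the Remote Mailbox and
# targetAddress model described above, run in the on-premises Exchange Management Shell
# (Exchange 2010 SP1). Assumes the deck's example routing namespace service.contoso.com.

$ServiceDomain = "service.contoso.com"
$findings      = @()

# 1. The remote domain for the service namespace must carry the new TargetDeliveryDomain
#    flag, or the targetAddress of a moved mailbox will not be calculated automatically.
$rd = Get-RemoteDomain | Where-Object { "$($_.DomainName)" -eq $ServiceDomain -and $_.TargetDeliveryDomain }
if (-not $rd) { $findings += "No remote domain for $ServiceDomain has TargetDeliveryDomain set" }

# 2. A mailbox can only become a Remote Mailbox if it already owns a proxy address in the
#    service domain, which is what the remote routing address is derived from.
foreach ($mbx in Get-Mailbox -ResultSize Unlimited | Where-Object { "$($_.RecipientTypeDetails)" -eq "UserMailbox" }) {
    $hasService = $mbx.EmailAddresses | Where-Object { "$_" -like "smtp:*@$ServiceDomain" }
    if (-not $hasService) { $findings += "Mailbox $($mbx.Alias) has no @$ServiceDomain proxy address yet" }
}

# 3. Every Remote Mailbox must route to the service domain and to one of its own proxy
#    addresses; anything else sends that user's mail outside the organization.
foreach ($rm in Get-RemoteMailbox -ResultSize Unlimited) {
    $route   = ("$($rm.RemoteRoutingAddress)" -replace '^smtp:', '').ToLower()
    $proxies = $rm.EmailAddresses | ForEach-Object { ("$_" -replace '^smtp:', '').ToLower() }
    if ($route -notlike "*@$ServiceDomain") { $findings += "Remote mailbox $($rm.Alias) routes to '$route'" }
    elseif ($proxies -notcontains $route)   { $findings += "Remote mailbox $($rm.Alias): $route is not one of its proxy addresses" }
}

if ($findings.Count -eq 0) { "Remote domain, mailbox and remote mailbox routing checks passed" }
else { $findings | ForEach-Object { Write-Warning $_ } }
```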
  52. Key Takeaways
     Rich Coexistence is about 3 core components
     • Migration
     • Exchange Sharing
     • Secure Transport
     Rich Coexistence setup has a bunch of steps, but it’s primarily about getting the planning right
     • Namespaces & Certificates are the two key areas to think about
     • Remember you are performing a partial upgrade to Exchange Server 2010
     • And moving to Exchange Server 2010 on-premise sets you up for a smooth path to the cloud
     Once you’re in fully-configured Rich Coexistence, toggling the federated sharing features on and off in Exchange is simple
     • These features are a differentiator and make the cross-premises Exchange Online experience seamless