Deploying Exchange 2013 in Hybrid ModeMichael Van HorenbeeckTechnology Consultant – Xylos, Exchange Server MVP

@mvanhorenbeeckwww.pro-exchange.bemichaelvh.wordpress.com

Building a hybrid configuration

Expectations… Reality (Ex2013)…

What is a hybrid deployment?

ExchangeOn-Prem

“The Internet”

ExchangeOnline

(Office 365)

“Virtual Exchange Organization”

Why hybrid?

• Long-term coexistence• Take advantages of features like e.g. Exchange Online

Archiving• Large migrations where cutover isn’t possible (e.g. EX2010 +)• Transparent mailbox moves (to or from Exchange Online)• “Online” Mailbox Moves• No OST resync!

• Interaction with 3rd party applications• e.g. Fax Solutions

Hybrid Configuration Primer

Federation

• Delegates• Free/Busy• Calendar

Sharing• Message

Tracking• Mail Tips• …

Secure Mail Flow

• Encrypted mail flow

• Header preservation (“internal”)

• Centralized mail flow

DirSync

• Unified GAL• Exchange

Online Archive (EOA)

• Off-boarding

Mailbox moves

• Online mailbox moves through MRS

DirSync Writeback

Write-Back attribute Exchange "full fidelity" feature

SafeSendersHashBlockedSendersHashSafeRecipientHash

Filtering: Writes back on-premises filtering and online safe and blocked sender data from clients. 

msExchArchiveStatus Online Archive: Enables customers to archive mail. 

ProxyAddresses (LegacyExchangeDN <online LegacyDn> as X500)

Enable Mailbox: Off-boards an online mailbox back to on-premises Exchange.

msExchUCVoiceMailSettings

Enable Unified Messaging (UM) - Online voice mail: This new attribute is used only for UM-Microsoft Lync Server 2010 integration to indicate to Lync Server 2010 on-premises that the user has voice mail in online services.

A trip down memory lane…

Hybrid Configuration Wizard (SP2)

Introducing the ‘new’ hybrid configuration wizard

• Single-step, adaptive configuration wizard• Enhanced mail-flow capabilities• Improved centralized mail flow

• Easier setup of secure mail flow (no more whitelisting IP’s!)

• Integrated support for Exchange 2010 Edge Transport server• Leverages Exchange Online Protection• Enhanced & more detailed logging

Hybrid Prerequisites

• Directory Synchronization (DirSync)• “Hybrid Server”• Add Office 365 tenant to Exchange Admin Center• Certificates• Exchange Web Services• 3rd party certificates for TLS between Exchange Online & On-Premises• Self-Signed Certificate for use w/ Microsoft Federation Gateway

(automatic)

Optional:• ADFS (though recommended)• Edge Transport Server may make life easier (more about that later)

Typical deployment process

“The Internet”

DeployExchange

1.

ConfigureSSO (optional)

2.

Setup DirSync

3.

Configure Certificates

4.

Configure WebServices

5.

Run Hybrid Configuration Wizard

6.

ConfigureMX Records

MX

7.

Hybrid Configuration Wizard Workflow

Current stateDesired state

Hybrid ConfigWizard

Hybrid ConfigurationEngine

Delta-config

Demo: the new Hybrid Configuration Wizard

Supported topologies

Office 365 (v 2010)

Office 365 (v 2013)w/ On-Prem 2010

Office 365 (v 2013)w/ On-Prem 2013

Exchange 2003 SP2 (X) (X)

Exchange 2007 SP2/SP3

(X) (X)

Exchange 2007 SP3 Urx

(X) (X) (X)

Exchange 2010 SP1 X

Exchange 2010 SP2 X

Exchange 2010 SP3 X X X

Exchange 2013 N/A X

(X) = supported w/ dependencies X = supported

Deployment Considerations

• Delegates• Migrated, but mailboxes must be moved at the same time

• Mailbox Permissions• Cross-premises permissions NOT supported• Only explicit permissions get migrated to Exchange Online.

• Multi-forest scenarios are not supported• Interaction with legacy / 3rd party applications• Web Services?• Use an SMTP gateway?

• Bandwidth

Hybrid mailbox moves

ExchangeOn-Prem

“The Internet”

ExchangeOnline

(Office 365)

MRS

Admin

Demo: cross-premise mailbox move

Mailbox moves: user experience

• When using SSO, moves to Exchange online are fully transparent

• Without SSO, users get a new password

• Outlook profile is updated automatically through Autodiscover

Common mistakes/issues

• Certificates• Expired• Not from a trusted source• Missing/Wrong subject (alternative) name

• Single Sign-On• Free/Busy not working• Peers not recognized as “internal”• Outlook-related (e.g. missing updates)

Troubleshooting

• Hybrid Configuration Log Files• <drive>:\Program Files\Microsoft\Exchange Server\V15\Logging\

Update-HybridConfiguration

• Review Federation Information• Get-FederationInformation –DomainName <domainname>

• Review OrganizationRelationShips• Get-OrganizationRelationShip | fl *

• Troubleshoot connection issues (e.g. AutoDiscover/Web Services)• Remote Connectivity Analyzer (www.testexchangeconnectivity.com)

Ex2013 Deployment Assistant

http://technet.microsoft.com/exdeploy2013

Demo: troubleshooting

Key takeaways

1

2

3

Mind the prerequisites! Check certificates.

Use tools like ExDeploy and remote connectivity analyzer to plan and validate your deployment

Review the hybrid configuration logs for more information.

Related Sessions

• Tuesday• Office 365: Do’s and Don’ts (Ilse Van Criekinge)• Troubleshooting Federation, ADFS and More (John Craddock)

• Wednesday• Office 365 ProPlus: Click-to-run deployment and management (Brian

Shiers)• Office 365 Identity Management Options (Jethro Seghers, Michael Van

Horenbeeck)

The result

If you follow the advice from this session, you’ll probably end up with something like this ;-)

THANK YOU!