Exchange Hybrid Deployment with Office 365 - Part I
This blog is part I of my series "Exchange Hybrid Deployment with Office 365". It covers an overview of Exchange Hybrid Deployment, its advantages and considerations, what happens behind the scenes when deploying Hybrid and, last but not least, the steps to deploy Exchange Hybrid.
A) What is Exchange Hybrid Deployment:
A hybrid deployment allows an on-premises organization and a cloud organization to work together as a single, seamless organization. In other words, a hybrid deployment provides the look and feel of a single Exchange organization across an on-premises Exchange Server 2013 organization and Exchange Online in Microsoft Office 365.
B) Benefits of Exchange Hybrid:
- Exchange Online users and on-premises users can share free/busy calendar data, and vice versa.
- Hybrid allows secure mail routing between the on-premises and Exchange Online organizations.
- Administrators can use powerful and familiar Exchange management tools to move users to Exchange Online.
- OWA redirection allows for redirection from the on-premises environment to the Office 365 Outlook Web App environment.
- MailTips, out-of-office messages, and similar features understand that Office 365 and on-premises users are part of the same organization.
- Delivery reports and multi-mailbox search work with users who are on-premises and those working in Exchange Online.
- Authentication headers are preserved during cross-premises mail flow. So, all mail looks and feels like it is internal to the company (for example, recipient names resolve in the GAL).
- Directory synchronization provides a unified GAL.
- If necessary, administrators can easily move mailboxes back to the on-premises Exchange environment
- Cloud-based message archiving for on-premises Exchange mailboxes
- Administrators do not have to manually reconfigure Outlook profiles or resynchronize .OST files after they move users’ mailboxes
C) Exchange Hybrid Prerequisites:
- An on-premises Exchange organization. You can set up Hybrid with Exchange 2010 SP3 or Exchange Server 2013.
- Office 365 for Enterprises (the AdminDisplayVersion parameter value should be equal to or greater than 15.0.620.28).
- The Windows Azure Active Directory Synchronization tool (DirSync) or Azure AD Sync.
- A certificate from a trusted third-party CA
- AD FS is optional but strongly recommended
More details : https://technet.microsoft.com/en-in/library/hh534377(v=exchg.150).aspx
D) Exchange Hybrid Considerations:
- On-premises mailbox permissions such as Send As, Receive As, and Full Access that are explicitly applied on the mailbox are migrated to Exchange Online if the tenant in Exchange Online has been fully synchronized using Dirsync or AAD Sync.
- Inherited (non-explicit) mailbox permissions such as permissions applied to the mailbox database and any permissions on non-mailbox objects (such as distribution lists or a mail-enabled user) are not migrated. Therefore, you should recreate these permissions in Exchange Online using the Add-MailboxPermission or Add-RecipientPermission cmdlets.
- Cross-premises permissions: mailbox permissions such as Send As, Receive As, and Full Access are not supported if the user trying to access the mailbox is in Exchange Online while the target mailbox is on-premises, or vice versa. To avoid this limitation, migrate the mailboxes of users who have access to a given mailbox in the same batch as that mailbox, so that delegate scenarios continue to work.
- If your organization implements multiple on-premises Exchange organizations, you must deploy Exchange 2013 SP1 or greater servers in your on-premises organization to configure a hybrid deployment with Office 365.
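The permission considerations above are the ones that most often bite after a move. The following PowerShell is an added example, not the author's code: run in the on-premises Exchange Management Shell before moving a batch, it lists the explicit Full Access and Send As grants on each mailbox in the batch, flags trustees who are not in the same batch (the cross-premises case that stops working), and emits the Add-MailboxPermission / Add-RecipientPermission commands that replay the explicit grants in Exchange Online after the move. It assumes a single forest, that trustees are users rather than groups, that the batch identities resolve with Get-Mailbox, and that the well-known Exchange accounts to skip are covered by the regular expression at the top; the batch names jdoe and asmith in the usage lines are placeholders.

```powershell
# Added example (not part of the original post). Run in the on-premises Exchange Management Shell
# before moving a batch of mailboxes. Assumptions: one forest, trustees are users (not groups),
# and Get-User can resolve the DOMAIN\sam value shown in a permission's User field.

# Accounts Exchange adds itself; replaying these in the cloud is wrong and usually fails.
$script:WellKnownTrustee = '^(NT AUTHORITY\\|S-1-5-|.*\\Exchange Servers$|.*\\Exchange Trusted Subsystem$|' +
                           '.*\\Organization Management$|.*\\Domain Admins$|.*\\Enterprise Admins$)'

function Resolve-TrusteeSmtp([string]$User) {
    # 'CONTOSO\jdoe' -> jdoe@contoso.com, so the grant can be replayed by SMTP address in Exchange Online
    $u = Get-User -Identity $User -ErrorAction SilentlyContinue
    if ($u -and $u.WindowsEmailAddress) { return [string]$u.WindowsEmailAddress }
    return $User
}

function Get-HybridDelegationReport {
    param([Parameter(Mandatory = $true)][string[]]$Batch)

    $members  = foreach ($id in $Batch) { Get-Mailbox -Identity $id -ErrorAction Stop }
    $batchSam = @{}
    foreach ($m in $members) { $batchSam[$m.SamAccountName.ToLower()] = $true }

    foreach ($m in $members) {
        $grants = New-Object System.Collections.Generic.List[object]

        # Full Access lives on the mailbox; keep only explicit (non-inherited) Allow entries
        $fa = Get-MailboxPermission -Identity $m.Identity |
              Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                             ($_.AccessRights -like '*FullAccess*') -and
                             ([string]$_.User -notmatch $script:WellKnownTrustee) }
        foreach ($p in $fa) { $grants.Add(@{ User = [string]$p.User; Right = 'FullAccess' }) }

        # Send As is an AD extended right on the user object, not a mailbox permission
        $sa = Get-ADPermission -Identity $m.DistinguishedName |
              Where-Object { -not $_.IsInherited -and -not $_.Deny -and
                             ($_.ExtendedRights -like '*Send-As*') -and
                             ([string]$_.User -notmatch $script:WellKnownTrustee) }
        foreach ($p in $sa) { $grants.Add(@{ User = [string]$p.User; Right = 'SendAs' }) }

        foreach ($g in $grants) {
            $sam = ($g.User -split '\\')[-1].ToLower()
            [pscustomobject]@{
                Mailbox        = [string]$m.PrimarySmtpAddress
                Trustee        = Resolve-TrusteeSmtp $g.User
                Right          = $g.Right
                TrusteeInBatch = $batchSam.ContainsKey($sam)   # $false = delegation breaks after the move
            }
        }
    }
}

function ConvertTo-CloudPermissionCommands {
    # Turn report rows into the cmdlets to run in an Exchange Online session once the move has completed.
    param([Parameter(ValueFromPipeline = $true)]$Row)
    process {
        switch ($Row.Right) {
            'FullAccess' { "Add-MailboxPermission -Identity '$($Row.Mailbox)' -User '$($Row.Trustee)' -AccessRights FullAccess -InheritanceType All -AutoMapping `$false" }
            'SendAs'     { "Add-RecipientPermission -Identity '$($Row.Mailbox)' -Trustee '$($Row.Trustee)' -AccessRights SendAs -Confirm:`$false" }
        }
    }
}

# Usage (placeholder batch): report the batch, warn on trustees left behind, save the cloud-side replay script
$report = Get-HybridDelegationReport -Batch 'jdoe', 'asmith'
$report | Where-Object { -not $_.TrusteeInBatch } |
    ForEach-Object { Write-Warning "$($_.Trustee) has $($_.Right) on $($_.Mailbox) but is not in this batch" }
$report | ConvertTo-CloudPermissionCommands | Set-Content .\Replay-Permissions.ps1
```

AutoMapping is set to $false in the replayed Full Access grants so that Outlook does not mount every delegated mailbox the moment the move completes; drop that switch if the on-premises users relied on automapping. Any trustee the warning names should either be added to the batch or have its delegation removed before the move.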
E) What happens behind the scenes when running Hybrid setup
First, the Hybrid Configuration wizard creates the HybridConfiguration object in your on-premises Active Directory. This Active Directory object stores the hybrid configuration information for the hybrid deployment and is updated by the Hybrid Configuration wizard.
1. The Update-HybridConfiguration cmdlet triggers the Hybrid Configuration Engine to start.
2. The Hybrid Configuration Engine reads the "desired state" stored on the HybridConfiguration Active Directory object.
3. The Hybrid Configuration Engine connects via Remote PowerShell to both the on-premises and Exchange Online organizations.
The corresponding PowerShell connections can also be seen in the Hybrid Update logs:
[12/20/2014 15:35:26] INFO:Opening runspace to https://onpremise/powershell?serializationLevel=Full
[12/20/2014 15:35:26] INFO:Successfully connected to On-Premises
[12/20/2014 15:35:26] INFO:Opening runspace to https://ps.outlook.com/powershell-liveid/powershell.htm?serializationLevel=Full;clientApplication=EMC;ExchClientVer=14.3.123.4
[12/20/2014 15:36:12] INFO:Successfully connected to Tenant
4. The Hybrid Configuration Engine discovers topology data and current configuration from the on-premises Exchange organization and the Exchange Online organization.
5. Based on the desired state, topology data, and current configuration, across both the on-premises Exchange and Exchange Online organizations, the Hybrid Configuration Engine establishes the “difference” and then executes configuration tasks to establish the “desired state.”
6. The desired state stored on the HybridConfiguration object can be viewed with Get-HybridConfiguration.
Now, let's look at the steps involved in setting up Hybrid with my Exchange 2013 SP1 server and Office 365 tenant.
1. Log on to the on-premises Exchange server and start the Hybrid setup from the Exchange Admin Center (EAC).
2. Select the hybrid domain(s) as per your setup requirements.
3. View/copy the domain proof token, and after the TXT record has been verified with your DNS provider (ISP), hit Next.
4. Choose the transport options. This setting may vary depending on your requirements.
5. Choose the Exchange 2013 Client Access server(s) that will receive mail from Office 365.
6. Choose the Exchange 2013 Mailbox server(s) that will send mail to Office 365.
7. Select the transport certificate from the drop-down.
8. Enter the external FQDN of the Client Access server.
9. Enter the credentials of an on-premises AD account that is a member of the Organization Management role group.
10. Enter the credentials of an Office 365 Global Admin account.
11. Choose Update to configure hybrid. This fires the Hybrid Configuration Engine, which configures everything in the background.
12. Upon completion, hit Close.
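As an added example (not from the original post) of checking the result of the wizard steps above and of the engine's "desired state" described earlier, the script below re-reads the state the wizard stored (Get-HybridConfiguration) and compares it with what actually exists on both sides, concentrating on the settings that keep cross-premises mail authenticated: TLS enforced on the connectors, the partner identified by certificate, and the organization relationship that free/busy relies on. It assumes the send connector name the Exchange 2013 HCW creates ('Outbound to Office 365'), the remote PowerShell endpoint shown in the Hybrid Update log for the tenant connection (current tenants require Connect-ExchangeOnline -Prefix Cloud from the ExchangeOnlineManagement module instead), and the -Prefix Cloud convention so that on-premises and cloud cmdlets can be told apart in one shell.

```powershell
# Added example (not part of the original post). Run from the on-premises Exchange Management Shell
# after the HCW reports success. Assumptions: the 2013 HCW connector name below, and a tenant that
# still accepts the powershell-liveid endpoint (otherwise use Connect-ExchangeOnline -Prefix Cloud).
param(
    [string]$OnPremSendConnectorName = 'Outbound to Office 365',
    [version]$MinimumTenantVersion   = '15.0.620.28'   # prerequisite from the section above
)

$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential (Get-Credential -Message 'Office 365 Global Admin') `
    -Authentication Basic -AllowRedirection
Import-PSSession $session -Prefix Cloud -DisableNameChecking | Out-Null   # e.g. Get-CloudInboundConnector

$findings = New-Object System.Collections.Generic.List[string]
function Check([bool]$Ok, [string]$Problem) { if (-not $Ok) { $findings.Add($Problem) } }

# 1. Tenant build prerequisite: AdminDisplayVersion is a display string, so pull the dotted build out of it
$raw = [string](Get-CloudOrganizationConfig).AdminDisplayVersion
$tenantBuild = if ($raw -match '(\d+\.\d+\.\d+\.\d+)') { [version]$Matches[1] } else { [version]'0.0.0.0' }
Check ($tenantBuild -ge $MinimumTenantVersion) "Tenant build '$raw' is below $MinimumTenantVersion"

# 2. Desired state the wizard wrote to Active Directory
$hc = Get-HybridConfiguration
$hybridCert = [string]$hc.TlsCertificateName
Check ($hybridCert -ne '') 'HybridConfiguration has no TlsCertificateName'

# 3. On-premises send connector to Exchange Online: TLS required, partner validated by domain, hybrid cert bound
$sc = Get-SendConnector -Identity $OnPremSendConnectorName -ErrorAction SilentlyContinue
Check ($null -ne $sc) "Send connector '$OnPremSendConnectorName' not found"
if ($sc) {
    Check ($sc.RequireTLS)                                          "$($sc.Name): RequireTLS is false"
    Check ($sc.TlsAuthLevel -eq 'DomainValidation')                 "$($sc.Name): TlsAuthLevel is $($sc.TlsAuthLevel)"
    Check ([string]$sc.TlsDomain -eq 'mail.protection.outlook.com') "$($sc.Name): TlsDomain is '$($sc.TlsDomain)'"
    Check ([string]$sc.TlsCertificateName -eq $hybridCert)          "$($sc.Name): bound certificate differs from HybridConfiguration"
}

# 4. Exchange Online side: the inbound connector must demand TLS and identify the on-premises sender by certificate
$inbound = @(Get-CloudInboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' -and $_.Enabled })
Check ($inbound.Count -gt 0) 'No enabled OnPremises inbound connector in Exchange Online'
foreach ($c in $inbound) {
    Check ($c.RequireTls)                              "$($c.Name): RequireTls is false"
    Check ([string]$c.TlsSenderCertificateName -ne '') "$($c.Name): no TlsSenderCertificateName, so any TLS sender would be treated as on-premises"
}
$outbound = @(Get-CloudOutboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' -and $_.Enabled })
Check ($outbound.Count -gt 0) 'No enabled OnPremises outbound connector in Exchange Online'
foreach ($c in $outbound) {
    Check ($c.TlsSettings -eq 'DomainValidation') "$($c.Name): TlsSettings is $($c.TlsSettings)"
    Check ([string]$c.TlsDomain -ne '')           "$($c.Name): no TlsDomain to validate the on-premises certificate against"
}

# 5. Free/busy and mailbox moves depend on the organization relationship the wizard created
$rel = @(Get-OrganizationRelationship | Where-Object { [string]$_.TargetApplicationUri -like '*outlook.com*' })
Check ($rel.Count -gt 0) 'No on-premises organization relationship pointing at Exchange Online'
foreach ($r in $rel) { Check ($r.Enabled -and $r.FreeBusyAccessEnabled) "$($r.Name): disabled or free/busy access off" }

Remove-PSSession $session
if ($findings.Count -eq 0) { 'Hybrid configuration matches the desired state' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Every check maps to one thing the wizard is supposed to have done; a warning therefore points at the object to fix rather than at the wizard as a whole. The inbound-connector check matters most: without RequireTls and a TlsSenderCertificateName, the "internal" treatment of mail arriving over that connector (preserved authentication headers, resolved GAL names) would extend to anyone who can reach the tenant over TLS.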
Wow!! At this point my Hybrid is all set.
What's New with Exchange Hybrid
Exchange 2013 SP1 hybrid now supports multiple Exchange organizations configured against a single Office 365 tenant.
Exchange Forest contoso.com ======> Office 365 Tenant <===== Exchange Forest fabrikam.com
Multi-forest hybrid deployment prerequisites:
- The prerequisites for a multi-forest hybrid deployment are nearly the same as for a single-forest hybrid deployment (refer to Section C), with the exceptions listed below.
- Each Exchange organization must have Exchange 2013 SP1.
- Each Exchange organization must publish at least one SMTP and one Autodiscover namespace so that Office 365 can query Autodiscover for each forest successfully.
- A different public certificate must be configured in each Exchange forest. The key point is that the certificate used for the hybrid deployment features in each forest of a multi-forest organization must be issued by a different third-party CA (for example, one forest uses a certificate issued by VeriSign and the other a certificate issued by Go Daddy). Within one forest, however, the certificate installed on the Mailbox and Client Access servers (and Edge Transport servers, if deployed) used for mail transport in the hybrid deployment must all be issued by the same CA and have the same common name.
- The common name (CN) of the certificate must match the host being authenticated, which is typically the external hostname of the Client Access server in that Active Directory forest, for example mail.contoso.com.
- Microsoft Forefront Identity Manager (FIM) 2010 R2 or later with the Azure Active Directory (AAD) connector is required for directory synchronization, to synchronize mail recipients between each forest and the Office 365 tenant.
- Single sign-on is optional. If you want to use SSO in the multi-forest hybrid model, AD FS must be set up in each Active Directory forest, or a single SSO server can be used if a two-way forest trust is configured between the on-premises forests.
Configure a Hybrid deployment in a multi-forest organization (Flow)
1. Preparation
- Verify that you have met the hybrid deployment prerequisites listed above
- Validate that Autodiscover is properly configured and published in each Exchange organization
- Validate that the public certificates for each Exchange organization are unique
- Create a two-way forest trust
2. Configure mail flow on-premises
- Configure SMTP domain sharing as required
- Configure mail flow between the on-premises organizations
3. Configure directory synchronization
- Configure FIM + AAD Connector to synchronize mail recipients in each forest and the Office 365 tenant
4. Run the Hybrid Configuration Wizard
- Prepare the Office 365 tenant
- Run the HCW in each forest (more inputs: Create a hybrid deployment with the Hybrid Configuration wizard)
- Validate mail flow between all entities
5. Configure AD FS (optional)
- Configure AD FS in contoso.com
- Configure AD FS in fabrikam.com
For more information, see Single sign-on with hybrid deployments.
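The certificate rule in the multi-forest prerequisites above and the "validate public certificates" preparation step are easy to get wrong once servers are added or renewed later. The following PowerShell is an added example, not code from the original post: it takes the rows Get-ExchangeCertificate returns for the SMTP-enabled certificate on each transport server, grouped by forest, and reports every violation of the rule (one CA and one common name per forest, a different CA in each forest, common name equal to that forest's external Client Access hostname). The forest names, server names, subjects and issuers at the bottom are constructed sample data, and using the issuer CN as the identity of the CA is an assumption.

```powershell
# Added example (not part of the original post). Encodes the multi-forest certificate rule from the
# prerequisites. Input rows are the Subject/Issuer values Get-ExchangeCertificate returns; the rows at the
# bottom are constructed sample data, not real certificates. Collect real rows in each forest's shell with:
#   Get-ExchangeServer | ? { $_.ServerRole -match 'Mailbox|ClientAccess' } | % {
#       Get-ExchangeCertificate -Server $_.Name | ? { $_.Services -match 'SMTP' } |
#           Select-Object @{n='Server';e={$_.Identity.Split('\')[0]}}, Subject, Issuer, Thumbprint }

function Get-CertificateCN([string]$DistinguishedName) {
    # First CN= component of an X.500 name, e.g. 'CN=mail.contoso.com, O=Contoso' -> 'mail.contoso.com'
    if ($DistinguishedName -match '(?:^|,\s*)CN=([^,]+)') { return $Matches[1].Trim() }
    return $null
}

function Test-MultiForestHybridCertificates {
    param(
        [Parameter(Mandatory = $true)][hashtable]$Forests,          # forest -> certificate rows
        [Parameter(Mandatory = $true)][hashtable]$ExternalHostnames # forest -> external CAS hostname given to the HCW
    )
    $findings = New-Object System.Collections.Generic.List[string]
    $issuerByForest = @{}

    foreach ($forest in $Forests.Keys) {
        $rows = @($Forests[$forest])
        if ($rows.Count -eq 0) { $findings.Add("${forest}: no transport certificates collected"); continue }

        $cns     = @($rows | ForEach-Object { Get-CertificateCN $_.Subject } | Sort-Object -Unique)
        $issuers = @($rows | ForEach-Object { Get-CertificateCN $_.Issuer }  | Sort-Object -Unique)

        # Within a forest: one CA and one common name on every transport server
        if ($cns.Count -ne 1)     { $findings.Add("${forest}: servers use different common names: $($cns -join ', ')") }
        if ($issuers.Count -ne 1) { $findings.Add("${forest}: servers use certificates from different CAs: $($issuers -join ', ')") }
        if ($cns.Count -eq 1 -and $cns[0] -ne $ExternalHostnames[$forest]) {
            $findings.Add("${forest}: common name '$($cns[0])' does not match external hostname '$($ExternalHostnames[$forest])'")
        }
        $issuerByForest[$forest] = $issuers
    }

    # Across forests: the issuing CAs must differ
    $names = @($issuerByForest.Keys)
    for ($i = 0; $i -lt $names.Count; $i++) {
        for ($j = $i + 1; $j -lt $names.Count; $j++) {
            $shared = @($issuerByForest[$names[$i]] | Where-Object { $issuerByForest[$names[$j]] -contains $_ })
            if ($shared.Count -gt 0) {
                $findings.Add("$($names[$i]) and $($names[$j]) both use CA '$($shared -join ', ')'; each forest needs a different third-party CA")
            }
        }
    }
    return $findings
}

# Constructed sample: fabrikam's second server carries a certificate from the same CA contoso uses.
$sample = @{
    'contoso.com'  = @(
        [pscustomobject]@{ Server = 'CON-EX01'; Subject = 'CN=mail.contoso.com, O=Contoso';   Issuer = 'CN=VeriSign Class 3 Secure Server CA - G3, O=VeriSign, Inc.'; Thumbprint = 'A1' }
        [pscustomobject]@{ Server = 'CON-EX02'; Subject = 'CN=mail.contoso.com, O=Contoso';   Issuer = 'CN=VeriSign Class 3 Secure Server CA - G3, O=VeriSign, Inc.'; Thumbprint = 'A1' }
    )
    'fabrikam.com' = @(
        [pscustomobject]@{ Server = 'FAB-EX01'; Subject = 'CN=mail.fabrikam.com, O=Fabrikam'; Issuer = 'CN=Go Daddy Secure Certificate Authority - G2, O=GoDaddy.com, Inc.'; Thumbprint = 'B1' }
        [pscustomobject]@{ Server = 'FAB-EX02'; Subject = 'CN=mail.fabrikam.com, O=Fabrikam'; Issuer = 'CN=VeriSign Class 3 Secure Server CA - G3, O=VeriSign, Inc.'; Thumbprint = 'B2' }
    )
}
$hosts = @{ 'contoso.com' = 'mail.contoso.com'; 'fabrikam.com' = 'mail.fabrikam.com' }
Test-MultiForestHybridCertificates -Forests $sample -ExternalHostnames $hosts
```

Run it once per planned forest set before the HCW and again after every certificate renewal; the second run is the one that usually finds something, because renewals are often done per server rather than per forest.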
Please refer to the part II blog for common errors and the troubleshooting path to fix Hybrid deployment issues.
Comments
Anonymous
July 02, 2015
Shahnawaz Sir, you Rock !!!!! :)
Anonymous
July 09, 2015
Thank you for taking efforts from your busy schedule and making this publicly available.
Anonymous
July 09, 2015
Thank you for the beautiful article.
Anonymous
July 13, 2015
Awesome article sir.....waiting for the part 2.
Anonymous
July 26, 2015
Thank you very much for the article :)
Anonymous
August 15, 2015
Nice article... Best of luck for next post.
Anonymous
August 21, 2015
Very well written, and detailed.
Anonymous
August 28, 2015
Best article
Anonymous
September 01, 2015
Waited for it, like for ages.......
Anonymous
September 28, 2015
Great Article Sir
Anonymous
October 20, 2015
Amazing work sir! Very descriptive article. Thank you!
Can't wait for part 2...