Exchange 2007 On-Premises to Hybrid Deployment with Office365
“I am on Exchange 2007 On-Premise – Where do I go from here?” If that sounds familiar, you may be one of many Exchange 2007 administrators who are looking for options to move into a pure Cloud, or Hybrid or maybe an on-premise deployment of the current Exchange 2013 software. Mohammed Abdul Rafey, Senior Premier Field Engineer from Microsoft India, presents his views on the subject by providing three separate roadmaps, each catering to a different type of deployment. In this post we cover the first of the roadmaps.
In my role as a Premier Field Engineer for Exchange, I normally encounter situations where our customers ask us the way forward for their current Exchange 2007 environment. The three most logical courses for an Exchange 2007 organization are:
- To develop as a hybrid organization with Office 365
- Move to a pure Office 365 Exchange Online tenant
- Migrate to the latest Exchange version Exchange 2013
In a series of posts, I will present options for an environment where we currently have an On-Premises Exchange 2007 Organization. In this first installment, we describe hybrid deployment - when you create a new Exchange Online Exchange organization in Office 365 and then connect it to your existing on-premises Exchange organization by configuring Active Directory synchronization and using the Hybrid Configuration wizard.
Features of Hybrid deployments
After configuring the hybrid deployment, the following features are enabled between the organizations:
- Secure mail routing between on-premises and Exchange Online organizations.
- Mail routing with a shared domain namespace. For example, both on-premises and Exchange Online organizations use the @contoso.com SMTP domain.
- A unified global address list (GAL), also called a “shared address book.”
- Free/busy calendar information sharing between on-premises and Exchange Online organizations.
- Centralized control of inbound and outbound mail flow. You can configure all inbound and outbound Exchange Online messages to be routed through the on-premises Exchange organization.
- A single Microsoft Office Outlook Web App URL for both the on-premises and Exchange Online organizations.
- The ability to move existing on-premises mailboxes to the Exchange Online organization. Exchange Online mailboxes can also be moved back to the on-premises organization if needed.
- Centralized mailbox management using the on-premises Exchange Administration Center (EAC).
- Message tracking, MailTips, and multi-mailbox search between on-premises and Exchange Online organizations.
- Cloud-based message archiving for on-premises Exchange mailboxes. Exchange Online Archiving can be used with a hybrid deployment.
Changes to consider in a Hybrid deployment
Configuration |
Before hybrid deployment |
After hybrid deployment |
Mailbox location |
Mailboxes on-premises only. |
Mailboxes on-premises and in Exchange Online. |
Message transport |
On-premises Hub Transport servers handle all inbound and outbound message routing. |
On-premises Exchange 2007 Hub Transport server handles inbound and outbound message routing between both the on-premises and Exchange Online organization and the Internet The Exchange 2013 server handles internal message routing between the on-premises and Exchange Online organization. |
Outlook Web App |
On-premises Exchange 2007 Client Access server receives all Outlook Web App requests and displays mailbox information. |
On-premises Exchange 2013 server redirects Outlook Web App requests to either the on-premises Exchange 2007 Client Access server or provides a link to log on to the Exchange Online organization. |
Unified GAL for both organizations |
Not applicable; single organization only. |
On-premises Active Directory synchronization server replicates Active Directory information for mail-enabled objects to the Exchange Online organization. |
Single-sign on used for both organizations |
Not applicable; single organization only. |
On-premises Active Directory Federation Services (AD FS) server supports using single-sign on credentials for mailboxes located either on-premises or in the Office 365 organization. |
Organization relationship established and a federation trust with Microsoft Federation Gateway |
Trust relationship with the Microsoft Federation Gateway and organization relationships with other federated Exchange organizations may be configured. |
Trust relationship with the Microsoft Federation Gateway is required. Organization relationships are established between the on-premises and Exchange Online organization. |
Free/busy sharing |
Free/busy sharing between on-premises users only. |
Free/busy sharing between both on-premises and Exchange Online users. |
Decision points before you select Hybrid
The following considerations should be kept in mind before you select this migration option.
Do you want all users to use their on-premises credentials when they log on to their Exchange Online mailbox?
Single sign-on enables users to access both the on-premises and Microsoft Office 365 organizations with a single user name and password. Single sign-on provides users with a familiar sign-on experience and allows administrators to easily control account policies for Exchange Online organization mailboxes by using on-premises Active Directory management tools. Deploying single sign-on includes several components that configure the trust relationship between the on-premises Active Directory Federation Services (AD FS) server and the Microsoft Federation Gateway.
How do you want to route inbound Internet mail for both your on-premises and Exchange Online mailboxes?
Do you want to route inbound Internet mail for both your on-premises and Exchange Online mailboxes through Microsoft Office 365 and EOP or through your on-premises organization? In that case, you can choose to route inbound Internet mail for both organizations through your on-premises organization or through EOP and the Exchange Online organization. The route that inbound messages for both organizations take depends on whether you enable centralized mail transport in your hybrid deployment.
Do you want to route outbound mail to external recipients from your Exchange Online organization through your on-premises organization (centralized mail transport), or do you want to route it directly to the Internet? With centralized mail transport, you can route all mail from mailboxes in the Exchange Online organization through the on-premises organization before they’re delivered to the Internet. This approach is helpful in compliance scenarios where all mail to and from the Internet must be processed by on-premises servers. Alternately, you can configure Exchange Online to deliver messages for external recipients directly to the Internet.
Centralized mail transport is only recommended for organizations with specific compliance-related transport needs. Our recommendation for typical Exchange organizations is not to enable centralized mail transport.
Do you want mail sent between your Exchange Online and on-premises organizations to go through an Edge Transport server?
An Edge Transport server is typically deployed on a computer located in an Exchange organization's perimeter network and is designed to minimize the attack surface of the organization. If you don’t want to expose your internal Mailbox server to the Internet, answer Yes, and later we’ll show you how to add an Exchange 2010 Edge Transport server to your hybrid deployment. The Edge Transport server works with internal Mailbox servers in the on-premises Exchange organization to route messages between the on-premises and Exchange Online organizations.
Environmental Considerations
Active Directory synchronization
AD sync between the on-premises and Office 365 organizations is a requirement for configuring a hybrid deployment. The Office 365 service has an upper limit for replicating mail-enabled Active Directory objects to the cloud-based organization of 50,000 objects. If your Active Directory environment contains more than 50,000 objects, contact the Microsoft Online Services support team to open a service request for an exception and indicate the number of objects you need to synchronize.
Management
You manage a hybrid deployment in Exchange 2013 via a single unified management console that allows for managing both your on-premises and Office 365 Exchange Online organizations. The Exchange admin center (EAC), which replaces the Exchange Management Console and the Exchange Control Panel, allows you to connect and configure features for both organizations. When you run the Hybrid Configuration wizard for the first time, you will be prompted to connect to your Exchange Online organization. You must use an Office 365 account that is a member of the Organization Management role group to connect the EAC to your Exchange Online organization.
Certificates
Secure Sockets Layer (SSL) digital certificates play a significant role in configuring a hybrid deployment. They help to secure communications between the on-premises hybrid server and the Exchange Online organization. Certificates are a requirement to configure several types of services. If you're already using digital certificates in your Exchange organization, you may have to modify the certificates to include additional domains or purchase additional certificates from a trusted certificate authority (CA). If you aren't already using certificates, you will need to purchase one or more certificates from a trusted CA.
The following table outlines the minimum suggested FQDNs that should be included on certificates configured for use in a hybrid deployment.
Service |
Server |
Suggested FQDN |
Primary shared SMTP domain |
Client Access and Mailbox servers |
Contoso.com |
Autodiscover |
Client Access servers |
Label that matches the external Autodiscover FQDN of your Exchange 2013 Client Access server, such as autodiscover.contoso.com |
Transport |
Edge Transport servers |
Label that matches the external FQDN of your Edge Transport servers, such as edge.contoso.com |
Bandwidth
Your network connection to the Internet will directly impact the communication performance between your on-premises organization and the Exchange Online organization. This is particularly true when moving mailboxes from your on-premises Exchange 2013 server to the Exchange Online organization. The amount of available network bandwidth, in combination with mailbox size and the number of mailboxes moved in parallel, will result in varied times to complete mailbox moves. Additionally, other Office 365 cloud-based services, such as Microsoft SharePoint 2013 and Microsoft Lync Server 2013, may also affect the available bandwidth for messaging services.
Before moving mailboxes to the Exchange Online organization, you should:
- Determine the average mailbox size for mailboxes that will be moved to the Exchange Online organization.
- Determine the average connection and throughput speed for your connection to the Internet from your on-premises organization.
- Calculate the average expected transfer speed, and plan your mailbox moves accordingly
- More details are available at this page
Information Rights Management (IRM)
Exchange uses AD RMS servers in the Active Directory forest in which the Exchange server is installed. For your on-premises Exchange 2007 servers, the on-premises AD RMS server is used. For your Exchange Online organization, AD RMS servers that are maintained within the Microsoft Office 365 datacenters are used. The AD RMS configuration that each Exchange organization uses is independent of any other AD RMS deployment.
AD RMS configuration, and therefore IRM configuration, isn't automatically replicated between your on-premises Exchange organization and the Exchange Online organization. Any AD RMS templates that you've defined aren't automatically copied to the Exchange Online organization. If you want the same AD RMS templates to be available in the Exchange Online organization, you must manually export the templates from your on-premises organization and apply them to the cloud-based organization. More details are available here.
Mobile Devices
Mobile devices are supported in a hybrid deployment. If Exchange ActiveSync is already enabled on Client Access servers, they’ll continue to redirect requests from mobile devices to mailboxes located on the on-premises Mailbox server. For mobile devices connecting to existing mailboxes that are moved from the on-premises organization to Exchange Online, the Exchange ActiveSync partnership must be disabled and re-established before redirection requests are processed correctly. All mobile devices that support Exchange ActiveSync should be compatible with a hybrid deployment.
Do we have end users who need to use Blackberry? If yes - we may need to check if their mailbox can be moved to cloud.
Client Requirements
We recommend that your clients use Outlook 2013 or Outlook 2010 for the best experience and performance in the hybrid deployment. Pre-Outlook 2010 clients have limited support in hybrid deployments and with the Office 365 service.
Licensing for Office365
To create mailboxes in, or move mailboxes to, an Exchange Online organization, you need to sign up for Office 365 for enterprises and you must have licenses available. When you sign up for Office 365, you'll receive a specific number of licenses that you can assign to new mailboxes or mailboxes moved from the on-premises organization. Each mailbox in the Exchange Online service must have a license.
Anti-virus and Anti-Spam Services
Mailboxes moved to the Exchange Online organization are automatically provided with antivirus and anti-spam protection by Microsoft Exchange Online Protection (EOP). You may need to purchase additional EOP licenses for your on-premises users if you chose to route all incoming Internet mail through the EOP service. We recommend that you carefully evaluate whether the EOP protection in your Exchange Online organization is also appropriate to meet the antivirus and anti-spam needs of your on-premises organization. If you have protection in place for your on-premises organization, you may need to upgrade or configure your on-premises antivirus and anti-spam solutions for maximum protection across your organization.
Public Folders
Public folders are now supported in Office 365, and on-premises public folders can be migrated to Exchange Online. Additionally, public folders on Exchange Online can be moved to the on-premises Exchange 2013 organization. Both on-premises and Exchange Online users can access public folders located in either organization using Outlook Web App, Outlook 2013, Outlook 2010 SP2, or Outlook 2007 SP3. Existing on-premises public folder configuration and access for on-premises mailboxes doesn’t change when you configure a hybrid deployment.
Next time!
In the next blog in this series, I will discuss the prerequisites for the Hybrid Roadmap and discuss the other two roadmaps as well.
Original content from Abdul Rafey Mohammed; posted by MSPFE editor Arvind Shyamsundar
Comments
- Anonymous
May 12, 2016
Great article, could you comment on whether it's possilbe to select a variety of online subscriptions with one email domain i.e. could we select some exchange option 1 mail boxes some option 2 boxes and some 365 E3 boxes ? - Anonymous
November 10, 2016
Seems you missed to explain if at all its possible to migrate directly from Exchange 2007 to Office 365 ?- Anonymous
December 05, 2018
As per article in "Exchange Server Deployment Assistant" atleast one exchange 2010 (CAS & HUB) has to be installed.
- Anonymous
- Anonymous
February 20, 2017
Hi, can you please confirm the URL setup for a Exchange 2007/Exchange 2013 hybrid with Office 365?My understanding is that:- autodiscover internally/externally points to the Exchange 2013 server- Exchange 2013 has a new namespace e.g. hybrid.domainname.com, Exchange 2007 maintains its existing namespace- new OWA cname e.g. owa.domainname.com can be created to point all requests to the Exchange 2013 server which will handle redirection to either Exchange 2007 or Exchange Online.The above is mentioned in the Exchange deployment assistant however this is different from the traditional namespace setup when an Exchange 2013 server is introduced into an Exchange environment.Thanks for your time. - Anonymous
March 15, 2019
Thank you for informative post. One can also try a third party software to migrate Exchange to Office 365. I would like to suggest Kernel Migrator for Exchange. - Anonymous
March 31, 2019
Great Article,But I would suggest users go with third-party tools because third-party tools provide a safe, easy and quick solution to export Exchange mailboxes to Office 365. Shoviv Exchange Migration is one of those tools which provides a free trial version and a good technical support team.