Office 365 Evangelist » Office 365 Hybrid Deployment with Exchange 2010 SP2 – Part 3
So part 3 of this blog series is all about the benefits of the Exchange 2010 SP2 Hybrid Configuration Wizard. To recap: in Part 1 I set up my lab environment, and in Part 2 (let’s just forget about Part 1.5) I documented setting up Single Sign-On (SSO). As I mentioned in one of the previous parts (sorry, it was a long weekend of getting this done and writing about it), I used a great website from Microsoft, the Exchange Deployment Assistant site! This is a great resource to help plan and document the steps you need to do for any Exchange migration, not just a move to the cloud. As of now it has not been updated to include the Exchange 2010 SP2 Hybrid Configuration Wizard, but the great Microsoft team is working on getting it updated to include the SP2 steps for Exchange 2010.
Seriously, using Exchange 2010 SP2 saves you, the admin, about 45-50 configuration steps. The wizard that the Exchange and Online teams came up with in SP2 is nothing short of amazing. This shows Microsoft’s dedication to cloud computing! If you don’t believe me, first set up a Hybrid Deployment with Exchange 2010 SP1 and then use SP2!
Let’s get started. Below we follow up on Part 2 with the Hybrid Configuration Wizard; the instructions below are from the Deployment Assistant site, and from that point on I followed them.
- Move DLs to Azure AD so that Exchange Online users can manage them through Outlook. This can be accomplished through DL migration.
- Find a way for Exchange Online users to manage on-premises DLs. By using Forefront Identity Manager, DSQuery, or a Windows PowerShell script, you can provide a way for users to do so.
Although none of these solutions will get DL management to work the way it used to, I hope one of the solutions will fit your needs.
The best resource to consult is the Exchange Server 2013 Hybrid Deployments whitepaper. It covers all the details for setting up hybrid.
What is Exchange Hybrid?
Exchange Hybrid allows organizations to host Exchange servers on-premises that are connected to Exchange Online in Office 365. Organizations can share the same domain space across the hybrid environment and route inbound and outbound email securely between both environments. With Exchange Hybrid you get a unified GAL, shared free/busy, unified messaging, mailbox moves between environments, centralized mailbox management across environments, message tracking, mailbox search across environments, and so on.
On the “Credentials” page, enter the credentials for the on-premises Exchange administrator as well as the Office 365 Global administrator. Note the format of each username; this is important. If you try, for instance, to use domain\user when authenticating against the Office 365 tenant, authentication will fail.
When you have entered the credentials for each organization, click “Next”.
Figure 5: HCW Credentials page
On the “Domains” page, we need to enter the accepted domain we want to federate with the MFG (Microsoft Federation Gateway). In my case, it’s “office365lab.dk” (as you should know by now :)), so I enter that and click “Next”.
Figure 6: HCW Domains page
Okay, we have now reached the “Domain Proof of Ownership” page, and as you can see in Figure 7, my domain name is in a “Pending” status. This is because the HCW cannot verify the domain until we create a text (TXT) record for it in external DNS.
Reverse Proxy, ISA or TMG checks
If you're using a reverse proxy that uses pre-authentication for your deployment, you'll also need to examine its configuration. That's because the federated components of Exchange use token-based authentication to connect from Office 365 to your on-premises Exchange organization rather than traditional authentication against your Active Directory, and services such as the MRS Proxy don't support SSL offload for the EWS virtual directory.
Although there are more complicated ways of achieving it, the simplest way to ensure TMG doesn't cause any problems is to move your rules for the EWS and Autodiscover virtual directories into a dedicated rule with the following key settings:
- Allow All Users
- Exchange 2013: At least one server with the Mailbox and Client Access server roles installed. While it's possible to install the Mailbox and Client Access roles on separate servers, we strongly recommend that you install both roles on each server to provide additional reliability and improved performance.
- Exchange 2016 and newer: At least one server that has the Mailbox server role installed.
Hybrid deployments also support Exchange servers running the Edge Transport server role. Edge Transport servers also need to be updated to the latest cumulative update or update rollup available for the version of Exchange you've installed. We strongly recommend that you deploy Edge Transport servers in a perimeter network. Mailbox and Client Access servers can't be deployed in a perimeter network.
Office 365 Hybrid deployments are supported in all Office 365 plans that support Azure Active Directory synchronization. All Office 365 Enterprise, Government, Academic and Midsize plans support hybrid deployments. Office 365 Business and Home plans don’t support hybrid deployments.
- Try “sync now” and check the results.
- Set the sync interval (every day in our example).
- Check the list of the replicated users under “Administration -> Users” in the Forefront web GUI.
- Wait some minutes.
Multi-forest hybrid deployment prerequisites:
- Prerequisites for a multi-forest hybrid deployment are nearly the same as for single-forest hybrid deployments (refer to Section C), with the few exceptions mentioned below.
- Each Exchange organization should have Exchange 2013 with SP1.
- Each Exchange organization should have at least one SMTP and Autodiscover namespace published in such a way that Office 365 can query Autodiscover for each forest successfully.
- A different public certificate should be configured in each Exchange forest. The key thing to note is that the certificates installed on the Mailbox and Client Access (and Edge Transport, if deployed) servers used for mail transport in the hybrid deployment within a given Active Directory forest must all be issued by the same CA (for example, VeriSign or Go Daddy) and have the same common name. Across forests, however, the certificate used for hybrid deployment features in each forest of a multi-forest organization must be issued by a different third-party CA; for example, one forest would have a certificate issued by VeriSign and the other forest a certificate issued by Go Daddy.
- The common name (CN) of the certificate must also match the host being authenticated, which is typically the external hostname of the Client Access server in that Active Directory forest, for example mail.contoso.com.
- Microsoft Forefront Identity Manager (FIM) 2010 R2 or later with the Azure Active Directory (AAD) connector for Active Directory synchronisation, to synchronize mail recipients between each forest and the Office 365 tenant.
- Single sign-on is optional, but if the administrator wants to use SSO in a multi-org hybrid model, AD FS needs to be set up in each Active Directory forest, or a single SSO server can be configured if a two-way forest trust exists between the on-premises forests.
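As an added check that is not part of the original post, the following Python script encodes the certificate rules above (one CN and one CA per forest, CN equal to the external hostname, and different CAs across forests) and runs them over a constructed server inventory; the forest names, hostnames and CA names are made up for illustration.

```python
from collections import defaultdict

# Constructed inventory, one row per Exchange server that handles hybrid
# transport/EWS. Forest names, hostnames and CAs are made up; in practice the
# values would come from Get-ExchangeCertificate and the external hostnames
# published for each forest.
GOOD_INVENTORY = [
    {"forest": "contoso.local", "server": "EX01", "cn": "mail.contoso.com",
     "issuer": "VeriSign", "external_host": "mail.contoso.com"},
    {"forest": "contoso.local", "server": "EX02", "cn": "mail.contoso.com",
     "issuer": "VeriSign", "external_host": "mail.contoso.com"},
    {"forest": "fabrikam.local", "server": "FEX01", "cn": "mail.fabrikam.com",
     "issuer": "Go Daddy", "external_host": "mail.fabrikam.com"},
]
# Same layout, but EX02 carries a wildcard cert and fabrikam reuses contoso's CA.
BAD_INVENTORY = [
    dict(GOOD_INVENTORY[0]),
    dict(GOOD_INVENTORY[1], cn="*.contoso.com"),
    dict(GOOD_INVENTORY[2], issuer="VeriSign"),
]

def check_hybrid_certificates(inventory):
    """Return a list of findings; an empty list means every rule is satisfied."""
    findings = []
    by_forest = defaultdict(list)
    for row in inventory:
        by_forest[row["forest"]].append(row)
    issuers_by_forest = {}
    for forest, rows in by_forest.items():
        cns = {r["cn"].lower() for r in rows}
        issuers = {r["issuer"] for r in rows}
        # Within one forest every hybrid server must share one CN and one CA.
        if len(cns) > 1:
            findings.append(f"{forest}: more than one common name in use: {sorted(cns)}")
        if len(issuers) > 1:
            findings.append(f"{forest}: certificates from more than one CA: {sorted(issuers)}")
        # The CN must be the external hostname that Office 365 connects to.
        for r in rows:
            if r["cn"].lower() != r["external_host"].lower():
                findings.append(f"{forest}/{r['server']}: CN {r['cn']} != external host {r['external_host']}")
        issuers_by_forest[forest] = issuers
    # Across forests the hybrid certificates must be issued by different CAs.
    forests = sorted(issuers_by_forest)
    for i, a in enumerate(forests):
        for b in forests[i + 1:]:
            shared = issuers_by_forest[a] & issuers_by_forest[b]
            if shared:
                findings.append(f"{a} and {b} share CA {sorted(shared)}; multi-forest hybrid needs different CAs")
    return findings
```

Running the check over BAD_INVENTORY reports the wildcard CN on EX02, the resulting mismatch of common names in the contoso forest, and the shared CA between the two forests.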
Configure a Hybrid deployment in a multi-forest organization (flow)
1. Verify that you’ve met the hybrid deployment prerequisites listed above
   - Validate that Autodiscover is properly configured and published in each Exchange organization
   - Validate that the public certificates for each Exchange org are unique
   - Create a two-way forest trust
2. Configure mail flow on-premises
   - Configure SMTP domain sharing as required
   - Configure mail flow between the on-premises organizations
3. Configure directory synchronization
Hybrid Exchange Demonstration
Over a series of upcoming articles, I’ll walk through a Hybrid Exchange deployment scenario for an example organization. The Exchange Server Pro organization has an on-premises coexistence environment of Exchange Server 2010, 2013 and 2016, including the use of Edge Transport servers. Using this example organization I’ll demonstrate how to prepare and establish a Hybrid configuration, how to perform a variety of administration tasks, and how to leverage Office 365 features in a Hybrid environment.