Hybrid deployment in Office 365 | Checklist and pre requirements
In the current article, we will review: The pre-requirements of Exchange hybrid environment Best practices and recommendation for the required preparations Tools and methods that will help us to check and verify if the on-Premises environment was configured correctly. The term Hybrid configuration or a Hybrid environment, describe a scenario in which two separated Exchange organizations that belong to different Active Directory forests are working as a “one unit”. The term Hybrid configuration was created, for describing this type of relationship between the Exchange On-Premise infrastructure and the cloud (Exchange Online) infrastructure. For example, in the following diagram, we see the logical concept of Hybrid environment. The Public Domain name: o365info.com, configured as a “shared Domain”. The meaning is that two separate Exchange infrastructure “represent” this domain name or shared between them the same domain name. When looking at the diagram, we can see two recipients: Bob@o365info.com andAlice@o365info.com Technically, the recipient mailboxes must be configured on the Exchange on-Premises server or at the Exchange Online server, but logically, Bob and Alice don’t know where their mailboxes hosted. In case that Bob mailbox is hosted on the Exchange on-Premises server and Alice’s mailbox is hosted on an Exchange Online server, Bob and Alice will have all the standard Exchange services such as: Free\Busy time, mail tips and more as if they are hosted in the same Exchange organization. The reason is that the Hybrid environment, “connect” the two distinct Exchange environments and making them appear as one entity. Hybrid configuration relationships and Trust concept As mentioned before, the Hybrid configuration was designed for “connecting” two different Exchange environments and make them operate as one entity. A trust concept implements the “glow” between the two distinct environments. Federation trust – each of the Exchange environments (on-Premises + cloud) needs or must trust a “third element” named: MFG – Microsoft’s federation gateway (number 1 in the diagram). Exchange organization relationships – a trust model between two separate Exchange organizations. In Hybrid environment, the Exchange organization relationship is implemented between the Exchange on-Premises forest and the “Office 365 forest” (Exchange Online) (number 2 in the diagram). The Hybrid configuration and the “Trust model” enable each of the “end points” (Exchange on-Premises and Exchange Online) to: Authenticate each other Verify the identity of each other Create a secure communication channel: Encrypt the information and implement data integrity by using a public certificate and by using a secure communication protocol such as SMTP\TLS and HTTPS. Simple Exchange on-Premises environment versus complicated environment. The term “Hybrid configuration” could use in describing a very simple scenario in which the organization has only one Exchange on-Premises server, who serves as a Hybrid server and is responsible for creating the “communication channel” between the on-Premises environment and the “cloud” (Exchange Online). Another scenario of Hybrid configuration could be a more complicated scenario, which is more common in enterprise environments that have complicated Exchange on-Premises infrastructure. In this scenario, the “relationship” between the Exchange Online and the “on-Premises Exchange infrastructure” could be divided into many “communication channels” with different\separated Exchange on-Premises servers. For example – the mail flow between Exchange on-Premises and Exchange Online could be implemented by using a “dedicated” Exchange on-Premises server which will be configured for sending mail to Exchange Online and, other Exchange on-Premises server which will be configured to “accept” mail from Exchange Online. Another Exchange on-Premises server could assign to different roles\services such as dedicated Exchange on-Premises server who will provide AutoDiscover services, dedicated Exchange on-Premises server who will provide EWS services and so on. Pre-requirements for Hybrid deployment in Office 365 In the next sections, we will review each of the components that includes in the “Pre-requirements for Hybrid environment list.” 1. Exchange Hybrid Server Version The term “Exchange Hybrid server” is just a logical term that describes Microsoft Exchange server which can be a part of a Hybrid environment. Note – the Hybrid environment based on two different “end point” such as Exchange on-Premises environment and the “cloud” (Exchange Online) environment. At the current time, the “cloud side” of the Hybrid configuration is based on Exchange 2013 SP1 technology. The Exchange on-Premises server “Hybrid server” could be implemented by using: Exchange 2010 SP3 Exchange 2013 Exchange 2016 Exchange 2010 SP3 as Hybrid server In case that we want to use an Exchange 2010 as a Hybrid server, the minimum requirement is service pack 3. Besides of the requirement for Service Pack 3, the best practice is: to install the most updated Exchange Rollup versions because each of the software updates (Exchange Rollup) includes a solution to issues\problem that was discovered and the fixed is included in the Rollups. Many times the customer or the organization IT will “resist” to the recommendation of “installing the most updated Exchange rollup“ but, it’s important to emphasize that installing the most updated Rollups can prevent many of the future problems and consider as an important factor in the process of building the Hybrid environment. The following quotation relates to Rollups 4 for Exchange 2010 SP3, but you get the idea. Additionally, we recommend installing future Update Rollups 4 for Exchange 2010 SP3 on all your hybrid servers. Microsoft releases update rollup packages approximately every six to eight weeks. The rollup packages are available via Microsoft Update and the Microsoft Download Center. In the Search box on the Microsoft Download Center, type “Exchange 2010 SP3 updates rollup” to find links to the rollup packages for Exchange 2010 SP3. [Source of information: http://technet.microsoft.com/en-us/library/hh945197(v=exchg.141).aspx ] Download link for the required Exchange on-Premises server software updates Exchange 2010 | How can I know what is the current Exchange Rollup? In case that you want to get information about the existing status of the Exchange 2010 on-Premises server, you can view the current version by using the Help menu and click on the About Exchange server 2010. In the following screenshot, we can see that the Exchange on-Premises server version is:14.03.0.195.001 So the next question could be: how can I know what is the Exchange on-Premises server service pack or rollup version based on this number? To be able to “translate” the value to a clearer information, we can use the article: http://social.technet.microsoft.com/wiki/contents/articles/240.exchange-server-and-update-rollups-build-numbers.aspx In the following screenshot, we can see that the version number: 14.3.195.1 is “telling” us that the Exchange 2010 on-Premises server includes an installation of Service Pack 3 + Rollup 6 for Exchange 2010 SP3. In this case, we will need to download and install to most updated Rollup (for example Rollup 9) The Cumulative Update (CU), Rollup, and Service Packs you have running on the on-premises server should also not be overlooked. Under normal circumstances we support you being no more than two updates behind the currently released update for Exchange; however, for hybrid environments, we are stricter, and you should not be more than one build behind. If the latest update is Exchange 2013 CU9, then you must have either Exchange 2013 CU9 or CU8 to be considered in a supported state. We are stricter with our hybrid requirements because of how tightly the on-premises and Exchange Online environments will be coupled together. For more information on our available updates please go https://technet.microsoft.com/en-us/library/Hh135098(v=EXCHG.150).aspx. [Source of information – http://blogs.technet.com/b/exchange/archive/2015/08/10/hybrid-deployment-best-practices.aspx] New Hybrid server versus existing Exchange On-Premise In case that the organization Exchange infrastructure based on older versions of Exchange such as Exchange 2003, 2007, we will need to “add” or install a new Exchange on-Premises server (2010 SP3 or 2013) that will serve as the “Hybrid server.” The “New” Exchange On-Premise Hybrid server can implement as Exchange 2010 or Exchange 2013 or Exchange 2016 but, the best practice is to install Exchange 2016 server instead Exchange 2013 or 2010 because Exchange 2016 includes improving features that relate to the Hybrid environment. You can read more information about the improvement in Exchange On-Premise 2016: Exchange Server 2016 Hybrid Perks Microsoft released its Exchange Server 2016 product https://redmondmag.com/articles/2015/10/01/exchange-server-2016-released.aspx. While the new product is an Exchange Server 2013 facelift of sorts, it was built based on Microsoft's Exchange Online service. Exchange Server 2016 has improved backend search and e-discovery capabilities, plus improved Outlook client support, among other features. It has other hybrid support benefits, according to a Microsoft TechNet library article updated in late January. Those benefits include: Secure e-mail routing between the two instances Use of a "shared domain namespace" for messages A shared address book (also known as "a unified global address list") Calendar sharing Mailbox mobility Centralized management via the Exchange Admin Center 2. Exchange On-Premise Hybrid Server | Public IP Address And Public Name (FQDN) Hybrid configuration is all about enabling Exchange On-Premise server which is configured as “Hybrid server” to create a communication channel with the Exchange Online infrastructure that exists in a public network. To be able to communicate hosts or “endpoint” on a Public network, the Exchange Hybrid server must have: Public Name – The public name of the Exchange Hybrid server should be published in the Public DNS and should resolve to the Public IP of the Exchange Hybrid server. Public IP address – A Public IP address that “Point” to the Exchange Hybrid server should be assigned. Most of the time, the Public IP address will not directly attach to the Exchange on-Premises server, but instead, the Public IP will be allocated to a Firewall server. Th eFirewall will accept the communication requests to the Exchange on-Premises server and forward the request to the internal IP address of the Exchange on-Premises server. Note – In case that we use more complicated scenario in which the on-Premises environment is “represented” by more than one Exchange on-Premises server, each of the Exchange On-Premise servers will need to have a dedicated Public IP. For example, in case that the Outbound mail flow based on two Exchange on-Premises servers who can send mail to the Exchange Online server, each of this server will need to have a dedicated Public IP address. How can I know what is the Public name of the Exchange On-Premise? The simple answer is that if you are the Exchange On-Premise Administrator, you supposed to know what the Exchange On-Premise public name is but, in some scenarios, we will have to configure and hybrid deployment in an environment which we are not familiar with. One option to get information about the “Public name” of the Exchange On-Premise server is by looking at the “External URL” that appears in the “client access” section under server configuration in the Exchange MMC (when we use Exchange 2010 MMC). In the following example, we will look under the “Server configuration\Client access\EX01” Exchange server “publish a ” couple of services. In our example, we look at the ECP tab (the ECP tab includes the Internal + External URL of the Exchange server using the web management interface). We can see that the “pubic name” (External URL) of the Exchange On-Premise is:mail.o365info.com Note – the External URL information includes parts that are only relevant for the URL syntax. Part of the URL is the host FQDN (Fully Qualified Domain Name). In our scenario, we are looking only for the Public Exchange server name (mail.o365info.com). Verify that the Exchange Hybrid Server Public name (FQDN) is mapped to his Public IP The verification process of the Exchange On-Premise Public IP is very simple. Open the command prompt and Ping the Public name of the Exchange On-Premise server. In our example, the Exchange On-Premise public name is: mail.o365info.com In the following screenshot, we can see that we got as an “answer” the public IP of the Exchange On-Premise server. One of the most common misconceptions is – that there is a problem because we got a “Request timed out”. This response is not a sign of a problem because, the host whom we “ping” (Exchange On-Premise in our scenario), was not supposed to reply to the ping request. This is a foreseeable result because most of the time the organization Firewall blocks the ICMP protocol (that used for the Ping reply). To recap: the fact that we got a response the Public IP is the required results, meaning the Exchange on-Premises server have a public name + Public IP address. Note – besides of verifying the Exchange Hybrid server public name and Public IP; we will need to check additional parameters such as the ability to access the Exchange Hybrid server using a particular protocol and so on. In the next sections, we will review these other requirements 3. Exchange On-Premise Hybrid Server | Port Number And Protocols Hybrid configuration based on sharing data and services between Exchange Online and Exchange on-Premises server. The communication channel implemented by using two communications protocols: HTTPS – access to the Exchange services (from Exchange on-Premises server to Exchange Online and vice versa) implemented by using the HTTPS protocol. SMTP – the SMTP protocol used for implementing mail flow, and the data is encrypted using TLS (TLS over SMTP). The underlying assumption is that – the Exchange on-Premises server protected by a Firewall. To be able to implement the communication channel, between the Exchange on-Premises server and the Exchange Online successfully, we will need to verify that the Firewall includes the following inbound and outbound rules: The inbound rule that enables to access the Exchange on-Premises server using port 25 (SMTP) and 443 (HTTPS). The outbound rule that enables the Exchange on-Premises server to access Exchange Online using the port 25 (SMTP) and 443 (HTTPS). Reference from Microsoft article The following screenshot is taken from a Microsoft article and includes a table the describe the port number and the services that need to enabled for Hybrid configuration 4. Exchange On-Premise Hybrid Server| Public IP Address And Static NAT An important factor that we need to verify is that the Exchange on-Premises server is using the public IP address that was assigned to him when he responds to a communication request of external hosts or when he initializes a connection to an external host. The technical term for this scenario could be as a “two-way static NAT”. For example: when using the Exchange 2010 Hybrid configuration wizard, we need to provide the public IP of the Exchange on-Premises server which is “allowed” to send an E-mail to the Exchange Online server. When the Exchange on-Premises server communicates the Exchange Online, it is important that the Exchange on-Premises server use the public IP that configured in the Exchange hybrid wizard. Other examples could be when the Exchange Online starts a communication process to the public IP of the Exchange on-Premises server. In this case, the Exchange Online server is “waiting” for a response from the IP address that used for starting the communication channel. An example for the static NAT rule could be: n the following diagram, we can see an example of static NAT rule. When external hosts such as Exchange Online try to communicate with the Public IP of the Exchange On-Premise server, the “response” from the Exchange on-Premises server implemented by using the same public IP address that we use for “publishing” the Exchange on-Premises server. 5. ISA-TMG Server And A Firewall Server When using ISA\TMG server to publish an Exchange On-Premise server, the configurations are a little bit different compares to a “standard Firewall” because, ISA\TMG is a Proxy server and additionally, Firewall server. When using a “Standard Firewall,” we redirect the communication to the internal Exchange On-Premise server by using a simple “access rule”. When using ISA\TMG Firewall, redirection to the internal Exchange On-Premise server is implemented by using a: Web publishing rule. The ISA\TMG web publishing rule relates to a particular or pre-configured Exchange On-Premise “path” such as -OWA, EWS an additional component that used in the ISA\TMG environment is the Authentication settings. Because ISA\TMG is a proxy server, many times the configuration of the authentication process implemented in the following way: external host authenticates (provide his credential) to the ISA\TMG, the ISA\TMG server approves or disapproves the credentials and if the complete successfully ISA\TMG will “forward in” the communication request of the external hosts. In the hybrid environment, this configuration will cause problem and errors. In simple words: when we publish Exchange On-Premise server using ISA\TMG server, we need to cancel or disable the option in which ISA\TMG server is authentication external host’s communication request. 6. Firewall Inbound And Outbound Access Policy | Office 365 And Exchange Online Public IP Range In many organizations, because of a regulation or other security requirements, there is an implementation of outbound and inbound policy that restricts access only to a dedicated or a predefined IP range. For example: when we say:” Exchange on-Premises server is creating a communication channel with Exchange Online,” what does is mean from the “IP range” point of view? Does Exchange Online infrastructure represented by a particular or a predefined public IP range? The answer to this question is: “Yes.” All the Office 365 environment such as – the Windows Azure Active Directory, Exchange Online, SharePoint Online and so on, based on a “publish” or well-known public IP range. The implementation of Outbound and inbound firewall rules that restrict the access only to a specific or a predefined IP range consider as “good practice” from the security point of view. But, at the same time, can complicate and interrupt the process of the “first-time configuration” that we use for building the “Hybrid communication channel” between the Exchange On-Premise and the Exchange Online server.
HCW Error when configuring the mail flow
Hi All, im trying to run the HCW and i have the below error when it reach the mail flow configuration. HCW0000 PowerShell failed to invoke 'New-InboundConnector': Parameter count mismatch. An unexpected error has occurred and a Watson dump is being generated: Parameter count mismatch ThanksConfiguring your Exchange hybrid deployment, in a nutshell
This less than 5-min video provides key information on how to setup an Exchange Hybrid Deployment. In addition, the articles below contain updates on topics covered by this video, along with their main takeaways, in bold. Subtitles in brazilian portuguese (my native language) are also available, which can be enabled/disabled from the built-in YouTube player. Enjoy!!! https://blogs.technet.microsoft.com/exchange/2015/08/10/hybrid-deployment-best-practices/ "Should we have a hybrid specific URL? - We have seen deployments where a decision is made to keep the existing Mail.Contoso.com and Autodiscover.Contoso.com pointing to a bank of Exchange 2010 servers and have a new hybrid URL, such as hybrid.Contoso.com, pointing to a couple of Exchange 2013 servers. This is an example of an environment that did not introduce Exchange 2013 in a recommended way. "Some might ask: “Can I keep just my hybrid server up to date?” The answer: there is no such thing as a “hybrid server” (meaning that companies shouldn't add Exchange servers exclusively for hybrid, unless the sizing says it differently). What this question is really asking is: “Can I just update the server were I plan to run the Hybrid Configuration Wizard (HCW) from?” The answer to that is “No.”" https://technet.microsoft.com/en-us/library/hh534377(v=exchg.150).aspx "Before you create and configure a hybrid deployment using the Hybrid Configuration wizard, your existing on-premises Exchange organization needs to meet certain requirements. If you don't meet these requirements, you won't be able to complete the steps within the Hybrid Configuration wizard and you won't be able to configure a hybrid deployment between your on-premises Exchange organization and Exchange Online." https://technet.microsoft.com/en-us/library/dn249970.aspxExchange Queue & A: Handling hybrid environments "With older hybrid servers—that is, hybrid servers running Exchange 2010—you need to create an Autodiscover record in DNS for all SMTP domains. Also, the SAN certificate has to include all used autodiscover DNS records in the SAN list. With the Autodiscover domain feature, you have the option of setting one of your SMTP domains as the Autodiscover domain. This is indeed a great new feature of Exchange Server 2013." https://blogs.technet.microsoft.com/exchange/2015/09/04/introducing-the-microsoft-office-365-hybrid-configuration-wizard/ "This article tells you what’s new and shows you how to run the wizard. We also explain the various issues that have been addressed with the new Wizard, and touch on some of the telemetry we pull with every run of the wizard." https://technet.microsoft.com/en-us/library/hh529921(v=exchg.150).aspx "This topic gives you an overview of the Exchange hybrid deployment configuration process, hybrid deployment features and options available to you, and the Hybrid Configuration Engine, which executes the core actions necessary for both configuring and updating a hybrid deployment." https://configure.office.com/Scenario.aspx?sid=13 https://support.office.com/en-us/article/Add-multiple-domains-to-Office-365-2d2fa996-b760-411d-a5cc-190d63f13207?ui=en-US&rs=en-US&ad=US *** UPDATE on 10/17/2017: Added a note to the top of this post to make it clear that there's actually not such a thing as hybrid servers. Thanks so much https://blogs.technet.microsoft.com/tiagosouza/ for the feedback!
Password write back with Office 365 E3 License.
Hi, We are going to migrate 600 users from Exchange On-premise to Office 365 E3 license. We are synching On-Premise Active Directory with Azure AD using Azure AD Connect Server with Pass-Through Authentication agent. With the On-premise Exchange server, all the users can reset their password through OWA. When their password expired When do they wish to change the password As I read, Password write-back is not licensed as part of Office 365 E3 license. Can the users change their password from https://outlook.office.com/mail/ when their password is expired or when they wish to change the password? Thanks
Office 365 Migration - Azure AD before Mailbox migrations?
Hi guys, A couple of quick questions regarding a cut-over migration to Office 365. A small number of staff here in the office (total 7), have been using Office 365 for the past year. Mostly for Sharepoint & SFB, and with no on-premise AD Sync. We're purchasing new licenses, and we now what to move all users (approx 15 in total) from our on-premise 2013 to Exchange Online, and merge/sync our on-premise AD user accounts with Azure AD using Azure AD Connect. We've been doing some research, and it seems like a cut-over migration is the simplest way to go for our environment. My two questions are: 1. For a cut-over migration, is it better to migrate the mailboxes to Exchange online first and then configure/sync Azure AD Connect. 2. What should we do with the current 365 accounts? We would like to be able to merge these current 365 accounts with the corresponding on-premise identities that are to be migrated/synced (e.g. We want to merge the 365 account brendan@mycompany.onmicrosoft.com with brendan@mycompany.com on-premise AD account). Is this possible with a cutover migration? Or do we need to delete the current 365 accounts, to be able to migrate the on-premise mailboxes? Any info or insights would be greatly appreciated. Thanks Brendan
