Exchange Hybrid Deployment with Office 365 - Part I

This blog is part I of my series "Exchange Hybrid Deployment with Office 365". It covers an overview of Exchange hybrid deployment, its advantages and considerations, what happens behind the scenes when the hybrid configuration is applied, and, last but not least, the steps to deploy Exchange hybrid.

A) What is Exchange Hybrid Deployment:

A hybrid deployment lets an on-premises Exchange organization and a cloud organization work together as a single, seamless organization. In other words, a hybrid deployment provides the look and feel of one Exchange organization spanning an on-premises Exchange Server 2013 organization and Exchange Online in Microsoft Office 365.

B) Benefits of Exchange Hybrid:

  • Exchange Online users and on-premises users can share free/busy calendar data with each other.
  • Hybrid enables secure (TLS-protected) mail routing between the on-premises and Exchange Online organizations.
  • Administrators can use the familiar Exchange management tools to move users to Exchange Online.
  • OWA redirection sends users from the on-premises environment to the Office 365 Outlook Web App environment.
  • MailTips, out-of-office messages and similar features understand that Office 365 and on-premises users are part of the same organization.
  • Delivery reports and multi-mailbox search work for users on-premises and for users in Exchange Online.
  • Authentication headers are preserved during cross-premises mail flow, so all mail looks and feels internal to the company (for example, recipient names resolve in the GAL).
  • Directory synchronization gives you a unified GAL.
  • If necessary, administrators can easily move mailboxes back to the on-premises Exchange environment.
  • Cloud-based message archiving is available for on-premises Exchange mailboxes.
  • Administrators do not have to manually reconfigure Outlook profiles or resynchronize .OST files after they move users' mailboxes.

 

C) Exchange Hybrid Prerequisites:

  • An on-premises Exchange organization. You can set up hybrid with Exchange 2010 SP3 or Exchange Server 2013.
  • Office 365 for Enterprises (the tenant's AdminDisplayVersion value should be 15.0.620.28 or greater).
  • The Windows Azure Active Directory Sync tool (DirSync) or Azure AD Sync (AAD Sync).
  • A certificate from a trusted third-party CA.
  • AD FS (single sign-on) is optional but strongly recommended.

More details: https://technet.microsoft.com/en-in/library/hh534377(v=exchg.150).aspx

D) Exchange Hybrid Considerations:

  1. On-premises mailbox permissions such as Send As, Receive As and Full Access that are explicitly applied on the mailbox are migrated to Exchange Online, provided the Exchange Online tenant has been fully synchronized with DirSync or AAD Sync.
  2. Inherited (non-explicit) mailbox permissions, such as permissions applied at the mailbox-database level, and any permissions on non-mailbox objects (such as distribution lists or mail-enabled users) are not migrated. You therefore have to recreate these permissions in Exchange Online with the Add-MailboxPermission or Add-RecipientPermission cmdlets.
  3. Cross-premises permissions: mailbox permissions such as Send As, Receive As and Full Access are not supported when the user accessing the mailbox is in Exchange Online but the target mailbox is on-premises, or vice versa. To get around this limitation, move the mailboxes of the users who have access to a given mailbox in the same batch as that mailbox, so that delegate scenarios continue to work.
  4. If your organization has multiple on-premises Exchange organizations, you must deploy Exchange 2013 SP1 or later servers in each on-premises organization to configure a hybrid deployment with Office 365.
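The following is an added example, not code from the original post, showing one way to do what considerations 2 and 3 ask for: collect the explicit (non-inherited) Full Access and Send As permissions of a batch of mailboxes on-premises and recreate them in Exchange Online with Add-MailboxPermission / Add-RecipientPermission, skipping any trustee that has not been moved yet. The mailbox list, the tenant connection URI and the credential prompt are assumptions you replace with your own; it runs from the on-premises Exchange Management Shell after the batch has been moved.

```powershell
# Added example (not code from the original post). Copies explicit Full Access
# and Send As permissions for a batch of moved mailboxes to Exchange Online.
# Run from the on-premises Exchange Management Shell. The mailbox list, the
# connection URI and the credential prompt are placeholders (assumptions).

$Mailboxes = @('alice@contoso.com', 'bob@contoso.com')   # constructed sample batch

function Get-ExplicitDelegates {
    param([string]$Mailbox)

    # Only explicit, non-deny entries for real principals are migrated; inherited
    # entries and the SELF / NT AUTHORITY / raw-SID entries must not be recreated.
    $isCandidate = {
        -not $_.IsInherited -and -not $_.Deny -and
        $_.User -notlike 'NT AUTHORITY\*' -and $_.User -notlike 'S-1-5-*'
    }

    $fullAccess = Get-MailboxPermission -Identity $Mailbox |
        Where-Object $isCandidate |
        Where-Object { $_.AccessRights -contains 'FullAccess' } |
        ForEach-Object { [pscustomobject]@{ Mailbox = $Mailbox; Trustee = [string]$_.User; Right = 'FullAccess' } }

    # Send As is an AD extended right on the user object, not part of the mailbox ACL.
    $dn = (Get-Mailbox -Identity $Mailbox).DistinguishedName
    $sendAs = Get-ADPermission -Identity $dn |
        Where-Object $isCandidate |
        Where-Object { $_.ExtendedRights -like '*Send-As*' } |
        ForEach-Object { [pscustomobject]@{ Mailbox = $Mailbox; Trustee = [string]$_.User; Right = 'SendAs' } }

    @($fullAccess) + @($sendAs)
}

function Resolve-TrusteeAddress {
    param([string]$Trustee)   # DOMAIN\sAMAccountName, as the on-premises cmdlets return it
    # The tenant does not know DOMAIN\account names; use the primary SMTP
    # address, which directory synchronization carries across.
    $rcpt = Get-Recipient -Identity $Trustee -ErrorAction SilentlyContinue
    if ($rcpt -and $rcpt.PrimarySmtpAddress) { return [string]$rcpt.PrimarySmtpAddress }
    return $null   # not mail-enabled on-premises, so it does not exist in the tenant
}

$delegates = foreach ($m in $Mailboxes) { Get-ExplicitDelegates -Mailbox $m }

# Remote PowerShell to the tenant; the endpoint below is an assumed value.
$TenantCred = Get-Credential -Message 'Office 365 Global Admin'
$exo = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $TenantCred -Authentication Basic -AllowRedirection
Import-PSSession $exo -Prefix EXO -DisableNameChecking | Out-Null

foreach ($d in $delegates) {
    $trustee = Resolve-TrusteeAddress -Trustee $d.Trustee
    if (-not $trustee) { Write-Warning "$($d.Mailbox): trustee $($d.Trustee) is not mail-enabled, skipping"; continue }

    # Consideration 3: cross-premises delegation is unsupported. A trustee whose
    # mailbox is still on-premises appears in the tenant as a MailUser, not a mailbox.
    $tenantTrustee = Get-EXORecipient -Identity $trustee -ErrorAction SilentlyContinue
    if (-not $tenantTrustee -or $tenantTrustee.RecipientType -eq 'MailUser') {
        Write-Warning "$($d.Mailbox): trustee $trustee has not been moved yet; move it in the same batch"
        continue
    }

    if ($d.Right -eq 'FullAccess') {
        Add-EXOMailboxPermission -Identity $d.Mailbox -User $trustee -AccessRights FullAccess -InheritanceType All | Out-Null
    } else {
        Add-EXORecipientPermission -Identity $d.Mailbox -Trustee $trustee -AccessRights SendAs -Confirm:$false | Out-Null
    }
    "$($d.Right) on $($d.Mailbox) granted to $trustee"
}

Remove-PSSession $exo
```

The script deliberately checks the trustee's recipient type in the tenant before granting anything: a MailUser in Exchange Online is the synchronized shadow of a mailbox that still lives on-premises, so granting it Full Access or Send As would only recreate the unsupported cross-premises situation from consideration 3.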

  

E) What happens behind the scenes when running hybrid setup

First, the Hybrid Configuration wizard creates the HybridConfiguration object in your on-premises Active Directory. This object stores the hybrid configuration information (the "desired state") for the hybrid deployment and is updated by the wizard each time it runs.

1. The Update-HybridConfiguration cmdlet triggers the Hybrid Configuration Engine to start.

2. The Hybrid Configuration Engine reads the "desired state" stored on the HybridConfiguration Active Directory object.

3. The Hybrid Configuration Engine connects via Remote PowerShell to both the on-premises and the Exchange Online organization.

You can see both PowerShell connections being opened in the hybrid update log, for example:

[12/20/2014 15:35:26] INFO:Opening runspace to https://onpremise/powershell?serializationLevel=Full
[12/20/2014 15:35:26] INFO:Successfully connected to On-Premises

[12/20/2014 15:35:26] INFO:Opening runspace to https://ps.outlook.com/powershell-liveid/powershell.htm?serializationLevel=Full;clientApplication=EMC;ExchClientVer=14.3.123.4
[12/20/2014 15:36:12] INFO:Successfully connected to Tenant

4. The Hybrid Configuration Engine discovers topology data and the current configuration from both the on-premises Exchange organization and the Exchange Online organization.

5. Based on the desired state, the topology data and the current configuration across both organizations, the engine computes the "difference" and then executes the configuration tasks needed to reach the "desired state".

6. The resulting desired state stays on the HybridConfiguration object and can be read back at any time with Get-HybridConfiguration.

Now, let's look at the steps involved in setting up hybrid with my Exchange 2013 SP1 server and Office 365 tenant.

1. Log on to the on-premises Exchange server and start the hybrid setup from the EAC (hybrid node).

2. Select the hybrid domain(s) as per your setup requirement.

3. View/copy the domain proof token, publish it as a TXT record with your DNS provider (ISP), and once verification succeeds hit Next.

4. Choose the transport options. This setting depends on your requirement; the main choice is whether to enable centralized mail transport, which routes outbound mail from Exchange Online through the on-premises organization.

5. Choose the Exchange 2013 Client Access server(s) that will receive mail from Exchange Online.

6. Choose the Exchange 2013 Mailbox server(s) that will send mail to Exchange Online.

7. Select the transport certificate from the drop-down. This is the third-party certificate installed on the servers chosen in steps 5 and 6.

8. Enter the external FQDN of the Client Access server (for example mail.contoso.com).

9. Enter an on-premises AD account that is a member of the Organization Management role group.

10. Enter an Office 365 Global Admin account.

11. Choose Update to configure hybrid. This fires the Hybrid Configuration Engine, which performs the configuration in the background.

12. Upon completion, hit Close.

 

 

Wow!! At this point my hybrid deployment is all set.
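Since the wizard shows little beyond "completed", it is worth reading back what the engine actually wrote. The following is an added example, not code from the original post: it reads the "desired state" object from step 6 of section E and the objects derived from it on the on-premises side, then opens the same kind of Remote PowerShell session to the tenant that the hybrid update log shows and lists the tenant half of the configuration. The test user, the tenant connection URI and the credential prompt are assumptions.

```powershell
# Added example (not code from the original post). Reads back the hybrid
# configuration on both sides after the wizard has run. Run from the
# on-premises Exchange Management Shell. The test user, connection URI and
# credential prompt are placeholders (assumptions).

$TestUser   = 'alice@contoso.com'            # an on-premises mailbox for the federation tests (assumed)
$TenantCred = Get-Credential -Message 'Office 365 Global Admin'

# --- On-premises: the "desired state" the wizard maintains ------------------
$hc = Get-HybridConfiguration
$hc | Format-List Domains, Features, SendingTransportServers, ReceivingTransportServers,
                  TlsCertificateName, OnPremisesSmartHost, ExternalIPAddresses

# Objects the engine derives from that state: federation trust, organization
# relationship, and the TLS-secured connectors used for cross-premises mail.
Get-FederationTrust | Format-List Name, ApplicationUri, TokenIssuerUri
Get-OrganizationRelationship | Format-List Name, DomainNames, TargetAutodiscoverEpr,
                                           FreeBusyAccessEnabled, MailboxMoveEnabled, Enabled

# The wizard names its send connector "Outbound to Office 365" by default.
Get-SendConnector | Where-Object { $_.Name -like 'Outbound to Office 365*' } |
    Format-List Name, AddressSpaces, SmartHosts, TlsDomain, TlsCertificateName, RequireTLS

# On each receiving server the wizard stamps the tenant TLS domain on the
# frontend receive connector, so only a matching certificate is accepted.
foreach ($server in $hc.ReceivingTransportServers) {
    Get-ReceiveConnector -Server $server |
        Where-Object { $_.TlsDomainCapabilities.Count -gt 0 } |
        Format-List Identity, TlsDomainCapabilities, TlsCertificateName
}

# End-to-end checks: can a user obtain a delegation token from the Microsoft
# Federation Gateway, and does the organization relationship answer?
Test-FederationTrust -UserIdentity $TestUser | Format-Table Id, Type, Message -AutoSize
$rel = Get-OrganizationRelationship | Select-Object -First 1
Test-OrganizationRelationship -Identity $rel.Identity -UserIdentity $TestUser -Verbose

# --- Exchange Online: the tenant half of the same configuration ---------------
# The endpoint below is an assumed value; the hybrid update log above shows the
# equivalent "powershell-liveid" runspace the engine itself opens.
$exo = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $TenantCred -Authentication Basic -AllowRedirection
Import-PSSession $exo -Prefix EXO -DisableNameChecking | Out-Null

Get-EXOOrganizationRelationship | Format-List Name, DomainNames, TargetAutodiscoverEpr, FreeBusyAccessEnabled, Enabled
Get-EXOInboundConnector  | Format-List Name, ConnectorType, TlsSenderCertificateName, RequireTls, SenderDomains
Get-EXOOutboundConnector | Format-List Name, ConnectorType, SmartHosts, TlsDomain, TlsSettings, RecipientDomains
Get-EXOAcceptedDomain    | Format-Table DomainName, DomainType, Default -AutoSize

Remove-PSSession $exo
```

Two things to look at in the output: the TlsCertificateName on the send and receive connectors must be the certificate you picked in step 7 (a mismatch is the usual cause of cross-premises mail sitting in queues), and the inbound connector in the tenant must be of type OnPremises with RequireTls set, otherwise the "authentication headers are preserved" benefit from section B does not apply to mail arriving from your servers.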

 

F) What's New with Exchange Hybrid

Exchange 2013 SP1 hybrid now supports multiple on-premises Exchange organizations configured against a single Office 365 tenant.

Exchange Forest contoso.com ======> Office 365 Tenant <===== Exchange Forest fabrikam.com

Multi-forest hybrid deployment prerequisites:

  • The prerequisites for a multi-forest hybrid deployment are nearly the same as for a single-forest deployment (refer to section C), with the few exceptions listed below.
  • Each Exchange organization must be running Exchange 2013 SP1 or later.
  • Each Exchange organization must publish at least one SMTP namespace and one Autodiscover namespace such that Office 365 can query Autodiscover for each forest successfully.
  • Each forest must use a different public certificate for the hybrid features, issued by a different third-party CA; for example, one forest uses a certificate issued by VeriSign and the other a certificate issued by Go Daddy. Within a single forest, however, the certificate installed on the Mailbox and Client Access (and Edge Transport, if deployed) servers used for hybrid mail transport must be the same for all of them: issued by the same CA and with the same common name.
  • The common name (CN) of the certificate must match the host being authenticated, which is typically the external hostname of the Client Access server in that forest, for example mail.contoso.com.
  • Microsoft Forefront Identity Manager (FIM) 2010 R2 or later with the Azure Active Directory (AAD) connector is required to synchronize mail recipients in each forest to the Office 365 tenant.
  • Single sign-on is optional, but if you want SSO in the multi-forest hybrid model you need AD FS in each Active Directory forest, or a single SSO (AD FS) deployment if a two-way forest trust exists between the on-premises forests.

Configure a hybrid deployment in a multi-forest organization (flow)

  1. Preparation
     • Verify that you have met the hybrid deployment prerequisites listed above.
     • Validate that Autodiscover is properly configured and published in each Exchange organization.
     • Validate that the public certificates of the Exchange organizations are unique (issued by different CAs).
     • Create a two-way forest trust.

  2. Configure mail flow on-premises
     • Configure SMTP domain sharing as required.
     • Configure mail flow between the on-premises organizations.

  3. Configure directory synchronization
     • Configure FIM with the AAD connector to synchronize mail recipients from each forest to the Office 365 tenant.

  4. Run the Hybrid Configuration wizard
     • Prepare the Office 365 tenant.
     • Run the HCW in each forest (see the TechNet article "Create a hybrid deployment with the Hybrid Configuration wizard").
     • Validate mail flow between all entities.

  5. Configure AD FS (optional)
     • Configure AD FS in contoso.com.
     • Configure AD FS in fabrikam.com.
     • For more information, see "Single sign-on with hybrid deployments".
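The Autodiscover and certificate checks in the Preparation step can be scripted from outside the forests, which is also how Office 365 sees them. The following is an added example, not code from the original post: for each forest it confirms that autodiscover.<smtp domain> resolves, connects to the external Client Access hostname over TLS, checks that the certificate names that host (CN or SAN) and chains to a trusted CA, and finally checks that the forests do not share an issuing CA. The forest table (contoso.com and fabrikam.com with mail.<domain> hostnames) is constructed from the names used above and is a placeholder for your own.

```powershell
# Added example (not code from the original post). Checks the multi-forest
# Autodiscover and certificate prerequisites from the outside. The forest
# table is a constructed placeholder (assumption) built from the names above.

$Forests = @(
    @{ Name = 'contoso.com';  CasHost = 'mail.contoso.com';  SmtpDomain = 'contoso.com'  },
    @{ Name = 'fabrikam.com'; CasHost = 'mail.fabrikam.com'; SmtpDomain = 'fabrikam.com' }
)

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback accepts any chain purely so the certificate can be read
        # back; trust is evaluated separately with Verify() below, never here.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $chain, $errors) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
}

function Test-CertificateNamesHost {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$HostName)
    $simple = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $cn = $Cert.GetNameInfo($simple, $false)
    # Subject Alternative Name (OID 2.5.29.17) formats as "DNS Name=a, DNS Name=b".
    $san = ($Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
            ForEach-Object { $_.Format($false) }) -join ', '
    return ($cn -eq $HostName) -or ($san -match ('DNS Name=' + [regex]::Escape($HostName) + '(,|$)'))
}

function Test-AutodiscoverResolves {
    param([string]$SmtpDomain)
    try { [void][System.Net.Dns]::GetHostAddresses("autodiscover.$SmtpDomain"); return $true }
    catch { return $false }
}

$results = foreach ($f in $Forests) {
    $cert = Get-RemoteCertificate -HostName $f.CasHost
    [pscustomobject]@{
        Forest               = $f.Name
        SmtpDomain           = $f.SmtpDomain
        CasHost              = $f.CasHost
        IssuerCA             = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $true)
        Thumbprint           = $cert.Thumbprint
        NamesHost            = Test-CertificateNamesHost -Cert $cert -HostName $f.CasHost
        ChainTrusted         = $cert.Verify()
        AutodiscoverResolves = Test-AutodiscoverResolves -SmtpDomain $f.SmtpDomain
    }
}
$results | Format-Table -AutoSize

# Multi-forest rule: every forest must present a certificate from a different CA.
# This compares the issuing CA name, which is what the prerequisite is about.
$distinctCAs = @($results | Select-Object -ExpandProperty IssuerCA -Unique)
if ($distinctCAs.Count -lt @($Forests).Count) {
    Write-Warning "Only $($distinctCAs.Count) distinct issuing CA(s) across $(@($Forests).Count) forests; each forest needs its own CA."
}
foreach ($r in $results) {
    if (-not $r.NamesHost)            { Write-Warning "$($r.Forest): certificate on $($r.CasHost) does not name that host (CN/SAN mismatch)" }
    if (-not $r.ChainTrusted)         { Write-Warning "$($r.Forest): certificate on $($r.CasHost) does not chain to a trusted CA" }
    if (-not $r.AutodiscoverResolves) { Write-Warning "$($r.Forest): autodiscover.$($r.SmtpDomain) does not resolve" }
}
```

Run it from a machine outside both forests (or at least one that does not use split-brain DNS for these names), since an internal resolver can mask a missing public Autodiscover record. Note that the validation callback only disables chain checking for the purpose of reading the certificate; the trust decision is made by Verify() against the machine's trusted roots, which is closer to what Office 365 will do when it connects.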

 

 

Refer to part II of this blog for the common errors and the troubleshooting path for fixing hybrid deployment issues.