Configure Office 365 Groups with on-premises Exchange hybrid

Learn how to enable on-premises Exchange users to use Office 365 Groups in a hybrid deployment.

Groups is an Office 365 service that enables teams to communicate, schedule meetings, and collaborate on documents more easily. All information shared with a group, from email messages sent to the group to files stored in the group's OneDrive for Business or SharePoint libraries, is available to any member of the group. If you've configured a hybrid deployment between your on-premises Exchange organization and Office 365, you can make groups created in Office 365 available to your on-premises users by following the steps in this topic.

Important

Using Office 365 Groups with on-premises users in an Exchange hybrid deployment is a new feature. Because it's so new, you might run into some issues when you set it up. Be sure to check the Known issues section at the end of this topic for fixes to issues you might encounter.

Prerequisites

Before you start, make sure that you've done the following:

  • Purchased Azure Active Directory Premium licenses for your tenant. This is required to enable the Group writeback feature in Azure Active Directory Connect.

  • Configured a hybrid deployment between your Exchange on-premises organization and Office 365 and verified that it's functioning correctly. For more information about Exchange hybrid deployments, see the following:

  • Installed a supported version of Exchange on-premises. Exchange integration with Office 365 Groups is available in CU1 and newer releases of Exchange 2016, and in CU11 and newer releases of Exchange 2013. However, Exchange hybrid requires the latest Exchange 2013 or Exchange 2016 Cumulative Update (CU) to be installed on your on-premises Exchange servers. If you can't install the latest CU, the update released immediately prior to the current CU can be used.

  • Configured single sign-on using Azure Active Directory Connect (Azure AD Connect). This is needed so that users can open the View group files link and cloud attachment links in group email messages.

    When configuring Azure AD Connect for single sign-on in an Exchange hybrid deployment, we recommend that you use password synchronization. Active Directory Federation Services (AD FS) should only be used if you're in a large organization; if you have a complex on-premises Active Directory deployment (for example, multiple Active Directory forests); if another Microsoft product requires AD FS to work with Office 365; or if, because of compliance policies, you're not able to synchronize password hashes outside of your on-premises network. For more information about single sign-on, see Integrating your on-premises identities with Azure Active Directory.

Enable Group writeback in Azure AD Connect

  1. In the Azure AD Connect wizard, select Customize synchronization options and then click Next.

  2. On the Connect to Azure AD page, enter your Office 365 and on-premises credentials. Click Next.

  3. On the Optional features page, verify that the options you previously configured are still selected. The most commonly selected options are Exchange hybrid and Password hash synchronization.

  4. Select Group writeback and then click Next.

  5. On the Writeback page, select an Active Directory organizational unit (OU) to store objects that are synchronized from Office 365 to your on-premises organization, and then click Next. Use a dedicated OU: the connector account is granted rights to create and delete group objects in this container in step 9, so it shouldn't contain other objects.

  6. On the Ready to configure page, click Configure.

  7. When the wizard is complete, click Exit on the Configuration complete page.

  8. Open Active Directory Users and Computers on an Active Directory domain controller and locate the user account that begins with AAD_. Make note of this account's sAMAccountName. Azure AD Connect builds installed with express settings name the AD DS connector account MSOL_ instead; whichever naming your build uses, the account you need is the one the Synchronization Service Manager shows as the connector account for your on-premises Active Directory forest, not the local service account that runs the sync engine.

  9. Open the Exchange Management Shell on an on-premises Exchange server, and run the following commands. Both values are strings: the connector account is the sAMAccountName noted in step 8, and the OU is given as its distinguished name.

    # sAMAccountName of the Azure AD Connect connector account noted in step 8
    $AzureADConnectSWritebackAccount = "<AAD_ account name from step 8>"
    # Distinguished name of the writeback Active Directory OU selected in step 5
    $GroupsOU = "<distinguished name of the writeback Active Directory OU selected in step 5>"
    Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"
    # Delegates to the connector account the rights it needs to create and manage group objects in the OU
    Initialize-ADSyncGroupWriteBack -ADConnectorAccount $AzureADConnectSWritebackAccount -GroupWriteBackContainerDN $GroupsOU
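The following script is an added example, not part of the original article or of Azure AD Connect: it runs the step 9 initialization with both inputs resolved programmatically and then verifies what was delegated. It assumes the ActiveDirectory module is available on the Exchange server, that the writeback OU distinguished name shown is the one chosen in step 5 (replace it), and that the connector account follows the AAD_ or MSOL_ naming pattern; all three are assumptions for illustration.

```powershell
# Added example: initialize group writeback and verify the delegation.
# Assumed values: the OU DN and the connector account naming pattern.
Import-Module ActiveDirectory

# Assumed value: replace with the OU selected in the Azure AD Connect wizard (step 5).
$GroupsOU = "OU=Office365Groups,DC=contoso,DC=com"

# Fail early if the OU does not exist. Initialize-ADSyncGroupWriteBack delegates
# rights on this container, so a typo here would target the wrong object.
$null = Get-ADOrganizationalUnit -Identity $GroupsOU -ErrorAction Stop

# Resolve the Azure AD Connect connector account (step 8). Builds installed with
# express settings name it MSOL_<hex> rather than AAD_<hex>, so both patterns are
# checked; stop if the result is ambiguous instead of guessing.
$candidates = @(Get-ADUser -Filter 'SamAccountName -like "AAD_*" -or SamAccountName -like "MSOL_*"')
if ($candidates.Count -ne 1) {
    throw "Expected exactly one connector account, found $($candidates.Count): $($candidates.SamAccountName -join ', ')"
}
$AzureADConnectSWritebackAccount = $candidates[0].SamAccountName

Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"
Initialize-ADSyncGroupWriteBack -ADConnectorAccount $AzureADConnectSWritebackAccount `
                                -GroupWriteBackContainerDN $GroupsOU

# Verification: the connector account should now hold explicit (non-inherited)
# ACEs on the writeback OU. The domain root is listed for comparison only; rights
# there (for example Replicating Directory Changes for password hash sync) come
# from the Azure AD Connect installation, not from this step, which should add
# nothing outside the OU.
$domainDN = (Get-ADDomain).DistinguishedName
foreach ($path in @($GroupsOU, $domainDN)) {
    $aces = @((Get-Acl -Path "AD:\$path").Access |
        Where-Object { $_.IdentityReference -like "*\$AzureADConnectSWritebackAccount" -and -not $_.IsInherited })
    "{0}: {1} explicit ACEs for {2}" -f $path, $aces.Count, $AzureADConnectSWritebackAccount
    $aces | Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType |
        Format-Table -AutoSize
}
```

Run it once from the Exchange Management Shell as a member of Domain Admins (the ACL change on the OU requires it). If the OU report shows no ACEs for the connector account, the initialization did not apply and group objects will never be written back.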
    

Configure a group domain

The primary SMTP domain of an Office 365 Group is called a group domain. By default, the default accepted domain in your organization is chosen as the group domain. If you want to add a dedicated groups domain, you can add one using the following steps. For more information about multi-domain support for Office 365 Groups, see Multi-domain support for Office 365 Groups.

  1. Add your new domain to your Office 365 organization. If you need help adding a domain to Office 365, see Add users and domains to Office 365.

  2. Add the group domain as an accepted domain in your on-premises Exchange organization using the following command. It must be an InternalRelay domain, not Authoritative: an authoritative domain makes on-premises Exchange reject any recipient it can't find in local Active Directory, whereas InternalRelay lets unresolved recipients be routed through the hybrid Send connector to Office 365.

    New-AcceptedDomain -Name groups.contoso.com -DomainName groups.contoso.com -DomainType InternalRelay
    
  3. Create the following public DNS records with your DNS provider.

    | DNS record name                 | DNS record type | DNS record value                               |
    | ------------------------------- | --------------- | ---------------------------------------------- |
    | groups.contoso.com              | MX              | groups-contoso-com.mail.protection.outlook.com |
    | autodiscover.groups.contoso.com | CNAME           | autodiscover.outlook.com                       |

    Note

    The format of the MX record value is <domain key>.mail.protection.outlook.com. To find out what your domain key is, see Gather the information you need to create Office 365 DNS records.

    Caution

    If the MX DNS record for the group domain is set to the on-premises Exchange server, mail flow won't work correctly between users in the on-premises Exchange organization and the Office 365 Group.

  4. Add the group domain to the hybrid Send connector, created by the Hybrid Configuration wizard in your on-premises Exchange organization, using the following command. The AddressSpaces parameter replaces the connector's entire address space list, so include the existing tenant routing domain (check it first with Get-SendConnector) alongside the new group domain.

    # AddressSpaces overwrites the existing list: keep the tenant routing domain and add the group domain
    Set-SendConnector -Identity "Outbound to Office 365" -AddressSpaces "contoso.mail.onmicrosoft.com","groups.contoso.com"
    

    Note

    If the Send connector isn't updated, or if the group domain isn't added as an accepted domain in the on-premises Exchange organization, mail sent from an on-premises mailbox won't be delivered to the group unless the group is configured to receive mail from external senders.
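The following script is an added example, not part of the original article: it applies steps 2 and 4 of this procedure idempotently and then checks the DNS records from step 3 against the values the article requires. It assumes the article's names (group domain groups.contoso.com and a hybrid Send connector named "Outbound to Office 365"), that it runs in the Exchange Management Shell, and that Resolve-DnsName from the DnsClient module is available (Windows Server 2012 or later); replace the names with your own.

```powershell
# Added example: configure the group domain on-premises and verify the
# settings the article warns about. Assumed values: $GroupDomain and
# $SendConnector are the article's example names.
$GroupDomain   = "groups.contoso.com"
$SendConnector = "Outbound to Office 365"

# Step 2: the accepted domain must be InternalRelay. Authoritative would make
# on-premises Exchange bounce mail to any group it cannot resolve locally
# (the "Groups don't receive messages from on-premises users" known issue).
$accepted = Get-AcceptedDomain -Identity $GroupDomain -ErrorAction SilentlyContinue
if (-not $accepted) {
    New-AcceptedDomain -Name $GroupDomain -DomainName $GroupDomain -DomainType InternalRelay
} elseif ($accepted.DomainType -ne "InternalRelay") {
    Write-Warning "$GroupDomain was $($accepted.DomainType); changing to InternalRelay"
    Set-AcceptedDomain -Identity $GroupDomain -DomainType InternalRelay
}

# Step 4: -AddressSpaces replaces the whole list, so merge the group domain
# into the existing address spaces instead of overwriting the tenant routing
# domain that the Hybrid Configuration wizard put there.
$connector = Get-SendConnector -Identity $SendConnector -ErrorAction Stop
$spaces = @($connector.AddressSpaces | ForEach-Object { $_.Address })
if ($spaces -notcontains $GroupDomain) {
    Set-SendConnector -Identity $SendConnector -AddressSpaces ($spaces + $GroupDomain)
} else {
    "$SendConnector already routes $GroupDomain"
}

# Step 3: public DNS. The MX must point at Exchange Online Protection, not at
# the on-premises servers, or on-premises senders loop group mail back to
# themselves; Autodiscover for the group domain must resolve to Office 365.
$mx = @(Resolve-DnsName -Name $GroupDomain -Type MX -ErrorAction Stop |
        Where-Object { $_.Type -eq "MX" })
if ($mx.Count -eq 0) {
    Write-Warning "No MX record found for $GroupDomain"
}
foreach ($record in $mx) {
    if ($record.NameExchange -notlike "*.mail.protection.outlook.com") {
        Write-Warning ("MX for {0} points to {1}; expected <domain key>.mail.protection.outlook.com" -f
            $GroupDomain, $record.NameExchange)
    }
}
$cname = Resolve-DnsName -Name "autodiscover.$GroupDomain" -Type CNAME -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq "CNAME" } | Select-Object -First 1
if (-not $cname -or $cname.NameHost.TrimEnd('.') -ne "autodiscover.outlook.com") {
    Write-Warning "autodiscover.$GroupDomain should be a CNAME to autodiscover.outlook.com"
}
```

Run the DNS part from a host that uses public resolvers; an internal resolver with a split-horizon zone for the group domain would hide exactly the misconfiguration the Caution above describes.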

How do you know this worked?

To make sure that groups are working with your Exchange hybrid deployment, test them using an on-premises mailbox and using a mailbox that's been moved from your on-premises organization to Office 365. Use the steps in the following sections to do each test.

Test using an on-premises mailbox

  1. Add an on-premises mailbox to an Office 365 Group.

  2. Add an Office 365 mailbox to the same Office 365 Group.

  3. Log into the Office 365 mailbox using Outlook on the web.

  4. Post a message to the group using the Office 365 mailbox.

  5. Open the on-premises mailbox using Outlook 2016 or Outlook on the web.

  6. Verify that the mailbox received an email message containing the post sent to the Office 365 Group.

  7. In the same mailbox, compose a reply to the message and send it to the group.

  8. Verify that the reply can be viewed by all of the members of the group.

Test using a mailbox moved to Office 365

  1. Move a mailbox from your on-premises Exchange organization to Office 365.

  2. Add the mailbox to an Office 365 Group.

  3. In a new browser session, log into the mailbox that was moved to Office 365.

  4. In Outlook on the web, verify that the group is listed in the left navigation bar.

  5. Post a message to the group.

  6. Verify that the message can be viewed by all of the members of the group.

Known issues

  • Groups don't appear for mailboxes moved to Office 365. When a user is moved from your on-premises Exchange organization to Office 365, groups won't appear in the left navigation pane in Outlook or Outlook on the web. To fix the issue, remove the mailbox from any groups of which it is a member, and re-add it to each group.

  • New groups don't appear in the on-premises Exchange global address list (GAL). When a new group is created in Office 365, it won't appear in the on-premises GAL automatically, even after the group object has been written back to Active Directory. To fix this issue, open the Exchange Management Shell on an on-premises Exchange server and run the following command.

    Update-Recipient "<group name>"
    
  • Groups don't receive messages from on-premises users. An on-premises user won't be able to send mail to an Office 365 Group when either of the following conditions is true:

    • The group domain is configured as an authoritative domain in your on-premises Exchange organization. Change it to InternalRelay (see Configure a group domain above).

    • The group was recently created and its information hasn't been written back to your on-premises Active Directory yet.

      This issue resolves itself when Azure AD Connect performs its next synchronization between Office 365 and your on-premises organization. With the default scheduler, Azure AD Connect synchronization occurs every thirty minutes.

  • On-premises users can't use links included in group message footers. On-premises users can't use the View group conversations or Unsubscribe links that are included in the footer of each group message sent to them. To unsubscribe from a group, on-premises users need to contact a group administrator.

  • Mail sent to a group's secondary SMTP address fails to be delivered. When multiple email addresses are added to a group, only the primary SMTP address is written back to your on-premises Active Directory. If an on-premises user tries to send a message to a secondary SMTP address of a group, the message won't be delivered. To prevent this issue, configure only one SMTP address on each group.

  • On-premises users can't become an administrator of a group. On-premises users can't access the group space directly. Because of this, they can't be added as an administrator (owner) of a group.

  • Delivery of external mail to a group can fail if you've enabled centralized mail flow. If centralized mail flow is enabled, mail sent by an external user to a group fails to be delivered, even though the group allows mail from external senders.

  • On-premises users can't send mail as a group. An on-premises user who tries to send a message as an Office 365 Group receives a permission denied error even if they've been given Send As permission on the group. Send As permission on a group works only for Exchange Online mailbox users.

  • Selecting a group from Outlook's left navigation pane doesn't open the group's mailbox. Outlook uses the Autodiscover URL to open a group mailbox. If a group's primary email address is in a domain that doesn't point to Office 365's Autodiscover URL (autodiscover.outlook.com), Outlook won't be able to open the group's mailbox. To fix the issue, provision groups with a primary address in a domain that points to Office 365's Autodiscover URL. You can configure an email address policy to add a primary email address in such a domain to each group mailbox. See Multi-domain support for Office 365 Groups for more details.
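The following script is an added example, not part of the original article: it audits the on-premises side for the known issues above that can be detected from the Exchange Management Shell (the authoritative group domain, written-back groups missing from the GAL, and primary addresses outside the Autodiscover-enabled domain). It assumes the writeback OU and group domain used earlier in this topic (replace both), that the ActiveDirectory module is available, and, as a heuristic, that a written-back group with no msExchRecipientDisplayType has not yet been processed by Update-Recipient.

```powershell
# Added example: audit on-premises Active Directory and Exchange for the
# known issues that are visible from on-premises. Assumed values: the OU DN,
# the group domain, and the msExchRecipientDisplayType heuristic.
Import-Module ActiveDirectory
$GroupsOU    = "OU=Office365Groups,DC=contoso,DC=com"   # writeback OU from step 5
$GroupDomain = "groups.contoso.com"                     # domain with the Autodiscover CNAME

# Known issue: on-premises users can't send to groups when the group domain is
# Authoritative. InternalRelay forwards unresolved recipients to Office 365.
$accepted = Get-AcceptedDomain -Identity $GroupDomain -ErrorAction SilentlyContinue
if (-not $accepted) {
    Write-Warning "$GroupDomain is not an accepted domain; on-premises mail to groups will be rejected"
} elseif ($accepted.DomainType -eq "Authoritative") {
    Write-Warning "$GroupDomain is Authoritative; change it to InternalRelay or mail to new groups will bounce"
}

# Enumerate what Azure AD Connect has written back so far.
$written = @(Get-ADGroup -SearchBase $GroupsOU -Filter * `
             -Properties mail, proxyAddresses, msExchRecipientDisplayType, whenCreated)
"{0} group objects written back to {1}" -f $written.Count, $GroupsOU

foreach ($g in $written) {
    # A group created in Office 365 in the last sync window may exist without
    # mail attributes yet; nothing to fix, just wait for the next cycle.
    if (-not $g.mail) {
        Write-Warning ("{0} (created {1}) has no mail attribute yet; wait for the next Azure AD Connect cycle (default: 30 minutes)" -f
            $g.Name, $g.whenCreated)
        continue
    }

    # Known issue: the group is in AD but not in the on-premises GAL until
    # Update-Recipient stamps the Exchange attributes (heuristic check).
    if ($null -eq $g.msExchRecipientDisplayType) {
        "Stamping Exchange recipient attributes on $($g.Name)"
        Update-Recipient -Identity $g.DistinguishedName
    }

    # Known issue: only the primary SMTP address is written back, and Outlook
    # opens the group mailbox through the Autodiscover record of that address's
    # domain. Flag primaries outside the domain that has the CNAME.
    $primary = @($g.proxyAddresses | Where-Object { $_ -cmatch '^SMTP:' }) -replace '^SMTP:', ''
    if ($primary.Count -eq 1 -and $primary[0] -notlike "*@$GroupDomain") {
        Write-Warning ("{0} primary address {1} is outside {2}; Outlook may fail to open the group mailbox" -f
            $g.Name, $primary[0], $GroupDomain)
    }
}
```

Schedule this after the Azure AD Connect cycle rather than on demand; every warning it prints maps to one of the known issues above, and the only change it makes is the Update-Recipient call, which is the same fix the article gives.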