EXCHANGE 2010 HYBRID (IN THE EXCHANGE 2016 WORLD)
BE-com.eu, Brussels, 26 April 2016

Jaap Wesselius, independent consultant
Office Server and Services MVP (was Exchange MVP)
http://bit.ly/ProEx2013SP1
Blog: jaapwesselius.com
AGENDA
- Identities
- Exchange Hybrid: what is it, what version do we use, how do we implement it
- Decommission Exchange on-premises: should you? Is that supported?
- Summary
IDENTITIES
CLOUD IDENTITIES
- Live in the cloud
- Provisioned through the MS Online Portal or PowerShell
- Source of authority: Office 365
- Managed in the cloud
- Authenticate in the cloud
- Separate credential from on-premises
- Has nothing to do with on-premises Active Directory
- No directory synchronization, no hybrid, no ADFS... just Office 365
SYNCED IDENTITIES
- Live in the cloud
- Source of authority: Active Directory on-premises, managed on-premises
- Separate credential, but same username/password
- Authenticate in the cloud
- Password policy on-premises
- Needs a DirSync solution
- Exchange hybrid can use synced identities
FEDERATED IDENTITIES
- Live on-premises
- Source of authority: on-premises
- Authenticate on-premises
- One set of credentials, Single Sign-On
- Password policy on-premises
- Needs a DirSync solution
- Needs a federation infrastructure
SOURCE OF AUTHORITY
This is the most important part, the source of authority: where is the account managed?
- In the cloud: cloud identity
- On-premises: synced or federated identity
Not only provisioning of the account, but also:
- Password management
- Attribute management
- Exchange-related attributes
Important to realize when decommissioning Exchange servers!
EXCHANGE HYBRID
WHAT IS EXCHANGE HYBRID?
- Exchange Hybrid is not (really) a migration tool
- Exchange Hybrid is a long-term coexistence scenario
- Consists of Exchange on-premises and Exchange Online
- Provides transparent connectivity between Exchange on-premises and Exchange Online:
  - Secure messaging
  - Transparent Autodiscover
  - Free/busy information, MailTips, OOF information
HYBRID – ARCHITECTURE (diagram)
On-premises Exchange org (existing Exchange 2010, Exchange 2016) connected to Office 365 through:
- Users, groups and contacts via DirSync (Azure AD Connect)
- Secure mail flow
- Sharing (free/busy, MailTips, archive, etc.)
- Mailbox data via MRS
TYPICAL EXCHANGE 2010 ENVIRONMENT
- Two Exchange 2010 (multi-role) servers
- Two Exchange 2010 Edge Transport servers
- A (hardware) load balancer
- Three namespaces: webmail.contoso.com, autodiscover.contoso.com, smtp.contoso.com
- Outlook 2010, OWA, ActiveSync
- Has been working fine the last 5 years...
CHALLENGES A CONSULTANT RUNS INTO...
Exchange 2010 is running fine, but...
- TMG is installed in front of Exchange 2010
- A 3rd-party appliance is used for anti-spam
- Exchange is not accessible from the Internet
- Exchange is accessible for OWA, but Outlook Anywhere is not enabled
- Really old Outlook clients (sometimes still running on Windows XP)
- Oh, and did I mention... security officers, privacy officers, network officers...
REQUIREMENTS FOR EXCHANGE HYBRID
Directory synchronization:
- Azure AD Connect, tool from Microsoft, preferably on a dedicated server
- Windows 2008 or higher, Forest Functional Level Windows 2003 or higher
- Password synchronization requires Windows 2008 R2 or higher, and Windows Management Framework 4 (.NET Framework and PowerShell 3.0)
- Your best option is to use Windows 2012 R2
- Uses an internet-routable domain for the User Principal Name (UPN)
- Run the IDFix tool to fix potential issues with on-premises Active Directory (recommendation)
EXCHANGE 2010 WITH AZURE AD CONNECT
- Activate directory synchronization in the Admin Portal
- Install Azure AD Connect (on a separate server)
- Service account on-premises and in Azure Active Directory
- Port 443 access to Azure AD
- Finish the wizard and wait for replication to happen (< 1 minute)
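The two Active Directory requirements above that most often break a first sync are the forest functional level and non-routable UPN suffixes (the part of IDFix's job that is easiest to check yourself). The following pre-flight check is an added example, not from the slides or from Microsoft's tooling; it assumes a domain-joined Windows 2012 R2 host with the RSAT ActiveDirectory module, and a hand-maintained list of the domains verified in the Office 365 tenant (contoso.com is a constructed sample).

```powershell
# Added example: pre-flight check before installing Azure AD Connect.
# Assumes RSAT ActiveDirectory module; $VerifiedDomains is maintained by hand.
Import-Module ActiveDirectory

# Domains verified in the Office 365 tenant (constructed sample value)
$VerifiedDomains = @('contoso.com')

function Test-ForestLevel {
    # Azure AD Connect needs Forest Functional Level Windows 2003 or higher;
    # only a Windows 2000 forest fails this check
    $forest = Get-ADForest
    [pscustomobject]@{
        Check = 'ForestFunctionalLevel'
        Value = "$($forest.ForestMode)"
        Pass  = ($forest.ForestMode -ne 'Windows2000Forest')
    }
}

function Get-NonRoutableUpnUsers {
    # Users whose UPN suffix is empty or not a verified domain (e.g. contoso.local)
    # will not get the expected sign-in name in the cloud, so fix them before syncing
    Get-ADUser -Filter { Enabled -eq $true } -Properties UserPrincipalName, mail |
        Where-Object {
            $suffix = ($_.UserPrincipalName -split '@')[-1]
            (-not $_.UserPrincipalName) -or ($VerifiedDomains -notcontains $suffix)
        } |
        Select-Object SamAccountName, UserPrincipalName, mail
}

function Set-RoutableUpn {
    # Rewrite one user's UPN suffix to a verified domain, keeping the prefix intact
    param([Parameter(Mandatory)][string]$SamAccountName,
          [Parameter(Mandatory)][string]$Suffix)
    if ($VerifiedDomains -notcontains $Suffix) { throw "$Suffix is not a verified domain" }
    $user   = Get-ADUser -Identity $SamAccountName
    $prefix = if ($user.UserPrincipalName) { ($user.UserPrincipalName -split '@')[0] } else { $SamAccountName }
    Set-ADUser -Identity $user -UserPrincipalName "$prefix@$Suffix"
}

# Report only; run Set-RoutableUpn per user after reviewing the list
Test-ForestLevel
Get-NonRoutableUpnUsers | Format-Table -AutoSize
```

IDFix also checks duplicate proxyAddresses, invalid characters and other attributes; this script covers only the two items named on the slide.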
OFFICE 365 ADMIN PORTAL
EXCHANGE (ONLINE) ADMIN CONSOLE
EXCHANGE HYBRID SERVER
What is an Exchange hybrid server?
- It's an Exchange server where the Hybrid Configuration Wizard is run
- Where the actual creation and configuration of the hybrid configuration is performed
Does it have to be an Exchange 2016 server? Or an Exchange 2013 server? Or an Exchange 2010 server? Do you need an additional Exchange 2010 hybrid server at all?
ADDITIONAL EXCHANGE HYBRID SERVER
When adding an additional Exchange 2016 server as 'hybrid server'...
- You are halfway through an Exchange 2010 to Exchange 2016 migration
- It is not 'just add an Exchange 2016 server':
  - Add new Exchange 2016 servers to the Exchange organization
  - Switch client access to the new Exchange 2016 servers (webmail.contoso.com, autodiscover.contoso.com)
- You're running an Exchange 2010 / Exchange 2016 coexistence scenario
HYBRID CONFIGURATION WIZARD
- For Exchange 2013 and Exchange 2016 this is a stand-alone application
- For Exchange 2010 it was integrated in the Exchange Management Console
- As of February 2016 the HCW is a stand-alone application as well
- Can be run on any Exchange 2010 server in your organization
- No need to install Exchange 2016 in your existing infrastructure (at this point at least)
- Do you need an additional Exchange 2010 server? For performance reasons it can be useful
HYBRID CONFIGURATION WIZARD
- Can be found in the Exchange (Online) Admin Center
- Select Hybrid, click Configure and click Get Started to start the wizard
- Select the proper Exchange (2010) server
- Enable the federation trust
- Create a TXT proof record in public DNS (for verification purposes)
- Configure the Client Access and Mailbox servers (for transport)
- Select the proper certificate
- And wait for the configuration to finish
WHAT IS CONFIGURED ON-PREMISES
- New Hybrid Configuration object in Active Directory
- New accepted domain (contoso.mail.onmicrosoft.com)
- New address policy
- New remote domains
- New Send Connector to Office 365
- New Receive Connector from Office 365
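A checklist that confirms each of these objects exists after the wizard finishes, and that the connector to Office 365 actually enforces TLS (otherwise the 'secure mail flow' from the architecture slide is not in place). This is an added example for the Exchange 2010 Management Shell, not part of the slides; the tenant domain and the connector names matched are assumptions based on the contoso.com example used in the deck and on the names the HCW usually picks.

```powershell
# Added example: verify the on-premises objects created by the Hybrid Configuration Wizard.
# Run in the Exchange (2010) Management Shell; $TenantMailDomain is an assumed sample value.
$TenantMailDomain = 'contoso.mail.onmicrosoft.com'

function Get-HybridChecklist {
    $hybrid   = Get-HybridConfiguration
    $accepted = Get-AcceptedDomain | Where-Object { $_.DomainName -eq $TenantMailDomain }
    $remote   = Get-RemoteDomain   | Where-Object { $_.DomainName -like '*.mail.onmicrosoft.com' }
    # The HCW send connector carries the tenant's mail.onmicrosoft.com address space
    $send     = Get-SendConnector  | Where-Object { "$($_.AddressSpaces)" -match 'mail\.onmicrosoft\.com' }
    # Connector names are an assumption ("Inbound from Office 365" is the usual HCW name)
    $receive  = Get-ReceiveConnector | Where-Object { $_.Name -like '*Office 365*' }
    $policy   = Get-EmailAddressPolicy |
        Where-Object { "$($_.EnabledEmailAddressTemplates)" -match 'mail\.onmicrosoft\.com' }

    [pscustomobject]@{
        HybridConfigurationObject = [bool]$hybrid
        AcceptedDomain            = [bool]$accepted
        RemoteDomains             = @($remote).Count
        AddressPolicyUpdated      = [bool]$policy
        SendConnectorToO365       = [bool]$send
        ReceiveConnectorFromO365  = [bool]$receive
        # Both directions must require TLS; a connector with RequireTLS=$false would
        # silently fall back to cleartext SMTP between on-premises and the tenant
        SendConnectorRequiresTls    = (@($send)    | ForEach-Object { $_.RequireTLS }) -contains $true
        ReceiveConnectorRequiresTls = (@($receive) | ForEach-Object { $_.RequireTLS }) -contains $true
        SendConnectorTlsDomain      = (@($send) | Select-Object -ExpandProperty TlsDomain) -join ','
    }
}

Get-HybridChecklist | Format-List
```

Any $false in the output is a reason to re-run the HCW rather than to create the missing object by hand, because the wizard keeps the on-premises and tenant sides in step.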
CUSTOMER SECURITY REQUIREMENTS
- How to configure TMG for Office 365 (Exchange) hybrid deployments
- IP restrictions for Office 365: XML file with all IP addresses
DECOMMISSION EXCHANGE
DECOMMISSIONING EXCHANGE ON-PREMISES
Question heard often... Can I decommission my on-premises Exchange?
After you have moved all mailboxes (and public folders) to Office 365, why do you need an on-premises Exchange server?
For management purposes!
- Remember, the source of authority is still on-premises Active Directory
- All related properties are managed on-premises
- ADSI Edit can be used (support statement not clear) but is certainly not recommended or supported!
More information on TechNet:
DECOMMISSIONING EXCHANGE ON-PREMISES
Recommendation: keep one Exchange server on-premises, unless you want to get rid of all your servers, including identity management!
- Upgrading from Exchange 2010 to Exchange 2016 is easy at this point
- Use the 'hybrid license' for this server
- No need for high availability
- It does not even have to be configured as a hybrid server
- But if you do... you have an offboarding solution
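What "management purposes" looks like in practice on that one remaining server: the Exchange attributes of synced users are written with the remote-mailbox cmdlets, which keep proxyAddresses, targetAddress and the recipient type consistent, instead of hand-editing Active Directory with ADSI Edit. This is an added example, not from the slides; the user name and tenant domain are constructed sample values.

```powershell
# Added example: manage Exchange attributes on-premises (the source of authority)
# from the Exchange Management Shell instead of ADSI Edit.
# $TenantMailDomain and the identity 'jsmith' are constructed sample values.
$TenantMailDomain = 'contoso.mail.onmicrosoft.com'

function New-CloudUserMailbox {
    # Provision a mailbox in Exchange Online for an existing, synced AD user.
    # Enable-RemoteMailbox stamps targetAddress, proxyAddresses and the remote
    # recipient type, which Azure AD Connect then syncs to the tenant.
    param([Parameter(Mandatory)][string]$Identity)
    $alias = (Get-User -Identity $Identity).SamAccountName
    Enable-RemoteMailbox -Identity $Identity -RemoteRoutingAddress "$alias@$TenantMailDomain"
}

function Add-ProxyAddressOnPrem {
    # Adding an alias stays an on-premises operation; it is read-only in the cloud
    param([Parameter(Mandatory)][string]$Identity,
          [Parameter(Mandatory)][string]$Address)
    Set-RemoteMailbox -Identity $Identity -EmailAddresses @{ Add = "smtp:$Address" }
}

function Test-RemoteRoutingAddresses {
    # Find remote mailboxes that lost their tenant routing address, the typical
    # result of someone editing proxyAddresses directly in AD: mail to them
    # would no longer be routed to Office 365
    Get-RemoteMailbox -ResultSize Unlimited |
        Where-Object { "$($_.EmailAddresses)" -notmatch [regex]::Escape("@$TenantMailDomain") } |
        Select-Object Name, PrimarySmtpAddress, RemoteRoutingAddress
}

New-CloudUserMailbox   -Identity 'jsmith'
Add-ProxyAddressOnPrem -Identity 'jsmith' -Address 'john.smith@contoso.com'
Test-RemoteRoutingAddresses
```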
SUMMARY
SUMMARY
- Exchange 2010 can be fully configured in a hybrid scenario
- An Exchange 2016 server as 'hybrid server' adds complexity
- The Exchange hybrid scenario uses 'linked identities' or 'federated identities'
- Source of authority is on-premises
- You always need one Exchange server on-premises for management purposes
Q&A