Exchange Hybrid: Deployment, best practices, and what’s new 4/27/2017 7:59 AM Cloud Roadshow Exchange Hybrid: Deployment, best practices, and what’s new © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Agenda Why Hybrid Hybrid Prerequisites History of the HCW 4/27/2017 7:59 AM Agenda Why Hybrid Hybrid Prerequisites History of the HCW Tour of the new HCW Improved error handling experience © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Why Exchange Hybrid 4/27/2017 7:59 AM © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Calendaring & Free/Busy Microsoft Exchange 4/27/2017 Why Exchange Hybrid? Address Book User Experiences Calendaring & Free/Busy Messaging Mail Migrations Exchange on-premises MRS Mailbox data Office 365 © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Hybrid benefits vs. other migration options Microsoft Ignite 2015 4/27/2017 7:59 AM Hybrid benefits vs. other migration options Deployment Complexity EASY Really? Hybrid Cutover Staged DirSync/Identity Management Hybrid Configuration Wizard, oAuth,MRS, …. Auto profile updates Batch Approach Offboarding Rich Coexistence No Additional Servers Cloud ID’s Only OST Sync All at Once… DirSync needed No 2010/2013 OST Sync Batch Approach Really? End User Complexity EASY © 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Hybrid Prerequisites Have an Office 365 Tenant 4/27/2017 7:59 AM Hybrid Prerequisites Have an Office 365 Tenant Add your domain to the Tenant (Contoso.com) Ensure you have a third party Certificate on-premises Ensure Exchange is properly deployed on-premises Have Directory Synchronization activate and deployed Ensure that you are running in a supported configuration © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Exchange Hybrid Wizard History 4/27/2017 Exchange Hybrid Wizard History 1 2 3 4 5 6 Exchange 2010 SP1 72 pages of documentation Exchange 2010 SP2 HCW introduced Exchange 2013 HCW with web-based UI Exchange 2013 SP1 Exchange 2013 CU5 Exchange 2013 CU10 and 2016 Extremely complex and low adoption Removed confusing requirements for additional domains: exchangedelegation and service.contoso.com Greatly simplified transport configuration Multiple exchange organizations now supported Supports Exchange 2013 Edge Native OAUTH and Gallatin Support Office 365 HCW © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Hybrid Configuration Engine Microsoft Exchange Hybrid Configuration Engine 4/27/2017 Latest HCW Blob Exchange Online Step 1 Download the latest Hybrid Configuration Engine Organization Level Configuration Objects (Exchange Federation Trust, Organization Reclationship, Forefront Inbound Connector, & Forefront Outbound Connector) Step 2 The Hybrid Configuration Engine reads the “desired state” stored on the HybridConfiguration Active Directory object. Domain Level Configuration Objects (Accepted Domains & Remote Domains) 1 4 Step 3 The Hybrid Configuration Engine connects via Remote PowerShell to both the on-premises and Exchange Online organizations. On-Premises Exchange Organization Level Configuration Objects (Exchange Federation Trust, Organization Relationship, Availability Address Space, & Send Connector) Step 4 The Hybrid Configuration Engine discovers topology data and current configuration from the on-premises Exchange organization and the Exchange Online organization. 5 EAC 3 4 Domain Level Configuration Objects (Accepted Domains, Remote Domains, & E-mail Address Policies) Hybrid Configuration Engine Desired state Topology & current configuration state Execute configuration tasks Step 5 Based on the desired state, topology data, and current configuration, across both the on-premises Exchange and Exchange Online organizations, the Hybrid Configuration Engine establishes the “difference” and then executes configuration tasks to establish the “desired state.” 5 2 Exchange Server Level Configuration (Mailbox Replication Service Proxy, Certificate Validation, Exchange Web Service Virtual Directory Validation, & Receive Connector) © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
What have we been doing Microsoft Office365 4/27/2017 Piloting of HCW changes is controlled The latest and same version is used by all What have we been doing Supported on Exchange 2013 CU10 and 2016 Resolving the common upgrade issues (upgrade from 2010/2013) Agility with future releases HCW updates not tied to CU’s any longer Improvements to OAUTH and Multi Forest Better Diagnostics built in (HCW and other Troubleshooters) Stand Alone HCW (New Web Based HCW) HCW looks and feels familiar © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
What does the new experience look like?
Stand Alone HCW Common Questions Will I be able to run it on Exchange 2010? Will I be able to run in on Exchange 2013? Can I upgrade from Exchange 2010 to newer version? Can I opt out of the new HCW experience? Will I need to add any additional URL to my outbound proxy device? Will running the Stand Alone HCW change any of my settings?
Entry Point
4/27/2017 Welcome page © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Server detection page The configuration will be done from this server 4/27/2017 Server detection page The configuration will be done from this server We check local AD for a list of all Exchange servers and version (this is not a remote call) 1st see if the server we are on is running the latest version 2nd we look to see if a server in site is running the latest version 3rd we cross sight to connect to a random server running the latest version You can manually override this logic You can also specify 21v from this page © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
4/27/2017 Credential page We do not force you to enter your on-premises credentials You then just provide the cloud creds and we connect © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
“Enable” Federation Trust page
Shared namespace page We then show you a list of domains that are accepted in both on- premises and EXO This is were you choose your shared domain
Domain Proof We now copy just the string needed, no extra garbage
Mail Flow options Then you choose your familiar mail flow options 4/27/2017 Mail Flow options Then you choose your familiar mail flow options © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Send and receive server selection 4/27/2017 Send and receive server selection © 2015 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Transport Certificate We then show a list of valid certs.. Third Party Cert SMTP Service Assigned Installed properly on Exchange Not Self Signed
Certificate field is empty Certificate field is empty when running the HCW Certificate not correctly installed Required on selected CAS & MBX CAS are used for Receive Connectors MBX are used for send Connectors Both need same cert installed, else HCW won’t show. Third Party Proper SAN Assigned to SMTP Service Private Key Certificate requirements not met Need access to CRL url over 80 from all servers CRL Blocked
Namespace for on-premises
Ready to update
Scenario / Action Items On the last page Feedback On Every Page Scenario / Action Items Error: Time Offset check on the on-premises server to get Federation to succeed Usability: Scroll bar needed when on accepted domain page Error: Improve the invalid TXT error experience Error: Improve Error experience for Hybrid Domains Error: Add information on certificates to show why it failed Error: Improve error reporting around Autodiscover issues Usability: remove server that are considered deleted objects from view in HCW
Improved Logging (1 of 2) Application version information Log File location: %Appdata%\Microsoft\Exchange Hybrid Configuration Improved Logging (1 of 2) Application version information Exchange versions and other information found that will be used by the wizard
SMTP certificate information from each server Improved Logging (2 of 2) SMTP certificate information from each server Exchange versions and other information found that will be used by the wizard
Better error Handling Link to a Solution Link to log files Link to open Shell with current credentials
Active Monitoring for HCW 2000+ HCW runs every day Validation against multiple Regions and Datacenters Detected 2 Incidents over the last year before ANY customers reported the problems Detected a transient issue with Remote Powershell that are being fixed
4/27/2017 7:59 AM © 2014 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
MRS Enablement delays The last portion of the legacy HCW enabled MRS Proxy ERROR:Updating hybrid configuration failed with error 'Subtask Configure execution failed: Configuring organization relationship settings.Execution of the Set-WebServicesVirtualDirectory cmdlet had thrown an exception. This may indicate invalid parameters in your Hybrid Configuration settings. Unable to access the configuration system on the remote server. Make sure that the remote server allows remote configuration This process ran a cmdlet Get-WebServicesVirtualDirectory This added hours to the HCW often killing the HCW This is the longest part of the Hybrid process We have resolved this issue in the Office 365 HCW using the “- ADPropertiesOnly” switch with Get-WebServicesVirtualDirectory
Hybrid Upgrade issues We had issues upgrading Hybrid from 2010 to 2013 The solutions were to perform action like: - rename Org Relationships - rename Connectors for Mail flow - Remove Hybrid configuration objects from ADSIEDIT None of this was graceful and this is all addressed in the Office 365 HCW
Why are the logs so important? Exchange Online We use the logs to find our top problems 30% of our failures come from “execution failed: Creating Organization Relationships.” The point is that we often see customer with Autodiscover configured properly but still fail to complete the HCW… 1 Get-FedInfo does a call to on-prem DNS for Autodiscover.contoso.com 2 If there is no DNS record internally we could fail to complete HCW 3 What if we used External DNS as well? 3 “execution failed: Creating Organization Relationships.” On-premises 1 Exchange On-Premises