Running Exchange hybrid over the long term


1 Running Exchange hybrid over the long term
7/3/2018 2:05 AM
Michael Van Horenbeeck (VHCT), Independent Consultant | MVP
#hybridrocks #MSIgnite
© Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Important related session(s)
BRK3155 – Thrive as an organization in Exchange Online

3 Setting the scene

4 “Hybrid (IT) is an approach to enterprise computing in which an organization provides and manages some information technology (IT) resources in-house but uses cloud-based services for others.” ~ someone on the internet

5 What I mean with “hybrid” Exchange
An organization that has gone through the motions of running the Hybrid Configuration Wizard to:
Full Hybrid > facilitate coexistence with Exchange Online, whilst continuing to run an on-premises Exchange organization for the foreseeable future.
Minimal Hybrid > facilitate moving mailboxes to Exchange Online, with no intention to continue running Exchange on-premises for the foreseeable future, nor to provide coexistence between both environments whilst migrating (except for mail flow).

6 Common Questions

7 Common struggles
How to deal with the fast pace of “the cloud”?
How to organize the IT department for support etc.?
How to move to the cloud in a reasonable time frame?
Where will data be stored?
  Technical limitations > bandwidth, latency, etc.
  Legal implications > local regulations
What features will be made available?
  Technical/functional > are they useful to the organization?
The CISO, CSO, security guy can be a real pain...

8 About that CISO, CSO, security guy, ....
Hybrid (or Office 365, FWIW) is not insecure.
A great read: MS Exchange Team Blog - “How hybrid authentication really works”
The Office 365 Trust Center is a great resource to answer a LOT of questions.
Microsoft can help to further clarify questions not covered by the Trust Center (NDA, ...)
Typical objections you will hear:
  “You can deploy Hybrid, but you cannot publish OWA/AutoD/ActiveSync etc...”
  “We want to inspect all traffic to/from Exchange Online...”

9 Securely publishing Exchange (hybrid)
Define “secure” (the interpretation might vary depending on whom you talk to...)
There’s a difference between mailbox moves and other coexistence traffic
Maintaining IP-based ACLs (firewall, reverse proxy) can be challenging: the Office 365 IP ranges change, and the changes are only announced through an RSS feed
[Diagram: On-Premises > Migration Endpoint > MRS]

10 Publishing Migration Endpoints
If you can create multiple endpoints, do so.
A load balancer can be used, but might complicate things.
MRS Proxy traffic must be encrypted end to end (no SSL offloading on the load balancer or reverse proxy)
[Diagram: Migration Endpoint > On-Premises Migration Endpoint > MRS]
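The steps behind slides 9 and 10, as an added example that is not part of the presentation: enable MRS Proxy on every EWS virtual directory that will sit behind a published endpoint, verify the published URL is HTTPS (the MRS Proxy traffic cannot be offloaded), probe the endpoint from the tenant side, and create one migration endpoint per published site. The hostnames (`mail.contoso.com`, `mail-emea.contoso.com`), the endpoint naming and the credential prompt text are assumptions, not values from the deck.

```powershell
# Added example (not from the presentation): publish and validate MRS Proxy
# migration endpoints for hybrid mailbox moves. Hostnames and endpoint names
# are placeholders (assumptions).

# --- On-premises Exchange Management Shell ---
# 1. Enable MRS Proxy on every EWS virtual directory that the published
#    migration endpoint can reach (the HCW does this too, but only for the
#    servers it was pointed at).
foreach ($vdir in (Get-WebServicesVirtualDirectory -ADPropertiesOnly)) {
    if (-not $vdir.MRSProxyEnabled) {
        Set-WebServicesVirtualDirectory -Identity $vdir.Identity -MRSProxyEnabled $true
    }
}

# 2. The external EWS URL must be HTTPS; a plain-http ExternalUrl (or a proxy
#    that terminates TLS and re-publishes over http) violates the
#    "no SSL offloading" requirement for MRS Proxy traffic.
Get-WebServicesVirtualDirectory -ADPropertiesOnly |
    Where-Object { $_.ExternalUrl -and $_.ExternalUrl.Scheme -ne 'https' } |
    ForEach-Object { Write-Warning "$($_.Server): EWS ExternalUrl is not HTTPS ($($_.ExternalUrl))" }

# --- Exchange Online PowerShell ---
# 3. Probe the published endpoint before creating it; this is the same check
#    the HCW runs and it fails fast on certificate, ACL or MRS Proxy issues.
$cred = Get-Credential -Message 'On-premises migration account'
Test-MigrationServerAvailability -ExchangeRemoteMove -RemoteServer 'mail.contoso.com' -Credentials $cred

# 4. One endpoint per published site, as the slide recommends, so a single
#    reverse proxy or load balancer is not a bottleneck for every move.
foreach ($site in @('mail.contoso.com', 'mail-emea.contoso.com')) {
    if (-not (Get-MigrationEndpoint | Where-Object { $_.RemoteServer -eq $site })) {
        New-MigrationEndpoint -ExchangeRemoteMove -Name "MRS-$site" -RemoteServer $site -Credentials $cred
    }
}
Get-MigrationEndpoint | Format-Table Identity, RemoteServer, MaxConcurrentMigrations -AutoSize
```

Firewall rules for the endpoints only need to admit the Exchange Online MRS source ranges on TCP 443; the rest of the coexistence traffic (Autodiscover, free/busy, OAuth) uses different paths and can be published separately.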

11 When do I need to (re-)run the HCW?
Yes:
  When you update/modify transport certificate(s)
  When you add/remove accepted domains
  When you add/remove transport servers
No:
  When you update Exchange on-premises (CUx > CUy)
  When you add a DAG
  When you modify Client Access settings
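A way to detect that one of the “Yes” triggers above has happened since the last HCW run, as an added example that is not part of the presentation. It compares the three things the HCW writes (the TLS certificate name on the hybrid connectors, the domain list in the hybrid configuration object, and the transport servers carrying the hybrid receive connector settings) with the current state of the organization. The connector name pattern `Outbound to Office 365*` is the HCW’s naming convention; treating `mail.protection.outlook.com` in TlsDomainCapabilities as the marker of an HCW-configured receive connector is an assumption that holds for both the dedicated “Inbound from Office 365” connector and the modified Default Frontend connector.

```powershell
# Added example (not from the presentation): drift check for HCW-managed objects.
# Run in the on-premises Exchange Management Shell.

$hybrid = Get-HybridConfiguration

# 1. Transport certificate. The HCW writes "<I>issuer<S>subject" of the chosen
#    certificate into TlsCertificateName on the hybrid send connector(s). After a
#    certificate renewal that string still names the OLD certificate, and TLS
#    with Exchange Online breaks until the HCW is re-run (or the name is updated).
$smtpCerts = Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' -and -not $_.IsSelfSigned }
foreach ($sc in (Get-SendConnector | Where-Object { $_.Name -like 'Outbound to Office 365*' })) {
    $expected = $smtpCerts | ForEach-Object { "<I>$($_.Issuer)<S>$($_.Subject)" }
    if (-not $sc.TlsCertificateName -or ($expected -notcontains $sc.TlsCertificateName.ToString())) {
        Write-Warning "Send connector '$($sc.Name)': TlsCertificateName does not match any installed SMTP certificate -> re-run HCW"
    }
}

# 2. Accepted domains. Every accepted domain should be in the hybrid
#    configuration's domain list (entries look like "contoso.com" or
#    "autod:contoso.com"); a domain added later is not known to Office 365.
$hybridDomains = $hybrid.Domains | ForEach-Object { ($_.ToString() -replace '^autod:', '').ToLower() }
Get-AcceptedDomain | Where-Object { $hybridDomains -notcontains $_.DomainName.ToString().ToLower() } |
    ForEach-Object { Write-Warning "Accepted domain '$($_.DomainName)' is not in the hybrid configuration -> re-run HCW" }

# 3. Transport servers. Compare the servers whose receive connector carries the
#    HCW-set TLS domain capability with all transport-capable servers; a new
#    server without it cannot accept hybrid mail from Exchange Online.
$receiveServers = @(Get-ReceiveConnector |
    Where-Object { $_.TlsDomainCapabilities -match 'mail\.protection\.outlook\.com' } |
    ForEach-Object { $_.Server.Name } | Sort-Object -Unique)
$transportServers = @(Get-ExchangeServer |
    Where-Object { $_.ServerRole -match 'Mailbox|HubTransport' } |
    ForEach-Object { $_.Name } | Sort-Object -Unique)
Compare-Object $transportServers $receiveServers |
    Where-Object { $_.SideIndicator -eq '<=' } |
    ForEach-Object { Write-Warning "Server '$($_.InputObject)' has no hybrid receive connector settings -> re-run HCW if it should receive Office 365 mail" }
```

Run it as a scheduled check; the three warnings map one-to-one onto the “Yes” rows of the slide, while CU upgrades, new DAGs and Client Access changes leave all three untouched.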

12 Do I need to upgrade “hybrid” servers?
Decision tree (slide flowchart), starting from Exchange 2010:
  Are you happy? YES > stay on Exchange 2010.
  NO > why? Issues unrelated to hybrid > fix the unrelated issues first. Issues related to hybrid > fix the related issues first.
  Purpose of the hybrid deployment? Long-term coexistence, or only moving mailboxes (migration)?
  Outcomes: stay on Exchange 2010, or upgrade to 2013/2016.

13 Common mistakes & misconceptions and hybrid snafus

14 I just completed migrating to Exchange Online... ...but I need to keep my Exchange Server?!

15 Identity = root of all evil (in this case)
As long as a customer is running directory synchronization (AAD Connect), an on-premises Exchange Server is needed to manage Exchange Online mailboxes.
Recipient management | DirSync disabled | DirSync enabled (hybrid)
Exchange Online mailbox | Managed in the cloud | Managed on-premises (as an on-premises mail-enabled user / remote mailbox)

16 Any other reason to keep Exchange around?
Exit strategy: if you keep Exchange around, you can choose to move mailboxes back on-premises if you don’t like it in the cloud*
SMTP relay: the on-premises Exchange server is an ideal candidate to allow (secure) SMTP relaying to Exchange Online, e.g. for multi-function devices, scanners, faxes, etc...
Hybrid Public Folders: keep Public Folders on-premises (e.g. if you have more than 250k folders…)

17 Cross-premises permissions...
Sofie (Sales Director) just got moved to Office 365; she is happy that she can (finally) start using all those cool new features... Mike (the IT-guy) is happy he moved his first batch of mailboxes to Office 365. In fact, he’s already dreaming about his next vacation somewhere on a (remote) beach.

18 The morning after... After a morning full of meetings, Sofie (Sales Director) gets a phone call from her secretary telling her she was unable to confirm Sofie’s availability for an urgent meeting with one of her clients (she couldn’t see her calendar). As a result, the client decided to take his business elsewhere... Infuriated, she calls Mike asking him what’s happened [drama: in a perhaps not so friendly tone]. Mike starts investigating, and finds out that delegate permissions are not supported in a hybrid deployment. This is something he was not prepared for! After all, the Microsoft sales rep recently told him that hybrid would be the answer to all of his problems! [drama: he might not be able to afford his next vacation after all]

19 Cross-premises permissions: reality (today)
Permission | On-prem mailbox <> cloud mailbox (cross-premises) | Cloud mailbox <> cloud mailbox
Full Access | Works as expected. Permissions are migrated and can be assigned cross-premises. | Works as expected (both mailboxes in the same environment).
Send-As | Migrated permissions will work (IF assigned on-premises first). Cross-premises permissions cannot be assigned (thus won’t work). | Works as expected (both mailboxes in the same environment). Permissions stop working once a mailbox is moved back on-premises.
Send-on-Behalf | Migrated permissions will work (IF assigned on-premises first). New cross-premises permissions won’t work (even after a move). | -
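The practical consequence of the table above is that a migration batch has to be cut along permission boundaries, and that Send-As / Send-on-Behalf must be in place on-premises before the move. The script below, an added example that is not part of the presentation, inventories the three permission types for a batch and flags every grant whose trustee is not in the same batch (and will therefore end up cross-premises). The batch file path is an assumption; the cmdlets are the standard on-premises ones.

```powershell
# Added example (not from the presentation): pre-move inventory of Full Access,
# Send-As and Send-on-Behalf grants for a migration batch. Run in the on-premises
# Exchange Management Shell. The batch file path is a placeholder (assumption).

$batch = Get-Content 'C:\Migration\batch01.txt'      # one primary SMTP address per line
$batchSet = @{}
foreach ($addr in $batch) { $batchSet[$addr.ToLower()] = $true }
$report = New-Object System.Collections.ArrayList

function Resolve-Smtp($identity) {
    # Trustees come back as DOMAIN\sam, DNs or ADObjectIds; normalise to primary
    # SMTP so they can be looked up in the batch set.
    $r = Get-Recipient -Identity "$identity" -ErrorAction SilentlyContinue
    if ($r) { $r.PrimarySmtpAddress.ToString().ToLower() } else { $null }
}

function Add-Finding($Mailbox, $Type, $Trustee) {
    $inBatch = $Trustee -and $batchSet[$Trustee]
    # Full Access survives cross-premises; Send-As and Send-on-Behalf only if they
    # were assigned on-premises before the move, and they can never be (re)assigned
    # cross-premises afterwards.
    $risk = if ($inBatch) { 'ok: trustee moves in same batch' }
            elseif ($Type -eq 'FullAccess') { 'info: cross-premises, still works' }
            else { 'WARNING: cross-premises, cannot be re-assigned after move' }
    [void]$report.Add((New-Object PSObject -Property @{
        Mailbox = $Mailbox; Permission = $Type; Trustee = $Trustee; Risk = $risk }))
}

# Service principals and unresolved SIDs are noise for this purpose.
$isSystem = { $_.User -like 'NT AUTHORITY\*' -or $_.User -like 'S-1-5-*' -or $_.IsInherited }

foreach ($addr in $batch) {
    $mbx = Get-Mailbox -Identity $addr -ErrorAction Stop

    # Full Access is a mailbox ACE.
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { ($_.AccessRights -like '*FullAccess*') -and -not (& $isSystem) } |
        ForEach-Object { Add-Finding $addr 'FullAccess' (Resolve-Smtp $_.User) }

    # Send-As is an extended right on the AD object, not on the mailbox.
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object { ($_.ExtendedRights -like 'Send-As') -and -not (& $isSystem) } |
        ForEach-Object { Add-Finding $addr 'Send-As' (Resolve-Smtp $_.User) }

    # Send-on-Behalf is a multi-valued attribute of the mailbox itself.
    foreach ($sob in $mbx.GrantSendOnBehalfTo) {
        Add-Finding $addr 'Send-on-Behalf' (Resolve-Smtp $sob)
    }
}

$report | Sort-Object Risk, Mailbox | Format-Table Mailbox, Permission, Trustee, Risk -AutoSize
```

Every WARNING row is a Sofie-and-her-secretary incident waiting to happen: either add the trustee to the same batch, or accept that the grant has to be assigned on-premises (and never touched from the cloud side) before the move.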

20 Hybrid mes(s)(h): free/busy via the Microsoft Federation Gateway
[Diagram: Brianna D. (Comp. A, on-premises); Timothy H. (Comp. B, mailbox in Office 365, …onmicrosoft.com); Comp. B on-premises Exchange; Microsoft Federation Gateway]
1. Brianna requests F/B information for Timothy.
2. Her Exchange server finds that Timothy is external, and that an Organization Relationship exists for Timothy’s domain.
3. Exchange requests a delegation token for Timothy’s organization from the MFG; the MFG returns a valid token for Timothy’s organization.
4. Via Autodiscover, Brianna’s Exchange server contacts Timothy’s on-premises Exchange server to request F/B information for Timothy, using the delegation token from the MFG.
5. Timothy’s Exchange server looks up Timothy’s recipient details. Because Tim’s mailbox is in Office 365, there is a targetAddress stamped on the object (…onmicrosoft.com). This value is returned in answer to Brianna’s Exchange server’s request.
6. The answer Brianna’s Exchange server got isn’t exactly what it expected. Instead of launching another F/B lookup using the new recipient details, it does nothing... GASP.

21 Hybrid Mesh
Trusts aren’t transitive. Applies to both OAUTH and DAUTH scenarios.
Workaround:
  (Manually) implement GalSync between both organizations
  Create Organization Relationships & Intra-Organization Connectors between all involved environments
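The second workaround, as an added example that is not part of the presentation: Company A’s on-premises organization gets its own Organization Relationship straight to Company B’s Office 365 tenant, so step 5 of the flow above never has to be followed through a second hop. The domain names, the relationship name and the test user are assumptions; the cmdlets and the `Get-FederationInformation | New-OrganizationRelationship` pattern are the standard DAuth ones. The same applies to slide 37: free/busy between two on-premises orgs is another relationship of exactly this kind, configured by hand.

```powershell
# Added example (not from the presentation): a direct DAuth organization
# relationship from Company A (on-premises) to Company B's Office 365 tenant.
# Domain names, the relationship name and the test user are placeholders
# (assumptions). Run in Company A's Exchange Management Shell; Company A must
# already have a federation trust with the Microsoft Federation Gateway.

$partnerDomain = 'compb.onmicrosoft.com'        # or a Company B vanity domain federated in the tenant
$relName       = 'CompA-OnPrem to CompB-Office365'
$testUser      = 'brianna.d@compa.com'

# Federation metadata (application URI, Autodiscover/EWS endpoint) for the
# partner domain, looked up through the MFG. Failing here means the domain is
# not federated on the partner side, which is the first thing to check.
$fedInfo = Get-FederationInformation -DomainName $partnerDomain

$existing = Get-OrganizationRelationship | Where-Object { $_.DomainNames -like $partnerDomain }
if (-not $existing) {
    # LimitedDetails = free/busy with subject/location only; least privilege for
    # a partner that merely needs to schedule meetings.
    $fedInfo | New-OrganizationRelationship -Name $relName `
        -FreeBusyAccessEnabled $true `
        -FreeBusyAccessLevel LimitedDetails `
        -Enabled $true
}

# End-to-end check as a real on-premises user: resolves the relationship,
# obtains a delegation token from the MFG and calls the partner's Autodiscover
# and EWS endpoints, reporting each step.
Test-OrganizationRelationship -Identity $relName -UserIdentity $testUser -Verbose
```

Every edge of the mesh needs its own relationship in each direction (Comp. A on-prem > Comp. B tenant, Comp. B tenant > Comp. A on-prem, Comp. B on-prem > Comp. A tenant, and so on); none of them is inferred from the hybrid relationship an organization already has with its own tenant.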

22 Mailbox provisioning
Creating mailboxes cross-premises can be confusing...
New-RemoteMailbox can create the mailbox directly in Office 365, but creates a (potential) problem for offboarding.
Ideally, you create a new mailbox on-premises and move the (empty) mailbox to Office 365 (= cumbersome).
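Both provisioning paths side by side, as an added example that is not part of the presentation, together with the offboarding pitfall the slide alludes to: a remote mailbox created with New-RemoteMailbox does not carry the ExchangeGuid of the cloud mailbox, so a later move back on-premises fails until the on-premises object is stamped with the cloud value. This is also the concrete shape of slide 15: as long as AAD Connect runs, every one of these objects is created and edited on-premises, not in the portal. Names, domains, the database and the routing domain are assumptions.

```powershell
# Added example (not from the presentation): the two provisioning paths from
# the slide and the ExchangeGuid fix-up needed before a Path-2 mailbox can be
# moved back. Names, domains, database and routing domain are placeholders
# (assumptions). On-premises steps run in the Exchange Management Shell, the
# tenant-side steps in Exchange Online PowerShell.

$routingDomain = 'contoso.mail.onmicrosoft.com'   # HCW-added routing domain (assumption)
$pw = Read-Host -AsSecureString 'Initial password'

# --- Path 1 (on-premises): create the mailbox locally, then move it. ---
# Slow, but the on-premises object carries the real ExchangeGuid, so a move in
# either direction is just another New-MoveRequest.
New-Mailbox -Name 'Sofie Sales' -UserPrincipalName 'sofie@contoso.com' -Alias sofie `
    -Database 'DB01' -Password $pw
# ... wait for AAD Connect to sync the new object, then (Exchange Online PowerShell):
#   New-MoveRequest -Identity 'sofie@contoso.com' -Remote -RemoteHostName 'mail.contoso.com' `
#       -TargetDeliveryDomain $routingDomain -RemoteCredential (Get-Credential)

# --- Path 2 (on-premises): remote mailbox, provisioned directly in the cloud. ---
# Fast, but the on-premises object is a mail user whose ExchangeGuid is NOT the
# cloud mailbox's GUID.
New-RemoteMailbox -Name 'Mike IT' -UserPrincipalName 'mike@contoso.com' -Alias mike `
    -Password $pw -RemoteRoutingAddress "mike@$routingDomain"

# --- Offboarding check for Path-2 objects ---
# (Exchange Online PowerShell):
#   $cloudGuid = (Get-Mailbox -Identity 'mike@contoso.com').ExchangeGuid
# (on-premises) compare and, if needed, stamp the cloud value; this is the
# documented remediation before an offboarding move request will succeed.
$onPrem = Get-RemoteMailbox -Identity 'mike@contoso.com'
if ($onPrem.ExchangeGuid -ne $cloudGuid) {
    Write-Warning "ExchangeGuid mismatch for $($onPrem.PrimarySmtpAddress): on-prem $($onPrem.ExchangeGuid), cloud $cloudGuid"
    Set-RemoteMailbox -Identity 'mike@contoso.com' -ExchangeGuid $cloudGuid
}
```

If you standardize on Path 2 for speed, make the GUID comparison part of the regular recipient health checks rather than discovering it the day an exit strategy is exercised.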

23 Mergers, acquisitions & divestitures

24 The playing field...
Holding X
  Company A > Exchange 2010 (on-prem)
  Company B > Office 365
  Company C > Lotus Notes
  Company D > Exchange (on-prem)

25 Requirements
Set up a (single) global solution to improve collaboration between all subsidiaries (organizations)
Keep the time to implement as low as possible
Minimize impact on end users at all costs
Show benefits as quickly as possible (early on in the project)
“Secure by design”: everything you implement should adhere to company/industry standards & best practices
Maintain compliance with regulations (such as e.g. GDPR)

26 Where do you begin?!

27 My BAE (Before Anything Else)
Make sure network connectivity / infrastructure is up to par! The network is often underestimated:
  Scale > port exhaustion?
  Proxy servers?
  Firewalls (and their (in)ability to deal with domain-based ACLs)
  Challenge: how to stay up to date with changing IP addresses?
Single or multiple tenants? Multi-tenant = complex and doesn’t always meet requirements. Often you create the same problems as before, but shift the problem towards the cloud.
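One answer to “how to stay up to date with changing IP addresses”, as an added example that is not part of the presentation: regenerate the firewall allow list from Microsoft’s published Office 365 endpoint feed instead of maintaining it by hand. The live feed is the JSON web service at endpoints.office.com (it requires a `clientrequestid` GUID); the block parses a constructed sample in that feed’s shape so it runs offline, and the sample values are made up, not real endpoint data. The function name and the Exchange-only filter are assumptions.

```powershell
# Added example (not from the presentation): build firewall allow-list rows for
# the Exchange service area from the Office 365 endpoints feed. The sample JSON
# below is constructed for the demo and contains made-up addresses.

function Get-ExchangeEndpointRules {
    param(
        [Parameter(Mandatory)][string]$Json,   # raw JSON in the endpoints-service format
        [switch]$RequiredOnly                  # drop entries Microsoft marks as not required
    )
    foreach ($e in ($Json | ConvertFrom-Json)) {
        if ($e.serviceArea -ne 'Exchange') { continue }
        if ($RequiredOnly -and -not $e.required) { continue }
        $ports = @()
        if ($e.tcpPorts) { $ports += "tcp/$($e.tcpPorts)" }
        if ($e.udpPorts) { $ports += "udp/$($e.udpPorts)" }
        # IP ranges become classic ACL entries; URL entries (often wildcards) are
        # exactly the domain-based ACLs many firewalls cannot express, which is
        # why they are reported separately rather than silently dropped.
        foreach ($ip in @($e.ips)) {
            New-Object PSObject -Property @{ Id = $e.id; Category = $e.category; Kind = 'ip';  Value = $ip; Ports = ($ports -join ',') }
        }
        foreach ($u in @($e.urls)) {
            New-Object PSObject -Property @{ Id = $e.id; Category = $e.category; Kind = 'url'; Value = $u;  Ports = ($ports -join ',') }
        }
    }
}

# Constructed sample in the feed's format (made-up values, documentation prefixes).
$sample = @'
[
 {"id":1,"serviceArea":"Exchange","category":"Optimize","required":true,
  "urls":["outlook.office365.com"],"ips":["192.0.2.0/24","2001:db8:1::/48"],"tcpPorts":"80,443"},
 {"id":2,"serviceArea":"Exchange","category":"Allow","required":true,
  "urls":["*.protection.outlook.com"],"ips":["198.51.100.0/24"],"tcpPorts":"25,443"},
 {"id":3,"serviceArea":"Exchange","category":"Default","required":false,
  "urls":["*.example.net"],"tcpPorts":"443"},
 {"id":9,"serviceArea":"SharePoint","category":"Default","required":true,
  "urls":["*.sharepoint.com"],"tcpPorts":"443"}
]
'@

Get-ExchangeEndpointRules -Json $sample -RequiredOnly |
    Sort-Object Kind, Id | Format-Table Id, Category, Kind, Value, Ports -AutoSize

# Live use (online): poll the version endpoint and only regenerate when it changes.
#   $cid  = [guid]::NewGuid()
#   $ver  = Invoke-RestMethod "https://endpoints.office.com/version/worldwide?clientrequestid=$cid"
#   $json = (Invoke-WebRequest "https://endpoints.office.com/endpoints/worldwide?clientrequestid=$cid" -UseBasicParsing).Content
#   Get-ExchangeEndpointRules -Json $json -RequiredOnly
```

The `url` rows are the interesting output for the firewall discussion on the slide: a device that can only do IP ACLs has no way to represent `*.protection.outlook.com`, so those rows either go to a proxy that understands FQDN wildcards or become an accepted gap in the design.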

28 Building a solid foundation
Identities are the cornerstone of your deployment, but also the front door to your data...
Azure AD can serve multiple purposes > multiple quick wins!
Multiple forests > how to deal with them?
  AAD Connect (stay away from complex solutions)
  On-prem synchronization tool? (i.e. GalSync)

29 Synchronizing identities
[Diagram: the directories of Comp. A, Comp. B, Comp. C and Comp. D synchronized into a single Azure AD]
Think about your sourceAnchor attribute! (objectGUID vs. ms-DS-ConsistencyGuid (or other))

30 SourceAnchor
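What the sourceAnchor choice on slides 29 and 30 means in practice, as an added example that is not part of the presentation. Azure AD stores the anchor as ImmutableId, the Base64 encoding of the 16 raw bytes of the chosen attribute. With objectGUID, a user that is re-created or migrated into another forest (typical after an acquisition) gets a new anchor and Azure AD treats it as a different person; with ms-DS-ConsistencyGuid, AAD Connect copies the objectGUID into that attribute once and the value can then be carried along with the object. The report below computes both anchors for each mail-enabled user and flags where they disagree. The OU, the domain controller and the function names are assumptions; the encoding is the one AAD Connect uses for GUID-typed anchors.

```powershell
# Added example (not from the presentation): compare the objectGUID-based and
# ms-DS-ConsistencyGuid-based sourceAnchor (ImmutableId) per user. Search base
# and DC are placeholders (assumptions). Requires the ActiveDirectory module.

Import-Module ActiveDirectory

function ConvertTo-ImmutableId([guid]$Guid) {
    # ImmutableId is the Base64 of the GUID's 16 raw bytes, in .NET byte order.
    [Convert]::ToBase64String($Guid.ToByteArray())
}

function Get-SourceAnchorReport {
    param([string]$SearchBase, [string]$Server)
    Get-ADUser -Filter { mail -like '*' } -SearchBase $SearchBase -Server $Server `
               -Properties 'ms-DS-ConsistencyGuid', mail |
    ForEach-Object {
        $raw = $_.'ms-DS-ConsistencyGuid'                    # byte[] when set, else $null
        $cgGuid = $null
        if ($raw) { $cgGuid = New-Object System.Guid (,[byte[]]$raw) }

        $objectAnchor = ConvertTo-ImmutableId $_.ObjectGUID
        $cgAnchor = if ($cgGuid) { ConvertTo-ImmutableId $cgGuid } else { '(not set)' }
        # After an in-forest creation both anchors agree. After a cross-forest
        # migration they differ: the object has a new objectGUID but (if the
        # attribute was carried over) the same ms-DS-ConsistencyGuid, which is
        # exactly what keeps the cloud identity stable.
        $consistent = ($null -ne $cgGuid) -and ($cgGuid -eq $_.ObjectGUID)

        New-Object PSObject -Property @{
            User                  = $_.UserPrincipalName
            ObjectGuidAnchor      = $objectAnchor
            ConsistencyGuidAnchor = $cgAnchor
            Consistent            = $consistent
        }
    }
}

Get-SourceAnchorReport -SearchBase 'OU=Users,DC=compa,DC=local' -Server 'dc01.compa.local' |
    Format-Table User, ObjectGuidAnchor, ConsistencyGuidAnchor, Consistent -AutoSize
```

Users showing `(not set)` have not yet been handled by an AAD Connect configured for ms-DS-ConsistencyGuid; users showing `False` are the ones whose cloud identity would have broken had objectGUID been the anchor.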

31 Benefits of a single (global) Azure AD tenant?
Enable easy & quick collaboration across connected organizations
Quickly start collaborating with new partners or acquired organizations through e.g. Azure B2B (or other external sharing features)
New acquisitions can quickly hook into the existing tenant by expanding Azure AD Connect with an additional on-prem forest

32 How about authentication?
Lots of organizations (try to) default to AD FS. Is it really necessary? What’s the constraint against using e.g. Password Hash Sync or PTA/SSO?
AD FS & multi-forest works great, IF all organizations have a unique UPN (namespace). If not, cross-forest UPN suffix routing is disabled!
Separate UPNs allow for separate AD FS instances > more granular control (but also an overhead you don’t want)
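Before committing to AD FS in a multi-forest design, it is worth knowing which UPN suffixes are actually in use in each forest and which ones collide. The script below, an added example that is not part of the presentation, enumerates the suffixes per forest and flags the shared ones, i.e. the case in which AD FS cross-forest UPN suffix routing cannot disambiguate a sign-in and a different design (PHS/PTA, or a single namespace) is needed. The domain controller names and the function name are assumptions.

```powershell
# Added example (not from the presentation): find UPN suffixes used in more
# than one forest. DC names are placeholders (assumptions). Requires the
# ActiveDirectory module and one reachable DC per forest.

Import-Module ActiveDirectory

function Get-UpnSuffixOverlap {
    param([string[]]$ForestDCs)
    $seen = @{}                                   # suffix -> array of forest names
    foreach ($dc in $ForestDCs) {
        $forest = (Get-ADForest -Server $dc).Name
        Get-ADUser -Filter { UserPrincipalName -like '*' } -Server $dc -Properties UserPrincipalName |
            ForEach-Object { ($_.UserPrincipalName -split '@')[1].ToLower() } |
            Sort-Object -Unique |
            ForEach-Object {
                if (-not $seen.ContainsKey($_)) { $seen[$_] = @() }
                $seen[$_] += $forest
            }
    }
    foreach ($suffix in $seen.Keys) {
        New-Object PSObject -Property @{
            Suffix  = $suffix
            Forests = ($seen[$suffix] -join ', ')
            # $true: the same suffix is issued in several forests, so a federated
            # sign-in for user@suffix cannot be routed to one forest by suffix.
            Shared  = ($seen[$suffix].Count -gt 1)
        }
    }
}

Get-UpnSuffixOverlap -ForestDCs 'dc01.compa.local', 'dc01.compb.local' |
    Sort-Object Shared -Descending, Suffix |
    Format-Table Suffix, Forests, Shared -AutoSize
```

A clean result (no `Shared = True` rows) is the precondition the slide states for multi-forest AD FS; a single shared holding namespace, as on slide 35, shows up here as one row listing every forest.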

33 Authentication; User A in Company A
[Diagram: Company A (CompanyA.com) and Company B (CompanyB.com) both sync to the tenant; a user signing in with @companyA.com is routed to Company A]

34 Authentication; User B in Company B
[Diagram: Company A (CompanyA.com) and Company B (CompanyB.com) both sync to the tenant; a user signing in with @companyB.com is routed to Company B]

35 Authentication; User in shared namespace
[Diagram: Company A and Company B both sync to the tenant using the shared Holding.com namespace; the suffix alone cannot tell the two forests apart]

36 Migration strategies
Exchange on-premises: hybrid or not?
  Long-term, or just for migration purposes?
  What version of on-premises Exchange is used?
Lotus Notes: built-in capabilities or 3rd-party tools?
  Mail-only? Or also include applications and data?
Other cloud solutions: using a third-party tool is (almost) the only really viable option...

37 Multi-Forest Hybrid?
Each Exchange organization must be authoritative for at least one distinct SMTP namespace and the corresponding Autodiscover namespace
A different public certificate must be used for TLS negotiation in each on-prem Exchange organization
If there are shared domains across multiple Exchange organizations, then both mail routing and Autodiscover need to be configured and working properly between the Exchange orgs before you start
Office 365 must be able to query Autodiscover in each org
Possible with Exchange 2010/2013/2016; the latest version of the HCW must be used!
Free/busy is NOT transitive; coexistence between on-premises orgs must be configured manually
You cannot go multi-forest with multiple tenants

38 Exchange: Edge or no Edge?
Edge Transport servers are not required, but can help satisfy certain security requirements (i.e. “external connections must be terminated in the DMZ”)
Sizing Edge for (large) hybrid environments is not easy > no real guidance available
  Size just like you would size regular transport servers (think about SafetyNet!)
  Start small, scale up as needed
(Third-party) routing agents can increase the flexibility of deployment and migration (e.g. condition-based routing)

39 Sharing a namespace? One of the toughest problems to solve (today)
Internal relay domains are prone to issues (e.g. mail loops) & cumbersome to set up/maintain across multiple orgs.
3rd-party solutions can help: address rewriting for inbound/outbound messages. This can, in turn, break functionality (e.g. DKIM, etc.).
[Diagram: @compC.holding.com and @compA.holding.com rewritten to/from the shared @holding.com namespace]

40 Non-technical challenges
Building a service organization across organizational boundaries can be tough.
  Define a standard service, and how to deal with new functionalities
  Define an MVP (minimum viable product) for functionality, security, etc.
  Define allowed/possible deviations from the MVP
  How to deal with support? What if your orgs are spread across multiple geographical locations?
Other challenges that might arise:
  Political (job protection?)
  Tooling (e.g. license management)
  Account lifecycle management

41 Shared administration across boundaries?
Often there are legal implications (e.g. admins from one region being able to manage objects elsewhere)
3rd-party tooling can help, but doesn’t take away the need for a “code of conduct”
Shared tooling can improve communication across teams (and reduce overhead); factor in budget for this!
EMS and role-based access control can provide sufficient security; might require additional licenses, and must be set up accordingly.

42 Multi-geographical organizations
Today, there’s no all-encompassing solution (available) for multi-geo support. MSFT announced new capabilities coming in the future; related sessions:
BRK3248 – 10:45 AM, Exchange Online Multi-Geo Capabilities
BRK2378 – 4:30 PM, Understanding Multi-Geo Capabilities in Office 365
BRK3263 – 10:45 AM, Multi-Geo Capabilities in OneDrive and SharePoint Online
