
1 Microsoft Ignite 2015 4/16/2017 4:33 PM
© 2015 Microsoft Corporation. All rights reserved. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2 Exchange Hybrid: Make Office 365 Work for You
Michael Van Horenbeeck, MVP; Timothy Heeney, Supportability Program Manager

3 Why Exchange Hybrid?
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

4 Why Exchange Hybrid?
Diagram labels: Address Book; User Experiences; Calendaring & Free/Busy; Messaging; Mail Migrations. Mailbox data flows from Exchange on-premises through the MRS to Office 365.

5 Exchange Hybrid Overview
• OAuth / DAuth: delegated authentication for on-premises and cloud web services; enables free/busy, calendar sharing, message tracking and the online archive.
• Native mailbox move: online mailbox moves that preserve the Outlook profile and offline folders; leverages the Mailbox Replication Service (MRS).
• Integrated admin experience: manage all of your Exchange functions, whether cloud or on-premises, from the same place: the Exchange Admin Center.
• Secure mail flow: authenticated and encrypted mail flow between on-premises and the cloud; preserves the internal Exchange message headers, allowing a seamless end-user experience; supports compliance mail flow scenarios (centralized transport).

6 Hybrid benefits vs. other migration options
Axes on the slide: Deployment Complexity (EASY … Really?) and End User Complexity (Really? … EASY).
• Hybrid: DirSync/identity management; Hybrid Configuration Wizard, OAuth, MRS, …; auto profile updates; batch approach; offboarding; rich coexistence.
• Cutover: no additional servers; cloud IDs only; OST sync; all at once…
• Staged: DirSync needed; no 2010/2013; OST sync; batch approach.

7 Hybrid Configuration Engine
Step 1: The Update-HybridConfiguration cmdlet (run from the Exchange Management Tools) triggers the Hybrid Configuration Engine to start.
Step 2: The Hybrid Configuration Engine reads the "desired state" stored on the HybridConfiguration Active Directory object.
Step 3: The Hybrid Configuration Engine connects via Remote PowerShell to both the on-premises and Exchange Online organizations.
Step 4: The Hybrid Configuration Engine discovers topology data and current configuration from the on-premises Exchange organization and the Exchange Online organization.
Step 5: Based on the desired state, topology data, and current configuration across both the on-premises Exchange and Exchange Online organizations, the Hybrid Configuration Engine establishes the "difference" and then executes configuration tasks to establish the "desired state."
Configuration objects touched on-premises:
• Exchange server level: Mailbox Replication Service Proxy, certificate validation, Exchange Web Services virtual directory validation, and Receive Connector.
• Domain level: Accepted Domains, Remote Domains, and Address Policies.
• Organization level: Exchange Federation Trust, Organization Relationship, Availability Address Space, and Send Connector.
Configuration objects touched in Exchange Online:
• Organization level: Exchange Federation Trust, Organization Relationship, Forefront Inbound Connector, and Forefront Outbound Connector.
• Domain level: Accepted Domains and Remote Domains.
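The step 5 comparison can be approximated by hand, which is useful when a later change (a new domain, a replaced certificate) has drifted away from what the HCW last wrote. The following read-only PowerShell function is an added example, not code from the deck or from Microsoft: it reads the desired state from the HybridConfiguration object and checks it against the on-premises domain- and organization-level objects listed above. It assumes the standard Exchange 2013 cmdlets and properties (Get-HybridConfiguration, Get-AcceptedDomain, Get-FederatedOrganizationIdentifier, Get-OrganizationRelationship, Get-ExchangeCertificate) and is meant for the on-premises Exchange Management Shell; the report layout and the match on the tenant routing domain are my own assumptions.

```powershell
# Added example, not part of the Ignite deck. Read-only: reports drift between the
# "desired state" on the HybridConfiguration object and the on-premises objects the
# HCW is expected to have created. Run in the on-premises Exchange Management Shell.

function Get-HybridDriftReport {
    $desired = Get-HybridConfiguration
    if (-not $desired) { throw "No HybridConfiguration object found; the HCW has not been run yet." }

    # Domains on the object look like "contoso.com" or "autod:contoso.com" (the
    # autodiscover domain); strip the prefix so both forms compare as one domain.
    $desiredDomains = @($desired.Domains |
        ForEach-Object { "$_".ToLower() -replace '^autod:', '' } |
        Sort-Object -Unique)

    $acceptedDomains  = @(Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() })
    $federatedDomains = @(Get-FederatedOrganizationIdentifier |
        Select-Object -ExpandProperty Domains | ForEach-Object { "$_".ToLower() })

    # Domain-level drift: every hybrid domain must be an accepted domain and be
    # registered in the federation trust (DAuth). A domain added to the desired
    # state after the last HCW run shows up here until the HCW is re-run.
    foreach ($d in $desiredDomains) {
        $accepted  = $acceptedDomains -contains $d
        $federated = $federatedDomains -contains $d
        [PSCustomObject]@{
            Check  = "Hybrid domain $d"
            Ok     = $accepted -and $federated
            Detail = "AcceptedDomain=$accepted; InFederationTrust=$federated"
        }
    }

    # Organization-level drift: the on-premises organization relationship to the
    # tenant (assumption: it lists the <tenant>.mail.onmicrosoft.com routing domain)
    # must exist, be enabled and carry an Autodiscover endpoint for free/busy and MRS.
    $orgRel = Get-OrganizationRelationship | Where-Object {
        @($_.DomainNames | ForEach-Object { "$_" }) -match '\.mail\.onmicrosoft\.com$'
    } | Select-Object -First 1
    [PSCustomObject]@{
        Check  = 'Organization relationship to Office 365'
        Ok     = [bool]($orgRel -and $orgRel.Enabled -and $orgRel.TargetAutodiscoverEpr)
        Detail = if ($orgRel) { "Name=$($orgRel.Name); Enabled=$($orgRel.Enabled); Epr=$($orgRel.TargetAutodiscoverEpr)" } else { 'missing' }
    }

    # Server-level drift: the certificate named in the desired state (format
    # "<I>issuer<S>subject") must still be installed and enabled for SMTP, otherwise
    # authenticated mail flow between on-premises and the cloud fails.
    $tlsName = "$($desired.TlsCertificateName)"
    $cert = Get-ExchangeCertificate | Where-Object { $tlsName -and ($tlsName -like "*<S>$($_.Subject)") } | Select-Object -First 1
    [PSCustomObject]@{
        Check  = 'Hybrid TLS certificate present and enabled for SMTP'
        Ok     = [bool]($cert -and ("$($cert.Services)" -match 'SMTP') -and ($cert.NotAfter -gt (Get-Date)))
        Detail = if ($cert) { "Thumbprint=$($cert.Thumbprint); Services=$($cert.Services); NotAfter=$($cert.NotAfter)" } else { "no installed certificate matches '$tlsName'" }
    }
}

# Usage: Get-HybridDriftReport | Format-Table -AutoSize
```

Anything reported with Ok = False is a candidate for re-running the HCW rather than for a manual fix, since the engine will overwrite manual changes on its next run anyway.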

8 Exchange Hybrid Scenario
Diagram labels:
• On-premises Exchange organization: existing Exchange environment (Exchange 2007 or later) with an Exchange 2013 client access & mailbox server
• Office 365
• Active Directory synchronization: users, contacts, and groups via Azure AD Sync
• Secure mail flow
• Mailbox data via the Mailbox Replication Service (MRS)
• Sharing (free/busy, MailTips, archive, etc.)

9 What's Coming…

10 Exchange Hybrid Wizard History
1. Exchange 2010 SP1: 72 pages of documentation; extremely complex and low adoption.
2. Exchange 2010 SP2: HCW introduced.
3. Exchange 2013: HCW with web-based UI; removed confusing requirements for additional domains (exchangedelegation and service.contoso.com); greatly simplified transport configuration.
4. Exchange 2013 SP1: multiple Exchange organizations now supported; supports Exchange 2013 Edge.
5. Exchange 2013 CU5: native OAuth and Gallatin support.
What is coming next?

11 What is next for Hybrid?
• Multi-forest hybrid with AADSync (TAP ongoing)
• Resolving the common upgrade issues (upgrade from 2010/2013)
• Service validation for HCW (hybrid tested in EVERY forest EVERY day)
• HCW updates no longer tied to CUs
• Improvements to OAuth to support multi-forest
• Better diagnostics built in (HCW and other troubleshooters)
• Stand-alone HCW (new web-based HCW); HCW looks and feels familiar

12 Stand Alone HCW: What are the benefits?
• Exchange 2013 and E16 can use it
• Allows for agility with feature releases
• Allows for changes outside of CUs
• Allows for proper piloting of features
• Looks and feels familiar
• Allows us to fix issues quickly
• Allows us to add improvements to the HCW experience
• The newest version is used by EVERYONE

13 Stand Alone HCW: Common Questions
• Will I be able to run it on Exchange 2010?
• Will I be able to run it on Exchange 2013?
• Can I upgrade from Exchange 2010 to a newer version?
• Can I opt out of the new HCW experience?
• Will I need to add any additional URL to my outbound proxy device?
• Will running the Stand Alone HCW change any of my settings?

14 Hybrid & authentication

15 Authentication in a hybrid deployment
• Cloud IDs (online username & password)
• Password Hash Synchronization (PW Sync)
• Active Directory Federation Services (AD FS)
A lot of organizations deploy AD FS because of its benefits:
• Near-seamless logons (single sign-on)
• Most flexible solution for various clients such as Outlook, EAS, etc.
• More granular control over authentication
Most organizations deploy Password Hash Synchronization.

16 Modern Authentication
• Not really a hybrid feature
• Benefits for hybrid customers with AD FS: true SSO with e.g. Outlook (instead of basic auth)
• Will change how clients authenticate and affect custom claim rules

17 Outlook Authentication Today with Office 365
Flow shown on the slide (Outlook, Exchange Online, Windows Azure Active Directory):
1. Outlook requests mail from Exchange Online, including the username and password.
2. Exchange Online attempts the sign-in against the Windows Azure Active Directory identity provider (OrgID) and its directory.
3. Windows Azure Active Directory returns an auth token.
4. Success: Exchange Online returns mail to Outlook.

18 How does Modern Authentication work?
Flow shown on the slide (Outlook, Exchange Online, Windows Azure Active Directory with its identity provider EvoSTS, and the on-premises directory with its own identity provider):
1. Outlook tries to sync mail with Exchange Online; the answer is "need sign-in first" (passive auth).
2. Outlook attempts sign-in with Windows Azure Active Directory (EvoSTS), which sends the client to the on-premises identity provider.
3. The on-premises identity provider authenticates the user and issues a SAML token, which Outlook presents to Windows Azure Active Directory.
4. Windows Azure Active Directory returns an auth token.
5. Outlook syncs mail with that token (labelled "Sync Mail (SAML token)" on the slide): success, mail is returned.

19 EAS Redirection

20 Back in my day we just shut up and recreated profiles
The Old Way: Ted is happily using his Windows Phone ("This camera is awesome!"). Then one day… 0x86000C16. Sorry… Ted's mailbox was moved to the cloud. The nerdy admin has no option but to recreate the profile. So what do we do now?

21 User connects seamlessly to the cloud
1. The user is connected to the on-premises mailbox.
2. The user's mailbox moves to the cloud.
3. The user tries to sync again.
4. With Exchange 2013 CU8 and Exchange 2010 SP3 RU9, CAS determines the user is remote (based on the TA, the target address), then checks whether the domain name is in an Organization Relationship. If it is and there is a TargetOwaURL, CAS uses it to perform a 451 redirect, and the user connects seamlessly to the cloud.
Unsupported scenarios:
• Mailbox moves from Exchange Server 2007 to Office 365
• Off-boarding is not supported
• EAS devices must support the 451 redirect (Accompli does not)

22 New Tool for Troubleshooting

23 HCW Troubleshooter
• …HCW fails, so a customer attempts to open a case
• The customer is presented with the troubleshooter
• The customer is given a clear solution, ELIMINATING the need for a case
Next Steps:
• More troubleshooters on the way
• Feedback is needed to make them better
• Support also has immediate access to the HCW log if a case is still opened

24 http://aka.ms/hcwcheck Exchange Hybrid Configuration Diagnostic
This was our starting point. Solutions presented when a check fails:
• There are certificates installed in your Exchange Hybrid environment which are missing the subject name.
• You need to fix your obsolete Active Directory Domain Services Federation Objects.
• Your existing Exchange 2007 servers are not part of the Exchange Trusted Subsystem group.
• You need to install Exchange 2010 SP3 RU3 or later.
• In order to upgrade your Hybrid environment from Exchange 2010 to Exchange 2013 you need to rename your existing Organization Relationship.
• Your Exchange Server 2013 needs to be running CU6 or later; we recommend the latest version available.
• Some manual configuration is needed to allow legacy free/busy to work as expected.
• Microsoft Exchange Service Host is not running.
• Please run the Exchange Hybrid Configuration Wizard on a server which has the CAS role installed.
• You need to upgrade your legacy address policy.
• You need to address the issues found with the TLS certificate.
• If running Exchange Server, you'll need to acquire a certificate with a name that has fewer than 256 characters.
• If running Exchange Server 2013, please install the latest cumulative update.
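Several of the checks above are local to the server you launch the HCW from and can be run before opening the wizard. The PowerShell function below is an added example, not the diagnostic itself and not Microsoft code: it mirrors the CAS-role, Exchange 2013 version, Microsoft Exchange Service Host, missing-subject and 256-character certificate checks from the list. It assumes the standard on-premises cmdlets and properties (Get-ExchangeServer with ServerRole and AdminDisplayVersion, Get-Service, Get-ExchangeCertificate with Subject, Services, NotAfter and IsSelfSigned) and the service name MSExchangeServiceHost; the hybrid-certificate heuristic (SMTP and IIS enabled) is my own assumption.

```powershell
# Added example, not from the deck: read-only pre-flight checks to run on the server
# where the HCW will be launched, mirroring the failed-check messages on the slide.

function Test-HcwPrerequisites {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding($name, $ok, $detail) {
        $findings.Add([PSCustomObject]@{ Check = $name; Ok = [bool]$ok; Detail = "$detail" })
    }

    # 1. The HCW must run on a server with the CAS role, on Exchange 2013 (version 15.x).
    $server = Get-ExchangeServer -Identity $env:COMPUTERNAME
    Add-Finding 'CAS role installed' ("$($server.ServerRole)" -match 'ClientAccess') $server.ServerRole
    $ver = $server.AdminDisplayVersion
    Add-Finding 'Exchange 2013 (15.x); apply the latest CU' ($ver.Major -eq 15) $ver

    # 2. Microsoft Exchange Service Host must be running (service name assumed: MSExchangeServiceHost).
    $svc = Get-Service -Name MSExchangeServiceHost -ErrorAction SilentlyContinue
    Add-Finding 'Microsoft Exchange Service Host running' ($svc -and $svc.Status -eq 'Running') $(if ($svc) { $svc.Status } else { 'service not found' })

    # 3. Certificates: every installed certificate needs a subject name and a subject
    #    shorter than 256 characters; the one the HCW will pick for TLS (assumption:
    #    enabled for SMTP and IIS) must also be unexpired and not self-signed.
    foreach ($c in Get-ExchangeCertificate) {
        $label   = "Certificate $($c.Thumbprint)"
        $subject = "$($c.Subject)"
        Add-Finding "$label has a subject name" (-not [string]::IsNullOrWhiteSpace($subject)) $subject
        Add-Finding "$label subject shorter than 256 characters" ($subject.Length -lt 256) "$($subject.Length) characters"
        $services = "$($c.Services)"
        if ($services -match 'SMTP' -and $services -match 'IIS') {
            $usable = ($c.NotAfter -gt (Get-Date)) -and (-not $c.IsSelfSigned)
            Add-Finding "$label usable for hybrid TLS" $usable "Services=$services; NotAfter=$($c.NotAfter); SelfSigned=$($c.IsSelfSigned)"
        }
    }
    return $findings
}

# Usage: Test-HcwPrerequisites | Where-Object { -not $_.Ok } | Format-Table -AutoSize
```

Run it on each server you might pick for the wizard; a certificate that passes on one CAS but is missing on another is a common reason the TLS check fails only intermittently.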

25 Hybrid Migration Troubleshooter

26 Upgrade Hybrid

27 Upgrading hybrid servers?
Short answer: it depends….
Long answer / simple answer: only upgrade to Exchange 2013 if:
• You are already planning to move to Exchange 2013 (on-prem)
• You need 2013-specific features

28 Hybrid Upgrade issues 1
Error: Updating hybrid configuration failed with error 'Subtask Configure execution failed: Upgrading hybrid configuration from Exchange Object reference not set to an instance of an object. at Microsoft.Exchange.Management.Hybrid.UpgradeConfigurationFrom14Task.UpgradeFopeConnectors'
Solution (fixed in CU5):
[PS] C:\> Get-OrganizationConfig | fl Guid
Then rename the organization relationship to "O365 to On-premises - <GUID>".

29 Hybrid Upgrade issues 2
Error: The Wizard did not complete successfully. Please see the list below for error details. Sending Mailbox Server '<ServerName>' isn't running Exchange 2013 or a later version.
Solution (save the current object first):
[PS] C:\> Get-HybridConfiguration | fl > Hybrid.txt
[PS] C:\> Set-HybridConfiguration -ClientAccessServers $null -ReceivingTransportServers $null -SendingTransportServers $null

30 Hybrid Upgrade issues 3
Error (variant 1): Updating hybrid configuration failed with error 'Subtask Configure execution failed: Upgrading hybrid configuration from Exchange Execution of the Set-InboundConnector cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings. Active Directory operation failed on
Error (variant 2): ERROR : Subtask Configure execution failed: Upgrading hybrid configuration from Exchange No Inbound connector found on the Office 365 tenant.
Solution:
1. Remove the hybrid configuration through ADSI Edit: ADSI Edit > Connect to Configuration > CN=Services > CN=Microsoft Exchange > CN=First Organization > CN=Hybrid Configuration
2. Rerun setup /prepareAD from the on-premises Exchange setup directory (Schema Admin rights needed)
3. Rerun the HCW from Exchange 2013

31 Hybrid Validation

32 Hybrid Stability is overall good, but…
• Microsoft made changes in the service that broke customers using the Federation Gateway
• Microsoft introduced a new feature that broke free/busy for hybrid customers
• Microsoft made changes in the service that prevented all 2013 customers from running the HCW
• Microsoft introduced a CU that prevented the ability to create and manage user accounts
Bottom line: we needed to be better at finding issues with CU/service updates.

33 Active Monitoring for HCW
• HCW tested in every forest throughout the day
• Because of this we found the issue before ANY customer reported the problem

34 So does the monitoring work?
Let's review a recent issue… Activating directory sync kicks off an important process for Hybrid:
1. The new routing domain gets created in MSO
2. A new certificate is created that includes the new name
3. The new domain is forward-synced to EXO
4. Then we create the AutoD and MX DNS records
Slide callouts beside these steps: "Because we messed this up" and "This Failed".

35 Migration Message Size

36 Message Size Limits for Migration
Awareness

37 Message Size Limits for Migration: FAQ (Awareness)
• What migration types will be able to take advantage of this new limit (with caveats)?
• Will I be able to forward, resend, or move the item after the migration is complete?
• Will the message size limit be increased so we can start sending larger messages?
• When should I expect to see the message size increase for Hybrid migrations?
• What do I need to do to enable this new limit?
• Does it matter if I am moving the mailboxes from 2007, 2010 or 2013?

38 150 Message Size increase
• We can now increase the message size restrictions for a user after the mailbox plan is associated
• Configurable in the EAC per user, or in the EAC for multiple users
• Shell: Set-Mailbox with the max send/receive settings

39 Migration Throughput?
• Max default concurrent moves: 100 (exceptions can be made)
• Item count is a factor in migration performance
• 0.3–1.0 GB/hour range per mailbox
• Firewall configuration on the on-premises organization
• Multiple concurrent moves allow for optimized migrations
• Source-side performance is a COMMON factor
• Migrations are not considered "user expected" work (WLM)
• Network latency is a factor
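The per-mailbox rate the slide quotes is easy to measure on live moves, which turns "migration is slow" into a number that can be compared against the 0.3 GB/hour floor and tied to a source-side or network cause. The function below is an added example, not from the deck: it computes GB/hour per move request from the standard Get-MoveRequestStatistics properties (BytesTransferred, StartTimestamp, CompletionTimestamp, PercentComplete, StatusDetail, DisplayName). The string-parsing fallback in ConvertTo-Bytes is my own assumption for remote sessions, where size values arrive as text such as "1.5 GB (1,610,612,736 bytes)".

```powershell
# Added example, not from the deck: read-only throughput report over move requests,
# usable in the on-premises Exchange Management Shell or a remote Exchange Online session.

function ConvertTo-Bytes($size) {
    # On-premises EMS returns a ByteQuantifiedSize object; a remote session returns its
    # string form, e.g. "1.5 GB (1,610,612,736 bytes)" (assumption). Handle both.
    if ($null -eq $size) { return 0.0 }
    if ($size.PSObject.Methods['ToBytes']) { return [double]$size.ToBytes() }
    if ("$size" -match '\(([\d,]+) bytes\)') { return [double]($Matches[1] -replace ',', '') }
    return 0.0
}

function Get-MoveThroughput {
    param([double] $SlowThresholdGBPerHour = 0.3)   # lower end of the range on the slide
    foreach ($s in (Get-MoveRequest | Get-MoveRequestStatistics)) {
        if (-not $s.StartTimestamp) { continue }    # still queued, nothing transferred yet
        # Completed moves are measured to their completion time, running ones to now.
        $end   = if ($s.CompletionTimestamp) { [datetime]$s.CompletionTimestamp } else { Get-Date }
        $hours = ($end - [datetime]$s.StartTimestamp).TotalHours
        if ($hours -le 0) { continue }
        $gb   = (ConvertTo-Bytes $s.BytesTransferred) / 1GB
        $rate = [math]::Round($gb / $hours, 2)
        [PSCustomObject]@{
            Mailbox         = $s.DisplayName
            Status          = "$($s.StatusDetail)"
            PercentComplete = $s.PercentComplete
            GBTransferred   = [math]::Round($gb, 2)
            Hours           = [math]::Round($hours, 1)
            GBPerHour       = $rate
            Slow            = $rate -lt $SlowThresholdGBPerHour
        }
    }
}

# Usage: Get-MoveThroughput | Sort-Object GBPerHour | Format-Table -AutoSize
```

Moves that show Slow = True while StatusDetail reports a stall are being throttled on the source side; moves that are slow without a stall are the ones to check against firewall and latency.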

40 Alternate ID and Hybrid

41 What is an Alternate ID?
This is used to allow for a different UPN for AD FS on-premises vs. Office 365. Steps: install updates, adjust the claim rule, update the Management Agent in FIM. Documented on TechNet.
Old claim rule (UPN claim sourced from userPrincipalName):
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};userPrincipalName,objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);
New claim rule (UPN claim sourced from the mail attribute):
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutablelD"), query = "samAccountName={0};mail,objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);
Labels on the slide: On-premises; Office 365.
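Switching the claim rule from userPrincipalName to mail means every federated user now signs in with whatever is in the mail attribute, so an empty, malformed, duplicate or unverified-domain value locks that user out. The function below is an added example, not from the deck and not Microsoft's tooling: it lists the enabled accounts whose mail attribute would not yield a usable sign-in name before the rule is changed. It assumes the ActiveDirectory module (RSAT) and its Get-ADUser cmdlet; the VerifiedDomains parameter (the domains verified in your tenant) and the problem categories are my own.

```powershell
# Added example, not from the deck: read-only readiness check for the Alternate ID
# claim-rule change. Requires the ActiveDirectory module (RSAT).

Import-Module ActiveDirectory

function Get-AlternateIdReadiness {
    param(
        [Parameter(Mandatory)] [string[]] $VerifiedDomains,   # assumption: domains verified in the tenant
        [string] $SearchBase = $null                           # optional OU to limit the scan
    )
    $verified = @($VerifiedDomains | ForEach-Object { $_.ToLower() })
    $params = @{ Filter = 'Enabled -eq $true'; Properties = 'mail', 'userPrincipalName' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    $seen = @{}   # lower-cased mail value -> first SamAccountName that carried it
    foreach ($u in (Get-ADUser @params)) {
        $mail    = $u.mail
        $problem = $null
        if ([string]::IsNullOrWhiteSpace($mail)) {
            $problem = 'mail attribute is empty'
        } elseif ($mail -notmatch '^[^@\s]+@([^@\s]+)$') {
            $problem = 'mail attribute is not a single SMTP address'
        } elseif ($verified -notcontains $Matches[1].ToLower()) {
            $problem = "domain $($Matches[1]) is not verified in the tenant"
        } elseif ($seen.ContainsKey($mail.ToLower())) {
            $problem = "duplicate mail value, also on $($seen[$mail.ToLower()])"
        } else {
            $seen[$mail.ToLower()] = $u.SamAccountName
        }
        if ($problem) {
            [PSCustomObject]@{
                SamAccountName    = $u.SamAccountName
                UserPrincipalName = $u.UserPrincipalName
                Mail              = $mail
                Problem           = $problem
            }
        }
    }
}

# Usage: Get-AlternateIdReadiness -VerifiedDomains 'contoso.com', 'contoso.net' | Format-Table -AutoSize
```

An empty result is the condition to meet before the new rule goes live; a non-empty one is the list of users who would otherwise start failing authentication the moment the rule changes.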

42 Alternate ID with Hybrid?
Outlook connected on the corporate network (on-premises):
1. Autodiscover connects to the SCP and is automatically authenticated.
2. Autodiscover redirects the client to the target address stamped on the user.
3. The user provides the cloud UPN and password (Office 365).
Outlook connected externally:
1. Autodiscover connects from the external machine (the user provides the on-premises UPN).
2. Autodiscover redirects the client to the target address stamped on the user.
3. The user provides the cloud UPN and password (Office 365).

43 So what are we doing about it?
• We added a warning to the content
• We have no timeline to share, but we are working aggressively to make AltID a reality for Hybrid customers; we know it is important

44 OAuth and Federation

45 DAuth vs OAuth
DAuth (Microsoft Federation Gateway, Organization Relationships):
• Uses the Microsoft Federation Gateway for token generation
• Organization Relationships control which companies you share information with
• Allows granular control of which features are available (free/busy, MailTips)
OAuth (AuthServer, Intra-organization connectors):
• Uses the Auth Server in Azure AD (better resiliency and faster in-forest communications)
• IntraOrganizationConnectors / configuration control which companies you can share information with
• No granular control of the feature set (all or nothing)

46 Configure OAuth for Hybrid
• HCW now includes automated configuration for OAuth
• Enables cross-premises discovery searches and cross-premises archive moves
• Can be used for much more, like free/busy, and is used by 21Vianet customers (Greater China region)
• Long-term authentication approach for future capabilities

47 Configure OAuth for Hybrid
If you click this… we will launch this (screenshots of the HCW OAuth option and the configuration it launches).

48 eDiscovery Scenarios and OAuth
eDiscovery scenario and whether it requires OAuth:
• Search on-premises and Exchange Online mailboxes in the same eDiscovery search initiated from the Exchange on-premises organization: Yes
• Search Exchange on-premises mailboxes that use Exchange Online Archiving for cloud-based archive mailboxes: Yes
• Search Exchange Online mailboxes from an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer: Yes
• Search on-premises mailboxes using an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer: No
• Search Exchange Online mailboxes from an eDiscovery search initiated from Exchange Online or the eDiscovery Center in SharePoint Online by an Office 365 tenant administrator or a compliance officer signed in to an Office 365 user account: No

49 Free/Busy using OAuth
Free/busy works through a series of checks:
1. First we check whether we can find free/busy locally.
2. Second (if the mailbox is not local) we check for an IOC (IntraOrganizationConnector).
3. Third (if there is no IOC) we check for an Organization Relationship.
4. Fourth we check for an Availability Address Space.
Flow on the slide (Ben requests free/busy for Joe):
1. Ben requests free/busy info for Joe (free/busy request from Ben to Joe).
2. CAS finds that Joe's mailbox is external and there is an IOC.
3. Exchange connects to the Azure OAuth endpoint, and WAAD returns a delegation token.
4. Exchange Server passes the token and requests Joe's free/busy on behalf of Ben.
5. Free/busy info is returned, and Joe's free/busy is returned to the Outlook client.
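The four checks form a strict order, so when free/busy for a domain fails the first question is which of the four objects Exchange would have picked. The function below is an added example, not from the deck and not part of Exchange: it walks the same order for one target domain in the on-premises Exchange Management Shell and reports the object and authentication mechanism that would serve the request. It assumes the standard cmdlets and properties (Get-AcceptedDomain; Get-IntraOrganizationConnector with Enabled and TargetAddressDomains; Get-OrganizationRelationship with Enabled, FreeBusyAccessEnabled, FreeBusyAccessLevel and DomainNames; Get-AvailabilityAddressSpace with ForestName and AccessMethod); the output shape is my own.

```powershell
# Added example, not from the deck: read-only resolver that follows the four free/busy
# checks on the slide for a single target domain.

function Resolve-FreeBusyPath {
    param([Parameter(Mandatory)] [string] $TargetDomain)
    $domain = $TargetDomain.ToLower()
    function Result($path, $object, $auth) {
        [PSCustomObject]@{ Domain = $domain; Path = $path; Object = $object; Auth = $auth }
    }

    # 1st: local. An accepted domain means the mailbox is looked up in this organization.
    $local = Get-AcceptedDomain | Where-Object { $_.DomainName.ToString().ToLower() -eq $domain } | Select-Object -First 1
    if ($local) { return Result 'Local' $local.Name 'n/a' }

    # 2nd: IntraOrganizationConnector (OAuth). TargetAddressDomains lists the domains it covers;
    # there is no per-feature switch, so an enabled IOC is all or nothing.
    $ioc = Get-IntraOrganizationConnector | Where-Object {
        $_.Enabled -and (@($_.TargetAddressDomains | ForEach-Object { "$_".ToLower() }) -contains $domain)
    } | Select-Object -First 1
    if ($ioc) { return Result 'IntraOrganizationConnector' $ioc.Name 'OAuth' }

    # 3rd: Organization Relationship (DAuth). FreeBusyAccessEnabled is the per-feature switch
    # and FreeBusyAccessLevel says how much detail the other side may see.
    $rel = Get-OrganizationRelationship | Where-Object {
        $_.Enabled -and $_.FreeBusyAccessEnabled -and
        (@($_.DomainNames | ForEach-Object { "$_".ToLower() }) -contains $domain)
    } | Select-Object -First 1
    if ($rel) { return Result 'OrganizationRelationship' $rel.Name "DAuth ($($rel.FreeBusyAccessLevel))" }

    # 4th: Availability Address Space (cross-forest). ForestName is the SMTP domain it serves.
    $aas = Get-AvailabilityAddressSpace | Where-Object { "$($_.ForestName)".ToLower() -eq $domain } | Select-Object -First 1
    if ($aas) { return Result 'AvailabilityAddressSpace' $aas.Name "$($aas.AccessMethod)" }

    return Result 'None' $null 'no object covers this domain; free/busy will fail'
}

# Usage: Resolve-FreeBusyPath -TargetDomain 'contoso.mail.onmicrosoft.com'
```

A domain that resolves to OrganizationRelationship when you expected OAuth usually means the IOC exists but is disabled or lists a different domain; a result of None with a working mail flow is the classic symptom of an organization relationship that was renamed or disabled during an upgrade.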

50 Public Folders

51 Hybrid Public Folder Options
- Option 1: Office 365 mailboxes accessing legacy PFs on-premises
- Option 2: Office 365 mailboxes accessing modern PFs on-premises
- Option 3: Exchange 2013 on-premises mailboxes accessing modern PFs in Office 365
Compatibility matrix, mailbox version by PF location (2007 On-Premises, 2010 On-Premises, 2013 On-Premises, Exchange Online); cells were merged on the slide:
- Exchange 2007: Yes / No
- Exchange 2010
- Exchange 2013: Yes*
*Requires use of Outlook for Windows

52 Hybrid PF access
1. Outlook connects to the cloud mailbox, starting by querying autod.contoso.com
2. Exchange Online Autodiscover responds with the Target Address for the cloud mailbox
3. Outlook does AutoD for the TA contoso.mail.onmicrosoft.com
4. EXO responds with PFMailbox information obtained by org config or set explicitly on the mailbox: <PublicFolderInformation> </SmtpAddress>
5. Outlook performs an AutoD against on-premises
6. Outlook Anywhere settings are returned including the server name of the PF/CAS instead of the CASArray
7. When PF access is initiated you then make a connection: proxy to the PF server (running the CAS role), auth as the user over Public MBX auth

53 Questions or Common Issues

54 Where is the Activate button for sync?
Why the change?
- UPN mismatches and changes are costly for support
- UPN mismatches cause a poor user experience
- If you perform dirsync before adding the domain you see issues
- We have now prevented this in the portal
Diagram: if the Accepted Domain was not added, On-Premises > DirSync > Office 365 ends up on onmicrosoft.com

55 Mailbox Recovery changes
In the past the behavior was…
- Cloud user with mailbox
- User deleted and removed from Recycle Bin
- Mailbox would become Hard Deleted
- Restore needed? Run Get-RemovedMailbox to find the deleted mailbox GUID
- Create a new mailbox using the proper switches and GUID
Today
- To recover use New-MailboxRestoreRequest
- Do not Hard Delete a user: that mailbox will not be recoverable
- In the future we may add a soft delete buffer, but today….

56 HCW Domain limit 250
Error when running HCW:
  Updating hybrid configuration failed with error 'Subtask Configure execution failed: Configure Organization Relationship Execution of the New-OrganizationRelationship cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings. The total number of explicit and implicit subfilters exceeds maximum allowed number of 250. Processing stopped. at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, SessionParameters parameters, Boolean ignoreNotFoundErrors)'.
Cause: Org Relationships allow up to 250 domains
Resolution: Manually create an additional Org Relationship and add the domains over 250 to it
This is being added to the HCW troubleshooter along with a ton more!

57 HCW Domain limit 64
Issue: HCW fails with the following error: "The length of the property is too long. The maximum length is 64 and the length of the value provided is 68."
Cause:
- We allow up to a 32 character length domain name to be added to the service
- When the routing domain is created for that domain it makes the length longer, but still shorter than the 64 overall hard limit
- When HCW creates the remote domain we prepend "Hybrid Domain-" to the identity for the remote domain
- This can put us over the limit
Resolution: Still investigating, but if we simply change the remote domain to only prepend "Hybrid-" we will allow for all 32 character domain names… currently still being investigated
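A pre-flight check for both limits from the two slides above (250 domains per Organization Relationship, and the 64-character identity limit hit when "Hybrid Domain-" is prepended to a domain name), as an added PowerShell example rather than the HCW's own logic; the prefix is the one the slide states, the domain list is constructed, and a real run would feed (Get-AcceptedDomain).DomainName instead.

```powershell
# Added example: check a list of accepted domains against the two HCW limits
# described on the slides before running the wizard.
$OrgRelationshipMaxDomains = 250             # slide 56: Org Relationships allow up to 250 domains
$IdentityMaxLength         = 64              # slide 57: the 64 overall hard limit
$HybridRemoteDomainPrefix  = 'Hybrid Domain-' # prefix the slide says HCW prepends (assumption: used verbatim)

function Test-HybridDomainLimits {
    param([Parameter(Mandatory)][string[]]$DomainNames)
    $result = [ordered]@{
        DomainCount            = $DomainNames.Count
        # how many Org Relationships the domains need, at minimum (implicit subfilters may add more)
        OrgRelationshipsNeeded = [math]::Ceiling($DomainNames.Count / $OrgRelationshipMaxDomains)
        TooLongForRemoteDomain = @()
    }
    foreach ($name in $DomainNames) {
        $identity = "$HybridRemoteDomainPrefix$name"
        if ($identity.Length -gt $IdentityMaxLength) {
            $result['TooLongForRemoteDomain'] += [pscustomobject]@{
                Domain         = $name
                IdentityLength = $identity.Length
                OverBy         = $identity.Length - $IdentityMaxLength
            }
        }
    }
    [pscustomobject]$result
}

# Constructed sample: 251 short domains plus one name that uses the full 32-character label
$sample = 1..251 | ForEach-Object { "dom$_.example.com" }
$sample += ('a' * 32) + '.mail.onmicrosoft.com'
$r = Test-HybridDomainLimits -DomainNames $sample
"$($r.DomainCount) domains need at least $($r.OrgRelationshipsNeeded) Org Relationship(s) (max $OrgRelationshipMaxDomains domains each)"
$r.TooLongForRemoteDomain | Format-Table -AutoSize
```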

58 Certificate field is empty
Certificate field is empty when running the HCW
- Certificate not correctly installed
  - Required on selected CAS & MBX
  - CAS are used for Receive Connectors
  - MBX are used for Send Connectors
  - Both need the same cert installed, else HCW won't show it
- Certificate requirements not met
  - Third party
  - Proper SAN
  - Assigned to SMTP service
  - Private key
- CRL blocked
  - Need access to the CRL URL over 80 from all servers
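The certificate rules on this slide applied to the certificates on each selected server, as an added PowerShell example (not the HCW's own selection code): the certificate objects are constructed samples shaped like Get-ExchangeCertificate output with a Server field added, the thumbprints are placeholders, and on real servers you would collect Get-ExchangeCertificate -Server <name> for every server in the HCW selection.

```powershell
# Added example: keep only certificates that meet every rule from the slide on a
# given server, then intersect across servers, since HCW only offers a certificate
# that is present (same thumbprint) on all selected CAS and MBX servers.
function Find-HybridCertificateCandidates {
    param(
        [Parameter(Mandatory)][string]$HybridDomain,   # SMTP domain HCW will bind
        [Parameter(Mandatory)][string[]]$Servers,      # selected CAS + MBX servers
        [Parameter(Mandatory)][object[]]$Certs         # Get-ExchangeCertificate output plus a Server field
    )
    $wildcard = '*.' + ($HybridDomain -replace '^[^.]+\.', '')   # mail.contoso.com -> *.contoso.com
    $perServer = @{}
    foreach ($s in $Servers) {
        $perServer[$s] = @($Certs | Where-Object {
            $_.Server -eq $s -and
            -not $_.IsSelfSigned -and                       # third party CA, not self-signed
            $_.HasPrivateKey -and                           # private key present
            ("$($_.Services)" -match 'SMTP') -and           # assigned to the SMTP service
            $_.NotAfter -gt (Get-Date) -and
            ($_.CertificateDomains -contains $HybridDomain -or
             $_.CertificateDomains -contains $wildcard)     # proper SAN
        } | ForEach-Object { $_.Thumbprint })
    }
    $common = $null
    foreach ($s in $Servers) {
        $common = if ($null -eq $common) { $perServer[$s] } else { @($common | Where-Object { $perServer[$s] -contains $_ }) }
    }
    [pscustomobject]@{ PerServer = $perServer; UsableOnAllServers = @($common) }
}

# Constructed sample: CAS01 and MBX01 each report two certificates (placeholder thumbprints)
$certs = @(
    [pscustomobject]@{ Server='CAS01'; Thumbprint='AAAA1111'; IsSelfSigned=$false; HasPrivateKey=$true
        Services='IIS, SMTP'; NotAfter=(Get-Date).AddYears(1); CertificateDomains=@('mail.contoso.com','autodiscover.contoso.com') }
    [pscustomobject]@{ Server='CAS01'; Thumbprint='BBBB2222'; IsSelfSigned=$true; HasPrivateKey=$true
        Services='SMTP'; NotAfter=(Get-Date).AddYears(1); CertificateDomains=@('CAS01') }              # self-signed
    [pscustomobject]@{ Server='MBX01'; Thumbprint='AAAA1111'; IsSelfSigned=$false; HasPrivateKey=$true
        Services='SMTP'; NotAfter=(Get-Date).AddYears(1); CertificateDomains=@('mail.contoso.com') }
    [pscustomobject]@{ Server='MBX01'; Thumbprint='CCCC3333'; IsSelfSigned=$false; HasPrivateKey=$true
        Services='IIS'; NotAfter=(Get-Date).AddYears(1); CertificateDomains=@('mail.contoso.com') }   # not bound to SMTP
)
$r = Find-HybridCertificateCandidates -HybridDomain 'mail.contoso.com' -Servers 'CAS01','MBX01' -Certs $certs
$r.PerServer | Format-Table -AutoSize
"Usable on all servers: $($r.UsableOnAllServers -join ', ')"
# CRL reachability (slide: the CRL URL must be reachable over port 80 from all servers), run per server:
# Test-NetConnection -ComputerName <crl host from the certificate's CRL Distribution Point> -Port 80
```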

59 Challenges managing hybrid recipients
Dirsync adds complexity for managing objects:
- Cross-premises permissions are not supported
- User/Mailbox management
  - Converting mailboxes
  - Group self-service management
  - Inactive mailboxes (procedures?)
- DirSync delay (e.g. archive creation)
- Inconsistent experience
  - Migrated permissions vs new permissions
  - Full Access, Send-As, Receive-As….

60 Hybrid Upgrade issues 1
Error:
  Updating hybrid configuration failed with error 'Subtask Configure execution failed: Upgrading hybrid configuration from Exchange Object reference not set to an instance of an object. at Microsoft.Exchange.Management.Hybrid.UpgradeConfigurationFrom14Task.UpgradeFopeConnectors
Solution:
  [PS] C:\> Get-OrganizationConfig | fl Guid
  Then rename the organization relationship to "O365 to On-premises - <GUID>".
(Fixed in CU5)

61 Hybrid Upgrade issues 2
Error:
  The Wizard did not complete successfully. Please see the list below for error details. Sending Mailbox Server '<ServerName>' isn't running Exchange 2013 or a later version.
Solution:
  [PS] C:\> Get-HybridConfiguration | fl > Hybrid.txt
  [PS] C:\> Set-HybridConfiguration -ClientAccessServers $null `
              -ReceivingTransportServers $null -SendingTransportServers $null

62 Hybrid Upgrade issues 3
Error:
  Updating hybrid configuration failed with error 'Subtask Configure execution failed: Upgrading hybrid configuration from Exchange Execution of the Set-InboundConnector cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings. Active Directory operation failed on
  or
  ERROR : Subtask Configure execution failed: Upgrading hybrid configuration from Exchange No Inbound connector found on the Office 365 tenant.
Solution:
1. Remove the hybrid configuration through ADSI Edit: ADSI Edit > Connect to Configuration > CN=Services > CN=Microsoft Exchange > CN=First Organization > CN=Hybrid Configuration
2. Rerun setup /prepareAD from the on-premises Exchange Setup directory (Schema Admin rights needed)
3. Rerun HCW from Exchange 2013

63 Common Issues – HCW
"The HCW failed to complete"
- Cause: Timeout issues are not handled well by the HCW (we are getting better)
- Running the HCW a second time is often all that is needed…
HCW fails with "InvalidUri: Passed URI is not valid"
- Cause: There are certain words such as "bank", profanity, and large org names that are blocked from federating
- Calling Support is the only option to resolve the issue
- Documented:

64 CU6 issues
Recipient Management
- Cannot create user mailboxes
- Cannot move mailboxes
- Cannot change user attributes
- Cause: there is an issue with the backlink from EAC to EXO that prevents the proper connection
- Resolution: download a script that will fix the file, or install CU7 when available
Centralized Mail Flow (CMC) broken
- Cannot send mail from a cloud user to the internet when CMC is enabled
- Resolution: call support for an IU or wait for CU7

65 Session Objectives And Takeaways
Session objective(s):
- Understand how Exchange Hybrid is different from other migration methods
- Understand latest issues around Hybrid scenarios
Takeaways:
- Hybrid is not for everyone
- We are investing in diagnostic tools and wizard enhancements to remove friction from hybrid configuration and migrations

66 Pre-Release Programs: Be first in line!
Exchange & SharePoint On-Premises Programs
Customers get:
- Early access to new features
- Opportunity to shape features
- Close relationship with the product teams
- Opportunity to provide feedback
- Technical conference calls with members of the product teams
- Opportunity to review and comment on documentation
Get selected to be in a program:
- Sign up at Ignite at the Preview Program desk, or
- Fill out a nomination:
Questions:
- Visit the Preview Program desk in the Expo Hall
- Contact us at:

67 Please evaluate this session
Your feedback is important to us! Visit MyIgnite at or download and use the Ignite Mobile App with the QR code above.
