Published by Philippa Daniel. Modified over 9 years ago.
1
Version 2.0 for Office 365
2
Day 1 Administering Office 365 Day 2 Administering Office 365 Office 365 Overview & InfrastructureAdministering Lync Online Office 365 User ManagementAdministering SharePoint Online Office 365 DirSync, Single Sign-On & ADFSExchange Online Basic Management MEAL BREAK Exchange Online Deployment & Migration Exchange Security & Protection Exchange Online Archiving & Compliance
3
Reviewing Identities Understanding DirSync DirSync Requirements Understanding Single Sign-On & ADFS Windows Azure & ADFS
4
Verifying that a user, device, or service such as an application provided on a network server is the entity that it claims to be. Determining which actions an authenticated entity is authorized to perform on the network
5
Cloud Identity Single identity in the cloud Suitable for small organizations with no integration to on- premises directories Directory & Password Synchronization* Single identity suitable for medium and large organizations without federation* Federated Identity Single federated identity and credentials suitable for medium and large organizations
6
Rich experience with Office Apps Ease of deployment, management and support Lower cost as no additional servers are required On-Premises High availability and reliability as all Identities and Services are managed in the cloud Windows Azure Active Directory User Cloud Identity Ex: alice@contoso.com
7
Rich experience with Office Apps Directory synchronization between on-premises and online Identities are created and managed on-premises and synchronized to the cloud Single identity and credentials but no single Sign-On for on-premises and office 365 services Password synchronization enables single sign-on at lower cost than federation Reuse existing directory implementation on- premises Windows Azure Active Directory User On-Premises Identity Ex: Domain\Alice Directory Synchronization Password Synchronization Cloud Identity Ex: alice@contoso.com AD Non-AD (LDAP) Non-AD (LDAP) * Password Synchronization may not be available at GA, the target is to update the service in 1H CY2013
8
Single identity and sign-on for on-premises and office 365 services Identities mastered on-premises with single point of management Directory synchronization to synchronize directory objects into Office 365 Secure Token based authentication Client access control based on IP address with ADFS Strong fa ctor authentication options for additional security with ADFS Windows Azure Active Directory User On-Premises Identity Ex: Domain\Alice Federation AD Non-AD (LDAP) Non-AD (LDAP) Directory Synchronization
9
Reviewing Identities Understanding DirSync DirSync Requirements Understanding Single Sign-On & ADFS Windows Azure & ADFS
10
An application that synchronizes on-premises Active Directory Objects with Office365 Users, Contacts and Groups Initially designed as a software based “appliance” “Set it and forget it” Multi Forest Support now available Now called the Windows Azure Active Directory Sync Tool
11
Provisions objects in Office 365 with same email addresses as the objects in the on-premises environment Provides a unified Global Address List experience between on- premises and Office 365 Objects hidden from the GAL on-premises are also hidden from the GAL in Office 365 Enables coexistence for Exchange Works in both simple and hybrid deployment scenarios Enabler for mail routing between on-premises and Office 365 with a shared domain namespace Enables coexistence for Microsoft Lync
12
Enables “run-State” administration and management of users, groups and contacts Synchronizes adds/deletes/modifications of users, groups and contacts from on-premise to Office 365 Enabler for Single Sign-On Not intended as a single use bulk upload tool
13
Directory Synchronization Options Suitable for small/medium size organizations with AD or Non-AD Performance limitations apply with PowerShell and Graph API provisioning PowerShell requires scripting experience PowerShell option can be used where the customer/partner may have wrappers around PowerShell scripts (eg: Self Service Provisioning) PowerShell & Graph API Suitable for Organizations using Active Directory (AD) Provides best experience to most customers using AD Supports Exchange Co-existence scenarios Coupled with ADFS, provides best option for federation and synchronization Supports Password Synchronization with no additional cost Does not require any additional software licenses Suitable for large organizations with certain AD and Non-AD scenarios Complex multi-forest AD scenarios Non-AD synchronization through Microsoft premier deployment support Requires Forefront Identity Manager and additional software licenses
14
X64 FIM Appliance (set and forget) X86 MIIS Appliance now unsupported If you call into support with they will make you upgrade first before helping Scoping of object sync within Forest now supported AD GUID used as SourceAnchor (Link between AD and Office 365 Object) Password Synchronization for DirSync coming 1H CY2013 Password Sync Early On-Boarding program underway
15
Entire Active Directory Forest is scoped for synchronization by default Ability to modify what gets synced has been added What is synchronized? All user objects All group objects Mail-enabled contact objects Synchronization is from on-premises to Office 365 only (unless “write-back” is enabled Synchronization occurs every 3 hours Use “Start-OnlineCoexistenceSync” cmdlet to force a sync
16
Mail-enabled/mailbox-enabled users are synchronized as mail- enabled users (not mailbox-enabled users) Visible in the Office 365 GAL (unless explicitly hidden from GAL) Logon enabled, but not automatically licensed to use services Target address is synchronized for mail-enabled users Regular NT users are synchronized as regular NT users Not automatically provisioned as mail-enabled in Office 365 Resource mailboxes are synchronized as resource mailboxes Synchronized users are not automatically assigned a license
17
Group Objects Mail-enabled groups are synchronized as mail-enabled Group memberships are synchronized Security groups are synchronized as security groups Contacts Objects Only mail-enabled contacts are synchronized Target address is synchronized to Office 365
18
New user, group, and contact objects that are added to on- premises are added to Office 365 Existing user, group, and contact objects that are deleted from on-premises are deleted from Office 365 Existing user objects that are disabled on-premises are disabled in Office 365 Existing user, group, or contact objects attributes (those that are synchronized) that are modified on-premises are modified in Office 365 Objects are recoverable within 30 days of deletion
19
First synchronization cycle after installation is a full synchronization Time-consuming process relative to number of objects synchronized ~5000 objects per hour Subsequent synchronization cycles are deltas only Much faster Not all on-premises attributes synchronized for each object type, but 100+ attributes are synchronized
20
Once implemented, on-premises AD becomes the “source of authority” for synchronized objects Modifications to synchronized objects must occur in the on-premises AD Synchronized objects cannot be modified or deleted via the portal unless DirSync is disabled for the tenant Scoping/Filtering Customers can exclude objects from synchronizing to Office 365 Scoping can be done at the following levels: AD Domain-based Organizational Unit-based User Attribute based
21
On-premises objectGuid AD attribute assigned value for sourceAnchor attribute during initial object synchronization Referred to as a “hard match” DirSync knows which Office 365 objects it is the “source of authority” for by examining sourceAnchor attribute DirSync can also match user objects created via the portal with on-premises objects if there is a match using the primary SMTP address Referred to as a “soft match”
22
Synchronization errors are emailed to the Technical Contact for the subscription Recommend using distribution group as Technical Contact email address Example errors include: Synchronization health status Sent once a day if a synchronization cycle has not registered 24 hours after last successful synchronization Objects whose attributes contain invalid characters Objects with duplicate/conflicting email addresses Sync quota limit exceeded List of attributes that are synchronized http://support.microsoft.com/default.aspx?scid=kb;en-US;2256198&wa=wsignin1.0 http://support.microsoft.com/default.aspx?scid=kb;en-US;2256198&wa=wsignin1.0
24
Run the Microsoft Office 365 Deployment Rediness Tool – http://community.office365.com/en-us/forums/183/p/2285/8155.aspx http://community.office365.com/en-us/forums/183/p/2285/8155.aspx Analyze on-premise environment Domains User Identity and Account Provisioning Exchange Online Lync Online SharePoint Online Client Network
25
DirSync (Single Forest) must be joined to a domain with the same forest that will be synchronized DirSync Server should never be installed on a domain controller DirSync Server should be Windows Server 2008 (x64) or better By default SQL Server 2008 R2 Express is installed 10GB Database limit (approx. 50,000 objects) Full SQL Option available X64 Single\Multi Forest Appliance available (O365 connector also available for complex scenarios
26
Only routable domains can be used with DirSync deployment Non-routable domains include.local OR.loc OR.internal. If organization has AD w/ only internal namespace, must: Add a routable UPN suffix in Active Directory Forests and Trusts. Configure each user with that routable UserPrincipalName suffix user@domain.local must be changed do user@domain.com user@domain.localuser@domain.com If this is not done, once DirSync runs, users will appear in Office365 as user@domain.onmicrosoft.com instead of user@domain.com user@domain.onmicrosoft.comuser@domain.com
27
Recommend a system that exceeds the minimum OS requirements Number of objects in AD CPUMemoryHard disk size Fewer than 10,0001.6GHz4GB70GB 10,000-50,0001.6GHz4GB70GB 50,000-100,0001.6GHz16GB100GB 100,000-300,0001.6GHz32GB300GB 300,000-600,0001.6GHz32GB450GB More than 600,0001.6GHz32GB500GB
28
Synchronization with Office 365 occurs over SSL Internal network communication will use typical Active Directory related ports DirSync server must be able to contact all DC’s in the Forest ServiceProtocolPort LDAPTCP/UDP389 KerberosTCP/UDP88 DNSTCP/UDP53 Kerberos Change Passowrd TCP/UDP464 RPCTCP135 RPC randomly allocated high TCP Ports TCP1024-64435 49152-65535* SMBTCP445 SSLTCP443 SQLTCP1433 * This is the range in Windows Server 2008
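A pre-flight check for the port list above, added here as an example and not part of the deck: it enumerates every domain controller in the forest and tries a TCP connect to each fixed port from the intended DirSync server. It assumes the ActiveDirectory RSAT module is installed; UDP and the dynamic RPC range cannot be verified this way and must be checked against the firewall rules.

```powershell
# Added example (not from the deck): confirm the DirSync server can reach every DC
# on the fixed TCP ports from the slide. Uses TcpClient directly so it also runs on
# Windows Server 2008 R2, which has no Test-NetConnection cmdlet.
Import-Module ActiveDirectory

# TCP-testable ports from the slide (the UDP side of LDAP/Kerberos/DNS is not covered here,
# nor is the dynamic RPC range, which depends on the DC's Windows version).
$Ports = [ordered]@{ LDAP = 389; Kerberos = 88; DNS = 53; KerberosChangePwd = 464; RPC = 135; SMB = 445 }

function Test-TcpPort([string]$Server, [int]$Port, [int]$TimeoutMs = 2000) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }   # no answer in time
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false                                                          # refused / unreachable
    } finally {
        $client.Close()
    }
}

# All DCs in every domain of the forest (the slide requires reachability to all of them)
$dcs = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

$results = foreach ($dc in $dcs) {
    foreach ($p in $Ports.GetEnumerator()) {
        New-Object PSObject -Property @{
            DC      = $dc.HostName
            Service = $p.Key
            Port    = $p.Value
            Open    = Test-TcpPort -Server $dc.HostName -Port $p.Value
        }
    }
}

# Report blocked ports first; an empty list means the internal port requirements are met
$results | Where-Object { -not $_.Open } | Format-Table DC, Service, Port -AutoSize
$results | Where-Object { $_.Open } | Format-Table DC, Service, Port -AutoSize

# Outbound sync traffic is HTTPS (port 443); the hostname below is a placeholder for
# whichever Office 365 endpoint your proxy/firewall policy must allow.
Test-TcpPort -Server 'login.microsoftonline.com' -Port 443
```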
29
Account used to install DirSync must have local machine administrator permissions If using full SQL, rights within SQL to create the DirSync database, and to setup the SQL service account with the role of db_owner Account used to configure DirSync must reside in the local machine MIISAdmins group Account used to install DirSync is automatically added Administrator permission in the Office 365 tenant DirSync uses an administrator account in the tenant to provision and update/modify objects
30
Enterprise Administrator permission in the on-premise Active Directory Credential is not stored/saved by the configuration wizard Used to create the “MSOL_AD_Sync” domain account in the “CN=Users” container of the root domain of the forest Used to delegate the following permissions on each domain partition in the forest Replicating Directory Changes Replicating Directory Changes all Replication Synchronization
32
Enables users to access both the on-premises and cloud-based organizations with a single user name and password Provides users with a familiar sign-on experience Allows administrators to easily control account policies for cloud-based organization mailboxes by using on-premises Active Directory management tools.
33
Policy Control Access Control Reduced Support Calls Security
34
Windows Server 2008 or Windows Server 2008 R2 (2012 not currently supported) ADFS 2.0 Setup installs: Web Server (IIS),.Net 3.5 SP1, Windows Identity Foundation Publicly registered, routable domain name SSL Certificate(s), *Wild Card Supported Microsoft Online Services Module for Windows PowerShell Microsoft Online Sign In Assistant High Availability Design, Dual-Site, Load Balanced Choice between Windows Internal Database(WID) and SQL WID supports a maximum of 5 Federation Servers SQL supports SAML Replay Detection, Artifact Store Wildcard SSL Certificates are supported with ADFS, However the ADFS GUI fails to add additional ADFS Servers to a Farm when the ADFS Farm name does not match the *domain.com in the wildcard cert. When adding further ADFS Servers to a Farm use FSConfig.exe from the command line to add additional servers.
35
Browser Internet Explorer 8.0 or later, Firefox 10.0, Chrome 17.0 or later, Safari 5.0 or later Office Client Microsoft Office 2010/2007 (Latest Service Pack) Microsoft Office for Mac 2011 (Latest Service Pack) Note: Support for Microsoft Office 2008 for Mac version 12.2.9 ended 4/9/2013 Office 365 Desktop Setup (Suggested) Microsoft Online Sign In Assistant
36
Active Federation (MEX) Applies to rich clients supporting ADFS Used by Lync and Office Subscription client Clients will negotiate authentication directly with on-premises ADFS server Basic Authentication (Active Profile) Applies to clients authenticating with basic authentication Used by ActiveSync, Outlook 2007/2010, IMAP, POP, SMTP, and Exchange Web Services Clients send “basic authentication” credentials to Exchange Online via SSL. Exchange Online proxies the request to the on-premises ADFS server on behalf of the client Passive Federation (Passive Profile) Applies to web browsers and documents opened via SharePoint Online Used by the Microsoft Online Portal, OWA, and SharePoint Portal Web clients (browsers) will authenticate directly with on-premises ADFS server When working through the firewall considerations ensure that MSO Datacenter IP ranges have been granted access to port 443 to the ADFS Proxy Server located in the DMZ.
37
Block all external access to Office 365 based on the IP address of the external client Block all external access to Office 365 except Exchange Active Sync; all other clients such as Outlook are blocked. Block all external access to Office 365 except for passive browser based applications such as Outlook Web Access or SharePoint Online Use the Client Access Policy Builder! Test ADFS Client Access Rules extensively, ADFS will by default log all denied authorizations and the values it based the denial upon.
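The second scenario above (external access only for Exchange ActiveSync), written out as an ADFS 2.0 issuance authorization rule set and applied with the ADFS PowerShell snap-in. This is an added example, not the deck's or the Client Access Policy Builder's output; it assumes Update Rollup 2 for ADFS 2.0 (which adds the x-ms-proxy, x-ms-forwarded-client-ip and x-ms-client-application request-context claims) and uses a placeholder IP range that must be replaced with the organisation's public egress addresses.

```powershell
# Added example (not from the deck): "block all external access except ActiveSync" as
# ADFS 2.0 authorization rules on the Office 365 relying party trust.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$rpName = 'Microsoft Office 365 Identity Platform'

# Placeholder: regex matching the corporate public IP addresses (TEST-NET-3 here).
# Written without backslashes so no claim-language escaping is needed.
$corpIpRegex = '^203[.]0[.]113[.][0-9]{1,3}$'

# Rule 1 permits everyone; rule 2 then denies a request that
#   - arrived through a federation server proxy (x-ms-proxy present, i.e. external), AND
#   - did not originate from a corporate public IP, AND
#   - was not sent by the Exchange ActiveSync client application.
# Requests that hit the internal federation servers directly carry no x-ms-proxy claim
# and are therefore unaffected.
$rules = @"
@RuleName = "Permit all users by default"
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");

@RuleName = "Deny external clients other than Exchange ActiveSync"
exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip", Value =~ "$corpIpRegex"])
 && NOT exists([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application", Value == "Microsoft.Exchange.ActiveSync"])
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
"@

# Keep a copy of the current rules so the change can be rolled back if it locks users out
$rp = Get-ADFSRelyingPartyTrust -Name $rpName
$backup = Join-Path $env:TEMP 'o365-authz-rules.bak'
$rp.IssuanceAuthorizationRules | Out-File $backup
"Previous rules saved to $backup"

Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rules

# Show the rules now in force; test from outside with OWA, Outlook and an EAS device
# and review the denied authorizations ADFS logs before relying on the policy.
(Get-ADFSRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
```

To roll back, feed the saved file to the same cmdlet: Set-ADFSRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules (Get-Content $backup -Raw).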
38
User objects must have a value for UPN in on-premises Active Directory UPN domain suffix must match a verified domain in Office 365 Default domain (e.g. contoso.onmicrosoft.com) is automatically added as a verified domain and is used if UPN does not match a verified domain Users must switch to using UPN to logon to Office 365 Not domain\username UPN must have valid characters Office 365 Deployment Readiness Tool will verify that on-premises objects have valid characters If the customer does not have a valid and routable UPN suffix then one can be added via Active Directory Domains and Trusts. Right click the top of the tree, click properties and add the UPN Suffix.
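A script covering the UPN preparation described on slides 26 and 38, added here as an example and not part of the deck: it adds the routable suffix to the forest (the PowerShell equivalent of the Domains and Trusts step), reports every enabled user whose UPN is missing or ends in a non-routable suffix, and optionally rewrites those UPNs before the first DirSync cycle. It assumes the ActiveDirectory RSAT module, that contoso.com is a placeholder for a domain already verified in the tenant, and that the search base OU is a placeholder.

```powershell
# Added example (not from the deck): audit and fix non-routable UPN suffixes ahead of DirSync.
Import-Module ActiveDirectory

$RoutableSuffix = 'contoso.com'                      # placeholder: must be verified in Office 365
$NonRoutable    = @('.local', '.loc', '.internal')   # suffixes the deck calls non-routable
$SearchBase     = 'OU=Staff,DC=contoso,DC=local'     # placeholder: scope to the synced OU
$ReportOnly     = $true                              # set to $false to actually change UPNs

# 1. Ensure the routable suffix exists in the forest (what Domains and Trusts does in the GUI)
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $RoutableSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $RoutableSuffix }
}

# 2. Find enabled users whose UPN is empty or whose suffix is non-routable
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties UserPrincipalName, mail
$toFix = foreach ($u in $users) {
    $upn = $u.UserPrincipalName
    if (-not $upn -or $upn -notmatch '@') { $u; continue }          # no UPN at all
    $suffix = $upn.Substring($upn.IndexOf('@'))                      # e.g. "@contoso.local"
    if ($NonRoutable | Where-Object { $suffix.EndsWith($_) }) { $u } # e.g. ".local"
}

# 3. Build the new UPN. Prefer the local part of the primary SMTP address so the UPN and
#    e-mail address agree (this also helps the "soft match" on slide 21); fall back to
#    sAMAccountName when the user has no mail attribute.
foreach ($u in $toFix) {
    $localPart = if ($u.mail -and $u.mail -match '@') { $u.mail.Split('@')[0] } else { $u.SamAccountName }
    $newUpn    = '{0}@{1}' -f $localPart, $RoutableSuffix
    '{0,-20} {1,-40} -> {2}' -f $u.SamAccountName, $u.UserPrincipalName, $newUpn
    if (-not $ReportOnly) {
        Set-ADUser -Identity $u -UserPrincipalName $newUpn
    }
}
'{0} user(s) with non-routable or missing UPN' -f @($toFix).Count
```

Users affected by the change must be told to sign in with the new UPN rather than domain\username, as slide 38 notes.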
39
Office 365 Desktop Setup Automatically detects necessary updates for a computer Installs Microsoft Online Sign In Assistant Installs operating system and client software updates required for connectivity with Office 365 Automatically configures Internet Explorer and rich clients for use with Office 365 Office 365 Desktop Setup is not an authentication or sign-in service and should not be confused with single sign-on
40
Microsoft Online Sign-In Assistant Can be installed automatically by Office 365 Desktop Setup or manually Enables authentication support by obtaining a service token from Office 365 and returning it to a rich client (e.g. Lync) Not required for web kiosk scenarios (e.g. OWA) Required for on-premises computers connecting to Office 365 (e.g. DirSync, Exchange, ADFS, PowerShell)
41
AD FS 2.x Server Default topology for Office 365 is an AD FS 2.x federation server farm that consists of multiple servers hosting your organization’s Federation Service Recommend using at least two federation servers in a load-balanced configuration AD FS 2.x Proxy Server Federation server proxies are used to redirect client authentication requests coming from outside your corporate network to the federation server farm Federation server proxies should be deployed in the DMZ
42
Single server configuration AD FS 2.x Server Farm and load-balancer AD FS 2.x Proxy Server or UAG/TMG (External Users, Active Sync, Down-level Clients with Outlook)
43
1. Single server configuration 2. AD FS 2.0 Server Farm and load-balancer 3. AD FS 2.0 Proxy Server or UAG/TMG i. (External Users, Active Sync, Down-level Clients with Outlook) Enterprise Perimeter AD FS 2.0 Server Proxy Externaluser Internaluser ActiveDirectory Proxy
44
Number of usersMinimum number of servers Fewer than 1,000 users 0 dedicated federation servers 0 dedicated federation server proxies 1 dedicated NLB server 1,000 to 15,000 users 2 dedicated federation servers 2 dedicated federation server proxies 15,000 to 60,000 users Between 3 and 5 dedicated federation servers At least 2 dedicated federation server proxies AD FS 2.0 Capacity Planning Sizing Spreadsheet http://www.microsoft.com/en- us/download/details.aspx?id=2278
45
Understanding client authentication path
47
Virtual Network Support – Site to Site VPN Computing: 99.95% SLA Uptime for High Available System 99.9% SLA Uptime for Single System Storage: 99.9% Full Control over your Virtual Machines Pay as you Go, OPEX vs CAPEX
48
48 IaaS ActiveDirectoryActiveDirectory AD FS 2.0 Server ActiveDirectoryActiveDirectory Enterprise VPN
49
Cloud Service: Role which several VM’s take upon themselves to execute. E.G. ADFS. Cloud services need to have two instances or more to quality for the SLA of 99,95%. 1 External Virtual IP Address per Cloud Service Availability Group
50
EndPoints: You need to add an endpoint to a machine for other resources on the Internet or other virtual networks to communicate with it. You can associate specific ports and a protocol to endpoints. Resources can connect to an endpoint by using a protocol of TCP or UDP. The TCP protocol includes HTTP and HTTPS communication. Virtual Network enables you to create secure site-to-site connectivity, as well as protected private virtual networks in the cloud.
52
IP SEC DEVICE GATEWAYGATEWAY CLOUD SERVICE AD FS 2.0 Server DirSync LB ENDPOINT Enterprise Windows Azure
53
Prepare for directory synchronization: http://technet.microsoft.com/en-us/library/jj151831.aspx http://technet.microsoft.com/en-us/library/jj151831.aspx Directory synchronization roadmap: http://technet.microsoft.com/en-us/library/hh967642.aspx http://technet.microsoft.com/en-us/library/hh967642.aspx Set up your directory sync computer: http://technet.microsoft.com/en-us/library/dn144767.aspx http://technet.microsoft.com/en-us/library/dn144767.aspx Update Rollup 2 for ADFS 2.0: http://support.microsoft.com/kb/2681584 http://support.microsoft.com/kb/2681584 ADFS 2.0 Step-by-Step and How To Guides http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides(v=ws.10).aspx http://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides(v=ws.10).aspx