Presentation is loading. Please wait.

Presentation is loading. Please wait.

Exchange Hybrid Deployments: Stairway to Heaven or Highway to Hell?

Published byShannon Hill Modified over 8 years ago

Similar presentations

Presentation on theme: "Exchange Hybrid Deployments: Stairway to Heaven or Highway to Hell?"— Presentation transcript:

1 Exchange Hybrid Deployments: Stairway to Heaven or Highway to Hell?
#devconnections

2 Agenda Hybrid deployment overview Hybrid Best-practices
High Availability Common (known?) issues Troubleshooting #devconnections

3 An overview of hybrid deployments…
#devconnections

4 Microsoft Internet DMZ Internal Network Exchange Online Tenant
Exchange on-prem Org. Rel / Intra-Org Conn. (Hybrid) Mail Flow Active Directory Auth. Azure AD Synchronization One slide to rule them all. This picture says pretty much everything (from an inter-organization communications-pov at least.) #devconnections

5 Many moving parts It’s no longer only about Exchange. Many different components are involved: Active Directory Networking Exchange

6 Many components DirSync Authentication Exchange Federation / oAuth
ADFS Password Synchronization Exchange Federation / oAuth Security #devconnections

7 Words of wisdom to live by… or not?!
Best Practices #devconnections

8 Best practice… Anyone? No ‘defined’ best practice from Microsoft
Bunch of documents that describe the steps for setting up hybrid deployments Mostly about keeping support statements in mind #devconnections

9 Deploying hybrid configs
Hybrid deployments can be build manually. But… …use the Hybrid Configuration Wizard; it’s the only supported way! Be prepared to get dirty. Being ready to run the HCW mostly means you’ve done 80% of the work already #devconnections

10 What’s this ‘hybrid’ server?
“On-premises (pre-existing) Exchange server ‘dedicated’ to interacting with Exchange Online” Can be Exchange 2010 SP3+ or Exchange 2013 SP1+ Adding a new hybrid server can be disruptive… #devconnections

11 Typical Deployment On-prem MBX Cloud MBX Autodiscover.domain.com Mail.domain.com Autodiscover.domain.com Mail.domain.com Exchange 2007 (Multi-Role) Exchange 2010/2013 (Multi-Role) Ignoring the legacy namespace for Exchange 2007 for a second as it doesn’t contribute to the discussion. #devconnections

12 Typical deployment Great for long-term coexistence (keep on-premises indefinitely) Requires namespace switch-over (more work) #devconnections

13 Hybrid Namespace Cloud On-prem MBX MBX Autodiscover.domain.com
Mail.domain.com Autodiscover.domain.com Exchange 2007 (Multi-Role) Exchange 2010/2013 (Multi-Role) Hybrid.domain.com #devconnections

14 Hybrid namespace Less intrusive as the ‘typical’ deployment
Ideal for migration purposes No official statement on support though… #devconnections

15 What it takes to make a hybrid deployment highly available
High Availability

16 High Availability It’s not as easy as 1+1…
Topology depends on what features need to be highly available Mail flow, Free/Busy, Mailbox Moves Authentication Connectivity #devconnections

17 Hybrid Server HA Deploy at least two hybrid servers
Add site resiliency by deploying in two distinct physical locations Load balance incoming requests through a LB device

18 Hybrid HA Setup (two sites)
INTERNET Site 1 Site 2 HA Load Balancer pair Domain Controller Exchange CAS/MBX Exchange CAS/MBX Domain Controller Connectivity

19 DirSync No need to deploy Highly Available
Can run w/o DirSync for a (short) period of time You could deploy Active/Passive

20 Active Directory Federation Services
Critical to operations; No ADFS = No user logon possible Must be deployed HA – in all possible ways Deploy ADFS cluster; spread across sites to add site resiliency Can be costly…

21 AD FS HA AD FS Topology Load Balancer AD FS Proxy Load Balancer AD FS
Domain Controller FW INTERNET AD FS Proxy AD FS Domain Controller FW

22 Using Azure for Hybrid deployments
Leverage Azure VMs for ADFS and/or DirSync > increase availability Better to deploy one (or more) Domain Controllers in Azure Watch out for the VPN…

23 Azure Topologies Hybrid Azure Full Azure
Use a mix of services both on-premises as in Azure E.g.: ADFS on-premises and in Azure Deploy ADFS and/or DirSync in Azure only Leverage the VPN to connect to supporting services or to support replication

24 Hybrid Azure architecture
INTERNET Azure On-Premises Domain Controller AD FS Proxy AD FS Proxy Domain Controller Active / Passive AD FS AD FS Exchange IPSEC VPN

25 HA inside Azure… Azure Load-Balanced Endpoint Load-Balanced Endpoint
AD FS Proxy Load-Balanced Endpoint AD FS Domain Controller INTERNET AD FS Proxy AD FS Domain Controller

26 Common Issues Known or not known? That is the question…
#devconnections

27 Limitations rather than issues
Some general limitations apply: Cross-premises permissions Public folder migrations Cross-organization free/busy Behavioral changes… #devconnections

28 Cross-organization Free/Busy
One of the ‘biggest’ known limitations; described here. w/o manual intervention, you cannot exchange Free/Busy between 2 hybrid organizations (cloud users) #devconnections

29 Cross-org Free/Busy #devconnections

30 #devconnections

31 CU5 bug There’s a bug in Exchange 2013 CU5 which requires an IU (KB ) for the HCW to complete successfully. #devconnections

32 Multi-forest bug in CU5 After deploying the IU mentioned earlier, you cannot deploy multi-forest Hybrid deployments. HCW will fail while configuring oAuth. #devconnections

33 Behavioral changes… How will you deal with people leaving the organization? Move mailbox back on-premises Leverage “inactive mailboxes” #devconnections

34 Troubleshooting How to get out of trouble… And stay out if it too…!
#devconnections

35 Monitoring New architecture paradigm, requires new way of thinking about monitoring You don’t care about Microsoft’s side of the story End-user service availability is key (but it’s always been like that, right?)

36 How to monitor? Consider monitoring through a series of both Active and Passive tests Active tests allow you to be proactive Passive tests give you great feedback (counters…) Third-party tooling #devconnections

37 Components to monitor You don’t care about (Microsoft’s) servers, but you do care about: Mail flow Cross-premises / External Exchange Federation Org. RelationShips / oAuth DirSync Connectivity (network, certificates,…) #devconnections

38 Demo Monitoring & Troubleshooting DirSync, ADFS and Exchange issues
#devconnections

39 Troubleshooting AD FS Not easy. Use tools like e.g. Fiddler
Enable Debug Logging in Event Viewer Pair AD FS Proxy w/ ADFS for easier troubleshooting Understanding different authentication flows is important

40 Enabling Debug Log Open Event Viewer
Click View > Show Analytic and Debug Logs Right-click Debug under AD FS Tracing and click enable Reproduce issue

41 Exchange Federation Multiple areas where things can go wrong…
Verify that Federation Information can be retrieved (get-federationinformation) Test Organization Relationships (Test-OrganizationRelationship) Verify Federation trust (Test-FederationTrust) When using oAuth: Test-oAuthConnectivity

42 Mailbox Moves Error message is critical; contains useful information
Verify connectivity; e.g. MRS Proxy enabled? Use the Test-MigrationServerAvailability for more insights

43 DirSync No news = good news 
Take a look into the console (miisclient.exe located in installation folder) Check Permissions (inherit permissions enabled?)

44 Helpful tools Exchange Remote Connectivity Analyzer (www.exrca.com)
Exchange Deployment Assistant (aka.ms/exdeploy)

45 Thank you! Q & A

46 WIN Rate This Session Now! Tell Us What You Thought of This Session
Rate with Mobile App: Be Entered to WIN Prizes! Tell Us What You Thought of This Session Select the session from the Agenda or Speakers menus Select the Actions tab Click Rate Session Rate Using Our Website: Register at Go to Select this session from the list and rate it

Download ppt "Exchange Hybrid Deployments: Stairway to Heaven or Highway to Hell?"

Similar presentations

Configuring SharePoint 2013 and Office 365 Hybrid – Part 1

Configuring SharePoint 2013 and Office 365 Hybrid – Part 1
Microsoft ® Exchange Online Migration and Coexistence Name Title Microsoft Corporation.

Microsoft ® Exchange Online Migration and Coexistence Name Title Microsoft Corporation.
Identity management integration options for Office 365

Identity management integration options for Office 365
4/16/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.

4/16/2017 © 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks.
Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.

Hands-On Microsoft Windows Server 2003 Administration Chapter 3 Administering Active Directory.
Sessions about to start – Get your rig on!. Notes from the field – Implement Hybrid Search and OneDrive for Business Chris Zhong - Microsoft Aaron Dinnage.

Sessions about to start – Get your rig on!. Notes from the field – Implement Hybrid Search and OneDrive for Business Chris Zhong - Microsoft Aaron Dinnage.
Version 2.0 for Office 365. Day 1 Administering Office 365 Day 2 Administering Exchange Online Office 365 Overview & InfrastructureLync Online Administration.

Version 2.0 for Office 365. Day 1 Administering Office 365 Day 2 Administering Exchange Online Office 365 Overview & InfrastructureLync Online Administration.
IMAP migration Cutover migration Staged migration 2010 Hybrid2013 Hybrid Exchange 5.5 Exchange 2000 Exchange 2003 Exchange 2007 Exchange 2010 Exchange.

IMAP migration Cutover migration Staged migration 2010 Hybrid2013 Hybrid Exchange 5.5 Exchange 2000 Exchange 2003 Exchange 2007 Exchange 2010 Exchange.
Keys to a Successful Hybrid Deployment Tips and Tricks from the Field.

Keys to a Successful Hybrid Deployment Tips and Tricks from the Field.
Configuring Hybrid Exchange the Easy Way

Configuring Hybrid Exchange the Easy Way
Exchange 2013 (backup &) Disaster Recovery

Exchange 2013 (backup &) Disaster Recovery
Archiving in the cloud with Exchange Online Archiving Bharat Suneja Sr Technical Writer | Exchange Microsoft Corporation EXL301.

Archiving in the cloud with Exchange Online Archiving Bharat Suneja Sr Technical Writer | Exchange Microsoft Corporation EXL301.
11 SYSTEMS ADMINISTRATION AND TERMINAL SERVICES Chapter 12.

11 SYSTEMS ADMINISTRATION AND TERMINAL SERVICES Chapter 12.
Archiving in the Cloud with Exchange Online Archiving BHARAT SUNEJA SR TECHNICAL WRITER | EXCHANGE MICROSOFT CORPORATION EXL301.

Archiving in the Cloud with Exchange Online Archiving BHARAT SUNEJA SR TECHNICAL WRITER | EXCHANGE MICROSOFT CORPORATION EXL301.
TechEd 2013 4/20/2017 2:02 AM © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks.

TechEd /20/2017 2:02 AM © 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks.
Introduction 4 FeatureSimpleHybrid Mail routing between on-premises and cloud (recipients on either side) Mail routing with shared namespace (if desired)

Introduction 4 FeatureSimpleHybrid Mail routing between on-premises and cloud (recipients on either side) Mail routing with shared namespace (if desired)
Introduction Please answer the survey questions posted at the end of this meeting. Let us know what sessions you want! Josh Topal at

Introduction Please answer the survey questions posted at the end of this meeting. Let us know what sessions you want! Josh Topal at
Scenario covered in this presentation Separate credential from on- premises credential Authentication occurs via cloud directory service Does not.

Scenario covered in this presentation Separate credential from on- premises credential Authentication occurs via cloud directory service Does not.
Office 365 Exchange Online Migration Overview. Catapult Overview  An independent wholly owned subsidiary of CSI since 2013  Privately founded in 1993,

Office 365 Exchange Online Migration Overview. Catapult Overview  An independent wholly owned subsidiary of CSI since 2013  Privately founded in 1993,
Chris Goosen Infrastructure Consultant Kloud Solutions.

Chris Goosen Infrastructure Consultant Kloud Solutions.

Similar presentations

Ads by Google