Published by Shannon Hill. Modified over 8 years ago.
1
Exchange Hybrid Deployments: Stairway to Heaven or Highway to Hell?
#devconnections
2
Agenda
- Hybrid deployment overview
- Hybrid best practices
- High availability
- Common (known?) issues
- Troubleshooting
3
An overview of hybrid deployments…
4
[Diagram: Microsoft / Internet / DMZ / Internal Network. The Exchange Online tenant and the on-premises Exchange organization are linked by an Organization Relationship / Intra-Organization Connector (Hybrid), Mail Flow, Active Directory authentication, and Azure AD synchronization.]
One slide to rule them all. This picture says pretty much everything (from an inter-organization communications point of view, at least).
5
Many moving parts
It’s no longer only about Exchange. Many different components are involved:
- Active Directory
- Networking
- Exchange
- …
6
Many components
- DirSync
- Password Synchronization
- Authentication
- ADFS
- Exchange Federation / oAuth
- Security
7
Words of wisdom to live by… or not?!
Best Practices
8
Best practice… Anyone?
- No ‘defined’ best practice from Microsoft
- A bunch of documents that describe the steps for setting up hybrid deployments
- Mostly about keeping support statements in mind
9
Deploying hybrid configs
- Hybrid deployments can be built manually. But…
- …use the Hybrid Configuration Wizard; it’s the only supported way!
- Be prepared to get dirty. Being ready to run the HCW mostly means you’ve done 80% of the work already
10
What’s this ‘hybrid’ server?
“On-premises (pre-existing) Exchange server ‘dedicated’ to interacting with Exchange Online”
- Can be Exchange 2010 SP3+ or Exchange 2013 SP1+
- Adding a new hybrid server can be disruptive…
11
Typical Deployment
[Diagram: on-premises mailboxes (MBX) and cloud mailboxes (MBX); the Autodiscover.domain.com and Mail.domain.com namespaces point at Exchange 2007 (multi-role) and Exchange 2010/2013 (multi-role).]
Ignoring the legacy namespace for Exchange 2007 for a second, as it doesn’t contribute to the discussion.
12
Typical deployment
- Great for long-term coexistence (keep on-premises indefinitely)
- Requires namespace switch-over (more work)
13
Hybrid Namespace
[Diagram: cloud and on-premises mailboxes (MBX); Autodiscover.domain.com and Mail.domain.com on Exchange 2007 (multi-role) / Exchange 2010/2013 (multi-role), plus a separate Hybrid.domain.com namespace.]
14
Hybrid namespace
- Less intrusive than the ‘typical’ deployment
- Ideal for migration purposes
- No official statement on support though…
15
What it takes to make a hybrid deployment highly available
High Availability
16
High Availability
It’s not as easy as 1+1…
Topology depends on what features need to be highly available:
- Mail flow, Free/Busy, Mailbox Moves
- Authentication
- Connectivity
- …
17
Hybrid Server HA
- Deploy at least two hybrid servers
- Add site resiliency by deploying in two distinct physical locations
- Load balance incoming requests through a LB device
18
Hybrid HA Setup (two sites)
[Diagram: Internet in front of an HA load balancer pair; Site 1 and Site 2 each contain a Domain Controller and an Exchange CAS/MBX server, with connectivity between the two sites.]
19
DirSync
- No need to deploy highly available
- Can run w/o DirSync for a (short) period of time
- You could deploy Active/Passive
20
Active Directory Federation Services
- Critical to operations; no ADFS = no user logon possible
- Must be deployed HA, in all possible ways
- Deploy an ADFS cluster; spread it across sites to add site resiliency
- Can be costly…
21
AD FS HA
[Diagram: AD FS topology. Internet, firewall, load balancer in front of the AD FS Proxy servers, a second firewall, load balancer in front of the AD FS servers, Domain Controllers behind them.]
22
Using Azure for Hybrid deployments
- Leverage Azure VMs for ADFS and/or DirSync > increase availability
- Better to deploy one (or more) Domain Controllers in Azure
- Watch out for the VPN…
23
Azure Topologies
Hybrid Azure:
- Use a mix of services, both on-premises and in Azure
- E.g.: ADFS on-premises and in Azure
Full Azure:
- Deploy ADFS and/or DirSync in Azure only
- Leverage the VPN to connect to supporting services or to support replication
24
Hybrid Azure architecture
[Diagram: Internet; the Azure side and the on-premises side each hold a Domain Controller, an AD FS Proxy and an AD FS server (Active / Passive), with Exchange on-premises, connected over an IPsec VPN.]
25
HA inside Azure…
[Diagram: Internet; Azure load-balanced endpoints in front of the AD FS Proxy servers and the AD FS servers, with Domain Controllers behind them.]
26
Common Issues Known or not known? That is the question…
27
Limitations rather than issues
Some general limitations apply:
- Cross-premises permissions
- Public folder migrations
- Cross-organization free/busy
- Behavioral changes…
28
Cross-organization Free/Busy
- One of the ‘biggest’ known limitations; described here.
- W/o manual intervention, you cannot exchange Free/Busy between 2 hybrid organizations (cloud users)
29
Cross-org Free/Busy
[Diagram only]
30
[Diagram only]
31
CU5 bug
There’s a bug in Exchange 2013 CU5 which requires an IU (KB ) for the HCW to complete successfully.
32
Multi-forest bug in CU5
After deploying the IU mentioned earlier, you cannot deploy multi-forest hybrid deployments. The HCW will fail while configuring oAuth.
33
Behavioral changes…
How will you deal with people leaving the organization?
- Move the mailbox back on-premises
- Leverage “inactive mailboxes”
34
Troubleshooting
How to get out of trouble… and stay out of it too…!
35
Monitoring
- A new architecture paradigm requires a new way of thinking about monitoring
- You don’t care about Microsoft’s side of the story
- End-user service availability is key (but it’s always been like that, right?)
36
How to monitor?
- Consider monitoring through a series of both active and passive tests
- Active tests allow you to be proactive
- Passive tests give you great feedback (counters…)
- Third-party tooling
37
Components to monitor
You don’t care about (Microsoft’s) servers, but you do care about:
- Mail flow (cross-premises / external)
- Exchange Federation (Org. Relationships / oAuth)
- DirSync
- Connectivity (network, certificates, …)
38
Demo
Monitoring & Troubleshooting DirSync, ADFS and Exchange issues
39
Troubleshooting AD FS
- Not easy. Use tools like e.g. Fiddler
- Enable Debug Logging in Event Viewer
- Pair AD FS Proxy w/ ADFS for easier troubleshooting
- Understanding the different authentication flows is important
40
Enabling Debug Log
1. Open Event Viewer
2. Click View > Show Analytic and Debug Logs
3. Right-click Debug under AD FS Tracing and click Enable
4. Reproduce the issue
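The same procedure from PowerShell, as an added example that is not part of the deck: it assumes AD FS on Windows Server 2012 R2 or later, where the Debug channel under AD FS Tracing is named 'AD FS Tracing/Debug' (AD FS 2.0 names it 'AD FS 2.0 Tracing/Debug'), and an elevated session on the AD FS server.

```powershell
# Added example, not from the deck: PowerShell equivalent of the Event Viewer steps above.
# Assumption: channel name 'AD FS Tracing/Debug' (Windows Server 2012 R2+ AD FS);
# AD FS 2.0 uses 'AD FS 2.0 Tracing/Debug'. Run elevated on the AD FS server.
$Channel = 'AD FS Tracing/Debug'

# Step 3 of the slide: enable the debug channel (off by default, and very verbose once on).
wevtutil.exe set-log $Channel /e:true
Write-Host "Tracing enabled on '$Channel'. Reproduce the failing logon now, then press Enter."
[void](Read-Host)

# Turn tracing off again as soon as the repro is done so the trace stays small and readable.
wevtutil.exe set-log $Channel /e:false

# Analytic/debug channels must be read oldest-first (Get-WinEvent refuses them otherwise).
# Keep the full Message: that is where AD FS puts the detail you correlate with a Fiddler capture.
Get-WinEvent -LogName $Channel -Oldest -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List
```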
41
Exchange Federation
Multiple areas where things can go wrong…
- Verify that Federation Information can be retrieved (Get-FederationInformation)
- Test Organization Relationships (Test-OrganizationRelationship)
- Verify the Federation trust (Test-FederationTrust)
- When using oAuth: Test-OAuthConnectivity
42
Mailbox Moves
- The error message is critical; it contains useful information
- Verify connectivity; e.g. is the MRS Proxy enabled?
- Use Test-MigrationServerAvailability for more insights
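The cmdlets named on this slide and on the previous one (Exchange Federation) chained into one pass, as an added example that is not part of the deck; it assumes the on-premises Exchange Management Shell (Exchange 2010 SP3 / 2013) and uses placeholder domain, mailbox, relationship and server names.

```powershell
# Added example, not from the deck: run the federation/OAuth checks from the "Exchange Federation"
# slide and the MRS Proxy check from the "Mailbox Moves" slide in one pass, from the on-premises
# Exchange Management Shell. Every value below is a placeholder for your own environment.
param(
    [string]$DomainName   = 'contoso.com',                          # placeholder: a federated accepted domain
    [string]$UserIdentity = 'testuser@contoso.com',                 # placeholder: an on-premises test mailbox
    [string]$Relationship = 'On-premises to O365 - <tenant GUID>',  # placeholder: HCW-created relationship name
    [string]$CloudEws     = 'https://outlook.office365.com/ews/exchange.asmx',  # Exchange Online EWS endpoint
    [string]$RemoteServer = 'mail.contoso.com'                      # placeholder: external name of the MRS Proxy (EWS) endpoint
)

# Run one check, print whatever it returns, and keep going on failure: per the slide, the error
# text is the most useful part, so it is surfaced rather than swallowed.
function Invoke-HybridCheck {
    param([string]$Name, [scriptblock]$Check)
    Write-Host "`n==== $Name ====" -ForegroundColor Cyan
    try   { & $Check | Format-List | Out-String | Write-Host }
    catch { Write-Warning "$Name failed: $($_.Exception.Message)" }
}

# 1. Can the federation information for the domain be retrieved at all?
Invoke-HybridCheck 'Get-FederationInformation' { Get-FederationInformation -DomainName $DomainName }

# 2. Is the federation trust itself healthy (certificate, metadata, token request)?
Invoke-HybridCheck 'Test-FederationTrust' { Test-FederationTrust -UserIdentity $UserIdentity }

# 3. Does the organization relationship work end to end for this user?
Invoke-HybridCheck 'Test-OrganizationRelationship' {
    Test-OrganizationRelationship -Identity $Relationship -UserIdentity $UserIdentity
}

# 4. Exchange 2013 hybrids using OAuth: can on-premises obtain a token and call Exchange Online EWS?
Invoke-HybridCheck 'Test-OAuthConnectivity' {
    Test-OAuthConnectivity -Service EWS -TargetUri $CloudEws -Mailbox $UserIdentity -Verbose
}

# 5. Mailbox moves: is the MRS Proxy endpoint reachable and does it accept the migration credentials?
Invoke-HybridCheck 'Test-MigrationServerAvailability' {
    Test-MigrationServerAvailability -ExchangeRemoteMove -RemoteServer $RemoteServer `
        -Credentials (Get-Credential)
}
```

Step 4 only applies to Exchange 2013 hybrids, since Test-OAuthConnectivity does not exist on Exchange 2010; a failure in step 5 is typically the same error the Office 365 migration endpoint wizard would show.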
43
DirSync
- No news = good news
- Take a look into the console (miisclient.exe, located in the installation folder)
- Check permissions (inherit permissions enabled?)
44
Helpful tools
- Exchange Remote Connectivity Analyzer (www.exrca.com)
- Exchange Deployment Assistant (aka.ms/exdeploy)
45
Thank you! Q & A