sharepoint fest chicago 2014 - anatomy of sharepoint and office 365 hybrid deployment – real-world...
Post on 12-Jul-2015
About Me
• Principal Consultant, Slalom Consulting, Chicago
• Current focus area SharePoint 2013 and Office 365
Contact Info
• Email - patenik2@yahoo.com
• Blog - Nik Patel’s SharePoint World - http://nikpatel.net/
• Twitter - @nikxpatel, @slalomchicago
• LinkedIn - linkedin.com/in/nikspatel
• Slideshare - slideshare.net/patenik2
What is SharePoint Hybrid?
Federated identity and directory synchronization: enables a consistent single sign-on experience across SharePoint Online and on-premises.
• SharePoint On-premises: hosting critical business data and applications with full control over ownership and the change management cycle
• SharePoint Online: Microsoft's Mobile-First, Cloud-First, and Productivity-First model, with innovations delivered more frequently
• SharePoint Hybrid: content and workloads spanning both on-premises and the cloud
Why SharePoint Hybrid?
• Cloud-first strategy: easily scale up and down; easily collaborate; inability to have full control
• Existing investments: protect sensitive data
• Leverage the strengths of both parts: on-premises flexibility with cloud agility
Decision Matrix for SharePoint Hybrid
Four decision areas: Topology, Infrastructure, Identity, Workloads

Topology
• One-way outbound: enables the SharePoint Server 2013 on-premises server farm to connect to SharePoint Online
• One-way inbound: enables SharePoint Online to connect to SharePoint Server 2013 through a reverse-proxy device
• Two-way (bidirectional): enables connections between SharePoint Online and SharePoint Server 2013 from both systems

Infrastructure
• Corporate data centers: allows you to fully control the SharePoint environment, including server and network updates
• Third-party data centers: allows you to outsource the SharePoint environment as a dedicated service, including server and network updates
• Windows Azure or Amazon IaaS: allows you to host the SharePoint environment on a public cloud service and offload server and network maintenance tasks

Identity
• Cloud Identity: single identity in the cloud
• Synchronized Identity: single identity across both cloud and on-premises
• Federated Identity (SSO): single federated identity across both cloud and on-premises

Workloads
• External Sharing
• Collaboration
• Communication and Publishing
• Social Conversations
• Personal Storage
• Digital Asset Management
• Personalized Insights
• Self-Service BI
• Hybrid Search
• Custom Applications / Integration with BCS
• Managed Metadata and Terms
• User Profiles and personalized preferences
• Web Content Management
• Record Management
• Enterprise BI
Configuring SharePoint Hybrid
Operational AD DS
Internet routable AD domains, DNS, and SSL certificates
Office 365 Enterprise Subscription
SharePoint Server 2013 Enterprise on-premises farm
Directory Synchronization
Directory Federation with ADFS
Reverse Proxy Appliances
Good bandwidth and Internet connectivity
Network Optimization Appliances
[Reference architecture diagram: on-premises domain controller (DOMAIN.NET / DOMAIN.COM); ADFS1 and ADFS2 with WID/SQL behind a network load balancer at ADFS.DOMAIN.COM; WAP1 and WAP2 reverse proxies behind a network load balancer serving external users; SharePoint farm (SP WEB1/2, SP APP1/2, SP SQL1/2, WAC1/2) behind a network load balancer at SHAREPOINT.DOMAIN.COM serving internal users; Azure Active Directory Sync (WID/SQL) performing directory synchronization to Windows Azure Active Directory, which fronts DOMAIN.SHAREPOINT.COM. The diagram is repeated with the on-premises and Office 365 halves highlighted in turn.]
Choose level of subscription – E1-E4, you can mix these licenses
Specify the unique tenant name and Global admin User id/password
Specify the country where your tenant will be located (unless your EA states otherwise)
Specify a domain name and confirm ownership (e.g. chipchybrid.com)
Set the domain purpose, i.e. which services (e.g. Lync or Exchange) will use the domain
Configure DNS by creating verification record with DNS hosting provider
Complete the domain setup and choose default domain
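The domain-ownership steps above are normally done in the Office 365 portal wizard. As an added example (not part of the deck, and not Microsoft's script), the same verification can be driven from the Windows Azure AD PowerShell module, which is useful when the DNS change and the verification are handled by different teams. It assumes the MSOnline module is installed, that you sign in as a tenant Global Administrator, and uses the deck's example domain chipchybrid.com; the wait loop and Resolve-DnsName check are my addition.

```powershell
# Added example: add and verify a custom domain in an Office 365 tenant with the
# Windows Azure AD PowerShell (MSOnline) module instead of the portal wizard.
# Assumes MSOnline is installed and the caller is a Global Administrator.
Import-Module MSOnline
Connect-MsolService                      # prompts for the Global Admin credentials

$domainName = "chipchybrid.com"          # the deck's example domain

# 1. Register the domain as a managed (cloud-authenticated) domain for now;
#    it is converted to federated later, once ADFS is in place.
if (-not (Get-MsolDomain -DomainName $domainName -ErrorAction SilentlyContinue)) {
    New-MsolDomain -Name $domainName -Authentication Managed | Out-Null
}

# 2. Obtain the TXT record that proves ownership; create it at the public DNS host.
$txt = Get-MsolDomainVerificationDns -DomainName $domainName -Mode DnsTxtRecord
Write-Host "Create this TXT record at your DNS provider:"
Write-Host ("  {0}  TXT  {1}" -f $txt.Label, $txt.Text)

# 3. Wait until the record is publicly resolvable before asking Office 365 to
#    verify; a premature Confirm-MsolDomain simply fails. Polls every 5 minutes
#    for up to an hour.
$seen = $false
for ($i = 0; $i -lt 12 -and -not $seen; $i++) {
    $answer = Resolve-DnsName -Name $domainName -Type TXT -ErrorAction SilentlyContinue
    $seen = ($answer | Where-Object { $_.Strings -contains $txt.Text }) -ne $null
    if (-not $seen) { Start-Sleep -Seconds 300 }
}
if (-not $seen) { throw "Verification TXT record for $domainName is not visible in public DNS yet." }

# 4. Ask Office 365 to verify ownership, then make it the default domain so new
#    users get the routable UPN suffix that directory sync and federation expect.
Confirm-MsolDomain -DomainName $domainName
Set-MsolDomain -Name $domainName -IsDefault

# 5. Confirm the resulting state: Status should read Verified.
Get-MsolDomain | Select-Object Name, Status, Authentication, IsDefault
```

The TXT record only proves control of the zone; it does not make the domain federated. Leaving Authentication as Managed until ADFS is published keeps a working fallback sign-in path while the on-premises pieces are built.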
[Diagram: the reference architecture with the on-premises SharePoint farm highlighted: domain controller (DOMAIN.NET / DOMAIN.COM); SP WEB1/2, SP APP1/2, SP SQL1/2 and WAC1/2 behind network load balancers at SHAREPOINT.DOMAIN.COM serving external and internal users; Windows Azure Active Directory and DOMAIN.SHAREPOINT.COM on the cloud side]
Configure a SharePoint 2013 SP1 on-premises environment at minimum: SP1 enables Yammer and OneDrive for Business redirection from on-premises
Configure the primary web applications and site collections
For hybrid search, a web application with Integrated Windows Authentication (NTLM) claims is required; this can be a dedicated zone extended from the default SAML claims zone
Enable SharePoint on-premises services for hybrid
• Required service applications
  • User Profile Application (UPA)
  • App Management Service and Subscription Settings Service
• Also recommended to enable
  • Managed Metadata Service
  • User Profile Sync Service (UPS)
[Diagram: the reference architecture with Azure Active Directory Sync (WID/SQL) highlighted, performing directory synchronization from the on-premises domain controller (DOMAIN.NET / DOMAIN.COM) to Windows Azure Active Directory (DOMAIN.SHAREPOINT.COM)]
[Diagram: an on-premises AD identity (chipchybrid\npatel) is mapped through Directory Synchronization to a Windows Azure Active Directory cloud identity (npatel@chipchybrid.com)]
http://blogs.technet.com/b/ad/archive/2014/09/16/azure-active-directory-sync-is-now-ga.aspx
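The mapping on this slide works because the on-premises account's UPN suffix is a domain the tenant has verified; accounts whose UPN ends in a non-routable suffix (a .local or .net internal domain) sync as user@tenant.onmicrosoft.com and never line up with the federated identity. The following readiness check is an added example, not from the deck or from Microsoft's sync tooling. It assumes the ActiveDirectory and MSOnline modules, Global Administrator rights in the tenant, and uses the deck's sample user npatel@chipchybrid.com; the function name Get-UpnSyncReport is mine.

```powershell
# Added example: find on-premises accounts whose UPN will not map to a usable
# cloud identity before enabling Azure AD Sync, then confirm a known user after
# the first sync. Assumes the ActiveDirectory and MSOnline modules are available.
Import-Module ActiveDirectory
Import-Module MSOnline
Connect-MsolService

function Get-UpnSyncReport {
    param([string]$SearchBase)   # e.g. "OU=Users,DC=chipchybrid,DC=net"; omit for the whole domain

    # Only domains the tenant has verified can appear as UPN suffixes in the cloud.
    $verified = Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' } |
                ForEach-Object { $_.Name.ToLowerInvariant() }

    $params = @{ Filter = 'Enabled -eq $true'; Properties = 'UserPrincipalName', 'mail' }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params | ForEach-Object {
        $upn = $_.UserPrincipalName
        $suffix = if ($upn -and $upn.Contains('@')) { $upn.Split('@')[1].ToLowerInvariant() } else { $null }

        # Classify the account; $null means it will map cleanly.
        $problem = $null
        if (-not $upn) {
            $problem = 'No UPN set'
        } elseif ($verified -notcontains $suffix) {
            $problem = "Suffix '$suffix' is not a verified tenant domain"
        } elseif ($_.mail -and $_.mail -ne $upn) {
            $problem = 'Mail differs from UPN (users sign in with one, receive mail at the other)'
        }

        [pscustomobject]@{
            SamAccountName = $_.SamAccountName
            UPN            = $upn
            Suffix         = $suffix
            Problem        = $problem
        }
    }
}

# Accounts that will not map cleanly; fix these (or add a routable UPN suffix
# in AD Domains and Trusts and reassign it) before the first sync cycle.
$report = Get-UpnSyncReport
$report | Where-Object { $_.Problem } | Format-Table -AutoSize

# After the first sync, confirm a known user arrived with the expected UPN and an
# ImmutableId, the anchor that ties the cloud object back to the on-premises account.
Get-MsolCompanyInformation | Select-Object DirectorySynchronizationEnabled, LastDirSyncTime
Get-MsolUser -UserPrincipalName 'npatel@chipchybrid.com' |
    Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime
```

Run the report against a pilot OU first; fixing UPNs after sync means the cloud objects already exist with the wrong name, which is far more disruptive than changing them beforehand.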
[Diagram: the reference architecture with the federation components highlighted: ADFS1 and ADFS2 (WID/SQL) behind a network load balancer at ADFS.DOMAIN.COM, and WAP1 and WAP2 behind a network load balancer publishing ADFS to external users; Azure Active Directory Sync continues to synchronize the on-premises directory to Windows Azure Active Directory]
Federation is optional for outbound or inbound hybrid topologies but is recommended for an SSO user experience
Have a dedicated ADFS service account and activate the ADFS 3.0 role on Windows Server 2012 R2
Steve Peschka's guide: SharePoint and ADFS SAML limitations and how to overcome them for UPS & Search
Publish ADFS through the reverse proxy for external access
Create a public DNS record for publishing to the Internet (e.g. adfs.chipchybrid.com)
Set up a trust between ADFS and Office 365 / Windows Azure AD
Install the Microsoft Online Services Sign-in Assistant and the Windows Azure AD PowerShell module on the ADFS server
Run Convert-MsolDomainToFederated –DomainName <domain>
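The last two steps, carried through with a consistency check afterwards, as an added example that is not part of the deck. It assumes it runs on an ADFS server with the Sign-in Assistant and the Windows Azure AD PowerShell module installed, under an account that is both an ADFS administrator and a tenant Global Administrator, and uses the deck's names adfs.chipchybrid.com and chipchybrid.com. The thumbprint comparison at the end is my addition: Office 365 keeps its own copy of the ADFS token-signing certificate, and if that copy drifts from what ADFS actually signs with (typically after a certificate rollover), every federated sign-in fails.

```powershell
# Added example: convert the verified domain to federated authentication, then
# check that the trust recorded in Office 365 matches what the ADFS farm publishes.
Import-Module MSOnline
Connect-MsolService

$domainName = "chipchybrid.com"
$adfsServer = "adfs.chipchybrid.com"

# Point the MSOnline federation cmdlets at the ADFS farm they will configure.
Set-MsolADFSContext -Computer $adfsServer

# The domain must be verified before it can be federated.
$domain = Get-MsolDomain -DomainName $domainName
if ($domain.Status -ne 'Verified') { throw "$domainName is not verified in the tenant" }

# Creates the Office 365 relying party trust in ADFS and records the ADFS issuer
# URI, endpoints and token-signing certificate in Windows Azure AD.
if ($domain.Authentication -ne 'Federated') {
    Convert-MsolDomainToFederated -DomainName $domainName
}

# Check 1: side-by-side view of what the cloud stored versus what ADFS publishes.
Get-MsolFederationProperty -DomainName $domainName |
    Select-Object Source, FederationServiceIdentifier, PassiveLogOnUri, TokenSigningCertificate |
    Format-List

# Check 2: compare the signing certificate Azure AD trusts with the primary
# token-signing certificate ADFS is using right now.
$cloud     = Get-MsolDomainFederationSettings -DomainName $domainName
$cloudCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                 -ArgumentList (,[Convert]::FromBase64String($cloud.SigningCertificate))
$adfsCert  = (Get-AdfsCertificate -CertificateType Token-Signing |
                 Where-Object { $_.IsPrimary }).Certificate

if ($cloudCert.Thumbprint -ne $adfsCert.Thumbprint) {
    Write-Warning ("Azure AD trusts {0} but ADFS signs with {1}; run Update-MsolFederatedDomain -DomainName {2}" -f
                   $cloudCert.Thumbprint, $adfsCert.Thumbprint, $domainName)
} else {
    Write-Host "Federation trust for $domainName is consistent (thumbprint $($adfsCert.Thumbprint))"
}
```

Schedule the second check to run before the ADFS AutoCertificateRollover date; it is far cheaper than discovering the mismatch from a help-desk queue on Monday morning.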
Server-to-server trust between SharePoint Online and SharePoint on-premises: the trust relationship between SharePoint on-premises, SharePoint Online, and Windows Azure Active Directory
Security tokens issued by Windows Azure Active Directory Access Control Services are trusted by both SharePoint on-premises and SharePoint Online and grant users access to resources
SharePoint Online is registered as a high-trust application in SharePoint on-premises
Create a new security token service (STS) certificate (at least 2038 bit)
Either a self-signed or public CA certificate is supported, but a domain-issued certificate is not supported
#Import the SharePoint Management PowerShell
#Replace the STS certificate for the on-premises environment
Replace the default STS certificate on all on-premises SharePoint servers in the farm
# Load PowerShell Modules
# Configure Remoting in PowerShell
# Log on to SharePoint Online tenant (use credentials of a tenant Global Administrator)
Install the following tools on the Central Administration server
The Microsoft Online Services Sign-In Assistant
The Azure Active Directory Module for Windows PowerShell (64 bit version)
The SharePoint Online Management Shell (64 bit version)
Execute PowerShell to configure S2S trust between SharePoint on-premises and SharePoint Online
You must log on to the Central Administration server with a farm admin account (e.g. sp_farm) to run PowerShell
# Setup variables
# Upload the new on-premises STS certificate to SharePoint Online
# Add service principal name (SPN) for public domain name in Azure AD
# Register SharePoint Online application principal object ID as a trusted provider in SharePoint On-Premises farm
# Set the on-premises SharePoint authentication realm to the context ID of Office 365 tenancy
# Establish a S2S trust relationship between SharePoint on-premises and Windows Azure AD
# Configure an on-premises ACS proxy for Azure AD to validate OAuth requests between SharePoint Online and SharePoint On-Premises, which will become a trusted token issuer for the on-premises farm
# Fix SharePoint on-premises (if on-premises April 2014 CU or later) - See: http://support.microsoft.com/kb/3000380
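The comment headings above are the outline of the S2S trust script; the deck shows only the headings. What follows is an added example that writes the steps out end to end with a verification function at the end. It is not the deck's script and not Microsoft's published one, although it uses the same public cmdlets. Assumptions: the on-premises principal web application is https://sharepoint.chipchybrid.com (deck naming); the new STS certificate is a 2048-bit self-signed or public-CA certificate (the deck's "2038 bit" is read as 2048) exported to C:\certs\spsts.pfx (with private key) and C:\certs\spsts.cer (public key only); the SharePoint Online Management Shell, Sign-In Assistant and Azure AD module are installed on the Central Administration server; it runs as the farm administrator. The SPN guard and Test-S2STrust are mine. The well-known application ID 00000003-0000-0ff1-ce00-000000000000 is the fixed Azure AD identifier for SharePoint Online.

```powershell
# Added example: establish the server-to-server trust between the on-premises
# farm, SharePoint Online and Windows Azure AD, step by step as outlined above.

# Load PowerShell modules
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module MSOnline
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking

# Log on to the SharePoint Online tenant (tenant Global Administrator)
Connect-MsolService

# Replace the STS certificate for the on-premises environment. Only the .pfx
# (private key) is imported into the farm; the private key never leaves it.
$pfxPath = "C:\certs\spsts.pfx"
$pfxPass = Read-Host -AsSecureString "PFX password"
$flags   = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]"Exportable,PersistKeySet"
$stsCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $pfxPath, $pfxPass, $flags
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $stsCert -Confirm:$false
Restart-Service SPTimerV4
iisreset                                     # repeat the restarts on every server in the farm

# Setup variables
$spcn         = "*.chipchybrid.com"          # public DNS name the SPN will cover
$site         = Get-SPSite "https://sharepoint.chipchybrid.com"
$spoappid     = "00000003-0000-0ff1-ce00-000000000000"   # well-known SharePoint Online principal
$spocontextID = (Get-MsolCompanyInformation).ObjectID    # tenant (realm) ID
$metadataEndpoint = "https://accounts.accesscontrol.windows.net/$spocontextID/metadata/json/1"

# Upload the new on-premises STS certificate to SharePoint Online: public key only,
# which is all SharePoint Online needs to verify tokens the on-premises STS signs.
$cer   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList "C:\certs\spsts.cer"
$cer64 = [Convert]::ToBase64String($cer.GetRawCertData())
New-MsolServicePrincipalCredential -AppPrincipalId $spoappid -Type asymmetric -Usage Verify -Value $cer64

# Add service principal name (SPN) for the public domain name in Azure AD
$msp  = Get-MsolServicePrincipal -AppPrincipalId $spoappid
$spns = $msp.ServicePrincipalNames
if ($spns -notcontains "$spoappid/$spcn") {
    $spns.Add("$spoappid/$spcn")
    Set-MsolServicePrincipal -AppPrincipalId $spoappid -ServicePrincipalNames $spns
}

# Register the SharePoint Online application principal as a trusted provider in the farm
$spoappprincipalID = (Get-MsolServicePrincipal -ServicePrincipalName $spoappid).ObjectID
$sponameidentifier = "$spoappprincipalID@$spocontextID"
Register-SPAppPrincipal -Site $site.RootWeb -NameIdentifier $sponameidentifier -DisplayName "SharePoint Online"

# Set the on-premises authentication realm to the Office 365 tenant context ID
Set-SPAuthenticationRealm -Realm $spocontextID

# On-premises ACS proxy and trusted token issuer: the S2S trust with Windows Azure AD
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri $metadataEndpoint -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $metadataEndpoint -IsTrustBroker:$true -Name "ACS"

# Verify: the realm must equal the tenant ID and ACS must be registered as the broker.
function Test-S2STrust {
    $realmOk  = (Get-SPAuthenticationRealm) -eq $spocontextID
    $issuer   = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq "ACS" }
    $issuerOk = ($issuer -ne $null) -and $issuer.IsTrustBroker
    [pscustomobject]@{ RealmMatchesTenant = $realmOk; AcsIssuerRegistered = [bool]$issuerOk }
}
Test-S2STrust
```

Two points worth keeping in mind when operating this trust: the realm change applies to the whole farm, so any existing provider-hosted apps that depend on the old realm need their registrations redone, and the .cer uploaded to Azure AD is what lets SharePoint Online accept tokens from your farm, so replacing the STS certificate later means repeating the New-MsolServicePrincipalCredential step and retiring the old credential with Remove-MsolServicePrincipalCredential.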
http://governance.codeplex.com/releases/view/120702
Enable the Search Service application on SharePoint on-premises
Create crawled content in SharePoint on-premises and SharePoint Online
Verify search in SharePoint on-premises and SharePoint Online for the same user
Result source settings (outbound):
Protocol: Remote SharePoint
Remote Service URL: SharePoint Online root site URL
Credentials: Default Authentication (SharePoint Online is configured to authenticate queries using Windows Azure Active Directory)
http://technet.microsoft.com/en-us/library/dn607304.aspx#devices
[Diagram, inbound topology: internal users reach https://intranet.chipchybrid.com directly; external users and SharePoint Online reach https://intranetext.chipchybrid.com through WAP1/WAP2 behind a network load balancer; both front the on-premises farm (SP WEB1/2, SP APP1/2, SP SQL1/2, WAC1/2) at SHAREPOINT.DOMAIN.COM behind a network load balancer; HTTPS communication and Office 365 S2S communication flow between Windows Azure Active Directory / DOMAIN.SHAREPOINT.COM and the farm]
Create crawled content in SharePoint on-premises and SharePoint Online
Verify search on both SharePoint on-premises and SharePoint Online for the same user
Result source settings (inbound):
Protocol: Remote SharePoint
Remote Service URL: reverse-proxy address of the SharePoint on-premises primary web application
Credentials: SSO ID; to authenticate to the reverse proxy, enter the Secure Store target application ID that contains the Windows certificate
Hybrid Challenges
Hybrid Story is still evolving
Handling Social Experience
Change Management and Operations
User Experience and Navigation
Wrap Up
Q&A
• Blog - http://nikpatel.net/
• Twitter - @nikxpatel
• Slideshare - slideshare.net/patenik2