Exchange Hybrid Deployment
Scott Schnoll, Senior PM, Microsoft Corp
Agenda
Office 365 Hybrid Scenarios
Exchange Hybrid Fundamentals
Exchange Hybrid Deployment
Managing Exchange Hybrid
Mailbox Migration
Hybrid Configuration Diagnostic
Why Exchange Hybrid
Office 365
Exchange on-premises
MRS
Calendaring & Free/Busy
Messaging
Address Book
On Prem Office 365
Office 365 Hybrid Scenarios
Exchange Online
SharePoint Online
Skype for Business
Exchange Hybrid
SharePoint Hybrid
SfB Hybrid
OAuth
OAuth
Exchange Hybrid Scenario
On-premises Exchange organization
Existing Exchange environment
(Exchange 2007 or later)
Office 365 Active
Directory synchronization
Exchange 2013 client access & mailbox server
Office 365 User, contacts & groups via Azure AD Sync
Secure mail flow
Mailbox data via Mailbox Replication Service (MRS)
Sharing (free/busy, Mail Tips, archive, etc.)
Begin with the Exchange Deployment Assistant: http://aka.ms/exdeploy
Validate existing environment is in a standard and supported configuration
Primary namespace(s) MUST point to the latest installed version of Exchange
Planning
You should use standard sizing guidance
Migration Traffic is more taxing than the rest
Planning
From an existing Exchange 2007 or 2010 environment - no Edge Transport server
Exchange 2013 hybrid deployment
[Diagram: autodiscover.contoso.com and mail.contoso.com; Exchange 2010/2007 servers (SP3 UR8 or SP3 UR15) and Exchange 2013 servers; intranet site and Internet-facing site]
1. Prepare: Install Exchange updates on all legacy servers. Prepare Active Directory with Exchange 2013 schema.
2. Deploy Exchange 2013: Install both roles. Configure and enable the Mailbox Replication Service.
3. Obtain and deploy certificates: Obtain and deploy certificates on Exchange 2013 CAS.
4. Publish protocols externally: Create public DNS A records for the EWS and SMTP endpoints. Validate using Remote Connectivity Analyzer.
5. Switch Autodiscover namespace to Exchange 2013.
6. Run the Hybrid Configuration Wizard.
7. Move mailboxes.
EWS SMTP
Exchange Hybrid Wizard History
Exchange 2013 SP1
Multiple Exchange organizations now supported
Supports Exchange 2013 Edge
Thousands of tenants and millions of mailboxes in Office 365 using Exchange Hybrid
Hybrid Configuration Wizard
Exchange Online Org
On-Premises Exchange Organization
Hybrid Configuration Engine
Desired state
Internet
Exchange Management Tools
Organization Level Configuration Objects (Exchange Federation Trust, Organization Relationship, Forefront Inbound Connector & Forefront Outbound Connector)
Domain Level Configuration Objects (Accepted Domains & Remote Domains)
Hybrid Configuration Object
Exchange Server Level Configuration (Mailbox Replication Service Proxy, Certificate Validation, Exchange Web Service Virtual Directory Validation & Receive Connector)
Domain Level Configuration Objects (Accepted Domains, Remote Domains & E-mail Address Policies)
Organization Level Configuration Objects (Exchange Federation Trust, Organization Relationship, Availability Address Space & Send Connector)
Remote PowerShell
1. The Update-HybridConfiguration cmdlet triggers the Hybrid Configuration Engine to start.
2. The Hybrid Configuration Engine reads the "desired state" stored on the HybridConfiguration Active Directory object.
3. The Hybrid Configuration Engine connects via Remote PowerShell to both the on-premises and Exchange Online organizations.
4. The Hybrid Configuration Engine discovers topology data and current configuration from the on-premises Exchange organization and the Exchange Online organization.
5. Based on the desired state, topology data, and current configuration across both the on-premises Exchange and Exchange Online organizations, the Hybrid Configuration Engine establishes the "difference" and then executes configuration tasks to establish the "desired state".
Desired state configuration engine
Applies configuration to on-prem and online orgs
Supported Exchange Topologies
Exchange 2013 / Exchange 2010
• Single Forest Model: Accounts and Mailboxes in single forest
• Resource Forest Model: Multiple Account Forests, Single Resource Forest
• 1:1 relationship between Exchange Organization and single O365 tenant
Exchange 2013 Service Pack 1
• Supports multiple Exchange Organizations configured against a single O365 tenant
• Multiple forests, each containing accounts and Exchange organizations
• N:1 relationship between Exchange Organization and single O365 tenant
[Diagram: Office 365, Hybrid, contoso.com, fabrikam.com]
Exchange 2013 multi-org hybrid deployment
1. Prepare: Update each Exchange organization to Service Pack 1. Validate Autodiscover is properly configured and published in each Exchange organization. Validate public certificates for Exchange org are unique. Create two-way forest trust.
2. Configure Mail Flow on-premises: Configure SMTP domain sharing as required. Configure mail flow between on-premises organizations.
3. Configure Directory Synchronization: Configure AAD Sync (FIM) to synchronize mail recipients in each forest and the Office 365 tenant.
4. Run Hybrid Configuration Wizard: Prepare Office 365 Tenant. Run the HCW in contoso.com and fabrikam.com. Validate mail flow between all entities.
5. Configure ADFS or use AAD with password sync: Configure ADFS in contoso.com. Configure ADFS in fabrikam.com.
6. Configure Organization Relationships: Configure an Org Relationship between each Org.
[Diagram: Office 365 tenant (fabrikam.onmicrosoft.com, Azure AD, Azure AD Auth, O365 Directory) connected to the fabrikam.com and contoso.com forests (E2013, AD, ADFS, ADFS Proxy) via AAD Sync (FIM) and SMTP; numbered callouts 1-6]
Legend: Two-way Forest Trust; FIM Management Agent; Federated Trust Relationship; SMTP/TLS Mail Flow; Federated Authentication; Organization Relationship
DAuth vs OAuth
DAuth
• Uses Microsoft Federation Gateway for token generation
• Organization Relationships
• Controls what companies you share information with
• Allows for granular control of what features are available (free/busy, MailTips)
OAuth
• Uses Auth Server in Azure AD (better resiliency and faster in forest communications)
• IntraOrgConnectors Configuration
• Controls what companies you can share information with
• No granular control of feature-set (all or nothing)
HCW now includes automated configuration for OAuth
Enables cross-premises discovery searches and cross-premises archive moves
Can be used for much more, like free/busy, and is used by 21Vianet customers (Greater China region)
Long term authentication approach for future capabilities
Configure OAuth for Hybrid
Configure button is not available if you are not running at least Exchange 2013 SP1 on all of your Exchange servers
Exchange 2013 pre-SP1 (and 2010/2007)
Do you really need OAuth?
Configure OAuth for Hybrid
eDiscovery Scenarios and OAuth
eDiscovery scenario / Requires OAuth
• Search on-premises and Exchange Online mailboxes in the same eDiscovery search initiated from the Exchange on-premises organization - Requires OAuth: Yes
• Search Exchange on-premises mailboxes that use Exchange Online Archiving for cloud-based archive mailboxes - Requires OAuth: Yes
• Search Exchange Online mailboxes from an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer - Requires OAuth: Yes
• Search on-premises mailboxes using an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer - Requires OAuth: No
• Search Exchange Online mailboxes from an eDiscovery search initiated from Exchange Online or the eDiscovery Center in SharePoint Online by an Office 365 tenant administrator or a compliance officer signed in to an Office 365 user account - Requires OAuth: No
FreeBusy works with OAuth
Not all features work with OAuth
HCW configures both Org Relationship and IntraOrgConnectors
FreeBusy and OAuth
[Diagram: On-premises user "Ben", Client Access Server, Microsoft Federation Gateway, Exchange Online Mailbox Server, Joe]
Ben requests free/busy info for Joe
CAS Server passes the MFG token and requests Joe's free/busy on behalf of Ben
Free/Busy request from Ben to Joe
FreeBusy using DAuth
[Diagram: On-premises user "Ben", Client Access Server, Microsoft Federation Gateway, Exchange Online Mailbox Server, Joe]
Exchange connects to the Azure OAUTH endpoint
Exchange Server passes the token and requests Joe's free/busy on behalf of Ben
Free/Busy request from Ben to Joe
Free/Busy works through a series of checks:
1st: we check to see if we can find free/busy locally
2nd: (if the mailbox is not local) we check for an IOC
3rd: (if there is no IOC) we check for an Organization Relationship
4th: we check for an availability address space
FreeBusy using OAuth
1 Office 365 mailbox can access legacy PFs on-premises
2 Office 365 mailbox can access Modern PFs on-premises
3 Exchange 2013 on-premises mailbox can access Modern PFs in Office 365
Hybrid Public Folder Options
Mailbox Version    PF Location:
                   2007 On-Premises   2010 On-Premises   2013 On-Premises   Exchange Online
Exchange 2007      Yes                Yes                No                 No
Exchange 2010      Yes                Yes                No                 No
Exchange 2013      Yes                Yes                Yes                Yes
Exchange Online    Yes                Yes                Yes                Yes
Outlook connects to cloud mailbox; starts by querying autodiscover.contoso.com
Exchange Online
On-premises
Proxy to PF server (running CAS role)
Auth as user over Public MBX auth
Hybrid PF access
Autodiscover responds with the target address for the cloud mailbox
Outlook does Autodiscover for target address of Contoso.mail.onmicrosoft.com
EXO responds with PFMailbox information obtained by org config or set explicitly on the mailbox: <PublicFolderInformation> <SmtpAddress>PFmailbox1@Contoso.com</SmtpAddress>
Outlook performs Autodiscover against PFmailbox1@Contoso.com
Outlook settings are returned, including the server name of the PFCAS
When PF access is initiated you then make a connection
DirSync currently does not sync mail-enabled public folder objects in either direction
We recommend customers run the following scripts periodically to sync these objects from on-premises to the cloud directory
Syncing Public Folders
Maintain Exchange Hybrid servers post migration for
Can I Retire Hybrid Servers?
All mailbox migration paths are now supported from the Exchange Admin Center through a unified mailbox move wizard
Moves are "pulled" from on-premises to the cloud
All move types now support the new "batch" architecture, which allows for easier creation and management of multiple moves
As with Exchange 2010 hybrid, mailbox moves support off-boarding from the cloud to on-premises
Mailbox Migration
Max default concurrent moves: 100 (exceptions can be made)
Item count is a factor with migration performance
Firewall configuration on the on-premises organization
Network latency is a factor
Migrations are not considered "User Expected" (WLM)
Multiple concurrent moves allow for optimized migrations
0.3-1.0 GB/hour range per mailbox
Source-side performance is a COMMON factor
Hybrid Automation
New Tool for Troubleshooting
• We will be collecting HCW logs
• We will try to determine the issue with a parser to prevent the call
• We will upload the log to make it available to Support
• We will be adding more checks
• We will be using this data to do some extra analytics in the service side to better warn customers of configuration issues
If Failed / Solution
• There are certificates installed in your Exchange Hybrid environment which are missing the subject name: http://go.microsoft.com/?linkid=9846727
• You need to fix your obsolete Active Directory Domain Services Federation Objects: http://go.microsoft.com/?linkid=9846726
• Your existing Exchange 2007 servers are not part of the Exchange Trusted Subsystems group: http://go.microsoft.com/?linkid=9846728
• You need to install Exchange 2010 SP3 RU3 or later: http://go.microsoft.com/?linkid=9846729
• In order to upgrade your Hybrid environment from Exchange 2010 to Exchange 2013, you need to rename your existing Organization Relationship: http://go.microsoft.com/?linkid=9846730
• Your Exchange Server 2013 needs to be running a version of CU6 or later; we recommend the latest version available: http://go.microsoft.com/?linkid=9846731
• Some manual configurations are needed to allow Legacy Free Busy to work as expected: http://go.microsoft.com/?linkid=9846732
• Microsoft Exchange Service Host is not running: http://go.microsoft.com/?linkid=9846733
• Please run the Exchange Hybrid Configuration Wizard on a server which has the CAS role installed: http://go.microsoft.com/?linkid=9846734
• You need to upgrade your legacy email address policy: http://go.microsoft.com/?linkid=9846735
• You need to address the issues found with the TLS certificate. If running Exchange Server 2010, you'll need to acquire a certificate with a name that has less than 256 characters. If running Exchange Server 2013, please install the latest cumulative update: http://go.microsoft.com/?linkid=9846736
http://aka.ms/hcwcheck
Your feedback is important
Scan the QR Code and let us know via the TechDays App
Laat ons weten wat u van de sessie vindt via de TechDays App
Scan de QR Code
Bent u al lid van de Microsoft Virtual Academy Op MVA kunt u altijd iets nieuws leren over de laatste technologie van Microsoft Meld u vandaag aan op de MVA Stand MVA biedt 724 gratis online training on-demand voor IT-Professionals en Ontwikkelaars
Agenda
Office 365 Hybrid Scenarios
Exchange Hybrid Fundamentals
Exchange Hybrid Deployment
Managing Exchange Hybrid
Mailbox Migration
Hybrid Configuration Diagnostic
Why Exchange Hybrid
Office 365
Exchange
on-premises
MRS
Calendaring
amp FreeBusy
Messaging
Address
Book
On Prem Office 365
Office 365 Hybrid Scenarios
Exchange Online
SharePoint Online
Skype for Business
Exchange Hybrid
SharePoint Hybrid
SfB Hybrid
OAuth
OAuth
Exchange Hybrid Scenario
On-premises Exchange organization
Existing Exchange environment
(Exchange 2007 or later)
Office 365 Active
Directory synchronization
Exchange 2013
client access amp
mailbox server
Office 365 User contacts amp groups via Azure AD Sync
Secure mail flow
Mailbox data via Mailbox Replication Service (MRS)
Sharing (freebusy Mail Tips archive etc)
Begin with the Exchange Deployment Assistant httpakamsexdeploy
Validate existing environment is in a standard and supported configuration
Primary namespace(s) MUST point to the latest installed version of Exchange
Planning
You should use standard sizing guidance
Migration Traffic is more taxing than the rest
Planning
From an existing Exchange 2007 or 2010 environmentmdashno Edge Transport server
Exchange 2013 hybrid deployment
autodiscovercontosocom
mailcontosocom
Exchange
20102007
Exchange
20102007
Exchange 20102007
Exchange 2013
Exchange 2013
Exchange 20102007
Intranet site
SP3UR8 or SP3UR15 SP3UR8 or SP3UR15
Internet-facing site
1 Prepare Install Exchange updates on all legacy servers
Prepare Active Directory with Exchange 2013 schema
2 Deploy Exchange 2013 Install both roles
Configure and enable the Mailbox Replication Service
3 Obtain and deploy Certificates Obtain and deploy certificates on Exchange 2013 CAS
4 Publish protocols externally Create public DNS A records for the EWS and SMTP
endpoints
Validate using Remote Connectivity Analyzer
5 Switch Autodiscover namespace to
Exchange 2013
6 Run the Hybrid Configuration Wizard
7 Move mailboxes
EWS SMTP
Exchange Hybrid Wizard History
Exchange 2013
SP1
Multiple exchange
organizations now
supported
Supports Exchange
2013 Edge
Thousands of tenants and millions of mailboxes in
Office 365 using Exchange Hybrid
Hybrid Configuration Wizard
Exchange Online
Org
On-Premises Exchange Organization
Hybrid
Configuration
Engine
Desired state
Inte
rn
et
Exchange
Management
Tools
Organization Level
Configuration Objects
(Exchange Federation Trust
Organization Relationship
Forefront Inbound Connector amp
Forefront Outbound Connector)
Domain Level
Configuration Objects
(Accepted Domains amp Remote
Domains)
Hybrid
Configuration
Object
Exchange Server Level
Configuration
(Mailbox Replication Service
Proxy Certificate Validation
Exchange Web Service
Virtual Directory Validation amp
Receive Connector)
Domain Level
Configuration
Objects
(Accepted Domains Remote
Domains amp
E-mail Address Policies)
Organization Level
Configuration Objects
(Exchange Federation Trust
Organization Relationship
Availability Address Space amp
Send Connector)
1
2 4 5
5
4
Remote
Powershell
Remote
Powershell3
3
The Update-HybridConfiguration cmdlet
triggers the Hybrid Configuration Engine
to start
1
The Hybrid Configuration Engine reads
the ldquodesired staterdquo stored on the
HybridConfiguration Active Directory
object
2
The Hybrid Configuration Engine
connects via Remote PowerShell to both
the on-premises and Exchange Online
organizations
3
The Hybrid Configuration Engine
discovers topology data and current
configuration from the on-premises
Exchange organization and the Exchange
Online organization
4
Based on the desired state topology data
and current configuration across both the
on-premises Exchange and Exchange
Online organizations the Hybrid
Configuration Engine establishes the
ldquodifferencerdquo and then executes
configuration tasks to establish the
ldquodesired staterdquo
5
Desired state configuration engine
Applies configuration to on-prem and online orgs
Supported Exchange Topologies Exchange 2013 Exchange 2010
Single Forest Model Accounts and Mailboxes in single forest
Resource Forest Model Multiple Account Forests Single Resource Forest
11 relationship between Exchange Organization and single O365 tenant
Exchange 2013 Service Pack 1
Supports multiple Exchange Organizations configured against a single O365 tenant
Multiple forests each containing accounts and Exchange organizations
N1 relationship between Exchange Organization and single O365 tenant
Office
365 Hybrid
Office
365 Hybrid Hybrid
contosocom fabrikamcom contosocom
R R R
Exchange 2013 multi-org hybrid deployment
Office 365 1 Prepare Update each Exchange organization to Service Pack 1
Validate Autodiscover is properly configured and published in
each Exchange organization
Validate public certificates for Exchange org are unique
Create two-way forest trust
2 Configure Mail Flow on-premises Configure SMTP domain sharing as required
Configure mail flow between on-premises organizations
3 Configure Directory Synchronization Configure AAD Sync (FIM) to synchronize mail recipients in each
forest and the Office 365 tenant
4 Run Hybrid Configuration Wizard Prepare Office 365 Tenant
Run the HCW in contosocom and fabrikamcom
Validate mail flow between all entities
5 Configure ADFS or use AAD with password sync Configure ADFS in contosocom
Configure ADFS in fabrikamcom
6 Configure Organization Relationships Configure an Org Relationship between each Org
fabrikamcom
E2013
contosocom
ADFS
AD
fabrikamonmicrosoftcom
fabrikamcom contosocom
E2013
ADFS
AD AAD Sync
(FIM)
Azure AD
Azure AD Auth
O365 Directory
ADFS
Proxy
ADFS
Proxy 1 1
2 2
3 3
3
4 4
5 5
6 6
SMTP
AAD Conn
Two-way Forest Trust
FIM Management Agent
Federated Trust Relationship
SMTPTLS Mail Flow
Federated Authentication
Organization Relationship
4
DAuth vs OAuth
DAuth OAuth
Uses Microsoft Federation Gateway for Token generation
Organization Relationships
Controls what companies you share information with
Allows for granular control of what features are available (free busy mailtips)
Uses Auth Server in Azure AD (better resiliency and faster in forest communications)
IntraOrgConnectors Configuration
Controls what companies you can share information with
No granular control of feature-set (all or nothing)
Organization
Relationships
Intraorg
Connectors
HCW now includes automated configuration for OAuth
Enables cross-premises discovery searches and cross-premises archive moves
Can be used for much more like freebusy and is used by 21Vianet customers (Greater China region)
Long term authentication approach for future capabilities
Configure OAuth for Hybrid
Configure OAuth for Hybrid
Configure Button is not available if you are not running at least Exchange 2013 SP1 on all of your Exchange servers
Exchange 2013 pre-SP1 (and 20102007)
Do you really need OAuth
Configure OAuth for Hybrid
eDiscovery Scenarios and OAuth
eDiscovery scenario Requires
OAuth
Search on-premises and Exchange Online mailboxes in the same eDiscovery search initiated from the Exchange on-premises organization
Yes
Search Exchange on-premises mailboxes that use Exchange Online Archiving for cloud-based archive mailboxes
Yes
Search Exchange Online mailboxes from an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer
Yes
Search on-premises mailboxes using an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer
No
Search Exchange Online mailboxes from an eDiscovery search initiated from Exchange Online or the eDiscovery Center in SharePoint Online by an Office 365 tenant administrator or a compliance officer signed in to an Office 365 user account
No
FreeBusy works with OAuth
Not all features work with OAuth
HCW configures both Org Relationship and IntraOrgConnectors
FreeBusy and OAuth
On Premises
On Premises User ldquoBenrdquo
Client Access Server
Microsoft Federation Gateway
Exchange Online
Mailbox Server
Ben requests
freebusy info for
Joe
Joe
Ben
CAS Server passes
the MFG token and
requests Joersquos
freebusy on
behalf of Ben
Free
Busy Requ
est From
Ben To
Joe
FreeBusy using DAuth
On Premises
On Premises User ldquoBenrdquo
Client Access Server
Microsoft Federation Gateway
Exchange Online
Mailbox Server
Joe
Ben
Exchange
connects to
the Azure
OAUTH
endpoint
Exchange
Server passes
the token and
requests Joersquos
freebusy on
behalf of Ben
Free
Busy Requ
est From
Ben To
Joe
FreeBusy works through a series of checks
1st we check to see if we can find freebusy locally
2nd (if the mailbox is not local) we check for an IOC
3rd (if there is no IOC) we check for an Organization Relationship
4th we check for an availability address space
FreeBusy using OAuth
1 Office 365 mailbox can access legacy PFs on-premises
2 Office 365 mailbox can access Modern PFs on-premises
3 Exchange 2013 on-premises mailbox can access Modern PFs in Office 365
Hybrid Public Folder Options
Mailbox Version PF Location
2007 On-Premises 2010 On-Premises 2013 On-Premises Exchange Online
Exchange 2007 Yes Yes No No
Exchange 2010 Yes Yes No No
Exchange 2013 Yes Yes Yes Yes
Exchange Online Yes Yes Yes Yes
Outlook connects to Cloud Mailbox starts by querying autodiscovercontosocom
Exchange Online
On-premises
Proxy to PF
server
(running CAS
role)
Auth as user
over Public
MBX auth
Hybrid PF access
Autodiscover responds with the target address for the cloud mailbox Outlook does Autodiscover for target address of Contosomailonmicrosoftcom EXO responds with PFMailbox information obtained by org config or set explicitly on the mailbox ltPublicFolderInformationgt ltSmtpAddressgtPFmailbox1Contosocom ltSmtpAddressgt Outlook performs Autodiscover against PFmailbox1Contosocom Outlook settings are returned including the server name of the PFCAS
When PF access is initiated you then make a connection
DirSync currently does not sync mail-enabled public folder objects in either direction
We recommend customers run the following scripts periodically to sync these objects from on-premises to the cloud directory
Syncing Public Folders
Maintain Exchange Hybrid servers post migration for
Can I Retire Hybrid Servers
All mailbox migration paths are now supported from the Exchange Admin Center through a unified mailbox move wizard
Moves are ldquopulledrdquo from on-premises to the cloud
All move types now support the new ldquobatchrdquo architecture which allows for easier creation and management of multiple moves
As with Exchange 2010 hybrid mailbox moves support off-boarding from the cloud to on-premises
Mailbox Migration
35
Max default Concurrent moves 100 (exceptions can
be made)
Item count is a factor with migration performance
Firewall configuration on the on-premises organization
Network Latency is a Factor
Migration are not considered ldquoUser Expectedrdquo (WLM)
Multiple concurrent moves allows for optimized
migrations
03ndash10 GBhour range per mailbox
Source Side
performance is a
COMMON factor
Hybrid Automation
New Tool for
Troubleshooting
bull We will be collecting HCW logs
bull We will try to determine the issue with a parser to prevent the call
bull We will upload the log to make it available to Support
bull We will be adding more checks
bull We will be using this data to do some extra analytics in the service side to
better warn customers of configuration issue
If Failed Solution
There are certificates installed in your Exchange Hybrid environment which are missing the subject
name
httpgomicrosoftcomlinkid=9846727
You need to fix your obsolete Active Directory Domain Services Federation Objects httpgomicrosoftcomlinkid=9846726
Your existing Exchange 2007 servers are not part of the Exchange Trusted Subsystems group httpgomicrosoftcomlinkid=9846728
You need to install Exchange 2010 sp3 RU3 or later httpgomicrosoftcomlinkid=9846729
In order to upgrade your Hybrid environment from Exchange 2010 to Exchange 2013 you need to
rename your existing Organization Relationship
httpgomicrosoftcomlinkid=9846730
Your Exchange Server 2013 needs to be running a version of CU6 or later we recommend the latest
version available
httpgomicrosoftcomlinkid=9846731
Some manual configurations are needed to allow Legacy Free Busy to work as expected httpgomicrosoftcomlinkid=9846732
Microsoft Exchange Service Host is not running httpgomicrosoftcomlinkid=9846733
Please run the Exchange Hybrid Configuration Wizard on a server which has the CAS role installed httpgomicrosoftcomlinkid=9846734
You need to upgrade your legacy email address policy httpgomicrosoftcomlinkid=9846735
You need to address the issues found with the TLS certificate If running Exchange Server 2010 youll
need to acquire a certificate with a name that has less than 256 characters If running Exchange Server
2013 please install the latest cumulative update
httpgomicrosoftcomlinkid=9846736
httpakamshcwcheck
Your feedback is important
Scan the QR Code and let us know via the TechDays App
Laat ons weten wat u van de sessie vindt via de TechDays App
Scan de QR Code
Bent u al lid van de Microsoft Virtual Academy Op MVA kunt u altijd iets nieuws leren over de laatste technologie van Microsoft Meld u vandaag aan op de MVA Stand MVA biedt 724 gratis online training on-demand voor IT-Professionals en Ontwikkelaars
Why Exchange Hybrid
Office 365
Exchange
on-premises
MRS
Calendaring
amp FreeBusy
Messaging
Address
Book
On Prem Office 365
Office 365 Hybrid Scenarios
Exchange Online
SharePoint Online
Skype for Business
Exchange Hybrid
SharePoint Hybrid
SfB Hybrid
OAuth
OAuth
Exchange Hybrid Scenario
On-premises Exchange organization
Existing Exchange environment
(Exchange 2007 or later)
Office 365 Active
Directory synchronization
Exchange 2013
client access amp
mailbox server
Office 365 User contacts amp groups via Azure AD Sync
Secure mail flow
Mailbox data via Mailbox Replication Service (MRS)
Sharing (freebusy Mail Tips archive etc)
Begin with the Exchange Deployment Assistant httpakamsexdeploy
Validate existing environment is in a standard and supported configuration
Primary namespace(s) MUST point to the latest installed version of Exchange
Planning
You should use standard sizing guidance
Migration Traffic is more taxing than the rest
Planning
From an existing Exchange 2007 or 2010 environmentmdashno Edge Transport server
Exchange 2013 hybrid deployment
autodiscovercontosocom
mailcontosocom
Exchange
20102007
Exchange
20102007
Exchange 20102007
Exchange 2013
Exchange 2013
Exchange 20102007
Intranet site
SP3UR8 or SP3UR15 SP3UR8 or SP3UR15
Internet-facing site
1 Prepare Install Exchange updates on all legacy servers
Prepare Active Directory with Exchange 2013 schema
2 Deploy Exchange 2013 Install both roles
Configure and enable the Mailbox Replication Service
3 Obtain and deploy Certificates Obtain and deploy certificates on Exchange 2013 CAS
4 Publish protocols externally Create public DNS A records for the EWS and SMTP
endpoints
Validate using Remote Connectivity Analyzer
5 Switch Autodiscover namespace to
Exchange 2013
6 Run the Hybrid Configuration Wizard
7 Move mailboxes
EWS SMTP
Exchange Hybrid Wizard History
Exchange 2013
SP1
Multiple exchange
organizations now
supported
Supports Exchange
2013 Edge
Thousands of tenants and millions of mailboxes in
Office 365 using Exchange Hybrid
Hybrid Configuration Wizard
Exchange Online
Org
On-Premises Exchange Organization
Hybrid
Configuration
Engine
Desired state
Inte
rn
et
Exchange
Management
Tools
Organization Level
Configuration Objects
(Exchange Federation Trust
Organization Relationship
Forefront Inbound Connector amp
Forefront Outbound Connector)
Domain Level
Configuration Objects
(Accepted Domains amp Remote
Domains)
Hybrid
Configuration
Object
Exchange Server Level
Configuration
(Mailbox Replication Service
Proxy Certificate Validation
Exchange Web Service
Virtual Directory Validation amp
Receive Connector)
Domain Level
Configuration
Objects
(Accepted Domains Remote
Domains amp
E-mail Address Policies)
Organization Level
Configuration Objects
(Exchange Federation Trust
Organization Relationship
Availability Address Space amp
Send Connector)
1
2 4 5
5
4
Remote
Powershell
Remote
Powershell3
3
The Update-HybridConfiguration cmdlet
triggers the Hybrid Configuration Engine
to start
1
The Hybrid Configuration Engine reads
the ldquodesired staterdquo stored on the
HybridConfiguration Active Directory
object
2
The Hybrid Configuration Engine
connects via Remote PowerShell to both
the on-premises and Exchange Online
organizations
3
The Hybrid Configuration Engine
discovers topology data and current
configuration from the on-premises
Exchange organization and the Exchange
Online organization
4
Based on the desired state topology data
and current configuration across both the
on-premises Exchange and Exchange
Online organizations the Hybrid
Configuration Engine establishes the
ldquodifferencerdquo and then executes
configuration tasks to establish the
ldquodesired staterdquo
5
Desired state configuration engine
Applies configuration to on-prem and online orgs
Supported Exchange Topologies Exchange 2013 Exchange 2010
Single Forest Model Accounts and Mailboxes in single forest
Resource Forest Model Multiple Account Forests Single Resource Forest
11 relationship between Exchange Organization and single O365 tenant
Exchange 2013 Service Pack 1
Supports multiple Exchange Organizations configured against a single O365 tenant
Multiple forests each containing accounts and Exchange organizations
N1 relationship between Exchange Organization and single O365 tenant
Office
365 Hybrid
Office
365 Hybrid Hybrid
contosocom fabrikamcom contosocom
R R R
Exchange 2013 multi-org hybrid deployment

1 Prepare
• Update each Exchange organization to Service Pack 1
• Validate Autodiscover is properly configured and published in each Exchange organization
• Validate public certificates for Exchange org are unique
• Create two-way forest trust
2 Configure Mail Flow on-premises
• Configure SMTP domain sharing as required
• Configure mail flow between on-premises organizations
3 Configure Directory Synchronization
• Configure AAD Sync (FIM) to synchronize mail recipients in each forest and the Office 365 tenant
4 Run Hybrid Configuration Wizard
• Prepare Office 365 Tenant
• Run the HCW in contoso.com and fabrikam.com
• Validate mail flow between all entities
5 Configure ADFS or use AAD with password sync
• Configure ADFS in contoso.com
• Configure ADFS in fabrikam.com
6 Configure Organization Relationships
• Configure an Org Relationship between each Org

[Diagram: multi-org hybrid topology with numbered callouts 1 to 6. contoso.com and fabrikam.com each with E2013, AD, ADFS and ADFS Proxy; AAD Sync (FIM); Office 365 tenant fabrikam.onmicrosoft.com with Azure AD, Azure AD Auth and O365 Directory. Other labels: SMTP, AAD Conn. Legend: Two-way Forest Trust, FIM Management Agent, Federated Trust Relationship, SMTP/TLS Mail Flow, Federated Authentication, Organization Relationship.]
DAuth vs OAuth

DAuth (Organization Relationships)
• Uses Microsoft Federation Gateway for token generation
• Organization Relationships
• Controls what companies you share information with
• Allows for granular control of what features are available (free/busy, MailTips)

OAuth (IntraOrg Connectors)
• Uses Auth Server in Azure AD (better resiliency and faster in forest communications)
• IntraOrgConnectors configuration
• Controls what companies you can share information with
• No granular control of feature set (all or nothing)
Configure OAuth for Hybrid
• HCW now includes automated configuration for OAuth
• Enables cross-premises discovery searches and cross-premises archive moves
• Can be used for much more, like free/busy, and is used by 21Vianet customers (Greater China region)
• Long-term authentication approach for future capabilities
• The Configure button is not available if you are not running at least Exchange 2013 SP1 on all of your Exchange servers
• Exchange 2013 pre-SP1 (and 2010/2007): do you really need OAuth?
eDiscovery Scenarios and OAuth

eDiscovery scenario | Requires OAuth
Search on-premises and Exchange Online mailboxes in the same eDiscovery search initiated from the Exchange on-premises organization | Yes
Search Exchange on-premises mailboxes that use Exchange Online Archiving for cloud-based archive mailboxes | Yes
Search Exchange Online mailboxes from an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer | Yes
Search on-premises mailboxes using an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer | No
Search Exchange Online mailboxes from an eDiscovery search initiated from Exchange Online or the eDiscovery Center in SharePoint Online by an Office 365 tenant administrator or a compliance officer signed in to an Office 365 user account | No
Free/Busy and OAuth
• Free/busy works with OAuth
• Not all features work with OAuth
• HCW configures both Org Relationship and IntraOrgConnectors
Free/Busy using DAuth
[Diagram: free/busy request from Ben to Joe. Labels: On Premises, on-premises user "Ben", Client Access Server, Microsoft Federation Gateway, Exchange Online, Mailbox Server, Joe. Callouts: Ben requests free/busy info for Joe; the CAS server passes the MFG token and requests Joe's free/busy on behalf of Ben.]
Free/Busy using OAuth
[Diagram: free/busy request from Ben to Joe. Labels: On Premises, on-premises user "Ben", Client Access Server, Microsoft Federation Gateway, Exchange Online, Mailbox Server, Joe. Callouts: Exchange connects to the Azure OAuth endpoint; the Exchange server passes the token and requests Joe's free/busy on behalf of Ben.]

Free/busy works through a series of checks:
1st: we check to see if we can find free/busy locally
2nd (if the mailbox is not local): we check for an IOC
3rd (if there is no IOC): we check for an Organization Relationship
4th: we check for an availability address space
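
The lookup order above, combined with the DAuth vs OAuth comparison earlier in the deck, as an added PowerShell example that is not part of the original slides: it reports which mechanism and which authentication model would serve a target domain, and flags an organization relationship whose granular settings are shadowed by an IOC. The function names and sample objects are hypothetical and constructed; treating disabled objects as absent and matching domains exactly are assumptions.

```powershell
# Added example, not from the deck. Function and parameter names are hypothetical.
# Property names follow the objects returned by Get-IntraOrganizationConnector,
# Get-OrganizationRelationship and Get-AvailabilityAddressSpace.

function Test-DomainListed {
    param($List, [string] $Domain)
    # Values may be strings or SmtpDomain objects; compare on their string form.
    return (@($List | ForEach-Object { "$_" }) -contains $Domain)
}

function Resolve-FreeBusyPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $TargetDomain,
        [bool]     $MailboxIsLocal = $false,
        [object[]] $IntraOrgConnector = @(),
        [object[]] $OrganizationRelationship = @(),
        [object[]] $AvailabilityAddressSpace = @()
    )

    $result = [ordered]@{
        Domain = $TargetDomain; Step = 0; Mechanism = 'None'
        Auth = 'n/a'; Via = $null; Note = 'No lookup path matched.'
    }

    # 1st check: local mailbox, no cross-premises token involved.
    if ($MailboxIsLocal) {
        $result.Step = 1; $result.Mechanism = 'Local'; $result.Auth = 'None (in-org)'
        $result.Note = 'Answered inside the organization.'
        return [pscustomobject]$result
    }

    # Assumption: a disabled connector or relationship counts as "not present".
    $ioc = $IntraOrgConnector |
        Where-Object { $_.Enabled -and (Test-DomainListed $_.TargetAddressDomains $TargetDomain) } |
        Select-Object -First 1
    $rel = $OrganizationRelationship |
        Where-Object { $_.Enabled -and (Test-DomainListed $_.DomainNames $TargetDomain) } |
        Select-Object -First 1
    $aas = $AvailabilityAddressSpace |
        Where-Object { "$($_.ForestName)" -eq $TargetDomain } |
        Select-Object -First 1

    if ($ioc) {
        # 2nd check: IOC means OAuth, with no per-feature control.
        $result.Step = 2; $result.Mechanism = 'IntraOrganizationConnector'
        $result.Auth = 'OAuth (Azure AD auth server)'; $result.Via = $ioc.Name
        $result.Note = 'All-or-nothing feature set.'
        if ($rel) {
            $result.Note += " Organization relationship '$($rel.Name)' also matches but comes" +
                " later in the order, so its FreeBusyAccessLevel ($($rel.FreeBusyAccessLevel)) is not applied."
        }
    }
    elseif ($rel) {
        # 3rd check: organization relationship means DAuth, with granular settings.
        $result.Step = 3; $result.Mechanism = 'OrganizationRelationship'
        $result.Auth = 'DAuth (Microsoft Federation Gateway)'; $result.Via = $rel.Name
        $result.Note = "Granular: FreeBusyAccessEnabled=$($rel.FreeBusyAccessEnabled), " +
            "FreeBusyAccessLevel=$($rel.FreeBusyAccessLevel)."
    }
    elseif ($aas) {
        # 4th check: availability address space.
        $result.Step = 4; $result.Mechanism = 'AvailabilityAddressSpace'
        $result.Auth = "AccessMethod=$($aas.AccessMethod)"; $result.Via = $aas.ForestName
        $result.Note = 'Availability address space lookup.'
    }
    return [pscustomobject]$result
}

# Constructed sample configuration (not from a real tenant).
$iocs = @([pscustomobject]@{
    Name = 'IOC-constructed'; Enabled = $true
    TargetAddressDomains = @('contoso.mail.onmicrosoft.com') })
$rels = @(
    [pscustomobject]@{ Name = 'OnPrem-to-O365-constructed'; Enabled = $true
        DomainNames = @('contoso.mail.onmicrosoft.com')
        FreeBusyAccessEnabled = $true; FreeBusyAccessLevel = 'LimitedDetails' },
    [pscustomobject]@{ Name = 'Contoso-to-Fabrikam-constructed'; Enabled = $true
        DomainNames = @('fabrikam.com')
        FreeBusyAccessEnabled = $true; FreeBusyAccessLevel = 'AvailabilityOnly' })
$spaces = @([pscustomobject]@{ ForestName = 'legacy.example'; AccessMethod = 'OrgWideFB' })

# In the Exchange Management Shell, pass (Get-IntraOrganizationConnector),
# (Get-OrganizationRelationship) and (Get-AvailabilityAddressSpace) instead.
'contoso.mail.onmicrosoft.com', 'fabrikam.com', 'legacy.example', 'unknown.example' |
    ForEach-Object {
        Resolve-FreeBusyPath -TargetDomain $_ -IntraOrgConnector $iocs `
            -OrganizationRelationship $rels -AvailabilityAddressSpace $spaces
    } | Format-List
```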
Hybrid Public Folder Options
1 Office 365 mailbox can access legacy PFs on-premises
2 Office 365 mailbox can access Modern PFs on-premises
3 Exchange 2013 on-premises mailbox can access Modern PFs in Office 365

Mailbox Version | PF Location: 2007 On-Premises | 2010 On-Premises | 2013 On-Premises | Exchange Online
Exchange 2007 | Yes | Yes | No | No
Exchange 2010 | Yes | Yes | No | No
Exchange 2013 | Yes | Yes | Yes | Yes
Exchange Online | Yes | Yes | Yes | Yes
Hybrid PF access
[Diagram labels: Exchange Online; On-premises; Proxy to PF server (running CAS role); Auth as user over Public MBX auth]
• Outlook connects to the cloud mailbox and starts by querying autodiscover.contoso.com
• Autodiscover responds with the target address for the cloud mailbox
• Outlook does Autodiscover for the target address of Contoso.mail.onmicrosoft.com
• EXO responds with PFMailbox information, obtained by org config or set explicitly on the mailbox: <PublicFolderInformation> <SmtpAddress>PFmailbox1@Contoso.com</SmtpAddress>
• Outlook performs Autodiscover against PFmailbox1@Contoso.com
• Outlook settings are returned, including the server name of the PF/CAS
• When PF access is initiated, you then make a connection
Syncing Public Folders
• DirSync currently does not sync mail-enabled public folder objects in either direction
• We recommend customers run the following scripts periodically to sync these objects from on-premises to the cloud directory

Can I Retire Hybrid Servers?
Maintain Exchange Hybrid servers post migration for
Mailbox Migration
• All mailbox migration paths are now supported from the Exchange Admin Center through a unified mailbox move wizard
• Moves are "pulled" from on-premises to the cloud
• All move types now support the new "batch" architecture, which allows for easier creation and management of multiple moves
• As with Exchange 2010, hybrid mailbox moves support off-boarding from the cloud to on-premises

• Max default concurrent moves: 100 (exceptions can be made)
• Item count is a factor with migration performance
• Firewall configuration on the on-premises organization
• Network latency is a factor
• Migrations are not considered "User Expected" (WLM)
• Multiple concurrent moves allow for optimized migrations
• 0.3–1.0 GB/hour range per mailbox
• Source-side performance is a COMMON factor
Hybrid Automation
New Tool for Troubleshooting
• We will be collecting HCW logs
• We will try to determine the issue with a parser to prevent the call
• We will upload the log to make it available to Support
• We will be adding more checks
• We will be using this data to do some extra analytics on the service side to better warn customers of configuration issues
If Failed | Solution
There are certificates installed in your Exchange Hybrid environment which are missing the subject name | http://go.microsoft.com/?linkid=9846727
You need to fix your obsolete Active Directory Domain Services Federation Objects | http://go.microsoft.com/?linkid=9846726
Your existing Exchange 2007 servers are not part of the Exchange Trusted Subsystems group | http://go.microsoft.com/?linkid=9846728
You need to install Exchange 2010 SP3 RU3 or later | http://go.microsoft.com/?linkid=9846729
In order to upgrade your Hybrid environment from Exchange 2010 to Exchange 2013 you need to rename your existing Organization Relationship | http://go.microsoft.com/?linkid=9846730
Your Exchange Server 2013 needs to be running a version of CU6 or later; we recommend the latest version available | http://go.microsoft.com/?linkid=9846731
Some manual configurations are needed to allow Legacy Free Busy to work as expected | http://go.microsoft.com/?linkid=9846732
Microsoft Exchange Service Host is not running | http://go.microsoft.com/?linkid=9846733
Please run the Exchange Hybrid Configuration Wizard on a server which has the CAS role installed | http://go.microsoft.com/?linkid=9846734
You need to upgrade your legacy email address policy | http://go.microsoft.com/?linkid=9846735
You need to address the issues found with the TLS certificate. If running Exchange Server 2010, you'll need to acquire a certificate with a name that has less than 256 characters. If running Exchange Server 2013, please install the latest cumulative update | http://go.microsoft.com/?linkid=9846736

http://aka.ms/hcwcheck
Exchange Hybrid Scenario
On-premises Exchange organization
Existing Exchange environment
(Exchange 2007 or later)
Office 365 Active
Directory synchronization
Exchange 2013
client access amp
mailbox server
Office 365 User contacts amp groups via Azure AD Sync
Secure mail flow
Mailbox data via Mailbox Replication Service (MRS)
Sharing (freebusy Mail Tips archive etc)
Begin with the Exchange Deployment Assistant httpakamsexdeploy
Validate existing environment is in a standard and supported configuration
Primary namespace(s) MUST point to the latest installed version of Exchange
Planning
You should use standard sizing guidance
Migration Traffic is more taxing than the rest
Planning
From an existing Exchange 2007 or 2010 environmentmdashno Edge Transport server
Exchange 2013 hybrid deployment
autodiscovercontosocom
mailcontosocom
Exchange
20102007
Exchange
20102007
Exchange 20102007
Exchange 2013
Exchange 2013
Exchange 20102007
Intranet site
SP3UR8 or SP3UR15 SP3UR8 or SP3UR15
Internet-facing site
1 Prepare Install Exchange updates on all legacy servers
Prepare Active Directory with Exchange 2013 schema
2 Deploy Exchange 2013 Install both roles
Configure and enable the Mailbox Replication Service
3 Obtain and deploy Certificates Obtain and deploy certificates on Exchange 2013 CAS
4 Publish protocols externally Create public DNS A records for the EWS and SMTP
endpoints
Validate using Remote Connectivity Analyzer
5 Switch Autodiscover namespace to
Exchange 2013
6 Run the Hybrid Configuration Wizard
7 Move mailboxes
EWS SMTP
Exchange Hybrid Wizard History
Exchange 2013
SP1
Multiple exchange
organizations now
supported
Supports Exchange
2013 Edge
Thousands of tenants and millions of mailboxes in
Office 365 using Exchange Hybrid
Hybrid Configuration Wizard
Exchange Online
Org
On-Premises Exchange Organization
Hybrid
Configuration
Engine
Desired state
Inte
rn
et
Exchange
Management
Tools
Organization Level
Configuration Objects
(Exchange Federation Trust
Organization Relationship
Forefront Inbound Connector amp
Forefront Outbound Connector)
Domain Level
Configuration Objects
(Accepted Domains amp Remote
Domains)
Hybrid
Configuration
Object
Exchange Server Level
Configuration
(Mailbox Replication Service
Proxy Certificate Validation
Exchange Web Service
Virtual Directory Validation amp
Receive Connector)
Domain Level
Configuration
Objects
(Accepted Domains Remote
Domains amp
E-mail Address Policies)
Organization Level
Configuration Objects
(Exchange Federation Trust
Organization Relationship
Availability Address Space amp
Send Connector)
1
2 4 5
5
4
Remote
Powershell
Remote
Powershell3
3
The Update-HybridConfiguration cmdlet
triggers the Hybrid Configuration Engine
to start
1
The Hybrid Configuration Engine reads
the ldquodesired staterdquo stored on the
HybridConfiguration Active Directory
object
2
The Hybrid Configuration Engine
connects via Remote PowerShell to both
the on-premises and Exchange Online
organizations
3
The Hybrid Configuration Engine
discovers topology data and current
configuration from the on-premises
Exchange organization and the Exchange
Online organization
4
Based on the desired state topology data
and current configuration across both the
on-premises Exchange and Exchange
Online organizations the Hybrid
Configuration Engine establishes the
ldquodifferencerdquo and then executes
configuration tasks to establish the
ldquodesired staterdquo
5
Desired state configuration engine
Applies configuration to on-prem and online orgs
Supported Exchange Topologies Exchange 2013 Exchange 2010
Single Forest Model Accounts and Mailboxes in single forest
Resource Forest Model Multiple Account Forests Single Resource Forest
11 relationship between Exchange Organization and single O365 tenant
Exchange 2013 Service Pack 1
Supports multiple Exchange Organizations configured against a single O365 tenant
Multiple forests each containing accounts and Exchange organizations
N1 relationship between Exchange Organization and single O365 tenant
Office
365 Hybrid
Office
365 Hybrid Hybrid
contosocom fabrikamcom contosocom
R R R
Exchange 2013 multi-org hybrid deployment
Office 365 1 Prepare Update each Exchange organization to Service Pack 1
Validate Autodiscover is properly configured and published in
each Exchange organization
Validate public certificates for Exchange org are unique
Create two-way forest trust
2 Configure Mail Flow on-premises Configure SMTP domain sharing as required
Configure mail flow between on-premises organizations
3 Configure Directory Synchronization Configure AAD Sync (FIM) to synchronize mail recipients in each
forest and the Office 365 tenant
4 Run Hybrid Configuration Wizard Prepare Office 365 Tenant
Run the HCW in contosocom and fabrikamcom
Validate mail flow between all entities
5 Configure ADFS or use AAD with password sync Configure ADFS in contosocom
Configure ADFS in fabrikamcom
6 Configure Organization Relationships Configure an Org Relationship between each Org
fabrikamcom
E2013
contosocom
ADFS
AD
fabrikamonmicrosoftcom
fabrikamcom contosocom
E2013
ADFS
AD AAD Sync
(FIM)
Azure AD
Azure AD Auth
O365 Directory
ADFS
Proxy
ADFS
Proxy 1 1
2 2
3 3
3
4 4
5 5
6 6
SMTP
AAD Conn
Two-way Forest Trust
FIM Management Agent
Federated Trust Relationship
SMTPTLS Mail Flow
Federated Authentication
Organization Relationship
4
DAuth vs OAuth
DAuth OAuth
Uses Microsoft Federation Gateway for Token generation
Organization Relationships
Controls what companies you share information with
Allows for granular control of what features are available (free busy mailtips)
Uses Auth Server in Azure AD (better resiliency and faster in forest communications)
IntraOrgConnectors Configuration
Controls what companies you can share information with
No granular control of feature-set (all or nothing)
Organization
Relationships
Intraorg
Connectors
HCW now includes automated configuration for OAuth
Enables cross-premises discovery searches and cross-premises archive moves
Can be used for much more like freebusy and is used by 21Vianet customers (Greater China region)
Long term authentication approach for future capabilities
Configure OAuth for Hybrid
Configure OAuth for Hybrid
Configure Button is not available if you are not running at least Exchange 2013 SP1 on all of your Exchange servers
Exchange 2013 pre-SP1 (and 20102007)
Do you really need OAuth
Configure OAuth for Hybrid
eDiscovery Scenarios and OAuth
eDiscovery scenario Requires
OAuth
Search on-premises and Exchange Online mailboxes in the same eDiscovery search initiated from the Exchange on-premises organization
Yes
Search Exchange on-premises mailboxes that use Exchange Online Archiving for cloud-based archive mailboxes
Yes
Search Exchange Online mailboxes from an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer
Yes
Search on-premises mailboxes using an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer
No
Search Exchange Online mailboxes from an eDiscovery search initiated from Exchange Online or the eDiscovery Center in SharePoint Online by an Office 365 tenant administrator or a compliance officer signed in to an Office 365 user account
No
FreeBusy works with OAuth
Not all features work with OAuth
HCW configures both Org Relationship and IntraOrgConnectors
FreeBusy and OAuth
On Premises
On Premises User ldquoBenrdquo
Client Access Server
Microsoft Federation Gateway
Exchange Online
Mailbox Server
Ben requests
freebusy info for
Joe
Joe
Ben
CAS Server passes
the MFG token and
requests Joersquos
freebusy on
behalf of Ben
Free
Busy Requ
est From
Ben To
Joe
FreeBusy using DAuth
On Premises
On Premises User ldquoBenrdquo
Client Access Server
Microsoft Federation Gateway
Exchange Online
Mailbox Server
Joe
Ben
Exchange
connects to
the Azure
OAUTH
endpoint
Exchange
Server passes
the token and
requests Joersquos
freebusy on
behalf of Ben
Free
Busy Requ
est From
Ben To
Joe
FreeBusy works through a series of checks
1st we check to see if we can find freebusy locally
2nd (if the mailbox is not local) we check for an IOC
3rd (if there is no IOC) we check for an Organization Relationship
4th we check for an availability address space
FreeBusy using OAuth
1 Office 365 mailbox can access legacy PFs on-premises
2 Office 365 mailbox can access Modern PFs on-premises
3 Exchange 2013 on-premises mailbox can access Modern PFs in Office 365
Hybrid Public Folder Options
Mailbox Version PF Location
2007 On-Premises 2010 On-Premises 2013 On-Premises Exchange Online
Exchange 2007 Yes Yes No No
Exchange 2010 Yes Yes No No
Exchange 2013 Yes Yes Yes Yes
Exchange Online Yes Yes Yes Yes
Outlook connects to Cloud Mailbox starts by querying autodiscovercontosocom
Exchange Online
On-premises
Proxy to PF
server
(running CAS
role)
Auth as user
over Public
MBX auth
Hybrid PF access
Autodiscover responds with the target address for the cloud mailbox Outlook does Autodiscover for target address of Contosomailonmicrosoftcom EXO responds with PFMailbox information obtained by org config or set explicitly on the mailbox ltPublicFolderInformationgt ltSmtpAddressgtPFmailbox1Contosocom ltSmtpAddressgt Outlook performs Autodiscover against PFmailbox1Contosocom Outlook settings are returned including the server name of the PFCAS
When PF access is initiated you then make a connection
DirSync currently does not sync mail-enabled public folder objects in either direction
We recommend customers run the following scripts periodically to sync these objects from on-premises to the cloud directory
Syncing Public Folders
Maintain Exchange Hybrid servers post migration for
Can I Retire Hybrid Servers
All mailbox migration paths are now supported from the Exchange Admin Center through a unified mailbox move wizard
Moves are ldquopulledrdquo from on-premises to the cloud
All move types now support the new ldquobatchrdquo architecture which allows for easier creation and management of multiple moves
As with Exchange 2010 hybrid mailbox moves support off-boarding from the cloud to on-premises
Mailbox Migration
35
Max default Concurrent moves 100 (exceptions can
be made)
Item count is a factor with migration performance
Firewall configuration on the on-premises organization
Network Latency is a Factor
Migration are not considered ldquoUser Expectedrdquo (WLM)
Multiple concurrent moves allows for optimized
migrations
03ndash10 GBhour range per mailbox
Source Side
performance is a
COMMON factor
Hybrid Automation
New Tool for
Troubleshooting
bull We will be collecting HCW logs
bull We will try to determine the issue with a parser to prevent the call
bull We will upload the log to make it available to Support
bull We will be adding more checks
bull We will be using this data to do some extra analytics in the service side to
better warn customers of configuration issue
If Failed | Solution
There are certificates installed in your Exchange Hybrid environment which are missing the subject name | http://go.microsoft.com/?linkid=9846727
You need to fix your obsolete Active Directory Domain Services Federation Objects | http://go.microsoft.com/?linkid=9846726
Your existing Exchange 2007 servers are not part of the Exchange Trusted Subsystems group | http://go.microsoft.com/?linkid=9846728
You need to install Exchange 2010 SP3 RU3 or later | http://go.microsoft.com/?linkid=9846729
In order to upgrade your Hybrid environment from Exchange 2010 to Exchange 2013 you need to rename your existing Organization Relationship | http://go.microsoft.com/?linkid=9846730
Your Exchange Server 2013 needs to be running a version of CU6 or later; we recommend the latest version available | http://go.microsoft.com/?linkid=9846731
Some manual configurations are needed to allow Legacy Free Busy to work as expected | http://go.microsoft.com/?linkid=9846732
Microsoft Exchange Service Host is not running | http://go.microsoft.com/?linkid=9846733
Please run the Exchange Hybrid Configuration Wizard on a server which has the CAS role installed | http://go.microsoft.com/?linkid=9846734
You need to upgrade your legacy email address policy | http://go.microsoft.com/?linkid=9846735
You need to address the issues found with the TLS certificate. If running Exchange Server 2010, you'll need to acquire a certificate with a name that has less than 256 characters. If running Exchange Server 2013, please install the latest cumulative update | http://go.microsoft.com/?linkid=9846736
http://aka.ms/hcwcheck
Begin with the Exchange Deployment Assistant: http://aka.ms/exdeploy
Validate existing environment is in a standard and supported configuration
Primary namespace(s) MUST point to the latest installed version of Exchange
Planning
You should use standard sizing guidance
Migration Traffic is more taxing than the rest
Planning
From an existing Exchange 2007 or 2010 environment - no Edge Transport server
Exchange 2013 hybrid deployment
[Diagram labels: autodiscover.contoso.com; mail.contoso.com; Exchange 2010/2007 (SP3UR8 or SP3UR15); Exchange 2013; Internet-facing site; Intranet site; EWS; SMTP]
1. Prepare: Install Exchange updates on all legacy servers; prepare Active Directory with Exchange 2013 schema
2. Deploy Exchange 2013: Install both roles; configure and enable the Mailbox Replication Service
3. Obtain and deploy certificates: Obtain and deploy certificates on Exchange 2013 CAS
4. Publish protocols externally: Create public DNS A records for the EWS and SMTP endpoints; validate using Remote Connectivity Analyzer
5. Switch Autodiscover namespace to Exchange 2013
6. Run the Hybrid Configuration Wizard
7. Move mailboxes
Exchange Hybrid Wizard History
Exchange 2013 SP1: Multiple Exchange organizations now supported; supports Exchange 2013 Edge
Thousands of tenants and millions of mailboxes in Office 365 using Exchange Hybrid
Hybrid Configuration Wizard
[Diagram labels: Exchange Management Tools; Hybrid Configuration Engine; Hybrid Configuration Object (desired state); Remote PowerShell connections across the Internet; callouts 1-5]
Exchange Online Org
  Organization Level Configuration Objects (Exchange Federation Trust, Organization Relationship, Forefront Inbound Connector & Forefront Outbound Connector)
  Domain Level Configuration Objects (Accepted Domains & Remote Domains)
On-Premises Exchange Organization
  Exchange Server Level Configuration (Mailbox Replication Service Proxy, Certificate Validation, Exchange Web Service Virtual Directory Validation & Receive Connector)
  Domain Level Configuration Objects (Accepted Domains, Remote Domains & E-mail Address Policies)
  Organization Level Configuration Objects (Exchange Federation Trust, Organization Relationship, Availability Address Space & Send Connector)
1. The Update-HybridConfiguration cmdlet triggers the Hybrid Configuration Engine to start
2. The Hybrid Configuration Engine reads the "desired state" stored on the HybridConfiguration Active Directory object
3. The Hybrid Configuration Engine connects via Remote PowerShell to both the on-premises and Exchange Online organizations
4. The Hybrid Configuration Engine discovers topology data and current configuration from the on-premises Exchange organization and the Exchange Online organization
5. Based on the desired state, topology data, and current configuration across both the on-premises Exchange and Exchange Online organizations, the Hybrid Configuration Engine establishes the "difference" and then executes configuration tasks to establish the "desired state"
Desired state configuration engine
Applies configuration to on-prem and online orgs
Supported Exchange Topologies
Exchange 2013 / Exchange 2010
  Single Forest Model: accounts and mailboxes in single forest
  Resource Forest Model: multiple account forests, single resource forest
  1:1 relationship between Exchange Organization and single O365 tenant
Exchange 2013 Service Pack 1
  Supports multiple Exchange Organizations configured against a single O365 tenant
  Multiple forests, each containing accounts and Exchange organizations
  N:1 relationship between Exchange Organization and single O365 tenant
[Diagram labels: Office 365; Hybrid; contoso.com; fabrikam.com]
Exchange 2013 multi-org hybrid deployment
1. Prepare
  Update each Exchange organization to Service Pack 1
  Validate Autodiscover is properly configured and published in each Exchange organization
  Validate public certificates for Exchange org are unique
  Create two-way forest trust
2. Configure Mail Flow on-premises
  Configure SMTP domain sharing as required
  Configure mail flow between on-premises organizations
3. Configure Directory Synchronization
  Configure AAD Sync (FIM) to synchronize mail recipients in each forest and the Office 365 tenant
4. Run Hybrid Configuration Wizard
  Prepare Office 365 Tenant
  Run the HCW in contoso.com and fabrikam.com
  Validate mail flow between all entities
5. Configure ADFS or use AAD with password sync
  Configure ADFS in contoso.com
  Configure ADFS in fabrikam.com
6. Configure Organization Relationships
  Configure an Org Relationship between each Org
[Diagram labels: Office 365; fabrikam.onmicrosoft.com; Azure AD; Azure AD Auth; O365 Directory; fabrikam.com; contoso.com; E2013; AD; ADFS; ADFS Proxy; AAD Sync (FIM); AAD Conn; SMTP; callouts 1-6]
[Diagram legend: Two-way Forest Trust; FIM Management Agent; Federated Trust Relationship; SMTP/TLS Mail Flow; Federated Authentication; Organization Relationship]
DAuth vs OAuth
DAuth | OAuth
Uses Microsoft Federation Gateway for token generation | Uses Auth Server in Azure AD (better resiliency and faster in forest communications)
Organization Relationships | IntraOrgConnectors configuration
Controls what companies you share information with | Controls what companies you can share information with
Allows for granular control of what features are available (free/busy, MailTips) | No granular control of feature-set (all or nothing)
HCW now includes automated configuration for OAuth
Enables cross-premises discovery searches and cross-premises archive moves
Can be used for much more, like free/busy, and is used by 21Vianet customers (Greater China region)
Long-term authentication approach for future capabilities
Configure OAuth for Hybrid
Configure button is not available if you are not running at least Exchange 2013 SP1 on all of your Exchange servers
Exchange 2013 pre-SP1 (and 2010/2007)
Do you really need OAuth?
Configure OAuth for Hybrid
eDiscovery Scenarios and OAuth
eDiscovery scenario | Requires OAuth
Search on-premises and Exchange Online mailboxes in the same eDiscovery search initiated from the Exchange on-premises organization | Yes
Search Exchange on-premises mailboxes that use Exchange Online Archiving for cloud-based archive mailboxes | Yes
Search Exchange Online mailboxes from an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer | Yes
Search on-premises mailboxes using an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer | No
Search Exchange Online mailboxes from an eDiscovery search initiated from Exchange Online or the eDiscovery Center in SharePoint Online by an Office 365 tenant administrator or a compliance officer signed in to an Office 365 user account | No
Free/busy works with OAuth
Not all features work with OAuth
HCW configures both Org Relationship and IntraOrgConnectors
Free/Busy and OAuth
[Diagram labels: On Premises; on-premises user "Ben"; Client Access Server; Microsoft Federation Gateway; Exchange Online; Mailbox Server; Joe]
Ben requests free/busy info for Joe
CAS Server passes the MFG token and requests Joe's free/busy on behalf of Ben
Free/busy request from Ben to Joe
Free/Busy using DAuth
[Diagram labels: On Premises; on-premises user "Ben"; Client Access Server; Microsoft Federation Gateway; Exchange Online; Mailbox Server; Joe]
Exchange connects to the Azure OAuth endpoint
Exchange Server passes the token and requests Joe's free/busy on behalf of Ben
Free/busy request from Ben to Joe
Free/busy works through a series of checks:
1st: we check to see if we can find free/busy locally
2nd (if the mailbox is not local): we check for an IOC (IntraOrganizationConnector)
3rd (if there is no IOC): we check for an Organization Relationship
4th: we check for an availability address space
Free/Busy using OAuth
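The lookup order above decides whether a cross-premises free/busy request is authorized through OAuth or DAuth, so it is worth being able to predict it per recipient. The following is an added PowerShell example, not part of the original deck or Microsoft's code: it models the four checks over constructed objects shaped like the output of Get-IntraOrganizationConnector, Get-OrganizationRelationship and Get-AvailabilityAddressSpace. The function name, the treatment of a disabled connector as "no IOC", and all sample names and domains are assumptions.

```powershell
# Added example: models the free/busy lookup order; it does not query Exchange.
function Resolve-FreeBusyPath {
    [CmdletBinding()]
    param(
        # Needs Name and ExternalEmailAddress (empty for a locally hosted mailbox).
        [Parameter(Mandatory = $true)] [psobject] $Recipient,
        [psobject[]] $IntraOrgConnector        = @(),
        [psobject[]] $OrganizationRelationship = @(),
        [psobject[]] $AvailabilityAddressSpace = @()
    )

    function New-Result($Step, $Mechanism, $Auth, $Matched) {
        [pscustomobject]@{
            Recipient = $Recipient.Name
            Step      = $Step
            Mechanism = $Mechanism
            Auth      = $Auth
            Matched   = $Matched
        }
    }

    # 1st: no target address means the mailbox is local to this organization.
    if ([string]::IsNullOrEmpty($Recipient.ExternalEmailAddress)) {
        return New-Result 1 'Local mailbox' 'n/a' $null
    }

    # Every cross-premises check keys on the domain of the target address.
    $domain = ($Recipient.ExternalEmailAddress -replace '^smtp:', '').Split('@')[-1]

    # 2nd: an enabled IntraOrganizationConnector covering that domain (OAuth).
    # Assumption: a disabled connector is treated the same as no connector.
    $ioc = $IntraOrgConnector |
        Where-Object { $_.Enabled -and ($_.TargetAddressDomains -contains $domain) } |
        Select-Object -First 1
    if ($ioc) {
        return New-Result 2 'IntraOrganizationConnector' 'OAuth (Azure AD auth server)' $ioc.Name
    }

    # 3rd: an Organization Relationship that shares free/busy with that domain (DAuth).
    $rel = $OrganizationRelationship |
        Where-Object { $_.Enabled -and $_.FreeBusyAccessEnabled -and ($_.DomainNames -contains $domain) } |
        Select-Object -First 1
    if ($rel) {
        return New-Result 3 'OrganizationRelationship' 'DAuth (Microsoft Federation Gateway)' $rel.Name
    }

    # 4th: an availability address space for that domain.
    $aas = $AvailabilityAddressSpace |
        Where-Object { $_.ForestName -eq $domain } |
        Select-Object -First 1
    if ($aas) {
        return New-Result 4 'AvailabilityAddressSpace' "AccessMethod=$($aas.AccessMethod)" $aas.ForestName
    }

    # Nothing matched: the requester gets no free/busy data for this recipient.
    New-Result 0 'No path' 'Free/busy unavailable' $null
}

# Constructed sample configuration (hypothetical names and domains).
$iocs = @(
    [pscustomobject]@{ Name = 'Sample IOC'; Enabled = $false
                       TargetAddressDomains = @('contoso.mail.onmicrosoft.com') }
)
$rels = @(
    [pscustomobject]@{ Name = 'Sample Org Relationship'; Enabled = $true
                       FreeBusyAccessEnabled = $true
                       DomainNames = @('contoso.mail.onmicrosoft.com') }
)
$spaces = @(
    [pscustomobject]@{ ForestName = 'partner.example'; AccessMethod = 'OrgWideFB' }
)
$recipients = @(
    [pscustomobject]@{ Name = 'Ben'; ExternalEmailAddress = $null }
    [pscustomobject]@{ Name = 'Joe'; ExternalEmailAddress = 'SMTP:joe@contoso.mail.onmicrosoft.com' }
    [pscustomobject]@{ Name = 'Ann'; ExternalEmailAddress = 'SMTP:ann@partner.example' }
    [pscustomobject]@{ Name = 'Sam'; ExternalEmailAddress = 'SMTP:sam@unlisted.example' }
)

# With the sample IOC disabled, Joe resolves through the Organization Relationship
# (DAuth); set Enabled = $true on the IOC and the same request moves to OAuth.
$recipients | ForEach-Object {
    Resolve-FreeBusyPath -Recipient $_ -IntraOrgConnector $iocs `
        -OrganizationRelationship $rels -AvailabilityAddressSpace $spaces
} | Format-Table -AutoSize
```

On a live server the three configuration arrays would come from the cmdlets named above; comparing the result with the path you intended shows when requests are silently falling back from OAuth to an Organization Relationship.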
1. Office 365 mailbox can access legacy PFs on-premises
2. Office 365 mailbox can access Modern PFs on-premises
3. Exchange 2013 on-premises mailbox can access Modern PFs in Office 365
Hybrid Public Folder Options
PF Location (columns) by Mailbox Version (rows)
Mailbox Version | 2007 On-Premises | 2010 On-Premises | 2013 On-Premises | Exchange Online
Exchange 2007 | Yes | Yes | No | No
Exchange 2010 | Yes | Yes | No | No
Exchange 2013 | Yes | Yes | Yes | Yes
Exchange Online | Yes | Yes | Yes | Yes
Outlook connects to cloud mailbox; starts by querying autodiscover.contoso.com
[Diagram labels: Exchange Online; On-premises; Proxy to PF server (running CAS role); Auth as user over Public MBX auth]
Hybrid PF access
Autodiscover responds with the target address for the cloud mailbox
Outlook does Autodiscover for target address of Contoso.mail.onmicrosoft.com
EXO responds with PFMailbox information obtained by org config or set explicitly on the mailbox: <PublicFolderInformation> <SmtpAddress>PFmailbox1@Contoso.com</SmtpAddress>
Outlook performs Autodiscover against PFmailbox1@Contoso.com
Outlook settings are returned, including the server name of the PFCAS
When PF access is initiated you then make a connection
DirSync currently does not sync mail-enabled public folder objects in either direction
From an existing Exchange 2007 or 2010 environmentmdashno Edge Transport server
Exchange 2013 hybrid deployment
autodiscovercontosocom
mailcontosocom
Exchange
20102007
Exchange
20102007
Exchange 20102007
Exchange 2013
Exchange 2013
Exchange 20102007
Intranet site
SP3UR8 or SP3UR15 SP3UR8 or SP3UR15
Internet-facing site
1 Prepare Install Exchange updates on all legacy servers
Prepare Active Directory with Exchange 2013 schema
2 Deploy Exchange 2013 Install both roles
Configure and enable the Mailbox Replication Service
3 Obtain and deploy Certificates Obtain and deploy certificates on Exchange 2013 CAS
4 Publish protocols externally Create public DNS A records for the EWS and SMTP
endpoints
Validate using Remote Connectivity Analyzer
5 Switch Autodiscover namespace to
Exchange 2013
6 Run the Hybrid Configuration Wizard
7 Move mailboxes
EWS SMTP
Exchange Hybrid Wizard History
Exchange 2013
SP1
Multiple exchange
organizations now
supported
Supports Exchange
2013 Edge
Thousands of tenants and millions of mailboxes in
Office 365 using Exchange Hybrid
Hybrid Configuration Wizard
Exchange Online
Org
On-Premises Exchange Organization
Hybrid
Configuration
Engine
Desired state
Inte
rn
et
Exchange
Management
Tools
Organization Level
Configuration Objects
(Exchange Federation Trust
Organization Relationship
Forefront Inbound Connector amp
Forefront Outbound Connector)
Domain Level
Configuration Objects
(Accepted Domains amp Remote
Domains)
Hybrid
Configuration
Object
Exchange Server Level
Configuration
(Mailbox Replication Service
Proxy Certificate Validation
Exchange Web Service
Virtual Directory Validation amp
Receive Connector)
Domain Level
Configuration
Objects
(Accepted Domains Remote
Domains amp
E-mail Address Policies)
Organization Level
Configuration Objects
(Exchange Federation Trust
Organization Relationship
Availability Address Space amp
Send Connector)
1
2 4 5
5
4
Remote
Powershell
Remote
Powershell3
3
The Update-HybridConfiguration cmdlet
triggers the Hybrid Configuration Engine
to start
1
The Hybrid Configuration Engine reads
the ldquodesired staterdquo stored on the
HybridConfiguration Active Directory
object
2
The Hybrid Configuration Engine
connects via Remote PowerShell to both
the on-premises and Exchange Online
organizations
3
The Hybrid Configuration Engine
discovers topology data and current
configuration from the on-premises
Exchange organization and the Exchange
Online organization
4
Based on the desired state topology data
and current configuration across both the
on-premises Exchange and Exchange
Online organizations the Hybrid
Configuration Engine establishes the
ldquodifferencerdquo and then executes
configuration tasks to establish the
ldquodesired staterdquo
5
Desired state configuration engine
Applies configuration to on-prem and online orgs
Supported Exchange Topologies Exchange 2013 Exchange 2010
Single Forest Model Accounts and Mailboxes in single forest
Resource Forest Model Multiple Account Forests Single Resource Forest
11 relationship between Exchange Organization and single O365 tenant
Exchange 2013 Service Pack 1
Supports multiple Exchange Organizations configured against a single O365 tenant
Multiple forests each containing accounts and Exchange organizations
N1 relationship between Exchange Organization and single O365 tenant
Office
365 Hybrid
Office
365 Hybrid Hybrid
contosocom fabrikamcom contosocom
R R R
Exchange 2013 multi-org hybrid deployment
Office 365 1 Prepare Update each Exchange organization to Service Pack 1
Validate Autodiscover is properly configured and published in
each Exchange organization
Validate public certificates for Exchange org are unique
Create two-way forest trust
2 Configure Mail Flow on-premises Configure SMTP domain sharing as required
Configure mail flow between on-premises organizations
3 Configure Directory Synchronization Configure AAD Sync (FIM) to synchronize mail recipients in each
forest and the Office 365 tenant
4 Run Hybrid Configuration Wizard Prepare Office 365 Tenant
Run the HCW in contosocom and fabrikamcom
Validate mail flow between all entities
5 Configure ADFS or use AAD with password sync Configure ADFS in contosocom
Configure ADFS in fabrikamcom
6 Configure Organization Relationships Configure an Org Relationship between each Org
fabrikamcom
E2013
contosocom
ADFS
AD
fabrikamonmicrosoftcom
fabrikamcom contosocom
E2013
ADFS
AD AAD Sync
(FIM)
Azure AD
Azure AD Auth
O365 Directory
ADFS
Proxy
ADFS
Proxy 1 1
2 2
3 3
3
4 4
5 5
6 6
SMTP
AAD Conn
Two-way Forest Trust
FIM Management Agent
Federated Trust Relationship
SMTPTLS Mail Flow
Federated Authentication
Organization Relationship
4
DAuth vs OAuth
DAuth OAuth
Uses Microsoft Federation Gateway for Token generation
Organization Relationships
Controls what companies you share information with
Allows for granular control of what features are available (free busy mailtips)
Uses Auth Server in Azure AD (better resiliency and faster in forest communications)
IntraOrgConnectors Configuration
Controls what companies you can share information with
No granular control of feature-set (all or nothing)
Organization
Relationships
Intraorg
Connectors
HCW now includes automated configuration for OAuth
Enables cross-premises discovery searches and cross-premises archive moves
Can be used for much more like freebusy and is used by 21Vianet customers (Greater China region)
Long term authentication approach for future capabilities
Configure OAuth for Hybrid
Configure OAuth for Hybrid
Configure Button is not available if you are not running at least Exchange 2013 SP1 on all of your Exchange servers
Exchange 2013 pre-SP1 (and 20102007)
Do you really need OAuth
Configure OAuth for Hybrid
eDiscovery Scenarios and OAuth
eDiscovery scenario: Requires OAuth
  Search on-premises and Exchange Online mailboxes in the same eDiscovery search initiated from the Exchange on-premises organization: Yes
  Search Exchange on-premises mailboxes that use Exchange Online Archiving for cloud-based archive mailboxes: Yes
  Search Exchange Online mailboxes from an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer: Yes
  Search on-premises mailboxes using an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer: No
  Search Exchange Online mailboxes from an eDiscovery search initiated from Exchange Online or the eDiscovery Center in SharePoint Online by an Office 365 tenant administrator or a compliance officer signed in to an Office 365 user account: No
FreeBusy works with OAuth
Not all features work with OAuth
HCW configures both Org Relationship and IntraOrgConnectors
FreeBusy and OAuth
[Diagram labels: On Premises, On Premises User “Ben”, Client Access Server, Microsoft Federation Gateway, Exchange Online, Mailbox Server, Joe, Ben. Ben requests free/busy info for Joe. The CAS server passes the MFG token and requests Joe’s free/busy on behalf of Ben. Free/busy request from Ben to Joe.]
FreeBusy using DAuth
[Diagram labels: On Premises, On Premises User “Ben”, Client Access Server, Microsoft Federation Gateway, Exchange Online, Mailbox Server, Joe, Ben. Exchange connects to the Azure OAuth endpoint. The Exchange server passes the token and requests Joe’s free/busy on behalf of Ben. Free/busy request from Ben to Joe.]
FreeBusy works through a series of checks:
  1st, we check to see if we can find free/busy locally
  2nd (if the mailbox is not local), we check for an IOC (IntraOrganizationConnector)
  3rd (if there is no IOC), we check for an Organization Relationship
  4th, we check for an availability address space
FreeBusy using OAuth
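The lookup order above, modelled as an added PowerShell example (not code from the deck or from Exchange) that shows which sharing path and auth model a target domain would resolve to. `Resolve-FreeBusyPath` is a hypothetical helper, the sample objects are constructed, and treating disabled connectors and relationships as absent is an assumption; the property names follow the output of `Get-IntraOrganizationConnector`, `Get-OrganizationRelationship` and `Get-AvailabilityAddressSpace`.

```powershell
# Added example: models the free/busy lookup order from the slide.
# Resolve-FreeBusyPath is a hypothetical helper, not an Exchange cmdlet.
function Resolve-FreeBusyPath {
    [CmdletBinding()]
    param(
        # Domain part of the recipient's target (routing) address.
        [Parameter(Mandatory = $true)][string]$TargetDomain,
        # True when the recipient's mailbox lives in this organization.
        [bool]$MailboxIsLocal = $false,
        # Output of Get-IntraOrganizationConnector, Get-OrganizationRelationship
        # and Get-AvailabilityAddressSpace, or objects with the same properties.
        [object[]]$IntraOrgConnector = @(),
        [object[]]$OrganizationRelationship = @(),
        [object[]]$AvailabilityAddressSpace = @()
    )

    # Compare as strings so live and deserialized (remote) objects both work.
    $matchesDomain = {
        param($values)
        @($values | ForEach-Object { "$_" }) -contains $TargetDomain
    }

    $result = [ordered]@{
        TargetDomain = $TargetDomain
        Path         = 'None'
        Auth         = ''
        Object       = ''
        Note         = 'No sharing path configured'
    }

    # 1st: free/busy is found locally.
    if ($MailboxIsLocal) {
        $result.Path = 'Local'
        $result.Note = 'Mailbox is in this organization'
        return [pscustomobject]$result
    }

    # 2nd: IntraOrganizationConnector (OAuth, all or nothing).
    # Assumption: a disabled connector is treated as absent.
    $ioc = $IntraOrgConnector |
        Where-Object { $_.Enabled -and (& $matchesDomain $_.TargetAddressDomains) } |
        Select-Object -First 1
    if ($ioc) {
        $result.Path   = 'IntraOrganizationConnector'
        $result.Auth   = 'OAuth'
        $result.Object = "$($ioc.Name)"
        $result.Note   = 'All-or-nothing sharing; no per-feature control'
        return [pscustomobject]$result
    }

    # 3rd: Organization Relationship (DAuth, per-feature control).
    $rel = $OrganizationRelationship |
        Where-Object { $_.Enabled -and (& $matchesDomain $_.DomainNames) } |
        Select-Object -First 1
    if ($rel) {
        $result.Path   = 'OrganizationRelationship'
        $result.Auth   = 'DAuth'
        $result.Object = "$($rel.Name)"
        $result.Note   = 'FreeBusy={0} ({1}); MailTips={2}' -f `
            $rel.FreeBusyAccessEnabled, $rel.FreeBusyAccessLevel, $rel.MailTipsAccessEnabled
        return [pscustomobject]$result
    }

    # 4th: availability address space.
    $aas = $AvailabilityAddressSpace |
        Where-Object { "$($_.ForestName)" -eq $TargetDomain } |
        Select-Object -First 1
    if ($aas) {
        $result.Path   = 'AvailabilityAddressSpace'
        $result.Auth   = "$($aas.AccessMethod)"
        $result.Object = "$($aas.ForestName)"
        $result.Note   = 'Cross-forest availability configuration'
    }
    return [pscustomobject]$result
}

# Constructed sample objects shaped like the cmdlet output (not real tenant data).
$iocs = @(
    [pscustomobject]@{ Name = 'Sample IOC'; Enabled = $true
                       TargetAddressDomains = @('contoso.mail.onmicrosoft.com') }
)
$rels = @(
    [pscustomobject]@{ Name = 'Sample On-premises to O365'; Enabled = $true
                       DomainNames = @('contoso.mail.onmicrosoft.com')
                       FreeBusyAccessEnabled = $true; FreeBusyAccessLevel = 'LimitedDetails'
                       MailTipsAccessEnabled = $true },
    [pscustomobject]@{ Name = 'Sample to fabrikam.com'; Enabled = $true
                       DomainNames = @('fabrikam.com')
                       FreeBusyAccessEnabled = $true; FreeBusyAccessLevel = 'AvailabilityOnly'
                       MailTipsAccessEnabled = $false }
)
$spaces = @([pscustomobject]@{ ForestName = 'legacy.example'; AccessMethod = 'OrgWideFB' })

# The first domain has both an IOC and an Org Relationship; the IOC is checked first.
'contoso.mail.onmicrosoft.com', 'fabrikam.com', 'legacy.example', 'unknown.example' |
    ForEach-Object {
        Resolve-FreeBusyPath -TargetDomain $_ -IntraOrgConnector $iocs `
            -OrganizationRelationship $rels -AvailabilityAddressSpace $spaces
    } | Format-Table -AutoSize
```

In the Exchange Management Shell the three collections can be supplied from the live cmdlets instead of the sample objects, which gives a per-domain view of which partners get all-or-nothing OAuth sharing and which are limited by Organization Relationship settings.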
1. Office 365 mailbox can access legacy PFs on-premises
2. Office 365 mailbox can access Modern PFs on-premises
3. Exchange 2013 on-premises mailbox can access Modern PFs in Office 365
Hybrid Public Folder Options
Mailbox Version    PF Location
                   2007 On-Premises   2010 On-Premises   2013 On-Premises   Exchange Online
Exchange 2007      Yes                Yes                No                 No
Exchange 2010      Yes                Yes                No                 No
Exchange 2013      Yes                Yes                Yes                Yes
Exchange Online    Yes                Yes                Yes                Yes
Outlook connects to the cloud mailbox; it starts by querying autodiscover.contoso.com
[Diagram labels: Exchange Online; On-premises; Proxy to PF server (running CAS role); Auth as user over Public MBX auth]
Hybrid PF access
Autodiscover responds with the target address for the cloud mailbox
Outlook does Autodiscover for the target address of Contoso.mail.onmicrosoft.com
EXO responds with PFMailbox information obtained by org config or set explicitly on the mailbox:
  <PublicFolderInformation> <SmtpAddress>PFmailbox1@Contoso.com</SmtpAddress>
Outlook performs Autodiscover against PFmailbox1@Contoso.com
Outlook settings are returned, including the server name of the PFCAS
When PF access is initiated you then make a connection
DirSync currently does not sync mail-enabled public folder objects in either direction
We recommend customers run the following scripts periodically to sync these objects from on-premises to the cloud directory
Syncing Public Folders
Maintain Exchange Hybrid servers post migration for
Can I Retire Hybrid Servers
All mailbox migration paths are now supported from the Exchange Admin Center through a unified mailbox move wizard
Moves are “pulled” from on-premises to the cloud
All move types now support the new “batch” architecture, which allows for easier creation and management of multiple moves
As with Exchange 2010 hybrid, mailbox moves support off-boarding from the cloud to on-premises
Mailbox Migration
Max default concurrent moves: 100 (exceptions can be made)
Item count is a factor with migration performance
Firewall configuration on the on-premises organization
Network latency is a factor
Migrations are not considered “User Expected” (WLM)
Multiple concurrent moves allow for optimized migrations
03–10 GB/hour range per mailbox
Source-side performance is a COMMON factor
Hybrid Automation
New Tool for
Troubleshooting
• We will be collecting HCW logs
• We will try to determine the issue with a parser to prevent the call
• We will upload the log to make it available to Support
• We will be adding more checks
• We will be using this data to do some extra analytics on the service side to better warn customers of configuration issues
If Failed: Solution
There are certificates installed in your Exchange Hybrid environment which are missing the subject name
  http://go.microsoft.com/?linkid=9846727
You need to fix your obsolete Active Directory Domain Services Federation Objects
  http://go.microsoft.com/?linkid=9846726
Your existing Exchange 2007 servers are not part of the Exchange Trusted Subsystems group
  http://go.microsoft.com/?linkid=9846728
You need to install Exchange 2010 SP3 RU3 or later
  http://go.microsoft.com/?linkid=9846729
In order to upgrade your Hybrid environment from Exchange 2010 to Exchange 2013 you need to rename your existing Organization Relationship
  http://go.microsoft.com/?linkid=9846730
Your Exchange Server 2013 needs to be running a version of CU6 or later; we recommend the latest version available
  http://go.microsoft.com/?linkid=9846731
Some manual configurations are needed to allow Legacy Free Busy to work as expected
  http://go.microsoft.com/?linkid=9846732
Microsoft Exchange Service Host is not running
  http://go.microsoft.com/?linkid=9846733
Please run the Exchange Hybrid Configuration Wizard on a server which has the CAS role installed
  http://go.microsoft.com/?linkid=9846734
You need to upgrade your legacy email address policy
  http://go.microsoft.com/?linkid=9846735
You need to address the issues found with the TLS certificate. If running Exchange Server 2010, you'll need to acquire a certificate with a name that has less than 256 characters. If running Exchange Server 2013, please install the latest cumulative update
  http://go.microsoft.com/?linkid=9846736
http://aka.ms/hcwcheck
Your feedback is important
Scan the QR Code and let us know via the TechDays App
Let us know what you think of the session via the TechDays App
Scan the QR Code
Are you already a member of the Microsoft Virtual Academy? On MVA you can always learn something new about the latest Microsoft technology. Sign up today at the MVA stand. MVA offers free online on-demand training 7/24 for IT professionals and developers.
Exchange Hybrid Wizard History
Exchange 2013 SP1
  Multiple Exchange organizations now supported
  Supports Exchange 2013 Edge
Thousands of tenants and millions of mailboxes in Office 365 using Exchange Hybrid
Hybrid Configuration Wizard
[Diagram: the Hybrid Configuration Engine reads the desired state from the Hybrid Configuration Object and connects by Remote PowerShell, across the Internet, to the On-Premises Exchange Organization and the Exchange Online Org; the Exchange Management Tools are also shown. Numbered callouts 1 to 5.
Exchange Online side: Organization Level Configuration Objects (Exchange Federation Trust, Organization Relationship, Forefront Inbound Connector & Forefront Outbound Connector); Domain Level Configuration Objects (Accepted Domains & Remote Domains).
On-premises side: Exchange Server Level Configuration (Mailbox Replication Service Proxy, Certificate Validation, Exchange Web Service Virtual Directory Validation & Receive Connector); Domain Level Configuration Objects (Accepted Domains, Remote Domains & E-mail Address Policies); Organization Level Configuration Objects (Exchange Federation Trust, Organization Relationship, Availability Address Space & Send Connector)]
1. The Update-HybridConfiguration cmdlet triggers the Hybrid Configuration Engine to start
2. The Hybrid Configuration Engine reads the “desired state” stored on the HybridConfiguration Active Directory object
3. The Hybrid Configuration Engine connects via Remote PowerShell to both the on-premises and Exchange Online organizations
4. The Hybrid Configuration Engine discovers topology data and current configuration from the on-premises Exchange organization and the Exchange Online organization
5. Based on the desired state, topology data and current configuration across both the on-premises Exchange and Exchange Online organizations, the Hybrid Configuration Engine establishes the “difference” and then executes configuration tasks to establish the “desired state”
Desired state configuration engine
Applies configuration to on-prem and online orgs
Supported Exchange Topologies
Exchange 2013 / Exchange 2010
  Single Forest Model: accounts and mailboxes in a single forest
  Resource Forest Model: multiple account forests, single resource forest
  1:1 relationship between Exchange Organization and single O365 tenant
Exchange 2013 Service Pack 1
  Supports multiple Exchange Organizations configured against a single O365 tenant
  Multiple forests, each containing accounts and Exchange organizations
  N:1 relationship between Exchange Organization and single O365 tenant
[Diagram: Office 365 hybrid relationships for contoso.com, fabrikam.com and contoso.com]
Exchange 2013 multi-org hybrid deployment
1. Prepare
  Update each Exchange organization to Service Pack 1
  Validate Autodiscover is properly configured and published in each Exchange organization
  Validate public certificates for Exchange org are unique
  Create two-way forest trust
2. Configure Mail Flow on-premises
  Configure SMTP domain sharing as required
  Configure mail flow between on-premises organizations
3. Configure Directory Synchronization
  Configure AAD Sync (FIM) to synchronize mail recipients in each forest and the Office 365 tenant
4. Run Hybrid Configuration Wizard
  Prepare Office 365 Tenant
  Run the HCW in contoso.com and fabrikam.com
  Validate mail flow between all entities
5. Configure ADFS or use AAD with password sync
  Configure ADFS in contoso.com
  Configure ADFS in fabrikam.com
6. Configure Organization Relationships
  Configure an Org Relationship between each Org
Supported Exchange Topologies Exchange 2013 Exchange 2010
Single Forest Model Accounts and Mailboxes in single forest
Resource Forest Model Multiple Account Forests Single Resource Forest
11 relationship between Exchange Organization and single O365 tenant
Exchange 2013 Service Pack 1
Supports multiple Exchange Organizations configured against a single O365 tenant
Multiple forests each containing accounts and Exchange organizations
N1 relationship between Exchange Organization and single O365 tenant
Office
365 Hybrid
Office
365 Hybrid Hybrid
contosocom fabrikamcom contosocom
R R R
Exchange 2013 multi-org hybrid deployment
Office 365 1 Prepare Update each Exchange organization to Service Pack 1
Validate Autodiscover is properly configured and published in
each Exchange organization
Validate public certificates for Exchange org are unique
Create two-way forest trust
2 Configure Mail Flow on-premises Configure SMTP domain sharing as required
Configure mail flow between on-premises organizations
3 Configure Directory Synchronization Configure AAD Sync (FIM) to synchronize mail recipients in each
forest and the Office 365 tenant
4 Run Hybrid Configuration Wizard Prepare Office 365 Tenant
Run the HCW in contosocom and fabrikamcom
Validate mail flow between all entities
5 Configure ADFS or use AAD with password sync Configure ADFS in contosocom
Configure ADFS in fabrikamcom
6 Configure Organization Relationships Configure an Org Relationship between each Org
fabrikamcom
E2013
contosocom
ADFS
AD
fabrikamonmicrosoftcom
fabrikamcom contosocom
E2013
ADFS
AD AAD Sync
(FIM)
Azure AD
Azure AD Auth
O365 Directory
ADFS
Proxy
ADFS
Proxy 1 1
2 2
3 3
3
4 4
5 5
6 6
SMTP
AAD Conn
Two-way Forest Trust
FIM Management Agent
Federated Trust Relationship
SMTPTLS Mail Flow
Federated Authentication
Organization Relationship
4
DAuth vs OAuth
DAuth OAuth
Uses Microsoft Federation Gateway for Token generation
Organization Relationships
Controls what companies you share information with
Allows for granular control of what features are available (free busy mailtips)
Uses Auth Server in Azure AD (better resiliency and faster in forest communications)
IntraOrgConnectors Configuration
Controls what companies you can share information with
No granular control of feature-set (all or nothing)
Organization
Relationships
Intraorg
Connectors
HCW now includes automated configuration for OAuth
Enables cross-premises discovery searches and cross-premises archive moves
Can be used for much more like freebusy and is used by 21Vianet customers (Greater China region)
Long term authentication approach for future capabilities
Configure OAuth for Hybrid
Configure OAuth for Hybrid
Configure Button is not available if you are not running at least Exchange 2013 SP1 on all of your Exchange servers
Exchange 2013 pre-SP1 (and 20102007)
Do you really need OAuth
Configure OAuth for Hybrid
eDiscovery Scenarios and OAuth
eDiscovery scenario | Requires OAuth
Search on-premises and Exchange Online mailboxes in the same eDiscovery search initiated from the Exchange on-premises organization | Yes
Search Exchange on-premises mailboxes that use Exchange Online Archiving for cloud-based archive mailboxes | Yes
Search Exchange Online mailboxes from an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer | Yes
Search on-premises mailboxes using an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer | No
Search Exchange Online mailboxes from an eDiscovery search initiated from Exchange Online or the eDiscovery Center in SharePoint Online by an Office 365 tenant administrator or a compliance officer signed in to an Office 365 user account | No
Free/Busy works with OAuth
Not all features work with OAuth
HCW configures both Org Relationship and IntraOrgConnectors
Free/Busy and OAuth
[Diagram: on-premises user "Ben" requests free/busy info for Joe. The CAS server passes the MFG token and requests Joe's free/busy on behalf of Ben (free/busy request from Ben to Joe). Labels: On Premises, Client Access Server, Microsoft Federation Gateway, Exchange Online, Mailbox Server.]
Free/Busy using DAuth
[Diagram: Exchange connects to the Azure OAuth endpoint; the Exchange server passes the token and requests Joe's free/busy on behalf of on-premises user "Ben" (free/busy request from Ben to Joe). Labels: On Premises, Client Access Server, Microsoft Federation Gateway, Exchange Online, Mailbox Server.]
Free/Busy works through a series of checks:
1st: we check to see if we can find free/busy locally
2nd: (if the mailbox is not local) we check for an IOC
3rd: (if there is no IOC) we check for an Organization Relationship
4th: we check for an availability address space
Free/Busy using OAuth
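The lookup order above, modelled as an added PowerShell example (not code from the deck or from Microsoft): it reports which sharing path would serve a target address and flags a domain whose Organization Relationship is never reached because an IOC matches first. The function names, parameters, sample objects and the rule that disabled objects are skipped are assumptions; property names follow the output of Get-IntraOrganizationConnector, Get-OrganizationRelationship and Get-AvailabilityAddressSpace.

```powershell
function Test-DomainCovered {
    param([object[]]$DomainList, [string]$Domain)
    # Multi-valued Exchange properties may hold non-string objects; compare as strings.
    @($DomainList | ForEach-Object { "$_" }) -contains $Domain
}

function Resolve-FreeBusyPath {
    [CmdletBinding()]
    param(
        # Address the request is routed to, e.g. a cloud mailbox's target address.
        [Parameter(Mandatory)][string]$TargetAddress,
        # Step 1 input: set when the mailbox is hosted in the local organization.
        [switch]$MailboxIsLocal,
        # Output of Get-IntraOrganizationConnector (or constructed objects).
        [object[]]$IntraOrgConnector = @(),
        # Output of Get-OrganizationRelationship.
        [object[]]$OrgRelationship = @(),
        # Output of Get-AvailabilityAddressSpace.
        [object[]]$AvailabilityAddressSpace = @()
    )

    $domain = ($TargetAddress -split '@')[-1]

    # Assumption: a disabled connector or relationship is skipped.
    $ioc = $IntraOrgConnector |
        Where-Object { $_.Enabled -and (Test-DomainCovered $_.TargetAddressDomains $domain) } |
        Select-Object -First 1
    $rel = $OrgRelationship |
        Where-Object { $_.Enabled -and (Test-DomainCovered $_.DomainNames $domain) } |
        Select-Object -First 1
    $aas = $AvailabilityAddressSpace |
        Where-Object { "$($_.ForestName)" -eq $domain } |
        Select-Object -First 1

    $out = [ordered]@{
        Target          = $TargetAddress
        Step            = $null
        Path            = 'No path found'
        TokenIssuer     = $null
        MatchedObject   = $null
        GranularControl = $null
        Note            = $null
    }

    if ($MailboxIsLocal) {
        $out.Step = 1; $out.Path = 'Local lookup'
    }
    elseif ($ioc) {
        $out.Step = 2; $out.Path = 'IntraOrganizationConnector (OAuth)'
        $out.TokenIssuer = 'Auth Server in Azure AD'
        $out.MatchedObject = $ioc.Name
        $out.GranularControl = $false    # all or nothing, per the comparison slide
        if ($rel) {
            # The relationship is consulted only when no IOC matches.
            $out.Note = "Organization Relationship '$($rel.Name)' also covers $domain " +
                        "but is not reached; its FreeBusyAccessLevel " +
                        "($($rel.FreeBusyAccessLevel)) does not govern this lookup."
        }
    }
    elseif ($rel) {
        $out.Step = 3; $out.Path = 'Organization Relationship (DAuth)'
        $out.TokenIssuer = 'Microsoft Federation Gateway'
        $out.MatchedObject = $rel.Name
        $out.GranularControl = $true
        $out.Note = "FreeBusyAccessEnabled=$($rel.FreeBusyAccessEnabled); " +
                    "FreeBusyAccessLevel=$($rel.FreeBusyAccessLevel)"
    }
    elseif ($aas) {
        $out.Step = 4; $out.Path = 'Availability address space'
        $out.MatchedObject = "$($aas.ForestName)"
    }
    [pscustomobject]$out
}

# Constructed sample configuration (not real tenant data). In an Exchange
# Management Shell, pass the output of the three Get-* cmdlets instead.
$iocs = @(
    [pscustomobject]@{ Name = 'HybridIOC (constructed)'; Enabled = $true
                       TargetAddressDomains = @('contoso.mail.onmicrosoft.com') }
)
$rels = @(
    [pscustomobject]@{ Name = 'On-premises to O365 (constructed)'; Enabled = $true
                       DomainNames = @('contoso.mail.onmicrosoft.com')
                       FreeBusyAccessEnabled = $true; FreeBusyAccessLevel = 'LimitedDetails' }
    [pscustomobject]@{ Name = 'Fabrikam (constructed)'; Enabled = $true
                       DomainNames = @('fabrikam.com')
                       FreeBusyAccessEnabled = $true; FreeBusyAccessLevel = 'AvailabilityOnly' }
)
$spaces = @(
    [pscustomobject]@{ ForestName = 'legacy.example'; AccessMethod = 'OrgWideFB' }
)
$cfg = @{ IntraOrgConnector = $iocs; OrgRelationship = $rels; AvailabilityAddressSpace = $spaces }

@(
    Resolve-FreeBusyPath -TargetAddress 'ben@contoso.com' -MailboxIsLocal @cfg
    Resolve-FreeBusyPath -TargetAddress 'joe@contoso.mail.onmicrosoft.com' @cfg
    Resolve-FreeBusyPath -TargetAddress 'user@fabrikam.com' @cfg
    Resolve-FreeBusyPath -TargetAddress 'user@legacy.example' @cfg
    Resolve-FreeBusyPath -TargetAddress 'user@unknown.example' @cfg
) | Format-List
```

Any row with Step 2 and a non-empty Note marks a domain where the all-or-nothing OAuth path is used even though a more restrictive Organization Relationship exists for it.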
1. Office 365 mailbox can access legacy PFs on-premises
2. Office 365 mailbox can access Modern PFs on-premises
3. Exchange 2013 on-premises mailbox can access Modern PFs in Office 365
Hybrid Public Folder Options
Mailbox Version (rows) by PF Location (columns)
Mailbox Version | 2007 On-Premises | 2010 On-Premises | 2013 On-Premises | Exchange Online
Exchange 2007 | Yes | Yes | No | No
Exchange 2010 | Yes | Yes | No | No
Exchange 2013 | Yes | Yes | Yes | Yes
Exchange Online | Yes | Yes | Yes | Yes
Outlook connects to Cloud Mailbox; starts by querying autodiscover.contoso.com
[Diagram labels: Exchange Online; On-premises; Proxy to PF server (running CAS role); Auth as user over Public MBX auth]
Hybrid PF access
Autodiscover responds with the target address for the cloud mailbox
Outlook does Autodiscover for target address of Contoso.mail.onmicrosoft.com
EXO responds with PFMailbox information obtained by org config or set explicitly on the mailbox: <PublicFolderInformation> <SmtpAddress>PFmailbox1@Contoso.com</SmtpAddress>
Outlook performs Autodiscover against PFmailbox1@Contoso.com
Outlook settings are returned, including the server name of the PFCAS
When PF access is initiated you then make a connection
DirSync currently does not sync mail-enabled public folder objects in either direction
We recommend customers run the following scripts periodically to sync these objects from on-premises to the cloud directory
Syncing Public Folders
Maintain Exchange Hybrid servers post migration for
Can I Retire Hybrid Servers?
All mailbox migration paths are now supported from the Exchange Admin Center through a unified mailbox move wizard
Moves are "pulled" from on-premises to the cloud
All move types now support the new "batch" architecture, which allows for easier creation and management of multiple moves
As with Exchange 2010, hybrid mailbox moves support off-boarding from the cloud to on-premises
Mailbox Migration
Max default concurrent moves: 100 (exceptions can be made)
Item count is a factor with migration performance
Firewall configuration on the on-premises organization
Network latency is a factor
Migrations are not considered "User Expected" (WLM)
Multiple concurrent moves allow for optimized migrations
03ndash10 GBhour range per mailbox
Source-side performance is a COMMON factor
Hybrid Automation
New Tool for Troubleshooting
• We will be collecting HCW logs
• We will try to determine the issue with a parser to prevent the call
• We will upload the log to make it available to Support
• We will be adding more checks
• We will be using this data to do some extra analytics on the service side to better warn customers of configuration issues
If Failed | Solution
There are certificates installed in your Exchange Hybrid environment which are missing the subject name | http://go.microsoft.com/?linkid=9846727
You need to fix your obsolete Active Directory Domain Services Federation Objects | http://go.microsoft.com/?linkid=9846726
Your existing Exchange 2007 servers are not part of the Exchange Trusted Subsystems group | http://go.microsoft.com/?linkid=9846728
You need to install Exchange 2010 sp3 RU3 or later | http://go.microsoft.com/?linkid=9846729
In order to upgrade your Hybrid environment from Exchange 2010 to Exchange 2013 you need to rename your existing Organization Relationship | http://go.microsoft.com/?linkid=9846730
Your Exchange Server 2013 needs to be running a version of CU6 or later; we recommend the latest version available | http://go.microsoft.com/?linkid=9846731
Some manual configurations are needed to allow Legacy Free Busy to work as expected | http://go.microsoft.com/?linkid=9846732
Microsoft Exchange Service Host is not running | http://go.microsoft.com/?linkid=9846733
Please run the Exchange Hybrid Configuration Wizard on a server which has the CAS role installed | http://go.microsoft.com/?linkid=9846734
You need to upgrade your legacy email address policy | http://go.microsoft.com/?linkid=9846735
You need to address the issues found with the TLS certificate. If running Exchange Server 2010, you'll need to acquire a certificate with a name that has less than 256 characters. If running Exchange Server 2013, please install the latest cumulative update | http://go.microsoft.com/?linkid=9846736
http://aka.ms/hcwcheck
Your feedback is important
Scan the QR Code and let us know via the TechDays App
Let us know what you think of the session via the TechDays App
Scan the QR Code
Are you already a member of the Microsoft Virtual Academy? On MVA you can always learn something new about the latest Microsoft technology. Sign up today at the MVA stand. MVA offers 7/24 free online on-demand training for IT professionals and developers.
Exchange 2013 multi-org hybrid deployment
1. Prepare
   Update each Exchange organization to Service Pack 1
   Validate Autodiscover is properly configured and published in each Exchange organization
   Validate public certificates for Exchange org are unique
   Create two-way forest trust
2. Configure Mail Flow on-premises
   Configure SMTP domain sharing as required
   Configure mail flow between on-premises organizations
3. Configure Directory Synchronization
   Configure AAD Sync (FIM) to synchronize mail recipients in each forest and the Office 365 tenant
4. Run Hybrid Configuration Wizard
   Prepare Office 365 Tenant
   Run the HCW in contoso.com and fabrikam.com
   Validate mail flow between all entities
5. Configure ADFS or use AAD with password sync
   Configure ADFS in contoso.com
   Configure ADFS in fabrikam.com
6. Configure Organization Relationships
   Configure an Org Relationship between each Org
[Diagram labels: Office 365, fabrikam.com, contoso.com, fabrikam.onmicrosoft.com, E2013, AD, ADFS, ADFS Proxy, AAD Sync (FIM), AAD Conn, FIM Management Agent, Azure AD, Azure AD Auth, O365 Directory, SMTP, Two-way Forest Trust; step callouts 1 to 6. Legend: Federated Trust Relationship, SMTP/TLS Mail Flow, Federated Authentication, Organization Relationship.]
DAuth vs OAuth
DAuth OAuth
Uses Microsoft Federation Gateway for Token generation
Organization Relationships
Controls what companies you share information with
Allows for granular control of what features are available (free busy mailtips)
Uses Auth Server in Azure AD (better resiliency and faster in forest communications)
IntraOrgConnectors Configuration
Controls what companies you can share information with
No granular control of feature-set (all or nothing)
Organization
Relationships
Intraorg
Connectors
HCW now includes automated configuration for OAuth
Enables cross-premises discovery searches and cross-premises archive moves
Can be used for much more like freebusy and is used by 21Vianet customers (Greater China region)
Long term authentication approach for future capabilities
Configure OAuth for Hybrid
Configure OAuth for Hybrid
Configure Button is not available if you are not running at least Exchange 2013 SP1 on all of your Exchange servers
Exchange 2013 pre-SP1 (and 20102007)
Do you really need OAuth
Configure OAuth for Hybrid
eDiscovery Scenarios and OAuth
eDiscovery scenario Requires
OAuth
Search on-premises and Exchange Online mailboxes in the same eDiscovery search initiated from the Exchange on-premises organization
Yes
Search Exchange on-premises mailboxes that use Exchange Online Archiving for cloud-based archive mailboxes
Yes
Search Exchange Online mailboxes from an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer
Yes
Search on-premises mailboxes using an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer
No
Search Exchange Online mailboxes from an eDiscovery search initiated from Exchange Online or the eDiscovery Center in SharePoint Online by an Office 365 tenant administrator or a compliance officer signed in to an Office 365 user account
No
FreeBusy works with OAuth
Not all features work with OAuth
HCW configures both Org Relationship and IntraOrgConnectors
FreeBusy and OAuth
On Premises
On Premises User ldquoBenrdquo
Client Access Server
Microsoft Federation Gateway
Exchange Online
Mailbox Server
Ben requests
freebusy info for
Joe
Joe
Ben
CAS Server passes
the MFG token and
requests Joersquos
freebusy on
behalf of Ben
Free
Busy Requ
est From
Ben To
Joe
FreeBusy using DAuth
On Premises
On Premises User ldquoBenrdquo
Client Access Server
Microsoft Federation Gateway
Exchange Online
Mailbox Server
Joe
Ben
Exchange
connects to
the Azure
OAUTH
endpoint
Exchange
Server passes
the token and
requests Joersquos
freebusy on
behalf of Ben
Free
Busy Requ
est From
Ben To
Joe
FreeBusy works through a series of checks
1st we check to see if we can find freebusy locally
2nd (if the mailbox is not local) we check for an IOC
3rd (if there is no IOC) we check for an Organization Relationship
4th we check for an availability address space
FreeBusy using OAuth
1 Office 365 mailbox can access legacy PFs on-premises
2 Office 365 mailbox can access Modern PFs on-premises
3 Exchange 2013 on-premises mailbox can access Modern PFs in Office 365
Hybrid Public Folder Options
Mailbox Version PF Location
2007 On-Premises 2010 On-Premises 2013 On-Premises Exchange Online
Exchange 2007 Yes Yes No No
Exchange 2010 Yes Yes No No
Exchange 2013 Yes Yes Yes Yes
Exchange Online Yes Yes Yes Yes
Outlook connects to Cloud Mailbox starts by querying autodiscovercontosocom
Exchange Online
On-premises
Proxy to PF
server
(running CAS
role)
Auth as user
over Public
MBX auth
Hybrid PF access
Autodiscover responds with the target address for the cloud mailbox Outlook does Autodiscover for target address of Contosomailonmicrosoftcom EXO responds with PFMailbox information obtained by org config or set explicitly on the mailbox ltPublicFolderInformationgt ltSmtpAddressgtPFmailbox1Contosocom ltSmtpAddressgt Outlook performs Autodiscover against PFmailbox1Contosocom Outlook settings are returned including the server name of the PFCAS
When PF access is initiated you then make a connection
DirSync currently does not sync mail-enabled public folder objects in either direction
We recommend customers run the following scripts periodically to sync these objects from on-premises to the cloud directory
Syncing Public Folders
Maintain Exchange Hybrid servers post migration for
Can I Retire Hybrid Servers
All mailbox migration paths are now supported from the Exchange Admin Center through a unified mailbox move wizard
Moves are ldquopulledrdquo from on-premises to the cloud
All move types now support the new ldquobatchrdquo architecture which allows for easier creation and management of multiple moves
As with Exchange 2010 hybrid mailbox moves support off-boarding from the cloud to on-premises
Mailbox Migration
35
Max default Concurrent moves 100 (exceptions can
be made)
Item count is a factor with migration performance
Firewall configuration on the on-premises organization
Network Latency is a Factor
Migration are not considered ldquoUser Expectedrdquo (WLM)
Multiple concurrent moves allows for optimized
migrations
03ndash10 GBhour range per mailbox
Source Side
performance is a
COMMON factor
Hybrid Automation
New Tool for
Troubleshooting
bull We will be collecting HCW logs
bull We will try to determine the issue with a parser to prevent the call
bull We will upload the log to make it available to Support
bull We will be adding more checks
bull We will be using this data to do some extra analytics in the service side to
better warn customers of configuration issue
If Failed Solution
There are certificates installed in your Exchange Hybrid environment which are missing the subject
name
httpgomicrosoftcomlinkid=9846727
You need to fix your obsolete Active Directory Domain Services Federation Objects httpgomicrosoftcomlinkid=9846726
Your existing Exchange 2007 servers are not part of the Exchange Trusted Subsystems group httpgomicrosoftcomlinkid=9846728
You need to install Exchange 2010 sp3 RU3 or later httpgomicrosoftcomlinkid=9846729
In order to upgrade your Hybrid environment from Exchange 2010 to Exchange 2013 you need to
rename your existing Organization Relationship
httpgomicrosoftcomlinkid=9846730
Your Exchange Server 2013 needs to be running a version of CU6 or later we recommend the latest
version available
httpgomicrosoftcomlinkid=9846731
Some manual configurations are needed to allow Legacy Free Busy to work as expected httpgomicrosoftcomlinkid=9846732
Microsoft Exchange Service Host is not running httpgomicrosoftcomlinkid=9846733
Please run the Exchange Hybrid Configuration Wizard on a server which has the CAS role installed httpgomicrosoftcomlinkid=9846734
You need to upgrade your legacy email address policy httpgomicrosoftcomlinkid=9846735
You need to address the issues found with the TLS certificate If running Exchange Server 2010 youll
need to acquire a certificate with a name that has less than 256 characters If running Exchange Server
2013 please install the latest cumulative update
httpgomicrosoftcomlinkid=9846736
httpakamshcwcheck
Your feedback is important
Scan the QR Code and let us know via the TechDays App
Laat ons weten wat u van de sessie vindt via de TechDays App
Scan de QR Code
Bent u al lid van de Microsoft Virtual Academy Op MVA kunt u altijd iets nieuws leren over de laatste technologie van Microsoft Meld u vandaag aan op de MVA Stand MVA biedt 724 gratis online training on-demand voor IT-Professionals en Ontwikkelaars
DAuth vs OAuth
DAuth OAuth
Uses Microsoft Federation Gateway for Token generation
Organization Relationships
Controls what companies you share information with
Allows for granular control of what features are available (free busy mailtips)
Uses Auth Server in Azure AD (better resiliency and faster in forest communications)
IntraOrgConnectors Configuration
Controls what companies you can share information with
No granular control of feature-set (all or nothing)
Organization
Relationships
Intraorg
Connectors
HCW now includes automated configuration for OAuth
Enables cross-premises discovery searches and cross-premises archive moves
Can be used for much more like freebusy and is used by 21Vianet customers (Greater China region)
Long term authentication approach for future capabilities
Configure OAuth for Hybrid
Configure OAuth for Hybrid
Configure Button is not available if you are not running at least Exchange 2013 SP1 on all of your Exchange servers
Exchange 2013 pre-SP1 (and 20102007)
Do you really need OAuth
Configure OAuth for Hybrid
eDiscovery Scenarios and OAuth
eDiscovery scenario Requires
OAuth
Search on-premises and Exchange Online mailboxes in the same eDiscovery search initiated from the Exchange on-premises organization
Yes
Search Exchange on-premises mailboxes that use Exchange Online Archiving for cloud-based archive mailboxes
Yes
Search Exchange Online mailboxes from an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer
Yes
Search on-premises mailboxes using an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer
No
Search Exchange Online mailboxes from an eDiscovery search initiated from Exchange Online or the eDiscovery Center in SharePoint Online by an Office 365 tenant administrator or a compliance officer signed in to an Office 365 user account
No
FreeBusy works with OAuth
Not all features work with OAuth
HCW configures both Org Relationship and IntraOrgConnectors
FreeBusy and OAuth
On Premises
On Premises User ldquoBenrdquo
Client Access Server
Microsoft Federation Gateway
Exchange Online
Mailbox Server
Ben requests
freebusy info for
Joe
Joe
Ben
CAS Server passes
the MFG token and
requests Joersquos
freebusy on
behalf of Ben
Free
Busy Requ
est From
Ben To
Joe
FreeBusy using DAuth
On Premises
On Premises User ldquoBenrdquo
Client Access Server
Microsoft Federation Gateway
Exchange Online
Mailbox Server
Joe
Ben
Exchange
connects to
the Azure
OAUTH
endpoint
Exchange
Server passes
the token and
requests Joersquos
freebusy on
behalf of Ben
Free
Busy Requ
est From
Ben To
Joe
FreeBusy works through a series of checks
1st we check to see if we can find freebusy locally
2nd (if the mailbox is not local) we check for an IOC
3rd (if there is no IOC) we check for an Organization Relationship
4th we check for an availability address space
FreeBusy using OAuth
1 Office 365 mailbox can access legacy PFs on-premises
2 Office 365 mailbox can access Modern PFs on-premises
3 Exchange 2013 on-premises mailbox can access Modern PFs in Office 365
Hybrid Public Folder Options
Mailbox Version PF Location
2007 On-Premises 2010 On-Premises 2013 On-Premises Exchange Online
Exchange 2007 Yes Yes No No
Exchange 2010 Yes Yes No No
Exchange 2013 Yes Yes Yes Yes
Exchange Online Yes Yes Yes Yes
Outlook connects to Cloud Mailbox starts by querying autodiscovercontosocom
Exchange Online
On-premises
Proxy to PF
server
(running CAS
role)
Auth as user
over Public
MBX auth
Hybrid PF access
Autodiscover responds with the target address for the cloud mailbox Outlook does Autodiscover for target address of Contosomailonmicrosoftcom EXO responds with PFMailbox information obtained by org config or set explicitly on the mailbox ltPublicFolderInformationgt ltSmtpAddressgtPFmailbox1Contosocom ltSmtpAddressgt Outlook performs Autodiscover against PFmailbox1Contosocom Outlook settings are returned including the server name of the PFCAS
When PF access is initiated you then make a connection
DirSync currently does not sync mail-enabled public folder objects in either direction
We recommend customers run the following scripts periodically to sync these objects from on-premises to the cloud directory
Syncing Public Folders
Maintain Exchange Hybrid servers post migration for
Can I Retire Hybrid Servers
All mailbox migration paths are now supported from the Exchange Admin Center through a unified mailbox move wizard
Moves are ldquopulledrdquo from on-premises to the cloud
All move types now support the new ldquobatchrdquo architecture which allows for easier creation and management of multiple moves
As with Exchange 2010 hybrid mailbox moves support off-boarding from the cloud to on-premises
Mailbox Migration
35
Max default Concurrent moves 100 (exceptions can
be made)
Item count is a factor with migration performance
Firewall configuration on the on-premises organization
Network Latency is a Factor
Migration are not considered ldquoUser Expectedrdquo (WLM)
Multiple concurrent moves allows for optimized
migrations
03ndash10 GBhour range per mailbox
Source Side
performance is a
COMMON factor
Hybrid Automation
New Tool for
Troubleshooting
bull We will be collecting HCW logs
bull We will try to determine the issue with a parser to prevent the call
bull We will upload the log to make it available to Support
bull We will be adding more checks
bull We will be using this data to do some extra analytics in the service side to
better warn customers of configuration issue
If Failed Solution
There are certificates installed in your Exchange Hybrid environment which are missing the subject
name
httpgomicrosoftcomlinkid=9846727
You need to fix your obsolete Active Directory Domain Services Federation Objects httpgomicrosoftcomlinkid=9846726
Your existing Exchange 2007 servers are not part of the Exchange Trusted Subsystems group httpgomicrosoftcomlinkid=9846728
You need to install Exchange 2010 sp3 RU3 or later httpgomicrosoftcomlinkid=9846729
In order to upgrade your Hybrid environment from Exchange 2010 to Exchange 2013 you need to
rename your existing Organization Relationship
httpgomicrosoftcomlinkid=9846730
Your Exchange Server 2013 needs to be running a version of CU6 or later we recommend the latest
version available
httpgomicrosoftcomlinkid=9846731
Some manual configurations are needed to allow Legacy Free Busy to work as expected httpgomicrosoftcomlinkid=9846732
Microsoft Exchange Service Host is not running httpgomicrosoftcomlinkid=9846733
Please run the Exchange Hybrid Configuration Wizard on a server which has the CAS role installed httpgomicrosoftcomlinkid=9846734
You need to upgrade your legacy email address policy httpgomicrosoftcomlinkid=9846735
You need to address the issues found with the TLS certificate If running Exchange Server 2010 youll
need to acquire a certificate with a name that has less than 256 characters If running Exchange Server
2013 please install the latest cumulative update
httpgomicrosoftcomlinkid=9846736
httpakamshcwcheck
Your feedback is important
Scan the QR Code and let us know via the TechDays App
Laat ons weten wat u van de sessie vindt via de TechDays App
Scan de QR Code
Bent u al lid van de Microsoft Virtual Academy Op MVA kunt u altijd iets nieuws leren over de laatste technologie van Microsoft Meld u vandaag aan op de MVA Stand MVA biedt 724 gratis online training on-demand voor IT-Professionals en Ontwikkelaars
HCW now includes automated configuration for OAuth
Enables cross-premises discovery searches and cross-premises archive moves
Can be used for much more like freebusy and is used by 21Vianet customers (Greater China region)
Long term authentication approach for future capabilities
Configure OAuth for Hybrid
Configure OAuth for Hybrid
Configure Button is not available if you are not running at least Exchange 2013 SP1 on all of your Exchange servers
Exchange 2013 pre-SP1 (and 20102007)
Do you really need OAuth
Configure OAuth for Hybrid
eDiscovery Scenarios and OAuth
eDiscovery scenario Requires
OAuth
Search on-premises and Exchange Online mailboxes in the same eDiscovery search initiated from the Exchange on-premises organization
Yes
Search Exchange on-premises mailboxes that use Exchange Online Archiving for cloud-based archive mailboxes
Yes
Search Exchange Online mailboxes from an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer
Yes
Search on-premises mailboxes using an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer
No
Search Exchange Online mailboxes from an eDiscovery search initiated from Exchange Online or the eDiscovery Center in SharePoint Online by an Office 365 tenant administrator or a compliance officer signed in to an Office 365 user account
No
FreeBusy works with OAuth
Not all features work with OAuth
HCW configures both Org Relationship and IntraOrgConnectors
FreeBusy and OAuth
On Premises
On Premises User ldquoBenrdquo
Client Access Server
Microsoft Federation Gateway
Exchange Online
Mailbox Server
Ben requests
freebusy info for
Joe
Joe
Ben
CAS Server passes
the MFG token and
requests Joersquos
freebusy on
behalf of Ben
Free
Busy Requ
est From
Ben To
Joe
FreeBusy using DAuth
On Premises
On Premises User ldquoBenrdquo
Client Access Server
Microsoft Federation Gateway
Exchange Online
Mailbox Server
Joe
Ben
Exchange
connects to
the Azure
OAUTH
endpoint
Exchange
Server passes
the token and
requests Joersquos
freebusy on
behalf of Ben
Free
Busy Requ
est From
Ben To
Joe
FreeBusy works through a series of checks
1st we check to see if we can find freebusy locally
2nd (if the mailbox is not local) we check for an IOC
3rd (if there is no IOC) we check for an Organization Relationship
4th we check for an availability address space
FreeBusy using OAuth
1 Office 365 mailbox can access legacy PFs on-premises
2 Office 365 mailbox can access Modern PFs on-premises
3 Exchange 2013 on-premises mailbox can access Modern PFs in Office 365
Hybrid Public Folder Options
Mailbox Version PF Location
2007 On-Premises 2010 On-Premises 2013 On-Premises Exchange Online
Exchange 2007 Yes Yes No No
Exchange 2010 Yes Yes No No
Exchange 2013 Yes Yes Yes Yes
Exchange Online Yes Yes Yes Yes
Outlook connects to Cloud Mailbox starts by querying autodiscovercontosocom
Exchange Online
On-premises
Proxy to PF
server
(running CAS
role)
Auth as user
over Public
MBX auth
Hybrid PF access
Autodiscover responds with the target address for the cloud mailbox Outlook does Autodiscover for target address of Contosomailonmicrosoftcom EXO responds with PFMailbox information obtained by org config or set explicitly on the mailbox ltPublicFolderInformationgt ltSmtpAddressgtPFmailbox1Contosocom ltSmtpAddressgt Outlook performs Autodiscover against PFmailbox1Contosocom Outlook settings are returned including the server name of the PFCAS
When PF access is initiated you then make a connection
DirSync currently does not sync mail-enabled public folder objects in either direction
We recommend customers run the following scripts periodically to sync these objects from on-premises to the cloud directory
Syncing Public Folders
Maintain Exchange Hybrid servers post migration for
Can I Retire Hybrid Servers
All mailbox migration paths are now supported from the Exchange Admin Center through a unified mailbox move wizard
Moves are ldquopulledrdquo from on-premises to the cloud
All move types now support the new ldquobatchrdquo architecture which allows for easier creation and management of multiple moves
As with Exchange 2010 hybrid mailbox moves support off-boarding from the cloud to on-premises
Mailbox Migration
35
Max default Concurrent moves 100 (exceptions can
be made)
Item count is a factor with migration performance
Firewall configuration on the on-premises organization
Network Latency is a Factor
Migration are not considered ldquoUser Expectedrdquo (WLM)
Multiple concurrent moves allows for optimized
migrations
03ndash10 GBhour range per mailbox
Source Side
performance is a
COMMON factor
Hybrid Automation
New Tool for
Troubleshooting
bull We will be collecting HCW logs
bull We will try to determine the issue with a parser to prevent the call
bull We will upload the log to make it available to Support
bull We will be adding more checks
bull We will be using this data to do some extra analytics in the service side to
better warn customers of configuration issue
If Failed Solution
There are certificates installed in your Exchange Hybrid environment which are missing the subject
name
httpgomicrosoftcomlinkid=9846727
You need to fix your obsolete Active Directory Domain Services Federation Objects httpgomicrosoftcomlinkid=9846726
Your existing Exchange 2007 servers are not part of the Exchange Trusted Subsystems group httpgomicrosoftcomlinkid=9846728
You need to install Exchange 2010 sp3 RU3 or later httpgomicrosoftcomlinkid=9846729
In order to upgrade your Hybrid environment from Exchange 2010 to Exchange 2013 you need to
rename your existing Organization Relationship
httpgomicrosoftcomlinkid=9846730
Your Exchange Server 2013 needs to be running a version of CU6 or later we recommend the latest
version available
httpgomicrosoftcomlinkid=9846731
Some manual configurations are needed to allow Legacy Free Busy to work as expected httpgomicrosoftcomlinkid=9846732
Microsoft Exchange Service Host is not running httpgomicrosoftcomlinkid=9846733
Please run the Exchange Hybrid Configuration Wizard on a server which has the CAS role installed httpgomicrosoftcomlinkid=9846734
You need to upgrade your legacy email address policy httpgomicrosoftcomlinkid=9846735
You need to address the issues found with the TLS certificate If running Exchange Server 2010 youll
need to acquire a certificate with a name that has less than 256 characters If running Exchange Server
2013 please install the latest cumulative update
httpgomicrosoftcomlinkid=9846736
httpakamshcwcheck
Your feedback is important
Scan the QR Code and let us know via the TechDays App
Laat ons weten wat u van de sessie vindt via de TechDays App
Scan de QR Code
Bent u al lid van de Microsoft Virtual Academy Op MVA kunt u altijd iets nieuws leren over de laatste technologie van Microsoft Meld u vandaag aan op de MVA Stand MVA biedt 724 gratis online training on-demand voor IT-Professionals en Ontwikkelaars
Configure OAuth for Hybrid
Configure Button is not available if you are not running at least Exchange 2013 SP1 on all of your Exchange servers
Exchange 2013 pre-SP1 (and 20102007)
Do you really need OAuth
Configure OAuth for Hybrid
eDiscovery Scenarios and OAuth
eDiscovery scenario Requires
OAuth
Search on-premises and Exchange Online mailboxes in the same eDiscovery search initiated from the Exchange on-premises organization
Yes
Search Exchange on-premises mailboxes that use Exchange Online Archiving for cloud-based archive mailboxes
Yes
Search Exchange Online mailboxes from an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer
Yes
Search on-premises mailboxes using an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer
No
Search Exchange Online mailboxes from an eDiscovery search initiated from Exchange Online or the eDiscovery Center in SharePoint Online by an Office 365 tenant administrator or a compliance officer signed in to an Office 365 user account
No
FreeBusy works with OAuth
Not all features work with OAuth
HCW configures both Org Relationship and IntraOrgConnectors
FreeBusy and OAuth
On Premises
On Premises User ldquoBenrdquo
Client Access Server
Microsoft Federation Gateway
Exchange Online
Mailbox Server
Ben requests
freebusy info for
Joe
Joe
Ben
CAS Server passes
the MFG token and
requests Joersquos
freebusy on
behalf of Ben
Free
Busy Requ
est From
Ben To
Joe
FreeBusy using DAuth
On Premises
On Premises User ldquoBenrdquo
Client Access Server
Microsoft Federation Gateway
Exchange Online
Mailbox Server
Joe
Ben
Exchange
connects to
the Azure
OAUTH
endpoint
Exchange
Server passes
the token and
requests Joersquos
freebusy on
behalf of Ben
Free
Busy Requ
est From
Ben To
Joe
FreeBusy works through a series of checks
1st we check to see if we can find freebusy locally
2nd (if the mailbox is not local) we check for an IOC
3rd (if there is no IOC) we check for an Organization Relationship
4th we check for an availability address space
FreeBusy using OAuth
1 Office 365 mailbox can access legacy PFs on-premises
2 Office 365 mailbox can access Modern PFs on-premises
3 Exchange 2013 on-premises mailbox can access Modern PFs in Office 365
Hybrid Public Folder Options
Mailbox Version PF Location
2007 On-Premises 2010 On-Premises 2013 On-Premises Exchange Online
Exchange 2007 Yes Yes No No
Exchange 2010 Yes Yes No No
Exchange 2013 Yes Yes Yes Yes
Exchange Online Yes Yes Yes Yes
Outlook connects to Cloud Mailbox starts by querying autodiscovercontosocom
Exchange Online
On-premises
Proxy to PF
server
(running CAS
role)
Auth as user
over Public
MBX auth
Hybrid PF access
Autodiscover responds with the target address for the cloud mailbox Outlook does Autodiscover for target address of Contosomailonmicrosoftcom EXO responds with PFMailbox information obtained by org config or set explicitly on the mailbox ltPublicFolderInformationgt ltSmtpAddressgtPFmailbox1Contosocom ltSmtpAddressgt Outlook performs Autodiscover against PFmailbox1Contosocom Outlook settings are returned including the server name of the PFCAS
When PF access is initiated you then make a connection
DirSync currently does not sync mail-enabled public folder objects in either direction
We recommend customers run the following scripts periodically to sync these objects from on-premises to the cloud directory
Syncing Public Folders
Maintain Exchange Hybrid servers post migration for
Can I Retire Hybrid Servers
All mailbox migration paths are now supported from the Exchange Admin Center through a unified mailbox move wizard
Moves are "pulled" from on-premises to the cloud
All move types now support the new "batch" architecture, which allows for easier creation and management of multiple moves
As with Exchange 2010, hybrid mailbox moves support off-boarding from the cloud to on-premises
Mailbox Migration
Max default concurrent moves: 100 (exceptions can be made)
Item count is a factor with migration performance
Firewall configuration on the on-premises organization
Network latency is a factor
Migrations are not considered "User Expected" (WLM)
Multiple concurrent moves allow for optimized migrations
0.3–1.0 GB/hour range per mailbox
Source-side performance is a COMMON factor
Hybrid Automation
New Tool for Troubleshooting
• We will be collecting HCW logs
• We will try to determine the issue with a parser to prevent the call
• We will upload the log to make it available to Support
• We will be adding more checks
• We will be using this data to do some extra analytics on the service side to better warn customers of configuration issues
If Failed | Solution
There are certificates installed in your Exchange Hybrid environment which are missing the subject name | http://go.microsoft.com/?linkid=9846727
You need to fix your obsolete Active Directory Domain Services Federation Objects | http://go.microsoft.com/?linkid=9846726
Your existing Exchange 2007 servers are not part of the Exchange Trusted Subsystems group | http://go.microsoft.com/?linkid=9846728
You need to install Exchange 2010 SP3 RU3 or later | http://go.microsoft.com/?linkid=9846729
In order to upgrade your Hybrid environment from Exchange 2010 to Exchange 2013, you need to rename your existing Organization Relationship | http://go.microsoft.com/?linkid=9846730
Your Exchange Server 2013 needs to be running a version of CU6 or later; we recommend the latest version available | http://go.microsoft.com/?linkid=9846731
Some manual configurations are needed to allow Legacy Free Busy to work as expected | http://go.microsoft.com/?linkid=9846732
Microsoft Exchange Service Host is not running | http://go.microsoft.com/?linkid=9846733
Please run the Exchange Hybrid Configuration Wizard on a server which has the CAS role installed | http://go.microsoft.com/?linkid=9846734
You need to upgrade your legacy email address policy | http://go.microsoft.com/?linkid=9846735
You need to address the issues found with the TLS certificate. If running Exchange Server 2010, you'll need to acquire a certificate with a name that has less than 256 characters. If running Exchange Server 2013, please install the latest cumulative update | http://go.microsoft.com/?linkid=9846736
http://aka.ms/hcwcheck
Your feedback is important
Scan the QR Code and let us know via the TechDays App
Let us know what you think of the session via the TechDays App
Scan the QR Code
Are you already a member of the Microsoft Virtual Academy? On MVA you can always learn something new about the latest Microsoft technology. Sign up today at the MVA stand. MVA offers free online on-demand training, 24/7, for IT professionals and developers.
Configure Button is not available if you are not running at least Exchange 2013 SP1 on all of your Exchange servers
Exchange 2013 pre-SP1 (and 2010/2007)
Do you really need OAuth?
Configure OAuth for Hybrid
eDiscovery Scenarios and OAuth
eDiscovery scenario | Requires OAuth
Search on-premises and Exchange Online mailboxes in the same eDiscovery search initiated from the Exchange on-premises organization | Yes
Search Exchange on-premises mailboxes that use Exchange Online Archiving for cloud-based archive mailboxes | Yes
Search Exchange Online mailboxes from an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer | Yes
Search on-premises mailboxes using an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer | No
Search Exchange Online mailboxes from an eDiscovery search initiated from Exchange Online or the eDiscovery Center in SharePoint Online by an Office 365 tenant administrator or a compliance officer signed in to an Office 365 user account | No
FreeBusy works with OAuth
Not all features work with OAuth
HCW configures both Org Relationship and IntraOrgConnectors
FreeBusy and OAuth
On Premises
On Premises User ldquoBenrdquo
Client Access Server
Microsoft Federation Gateway
Exchange Online
Mailbox Server
Joe
Ben
Exchange
connects to
the Azure
OAUTH
endpoint
Exchange
Server passes
the token and
requests Joersquos
freebusy on
behalf of Ben
Free
Busy Requ
est From
Ben To
Joe
FreeBusy works through a series of checks
1st we check to see if we can find freebusy locally
2nd (if the mailbox is not local) we check for an IOC
3rd (if there is no IOC) we check for an Organization Relationship
4th we check for an availability address space
FreeBusy using OAuth
1 Office 365 mailbox can access legacy PFs on-premises
2 Office 365 mailbox can access Modern PFs on-premises
3 Exchange 2013 on-premises mailbox can access Modern PFs in Office 365
Hybrid Public Folder Options
Mailbox Version PF Location
2007 On-Premises 2010 On-Premises 2013 On-Premises Exchange Online
Exchange 2007 Yes Yes No No
Exchange 2010 Yes Yes No No
Exchange 2013 Yes Yes Yes Yes
Exchange Online Yes Yes Yes Yes
Outlook connects to Cloud Mailbox starts by querying autodiscovercontosocom
Exchange Online
On-premises
Proxy to PF
server
(running CAS
role)
Auth as user
over Public
MBX auth
Hybrid PF access
Autodiscover responds with the target address for the cloud mailbox Outlook does Autodiscover for target address of Contosomailonmicrosoftcom EXO responds with PFMailbox information obtained by org config or set explicitly on the mailbox ltPublicFolderInformationgt ltSmtpAddressgtPFmailbox1Contosocom ltSmtpAddressgt Outlook performs Autodiscover against PFmailbox1Contosocom Outlook settings are returned including the server name of the PFCAS
When PF access is initiated you then make a connection
DirSync currently does not sync mail-enabled public folder objects in either direction
We recommend customers run the following scripts periodically to sync these objects from on-premises to the cloud directory
Syncing Public Folders
Maintain Exchange Hybrid servers post migration for
Can I Retire Hybrid Servers
All mailbox migration paths are now supported from the Exchange Admin Center through a unified mailbox move wizard
Moves are ldquopulledrdquo from on-premises to the cloud
All move types now support the new ldquobatchrdquo architecture which allows for easier creation and management of multiple moves
As with Exchange 2010 hybrid mailbox moves support off-boarding from the cloud to on-premises
Mailbox Migration
35
Max default Concurrent moves 100 (exceptions can
be made)
Item count is a factor with migration performance
Firewall configuration on the on-premises organization
Network Latency is a Factor
Migration are not considered ldquoUser Expectedrdquo (WLM)
Multiple concurrent moves allows for optimized
migrations
03ndash10 GBhour range per mailbox
Source Side
performance is a
COMMON factor
Hybrid Automation
New Tool for
Troubleshooting
bull We will be collecting HCW logs
bull We will try to determine the issue with a parser to prevent the call
bull We will upload the log to make it available to Support
bull We will be adding more checks
bull We will be using this data to do some extra analytics in the service side to
better warn customers of configuration issue
If Failed | Solution
There are certificates installed in your Exchange Hybrid environment which are missing the subject name | http://go.microsoft.com/?linkid=9846727
You need to fix your obsolete Active Directory Domain Services Federation Objects | http://go.microsoft.com/?linkid=9846726
Your existing Exchange 2007 servers are not part of the Exchange Trusted Subsystems group | http://go.microsoft.com/?linkid=9846728
You need to install Exchange 2010 SP3 RU3 or later | http://go.microsoft.com/?linkid=9846729
In order to upgrade your Hybrid environment from Exchange 2010 to Exchange 2013 you need to rename your existing Organization Relationship | http://go.microsoft.com/?linkid=9846730
Your Exchange Server 2013 needs to be running a version of CU6 or later; we recommend the latest version available | http://go.microsoft.com/?linkid=9846731
Some manual configurations are needed to allow Legacy Free Busy to work as expected | http://go.microsoft.com/?linkid=9846732
Microsoft Exchange Service Host is not running | http://go.microsoft.com/?linkid=9846733
Please run the Exchange Hybrid Configuration Wizard on a server which has the CAS role installed | http://go.microsoft.com/?linkid=9846734
You need to upgrade your legacy email address policy | http://go.microsoft.com/?linkid=9846735
You need to address the issues found with the TLS certificate. If running Exchange Server 2010, you'll need to acquire a certificate with a name that has less than 256 characters. If running Exchange Server 2013, please install the latest cumulative update | http://go.microsoft.com/?linkid=9846736
http://aka.ms/hcwcheck
Your feedback is important
Scan the QR Code and let us know via the TechDays App
1. Office 365 mailbox can access legacy PFs on-premises
2. Office 365 mailbox can access Modern PFs on-premises
3. Exchange 2013 on-premises mailbox can access Modern PFs in Office 365
Hybrid Public Folder Options
Mailbox Version | PF Location: 2007 On-Premises | 2010 On-Premises | 2013 On-Premises | Exchange Online
Exchange 2007 | Yes | Yes | No | No
Exchange 2010 | Yes | Yes | No | No
Exchange 2013 | Yes | Yes | Yes | Yes
Exchange Online | Yes | Yes | Yes | Yes
Outlook connects to Cloud Mailbox; starts by querying autodiscover.contoso.com
Exchange Online
On-premises
Proxy to PF server (running CAS role)
Auth as user over Public MBX auth
Hybrid PF access
Autodiscover responds with the target address for the cloud mailbox
Outlook does Autodiscover for target address of Contoso.mail.onmicrosoft.com
EXO responds with PFMailbox information obtained by org config or set explicitly on the mailbox: <PublicFolderInformation> <SmtpAddress>PFmailbox1@Contoso.com</SmtpAddress>
Outlook performs Autodiscover against PFmailbox1@Contoso.com
Outlook settings are returned, including the server name of the PFCAS
When PF access is initiated, you then make a connection
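The lookup chain described above, traced in Python as an added example (not from the original slides). The Autodiscover responses are constructed and simplified; the user address, the server name pfcas01.contoso.com and the allow-list of expected domains are assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace of the Outlook Autodiscover response body.
NS = "{http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a}"


def wrap_account(body):
    """Wrap an <Account> body in a minimal Autodiscover response envelope."""
    return ('<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">'
            '<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">'
            "<Account>" + body + "</Account></Response></Autodiscover>")


# Constructed sample responses, keyed by the (lower-cased) address that was queried.
RESPONSES = {
    # On-premises answers with the target address of the cloud mailbox.
    "user1@contoso.com": wrap_account(
        "<Action>redirectAddr</Action>"
        "<RedirectAddr>user1@contoso.mail.onmicrosoft.com</RedirectAddr>"),
    # Exchange Online answers with settings plus the public folder mailbox.
    "user1@contoso.mail.onmicrosoft.com": wrap_account(
        "<Action>settings</Action><PublicFolderInformation>"
        "<SmtpAddress>PFmailbox1@contoso.com</SmtpAddress></PublicFolderInformation>"),
    # On-premises answers for the PF mailbox with the server to connect to (hypothetical name).
    "pfmailbox1@contoso.com": wrap_account(
        "<Action>settings</Action>"
        "<Protocol><Type>EXHTTP</Type><Server>pfcas01.contoso.com</Server></Protocol>"),
}


def parse_account(xml_text):
    """Extract the fields of the <Account> element that drive the next hop."""
    account = ET.fromstring(xml_text).find(".//" + NS + "Account")
    if account is None:
        raise ValueError("no Account element in Autodiscover response")

    def text(path):
        node = account.find("/".join(NS + part for part in path.split("/")))
        return node.text.strip() if node is not None and node.text else None

    return {"action": text("Action"), "redirect": text("RedirectAddr"),
            "pf_mailbox": text("PublicFolderInformation/SmtpAddress"),
            "server": text("Protocol/Server")}


def domain_of(address):
    local, sep, domain = address.rpartition("@")
    if not (local and sep and domain):
        raise ValueError("not an SMTP address: %r" % address)
    return domain.lower()


def autodiscover(address, allowed_domains, lookup, max_hops=5):
    """Follow redirectAddr hops; refuse loops and domains outside the allow-list."""
    hops = []
    for _ in range(max_hops):
        address = address.lower()
        if domain_of(address) not in allowed_domains:
            raise PermissionError("Autodiscover hop to unexpected domain: " + address)
        if address in hops:
            raise RuntimeError("Autodiscover redirect loop at " + address)
        hops.append(address)
        account = parse_account(lookup(address))
        if account["action"] == "redirectAddr" and account["redirect"]:
            address = account["redirect"]
            continue
        return account, hops
    raise RuntimeError("too many Autodiscover redirects")


def trace_pf_access(user, allowed_domains, lookup=RESPONSES.__getitem__):
    """Return (all addresses queried, PF server name or None) for a cloud mailbox user."""
    mailbox, hops = autodiscover(user, allowed_domains, lookup)
    if not mailbox["pf_mailbox"]:
        return hops, None
    pf_settings, pf_hops = autodiscover(mailbox["pf_mailbox"], allowed_domains, lookup)
    return hops + pf_hops, pf_settings["server"]
```

Calling `trace_pf_access("user1@contoso.com", {"contoso.com", "contoso.mail.onmicrosoft.com"})` returns the three addresses queried in order and the PF server name; a response that names a public folder mailbox outside the allow-list raises `PermissionError` instead of being followed.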
DirSync currently does not sync mail-enabled public folder objects in either direction
We recommend customers run the following scripts periodically to sync these objects from on-premises to the cloud directory
Syncing Public Folders
Maintain Exchange Hybrid servers post migration for
Can I Retire Hybrid Servers
All mailbox migration paths are now supported from the Exchange Admin Center through a unified mailbox move wizard
Moves are “pulled” from on-premises to the cloud
All move types now support the new “batch” architecture, which allows for easier creation and management of multiple moves
As with Exchange 2010, hybrid mailbox moves support off-boarding from the cloud to on-premises
Mailbox Migration
Max default concurrent moves: 100 (exceptions can be made)
Item count is a factor with migration performance
Firewall configuration on the on-premises organization
Network latency is a factor
Migrations are not considered “User Expected” (WLM)