what exchange administrators need to know about hybrid deployments
DESCRIPTION
According to a recent survey by Osterman Research, 54% of organizations will migrate some or all of their users to hybrid solutions over the next few years. If you have, or are considering an Exchange Hybrid deployment, you'll want to join Exchange MCM/MVP Michael Van Horenbeeck to hear him discuss how to avoid administrator pitfalls and show you how to keep your hybrid environment tuned and running smoothly. Discover answers to questions like: - What is life like for an administrator in a hybrid environment? - What issues will you likely encounter in transitioning to hybrid environments? - What steps must you take before you move your users to the cloud? - What are the most common reasons for outages? - How can you ensure that your ADFS infrastructure is working correctly? - What are the common problems with DIRsync? - What's next for hybrid platforms and MS Office 365? Plus have the chance to ask your top questions!TRANSCRIPT
What Exchange Administrators Need to Know about Hybrid Deployments
Michael Van Horenbeeck
Agenda
• What’s life like for an admin in a Hybrid deployment?• Common issues and misconceptions • Moving mailboxes: the good, the bad and the ugly• Keeping ADFS alive• DirSync• What’s next?• Q&A
What is a Hybrid deployment?Components of a Hybrid deployment
What is a hybrid deployment?
“Two distinct cross-premises Exchange organizations, combined to ‘act’ as a single organization through a series of customizations in both
environments”
Hybri
d A
rchit
ect
ure
ACTIVE DIRECTORY
OFFICE 365 TENANT
EXCHANGE ONLINE TENANT
MICROSOFT DATA CENTER INTERNET PERIMETERNETWORK
INTERNAL NETWORK
EXCHANGE ON-PREM ORG.
AZURE AD
ADFSPROXY
ADFS
ACTIVE DIRECTORY
DIRSYNCSERVER
EXCHANGE 2013(CAS)ORGANIZATIONAL RELATIONSHIP /
OAUTH (INTRA-ORG CONNECTOR)
EXCHANGE 2013(MBX)
ONLINE PROTECTION
HYBRID MAIL FLOW
SMTP
EXCHANGE ONLINE
AUTHENTICATION SERVICE
EXTERNAL USER(O365)
SYNC
HTTP(S)
HTTPS
HTTPS
OWA USER(O365)
HTTPS
MAIL FLOW
AUTHENTICATION
SYNCHRONIZATION
APP. ACCESS (HTTP(S))
INTERNAL USER(O365)
EXCHANGE USER
HTTPS
INTERNAL OWA USER(O365)
Hybrid Building Blocks
Federation DirSync Secure Transport Mailbox Moves
• Free/Busy• Mailtips• Message Tracking• eDiscovery• …
• Unified GAL• X500 (Mailbox
Moves)• Online Archiving
• TLS encryption• Header
Preservation• Cert-based
security• Centralized mail
flow
• Mailbox Replication Service (MRS)
• Online Moves• Fast / Reliable
An admin’s life in the cloud…
What tasks does an admin commonly execute?• Daily Exchange Management• Identity Management• Moving Mailboxes• Patching• Monitoring• Troubleshooting
Identity Management
•All user objects are managed on-premises (through Exchange) because of DirSync•Account for the DirSync interval (or force DirSync to run)• Can be important if you want to “quickly” do things.
•Watch out for accidental deletions!• New DirSync feature might help…
DirSync Accidental Deletion
• New in version 6765.0006 (released end of May)• If the number of objects being deleted exceeds a configurable
threshold, DirSync won’t sync the deletions to Azure AD.
• To enable the feature:• Set-PreventAccidentalDeletes –Enable –ObjectDeletionThreshold <value>
Monitoring Hybrid Deployments
• New architecture paradigm, requires new way of thinking about monitoring• You don’t care about Microsoft’s side of the story
• End-user service availability is key (but it’s always been like that, right?)• Consider monitoring through a series of both Active and Passive tests• Active tests allow you to be proactive• Passive tests give you great feedback (counters…)
What components do I need to monitor?• Directory Synchronization• Identity Federation (if applicable)• Exchange Federation• Certificates• Connectivity
Featured as Messaging and Unified Communications Award Finalist
Patching
• Important to stay ‘current’ with patch levels (Exchange, DirSync) in order to remain supported• Challenge to keep up with cloud-cadence (CU’s are typically released
every quarter…)• You can use RSS feeds and the Office Blog to stay up to date with the
latest and the greatest. Recently released Microsoft roadmap blog might also help: http://office.microsoft.com/en-us/products/office-365-roadmap-FX104343353.aspx
Moving Mailboxes
Moving Mailboxes
ExchangeOn-Prem
“The Internet”
ExchangeOnline
(Office 365)
MRS
Admin
Moving Mailboxes
• A trivial action, but touches many different components in Exchange• Make sure the Mailbox Replication Service Proxy [MRS Proxy] is enabled on the
internet-facing Exchange Web Services
• Before a mailbox can be moved, certain ‘attributes’ need to be available on the object:• Prior to a mailbox move, check that the object have the correct attributes set (x500 +
Proxy Addresses)
• Because of the cross-premises nature of a hybrid deployment, certain features won’t work after a mailbox move• Watch out for permissions and large items in mailbox!
Mailbox move limitations
• Items larger than +/- 25 MB won’t be moved because of the item size limits in place in Office 365. • You can export them using this script
• Cross-premises permissions (currently?) are not supported. Make sure to move associated mailboxes at the same time.• Potential impact of your ‘pilot’ group.
Dealing with High AvailabilityWhat it takes to make a hybrid deployment highly available
What components should be highly available?• Exchange (Hybrid Servers)• AD FS (if deployed)• Connectivity
“Hybrid Server” HA• Deploy at least two hybrid servers• Add site resiliency by deploying in two distinct physical locations• Load balance incoming request through a LB device
Site 1 Site 2
ConnectivityDomain
ControllerExchangeCAS/MBX
Exchange CAS/MBX
INTERNET
Domain Controller
HA Load Balancer pair
DirSync / Azure AD Sync
• No urgent need for high availability• You can run w/o DirSync for a (short) period of time, although that would
reduce (admin-)functionality temporarily
• In case you cannot afford temporary functionality loss (SLAs?)• Deploy a ‘standby’ DirSync server
• Consider deploying SQL (default choice for large enterprises anyway)• Easier to backup
Active Directory Federation Services
• Critical to operations; No ADFS = No user logon possible• Must be deployed HA – in all possible ways• Deploy ADFS cluster; spread across sites to add site resiliency• Can be costly…
AD FS HA
AD FS Topology
AD FSProxy
AD FS
Domain Controller
INTERNET
AD FS
AD FSProxy
Load
Bal
ance
r
Load
Bal
ance
r
Domain Controller
FW
FW
TroubleshootingAn overview of the most common scenarios
Troubleshooting AD FS
• Not easy.• Use tools like e.g. Fiddler• Enable Debug Logging in Event Viewer• Pair AD FS Proxy w/ ADFS for easier troubleshooting• Understanding different authentication flows is important
Enabling Debug Log
• Open Event Viewer• Click View > Show Analytic and
Debug Logs• Right-click Debug under AD FS
Tracing and click enable• Reproduce issue
Exchange Federation
• Multiple areas where things can go wrong…• Verify that Federation Information can be retrieved (get-
federationinformation)• Test Organization Relationships (test-organizationrelationship)• Verify Federation trust (Test-FederationTrust)• When using oAuth: Test-oAuthConnectivity
Mailbox Moves
• Error message is critical; contains useful information• Verify connectivity; e.g. MRS Proxy enabled?• Use the Test-MigrationServerAvailability for more insights
DirSync
• No news = good news • Take a look into the console (miisclient.exe located in installation
folder)• Check Permissions (inherit permissions enabled?)
About ENow Software
Download Mailscape for Exchange Online Free Trial
http://bit.ly/Mailscape-Hybrid
