How to build an Exchange Hybrid Environment (CheckList)


I have been working this last year on a number of migrations using third-party tools or Hybrid deployments.

So please find below a checklist to design and deploy a working Exchange Hybrid environment.

Requirements & Preparation

Active Directory
Forest & Domain Functional Level:

  • Domain controllers on Windows Server 2008 or later to be able to use password writeback (AD Connect)
  • Windows Server 2012 R2 schema/forest level for Workplace Join (AD FS Device Registration)
Schema Update:

  • Some Exchange CUs require a schema update (check the CU release notes before installing)
User authentication method:

  • UserPrincipalName (UPN):
    • user@contoso.com
  • SAMAccountName:
    • contoso\user
The domain suffix will be used for SSO, so the domain must be registered as a public domain with public DNS:

  • Yes: advised to use the UPN
  • No: add a new UPN suffix, or consider using an AlternateID (alternate login ID)
The UPN must be set and known by the user

  • The UPN matches the user's primary email address (recommended)
Run the Microsoft Office 365 Deployment Readiness Tool (user impact)
Run IdFix to validate the users' readiness for the Office 365 migration
Supported Exchange & Client:

  • Exchange version (and CU level) in place
  • Client connectivity: Outlook / OWA / EAS / Outlook Anywhere (versions in use, and which are enabled)
Required Exchange Servers for Hybrid:

  • % of available resources on the existing servers (Exchange Calculator)
  • Is an additional server needed?
Namespaces publicly available: EWS, OWA, Autodiscover, Outlook Anywhere, EAS
(Check using the Microsoft Remote Connectivity Analyzer)
Accepted Domains
Availability Address Space or Federation Trust (Free/Busy sharing)
Autodiscover is pointing to your on-premises Exchange organization

  • Published externally
  • MRS Proxy is enabled (on the EWS virtual directory)
Valid certificate from a third-party (public) CA for Exchange Web Services
Self-signed certificate only for the Federation Trust with the Microsoft Federation Gateway (MFG)
EWS external URL specified in your public DNS and listed in the certificate SAN
Autodiscover endpoint specified in your public DNS and listed in the certificate SAN
All Exchange servers used for mail transport in the hybrid deployment must use the same certificate (same CA and same subject)

  • Hybrid server to Exchange Online
  • Hybrid server to EOP (mail flow)
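The namespace and certificate items above are what the Remote Connectivity Analyzer checks; the following script is an added example (not part of the original checklist) that performs the same pre-flight from PowerShell: DNS resolution, a TLS handshake on 443, SAN coverage of the name, no self-signed certificate, and remaining validity. The host names mail.contoso.com and autodiscover.contoso.com are hypothetical placeholders, and the script needs network access to the published endpoints.

```powershell
# Added example: pre-flight check of the public hybrid namespace (EWS / Autodiscover).
# Not the original post's code; host names below are hypothetical.

function Get-RemoteCertificate {
    # Open a TLS session to $HostName:$Port and return the leaf certificate the server presents.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        # Accept any certificate in the callback: we inspect it ourselves below, we do not trust it here.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)   # sends SNI = $HostName, like Outlook would
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

function Get-CertificateDnsNames {
    # Return the DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
    # Format() is localized: on a non-English OS replace 'DNS Name=' with the local label.
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') | ForEach-Object { $_.Groups[1].Value.ToLower() }
}

function Test-NameCovered {
    # Exact SAN match, or a wildcard entry on the same parent domain (*.contoso.com covers mail.contoso.com).
    param([string]$Name, [string[]]$DnsNames)
    $name   = $Name.ToLower()
    $parent = ($name -split '\.', 2)[1]
    foreach ($d in $DnsNames) {
        if ($d -eq $name) { return $true }
        if ($d.StartsWith('*.') -and $d.Substring(2) -eq $parent) { return $true }
    }
    return $false
}

function Test-HybridNamespace {
    # For each published name: DNS resolves, 443 answers TLS, the SAN covers the name,
    # the certificate is not self-signed (the HCW will not accept one for EWS/Autodiscover)
    # and it is not about to expire.
    param([Parameter(Mandatory)][string[]]$HostName, [int]$MinDaysValid = 30)
    foreach ($name in $HostName) {
        $result = [ordered]@{ HostName = $name; Resolves = $false; TlsOk = $false; NameInSan = $false;
                              SelfSigned = $null; DaysValid = $null; Subject = $null; Issuer = $null }
        $result.Resolves = [bool](Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue)
        if ($result.Resolves) {
            try {
                $cert = Get-RemoteCertificate -HostName $name
                $result.TlsOk      = $true
                $result.Subject    = $cert.Subject
                $result.Issuer     = $cert.Issuer
                $result.SelfSigned = ($cert.Subject -eq $cert.Issuer)
                $result.DaysValid  = [int]($cert.NotAfter - (Get-Date)).TotalDays
                $result.NameInSan  = Test-NameCovered -Name $name -DnsNames (Get-CertificateDnsNames $cert)
            } catch {
                $result.TlsOk = $false
            }
        }
        $result.Pass = $result.Resolves -and $result.TlsOk -and $result.NameInSan -and
                       (-not $result.SelfSigned) -and ($result.DaysValid -ge $MinDaysValid)
        [pscustomobject]$result
    }
}

# Usage: run from a machine outside the corporate network, as the Remote Connectivity Analyzer would.
Test-HybridNamespace -HostName 'mail.contoso.com', 'autodiscover.contoso.com' | Format-Table -AutoSize
```

A row with Pass = False tells you which checklist item is missing before the HCW fails on it: NameInSan false means the SAN does not cover the published name, SelfSigned true means the third-party certificate is not the one bound to IIS, and Resolves false means the public DNS entry does not exist yet.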
Office 365
Sign up for Office 365
Valid Global Admin credentials for your Office 365 tenant
Validation of custom domains

  • Every accepted domain needs to be added as an Office 365 custom domain
  • The UPN suffix needs to be added as a custom domain
  • Validation using a TXT record
  • Transfer DNS management to Office 365 if no customization is needed
Directory Synchronization
AD Connect
AD Connect: on-premises AD Enterprise Admin credentials (used during installation)
AD Connect: on-premises service account for the Federation Service
AD Connect: SQL requirements (local SQL Express or an existing SQL Server/instance)
AD Connect: firewalls

  • AD Connect -> DCs
  • AD Connect -> AD FS & WAP
  • AD Connect -> Azure AD
Method
ADFS (SSO): request servers according to the design
ADFS (SSO): request a SQL instance, or use WID
ADFS (SSO): A record for the Federation Service (internal DNS)
ADFS (SSO): DNS entry for the Federation Service (public DNS, pointing at the WAP)
ADFS (SSO): on-premises service account for the Federation Service
ADFS (SSO): PFX certificate with the federation service name
ADFS (SSO): local administrator account for the WAP server(s)
ADFS (SSO): enable remote management (WinRM) on the WAP server(s)
ADFS (SSO): firewalls

  • AD FS servers -> DCs
  • WAP -> AD FS servers
  • Internet users -> WAP
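The two firewall lists above (AD Connect and AD FS) are the ones I most often find half-open on delivery day. The following is an added example, not part of the original checklist: a small port matrix tested with Test-NetConnection from each source role. Server names are hypothetical placeholders, and the port list is the subset relied on in a pre-flight check (LDAP, LDAPS, Kerberos, WinRM for AD Connect's remote configuration of AD FS/WAP, and HTTPS), not Microsoft's complete requirements table.

```powershell
# Added example: run from each source host with the matching -Source value.
# Not the original post's code; host names are hypothetical.
$checks = @(
    # Source role      Destination                     Port   Purpose
    @{ Source='AADConnect'; Target='dc01.contoso.local';        Port=389;  Purpose='LDAP to DCs' },
    @{ Source='AADConnect'; Target='dc01.contoso.local';        Port=636;  Purpose='LDAPS to DCs' },
    @{ Source='AADConnect'; Target='dc01.contoso.local';        Port=88;   Purpose='Kerberos to DCs' },
    @{ Source='AADConnect'; Target='adfs01.contoso.local';      Port=5985; Purpose='WinRM: AD Connect configures AD FS remotely' },
    @{ Source='AADConnect'; Target='wap01.contoso.local';       Port=5985; Purpose='WinRM: AD Connect configures WAP remotely' },
    @{ Source='AADConnect'; Target='login.microsoftonline.com'; Port=443;  Purpose='Azure AD' },
    @{ Source='ADFS';       Target='dc01.contoso.local';        Port=389;  Purpose='LDAP to DCs' },
    @{ Source='ADFS';       Target='dc01.contoso.local';        Port=88;   Purpose='Kerberos to DCs' },
    @{ Source='WAP';        Target='adfs01.contoso.local';      Port=443;  Purpose='WAP -> AD FS (federation service name must resolve to the farm)' },
    @{ Source='Internet';   Target='adfs.contoso.com';          Port=443;  Purpose='Internet -> WAP (public federation service name)' }
)

function Test-FirewallMatrix {
    # Return one row per rule for the given source role, with Open = TCP handshake succeeded.
    # A closed port is reported, not thrown, so the whole matrix is always printed.
    param([Parameter(Mandatory)][hashtable[]]$Checks, [Parameter(Mandatory)][string]$Source)
    foreach ($c in ($Checks | Where-Object { $_.Source -eq $Source })) {
        $tnc = Test-NetConnection -ComputerName $c.Target -Port $c.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Source  = $Source
            Target  = $c.Target
            Port    = $c.Port
            Purpose = $c.Purpose
            Open    = $tnc.TcpTestSucceeded
        }
    }
}

# Usage on the AD Connect server; repeat with -Source 'ADFS' on a federation server and
# -Source 'WAP' on the proxy. The 'Internet' row must be run from outside the network.
Test-FirewallMatrix -Checks $checks -Source 'AADConnect' | Format-Table -AutoSize
```

Test-NetConnection only proves a TCP handshake; for WinRM also run Test-WSMan against the AD FS and WAP servers, since that is what AD Connect actually uses when it installs the farm.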
Identity Management
AD Connect
How many AD objects to sync to Office 365?
Synchronization filtering by OU, group or domain
User Principal Name:
Select an attribute (default value: UserPrincipalName (UPN))
This attribute should match the user's primary SMTP address
SourceAnchor selection (ObjectGUID by default)
Features needed:

  • Exchange Hybrid (writeback of Exchange attributes to on-premises)
  • Password Synchronization
  • Password writeback
  • Group Writeback (Office 365 Groups)
Method
Password Synchronization
Federated with ADFS
How many farms do we need?
How many servers do we need? More than 5? (On AD FS 2.0 / 2012 R2, WID supports at most five federation servers per farm; beyond that SQL Server is required)
Federation Service
Enable HA
Using SQL Server
Do we need SQL Server, or is WID enough?
Do we need SQL for AD Connect?
Do we need SQL for the Federation Servers?
Hybrid Environment
Certificate Design

  • Mail transport (secure communication)
  • Autodiscover, OWA, EAS, Outlook Anywhere
Web Services:

  • External FQDN of your Hybrid server
    • Can be the external load balancer FQDN used to reach your servers
    • Can be the OWA external FQDN
Client connectivity (OWA and EAS)
Availability Address Space or Federation Trust
Federated & Accepted Domains
Mail flow (centralized mail transport: yes or no)
Federation Trust and Organization Relationships
Hybrid Installation & Configuration
AD Connect
AD Connect installation & configuration
Use AD Connect to install the AD FS farm (AD FS server & WAP)
Configure the hybrid configuration using the HCW:

  • Exchange Organization Management admin (on-premises)
  • Global Admin (Office 365)
  • Federation trust validation (TXT record on the accepted domain)
  • Secure transport mail flow
    • Receive connector
    • Send connector
    • Certificate for secure mail transport
    • External FQDN of the Hybrid server for EOP
Validation (checks)
AD Connect
Directory Synchronization:

  • Check SMTP (soft) matching where cloud users already exist or a license was already assigned
Sign in using SSO (redirect to AD FS authentication)
Free/Busy sharing:

  • Office 365 users to on-premises users
  • On-premises users to Office 365 users
Cross-premises features:

  • MailTips
  • Message tracking
  • Multi-mailbox search
Online archiving
OWA redirect / Exchange ActiveSync redirect
Cross-premises mailbox permissions (conditions apply)
Unified GAL
Migration (Onboarding)

Operation & Migration (Onboarding)

How to create a user/mailbox using the EAC from on-premises Exchange (so the object is created on-premises and synchronized)
Migration procedure:

  • Using a PowerShell script (sync, licenses, complete)
  • Using a third-party application
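The three phases of the scripted procedure (sync, licenses, complete) map onto a handful of cmdlets. The script below is an added example, not the original post's onboarding script: it assumes an Exchange Online PowerShell session and the MSOnline module are already connected, and uses hypothetical names (mail.contoso.com as the MRS Proxy endpoint, contoso.mail.onmicrosoft.com as the hybrid routing domain, contoso:ENTERPRISEPACK as the SKU, alice@contoso.com and bob@contoso.com as users).

```powershell
# Added example of a sync / license / complete onboarding flow. Not the original post's script.
# Assumes Connect-ExchangeOnline (or a remote session) and Connect-MsolService already done.

$RemoteHostName       = 'mail.contoso.com'               # hypothetical: EWS external FQDN with MRS Proxy enabled
$TargetDeliveryDomain = 'contoso.mail.onmicrosoft.com'   # hypothetical: hybrid routing domain
$SkuId                = 'contoso:ENTERPRISEPACK'         # hypothetical: see Get-MsolAccountSku
$OnPremCred           = Get-Credential -Message 'On-premises credential used by the MRS Proxy'

function Start-HybridMoveBatch {
    # Phase 1 (Sync): create remote move requests that copy the data and then stop at
    # 95% (AutoSuspended), so the cut-over happens when we decide, not when MRS finishes.
    param([Parameter(Mandatory)][string[]]$UserPrincipalName)
    foreach ($upn in $UserPrincipalName) {
        New-MoveRequest -Identity $upn -Remote -RemoteHostName $RemoteHostName `
            -TargetDeliveryDomain $TargetDeliveryDomain -RemoteCredential $OnPremCred `
            -SuspendWhenReadyToComplete -BadItemLimit 10 `
            -BatchName "Hybrid-$(Get-Date -Format yyyyMMdd)"
    }
}

function Set-HybridLicense {
    # Phase 2 (License): an unlicensed mailbox only survives the grace period after the move,
    # so license before completing. UsageLocation must be set before a license can be assigned.
    param([Parameter(Mandatory)][string[]]$UserPrincipalName, [string]$UsageLocation = 'US')
    foreach ($upn in $UserPrincipalName) {
        Set-MsolUser -UserPrincipalName $upn -UsageLocation $UsageLocation
        Set-MsolUserLicense -UserPrincipalName $upn -AddLicenses $SkuId
    }
}

function Complete-HybridMoveBatch {
    # Phase 3 (Complete): only resume moves that actually reached AutoSuspended;
    # anything still syncing or failed is reported rather than forced.
    param([Parameter(Mandatory)][string[]]$UserPrincipalName)
    foreach ($upn in $UserPrincipalName) {
        $stats = Get-MoveRequestStatistics -Identity $upn
        if ($stats.Status -eq 'AutoSuspended') {
            Resume-MoveRequest -Identity $upn
        } else {
            Write-Warning "$upn is '$($stats.Status)' ($($stats.PercentComplete)%): not resumed"
        }
    }
}

# Constructed batch of hypothetical users
$batch = 'alice@contoso.com', 'bob@contoso.com'

Start-HybridMoveBatch    -UserPrincipalName $batch
# ... wait until Get-MoveRequestStatistics reports AutoSuspended for the whole batch ...
Set-HybridLicense        -UserPrincipalName $batch
Complete-HybridMoveBatch -UserPrincipalName $batch
```

Splitting the flow this way is what lets the same script serve both migration waves and a rollback decision: until Resume-MoveRequest runs, the on-premises mailbox is still the active one.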
Objects to Migrate:

  • Distribution list
  • Contacts
  • User Mailbox
  • Resource Mailbox
  • Shared Mailbox


Known issues: cross-premises mailbox permissions

  • Send As: not supported cross-premises (move the sender and the target mailbox together)
  • Send on behalf: not supported cross-premises
  • Full Access:
    • Already created: migrated together with the mailbox
    • Adding Full Access across premises afterwards: only works with conditions
Cross-premises Free/Busy

Comments and questions are welcome, so please do not hesitate.



How to calculate the ImmutableID using PowerShell

I have been writing scripts for onboarding and I have faced some issues involving the ImmutableID. The ImmutableID is the unique identifier created by your directory synchronization: it is the Base64 encoding of the 16 raw bytes of the object's ObjectGUID attribute (the default sourceAnchor), which is why it is always 24 characters long and ends in "==".

So please find below how to calculate the ImmutableID from the ObjectGUID.

First you have to retrieve the ObjectGUID (it is in the default property set of Get-ADUser, so -Properties * is not needed):

# Read the user from a specific DC; ObjectGUID is returned by default
$User = Get-ADUser $UserSamAccount -Server $DC

# ImmutableID = Base64 of the GUID's 16 raw bytes
# (Guid.ToByteArray() stores the first three groups little-endian, so the string does not start with the printed GUID bytes)
$ImmutableID = [System.Convert]::ToBase64String(([GUID]$User.ObjectGUID).ToByteArray())
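An onboarding script usually needs the conversion in both directions and a sanity check of the value before it is used for a hard match. The following is an added example, not the original post's code: it converts GUID to ImmutableID and back, verifies the encoding on a constructed GUID (no real object), and compares the on-premises value with the one Azure AD holds. The MSOnline cmdlets, the DC dc01.contoso.local and the user jdoe / jdoe@contoso.com are assumptions.

```powershell
# Added example: ImmutableID <-> ObjectGUID conversion with a self-check. Not the original post's code.

function ConvertTo-ImmutableID {
    # Base64 of the 16 raw GUID bytes, exactly what directory synchronization writes.
    param([Parameter(Mandatory)][guid]$ObjectGuid)
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableID {
    # Reverse conversion; refuses values that are not a 16-byte (ObjectGUID-based) sourceAnchor.
    param([Parameter(Mandatory)][string]$ImmutableID)
    $bytes = [System.Convert]::FromBase64String($ImmutableID)
    if ($bytes.Length -ne 16) {
        throw "'$ImmutableID' does not decode to 16 bytes: not an ObjectGUID-based sourceAnchor"
    }
    [guid]::new($bytes)   # PowerShell 5.0+ syntax; use New-Object guid (,$bytes) on older hosts
}

# Constructed sample (no real object). ToByteArray() writes the first three groups little-endian:
# 12345678-1234-1234-... becomes 78 56 34 12 34 12 34 12 ..., hence the value below.
$sampleGuid = [guid]'12345678-1234-1234-1234-123456789abc'
$id = ConvertTo-ImmutableID $sampleGuid
if ($id -ne 'eFY0EjQSNBISNBI0VniavA==') { throw "unexpected encoding: $id" }
if ((ConvertFrom-ImmutableID $id) -ne $sampleGuid) { throw 'round trip failed' }

# Real use (hypothetical DC and user): compare AD with what Azure AD already holds for the user.
# A mismatch means a hard match (Set-MsolUser -ImmutableId) is needed before the next sync.
$adUser  = Get-ADUser -Identity jdoe -Server dc01.contoso.local
$cloudId = (Get-MsolUser -UserPrincipalName jdoe@contoso.com).ImmutableId
if ($cloudId -and ($cloudId -ne (ConvertTo-ImmutableID $adUser.ObjectGUID))) {
    Write-Warning "ImmutableId mismatch for jdoe: on-premises $(ConvertTo-ImmutableID $adUser.ObjectGUID), cloud $cloudId"
}
```

An empty cloud ImmutableId means the cloud object is still cloud-only and will be soft-matched on SMTP address at the next sync; a different, non-empty value means the object was synced from another source anchor and will not match at all.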



How to search for the CorrelationID of an AD FS login page error in your AD FS servers' event log


Very often when I troubleshoot AD FS login page errors, I need to match the CorrelationID with the error on the AD FS server.

The quick way to find the CorrelationID (Activity ID) in the AD FS server event log using Event Viewer is:

  1. Open Event Viewer
  2. Go to Applications and Services Logs\AD FS\Admin
  3. Right-click on Admin, then click Find
  4. Type the CorrelationID provided on the failing user's error page
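With a load balancer in front of the farm, the failing request may have landed on a different node than the one you are logged on to, so the search has to cover every farm member. The function below is an added example, not the original post's procedure: it queries the AD FS/Admin log on each server for events whose Activity ID (the Correlation ID shown on the error page) matches, or whose message text contains it. The server names and the sample GUID are hypothetical.

```powershell
# Added example: find AD FS Admin events by Correlation ID across all farm members.
# Not the original post's code; server names and the sample GUID are hypothetical.
function Find-AdfsEventByCorrelationId {
    param(
        [Parameter(Mandatory)][guid]$CorrelationId,            # value shown on the AD FS error page
        [string[]]$ComputerName = @($env:COMPUTERNAME),         # every federation server in the farm
        [datetime]$StartTime = (Get-Date).AddHours(-24)         # bound the query; the Admin log is busy
    )
    $idText = $CorrelationId.ToString()
    foreach ($server in $ComputerName) {
        # -ErrorAction SilentlyContinue: Get-WinEvent throws when no event matches the filter
        $events = Get-WinEvent -ComputerName $server `
            -FilterHashtable @{ LogName = 'AD FS/Admin'; StartTime = $StartTime } `
            -ErrorAction SilentlyContinue
        # ActivityId is the Correlation ID; also match the message body for events that embed it
        $events |
            Where-Object { $_.ActivityId -eq $CorrelationId -or $_.Message -like "*$idText*" } |
            Select-Object MachineName, TimeCreated, Id, LevelDisplayName, ActivityId, Message
    }
}

# Usage: paste the Correlation ID from the error page (this one is a made-up sample)
Find-AdfsEventByCorrelationId -CorrelationId 'c5fbb5d6-4c0d-4f76-a1b1-2d0a2b7d2d5e' `
    -ComputerName 'adfs01.contoso.local', 'adfs02.contoso.local' |
    Format-List TimeCreated, MachineName, Id, Message
```

Remote event log reads need the Remote Event Log Management firewall rule and Event Log Readers membership on the target servers. If the Admin log has nothing for the ID, the request probably failed before AD FS logged it, and the AD FS Tracing/Debug log (disabled by default) is the next place to look.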

How to check if your AD FS environment is using SQL or WID

Please find below a PowerShell command that will help to find out if your AD FS environment is using SQL Server or WID:

Get-WmiObject -Class SecurityTokenService -Namespace root/ADFS | Select-Object ConfigurationDatabaseConnectionString

  • For WID on Windows Server 2012 R2 we are expecting:

Data Source=np:\\.\pipe\microsoft##WID\tsql\query;Initial Catalog=AdfsConfiguration;Integrated Security=True

  • On Windows Server 2008 / 2008 R2 the Windows Internal Database runs as the SQL Server Embedded Edition instance, so the following string is still WID, not SQL Server:

Data Source=\\.\pipe\mssql$microsoft##ssee\sql\query;Initial Catalog=AdfsConfiguration;Integrated Security=True

  • For SQL Server, Data Source is a server name (optionally with an instance) instead of a local named pipe, for example Data Source=sql01.contoso.local\ADFS;Initial Catalog=AdfsConfiguration;Integrated Security=True (hypothetical server name)
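Because both WID generations show up as a named pipe with a "microsoft##" instance, a script should classify on the Data Source rather than on one exact string. The function below is an added example (not the original post's command): it parses the connection string, returns WID or SQL, and checks itself against the three constructed strings above before querying the live server through root\ADFS. The SQL Server name is hypothetical.

```powershell
# Added example: classify the AD FS configuration database from its connection string.
# Not the original post's code; sql01.contoso.local is a hypothetical server.
function Get-AdfsConfigDbType {
    param([string]$ConnectionString)   # omit to query the local AD FS server
    if (-not $ConnectionString) {
        # Same WMI class as the Get-WmiObject one-liner, via the CIM cmdlets
        $sts = Get-CimInstance -Namespace 'root/ADFS' -ClassName 'SecurityTokenService'
        $ConnectionString = $sts.ConfigurationDatabaseConnectionString
    }
    $dataSource = ($ConnectionString -split ';' |
        Where-Object { $_ -match '^\s*Data Source\s*=' } |
        Select-Object -First 1) -replace '^\s*Data Source\s*=\s*', ''
    # Both WID generations: 2012 R2 (microsoft##WID) and 2008 (microsoft##SSEE, SQL Embedded Edition)
    $type = if ($dataSource -match 'microsoft##WID|microsoft##SSEE') { 'WID' } else { 'SQL' }
    [pscustomobject]@{ Type = $type; DataSource = $dataSource; ConnectionString = $ConnectionString }
}

# Self-check on constructed strings (the two WID forms and a hypothetical SQL Server)
$wid2012 = 'Data Source=np:\\.\pipe\microsoft##WID\tsql\query;Initial Catalog=AdfsConfiguration;Integrated Security=True'
$wid2008 = 'Data Source=\\.\pipe\mssql$microsoft##ssee\sql\query;Initial Catalog=AdfsConfiguration;Integrated Security=True'
$sql     = 'Data Source=sql01.contoso.local\ADFS;Initial Catalog=AdfsConfiguration;Integrated Security=True'
foreach ($s in $wid2012, $wid2008) {
    if ((Get-AdfsConfigDbType -ConnectionString $s).Type -ne 'WID') { throw "expected WID for: $s" }
}
if ((Get-AdfsConfigDbType -ConnectionString $sql).Type -ne 'SQL') { throw "expected SQL for: $sql" }

# Live query on this federation server
Get-AdfsConfigDbType
```

The distinction matters for the next two questions in the checklist: a WID farm has one writable primary and the five-server limit, while a SQL farm has neither.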

How to find (identify) your primary AD FS 3.0 server using PowerShell


While providing support and troubleshooting, it is very important to know which server is the primary, so you can make the appropriate change on the right server (with a WID configuration database, secondaries hold a read-only copy and configuration changes must be made on the primary).

To find your primary server you can use the following cmdlet:


From the primary AD FS server (where you can make AD FS configuration changes):


From the secondary AD FS server:


In both cases you will get the server which is hosting the primary node
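As an added example (not the command from the original post), the built-in Get-AdfsSyncProperties cmdlet (AD FS on Windows Server 2012 R2 and later) answers this from any farm member: on the primary its Role is PrimaryComputer, on a secondary it is SecondaryComputer and PrimaryComputerName names the primary. The wrapper below runs it on every node and flags secondaries that disagree, which is what you see after a failed Set-AdfsSyncProperties promotion. Farm member names are hypothetical; on a SQL Server farm there is no primary, every node writes to the shared database.

```powershell
# Added example: identify the primary AD FS node from all farm members. Not the original post's code.
function Get-AdfsPrimaryServer {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))   # hypothetical farm members passed by the caller
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $sync = Get-AdfsSyncProperties
        $primary = switch ($sync.Role) {
            'PrimaryComputer'   { $env:COMPUTERNAME }          # this node holds the writable configuration
            'SecondaryComputer' { $sync.PrimaryComputerName }   # read-only replica; points at the primary
            default             { "unknown role '$($sync.Role)'" }
        }
        [pscustomobject]@{
            Node     = $env:COMPUTERNAME
            Role     = $sync.Role
            Primary  = $primary
            LastSync = $sync.LastSyncFromPrimary   # empty on the primary itself
        }
    } | Select-Object Node, Role, Primary, LastSync
}

# Usage
$nodes = Get-AdfsPrimaryServer -ComputerName 'adfs01.contoso.local', 'adfs02.contoso.local'
$nodes | Format-Table -AutoSize

# Consistency check: all secondaries must name the same primary, and exactly one node must be primary
$primaries = @($nodes | Where-Object Role -eq 'PrimaryComputer')
$claimed   = @($nodes | Where-Object Role -eq 'SecondaryComputer' | Select-Object -ExpandProperty Primary -Unique)
if ($primaries.Count -ne 1) { Write-Warning "Expected one primary, found $($primaries.Count)" }
if ($claimed.Count -gt 1)   { Write-Warning "Secondaries disagree on the primary: $($claimed -join ', ')" }
```

A stale LastSyncFromPrimary on a secondary is the other thing worth reading off this output: it means the change you just made on the primary has not reached that node yet, whatever the primary says.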

How to deploy a 2013 Hybrid Server in an Exchange 2010 environment

While working on deploying a 2013 Hybrid Server in an Exchange 2010 environment, I have faced some issues, so please find an implementation plan which will help you avoid making my mistakes. You will have a list of the milestones you shouldn't miss to successfully deploy the Hybrid servers.
While working on Deploying 2013 Hybrid Server in an Exchange 2010 environment,  I have faced some issues, so please find a Implementation plan which will help you avoid making my mistakes. so you will have a list of the milestones you shoudn’t missed to successfully deploy an Hybrid Servers