Deploying Office 365 in Production: Part 2 October 2013

Upload: riki-rinaldo

Post on 13-Sep-2015


10/28/2013

Microsoft Office 365

2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Session Overview

This session details the steps and actions required when expanding a pilot Office 365 environment into a production deployment. Unlike on-premises implementations, IT professionals can scale out their Office 365 tenants with ease. However, with added scale, it is important to start to automate user provisioning, add a production domain and set up the desired workloads.

Your onboarding path

Optimized path Exchange 2007
Diagram labels: Pilot, Source, Enhance, Deploy

Pilot
Pilot users use the service in about an hour
Start with a clean mailbox or with their own data
Diagram labels: Cloud ID, Self service, PST, Connected account, Admin driven, PST import tool, IMAP migration, Migration

Optimized path Exchange 2007
Deploy: Cloud identity
Deploy quickly using cloud identity
Option to expedite with use of a new or shared namespace with limited GAL
Diagram labels: Source, Enhance, Deploy, Pilot, Shared namespace, Self service, PST, Admin driven, PST import tool, IMAP migration, Migration

Optimized path Exchange 2007
Deploy: Synchronized identity
Use the service within days post migration of mail data with full GAL
Diagram labels: Source, Enhance, Deploy, Pilot, Synchronized ID with password sync, Admin driven, Migration, Shared namespace, Staged migration

Optimized path Exchange 2007
Deploy: Synchronized identity
Use the service within weeks post-introduction of hybrid servers
Complete GAL availability
Diagram labels: Source, Enhance, Pilot, Deploy, Hybrid servers, Admin driven, Migration, Hybrid migration

Optimized path Exchange 2007
Deploy: Synchronized identity
Users can start using the service within weeks post-introduction of hybrid servers, full GAL, and SSO post-data move
Diagram labels: Source, Enhance, Pilot, Deploy, Federated ID, Admin driven, Staged migration, Migration, Self service, Hybrid migration

Optimized path Exchange 2007 Recap
Pilot service in about an hour
Deployment options to meet your requirements
Leverage staged migration for IT led migration
Optionally enhance service over time
Decision points
  Identity type
  Namespace
  Migration and coexistence approach
  Authentication requirements

Optimized path Exchange 2010
Diagram labels: Pilot, Source, Enhance, Deploy

Pilot
Pilot users use the service in about an hour
Start with a clean mailbox or with their own data
Diagram labels: Cloud ID, Self service, PST, Connected account, Admin driven, PST import tool, IMAP migration, Migration

Optimized path Exchange 2010
Deploy: Cloud identity
Users can start using the service within hours to days post-data migration depending on requirements of new or shared namespace with limited GAL
Diagram labels: Source, Enhance, Deploy, Pilot, Shared namespace, Admin driven, Migration, PST import tool, IMAP migration

Optimized path Exchange 2010
Deploy: Synchronized identity
Users can start using the service within days post-introduction of SP3 or later with Hybrid Configuration Wizard (HCW), full GAL, post-data move
Diagram labels: Source, Enhance, Deploy, Pilot, Synchronized ID with password sync, Shared namespace, Hybrid migration, Self service, Admin driven, Migration

Optimized path Exchange 2010
Enhance: Synchronized identity
Users can start using the service within days post-introduction of SP3 or later with HCW, full GAL, and introduction of SSO, post-data move
Diagram labels: Source, Enhance, Pilot, Deploy, Federated ID, Self service, Admin driven, Hybrid migration, Migration

Optimized path Exchange 2010 Recap
Pilot service in about an hour
Deployment options to meet your requirements
Leverage hybrid Exchange for IT led migration
Optionally enhance service over time
Decision points
  Identity type
  Namespace
  Migration and coexistence approach
  Hybrid use
  Authentication requirements

Convert Pilot to Paid Subscription

Introducing production licenses
Purchasing directly in the Admin Portal
Activation Email - Purchasing via Volume Licensing
New Online Services Customers
Office 365 Trial Customers

Activation Email Sign In vs Sign Up Options

New Online Services Customer
When a new online services customer purchases Office 365 for Enterprises via their Enterprise Agreement (EA), and has never participated in an Office 365 Trial, they should use the Sign Up option from the link in the activation email.

Office 365 Trial Customer
If a trial customer chooses to retain their Office 365 trial data, settings, and their existing onmicrosoft.com domain during their transition from trial to a paid subscription, they will need to choose Sign In. Choosing this option will allow the customer to transition their trial subscription over to the licensed production subscription.

Activation - Step-by-step (New Online Service)
Customer clicks Sign Up via activation email
Customer creates and activates a new account profile
Customer adds New Online Service ID
Customer receives acknowledgment

Activation - Step-by-step (O365 Trial)
Microsoft or Partner enters VL order
Customer clicks Sign In on activation email
Customer signs in & provides existing account subscription info
Customer receives provisioning confirmation email

Setup your Vanity Domain

Add and Verify a Domain
Logon to the Portal
Select domains
Select Add Domain
Start Step 1 and specify domain name
Select preferred instructions
Add verification DNS record
Verify domain
Complete domain configuration

Walkthrough of adding a Managed Domain using the Microsoft Online Portal

Key Deployment Considerations

Verify domains
  Add all SMTP domains as verified domains before synchronizing
  Cannot be removed until all synchronized objects are no longer using the domain as a proxy address or UPN
Plan UPN suffix
  Verify on-premises user objects have a value (not null) for UPN suffix and that it is correct
  The default routing domain (e.g. contoso.onmicrosoft.com) is used for Office 365 UPN suffix if the on-premises UPN suffix does not contain a verified + public routable DNS domain (e.g. cannot use *.local)

Note: we recommend SMTP == UPN

Key Deployment Considerations

Complete Active Directory cleanup work before implementing DirSync -> consider using ID Fix
  Especially if importing data from a 3rd party LDAP directory into Active Directory
Enable DirSync ahead of deploying it on-premises
Plan ahead for DirSync quota increase
  Could become a deployment blocker. Don't wait until the 11th hour to request.
Enable Directory Synchronization ahead of DirSync server deployment (activation can take up to 24 hours to complete)
  Unless you don't want to use DirSync at all
Understand how soft match works
Consider Exchange schema extensions for non-Exchange AD environments
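
Added example (not from the original deck): a PowerShell pre-check for the UPN considerations above, flagging users whose UPN is empty, ends in .local, uses a suffix that is not a verified domain, or differs from the primary SMTP address. The function name, the $VerifiedDomains list and the sample users are assumptions constructed for illustration; against a real directory the input would come from Get-ADUser -Filter * -Properties mail.

```powershell
# Added example, not part of the original presentation.
# Assumption: input objects expose SamAccountName, UserPrincipalName and mail,
# the same property names Get-ADUser -Properties mail returns.
function Test-DirSyncUpn {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object]$User,

        # Domains already added and verified in the Office 365 tenant (assumed input).
        [Parameter(Mandatory)]
        [string[]]$VerifiedDomains
    )
    process {
        $upn    = [string]$User.UserPrincipalName
        $mail   = [string]$User.mail
        $issues = @()

        if ($upn -match '^[^@\s]+@([^@\s]+)$') {
            $suffix = $Matches[1]
            if ($suffix -like '*.local') {
                # Non-routable suffix: the tenant falls back to the default routing domain.
                $issues += "suffix '$suffix' is not publicly routable"
            }
            elseif ($VerifiedDomains -notcontains $suffix) {
                $issues += "suffix '$suffix' is not a verified domain"
            }
            # The deck recommends SMTP == UPN (comparison is case-insensitive).
            if ($mail -and $mail -ne $upn) {
                $issues += "primary SMTP '$mail' differs from UPN"
            }
        }
        else {
            $issues += 'UPN is empty or has no suffix'
        }

        # Emit a row only for users that need cleanup before synchronization.
        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                UPN            = $upn
                Issues         = $issues -join '; '
            }
        }
    }
}

# Constructed sample users (not real accounts).
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; UserPrincipalName = 'alice@contoso.com'; mail = 'alice@contoso.com' }
    [pscustomobject]@{ SamAccountName = 'bob';   UserPrincipalName = 'bob@corp.local';    mail = 'bob@contoso.com' }
    [pscustomobject]@{ SamAccountName = 'carol'; UserPrincipalName = $null;               mail = 'carol@contoso.com' }
    [pscustomobject]@{ SamAccountName = 'dave';  UserPrincipalName = 'dave@contoso.com';  mail = 'david@contoso.com' }
)

$sample | Test-DirSyncUpn -VerifiedDomains 'contoso.com' | Format-Table -AutoSize -Wrap
```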

ID Fix: http://www.microsoft.com/en-us/download/details.aspx?id=36832 (current version 1.05)

Installing and Configuring DirSync

Prepare and Download DirSync
Logon to the Portal
Select Users and groups and then activate DirSync
Select Users and Groups and click Set up Active Directory synchronization
Activate Directory Synchronization
Wait (up to 24 hours) for DirSync enablement
Review all documentation, follow the implementation steps, and download DirSync

In MOP, select users and groups | DirSync Set up

Activate Directory Synchronization (can take up to 24h to propagate)

From DirSync server: Download DirSync

Walkthrough of adding a Managed Domain using the Microsoft Online Portal

Install DirSync
Logon to DirSync server and run setup
Follow setup wizard
When finished, option to start the configuration wizard

Walkthrough of the simple 5-step DirSync setup wizard
Must be admin on the local machine to install DirSync
Default setup installs DirSync code along with FIM engine and SQL Express 2008

Configure DirSync
Run configuration wizard
Provide O365 admin creds
Provide AD admin creds
If Exchange hybrid, configure write-back
Password sync option
Create configuration
When finished, option to run synchronization

Walkthrough of the simple 6-step DirSync configuration wizard
Must provide enterprise admin credentials for the local AD and global or user admin credentials for the O365 tenant
Enterprise admin creds do not become the service account and are not used in any way during ongoing DirSync operation
Tenant creds used by DirSync cannot be a federated account
Tenant creds are used during ongoing DirSync operation; thus, you may want to configure them with a non-expiring password

Start Moving the Rest of your Users

IMAP Migration

IMAP Migration

Prepare for IMAP Migration

Create IMAP Migration Endpoint

Create CSVs for IMAP Migration

Delete IMAP Migration Batches

Configure MX Record Pointing to Office 365

Start IMAP Migration Batch

Create IMAP Migration Batch

Slide Objectives: IMAP migration process

Talking Points: The big difference here is that we can repeat the 2 orange steps until all users are migrated, and then change the MX record. The users can also be migrated in groups, not all at once as in a cutover migration.

IMAP Migration Process
Configure IMAP server to accept connections from Office 365 (port TCP/143 or TCP/993)
Add and verify email domain in Office 365
Create users and mailboxes in Office 365 -> Manual/Bulk/DirSync

Best practices
Reconfigure MX record TTL to 15 mins
Create a dedicated migration admin user
Add permissions to the migration admin
If not possible: collect user passwords

Diagram label: Prepare for IMAP Migration

Slide Objectives: Articulate the differences when preparing IMAP migration

Talking Points: In an IMAP migration the cloud connects to the on-premises server using an IMAP connection. Hence you need to make sure the Microsoft cloud can connect to your server. This might need some firewall adjustments, especially if your IMAP server was not previously visible from outside. IMAP can work without encryption; however, it is highly recommended to publish and use the secure IMAP port (TCP/993).

This migration will not create the user accounts automatically; you need to take care of this task. You may add the users manually (one by one), import them from a CSV file, or use DirSync. Whatever method is used, you should add your e-mail domain beforehand.

From the best practices section I want to highlight the question of the user passwords. If your e-mail server can be configured to use only one dedicated account to download the e-mails, then you can use a dedicated migration admin account. If this is not possible (for example, you are using a hosted IMAP server and you don't have administrative access to that server), then you need to collect the user passwords.

IMAP Migration Process
User list is defined in CSV files
Multiple migration batches
CSV file limits: 50,000 rows, max 10 MB

Best practices
Keep CSV files at a secure location

Newly arriving emails land where the MX record points to - no redirection

Client software reconfiguration (pointing to ExO)

Diagram labels: Start IMAP Migration Batch, Create IMAP Migration Batch

Slide Objectives: Explain the usage of CSV files

Talking Points: IMAP migration can be done in batches. You might test the migration with a small number of test users, and then continue with the 1st group of production users, and so on.

The CSV files contain the e-mail address of the target mailbox, the user account used to log on to the IMAP server and the password. Although the CSV file can contain up to 50,000 user names, the best practice is moving the users in smaller (and more controllable) groups.

As a best practice, please keep these CSV files at a secure location, as they contain user passwords. As previously, this initial sync can be started anytime; it won't affect the users. We will perform incremental syncs too, which will replicate the newly arrived e-mails.

The big switch happens when you redirect the MX record to O365; and instruct the users to logon to O365.
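
Added example (not from the original deck): a PowerShell pre-flight check for an IMAP migration batch file, covering the limits quoted above (50,000 rows, 10 MB) and the advice to keep the file at a secure location, since it holds cleartext passwords. The function name, the column header EmailAddress,UserName,Password and the sample file are assumptions made for this example; the ACL check uses Get-Acl and therefore runs on Windows.

```powershell
# Added example, not part of the original presentation.
function Test-ImapMigrationCsv {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MaxRows   = 50000,   # row limit quoted on the slide
        [long]$MaxBytes = 10MB     # size limit quoted on the slide
    )
    $findings = @()

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop
    if ($file.Length -gt $MaxBytes) {
        $findings += "File size $($file.Length) bytes exceeds the $MaxBytes byte limit"
    }

    # The file holds cleartext passwords: flag access granted to broad groups.
    # Well-known SIDs are used so the check does not depend on localized group names.
    $broadSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($rule in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and $broadSids.ContainsKey($sid)) {
            $findings += "ACL grants $($rule.FileSystemRights) to $($broadSids[$sid])"
        }
    }

    $rows = @(Import-Csv -LiteralPath $Path)
    if ($rows.Count -eq 0) { return $findings + 'No data rows found' }
    if ($rows.Count -gt $MaxRows) {
        $findings += "$($rows.Count) rows exceeds the $MaxRows row limit"
    }

    # Assumed header for an IMAP batch: target mailbox, IMAP logon name, password.
    $required = 'EmailAddress', 'UserName', 'Password'
    $columns  = $rows[0].PSObject.Properties.Name
    $missing  = $required | Where-Object { $columns -notcontains $_ }
    if ($missing) { return $findings + "Missing column(s): $($missing -join ', ')" }

    # Report empty fields by line number only; never echo a password value.
    for ($i = 0; $i -lt $rows.Count; $i++) {
        foreach ($column in $required) {
            if ([string]::IsNullOrWhiteSpace($rows[$i].$column)) {
                $findings += "Line $($i + 2): empty $column"
            }
        }
    }
    foreach ($group in ($rows | Group-Object EmailAddress)) {
        if ($group.Count -gt 1) {
            $findings += "Duplicate target mailbox: $($group.Name)"
        }
    }
    return $findings
}

# Constructed sample batch file (placeholder passwords, not real accounts).
$samplePath = Join-Path $env:TEMP 'imap-batch-sample.csv'
@'
EmailAddress,UserName,Password
terry@contoso.com,terry.adams,Constructed-Pw-1
ann@contoso.com,ann.beebe,
terry@contoso.com,terry.adams,Constructed-Pw-1
'@ | Set-Content -LiteralPath $samplePath -Encoding ASCII

Test-ImapMigrationCsv -Path $samplePath
Remove-Item -LiteralPath $samplePath
```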

Demo IMAP Migration

Staged Migration

Staged Migration Process

Convert On-Premise Mailboxes to Mail-Enabled Users

Prepare for Staged Migration

Create Migration End-Point

Create a CSV File for Staged Migration Batch

Complete Post-Migration Tasks

Delete Staged Migration Batch

Start a Staged Migration Batch

Create a Staged Migration Batch

Slide Objectives: Staged migration process flow.

Talking Points: The orange steps can be repeated here; users can be migrated in groups. Staged migration can be a longer project; it can last even for a couple of months.

Staged Migration Process
Add and verify email domain in Office 365
Implement DirSync
DirSync will create mail-enabled accounts
Available in M or E plans (or Exchange Online plan)

Configure Outlook Anywhere
Exchange 2003 and 2007 are supported

Best practices
You can optionally deactivate DirSync after migration
Use Hybrid for Exchange 2010 and 2013

Diagram label: Prepare for Staged Migration

Slide Objectives: Explaining the preparation tasks for a staged migration

Talking Points: When preparing a staged migration we will start again by adding the e-mail domain to O365 and verifying it. The staged migration needs DirSync, so we also need to enable and implement DirSync, as it will create the user objects in O365 based on the on-premises users in your AD. Let me add here a comment that after the migration you can deactivate DirSync if you want, or you can keep it running; it's your choice. The reason why we must do this: DirSync will make changes on the migrated user accounts in the on-premises AD during the migration.

We will use Outlook Anywhere, so RPC over HTTPS should be configured the very same way as in a cutover scenario. If it was already implemented then we don't have to do anything here. Please note that staged migration is supported with Exchange 2003 and 2007; for newer Exchange versions you need to implement a hybrid deployment, or a cutover migration.

More Information: http://technet.microsoft.com/en-us/library/jj898486(v=exchg.150).aspx

Staged Migration Process
Multiple batches - defined in CSV files
Create a migration admin account
Create the migration endpoint in Office 365
Test endpoint using ExRCA

Best practices
Move the workgroups together
Cross-premise sharing is not available (Delegates, shared calendars, rooms)
Each CSV file can contain max. 1,000 users

Diagram labels: Create a CSV File for Staged Migration Batch, Create Migration End-Point

Slide Objectives: Explain how we define the migration groups

Talking Points: In a staged migration we move the users in groups (called batches). These are defined by CSV files. As previously, we need to create a migration administrator account which is able to read data from the user mailboxes. When we define the migration endpoint on the Exchange Online portal, this account needs to be defined, along with the server name and the number of simultaneous mailbox moves.

As a best practice we migrate the workgroups together to minimize the chances of a cross-premise sharing situation. This happens, for example, when the boss and his assistant are moved in separate batches. This would break the delegate access to the mailbox.

Staged Migration Process
Start the batch by uploading CSV file

Best practices
Users start with empty mailboxes filling in

Example scenario:
Start the migration at 18:00
Mailboxes will be synced during the night
Reconfigure Outlook profiles
Allow Outlook sync during the night

Diagram label: Start a Staged Migration Batch

Slide Objectives: Explain how a batch will work

Talking Points: After you have defined/created a batch by uploading the CSV, you can automatically or manually start the batch. (Suspend/continue options are also available.)

As soon as you start the batch a user will have a new mailbox, and replication will happen later; we need some time until the mailbox fills up. When users create a new Outlook profile, they _might_ see an empty mailbox (if they are too quick).

My best practice:
Migration at night
Migration at weekends

You can see here an example for a nightly migration; one night should be enough to migrate 50-100 GB = 10-20 mailboxes depending on the mailbox size.

More Information: Overall this is nearly the same as with cutover. We need to touch the users' workstations to configure the new Outlook profile.

Staged Migration Process
Simple Coexistence
Emails still arrive On-Premise
Forwarded if mailbox is migrated
Office 365: mail-enabled users converted to mailboxes
On-Premise: DirSync set the targetAddress property

Best practices
Check if sync was finished without errors
Convert the on-premises mailboxes of the migrated users to mail-enabled users

Diagram label: Convert On-Premise Mailboxes to Mail-Enabled Users

Slide Objectives: Explain how the incoming e-mails find the right mailbox

Talking Points: This is a big change compared to cutover and IMAP. Here we have no e-mail replication process. All e-mails will still arrive on-premises (MX points there) and we will forward these to the cloud if the recipient is hosted there.

Before the batch was started, the user in the cloud created by DirSync was mail-enabled only. When we start the batch, the mailbox will be created for the O365 user, and in the on-prem AD DirSync will set the TargetAddress parameter. This will be responsible for the redirection. (You can see it even from the Exchange management console.)

After the batch has finished, the best practice is to convert the on-prem user (mailbox) to a mail-enabled user, so Outlook will autodiscover his cloud mailbox and connect to it.

More Information: http://technet.microsoft.com/en-us/library/jj874018(v=exchg.150).aspx

After a migration batch has finished running and you've verified that all mailboxes in the batch are successfully migrated and the initial synchronization of mailbox items to Exchange Online is complete, it's recommended that you convert the on-premises mailboxes in the migration batch to mail-enabled users. Why? After a staged Exchange migration, a user has an on-premises mailbox and an Exchange Online mailbox. Because mail sent to the user's on-premises mailbox is forwarded to their Exchange Online mailbox after migration, users need to connect to their Exchange Online mailboxes to access their email. But if a person uses Outlook to open their mailbox, the Autodiscover service still tries to connect to the on-premises mailbox. After you convert on-premises mailboxes to mail-enabled users, the Autodiscover service uses a mail-enabled user to connect Outlook to the Exchange Online mailbox after the user creates a new Outlook profile.

Another important reason to convert on-premises mailboxes to mail-enabled users is to retain proxy addresses from the Exchange Online mailboxes by copying proxy addresses to the mail-enabled users. This lets you manage cloud-based users from your on-premises organization by using Active Directory. Also, if you decide to decommission your on-premises Exchange organization after all mailboxes are migrated to Exchange Online, the proxy addresses you've copied to the mail-enabled users will remain in your on-premises Active Directory.

More details about converting MBX to MEU and scripts:
Exchange 2003: http://community.office365.com/en-us/wikis/exchange/834.aspx
Exchange 2007: http://community.office365.com/en-us/wikis/exchange/845.aspx

Staged Migration Process
No need for incremental sync
Outlook will rebuild the OST cache

Best practices
Instruct users to use Office 365 mailbox
Cross-premise sharing is not allowed

Diagram label: Delete Staged Migration Batch

Slide Objectives: Finishing steps for migrating a user group

Talking Points: There is no incremental sync; see the previous slide. Outlook will rebuild the OST cache just like in previous migrations. You also need to distribute the passwords to the users (download the report from the e-mail sent by O365 about the migration).

Users should not use the on-prem mailbox, because newly sent e-mails are not replicated up again after the sync was done! Migrate workgroups together; a cloud user is not able to share his calendar with an on-prem user.

Staged Migration Process
Reconfigure MX record
Decommission on-premises Exchange*
Assign licenses to Office 365 users

Best practices
Staged migration is not a long-term solution
Migration can span up to some months

Diagram label: Complete Post-Migration Tasks

Slide Objectives: Finishing steps after all users are migrated

Talking Points: The MX record will point to O365, as will Autodiscover. Uninstall the on-premises Exchange (and do a backup before!). You can keep it running for a longer period if you want, but no one will use it, and no e-mails will be sent through it. DirSync can be deactivated after the sync; users will be managed in O365 if you do so. Hybrid infrastructure is the long-term solution (Exchange 2010 and 2013).

Demo Staged Migration
Demo IMAP migration

Deploy Office 365 Pro Plus

Two ways to deploy

(A) Have users install Office directly from the Office 365 portal

(B) Download the Office software to your local network and then deploy Office to your users

See http://technet.microsoft.com/en-us/library/jj219422.aspx for more information on IT Admin tools for click-to-run configuration

Which way to deploy?

Are users local admins on their computers?
If not, can't use the portal

Download/on-premises option gives more control:
Where on the network Office is installed from
How Office is updated after it is installed
Which computers Office is installed on
Which users, if any, get the 64-bit edition of Office
Which languages are available to install

Portal = less administrative setup, more self-service, less control

Additional resources on Pro Plus admin-led configuration:
http://technet.microsoft.com/en-us/library/jj219422.aspx
http://community.office365.com/en-us/blogs/office_365_community_blog/archive/2013/04/04/office-365-proplus-administrator-series-enabling-verbose-logging-for-troubleshooting-office-365-proplus-installations.aspx

Setup Devices

Mobile Device Configuration
http://office.microsoft.com/en-us/office365-suite-help/set-up-and-use-office-365-on-your-phone-or-tablet-HA102818686.aspx

Phone and tablet applications and configuration
From the Office 365 admin portal: https://portal.microsoftonline.com/OLS/mysoftware.aspx?source=ehome

Questions?

2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Additional resources
Office 365 troubleshooter: http://community.office365.com/en-us/tools/troubleshooting.aspx