office 365 hybrid deployments – part 1 · what about free busy from 2010 oauth? ... exchange 2013...
SVC307
Office 365 Hybrid Architecture and Deployment
Eddie Chua, Onboarding Engineer

[Diagram labels: On Prem; Office 365; Exchange Hybrid; SharePoint Hybrid; Lync Hybrid; OAuth]

• Cloud Identity: No integration to on-premises directories
• Directory & Password Synchronization: Integration without federation
• Federated Identity *: Single federated identity and credentials
* Federated ID scenario can use Azure AD Sync as a backup in case of a Federation platform outage on-prem

On-premises Exchange organization
• Existing Exchange environment: Exchange 2007 or later
• Office 365 Active Directory synchronization
• Exchange 2013 Client Access & Mailbox server
Office 365
• User, contacts, & groups via Azure AD Sync
• Secure mail flow
• Mailbox data via Mailbox Replication Service (MRS)
• Sharing (free/busy, Mail Tips, Archive, PF, etc.)

On-premises Lync organization
• Existing Lync environment: Lync Server 2010 or 2013
• Office 365 Active Directory synchronization
• Lync Edge Server Environment: Lync Server 2010 or 2013
Office 365
• User, contacts, & groups via Azure AD Sync
• Migration of Data (Contact Lists / Scheduled Meetings)
• Media Connectivity (SRTP)
• Signaling (SIP) via split SIP domain

Lync and SharePoint hybrid
Customer scenario (columns: Lync Online and Exchange On-Prem; Lync On-Prem and Exchange Online; each with Supported / Note)
• View presence or IM a contact in Outlook
• Schedule and join meeting through Outlook
• View presence or IM a contact in Outlook Web Access
• View presence or IM a contact in Lync Mobile Client
• Join meeting from Lync Mobile Client
• Modify Contact List (via Unified Contact Store in Exchange). Note: Lync Server 2013 and Exchange only. A Lync 2013 client is required.
• View or Modify Contact Photo in Lync Web App. Note: Lync Server 2013 only
• Delegate schedules meeting on behalf of Boss *. Note: Exchange 2013 only
• Archiving meeting content. Note: Lync Server 2013 only
• Searching archived meeting content. Note: Lync Server 2013 only
• Leaving or retrieving voicemail
• Publish status based on Outlook calendar free/busy
• Missed Conversations history and Call Logs are written to user’s Exchange mailbox
• Schedule meeting through Outlook Web Access
• View presence or IM a contact in SharePoint
• Search contact by skill keyword
* Supported only when both users are homed online in the same forest or both are homed on-premises.
Delegated authentication for on-premises/cloud web services
Enables free/busy, calendar sharing, message tracking & online archive
Online mailbox moves
Preserve the Outlook profile and offline folders
Leverages the Mailbox Replication Service (MRS)
Manage all of your Exchange functions, whether cloud or on-premises from the same place: Exchange Admin Center
Authenticated and encrypted mail flow between on-premises and the cloud
Preserves the internal Exchange message headers, allowing a seamless end user experience
Support for compliance mail flow scenarios (centralized transport)

Exchange Hybrid Wizard History
• Exchange 2013 SP1: Multiple Exchange organizations now supported
• Supports Exchange 2013 Edge
• Thousands of tenants and millions of mailboxes in Office 365 using Exchange Hybrid

[Diagram: On-Premises Exchange, Exchange Management Tools and the Hybrid Configuration Engine with its desired state, connected across the Internet by Remote PowerShell; numbered callouts 1 to 5 correspond to the steps below]
Configuration objects shown in the diagram:
• Hybrid Configuration Object
• Organization Level Configuration Objects (Exchange Federation Trust, Organization Relationship, Forefront Inbound Connector, & Forefront Outbound Connector)
• Domain Level Configuration Objects (Accepted Domains & Remote Domains)
• Exchange Server Level Configuration (Mailbox Replication Service Proxy, Certificate Validation, Exchange Web Service Virtual Directory Validation, & Receive Connector)
• Domain Level Configuration Objects (Accepted Domains, Remote Domains, & E-mail Address Policies)
• Organization Level Configuration Objects (Exchange Federation Trust, Organization Relationship, Availability Address Space, & Send Connector)
Step 1: The Update-HybridConfiguration cmdlet triggers the Hybrid Configuration Engine to start.
Step 2: The Hybrid Configuration Engine reads the “desired state” stored on the HybridConfiguration Active Directory object.
Step 3: The Hybrid Configuration Engine connects via Remote PowerShell to both the on-premises and Exchange Online organizations.
Step 4: The Hybrid Configuration Engine discovers topology data and current configuration from the on-premises Exchange organization and the Exchange Online organization.
Step 5: Based on the desired state, topology data, and current configuration, across both the on-premises Exchange and Exchange Online organizations, the Hybrid Configuration Engine establishes the “difference” and then executes configuration tasks to establish the “desired state.”

Exchange Topologies Supported
Exchange 2013 RTM
• Single Forest Model: Accounts and Mailboxes in single forest
• Resource Forest Model: Multiple Account Forests, Single Resource Forest
• 1:1 relationship between Exchange Organization and single O365 tenant
Exchange 2013 Service Pack 1
• Supports multiple Exchange Organizations configured against a single O365 tenant
• Multiple forests, each containing accounts and Exchange organizations
• Multi-Org Hybrid Support
• N:1 relationship between Exchange Organization and single O365 tenant
[Diagram labels: Office 365; Hybrid; contoso.com; fabrikam.com]

[Diagram: multi-forest hybrid]
• Tenant Name: contoso.onmicrosoft.com
• Coexistence Name: contoso.mail.onmicrosoft.com
• Forest: contoso.com. Authoritative for contoso.com
• Forest: fabrikam.com. Authoritative for fabrikam.com
• Shares: contoso.com
• Org Relationship (F/B, Sharing)
• SMTP Mail Flow (TLS connectors)
• Not Configured by Hybrid Configuration Wizard: ForestA, ForestB, FIM

Feedback…Answered
• Get-FederationInformation fallback logic: If the on-premises Autodiscover endpoint is not published properly when the wizard executes, it will warn, not fail.
• Autodiscover domain: You can now specify which domain is used for the federated Autodiscover query.
Set-HybridConfiguration -Domains "contoso.com, fabrikam.com, autod:nwtraders.com"
• Email address policy protection measures: New “UpdateSecondaryAddressesOnly” parameter added to Update-EmailAddressPolicy.
  • Protects customers that have manually edited their directory.
  • Only missing proxies will be added. No addresses will be changed/removed.
  • Note: This is still a very bad state to be in.
• Hybrid Product Key Availability: You can now obtain a FREE Exchange 2013 or 2010 Hybrid Edition product key without the dreaded call to support. You can simply go to http://aka.ms/hybridkey
• OAUTH Wizard: No more manual configuration of OAUTH; this is an integrated experience in specific deployment scenarios today.
Hybrid logging improvements

Hybrid Product Key (http://aka.ms/hybridkey)
Short Link: http://aka.ms/hybridkey
KB Link: http://support.microsoft.com/kb/2939261
For IE 11 only: others will get the link to the KB
You get a free Hybrid Edition key if…
• You have an existing, non-trial, Office 365 Enterprise subscription
• You currently do not have a licensed Exchange 2013 or Exchange 2010 SP3 server in your on-premises organization.
• You will not host any on-premises mailboxes on the Exchange 2013 or Exchange 2010 SP3 server on which you apply the Hybrid Edition product key.

What does this button do?
• There is now an automated configuration for OAUTH!
• OAUTH allows us to perform cross-premises discovery searches and cross-premises archive moves…
• OAUTH can be used for much more and actually is for 21Vianet customers (Greater China region)
• OAUTH is a replacement for the feature we relied on called XTC and will be used for many additional features in the future
• Click once application

HEY! Where is the OAUTH config button?
• So, just because you have 2010 and/or 2007 you cannot use OAUTH?
• Actually you can use OAUTH in a coexistence organization
• You would have to run the steps manually (documented on TechNet)
• Forcing you to run scripts and manually configure this is something that we are aiming to remove in future updates but for now….
• Do you…
  • Have Exchange 2013 SP1+ in the environment
  • Run the Exchange 2013 CU5+ version of the HCW

Do All Hybrid features use OAUTH?
• Currently the only hybrid features that require the use of OAUTH by default are cross-premises Discovery and certain cross-premises archive features
• Keep in mind this is not changing the way features worked before we introduced OAUTH; it is instead adding new functionality that has not been there since the release of Wave 15.
• Having Regular Hybrid and OAUTH configured will give you the most complete, robust feature set for your hybrid deployment

| eDiscovery scenario | Requires OAuth? |
| --- | --- |
| Search Exchange on-premises mailboxes and Exchange Online mailboxes in the same eDiscovery search initiated from the Exchange on-premises organization. | Yes |
| Search Exchange on-premises mailboxes that use Exchange Online Archiving for cloud-based archive mailboxes. | Yes |
| Search Exchange Online mailboxes from an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer. | Yes |
| Search on-premises mailboxes using an eDiscovery search initiated from the Exchange on-premises organization by an administrator or compliance officer. | No |
| Search Exchange Online mailboxes from an eDiscovery search initiated from Exchange Online or the eDiscovery Center in SharePoint Online by an Office 365 tenant administrator or a compliance officer signed in to an Office 365 user account. | No |

What about Free Busy?

What about Free Busy? Refresher
[Diagram: Free Busy request from Ben to Joe. Labels: On Premises; On Premises User “Ben”; Client Access Server; Mailbox Server; Microsoft Federation Gateway; Exchange Online]

What about Free Busy… (2013) OAUTH?
[Diagram: Free Busy request from Ben to Joe. Labels: On Premises; On Premises User “Ben”; Client Access Server; Mailbox Server; Microsoft Federation Gateway; Exchange Online]
• Free Busy works through a series of checks
  • 1st we check to see if we can find the free busy locally
  • 2nd (if the mailbox is not local) we check for an IOC
  • 3rd (if there is no IOC) we check for an Organization Relationship
  • 4th we then check for an availability address space
• The key point here is that OAUTH is not a fallback option for Free Busy; it is one or the other
• The OAuth method gets the preference
• 21Vianet simply does not have Org relationships or a federation trust and relies only on OAUTH

What about Free Busy from 2010 OAUTH?
[Diagram: Free Busy request from Ben to Joe. Labels: Exchange 2013; Exchange 2010]
• Free Busy works through a series of checks
  • 1st we check to see if we can find the free busy locally
  • 2nd we check for an Organization Relationship
  • 3rd we then check for an availability address space

What if there is still an Org relationship for 2010?
[Diagram: Free Busy request from Ben to Joe. Labels: Exchange 2013; Exchange 2010]
• Free Busy works through a series of checks
  • 1st we check to see if we can find the free busy locally
  • 2nd we check for an Organization Relationship
  • 3rd we then check for an availability address space

What about Free Busy from 2007 OAUTH?
[Diagram: Free Busy request from Ben to Joe. Labels: Exchange 2013; Exchange 2007]
• Free Busy works through a series of checks
  • 1st we check to see if we can find the free busy locally
  • 2nd we then check for an availability address space

DAuth vs OAuth
DAuth
• Uses Microsoft Federation Gateway for Token generation
• Organization Relationships
  • Controls what companies you share information with
  • Allows for granular control of what features are available (free busy, mailtips)
OAuth
• Uses Auth Server in Azure AD (better resiliency and faster in forest communications)
• IntraOrgConnectors / Configuration
  • Controls what companies you can share information with
  • No granular control of feature-set (all or nothing)
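
The order of checks on the free/busy slides, combined with the DAuth vs OAuth comparison, decides which sharing controls apply to a remote domain. The following added example (not part of the original deck) reads the on-premises configuration and reports the first matching path; the function name, its parameters and the result fields are assumptions, and the "local mailbox" check is skipped because the target is taken to be in the other organization.

```powershell
# Added example, not from the original deck. Run in the on-premises Exchange
# Management Shell. It only models the order of checks listed on the slides.
function Get-FreeBusyPath {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $TargetDomain,
        # Version of the Exchange server that handles the free/busy request.
        [ValidateSet('2013', '2010', '2007')] [string] $RequestingVersion = '2013'
    )

    # Domain collections may contain SmtpDomain objects, so compare as strings.
    function Test-Domain($Collection) {
        @($Collection | ForEach-Object { "$_" }) -contains $TargetDomain
    }
    function New-Result($Path, $Object, $FeatureControl) {
        [pscustomobject]@{
            Domain         = $TargetDomain
            Version        = $RequestingVersion
            Path           = $Path
            Object         = $Object
            FeatureControl = $FeatureControl
        }
    }

    # Exchange 2013 only: the IOC is checked before the Organization Relationship.
    # OAuth is not a fallback, so a matching connector ends the search.
    # Assumption: only enabled connectors count.
    if ($RequestingVersion -eq '2013') {
        $ioc = Get-IntraOrganizationConnector |
            Where-Object { $_.Enabled -and (Test-Domain $_.TargetAddressDomains) } |
            Select-Object -First 1
        if ($ioc) {
            return New-Result 'OAuth (IntraOrganizationConnector)' $ioc.Name 'All or nothing'
        }
    }

    # Exchange 2013 and 2010: Organization Relationship (DAuth), which carries
    # the granular per-feature settings.
    if ($RequestingVersion -ne '2007') {
        $rel = Get-OrganizationRelationship |
            Where-Object { $_.Enabled -and (Test-Domain $_.DomainNames) } |
            Select-Object -First 1
        if ($rel) {
            $control = "FreeBusy=$($rel.FreeBusyAccessEnabled) ($($rel.FreeBusyAccessLevel)); " +
                       "MailTips=$($rel.MailTipsAccessEnabled)"
            return New-Result 'DAuth (Organization Relationship)' $rel.Name $control
        }
    }

    # All versions: availability address space for the target forest/domain.
    $aas = Get-AvailabilityAddressSpace |
        Where-Object { "$($_.ForestName)" -eq $TargetDomain } |
        Select-Object -First 1
    if ($aas) {
        return New-Result 'Availability address space' "$($aas.ForestName)" "AccessMethod=$($aas.AccessMethod)"
    }

    New-Result 'None found' $null $null
}

# Compare what each Exchange version would use for the coexistence domain.
'2013', '2010', '2007' | ForEach-Object {
    Get-FreeBusyPath -TargetDomain 'contoso.mail.onmicrosoft.com' -RequestingVersion $_
} | Format-Table -AutoSize -Wrap
```

A domain that resolves to the OAuth path for 2013 but to an Organization Relationship for 2010 is governed by two different sets of controls, which is worth knowing before tightening FreeBusyAccessLevel on the relationship.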

• In order to test OAUTH after the HCW is run or the manual configuration is done, you will want to…
  • 1st get a cup of coffee
  • 2nd kick off your shoes, maybe start that book you were eyeing
  • 3rd after ~45 minutes run the verification cmdlets
Test-OAuthConnectivity -Service EWS -TargetUri https://outlook.office365.com/ews/exchange.asmx -Mailbox <On-Premises Mailbox> -Verbose | fl
and
Test-OAuthConnectivity -Service EWS -TargetUri <external hostname authority of your Exchange On-Premises deployment> -Mailbox <Exchange Online Mailbox> -Verbose | fl

• Running Get-AuthServer from the on-premises environment will yield the metadata and trust information used by OAUTH
  • TokenIssuingEndpoint: the endpoint we will connect to for delegation token retrieval
  • AuthMetadataUrl: the tenant-specific endpoint for token validation
  • CertificateString: similar to the certificate metadata exchange we do with the traditional MFG trust

• Running Get-ExchangeCertificate will reveal that a new self-signed certificate is created for OAUTH communication.
• The public hash of this certificate is exchanged with the trust broker (the Auth Server)

• Running Get-IntraOrganizationConfiguration from both on-premises and cloud yields one full set of results….
• Between them you can see that we have one full set of the data needed for the proper URLs that will be used to communicate with the opposing orgs
• Similar information was in the AutodiscoverURI and TargetSharingEPR values in org relationships

• Running Get-IntraOrganizationConnector from both premises shows the rest of the configuration
  • DiscoveryEndpoints: obtained from the IntraOrgConfig
  • TargetAddressDomain: means the same thing it meant in org relationship, the domain name this IOC applies to
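
The verification steps on the preceding slides, collected into one report (an added example, not code from the original deck). The function name, parameter values and report fields are assumptions; Get-AuthConfig, which the slides do not mention, is used here to find the thumbprint of the OAuth certificate.

```powershell
# Added example, not from the original deck. Run it in the on-premises Exchange
# Management Shell; in an Exchange Online session run it again with the URI and
# mailbox swapped as the slide describes. Checks whose cmdlets are not available
# in the current session are skipped.
function Test-HybridOAuthSetup {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [uri]    $TargetUri,  # EWS endpoint of the other side
        [Parameter(Mandatory = $true)] [string] $Mailbox     # mailbox homed on this side
    )

    $report = New-Object System.Collections.ArrayList
    function Add-Result($Check, $Ok, $Detail) {
        [void]$report.Add([pscustomobject]@{ Check = $Check; Ok = [bool]$Ok; Detail = "$Detail" })
    }

    # 1. End-to-end token test. Compare ResultType as a string so the check also
    #    works on deserialized objects from a remote session.
    $t = Test-OAuthConnectivity -Service EWS -TargetUri $TargetUri -Mailbox $Mailbox
    Add-Result 'Test-OAuthConnectivity' ("$($t.ResultType)" -eq 'Success') $t.Detail

    # 2. Auth server trust: endpoints used for token retrieval and validation.
    if (Get-Command Get-AuthServer -ErrorAction SilentlyContinue) {
        foreach ($a in @(Get-AuthServer)) {
            $detail = "Token endpoint: $($a.TokenIssuingEndpoint); metadata: $($a.AuthMetadataUrl)"
            Add-Result "AuthServer '$($a.Name)'" ($a.Enabled -and $a.AuthMetadataUrl) $detail
        }
    }

    # 3. The self-signed OAuth certificate must exist on this server and be valid.
    if (Get-Command Get-AuthConfig -ErrorAction SilentlyContinue) {
        $thumb = (Get-AuthConfig).CurrentCertificateThumbprint
        $cert  = Get-ExchangeCertificate | Where-Object { $_.Thumbprint -eq $thumb }
        $ok    = $cert -and ($cert.NotAfter -gt (Get-Date))
        Add-Result 'OAuth certificate' $ok "Thumbprint: $thumb; expires: $($cert.NotAfter)"
    }

    # 4. IntraOrganization connectors: which domains use OAuth and where
    #    discovery is sent.
    $iocs = @(Get-IntraOrganizationConnector)
    if ($iocs.Count -eq 0) {
        Add-Result 'IntraOrganizationConnector' $false 'No connector found'
    }
    foreach ($c in $iocs) {
        $detail = "Domains: $($c.TargetAddressDomains -join ', '); discovery: $($c.DiscoveryEndpoint)"
        Add-Result "IOC '$($c.Name)'" $c.Enabled $detail
    }

    $report
}

# Placeholder mailbox; the target URI is the Exchange Online EWS endpoint from the slide.
Test-HybridOAuthSetup -TargetUri 'https://outlook.office365.com/ews/exchange.asmx' `
    -Mailbox 'onprem.user@contoso.com' | Format-Table -AutoSize -Wrap
```

Any row with Ok = False points at the slide whose cmdlet should be re-run with `| fl` for the full output.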

What are the hybrid public folder options
• Option 1: O365 mailboxes access legacy PFs on-prem
• Option 2: O365 mailboxes access Modern PFs on-prem
• Option 3: Exchange 2013 on-prem mailboxes access Modern PFs in O365
• Documentation in process

| Mailbox version / PF location | 2007 On-Premises | 2010 On-Premises | 2013 On-Premises | Exchange Online |
| --- | --- | --- | --- | --- |
| Exchange 2007 | Yes | Yes | No | No |
| Exchange 2010 | Yes | Yes | No | No |
| Exchange 2013 | Yes | Yes | Yes | Yes |
| New Exchange Online | Yes | Yes | Yes | Yes |


Configure Legacy PF access
1.
2.
3.
4.
5. Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes PFMbx1,PFMbx2

Hybrid PF access
[Diagram labels: Exchange Online; On-premises; Proxy to PF server (running CAS role); Auth as user over Public MBX auth]
1. Outlook connects to the Cloud Mailbox, starting by querying autod.contoso.com
2. Autodiscover responds with the Target address for the cloud mailbox
3. Outlook does AutoD for TA Contoso.mail.onmicrosoft.com
4. EXO responds with PFMailbox information obtained by org config or set explicitly on the mailbox: <PublicFolderInformation> <SmtpAddress>[email protected]</SmtpAddress>
5. Outlook performs an AutoD against [email protected]
6. Outlook Anywhere settings are returned, including the server name of the PF/CAS instead of the CASArray
7. When PF access is initiated you then make an OA connection

Configure Legacy Modern PF access
1.
2.
3.
4.
5. Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes PFMbx1,PFMbx2

Configure Legacy PF access
• DirSync currently does not sync MEPF objects in either direction.
• We recommend customers run the following scripts periodically to sync MEPF objects from on-premise to the cloud directory. The scripts below work for E2010/E2007 on-premise.
  • Export-MailPublicFoldersForMigration.ps1 -ExportFile [exportFileName] (run on-premise)
  • Import-MailPublicFolders.ps1 -ImportFile [importFileName] (run on cloud)
• The scripts are linked on TechNet but are now also in the scripts container on the Exchange server
• In the future we plan to eliminate the script and rely on DirSync
• Known issue with script
  • When we import the MEPF we stamp all of the accepted domains that are verified in the tenant, not just the domains that were added as a proxy address…
  • Why is that an issue?
error: Subtask CheckPrereqs execution failed: Check Tenant Prerequisites
Deserialization fails due to one SerializationException:
Microsoft.Exchange.Compliance.Serialization.Formatters.BlockedTypeException: The type to be (de)serialized is not allowed:
Microsoft.Exchange.Data.Directory.DirectoryBackendType
• Cause: We modified the Office 365 Schema in order to allow for certain (non-PII) information about your on-premises to be captured (run get-OnPremisesConfiguration); some of these schema changes were not supported by HCW
• Solution: Update to CU6 / CU7

• Cause: we previously defaulted to allowing zero corrupt items with a hybrid move
• Solution: it was determined that allowing 10 corrupt items in a move allowed 90+% of the moves that failed with this issue to succeed. We now allow for 10 corrupted items per mailbox and we properly report on the skipped items
• Issue: When you move an item that is over 35 MB in size the move will fail
• Solution: We are working on adjusting this limit to make sure that most of the moves will succeed. We have to have limits and the limits are tied to transport limits, so this is not trivial

• Cause 1: We changed the naming convention for org relationships to support multi forest
• Solution 1: use the latest builds of Exchange 2013 where the issue has been addressed
• Cause 2: you got too creative with the deployment and did not deploy 2013 properly
• Solution 2: Deploy 2013 properly. Hybrid is NOT a separate role and should be deployed correctly
• Cause: you ran HCW with sp2 before we knew about multi forest
• Remove the connectors and rerun HCW
• Content: http://support.microsoft.com/kb/2977293

and MFG
• Cause: XTC has been retired and (undocumented) OAuth was the replacement
• Documented: http://technet.microsoft.com/en-us/library/dn497703(v=exchg.150).aspx
• Resolution: Implement OAuth for hybrid Discovery Searches
• OAUTH and IOC are an option if the Exchange servers are 2013 SP1+ and you run the HCW from CU5
• If you have a legacy mix you have to use the manual steps
• For Gallatin you need to ensure the Availability address space is configured
I cannot see cross-premises Free/Busy?
Happy Retirement Consumer MFG!!
• Cause: Consumer MFG retired on February 25, 2014
• Resolution: recreate federation trust and org relationships
• Documented: http://support.microsoft.com/kb/2937358

"Length of the property is too long"
• Cause: TLS Certificate Name is greater than 256 characters
• Documented: http://support.microsoft.com/kb/2860844
• Resolution: coming soon, for now you need to get a different certificate (this one was fixed 3 times now)
• Often, customers need guidance on how to configure their perimeter devices
• Here is a Wiki on how to configure TMG for hybrid: http://community.office365.com/en-us/wikis/exchange/1042.aspx?sort=mostrecent&pageindex=1

• Error: “Mailbox move to the cloud fail with error: Transient error CommunicationErrorTransientException has occurred. The system will retry”
• Cause: Intrusion Detection Systems can often see migration traffic as an attack
• Flood mitigation in TMG can cause this as well
• This Wiki explains how to address the issue:
• http://community.office365.com/en-us/wikis/exchange/office-365-move-mailbox-fails-with-transient-exception.aspx

• Cause: Timeout issues are not handled well by the HCW (we are getting better)
• Running the HCW a second time is often all that is needed…
"InvalidUri: Passed URI is not valid"
• Cause: There are certain words such as “bank”, profanity, and large org names that are blocked from federating
• Calling Support is the only option to resolve the issue
• Documented: http://support.microsoft.com/kb/2615183
• This is being looked at and may be a thing of the past soon…

Common Issues – Runtime
[Diagram labels: Cloud FB request; Layer 4 LB; mail.contoso.com; Internet facing site (E2013 CAS, E2013 MBX); Intranet site (E2010 CAS, E2010 MBX); HTTP PROXY; Cross site proxy request]
Resolution: Set 2010 externalURL to: mail.contoso.com
http://technet.microsoft.com/en-us/library/hh529912(v=exchg.150).aspx
• Cause: Bad password for admin, publishing issues, MRS disabled, etc….
• Errors: NONE
• The error in Wave 14 was the following, but in Wave 15 there isn’t an indication of failure:
• Resolution: Use the EAC in EXO

Common Issues – Runtime
• From Exchange 2010 SP3 RU2 you will see the domain proof missing
• Workaround: use Shell Get-FederatedDomainProof
• This is addressed in Exchange 2010 SP3 RU3
• From Exchange 2010 SP3 RU2 you will not be able to add additional domains to a federation trust from the UI; you have to use the Shell as a workaround.
• This has been addressed in Exchange 2010 SP3 RU3
http://aka.ms/SVC307
Session Evaluation