A brief history of hybrid management

The release of Exchange Server 2010 brought with it a revolutionary new Cloud based service which we all know today as Exchange Online for Office 365. In the early days of the Cloud lots of time and energy was devoted to rapid migration of user and organizational data with some focus on the deployment and support of coexistence between an on-premises Exchange enterprise deployment with a web-based tenant. However, for larger organizations (LORGs) the strong feedback was that in addition to data migration efficiency there is a great need to richly support a longer state of on-premises and Cloud coexistence. The LORGs have spoken and they’ve asked for a full-fidelity, no-compromises management experience for mailboxes based on-premises and in the Cloud.

Exchange Server 2010 was the first to deliver an on-premises plus Exchange Online cross-premises coexistence solution by extending the existing functionality provided by the Exchange Management Console (EMC). EMC is a Windows MMC based client originally geared toward managing large scale deployments of enterprise servers which later evolved into the de facto Exchange Server console that we refer to today simply as “hybrid.” EMC facilitated efficient data migration to the Cloud (Office 365), provided cross-premises recipient management including bulk editing and facilitated the management of most organizational level policies and objects.

EMC is typically used on individual x64 servers hosting Exchange Server roles or separately on workstations via the “Management tools only” installation. It’s a Windows only management tool which means it depends upon local services like WinRM to communicate with remote servers via the PowerShell protocol.

image
Figure 1: Hybrid Management with Exchange Server 2010

For hybrid management, EMC provides admins the ability to add a second “tree” to the console pane in order to view all recipients, perform mailbox migrations and manage organizational objects related to the Exchange Online tenant. A purely Exchange Online only deployment does not need to apply EMC for management, instead the simplified “Exchange Control Panel” (ECP) console is used which was also new in Exchange Server 2010.

So, what is hybrid?

Hybrid should not be imagined as a unique offering of an Exchange server itself, but rather as a state of coexistence which implies an on-premises server is interacting in cooperation with an Internet-based service. The concept of hybrid is not unique to the Exchange product line and may also be found across the wider family of Microsoft Office servers such as SharePoint and Lync.

In the case of Exchange hybrid, typically it implies a set of mailboxes and policies are distributed across on-premises and Office 365 to act as one “virtual” organization. In previous blog entries on hybrid setup and deployment, you learned that from the perspective of the two premises this state of coexistence is viewed as an internal deployment e.g. certificates are added automatically during cross-premises mail flow from Office 365 tenants to on-premises recipients resulting in the delivered mail being trusted as having originated from within the organization itself although actually arriving via the Internet using dedicated hybrid mail connectors.

There are many possibilities and permutations of how to organize recipients across on-premises and the Office 365 service to suit the needs of your organization. For example, one organization may plan to move 100% of their on-premises recipients to the tenant within two years, another will opt to add all their resource room mailboxes to their Office 365 tenant immediately while yet another chooses to use their online tenant to securely host their online archive mailboxes. The point is we’re delivering flexibility with hybrid designed to meet the needs of your business.

Introducing hybrid management for the new Exchange

This blog post picks up where “Cloud on your terms – Part I” left off by focusing primarily on the “steady state” of hybrid management particularly around the most common scenarios.

For the purposes of this post we’ll assume these pre-requisites have already been satisfied:

  • At least one Exchange Server 2013 Client Access Server (CAS15) and Mailbox Server (MBX15) role has been installed. One of each type separately or both residing on a single server e.g. in an interoperability environment featuring a previous edition of Exchange Server.
  • The Office 365 tenant version must be 15.0.000.0 or greater to configure a hybrid deployment with Exchange Server 2013. Consult the Office 365 site for latest details on licensing and pricing plans.
  • You’ve enabled coexistence via the Office 365 admin portal and performed all other pre-requisite steps as noted including proving coexistence domain ownership.
  • You have access to the “tenant administrator” Microsoft Account credentials which are necessary to access the Office 365 tenant.
  • All on-premises dependencies are in place e.g. Active Directory Synchronization installed.
  • The Hybrid Configuration wizard has been run successfully. This may have included upgrading your previous Hybrid Configuration settings if you were already using hybrid with Exchange 2010 and Office 365.
  • You are not using the built-in “administrator” recipient account. Read on for details on why this isn’t supported for hybrid management.

image
Figure 2: Hybrid Configuration wizard for the new Exchange as reviewed in a previous posting from Ben Appleby

The new Exchange Administration Center hybrid console

To start things off here’s an annotated guide to the new hybrid management console via Exchange Administrator Center (EAC) for the new Exchange:

image

A) “ENTERPRISE” and “OFFICE 365” pivots – use these to toggle between your on-premises deployment and your online Office 365 tenant

B) A single consolidated central list where all your notifications will appear regardless of where they originated or which pivot you’re currently using e.g. for tracking mailbox migrations from on-premises to Office 365.

C) A single list view containing all recipients from both premises

D) “Details pane” for remote (Office 365) hosted mailboxes

E) Mailbox migration entry point via navigation tab

What’s new in hybrid management for Exchange

The philosophy of hybrid for the new Exchange is dead simple: to provide you, the administrator, with a single familiar console that you can use from nearly anywhere to manage your all-up cross-premises organization.

Here’s a short list of what’s new:

1) We’re taking advantage of having the new full featured browser-based console for Exchange administrators, which means lower maintenance costs required to keep hybrid “Management Tools” installations up-to-date. Updating just your Exchange Server 2013 Mailbox servers will keep all your EAC admins up-to-date.

2) Depending upon the security configuration of the ECP (the protocol name for EAC) IIS virtual directory on the Mailbox servers you can choose to allow both external and internal administrator access or exclusively internal for domain joined machines.

3) From one browser tab you can control of all your recipients and organizational objects (e.g. address lists and policies).

4) A single consolidated set of Exchange Notifications across all premises.

5) Support for Single Sign-On via ADFS 2.0 – there will be future topics presented soon devoted to deploying and managing Single Sign On. More information on preparing to use Single Sign-On is available on Office 365.

image
Figure 4: ADFS Single Sign-On module for Hybrid mode

6) Manage “Another User …” cross-premises – to perform a help-desk scenario such as setting the out-of-office message on behalf of another user on vacation simply use the “Another user …” option next to your Display Name in the upper right hand corner of the console to view a complete list of recipients across all premises.

image
Figure 5: Managing "Another user  ..." merged Recipients view

Start using hybrid management mode for Exchange Server 2013

If you’ve already run the Hybrid Configuration wizard (HCW) or the Update-HybridConfiguration cmdlet directly in PowerShell then you are already using EAC’s hybrid mode. In fact, from the “Hybrid” tab in EAC once you click “enable” you’ll be asked for your Microsoft Account credentials and after your tenant is found you’ll be sent right back to EAC but this time running in hybrid mode.

Later on, there’s nothing special you need to do to enter hybrid mode after running the HCW successfully. This is because in addition to enabling key scenarios like mail flow and data sharing (aka free/busy) services cross-premises the wizard creates artifacts on-premises that when present will automatically enable hybrid mode for EAC. Specifically, Update-HybridConfiguration (via HCW) will create a special Remote-Domain object which, when EAC detects a –TargetDeliveryDomain (TDD) property, will start EAC hybrid mode automatically.

One of the biggest difference you’ll notice when using hybrid mode is that when you click the “Office 365” tab it will prompt you to sign into your online tenant via either your Microsoft Account or ADFS credentials. Note that for performance reasons EAC caches whether to use hybrid mode to avoid checking at every logon (the cache state is automatically refreshed every 30 minutes). If you’ve manually created a Remote Domain with a TDD and immediately need to start using hybrid mode you should restart IIS on your Exchange Server 2013 Mailbox servers.

image
Figure 6: Hybrid Configuration wizard entry point

Managing hybrid in an on-premises interoperability deployment

There are few fine points to consider when managing Hybrid in an on-premises interoperability environment where Exchange 2010 and/or Exchange 2007 servers exist.

In an interoperability deployment, be aware that there’s added functionality you should use with the URI you’re using to access your deployment when logging on if your admin mailbox isn’t on the new Exchange. These URI keys will not be added by default for you in most cases, but stay tuned for more information on future releases which may feature pre-built links. We highly recommend bookmarking URIs with any needed key/value pairings for easy reference.

Interoperability FeatureNotes

If your admin mailbox hasn’t yet been migrated to the new Exchange, you must use the “ExchClientVer=15” key/value to ensure you’re routed to an Exchange Server 2013 Mailbox server and not the one where your mailbox store resides.

This applies to “Mail User” accounts which do not have stores as well.

For example:

https://contoso.com /ecp?ExchClientVer=15

This applies to purely on-premises management as well. Exchange Server 2013 Client Access servers will by-default route to a Mailbox server based on the same version of the mailbox tied to the credentials.

This also applies to “Mail Users” too since although they don’t have a mailbox store they do contain a reference to the SYSTEM mailbox where they were first created unless it has been previously migrated.

When you’re installing Exchange Server 2013 on-premises on the final stage of the installer you’ll find a link which adds “ExchClientVer=15” automatically to help you easily navigate to EAC.

Use “cross=1” as a hint to use the ADFS authentication mode for Single Sign-On

For example:

https://contoso.com /ecp?ExchClientVer=15&cross=1

The shared OWA and ECP protocol authentication modules require a hint to use ADFS mode.

Note that the Outlook Web App virtual directory currently doesn’t support the ADFS authentication method.

Reminder that the use of the built-in “administrator” account in Exchange Server should not be used with hybrid management:

Attempting to use the “administrator” account for single sign-on (SSO) via ADFS will not let you manage the “Office 365” side of a hybrid deployment

This best practice applies to both interoperability and non-interoperability environments.

The built-in “administrator” account for Exchange isn’t synchronized between on-premises and your Office 365 tenant via Microsoft Online Directory Synchronization (“DirSync”)

If you attempt to use “administrator” for managing the hybrid tenant side you’ll see an error from ADFS because there is no corresponding “Mail User” account in Office 365.

The “administrator” user is not synchronized following the Directory Synchronization rules as it is notes: isCriticalSystemObject = TRUE in its object properties.

Managing your recipients in hybrid mode

A complete list of all recipients is available in the “ENTERPRISE” pivot under the “mailboxes” tab. There are few items you should be aware of when creating and managing new recipients in hybrid mode.

The simple rule to follow when provisioning or modifying any recipient with hybrid is to always use the on-premises “ENTERPRISE” side. This is due to mostly one-way synchronization nature of MSO Directory Synchronization services and ensures that both on-premises and the tenant have the same copies of all recipient Active Directory details.

image
Figure 7: On-premises mailboxes noted as Mail Users in an Office 365 tenant

Recipient TypeNotes
On-premises user mailboxes

Create as normal from the “ENTERPRISE” pivot.

These will be synchronized to the tenant and can be verified as synched by viewing the “contacts” tab in “Office 365” – see the figure above – where they’re created as “Mail Users” within the tenant.

By having the users reflected online as “Mail Users” a complete Global Address List (GAL) can be compiled.

User with primary mailbox on-premises and archive mailbox in Office 365 tenant

Archive mailboxes for on-premises primary mailboxes may be either initially created on the tenant – see the figure below – or migrated from on-premises.

User with Office 365 primary mailbox

Reflected as an “Office 365” mailbox in the “ENTERPRISE” side.

Remote objects which correspond to the “RecipientTypeDetails” the Get-Mailbox cmdlet output when viewed in PowerShell, are similar to Mail Users with a special parameter added (specifically the RemoteRoutingAddress) which instructs Microsoft Online Directory Synchronization to synch this Mail User to the Office 365 tenant.

Mail Contacts and Distribution Groups

These object types will automatically sync to the Office 365 side and reside in the same location on both sides.

Currently, on-premises groups with more than 15,000 members are filtered out (not synched) by the directory synchronization service.

Provisioning new mailboxes in Office 365

To provision a new Office 365 mailbox in hybrid mode begin in the on-premises “mailbox” tab then select the “Office 365” mailbox type in the dropdown list from the new icon. Creating a new mailbox in your tenant may impact your available client licenses – view available licenses and plans from the Office 365 portal using your Microsoft Account credentials.

image
Figure 8: Creating an Office 365 mailbox

You’ll notice that on the “Office 365” service side there is no option to create a mailbox from EAC in hybrid mode. This ensures that all new mailboxes are provisioned from the on-premises side for complete recipient copies. It may be possible for you to directly provision a new Office 365 mailbox from the Office 365 Portal directly but this should not be used in Hybrid deployments since this mailbox will not be “back-synced” from Office 365 to on-premises and mail flow problems may occur.

Modifying recipients is also not recommend or permitted in hybrid mode from the “Office 365” side as this would result in the recipient being out-of-date on one side of the cross-premises deployment. In fact, this operation is blocked by Role-Based Access Control (RBAC) runtime validation rules to prevent divergence of copies (see the error message below).

image
Figure 9: Edit to recipient in service side blocked to avoid divergence

Much more to come soon!

We hope that you’re as excited as we are about the new hybrid mode for the Exchange Administration Center! Look for more articles covering topics such as Migration, Single Sign-On via ADFS, and debugging for hybrid soon.

Warren Johnson