“I am on Exchange 2007 On-Premise – Where do I go from here?” If that sounds familiar, you may be one of many Exchange 2007 administrators who are looking for options to move into a pure Cloud, or Hybrid or maybe an on-premise deployment of the current Exchange 2013 software. Mohammed Abdul Rafey, Senior Premier Field Engineer from Microsoft India, presents his views on the subject by providing three separate roadmaps, each catering to a different type of deployment. In this post we cover the first of the roadmaps.


In my role as a Premier Field Engineer for Exchange, I normally encounter situations where our customers ask us the way forward for their current Exchange 2007 environment. The three most logical courses for an Exchange 2007 organization are:

  1. To develop as a hybrid organization with Office 365
  2. Move to a pure Office 365 Exchange Online tenant
  3. Migrate to the latest Exchange version Exchange 2013

 

In a series of posts, I will present options for an environment where we currently have an On-Premises Exchange 2007 Organization. In this first installment, we describe hybrid deployment - when you create a new Exchange Online Exchange organization in Office 365 and then connect it to your existing on-premises Exchange organization by configuring Active Directory synchronization and using the Hybrid Configuration wizard.

Features of Hybrid deployments

After configuring the hybrid deployment, the following features are enabled between the organizations:

  • Secure mail routing between on-premises and Exchange Online organizations.
  • Mail routing with a shared domain namespace. For example, both on-premises and Exchange Online organizations use the @contoso.com SMTP domain.
  • A unified global address list (GAL), also called a “shared address book.”
  • Free/busy calendar information sharing between on-premises and Exchange Online organizations.
  • Centralized control of inbound and outbound mail flow. You can configure all inbound and outbound Exchange Online messages to be routed through the on-premises Exchange organization.
  • A single Microsoft Office Outlook Web App URL for both the on-premises and Exchange Online organizations.
  • The ability to move existing on-premises mailboxes to the Exchange Online organization. Exchange Online mailboxes can also be moved back to the on-premises organization if needed.
  • Centralized mailbox management using the on-premises Exchange Administration Center (EAC).
  • Message tracking, MailTips, and multi-mailbox search between on-premises and Exchange Online organizations.
  • Cloud-based message archiving for on-premises Exchange mailboxes. Exchange Online Archiving can be used with a hybrid deployment.

 

Hybrid deployment of Exchange

Changes to consider in a Hybrid deployment

Configuration

Before hybrid deployment

After hybrid deployment

Mailbox location

Mailboxes on-premises only.

Mailboxes on-premises and in Exchange Online.

Message transport

On-premises Hub Transport servers handle all inbound and outbound message routing.

On-premises Exchange 2007 Hub Transport server handles inbound and outbound message routing between both the on-premises and Exchange Online organization and the Internet

The Exchange 2013 server handles internal message routing between the on-premises and Exchange Online organization.

Outlook Web App

On-premises Exchange 2007 Client Access server receives all Outlook Web App requests and displays mailbox information.

On-premises Exchange 2013 server redirects Outlook Web App requests to either the on-premises Exchange 2007 Client Access server or provides a link to log on to the Exchange Online organization.

Unified GAL for both organizations

Not applicable; single organization only.

On-premises Active Directory synchronization server replicates Active Directory information for mail-enabled objects to the Exchange Online organization.

Single-sign on used for both organizations

Not applicable; single organization only.

On-premises Active Directory Federation Services (AD FS) server supports using single-sign on credentials for mailboxes located either on-premises or in the Office 365 organization.

Organization relationship established and a federation trust with Microsoft Federation Gateway

Trust relationship with the Microsoft Federation Gateway and organization relationships with other federated Exchange organizations may be configured.

Trust relationship with the Microsoft Federation Gateway is required. Organization relationships are established between the on-premises and Exchange Online organization.

Free/busy sharing

Free/busy sharing between on-premises users only.

Free/busy sharing between both on-premises and Exchange Online users.

Decision points before you select Hybrid

The following considerations should be kept in mind before you select this migration option.

Do you want all users to use their on-premises credentials when they log on to their Exchange Online mailbox?

    Single sign-on enables users to access both the on-premises and Microsoft Office 365 organizations with a single user name and password. Single sign-on provides users with a familiar sign-on experience and allows administrators to easily control account policies for Exchange Online organization mailboxes by using on-premises Active Directory management tools. Deploying single sign-on includes several components that configure the trust relationship between the on-premises Active Directory Federation Services (AD FS) server and the Microsoft Federation Gateway.

    How do you want to route inbound Internet mail for both your on-premises and Exchange Online mailboxes?

    Do you want to route inbound Internet mail for both your on-premises and Exchange Online mailboxes through Microsoft Office 365 and EOP or through your on-premises organization? In that case, you can choose to route inbound Internet mail for both organizations through your on-premises organization or through EOP and the Exchange Online organization. The route that inbound messages for both organizations take depends on whether you enable centralized mail transport in your hybrid deployment.

    Do you want to route outbound mail to external recipients from your Exchange Online organization through your on-premises organization (centralized mail transport), or do you want to route it directly to the Internet? With centralized mail transport, you can route all mail from mailboxes in the Exchange Online organization through the on-premises organization before they’re delivered to the Internet. This approach is helpful in compliance scenarios where all mail to and from the Internet must be processed by on-premises servers. Alternately, you can configure Exchange Online to deliver messages for external recipients directly to the Internet.

    Centralized mail transport is only recommended for organizations with specific compliance-related transport needs. Our recommendation for typical Exchange organizations is not to enable centralized mail transport.

      Do you want mail sent between your Exchange Online and on-premises organizations to go through an Edge Transport server?

      An Edge Transport server is typically deployed on a computer located in an Exchange organization's perimeter network and is designed to minimize the attack surface of the organization. If you don’t want to expose your internal Mailbox server to the Internet, answer Yes, and later we’ll show you how to add an Exchange 2010 Edge Transport server to your hybrid deployment. The Edge Transport server works with internal Mailbox servers in the on-premises Exchange organization to route messages between the on-premises and Exchange Online organizations.

        Environmental Considerations

        Active Directory synchronization

        AD sync between the on-premises and Office 365 organizations is a requirement for configuring a hybrid deployment. The Office 365 service has an upper limit for replicating mail-enabled Active Directory objects to the cloud-based organization of 50,000 objects. If your Active Directory environment contains more than 50,000 objects, contact the Microsoft Online Services support team to open a service request for an exception and indicate the number of objects you need to synchronize.

        Management

        You manage a hybrid deployment in Exchange 2013 via a single unified management console that allows for managing both your on-premises and Office 365 Exchange Online organizations. The Exchange admin center (EAC), which replaces the Exchange Management Console and the Exchange Control Panel, allows you to connect and configure features for both organizations. When you run the Hybrid Configuration wizard for the first time, you will be prompted to connect to your Exchange Online organization. You must use an Office 365 account that is a member of the Organization Management role group to connect the EAC to your Exchange Online organization.

        Certificates

        Secure Sockets Layer (SSL) digital certificates play a significant role in configuring a hybrid deployment. They help to secure communications between the on-premises hybrid server and the Exchange Online organization. Certificates are a requirement to configure several types of services. If you're already using digital certificates in your Exchange organization, you may have to modify the certificates to include additional domains or purchase additional certificates from a trusted certificate authority (CA). If you aren't already using certificates, you will need to purchase one or more certificates from a trusted CA.

        The following table outlines the minimum suggested FQDNs that should be included on certificates configured for use in a hybrid deployment.

        Service

        Server

        Suggested FQDN

        Primary shared SMTP domain

        Client Access and Mailbox servers

        Contoso.com

        Autodiscover

        Client Access servers

        Label that matches the external Autodiscover FQDN of your Exchange 2013 Client Access server, such as autodiscover.contoso.com

        Transport

        Edge Transport servers

        Label that matches the external FQDN of your Edge Transport servers, such as edge.contoso.com

         

        Bandwidth

        Your network connection to the Internet will directly impact the communication performance between your on-premises organization and the Exchange Online organization. This is particularly true when moving mailboxes from your on-premises Exchange 2013 server to the Exchange Online organization. The amount of available network bandwidth, in combination with mailbox size and the number of mailboxes moved in parallel, will result in varied times to complete mailbox moves. Additionally, other Office 365 cloud-based services, such as Microsoft SharePoint 2013 and Microsoft Lync Server 2013, may also affect the available bandwidth for messaging services.

        Before moving mailboxes to the Exchange Online organization, you should:

        • Determine the average mailbox size for mailboxes that will be moved to the Exchange Online organization.
        • Determine the average connection and throughput speed for your connection to the Internet from your on-premises organization.
        • Calculate the average expected transfer speed, and plan your mailbox moves accordingly
        • More details are available at this page

         

        Information Rights Management (IRM)

        Exchange uses AD RMS servers in the Active Directory forest in which the Exchange server is installed. For your on-premises Exchange 2007 servers, the on-premises AD RMS server is used. For your Exchange Online organization, AD RMS servers that are maintained within the Microsoft Office 365 datacenters are used. The AD RMS configuration that each Exchange organization uses is independent of any other AD RMS deployment.

        AD RMS configuration, and therefore IRM configuration, isn't automatically replicated between your on-premises Exchange organization and the Exchange Online organization. Any AD RMS templates that you've defined aren't automatically copied to the Exchange Online organization. If you want the same AD RMS templates to be available in the Exchange Online organization, you must manually export the templates from your on-premises organization and apply them to the cloud-based organization. More details are available here.

        Mobile Devices

        Mobile devices are supported in a hybrid deployment. If Exchange ActiveSync is already enabled on Client Access servers, they’ll continue to redirect requests from mobile devices to mailboxes located on the on-premises Mailbox server. For mobile devices connecting to existing mailboxes that are moved from the on-premises organization to Exchange Online, the Exchange ActiveSync partnership must be disabled and re-established before redirection requests are processed correctly. All mobile devices that support Exchange ActiveSync should be compatible with a hybrid deployment.

        Do we have end users who need to use Blackberry? If yes - we may need to check if their mailbox can be moved to cloud.

        Client Requirements

        We recommend that your clients use Outlook 2013 or Outlook 2010 for the best experience and performance in the hybrid deployment. Pre-Outlook 2010 clients have limited support in hybrid deployments and with the Office 365 service.

        Licensing for Office365

        To create mailboxes in, or move mailboxes to, an Exchange Online organization, you need to sign up for Office 365 for enterprises and you must have licenses available. When you sign up for Office 365, you'll receive a specific number of licenses that you can assign to new mailboxes or mailboxes moved from the on-premises organization. Each mailbox in the Exchange Online service must have a license.

        Anti-virus and Anti-Spam Services

        Mailboxes moved to the Exchange Online organization are automatically provided with antivirus and anti-spam protection by Microsoft Exchange Online Protection (EOP). You may need to purchase additional EOP licenses for your on-premises users if you chose to route all incoming Internet mail through the EOP service. We recommend that you carefully evaluate whether the EOP protection in your Exchange Online organization is also appropriate to meet the antivirus and anti-spam needs of your on-premises organization. If you have protection in place for your on-premises organization, you may need to upgrade or configure your on-premises antivirus and anti-spam solutions for maximum protection across your organization.

        Public Folders

        Public folders are now supported in Office 365, and on-premises public folders can be migrated to Exchange Online. Additionally, public folders on Exchange Online can be moved to the on-premises Exchange 2013 organization. Both on-premises and Exchange Online users can access public folders located in either organization using Outlook Web App, Outlook 2013, Outlook 2010 SP2, or Outlook 2007 SP3. Existing on-premises public folder configuration and access for on-premises mailboxes doesn’t change when you configure a hybrid deployment.

        Next time!

        In the next blog in this series, I will discuss the prerequisites for the Hybrid Roadmap and discuss the other two roadmaps as well.


        Original content from Abdul Rafey Mohammed; posted by MSPFE editor Arvind Shyamsundar