“I am on Exchange 2007 On-Premise – Where do I go from here?” If that sounds familiar, you may be one of many Exchange 2007 administrators looking for options to move to a pure cloud deployment, a hybrid deployment, or an on-premises deployment of the current Exchange 2013 release. Mohammed Abdul Rafey, Senior Premier Field Engineer from Microsoft India, presents his views on the subject as three separate roadmaps, each catering to a different type of deployment. In this post we cover the first of the roadmaps.
In my role as a Premier Field Engineer for Exchange, I regularly meet customers asking for the way forward from their current Exchange 2007 environment. The three most logical courses for an Exchange 2007 organization are a move to a pure cloud (Exchange Online) deployment, a hybrid deployment, or an on-premises upgrade to Exchange 2013.
In a series of posts, I will present options for an environment that currently has an on-premises Exchange 2007 organization. This first installment describes the hybrid deployment: you create a new Exchange Online organization in Office 365 and connect it to your existing on-premises Exchange organization by configuring Active Directory synchronization and running the Hybrid Configuration wizard on an Exchange 2013 server that you add to the existing organization.
After configuring the hybrid deployment, the following features are enabled between the organizations:
Mailbox location
Before hybrid deployment: Mailboxes on-premises only.
After hybrid deployment: Mailboxes on-premises and in Exchange Online.

Message transport
Before hybrid deployment: On-premises Hub Transport servers handle all inbound and outbound message routing.
After hybrid deployment: The on-premises Exchange 2007 Hub Transport server handles inbound and outbound message routing between the on-premises and Exchange Online organizations and the Internet. The Exchange 2013 server handles internal message routing between the on-premises and Exchange Online organizations.

Outlook Web App
Before hybrid deployment: The on-premises Exchange 2007 Client Access server receives all Outlook Web App requests and displays mailbox information.
After hybrid deployment: The on-premises Exchange 2013 server redirects Outlook Web App requests to the on-premises Exchange 2007 Client Access server, or provides a link to log on to the Exchange Online organization.

Unified GAL for both organizations
Before hybrid deployment: Not applicable; single organization only.
After hybrid deployment: The on-premises Active Directory synchronization server replicates Active Directory information for mail-enabled objects to the Exchange Online organization.

Single sign-on used for both organizations
Before hybrid deployment: Not applicable; single organization only.
After hybrid deployment: The on-premises Active Directory Federation Services (AD FS) server supports using single sign-on credentials for mailboxes located either on-premises or in the Office 365 organization.

Organization relationship and federation trust with the Microsoft Federation Gateway
Before hybrid deployment: A trust with the Microsoft Federation Gateway and organization relationships with other federated Exchange organizations may be configured.
After hybrid deployment: A trust with the Microsoft Federation Gateway is required. An organization relationship is established between the on-premises and Exchange Online organizations.

Free/busy sharing
Before hybrid deployment: Free/busy sharing between on-premises users only.
After hybrid deployment: Free/busy sharing between on-premises and Exchange Online users.
The following considerations should be kept in mind before you select this migration option.
Single sign-on enables users to access both the on-premises and Office 365 organizations with a single user name and password. It gives users a familiar sign-on experience and lets administrators control account policies (password complexity, lockout, expiry) for Exchange Online mailboxes with on-premises Active Directory tools, because authentication still happens against the on-premises directory. Deploying single sign-on means building an on-premises Active Directory Federation Services (AD FS) farm and configuring the federation trust between it and the Office 365 identity platform (Azure Active Directory). That trust is separate from the Exchange federation trust with the Microsoft Federation Gateway used for free/busy and organization relationships; the two are configured independently. Because the AD FS farm becomes the authentication path for every cloud mailbox, treat it as tier-0 infrastructure: guard its token-signing certificate closely and publish it to the Internet through an AD FS proxy in the perimeter network rather than exposing the federation server itself.
Do you want inbound Internet mail for both on-premises and Exchange Online mailboxes to enter through your on-premises organization, or through EOP and the Exchange Online organization? Either is possible. The inbound path is decided by where the MX record for your shared SMTP domain points; centralized mail transport governs the outbound path.
Do you want outbound mail to external recipients from Exchange Online mailboxes to go through your on-premises organization (centralized mail transport), or directly to the Internet? With centralized mail transport, all mail from Exchange Online mailboxes is routed through the on-premises organization before delivery to the Internet. This is useful when a compliance requirement says every message to and from the Internet must pass through on-premises servers (an on-premises DLP gateway or journaling system, for example). Otherwise, configure Exchange Online to deliver mail for external recipients directly to the Internet.
Centralized mail transport is only recommended for organizations with specific compliance-related transport needs; for a typical Exchange organization, leave it disabled. Note that enabling it puts your on-premises Internet link and transport servers in the delivery path of every cloud mailbox, so they become a single point of failure and must be sized for the combined volume.
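To see which way a hybrid deployment is actually routing mail, the following added example (not part of the original post) queries both sides of the hybrid. It assumes the first function runs in the Exchange 2013 Management Shell on-premises and the second in a remote PowerShell session to Exchange Online; the pattern mail.onmicrosoft.com stands in for your tenant's coexistence domain, and the function names are mine.

```powershell
# Added example, not from the original post. Reviews where a hybrid deployment routes mail.
# Assumptions: run Get-OnPremHybridTransport in the Exchange 2013 Management Shell and
# Get-CloudHybridTransport in a remote PowerShell session to Exchange Online. The address
# space pattern 'mail.onmicrosoft.com' is a placeholder for your coexistence domain.

# ---- On-premises: Exchange 2013 Management Shell ----
function Get-OnPremHybridTransport {
    $hybrid = Get-HybridConfiguration
    # 'Centralized' appears in Features only when centralized mail transport is enabled.
    $centralized = [bool]($hybrid.Features -match '^Centralized$')
    # The Send connector the Hybrid Configuration wizard created points at the coexistence
    # domain; it should require TLS so that mail to Exchange Online is never sent in clear.
    $send = Get-SendConnector |
        Where-Object { $_.AddressSpaces -match 'mail\.onmicrosoft\.com' } |
        Select-Object -First 1
    [pscustomobject]@{
        CentralizedTransport = $centralized
        SendConnector        = $send.Name
        SmartHosts           = ($send.SmartHosts -join ',')
        RequireTLS           = $send.RequireTLS
        TlsAuthLevel         = $send.TlsAuthLevel
        TlsDomain            = $send.TlsDomain
    }
}
Get-OnPremHybridTransport | Format-List

# ---- Exchange Online: remote PowerShell session ----
function Get-CloudHybridTransport {
    # RouteAllMessagesViaOnPremises is the switch that centralized transport actually flips:
    # when $true, every Internet-bound message from a cloud mailbox hairpins through on-premises.
    $out = Get-OutboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' } | Select-Object -First 1
    $in  = Get-InboundConnector  | Where-Object { $_.ConnectorType -eq 'OnPremises' } | Select-Object -First 1
    [pscustomobject]@{
        OutboundConnector        = $out.Name
        RouteAllViaOnPremises    = $out.RouteAllMessagesViaOnPremises
        OutboundSmartHosts       = ($out.SmartHosts -join ',')
        OutboundTlsSettings      = $out.TlsSettings
        OutboundTlsDomain        = $out.TlsDomain
        InboundConnector         = $in.Name
        InboundRequireTls        = $in.RequireTls
        InboundTlsSenderCertName = $in.TlsSenderCertificateName
    }
}
Get-CloudHybridTransport | Format-List
```

If the on-premises report shows CentralizedTransport as False but the cloud report shows RouteAllViaOnPremises as True (or vice versa), someone has edited a connector outside the wizard; re-run the Hybrid Configuration wizard rather than patching connectors by hand, because it rewrites both sides consistently.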
An Edge Transport server is typically deployed in the organization's perimeter network and is designed to minimize the Internet-facing attack surface. If you don't want to expose your internal Mailbox server to the Internet, choose the Edge Transport option when the Hybrid Configuration wizard asks; a later post will show how to add an Exchange 2010 Edge Transport server to the hybrid deployment. The Edge Transport server works with the internal Mailbox servers to route messages between the on-premises and Exchange Online organizations, and it is the host whose external FQDN and certificate Exchange Online sees, so that FQDN must be on the hybrid certificate (see the certificate requirements below).
Active Directory synchronization between the on-premises and Office 365 organizations is a requirement for configuring a hybrid deployment. The Office 365 service has an upper limit of 50,000 mail-enabled Active Directory objects that can be replicated to the cloud-based organization. If your Active Directory contains more than 50,000 such objects, contact the Microsoft Online Services support team to open a service request for an exception, stating the number of objects you need to synchronize. Count before you order the tooling: the number is rarely known precisely in an organization that has grown through mergers.
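As an added example (not from the original post), the following counts the objects directory synchronization would replicate so you can compare against the 50,000-object limit above. It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined machine; the function name and the default of searching the whole domain are mine.

```powershell
# Added example, not from the original post. Counts Active Directory objects that
# directory synchronization will replicate, to compare against the 50,000-object limit.
# Assumptions: ActiveDirectory module (RSAT) installed, domain-joined machine,
# default SearchBase is the whole domain. Function name is illustrative.
Import-Module ActiveDirectory

function Get-DirSyncObjectEstimate {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [int]$Limit = 50000
    )
    # Mail-enabled objects are what the limit in the text refers to.
    $mailFilters = [ordered]@{
        MailUsers    = '(&(objectCategory=person)(objectClass=user)(mail=*))'
        MailContacts = '(&(objectClass=contact)(mail=*))'
        MailGroups   = '(&(objectClass=group)(mail=*))'
    }
    $result = [ordered]@{}
    foreach ($kind in $mailFilters.Keys) {
        $result[$kind] = @(Get-ADObject -LDAPFilter $mailFilters[$kind] -SearchBase $SearchBase).Count
    }
    $mailTotal = ($result.Values | Measure-Object -Sum).Sum

    # Without OU or attribute filtering, the sync tool also replicates users, contacts and
    # groups that carry no mail address, so count those as the worst-case upper bound.
    $allFilter = '(|(&(objectCategory=person)(objectClass=user))(objectClass=contact)(objectClass=group))'
    $allTotal  = @(Get-ADObject -LDAPFilter $allFilter -SearchBase $SearchBase).Count

    $result['MailEnabledTotal']  = $mailTotal
    $result['AllSyncableTotal']  = $allTotal
    $result['OverLimit']         = ($mailTotal -gt $Limit)   # exception request needed
    $result['OverLimitUnfiltered'] = ($allTotal -gt $Limit)  # only if you sync everything
    [pscustomobject]$result
}

Get-DirSyncObjectEstimate | Format-List
```

Run it against each domain in a multi-domain forest (pass the domain's distinguished name as -SearchBase) and add the totals; synchronization is forest-wide, not per domain.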
You manage a hybrid deployment in Exchange 2013 through a single unified management console for both the on-premises and Exchange Online organizations. The Exchange admin center (EAC), which replaces the Exchange Management Console and the Exchange Control Panel, lets you connect to and configure features for both organizations. When you run the Hybrid Configuration wizard for the first time, you are prompted to connect to your Exchange Online organization, and you must use an Office 365 account that is a member of the Organization Management role group to do so. That account can administer every mailbox in the tenant, so use a dedicated administrative account rather than a day-to-day user account, and keep its membership in Organization Management under review.
Digital certificates (SSL/TLS) play a significant role in a hybrid deployment: they secure the SMTP and web-service traffic between the on-premises hybrid server and the Exchange Online organization, and several hybrid features can't be configured without them. The certificate used for hybrid secure mail must be issued by a trusted third-party CA; Exchange Online won't accept a self-signed certificate on the transport connectors. If you already use certificates from a public CA in your Exchange organization, you may have to reissue them to include additional domains or buy additional certificates; if you don't, you'll need to buy one or more certificates from a trusted CA. The certificate, with its private key, must be installed on every server that terminates the hybrid connection, including any Edge Transport server.
The following outlines the minimum suggested FQDNs that should be included on certificates configured for use in a hybrid deployment.

Primary shared SMTP domain
Servers: Client Access and Mailbox servers
FQDN: Label that matches the primary shared SMTP domain, such as contoso.com

Autodiscover
Servers: Client Access servers
FQDN: Label that matches the external Autodiscover FQDN of your Exchange 2013 Client Access server, such as autodiscover.contoso.com

Edge Transport (if deployed)
Servers: Edge Transport servers
FQDN: Label that matches the external FQDN of your Edge Transport servers, such as edge.contoso.com
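The following added example (not from the original post) checks a certificate's names against that list with correct wildcard semantics, a point the list leaves implicit. The required names and the constructed sample certificates use the contoso.com placeholders from the table; the function name is mine.

```powershell
# Added example, not from the original post. Checks that a certificate carries every FQDN
# the list above asks for, honouring wildcard rules. Required names and the constructed
# sample certificate names (contoso.com, mail.contoso.com, ...) are placeholders.

function Test-HybridCertificateNames {
    param(
        [Parameter(Mandatory)][string[]]$CertificateNames,  # subject CN plus SAN DNS names
        [Parameter(Mandatory)][string[]]$RequiredNames      # FQDNs from the list above
    )
    $missing = foreach ($required in $RequiredNames) {
        $covered = $false
        foreach ($name in $CertificateNames) {
            if ($name -eq $required) { $covered = $true; break }   # -eq is case-insensitive
            # A wildcard matches exactly one label: *.contoso.com covers autodiscover.contoso.com
            # but neither contoso.com itself nor edge.dmz.contoso.com.
            if ($name.StartsWith('*.')) {
                $suffix = $name.Substring(1)                         # ".contoso.com"
                if ($required.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                    $leftLabel = $required.Substring(0, $required.Length - $suffix.Length)
                    if ($leftLabel -and $leftLabel -notmatch '\.') { $covered = $true; break }
                }
            }
        }
        if (-not $covered) { $required }
    }
    [pscustomobject]@{
        Ok      = (@($missing).Count -eq 0)
        Missing = @($missing)
    }
}

$required = 'contoso.com', 'autodiscover.contoso.com', 'edge.contoso.com'

# Constructed sample 1: a typical pre-hybrid web certificate that has the web names but
# neither the shared SMTP domain nor the Edge Transport name.
Test-HybridCertificateNames -CertificateNames 'mail.contoso.com', 'autodiscover.contoso.com' `
                            -RequiredNames $required

# Constructed sample 2: a wildcard certificate, which still lacks the bare domain.
Test-HybridCertificateNames -CertificateNames '*.contoso.com' -RequiredNames $required

# On an Exchange 2013 server, test the real certificate bound to SMTP. Self-signed
# certificates are skipped because Exchange Online will not accept them for hybrid transport.
# $cert = Get-ExchangeCertificate |
#         Where-Object { $_.Services -match 'SMTP' -and -not $_.IsSelfSigned } |
#         Select-Object -First 1
# Test-HybridCertificateNames -CertificateNames $cert.CertificateDomains -RequiredNames $required
```

With the first sample the function reports contoso.com and edge.contoso.com as missing; with the wildcard certificate it reports only contoso.com, which is why a wildcard certificate on its own never satisfies the list and the bare shared domain has to be added as an explicit SAN entry.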
Your network connection to the Internet directly affects communication between the on-premises and Exchange Online organizations, and most visibly the mailbox moves themselves: in this scenario the mailbox data lives on Exchange 2007 and is pulled by Exchange Online through the Mailbox Replication Service proxy on the Exchange 2013 server, so that server's Internet path is the bottleneck. Available bandwidth, mailbox size and the number of mailboxes moved in parallel together determine how long a migration batch takes. Other Office 365 cloud-based services, such as SharePoint Online and Lync Online, compete for the same link.
Before moving mailboxes to the Exchange Online organization, you should therefore measure each of those inputs: the bandwidth actually available to Office 365 from the Exchange 2013 server, the size of the mailboxes to be moved, and the number of moves you can run in parallel, and use them to estimate how long each migration batch will take.
Exchange uses the AD RMS servers in the Active Directory forest in which it is installed. Your on-premises Exchange 2007 servers use the on-premises AD RMS server; the Exchange Online organization uses AD RMS servers maintained in the Office 365 datacenters. Each organization's AD RMS configuration is independent of the other.
AD RMS configuration, and therefore IRM configuration, isn't replicated between the on-premises and Exchange Online organizations, and AD RMS templates you've defined on-premises aren't copied to Exchange Online. If you want the same templates available in Exchange Online, you must export the trusted publishing domain and its templates from the on-premises AD RMS cluster and import them into the cloud organization (Import-RMSTrustedPublishingDomain). Until you do, Exchange Online can't apply or decrypt those templates, for example in Outlook Web App, so sequence the export before the first mailbox moves.
Mobile devices are supported in a hybrid deployment. If Exchange ActiveSync is already enabled on Client Access servers, they’ll continue to redirect requests from mobile devices to mailboxes located on the on-premises Mailbox server. For mobile devices connecting to existing mailboxes that are moved from the on-premises organization to Exchange Online, the Exchange ActiveSync partnership must be disabled and re-established before redirection requests are processed correctly. All mobile devices that support Exchange ActiveSync should be compatible with a hybrid deployment.
Do you have end users who need BlackBerry devices? If so, confirm before moving their mailboxes that their BlackBerry service supports an Exchange Online mailbox, and schedule those users accordingly.
We recommend that your clients use Outlook 2013 or Outlook 2010 for the best experience and performance in the hybrid deployment. Outlook 2007 and earlier clients have limited support in hybrid deployments and with the Office 365 service. In every case the client must be able to reach Autodiscover, because that is how Outlook learns that a mailbox has moved to Exchange Online.
To create mailboxes in, or move mailboxes to, an Exchange Online organization, you need to sign up for Office 365 for enterprises and you must have licenses available. When you sign up for Office 365, you'll receive a specific number of licenses that you can assign to new mailboxes or mailboxes moved from the on-premises organization. Each mailbox in the Exchange Online service must have a license.
Mailboxes moved to the Exchange Online organization are automatically provided with antivirus and anti-spam protection by Exchange Online Protection (EOP). You may need to purchase additional EOP licenses for your on-premises users if you choose to route all incoming Internet mail through the EOP service. Evaluate carefully whether the EOP protection in your Exchange Online organization also meets the antivirus and anti-spam needs of your on-premises organization. If you already have protection in place for your on-premises organization, you may need to upgrade or reconfigure your on-premises antivirus and anti-spam solutions so that mail arriving by either path is scanned.
Public folders are now supported in Office 365, and on-premises public folders can be migrated to Exchange Online. Additionally, public folders on Exchange Online can be moved to the on-premises Exchange 2013 organization. Both on-premises and Exchange Online users can access public folders located in either organization using Outlook Web App, Outlook 2013, Outlook 2010 SP2, or Outlook 2007 SP3. Existing on-premises public folder configuration and access for on-premises mailboxes doesn’t change when you configure a hybrid deployment.
In the next blog in this series, I will discuss the prerequisites for the Hybrid Roadmap and discuss the other two roadmaps as well.
Original content from Abdul Rafey Mohammed; posted by MSPFE editor Arvind Shyamsundar