** IMPORTANT: This blog includes old instructions for manual configuration of Exchange Hybrid. This method is no longer supported and instead you should be using the Hybrid Configuration Wizard as documented here: http://technet.microsoft.com/en-us/library/hh529921(v=exchg.150).aspx
** Updated 24-08-2011 to include enable-OrganizationCustomization step as an optional extra.
I have been working with a number of customers and consultants recently who have been keen to explain to me just how difficult they are finding the configuration of Exchange Rich Coexistence or Hybrid Deployment as its now known with Office 365, and to be fair I agree, its definitely not as simple as we would like. We do have improvements coming in Exchange Server 2010 SP2 that will simplify this process, but I thought that I would post this to attempt to help out with some basics…
During the early adopter programs and beta this was known as Exchange Rich Coexistence and it is essentially a way to share availability data between your on premises Exchange Organisation and your Office 365 tenant. This type of deployment is extremely useful both for large migrations and where organisations wish to split their users permanently into a hybrid configuration, where some users are provisioned in the Office 365 service and some remain on premises. The basic idea behind the solution is that users shouldn't need to know where their mailbox is located and instead should just be able to arrange meetings and see availability data for everyone, regardless of their location.
To keep this post relatively brief I have decided not to walk through tasks that are relatively well understood, such as installing Exchange Server 2010 and publishing EWS. Instead I have assumed that several tasks have already been completed…
Cross organisation availability sharing uses the availability service, which is built on Exchange Web Services (EWS). This means that your on premises Exchange organisation must have a published EWS endpoint with a valid public certificate attached, plus a few other things.
So.. with that in mind, this is what we really need…
In reality of course most Office 365 enterprise deployments require ADFS and Directory Synchronisation to meet design requirements, which adds to our list..
Note: Since all of my customers are working with ADFS and Directory Sync the rest of this post assumes that you have already configured them and they are working correctly…
It is assumed that the following tasks have been completed…
Before we begin it is important that we verify that a few things are working….
Microsoft Federation Gateway Trust To test the MFG trust we need to issue the “test-federationtrust” PowerShell commandlet from our on premises Exchange Server 2010 server… it is vital that all of the test outputs show as “Success”
Exchange Web Services To test Exchange Server 2010 EWS on premises use the Exchange Remote Connectivity Analyzer…
Complete the “Microsoft Exchange Web Services Connectivity Tests”
TIP: The EWS test requires an empty mailbox, so create a new “ewstest” mailbox and logon to it via OWA or Outlook prior to running the test to ensure that it is functioning properly… once you have logged on to the mailbox and checked that it is empty, then progress on to the RCA EWS test…
OK, so now we are ready to begin some configuration… we will follow this order to get things up and running…
Create service domain
The service domain is used primarily for forwarding SMTP E-mail from on premises to the Office 365 tenant. We cannot use the *.onmicrosoft.com namespace given to all users since that name is blocked from the Office 365 DIRSYNC process. This is a problem since we need to stamp the service domain as a proxyAddress for all on premises users to ensure that when we migrate a user and set the service domain to be the targetAddress it matches the right user in the Office 365 tenant. The service domain also acts as targetAddress for availability requests for Office 365 mailbox.
TIP: To make things easier it is recommended to use a subdomain of your primary SMTP domain for the service domain. In my lab the primary smtp domain is groovycloud.co.uk, so I will use service.groovycloud.co.uk as my service domain.
Use the following blog to establish a remote PowerShell session to your Office 365 Tenant –
NOTE: This is NOT the same as connecting to your Exchange tenant PowerShell in Office 365..
Tip: This is a useful thing to remember, so save the blog URL for future administration tasks with Office 365…
Once you have established your Office 365 remote PowerShell session, lets check some settings by running…
We are looking primarily for the authentication type of the parent domain, in my case it is a federated domain that passes authentication requests back to an on premises ADFS 2.0 infrastructure.
Now we can create our service domain. Note that you need to replace the Authentication type to be the same as reported in the previous step.
Note: Since this is a subdomain of a previously verified domain, Office 365 will not require that you re-verify the domain.
Now we have our service domain, we need to provide it with DNS information for MX record to ensure that SMTP traffic destined for the domain is routed appropriately and an Autodiscover CNAME record to ensure that Autodiscover works correctly…
Contact your DNS Registrar and ask for the following records to be created…
Note: You can continue the configuration while waiting for these records to be created.
The final things we need to do with our service domain is to add it as a Remote Domain, Accepted Domain and add a proxyAddress for our on premises Exchange users.
Adding the Service Domain as an Accepted Domain…
Adding the Service Domain as a Remote Domain and setting it as our “BPOS” Domain (TargetDeliveryDomain $true)
Adding the service domain to all users proxyAddresses…
The easiest way to achieve this is to edit the E-mail Address Policy. In my case I only have a single “Default Policy”, so I will add the service domain in there…
Tip: If this is the first time you have attempted to edit your E-mail Address policy since installing Exchange Server 2010 you may need to upgrade it. If like me you only have a single policy you can upgrade with the following Exchange Server 2010 PowerShell command…
Once upgraded, edit the policy and apply to all users.
Note: If you cannot do this, then you will need to either script the proxyAddress update or perform a manual update on each user.
Once all of these tasks are completed, either wait for your scheduled directory synchronisation to complete or force directory synchronisation by following the instructions here..
This process is performed on premises in the Exchange 2010 Management Console. However, before we continue we need to know what our Office 365 tenant POD name and EWS namespace is…
Configuring the Org Relationship…
Once the Org Relationship has been created we need to modify a few settings in PowerShell…
Firstly we need to see what the settings are…
Enable Mailtips… Thesesettings enables mailtips to work between Exchange Org’s
Check that the correct domain names are listed on the Organisation Relationship… As general rule the following should be listed as a minimum…
Use the following command to write the correct domain names on the Org Relationship…
Set the TargetOwaURL to enable OWA redirection… Note that the URL should end with your federated namespace to ensure that users are directed to the correct authentication platform. This should match the domain portion of the UPN that users use to login to Office 365 with.
Example of a working OnPrem Organisation Relationship…
[PS] C:\Windows\system32>Get-OrganizationRelationship | fl
RunspaceId : 75c03ec6-47bb-4070-807d-ec2a09d112f1
DomainNames : {service.groovycloud.co.uk, groovycloud.co.uk, neiljohn.onmicrosoft.com}
FreeBusyAccessEnabled : True
FreeBusyAccessLevel : LimitedDetails
FreeBusyAccessScope :
MailboxMoveEnabled : False
DeliveryReportEnabled : True
MailTipsAccessEnabled : True
MailTipsAccessLevel : All
MailTipsAccessScope :
TargetApplicationUri : outlook.com
TargetSharingEpr :
TargetOwaURL : http://outlook.com/owa/groovycloud.co.uk
TargetAutodiscoverEpr : https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc/WSSecurity
OrganizationContact :
Enabled : True
ArchiveAccessEnabled : False
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
Name : Office 365
DistinguishedName : CN=Office 365,CN=Federation,CN=GroovyCloud,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=groovycloud,DC=local
Identity : Office 365
Guid : 3da3da88-22fa-444a-ac4e-4eaafe84d917
ObjectCategory : groovycloud.local/Configuration/Schema/ms-Exch-Fed-Sharing-Relationship
ObjectClass : {top, msExchFedSharingRelationship}
WhenChanged : 15/08/2011 10:39:28
WhenCreated : 15/08/2011 07:23:48
WhenChangedUTC : 15/08/2011 09:39:28
WhenCreatedUTC : 15/08/2011 06:23:48
OrganizationId :
OriginatingServer : DC1.groovycloud.local
IsValid : True
Now we need to create a relationship between our Office 365 tenant and our Exchange on premises infrastructure. This process is very similar to the previous Org Relationship…
First we need to create a remote PowerShell session to our Exchange tenant in Office 365, follow the instructions in Mike’s post here to sort that out..
Once we have that session established we need to create a new Org Relationship…
Once created we need to check the same settings as previously..
Again, we will need to configure some settings here to make the relationship work…
Set TargetApplicationURI to delegated OnPrem Namespace If you followed the documentation to establish your federation trust this will be "federation.<primary SMTP domain>”
Enable Mailtips This setting enables mailtips to work between Exchange Org’s
Enable Free/Busy Access
Check that the correct domain names are listed on the Organisation Relationship As general rule the following should be listed as a minimum…
NOTE: By default your tenant will be provisioned as a “tiny tenant”, this means that many of the configuration attributes are non writeable. If you intend to customize your address policies or RBAC polices then it is probably worth “hydrating” your tenant at this stage by running the “enable-OrganizationCustomization” cmdlet. This is not necessary to get hybrid availability working, but it may save you some headaches later on! (Thanks for the recommendation Tim!)
Example of a working Office 356 Organisation Relationship…
PS C:\LiveMesh\Tools\RemotePS> Get-OrganizationRelationship -Identity "Exchange OnPrem" | fl
RunspaceId : 94f72750-98a0-495d-91cc-bb26a88611da
DomainNames : {groovycloud.co.uk}
TargetApplicationUri : exchangedelegation.groovycloud.co.uk
TargetOwaURL :
TargetAutodiscoverEpr :
Name : Exchange Onprem
DistinguishedName : CN=Exchange Onprem,CN=Federation,CN=Configuration,CN=neiljohn.onmicrosoft.com,CN=ConfigurationUnits,CN=Microsoft Exchange,CN=
Services,CN=Configuration,DC=eurprd02,DC=prod,DC=outlook,DC=com
Identity : Exchange Onprem
Guid : e3f00a9d-1534-479d-a439-d187aa02e05a
ObjectCategory : eurprd02.prod.outlook.com/Configuration/Schema/ms-Exch-Fed-Sharing-Relationship
WhenChanged : 15/08/2011 09:48:18
WhenCreated : 15/08/2011 07:39:43
WhenChangedUTC : 15/08/2011 08:48:18
WhenCreatedUTC : 15/08/2011 06:39:43
OrganizationId : eurprd02.prod.outlook.com/Microsoft Exchange Hosted Organizations/neiljohn.onmicrosoft.com - eurprd02.prod.outlook.com/Config
uration/Services/Microsoft Exchange/ConfigurationUnits/neiljohn.onmicrosoft.com/Configuration
OriginatingServer : AMSPRD0202DC004.eurprd02.prod.outlook.com
Ok, so now were all set up so the next step is to logon as some users to see what happens…
I am going to use the following accounts
For this test I am going to log on to my ewstest account via Outlook 2010 and attempt to view availability data for my Office365User1 account. I have created a test meeting in each mailbox and set the default calendar permission level to “Free/Busy time, subject, location”.
A new meeting request running on premises logged on as user ewstest with Office 365 user Office 365 User 1 added as an attendee. You can clearly see that both users are returning rich availability data… yay!
For this test I am going to log on to my Office365User1 account via Outlook 2010 and attempt to view availability data for my ewstest account. I have created a test meeting in each mailbox and set the default calendar permission level to “Free/Busy time, subject, location” the same as before…
As you can clearly see, the experience is exactly the same for an Office 365 user collaborating with an on premises user…. double yay!
Hopefully this article shows that it is possible to get availability to work cross premises. It does show however that even in this extremely simple example where I only have a single Exchange 2010 server and a handful of users, there were still a number of steps to complete and plenty of scope to get something wrong. I for one cant wait for Exchange Server 2010 SP2 to come along and simplify the whole thing!
In my experience working in labs and with customers the following are the most common areas of misconfiguration…
For further information and detail around more complex configurations please see
Awesome :-)
Great and informative information. Thank you for sharing this with us. Splendid explenation.
Regards, Ron J. Buitenhuis a.k.a.XMLFREAK
Thank you for another great and useful post!
One question though: what are your thoughts about the possibility of using the Office 365 logon page to enter users’ wrong credentials multiple times in order to try and lock their AD account?
I know they are some ways of trying to prevent this like DoS prevention at the ISP level, for example, but with Integrated Authentication (for Lync Online), your ADFS Proxy has to accept connections from any IP address in the world (to allow users to use the service from home). So there’s not actually a way of preventing this, is there?
Thank you once again for the great post!
Best regards,
Nuno
Great article and good use of images!
Thank you for all the work.
You rock.
Hi Neil,
Tremendous piece!
Are ADFS 2.0 and Directory Synchronisation necessary to make a Lync Online user see free/busy from an on-premise Exchange 2010 server, or optional? If optional, do the steps you list above change much?
Thanks
Are ADFS and/or DirSync required to make this work? If not, what changes to your process are necessary to simply get on-prem Exchange 2010 to provide f/b to Lync online users with the Lync URI matching the Exchange SMTP addy?
i am cnfused about this statement "Create MX Record for your Service Domain that points to : mail.outlook.com "
Where this MX record has to be created, and "service.domain.com" should this be NS record or host A on external DNS.
and what if we use tenant.onmicrosoft.com as target address then where do we create MX record. cuz ofcource we cant create it in onmicrosoft.com as MS owns it.
Not really clear about mail flow in this case... could you elaborate or point to some article which explains it.
almost everyone who i know is working on o365 has this dowubt and isnt able to provide me correct answer.
waiting for your reply.