Those are notes for a migration to Office 365 using Hybrid Deployment. They are posts from severla blogs with some additions from me.
You will need:
2 x ADFS NLB (for identity federation)
2 x ADFS Proxy Servers NLB (for identity federation)
1 x domain member server with DIrSync configured (for directory synchronization with Office 365)
1 x SQL 2008 R2 server that will store the DirSync database
1 x Exchange 2010 Service Pack 2 + based hybrid deployment server (for rich coexistence with Exchange Online)
Access to public DNS of Domain (company.com)
3rd Party Certificates (if you have on old exchange 2007 a wildcard export and import to 2010)
Domain User for ADFS service account
Configure UPN for company.com domain
Walkthrough
1. Add Domain (company.com)
2. Add TXT record to DNS for verification
3. Specify domain cervices (Exchange, Lync, Sharepoint)
4. ADFS (&/or Farm)
Add IIS Role, Configure NLB sts.company.local (add hosts, add A record, enable MAC spoofing), add Certificate (SelfSigned or 3rd Party) & bind default site to 443
Setup ADFS Federation server
AD FS 2.0 Federation Server Configuration Wizard
Domain User for ADFS service account
5. ADFS Proxy (&/or Farm)
Add IIS Role, Configure NLB sts.company.com (add hosts, add A record, enable MAC spoofing), add Certificate (SelfSigned or 3rd Party) & bind default site to 443
Add host A to Public DNS (sts.company.com)
Add host record to proxy servers for sts.company.local local IP (ADFS NLB Address)
Setup ADFS Federation server proxy
AD FS 2.0 Federation Server Configuration Wizard
6. Convert Domain to a Federated Domain
On Office 365 portal then downloads then step 3 “Set up and configure your office desktop apps”
de-select everything (only to install MOSM for powershell)
On office 365 portal then users then manage (SSO), install MOSM for powershell
Open MOSM and “$Cred=Get-Credential” add creds, then “Connect-Msolservice –Credentials $Cred” then “Convert-MsolDomainToFederated –DomainName “office365lab.dk”” and “Get-MsolDomain | fl”
Configure UPN for company.com domain
Go to login.microsoftonline.com and check SSO login
7. DirSync
o365 portal then users then set up under directory synchronization (after activate needs some hours)
o365 portal then users then set up ude active directory synchronization under step 4 download DirSync tool
Verify dirsync:
o365 portal then users then set up under actice directory synchronization check “active directory synchronization is activated” or powershell: “Get-MsolCompanyInformation | fl DirectorySynchronizationEnabled”
Sync:
run “Directory Sync Configuration”, add creds, check “Enable Exchange hybrid deployment”. If you want to select OU, groups, users, etc then dont check “synchronize directories now”
Edit sync: “C:Program FilesMicrosoft Online Directory SyncSYNCBUSSynchronization ServiceUIShell” and run “miisclient” guide (http://blogs.msdn.com/b/denotation/archive/2012/11/21/installing-and-configure-dirsync-with-ou-level-filtering-for-office365.aspx)
Force Sync:
With powershell go to C:Program FilesMicrosoft Online Directory Sync” folder and from here run the “DirScConfigshell.psc1” script and on the new windows run “Start-ynOnlineCoexistenceSync”
8. Hybrid Deployment
Configure NLB on Exchange 2010 HUB/CAS
ADD 3rd party certificate (if you have on old exchange 2007 a wildcard export and import to 2010)
assign services SMTP & IIS
Configure URLS
OWA
Set-OwaVirtualDirectory -Identity “EX03OWA (Default Web Site)” -InternalURL https://hybrid.office365lab.dk/OWA -ExternalURL https://hybrid.office365lab.dk/OWA
Set-OwaVirtualDirectory -Identity “EX04OWA (Default Web Site)” -InternalURL https://hybrid.office365lab.dk/OWA -ExternalURL https://hybrid.office365lab.dk/OWA
ECP
Set-EcpVirtualDirectory -Identity “EX03ECP (Default Web Site)” -InternalURL https://hybrid.office365lab.dk/ECP -ExternalURL https://hybrid.office365lab.dk/ECP
Set-EcpVirtualDirectory -Identity “EX04ECP (Default Web Site)” -InternalURL https://hybrid.office365lab.dk/ECP -ExternalURL https://hybrid.office365lab.dk/ECP
Active Sync
Set-ActivesyncVirtualDirectory -Identity “EX03Microsoft-Server-ActiveSync (Default Web Site)” -InternalURL https://hybrid.office365lab.dk/Microsoft-Server-Activesync -ExternalURL https://hybrid.office365lab.dk/Microsoft-Server-Activesync
Set-ActivesyncVirtualDirectory -Identity “EX04Microsoft-Server-ActiveSync (Default Web Site)” -InternalURL https://hybrid.office365lab.dk/Microsoft-Server-Activesync -ExternalURL https://hybrid.office365lab.dk/Microsoft-Server-Activesync
OAB
Set-OABVirtualDirectory -Identity “EX03oab (Default Web Site)” -InternalUrl https://hybrid.office365lab.dk/oab -ExternalURL https://hybrid.office365lab.dk/oab
Set-OABVirtualDirectory -Identity “EX04oab (Default Web Site)” -InternalUrl https://hybrid.office365lab.dk/oab -ExternalURL https://hybrid.office365lab.dk/oab
EWS
Set-WebServicesVirtualDirectory -Identity “EX03EWS (Default Web Site)” -InternalUrl https://hybrid.office365lab.dk/ews/exchange.asmx -ExternalURL https://hybrid.office365lab.dk/ews/exchange.asmx
Set-WebServicesVirtualDirectory -Identity “EX04EWS (Default Web Site)” -InternalUrl https://hybrid.office365lab.dk/ews/exchange.asmx -ExternalURL https://hybrid.office365lab.dk/ews/exchange.asmx
Autodiscover
Set-ClientAccessServer –Identity EX03 -AutoDiscoverServiceInternalUri: https://hybrid.office365lab.dk/Autodiscover/Autodiscover.xml
Set-ClientAccessServer –Identity EX04 -AutoDiscoverServiceInternalUri: https://hybrid.office365lab.dk/Autodiscover/Autodiscover.xml
9. Configure DNS to Exchange 2010
Configure SPF Record (http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/)
Add public DNS v=spf1 ip4:192.168.6.220 ip4:192.168.6.221 include:outlook.com -all
o365 portal then domains then SMTP domain properties under DNS management create SPF TXT record (name @ value v=spf1 ip4:192.168.6.220 ip4:192.168.6.221 include:outlook.com -all)
10. Add o365 Tenant to EMC
from EMC add exchange forest
Connect to Exchange Online with powershell “$TenantCreds = Get-Credential” then “$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $TenantCreds -Authentication Basic –AllowRedirection” then “Import-PSSession $Session” then to test “Get-Mailbox | Get-MailboxStatistics | ft -a” or “Get-AcceptedDomain”
11. Configuring Exchange 2010 Hybrid
EMC – on premises – Organization Configuration” – “Hybrid Configuration” – “New Hybrid Configuration”
Add TXT record to public DNS
Add transport certificate (3rd party)
12. Now on can use EMS Get-HybridConfiguration
Checklist:
EMC on-premises
A federation trust with the Microsoft Federation Gateway (MFG) has been established for the specified domain | On-Premises Org Configuration – federation trust
an organizational relationship has been established with the Exchange Online organization in Office 365 | On-Premises Org Configuration | organization relationships
“tenant_name.mail.onmicrosoft.com” has been added as an accepted domain | on-premisis – org conf – hub – accepted domains
“tenant_name.mail.onmicrosoft.com” and “office365lab.dk” has been added as a remote domain | on-premises – org conf – hub – remote domains
The default E-Mail Address policy has been updated, so that it stamps a secondary proxy address (alias@tenant_name.mail.onmicrosoft.com) on mailbox user objects | on-premisis – org conf – hub – e-mail address policies
The HCW also creates a receive connector on each of the hybrid servers | on-premiss – server conf – HUB – receive connectors
the HCW will create a send connector that will route all e-mail messages destined for “tenant_name.mail.onmicrosoft.com” to Exchange Online in Office 365 | on-premisis – org conf – hub – send connectors
EMS: Get-OrganizationRelationship | fl
EMC online
Org conf – HUB – remote domains
Org conf – Organization Relationships
FOPE (forerfront access form ECP – Mail Control
check Two connectors (inbound & outbound)
Move mailbox = new remote move request | it will move to Mail Contact
New mailbox online: Mail Contact – new remote mailbox
After move
Generally, Windows Phone 8 and iOS clients will be able to automatically update the ActiveSync profile, while Android based clients must have their ActiveSync profile recreated.
Outlook will need to close with admin message, re-open and add credentials
Decommission
Move all mailboxes to Exchange Online, point all on-premise line of business applications, network devices and so on to Exchange Online, configures mail flow to go directly in and out of Exchange Online. In this scenario, you decommission all on-premise Exchange servers, but still use DirSync and ADFS for federation. With DirSync, the on-premise Active Directory is the source of authority, which means you should provision users in the on-premise Active Directory and then have them synchronized to Office 365/Exchange Online. In this cae, it’s usually a good idea to keep a single Exchange 2010 server on-premise, so you can use the Exchange 2010 EMC or cmdlets for the provisioning. Alternatively, you remove all Exchange 2010 servers and have an identity solution such as FIM provision the on-premise Active Directory objects with the required mail attributes in order for Exchange Online to treat them as mail enabled users. Bear in mind that with DirSync enabled, most user/mailbox attributes in Exchange Online are read-only meaning you must write to them via the on-premise Active Directory user/group object.
Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.