Let’s now run through the last part of this blog series in which will see the ADFS and Hybrid setup.
Hybrid Migration (Exchange 2010)
Having hybrid setup you have the option to have single sign on implemented using MS Directory Synchronization tool or Active Directory Federation Services. In our LAB scenario we made sure during configuring DirSync we didn’t select the option enable password sync and hence would be setting up ADFS server.
Let us have the LAB ready and setup in place.
-
Virtual Machine – As we have already have created the VM for ADFS and in my case as mentioned below.
-
Installing ADFS server role – I followed the link and input was as per my lab scenario. We would be ensuring the ADFS is installed as standalone and if you want to test HA better to create FARM using Windows Internal Database setup providing the FQDN which can be reached via internet to on premise AD in my case I have used sts.msexchangeasia.in
-
Create a service account for ADFS service and in my case I created one called adfsservice
-
Make sure the DNS A record is registered on internet as mentioned below.
-
Make sure you create and configure endpoints on SSL service
Federating the domain with Azure AD – this is the critical part where you update cloud AD about the on premise domains which are federated post which when you enter the credential at portal.microsoftonline.com the MS federation server will then redirect the request to on premise ADFS for single process with on premise to authenticate and get the mailbox access. For your convenient create a shortcut of the Windows Azure PowerShell from – C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Azure Active Directory.
-
Connect to Windows Azure AD as mentioned below
-
After successful authentication you can check for federated domain which are already federated and since I have already updated Azure AD you will see the below results.
-
If you want to setup a new federated domain or update existing one enter the below commands
New
Update
This will help you in case your configuration was changed or the ADFS server was crashed due to some reason.
-
Verifying the redirection – Once you try to login via portal.microsoftonline.com with your company email address the login page would be redirect you to the company ADFS server as mentioned below.
-
At above portal you enter your company email address and click on password area
-
The portal will be then redirect the request to ADFS as you have already informed / updated the msexchangeasia.in domain is federated via PowerShell in above steps and as you notice below screen the url is changed to ADFS server as sts.msexchangeasia.in
-
Drilling down to our Hybrid setup configuration below are the prerequisites to be taken care.
-
Make sure the Public Certificate with the required alternate names like mail.msexchangeasia.in / autodiscover.msexchangeasia.in is listed. SMTP service is assigned enabled on the Exchange Public Certificate
-
Add Exchange online to Exchange Management Console – check below step
Give the tenant name and select on-line, provide the Office 365 Admin Credentials
Verify the tenant is added successfully.
-
Create a new Federation Trust via Organization Configuration option @on premise, in my case I’ve already created and re-running using manage federation option
-
Configure the domain proof record @Internet DNS, to get the domain proof run the below command using PowerShell
Copy the domain proof value and create a txt record @internet DNS and in my case at godaddy dns control panel.
-
Create and configure Organization Relationship
Enter the external Exchange organization – which is what we subscribed to Office 365 as msexchangeasiain.onmicrosoft.co
Upon successful completion the results would be automatically updated as mentioned below.
-
Configure the Hybrid Wizard
-
Run the wizard to check if the prerequisites were met
-
Provide the on premise and online credentials
-
Add the domain which is federated
-
Verify the provisioning status is active
-
Add the CAS / HUB servers
-
Enter the public IP used by Exchange Server to send email out of the internet and EOP online will whitelist the IP to receive from on premise to cloud. Also make sure the FQDN mentioned here must be listed on the
Exchange Certificate
-
Select the appropriate certificate and the mail routing option
-
Verify the settings and complete the wizard
Post configuring Hybrid setup upon creation of new mailbox the below email address policy will be applied.
The user which is created and moved online on cloud gets converted mail users as mentioned below with additional target remote routing address stamped with owaredirectu2@msexchangeasiain.onmicrosoft.com as the MX is still pointed to on premise Exchange 2010 and the mailbox was moved to cloud based on the remote routing address the email will be forwarded to MS EOP using the send connector which was automatically created during the hybrid configuration wizard. Similarly the receive connector will also be created with all the Online IPs whitelisted to receive email on premise from cloud.
Do some features testing on your own since you have a running LAB setup and below are some topics on which you can work on.
-
Free Busy
-
Mail tips
-
Secure Email
-
Move Mailbox
-
Archive Mailbox – for this you will need additional trial subscription to be added using the existing subscription under license option in the Office 365 Portal as mentioned below.
-
Â
Hope now you had enjoyed setting up this lab and good to know the resources availability which is so ease to gather which & convenient to test the scenario what fits us and accordingly evaluate the benefits of migration and moving to Microsoft Office 365 Cloud.
Hope that’s been informative & Enjoy J
){kind=link}
Well drafted Charles..!
Thanks
Thank you very much for this series. Very interesting and still pretty valid!