Deploying Office 365 in Production: Part 1October 2013

Session Overview

2

Session Overview

• This session details the options and considerations when expanding a pilot Office 365 environment into a production deployment. Unlike on-premises implementations, IT professionals can scale out their Office 365 tenants with ease. However, with added scale, it is important to start to automate user provisioning, add a production domain and set up the desired workloads

Step 2: Deployment Overview

4

Optional integrationExtend in weeksMeet business needsCustomized to landscape

Core onboardingDeploy in daysCompanywide cloud useIT led migration

Full Office 365 servicePilot in hoursPersist to deploymentUser led migration

First use in hours, Onboarding in daysExchange, SharePoint, Lync, Office 365 ProPlus, WA Active Directory

Pilot complete

Deploy Complete

WhatOffice 365 ServiceExchange, SharePoint, Lync, Office Web Apps, Office 365 ProPlus, Mobile

HowService domainCloud IdentityWeb Client

Office clientSelf Service

WhatAll Pilot Features +Shared namespace, simple coexistence, external sites

HowPilot +IT led migration *Customer domainDirectory sync

Password syncAdmin migrationsOnRamp

WhatDeploy +Federation, Hybrid Delegation, and more

HowDeploy+ *Configure adv. featuresFederated IdentityExchange HybridCorporate app store

SharePoint HybridLync Hybrid3rd party migration tools

Adopt new features

Deploy Enhance Pilot1 2 3

Sign-on Integrated identity managementSign-on with the same user and password as on premises

Mail

Integrated mail flow and migrationGlobal address list Full mail content migration – mail, calendar, contacts

Collaboration

Sharing and working with othersLync business partner federationSite governance and provisioning supportSetup of Apps for Office corporate app catalog

ClientsIT managed client productivityOffice 365 ProPlus deployed to user desktop via IT process

Mobile Managed mobile connectivitySend and receive mail from mobile device as on-prem email

AdministrationControl & monitorData loss prevention configuration (limited)Exchange Online Protection mail protection configuration (limited)

Setup in days

Adds on-premises integration

Pilot user and info is sustained

IT driven migration

Mail migration that best fits environment

From EX 2010 Mail ServersManaged mail moves (MRS)Free/busy cross premisesUse existing OST

From EX 2007/03 Mail Servers Staged mail migrationNew mail file download

From OthersUser migration (PST import) or IMAP MigrationNew mail file

Deploy Experience – what’s added

IdentityWhat’s RequiredDirectory Sync server/sAD meets service requirements for hygieneSame password on-prem and in cloud via password sync

NetworkWhat you need to connectNetwork access to service from client end pointsNetwork bandwidth availabilityAccess to maintain DNS entries for share domains

ClientsRequired to connect and deployWeb client – minimum browserOffice 365 Pro Plus – clients running Windows 7 +

Unique requirements per mail platform

Dedicated customer IT team

Change management readiness

Mail

Required to setup and migrateAdmin access

From EX 2010 Mail ServersExchange 2010 SP3Certificates - public

From EX 2007/03 Mail Servers Outlook Anywhere Access

From OthersPST requirement

Deploy – what’s required

Cloud Identity

Single identity in the cloud

Windows Azure Active Directory

On-Premises Identity

Dirsync & Password Sync

Directory & Password Synchronization 

Single identity without federation

Windows Azure Active Directory

Federated Identity

On-Premises Identity

Federation

Single federated identity and credentials

Windows Azure Active Directory

Directory Sync

Deploy Identity Scenario Deploy Enhance Pilot1 2 3

Agenda

What is DirSync? Purpose – What does it do?

Understanding Synchronization

Understanding Coexistence

Understanding Migrations Self Service Admin lead

Migration Options PST migrations IMAP migrations Staged Exchange

migrations

What is DirSync?

10

What is DirSync? Application that synchronizes on-premises Active Directory with Office 365

Designed as a software based “appliance” “Set it and forget it”

x64 version based on FIM 2010 Bundled with SQL Server 2008 R2 Express Edition

11

Purpose (#1) Enables coexistence

Provisions objects in Office 365 with same email addresses as the objects in the on-premises environment

Provides a unified Global Address List experience between on-premises and Office 365 Objects hidden from the GAL on-premises are also hidden from the

GAL in Office 365 Enables coexistence for Exchange

Works in both simple and hybrid deployment scenarios Enabler for mail routing between on-premises and Office 365 with a

shared domain namespace Enables coexistence for Microsoft Lync

12

Purpose (#2) Enables “run state” administration and management of users, groups, and contacts Synchronizes adds/deletes/modifications of users, groups, and

contacts from on-premise to Office 365

Enabler for Single Sign-On Mandatory component for ADFS / Federated Identities deployments

Not intended as a single use bulk upload tool

13

Understanding Synchronization

14

Synchronization Synchronize one (and only one) Active Directory forest with Office 365

Entire Active Directory forest is scoped for synchronization (default) Filtering can be configured based on OU, AD domain, and user

attribute

What is synchronized? All user objects All group objects Mail-enabled contact objects

Passwords are not synchronized

Synchronization Most Synchronization is from on-premises to Office 365 In an Exchange Hybrid Deployment, DirSync is configured to write

attributes back to the on-premises Active Directory

Synchronization occurs every 3 hours Use “Start-OnlineCoexistenceSync” cmdlet to force a sync outside of

regular synchronization schedule

16

Synchronization User Objects

Mail-enabled/mailbox-enabled users are synchronized as mail-enabled users (not mailbox-enabled users) Visible in the Office 365 GAL (unless explicitly hidden from GAL) Logon enabled, but not automatically licensed to use services Target address is synchronized for mail-enabled users

Regular NT users are synchronized as regular NT users Not automatically provisioned as mail-enabled in Office 365

Resource mailboxes are synchronized as resource mailboxes Synchronized users are not automatically assigned a license

17

Synchronization Group Objects

Mail-enabled groups are synchronized as mail-enabled Group memberships are synchronized Security groups are synchronized as security groups Dynamic Distribution Groups are NOT synchronized

Contacts Objects Only mail-enabled contacts are synchronized Target address is synchronized to Office 365

18

Synchronization New user, group, and contact objects that are added to on-premises are added to Office 365 Licenses are not automatically assigned

Existing user, group, or contact objects attributes that are modified on-premises are modified in Office 365 Not all on-premises AD attributes are synchronized

19

Synchronization Existing user, group, and contact objects that are deleted from on-premises are deleted from Office 365

Existing user objects that are disabled on-premises are disabled in Office 365 License is not automatically unassigned

20

Synchronization First synchronization cycle after installation is a full synchronization May be a time consuming process relative to the number of objects

synchronized Approximately 5000 objects every 45 to 60 minutes Plan ahead if synchronizing tens or hundreds of thousands of objects

Subsequent synchronization cycles are deltas only and much faster

21

On-premises

Synchronization

22

Exchange

Active Directory

Office 365

Windows Azure Active Directory

Directory Synchronizatio

n

Provisioning Web Service

Logon Enabled UserMail-Enabled (not mailbox-enabled)ProxyAddresses: SMTP: John.Doe@contoso.com smtp: John.Doe@contoso.onmicrosoft.com smtp: John.Doe@contoso.mail.onmicrosoft.comTargetAddress: SMTP: John.Doe@contoso.com

Logon Enabled UserMail-Enabled (not mailbox-enabled)ProxyAddresses: SMTP: John.Doe@contoso.com smtp: John.Doe@contoso.onmicrosoft.com smtp: John.Doe@contoso.mail.onmicrosoft.comTargetAddress: SMTP: John.Doe@contoso.com

Exchange Online

Authentication Platform

SharePoint Online

Lync Online

User ObjectMailbox-EnabledProxyAddresses: SMTP: John.Doe@contoso.com

User ObjectMailbox-EnabledProxyAddresses: SMTP: John.Doe@contoso.com

Sync Cycle Stage 3:Export Users, Groups, and Contacts to Office 365

Sync Cycle Stage 2:Import Users, Groups, and Contacts from Office 365

Sync Cycle Stage 1:Import Users, Groups,and Contacts from on-premises Sync Cycle

Stage 4:Export “Write Back” attributes

Synchronization Once implemented, on-premises AD becomes the “source of authority” for synchronized objects Modifications to synchronized objects must occur in the on-premises

AD Synchronized objects cannot be modified or deleted via the portal

unless DirSync is disabled for the tenant

Scoping/Filtering Custom scoping of default management agents is officially

supported23

Synchronization On-premises objectGuid AD attribute is assigned as the value for immutableID attribute during initial synchronization of an object Referred to as a “hard match” DirSync knows which Office 365 objects it is the “source of authority”

for by examining sourceAnchor attribute

DirSync can also match user objects created via the portal with on-premises objects if there is a match using the primary SMTP address Referred to as a “soft match”

24

Synchronization On-premises proxyAddresses attribute values are synchronized Requires a matching verified domain Updates/modifications to on-premises proxyAddresses attribute are

synchronized even after license assignment

25

Synchronization By default, only the first 50,000 objects are synchronized STEVE TO ADD Quota limit can be increased by contacting technical support Synchronization service will be stopped Email sent to technical contact

Deleted objects count against quota for up to 30 days

26

Synchronization 10GB SQL Server 2012 Express Edition database file size is estimated to max out ~50,000 objects 50,000+ total objects requires full SQL Server

Authorization and synchronization occur via SSL

27

Synchronization Synchronization errors are emailed to the Technical Contact for the subscription Recommend using a distribution group as the Technical Contact

email address

Example errors include: Synchronization health status

Sent once a day if a synchronization cycle has not registered 24 hours after last successful synchronization

Objects whose attributes contain invalid characters Objects with duplicate/conflicting email addresses Sync quota limit exceeded28

Azure AD DirSync scoping options Ability to DirSync to Windows Azure AD only a subset of your users

Options for Filtering OU Domain-based User attribute

Step-by-step instructions available on TechNet

Password SynchronizationScheduled to release in CY2013

New feature of Windows Azure Directory Sync as an alternative to Federated Authentication

Customer benefits:• Customer can use a “single set of credentials” (same username and

password) to access both on-premises and online resources• This single set of credentials is managed in the customer’s Active

Directory and is synchronized with Office 365 (username + password)• Password Sync is fully integrated in the DirSync appliance, no

additional sw/hw, or changes to the on-premises AD are required• No requirement to deploy and maintain Active Directory Federation

Services.• Keeps the deployment simple and eliminates IT costs associated with

ADFS

Password Sync securityDoes not require nor access the plain text password

No requirement for AD reversible encrypted format

AD user password hash is hashed again using a non-reversible encryption function and digest is synchronized into Azure AD

The digest in Azure AD cannot be used to access resources in the customer’s on-premises environment

Password Sync key password policiesPassword Sync is one-way synchronization from on-premises to the cloud

Password Complexity Policy implemented in the on-premises AD is the master policy

Password Expiration Policy on the Azure AD is set to “Never Expire”

Password expiration and sync to Azure AD is driven by on-premises events

Understanding Coexistence

33

What is Coexistence? Some users are provisioned in Office 365 while the remaining users are provisioned in the on-premises environment

Office 365 users see the same objects in the Global Address List as the on-premises users

Email messages are routed seamlessly from Office 365 users to on-premises users, and vice-versa

Simple Coexistence Deployment Uses Directory Synchronization for GAL synchronization Enables mail routing between on-premises and Office 365 using a

shared DNS namespace Provides a unified GAL experience

Can be used with cloud identities or federated identities

Does not require an on-premises Hybrid server

35

Office 365

SEM Architecture

37

On-premises Exchange Org

Users, Groups, Contacts via DirSync

Mailbox Data via Outlook Anywhere (RPC over HTTP)

Exchange 2003 or 2007

Office 365 Directory

SynchronizationApp

Mail Routing: Pre-Coexistence

38

On-premises

Messa

ge Filte

ring

MX Record:contoso.com

User ObjectMailbox-EnabledProxyAddresses: SMTP: John.Doe@contoso.com

User ObjectMailbox-EnabledProxyAddresses: SMTP: John.Doe@contoso.com

Exchange

Active Directory

Mail Routing: On-Premises To Office 365

39

On-premises

Messa

ge Filte

ring

MX Record:contoso.com

Exchange

Active Directory

Office 365

MX Record:contoso.onmicrosoft.com

contoso.mail.onmicrosoft.com

Exc

hange O

nlin

e P

rote

ctio

n

Exchange Online

Online Directory

DirSync DirSync Web Service

Logon Enabled UserMailbox-EnabledProxyAddresses: SMTP: John.Doe@contoso.com smtp: John.Doe@contoso.onmicrosoft.com smtp: John.Doe@contoso.mail.onmicrosoft.com

Logon Enabled UserMailbox-EnabledProxyAddresses: SMTP: John.Doe@contoso.com smtp: John.Doe@contoso.onmicrosoft.com smtp: John.Doe@contoso.mail.onmicrosoft.com

User ObjectMail-Enabled (not mailbox-enabled)ProxyAddresses: SMTP: John.Doe@contoso.comTargetAddresses: SMTP: John.Doe@contoso.mail.onmicrosoft.com

User ObjectMail-Enabled (not mailbox-enabled)ProxyAddresses: SMTP: John.Doe@contoso.comTargetAddresses: SMTP: John.Doe@contoso.mail.onmicrosoft.com

Mail Routing: Office 365 To On-Premises

40

On-premises

Messa

ge Filte

ring

MX Record:contoso.com

Exchange

Active Directory

Office 365

MX Record:contoso.onmicrosoft.com

contoso.mail.onmicrosoft.com

Exc

hange O

nlin

e P

rote

ctio

n

Exchange Online

Online Directory

DirSync DirSync Web Service

Logon Enabled UserMail-Enabled (not mailbox-enabled)ProxyAddresses: SMTP: Jane.Doe@contoso.com smtp: Jane.Doe@contoso.onmicrosoft.com smtp: Jane.Doe@contoso.mail.onmicrosoft.comTargetAddresses: SMTP: Jane.Doe@contoso.com

Logon Enabled UserMail-Enabled (not mailbox-enabled)ProxyAddresses: SMTP: Jane.Doe@contoso.com smtp: Jane.Doe@contoso.onmicrosoft.com smtp: Jane.Doe@contoso.mail.onmicrosoft.comTargetAddresses: SMTP: Jane.Doe@contoso.com

User ObjectMailbox-EnabledProxyAddresses: SMTP: Jane.Doe@contoso.com

User ObjectMailbox-EnabledProxyAddresses: SMTP: Jane.Doe@contoso.com

Understanding Migrations

42

Migration Option Decision Factors

43 | Microsoft Confidential

DEPLOYMENT PLAN

Migration solution is part of the

plan

DEPLOYMENT PLAN

Migration solution is part of the

plan

Source ServerSource Server

ExchangeIMAPLotus NotesGoogle

SizeSize

LargeMediumSmall

Identity Manageme

nt

Identity Manageme

ntIn-CloudOn-PremiseSingle Sign-On

ProvisioningProvisioning

DirSyncManual/Bulk Provisioning

Coexistence

Requirement

Coexistence

Requirement

SimpleRich

43

Time to ValueTime to Value

Self serve or Admin DrivenFeatures by user typeCloud or on- premises tools

Additional Onboarding Options

44

Control Deployment Type Description

Self Service

New mailbox

User receives new “green field” mailbox – i.e. user is onboarded to without data migration.

New mailbox + Outlook PST

User receives new mailbox and either attaches or imports PST files for access to pre-Office 365 data.

New mailbox + Connected Accounts

User receives new mailbox and configures connected accounts via OWA.

Admin-Driven New mailbox + PST Import

User receives a new mailbox and admin uses PST Export features of Exchange and 3rd Party tools to import PST data into the user’s Exchange Online mailbox.

PST Migration

IMAP migration

Staged migration

Hybrid

Exchange 5.5 X X

Exchange 2000 X X

Exchange 2003 X X X

Exchange 2007 X X X

Exchange 2010 X X X

Exchange 2013 X X X

Notes/Domino X X

GroupWise X X

Other X X

* Additional options available with tools from migration partners

FastTrack Step 2 Migration Options

Migration

PST MigrationImport of Archived/Offline Mail

IMAP migrationSupports wide range of email platformsEmail only (no calendar, contacts, or tasks)

Staged Exchange migrationNo server required on-premisesIdentity federation with on-premises directory

Hybrid

Hybrid deploymentManage users on-premises and onlineEnables cross-premises calendaring, smooth migration, and easy off-boarding

Migration Options

IMAP Migrations

IMAP Features and Benefits Works with a large number of source mail systems Works with on-premises or hosted systems Users can be migrated in batches On-premises migration tool is not required

48

IMAP Requirements and Limitations Access to IMAP ports (TCP/143/993) SMTP domains configured in O365 tenant Users + mailboxes must be provisioned prior to

migration Bulk provisioning, CSV parser, manual, etc.

Gather user credentials or setup admin credentials Prepare a CSV file with list of users

EmailAddress, UserName, Password Max of 50,000 rows Max 10 MB in size

Very limited data migration scope (mail items only)49

IMAP Data Migration ScopeMigrated

Mail messages (Inbox and other folders)

Maximum of 500,000 items

Possible to exclude specific folders from migration(e.g. Deleted Items, Junk E-Mail)

Not Migrated Contacts, Calendars,

Tasks, etc. Excluded folders Folders with a forward

slash( / ) in the folder name

Messages larger than 25 MB

50

Deltasync

every 24 hours

Mark migratio

n as complet

e

Change MX

record

Gather IMAP creds,

configure IMAP

endpoint and

prepare CSV

IMAP Migration Flow

51

Provision

users+

mailboxes

in O365

(license assigned

)

EAC Wizard:

Enter server

settings and

upload CSV

Initial sync

Final sync and cleanup

IMAP Migrations

Questions?

StagedExchangeMigrations(SEM)

SEM Features and Benefits Simple and flexible migration solution High-fidelity solution – all mailbox content is

migrated Typically best suited to medium and large

organizations Users are provisioned with Directory Sync prior to

migration No limit on the number of mailboxes Users can be migrated in batches (up to 1000 per

batch) Works with Exchange 2003 and 2007 only, on-

premises or hosted Identity management on-premises On-premises migration tool is not required

54

SEM Requirements Outlook Anywhere service on source system

(must have SSL certificate issued by a public CA) Migration Account with Full Access or Receive-As

permissions to all mailboxes that will be migrated SMTP domain(s) configured in O365 tenant Directory Sync tool enabled in O365 tenant

(i.e. requires simple coexistence)

55

SEM Limitations SEM is not supported with Exchange 2010 and

2013 Only simple coexistence is available

(no sharing of free/busy, calendar, etc.)

56

SEM Accounts and Passwords Accounts Provisioning

Migration tool relies on DirSync to do provisioningFor every on-premises mailbox to be migrated there needs to be a MEU or Mailbox in Office 365

PasswordsTarget mailbox passwords must be specified for all users

Administrators can force users to change passwords on first login

Note: Password management has been simplified with DirSync and password sync

57

SEM Batch File Format CSV format

› EmailAddress, Password, ForceChangePassword One user per line Max of 1000 users in each CSV Smart-check against the Office 365 directory

58

SEM Data Migration Scope

59

Migrated Mail messages and

folders Rules and categories Calendar (normal,

recurring) Out-of-Office settings Contacts Tasks Delegates and folder

perms Outlook settings (e.g.

favorites)

Not Migrated Security Groups, DDLs System mailboxes Dumpster Send-As Permissions Messages larger than 25

MB

SEM Data Migration Scope Partial migrations are not possible

(no folder exclusion, no time range selection, etc.) Mailboxes enabled for Unified Messaging cannot be

migrated Hidden mailboxes (not visible to tool) cannot be

migrated New cloud mailbox is created (new GUID) and data

is copied Existing cached-mode files (OST files) cannot be

preserved60

SEM User Experience Admin needs to distribute new passwords to users Users create their new Outlook profile using O365

username and new passwords (Autodiscover) All mail is downloaded from the Office 365 mailbox

(i.e. the OST file must be recreated)

Note: IT Admins must convert on-premises mailbox-enable user to mail-enable user (which will delete on-premises content)

61

Configure

Directory

Sync

EACWizard:

Enter server setting

s , admincreds, batch CSV

Delete migrati

on batch

(optional)

Change MX

Record

SEM Migration Flow

62

Migrate Batch

Convert onprem mailbox

es to MEU

License users

Configure

Outlook Anywhe

re

Test using ExRCA

Assign migrati

onperms

StagedExchangeMigrations

Questions?

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.