Deploying Office 365 in Production: Part 1 (October 2013)
Source: docshare01.docshare.tips/files/26977/269776000.pdf
Session Overview
• This session details the options and considerations when expanding a pilot Office 365 environment into a production deployment. Unlike on-premises implementations, IT professionals can scale out their Office 365 tenants with ease. However, with added scale, it is important to start to automate user provisioning, add a production domain and set up the desired workloads.
Step 2: Deployment Overview
Three phases (1 Pilot, 2 Deploy, 3 Enhance); first use in hours, onboarding in days. Services: Exchange, SharePoint, Lync, Office 365 ProPlus, WA Active Directory.

Phase 1 – Pilot: full Office 365 service; pilot in hours; persists to deployment; user-led migration
• What: Office 365 service – Exchange, SharePoint, Lync, Office Web Apps, Office 365 ProPlus, Mobile
• How: service domain; cloud identity; web client; Office client; self service
Milestone: pilot complete

Phase 2 – Deploy: core onboarding; deploy in days; companywide cloud use; IT-led migration
• What: all pilot features + shared namespace, simple coexistence, external sites
• How: pilot + IT-led migration *; customer domain; directory sync; password sync; admin migrations; OnRamp
Milestone: deploy complete

Phase 3 – Enhance: optional integration; extend in weeks; meet business needs; customized to landscape
• What: deploy + federation, hybrid delegation, and more
• How: deploy + configure advanced features *; federated identity; Exchange hybrid; corporate app store; SharePoint hybrid; Lync hybrid; 3rd-party migration tools; adopt new features
Deploy Experience – what’s added
• Sign-on – integrated identity management: sign-on with the same user and password as on premises
• Integrated mail flow and migration: global address list; full mail content migration – mail, calendar, contacts
• Collaboration – sharing and working with others: Lync business partner federation; site governance and provisioning support; setup of Apps for Office corporate app catalog
• Clients – IT managed client productivity: Office 365 ProPlus deployed to the user desktop via IT process
• Mobile – managed mobile connectivity: send and receive mail from a mobile device as on-prem email
• Administration – control & monitor: data loss prevention configuration (limited); Exchange Online Protection mail protection configuration (limited)
Setup in days; adds on-premises integration; pilot users and info are sustained; IT-driven migration.
Mail migration that best fits the environment:
• From EX 2010 mail servers: managed mail moves (MRS); free/busy cross premises; use existing OST
• From EX 2007/03 mail servers: staged mail migration; new mail file download
• From others: user migration (PST import) or IMAP migration; new mail file
Deploy – what’s required
• Identity – what’s required: Directory Sync server(s); AD meets service requirements for hygiene; same password on-prem and in the cloud via password sync
• Network – what you need to connect: network access to the service from client end points; network bandwidth availability; access to maintain DNS entries for shared domains
• Clients – required to connect and deploy: web client – minimum browser; Office 365 ProPlus – clients running Windows 7+
Unique requirements per mail platform; dedicated customer IT team; change management readiness.
Required to set up and migrate: admin access
• From EX 2010 mail servers: Exchange 2010 SP3; certificates – public
• From EX 2007/03 mail servers: Outlook Anywhere access
• From others: PST requirement
Deploy Identity Scenario
1. Cloud Identity: single identity in the cloud (Windows Azure Active Directory)
2. Directory & Password Synchronization: on-premises identity, synchronized by DirSync & Password Sync to Windows Azure Active Directory; single identity without federation
3. Federated Identity: on-premises identity, federation plus Directory Sync to Windows Azure Active Directory; single federated identity and credentials
Agenda
• What is DirSync? Purpose – what does it do?
• Understanding Synchronization
• Understanding Coexistence
• Understanding Migrations: self service, admin led
• Migration Options: PST migrations, IMAP migrations, Staged Exchange migrations
What is DirSync?
• Application that synchronizes on-premises Active Directory with Office 365
• Designed as a software-based “appliance”: “set it and forget it”
• x64 version based on FIM 2010, bundled with SQL Server 2008 R2 Express Edition
Purpose (#1): enables coexistence
• Provisions objects in Office 365 with the same email addresses as the objects in the on-premises environment
• Provides a unified Global Address List experience between on-premises and Office 365; objects hidden from the GAL on-premises are also hidden from the GAL in Office 365
• Enables coexistence for Exchange: works in both simple and hybrid deployment scenarios; enabler for mail routing between on-premises and Office 365 with a shared domain namespace
• Enables coexistence for Microsoft Lync
Purpose (#2): enables “run state” administration and management of users, groups, and contacts
• Synchronizes adds/deletes/modifications of users, groups, and contacts from on-premises to Office 365
• Enabler for Single Sign-On: mandatory component for ADFS / Federated Identity deployments
• Not intended as a single-use bulk upload tool
Understanding Synchronization

Synchronization
• Synchronizes one (and only one) Active Directory forest with Office 365
• The entire Active Directory forest is scoped for synchronization by default; filtering can be configured based on OU, AD domain, and user attribute
• What is synchronized? All user objects, all group objects, and mail-enabled contact objects
• Passwords are not synchronized
Synchronization
• Most synchronization is from on-premises to Office 365; in an Exchange Hybrid Deployment, DirSync is configured to write attributes back to the on-premises Active Directory
• Synchronization occurs every 3 hours; use the “Start-OnlineCoexistenceSync” cmdlet to force a sync outside of the regular synchronization schedule
Synchronization: User Objects
• Mail-enabled/mailbox-enabled users are synchronized as mail-enabled users (not mailbox-enabled users): visible in the Office 365 GAL (unless explicitly hidden from the GAL); logon enabled, but not automatically licensed to use services; target address is synchronized for mail-enabled users
• Regular NT users are synchronized as regular NT users: not automatically provisioned as mail-enabled in Office 365
• Resource mailboxes are synchronized as resource mailboxes
• Synchronized users are not automatically assigned a license
Synchronization: Group Objects
• Mail-enabled groups are synchronized as mail-enabled; group memberships are synchronized
• Security groups are synchronized as security groups
• Dynamic Distribution Groups are NOT synchronized

Synchronization: Contact Objects
• Only mail-enabled contacts are synchronized; the target address is synchronized to Office 365
Synchronization
• New user, group, and contact objects that are added on-premises are added to Office 365; licenses are not automatically assigned
• Attributes of existing user, group, or contact objects that are modified on-premises are modified in Office 365; not all on-premises AD attributes are synchronized
• Existing user, group, and contact objects that are deleted on-premises are deleted from Office 365
• Existing user objects that are disabled on-premises are disabled in Office 365; the license is not automatically unassigned
• The first synchronization cycle after installation is a full synchronization and may be time consuming relative to the number of objects synchronized: approximately 5000 objects every 45 to 60 minutes; plan ahead if synchronizing tens or hundreds of thousands of objects
• Subsequent synchronization cycles are deltas only and much faster
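As an added illustration (not code from the deck or from Microsoft's DirSync), the object rules on the preceding slides can be modelled as a small Python filter that decides which constructed on-premises objects are exported and what they become in Office 365; the attribute names and the sample directory are assumptions of the example:

```python
# Added example, not Microsoft's DirSync code: a simplified model of the rules
# above (OU filtering, object-type mapping, GAL-hidden flag, no automatic
# licensing) run over constructed AD objects. Attribute names are assumptions.
from typing import Dict, List, Optional

# Constructed on-premises objects (not a real directory).
ONPREM_OBJECTS: List[Dict] = [
    {"dn": "CN=Alice,OU=Sales,DC=contoso,DC=com", "class": "user",
     "recipientType": "mailbox", "hiddenFromGAL": False},
    {"dn": "CN=Bob,OU=Sales,DC=contoso,DC=com", "class": "user",
     "recipientType": "mailuser", "hiddenFromGAL": True,
     "targetAddress": "SMTP:bob@contoso.mail.onmicrosoft.com"},
    {"dn": "CN=Svc,OU=Sales,DC=contoso,DC=com", "class": "user", "recipientType": None},
    {"dn": "CN=Room1,OU=Sales,DC=contoso,DC=com", "class": "user", "recipientType": "resource"},
    {"dn": "CN=SalesDL,OU=Sales,DC=contoso,DC=com", "class": "group", "groupType": "distribution"},
    {"dn": "CN=AllSales,OU=Sales,DC=contoso,DC=com", "class": "group", "groupType": "dynamic"},
    {"dn": "CN=Admins,OU=Sales,DC=contoso,DC=com", "class": "group", "groupType": "security"},
    {"dn": "CN=Vendor,OU=Sales,DC=contoso,DC=com", "class": "contact",
     "mail": "vendor@fabrikam.com", "targetAddress": "SMTP:vendor@fabrikam.com"},
    {"dn": "CN=Plain,OU=Sales,DC=contoso,DC=com", "class": "contact"},
    {"dn": "CN=Carol,OU=Lab,DC=contoso,DC=com", "class": "user",
     "recipientType": "mailbox", "hiddenFromGAL": False},
]


def in_scope(dn: str, ou_filter: Optional[List[str]]) -> bool:
    """OU-based filtering; with no filter the whole forest is in scope (the default)."""
    return not ou_filter or any(dn.endswith("," + ou) for ou in ou_filter)


def stage_cloud_object(obj: Dict) -> Optional[Dict]:
    """Return the object as DirSync would provision it in Office 365, or None."""
    cls = obj["class"]
    if cls == "user":
        rtype = obj.get("recipientType")
        if rtype == "resource":
            cloud_type = "resource-mailbox"              # resource stays resource
        elif rtype in ("mailbox", "mailuser"):
            cloud_type = "mail-enabled-user"             # never mailbox-enabled in the cloud
        else:
            cloud_type = "user"                          # regular NT user stays regular
        cloud = {"type": cloud_type, "logonEnabled": True, "licensed": False,
                 "hiddenFromGAL": obj.get("hiddenFromGAL", False)}
        if rtype == "mailuser" and "targetAddress" in obj:
            cloud["targetAddress"] = obj["targetAddress"]  # carried for mail-enabled users
        return cloud
    if cls == "group":
        if obj.get("groupType") == "dynamic":
            return None                                  # dynamic DLs are NOT synchronized
        return {"type": "security-group" if obj["groupType"] == "security" else "mail-enabled-group"}
    if cls == "contact" and "mail" in obj:               # only mail-enabled contacts sync
        return {"type": "mail-enabled-contact", "targetAddress": obj.get("targetAddress")}
    return None


def run_import(objects: List[Dict], ou_filter: Optional[List[str]] = None) -> Dict[str, Dict]:
    """Sync cycle stage 1: what would be exported to Office 365, keyed by DN."""
    staged = {o["dn"]: stage_cloud_object(o) for o in objects if in_scope(o["dn"], ou_filter)}
    return {dn: cloud for dn, cloud in staged.items() if cloud is not None}
```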
Synchronization
[Diagram: sync cycle between on-premises (Exchange, Active Directory) and Office 365 (Windows Azure Active Directory, Directory Synchronization, Provisioning Web Service, Exchange Online, Authentication Platform, SharePoint Online, Lync Online)]
• Sync Cycle Stage 1: import users, groups, and contacts from on-premises
• Sync Cycle Stage 2: import users, groups, and contacts from Office 365
• Sync Cycle Stage 3: export users, groups, and contacts to Office 365
• Sync Cycle Stage 4: export “write back” attributes
• An on-premises mailbox-enabled user object (with its ProxyAddresses) is provisioned in Office 365 as a logon-enabled, mail-enabled (not mailbox-enabled) user carrying the same ProxyAddresses plus a target address
Synchronization
• Once implemented, on-premises AD becomes the “source of authority” for synchronized objects
• Modifications to synchronized objects must occur in the on-premises AD; synchronized objects cannot be modified or deleted via the portal unless DirSync is disabled for the tenant
• Scoping/filtering: custom scoping of the default management agents is officially supported
Synchronization
• The on-premises objectGuid AD attribute is assigned as the value of the immutableID attribute during the initial synchronization of an object; this is referred to as a “hard match”
• DirSync knows which Office 365 objects it is the “source of authority” for by examining the sourceAnchor attribute
• DirSync can also match user objects created via the portal with on-premises objects if the primary SMTP address matches; this is referred to as a “soft match”
Synchronization
• On-premises proxyAddresses attribute values are synchronized; this requires a matching verified domain
• Updates/modifications to the on-premises proxyAddresses attribute are synchronized even after license assignment
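The hard match, soft match and verified-domain rules from the last two slides, as an added Python model that is not Microsoft's code; the immutableId encoding, the tenant domains, the users and the GUIDs are assumptions of the example:

```python
# Added example, not Microsoft's DirSync code: the hard match / soft match rules
# and the verified-domain check on proxyAddresses, modelled in Python.
# Assumptions: sourceAnchor/immutableId is the base64 of the objectGUID bytes;
# the tenant domains, users and GUIDs below are constructed.
import base64
import uuid

VERIFIED_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com", "contoso.mail.onmicrosoft.com"}


def source_anchor(object_guid: uuid.UUID) -> str:
    """Value written to immutableId and compared against sourceAnchor."""
    return base64.b64encode(object_guid.bytes_le).decode("ascii")


def primary_smtp(proxy_addresses):
    """The primary address is the one with the upper-case 'SMTP:' prefix."""
    for addr in proxy_addresses:
        if addr.startswith("SMTP:"):
            return addr[5:].lower()
    return None


def filter_proxy_addresses(proxy_addresses):
    """Addresses in a verified domain are synchronized; the rest are dropped."""
    kept, dropped = [], []
    for addr in proxy_addresses:
        domain = addr.rsplit("@", 1)[-1].lower()
        (kept if domain in VERIFIED_DOMAINS else dropped).append(addr)
    return kept, dropped


def match_object(onprem, cloud_objects):
    """Return ("hard" | "soft" | None, matching cloud object or None)."""
    anchor = source_anchor(onprem["objectGUID"])
    for c in cloud_objects:                  # hard match: sourceAnchor already set
        if c.get("immutableId") == anchor:
            return "hard", c
    mine = primary_smtp(onprem["proxyAddresses"])
    for c in cloud_objects:                  # soft match: portal-created, same primary SMTP
        if c.get("immutableId") is None and primary_smtp(c["proxyAddresses"]) == mine:
            return "soft", c
    return None, None


def sync_object(onprem, cloud_objects):
    """One export of an on-premises object; returns (match kind, dropped addresses)."""
    kind, cloud = match_object(onprem, cloud_objects)
    if cloud is None:
        cloud, kind = {"proxyAddresses": []}, "created"
        cloud_objects.append(cloud)
    kept, dropped = filter_proxy_addresses(onprem["proxyAddresses"])
    cloud["immutableId"] = source_anchor(onprem["objectGUID"])  # on-premises AD now owns it
    cloud["proxyAddresses"] = kept
    return kind, dropped


# Constructed data: Alice was created via the portal before DirSync was enabled.
ALICE = {"objectGUID": uuid.UUID("0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"),
         "proxyAddresses": ["SMTP:Alice@contoso.com", "smtp:alice@contoso.onmicrosoft.com",
                            "smtp:alice@notverified.example"]}
BOB = {"objectGUID": uuid.UUID(int=7), "proxyAddresses": ["SMTP:bob@contoso.com"]}
CLOUD = [{"immutableId": None, "proxyAddresses": ["SMTP:alice@contoso.com"]}]
```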
Synchronization
• By default, only the first 50,000 objects are synchronized; the quota limit can be increased by contacting technical support
• Synchronization service will be stopped and an email sent to the technical contact
• Deleted objects count against the quota for up to 30 days

Synchronization
• The 10 GB SQL Server 2012 Express Edition database file size is estimated to max out at ~50,000 objects; 50,000+ total objects requires full SQL Server
• Authorization and synchronization occur via SSL
Synchronization
• Synchronization errors are emailed to the Technical Contact for the subscription; recommend using a distribution group as the Technical Contact email address
• Example errors include:
  • Synchronization health status: sent once a day if a synchronization cycle has not registered 24 hours after the last successful synchronization
  • Objects whose attributes contain invalid characters
  • Objects with duplicate/conflicting email addresses
  • Sync quota limit exceeded
Azure AD DirSync scoping options
• Ability to DirSync only a subset of your users to Windows Azure AD
• Options for filtering: OU, domain-based, user attribute
• Step-by-step instructions available on TechNet
Password Synchronization (scheduled to release in CY2013)
• New feature of Windows Azure Directory Sync as an alternative to Federated Authentication
• Customer benefits:
  • Customers can use a “single set of credentials” (same username and password) to access both on-premises and online resources
  • This single set of credentials is managed in the customer’s Active Directory and is synchronized with Office 365 (username + password)
  • Password Sync is fully integrated in the DirSync appliance; no additional software/hardware or changes to the on-premises AD are required
  • No requirement to deploy and maintain Active Directory Federation Services
  • Keeps the deployment simple and eliminates IT costs associated with ADFS
Password Sync security
• Does not require nor access the plain-text password
• No requirement for the AD reversible encrypted format
• The AD user password hash is hashed again using a non-reversible encryption function and the digest is synchronized into Azure AD
• The digest in Azure AD cannot be used to access resources in the customer’s on-premises environment

Password Sync key password policies
• Password Sync is a one-way synchronization from on-premises to the cloud
• The password complexity policy implemented in the on-premises AD is the master policy
• The password expiration policy on Azure AD is set to “Never Expire”
• Password expiration and sync to Azure AD are driven by on-premises events
Understanding Coexistence

What is Coexistence?
• Some users are provisioned in Office 365 while the remaining users are provisioned in the on-premises environment
• Office 365 users see the same objects in the Global Address List as the on-premises users
• Email messages are routed seamlessly from Office 365 users to on-premises users, and vice versa

Simple Coexistence Deployment
• Uses Directory Synchronization for GAL synchronization
• Enables mail routing between on-premises and Office 365 using a shared DNS namespace
• Provides a unified GAL experience
• Can be used with cloud identities or federated identities
• Does not require an on-premises Hybrid server
SEM Architecture
[Diagram: on-premises Exchange Org (Exchange 2003 or 2007) connected to Office 365; users, groups, and contacts flow via DirSync (Office 365 Directory Synchronization App); mailbox data flows via Outlook Anywhere (RPC over HTTP)]

Mail Routing: Pre-Coexistence
[Diagram: the MX record for contoso.com points at on-premises message filtering in front of Exchange and Active Directory; every user object is mailbox-enabled on-premises with its ProxyAddresses]

Mail Routing: On-Premises To Office 365
[Diagram: the MX record for contoso.com still points at on-premises message filtering; Office 365 has its own MX records (contoso.onmicrosoft.com, contoso.mail.onmicrosoft.com) fronted by Exchange Online Protection, behind which sit Exchange Online and the Online Directory, kept in sync by DirSync and the DirSync Web Service. A migrated user is a logon-enabled, mailbox-enabled user in Office 365 with its ProxyAddresses, and is represented on-premises as a mail-enabled (not mailbox-enabled) user object whose target address points at Office 365]

Mail Routing: Office 365 To On-Premises
[Diagram: the same topology in the reverse direction; a user still hosted on-premises is mailbox-enabled there and appears in Office 365 as a logon-enabled, mail-enabled (not mailbox-enabled) user whose target address points back to the on-premises mailbox]
Understanding Migrations

Migration Option Decision Factors
• Deployment plan: the migration solution is part of the plan
• Source server: Exchange, IMAP, Lotus Notes, Google
• Size: large, medium, small
• Identity management: in-cloud, on-premise, single sign-on
• Provisioning: DirSync, manual/bulk provisioning
• Coexistence requirement: simple, rich
• Time to value: self-serve or admin-driven; features by user type; cloud or on-premises tools
Additional Onboarding Options
Control | Deployment Type | Description
Self Service | New mailbox | User receives a new “green field” mailbox, i.e. the user is onboarded without data migration.
Self Service | New mailbox + Outlook PST | User receives a new mailbox and either attaches or imports PST files for access to pre-Office 365 data.
Self Service | New mailbox + Connected Accounts | User receives a new mailbox and configures connected accounts via OWA.
Admin-Driven | New mailbox + PST Import | User receives a new mailbox and the admin uses the PST export features of Exchange and 3rd-party tools to import PST data into the user’s Exchange Online mailbox.
Source | PST Migration | IMAP migration | Staged migration | Hybrid
Exchange 5.5 | X | X | |
Exchange 2000 | X | X | |
Exchange 2003 | X | X | X |
Exchange 2007 | X | X | X |
Exchange 2010 | X | X | | X
Exchange 2013 | X | X | | X
Notes/Domino | X | X | |
GroupWise | X | X | |
Other | X | X | |
* Additional options available with tools from migration partners
FastTrack Step 2 Migration Options
Migration
• PST Migration: import of archived/offline mail
• IMAP migration: supports a wide range of email platforms; email only (no calendar, contacts, or tasks)
• Staged Exchange migration: no server required on-premises; identity federation with the on-premises directory
Hybrid
• Hybrid deployment: manage users on-premises and online; enables cross-premises calendaring, smooth migration, and easy off-boarding
Migration Options

IMAP Migrations

IMAP Features and Benefits
• Works with a large number of source mail systems
• Works with on-premises or hosted systems
• Users can be migrated in batches
• On-premises migration tool is not required
IMAP Requirements and Limitations
• Access to IMAP ports (TCP 143/993)
• SMTP domains configured in the O365 tenant
• Users + mailboxes must be provisioned prior to migration (bulk provisioning, CSV parser, manual, etc.)
• Gather user credentials or set up admin credentials
• Prepare a CSV file with the list of users: EmailAddress, UserName, Password; max of 50,000 rows; max 10 MB in size
• Very limited data migration scope (mail items only)
IMAP Data Migration Scope
Migrated
• Mail messages (Inbox and other folders)
• Maximum of 500,000 items
• Possible to exclude specific folders from migration (e.g. Deleted Items, Junk E-Mail)
Not Migrated
• Contacts, calendars, tasks, etc.
• Excluded folders
• Folders with a forward slash ( / ) in the folder name
• Messages larger than 25 MB
IMAP Migration Flow
1. Gather IMAP creds, configure the IMAP endpoint and prepare the CSV
2. Provision users + mailboxes in O365 (license assigned)
3. EAC Wizard: enter server settings and upload the CSV
4. Initial sync
5. Delta sync every 24 hours
6. Change MX record
7. Mark migration as complete
8. Final sync and cleanup
IMAP Migrations – Questions?
Staged Exchange Migrations (SEM)

SEM Features and Benefits
• Simple and flexible migration solution
• High-fidelity solution: all mailbox content is migrated
• Typically best suited to medium and large organizations
• Users are provisioned with Directory Sync prior to migration
• No limit on the number of mailboxes
• Users can be migrated in batches (up to 1000 per batch)
• Works with Exchange 2003 and 2007 only, on-premises or hosted
• Identity management on-premises
• On-premises migration tool is not required
SEM Requirements
• Outlook Anywhere service on the source system (must have an SSL certificate issued by a public CA)
• Migration account with Full Access or Receive-As permissions to all mailboxes that will be migrated
• SMTP domain(s) configured in the O365 tenant
• Directory Sync tool enabled in the O365 tenant (i.e. requires simple coexistence)

SEM Limitations
• SEM is not supported with Exchange 2010 and 2013
• Only simple coexistence is available (no sharing of free/busy, calendar, etc.)
SEM Accounts and Passwords
Account provisioning
• The migration tool relies on DirSync to do provisioning: for every on-premises mailbox to be migrated there needs to be a MEU or mailbox in Office 365
Passwords
• Target mailbox passwords must be specified for all users
• Administrators can force users to change passwords on first login
• Note: password management has been simplified with DirSync and password sync
SEM Batch File Format
• CSV format: EmailAddress, Password, ForceChangePassword
• One user per line
• Max of 1000 users in each CSV
• Smart-check against the Office 365 directory
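An added pre-flight validator (not Microsoft tooling) for the IMAP batch CSV described earlier and the SEM batch CSV described here, applying the column, row-count and size limits stated on the slides; the sample batches and the Office 365 directory used for the smart-check are constructed:

```python
# Added example, not Microsoft tooling: a pre-flight validator for the IMAP and
# SEM batch CSV formats described above. Column names and limits come from the
# slides; the sample batches and the directory used for the SEM smart-check are
# constructed.
import csv
import io
from typing import List, Optional, Set

FORMATS = {
    # IMAP migration: EmailAddress, UserName, Password; max 50,000 rows, 10 MB
    "imap": {"columns": ["EmailAddress", "UserName", "Password"],
             "max_rows": 50_000, "max_bytes": 10 * 1024 * 1024},
    # Staged Exchange migration: EmailAddress, Password, ForceChangePassword; max 1000 users
    "sem": {"columns": ["EmailAddress", "Password", "ForceChangePassword"],
            "max_rows": 1000, "max_bytes": None},
}


def validate_batch(csv_text: str, fmt: str, directory: Optional[Set[str]] = None) -> List[str]:
    """Return the list of problems found; an empty list means the batch looks valid."""
    spec = FORMATS[fmt]
    problems: List[str] = []
    size = len(csv_text.encode("utf-8"))
    if spec["max_bytes"] is not None and size > spec["max_bytes"]:
        problems.append(f"file is {size} bytes, limit is {spec['max_bytes']}")
    reader = csv.DictReader(io.StringIO(csv_text))
    if reader.fieldnames != spec["columns"]:
        problems.append(f"header must be {','.join(spec['columns'])}, got {reader.fieldnames}")
        return problems                       # nothing else is meaningful without the header
    seen: Set[str] = set()
    rows = 0
    for lineno, row in enumerate(reader, start=2):   # line 1 is the header
        rows += 1
        email = (row.get("EmailAddress") or "").strip().lower()
        if "@" not in email:
            problems.append(f"line {lineno}: invalid EmailAddress {row.get('EmailAddress')!r}")
            continue
        if email in seen:
            problems.append(f"line {lineno}: duplicate EmailAddress {email}")
        seen.add(email)
        for col in spec["columns"][1:]:
            if not (row.get(col) or "").strip():
                problems.append(f"line {lineno}: empty {col}")
        if fmt == "sem":
            flag = (row.get("ForceChangePassword") or "").strip().lower()
            if flag not in ("true", "false"):
                problems.append(f"line {lineno}: ForceChangePassword must be True or False")
            if directory is not None and email not in directory:   # the "smart-check"
                problems.append(f"line {lineno}: {email} is not in the Office 365 directory")
    if rows > spec["max_rows"]:
        problems.append(f"{rows} rows exceeds the {spec['max_rows']}-row limit")
    return problems


# Constructed sample batches (not real accounts or credentials).
IMAP_BATCH = ("EmailAddress,UserName,Password\n"
              "alice@contoso.com,contoso\\alice,Pa55w.rd\n"
              "bob@contoso.com,contoso\\bob,\n")
SEM_BATCH = ("EmailAddress,Password,ForceChangePassword\n"
             "alice@contoso.com,Temp1234!,True\n"
             "dave@contoso.com,Temp1234!,maybe\n"
             "alice@contoso.com,Temp1234!,False\n")
CLOUD_DIRECTORY = {"alice@contoso.com", "bob@contoso.com"}
```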
SEM Data Migration Scope
Migrated
• Mail messages and folders
• Rules and categories
• Calendar (normal, recurring)
• Out-of-Office settings
• Contacts
• Tasks
• Delegates and folder perms
• Outlook settings (e.g. favorites)
Not Migrated
• Security groups, DDLs
• System mailboxes
• Dumpster
• Send-As permissions
• Messages larger than 25 MB
SEM Data Migration Scope
• Partial migrations are not possible (no folder exclusion, no time range selection, etc.)
• Mailboxes enabled for Unified Messaging cannot be migrated
• Hidden mailboxes (not visible to the tool) cannot be migrated
• A new cloud mailbox is created (new GUID) and data is copied
• Existing cached-mode files (OST files) cannot be preserved
SEM User Experience
• Admin needs to distribute new passwords to users
• Users create their new Outlook profile using the O365 username and new password (Autodiscover)
• All mail is downloaded from the Office 365 mailbox (i.e. the OST file must be recreated)
• Note: IT admins must convert the on-premises mailbox-enabled user to a mail-enabled user (which will delete on-premises content)
SEM Migration Flow
1. Configure Directory Sync
2. Configure Outlook Anywhere
3. Test using ExRCA
4. Assign migration perms
5. EAC Wizard: enter server settings, admin creds, batch CSV
6. Migrate batch
7. Convert on-prem mailboxes to MEU
8. License users
9. Change MX record
10. Delete migration batch (optional)
Staged Exchange Migrations – Questions?
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.