
Upload: danielbea5351

Post on 26-Mar-2015


Page 1: Email Coexistence on BPOS

What is Email Coexistence?

First a definition: email coexistence refers to keeping some of your users on your own on-premise Exchange servers, and migrating other users over to BPOS – but you want all users to have the same SMTP domain. So in the example scenario in this article, all users keep the same [email protected] addresses.

In our example, some users would use Exchange the traditional way – with a mail client like Outlook pointed at in-house mail servers. However, some users have been migrated over to BPOS, and their mail client is pointed to cloud servers. But all users have email addresses in the same domain, and all of them show up in the same Global Address List (GAL), making corporate-wide communication easy.

Email coexistence is a great solution, but it is not perfect. There are a few things you should be aware of:

• This is an either/or scenario – users can’t maintain a mailbox on both systems. Old mailboxes on the on-premise Exchange should be removed as quickly as possible.

• Free/busy data does not get exchanged between the two systems, so on-premise users can’t see free/busy data for BPOS users. For this reason, it may make the most sense to migrate entire workgroups to BPOS rather than just a few users.

• One other feature that doesn’t work between the two environments is mailbox delegation – another reason to migrate entire workgroups at once.

How Email Coexistence Works

Before we start configuring email coexistence, a high-level overview of mail traffic flow is important. With coexistence, mail is routed as follows:

• First, all incoming mail for our example domain, bpostutorials.com, continues to go to an on-premise Exchange system.

• Second, the on-premise Exchange server receives the mail. The local Active-Directory syncs with BPOS, and a migration tool tells Exchange if the mail recipient is local, or has been activated in BPOS. Then, depending on the setting for each user, the Exchange server either delivers mail locally or forwards it over to BPOS.

• Finally, BPOS receives the forwarded mail, and delivers it to users’ mailboxes.

The Trickery

Behind the scenes, this all works via some clever trickery. The secret? The BPOS mailboxes don't actually use your domain as their SMTP domain. BPOS actually uses a microsoftonline.com domain – such as bpostutorial.microsoftonline.com.

So, mail is simply being forwarded back and forth between two domains: bpostutorials.com, and bpostutorial.microsoftonline.com.

However, the system tricks users by displaying their login, mailbox, and sent mail as being part of the bpostutorials.com domain – hiding the long microsoftonline.com domain and saving users the agony of changing email addresses.

Step-by-Step: How to Configure Email Coexistence

Now that you understand the basic mail traffic flow, configuring mail coexistence takes a few simple steps.

1. Add your own domain to BPOS and enable external relay

2. Verify the domain

3. Verify email traffic flow

4. Enable Active Directory synchronization

5. Activate migrated users

6. Migrate mailboxes to BPOS

7. Optional steps: Configure SPF and secure the mail flow

Let’s go through each of these steps in detail. We’ll cover steps one and two in this article, and finish off the process in our next articles in the series.

Step 1: Add Your Own Domain to BPOS and Enable External Relay

Open up the BPOS Admin site. Click on the Users tab, then the Domain menu item. Then, click the "New" link in the upper-right corner.

Enter your Domain name in the new window that opens up – in my example I’ve used bpostutorials.com. And, since we’re setting up email coexistence in this article, click the option for “External Relay.”

(For a step-by-step guide to use BPOS as your primary mail system instead of email coexistence mode, check out our article on using your own custom domains with BPOS.)

Click "Create" and a window like the one below will be displayed. Select the box to "Start the Verification Wizard" if you’re ready to go to the next step, and verify the domain now.

Step 2: Verify Your Domain

Verifying a domain is accomplished by creating a DNS entry called a CNAME, or Alias. Your DNS records are generally hosted by your domain registrar, though in some cases your DNS may be hosted elsewhere.

First we need Microsoft to tell us how to configure the CNAME. If you didn’t select the option to start the Verification wizard in the previous step, then go back to the Users tab, and click on the Domains menu item. The newly added domain will now appear in the domains list. Click the "Verify Now" link.

Select your registrar from the drop-down if available, otherwise select "Other" and click "Next".

On the next screen you’ll be provided with DNS settings that you’ll need to configure with your domain registrar. Don’t use the ones in the screenshot here, they will all be unique. Make a note of the Host name, and "Points To" information.

Keep this window open. Now, fire up a new browser window and log in to your domain registrar’s admin site. The example below was created using Go Daddy, but most registrars will have a similar tool. Microsoft has also compiled a detailed list of instructions for popular registrars.

Open up your registrar’s DNS tool and add a CNAME record. For example, with Go Daddy I would click the "Add New CNAME Record" button on the right-hand side of the screen.

Enter the Alias information that BPOS gave you. Note that you usually don’t have to fully qualify an Alias (i.e. the full domain name isn’t required, just the host name).

Success! Keep your registrar’s admin site open, because you’ll need it again in a minute.

Flip back to your BPOS window (you left that open, right?) and click the "Verify" button. If you did it right, you should see a message like the one below. If verification fails, go back and confirm that you typed the alias correctly. Depending on the registrar, the new record can take anywhere from 15 minutes to 72 hours to become visible.

If it’s not working, try doing a DNS lookup from another system to confirm that the alias is configured properly. BPOS won’t verify the domain until it can resolve the new alias you created to the server name it provided you in the previous steps.

Verify that you’ve configured everything correctly so far by going back to the Domains window. You should see your domain listed with a Status of “Verified”, Inbound messaging “Disabled”, and a Type that shows “External Relay”.

Once you’ve added and verified your domain, you'll be ready for part II of this series. In part II we'll synchronize Active-Directory with BPOS. In part III, we'll cover the final pieces of the puzzle: activating and migrating users.

To recap, configuring email coexistence with BPOS requires the following steps:

1. Add your own domain to BPOS and enable external relay (Covered in Part I)

2. Verify the domain (Covered in Part I)

3. Verify email traffic flow

4. Enable Active Directory Synchronization

5. Activate migrated users

6. Migrate mailboxes to BPOS

7. Optional steps: Configure SPF and secure the mail flow

This 2nd installment covers steps 3 and 4:

• Verify email traffic flow

• Enable Active-Directory Synchronization

Step 3: Verify Email Traffic Flow

This step may seem out of order, but it’s actually very important. Before configuring Active-Directory sync, it’s crucial to verify that the two SMTP domains used for coexistence can successfully communicate.

As explained in part I of this article series, BPOS makes it look as if all users are using the same SMTP domain, whether using BPOS or your on-premise Exchange. However, behind the scenes it uses two different domains, and some tricky forwarding techniques. So, it’s important to verify that the two domains can talk to each other.

For this example we’ll continue to use the sample domain bpostutorials.com, and the BPOS domain bpostutorial.microsoftonline.com.

To verify email flow:

1. In your BPOS environment, create a test user with a mailbox in the microsoftonline.com domain. For example, [email protected]

2. Create a test user in your on-premise Exchange environment. For example, [email protected]

3. Log on to BPOS Outlook Web Access as UserOne, the BPOS test user ([email protected]).

4. Send an email message to UserTwo, the on-premise test user ([email protected]).

5. Verify that UserTwo received the message, and reply to it.

6. From OWA, confirm that UserOne received the reply.

Troubleshooting:

If messaging doesn’t work, confirm that the microsoftonline.com domain has been added to your safe-senders list in Exchange. It is also worth confirming that any third-party spam filters aren’t rejecting the messages, and that your MX records still point at your on-premise Exchange rather than at BPOS.
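The lookups that this step and the domain-verification step tell you to do by hand can be scripted. The following is an added example, not code from the original article: it runs nslookup (present on Windows and Unix) for the verification CNAME from step 2 and for the domain's MX record, and parses the answer lines both nslookup flavours print. The alias verify.bpostutorials.com, its target points-to.example.net, the MX host mail.bpostutorials.com and the embedded nslookup output are constructed placeholders; substitute the Host name and Points To values your own BPOS verification wizard shows.

```python
"""DNS checks for BPOS coexistence: the verification CNAME (step 2) and the
MX record that must keep pointing on-premise (step 3 troubleshooting).

Added example, not part of the original article. It shells out to nslookup,
which is present on Windows and Unix, and parses the "canonical name =" and
"mail exchanger" answer lines. The host names below are placeholders; use
the Host name / Points To values your own BPOS verification wizard shows.
"""
import re
import subprocess

# Answer-line formats printed by Windows nslookup and by BIND-derived nslookup.
_CNAME_RE = re.compile(r"^\s*(\S+)\s+canonical name\s*=\s*(\S+)\s*$", re.M)
_MX_WIN_RE = re.compile(r"^\s*(\S+)\s+MX preference\s*=\s*(\d+),\s*mail exchanger\s*=\s*(\S+)\s*$", re.M)
_MX_UNIX_RE = re.compile(r"^\s*(\S+)\s+mail exchanger\s*=\s*(\d+)\s+(\S+)\s*$", re.M)

# Constructed nslookup output (Windows-style CNAME answer, Unix-style MX answer)
# so the parser can be exercised without network access.
SAMPLE_CNAME = ("Server:  dns.bpostutorials.com\nAddress:  192.0.2.53\n\n"
                "Non-authoritative answer:\n"
                "verify.bpostutorials.com\tcanonical name = points-to.example.net\n")
SAMPLE_MX = ("bpostutorials.com\tmail exchanger = 20 backup.bpostutorials.com.\n"
             "bpostutorials.com\tmail exchanger = 10 mail.bpostutorials.com.\n")


def _norm(name):
    """Lower-case and drop the trailing dot so 'A.example.' equals 'a.example'."""
    return name.rstrip(".").lower()


def parse_nslookup(output):
    """Return {'CNAME': [(owner, target)], 'MX': [(owner, preference, host)]}."""
    cnames = [(_norm(o), _norm(t)) for o, t in _CNAME_RE.findall(output)]
    mxs = [(_norm(o), int(p), _norm(h)) for o, p, h in _MX_WIN_RE.findall(output)]
    mxs += [(_norm(o), int(p), _norm(h)) for o, p, h in _MX_UNIX_RE.findall(output)]
    return {"CNAME": cnames, "MX": mxs}


def cname_matches(output, alias_fqdn, expected_target):
    """True only if the alias resolves to exactly the target BPOS gave you."""
    targets = [t for o, t in parse_nslookup(output)["CNAME"] if o == _norm(alias_fqdn)]
    return targets == [_norm(expected_target)]


def mx_hosts(output, domain):
    """Mail exchangers for the domain, lowest preference (highest priority) first."""
    mxs = [(p, h) for o, p, h in parse_nslookup(output)["MX"] if o == _norm(domain)]
    return [h for _, h in sorted(mxs)]


def nslookup(qtype, name, server=None):
    """Run nslookup; pass the authoritative name server to bypass a resolver
    that still caches the answer from before you added the record."""
    cmd = ["nslookup", "-type=" + qtype, name] + ([server] if server else [])
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


def check_coexistence_dns(alias_fqdn, expected_target, domain, onprem_mx, server=None):
    """Live check: verification CNAME in place, and primary MX still on-premise."""
    hosts = mx_hosts(nslookup("mx", domain, server), domain)
    return {
        "cname_ok": cname_matches(nslookup("cname", alias_fqdn, server), alias_fqdn, expected_target),
        "mx_ok": bool(hosts) and hosts[0] == _norm(onprem_mx),
        "mx_hosts": hosts,
    }


if __name__ == "__main__":
    # Offline: exercise the parser on the constructed output above.
    print(cname_matches(SAMPLE_CNAME, "verify.bpostutorials.com", "points-to.example.net"))
    print(mx_hosts(SAMPLE_MX, "bpostutorials.com"))
    # Live (placeholders): substitute your real alias, target and MX host.
    print(check_coexistence_dns("verify.bpostutorials.com", "points-to.example.net",
                                "bpostutorials.com", "mail.bpostutorials.com"))
```

Pass your registrar's authoritative name server as the last argument when a public resolver still returns the old answer: a lookup that succeeds only against the authoritative server means the record is right but has not propagated yet, and BPOS will not verify the domain until the resolvers it uses can see it.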

Don’t move on until you’ve confirmed that basic mail-flow works as expected. Email coexistence won’t work if you can’t email between the two domains.

Step 4: Enable Active-Directory Synchronization

Active-Directory synchronization does exactly what you might expect. It copies your local active-directory user information over to BPOS. This simplifies user administration, since BPOS automatically has a list of all users. It also makes your full Global Address List available to all users, whether they are on BPOS or on-premise Exchange. Synchronization is performed using a tool called the “Active-Directory Synchronization Tool”, or Dirsync for short.

Dirsync will copy AD user information over to BPOS, with the exception of passwords. It will perform an initial sync, then re-sync every 3 hours. After running Dirsync, it’s important to make all user changes in your local AD, not on the Microsoft Online environment.

Before beginning, there are a few prerequisites.

• Dirsync cannot be installed on a domain controller. It must be installed on a member-server joined to the same AD forest that you plan to sync with BPOS.

• It cannot run on a 64-bit system; it must be installed on 32-bit Microsoft Windows Server 2003 SP2 or a newer 32-bit server OS.

• The .NET framework 2.0 or greater must be installed on the computer that will run Dirsync

• PowerShell must be installed

• Enterprise Administrator credentials for your AD will be required

• BPOS Administrator credentials will be required

To install Dirsync:

From the machine that you plan to install Dirsync on, open up the BPOS admin console, and go to the Migration tab.

In the “Directory Synchronization” section click on Configure.

The window that opens provides a series of steps.

Read the planning document under Step 1 and check the box.

Next, under Step 2, click the button to Enable Directory Synchronization.

Now, under Step 3, click the download button which will take you to the download page for Dirsync.

Download and run the Dirsync setup file. Go ahead and install it using all default options.

Ensure that the option to "Start Configuration Wizard now" is selected, then click Finish.

Enter your BPOS administrator’s credentials when prompted:

And next enter your Active-Directory Enterprise administrator credentials:

We want synchronization to start immediately, so leave the checkbox labelled “Synchronize directories now” selected, and click Finish.

Verify Synchronization

There are a couple of ways to verify that synchronization is working correctly.

First, open up the Event Log on the server running Dirsync. Check the Application Log for events with a source of “Directory Synchronization” and Event ID 4. Events logged with ID 4 indicate that synchronization completed successfully.

Next, we can verify that users and groups were copied to BPOS. Dirsync copies all accounts over and automatically disables them in BPOS by default, so you’ll need to view “Disabled User Accounts” in BPOS to find the synchronized accounts.

To do this, log in to the BPOS admin center. Go to the Users tab, and click on the User List sub-tab. Select “Disabled User Accounts” from the left-hand navigation pane. You should see a list of user accounts that were synchronized from your own Active-Directory.

If you can see user accounts from your domain, then congratulations! Directory synchronization is working correctly. For now, leave the accounts disabled. You should only activate accounts when you’re ready to complete the user migration process.

We’ll cover the final steps required to configure email coexistence in Part 3 of this series. In Part 3 we’ll use the BPOS migration tool to copy mailbox data to BPOS, and configure the forwarding information that makes co-existence possible.

To recap, configuring email coexistence with BPOS requires the following steps:

1. Add your own domain to BPOS and enable external relay (Covered in Part I)

2. Verify the domain (Covered in Part I)

3. Verify email traffic flow (Covered in Part II)

4. Enable Active Directory Synchronization (Covered in Part II)

5. Activate migrated users

6. Migrate mailboxes to BPOS

7. Optional steps: Configure SPF and secure the mail flow

At this point you should be able to send email between your on-premise Exchange, and a test user on BPOS. You also should have installed the Dirsync tool, and have successfully synchronized your own Active-Directory to BPOS.

In this final article of the series, we’ll activate users and then set up the key tool that makes this all work – the Mailbox Migration tool.

Step 5: Activate Migrated Users

Synchronized user accounts are disabled by default. First step – activate them.

Open up the BPOS admin center. Click on the Users tab, then the User List sub-tab. Click on “Disabled User Accounts” from the left-hand task pane.

A list of all users synchronized from your domain should appear if synchronization is working correctly.

Click on one of the users to open up their properties window, then click the “Activate User Wizard” link.

To activate a large number of users at once, simply select them using the checkboxes beside their accounts on the Disabled Users screen. Then, click the “Activate Users” link to do a bulk activation.

Go ahead and enter an email address if you want BPOS to email a login link and password to your users. Then click next.

Select the location of your users, then click next.

And finally, select mailbox size limits for your users, then click next.

Next you should see a confirmation screen listing the activated users along with their temporary passwords. If you did not select the option to have them emailed to your users, record the passwords now. Treat them as credentials: hand them to users over a channel you trust, and have users change them at first logon rather than leaving the temporary values in use.

One last important note – In the previous steps, BPOS Dirsync may have imported users with a default domain set to [whatever].microsoftonline.com. If you want your users to log in to BPOS using your own domain (e.g. bpostutorials.com vs bpostutorial.microsoftonline.com), and send mail from your own domain name, then you should change this after activating users.

Step 6: Migrate Mailboxes to BPOS

Now that you’ve made it to this point, you’ve completed all the prep work for email-coexistence. In this last step we will install the Migration tool, and finally migrate selected mailboxes to BPOS.

The migration tool is the key piece to configure coexistence. The tool configures your on-premise Exchange SMTP settings to forward mail over to BPOS for migrated users. And, it will also migrate mailbox data over to BPOS. With the migration tool, users won’t lose content like mail and calendar items.

First, download and install the migration tool. To do this, go to the “Migration” tab in BPOS, then launch the “Migrate Mailboxes” link.

Before you can download the tool you’ll have to check the box to confirm that you’ve read the planning document. Then, download the tool.

The migration tool can be installed on any machine that meets the prerequisites below. It does not have to be installed on your Exchange server.

• Windows PowerShell is installed.

• Windows Vista, Windows Server 2003, or Windows XP with Service Pack 2 is installed.

• If Windows Server is installed, the computer can be configured as an Active Directory domain controller.

• Microsoft .NET Framework 2.0 or later must be installed.

In addition, you’ll need to run the migration tool from an account with Exchange server administrator privileges. And of course, you’ll also need admin permissions in BPOS.

Install the Migration tool using all of the default settings.

Once you’ve finished the install, open up the Migration Console from the Start menu (Start-Programs-Microsoft Online Services-Migration-Migration Console)

A sign-in box will prompt you for your BPOS user name and password. Enter the credentials for an account with administrator permissions, then click Sign In.

Click on “Mailboxes Ready to Migrate” to see a list of mailboxes that correspond to Activated BPOS user accounts. Any of these mailboxes can be migrated when you're ready to proceed.

Select the mailboxes that you wish to migrate, then right-click on one of the mailboxes. From the context-sensitive pop-up menu, choose “Migrate mailboxes”.

This will launch a migration wizard. Click Next on the introductory screen.

You now have two options. You can either configure forwarding records and migrate mailbox content, or configure forwarding records without migrating any content. You should migrate content if you want users to have access to their old data once they move over to BPOS.

If you chose to migrate content, you can also decide whether to allow data to pass over an unsecured connection. Be aware that if you allow this, mailbox data travels from your Exchange server across the internet in cleartext, where it can be read or altered in transit. Microsoft recommends securing the connection, though the tool does not require it. (For more information on securing traffic, see Step 7 in this article.)

Assuming you’re going to migrate content to BPOS, choose the option to “Copy the local mailbox content”, then click Next.

Next, review the mailboxes you plan to migrate. Ensure that the source mailbox isn’t larger than the quota you’ve assigned to the BPOS users. Mailboxes could take considerable time to migrate depending on size and network bandwidth, so be cautious about how many mailboxes you move at once.

Now, select mailbox content types to migrate, like mail and calendar items. If desired, select the date ranges of data to migrate. Click Next when you’re ready to proceed.

Note that some items will not be migrated by the tool – more details on that here: http://www.microsoft.com/online/help/en-us/helphowto/fa139bc5-76d7-4e1a-9029-abc431b3c39a.htm

The tool provides one last opportunity to do a final review. If everything looks correct, then click Migrate to start the process.

The Migration tool will show a progress window like this one:

Once migration is complete, then review the status window for any errors or warnings, then click Finish.

Verifying Migration in Active-Directory

Let’s jump back to your own Active-Directory where you can view the changes made by the migration tool.

Open up Active Directory Users and Computers, and navigate to the Users container. You’ll see that in addition to your user objects (e.g. User Three) the migration tool has created a new contact object for each of the migrated users. So in this example, we now have a contact for [email protected]. The contact is only for back-end use, so it will be hidden from the GAL.

Open up the new contact for one of your users. As you can see in the screenshot below for User Three, the “Email:” field uses the smtp domain for your BPOS domain – in this case the mail address is [email protected]. This contact is created simply so that Exchange has somewhere to forward mail that arrives in the [email protected] mailbox.

Next, open up the User object for your migrated user, and open up Delivery Options from the Exchange General tab. In our User Three example below, you can see that the migration tool has configured Exchange to forward all mail to the User Three (MSOL) contact object that we just looked at in the previous step.

Finally, back in the BPOS admin console, you can see that User Three has been activated with a user name of [email protected].
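The objects just described (the user's forwarding setting, the hidden contact, and its microsoftonline.com target address) are what turn the routing from "How Email Coexistence Works" into reality, so they are worth checking for every migrated user rather than one at a time in Active Directory Users and Computers. The script below is an added example, not the migration tool's code or anything from the original article. It reads an ldifde export and checks, for each mail-enabled user, that altRecipient points at a contact whose targetAddress is in the BPOS domain with a matching local part, that the contact is hidden from the GAL, and that deliverAndRedirect is not set (a copy kept on-premise breaks the either/or rule from the first section). The attribute names are the ones Exchange 2003 stores behind the Delivery Options dialog; the sample export and the addresses in it are constructed, since the article redacts the real ones.

```python
"""Verify the forwarding objects the BPOS migration tool creates in Active Directory.
Added example, not from the original article or Microsoft. Export the objects with
  ldifde -f coexist.ldf -d "CN=Users,DC=bpostutorials,DC=com" -r "(|(objectClass=user)(objectClass=contact))" -l objectClass,mail,altRecipient,deliverAndRedirect,targetAddress,msExchHideFromAddressLists
then run  python check_forwarding.py coexist.ldf  (no argument: the constructed sample below,
whose addresses are assumed, is checked; User Three is migrated correctly, User Four is not)."""
import base64
import sys


def parse_ldif(text):
    """Minimal LDIF reader (folded lines, 'attr:: base64'): list of {attr_lower: [values]}."""
    entries, current, logical = [], {}, []

    def flush():
        if logical:
            attr, _, value = "".join(logical).partition(":")
            logical.clear()
            if value.startswith(":"):                  # base64-encoded value
                value = base64.b64decode(value[1:]).decode("utf-8")
            current.setdefault(attr.strip().lower(), []).append(value.strip())

    for raw in text.splitlines() + [""]:
        if raw.startswith(" "):                        # folded continuation line
            logical.append(raw[1:])
            continue
        flush()
        if raw.strip():
            logical.append(raw)
        elif current:
            entries.append(current)
            current = {}
    return entries


def _first(entry, attr):
    values = entry.get(attr.lower())
    return values[0] if values else None


def _is_true(entry, attr):
    return (_first(entry, attr) or "").upper() == "TRUE"


def _classes(entry):
    return {c.lower() for c in entry.get("objectclass", [])}


def check_forwarding(entries, tenant_domain="bpostutorial.microsoftonline.com"):
    """Map each mail-enabled user to its problems; [] = correct, ['local'] = not migrated."""
    by_dn = {_first(e, "dn").lower(): e for e in entries if _first(e, "dn")}
    report = {}
    for user in entries:
        mail = _first(user, "mail")
        if "user" not in _classes(user) or "contact" in _classes(user) or not mail:
            continue
        target_dn = _first(user, "altRecipient")       # "Forward to" in Delivery Options
        if not target_dn:
            report[mail] = ["local"]
            continue
        problems = []
        contact = by_dn.get(target_dn.lower(), {})
        target = _first(contact, "targetAddress") or ""
        if "contact" not in _classes(contact):
            problems.append("altRecipient does not point at a contact object")
        elif not target.upper().startswith("SMTP:"):
            problems.append("contact has no SMTP targetAddress")
        elif not target.lower().endswith("@" + tenant_domain.lower()):
            problems.append("targetAddress is not in " + tenant_domain)
        elif target.split(":", 1)[1].split("@")[0].lower() != mail.split("@")[0].lower():
            problems.append("targetAddress local part differs from the user's mail")
        if contact and not _is_true(contact, "msExchHideFromAddressLists"):
            problems.append("contact is visible in the GAL (duplicate entry)")
        if _is_true(user, "deliverAndRedirect"):       # "Deliver to both": breaks either/or
            problems.append("deliverAndRedirect is TRUE: mail is copied to both mailboxes")
        report[mail] = problems
    return report


SAMPLE_LDIF = """\
dn: CN=User Three,CN=Users,DC=bpostutorials,DC=com
objectClass: user
mail: userthree@bpostutorials.com
altRecipient: CN=User Three (MSOL),CN=Users,DC=bpostutorials,DC=com

dn: CN=User Three (MSOL),CN=Users,DC=bpostutorials,DC=com
objectClass: contact
targetAddress: SMTP:userthree@bpostutorial.microsoftonline.com
msExchHideFromAddressLists: TRUE

dn: CN=User Four,CN=Users,DC=bpostutorials,DC=com
objectClass: user
mail: userfour@bpostutorials.com
altRecipient: CN=User Four (MSOL),CN=Users,DC=bpostutorials,DC=com
deliverAndRedirect: TRUE

dn: CN=User Four (MSOL),CN=Users,DC=bpostutorials,DC=com
objectClass: contact
targetAddress: SMTP:userfour@bpostutorial.microsoftonline.com
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for mail, problems in sorted(check_forwarding(parse_ldif(text)).items()):
        print(mail, "->", "; ".join(problems) or "forwarding OK")
```

Run it after every migration batch: a contact that is not hidden shows up twice in the GAL, a wrong local part sends someone's mail to another user's BPOS mailbox, and deliverAndRedirect leaves a second, slowly diverging copy of the mailbox on-premise, which is exactly the either/or problem the first section warns about.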

At this point, User Three can log on to BPOS using the password provided earlier. They will be able to send and receive email from the bpostutorials.com domain. Once migration is complete, migrated users should only use BPOS to avoid problems with mailboxes becoming out of sync.

They can access BPOS using Outlook Web Access, or reconfigure their mail client to point to BPOS.

Step 7: Optional steps: Configure SPF and secure the mail flow

Microsoft recommends a couple of additional steps to complete your coexistence setup.

First, consider enabling Autodiscover and adding Sender Policy Framework (SPF) records. SPF records are still not very common, but are probably worth adding anyway. More information on both of those settings can be found here: http://www.microsoft.com/online/help/en-us/helphowto/6a984970-1606-480f-92e2-585ff1ddae84.htm

Second, since intra-organization mail now passes over the internet, Microsoft recommends that you secure the traffic between your on-premise Exchange and BPOS. This involves obtaining a certificate and configuring TLS; for more information see this detailed guide from Microsoft: http://www.microsoft.com/online/help/en-us/helphowto/ad854daa-75aa-4fc7-bb1d-86e7bc8cfcf1.htm

Microsoft labels these steps optional, and whether you need them depends on your organization’s security requirements. Keep in mind what you give up by skipping them: without TLS, mail between your on-premise Exchange and BPOS crosses the internet in cleartext, and without an SPF record, receiving systems have no published way to tell which servers are allowed to send mail for your domain.
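To make the SPF recommendation above concrete, here is an added example (not from the original article and not Microsoft's code) that evaluates an SPF record for a given sending IP using the core rules of RFC 7208, with DNS replaced by an in-memory dict so it runs offline. The coexistence point it demonstrates: once users are migrated, mail from your domain leaves from both your on-premise MX and from BPOS, so a record that lists only your MX makes migrated users' mail fail SPF at receivers that enforce it. The records, addresses and the bpos-outbound.example include are constructed placeholders, not Microsoft's real SPF data; take the real values from the Microsoft help page linked above.

```python
"""Evaluate an SPF record for a sending IP, offline, to see what the optional SPF
record does for a coexistence setup.

Added example, not from the original article or Microsoft. It implements the
core of RFC 7208 checking for ip4, ip6, a, mx, include, all (qualifiers + - ~ ?)
and the redirect modifier; DNS is a dict so it runs without network access. All
records and addresses below are constructed; "bpos-outbound.example" and its
ranges are placeholders, not Microsoft's real SPF include or IP space.
"""
import ipaddress

# Constructed DNS: TXT (SPF), A and MX answers keyed by name.
DNS = {
    "TXT": {
        "bpostutorials.com": "v=spf1 mx include:bpos-outbound.example -all",
        "bpos-outbound.example": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:c0::/48 -all",
    },
    "A": {"mail.bpostutorials.com": ["198.51.100.25"]},
    "MX": {"bpostutorials.com": ["mail.bpostutorials.com"]},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _ip_in(ip, cidr, default_prefix):
    """True if ip lies in cidr; a bare address gets /32 (v4) or /128 (v6)."""
    net = ipaddress.ip_network(cidr if "/" in cidr else "%s/%d" % (cidr, default_prefix), strict=False)
    return ip.version == net.version and ip in net


def _hosts_match(ip, hosts, dns):
    """Does ip equal an A record of any host? (used by 'a' and 'mx'; A only, so v6 never matches)"""
    return any(_ip_in(ip, addr, 32) for host in hosts for addr in dns["A"].get(host.lower(), []))


def spf_check(ip, domain, dns=DNS, depth=0):
    """Return pass / fail / softfail / neutral / none / permerror for ip sending as domain."""
    if depth > 10:                                   # RFC 7208 caps include/redirect nesting
        return "permerror"
    ip = ipaddress.ip_address(ip)
    record = dns["TXT"].get(domain.lower(), "")
    if not record.lower().startswith("v=spf1"):
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if "=" in term:                              # modifier, e.g. redirect= or exp=
            if term.lower().startswith("redirect="):
                redirect = term.split("=", 1)[1]
            continue
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").lower().partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = _ip_in(ip, arg, 32 if name == "ip4" else 128)
        elif name == "a":
            matched = _hosts_match(ip, [arg or domain], dns)
        elif name == "mx":
            matched = _hosts_match(ip, dns["MX"].get((arg or domain).lower(), []), dns)
        elif name == "include":                      # matches only on the included domain's pass
            matched = spf_check(str(ip), arg, dns, depth + 1) == "pass"
        else:
            return "permerror"                       # ptr/exists are not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:                                     # evaluated only when nothing matched
        return spf_check(str(ip), redirect, dns, depth + 1)
    return "neutral"


def coexistence_demo():
    """Migrated users send via BPOS, so an SPF record listing only the on-premise
    MX (a common first draft) makes their mail fail; the include fixes it."""
    senders = {"onprem": "198.51.100.25", "bpos": "203.0.113.10", "rogue": "192.0.2.7"}
    mx_only = {"TXT": {"bpostutorials.com": "v=spf1 mx -all"}, "A": DNS["A"], "MX": DNS["MX"]}
    return {
        "complete": {who: spf_check(ip, "bpostutorials.com") for who, ip in senders.items()},
        "mx_only": {who: spf_check(ip, "bpostutorials.com", mx_only) for who, ip in senders.items()},
    }


if __name__ == "__main__":
    for record, results in coexistence_demo().items():
        print(record, results)
```

The "rogue" sender fails under both records, which is the spoofing protection SPF exists for; the "bpos" sender only passes once the record authorizes the cloud side as well, so publish the record only after you know what BPOS sends from.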

Once you’ve completed these steps, send a few test messages to confirm that things are working. If so, congratulations! You’ve successfully configured email coexistence with BPOS.