exchange online real world migration challenges

Steve Goodman

Exchange MVPPhoenix IT Group

Exchange OnlineReal-World Migration

Challenges

www.devconnections.com

EXCHANGE ONLINE – REAL-WORLD MIGRATION CHALLENGES

2

EXCHANGE ONLINE – REAL WORLD MIGRATION CHALLENGES

The Case for Hybrid Hybrid Challenges Coexistence Challenges Planning your migration The migration itself



THE CASE FOR HYBRID

When and when not to use Hybrid



4

WHAT MAKES A HYBRID EXCHANGE DEPLOYMENT?

Exchange Servers

AD FS

DirSync & FIM

AD

Users, Contacts & Groups

Secure Mail Flow

Sharing (free/busy, MailTips,, etc.)

Mailbox Moves

SSO

Organization



5

WHY HYBRID Exchange 2010 (SP2+) and Exchange 2013 only support Hybrid methods for migration – cutover and staged are not an option.

Makes moving from a pilot to a full migration simple, and re-uses Exchange skills

Think of it as a transition rather than a migration



6

WHY NOT HYBRID Smaller 2007 and 2003 migrations Non-Microsoft migrations Multiple on-premises Exchange organizations

Various options available Staged

Cutover

Third Party Solutions including MigrationWiz, Binary Tree E2E Complete and Quest Toolset



HYBRID CHALLENGES

What you’ll need to overcome before you can start planning to migrate mailboxes

7



8

CHALLENGES FOR EXCHANGE 2007 AND 2003

Migration of Client Facing Services including Implementing a legacy namespace

Moving AutoDiscover and other services

Similar to an Exchange 200x to 201x front-end services migration

Options available Exchange 2013 RTM CU2 “Hybrid Servers”

Exchange 2010 SP3 “Hybrid Severs” Free licenses available for both from Microsoft Support.



9

CHALLENGES FOR EXCHANGE 2010 ORGS Should you implement Exchange 2013 RTM CU2 as a Hybrid Server?

Where do you need to deploy Exchange 2010 SP3?



10

EXTERNAL CONNECTIVITY External HTTPS Namespaces

Use the Remote Connectivity Analyser to test Exchange Web Services (EWS) and AutoDiscover

Access to the above virtual directories is required for Hybrid Configuration and Mailbox Migrations

Verify you add the correct firewall exceptions to all services, both inbound and outbound For outbound MS recommend by URL rather than IP due to Content

Distribution Networks (CDNs)



11

EXTERNAL CONNECTIVITY Authenticated proxy servers cause issues

Exchange Servers cannot authenticate to proxy servers, and outbound communications, including Federated Sharing and the Hybrid Configuration Wizard will fail.

Outlook clients cannot authenticate to proxy servers and will fail to connect to Office 365.

Solutions Configure the proxy server to exclude the Exchange Online

datacentre URLs from Authentication

On Exchange Servers, set the proxy server in netsh& Exchange Netsh winhttp import proxy source=ie

Set-ExchangeServer <servername> -InternetWebProxy:"http://proxy:8080"



13

CERTIFICATES You need valid third-party certificates for HTTPS namespaces and SMTP

Exception: Federation Certificate is self-signed Did you ever set up Federated Sharing before Exchange 2010 SP1?



14

CERTIFICATES HCW attempts AutoDiscover for each hybrid

domain If you have some domains without AutoDiscover DNS names and

appropriate certificates configured, the HCW will fail to complete.

Exchange 2013 and Exchange 2010 SP3 RU1+ has a solution Set-HybridConfiguration -Domain "domain.com, autod:primary.com"

SSL Offload will cause issues with mailbox moves Remote Mailbox Moves will fail as SSL Offload is not supported by

the MRS Proxy

You may need to retain SSL offload, but there are workarounds - For example, use an additional FQDN for Remotes Mailbox Moves that by-

passes SSL offload using a different Load Balancer VIP



15

PRE-AUTHENTICATION What is pre-authentication? What uses pre-authentication? Why is this a problem?

Federated Sharing e.g. /EWS/Exchange.asmx/WSSecurity

What are the solutions? Rules before pre-authentication to exclude these paths:

http://community.office365.com/en-us/wikis/exchange/1042.aspx

Disable pre-authentication for /AutoDiscover/* and /EWS/* completely!



16

SMTP MAIL FLOW Make sure you understand the organization’s mail routing

Make sure you put the right certificates on the Hub servers you will use for the Hybrid configuration

Bear in mind firewalls and load balancers that mask the real sender’s address Changes to Receive Connectors may be needed



17

FEDERATED SHARING Provides Free/Busy and Calendar Sharing Relies on AutoDiscover and Exchange Web Services

These components can’t use pre-authentication

Troubleshooting tools include IIS logs and event logs



18

FEDERATED SHARING SSL offload can cause issues here too URL used can be specified manually, but try not to

Remember the limitations of Federated Sharing



19

MULTI-FOREST SCENARIOS Forests with Sub-Domains are no problem

Account + Resource Forests. Exchange is in a dedicated resource forest and user accounts are in

one or more forests.

Windows Azure Active Directory Connector can replace DirSync

Multiple Forests and Exchange organizations No supported partner/self deployable solution. Must involve

Microsoft.



20

S/MIME Used for encrypted mail While not unsupported can cause challenges Certificates are not automatically available to allow users to sign

and encrypt mail to organization contacts

DirSync will not push user certificates to Office 365, so the cert is not in the GAL

Solution Use an LDAP Provider in Outlook with the Fully Qualified Domain

name of a Global Catalog Server.



21

MOBILE DEVICE MANAGEMENT SOLUTIONS

Commonly used to manage iPads, Android tablets and similar

Not just for managing Exchange features, but also deployment of Applications and device monitoring.

Non-ActiveSync solutions like Good will need updates

Inline ActiveSync solutions may cause issues



COEXISTENCE CHALLENGES

While you’re migrating, what do you need to consider?

22



23

SHARING AND COLLABORATION Larger the organization often means more sharing

Sharing may cross many intra-org boundaries

Not all sharing is easy to discover Cross-premises sharers need to re-share Calendars

No cross-premises access to Shared Mailboxes



24

DISTRIBUTION GROUP MANAGEMENT While you use DirSync, on-premises DGs cannot be managed in Office 365

This means DGs cannot be managed in Outlook or OWA

What solutions are available? FIM Portal

ADUC Delegation

Post-migration you could move to cloud-only DGs



25

PUBLIC FOLDERS Public Folder access is not configured automatically Access is configured using RPC over HTTPS (Outlook Anywhere)

During coexistence all users access on-premises public folders

Only migrate public folders after migrating all users to the cloud

Limited to 2.5TB of Public Folders This limit cannot be increased on a per-customer basis



PLANNING YOUR MIGRATION

Measure twice, cut once

26



27

PLANNING – MICROSOFT TOOLS The most important part Base tools are very useful

OnRamp replaces the Deployment Readiness Tools

https://onramp.office365.com/OnRamp

ExDeploy – Exchange Deployment Assistant

Other great MS tools including MAP for MS Online Services



28

PLANNING – DEEPER DISCOVERY Active Directory & Exchange information

Mailbox and message sizes

Clients like Outlook, ActiveSync, IMAP, SMTP clients, EWS, BES

Shared Mailboxes and who shares with who

UM and archive mailboxes in use

Policies that aren’t migrated, such as ActiveSync, OWA Mailbox and Retention Policies

Previous cross-forest migrations

Local Knowledge Stats aren’t everything – IT staff supporting the users generally are

a wealth of information about the user base



29

PLANNING – DEEPER DISCOVERY

Department Mailbox Size Collaboration and Shared Mailboxes

Outlook Clients

Active Directory Data Exchange Server

General User Information

ActiveSync Clients

IMAP/POP3 Clients

BES Devices

BES

Consolidated Data

Migration Groups (Batches)

Local IT Support Knowledge

C2C Archive

One Users



30

TEST YOUR MIGRATION PROCESS Migration concurrency depends on multiple factors

Test throughput during the times you will migrate

Leavers mailboxes provide good candidates for throughput testing

Remember you can move mailboxes back to re-test (and should test that you can do this, anyway)



31

TEST YOUR MIGRATION PROCESS Double check your pre-requisites for successful moves Is it an on-premises mailbox with a corresponding mail user in the

cloud?

Does the Mailbox have a licence assigned?

Does the UPN match on-premises and in the cloud (and of course, does AD FS work correctly)

Have all required details, like email addresses synchronized successfully?

Were there any mailbox items larger than 25MB?

Do you have any clean up for cross premise migrations to do?

Check-EXOMigPreRequisites.ps1 script available to download from www.stevieg.org



32

TEST YOUR MIGRATION PROCESS Good documentation should be tested alongside your pilot migration

User and IT documentation ActiveSync users may need most support because these devices to

not automatically update server settings.

Listen to recommendations from IT staff who know the user base well

Consider an end-user portal



THE MIGRATION

The easy bit

33



34

BUILDING MIGRATION BATCHES Distribution Groups are great to use for migration batches!

It’s a communications channel The helpdesk can use them You can feed them to test scripts And of course to create Remote Move Requests



35

BUILDING MIGRATION BATCHES

Migration BatchImport Batch into Active Directory

Group

Communicate with end users within

batch

User requests re-schedule?

Add to retry batch

Yes

Schedule batch

Leave other users in migration batch

Communicate with end-user IT support

Inform IT support of change

Determine successful users

Staff Mailbox Sign-Off if required

Add unsuccessful users to retry batch

Successful batch complete



36

PRE-PILOT AND PILOT PHASES Before the main pilot iron out all issues you can

Treat the pilot like the real deal Don’t just use IT! Use real users who’ll give you real feedback!



37

THE MIGRATION By this point it should be straightforward Communicate with users so they know what’s coming

Make sure you have the appropriate resources

Don’t be afraid to scale up as you come along

Again, keep reviewing feedback



38

WHAT NEXT? If you’ve moved all users to the cloud is it time to get rid of on-premises entirely?

SMTP senders may require an on-premises SMTP server or EOP connector

Consider provisioning and management Remember you need to patch and maintain



SUMMARY

39



40

SUMMARY It’s all in the planning The more you test the more chance of success

If you plan on a on-going hybrid environment or longer migration, discovery is very important

Exchange 2010 SP3 is still a great option for a “hybrid” Exchange server if Exchange 2013 isn’t planned for on premises.

exchange online real world migration challenges

Technology