X

Exchange Archiving: On-Premises vs Cloud-Based (Part 3)

If you would like to read the other parts in this article series please go to:

Exchange Online Archiving Requirements

The following are general requirements for configuring Exchange Online Archiving.

  • You must purchase one of the following subscriptions for the Exchange Online service included with Microsoft Office 365:
    • Exchange Online Archive
    • Exchange Online Plan 2
    • Office 365 Plan E3
    • Office 365 Plan E4
  • If using hybrid configuration, the on-premises servers have to run Exchange 2010 or higher.
  • Users must use Outlook 2010, Outlook 2007 SP2, or Outlook Web App to access the cloud-based archive mailbox.
  • The users’ computers must meet Office 365 system requirements.

Hybrid Configuration Requirements

The following prerequisites are required for configuring a hybrid deployment:

  • On-premises Exchange organization: At least one Exchange 2013 Client Access and one Exchange 2013 Mailbox server must be installed in the on-premises organization to run the Hybrid Configuration wizard and support Exchange 2013-based hybrid deployment functionality. All on-premises Exchange 2013 servers must have installed Cumulative Update 1 (CU1) or greater.
  • Office 365: Hybrid deployments are supported in all Office 365 plans that support Azure Active Directory synchronization. All Office 365 Enterprise, Government, Academic and Midsize plans support hybrid deployments. Office 365 Small Business and Home plans don’t support hybrid deployments. The Office 365 tenant version must be 15.0.620.28 or greater to configure a hybrid deployment with Exchange 2013. To verify your Office 365 tenant version and status, see Verify Office 365 tenant version and status.
  • Owned DNS domain: You must own the DNS domain you’re using with Exchange and register it with the Office 365 service.
  • Active Directory synchronization: Deploy the Azure Active Directory Sync tool for Active Directory synchronization with your on-premises organization.
  • Autodiscover DNS records: Configure the Autodiscover public DNS records for your existing SMTP domains to point to an on-premises Exchange 2013 Client Access server.
  • Office 365 organization in the Exchange admin center (EAC): The Office 365 organization node is included by default in the on-premises EAC, but you must connect the EAC to your Office 365 organization using your Office 365 tenant administrator credentials before you can use the Hybrid Configuration wizard. This also allows you to manage both the on-premises and Exchange Online organizations from a single management console.
  • Certificates: Install and assign Exchange services to a valid digital certificate purchased from a trusted public certificate authority (CA). Self-signed certificates can’t be used for Exchange services in a hybrid deployment. The Internet Information Services (IIS) instance on the Client Access servers configured in the hybrid deployment must have a valid digital certificate purchased from a trusted CA. Additionally, the EWS external URL and the Autodiscover endpoint specified in your public DNS must be listed in Subject Alternative Name (SAN) of the certificate. The certificate installed on the Mailbox and Client Access (and Edge Transport if deployed) servers used for mail transport in the hybrid deployment must all use the same certificate (that is, they are issued by the same CA and have the same subject).
  • EdgeSync: If you’ve deployed Edge Transport servers in your on-premises organization and want to configure the Edge Transport servers for hybrid secure mail transport, you must configure EdgeSync prior to using the Hybrid Configuration wizard.
  • Ports and Protocols: make sure the following ports and protocols are allowed in your perimeter firewall.
Transport Protocol Upper Level Protocol Feature/Component On-premises Endpoint
TCP 25 (SMTP) SMTP/TLS Mail flow between Office 365 and on-premises Exchange 2013 CAS/EDGE

Exchange 2010   HUB/EDGE

TCP 443 (HTTPS) Autodiscover Autodiscover Exchange 2013/2010 CAS TCP 443 (HTTPS) EWS Free/busy, MailTips, Message Tracking Exchange 2013/2010 CAS TCP 443 (HTTPS) EWS Multi-mailbox search Exchange 2013/2010 CAS TCP 443 (HTTPS) EWS Mailbox migrations Exchange 2013/2010 CAS TCP 443 (HTTPS) Autodiscover

EWS

OAuthExchange 2013/2010 CAS TCP 443 (HTTPS) N/A AD FS WIN2008/2012 Server

Table 1: Ports and protocols used in hybrid deployment

Preparing the Hybrid Environment

Based on the requirements on the previous section, it seems there is work to be done. Let’s start by registering the domain with Office 365.

  1. In the Office 365 Administration Portal, navigate to DOMAINS and click Add domain. In the Add a new domain in Office 365 window (Figure 1) click Let’s get started. In the Verify domain window (Figure 2) insert the name of the domain and click Next.


Figure 1: Add a new domain in Office 365


Figure 2: Step 1: Verify domain

  1. You need to add a TXT record to your DNS space to make proof that you actually own the domain. After doing this, click Okay, I’ve added the record (Figure 3). If the domain is successfully verified (Figure 4), click Next.


Figure 3: Step 1: Add TXT record


Figure 4: Step 1: Domain verified

  1. In the Step 2: Add users window (Figure 5) select Update selected users to update their email addresses with the new added domain. After the users are updated (Figure 6) click Next. You’ll be asked to sign-out and sign back in with the new credentials. After logging in, if you don’t wish to add new users, click Skip this step.


Figure 5: Step 2: Add users


Figure 6: Step 2: Users updated

  1. In Step 3: Set up domain windows (Figure 7) click Next. If you’ve registered your domain in one of the registrars supported by Office 365, Microsoft will do the work for you; if you prefer to do it yourself, select No, I have an existing website or prefer to manage my own DNS records. Click Next.


Figure 7: Step 3: Set up domain

  1. You’ll be asked to add a couple of DNS records (Figure 8). Click Okay, I’ve added the records. Click Finish (Figure 9).


Figure 8: Add DNS records


Figure 9: Step 3 complete

The next step is to have a certificate issued by a third-party trusted authority. Please read Certificate requirements for hybrid deployments for detailed information. Make sure that your certificate has, at least, this suggested domains

Service

Server

Suggested FQDN

Primary shared SMTP   domain Client Access and Mailbox   servers contoso.com
Autodiscover Client Access servers Label that matches the external Autodiscover FQDN of your Exchange 2013 Client Access server, such as autodiscover.contoso.com
Transport Edge Transport servers Label that matches the external FQDN of your Edge Transport servers, such as edge.contoso.com

Table 2: Minimum FQDNS for the certificate

  1. Using the EAC, assign the issued certificate to IIS and the SMTP service (Figure 10).
  2. Check your on-premises organization with the Remote Connectivity Analyzer tool prior to configuring your hybrid deployment with the Hybrid Configuration wizard. The Microsoft Remote Connectivity Analyzer tool checks the external connectivity of your on-premises Exchange organization and makes sure that you’re ready to configure your hybrid deployment (Figure 11).


Figure 10: Assigning the certificate to Exchange services


Figure 11: Remote Connectivity Analyzer tool

Directory Synchronization

Setting up and configuring the Windows Azure Directory Sync tool is a requirement for the Exchange hybrid environment. This tool syncs objects between the local Active Directory and Office 365, which uses Microsoft Azure Active Directory, enabling a single point of management for your user accounts (the local AD).

There are some requirements to be met in order to install the DirSync tool, for details I recommend the reading of Prepare for directory synchronization. Briefly, the server requirements are:

To install and configure the DirSync tool, follow these procedures:

  1. At the Office 365 admin center, click USERS > Active Users, click Set up next to Active Directory synchronization, and then proceed to the next step. Click Activate (Figure 12) and confirm that you really want to Activate (Figure 13).


Figure 12: Set up Active Directory synchronization


Figure 13: Activate AD synchronization

  1. The next step is to install and run the IdFix DirSync Error Remediation tool, to make sure the local AD is healthy and meets the requirements (Figure 14). If there’s no errors, proceed with the download of the DirSync tool (Figure 15).


Figure 14: IdFix tool


Figure 15: Download DirSync

  1. Unpack the DirSync installation binaries in order to proceed. Read through the DirSync welcome text (Figure 16) and click Next.
  2. Read through the End-User License Agreement (Figure 17) and click Next.


Figure 16: Windows Azure Active Directory Sync Setup: Welcome


Figure 17: Windows Azure Active Directory Sync Setup: EULA

  1. Specify the Installation folder (Figure 18) and click Next. The installation of the several components (including SQL Server 2012 Express) will start (Figure 19), which can take a while, depending on the hardware specs of the server.


Figure 18: Windows Azure Active Directory Sync Setup: Select Installation Folder


Figure 19: Windows Azure Active Directory Sync Setup: Installing Components

  1. After the installation finishes (Figure 20) click Next and move on to the configuration wizard. Click Finish (Figure 21). If you are installing the Directory Sync tool on a Domain Controller (as was the case), please do the following:
    • De-select the "Start Configuration Wizard Now" checkbox
    • Log-off (not restart) from your current session
    • Launch the "Directory Sync Configuration" application and proceed to next step


Figure 20: Windows Azure Active Directory Sync Setup: Installation Complete


Figure 21: Windows Azure Active Directory Sync Setup: Finished

  1. Read the Welcome screen (Figure 22) and click Next. Provide the credentials to access Office 365 (Figure 23), click Next, and then provide the local AD credentials (Figure 24). Click Next.

Installing the Directory Sync tool creates the AAD_xxxxxxxxxxxx account in the standard Users organizational unit of the local Active Directory service. This account is used by the Directory Sync tool to read the local Active Directory information. Moving or removing this account will cause synchronization failures.


Figure 22: Windows Azure Active Directory Configuration Wizard: Welcome


Figure 23: Windows Azure Active Directory Configuration Wizard: Office 365 Credentials


Figure 24: Windows Azure Active Directory Configuration Wizard: Local AD Credentials

  1. Check the Enable Hybrid Deployment (Figure 25) and click Next. Keep the Enable Password Sync checked (Figure 26) and click Next.


Figure 25: Windows Azure Active Directory Configuration Wizard: Hybrid Deployment


Figure 26: Windows Azure Active Directory Configuration Wizard: Password Sync

  1. Wait for the configuration process to finish (Figure 27) and click Next. If you want to start sync'ing now, select the Synchronize your directories now checkbox (Figure 28), and then click Finish.


Figure 27: Windows Azure Active Directory Configuration Wizard: Configuration Complete


Figure 28: Windows Azure Active Directory Configuration Wizard: Finished

If you want to know that your Active Directory synchronization is provisioning users, groups, and contacts from on-premises apps to the cloud correctly, you must verify the directory synchronization computer's event log. When reviewing the event log, look for entries whose source is Directory Synchronization. An entry designated Event 114 and with the description Export cycle completed indicates that the directory synchronization is complete.


Figure 29: Directory Synchronization Event ID 114

You can also check the Office 365 side. Sign in to the cloud service with administrator credentials and verify the existence of additional users with the description Synced with Active Directory.

Summary

With the hybrid deployment requirements in place, we are ready to start the Exchange Hybrid configuration wizard, which will be covered in the next part of this article. That’s the last step before we can start provisioning cloud-based archives for our on-premises users.

If you would like to read the other parts in this article series please go to: