Managing Exchange Online using Server 2012 R2 Essentials Experience Role (Part 2)

If you would like to read the other parts in this article series please go to:

• Managing Exchange Online using Server 2012 R2 Essentials Experience Role (Part 1)
• Managing Exchange Online using Server 2012 R2 Essentials Experience Role (Part 3)
• Managing Exchange Online using Server 2012 R2 Essentials Experience Role (Part 4)
• Managing Exchange Online using Server 2012 R2 Essentials Experience Role (Part 5)

Installation and Configuration

As mentioned in the first part of this article series, we can deploy the Essentials Experience role if our organization already has an existing Active Directory environment. In addition, we can choose if we want to deploy it as a domain controller.

For this article, I will be installing the Windows Server Essentials Experience role in my lab’s Domain Controller that is currently running Windows Server 2012 R2 Standard.

Because we will be integrating Essentials with Office 365, this role needs to be installed in a Domain Controller, so bear this in mind! Otherwise, you will encounter an error detailed further down.

So let us start by installing the Windows Server Essentials Experience role!

Open Server Manager and then click Add Roles and Features;

In the Add Roles Features Wizard, review the Before you begin screen and click Next:

Figure 1

In Select installation type verify Role-based or feature-based installation is selected and click Next:

Figure 2

In Select destination server, select the server you wish to install the Essentials Experience role on and click Next:

Figure 3

In Select server roles select Windows Server Essentials Experience:

Figure 4

You will be prompted to add additional features for the Windows Server Essentials Experience such as Remote Server Administration Tools, IIS and Windows Server Backup for example. Review these and click Add Features:

Figure 5

Click Next;

In Features, click Next:

Figure 6

Review the Windows Server Essentials Experience description, and then click Next:

Figure 7

In Web Server Role (IIS) review the message and click Next;

In Select role services, review the selections and click Next;

In Confirm installation selections, select the Restart the destination server automatically if required option (if desired) and click Install:

Figure 8

After the installation is complete, click Close. Windows Server Essentials Experience will be listed as a server role in Server Manager.

In the flag notification area in Server Manager, click the flag, and then click Configure Windows Server Essentials:

Figure 9

Follow the wizard to configure Windows Server Essentials. Depending on your Active Directory configuration, you will be informed whether you are configuring Windows Server Essentials as a domain controller, on a domain controller, or as a domain member. Depending on your scenario, you might be requested to provide further details. In my case, as I am installing it on a Domain Controller, I do not need to.

In Configure Windows Server Essentials welcome page review the message and click Configure:

Figure 10

In Configuration completed, click Close to finish the installation process:

Figure 11

The Windows Server Essentials Experience role has now been installed on my lab’s Domain Controller running Windows Server 2012 R2 Standard.

Next it is time to integrate it with Office 365.

Integration with Office 365

There are many good reasons to integrate Essentials with Office 365. If you manage some of your resources in-house but use Office 365 for other services, you will be able to manage your Office 365 services and resources from the Dashboard, along with your on-premises resources, instead of working in two places. This, for me, is the key advantage of Essentials!

Let us consider the following scenario: a new small business wants to set up an Active Directory environment to provide their users with certain capabilities that Active Directory provides. On top of that, they want to use Office 365 for e-mail but they want to be able to manage everything from one place.

This would typically mean the use of DirSync. However, the problem DirSync brings in this scenario is: how are we going to manage Exchange Online? With DirSync, this means certain changes such as adding new e-mail aliases need to be made on-premises. But without an on-premises Exchange server to manage these attributes, administrators need to resort to ADSIedit or other tools, which is obviously not ideal or recommended…

For me this is where the power of Essentials comes to the rescue: for small organizations that want to manage everything from one place and that do not have (or do not want to have) an Exchange server on-premises just to manage Exchange Online.

After the installation completes, there will be a new icon on the desktop called Dashboard:

Figure 12

Double click the icon and it will launch the Windows Server Essentials Dashboard:

Figure 13

From this main screen, we have an overview of some of the tasks we can perform, such as adding users, setting up Remote Access, generating Health Reports, etc. Obviously, there is much, much more we can do using Essentials’ Dashboard.

Let us start by integrating our Essentials Dashboard with Office 365. To do so, we need to navigate to SERVICES on the left hand side and then select Integrate with Microsoft Office 365:

Figure 14

In the screenshot above, we can see that Office 365 integration is not currently enabled and that we also have several other options like integrating with Intune or an on-premises Exchange server.

As I have mentioned before, because we are integrating with Office 365, the Essentials Experience role needs to be installed in a Domain Controller. If you do not, you will receive the following error:

Figure 15

To proceed with the integration, select Integrate with Microsoft Office 365 which will start the integration wizard. In the first screen, I am selecting the option I already have a subscription as I will be integrating with my existing Office 365 tenant:

Figure 16

Click Next;

Enter your Office 365 tenant administrator credentials and click Next:

Figure 17

Confirm you are OK with the strong policy password by selecting the I understand that this wizard sets the password policy to Strong option and click Next:

Figure 18

The wizard will now proceed with configuring the server for integration with Office 365:

Figure 19

Once complete, click in Restart Dashboard:

Figure 20

Back in the Essentials Dashboard, we can see that we have now successfully integrated with Azure Active Directory and Office 365, and that we can no longer integrate with an on-premises Exchange server:

Figure 21

By integrating with both Azure Active Directory and with Office 365, we are able to manage user accounts and Exchange Online settings as we will see in the next article.

In my lab, I have tested having DirSync and Essentials syncing the same user and everything seems to work just fine. However, this is obviously not recommended.

Password Synchronization

After Essentials is integrated with Windows Azure Active Directory, password synchronization is started automatically between the on-premises Active Directory and Windows Azure Active Directory, but will effectively only start to synchronize anything once accounts are matched with Office 365 accounts or new ones created.

This password synchronization is one-directional, where a password in the on-premises Active Directory always takes precedence over what is in Windows Azure Active Directory. The password synchronization happens instantly when a password is updated in the on-premises Active Directory.

With this feature, the end user experience is improved by seamlessly using the same password when authenticating to on-premises resources and applications as well as cloud services (e.g., the same password is used for both the local network account and for Office 365). Pretty much identical to DirSync with Password Synchronization with the exception of when using Azure Premium where passwords can also be synced back to on-premises.

Once on-premises users are matched to Office 365 users, or new ones created, and password sync starts to do its job, there are some logs we can check. These are located at: C:\ProgramData\Microsoft\Windows Server\Data\settingsproviderdata\PWDSYNCDATASTORE\PASSWORDCHANGEDATA-AZUREAD

In this folder, there will be an XML file per user each time an administrator resets a user’s password or each time a user itself changes his/hers password:

Figure 22

Opening one of these files, we can see if the password was reset/changed successfully (Status), when the password was reset/changed (TimeStamp), the user (UserName) and the user’s SID (UserSID):

Figure 23

Conclusion

In the second part of this article series, we installed Windows Server 2012 R2 Essentials Experience Role and integrated it with Office 365. Next, we will start using it to manage Exchange Online.

If you would like to read the other parts in this article series please go to:

• Managing Exchange Online using Server 2012 R2 Essentials Experience Role (Part 1)
• Managing Exchange Online using Server 2012 R2 Essentials Experience Role (Part 3)
• Managing Exchange Online using Server 2012 R2 Essentials Experience Role (Part 4)
• Managing Exchange Online using Server 2012 R2 Essentials Experience Role (Part 5)