Production: Part 1
October 2013
Session Overview
This session details the options and considerations when
expanding a pilot Office 365 environment into a production
deployment. Unlike on-premises implementations, IT professionals
can scale out their Office 365 tenants with ease. However, with
added scale, it is important to start to automate user provisioning,
add a production domain and set up the desired workloads.
Step 2 Deployment Overview
What is DirSync?
Agenda
Purpose: What does it do?
Understanding Synchronization
Understanding Coexistence
Understanding Migrations
Self Service
Admin lead
Migration Options
PST migrations
IMAP migrations
Staged Exchange migrations
Step 2: Deployment
Overview
First use in hours, Onboarding in days
Exchange, SharePoint, Lync, Office 365 ProPlus, WA Active Directory
Mail From EX 2010 Mail Servers From EX 2007/03 Mail From Others
Change management
Required to setup and migrate
readiness Admin access
Mail From EX 2010 Mail Servers From EX 2007/03 Mail From Others
Exchange 2010 SP3 Servers PST requirement
Certificates - public Outlook Anywhere Access
Windows Azure Active Directory
http://aka.ms/sync
What is Windows Azure AD DirSync?
Application that synchronizes on-premises Active
Directory with Office 365
Designed as a software based appliance
Set it and forget it
Purpose (#1)
Enables coexistence
Provisions objects in Office 365 with same email addresses as the
objects in the on-premises environment
Provides a unified Global Address List (GAL) experience between
on-premises and Office 365
Objects hidden from the GAL on-premises are also hidden from the GAL in Office 365
Enabler for mail routing between on-premises and Office 365 with a
shared domain namespace
Enables coexistence for Microsoft Lync
Purpose (#2)
Enables run state administration and management
of users, groups, and contacts
Synchronizes adds/deletes/modifications of users, groups, and contacts from
on-premises to Office 365
Enabler for Single Sign-On
Mandatory component for ADFS / Federated Identities deployments
Understanding
Synchronization
Synchronization (#1)
Synchronize a single Active Directory Forest to Office 365
Entire Active Directory forest is scoped for synchronization
(default)
Filtering can be configured based on OU, AD domain, and user attribute
What is synchronized?
All user objects
All group objects
Mail-enabled contact objects
Synchronization (#2)
Password synchronization is now supported
Most synchronization is from on-premises to Office 365
In an Exchange Hybrid Deployment, DirSync is configured to write attributes
back to the on-premises Active Directory
Synchronization occurs every 3 hours
Use Start-OnlineCoexistenceSync cmdlet to force a sync outside of regular
synchronization schedule
Synchronization - users
User Objects
Mail-enabled/mailbox-enabled users are synchronized as mail-
enabled users (not mailbox-enabled users)
Visible in the Office 365 GAL (unless explicitly hidden from GAL)
Logon enabled, but not automatically licensed to use services
Target address is synchronized for mail-enabled users
Synchronization - groups and contacts
Group Objects
Mail-enabled groups are synchronized as mail-enabled
Group memberships are synchronized
Security groups are synchronized as security groups
Dynamic Distribution Groups are NOT synchronized
Contact Objects
Only mail-enabled contacts are synchronized
Target address is synchronized to Office 365
Synchronization - objects creation/update
New user, group, and contact objects that are added to
on-premises are added to Office 365
Licenses are not automatically assigned
Synchronization - objects deletion
Existing user, group, and contact objects that are deleted
from on-premises are deleted from Office 365
Existing user objects that are disabled on-premises are
disabled in Office 365
License is not automatically unassigned
Synchronization - synchronization cycles
First synchronization cycle after installation is a full
synchronization
May be a time consuming process relative to the number of objects
synchronized
Approximately 5,000 objects every 45 to 60 minutes
Plan ahead if synchronizing tens or hundreds of thousands of objects
Synchronization - dirsync quotas
By default, only the first 50,000 objects are synchronized
Sync quota increased to 300,000 objects automatically once first vanity
domain is verified
Quota limit can be increased by contacting technical support
Synchronization service will be stopped
Email sent to technical contact
Synchronization - errors logs
Synchronization errors are emailed to the Technical
Contact for the subscription
Recommend using a distribution group as the Technical Contact email address
Diagram labels: Directory Synchronization, Provisioning Web Service, SharePoint Online, Lync Online
Password synchronization
Password Synchronization
Introduced with DirSync in June 2013
Benefits of using Password Sync as an alternative to
Federated Authentication
Single set of credentials to access both on-premises and
online resources
Managed in the customer's Active Directory and is synchronized with Office 365
(username + password)
Understanding
Coexistence
What is Coexistence?
Some users are provisioned in Office 365 while the
remaining users are provisioned in the on-premises
environment
Office 365 users see the same objects in the Global
Address List as the on-premises users
Email messages are routed seamlessly from Office
365 users to on-premises users, and vice-versa
Simple Coexistence Deployment
Uses Directory Synchronization for GAL
synchronization
Enables mail routing between on-premises and Office 365 using a shared DNS
namespace
Provides a unified GAL experience
Mail Routing: Pre-Coexistence
On-premises
MX Record:
contoso.com
Message Filtering
Active Directory Exchange
User Object
Mailbox-Enabled
ProxyAddresses:
SMTP: John.Doe@contoso.com
Mail Routing: On-Premises To Office 365
Diagram labels: On-premises (Active Directory, Exchange); Office 365 (Exchange Online, Online Directory); DirSync; DirSync Web Service
MX Record:
Message Filtering
MX Record:
contoso.onmicrosoft.com
contoso.mail.onmicrosoft.com
Mail Routing: Office 365 To On-Premises
Diagram labels: On-premises (Active Directory, Exchange); Office 365 (Exchange Online, Online Directory); DirSync; DirSync Web Service
MX Record:
Message Filtering
On-premises
User Object
Mailbox-Enabled
ProxyAddresses:
SMTP: John.Doe@contoso.com
Office 365
Logon Enabled User
Mail-Enabled (not mailbox-enabled)
ProxyAddresses:
SMTP: John.Doe@contoso.com
smtp: JohnDoe@contoso.onmicrosoft.com
smtp: JohnDoe@contoso.mail.onmicrosoft.com
TargetAddresses:
SMTP: John.Doe@contoso.com
MX Record:
contoso.onmicrosoft.com
contoso.mail.onmicrosoft.com
Understanding
Migrations
Migration Option Decision Factors
Diagram labels: Size (Large, Medium, Small); Coexistence Requirement; Simple; Rich; Provisioning; DirSync; Manual/Bulk; Time to Value; Self serve or Admin Driven; Features by user type; Cloud or on-premises tools; Identity Management; Source Server
FastTrack Step 2 Migration Options
PST Migration
Import of Archived/Offline Mail
Diagram labels: PST Migration, IMAP migration, Staged migration, Hybrid Migration
Understand what each
Migration Option offers
IMAP
Migrations
IMAP migrations features and benefits
Works with a large number of source mail systems
Works with on-premises or hosted systems
Users can be migrated in batches
On-premises migration tool is not required
IMAP Requirements and Limitations
Access to IMAP4 ports (TCP/143/993)
SMTP domains configured in Office 365 tenant
Users + mailboxes must be provisioned prior to migration
Bulk provisioning, CSV parser, manual, etc.
Gather user credentials or set up admin credentials
Prepare a CSV file with list of users
EmailAddress, UserName, Password
Max of 50,000 rows
Max 10 MB in size
Very limited data migration scope (mail items only)
IMAP Data Migration Scope
Migrated
Mail messages (Inbox and other folders)
Maximum of 500,000 items
Possible to exclude specific folders from migration (e.g. Deleted Items, Junk E-Mail)
Not Migrated
Contacts, Calendars, Tasks, etc.
Excluded folders
Folders with a forward slash ( / ) in the folder name
Messages larger than 25 MB
IMAP Migration Flow
Steps shown in the flow diagram:
Gather IMAP creds, configure IMAP endpoint and prepare CSV
Provision users + mailboxes in O365 (license assigned)
EAC Wizard: Enter server settings and upload CSV
Initial sync
Delta sync every 24 hours
Change MX record
Mark migration as complete
Final sync and cleanup
IMAP
Migrations
Questions?
Staged
Exchange
Migrations
(SEM)
SEM Features and Benefits
Simple and flexible migration solution
High-fidelity solution: all mailbox content is migrated
Typically best suited to medium and large organizations
Users are provisioned with Directory Sync prior to migration
No limit on the number of mailboxes
Users can be migrated in batches (up to 1,000 per batch)
Works with Exchange 2003 and 2007 only, on-premises or
hosted
Identity management on-premises
SEM Requirements
Outlook Anywhere service on source system
(must have SSL certificate issued by a public CA)
Migration Account with Full Access or Receive-As permissions to
all mailboxes that will be migrated
SMTP domain(s) configured in Office 365 tenant
Directory Sync tool enabled in Office 365 tenant
(i.e. requires simple coexistence)
SEM Limitations
SEM is not supported with Exchange 2010 and 2013
Only simple coexistence is available
(no sharing of Free&Busy, calendar, etc.)
SEM Accounts and Passwords
Accounts Provisioning
Migration tool relies on DirSync to do provisioning
For every on-premises mailbox to be migrated there needs
to be a MEU or Mailbox in Office 365
Passwords
Target mailbox passwords must be specified* for all users
Administrators can force users to change passwords on
first login
*Password management has been simplified with DirSync and password sync.
SEM Batch File Format
CSV format
EmailAddress, Password*, ForceChangePassword*
One user per line
Max of 1,000 users in each CSV
Smart-check against the Office 365 directory
*Password and ForceChangePassword field in csv not needed if Password Sync is enabled
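A pre-flight check for the batch CSV files described for IMAP and staged migrations, as an added example that is not part of the original deck or of Microsoft's tooling. It checks the columns and limits stated on the slides and, because the file carries plaintext passwords, flags broad file permissions. The function name, parameters, sample path and the ACL check are assumptions made for illustration.

```powershell
# Added example: column names and limits come from the slides; the function
# name, parameters and the ACL check are hypothetical.
function Test-MigrationBatchCsv {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][ValidateSet('IMAP', 'Staged')][string]$Type,
        [switch]$PasswordSyncEnabled   # staged only: password columns not needed
    )
    $problems = New-Object 'System.Collections.Generic.List[string]'

    # Slides: IMAP = EmailAddress, UserName, Password; max 50,000 rows, 10 MB.
    # Slides: staged = EmailAddress, Password*, ForceChangePassword*; max 1,000.
    if ($Type -eq 'IMAP') {
        $required = 'EmailAddress', 'UserName', 'Password'
        $maxRows = 50000
        if ((Get-Item -LiteralPath $Path).Length -gt 10MB) {
            $problems.Add('File is larger than 10 MB')
        }
    } else {
        $required = @('EmailAddress')
        if (-not $PasswordSyncEnabled) { $required += 'Password', 'ForceChangePassword' }
        $maxRows = 1000
    }

    # Compare the header row with the required columns (names trimmed).
    $header = (Get-Content -LiteralPath $Path -TotalCount 1) -split ',' |
        ForEach-Object { $_.Trim().Trim('"') }
    foreach ($col in $required) {
        if ($header -notcontains $col) { $problems.Add("Missing column: $col") }
    }

    $rows = @(Import-Csv -LiteralPath $Path -Header $header | Select-Object -Skip 1)
    if ($rows.Count -gt $maxRows) {
        $problems.Add("$($rows.Count) rows; limit for $Type is $maxRows")
    }

    # One user per line: flag blank and repeated addresses (case-insensitive).
    $addresses = @($rows | ForEach-Object { "$($_.EmailAddress)".Trim().ToLower() })
    if ($addresses -contains '') { $problems.Add('Row with empty EmailAddress') }
    $addresses | Where-Object { $_ } | Group-Object | Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $problems.Add("Duplicate address: $($_.Name)") }
    # The file holds plaintext passwords: flag Allow entries for broad groups.
    $broad = 'Everyone|Authenticated Users|BUILTIN\\Users'
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -match $broad
    } | ForEach-Object { $problems.Add("Broad access: $($_.IdentityReference)") }
    return ,$problems.ToArray()
}
# Usage (hypothetical path): Test-MigrationBatchCsv -Path .\batch01.csv -Type Staged
```

An empty result means the file passed every check; delete the CSV once the batch has been submitted, since it is the only place the passwords sit in clear text.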
SEM Data Migration Scope
Migrated
Mail messages and folders
Rules and categories
Calendar (normal, recurring)
Out-of-Office settings
Contacts
Tasks
Delegates and folder perms
Outlook settings (e.g. favorites)
Not Migrated
Security Groups, DDLs
System mailboxes
Dumpster
Send-As Permissions
Messages larger than 25 MB
SEM Data Migration Scope
Partial migrations are not possible
(no folder exclusion, no time range selection, etc.)
Mailboxes enabled for Unified Messaging cannot be migrated
Hidden mailboxes (not visible to tool) cannot be migrated
New cloud mailbox is created (new GUID) and data is copied
Existing cached-mode files (OST files) cannot be preserved
SEM User Experience
Admin needs to distribute new passwords* to users
Users create their new Outlook profile using O365 username
and new passwords (Autodiscover)
All mail is downloaded from the Office 365 mailbox
(i.e. the OST file must be recreated)
IT Admins must convert the on-premises mailbox-enabled user to a mail-enabled
user (which will delete on-premises content)
*Not required if Password Sync is enabled
SEM Migration Flow
Steps shown in the flow diagram:
Configure Outlook Anywhere
Configure Directory Sync
Test using ExRCA
Assign migration perms
EAC Wizard: Enter server settings, admin creds, batch CSV
Migrate Batch
Convert on-premises MBX to MEU
License users
Change MX Record
Delete migration batch (optional)
Staged
Exchange
Migrations
Questions?
Questions?
2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the
part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.