Many companies still exist that are running Exchange 2003 as their messaging environment. Some of them are now ready to upgrade the messaging services and use Exchange Online in Office 365. This blog provides some tips and tricks on how to accomplish this task.
We will be setting up a hybrid configuration to allow for proper coexistence during the transition period to Exchange Online. In order to accommodate for coexistence, the following components are required:
- Exchange Hybrid Server – A hybrid deployment provides a unified email experience for the Office 365 deployment. It enables users who have on-premises Exchange Server mailboxes and users who have Exchange Online mailboxes to find one another in the global address list (GAL), to send, receive and reply to email regardless of which system is hosting their mailbox.
Exchange 2013 cannot be used as the hybrid server as it cannot coexist in the same organization as Exchange 2003. For this reason, Exchange 2010 SP3 must be used as the hybrid solution for this scenario.
- Microsoft Online Services Directory Synchronization Server – The Microsoft Online Services Directory Synchronization tool is primarily used to synchronize the Exchangeglobal address list, also known as the shared address book and provision users in a cross-premises deployment. Directory synchronization is a requirement for the hybrid deployment scenario, and it as a pre-requisite for shared cross-premises GAL, calendar and free\busy sharing, and single sign on to produce a rich seamless user experience in the co-existence phase.
- Active Directory Federation Services Infrastructure(ADFS) – This includes both ADFS server as well as the optional yet recommended ADFS Proxy server. The ADFS infrastructure provides a Single Sign-On (SSO) like experience – Users enter their Active Directory corporate credentials to access the Office 365 Services. Check out this blog for some added information between single sign-on and same sign-on
- Please note that for authentication ADFS does not have to be used. You may also use Directory Synchronization with Password Synchronization to provide “Same Sign-on” experience where the user’s password is synchronized to Office 365 along with their user credentials. Authentication is handled in the cloud as opposed to being redirected back on-premise for verification.
1.2 Install and Configure ADFS
The most important operation you need to perform to provide your users with single sign-on access to the cloud service is to deploy a new AD FS federation server farm. Microsoft recommends deploying at least two federation servers in order to provide fault tolerance, load-balancing, and scalability to your organization’s AD FS production environment.
The Microsoft Online Services Sign-In Assistant (MOS SIA) provides end user with sign-in capabilities to Microsoft Online Services like Microsoft Office 365. The MOS SIA installs client components that allow desktop applications like Microsoft Outlook and Microsoft Lync to authenticate to Microsoft Online Services. The MOS SIA also provides an improved sign-in experience so users can access Microsoft Online Services without re-entering their usernames or passwords.
This is required so that ADFS can authenticate and create a proper federation session to Office 365.
- Install the necessary Windows prerequisites for ADFS
- Import the SSL certificate onto the server
- Configure the certificate in IIS
- Install the ADFS feature
- Configure a service account for the federation server farm
- Run the ADFS Federation Service Configuration wizard to create and configure the federation farm
1.3 Install and Configure Hybrid Server
In this blog I will not go into details of installation and/or configuration of the hybrid server – instead I will provide the high-level steps required to be configured.
1.3.1 Prepare for Exchange 2010 SP3 Installation
Before we can begin installing Exchange 2010 servers, the following preparation tasks need to be done.
- Exchange 2010 SP3 prerequisites check for the operating system being used
- Ensure that the Active Directory forest functionality mode is at Windows Server 2003 or higher
- Ensure that the Active Directory domain functionality mode is at Windows Server 2003 native mode or higher
- Validate that the schema master is running Windows Server 2003 SP2 or later
- Run EXBPA (Exchange Best Practices Analyzer) and resolve any issues reported by the tool
- Hybrid configuration must install Exchange 2010 SP3 at a minimum.
- Obtain an Exchange 2010 Hybrid Edition product key from Office 365 Support
- Extend Active Directory Schema with Exchange 2010 SP3
1.3.2 Install Exchange 2010 Server SP3
When installing the hybrid server, make sure to select a “typical installation” where the following three roles will be installed:
- Mailbox role
- Client access (CAS) role
- Hub transport role
Each of the roles must be configured individually to allow a proper hybrid setup. During the installation, make sure the following settings are configured as follows:
|Use the Configure Client Access Server external domain page to configure an external fully qualified domain name (FQDN). This is the FQDN that you give to Outlook Web App users to connect to an Exchange 2010 hybrid Client Access server. This is also the FQDN endpoint that Exchange Online will use to perform on-premises look-ups, including free/busy calendar availability. This will be completed at a later stage. Leave the check box unselected unless you have all the required DNS records already configured for a hybrid configuration|
|On the Mail flow settings page, browse and select the Exchange 2003 server that will be the bridgehead between the two messaging systems. This server will send emails between Exchange 2003 and Exchange 2010 and Office 365|
To enable Outlook 2010 and mobile clients to connect to mailboxes in the Exchange Online organization, you need to configure an AutoDiscover record on your public DNS. AutoDiscover automatically configures client settings so that users don’t need to know server names or other technical details to configure their mail profiles. Microsoft also recommends that you configure a Sender Policy Framework (SPF) record to ensure that destination e-mail systems trust messages sent from your domain and the Exchange Online Protection (EOP) service for your Office 365 organization.
- AutoDiscover record – The AutoDiscover DNS record for your on-premises organization needs to refer requests for autodiscover.domain.com to your on-premises hybrid server. You can use either a CNAME DNS record or an A DNS record. A CNAME DNS record must refer to the FQDN of an on-premises hybrid server that has the Client Access server role installed. An A (Host) DNS record must point to the external IP address of a hybrid server or your firewall, depending on your network configuration.
- SPF record – The SPF record for your organization uses the Sender ID Framework. The Sender ID Framework is an e-mail authentication protocol that helps prevent spoofing and phishing by verifying the domain name from which e-mail messages are sent. Sender ID validates the origin of e-mail messages by verifying the IP address of the sender against the alleged owner of the sending domain.
1.3.4 Configuring Exchange certificates in an Exchange 2010 hybrid deployment
Digital certificates are an important requirement for secure communications between the on-premises Exchange 2010 hybrid servers, clients, and the Exchange Online organization. You need to obtain a certificate that can be installed on the hybrid servers from a third-party trusted certificate authority (CA). Wildcard certificates work best for this type of setup as it can be used for both Exchange as well as ADFS infrastructure when using single sign-on.
Once the certificate has been purchased, import it onto the hybrid server and assign SMTP and IIS services to it.
Configure the external FQDN as the external URL on the Exchange Web Services (EWS), Outlook Address Book (OAB), AutoDiscover and the Exchange ActiveSync (Microsoft-Server-ActiveSync) virtual directories. If multiple hybrid servers will be used, make sure the URL is pointing to the load balanced name of the servers.
1.3.6 Configure Client Access Array
Regardless of how many hybrid servers will be used, always configure the Client Access (CAS) Array.
Outlook Anywhere for Exchange Server 2010 provides Internet-based access to your messaging environment using an Outlook 2003/2007/2010 client. If you have enabled Outlook Anywhere on a server that is running Exchange 2010 that has the Client Access server role installed, users who are on Exchange 2010 servers that have the Mailbox server role installed can use RPC over HTTP to connect to their Exchange mailbox. This is required to be enabled for connectivity to Exchange Online.
In order to manage the Exchange Online organization from a hybrid server in the on-premises organization, the Exchange Online organization must be added to the Exchange Management Console (EMC).
Before you can connect the cloud-based organization to the Exchange management console, the Microsoft Online Service Sign-in Assistant must be installed on the hybrid server(s). It basically provides you with sign-in capabilities to Microsoft online services like Office 365.
You can add your Exchange Online organization to the EMC on any hybrid server by using the following steps:
- Open the EMC on a hybrid server. In the console tree, click the Microsoft Exchange node. This is the top-most node in the tree
- In the action pane, click Add Exchange Forest
- In the Add Exchange Forest dialog box, complete the following fields:
- Specify a friendly name for this Exchange forest – Type the name of the Exchange forest. This name will display in the console tree
- Specify the FQDN or URL of the server running the Remote PowerShell instance – Select Exchange Online, which contains the URL necessary to access your Exchange Online organization
- Logon with default credential – Leave this check box unselected. You will be automatically prompted to enter the credentials for an administrator in your Exchange Online organization after you click OK.
Use the New Hybrid Configuration wizard to create the foundation for the hybrid deployment. The New Hybrid Configuration wizard creates the HybridConfiguration object in your on-premises Active Directory. This Active Directory object stores the hybrid configuration information for the hybrid deployment
1.3.10Configure the hybrid deployment
Use the Manage Hybrid Configuration wizard to configure your Microsoft Exchange organization for the hybrid deployment. The Manage Hybrid Configuration wizard gathers existing Exchange and Active Directory topology configuration data, defines several organization parameters and then runs an extensive sequence of hybrid deployment configuration tasks.
2 Migration Process
Following these steps will make sure that your Exchange migration has as little issues as possible. Using these steps has proven to reduce amount of corruption during migration and even though mailboxes are migrated twice, it greatly reduces the amount of time the migration takes directly from Exchange 2003. The migration should be done in two steps.
2.1 Migrate Mailboxes from Exchange 2003 to Exchange 2010
- Obtain a list of Exchange 2003 mailboxes to be migrated to Office 365
- Using the Exchange Management Console or Management Shell, migrate these mailboxes to Exchange 2010
2.2 Migrate Mailboxes from Exchange 2010 to Exchange Online
- Open Internet Explorer and go to http://portal.microsoftonline.com to log into the Office 365 portal
- Provide the credentials for a global administrator account and sign into the portal
- On the Office 365 Admin Center page, click on Admin on the top right corner of the page and select Exchange Admin Center, Click on Migration
- Click the New button and select to Migrate to Exchange Online
- On the Select a migration type page, select Remote move migration (Supported by Exchange 2010 and later versions) then click Next
- On the Select the users page, click the Add button to manually select the mailboxes being migrated in the batch.
- On the Confirm the migration endpoint, confirm the URL for the on-premise hybrid endpoint is selected as the Remote MRS proxy server then click Next
- On the Move Configuration page,
- Provide the new migration batch name if mailboxes were manually selected. If mailboxes were provided through a CSV, the file name will be used as the migration batch name
- On the Target delivery domain, select domain.onmicrosoft.com from the drop-down menu
- Accept the default option for the Archive.
- Click Next to continue
- On the Start batch page,
- Browse and select a recipient that will receive the migration reports
- Select to Automatically start the batch as the Preferred option to start the batch
- Select to Automatically complete the migration batch as the preferred option to complete the batch
- Click the New button to begin the migration
- Once completed, assign the necessary Office 365 licenses to the migrated mailbox and confirm functionality.