As described in the Office 365 CON 2014 Virtual Conference session “Stairway to heaven – Best practices for Hybrid Deployments”, it is very important that you validate your on-premises environment before getting started with the hybrid bits.
The reason why this is so important has to do with the many interactions between Office 365 [the cloud] and your on-premises environment. Let’s take a look at what components are at stake here.
First there is directory synchronization [DirSync]. DirSync is the cornerstone of a hybrid deployment: it keeps objects synchronized between your on-premises environment and Office 365 so that both sides work from the same set of identities, and it is the enabler for easily onboarding and off-boarding mailboxes to and from Exchange Online. Assuming that you will start your hybrid deployment by setting up DirSync, you need to make sure that your on-premises Active Directory is in a healthy state. By “healthy” I don’t only mean that it replicates properly. Office 365 (that is, Windows Azure AD) expects certain object values and rejects malformed attributes, such as invalid characters in a UPN or proxy address, or the same proxy address on two different objects, even though on-premises Active Directory tolerates them. Although DirSync will automatically e-mail you a report when one or more objects fail to synchronize, it is always better to make sure you don’t run into these issues in the first place.
Another requirement is that the suffix of your on-premises User Principal Names [UPNs] matches a domain that has been verified in Office 365. This is particularly important when you set up Identity Federation [ADFS] afterwards: Office 365 decides whether to hand a sign-in over to ADFS based on the UPN suffix, so a user whose suffix does not match a federated domain will not be able to sign in through federation.
Once DirSync is set up properly, you shouldn’t run into too much trouble. To help you get it set up, Microsoft has developed a tool called “IdFix”. It scans your Active Directory for the object errors that would otherwise show up as DirSync synchronization failures and helps you remediate them quickly. Prior to this, however, I suggest you also take a look at “OnRamp for Office 365”. This online tool is the successor to the Office 365 Readiness Tool; it proactively checks your Active Directory environment and builds a report of all the objects that might cause problems with DirSync, so you can remediate them before installing DirSync.
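To show what such a readiness sweep looks like in practice, here is an added example (my own illustration for this article, not IdFix, OnRamp or any Microsoft code) that walks the on-premises users and reports the three classes of problems described above: a UPN suffix that is not a verified Office 365 domain, invalid characters or format in the UPN or an SMTP address, and a proxy address that appears on more than one object. The character rules are a simplified subset of what IdFix enforces and are an assumption, the verified-domain list is passed in by you (contoso.com and contoso.be are placeholders), and the script needs the ActiveDirectory module.

```powershell
Import-Module ActiveDirectory

function Test-DirSyncReadiness {
    param(
        # Domains verified in your Office 365 tenant. With the MSOnline module loaded you can get them from:
        #   (Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }).Name
        [Parameter(Mandatory)][string[]]$VerifiedDomains,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    $issues = New-Object System.Collections.Generic.List[object]
    function Add-Issue($User, $Attribute, $Value, $Problem) {
        $issues.Add([pscustomobject]@{ User = $User; Attribute = $Attribute; Value = $Value; Problem = $Problem })
    }
    # Assumption: a simplified subset of the IdFix rules. The UPN local part may contain
    # letters, digits and ' . - _ ! # ^ ~ and must not end with a period.
    $upnLocalPattern = '^[A-Za-z0-9''\.\-_!#\^~]+$'
    $seen = @{}   # lower-cased proxy address -> first sAMAccountName that carried it

    $users = Get-ADUser -Filter * -SearchBase $SearchBase -Properties UserPrincipalName, mail, proxyAddresses
    foreach ($u in $users) {
        $sam = $u.SamAccountName

        # --- userPrincipalName: present, well-formed, and routable to a verified domain ---
        if ([string]::IsNullOrEmpty($u.UserPrincipalName)) {
            Add-Issue $sam 'userPrincipalName' '' 'blank'
        } else {
            $localPart, $suffix = $u.UserPrincipalName -split '@', 2
            if (-not $suffix -or ($VerifiedDomains -notcontains $suffix)) {
                Add-Issue $sam 'userPrincipalName' $u.UserPrincipalName 'suffix is not a verified Office 365 domain'
            }
            if ($localPart -notmatch $upnLocalPattern -or $localPart.EndsWith('.')) {
                Add-Issue $sam 'userPrincipalName' $u.UserPrincipalName 'invalid character or format'
            }
        }

        # --- mail / proxyAddresses: valid SMTP syntax and unique across the directory ---
        $addresses = @()
        if ($u.mail) { $addresses += "SMTP:$($u.mail)" }
        $addresses += @($u.proxyAddresses)
        foreach ($addr in ($addresses | Where-Object { $_ })) {
            $value = $addr -replace '^[A-Za-z0-9]+:', ''    # strip the smtp:/SMTP:/x500: prefix
            if ($addr -match '^smtp:' -and $value -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
                Add-Issue $sam 'proxyAddresses' $addr 'malformed SMTP address'
            }
            $key = $addr.ToLowerInvariant()
            if (-not $seen.ContainsKey($key)) {
                $seen[$key] = $sam
            } elseif ($seen[$key] -ne $sam) {
                Add-Issue $sam 'proxyAddresses' $addr "duplicate of $($seen[$key])"
            }
        }
    }
    return $issues
}

# Usage: review the offenders on screen, then hand the CSV to whoever owns the directory.
$report = Test-DirSyncReadiness -VerifiedDomains 'contoso.com', 'contoso.be'
$report | Format-Table -AutoSize
$report | Export-Csv -Path .\dirsync-readiness.csv -NoTypeInformation
```

The duplicate check deliberately compares addresses case-insensitively and across all objects in the search base, because that is how Azure AD sees them; a duplicate that looks harmless on-premises (different case, different OU) still blocks the second object from synchronizing.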
Secondly there is ADFS. Skipping how ADFS is installed, as that is beyond the scope of this article, it is important to ensure that ADFS is working properly before you move on. One way of doing that is, for instance, using ENow’s Mailscape for Office 365, which continuously monitors your ADFS infrastructure and verifies that it is still issuing logon tokens for your Office 365 users. Another option is to use the Microsoft Remote Connectivity Analyzer [https://testconnectivity.microsoft.com].
Its Single Sign-On test performs a remote authentication against your ADFS infrastructure and provides you with relevant diagnostic information. This can be particularly handy when troubleshooting ADFS issues. If the test passes, your federation endpoint is reachable from the internet and issues tokens that Office 365 accepts, and you can safely move on.
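The Single Sign-On test tells you that ADFS issues a token right now. A complementary check that I find useful, added here as an example of my own rather than anything from the article or the Remote Connectivity Analyzer, is to confirm that the token-signing certificate ADFS advertises in its public federation metadata is the one Office 365 has on file for the domain: when ADFS rolls its token-signing certificate and Azure AD is not updated, tokens are still issued but rejected. The script assumes the MSOnline module is installed and you have already run Connect-MsolService; sts.contoso.com and contoso.com are placeholders for your federation service name and federated domain.

```powershell
function Test-FederationSigningCertificate {
    param(
        [Parameter(Mandatory)][string]$FederationServiceHost,   # e.g. sts.contoso.com (assumption)
        [Parameter(Mandatory)][string]$DomainName               # the federated domain in Office 365
    )
    $x509 = 'System.Security.Cryptography.X509Certificates.X509Certificate2'

    # 1. What ADFS currently publishes: the metadata document is anonymous and reachable from the internet,
    #    and lists the signing certificate under each RoleDescriptor as KeyDescriptor use="signing".
    $url = "https://$FederationServiceHost/FederationMetadata/2007-06/FederationMetadata.xml"
    [xml]$metadata = (Invoke-WebRequest -Uri $url -UseBasicParsing).Content
    $adfsThumbprints = @($metadata.EntityDescriptor.RoleDescriptor.KeyDescriptor |
        Where-Object { $_.use -eq 'signing' } |
        ForEach-Object {
            $raw = [Convert]::FromBase64String($_.KeyInfo.X509Data.X509Certificate)
            (New-Object -TypeName $x509 -ArgumentList (,$raw)).Thumbprint
        } | Sort-Object -Unique)

    # 2. What Office 365 trusts for this domain (current and, if already staged, next certificate).
    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName
    $cloudThumbprints = @(@($fed.SigningCertificate, $fed.NextSigningCertificate) |
        Where-Object { $_ } |
        ForEach-Object {
            (New-Object -TypeName $x509 -ArgumentList (,[Convert]::FromBase64String($_))).Thumbprint
        })

    [pscustomobject]@{
        Domain          = $DomainName
        AdfsSigning     = $adfsThumbprints -join ','
        Office365Trusts = $cloudThumbprints -join ','
        InSync          = [bool]($adfsThumbprints | Where-Object { $cloudThumbprints -contains $_ })
    }
}

$check = Test-FederationSigningCertificate -FederationServiceHost 'sts.contoso.com' -DomainName 'contoso.com'
$check | Format-List
if (-not $check.InSync) {
    Write-Warning "Office 365 does not trust the ADFS token-signing certificate; run Update-MsolFederatedDomain -DomainName $($check.Domain) from the ADFS server."
}
```

Because the metadata is fetched over the internet, this also catches the case where the published federation service name does not resolve or presents an untrusted TLS certificate, which the Single Sign-On test would report as a generic failure.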
Thirdly, you need to make sure that your on-premises Exchange environment is configured properly and working fine. Although Office 365 doesn’t have any particularly unusual requirements with regard to Exchange, some companies prefer not to publish certain workloads to the internet. So, for your reference, here is what Office 365 (when running the Hybrid Configuration Wizard) ‘expects’:
Autodiscover must work properly, including from the internet.
Exchange Web Services must be internet-accessible and published with a certificate from a trusted public Certificate Authority; Office 365 will not trust a self-signed certificate. The MRS Proxy must be enabled on your internet-facing EWS virtual directories as well, since that is the endpoint mailbox moves go through.
There cannot be any e-mail-filtering device between your Hub Transport (or Edge Transport) server(s) and Office 365*
* In theory you could, but that’s another discussion. A quick way to verify that your setup meets the connectivity requirements is to use the Remote Connectivity Analyzer again; the Office 365 section of the site contains the tests that are of use for this purpose.
The Free/Busy test in particular is very useful for validating your environment for a hybrid deployment. It verifies that Exchange Web Services are working, that connectivity is fine, that the time on your Exchange server isn’t skewed by more than 5 minutes (a larger skew makes token validation against the Microsoft Federation Gateway fail) and that your on-premises Exchange server meets the minimum version requirement (Exchange 2010 SP1, that is). Please note that these tests will not verify whether or not there is a mail filtering appliance between your Hub/Edge servers and Office 365. However, that isn’t hard to find out by yourself: follow the path of your Send Connector towards Office 365 and of your inbound MX records ;-)
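The Remote Connectivity Analyzer tests from the outside in. Before you even go there, you can check the same prerequisites from the inside with the Exchange Management Shell. The script below is an added example of my own (not part of the article, the Hybrid Configuration Wizard or the Remote Connectivity Analyzer) that verifies the server version (Exchange 2010 SP1 is 14.1), that every internet-facing EWS virtual directory has an https external URL with the MRS Proxy enabled, that Autodiscover resolves for each authoritative domain, that the certificate bound to IIS is CA-issued, unexpired and covers those names, and that the clock is within the 5-minute tolerance of an external time source. The list of internet-facing Client Access servers (CAS01, CAS02), the autodiscover.<domain> host-record method and the time source are assumptions you should adjust to your environment.

```powershell
function Test-HybridPrerequisites {
    param(
        # Assumption: the Client Access servers whose EWS virtual directory is published to the internet
        [Parameter(Mandatory)][string[]]$InternetFacingServers,
        [string]$TimeSource = 'time.windows.com',
        [int]$MaxSkewSeconds = 300     # the 5-minute tolerance mentioned above
    )
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }
    $hostsToCover = @()   # public names the IIS certificate has to contain

    # 1. Minimum version: Exchange 2010 SP1 reports itself as 14.1
    foreach ($srv in Get-ExchangeServer | Where-Object { $InternetFacingServers -contains $_.Name }) {
        $v = $srv.AdminDisplayVersion
        Add-Result "Version on $($srv.Name)" (($v.Major -gt 14) -or ($v.Major -eq 14 -and $v.Minor -ge 1)) "$v"
    }

    # 2. EWS: an https ExternalUrl and the MRS Proxy on every internet-facing virtual directory
    foreach ($vd in Get-WebServicesVirtualDirectory | Where-Object { $InternetFacingServers -contains "$($_.Server)" }) {
        $url = $vd.ExternalUrl
        $ok = ($null -ne $url) -and ($url.Scheme -eq 'https')
        if ($ok) { $hostsToCover += $url.Host }
        Add-Result "EWS ExternalUrl on $($vd.Server)" $ok "$url"
        Add-Result "MRS Proxy on $($vd.Server)" $vd.MRSProxyEnabled "MRSProxyEnabled=$($vd.MRSProxyEnabled)"
    }

    # 3. Autodiscover. Assumption: published via the autodiscover.<smtpdomain> host record
    #    (if you use the SRV record method instead, query _autodiscover._tcp.<domain> here).
    foreach ($d in Get-AcceptedDomain | Where-Object { $_.DomainType -eq 'Authoritative' }) {
        $name = "autodiscover.$($d.DomainName)"
        try { $null = [System.Net.Dns]::GetHostAddresses($name); $ok = $true } catch { $ok = $false }
        if ($ok) { $hostsToCover += $name }
        Add-Result "Autodiscover DNS $name" $ok $(if ($ok) { 'resolves' } else { 'does not resolve' })
    }

    # 4. The certificate bound to IIS: CA-issued, unexpired, and covering every name collected above
    #    (the wildcard comparison below is an approximation of what TLS clients accept)
    foreach ($srv in $InternetFacingServers) {
        $cert = Get-ExchangeCertificate -Server $srv | Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
        if (-not $cert) { Add-Result "IIS certificate on $srv" $false 'no certificate bound to IIS'; continue }
        Add-Result "IIS certificate on $srv is CA-issued" (-not $cert.IsSelfSigned) $cert.Issuer
        Add-Result "IIS certificate on $srv is valid" ($cert.NotAfter -gt (Get-Date)) "expires $($cert.NotAfter)"
        $san = @($cert.CertificateDomains | ForEach-Object { "$_" })
        foreach ($h in ($hostsToCover | Sort-Object -Unique)) {
            $covered = $san | Where-Object { ($_ -eq $h) -or ($_.StartsWith('*.') -and $h -like $_) }
            Add-Result "Certificate on $srv covers $h" ([bool]$covered) ($san -join ', ')
        }
    }

    # 5. Clock skew against an external time source
    $offsets = w32tm /stripchart "/computer:$TimeSource" /samples:3 /dataonly |
               Select-String '([+-]\d+\.\d+)s' |
               ForEach-Object { [double]$_.Matches[0].Groups[1].Value }
    $avg = ($offsets | Measure-Object -Average).Average
    Add-Result "Clock skew vs $TimeSource" (($null -ne $avg) -and ([math]::Abs($avg) -le $MaxSkewSeconds)) "$avg s"

    return $results
}

$checks = Test-HybridPrerequisites -InternetFacingServers 'CAS01', 'CAS02'
$checks | Format-Table -AutoSize
if ($checks | Where-Object { -not $_.Pass }) {
    Write-Warning 'Fix the failed checks before running the Hybrid Configuration Wizard.'
}
```

Run it from the Exchange Management Shell on a server that can reach the internet; the DNS and time checks only mean something when they are resolved against public resolvers and an external time source, which is what the Microsoft Federation Gateway will see.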
The bottom line is pretty straightforward: use the Remote Connectivity Analyzer to verify and validate your on-premises deployment. If you get a green tick for all of the tests mentioned above, I’m pretty confident that you’re all set to successfully start your hybrid deployment through the Hybrid Configuration Wizard!
Michael Van Horenbeeck MVP, MCSM
Michael Van Horenbeeck is a Microsoft Certified Solutions Master (MCSM) and Exchange Server MVP from Belgium, with a strong focus on Microsoft Exchange, Office 365, Active Directory, and a bit of Lync. Michael has been active in the industry for about 12 years and developed a love for Exchange back in 2000. He is a frequent blogger and a member of the Belgian Unified Communications User Group Pro-Exchange. Besides writing about technology, Michael is a regular contributor to The UC Architects podcast and speaker at various conferences around the world.