
Exchange Hybrid Deployments: Stairway to Heaven or Highway to Hell?


indira-mays




Presentation Transcript


  1. Exchange Hybrid Deployments: Stairway to Heaven or Highway to Hell? #devconnections

  2. Agenda • Hybrid deployment overview • Hybrid best practices • High availability • Common (known?) issues • Troubleshooting

  3. An overview of hybrid deployments… Overview

  4. (Diagram) Zones: Internet, Microsoft, DMZ, Internal Network. Components: Exchange Online tenant, Exchange on-prem, Active Directory, Azure AD. Connections between them: Org. Relationship / Intra-Org Connector (Hybrid), Mail Flow, Authentication, Synchronization (on-prem AD to Azure AD).

  5. Many moving parts • It’s no longer only about Exchange. Many different components are involved: • Active Directory • Networking • Exchange • …

  6. Many components • DirSync • Authentication • ADFS • Password Synchronization • Exchange Federation / OAuth • Security

  7. Words of wisdom to live by… or not?! Best Practices

  8. Best practice… Anyone? • No ‘defined’ best practice from Microsoft • Bunch of documents that describe the steps for setting up hybrid deployments • Mostly about keeping support statements in mind

  9. Deploying hybrid configs • Hybrid deployments can be built manually. But… • …use the Hybrid Configuration Wizard; it’s the only supported way! • Be prepared to get dirty. Being ready to run the HCW mostly means you’ve done 80% of the work already (certificates, namespaces, DirSync and authentication all have to be in place first)

  10. What’s this ‘hybrid’ server? • “On-premises (pre-existing) Exchange server ‘dedicated’ to interacting with Exchange Online” • Can be Exchange 2010 SP3+ or Exchange 2013 SP1+ • Adding a new hybrid server can be disruptive…

  11. Typical Deployment (diagram) • Servers: Exchange 2007 (Multi-Role) holding the on-prem mailboxes, Exchange 2010/2013 (Multi-Role) as the hybrid server • On-prem MBX: Autodiscover.domain.com, Mail.domain.com • Cloud MBX: Autodiscover.domain.com, Mail.domain.com

  12. Typical deployment • Great for long-term coexistence (keep on-premises indefinitely) • Requires namespace switch-over (more work)

  13. Hybrid Namespace (diagram) • Servers: Exchange 2007 (Multi-Role) holding the on-prem mailboxes, Exchange 2010/2013 (Multi-Role) as the hybrid server • On-prem MBX: Autodiscover.domain.com, Mail.domain.com • Cloud MBX: Autodiscover.domain.com, Hybrid.domain.com

  14. Hybrid namespace • Less intrusive than the ‘typical’ deployment (the existing mail.domain.com namespace stays on the legacy servers) • Ideal for migration purposes • No official statement on support though…

  15. What it takes to make a hybrid deployment highly available High Availability

  16. High Availability • It’s not as easy as 1+1… • Topology depends on what features need to be highly available • Mail flow, Free/Busy, Mailbox Moves • Authentication • Connectivity • …

  17. Hybrid Server HA • Deploy at least two hybrid servers • Add site resiliency by deploying in two distinct physical locations • Load balance incoming requests through a LB device

  18. Hybrid HA Setup (two sites) (diagram) • INTERNET → connectivity HA → load balancer pair • Site 1: Exchange CAS/MBX, Domain Controller • Site 2: Exchange CAS/MBX, Domain Controller

  19. DirSync • No need to deploy Highly Available • Can run w/o DirSync for a (short) period of time • You could deploy Active/Passive

  20. Active Directory Federation Services • Critical to operations; No ADFS = No user logon possible • Must be deployed HA – in all possible ways • Deploy ADFS cluster; spread across sites to add site resiliency • Can be costly…

  21. AD FS HA – AD FS Topology (diagram) • INTERNET → FW → load balancer → AD FS Proxy (x2) • Load balancer → AD FS (x2) → Domain Controller (x2)

  22. Using Azure for Hybrid deployments • Leverage Azure VMs for ADFS and/or DirSync > increase availability • Better to deploy one (or more) Domain Controllers in Azure • Watch out for the VPN…

  23. Azure Topologies • Hybrid Azure: use a mix of services both on-premises and in Azure (e.g. AD FS on-premises and in Azure) • Full Azure: deploy AD FS and/or DirSync in Azure only; leverage the VPN to connect to supporting services or to support replication

  24. Hybrid Azure architecture (diagram) • INTERNET • On-Premises: AD FS Proxy, Domain Controller, AD FS, Exchange • Azure: AD FS Proxy, Domain Controller, AD FS • Linked by an Active/Passive IPSEC VPN

  25. HA inside Azure… (diagram) • INTERNET → Azure load-balanced endpoint → AD FS Proxy (x2) • Load-balanced endpoint → AD FS (x2) → Domain Controller (x2)

  26. Known or not known? That is the question… Common Issues

  27. Limitations rather than issues • Some general limitations apply: • Cross-premises permissions • Public folder migrations • Cross-organization free/busy • Behavioral changes…

  28. Cross-organization Free/Busy • One of the ‘biggest’ known limitations; described here (link on the original slide). • Without manual intervention, you cannot exchange Free/Busy between the cloud users of two hybrid organizations

  29. Cross-org Free/Busy (diagram slide)

  30. (no text on slide)

  31. CU5 bug • There’s a bug in Exchange 2013 CU5 which requires an IU (KB2988229) for the HCW to complete successfully.

  32. Multi-forest bug in CU5 • After deploying the IU mentioned earlier, you cannot deploy multi-forest Hybrid deployments. HCW will fail while configuring OAuth.

  33. Behavioral changes… • How will you deal with people leaving the organization? Deleting the on-prem AD user now deletes the cloud mailbox through DirSync • Move mailbox back on-premises • Leverage “inactive mailboxes”
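A worked version of both leaver options, added here as an example and not taken from the deck. It is written for Exchange Online remote PowerShell as it existed at the time (the basic-auth endpoint has since been retired; Connect-ExchangeOnline replaces the session setup), and the mailbox addresses, hybrid namespace and database name are hypothetical placeholders.

```powershell
# Added example, not from the slides: leaver handling for a cloud mailbox in a
# DirSync'd hybrid. Session setup is the Exchange Online remote PowerShell of
# the period; Connect-ExchangeOnline replaces it today. All names below are
# hypothetical placeholders.
$ExoCred = Get-Credential -Message 'Exchange Online admin'
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $ExoCred -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking | Out-Null

function Set-LeaverHold {
    # Option 1 (inactive mailbox): Exchange Online keeps a mailbox after its
    # user object is deleted only if a hold was already in place, so the hold
    # goes on BEFORE the on-prem AD account is removed and DirSync deletes the
    # cloud user. Litigation Hold needs an Exchange Online Plan 2 (or Archiving
    # add-on) licence on the mailbox.
    param([Parameter(Mandatory = $true)][string]$Identity, [int]$RetentionDays = 2555)
    $mbx = Get-Mailbox -Identity $Identity -ErrorAction Stop
    if ($mbx.RecipientTypeDetails -ne 'UserMailbox') {
        throw "$Identity is a $($mbx.RecipientTypeDetails); only a cloud UserMailbox can become inactive"
    }
    Set-Mailbox -Identity $Identity -LitigationHoldEnabled $true `
        -LitigationHoldDuration $RetentionDays -LitigationHoldOwner $ExoCred.UserName
    # Re-read instead of trusting the call; the hold is what protects the data.
    $mbx = Get-Mailbox -Identity $Identity
    if (-not $mbx.LitigationHoldEnabled) { throw "hold not applied to $Identity; do not delete the AD user yet" }
    $mbx | Select-Object PrimarySmtpAddress, LitigationHoldEnabled, LitigationHoldDate, LitigationHoldDuration
}

function Get-LeaverState {
    # Once the AD user is gone and a DirSync cycle has run, the mailbox must
    # show up as inactive; if it does not, it was soft-deleted without a hold
    # and will be purged when the soft-deleted retention window ends.
    param([Parameter(Mandatory = $true)][string]$Identity)
    Get-Mailbox -Identity $Identity -InactiveMailboxOnly -ErrorAction SilentlyContinue |
        Select-Object PrimarySmtpAddress, IsInactiveMailbox, WhenSoftDeleted, LitigationHoldEnabled
}

function Start-LeaverOffboardMove {
    # Option 2 (move back on-premises): an off-boarding move request is created
    # from the Exchange Online side and is pulled through the on-prem MRS proxy
    # on the hybrid namespace. The target database must exist on-prem and the
    # on-prem mail user object for the mailbox must still exist.
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [string]$RemoteHostName       = 'hybrid.contoso.com',   # hypothetical hybrid namespace
        [string]$RemoteTargetDatabase = 'DB01',                 # hypothetical on-prem mailbox database
        [string]$TargetDeliveryDomain = 'contoso.com'           # hypothetical primary SMTP domain
    )
    $onPremCred = Get-Credential -Message 'On-premises Exchange admin (for the MRS proxy)'
    New-MoveRequest -Identity $Identity -Outbound `
        -RemoteTargetDatabase $RemoteTargetDatabase -RemoteHostName $RemoteHostName `
        -RemoteCredential $onPremCred -TargetDeliveryDomain $TargetDeliveryDomain
}

# Usage (hypothetical mailbox):
Set-LeaverHold -Identity 'leaver@contoso.com'
# ...remove or disable the on-prem AD user, wait for a DirSync cycle, then:
Get-LeaverState -Identity 'leaver@contoso.com'
```

The order matters more than the cmdlets: the hold must be confirmed on the mailbox before the AD object is touched, because DirSync will propagate the deletion on its next cycle and a mailbox without a hold simply becomes soft-deleted.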

  34. How to get out of trouble… And stay out of it too…! Troubleshooting

  35. Monitoring • New architecture paradigm, requires new way of thinking about monitoring • You don’t care about Microsoft’s side of the story • End-user service availability is key (but it’s always been like that, right?)

  36. How to monitor? • Consider monitoring through a series of both Active and Passive tests • Active tests allow you to be proactive • Passive tests give you great feedback (counters…) • Third-party tooling

  37. Components to monitor • You don’t care about (Microsoft’s) servers, but you do care about: • Mail flow • Cross-premises / External • Exchange Federation • Organization Relationships / OAuth • DirSync • Connectivity (network, certificates,…)
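An added example (not from the deck) of the "active tests" idea from slides 36 and 37, which also exercises the on-prem side of the free/busy path from slide 28. It assumes the on-premises Exchange Management Shell on a hybrid server, the MSOnline module loaded with Connect-MsolService already run (for the DirSync age), a receive connector that accepts the probe submission, and every host name, mailbox and organization-relationship name below is a hypothetical placeholder.

```powershell
# Added example, not from the slides: scheduled active tests for the hybrid
# components on slide 37. Assumes the on-prem Exchange Management Shell on a
# hybrid server and an existing Connect-MsolService session. All names are
# hypothetical placeholders; find the real org relationship name with
# Get-OrganizationRelationship (the HCW appends a suffix to it).
$Namespaces      = 'autodiscover.contoso.com', 'mail.contoso.com', 'hybrid.contoso.com', 'sts.contoso.com'  # sts = AD FS
$ProbeMailbox    = 'probe@contoso.com'        # on-prem mailbox the tests run as
$CloudMailbox    = 'probe-cloud@contoso.com'  # mailbox already moved to Exchange Online
$OrgRelationship = 'On-premises to O365'      # hypothetical; see comment above
$ExoEws          = 'https://outlook.office365.com/ews/exchange.asmx'
$MaxSyncAgeMin   = 360                         # DirSync ran every 3 h at the time; two missed cycles alert

function New-CheckResult($Check, $Ok, $Detail) {
    New-Object PSObject -Property @{ Check = $Check; Ok = [bool]$Ok; Detail = "$Detail" }
}

function Test-TlsEndpoint {
    param([string]$HostName, [int]$Port = 443, [int]$WarnDays = 30)
    # Real client handshake: AuthenticateAsClient validates chain, name and
    # validity dates and throws on any of them, which is what Outlook and
    # Exchange Online will do against this namespace.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $days = [int]($cert.NotAfter - (Get-Date)).TotalDays
        New-CheckResult "TLS $HostName" ($days -gt $WarnDays) "$($cert.Subject) expires in $days days"
    } catch {
        New-CheckResult "TLS $HostName" $false $_.Exception.Message
    } finally { $tcp.Close() }
}

function Test-HybridComponents {
    $r = @()
    foreach ($n in $Namespaces) { $r += Test-TlsEndpoint -HostName $n }

    # Exchange Federation: can this org still get a delegation token from the Microsoft Federation Gateway?
    $ft  = @(Test-FederationTrust -UserIdentity $ProbeMailbox)
    $bad = @($ft | Where-Object { $_.Type -eq 'Error' })
    $r += New-CheckResult 'FederationTrust' ($bad.Count -eq 0) (($bad | ForEach-Object { $_.Message }) -join '; ')

    # Organization relationship: the on-prem -> cloud free/busy path (slide 28).
    # The cmdlet reports one "RESULT:" line per step; anything but Success is a failure.
    try {
        $or  = @(Test-OrganizationRelationship -Identity $OrgRelationship -UserIdentity $ProbeMailbox -ErrorAction Stop)
        $bad = @($or | Where-Object { "$_" -match 'RESULT:' -and "$_" -notmatch 'Success' })
        $r += New-CheckResult 'OrganizationRelationship' ($bad.Count -eq 0) ($bad -join '; ')
    } catch { $r += New-CheckResult 'OrganizationRelationship' $false $_.Exception.Message }

    # OAuth (Exchange 2013 hybrids): call Exchange Online EWS with an OAuth token as the probe user.
    $oa  = @(Test-OAuthConnectivity -Service EWS -TargetUri $ExoEws -Mailbox $ProbeMailbox -ErrorAction SilentlyContinue)
    $bad = @($oa | Where-Object { $_.ResultType -ne 'Success' })
    $r += New-CheckResult 'OAuth EWS' ($oa.Count -gt 0 -and $bad.Count -eq 0) (($bad | ForEach-Object { $_.Detail }) -join '; ')

    # Cross-premises mail flow: send a tagged probe and confirm the on-prem org
    # handed it to Exchange Online (a SEND event on the outbound hybrid connector).
    $tag = "hybridprobe $([guid]::NewGuid())"
    Send-MailMessage -From $ProbeMailbox -To $CloudMailbox -Subject $tag -Body 'probe' -SmtpServer $env:COMPUTERNAME
    Start-Sleep -Seconds 60
    $sent = @(Get-MessageTrackingLog -MessageSubject $tag -EventId SEND -Start (Get-Date).AddMinutes(-5))
    $detail = if ($sent.Count -gt 0) { "handed off via $($sent[0].ConnectorId)" } else { 'no SEND event within 60 s' }
    $r += New-CheckResult 'MailFlow on-prem -> cloud' ($sent.Count -gt 0) $detail

    # DirSync is not deployed HA (slide 19), so alert on staleness rather than on the service.
    $last = (Get-MsolCompanyInformation).LastDirSyncTime
    if ($last) {
        $age = [int]((Get-Date).ToUniversalTime() - $last).TotalMinutes
        $r += New-CheckResult 'DirSync age' ($age -le $MaxSyncAgeMin) "last sync $age minutes ago"
    } else {
        $r += New-CheckResult 'DirSync age' $false 'tenant reports no directory sync yet'
    }
    $r
}

# Usage: run from a scheduled task; the non-zero exit code is what the monitoring agent alerts on.
$results = Test-HybridComponents
$results | Format-Table Check, Ok, Detail -AutoSize
if (@($results | Where-Object { -not $_.Ok }).Count -gt 0) { exit 1 }
```

Each check deliberately uses the same path a user or Exchange Online would use (a full TLS handshake, a real federation token, a real EWS call, a real message) rather than a service-status query, so a green result means the hybrid feature works end to end rather than that a process is running.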

  38. Monitoring & Troubleshooting DirSync, ADFS and Exchange issues Demo

  39. Helpful tools • Exchange Remote Connectivity Analyzer (www.exrca.com) • Exchange Deployment Assistant (aka.ms/exdeploy)

  40. Thank you! Q & A

