Exchange 2013 Hybrid Deployment on Office365 leveraging Azure

With all the new releases of Servers, Services and Devices, I thought it was time to build a Hybrid Deployment using Exchange 2013 Preview and Office 365 Preview.

I set out to do everything on Server 2012, but unfortunately that didn’t work out. So I had to cheat a little (which makes it more interesting): my onprem environment consists of Server 2012 machines only, and the Win2k8R2 machine I needed runs on Azure. The AD FS service required for Single Sign-On with Office 365 does not (yet) run on Server 2012. As a highly available AD FS service is a constraint for a lot of customers considering SSO, this might be a good option anyway: have your AD FS servers in the cloud, and you could even enforce geo-redundancy and the like.

So, first I need to acknowledge Office 365 MVP Jethro Seghers (http://jethroseghers.blogspot.nl/ and @jsegehrs) from Belgium, who already set up this configuration but has not had time to describe it yet.

Secondly, I used a great blog post by Paul Cunningham on installing Exchange 2013 on Server 2012 (http://exchangeserverpro.com/install-exchange-2013-pre-requisites-windows-server-2012).

And Trevor Smith for getting DirSync to run on Server 2012: http://community.office365.com/en-us/forums/613/p/63806/243279.aspx

I also acknowledge myself 🙂 for my earlier posts on setting up a Hybrid Deployment (been there, done that, got the certifications….. no t-shirts though).

Okay, that being said, let’s get going.

Here is my Bill of Materials:

And you need a couple of rainy Sunday afternoons to set it all up. It’s not that hard, but we have all met Mr. Murphy; he’ll check in every now and then.

Onprem Configuration

I am short on resources, so I only used 3 VMs in my “Private Cloud”: a Domain Controller, an Exchange Server and a Windows 8 client. It’s certainly not best practice to put the Directory Synchronization tool on the Exchange server, but it works.

It’s all straightforward configuration work; the certificate tool in Exchange 2013 works great. Just make the request, go to your certificate provider to submit the request and import the certificate. This is what it looks like:


I added the “sts” name so I can use this certificate on the AD FS Server as well.

Create some users, dynamic distribution groups and mailboxes and start mailing, scheduling and stuff like that. There should be something in there before we start moving things to Office 365.

Then you do ALL of the tests in the Exchange Remote Connectivity Analyzer (https://www.testexchangeconnectivity.com/):


….. and fix any issue before proceeding (keeps Mr. Murphy away).


Azure Configuration

The new Azure Portal is a real pleasure to work with; everything is where you expect it to be. First we have to do some networking so that the VMs running on Azure can connect to the Onprem environment, also using your Onprem DNS Server. On Azure you create a so-called Gateway Network and a private subnet and put them in an Affinity Group. Tick the checkbox saying you want to use this Gateway Network to connect to your Onprem environment.

Azure gives you the Gateway IP address, and a button shows the Pre-Shared Key to use when setting up your IPsec LAN-to-LAN VPN tunnel. On my Draytek router (running in my HAN, Home Area Network) that was a quick one, although the default time-out was too low (300 sec); I raised it to 1500 secs. The result (in the pic even my two VMs are already spinning):


I set up 2 VMs on Azure; just pick them from the Gallery. I took a Server 2012 for a Read-Only Domain Controller (it only serves authentication purposes out there) and a Win2k8R2 SP1 for the AD FS Server. When the networks are properly configured the machines obtain the appropriate IP addresses. An RDP endpoint is automatically created so you can manage the machines through RDP. I created an additional endpoint for the AD FS service.

I ran the dcpromo wizard to create the RODC (the Azure networking gave it the right IP settings, including my Onprem DNS Server) and I also joined the AD FS Server to the domain.


Office 365 Preview Configuration

The steps to take in the Admin Portal are the same as in the current version; it is still very important (keeps you out of trouble) to do things in the right order.

So, assuming that all is set to go, working and tested, this is the order:

  • Set up Single Sign-On by installing AD FS 2.0 and configuring it with the proper cmdlets in the MSOL PowerShell module.
  • The previous step asks you to add a TXT record in DNS for validation; after doing that you re-issue the last cmdlet.
  • Verify the addition of your domain name in the Portal.
  • Enable Directory Synchronization; it’s just a button in the Portal. It says it might take 24 hours; my experience is that it takes about 30 minutes.
  • When you see that DirSync is enabled you can run the configuration wizard, which prompts for both Online Admin credentials and Onprem (Schema) Admin credentials.
  • Verify Directory Synchronization in the Portal; your Onprem AD users should be listed there.
  • Verify SSO by logging in to the Portal with a synchronized user.

All this is necessary because a Hybrid Exchange Deployment uses only federated users, hence AD FS and DirSync.
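The SSO, domain verification and DirSync steps above as they look when driven from the MSOL PowerShell module. This is an added example, not code from the original post: the domain name, AD FS server name and user principal name are placeholders, and the cmdlets used (New-MsolFederatedDomain, Get-MsolDomainVerificationDns, Get-MsolDomain, Get-MsolCompanyInformation, Get-MsolUser) are the standard MSOnline ones of that era.

```powershell
# Added example (not from the original post): federate a domain, verify it,
# and check the DirSync and SSO state from PowerShell.
# $domainName, $adfsServer and $testUser are placeholders.
$domainName = "contoso.com"            # placeholder: the domain you are federating
$adfsServer = "sts.contoso.local"      # placeholder: internal name of the AD FS 2.0 server
$testUser   = "user@$domainName"       # placeholder: an onprem user that DirSync should create

$cred = Get-Credential                 # Online (tenant) admin credentials
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer $adfsServer

# Step 1: first run registers the domain as federated and stops until DNS proves ownership.
New-MsolFederatedDomain -DomainName $domainName

# Show the TXT record Office 365 expects, so it can be added at the registrar.
Get-MsolDomainVerificationDns -DomainName $domainName -Mode DnsTxtRecord |
    Format-List Label, Text, Ttl

# Step 2: once the TXT record has propagated, re-issue the same cmdlet to complete federation.
New-MsolFederatedDomain -DomainName $domainName

# Step 3: the domain should now be Verified and use Federated authentication.
Get-MsolDomain -DomainName $domainName | Format-List Name, Status, Authentication

# Step 4: DirSync can also be switched on here instead of with the Portal button.
Set-MsolDirSyncEnabled -EnableDirSync $true
# LastDirSyncTime stays empty until the DirSync tool has completed its first run.
Get-MsolCompanyInformation | Format-List DirectorySynchronizationEnabled, LastDirSyncTime

# Step 6: a synchronized user carries an ImmutableId and a LastDirSyncTime; a
# cloud-only user shows neither, which is the quickest way to spot a DirSync problem.
Get-MsolUser -UserPrincipalName $testUser |
    Format-List UserPrincipalName, LastDirSyncTime, ImmutableId
```

The second New-MsolFederatedDomain call is the "re-issue the last cmdlet" step from the list; running it too early simply repeats the TXT-record instruction, so there is no harm in retrying.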


Exchange 2013 and Exchange Online Hybrid Deployment

Finally, we’re getting there: getting the 2 Exchange organizations to talk to each other, allowing for calendar sharing, mailbox moves, complete GALs, etc. I was not that enthusiastic about the wizard in Exchange 2010 SP2; it takes away the deeper insight into what is actually happening. In my trainings I still do it the manual way, and if time permits I let my students do the SP2 wizard.

So I’m quite curious about the Exchange 2013 “Exchange Administration Center” and the wizard in there…..

As soon as you hit “Hybrid” in the all-new Exchange Admin Center, a button appears with “Enable”; then it asks you to log on to Exchange Online, so you end up in the Exchange Admin Center …… online! As soon as you hit Hybrid in there, a button appears with “Enable”. It looks like that way you have enabled Hybrid Deployment on both sides.


That looks very promising! YES! The next one looks familiar from the “old” Hybrid Deployment, proof of ownership for your domain:


I go to GoDaddy to do just that. Oops, slight error in the “Copy to clipboard”: it also takes the domain name field… do NOT put that into your DNS tool!! GoDaddy is fast, so I could continue right away.


Centralized Mail Transport allows mail flow from Exchange Online to the Internet to be routed through your Onprem mail servers (compliance, journaling or whatsoever). The Edge role does not exist anymore (as TMG soon won’t), so I choose Hub Transport.


Easy choice, I only have one server deployed…. It should be an Internet-facing CAS server though; Hybrid Deployment is leveraged by Exchange Web Services found through Autodiscover. I skip the next screenshot; it’s the same, but now it’s about the sending server.


I have set up my Exchange certificate real good! Exchange Online recognizes it right away, and asks me for the SMTP address of my Onprem server:


No surprise here (I’ll keep that to myself 🙂):


This looks almost too easy to be true:


Checking Onprem, checking Tenant, checking prerequisites ….. a

All the manual steps from the good old times come by….. and yes indeed, this used to be the case all the time….


It used to be a matter of time-outs, so I’ll just cancel it (the changes made are already there) and do some manual stuff, but not before running the wizard a third time (Mr. Murphy, please leave).


Let’s see what there is to modify….. hmmm, not much; exactly the same wizard with the same results 🙁.


Hey, I’m on Wave 15! This appears when I look at the “Organization” node.

Here’s the FIX!


I added my namespace not from the Online interface but from the Onprem interface! That seems to work perfectly! I just passed all the nodes and settings and it looks okay…. Time to move a mailbox to Online, I guess.

The usual credential stuff (I’m triggering the Move from Online):


The wizard gets it wrong again…. As in Exchange 2010 SP2, the automatically configured endpoint is my local FQDN, which of course is not resolvable from Online. I manually enter the webmail.domain.domain endpoint and off we go.


YES! There he is! Note the very, very, very small arrow pointing to “Office365”; it took me some minutes 🙂, and by that time the move had already completed (just 2 items).

Last checks for now:

  • Mail flow Onprem-Online and vice versa: check
  • Mail flow Online-Internet and vice versa: check
  • Calendar sharing: check
  • All of that double-checks the AD FS deployment as well 🙂: check

Great!

Been there, done that, now I want the T-Shirt!

Thanks for reading and don’t hesitate to comment or to contact me!


Office 365 vNext: Ignite Session October 2012

This week I have been attending the Ignite Sessions on Office 365, three days of Technical Deep Dives and the newest features of all the products in the suite. There is quite some new stuff in there!

To enable businesses to use all of those features, I think it’s time (at last) to get some form of user training, because the changes on the client side of the next Office 365 are drastic (and, IMO, users are stuck when it comes to effectively using Office apps). Yeah! Training time! Not only because of Office 2013 and SharePoint 2013, but also because of Windows 8. We should be very happy with these new versions, because now the toolset is in such shape that we can really work on user productivity. Note that I am not using the term “end user”, just “user”, because the same applies to systems engineers, administrators and so on.

The Windows Desktop and Office Suite haven’t changed much since Windows 95 and Office 95, and neither have our habits of using them. In those days user training was booming; I trained over 1,000 people to get from MS-DOS/WP5.1/Lotus 123 to Windows 95/Office 95. Why did we stop doing that? We invested billions in hardware and software over the past two decades, but we left users where they were, and thus where they still are. Seems like a waste. So here is a brand new desktop and a brand new set of apps. Boy, will users be baffled when they see a couple of demos of touch, Windows 8 and Word Web App; adoption will take a lot of time if we do not put some effort into education.

So, that being said, what’s new in Office 365? It’s too much, but here are some of my highlights.

The Portal

The top navigation bar will follow whether you go to Outlook Web App, SharePoint Online, People, etc.


Mail

Two years ago I read on some Exchange expert blog “We’re done”: Exchange is final, finished, nothing to do anymore. Well, they got it wrong. Exchange 2013 has a couple of totally new architectural concepts. For starters, there are only 2 roles left: Client Access and Mailbox. Secondly, RPC/TCP is no longer supported; everything is RPC/HTTP(S). For the real details please look at http://www.microsoft.com/exchange/en-us/exchange-preview.aspx.

On the client side, well, Outlook is still Outlook, no very radical changes. OWA is a bit sober, no more colors, but the feature set is as expected. Best news is the partial OST file: just cache mail from the last 12 months or whatever setting you like.


Files

SharePoint has been overhauled thoroughly. MySite is now called SkyDrive Pro and there are (touch)tiles all over the place:


Everything is called an App, so a Library is an App and a List is an App. You add Apps to your sites. A really handy feature is the Site Mailbox: you then have a kind of mail-enabled team site to keep mail and documents together in either Outlook or SharePoint.

Very spectacular is the way the Office Web Apps behave across different devices; the Apps seem to know whether you are using a touch (Windows 8) device or a full (mouse) desktop device.

Projects, documents and lists are displayed the same way as the new social pages, now to be found on the top menu bar under People and Newsfeed. So you can follow documents (sets) and people in the same way; very nice and easy!


Office

As mentioned, it’s school time! Is it SharePoint or is it Office? I really think that we can boost our productivity significantly by starting to use all of those features the way they are meant to be used. So finally, normal.dot is no longer hardcoded to A4 or legal paper size, knowing that just a small percentage will ever be printed. That makes sense and also makes a huge difference for the reading and editing panes: much more fluid and logical. Excel pivot tables are now so easy for everyone to make use of; some great improvements there, especially when you add Apps into it, like Bing Maps.

Deployment and updates are smooth streaming processes, and there even is an option for Office on Demand! Need Word just now? Click and go, and nothing is left when you’re done (I use it all the time on my servers, to read configuration guides and stuff like that).

There is a really nice OneNote MX Metro App (Preview); it’s kind of “always on” whether you’re on a mobile device, tablet or desktop, with multiple people all at the same time in the same OneNote. Brilliant!


And now we’ll have to wait….. current Office 365 customers will be upgraded and are able to choose, for example, when SharePoint gets the new looks. No hard dates just yet; somewhere in Q1 2013 we’ll have General Availability.

Upcoming Blog: building Exchange 2013 Hybrid Deployments using ONLY Server 2012 (challenge with AD FS).

Server 2012 Certification Tracks

Server 2012 is here! And so are a great deal of the exams necessary to earn your certifications. I took them all, either the real thing or in beta (the beta period is over though, so you’ll have to wait). So what’s available and what are they like?

Microsoft Certified Solutions Associate: Server 2012

  • Exam 070-410, Installing and Configuring Windows Server 2012
  • Exam 070-411, Administering Windows Server 2012
  • Exam 070-412, Configuring Advanced Windows Server 2012 Services
  • Or Exam 070-417, Upgrading Your Skills to MCSA Windows Server 2012, which is the 3 exams above taken all at once

I did 070-410 (beta) and 070-417 and passed them both. There is not much preparation material available yet, so how did I prepare? Well, first of all, I already started playing around with Server 2012 when the first Technical Preview became available, so I’m already pretty familiar with the interfaces, the “what-is-where-and-how” questions on the exams. Secondly, I am really well grounded in the previous versions of Windows Server; there is a lot of good old stuff in the exams. And third, I took a very close look at the “Skills being measured” section on the Microsoft Learning website: http://www.microsoft.com/learning/en/us/Exam.aspx?ID=70-417&locale=en-us#tab1 (substitute the exam number in the URL for whichever exam you want). Actually, I did everything mentioned on those pages! Been there, done that, got the certification (no shirts yet in the eCompany Store though….)

Exam 070-410 was a piece of cake; I took the beta unprepared and for free during Microsoft TechEd 2012 in Amsterdam, and I was not surprised by the result. I took exam 070-417 playing a game with some co-workers: who would be certified before October first. Jimmy van der Mast and I took it up and both passed. It’s a tough exam! Very lengthy; it took me 2.5 hours to complete, and a lot of stuff is covered. As a trainer/coach I would suggest to a lot of folks to take the 3 separate exams instead of this one, which has been the case with all previous versions of the Upgrade-your-skills exams. It’s 3 exams in one: you cannot go back to a finished section, you get 3 scores, and the lowest one is the final score. So you must pass all 3 sections. No surprise that both Jimmy and I had the lowest score on the third section; there’s no “good old stuff” in there.


Microsoft Certified Solutions Expert: Server Infrastructure

  • Exam 070-413, Designing and Implementing a Server Infrastructure
  • Exam 070-414, Implementing an Advanced Server Infrastructure

Those exams are currently not available (I took the betas, no scores so far). According to the Microsoft Learning website they will be “live” on October 16. You can look at the “Skills being measured” by taking the URL mentioned above and changing the exam number. And then you will see…….. wow, this covers a lot more than only Server 2012! There is quite a bit of System Center 2012 in there, so you have to be fairly familiar with SCOM, SCCM and SCVMM, and you have to know about App Controller, Orchestrator, SCSM and SCDPM. And of course there is networking, networking and more networking. And there are all flavors of storage. BEWARE!

On exam 070-413, the name is not well chosen (IMHO). I think “Design” would fit better on exam 070-414; then they would be more in line with the former Server 2000/2003 design exams. So exam 070-413 is still about “what-is-where-and-how”: know the interfaces, know how to fulfill requirements, step by step, complete the tasks. Whereas exam 070-414 is more about deciding which technology should be implemented given the requirements. More thinking and overview is required for the latter. I’m good at that, so I thought the first one was tougher than the second one.

Again, my preparations were about doing it all, building the complex infrastructures and DOING it ALL. Fortunately there are Microsoft’s Virtual Labs (http://technet.microsoft.com/en-us/windowsserver/hh968267.aspx), so you don’t have to build everything yourself.

Overall, these are really tough exams. The certification will be a great asset on your resume.


Microsoft Certified Solutions Expert: Desktop Infrastructure

  • Exam 070-415, Implementing a Desktop Infrastructure
  • Exam 070-416, Implementing Desktop Application Environments

Same story here: betas, no scores yet, live on October 16. And again a lot of System Center 2012 products, networking, storage, performance and optimization. Depending on your line of expertise (mine is more in infrastructure than desktops and applications) this track is at least as tough as the Server Infrastructure track. Lucky for me that Qwise, my employer, does a lot of “Server Based Computing” (Citrix, RDS), VDI and App-V projects, so I am well grounded in those matters. And isn’t everything about the App?

Regarding the differences between the 2 exams, the track is very similar to the Server Infrastructure track. And also here, this certification will look great on your resume, because the market will soon find out that not many of us will succeed in passing both exams.


Happy studying! I’ll keep you posted!

Update, October 23: no MCSE for me, passed one exam in both tracks.


Upcoming: Office 365 Ignite Training + Office 365 User Group NL Meeting

Next week I will be attending the Office 365 Ignite training in Amsterdam to get all the tech-deep-dives for the vNext of Office 365.

A lot of the attendees at the Ignite training will go to the Office 365 Dutch User Group meeting on Thursday evening; see http://www.o365ug.nl if you would like to register.

So watch for my blog posts next week; I have some writing to do 🙂

Update Certificates in AD FS for Office365

As Office365 was launched just over a year ago, there will be organizations that run into an issue with their AD FS (SSO) implementation, the result of which is that NO FEDERATED USER is able to sign in to any of the Office 365 services!!!!

“Set it and forget it” works for just 1 year if you implemented AD FS the fast and easy way. A couple of things might have happened in those 12 months:

–          Token Signing Certificate is expired

–          MSOL Services Module for Windows PowerShell has not been updated

–          Sign In URL Certificate is expired

In this blog post I’ll walk through the update process for the first two from this list. The web service (Sign In URL) probably involves a public certificate and has to be updated through the IIS Management Console after renewing your public web certificate.

Of course it is best to do this BEFORE the expiration dates!!!!

The starting point for renewing the Token Signing Certificate is taking a look at the current settings in both the AD FS Management Console and MSOL PowerShell:

Open the MSOL Services Module for Windows PowerShell and enter the following commands:

$cred = Get-Credential                    # enter your Online Admin credentials

Connect-MsolService -Credential $cred

Set-MsolADFSContext -Computer <your adfs servername>

Get-MSOLFederationProperty -DomainName <your domainname>

The output looks something like this:


Have a close look at the Token Signing Certificate “not after” date and the thumbprint, which are both equal for Source “your AD FS Server” and Source “Microsoft Office365”.

The second step is to verify the current settings in the AD FS Management Console:


In this console you click “Add Token-Signing Certificate”:


Probably you’ll end up with this warning and the wizard will not continue; fortunately the warning gives us exact information on how to add a new certificate to AD FS:


Open PowerShell as Administrator and run:

Add-PSSnapin Microsoft.Adfs.Powershell

Update-ADFSCertificate -CertificateType: Token-Signing -Urgent:$true

You can check the new certificate by looking at the date in the AD FS Management Console:


Now we have to update the Microsoft Federation Gateway with this newly created certificate on our AD FS Server, because there is now a difference between the settings on the two.


The command for doing that is:

Update-MSOLFederatedDomain -DomainName <your domainname>

Check the result by entering the following command:

Get-MSOLFederationProperty -DomainName <your domainname>
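The whole renewal walkthrough above as one script: compare the token-signing thumbprints AD FS and Office 365 each report, roll the certificate when it is close to expiry, push the new one to the Federation Gateway and re-check. This is an added example, not the post’s own script. It assumes it runs elevated on the AD FS 2.0 server; the server name, domain name and the 30-day threshold are placeholders; and it relies on the TokenSigningCertificate and Source properties of Get-MsolFederationProperty output and the IsPrimary, Certificate and Thumbprint properties of Get-ADFSCertificate output, which is what those cmdlets return but is stated here as an assumption.

```powershell
# Added example (not from the original post): check, roll over and publish the
# AD FS token-signing certificate. Run elevated on the AD FS server.
# $adfsServer, $domainName and $warnDays are placeholders.
$adfsServer = "sts.contoso.local"   # placeholder: your AD FS server name
$domainName = "contoso.com"         # placeholder: your federated domain
$warnDays   = 30                    # placeholder: roll when fewer days than this remain

Add-PSSnapin Microsoft.Adfs.Powershell -ErrorAction SilentlyContinue
$cred = Get-Credential              # Online admin credentials
Connect-MsolService -Credential $cred
Set-MsolADFSContext -Computer $adfsServer

# 1. What does each side trust right now? Source is the AD FS server or Microsoft Office365.
$props = Get-MsolFederationProperty -DomainName $domainName
foreach ($p in $props) {
    $c = $p.TokenSigningCertificate
    "{0,-22} thumbprint={1} not after={2:yyyy-MM-dd}" -f $p.Source, $c.Thumbprint, $c.NotAfter
}
$thumbs = @($props | ForEach-Object { $_.TokenSigningCertificate.Thumbprint } | Sort-Object -Unique)
$inSync = ($thumbs.Count -eq 1)
if (-not $inSync) { Write-Warning "AD FS and Office 365 disagree on the token-signing certificate" }

# 2. How much validity is left on the certificate AD FS actually signs with?
$primary  = Get-ADFSCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$daysLeft = ($primary.Certificate.NotAfter - (Get-Date)).Days
"Primary token-signing certificate expires in $daysLeft days"

# 3. Close to expiry: generate a new self-signed certificate and make it primary immediately.
#    From this moment Office 365 still holds the old thumbprint, so step 4 must follow at once.
if ($daysLeft -lt $warnDays) {
    Update-ADFSCertificate -CertificateType Token-Signing -Urgent:$true
    $inSync = $false
}

# 4. Publish the new certificate to the Microsoft Federation Gateway and confirm both sides match.
if (-not $inSync) {
    Update-MsolFederatedDomain -DomainName $domainName
    Get-MsolFederationProperty -DomainName $domainName |
        Format-Table Source, @{ n = 'Thumbprint'; e = { $_.TokenSigningCertificate.Thumbprint } } -AutoSize
}
```

The -Urgent switch is what makes the order critical: it promotes the new certificate at once, so every federated sign-in fails until Update-MsolFederatedDomain has told Office 365 about the new thumbprint. Without -Urgent, AD FS keeps the old certificate primary for the grace period and the Federation Gateway can be updated at leisure, which is the safer routine for a scheduled renewal.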


If you did not use the self-signed certificate in AD FS but assigned certificates through your local PKI, please see the following website: http://support.microsoft.com/kb/2383983.

To avoid any issues of this kind you can use the Microsoft Office 365 Federation Metadata Update Automation Installation Tool which you can download from:

http://gallery.technet.microsoft.com/scriptcenter/Office-365-Federation-27410bdc

Finally, it might be a good idea to check whether you are using the latest version of the MSOL Services Module for Windows PowerShell. As far as I know this tool is not automatically updated by Windows Update.


Good Luck!

Technical Learning Guide in the Hands-on Labs at TechEd Europe 2012!

Last year at TechEd NA in Atlanta I had my first opportunity to assist in the Hands-On Lab area. A great experience for all MCTs!

This year, at first I was not among the lucky ones, but I received an invitation eventually! So, I’ll be at TechEd Amsterdam, just around the corner from my home!

CU at http://europe.msteched.com/


Shortening Product Lifecycles for ICT Products, what should an IT Professional do?

Over the past three decades a lot has happened in the ICT world; I’m not even going to summarize it. But when you’ve been around for some time you might wonder what to do with the next wave of great technologies coming at us. About 14 years ago I already had that feeling and decided to do Microsoft only. But within that portfolio, wow, far too much to handle.

I realize that if I’m going to throw myself at Server8, Hyper-V3 and System Center 2012, that will only be for a couple of years. If I don’t throw myself at it, I’ll never close the gap again.

I’m gonna be picky though, trying to imagine what the life of an ICT Pro will look like when Server8 is old school. Last week I led a workshop for people who train young high potentials: what should they focus on? A lot of Cloud stuff, but that is not specific enough.

Classic IT Pros do their server stuff, networking, storage and the lot. But thanks to datacenter automation tools just one operator can manage hundreds or thousands of servers, so that is not the road to go. To be blunt: who needs servers, who needs an OS? It’s all about the App and the corresponding data. And when that App is somewhere out there we do not even need to deploy it any longer. Bye, bye, decade of deployment.

Current IT Pros will do the job in the cloud-transition period; the newbies will never get that experience, and they do not need to, because it’s only worth something for a short period of time. So what should the newbies focus on? I think there are a couple of areas where they can create very good positions for themselves.

Identity, authentication and authorization management, along with security policies, will be booming within the corporate environment. It’s hard for a lot of the current “server huggers” to look beyond their line of duty. They are losing their control.

Application Development, Cloud Apps, probably HTML5 based. No more device or OS specific packages needed, the App runs out there.

Business Intelligence. Over the years we have gathered humongous amounts of data of which about 90% is never being used. We don’t even know that we don’t know what treasures are in there.

And that is where old meets new: Certificate Services, Rights Management Services, Federation Services, App-V and Server App-V, SharePoint, SQL and .NET are some of the Microsoft technologies that both current and future IT Pros will have to master through certification and hands-on experience.


Microsoft Cloud Certification – So What’s New?

A couple of weeks ago I already blogged about the 2 new Microsoft Exams on Cloud. There’s nothing new about Microsoft introducing new exams and new exam tracks.

And yet, there is something really different going on now. Most of the Microsoft exams are about servers, their installation, configuration and management.

Well “Server Huggers”, I have bad news for you! We’re done with servers, it’s all about Services! Those of you who already took the Office365 (beta) Exams know what I’m talking about.

For the MCT-Community that is going to be tough as well. A lot of my fellow (senior) consultants are still thinking “servers” and are having a hard time in shifting that towards “services”. And as senior consultants are having a hard time in making that shift, imagine what that means for Systems Engineers, the people we train.

So, are you up to it? Are you able to let go of your servers? Because you have to “walk the talk”, don’t you? You cannot preach services while clinging to your servers. There is loads of stuff out there to train yourself in shifting from servers to services:

–          Office365

–          Windows Intune

–          Azure

–          System Center Virtual Machine Manager 2012

–          System Center 2012 as a whole (that is a lot of food….)

If you haven’t begun already you should start right now! I’m talking about your future, no kidding. The other day I attended a seminar at Microsoft about the Microsoft Datacenters. The speaker was very, very clear: the server huggers will be the first people to lose their jobs in the next 3 to 7 years.

Get Ready!

Windows8 and Office365

After 48 hours of playing with Windows8 I found some interesting things when using Office365 Services.

Exchange

Windows8 comes with a Mail client. For my company Qwise, we have set up Active Directory Federation Services. But when connecting with the Windows8 Mail client, you just put in your mail address and your password and you’re ready to go. Apparently the redirection to the Federation Server occurs in the background. That’s neat!

And you can have multiple accounts in there as well; I use Office365 for both my work mail and my private mail. As in Outlook 2010, I can connect to more than one Exchange Server! Cool!

Here’s what the mail client looks like:

Sharepoint

When connecting to SharePoint Online you do get redirected from the Portal to your AD FS Server for credentials. But from that point all looks great in Internet Explorer 10 (?).

Here’s a shot of Word WebApp:

Lync

The Lync client is a bit less….. it does not run as a Tile; you have to go to the old Desktop to run Lync….. I guess there will be some sort of remake of Lync Mobile that will fit into Windows8.

Looking forward to more………