Wednesday, 24 February 2016

Office 365 Exchange Hybrid deployment

Hybrid deployments can be configured for on-premises organizations running Exchange 2007 or later, but you have to install at least one hybrid server (for example, Exchange Server 2010 or 2013) in your existing Microsoft Exchange organization.

Hybrid deployment prerequisites

Adding Domain Names to Office 365

The Exchange organization uses a domain of “”, so I need to add that custom domain to the Office 365 tenant. This task is performed in the Office 365 admin portal, in the Domains section.

When you add a domain, Microsoft will provide you with a TXT record value to add to the public DNS zone for that domain, which proves that you own and control the domain.
After successfully verifying domain ownership we’re also given the option to update existing user accounts to use the new domain, or add new accounts. I’ve skipped both options in this case, and proceeded to the DNS records. For this organization I host my own DNS records in Amazon Web Services Route 53.
I’m also planning to use the domain for Outlook, Skype, and MDM. The selections at this step determine which DNS records Microsoft will ask you to create.
The full list of DNS records to add is presented. A word of caution here: I’m not ready to direct mail flow and Autodiscover to Office 365 yet, because I’m just making preparations for my Hybrid deployment at this stage. So the Autodiscover, SPF and MX records will not be added to my DNS zone now. The other records can be added at this time though.
We can ignore the errors for the records that aren’t ready to be deployed or changed at this stage.
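The staged DNS state described above (ownership TXT record in place, but MX, SPF and Autodiscover still pointing on-premises) can be checked from a Windows box before continuing. This is an added example, not part of the original post; it assumes the DnsClient module (Resolve-DnsName) and uses a placeholder domain, since the post does not show the real one.

```powershell
# Added example: verify the pre-cutover DNS state for a hybrid deployment.
# Assumes Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 or later).
$Domain = 'example.com'   # placeholder; substitute the custom domain added to the tenant

function Test-HybridDnsStage {
    param([Parameter(Mandatory)][string]$Domain)

    $result = [ordered]@{}

    # 1. Ownership proof: Office 365 asks for a TXT record of the form "MS=ms########" at the zone apex.
    $txt = Resolve-DnsName -Name $Domain -Type TXT -ErrorAction SilentlyContinue
    $result.VerificationTxtPresent = [bool]($txt.Strings -match '^MS=ms\d+$')

    # 2. Records that must NOT point at Office 365 yet, because mail flow stays on-premises for now.
    $mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue
    $result.MxOnOffice365 = [bool]($mx.NameExchange -match '\.mail\.protection\.outlook\.com$')

    $spf = $txt.Strings | Where-Object { $_ -like 'v=spf1*' }
    $result.SpfIncludesOffice365 = [bool]($spf -match 'include:spf\.protection\.outlook\.com')

    $ad = Resolve-DnsName -Name "autodiscover.$Domain" -Type CNAME -ErrorAction SilentlyContinue
    $result.AutodiscoverOnOffice365 = [bool]($ad.NameHost -match '^autodiscover\.outlook\.com$')

    # Expected at this stage: VerificationTxtPresent = True, all three "OnOffice365" flags = False.
    $result.ReadyForHybridPrep = $result.VerificationTxtPresent -and
        -not ($result.MxOnOffice365 -or $result.SpfIncludesOffice365 -or $result.AutodiscoverOnOffice365)

    [pscustomobject]$result
}

Test-HybridDnsStage -Domain $Domain | Format-List
```

A `True` for any of the three Office 365 flags at this point means mail flow or Autodiscover has been redirected earlier than the plan above intends.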

Configuring Active Directory Synchronization

To get started with Active Directory synchronization I need to enable it in my Office 365 tenant. After logging in to the Office 365 portal with a tenant admin account, go to Users -> Active Users, and click Manage for Active Directory synchronization.

The directory sync status should show as “deactivated” if this is the first time you’ve looked here. Click the button to Activate directory sync.

Preparing for Directory Synchronization

While we’re here I’ll also download the IdFix Tool to run in the on-premises Active Directory. IdFix scans your Active Directory for any objects or attributes that might cause a problem with directory synchronization, and you should always run it as part of your preparation. Fortunately in my case, there are no problems reported.

Installing Azure Active Directory Connect

Next, I’m going to download and install Azure Active Directory Connect (AAD Connect). AAD Connect is the latest tool from Microsoft for deploying directory synchronization, replacing the earlier DirSync and AADSync tools. If you’re deploying a Hybrid configuration today, I recommend you start with AAD Connect. However, there are some scenarios where the other tools may be required instead. You can read more about those in our eBook, Office 365 for Exchange Professionals.
AAD Connect has an express setup option, which I am going to use to speed up the install since it meets the basic requirements of my scenario.
Enter the Azure AD credentials (this is the Office 365 tenant admin account that was created while provisioning the tenant).
Then enter on-premises Active Directory enterprise admins credentials.
Before completing setup I need to uncheck the box so that synchronization doesn’t start immediately, and then check the box for Exchange hybrid deployment.
Finally, I click Install to let setup go ahead and install AAD Connect on my server.

Configuring Azure Active Directory Connect

I want to customize my AAD Connect configuration before I start synchronizing, but before I do anything I first need to log out and log back in to the server. After logging back in, open the Synchronization Service Manager. Select Connectors, then open the properties of the Active Directory Domain Services connector.
In Configure Directory Partitions go to Containers. There’s a prompt for credentials at this step, so just enter your administrator credentials to proceed.
By default, all of the containers in Active Directory are selected for synchronization. The customization I want to make in this case is to remove all but my “Company” OU, so that not every object in the on-premises Active Directory is synchronized to the cloud (for example, I don’t want service accounts synchronizing).
After applying that change, it’s time to enable synchronization.

Enabling the Synchronization Schedule

On the AAD Connect server a Task Scheduler task has been configured by AAD Connect for the synchronization schedule. The task is disabled because I chose not to start initial synchronization at the end of setup. All I need to do now is enable it.
Simply wait for the next run time of the task, or run it manually if you’d like to see results straight away.

Verifying Active Directory Synchronization

If Active Directory synchronization was successful we see user accounts populated in the Office 365 admin portal, with a status of “Synced with Active Directory”.
You can also go to and log in with one of the user accounts to verify that the username and password work.
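Beyond checking the portal, it is worth confirming that nothing outside the “Company” OU chosen as the sync scope actually reached the tenant. The following is an added example, not part of the original post; it assumes the ActiveDirectory and MSOnline modules, an existing Connect-MsolService session, the default objectGUID source anchor, and a placeholder OU path built from the OU named above.

```powershell
# Added example: compare cloud-synced users against the on-premises OU used as the AAD Connect scope.
# Assumes: Import-Module ActiveDirectory; Import-Module MSOnline; Connect-MsolService already run.
# The distinguished name below is a placeholder; only the "Company" OU name comes from the post.

function Get-UnexpectedSyncedUsers {
    param(
        [Parameter(Mandatory)][string]$ScopeOu   # e.g. 'OU=Company,DC=example,DC=com'
    )

    # With the default source anchor, ImmutableId in Azure AD is the Base64 form of the objectGUID bytes.
    $expected = @{}
    Get-ADUser -SearchBase $ScopeOu -Filter * | ForEach-Object {
        $expected[[Convert]::ToBase64String($_.ObjectGUID.ToByteArray())] = $_.DistinguishedName
    }

    # Every cloud user AAD Connect has written carries a LastDirSyncTime and an ImmutableId;
    # anything synced whose anchor is not under the scoped OU came from outside the intended filter.
    Get-MsolUser -All |
        Where-Object { $_.LastDirSyncTime -and $_.ImmutableId } |
        Where-Object { -not $expected.ContainsKey($_.ImmutableId) } |
        Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime
}

# Tenant-level sync state first, then any objects synced from outside the "Company" OU.
Get-MsolCompanyInformation | Select-Object DirectorySynchronizationEnabled, LastDirSyncTime

$outOfScope = Get-UnexpectedSyncedUsers -ScopeOu 'OU=Company,DC=example,DC=com'
if ($outOfScope) {
    Write-Warning 'Synced users found outside the scoped OU:'
    $outOfScope | Format-Table -AutoSize
} else {
    'All synced users are inside the scoped OU.'
}
```

Any account listed here (a service account, for instance) indicates the container filter in the Active Directory Domain Services connector did not take effect as intended.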
