Microsoft Office 365 Administration Inside Out

Julian Soh Anthony Puca Marshall Copeland Copyright © 2013 by Julian Soh, Anthony Puca, Marshall Copeland All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher. ISBN: 978-0-7356-7823-1 Fifth Printing: March 2015 Printed and bound in the United States of America. Microsoft Press books are available through booksellers and distributors worldwide. If you need support related to this book, email Microsoft Press Book Support at [email protected]. Please tell us what you think of this book at http://www.microsoft.com/learning/booksurvey. Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/ Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners. The example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are ﬁ ctitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred. This book expresses the author’s views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.

Acquisitions and Developmental Editor: Kenyon Brown Production Editor: Kara Ebrahim Technical Reviewers: Darryl Kegg, Scott Wold, Stephen Jones, and Mark Ghazai Copyeditor: Barbara McGuire Indexer: BIM Publishing Services Cover Design: Twist Creative • Seattle Cover Composition: Ellie Volckhausen Illustrator: Rebecca Demarest Contents at a glance

PART 1: Introducing Office 365 PART 4: Integrating and using Chapter 1 Office 365 Services The business case for the cloud ...... 3 Chapter 10 Chapter 2 Introducing Exchange Online...... 429 Planning and preparing to deploy Chapter 11 Office 365...... 17 Planning and deploying hybrid Exchange. . 459 Chapter 12 PART 2: Office 365 Foundations: Mailbox migration and administering Identity Management Exchange Online ...... 565 Chapter 3 Chapter 13 Active Directory Federation Services...... 71 SharePoint Online...... 631 Chapter 4 Chapter 14 Directory synchronization...... 137 Lync Online...... 699 Chapter 15 PART 3: Office 365 Foundations: Office 365 Professional Plus...... 759 Monitoring and Automation Chapter 5 PART 5: Advanced topics: Monitoring Office 365 with System Center. . 207 Incorporating Office 365 with Chapter 6 Windows Azure Customizing Operations Manager Chapter 16 reports and dashboards for Office 365. . . . . 283 Advanced concepts and scenarios for Chapter 7 Office 365...... 781 Automating Office 365 management using Orchestrator...... 325 PART 6: Appendix Chapter 8 Appendix Office 365 and Service Manager Windows PowerShell scripts for automation...... 351 Office 365...... 813 Chapter 9 Windows PowerShell for Office 365...... 395

iii

Table of contents

Foreword ...... xv Introduction ...... xv. ii Who this book is for ...... xvii Assumptions about you ...... xviii Conventions ...... xviii Text conventions ...... xviii Design conventions ...... xix Acknowledgments ...... xxi Support & feedback ...... xxiii Errata ...... xxiii We want to hear from you ...... xiv Stay in touch ...... xxv

PART 1: Introducing Office 365 Chapter 1: The business case for the cloud ...... 3 Consumer vs. enterprise ...... 3 Office 365 ...... 4 Licensing overview ...... 5 Office 365 terminology ...... 8 Tenant ...... 8 Tenant name ...... 8 Vanity domain name ...... 9 Waves ...... 9 Hybrid ...... 9 Examples and screen shots ...... 9 Government Community Cloud ...... 10 Business case for Office 365 ...... 10 Subscription model ...... 10

What do you think of this book? We want to hear from you! Microsoft is interested in hearing your feedback so we can improve our books and learning resources for you. To participate in a brief survey, please visit:

http://aka.ms/tellpress

v vi Table of contents

Economies of scale ...... 11 Scalability ...... 11 Redundancy ...... 11 Core competency ...... 12 Trust Center ...... 12 Certifications ...... 13 Regulatory compliance ...... 14 Summary ...... 15 Chapter 2: Planning and preparing to deploy Office 365 ...... 17 Approach to planning and evaluating Office 365 ...... 17 Foundational planning and remediation tasks ...... 18 Service-specific planning and remediation tasks ...... 18 Office 365 planning, deployment, and troubleshooting tools ...... 18 Office 365 Service Descriptions ...... 19 Office 365 Deployment Guide ...... 20 Microsoft Office 365 Deployment Readiness Toolkit ...... 21 Network planning and analysis ...... 26 Quality vs. quantity ...... 27 Misconception about distance ...... 28 Speed test ...... 28 Basic traffic analysis ...... 35 Putting it all together ...... 38 Alternative approach to email traffic analysis ...... 39 Network requirements for SharePoint Online ...... 43 Network requirements for Lync Online ...... 44 Microsoft Remote Connectivity Analyzer ...... 46 Microsoft Online Services Diagnostics and Logging Support Toolkit ...... 48 Windows PowerShell ...... 52 Microsoft Online Services Module ...... 54 Microsoft Windows PowerShell Integrated Scripting Environment (ISE) 3.0 . . . 66 Summary ...... 68

PART 2: Office 365 Foundations: Identity Management Chapter 3: Active Directory Federation Services ...... 71 Different types of user accounts ...... 71 Cloud identity ...... 72 Federated identity ...... 72 Integrating Active Directory with Office 365 ...... 73 Adding your domain name to Office 365 ...... 74 Active Directory Federation Services ...... 82 Single sign-on experience ...... 83 Single sign-on requirements ...... 84 Remediating the UPN suffix ...... 86 Installing IIS on the AD FS server ...... 92 Requesting and installing certificates ...... 92 Table of contents vii

Planning the AD FS architecture ...... 99 Installing and configuring AD FS 2.0 ...... 101 Testing the federation server ...... 112 Converting the domain from standard authentication to identity federation . . 113 Updating the federation URL endpoint ...... 117 Removing Active Directory Federation Services ...... 122 Converting a domain from identity federation to standard authentication . . 123 Completely uninstall AD FS 2.0 ...... 125 Summary ...... 135 Chapter 4: Directory synchronization ...... 137 Directory synchronization process ...... 140 Activating directory synchronization ...... 140 Updating the AD schema ...... 141 Activating directory synchronization with Windows PowerShell ...... 144 Activating directory synchronization through the admin center ...... 145 Installing Windows Azure Active Directory Sync ...... 147 Installing directory synchronization with a dedicated computer running SQL Server ...... 151 Installing directory synchronization with Windows Internal Database . . . . . 163 Configuring directory synchronization ...... 168 Verifying directory synchronization ...... 176 Verifying directory synchronization using the admin center ...... 176 Verifying directory synchronization service status ...... 177 Using the Synchronization Service Manager ...... 178 Checking the Event Viewer ...... 181 Forcing an unscheduled directory synchronization ...... 182 Understanding run profiles and management agents ...... 182 Initiating an unscheduled directory synchronization using Synchronization Service Manager ...... 183 Initiating an unscheduled directory synchronization using Windows PowerShell ...... 191 Changing the directory synchronization schedule ...... 194 Troubleshooting common directory synchronization errors ...... 195 Directory synchronization is not running ...... 195 Directory synchronization data problems ...... 198 Troubleshooting directory synchronization using the MOSDAL toolkit . . . . 198 Summary ...... 203

PART 3: Office 365 Foundations: Monitoring and Automation Chapter 5: Monitoring Office 365 with System Center ...... 207 Introduction to System Center components and licensing ...... 209 System Center 2012 Configuration Manager ...... 210 System Center 2012 Operations Manager ...... 212 System Center 2012 Data Protection Manager ...... 214 System Center 2012 Virtual Machine Manager ...... 214 viii Table of contents

System Center 2012 Orchestrator ...... 216 System Center 2012 Service Manager ...... 217 System Center 2012 Endpoint Protection ...... 218 System Center 2012 App Controller ...... 219 Concepts and planning for monitoring Office 365 ...... 221 Evaluating what to monitor ...... 222 Administering the monitoring solution ...... 224 Monitoring targets ...... 225 Deploying the SCOM infrastructure and importing the Office 365 Management Pack ...... 225 Installing the System Center 2012 Operations Manager Service Pack 1 prerequisites ...... 225 Downloading the System Center 2012 Operations Manager Service Pack 1 media ...... 236 Installing System Center 2012 Operations Manager ...... 238 Importing the Office 365 Management Pack ...... 253 Creating alert notifications ...... 262 Creating alert recipients ...... 263 Creating a subscription ...... 270 Summary ...... 281 Chapter 6: Customizing Operations Manager reports and dashboards for Office 365 ...... 283 Identifying Office 365 dependent servers ...... 283 Customizing System Center 2012 Operations Manager state views ...... 287 Customizing System Center 2012 Operations Manager alert views ...... 289 Tuning the Office 365 management pack and reducing false alarms ...... 291 Configuring the watcher nodes ...... 300 System Center 2012 Operations Manager report customization ...... 305 Dashboard creation for technical and business owners ...... 311 Operator console dashboards ...... 311 How to create a custom Office 365 dashboard ...... 312 Office 365 service level agreement dashboards ...... 317 Summary ...... 323 Chapter 7: Automating Office 365 management using Orchestrator ...... 325 System Center 2012 Orchestrator ...... 325 Orchestrator overview and concepts ...... 326 Introducing Orchestrator ...... 326 Applying the runbook concept to Office 365 ...... 327 Using Orchestrator components ...... 329 Installing Orchestrator ...... 330 Prerequisites for installing Orchestrator for testing ...... 331 Installing prerequisites for Orchestrator ...... 332 Installing Microsoft SQL Server ...... 334 Completing the installation for Orchestrator ...... 335 Table of contents ix

Using Integration Packs with Office 365 automation ...... 344 Creating a new runbook for Office 365 email accounts ...... 346 Summary ...... 350 Chapter 8: Office 365 and Service Manager automation ...... 351 System Center 2012 SP1 Service Manager ...... 351 Service Manager components ...... 352 Installing Service Manager ...... 353 Installing the Self-Service Portal ...... 358 Service catalog overview ...... 365 Service request automation ...... 366 Enabling the System Center Orchestrator connector ...... 367 Configuring Service Manager automation ...... 369 Completing Orchestrator integration and finalizing a runbook ...... 370 Creating a runbook automation activity template ...... 379 Creating a service request template ...... 383 Creating a request offering ...... 387 Creating and publishing a service offering ...... 390 Service and request offering in the Self-Service Portal ...... 392 Summary ...... 393 Chapter 9: Windows PowerShell for Office 365 ...... 395 Windows PowerShell underlying services ...... 395 Preparing the Windows PowerShell environment ...... 396 Windows PowerShell pre-configured for the workstation or server ...... 396 Configuring Windows PowerShell and WinRM settings ...... 401 Connecting Windows PowerShell to the Office 365 service ...... 403 Windows PowerShell as the future interface ...... 405 Windows PowerShell Integrated Scripting Environment ...... 406 Starting the ISE from Windows 8 ...... 407 Starting the ISE from within Windows PowerShell ...... 407 Starting the ISE from Windows 7 ...... 407 Navigating the ISE ...... 409 Office 365 examples and exercises ...... 414 Establishing a Windows PowerShell session with Exchange Online ...... 414 Updating Windows PowerShell Help files ...... 416 Granting mailbox access ...... 417 Validating permissions ...... 418 Changing time zones ...... 418 Viewing groups ...... 419 Creating distribution groups ...... 419 Using the Admin Audit log ...... 421 Viewing retention policies ...... 422 Creating retention policies ...... 423 Summary ...... 425 x Table of contents

PART 4: Integrating and using Office 365 Services Chapter 10: Introducing Exchange Online ...... 429 Multiple service descriptions ...... 430 Exchange Online plans ...... 431 Exchange Online core workloads and concepts ...... 432 Mailboxes and calendaring ...... 433 Exchange Online Archiving mailbox ...... 434 Email handling and transport ...... 435 Email filtering ...... 438 Secure email ...... 438 Exchange Online capabilities ...... 439 Messaging limits ...... 439 Backup and recovery ...... 439 Exchange Online service availability and redundancy ...... 441 Forefront Online Protection for Exchange ...... 442 Layered protection ...... 443 Anti-Spam ...... 444 Message quarantine ...... 445 FOPE policies ...... 445 Message handling ...... 446 Reporting ...... 447 Exchange Online Archiving ...... 448 Archive size ...... 449 Backup and recovery ...... 449 EOA access ...... 450 Compliance ...... 451 Exchange Hosted Encryption ...... 451 Exchange Online implementation options ...... 452 Hybrid mailboxes ...... 452 Hybrid archiving model ...... 454 Hybrid mail protection and routing ...... 455 New capabilities ...... 456 Data Leakage Prevention ...... 456 Rights Management Service ...... 457 Summary ...... 458 Chapter 11: Planning and deploying hybrid Exchange ...... 459 Planning an Exchange hybrid deployment ...... 460 Understanding capabilities ...... 460 Requirements ...... 461 Using the Exchange Server Deployment Assistant ...... 462 Installing Exchange hybrid deployment prerequisites ...... 471 Preparing the Exchange Management Console ...... 471 Certificates ...... 482 Configuring Exchange Web Services ...... 508 Configuring an Exchange hybrid model ...... 513 Table of contents xi

Establishing a hybrid relationship ...... 514 Configuring a hybrid deployment ...... 517 Troubleshooting hybrid configuration ...... 534 Autodiscover service ...... 534 Virtual directory security settings ...... 537 Resetting the Autodiscover virtual directory ...... 539 Finalizing the Exchange hybrid deployment ...... 542 Testing a mailbox creation ...... 542 Testing a mailbox move ...... 549 Changing an MX record ...... 558 Centralized mail transport ...... 558 Summary ...... 564 Chapter 12: Mailbox migration and administering Exchange Online ...... 565 Mailbox migration options ...... 565 Cutover migration ...... 566 Staged migration ...... 573 IMAP migration ...... 585 Migration using remote Windows PowerShell ...... 589 Migration with an Exchange hybrid environment ...... 591 Microsoft Exchange PST Capture ...... 592 Third-party migration tools ...... 601 Migration best practices ...... 601 Moving mailboxes back to on-premises Exchange ...... 603 Mailbox originally created on-premises ...... 603 Mailbox originally created in Exchange Online ...... 605 Decommissioning on-premises Exchange ...... 607 Administering Exchange Online ...... 608 Exchange Management Console ...... 609 Exchange Online remote Windows PowerShell ...... 611 Exchange Online administration user interface ...... 612 Compliance, Legal Hold, and eDiscovery concepts ...... 621 Preserving content ...... 621 Automated deletions ...... 621 Enforced retention ...... 621 Putting it all together ...... 622 Personal archive ...... 622 Messaging Records Management ...... 622 Holds ...... 623 Multi-mailbox search (eDiscovery) ...... 627 Summary ...... 629 Chapter 13: SharePoint Online ...... 631 Understanding SharePoint capabilities ...... 631 Introducing SharePoint Online ...... 632 SharePoint Online concepts ...... 633 xii Table of contents

SharePoint Online capabilities ...... 633 SharePoint Online capacity limits ...... 635 SharePoint hybrid model ...... 637 Managing SharePoint Online ...... 638 SharePoint Online 2013 ...... 638 SharePoint Online 2010 ...... 642 SharePoint Store ...... 646 Permissions and adding apps to sites ...... 655 Managing app licenses ...... 657 SkyDrive Pro ...... 659 Storage ...... 660 External collaboration ...... 660 Mobility ...... 669 Office Web Apps ...... 670 Achieving compliance with SharePoint eDiscovery Center ...... 674 SharePoint Online Management Shell ...... 694 SharePoint search in a hybrid environment ...... 696 One-way outbound topology ...... 697 One-way inbound topology ...... 697 Two-way topology ...... 698 Summary ...... 698 Chapter 14: Lync Online ...... 699 Lync terminology ...... 700 Session Initiation Protocol and SIP addressing ...... 700 Peer-to-peer voice vs. Enterprise Voice ...... 700 Lync Online overview and licensing ...... 701 Lync client ...... 702 Lync meetings ...... 704 Lync mobile ...... 707 Lync Web App and Outlook Web App ...... 708 Lync Online capabilities and concepts ...... 712 Lync Online features ...... 713 Lync Federation ...... 713 Hybrid Lync Online ...... 714 Dial-in audio conferencing ...... 717 Lync Online planning and deployment ...... 718 Test network bandwidth and latency ...... 719 Determine ports and protocols ...... 722 Allow outgoing connections ...... 723 Create DNS entries ...... 723 Configuring and managing Lync Online ...... 728 Lync Online 2013 ...... 728 Lync Online 2010 ...... 736 Lync IM conversation history and policy ...... 742 Configuring hybrid Lync ...... 754 Table of contents xiii

Migration considerations ...... 757 Summary ...... 757 Chapter 15: Office 365 Professional Plus ...... 759 Introduction to the Microsoft Office editions ...... 760 Office ProPlus Service Description ...... 762 Deploying Office 365 ProPlus ...... 762 Office Click-to-Run and activations ...... 764 Customizing Click-to-Run ...... 769 Difference between Click-to-Run and MSI ...... 771 Office on Demand ...... 773 Patching Office 365 ProPlus ...... 774 Managing and deploying Office 365 ProPlus ...... 775 System requirements ...... 775 32-bit vs. 64-bit version ...... 775 Group Policy ...... 775 Virtualization ...... 776 Other Office products ...... 777 Office 365 ProPlus common errors ...... 777 Microsoft Office subscription error ...... 777 Office subscription removed ...... 777 No subscription found ...... 777 Activation error ...... 778 Summary ...... 778

PART 5: Advanced topics: Incorporating Office 365 with Windows Azure Chapter 16: Advanced concepts and scenarios for Office 365 ...... 781 Trusts ...... 783 One-way forest trusts ...... 785 Two-way forest trusts ...... 785 Introduction to Forefront Identity Manager ...... 786 Office 365 and FIM architecture to support multi-forest scenarios ...... 788 Windows Azure ...... 793 Office 365 on-premises dependencies supported in Windows Azure . . . . . 793 Identity and SSO for Office 365 in Windows Azure ...... 794 Scenario 1: All Office 365 identity management components deployed in Windows Azure ...... 796 Scenario 2: Office 365 on-premises identity management components duplicated in Windows Azure for disaster recovery and failover ...... 797 Virtual machine sizing ...... 798 Multi-factor authentication ...... 799 Setting up Azure Multi-Factor Authentication ...... 800 First time user experience ...... 802 Subsequent user experience ...... 805 Summary ...... 809 xiv Table of contents

PART 6: Appendix Appendix A: Windows PowerShell scripts for Office 365 ...... 813 Introduction ...... 813 Determining the subscription name ...... 813 Creating cloud identities from a .csv file ...... 814 Generating a user list ...... 815 Generating a subscription assignment report ...... 815 Swapping licenses ...... 818 Activating certain services in a suite SKU ...... 819 Purging deleted users ...... 820 Sending bulk email to users ...... 820 Office 365 Windows PowerShell resources ...... 822

Index ...... 823 Foreword

hen I think back at why I got into IT, it came down to a constant thirst for innovation and helping solve problems with technology. Innovation can take on two W forms: refinement or outright change. Technology really exists to solve problems and can take any form.

As a kid I watched my computers and game consoles change manufacturer and platform at an almost annual clip. That was exciting and still is. It’s part of why I’m excited to be in the tech industry. You can see how fluid the technology space is by watching the mobile device and gaming markets right now. In the same way, you can see an evolution of communication styles. Written correspondence, email, instant messaging, social, video calls and online meetings are part of most of our daily repertoire. These things all have hooks into different services, both on-premises and online. The fluidity and constant evolution attracted me and many of us to technology.

Now we are seeing the pendulum swing to where many of the technology services are turning into commodities and things that used to take thousands of dollars of infrastructure to accomplish have been simplified into a few clicks. The automation we spent building in the last decade has turned into service and account hydration. The virtual machines, clustered services, and live migrations have been woven into the fabric of cloud services. It means the building and sizing of infrastructure is real-time and logic-based. As infrastructure people, we’ve watched this evolve and the elasticity of everything is really cool and getting better with more advances in security, rapid failover, and most other aspects each day.

Office 365 is a leader in the charge to take advantage of the infrastructure and automation improvements to provide highly available services. As the workloads in Office 365 (Exchange, SharePoint, Lync, Yammer, and Office) continue to develop, Office 365 removes the complexity of building out infrastructure and keeping software up to date. The rapid innovation of these services and the evolution of technology they build upon is a reflection of that spark that led many of us into technology careers.

Like any platform, it is extensible, configurable, and manageable. For the seasoned IT pro, many of the aspects around directory service management, user provisioning, PowerShell automation, email, and site administration are consistent with what you’ve probably been doing. As an IT pro, your stake and role is more valuable than ever. With a background in Exchange or SharePoint, you have a unique view into the inner workings of the services, without the painstaking work of provisioning and de-provisioning servers, patch management, and major upgrades.

xv xvi Foreword

Microsoft Office 365 Administration Inside Out is your guide to navigate the landscape to Office 365 from the IT pro lens. It goes much deeper and thoughtfully into the specifics of managing Office 365 workloads. The great thing with this book is that once you start a trial, you can hit the ground running and start getting hands-on. The other great side effect of cloud services is that you generally don’t need to worry about test virtual machines or hosted hands-on labs. It’s all there, so roll up your sleeves and get started.

—Jeremy Chapman Director Office 365 Product Management Introduction

elcome to Office 365 Administration Inside Out. This book was written specifically for enterprise-level customers who want to adopt Office 365. There are other W books that cover the use of Office 365, but this book focuses on the actual integration of Office 365 with on-premises technologies. This integration is often necessary for organizations that already have, and might need to continue to have, some level of on- premises infrastructure for administration or other purposes.

For example, most organizations have Microsoft Active Directory (AD) as an identity management solution and have built groups, policies, and processes based on AD identities. AD is the premium identity management solution and is not intended to be replaced by Office 365. Office 365 leverages on-premises technologies such as AD for security and authentication purposes. There are also organizations that currently have on-premises email systems. They have the option to migrate all or some of those systems or simply adopt portions of email functions in Office 365. These are all examples of enterprise-level decisions that organizations face, and this book addresses these types of real-world implementations and administration. Who this book is for This book is intended for Information Technology (IT) system architects who need to integrate Office 365 with existing on-premises technologies. It is also intended for subject matter experts in Exchange, SharePoint, and Lync who design migration and hybrid implementations of these specific Office 365 services. Although this book contains a lot of technical information, it can also serve IT leaders and decision makers such as Chief Information Officers (CIOs) by providing insight to the level of planning and effort required to integrate Office 365 with existing technologies. With that insight, IT leaders and CIOs can plan and budget their Office 365 projects accordingly. There are also security and compliance topics that security professionals will find useful because there are new and specific security considerations for adopting cloud services. This book is not intended for the typical end user or business user, nor is it intended to cover all the functionalities of Exchange, SharePoint, Lync, and Office.

Regardless of your role, we hope this book helps you methodically plan, integrate, and deploy Office 365 services in your organization. We also hope you will get a better understanding about deploying technologies that can make the Office 365 experience a great one for end users and administrators.

xvii xviii Introduction

Assumptions about you

This book is designed for readers who have a fundamental understanding of Office 365 services, but possess technical expertise in the administration and configuration of the on-premises technologies equivalent to those services. Because Office 365 covers a breadth of technologies including SharePoint, Lync, Exchange, and Office, this book assumes that the audience for each of these technologies has the relevant expertise in configuring and administering these technologies prior to Office 365. In addition, this book includes information that can serve multiple audiences; because of this, it can serve as a great resource for an Office 365 implementation team of experts. During implementation, there is foundational work to complete in the areas of identity management, network assessments, security analysis, and migration planning. As such, this book assumes the readers in these areas have the operational expertise for managing AD, running network assessments, and making configuration changes to networking services such as Domain Name System (DNS), proxies, and firewalls. While not required, readers will benefit most from this book if they have a lab environment to implement the concepts covered in the book. Conventions This book uses special text and design conventions to make it easier for you to find the information you need.

Text conventions Convention Meaning Bold Bold type indicates keywords and reserved words that you must enter exactly as shown. Microsoft Visual Basic understands keywords entered in uppercase, lowercase, and mixed case type. Access stores SQL keywords in queries in all uppercase, but you can enter the keywords in any case. Italic Italicized words represent variables that you supply. Angle brackets < > Angle brackets enclose syntactic elements that you must supply. The words inside the angle brackets describe the element but do not show the actual syntax of the element. Do not enter the angle brackets. Introduction xix

Convention Meaning Brackets [ ] Brackets enclose optional items. If more than one item is listed, the items are separated by a pipe character (|). Choose one or none of the elements. Do not enter the brackets or the pipe; they’re not part of the element. Note that Visual Basic and SQL in many cases require that you enclose names in brackets. When brackets are required as part of the syntax of variables that you must supply in these examples, the brackets are italicized, as in [MyTable].[My- Field]. Braces { } Braces enclose one or more options. If more than one option is listed, the items are separated by a pipe character (|). Choose one item from the list. Do not enter the braces or the pipe. Ellipsis … Ellipses indicate that you can repeat an item one or more times. When a comma is shown with an ellipsis (,…), enter a comma between items. Underscore _ You can use a blank space followed by an underscore to continue a line of Visual Basic code to the next line for readability. You cannot place an underscore in the middle of a string literal. You do not need an underscore for continued lines in SQL, but you cannot break a literal across lines.

Design conventions

This statement illustrates an example of an “Inside Out” INSIDE OUT heading These are the book’s signature tips. In these tips, you get the straight scoop on what’s going on with the software—inside information about why a feature works the way it does. You’ll also find handy workarounds to deal with software problems.

Sidebar Sidebars provide helpful hints, timesaving tricks, or alternative procedures related to the task being discussed. xx Introduction

TROUBLESHOOTING This statement illustrates an example of a “Troubleshooting” problem statement

Look for these sidebars to find solutions to common problems you might encounter. Troubleshooting sidebars appear next to related information in the chapters. You can also use “Index to Troubleshooting Topics” at the back of the book to look up problems by topic.

Cross-references point you to locations in the book that offer additional information about the topic being discussed.

CAUTION! Cautions identify potential problems that you should look out for when you’re completing a task or that you must address before you can complete a task.

Note Notes offer additional information related to the task being discussed. Introduction xxi

Acknowledgments Writing a technical book is a challenging yet rewarding experience. Writing a technical book that covers a new technology offering that is rapidly changing and covers the core Microsoft enterprise software takes the experience to an entirely different level. After read- ing this book, we hope you can appreciate how innovative Office 365 really is. It is a well- planned service with technologies and options to address almost every business scenario. When we meet with organizations that want to adopt Office 365, they often are over- whelmed by its complexity. Our answer to the complexity question is both "yes" and "no." Office 365 can be very easy to adopt. Just turn it on and it is ready. On the other hand, it can be complex if you have a complex environment with complex business needs. To address complex business scenarios, the service needs to be sophisticated. In this book, we provide simple, step-by-step procedures to ease your way through even the most complex scenarios.

We wrote this book during the preview period of the latest release of Office 365. We have made every attempt to continually update the information as we developed the book. However, due to the rapid update cadence of Office 365, the screen shots and information presented here might vary from your environment. Even so, the significant core concepts should remain consistent with the current Office 365 offering.

There are a number of people who have made this project possible. First, the authors would like to thank the great teams at and Microsoft Press for the opportunity to write this book. We also would like to thank Kenyon Brown, our senior editor, for his patience and valuable guidance throughout the project; Kara Ebrahim, our production editor, and her team for making the book look so aesthetically pleasing; and Barbara McGuire, our copy editor, for her excellent edits and valuable comments. We want to thank all our technical reviewers and subject matter experts, who behind the scenes validated all the material and provided very important feedback and corrections. They are Scott Wold, Darryl Kegg, Mark Ghazai, Stephen Jones, Jeremy Chapman, Yann Kristofic, Andreas Kjell- man, and Darren Carlsen. We want to thank King County’s CIO Bill Kehoe and many other IT leaders and technical experts in other organizations who have been willing to share their experience with us and give us the opportunity to work on their Office 365 projects. Without the vision and courage of these early adopters, it would not have been possible to provide all the real world experience we tried to capture in this book. We also thank the executive management at Microsoft for their support of this project, especially Jeff Tozzi, Dave Rogers, Javier Vasquez, Tori Locke, Dean Iacovelli, and Keith Olinger. Last but not least, we would like to thank the wonderful account teams at Microsoft we worked with, especially Steve Finney, Abel Cruz, Mark Wernet, Chris Wilch, Benjamin Callahan, Steve Kirchoff, Steven Fiore, Tara Larson, Bjorn Salvesen, Arshad Mea, Rick Joyer, Dan Crum, and Adam Loughran. xxii Introduction

Julian Soh

This book has been one of the most challenging projects I have ever undertaken. There is so much material that we struggled to keep the scope of the book in check. This book truly has given me the opportunity to gain a deeper appreciation for the innovation, intricacies, and the possibilities that Office 365 offers.

This experience has helped me grow professionally, and I appreciate all the authors who have come before me because it is a huge personal investment in time and commitment for any author. Most importantly, I have been humbled by so many experts who have helped make this book possible. I sincerely would like to thank the efforts of my co-authors Marshall Copeland and Anthony Puca. Not only are they experts in their field, they have been great friends. I am humbled by their expertise and professionalism. I will always trea- sure this journey we have shared together, and I feel very blessed to have friends like you. I want to personally thank my Office 365 field team for making it such a great place to work and for your unselfish sharing of information. So thank you Bob Ballard, Carl Solazzo, Chuck Ladd, Dennis Guzy, Erika Cheley, Jed Zercher, Joel Martin, Michael Icore, Mike Hacker, Mon- ica Hopelian, Scott Derby, Tim Gade, Stephen Jones, Brian Burns, and Scott Wold.

Finally, I would be remiss if I did not thank my family. I spent many days away from them. They also put up with my multi-tasking between writing chapters and trying to participate in family events. My wife Priscilla has been ever supportive and selfless in taking on all the extra work around the house. Thank you to my daughters Jasmine and Makayla for their understanding and for sacrificing some of our time together for this project. Jasmine, thank you for all the green tea you made me while I was busy typing away late into the night and for taking over the mowing of the yard.

To all these very important people in my life, I dedicate this book to you.

Marshall Copeland

Writing a book is a tremendous undertaking, and I would like to thank my beautiful wife Angela for her patience during the many evenings and weekends I spent hovered over a keyboard. She supports my hectic work with travel for public and customer speaking while keeping me grounded with incredible insight on what’s important. For Cecil, Frances, and Barbara. We miss you.

Words are not enough to thank Julian Soh for offering me a seat on this voyage. It became very clear that to be a subject matter expert is quite different from trying to teach others by writing about a subject. Julian, merely saying "thank you" can’t express my gratitude enough. Also, I want to thank Anthony Puca for his daily expertise with System Center and the insight he offered during our many conversations. A big thank you to Keith Olinger and Jeff Tozzi for their support during the writing of this book and for being two great people Introduction xxiii

with amazing guidance to help me grow. You both pour so much effort into everyday work that our entire team is lifted, and we thank you.

Thank you to the many customers who continue to ask "what if" questions and allow me to provide insight to help each of you move forward. Thank you to Bill Gates and Steve Ballmer for building a fantastic company called Microsoft, the best place to work. A special thank you to Charles Fox for helping me see the right direction when I could not. Thank you to Mark Ghazai for all the Windows PowerShell guidance and Hyper-V understanding.

Anthony Puca

I would like to say thank you to my wife Laura for being so understanding during all the nights I was working on this book, taking phone calls when we were on vacation or weekends, and going through this all over again with me. Our rendezvous at the dinner table, when we were trying to keep to the schedule and you were in the middle of your busy sea- son, will not be forgotten.

When two friends, Julian Soh and Marshall Copeland, asked me to accompany them on this effort, I was honestly flattered. Special thanks go to Julian for coming up with the idea and driving it through; we could not have done this without you. Thank you, Marshall and Julian, for being my sounding board, for providing sanity checks and peer reviews, and for all the insightful conversations during those late night and weekend calls.

Working at Microsoft has given me access to some of the most talented, brightest, and passionate people in information technology. Thank you to all of you who contributed in some fashion. Thank you to Keith Olinger, Dave Rodgers, Bob Ballard, and their teams for their support. Thank you to Mark Ghazai and Marek Tyszkiewicz for all the Windows Power- Shell scripting. Thank you to Anna Timasheva for your System Center Operations Manager (SCOM) expertise. Thank you to Jeff Tozzi for growing an amazing group that supports state and local government in the U.S. Thank you to my account teams who remind me of the value these things provide to the customers and public: Mark Starr, Nathan Beckham, Todd Strong, Adam Loughran, Elisa Yaros, Bobby Bliven, Don Born, and Kris Gedman. Support & feedback The following sections provide information on errata, book support, feedback, and contact information.

Errata

We’ve made every effort to ensure the accuracy of this book and its companion content. Any errors that have been reported since this book was published are listed on our Micro- soft Press site at:

http://aka.ms/Office365_Admin_IO_errata xxiv Introduction

If you find an error that is not already listed, you can report it to us through the same page.

If you need additional support, email Microsoft Press Book Support at mspinput@microsoft. com.

Please note that product support for Microsoft software is not offered through the addresses above.

We want to hear from you

At Microsoft Press, your satisfaction is our top priority, and your feedback our most valuable asset. Please tell us what you think of this book at:

http://www.microsoft.com/learning/booksurvey

The survey is short, and we read every one of your comments and ideas. Thanks in advance for your input!

Stay in touch Let’s keep the conversation going! We’re on Twitter: http://twitter.com/MicrosoftPress

CHAPTER 3 Active Directory Federation Services

Different types of user accounts ...... 71 Active Directory Federation Services ...... 82 Integrating Active Directory with Office 365...... 73 Removing Active Directory Federation Services. . . . . 122

icrosoft Active Directory Federation Services (AD FS) provides single sign-on (SSO) by using token-based authentication. With SSO, a service will trust the M authentication token of a user who has successfully logged on to a disparate but trusted network. As such, the service will grant access without requiring the user to authenticate again. For example, if a user has already been authenticated by Active Directory (AD) and if SSO is configured, Office 365 will provide access to the user without a challenged logon.

SSO through AD FS is not mandatory for Office 365, but enterprise customers usually implement it because of the need or desire to leverage existing identity management solutions such as AD. Remember, too, that we said the user is the most important part of the equation. SSO optimizes the users’ experience because they don’t need to provide credentials multiple times.

AD FS is commonly considered and discussed together with directory synchronization, which is covered in Chapter 4, “Directory Synchronization.”

Note Office 365 SSO is not available for Office 365 for professionals and small businesses or for Office 365 Small Business Premium Preview. For more information, see KB article 2662960 at http://support.microsoft.com/kb.2662960. SSO is available only for Office 365 Enterprise Suites.

Different types of user accounts Before we dive into AD FS, we need to introduce the different types of user accounts and authentication methods available in Office 365.

As with any computer system, a user needs an account to access Office 365. This chapter covers the different ways in which user accounts can be created and maintained. We also describe the user experience when accessing Office 365 based on the different account types.

71 - - - f user accounts s, but for now we will Group Policy Objects (GPOs) that Objects (GPOs) Policy Group Services

Federation

Federated identity Federated Cloud identity Directory

● ● ● ● ctive tory scenario, if you introduce User and Computer (ADUC) management console. In this cloud identities with Office 365, you would have to maintain a second set o your workload. doubling in Office 365, thereby define password complexity requirements. Furthermore, a day-to-day management requirements. from complexity define password using tools such as the Active Direc probably standpoint, you and your administrators are Federated identities refer to user accounts that are maintained outside of Office 365, maintained outside of to user accounts that are Federated identities refer an enter the most commonly used accounts in Federated identities are such as in AD. Shell. Windows PowerShell provides you with account management capabilities that might account management capabilities that you with provides Shell. Windows PowerShell or assign user passwords For example, you can the admin center. not be available through not these options are but by using Windows PowerShell, expiration dates password remove and also opens the door for automation PowerShell Windows center. available in the admin chapters in later into Windows PowerShell will dive deeper accounts. We of bulk processing administering Office 365 at of choice for is definitely the tool because Windows PowerShell the enterprise level. service,When a user tries to access an Office 365 for a logon name she will be prompted will be validated 3-1. The user name and password as shown in Figure and a password, access to servicesby Office 365 before is granted. For cloud identities, Office 365 is the authentication. known as standard authoritative authentication source identity Federated identity management solution such as AD. have an prise because most enterprises already We it will leverage your AD environment. Because Office 365 is built to be enterprise-ready, solutions in later chapter discuss other non-AD identity management source. assume AD as the authoritative identity For one, AD is most likely benefits to leveraging your AD environment. many are There such as features configured and you have already mature Cloud identities are user accounts that are created directly in Office 365 through the admin in Office 365 through directly created that are user accounts Cloud identities are in Office 365. Cloud also stored with cloud identities are associated The passwords center. Windows Power the admin center as well as through through identities can be managed There are essentially two classes of user accounts: classes of essentially two are There Cloud identity A

Chapter 72

Chapter 3

Integrating Active Directory withOffice365 Integrating Active Directory To fullyleverageADinOffice 365,followthesegeneralsteps: standpoint. to implement,theyare definitelynotthebestapproach from along-term, administration account inAD. Therefore, whilecloudidentitiescanbeusedinanenterpriseandare easy disable, theuseraccountinOffice365additiontodeleting ordisablingtheemployee’ Whenever anemployeeleavesyourorganization, youwillhavetoensure youdelete,or create andmaintain acorresponding user accountinOffice365forthenewemployee. user requires accesstoOffice365.Without federatedidentities,youwillhavetomanually For example,let’s sayyou create anewuseraccountforemployeeinADandthat Figure 3-1 ● ● ● ● ● ● Install and configure the Directory Synctool(covered inChapter4). Install andconfigure theDirectory withthe“Activechapter starting section). Federation Services” Directory Set upandconfigure SSOthrough ADFS (optional;wecoverthisprocess laterinthis Add yourdomainnameto Office365tenant.

Office 365logonwindow . Integrating

Active

Directory

with

Office

365

s 73

Chapter 3 and . Services

Office 365 admin center

Federation

Figure 3-2 Figure Log on to your Office 365 admin center at https://portal.microsoftonline.comLog on to your Office 365 admin center 3-2. click the domains link, as shown in Figure Directory

Note it prior implement to you recommend we SSO, will be implementing you know If you first to organizations is not uncommon for it However, tool. Directoryinstalling the Sync in our experience, In fact, this has FS. AD directoryimplement before synchronization a common approach. been quite 1. ctive Adding your domain name to Office 365 name to domain Adding your PowerShell scripting. For Windows name to Office 365 through can add your domain You we will use the graphical interface this task: to accomplish now, The first to your Office Office 365 is to add your domain name step to integrating AD with do so, you first name (FQDN). A fully need to own a fully qualified domain 365 tenant. To .net, domain name, such as .com, Internet routable is defined as a qualified domain name .local, cannot be added. domain name, such as .lcl or A non-routable or .org. A

Chapter 74

Chapter 3

5. 4. 3. 2.

associated. If not, you can proceed to the next task, which is to verify thedomain. associated. Ifnot,youcanproceed tothenexttask,whichisverify youclicknext,Office365informs youifthedomainhasbeenpreviously After another tenant.You willbenotifiedifthatisthecase. ifyoudonotremember whetheradomainhasbeenassociatedwith Do notworry mustnothavebeenpreviously associatedwithanotherOffice365tenant. specify Remember thatyoucanaddonlyanInternet routable domain,andthedomainyou Enter yourdomainnameinthetextbox andclicknext,asshowninFigure 3-4. adomainnameandconfirm ownership. Click Specify Figure 3-3 3-3. To associateadomaintothistenant,clickthe It shouldbeintheform of < Name>.onmicrosoft.com. signupforOffice365. you shouldatleastseethedomainnamethatusedtofirst not beabletoassociatethatsamedomainanotherOffice365tenant.Bydefault, tenant. However, onceadomainhasbeenassociatedtoanOffice365tenant,youwill and theirrespective status.Asyoucansee,associatemultipledomainstoa The domainspageshowsalltheyourOffice365tenantisassociatedwith

Add adomain. Add adomainlink,asshowninFigure Integrating

Active

Directory

with

Office

365

Chapter 3 - Domain Name Ser Services

Confir Enter your domain name. m domainandinstructionstomodify DNS.

Federation

Figure 3-5 Figure Select your ISP to view the specific instructions or select General Instructions if you Select your ISP to view the specific instructions hosting your own DNS, which is often case for an enterprise. In this example, the are available instructions. shows the list of 3-5 we will select General Instructions. Figure Figure 3-4 Figure Directory

1. ctive You now need to confirm you own the domain and have the authority to add this domain you own the domain now need to confirm You in your create a record to TXT name to Office 365. Office 365 asks you vice (DNS) server is authoritative for the domain you just added. Office 365 also lists that Service is hosted by an Internet instructions on how to do this if your DNS (ISP) or Provider such as Go Daddy. registrar A

Chapter 76

Chapter 3

In thissection,weshowyouhow toaddtherequired record TXT toaWindowsDNSserver. record Entering aDNS TXT 3. 2.

later. changes foryou,justclosethewindow. You thedomain cancomebackandverify button. Ifyouneedmore timeorneedtorely onsomeoneelsetomaketheDNS now Next, makethechangestoyourDNS.Whenyouare done,clicktheverify Figure 3-6 Figure 3-6showsinformation forGeneralInstructions. recordused aTXT insteadof anMXrecord, butbothoptionsare availabletoyou. through DNSandwillattempttolocatetheserecords. Personally, wehavealways contains auniquenumber. Duringverification,Office365 will resolvethedomain we were giventheoptiontocreate eithera appear onthesamepage.Inthisexample,whenweselectedGeneralInstructions, When youhaveselectedtheinstructionthatappliestoyou,will

General Instructionstomodif y DNS. TXT recordTXT oranMXrecord inDNSthat Integrating

Active

Directory

with

Office

365

Chapter 3 Services

Cr Micr type. (TXT) record eate aText osoft ManagementConsoleforDNSserver. Federation

Figure 3-8 Figure Figure 3-7 Figure (TXT) you locate the Text down until scroll dialog box, Type Record In the Resource 3-8. as shown in Figure Record, Select it and click Create type. record Microsoft Management Console (MMC) for Console (MMC) Management the Microsoft Using your DNS server. Log on to select the Other New to Office 365 and adding the domain you are DNS, right-click 3-7. as shown in Figure option, Records Directory

2. 1. ctive A

Chapter 78

Chapter 3

the admincenteragain,follow thesestepstoconfirm ownership: nowbutton.Ifyouhavetologon it hasnotyettimedout,youcanclickthedone,verify If youare stillonthe Office365pagewaitingfordomainverification(seeFigure 3-6)andif theverificationprocess. cation purposes,soyoucanimmediatelystart gence becauseOffice365doesnotcacheitsDNSlookup of recordsTXT fordomainverifi the authoritytoadddomainyourtenant.There isnoneedtowaitforDNSconver Now thatwehavecreatedrecord, thatyouhave theTXT Office365willbeabletoverify Verifying domain the 1. 3.

progress linkintheStatuscolumn,asshownFigure 3-10. From theadmincenter, pane,andthenclicktheSetup in clickdomainsin the left Figure 3-9 click OK. DNS).Thisusuallytakestheform ofto modify MS=ms1234567.Whenyouare done, recordenter theTXT asinstructedbyOffice365(seeFigure 3-6,GeneralInstructions Lastly, asshowninFigure 3-9,leavetheRecord namefieldblank.Inthe Text field, eating theText record. (TXT) Cr Integrating

Active

Directory

with

Office

365

- - 79

Chapter 3 s . Services

Domains page in the admin center Domains page in the

Federation

On the Add a domain to Office 365 page, notice that the link in Step 2, which is On the Add a domain to Office 365 page, Add users and assign licenses, is now active. Furthermore, the link in Step 1, which is Specify ownership, name and confirm a domain is no longer active and a check is completed the task. Click the Add user shown for that step. This indicates you have Select the I don’t want to add users right now option and click next. Click the done, verify now button. to the next step. Otherwise, Office 365, skip on the Add a domain page of If you are link in the then click the Setup in progress click domains, and the admin center, from 3-10. Status column, as shown in Figure and assign licenses link. Figure 3-10 Figure Click Specify ownership. a domain name and confirm Directory

3. 1. 2. 2. 3. ctive Adding usersAdding and licenses assigning directory users will explain how to add Therefore, in Chapter 4. through synchronization We we need to specify that users time. Follow these steps to specify will be added at a later that you will add users later: You are now ready to finish the third task, which is to define the domain purpose and con- to finish the third now ready are You DNS. figure After your domain has been successfully verified, the next task is to specify how users will be added to Office 365. A

Chapter 80

Chapter 3

purpose: Exchange Online,Lync Online,orSharePoint Online.Followthesestepstosetthedomain Setting thepurposeof thedomainmeansdefiningwhetherwillbeusedfor configuring and domain the purpose DNSSetting 4. 3. 2. 1.

and willinform youifanyerrors are found.Ifthere are noerrors, youwillreceive a click done,gocheck.Office365 willcheckthattheDNS records are correctly created specific DNSentriesforthem towork.Addthe records toyourDNS server, then that Office 365doesnotmanage DNS requirerecords butstillprovides services records youneedtoaddyourDNSserver,the necessary asshown inFigure 3-12. Setting thedomainpurposeinpreceding stepallowsOffice365todetermine Figure 3-11 you wanttoassociatewiththedomainandclicknext. domain purposewilllooksimilartotheoneshowninFigure 3-11.Selectthe services Online, SharePoint Online,oranycombinationof thethree. Thescreen tosetthe On theSetupdomainpage,youhaveoptiontochooseExchangeOnline,L domain purposeandconfigure DNSlink. next toSteps1and2indicateyouhavecompletedthetasks.ClickSet therethe domainpurposeandconfigure are DNS,isnowactive.Furthermore, checks At theAddadomaintoOffice365page,noticethatlinkinStep3,whichisSet Status column,asshowninFigure 3-10. from theadmincenterclickdomains,andthenSetupinprogress linkinthe If youare ontheAddadomaintoOffice365page,skipnextstep.Otherwise,

Set domainpurpose. Integrating

Active

Directory

with

Office

365 ync

Chapter 3 vices that are associated to a verified domain. vices that are Services

DNS settings for ser

Federation

Note Online as a service domain your specify to associated Choosing to SharePoint a pub- However, host a public-facing website. to the capability you name provides be a full-featured to not intended currently is Online website lic-facing SharePoint use a public-facing site, do choose to management solution. If you content web first asso- will need to Online, you Lync Online and use Exchange and also want to your DNS for Exchange the changes and configure Save and Lync. Exchange ciate Online as a service specify to SharePoint Online, then come back Online and Lync domain name. with the associate to Figure 3-12 Figure message that the domain is ready to work with the Office 365 services work with the Office to the domain is ready message that you selected. Setup in progress. instead of changed to Active status will then be The domain Directory ctive AD FS is a role in Windows Server. The most prominent and primary The most prominent FS to use AD reason in Windows Server. is a role AD FS having with Office 365 is that it allows an AD user to seamlessly access Office 365 without to as this ability is often referred again. As mentioned earlier, her credentials to re-supply A

Chapter Active DirectoryActive Federation Services 82

Chapter 3 securely create an encrypted communication channel between their personal computers computers communicationchannelbetweentheirpersonal securely create anencrypted ally, willuseatechnology suchasa theseworkers A remote workerorteleworkerisonewhonot onthecorporatenetwork.Tradition- connection 3:Scenario Remote network workerprivate on a virtual experience becausetheuserdoesnotneedtopresent herlogoncredentials again. acknowledge theclaimtokenandwillnotproduce alogonprompt. Thisprovides anSSO porate intranetthatishostedinSharePoint Online,theOffice365federationgatewaywill byopeningOutlooktoaccessemailorabrowser toaccess the cor services, authenticates theusersoshehasavalidclaimtoken.When theuseraccessesOffice365 In thisscenario,auserisatworkandlogsontothecorporate network.TheenterpriseAD on work at 2: is logged User Scenario work logon. attempting toaccessOffice365from withinthecorporatenetworkorfrom apublicnet access Office365,heisprompted tosupplyavalidusernameandpassword, whetherheis In thisscenario,auserisnotauthenticatedthrough SSO. Eachtimetheuserattempts to 1: No singleScenario sign-on experience experience whenSSOwithOffice365isandnotinplace. Before webegintoinstallandconfigure AD takealookattheend-user FS 2.0,letusfirst Single sign-onexperience business needs. yousetupADFS forOffice365,youmightbe able touseitforothernon-Office365 after poses, youmightbeabletousetheexistingADFS infrastructure forOffice365.Likewise, networks. Ifyoualready haveADFS setupinyourenvironmentB2B partner forotherpur You can useADFS forotherpurposesaswell.Acommonuseof ADFS istofederatewith cation, youmustaccomplishitwithADFS andSSO. external networks,youcandosothrough ADFS andAD. Ifyourequire two-factorauthenti ees tobeableaccessOffice365onlyfrom thecorporateenvironment andnotfrom also control location-basedaccesstoOffice365.Forexample,ifyouwantallowemploy authentication of through users AD, youcantakeadvantageof group policies.ADFS can However, asidefrom SSO, there are otherbenefits of AD FS. BecauseAD FS facilitatesthe sion required 2.0;thus,itis byOffice365isversion referredoften toasAD FS 2.0. 365. However, ifyourorganization decidestoimplementADFS, theminimumADFS ver single sign-on(SSO).ADFS isanoptionalimplementationandnotrequired forOffice virtual privatenetwork(VPN)clientto virtual Active

Directory

Federation

Services

- - - - 83 - -

Chapter 3 - Services

Federation

AD FS must be installed on a server must be installed on AD FS that is joined to a domain and running either Windows Server 2008 or Windows Server 2008 R2. (DC). installed on a domain controller 2.0 or above must be AD FS Directory

● ● ● ● ctive Single sign-on requirements into divided for Office 365 are up SSO with AD FS for setting The minimum requirements server and AD FS AD requirements requirements. straightforward: are The server role to install the AD FS requirements Scenario 4: Remote worker is not is logged the corporate network to on worker Scenario Remote 4: a non-corporate net through the Internet worker has access to In this scenario, a remote and the corporate network. This is known as a tunnel within the public network. Because it network. Because within the public is known as a tunnel network. This and the corporate is encrypted, is deemed secure. the communication VPN session initialization. during the credentials his logon a user presents In this scenario, network. After to the corporate passed are the user pos- authenticated, The credentials his email or accesses this point, if the user opens as in Scenario 2. At sesses a claims token, will be the same as it is for that is hosted in Office 365, the situation the corporate intranet his logon credentials for 2. That is, the user will not be prompted the worker in Scenario again. work, such as her home office or the public Internet provided by a hotel. She can choose by a hotel. She provided or the public Internet office work, such as her home us assume this user does not do discussion let VPN, but for the sake of to log on through on the corporate network. not need to access any corporate resources so because she does that is hosted in email or access the corporate intranet Instead, she only wants to read of the locator (URL) resource and enters the uniform Office 365. So she opens a browser VPN, either locally or through by AD, corporate intranet. Because she is not authenticated she does not possess a valid token. 3-1. shown in Figure as the user with the Office 365 logon window, Office 365 presents Principal Name (UPN) user name. Office 365 The user attempts to log on using her User that the user is tryingrecognizes a UPN suffix belonging to a domain that to log on with 3-13. The as shown in Figure server, the user to the AD FS is federated and thus redirects federation server The user suc- a logon window to obtain the user’s credentials. presents back She then is redirected and is issued a valid claim token. cessfully enters her credentials she is now granted access to Office 365 services.to Office 365, where is a good idea to have a communication plan so you scenarios, it the different In light of in place. and SSO are can communicate to your users what they will see when AD FS A

Chapter 84

Chapter 3

. library/dn151311.aspx For more information aboutADFS requirements, see ful. Thefollowingare theADrequirements: AD requirements toimplementADFS 2.0forOffice365 canbemore complexandimpact ● ● ● ● ● ● ● ● section. AD defaultUPNmustbeidenticaltothedomainnameyou addedinthepr mode. 2003inmixedornative AD withaminimumfunctionallevelof WindowsServer same machine. not required. theADFS Furthermore, cannotbesetuponthe proxy andADFS server nect from outsidethecompanynetwork.WhileanADFS proxy isrecommended, itis Deployment of tocon- ifyouplantoallowusers anADFS 2.0oraboveproxy server (IIS)mustbeinstalled. Internet Information Server Figure 3-13

Office 365logonpor tal redirecting youtosigninthrough theADFS server. http://technet.microsoft.com/en-us/ Active

Directory

Federation

Services eceding

85 -

Chapter 3 eplace e not able to r Services

Federation

Remediate your AD UPN suffix. Install IIS on the server that will host AD FS. Sockets Layer (SSL) certificate. IIS with an Secure Protect FS 2.0. AD Install and configure Directory

● ● ● ● ● ● ● ● Note Most com- see in AD. we most common problem Name (UPN) is the User Principal cloud and was still young the Internet years ago when AD many implemented panies with all the wild west was considered Internet The was virtuallycomputing of. unheard AD and dangers. give then, a common security Back best practice was to its promises reason is typically .lcl or .local. The UPN. The common UPN suffix used a non-routable creating a federa- we will be One, twofold. valid UPN suffix is a requires why Office 365 the requires FS installation. This Office 365 and the local AD during the AD tion between Adding the domain we saw earlier in the chapter. Office 365 as be added to domain to DNS, so the domain through of a TXTrecord validation or MX the requires Office 365 to directory install Second, when we the and routable. synchronization, be valid needs to 365 account is in UPN formatuser name for an Office >@adatum. (example @adatum.onmicrosoft.com). ctive Remediating the UPN suffix Remediating replace do not need to the UPN suffix in AD is that you The good news about remediating with Office 365. In fact, you ar your old UPN suffix if it is not federated Follow these general steps to implement SSO using AD FS: Follow these general steps to implement a forest. firstthe original UPN that was used when you created A

Chapter 86

Chapter 3

with the Active Directory DomainsandTrustswith theActiveDirectory MMC: Domains andTrustsActive Directory MMC.ThefollowingstepsshowhowtoaddaUPN alternate UPNsuffixtoyourADforest. To doso,youcanuseWindows PowerShell orthe routable oryoumightnotwanttofederateitforsomereason. Thesolutionistoaddan A commonreason whyyouneedtoaddaUPNmightbebecausethecurrent oneisnot 1.

Figure 3-14 Domainsand Trusts theActiveDirectory Start MMC,asshowninFigure 3-14. ectory Domains andTrustsectory MMC. Active Dir Active

Directory

Federation

Services

Chapter 3 operties the AD UPN. of Services

Accessing the pr

Federation

Figure 3-15 Figure associated with Office 365 On the UPN Suffixes tab, enter the domain name you be added the UPN suffix because it will and click Add. Do not type @ before UPN suffix, type add adatum.com as an alternate For example, to automatically. 3-16. shown in Figure adatum.com and not @adatum.com, as Right-click Active Directory Domain and Trusts and select Properties, in as shown Directory Active Domain and Trusts Right-click 3-15. Figure Directory

3. 2. ctive A

Chapter 88

Chapter 3

suffix. ThedefaultUPNsuffixistheonethatwillbeused by theDir be associatedwiththeuserlogon,butonethatisselected isknownasthedefaultUPN when youcreate a new user, asshowninFigure 3-17.AlltheUPNsuffixeslistedhere will (ADUC)MMC UserandComputers the userlogonnamesettingsinActiveDirectory Now thatyouhaveaddedanalternative UPNtotheforest, itwillappearasanoptionin creating theuser. toselectthecorrect defaultUPNsuffixwhen ate theuserinOffice365,soitisimportant 4.

Click OK. Figure 3-16

Adding analter native UPNtotheforest. Active

Directory ector

Federation y Synctooltocre-

Services

Chapter 3 - - ough owerShell or thr eating a user in ADUC. Services

Setting the default UPN suffix when cr Federation

Directory ctive #Script to update the UPN suffix #Replace the fields indicated with <> with actual field names import-module ActiveDirectory Get-ADUser -SearchBase "ou=,dc=,dc=" -SearchScope OneLevel -filter * | ForEach-Object { Figure 3-17 Figure suffix because it is associated with the AD for It is not possible to change the default UPN UPN the set properly to way a need will you Therefore, firstwas created. forest the when est so that Directory default UPN suffix users correct to the all previous of Sync can cor suffix UPN suffix for to select the correct You will also need the Office 365 account. create rectly 3-16. as shown in Figure done manually, This can be created. new users at the time they are methods such as Windows P This can also be automated using several because it is easy approach Manager (FIM). Automation is the preferred Identity Forefront default UPN suffix for new users. to set the correct to forget is also the method you will use to bulk set users’ default UPN, either Windows PowerShell or by OU. organization-wide of all users in a particular suffix script updates the UPN The following Windows PowerShell OU: A

Chapter 90

Chapter 3 suffix. Figure 3-18 } Set-ADUser-servermail-UserPrincipalName$newUPN-whatif $_| $newUPN=$_.UserPrincipalName.Replace('thomsonhills.com','adatum.com') ForEach-Object { Get-ADUser -SearchBase"dc=thomsonhills,dc=com"-SearchScopesubtree-filter*| import-module ActiveDirectory Windows PowerShell 3.0 script makethechangeswhenyourunit.Figure 3-18showsascriptbeingexecutedinthe changes. Iftheoutputiswhatyouexpect,thenremove the-whatif that whenthescriptisrun,itshowseffectsof thescriptwithoutactuallymakingany default UPNsuffix of thomsonhills.comtoadatum.com.The The nextsamplescriptupdatesanentire domain,insteadof justasingleOU,toreplace the } $_|Set-ADUser-server-UserPrincipalName$newUPN fix>') $newUPN=$_.UserPrincipalName.Replace('','

Directory parametertohavethe parameterisusedso

Federation

Services -

Chapter 3 m of @

Federation

If you do not see it, click the Add Roles link in the Roles Summar If you do not see it, click the Add Roles to to select roles prompted guide you. When you are Let the Add Roles Wizard Server for Web install, select the check box (IIS). the installation. Once complete, the IIS of the rest guide you through Let the wizard will be installed. role In Control Panel, select the Turn Windows features on or off option. on or off Windows features select the Turn Panel, In Control Select Roles in the Server Manager MMC. In the Roles Summary Server see if Web pane, If you (IIS) is listed as an installed role. go straight to the the steps and of done and can skip the rest see it, then you are “Requesting and Installing Certificates” section. Directory

nyName>.onmicrosoft.com. Note legacy NetBIOS method the UPN or by the through AD to authenticate A user can the default UPN suf- suffix and changing UPN (Domain\Username alternate ). Adding an fix for users alternate you add multiple will not affect When logon method. the NetBIOS Sync will use only the but Directoryof the UPNs, can log on with any user a suffixes, UPN is why it is impor- process. That creation the Office 365 account default UPN suffix from 365 or it with Office the domain associated default UPN is set to the sure make tant to the will create Directorythe user with that UPN. Instead, Sync create will not be able to is in the for initial Office 365 UPN suffix, which account with the default 6. 3. 4. 5. 1. 2. ctive Requesting and installing certificates Requesting security the issue of we need to address server, Now that we have IIS installed on the AD FS certificatesFS 2.0. we can install AD before AD FS requires the IIS role on the server. Install the IIS role by following these steps: by following the IIS role Install on the server. the IIS role requires AD FS Aside from the UPN suffix in AD, it is important relies on AD 365 remember that Office to the UPN suffix in AD, Aside from for users List (GAL) information For example, the Global Address attributes for information. you will need to ensure Therefore, on AD information. as well as distribution lists (DLs) rely will be available in Office 365. populated in AD so the information these attributes are serverInstalling IIS on the AD FS You are now ready to protect the IIS Server to protect now ready are with an SSL certificate for the default website. You A

Chapter 92

Chapter 3

Follow these steps to create a certificate request: Follow thesestepstocreate acertificate request Creating certificate the or youcanuseyourenterpriseCAifhaveone. You authority (CA), from aknown certificate have theoptiontopurchase anSSLcertificate will usethedefaultwebsiteinIIS,whichiswhyweinstalledIISfir the “InstallingandconfiguringAD FS 2.0”section,youwillseethattheAD FS installation laterin WhenyouinstalltheAD FS server isfairlystraightforward. Setting upthecertificate the organization. as impersonating dence thattheyare authenticating totheorganization andnotaserver alsoidentifiesthefederationserver, TheSSLcertificate confi givingusers is encrypted. thattheconnection Credentials are transmittedoverthisSSLconnection,soitisimportant between theclientcomputerandADFS server. tosecure thecommunications website, whichneedstobeprotected byanSSLcertificate, You toprotect yourAD FS server. needasecuritycertificate AD FS relies ontheIISdefault 2. 1.

Figure 3-19 thendouble-clicktheicon,asshowninFigure 3-19. Certificates, Server In theIISMMC,selectserver. Inthemiddlepane,scroll downuntilyousee Manager. clickAdministrative Tools,Click Start, (IIS) andthenclickInternet Information Services

Select the Server Certificates optioninIISManagerMMC. Certificates Server Active

Directory st.

Federation

Services -

Chapter 3 Distinguished Name Properties page of the Request Distinguished Name Properties of page Services

Cr eate Certificate Request. Federation

Figure 3-20 Figure Complete all fields in the Certificate Common name text box, 3-21. Note that in the Figure as shown in Wizard, of the federation service.you should enter the fully qualified domain name (FQDN) to your federation serviceFor example, if you plan to refer as fs1.adatum.com, then when you are Click Next required. All fields are enter that FQDN in the text box. done. Create Certificate pane, select Create In the Actions 3-20. as shown in Figure Request, Directory

4. 3. ctive A

Chapter 94

Chapter 3

INSIDE OUT INSIDE Figure 3-21 services involved, including the AD FS service. involved, includingtheADFS service. services benefits whenever and to usingwildcard there certificates are namechanges toservers Webeyond are thescopeof simplypointingoutthatthere discussionforthisbook. are depend onyour posture security andprofessional stanceonthistopic; however, thisis bestpractice.Whetheryousecurity are aproponent of ornotwill wildcard certificates However, there is along,ongoingdebate aboutavoidingasa wildcard certificates namewithouthavingto reissue thecertificate. venience to changethehostorservice becausetheyprovideConsider usingwildcard you theflexibilityandcon- certificates mation required forthecertificate. Infor

The controversy about wildcard about controversy The certificates Active

Directory

Federation

Services

Chapter 3

Services

Cr yptographic Service Properties Provider pagewith2,048bitlength. Federation

Figure 3-22 Figure On the Cryptographic Service Properties you that Provider page, we recommend RSA SChannel Cryptographic select the Microsoft with a bit length of Provider it is more 3-22. Although a 1,024 bit length is acceptable, 2,048, as shown in Figure susceptible to cryptanalytic about certificates information attacks. For more for AD see http://technet.microsoft.com/en-us/library/adfs2-help-certificates(v=WS.10).FS, aspx. Directory

Be careful of name duplication the same as the server service the FQDN federation It is important sure make is NOT to For example, as any other server not be the same In fact, it should in AD. name in AD. federation service your to refer want to you but when as fs1.adatum.com, let us say you set up this server will need this case, you also named it fs1. In AD you to and joined it will not change the serverto installation wizard or the AD FS something else name to 2.0: Guid- FS information, see “AD set the SPN during For more installation. be able to Utilizing a Federation Serviceance for Selecting and at http://social.technet. Name” microsoft.com/wiki/contents/articles/4177.aspx TROUBLESHOOTING 5. ctive A

Chapter 96

Chapter 3

server: onyourIIS of thefilename.Followthesestepstoinstallcertificate extension aspart file,whichusuallyhasa.cer issue it,youshouldnowhaveinyourpossessionacertificate Regardless of from adomain whetheryoupurchasedregistrar orhadyourCA acertificate on IISInstalling certificate the Figure 3-23 requestearlier.file nameweusedwhengeneratedthecertificate As showninFigure 3-23,weissuedthecommandandusedRequest.txtbecausethatis issueyouacertificate: server followthesestepstohaveyourcertificate erwise, provider, from athird-party If youpurchased yourcertificate youcanskipthissection.Oth a certificate to issue authority Using your certificate enterprise 1. 2. 1. 8. 7. 6.

On theADFS server, IISManager. start Certificate Requestfile> certreq -submit-attrib"CertificateTemplate:WebServer"

Using the command on the CA server toissueacertificate. commandontheCAserver certreq Active

Directory

Federation

Services

97 -

Chapter 3 , ecognize it later Edit Bindings, as shown in Figure 3-25. Edit Bindings, as shown in Figure tificate Request in IIS Manager. Services

Complete Cer

Federation

From the AD FS server, start IIS Manager. server, the AD FS From serverIn the Connections pane, expand the ADFS node, and then expand the Sites Site and select Default Web node. Right-click Figure 3-24 Figure your .cer certificate you stored to where for the file name, browse When prompted that will allow you to easily r file and select it. Give it a friendly name the certificate.and complete the installation of In the Connections pane, select the AD FS server, double-click Server double-click server, Certificates the AD FS pane, select In the Connections Certificate pane, and click Complete in the middle pane, as in the Actions Request 3-24. shown in Figure Directory

1. 2. 3. 2. ctive Now that we have installed the certificate,Follow we need to use it for the default website. these steps to apply the certificate to the default website: Protecting the default website with the certificate with Protecting website the default A

Chapter 98

Chapter 3

structure and carry outtheinstallation. structure andcarry Next,wewillplanforourADFS infra isready tohosttheADFS service. Now theIISserver When planningforADFS, there are severalconsiderations from adesign standpoint: Planning theADFS architecture 5. 4. 3. ● ● ● ● ● ● dedicated SQL server fortheAD FS database dedicated SQLserver Whether tousetheWindowsInternal Database(WID) thatcomeswithADFS orusea Whether ornottodeployanAD FS proxy inthefarm The numberof ADFS servers Click OKwhenyouare done,andthenclickClose. when youinstalledit. 3. You should beabletorecognize itbythefriendlynameyougavecertificate youinstalledinStep selectthecertificate In thedrop-down box forSSLcertificate, protocol intheSiteBindingswindow,Select theHTTPS andthenclickEdit. Figure 3-25

Edit thebindingso f theDefaultWeb Site. Active

Directory

Federation

Services

99 -

Chapter 3 - e, it is important to efor Services

T Federation

implementationinanenterprise. proxy andADFS ypical ADFS Directory ctive ment redundancy through the deployment of server farms and failover clusters. However, server of the deployment through and failover clusters. farms However, ment redundancy 2.0 on a serverin the following sections we show you how to install AD FS and how to of SSO and extend enterprise reap the benefits Office 365 to with establish the relationship into Office 365. controls Implementing an AD FS proxy is beyond the scope of this book because it is more an of on- an of this book because it is more the scope of is beyond proxy Implementing an AD FS network and serverpremises rather than an Office 365 discussion. discussion infrastructure or how to imple proxy implementing an AD FS of do not cover the process we Therefore, Figure 3-26 Figure AD FS proxy FS AD allow users if you plan to connect to Office to is recommended role proxy An AD FS is not proxy an AD FS outside the corporate network. Implementing 365 with SSO from 3-26 shows a typical AD FS scenario, but it is a security best practice. Figure in this required architecture. AD FS server FS AD farm servers FS AD the of The number the availability of determines in turn which in the farm, far the most important is by farm, for is the enabler AD FS consideration because design such availability, factors other might affect AD FS that are There AD. through authentication when designing that you also will need to take into consideration as network availability, FS servers deployment. After if your AD for Office 365, your AD FS AD FS you deploy are Ther to Office 365 will not be possible. inaccessible, then access build redundancy at the network and serverbuild redundancy layers. very the At servers AD FS minimum, two a load ended with that is front in a single farm If one server or for is down for maintenance redundancy. the needed balancer will provide still be possible and access to will farm the AD FS authentication through any other reason, be interrupted. Office 365 will not A

Chapter 100

Chapter 3

INSIDE OUT INSIDE ing tasks.At thispoint,youalready shouldhavecompletedthefollowing: theinstallationforADFS 2.0,makesureBefore youhavecompletedallthepreced starting AD Installing andconfiguring FS 2.0 leverage yourADFS farm forotherpurposesbesidesOffice365. only 100trustrelationships. Thislimitationmightbecomeanissueifyouare planningto limitations whenusingWIDthatare notapplicabletoOffice365,suchasbeinglimited nizations, exceptthelargest of enterprises,this isusuallynotaproblem. There are other limitations of usingWID. Formostorga UsingWIDlimitsyourADFS farm tofiveservers. requires youtobeaware ofDeciding whethertouseWIDoradedicatedSQLserver the inthefarm. federationserver mary federationserver. toaprimary There canbeonlyonepri federationserver a secondary becomespermanently unavailable,youwillneedtopromote federationserver the primary are read-only. federationservers Intheeventthat base, whiletheonesonsecondary inthefarm. Thedatabaseonthe FS servers store configurationinformation. Theinformation inthedatabaseis replicated across theAD The ADFS database,regardless of whetheryouchoosetodeployWIDorSQL,isused to federationservers are knownassecondary FS servers , andsubsequentAD federationserver inthefarm isknownastheprimary AD first FS server Database (WID)thatcomeswithADFS, whichisthedefault,oradedicatedSQLserver. The touseeithertheWindowsInternal When deployingADFS 2.0,youhavetheopportunity AD FS database 365. FS environment becomingunavailable andthereby theavailability affecting of Office advantage of to of minimizetherisk adifferent anon-premises typeof AD cloudservice Azure, organizations withouttheabilityto create geo-redundant networks cantake such asWindowsAzure canmake adifference. ByimplementingADFS inWindows AD FSless if isunavailable. (IaaS)solution Thisiswhere an Infrastructure asaService forOffice365ismeaning- level agreement (SLA) 365 becausethe99.9percent service that introducing ADFS addsasinglepointof weakness intheimplementationof Office requirement ratherthananoptionalcomponent.At thesametime,theyare concerned Many decisionmakers inorganizations realize thebenefits of AD FS and regard itasa

Leveraging Windows Azure Windows Leveraging primary federation server isaread-write data- federationserver primary . Active

Directory

Federation

Services

- - 101 -

Chapter 3 ,

Services

Federation

as shown in Figure 3-27. Follow the instructions at the Download Center, which Center, 3-27. Follow the instructions at the Download as shown in Figure the package that the AdfsSetup.exe options. Select eventually will lead you to a list of applies to your server operating system. Download the AD FS 2.0 software. The AD FS software package is a single executable package is a single executable software The AD FS 2.0 software. Download the AD FS Download Center the Microsoft You can download it from file called AdfsSetup.exe. at http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=10909 Create a service account for AD FS. In AD, create a service create account that the AD FS a serviceCreate In AD, account for AD FS. service this service sure will use. Make account is part the Administrators group of this for required memberships are AD group No special server. AD FS the local of AD serviceWe assume you know how to create account; Domain Users is sufficient. details about so we do not provide membership in AD, accounts and assign group how that is done. Understand the requirements for AD FS. Understand the requirements added. by ensuring you have the right UPN suffix Remediate your AD primary existing users the correct have Ensure UPN suffix. server. FS Install IIS on the AD and install the security certificateCreate FS website in IIS on the AD for the default server. Be familiar with the SSO experience your users with the SSO experience Be familiar communication will see and have a plan prepared. Directory

● ● ● ● ● ● Download AD FS from Office365 on Windows features the server to the Turn role through add the AD FS Do not directly instead. AdfsSetup.exe and use Download Panel. link in Control or off TROUBLESHOOTING ● ● ● ● ● ● 2. 1. ctive When you have completed the preceding tasks, you are ready to install AD FS 2.0: to install AD FS ready tasks, you are When you have completed the preceding A

Chapter 102

Chapter 3

4. 3.

Click NextattheWelcome toADFS 2.0SetupWizard page. Run AdfsSetup.exe. Figure 3-27 osoft DownloadCenterwiththeADFS 2.0software. Micr Active

Directory

Federation

Services

103

Chapter 3 Federation osoft Software License Terms for AD FS. License Terms osoft Software Services

Accept the Micr

Federation

Figure 3-28 Figure In the Active Directory Federation Services select the 2.0 Setup Wizard, server click Next. 3-29, and then in Figure option, as shown Read and accept the Microsoft Software License Terms and click Next, as shown in and click Next, as Terms License Software accept the Microsoft Read and 3-28. Figure Directory

6. 5. ctive A

Chapter 104

Chapter 3

Figure 3-30 install, andthenclickNext. the required componentsifneeded.Take noteof thecomponentswizard will As showninFigure 3-30,thewizard will checkforADFS prerequisites andwillinstall Figure 3-29

InstallingADFS prerequisites. Install theADF S server role. S server Active

Directory

Federation

Services

105

Chapter 3 AD FS 2.0 Management snap-in 2.0 Management AD FS Services

Star 2.0Managementsnap-in. t theADFS Federation

Because we selected the check box to startBecause we selected the check box Management snap-in in the AD FS step, it will startthe preceding 2.0 Federation Server this time. Click the AD FS at 3-32. as shown in Figure link in the middle pane, Configuration Wizard Figure 3-31 Figure when this wizard closes, as shown in Figure 3-31, and then click Finish. 3-31, and then click Figure closes, as shown in wizard when this After complete, select Start the installation is the Directory

9. 8. ctive A

Chapter 106

Chapter 3

10.

Figure 3-33 option,asshowninFigure 3-33,andthenclickNext. Federation Service federationserver, selectthe andprimary Because thisisthefirst Figure 3-32 S 2.0 Federation Server ConfigurationWizard. S 2.0FederationServer eate anewFederation Service. AD F Cr Active

Directory Create anew

Federation

Services

107

Chapter 3

Services

Cr farm. eate anewADFS Federation

The wizard will queryThe wizard website in IIS and should select the certificate the default you 3-35. Click Next. in Figure installed on the default website, as shown Figure 3-34 Figure New federation server New federation page, select Deployment or Farm In the Select Stand-Alone serversadd more have the option to 3-34, so you in Figure as shown farm, to the later. farm

Directory

stand-alone AD FS serverProblem FS AD with a stand-alone link for Office being a weak potentially our discussion earlier about AD FS Remember A environment. farm for a production should build an AD FS you 365? For that reason, serverstand-alone AD FS add additional servers to you will not allow later. TROUBLESHOOTING 12. 11. ctive A

Chapter 108

Chapter 3

13.

the DefaultWeb Site. Administrators groupAdministrators of theADFS server. ClickNext. the account.Asareminder, accountmustbeamemberof theLocal theservice (ADDS)orWindowsPowerShell tocreate DomainServices use ActiveDirectory earlier, account,youcan asshowninFigure 3-36.Ifyoudidnotcreate theservice account youcreated Accountpage,selectthe ADFS service aService On theSpecify Figure 3-35

AD FS 2.0 Federation Server Configuration Wizard detects the certificate for ConfigurationWizard detectsthecertificate AD FS 2.0FederationServer Active

Directory

Federation

Services

109

Chapter 3 S service account. Services

Select the AD F

Federation

Figure 3-36 Figure On the Summary configuration. When the the AD FS page, click Next to begin reportsthat configuration is complete, a Configuration Results page will appear any 3-37. issues, similar to the one shown in Figure

Directory

14. ctive A

Chapter 110

Chapter 3

TROUBLESHOOTING setspn -ahost\fed.adatum.com adatum\svc_adfs is adatum\svc_adfs, thecommandwillbefollowing: account qualifiedhostnameisfed.adatum.comandtheservice thefully For example,if setspn -ahost\\ command inalinewindowasanadministrator: optionisusuallysimpler. Thefirst certificate. Once youhave runthefollowing doneso, default website. You hostnameorrevoke caneitherchangetheserver andreissue the issued to the problem iswhenyour hostnameisthesameascertificate thatoccurs You account manually. mightberequired to settheSPNforservice Acommon set not SPN was Figure 3-37

Configuration ResultspageshowingADF

S 2.0wassuccessfullyinstalled. Active

Directory

Federation

Services

111

Chapter 3 - http://support. Knowledge Base (KB) articleKnowledge at 2681584 vice description when accessing the AD FS server’svice description when accessing the AD FS URL. . Services

XML document and ser Federation

microsoft.com/kb/2681584 Download and install the current AD FS 2.0 update rollup. For more information information For more update rollup. 2.0 FS AD and install the current Download see update rollup, about the

Directory

15. ctive Figure 3-38 Figure If the federation server is responding correctly, you will see an XML document similar to the you will see If the federation server correctly, is responding 3-38. one shown in Figure https://fed.adatum.com/FederationMetadata/2007-06/FederationMetadata.xml Testing the federation server federation the Testing Use a client to test that it is responding. 2.0, we need AD FS Now that we have installed enter browser, the client’s From server. FS as the AD the same forest computer located in server the AD FS the URL of and append /FederationMetadata/2007-06/FederationMeta data.xml to the end of the URL. For example, if your federation server’s the URL. For example, if your of data.xml to the end URL is https://fed. as shown in the following example: browser, URL in the client’s adatum.com, enter the A

Chapter 112

Chapter 3

AD FS server is installed on Windows Server 2008 R2 2008 on Windows Server is installed AD FS server that bestdescribesyourenvironment. switch backtoWindowsPowerShell. Followthestepsinoneof thetwofollowing sections To thedomainfrom standard authenticationtoidentityfederation,wewillneed convert tity accounts. identity federationforadomainwillnotaffectoralterthelogonexperienceo thetenantto has avalidtokenfrom apreviously successful authentication.Converting with theUPNsuffix of the domaintoyourAD FS forauthentication,unlessauseralready to identityfederation.ThisactionwillcauseOffice365 redirect access requests byusers yourdomainthatisinOffice365from standard authentication The laststepistoconvert authenticationrequests. safe tosaythatADFS isnowoperationalandcanservice appliedtotheIISserver, certificates testedAD FS, andcanseetheXMLschema,itis sary totheIISserver,Now thatwehaveinstalledIIS,boundtheADFS appliedtheneces- service identity federation thedomainfrom standardConverting authenticationto 4. 3. 2. 1.

use yourOffice365GlobalAdministratoraccountname. Thecredentials you provide willbestored inthe$cred variable.At thelogon prompt, $cred =Get-Credential and password: Enter thefollowingcommand,whichwillproduce alogonprompt forausername ModuleforWindowsPowerShell theWindowsAzure ActiveDirectory cmdlets. Start com/FWLink/p/?Linkid=236297 FWLink/p/?Linkid=236298 ModuleforWindowsPowerShellDirectory islocatedat Windows PowerShell of cmdlets.The32-bitversion theWindowsAzure Active PowerShell Module for cmdlets,formerly knownastheMicrosoft OnlineServices ModuleforWindows Download andinstalltheWindowsAzure ActiveDirectory we are just keeping itconsistent throughout thebook. because we willneeditwhenwe useWindowsPowerShell for Exchange Online,so in avariable However, first. we saved thecredential in a inourexample variable use thecommandConnect-MsolService Technically, whenmanagingidentitywithWindowsPowerShell you cansimply Note

Why save a credential in avariable? acredential save Why and the 64-bit version islocatedathttp://go.microsoft. andthe64-bitversion . . You donotneedto save thecredential Active http://go.microsoft.com/

Directory

Federation f cloudiden-

Services

113

Chapter 3 http://go.microsoft. . of a domain” section. of and the 64-bit version is located at http:// parameter is optional. Use it only if you will be federating parameter is optional. Services

Federation

Note Management a Windows Remote The Enable–PSRemoting command creates service(WinRM) listener on the server on all IP addresses using the HTTP protocol the allow rulesto Windows Firewall port the required through creates 5985. It also port go through application to Management 5985. This allows a Windows Remote commands Windows PowerShell or server workstation remote remote execute to against this server. winrm enumerate winrm/config/listener Enable-PSRemoting -force that the Windows Remote Management service confirm has been configured, To execute the following command to see the configuration details: top-level domains (TLDs) with this Office 365 tenant. other top-level domains (TLDs) Directory Active Download and install the Windows Azure Module for Windows Online Services known as the Microsoft cmdlets, formerly Module for PowerShell Active the Windows Azure cmdlets. The 32-bit version of Windows PowerShell cmdlets is located at Directory Module for Windows PowerShell go.microsoft.com/FWLink/p/?Linkid=236297 Active DirectoryInstall the Windows Azure server a remote Module on running Windows 2008 R2 or on a Windows 7 workstation. and run it as an the shortcut to Windows PowerShell right-click server, On your AD FS Next, enter the following command: administrator. Lastly, enter the following command to convert following command enter the from the domain Lastly, in Office 365. Note that the authentication to identity federation standard -SupportMultipleDomain -SupportMultipleDomain -DomainName Convert-MsolDomainToFederated usually red are messages, which error any Windows PowerShell If you do not receive then your domain now supports will verify this in the identity federation. We in color, conversion a successful “Verifying com/FWLink/p/?Linkid=236298 Enter the following command, which will attempt to connect and authenticate to an to connect and authenticate which will attempt command, Enter the following : in $cred you stored credentials tenant using the logon Office 365 $cred -Credential Connect-MsolService Directory

4. 3. 2. 1. 5. 6. ctive The AD FS serverThe FS AD installed is Server Windows on a on or 2008 SP2 remote 7 workstation Windows A

Chapter 114

Chapter 3

There that federationhasbeensuccessfullyaccomplished: are twomainwaysyoucanverify conversionVerifying of asuccessful adomain 9. 8. 7. 6. 5. ● ● ● ●

Using theADFS 2.0Managementsnap-in Using WindowsPowerShell asuccessfulconversion fying in color, thenyourdomainisnowafederateddomain.We thisinthe“Veri willverify If youdonotreceive anyWindowsPowerShell error messages,whichare usuallyred be federatingothertop-leveldomains(TLDs)withthisOffice365tenant. Note thatthe Convert-MsolDomainToFederated -DomainName -SupportMultipleDomain authentication toidentityfederationinOffice365: Lastly, thedomainfrom standard enterthefollowingcommandtoconvert Set-MsolAdfscontext -Computer Enter thefollowingcommandtosetcontextthatof theADFS server: Connect-MsolService -Credential$cred Office 365tenantusingthelogoncredentials thatyoustored in$cred: Enter thefollowingcommand,whichwillattempttoconnectandauthenticatean the logonprompt, enteryourOffice365GlobalAdministratoraccountname. The credentials youprovide willbestored inavariable called $cred =Get-Credential and apassword: Enter thefollowingcommand,whichwillproduce alogonprompt forausername themodule. Moduleandstart Azure ActiveDirectory orworkstationonwhichyouinstalledtheWindows Return totheremote server we are justkeeping itconsistent throughout thebook. because we willneeditwhenwe useWindowsPowerShell forExchange Online,so in avariable However, first. we saved thecredential ina inourexample variable use thecommandConnect-MsolService Technically, whenmanagingidentitywithWindowsPowerShell you cansimply Note

Why save a credential in avariable? acredential save Why -SupportMultipleDomain of adomain”section. parameterisoptional.Useitonlyifyouwill . You donotneedto save thecredential Active

Directory $cred. Whenyousee

Federation

Services

115 -

Chapter 3

Get-MsolDomainFederationSettings without passing the –DomainName without passing the Services

Results af Federation

ter enteringacommandwiththe Get-MsolDomainFederationSettings –DomainName –DomainName Windows domain by issuing settings for the your federation You - command after365 by using the Connect-Msol to Office you have connected PowerShell Service 3-39. as shown in Figure command, cmdlet. A

Chapter 116

Chapter 3

lowing thesesteps: If foranyreason you needtochangethefederationURLendpoint,youcandosobyfol- associated toanidentityfederateddomain. tologonwithaUPNsuffixthatis will redirect ausertoonceitdetects theuseristrying thatOffice365 orservice The federationURLendpointistheFQDNof thefederationserver Updating thefederationURLendpoint steps below: by lookingatthetrustrelationships intheADFS 2.0Administrationconsole.Followthe You thatafederationtrusthasbeenestablishedbetweenADandOffice365 canalsoverify AD FS 2.0Administrationsnap-in 1. 2. 1.

Start theADFS 2.0Managementconsole. Start Figure 3-40 relationship withtheMicrosoft Office 365IdentityPlatform. as showninFigure 3-40.You inthemiddlepaneforatrust shouldseeanentry pane,expandthe In theleft theADFS 2.0Administrationconsole. Start erifying thatfederationtrusthasbeenestablishedwithOffice365. erifying V Trust Relationshipsnodeandselect Active

Directory Relying Party Trust,

Federation

Services

117

Chapter 3 vice Properties 2.0 MMC. using AD FS Services

Edit Federation Ser

Federation

Figure 3-41 Figure the federation service, propertiesEdit the three of 3-42. as shown in Figure Edit Federation Service node and select Edit Federation root 2.0 FS the AD Properties from Right-click 3-41. shown in Figure as box, the drop-down Directory

3. 2. ctive A

Chapter 118

Chapter 3

3-43. asshowninFigure theADFS 2.0service, Click OKtosavethesettingsand restart Figure 3-42 before 480minutes, theSSOlifetimeisreset. prompted forcredentials for480minutes. Ifthe userlogsoff andlogsonagain ing example,onceauserhasbeenauthenticated byADFS theuserwillnotbe through theWeb SSOlifetimesetting,asshowninFigure 3-42.Inthepreced- can beusedisrepresented bytheSAMLtoken’s whichcanbemodified lifetime, facilitate SSOinOffice365.Theperiod of timethat eachauthenticationcookie 365 consumesthrough theuseof authenticationcookies.Authentication cookies Language(SAML)tokens Markup AD FS thatOffice Assertion 2.0issuesSecurity Note

operties of thefederation service. operties Pr SSO lifetime SSO Active

Directory

Federation

Services

119

Chapter 3 Set Service Add Token-Decrypting certificate, and then click Add Token-Decrypting Services

Restar 2.0servicet theADFS theServices from MMC. Federation

Communications. See Figure 3-44. Communications. See Figure Set-ADFSProperties –AutoCertificateRollover $False Set-ADFSProperties –AutoCertificateRollover your certificate.Skip this step if you do not need to update or generate your Acquire new certificate. your certificate.Skip this step if you do not need to update FS 2.0 the AD From Management console, expand the Service node, and then click node under the root certificate and add your Certificates. In the Actions pane, click Add Token-Signing new certificate. Click Figure 3-43 Figure certificate,If you have a wildcard you do not need to do anything with the certificate, if service. your AD FS name of assuming you did not change the domain However, certificateyou do not have a wildcard and need to add a new certificate, you will first server your AD FS from command need to issue the following Windows PowerShell automatic certificate the AD FS rollover feature: off to turn Directory

6. 7. 5. ctive A

Chapter 120

Chapter 3

9. 8.

Get-MsolDomainFederationSettings –DomainName updated: Moduletodetermine ifthefederationURL endpoint issuccessfully Directory Issue thefollowingWindowsPowerShell commandfrom theWindows Azure Active Update-MSOLFederatedDomain –DomainName Module: Active Directory Lastly, enterthefollowingWindowsPowerShell commandfrom theWindowsAzure Communications. Service Figure 3-44 mand. Refer to previous you sectionsif needto refresh your memory. AD FS server, remember you needto alsoexecute theSet-MsolAdfsContext com- Windows2008R2ora7workstation running andnotfrom your server you if arecommands. Furthermore, executing thesecommandsfrom aremote to connectto namelytheGet-Credential Office365first, andConnect-MsolService Step 8we omitted theWindowsPowerShell commands you would use normally By thistime,you shouldbesomewhatfamiliarwithWindowsPowerShell. Thus,for Note oken-Signing Certificate, Add oken-Signing Certificate, andSet Certificate, Token-Decrypting Add T Active

Directory

Federation

Services

121

Chapter 3

Services

Federation

Users will have to log on with their new temporary to and will be prompted password password. a new permanent provide the virtual in directories your server, from role If you choose to uninstall the AD FS must be done manually. This the default website will not be removed. database will the AD FS your server, from role If you choose to uninstall the AD FS This can be done manually. not be removed. Disabling SSO is also known as converting identity federation to stan- a domain from authentication. dard As with most actions, you will use the Windows Azure Active Directory you will use the Windows Azure As with most actions, and Module to convert domain in Office 365 back to a stan- the federated Windows PowerShell domain. dard prior to federation, will not revert federated user accounts, if they existed Previously they had prior to federation. Office 365 passwords to using the original users. will be generated for all federated passwords Temporary You will specify the path and the name The temporarya file. in stored are passwords of the parameters. the file as one of Directory

● ● ● ● ● ● ● ● After you convert a domain in Office 365 from identity federation to standard authen- After convertto standard you identity federation a domain in Office 365 from will become unusable until with that domain tication, all the user accounts associated also either convert identity federation or until the usersyou are to the domain back be assigned new caution is that the users will need to of converted. word Another passwords. Accounts affected by reverting from identity federation to standard authentication TROUBLESHOOTING ● ● ● ● ● ● ● ● ctive In the event you need to remove AD FS and disable SSO for a domain in your tenant, there there domain in your tenant, disable SSO for a and FS AD you need to remove In the event a few importantare you need to know: things A

Chapter Removing Active Directory Active Services Federation Removing 122

Chapter 3

installed Module Active Directory Windows the Azure has that AD FS server the scenariothatisrightforyouandfollowsteps. adomainfrom federatedtostandard. Choose The followingscenariosshowhowtoconvert AD FS 2.0from theserver. to standard usingWindowsPowerShell. Thesecondstep,whichisoptional,touninstall thedomainfrom federated stepyouneedtotakebreakThe first federationistoconvert authentication adomainfrom identityfederationto standardConverting 5. 4. 3. 2. 1.

–PasswordFile c:\TempPwd.txt Convert-MsolDomainToStandard –DomainNameadatum.com–SkipUserConversion $false discuss shortly. Anactualcommandmightlook somethinglikethis: usingtheConvert-MSOLFederatedUseraccount isconverted backtoidentityfederationoreach unusable untileitherthedomainisconverted generated andtheuseraccountsthatare associatedwiththedomainwillbecome If the–SkipUserConversion [$true|$false] –PasswordFile: Convert-MsolDomainToStandard -DomainName-SkipUserCoonversion server: andtheon-premises AD FS 2.0 Office 365authenticationsystemfederationservice Enter thefollowingcommandtoremove theRelyParty Trust information from the Connect-MsolService -Credential$cred Office 365tenantusingthelogoncredentials youstored in$cred: Enter thefollowingcommand,whichwillattempttoconnectandauthenticatean $cred=Get-Credential variable named$cred: you willusetosupplyyourOffice365credentials, andstore thecredentials ina Enter thefollowingWindowsPowerShell commandtoinitiatealogonprompt, which From theADFS Module. Server, theWindowsAzure ActiveDirectory start

parameterissetto$true,apassword filewill notbe Removing

Active

Directory cmdlet,whichwewill

Federation

Services

123

Chapter 3 to re-establish the the re-establish to [email protected] –NewPassword parameter, then enter this command: then parameter, Bulk conversion of user accounts Services

Why not convert users?

Federation

Note with the –SkipUserConver- Convert-MsolDomainToStandard use you Why would convert so as not to users? such scenario One sion $true parameter might be when occasions been a few have There Trust. Party Relying the re-establish to need you issue, and an AD FS because of Trust Party the Relying remove had to we where and use the Convert-MsodDomainToFederated then turn around convert do not want to really In such a scenario, the users. we Trust. Party Relying Convert-MsolFederatedUser –UserPrincipalName -NewPassword Convert-MsolFederatedUser –UserPrincipalName "" like this: An actual command will look something Convert-MsolFederatedUser –UserPrincipalName "Office365Rocks" Now that we have removed the Relying Party Trust, we need to reset the we need to reset Trust, the Relying Party Now that we have removed to accomplish for the domain. Enter the following command authentication setting this: –Authentication Managed –DomainName Set-MsolDomainAuthentication If you need to manually convert authentication because user accounts to standard you used the –SkipUserConversion $true Directory

#Script to bulk convert users #after Domain has been converted from #Identity Federated to Standard Authentication Cred$=Get-Credential Connect-MsolService –Credential Cred$ Get-MsolUser –All | ForEach-Object { Convert-MsolFederatedUser –UserPrincipalName $_.UserPrincipalName –NewPass- word “Temp-pwd” } It might not be feasible for you to manually convert issuing the to It might not be feasible for you each user by repeatedly bulk convert users, will have you 6. To Step command, as shown in Windows PowerShell users use the and manually convert a list of them. We through iterate a script to write to following example script: 7. 6. ctive A

INSIDE OUT Chapter 124

Chapter 3

farm isremoved. might needtodetermineinthe where thiscontainerislocatedbefore thelastADFS server SharingContainerinActiveDirectory.need todoisremove theCertificate To doso,you of isremoved theuninstallationprocess. aspart Oneof themanualstepsyou everything As youcansee,uninstallingADFS completelywillrequire afewmanualstepsbecausenot To SharingContainer, determine thelocationof theCertificate followthesesteps: inthefarm. stalling thelastADFS server PowerShell commandstoreveal thelocationof thecontainerhavetoberunpriorunin we justneedtodeterminelocation.We thecontainer’s dothisnowbecausetheWindows The actualremoval SharingContainerwillbe carried outlater. of theCertificate Fornow, do thismanually. SharingContainerisnotautomaticallydeleted,sowewillneedto uninstall, theCertificate SharingContainerinActiveDirectory. andfarm, itcreates aCertificate Whenyou server When weruntheADFS ConfigurationWizard duringinstallationtocreate anewAD FS Directory Container Sharing in DeterminingActive location the of Certificate the The followingprocess completelyremoves ADFS: Completely uninstallADFS 2.0 3. 2. 1. ● ● ● ● ● ● ● ●

CN=ADFS,CN=Microsoft,CN=Program Data,DC=thomsonhills,DC=com. information revealed bytheWindowsPowerShellthe pertinent scriptis 3-45. We willusethisinformation atalaterstep.Intheexamplebelow, Take noteof theCertificateSharingContainer Get-AdfsProperties Add-PsSnapin Microsoft.Adfs.Powershell Execute thefollowingWindowsPowerShell commands: From anADFS server, WindowsPowerShell. start SharingContainerinActiveDirectory.Manually remove theCertificate directoriesRestore and IISbymanuallyremoving virtual inthefarm. Uninstall ADFS from theserver(s) SharingContainerinActiveDirectory.Determine thelocationof the Certificate property, asshown inFigure Removing

Active ADFSAppPool.

Directory

Federation

Services

125 -

Chapter 3 - Services

T thevalueforCertificateSharingContainer. ake noteof Federation

Open Control Panel and in the Category view, click Programs. and in the Category Panel view, Open Control Figure 3-45 Figure The GUID for the AD FS farm in this example is CN=2e9a65b9-3a14-43e1-b9ec- in this example farm for the AD FS The GUID your farm. the GUID of note of d965fb6272c5. Take Directory

1. ctive Uninstalling AD FS 2.0 FS AD Uninstalling your from 2.0 role the AD FS if you need to remove As mentioned earlier in the chapter, you will need to follow these steps: server, Now that we know the location of the Certificate Sharing Container, we can start uninstall the CertificateNow that we know the location of Container, Sharing ing AD FS 2.0 from the servers 2.0 from ing AD FS in the farm. A

Chapter 126

Chapter 3 was created isnamed ADFSAppPool, asshowninFigure 3-47. tual directories that were created inIISare /adfsand/adfs/ls,theapplicationpoolthat ofnot removed theuninstallprocess, aspart soyouwillhavetodothismanually. Thevir directories inIISandanapplication poolforADFS.2.0, thesetupcreated Theseare virtual Uninstalling ADFS 2.0 doesnotrestore IIStoitsoriginal state.WhenyouinstalledADFS Restoring IIS 3. 2.

Figure 3-46 shown inFigure 3-46. 2.0componentandclickUninstall,as FederationServices Select theActiveDirectory 2.0component. Services Federation Select theViewInstalledUpdateslinkandsearch fortheActiveDirectory

Uninstall ActiveDir ectory Federation Services 2.0. FederationServices ectory Removing

Active

Directory

Federation

Services

- 127

Chapter 3 Services

Vir Federation

andapplicationpool. directories tual adfs In IIS, navigate to the /adfs/ls directory. the directory 3-48. in Figure and select Remove, as shown Right-click Directory

1. 2. ctive Figure 3-47 Figure follow these steps: application pools, and directories, the application, remove To A

Chapter 128

Chapter 3

4. 3. the Actionspane. Right clickitandselectRemove,asshowninFigure 3-49,orsimplyselectRemoveon Select theApplicationPools nodeandlocatetheADFSAppPool applicationpool. Repeat thesamestepsfor/adfsdirectory. Figure 3-48

Remove theapplicationin/adfs/ls. Removing

Active

Directory

Federation

Services

129

Chapter 3 SAppPool application pool. SAppPool Services

Remove the ADF

Federation

Figure 3-49 Figure and Open Windows Explorer the actual directories. we need to remove Lastly, navigate to %systemdrive%\inetpub. the \adfs directory 3-50. in Figure and select Delete, as shown Right-click Directory

6. 5. ctive A

Chapter 130

Chapter 3

from ADbyfollowing thesesteps: Sharing Container. We willnowuse thatinformation tomanuallyremove thecontainer From anearlierstep,youshouldhavegathered thelocationinformation fortheCertificate Removing the Certificate Sharing Container 1.

. library/cc773354.aspx a workstation,see“ADSI Edit(adsiedit.msc)” athttp://technet.microsoft.com/en-us/ thatisnotrunning Windows2008oron If youneedtoinstallADSIEditonaserver 3-51. ClickRun,andthentype role installed,click Start. DomainServices thathastheActiveDirectory From aWindows2008 orlaterServer Figure 3-50

Delete the\adfssubdir ectory. Removing ADSIEdit.msc, asshowninFigure

Active

Directory

Federation

Services

131

Chapter 3 Services

Right Run ADSIEdit.msc. EditandselectConnectto. -click ADSI

Federation

Figure 3-52 Figure Figure 3-51 Figure 3-52. Connect to, as shown in Figure ADSI Edit and select Right-click Directory

2. ctive A

Chapter 132

Chapter 3

4. 3. and finallyCN=ADFS. Navigateinthatorder, asshowninFigure 3-54. DC=thomsonhills,DC=com, expandCN=Program Data,followedbyCN=Microsoft, Applying thisinformation from toourexample,andreading backward starting CN=ADFS,CN=Microsoft,CN=Program Data,DC=thomsonhills,DC=com. beginning.Inourexample,wenotedthat thecontainerisat collected atthevery SharingContaineryou Refer tothelocationinformation of theCertificate Figure 3-53 Figure 3-53.ThenclickOK. Under ConnectionPoint, clickSelectawell-knownNamingContext,asshownin

Select thedefaultnamingcontext. Removing

Active

Directory

Federation

Services

133

Chapter 3 tificate Sharing Container in ADSIEdit.msc. -click, and delete the GUID that matches the AD FS farm. AD FS -click, and delete the GUID that matches the Services

Locate, right Locating the Cer

Federation

Figure 3-55 Figure Figure 3-54 Figure an from have that information should already You the farm. Look for the GUID of looking for is 2e9a65b9-3a14-43e1- are earlier step. In our example, the GUID we GUID and the appropriate Right-click 3-55. b9ec-d965fb6272c5, as shown in Figure select Delete. Directory

5. ctive You have now completely uninstalled AD FS and manually cleaned up all the objects and and manually cleaned up have now completely uninstalled AD FS You by the uninstallation process. not removed settings that were A

Chapter 134

Chapter 3 Summary native andredundant optionssuchasWindowsAzure IaaStosupplementyourADFS farm. cated. Investinthetimeandarchitecture tobuildarobust ADFS farm andconsideralter whoare willbeunavailableforusers notyetauthenti whatever reason, Office365services tication toyouron-premises ADFS farm. Therefore, iftheADFS farm isunreachable for tostress thatwhenyouturn onSSO,It isalsoimportant youare in factdeferringauthen this chapterlessdaunting. ing todeployOffice365,” shouldhaveprepared yourenvironment andmadethe tasksin Synchronization.”“Directory Theplanningworkyoudid in Chapter2,“Planningandprepar Sync),whichwewillcoverChapter4, synchronizationrequirement (Directory fordirectory forest hasaroutable intheforest. UPNsuffixthat you willassigntotheusers Thisisalsoa thingistoensure thatyour analyze yourADforOffice365 readiness. Themostimportant assessment. Asareminder, theMicrosoft Office365DeploymentReadiness Toolkit will With mostenterpriseOffice365deployments,weadvocateanActiveDir tant of whichisahealthyActiveDirectory. E4) suiteofferings. There are manytechnologiesthatmadethis possible,themostimpor enterprises andavailableonlyintheOffice365Enterprise(A1/G1/E1,A3/G3/E3,orA4/G4/ In thischapter, andimplementedSSO, weundertook akeycomponentthatisuniqueto ector y health Summary

- - - 135 - -

Chapter 3

CHAPTER 12 Mailbox migration and administering Exchange Online

Mailbox migration options...... 565 Administering Exchange Online...... 608 Moving mailboxes back to on-premises Exchange. . . . 603 Compliance, Legal Hold, and eDiscovery concepts . . . 621 Decommissioning on-premises Exchange...... 607

n Chapter 10, “Introducing Exchange Online,” we covered the different models of deploying Exchange Online, and in Chapter 11, “Planning and deploying hybrid I Exchange,” we implemented an Exchange Online hybrid environment. We also per- formed tests to confirm key mailbox operations.

Now that you have incorporated Exchange Online in your environment, it is time to discuss mailbox migration options and administering the different messaging workloads. As we mentioned before, this book is about Office 365, so we will focus only on Exchange Online and hybrid administration topics in this chapter. Mailbox migration options There are three primary types of migration options:

●● Cutover migration

●● Staged migration

●● Hybrid deployment migration

A cutover migration is a process where all on-premises mailboxes and contents are migrated as a single batch and is applicable to Exchange 2003, 2007, 2010, and 2013 with fewer than 1,000 mailboxes. You must disable directory synchronization if you would like to do a cutover migration.

A staged migration is a process where a subset of mailboxes and content is migrated in several batches over time and is applicable only to Exchange 2003 and 2007. A staged migration is typically the approach if you have more than 1,000 mailboxes. A special consideration for staged migration is that you need to identify mailboxes that must be in the same migration batch. The mailboxes of individuals participating in delegate permissions must be kept together. Therefore, they need to belong to the same batch when you plan a staged migration.

565 - Online

Exchange administering and

Migration options. migration ailbox M nizing Active Directory (AD) objects to Office 365, you need to use a staged migration or migrate using a hybrid deployment. Figure 12-1 Figure migration Cutover or less. The other with 1,000 mailboxes A cutover migration is ideal for organizations important is that directory for a cutover migration has not requirement synchronization users in for this is because the cutover migration will create been established. The reason if directory synchro is already Therefore, synchronization Office 365 as partof the process. If your organization has Exchange 2010 or 2013 with more than 1,000 mailboxes, you will you will 1,000 mailboxes, than or 2013 with more has Exchange 2010 If your organization implemented in which is what you hybrid deployment, an Exchange need to implement Chapter 11. a flowchart 12-1 shows Figure to your organization migration options available depicting configuration. based on your on-premises

Chapter 566

Chapter 12

lowing processes occur: pens whenyouexecuteacutovermigration.Whenmigrationisinitiated,thefol- Before welookathowacutovermigrationissetup,itusefulforyoutoknowwhathap migrate mailbox data from youron-premises ExchangetoOnline. can alsouseWindowsPowerShell toprovision newExchangeOnlinemailboxes, andthen upgraded tothelatestrelease, thisisdonethrough theExchangeControl Panel (ECP).You release of Office365.Fororganizations thatare currently onOffice365buthavenotbeen A cutovermigrationisinitiatedthrough theExchangeadmincenter(EAC) forthelatest initiating thecutovermigration.ConfiguringAutodiscover was cover You havetheoptiontouseAutodiscoverormanuallyconfigure connectionsettingspriorto ● ● ● ● ● ● ● ● ● ● complete. Theemailnotificationwillcontaintwo reports: theadministratorthroughfinal synchronization emailthatthe migration is andnotify ing emailstotheonlinemailboxes andendthemigration.Exchangewillconducta When youare ready rout tocompletethe migration, changetheMXrecord tostart synchronization. of theprocess Thispart iscalledincremental 24hours. online mailboxes every On-premises mailbox contentsare synchronized withtheircorresponding cess iscalledinitialsynchronization. on-premises mailboxes of totheircorresponding onlinemailboxes. thepro Thispart - thenmigratesthecontents,contacts,and calendaritemsfrom The migrationservice On-premises distributiongroups andcontactsare migratedtoExchangeOnline. on-premises Exchange2003or2007address book. provisions newmailboxes inExchangeOnlinebyreading the The migrationservice ❍ ❍ ❍ ❍ accounts as part of themigrationprocess.accounts aspart tial logon.Rememberthatthisisbecausethecutovermigration cr password ini- assigned toeachmailbox that theuserwillneedtochangeafter corresponding number of alsoincludesaunique itemsmigrated.The report MigrationStatistics.csv MigrationErrors.csv migrate andinformation abouttheerror.

This report containsalistofThis report mailboxes thatfailedto eport containsalistof mailboxeseport andthe This r Mailbox ed inChapter11.

m igration eates new

o ptions

567 - -

Chapter 12 Manage My Organization menu item. Manage My Organization A. Online

ough the Exchange

Access the ECP thr Options menu in OW administering

and migration

Figure 12-3 Figure Figure 12-2 Figure as shown in My Organization, Select the Manage Myself option, and then select 12-3. This will take you to the ECP. Figure Log on to Outlook Web App (OWA). Outlook Web Log on to select window, OWA the of corner located at the upper-right On the Options menu 12-2. in Figure See All Options, as shown

ailbox 3. 1. 2. M Cutover migration with the ECP with migration Cutover using the ECP: a cutover migration steps to execute Follow these

Chapter 568

Chapter 12

9. 8. 7. 6. 5. 4.

addresses orbyusingtheBrowse buttontoselectfrom theglobaladdress list. Provide shouldbesenttobytypinginthe emailaddresses thatthemigrationreport will beprompted toprovide aname forthebatchmigration. Autodiscover ormanualconnectionsettings.Whenthe issuccessful,you withthe ECP willtesttheconnectiontoyouron-premises Exchangeserver three mailboxes simultaneously, andthemaximum is50.ClickNext. enter thenumberof mailboxes tomigratesimultaneously. Thedefaultis tomigrate Provide emailaddress, anadministrator’s logonwithacredential andpassword, and IMAP formailbox contentmigration,andthenclickNext. Select whethertouseAutodiscover, manuallyconfigure connection settings, oruse this page.To create anewcutovermigration, click New. resume, pause,ordeletetheprocesses byusingthecontrolsyou canedit,start, on errors. If there are anyexistingmigrationprocesses, youwillseethemlistedhere and The mainpaneshowsmigrationprocesses andtheircorresponding statusesand Figure 12-4 as showninFigure 12-4. selecttheE-MailMigrationtabon When theECPappears,

Exchange Contr ol Panel (ECP). Mailbox Users &GroupsUsers page,

m igration

o ptions

569

Chapter 12

dex- . . Online

Exchange

. The Office 365 admin center administering

and migration

Figure 12-5 Figure pane on the left, on the select recipients the migration tab, and then click In the EAC, 12-6. as shown in Figure Access the Office 365 admin center at https://portal.onmicrosoft.comAccess the Office 365 12-5. After as shown in Figure the Admin menu, select Exchange from authentication,

Note a cutover 365 through Office to information migrating all mailboxes about For more see http://help.outlook.com/en-us/140/ms.exch.ecp.emailmigrationwizar migration, changelearnmore.aspx ailbox 3. 1. 2. M Cutover migration with EAC with migration Cutover the ECP will not be an available Office 365, of is using the latest release If your organization initiate a cutover graphical user interface To will use the EAC. (GUI) option. Instead, you follow these steps: EAC, migration using the

Chapter 570

Chapter 12

5. 4.

Next. then provide anon-premises administratorcredential, asshowninFigure 12-8.Click Provide theemailaddress of any one of themailboxes thatwillbemigrated, and Figure 12-7 shown inFigure 12-7.SelecttheCutovermigrationoption,andthenclicknext. Select MigratetoExchangeOnline.You willbeprovided withmigrationoptions,as Figure 12-6 C withthemigrationoptions.

The EA Migration optionsintheEA C. Mailbox

m igration

o ptions

571

Chapter 12 Online

Exchange

Name the cutover migration. Cr administering

foranewcutovermigrationbatch. edentials andemailinformation and migration

Figure 12-9 Figure Figure 12-8 Figure 12-9, and then click Next. as shown in Figure Enter a name for the cutover migration, ailbox 6. M

Chapter 572

Chapter 12

processes occur: happens duringastagedmigration.Whenyouinitiatemigration,thefollowing Before weexaminehowtosetupastagedmigration,itisusefulforyouknowwhat synchronization isalready implemented. method ifdirectory mailboxes tomigratethrough a.csvfile.Stagedmigrationistheappropriate migration It issimilartoacutovermigrationexceptthatyouhavetheabilityidentif A stagedmigrationisinitiatedthrough theEAC, theECP, orthrough WindowsPowerShell. Staged migration 7. ● ● ● ● ● ●

property. mailbox, theywillberedirected toExchangeOnlinebecauseof theTargetAddress without anyMXrecord changes.Thisisbecauseifemailsarriveatthe on-premises usingthemailboxMailbox contentsare can start notmigratedyet,buttheusers an emailwithalistof mailboxes thathavebeensuccessfullycreated andconverted. theTargetAddressAfter ofproperty theon-premises mailbox with theemailaddress of thecloudmailbox. theMEUsintomailboxes andpopulatestheTargetAddress thenconverts The service (MEU) inOffice365. inthe.csvfileisamail-enableduser for the.csvfile,andchecksthateachentry synchronization isconfigured, prompts checksthatdirectory The migrationservice Figure 12-10 Figure 12-10,andthenclicknew. themigrationiscomplete,asshownin shouldbesenttoafter addresses thatareport themigrationandprovide email Choose toeithermanuallyorautomaticallystart t migrationandemailaddress of administrators. Star property hasbeenupdatedforallmailboxes, youwill receive property Mailbox

m igration y asubseto

o ptions

f 573

Chapter 12 ed. Simply Online

This Boolean attribute specifies whether the user must This Boolean attribute specifies whether Exchange

This is the SMTP address of the mailbox and is the only required and is the only required the mailbox of This is the SMTP address administering The password that will be set for the cloud-based mailbox after that will be set for the cloud-based mailbox it is The password

and migration

migrated. This is an optional attribute and is not required if single sign-on (SSO) is is not required migrated. This is an optional attribute and it will be ignored. in the .csv file and SSO is enabled, enabled. If you set the password to your configuration. blank if it does not apply Simply leave this box change the password when first logging on to the cloud mailbox. The value is either when first logging on to the cloud mailbox. change the password if SSO is enabled. not required . This is also an optional attribute and is or False True SSO is enabled, it will be ignor If you set this attribute in the .csv file and configuration. blank if it does not apply to your leave this box EmailAddress Password ForceChangePassword At this point, you can create and start can create this point, you At migration batches. additional so that email will be MX records done with migration, change the When you are the migration. The can then complete You to the online mailboxes. delivered directly migration service will carry out any necessary every to make sure cleanup and checks migrated. A final status has been mailbox on-premises MEU that has a corresponding report be sent to the administrator. will then The migration serviceThe migration then starts contacts, and calendar the contents, to migrate online mailboxes. to their corresponding mailboxes the on-premises items from another report migration is done, When content administrators. is emailed to attribute. ● ● ● ● ● ● ● ● ● ● ● ● ailbox M The first order of business to carry The first a .csv file containing order is to create out a staged migration .csv file is the header of the row to migrate. The first you want mailboxes the attributes of and should contain only the following attribute names: row Creating a .csvCreating file

Chapter 574

Chapter 12

INSIDE OUT INSIDE Follow thesestepstoinitiateastagedmigrationusingtheECP: migrationStaged with ECP attributes. ECP, theEAC, orWindowsPowerShell. the.csvfilecancontainonlythese Furthermore, A .csvfileis required regardless whetherthestagedmigrationisinitiatedthrough the Figure 12-11 upon initiallogontotheirrespective cloudmailboxes. mailboxes toNewPa$$word, andrequire onlyAnnaandScotttochangetheirpassword the stagedmigrationprocess tomigratefivemailboxes, setthepassword forthenewcloud Figure 12-11showsanexampleof a.csvfileforstagedmigration.Thiswillcause 2. 1. UTF-8 encoding. non-ASCIIorspecialcharacters inyour .csvfile,thensave itwith If you needto support

See AllOptions,asshowninFigure 12-2. From theOptionsmenulocatedatupper-right corner of theOWA window, select Log ontoOWA.

Contents o

Support for non-ASCII for characters Support f a.csvfileforstagedmigration. Mailbox

m igration

o ptions

575

Chapter 12 - Users & Groups page, as page, Groups & Users Automatically detect connections set Automatically detect Manually specify connection settings

E-Mail Migration tab on the on tab Migration E-Mail Online

Exchange administering and

Exchange 2007 and later versionsExchange 2007 and later versionsExchange 2003 and IMAP tings with Autodiscover ❍ ❍ ❍ ❍ ❍ ❍ migration

shown in Figure 12-4. shown in Figure Provide an administrator’s email address, log-on credential, password, and the password, log-on credential, an administrator’s email address, Provide The default is to migrate three to migrate simultaneously. mailboxes number of and the maximum is 50. simultaneously, mailboxes When the ECP appears, select the select appears, ECP the When use Autodiscover migration batch and decide whether to a new Click New to create to manually specifyto detect settings or by selecting the option that the settings applies to your scenario: Manage Myself option, and then select My Organization, as shown in select My Organization, option, and then Manage Myself Select the 12-3. Figure

ailbox 6. 3. 4. 5. M

Chapter 576

Chapter 12

Figure 12-12 in Step7.Thebatchnamecannotcontainspacesorspecialcharacter directed inadditiontotheadministratoridentified tootheradministrators the report identified inStep7. You canprovide additionalemailaddresses ifyouwanttohave emailaddress willbesenttotheadministrator’s 12-12. Notethatbydefault,areport and file,thenprovide anameforthisstagedmigrationbatch,asshowninFigure When prompted forthe.csvfile,clickBrowse buttontonavigatethelocation

Upload a.csvfile,batchname,andr eport. Mailbox

m igration s. ClickNext.

o ptions

577

Chapter 12 Online

Exchange

V witha.csvfile. alidation errors administering and migration

Figure 12-13 Figure Click Close. the staged batch migration you just created On the E-Mail Migration page in the ECP, 12-14. Select it and click Startshould be listed, as shown in Figure to begin the batch migration. The migration wizard will verify the .csv file and contents to make sure there are no are will verify there wizard The migration contents to make sure the .csv file and see you will errors, validation are there migration batch. If the creating before errors link to details Show error 12-13. Click the in Figure as the one shown such a warning addresses be invalid email could The errors the errors. about information get detailed In this particular in the .csv file. errors or formatting in had an email address case, we formatted. not properly the .csv file that was

ailbox 10. 9. 8. M

Chapter 578

Chapter 12

Follow thesestepstoinitiateastagedmigrationfrom theEAC: astagedmigrationfrom theEAC issimilartoacutovermigrationfromStarting theEAC. migrationStaged with EAC 3. 2. 1. 11.

tab, asshowninFigure 12-6. In theEAC, andthenselectthemigration selectrecipients onthepane ontheleft and selectExchange,asshowninFigure 12-5. authentication,clicktheAdmin menuontheupper-rightAfter corner of thepage Access theOffice365admincenterathttps://portal.onmicrosoft.com are alsolistedalongwiththemigrationbatch. Figure 12-14.Thestatusof themigration,numberof mailboxes migrated,anderrors batch migrationandlookingatthestatisticslocatedinrightpane,asshown themigration,youcanmonitorprocess byselectingthe youhavestarted After Figure 12-14 ting amigrationbatch. Star Mailbox

m igration .

o ptions

579

Chapter 12 om the list of migration options. om the list of Online

Exchange

Select Staged migration fr administering and

Migrate to Exchange Online. You will be provided with migration options, one of of one options, migration with provided be will You Online. Exchange to Migrate migration

Figure 12-15 Figure Select next. 12-15, and then click Figure it, as shown in staged migration. Select which is a ailbox 4. M

Chapter 580

Chapter 12

Figure 12-16 display thatinformation, asshowninFigure 12-16.Clicknext. wizard willread the.csvfile,determine the number of mailboxes tobemigrated,and Click theBrowse button, navigatetothelocationof the.csvfile,andselectit.The

Selecting the.csvfileinEA C migrationwizard. Mailbox

m igration

o ptions

581

Chapter 12 Online

Exchange

Pr toon-premises anaccountwithpermissions of ovide credentials administering and migration

mailboxes. Figure 12-17 Figure Provide account credentials of an account that has access to the on-premises access to the on-premises an account that has of credentials account Provide down-level format The account is in the to be migrated. that need mailboxes name the user principal 12-17. Do not use in Figure name), as shown (domain\user next. account name. Click (UPN) as the ailbox 6. M

Chapter 582

Chapter 12

8. 7.

Figure 12-19 Give themigrationbatchaname,asshowninFigure 12-19,andthenclicknext. Figure 12-18 Figure 12-18.Entertheinformation, ifrequested, andclicknext. settings,asshownin so, youwillneedtomanuallyprovide youron-premises server toautomaticallydetectsettings.Ifitisnotabledo The migrationwizard willtry ovide anameforthis phasedmigrationbatch. Pr Connection settingsintheeventthatautomaticdetectionfails. Mailbox

m igration

o ptions

583

Chapter 12 Online

Exchange

Star Select r ting thephasedbatchmigration. eport recipients. administering and migration

Figure 12-21 Figure Figure 12-20 Figure After you can view its status and start the migration batch is created, the EAC, it from 12-21. as shown in Figure Click browse to select administrators who should receive a report a administrators to select who should receive the migration when Click browse migration batch. the Click new to create 12-20. as shown in Figure is completed,

ailbox 10. 9. M

Chapter 584

Chapter 12

migration. IMAP batchmigration.You canalsouseWindowsPowerShell toinitiateanIMAPbatch Like cutoverandstagedmigrations,youwilluseeithertheECPorEA dar items,andtaskscannotbemigratedwiththeIMAPmethod. tain more allthree than50,000 rows. attributesare Furthermore, required. Contacts,calen The .csvfileforanIMAPmigrationbatchmustnotbelarger than10MBandcannot con- whom youwanttomigratecontent. assumes youhavecreated mailboxes inExchangeOnlinefortheon-premises for users Office 365andwouldliketo use theECPtoinitiateanIMAPmigration.Thissection Follow thesestepsifyourorganization hasnotbeenupgradedtothelatestrelease of IMAP migration with ECP the tain onlythefollowingattributenames: migrate toExchangeOnline.Thefirst row of the.csvfileisheader rowandshouldcon Create a.csvfiletotarget theon-premises mailboxes users’ whosecontentyouwantto fileCreating a.csv migration, there are twomanualtasks youmustperform: the IMAPprotocol enabledtouseanIMAPmigrationmethod.Priorinitiating IMAP Exchange Online.Asthenameimplies,on-premises emailsystemwillneedtohave An IMAPmigrationiscommonlyusedinmigrationsfrom non-Exchangeemail systemsto IMAP migration 1. ● ● ● ● ● ● ● ● ● ●

Log ontoOWA. Password server. UserName Note thatthisisnottheSMTPaddress; thisistheuserIDinOffice365. EmailAddress you willbemigrating. Create a.csvfilewiththeemailaddress, username,andpassword foreachmailbox migrate. Create theExchangeOnlinemailboxes whosemailbox forusers contentsyouwantto box server.

This isthepasswor This istheuserlogonnameforon-pr

This istheuserIDfor d for the user’s accountontheon-premisesd fortheuser’s IMAPmail ’s cloud-basedmailbox inUPNformat. emises mailbox ontheIMAP Mailbox C GUItoinitiatean

m igration

o ptions

585 - - -

Chapter 12 Online

Exchange

IMAP ser ver settings. administering and migration

Figure 12-22 Figure Manage Myself option at the upper left, and select My Organization, as shown as Organization, My select and left, upper the at option Myself Manage the Select the ECP. This will take you to 12-03. in Figure Users 12-04, select E-Mail Migration under & Groups. as shown in Figure In the ECP, then select IMAP. New, a new IMAP migration, click create To of the the fully qualified domain name (FQDN) 12-22, provide As shown in Figure email serveron-premises in the IMAP server the authentication type, Select box. Finally, encryption level, and the IMAP port port standard if it is not the 993 for IMAP. to simultaneously migrate. Click Next. mailboxes specify the number of From the Options menu located at the upper-right corner of the OWA window, select See See select window, OWA the of corner upper-right the at located menu Options the From 12-2. as shown in Figure All Options,

ailbox 5. 6. 2. 3. 4. M

Chapter 586

Chapter 12

follow thesestepstoinitiateanIMAPmigration: If yourorganization isusingthelatestrelease of Office365and wouldliketousetheEAC, IMAP migration with EAC the 4. 3. 2. 1. 15. 14. 13. 12. 11. 10. 9. 8. 7.

of whichisIMAPmigration.Selectit,andthenclicknext. Select MigratetoExchangeOnline. You willbeprovided withmigrationoptions,one in Figure 12-6. In theEAC, underrecipients, selectthe migrationtabfrom themainpane,asshown and selectExchange,asshowninFigure 12-05. authentication,clicktheAdmin menuontheupper-rightAfter corner of thepage Access theOffice365admincenterathttps://portal.onmicrosoft.com delivered tothecloudmailboxes. themigrationiscompleted,changeyourMXrecordsAfter sothatnewmailwillbe window. toinitiatethemigration. Select it,andthenclickStart The IMAPmigrationbatchshouldnowappearinthelistECPE-MailMigration Review theinformation aboutthemigrationbatch,andthenclickClose. are noerrors, youwillbenotifiedthatthe.csvfilesuccessfullypassedchecks. Exchange Onlinewillcheckthe.csvfiletoensure thatnoerrors are detected.Ifthere bottom of ClickNext. thepageandadd otheradministrators. To clickBrowse sendcopiesof tootheradministrators, atthe themigrationreport youwanttoexcludearethis stepuntilallthefolders addedtothelist.ClickOK. exclusion list.Makesure youtypethenameof Repeat thefolderexactlyasitappears. Type thenameof thefolderandclickAdd buttontoaddthefolder suchascontentsintheDeletedItemsfolder.folders, toexcludeifyoudonotwantmigratethecontentsofClick Addfolders certain special characters. for theIMAPmigrationinBatchnamebox. Batchnamescannothavespaces or Click theBrowse button tonavigatethelocationand.csvfile.Provide aname for the.csvfile. withtheIMAPprotocol. Ifsuccessful,itwillprompt you the on-premises mailserver The migrationwizard willtesttheconnectionsettingsbyattemptingtoconnect to Mailbox

m igration .

o ptions

587

Chapter 12 Online

Exchange

Pr settings. ovide IMAPconnection administering and

Move configuration page, provide a name for the migration batch, and then click then and batch, migration the for name a provide page, configuration Move migration

next. On the On Figure 12-23 Figure and Exchange Online can connect to the correct If the IMAP settings in Step 7 are a to create information will use the the wizard serveron-premises IMAP, through the migration endpoint page, click next. migration endpoint. On the Confirm After about the information been successfully created, the migration endpoint has next. the endpoint will be displayed on the IMAP migration configuration page. Click Exchange Online will check the .csv file to ensure that no errors are detected. If there detected. If there are no errors that .csv file to ensure Online will check the Exchange Click next in the .csv file. detected mailboxes see the number of you will no errors, are to continue. server email the on-premises the FQDN of in the 12-23, provide As shown in Figure IMAP server encryption Select the authentication type, box. level, and the IMAP port to mailboxes specify the number of Finally, portif it is not the standard 993 for IMAP. Click next to continue. simultaneously migrate. Click the Browse button and navigate to the location and the .csv file. Click Open, the .csv file. Click to the location and button and navigate Click the Browse next. and then click

ailbox 9. 10. 8. 7. 5. 6. M

Chapter 588

Chapter 12

erShell byfollowingthesesteps: A cutovermigrationtoExchangeOnline2010canbedonethrough remote WindowsPow- 2010 Online 365UsingExchange Windows PowerShell with remote with Office not. are slightlydifferent dependingonwhetheryouare using thelatestrelease of Office365or Windows PowerShell canbeusedtoinitiatecutoverorstagedmigrations.Thecommands Migration usingremote WindowsPowerShell 4. 3. 2. 1. 13. 12. 11.

Standard Time"> concurrent migrations>-TimeZone -ExchangeConnectionSettings Create themigrationbatchbyenteringfollowing command: privileges totheon-premises mailboxes. When prompted, enter theon-premises credentials of auserwhohasfullaccess (Get-Credential) –ExchangeServer -RPCProxyServer $MigrationSettings =Test-MigrationServerAvailability–Exchange –Credentials Create aconnection stringcontainingthemigrationsettings: Import-PSSession $Session-AllowClobber -AllowRedirection https://ps.outlook.com/powershell/ -Credential$cred-Authentication Basic $Session =New-PSSession-ConfigurationNameMicrosoft.Exchange-ConnectionUri Connect-MsolService -Credential$cred $cred =Get-Credential Import-Module MSonline Connect toExchangeOnlinebycreating aPSSession Online. yourMXrecord migrationiscomplete,modify topointOffice365Exchange After to create thebatch. itlater. thebatchortomanuallystart Select whethertoautomaticallystart Clicknew complete. whom youwouldliketosendacopyof oncethemigrationis themigrationreport thebatchpage,clickbrowse to toselectadditionaladministrators On theStart usingthefollowingcommands: Mailbox

m igration

o ptions

589

Chapter 12 emote Windows

. Online

Exchange by entering the following commands:

Cutover migration best practices administering

and migration

Open a new PSSession Import-Module MSonline $cred = Get-Credential Connect-MsolService -Credential $cred Microsoft.Exchange-ConnectionUri $Session = New-PSSession -ConfigurationName https://ps.outlook.com/powershell/ -Credential $cred -Authentication Basic -AllowRedirection Import-PSSession $Session -AllowClobber During the migration, you can monitor the progress by entering the following by entering monitor the progress migration, you can During the command: | fl Status Get-MigrationBatch Startfollowing command: by entering the the migration Start-MigrationBatch

Plan to do a cutover migration over a weekend and change the MX record as soon as the as soon as record MX the change and weekend a migration over cutover a do to Plan for migrations are that cutover Remember migration is successfully completed. cutover is a final synchro- though there and even mailboxes, with 1,000 or fewer organizations if a synchronizations between be missing items to for mailboxes nization, it is common time. There- period migration is left of mode for an extended cutover in synchronized the MX records and switch migration in a single pass a cutover complete plan to fore, (TTL) Live set the Time to the migration you as soon as possible. It also helps if prior to Domain for be fairly short, the time required to reducing thereby MX records for your as of The Complete-Migration cmdlet is deprecated (DNS) convergence. Name System information, see http://community.office365.com/en-us/blogs/ April, more 2012. For office_365_technical_blog/archive/2012/04/04/why-administrators-don-t-see-the-complete-migration-button-in-the-e-mail-migration-tool.aspx ailbox 1. 5. 6. M Using remote Windows PowerShell with the latest remote with PowerShell release Windows Using Office of 365 Exchangewith 2013 Online to Exchange Online 2013 using r Follow these steps to initiate a migration PowerShell:

INSIDE OUT Chapter 590

Chapter 12

such, wewillnotbecoveringthe stepsagainhere. In Chapter11,wediscussedindepthhowanExchangehybrid modelisimplemented.As outmailbox moves. carrying responsible for (MRS)thatcomeswiththe2010SP3CAS.MRSisservice tion Service 2010 Service Pack 3(SP3) 2010 Service premises. Part of settingupanExchangehybridenvironment istoimplementanExchange an Exchangehybridenvironment, youcanmovemailboxes tothecloudandbackon- approaches because, unliketheothermethodswehavecovered sofar, youestablish after establishinganExchange hybridenvironment isoneofMigration after themostpopular Migration withanExchange environment hybrid 6. 5. 4. 3. 2.

Start-MigrationBatch –Identity$CutoverBatch.Identity or Start-MigrationBatch –Identity$StagedBatch.Identity entering thefollowingcommand: themigrationbatchby youcanmanuallystart commands inStep3or4.Otherwise, themigration batchautomaticallybyaddingthe Start $IMAPBatch =New-MigrationBatch–Name To create anIMAPmigrationbatch,enterthefollowing command: Pacific StandardTime>" $SourceEndPoint.Identity -TimeZone" Exchange FQDN>-RpcProxyServer

m igration

o ptions

- 591

Chapter 12 - http://technet.microsoft.com/ The Central Service .pst files the list of maintains Online

The PST Console is the administrator interface to configure Exchange This is the component that needs to be installed on computersThis is the component that needs to be

administering and migration

in your organization and is responsible for locating .pst files associated to the com and is responsible in your organization the .pst file to for transmitting responsible puter it is installed on. The agent is also the Central Service import during operations. PST Capture Central ServicePST Capture Agent PST Capture Console PST Capture Discover .pst files and importDiscover .pst files and Exchange serveron-premises contents to an first, then Exchange Online. In this scenario, the on-premises to Exchange migrate mailboxes server 2013. must be Exchange 2010 or Exchange importDiscover .pst files and to Exchange Online. contents directly .pst discovery, configure the import configure and also import.pst discovery, process, from network .pst files agents installed. storage devices that do not have capture found in your organization and manages the migration of the data into Exchange and manages the migration of found in your organization Online. ● ● ● ● ● ● ● ● ● ● Note see PST Capture, information about Microsoft For more Pay special attention to the permissions to special attention en-us/library/hh781036(EXCH.141).aspx. Pay the .NET Console and Agent also require The PST Capture Capture. for PST required 4.5. Framework ailbox M Microsoft Exchange PST Capture PST Exchange Microsoft access to a personal with archive. mailboxes Online, your usersWith Exchange have large this makes personal folders before, As mentioned If your organization (.pst) files obsolete. files on for .pst have to search you might mailboxes in addition to migrating has .pst files, into personal so you can incorporate the contents computers archives. in your organization PST Capture. with Microsoft This can be accomplished have you and Exchange Online. Therefore, works with Exchange on-premises PST Capture two import options: PST Capture comprises the following components: PST Capture

Chapter 592

Chapter 12

low thesestepstoinstallthePSTCapture Console: Implementing aPSTCapture strategyinvolvesinstallingthePSTCapture Fol- Consolefirst. Capture Installing using PST and 4. 3. 2. 1.

Figure 12-24 List. PST Search andNewImport the PSTCapture Console.AsshowninFigure 12-24,there are twomajoractions:New onyournetwork,start alltheagentshavebeendistributedtocomputers After Capture Console>SERVICEPORT=6674 Msiexec /IPSTCaptureAgent.msi/qCENTRALSERVICEHOST=

PST Captur . e Console. Mailbox

m . Y igration ou can

o ptions

593

Chapter 12 ost Office mation. Online

Exchange

ECP showing your Exchange Online infor administering and migration

Figure 12-25 Figure On the Settings page, under Online Connection, provide the credentials of an Office of the credentials Connection, provide page, under Online On the Settings account. 365 administrator Exchange Online, select to Office 365 migrating .pst content directly If you are Office 365 Serverthe The above is an the server and provide box check name. your Exchange Online server determine to OWA, name, use the ECP by going To Settings for P See All Options, and clicking the selecting Options, selecting Before searching for .pst files, you need to specify files, you need to for .pst searching settings. online connection your Before Settings. menu, select the Tools From 12-25. and SMTP access link, as shown in Figure (POP), IMAP, Protocol ailbox 5. 6. 7. M

Chapter 594

Chapter 12

Figure 12-26 shown inFigure 12-26.ClickOKtosavethesettingsandclosewindow. credentials, youwillseethe“SuccessfullyconnectedtoExchangeOnline”message, as click Check.IfthePSTCapture ConsolecanconnecttoExchangeOnlinewiththe youhaveentered theinformation intheOnlineConnectionSettingspage, After

Successfully connectedtoExchangeOnline. Mailbox

m igration

o ptions

595

Chapter 12 Online

ch Step 1 of 4. ch Step 1 of Exchange

New PST Sear administering and migration

Figure 12-27 Figure New PST Search Wizard, as shown in Figure as shown in Figure Wizard, New PST Search to invoke the PST Search Click New the first step, select the Computers four steps. At node, are that there 12-27. Note Next. and then click ailbox 9. M

Chapter 596

Chapter 12

11. 10.

schedule so you can manually start thissearch. ClickNext. schedule soyoucanmanuallystart off-peak thedateandtime,oryoucanacceptdefaultof timebyspecifying No In Step3of theNewPSTSearch Wizard, youcanchoosetoschedulethissearch at an Figure 12-28 click Next. include andexcludewhensearching for.pstfiles,asshowninFigure 12-28,andthen In Step2of theNewPSTSearch storagelocationsto thecomputers’ Wizard, specify

New PSTSear ch Wizard Step2of locations. 4:Specify Mailbox

m igration

o ptions

597

Chapter 12 Online

ch Wizard Step 4 of 4: Provide a PST search name. a PST search 4: Provide Step 4 of ch Wizard e Console: search information. e Console: search Exchange

Search All Now button you can use to invoke this search. Click this Click search. this invoke to use can you button Now All Search PST Captur New PST Sear

administering and migration

Figure 12-30 Figure Figure 12-29 Figure of Number information: key a separate tab in the PST displayed in and the details are is created, A new PST Search following the Note 12-30. Figure in shown is search as the Console, whether Search and task, each of status the scope, search the in this included in computers are that computers the for detected is agent the sure make Also, not. or scheduled a is There Search. PST button to manually start now. search the In the last step of the New PST Search Wizard, give the search a name, as shown in a name, as shown the search give Wizard, New PST Search the step of In the last then click Finish. 12-29, and Figure

ailbox 13. 12. M

Chapter 598

Chapter 12

16. 15. 14.

Cloud Import List. Cloud Import an on-premises Exchange server or directly into Exchange Online. For this exercise, select List. As mentioned before, you can use PST Capture to import content from .pst files to You will seeadrop-down listwithtwooptions: Listbutton atthebottomof thepage. Import Select the .pst files you want to import by selecting the check boxes. Then click the Figure 12-31 12-31 showstheresults of acomputedPSTsearch. column togetherwiththetotalsizeof allthePSTfilesfoundoncomputer. Figure Completed andthenumberof PSTfilesfound,ifany, willbelistedintheFilesFound When thesearch iscomplete,thestatusbesideeachcomputerselectedwillbe ch results. PST sear OnPrem Import List and OnPrem Import Cloud Import Mailbox

m igration

o ptions

New 599

Chapter 12 x. Online

Exchange

Setting destination mailbo administering and

Note window the Set Mailbox 8), set the online connection settings (Step recently If you all the a list of This is because the PST Console has not retrieved might be empty. for a while, and then try Online. Wait again. Depending on on Exchange mailboxes some time. in Office 365, it might take mailboxes the number of migration

Click the Import All Now button to start importing .pst contents to the respective destination mailboxes. Figure 12-32 Figure Set mailbox link, as shown link, Set mailbox by clicking the mailbox files to a destination Set the .pst the Select a separate window. will be listed in mailboxes A list of 12-32. in Figure click OK. the list, and then from mailbox destination

ailbox 18. 17. M Although we did not cover all the settings for the PST Capture Console, you can explore the the you can explore Console, for the PST Capture Although we did not cover all the settings import options available, such as setting the staging area, different tolerance, and whether Console the PST Capture from to import non-mail items such as calendars. Click Tools them to the available settings options and configure menu and select Settings. Next, review needs. meet your organization’s

Chapter 600

Chapter 12

but dependsontheInternet connection. has shownthata5GBto10 perhourrateof datamigration canbereliably achieved, the MigrationPerformance whitepaper, metrictonote isthatpastexperience animportant to theMigrationPerformance whitepaperreferenced inthefollowingInsideOutsidebar. In put isrequired forthedifferent typesof migrationoptionswecovered inthischapter, refer Foranideaonhowmuchthrough- whenitcomestomigrationperformance. as important is notnecessarilytheonlyfactor. Latencyandsustainedthroughput are thatare factors just As wementionedinChapter2,“Planningandpreparing todeployOffice365“, bandwidth lowest level. whennetworkutilizationisatthe business hours mailboxes aweek,mostlyconductedafter generallyaimstorampupamigrationrateof 1,000 batch, Microsoft ConsultingServices initialtestswithasmallstagedmigration is doneoroverweekends.Asanexample,after theworkday outmigrationsafter of onthenetwork. Thatiswhyyoushouldcarry users canalsobeaffectedbythetimeof Migrationperformance dayandthenumber servers. of itemsinthemailboxes, networkbandwidth, networklatency, andtheon-premises mail There such as thesizeandnumber are thataffectmigrationperformance, manyfactors Migration performance 3,600 seconds,whichisonehour. time when you do switch your MX records. The recommendation is that you change the TTL to tion, change the starting any of the migration tasks, regardless of whether it is a cutover, staged, In or most IMAP scenarios, migra you will want to route incoming email to Exchange Online. Therefore, before for MX records Reduce TTL the toExchangeOnline. servers mon onesyoushouldconsideradoptingwhenmigratingmailboxes from on-premises mail There are severalbestpracticeswhen migratingmailboxes. We willlistsomeof thecom- Migration bestpractices toolsare readily availableandareparty justasmature. ogix. Exchangeisamature platform andhasbeenaround forsometime.Therefore, third- Tree,Exchange migrationtoolsare QuestSoftware, Binary BitTitan,Cemaphore, and migration needs,there toolsyoucanturn to.Examplesof are alwaysthird-party third-party If forsomereason theexistingtoolsandoptionsprovided byMicrosoft donotmeetyour migrationtoolsThird-party Time To Live (TTL) of your MX records so as to improve the DNS convergence Mailbox

m igration

o ptions Metal-

601 -

Chapter 12 - Online

Exchange

“Migration Performance” white paper

. administering

and migration

Microsoft has provided an excellent TechNet article performance about migration based TechNet an excellent has provided Microsoft Office 365. The on experience and observations migrations to customer actual from at http://technet.microsoft.com/en-us/ is located paper white “Migration Performance” library/jj204570 ailbox M User throttling mostly affects third-party limits the number User throttling throttling migration tools. User - user can access simultaneously and is designed to minimize risks and pre a mailboxes of uses a single service if a migration tool serve Therefore, to account with access resources. the service Office 365 might throttle all mailboxes, account if it starts to access too many impacting migration per thereby process, simultaneously during the migration mailboxes User throttling that performance When you evaluate migration tools, make sure formance. will not be Services Web Good migration tools generally use Exchange impacted by user throttling. to impersonate a single user simultaneously user accounts so Exchange Online is not seeing mailboxes. but rather the users respective accessing their accessing multiple mailboxes, will not be triggered. Thus, user throttling Migration serviceMigration throttling that you have recall that you looked at earlier in this chapter, In the migration exercises which migrated simultaneously, that are mailboxes the ability to specify of the number that should be simultaneously mailboxes Specifyingby default is three. the number of to as migration-servicemigrated is referred throttling. migration paper or test a single mailbox white Refer again to the “Migration Performance” the optimum number This will help you determine the migration throughput. to determine migrations your network can support. simultaneous of If you are going to use Microsoft PST Capture, you can import PST Capture, going to use Microsoft on- the .pst files to your If you are first or you can import and then do a migration, mailbox to premises files directly the .pst PST importscloud mailboxes. so you need to take that bandwidth-intensive operations, are import scheduling and designing your PST into consideration when strategy.

INSIDE OUT Chapter 602

Chapter 12 Moving mailboxes back to on-premises Exchange Exchange ManagementConsole(EMC).Followthesestepstoseehowthisisaccomplished: the ExchangeOnlineorganization totheExchangeon-premises organization through the then migratedtothecloud,allyouhavedoissubmitanewr If themailbox youwanttomigratefrom Office365wasinitiallycreated on-premises and Mailbox created originally on-premises they were created first on-premises andthenmovedtoOffice365. boxes beginning orwhether youwanttomovewere created inOffice365from thevery move mailboxes backon-premises, youneedtotakeintoconsiderationwhetherthemail outa the moveofremote move request. amailbox toOffice365isdone bycarrying To youhaveimplementedanExchangehybridenvironment, As yousawinChapter11,after Office 365,there are nobuilt-in outthe reverse. optionstocarry cutover andstagedmigrationoptionsfrom theEAC andECP, whenmovingmailboxes to tools.Unlikehavingthe youwillneedtorely onthird-party environment. Otherwise, Moving mailboxes backtoon-premises canbefacilitatedonlythrough anExchangehybrid Moving

mailboxes

back emote mover

on-premises equest from

Exchange

603 -

Chapter 12 >, as shown in Figure >, as shown in Figure >; for example, MAIL\First Storage om Office 365. Online

Server>\

Remote Target Database box, if you are migrating to an Exchange migrating if you are Database box, Remote Target Remote Move Request fr administering and migration

Figure 12-33 Figure as in Chapter 11. When you Wizard, Follow the steps in the Remote Move Request Delivery the Target domain in on-premises get to the Move Settings page, select your In the Domain box. < use the format 2010 server, Start the the EMC. Expand the Recipient right-click 12-33, As shown in Figure Configuration node. the Recipient and select New Remote in the middle pane, a mailbox node, right-click Configuration menu. the drop-down from Move Request 12-34. If you are migrating to an Exchange 2003 or 2007 server, use the format use the format migrating to an Exchange 2003 or 2007 server, 12-34. If you are \\

ailbox 2. 1. M

Chapter 604

Chapter 12

remote mailbox: fortheon-premises Follow thesestepstocheckand settheExchangeGUIDproperty on-premises remote mailbox. mustbethesameformailbox inOffice365andtheassociated ExchangeGUID property tially created inOffice 365.Fora remote move request to succeed,thevaluestored inthe is notsynchronized backtotheassociatedon-premises mailbox ifthemailbox wasini associated on-premises mailbox. You need to dothisbecausethe originally created setthe inOffice365,youwillneedtofirst If theExchangeOnlinemailbox youwanttomovebackon-premises Exchangewas Mailbox created originally inExchange Online 3.

New toinitiatethemoverequest. Complete therest of stepsintheNewRemoteMoveRequestWizard, andthenclick Figure 12-34

Move Settingspage. Moving

mailboxes property onthe ExchangeGUID property

back property ExchangeGUID property

on-premises

Exchange -

605

Chapter 12 - - ExchangeGUID is not set. On a ExchangeGUID. f Online

Exchange

Checking the value o administering and migration

mat-List ExchangeGUID Enter the following command to retrieve ExchangeGUID for the Exchange Online Enter the following command to retrieve value: and write down the returned mailbox, For Get-Mailbox \ mat-List ExchangeGUID 12-35, then as shown in Figure is not all zeros, value for ExchangeGUID If the return move back to mailbox can immediately initiate a remote ExchangeGUID is set. You originally Exchange by following the steps outlined in the “Mailbox on-premises section. on-premises” created then is all zeros, value for ExchangeGUID If the return start Active Directory the Windows Azure Module for Windows separate computer, and connect to Exchange Online. Do not use the Exchange Management PowerShell syntax to connect to Exchange Online you can use the following Shell. As a reminder, Windows PowerShell: remote through Import-Module MSonline $cred = Get-Credential Connect-MsolService -Credential $cred Microsoft.Exchange-ConnectionUri $Session = New-PSSession -ConfigurationName $cred -Authentication Basic https://ps.outlook.com/powershell/ -Credential -AllowRedirection Import-PSSession $Session -AllowClobber property on the on-premises remote mailbox is set by mailbox ExchangeGUID propertyCheck if the remote on the on-premises the output as a example of 12-35 shows an Figure following command. entering the the command: issuing of result on-premises> | For of cloud mailbox to migrate back Get-RemoteMailbox

ailbox 5. 4. 3. 1. 2. M

Chapter 606

Chapter 12

Decommissioning on-premises Exchange INSIDE OUT INSIDE their teamblogreferenced inthefollowingInsideOutsidebar. more detaileddiscussion aboutthistopiciscovered bytheMicrosoft Exchangeteamon The bottomlineisthatyoushouldkeeponeExchange2010 CASon-pr on-premises. to themailbox objectsinExchangeOnlinebecausethesource of authorityisdefinedas By removing thelaston-premises Exchange server, youwillbeunabletomakechanges ity, andMicrosoft recommends notremoving thelastExchange2010on-premises server. isthenthesource of synchronization isimplemented,ActiveDirectory author If directory exist intheforest. Exchange OnlinewiththeEMC,aminimumof oneExchangeon-premises CASmuststill been migrated.However, tonotethatifyourorganization wantstomanage itisimportant allmailboxesdecommissioning allon-premises andemailworkloadshave Exchangeafter tions thathavecreated anExchangehybridenvironment. Itmightseemlogicaltoconsider The subjectof decommissioning on-premises Exchangeismostapplicabletoorganiza- 8. 7. 6. 2010-servers-in-a-hybrid-deployment.aspx. blogs.technet.com/b/exchange/archive/2012/12/05/decommissioning-your-exchange- Exchange 2010CASandthereasons ontheExchange Team Blog located athttp:// You canread abouttheExchange team’s recommendation to maintain on-premises

preceding sectiontomovethemailbox from thecloud backtoon-premises. synchronization iscomplete,youcanfollowthestepsoutlined inthe directory After you needarefresher onhowtodothis. OnlineCoexistenceSync synchronization process usingtheStart- anunscheduleddirectory Start Set-RemoteMailbox -ExchangeGUID mailbox: command tosetthevalueof ontheon-premises remote theExchangeGUIDproperty Go backtotheExchangeManagementShellwindow, andenterthefollowing

Microsoft recommendation on decommissioning Exchange Exchange decommissioning on recommendation Microsoft on-premises command. Refer to Chapter 4, “Directory synchronization”, command.RefertoChapter4,“Directory if Decommissioning

on- emises, fornow premises

E xchange

. A - 607

Chapter 12 - Online

Exchange administering and migration

2010 SP3 Exchange Management Console (EMC) 2010 SP3 Exchange Windows PowerShell managing Exchange including EAC, and the browser-based Office 365 admin center 2013 Office 365 with Exchange Online of (EOP) in the latest release Online Protection Console for Office for Exchange (FOPE) Administrator Online Protection Forefront 2010 365 with Exchange Online ● ● ● ● ● ● ● ● ailbox M Because Exchange on-premises, Exchange Online, and the Exchange hybrid environment environment Exchange hybrid Online, and the Exchange on-premises, Because Exchange are and experience the management tools technologies, set of based on a common are are tools for Exchange The administration deployment models. different the similar across the following: This book does not cover all the intricacies of administering Exchange and messaging; there and messaging; there administering Exchange of This book does not cover all the intricacies a summary dedicated Exchange books for that. What we will do is provide the differ are of ent administration tools and focus on the specifics of administering Exchange Online and of administering specifics ent administration tools and focus on the you to the new capabilities in Exchange and introduce the Exchange hybrid environment Online 2013.

Chapter Administering Exchange Online Exchange Administering 608

Chapter 12

Figure 12-36 EMC, asshowninFigure 12-36. Online, the For example, because there is no need for you to manage the server configuration in Exchange administer in Exchange on-premises versus Exchange Online, and this is reflected in the EMC. EMC, as shown in Chapter 11. However, note that there are differences between what you can To use EMC as the administration tool, simply add Exchange Online as a new organization into through the EMC, you need to maintain an on-premises Exchange Client Access Server (CAS). The EMC serves as a familiar interface for Exchange administrators. To manage Exchange Online Exchange ManagementConsole Server ConfigurationServer node is not present for the Exchange Online organization in ence betweenExchangeon-premises andExchangeOnlineintheEMC. Differ Administering

E xchange

O nline

609

Chapter 12 - Online

Exchange administering and

Using EMC to manage hybrid configuration. migration ailbox M Figure 12-37 Figure Implementation of an Exchange hybrid environment through Exchange 2010 SP3 CAS Exchange through environment an Exchange hybrid of Implementation components as workloads, manage the hybrid and capabilities to create the also provides in Fig as shown the hybrid configuration, moves and managing mailbox such as remote ure 12-37 and through the tasks covered in Chapters 11 and 12, “Mailbox migration and in Chapters“Mailbox 11 and 12, the tasks covered 12-37 and through ure Exchange Online”. administering

Chapter 610

Chapter 12

INSIDE OUT INSIDE array of remote WindowsPowerShell cmdletsforExchangeOnline. Between theImport-PSSession Remove-PSSession $Session # # # Import-PSSession $Session-AllowClobber ps.outlook.com/powershell/ -Credential$cred-AuthenticationBasic-AllowRedirection $Session =New-PSSession-ConfigurationNameMicrosoft.Exchange-ConnectionUrihttps:// Connect-MsolService -Credential$cred $cred =Get-Credential Import-Module MSonline #Base scriptformanagingExchangeOnline session. We usethefollowingbasescriptasatemplateinWindowsPowerShell ISE: Exchange Onlinethrough remote WindowsPowerShell, needtoestablishanew youfirst Windows PowerShell istherecommended approach tomanagingExchange.To manage A majorityof Office365Windows PowerShell cmdletsare forExchangeOnline,and Exchange Onlineremote WindowsPowerShell located athttp://help.outlook.com/en-us/exchangelabshelp/dd575549.aspx A reference to alltheavailable WindowsPowerShell cmdlets forExchange Onlineis Note before you canopenanewsession. you of the risk run outof running sessionsandwillneedto waitforasessionto timeout there isamaximumof three sessionsperlogon.Therefore, you if donotclearasession, It is important to alwaysclearyour sessionwiththeRemove-PSSession It isimportant

Clear your PSSession your Clear commands, you can insert thevast andRemove-PSSessioncommands,youcaninsert Administering cmdletbecause

E xchange .

O nline

611

Chapter 12 tware or grant exces- tware f electronic discoveryelectronic (eDiscovery) to should belong Online

face. Exchange administering and

The ECP user inter migration ailbox M Figure 12-38 Figure Exchange Panel Control was OWA Accessing the ECP through the OWA. accessed through The ECP is hosted and ECP UI. 12-38 shows the Figure earlier in this chapter. covered compliance or legal personnel. Therefore, there is a need for an easy interface is a need there to manage personnel.compliance or legal Therefore, so having to distribute special administrative such functions without Exchange Online administration user interface user Online administration Exchange user interface the form (UI), which takes browser-based tool is a Another management on depending admin center (EAC), Exchange (ECP) or the Panel the Exchange Control of of the key new capabilities One is using. 365 your organization Office of which release the ability to delegate provides RBAC (RBAC). in Exchange is Role Based Access Control personnel. which may be handled by non-technical For exam- some of administrative tasks, for conducting ple, the responsibility sive administrative privileges.

Chapter 612

Chapter 12

compliance andlegalprofessionals weidentified earlier, administrativetasks. canperform that itisdesignedtobeuserfriendlysoevennon-technical administrator the majorityof dailyadministrativefunctionsthrough theECP. Asyouexplore theUI,notice resources. However, tonotethatyoucanperform before weleavethistopic itisimportant As mentionedearlier, wewillleavethedetailedadministration of Exchangetoother Figure 12-39 thescopeofyou canmodify eachrole’s capabilitiesandcreate newRBAC roles. A numberof RBAC roles are availableoutof thebox, asshowninFigure 12-39.However, RBAC andcompliancemanagementcapabilitiesare locatedontheRoles&Auditingpage. &Groupsthe Users page. groups, andexternal contacts.Additionally, youcanaccesstheE-MailMigrationwizard on tions. Figure 12-38showstheadministrativecapabilitytomanagemailboxes, distribution sideofAlong theleft ECPisnavigationpanethatgroups theadministrativefunc-

Roles &AuditingpageintheEMC. Administering

E xchange s, suchasthe

O nline

613

Chapter 12 - e 12-40. Online

om the ECP. Exchange administering and

Accessing FOPE fr migration ailbox M Figure 12-40 Figure This will start the FOPE administration interface, 12-41. The FOPE as shown in Figure administration interfaceto create statistics on mail hygiene and enables you provides reports, mail-handling policies. track messages, and create At this point, we will leave the ECP and move on to discuss Forefront Online Protection for Online Protection Forefront move on to discuss will leave the ECP and this point, we At (FOPE). Exchange Protection Exchange for ForefrontOnline administration Online 2010 and is a separate inter in Exchange for email protection FOPE is responsible face that is launched through the ECP. From the ECP, select Mail Control and click Configure and click Configure select Mail Control the ECP, From the ECP. through face that is launched as shown in Figur message tracking, and e-mail policies, IP safelisting, perimeter

Chapter 614

Chapter 12

policies are created andmaintainedinFOPE: Your core activityinFOPEisthecreation of mailpolicies.Followthese stepstoseehowmail Figure 12-41 2. 1.

Click NewPolicy RulelocatedunderTasks. Policy Rules. From theFOPEadministration console,clicktheAdministrationtab,andthenselect

FOPE administrationinter face. Administering

E xchange

O nline

615

Chapter 12 s action, as shown in s action, as Online

. Exchange

New FOPE policy administering and migration

Provide settings for the Expiration date field, if applicable, and determine if you want if you want settings for the Expiration date field, if applicable, and determine Provide is triggered. to send notifications whenever this rule that would lead to the triggering In the Match pane, define the data patterns and sender, As you can see, you have the option to match by header, this policy. of and attachment, subject, body, domains, or e-mail address, IP addresses, recipient message properties. to save this policy. Rule on the Actions pane Click Save Policy Figure 12-42 Figure Set the domain scope, set the traffic scope, and select the policy’ traffic scope, and select scope, set the Set the domain Figure 12-42. Figure

ailbox 5. 6. 4. 3. M As with the ECP, there are other administrative functions for FOPE that we will let you other are there As with the ECP, section serves on your own. This explore to FOPE administration. only as an introduction will now move on to look at the Exchange admin center (EAC). We

Chapter 616

Chapter 12

ance Managementpage,asshowninFigure 12-44. EAC. One of the new capabilities is in Exchange Online 2013 and the respective administration functions that are exposed in the The main difference between the ECP and the EAC is the introduction of several new capabilities Figure 12-43 Figure 12-43. a browser-based thatorganizes administrativefunctionsintogroups, interface asshownin The EAC isthesuccessortoECPinlatestrelease of Office365and,liketheECP, itis admin center Exchange separate Exchange 2013Enterprise CAL. for allpremium features implemented on-premises, includingDLP, andwillnotrequire a Exchange(CAL). Inahybrid implementation,Exchange are OnlinePlan2users covered 2013 implemented on-premises requires anExchange Enterprise clientaccess license DLP isapremium feature thatrequires anExchange Exchange OnlinePlan 2subscription. Note C. The EA Data Leakage Prevention (DLP) that is located on the Administering

E xchange

O nline Compli-

617

Chapter 12 Online

Exchange

evention in the EAC. administering and

Data loss pr migration

U.S. Personally Identifiable Information (PII) Identifiable Information U.S. Personally U.S. Social Security Act U.S. Financial Information U.S. Health Information Portability Act (HIPAA) Portability U.S. Health Information ● ● ● ● ● ● ● ● ailbox M Prior to the latest release of Office 365, you had to rely on on-premises DLP solutions and DLP solutions rely on on-premises Office 365, you had to of Prior to the latest release Office of that solution. With the latest release all email through have Exchange Online route content triggers that can create You DLP capability. 365, Exchange Online 2013 provides ISO stands for the International data patterns. on ISO-based templates to recognize rely develops entity that recognized and is the internationally for Standardization Organization the included DLP a few examples of are Following standards. and publishes international templates: Figure 12-44 Figure

Chapter 618

Chapter 12

disclosure of sensitiveinformation through email. byproviding anotherbuilt-inenhances theservice mechanismtoprevent theaccidental additiontoExchangeOnlinebecauseitfurther The newDLPfeature isanimportant Figure 12-45 You can clearthebox next toaruledisableitordeletealtogetherifdoesnotapply. external recipients,handling forinternal versus andhowattachmentsshouldbehandled. you havethegranularabilitytodefineactionssuchaswhetherallowoverrides,differ this policywillbecreated inthemailflowsection,asshownFigure 12-45.Noticethat At thesametime,corresponding rulesthatdictatehowtohandleemailstrigger template andnamethepolicyHIPAA Rules,thisrulewillshowupintheDLPlistof policies. from thedrop-down menu.Forexample,ifwecreate aDLPpolicybasedontheHIPAA click the+icon,asshowninFigure 12-44,andthenselectNewDLPpolicyfrom template There are international DLPtemplatesincluded aswell.To seethefull listof DLPtemplates,

DLP policyandthecorr esponding mailflowrules. Administering

E xchange

O nline

ent 619

Chapter 12 f Exchange f administration and C. Online

Exchange administering and

EOP management incorporated into the EA migration ailbox M Figure 12-46 Figure will not go into the details o As with the other administration tools, we to look at other new capabilities o instead will continue in the following sections Online. Exchange Online Protection user does not have a separate successor to FOPE, (EOP), the Online Protection Exchange the protection interface. through EAC integrated into the is now fully EOP administration 12-46. in Figure page, as shown

Chapter 620

Chapter 12 Compliance, Legal Hold, and eDiscovery concepts Compliance, LegalHold,andeDiscovery this isknownasIn-PlaceHold. We willlookatholdsindetailshortly. retention isaccomplishedbyExchangeOnline2010 LegalHold.InExchangeOnline2013, yet permit thenormal mailbox functions,includingdeletions andmodifications.Enforced emailcontenttomakeitdiscoverableand Enforced retention isthecapabilitytopreserve Enforced retention email basedontheageof theemailtimestamp.We willlook at MRMindetailsoon. MRM consistsof retention tagsandpolicies, which helptoautomaticallyarchive ordelete store them,Exchange introduces aconcept calledmessagingrecords management (MRM). To properly control thedeletionof emailsandtocounter-balance theabilitytoindefinitely Automated deletions in detailshortly. This capabilityisprovided bytheintroduction of archive, thepersonal which wewilldiscuss thereby reducing theriskof accidentaldeletions. willfeellesscompelledtodeletecontentjustfreelocation isbigenough,users upspace, ifthecentralizedstorage Furthermore, efforts. that willeasemanagementandeDiscovery asanauthoritativedatasource tralized location.Acentralizedstoragelocationcanserve contentisthecapabilitytoallowforindefinitestorage of contentinacen Preserving content Preserving The overallcompliancestrategyforExchangeinvolvesthefollowingkeycapabilities: enhancedinExchangeOnline2013. whichisfurther natively builtintotheservice, transactions asevidence.Assuch,ExchangeOnline2010hasthesecompliancecapabilities organization. Almostalllegalcasesalloworrequire the introduction of emailcontentand fashion. Emailsusuallymakeupasignificant,ifnotmajority, of thecontentmanagedbyan ordisposingofimplications fornotproperly communicationcontentinatimely preserving for manyorganizations becauseof inthepublicandprivatesectors thelegalandfinancial topics Compliance, eDiscovery, LegalHold,andrecordsimportant managementare very ● ● ● ● ● ● Enforced retention Automated deletions content Preserving Compliance,

Legal

Hold,

and

eDiscovery

concepts

- 621

Chapter 12 - - Personal Storage Tables (PSTs) (PSTs) Tables Storage Personal Online

Exchange administering and migration

Note amount each user with an unlimited provides Online Archiving that Exchange Remember as 100 GB, and it is accessible provisioned that is initially space mailbox archive of App. Outlook and Outlook Web through ailbox M Therefore, the first step to compliance remediation is to assign usersremediation is to first the a personal step to compliance archive. Therefore, can choose to do this for every only for certain user or a personal users. Provisioning You EMC, or Windows PowerShell. ECP, the EAC, can be done through archive Management Messaging Records you might still need to personalAfter users archive, with a generous you have provided is accom- email content. MRM of or dispose implement MRM to automatically archive policies. tags and retention retention plished through Personal archive Personal technology that supports as the foundational the personal archive think of compliance. We or Exchange Online archive to as the online sometimes referred is The personal archive Exchange Online workload. if it is implemented as a stand-alone (EOA) Archiving sizes because of users the personal had limited mailbox archive, of the introduction Before why is That Exchange. of performance the manage to need the Putting it all together Putting a comprehen to form to work together designed are capabilities see, the three As you can sive corporate compliance strategy. There is a centralized email storage location that makes location that centralized email storage is a There compliance strategy. sive corporate to help manage and deletion mechanism archiving an automated email easier and search there intervention,content without user or oversight. Finally, error human reducing thereby preservation to mod content that overrides any other action is a mechanism to enforce of ify that provide look in detail at the actual technologies that content. Let us now or destroy capabilities. these three to them move or mailbox their in space up free to emails delete either Users popular. became when it comes to compliance. of concern major causes of these actions are .pst files. Both between the primary a 25 GB storage that is shared Exchange Online Plan 1 provides mail- space that archive unlimited Exchange Online Plan 2 provides mailbox. and the archive box a 25 GB primaryis separate from mailbox.

Chapter 622

Chapter 12 concept about enforced preservation is that the user is not prevented from carrying out isthattheusernotprevented fromconcept aboutenforced carrying preservation (Exchange Online2010)oran In-PlaceHold(ExchangeOnline2013).Anotherinter To of enforce emailcontent,Exchangeusesthe conceptof thepreservation aLegalHold doing so. dayitarrives,the first retention policy youjustputinplacedoesnotprevent theuserfrom content.Thismeansifauserdecidestodeleteanemail onthe do notactuallypreserve to ensure thecontent doesnotexceeditsretention schedule.Retentiontagsandpolicies get thatretention tagsandpoliciesare responsible onlyformovingordeletingcontent Retention policiesare becauseof sometimesmisunderstood theirname.Itiseasytofor Holds recover itfrom itwasautomaticallydeleted. yourrecycle binwithin14daysafter an emailwasaccidentallyidentifiedasjunkandyoudidnot gettoitwithin5days,youcan whichtheywillbedeleted.However,the junkmailfolderfor5days,after ifyoubelievethat manently deleted.Emailsthatare determined bythesystemtobejunkmailare stored in archive,your personal where theywillreside atwhichtimetheywillbeper for4.5years, mailboxAll emailsthatare to 180daysoldare automatically movedfrom yourprimary Adatum Inc.EmailRetentionPolicy email compliancestatementwilllooksomethinglikethis: policy andapplytheretention policytoallmailboxes. Ifyoudothat,yourorganization’s retention tagexamples,youcancombineallof themintoasingleorganization retention Usingthethreemailbox fiveyears. iftheyare old,andthendeletingthemafter twoyears mailbox tothearchive sequential actionsonitems,suchasmovingitemsfrom theprimary out tion tagstodifferent itemsunderasinglepolicyandtofacilitateworkflowsthatcarry Retention policiescomprisemultipleretention tags.Itisawaytoapplydifferent reten- policies Retention granular.Retention tagsare designedtobevery Here are afewexamplesof retention tags: Retention tagsare discrete actionsthatcanbeappliedtoemailmessagesandfolders. tags Retention ● ● ● ● ● ● folder. of itemsthatareDelete, butenablerecovery olderthan5daysintheJunkMail years). Permanently deleteitemsinthePersonal Archive thatare olderthan1,825days(five Move itemsthatare 180daysoldfrom theInbox tothePersonal Archive. Compliance,

Legal

Hold,

and

eDiscovery

concepts esting

- - 623

Chapter 12 In-Place Hold, and it now addresses the ability the addresses now it and Hold, In-Place Legal Hold is not an issue. Legal Hold is not an Online

Exchange administering and migration

Time-based hold, including indefinite hold Criteria-based hold ● ● ● ● ailbox M Criteria-based hold Criteria-based logic to preserve and Boolean on keywords a Criteria-based hold relies content. Aside from date ranges, and mes- criteria match, you can also specify and recipients, keyword source on). sage types (email, calendar items, and so Time-based hold tag holds, work like an MRM retention to as rolling Time-based holds, sometimes referred an email. As long as the timestamp of timestamp of in that the hold is applied based on the will be preserved the time-based hold, the email content the email falls within the limits of eDiscovery a multi-mailbox and is discoverable through After the search. the timestamp of - the email will no longer be pre the content of email falls outside the time-based holds, servedof the user or MRM. to the modification or deletion actions and will be subject actions that modifyactions that operations because mailbox This is by design delete email content. or is a very This it strategy because Microsoft significant to function normally. should continue does not affect at the same time and compliance requirements organization’s balances your your users. it is discoverable. content is on hold, When email of the productivity through implemented and level mailbox the at applied is 2010 Online Exchange in Hold Legal accomplished be A can immutability of concept the While PowerShell. Windows or ECP, EMC, the not be granular level might at the mailbox Legal Hold, the ability to apply it only through is important is what Nonetheless, hold. on placed be might content much too because enough consumption space the archive, personal large a with and, preserved immutably is content that preservation content of under as a result In Exchange Online 2013, Legal Hold is renamed renamed is Hold Legal 2013, Online Exchange In for you to be more granular in selecting the content to preserve by introducing two types of In- of types two introducing by preserve to content the selecting in granular more be to you for Place Holds:

Chapter 624

Chapter 12

INSIDE OUT INSIDE Figure 12-47 page of theEAC, asshowninFigure 12-47. You can create time-basedholdsandcriteria-basedonthecompliancemanagement discoverable. any of andis theholdremains applicabletotheemail,thenitscontentswillbepreserved cific individuals,ortodistributiongroups. Ifanemailissubjecttomultipleholds,aslong You can create andapplymultipleholdstotheentire organization (allmailboxes), tospe- holds Creating other KQL syntaxexamples. located amaximumdistanceof three words from theword debt.Search theInternet for The preceding KQL syntaxallowsyou to search forcontent thathastheword acquisition “acquisition” NEAR(n=3)“debt” ple of KQL syntax: KQL isasyntaxthatallowsyou to conductproximity searches. Thefollowingisanexam- Language(KQL). istheKeyword well advertised Query A newcapability thatisnotvery eating In-PlaceHoldsthrough theEAC. Cr

Keyword Query Language Query Keyword Compliance,

Legal

Hold,

and

eDiscovery

concepts

625

Chapter 12 + icon. In-Place Hold policy, an organization could choose to choose could organization an policy, Hold In-Place Online

Exchange administering and

Define hold settings.

Global Address List (GAL) dialog box, select a distribution group, such as Everyone. as such group, distribution a select box, dialog (GAL) List Address Global migration

In the EAC, select compliance management, and then select in-place eDiscoveryIn the EAC, & hold. a new in-place hold. Click the + icon to create a name for the hold, and then click next. Provide and then click the Select Specify to search, mailboxes the In you can simply select the Click add, and then click ok to close the GAL. Alternatively, option in Step 4. Click next. all mailboxes Search

ailbox 5. 2. 3. 4. 1. M Figure 12-48 Figure corporate-enforced, a of example an As create an organization-wide, time-based hold by following these steps: an organization-wide, create When prompted for the holding period, you can choose to hold indefinitely or to hold for a to hold indefinitely you can choose for the holding period, When prompted 12-48. certain shown in Figure days, as of number

Chapter 626

Chapter 12

INSIDE OUT INSIDE logic, KQL, andtheothersettingstodefineyourcriteria-basedsearch. user mailbox contentinStep6,selectFilterbasedoncriteriaandusekeywords, Boolean preceding stepstocreate anewhold withonedifference: insteadof selectingIncludeall thesame need tocreate anewholdbasedoncriteriaratherthantime,youwillperform You have nowimplementedanorganization-wide, time-basedhold.Intheeventthat you additional Discovery mailboxes. Furthermore, each Discovery mailbox islimitedto50GB. eachDiscovery mailboxes. Furthermore, additional Discovery mailbox, butyoucancreatemailbox. Eachtenantisprovisioned with asingleDiscovery results of amulti-mailbox search are stored inaspecialtypeof mailbox calledtheDiscovery Multi-mailbox search enablesyoutosearch mailboxes foritemsthatmeet yourcriteria.The Multi-mailbox search (eDiscovery) 7. 6. if((Get-MailboxSearch “”)status–eq“Failed” toscript check thestatusof thesearch itisthefollowing: andattempt to start ning. We fewminutes. TheWindowsPowerShell created every andhaditrun ascript thestatusof itif thesearchto start isFailed becausetwo othersearches are already run- Windows PowerShell thatchecksthestatusof script eachsearch request andattempts An alternate optionisto create searches, alltherequired andthenwrite a eDiscovery temporarily increase thislimit. can submitarequest withabusinesscase fortheneedto to Microsoft OnlineSupport rent multi-mailbox searches. Ifyou have theneedformultipleconcurrent searches, you butyou Description, are limited to twoIt isnotstated concur- explicitlyintheService

Start-MailboxSearch –identity“”–Force } relative totheirreceived dateoption.Type 180inthetextbox, andthenclickfinish. numberofin selectedmailboxes onhold.SelecttheSpecify daystoholditems On theIn-PlaceHoldsettingspage,selectPlacecontentmatchingsear of allemail,regardlesspreservation of content.Clicknext. page, selectIncludeallusermailbox content.Thisenforces the On theSearch query

Concurrent searches Compliance,

Legal

Hold,

and

eDiscovery

concepts ch quer

y 627

Chapter 12 Online

Exchange

f search results. f search administering and

Estimate o migration ailbox M Figure 12-49 Figure Results of multi-mailbox searches are located on the same page as In-Place Holds. As you page as In-Place located on the same are searches multi-mailbox Results of hold, the or criteria-based an existing time-based 12-49, by clicking on Figure can see in pane in the informational shown are results the search of including estimates information to the right.

Chapter 628

Chapter 12

Summary grates withyouron-premises messagingsolution. provided youwith a strong ExchangeOnlineandhowitinte foundationtounderstand focused onExchangehybridmodelsandmailbox migrations.We have hopethesechapters specifictoExchangeinthecloud. What wecoveredWe in thelastthree isvery chapters form of In-Place Holds, multi-mailbox search, and Messaging Records Management (MRM). Prevention (DLP).Finally, wecovered thecompliance capabilitiesof ExchangeOnlineinthe Online Protection for Exchange(FOPE),OnlineProtection (EOP),andDataLoss also covered theadministration of Exchange anditsdifferent workloads, suchasForefront box migrationoptions,includingastrategytomigrate.pstcontentwithPST Capture. We We covered alotof information inthischapter. bylookingatthe different We mail- started Figure 12-50 mate forsearch results, preview thesearch results, orcopythesearch results. glassicon,asshowninFigure 12-50,youcanre-runBy clickingthemagnifying theesti ch results options. Sear Summary

- - 629

Chapter 12 - - emises f Exchange admin f Exchange Online

Exchange administering and migration ailbox M Because it is not possible for this book to be exhaustive on all aspects o on all aspects book to be exhaustive is not possible for this Because it istration, bear in mind that Exchange Online 2010 is equivalent to Exchange on-pr is equivalent to Exchange Online 2010 in mind that Exchange istration, bear Therefore, 2013. Exchange on-premises is equivalent to Exchange Online 2013 2010, and many good are Exchange, there administering the topic of to dive deeper into if you need all its work administration and solely on Exchange the market that focus in books already meet your needs. loads, and these should Online, which is another service provided we will look at SharePoint In the next chapter, under Office 365.

Chapter 630

Chapter 12

Index

Add Features Wizard, 409 Index Add Groups or Objects dialog box, 316 ADD IT button, 651 Symbols Add-MailboxPermission cmdlet, 417, 418 1.5 Mbps pipe, 27 Add & Manage Sources option, 682 32-bit vs. 64-bit version, 775 Add Roles and Features Wizard, 226, 332 > (greater-than symbol), 422 Add Roles Wizard, 92 # (pound) key, 800 Add SLA dialog box, 322 Add Token-Decrypting certificate option, 120 A Add Token-Signing certificate option, 120 AAD (Azure Active Directory) connector, 788 AD Enterprise Administrator account, 150, 172 AAW (Application Approval Workflow), 211 AD FS 2.0 Federation Server Configuration Wizard, 106, 109 Accepted Domain dialog box, 522 AD FS 2.0 Management snap-in, 106 Access management, 787 AD FS (Active Directory Federation Services) account forest, 792 architecture planning ACTIONS link, 658 database, 101 activating services via script, 819–820 proxy, 100–101 Activation Error message, 778 server farm, 100 active-active synchronized configuration, 439 certificates Active Alerts view, 289 creating requests, 93–97 Active Directory. See AD (Active Directory) installing on Internet Information Server, 97–98 Active Directory Federation Services. See AD FS (Active protecting default website with, 98–99 Directory Federation Services) using enterprise certificate authority to issue, 97 Active Directory Integration Pack, 344 configuring, 106–112 Active Directory User and Computer (ADUC) management converting domain from standard authentication to identity console, 72, 89 federation ActiveSync, 36, 433, 512, 535 server on remote Windows 7 workstation, 114–115 AD (Active Directory) server on Windows Server 2008 R2 or later, 113–114 Clean Up link, 24 server on Windows Server 2008 SP2, 114–115 discovering information about, 23 verifying successful conversion, 115–117 domain name, adding to Office 365 federation URL endpoint, updating, 117–121 DNS, configuring, 81–82 hybrid Lync environment, 754 domain purpose, setting, 81–82 identity management in Windows Azure, 797 licenses, assigning, 80 installing, 101–106 TXT records, entering, 77–79 Internet Information Server role, installing, 92 users, adding, 80 on-premises technologies, 207 verifying domain, 79–80 removing module, 53 completely uninstalling, 125–135 schema, updating, 140–143 converting domain from identity federation to standard and SSO, 71 authentication, 123–124 synchronizing account with Office 365 using single sign on requirements, 84–86 PowerShell, 375 single sign on scenarios Adatum Inc., 678 remote worker not logged on to corporate network, 84 Add a domain link, 75 remote worker on virtual private network Add Exchange Forest dialog box, 479 connection, 83–84

823 824 ADFSAppPool

stand-alone AD FS server, 108 B testing federation server, 112 B2B (business-to-business) partners, 139 user principal name suffix, remediating, 86–91 backup and recovery for Exchange Online, 439–441, verifying successful domain conversion, 117–118 449–450 ADFSAppPool, 125 bandwidth AdfsSetup.exe, 102 “burstable”, 38 ADM (Classic Administrative Templates), 752 and network latency, 26–27 .adm file, 749 requirements for Lync Online, 45 Admin Audit log, 421–422 testing for Lync Online, 719–721 admin center Basic authorization for WinRM listener, 402 directory synchronization, activating through, 145–147 BCS (Business Connectivity Services) Profile Pages directory synchronization, verifying through, 176–177 feature, 634 AdministrationConfig-en installation file, 57 BI (business intelligence), 632 Administration node, 256 Binary Tree, 601 admin resource center, 19 BIS (Blackberry Internet Service), 436 .admx file, 749 bits per second (bps), 27 ADSIEdit.msc, 131 BitTitan, 601 ADUC (Active Directory User and Computer) management Blackberry devices, 436 console, 72, 89 BlockedSendersHash attribute, 172 ADVANCED option, 667 BPOS (Business Productivity Online Services), 147 alert notifications (SCOM) bps (bits per second), 27 creating alert recipients, 262–270 bring your own device (BYOD), 38, 438, 669, 760 creating subscription, 270–281 British Telecom (BT), 717 customizing, 289–290 Browse button, 569 resources for, 280–281 Browse for Computer dialog box, 346 Alert Type window, 274 BT (British Telecom), 717 Alias attribute, 139 bulk emails All Adatum Communications eDiscovery set, 687 sending responsibly, 439 Allow action, 446 sending to users, 820–821 All targeted objects setting, 298 “burstable” bandwidth, 38 anti-spam in Exchange Online, 443–445 business case for Office 365 App Catalog site, 634, 653 core competency, 12 App Controller, System Center, 219–221 economies of scale, 11 Apple iMessage, 433 redundancy, 11–12 Application Approval Workflow (AAW), 211 scalability, 11 Application Pools node, 129 subscription model, 10–11 Application Virtualization (App-V) technology, 764 Business Connectivity Services (BCS) Profile Pages app licenses, managing, 657–659 feature, 634 App-V (Application Virtualization) technology, 764 business intelligence (BI), 632 architecture for SharePoint Online, 633 Business Productivity Online Services (BPOS), 147 Archive Mailbox page, 546 Business Productivity Online Standard Suite, 49 ASP.NET 3.5, 225 business-to-business (B2B) partners, 139 Assign Licenses activity, 349 BYOD (bring your own device), 38, 438, 669, 760 Assign Services to Certificate page, 502, 505 audio conferencing, dial-in, 717–718 C Autodiscover service CA (certificate authority), 48, 93, 482 in Microsoft Remote Connectivity Analyzer Tool, 47 CAL (client access license), 11, 786 resetting virtual directory, 539–542 calendaring. See also Exchange Online troubleshooting Exchange hybrid model Can view option, 663 deployment, 534–537 CAS (Client Access Server), 53, 207, 461, 591 automated deletions in Exchange Online, 621 Cemaphore, 601 Availability Tracker, 310 centralized mail transport (hybrid Exchange) Available classes box, 273 disabled, 558–559 AVIcode, Inc., 213 enabled, 560–562 Azure Active Directory (AAD) connector, 788 enabling/disabling, 562–564 criteria for subscriptions 825

CentralizedTransportEnabled, 564 Complete Pending Request Wizard, 500 certificate authority (CA), 48, 93, 482 Completion page, Assign Services to Certificate Wizard, 506 Certificate Configuration page, 486, 493 Completion page, Manage Hybrid Configuration certificates Wizard, 533 creating requests, 93–97 compliance Exchange hybrid model automated deletions, 621 acquiring certificate, 495–497 enforced retention, 621 generating certificate request, 482–494 holds importing purchased certificate, 498–506 creating, 625–627 verifying certificates, 506–507 criteria-based hold, 624–625 installing on Internet Information Server, 97–98 overview, 623–624 protecting default website with, 98–99 time-based hold, 624 using enterprise certificate authority to issue, 97 Management page for, 617 wildcard certificates, 95 Messaging Records Management Certificate Sharing Container retention policies, 623 determining location of, 125–126 retention tags, 623 removing, 131–135 multi-mailbox search (eDiscovery), 627–630 certificate signing request (CSR), 470, 482, 496, 507 personal archive, 622 certifications, 13–14 preserving content, 621 certreq command, 97 in SharePoint Online with eDiscovery, 674–693 Channel Type drop-down box, 267 Computers node, 596 Check Out Runbook option, 347 Configuration Management Database (CMDB), 217, 352, Chief Security Officer (CSO), 150 366 Citrix, 214 Configuration Manager, System Center, 210–212 CJIS (Criminal Information Services) Security Addendum, 14 Configuration Results page, 110 Classic Administrative Templates (ADM), 752 Configuration.xml file, 770 Clear Move Request action, 555 Configure External Client Access Domain option, 508 Click-to-Run installation method, 762 Configure Prompts page, 389 client access license (CAL), 11, 786 ConfigWizard.exe file, 169 Client Access Server (CAS), 53, 207, 461, 591 Confirm installation selections page, 234 Client Mix tab, 40, 43 Connection Configurations page, 552 client-side session, 403 Connect-MsolService cmdlet, 62, 113, 115, 121, 144 Client tab, 47 consumer vs. enterprise, 3–4 cloud identities content management system (CMS), 632 creating from csv file, 814 conversation history for Lync Online, 742–754 defined, 72 converting users, 124 Cloud Import List option, 599 Convert-MSOLFederatedUser cmdlet, 123 cloud services, consumer vs. enterprise, 3–4 copper cables, 27 CMDB (Configuration Management Database), 217, 352, CorpSQL, 159 366 Create a new Federation Service option, 107 cmd command, 397 Create a New Group option, Tasks pane, 284 cmdlets Create App Catalog Site Collection page, 648 defined, 396 Create Certificate Request option, 94 general discussion, 53 Create Request Offering option, 387 Office 365 commands listing, 424 Create Run As Account option, 293 CMS (content management system), 632 Create Service Offering option, 390 CN (common name), 139, 469 Create User activity, 348 Collect Needed Information page, 466 credentials Command Add-on library, 410, 411 in Manage Hybrid Configuration Wizard, 520 Command Channel text box, 267 management by FIM, 786 Command Pane in PowerShell ISE, 67, 410 storing in variable, 61 Command Prompt program, 397 $cred variable, 60, 113, 144 common name (CN), 139, 469 Criminal Information Services (CJIS) Security Addendum, 14 Community site, Office 365, 19 criteria-based hold for Exchange Online data, 624–625 Complete-Migration cmdlet, 590 criteria for subscriptions, 271–272 826 Cryptographic Service Provider Properties page

Cryptographic Service Provider Properties page, 96 changing MX record, 558 CSO (Chief Security Officer), 150 configuring Exchange Web Services, 508–512 CSR (certificate signing request), 470, 482, 496, 507 configuring hybrid deployment, 517–534 CSV File Maker link, 25 EMC configuration, 471–482 .csv files establishing hybrid relationship, 514–516 creating cloud identities from, 814 requirements, 460–462 IMAP migration, 585 testing mailbox creation, 542–549 staged migration, 574–575 testing mailbox move, 549–557 Custom Compliance Policy Settings folder, 752 troubleshooting, 534–542 Customer Experience Improvement Program, 248 using Exchange Server Deployment Assistant, 462–471 CustomLync2013IMArchive.adm file, 750 Lync Online cutover migration allowing outgoing connections, 723 with EAC, 570–573 DNS entries, 723–727 with ECP, 568–570 overview, 718 overview, 566–567 policies, 742–754 ports and protocols, 722–723 D testing network bandwidth and latency, 719–721 dashboards (SCOM) Microsoft Office 365 Deployment Readiness Toolkit, 21–26 creating, 312–317 Office 365 Deployment Guide, 20–21 operator console dashboards, 311–312 Office 365 Professional Plus SLA dashboards, 317–323 32-bit vs. 64-bit version, 775 databases, AD FS architecture planning, 101 Group Policy, 775–776 Data Bus in Orchestrator, 370 overview, 762–763 data center locations, 28 system requirements, 775 Data Leakage Prevention (DLP), 422, 456, 460, 562, 617 virtualization, 776–777 Data Protection Manager, System Center. See DPM, System Office 365 Service Descriptions, 19–20 Center of OS, 211 Data Reader account, 249 tools for, 18–19 Data Tables tab, 42 Depot PC scenario, 210 Data Warehouse Write account, 249 Details Information window, 348 Data Writer account, 249 Device Management node, 256 DC (domain controller), 84, 283, 746, 794 dial-in audio conferencing, 717–718 debugging Differential configuration, 214 in ISE, 406 DigiCert, 495 in PowerShell ISE, 66 directory-based blocking, 444 decommissioning on-premises Exchange, 607 directory synchronization default website, protecting with certificates, 98–99 activating deleted users, purging, 820 Active Directory schema, updating, 140–143 Deliver with Bcc action, 446 through admin center, 145–147 Delta Confirming Import option, 190 with Windows PowerShell, 144–145 Delta Import Delta Sync profile, 183, 186 changing schedule, 195 Delta Import operation, 182 Directory Sync Setup Wizard, 164 Delta Synchronization operation, 182 Directory Sync tool, 137 dependent servers, identifying, 283–286 forcing unscheduled Deploy IP to Runbook Server or Runbook Designer run profiles and management agents, 182–183 option, 345 with Synchronization Service Manager, 183–192 deployment through Windows PowerShell, 191–195 Deployment Guide, 18 new feature, 138 Deployment Readiness Toolkit, 18 process of, 140–142 Exchange hybrid model troubleshooting common errors capabilities, 460 with MOSDAL toolkit, 199–204 centralized mail transport disabled, 558–559 synchronization not running, 197–198 centralized mail transport enabled, 560–562 unrecognized or invalid data in Active Directory, 198–199 centralized mail transport, enabling/disabling, 562–564 verifying certificates, 482–507 through admin center, 176–177 EMC (Exchange Management Console) 827

Event Viewer, checking, 181–182 Microsoft Online Service Sign-in Assistant, 56 service status, 177 Microsoft Report Viewer Redistributable Package, 226 with Synchronization Service Manager, 178–181 MOSDAL, 49 Windows Azure Active Directory Sync /download mode, 769 configuring, 170–176 Download Report button, 691 installing with dedicated computer running SQL Download Results button, 691 Server, 151–163 DPM (Data Protection Manager), System Center, 214–215 installing with Windows Internal Database, 164–168 Dynamic Members page, 286 direct synchronization, 790 DirSync command, 327 E DirSyncConfigSell.psc1 file, 192 EAC (Exchange admin center) DirsyncInstallshell.psc1 file, 158 administration interface, 612 DirSyncObjects.xml file, 202 cutover migration with, 567, 570–573 disaster recovery, 439, 455 IMAP migration with, 587–589 DisplayName attribute, 139 overview, 617–619 Distinguished Name Properties page, 94 staged migration with, 579–584 Distribute apps for Office task, 649 EAS (Exchange ActiveSync Services), 212, 435 Distribute apps for SharePoint task, 649 ECP (Exchange Control Panel) distribution lists (DLs), 92, 138 administration methods, 53 DLP (Data Leakage Prevention), 422, 460, 562, 617 cutover migration with, 568–570 DLs (distribution lists), 92, 138 E-Mail Migration window, 587 DNS (Domain Name System) IMAP migration with, 585–587 configuring, 81–82 overview, 612–613 creating entries for Lync Online, 723–727 staged migration with, 575–579 creating TXT record, 76 Edge Transport server, 465 dependent technologies, 223 eDiscovery (electronic discovery) entering TXT records, 77–79 Download Manager page, 692 planning environment for Exchange Online, 461 multi-mailbox search in Exchange Online, 627–630 domain controller (DC), 84, 283, 746, 794 responsibility for, 612 domain names Sets page, 687 adding to Office 365 in SharePoint Online, 674–693 DNS, configuring, 81–82 Edit Bindings option, 98 domain purpose, setting, 81–82 Edit Federation Service Properties option, 118 licenses, assigning, 80 Edit in Browser option, 670 TXT records, entering, 77–79 editions of Microsoft Office, 760–762 users, adding, 80 Edit user settings page, Lync Online Control Panel, 738 verifying domain, 79–80 Education suites, 6 associating multiple to tenant, 75 EHE (Exchange Hosted Encryption), 438, 451–452 converting from identity federation to standard electronic discovery. See eDiscovery (electronic discovery) authentication, 123–124 email. See also Exchange Online converting from standard authentication to identity accounts federation creating runbooks for, 346–349 AD FS server on remote Windows 7 workstation, 114–115 mailbox access, granting, 417–418 AD FS server on Windows Server 2008 R2 or time zones, changing, 418–419 later, 113–114 campaigns, sending responsibly, 439 AD FS server on Windows Server 2008 SP2, 114–115 clients vs. server, 433 verifying successful conversion, 115–117 sending bulk email to users, 820–821 Domain Name System. See DNS EmailAddress attribute, 574, 585 Domain Proof of Ownership page, 524 E-Mail Addresses tab, 556 Domain Scope page, 485 E-Mail Migration page, 569, 576, 578 Domains page, Manage Hybrid Configuration Wizard, 521 EMC (Exchange Management Console) downloading adding Exchange Online, 479–482 Management Pack, 254 administration options, 53 Microsoft Office 365 Deployment Readiness Toolkit, 22 installing, 469 Microsoft Online Service Module, 57 migrating mailboxes, 603 828 -EnabledSharedAddressSpace parameter

overview, 468, 608–609 configuring hybrid deployment, 517–534 on server, 471 EMC configuration, 471–482 on workstation, 471–478 establishing hybrid relationship, 514–516 -EnabledSharedAddressSpace parameter, 755 requirements, 460–462 Enable Exchange hybrid deployment check box, 173 testing mailbox creation, 542–549 Enable multi-factor authentication page, 802 testing mailbox move, 549–557 Enable-OrganizationCustomization cmdlet, 423 troubleshooting, 534–542 Enable Password Sync check box, 174 using Exchange Server Deployment Assistant, 462–470 Enable-PSRemoting cmdlet, 114 migrating mailboxes, 591 Enable User activity, 349 Exchange Management Console. See EMC Enable wildcard certificate check box, 485 Exchange Management Shell window, 607 encryption for Exchange Online, 435 Exchange Online. See also Exchange hybrid model Endpoint Protection, System Center, 218–219 administration enterprise EAC, 617–619 certificate authority, 97 ECP, 612–613 Enterprise suites, 6 EMC, 608–609 Enterprise Voice vs. peer-to-peer voice, 700 EOP, 620 vs. consumer, 3–4 FOPE, 614–617 environment, readiness, 21 remote Windows PowerShell, 611 EOA (Exchange Online Archiving) capabilities of access, 450–451 backup and recovery, 439–441 archive size, 448–449 Data Leakage Prevention, 456–457 backup and recovery, 449–450 messaging limits, 439 compliance, 451 Rights Management Service, 457–458 hybrid archiving, 454 service availability and redundancy, 441–442 overview, 434 compliance personal archives, 622 automated deletions, 621 EOP (Exchange Online Protection) enforced retention, 621 next release, 438 holds, 623–627 overview, 620 Messaging Records Management, 623 Error Reporting page, 473 multi-mailbox search (eDiscovery), 627–630 E suites, 7, 20 personal archive, 622 ESX, 214 preserving content, 621 Event Viewer, 181–182 core workloads and concepts EWS (Exchange Web Services) archiving, 434 configuring for Exchange hybrid model, 508–512 communication between clients and Exchange planning for deployment, 469 Online, 435–436 Exchange 2010 Pre-Deployment Analyzer (ExPDA), 462 communication between Exchange Online and Exchange Active Sync is enabled check box, 486 destination email servers, 436–437 Exchange ActiveSync Services (EAS), 212, 435 communication between Exchange Online Exchange admin center. See ACE customers, 437 Exchange Client Network Bandwidth Calculator, 40 filtering, 438–439 Exchange Control Panel. See ECP handling and transport, 435–437 ExchangeGUID property, 605, 607 mailboxes and calendaring, 433–434 Exchange Hosted Encryption (EHE), 438, 451–452 security, 438 Exchange Hub Transport server, 561 Deployment Readiness tool, 24 Exchange hybrid model domain purpose, 81 deploying establishing Windows PowerShell session with, 414–416 capabilities, 460 Exchange Hosted Encryption, 451–452 centralized mail transport disabled, 558–559 Exchange Online Archiving centralized mail transport enabled, 560–562 access, 450–451 centralized mail transport, enabling/disabling, 562–564 archive size, 448–449 certificates, 482–508 backup and recovery, 449–450 changing MX record, 558 compliance, 451 configuring Exchange Web Services, 508–512 Full Backup configuration 829

Forefront Online Protection for Exchange file upload size for SharePoint Online, 637 anti-spam, 443–445 FIM (Forefront Identity Manager) layered protection, 443–444 automating default UPN using, 90 message handling, 446–447 dependent technologies, 223 message quarantining, 445 directory synchronization, 138 policies, 445–446 licensing, 786 reporting, 447–448 management agents, 788 hybrid environment, 20 multi-forest scenarios implementation options account forest and resource forest scenario, 792 enabling hybrid deployment, 173 direct synchronization, 790 hybrid archiving model, 454–455 indirect synchronization, 791 hybrid mailbox model, 452–453 overview, 788–789 hybrid mail protection and routing model, 455 overview, 786–788 plans, 431–432 purpose of, 781 and public-facing sites, 82 FIMSyncAdmins group, 201 recovering deleted items, 440 FIMSynchronizationService database, 163 Service Descriptions, 430 Find Text activity, 327 Exchange Online Archiving. See EOA firewalls, 27 Exchange Online for Kiosk Workers, 431 FISMA (Federal Information Security Management Act), 13 Exchange Online Protection. See EOP FOPE (Forefront Online Protection for Exchange) Exchange On-Premises node, 498 actions in, 447 Exchange Server 2010 Setup Wizard, 473 anti-spam, 443–445 Exchange Server Deployment Assistant, 462–470 future releases, 438 Exchange Server Enterprise Edition, 431 layered protection, 443–444 Exchange Server Standard Edition, 431 message handling, 446–447 Exchange Unified Communications Certificate, 484 message quarantining, 445 Exchange Unified Messaging (UM), 173 overview, 614–616 Exchange Web Services. See EWS policies, 445–446 Exchange Web Services is enabled check box, 487 prerequisite for EHE, 451 Excluded Members page, 286 reporting, 447–448 Exit And Show Files option, 200 vs. SCEP, 218 ExPDA (Exchange 2010 Pre-Deployment Analyzer), 462 vs. Hub Transport, 445 Export operation, 183 ForceChangePassword attribute, 574 ExRCA (Microsoft Exchange Remote Connectivity force TLS action, 446 Analyzer), 534 Forefront Endpoint Protection 2010, 218 external collaboration with SkyDrive Pro, 660–664 Forefront Identity Manager. See FIM (Forefront Identity Manager) F Forefront Online Protection for Exchange. See FOPE Family Education Right and Privacy Act (FERPA), 14 Forefront Online Protection for Exchange Outbound Federal Information Security Management Act (FISMA), 13 Connector box, 530 Federal Trade Commission (FTC), 456 Forefront Protection 2010 for Exchange Server (FPE), 438 federated identities forests, AD converting domain from standard authentication to discovering information about, 23 AD FS server on Windows Server 2008 R2 or multi-forest scenarios later, 113–114 account forest and resource forest scenario, 792 AD FS server on Windows Server 2008 SP2, 114–115 direct synchronization, 790 verifying successful conversion, 115–117 indirect synchronization, 791 converting domain to standard authentication overview, 788–789 from, 123–124 one-way forest trusts, 785 overview, 72–73 trusts, 785 Federation server option, 104 two-way forest trusts, 785 federation URL endpoint, 117–121 FPE (Forefront Protection 2010 for Exchange Server), 438 FERPA (Family Education Right and Privacy Act), 14 FQDN (fully qualified domain name), 74, 94, 96 fiber optic cable, 27 FTC (Federal Trade Commission), 456 FILES tab, 668 Full Backup configuration, 214 830 Full Import/Delta Synchronization operation

Full Import/Delta Synchronization operation, 183 groups Full Import/Full Synchronization operation, 183 creating distribution, 419–421 Full Import operation, 182 viewing, 419 Full Synchronization operation, 183 G-tenant, 10 fully qualified domain name (FQDN), 74, 94, 96 GUI (Graphical User Interface), 52, 405 G H GAL dialog box, 626 headquarters (HQ), 36 GAL (global address list), 92, 452, 460 Health Insurance Portability and Accountability Act gateways, 27 (HIPAA), 14, 438, 456 Gbps (gigabits per second), 27 Heating Ventilation and Air Conditioning (HVAC) GCC (Government Community Cloud), 8, 10 systems, 212 General page, Service Level Tracking Wizard, 318 helper scripts, 68 General Properties page, Create Group Wizard, 285 Help files, updating, 416 General Properties page, Update Configuration Wizard, 315 /help mode, 769 geolocation, 29 HIPPA (Health Insurance Portability and Accountability geo-redundancy, 11, 442 Act), 14, 438, 456 Get-AutodiscoverVirtualDirectory cmdlet, 542 holds (Exchange Online data) Get-Command cmdlet, 416 creating, 625–627 Get-Credentials cmdlet, 121, 403 criteria-based hold, 624–625 Get-CSUser cmdlet, 756 overview, 623–624 Get-ExchangeCertificate cmdlet, 507 time-based hold, 624 Get-ExecutionPolicy cmdlet, 64, 401 hops, 27 Get-FederationInformation cmdlet, 538, 539 -HostedMigrationOverrideUrl parameter, 756 Get-Group cmdlet, 419, 421 HQ (headquarters), 36 Get-HybridConfiguration cmdlet, 534 HR (Human Resources) task, 325 Get-HybridMailFlow cmdlet, 563, 564 HTTPS (Hypertext Transfer Protocol Sercure), 433, 435 Get-Mailbox cmdlet, 415 Hub Transport Get-MailboxPermission cmdlet, 418 email handling, 435 GetMailboxRegionalConfiguration cmdlet, 418 Exchange hybrid deployment, 489, 530 Get-MsolDomainFederationSettings cmdlet, 116 vs. FOPE, 445 Get-MsolSubscription cmdlet, 62 Human Resources (HR) task, 325 GetO365LicInfo.ps1 script, 63, 66 HVAC (Heating Ventilation and Air Conditioning) Get Object activity, 349 systems, 212 Get Relationship activity, 349 Hybrid Configuration tab, 517 Get-RetentionPolicy cmdlet, 422 hybrid deployments gigabits per second (Gbps), 27 defined, 9 GLBA (Gramm-Leach-Biley Act), 456 establishing hybrid relationship, 514–516 Global Address List dialog box, 626 Exchange Online global address list (GAL), 92, 452, 460 configuring, 517–534 Global Administrator account, 150, 197 general discussion, 20, 172 Go Daddy, 76 hybrid archiving model, 454–455 Government Community Cloud (GCC), 8, 10 hybrid mailbox model, 452–453 Government suites, 6 hybrid mail protection and routing model, 455 GPOs (Group Policy Objects), 72, 743, 775 planning for, 463 Gramm-Leach-Biley Act (GLBA), 456 Lync Online Graphical User Interface (GUI), 52, 405 configuring, 754–756 greater-than symbol ( > ), 422 overview, 714–717 Group management, 786 SharePoint Online, 637 Group Membership tab, 201 SharePoint Online search Group Policy one-way inbound topology, 697 deploying Office 365 Professional Plus, 775–776 one-way outbound topology, 697 Group Policy Management, 746 two-way topology, 698 Group Policy Objects (GPOs), 72, 743, 775 Hypertext Transfer Protocol Sercure (HTTPS), 433, 435 licenses 831

Hyper-V Dynamic Memory setting, 244 Integration Packs (IPs) hypervisor, 215 and Management Server, 325 SCO, 216 I using with Office 365 automation, 344–346 IaaS (Infrastructure as a Service), 101, 209, 781 IntelliSense, 66, 406, 408, 410 IBE (Identity-Based Encryption), 452 Intercall, 717 IDE (Integrated Development Environment), 410 Internet backbone, 28 Identity-Based Encryption (IBE), 452 Internet Engineering Task Force (IETF), 700 Identity Management (IDM), 786 Internet Information Server. See IIS identity management in Windows Azure Internet message access protocol. See IMAP components all deployed in, 796 Internet Protocol (IP), 700 components duplicated in, 797–798 Internet Service Provider (ISP), 76 overview, 794–795 In-Transit flag, 555 IETF (Internet Engineering Task Force), 700 Introduction page, Manage Hybrid Configuration IIS 6 Management Compatibility node, 472 Wizard, 519 IIS (Internet Information Server) Introduction page, New Remote Move Request Wizard, 550 administrators for SharePoint Online, 633 IP (Internet Protocol) certificates, installing on, 97–98 discovering IP addresses, 30 installing on AD FS server, 92 SIP and, 700 Metabase Compatibility, 231 Iplocation.net, 31 requirement for Orchestrator, 331 IPs (Integration Packs). See Integration Packs restoring, 127–131 ISE (Integrated Scripting Environment). See PowerShell ISE IMAP (Internet message access protocol) (Integrated Scripting Environment) and EOA, 450 ISP (Internet Service Provider), 76 Exhange Online protocol support, 433 ITIL (IT Infrastructure Library), 217, 326, 352 protocol, 585 ITPA (IT process automation), 325 IMAP migration creating .csv file, 585 J with EAC, 587–589 Join Lync Meeting option, 705 with ECP, 585–587 IMAutoArchivingPolicy, 748 K IM (Instant Message), 703 KB (Knowledge Base), 112 Import-ExchangeCertificate cmdlet, 501 Key Management Server (KMS), 760 importing key performance indicators (KPIs), 353, 632 Management Pack, 253–263 Keyword Query Language (KQL), 625, 684 purchased certificate, 498–506 Kiosk plans, 6, 20 Import-Module cmdlet, 414 KMS (Key Management Server), 760 Import-PSSession cmdlet, 405 Knowledge Base (KB), 112 Incremental Backup configuration, 214 KPIs (key performance indicators), 353, 632 indirect synchronization, 791 KQL (Keyword Query Language), 625, 684 Infrastructure as a Service (IaaS), 101, 209, 781 Initialize Data activity, 348 L In-Place Hold, 624, 626, 627, 684 LAN (Local Area Network), 36, 223 Input tab, 42 large VMs, 799 Installation Type page, 474 latency, network installing and bandwidth, 26–27 Microsoft Exchange PST Capture, 593–600 testing for Lync Online, 719–721 Microsoft Online Services Module, 54 Legal Hold, 624 Microsoft Online Services Sign-in Assistant, 56 LIBRARY tab, 668 selecting path Operations Manager installation, 240 Library workspace, 387 Install-OnlineCoexistenceTool cmdlet, 160 licenses Instant Message (IM), 703 accepting terms, 245 Integrated Development Environment (IDE), 410 assigning, 80 Integrated Scripting Environment. See PowerShell ISE script for swapping, 818–819 (Integrated Scripting Environment) stand-alone purchases, 5 832 limits, SharePoint Online

suites, 6–8 cutover migration limits, SharePoint Online with EAC, 570–573 file upload size, 637 with ECP, 568–570 site collection limits, 636 overview, 566–567 storage limits, 635–636 decommissioning on-premises Exchange, 607 users, 636–637 Exchange hybrid model deployment $LiveCred variable, 404 creating, 542–549 LOB (line-of-business), 632, 635 moving, 549–557 Local Area Network (LAN), 36, 223 IMAP migration Local System account, 249 creating .csv file, 585 Locations Mapper app, 651, 653, 657 with EAC, 587–589 locations of data centers, 28 with ECP, 585–587 Lock and turn off Auto Archiving for IMs option, 753 limits for Exchange Online plans, 431 Log Location page, 541 Microsoft Exchange PST Capture Logon with default credential check box, 480 installing and using, 593–600 Long URL option, 487 overview, 592 Lotus Notes to Exchange Online, 20 migration best practices Lync Federation, 713–714 performance, 601–602 Lync Online reducing TTL for MX records, 601 client, 702–704 service throttling, 602 conversation history, 742–754 user throttling, 602 deploying migration overview, 565–566 allowing outgoing connections, 723 migration using remote Windows PowerShell, 590–591 DNS entries, 723–727 migration with Exchange hybrid environment, 591 overview, 718 moving to on-premises Exchange policies, 742–754 originally created in Exchange Online, 605–607 ports and protocols, 722–723 originally created on-premises, 603–605 testing network bandwidth and latency, 719–721 recovering deleted, 432 dial-in audio conferencing, 717–718 staged migration domain purpose, 81 creating .csv file, 574–575 features, 713 with EAC, 579–584 hybrid Lync Online with ECP, 575–579 configuring, 754–756 third-party migration tools, 601 overview, 714–717 Mailbox Replication Service (MRS), 591 Lync Federation, 713–714 mail-enabled user (MEU), 573 Lync Web App, 708–712 Mail Flow Security page, 531 managing Mail Flow Settings page, 530 Lync Online 2010, 736–741 malware, 218 Lync Online 2013, 728–735 Manage Hybrid Configuration Wizard, 517, 519 meetings, 704–707 Manage License option, 659 migration considerations, 757 management agents mobile, 707 defined, 182–183 Outlook Web App and, 708–712 FIM, 788 and public-facing sites, 82 Management Agents tab, 184, 189 terminology management groups, naming, 244 peer-to-peer voice vs. Enterprise Voice, 700 Management Packs (MPs). See MPs SIP, 700 Management Pack Templates node, 300 Lync Online Control Panel, 736 Management server action account, 249 Lync Transport Reliability Probe, 19, 45, 719 Management Server component, 325 Lync Voice Client Access Licenses, 699 Manage My Organization option, 568 Lync Web App, 708–712 Manage Myself option, 568, 576, 586 Manage requests for apps task, 649 M Manage Result Sources page, 679 mailboxes (Exchange Online) MAN (Metropolitan Area Network), 36 changing size of, 432 manual activity, 386 migrating mailboxes (Exchange Online) 833

Map Prompts page, 389, 390 user accounts Mbps (megabits per second), 27 cloud identities, 72 medium VMs, 799 federated identities, 72–73 meetings, Lync Online, 704–707 Microsoft Office 365 Deployment Readiness Toolkit megabits per second (Mbps), 27 overview, 21–26 Members attribute, 139 troubleshooting data quality errors, 198 message quarantining, 445 Microsoft Office Subscription Error message, 777 Message Records Management (MRM), 422, 449 Microsoft.Online.DirSync.Scheduler.exe.Config file, 194 Metalogix, 601 Microsoft Online Services Diagnostics and Logging Metropolitan Area Network (MAN), 36 Toolkit. See MOSDAL Toolkit MEU (mail-enabled user), 573 Microsoft Online Services Module Microsoft Account Team, 19 overview, 54–59 Microsoft Application Virtualization (App-V) testing, 60–65 technology, 764 Microsoft Online Services Sign-in Assistant, 56, 401 Microsoft Cloud Vantage Service, 789 Microsoft Operations Framework (MOF), 217, 326, 352 Microsoft Developer Network (MSDN), 236 Microsoft Outlook, 433 Microsoft Download Center, 409 Microsoft Remote Connectivity Analyzer, 46–48 Microsoft Exchange On-Premises node, 483, 514, 517, 540, Microsoft Report Viewer Redistributable Package, 226 543, 550, 604 Microsoft Server Manager, 397 Microsoft Exchange PST Capture Microsoft Silverlight, 364 installing and using, 593–600 Microsoft Software License Terms for the Directory Sync overview, 592 tool, 153, 165 Microsoft Exchange Remote Connectivity Analyzer Microsoft Software License Terms page, 473 (ExRCA), 534 Microsoft SQL Server Microsoft Federation Gateway, 516 directory synchronization, installing, 151–163 Microsoft Hyper-V virtual machine, 214, 237 installing, 334–335 Microsoft Installer (MSI) package, 762 Microsoft Updates, 218, 363 Microsoft Lync 2013 Custom Compliance Policy Settings Microsoft Visual Studio, 410 folder, 752 Migrate to Exchange Online option, 571, 580 Microsoft Management Console (MMC), 78, 405, 471 migrating mailboxes (Exchange Online) Microsoft .NET Framework 3.5.1, 55 best practices Microsoft Office 365 performance, 601–602 automation with Orchestrator reducing TTL for MX records, 601 applying runbook concept, 327–329 user throttling, 602 creating runbooks for email accounts, 346–349 cutover migration installing, 330–346 with EAC, 570–573 overiew of, 326–327 with ECP, 568–570 using components of, 329–331 overview, 566–567 automation with Service Manager with Exchange hybrid environment, 591 components of, 352–353 IMAP migration configuring, 369–394 creating .csv file, 585 installing, 353–358 with EAC, 587–589 Orchestrator connector, enabling, 367–369 with ECP, 585–587 overview of, 351–352 Microsoft Exchange PST Capture Self-Service Portal, installing, 358–365 installing and using, 593–600 service catalog overview, 365–366 overview, 592 service request automation, 366–367 moving to on-premises Exchange domain name, adding originally created in Exchange Online, 605–607 adding users and assigning licenses, 80 originally created on-premises, 603–605 DNS, configuring, 81–82 overview, 565–566 licenses, assigning, 80 using remote Windows PowerShell, 590–591 setting domain purpose and configuring DNS, 81–82 staged migration TXT records, entering, 77–79 creating .csv file, 574–575 verifying domain, 79–80 with EAC, 579–584 with ECP, 575–579 834 migration

third-party migration tools, 601 MRM (Messaging Records Management) using remote Windows PowerShell, 590–591 retention policies, 422, 623 migration retention tags, 623 Lync Online considerations, 757 time limits on, 449 options for Exchange Online, 566 MRS (Mailbox Replication Service), 591 MigrationErrors.csv, 567 MSDN (Microsoft Developer Network), 236 MigrationStatistics.csv, 567 msExchArchiveStatus attribute, 172 miisclient.exe graphical UI, 180 msExchUCVoiceMailSettings attribute, 173 MMC (Microsoft Management Console), 78, 405, 471 MSI (Microsoft Installer) package, 762 mobile access to SkyDrive Pro, 669–670 multi-factor authentication mobile Lync Online, 707 Azure Multi-Factor Authentication, 800–802 MOF (Microsoft Operations Framework), 217, 326, 352 initial verification process, 802–805 Monitor Folder activity, 327 overview, 799–800 Monitoring Overview pane, Operations Manager, 262 multi-forest scenarios monitoring with System Center account forest and resource forest scenario, 792 alert notifications direct synchronization, 790 creating alert recipients, 262–270 indirect synchronization, 791 creating subscription, 270–281 overview, 788–789 resources for, 280–281 multi-mailbox search (eDiscovery), 627–630 App Controller, 219–221 MX records Configuration Manager, 210–212 Exchange hybrid model, 558 Data Protection Manager, 214–215 reducing TTL, 601 Endpoint Protection, 218–219 verifying DNS, 77 importing Management Pack, 253–263 Operations Manager N downloading Service Pack 1 media, 236–237 NAT (Network Address Translation), 536 installing, 225–235, 238–253 NDR backscatter prevention, 444 overview, 212–214 NetBIOS method, 92 Orchestrator, 216 Netdom command-line tool, 783 overview, 207–209 network planning latency, 26–27 administering monitoring solution, 224–225 performance statistics, 35 evaluating what to monitor, 222–224 signal degradation, 27 monitoring targets, 225 testing speed, 29 Service Manager, 217–218 Network Address Translation (NAT), 536 Virtual Machine Manager, 214–215 New Dashboard and Widget Wizard, 313, 321 MORE ACTIONS option, 659 New-DistributionGroup cmdlet, 419, 420 More secure option, 295 New Exchange Certificate Wizard, 483 MOSDALLog_Directory_Synchronization_Tool file, 200, 202 New federation server farm option, 108 MOSDAL (Microsoft Online Services Diagnostics and New Hybrid Configuration Wizard, 514, 515, 516 Logging) Toolkit New Import List button, 599 overview, 48–52 New Lync Meeting option, 705 troubleshooting data quality errors, 198 New Other Records option, 526 Windows PowerShell and, 52–54 New PC scenario, 210 Move configuration page, 588 New PST Search Wizard, 596 Move Settings page, 553 New Registry Properties dialog box, 748 MPs (Management Packs) New Remote Mailbox Wizard, 542, 547 and monitoring, 222 New Remote Move Request Wizard, 550, 604, 605 catalog for, 253 New-RetentionPolicyTag cmdlet, 423 configuring, 291–304 New Site Collection dialog box, 644 creating runbook automation activity, 380 New Trust Wizard, 783 defined, 253 non-ASCII characters, 575 importing, 253–263 No Subscription Found error message, 777 and Operations Manager, 213 Notification node, Administration pane, 263 watcher nodes, 300–304 Overview page, Lync Online Control Panel 835

notifications patching, 774 creating alert recipients, 262–270 Service Description, 762 creating subscription, 270–281 troubleshooting resources for, 280–281 Activation Error, 778 Notification Subscriber Wizard, 264–271 Microsoft Office Subscription Error, 777 No Subscription Found, 777 O Office Subscription Removed, 777 O365 tab, 199 Office 365 Service Descriptions, 19–20 OAB (offline address book), 470, 512 Office 365 Small Business Premium, 6 Object Selection page, 286 Office Customization Tool (OCT), 773 OCT (Office Customization Tool), 773 Office Deployment Tool, 769 Office 365 Office Professional Plus subscription, 218 admin resource center, 19 Office Subscription Removed error message, 777 certifications, 13–14 Office Web Apps, 670–674 Community site, 19 offline address book (OAB), 470, 512 core competency, 12 one-way forest trusts, 785 data center locations, 28 Online Connection Settings page, 595 economies of scale, 11 OnPrem Import List option, 599 GCC version, 10 Opalis, 216 licensing OpenPegasus, 213 stand-alone purchases, 5 operating systems (OS), 54, 210 suites, 6–8 OperationsManagerDW, 305 overview, 4 Operations tab, Synchronization Service Manager portal page, 802 window, 192 redundancy, 11–12 operator console dashboards, 311–312 regulatory compliance, 14–15 opportunistic TLS, 437 scalability, 11 Orchestrator Exchange Admin Integration Pack, 344 screen shots in book, 9 Orchestrator, System Center subscription model, 10–11 console port, 342 suite of tools in, 18 overview, 216 terminology Product registration page, 336 hybrid, 9 runbook changes not updated, 379 tenant, 8 Runbook Designer console, 347, 370 tenant name, 8 Setup window, 335 vanity domain name, 9 Organizational Unit (OU), 90 waves, 9 Organization and Location page, 492 Trust Center, 12–13 OS (operating systems), 54, 210 Office 365 Deployment Guide, 20–21 Other New Records option, 78 Office 365 Home Premium, 6 Other verification option, 808 Office 365 Midsize Business, 6 OU (Organizational Unit), 90 Office 365 Professional Plus outgoing connections, 39 Click-to-Run process Outlook Anywhere is enabled check box, 487 customizing, 769–771 outlook.com modes for, 769–771 geolocation information for, 31 overview, 764–768 pinging, 30 vs. MSI, 771–773 Outlook Web App (OWA) deploying and .pst files, 434 32-bit vs. 64-bit version, 775 ECP, 612 Group Policy, 775–776 Exchange Online plans, 431 overview, 762–763 hybrid Exchange environment, 460 system requirements, 775 Lync Online and, 708–712 virtualization, 776–777 traffic analysis, 36 Microsoft Office editions, 760–762 Overview page, Lync Online Control Panel, 736 Office on Demand, 773–774 836 /packager mode

P PowerShell /packager mode, 771 closing sessions, 405 packet loss, 46 cmdlets, 396 PALs (Partner Access Licenses), 139, 636, 660 customizing user interface, 403 Password attribute, 574, 585 directory synchronization, activating with, 144–145 Password Synchronization screen, 174 directory synchronization, forcing unscheduled Patriot Act, 456 through, 191–195 PBX (Private Branch eXchange), 699 environment preparation peer-to-peer voice vs. Enterprise Voice, 699, 700 configuring WinRM settings, 401–402 performance, migrating mailboxes, 601–602 connecting PowerShell to Office 365 service, 403–405 permissions pre-configured for workstation or server, 396–404 changing using PowerShell, 417 examples and exercises SharePoint Store, 655–657 Admin Audit log, using, 421–422 PERMISSIONS tab, 668 Exchange Online, establishing session with, 414–416 personally identifiable information (PII), 456 groups, creating distribution, 419–421 Personal Storage Table (PST) files, 434, 622 groups, viewing, 419 PGi (Premiere Global), 717 Help files, updating, 416 PhoneFactor, 800 mailbox access, granting, 417–418 PII (personally identifiable information), 456 permissions, validating, 418 ping command, 30 retention policies, creating, 423–425 pipe, defined, 422 retention policies, viewing, 422–423 PKI (private key infrastructure), 451 time zones, changing, 418–419 Plan 1/Plan 2, 20 as future interface, 405 planning for Office 365 Integrated Scripting Environment foundational planning and remediation tasks, 18 navigating, 409–414 Microsoft Office 365 Deployment Readiness Toolkit, 21–26 starting from Windows 7, 407–408 Microsoft Online Services Diagnostics and Logging starting from Windows 8, 407 (MOSDAL) Support Toolkit, 48–52 starting from within Windows PowerShell, 407 Microsoft Remote Connectivity Analyzer, 46–48 Microsoft Online Services Module Microsoft Windows PowerShell Integrated Scripting overview, 54–59 Environment (ISE) 3.0, 66–68 testing, 60–65 network Office 365 commands listing, 424 email traffic analysis, 39–43 online resources, 822 misconception about distance, 28 overview, 52–53 quality vs. quantity, 27 remoting, 53 requirements for Lync Online, 44–46 scripts requirements for SharePoint Online, 43–44 activating services, 819–820 speed tests, 28–34 creating cloud identities from csv file, 814 traffic analysis, 35–39 determining subscription name, 813 Office 365 Deployment Guide, 20–21 generating subscription assignment report, 815–818 Office 365 Service Descriptions, 19–20 generating user list, 815 service-specific planning and remediation tasks, 18 purging deleted users, 820 tools for, 18–19 sending bulk email to users, 820–821 Windows PowerShell and swapping licenses, 818–819 Microsoft Online Services Module, 54–59 synchronizing AD account with Office 365, 375 overview, 52–53 testing scripts on test tenant, 414 testing Microsoft Online Services Module, 60–66 underlying services, 395–396 POC (proof of concept), 330 upgrading, 399 Policies node, 751 verifying successful domain conversion, 115–116 Policy management, 786 PowerShell ISE (Integrated Scripting Environment) POP (Post Office Protocol) Command Pane, 410 and EOA, 450 debugging in, 406 Exchange Online protocol support, 433 executing scripts in, 91 ports for Lync Online, 722–723 Module view in, 424 pound (#) key, 800 navigating, 409–414 RTO (Recovery Time Objective) 837

overview, 66–68 Relying Party Trust option, 117 required tools, 53 remediation tasks starting from Windows 7, 407–408 defined, 18 starting from Windows 8, 407 foundational planning and, 18 starting from within Windows PowerShell, 407 service-specific planning and, 18 upgrading, 409 Remote-AutodiscoverVirtualDirectory cmdlet, 542 using as Administrator, 399 Remote Procedure Call (RPC), 48, 435 Preboot Execution Environment (PXE), 210 Remote Target Database box, 604 Preferred Server drop-down box, 32 remote workers, single sign on scenarios Premiere Global (PGi), 717 not logged on to corporate network, 84 Preview Results window, 685 on virtual private network connection, 83–84 primary federation server, 101 remoting with PowerShell, 53 primary mailbox, searching, 433 Remove on the Actions pane, 129 Private Branch eXchange (PBX), 699 Remove-PSSession cmdlet, 405, 611 private key infrastructure (PKI), 451 Repair-SPOSite cmdlet, 696 Progress page, Manage Hybrid Configuration Wizard, 532 Repeat Count value, 289 Project Online, 4 Replace PC scenario, 210 proof of concept (POC), 330 Report a Violation option, 659 protocols for Lync Online, 722–723 reports (SCOM), 305–310 ProxyAddresses attribute, 173 Report Tasks pane, 306 proxy role, 100–101 Request License option, 659 PSTN (public switched telephone network), 700 request offering PST (Personal Storage Table) files, 434, 622 creating, 387–390 public-facing website, 82 in Self-Service Portal, 392–394 public switched telephone network (PSTN), 700 Request timed out error message, 30 purging deleted users, 820 Require sign-in check box, 664 PXE (Preboot Execution Environment), 210 re-routing of connections, 28 Research In Motion (RIM), 436 Q Resolution State window, 275 QoS (Quality of Service), 35 resource forest, 792 Quarantine action, 446 Resource Record Type dialog box, 78 Quest Software, 601 resources, SCOM notifications, 281 Quick Links, 24 Restart Manager, 408 retention of data R enforced, 621 RAM (random-access memory), 244 policies RBAC (Role Based Access Control), 224, 612, 786 creating, 423–425 Readiness Checks page, 476 defined, 623 read-only domain controller (RODC), 793 viewing, 422–423 Recipient Configuration node, 543, 550, 604 tags, 623 recipients, limits on, 439 Return on Investment (ROI), 4, 222, 325 Recoverable Items folder, 440 Return to site link, 651 recovering deleted items, 440 Rights Management Service (RMS), 457–458 Recover License option, 659 RIM (Research In Motion), 436 Recovery Point Objective (RPO), 442 RODC (read-only domain controller), 793 Recovery Time Objective (RTO), 442 ROI (Return on Investment), 4, 222, 325 Redirect action, 446 Role Based Access Control (RBAC), 224, 612, 786 redundancy Roles & Auditing page, 613 business case for cloud, 11–12 Roles Summary pane, 92 data center locations and, 28 RootCAType, 507 Refresh PC scenario, 210 routers, 27 Registry Editor (Regedit), 744 RPC (Remote Procedure Call), 48, 435 regulatory compliance, 14–15 RPO (Recovery Point Objective), 442 Reject action, 446 RTM (released to manufacturing), 429 released to manufacturing (RTM), 429 RTO (Recovery Time Objective), 442 838 Run As Account Creation Progress page

Run As Account Creation Progress page, 296 executing, 64 Run As Account Credentials page, 294 helper scripts, 68 Run As Account Distribution Security page, 295 in Operations Manager, 213 Run as Administrator icon, 398 PowerShell Run As Configuration node, 293 activating services, 819–820 runbook automation creating cloud identities from csv file, 814 creating activity template, 379–383 determining subscription name, 813 flow of, 367 generating subscription assignment report, 815–818 Orchestrator Runbook Designer console, 370 generating user list, 815 process overview, 369 purging deleted users, 820 Runbook Control Integration Pack folder, 348 sending bulk email to users, 820–821 Runbook Designer, 216, 325, 329, 341 swapping licenses, 818–819 runbooks saving, 68 applying concept to office 365, 327–329 SDK (Software Development Kit), 328 creating for Office 365 email accounts, 346–349 Search-AdminAuditLog cmdlet, 421, 422 defined, 216 Search All Now button, 598 finalizing, 371–379 searching modifying for testing, 379 EOA mailboxes, 451 naming, 372 multi-mailbox in Exchange Online, 627–630 not updating in Orchestrator database, 379 primary mailbox, 433 Run Management Agent dialog box, 190 SharePoint Online hybrid environment run profiles, 182–183 one-way inbound topology, 697 Run the query every option, 302 one-way outbound topology, 697 two-way topology, 698 S secondary federation servers, 101 SaaS (Software as a Service), 720 Secure Sockets Layer (SSL), 27, 700 SafeRecipientHash attribute, 172 Security Assertion Markup Language (SAML) toke, 119 SafeSendersHash attribute, 172 Select a Target Class page, 319 samAccountName attribute, 139 Select a well known Naming Context option, 133 SAML (Security Assertion Markup Language) toke, 119 Select Client Access Server dialog box, 529 SANs (subject alternative names), 496, 537 Select features page, 231 Save Policy Rule on the Actions pane, 616 Select Management Packs page, 256 scalability Select Services page, 504 business case for cloud, 11 Select Stand-Alone or Farm Deployment page, 108 economy of, 11 self-repairing connections, 28 SCO. See Orchestrator, System Center Self-Service Portal SCOM (System Center 2012 Operations Manager) installing, 358–365 alert views, 289–290 request offering in, 392–394 dashboards service offering in, 392–394 creating, 312–317 Silverlight required, 365 operator console dashboards, 311–312 Self Signed column, 498 SLA dashboards, 317–323 Send Instant Message icon, 710 downloading Service Pack 1 media, 236–237 Send Mail activity, 327 identifying dependent servers, 283–286 Server Certificates option, 93 installing, 225–235, 238–253 Server Configuration node, 483, 498, 508, 540, 608 management pack server farm, 100 configuring, 291–304 Server Role selection page, 475 watcher nodes, 300–304 server-side session, 403 overview, 212–214 Service Descriptions reports, 305–310 downloading, 430 state views, 287–288 for Exchange Online, 430 SCOM Web Application Monitoring Wizard, 291 for Office 365 Professional Plus, 762 screen shots in book, 9 for SharePoint Online, 633–635 scripts Service Level Agreement. See SLA authoring pane in PowerShell ISE, 67 Service Level Objectives page, 320 SourceAD update 839

Service Manager Integration Pack, 344 managing external sharing, 664–669 Service Manager, System Center, 217–218 mobility, 669–670 service offering overview, 659–660 creating and publishing, 390–392 storage, 660 in Self-Service Portal, 392 SharePoint Online Management Shell, 694–696 service request template, 383–387 SharePoint Store Service Request Template form, 384 adding apps to sites, 655–657 services, activating via script, 819–820 managing app licenses, 657–659 service (SRV) records, 461 overview, 646–654 service throttling, 602 permissions, 655–657 Session Initiation Protocol. See SIP Sharing dialog box, 663 sessions, PowerShell, 405 Show error details link, 578 Set as common name option, 490 signal degradation, 27 Set-ExecutionPolicy cmdlet, 64, 401 Simple Mail Transfer Protocol (SMTP), 48, 436 Set-HybridMailFlow cmdlet, 563 Simple Network Management Protocol (SNMP), 212 Set it up now button, 802 single sign on. See SSO Set mailbox link, 600 single sign on (SSO) Set-MailboxRegionalConfiguration cmdlet, 419 defined, 71 Set-MsolAdfsContext cmdlet, 121 lifetime, 119 Set Service Communications option, 120 requirements for, 84–86 Set up and manage Active Directory synchronization scenarios page, 145 remote worker not logged on to corporate network, 84 Set up link for Active Directory synchronization, 149 remote worker on virtual private network SharePoint 2010, 359 connection, 83–84 SharePoint Foundation 2010, 359 SLA and, 224 SharePoint Foundation 2013 Server, 359 when to implement, 73 SharePoint Online in Windows Azure, 794–795 architecture, 633 SIP (Session Initiation Protocol) compliance with eDiscovery, 674–693 overview, 699–700 domain purpose, 81 URIs, 700 hybrid model, 637 site collections, limits on, 636 limits sites, SharePoint Online, 655–657 file upload size, 637 -SkipUserConversion parameter, 123, 124 site collection limits, 636 SkyDrive Pro storage limits, 635–636 external collaboration capabilities, 660–664 users, 636–637 managing external sharing, 664–669 managing mobility, 669–670 SharePoint Online 2010, 642–645 overview, 659–660 SharePoint Online 2013, 638–641 SLA (Service Level Agreement) Office Web Apps, 670–674 and Service Descriptions, 19 overview, 631–632 dashboards displaying, 317–323 and public-facing sites, 82 financial obligations, 441 search in hybrid environment for EOA, 449 one-way inbound topology, 697 leveraging with Windows Azure, 101 one-way outbound topology, 697 monitoring, 224, 293 two-way topology, 698 small VMs, 799 Service Description, 633–635 SMS (Systems Management Server) 1.0, 210 SharePoint Online Management Shell, 694–696 SMTP (Simple Mail Transfer Protocol), 48, 278, 436 SharePoint Store SNMP (Simple Network Management Protocol), 212 adding apps to sites, 655–657 Software as a Service (SaaS), 720 managing app licenses, 657–659 Software Development Kit (SDK), 328 overview, 646–654 SourceAD Delta Import Delta Sync operation, 193 permissions, 655–657 SourceAD Export Sync operation, 193 SkyDrive Pro SourceAD Management Agent, 187 external collaboration capabilities, 660–664 SourceAD update, 185 840 spam

spam directory synchronization, verifying with, 178–181 blacklists, 444 Synchronization Statistics pane, 188 FOPE protection, 218, 438, 443 SyncTimeInterval key value, 195 Specify a Service Account page, 109 System Center Specify IM and Call Logging in Outlook dialog box, 753 alert notifications speedtest.net, 31 creating alert recipients, 262–270 SPN (service principal name), 111 creating subscription, 270–281 SQL Reporting Services report, 309 resources for, 280–281 SQL Server App Controller, 219–221 Installation Center, 334 Configuration Manager, 210–212 installing, 354 Data Protection Manager, 214–215 Management Studio console, 379 Endpoint Protection, 218–219 Native Client, 156 importing Management Pack, 253–263 SQL Server Reporting Service (SSRS). See SSRS Operations Manager SRV (service) records, 461 downloading Service Pack 1 media, 236–237 SSL (Secure Sockets Layer), 27, 361, 700 installing, 225–235, 238–253 SSO (single sign on). See single sign on (SSO) overview, 212–214 hybrid Exchange environment, 465 Orchestrator, 216 SSRS (SQL Server Reporting Service) overview, 207–209 Configuration Manager reporting, 212 planning for monitoring Operations Manager reporting, 250 administering monitoring solution, 224–225 staged migration evaluating what to monitor, 222–224 creating .csv file, 574–575 monitoring targets, 225 with EAC, 579–584 Service Manager, 217–218 with ECP, 575–579 Virtual Machine Manager, 214–215 stand-alone AD FS server, 108 System Center 2012 Orchestrator stand-alone purchases, 5 Data Bus in, 370 Start Configuration Wizard now option, 156, 168 installing Start-OnlineCoexistenceSync cmdlet, 192, 607 completing installation, 335–344 star topology, 27 installing Microsoft SQL Server, 334–335 Start-Process cmdlet, 407 Integration Packs, 344–346 Start Test button, 719 prerequisites for, 331–333 StateAlertPerformance dashboard, 304 overiew of, 326–327 state views (SCOM), 287–288 runbooks storage applying concept, 327–329 SharePoint Online limits, 635–636 automation, 367 SkyDrive Pro, 660 creating for email accounts, 346–349 Stored Conversations folder, 433 System Center connector, completing integration, 370–373 Subgroups page, 286 System Center connector, enabling, 367–369 subject alternative names (SANs), 496, 537 using components of, 329–331 Subscriber Addresses page, 269 System Center 2012 Service Manager Subscriber Name text box, Notification Subscriber and SharePoint Foundation 2013 Server, 359 Wizard, 264 architecture of, 352 subscription assignment report, 815–818 components of, 352–353 subscription model, 10–11 configuring automation subscription name, determining, 813 completing Orchestrator integration, 370–371 subscriptions, creating, 270–281 request offering, creating, 387–390 Suffixes tab, UPN, 88 request offering, in Self-Service Portal, 392–394 suites, 6–8 runbook automation activity template, creating, 379–383 Summary Dashboard option, 313 runbooks, finalizing, 371–379 Summary page, 280 service offering, creating and publishing, 390–392 -SupportMultipleDomain parameter, 114, 115 service offering, in Self-Service Portal, 392–394 swapping licenses, 818–819 service request template, creating, 383–387 Synchronization Service Manager hardware requirements, 353 directory synchronization, forcing unscheduled installing, 353–358 with, 183–192 User Prompts page 841

Orchestrator connector, enabling, 367–369 Office 365 Professional Plus overview of, 351–352 Activation Error, 778 runbook automation, 367 Microsoft Office Subscription Error, 777 Self-Service Portal, installing, 358–365 No Subscription Found, 777 service catalog overview, 365–366 Office Subscription Removed, 777 service request automation, 366–367 tools for, 18–19 software requirements, 353 Trust Center, 12–13 System Center connector, completing integration, 370–371 Trust Relationships node, 117 Systems Management Server (SMS) 1.0, 210 trusts one-way forest trusts, 785 T overview, 783–785 Tailspin Toys, 678 two-way forest trusts, 785 TargetAddress property, 573 TTL (Time To Live), 601 Target Delivery Domain box, 553, 604 two-way forest trusts, 785 targets, monitoring, 225 TXT record, 526 TargetWebService, 189, 190 TXT records TargetWebService Delta Confirming Import Sync confirming domain ownership, 77 operation, 193 entering, 77–79 TargetWebService Export Sync operation, 193 Team Foundation Services (TFS) Online, 4 U TechNet, 430 UAC (User Account Control), 397 technical contact, 196 UM (Unified Messaging), 431 tenant, 8 Unified Communications certificate, 494, 495, 537 tenant name, 8 Unified Messaging (UM), 431 tenants Uninterruptable Power Supplies (UPS), 213 for testing, 414 unlimited storage, 449 terminology Update Activity activity, 349 hybrid, 9 Update-Help cmdlet, 416 Lync Online Update-HybridConfiguration cmdlet, 539 peer-to-peer voice vs. Enterprise Voice, 700 Update-SCSMConnector cmdlet, 369 SIP, 700 Update Sequence Number (USN), 183 tenant, 8 UPN Suffixes tab, 88 tenant name, 8 UPN (User Principal Name) vanity domain name, 9 common problems, 86 waves, 9 format, 137, 171 testing, 60–65 remediating suffix, 86–91 test tenant, 414 UPS (Uninterruptable Power Supplies), 213 TFS (Team Foundation Services) Online, 4 uptime ThirdParty certificate type, 507 for EOA, 449 throttling limits, 19 guaranteed by FOPE, 442 ticketing systems, 214 Use AutoDiscover check box, 680 Tier 1 networks, 28 Use Microsoft Update option, 363 time-based hold, 624 Use mutual TLS to help secure Internet mail check box, 489 Time To Live (TTL), 601 Use Office On Demand option, 773 time zones, changing, 418–419 User Account Control (UAC), 397 TLDs (top-level domains), 114, 115 user accounts TLS (Transport Layer Security), 27, 437, 700 adding users and assigning licenses, 80 top-level domains (TLDs), 114, 115 cloud identities, 72 tracing email messages, 448 federated identities, 72–73 Transport Layer Security (TLS), 27, 437, 700 User Administration portal page, 549 troubleshooting user list, generating via script, 815 Exchange hybrid model User management, 786 Autodiscover service, 534–537 UserName attribute, 585 resetting Autodiscover virtual directory, 539–542 User Principal Name (UPN). See UPN virtual directory security settings, 537–539 User Prompts page, 388 842 users

users Windows Authentication, 231 purging deleted, 820 Windows Azure sending bulk email to, 820–821 App Controller and, 219, 220 throttling, 602 identity and SSO for Office 365, 794–795 Users & Groups page, 569, 576 identity management components all deployed in, 796 USN (Update Sequence Number), 183 identity management components duplicated in, 797–798 on-premises dependencies supported in, 793–794 V VM sizing, 798–799 vanity domain name, 9 Windows Azure Active Directory Module for Windows verbose console pane, 67 PowerShell Verification required dialog box, 804 converting domain from identity federation to, 123–124 Verify Prerequisites Again option, 242 downloading, 113 View Installed Updates link, 127 installing, 401 virtual directory security settings Windows Azure Active Directory Sync troubleshooting Exchange hybrid model configuring, 170–176 deployment, 537–539 installing with dedicated computer running SQL virtualization Server, 151–163 deploying Office 365 Professional Plus, 776–777 installing with Windows Internal Database, 164–168 VM sizing in Windows Azure, 798–799 service for, 177 Virtual Machine Manager, System Center. See VMM, System Windows Computer state view, 288 Center Windows Internal Database (WID) virtual private network (VPN), 83 directory synchronization, installing, 164–168 Virtual Server hosts, 328 planning architecture, 99 virus protection, 218, 442 system requirements, 148 VMM (Virtual Machine Manager), System Center, 214–215 Windows InTune, 212 VMs (virtual machines), 244 Windows PowerShell. See PowerShell VMware, 214 Windows PowerShell Integrated Scripting Environment voice quality, Lync Online, 46 (ISE) 3.0. See PowerShell ISE (Integrated Scripting VoIP (Voice over IP), 700 Environment) Voltage Security, 438 Windows Presentation Foundation (WPF), 408 Volume Shadow Service (VSS) API, 214 Windows Remote Management. See WinRM VPN (virtual private network), 83 Windows Server 2008 R2 VSS (Volume Shadow Service) API, 214 converting domain from standard authentication to identity federation, 113–114 W PowerShell ISE in, 409 watcher nodes, 300–304 WinRM versions, 397 waves, 9 Windows Server 2008 SP2, 114–115 Web Application Editor, 301 Windows Server 2012, 397 Web App Transaction Monitoring pane, 300, 301 Windows Server Update Services (WSUS),, 772 Web Management Tools node, 472 Windows WF (Workflow Foundation), 787 Web Server Role page, 232 WinRM (Windows Remote Management) Web Service port, 342 Basic authorization, 402 Welcome page, Configuration Wizard, 170 configuring settings, 401–402 Welcome page, Directory Sync Setup Wizard, 152, 164 determining version, 397–399 -whatif parameter, 91 listener service, 114 WID (Windows Internal Database). See Windows Internal upgrading, 399 Database verifying running status, 399–401 Wildcard certificate, 485 versions, 397 wildcard certificates, 95 WPF (Windows Presentation Foundation), 408 Windows 7 Write Web Page activity, 327 PowerShell ISE in, 407–408 WSUS (Windows Server Update Services), 772 remote workstations, 114–115 WinRM versions, 397 X Windows 8 XenServer, 215 PowerShell ISE in, 407, 409 WinRM versions, 397