Wednesday, May 13, 2015

Setting up a multi-forest hybrid Exchange deployment

It's time to get our hands dirty with Office 365, Exchange and Azure Active Directory Sync Services to implement multi-forest directory sync, login and hybrid Exchange. We'll explore why a multi-forest hybrid Exchange deployment might be right for you, what other options are available, and explain how to work through the process.
In a multi-forest hybrid Exchange deployment, an organization has a single Office 365 tenant but multiple Active Directory environments, each with its own Exchange installation. The hybrid part comes in when Exchange 2013 is installed into each forest, either as an upgrade or as a "bridge" to the cloud, and the Hybrid Configuration Wizard is run multiple times, once per forest.
Many organizations have multiple Active Directory (AD) forests, each with a standalone Exchange implementation. The reasons vary, but this is often the result of mergers, acquisitions, or separate operating divisions or departments with their own IT staff. While it would have been wiser to consolidate new divisions as they arrived, or never to build multiple AD forests in the first place, not every company does so, for a variety of reasons.
Moving to Office 365 can remove one major challenge involved in a full AD consolidation -- building a central Exchange infrastructure to host all mailboxes and deciding which AD to use. You can use a multi-forest hybrid Exchange deployment to move mailboxes directly to the cloud and separate the AD consolidation.

Multi-forest hybrid setups aren't without limitations. They suit organizations running a version of Exchange that Exchange 2013 can coexist with, because an Exchange 2013 hybrid server must be installed into each forest. Organizations with large Exchange 2003 estates, for example, are not good candidates, because Exchange 2013 cannot coexist with Exchange 2003.

Real-world hybrid Exchange deployments

To explain this further, I will use an example scenario. Goodman Industries is a multi-national corporation that has a corporate division with a domain and AD forest named GoodmanIndustries.com, and a U.K. division with a domain and AD forest named GoodmanIndustries.co.uk. Goodman Industries recently bought a design company with a domain and AD forest named LisaJaneDesigns.co.uk.
Each forest runs either Exchange 2010 or Exchange 2013, and all environments are connected to a single Multiprotocol Label Switching wide-area network with Domain Name System resolution and AD trusts between domains configured. Although not a prerequisite, Goodman Industries already uses a sync product to provide a single Global Address List (Figure 1).
Figure 1. Goodman Industries' existing multi-forest infrastructure.
Goodman Industries doesn't want to run three separate Exchange environments, so the company purchased Office 365 licenses. Although it will keep the existing AD forests for administrative purposes, email will migrate to Exchange Online. For the best possible user experience, the company will implement a multi-forest hybrid Exchange deployment.
To implement this, IT teams must have the following additional servers:
  • An Azure AD Sync Server with access to all three Active Directory domains and access to Office 365. We'll install this in GMI, the "Corporate" forest.
  • An Exchange 2013 SP1 or later hybrid server (Cumulative Update 7 at the time of this writing) installed into the Exchange 2010 organization, GMIUK.
In addition to these servers, we'll need to perform the following tasks common to all hybrid Exchange implementations.
  • Use Microsoft's IDFix tool in each domain to ensure AD objects are in a suitable state for Azure AD.
  • Ensure all SMTP domains are registered as Custom Domains in Office 365.
  • Because users will sign in to Office 365 with their User Principal Name, ensure each user's UPN suffix is a routable domain registered and verified as a Custom Domain in Office 365 (not a .local or otherwise unverified suffix), and ideally that the UPN matches the user's Primary SMTP address.
  • Ensure the existing Exchange 2013 servers are patched to at least SP1 or higher.
  • Ensure the existing Exchange 2010 server is patched to at least SP3, ideally with the latest Update Rollups.
  • Install SSL/TLS certificates issued by a public certificate authority that cover the HTTPS namespaces, Autodiscover namespaces and SMTP host names on each hybrid server; Office 365 will not trust self-signed or internal-CA certificates for Exchange Web Services or secure mail flow.
  • Publish the Autodiscover and Exchange Web Services paths to the Internet. Ensure Office 365 can access those paths without pre-authentication, and that Remote Connectivity Analyzer tests complete successfully.
  • Publish SMTP for each Exchange organization so Office 365 can directly access the proposed hybrid servers.
  • Ensure the hybrid servers can reach Office 365 over HTTPS and SMTP (with TLS), and that the Azure AD Sync server can reach Office 365 over HTTPS.
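As an added example (not part of the original article), the following PowerShell pre-flight check covers the UPN, primary SMTP address and certificate prerequisites above. It is meant to be run in the Exchange Management Shell in each forest. It assumes the MSOnline module is installed and Connect-MsolService has already been run so that Get-MsolDomain can list the tenant's verified domains; the names in $requiredNames are assumed for the Goodman Industries corporate forest and should be replaced with your own.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell
# in each forest. Assumes the MSOnline module is loaded and Connect-MsolService has
# been run; otherwise fill $verifiedDomains by hand from the Office 365 admin portal.

# Domains that Office 365 will accept as UPN suffixes and SMTP domains.
$verifiedDomains = Get-MsolDomain |
    Where-Object { $_.Status -eq 'Verified' } |
    ForEach-Object { $_.Name.ToLower() }

# --- UPN / primary SMTP check -------------------------------------------------
# An unverified UPN suffix (e.g. corp.local) is rewritten to <tenant>.onmicrosoft.com
# when the object is synced, so the user cannot sign in with the name they expect.
$upnReport = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    $upn        = "$($mbx.UserPrincipalName)".ToLower()
    $smtp       = "$($mbx.PrimarySmtpAddress)".ToLower()
    $upnSuffix  = ($upn  -split '@')[-1]
    $smtpDomain = ($smtp -split '@')[-1]

    [pscustomobject]@{
        Mailbox            = $mbx.Alias
        UserPrincipalName  = $upn
        PrimarySmtpAddress = $smtp
        UpnSuffixVerified  = ($verifiedDomains -contains $upnSuffix)
        SmtpDomainVerified = ($verifiedDomains -contains $smtpDomain)
        UpnMatchesSmtp     = ($upn -eq $smtp)
    }
}

'Mailboxes needing remediation before directory sync:'
$upnReport |
    Where-Object { -not ($_.UpnSuffixVerified -and $_.SmtpDomainVerified -and $_.UpnMatchesSmtp) } |
    Format-Table -AutoSize

# --- Certificate check ---------------------------------------------------------
# The certificate bound to IIS (HTTPS, EWS, Autodiscover) and SMTP must come from a
# public CA and cover every name Office 365 will connect to. The names below are
# assumed for the corporate forest; replace them with your own namespaces.
$requiredNames = @(
    'mail.goodmanindustries.com',
    'autodiscover.goodmanindustries.com'
)

$certReport = foreach ($cert in (Get-ExchangeCertificate |
        Where-Object { $_.Services -match 'IIS|SMTP' })) {
    $names = $cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
    # A wildcard such as *.goodmanindustries.com is reported as missing here, so
    # review the list by hand if you rely on wildcard certificates.
    $missing = $requiredNames | Where-Object { $names -notcontains $_ }

    [pscustomobject]@{
        Thumbprint   = $cert.Thumbprint
        Issuer       = $cert.Issuer
        SelfSigned   = $cert.IsSelfSigned
        Expires      = $cert.NotAfter
        Services     = $cert.Services
        MissingNames = ($missing -join ', ')
    }
}

'Certificates bound to IIS/SMTP (self-signed or missing names must be fixed):'
$certReport | Format-Table -AutoSize

# Keep both reports for the change record.
$upnReport  | Export-Csv -Path ".\upn-report-$env:USERDNSDOMAIN.csv"  -NoTypeInformation
$certReport | Export-Csv -Path ".\cert-report-$env:USERDNSDOMAIN.csv" -NoTypeInformation
```

Run it once per forest and remediate every row in the first table before enabling directory sync; IDFix will catch malformed attributes, but it will not tell you that a UPN suffix is simply not one of your verified domains. The certificate table is a local-server view, so run it on each proposed hybrid server rather than once per organization.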
When we've finished our implementation, our multi-forest hybrid implementation will include the additional two servers (Figure 2).
Figure 2. The proposed Goodman Industries multi-forest hybrid Exchange implementation.
So, we've gone through what a multi-forest hybrid Exchange deployment is and when it should be used. We also detailed our example organization and the high-level design and requirements for multi-forest hybrid setups. What's next?
Our next step will be adding multiple custom domains to Office 365 and implementing the Azure Active Directory Sync Services server. Rather than walk through the tasks common to any Exchange 2013 hybrid implementation, such as object remediation, the next part of the series will concentrate on the components specific to a multi-forest setup.

About the author:
Steve Goodman is an Exchange MVP and works as a technical architect for one of the U.K.'s leading Microsoft Gold partners. Goodman has worked extensively with Microsoft Exchange since version 5.5 and with Office 365 since its origins in Exchange Labs and Live@EDU.

Next Steps

This is part one of a series about implementing a multi-forest hybrid Exchange setup. In part two, we will begin the implementation of Azure AD Sync Service, which will help us prepare for the multi-forest hybrid configuration.
This was first published in January 2015

Microsoft rolls out new MDM for Office 365

Mobile device management is an increasingly important issue within this bring your own device world. On-premises Exchange includes some basic mobile device management features through Exchange ActiveSync policies, but it was never a full-blown mobile device management option. As mobile devices have become more sophisticated, enterprises require more robust mobile device management options.

Microsoft has Intune as its add-on mobile device management offering, but it has promised additional mobile device management features in Office 365 for quite some time now -- and the wait is nearly over. Microsoft will soon deliver mobile device management (MDM) capabilities with management policies covering Office 365 data across iOS, Android and Windows Phone devices. This option will come at no additional cost to customers with business, enterprise, education or government commercial plans, the company said.
The features offered are actually a subset of what Intune provides. Admins who want a side-by-side comparison of MDM for Office 365 and Intune can use this TechNet guide to start.
Conditional access. These policies, built on Azure AD and the Intune service, let admins control which devices can connect to Office 365 data, blocking devices that are not enrolled or that fail the policy. The policies apply to the Office apps on the device, which could make for a unique MDM experience because Microsoft currently doesn't allow third parties to access or control its apps.

Device management. Exchange admins can establish security policy features such as PIN lock and jailbreak detection, along with improved reporting so admins can gain what Microsoft describes as "critical insights about devices accessing your corporate data."
Selective wipe. The term means different things in different MDM products, but in the case of MDM for Office 365 the wipe really is selective. If a device is lost or stolen, admins can choose to remove only the corporate data that came from Office 365. This is an improvement over the Exchange ActiveSync remote wipe, which wipes the entire device, personal data included. Because it removes only Office 365 data, admins who need to control other corporate data on the device will require features beyond this; look to Intune or third-party options to add that layer of MDM.
Customers who selected First Release for their Office 365 portals should soon see features roll out. To enable First Release, admins can go to their Office 365 Admin Center, expand the Service Settings and then select Updates. Turn the slider to "On" (Figure 1).
Figure 1. Turn on new Office 365 features.
Once the option is active in the portal, admins will see a setting called Mobile Devices within the Office 365 Admin Center. Admins can get started from there (Figure 2). To learn more about creating device policies, to enroll end users' devices or to manage devices, admins can visit the step-by-step instructions that TechNet provides.
Figure 2. Set up MDM in the Office 365 portal.
MDM for Office 365 is a bit of a balancing act. It's not the straw house we have with Exchange ActiveSync, and it isn't the brick house we have with Intune or a third-party option. It's the middle-of-the-road structure that may be perfect for small to medium-sized organizations that need more bring-your-own-device help on a budget. Admins will have to test it to see whether it adequately meets the needs of their particular environment. If it doesn't, consider Intune or a third-party option to bolt on to Office 365 and layer MDM.

About the author:
J. Peter Bruzzese is a Microsoft Office 365 MVP (a five-time awardee) with previous technical expertise in Exchange, a Triple-MCSE, an MCT and an MCITP: Enterprise Messaging. He is the co-founder of an end-user training solution called ClipTraining.com and is a strategic technical consultant for Mimecast. He is an internationally published author with more than a dozen titles to his name. He is a technical speaker for a number of conferences, including Techmentor, IT/Dev Connections and Microsoft TechEd. He writes for online and in-print tech publications and has written InfoWorld's Enterprise Windows column for more than five years. More recently, he focused his attention on new users in the Exchange/Office 365 community and wrote a short book (in 10 days) titled Conversational Exchange to help them learn Exchange's conceptual side. In his spare time -- well, let's face it, folks, with all that, JPB has no spare time.

Friday, May 8, 2015

Exchange 2016!

Since it's that time of year (Microsoft Ignite), I just wanted to mention that Exchange 2016 is right around the corner: pre-release sometime this summer and RTM later this year!

http://searchexchange.techtarget.com/news/4500245789/Admins-get-a-glimpse-of-Exchange-Server-2016?track=NL-1810&ad=900647&src=900647#.VVN4QU5Wprg.email

Exchange Shared Mailboxes: Sent items appear only within the sending user's mailbox, not within the Shared Mailbox Sent Items.

The next round of Exchange 2013 Cumulative Updates (CU9) will include a feature (turned off by default) that saves a copy of messages sent as, or on behalf of, a shared mailbox in both the sending user's Sent Items and the shared mailbox's Sent Items. Once the update is applied, run the following commands against the shared mailbox (not the sending user):


Set-Mailbox -Identity "Shared Mailbox Name" -MessageCopyForSentAsEnabled $true
Set-Mailbox -Identity "Shared Mailbox Name" -MessageCopyForSendOnBehalfEnabled $true
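As an added example (not from the original post), the following script applies both settings to every shared mailbox in the organization rather than one at a time, refuses to run if the cumulative update that introduced the parameters is not yet installed, and verifies the result. It is meant to be run from the Exchange 2013 Management Shell.

```powershell
# Added example, not from the original post. Enables both copy-on-send settings for
# every shared mailbox and confirms the result. Run from the Exchange 2013 Management
# Shell once CU9 (or later) is installed on every server.

# The parameters only exist once the CU that introduced them is installed; stop
# early with a clear message rather than letting Set-Mailbox fail per mailbox.
$setMailboxParams = (Get-Command Set-Mailbox).Parameters.Keys
if ($setMailboxParams -notcontains 'MessageCopyForSentAsEnabled') {
    throw 'MessageCopyForSentAsEnabled is not available; apply Exchange 2013 CU9 or later first.'
}

$shared = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited

foreach ($mbx in $shared) {
    # Add -WhatIf to the line below to preview the change in production first.
    Set-Mailbox -Identity $mbx.Identity `
        -MessageCopyForSentAsEnabled $true `
        -MessageCopyForSendOnBehalfEnabled $true
}

# Verify: both flags should now read True for every shared mailbox.
Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
    Select-Object Name, MessageCopyForSentAsEnabled, MessageCopyForSendOnBehalfEnabled |
    Format-Table -AutoSize
```

The settings live on the shared mailbox, so delegates need no changes; a user who already has Send As or Send on Behalf rights will start seeing copies in the shared mailbox's Sent Items for messages sent after the change.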

Public Folder Migrations Exchange 2010 to 2013: Relinquishing job because the mailbox is locked.

Recently I was troubleshooting an issue where I could not get Public Folder migrations to perform the final sync before cutting over to Exchange 2013 hosted Public Folders. I searched for a solution, but all I could find were a few technicians who had had a similar problem, and for them restarting the Exchange Replication Service on the 2010 server resolved the issue.

After restarting this service, the problem was still present. Following some additional troubleshooting, it was determined that Exchange 2010 still had a lock on the folders after the service restart and would not allow the final sync. The end resolution was to restart the Exchange 2010 Information Store and then the Exchange Replication Service. The Public Folder migration job then restarted and completed the sync. Hope this helps anyone else who may get stuck on this issue as well.
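As an added example (not from the original post), here is the same recovery expressed as PowerShell: inspect the stalled migration request first, then apply the fix described above (restart the Exchange 2010 Information Store, then the Replication Service) and let the request resume. It is meant to be run from the Exchange 2013 Management Shell; $legacyServer is an assumed name for the Exchange 2010 public folder server, and the restart step assumes PowerShell remoting is enabled on that server.

```powershell
# Added example, not from the original post. $legacyServer is an assumed name for the
# Exchange 2010 server that holds the legacy public folder database.
$legacyServer = 'EX2010-PF01'

# 1. Find out why the request is stuck. The report shows the relinquish message
#    ("Relinquishing job because the mailbox is locked") and how far it got.
Get-PublicFolderMigrationRequest |
    Get-PublicFolderMigrationRequestStatistics -IncludeReport |
    Select-Object Status, StatusDetail, PercentComplete, Message |
    Format-List

# 2. Restart the Information Store, then the Replication Service, on the 2010 server.
#    Restarting the Information Store dismounts every database on that server and
#    drops all client connections (and triggers DAG failovers if it hosts active
#    copies), so do this in a maintenance window, not during business hours.
Invoke-Command -ComputerName $legacyServer -ScriptBlock {
    Restart-Service -Name MSExchangeIS   -Force
    Restart-Service -Name MSExchangeRepl -Force
}

# 3. The job normally picks itself up after the lock is released; only resume it
#    explicitly if it has been left Suspended or Failed.
Get-PublicFolderMigrationRequest |
    Where-Object { $_.Status -in 'Suspended', 'Failed' } |
    Resume-PublicFolderMigrationRequest

# 4. Watch progress until the request reaches AutoSuspended (ready for the final
#    cutover with -PreventCompletion:$false) or Completed.
Get-PublicFolderMigrationRequest |
    Get-PublicFolderMigrationRequestStatistics |
    Select-Object Status, StatusDetail, PercentComplete, ItemsTransferred
```

Step 1 is worth keeping even when you already suspect the lock, because the same "relinquishing" symptom can also come from the request being paused by an administrator or by a bad item limit, and those need different fixes than a service restart.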

Friday, February 21, 2014

Office 365 Message Encryption

Office 365 Message Encryption is the new version of Exchange Hosted Encryption (EHE). This version includes all of the capabilities of EHE plus new features, such as the ability to apply your company’s branding to encrypted messages. Like EHE, Office 365 Message Encryption works with Office 365 mailboxes as well as with on-premises mailboxes that use Exchange Online Protection.
Here’s the added good news: Office 365 E3 and E4 users will get Office 365 Message Encryption at no extra cost. We’re including it in Windows Azure Rights Management, which is already part of E3 and E4 plans.  We’re also including it in the standalone version of Windows Azure Rights Management, without raising the price of that service. For $2 per user per month you can get a complete solution for internal and external information protection: traditional Rights Management capabilities like Do Not Forward for internal users, plus the new ability to encrypt outbound messages to any recipient.

Friday, March 15, 2013

Microsoft Script Explorer

Do you ever need a little help with PowerShell? Check out the free Microsoft Script Explorer download at http://www.microsoft.com/en-us/download/details.aspx?id=29101. With Microsoft Script Explorer you will find community-submitted scripts for just about all Microsoft technologies. Check it out!