Centralized Mail-Transport In Exchange Multi-Forest Environments

Outbound messages to the Internet are routed from the Exchange Online organization through your on-premises organization. With the exception of messages sent to other recipients in the same Exchange Online organization, all messages sent by recipients in the Exchange Online organization pass through the on-premises organization. This lets you apply compliance rules and any other processes or requirements, such as digitally signing e-mail at your SMTP gateway, that must be applied to all of your recipients, regardless of whether they are located in the Exchange Online organization or the on-premises organization.

Read more at the ENow Software Blog.

Delegated Administration with Azure Active Directory Administrative Units

Office 365 comes with a set of admin roles that can be assigned to users within your organization. Each admin role maps to common business functions and gives your users permissions to do specific tasks in the Office 365 admin center and Windows PowerShell.
For large organizations or universities with multiple brands or decentralized administration within a single Office 365 tenant, the default admin roles can cause headaches. While the delegation of permissions in Exchange Online works very well with Role Based Access Control (RBAC), other applications and services are hard to manage at a granular level, for example license management or helpdesk for different countries, brands, and organizations. In these organizations, only a subset of administrative users is allowed to edit properties based on their region or brand.

Read more at the ENow Software Blog.

Exchange Hybrid MRS vs. MigrationService Migrations

I would like to share some Exchange 2010 hybrid migration facts with you that we figured out.

First, again many thanks to Michael Van Horenbeeck! He helped me discuss this with a customer. I’m always very happy to work with him. And many thanks to Ben Winzenz and Jeff Kizner as well, I’m very grateful for your help.

In short: a customer is trying to keep about 65k mailboxes in sync to ensure a short cutover time. We are using a maximum of 1,500 mailboxes per batch, 5 batches per week, and switching 7,500 mailboxes with an overall data volume of about 5TB per week. For some technical details: we are using Azure ER (800 Mbit) for migration with 4 TMG servers as a proxy and some kind of F5 load balancing in between, PAW is activated, and two migration endpoints, each with 100 syncs/completions in parallel. We measured the network and collected move request statistics, and we had an average migration velocity of 18.6GB/h for batches starting the first incremental sync (0% to 95%), which is great. Of course, the migration velocity depends on the number of batches, mailboxes, mailbox items, network workload, etc.

Continue reading “Exchange Hybrid MRS vs. MigrationService Migrations”

Delegated Administration in Exchange Online

My colleagues and I are working on a (pilot) multi-forest Exchange hybrid environment with a single Office 365 tenant. In this early stage of the project we will have two companies, each with their own on-premises environment. One of the requirements is a delegated administration concept for Exchange Online, which means administrators and helpdesk workers should only manage and configure settings for their specific domains. This blog post will show you how to handle this with Role Based Access Control (RBAC).

Read more at the atwork blog.

Troubleshooting Active Directory Federation Services

Enabling single sign-on for your users need not be a big deal. There are multiple hybrid identity authentication scenarios available to provide single sign-on capabilities to your users:

  • Active Directory Federation Services (AD FS): single sign-on, based on one identity in your on-premises Active Directory, and the ability to publish on-premises and cloud web applications. This is the most complex scenario and is often used by organizations with 250+ seats. They use it not only for single sign-on to Office 365 applications, but also for other intranet and Internet applications to achieve an SSO user experience.
  • Password Hash Sync (PHS): same sign-on, which means you must authenticate again with your on-premises credentials when accessing Office 365 services.
  • Pass-through authentication (PTA): single sign-on, allows your users to sign in to Azure Active Directory directly by validating the users’ passwords against your on-premises Active Directory.
  • Seamless single sign-on: single sign-on, automatically signs your users in when they are on their corporate devices connected to your corporate network. Can be combined with either PHS or PTA.

When should I use AD FS instead of other hybrid authentication methods?

Read more at the atwork blog.

Microsoft Ignite 2017: BRK3155 – Thrive in as an enterprise organization in Microsoft Exchange Online

Large enterprise customers often have unique and specialized requirements for adopting Exchange Online. This session showcases the lifecycle of an enterprise customer leveraging features designed just for them. Demos and several new features will be covered, such as Mailbox Plans, Client Access Rules, on-send event APIs, and a first look at technology for mergers and divestitures.

The full recorded session can be found here: https://www.youtube.com/watch?v=pN6lsxKRrJQ&t=1503s

This blog post covers a summary of the session. Continue reading “Microsoft Ignite 2017: BRK3155 – Thrive in as an enterprise organization in Microsoft Exchange Online”

Microsoft Ignite 2017: BRK3154 – The epic Exchange preferred architecture debate

What is the best, DAS or SAN? Are SSDs on the way in or are slow spindles here to stay? Should you give up and migrate to the cloud? What about virtualization? This session covers the various Exchange architectures that can be deployed on-premises and hybrid.

Announcements:

  • Exchange 2016 now supports up to 192GB of memory
  • Item Recovery Enhancements

Sample questions:

  1. Should I follow the PA? Yes. If it is possible, follow the PA. This is the tested, best-practice solution from Microsoft that runs in Exchange Online. It simplifies the operational process in case of outages, failures, etc.
  2. Should I deploy SSD? No. Jeff Guillet gave a good example for this: using SSDs for Exchange is like driving a Ferrari on a gravel road.
  3. Should I virtualize Exchange? Yes and no. Of course you can virtualize Exchange. Be sure that you use the calculator for virtualization 1:1 as you would for physical servers. Physical servers are easier to manage and deploy, because virtualization adds additional work.
  4. What should I do if I plan to have a hybrid deployment with O365? Follow the same approach as you would for an on-premises environment. If all your mailboxes are migrated to Exchange Online, use a single Exchange server for recipient management purposes only.
  5. What size mailbox should I deploy? Are 1GB mailboxes valid anymore? You already get 25GB mailboxes for free today, and simple JBOD storage is a very low cost factor.
  6. Third-party archiving solutions or keep it in Exchange? The Microsoft perspective is that archive mailboxes should be retained in Exchange. With big mailboxes and the Outlook OST slider, there is no reason to use archive mailboxes anymore. If you have strict compliance regulations for archiving, you can use Exchange, Exchange Online, or of course third-party archiving solutions.

Microsoft Ignite 2017: BRK4029 – Inside Exchange Online

Matt Gossage and Ananth Sundararaj show how Exchange Online works. The engineering leaders who design and build the infrastructure reveal the secrets of deep neural networks, machine learning, substrate, shards, and much more. They also share how these mystical creatures actually impact IT pros and users of Exchange and Outlook.

Continue reading “Microsoft Ignite 2017: BRK4029 – Inside Exchange Online”