
Deploying Office 365 in Production: Part 1
October 2013
Session Overview
This session details the options and considerations when expanding a pilot Office 365 environment into a production deployment. Unlike on-premises implementations, IT professionals can scale out their Office 365 tenants with ease. However, with added scale it is important to start automating user provisioning, add a production domain, and set up the desired workloads.
Agenda
- Step 2 Deployment Overview
- What is DirSync? Purpose: what does it do?
- Understanding Synchronization
- Understanding Coexistence
- Understanding Migrations: self service, admin led
- Migration Options: PST migrations, IMAP migrations, Staged Exchange migrations

Step 2: Deployment Overview
First use in hours, onboarding in days
Exchange, SharePoint, Lync, Office 365 ProPlus, WA Active Directory

1 Pilot: full Office 365 service. Pilot in hours. Persist to deployment. User led migration.
- What: Office 365 service (Exchange, SharePoint, Lync, Office Web Apps, Office 365 ProPlus, Mobile)
- How: service domain, cloud identity, web client, Office client, self service
- Outcome: pilot complete

2 Deploy: core onboarding. Deploy in days. Companywide cloud use. IT led migration.
- What: all Pilot features + shared namespace, simple coexistence, sites
- How: Pilot + IT led migration*, customer domain, directory sync, password sync, admin migrations, OnRamp
- Outcome: deploy complete

3 Enhance: optional integration. Extend in weeks. Meet business needs. Customized to landscape.
- What: Deploy + external federation, hybrid delegation, and more
- How: Deploy + *: configure advanced features, SharePoint Hybrid, Federated Identity, Lync Hybrid, Exchange Hybrid, 3rd party migration tools, corporate app store
- Outcome: adopt new features


Deploy Experience: what's added (set up in days)
- Sign-on: integrated identity management; sign-on with the same user name and password as on premises.
- Mail: adds on-premises integrated mail flow and migration; Global Address List integration; full mail content migration (mail, calendar, contacts); pilot user and info is sustained; mail migration that best fits the environment.
  | From EX 2010 mail servers | From EX 2007/03 mail servers | From others |
  | Managed mail moves (MRS); free/busy cross premises | Staged mail migration | User migration (PST import) or IMAP migration |
  | Use existing OST | New mail file download | New mail file |
- Sharing and working with others: Lync business partner federation; collaboration site governance and provisioning support; setup of the Apps for Office corporate app catalog; IT managed client productivity.
- Clients: Office 365 ProPlus deployed to the user desktop via an IT process.
- Mobile: managed mobile connectivity; send and receive mail from a mobile device as with on-premises email.
- Administration (control and monitor): data loss prevention configuration (limited); Exchange Online Protection mail protection configuration (limited).
Deploy: what's required
- Unique requirements per mail platform; a dedicated customer IT team; change management readiness.
- Identity: Directory Sync server(s); AD meets the service requirements for hygiene; same password on-premises and in the cloud via password sync.
- Network (what you need to connect): network access to the service from client end points; network bandwidth availability; access to maintain DNS entries for shared domains.
- Mail (required to set up and migrate): admin access.
  | From EX 2010 mail servers | From EX 2007/03 mail servers | From others |
  | Exchange 2010 SP3 servers; public certificates | Outlook Anywhere access | PST requirement |
- Clients (required to connect and deploy): web client minimum browser; Office 365 ProPlus clients running Windows 7 or later.
Deploy Identity Scenario
- 1 Pilot: cloud identity. Windows Azure Active Directory only. Single identity in the cloud.
- 2 Deploy: directory and password synchronization. Windows Azure Active Directory + DirSync and Password Sync + on-premises identity. Single identity without federation.
- 3 Enhance: federated identity. Windows Azure Active Directory + Federation + Directory Sync + on-premises identity. Single federated identity and credentials.
What is Windows Azure AD DirSync?
http://aka.ms/sync
- Application that synchronizes on-premises Active Directory with Office 365
- Designed as a software based appliance: set it and forget it
- x64 version based on FIM 2010
- Bundled with SQL Server 2012 Express Edition
Purpose (#1)
Enables coexistence
- Provisions objects in Office 365 with the same email addresses as the objects in the on-premises environment
- Provides a unified Global Address List (GAL) experience between on-premises and Office 365; objects hidden from the GAL on-premises are also hidden from the GAL in Office 365
Enables coexistence for Exchange
- Works in both simple and hybrid deployment scenarios
- Enabler for mail routing between on-premises and Office 365 with a shared domain namespace
Enables coexistence for Microsoft Lync

Purpose (#2)
Enables run-state administration and management of users, groups, and contacts
- Synchronizes adds/deletes/modifications of users, groups, and contacts from on-premises to Office 365
Enabler for Single Sign-On
- Mandatory component for ADFS / Federated Identities deployments
Not intended as a single-use bulk upload tool
Understanding Synchronization

Synchronization (#1)
Synchronize a single Active Directory forest to Office 365
- The entire Active Directory forest is scoped for synchronization (default)
- Filtering can be configured based on OU, AD domain, and user attribute
What is synchronized?
- All user objects
- All group objects
- Mail-enabled contact objects
Synchronization (#2)
- Password synchronization is now supported
- Most synchronization is from on-premises to Office 365
- In an Exchange Hybrid Deployment, DirSync is configured to write attributes back to the on-premises Active Directory
- Synchronization occurs every 3 hours
- Use the Start-OnlineCoexistenceSync cmdlet to force a sync outside of the regular synchronization schedule
Synchronization: users
User objects
- Mail-enabled/mailbox-enabled users are synchronized as mail-enabled users (not mailbox-enabled users)
  - Visible in the Office 365 GAL (unless explicitly hidden from the GAL)
  - Logon enabled, but not automatically licensed to use services
  - Target address is synchronized for mail-enabled users
- Regular AD users are synchronized as regular AD users
  - Not automatically provisioned as mail-enabled in Office 365
- Resource mailboxes are synchronized as resource mailboxes
- Synchronized users are not automatically assigned a license
Synchronization: groups and contacts
Group objects
- Mail-enabled groups are synchronized as mail-enabled
- Group memberships are synchronized
- Security groups are synchronized as security groups
- Dynamic Distribution Groups are NOT synchronized
Contact objects
- Only mail-enabled contacts are synchronized
- Target address is synchronized to Office 365
Synchronization: object creation/update
- New user, group, and contact objects that are added on-premises are added to Office 365
  - Licenses are not automatically assigned
- Existing user, group, or contact object attributes that are modified on-premises are modified in Office 365
  - Not all on-premises AD attributes are synchronized

Synchronization: object deletion
- Existing user, group, and contact objects that are deleted from on-premises are deleted from Office 365
- Existing user objects that are disabled on-premises are disabled in Office 365
  - License is not automatically unassigned
Synchronization: synchronization cycles
- The first synchronization cycle after installation is a full synchronization
  - May be a time consuming process relative to the number of objects synchronized: approximately 5,000 objects every 45 to 60 minutes
  - Plan ahead if synchronizing tens or hundreds of thousands of objects
- Subsequent synchronization cycles are deltas only, and much faster
Synchronization: ownership and scoping
- Once implemented, on-premises AD becomes the source of authority for synchronized objects
  - Modifications to synchronized objects must occur in the on-premises AD
  - Synchronized objects cannot be modified or deleted via the portal unless DirSync is disabled for the tenant
- Ability to DirSync only a subset of your users to Windows Azure AD
  - Options for filtering: OU, domain-based, user attribute
  - Step-by-step instructions available on TechNet
Synchronization: object matching
- The on-premises objectGuid AD attribute is assigned as the value of the immutableID attribute during the initial synchronization of an object
  - Referred to as a hard match
  - DirSync knows which Office 365 objects it is the source of authority for by examining the sourceAnchor attribute
- DirSync can also match user objects created via the portal with on-premises objects if there is a match using the primary SMTP address
  - Referred to as a soft match
Synchronization: proxyAddresses
- On-premises proxyAddresses attribute values are synchronized
  - Requires a matching verified domain
  - Updates/modifications to the on-premises proxyAddresses attribute are synchronized even after license assignment
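The matching rules above (hard match on immutableID/sourceAnchor, soft match on the primary SMTP address), together with the user-object rules (mailbox-enabled on-premises becomes mail-enabled and unlicensed in the cloud) and the proxyAddresses rule (only verified domains), can be modelled in a few lines. The following is an added illustration written for this page, not DirSync's code and not from the deck: the sample users, the verified-domain set and the field names are constructed, the base64 encoding of objectGUID is standard background knowledge rather than something the deck states, and restricting soft matches to portal-created objects with no anchor is an assumption of the model.

```python
import base64
import uuid

# Constructed sample data (not from the deck): three on-premises AD users and the
# user objects that already exist in the Office 365 tenant before this sync cycle.
VERIFIED_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}


def immutable_id_from_guid(guid: uuid.UUID) -> str:
    """sourceAnchor/immutableID derived from objectGUID.

    The deck only says objectGUID becomes immutableID; base64 of the GUID's
    16-byte little-endian form is the encoding used (background knowledge,
    not taken from the deck)."""
    return base64.b64encode(guid.bytes_le).decode("ascii")


def primary_smtp(proxy_addresses):
    """Primary SMTP address = the proxyAddresses entry with an upper-case 'SMTP:' prefix."""
    for addr in proxy_addresses:
        if addr.startswith("SMTP:"):
            return addr[len("SMTP:"):].lower()
    return None


ONPREM_USERS = [
    {"objectGUID": uuid.UUID("8f6a4d2e-1b3c-4e5f-9a7b-0c1d2e3f4a5b"),
     "userPrincipalName": "john.doe@contoso.com", "mailbox_enabled": True,
     "hidden_from_gal": False,   # simplified name for the AD hide-from-address-lists flag
     "proxyAddresses": ["SMTP:John.Doe@contoso.com", "smtp:jdoe@legacy.example"]},
    {"objectGUID": uuid.UUID("c0ffee00-1111-4222-8333-444455556666"),
     "userPrincipalName": "jane.doe@contoso.com", "mailbox_enabled": True,
     "hidden_from_gal": True,
     "proxyAddresses": ["SMTP:Jane.Doe@contoso.com"]},
    {"objectGUID": uuid.UUID("0b0b0b0b-0000-4000-8000-000000000042"),
     "userPrincipalName": "bob.smith@contoso.com", "mailbox_enabled": False,
     "hidden_from_gal": False, "proxyAddresses": []},
]

CLOUD_USERS = [
    # Provisioned by an earlier sync cycle: immutableId already set.
    {"userPrincipalName": "john.doe@contoso.com",
     "immutableId": immutable_id_from_guid(ONPREM_USERS[0]["objectGUID"]),
     "proxyAddresses": ["SMTP:john.doe@contoso.com"]},
    # Created by hand in the portal during the pilot: no immutableId yet.
    {"userPrincipalName": "jane.doe@contoso.com", "immutableId": None,
     "proxyAddresses": ["SMTP:jane.doe@contoso.com"]},
]


def match_object(onprem_user, cloud_users):
    """Hard match on immutableID, else soft match on primary SMTP, else a new object."""
    anchor = immutable_id_from_guid(onprem_user["objectGUID"])
    for cloud in cloud_users:
        if cloud["immutableId"] == anchor:
            return "hard", cloud
    smtp = primary_smtp(onprem_user["proxyAddresses"])
    for cloud in cloud_users:
        # Assumption of this model: only portal-created objects (no anchor yet)
        # are candidates for a soft match.
        if cloud["immutableId"] is None and smtp and primary_smtp(cloud["proxyAddresses"]) == smtp:
            return "soft", cloud
    return "new", None


def project_to_cloud(onprem_user, verified_domains):
    """The cloud object the sync would write: mailbox-enabled becomes mail-enabled,
    proxyAddresses are kept only for verified domains, no license is assigned,
    and GAL hiding is carried over."""
    kept = [a for a in onprem_user["proxyAddresses"]
            if a.rsplit("@", 1)[-1].lower() in verified_domains]
    return {
        "userPrincipalName": onprem_user["userPrincipalName"],
        "immutableId": immutable_id_from_guid(onprem_user["objectGUID"]),
        "recipientType": "mail-enabled" if onprem_user["mailbox_enabled"] else "user",
        "proxyAddresses": kept,
        "hiddenFromGAL": onprem_user["hidden_from_gal"],
        "licensed": False,
    }


def plan_sync(onprem_users, cloud_users, verified_domains):
    """Group on-premises users (by UPN) according to how the sync would treat them."""
    plan = {"hard": [], "soft": [], "new": []}
    for user in onprem_users:
        kind, _ = match_object(user, cloud_users)
        plan[kind].append(project_to_cloud(user, verified_domains)["userPrincipalName"])
    return plan


if __name__ == "__main__":
    for kind, upns in plan_sync(ONPREM_USERS, CLOUD_USERS, VERIFIED_DOMAINS).items():
        print(f"{kind:4s} match: {upns}")
```

Running it shows John hard-matched through his anchor, Jane soft-matched to the portal-created account through her primary SMTP address, and Bob created new; John's legacy.example address is dropped from the projected object because that domain is not verified in the tenant.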
Synchronization: DirSync quotas
- By default, only the first 50,000 objects are synchronized
  - The sync quota is increased to 300,000 objects automatically once the first vanity domain is verified
  - The quota limit can be increased by contacting technical support
- If the quota is exceeded: the synchronization service will be stopped and an email is sent to the technical contact
- Deleted objects count against the quota for up to 30 days
Synchronization: miscellaneous
- The 10 GB SQL Server 2012 Express Edition database file size is estimated to max out at ~50,000 objects
  - 50,000+ total objects requires full SQL Server
- Authorization and synchronization occur via SSL
  - Outbound call from the DirSync server
Synchronization: error logs
- Synchronization errors are emailed to the Technical Contact for the subscription
  - Recommend using a distribution group as the Technical Contact email address
- Example errors include:
  - Synchronization health status: sent once a day if a synchronization cycle has not registered 24 hours after the last successful synchronization
  - Objects whose attributes contain invalid characters
  - Objects with duplicate/conflicting email addresses
  - Sync quota limit exceeded
Synchronization: object flow
[Diagram: on-premises Active Directory and Exchange on the left; Windows Azure Active Directory, the Authentication Platform, Exchange Online, SharePoint Online, Lync Online and the Directory Synchronization Provisioning Web Service on the right.]
Sync cycle stages:
- Stage 1: import users, groups, and contacts from on-premises
- Stage 2: import users, groups, and contacts from Office 365
- Stage 3: export users, groups, and contacts to Office 365
- Stage 4: export (write back) attributes to on-premises
Example user object:
- On-premises (Active Directory / Exchange): mailbox-enabled; ProxyAddresses: SMTP:John.Doe@contoso.com
- Office 365 (Windows Azure Active Directory / Exchange Online): logon-enabled user; mail-enabled (not mailbox-enabled); ProxyAddresses: SMTP:John.Doe@contoso.com, smtp:John.Doe@contoso.onmicrosoft.com, smtp:John.Doe@contoso.mail.onmicrosoft.com; TargetAddress: SMTP:John.Doe@contoso.com
Password Synchronization
- Introduced with DirSync in June 2013
- Benefits of using Password Sync as an alternative to federated authentication:
  - Single set of credentials to access both on-premises and online resources
  - Managed in the customer's Active Directory and synchronized with Office 365 (username + password)
  - Fully integrated in the DirSync appliance
  - No requirement for Active Directory Federation Services; keeps the deployment simple and eliminates the IT costs associated with AD FS

Password Sync: security
- Does not require nor access the plain text password
- No requirement for the AD reversible encrypted format
- The AD user password hash is hashed again using a non-reversible (one-way) function and the digest is synchronized into Azure AD
- The digest in Azure AD cannot be used to access resources in the customer's on-premises environment

Password Sync: key password policies
- One-way synchronization from on-premises to the cloud
- The Password Complexity Policy implemented in the on-premises AD is the master policy
- The Password Expiration Policy in Azure AD is set to Never Expire
- Password expiration and sync to Azure AD are driven by on-premises events
Understanding Coexistence

What is Coexistence?
- Some users are provisioned in Office 365 while the remaining users are provisioned in the on-premises environment
- Office 365 users see the same objects in the Global Address List as the on-premises users
- Email messages are routed seamlessly from Office 365 users to on-premises users, and vice versa

Simple Coexistence Deployment
- Uses Directory Synchronization for GAL synchronization
  - Enables mail routing between on-premises and Office 365 using a shared DNS namespace
  - Provides a unified GAL experience
- Can be used with cloud identities or federated identities
- Does not require an on-premises Hybrid server
Mail Routing: Pre-Coexistence
[Diagram: the MX record for contoso.com points to on-premises message filtering and Exchange. Active Directory user object: mailbox-enabled; ProxyAddresses: SMTP:John.Doe@contoso.com.]

Mail Routing: On-Premises To Office 365
[Diagram: the MX record for contoso.com points on-premises (message filtering, Exchange); the MX records for contoso.onmicrosoft.com and contoso.mail.onmicrosoft.com point to Exchange Online Protection. DirSync feeds the DirSync Web Service and the Online Directory.]
- On-premises user object (Jane): mail-enabled (not mailbox-enabled); ProxyAddresses: SMTP:Jane.Doe@contoso.com; TargetAddress: SMTP:Jane.Doe@contoso.mail.onmicrosoft.com
- Office 365 user object (Jane): logon-enabled user, mailbox-enabled; ProxyAddresses: SMTP:Jane.Doe@contoso.com, smtp:Jane.Doe@contoso.onmicrosoft.com, smtp:Jane.Doe@contoso.mail.onmicrosoft.com
Mail for Jane that arrives on-premises is relayed to her target address in the contoso.mail.onmicrosoft.com namespace, whose MX record delivers it to Office 365.

Mail Routing: Office 365 To On-Premises
[Diagram: same MX layout as above.]
- On-premises user object (John): mailbox-enabled; ProxyAddresses: SMTP:John.Doe@contoso.com
- Office 365 user object (John): logon-enabled user, mail-enabled (not mailbox-enabled); ProxyAddresses: SMTP:John.Doe@contoso.com, smtp:JohnDoe@contoso.onmicrosoft.com, smtp:JohnDoe@contoso.mail.onmicrosoft.com; TargetAddress: SMTP:John.Doe@contoso.com
Mail for John sent from Office 365 is routed to his target address in the shared contoso.com namespace, whose MX record points on-premises.
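The two coexistence diagrams above can be reduced to one rule: a mailbox-enabled recipient object means local delivery, a mail-enabled recipient object means relay to its target address, and the target address's domain MX record decides which side receives the message next. The model below is an added example for this page, not code from the deck or from Exchange: the MX table, both directories and the recipient objects are constructed to mirror the diagrams, and Exchange Online Protection is folded into the "Exchange Online" hop for simplicity.

```python
# Constructed model of the coexistence routing diagrams (not code from the deck).
# Each site consults its own directory; MX records say where a domain's mail lands.

MX = {
    "contoso.com": "on-premises Exchange",
    "contoso.onmicrosoft.com": "Exchange Online",        # fronted by Exchange Online Protection
    "contoso.mail.onmicrosoft.com": "Exchange Online",   # fronted by Exchange Online Protection
}

DIRECTORIES = {
    "on-premises Exchange": [
        {"name": "John Doe", "recipientType": "mailbox-enabled", "targetAddress": None,
         "proxyAddresses": ["SMTP:John.Doe@contoso.com"]},
        {"name": "Jane Doe", "recipientType": "mail-enabled",
         "targetAddress": "Jane.Doe@contoso.mail.onmicrosoft.com",
         "proxyAddresses": ["SMTP:Jane.Doe@contoso.com"]},
    ],
    "Exchange Online": [
        {"name": "John Doe", "recipientType": "mail-enabled",
         "targetAddress": "John.Doe@contoso.com",
         "proxyAddresses": ["SMTP:John.Doe@contoso.com",
                            "smtp:John.Doe@contoso.onmicrosoft.com",
                            "smtp:John.Doe@contoso.mail.onmicrosoft.com"]},
        {"name": "Jane Doe", "recipientType": "mailbox-enabled", "targetAddress": None,
         "proxyAddresses": ["SMTP:Jane.Doe@contoso.com",
                            "smtp:Jane.Doe@contoso.onmicrosoft.com",
                            "smtp:Jane.Doe@contoso.mail.onmicrosoft.com"]},
    ],
}


def lookup(directory, address):
    """Find the recipient object owning an address (any proxyAddresses entry, case-insensitive)."""
    wanted = address.lower()
    for obj in directory:
        if any(p.split(":", 1)[1].lower() == wanted for p in obj["proxyAddresses"]):
            return obj
    return None


def route(recipient, entry_site, max_hops=4):
    """Follow a message from the site where it enters until it is delivered.

    A mailbox-enabled object means local delivery; a mail-enabled object means
    relay to its targetAddress, whose domain's MX record selects the next site."""
    hops = [entry_site]
    address = recipient
    for _ in range(max_hops):
        obj = lookup(DIRECTORIES[hops[-1]], address)
        if obj is None:
            hops.append(f"NDR: {address} unknown at {hops[-1]}")
            return hops
        if obj["recipientType"] == "mailbox-enabled":
            hops.append(f"delivered to {obj['name']} at {hops[-1]}")
            return hops
        address = obj["targetAddress"]
        hops.append(MX[address.rsplit("@", 1)[1].lower()])
    hops.append("loop detected")
    return hops


def inbound_from_internet(recipient):
    """Internet senders only see the MX record of the recipient's domain."""
    return route(recipient, MX[recipient.rsplit("@", 1)[1].lower()])


if __name__ == "__main__":
    print(" -> ".join(inbound_from_internet("jane.doe@contoso.com")))   # Internet -> on-prem -> Office 365
    print(" -> ".join(route("john.doe@contoso.com", "Exchange Online")))  # Office 365 -> on-prem
```

The first call reproduces the "On-Premises To Office 365" slide (the message enters via the contoso.com MX, is relayed to contoso.mail.onmicrosoft.com and lands in Jane's cloud mailbox); the second reproduces "Office 365 To On-Premises" (John's cloud object points back to contoso.com, whose MX is on-premises). The NDR branch and the hop limit are the checks a practitioner adds so that a misconfigured target address shows up as a clear failure rather than a routing loop.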
Understanding Migrations

Migration Option Decision Factors
The migration solution is part of the deployment plan; factors to weigh:
- Coexistence: simple (DirSync) or rich (features by user type)
- Provisioning requirement: self serve or admin driven; manual or bulk; cloud or on-premises tools
- Size: large, medium, small
- Time to value
- Source server: Exchange, IMAP, Lotus Notes, Google
- Identity management: in-cloud, or on-premise single sign-on
FastTrack Step 2 Migration Options
- PST migration: import of archived/offline mail
- IMAP migration: supports a wide range of email platforms; email only (no calendar, contacts, or tasks)
- Staged Exchange migration: no server required on-premises; identity federation with the on-premises directory
- Hybrid deployment: manage users on-premises and online; enables cross-premises calendaring, smooth migration, and easy off-boarding

| Source | PST migration | IMAP migration | Staged migration | Hybrid |
| Exchange 5.5 | X | X | | |
| Exchange 2000 | X | X | | |
| Exchange 2003 | X | X | X | |
| Exchange 2007 | X | X | X | |
| Exchange 2010 | X | X | | X |
| Exchange 2013 | X | X | | X |
| Notes/Domino | X | X | | |
| GroupWise | X | X | | |
| Other | X | X | | |

* Additional options available with tools from migration partners
Self Service or Admin Driven Options
| Control | Deployment type | Description |
| Self Service | New mailbox | User receives a new green-field mailbox, i.e. the user is onboarded without data migration. |
| Self Service | New mailbox + Outlook PST | User receives a new mailbox and either attaches or imports PST files for access to pre-Office 365 data. |
| Self Service | New mailbox + Connected Accounts | User receives a new mailbox and configures connected accounts via OWA. |
| Admin-Driven | New mailbox + PST import (central) | User receives a new mailbox and the admin uses the PST export features of Exchange and 3rd party tools to import PST data into the user's Exchange Online mailbox. |
Understand what each migration option offers

IMAP Migrations

IMAP migrations: features and benefits
- Works with a large number of source mail systems
- Works with on-premises or hosted systems
- Users can be migrated in batches
- An on-premises migration tool is not required
IMAP Requirements and Limitations
- Access to IMAP4 ports (TCP 143/993)
- SMTP domains configured in the Office 365 tenant
- Users and mailboxes must be provisioned prior to migration (bulk provisioning, CSV parser, manual, etc.)
- Gather user credentials or set up admin credentials
- Prepare a CSV file with the list of users: EmailAddress, UserName, Password
  - Max of 50,000 rows
  - Max 10 MB in size
- Very limited data migration scope (mail items only)

IMAP Data Migration Scope
Migrated:
- Mail messages (Inbox and other folders)
- Maximum of 500,000 items
- Possible to exclude specific folders from migration (e.g. Deleted Items, Junk E-Mail)
Not migrated:
- Contacts, calendars, tasks, etc.
- Excluded folders
- Folders with a forward slash ( / ) in the folder name
- Messages larger than 25 MB
IMAP Migration Flow
1. Provision users and mailboxes in O365 (license assigned)
2. Gather IMAP credentials, configure the IMAP endpoint and prepare the CSV
3. EAC wizard: enter server settings and upload the CSV
4. Initial sync, then delta sync every 24 hours
5. Change the MX record
6. Final sync and cleanup
7. Mark the migration as complete

IMAP Migrations: Questions?
Staged Exchange Migrations (SEM)

SEM Features and Benefits
- Simple and flexible migration solution
- High-fidelity solution: all mailbox content is migrated
- Typically best suited to medium and large organizations
- Users are provisioned with Directory Sync prior to migration
- No limit on the number of mailboxes
- Users can be migrated in batches (up to 1,000 per batch)
- Works with Exchange 2003 and 2007 only, on-premises or hosted
- Identity management on-premises
SEM Requirements
- Outlook Anywhere service on the source system (must have an SSL certificate issued by a public CA)
- Migration account with Full Access or Receive-As permissions to all mailboxes that will be migrated
- SMTP domain(s) configured in the Office 365 tenant
- Directory Sync tool enabled in the Office 365 tenant (i.e. requires simple coexistence)

SEM Limitations
- SEM is not supported with Exchange 2010 and 2013
- Only simple coexistence is available (no sharing of free/busy, calendar, etc.)
SEM Accounts and Passwords
Account provisioning
- The migration tool relies on DirSync to do provisioning
- For every on-premises mailbox to be migrated there needs to be a MEU or mailbox in Office 365
Passwords
- Target mailbox passwords must be specified* for all users
- Administrators can force users to change passwords on first login
*Password management has been simplified with DirSync and password sync.

SEM Batch File Format
- CSV format: EmailAddress, Password*, ForceChangePassword*
- One user per line
- Max of 1,000 users in each CSV
- Smart-check against the Office 365 directory
*The Password and ForceChangePassword fields in the CSV are not needed if Password Sync is enabled
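Both batch files described on this page (the IMAP list at EmailAddress, UserName, Password with a 50,000-row / 10 MB limit, and the SEM batch at EmailAddress, Password, ForceChangePassword with a 1,000-row limit, where the two password columns are not needed once Password Sync is enabled) are easy to get wrong by hand, and the EAC wizard will reject or partially process a bad file. The checker below is an added example written for this page, not a Microsoft tool; the sample CSV content is constructed, the duplicate-address check is a sensible extra not stated in the deck, and the True/False value format assumed for ForceChangePassword is not taken from the deck.

```python
import csv
import io

# Limits and required columns as stated in the deck for each batch type.
BATCH_SPECS = {
    "imap": {"columns": ["EmailAddress", "UserName", "Password"],
             "max_rows": 50_000, "max_bytes": 10 * 1024 * 1024},
    "sem":  {"columns": ["EmailAddress", "Password", "ForceChangePassword"],
             "max_rows": 1_000, "max_bytes": None},
}


def validate_batch_csv(text, kind, password_sync=False):
    """Return a list of problems found in a migration batch CSV (empty list means it passes)."""
    spec = BATCH_SPECS[kind]
    problems = []
    size = len(text.encode("utf-8"))
    if spec["max_bytes"] is not None and size > spec["max_bytes"]:
        problems.append(f"file is {size} bytes; limit is {spec['max_bytes']}")
    rows = [r for r in csv.reader(io.StringIO(text)) if any(c.strip() for c in r)]
    if not rows:
        return problems + ["file has no header row"]
    header = [h.strip() for h in rows[0]]
    required = spec["columns"]
    if kind == "sem" and password_sync:
        # With Password Sync enabled the Password/ForceChangePassword columns are not needed.
        required = ["EmailAddress"]
    if header[:len(required)] != required:
        problems.append(f"header must start with {','.join(required)}; got {','.join(header)}")
        return problems
    data = rows[1:]
    if len(data) > spec["max_rows"]:
        problems.append(f"{len(data)} user rows; limit is {spec['max_rows']}")
    seen = set()
    for n, row in enumerate(data, start=2):   # line numbers as a person would count them
        values = dict(zip(header, (c.strip() for c in row)))
        email = values.get("EmailAddress", "")
        if "@" not in email:
            problems.append(f"line {n}: EmailAddress '{email}' is not an address")
        elif email.lower() in seen:
            problems.append(f"line {n}: duplicate EmailAddress {email}")   # extra check, not in the deck
        seen.add(email.lower())
        for col in required[1:]:
            if not values.get(col):
                problems.append(f"line {n}: missing {col}")
        # Assumed value format for ForceChangePassword: True or False (not stated in the deck).
        fcp = values.get("ForceChangePassword")
        if fcp and fcp.lower() not in ("true", "false"):
            problems.append(f"line {n}: ForceChangePassword must be True or False, got '{fcp}'")
    return problems


# Constructed sample files (not from the deck); the passwords are placeholders.
IMAP_SAMPLE = (
    "EmailAddress,UserName,Password\n"
    "terry.adams@contoso.com,terry.adams,placeholder-password-1\n"
    "ann.beebe@contoso.com,ann.beebe,placeholder-password-2\n"
)
SEM_SAMPLE = (
    "EmailAddress,Password,ForceChangePassword\n"
    "terry.adams@contoso.com,placeholder-password-1,True\n"
    "terry.adams@contoso.com,placeholder-password-1,maybe\n"   # duplicate row with a bad flag
)
SEM_WITH_PASSWORD_SYNC = "EmailAddress\nann.beebe@contoso.com\n"

if __name__ == "__main__":
    for label, text, kind, sync in [("IMAP", IMAP_SAMPLE, "imap", False),
                                    ("SEM", SEM_SAMPLE, "sem", False),
                                    ("SEM + Password Sync", SEM_WITH_PASSWORD_SYNC, "sem", True)]:
        print(label, validate_batch_csv(text, kind, password_sync=sync) or "OK")
```

The IMAP sample passes, the SEM sample reports the duplicate address and the bad ForceChangePassword value on line 3, and the single-column file is accepted only because `password_sync=True` relaxes the required columns, which mirrors the footnote on the slide.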
SEM Data Migration Scope
Migrated:
- Mail messages and folders
- Rules and categories
- Calendar (normal, recurring)
- Contacts
- Tasks
- Delegates and folder permissions
- Outlook settings (e.g. favorites)
Not migrated:
- Security groups, DDLs
- System mailboxes
- Dumpster
- Send-As permissions
- Out-of-Office settings
- Messages larger than 25 MB

SEM Data Migration Scope (continued)
- Partial migrations are not possible (no folder exclusion, no time range selection, etc.)
- Mailboxes enabled for Unified Messaging cannot be migrated
- Hidden mailboxes (not visible to the tool) cannot be migrated
- A new cloud mailbox is created (new GUID) and data is copied
  - Existing cached-mode files (OST files) cannot be preserved
SEM User Experience
- The admin needs to distribute new passwords* to users
- Users create their new Outlook profile using the O365 user name and new password (Autodiscover)
- All mail is downloaded from the Office 365 mailbox (i.e. the OST file must be recreated)
- IT admins must convert the on-premises mailbox-enabled user to a mail-enabled user (which will delete the on-premises content)
*Not required if Password Sync is enabled
SEM Migration Flow
1. Configure Directory Sync
2. Configure Outlook Anywhere: test using ExRCA; assign migration permissions
3. EAC wizard: enter server settings, admin credentials, batch CSV
4. Migrate batch
5. Convert on-premises mailboxes (MBX) to MEU
6. Delete migration batch
7. License users; change MX record (optional)

Staged Exchange Migrations: Questions?

Questions?
2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the
part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
