Hybrid Exchange

Before an organization that has an on-premises only Exchange deployment can shift to a hybrid deployment, it will need to meet certain prerequisites. The first requirement is that an organization needs to have Exchange 2007 or later on-premises. So, If your organization has Exchange 2003 deployed, you won’t be able to deploy Exchange in a hybrid configuration.

The version of Exchange that you have deployed determines the type of hybrid deployment that is available (see Table 4-1).

Table 4-1 Hybrid deployment options

When selecting a hybrid deployment option, you should choose the most modern version available for your organization. For example, if your organization has Exchange 2013 deployed, your preference should be to configure an Exchange 2019 based hybrid deployment.

Hybrid deployments require that the on-premises Exchange systems have the most recent cumulative update or update rollup deployed. Generally, the release prior to the most recent cumulative update or update rollup will also work, but older cumulative updates or update rollups will not be supported. Cumulative updates and update rollups are generally released on a quarterly basis.

You need to have specific roles deployed within the on-premises Exchange organization. Which roles are deployed depends on the hybrid deployment option you are choosing. These requirements are as follows:

• Exchange 2010 hybrid deployment A minimum of one Exchange 2010 server with the Mailbox, Hub Transport, and Client Access server roles installed. You can also meet the prerequisite requirements by deploying these Exchange 2010 roles on separate servers. Autodiscover public DNS records for existing SMTP domains point at on-premises Client Access server.

• Exchange 2013 hybrid deployment A minimum of one server with the Mailbox and Client Access roles installed. The prerequisites can also be met by deploying these roles on separate servers. Autodiscover public DNS records for existing SMTP domains point at on-premises Client Access server.

• Exchange 2016 hybrid deployment A minimum of one server with the Mailbox server role installed. Autodiscover public DNS records for existing SMTP domains point at on-premises Mailbox server.

• Exchange 2019 hybrid deployment A minimum of one server with the Mailbox server role installed. Autodiscover public DNS records for existing SMTP domains point at the on-premises Mailbox server.

Hybrid Exchange deployments have the following additional requirements:

• Azure AD Connect are configured to synchronize on-premises Active Directory with Azure Active Directory.

• Custom domains are registered with your organization’s Azure AD tenancy.

• Connect the Office 365 organization to the Exchange Admin Center. You must do this prior to running the Hybrid Configuration Wizard.

• Install valid digital certificates purchased from a trusted CA on the IIS instance on Exchange servers configured in the hybrid deployment. The Exchange Web Services external URL and the Autodiscover endpoint specified in your organization’s public DNS records must be listed in the Subject Alternative Name (SAN) section of these certificates.

• If your organization’s Exchange deployment uses Edge Transport servers and you want to configure those servers for hybrid secure mail transport, you will need to ensure that EdgeSync is configured prior to running the Hybrid Configuration Wizard.

• If Unified Messaging enabled mailboxes are present in the on-premises Exchange deployment, and you want to migrate them to Office 365, the following conditions must be met prior to migrating these mailboxes:

  • You must have deployed Lync Server 2019, Lync Server 2013, or Skype for Business Server 2015 or later, and integrated it with your organization’s on-premises telephony system. Alternatively, you have Skype for Business Online integrated with your organization’s on-premises telephony system.

  • You have Unified Messaging mailbox policies created in Exchange Online that have names that reflect the Unified Messaging mailbox policies used with the on-premises deployment.

Hybrid SharePoint

Beyond the basics of having a functional on-premises Active Directory instance, and a configured Microsoft 365 tenancy, you will need to have a functional on-premises SharePoint Server farm. This SharePoint Server farm must be configured so that all services are running locally on the farm as farms that leverage federated services and are not supported in a hybrid configuration.

You will need to configure the SharePoint primary web application on the on-premises SharePoint farm to use a certificate from a trusted public third party CA for Transport Layer Security (TLS), also known as Secure Sockets Layer (SSL) communication. Microsoft recommends using the default SharePoint Security Token Services (STS) certificate when configuring hybrid workloads and it is not necessary to have a new certificate for this service issued by a public third party CA.

You will need to configure a reverse proxy device to support inbound connectivity for your hybrid SharePoint deployment if you want to support the following services:

• Inbound hybrid search

• Hybrid Business Connectivity Services

• Hybrid Duet Enterprise Online for Microsoft SharePoint and SAP

The certificate used for authentication and encryption between the reverse proxy device and SharePoint Online must be configured either as a wildcard certificate, or have an appropriate Subject Alternative Name. It must also be issued by a trusted public third party certification authority.

Hybrid Skype for Business

When configuring Skype for Business in a hybrid configuration with Skype for Business Online, you will need to ensure that the following steps are taken:

• Skype for Business Online must be enabled in the Microsoft 365 tenancy.

• On-premises servers must all run either Skype for Business Server 2019, Skype for Business Server 2015, or Lync Server 2013. A deployment that has a mixture of servers is also supported, as long as that mixture is limited to two different versions of Skype for Business Server or Lync Server. You cannot configure a hybrid deployment if all three servers are present in the on-premises environment.

• You must federate the on-premises environment with Microsoft 365. While federation is more complicated than the default Azure AD Connect identity synchronization option, you can use Azure AD Connect to configure federation. Doing so will require the deployment of Active Directory Federation Services servers in your on-premises environment, although Azure AD Connect makes this process easier.

• You need to configure the on-premises environment to share SIP address space with Skype for Business Online. This will allow Skype for Business Online to host user accounts for the same set of SIP domains as the on-premises environment. It will also allow messages to be routed within the hybrid environment.

• You must enable the share SIP address space for Skype for Business Online. Configuring this shared address space is the second element in ensuring that messages can be routed between the on-premises and cloud environments.

Microsoft also recommends that you configure OAuth between Exchange on-premises and Skype for Business Online if you have both Exchange and Skype for Business in a hybrid configuration.

Exchange hybrid connectivity

The ports, protocols, and endpoints listed in Table 4-2 need to be configured to allow the appropriate connectivity in an Exchange hybrid deployment.

Table 4-2 Exchange hybrid ports, protocols, and endpoints

SharePoint Server hybrid connectivity

In a SharePoint Server hybrid configuration, you need to make sure the following networking requirements are met:

• Ensure that the publicly resolvable DNS record for the SharePoint primary site points at the external endpoint for the reverse proxy device, which publishes the primary site to the Internet.

• Ensure that the SharePoint primary site has a binding for a TLS certificate from a publicly trusted certificate authority.

• Choose an appropriate site collection strategy. Options include host-named site collection, path-based web application with alternate access mappings, or path-based web application without alternate access mapping.

• Configure split DNS so that internal clients connect to the internal IP address of the SharePoint primary site, and external clients connect to the external endpoint of the reverse proxy device.

Skype for Business hybrid connectivity

In a hybrid configuration, all Skype for Business external DNS records must point to on-premises servers. There are specific DNS resolution requirements for the following records:

• DNS SRV record for _sipfederationtls._tcp.<sipdomain.com> must resolve to the Access Edge external IP addresses. This record must be resolvable by Edge servers in the hybrid configuration.

• DNS A record or records for Edge Web Conferencing Service must resolve to the Web Conferencing Edge external IP addresses. This record or records must be able to be resolved by any user’s computers on the organization’s internal network.

Your organization’s firewall needs to be configured to accept incoming traffic from Office 365 domain names:

• *.lync.com

• *.teams.microsoft.com

• *.broadcast.skype.com

• *.skypeforbusinesss.com

• *.sfbassets.com

• *.skype.com

Exchange migration strategy

How you migrate Exchange mailboxes from an on-premises deployment to Exchange Online will depend on the nature of your existing deployment. The approach you use with Exchange 2007 may be different to your approach if you have Exchange 2019, but will depend on the number of mailboxes that need to be moved. Table 4-3 lists the difference between the different methods you can use to migrate from an on-premises messaging environment to Exchange Online.

Table 4-3 Migration type comparison

SharePoint Server migration strategy

While it’s possible to directly upload one file at a time to a SharePoint online tenant, or install the OneDrive sync client and have that content automatically synchronize to either OneDrive or SharePoint online, most organizations that are migrating from an on-premises SharePoint Server deployment to SharePoint online will use the SharePoint Migration Tool.

The SharePoint Migration Tool (SPMT) allows for the migration of files from on-premises SharePoint Server document libraries to SharePoint Online. You can also use the SPMT to migrate existing file shares to SharePoint Online. To allow web parts to be migrated, 24 hours prior to performing a migration with the SPMT, you need to configure the following settings in the SharePoint Admin Center:

• Allow users to run custom script on personal sites

• Allow users to run customer script on self-service created sites

When running the tool, you have the option of specifying a migration either from a SharePoint on-premises deployment or from a file share. When migrating a SharePoint on-premises site, you’ll need to specify the site location, the credentials to access that site, and the specific document library that you wish to migrate. If you are migrating an on-premises file share to SharePoint online, you’ll need to specify the file share location, the URL of the SharePoint Online site that is the destination for the migrated files, and the document library within that site that will host the files.

After you perform a migration, you have the option of saving the migration job so that it can be run at a different time. This allows you to migrate any files that were modified or created after the last migration from the source location to the destination SharePoint online site.

Skype for Business migration strategy

You can move users from an on-premises deployment to the cloud by either using the Skype for Business Admin Control panel or the Move-CsUser PowerShell cmdlet. Both tools are used in the on-premises environment. It’s also possible to use these tools to move users from Skype for Business Online to an on-premises host when Skype for Business Online is in a hybrid configuration. You can move a user from Skype to Business Online directly to Teams only if Skype for Business Server 2019 or Skype for Business Server 2015 with cumulative update 8 or later is deployed in the on-premises environment.

When migrating users from an on-premises environment to the cloud, the user performing the migration must have the CSServerAdministrator role in the on-premises Skype for Business Server deployment and must be either the Microsoft 365 Global Administrator role or have both the Microsoft 365 Skype for Business Administrator and Microsoft 365 User Administrator roles.

Manual deployment

The typical method of deploying Office 365 ProPlus on a computer is for a user to access the installation files from the Microsoft 365 portal. You can install Office 365 ProPlus on a computer by performing the following steps:

1. Sign in to the computer with a user account that is a member of the local administrators group.

2. Open a web browser and sign in to the Office 365 portal at https://portal.office.com. You can click Install Office if you want to install using the default, or click Other Installs if you want to choose between the 32 bit and the 64 bit option.

3. If you want to install the 64-bit version of Office ProPlus, select the language and click Advanced as shown in Figure 4-9.

   

4. Once you click Advanced, you can select between the 32-bit and the 64-bit option. Once you’ve selected the appropriate option, click Install. This will begin the download of the Office 365 ProPlus installer Click-to-Run setup file.

5. Choose to Save or Run the installation file. It’s often sensible to save the file and then run it as this simplifies the process of running the installer again should something interrupt the installation process.

6. Once the Click-to-Run installer has downloaded, double click on it to initiate installation. On the User Account Control dialog box, verify that the Program name is set to Microsoft Office, as shown in Figure 4-10, and then click Yes. The installation process will commence.

   

7. On the “You’re all set!” page, shown in Figure 4-11, click Close.

   

8. Open one of the Office ProPlus applications. The first time you run one you’ll be presented with the “Office is almost ready” screen shown in Figure 4-12. Click Accept and start Word, or whichever Office ProPlus application you selected to run first.

   

9. On the Word Recent page shown in Figure 4-13, click “Sign in to get the most out of Office.”

   

10. On the Sign In page, shown in Figure 4-14, enter the email address of your Office 365 account and click Next.

    

11. On the Work or school account page shown in Figure 4-15, enter the password and click Sign In.

    

12. Once you have signed in, your account will be listed on the Recent page as shown in Figure 4-16 and documents stored in Office 365 will be available.

    

Central deployment

With special preparation, Office 365 ProPlus can be downloaded to a local shared folder and then deployed centrally. To use this central deployment method, the IT department must use the Office Deployment Tool to download the Office 365 ProPlus software from Microsoft servers on the Internet. While it is possible to deploy Office 365 ProPlus centrally, successful installation of Office 365 ProPlus requires the ability for the software to activate against Microsoft Office 365 servers on the Internet. You can’t use a volume licensing activation solution, such as a Key Management Services (KMS) server, to activate Office 365 ProPlus even when you are deploying it centrally.

Office Deployment Tool

The Office Deployment Tool allows IT departments to perform the following tasks:

• Generate a Click-to-Run for Office 365 installation source This allows administrators to create a local installation source for Office 365 rather than requiring that the files be downloaded for each client from the Internet.

• Generate Click-to-Run for Office 365 clients This allows administrators to configure how Office 365 ProPlus is installed. For example, blocking the installation of PowerPoint.

• Creating an App-V package Allows administrators to configure Office 365 ProPlus to work with application virtualization.

To install the Office Deployment Tool, perform the following steps:

1. On the computer on which you want to deploy the Office Deployment Tool, open a web browser and navigate to the following address: https://www.microsoft.com/download/details.aspx?id=49117.

2. On the Office Deployment Tool For Click-To-Run webpage, shown in Figure 4-17, click Download.

   

3. Save the installer file to a location on the computer. Figure 4-18 shows the file downloaded to the Downloads folder.

   

4. After the deployment tool has downloaded, double-click the self-extracting executable file to start the deployment tool setup.

5. On the User Account Control dialog box, click Yes.

6. On the Microsoft Software License Terms page, select the Click Here To Accept The Microsoft Software License Terms option and click Continue.

7. On the Browse For Folder page, select the folder in which to store the files associated with the tool. While these files can be extracted anywhere, you will need to interact with the tool frequently so you should create a folder in the root folder of a volume.

8. Four files will be extracted as shown in Figure 4-19.

   

The Office Deployment Tool is a command line utility that provides administrators with three general options:

• The download mode allows administrators to download the Click-to-Run installation source for Office 365 ProPlus, as well as language pack files to a central on-premises location.

• The configure mode allows for the configuration and installation of Click-to-Run Office products and language packs.

• The packager mode allows for the creation of an App-V package from downloaded Click-to-Run installation files.

• The customize mode allows you to apply new application settings to computers that already have Office 365 ProPlus installed.

The Office Deployment Tool must be run from an elevated command prompt in the / configure and /packager modes. To run the Office Deployment tool in download mode against a configuration file stored in the c:ClickToRun folder, use the syntax:

Click here to view code image

Setup.exe /download c:ClickToRunconfiguration.xml.

To run the Office Deployment Tool in configure mode, when the tool is hosted on the share \SYD-DeployO365 and the configuration file is stored on the share \SYD-DeployConfigs, run the command:

Click here to view code image

\SYD-DeployO365Setup.exe /configure \SYD-DeployConfigsConfiguration.xml.

Configuration.xml

The deployment tool ships with three example Configuration.xml files: Configuration-Office365-x64.xml, Configuration-Office365-x86.xml and Configuration-Office2019Enterprise.xml. You use these Configuration.xml files to perform the following tasks:

• Add or remove Office products from an installation.

• Add or remove languages from the installation.

• Specify display options, such as whether the installation occurs silently.

• Configure logging options, such as how much information will be recorded in the log.

• Specify how software updates will work with Click-to-Run.

Figure 4-20 shows one of the example Configuration.xml files that is available with the Office Deployment Tool.

Important attributes include:

• SourcePath When you run the tool in download mode, the SourcePath attribute determines the location where the Click-to-Run files will be stored. When you run the tool in configure mode, the SourcePath attribute determines the installation source.

• OfficeClientEdition This value is required and either must be set to 32 or 64. This determines whether the x86 or x64 version of Office applications are retrieved or installed.

• Version If this element is not set, the most recent version of files will be either downloaded or installed. If a version is set, then that version of the files will either be downloaded or installed.

• Display The display element allows you to specify what information the user sees during deployment. The options are:

  • Level=None The user sees no UI, completion screen, error dialog boxes, or first run UI.

  • Level=FULL The user sees the normal Click-to-Run user interface, application splash screen, and error dialog boxes.

  • AcceptEULA=True The user does not see the Microsoft Software License Terms dialog box.

  • AcceptEULA=False The user will see the Microsoft Software License Terms dialog box.

• ExcludeApp You use this element to exclude applications from being installed. Valid values of this attribute are as follows:

  • Access

  • Excel

  • Groove (used for OneDrive for Business)

  • InfoPath

  • Lync (used for Skype for Business)

  • OneNote

  • OneDrive

  • Outlook

  • PowerPoint

  • Project

  • Publisher

  • SharePointDesigner

  • Visio

  • Word

• Language ID This element allows you to specify which language packs are installed. For example, you have en-us for US English. You can have multiple Language ID elements, one for each language that you wish to install.

• Logging This element allows you to disable logging, enable logging, and specify the path where the log file is to be written.

• Product ID This element allows you to specify which products to install. The available options are:

  • O365ProPlusRetail Office 365 ProPlus

  • VisioProRetail Visio Pro

  • ProjectProRetail Project Professional

  • SPDRetail SharePoint Designer

• Remove If this element is set ALL=TRUE then all Click-to-Run products are removed.

• Updates The updates element allows you to configure how updates are managed and includes the following options:

  • Enabled When set to true, Click-to-Run update system will check for updates.

  • UpdatePath If this element is not set, updates will be retrieved from Microsoft servers on the Internet. If the element is set to a network, local, or HTTP path, then updates will be sourced from the specified path.

  • TargetVersion Allows you to have updates applied to a specific Office build version. If not specified, the most recent version is updated.

  • Deadline Specifies the deadline by which updates must be applied. You can use Deadline with Target Version to force Office applications to be updated to a specific version by a specific date. The Deadline will only apply to a single set of updates. To ensure that Office applications are always up-to-date, it is necessary to revise the deadline when new updates are available.

Click-to-Run vs. MSI

Click-to-Run and MSI are two different formats through which Office applications can be distributed to users. Click-to-Run offers the following features:

• Streaming installation Streaming installation allows an application to be run before installation has completed. When the installation of an application is streamed, the first part of the application installed provides the minimum functionality necessary to get the application running. This allows the user to begin working with the application while installation completes.

• Slipstreamed Servicing The Click-to-Run functionality of Office 365 ProPlus means that updates are included in the installation. Rather than installing Office in a traditional manner and then running a Windows Update check to locate and install any relevant updates, relevant updates are already included within the Click-to-Run installation files. Slipstreamed Servicing means that end users have the most secure and up-to-date version of the application immediately, rather than having to wait for the post-deployment update cycle to complete.

• User-based licensing User-based licensing means that the Office 365 ProPlus license is associated with the Office 365 user account, not the computer that the user is signed on to. Depending on the type of license associated with the user and the tenancy, the user is able to install Office 365 ProPlus on up to five different computers as well as tablets and phones. It is possible to remove licenses from computers that have had Office 365 ProPlus installed on them at an earlier point in time.

• Retail activation Office 365 ProPlus is activated using retail rather than volume license methods. Activation occurs over the Internet. This means that the computer must connect to the Internet every 30 days, otherwise Office ProPlus will enter reduced functionality mode.

• SKU-level application suites Unless an administrator configures an appropriate configuration file, Office 365 ProPlus installs all products in the suite. The products that are installed will depend on the specifics of the Office 365 subscription, but this usually means Access, Excel, InfoPath, OneNote, Outlook, PowerPoint, Publisher, and Word. The products that are installed will be installed to all users in the tenancy. It is not possible to choose to install the PowerPoint program to some users but not to others when all users are using the same Click-to-Run installation file and configuration file. It is possible to have separate sets of applications deployed to users, but this requires separate configuration files for each set of applications.

MSI files are a method through which applications are packaged. MSI files allow organizational IT departments to automate the deployment applications, such as Office, using tools such as Microsoft Intune and System Center Configuration Manager. MSI files are appropriate for organizations that have a managed desktop environment and are less suitable for the types of “Bring Your Own Device” scenarios in which Click-to-Run products, such as Office 365 ProPlus, are suitable. MSI files offer the following features:

• Classic installation MSI files can be installed by double-clicking on the installer file, can be deployed using Group Policy, Microsoft Intune, System Center Configuration Manager, or third-party application deployment products. The application is not available to the user until the installation of the application is complete. This differs from the Click-to-Run method’s streaming technology which allows a user to begin using an application with a reduced set of features before the installation of the application completes.

• Layered servicing MSI files represent the application at the time that it was packaged as an MSI file. This means that after deployment it will be necessary for the IT department to apply any necessary software updates to the application. Depending on the age of the MSI file and the number of software updates that have been released since the application was first packaged, it can take quite some time for the application to be updated to the current patch level after the application is deployed. This substantially increases the amount of time between an application being deployed and the user being able to use the application to perform their job role. IT departments can update MSI files with the latest updates and patches, but this is a complex, usually manual, process which requires deploying the application to a reference computer, updating the application, and then performing a technique known as a capture that creates the new updated MSI file. With Click-to-Run technology, the application updates are slipstreamed into the application by Microsoft, meaning that the application is current with updates as soon as it is deployed.

• Volume licensing The versions of Office that you can deploy from an MSI file, including Office 2016 and Office 2019, have editions that support volume licensing. Volume licensing gives you the option of using a volume license key. Volume licensing is not something that is automatically supported by the MSI format and depends on the properties of the deployed software. Volume licensing is only available to organizations that have volume licensing agreements with Microsoft.

• Volume activation Like volume licensing, volume activation is not a property of an MSI file, but a feature that is supported by some versions of Office that use this packaging format. Volume activation allows large numbers of products to be activated, either through use of a special activation key used each time the installation is performed, or through technologies such as a Key Management Services (KMS) server on the organization’s internal network. Volume activation is only available to organizations that have volume-licensing agreements.

• Selective application installation Rather than deploying all products in the Office suite, the MSI-based deployment method makes it simple for organizations to deploy individual products in the suite. For example, it is possible to choose to deploy Word and Excel to some users, and PowerPoint to others.

• Scenario limitations Unlike Click-to-Run Office 365 ProPlus, which uses retail activation, the volume-licensed versions of Office 2016 and Office 2019 can be used on Remote Desktop Services servers, can be deployed on Windows To Go USB devices, and can be deployed on networks that do not have Internet connectivity.

While there are differences between the Click-to-Run Office 365 ProPlus and MSI-based Office 2019, there are also certain similarities:

• Both can be configured through Group Policy.

• Both provide telemetry visible through the Telemetry Dashboard.

• Extensions designed for the Office 2019 version of a product will work with the Office 365 version of that product.