Office 365 Deployment


Hi,

Here am explaining how the Office 365 will establish in your organization.

Courtsey- http://www.scribd.com/doc/88442584/68/Dynamic-Distribution-Groups#outer_page_112

 

Customer Environment Discovery

It is important at the outset of your deployment project to gather and capture information
about your existing IT environment. This process is commonly called “discovery.” Discovery
activities provide a comprehensive and up-to-date record of the technology solutionsimplemented by our organization.You should gather information in the following areas:
On-premises infrastructure servers and components
Network architecture and DNS
Authentication solutions
Directory design
Bandwidth
Mail routing
Certificates
Hardware and software
Mail and other client applications
Mail archiving and compliance
Mobile devices
24Microsoft Office 365 Deployment Guide for Enterprises | December 2011
3.3.1
Office 365 Deployment Readiness Tool
The Office 365 Deployment Readiness Tool is available to assist you with discovery activitiesrelated to Office 365 deployments. The tool can be used to check and provide information in thefollowing areas in your on-premises environment:
Domains
Email domains and number of users for each domain
User identity and account provisioning
Statistical information
Active Directory schema data
Forest and domain functional data
Trusts and multi-forest constraints
Directory Synchronization pre-requisite checks and attribute assessment
Attribute assessment and readiness for single sign-on
Exchange Online
Statistical information
Public folder, public delegates, and proxyAddresses
Third-party and unified proxyAddresses information
SharePoint Online
User object count
Lync Online
Statistical information
Summary of SIP domains
Client and end-user experience
Summary of domain joined machines for rich experience and single sign-onreadiness
Networking
Port analysis on specific Office 365 endpoints
DNS records
External DNS records
TXT(DomainValidation)

This record is used for domainvalidation. It proves that you own thedomain but it doesn’t direct incomingmail for the domain to Office 365service offerings.Host: @ (domain name)TXT Value: <text string>The values that you need to enter areprovided to you by the Microsoft OnlineServices Portal add domain wizard.
Note:
The wizard also gives you the optionof using a MX record for domain validation
CNAME(ExchangeOnline)

This record allows Office Outlookclients to connect to the ExchangeOnline service by using theAutodiscover service. Autodiscoverautomatically finds the correctExchange Server host and configuresOutlook for the users.Alias: AutodiscoverTarget: autodiscover.outlook.comFor more information, seeUse a CNAMERecord to Enable Outlook to Connect
MX(ExchangeOnline)
This value directs all incoming mailfor the domain to the ExchangeOnline service.Domain: contoso.comTarget Server <MX token>.mail.eo.outlook.comPreference: 10
SPF (TXT)(ExchangeOnline)
This sender policy framework (SPF)record identifies which of your emailservers are authorized to transmitemail from your domain. This helps toprevent others from using yourdomain to send SPAM or othermalicious email.Values: v=spf1 include:outlook.cominclude: spf.messaging.microsoft.com ~all.For more information, see
include: spf.messaging.microsoft.com
Note
: If the firewall or proxy server blocksTXT lookups on an external DNS, thisrecord should also be added to the internalDNS record.
SRV(LyncOnline)

This value is for SIP federation andallows your Office 365 domain toshare instant messaging (IM) featureswith clients other than Windows LiveMessenger.Service: _sipfederationtlsProtocol: TCPPriority: 10Weight: 1Port: 5061Target: Sipfed.online.lync.com
Note:
If the firewall or proxy server blocksSRV lookups on an external DNS, thisrecord should also be added to the internalDNS record.
SRV(LyncOnline)
This SRV record is used by MicrosoftLync Online to coordinate the flow of information between Lync clients.Service: _sipProtocol: TLSPriority: 100Weight: 1Port: 443Target: sipdir.online.lync.com
CNAME(LyncOnline)
This CNAME record is used by theLync 2010 client to discover the LyncOnline service and sign in.
Alias: sipTarget: sipdir.online.lync.comFor more information, seeEnsuring YourNetwork Works With Lync Online
CNAME(LyncOnline)
This CNAME record is used by theLync 2010 mobile client to discoverthe Lync Online service and sign in.
Alias: lyncdiscoverTarget: webdir.online.lync.com
Host (A)
This record is used for single sign-on.It indicates the end point for your off-premises users (and on-premisesusers if you choose) to connect toyour AD FS federation server proxiesor load-balanced VIP.Target (example): sts.contoso.com
TXT(ExchangeFederation)
Exchange federation for hybriddeploymentTXT record 1: contoso.com and associatedcustom-generated domain proof hash (ex.
“Y96nu89138789315669824”)
TXT record 2:exchangedelegation.contoso.com andassociated custom-generated domainproof hash (for example,
“Y3259071352452626169”)
 MX(ExchangeFederation)

Office 365 Service Record for maildelivery (MX)Domain (example): service.contoso.comTarget Server <MX token>.mail.eo.outlook.comPreference: 10
CNAME(ExchangeFederation)
This record allows Office Outlookclients to connect to the ExchangeOnline service by using theAutodiscover service. Autodiscoverautomatically finds the correctExchange Server host and configuresOutlook for the users.Alias
(example)
:Autodiscover.service.contoso.comTarget: autodiscover.outlook.comFor more information, seeUse a CNAMERecord to Enable Outlook to Connect
Federation Server Certificates
SSL certificate(also called aServerAuthenticationCertificate)

This is a standardSecure SocketsLayer (SSL)certificate that isused for securingcommunicationsbetweenfederationservers, clients,and federationserver proxycomputers.AD FS 2.0 requires an SSL certificate when configuringfederation server settings. By default, AD FS 2.0 uses the SSLcertificate configured for the Default Web Site in the InternetInformation Services (IIS).The subject name of this SSL certificate is used to determinethe Federation Service name for each instance of AD FS 2.0that you deploy. For this reason, you may want to considerchoosing a subject name on any new CA-issued certificatesthat best represents the name of your company ororganization to Office 365 and this name must be internetroutable.
Warning:
AD FS 2.0 requires this SSL certificate to be withouta dotless (short-name) subject name.
Recommendation:
Because this certificate must be trustedby clients of AD FS 2.0, use an SSL certificate that is issued bya public (third-party) certification authority (CA) or by a CA.
Domain Controller Requirements

Table 6 lists the requirements for domain controllers deployed in your Active Directory forest(s)that communicate with the Office 365 environment.
Table 6. Domain Controller Requirements
Component
Requirements
Schema master
32-bit or 64-bit edition of the Windows Server 2003 SP1 Standard orEnterprise operating system
32-bit or 64-bit edition of the Windows Server 2008 Standard orEnterprise operating system
64-bit edition of the Windows Server 2008 Standard R2 or Enterpriseoperating system
Global catalog server
In every Active Directory site where you plan to install the Exchange 2010 SP1hybrid server, you must have at least one global catalog server configured asfollows:
32-bit or 64-bit edition of Windows Server 2003 SP2 Standard orEnterprise
32-bit or 64-bit edition of Windows Server 2008 Standard or Enterprise
64-bit edition of Windows Server 2008 R2 Standard or Enterprise
Active Directory forest
Windows Server 2003 forest functional mode or higher
Domain controller
32-bit or 64-bit Windows Server 2003 Standard Edition or EnterpriseEdition with Service Pack 1 (SP1)
32-bit or 64-bit edition of the Windows Server 2008 Standard orEnterprise, Windows Server 2008 R2 Standard or Enterprise, orWindows Server 2008 Datacenter or Windows Server 2008 R2Datacenter
3.7.3.5
Active Directory Cleanup
It is highly recommended that you prepare your Active Directory forest prior to beginning yourOffice 365 deployment.Your directory remediation efforts should focus on the following tasks:
Remove duplicate proxyAddress and userPrincipalName attributes.
Update blank and invalid userPrincipalName attributes with a valid userPrincipalName.
Remove invalid and questionable characters in the givenName, surname (sn),sAMAccountName, displayName, mail, proxyAddresses, mailNickname, anduserPrincipalName attributes. SeeAppendix F: Directory Object Preparationlater in thisdocument for details on preparing attributes.
 Namespace Considerations and Acceptable Domains

Previously, Active Directory Federation Services only allowed for one namespace perfarm/instance (for example,
contoso.com
). Therefore if your organization maintains multipleunique namespaces (for example,
contoso.com
and
fabrikam.com
) you would need two AD FSfarms deployed in order to provide authentication for each namespace.There is now a update rollup for AD FS 2.0 that works in conjunction with the
“SupportMultipleDomain” switch to enable support
for multiple unique namespaces withoutrequiring additional AD FS 2.0 servers.See the Help articleSupport for Multiple Top Level Domainsfor more information on multipletop-level domain support.
Note
: If your organization owns and manages a primary domain with subdomains(contoso.com/corp.contoso.com) you will also not require a separate AD FS farm.Only routable domains can be used with an AD FS deployment. Examples of non-routabledomains:
.local
.loc
.internalThe domain extensions that use internal namespaces such as .local, .internal, and .int are notroutable on the Internet and would not be acceptable domains for your AD FS deployment. If your organization implements Active Directory with an internal namespace only, you will need toadd a UPN suffix in Active Directory Forests and Trusts that is routable (for example,contoso.com) as well as configure each user with that UserPrincipalName suffix. For example,
johnsmith@contoso.internal
would need to be modified to
johnsmith@contoso.com
.
Important:
Before making any changes to your users
userPrincipalName
attribute it iscritical that you validate that there are no applications that are dependent on the existinguserPrincipalName value such as smart cards, certificates, Unix, or Linux.
3.7.4.9
Deploying Federated and Standard Identities Together
When enabling single sign-on, you cannot mix or match users within a single namespace contoso.com) in the manner that some users utilize a federated identity (single sign-on) andother users use the Microsoft Online Service ID (Office 365 “cloud” identity). For instance, if youregister the domain name

contoso.com
, all sub domains (for example,
northamerica.contoso.com
)are automatically configured as identity federated domains.
Note
: If your organization would like to deploy a hybrid of federated and standard identities,you must configure two separate namespaces to achieve this goal. For example, contoso.commight be used for federated identities and fabrikam.com used for standard identities.
Backup and Restore

To guard against the impacts of a complete outage of your Active Directory federation servers, itis highly recommended that you have a backup and restore plan in place to allow for rapidrecovery of your AD FS environment. In a catastrophic event where your servers cannot berestored, your backup and restore plan can enable you to reinstall your AD FS environment andre-enable single sign-on by following the steps provided in the Prepare phase of this document.
Note
: You will need to run the Update-MSOLFederatedDomain PowerShell commandletprovided by the Microsoft Online Services Module for Windows PowerShell to restore yourAD FS configuration.
Directory Synchronization Tool

Directory synchronization is the synchronization of directory objects (users, groups, andcontacts) from your on-premises Active Directory environment to the Office 365 directoryinfrastructure. The Microsoft Online Services Directory Synchronization Tool is used to performthis synchronization. You install the tool on a dedicated computer in your on-premisesenvironment.Before you use the Directory Synchronization Tool, you must first edit objects you want tosynchronize (user accounts and email-enabled contacts and groups) using Active DirectoryUsers and Computers MMC snap-in or via scripting.
3.7.5.1
About the Directory Synchronization Tool
When you first run the Directory Synchronization Tool, it writes a copy of each user account andall mail-enabled contacts and groups to the directory created for your organization in Office365. Directory synchronization can also provide Global Address List synchronization between theon-premises Exchange Server environment and Exchange Online.When user accounts are synchronized with the Office 365 directory for the first time, they aremarked as non-activated. They cannot send or receive email and they do not consumesubscription licenses. When you are ready to assign Office 365 subscriptions to specific users,you must select and activate these users by assigning a valid license.The Directory Synchronization Tool enables the following features and functionality:
Single sign-on.
Lync Online coexistence.
Exchange hybrid deployment including:
o
Fully shared global address list (GAL) between your on-premises Exchangeenvironment and Exchange Online.
o
Global address list unification of different mail systems with simple email coexistence.
The ability to onboard users to and offboard users from Office 365 service offerings.This requires two-way sync (write-back) enabled in Active Directory synchronizationand an Exchange hybrid server deployment on-premises.
o
The ability to move some user mailboxes to Office 365 while retaining other usermailboxes on-premises.
o
Safe senders and blocked senders on-premises are replicated and respected inExchange Online.
o
Delegation/Send on behalf of (limited).
Synchronization of photos and thumbnails, conference rooms, and security groups(rights in SharePoint Online)
Filtering and scoping (available soon). For more information see the Help topicConfigureFiltering for Directory Synchronization. There is also a 64-bit version of the Directory Synchronization Tool available.To learn more about the Directory Synchronization Tool, see the Help topicsInstall the MicrosoftOnline Services Directory Synchronization toolandDirectory Synchronization tool 64-bitsupport. 3.7.5.1.1
Required Permissions for InstallationIn order to install the directory synchronization tool you will need Enterprise Admin rights onlyduring the installation process. Post-installation a non-privileged Active Directory account willbe required. This account is created automatically at the time of Directory Synchronizationinstallation.
3.7.5.2
Number of Objects to Synchronize
The Microsoft Online Services Directory Synchronization Tool enables you to perform directorysynchronization between your on-premises Active Directory service and Microsoft OnlineServices. Before deploying the Directory Synchronization Tool, you need to determine how manyobjects in your environment will be included in synchronization with your Office 365 directory.
Note
: If your Active Directory service contains more than 20,000 objects, you will need tocontact the Office 365 support team, open a service request, and indicate the number of objectsyou need to synchronize. You can use theDeployment Readiness Toolto help assess how manytotal Active Directory objects, and specifically user objects, are stored in your Active Directoryforest.

The initial synchronization copies user accounts, mail-enabled contacts and groups from youron-premise Active Directory environment to Office 365. Depending on the number of objects and the available network bandwidth, you may want to schedule this first synchronization for aperiod of low network activity. Subsequent synchronizations copy only the incremental changesto the individual objects that have a minimal impact on network utilization.
Exchange Server Migrations

If your organization is using Exchange Sever 2010, Exchange Server 2007, Exchange Server 2003,or Hosted Exchange, you have several ways to migrate mailbox data. Table 12 describes them.The
Microsoft Office 365 Deployment Guide
for Enterprises
is primarily focused on mailboxmigrations for Exchange hybrid deployments.
Table 12. Types of Exchange Server Migrations
Type Description Tools/Methods
Cutover ExchangeMigration(Simple Migration)
Intended for small organizations that desirea quick cutover, with no coexistence, fromtheir existing Exchange mail environment toExchange Online. All on-premises mailboxesare migrated in preparation for moving yourentire email organization to ExchangeOnline. You can migrate a maximum of 1,000 mailboxes from your on-premisesExchange organization to Exchange Online.User identities are automatically provisionedby the tool. After cutover, identity federationmay be deployed.Email Migration tool via theExchange Control Panel.For step-by-step instructions,seeMigrate All ExchangeMailboxes to the Cloud.
Staged Migration
Conference Rooms and Resource Mailboxes

Conference room mailboxes represent a company’s meeting rooms or other facilities. Users can
reserve rooms by adding the conference room email alias to meeting requests in Outlook orOutlook Web App. Conference rooms appear in the Global Address List in Outlook and OutlookWeb App, and administrators can create conference rooms in the Exchange Control Panel orthrough Remote PowerShell. Administrators can also use the Directory Synchronization Tool tosynchronize conference rooms from on-premises Active Directory. The mailbox quota forconference rooms is 250 MB. Conference rooms do not require a user subscription license.For more information, see the Help topicCreate a New Room Mailbox.
3.8.16.1
Resource Booking Attendant
Exchange Online includes the Resource Booking Attendant (RBA), which helps to automate thescheduling of conference rooms. A conference room mailbox that is Resource BookingAttendant -configured automatically accepts, declines, or acknowledges meeting requests basedon its calendar availability. Through the Outlook Web App Options page, administrators cancustomize automated conference room responses and configure booking policies. Thesepolicies include who can schedule a conference room, when it can be scheduled, what meeting
information is visible on the resource’s calendar, and what percentage of scheduling conflicts is
allowed. Administrators can disable the Resource Booking Attendant and assign specific users tomanually manage meeting requests for conference rooms.For more information, see the Help topicConfigure Resource Mailbox Options.
3.8.16.2
Outlook 2010 Room Finder
Exchange Online supports the Room Finder feature of Outlook 2010, which arranges rooms into
lists (for example, a list called “Building 5 rooms”) to make it easier to find a nearby room when
scheduling a meeting. To appear in the room list, a distribution group must be specially markedusing one of two methods:
A new room list can be created using Remote PowerShell (see the TechNet articleCreatea Room List Distribution Group).
Any distribution group that contains only rooms can be converted to a room list through Remote powershell
Prepare Phase

In the Prepare phase of your deployment project, you will begin to take the steps to configure
your organization’s environment for integration with the Office 365 environment.
Figure 11 illustrates the high-level sequence of tasks that you will carry out during this phase toset up Exchange hybrid deployment.
Figure 11. High-level tasks for Exchange hybrid deployment
4.1
Key Activities Summary
The following are the key deployment tasks and events that your carry out in the Prepare phase:
Add and verify your domain name with Office 365
You must add your domain to Office 365 and then create the DNS records to configureyour company domain name for use with Office 365 services.
 Key Activities Summary

The following are the key deployment tasks and events that your carry out in the Prepare phase:
Add and verify your domain name with Office 365
You must add your domain to Office 365 and then create the DNS records to configureyour company domain name for use with Office 365 services.
Prepare your on-premises Active Directory for directory synchronization

Successful directory synchronization between your on-premises Active Directoryenvironment directory and Office 365 requires that your on-premises directory objectsand attributes are properly prepared.
Enable single sign-on (identity federation)
To enable single sign-on, you must deploy and configure Active Directory FederationServices servers on-premises.
Install the Directory Synchronization Tool and perform synchronization
Directory synchronization enables you provision user accounts for an Exchange hybriddeployment and simple coexistence, and is mandatory for single sign-on (identityfederation).
Configure email coexistence
You install and configure an Exchange 2010 hybrid server on-premises to enablecommunication between your existing Exchange servers and Exchange Online.
Configure Lync Online
You optimize your network for Lync conferencing, configuring domain federation andpublic IM connectivity settings.
Configure SharePoint Online
You prepare for deployment of any custom SharePoint solutions and migration of existing SharePoint content.
Deploy client applications and the Office 365 desktop setup
A hybrid deployment requires that rich client applications are deployed and installed on
users’ PCs
. The Office 365 desktop setup is deployed to ensure that client applicationsare properly updated and configured for Office 365.
Perform mailbox size reduction
To improve migration velocity of mailbox content, you may need to reduce the size of user mailboxes.
Prepare customer service desk
Your service desk must be trained to support Office 365 service offerings.
Test and validate email migration and coexistence
Prior to velocity migrations, you set up test user accounts to validate that migrationprocesses and that the Exchange hybrid deployment are properly functioning.
Complete the migration groups and migration schedule
Finalize the groups of users, resources, and shared mailboxes that will be moved at eachmigration window.
4.2
Network and Naming Services Tasks
This section describes the tasks you must perform to configure networking and DNScomponents for an Exchange hybrid deployment.
112Microsoft Office 365 Deployment Guide for Enterprises | December 2011
4.2.1
Add Domain and Verify Ownership
This topic describes the process
of adding a domain that you already own to Office 365. Whenyou add a domain to Office 365 you can create email addresses, Microsoft Lync Online accounts,and distribution lists that use your own domain name. You can also use your domain to host awebsite on Microsoft SharePoint Online.To add a domain, you do the following:
Add and verify your domain name with Office 365
Create the DNS records that are required to route domain traffic to your Office 365service. These are the DNS records that are required for routing inbound email toMicrosoft Exchange Online.Office 365 offers domain verification procedures that are specific to some of the most populardomain registrars. Visit theMicrosoft Online Services Forumsor contact the Office 365 supportteam to see if there is a procedure for your domain registrar. However, the procedure in thissection can be used with
any
domain registrar.You only need to add and verify a domain once. If someone else in your organization hasalready added and verified the same domain, you will receive a message noting this.To add a domain to Office 365, you use the domain wizard at the Microsoft Online ServicesPortal.
To add a domain and verify domain ownership
1.
Log on to theMicrosoft Online Services Portalwith your Office 365 administratorcredentials.2.
In the portal header, click
Admin.
3.
Under
Management
, click
Domains
.4.
Click
Add a domain
.5.
Type the name of the domain you would like to add (for example,
contoso.com
).6.
Click
Next.
7.
Click
Verify
domain.8.
From the table on the
Verify domain
page, record the following information:
o
Alias or Host Name
o
Destination or Points to AddressNow you will add the DNS record for your domain name at your domain registrar.
4.2.2
Change DNS Records at Domain Registrar
The following procedure describes the process to register a TXT or MX record for your company.
113Microsoft Office 365 Deployment Guide for Enterprises | December 2011
Note
This process requires you to access the domain account with your domain registrar.Contact the domain registrar if you need help accessing your domain account. You may
notice differences between your domain name registrar’s
process and those described inthese instructions.
To change your DNS records at your domain registrar
1.
Sign in to your domain name registrar’s website, and then select the domain that you
areverifying.2.
In the DNS management area for your account, select the option to add a
TXT
record foryour domain.3.
In the
TXT
box for the domain, type or paste the alias or host name that you recorded inthe previousAdd Domain and Verify Ownershipsection.4.
In the
Fully qualified domain name (FQDN)
or
Points to
box, type or paste theDestination or Points To Address that you recorded in theAdd Domain and VerifyOwnershipsection.5.
Where it asks for TTL information, type
1
to set TTL to
1 hour
.6.
Save your changes, and then sign out of your domain name registrar’s w
ebsite.7.
Wait 15 minutes. If you are still signed in to the Microsoft Online Services Portal click
Verify.
8.
After your domain is verified, click
Close.
If you prefer, you can use the following procedure to instead create an MX record to verify yourdomain in Office 365.1.
Sign in to your domain name registrar’s website, and then select the domain that you
areverifying.2.
In the DNS management area for your account, select the option to add a
MX
record foryour domain.3.
In the
MX
box for the domain, type or paste the alias or host name that you recorded inthe previousAdd Domain and Verify Ownershipsection.4.
In the
Fully qualified domain name (FQDN)
or
Points to
box, type or paste theDestination or Points To Address that you recorded in theAdd Domain and VerifyOwnershipsection.5.
Where it asks for TTL information, type
1
to set TTL to
1 hour
.6.
Where it asks for a priority (or preference), type a number that is larger than the number
you’ve spe
cified for existing MX records. This can help prevent the new MX record frominterfering with mail routing for the domain. Instead of a priority, you may see thefollowing options:
Low, Medium, High
. In this scenario, choose
Low
.7.
Save your changes, and the
n sign out of your domain name registrar’s website.
114Microsoft Office 365 Deployment Guide for Enterprises | December 2011
8.
Wait 15 minutes. If you are still signed in to the Microsoft Online Services Portal click
Verify.
9.
After your domain is verified, click
Close.
If you are no longer signed in:1.
Log on to theMicrosoft Online Services Portalwith your Office 365 administratorcredentials.2.
Click
Domains
.3.
Select the
Pending Verification
link next to your domain you added in the earlier step.4.
Click
Verify
.5.
After your domain is verified, click
Close.
Repeat the above steps for any other domains you intend on registering with Office 365.
4.2.3
Create Autodiscover and Sender Policy Framework Records
After you have added and verified a domain, you can enable the
Autodiscover service
to helpyour users configure the Office Outlook messaging client. Autodiscover automatically finds thecorrect Exchange Server host and configures Outlook 2010, Outlook 2007, and Windows Phoneand Windows Mobile devices for your users. It also includes an offline address book and theFree-Busy availability service that provides availability information for your users.In order to ensure the successful delivery of your email to outside partners, it is also highlyrecommended that you create a
sender policy framework (SPF) record
to make sure that otheremail environments recognize Office 365 and your on-premises email system as valid sources of email from your company. The SPF record lets you specify which computers are authorized totransmit email from your domain. This helps to prevent others from using your domain to sendspam or other malicious email. As more email environments query for Simple Mail TransferProtocol (SMTP) domain SPF records, you must create or modify your SPF records to allowExchange Online and your on-premises email system to successfully send email from yourdomain.
4.2.3.1
Create Sender Policy Framework Record
This procedure modifies records at your domain registrar to include a sender policy framework(SPF) record to allow Microsoft Exchange Online and your on-premises email system tosuccessfully send email from your domain. This procedure is highly recommended, and it isrequired if your ISP has implemented SPF.
115Microsoft Office 365 Deployment Guide for Enterprises | December 2011
To create an SPF record
1.
Log on to your domain registrar. The interface for the registrar Go Daddy (Figure 12) isreferenced in the remaining steps.2.
Click to access your account information (for example, My Account).3.
Click the domain that you want to register with Office 365.4.
Click to access details for the domain (for example, Advanced Details).5.
Open the DNS management console (for example, Launch DNS Manager).6.
In TXT or Text section, click
Add
(for example, Quick Add).7.
Under
Host
, type
@.
8.
For the
TXT
value, type
v=spf1 include:outlook.com include:spf.messaging.microsoft.com ~all.
If there is an existing SPF record, you must update it to include the
include:outlook.com include: spf.messaging.microsoft.com
statements in additionto your already declared legitimate hosts. Note that
include:spf.messaging.microsoft.com
is only required for existing FOPE customers.9.
For
TTL
/time to live, type
1 Hour
.
Figure 12. Creating an SPF record at a domain registrar
Note:
SPF is a relatively new feature and may not be implemented by your ISP. Even if your ISP has not implemented SPF, we recommend that you create an SPF record tomake sure your domain is compatible with future enhancements at your ISP.
4.2.3.2
Create Autodiscover Record
This procedure modifies records at your domain registrar to help your users configure Outlook.The interface for the registrar Go Daddy is referenced in procedure and in Figure 13.
116Microsoft Office 365 Deployment Guide for Enterprises | December 2011
To create an external Autodiscover record
1.
Log on to your domain registrar.2.
Click on your account information.3.
Click on the domain that you want to register with Office 365.4.
Click on the details for that domain.5.
Open the DNS management.6.
In CNAME or Alias section, click
Add.
7.
Under Host, type
Autodiscover.
8.
For the Points to/Destination field, enter
autodiscover.outlook.com
.9.
In
TTL
(time to live), type
1 Hour
.10.
Click
Save.
Figure 13. Creating an Autodiscover record at a domain registrar
11.
Wait 15 minutes for the Autodiscover record to register.
Note:
Outlook can use either a domain alias (CNAME) or an SRV record to locateExchange Autodiscover service. You should not add both types of record to the domain.For more information about how to use SRV records for Autodiscover, see the MicrosoftSupport articleA new feature is available that enables Outlook 2007 to use DNS ServiceLocation (SRV) records to locate the Exchange Autodiscover service.
4.2.3.3
Create Internal Autodiscover Record
If your organization has a split-brain DNS configuration and does not have an Autodiscoverrecord in its internal DNS environment, it is recommended that you create one.The following procedure demonstrates how to create an Autodiscover record in your internalDNS environment on your Windows DNS Server.
 117Microsoft Office 365 Deployment Guide for Enterprises | December 2011
To create an internal Autodiscover record
1.
Log on to your internal DNS server or domain controller.2.
Click
Start
, click
Administrative Tools
, and then click
DNS
.3.
Click to expand<
yourservername
>.4.
Click to expand
Forward Lookup Zones
.5.
Select the domain for which you would like to create an Autodiscover record.6.
Right-click the domain name and select
New Alias (CNAME)….
7.
In the
Alias Name
field, type
Autodiscover
.8.
Type the fully qualified domain name (FQDN) for the target host (Exchange Server).9.
Click
OK
.
4.3
User Identity and Account Provisioning Tasks

This section describes the tasks you must perform to prepare your Active Directory environmentfor establishing directory synchronization with Office 365 service and to install and configureActive Directory Federation Services for single sign-on. For an overview of the single sign-onfeature, review the Help topicPrepare for single sign-on.
4.3.1
Update Schema for Exchange Hybrid Deployment
If your organization is implementing an Exchange hybrid deployment, you will need to upgradeyour Active Directory schema to the Exchange Server 2010 SP1 version. Before you begin, ensureyou have the Exchange Server 2010 SP1 media available, or have downloaded theExchangeServer 2010 SP1files to an available location.
Note:
The domain controller on which you update your schema must be a 64-bit machineand included in the same Active Directory site as the schema master.
To update your Exchange schema for hybrid deployment
1.
Log on to your domain controller with an account that has schema administrative rights.2.
Click
Start
.3.
Click
Run
.4.
Type
CMD
.5.
Click
OK
.6.
Navigate to the location of the Exchange Server 2010 SP1 media or downloaded files.7.
Extract the executable. Note the location where you extract the files.8.
Type
CD
<space> <directory location of Exchange Server 2010 SP1 binaries>.Example:
cd c:\exchangeserver2010sp1
9.
Press
Enter
.
10.
Type
setup /preparead
.11.
Press
Enter
.Wait for the tool to copy files, perform pre-requisite checks, and complete the organizationalpreparation. When complete you should see a message
The Microsoft Exchange Server setupoperation completed successfully
.
4.3.2
Clean Up Active Directory
Your organization will need to prepare or
“clean up”
your Active Directory environment prior tothe initial directory synchronization with the Office 365 environment.
Important:
If Active Directory cleanup is not performed before the deployment process,there can be a significant negative impact to the directory synchronization and on-boardingprocess. It could take days, or even weeks, to iterate through the cycle of directory syncing,identifying syncing errors, and re-syncing.
In your organization’s Active Directory fore
st, perform the following clean-up tasks:
Ensure each user that is assigned Office 365 service offerings has a valid and uniqueemail address. Remove any duplicate values in the
ProxyAddres
s attribute field andUserPrincipalName that exists in your forest.
Populate the following username attributes:
o
First Name
o
Last Name
o
Display Name
Note:
For a better user experience and more complete global address list (GAL),do not leave these Username attributes blank.
For optimal use of the Global Address List (GAL), populate the following GAL attributes:
o
Job Title
o
Department
o
Office
o
Office Phone
o
Mobile Phone
o
Fax Number
o
Street Address
o
City
o
State or Province
119Microsoft Office 365 Deployment Guide for Enterprises | December 2011
o
Zip or Postal Code
o
Country or Region
4.3.2.1
Directory Object Preparation
Successful directory synchronization between your on-premises Active Directory environmentdirectory and Office 365 requires that your on-premises directory objects and attributes areproperly prepared. For example, you will need to ensure that specific characters are not used incertain Active Directory objects and attributes that are synchronized with the Office 365environment. These objects and attributes include:
userPrincipalName
sAMAccountName
proxyAddresses
givenName
sn (surname)
displayName
mailNickname (Exchange alias)
mailFor details about valid characters associated with these attributes and about additional attributerequirements, seeAppendix F: Directory Object Preparationlater in this document.
Note:
It is required that the
targetAddress
attribute (for example,SMTP:John.Doe@contoso.com) that is populated for the user must appear in the ExchangeOnline Global Address List. In third-party messaging migration scenarios, this would require theExchange schema extension for the on-premises Active Directory. The Exchange schemaextension would also add other useful attributes to manage Office 365 objects that arepopulated using the Directory Synchronization tool from on-premises. For example, the
msExchHideFromAddressLists
attribute to manage hidden mailboxes or distribution groupswould be added.
4.3.2.2
Prepare UPN Attribute
Your Active Directory environment must be properly configured in order to work with singlesign-on. In particular, the
userPrincipalName
(UPN) attribute, also known as a user logon name,must be set up for each user in a specific way.4.3.2.2.1
Add Alternative UPN Suffix to Active Directory
You must add an alternative UPN suffix to associate the user’s corporate credentials with the
Office 365 environment. A UPN suffix is the part of a UPN to the right of the @ character. UPNs
that are used for single sign-on can contain letters, numbers, periods, dashes, and underscores,but no other types of characters.
To add an alternative UPN suffix
1.
Log on to
one your organization’s Active Dire
ctory domain controllers.2.
Click
Start
,
Administrative Tools
, and then click
Active Directory Domains and Trusts
.3.
In the console tree, right-click
Active Directory Domains and Trusts
and then click
Properties
.4.
Select the
UPN Suffixes
tab, type an alternative UPN suffix for the forest, and then click
Add
.5.
Repeat step 3 to add additional alternative UPN suffixes.
Note:
If your Active Directory domain name ends with a “.local” suffix, you will need
to set a UPN that can be registered with Office 365. It is recommended that you usesomething familiar to the user, such as his or her email domain.4.3.2.2.2
Match On-Premise UPN with Office 365 UPNIf you have not yet set up Active Directory synchronization, you can skip this task and continuewith the next section.If yo
u have already set up Active Directory synchronization, the user’s UPN for Office 365 maynot match the user’s on
-premises UPN defined in Active Directory. This can occur when a userwas assigned a license before the domain was verified. To remedy this issue, use WindowsPowerShell to update users
’ UPNs
to ensure that their Office 365 UPN matches their corporateuser name and domain.
4.3.3
Deploy a Federation Server Farm
After your Active Directory environment is properly prepared, you deploy and configure ActiveDirectory Federation Services on-premises to create single sign-on access for your Office 365users.The most important operation you need to perform to provide your users with single sign-onaccess to Office 365 is to deploy a new AD FS 2.0 federation server farm. We recommend thatyou deploy at least two federation servers and two federation server proxies in order to providefault tolerance, load balancing, and scalability to your organization’s AD FS 2.0 productionenvironment.You should review the Help topicPlan for and deploy AD FS 2.0 for use with single sign-onbefore you begin your single sign-on deployment.
Pre-Installation Requirements
During the AD FS 2.0 installation process, the setup wizard attempts to automatically check forand, if necessary, install prerequisite applications and dependent hotfixes. In most cases, thesetup wizard will install all of the prerequisite applications necessary for AD FS 2.0 to operateand install.When installing AD FS 2.0 on the Windows Server 2008 platform, you will first need to makesure that Microsoft .NET Framework 3.5 Service Pack 1 (SP1) is installed on the servers runningWindows Server 2008. This is a prerequisite of AD FS 2.0. If .NET Framework 3.5 SP1 is notinstalled, the AD FS 2.0 Setup Wizard will prevent installation of the AD FS 2.0 software.You will need to install AD FS 2.0 Update Rollup 1 after you have installed AD FS 2.0. This is alsorequired to use new features such as Multiple Top-Level Domains and Client Access Policies. Formore information, see the support articleUpdate Rollup 1 for Active Directory FederationServices (AD FS) 2.0. You must complete the following tasks before you set up the single sign-on feature.
Deploy on-premises AD FS federation servers and federation server proxies. Federationserver proxies are necessary for remote access for users without a VPN with clients suchas Outlook and ActiveSync.
Add your Active Directory Federation Services server(s) to your Active Directory forest.
Create a service account in Active Directory to deploy Active Directory FederationServices in a farm.
Download and install the Windows Management Framework Core package (WindowsPowerShell 2.0 and WinRM 2.0).
Download and run theActive Directory Federation Services 2.0installation package. Thefollowing roles and features will be automatically be installed in the process:
o
Windows PowerShell
o
.NET Framework 3.5 SP1
o
Internet Information Services (IIS) 7
o
Windows Identity Foundation
Download the Office 365 desktop setup or manually install the Microsoft Online ServicesSign-in assistant
Install and configure MicrosoftSQL Server 2008(Standard or Enterprise) if yourorganization has more than 60,000 users who will use Office 365 service offerings.
Configure an external DNS Host (A) Record for your AD FS Proxy (examplests.contoso.com).
Prepare for trusted third-party SSL certificate (for example, Go Daddy or VeriSign) withAD FS instance name (example, sts.contoso.com).The instructions in the next sections include how to obtain your certificate and configure it forAD FS.

Note:
Certificates are an integral part of deploying AD FS with Office 365 identity federation.It is highly suggested that you attain a separate certificate with the name of your AD FSendpoint (sts.contoso.com) with a trusted third-party SSL provider. Additionally, if yourorganization leverages wildcard certificates (*.contoso.com), review your third-party SSLproviders documentation on creating and exporting wildcard certificates prior to proceeding onwith this document.
4.3.3.2
Join Federation Servers to Your Domain
You must join your federation servers to the Active Directory domain where you authenticateusers.

Note:
You can ignore this step if you will use existing domain controllers for federation.
To join your federation servers to the domain
1.
On the computer that you want to join to a domain, click
Start
, click
Control Panel
, andthen double-click
System
.2.
Under
Computer name, domain, and workgroup settings
, click
Change settings
.3.
On the
Computer Name
tab, click
Change
.4.
Under
Member of
, click
Domain
and type the name of the domain that the computerwill join.5.
Click
OK
.
4.3.3.3
(Optional) Add Resource Record to Corporate DNS for NLB Cluster
For clients on your corporate network to successfully access the Federation Service, you mustfirst create a host (A) resource record in the corporate DNS that resolves the cluster DNS nameof the Federation Service (for example, fs.fabrikam.com) to the cluster IP address in thecorporate network (for example, 172.16.1.3). You can use the following procedure to add a host(A) resource record to the corporate DNS for the NLB cluster.
Note:
This procedure is optional if you are not using a hardware network load balancer (NLB).
To add a resource record to corporate DNS for the cluster DNS name configured on thecorporate NLB host
1.
On a DNS server for the corporate network, open the DNS snap-in.2.
In the console tree, right-click the applicable forward lookup zone (for example,fabrikam.com), and then click
New Host (A or AAAA)
.3.
In the
Name
box
,
type only the computer name of the federation server or federationserver cluster; for example, for the fully qualified domain name (FQDN) fs.fabrikam.com,type
fs
.4.
In the
IP address
box, type the IP address for the federation server or federation servercluster (for example, 172.16.1.3).5.
Click
Add Host
.

Important:
It is assumed that you are using a DNS server running Windows Server 2008,Windows Server 2003, or Windows Server 2000 with the DNS Server service to control the DNSzone.
4.3.3.4
Request and Import Server Authentication Certificate to Default Web Site
This section describes the tasks you perform to request a certificate and import it to the DefaultWeb site on your AD FS server.You will later export this certificate and import it to all computers that you configure to be partof the federation server farm.4.3.3.4.1
Active Directory Federation Services CertificateAfter Active Directory Federation Services is installed, you will need to request a certificate.

Note:
The common name of your certificate will match the URL that will point your users toAD FS. For example,
sts.contoso.com
will route your users to
. It isvery important that the common name value matches the name of the AD FS website for Office365. If the value does not match, users will be prompted with a certificate warning.
To request an AD FS certificate
1.
Log on to your AD FS server.2.
Click
Start
.3.
In the search dialog box, type
Internet Information Server
.4.
Click
Internet Information Server (IIS) Manager
in the search results.5.
Click to expand your <
servername
>.6.
Double-click
Server Certificates
.
7.
Under the
Actions
choices, click
Create Certificate Request.
8.
In the
Request Certificate
dialog box, populate the fields listed.
o
Common name: sts.<
yourcompany
>.com (suggested value)
o
Organization: Your organization’s name
o
Organizational Unit: Value you may designate
o
City/locality: City/locality location of your organization
o
State/province: State/province of your organization
o
Country/region: Country/region of your organization9.
Click
Next
.10.
Select
Microsoft RSA SChannel Cryptographic Provider
(default).11.
For bit length, choose
2048,
then click
Next
.12.
In the
Specify a file name for the certificate request
window, type a file name (forexample, C:\adfscertificaterequest.txt).13.
Click
Finish
.4.3.3.4.2
Create Certificate Request with Third-Party SSL Certificate Provider
Note:
You may skip this step if you already have multiple domains Unified CommunicationsCertificates (UCC) or wildcard certificates with your third-party SSL certificate provider.If this is the first time that your organization has obtained third-party SSL certificates, considerusing either a UCC or a wildcard certificate for your organization if you need to have multiplecertificates under the same domain name as shown in the following example:
sts.contoso.com (AD FS)
mail.contoso.com (Exchange)
autodiscover.contoso.com (Exchange)
contoso.com (website)Be sure to review your third-party
SSL provider’s documentation for more information
oncreating a certificate request. If you are unsure on what type(s) of certificates to attain for yourorganization, a single domain SSL is suggested for each name space for which you desire acertificate.
Note:
In the procedures that follow, the steps reference the web interface of the domainregistrar GoDaddy for example purposes.
To create a third-party SSL certificate request
1.
Log on to your AD FS server.2.
Open Internet Explorer.3.
Enter the URL of your preferred third-party SSL certificate provider (for example,
).4.
Create an account with the third party SSL certificate provider if you do not have onealready.5.
Sign in to your account with your username and password.6.
To purchase an SSL certificate, choose
SSL & Security.
7.
Chose
Single Domain SSL
.8.
Complete the purchase of your certificate (if applicable).9.
On the right hand side of the screen, click
My Account
.10.
Under My Products, select
SSL Certificates
.11.
Select your new certificate.12.
Choose
Request Certificate
in the bottom right corner.13.
Click
Start
and type
C:\adfscertificaterequest.txt
(or the file location and name youprovided in your certificate request).14.
Press
Enter
. The certificate text file will open in Notepad.15.
In Notepad, click
Edit
.16.
Choose
Select All
.17.
Click
Edit
.18.
Choose
Copy
.19.
In Internet Explorer, on your domain registrar page, choose
Third Party or DedicatedServer or Virtual Dedicated Server without Simple Control Panel
.20.
Under
Enter your Certificate Signing Request (CSR) below
, right-click on the blankportion of the screen.21.
Chose
Paste
.22.
Click
OK
.23.
Verify the domain name is correct. The domain name
sts.contoso.com
should match yourAD FS website URL (for example,
).24.
Click
Next
.25.
Click
Finish
.4.3.3.4.3
Download Certificate from Third-Party SSL Certificate ProviderNow you will download the certificate that you created with your domain registrar.
To download a third-party SSL certificate
1.
Log on to your AD FS server.2.
Open the Internet Explorer browser.3.
Enter the URL of your preferred third-party SSL certificate provider (for example,
).4.
Log on with your username and password.5.
Under My Products, select
SSL Certificates
.6.
Check the box next to the name of your certificate you created earlier (for example,
sts.contoso.com).
7.
Check
Manage Certificate
.8.
Check the box next to the name of your certificate.9.
Choose
Download
.10.
In
Select your server type
, select
II7
.11.
Click
Download
.12.
In the
File Download
dialog box, choose
Save
.13.
Type the name of the certificate. Be sure to include the file extension (for example,
c:\sts.contoso.com.zip
).
You may choose a different folder location to save the file.14.
Double-click on the file you just saved (for example,
c:\sts.contoso.com.zip
).15.
At the top of Windows Explorer window, click
Extract all files
.16.
Choose the default directory or a different directory.17.
Click
Extract
.4.3.3.4.4
Install Third-Party SSL CertificateAfter you have downloaded your certificate, you install it on your AD FS server.
To install a third-party SSL certificate
1.
Log on to your AD FS server.2.
Click
Start
.3.
In the search dialog box, type
Internet Information Server
.4.
In the search results, click
Internet Information Server (IIS) Manager
.5.
Click to expand <
yourservername
>.6.
Double-click
Server Certificates
.7.
Under the
Actions
pane, click
Create Certificate Request
.8.
Click
Complete Certificate Request
.9.
Click the
Browse
button.10.
In the file name containing the certification authority’s response
, type the path of thecertificate you created with your domain registrar (for example,
c:\sts.contoso.com\
).11.
Next to the
File Name
field, choose
*.*
.
 Select the name of your certificate (for example,
c:\sts.contoso.com\
) and click
Open
.13.
Type a friendly name for the certificate (for example,
AD FS Certificate or sts.contoso.com
).14.
Click
OK
.4.3.3.4.5
Configure Third-Party SSL CertificateAfter you install the certificate on your AD FS server, you must configure it.
To configure the third-party SSL certificate
1.
Log on to your AD FS server.2.
Click
Start
.3.
In the search dialog box, type
Internet Information Server.
4.
In the search results, click
Internet Information Server (IIS) Manager
.5.
Expand your <
servername
> folder.6.
Expand the
Sites
folder.7.
Click
Default Web Site
.8.
In the
Actions
pane, click
Bindings.
9.
Click
https
.10.
Click
Edit
.11.
Select your certificate (for example,
sts.contoso.com
) in the SSL certificate dialog box.12.
Chose the IP address for which IIS will listen to the request for https://sts.contoso.com, orleave the default setting.13.
Click
OK
.
4.3.3.5
Create Dedicated Service Account
Before you install Active Directory Federation Services, you must first create a service account forthe federation server farm.
To create an ADFS service account
1.
Log on to a domain controller in your Active Directory forest.2.
Click
Start,
select
All Programs
, and click
Administrative Tools
.3.
Click
Active Directory Users and Computers
.(Optional) Right-click
Active Directory Users and Computers
and select the domainyou would like to create the service account.4.
Right-click the Organizational Unit you would like to create your ADFS service account in(for example
, Users
) and select
New,
and then
User
.5.
Enter the values in the required fields (First Name, Initial, Last Name, Full Name, Userlogon name, and User logon name (pre-Windows 2000). (An example of a User logonname is
svc_adfs
).6.
Click
Next
.
128Microsoft Office 365 Deployment Guide for Enterprises | December 2011
7.
Enter a
Password
and re-enter password in the
Confirm Password
field.8.
In the checkboxes, the following is recommended:
o
Select
User cannot change password
.
o
Select
Password never expires
.
o
Deselect
User must change password at next logon
.9.
Click
Next
.10.
Click
Finish
.To set the SPN of the service account, see the Help articleManually Configure a Service Accountfor a Federation Server Farm.
4.3.3.6
Install AD FS 2.0 Software
After you have created an AD FS service account you can install Active Directory FederationServices. You will need to download the AD FS software package atActive Directory FederationServices 2.0 RTWto perform this step.
To install AD FS 2.0
1.
Download the AD FS 2.0 software package for your operating system (either WindowsServer 2008 or Windows Server 2008 R2) and save the
AdfsSetup.exe
setup file to thecomputer.2.
Navigate to and double-click
AdfsSetup.exe
.3.
On the
Welcome to the AD FS 2.0 Setup Wizard
page, click
Next
.4.
On the
End-User License Agreement
page, read the license terms.5.
If you agree to the terms, select the
I accept the terms in the License Agreement
check box, and then click
Next
.6.
On the
Server Role
page, select
Federation server
, and then click
Next
.7.
On the
Completed the AD FS 2.0 Setup Wizard
page, click
Finish
.8.
Install theAD FS 2.0 Update Rollup 1. In some instances, the AD FS 2.0 installation may require a restart (for example, when dependenthotfixes have been installed).
4.3.3.7
Configure First Federation Server in Federation Server Farm
After you have installed AD FS on the computer, you can set up the computer to become thefirst federation server in a new federation server farm. You do this using the AD FS 2.0Federation Server Configuration Wizard. Membership in Domain Admins or a delegated domainaccount that has been granted write access to the Program Data container in Active Directory isthe minimum requirement to complete this procedure.
To create the first federation server to the federation server farm
1.
Click
Start
,
Administrative Tools
,
AD FS 2.0 Management
and open the
AD FS 2.0Management snap-in
.2.
On the
Overview
page, click the AD FS 2.0 Federation Server Configuration Wizard link.3.
On the
Welcome
page, verify that
Create a new Federation Service
is selected, andclick
Next
.4.
On the
Select Stand-Alone or Farm Deployment
page, click
New federation serverfarm
, and click
Next
.5.
On the
Specify the Federation Service Name
page, verify that the SSL certificate that isshowing matches the name of the certificate that was imported into the Default Web Sitein IIS previously. If this is not the correct certificate, select the appropriate certificate fromthe SSL certificate list.

Note:
The configuration wizard will not allow you to override the certificate if anSSL certificate is configured for IIS. This ensures that any intended prior IISconfiguration for SSL certificates is preserved. To work around this issue, you can goback and import the certificate to the Default Web Site of IIS again.
6.
If you have previously reinstalled AD FS on this computer, then the
Existing AD FSConfiguration Database Detected
page appears. If that page appears, click
Deletedatabase
, and then click
Next
.7.
On the
Specify a Service Account
page, click
Browse
. In the Browse dialog box, locatethe domain account that will be used as the service account in this new federation serverfarm, and then click
OK
. Type the password for this account, confirm it, and then click
Next
.8.
On the
Ready to Apply Settings
page, review the details. If the settings appear to becorrect, click
Next
to begin configuring AD FS 2.0 with these settings.9.
On the Configuration Results page, review the results. When all the configuration stepsare finished, click
Close
to exit the wizard.When you finish the steps in this procedure, the AD FS 2.0 Management snap-in willautomatically open and a message will display indicating that the required configuration isincomplete and that you should add a trusted relying party. You can disregard this message. Arelying party trust for Office 365 will be added in a later step and the message will no longerdisplay in the AD FS 2.0 Management snap-in.
4.3.3.8
Add Federation Server to Federation Server Farm
To add another federation server to the server farm, you install the AD FS 2.0 software andconfigure the required certificates on a computer. You can then configure the computer to
become a federation server in the federation server farm.4.3.3.8.1
Export and Import AD FS Federation Server CertificateBefore you configure computers as federation farm servers, you need to export the certificatefrom the first federation server and import it to any computer you want to add to the federationserver farm.
To export the AD FS federation server certificate
1.
Log on to the first AD FS federation server that you deployed on-premises.2.
Click
Start
, type
Internet Information Services (IIS) Manager
, and click
InternetInformation Services (IIS) Manager
.3.
On the
Home
page, click to expand <
servername
>.4.
In
Features View
, double-click
Server Certificates
.5.
Right-click your third-party SSL server certificate (for example,
sts.contoso.com)
and select
Export…
.6.
In the
Export to:
field, enter a path on your local computer (for example,
c:\sts.contoso.com).
A .pfx extension will automatically be added to the file you create.7.
In the
Password
field, enter a password.8.
In the
Confirm
password field, enter the same password.9.
Locate the file you created (for
example,
c:\sts.contosto.com.pfx)
.10.
Copy the file to the computers that you will add to AD FS federation server farm.4.3.3.8.2
Configure Federation Server Farm ComputerYou join a computer to a farm with the AD FS 2.0 Federation Server Configuration Wizard. Whenyou use this wizard to join a computer to an existing farm, the computer is configured with aread-only copy of the AD FS configuration database and it must receive updates from a primaryfederation server.
To configure a federation server to the federation server farm
1.
To open the AD FS 2.0 Management snap-in, click
Start, Administrative Tools, andthen AD FS 2.0 Management.
2.
On the
Overview
page or in the
Actions
pane, click
AD FS 2.0 Federation ServerConfiguration Wizard
.3.
On the
Welcome
page, verify that
Add a federation server to an existing FederationService
is selected, and then click
Next
.4.
If the AD FS 2.0 database that you selected already exists, the
Existing AD FSConfiguration Database Detected
page appears. If that occurs, click
Delete database
,and then click
Next
.
 131Microsoft Office 365 Deployment Guide for Enterprises | December 2011

Caution:
Select this option only when you are sure that the data in this AD FS 2.0database is not important or that it is not used in a production federation serverfarm.
5.
On the
Specify the Primary Federation Server and Service Account
page, under
Primary federation server name
, type the computer name of the primary federationserver in the farm, and then click
Browse
.6.
In the
Browse
dialog box, locate the domain account that is used as the service accountby all other federation servers in the existing federation server farm, and then click
OK
.7.
Type the password and confirm it, and then click
Next
.
Note:
For more information about creating this service account, see theCreateDedicated Service Accountprocedure provided earlier in this document. Eachfederation server in the federation server farm must specify the same service accountfor the farm to be operational. For example, if the service account created was
contoso\svc_adfs,
each computer you configure for the federation server role andthat will participate in the same farm must specify
contoso\svc_adfs
at this step inthe Federation Server Configuration Wizard for the farm to be operational.
8.
On the
Ready to Apply Settings
page, review the details. If the settings appear to becorrect, click
Next
to begin configuring AD FS 2.0 with these settings.9.
On the
Configuration Results
page, review the results. When all the configuration stepsare finished, click
Close
to exit the wizard.
4.3.3.9
Verify Federation Server Is Operational
You can use either of the following procedures to verify that a federation server is operational;that is, that any client on the same network can reach a new federation server.
Procedure 1: To verify that the federation server is operational
1.
Log on to a client computer that is located in the same forest as the federation server.2.
Open a browser window, in the address bar type the federation server’s DNS host name,
and then append /adfs/fs/federationserverservice.asmx to it for the new federationserver, for example:
3.
Press ENTER, and then complete the next procedure on the federation server computer.
 Note:
If you see the message
There is a problem with this website’s security
certificate
, this is because the FQDN used is different from the names registrered inthe certificate; however, this issue will be resolved with farm configuration and DNSrecord creation. Click
Continue to this website
.
Procedure 2: To verify that the federation server is operational
1.
Log on to the new federation server as an Administrator.2.
Click
Start
, point to
Administrative Tools
, and then click
Event Viewer
.3.
In the
Details
pane, double-click
Applications and Services Logs
, double-click
AD FS 2.0 Eventing
, and then click
Admin
.4.
In the
Event ID
column, look for event ID 100. If the federation server is configuredproperly, you see a new event
in the
Application
log of Event Viewer
with theevent ID 100. This event verifies that the federation server was able to successfullycommunicate with the Federation Service.
4.3.3.10
Install Microsoft Online Services Sign-In Assistant
The Microsoft Online Services Sign-In Assistant must be installed on federation server. The Sign-In Assistance can be downloaded at theMicrosoft Online Services Portal. Also seeManually update and configure desktops for Office 365.
To install the Microsoft Online Services Sign-In Assistant
1.
Log on to your AD FS federation server.2.
Click
Start
.3.
In the search dialog box, type the location where you saved the Sign-In Assistantinstallation package.4.
Double-click the .msi file for the package and then click
Run
.5.
At the
Welcome
screen, click
Next
.6.
Select the default directory for installation (you may change this if needed) and click
Install
.7.
When the installation is complete, click
Finish
.8.
Allow the tool to find any necessary patches to install and then restart the server.
4.3.3.11
Install Microsoft Online Services Module for Windows PowerShell
In order to configure single sign-on, you must install the Microsoft Online Services Module forWindows PowerShell. You can download the tool at theMicrosoft Office 365 Help site.
To install the Microsoft Online Services Module for Windows PowerShell
1.
Log on to your AD FS server.2.
Click
Start
.3.
In the search dialog box, type the location where you downloaded and saved theinstaller file for the Microsoft Online Services Module for Windows PowerShell (forexample,
c:\FederationConfig.msi
).4.
Double-click the installer file.5.
Click
Run
.6.
Click
Next
.7.
Review and accepts the license terms and click
Next
.8.
Select the default directory and options and click
Next
.9.
Click
Install
.10.
Click
Finish
.
4.3.3.12
Enable Single Sign-On
After you have installed the Microsoft Online Services Module for Windows PowerShell, you runa series of commands in the Windows PowerShell command-line interface to enable the singlesign-on feature.
To enable single sign-on with Office 365
1.
Log on to your AD FS server.2.
Open
Microsoft Online Services Module for Windows PowerShell.
PowerShell will open.3.
Type
cd\
and press
Enter.
4.
Type
$cred=Get-Credential
and press
Enter.
5.
Enter your Office 365 administrator name and password and click
OK
.6.
Type
Connect-MsolService
Credential $cred
and press
Enter
.7.
Type
Set-MsolAdfscontext -Computer <AD FS 2.0 primary server>
Note:
<AD FS 2.0 primary server> is the internal FQDN name of the primary AD FS 2.0server. This cmdlet creates a context that connects you to AD FS 2.0.8.
Press
Enter
.9.
Type
New-MsolFederatedDomain
DomainName <domain>
Example:
New-MsolFederatedDomain
DomainName contoso.com10.
Press
Enter
.11.
Using the information provided by the results of the New-MsolFederatedDomain cmdlet,contact your domain registrar to create the required DNS record. This record verifies thatyou own the domain.
134Microsoft Office 365 Deployment Guide for Enterprises | December 2011
12.
Type
New-MsolFederatedDomain
a second time, specifying the same domain name tofinalize the process
and press
Enter
.SeeSupport for Multiple Top Level Domainsif you will configure multiple top-level domains.
4.3.3.13
Verify Single Sign-on Functionality
After setting up single sign-on, you should verify that it is working correctly.
To verify single sign-on functionality
1.
In the portal header, click
Admin
.3.
Under
Management
, click
Users
.4.
Select your Cloud User ID or a test User ID that has been synchronized into the Office365 service. Ensure you know the username and password in your on-premises ActiveDirectory and that the user you have selected has a username (UserPrincipalName) thatmatches the domain you have federated.5.
Select the check box beside the test user.6.
Click the
user’s Display Name
. (For example,
John Smith
).7.
On the
Licenses
page for the user, select a license for the user (for example,
Microsoft Office 365 (Plan X
).
Warning:
If planning for Hybrid configuration do not activate a user for Exchange Onlineif this user already has an Exchange on-premises mailbox.8.
Click
Save
.9.
Select the location of the user (for example,
United States
).10.
Click
Save
.11.
Now log on to a PC.
Note:
As ADFS Proxy servers have not yet been deployed a domain-joined machineconnected to the private corporate network must be used.12.
Open Internet Explorer.13.
In the address bar, type
.14.
In the
User ID
field, type the user name for the user you assigned a license to (forexample,
jsmith@contoso.com
).15.
The web page should display with
You are now required to sign in at
<
yourdomainname.com
>.
16.
Click the sign-in link and enter your on-premises Active Directory credentials for theaccount you chose (for example, username
and password
Orang312
).17.
If the home screen to the Microsoft Online Services Portal is displayed (Figure 14) aftersigning in, it indicates that single sign-on is working properly.
Deploy a Federation Server Proxy

You deploy an AD FS 2.0 federation server proxy to act as a proxy for client logons to afederation server that is located in the corporate network. The federation server proxy alsofacilitates the distribution of security tokens for remote clients that are attempting to accessOffice 365 service offerings.Before you get started, note the following:
It is recommended that you deploy at least two federation server proxies in order toprovide fault tolerance and deploy an NLB host or third-party hardware load balancer forfault tolerance and load balancing.
You can also use third-party HTTP reverse proxies solutions to publish AD FS to theextranet. See the TechNet articleLimiting Access to Office 365 Services Based on theLocation of the Clientfor more information on pre-requisites when supporting clientaccess policies.
To complete all of the tasks using the procedures in this section you must log on to thecomputers as a member of the Administrators group, or have been delegated equivalentpermissions.Table 19 and 20 are checklists of the deployment tasks that are necessary to deploy twofederation server proxies that will redirect authentication requests to a federation server in yournew federation server farm.
Table 19. Checklist: Prepare Network Infrastructure for Federation Server Proxies
Deployment task CompletedPrepare two computers running either the Windows Server 2008 or Windows Server2008 R2 operating system to be set up as federation server proxy. Depending on thenumber of users you have, you can use existing web or proxy servers or use adedicated computer.
136Microsoft Office 365 Deployment Guide for Enterprises | December 2011
Deployment task CompletedAdd the name of the Federation Service in the corporate network (the cluster DNSname you created earlier on the NLB host in the corporate network) and itsassociated cluster IP address to the hosts files on each federation server proxymachine in the perimeter network.Create a new cluster DNS name and cluster IP address on the NLB host in theperimeter network and then add the federation server computers to the NLB cluster.If you are using Windows Server technology for your current NLB hosts, choose theappropriate link to the right based on your operating system version.
Warning
The cluster DNS name used for this new NLB cluster must match the name of theFederation Service in the corporate network.Create a new resource record for the NLB cluster in the perimeter network DNS thatpoints the cluster DNS name of the NLB cluster to its cluster IP address.Use the same server authentication certificate as the one used by the federationservers in the corporate network and install it in IIS on the Default Web Site of thefederation server proxy.
Table 20. Deploy Federation Server Proxies
Deployment task CompletedInstall the AD FS 2.0 software on the computer that will become the federationserver proxy.Configure the AD FS 2.0 software on the computer to act in the federation serverproxy role by using the AD FS 2.0 Federation Server Proxy Configuration Wizard.Using Event Viewer, verify that the federation server proxy service has started.
4.3.4.1
Export and Import AD FS Federation Server Certificate
To start the your AD FS proxy server deployment, you export your AD FS federation servercertificate and then import it to the Default Web Site for each federation server proxy in yourorganization.
To export the AD FS federation server certificate
1.
Log on to your AD FS federation server that you deployed on-premises.2.
Click
Start
, type
Internet Information Services (IIS) Manager
, and click
InternetInformation Services (IIS) Manager
.3.
On the
Home
page, click to expand <
servername
>.4.
In
Features View
, double-click
Server Certificates
.
137Microsoft Office 365 Deployment Guide for Enterprises | December 2011
5.
Right-click your third-party SSL server certificate (for example,
sts.contoso.com)
and select
Export…
.6.
In the
Export to:
field, enter a path on your local computer (for example,
c:\sts.contoso.com).
A .pfx extension will automatically be added to the file you create.7.
In the
Password
field, enter a password.8.
In the
Confirm
password field, enter the same password.9.
Locate the file you created (for
example,
c:\sts.contosto.com.pfx)
.10.
Copy the file to your AD FS proxy server.
Import Server Authentication Certificate to Default Web Site
After you obtain a server authentication certificate used by one of the federation servers in yourcorporate network, you must manually install that certificate on the Default Web Site for eachfederation server proxy in your organization.Because this certificate must be trusted by clients of AD FS 2.0, use an SSL certificate that isissued by a public certificate authority (CA) that is subordinate to a publicly trusted root (forexample, VeriSign or Thawte). For information about installing a certificate from a public CA, seethe TechNet articleRequest an Internet Server Certificate.
Note:
The subject name of this server authentication certificate must match the FQDN of thecluster DNS name (for example,
fs.contoso.com
) that you created earlier on the NLB host. If Internet Information Services (IIS) has not been installed on the proxy server, you must install IISfirst in order to complete this task. When installing IIS for the first time, we recommend that youuse the default feature options when prompted during the installation of the server role.
To import a server authentication certificate to the Default Web Site on the proxy server
1.
Click
Start
, point to
All Programs
, point to
Administrative Tools
, and then click
Internet Information Services (IIS) Manager
.2.
In the console tree, click
ComputerName
.3.
In the center pane, double-click
Server Certificates
.4.
In the
Actions
pane, click
Import
.5.
In the
Import Certificate
dialog box, click the
button.6.
Browse to the location of the Personal Information Exchange (. pfx) certificate file,highlight it, and then click
Open
.7.
Type a password for the certificate, and then click
OK
.
4.3.4.2
Add Cluster DNS Name and IP Address to Hosts File
In order for the federation server proxy to work as expected in the perimeter network, you mustadd an entry to the hosts file on each federation server proxy computer that points to the
138Microsoft Office 365 Deployment Guide for Enterprises | December 2011
cluster DNS name hosted by the NLB in the corporate network (for example, fs.fabrikam.com)and its IP address (for example, 172.16.1.3). Adding this entry to the hosts file enables thefederation server proxy to properly route a client-initiated call to a federation server eitherwithin the perimeter network or outside the perimeter network.
To add the cluster DNS name and IP address to the hosts file on the proxy server
1.
Navigate to the %systemroot%\Winnt\System32\Drivers directory folder and locate the
hosts
file.2.
In Notepad, open the
hosts
file.3.
Add the IP address and the host name of a federation server in the account partner tothe
hosts
file, as shown in the following example:
172.16.1.3 fs.fabrikam.com
4.
Save and close the file.

Caution:
If the cluster IP address ever changes on the NLB host in the corporatenetwork, you must update the local hosts file on each federation server proxy.
4.3.4.3
Add Resource Record to Perimeter DNS for Cluster DNS Name
To service authentication requests from clients either in the perimeter network or outside theperimeter network, AD FS 2.0 requires name resolution to be configured on external-facing DNS
servers that host the organization’s zone (for example, fabrikam.com).
To do this, add a Host (A) Resource Record to the external-facing DNS server that serves onlythe perimeter network for the cluster DN
S name (for example, “fs.fabrikam.com”) to point to the
external cluster IP address that has just been configured.
To add a resource record to the perimeter DNS for the cluster DNS name configured onthe perimeter NLB host
1.
On a DNS server for the perimeter network, click
Start
, point to
Administrative Tools
,and then click
DNS
.2.
In the console tree of the DNS snap-in, right-click the applicable forward lookup zone(for example, fabrikam.com), and then click
New Host (A or AAAA)
.3.
In the
Name
box, type only the name of the cluster DNS name you specified on the NLBhost in the perimeter network (this should be the same DNS name as the name of theFederation Service). For example, for the FQDN fs.fabrikam.com, type
fs
.4.
In the
IP address
box, type the IP address for the new cluster IP address you specified onthe NLB host in the perimeter network (for example,
192.0.2.3)
.5.
Click
Add Host
.
139Microsoft Office 365 Deployment Guide for Enterprises | December 2011
4.3.4.4
Install the AD FS 2.0 Software on Proxy Computer
You must install the AD FS 2.0 software on any computer that you are preparing for thefederation server proxy role. You can install this software by either using the AD FS 2.0 SetupWizard or by using a command line parameter. For more information about this parameter, seetheAD FS 2.0 Deployment Guide. Make sure to complete the installation process by installing all of the required hotfixes on eachfederation server proxy, as indicated by the last step in this procedure.
To install the AD FS 2.0 software on the proxy computer
1.
Download the AD FS 2.0 software package for your specific operating system version(either Windows Server 2008 or Windows Server 2008 R2) by saving the
AdfsSetup.exe
setup file onto the computer. To download this file, go toActive Directory FederationServices 2.0 RTW. 2.
Locate and double-click the
AdfsSetup.exe
setup file that you downloaded to thecomputer.3.
On the
Welcome to the AD FS 2.0 Setup Wizard
page, click
Next
.4.
On the
End-User License Agreement
page, read the license terms.5.
If you agree to the terms, select the
I accept the terms in the License Agreement
check box, and then click
Next
.6.
On the
Server Role
page, select
Federation server proxy
, and then click
Next
.7.
On the
Completed the AD FS 2.0 Setup Wizard
page, verify that the
Start theAD FS 2.0 Federation Server Proxy Configuration Wizard when this wizard closes
check box is selected, and then click
Finish
to restart the computer.
4.3.4.5
Configure Federation Server Proxy Role
After you configure the proxy computer with the required certificates and have installed theAD FS 2.0 software, you are ready to configure the computer to become a federation serverproxy. You can use the following procedure so that the computer acts in the federation serverproxy role.
140Microsoft Office 365 Deployment Guide for Enterprises | December 2011
Important:
Before you use this procedure to configure the federation server proxycomputer, make sure that you have completed your federation server farm deployment asdescribed in theDeploy a Federation Server Farmsection. Make sure that at least one federationserver is deployed and that all the necessary credentials for authorizing a federation server proxyconfiguration are implemented. You must also configure Secure Sockets Layer (SSL) bindings onthe Default Web Site, or this wizard will not start. All these tasks must be completed before thisfederation server proxy can function.
After you finish setting up the computer, verify that the federation server proxy is working asexpected. For more information, see theVerify Federation Server Proxy Is Operationalsection of the document.
To configure the computer for the federation server proxy role
1.
On the
Completed the AD FS 2.0 Setup Wizard
page in the AD FS 2.0 Setup Wizard,the check box
Start the AD FS 2.0 Federation Server Proxy Configuration Wizardwhen this wizard closes
is selected by default.2.
Start the wizard, and on the
Welcome
page, click
Next
.3.
On the
Specify Federation Service Name
page, under
Federation Service name
, typethe name that represents the Federation Service for which this computer will act in theproxy role (for example, fs.contoso.com).4.
Based on your specific network requirements, determine whether you will need to use anHTTP proxy server to forward requests to the Federation Service. If so, select the
Use anHTTP proxy server when sending requests to this Federation Service
check box,under
HTTP proxy server address
type the address of the proxy server, click
TestConnection
to verify connectivity, and then click
Next
.5.
When you are prompted, specify the credentials that are necessary to establish a trustbetween this federation server proxy and the Federation Service.By default, only the service account used by the Federation Service or a member of thelocal BUILTIN\Administrators group can authorize a federation server proxy.6.
On the
Ready to Apply Settings
page, review the details. If the settings appear to becorrect, click
Next
to begin configuring this computer with these proxy settings.7.
On the
Configuration Results
page, review the results. When all the configuration stepsare finished, click
Close
to exit the wizard.
4.3.4.6
Verify Federation Server Proxy Is Operational
You can use the following procedure to verify that the federation server proxy can communicatewith the Federation Service in AD FS 2.0. You run this procedure after you run the
AD FS 2.0
141Microsoft Office 365 Deployment Guide for Enterprises | December 2011
Federation Server Proxy Configuration Wizard
to configure the computer to run in thefederation server proxy role.
Important:
The result of this test is the successful generation of a specific event in EventViewer on the federation server proxy computer.
To verify that the federation server proxy is operational
1.
Log on to the federation server proxy as an Administrator.2.
Click
Start
, point to
Administrative Tools
, and then click
Event Viewer
.3.
In the details pane, double-click
Applications and Services Logs
, double-click
AD FS 2.0 Eventing
, and then click
Admin
.4.
In the
Event ID
column, look for event ID
198
.If the federation server proxy is configured properly, you will see a new event in the Applicationlog of Event Viewer, with the event ID 198. This event verifies that the federation server proxyservice was started successfully and now is online.
4.3.4.7
Testing Naming Services
You now can test network connectivity to your AD FS federation server and federation serverproxies.
Internal Network Test
In your DNS environment, you should have an entry for your AD FS instance (sts.contoso.com),or your local hosts file should be modified to point to your AD FS instance, (sts.contoso.com) toyour AD FS federation server.1.
Log on to your AD FS proxy server you deployed on-premises in your edge network.2.
Click
Start
, and then click
Run
.3.
Type
CMD
and then click
OK
.4.
Type
ping
<space> and then your federation name (for example,
sts.contoso.com
).5.
Press
Enter
.For example, the response you receive is 167.2.2.1, a reply from your internal network.
External Network Test
You should be able to ping
sts.contoso.com
from a computer and reach the externally facing ADFS proxy server.1.
Log on to a computer.2.
Click
Start
, and then click
Run
.3.
Type
CMD
and then click
OK
.
142Microsoft Office 365 Deployment Guide for Enterprises | December 2011
4.
Type
ping
<space> and the name of your federation name (for example,sts.contoso.com).For example, the response you receive is a reply from 65.64.63.123 (your external network).
4.3.4.8
Post Installation Validation
You can verify that single sign-on was set up correctly by testing it further.1.
Log on to a computer.
Note:
You must use a computer connected to the Internet and not the corporate networkso that it will be redirected to the ADFS proxy servers.2.
Open Internet Explorer and type
in the addressbar.3.
In the
User ID
field, type your user name (for example,
jsmith@contoso.com
).4.
The web page should update with
You are now required to sign in at<
yourdomainname.com
>.
5.
Click the sign-in link and, in the Sign In page (Figure 15), enter your on-premises ActiveDirectory credentials for the account you chose (for example, username
jsmith@contoso.com
and password
Orang312
).
Figure 15. Sign in page for Microsoft Online Service Portal
6.
If you are presented with the Microsoft Online Services Portal home screen (Figure 16),this indicates that your proxy server with identity federation is working properly.
143Microsoft Office 365 Deployment Guide for Enterprises | December 2011
Figure 16. Microsoft Online Services Portal home page
4.3.5
Advanced Option: Deploy Federation Services with SQL Server
The AD FS configuration database stores all the configuration data that represents a singleinstance of AD FS 2.0 (also known as the Federation Service). You can store this configurationdata in either a Microsoft SQL Server® database or using the Windows Internal Database (WID).As indicated in theCapacity Planningsection of this document, customers with 15,000-60,000users or more and multiple federation servers in the farm may want to consider using a SQLServer-based policy store. An AD FS 2.0 federation server farm configured to use WID supports amaximum of five federation servers. If you need more than five federation servers, you need toconfigure a SQL Server database to store the AD FS 2.0 configuration database.
4.3.5.1
Installation Steps
These steps provide a high-level instruction on how to install AD FS for use with SQL Server.
To install SQL Server AD FS configuration database
1.
Install the full version (not Express version) of SQL Server 2005 or higher in your on-premises environment. Note whether you install using the default instance or with aninstance name as this is important later during the configuration process.2.
Install the AD FS Core Services onto a machine designated to run this service. Bestpractice is to install on a Windows Server 2008 R2/x64 with at least 4GB of memory.3.
After the AD FS Core Services installation stops, do not default to Configuration whenasked. Uncheck the configuration option and close the application.4.
Now navigate to the following location:c:\program files\Active Directory Federation Services 2.05.
Run the following command:
FSConfig.exe CreateSQLFarm /ServiceAccount “domain\user”/ServiceAccountPassword “password” /SQLConnectionString”database=AdfsConfigurationServer;server=MSSQLSERVER\Instance [asneeded];integrated security=SSPI” /port 443 /FederationServiceName”sts.contoso.com” /AutoCertRolloverEnabled
144Microsoft Office 365 Deployment Guide for Enterprises | December 2011
Notes:
/
ServiceAccount: Must be created before this command is run, see theCreateDedicated Service Accountsection.
Server: Should either be the MSSQLSERVER which is the default install for SQL orMSSQLSERVER\Instance IF an instance has been created for use with the AD FSServices.
/FederationServiceName
:
Should refer to the Common Name of your certificate usedfor your AD FS Services
4.3.5.2
Configure Communication with Federation Gateway
After the AD FS server has been configured to use SQL, use the following steps to configure theserver to communicate with the Microsoft Federation Gateway.1.
Download and install the Microsoft ID components and ensure the Microsoft OnlineServices Module for Windows PowerShell is installed.2.
Run the following PowerShell cmdlets to create your custom federated domain:
Import-module msonline$cred=Get-Credential [Enter your Online Admin Account]Connect-MsolService
Credential $credSet-MsolAdfscontext
Computer <AD FS 2.0 primary server internal FQDN>New-MsolFederatedDomain
DomainName <domain>
4.3.5.2.1
Install Second or future AD FS Core Services with Full SQL1.
Follow the above steps but change the command to Join the SQL Farm instead of creating, as it has already been created.2.
After the initial SQL Database has been created, use the following command on any ADFS Servers wanting to use Full SQL:
FSConfig.exe JoinSQLFarm /ServiceAccount “domain\user”/ServiceAccountPassword “password” /SQLConnectionString”database=AdfsConfigurationServer;server=MSSQLSERVER\Instance [asneeded];integrated security=SSPI”
Note
4.3.5.3
Converting from Windows Internal Database to SQL Database
The Windows Internal Database is a Windows Server feature that is automatically installed on
145Microsoft Office 365 Deployment Guide for Enterprises | December 2011
the computer after you complete the AD FS 2.0 Federation Server Configuration Wizard for thefirst time. Because the wizard does not provide an option to choose SQL Server as the store forthe AD FS configuration database, your organization may simply continue to use the wizarddefaults to see if they work well for your infrastructure.However, it is highly possible that in time you will want to scale out your federation server farmto use more than five federation servers by migrating the configuration database to SQL Server.
By migrating to SQL you will obtain scale, high availability and also be able to use SQL’s backup
mechanisms.This section is provided for just this situation and will walk you through all the steps necessaryto migrate your existing AD FS configuration data from your current Windows Internal Databasestore (in a production environment) to a new SQL Server store.4.3.5.3.1
AD FS 2.0: Migrate Your AD FS Configuration Database to SQL ServerIn the steps that follow, use steps 1, 2, 3, and 5 on the primary federation server. Follow steps1,2, 4, and 5 on each of the secondary federation servers in the farm. These steps include:1.
Backing up the federation server2.
Temporarily disable the computer in the load balancer3.
Performing steps on the primary federation server4.
Performing steps on all of the secondary federation servers5.
Enabling the computer on the load balancerFor more information seeAD FS 2.0: Migrate Your AD FS Configuration Database to SQL Serveron the TechNet Wiki site. For more information about the pros and cons of using eitherWindows Internal Database or SQL Server to store AD FS 2.0 configuration data, see the TechNetarticleThe Role of the AD FS Configuration Databasein the AD FS 2.0 Design Guide.
Step 1: Backing up the federation server
Use Windows Server Backup to back up the entire federation server computer including the ADFS configuration database stored in Windows Internal Database. You can also use WindowsServer Backup to restore the AD FS configuration database.More information about how to back up the AD FS configuration database will be out soon.Once this content is provided we will update this link.
Step 2: Temporarily remove server from load balancer
If your federation server is running in a farm and you have a load balancer, temporarily removethis machine from the load balancer configuration.
146Microsoft Office 365 Deployment Guide for Enterprises | December 2011
Step 3: Performing steps on the primary federation server
1.
On the primary federation server in the farm, download the SQL Server 2008Management Studio Express software and install it on the primary federation server. Thesoftware is available from theMicrosoft Download Center.

Note
: This software is necessary in order to install and register the SQLCMDcommand-line tool, which is used in an upcoming step.
2.
Stop the AD FS 2.0 Windows Service on the primary federation server.3.
Open an elevated command prompt, type the following command-line to stop the AD FS2.0 Windows Service and then press ENTER.
net stop adfssrv
4.
Connect to the Windows Internal Database that currently stores the AD FS configurationdatabase and then detach both the AD FS configuration and artifact databases. In thecommand prompt window, type the following SQLCMD command-line syntaxes in order,and then press ENTER after each one.
sqlcmd -S \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\queryuse mastergosp_detach_db ‘adfsconfiguration’gosp_detach_db ‘adfsartifactstore’go
5.
Connect to SQL server and attach the configuration and artifact database from theprimary federation server. This process assumes you have copied the database file andlogs to the SQL server prior to reattaching the database. In the command promptwindow, type the following SQLCMD command-line syntaxes in order, and then pressENTER after each one. In SQLServer\SQLInstance below, type in the appropriate SQLServer and SQL Server instance name where you are migrating the configuration data to.For example,
contososrv01\adfs
.
sqlcmd -S <SQLServer\SQLInstance>use mastergosp_attach_db ‘adfsconfiguration’,’c:\windows\sysmsi\ssee\mssql.2005\mssql\data\adfsconfiguration.mdf’,’c:\windows\sysmsi\ssee\mssql.2005\mssql\data\adfsconfiguration_log.ldf’ go sp_attach_db ‘adfsartifactstore’,
147Microsoft Office 365 Deployment Guide for Enterprises | December 2011
‘c:\windows\sysmsi\ssee\mssql.2005\mssql\data\adfsartifactstore.mdf’,’c:\windows\sysmsi\ssee\mssql.2005\mssql\data\adfsartifactstore_log.ldf’goalter database AdfsConfiguration set enable_broker with rollbackimmediatego
6.
Change the configuration database connection string to point to the new SQL Server-based AD FS configuration database. Open a Windows PowerShell command-line, typethe following command-line syntaxes in order, and then press ENTER after each one. InSQLServer\SQLInstance below, type in the appropriate SQL Server and SQL Serverinstance name where you are migrating the configuration data to. For example,contososrv01\adfs.
$temp= GEt-WmiObject -namespace root/AD FS -class SecurityTokenService
$temp.ConfigurationdatabaseConnectionstring=”data
source=<SQLServer\SQLInstance>; initial
catalog=adfsconfiguration;integrated security=true”
$temp.put()
7.
Open an elevated command-line prompt, type the following command-line syntax tostart the AD FS 2.0 Windows Service, and then press ENTER.
Net start adfssrv
8.
Change the artifact connection string to point to the new SQL Server-based artifact datalocation. Open a Windows PowerShell command-line, type the following command-linesyntaxes in order, and then press ENTER after each one. In SQLServer\SQLInstance below,type in the appropriate SQL Server and SQL Server instance name where you aremigrating the artifact data to. For example, contososrv01\adfs.
Add-pssnapin microsoft.adfs.powershellSet-adfsproperties
–artifactdbconnection “data
source=<SQLServer\SQLInstance>; initial
catalog=adfsartifactstore;integrated security=true”
9.
Stop and restart the AD FS 2.0 Windows Service to refresh the new settings. Open aregular command-line prompt, type the following command-line syntaxes to stop andstart the AD FS 2.0 Windows Service, and then press ENTER after each one.
Net stop adfssrvNet start adfssrv
148Microsoft Office 365 Deployment Guide for Enterprises | December 2011
Step 4: Performing steps on the secondary federation server
Make sure the primary federation server has been added back to the load balancer beforeproceeding with this section.1.
Make sure the secondary federation server has been temporarily removed from the loadbalancer before proceeding.2.
On a secondary federation server in the farm, open an elevated command prompt, typethe following command-line to stop the AD FS 2.0 Windows Service, and then pressENTER.
net stop adfssrv
3.
Change the configuration database connection string to point to the new SQL Server-based AD FS configuration database. Open a Windows PowerShell command-line, typethe following command-line syntaxes in order, and then press ENTER after each one. InSQLServer\SQLInstance, type in the appropriate SQL Server and SQL Server instancename where you are migrating the configuration data to. For example,contososrv01\adfs.
$temp= GEt-WmiObject -namespace root/AD FS -class SecurityTokenService
$temp.ConfigurationdatabaseConnectionstring=”data
source=<SQLServer\SQLInstance>; initial
catalog=adfsconfiguration;integrated security=true”
$temp.put()
4.
Open a regular command-line prompt, type the following command-line syntax to startthe AD FS 2.0 Windows Service, and then press ENTER:
Net start adfssrv
5.
Change the artifact connection string to point to the new SQL Server-based artifact datalocation. Open a Windows PowerShell command-line, type the following command-linesyntaxes in order, and then press ENTER after each one. In SQLServer\SQLInstance below,type in the appropriate SQL Server and SQL Server instance name where you aremigrating the artifact data to. For example, contososrv01\adfs.
Add-pssnapin microsoft.adfs.powershellSet-adfsproperties
–artifactdbconnection “data
source=<SQLServer\SQLInstance>; initial
catalog=adfsartifactstore;integrated security=true”
6.
Stop and restart the AD FS 2.0 Windows Service to refresh the new settings. Open aregular command-line prompt, type the following command-line syntaxes to stop andstart the AD FS 2.0 Windows Service, and then press ENTER after each one:
Net stop adfssrv
149Microsoft Office 365 Deployment Guide for Enterprises | December 2011
Net start adfssrv
7.
Verify that the service starts up successfully.8.
Repeat these steps for every federation server in this Windows Internal Database-basedfarm.
Step 5: Enabling this computer on the load balancer
Enable the computer in the load balancer so that requests are sent to it.
4.3.6
Advanced Option: Limiting Office 365 Access Based on ClientLocation
You can create custom claim rules in AD FS 2.0 that will limit your users’ access to Office 365
services based on the physical location of the client computer or client device through whichyour user is requesting access.For more information about how to create these rules, seeLimiting Access to Office 365 ServicesBased on Client Location.
4.3.7
Deploy Directory Synchronization
After you have completed Active Directory clean up, reduced user mailbox sizes if necessary, andimplemented Active Directory Federation Services, you can move forward with the steps tosynchronize information from your on-premises Active Directory to the Office 365 directoryservice.Synchronization is performed with the Microsoft Online Services Directory Synchronization Tool.By default, the Directory Synchronization Tool will install Microsoft SQL Server 2008 R2 Expressfor database purposes. If your organizations has more than 50,000 objects to synchronize, yourorganization should install the full version of SQL Server 2008 or 2008 R2.For additional information, see the following Help topics:
4.3.7.1
Install and Configure Directory Synchronization Tool (Fewer Than 50,000Objects)
The following steps are recommended for organizations with fewer than 50,000 Active Directoryobjects to synchronize and require only SQL Server 2008 R2 Express Edition. When you installand set up of the Directory Synchronization Tool on a dedicated computer, SQL Server 2008 R2Express Edition is also installed. Before beginning the installation process, refer to the
150Microsoft Office 365 Deployment Guide for Enterprises | December 2011
deployment plan and verify that you have met the computer requirements and that you havethe necessary permissions.The first step is to activate the directory synchronization in the Microsoft Online Services Portal.
To activate directory synchronization
1.
Sign in to the Microsoft Online Services Portal with your Office 365 administratorcredentials.2.
In the portal header, click
Admin
.3.
Under
Management
, click
Users
.4.
Next to
Active Directory synchronization (Deactivated)
, click
Activate
.5.
On the
Set up Active Directory Synchronization
page, at step 3
Activate ActiveDirectory Synchronization
, click
Activate
.6.
When the
Are you sure you want to activate
message is displayed, click
Yes
.After activating directory synchronization, you install the Directory Synchronization Tool andSQL Server Express Edition on its own member server or install the tool on its own memberserver and point to a SQL Server cluster. See the guidance that follows on using a separate SQLServer with the Directory Synchronization Tool.You should have downloaded and saved the Microsoft Online Directory Synchronization Toolpackage to your computer before you start.
To install the Directory Synchronization Tool
1.
Log on to the computer that will run the Directory Synchronization Tool.2.
Click
Start,
click
Run
, type the path to where you saved the Directory SynchronizationTool package, and then click
OK.
3.
Double-click
DirSync.exe
.4.
Click
Run
.5.
At the
Welcome
screen, click
Next
.6.
Review and accept the license terms, and then click
Next
.7.
At the
Installation Folder
screen, click
Next
.You may consider installing the tool in a directory different from the default location.There is the potential for better tool performance if installed on a separate physical disk.8.
At the
Installation Complete
screen, click
Next
.9.
Leave the
Start Configuration Wizard now
box checked and click
Finish
.10.
At the Configuration Wizard
Welcome
page, click
Next
.11.
Enter your Office 365 administrator account credentials at the Microsoft Online Servicescredentials screen and click
Next
. (For example, user name: johnsmith@contoso.com;password: Orang312.)
151Microsoft Office 365 Deployment Guide for Enterprises | December 2011
12.
Enter your Active Directory enterprise administrator account credentials at the
ActiveDirectory Enterprise Admin Credentials
screen and click
Next
.(For example, username: administrator@contoso.com; password: Appl312.)13.
At the
Configuration Complete
screen, click
Next
.14.
Leave the
Synchronize directories now
box checked, and click
Finish
.15.
At the final screen that highlights the information on verifying directory synchronization,click
OK
.
4.3.7.2
Install Directory Synchronization Tool (More Than 50,000 Objects)
These procedures describe the Directory Synchronization Tool installation with SQL Server 2008or 2008 R2 Full Edition for organizations with more than 50,000 Active Directory objects.You begin by activating directory synchronization in the Microsoft Online Services Portal.
To activate directory synchronization
1.
Sign in to the Microsoft Online Services Portal with your Office 365 administratorcredentials.2.
In the portal header, click
Admin
.3.
Under
Management
, click
Users
.4.
Next to
Active Directory synchronization (Deactivated)
, click
Activate
.5.
On the
Set up Active Directory Synchronization
page, at step 3
Activate ActiveDirectory Synchronization
, click
Activate
.6.
When the
Are you sure you want to activate
message is displayed, click
Yes
.After activating directory synchronization, you install the Directory Synchronization Tool on theSQL Server or install on its own member server and point to a SQL cluster.You should download and save theMicrosoft Online Directory Synchronization Toolpackage toyour computer before you start. If you will use the 64-bit version, seeDirectory Synchronizationtool 64-bit supportfor more information.
To install the Directory Synchronization Tool using a separate SQL Server
1.
Log on to the computer that will run the Directory Synchronization Tool.2.
Click
Start
and click
Run.
3.
Type
CMD
and click
OK
.4.
Type the path of where you saved the Microsoft Online Directory Synchronization Toolpackage.5.
Type
DirSync.exe /fullsql
and press
Enter
.If prompted with a User Account Control prompt, and click
Continue
, or enter theusername and password of an administrator account, and click
OK
.6.
At the
Welcome
screen, click
Next
.
152Microsoft Office 365 Deployment Guide for Enterprises | December 2011
7.
Review and accept the license terms, and click
Next
.8.
At the
Installation Folder
screen, click
Next.
You may consider installing the tool in a directory different than the default location.There is the potential for better tool performance if installed on a separate physical disk.9.
At the
Installation Complete
screen, click
Next
.10.
Click
Finish
.Now you install the Directory Synchronization Tool using Windows PowerShell.
To configure the Directory Synchronization Tool using Windows PowerShell
1.
On the computer on which the Directory Synchronization Tool was installed, openWindows PowerShell by opening the command-line tool and entering the command
Powershell.exe
noexit
.2.
Press
Enter
.3.
At the Windows PowerShell prompt, type
Add-PSSnapin Coexistence-Install
.4.
To install the Directory Synchronization Tool onto the same system as SQL Server 2008or 2008 R2, type
Install-OnlineCoexistenceTool
UseSQLServer
Verbose.
-OR-To install the Directory Synchronization Tool using a remote installation of SQL Server2008, type
Install-OnlineCoexistenceTool
UseSQLServer
SqlServer<SQLServerName> -ServiceCredential (Get-Credential)
Verbose.
5.
At the Windows PowerShell Credential Request prompt, type the username andpassword of the domain account that will be used to run the Microsoft IdentityIntegration Server service and the Microsoft Online Directory Services SynchronizationService.6.
Run the Microsoft Online Services Directory Synchronization Configuration Wizard tocomplete the installation.4.3.7.2.1
Complete Directory Synchronization Tool ConfigurationAfter installing SQL Server 2008 or 2008 R2, you must complete the Microsoft Online ServicesDirectory Synchronization Tool Configuration Wizard before synchronization will occur.
To complete the Directory Synchronization Tool installation
1.
If you are working through the Directory Synchronization Tool Installation Wizard, on theFinish page, select
Start Configuration Wizard now
, and then click
Finish
.- OR -Click
Start
,
All Programs
,
Microsoft Directory Sync
, and then click
Directory SyncConfiguration
.
153Microsoft Office 365 Deployment Guide for Enterprises | December 2011
2.
On the
Microsoft Online Services Credentials
page of the Microsoft Online ServicesDirectory Synchronization Configuration Wizard, provide the user name and passwordfor a user account with Administrator permissions in your organization.3.
On the
Active Directory Credentials
page, provide the user name and password for anaccount with Enterprise Admin permissions on the on-premises Active Directory service.4.
On the
Finish
page, select
Synchronize directories now
, and then click
Finish
.
Important
The Microsoft Online Services credentials that were provided are used tosynchronize information from the on-premises Active Directory to the Office 365 directoryservice. If you change the password associated with this account, you must rerun theconfiguration wizard and provide the updated credentials.The Enterprise Admin credentials that were provided are not saved. They are used to createthe MSOL_AD_Sync directory synchronization service account. This service account is used toread the changes from the on-premises Active Directory.
4.3.7.3
Verify Directory Synchronization
Verifying directory synchronization from your on-premises Active Directory to Office 365requires testing both forced (manual) synchronization and automatic synchronization. Becausethe Directory Synchronization Tool performs an automatic one-way synchronization betweenthe on-premises Active Directory and the Office 365 directory once every three hours,completion of this procedure may take up to three hours. You can also force directorysynchronization at any time using PowerShell.The Directory Synchronization Tool writes entries to an event log. These entries indicate the startand end of a synchronization session. When you review the event log, look for entries where the
source is “Directory Synchronization.” An entry that is designated “Event 4” and that has the
description “The export has completed” indicates that the directory synchronization is complete.Directory synchronization errors are also sent via email to your designated technical contact.After the Directory Synchronization Tool is installed and configured, your on-premises ActiveDirectory is the master for all changes to the synchronized mail-enabled objects in Office 365.The following procedures show how both forced and automatic verification work and youshould perform them in sequence. You make changes to mail-enabled objects in the on-premises Active Directory and verify that those changes are synchronized with Office 365.
154Microsoft Office 365 Deployment Guide for Enterprises | December 2011
4.3.7.4
Forced Directory Synchronization
The following procedure describes how to force immediate directory synchronization and verifythe synchronization changes are made. Forcing directory synchronization bypasses thereplication window of three hours and applies incremental changes immediately.1.
Sign in to theMicrosoft Online Services Portalusing your administrator user name andpassword.2.
Ensure that the Technical Contact information contains a valid email address that ismonitored by the technical contact. The technical contact information can be viewed byclicking your organization’s name in the left hand side of the navigation pane (above theAdmin Overview menu option.)3.
Verify the address properties of a user account that is being synchronized from the on-premises Active Directory to the Microsoft Online Services Portal.4.
Verify that you cannot edit the address properties of that user account using theMicrosoft Online Services Portal.5.
On your domain controller, open Active Directory Users and Computers and target theon-premises Active Directory forest/domain with permissions to edit user accounts,contacts, and distribution groups.6.
Make a simple but obvious change to one of the email address properties of the useraccount that you verified in step 2.7.
Open the Microsoft Online Services Directory Synchronization Configuration Wizard,provide the information requested on the wizard pages, and on the
Finish
page, select
Synchronize directories now
, and then click
Finish
.8.
When the synchronization is complete, view the address properties of the user in theMicrosoft Online Services Portal and verify that the changes you made in the on-premises Active Directory have been synchronized to Office 365.
Note
: You can also use the Windows PowerShell
cmdlet from the dirsync PSSnapin “start
-onlineCoexistenceSync.Next you will see how automatic directory synchronization works using the DirectorySynchronization Tool.
4.3.7.5
Automatic Directory Synchronization
The Directory Synchronization Tool synchronizes changes to user accounts and mail-enabledcontacts and groups from your on-premises Active Directory to your Office 365 directory serviceevery three hours, beginning at the time of the initial synchronization.
155Microsoft Office 365 Deployment Guide for Enterprises | December 2011
To verify automatic directory synchronization
1.
Sign in to theMicrosoft Online Services Portalusing your administrator user name andpassword.2.
Ensure your Technical Contact information contains a valid email address that ismonitored by the technical contact on a daily basis.3.
In the Microsoft Online Services Portal, verify the address properties of a specific useraccount, contact, and distribution group that are being synchronized from your on-premises Active Directory to Office 365.4.
In Microsoft Online Services Portal, modify the address properties of the contact anddistribution group that you verified in step 3 of the forced directory synchronizationprocedure.5.
On your domain controller, open Active Directory Users and Computers and target youron-premises Active Directory forest/domain with permissions to edit user accounts,contacts, and distribution groups.6.
In the on-premises Active Directory, make a simple but obvious change to one of theaddress properties of the user account that you verified in step 3 of the forced directorysynchronization procedure.7.
In the on-premises Active Directory, make simple but obvious changes to the contactand the distribution group that you modified in step 4.8.
Check the directory synchronization event log to determine when directorysynchronization is complete. This may take up to three hours.9.
When synchronization is complete, view the properties of the user, contact, anddistribution list in the Microsoft Online Services Portal and verify that the changes youmade in the on-premises Active Directory now appear in Office 365.In this procedure, the changes you made to the contact and distribution group in Office 365have been overwritten by the changes you made to the same contact and distribution group inthe on-premises Active Directory.
4.3.7.6
Maintain Authentication to On-premises Resources
After your organization has established email coexistence between its on-premises ExchangeServer environment and Exchange Online, and established directory synchronization of useraccounts and mail-enabled contacts and groups from the on-premises Active Directory to Office365, you may want to continue using Active Directory authentication to control access to on-premises printers, file shares, and other network resources.In this scenario, leave directory synchronization running to continue to synchronize useraccounts and mail-enabled contacts and groups from the on-premises Active Directory to Office365. Continue to edit the properties of these objects in the on-premises Active Directory.
156Microsoft Office 365 Deployment Guide for Enterprises | December 2011
4.4
Implement Password Policies for Cloud Identities
Your organization may choose not to federate your on-premises Active Directory for single sign-on functionality. If so, it is important to understand the Office 365 password policies. Table 21shows the password policies and options for Microsoft Online Services IDs (cloud identities).
Table 21. Password PoliciesProperty DescriptionPassword restrictions
8 characters minimum and 16 characters maximumAllowed values:
A
Za
z0
9! @ # $ % ^ & * – _ + = [ ] { } | \
: ‘ , . ? / ` ~ “ < > ( ) ;
Disallowed values:
UNICODESpacesNon-English charactersUsername alias (part before @ symbol)
Password expiryduration
90 days (non-configurable)
Password expiry
Password expiry is enabled by default. When enabled, users are forced tochange their passwords after 90 days. Users do not receive any form of password expiry notification.Administrators are able to enable and disable the password expiry settingat the user level through the Microsoft Online Services Module forWindows PowerShell.
Password strength
Strong passwords require 3 out of 4 of the following:
Lowercase charactersUppercase charactersNumbers (0-9)Symbols (see password restrictions above)
Users by default are required to create strong passwords when theychange their passwords. Administrators are able to enable and disable thissetting at the user level through the Microsoft Online Services Module forWindows PowerShell.
157Microsoft Office 365 Deployment Guide for Enterprises | December 2011
Property DescriptionPassword history
Last password cannot be used again.
Password historyduration
None
Account lockout
After 10 unsuccessful sign-in attempts with the wrong password, the usermust solve a CAPTCHA dialog as part of the sign-in process. After 10unsuccessful additional sign-in attempts with the wrong password andcorrect solving of the CAPTCHA dialog, the user is locked out of theiraccount for a time period. Additional incorrect passwords results in anincrease in the lockout time.
For more information about password policies, seethe Office 365 Identity Service Descriptionand the Help articleChange your password.
4.5
Activate User Licenses
Your organization cannot enable Exchange Online without first activating user licenses. Theprocedure that follows shows the steps to activate licenses for groups of users from the Adminarea within the Microsoft Online Services Portal.There are several strategies to consider when activating groups of users at the same time. Forexample, you might activate groups of users who require the same type of license, or activategroups of users who share the same location.
To activate user licenses
1.
Sign in to theMicrosoft Online Services Portalwith your Office 365 administratorcredentials.2.
In the portal header, click
Admin
.3.
Under
Management,
click
Users
.4.
From the list of users, determine which licenses you want to assign to specific users and
then select the check box next to each user’s name.
5.
Click
Activate Synced Users
.6.
Select the location for the group of users (
example: United States
).7.
Check the license you would like to assign these users.8.
Click
Next
.9.
Click
Activate
.10.
Click
Finish
.
158Microsoft Office 365 Deployment Guide for Enterprises | December 2011
Note:
In addition to using the Microsoft Online Services Portal, your organization canprogrammatically assign user licenses by using the Windows PowerShell cmdlets for Office 365.For more information, see Help topicWindows PowerShell cmdlets for Office 365.
4.6
Exchange Online Preparation
This section provides deployment instruction to enable moving user mailboxes to MicrosoftExchange Online in a hybrid deployment. It is assumed that your organization is runningExchange Server 2003 or later, so that you can configure hybrid deployment between the on-premises Exchange Server environment and Exchange Online.
Note:
Configuring an Exchange hybrid deployment requires directory synchronization.For more information, see theDeploy Directory Synchronizationsection of this document.Many of the steps required to enable email coexistence are performed by selecting the E-MailHybrid mode page from the Migration tab in the Microsoft Online Services Portal.
4.6.1
Deployment Pre-requisites
Ensure you have performed all the procedures in theNetworking and Names Services TasksandUser Identity and Provisioning Taskssections of this document before you start with yourExchange Online preparation steps.
4.6.1.1
Upgrade Active Directory Schema
To implement email coexistence, you will need to upgrade your Active Directory schema toExchange Server 2010 SP1 version. If you have not already completed the Active Directoryscheme upgrade, review theUpdate Schema for Hybrid Deploymentsection found earlier in thisdocument.
4.6.1.2
Install Update Rollup
We recommend installing the latest update rollup for Exchange 2010 SP1 on all your servers.Microsoft releases update rollup packages approximately every six to eight weeks. The rolluppackages are available via Microsoft Update and the Microsoft Download Center. In the Searchbox on theMicrosoft Download Center,type “Exchange 2010 update rollup” to find links to therollup packages.
4.6.2
Establish Email Coexistence
After you have completed the hybrid deployment prerequisites, you can begin to configure the
159Microsoft Office 365 Deployment Guide for Enterprises | December 2011
Exchange hybrid deployment. TheExchange Server Deployment Assistantis the recommendedtool to use for this multi-step process, which include installation of the hybrid server.After you launch the web-based Deployment Assistant, click the
Hybrid
button. TheDeployment Assistant asks you a few questions about your current environment and thengenerates a custom checklist and procedures that help simplify your hybrid deployment. Thechecklist (Figure 17) provides a prioritized list of tasks and steps you need to complete toconfigure your Exchange hybrid deployment and provides references TechNet documentationfor additional information.
Figure 17. Exchange Server Deployment Assistant checklist
In addition to English, the Deployment Assistant is also available in Chinese (Simplified), Chinese(Traditional), French, German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, andSpanish.
4.6.3
Testing Exchange Online with Remote Connectivity Analyzer
To verify that inbound mail, Exchange ActiveSync, Autodiscover, Outlook Anywhere (RPC/HTTP),and other connections are properly configured, you should consider using theExchange RemoteConnectivity Analyzer.The Remote Connectivity Analyzer is a Web-based tool that is designedto help you troubleshoot connectivity issues by testing your Exchange on-premises and on-premises configuration. You may want to become familiar at this tool in advance of yourdeployment to understand its capabilities and usage. For more information about the tool, seethisTechNet article.
160Microsoft Office 365 Deployment Guide for Enterprises | December 2011
Additionally, if you already have ActiveSync, Outlook Anywhere, and Autodiscover enabled inyour on-premises environment we highly recommend you run through the tests provided withthe Remote Connectivity Analyzer to ensure your on-premises environment is functioningappropriately.See the Help articleDNS Troubleshooting for Exchange Onlinefor more information about theRemote Connectivity Analyzer.
4.7
SharePoint Online Preparation
The following sections describe preparations for setting up SharePoint Online.When planning your Office 365 deployment you should evaluate which of the SharePointcapabilities you will implement in your Office 365 environment.
4.7.1
Analysis of Existing SharePoint Environment
Before deciding on a migration strategy it is vital that you perform an analysis of your currentenvironment. This analysis should focus on those SharePoint workloads and content that youplan to move to SharePoint Online.As an outcome of the analysis you should have a clear understanding on the content and thecustomizations you have in your on-premises environment.You should then create a content and customization roadmap that covers what content andcustomizations that will be moved to SharePoint Online and how they will be moved.For each customization you will need to decide if you want to provide that functionality in yourSharePoint Online environment. As the next step you will need to validate if the customizationscan be implemented as sandboxed solutions.
4.7.2
Preparing for Customizations
Once you have an inventory of all the customizations that you want to move to SharePointOnline you need to decide the right packaging and deployment mechanisms. Generally, it isrecommended to package all the customization in Web Solution Packages (WSPs). This willallow the site collection administrators to upload these to the Solution Gallery of each SiteCollection that needs the customization. After the upload the solutions need to be activated.Figure 18 shows the Solution Gallery.
161Microsoft Office 365 Deployment Guide for Enterprises | December 2011
Figure 18. SharePoint Online site collection Solution Gallery
If you have design artifacts such as master pages or page layouts that only need to be deployedto one Site Collection you can upload them manually to the Master Page Gallery of the SiteCollection. However, if you need them in multiple site collections, it is beneficial to packagethem as WSPs as well.For more information about developing solutions for SharePoint Online, see the MSDN articleSharePoint Online for Office 365 Developer Guide.
4.7.3
Content Migration
Office 365 does not provide SharePoint content migration support for customers. If you plan tomigrate SharePoint content from an on-premises or hosted service to SharePoint Online, yourorganization will either use a manual approach or to use a third-party SharePoint migration tool.One way to manually move content to SharePoint Online is by connecting the SharePoint Libraryto SharePoint Workspace. You can then upload content to SharePoint Workspace and it willautomatically synchronize these files to SharePoint Online. Another manual approach is to usethe capability of SharePoint to upload multiple files. This will allow you to upload batches of filesat once.
Note
: If you use the manual migration methods described above, the uploaded files willappear as being created by the user who uploaded them. Also the timestamp of the file willbe the upload time and not the original creation time.
Before choosing the migration tool to migrate your SharePoint content, be sure to verify thatthe tool meets your migration requirements and that it supports all of the SharePoint artifactsyou want to migrate. Refer to the third-party
tool’s documentation and evaluate what
preparation steps your organization will need to implement.
162Microsoft Office 365 Deployment Guide for Enterprises | December 2011
Microsoft partners are also available to assist with migrating your SharePoint content toSharePoint Online using third-party tools. For assistance with SharePoint content migration, see
the “Recommended Deployment Partners” area
at theMicrosoft Online Services deploymentpage.TheOffice 365 Marketplacealso provides names of recommended deployment partnersthat can assist with SharePoint content migrations.
4.8
Lync Online Preparation
Key tasks in preparing your organization for Lync Online include optimizing your network forLync conferencing, configuring domain federation and public IM connectivity settings, and
ensuring the Lync 2010 client is installed on Lync Online user’s computers.
4.8.1
Network Preparation for Conferencing
You can optimize your network environment for use with Lync conferencing by performing thefollowing configurations:
Enabling the required firewall ports to access the Lync conferencing servers.
Disabling authentication for Lync Online audio and video traffic when an authenticatingHTTP proxy is employed.
Configuring the network to allow User Datagram Protocol (UDP) traffic for better audioand video performance.
Adjusting internal routers and optimizing internal network paths for audio and videotraffic (optional).
Filtering traffic (if required by the service provider SLA)As a hosted service, Lync Online conferencing can operate in a large variety of networktopologies. Typically, your network administrator is able to make minor configuration changesto routers and firewalls to provide an optimized user experience that does not interfere with
your organization’s ability to secure its network.
You should conduct a thorough evaluation of network bandwidth for use of Lync Online andconferencing. These services may require a bandwidth increase. For information regardingbandwidth requirements for Lync Server 2010 conferencing, see the TechNet articleDefiningYour Requirements for Conferencing.
4.8.2
Enable and Disable Federation
If you are an Office 365 for enterprises administrator, you can enable domain federation inMicrosoft Lync Online so users in your company can connect with users in other companies thathave deployed Microsoft Office Communications Server 2007, Office Communications Server2007 R2, or Microsoft Lync Server 2010. If you want to establish Lync domain federation with
163Microsoft Office 365 Deployment Guide for Enterprises | December 2011
your own on-premise implementation of Office Communications Server 2007, OfficeCommunications Server 2007 R2, or Microsoft Lync Server 2010, Lync Online and your on-premise system must be using different SIP domains. Note that none of your Lync Server 2010on-premises SIP domains should be in the list of active domains for your Office 365 tenant.Once you have enabled domain federation, users can exchange peer-to-peer instant messages(IM), initiate peer-to-peer audio and video calls, and view presence information. You can alsoenable public IM connectivity, so that users can add contacts from Windows Live Messenger andcommunicate with them by using Lync 2010.
Note
: Domain federation does not create an integrated, searchable address book.
To enable or disable federation with other Office 365 organizations using Lync Online
1.
In the
Lync Online Control Panel
, click
Domain federation
. The current domainfederation status is displayed.2.
Next to the status text, click
Edit
.3.
In the
Choose the domain federation setting for all users
dialog box, choose adomain federation option, and then click
OK
.
4.8.3
Enable Federation with Windows Live Messenger
If your organization would like to establish federation with Windows Live Messenger you mayenable these features through the Microsoft Online Services Portal.
To enable Lync Online federation with public IM services
1.
Log on to the Microsoft Online Services Portal with your Office 365 administratorcredentials.2.
In the header, click
Admin
.3.
Under
Lync Online
, click
Manage
.4.
In the
Microsoft Lync Online Control Panel
, click
Public IM
.5.
Click
Enable
.6.
Click
OK
.For more information about enabling and disabling public IM federation seeEnable or disablepublic IM connectivity.
4.9
Client and End-User Experience
As discussed earlier in the Plan section this deployment guide, your organization will potentiallyneed to upgrade client hardware and software when moving to Office 365. For client software,consider using Microsoft Update or an enterprise software deployment solution (such as
164Microsoft Office 365 Deployment Guide for Enterprises | December 2011
Microsoft System Center Configuration Manager) to ensure that the requirements are met forthe Office 365 web or rich client experience.
4.9.1
Rich Client Experience
For users to experience the highest fidelity with the Office 365, your organization will need to
deploy install rich experience clients to users’ computers and provide for ongoing patches and
updates.Rich experience clients provide users with full-featured desktop applications for email, instantmessaging, and business productivity and require methods for distributing, configuring andupdating clients.Office 365 for enterprises solutions make use of the following rich clients:
Microsoft Office 2010 and Office 2007 SP2 (including Outlook)
Microsoft Office 2008 for Mac
Microsoft Entourage® 2008 Web Services Edition
Microsoft Office 2011 for Mac
Office Web Apps
Microsoft Lync 2011 for Mac
Microsoft Lync 2010When using rich experience clients, you need to install the Office 365 desktop setup package on
user’s computers. This application ensures that the
required components and updates areinstalled for rich clients. The Office 365 desktop setup package automatically configures Outlookand Microsoft Lync for use with Microsoft Online Services. Administrators can allow enterprisesusers to update their desktops on their own using Office 365 desktop setup, or can choose todeploy the updates remotely by using Active Directory.
4.10
Create Migration Groups
Migration groups are the set of users that you migrate to Office 365 during each migrationwindow. Depending on the number of users you have, your organization will likely requiremultiple migrations to move all your users to the Office 365 environment.When defining migration groups, you will want to consider more than just the total size of theincluded mailboxes. Here are some additional things to keep in mind:
Bandwidth considerations.
All of the mailbox content must travel from the on-premisesmail environment over the Internet to Office 365. You can use the migration tools todetermine how much data should be migrated once mailbox reduction has beenperformed. Based on this information, you should scope the size of your migration
165Microsoft Office 365 Deployment Guide for Enterprises | December 2011
groups and schedule migration times to work with your existing network and Internetbandwidth.
User groups.
When migrating groups of users, it is a best practice to migrate users whocommunicate with each other frequently. For example, if an executive team uses email tocommunicate vital information, you should migrate the members of the executive teamat the same time. Schedule your migration groups to ensure that the owners of themailboxes that are migrated will be available immediately after the migration to validatethe success of the migration. This is especially imperative for organizations that have endof month financial, inventory, or other reporting mechanisms that cannot be disrupted.Keep in mind the mailbox and calendaring requirements of shared/delegate mailboxesfor executives and other key customer personnel and their assistants. It is important thatassistants are able to access the calendars of executives and key staff without delay.
User locations
. In addition, be sure to migrate users in accordance with the physicalbuildings they occupy. It makes sense to migrate fourth floor Conference Rooms withusers on the fourth floor. For smaller buildings with limited meeting space it maybecome necessary to survey the rooms that are used on other floors as well to ensurethese resources are available as soon as possible.
User support.
When migrating groups of users, your organization must also consideruser support planning and capabilities for the initial period after migration. There willlikely be a higher volume of service desk calls just after the migration. It is best practiceto distribute migration groups across support teams by location in parallel to increasemigration velocity as well as balance service desk call volume.
166Microsoft Office 365 Deployment Guide for Enterprises | December 2011
5
Migrate Phase
The Migrate phase is primarily focused on the steps required to move user mailbox contentfrom on-premises to Exchange Online.
5.1
Key Activities Summary
The following are the key deployment tasks and events that your carry out in the Migrate phase:
Assign licenses to users
To access Office 365 service offerings, assign licenses to users through the MicrosoftOnline Services Portal. If you have not already done so, review theActivate User Licensessection of this guide.
Issue final communications to end users
Prior to the start of velocity migrations, send all users moving to Office 365 the necessarynotifications and instructions they need to make the transition to the new hostedservices platform.
Migrate mailbox data
Proceed with velocity mailbox migrations from on-premises mailboxes to ExchangeOnline using your selected migration tools and migration group schedule.
Migrate existing collaboration documents
Using third-party migration tools, move files and folders from your existing SharePointenvironment to SharePoint Online.
Change DNS records
When all migrations are completed, change your DNS records (for example, MX and TXTrecords) to at your domain registrar.
Configure mobile phones and devices for Office 365
Set up user mobile phones to access email using the Exchange ActiveSync protocol.
Perform post-migration service testing
After migrations are completed, perform full-scale testing of Office 365 servicefunctionality.
5.2
Send Final End User Communications
Prior to the start of velocity migrations, you should send your final notifications and instructionsto users moving to Office 365 service offerings. SeeAppendix G: Sample Email Migration EndUser Communicationsfor an example of messaging used in these communications.
167Microsoft Office 365 Deployment Guide for Enterprises | December 2011
5.3
Migrate Mailboxes
You can use the New Remote Move Request wizard in the Exchange Management Console(EMC) on the hybrid server to move existing user mailboxes in the on-premises organization tothe Office 365 organization.By default, the Mailbox Replication Proxy service (MRSProxy) running on the hybrid serverautomatically throttles the mailbox move requests when you select multiple mailboxes to moveto Office 365. The total time to complete the mailbox move depends on the total number of mailboxes selected, the size of the mailboxes, and the properties of the MRSProxy.
Steps for migrating mailboxes are provided in the “Move or create a mailbox” topic in the
Exchange Server Deployment Assistant and the Help topicMove or create a mailbox for shareddomains.
5.4
Change MX Record
When you are ready to put your hybrid server into production, you will need to change your MXrecord to redirect inbound mail flow to your hybrid server or Exchange Server 2010 SP1 serverdeployed with the Edge Transport server role.The Exchange Server Deployment Assistant will provide detail steps for how to change the MX
record in the topic “Redirect mail flow to coexistence server.”
5.5
Set Up Mobile Phones and Devices
Information about setting up mobile phones and devices for your Office 365 users is available athttp://help.outlook.com. You can find specific instructions for setting up many popular mobile phones at the Help topicMobile Phone Features.
For instructions for the Apple iPhone, iPod, or iPad seeSet Up Microsoft Exchange E-Mailon an Apple iPhone.
For instructions for the BlackBerry Curve
For instructions for the BlackBerry Pearl
168Microsoft Office 365 Deployment Guide for Enterprises | December 2011
Note
: RIM is introducing a new hosted BES service for Exchange Online customers. RIM willhost, license and support the service. For additional details, see the Office 365 wikiAnnouncingBlackBerry Business Cloud Services for Office 365and the RIM websiteBlackBerry BusinessCloud Services.
5.5.1
ActiveSync Devices
To set up your mobile phone to access your email using the Exchange ActiveSync protocol, youwill need the Exchange ActiveSync server name as well as your user name and password.
5.5.1.1
Set Up Windows Phone and Windows Mobile Devices
If a Windows Mobile device is already set up to synchronize with another computer runningMicrosoft Exchange Server, you must delete that email account from your mobile device beforeyour device can sync with Microsoft Exchange Online.The following procedures describe how your Exchange Online administrator can do thefollowing:
Delete an existing relationship between a Windows Mobile 6.5, 6.1, and 6.0 device andExchange Server
Set up a new Windows Mobile and Windows Phone relationship with Exchange Online.
Use the remote wipe feature.
Note
: The menu options displayed on your device may be different from those described inthe procedures that follow. If you have questions, refer to your mobile device documentation.
To delete an existing Windows Mobile relationship
1.
From the Windows Mobile Start menu on the mobile device, tap
Programs
, and then tap
ActiveSync
.2.
Tap
Menu
, and then tap
Options
.3.
Tap
Microsoft Exchange
, and then tap
Delete
to delete the existing relationship.
To configure a Windows Mobile device connection
1.
On the mobile device, tap
Start
, tap
Programs
, and then tap
ActiveSync
.2.
Tap
Menu
, tap
Add Server Source
, and then enter the mobile device address for your
organization’s data (example;outlook.com)
3.
Select the This server requires an encrypted (SSL) connection check box, and then tap
Next
.4.
In
User name
, enter your Office 365 email address.
169Microsoft Office 365 Deployment Guide for Enterprises | December 2011
5.
In
Password
, enter your password, select
Save Password
, and then tap
Next
. Leave thedomain box blank.6.
Select the check boxes for the types of data you want to synchronize, and then tap
Finish
.Use the following steps to configure your connection on a Windows Phone 7.
To configure a Windows Phone 7 connection
1.
Press the
Windows
button to return to home.2.
Slide right and then up, and select
Settings.
3.
Select
email & accounts
.4.
Click
add an account
.5.
Select
Outlook
.6.
Enter your email address (for example,
johnsmith@contoso.com
)7.
Enter your password (with single sign-on this would be the same as your Active Directorypassword).8.
Click
sign in
.
5.5.1.2
Configure Remote Device Wipe Option
Administrators in your organization have the ability to remotely erase data from an ExchangeActiveSyn
c mobile device in the event that an Exchange Online user’s device is lost, stolen or
otherwise compromised.
To remotely erase data from an Exchange ActiveSync device
1.
Log on to Microsoft Outlook Web App athttps://outlook.comusing the email addressand password of the user account that the mobile device synchronizes with.2.
In the Outlook Web App window title bar, click
Options
.3.
In the navigation pane, click
Mobile Devices
.4.
Click the ID of the device you want to remotely erase, click
Wipe All Data from Device
,and then click
OK
.5.
Click
Remove Device from List
.
5.6
Perform Post-migration Service Testing
After user provisioning and mailbox migrations are completed, you should performcomprehensive testing of the Office 365 service offerings for which your organization hassubscribed to ensure the services operate as described in the Office 365 for enterprises servicedescriptions.SeeAppendix H: Post-deployment Service Test Planfor an example test plan.
170Microsoft Office 365 Deployment Guide for Enterprises | December 2011
6
Feature Enablement
This section describes Office 365 for enterprises features that are available to your organizationbut outside the scope of the deployment tasks described in this deployment guide. Many of these features are described in the Office 365 for enterprises service descriptions, which areavailable at theMicrosoft Download Center. Examples of user account and provisioning features that are available to enable include:
Multi-factor authentication with Active Directory Federation Services
Active Directory Federation Services custom log on pageExamples of Exchange Online features that are available to enable include:
Disclaimers.
Exchange Online enables administrators add disclaimers to messages intransit using transport rules. See the Help topicAdd Disclaimers to Messagesfor details.
Transport rules.
Transport rules are used to inspect emails in transit (including inbound,outbound, and internal messages) and take actions, such as applying a disclaimer,blocking messages, or sending a blind carbon copy to a mailbox for supervisory review.See the Help topicOrganization-Wide Rulesfor details.
Personal archive.
Exchange Online offers archiving through the personal archivecapabilities of Exchange 2010. A personal archive is a specialized mailbox that appears
alongside users’ primary mailbox folders in Outlook or Outlo
ok Web App. See the HelptopicEnable an Archive Mailboxfor details.
Journaling.
Administrators can configure Exchange Online to journal copies of emails toany external archive that can receive messages via SMTP. See the Help topicJournalRulesfor details.
Retention policies.
Exchange Online offers retention policies to help organizationsreduce the liabilities associated with email and other communications. With these
policies, administrators can apply retention settings to specific folders in users’ inboxes.
The retention policy capabilities offered in Exchange Online are the same as thoseoffered in Exchange Server 2010 Service Pack 1. See the Help topicSet Up and ManageRetention Policies in Exchange Onlinefor details.
Legal hold.
Exchange Online provides legal hold capabilities to preserve users
’ deleted
and edited mailbox items (including email messages, appointments, and tasks) fromboth their primary mailboxes and personal archives. See the Help topicPut a Mailbox onLitigation Holdfor details.
Rolling legal hold (single item recovery).
Some organizations want to preserve users’
mailbox contents for archiving and eDiscovery purposes, but only for a specific amountof time, such as one year. The single item recovery feature in Exchange Online can beused to meet this need, by providing rolling legal hold capabilities.
171Microsoft Office 365 Deployment Guide for Enterprises | December 2011
Multi-mailbox search.
Exchange Online provides a web-based interface for searchingthe contents of mailboxes in an organization. Through the Exchange Control Panel,administrators can search a variety of mailbox items
including email messages,attachments, calendar appointments, tasks, and contacts. See the Help topicCreate aNew Multi-Mailbox Searchfor details.
172Microsoft Office 365 Deployment Guide for Enterprises | December 2011
7
Appendix A: Key Deployment Resources
The following resources can provide additional help with deployment questions and tasks.
Office 365 Community
The Office 365 Community site posts the latest developments and information related to Office365. It includes a discussion area where site members post questions and answers. You can alsoaccess the Blogs, Forum, and Wiki pages from this site.
Available at
Office 365 Help
This extensive set of Help topics provides guidance to administrators and users working withExchange Online, SharePoint Online, Lync Online, and Office Professional Plus.
Available at
Office 365 Deployment Readiness Tool
The Office 365 Deployment Readiness Tool is available to assist you with discovery activitiesrelated to Office 365 deployments. The tool can be used to check and provide importantinformation about your on-premises environment.
Available at
Exchange Deployment Assistant
provides detailed guidance for the hybrid deploymentscenario from the on-premises Exchange environment to Exchange Online.
Microsoft Assessment and Planning Toolkit
The Microsoft Assessment and Planning (MAP) toolkit generates detailed readiness assessmentfor migration to cloud-based services such as Office 365 for enterprises.
Available at
MOSDAL (Microsoft Online Services Diagnostics and Logging) Support Toolkit
The MOSDAL Support Toolkit collects system, network, service-based application configurationand logging data along with performing network diagnostics. The toolkit can be used for avariety Office 365 troubleshooting issues.
Available at
You can use theDeployment Readiness Toolto help assess how many totalActive Directory objects, and specifically user objects, are stored in your ActiveDirectory forest.
Purchase of Office 365 for enterprises user licenses
. To provision users for Office 365services, your organization will need to have valid user licenses available to assign tousers.
9.2
Checkpoint 1: Planning Complete
Objectives
Ensure that the deployment project scope and schedule are well understood by all your projectteam members from the Project Manager to the Executive Sponsor.
Checkpoint Exit Criteria1. Identified plans for the following items:
Migration
176Microsoft Office 365 Deployment Guide for Enterprises | December 2011
Mail-enabled applications
User identity and account provisioning options
On-premises infrastructure and hardware requirements
Network bandwidth requirements
Client operating systems and client applications
Service desk training
End user and administrator training
End user communication strategy
2. Completed the following activities:
Customer kickoff meeting with agreement on the following:
o
Dedicated deployment project management team
o
Review of each workstream, milestone activities, and timelines
o
Commitment from all workstream owners on milestone timelines and dates
Customer sign-off on Plan Complete milestone.
9.3
Checkpoint 2: Preparation Complete
Objectives
Ensure all configuration and preparation tasks are completed.
Checkpoint Exit Criteria
Remediation of directory synchronization errors.
Specific service configurations are completed.
Office 365 Desktop Setup package is deployed.
Email migration and coexistence is tested and validated.
Service desk integrated
Migration schedule is completed.
9.4
Checkpoint 3: Migration Complete
Objectives
Velocity mailbox migrations begin.
Criteria to stop the deployment is defined and agreed upon.
Checkpoint Exit Criteria
Mailbox migration is completed.
Plan is in place for deprovisioning of on-premises services (unless hybrid scenarios exist).
177Microsoft Office 365 Deployment Guide for Enterprises | December 2011
10
Appendix D: Key Deployment URLS, Ports, andIP Addresses
This compilation of URLs, ports and IP addresses provides a resource for customers whenconfiguring firewall access during an Office for 365 for enterprises deployment project. Contactthe Microsoft Office 365 support team for IP address ranges requirements, or refer to the HelptopicIP addresses and URLs used by Office 365.You can also subscribe to thisRSS feedtoreceive notice when updates are made to IP addresses and URLs.
10.1
URLs
General Service URLs
Microsoft Online Services Portalhttps://portal.microsoftonline.com
Office 365 Sign In pagehttps://msol.vo.msecnd.net:/
PowerShell Connection URI for Office 365 PowerShellhttps://ps.microsoftonline.com
Community Portal for Office 365 Customershttps://community.office365.com
Active Directory Federation Services End Pointhttps://nexus.microsoftonline-p.com
Directory Synchronization End Pointhttps://adminwebservice.microsoftonline.com
Exchange Online URLS
Exchange Online PowerShell Connection URIhttps://ps.outlook.com
Outlook Web App address for a specific customerhttps://outlook.com/<domain>.onmicrosoft.com
Outlook Web App address for a customer specific domainhttps://www.outlook.com/<companyname>.com
178Microsoft Office 365 Deployment Guide for Enterprises | December 2011
SharePoint Online URLs
*.sharepoint.com
*.sharepointonline.com
Default Root SharePoint site for customer
<domain>.SharePoint.com
Site Settings for the Root Site Collection
<domain>.sharepoint.com/_layouts/settings.aspx
My sites<domain>-my.sharepoint.com
SharePoint Online Administration Center for customer
<domain>-Admin.SharePoint.com
Lync Online URLs
*.online.lync.com
*.infra.lync.com
*.lync.comAdditional URLs that require firewall access include:
*.microsoftonline.com
*.onmicrosoft.com
*.microsoftonlinesupport.net
*.microsoftonline-p.com
*.microsoftonline-p.net
*.microsoftonlineimages.com
*.microsoftonlineimages.net
*.live.com
admin.messaging.microsoft.com
10.2
IP Address Ranges
To help ensure that network traffic from the Microsoft data centers is accepted, you may needto open ports in your on-premises firewall so network traffic originating from the Microsoft datacenter IP addresses is allowed to enter your on-premises organization.Contact the Microsoft Office 365 support team for IP address ranges requirements, or refer tothe Help topicIP addresses and URLs used by Office 365.
10.3
Required Ports
Table 23 lists the protocol and port requirements for Office 365 for enterprises deployments.
179Microsoft Office 365 Deployment Guide for Enterprises | December 2011
Table 23. Protocol and Port Requirements
Protocol /Port Applications
TCP 443
Active Directory Federation Services (federation server role)
Active Directory Federation Services (proxy server role)
Microsoft Online Services Portal
My Company Portal
Microsoft Outlook 2010 and Outlook 2007
Microsoft Entourage 2008 EWS/Outlook 2011 for Mac
Outlook Web App
SharePoint Online
Lync 2010 client (communication to Lync Online from on-premisesLync Server)
TCP 25
Mail routing
TCP 587*
SMTP relay
TCP 143/993
Simple IMAP4 migration tool
TCP 995**
POP3
TCP 80 and 443*
Microsoft Online Services Directory Synchronization Tool
Simple Exchange Migration Tool
Simple IMAP Migration Tool
Staged Exchange Migration Tool
Exchange Management Console
Exchange Management Shell
PSOM/TLS 443
Lync Online (outbound data sharing sessions)
STUN/TCP 443
Lync Online (outbound audio, video, application sharing sessions)
STUN/UDP 3478
Lync Online (outbound audio and video sessions)
RTC/UDP 50000-59999
Lync Online (outbound audio and video sessions)
*
SMTP Relay with Exchange Online requires TCP port 587 and requires TLS. SeeTechNet for details on how to configureSMTP Relay with Exchange Online. Note: you will need to provide the SMTP server which is specific to the mailbox used for relay. See the TechNet articleSet Up Outlook 2007 for IMAP or POP Access to Your E-Mail Account . ** POP3 access with Exchange Online requires TCP port 995 ) and requires SSL. SeeTechNet for details on how toconfigure POP3 with Exchange Online.
180Microsoft Office 365 Deployment Guide for Enterprises | December 2011
11
Appendix E: Exchange Hybrid DeploymentDomain and Host Names Worksheet
Configuring an Exchange hybrid deployment, email coexistence, and directory integrationbetween your on-premises environment and the Office 365 environment requires that youprovide appropriate domain and host names. Table 24 provides a sample list and examples of domain and host names used in the deployment process. You are strongly encouraged to usethe Exchange Deployment Assistant to generate specific examples for your organization.
Table 24. Host Names Worksheet
Description Example value Value in your organization
Active Directory Forest
corp.contoso.com
Internal Exchange Server 200Xserver hostname
DEN-SRV-EXCH-2K3
Exchange External 200X serverFQDN
mail.contoso.com
Proposed internal coexistenceserver host
DEN-SRV-EXCH-2K10
Proposed external coexistenceserver FQDN
mail.contoso.com
Outlook Web App URL
owa.contoso.com
Primary SMTP namespace
Contoso.com
UserPrincipalName domainCloud Identity domain
Contoso.com
Service SMTP namespaceImportant: You must not use theservice tenant FQDN, specifiedbelow, as the service SMTPnamespace. We recommend that you use <service.
your domain
>.
service.contoso.com
Internal Active DirectoryFederation Services (AD FS)server hostname
DEN-SRV-AD FS-FED1
External AD FS server FQDN
sts.contoso.com
181Microsoft Office 365 Deployment Guide for Enterprises | December 2011
Description Example value Value in your organization
Internal directorysynchronization server hostname
DEN-SRV-DIRSync
Exchange federation trustnamespace
Exchangedelegation.contoso.com
On-premises AutodiscoverFQDN
Autodiscover.contoso.com
Service Autodiscover FQDN
Autodiscover.<value>.contoso.com
Service tenant FQDNNote You can only choose thesubdomain portion of thisFQDN. The domain portion mustbe “onmicrosoft.com”.
contoso.onmicrosoft.com
182Microsoft Office 365 Deployment Guide for Enterprises | December 2011
12
Appendix F: Directory Object Preparation
Successful directory synchronization between your on-premises Active Directory environmentdirectory and Office 365 requires that your on-premises directory objects and attributes areproperly prepared.If your organization intends on implementing an Exchange hybrid deployment, you will need toupgrade your Active Directory schema to include Exchange Server 2010 SP1 updates. This isrequired in order to manage email attributes on-premise when using directory synchronization.
Note
: Administrators can hide users, distribution groups, and contacts from the GlobalAddress List by setting the
msExchHideFromAddressLists
attribute for the object in on-premisesActive Directory.Apply the following requirements for user object attributes in preparing your Active Directoryfor directory synchronization.
UserssAMAccountName
Maximum number of characters: 20
Invalid Active Directory characters: !#\$%\^&\{\}\\{`~””,\\/\[\]:@<>\+=;\?\*
If a user has an invalid sAMAccountName but a valid userPrincipalName, the useraccount is created in Office 365.
If both the sAMAccountName and userPrincipalName are invalid, the on-premises ActiveDirectory userPrincipalName must be updated.
givenName
Maximum number of characters: 64
Questionable characters: ?@\+
Note:
The Deployment Readiness Tool checks for questionable characters.
sn (surname)
Maximum number of characters: 64
Questionable characters: ?@\+
Note:
The Deployment Readiness Tool checks for questionable characters.
displayName
Maximum number of characters: 256
183Microsoft Office 365 Deployment Guide for Enterprises | December 2011
Questionable characters: \?@\+
Note:
The Deployment Readiness Tool checks for questionable characters.
mail
Maximum number of characters: 256
Invalid characters: [! #$ %&*+ / = ? ^ ` { }]
Duplicate values: The
mail
attribute cannot contain any duplicate values.Note: If there are duplicate values in mail field, the first user with the value issynchronized to the Office 365 environment. Subsequent users will not appear in theMicrosoft Online Services Portal. You must modify the value not found the portal, ormodify both of the values in the on-premises directory, in order for both users to appearin the Office 365 service.
mailNickname
Maximum number of characters: 64
Invalid characters: “”\\\[\]:><; and space ( )
proxyAddresses
Multi-value attribute
Maximum number of characters: 256
Invalid characters: \)\(;><\]\[\\,
targetAddress
For mail-enabled objects and alternate addresses, the
targetAddress
attribute is required. This isespecially true in third-party messaging migration and coexistence scenarios. If the
targetAddress
attribute is not present, the fallback is to the
mail
attribute.
Maximum number of characters: 256
Invalid characters: [! #$ %&*+ / = ? ^ ` { }]
userPrincipalName
Maximum number of characters for username: 64
Maximum number of characters for domain name: 256
Invalid characters:
}{ # ‘ * + ) ( > < /
\ = ? `
&
character: Automatically changed to underscore:(
_
) character: remains the same.
Duplicate proxies will be emailed as an error before any notification errors.
Additional requirements for a valid userPrincipalName:
@ character is required in each userPrincipalName value.
184Microsoft Office 365 Deployment Guide for Enterprises | December 2011
@ character cannot be first character in each userPrincipalName value.
Username cannot end with a period (.) an ampersand (&) a space ( ), or at sign (@)
Username cannot have a space ( ).
Routable domains must be used (for example, .local or .internal cannot be used)
Unicode is converted to underscore characters.
userPrincipalName may not contain any duplicate values in the forest.
Groups
Mail-enabled character check: All mail-enabled groups must follow the pattern of *@*.
Contacts
Mail-enabled character check: All mail-enabled contacts must follow the pattern of *@*.
185Microsoft Office 365 Deployment Guide for Enterprises | December 2011
13
Appendix G: Sample Email Migration End UserCommunications
The following is a communication timeline and sample emails that your Office 365 administratorcan use to inform managers and employees about the email migration to Exchange Online.For sample emails for the migration to Lync Online, seeLync 2010 Email Templates.
5 Weeks Prior to Migration Date: Send Manager Email
Notify all managers that your organization is migrating to Microsoft
Exchange Online. Tell yourmanagers when it is going to happen. Provide an overview of the process. Explain why you are
migrating. Give your managers tools to promote your organization’s deci
sion to make thischange. Give them information to communicate to their employees so that their employeesknow the migration is coming.
4 Weeks Prior to Migration Date: Send General Email
The following is a sample email for the administrator to send to all organization mail users atfour weeks prior to the email migration.
Subject: ACTION REQUIRED: We are migrating your mailbox to Microsoft Exchange Online!This email is your first notice that your mailbox will be migrated to Microsoft Exchange Online on<Date>. There are many tasks that you must perform before your email can be migrated. Thereare also several actions you can take before migration to improve your Exchange Onlineexperience.See ACTION REQUIRED BEFORE MIGRATION <insert link to before-migration instructions on your Microsoft SharePoint Online site>to prepare for your migration.You can also preview what you will need to do after your mailbox has been migrated. See ACTIONREQUIRED AFTER MIGRATION <insert link to after-migration instructions on your SharePoint site>to preview this information.If you have any questions, check the Exchange Online FAQ <insert link to Microsoft Online FAQ>and the Exchange Online Known Issues <insert link to Microsoft Online Known Issues>, or contact support <insert your support contact information>.Thank you,<Your Migration or Support Contact Alias>
186Microsoft Office 365 Deployment Guide for Enterprises | December 2011
2 Weeks Prior to Migration Date: Send Manager Email
The following is a sample email for the administrator to send to all managers at two weeks priorto the email migration.
Subject: ACTION REQUIRED: Do you approve mailbox migration for these employees?
We need your approval to migrate your employees’ mailboxes to Microsoft Exchange Online on
<Date>. If we do not receive your approval, the following employees will not be migrated. ACTION REQUIREDReview the list of your employees and respond to this email to let us know if they can be migrated.Employee
Migrate? (yes/no)
Aaron ConCoby Thomas
In the “Migrate?” column next to the employee, please indicate “Yes” to approve mailbox migration. If someone’s mailbox cannot be migrated, or if you do not want them to be migrated at this time, include that information in the “Migrate?” column.
If you have any questions, check the Microsoft Exchange Online FAQ <insert link to Microsoft Exchange Online FAQ> and the Exchange Online Known Issues <insert link to Microsoft OnlineKnown Issues>, or contact support <insert your support contact information>.Thank you,<Your Migration or Support Contact Alias>
2 Weeks Prior to Migration Date: Send User Email
The following is a sample email for the administrator to send to all mail users at two weeks priorto the email migration.
Subject: ACTION REQUIRED: We are migrating your mailbox to Microsoft Exchange Online!Your mailbox will be migrated to Microsoft Exchange Online on <Date, Day, and Time>. Pleasecomplete the tasks that you must perform before your email can be migrated. There are alsoseveral actions you can take before migration to improve your Exchange Online experience.See ACTION REQUIRED BEFORE MIGRATION <insert link to before-migration instructions on your SharePoint site> to prepare for your migration.
187Microsoft Office 365 Deployment Guide for Enterprises | December 2011
You can also preview what you will need to do after your mailbox has been migrated. See ACTIONREQUIRED AFTER MIGRATION <insert link to after-migration instructions on your SharePoint site>to preview this information.If you have any questions, check the Exchange Online FAQ <insert link to Microsoft Online FAQ>and the Microsoft Online Known Issues <insert link to Microsoft Online Known Issues>, or contact support <insert your support contact information>.Thank you,<Your Migration or Support Contact Alias>
1 Week Prior to Migration Date: Send User Email
The following is a sample email for the administrator to send to all mail users at one week priorto the email migration.
Subject: IMPORTANT! – ACTION REQUIRED: We are migrating your mailbox to Microsoft ExchangeOnline!We are migrating our mailboxes to Microsoft Exchange Online on <Date>. If you do not completethe required actions by <Date
today’s date + 1 day> your mailbox will not be migrated.
If you have already completed the actions required before migration, please ignore this email.See ACTION REQUIRED BEFORE MIGRATION <insert link to before-migration instructions on your SharePoint site> to prepare for your migration.You can also preview what you will need to do after your mailbox has been migrated. See ACTIONREQUIRED AFTER MIGRATION <insert link to after-migration instructions on your SharePoint site> to preview this information.If you have any questions, check the Microsoft Exchange Online FAQ <insert link to Microsoft Online Exchange FAQ> and the Microsoft Exchange Online Known Issues <insert link to ExchangeOnline Known Issues>, or contact support <insert your support contact information>.Thank you,<Your Migration or Support Contact Alias>
1 Week Prior to Migration Date: Send General Email
The following is a sample email for the administrator to send to everyone who has completedthe migration survey and is ready to migrate. Instructions for taking the migration survey areincluded in the ACTION REQUIRED BEFORE MIGRATION.
188Microsoft Office 365 Deployment Guide for Enterprises | December 2011
Subject: NOTIFICATION: We are migrating your mailbox to Microsoft Exchange Online!Congratulations! Your mailbox is ready to be migrated on <Date>.You can continue to use your current mailbox as usual until your mailbox is migrated to ExchangeOnline. After your mailbox has been migrated, you will receive a Welcome email with your Office365 logon credentials and a link to instructions describing how to set up and use your new Microsoft Online mailbox. For a preview of those instructions, see ACTION REQUIRED AFTERMIGRATION <insert link to after-migration instructions on your SharePoint site>.If you have any questions, check the Microsoft Exchange Online FAQ <insert link to ExchangeOnline FAQ> and the Exchange Online Known Issues <insert link to Microsoft Online KnownIssues>, or contact support <insert your support contact information>.Thank you,<Your Migration or Support Contact Alias>
1 Week Prior to Migration Date: Send Manager and Support Mail
The following is a sample email for the administrator to send to the managers of the employeeswhose mailboxes are being migrated, and the designated migration administrators and supportpeople.
Subject: NOTIFICATION: These people will be migrated to Microsoft Exchange Online on <Date>.The following people will be migrated to Microsoft Exchange Online on <Date>:Employee
Comment
Shola Aluko Jesper HessMigration will begin at <Time> on <Day> and is expected to be completed by <Time>, <Day>.The employees whose mailboxes are being migrated will receive a reminder email the day beforetheir migration. When their migration is complete, they will receive a Welcome email withinstructions describing how to use their Microsoft Exchange Online mailbox.The following people will be performing the migration: Administrator 1: <Name> Administrator 2: <Name> Administrator 3: <Name>
189Microsoft Office 365 Deployment Guide for Enterprises | December 2011
The following Support people will be available by phone, <phone number> and by email <Support Alias>.Support Person 1: <Name>Support Person 2: <Name>Support Person 3: <Name>Support coverage will begin at <Start Time> and run through <End Time> until this group hasbeen successfully migrated.If you have any questions, check the Microsoft Exchange Online FAQ <insert link to ExchangeOnline FAQ> and the Exchange Online Known Issues <insert link to Exchange Online KnownIssues>, or contact support <insert your support contact information>.Thank you,<Your Migration or Support Contact Alias>
1 Day Prior to Migration Date: Send General Mail
The following is a sample email for the administrator to send to everyone who has completedthe migration survey and is ready to migrate. Instructions for taking the migration survey areincluded in the ACTION REQUIRED BEFORE MIGRATION document.
Subject: REMINDER: We will migrate your mailbox to Microsoft Exchange Online tomorrow!Migration will begin at <Time> and is expected to be completed by <Time>. Support will beavailable by phone, <phone number> and by email <Support Alias>.You can continue to use your current mailbox as usual until your mailbox is migrated to ExchangeOnline. After your mailbox has been migrated, you will receive a Welcome email with your Microsoft Online logon credentials and a link to the instructions describing how to set up and use your new Microsoft Online mailbox. For a preview of those instructions, see ACTION REQUIRED AFTER MIGRATION <insert link to after-migration instructions on your SharePoint site>.If you have any questions, check the Exchange Online FAQ <insert link to Exchange Online FAQ>and the Exchange Online Known Issues <insert link to Microsoft Online Known Issues>, or contact support <insert your support contact information>.Thank you,<Your Migration or Support Contact Alias>
190Microsoft Office 365 Deployment Guide for Enterprises | December 2011
After Migration: Send User Welcome Email
The following is a sample email for the administrator to send to everyone who has beensuccessfully migrated after the migration team has verified that the mailbox migration andforwarding has been successfully accomplished. It can be emailed or printed and distributed byhand.
Subject: ACTION REQUIRED: Get connected to Microsoft Exchange Online!Congratulations! Your mailbox has been successfully migrated to Microsoft Exchange Online.Your new logon credentials are:User name: <username>@example.comTemporary password: <password>There are many tasks that you must perform now that your email has been migrated. Werecommend setting aside two or three hours to complete them. To review the instructions and perform the tasks, see ACTION REQUIRED AFTER MIGRATION <insert link to after-migrationinstructions>.If you have any questions, check the Exchange Online FAQ <insert link to Microsoft Online FAQ>and the Exchange Online Known Issues <insert link to Exchange Online Known Issues>, or contact support <insert your support contact information>.Thank you,<Your Migration or Support Contact Alias>
191Microsoft Office 365 Deployment Guide for Enterprises | December 2011
14
Appendix H: Post-deployment Services TestPlan
The following is an example of a post-deployment test plan that you can use to verify thefunctionality of Office 365 service offerings.
Post-Migration Services Test Plan
StatusDirectory Synchronization (DirSync) ToolFunctionalityOwner Notes
Not StartedCreate user object to verify DirSync accountcreation3 hour replication interval or force DirSyncNot StartedModify user object to verify DirSyncattribute modification3 hour replication interval or force DirSync
Status End-User Acceptance Owner Notes
Not Started Install and run Office 365 Desktop Setup Download from Microsoft OnlineNot Started Configure OutlookNot StartedOpen Outlook and verify connectivity toExchange OnlineNot Started Launch customer online portalNot StartedAuthenticate using Outlook Web Appverifying URLNot StartedLaunch customer online portal verifyingURLNot Started Launch customer SharePoint verifying URLNot Started Perform necessary updates to internal URLs
Status Individual User Mailbox Migration Owner Notes
Not Started
Create user’s profile and point to the
Office365 serviceNot StartedPermission to their own mailbox post-migration and can read/send emailNot StartedPermission to Shared Mailboxes post-migration and can read/send emailSend-As only available with post-migrationscriptNot StartedUser has ability to sync their BlackBerrydevice post-migration via
RIM’s
BlackBerryBusiness Cloud ServiceNot StartedMigration of delegate permissionsApplicable based on migration toolcapabilitiesNot StartedNo unexpected NDRs for user post- Scope will need to be defined as some NDRs
192Microsoft Office 365 Deployment Guide for Enterprises | December 2011migration will occur
Status Email Owner Notes
Not StartedSend and receive email messages tomigrated usersNot StartedSend and receive email messages to non-migrated usersNot StartedSend and receive email messages toexternal usersNot Started Send email to Distribution ListNot Started Reply to email from migrated usersNot Started Reply to email from external usersNot Started Non-migrated user reply to email Sent from migrated user prior to migrationNot Started Recover deleted item from the Recycle BinNot Started Email access with Outlook Web AppNot Started Reply to an email with a Distribution ListNot Started Incoming mail from an external user To both Distribution List and User
Status Calendaring Owner Notes
Not Started Meetings have been migratedNot StartedBook a meeting in a migrated conferenceroomNot StartedMeeting request can be accepted for anavailable conference roomNot StartedMeeting request is not accepted for a pre-booked conference roomNot StartedRemote booking agent is functional whereappropriateNot StartedUpdated meeting requests notify allattendeesNot StartedView details of free/busy information forthose permittedNot StartedView secondary calendar side-by-side forthose permitted
Status Mobile Devices Owner Notes
Not StartedEmail sent from Exchange arrives at amobile deviceNot StartedEmail sent from a mobile device arrives in
193Microsoft Office 365 Deployment Guide for Enterprises | December 2011ExchangeNot StartedDelete mail item from supported mobiledevicesNot StartedCreate calendar item from supportedmobile devices
Status Message Archiving (Optional) Owner Notes
Not Started Verify inbound emails are archivedNot Started Verify outbound emails are archivedNot StartedVerify internal emails are archivedWith emails which do not contain any externalrecipients in To/CC/BCC fields.Not StartedVerify the members of Archive Group DLThe number of users should be the same withthe number of users in Administration Centerif you archive all.Not StartedVerify search functionality is present andworks correctly for title, message bodyNot Started Verify email is encrypted in transitNot StartedVerify authorized export users can export to.PST fileNot Started Verify ad hoc searches workNot Started Verify nightly harvest is occurringNot StartedVerify keyword and percentage samplingworkNot StartedVerify message review and escalationprocess work
Status Lync Online Conferencing Notes
Not Started Create a ConferenceNot Started Invite people to a conferenceNot Started Initiate a Conference
194Microsoft Office 365 Deployment Guide for Enterprises | December 2011
Status SharePoint Notes
Not Started
Site collection
Not Started Create siteNot Started Create site collectionNot Started Add user to site collectionNot Started Remove user from a site collectionNot StartedCreate new group for a site collection andadd userNot Started
Users and groups
Not Started Add user to siteNot Started Remove user from a siteNot Started Create new group for a site and add userNot Started
Publishing
Not Started Publish a blogNot Started Publish an RSS feedNot Started Remove RSS viewer Web partNot Started
Documents
Not Started Create document libraryNot Started Create documentNot Started Upload document to libraryNot Started
Lists
Not Started Create listNot Started Add list itemsNot StartedAdd approval workflow to list, library, orcontent typeNot Started Remove approval workflow from above listNot Started
Searches
Not Started Perform document searchNot Started Perform people searchNot Started
Bulk Upload content
Not Started Upload calendar information from OutlookNot Started Upload Contacts from OutlookNot Started Upload document libraries
195Microsoft Office 365 Deployment Guide for Enterprises | December 2011
15
Appendix I: Glossary
Active Directory Federation Services (AD FS):
AD FS provides the various end-points that theMicrosoft Federation Gateway uses to redirect clients to the AD FS server for different types of authentication. AD FS must be installed on a separate physical server that is a part of your on-premises network organization.
Active Directory Federation Services configuration database:
A database used to store allconfiguration data that represents a single AD FS 2.0 instance or Federation Service. Thisconfiguration data can be stored using the Windows Internal Database (WID) feature includedwith Windows Server 2008 and Windows Server 2008 R2 or using a SQL Server® database.
Autodiscover:
The Exchange Autodiscover service automatically finds the correct MicrosoftExchange Server host and configures Microsoft Office Outlook 2010 or Outlook 2007 for yourusers. It also includes an offline address book and the Free-Busy availability service that providesavailability information for your users.
BPOS (Business Productivity Online Standard Suite):
This is the acronym for the first versionof the cloud-based, multi-tenant productivity suite from Microsoft Online Services. The BPOSservice offering is being replaced by Office 365 service offerings.
Comma separated value (CSV) file
: A text file in which each value is separated by a comma. Itis typically used as an input file for a software program or script.
CNAME record:
A Canonical Name (CNAME) record is a type of resource record in the DomainName System (DNS) that is an alias for the Address (A) record that maps an IP address to thetarget server. The target server does not have to exist in the same domain as the CNAME recorditself. You can define an alias in one domain to point to a target server in a completely differentdomain. Many organizations use CNAME records with web servers. An organization might pointthe alias www to a Web server that is hosted by a dedicated Web hosting company. Forexample, requests for http://www.contoso.com can be redirected to webserver1.fabrikam.com
Deployment Consultant:
The Deployment Consultant (Microsoft or partner) is the primaryresource for customers to work with on technical and project related items. The DeploymentConsultant is the primary contact for your Technical Lead.
Directory synchronization (DirSync):
Active Directory synchronization (DirSync) replicates an
organization’s
on-premises Active Directory information for mail-enabled objects to the Office365 environment. Using the Microsoft Online Services Directory Synchronization Tool, your
company’s administrators can keep your local Active Directory continuously synchronized with
Office 365. This not only allows you to create synchronized versions of each user account andgroup, but also allows global address list (GAL) synchronization from your local Microsoft
196Microsoft Office 365 Deployment Guide for Enterprises | December 2011
Exchange Server environment to Microsoft Exchange Online. Organizations deployingcoexistence must deploy DirSync on a separate, on-premises server. The synchronization fromyour on-premises Active Directory to the Office 365 Active Directory environment is one way.
Domain registrar:
A domain name registrar is an organization or commercial entity, accreditedby the Internet Corporation for Assigned Names and Numbers (ICANN) or by a national countrycode top-level domain (ccTLD) authority, to manage the reservation of Internet domain namesin accordance with the guidelines of the designated domain name registries and offer suchservices to the public.
Email coexistence:
Email coexistence enables organizations with on-premises Exchange Serveremail environments to establish a connection between their on-premises mail environment andthe Office 365 Exchange Online mail environment. With coexistence configured, some usersconnect to Exchange Online while others continue to use the local Exchange Serverenvironment, and all of the users can share the same email domain name. Email coexistence canbe configured as eithersimple coexistenceor as ahybrid deployment.
Exchange Management Shell:
The command-line interface for Exchange Server 2010 and 2007.
Exchange Control Panel (ECP):
This Web-based console is used to manage the ExchangeOnline environment. The ECP can be accessed through the Admin area of the Microsoft OnlineServices Portal.
Exchange Hosted Archive:
Part of the Exchange Hosted Services (EHS) network, EHA provides arepository that stores email. Using EHA, organizations can manage increasingly complexretention, compliance, and regulatory requirements. The EHA systems receive a message andafter being filtered the clean message is delivered to the corporate mail server. A copy is madeand stored in a security-enhanced online message repository.Note: EHA was an option in the BPOS service and is no longer available with Office 365.Exchange Online Archive can be used instead.
Exchange Online:
A hosted email and messaging service built on Microsoft Exchange Serverand offered by Office 365. For organizations using on-premises Exchange Server and Exchange
Online, Exchange Online is sometimes referred to as their “cloud
based Exchange organization.”
External relay:
A configuration option in Microsoft Online Services Portal when mailboxes for adomain are hosted outside of Exchange Online and the MX record points to an email serveroutside of Exchange Online. Selecting this option requires disabling of inbound messaging.
Federation Service:
A logical instance of AD FS 2.0. A Federation Service can be deployed as astand-alone federation server or as a load-balanced federation server farm. You can configurethe name of the Federation Service using the AD FS 2.0 Management snap-in. The DNS name of the Federation Service must be used in the Subject name of the SSL certificate.
197Microsoft Office 365 Deployment Guide for Enterprises | December 2011
Federation server:
A computer running Windows Server 2008 or Windows Server 2008 R2 thathas been configured to act in the federation server role. A federation server serves as part of aFederation Service that can issue, manage, and validate requests for security tokens and identitymanagement. Security tokens consist of a collection of claims, such as a user’s name or role.
Federation server farm:
Two or more federation servers in the same network that areconfigured to act as one Federation Service instance.
Federation server proxy:
A computer running Windows Server 2008 or Windows Server 2008R2 that has been configured to act as an intermediary proxy service between a client on theinternet and a Federation Service that is located behind a firewall on a corporate network. Inorder to allow remote access to the services in Office 365, such as with a smart phone, homecomputer, or Internet kiosk, you need to deploy a federation server proxy.
FOPE Administration Center:
The service management site for Microsoft ForeFront OnlineProtection for Exchange.
Hybrid Deployment:
A hybrid deployment is an email coexistence configuration offersExchange organizations the ability to extend the feature-rich messaging experience andadministrative control they have with their existing on-premises Exchange Server organization toOffice 365 and Exchange Online. A hybrid deployment provides the seamless look and feel of asingle Exchange organization between an on-premises organization and an Office 365organization. In addition, a hybrid deployment can serve as an intermediate step to movingcompletely to Exchange Online. A hybrid deployment offers a unified global address list (GAL)and mail routing between the on-premises and Office 365 organizations plus additionalmessaging features typically available in an on-premises Exchange deployment, includingsharing free/busy and calendar information between the organizations and the ability to movemailboxes from the on-premises organization to the Office 365 organization.
Hybrid Server:
A hybrid server is an Exchange Server 2010 SP1 server that is installed in yourexisting Exchange organization. It is required for hybrid deployments. The hybrid server enablesmessaging features and messaging delivery between your existing Exchange organization andthe Office 365-based Exchange organization.
Identity federation:
Identity federation provides a true single sign-on (SSO) experience forusers to access both the on-premises and Office 365 service offerings with a single user nameand password. Additionally, identity federation allows administrators to easily control accountpolicies for Office 365 mailboxes by using on-premises Active Directory management tools.
Internet Message Access Protocol (IMAP)
: This is an application-layer Internet standardprotocol used by on-premises email clients to retrieve email from a remote server over a TCP/IPconnection. Microsoft Online supports email data migration from IMAP4 environments.
Advertisements

1 thought on “Office 365 Deployment”

  1. I rarely create responses, however i did some searching and wound up here Office
    365 Deployment Mshiyas Blog. And I actually do have some questions for
    you if you do not mind. Could it be only me or does it look as if like some of
    these responses look as if they are left by brain dead folks?
    😛 And, if you are posting on additional places,
    I would like to keep up with everything new you
    have to post. Could you list of every one of your communal sites like your Facebook
    page, twitter feed, or linkedin profile?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s