Office 365 Deployment

Hi,

Here am explaining how the Office 365 will establish in your organization.

Courtsey- http://www.scribd.com/doc/88442584/68/Dynamic-Distribution-Groups#outer_page_112

 

Customer Environment Discovery

It is important at the outset of your deployment project to gather and capture information

about your existing IT environment. This process is commonly called “discovery.” Discovery

activities provide a comprehensive and up-to-date record of the technology solutionsimplemented by our organization.You should gather information in the following areas:

On-premises infrastructure servers and components

Network architecture and DNS

Authentication solutions

Directory design

Bandwidth

Mail routing

Certificates

Hardware and software

Mail and other client applications

Mail archiving and compliance

Mobile devices

24Microsoft Office 365 Deployment Guide for Enterprises | December 2011

3.3.1

Office 365 Deployment Readiness Tool

The Office 365 Deployment Readiness Tool is available to assist you with discovery activitiesrelated to Office 365 deployments. The tool can be used to check and provide information in thefollowing areas in your on-premises environment:

Domains

Email domains and number of users for each domain

User identity and account provisioning

Statistical information

Active Directory schema data

Forest and domain functional data

Trusts and multi-forest constraints

Directory Synchronization pre-requisite checks and attribute assessment

Attribute assessment and readiness for single sign-on

Exchange Online

Statistical information

Public folder, public delegates, and proxyAddresses

Third-party and unified proxyAddresses information

SharePoint Online

User object count

Lync Online

Statistical information

Summary of SIP domains

Client and end-user experience

Summary of domain joined machines for rich experience and single sign-onreadiness

Networking

Port analysis on specific Office 365 endpoints

DNS records

External DNS records

TXT(DomainValidation)

This record is used for domainvalidation. It proves that you own thedomain but it doesn’t direct incomingmail for the domain to Office 365service offerings.Host: @ (domain name)TXT Value: <text string>The values that you need to enter areprovided to you by the Microsoft OnlineServices Portal add domain wizard.

Note:

The wizard also gives you the optionof using a MX record for domain validation

CNAME(ExchangeOnline)

This record allows Office Outlookclients to connect to the ExchangeOnline service by using theAutodiscover service. Autodiscoverautomatically finds the correctExchange Server host and configuresOutlook for the users.Alias: AutodiscoverTarget: autodiscover.outlook.comFor more information, seeUse a CNAMERecord to Enable Outlook to Connect

.

MX(ExchangeOnline)

This value directs all incoming mailfor the domain to the ExchangeOnline service.Domain: contoso.comTarget Server <MX token>.mail.eo.outlook.comPreference: 10

SPF (TXT)(ExchangeOnline)

This sender policy framework (SPF)record identifies which of your emailservers are authorized to transmitemail from your domain. This helps toprevent others from using yourdomain to send SPAM or othermalicious email.Values: v=spf1 include:outlook.cominclude: spf.messaging.microsoft.com ~all.For more information, see

Use an SPFRecord to Validate E-mail Sent from YourDomain. Only existing FOPE customers need

“

include: spf.messaging.microsoft.com

”

Note

: If the firewall or proxy server blocksTXT lookups on an external DNS, thisrecord should also be added to the internalDNS record.

SRV(LyncOnline)

This value is for SIP federation andallows your Office 365 domain toshare instant messaging (IM) featureswith clients other than Windows LiveMessenger.Service: _sipfederationtlsProtocol: TCPPriority: 10Weight: 1Port: 5061Target: Sipfed.online.lync.com

Note:

If the firewall or proxy server blocksSRV lookups on an external DNS, thisrecord should also be added to the internalDNS record.

SRV(LyncOnline)

This SRV record is used by MicrosoftLync Online to coordinate the flow of information between Lync clients.Service: _sipProtocol: TLSPriority: 100Weight: 1Port: 443Target: sipdir.online.lync.com

CNAME(LyncOnline)

This CNAME record is used by theLync 2010 client to discover the LyncOnline service and sign in.

Alias: sipTarget: sipdir.online.lync.comFor more information, seeEnsuring YourNetwork Works With Lync Online

CNAME(LyncOnline)

This CNAME record is used by theLync 2010 mobile client to discoverthe Lync Online service and sign in.

Alias: lyncdiscoverTarget: webdir.online.lync.com

Host (A)

This record is used for single sign-on.It indicates the end point for your off-premises users (and on-premisesusers if you choose) to connect toyour AD FS federation server proxiesor load-balanced VIP.Target (example): sts.contoso.com

TXT(ExchangeFederation)

Exchange federation for hybriddeploymentTXT record 1: contoso.com and associatedcustom-generated domain proof hash (ex.

“Y96nu89138789315669824”)

TXT record 2:exchangedelegation.contoso.com andassociated custom-generated domainproof hash (for example,

“Y3259071352452626169”)

 MX(ExchangeFederation)

Office 365 Service Record for maildelivery (MX)Domain (example): service.contoso.comTarget Server <MX token>.mail.eo.outlook.comPreference: 10

CNAME(ExchangeFederation)

This record allows Office Outlookclients to connect to the ExchangeOnline service by using theAutodiscover service. Autodiscoverautomatically finds the correctExchange Server host and configuresOutlook for the users.Alias

(example)

:Autodiscover.service.contoso.comTarget: autodiscover.outlook.comFor more information, seeUse a CNAMERecord to Enable Outlook to Connect

Federation Server Certificates

SSL certificate(also called aServerAuthenticationCertificate)

This is a standardSecure SocketsLayer (SSL)certificate that isused for securingcommunicationsbetweenfederationservers, clients,and federationserver proxycomputers.AD FS 2.0 requires an SSL certificate when configuringfederation server settings. By default, AD FS 2.0 uses the SSLcertificate configured for the Default Web Site in the InternetInformation Services (IIS).The subject name of this SSL certificate is used to determinethe Federation Service name for each instance of AD FS 2.0that you deploy. For this reason, you may want to considerchoosing a subject name on any new CA-issued certificatesthat best represents the name of your company ororganization to Office 365 and this name must be internetroutable.

Warning:

AD FS 2.0 requires this SSL certificate to be withouta dotless (short-name) subject name.

Recommendation:

Because this certificate must be trustedby clients of AD FS 2.0, use an SSL certificate that is issued bya public (third-party) certification authority (CA) or by a CA.

Domain Controller Requirements

Table 6 lists the requirements for domain controllers deployed in your Active Directory forest(s)that communicate with the Office 365 environment.

Table 6. Domain Controller Requirements

Component

Requirements

Schema master



32-bit or 64-bit edition of the Windows Server 2003 SP1 Standard orEnterprise operating system



32-bit or 64-bit edition of the Windows Server 2008 Standard orEnterprise operating system



64-bit edition of the Windows Server 2008 Standard R2 or Enterpriseoperating system

Global catalog server

In every Active Directory site where you plan to install the Exchange 2010 SP1hybrid server, you must have at least one global catalog server configured asfollows:



32-bit or 64-bit edition of Windows Server 2003 SP2 Standard orEnterprise



32-bit or 64-bit edition of Windows Server 2008 Standard or Enterprise



64-bit edition of Windows Server 2008 R2 Standard or Enterprise

Active Directory forest



Windows Server 2003 forest functional mode or higher

Domain controller



32-bit or 64-bit Windows Server 2003 Standard Edition or EnterpriseEdition with Service Pack 1 (SP1)



32-bit or 64-bit edition of the Windows Server 2008 Standard orEnterprise, Windows Server 2008 R2 Standard or Enterprise, orWindows Server 2008 Datacenter or Windows Server 2008 R2Datacenter

3.7.3.5

Active Directory Cleanup

It is highly recommended that you prepare your Active Directory forest prior to beginning yourOffice 365 deployment.Your directory remediation efforts should focus on the following tasks:



Remove duplicate proxyAddress and userPrincipalName attributes.



Update blank and invalid userPrincipalName attributes with a valid userPrincipalName.



Remove invalid and questionable characters in the givenName, surname (sn),sAMAccountName, displayName, mail, proxyAddresses, mailNickname, anduserPrincipalName attributes. SeeAppendix F: Directory Object Preparationlater in thisdocument for details on preparing attributes.

 Namespace Considerations and Acceptable Domains

Previously, Active Directory Federation Services only allowed for one namespace perfarm/instance (for example,

contoso.com

). Therefore if your organization maintains multipleunique namespaces (for example,

contoso.com

and

fabrikam.com

) you would need two AD FSfarms deployed in order to provide authentication for each namespace.There is now a update rollup for AD FS 2.0 that works in conjunction with the

“SupportMultipleDomain” switch to enable support

for multiple unique namespaces withoutrequiring additional AD FS 2.0 servers.See the Help articleSupport for Multiple Top Level Domainsfor more information on multipletop-level domain support.

Note

: If your organization owns and manages a primary domain with subdomains(contoso.com/corp.contoso.com) you will also not require a separate AD FS farm.Only routable domains can be used with an AD FS deployment. Examples of non-routabledomains:



.local



.loc



.internalThe domain extensions that use internal namespaces such as .local, .internal, and .int are notroutable on the Internet and would not be acceptable domains for your AD FS deployment. If your organization implements Active Directory with an internal namespace only, you will need toadd a UPN suffix in Active Directory Forests and Trusts that is routable (for example,contoso.com) as well as configure each user with that UserPrincipalName suffix. For example,

johnsmith@contoso.internal

would need to be modified to

johnsmith@contoso.com

.

Important:

Before making any changes to your users

’

userPrincipalName

attribute it iscritical that you validate that there are no applications that are dependent on the existinguserPrincipalName value such as smart cards, certificates, Unix, or Linux.

3.7.4.9

Deploying Federated and Standard Identities Together

When enabling single sign-on, you cannot mix or match users within a single namespace contoso.com) in the manner that some users utilize a federated identity (single sign-on) andother users use the Microsoft Online Service ID (Office 365 “cloud” identity). For instance, if youregister the domain name

contoso.com

, all sub domains (for example,

northamerica.contoso.com

)are automatically configured as identity federated domains.

Note

: If your organization would like to deploy a hybrid of federated and standard identities,you must configure two separate namespaces to achieve this goal. For example, contoso.commight be used for federated identities and fabrikam.com used for standard identities.

Backup and Restore

To guard against the impacts of a complete outage of your Active Directory federation servers, itis highly recommended that you have a backup and restore plan in place to allow for rapidrecovery of your AD FS environment. In a catastrophic event where your servers cannot berestored, your backup and restore plan can enable you to reinstall your AD FS environment andre-enable single sign-on by following the steps provided in the Prepare phase of this document.

Note

: You will need to run the Update-MSOLFederatedDomain PowerShell commandletprovided by the Microsoft Online Services Module for Windows PowerShell to restore yourAD FS configuration.

Directory Synchronization Tool

Directory synchronization is the synchronization of directory objects (users, groups, andcontacts) from your on-premises Active Directory environment to the Office 365 directoryinfrastructure. The Microsoft Online Services Directory Synchronization Tool is used to performthis synchronization. You install the tool on a dedicated computer in your on-premisesenvironment.Before you use the Directory Synchronization Tool, you must first edit objects you want tosynchronize (user accounts and email-enabled contacts and groups) using Active DirectoryUsers and Computers MMC snap-in or via scripting.

3.7.5.1

About the Directory Synchronization Tool

When you first run the Directory Synchronization Tool, it writes a copy of each user account andall mail-enabled contacts and groups to the directory created for your organization in Office365. Directory synchronization can also provide Global Address List synchronization between theon-premises Exchange Server environment and Exchange Online.When user accounts are synchronized with the Office 365 directory for the first time, they aremarked as non-activated. They cannot send or receive email and they do not consumesubscription licenses. When you are ready to assign Office 365 subscriptions to specific users,you must select and activate these users by assigning a valid license.The Directory Synchronization Tool enables the following features and functionality:



Single sign-on.



Lync Online coexistence.



Exchange hybrid deployment including:

o

Fully shared global address list (GAL) between your on-premises Exchangeenvironment and Exchange Online.

o

Global address list unification of different mail systems with simple email coexistence.

The ability to onboard users to and offboard users from Office 365 service offerings.This requires two-way sync (write-back) enabled in Active Directory synchronizationand an Exchange hybrid server deployment on-premises.

o

The ability to move some user mailboxes to Office 365 while retaining other usermailboxes on-premises.

o

Safe senders and blocked senders on-premises are replicated and respected inExchange Online.

o

Delegation/Send on behalf of (limited).



Synchronization of photos and thumbnails, conference rooms, and security groups(rights in SharePoint Online)



Filtering and scoping (available soon). For more information see the Help topicConfigureFiltering for Directory Synchronization. There is also a 64-bit version of the Directory Synchronization Tool available.To learn more about the Directory Synchronization Tool, see the Help topicsInstall the MicrosoftOnline Services Directory Synchronization toolandDirectory Synchronization tool 64-bitsupport. 3.7.5.1.1

Required Permissions for InstallationIn order to install the directory synchronization tool you will need Enterprise Admin rights onlyduring the installation process. Post-installation a non-privileged Active Directory account willbe required. This account is created automatically at the time of Directory Synchronizationinstallation.

3.7.5.2

Number of Objects to Synchronize

The Microsoft Online Services Directory Synchronization Tool enables you to perform directorysynchronization between your on-premises Active Directory service and Microsoft OnlineServices. Before deploying the Directory Synchronization Tool, you need to determine how manyobjects in your environment will be included in synchronization with your Office 365 directory.

Note

: If your Active Directory service contains more than 20,000 objects, you will need tocontact the Office 365 support team, open a service request, and indicate the number of objectsyou need to synchronize. You can use theDeployment Readiness Toolto help assess how manytotal Active Directory objects, and specifically user objects, are stored in your Active Directoryforest.



The initial synchronization copies user accounts, mail-enabled contacts and groups from youron-premise Active Directory environment to Office 365. Depending on the number of objects and the available network bandwidth, you may want to schedule this first synchronization for aperiod of low network activity. Subsequent synchronizations copy only the incremental changesto the individual objects that have a minimal impact on network utilization.

Exchange Server Migrations

If your organization is using Exchange Sever 2010, Exchange Server 2007, Exchange Server 2003,or Hosted Exchange, you have several ways to migrate mailbox data. Table 12 describes them.The

Microsoft Office 365 Deployment Guide

for Enterprises

is primarily focused on mailboxmigrations for Exchange hybrid deployments.

Table 12. Types of Exchange Server Migrations

Type Description Tools/Methods

Cutover ExchangeMigration(Simple Migration)

Intended for small organizations that desirea quick cutover, with no coexistence, fromtheir existing Exchange mail environment toExchange Online. All on-premises mailboxesare migrated in preparation for moving yourentire email organization to ExchangeOnline. You can migrate a maximum of 1,000 mailboxes from your on-premisesExchange organization to Exchange Online.User identities are automatically provisionedby the tool. After cutover, identity federationmay be deployed.Email Migration tool via theExchange Control Panel.For step-by-step instructions,seeMigrate All ExchangeMailboxes to the Cloud.

Staged Migration

Conference Rooms and Resource Mailboxes

Conference room mailboxes represent a company’s meeting rooms or other facilities. Users can

reserve rooms by adding the conference room email alias to meeting requests in Outlook orOutlook Web App. Conference rooms appear in the Global Address List in Outlook and OutlookWeb App, and administrators can create conference rooms in the Exchange Control Panel orthrough Remote PowerShell. Administrators can also use the Directory Synchronization Tool tosynchronize conference rooms from on-premises Active Directory. The mailbox quota forconference rooms is 250 MB. Conference rooms do not require a user subscription license.For more information, see the Help topicCreate a New Room Mailbox.

3.8.16.1

Resource Booking Attendant

Exchange Online includes the Resource Booking Attendant (RBA), which helps to automate thescheduling of conference rooms. A conference room mailbox that is Resource BookingAttendant -configured automatically accepts, declines, or acknowledges meeting requests basedon its calendar availability. Through the Outlook Web App Options page, administrators cancustomize automated conference room responses and configure booking policies. Thesepolicies include who can schedule a conference room, when it can be scheduled, what meeting

information is visible on the resource’s calendar, and what percentage of scheduling conflicts is

allowed. Administrators can disable the Resource Booking Attendant and assign specific users tomanually manage meeting requests for conference rooms.For more information, see the Help topicConfigure Resource Mailbox Options.

3.8.16.2

Outlook 2010 Room Finder

Exchange Online supports the Room Finder feature of Outlook 2010, which arranges rooms into

lists (for example, a list called “Building 5 rooms”) to make it easier to find a nearby room when

scheduling a meeting. To appear in the room list, a distribution group must be specially markedusing one of two methods:



A new room list can be created using Remote PowerShell (see the TechNet articleCreatea Room List Distribution Group).



Any distribution group that contains only rooms can be converted to a room list through Remote powershell

Prepare Phase

In the Prepare phase of your deployment project, you will begin to take the steps to configure

your organization’s environment for integration with the Office 365 environment.

Figure 11 illustrates the high-level sequence of tasks that you will carry out during this phase toset up Exchange hybrid deployment.

Figure 11. High-level tasks for Exchange hybrid deployment

4.1

Key Activities Summary

The following are the key deployment tasks and events that your carry out in the Prepare phase:



Add and verify your domain name with Office 365

You must add your domain to Office 365 and then create the DNS records to configureyour company domain name for use with Office 365 services.

 Key Activities Summary

The following are the key deployment tasks and events that your carry out in the Prepare phase:



Add and verify your domain name with Office 365

You must add your domain to Office 365 and then create the DNS records to configureyour company domain name for use with Office 365 services.

Prepare your on-premises Active Directory for directory synchronization

Successful directory synchronization between your on-premises Active Directoryenvironment directory and Office 365 requires that your on-premises directory objectsand attributes are properly prepared.



Enable single sign-on (identity federation)

To enable single sign-on, you must deploy and configure Active Directory FederationServices servers on-premises.



Install the Directory Synchronization Tool and perform synchronization

Directory synchronization enables you provision user accounts for an Exchange hybriddeployment and simple coexistence, and is mandatory for single sign-on (identityfederation).



Configure email coexistence

You install and configure an Exchange 2010 hybrid server on-premises to enablecommunication between your existing Exchange servers and Exchange Online.



Configure Lync Online

You optimize your network for Lync conferencing, configuring domain federation andpublic IM connectivity settings.



Configure SharePoint Online

You prepare for deployment of any custom SharePoint solutions and migration of existing SharePoint content.



Deploy client applications and the Office 365 desktop setup

A hybrid deployment requires that rich client applications are deployed and installed on

users’ PCs

. The Office 365 desktop setup is deployed to ensure that client applicationsare properly updated and configured for Office 365.



Perform mailbox size reduction

To improve migration velocity of mailbox content, you may need to reduce the size of user mailboxes.



Prepare customer service desk

Your service desk must be trained to support Office 365 service offerings.



Test and validate email migration and coexistence

Prior to velocity migrations, you set up test user accounts to validate that migrationprocesses and that the Exchange hybrid deployment are properly functioning.



Complete the migration groups and migration schedule

Finalize the groups of users, resources, and shared mailboxes that will be moved at eachmigration window.

4.2

Network and Naming Services Tasks

This section describes the tasks you must perform to configure networking and DNScomponents for an Exchange hybrid deployment.

112Microsoft Office 365 Deployment Guide for Enterprises | December 2011

4.2.1

Add Domain and Verify Ownership

This topic describes the process

of adding a domain that you already own to Office 365. Whenyou add a domain to Office 365 you can create email addresses, Microsoft Lync Online accounts,and distribution lists that use your own domain name. You can also use your domain to host awebsite on Microsoft SharePoint Online.To add a domain, you do the following:



Add and verify your domain name with Office 365



Create the DNS records that are required to route domain traffic to your Office 365service. These are the DNS records that are required for routing inbound email toMicrosoft Exchange Online.Office 365 offers domain verification procedures that are specific to some of the most populardomain registrars. Visit theMicrosoft Online Services Forumsor contact the Office 365 supportteam to see if there is a procedure for your domain registrar. However, the procedure in thissection can be used with

any

domain registrar.You only need to add and verify a domain once. If someone else in your organization hasalready added and verified the same domain, you will receive a message noting this.To add a domain to Office 365, you use the domain wizard at the Microsoft Online ServicesPortal.

►

To add a domain and verify domain ownership

1.

Log on to theMicrosoft Online Services Portalwith your Office 365 administratorcredentials.2.

In the portal header, click

Admin.

3.

Under

Management

, click

Domains

.4.

Click

Add a domain

.5.

Type the name of the domain you would like to add (for example,

contoso.com

).6.

Click

Next.

7.

Click

Verify

domain.8.

From the table on the

Verify domain

page, record the following information:

o

Alias or Host Name

o

Destination or Points to AddressNow you will add the DNS record for your domain name at your domain registrar.

4.2.2

Change DNS Records at Domain Registrar

The following procedure describes the process to register a TXT or MX record for your company.

113Microsoft Office 365 Deployment Guide for Enterprises | December 2011

Note

This process requires you to access the domain account with your domain registrar.Contact the domain registrar if you need help accessing your domain account. You may

notice differences between your domain name registrar’s

process and those described inthese instructions.

►

To change your DNS records at your domain registrar

1.

Sign in to your domain name registrar’s website, and then select the domain that you

areverifying.2.

In the DNS management area for your account, select the option to add a

TXT

record foryour domain.3.

In the

TXT

box for the domain, type or paste the alias or host name that you recorded inthe previousAdd Domain and Verify Ownershipsection.4.

In the

Fully qualified domain name (FQDN)

or

Points to

box, type or paste theDestination or Points To Address that you recorded in theAdd Domain and VerifyOwnershipsection.5.

Where it asks for TTL information, type

1

to set TTL to

1 hour

.6.

Save your changes, and then sign out of your domain name registrar’s w

ebsite.7.

Wait 15 minutes. If you are still signed in to the Microsoft Online Services Portal click

Verify.

8.

After your domain is verified, click

Close.

If you prefer, you can use the following procedure to instead create an MX record to verify yourdomain in Office 365.1.

Sign in to your domain name registrar’s website, and then select the domain that you

areverifying.2.

In the DNS management area for your account, select the option to add a

MX

record foryour domain.3.

In the

MX

box for the domain, type or paste the alias or host name that you recorded inthe previousAdd Domain and Verify Ownershipsection.4.

In the

Fully qualified domain name (FQDN)

or

Points to

box, type or paste theDestination or Points To Address that you recorded in theAdd Domain and VerifyOwnershipsection.5.

Where it asks for TTL information, type

1

to set TTL to

1 hour

.6.

Where it asks for a priority (or preference), type a number that is larger than the number

you’ve spe

cified for existing MX records. This can help prevent the new MX record frominterfering with mail routing for the domain. Instead of a priority, you may see thefollowing options:

Low, Medium, High

. In this scenario, choose

Low

.7.

Save your changes, and the

n sign out of your domain name registrar’s website.

114Microsoft Office 365 Deployment Guide for Enterprises | December 2011

8.

Wait 15 minutes. If you are still signed in to the Microsoft Online Services Portal click

Verify.

9.

After your domain is verified, click

Close.

If you are no longer signed in:1.

Log on to theMicrosoft Online Services Portalwith your Office 365 administratorcredentials.2.

Click

Domains

.3.

Select the

Pending Verification

link next to your domain you added in the earlier step.4.

Click

Verify

.5.

After your domain is verified, click

Close.

Repeat the above steps for any other domains you intend on registering with Office 365.

4.2.3

Create Autodiscover and Sender Policy Framework Records

After you have added and verified a domain, you can enable the

Autodiscover service

to helpyour users configure the Office Outlook messaging client. Autodiscover automatically finds thecorrect Exchange Server host and configures Outlook 2010, Outlook 2007, and Windows Phoneand Windows Mobile devices for your users. It also includes an offline address book and theFree-Busy availability service that provides availability information for your users.In order to ensure the successful delivery of your email to outside partners, it is also highlyrecommended that you create a

sender policy framework (SPF) record

to make sure that otheremail environments recognize Office 365 and your on-premises email system as valid sources of email from your company. The SPF record lets you specify which computers are authorized totransmit email from your domain. This helps to prevent others from using your domain to sendspam or other malicious email. As more email environments query for Simple Mail TransferProtocol (SMTP) domain SPF records, you must create or modify your SPF records to allowExchange Online and your on-premises email system to successfully send email from yourdomain.

4.2.3.1

Create Sender Policy Framework Record

This procedure modifies records at your domain registrar to include a sender policy framework(SPF) record to allow Microsoft Exchange Online and your on-premises email system tosuccessfully send email from your domain. This procedure is highly recommended, and it isrequired if your ISP has implemented SPF.

115Microsoft Office 365 Deployment Guide for Enterprises | December 2011

►

To create an SPF record

1.

Log on to your domain registrar. The interface for the registrar Go Daddy (Figure 12) isreferenced in the remaining steps.2.

Click to access your account information (for example, My Account).3.

Click the domain that you want to register with Office 365.4.

Click to access details for the domain (for example, Advanced Details).5.

Open the DNS management console (for example, Launch DNS Manager).6.

In TXT or Text section, click

Add

(for example, Quick Add).7.

Under

Host

, type

@.

8.

For the

TXT

value, type

v=spf1 include:outlook.com include:spf.messaging.microsoft.com ~all.

If there is an existing SPF record, you must update it to include the

“

include:outlook.com include: spf.messaging.microsoft.com

”

statements in additionto your already declared legitimate hosts. Note that

include:spf.messaging.microsoft.com

is only required for existing FOPE customers.9.

For

TTL

/time to live, type

1 Hour

.

Figure 12. Creating an SPF record at a domain registrar



Note:

SPF is a relatively new feature and may not be implemented by your ISP. Even if your ISP has not implemented SPF, we recommend that you create an SPF record tomake sure your domain is compatible with future enhancements at your ISP.



4.2.3.2

Create Autodiscover Record

This procedure modifies records at your domain registrar to help your users configure Outlook.The interface for the registrar Go Daddy is referenced in procedure and in Figure 13.

116Microsoft Office 365 Deployment Guide for Enterprises | December 2011

►

To create an external Autodiscover record

1.

Log on to your domain registrar.2.

Click on your account information.3.

Click on the domain that you want to register with Office 365.4.

Click on the details for that domain.5.

Open the DNS management.6.

In CNAME or Alias section, click

Add.

7.

Under Host, type

Autodiscover.

8.

For the Points to/Destination field, enter

autodiscover.outlook.com

.9.

In

TTL

(time to live), type

1 Hour

.10.

Click

Save.

Figure 13. Creating an Autodiscover record at a domain registrar

11.

Wait 15 minutes for the Autodiscover record to register.

Note:

Outlook can use either a domain alias (CNAME) or an SRV record to locateExchange Autodiscover service. You should not add both types of record to the domain.For more information about how to use SRV records for Autodiscover, see the MicrosoftSupport articleA new feature is available that enables Outlook 2007 to use DNS ServiceLocation (SRV) records to locate the Exchange Autodiscover service.

4.2.3.3

Create Internal Autodiscover Record

If your organization has a split-brain DNS configuration and does not have an Autodiscoverrecord in its internal DNS environment, it is recommended that you create one.The following procedure demonstrates how to create an Autodiscover record in your internalDNS environment on your Windows DNS Server.

 117Microsoft Office 365 Deployment Guide for Enterprises | December 2011

►

To create an internal Autodiscover record

1.

Log on to your internal DNS server or domain controller.2.

Click

Start

, click

Administrative Tools

, and then click

DNS

.3.

Click to expand<

yourservername

>.4.

Click to expand

Forward Lookup Zones

.5.

Select the domain for which you would like to create an Autodiscover record.6.

Right-click the domain name and select

New Alias (CNAME)….

7.

In the

Alias Name

field, type

Autodiscover

.8.

Type the fully qualified domain name (FQDN) for the target host (Exchange Server).9.

Click

OK

.

4.3

User Identity and Account Provisioning Tasks

This section describes the tasks you must perform to prepare your Active Directory environmentfor establishing directory synchronization with Office 365 service and to install and configureActive Directory Federation Services for single sign-on. For an overview of the single sign-onfeature, review the Help topicPrepare for single sign-on.

4.3.1

Update Schema for Exchange Hybrid Deployment

If your organization is implementing an Exchange hybrid deployment, you will need to upgradeyour Active Directory schema to the Exchange Server 2010 SP1 version. Before you begin, ensureyou have the Exchange Server 2010 SP1 media available, or have downloaded theExchangeServer 2010 SP1files to an available location.

Note:

The domain controller on which you update your schema must be a 64-bit machineand included in the same Active Directory site as the schema master.



►

To update your Exchange schema for hybrid deployment

1.

Log on to your domain controller with an account that has schema administrative rights.2.

Click

Start

.3.

Click

Run

.4.

Type

CMD

.5.

Click

OK

.6.

Navigate to the location of the Exchange Server 2010 SP1 media or downloaded files.7.

Extract the executable. Note the location where you extract the files.8.

Type

CD

<space> <directory location of Exchange Server 2010 SP1 binaries>.Example:

cd c:\exchangeserver2010sp1

9.

Press

Enter

.

10.

Type

setup /preparead

.11.

Press

Enter

.Wait for the tool to copy files, perform pre-requisite checks, and complete the organizationalpreparation. When complete you should see a message

The Microsoft Exchange Server setupoperation completed successfully

.

4.3.2

Clean Up Active Directory

Your organization will need to prepare or

“clean up”

your Active Directory environment prior tothe initial directory synchronization with the Office 365 environment.



Important:

If Active Directory cleanup is not performed before the deployment process,there can be a significant negative impact to the directory synchronization and on-boardingprocess. It could take days, or even weeks, to iterate through the cycle of directory syncing,identifying syncing errors, and re-syncing.



In your organization’s Active Directory fore

st, perform the following clean-up tasks:



Ensure each user that is assigned Office 365 service offerings has a valid and uniqueemail address. Remove any duplicate values in the

ProxyAddres

s attribute field andUserPrincipalName that exists in your forest.



Populate the following username attributes:

o

First Name

o

Last Name

o

Display Name



Note:

For a better user experience and more complete global address list (GAL),do not leave these Username attributes blank.





For optimal use of the Global Address List (GAL), populate the following GAL attributes:

o

Job Title

o

Department

o

Office

o

Office Phone

o

Mobile Phone

o

Fax Number

o

Street Address

o

City

o

State or Province

119Microsoft Office 365 Deployment Guide for Enterprises | December 2011

o

Zip or Postal Code

o

Country or Region

4.3.2.1

Directory Object Preparation

Successful directory synchronization between your on-premises Active Directory environmentdirectory and Office 365 requires that your on-premises directory objects and attributes areproperly prepared. For example, you will need to ensure that specific characters are not used incertain Active Directory objects and attributes that are synchronized with the Office 365environment. These objects and attributes include:



userPrincipalName



sAMAccountName



proxyAddresses



givenName



sn (surname)



displayName



mailNickname (Exchange alias)



mailFor details about valid characters associated with these attributes and about additional attributerequirements, seeAppendix F: Directory Object Preparationlater in this document.

Note:

It is required that the

targetAddress

attribute (for example,SMTP:John.Doe@contoso.com) that is populated for the user must appear in the ExchangeOnline Global Address List. In third-party messaging migration scenarios, this would require theExchange schema extension for the on-premises Active Directory. The Exchange schemaextension would also add other useful attributes to manage Office 365 objects that arepopulated using the Directory Synchronization tool from on-premises. For example, the

msExchHideFromAddressLists

attribute to manage hidden mailboxes or distribution groupswould be added.



4.3.2.2

Prepare UPN Attribute

Your Active Directory environment must be properly configured in order to work with singlesign-on. In particular, the

userPrincipalName

(UPN) attribute, also known as a user logon name,must be set up for each user in a specific way.4.3.2.2.1

Add Alternative UPN Suffix to Active Directory

You must add an alternative UPN suffix to associate the user’s corporate credentials with the

Office 365 environment. A UPN suffix is the part of a UPN to the right of the @ character. UPNs

that are used for single sign-on can contain letters, numbers, periods, dashes, and underscores,but no other types of characters.

►

To add an alternative UPN suffix

1.

Log on to

one your organization’s Active Dire

ctory domain controllers.2.

Click

Start

,

Administrative Tools

, and then click

Active Directory Domains and Trusts

.3.

In the console tree, right-click

Active Directory Domains and Trusts

and then click

Properties

.4.

Select the

UPN Suffixes

tab, type an alternative UPN suffix for the forest, and then click

Add

.5.

Repeat step 3 to add additional alternative UPN suffixes.

Note:

If your Active Directory domain name ends with a “.local” suffix, you will need

to set a UPN that can be registered with Office 365. It is recommended that you usesomething familiar to the user, such as his or her email domain.4.3.2.2.2

Match On-Premise UPN with Office 365 UPNIf you have not yet set up Active Directory synchronization, you can skip this task and continuewith the next section.If yo

u have already set up Active Directory synchronization, the user’s UPN for Office 365 maynot match the user’s on

-premises UPN defined in Active Directory. This can occur when a userwas assigned a license before the domain was verified. To remedy this issue, use WindowsPowerShell to update users

’ UPNs

to ensure that their Office 365 UPN matches their corporateuser name and domain.

4.3.3

Deploy a Federation Server Farm

After your Active Directory environment is properly prepared, you deploy and configure ActiveDirectory Federation Services on-premises to create single sign-on access for your Office 365users.The most important operation you need to perform to provide your users with single sign-onaccess to Office 365 is to deploy a new AD FS 2.0 federation server farm. We recommend thatyou deploy at least two federation servers and two federation server proxies in order to providefault tolerance, load balancing, and scalability to your organization’s AD FS 2.0 productionenvironment.You should review the Help topicPlan for and deploy AD FS 2.0 for use with single sign-onbefore you begin your single sign-on deployment.

Pre-Installation Requirements

During the AD FS 2.0 installation process, the setup wizard attempts to automatically check forand, if necessary, install prerequisite applications and dependent hotfixes. In most cases, thesetup wizard will install all of the prerequisite applications necessary for AD FS 2.0 to operateand install.When installing AD FS 2.0 on the Windows Server 2008 platform, you will first need to makesure that Microsoft .NET Framework 3.5 Service Pack 1 (SP1) is installed on the servers runningWindows Server 2008. This is a prerequisite of AD FS 2.0. If .NET Framework 3.5 SP1 is notinstalled, the AD FS 2.0 Setup Wizard will prevent installation of the AD FS 2.0 software.You will need to install AD FS 2.0 Update Rollup 1 after you have installed AD FS 2.0. This is alsorequired to use new features such as Multiple Top-Level Domains and Client Access Policies. Formore information, see the support articleUpdate Rollup 1 for Active Directory FederationServices (AD FS) 2.0. You must complete the following tasks before you set up the single sign-on feature.



Deploy on-premises AD FS federation servers and federation server proxies. Federationserver proxies are necessary for remote access for users without a VPN with clients suchas Outlook and ActiveSync.



Add your Active Directory Federation Services server(s) to your Active Directory forest.



Create a service account in Active Directory to deploy Active Directory FederationServices in a farm.



Download and install the Windows Management Framework Core package (WindowsPowerShell 2.0 and WinRM 2.0).



Download and run theActive Directory Federation Services 2.0installation package. Thefollowing roles and features will be automatically be installed in the process:

o

Windows PowerShell

o

.NET Framework 3.5 SP1

o

Internet Information Services (IIS) 7

o

Windows Identity Foundation



Download and install theMicrosoft Online Services Module for Windows PowerShell.



Download the Office 365 desktop setup or manually install the Microsoft Online ServicesSign-in assistant



Install and configure MicrosoftSQL Server 2008(Standard or Enterprise) if yourorganization has more than 60,000 users who will use Office 365 service offerings.



Configure an external DNS Host (A) Record for your AD FS Proxy (examplests.contoso.com).

Prepare for trusted third-party SSL certificate (for example, Go Daddy or VeriSign) withAD FS instance name (example, sts.contoso.com).The instructions in the next sections include how to obtain your certificate and configure it forAD FS.



Note:

Certificates are an integral part of deploying AD FS with Office 365 identity federation.It is highly suggested that you attain a separate certificate with the name of your AD FSendpoint (sts.contoso.com) with a trusted third-party SSL provider. Additionally, if yourorganization leverages wildcard certificates (*.contoso.com), review your third-party SSLproviders documentation on creating and exporting wildcard certificates prior to proceeding onwith this document.



4.3.3.2

Join Federation Servers to Your Domain

You must join your federation servers to the Active Directory domain where you authenticateusers.



Note:

You can ignore this step if you will use existing domain controllers for federation.



►

To join your federation servers to the domain

1.

On the computer that you want to join to a domain, click

Start

, click

Control Panel

, andthen double-click

System

.2.

Under

Computer name, domain, and workgroup settings

, click

Change settings

.3.

On the

Computer Name

tab, click

Change

.4.

Under

Member of

, click

Domain

and type the name of the domain that the computerwill join.5.

Click

OK

.

4.3.3.3

(Optional) Add Resource Record to Corporate DNS for NLB Cluster

For clients on your corporate network to successfully access the Federation Service, you mustfirst create a host (A) resource record in the corporate DNS that resolves the cluster DNS nameof the Federation Service (for example, fs.fabrikam.com) to the cluster IP address in thecorporate network (for example, 172.16.1.3). You can use the following procedure to add a host(A) resource record to the corporate DNS for the NLB cluster.



Note:

This procedure is optional if you are not using a hardware network load balancer (NLB).



To add a resource record to corporate DNS for the cluster DNS name configured on thecorporate NLB host

1.

On a DNS server for the corporate network, open the DNS snap-in.2.

In the console tree, right-click the applicable forward lookup zone (for example,fabrikam.com), and then click

New Host (A or AAAA)

.3.

In the

Name

box

,

type only the computer name of the federation server or federationserver cluster; for example, for the fully qualified domain name (FQDN) fs.fabrikam.com,type

fs

.4.

In the

IP address

box, type the IP address for the federation server or federation servercluster (for example, 172.16.1.3).5.

Click

Add Host

.



Important:

It is assumed that you are using a DNS server running Windows Server 2008,Windows Server 2003, or Windows Server 2000 with the DNS Server service to control the DNSzone.



4.3.3.4

Request and Import Server Authentication Certificate to Default Web Site

This section describes the tasks you perform to request a certificate and import it to the DefaultWeb site on your AD FS server.You will later export this certificate and import it to all computers that you configure to be partof the federation server farm.4.3.3.4.1

Active Directory Federation Services CertificateAfter Active Directory Federation Services is installed, you will need to request a certificate.



Note:

The common name of your certificate will match the URL that will point your users toAD FS. For example,

sts.contoso.com

will route your users to

https://sts.contoso.com/adfs/ls

. It isvery important that the common name value matches the name of the AD FS website for Office365. If the value does not match, users will be prompted with a certificate warning.



►

To request an AD FS certificate

1.

Log on to your AD FS server.2.

Click

Start

.3.

In the search dialog box, type

Internet Information Server

.4.

Click

Internet Information Server (IIS) Manager

in the search results.5.

Click to expand your <

servername

>.6.

Double-click

Server Certificates

.

7.

Under the

Actions

choices, click

Create Certificate Request.

8.

In the

Request Certificate

dialog box, populate the fields listed.

o

Common name: sts.<

yourcompany

>.com (suggested value)

o

Organization: Your organization’s name

o

Organizational Unit: Value you may designate

o

City/locality: City/locality location of your organization

o

State/province: State/province of your organization

o

Country/region: Country/region of your organization9.

Click

Next

.10.

Select

Microsoft RSA SChannel Cryptographic Provider

(default).11.

For bit length, choose

2048,

then click

Next

.12.

In the

Specify a file name for the certificate request

window, type a file name (forexample, C:\adfscertificaterequest.txt).13.

Click

Finish

.4.3.3.4.2

Create Certificate Request with Third-Party SSL Certificate Provider

Note:

You may skip this step if you already have multiple domains Unified CommunicationsCertificates (UCC) or wildcard certificates with your third-party SSL certificate provider.If this is the first time that your organization has obtained third-party SSL certificates, considerusing either a UCC or a wildcard certificate for your organization if you need to have multiplecertificates under the same domain name as shown in the following example:



sts.contoso.com (AD FS)



mail.contoso.com (Exchange)



autodiscover.contoso.com (Exchange)



contoso.com (website)Be sure to review your third-party

SSL provider’s documentation for more information

oncreating a certificate request. If you are unsure on what type(s) of certificates to attain for yourorganization, a single domain SSL is suggested for each name space for which you desire acertificate.

Note:

In the procedures that follow, the steps reference the web interface of the domainregistrar GoDaddy for example purposes.

To create a third-party SSL certificate request

1.

Log on to your AD FS server.2.

Open Internet Explorer.3.

Enter the URL of your preferred third-party SSL certificate provider (for example,

http://www.godaddy.com

).4.

Create an account with the third party SSL certificate provider if you do not have onealready.5.

Sign in to your account with your username and password.6.

To purchase an SSL certificate, choose

SSL & Security.

7.

Chose

Single Domain SSL

.8.

Complete the purchase of your certificate (if applicable).9.

On the right hand side of the screen, click

My Account

.10.

Under My Products, select

SSL Certificates

.11.

Select your new certificate.12.

Choose

Request Certificate

in the bottom right corner.13.

Click

Start

and type

C:\adfscertificaterequest.txt

(or the file location and name youprovided in your certificate request).14.

Press

Enter

. The certificate text file will open in Notepad.15.

In Notepad, click

Edit

.16.

Choose

Select All

.17.

Click

Edit

.18.

Choose

Copy

.19.

In Internet Explorer, on your domain registrar page, choose

Third Party or DedicatedServer or Virtual Dedicated Server without Simple Control Panel

.20.

Under

Enter your Certificate Signing Request (CSR) below

, right-click on the blankportion of the screen.21.

Chose

Paste

.22.

Click

OK

.23.

Verify the domain name is correct. The domain name

sts.contoso.com

should match yourAD FS website URL (for example,

https://sts.contoso.com/adfs/ls

).24.

Click

Next

.25.

Click

Finish

.4.3.3.4.3

Download Certificate from Third-Party SSL Certificate ProviderNow you will download the certificate that you created with your domain registrar.

To download a third-party SSL certificate

1.

Log on to your AD FS server.2.

Open the Internet Explorer browser.3.

Enter the URL of your preferred third-party SSL certificate provider (for example,

http://www.godaddy.com

).4.

Log on with your username and password.5.

Under My Products, select

SSL Certificates

.6.

Check the box next to the name of your certificate you created earlier (for example,

sts.contoso.com).

7.

Check

Manage Certificate

.8.

Check the box next to the name of your certificate.9.

Choose

Download

.10.

In

Select your server type

, select

II7

.11.

Click

Download

.12.

In the

File Download

dialog box, choose

Save

.13.

Type the name of the certificate. Be sure to include the file extension (for example,

c:\sts.contoso.com.zip

).

You may choose a different folder location to save the file.14.

Double-click on the file you just saved (for example,

c:\sts.contoso.com.zip

).15.

At the top of Windows Explorer window, click

Extract all files

.16.

Choose the default directory or a different directory.17.

Click

Extract

.4.3.3.4.4

Install Third-Party SSL CertificateAfter you have downloaded your certificate, you install it on your AD FS server.

►

To install a third-party SSL certificate

1.

Log on to your AD FS server.2.

Click

Start

.3.

In the search dialog box, type

Internet Information Server

.4.

In the search results, click

Internet Information Server (IIS) Manager

.5.

Click to expand <

yourservername

>.6.

Double-click

Server Certificates

.7.

Under the

Actions

pane, click

Create Certificate Request

.8.

Click

Complete Certificate Request

.9.

Click the

Browse

button.10.

In the file name containing the certification authority’s response

, type the path of thecertificate you created with your domain registrar (for example,

c:\sts.contoso.com\

).11.

Next to the

File Name

field, choose

*.*

.

 Select the name of your certificate (for example,

c:\sts.contoso.com\

) and click

Open

.13.

Type a friendly name for the certificate (for example,

AD FS Certificate or sts.contoso.com

).14.

Click

OK

.4.3.3.4.5

Configure Third-Party SSL CertificateAfter you install the certificate on your AD FS server, you must configure it.

►

To configure the third-party SSL certificate

1.

Log on to your AD FS server.2.

Click

Start

.3.

In the search dialog box, type

Internet Information Server.

4.

In the search results, click

Internet Information Server (IIS) Manager

.5.

Expand your <

servername

> folder.6.

Expand the

Sites

folder.7.

Click

Default Web Site

.8.

In the

Actions

pane, click

Bindings.

9.

Click

https

.10.

Click

Edit

.11.

Select your certificate (for example,

sts.contoso.com

) in the SSL certificate dialog box.12.

Chose the IP address for which IIS will listen to the request for https://sts.contoso.com, orleave the default setting.13.

Click

OK

.

4.3.3.5

Create Dedicated Service Account

Before you install Active Directory Federation Services, you must first create a service account forthe federation server farm.

►

To create an ADFS service account

1.

Log on to a domain controller in your Active Directory forest.2.

Click

Start,

select

All Programs

, and click

Administrative Tools

.3.

Click

Active Directory Users and Computers

.(Optional) Right-click

Active Directory Users and Computers

and select the domainyou would like to create the service account.4.

Right-click the Organizational Unit you would like to create your ADFS service account in(for example

, Users

) and select

New,

and then

User

.5.

Enter the values in the required fields (First Name, Initial, Last Name, Full Name, Userlogon name, and User logon name (pre-Windows 2000). (An example of a User logonname is

svc_adfs

).6.

Click

Next

.

128Microsoft Office 365 Deployment Guide for Enterprises | December 2011

7.

Enter a

Password

and re-enter password in the

Confirm Password

field.8.

In the checkboxes, the following is recommended:

o

Select

User cannot change password

.

o

Select

Password never expires

.

o

Deselect

User must change password at next logon

.9.

Click

Next

.10.

Click

Finish

.To set the SPN of the service account, see the Help articleManually Configure a Service Accountfor a Federation Server Farm.

4.3.3.6

Install AD FS 2.0 Software

After you have created an AD FS service account you can install Active Directory FederationServices. You will need to download the AD FS software package atActive Directory FederationServices 2.0 RTWto perform this step.

►

To install AD FS 2.0

1.

Download the AD FS 2.0 software package for your operating system (either WindowsServer 2008 or Windows Server 2008 R2) and save the

AdfsSetup.exe

setup file to thecomputer.2.

Navigate to and double-click

AdfsSetup.exe

.3.

On the

Welcome to the AD FS 2.0 Setup Wizard

page, click

Next

.4.

On the

End-User License Agreement

page, read the license terms.5.

If you agree to the terms, select the

I accept the terms in the License Agreement

check box, and then click

Next

.6.

On the

Server Role

page, select

Federation server

, and then click

Next

.7.

On the

Completed the AD FS 2.0 Setup Wizard

page, click

Finish

.8.

Install theAD FS 2.0 Update Rollup 1. In some instances, the AD FS 2.0 installation may require a restart (for example, when dependenthotfixes have been installed).

4.3.3.7

Configure First Federation Server in Federation Server Farm

After you have installed AD FS on the computer, you can set up the computer to become thefirst federation server in a new federation server farm. You do this using the AD FS 2.0Federation Server Configuration Wizard. Membership in Domain Admins or a delegated domainaccount that has been granted write access to the Program Data container in Active Directory isthe minimum requirement to complete this procedure.

To create the first federation server to the federation server farm

1.

Click

Start

,

Administrative Tools

,

AD FS 2.0 Management

and open the

AD FS 2.0Management snap-in

.2.

On the

Overview

page, click the AD FS 2.0 Federation Server Configuration Wizard link.3.

On the

Welcome

page, verify that

Create a new Federation Service

is selected, andclick

Next

.4.

On the

Select Stand-Alone or Farm Deployment

page, click

New federation serverfarm

, and click

Next

.5.

On the

Specify the Federation Service Name

page, verify that the SSL certificate that isshowing matches the name of the certificate that was imported into the Default Web Sitein IIS previously. If this is not the correct certificate, select the appropriate certificate fromthe SSL certificate list.



Note:

The configuration wizard will not allow you to override the certificate if anSSL certificate is configured for IIS. This ensures that any intended prior IISconfiguration for SSL certificates is preserved. To work around this issue, you can goback and import the certificate to the Default Web Site of IIS again.



6.

If you have previously reinstalled AD FS on this computer, then the

Existing AD FSConfiguration Database Detected

page appears. If that page appears, click

Deletedatabase

, and then click

Next

.7.

On the

Specify a Service Account

page, click

Browse

. In the Browse dialog box, locatethe domain account that will be used as the service account in this new federation serverfarm, and then click

OK

. Type the password for this account, confirm it, and then click

Next

.8.

On the

Ready to Apply Settings

page, review the details. If the settings appear to becorrect, click

Next

to begin configuring AD FS 2.0 with these settings.9.

On the Configuration Results page, review the results. When all the configuration stepsare finished, click

Close

to exit the wizard.When you finish the steps in this procedure, the AD FS 2.0 Management snap-in willautomatically open and a message will display indicating that the required configuration isincomplete and that you should add a trusted relying party. You can disregard this message. Arelying party trust for Office 365 will be added in a later step and the message will no longerdisplay in the AD FS 2.0 Management snap-in.

4.3.3.8

Add Federation Server to Federation Server Farm

To add another federation server to the server farm, you install the AD FS 2.0 software andconfigure the required certificates on a computer. You can then configure the computer to

become a federation server in the federation server farm.4.3.3.8.1

Export and Import AD FS Federation Server CertificateBefore you configure computers as federation farm servers, you need to export the certificatefrom the first federation server and import it to any computer you want to add to the federationserver farm.

►

To export the AD FS federation server certificate

1.

Log on to the first AD FS federation server that you deployed on-premises.2.

Click

Start

, type

Internet Information Services (IIS) Manager

, and click

InternetInformation Services (IIS) Manager

.3.

On the

Home

page, click to expand <

servername

>.4.

In

Features View

, double-click

Server Certificates

.5.

Right-click your third-party SSL server certificate (for example,

sts.contoso.com)

and select

Export…

.6.

In the

Export to:

field, enter a path on your local computer (for example,

c:\sts.contoso.com).

A .pfx extension will automatically be added to the file you create.7.

In the

Password

field, enter a password.8.

In the

Confirm

password field, enter the same password.9.

Locate the file you created (for

example,

c:\sts.contosto.com.pfx)

.10.

Copy the file to the computers that you will add to AD FS federation server farm.4.3.3.8.2

Configure Federation Server Farm ComputerYou join a computer to a farm with the AD FS 2.0 Federation Server Configuration Wizard. Whenyou use this wizard to join a computer to an existing farm, the computer is configured with aread-only copy of the AD FS configuration database and it must receive updates from a primaryfederation server.

►

To configure a federation server to the federation server farm

1.

To open the AD FS 2.0 Management snap-in, click

Start, Administrative Tools, andthen AD FS 2.0 Management.

2.

On the

Overview

page or in the

Actions

pane, click

AD FS 2.0 Federation ServerConfiguration Wizard

.3.

On the

Welcome

page, verify that

Add a federation server to an existing FederationService

is selected, and then click

Next

.4.

If the AD FS 2.0 database that you selected already exists, the

Existing AD FSConfiguration Database Detected

page appears. If that occurs, click

Delete database

,and then click

Next

.

 131Microsoft Office 365 Deployment Guide for Enterprises | December 2011



Caution:

Select this option only when you are sure that the data in this AD FS 2.0database is not important or that it is not used in a production federation serverfarm.



5.

On the

Specify the Primary Federation Server and Service Account

page, under

Primary federation server name

, type the computer name of the primary federationserver in the farm, and then click

Browse

.6.

In the

Browse

dialog box, locate the domain account that is used as the service accountby all other federation servers in the existing federation server farm, and then click

OK

.7.

Type the password and confirm it, and then click

Next

.



Note:

For more information about creating this service account, see theCreateDedicated Service Accountprocedure provided earlier in this document. Eachfederation server in the federation server farm must specify the same service accountfor the farm to be operational. For example, if the service account created was

contoso\svc_adfs,

each computer you configure for the federation server role andthat will participate in the same farm must specify

contoso\svc_adfs

at this step inthe Federation Server Configuration Wizard for the farm to be operational.



8.

On the

Ready to Apply Settings

page, review the details. If the settings appear to becorrect, click

Next

to begin configuring AD FS 2.0 with these settings.9.

On the

Configuration Results

page, review the results. When all the configuration stepsare finished, click

Close

to exit the wizard.

4.3.3.9

Verify Federation Server Is Operational

You can use either of the following procedures to verify that a federation server is operational;that is, that any client on the same network can reach a new federation server.

►

Procedure 1: To verify that the federation server is operational

1.

Log on to a client computer that is located in the same forest as the federation server.2.

Open a browser window, in the address bar type the federation server’s DNS host name,

and then append /adfs/fs/federationserverservice.asmx to it for the new federationserver, for example:

https://fs1.contoso.com/adfs/fs/federationserverservice.asmx

3.

Press ENTER, and then complete the next procedure on the federation server computer.

 Note:

If you see the message

There is a problem with this website’s security

certificate

, this is because the FQDN used is different from the names registrered inthe certificate; however, this issue will be resolved with farm configuration and DNSrecord creation. Click

Continue to this website

.



►

Procedure 2: To verify that the federation server is operational

1.

Log on to the new federation server as an Administrator.2.

Click

Start

, point to

Administrative Tools

, and then click

Event Viewer

.3.

In the

Details

pane, double-click

Applications and Services Logs

, double-click

AD FS 2.0 Eventing

, and then click

Admin

.4.

In the

Event ID

column, look for event ID 100. If the federation server is configuredproperly, you see a new event

—

in the

Application

log of Event Viewer

—

with theevent ID 100. This event verifies that the federation server was able to successfullycommunicate with the Federation Service.

4.3.3.10

Install Microsoft Online Services Sign-In Assistant

The Microsoft Online Services Sign-In Assistant must be installed on federation server. The Sign-In Assistance can be downloaded at theMicrosoft Online Services Portal. Also seeManually update and configure desktops for Office 365.

►

To install the Microsoft Online Services Sign-In Assistant

1.

Log on to your AD FS federation server.2.

Click

Start

.3.

In the search dialog box, type the location where you saved the Sign-In Assistantinstallation package.4.

Double-click the .msi file for the package and then click

Run

.5.

At the

Welcome

screen, click

Next

.6.

Select the default directory for installation (you may change this if needed) and click

Install

.7.

When the installation is complete, click

Finish

.8.

Allow the tool to find any necessary patches to install and then restart the server.

4.3.3.11

Install Microsoft Online Services Module for Windows PowerShell

In order to configure single sign-on, you must install the Microsoft Online Services Module forWindows PowerShell. You can download the tool at theMicrosoft Office 365 Help site.

To install the Microsoft Online Services Module for Windows PowerShell

1.

Log on to your AD FS server.2.

Click

Start

.3.

In the search dialog box, type the location where you downloaded and saved theinstaller file for the Microsoft Online Services Module for Windows PowerShell (forexample,

c:\FederationConfig.msi

).4.

Double-click the installer file.5.

Click

Run

.6.

Click

Next

.7.

Review and accepts the license terms and click

Next

.8.

Select the default directory and options and click

Next

.9.

Click

Install

.10.

Click

Finish

.

4.3.3.12

Enable Single Sign-On

After you have installed the Microsoft Online Services Module for Windows PowerShell, you runa series of commands in the Windows PowerShell command-line interface to enable the singlesign-on feature.

►

To enable single sign-on with Office 365

1.

Log on to your AD FS server.2.

Open

Microsoft Online Services Module for Windows PowerShell.

PowerShell will open.3.

Type

cd\

and press

Enter.

4.

Type

$cred=Get-Credential

and press

Enter.

5.

Enter your Office 365 administrator name and password and click

OK

.6.

Type

Connect-MsolService

–

Credential $cred

and press

Enter

.7.

Type

Set-MsolAdfscontext -Computer <AD FS 2.0 primary server>

Note:

<AD FS 2.0 primary server> is the internal FQDN name of the primary AD FS 2.0server. This cmdlet creates a context that connects you to AD FS 2.0.8.

Press

Enter

.9.

Type

New-MsolFederatedDomain

–

DomainName <domain>

Example:

New-MsolFederatedDomain

–

DomainName contoso.com10.

Press

Enter

.11.

Using the information provided by the results of the New-MsolFederatedDomain cmdlet,contact your domain registrar to create the required DNS record. This record verifies thatyou own the domain.

134Microsoft Office 365 Deployment Guide for Enterprises | December 2011

12.

Type

New-MsolFederatedDomain

a second time, specifying the same domain name tofinalize the process

and press

Enter

.SeeSupport for Multiple Top Level Domainsif you will configure multiple top-level domains.

4.3.3.13

Verify Single Sign-on Functionality

After setting up single sign-on, you should verify that it is working correctly.

►

To verify single sign-on functionality

1.

Sign in to theMicrosoft Online Services Portal. 2.

In the portal header, click

Admin

.3.

Under

Management

, click

Users

.4.

Select your Cloud User ID or a test User ID that has been synchronized into the Office365 service. Ensure you know the username and password in your on-premises ActiveDirectory and that the user you have selected has a username (UserPrincipalName) thatmatches the domain you have federated.5.

Select the check box beside the test user.6.

Click the

user’s Display Name

. (For example,

John Smith

).7.

On the

Licenses

page for the user, select a license for the user (for example,

Microsoft Office 365 (Plan X

).

Warning:

If planning for Hybrid configuration do not activate a user for Exchange Onlineif this user already has an Exchange on-premises mailbox.8.

Click

Save

.9.

Select the location of the user (for example,

United States

).10.

Click

Save

.11.

Now log on to a PC.

Note:

As ADFS Proxy servers have not yet been deployed a domain-joined machineconnected to the private corporate network must be used.12.

Open Internet Explorer.13.

In the address bar, type

https://portal.microsoftonline.com

.14.

In the

User ID

field, type the user name for the user you assigned a license to (forexample,

jsmith@contoso.com

).15.

The web page should display with

You are now required to sign in at

<

yourdomainname.com

>.

16.

Click the sign-in link and enter your on-premises Active Directory credentials for theaccount you chose (for example, username

jsmith@contoso.com

and password

Orang312

).17.

If the home screen to the Microsoft Online Services Portal is displayed (Figure 14) aftersigning in, it indicates that single sign-on is working properly.

Deploy a Federation Server Proxy

You deploy an AD FS 2.0 federation server proxy to act as a proxy for client logons to afederation server that is located in the corporate network. The federation server proxy alsofacilitates the distribution of security tokens for remote clients that are attempting to accessOffice 365 service offerings.Before you get started, note the following:



It is recommended that you deploy at least two federation server proxies in order toprovide fault tolerance and deploy an NLB host or third-party hardware load balancer forfault tolerance and load balancing.



You can also use third-party HTTP reverse proxies solutions to publish AD FS to theextranet. See the TechNet articleLimiting Access to Office 365 Services Based on theLocation of the Clientfor more information on pre-requisites when supporting clientaccess policies.



To complete all of the tasks using the procedures in this section you must log on to thecomputers as a member of the Administrators group, or have been delegated equivalentpermissions.Table 19 and 20 are checklists of the deployment tasks that are necessary to deploy twofederation server proxies that will redirect authentication requests to a federation server in yournew federation server farm.

Table 19. Checklist: Prepare Network Infrastructure for Federation Server Proxies

Deployment task CompletedPrepare two computers running either the Windows Server 2008 or Windows Server2008 R2 operating system to be set up as federation server proxy. Depending on thenumber of users you have, you can use existing web or proxy servers or use adedicated computer.

136Microsoft Office 365 Deployment Guide for Enterprises | December 2011

Deployment task CompletedAdd the name of the Federation Service in the corporate network (the cluster DNSname you created earlier on the NLB host in the corporate network) and itsassociated cluster IP address to the hosts files on each federation server proxymachine in the perimeter network.Create a new cluster DNS name and cluster IP address on the NLB host in theperimeter network and then add the federation server computers to the NLB cluster.If you are using Windows Server technology for your current NLB hosts, choose theappropriate link to the right based on your operating system version.

Warning

The cluster DNS name used for this new NLB cluster must match the name of theFederation Service in the corporate network.Create a new resource record for the NLB cluster in the perimeter network DNS thatpoints the cluster DNS name of the NLB cluster to its cluster IP address.Use the same server authentication certificate as the one used by the federationservers in the corporate network and install it in IIS on the Default Web Site of thefederation server proxy.

Table 20. Deploy Federation Server Proxies

Deployment task CompletedInstall the AD FS 2.0 software on the computer that will become the federationserver proxy.Configure the AD FS 2.0 software on the computer to act in the federation serverproxy role by using the AD FS 2.0 Federation Server Proxy Configuration Wizard.Using Event Viewer, verify that the federation server proxy service has started.

4.3.4.1

Export and Import AD FS Federation Server Certificate

To start the your AD FS proxy server deployment, you export your AD FS federation servercertificate and then import it to the Default Web Site for each federation server proxy in yourorganization.

►

To export the AD FS federation server certificate

1.

Log on to your AD FS federation server that you deployed on-premises.2.

Click

Start

, type

Internet Information Services (IIS) Manager

, and click

InternetInformation Services (IIS) Manager

.3.

On the

Home

page, click to expand <

servername

>.4.

In

Features View

, double-click

Server Certificates

.

137Microsoft Office 365 Deployment Guide for Enterprises | December 2011

5.

Right-click your third-party SSL server certificate (for example,

sts.contoso.com)

and select

Export…

.6.

In the

Export to:

field, enter a path on your local computer (for example,

c:\sts.contoso.com).

A .pfx extension will automatically be added to the file you create.7.

In the

Password

field, enter a password.8.

In the

Confirm

password field, enter the same password.9.

Locate the file you created (for

example,

c:\sts.contosto.com.pfx)

.10.

Copy the file to your AD FS proxy server.

Import Server Authentication Certificate to Default Web Site

After you obtain a server authentication certificate used by one of the federation servers in yourcorporate network, you must manually install that certificate on the Default Web Site for eachfederation server proxy in your organization.Because this certificate must be trusted by clients of AD FS 2.0, use an SSL certificate that isissued by a public certificate authority (CA) that is subordinate to a publicly trusted root (forexample, VeriSign or Thawte). For information about installing a certificate from a public CA, seethe TechNet articleRequest an Internet Server Certificate.

Note:

The subject name of this server authentication certificate must match the FQDN of thecluster DNS name (for example,

fs.contoso.com

) that you created earlier on the NLB host. If Internet Information Services (IIS) has not been installed on the proxy server, you must install IISfirst in order to complete this task. When installing IIS for the first time, we recommend that youuse the default feature options when prompted during the installation of the server role.



►

To import a server authentication certificate to the Default Web Site on the proxy server

1.

Click

Start

, point to

All Programs

, point to

Administrative Tools

, and then click

Internet Information Services (IIS) Manager

.2.

In the console tree, click

ComputerName

.3.

In the center pane, double-click

Server Certificates

.4.

In the

Actions

pane, click

Import

.5.

In the

Import Certificate

dialog box, click the

…

button.6.

Browse to the location of the Personal Information Exchange (. pfx) certificate file,highlight it, and then click

Open

.7.

Type a password for the certificate, and then click

OK

.

4.3.4.2

Add Cluster DNS Name and IP Address to Hosts File

In order for the federation server proxy to work as expected in the perimeter network, you mustadd an entry to the hosts file on each federation server proxy computer that points to the

138Microsoft Office 365 Deployment Guide for Enterprises | December 2011

cluster DNS name hosted by the NLB in the corporate network (for example, fs.fabrikam.com)and its IP address (for example, 172.16.1.3). Adding this entry to the hosts file enables thefederation server proxy to properly route a client-initiated call to a federation server eitherwithin the perimeter network or outside the perimeter network.

►

To add the cluster DNS name and IP address to the hosts file on the proxy server

1.

Navigate to the %systemroot%\Winnt\System32\Drivers directory folder and locate the

hosts

file.2.

In Notepad, open the

hosts

file.3.

Add the IP address and the host name of a federation server in the account partner tothe

hosts

file, as shown in the following example:

172.16.1.3 fs.fabrikam.com

4.

Save and close the file.



Caution:

If the cluster IP address ever changes on the NLB host in the corporatenetwork, you must update the local hosts file on each federation server proxy.



4.3.4.3

Add Resource Record to Perimeter DNS for Cluster DNS Name

To service authentication requests from clients either in the perimeter network or outside theperimeter network, AD FS 2.0 requires name resolution to be configured on external-facing DNS

servers that host the organization’s zone (for example, fabrikam.com).

To do this, add a Host (A) Resource Record to the external-facing DNS server that serves onlythe perimeter network for the cluster DN

S name (for example, “fs.fabrikam.com”) to point to the

external cluster IP address that has just been configured.

►

To add a resource record to the perimeter DNS for the cluster DNS name configured onthe perimeter NLB host

1.

On a DNS server for the perimeter network, click

Start

, point to

Administrative Tools

,and then click

DNS

.2.

In the console tree of the DNS snap-in, right-click the applicable forward lookup zone(for example, fabrikam.com), and then click

New Host (A or AAAA)

.3.

In the

Name

box, type only the name of the cluster DNS name you specified on the NLBhost in the perimeter network (this should be the same DNS name as the name of theFederation Service). For example, for the FQDN fs.fabrikam.com, type

fs

.4.

In the

IP address

box, type the IP address for the new cluster IP address you specified onthe NLB host in the perimeter network (for example,

192.0.2.3)

.5.

Click

Add Host

.

139Microsoft Office 365 Deployment Guide for Enterprises | December 2011

4.3.4.4

Install the AD FS 2.0 Software on Proxy Computer

You must install the AD FS 2.0 software on any computer that you are preparing for thefederation server proxy role. You can install this software by either using the AD FS 2.0 SetupWizard or by using a command line parameter. For more information about this parameter, seetheAD FS 2.0 Deployment Guide. Make sure to complete the installation process by installing all of the required hotfixes on eachfederation server proxy, as indicated by the last step in this procedure.

►

To install the AD FS 2.0 software on the proxy computer

1.

Download the AD FS 2.0 software package for your specific operating system version(either Windows Server 2008 or Windows Server 2008 R2) by saving the

AdfsSetup.exe

setup file onto the computer. To download this file, go toActive Directory FederationServices 2.0 RTW. 2.

Locate and double-click the

AdfsSetup.exe

setup file that you downloaded to thecomputer.3.

On the

Welcome to the AD FS 2.0 Setup Wizard

page, click

Next

.4.

On the

End-User License Agreement

page, read the license terms.5.

If you agree to the terms, select the

I accept the terms in the License Agreement

check box, and then click

Next

.6.

On the

Server Role

page, select

Federation server proxy

, and then click

Next

.7.

On the

Completed the AD FS 2.0 Setup Wizard

page, verify that the

Start theAD FS 2.0 Federation Server Proxy Configuration Wizard when this wizard closes

check box is selected, and then click

Finish

to restart the computer.

4.3.4.5

Configure Federation Server Proxy Role

After you configure the proxy computer with the required certificates and have installed theAD FS 2.0 software, you are ready to configure the computer to become a federation serverproxy. You can use the following procedure so that the computer acts in the federation serverproxy role.

140Microsoft Office 365 Deployment Guide for Enterprises | December 2011

Important:

Before you use this procedure to configure the federation server proxycomputer, make sure that you have completed your federation server farm deployment asdescribed in theDeploy a Federation Server Farmsection. Make sure that at least one federationserver is deployed and that all the necessary credentials for authorizing a federation server proxyconfiguration are implemented. You must also configure Secure Sockets Layer (SSL) bindings onthe Default Web Site, or this wizard will not start. All these tasks must be completed before thisfederation server proxy can function.



After you finish setting up the computer, verify that the federation server proxy is working asexpected. For more information, see theVerify Federation Server Proxy Is Operationalsection of the document.

►

To configure the computer for the federation server proxy role

1.

On the

Completed the AD FS 2.0 Setup Wizard

page in the AD FS 2.0 Setup Wizard,the check box

Start the AD FS 2.0 Federation Server Proxy Configuration Wizardwhen this wizard closes

is selected by default.2.

Start the wizard, and on the

Welcome

page, click

Next

.3.

On the

Specify Federation Service Name

page, under

Federation Service name

, typethe name that represents the Federation Service for which this computer will act in theproxy role (for example, fs.contoso.com).4.

Based on your specific network requirements, determine whether you will need to use anHTTP proxy server to forward requests to the Federation Service. If so, select the

Use anHTTP proxy server when sending requests to this Federation Service

check box,under

HTTP proxy server address

type the address of the proxy server, click

TestConnection

to verify connectivity, and then click

Next

.5.

When you are prompted, specify the credentials that are necessary to establish a trustbetween this federation server proxy and the Federation Service.By default, only the service account used by the Federation Service or a member of thelocal BUILTIN\Administrators group can authorize a federation server proxy.6.

On the

Ready to Apply Settings

page, review the details. If the settings appear to becorrect, click

Next

to begin configuring this computer with these proxy settings.7.

On the

Configuration Results

page, review the results. When all the configuration stepsare finished, click

Close

to exit the wizard.

4.3.4.6

Verify Federation Server Proxy Is Operational

You can use the following procedure to verify that the federation server proxy can communicatewith the Federation Service in AD FS 2.0. You run this procedure after you run the

AD FS 2.0

141Microsoft Office 365 Deployment Guide for Enterprises | December 2011

Federation Server Proxy Configuration Wizard

to configure the computer to run in thefederation server proxy role.

Important:

The result of this test is the successful generation of a specific event in EventViewer on the federation server proxy computer.



►

To verify that the federation server proxy is operational

1.

Log on to the federation server proxy as an Administrator.2.

Click

Start

, point to

Administrative Tools

, and then click

Event Viewer

.3.

In the details pane, double-click

Applications and Services Logs

, double-click

AD FS 2.0 Eventing

, and then click

Admin

.4.

In the

Event ID

column, look for event ID

198

.If the federation server proxy is configured properly, you will see a new event in the Applicationlog of Event Viewer, with the event ID 198. This event verifies that the federation server proxyservice was started successfully and now is online.

4.3.4.7

Testing Naming Services

You now can test network connectivity to your AD FS federation server and federation serverproxies.

Internal Network Test

In your DNS environment, you should have an entry for your AD FS instance (sts.contoso.com),or your local hosts file should be modified to point to your AD FS instance, (sts.contoso.com) toyour AD FS federation server.1.

Log on to your AD FS proxy server you deployed on-premises in your edge network.2.

Click

Start

, and then click

Run

.3.

Type

CMD

and then click

OK

.4.

Type

ping

<space> and then your federation name (for example,

sts.contoso.com

).5.

Press

Enter

.For example, the response you receive is 167.2.2.1, a reply from your internal network.

External Network Test

You should be able to ping

sts.contoso.com

from a computer and reach the externally facing ADFS proxy server.1.

Log on to a computer.2.

Click

Start

, and then click

Run

.3.

Type

CMD

and then click

OK

.

142Microsoft Office 365 Deployment Guide for Enterprises | December 2011

4.

Type

ping

<space> and the name of your federation name (for example,sts.contoso.com).For example, the response you receive is a reply from 65.64.63.123 (your external network).

4.3.4.8

Post Installation Validation

You can verify that single sign-on was set up correctly by testing it further.1.

Log on to a computer.

Note:

You must use a computer connected to the Internet and not the corporate networkso that it will be redirected to the ADFS proxy servers.2.

Open Internet Explorer and type

https://portal.microsoftonline.com

in the addressbar.3.

In the

User ID

field, type your user name (for example,

jsmith@contoso.com

).4.

The web page should update with

You are now required to sign in at<

yourdomainname.com

>.

5.

Click the sign-in link and, in the Sign In page (Figure 15), enter your on-premises ActiveDirectory credentials for the account you chose (for example, username

jsmith@contoso.com

and password

Orang312

).

Figure 15. Sign in page for Microsoft Online Service Portal

6.

If you are presented with the Microsoft Online Services Portal home screen (Figure 16),this indicates that your proxy server with identity federation is working properly.

143Microsoft Office 365 Deployment Guide for Enterprises | December 2011

Figure 16. Microsoft Online Services Portal home page

4.3.5

Advanced Option: Deploy Federation Services with SQL Server

The AD FS configuration database stores all the configuration data that represents a singleinstance of AD FS 2.0 (also known as the Federation Service). You can store this configurationdata in either a Microsoft SQL Server® database or using the Windows Internal Database (WID).As indicated in theCapacity Planningsection of this document, customers with 15,000-60,000users or more and multiple federation servers in the farm may want to consider using a SQLServer-based policy store. An AD FS 2.0 federation server farm configured to use WID supports amaximum of five federation servers. If you need more than five federation servers, you need toconfigure a SQL Server database to store the AD FS 2.0 configuration database.

4.3.5.1

Installation Steps

These steps provide a high-level instruction on how to install AD FS for use with SQL Server.

►

To install SQL Server AD FS configuration database

1.

Install the full version (not Express version) of SQL Server 2005 or higher in your on-premises environment. Note whether you install using the default instance or with aninstance name as this is important later during the configuration process.2.

Install the AD FS Core Services onto a machine designated to run this service. Bestpractice is to install on a Windows Server 2008 R2/x64 with at least 4GB of memory.3.

After the AD FS Core Services installation stops, do not default to Configuration whenasked. Uncheck the configuration option and close the application.4.

Now navigate to the following location:c:\program files\Active Directory Federation Services 2.05.

Run the following command:

FSConfig.exe CreateSQLFarm /ServiceAccount “domain\user”/ServiceAccountPassword “password” /SQLConnectionString”database=AdfsConfigurationServer;server=MSSQLSERVER\Instance [asneeded];integrated security=SSPI” /port 443 /FederationServiceName”sts.contoso.com” /AutoCertRolloverEnabled

144Microsoft Office 365 Deployment Guide for Enterprises | December 2011



Notes:



/

ServiceAccount: Must be created before this command is run, see theCreateDedicated Service Accountsection.



Server: Should either be the MSSQLSERVER which is the default install for SQL orMSSQLSERVER\Instance IF an instance has been created for use with the AD FSServices.



/FederationServiceName

:

Should refer to the Common Name of your certificate usedfor your AD FS Services



4.3.5.2

Configure Communication with Federation Gateway

After the AD FS server has been configured to use SQL, use the following steps to configure theserver to communicate with the Microsoft Federation Gateway.1.

Download and install the Microsoft ID components and ensure the Microsoft OnlineServices Module for Windows PowerShell is installed.2.

Run the following PowerShell cmdlets to create your custom federated domain:

Import-module msonline$cred=Get-Credential [Enter your Online Admin Account]Connect-MsolService

–

Credential $credSet-MsolAdfscontext

–

Computer <AD FS 2.0 primary server internal FQDN>New-MsolFederatedDomain

–

DomainName <domain>

4.3.5.2.1

Install Second or future AD FS Core Services with Full SQL1.

Follow the above steps but change the command to Join the SQL Farm instead of creating, as it has already been created.2.

After the initial SQL Database has been created, use the following command on any ADFS Servers wanting to use Full SQL:

FSConfig.exe JoinSQLFarm /ServiceAccount “domain\user”/ServiceAccountPassword “password” /SQLConnectionString”database=AdfsConfigurationServer;server=MSSQLSERVER\Instance [asneeded];integrated security=SSPI”



Note

: For more information, seeAD FS 2.0: How to Perform an UnattendedInstallation of an AD FS 2.0 STS or Proxy.



4.3.5.3

Converting from Windows Internal Database to SQL Database

The Windows Internal Database is a Windows Server feature that is automatically installed on

145Microsoft Office 365 Deployment Guide for Enterprises | December 2011

the computer after you complete the AD FS 2.0 Federation Server Configuration Wizard for thefirst time. Because the wizard does not provide an option to choose SQL Server as the store forthe AD FS configuration database, your organization may simply continue to use the wizarddefaults to see if they work well for your infrastructure.However, it is highly possible that in time you will want to scale out your federation server farmto use more than five federation servers by migrating the configuration database to SQL Server.

By migrating to SQL you will obtain scale, high availability and also be able to use SQL’s backup

mechanisms.This section is provided for just this situation and will walk you through all the steps necessaryto migrate your existing AD FS configuration data from your current Windows Internal Databasestore (in a production environment) to a new SQL Server store.4.3.5.3.1

AD FS 2.0: Migrate Your AD FS Configuration Database to SQL ServerIn the steps that follow, use steps 1, 2, 3, and 5 on the primary federation server. Follow steps1,2, 4, and 5 on each of the secondary federation servers in the farm. These steps include:1.

Backing up the federation server2.

Temporarily disable the computer in the load balancer3.

Performing steps on the primary federation server4.

Performing steps on all of the secondary federation servers5.

Enabling the computer on the load balancerFor more information seeAD FS 2.0: Migrate Your AD FS Configuration Database to SQL Serveron the TechNet Wiki site. For more information about the pros and cons of using eitherWindows Internal Database or SQL Server to store AD FS 2.0 configuration data, see the TechNetarticleThe Role of the AD FS Configuration Databasein the AD FS 2.0 Design Guide.

Step 1: Backing up the federation server

Use Windows Server Backup to back up the entire federation server computer including the ADFS configuration database stored in Windows Internal Database. You can also use WindowsServer Backup to restore the AD FS configuration database.More information about how to back up the AD FS configuration database will be out soon.Once this content is provided we will update this link.

Step 2: Temporarily remove server from load balancer

If your federation server is running in a farm and you have a load balancer, temporarily removethis machine from the load balancer configuration.

146Microsoft Office 365 Deployment Guide for Enterprises | December 2011

Step 3: Performing steps on the primary federation server

1.

On the primary federation server in the farm, download the SQL Server 2008Management Studio Express software and install it on the primary federation server. Thesoftware is available from theMicrosoft Download Center.



Note

: This software is necessary in order to install and register the SQLCMDcommand-line tool, which is used in an upcoming step.



2.

Stop the AD FS 2.0 Windows Service on the primary federation server.3.

Open an elevated command prompt, type the following command-line to stop the AD FS2.0 Windows Service and then press ENTER.

net stop adfssrv

4.

Connect to the Windows Internal Database that currently stores the AD FS configurationdatabase and then detach both the AD FS configuration and artifact databases. In thecommand prompt window, type the following SQLCMD command-line syntaxes in order,and then press ENTER after each one.

sqlcmd -S \\.\pipe\MSSQL$MICROSOFT##SSEE\sql\queryuse mastergosp_detach_db ‘adfsconfiguration’gosp_detach_db ‘adfsartifactstore’go

5.

Connect to SQL server and attach the configuration and artifact database from theprimary federation server. This process assumes you have copied the database file andlogs to the SQL server prior to reattaching the database. In the command promptwindow, type the following SQLCMD command-line syntaxes in order, and then pressENTER after each one. In SQLServer\SQLInstance below, type in the appropriate SQLServer and SQL Server instance name where you are migrating the configuration data to.For example,

contososrv01\adfs

.

sqlcmd -S <SQLServer\SQLInstance>use mastergosp_attach_db ‘adfsconfiguration’,’c:\windows\sysmsi\ssee\mssql.2005\mssql\data\adfsconfiguration.mdf’,’c:\windows\sysmsi\ssee\mssql.2005\mssql\data\adfsconfiguration_log.ldf’ go sp_attach_db ‘adfsartifactstore’,

147Microsoft Office 365 Deployment Guide for Enterprises | December 2011

‘c:\windows\sysmsi\ssee\mssql.2005\mssql\data\adfsartifactstore.mdf’,’c:\windows\sysmsi\ssee\mssql.2005\mssql\data\adfsartifactstore_log.ldf’goalter database AdfsConfiguration set enable_broker with rollbackimmediatego

6.

Change the configuration database connection string to point to the new SQL Server-based AD FS configuration database. Open a Windows PowerShell command-line, typethe following command-line syntaxes in order, and then press ENTER after each one. InSQLServer\SQLInstance below, type in the appropriate SQL Server and SQL Serverinstance name where you are migrating the configuration data to. For example,contososrv01\adfs.

$temp= GEt-WmiObject -namespace root/AD FS -class SecurityTokenService

$temp.ConfigurationdatabaseConnectionstring=”data

source=<SQLServer\SQLInstance>; initial

catalog=adfsconfiguration;integrated security=true”

$temp.put()

7.

Open an elevated command-line prompt, type the following command-line syntax tostart the AD FS 2.0 Windows Service, and then press ENTER.

Net start adfssrv

8.

Change the artifact connection string to point to the new SQL Server-based artifact datalocation. Open a Windows PowerShell command-line, type the following command-linesyntaxes in order, and then press ENTER after each one. In SQLServer\SQLInstance below,type in the appropriate SQL Server and SQL Server instance name where you aremigrating the artifact data to. For example, contososrv01\adfs.

Add-pssnapin microsoft.adfs.powershellSet-adfsproperties

–artifactdbconnection “data

source=<SQLServer\SQLInstance>; initial

catalog=adfsartifactstore;integrated security=true”

9.

Stop and restart the AD FS 2.0 Windows Service to refresh the new settings. Open aregular command-line prompt, type the following command-line syntaxes to stop andstart the AD FS 2.0 Windows Service, and then press ENTER after each one.

Net stop adfssrvNet start adfssrv

148Microsoft Office 365 Deployment Guide for Enterprises | December 2011

Step 4: Performing steps on the secondary federation server

Make sure the primary federation server has been added back to the load balancer beforeproceeding with this section.1.

Make sure the secondary federation server has been temporarily removed from the loadbalancer before proceeding.2.

On a secondary federation server in the farm, open an elevated command prompt, typethe following command-line to stop the AD FS 2.0 Windows Service, and then pressENTER.

net stop adfssrv

3.

Change the configuration database connection string to point to the new SQL Server-based AD FS configuration database. Open a Windows PowerShell command-line, typethe following command-line syntaxes in order, and then press ENTER after each one. InSQLServer\SQLInstance, type in the appropriate SQL Server and SQL Server instancename where you are migrating the configuration data to. For example,contososrv01\adfs.

$temp= GEt-WmiObject -namespace root/AD FS -class SecurityTokenService

$temp.ConfigurationdatabaseConnectionstring=”data

source=<SQLServer\SQLInstance>; initial

catalog=adfsconfiguration;integrated security=true”

$temp.put()

4.

Open a regular command-line prompt, type the following command-line syntax to startthe AD FS 2.0 Windows Service, and then press ENTER:

Net start adfssrv

5.

Change the artifact connection string to point to the new SQL Server-based artifact datalocation. Open a Windows PowerShell command-line, type the following command-linesyntaxes in order, and then press ENTER after each one. In SQLServer\SQLInstance below,type in the appropriate SQL Server and SQL Server instance name where you aremigrating the artifact data to. For example, contososrv01\adfs.

Add-pssnapin microsoft.adfs.powershellSet-adfsproperties

–artifactdbconnection “data

source=<SQLServer\SQLInstance>; initial

catalog=adfsartifactstore;integrated security=true”

6.

Stop and restart the AD FS 2.0 Windows Service to refresh the new settings. Open aregular command-line prompt, type the following command-line syntaxes to stop andstart the AD FS 2.0 Windows Service, and then press ENTER after each one:

Net stop adfssrv

149Microsoft Office 365 Deployment Guide for Enterprises | December 2011

Net start adfssrv

7.

Verify that the service starts up successfully.8.

Repeat these steps for every federation server in this Windows Internal Database-basedfarm.

Step 5: Enabling this computer on the load balancer

Enable the computer in the load balancer so that requests are sent to it.

4.3.6

Advanced Option: Limiting Office 365 Access Based on ClientLocation

You can create custom claim rules in AD FS 2.0 that will limit your users’ access to Office 365

services based on the physical location of the client computer or client device through whichyour user is requesting access.For more information about how to create these rules, seeLimiting Access to Office 365 ServicesBased on Client Location.

4.3.7

Deploy Directory Synchronization

After you have completed Active Directory clean up, reduced user mailbox sizes if necessary, andimplemented Active Directory Federation Services, you can move forward with the steps tosynchronize information from your on-premises Active Directory to the Office 365 directoryservice.Synchronization is performed with the Microsoft Online Services Directory Synchronization Tool.By default, the Directory Synchronization Tool will install Microsoft SQL Server 2008 R2 Expressfor database purposes. If your organizations has more than 50,000 objects to synchronize, yourorganization should install the full version of SQL Server 2008 or 2008 R2.For additional information, see the following Help topics:



Activate Directory Synchronization



Suggested Hardware for Running the Microsoft Online Services DirectorySynchronization Tool



Directory Synchronization tool 64-bit support

4.3.7.1

Install and Configure Directory Synchronization Tool (Fewer Than 50,000Objects)

The following steps are recommended for organizations with fewer than 50,000 Active Directoryobjects to synchronize and require only SQL Server 2008 R2 Express Edition. When you installand set up of the Directory Synchronization Tool on a dedicated computer, SQL Server 2008 R2Express Edition is also installed. Before beginning the installation process, refer to the

150Microsoft Office 365 Deployment Guide for Enterprises | December 2011

deployment plan and verify that you have met the computer requirements and that you havethe necessary permissions.The first step is to activate the directory synchronization in the Microsoft Online Services Portal.

►

To activate directory synchronization

1.

Sign in to the Microsoft Online Services Portal with your Office 365 administratorcredentials.2.

In the portal header, click

Admin

.3.

Under

Management

, click

Users

.4.

Next to

Active Directory synchronization (Deactivated)

, click

Activate

.5.

On the

Set up Active Directory Synchronization

page, at step 3

Activate ActiveDirectory Synchronization

, click

Activate

.6.

When the

Are you sure you want to activate

message is displayed, click

Yes

.After activating directory synchronization, you install the Directory Synchronization Tool andSQL Server Express Edition on its own member server or install the tool on its own memberserver and point to a SQL Server cluster. See the guidance that follows on using a separate SQLServer with the Directory Synchronization Tool.You should have downloaded and saved the Microsoft Online Directory Synchronization Toolpackage to your computer before you start.

►

To install the Directory Synchronization Tool

1.

Log on to the computer that will run the Directory Synchronization Tool.2.

Click

Start,

click

Run

, type the path to where you saved the Directory SynchronizationTool package, and then click

OK.

3.

Double-click

DirSync.exe

.4.

Click

Run

.5.

At the

Welcome

screen, click

Next

.6.

Review and accept the license terms, and then click

Next

.7.

At the

Installation Folder

screen, click

Next

.You may consider installing the tool in a directory different from the default location.There is the potential for better tool performance if installed on a separate physical disk.8.

At the

Installation Complete

screen, click

Next

.9.

Leave the

Start Configuration Wizard now

box checked and click

Finish

.10.

At the Configuration Wizard

Welcome

page, click

Next

.11.

Enter your Office 365 administrator account credentials at the Microsoft Online Servicescredentials screen and click

Next

. (For example, user name: johnsmith@contoso.com;password: Orang312.)

151Microsoft Office 365 Deployment Guide for Enterprises | December 2011

12.

Enter your Active Directory enterprise administrator account credentials at the

ActiveDirectory Enterprise Admin Credentials

screen and click

Next

.(For example, username: administrator@contoso.com; password: Appl312.)13.

At the

Configuration Complete

screen, click

Next

.14.

Leave the

Synchronize directories now

box checked, and click

Finish

.15.

At the final screen that highlights the information on verifying directory synchronization,click

OK

.

4.3.7.2

Install Directory Synchronization Tool (More Than 50,000 Objects)

These procedures describe the Directory Synchronization Tool installation with SQL Server 2008or 2008 R2 Full Edition for organizations with more than 50,000 Active Directory objects.You begin by activating directory synchronization in the Microsoft Online Services Portal.

►

To activate directory synchronization

1.

Sign in to the Microsoft Online Services Portal with your Office 365 administratorcredentials.2.

In the portal header, click

Admin

.3.

Under

Management

, click

Users

.4.

Next to

Active Directory synchronization (Deactivated)

, click

Activate

.5.

On the

Set up Active Directory Synchronization

page, at step 3

Activate ActiveDirectory Synchronization

, click

Activate

.6.

When the

Are you sure you want to activate

message is displayed, click

Yes

.After activating directory synchronization, you install the Directory Synchronization Tool on theSQL Server or install on its own member server and point to a SQL cluster.You should download and save theMicrosoft Online Directory Synchronization Toolpackage toyour computer before you start. If you will use the 64-bit version, seeDirectory Synchronizationtool 64-bit supportfor more information.

►

To install the Directory Synchronization Tool using a separate SQL Server

1.

Log on to the computer that will run the Directory Synchronization Tool.2.

Click

Start

and click

Run.

3.

Type

CMD

and click

OK

.4.

Type the path of where you saved the Microsoft Online Directory Synchronization Toolpackage.5.

Type

DirSync.exe /fullsql

and press

Enter

.If prompted with a User Account Control prompt, and click

Continue

, or enter theusername and password of an administrator account, and click

OK

.6.

At the

Welcome

screen, click

Next

.

152Microsoft Office 365 Deployment Guide for Enterprises | December 2011

7.

Review and accept the license terms, and click

Next

.8.

At the

Installation Folder

screen, click

Next.

You may consider installing the tool in a directory different than the default location.There is the potential for better tool performance if installed on a separate physical disk.9.

At the

Installation Complete

screen, click

Next

.10.

Click

Finish

.Now you install the Directory Synchronization Tool using Windows PowerShell.

►

To configure the Directory Synchronization Tool using Windows PowerShell

1.

On the computer on which the Directory Synchronization Tool was installed, openWindows PowerShell by opening the command-line tool and entering the command

Powershell.exe

–

noexit

.2.

Press

Enter

.3.

At the Windows PowerShell prompt, type

Add-PSSnapin Coexistence-Install

.4.

To install the Directory Synchronization Tool onto the same system as SQL Server 2008or 2008 R2, type

Install-OnlineCoexistenceTool

–

UseSQLServer

–

Verbose.

-OR-To install the Directory Synchronization Tool using a remote installation of SQL Server2008, type

Install-OnlineCoexistenceTool

–

UseSQLServer

–

SqlServer<SQLServerName> -ServiceCredential (Get-Credential)

–

Verbose.

5.

At the Windows PowerShell Credential Request prompt, type the username andpassword of the domain account that will be used to run the Microsoft IdentityIntegration Server service and the Microsoft Online Directory Services SynchronizationService.6.

Run the Microsoft Online Services Directory Synchronization Configuration Wizard tocomplete the installation.4.3.7.2.1

Complete Directory Synchronization Tool ConfigurationAfter installing SQL Server 2008 or 2008 R2, you must complete the Microsoft Online ServicesDirectory Synchronization Tool Configuration Wizard before synchronization will occur.

►

To complete the Directory Synchronization Tool installation

1.

If you are working through the Directory Synchronization Tool Installation Wizard, on theFinish page, select

Start Configuration Wizard now

, and then click

Finish

.- OR -Click

Start

,

All Programs

,

Microsoft Directory Sync

, and then click

Directory SyncConfiguration

.

153Microsoft Office 365 Deployment Guide for Enterprises | December 2011

2.

On the

Microsoft Online Services Credentials

page of the Microsoft Online ServicesDirectory Synchronization Configuration Wizard, provide the user name and passwordfor a user account with Administrator permissions in your organization.3.

On the

Active Directory Credentials

page, provide the user name and password for anaccount with Enterprise Admin permissions on the on-premises Active Directory service.4.

On the

Finish

page, select

Synchronize directories now

, and then click

Finish

.

Important

The Microsoft Online Services credentials that were provided are used tosynchronize information from the on-premises Active Directory to the Office 365 directoryservice. If you change the password associated with this account, you must rerun theconfiguration wizard and provide the updated credentials.The Enterprise Admin credentials that were provided are not saved. They are used to createthe MSOL_AD_Sync directory synchronization service account. This service account is used toread the changes from the on-premises Active Directory.

4.3.7.3

Verify Directory Synchronization

Verifying directory synchronization from your on-premises Active Directory to Office 365requires testing both forced (manual) synchronization and automatic synchronization. Becausethe Directory Synchronization Tool performs an automatic one-way synchronization betweenthe on-premises Active Directory and the Office 365 directory once every three hours,completion of this procedure may take up to three hours. You can also force directorysynchronization at any time using PowerShell.The Directory Synchronization Tool writes entries to an event log. These entries indicate the startand end of a synchronization session. When you review the event log, look for entries where the

source is “Directory Synchronization.” An entry that is designated “Event 4” and that has the

description “The export has completed” indicates that the directory synchronization is complete.Directory synchronization errors are also sent via email to your designated technical contact.After the Directory Synchronization Tool is installed and configured, your on-premises ActiveDirectory is the master for all changes to the synchronized mail-enabled objects in Office 365.The following procedures show how both forced and automatic verification work and youshould perform them in sequence. You make changes to mail-enabled objects in the on-premises Active Directory and verify that those changes are synchronized with Office 365.

154Microsoft Office 365 Deployment Guide for Enterprises | December 2011

4.3.7.4

Forced Directory Synchronization

The following procedure describes how to force immediate directory synchronization and verifythe synchronization changes are made. Forcing directory synchronization bypasses thereplication window of three hours and applies incremental changes immediately.1.

Sign in to theMicrosoft Online Services Portalusing your administrator user name andpassword.2.

Ensure that the Technical Contact information contains a valid email address that ismonitored by the technical contact. The technical contact information can be viewed byclicking your organization’s name in the left hand side of the navigation pane (above theAdmin Overview menu option.)3.

Verify the address properties of a user account that is being synchronized from the on-premises Active Directory to the Microsoft Online Services Portal.4.

Verify that you cannot edit the address properties of that user account using theMicrosoft Online Services Portal.5.

On your domain controller, open Active Directory Users and Computers and target theon-premises Active Directory forest/domain with permissions to edit user accounts,contacts, and distribution groups.6.

Make a simple but obvious change to one of the email address properties of the useraccount that you verified in step 2.7.

Open the Microsoft Online Services Directory Synchronization Configuration Wizard,provide the information requested on the wizard pages, and on the

Finish

page, select

Synchronize directories now

, and then click

Finish

.8.

When the synchronization is complete, view the address properties of the user in theMicrosoft Online Services Portal and verify that the changes you made in the on-premises Active Directory have been synchronized to Office 365.

Note

: You can also use the Windows PowerShell

cmdlet from the dirsync PSSnapin “start

-onlineCoexistenceSync.Next you will see how automatic directory synchronization works using the DirectorySynchronization Tool.

4.3.7.5

Automatic Directory Synchronization

The Directory Synchronization Tool synchronizes changes to user accounts and mail-enabledcontacts and groups from your on-premises Active Directory to your Office 365 directory serviceevery three hours, beginning at the time of the initial synchronization.

155Microsoft Office 365 Deployment Guide for Enterprises | December 2011

►

To verify automatic directory synchronization

1.

Sign in to theMicrosoft Online Services Portalusing your administrator user name andpassword.2.

Ensure your Technical Contact information contains a valid email address that ismonitored by the technical contact on a daily basis.3.

In the Microsoft Online Services Portal, verify the address properties of a specific useraccount, contact, and distribution group that are being synchronized from your on-premises Active Directory to Office 365.4.

In Microsoft Online Services Portal, modify the address properties of the contact anddistribution group that you verified in step 3 of the forced directory synchronizationprocedure.5.

On your domain controller, open Active Directory Users and Computers and target youron-premises Active Directory forest/domain with permissions to edit user accounts,contacts, and distribution groups.6.

In the on-premises Active Directory, make a simple but obvious change to one of theaddress properties of the user account that you verified in step 3 of the forced directorysynchronization procedure.7.

In the on-premises Active Directory, make simple but obvious changes to the contactand the distribution group that you modified in step 4.8.

Check the directory synchronization event log to determine when directorysynchronization is complete. This may take up to three hours.9.

When synchronization is complete, view the properties of the user, contact, anddistribution list in the Microsoft Online Services Portal and verify that the changes youmade in the on-premises Active Directory now appear in Office 365.In this procedure, the changes you made to the contact and distribution group in Office 365have been overwritten by the changes you made to the same contact and distribution group inthe on-premises Active Directory.

4.3.7.6

Maintain Authentication to On-premises Resources

After your organization has established email coexistence between its on-premises ExchangeServer environment and Exchange Online, and established directory synchronization of useraccounts and mail-enabled contacts and groups from the on-premises Active Directory to Office365, you may want to continue using Active Directory authentication to control access to on-premises printers, file shares, and other network resources.In this scenario, leave directory synchronization running to continue to synchronize useraccounts and mail-enabled contacts and groups from the on-premises Active Directory to Office365. Continue to edit the properties of these objects in the on-premises Active Directory.

156Microsoft Office 365 Deployment Guide for Enterprises | December 2011

4.4

Implement Password Policies for Cloud Identities

Your organization may choose not to federate your on-premises Active Directory for single sign-on functionality. If so, it is important to understand the Office 365 password policies. Table 21shows the password policies and options for Microsoft Online Services IDs (cloud identities).

Table 21. Password PoliciesProperty DescriptionPassword restrictions

8 characters minimum and 16 characters maximumAllowed values:

A

–

Za

–

z0

–

9! @ # $ % ^ & * – _ + = [ ] { } | \

: ‘ , . ? / ` ~ “ < > ( ) ;

Disallowed values:

UNICODESpacesNon-English charactersUsername alias (part before @ symbol)

Password expiryduration

90 days (non-configurable)

Password expiry

Password expiry is enabled by default. When enabled, users are forced tochange their passwords after 90 days. Users do not receive any form of password expiry notification.Administrators are able to enable and disable the password expiry settingat the user level through the Microsoft Online Services Module forWindows PowerShell.

Password strength

Strong passwords require 3 out of 4 of the following:

Lowercase charactersUppercase charactersNumbers (0-9)Symbols (see password restrictions above)

Users by default are required to create strong passwords when theychange their passwords. Administrators are able to enable and disable thissetting at the user level through the Microsoft Online Services Module forWindows PowerShell.

157Microsoft Office 365 Deployment Guide for Enterprises | December 2011

Property DescriptionPassword history

Last password cannot be used again.

Password historyduration

None

Account lockout

After 10 unsuccessful sign-in attempts with the wrong password, the usermust solve a CAPTCHA dialog as part of the sign-in process. After 10unsuccessful additional sign-in attempts with the wrong password andcorrect solving of the CAPTCHA dialog, the user is locked out of theiraccount for a time period. Additional incorrect passwords results in anincrease in the lockout time.

For more information about password policies, seethe Office 365 Identity Service Descriptionand the Help articleChange your password.

4.5

Activate User Licenses

Your organization cannot enable Exchange Online without first activating user licenses. Theprocedure that follows shows the steps to activate licenses for groups of users from the Adminarea within the Microsoft Online Services Portal.There are several strategies to consider when activating groups of users at the same time. Forexample, you might activate groups of users who require the same type of license, or activategroups of users who share the same location.

►

To activate user licenses

1.

Sign in to theMicrosoft Online Services Portalwith your Office 365 administratorcredentials.2.

In the portal header, click

Admin

.3.

Under

Management,

click

Users

.4.

From the list of users, determine which licenses you want to assign to specific users and

then select the check box next to each user’s name.

5.

Click

Activate Synced Users

.6.

Select the location for the group of users (

example: United States

).7.

Check the license you would like to assign these users.8.

Click

Next

.9.

Click

Activate

.10.

Click

Finish

.

158Microsoft Office 365 Deployment Guide for Enterprises | December 2011

Note:

In addition to using the Microsoft Online Services Portal, your organization canprogrammatically assign user licenses by using the Windows PowerShell cmdlets for Office 365.For more information, see Help topicWindows PowerShell cmdlets for Office 365.

4.6

Exchange Online Preparation

This section provides deployment instruction to enable moving user mailboxes to MicrosoftExchange Online in a hybrid deployment. It is assumed that your organization is runningExchange Server 2003 or later, so that you can configure hybrid deployment between the on-premises Exchange Server environment and Exchange Online.

Note:

Configuring an Exchange hybrid deployment requires directory synchronization.For more information, see theDeploy Directory Synchronizationsection of this document.Many of the steps required to enable email coexistence are performed by selecting the E-MailHybrid mode page from the Migration tab in the Microsoft Online Services Portal.

4.6.1

Deployment Pre-requisites

Ensure you have performed all the procedures in theNetworking and Names Services TasksandUser Identity and Provisioning Taskssections of this document before you start with yourExchange Online preparation steps.

4.6.1.1

Upgrade Active Directory Schema

To implement email coexistence, you will need to upgrade your Active Directory schema toExchange Server 2010 SP1 version. If you have not already completed the Active Directoryscheme upgrade, review theUpdate Schema for Hybrid Deploymentsection found earlier in thisdocument.

4.6.1.2

Install Update Rollup

We recommend installing the latest update rollup for Exchange 2010 SP1 on all your servers.Microsoft releases update rollup packages approximately every six to eight weeks. The rolluppackages are available via Microsoft Update and the Microsoft Download Center. In the Searchbox on theMicrosoft Download Center,type “Exchange 2010 update rollup” to find links to therollup packages.

4.6.2

Establish Email Coexistence

After you have completed the hybrid deployment prerequisites, you can begin to configure the

159Microsoft Office 365 Deployment Guide for Enterprises | December 2011

Exchange hybrid deployment. TheExchange Server Deployment Assistantis the recommendedtool to use for this multi-step process, which include installation of the hybrid server.After you launch the web-based Deployment Assistant, click the

Hybrid

button. TheDeployment Assistant asks you a few questions about your current environment and thengenerates a custom checklist and procedures that help simplify your hybrid deployment. Thechecklist (Figure 17) provides a prioritized list of tasks and steps you need to complete toconfigure your Exchange hybrid deployment and provides references TechNet documentationfor additional information.

Figure 17. Exchange Server Deployment Assistant checklist

In addition to English, the Deployment Assistant is also available in Chinese (Simplified), Chinese(Traditional), French, German, Italian, Japanese, Korean, Portuguese (Brazil), Russian, andSpanish.

4.6.3

Testing Exchange Online with Remote Connectivity Analyzer

To verify that inbound mail, Exchange ActiveSync, Autodiscover, Outlook Anywhere (RPC/HTTP),and other connections are properly configured, you should consider using theExchange RemoteConnectivity Analyzer.The Remote Connectivity Analyzer is a Web-based tool that is designedto help you troubleshoot connectivity issues by testing your Exchange on-premises and on-premises configuration. You may want to become familiar at this tool in advance of yourdeployment to understand its capabilities and usage. For more information about the tool, seethisTechNet article.

160Microsoft Office 365 Deployment Guide for Enterprises | December 2011

Additionally, if you already have ActiveSync, Outlook Anywhere, and Autodiscover enabled inyour on-premises environment we highly recommend you run through the tests provided withthe Remote Connectivity Analyzer to ensure your on-premises environment is functioningappropriately.See the Help articleDNS Troubleshooting for Exchange Onlinefor more information about theRemote Connectivity Analyzer.

4.7

SharePoint Online Preparation

The following sections describe preparations for setting up SharePoint Online.When planning your Office 365 deployment you should evaluate which of the SharePointcapabilities you will implement in your Office 365 environment.

4.7.1

Analysis of Existing SharePoint Environment

Before deciding on a migration strategy it is vital that you perform an analysis of your currentenvironment. This analysis should focus on those SharePoint workloads and content that youplan to move to SharePoint Online.As an outcome of the analysis you should have a clear understanding on the content and thecustomizations you have in your on-premises environment.You should then create a content and customization roadmap that covers what content andcustomizations that will be moved to SharePoint Online and how they will be moved.For each customization you will need to decide if you want to provide that functionality in yourSharePoint Online environment. As the next step you will need to validate if the customizationscan be implemented as sandboxed solutions.

4.7.2

Preparing for Customizations

Once you have an inventory of all the customizations that you want to move to SharePointOnline you need to decide the right packaging and deployment mechanisms. Generally, it isrecommended to package all the customization in Web Solution Packages (WSPs). This willallow the site collection administrators to upload these to the Solution Gallery of each SiteCollection that needs the customization. After the upload the solutions need to be activated.Figure 18 shows the Solution Gallery.

161Microsoft Office 365 Deployment Guide for Enterprises | December 2011

Figure 18. SharePoint Online site collection Solution Gallery

If you have design artifacts such as master pages or page layouts that only need to be deployedto one Site Collection you can upload them manually to the Master Page Gallery of the SiteCollection. However, if you need them in multiple site collections, it is beneficial to packagethem as WSPs as well.For more information about developing solutions for SharePoint Online, see the MSDN articleSharePoint Online for Office 365 Developer Guide.

4.7.3

Content Migration

Office 365 does not provide SharePoint content migration support for customers. If you plan tomigrate SharePoint content from an on-premises or hosted service to SharePoint Online, yourorganization will either use a manual approach or to use a third-party SharePoint migration tool.One way to manually move content to SharePoint Online is by connecting the SharePoint Libraryto SharePoint Workspace. You can then upload content to SharePoint Workspace and it willautomatically synchronize these files to SharePoint Online. Another manual approach is to usethe capability of SharePoint to upload multiple files. This will allow you to upload batches of filesat once.

Note

: If you use the manual migration methods described above, the uploaded files willappear as being created by the user who uploaded them. Also the timestamp of the file willbe the upload time and not the original creation time.



Before choosing the migration tool to migrate your SharePoint content, be sure to verify thatthe tool meets your migration requirements and that it supports all of the SharePoint artifactsyou want to migrate. Refer to the third-party

tool’s documentation and evaluate what

preparation steps your organization will need to implement.

162Microsoft Office 365 Deployment Guide for Enterprises | December 2011

Microsoft partners are also available to assist with migrating your SharePoint content toSharePoint Online using third-party tools. For assistance with SharePoint content migration, see

the “Recommended Deployment Partners” area

at theMicrosoft Online Services deploymentpage.TheOffice 365 Marketplacealso provides names of recommended deployment partnersthat can assist with SharePoint content migrations.

4.8

Lync Online Preparation

Key tasks in preparing your organization for Lync Online include optimizing your network forLync conferencing, configuring domain federation and public IM connectivity settings, and

ensuring the Lync 2010 client is installed on Lync Online user’s computers.

4.8.1

Network Preparation for Conferencing

You can optimize your network environment for use with Lync conferencing by performing thefollowing configurations:



Enabling the required firewall ports to access the Lync conferencing servers.



Disabling authentication for Lync Online audio and video traffic when an authenticatingHTTP proxy is employed.



Configuring the network to allow User Datagram Protocol (UDP) traffic for better audioand video performance.



Adjusting internal routers and optimizing internal network paths for audio and videotraffic (optional).



Filtering traffic (if required by the service provider SLA)As a hosted service, Lync Online conferencing can operate in a large variety of networktopologies. Typically, your network administrator is able to make minor configuration changesto routers and firewalls to provide an optimized user experience that does not interfere with

your organization’s ability to secure its network.

You should conduct a thorough evaluation of network bandwidth for use of Lync Online andconferencing. These services may require a bandwidth increase. For information regardingbandwidth requirements for Lync Server 2010 conferencing, see the TechNet articleDefiningYour Requirements for Conferencing.

4.8.2

Enable and Disable Federation

If you are an Office 365 for enterprises administrator, you can enable domain federation inMicrosoft Lync Online so users in your company can connect with users in other companies thathave deployed Microsoft Office Communications Server 2007, Office Communications Server2007 R2, or Microsoft Lync Server 2010. If you want to establish Lync domain federation with

163Microsoft Office 365 Deployment Guide for Enterprises | December 2011

your own on-premise implementation of Office Communications Server 2007, OfficeCommunications Server 2007 R2, or Microsoft Lync Server 2010, Lync Online and your on-premise system must be using different SIP domains. Note that none of your Lync Server 2010on-premises SIP domains should be in the list of active domains for your Office 365 tenant.Once you have enabled domain federation, users can exchange peer-to-peer instant messages(IM), initiate peer-to-peer audio and video calls, and view presence information. You can alsoenable public IM connectivity, so that users can add contacts from Windows Live Messenger andcommunicate with them by using Lync 2010.

Note

: Domain federation does not create an integrated, searchable address book.



►

To enable or disable federation with other Office 365 organizations using Lync Online

1.

In the

Lync Online Control Panel

, click

Domain federation

. The current domainfederation status is displayed.2.

Next to the status text, click

Edit

.3.

In the

Choose the domain federation setting for all users

dialog box, choose adomain federation option, and then click

OK

.

4.8.3

Enable Federation with Windows Live Messenger

If your organization would like to establish federation with Windows Live Messenger you mayenable these features through the Microsoft Online Services Portal.

►

To enable Lync Online federation with public IM services

1.

Log on to the Microsoft Online Services Portal with your Office 365 administratorcredentials.2.

In the header, click

Admin

.3.

Under

Lync Online

, click

Manage

.4.

In the

Microsoft Lync Online Control Panel

, click

Public IM

.5.

Click

Enable

.6.

Click

OK

.For more information about enabling and disabling public IM federation seeEnable or disablepublic IM connectivity.

4.9

Client and End-User Experience

As discussed earlier in the Plan section this deployment guide, your organization will potentiallyneed to upgrade client hardware and software when moving to Office 365. For client software,consider using Microsoft Update or an enterprise software deployment solution (such as

164Microsoft Office 365 Deployment Guide for Enterprises | December 2011

Microsoft System Center Configuration Manager) to ensure that the requirements are met forthe Office 365 web or rich client experience.

4.9.1

Rich Client Experience

For users to experience the highest fidelity with the Office 365, your organization will need to

deploy install rich experience clients to users’ computers and provide for ongoing patches and

updates.Rich experience clients provide users with full-featured desktop applications for email, instantmessaging, and business productivity and require methods for distributing, configuring andupdating clients.Office 365 for enterprises solutions make use of the following rich clients:



Microsoft Office 2010 and Office 2007 SP2 (including Outlook)



Microsoft Office 2008 for Mac



Microsoft Entourage® 2008 Web Services Edition



Microsoft Office 2011 for Mac



Office Web Apps



Microsoft Lync 2011 for Mac



Microsoft Lync 2010When using rich experience clients, you need to install the Office 365 desktop setup package on

user’s computers. This application ensures that the

required components and updates areinstalled for rich clients. The Office 365 desktop setup package automatically configures Outlookand Microsoft Lync for use with Microsoft Online Services. Administrators can allow enterprisesusers to update their desktops on their own using Office 365 desktop setup, or can choose todeploy the updates remotely by using Active Directory.

4.10

Create Migration Groups

Migration groups are the set of users that you migrate to Office 365 during each migrationwindow. Depending on the number of users you have, your organization will likely requiremultiple migrations to move all your users to the Office 365 environment.When defining migration groups, you will want to consider more than just the total size of theincluded mailboxes. Here are some additional things to keep in mind:



Bandwidth considerations.

All of the mailbox content must travel from the on-premisesmail environment over the Internet to Office 365. You can use the migration tools todetermine how much data should be migrated once mailbox reduction has beenperformed. Based on this information, you should scope the size of your migration

165Microsoft Office 365 Deployment Guide for Enterprises | December 2011

groups and schedule migration times to work with your existing network and Internetbandwidth.



User groups.

When migrating groups of users, it is a best practice to migrate users whocommunicate with each other frequently. For example, if an executive team uses email tocommunicate vital information, you should migrate the members of the executive teamat the same time. Schedule your migration groups to ensure that the owners of themailboxes that are migrated will be available immediately after the migration to validatethe success of the migration. This is especially imperative for organizations that have endof month financial, inventory, or other reporting mechanisms that cannot be disrupted.Keep in mind the mailbox and calendaring requirements of shared/delegate mailboxesfor executives and other key customer personnel and their assistants. It is important thatassistants are able to access the calendars of executives and key staff without delay.



User locations

. In addition, be sure to migrate users in accordance with the physicalbuildings they occupy. It makes sense to migrate fourth floor Conference Rooms withusers on the fourth floor. For smaller buildings with limited meeting space it maybecome necessary to survey the rooms that are used on other floors as well to ensurethese resources are available as soon as possible.



User support.

When migrating groups of users, your organization must also consideruser support planning and capabilities for the initial period after migration. There willlikely be a higher volume of service desk calls just after the migration. It is best practiceto distribute migration groups across support teams by location in parallel to increasemigration velocity as well as balance service desk call volume.

166Microsoft Office 365 Deployment Guide for Enterprises | December 2011

5

Migrate Phase

The Migrate phase is primarily focused on the steps required to move user mailbox contentfrom on-premises to Exchange Online.

5.1

Key Activities Summary

The following are the key deployment tasks and events that your carry out in the Migrate phase:



Assign licenses to users

To access Office 365 service offerings, assign licenses to users through the MicrosoftOnline Services Portal. If you have not already done so, review theActivate User Licensessection of this guide.



Issue final communications to end users

Prior to the start of velocity migrations, send all users moving to Office 365 the necessarynotifications and instructions they need to make the transition to the new hostedservices platform.



Migrate mailbox data

Proceed with velocity mailbox migrations from on-premises mailboxes to ExchangeOnline using your selected migration tools and migration group schedule.



Migrate existing collaboration documents

Using third-party migration tools, move files and folders from your existing SharePointenvironment to SharePoint Online.



Change DNS records

When all migrations are completed, change your DNS records (for example, MX and TXTrecords) to at your domain registrar.



Configure mobile phones and devices for Office 365

Set up user mobile phones to access email using the Exchange ActiveSync protocol.



Perform post-migration service testing

After migrations are completed, perform full-scale testing of Office 365 servicefunctionality.

5.2

Send Final End User Communications

Prior to the start of velocity migrations, you should send your final notifications and instructionsto users moving to Office 365 service offerings. SeeAppendix G: Sample Email Migration EndUser Communicationsfor an example of messaging used in these communications.

167Microsoft Office 365 Deployment Guide for Enterprises | December 2011

5.3

Migrate Mailboxes

You can use the New Remote Move Request wizard in the Exchange Management Console(EMC) on the hybrid server to move existing user mailboxes in the on-premises organization tothe Office 365 organization.By default, the Mailbox Replication Proxy service (MRSProxy) running on the hybrid serverautomatically throttles the mailbox move requests when you select multiple mailboxes to moveto Office 365. The total time to complete the mailbox move depends on the total number of mailboxes selected, the size of the mailboxes, and the properties of the MRSProxy.

Steps for migrating mailboxes are provided in the “Move or create a mailbox” topic in the

Exchange Server Deployment Assistant and the Help topicMove or create a mailbox for shareddomains.

5.4

Change MX Record

When you are ready to put your hybrid server into production, you will need to change your MXrecord to redirect inbound mail flow to your hybrid server or Exchange Server 2010 SP1 serverdeployed with the Edge Transport server role.The Exchange Server Deployment Assistant will provide detail steps for how to change the MX

record in the topic “Redirect mail flow to coexistence server.”

5.5

Set Up Mobile Phones and Devices

Information about setting up mobile phones and devices for your Office 365 users is available athttp://help.outlook.com. You can find specific instructions for setting up many popular mobile phones at the Help topicMobile Phone Features.



For instructions for the Apple iPhone, iPod, or iPad seeSet Up Microsoft Exchange E-Mailon an Apple iPhone.



For instructions for the BlackBerry Curve

™

, seeSet Up POP or IMAP E-Mail on aBlackBerry Curve.



For instructions for the BlackBerry Pearl

™

, seeSet Up POP or IMAP E-Mail on aBlackBerry Pearl.

168Microsoft Office 365 Deployment Guide for Enterprises | December 2011

Note

: RIM is introducing a new hosted BES service for Exchange Online customers. RIM willhost, license and support the service. For additional details, see the Office 365 wikiAnnouncingBlackBerry Business Cloud Services for Office 365and the RIM websiteBlackBerry BusinessCloud Services.

5.5.1

ActiveSync Devices

To set up your mobile phone to access your email using the Exchange ActiveSync protocol, youwill need the Exchange ActiveSync server name as well as your user name and password.

5.5.1.1

Set Up Windows Phone and Windows Mobile Devices

If a Windows Mobile device is already set up to synchronize with another computer runningMicrosoft Exchange Server, you must delete that email account from your mobile device beforeyour device can sync with Microsoft Exchange Online.The following procedures describe how your Exchange Online administrator can do thefollowing:



Delete an existing relationship between a Windows Mobile 6.5, 6.1, and 6.0 device andExchange Server



Set up a new Windows Mobile and Windows Phone relationship with Exchange Online.



Use the remote wipe feature.

Note

: The menu options displayed on your device may be different from those described inthe procedures that follow. If you have questions, refer to your mobile device documentation.

►

To delete an existing Windows Mobile relationship

1.

From the Windows Mobile Start menu on the mobile device, tap

Programs

, and then tap

ActiveSync

.2.

Tap

Menu

, and then tap

Options

.3.

Tap

Microsoft Exchange

, and then tap

Delete

to delete the existing relationship.

►

To configure a Windows Mobile device connection

1.

On the mobile device, tap

Start

, tap

Programs

, and then tap

ActiveSync

.2.

Tap

Menu

, tap

Add Server Source

, and then enter the mobile device address for your

organization’s data (example;outlook.com)

3.

Select the This server requires an encrypted (SSL) connection check box, and then tap

Next

.4.

In

User name

, enter your Office 365 email address.

169Microsoft Office 365 Deployment Guide for Enterprises | December 2011

5.

In

Password

, enter your password, select

Save Password

, and then tap

Next

. Leave thedomain box blank.6.

Select the check boxes for the types of data you want to synchronize, and then tap

Finish

.Use the following steps to configure your connection on a Windows Phone 7.

►

To configure a Windows Phone 7 connection

1.

Press the

Windows

button to return to home.2.

Slide right and then up, and select

Settings.

3.

Select

email & accounts

.4.

Click

add an account

.5.

Select

Outlook

.6.

Enter your email address (for example,

johnsmith@contoso.com

)7.

Enter your password (with single sign-on this would be the same as your Active Directorypassword).8.

Click

sign in

.

5.5.1.2

Configure Remote Device Wipe Option

Administrators in your organization have the ability to remotely erase data from an ExchangeActiveSyn

c mobile device in the event that an Exchange Online user’s device is lost, stolen or

otherwise compromised.

►

To remotely erase data from an Exchange ActiveSync device

1.

Log on to Microsoft Outlook Web App athttps://outlook.comusing the email addressand password of the user account that the mobile device synchronizes with.2.

In the Outlook Web App window title bar, click

Options

.3.

In the navigation pane, click

Mobile Devices

.4.

Click the ID of the device you want to remotely erase, click

Wipe All Data from Device

,and then click

OK

.5.

Click

Remove Device from List

.

5.6

Perform Post-migration Service Testing

After user provisioning and mailbox migrations are completed, you should performcomprehensive testing of the Office 365 service offerings for which your organization hassubscribed to ensure the services operate as described in the Office 365 for enterprises servicedescriptions.SeeAppendix H: Post-deployment Service Test Planfor an example test plan.

170Microsoft Office 365 Deployment Guide for Enterprises | December 2011

6

Feature Enablement

This section describes Office 365 for enterprises features that are available to your organizationbut outside the scope of the deployment tasks described in this deployment guide. Many of these features are described in the Office 365 for enterprises service descriptions, which areavailable at theMicrosoft Download Center. Examples of user account and provisioning features that are available to enable include:



Multi-factor authentication with Active Directory Federation Services



Active Directory Federation Services custom log on pageExamples of Exchange Online features that are available to enable include:



Disclaimers.

Exchange Online enables administrators add disclaimers to messages intransit using transport rules. See the Help topicAdd Disclaimers to Messagesfor details.



Transport rules.

Transport rules are used to inspect emails in transit (including inbound,outbound, and internal messages) and take actions, such as applying a disclaimer,blocking messages, or sending a blind carbon copy to a mailbox for supervisory review.See the Help topicOrganization-Wide Rulesfor details.



Personal archive.

Exchange Online offers archiving through the personal archivecapabilities of Exchange 2010. A personal archive is a specialized mailbox that appears

alongside users’ primary mailbox folders in Outlook or Outlo

ok Web App. See the HelptopicEnable an Archive Mailboxfor details.



Journaling.

Administrators can configure Exchange Online to journal copies of emails toany external archive that can receive messages via SMTP. See the Help topicJournalRulesfor details.



Retention policies.

Exchange Online offers retention policies to help organizationsreduce the liabilities associated with email and other communications. With these

policies, administrators can apply retention settings to specific folders in users’ inboxes.

The retention policy capabilities offered in Exchange Online are the same as thoseoffered in Exchange Server 2010 Service Pack 1. See the Help topicSet Up and ManageRetention Policies in Exchange Onlinefor details.



Legal hold.

Exchange Online provides legal hold capabilities to preserve users

’ deleted

and edited mailbox items (including email messages, appointments, and tasks) fromboth their primary mailboxes and personal archives. See the Help topicPut a Mailbox onLitigation Holdfor details.



Rolling legal hold (single item recovery).

Some organizations want to preserve users’

mailbox contents for archiving and eDiscovery purposes, but only for a specific amountof time, such as one year. The single item recovery feature in Exchange Online can beused to meet this need, by providing rolling legal hold capabilities.

171Microsoft Office 365 Deployment Guide for Enterprises | December 2011



Multi-mailbox search.

Exchange Online provides a web-based interface for searchingthe contents of mailboxes in an organization. Through the Exchange Control Panel,administrators can search a variety of mailbox items

—

including email messages,attachments, calendar appointments, tasks, and contacts. See the Help topicCreate aNew Multi-Mailbox Searchfor details.

172Microsoft Office 365 Deployment Guide for Enterprises | December 2011

7

Appendix A: Key Deployment Resources

The following resources can provide additional help with deployment questions and tasks.

Office 365 Community

The Office 365 Community site posts the latest developments and information related to Office365. It includes a discussion area where site members post questions and answers. You can alsoaccess the Blogs, Forum, and Wiki pages from this site.

Available at

http://community.office365.com

Office 365 Help

This extensive set of Help topics provides guidance to administrators and users working withExchange Online, SharePoint Online, Lync Online, and Office Professional Plus.

Available at

http://onlinehelp.microsoft.com/office365-enterprises/ff637592.aspx

Office 365 Deployment Readiness Tool

The Office 365 Deployment Readiness Tool is available to assist you with discovery activitiesrelated to Office 365 deployments. The tool can be used to check and provide importantinformation about your on-premises environment.

Available at

http://community.office365.com/f/183/p/2285/8155.aspx#8155

Exchange Deployment Assistant

TheExchange Deployment Assistant

provides detailed guidance for the hybrid deploymentscenario from the on-premises Exchange environment to Exchange Online.

Microsoft Assessment and Planning Toolkit

The Microsoft Assessment and Planning (MAP) toolkit generates detailed readiness assessmentfor migration to cloud-based services such as Office 365 for enterprises.

Available at

http://technet.microsoft.com/en-us/library/bb977556.aspx

MOSDAL (Microsoft Online Services Diagnostics and Logging) Support Toolkit

The MOSDAL Support Toolkit collects system, network, service-based application configurationand logging data along with performing network diagnostics. The toolkit can be used for avariety Office 365 troubleshooting issues.

Available at

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=457e0786-1bec-40a2-95ab-06428f53b5cc

173Microsoft Office 365 Deployment Guide for Enterprises | December 2011

8

Appendix B: Deployment Planning Template

Table 22 provides a high-level planning template for Office 365 for enterprises deployments.The sequence of tasks and events describe the typical workflow for deployments and serve as aguide for an orderly and efficient rollout of Office 365.Key stakeholders in your organization should feel free to modify this template and workflow tomeet your needs and requirements.

Table 22. Office 365 for Enterprises Deployment TemplateDeployment Tasks /EventsStartDateFinishDateResources Dependencies1. PLAN PHASE

Hold project kickoff meetingBuild risk and issue tracking systemDevelop migration strategyIdentify mailbox size and item countsPlan for mail-enabled applicationsIdentify options for user identity and accountprovisioningIdentify Active Directory preparation andremediation requirementsIdentify your email coexistence strategyIdentify current network links, user concentration,and current utilizationIdentify on-premises infrastructure serverrequirementsIdentify the operating systems and clientapplicationsIdentify the mobile platform that yourorganization will useDevelop an end user and administrator trainingschedule and delivery mechanismDevelop end-user communications strategy

2. PREPARE PHASE

174Microsoft Office 365 Deployment Guide for Enterprises | December 2011

Deployment Tasks /EventsStartDateFinishDateResources Dependencies

Add and verify your domain name with Office 365Prepare your on-premises Active Directory fordirectory synchronizationEnable single sign-on (identity federation)Install the Directory Synchronization Tool andperform synchronizationConfigure email coexistenceConfigure Lync OnlineConfigure SharePoint OnlineDeploy client applications and the Office 365desktop setupPerform mailbox size reductionPrepare customer service deskTest and validate email migration and coexistenceComplete the migration groups and migrationschedule

3. MIGRATION PHASE

Assign licenses to usersIssue final communications to end usersMigrate mailbox dataMigrate existing collaboration documentsChange DNS recordsConfigure mobile phones and devices for Office365Perform post-migration service testing

175Microsoft Office 365 Deployment Guide for Enterprises | December 2011

9

Appendix C: Customer Deployment Checkpoints

To ensure a successful Office 365 deployment, you should periodically review and assess the keymilestones within the deployment project. The following checkpoints are sample entrance andexit criteria to use while moving through the deployment process. If your deployment has notcompleted all exit criteria tasks included in a checkpoint, the deployment should not moveforward on the project until all those tasks are completed.

9.1

Office 365 Deployment Entrance Requirements

Prior to moving forward with your Office 365 for enterprises deployment, you should ensureyour organization has completed the following entrance criteria:



Review of Office 365 service descriptions to ensure solution alignment.

Yourorganization should not move forward with its deployment until all aspects of the servicehave been evaluated for alignment with your existing business and IT requirements.



Review of your Active Directory environment.

Your organization should ensure thatyour Active Directory complies with the requirements for Office 365. During your review,you should keep in mind that hybrid deployments only support email coexistence with asingle Active Directory forest and that the directory synchronization service requires asupport exception for synchronization of more than 20,000 users.



Note:

You can use theDeployment Readiness Toolto help assess how many totalActive Directory objects, and specifically user objects, are stored in your ActiveDirectory forest.





Purchase of Office 365 for enterprises user licenses

. To provision users for Office 365services, your organization will need to have valid user licenses available to assign tousers.

9.2

Checkpoint 1: Planning Complete

Objectives

Ensure that the deployment project scope and schedule are well understood by all your projectteam members from the Project Manager to the Executive Sponsor.

Checkpoint Exit Criteria1. Identified plans for the following items:



Migration

176Microsoft Office 365 Deployment Guide for Enterprises | December 2011



Mail-enabled applications



User identity and account provisioning options



On-premises infrastructure and hardware requirements



Network bandwidth requirements



Client operating systems and client applications



Service desk training



End user and administrator training



End user communication strategy

2. Completed the following activities:



Customer kickoff meeting with agreement on the following:

o

Dedicated deployment project management team

o

Review of each workstream, milestone activities, and timelines

o

Commitment from all workstream owners on milestone timelines and dates



Customer sign-off on Plan Complete milestone.

9.3

Checkpoint 2: Preparation Complete

Objectives

Ensure all configuration and preparation tasks are completed.

Checkpoint Exit Criteria



Remediation of directory synchronization errors.



Specific service configurations are completed.



Office 365 Desktop Setup package is deployed.



Email migration and coexistence is tested and validated.



Service desk integrated



Migration schedule is completed.

9.4

Checkpoint 3: Migration Complete

Objectives



Velocity mailbox migrations begin.



Criteria to stop the deployment is defined and agreed upon.

Checkpoint Exit Criteria



Mailbox migration is completed.



Plan is in place for deprovisioning of on-premises services (unless hybrid scenarios exist).

177Microsoft Office 365 Deployment Guide for Enterprises | December 2011

10

Appendix D: Key Deployment URLS, Ports, andIP Addresses

This compilation of URLs, ports and IP addresses provides a resource for customers whenconfiguring firewall access during an Office for 365 for enterprises deployment project. Contactthe Microsoft Office 365 support team for IP address ranges requirements, or refer to the HelptopicIP addresses and URLs used by Office 365.You can also subscribe to thisRSS feedtoreceive notice when updates are made to IP addresses and URLs.

10.1

URLs

General Service URLs



Microsoft Online Services Portalhttps://portal.microsoftonline.com



Office 365 Sign In pagehttps://msol.vo.msecnd.net:/



PowerShell Connection URI for Office 365 PowerShellhttps://ps.microsoftonline.com



Community Portal for Office 365 Customershttps://community.office365.com



Active Directory Federation Services End Pointhttps://nexus.microsoftonline-p.com



Directory Synchronization End Pointhttps://adminwebservice.microsoftonline.com

Exchange Online URLS



Exchange Online PowerShell Connection URIhttps://ps.outlook.com



Outlook Web App address for a specific customerhttps://outlook.com/<domain>.onmicrosoft.com



Outlook Web App address for a customer specific domainhttps://www.outlook.com/<companyname>.com

178Microsoft Office 365 Deployment Guide for Enterprises | December 2011

SharePoint Online URLs



*.sharepoint.com



*.sharepointonline.com



Default Root SharePoint site for customer

<domain>.SharePoint.com



Site Settings for the Root Site Collection

<domain>.sharepoint.com/_layouts/settings.aspx



My sites<domain>-my.sharepoint.com



SharePoint Online Administration Center for customer

<domain>-Admin.SharePoint.com

Lync Online URLs



*.online.lync.com



*.infra.lync.com



*.lync.comAdditional URLs that require firewall access include:



*.microsoftonline.com



*.onmicrosoft.com



*.microsoftonlinesupport.net



*.microsoftonline-p.com



*.microsoftonline-p.net



*.microsoftonlineimages.com



*.microsoftonlineimages.net



*.live.com



admin.messaging.microsoft.com

10.2

IP Address Ranges

To help ensure that network traffic from the Microsoft data centers is accepted, you may needto open ports in your on-premises firewall so network traffic originating from the Microsoft datacenter IP addresses is allowed to enter your on-premises organization.Contact the Microsoft Office 365 support team for IP address ranges requirements, or refer tothe Help topicIP addresses and URLs used by Office 365.

10.3

Required Ports

Table 23 lists the protocol and port requirements for Office 365 for enterprises deployments.

179Microsoft Office 365 Deployment Guide for Enterprises | December 2011

Table 23. Protocol and Port Requirements

Protocol /Port Applications

TCP 443



Active Directory Federation Services (federation server role)



Active Directory Federation Services (proxy server role)



Microsoft Online Services Portal



My Company Portal



Microsoft Outlook 2010 and Outlook 2007



Microsoft Entourage 2008 EWS/Outlook 2011 for Mac



Outlook Web App



SharePoint Online



Lync 2010 client (communication to Lync Online from on-premisesLync Server)

TCP 25



Mail routing

TCP 587*



SMTP relay

TCP 143/993



Simple IMAP4 migration tool

TCP 995**



POP3

TCP 80 and 443*



Microsoft Online Services Directory Synchronization Tool



Simple Exchange Migration Tool



Simple IMAP Migration Tool



Staged Exchange Migration Tool



Exchange Management Console



Exchange Management Shell

PSOM/TLS 443



Lync Online (outbound data sharing sessions)

STUN/TCP 443



Lync Online (outbound audio, video, application sharing sessions)

STUN/UDP 3478



Lync Online (outbound audio and video sessions)

RTC/UDP 50000-59999



Lync Online (outbound audio and video sessions)

*

SMTP Relay with Exchange Online requires TCP port 587 and requires TLS. SeeTechNet for details on how to configureSMTP Relay with Exchange Online. Note: you will need to provide the SMTP server which is specific to the mailbox used for relay. See the TechNet articleSet Up Outlook 2007 for IMAP or POP Access to Your E-Mail Account . ** POP3 access with Exchange Online requires TCP port 995 ) and requires SSL. SeeTechNet for details on how toconfigure POP3 with Exchange Online.

180Microsoft Office 365 Deployment Guide for Enterprises | December 2011

11

Appendix E: Exchange Hybrid DeploymentDomain and Host Names Worksheet

Configuring an Exchange hybrid deployment, email coexistence, and directory integrationbetween your on-premises environment and the Office 365 environment requires that youprovide appropriate domain and host names. Table 24 provides a sample list and examples of domain and host names used in the deployment process. You are strongly encouraged to usethe Exchange Deployment Assistant to generate specific examples for your organization.

Table 24. Host Names Worksheet

Description Example value Value in your organization

Active Directory Forest

corp.contoso.com

Internal Exchange Server 200Xserver hostname

DEN-SRV-EXCH-2K3

Exchange External 200X serverFQDN

mail.contoso.com

Proposed internal coexistenceserver host

DEN-SRV-EXCH-2K10

Proposed external coexistenceserver FQDN

mail.contoso.com

Outlook Web App URL

owa.contoso.com

Primary SMTP namespace

Contoso.com

UserPrincipalName domainCloud Identity domain

Contoso.com

Service SMTP namespaceImportant: You must not use theservice tenant FQDN, specifiedbelow, as the service SMTPnamespace. We recommend that you use <service.

your domain

>.

service.contoso.com

Internal Active DirectoryFederation Services (AD FS)server hostname

DEN-SRV-AD FS-FED1

External AD FS server FQDN

sts.contoso.com

181Microsoft Office 365 Deployment Guide for Enterprises | December 2011

Description Example value Value in your organization

Internal directorysynchronization server hostname

DEN-SRV-DIRSync

Exchange federation trustnamespace

Exchangedelegation.contoso.com

On-premises AutodiscoverFQDN

Autodiscover.contoso.com

Service Autodiscover FQDN

Autodiscover.<value>.contoso.com

Service tenant FQDNNote You can only choose thesubdomain portion of thisFQDN. The domain portion mustbe “onmicrosoft.com”.

contoso.onmicrosoft.com

182Microsoft Office 365 Deployment Guide for Enterprises | December 2011

12

Appendix F: Directory Object Preparation

Successful directory synchronization between your on-premises Active Directory environmentdirectory and Office 365 requires that your on-premises directory objects and attributes areproperly prepared.If your organization intends on implementing an Exchange hybrid deployment, you will need toupgrade your Active Directory schema to include Exchange Server 2010 SP1 updates. This isrequired in order to manage email attributes on-premise when using directory synchronization.

Note

: Administrators can hide users, distribution groups, and contacts from the GlobalAddress List by setting the

msExchHideFromAddressLists

attribute for the object in on-premisesActive Directory.Apply the following requirements for user object attributes in preparing your Active Directoryfor directory synchronization.

UserssAMAccountName



Maximum number of characters: 20



Invalid Active Directory characters: !#\$%\^&\{\}\\{`~””,\\/\[\]:@<>\+=;\?\*



If a user has an invalid sAMAccountName but a valid userPrincipalName, the useraccount is created in Office 365.



If both the sAMAccountName and userPrincipalName are invalid, the on-premises ActiveDirectory userPrincipalName must be updated.

givenName



Maximum number of characters: 64



Questionable characters: ?@\+

Note:

The Deployment Readiness Tool checks for questionable characters.

sn (surname)



Maximum number of characters: 64



Questionable characters: ?@\+

Note:

The Deployment Readiness Tool checks for questionable characters.

displayName



Maximum number of characters: 256

183Microsoft Office 365 Deployment Guide for Enterprises | December 2011



Questionable characters: \?@\+

Note:

The Deployment Readiness Tool checks for questionable characters.

mail



Maximum number of characters: 256



Invalid characters: [! #$ %&*+ / = ? ^ ` { }]



Duplicate values: The

mail

attribute cannot contain any duplicate values.Note: If there are duplicate values in mail field, the first user with the value issynchronized to the Office 365 environment. Subsequent users will not appear in theMicrosoft Online Services Portal. You must modify the value not found the portal, ormodify both of the values in the on-premises directory, in order for both users to appearin the Office 365 service.

mailNickname



Maximum number of characters: 64



Invalid characters: “”\\\[\]:><; and space ( )

proxyAddresses



Multi-value attribute



Maximum number of characters: 256



Invalid characters: \)\(;><\]\[\\,

targetAddress

For mail-enabled objects and alternate addresses, the

targetAddress

attribute is required. This isespecially true in third-party messaging migration and coexistence scenarios. If the

targetAddress

attribute is not present, the fallback is to the

mail

attribute.



Maximum number of characters: 256



Invalid characters: [! #$ %&*+ / = ? ^ ` { }]

userPrincipalName



Maximum number of characters for username: 64



Maximum number of characters for domain name: 256



Invalid characters:

}{ # ‘ * + ) ( > < /

\ = ? `



&

character: Automatically changed to underscore:(

_

) character: remains the same.



Duplicate proxies will be emailed as an error before any notification errors.

Additional requirements for a valid userPrincipalName:



@ character is required in each userPrincipalName value.

184Microsoft Office 365 Deployment Guide for Enterprises | December 2011



@ character cannot be first character in each userPrincipalName value.



Username cannot end with a period (.) an ampersand (&) a space ( ), or at sign (@)



Username cannot have a space ( ).



Routable domains must be used (for example, .local or .internal cannot be used)



Unicode is converted to underscore characters.



userPrincipalName may not contain any duplicate values in the forest.

Groups



Mail-enabled character check: All mail-enabled groups must follow the pattern of *@*.

Contacts



Mail-enabled character check: All mail-enabled contacts must follow the pattern of *@*.

185Microsoft Office 365 Deployment Guide for Enterprises | December 2011

13

Appendix G: Sample Email Migration End UserCommunications

The following is a communication timeline and sample emails that your Office 365 administratorcan use to inform managers and employees about the email migration to Exchange Online.For sample emails for the migration to Lync Online, seeLync 2010 Email Templates.

5 Weeks Prior to Migration Date: Send Manager Email

Notify all managers that your organization is migrating to Microsoft

Exchange Online. Tell yourmanagers when it is going to happen. Provide an overview of the process. Explain why you are

migrating. Give your managers tools to promote your organization’s deci

sion to make thischange. Give them information to communicate to their employees so that their employeesknow the migration is coming.

4 Weeks Prior to Migration Date: Send General Email

The following is a sample email for the administrator to send to all organization mail users atfour weeks prior to the email migration.

Subject: ACTION REQUIRED: We are migrating your mailbox to Microsoft Exchange Online!This email is your first notice that your mailbox will be migrated to Microsoft Exchange Online on<Date>. There are many tasks that you must perform before your email can be migrated. Thereare also several actions you can take before migration to improve your Exchange Onlineexperience.See ACTION REQUIRED BEFORE MIGRATION <insert link to before-migration instructions on your Microsoft SharePoint Online site>to prepare for your migration.You can also preview what you will need to do after your mailbox has been migrated. See ACTIONREQUIRED AFTER MIGRATION <insert link to after-migration instructions on your SharePoint site>to preview this information.If you have any questions, check the Exchange Online FAQ <insert link to Microsoft Online FAQ>and the Exchange Online Known Issues <insert link to Microsoft Online Known Issues>, or contact support <insert your support contact information>.Thank you,<Your Migration or Support Contact Alias>

186Microsoft Office 365 Deployment Guide for Enterprises | December 2011

2 Weeks Prior to Migration Date: Send Manager Email

The following is a sample email for the administrator to send to all managers at two weeks priorto the email migration.

Subject: ACTION REQUIRED: Do you approve mailbox migration for these employees?

We need your approval to migrate your employees’ mailboxes to Microsoft Exchange Online on

<Date>. If we do not receive your approval, the following employees will not be migrated. ACTION REQUIREDReview the list of your employees and respond to this email to let us know if they can be migrated.Employee

Migrate? (yes/no)

Aaron ConCoby Thomas

In the “Migrate?” column next to the employee, please indicate “Yes” to approve mailbox migration. If someone’s mailbox cannot be migrated, or if you do not want them to be migrated at this time, include that information in the “Migrate?” column.

If you have any questions, check the Microsoft Exchange Online FAQ <insert link to Microsoft Exchange Online FAQ> and the Exchange Online Known Issues <insert link to Microsoft OnlineKnown Issues>, or contact support <insert your support contact information>.Thank you,<Your Migration or Support Contact Alias>

2 Weeks Prior to Migration Date: Send User Email

The following is a sample email for the administrator to send to all mail users at two weeks priorto the email migration.

Subject: ACTION REQUIRED: We are migrating your mailbox to Microsoft Exchange Online!Your mailbox will be migrated to Microsoft Exchange Online on <Date, Day, and Time>. Pleasecomplete the tasks that you must perform before your email can be migrated. There are alsoseveral actions you can take before migration to improve your Exchange Online experience.See ACTION REQUIRED BEFORE MIGRATION <insert link to before-migration instructions on your SharePoint site> to prepare for your migration.

187Microsoft Office 365 Deployment Guide for Enterprises | December 2011

You can also preview what you will need to do after your mailbox has been migrated. See ACTIONREQUIRED AFTER MIGRATION <insert link to after-migration instructions on your SharePoint site>to preview this information.If you have any questions, check the Exchange Online FAQ <insert link to Microsoft Online FAQ>and the Microsoft Online Known Issues <insert link to Microsoft Online Known Issues>, or contact support <insert your support contact information>.Thank you,<Your Migration or Support Contact Alias>

1 Week Prior to Migration Date: Send User Email

The following is a sample email for the administrator to send to all mail users at one week priorto the email migration.

Subject: IMPORTANT! – ACTION REQUIRED: We are migrating your mailbox to Microsoft ExchangeOnline!We are migrating our mailboxes to Microsoft Exchange Online on <Date>. If you do not completethe required actions by <Date

–

today’s date + 1 day> your mailbox will not be migrated.

If you have already completed the actions required before migration, please ignore this email.See ACTION REQUIRED BEFORE MIGRATION <insert link to before-migration instructions on your SharePoint site> to prepare for your migration.You can also preview what you will need to do after your mailbox has been migrated. See ACTIONREQUIRED AFTER MIGRATION <insert link to after-migration instructions on your SharePoint site> to preview this information.If you have any questions, check the Microsoft Exchange Online FAQ <insert link to Microsoft Online Exchange FAQ> and the Microsoft Exchange Online Known Issues <insert link to ExchangeOnline Known Issues>, or contact support <insert your support contact information>.Thank you,<Your Migration or Support Contact Alias>

1 Week Prior to Migration Date: Send General Email

The following is a sample email for the administrator to send to everyone who has completedthe migration survey and is ready to migrate. Instructions for taking the migration survey areincluded in the ACTION REQUIRED BEFORE MIGRATION.

188Microsoft Office 365 Deployment Guide for Enterprises | December 2011

Subject: NOTIFICATION: We are migrating your mailbox to Microsoft Exchange Online!Congratulations! Your mailbox is ready to be migrated on <Date>.You can continue to use your current mailbox as usual until your mailbox is migrated to ExchangeOnline. After your mailbox has been migrated, you will receive a Welcome email with your Office365 logon credentials and a link to instructions describing how to set up and use your new Microsoft Online mailbox. For a preview of those instructions, see ACTION REQUIRED AFTERMIGRATION <insert link to after-migration instructions on your SharePoint site>.If you have any questions, check the Microsoft Exchange Online FAQ <insert link to ExchangeOnline FAQ> and the Exchange Online Known Issues <insert link to Microsoft Online KnownIssues>, or contact support <insert your support contact information>.Thank you,<Your Migration or Support Contact Alias>

1 Week Prior to Migration Date: Send Manager and Support Mail

The following is a sample email for the administrator to send to the managers of the employeeswhose mailboxes are being migrated, and the designated migration administrators and supportpeople.

Subject: NOTIFICATION: These people will be migrated to Microsoft Exchange Online on <Date>.The following people will be migrated to Microsoft Exchange Online on <Date>:Employee

Comment

Shola Aluko Jesper HessMigration will begin at <Time> on <Day> and is expected to be completed by <Time>, <Day>.The employees whose mailboxes are being migrated will receive a reminder email the day beforetheir migration. When their migration is complete, they will receive a Welcome email withinstructions describing how to use their Microsoft Exchange Online mailbox.The following people will be performing the migration: Administrator 1: <Name> Administrator 2: <Name> Administrator 3: <Name>

189Microsoft Office 365 Deployment Guide for Enterprises | December 2011

The following Support people will be available by phone, <phone number> and by email <Support Alias>.Support Person 1: <Name>Support Person 2: <Name>Support Person 3: <Name>Support coverage will begin at <Start Time> and run through <End Time> until this group hasbeen successfully migrated.If you have any questions, check the Microsoft Exchange Online FAQ <insert link to ExchangeOnline FAQ> and the Exchange Online Known Issues <insert link to Exchange Online KnownIssues>, or contact support <insert your support contact information>.Thank you,<Your Migration or Support Contact Alias>

1 Day Prior to Migration Date: Send General Mail

The following is a sample email for the administrator to send to everyone who has completedthe migration survey and is ready to migrate. Instructions for taking the migration survey areincluded in the ACTION REQUIRED BEFORE MIGRATION document.

Subject: REMINDER: We will migrate your mailbox to Microsoft Exchange Online tomorrow!Migration will begin at <Time> and is expected to be completed by <Time>. Support will beavailable by phone, <phone number> and by email <Support Alias>.You can continue to use your current mailbox as usual until your mailbox is migrated to ExchangeOnline. After your mailbox has been migrated, you will receive a Welcome email with your Microsoft Online logon credentials and a link to the instructions describing how to set up and use your new Microsoft Online mailbox. For a preview of those instructions, see ACTION REQUIRED AFTER MIGRATION <insert link to after-migration instructions on your SharePoint site>.If you have any questions, check the Exchange Online FAQ <insert link to Exchange Online FAQ>and the Exchange Online Known Issues <insert link to Microsoft Online Known Issues>, or contact support <insert your support contact information>.Thank you,<Your Migration or Support Contact Alias>

190Microsoft Office 365 Deployment Guide for Enterprises | December 2011

After Migration: Send User Welcome Email

The following is a sample email for the administrator to send to everyone who has beensuccessfully migrated after the migration team has verified that the mailbox migration andforwarding has been successfully accomplished. It can be emailed or printed and distributed byhand.

Subject: ACTION REQUIRED: Get connected to Microsoft Exchange Online!Congratulations! Your mailbox has been successfully migrated to Microsoft Exchange Online.Your new logon credentials are:User name: <username>@example.comTemporary password: <password>There are many tasks that you must perform now that your email has been migrated. Werecommend setting aside two or three hours to complete them. To review the instructions and perform the tasks, see ACTION REQUIRED AFTER MIGRATION <insert link to after-migrationinstructions>.If you have any questions, check the Exchange Online FAQ <insert link to Microsoft Online FAQ>and the Exchange Online Known Issues <insert link to Exchange Online Known Issues>, or contact support <insert your support contact information>.Thank you,<Your Migration or Support Contact Alias>

191Microsoft Office 365 Deployment Guide for Enterprises | December 2011

14

Appendix H: Post-deployment Services TestPlan

The following is an example of a post-deployment test plan that you can use to verify thefunctionality of Office 365 service offerings.

Post-Migration Services Test Plan

StatusDirectory Synchronization (DirSync) ToolFunctionalityOwner Notes

Not StartedCreate user object to verify DirSync accountcreation3 hour replication interval or force DirSyncNot StartedModify user object to verify DirSyncattribute modification3 hour replication interval or force DirSync

Status End-User Acceptance Owner Notes

Not Started Install and run Office 365 Desktop Setup Download from Microsoft OnlineNot Started Configure OutlookNot StartedOpen Outlook and verify connectivity toExchange OnlineNot Started Launch customer online portalNot StartedAuthenticate using Outlook Web Appverifying URLNot StartedLaunch customer online portal verifyingURLNot Started Launch customer SharePoint verifying URLNot Started Perform necessary updates to internal URLs

Status Individual User Mailbox Migration Owner Notes

Not Started

Create user’s profile and point to the

Office365 serviceNot StartedPermission to their own mailbox post-migration and can read/send emailNot StartedPermission to Shared Mailboxes post-migration and can read/send emailSend-As only available with post-migrationscriptNot StartedUser has ability to sync their BlackBerrydevice post-migration via

RIM’s

BlackBerryBusiness Cloud ServiceNot StartedMigration of delegate permissionsApplicable based on migration toolcapabilitiesNot StartedNo unexpected NDRs for user post- Scope will need to be defined as some NDRs

192Microsoft Office 365 Deployment Guide for Enterprises | December 2011migration will occur

Status Email Owner Notes

Not StartedSend and receive email messages tomigrated usersNot StartedSend and receive email messages to non-migrated usersNot StartedSend and receive email messages toexternal usersNot Started Send email to Distribution ListNot Started Reply to email from migrated usersNot Started Reply to email from external usersNot Started Non-migrated user reply to email Sent from migrated user prior to migrationNot Started Recover deleted item from the Recycle BinNot Started Email access with Outlook Web AppNot Started Reply to an email with a Distribution ListNot Started Incoming mail from an external user To both Distribution List and User

Status Calendaring Owner Notes

Not Started Meetings have been migratedNot StartedBook a meeting in a migrated conferenceroomNot StartedMeeting request can be accepted for anavailable conference roomNot StartedMeeting request is not accepted for a pre-booked conference roomNot StartedRemote booking agent is functional whereappropriateNot StartedUpdated meeting requests notify allattendeesNot StartedView details of free/busy information forthose permittedNot StartedView secondary calendar side-by-side forthose permitted

Status Mobile Devices Owner Notes

Not StartedEmail sent from Exchange arrives at amobile deviceNot StartedEmail sent from a mobile device arrives in

193Microsoft Office 365 Deployment Guide for Enterprises | December 2011ExchangeNot StartedDelete mail item from supported mobiledevicesNot StartedCreate calendar item from supportedmobile devices

Status Message Archiving (Optional) Owner Notes

Not Started Verify inbound emails are archivedNot Started Verify outbound emails are archivedNot StartedVerify internal emails are archivedWith emails which do not contain any externalrecipients in To/CC/BCC fields.Not StartedVerify the members of Archive Group DLThe number of users should be the same withthe number of users in Administration Centerif you archive all.Not StartedVerify search functionality is present andworks correctly for title, message bodyNot Started Verify email is encrypted in transitNot StartedVerify authorized export users can export to.PST fileNot Started Verify ad hoc searches workNot Started Verify nightly harvest is occurringNot StartedVerify keyword and percentage samplingworkNot StartedVerify message review and escalationprocess work

Status Lync Online Conferencing Notes

Not Started Create a ConferenceNot Started Invite people to a conferenceNot Started Initiate a Conference

194Microsoft Office 365 Deployment Guide for Enterprises | December 2011

Status SharePoint Notes

Not Started

Site collection

Not Started Create siteNot Started Create site collectionNot Started Add user to site collectionNot Started Remove user from a site collectionNot StartedCreate new group for a site collection andadd userNot Started

Users and groups

Not Started Add user to siteNot Started Remove user from a siteNot Started Create new group for a site and add userNot Started

Publishing

Not Started Publish a blogNot Started Publish an RSS feedNot Started Remove RSS viewer Web partNot Started

Documents

Not Started Create document libraryNot Started Create documentNot Started Upload document to libraryNot Started

Lists

Not Started Create listNot Started Add list itemsNot StartedAdd approval workflow to list, library, orcontent typeNot Started Remove approval workflow from above listNot Started

Searches

Not Started Perform document searchNot Started Perform people searchNot Started

Bulk Upload content

Not Started Upload calendar information from OutlookNot Started Upload Contacts from OutlookNot Started Upload document libraries

195Microsoft Office 365 Deployment Guide for Enterprises | December 2011

15

Appendix I: Glossary

Active Directory Federation Services (AD FS):

AD FS provides the various end-points that theMicrosoft Federation Gateway uses to redirect clients to the AD FS server for different types of authentication. AD FS must be installed on a separate physical server that is a part of your on-premises network organization.

Active Directory Federation Services configuration database:

A database used to store allconfiguration data that represents a single AD FS 2.0 instance or Federation Service. Thisconfiguration data can be stored using the Windows Internal Database (WID) feature includedwith Windows Server 2008 and Windows Server 2008 R2 or using a SQL Server® database.

Autodiscover:

The Exchange Autodiscover service automatically finds the correct MicrosoftExchange Server host and configures Microsoft Office Outlook 2010 or Outlook 2007 for yourusers. It also includes an offline address book and the Free-Busy availability service that providesavailability information for your users.

BPOS (Business Productivity Online Standard Suite):

This is the acronym for the first versionof the cloud-based, multi-tenant productivity suite from Microsoft Online Services. The BPOSservice offering is being replaced by Office 365 service offerings.

Comma separated value (CSV) file

: A text file in which each value is separated by a comma. Itis typically used as an input file for a software program or script.

CNAME record:

A Canonical Name (CNAME) record is a type of resource record in the DomainName System (DNS) that is an alias for the Address (A) record that maps an IP address to thetarget server. The target server does not have to exist in the same domain as the CNAME recorditself. You can define an alias in one domain to point to a target server in a completely differentdomain. Many organizations use CNAME records with web servers. An organization might pointthe alias www to a Web server that is hosted by a dedicated Web hosting company. Forexample, requests for http://www.contoso.com can be redirected to webserver1.fabrikam.com

Deployment Consultant:

The Deployment Consultant (Microsoft or partner) is the primaryresource for customers to work with on technical and project related items. The DeploymentConsultant is the primary contact for your Technical Lead.

Directory synchronization (DirSync):

Active Directory synchronization (DirSync) replicates an

organization’s

on-premises Active Directory information for mail-enabled objects to the Office365 environment. Using the Microsoft Online Services Directory Synchronization Tool, your

company’s administrators can keep your local Active Directory continuously synchronized with

Office 365. This not only allows you to create synchronized versions of each user account andgroup, but also allows global address list (GAL) synchronization from your local Microsoft

196Microsoft Office 365 Deployment Guide for Enterprises | December 2011

Exchange Server environment to Microsoft Exchange Online. Organizations deployingcoexistence must deploy DirSync on a separate, on-premises server. The synchronization fromyour on-premises Active Directory to the Office 365 Active Directory environment is one way.

Domain registrar:

A domain name registrar is an organization or commercial entity, accreditedby the Internet Corporation for Assigned Names and Numbers (ICANN) or by a national countrycode top-level domain (ccTLD) authority, to manage the reservation of Internet domain namesin accordance with the guidelines of the designated domain name registries and offer suchservices to the public.

Email coexistence:

Email coexistence enables organizations with on-premises Exchange Serveremail environments to establish a connection between their on-premises mail environment andthe Office 365 Exchange Online mail environment. With coexistence configured, some usersconnect to Exchange Online while others continue to use the local Exchange Serverenvironment, and all of the users can share the same email domain name. Email coexistence canbe configured as eithersimple coexistenceor as ahybrid deployment.

Exchange Management Shell:

The command-line interface for Exchange Server 2010 and 2007.

Exchange Control Panel (ECP):

This Web-based console is used to manage the ExchangeOnline environment. The ECP can be accessed through the Admin area of the Microsoft OnlineServices Portal.

Exchange Hosted Archive:

Part of the Exchange Hosted Services (EHS) network, EHA provides arepository that stores email. Using EHA, organizations can manage increasingly complexretention, compliance, and regulatory requirements. The EHA systems receive a message andafter being filtered the clean message is delivered to the corporate mail server. A copy is madeand stored in a security-enhanced online message repository.Note: EHA was an option in the BPOS service and is no longer available with Office 365.Exchange Online Archive can be used instead.

Exchange Online:

A hosted email and messaging service built on Microsoft Exchange Serverand offered by Office 365. For organizations using on-premises Exchange Server and Exchange

Online, Exchange Online is sometimes referred to as their “cloud

–

based Exchange organization.”

External relay:

A configuration option in Microsoft Online Services Portal when mailboxes for adomain are hosted outside of Exchange Online and the MX record points to an email serveroutside of Exchange Online. Selecting this option requires disabling of inbound messaging.

Federation Service:

A logical instance of AD FS 2.0. A Federation Service can be deployed as astand-alone federation server or as a load-balanced federation server farm. You can configurethe name of the Federation Service using the AD FS 2.0 Management snap-in. The DNS name of the Federation Service must be used in the Subject name of the SSL certificate.

197Microsoft Office 365 Deployment Guide for Enterprises | December 2011

Federation server:

A computer running Windows Server 2008 or Windows Server 2008 R2 thathas been configured to act in the federation server role. A federation server serves as part of aFederation Service that can issue, manage, and validate requests for security tokens and identitymanagement. Security tokens consist of a collection of claims, such as a user’s name or role.

Federation server farm:

Two or more federation servers in the same network that areconfigured to act as one Federation Service instance.

Federation server proxy:

A computer running Windows Server 2008 or Windows Server 2008R2 that has been configured to act as an intermediary proxy service between a client on theinternet and a Federation Service that is located behind a firewall on a corporate network. Inorder to allow remote access to the services in Office 365, such as with a smart phone, homecomputer, or Internet kiosk, you need to deploy a federation server proxy.

FOPE Administration Center:

The service management site for Microsoft ForeFront OnlineProtection for Exchange.

Hybrid Deployment:

A hybrid deployment is an email coexistence configuration offersExchange organizations the ability to extend the feature-rich messaging experience andadministrative control they have with their existing on-premises Exchange Server organization toOffice 365 and Exchange Online. A hybrid deployment provides the seamless look and feel of asingle Exchange organization between an on-premises organization and an Office 365organization. In addition, a hybrid deployment can serve as an intermediate step to movingcompletely to Exchange Online. A hybrid deployment offers a unified global address list (GAL)and mail routing between the on-premises and Office 365 organizations plus additionalmessaging features typically available in an on-premises Exchange deployment, includingsharing free/busy and calendar information between the organizations and the ability to movemailboxes from the on-premises organization to the Office 365 organization.

Hybrid Server:

A hybrid server is an Exchange Server 2010 SP1 server that is installed in yourexisting Exchange organization. It is required for hybrid deployments. The hybrid server enablesmessaging features and messaging delivery between your existing Exchange organization andthe Office 365-based Exchange organization.

Identity federation:

Identity federation provides a true single sign-on (SSO) experience forusers to access both the on-premises and Office 365 service offerings with a single user nameand password. Additionally, identity federation allows administrators to easily control accountpolicies for Office 365 mailboxes by using on-premises Active Directory management tools.

Internet Message Access Protocol (IMAP)

: This is an application-layer Internet standardprotocol used by on-premises email clients to retrieve email from a remote server over a TCP/IPconnection. Microsoft Online supports email data migration from IMAP4 environments.