Documentos de Académico
Documentos de Profesional
Documentos de Cultura
The following article is part 2 of the Hybrid configuration checklist and prerequirements article series.
In the following article, we review the additional components that are involved
and relate to the Hybrid environment:
Page 2 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part 2/3
Hybrid deployment in Office 365 | Checklist and pre requirements | Part 1/3
Hybrid deployment in Office 365 | Checklist and pre requirements | Part 2/3
Hybrid deployment in Office 365 | Checklist and pre requirements | Part 3/3
7. Exchange On-Premise Hybrid server | Autodiscover service
The Autodiscover service serves as a foundation for the Hybrid relationships
between the Exchange On-Premise and the Exchange Online and vice versa.
Autodiscover service will be used for the first-time configuration of the Hybrid
environment (when using the HCW) and for ongoing communication between the
On-Premise and the cloud environment.
For this reason, it is very important to verify and check the following sections that
relate to the Autodiscover services:
1. Autodiscover record and Public Network
We will need to verify that the Autodiscover record for the organization public
domain is published and pointing to Exchange On-Premise server.
The Autodiscover record is based on a reserved naming convention that is
implanted in the following way: Autodiscover.
For example- the Autodiscover record for the public domain o365info.com is:
Autodiscover.o365info.com
We will need to check and verify that the Autodiscover record was published
correctly and that the Autodiscover record is point to the Exchange On-Premise
server
In the following diagram, we can see a description of the Autodiscover process.
In our example, Exchange Online needs to get information about
o365info.com organization.
To get the required information, Exchange Online access a public DNS and query
about the Autodiscover.o365info.com record.
Page 3 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part 2/3
In case that the Autodiscover DNS record is configured correctly, the DNS provides
the Public IP and, Exchange Online use this IP for contacting the Exchange OnPremise Autodiscover services.
Note In this section we relate only to the DNS settings for the Autodiscover service
and the rest of the section, we review other aspects the Autodiscover service that
we need to verify and check.
Autodiscover DNS record | A record
In a hybrid environment, the Autodiscover should be implemented as an A record
that is published trough the Public DNS server.
In some scenario, the Exchange On-Premise Autodiscover configuration is based on
SRV record. This scenario is not supported in Hybrid environment.
In other words: in case that the current Exchange On-Premise Autodiscover is
based on an SRV DNS record, you will need to change\update this configuration to
a standard AutoDiscover configuration that is implemented by using A record that
points to the public IP address of the Exchange On-Premise server.
Page 4 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part 2/3
Youd also need to include these records in the SAN certificate. You could use
CNAME records for Autodiscover redirection, but that wouldnt change the fact that
you have to add all Autodiscover records to the SAN certificate. Also, Exchange
hybrid deployments dont support SRV-based Autodiscover redirection.
[Source of information: Exchange Queue & A: Handling hybrid environments ]
2. Verify successful operation of Exchange On -Premise Autodiscover
process
The fact that the Autodiscover services Record and the Public IP is published is only
the first part of the required settings. In the next step, we need to verify that we can
access Exchange On-Premise Autodiscover service + gets the required information
(Exchange On-Premise will provide the required information using an XML file).
In the following diagram, we can see that external host (such as Exchange Online)
tries to connect the local Exchange On-Premise (the AutoDiscover services of the
Exchange on-Premises server).
In case the Exchange on-Premises server respond, the Exchange Online will need
to identify and after a successful authentication, the Exchange On-Premise provides
the required information using a file named autodiscover.xml
Page 5 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part 2/3
Page 6 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part 2/3
3. In the result screen, we can see that the header is: Connectivity Test Successful
with Warning.
This is the required result, despite that the result includes a Yellow
exclamation mark. The Autodiscover test will include by default some minor
errors, that caused by the trial and error mechanism of the Autodiscover
process.
The fact that we get the Green icon is the Indication for the successful
Page 7 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part 2/3
4. In case that we want to get more detailed information, we can click on the Test
Step.
In the following screenshot, we can see the content of the Autodiscover XML file.
Page 8 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part 2/3
Technically, each of the Exchange servers since Exchange version 2007 can provide
Autodiscover services, but the why that Exchange server prepare the required
data (the XML file), and the content of the Autodiscover file, is created and
implemented in a different way in each of the Exchange server versions.
In a mix Exchange environment, the backward computability concept is
implemented.
The latest Exchange server version can get queries for AutoDiscover information
and understand how to format the required answer.
For example, in case that we point the Autodiscover record to the Exchange 2013
server, and external client asks for the Free\busy time of a recipient (Availability
services) who is hosted on the Exchange 2007 server, the Exchange 2013 knows
how to format the request and the answer that is sent from the Exchange 2007
server in a proper way.
4. Autodiscover record pointing to the Exchange On -Premise server
One of the most common mistakes related to Autodiscover record and Hybrid
implementations is: updating the Autodiscover record to point the cloud
(autodiscover.outlook.com).
This assumption may seem logic, but this update should not be implemented.
In a Hybrid configuration, the Autodiscover record that represent the Public
domain name should point to the Exchange On-Premise server.
Page 9 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part 2/3
Note we dont need to configure or update any of the Autodiscover settings that
related to the cloud because in Office 365, all the required configurations of the
Autodiscover services are configured automatically by using the service domain or
the Tenet Office 365 domain such aso365info.mail.onmicrosoft.com
Page 10 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part
2/3
Page 11 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part
2/3
In our scenario, the Public name of the Exchange On-Premise is: mail.o3655info.com
We will open a web browser and use the following URL
address:https:/mail.o365info.com/ews/exchange.asmx
In the following screenshot, we can see that we can successfully connect the EWS
services of the Exchange On-Premise.
As a response, Exchange on-Premises server sends a requirement for
authentication.
Additionally, we can see that the server certificate is proper because the Lock icon
has no errors.
The credentials that we will need to provide are just a simple user credential of any
recipient who has a mailbox on the Exchange On-Premise server.
Page 12 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part
2/3
The Exchange On-Premise answer is an XML file that includes the required
information or description about the Exchange On-Premise Web Services.
There is no actual meaning for us. The only meaning is that we could access the
Exchange On-Premise EWS service and get the Exchange server response.
Page 13 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part
2/3
1. Choose the Exchange server tab and then under the Microsoft Exchange Web
Services Connectivity Tests choose the option: Synchronization, Notification,
availability and Automatic reply
Page 14 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part
2/3
3. In the result screen, we can see that the header is: Connectivity Test Successful
with Warning.
This is the required result despite that the result includes a Yellow Exclamation
mark.
The Exchange On-Premise Web service test will include by default some minor
errors that caused by the trial and error mechanism of the AutoDiscover process.
The fact that we get the Green icon is the Indication for the successful
implementation of the Exchange On-Premise Web service process.
Page 15 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part
2/3
4. In case that we want to get more detailed information, we can click on the Test
Step.
In the following screenshot, we can see the content of the AutoDiscover XML file.
Page 16 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part
2/3
Additional reading
Page 17 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part
2/3
creating data encryption. Data integrity, mutual authentication and so on, is based
on a Public certificate that is the use of both sides (Exchange Online and Exchange
On-Premise).
The basic assumption is that the Exchange Online Public certificate is configured
correctly and available.
In our scenario, we will need to verify the subject of the Public certificate on the
Exchange On-Premise server side.
Note we will not get into details about how to create a certificate request install a
public certificate on the Exchange On-Premise and so on.
The basic assumption is that the Exchange On-Premise includes an insulation of
Public certificate, and we just want to verify that the Public certificate is installed
and include the required information.
The Exchange On-Premise public certificate will be used as part of the AutoDiscover
service and actually for the encryption of the mail flow (SMTP/TLS) between the
Exchange On-Premise server and Exchange Online server.
In the following diagram, we can see an example for the Hosts names that will
need to be included in the Exchange On-Premise public certificate.
In our scenario, the Exchange On-Premise public certificate should include the
hosts name:Autodiacover.o3655info.com for the Autodiscover services and
additional hostname mail.o3655info.com
this is the host name which will be used by Exchange Online server for addressing
Exchange On-Premise server (creating a secure communication channel to the
Exchange On-Premise server).
Page 18 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part
2/3
Page 19 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part
2/3
There are three main requirements that relate to the Exchange On-Premise
certificate:
1. Public certificate
The meaning of the term Public certificate is that the certificate was created by a
Public CA (Certificate Authority).
In the following screenshot, we use the Exchange 2010 On-Premise MMC interface
for getting information about the Public certificate.
We can see that under the section of self-Signed, the value of the certificate is:
False (number1 in the screenshot).
The meaning is that this certificate was not created by the Exchange On-Premise
server (self- Signed but instead was created by a Public Certificate provider.
2. Certificate assignment
Page 20 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part
2/3
The Public Certificate should be assigned to the following Exchange services: IIS and
SMTP (number 2 in the screenshot).
Page 21 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part
2/3
Option 1: get information about the Pubic Certificate using Exchange MMC
To be able to verify the hosts named that are included in the Public certificate,
double-click on the public certificate and on the details tab look for the field
Subject Alternative Name
In the following screenshots, we can see that the public certificate includes all of the
required hosts names.
Note the subject of including hosts names in a Public certificate is not relevant
when we use a wild-card certificate because in this scenario, the certificate relates
to all the of the hosts under a specific domain.
Page 22 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part
2/3
10. Microsoft MFG server and the proof of the ownership process
The first step when we need to create a Hybrid configuration is the step in which
the Exchange On-Premise server creates trust relations with the Microsoft
Federation gateway (MFG).
This trust relationship described as Federation trust
Note when using hybrid configuration both of the sides (Exchange On-Premise
and Exchange Online) need to trust the MFG. The Office 365 cloud infrastructure
Page 23 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part
2/3
is set to automatically trust the MFG server so the only requirement is to build a
new trust between the Exchange On-Premise and MFG.
The creation of the Federation trust with the Microsoft MFG server, is created by
implementing a proof of ownership process for the public domain that we use.
For example: in case that we want to configure Hybrid configuration using the
public domain name: o3655info.com, we will need to prove that we own this
domain.
The proof of ownership process is implemented in the following way: when using
the HCW, Exchange On-Premise contacts the Microsoft MFG server.
The MFG server reply with a TXT string.
We will need to copy this text string, go to our public DNS server, add a new TXT
record that includes the value that was provided by the MFG server and only after
we have created the proof, MFG servers will access our public DNS server looking
for this TXT string.
Page 24 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part
2/3
In the following diagram, we can see a description of the flow or the steps that are
required for building the trust with the Microsoft MFG server.
When using the HCW (Exchange Hybrid configuration wizard), the required TXT
string that sent from the MFG server will be displayed on the screen.
In case that for some reason the required TXT string is not displayed, we can use a
PowerShell command for displaying the TXT string (the TXT Domain Proof).
The PowerShell that we use is based on the following syntax:
PowerShell
1 Get-FederatedDomainProof -DomainName "<Domain name>"
In the following screenshot, we can see the Domain Proof Text string.
Page 25 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part
2/3
Option 1: Verify that the TXT record is configured correctly in the Public DNS
using a Nslookup command tool
In case that we want to verify that the TXT record (TXT Domain Proof) was
configured correctly in the Public DNS, we can create a query for a TXT record.
To verify that the TXT record (TXT Domain Proof) was configured in the Public DNS,
you can check the information by using the NSLOOKUP command.
For example we can use the NSLOOKUP tool for getting information about the
TXT record that are configured in the domain: o3655info.com
from the command prompt we type:
Nslookup
Set type=txt
Next we will type the name of the domain name which we want to query.
o365info.com
In the following screenshot, we can see the result of the Nslookup command
Page 26 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part
2/3
Option 2: Verify that the TXT record is configured correctly in the Public DNS
using web tool.
There are many free web tools that can help us to check and query DNS server.
In the following example, we will use the site: mxtoolbox
1. Choose the More menu
Page 27 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part
2/3
2. Choose the TXT option and type the domain name that you want to query.
3. In our example, we would like to get information about all the TXT records in the
domain o365info.com
In the following screenshot, we can see the result of the query. There is a two
TXT record under the o365info.com domain.
One of this TXT record is the Text string that was provided by the Microsoft MFG
server and was updated in the o365info.com domain as a TXT record.
Page 28 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part
2/3
Page 29 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part
2/3
In the following diagram, we can see an example for the required configuration for
the secure communication link between the Exchange On-Premise and the
Exchange Online server.
In our scenario, the shared domain is o365info.com
Each of the mail that will be sent from Exchange On-Premise recipient to cloud
recipient (Exchange Online) and vice versa, that include the domain name:
o365info.com, will be routed through the direct secure communication channel that
exists.
Note the direct secure communication channel is implemented by a set of four
connectors:
1 send connector, and 1 receive connector that created on the Exchange OnPremise hybrid server and the same on the Exchange Online side.
Page 30 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part
2/3
Page 31 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part
2/3
Page 32 of 32 | Hybrid deployment in Office 365 | Checklist and pre requirements | Part
2/3
Video links