While many organizations are flocking to cloud options such as Office 365 and Exchange Online, others continue to host their email on-premises. By releasing the latest iteration of Exchange (Microsoft Exchange Server 2019), Microsoft has given these organizations a few more years of "on-prem" time. Will there be an on-prem Exchange solution beyond 2019? Who knows? However, with Exchange Server 2019 here, I figured it would be a good idea to explain how to configure it to work with Exchange Online in Full Hybrid mode.
What we'll cover
In this tutorial, we'll walk through the process of provisioning an O365 tenant and then use the Hybrid Configuration Wizard to connect an on-prem Exchange 2019 organization with the O365 tenant that was provisioned. We'll cover the HCW setup process, the preparation of the on-prem Active Directory, and then the deployment of Azure AD Connect.
When you finish reading this tutorial, you should have no problems connecting an on-premises Exchange 2019 organization to an O365 tenant using the Hybrid Configuration Wizard. Let's get started!
Before going into the process of setting up a Full Hybrid between Exchange 2019 and Exchange Online, let's cover what my lab looks like.
The lab for this tutorial consists of an on-prem AD, a domain controller, and an Exchange 2019 server (both hosted on VMs in Azure), and a publicly routed email domain:
- Active Directory: bluewidgets.local
- AD Domain Controller: DC01.bluewidgets.local (Windows 2016)
- Exchange 2019 Server: EX01.bluewidgets.local (Windows 2016)
- Email Domain: bluewidgets.org (hosted at GoDaddy)
I've added bluewidgets.org as an alternate UPN suffix for the bluewidgets.local AD domain, and I've updated all users in the domain to use bluewidgets.org as their UPN suffix. This is necessary because, when the users eventually sync to O365, they need to be syncing with an Internet-routable domain name as their UPN suffix.
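As an added example (not from the original post), this PowerShell does the UPN preparation just described: it registers the routable suffix on the forest and moves the users in one OU onto it. It assumes the ActiveDirectory RSAT module, an account with Enterprise Admin rights (UPN suffixes live on the forest object), and a constructed OU of OU=Staff,DC=bluewidgets,DC=local.

```powershell
# Added example: register bluewidgets.org as a UPN suffix and re-point users to it.
# Assumes the ActiveDirectory module and Enterprise Admin rights.
Import-Module ActiveDirectory

$routableSuffix = 'bluewidgets.org'
$ouToUpdate     = 'OU=Staff,DC=bluewidgets,DC=local'   # constructed OU for this example

# 1. Add the suffix at the forest level if it is not already there
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $routableSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $routableSuffix }
}

# 2. Move every enabled user in the OU from user@bluewidgets.local to user@bluewidgets.org.
#    -WhatIf shows the change without applying it; remove it once the output looks right.
Get-ADUser -SearchBase $ouToUpdate -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -notlike "*@$routableSuffix" } |
    ForEach-Object {
        $newUpn = '{0}@{1}' -f $_.SamAccountName, $routableSuffix
        Set-ADUser -Identity $_ -UserPrincipalName $newUpn -WhatIf
    }

# 3. Anything still on the non-routable suffix would be rewritten by Azure AD to
#    user@<tenant>.onmicrosoft.com on sync, so list it before running Azure AD Connect
Get-ADUser -SearchBase $ouToUpdate -Filter * -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -like '*.local' } |
    Select-Object SamAccountName, UserPrincipalName
```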
The first step in the process is to provision an O365 tenant. For this tutorial, I provisioned a tenant with a single E1 license. (E1 includes an Exchange Online license.)
To sign up for a new O365 tenant, go to this link.
If you are following along with this tutorial, all you need to do is purchase a single E1 license during tenant provisioning.
Once you have the O365 tenant provisioned, log in and add your email domain to the tenant. The email domain that I'm using for this tutorial is bluewidgets.org, so that's the domain I've added to my newly-provisioned O365 tenant. To do this, click on Setup, and then Domains, after logging into the tenant as a Global Admin. Click "Add Domain" and then add your on-prem email domain.
After adding the email domain to the O365 tenant, you'll need to verify the domain. Doing so proves to Microsoft that you own the domain that you're adding.
To verify the domain, you can either sign in to GoDaddy (if your domain's DNS is hosted there) or you can add a TXT record to your public DNS. I prefer to add a TXT record in all cases.
After adding the requested TXT record to DNS, click the Verify button to allow O365 to check for the record's existence.
After verifying the domain, you'll be prompted to update DNS records so that things like autodiscover, MX, and so on point to O365. Skip this for now, because changing them now will break mail flow to your on-prem environment.
After clicking the "Skip" button, click "Finish" to complete the DNS setup.
After clicking "Finish," your new domain will show "Possible service issues" because O365 is still looking for the DNS entries it previously wanted you to add. This is OK to ignore.
Run the Hybrid Configuration Wizard
The Hybrid Configuration Wizard is the software that connects the on-premises Exchange 2019 org to Exchange Online. It creates a HybridConfiguration object in the on-prem Active Directory, which stores the hybrid configuration information for the hybrid deployment. This information is then updated by the HCW. The HCW then collects existing on-prem Exchange and AD topology information, O365 tenant data, and Exchange Online configuration data. It then defines organizational parameters and performs a number of configuration tasks in both the on-prem Exchange org and the Exchange Online org.
To run the HCW, open the on-prem Exchange Admin Center and click "Hybrid" and then "Configure."
After clicking "Configure," you're prompted to sign in to your O365 tenant.
Log in with the Global Admin account.
After logging into O365, click "Configure" again to continue the HCW setup and configuration.
The HCW application is downloaded and then launches.
You'll be prompted to specify a server running Exchange. In this lab environment, there is only one Exchange server, so I've chosen EX01.
Generally, you'll select "Office 365 Worldwide" as the location hosting Exchange Online. After doing so, click "Next" so you can provide login credentials for both the on-prem environment and for the Exchange Online environment.
After supplying both sets of login credentials, click "Next" to allow the HCW to gather configuration information for both environments.
When the gathering is complete, you're prompted to choose a hybrid mode. For this tutorial, we're covering a full hybrid solution, so I've chosen the Full Hybrid Configuration option.
Clicking "Next" takes you to the Federation Trust setup screen, where you need to click "Enable" to enable a Federation Trust between the two orgs. As a side note, such a trust is NOT necessary when configuring a Minimal Hybrid solution.
When you enable the Federation Trust, you'll be prompted to add a TXT record to the public DNS for the email domain. Copy the TXT record value provided and add it to the public DNS for the email domain.
After adding the TXT record to DNS, continue with the Domain Ownership confirmation portion of the Federation Trust setup process.
After confirming domain ownership by clicking "Next," you're prompted to choose a method to ensure secure mail between the on-prem org and Exchange Online. You can choose to configure the CAS/MBX servers for secure mail or you can use Edge Transport. The first option is the most common, and is what we'll do for this tutorial (since there is no Edge Transport server in place).
After clicking "Next," configure a receive connector. You'll be prompted to select an on-prem server. I've chosen EX01 (my only server) in this example.
After clicking "Next," you're prompted to configure a send connector and are, again, asked to choose an on-prem server to host it.
After configuring the send connector and clicking "Next," you need to choose the transport certificate that will be used to secure mail between the organizations. This needs to be a public cert (typically the one already installed on the on-prem Exchange server).
Clicking "Next" brings you to the Organization FQDN screen, where you need to provide a fully qualified name for your on-prem org. I've used mail.bluewidgets.org in this example.
Click "Next" to move on to the "Update" page, where you'll complete the configuration of hybrid.
The Hybrid Configuration Wizard will take all the information that you've provided and complete the hybrid connection setup, making changes as required.
When the process completes, you're greeted with the "Congratulations" screen, which indicates that the Hybrid Configuration Wizard has successfully created the hybrid connection.
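As an added check (not part of the original post), these Exchange Management Shell commands, run on EX01, read back the objects the HCW just wrote so you can confirm the federation trust, the TLS-enforced connectors and the transport certificate match what you selected in the wizard. user@bluewidgets.org is a placeholder for any mailbox in the federated domain.

```powershell
# Added example: verify what the Hybrid Configuration Wizard created.
# Run in the Exchange Management Shell on the on-prem server (EX01 here).

# 1. The HybridConfiguration object stored in Active Directory
Get-HybridConfiguration |
    Format-List Domains, Features, ReceivingTransportServers,
                SendingTransportServers, TlsCertificateName, OnPremisesSmartHost

# 2. Federation trust (the "Enable" step) and the organization relationship to the tenant
Get-FederationTrust | Format-List Name, ApplicationUri, TokenIssuerUri
Get-OrganizationRelationship |
    Format-List Name, DomainNames, TargetApplicationUri, Enabled, FreeBusyAccessEnabled
# Placeholder identity: substitute any mailbox in the federated domain
Test-FederationTrust -UserIdentity user@bluewidgets.org

# 3. Mail flow connectors: the send connector to the tenant must require TLS
Get-SendConnector |
    Where-Object { $_.AddressSpaces -match 'onmicrosoft\.com' } |
    Format-List Name, AddressSpaces, SmartHosts, RequireTLS, TlsAuthLevel, TlsDomain
Get-ReceiveConnector -Server EX01 |
    Where-Object { $_.TlsDomainCapabilities } |
    Format-List Name, Bindings, RequireTLS, TlsDomainCapabilities

# 4. The transport certificate chosen in the wizard: SMTP-enabled, public subject, not expiring soon
Get-ExchangeCertificate -Server EX01 |
    Where-Object { $_.Services -match 'SMTP' } |
    Format-List Subject, Thumbprint, NotAfter, Services, CertificateDomains
```

The thumbprint in step 4 should match TlsCertificateName from step 1; a mismatch means secure mail between the orgs will fail even though the wizard reported success.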
Once the Hybrid Configuration Wizard has completed, you can then set up Azure AD Connect to sync on-prem users to O365. To get started, log in to a domain-joined server and browse to the Active Directory admin center in the Azure portal. From the portal, download the latest version of Azure AD Connect.
In my lab for this tutorial, I did this from the domain controller. Although this works, my personal preference is to use a separate server specifically for Azure AD Connect. You should do what's best for your environment.
After downloading Azure AD Connect, launch the installer.
Accept the license terms and click "Continue."
Follow the on-screen instructions to determine whether you want to use Express or Custom. Although my lab Active Directory is a single-forest AD, I'm using bluewidgets.local, a non-routable domain name, as my AD domain name. As you can see in the screenshot, the Custom option is recommended when using a non-routable domain name, so in this example I chose Custom.
After clicking "Customize," begin the installation by installing the required components. The optional checkboxes can all be left unchecked.
After you click "Install," the installation begins.
When prompted to choose a sign-in option, select Password Hash Synchronization and click "Next."
After clicking "Next," you're prompted to connect to Azure AD by providing Global Admin credentials. Do so and then click "Next."
After Azure AD Connect connects to Azure AD, you're prompted to connect to the on-prem org. Do so by providing an Enterprise Admin account. In my lab, I opted to allow Azure AD Connect to create a service account for me by selecting the first radio button.
After providing admin credentials for both environments, click "Next" to connect the directories.
Once the directories are connected, you're taken to the "Azure AD Sign-In" screen. If your on-premises AD uses a non-routable domain name (.local, for example), you'll see a notification that not all domains have been added (and the .local will be called out). As long as the domain listed with the alternate UPN suffix is showing as "Verified," you can continue.
You'll need to confirm that you're OK with the UPN suffix mismatch by checking the box and then clicking "Next."
After clicking "Next," configure Domain/OU Filtering by either syncing all domains and OUs or by filtering them. For this tutorial, I've chosen to sync just the "Staff" OU. I chose to do so to prevent the sync of unnecessary accounts to O365 (i.e. service accounts and such).
After selecting which OUs to sync, click "Next" to specify how users should be identified in the on-prem AD.
For this lab, I just left the options at their defaults (and you should be able to do so in most cases as well). Click "Next" to move on to the group filtering settings.
The filtering option provides the ability to limit synchronization to a specific group of users. This is useful for piloting. For this tutorial, I skipped group filtering since I was already filtering on a specific OU.
Click "Next" to move on to optional features.
When configuring the Optional Features, check the "Exchange hybrid deployment" checkbox and leave everything else unchecked. Obviously, if you wanted to enable other features, such as password writeback, you'd enable those, but those options are outside the scope of this tutorial.
Click "Next."
When you arrive at the "Ready to Configure" screen, make sure the "Start sync" box is checked and then click "Install." Azure AD Connect will complete configuration and perform a sync of the selected OUs to O365.
When configuration completes, you're presented with a "Success" screen that provides an overview of settings.
If you switch over to the O365 tenant, you can confirm that your users have been synchronized into O365 as expected.
You can further test your hybrid configuration by opening the Exchange Admin Center for the on-premises environment and provisioning a mailbox. When you click on "Recipients" and then the "+" sign to create a new mailbox, you should now see "Office 365 Mailbox" as an option. This allows you to create an on-prem user that uses a mailbox hosted in O365.
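As an added example (not from the original post), this script does the same confirmation from the Azure AD Connect server: it checks the scheduler, forces a delta sync, and compares the enabled users in the filtered OU against the directory-synced users Exchange Online reports. It assumes the ADSync module (installed with Azure AD Connect), the ActiveDirectory RSAT module, the ExchangeOnlineManagement module, and a constructed OU of OU=Staff,DC=bluewidgets,DC=local.

```powershell
# Added example: confirm the Azure AD Connect sync actually delivered the filtered OU.
# Run on the Azure AD Connect server with the modules named in the lead-in.
Import-Module ADSync
Import-Module ActiveDirectory

$staffOu = 'OU=Staff,DC=bluewidgets,DC=local'   # the OU chosen in Domain/OU Filtering (constructed DN)

# Scheduler state: SyncCycleEnabled should be True once "Start sync" was checked
Get-ADSyncScheduler |
    Format-List SyncCycleEnabled, CurrentlyEffectiveSyncCycleInterval,
                NextSyncCycleStartTimeInUTC, SyncCycleInProgress

# Trigger a delta sync unless one is already running, then wait until no connector is running
if (-not (Get-ADSyncScheduler).SyncCycleInProgress) {
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
}
do { Start-Sleep -Seconds 10 } while (Get-ADSyncConnectorRunStatus)

# On-prem side: enabled users in the OU are what should have been exported
$onPrem = Get-ADUser -SearchBase $staffOu -Filter 'Enabled -eq $true' -Properties UserPrincipalName

# Cloud side: users Exchange Online marks as directory-synced
Connect-ExchangeOnline -ShowBanner:$false
$cloud = Get-User -ResultSize Unlimited | Where-Object { $_.IsDirSynced }
Disconnect-ExchangeOnline -Confirm:$false

# Any OU user whose UPN is absent in the tenant points at a UPN suffix or filtering problem
$missing = @($onPrem | Where-Object { $_.UserPrincipalName -notin $cloud.UserPrincipalName })
'On-prem enabled users: {0}  synced in tenant: {1}  missing: {2}' -f @($onPrem).Count, @($cloud).Count, $missing.Count
$missing | Select-Object SamAccountName, UserPrincipalName
```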
Optional configuration
Once you've confirmed the hybrid is working as expected, you can modify your DNS records (the ones that you skipped at the beginning of this tutorial) so that autodiscover and MX records point directly to Exchange Online / O365 instead of the on-prem Exchange environment. However, if you decide to do this, be sure to modify both internal and external records for autodiscover. There should only be an external MX record.
These DNS changes should only be made if you are migrating your on-prem mailboxes to O365, and should only be made after all mailboxes have been migrated.
If you choose to make these DNS changes, select "Exchange" and make the DNS changes that are presented to you.
After making the changes, click the "Check DNS" button to make sure you've made the correct changes.
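As an added example (not part of the original post), this script queries the records this tutorial asks for at three points (the domain-ownership TXT, the federation trust TXT, and the final autodiscover and MX cutover) from both the internal AD DNS and a public resolver, so the internal/external split called out above is visible in one run. The resolver addresses are constructed for the lab.

```powershell
# Added example: check ownership/federation TXT, autodiscover and MX records from
# the internal DNS (DC01) and a public resolver. Constructed resolver values.
$domain   = 'bluewidgets.org'
$internal = 'DC01.bluewidgets.local'   # AD-integrated DNS
$external = '8.8.8.8'                   # any public resolver

function Get-Record {
    param([string]$Name, [string]$Type, [string]$Server)
    # -DnsOnly bypasses the local cache so we see what the server answers right now
    Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq $Type }
}

# 1. TXT at the zone apex: the O365 ownership proof (MS=ms...) and the federation trust proof
Get-Record $domain TXT $external | ForEach-Object { $_.Strings -join '' }

# 2. Autodiscover must resolve to the same target internally and externally after cutover;
#    querying type A returns the CNAME chain as well as any bare A record
foreach ($srv in $internal, $external) {
    Resolve-DnsName "autodiscover.$domain" -Type A -Server $srv -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -in 'CNAME', 'A' } |
        Select-Object @{ n = 'Resolver'; e = { $srv } }, Name, Type, NameHost, IPAddress
}

# 3. MX: expected on the public resolver only; an internal MX for the domain keeps internal
#    relays delivering to the on-prem server after the mailboxes have moved
Get-Record $domain MX $external | Select-Object Name, NameExchange, Preference
if (Get-Record $domain MX $internal) {
    Write-Warning "Internal DNS answers MX for $domain; per the cutover guidance it should be external only"
}
```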
The overall process for deploying a hybrid solution essentially consists of just a few main steps. These steps include:
- Provision O365 Tenant
- Add and Verify Domain in O365
- Run Hybrid Configuration Wizard
- Deploy and Configure Azure AD Connect
- Modify Remaining DNS (optional)
The process sounds scary, but after you've done one or two hybrid deployments, it becomes apparent that the process isn't nearly as scary as it seems.