This post outlines the technical steps on the road to implementing our Federated Office 365 with SSO and Exchange Hybrid Deployment. Each of these steps will be expanded upon in subsequent posts.
About Our Environment
Our Active Directory Forest consists of three Domains: an ‘empty’ Forest Root Domain, fangorn.ncl.ac.uk (this was best practice when the Forest was created); a resource domain, campus.ncl.ac.uk, which contains all of the objects used to manage the campus in Newcastle, UK; and a third domain used to manage computer objects at our campus in Malaysia. For the purposes of deploying Office 365 we can ignore this last domain.
Our DNS namespace, ncl.ac.uk, runs on a UNIX BIND system; the domain controllers for the Active Directory domains above hold delegated authority for their respective subdomains. The Forest and all of its domains run at the Windows Server 2008 R2 functional level.
We run a mixture of Exchange 2007 SP2 and Exchange 2010 SP2 and are in the midst of migrating our staff and postgraduate research students to Exchange 2010. Exchange 2007 remains on SP2 because of an incompatibility with a third-party archiving solution. All Exchange servers are separated by role (CAS, HUB and MBX), generally with multiple instances of each role for site-based resilience. The Exchange Client Access infrastructure is fronted by a hardware load balancer.
Office 365 Tenancy Configuration
Configuring the Office 365 tenancy involved running the Office 365 deployment readiness tool and contacting Microsoft so that the tenancy would be hosted in the appropriate location for the number of users (the size of the organisation). Another important step at this stage is proving ‘ownership’ of each DNS domain that will be added to the tenancy, which is done by publishing a verification record that Microsoft specifies in that domain’s DNS zone.
Active Directory Federation Services Configuration
Federating the Active Directory means that users can access services in Microsoft Office 365 using their existing Active Directory credentials (user name and password), with authentication performed by our own Active Directory, via AD FS, rather than by Microsoft. Just as importantly, it means we can continue to use our existing user lifecycle, provisioning and access-control tools to manage users of both cloud and on-premises services.
The setup of Identity Federation and single sign-on (SSO) for Office 365 requires Active Directory Federation Services (AD FS).
Directory Synchronisation Configuration
The Microsoft Online Services Directory Synchronization Tool (DirSync) establishes a one-way synchronisation from the on-premises Active Directory Forest (all domains) to Microsoft Online.
DirSync is a requirement for running an Exchange Hybrid Deployment, and it provides global address list (GAL) synchronisation from the on-premises Microsoft Exchange Server environment to Microsoft Exchange Online.
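The two sections above, on AD FS federation and on DirSync, each introduce a trust whose state is worth checking rather than assuming: Microsoft Online must be holding the token-signing certificate that our AD FS farm is actually signing with, and DirSync must be running and stamping each synchronised user with the ImmutableId that the federation token is matched on. The script below is an added example, not code from the original post or from Microsoft; it assumes it is run on an AD FS 2.0 server (Server 2008 R2) with the Microsoft Online Services Module installed, and the federated domain name, the DirSync age threshold and the 30-day certificate warning are illustrative assumptions.

```powershell
# Added example (not from the original post): sanity-check the federated-domain and
# DirSync state. Assumes AD FS 2.0 on Server 2008 R2 with the Microsoft Online Services
# Module installed; the domain name and thresholds below are assumptions for illustration.
param(
    [string]$FederatedDomain = "newcastle.ac.uk",   # assumed federated SMTP domain
    [int]$MaxSyncAgeHours    = 3                    # DirSync's default schedule is every 3 hours
)

Import-Module MSOnline
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Connect-MsolService   # prompts for a tenant administrator credential (use a cloud-only account)

# 1. The domain must be both Verified (ownership proven) and Federated (not Managed).
$domain = Get-MsolDomain -DomainName $FederatedDomain
if ($domain.Status -ne "Verified" -or $domain.Authentication -ne "Federated") {
    Write-Warning "$FederatedDomain is $($domain.Status)/$($domain.Authentication); expected Verified/Federated"
}

# 2. The token-signing certificate Microsoft Online trusts must be the one AD FS is signing
#    with. If AD FS rolls its certificate and Update-MsolFederatedDomain is never run, every
#    federated sign-in fails, so this comparison is the check to schedule.
$fed = Get-MsolDomainFederationSettings -DomainName $FederatedDomain
$cloudCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList (,[Convert]::FromBase64String($fed.SigningCertificate))
$adfsCert = (Get-ADFSCertificate -CertificateType Token-Signing |
             Where-Object { $_.IsPrimary }).Certificate

"Cloud-trusted signing cert : $($cloudCert.Thumbprint) (expires $($cloudCert.NotAfter))"
"AD FS primary signing cert : $($adfsCert.Thumbprint) (expires $($adfsCert.NotAfter))"
if ($cloudCert.Thumbprint -ne $adfsCert.Thumbprint) {
    Write-Warning "Signing certificate mismatch - run Update-MsolFederatedDomain -DomainName $FederatedDomain"
}
if ($adfsCert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "AD FS token-signing certificate expires within 30 days"
}

# 3. The federation endpoints published to Microsoft Online are where users' browsers and
#    Outlook clients are redirected to authenticate; they must all be HTTPS.
foreach ($uri in @($fed.PassiveLogOnUri, $fed.ActiveLogOnUri, $fed.MetadataExchangeUri)) {
    if ($uri -notmatch '^https://') { Write-Warning "Non-HTTPS federation endpoint: $uri" }
}

# 4. DirSync must be enabled and have run recently, and every synchronised user should carry
#    an ImmutableId (the on-premises objectGUID), which is what federated tokens are matched on.
$company = Get-MsolCompanyInformation
if (-not $company.DirectorySynchronizationEnabled) {
    Write-Warning "Directory synchronisation is not enabled on the tenancy"
}
$age = (Get-Date).ToUniversalTime() - $company.LastDirSyncTime
if ($age.TotalHours -gt $MaxSyncAgeHours) {
    Write-Warning ("Last DirSync run was {0:N1} hours ago" -f $age.TotalHours)
}
$users  = Get-MsolUser -All
$synced = @($users | Where-Object { $_.LastDirSyncTime })
$noId   = @($synced | Where-Object { -not $_.ImmutableId })
"Users: $($users.Count) total, $($synced.Count) from DirSync, $($noId.Count) synchronised without an ImmutableId"
```

Run it under a cloud-only (non-federated) tenant administrator: if the federation trust is the thing that has broken, a federated administrator cannot sign in to diagnose it, which is also why at least one such account should exist before a domain is converted.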
Exchange Hybrid Deployment Configuration
An Exchange Hybrid Deployment refers to the full-featured deployment of a cross-premises Exchange messaging solution with Office 365 for enterprises and Exchange Online.
The features that an Exchange Hybrid Deployment delivers are:
- Mail routing between on-premises and cloud-based organisations
- Mail routing with a shared domain namespace. For example, both on-premises and cloud-based organisations use the University’s standard @newcastle.ac.uk SMTP domain.
- A unified global address list, also called a “shared address book”
- Free/busy and calendar sharing between on-premises and cloud-based organisations
- Centralised control of mail flow. The on-premises organisation can control mail flow for the on-premises and cloud-based organisations.
- A single Outlook Web App URL for both the on-premises and cloud-based organisations
- The ability to move existing on-premises mailboxes to the cloud-based organisation
- Centralised mailbox management using the on-premises Exchange Management Console (EMC)
- Message tracking, MailTips, and multi-mailbox search between on-premises and cloud-based organisations
The team responsible for the implementation of Office 365 is the ISS Infrastructure Systems Group with our very own John Donaldson managing the project. A steering group with student representation provides strategic direction and sign-off.
Our broad testing and implementation strategy is the creation of two test environments, followed by production.
POC Environment: A simple proof of concept consisting of a single domain with the minimal infrastructure required to test the concepts of Federated Office 365 with SSO and Exchange Hybrid Deployment.
Full Test Environment: A fully virtualised environment which mimics (as closely as possible) our production environment. This environment will be maintained in tandem with the production environment and any future changes will be tested here first.