Secure email servers on Exchange, Office 365 or both
All too often, people think that once they move to Office 365, they no longer have to manage on-premises Exchange servers. This can be true, especially if you move to an Exchange Online-only deployment. But this doesn't apply to everyone.
In an Exchange hybrid deployment, for example, you'll most likely have mailboxes in Office 365 and on-premises. On top of that, a hybrid deployment requires DirSync and optionally Active Directory Federation Services, which means you'll have additional servers to manage.
Even if your total number of Exchange servers decreases, you'll still have to invest a decent amount of time to keep everything up and running. Typically, the tasks involved are patching/updating, monitoring and troubleshooting. For this article, we'll focus on your patching and monitoring responsibilities.
Patching in an Exchange hybrid deployment
First, let's look at why patching and updating are so important. Microsoft's support statement is pretty clear. With every Cumulative Update that's released, you need to update within a reasonable time frame to remain in a supported state. It's not that Microsoft won't help you if you run into trouble, but you'll likely be asked to upgrade first before any real troubleshooting is done.
This is also true for DirSync, but less so for ADFS. Microsoft regularly updates DirSync, and it recommends upgrading DirSync whenever a new version becomes available. As a result, you have to worry about Exchange and DirSync.
You can't get around these requirements for updating Exchange or DirSync, but this trick will help you easily find the version of DirSync you run and the latest available version.
To verify your current version, run the following PowerShell command from your DirSync server:
(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Online Directory Sync').DisplayVersion
When you get the number from the output (Figure 1), you can compare that number with the latest one on Microsoft's site. This Wiki page updates as soon as a new version is available. It might be a good idea to subscribe to the RSS stream so you don't have to revisit the page to find out if a new version is available.
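The same registry read, wrapped so it can be run against the latest version number you copied from Microsoft's page. This is an added example, not the article's own script; the '1.0.6765.0' value is a placeholder, not a real release number.

```powershell
# Added example: reads the installed DirSync version from the registry key quoted above
# and compares it with the latest version you copied from Microsoft's page.
# '1.0.6765.0' in the usage line is a placeholder, not a real DirSync release number.
function Get-DirSyncVersionStatus {
    param([Parameter(Mandatory)][string]$LatestVersion)

    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Online Directory Sync'
    $installed = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).DisplayVersion
    if (-not $installed) {
        throw "DirSync uninstall key not found; is this the DirSync server?"
    }

    # Compare as [version], not as strings: as text, '1.0.6765.0' sorts after '1.0.10000.0'.
    $current = [version]$installed
    $latest  = [version]$LatestVersion

    [pscustomobject]@{
        Installed = $current
        Latest    = $latest
        UpToDate  = ($current -ge $latest)
    }
}

Get-DirSyncVersionStatus -LatestVersion '1.0.6765.0'
```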
Monitoring in an Exchange hybrid deployment
As part of maintaining an infrastructure, it's important to monitor the health of your environment. This is a relatively simple thing to do in a purely on-premises environment. But in an Exchange hybrid deployment, you need to monitor both on-premises and the cloud, and the cloud complicates things. After all, you can't deploy monitoring agents in Office 365 data centers, and you don't necessarily care about the health of Microsoft's internal services. Instead, you should be more concerned with the service you're getting and whether email still works as it should.
The list of Exchange hybrid deployment features we're mostly interested in revolves around four items. But how do you monitor them?
1. Cross-premises free/busy and MailTips. For cross-premises free/busy and MailTips, verify that your organization relationships (on-premises to Office 365 and vice versa) still work. One way to do that is to run the Test-OrganizationRelationship cmdlet. For this test to succeed, make sure that the trust with the Microsoft Federation Gateway still works.
2. Directory Synchronization. You also need to verify that Directory Synchronization still works. You could manually log into the DirSync server, open the Synchronization Service Manager and verify the status of the latest runs. Another way is to edit a test object's attributes and then wait for synchronization to occur. If the object successfully updates, you can safely assume DirSync is working. Although this doesn't guarantee it's working for every object, it does give you a first impression.
3. Cross-premises mail flow. The cross-premises mail flow is also something to watch. Mail flow itself is pretty straightforward, but the Transport Layer Security (TLS) encryption between Exchange Online and on-premises Exchange is what certain hybrid features depend on. It's important to make sure that messages aren't only properly sent and received but that they are also properly protected using TLS.
4. Authentication through ADFS. It's critical to ensure that your ADFS infrastructure is properly servicing requests. As soon as ADFS stops working, no one will be able to access Office 365 services. It's important not to focus solely on the services running on the ADFS server; make sure ADFS still processes requests. The easiest way to do this is to run some kind of synthetic transaction that logs into Office 365 and therefore authenticates through your ADFS infrastructure. If the test succeeds, ADFS still works. You can also use the Exchange Remote Connectivity Analyzer and run the Office 365 Single Sign-On test, which does exactly what I just described.
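A minimal probe covering the four items above, as an added example that is not part of the article or of any product named in it. It assumes it runs in the on-premises Exchange Management Shell with the ActiveDirectory and MSOnline modules loaded and an existing Connect-MsolService session; the probe mailbox, connector name and ADFS host are placeholders.

```powershell
# Added example: one hybrid health probe for the four items in the text. Assumes the
# on-premises Exchange Management Shell with the ActiveDirectory and MSOnline modules
# loaded and Connect-MsolService already run. Parameter defaults are placeholders.
function Test-HybridHealth {
    param(
        [string]$TestUser = 'hybridprobe@contoso.example',    # placeholder probe mailbox
        [string]$HybridSendConnector = 'Outbound to Office 365', # placeholder connector name
        [string]$AdfsHost = 'sts.contoso.example',              # placeholder ADFS host
        [int]$SyncTimeoutMinutes = 45
    )
    $result = [ordered]@{}

    # 1. Free/busy and MailTips depend on the federation trust; any 'Error' entry fails it.
    $trust = Test-FederationTrust -UserIdentity $TestUser
    $result.FederationTrust = -not ($trust | Where-Object { $_.Type -eq 'Error' })

    # 2. DirSync round trip: stamp the probe account on-premises, then wait until the
    #    cloud object's LastDirSyncTime moves past the stamp (or the timeout expires).
    $stamp = (Get-Date).ToUniversalTime()
    $sam = ($TestUser -split '@')[0]
    Set-ADUser -Identity $sam -Replace @{ extensionAttribute15 = $stamp.ToString('o') }
    $deadline = $stamp.AddMinutes($SyncTimeoutMinutes)
    do {
        Start-Sleep -Seconds 60
        $cloud = Get-MsolUser -UserPrincipalName $TestUser
    } until ($cloud.LastDirSyncTime -gt $stamp -or (Get-Date).ToUniversalTime() -gt $deadline)
    $result.DirSync = [bool]($cloud.LastDirSyncTime -gt $stamp)

    # 3. Cross-premises mail flow must stay TLS-protected: the hybrid send connector should
    #    require TLS and validate the Exchange Online domain, not merely encrypt.
    $sc = Get-SendConnector -Identity $HybridSendConnector
    $result.MailFlowTls = [bool]($sc.RequireTLS -and $sc.TlsAuthLevel -eq 'DomainValidation')

    # 4. ADFS: a cheap reachability probe of the federation metadata endpoint. It shows the
    #    service answers; a real sign-on (the Remote Connectivity Analyzer SSO test) is still
    #    needed to prove token issuance works.
    try {
        $uri = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"
        $meta = Invoke-WebRequest -Uri $uri -UseBasicParsing
        $result.AdfsReachable = ($meta.StatusCode -eq 200) -and
                                ($null -ne ([xml]$meta.Content).EntityDescriptor)
    } catch { $result.AdfsReachable = $false }

    [pscustomobject]$result
}

Test-HybridHealth
```

Any $false in the returned object is the item to investigate first; the DirSync check only proves the probe object synced, which, as the text notes, is a first impression rather than a guarantee for every object.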
Monitoring an Exchange hybrid deployment is a work-intensive task. If you're busy, then manually monitoring a hybrid deployment isn't an option. I recently discovered a tool called Mailscape for Office 365, which monitors hybrid deployments and includes all of the aforementioned tests and more. If you're looking to proactively monitor your environment and don't want to script everything, this tool could save you some time.
About the author:
Michael Van Horenbeeck is a technology consultant, Microsoft Certified Trainer and Exchange MVP from Belgium, mainly working with Exchange Server, Office 365, Active Directory and a bit of Lync. He has been active in the industry for 12 years and is a frequent blogger, a member of the Belgian Unified Communications User Group Pro-Exchange and a regular contributor to The UC Architects podcast.