Home Lab Secrets: Building the Killer Home Lab Part 8 (Configuring Exchange Hybrid Configuration Wizard)(New Azure Portal)


In Part 7 we configured our On-Premise Active Directory to sync with our Office 365 Tenant.  In Part 8 we will be utilizing the Hybrid Configuration Wizard to sync our On-Premise Exchange Organization with our Office 365 Tenant.  This will link our On-Premise Exchange Organization with our Office 365 Tenant which is also an Exchange Organization.  The easiest method for implementing the required configurations is by using the Exchange Hybrid Configuration Wizard (HCW).  This tool will deploy all the changes you will need to link up your On-Premise and Office 365 Exchange Organizations.

In order to successfully complete the Hybrid Configuration Wizard we will need to acquire a few additional certificates for our Mailbox Server (OP-EX), our Edge Server (KHL-EX) and our WAP Server (OP-WAP).  The first two certificates will be used to establish Mutual TLS sessions between our Edge Transport Server and the Office 365 servers, and between our Edge Transport Server and our Mailbox Server's Transport service.  The third certificate will be for our WAP Server and will unfortunately have to be a Third-Party Certificate.  The requirement is due to the MRS Proxy (Mailbox Replication Service Proxy) using a TLS session for remote mailbox moves: the source and destination servers must present certificates that the other side trusts.  Since up until this point all of our certificates have been generated from our own CA, they will not be trusted by the Office 365 servers.  Fortunately we only need a Single Name Certificate for our MRS Proxy, and at the time of writing a Single Name Certificate can be obtained for anywhere between $70-$140 per year.  For our Lab the certificates should include the following names:

Single Name Third-Party Certificate

  • outlook.it.dmgva.com (TLS between Office 365 Servers and WAP Server)

Single Name Certificate

  • op-ex.killerhomelab.com (TLS between On-Premise and Edge Server)

SAN Certificate

  • smtp.it.dmgva.com (TLS between Office 365 Servers and Edge Server)
  • khl-ex.killerhomelab.com (TLS between Edge and On-Premise Server)

Follow the steps below to request our Single Name Third-Party Certificate:

1.  Log onto OP-WAP.

2.  Right-click the Windows Logo and select Run.

3.  Enter CERTLM.msc then click OK.

certlm

4.  In the Left-Pane right-click Personal and select All Tasks | Advanced Operations | Create Custom Request...

certrequest1

5.  At the Before You Begin screen click Next.

6.  At the Select Certificate Enrollment Policy screen click Next.

7.  At the Custom request screen use the Template: pull-down menu and select (No template) Legacy key then click Next.

8.  At the Certificate Information screen expand Details and click on Properties.

customcertrequest1

9.  Under Friendly name: enter MRS Proxy.

10.  Under Subject name: use the pull-down menu and select Common name then enter outlook.it.dmgva.com under Value and click Add.

customcertrequest3

11.  Click on the Extensions tab and click on the Down Arrow next to Key usage.

customcertrequest4

12.  Under Available options highlight Digital signature then click Add.

13.  Under Available options highlight Key encipherment then click Add.

14.  Click on the Down Arrow next to Extended Key Usage (application policies).

customcertrequest5

15.  Under Available options highlight Server Authentication then click Add.

16.  Under Available options highlight Client Authentication then click Add.

17.  Click on the Private key tab and click on the Down Arrow next to Cryptographic Service Provider, then un-select Microsoft Strong Cryptographic Provider (Signature), scroll down and select Microsoft RSA SChannel Cryptographic Provider (Encryption).

18.  Click on the Down Arrow next to Key options.

19.  Use the Key size: pull-down menu and select 2048, then select Mark private key exportable.

20.  Click on the Down Arrow next to Key type and select Exchange, then click OK, then Next.

21.  At the Where do you want to save the offline request? screen enter C:\outlook.<mydomainname>.req then click Finish.

Submitting your Certificate Signing Request (CSR)

Once your CSR has been created you must pick a Certificate Issuer such as DigiCert, GoDaddy, etc. to submit your CSR to.  Since the instructions for each vendor vary and CSR submittal is outside of the scope of this post, please refer to each vendor's instructions on how to submit your Certificate Request.

Retrieving your Certificate

After submitting your CSR you should receive an email that your request is complete.  This email should contain a zipped attachment that includes your certificate or instructions on how to retrieve your certificate.  Save this attachment to your VM, extract it and save as C:\outlook.<mydomainname>.com.cer then follow the steps below:

1.  In the Left-Pane right-click Personal and select All Tasks | Import.

2.  At the Welcome to the Certificate Import Wizard screen click Next.

3.  At the File to Import screen enter C:\outlook.<mydomainname>.com.cer then click Next.

4.  At the Completing the Certificate Import Wizard screen click Finish then at the pop-up click OK.
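The same CSR can be built without the certlm.msc wizard. The block below is an added example and not part of the original post: it encodes the options chosen in the steps above in a certreq INF file, generates the request, sanity-checks the CSR before it is sent to the public CA, and installs the issued certificate with certreq -accept. The file paths, the SHA-256 hash algorithm and the use of the real outlook.it.dmgva.com name are assumptions.

```powershell
# Added example (not from the original post): generate the MRS Proxy CSR on
# OP-WAP from the command line. The INF mirrors the certlm.msc choices above.
$Inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject       = "CN=outlook.it.dmgva.com"
FriendlyName  = "MRS Proxy"
KeyLength     = 2048
; KeySpec 1 = AT_KEYEXCHANGE, the "Exchange" key type selected in the wizard
KeySpec       = 1
; 0x80 Digital Signature + 0x20 Key Encipherment
KeyUsage      = 0xA0
Exportable    = TRUE
; store the key under the Local Computer, not the current user
MachineKeySet = TRUE
ProviderName  = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType  = 12
RequestType   = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1
; Client Authentication
OID = 1.3.6.1.5.5.7.3.2
'@

$InfPath = 'C:\outlook.it.dmgva.com.inf'
$ReqPath = 'C:\outlook.it.dmgva.com.req'   # submit this file to the public CA
$CerPath = 'C:\outlook.it.dmgva.com.cer'   # the certificate the CA sends back

Set-Content -Path $InfPath -Value $Inf -Encoding Ascii
certreq.exe -new $InfPath $ReqPath
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed; check the INF syntax' }

# Sanity-check the CSR before paying for it: subject, key length and the two EKUs
certutil.exe -dump $ReqPath | Select-String 'CN=|Public Key Length|1\.3\.6\.1\.5\.5\.7\.3\.'

# Once the CA returns the certificate, -accept binds it to the pending private
# key in the Local Computer store and removes the pending request entry.
if (Test-Path $CerPath) {
    certreq.exe -accept $CerPath
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq 'CN=outlook.it.dmgva.com' } |
        Select-Object Thumbprint, HasPrivateKey, NotAfter, Issuer
}
```

If HasPrivateKey comes back False, the certificate was installed on a machine other than the one that generated the request, and the WAP server will not be able to use it for TLS.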

 

Now that we have generated, requested and imported our Third-Party Certificate, let's request our internal certificates.  Follow the steps below to request our Single Name Certificate:

1.  Log onto OP-EX.

2.  Right-click the Windows Logo and select Run.

3.  Enter CERTLM.msc then click OK.

certlm

4.  In the Left-Pane right-click Personal and select All Tasks | Advanced Operations | Create Custom Request...

certrequest1

5.  At the Before You Begin screen click Next.

6.  At the Select Certificate Enrollment Policy screen click Next.

7.  At the Custom request screen use the Template: pull-down menu and select KHL Web Server then click Next.

certrequest2

8.  At the Certificate Information screen expand Details and click on Properties.

certrequest3a

9.  Under Subject name: use the pull-down menu and select Common name then enter op-ex.killerhomelab.com under Value and click Add.

op-ex-khl-ca-cert

10.  Click on the General tab then under Friendly name: enter Exchange SMTP, then click OK, then Enroll.

CA-Enroll

11.  At the Certificate Installation Results screen click Finish.

CA-Enroll-Finish

Follow the steps below to request our SAN Certificate:

1.  Log onto OP-EX.

2.  Right-click the Windows Logo and select Run.

3.  Enter CERTLM.msc then click OK.

certlm

4.  In the Left-Pane right-click Personal and select All Tasks | Advanced Operations | Create Custom Request...

certrequest1

5.  At the Before You Begin screen click Next.

6.  At the Select Certificate Enrollment Policy screen click Next.

7.  At the Custom request screen use the Template: pull-down menu and select KHL Web Server then click Next.

certrequest2

8.  At the Certificate Information screen expand Details and click on Properties.

certrequest3a

 

9.  Under Subject name: use the pull-down menu and select Common name then enter smtp.<mydomainname>.com under Value and click Add.

certrequest3

10.  Under Alternative name: use the pull-down menu and select DNS then enter smtp.<mydomainname>.com under Value and click Add.

11.  Repeat the previous step for the following additional FQDNs then click OK, then Enroll.

  • khl-ex.killerhomelab.com

12.  At the Certificate Installation Results screen click Finish.

CA-Enroll-Finish

 

Enabling our Single Name Certificate on OP-EX

Although our Exchange Server has been issued a certificate into its Local Computer store, we must still enable it within Exchange before any Exchange service will use it.  This certificate is the one our Mailbox Server's Transport service presents to the Edge Transport Server, so we will enable it for the SMTP service by following the steps below:

1.  Launch Internet Explorer and navigate to the following URL:

https://owa.it.dmgva.com/ecp

2.  Enter your Killer Home Lab Credentials.

3.  From the Exchange Administrative Center in the Left-Pane click on servers.

4.  On the Top-Pane click on certificates.

5.  In the Middle-Pane select Exchange SMTP then click on Edit as shown below:

enablecert2a

6.  At the pop-up click on services and select SMTP then click Save.

enablecert3

7.  At the pop-up click Yes.

8.  Run IISReset /noforce once complete.

 

Now that our Single Name Certificate has been Imported and Enabled for Exchange usage on our Mailbox Server we will need to Export a copy of our SAN Certificate that was created for our Edge Server.  Follow the procedures below to Export the Certificate:

1.  Right-click the Windows Logo and select Run.

2.  Enter certlm.msc then click OK.

3.  In the Left-Pane expand Personal and select Certificates then in the Right-Pane right-click the smtp.<mydomainname>.com certificate and select All Tasks | Export.

4.  At the Welcome to the Certificate Export Wizard click Next.

5.  At the Export Private Key screen select Yes, export the private key then click Next.

6.  At the Export File Format screen click Next.

7.  At the Security screen select Password then enter and re-enter a secure password of your choice then click Next.

8.  At the File to Export screen enter C:\Edge-SMTP.pfx then click Next, then Finish.

9.  Click OK at the pop-up.

Now we must copy this certificate over to our Edge Server (KHL-EX) and import it into its Local Computer Certificate Store.  This can be done by copying the file C:\Edge-SMTP.pfx from your RDP session on your Exchange Server to the RDP session on the Edge Server using a simple Copy & Paste.  Because the file contains the private key, delete it from both servers once the import has succeeded.  Once the file has been copied follow the steps below to import it.

1.  Log onto KHL-EX.

2.  At the Command Prompt type the following then hit Enter.

certlm.msc

3.  In the Left-Pane right-click Personal and select All Tasks | Import.

4.  At the Welcome to the Certificate Import Wizard screen click Next.

5.  At the File to Import screen enter C:\Edge-SMTP.pfx then click Next.

6.  At the Private key protection screen enter the password you used to secure the Certificate Export then click Next.

7.  At the Completing the Certificate Import Wizard screen click Finish then at the pop-up click OK.

8.  In the Right-Pane right-click smtp.it.dmgva.com and select Properties.

9.  Under Friendly Name enter Exchange SMTP then click OK.

Now that we have Imported our Certificate, we will need to configure it for use on our Edge Server.  Follow the procedures below to enable it:

1.  Log onto KHL-EX.

2.  Click the Windows Logo then click the Down Arrow then locate and open Exchange Management Shell.

3.  At the Exchange Management Shell prompt enter the command below to get your Certificate Thumbprint:

Get-ExchangeCertificate

exchangesmtp1

4.  Run the following command using the Thumbprint you gathered in the previous step:

Enable-ExchangeCertificate -Services SMTP -Thumbprint [Thumbprint from previous step] -Force
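The three internal-certificate tasks above (request from the KHL CA, enable for SMTP on OP-EX, export for KHL-EX) can also be done with Exchange's own cmdlets, which keep the private key in the Local Computer store and skip the certlm.msc wizard. This is an added example, not from the original post. Assumptions: the CA config string (the host name KHL-DC is assumed; the CA name KHL-CA is taken from the issuer DN used later in the post), that "KHL Web Server" is the template's name as well as its display name, the file paths, and that the block is run in the Exchange Management Shell on OP-EX.

```powershell
# Added example (not from the original post): request, enroll, enable and
# export the internal SMTP certificates with Exchange cmdlets. Run on OP-EX.
$CAConfig = 'KHL-DC.killerhomelab.com\KHL-CA'   # "CAhost\CAname"; host name assumed
$Template = 'KHL Web Server'                     # template *name*, not just display name

function Request-LabCertificate {
    param(
        [string]$Subject,          # e.g. 'smtp.it.dmgva.com'
        [string[]]$DnsNames,       # subject alternative names; include $Subject
        [string]$FriendlyName
    )
    $req = "C:\$Subject.req"
    $cer = "C:\$Subject.cer"
    # -GenerateRequest returns the Base64 PKCS#10 CSR; the key stays on this server
    $csr = New-ExchangeCertificate -GenerateRequest -SubjectName "CN=$Subject" `
              -DomainName $DnsNames -PrivateKeyExportable $true -KeySize 2048 `
              -FriendlyName $FriendlyName
    Set-Content -Path $req -Value $csr -Encoding Ascii
    # Submit to the enterprise CA against the web server template (auto-issued)
    certreq.exe -submit -config $CAConfig -attrib "CertificateTemplate:$Template" $req $cer | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certreq -submit failed for $Subject" }
    # Import pairs the issued certificate with the pending private key and returns it
    Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes($cer))
}

# 1. Single-name certificate for the Mailbox server's transport service
$mbx = Request-LabCertificate -Subject 'op-ex.killerhomelab.com' `
           -DnsNames 'op-ex.killerhomelab.com' -FriendlyName 'Exchange SMTP'
Enable-ExchangeCertificate -Thumbprint $mbx.Thumbprint -Services SMTP -Force

# 2. SAN certificate for the Edge Transport server
$edge = Request-LabCertificate -Subject 'smtp.it.dmgva.com' `
            -DnsNames 'smtp.it.dmgva.com', 'khl-ex.killerhomelab.com' -FriendlyName 'Exchange SMTP'

# 3. Export it with its private key for KHL-EX (same result as the certlm export wizard)
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$pfx = Export-ExchangeCertificate -Thumbprint $edge.Thumbprint -BinaryEncoded -Password $pfxPassword
[System.IO.File]::WriteAllBytes('C:\Edge-SMTP.pfx', $pfx.FileData)

# 4. On KHL-EX (its local Exchange Management Shell), after copying the PFX:
#    Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes('C:\Edge-SMTP.pfx')) `
#        -Password $pfxPassword -PrivateKeyExportable $true
#    Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services SMTP -Force

# 5. Confirm which certificate SMTP is actually bound to on this server
Get-ExchangeCertificate | Where-Object { $_.Services -match 'SMTP' } |
    Select-Object Thumbprint, Subject, CertificateDomains, NotAfter, Issuer
```

Step 5 is the check to repeat on KHL-EX after the import: the Edge server's own self-signed certificate also has SMTP enabled by default, so make sure the thumbprint you pass to Enable-ExchangeCertificate is the one with smtp.it.dmgva.com in CertificateDomains.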

 

Now that both of our Exchange Server certificates have been updated we will need to re-create our Edge Subscription so that it carries the new certificate information.  Follow the procedures below to create a new Edge Subscription on KHL-EX and import it on OP-EX:

Creating Edge Subscription

1.  Log onto KHL-EX

2.  From the Taskbar click on the Windows Logo then click on the Down Arrow.

3.  Locate and right-click Exchange Management Shell and select Run as administrator.

4.  At the Exchange Management Shell enter the following command and press Enter (the C:\EdgeSubscriptions folder must already exist):

New-EdgeSubscription -FileName C:\EdgeSubscriptions\KHL-EX[DATE].xml

 

Importing Edge Subscription

Now we must copy the Edge Subscription file over to our Mailbox Server and import it.  This can be done by copying the file C:\EdgeSubscriptions\KHL-EX[DATE].xml from your RDP session on your Edge Server to the RDP session of your Mailbox Server using a simple Copy & Paste.  The subscription file contains the credentials used for EdgeSync and is only valid for 1440 minutes (24 hours), so import it promptly and delete it afterwards.  Once the file has been copied follow the steps below to import it.

1.  Log onto OP-EX.

2.  Open the Exchange Management Shell and use the commands below to import the Edge Synchronization File.

# Read the subscription file as raw bytes and create the subscription in the On-Premise AD site
[byte[]]$Temp = Get-Content -Path "C:\EdgeSubscriptions\KHL-EX[DATE].xml" -Encoding Byte -ReadCount 0
New-EdgeSubscription -FileData $Temp -Site "Onpremise-Lab"

Now that our certificates are enabled on all of the necessary servers, we will finally run the Exchange Hybrid Configuration Wizard.  Follow the steps below to deploy the HCW:

1.  Logon to OP-EX.

2. From within Internet Explorer navigate to the following URL and download Exchange Hybrid Configuration Wizard:

https://aka.ms/TAPHCW

3.  You will be presented with a Launching Application pop-up, then at the Application Install screen click Install.

exchangehcwinstall1exchangehcwinstall2

4.  At the Open File pop-up click Run.

5.  At the Hybrid Configuration Wizard Welcome screen click Next.

exchangehcwinstall3

6.  At the On-premises Exchange Server Organization screen make sure Detect the optimal Exchange Server is selected then click next.

7.  At the Credentials screen click the sign in button, then at the Sign in to your account pop-up enter your Office 365 Admin Credentials, click Sign in, then click next.

8.  At the Validating Connections and Credentials screen make sure both Exchange & Office 365 show as Succeeded then click next.

exchangehcwinstall4

9.  At the Hybrid Features screen select Full Hybrid Configuration then click next.

exchangehcwinstall5

10.  At the Federation Trust screen click Enable.

exchangehcwinstall6

11.  At the Hybrid Domains screen check it.dmgva.com then under Autodiscover click on False to change it to True then click Next.

12.  At the Domain Ownership screen make note of the Token provided for the DNS TXT Record.

13.  Open a new Browser tab and navigate to http://portal.azure.com and login with your Azure Credentials.

14.  In the Left-Pane click on Resource Groups.

15.  Under Resource Groups click on Killer-Home-Lab.

16.  Under the Killer-Home-Lab Resource Group click on the dmgva.com DNS Zone.

17.  Under the dmgva.com DNS Zone click on Record set.

18.  At the Record set screen enter the following then click OK:

domainproof1

19.  At the Domain Ownership screen click verify domain ownership.

20.  At the Hybrid Configuration screen select Configure my Edge Transport servers for secure mail then click next.

21.  At the Edge Transport Servers screen use the pull-down menu and select KHL-EX then click Next.

22.  At the Transport Certificate screen select OP-EX then select the op-ex.killerhomelab.com certificate then click Next.

23.  At the Organization FQDN screen enter outlook.<mydomainname>.com then click next.

24.  At the Ready for Update screen click update.

At the Congratulations! screen take note of the two messages we are getting.

hybridconfigfinisherror

We can safely ignore the first message since we will fix this issue later, however the second warning actually provides us a command we will need to run on our Edge Server with 1 modification.  Instead of using OP-EX.killerhomelab.com for our FQDN we will be using smtp.<mydomainname>.com.  Follow the steps below to run this command on our Edge Transport Server:

1.  Log onto KHL-EX.

2.  Click the Windows Logo then click the Down Arrow then locate and open Exchange Management Shell.

3.  At the Exchange Management Shell prompt enter the command below as shown in the message:

Get-ReceiveConnector | Set-ReceiveConnector -TlsDomainCapabilities mail.protection.outlook.com:AcceptOorgProtocol -Fqdn smtp.<mydomainname>.com

The Hybrid Configuration Wizard assumes that you will be using a Third-Party issued certificate that is trusted by Office 365.  Because we are using a certificate issued by our own CA we will need to run a few commands to tell the connectors created by the wizard that we are using a non-trusted certificate.  Keep in mind what this trades away: once the Office 365 outbound connector accepts any certificate, the session to smtp.it.dmgva.com is still encrypted but Office 365 no longer verifies who it is talking to, so this is a lab shortcut rather than a production configuration.  Follow the steps below to complete these commands.

Updating the “Outbound to Office 365” Send Connector

1.  Log onto OP-EX.

2.  Click the Windows Logo then click the Down Arrow then locate and open Exchange Management Shell.

3.  At the Exchange Management Shell prompt enter the commands below:

Get-SendConnector "Outbound to Office 365" | Set-SendConnector -TlsCertificateName "<I>CN=KHL-CA, DC=killerhomelab, DC=com<S>CN=smtp.it.dmgva.com"

Start-EdgeSynchronization
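The TlsCertificateName string is easy to get wrong by hand, and Exchange matches it as an exact string. The block below is an added example, not from the original post: it builds the value from the certificate object on OP-EX, applies it, pushes the change to the Edge server and confirms the EdgeSync state. It assumes the Edge SAN certificate with subject CN=smtp.it.dmgva.com is still present in the Mailbox server's store, as it is after the request steps above.

```powershell
# Added example (not from the original post): post-HCW connector fix-up on OP-EX
# with TlsCertificateName derived from the certificate instead of typed by hand.
$edgeCert = Get-ExchangeCertificate | Where-Object { $_.Subject -eq 'CN=smtp.it.dmgva.com' }
if (-not $edgeCert) { throw 'Edge SMTP certificate (CN=smtp.it.dmgva.com) not found on this server' }

# Exchange expects exactly "<I>issuer<S>subject", no spaces around the markers
$tlsName = "<I>$($edgeCert.Issuer)<S>$($edgeCert.Subject)"
$tlsName   # expected: <I>CN=KHL-CA, DC=killerhomelab, DC=com<S>CN=smtp.it.dmgva.com

Get-SendConnector 'Outbound to Office 365' | Set-SendConnector -TlsCertificateName $tlsName

# Push the connector change to the Edge server and confirm the sync actually ran
Start-EdgeSynchronization
Test-EdgeSynchronization | Select-Object Name, SyncStatus, UtcNow, LastSynchronizedUtc

# On KHL-EX (its local Exchange Management Shell), the HCW warning's command with
# our Edge FQDN, followed by a check of what the receive connector now advertises:
#   Get-ReceiveConnector | Set-ReceiveConnector `
#       -TlsDomainCapabilities mail.protection.outlook.com:AcceptOorgProtocol `
#       -Fqdn smtp.it.dmgva.com
#   Get-ReceiveConnector | Select-Object Name, Fqdn, TlsCertificateName, TlsDomainCapabilities
```

A SyncStatus other than Normal from Test-EdgeSynchronization means the Edge server is still running with the old connector settings, and the inbound connector change in the Office 365 portal will not line up with what the Edge server presents.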

4.  Log into the Office 365 Portal using the URL below along with your Office 365 Admin Credentials:

https://outlook.office365.com/ecp

5.  In the Left-Pane click on mail flow then on the top click on Connectors, highlight your Inbound connector and click the Edit button.

office365connectors1

6.  At the initial screen click Next.

7.  At the How should Office 365 identify email from your email server? screen make sure the By verifying that the subject name… option is selected, then add the following Certificate DN and click Next:

office365connectors2

8.  At the Confirm your settings screen click Save.

9.  In the Left-Pane click on mail flow then on the top click on Connectors, highlight your Outbound connector and click the Edit button.

10.  At the initial screen click Next.

11.  At the When do you want to use this connector? screen click Next.

12.  At the How do you want to route email messages highlight outlook.it.dmgva.com and click the Delete button.

13.  Click the Add button and at the pop-up  enter smtp.it.dmgva.com then click Save, then Next.

14.  At the How should Office 365 connect to your email server screen select Any digital certificate including self-signed certificates then click Next.

15.  At the Confirm your settings screen click Next.

16.  At the Validate this connector screen click the Add button and at the pop-up  enter tuser1@it.dmgva.com then click Save, then Validate.

17.  Once the validation is complete click Close then Save.

There is actually another change that will need to be made manually using the Exchange Management Shell if we would like users to utilize a single URL, which will be our On-Premise URL https://owa.it.dmgva.com/owa.  In order to do this we must update an attribute of the Organization Relationship called TargetOWAURL.  By default this attribute's value is https://outlook.com/owa/<tenantname>.onmicrosoft.com.  This value is presented to Office 365 users that access the On-Premise URL.  We need to change this value to the following URL, which should include the Federated Domain (Realm) that users use for their logon:

https://outlook.com/owa/it.dmgva.com

Use the steps below to change this attribute using Exchange Management Shell:

1.  Log onto OP-EX.

2.  Click on the Windows Logo then use the down arrow to locate and run Exchange Management Shell.

3.  At the Exchange Management Shell run the following command:

Get-OrganizationRelationship | Set-OrganizationRelationship -TargetOWAURL https://outlook.com/owa/it.dmgva.com

Now that we have our Organizations communicating we will move on to review what additional DNS records need to be added, deleted or changed in order to work in a Hybrid Configuration.  Log in to the Office 365 portal (portal.office365.com) and follow the steps below:

1.  In the Left-Pane click on Settings | Domains.

2.  In the Middle-Pane click on it.dmgva.com

3.  Under the Required DNS settings shown below, notate the DNS records and create them within your Azure DNS Zone following the steps below:

!!!Note:  Don’t change your autodiscover.it.dmgva.com.  Since we are running in a Hybrid Configuration we must keep this record until we have removed On-Premise Exchange.

 

office365dns1

4.  Open a new Browser tab and navigate to http://portal.azure.com and login with your Azure Credentials.

5.  In the Left-Pane click on Resource Groups.

6.  Under Resource Groups click on Killer-Home-Lab.

7.  Under the Killer-Home-Lab Resource Group click on the dmgva.com DNS Zone.

8.  Under the dmgva.com DNS Zone click on Record set.

record-set1

9.  At the Record set screen enter the following then click OK:

Name:  it

Type:  MX

TTL:  15

TTL Unit:  Minutes

PREFERENCE:  0

MAIL EXCHANGE:  it-dmgva-com.mail.protection.outlook.com

10.  Under the dmgva.com DNS Zone click on the existing “it” TXT Record Set:

txt-record-add1

11.  Under the “it” TXT Record Set add the following entry then click Save:

txt-record-add2

12.  Under the dmgva.com DNS Zone click on Record set.

13.  At the Record set screen enter the following then click OK:

Name:  sip.it

Type:  CNAME

TTL:  15

TTL Unit:  Minutes

ALIAS:  sipdir.online.lync.com

14.  Under the dmgva.com DNS Zone click on Record set.

15.  At the Record set screen enter the following then click OK:

Name:  lyncdiscover.it

Type:  CNAME

TTL:  15

TTL Unit:  Minutes

ALIAS:  webdir.online.lync.com

16.  Under the dmgva.com DNS Zone click on Record set.

17.  At the Record set screen enter the following then click OK:

Name:  _sip._tls.it

Type:  SRV

TTL:  15

TTL Unit:  Minutes

PRIORITY:  100

WEIGHT:  1

PORT:  443

TARGET:  sipdir.online.lync.com

18.  Under the dmgva.com DNS Zone click on Record set.

19.  At the Record set screen enter the following then click OK:

Name:  _sipfederationtls._tcp.it

Type:  SRV

TTL:  15

TTL Unit:  Minutes

PRIORITY:  100

WEIGHT:  1

PORT:  5061

TARGET:  sipfed.online.lync.com

20.  Under the dmgva.com DNS Zone click on Record set.

21.  At the Record set screen enter the following then click OK:

Name:  enterpriseregistration.it

Type:  CNAME

TTL:  15

TTL Unit:  Minutes

ALIAS:  enterpriseregistration.windows.net

22.  Under the dmgva.com DNS Zone click on Record set.

23.  At the Record set screen enter the following then click OK:

Name:  enterpriseenrollment.it

Type:  CNAME

TTL:  15

TTL Unit:  Minutes

ALIAS:  enterpriseenrollment.manage.microsoft.com

24.  Under the dmgva.com DNS Zone click on Record set.

25.  At the Record set screen enter the following then click OK:

Name:  msoid.it

Type:  CNAME

TTL:  15

TTL Unit:  Minutes

ALIAS:  clientconfig.microsoftonline-p.net

26.  Once all DNS Records have been created click on Continue setup.

27.  At the Update DNS settings click Finish.
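The Record set blade steps above are repetitive; the block below is an added example (not from the original post) that creates the same records with the Az.Dns PowerShell module and checks them with Resolve-DnsName. It assumes Connect-AzAccount has already been run against the subscription holding the Killer-Home-Lab resource group. It does not reproduce the TXT values (the domain-proof token from the HCW and the TXT value shown on the Office 365 Domains page); those must be copied from the portal.

```powershell
# Added example (not from the original post): Office 365 hybrid DNS records in the
# Azure DNS zone via Az.Dns. Zone and resource group names are the ones used in the post.
$Zone = 'dmgva.com'
$RG   = 'Killer-Home-Lab'
$Ttl  = 15 * 60                               # the post uses a 15 minute TTL

function New-LabRecordSet {
    param([string]$Name, [string]$Type, [object[]]$Records)
    # Idempotent: do not clobber a record set that already exists
    if (Get-AzDnsRecordSet -Name $Name -RecordType $Type -ZoneName $Zone -ResourceGroupName $RG -ErrorAction SilentlyContinue) {
        Write-Warning "$Type $Name.$Zone already exists, skipping"
        return
    }
    New-AzDnsRecordSet -Name $Name -RecordType $Type -ZoneName $Zone -ResourceGroupName $RG -Ttl $Ttl -DnsRecords $Records
}

# MX for the sub-domain it.dmgva.com
New-LabRecordSet -Name 'it' -Type MX -Records (New-AzDnsRecordConfig -Exchange 'it-dmgva-com.mail.protection.outlook.com' -Preference 0)

# CNAMEs (Skype for Business Online, device registration/enrollment, msoid)
$cnames = @{
    'sip.it'                    = 'sipdir.online.lync.com'
    'lyncdiscover.it'           = 'webdir.online.lync.com'
    'enterpriseregistration.it' = 'enterpriseregistration.windows.net'
    'enterpriseenrollment.it'   = 'enterpriseenrollment.manage.microsoft.com'
    'msoid.it'                  = 'clientconfig.microsoftonline-p.net'
}
foreach ($name in $cnames.Keys) {
    New-LabRecordSet -Name $name -Type CNAME -Records (New-AzDnsRecordConfig -Cname $cnames[$name])
}

# SRV records
New-LabRecordSet -Name '_sip._tls.it' -Type SRV -Records (New-AzDnsRecordConfig -Priority 100 -Weight 1 -Port 443 -Target 'sipdir.online.lync.com')
New-LabRecordSet -Name '_sipfederationtls._tcp.it' -Type SRV -Records (New-AzDnsRecordConfig -Priority 100 -Weight 1 -Port 5061 -Target 'sipfed.online.lync.com')

# TXT values are appended to the existing "it" record set rather than replacing it,
# so the earlier domain-proof token survives.
function Add-LabTxt {
    param([string]$Name, [string]$Value)
    $rs = Get-AzDnsRecordSet -Name $Name -RecordType TXT -ZoneName $Zone -ResourceGroupName $RG -ErrorAction SilentlyContinue
    if (-not $rs) {
        New-AzDnsRecordSet -Name $Name -RecordType TXT -ZoneName $Zone -ResourceGroupName $RG -Ttl $Ttl -DnsRecords (New-AzDnsRecordConfig -Value $Value) | Out-Null
    } elseif ($rs.Records.Value -notcontains $Value) {
        Add-AzDnsRecordConfig -RecordSet $rs -Value $Value | Out-Null
        Set-AzDnsRecordSet -RecordSet $rs | Out-Null
    }
}
# Add-LabTxt -Name 'it' -Value '<TXT value copied from the Office 365 Domains page>'

# Verify from the lab once the zone has propagated
Resolve-DnsName -Name 'it.dmgva.com' -Type MX | Select-Object NameExchange, Preference
Resolve-DnsName -Name '_sip._tls.it.dmgva.com' -Type SRV | Select-Object NameTarget, Port, Priority, Weight
Resolve-DnsName -Name 'autodiscover.it.dmgva.com' -Type CNAME -ErrorAction SilentlyContinue | Select-Object Name, NameHost
```

The last query is the check for the note above: autodiscover.it.dmgva.com must keep pointing at the on-premises Exchange server while the organization is hybrid, so if it resolves to autodiscover.outlook.com something has overwritten it.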

Now that the Hybrid Configuration Wizard has completed, we will test its modifications by creating a new On-Premise Mailbox User, moving this mailbox to Office 365 and validating the following:

  • Single Sign-On for Office 365 and On-Premise Users
  • Mail Flow between On-Premise and Office 365 Users
  • Free/Busy between Office 365 and On-Premise Users

Using the steps below let’s create a new On-Premise User.

1.  Navigate to the following URL and enter your Administrator Credentials:

https://owa.it.dmgva.com/ecp

2.  Within the EAC in the Left-Pane click on recipients then in the middle-pane click on mailboxes.

3.  Click the + button and select User Mailbox. (You may notice that there is now an Office 365 mailbox option.  We will discuss this option later in the post.)

newmailboxaftero365

4.  At the new user mailbox enter TUser3 and select New user.

5.  Fill in the rest of the form and Browse to the Office 365 Users OU as shown below then click Save.

newmailbox1

6.  Close Internet Explorer.

Up until this point we have been using our Default Administrator account for everything.  Going forward we will need an account that has rights to both On-Premise Exchange as well as Office 365.  To do this we will need to do the following:

  • Create a New Account
  • Add it to Organization Management Group
  • Sync it to Office 365
  • Add it as a Global Administrator

Use the steps below to create our On-Premise/365 Admin.

1.  Log onto OP-EX.

2.  Right-click on the Windows Logo and select Run.

3.  Enter dsa.msc then click OK.

4.  In the Left-pane right-click the Office 365 Users OU and select New | User.

5.  Fill out the New Object – User form as shown below and make sure to use the pull-down for User Logon name: to select your @it.dmgva.com domain that we federated with Office 365 then click Next:

newuser1

6.  At the next screen enter the password twice and uncheck User must change password at next logon then click Next, Finish.

7.  In the Right-pane double-click Exchange Admin then select the Member Of tab.

8.  Click the Add button then at the Select Groups pop-up enter Organization Management.

9.  In the Left-pane click on Users then on the Right-pane double-click khl-admin.

10.  Click on the Account tab then use the pull-down for User Logon name: to select your @it.dmgva.com domain that we federated with Office 365 then click OK.

11.  Close Active Directory Users and Computers.

 

Unless we want to wait for 30 minutes, we will need to manually sync our newly created account to Office 365 using the Synchronization Service Manager so we can enable it as an Office 365 Exchange Administrator.  This tool can be launched from the following location:

C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe

Since our account was created from OP-EX, which is in our On-Premise AD Site, the object was written to OP-DC.  We will therefore also need to use Active Directory Sites and Services to replicate the newly created account from our On-Premise Domain Controller (OP-DC) to our Azure Domain Controller (KHL-DC), where the sync engine runs.

Follow the steps below to initiate an immediate Synchronization with Office 365:

1.  Log onto KHL-DC.

2.  Click on Server Manager.

3.  Under Tools in the top-right corner click on Active Directory Sites and Services.

4.  At the Active Directory Sites and Services window within the Left-Pane expand Sites | Azure-KHL | Servers | KHL-DC then select NTDS Settings.

5.  In the Right-Pane right-click the <automatically generated> connection object to OP-DC and select Replicate.

6.  At the pop-up click OK.

7.  Right-click the Windows Logo then select Run and open the following path:

C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe

8.  Click  on Connectors then in the Middle-Pane, right-click killerhomelab.com and select Run.

9.  At the Run Connector window under Run Profiles select Delta Import then click on OK. (Wait for the connector to complete all of its steps before moving on)

10.  Click on Connectors then in the Middle-Pane, right-click killerhomelab.com and select Run.

11.  At the Run Connector window under Run Profiles select Delta Synchronization then click on OK. (Wait for the connector to complete all of its steps before moving on)

12.  Under Connectors in the Middle-Pane, right-click <tenantname>.onmicrosoft.com and select Run.

13.  At the Run Connector window under Run Profiles select Export then click on OK. (Wait for the connector to complete all of its steps before moving on)
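Creating the hybrid admin, replicating it to KHL-DC and forcing a sync can also be scripted; the block below is an added example, not from the original post. Assumptions: the RSAT Active Directory module is available where the first part runs, the sAMAccountName exchangeadmin and the OU distinguished name, and that the sync engine installed on KHL-DC is Azure AD Connect (whose install folder is "Microsoft Azure AD Sync" and which provides the ADSync module with Start-ADSyncSyncCycle).

```powershell
# Added example (not from the original post): create the On-Premise/365 admin,
# replicate it to the Azure site and push it to Office 365 without waiting 30 minutes.
$Domain = 'DC=killerhomelab,DC=com'
$OU     = "OU=Office 365 Users,$Domain"        # OU name from the post; DN assumed
$Upn    = 'exchangeadmin@it.dmgva.com'         # federated suffix, not killerhomelab.com

# 1. Create the account and grant it Exchange Organization Management
#    (run on OP-EX or any domain-joined machine with RSAT)
$pw = Read-Host -AsSecureString -Prompt 'Initial password'
New-ADUser -Name 'Exchange Admin' -SamAccountName 'exchangeadmin' -UserPrincipalName $Upn `
    -GivenName 'Exchange' -Surname 'Admin' -Path $OU -AccountPassword $pw -Enabled $true `
    -ChangePasswordAtLogon $false
Add-ADGroupMember -Identity 'Organization Management' -Members 'exchangeadmin'

# 2. The object was written to OP-DC in the On-Premise site. Pull it to KHL-DC
#    (run on KHL-DC) so the sync engine can see it on its next import.
repadmin.exe /replicate KHL-DC OP-DC $Domain
if ($LASTEXITCODE -ne 0) { throw 'AD replication from OP-DC to KHL-DC failed' }

# 3. Run a delta cycle: this is the Delta Import / Delta Synchronization / Export
#    sequence the post runs by hand in miisclient.exe, for every connector.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
do { Start-Sleep -Seconds 10 } while (Get-ADSyncConnectorRunStatus)   # empty when idle

# 4. Check what left the directory: an unverified UPN suffix would be rewritten to
#    <tenantname>.onmicrosoft.com in the tenant and break federated sign-in.
Get-ADUser -Identity 'exchangeadmin' -Properties MemberOf, UserPrincipalName |
    Select-Object SamAccountName, UserPrincipalName, Enabled,
        @{ Name = 'OrgMgmt'; Expression = { [bool]($_.MemberOf -match 'Organization Management') } }
```

Step 4 is worth running before the Office 365 role assignment: the portal will happily make a user with a wrong UPN a Global or Exchange Administrator, and you only find out when the sign-in from OP-EX fails.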

Now we can head back over to Office 365 to verify that our Exchange Admin account which is an On-Premise user has synced successfully.

 

1.  Navigate to the following URL:

https://portal.office365.com

2.  Once prompted enter your Office 365 Admin Credentials.

3.  At the Office 365 Welcome screen click the Admin tile.

365welcome

4.  In the Left-pane expand Users then select Active users.

5.  In the Middle-pane locate Exchange Admin and click on it.

6.  At the Account Properties pop-up under Roles click Edit.

365admin1

7.  At the Edit user roles screen select Customized administrator and check Exchange Administrator then enter a valid email and click Save then Close.

365admin2

Now we can head back over to our On-Premise Server to Move the TUser3 Mailbox to Office 365.  Follow the steps below to complete this task:

1.  Logon to OP-EX and launch Internet Explorer.

2.  Within Internet Explorer click on Tools  as shown below and select Internet options

internetoptions

3.  Click on the Privacy tab and click on Sites.

4.  At the Per Site Privacy Actions under Address of website: enter *.<mydomainname>.com then click Allow, OK, OK.

cookieprivacy

5.  Log on to OP-EX using the newly created Exchange Admin credentials and navigate to the following URL:

https://owa.it.dmgva.com/ecp

6.  In the Middle-Pane select TUser3 then in the right-pane under Move Mailbox click on To Exchange Online.

movetoexchangeonline1

7.  At the information pop-up click sign in to Office 365.

8.  Re-highlight Test User3 and under Move Mailbox click on To Exchange Online.

9.  At the Confirm the migration endpoint screen click Next.

10.  At the Move configuration screen under New migration batch name: enter 1st Move then click Next.

11.  At the Start the batch screen click on Browse and select your Office 365 Account then click Add, OK, then make sure Automatically start the batch and Automatically complete the migration batch are selected then click New.

mailboxmove1

12.  At the information pop-up click Yes.

13.  Continue to monitor the status of your mailbox move by using the Refresh button as shown below:

365mailboxmove1

14.  Once the mailbox has been successfully moved the Status will show as Completed.

365mailboxmove2

Now that the mailbox has been moved click on mailboxes and you will notice that it has been created as a Office 365 Mailbox Type.
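The same onboarding move can be started and watched from Exchange Online PowerShell, which is also the quickest way to see why a move fails. This is an added example, not from the original post. Assumptions: the ExchangeOnlineManagement module (Connect-ExchangeOnline) is used to connect, the MRS Proxy endpoint is outlook.it.dmgva.com (the name on the third-party certificate), the target delivery domain follows the <tenantname>.mail.onmicrosoft.com pattern (replace <tenantname>), and the on-premises credential is the Exchange Admin account created above.

```powershell
# Added example (not from the original post): remote (onboarding) move of TUser3
# from Exchange Online PowerShell, with an MRS Proxy reachability check first.
Connect-ExchangeOnline

$onPremCred = Get-Credential -Message 'On-premises Exchange admin (Organization Management member)'
$mailbox    = 'tuser3@it.dmgva.com'
$endpoint   = 'outlook.it.dmgva.com'                 # MRS Proxy FQDN published through OP-WAP
$targetDom  = '<tenantname>.mail.onmicrosoft.com'    # assumed; replace with your tenant's

# MRS Proxy must answer over HTTPS with a certificate Office 365 trusts. Anonymous
# requests get 401 from a healthy endpoint; anything else (TLS error, 404, 503) is a problem.
$mrs = "https://$endpoint/EWS/mrsproxy.svc"
try {
    Invoke-WebRequest -Uri $mrs -Method Head -UseBasicParsing -ErrorAction Stop | Out-Null
} catch {
    $code = $_.Exception.Response.StatusCode.value__
    if ($code -ne 401) { throw "MRS Proxy check failed ($mrs): $($_.Exception.Message)" }
}

New-MoveRequest -Identity $mailbox -Remote -RemoteHostName $endpoint `
    -RemoteCredential $onPremCred -TargetDeliveryDomain $targetDom -BatchName '1st Move'

# Poll until the move reaches an end state
do {
    Start-Sleep -Seconds 30
    $s = Get-MoveRequestStatistics -Identity $mailbox
    '{0,-24} {1,3}% {2}' -f $s.Status, $s.PercentComplete, $s.StatusDetail
} while ($s.Status -notin 'Completed', 'CompletedWithWarning', 'Failed')

if ($s.Status -eq 'Failed') {
    # The report holds the actual MRS error (certificate, credentials, throttling)
    Get-MoveRequestStatistics -Identity $mailbox -IncludeReport | Select-Object -ExpandProperty Report
}

# On OP-EX afterwards, the user should now be a remote mailbox (the "Office 365" type in the EAC):
#   Get-RemoteMailbox -Identity tuser3 | Select-Object RemoteRoutingAddress, RecipientTypeDetails
```

The HEAD check is the part worth keeping even if you stay with the EAC wizard: a move that fails with a certificate error against outlook.it.dmgva.com means the WAP publishing rule or the third-party certificate is wrong, not the hybrid configuration.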

newoffice3651

Let's follow the steps below to make sure that Free/Busy is working between our On-Premise users and Office 365 users:

1.  Log onto KHL-DC

2.  If any windows are open, right-click the Taskbar and select Show the Desktop; if no windows are open, move on to step 3.

showthedesktop

3.  Open Internet Explorer and navigate to the following URL:

https://owa.it.dmgva.com/owa

4.  When prompted with the Security Windows enter your TUser3 credentials as shown below then click OK:

 

windowssecurity2

5.  You will be redirected to the best performance page click on the provided link shown below:

https://outlook.com/owa/it.dmgva.com

onpremise-redirect

6.  At the next screen use the Time zone pull-down menu and select your Time Zone then click Save.

firstmailboxlogon

!!!Note:  The fact that we were able to use our On-Premise URL for an Office 365 mailbox and were redirected shows that our Single Sign-On is working correctly!!!

7.  Now that you have logged into the TUser3 Mailbox, within Internet Explorer press Ctrl + Shift + P to open an InPrivate Browser window.

8.  Within the new InPrivate window navigate to the same URL:

https://owa.it.dmgva.com/owa

9.  When prompted with the Security Window enter your TUser1 credentials as shown below then click OK:

windowssecurity1

10.  Once logged into both accounts right-click the Taskbar and select Show windows side by side.

showwindowsidebyside

Your windows should be displayed as shown below:

freebusytest1

Now that we have both of our Mailboxes open, we will test emails to confirm that mail is flowing between our On-Premise and Office 365 Mailboxes.  Follow the steps below to complete these tests:

1.  In the Left Window (TUser1) click on New | Email message.

newmessage1

2.  At the New Message windows enter tuser3@it.dmgva.com under To then click on Add a subject and enter Test from On-Premise as shown below:

newmessage2

3.  In the Right Window (TUser3) Left-Pane click on More then Junk Email.

4.  In the Middle-Pane click on the Test User1 message then click on Not Junk.

5.  At the Report as not junk screen click on Don't report.

6.  In the Left-Pane click on Inbox then in the Right Window (TUser3) look in the middle-pane and locate the message sent as shown below:

newmessage3

7.  In the Right Window (TUser3) click on New | Email message.

newmessage4

8.  At the New Message windows enter tuser1@it.dmgva.com under To then click on Add a subject and enter Test from Office 365 as shown below:

newmessage5

9.  In the Left Windows (TUser1) look in the middle-pane and locate the message sent as shown below:

newmessage6

Now that we have confirmed mail flow between On-Premise and Office 365, let's take a look at the actual message header to confirm it was sent using TLS as advertised.  SMTP with TLS (STARTTLS) still uses port 25/TCP, but the whole SMTP session between the two servers, message body included, is encrypted, and the certificate we enabled for SMTP is what each server presents to authenticate itself to the other.  Follow the steps below to view the message header for the message sent from Office 365 to On-Premise:

1.  In the Right Window (TUser3) look in the middle-pane and double-click the “Test from Office 365” message.

2.  With the message open, click the down arrow next to Reply All as shown below, then select Message Details:

messagedetails1

3.  Review the message header.  The Received headers show the message was received from NAM03-CO1-obe.outbound.protection.outlook.com by smtp.it.dmgva.com and encrypted using TLS 1.2, and was then received from KHL-EX.killerhomelab.com by OP-EX.killerhomelab.com:

messagedetails1
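Reading the Received headers by eye works for one test message, but a short script makes the same check repeatable. The following PowerShell function is an added example, not code from the original post: it unfolds a raw message header, pulls out each Received hop, and flags any hop that does not record a TLS version. The header text is constructed for the example (the host names follow the lab's naming, but the IP addresses and ids are not real values from the post).

```powershell
# Added example (not from the original post): parse the Received: hops of a message
# header and report which hops advertise TLS. The header text below is constructed
# for the example; host names follow the lab's naming but the values are not real.
function Get-MailHopTlsReport {
    param(
        [Parameter(Mandatory)]
        [string]$HeaderText
    )

    # Unfold RFC 5322 continuation lines (a line starting with whitespace
    # continues the previous header field) so each Received: is one line.
    $unfolded = $HeaderText -replace "`r?`n[ \t]+", ' '

    $report = @(foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^Received:\s+from\s+(\S+)\s+.*?\bby\s+(\S+)') {
            $from = $Matches[1]
            $by   = $Matches[2]
            # A hop that negotiated TLS records something like version=TLS1_2
            $tls  = $line -match '\bTLS'
            [pscustomobject]@{ From = $from; By = $by; Tls = $tls }
        }
    })

    # Received: headers are prepended by each hop, so reverse them to list
    # the hops in delivery order (first hop first).
    [array]::Reverse($report)
    return $report
}

# Constructed sample header for the "Test from Office 365" message path
$sampleHeader = @'
Received: from KHL-EX.killerhomelab.com (192.0.2.10) by OP-EX.killerhomelab.com
 (192.0.2.20) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1 via Frontend Transport
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (203.0.113.5)
 by smtp.it.dmgva.com (192.0.2.10) with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1 via Frontend Transport
Subject: Test from Office 365
'@

$hops = Get-MailHopTlsReport -HeaderText $sampleHeader
$hops | Format-Table -AutoSize

# Any hop without TLS means the receive connector or certificate on that
# server needs a second look before trusting the "encrypted" claim.
if ($hops | Where-Object { -not $_.Tls }) {
    Write-Warning 'At least one hop did not record TLS; check the receive connector and certificate on that server.'
}
```

To use it on a real message, paste the header text from Message Details into a here-string in place of $sampleHeader. The function only reports what the receiving server wrote into the header, so it confirms that each hop in your own organization negotiated TLS; it cannot tell you anything about hops that did not log a TLS version.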

Now that we are finished testing mail flow, we will test our Free/Busy.  We will create appointments in each mailbox and validate that the other mailbox can view them.  Follow the steps below to create the appointments:

1.  In the Test User1 window click the pull-down arrow next to New and select Calendar event as shown below:

calendarevent1


2.  At the Details pop-up enter the information below, select a time in the future and then click Save.

freebusy1a

3.  In the Test User3 window click the pull-down arrow next to New and select Calendar event as shown below:

calendarevent1

4.  At the Details pop-up, under People enter TUser1, click Search Directory, then click the + button.

freebusytest3

5.  Once TUser1 is added, click on Scheduling assistant.  (You will notice it already shows as Busy.)

freebusy3

6.  As the image below shows, TUser1’s Free/Busy is working and we can see the meeting created on their Calendar.

freebusy4

7.  Click Discard to exit the Scheduling Assistant.

freebusy5

8.  At the Calendar Event remove Test User1 as shown below:

freebusy8

9.  Under Details enter Weekly HR Meeting then click Save.

freebusy9

10.  In the Test User1 window click the pull-down arrow next to New and select Calendar event as shown below:

calendarevent1

11.  At the Details pop-up, under People enter TUser3, click Search Directory, then click the + button.

freebusy10

12.  Now click on Scheduling assistant.

freebusy11

13.  As the image below shows, TUser3’s Free/Busy is working and we can see the meeting created on their Calendar.

freebusy12

So far we have confirmed Mail Flow as well as Free/Busy.  However, we have done this all utilizing Outlook Web App.  Let's test our Office 365 Mailbox utilizing a Domain-Joined workstation.  In order to do this for our Office 365 Mailbox we will need to turn on Modern Authentication.  This can be done by connecting to Exchange Online via PowerShell and changing the OAuth2ClientProfileEnabled value to true:

1.  Open an elevated PowerShell prompt from OP-EX.

2.  Run the following commands to connect to Exchange Online:

$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session

3.  Once prompted enter your Office 365 Admin Account.

4.  Enter the following command to Enable Modern Authentication:

Set-OrganizationConfig -OAuth2ClientProfileEnabled:$True

5.  Reset IIS using the following command:

iisreset /noforce
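Set-OrganizationConfig returns nothing on success, so it is worth reading the setting back before moving on to the workstation. The following script is an added example, not the post's own commands: it performs the same connection as steps 2 through 4 above, but checks the current value first, only changes it if needed, verifies the result, and always removes the remote session. The credential prompt message is an assumption of the example.

```powershell
# Added example (not from the original post): connect to Exchange Online, check the
# current Modern Authentication setting, enable it only if needed, verify the change,
# and always tear down the remote session.
$UserCredential = Get-Credential -Message 'Office 365 admin account'

$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $UserCredential -Authentication Basic -AllowRedirection
try {
    Import-PSSession $Session -DisableNameChecking | Out-Null

    $before = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    Write-Host "OAuth2ClientProfileEnabled before: $before"

    if (-not $before) {
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    }

    # Read the value back rather than assuming the Set succeeded silently
    $after = (Get-OrganizationConfig).OAuth2ClientProfileEnabled
    if (-not $after) {
        throw 'OAuth2ClientProfileEnabled is still False; Modern Authentication was not enabled.'
    }
    Write-Host 'Modern Authentication is enabled for the tenant.'
}
finally {
    # Remove the session so it does not count against the tenant's concurrent session limit
    Remove-PSSession $Session
}
```

The try/finally matters in a lab where you reconnect often: Exchange Online limits the number of concurrent remote PowerShell sessions per account, and abandoned sessions keep counting until they time out. Note that Microsoft has since retired Basic authentication for Exchange Online remote PowerShell; on a current tenant the equivalent connection is Connect-ExchangeOnline from the ExchangeOnlineManagement module, and the Get/Set-OrganizationConfig calls are unchanged.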


We will also need to enable Modern Authentication on our workstation, since we are using Office 2013.  Follow the steps below to enable this for our Office 365 Mailbox:

1.  Log onto your Domain Joined workstation that has Office 2013 or greater using Test User3.

2.  Right-click on the Windows Logo and select Run then enter regedit.

3.  At the pop-up click Yes.

4.  In the Left-Pane expand HKEY_CURRENT_USER | SOFTWARE | Microsoft | Office | 15.0 | Common, then right-click on Identity and select New | DWORD (32-bit) Value.

5.  In the Right-Pane under the new key enter EnableADAL, then set it to 1.

enableadal
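The same registry change can be scripted and verified, which is handy if you have more than one lab workstation. The following script is an added example, not part of the post: it creates the Identity key if Office has not created it yet, writes EnableADAL as a DWORD, and reads it back. It also sets a Version DWORD of 1 under the same key, which Microsoft's Office 2013 Modern Authentication guidance specifies alongside EnableADAL; that value is not in the post's steps and is included here as an addition.

```powershell
# Added example (not from the original post): set the EnableADAL value for Office 2013
# (version 15.0) under the current user's hive and read it back. The Version DWORD is
# from Microsoft's Office 2013 Modern Authentication guidance, not from the post.
$identityKey = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'

# Create the Identity key if Office has not created it yet
if (-not (Test-Path $identityKey)) {
    New-Item -Path $identityKey -Force | Out-Null
}

# DWORD (32-bit) values, matching what the regedit steps create by hand
Set-ItemProperty -Path $identityKey -Name 'EnableADAL' -Value 1 -Type DWord
Set-ItemProperty -Path $identityKey -Name 'Version'    -Value 1 -Type DWord

# Verify: Outlook reads these at startup and silently ignores a wrong type or value
$values = Get-ItemProperty -Path $identityKey
if ($values.EnableADAL -ne 1) {
    throw 'EnableADAL is not set to 1; Outlook 2013 will keep using legacy authentication.'
}
Write-Host ('EnableADAL={0} Version={1}' -f $values.EnableADAL, $values.Version)
```

Run it in the Test User3 session (not elevated as another account), because the key lives under HKEY_CURRENT_USER and the value only affects the user whose hive it is written to. Outlook must be restarted to pick up the change.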


Now we are ready to test our Office 2013 using Modern Authentication!  Follow the steps below to test our Domain Joined Workstation:

1.  Launch Outlook 2013.

2.  At the Welcome to Outlook 2013 screen click Next.

3.  At the Add an Email Account screen click Next.

4.  At the Auto Account Setup screen click Next.

5.  At the Searching for your mail server settings… screen click Finish once the Auto config is complete.

autoconfig

Now that we have confirmed that On-Premise and Office 365 based users can use OWA and Outlook clients, confirmed Free/Busy, and moved mailboxes from On-Premise to Office 365, we are finished with Part 8 of this series.  In Part 9 of our series (Configuring Office 365 for Multi-Factor Authentication), we will be configuring Multi-Factor Authentication for On-Premise and Office 365 users. Have fun with the lab!!!
