Coexistence, Hybrid, Migration, Federation

Question 1

What is a Federation Trust?

Answer 1

A relationship established between your Exchange organization and the Microsoft Federation Gateway (MFG), also known as the Azure Active Directory Authentication System (AADAS).

It is used to manage Organization Relationships between Exchange organizations, which enables Federated Sharing, which allows authenticated requests for Calendar free/busy information.

Question 2

What is this?

MFG

Answer 2

Microsoft Federation Gateway

Acts as a trust broker between federated organizations.

Technically, it has been renamed and is now officially known as the Azure Active Directory Authentication System (AADAS). However, MFG may appear on the exam instead.

Question 3

What does this stand for?

AADAS

Answer 3

Azure Active Directory Authentication System

The newer name for MFG.

Question 4

What is Federated Sharing?

Answer 4

Allows for authenticated requests for Calendar information between Exchange Organizations. Also allows Mail Tips and other small features to be shared.

It requires an Organization Relationship being established through a Federated Trust.

Question 5

How can sharing of Calendar information through Federated Sharing be limited?

Answer 5

When configuring the Organization Relationship, you can choose between sharing:

• No access
• free/busy info with time only
• free/busy info with time, subject, and location

Additionally:

• You can limit sharing to a specified security group, rather than organization-wide
• Individual users can prevent access to their own Calendar information, by removing the “Default” permissions entry on the calendar, or setting it to “No Access.”

Question 6

If you want users to be able to share more details of their calendars, how can you do so?

Answer 6

• Configure a sharing policy for either all domains or the specific domain, which allows sharing of “All calendar appointment information”.
• This will work for both federated and non-federated Exchange organizations.
• To share with non-Exchange organizations, allow sharing with specified domain “Anonymous,” and users will select the “Publish” calendar option to share it.

Question 7

What are the requirements for Federated Sharing?

Answer 7

Both organizations must have:

• A federation trust established with the MFG
• an Organization relationship with the other organization
• Autodiscover records in DNS
• Firewalls open for HTTPS requests
• Valid SSL certificates

Question 8

What kind of certificates does Microsoft recommend for Federation?

Answer 8

Self-signed certificates.

You can use a third-party CA, but it is not necessary.

Question 9

What is a Sharing Policy?

Answer 9

They control whether individual users can share calendar information with external users, including:

• users in another federated Exchange organization
• users in a non-federated Exchange organization
• users a non-Exchange mail service, such as Gmail
• publishing calendars to the internet

Question 10

How are Sharing Policies applied?

Answer 10

Sharing Policies are assigned to mailboxes.

You can have multiple policies in an organization, but only one policy can be assigned to any given mailbox at a time.

Question 11

What is Individual Sharing?

Answer 11

A name for the features controlled by a Sharing Policy.

Question 12

How can a user publish their calendars online?

Answer 12

• Modify the Sharing Policy that is applied to the user’s mailbox by adding a sharing rule for a specific domain called “Anonymous”.
• Note, the Calendar virtual directory needs to be enabled on Client Access servers, and set to allow Anonymous Features. (It is by default.)
• Access is only over HTTP, so port 80 will also need to be opened from the internet to your Exchange server.

Question 13

What is Cross-forest Availability?

Answer 13

• Allows calendar free/busy info lookups between NON-FEDERATED Exchange organizations.
• Does not involve the MFG.
• Can be used for both trusted and non-trusted AD forests.

Question 14

For Cross-forest availability, what are the setup requirements regarding User accounts?

Answer 14

• Users and groups the in the source forest must be created as contacts in the target forest, so that they can be seen in the GAL.
• For temporary cross-forest availability setups, you can run a script to do this once.
• For ongoing setups, a GAL synchronization tool must be used so changes are always synced. Microsoft and third parties have tools available.

Question 15

What does this stand for?

GAL

Answer 15

Global Address List

Question 16

How is Cross-forest Availability controlled differently, between Trusted vs. Non-Trusted Forests?

Answer 16

Trusted Forests:

• Availability can be controlled on a per-user basis, because each request can be authenticated as coming from a specific user.
• Thus, Mailbox users can set different levels of calendar permissions for different users in the remote forest.

Non-trusted Forests:

• Availability is organization-wide only
• Only the “default” permissions entry on a calendar can be used to control the level of free/busy info accessible by users in the remote forest.

Question 17

What are the Autodiscover Requirements for Cross-forest availability?

Answer 17

• For Trusted Forests:

– Either use the Autodiscover CNAME record, or:

– Export the Autodiscover SCP from one forest to another.

• For non-trusted forests,
only the Autodiscover CNAME can be used

Question 18

What is Cloud Identity?

Answer 18

One of the Identity management models for Office 365.

Office 365 accounts are stored in Azure AD, and not integrated with any on-premises directory.

If any on-prem AD exists, it is separate and not integrated.

Question 19

What is Directory Synchronization?

Answer 19

• One of the Identity management models for Office 365.
• The on-prem AD is the source of identity, and objects are synced to Azure AD via a directory synchronization tool.
• When cloud resources are accessed, authentication is performed by Azure AD.

Question 20

What form of Identity Management is recommended for smaller organizations (1-50 users)?

Answer 20

Cloud Identity

Question 21

What form of Identity Management is recommended for larger organizations (51 or more users)?

Answer 21

Directory Synchronization (either with or without ADFS)

Question 22

What is Azure AD Connect?

Answer 22

The most recent name for Microsoft’s directory synchronization tool.

Used for syncing objects, such as users, contacts, and groups, from an on-prem AD to Azure AD for use in Office 365.

Passwords can also optionally be synchronized using Password Sync.

Question 23

What is Directory Synchronization with Federation?

Answer 23

One of the Identity management models for Office 365.

Based on Directory Synchronization, but the authentication for cloud resources isn’t performed by Azure AD.

Instead, Office 365 passes the authentication requests to an on-prem ADFS instance.

Question 24

What is ADFS?

Answer 24

Active Directory Federation Services

Usually deployed as a farm for high availability.

Question 25

What are the pros and cons of using ADFS for Office 365 authentication?

Answer 25

Changes to authentication and policies are applied immediately instead of needing to be synced. It also allows for more restrictions.

However, it requires more on-prem servers and infrastructure.

Question 26

What is a Hybrid Configuration?

Answer 26

• A coexistence between Exchange On-Premises and Exchange Online
• Can be used either as a migration method, or a permanent state of coexistence.
• Supported for Exchange 2010 or later

Question 27

What are the benefits of a Hybrid Configuration?

Answer 27

If using both on-prem and Office 365 Exchange accounts, a Hybrid configuration allows for:

• Integrated administration via a single EAC interface
• All interaction between both systems is considered internal to the single organization.
• Mail flow between them is secured with TLS encryption, with internal message headers preserved.

Question 28

What are the requirements for a Hybrid Configuration?

Answer 28

• Office 365 tenant with Exchange Online licenses
• Directory Synchronization, either with Password Sync, or with ADFS

• Firewall Access:
– TCP 443 for Autodiscover and Exchange Web Services
– TCP 25 for SMTP mail flow

• Certificates

Question 29

In a Hybrid Configuration, what Exchange features depend on OAuth authentication if they are to work between Office 365 and on-prem Exchange?

Answer 29

• Message Records Management
• In-place Discovery
• In-place Archiving

Question 30

What is Centralized Transport?

Answer 30

A Hybrid Configuration option

Enabling it means that all mail flow must pass through the on-prem Exchange servers.

Typically used for compliance requirements, such as journaling that is controlled on-prem.

In detail: Exchange Online mailboxes that send to internet recipients will not go directly to the internet, but be routed through the on-prem Exchange servers first.

If your MX record is pointing to Exchange Online and Centralized Transport is enabled, then also incoming messages for an Exchange Online recipient will be routed back to the on-prem Exchange first. (Though if your MX record points directly to on-prem Exchange, this step is no longer relevant.)

Question 31

What is Exchange Online Protection?

Answer 31

Part of Exchange Online. All messages with an Exchange Online Mailbox as a destination will first route through Exchange Online Protection, regardless of the message origin. (Includes both internet messages and messages from an on-prem hybrid Exchange setup.)

Question 32

When will Directory Synchronization sync changes?

Answer 32

The default synchronization interval is every 30 minutes.

You can also run Start-ADSyncSyncCycle to trigger it immediately.

Question 33

What does it mean when a user account in Office 365 has a status of “Blocked”?

Answer 33

In effect, it is the same as a “disabled” user account in AD. The user is prevented from signing on directly to Office 365 services. When a disabled account is synchronized to Office 365, it will be set to a status of Blocked.

Question 34

What Connectors are necessary for Hybrid Configurations?

Answer 34

For the on-prem Exchange:

• The default Receive Connector is suitable for incoming mail flow from Exchange Online
• The Hybrid Configuration Wizard creates a Send Connector for outbound to Exchange Online

For Exchange Online, the Wizard configures:

• An Inbound Connector that only accepts mail from servers that identify themselves with the correct certificate
• An Outbound Connector that connects to the FQDN provided during configuration, and only sends if it can negotiate an encrypted TLS connection.

Question 35

What is Message Tracing?

Answer 35

The Office 365 equivalent of Message Tracking.

Question 36

For a direct migration to Exchange 2016 from a previous version, what versions are supported?

Answer 36

• Exchange Server 2010 (must be Service Pack 3 & Update Rollup 11, or later)
• Exchange Server 2013 (CU 10 or later)

Question 37

What versions of Exchange can Exchange Server 2016 coexist with?

Answer 37

• Exchange Server 2010 (must be Service Pack 3 & Update Rollup 11, or later)
• Exchange Server 2013 (CU 10 or later)
• Any earlier version of Exchange must be completely uninstalled/decommissioned from an organization before you can install Exchange 2016.

Question 38

If you need to keep running a version of Exchange Server older than 2010, but also need to install Exchange 2016, what options do you have?

Answer 38

• You could deploy Exchange 2016 into a resource forest. This will avoid some of the legacy compatibility blocks.
• But note that Cross-forest coexistence is complex to configure and manage.

Question 39

What versions of Outlook are supported by Exchange 2016?

Answer 39

• Outlook 2010, 2013, and 2016
• Outlook for Mac for Office 365
• Outlook for Mac 2011
• Any older clients may potentially work, but aren’t supported.

Question 40

What is “Up proxy” and “down proxy” for client access?

Answer 40

When different versions of Exchange are in coexistence, some versions can proxy client access up or down to the other version server.

For example, if you have some users with mailboxes on an Exchange 2013 server, and some on an Exchange 2016 server, you can point the namespace to either one of them, and users will be up-proxied or down-proxied to whatever version they need to connect to.

Also known as “Up-level proxy” and “down-level proxy.”

Question 41

What versions of Exchange support up-proxy and down-proxy for client access?

Answer 41

• Exchange 2016 can down proxy to 2013 or 2010
• Exchange 2013 can up proxy to 2016 or down proxy to 2010.
• Exchange 2010 cannot up proxy or down proxy

Question 42

During coexistence, what will the client access namespaces need to be configured in DNS to point to?

Answer 42

• If Exchange 2016 or 2013 is in coexistence with Exchange 2010, namespaces must be directed to the newer version of Exchange before you can migrate any user mailboxes to the newer version.
• If Exchange 2016 is in coexistence with Exchange 2013, you can migrate the mailboxes either before or after updating the client access namespaces to point to the new server.

Question 43

During coexistence, which client access server will users need to connect to, the old or the new version of Exchange?

Answer 43

• Users with mailboxes on the previous version of Exchange can connect to either the new or the old Exchange server. The new server will “down proxy” their connection to the old server.
• Users with mailboxes on Exchange 2016:

– If in coexistence with Exchange 2010, they must connect to a 2016 server to access their mailbox

– If in coexistence with 2013, they can connect to either a 2013 or 2016 server to access their mailbox.

Question 44

During coexistence, when should mail flow to and from the internet be cutover to be directed to and from the new server instead of the old server?

Answer 44

MX Records, NAT policies, and Send Connectors can be configured for the new server at any time: Before, during, or after all mailboxes have been migrated to the new server.

There’s no recommended time, it will always work. Mail will automatically be routed between the differing server versions as needed.

Question 45

What services and data need to be migrated during a migration from a previous version of Exchange?

Answer 45

• Client Access
• Mail Flow (Transport)
• Application Integration
• Mailbox Data
• Public Folder Data

Question 46

What Application Integration is there that needs to be migrated during an Exchange migration?

Answer 46

– It will vary based on what is used in the environment.

– Some products and software need some integration configured, components installed, permissions configured, etc.

– Example applications can include services for:

• Backup agents
• Antivirus/antispam agents
• SMTP relay via custom Receive Connectors
• Email signatures
• Email archiving
• Mobile device management

Question 47

What is a migration batch?

Answer 47

A collection of move requests that are managed together.

The move requests are for mailboxes from one Exchange database to another, such as during a migration.

Question 48

What is MRS?

Answer 48

Mailbox Replication Service

The service that processes Online Mailbox Moves.

Question 49

What is an Online Mailbox Move?

Answer 49

The migration of a mailbox from one Exchange database to another, without interrupting the user’s access to their mailbox.

The move can reach 95% before the final database cutover occurs, which causes a brief interruption for the end user.

If desired, you can choose to automatically suspend moves when they reach 95%, so you can complete it manually when the cutover interruption will be least disruptive.

Question 50

What is an arbitration mailbox?

Answer 50

Arbitration mailboxes are special system mailboxes that handle tasks such as audit logging and transport moderation.

Question 51

In what order should different types of mailboxes be migrated?

Answer 51

• Move the arbitration mailboxes first, because they need to be hosted on the highest version of Exchange in the organization in order for the features they manage to work correctly.
• Recommended: For Shared Mailboxes, move the users that share them, and the shared mailbox itself, together in the same batch.
• Recommended: Likewise, for mailboxes with delegate access, move the mailbox in the same batch as the delegate user’s mailbox.
• Required: If migrating Legacy Public Folders (Exchange 2010) to modern Public folders, they must be migrated last, after all mailboxes. This is because the legacy mailboxes would not be able to access the modern public folders.

Question 52

What’s the deal with transaction logs during a migration?

Answer 52

• Migrations generate a lot of transaction logging in the target database, because a lot of changes are occurring in that database.
• Allow for about 1 GB of logs per 1 GB of mailbox data that you move.
• You can run more frequent backups during the migration to truncate the logs.

Question 53

What is involved in migrating Public Folders?

Answer 53

– If migrating from Exchange 2013, it already uses modern Public Folders, so it is as simple as moving the mailboxes.

– If migrating from Exchange 2010, it uses Legacy Public Folders:

• They must be migrated last, after all other mailboxes have been moved.
• (Technically, you can start the migration at any time, as long as you don’t complete it until other mailboxes are moved.)
• It is a one-way migration process. If something goes wrong, you can roll back, but any changes made since the migration will be lost.

Question 54

What specific steps are involved in migrating Legacy Public Folders to Exchange 2016?

Answer 54

1. Download migration scripts from Microsoft
2. Prepare for migration using the scripts
3. Generate CSV files using the scripts
4. Create public folder mailboxes on Exchange 2016
5. Start the migration
6. Wait for the initial synchronization of Public Folder data to complete
7. Lock public folders (this begins Public Folder outage)
8. Finalize the migration (outage continues)
9. Test and unlock public folders

Question 55

At what point is a legacy Exchange server ready to be removed/decommissioned, following a migration?

Answer 55

• Removal can only be performed if there are no mailboxes of any kind, or any public folders, hosted on the server
• (The server can still host databases; they just need to be completely empty.)
• The server cannot be a member of a DAG, so it will need to be removed first.
• No Send Connectors in the organization can still have the server included as a source transport server
• If any of the above conditions aren’t met, the Exchange setup will block the uninstallation of the Exchange application from the server

Question 56

How do you decommission a legacy Exchange server following a migration?

Answer 56

The Exchange application must be cleanly uninstalled. You cannot simply shut down and remove the server.

This is because all of the Exchange server’s configuration data is still stored in AD, and this will cause problems if it is not cleanly removed during the uninstallation.

Question 57

If you remove the last Exchange 2013 server from your organization, following a migration to 2016, what needs to be done to install a new Exchange 2013 server?

Answer 57

• You cannot. After removing all instances of legacy Exchange versions, you can’t reintroduce that version of Exchange to the environment.
• You should keep a legacy server around if you still need to use the old version.