
Technology, Apr 02, 2012

Office 365 Hybrid Coexistence and Multiple Messaging Domains

Adrian Romo

Exchange 2010 Service Pack 2, released in December 2011, introduced the Manage Hybrid Configuration wizard, which further automates hybrid coexistence with Office 365. The wizard takes roughly 50 manual configuration tasks that were previously required to implement an Office 365 hybrid deployment and reduces them to 6. Even with this level of automation, there are still significant pitfalls that should be avoided wherever possible.

Many businesses today rely on a multi-faceted brand marketing approach, so the average Exchange organization now supports significantly more than a single e-mail domain for its business users. Organizations with a large number of messaging domains will find that this increases the complexity and cost of establishing hybrid coexistence with Exchange Online, because a set of prerequisites must be met for every domain. Both the Office 365 portal and the Manage Hybrid Configuration wizard require proof of ownership via public DNS: only a party that can publish records in the domain's zone can bind that domain to the tenant. Office 365 verification queries public DNS for a TXT record at the zone apex in this format:

Alias or Host Name    Text              TTL
@                     MS=ms87654321     1 hour

Once a domain is verified in the portal it appears in the list of accepted domains that can be selected in the Manage Hybrid Configuration wizard. The wizard then requires a second proof of ownership, again a TXT record at the zone apex in public DNS, in this format:

Alias or Host Name    Text              TTL
@                     asdf1234…==       1 hour

This TXT record value consists of 86 randomly generated characters followed by two = symbols, 88 characters in total. Each accepted domain needs its own record, and the wizard will not complete for a domain until the record is resolvable from public DNS.

The Manage Hybrid Configuration wizard also requires both public and internal DNS A records for the Outlook Autodiscover service. For each messaging domain, autodiscover.domain.com must point to the hybrid server. The reasoning behind this requirement is that a large percentage of support calls to Microsoft are driven by difficulties configuring Outlook to connect to the appropriate server. The Autodiscover service handles that configuration for end users, who only have to provide their e-mail address and password. So regardless of whether an organization plans to support Outlook as a messaging client, it will be compelled to build the infrastructure to support it in order to establish hybrid coexistence.

In addition, the Manage Hybrid Configuration wizard requires a Subject Alternative Name (SAN) certificate on the hybrid server that includes entries for Outlook Web App, SMTP TLS communication and each messaging domain's autodiscover FQDN. The autodiscover entries are not optional: clients connect to autodiscover.domain.com over HTTPS and validate that name against the certificate, so a domain missing from the SAN list produces certificate errors for every user in that domain.

New Exchange Certificate wizard in the Exchange Management Console
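The per-domain prerequisites above (portal TXT record, hybrid TXT record, public and internal autodiscover A records, and the SAN entry on the hybrid server's certificate) are easy to miss for one domain out of many. The following PowerShell is an added example, not code from the original post or from Microsoft: it checks each domain's DNS and builds the SAN name list the certificate request needs. Every domain, host name, IP address and record value in it is a constructed placeholder, and the function names are this example's own. The live lookup uses Resolve-DnsName (Windows 8 / Server 2012 and later); a script block standing in for the resolver lets the logic run offline against constructed zone data.

```powershell
# Added example (not from the original post): pre-flight check of the per-domain
# hybrid coexistence prerequisites. All names and values are constructed.

# Portal proof of ownership: TXT at the zone apex shaped like MS=ms87654321.
function Test-PortalVerificationTxt {
    param([Parameter(Mandatory)][string]$Value)
    return [bool]($Value -match '^MS=ms\d+$')
}

# Hybrid wizard proof of ownership: 86 random characters followed by '=='.
# (88 characters ending in '==' is the shape of base64 encoding 64 bytes.)
function Test-HybridVerificationTxt {
    param([Parameter(Mandatory)][string]$Value)
    return [bool]($Value -match '^\S{86}==$')
}

# Names the hybrid server's SAN certificate must carry: OWA, SMTP TLS and
# autodiscover.<domain> for every accepted domain. The OWA/SMTP names are
# assumed here; use whatever the organization actually publishes.
function Get-HybridSanList {
    param(
        [Parameter(Mandatory)][string[]]$Domain,
        [string]$OwaFqdn  = 'mail.example.com',
        [string]$SmtpFqdn = 'mail.example.com'
    )
    $names = @($OwaFqdn, $SmtpFqdn) + @($Domain | ForEach-Object { "autodiscover.$_" })
    return @($names | Select-Object -Unique)
}

# Checks one domain. $Lookup defaults to a live Resolve-DnsName query; pass
# -DnsServer to target a specific resolver (run once against public DNS and
# once against internal DNS, since the wizard needs both A records).
function Test-HybridDomainDns {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][string]$HybridServerIPv4,
        [string]$DnsServer,
        [scriptblock]$Lookup = {
            param($Name, $Type, $Server)
            $p = @{ Name = $Name; Type = $Type; ErrorAction = 'SilentlyContinue' }
            if ($Server) { $p.Server = $Server }
            Resolve-DnsName @p
        }
    )
    $txt = @(& $Lookup $Domain 'TXT' $DnsServer |
             Where-Object { $_ } | ForEach-Object { $_.Strings -join '' })
    $a   = @(& $Lookup "autodiscover.$Domain" 'A' $DnsServer |
             Where-Object { $_ } | ForEach-Object { $_.IPAddress })

    [pscustomobject]@{
        Domain             = $Domain
        PortalTxtPresent   = [bool]($txt | Where-Object { Test-PortalVerificationTxt $_ })
        HybridTxtPresent   = [bool]($txt | Where-Object { Test-HybridVerificationTxt $_ })
        AutodiscoverTarget = ($a -join ',')
        AutodiscoverOk     = ($a -contains $HybridServerIPv4)
        SanEntryRequired   = "autodiscover.$Domain"
    }
}

# ---- Offline demonstration with constructed zone data -----------------------
# example.com has everything; example.net lacks the hybrid TXT record and its
# autodiscover host points at the wrong address.
$fakeZone = @{
    'example.com|TXT'            = @(
        [pscustomobject]@{ Strings = @('MS=ms87654321') },
        [pscustomobject]@{ Strings = @(('A' * 86) + '==') })
    'autodiscover.example.com|A' = @([pscustomobject]@{ IPAddress = '203.0.113.10' })
    'example.net|TXT'            = @([pscustomobject]@{ Strings = @('MS=ms12345678') })
    'autodiscover.example.net|A' = @([pscustomobject]@{ IPAddress = '198.51.100.7' })
}
$offlineLookup = { param($Name, $Type, $Server) $fakeZone["$Name|$Type"] }

$domains = 'example.com', 'example.net'
$domains | ForEach-Object {
    Test-HybridDomainDns -Domain $_ -HybridServerIPv4 '203.0.113.10' -Lookup $offlineLookup
} | Format-Table -AutoSize

# SAN list to feed into the New Exchange Certificate wizard / New-ExchangeCertificate.
Get-HybridSanList -Domain $domains
```

In the constructed run, example.com reports every check true and example.net reports HybridTxtPresent and AutodiscoverOk as false, which is exactly the state in which the wizard fails for that domain. Drop the -Lookup argument to query real DNS, and pass -DnsServer once for the public resolver and once for an internal domain controller to confirm that both A records exist before starting the wizard.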

Provisioning these resources in a timely manner can be complicated if the organization's public DNS is not centrally hosted and managed. SAN certificates can support up to 100 alternative names, but coordinating approvals for every domain included in a timely fashion is again difficult for decentralized organizations. Large-capacity certificates are also costly and should be budgeted for accordingly.

The bottom line is that the Manage Hybrid Configuration wizard, and therefore hybrid coexistence, will fail if any of the above resources is missing for any domain. Credera has extensive experience in designing, planning and implementing Office 365 migrations. If you have questions about this post, upcoming posts or Office 365 in general, please contact us.