Step-by-Step Guide to Office 365 Hybrid Deployment

A companion guide to configuring and deploying your Office 365 Hybrid

Written By Thuan Ng, Tung Pham


Published December 29, 2016


About The eBook


The “Step-by-Step Guide to Office 365 Hybrid Deployment” eBook is provided “as is”. The
information and views expressed in this eBook, including URL and other web site references,
may change without notice.

This eBook does not provide you with legal rights to the ownership of a Microsoft product, but
just the use, unless this is explicitly stated in the eBook. “Trial” keys are provided for a single
purpose of the experiment.

If you need any assistance, please feel free to reach us at thuan[at]outlook.com or
tung[at]ict24h.net.

About the Author


Tung Pham is the Managing Director of ICT24H Online Solution, a certified Microsoft Cloud
Productivity partner in Vietnam. With over 16 years of experience in the field of information
technology and telecommunication, Tung has helped small to large organizations design and
implement Microsoft products and technologies.

Tung has been recognized as an Office Services & Servers Most Valuable Professional (MVP)
by Microsoft from 2014 until now. He is an active speaker in the Microsoft technical community.

Thuan Nguyen is a Subject Matter Expert in Digital Workplace. With over 8 years of experience
in the Information Technology and Services industry, Thuan has been involved in a number of
successful Digital Workplace adoptions for mid-tier and large organizations, including
government agencies.

Thuan has been recognized as a SharePoint Most Valuable Professional (MVP) by Microsoft
4 years in a row before switching to Office Services and Servers MVP (from 2015 until now).
He has been a guest speaker at a number of different events and conferences such as
SharePoint Saturday Vietnam, Microsoft SharePoint Day Malaysia, Azure Global Bootcamp,
Business 365 Saturday Singapore and European SharePoint Conference.


Introduction
Inspired by Microsoft, its products and technologies, we put our heads together to write an
eBook that would give you a step-by-step guide to Office 365 Hybrid deployment, because in our
daily work we have seen the huge trend toward modern collaboration. We consider ourselves
fortunate to have worked and talked with a number of different IT executives and CIOs during
the three years before we started writing this eBook.

This eBook is written not only for IT Pros but also for anyone who is starting to think about a
hybrid deployment of Office 365 to maximize the use of infrastructure resources and to
contribute to cost-effective technology adoption in the business. What you will learn from this
eBook is how to install and configure a number of different Office Services and Server products
in an on-premises environment so that they work with Microsoft Office 365, an innovative SaaS
digital workplace platform.

We are not going to dig into hybrid scenarios in cloud computing in general, because that is
not our main purpose in writing this eBook. When it comes to hybrid, there are many scenarios
to consider, including gotchas that may happen; such topics can easily be found on the
Internet.

This eBook assumes that you have fundamental knowledge of Microsoft SharePoint Server
2013, Microsoft Exchange Server 2013, Skype for Business 2016, Windows Server, Forefront
Threat Management Gateway and Office 365. At the least, you should know what they are and
how they help your organization. If you do not, we still appreciate your time, as this eBook
walks you through each step progressively, with screenshots that make it easy to follow along.


Office 365 Hybrid What & Why


The term hybrid is used in cloud computing these days to describe a scenario in which a
component in an on-premises environment connects to a service or a system hosted in a public
cloud. The component may vary; it can be, for example, an on-premises identity management
system connecting to a Software-as-a-Service (SaaS) document management system.

In the Office 365 scenario, a hybrid deployment is when you want end users whose accounts
are hosted in on-premises Active Directory to have access to a SharePoint Online site
collection. Offering the capability to share calendars between on-premises Exchange and
Exchange Online is also considered an Office 365 hybrid scenario. In a nutshell, when you do a
hybrid deployment, you connect services between on-premises and public cloud infrastructure,
wherever it is located. Sometimes people also consider the separate use of public and private
cloud a hybrid, for example developing an application on Office 365 and then deploying it into
a SharePoint on-premises environment.

As the examples above show, hybrid is about balancing infrastructure resources between both
cloud environments. For example, before Microsoft deactivated the Public Site feature on
Office 365, people used the cloud resources of the Microsoft Cloud infrastructure to serve a
massive number of public users for their Internet-facing website deployment, while the identity
of the website's content editor was hosted in in-house Active Directory. In this case, you make
the best use of your investment in high availability for your Internet-facing website, while still
meeting compliance requirements such as authentication and identity management.

Why should you consider an Office 365 hybrid deployment? Perhaps because everyone else is
doing it. The cost of hybrid is not going to be discussed here. However, when you go hybrid,
you are going to cut at least the operational infrastructure and licensing cost that takes up your
entire cloud budget. In many hybrid cases, you are outsourcing the responsibility for data
security, which might be a big concern.

The following articles give more helpful information about the pros and cons of hybrid cloud:

- http://blog.rackspace.com/10-reasons-why-a-hybrid-cloud-is-better
- http://www.zdnet.com/article/hybrid-cloud-why-hybrid-it-may-be-the-better-choice/
- http://www.datacenterknowledge.com/archives/2015/02/16/hybrid-cloud-continues-grow-look-real-use-cases/
- http://www.cio.com.au/brand-post/content/607556/why-hybrid-cloud/


Environment Preparation
Below is the environment we used during this step-by-step guide. You could use fewer servers
than we did by combining roles on a group of servers. However, we highly recommend isolating
roles and services, as that is more practical in a real deployment.

NO.  SERVER  IP ADDRESS       SUBNET MASK      GATEWAY          OS
1    AD01    192.168.1.5      255.255.255.0    192.168.1.100    Windows Srv 2012 R2
2    ADFS01  192.168.1.6      255.255.255.0    192.168.1.100    Windows Srv 2012 R2
3    EX01    192.168.1.7      255.255.255.0    192.168.1.100    Windows Srv 2012 R2
4    SFB     192.168.1.8      255.255.255.0    192.168.1.100    Windows Srv 2012 R2
5    SP01    192.168.1.10     255.255.255.0    192.168.1.100    Windows Srv 2012 R2
6    TMG     192.168.1.100    255.255.255.0    -                Windows Srv 2008
             125.253.124.163  255.255.255.240  125.253.124.161
             172.16.1.100     255.255.255.0    -
7    EDGE    192.168.1.9      255.255.255.0    192.168.1.100    Windows Srv 2012 R2
             172.16.1.9       255.255.255.0    172.16.1.100
             125.253.124.164  255.255.255.240  125.253.124.161
8    WAP01   192.168.1.15     255.255.255.0    192.168.1.100    Windows Srv 2012 R2
             125.253.124.162  255.255.255.240  125.253.124.161

Servers with several rows have one network interface per row. As the table shows, the TMG
server holds the addresses (192.168.1.100 and 172.16.1.100) that the other servers use as their
default gateway, so it sits between the internal network, the perimeter network and the Internet.

All of these servers above are virtualized in a physical host with the deployment of Microsoft
Hyper-V Virtualization. Microsoft Hyper-V is not required but it supports virtualizing Microsoft
workload with optimal performance. Here is the overall picture of the hybrid topology.


Below are the role descriptions:

- AD01: an Active Directory domain controller virtual machine, acting as the identity provider
  in the on-premises environment.
- ADFS01: an Active Directory Federation Services virtual machine, acting as the federation
  party that provides the federation trust between the identity providers in both environments
  (on-premises and cloud).
- EX01: a server running Microsoft Exchange Server 2013.
- SFB: a server running Microsoft Skype for Business 2015.
- SP01: a server running Microsoft SharePoint Server 2013.
- TMG: a server running Microsoft Forefront Threat Management Gateway 2010. Although this
  product is no longer supported, we still use it in the configuration to help you understand
  the deployment context.
- EDGE: a server running Skype for Business Server 2015 in the Edge Server role.
- WAP: a server running the Web Application Proxy service.


Lab 1 – DirSync, SSO Configuration


Lab 1.1 – Configure Wildcard SSL certificate

Configuring Office 365 Hybrid starts with configuring DirSync and Single Sign-On (SSO). Before
that configuration, you must purchase a certificate from a trusted third party. There are the
following options:

- Third-party certificate across multiple servers: with this option, you purchase a single
  certificate that is used for all servers and services. This is an advantage in an environment
  with many servers. A wildcard SSL certificate is commonly preferred.
- Third-party certificate for each server: with this option, you purchase a dedicated certificate
  for each server or service. When a certificate expires, you must renew and replace it on that
  server or service. This type of certificate is commonly used when there are fewer than five
  servers.

Here is the list of trusted third-party certificate providers recommended by Microsoft.

In this lab, we purchased a certificate from Comodo (https://www.comodo.com/). Perform the
following steps to import the certificate onto the ADFS01 virtual machine.

1. Create a request with private key from IIS. Open IIS Management Console and click
Server Certificates.


2. Click Create Certificate Request and fill in the information. In this case, we entered
*.ict24h.info because we decided to use a wildcard SSL certificate.

3. Select the cryptographic service provider you want. We selected Microsoft RSA SChannel
Cryptographic Provider with a bit length of 2048.

4. Specify the location where the certificate request file is saved; its content is what you
submit to the certificate provider for signing.


5. If you open the file, the content may look like below

6. Open Comodo website and start purchasing a wildcard certificate

7. Fill all information required in the form, including your credit card information.


8. After the payment is processed successfully, you will receive an email along with a guide
to configuring the certificate.

9. Click View and click CONFIGURE SSL

10. Enter your code that Comodo has sent to you via email and click Go!


11. Copy the CSR (Certificate Signing Request) content you generated in step 5 into the CSR
box and click Finish. Once this step is complete, you will receive a *.ZIP file from Comodo at
your registered email address.

12. Verify the *.ZIP file

13. Import the certificate you purchased from Comodo onto the ADFS01 virtual machine. Click
Complete Certificate Request in the Actions panel. Browse to your certificate file, enter a
Friendly name and select the Personal store.


14. Verify the certificate you just imported.

15. Because you purchased a wildcard certificate, you can use it on every virtual machine you
have. You simply need to export this certificate in *.pfx format together with its private key.
Go to MMC > Local Computer > Personal > Certificates.

16. Right click on your wildcard certificate, select All Tasks > Export.


17. In the Certificate Export Wizard page, click Next

18. Select Yes, export the private key option. Click Next.


19. Select Personal Information Exchange – PKCS #12 (.PFX) option. Select Include all
certificates in the certification path if possible and Export all extended properties.
Click Next.

20. Enter password to protect your certificate.

21. Specify the location to export your certificate (*.pfx). Click Next.


22. Verify the export and click Finish to complete.

You now have a CA-signed certificate that can be imported on all the virtual machines that
need it. Every virtual machine that connects to Office 365 needs the certificate imported. This
certificate is used to protect (with SSL/TLS) the traffic that passes over the Internet. Perform
the following steps to import the certificate onto another virtual machine:

1. Login to the virtual machine you want to import the certificate then go to MMC > Local
Computer > Personal > Certificate.
2. Right click on Personal > All Tasks > Import.


3. In Welcome to the Certificate Import Wizard page, click Next.

4. Specify the certificate you want to import. Click Next.

5. Specify the password that you entered earlier into the Password box. Click Next.


6. Select Personal as a certificate store. Click Next.

7. Click Finish to complete.


8. After completing the import, you will see the certificate in the list of certificates in your
Personal store.

From here on we assume you have successfully imported the certificate on all the virtual
machines that need to connect to Microsoft Office 365, which we will configure later in this
eBook. Because the connection is over the Internet, make sure you purchase the certificate
from an internationally trusted third-party provider.
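The export, import and verification described in Lab 1.1 can also be scripted. The following PowerShell is an added example written for this edit, not code from the eBook; it assumes the certificate subject *.ict24h.info and the name sts.ict24h.info from the lab, a placeholder file path, and an elevated session first on ADFS01 and then on each target server.

```powershell
# Added example, not from the eBook. Part 1 runs on ADFS01, part 2 on every
# server that needs the certificate (EX01, WAP01, ...). Paths are placeholders.

# ---- Part 1 (ADFS01): export the wildcard certificate with its private key ----
$wildcard = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=*.ict24h.info*' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $wildcard) { throw 'No *.ict24h.info certificate with a private key in LocalMachine\My' }

# The PFX password is prompted for, never written into the script.
$pfxPassword = Read-Host -Prompt 'Password to protect the PFX' -AsSecureString
$pfxPath     = 'C:\certs\wildcard-ict24h.pfx'     # placeholder path

# BuildChain = "Include all certificates in the certification path" in the wizard
Export-PfxCertificate -Cert $wildcard -FilePath $pfxPath `
    -Password $pfxPassword -ChainOption BuildChain | Out-Null

# ---- Part 2 (each target server): import into the machine Personal store ----
# No -Exportable: the private key cannot be exported again from this server.
$imported = Import-PfxCertificate -FilePath $pfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword |
    Where-Object { $_.HasPrivateKey } | Select-Object -First 1

# Verify: the chain builds to a trusted root, the name we publish matches the
# wildcard, and the certificate carries the Server Authentication EKU.
$chainOk = Test-Certificate -Cert $imported -Policy SSL `
    -DNSName 'sts.ict24h.info' -EKU '1.3.6.1.5.5.7.3.1' -ErrorAction SilentlyContinue

[pscustomobject]@{
    Subject       = $imported.Subject
    Thumbprint    = $imported.Thumbprint
    NotAfter      = $imported.NotAfter
    HasPrivateKey = $imported.HasPrivateKey
    ChainValid    = [bool]$chainOk
}

# The PFX holds the private key: remove it once every server has imported it.
Remove-Item -Path $pfxPath -Force
```

Copy the PFX between servers over an authenticated channel (an administrative share or removable media you control), keep the password out of any script or ticket, and delete the file afterwards; the thumbprint the script prints is the value you will select in the AD FS, WAP and Exchange wizards later.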

Lab 1.2 – Configure DirSync

In every hybrid deployment, DirSync is critical: it synchronizes identities between on-premises
Active Directory and Azure Active Directory, which acts as the Microsoft Cloud identity provider.
The DirSync tool allows directory objects, including user accounts and password hashes, to be
synchronized to Office 365.


Perform the following steps to install and configure DirSync before you synchronize on-premises
Active Directory user accounts to Office 365.

1. Log into the Office 365 Portal with your administrator account.

2. From the Dashboard screen, select Active Users. Under Active Directory synchronization,
click Set up.

3. In Set up and manage Active Directory synchronization page you will see 7 basic
steps for Active Directory synchronization. From step 3, click Activate.


4. Office 365 will ask for your confirmation to activate Active Directory synchronization.
Click Activate.

5. After your confirmation, Office 365 displays the statement “Active Directory
synchronization is activated”.


You have now activated Active Directory synchronization in the Office 365 portal. Next you
need to install Azure Active Directory Sync. Perform the following steps to install the tool:

1. Download the tool at http://go.microsoft.com/fwlink/?LinkID=278924 and execute the
installation file.
2. In Welcome page, Click Next.

3. In Microsoft Software License Terms page, select I Accept. Click Next.


4. Specify directory where you want to store the tool binaries and files. Click Next.

5. Wait for the installation process

6. When the installation process is complete, click Next.


7. Select Start Configuration Wizard now from the next screen. Click Finish.

8. In Welcome page, read the information and brief guide. Click Next.


9. Enter your Windows Azure Active Directory account. This account must have
administrator permission in your Office 365. Click Next.

10. In Active Directory Credential page, enter your Active Directory domain administrator
account. Click Next.


11. In Hybrid Deployment page, select Enable Hybrid Deployment option. Click Next.

12. In Password Synchronization page, select Enable Password Sync option. Click Next.


13. In Configuration page, you can track progress of the configuration you have done.

14. After the configuration is complete, click Next.


15. In Finish page, select Synchronize your directories now. Click Finish.

You have now completed the configuration of Active Directory synchronization. Depending on
the number of user accounts to be synced, the duration may vary. In the portal, the Status
column shows which accounts are synchronized (e.g. Synced with Active Directory).
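To confirm what the wizard did without waiting on the portal, the following PowerShell is an added example for this edit, not code from the eBook. It uses the Windows Azure Active Directory Module for Windows PowerShell (the MSOnline module) that Lab 1.3 installs, and it assumes DirSync's default three-hour sync cycle when it judges a sync stale.

```powershell
# Added example, not from the eBook. Requires the Windows Azure Active Directory
# Module for Windows PowerShell (MSOnline) and an Office 365 administrator account.
Import-Module MSOnline
Connect-MsolService          # prompts for the Office 365 administrator credentials

# Tenant-level state: is sync activated, and when did the last cycle complete?
$company = Get-MsolCompanyInformation
$company | Select-Object DirectorySynchronizationEnabled, LastDirSyncTime, LastPasswordSyncTime

# DirSync runs a cycle every three hours by default; warn if the last one is older.
$threshold = (Get-Date).ToUniversalTime().AddHours(-3)
if ($company.DirectorySynchronizationEnabled -and $company.LastDirSyncTime -lt $threshold) {
    Write-Warning "Last directory sync completed at $($company.LastDirSyncTime) UTC, more than 3 hours ago"
}
if ($company.DirectorySynchronizationEnabled -and -not $company.LastPasswordSyncTime) {
    Write-Warning 'No password hash sync has completed yet (expected if Enable Password Sync was selected in step 12)'
}

# Per-account view. Accounts that came from on-premises AD carry LastDirSyncTime and
# an ImmutableId (the base64 on-premises objectGUID); cloud-only accounts have neither.
Get-MsolUser -All |
    Select-Object UserPrincipalName,
        @{ n = 'Status'; e = { if ($_.LastDirSyncTime) { 'Synced with Active Directory' } else { 'In cloud' } } },
        LastDirSyncTime, ImmutableId, IsLicensed |
    Sort-Object Status, UserPrincipalName |
    Format-Table -AutoSize
```

The per-account table is the same split the portal shows in its Status column; an account that should be synced but shows "In cloud" was either created in the portal before DirSync ran (it will need soft-matching on its UPN) or sits in an OU that DirSync does not read.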


Lab 1.3 – Configure Single Sign-On (SSO)

In the simplest terms, Single Sign-On (SSO) allows users to access different services using a
single account and password. With it, users do not have to remember different accounts for
different services. Moreover, SSO helps administrators simplify identity management.

To enable SSO in an Office 365 hybrid deployment, there are several products on the market,
for example PingFederate, CA Single Sign-On and Active Directory Federation Services (AD FS).
In this case, we introduce Active Directory Federation Services because it is a free tool.


Perform the following steps to configure SSO and to install and configure Active Directory
Federation Services on the ADFS01 virtual machine:

1. From the Dashboard in the Office 365 Portal, click Active Users.

2. Under the Single sign-on option, click Set up.


3. In Set up and manage single sign-on page, Microsoft provides you 10 steps for SSO
configuration. From step 3, select Windows 64-bit version (if your operating system
only supports 64-bit) to download Windows Azure Active Directory Module for Windows
PowerShell in order to configure trust relationship.

4. After downloading, execute installation file and start installing the tool. In Welcome
page, read the information and brief guide. Click Next.


5. In License Terms page, read carefully licensing terms and select I accept the terms in
the License Terms. Click Next.

6. In Install Location page, specify the location for Windows Azure Active Directory
Module for Windows PowerShell directory. Click Next.

7. When you are ready for the installation, click Install.


8. Wait until the installation is complete, click Finish.

You have now installed the Windows Azure Active Directory Module for Windows PowerShell.
Next, you need to install and configure Active Directory Federation Services. Perform the
following steps:

1. On ADFS01 virtual machine, open Server Manager. Select Add Roles and Features.


2. In Before you begin page, click Next.

3. In the Select installation type page, select the Role-based or feature-based installation
option. Click Next.


4. In Select destination server page, select Select a server from the server pool and
select your AD FS virtual machine. Click Next.

5. In Select server roles page, select Active Directory Federation Services. Click Next.

6. In the Select features page, select .NET Framework 3.5 Features (1 of 3 installed) and
.NET Framework 4.5 Features (3 of 7 installed). Click Next.


7. In the Active Directory Federation Services (AD FS) page, read the AD FS introduction
and notes provided by Microsoft. Click Next.

8. In Web Server Role (IIS) page, read information of web server introduction and notes
provided by Microsoft. Click Next.


9. In Select role services page, make sure you have services selected in the below
screen. Click Next.

10. In the Confirm installation selections page, select Restart the destination server
automatically if required. Click Install.


11. In Installation progress page, review all services and features you have installed. Click
Close.

12. Open Server Manager, you are notified to continue the AD FS configuration. Click
Configure the federation service on this server.


13. In Welcome page, select Create the first federation server in a federation server
farm. Click Next.

14. In Connect to Active Directory Domain Services page, specify your Active Directory
domain administrator account. Click Next.


15. In the Specify Service Properties page, select the wildcard SSL certificate you imported.
The Federation Service Name is the FQDN (Fully Qualified Domain Name) of the ADFS01 virtual
machine. You can create a CNAME that points to the ADFS01 virtual machine's FQDN (for
example sts.ict24h.info). Enter a Federation Service Display Name. Click Next.

16. In the Specify Service Account page, enter the service account, which is automatically
added to the Managed Service Accounts group. Click Next.

17. In Specify Configuration Database page, select Create a database on this server
using Windows Internal Database. Click Next.

18. Select Overwrite existing AD FS configuration database data. Click Next.


19. In Review Options page, review your configuration again. Click Next.

20. In Pre-Requisite Checks page, AD FS automatically runs check to verify if all pre-
requisites are passed. Click Next.

21. Wait until the installation is complete and open AD FS Management to review
information.
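The lab notes that the Windows Azure Active Directory Module for Windows PowerShell is installed "in order to configure trust relationship" but does not show the commands. The following PowerShell is an added example for this edit, not code from the eBook; it creates and verifies the federation trust for the domain ict24h.info against the AD FS server ADFS01 (both names from the lab, the server FQDN assumed) and is run as a domain administrator on ADFS01 once the farm from step 21 is up.

```powershell
# Added example, not from the eBook. Run on ADFS01 (or a machine with the AD FS
# PowerShell tools) as a domain administrator. Domain and server names are from the lab.
Import-Module MSOnline
Connect-MsolService                          # Office 365 administrator credentials

$domain     = 'ict24h.info'
$adfsServer = 'ADFS01.ict24h.info'           # assumed FQDN of the AD FS server

# Point the module at the AD FS server whose settings will be published to Office 365
Set-MsolADFSContext -Computer $adfsServer

# Federation can only be enabled on a domain that is already verified in the tenant
$d = Get-MsolDomain -DomainName $domain
if ("$($d.Status)" -ne 'Verified') { throw "Domain $domain is not verified in Office 365" }

if ("$($d.Authentication)" -eq 'Federated') {
    Write-Host "$domain is already federated; refreshing its settings from AD FS"
    Update-MsolFederatedDomain -DomainName $domain
} else {
    # Switches the domain from managed (cloud password) to federated: publishes the
    # AD FS endpoints and token-signing certificate to Azure AD. From this point every
    # user of the domain authenticates against AD FS, so run it only when AD FS (and,
    # for users outside the network, the WAP from the next section) is reachable.
    Convert-MsolDomainToFederated -DomainName $domain
}

# Verify: the two Source rows (AD FS and Microsoft Office 365) must show the same
# issuer, endpoints and token-signing certificate; a mismatch breaks sign-in.
Get-MsolFederationProperty -DomainName $domain | Format-List
```

The same Update-MsolFederatedDomain call is what you run after AD FS rolls its token-signing certificate; until it runs, Office 365 still trusts the old certificate and federated sign-in fails.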


To securely connect AD FS services to Office 365, you need to deploy an AD FS proxy using
Web Application Proxy in Windows Server 2012 R2. Perform the following steps to install and
configure Web Application Proxy:

1. On WAP virtual machine, open Server Manager. Select Add Roles and Features.
2. In Before you begin page, Click Next.
3. In Select installation type page, select Role-based or feature-based installation.
Click Next.
4. In Select destination server page, select WAP virtual machine. Click Next.
5. In Select server roles page, select Remote Access. Click Next.

6. In Select role services page, select Web Application Proxy. Click Next.


7. In the Confirm installation selections page, select Restart the destination server
automatically if required. Click Install.

After you have successfully done the installation of Web Application Proxy (WAP), you need to
connect WAP service to the AD FS virtual machine. Perform the following steps to configure
WAP:

1. Open Remote Access Management on the WAP01 virtual machine.

2. In the Welcome page, click Next.
3. In Federation Server page, enter Federation service name (note that sts.ict24h.net is
the CNAME we created to point to the ADFS01 virtual machine). Enter local
administrator account on WAP01 virtual machine.

4. In AD FS Proxy Certificate page, select wildcard SSL certificate. Click Next.


5. In Confirmation page, review the configuration again and make sure the thumbprint of
your certificate is valid. Click Configure.

6. In Result page, you will receive a message “Web Application Proxy was configured
successfully”. Click Close.
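The same role installation and proxy configuration can be done from PowerShell on WAP01. The block below is an added example for this edit, not code from the eBook; it takes the federation service name sts.ict24h.info and the wildcard certificate from the lab and assumes an elevated session on WAP01, plus a second, Internet-connected machine for the final check (the test the lab performs in the next section with idpinitiatedsignon).

```powershell
# Added example, not from the eBook. Runs on WAP01 in an elevated session.
# Federation service name and wildcard certificate are from the lab.
Install-WindowsFeature Web-Application-Proxy -IncludeManagementTools

# The wildcard certificate imported in Lab 1.1 is what the Internet side will see
$thumbprint = (Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=*.ict24h.info*' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1).Thumbprint
if (-not $thumbprint) { throw 'Wildcard certificate not found on WAP01; import the PFX first' }

# An account that is a local administrator on the AD FS server. It is used once to
# establish the proxy trust (WAP gets its own client certificate) and is not stored.
$trustCred = Get-Credential -Message 'Account with local administrator rights on ADFS01'

Install-WebApplicationProxy -FederationServiceName 'sts.ict24h.info' `
    -FederationServiceTrustCredential $trustCred `
    -CertificateThumbprint $thumbprint

# Verify the proxy trust from WAP01 ...
Get-WebApplicationProxyConfiguration | Format-List

# ... and, from an Internet-connected machine, the sign-in page a client would reach.
# The request must terminate on the trusted wildcard certificate, so leave
# certificate validation on; a TLS error here is a finding, not something to bypass.
$resp = Invoke-WebRequest -Uri 'https://sts.ict24h.info/adfs/ls/idpinitiatedsignon' -UseBasicParsing
if ($resp.StatusCode -eq 200) { 'AD FS sign-in page reachable through WAP' }
```

WAP01 is a workgroup machine in the perimeter network in the lab's topology, so the only inbound path it needs from the Internet is TCP 443, and the only path it needs inward is TCP 443 to the federation service name.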


After successfully configuring Web Application Proxy, you need to publish it through AD FS
virtual machine. Perform the following steps:

1. Open Remote Access Management. Select Web Application Proxy. Select Publish
from General panel on the right hand.
2. In Welcome page, Click Next.


3. In Preauthentication page, select Pass-through. Click Next.

4. In the Publishing Settings page, enter the name of the WAP application, the external URL,
the certificate and the backend server URL. These are required before you can publish your
service.

5. In Confirmation page, review information of your Web Application Proxy setting. Click
Publish.


6. To verify whether you have successfully published WAP or not, open the URL
https://sts.ict24h.info/adfs/ls/idpinitiatedsignon on a computer which has Internet
connection.

7. Try with an account in your Active Directory and see how it goes.

If you have completed the steps above without any error, then when you open an Office 365
site you will be redirected to the federation URL for the federation trust.

You have now enabled SSO in the hybrid deployment. Every time you open a site in Office 365
and enter a federated account, Office 365 recognizes that there is a trusted party and redirects
you to the published AD FS for authentication.


Lab 2 – Exchange Server Hybrid Configuration


We assume in this lab you have already installed Microsoft Exchange Server 2013 in your on-
premises environment. This lab is going to provide step-by-step guide after Microsoft Exchange
Server 2013 installation.

Lab 2.1 – Send Connector Configuration

A Send connector must be configured to establish the connection between your on-premises
Exchange and Exchange Online. Perform the following steps:

1. Log into Exchange admin center. Select mail flow > send connectors. Select plus icon.
2. From the Send Connector windows, name your connector and select Custom (For
example, to send mail to other non-Exchange servers). Click Next.

3. Select MX record associated with recipient domain. Click Next.


4. In Address Space windows, select SMTP under Type and allow all emails to be sent
through this connector by entering * under FQDN, and 1 under Cost. Click Save.

5. In Select a Server windows, select server which is responsible for sending email. Select
add button to add the server. Click OK.

6. Click Finish to complete the Send Connector configuration.


Lab 2.2 – Configure Certificate for Exchange Server


Configuring certificate for Exchange Server is an important step for hybrid deployment. As said
previously, you must purchase certificate from internationally trusted third-party provider. Below
is the list of providers that Microsoft recommends:

We already purchased a wildcard certificate and imported onto Exchange Server virtual
machine. Now you need to open Exchange admin center to verify that certificate. Perform the
following steps:

1. Open the Exchange admin center. Select servers > certificates.

2. Select your imported certificate and select the edit icon.


3. In Exchange Certificate windows, select SMTP and IIS. Click Save.

4. You are asked to overwrite the existing default SMTP certificate. Click Yes.

5. Open PowerShell and execute iisreset /restart command.


6. Verify the certificate with assigned services and other information
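Labs 2.1 and 2.2 can be reproduced and verified in the Exchange Management Shell. The block below is an added example for this edit, not code from the eBook; the server name EX01 and the wildcard subject *.ict24h.info are from the lab, while the connector name is ours.

```powershell
# Added example, not from the eBook. Run in the Exchange Management Shell on EX01.
# The connector name is ours; EX01 and the wildcard subject are from the lab.

# ---- Lab 2.1: Send connector for all domains, routed by the recipient's MX record ----
$connectorName = 'Outbound to Internet'
if (-not (Get-SendConnector -Identity $connectorName -ErrorAction SilentlyContinue)) {
    # Usage Custom, address space SMTP:* with cost 1, MX routing, sourced from EX01
    New-SendConnector -Name $connectorName -Usage Custom `
        -AddressSpaces 'SMTP:*;1' `
        -DNSRoutingEnabled $true `
        -SourceTransportServers 'EX01' | Out-Null
}

# ---- Lab 2.2: bind the wildcard certificate to the SMTP and IIS services ----
$cert = Get-ExchangeCertificate -Server 'EX01' |
    Where-Object { $_.Subject -like 'CN=*.ict24h.info*' -and "$($_.Status)" -eq 'Valid' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No valid *.ict24h.info certificate on EX01; import the PFX from Lab 1.1 first' }

# -Force answers the "overwrite the existing default SMTP certificate" prompt (step 4)
Enable-ExchangeCertificate -Server 'EX01' -Thumbprint $cert.Thumbprint -Services 'SMTP', 'IIS' -Force
iisreset /restart | Out-Null

# ---- Verify: the wildcard shows SMTP and IIS under Services, the connector exists ----
Get-ExchangeCertificate -Server 'EX01' |
    Format-Table Thumbprint, Services, Subject, NotAfter, Status -AutoSize
Get-SendConnector -Identity $connectorName |
    Format-List Name, AddressSpaces, DNSRoutingEnabled, SourceTransportServers, RequireTLS
```

Status must read Valid, which means the Comodo chain is trusted on EX01; a certificate that shows Untrusted here is also the one the Hybrid Configuration Wizard in Lab 2.4 will reject for secure mail transport.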


Your certificate is now configured. Next you need to publish the Exchange service over the
Internet through the Web Application Proxy you configured in Lab 1.3.

Lab 2.3 – Publish Exchange Service

To publish Exchange service over the Internet, you need to use public IP address and Web
Application Proxy. Perform the following steps:

1. Log into internet domain control panel, create record A mail.ict24h.info then point to the
WAP01 virtual machine’s public IP address.

2. Create a new CNAME autodiscover.ict24h.info which is pointed to mail.ict24h.info.


3. Create an MX record with priority 20, pointed to mail.ict24h.info.


4. Open Exchange admin center. Select server > virtual directories. The external URL
is blank. Click edit icon and add EX01 virtual machine which is the Exchange Server you
prepared at the beginning. Click OK.

5. Enter external DNS address. Click save.

6. Repeat from step 4 – 5 for other virtual directories in your Exchange Server.
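Steps 4 to 6 repeat the same edit for every virtual directory, so the block below sets all of them in one pass and then checks the DNS records from steps 1 to 3. It is an added example for this edit, not code from the eBook; the host names mail.ict24h.info and autodiscover.ict24h.info and the server EX01 are from the lab, and it runs in the Exchange Management Shell.

```powershell
# Added example, not from the eBook. Run in the Exchange Management Shell on EX01.
# Host names mail.ict24h.info / autodiscover.ict24h.info and server EX01 are from the lab.
$server = 'EX01'
$ext    = 'https://mail.ict24h.info'

# External URL for every client-access virtual directory on the server
Get-OwaVirtualDirectory         -Server $server | Set-OwaVirtualDirectory         -ExternalUrl "$ext/owa"
Get-EcpVirtualDirectory         -Server $server | Set-EcpVirtualDirectory         -ExternalUrl "$ext/ecp"
Get-WebServicesVirtualDirectory -Server $server | Set-WebServicesVirtualDirectory -ExternalUrl "$ext/EWS/Exchange.asmx"
Get-ActiveSyncVirtualDirectory  -Server $server | Set-ActiveSyncVirtualDirectory  -ExternalUrl "$ext/Microsoft-Server-ActiveSync"
Get-OabVirtualDirectory         -Server $server | Set-OabVirtualDirectory         -ExternalUrl "$ext/OAB"
Get-MapiVirtualDirectory        -Server $server | Set-MapiVirtualDirectory        -ExternalUrl "$ext/mapi"

# Autodiscover is a server attribute rather than a virtual-directory URL
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri 'https://autodiscover.ict24h.info/Autodiscover/Autodiscover.xml'

# Review: InternalUrl and ExternalUrl side by side
@(
    Get-OwaVirtualDirectory         -Server $server
    Get-EcpVirtualDirectory         -Server $server
    Get-WebServicesVirtualDirectory -Server $server
    Get-ActiveSyncVirtualDirectory  -Server $server
    Get-OabVirtualDirectory         -Server $server
    Get-MapiVirtualDirectory        -Server $server
) | Format-Table Identity, InternalUrl, ExternalUrl -AutoSize

# Public DNS records from steps 1-3 must resolve before the Remote Connectivity
# Analyzer test will pass. -DnsOnly restricts the lookup to DNS (no LLMNR/NetBIOS).
Resolve-DnsName -Name 'mail.ict24h.info'         -Type A     -DnsOnly | Format-Table Name, Type, IPAddress
Resolve-DnsName -Name 'autodiscover.ict24h.info' -Type CNAME -DnsOnly | Format-Table Name, Type, NameHost
Resolve-DnsName -Name 'ict24h.info'              -Type MX    -DnsOnly | Format-Table Name, Preference, NameExchange
```

Every ExternalUrl host must be a name on the wildcard certificate, and the A record must point at WAP01's public address rather than at EX01, since EX01 is only ever reached through the proxy.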


You need to configure Web Application Proxy to publish Exchange service over the Internet.
Perform the following steps:

1. Open Remote Access Management on the WAP01 virtual machine.

2. In the Welcome page, click Next.

3. In Preauthentication page, select Pass-through option.


4. In Publishing Setting page, enter name of the new publishing for your Exchange
service, including external URL and backend server URL. Make sure wildcard SSL
certificate is chosen because this is used over the Internet. Click Next.

5. In Results page, you will receive message “Web application published successfully”.
Select Close.
6. You need to repeat step 1 – 5 for other services.
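"Repeat steps 1 to 5 for other services" is a loop when done from PowerShell on WAP01. The block below is an added example for this edit, not code from the eBook; the external names mail.ict24h.info and autodiscover.ict24h.info and the backend EX01 are from the lab, the backend FQDN ex01.ict24h.info is assumed, and the application names and the set of published paths are ours.

```powershell
# Added example, not from the eBook. Runs on WAP01. External host names and the
# backend server EX01 are from the lab; application names and paths are ours.
$externalHost = 'https://mail.ict24h.info'
$backendHost  = 'https://ex01.ict24h.info'     # assumed backend FQDN of EX01

$thumb = (Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=*.ict24h.info*' -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1).Thumbprint
if (-not $thumb) { throw 'Wildcard certificate not found on WAP01' }

# One pass-through application per client-access path. Only the listed paths are
# reachable from the Internet; anything else on EX01 stays unpublished. Pass-through
# means WAP does no pre-authentication, so Exchange itself authenticates every request.
$apps = @(
    @{ Name = 'Exchange OWA';        Ext = "$externalHost/owa/";                         Back = "$backendHost/owa/" }
    # /ecp/ serves OWA options but is also the admin center login: publish only if needed
    @{ Name = 'Exchange ECP';        Ext = "$externalHost/ecp/";                         Back = "$backendHost/ecp/" }
    @{ Name = 'Exchange EWS';        Ext = "$externalHost/EWS/";                         Back = "$backendHost/EWS/" }
    @{ Name = 'Exchange OAB';        Ext = "$externalHost/OAB/";                         Back = "$backendHost/OAB/" }
    @{ Name = 'Exchange MAPI';       Ext = "$externalHost/mapi/";                        Back = "$backendHost/mapi/" }
    @{ Name = 'Exchange ActiveSync'; Ext = "$externalHost/Microsoft-Server-ActiveSync/"; Back = "$backendHost/Microsoft-Server-ActiveSync/" }
    # Autodiscover is reached through its own CNAME (Lab 2.3 step 2), so its external
    # URL uses that host name.
    @{ Name = 'Exchange Autodiscover'; Ext = 'https://autodiscover.ict24h.info/Autodiscover/'; Back = "$backendHost/Autodiscover/" }
)

foreach ($app in $apps) {
    if (Get-WebApplicationProxyApplication -Name $app.Name -ErrorAction SilentlyContinue) {
        Write-Host "$($app.Name) already published, skipping"
        continue
    }
    Add-WebApplicationProxyApplication -Name $app.Name `
        -ExternalPreauthentication PassThrough `
        -ExternalUrl $app.Ext `
        -BackendServerUrl $app.Back `
        -ExternalCertificateThumbprint $thumb
}

Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication -AutoSize
```

The backend URL's host must match the name on the certificate EX01 presents on port 443 (the wildcard from Lab 2.2), otherwise WAP refuses the backend connection; the path on both sides must be the same because WAP does not rewrite it.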

Publishing is now configured. To verify the connection, Microsoft provides a tool named
Microsoft Remote Connectivity Analyzer (http://testconnectivity.microsoft.com). On the website,
select Exchange Server, then select Exchange ActiveSync Autodiscover and click Next on
the right.


Fill all information the tool asks and select Perform Test. If the result is green then your
Exchange is publicly available over the Internet.

Lab 2.4 – Configure Hybrid Wizard Config

Before this lab, make sure you have completed Labs 2.1 to 2.3 without any error, especially the
certificate-related steps. Now you need to establish a hybrid connection between your
Exchange Server and Office 365.

1. Open Exchange Admin Center, select hybrid. Click enable.

2. There is a popup providing you a link to sign in to Office 365


3. Log into the Office 365 portal with your administrator account.

4. You will be redirected to a new page asking you to download the Microsoft Office 365 Hybrid
Configuration Wizard. Click click here.

5. Select Install when you receive security warning.


6. Wait until the wizard is successfully downloaded.

7. Click Run when you receive a security warning

8. Office 365 Hybrid Configuration windows appears. Click Next.


9. The wizard can automatically detect Exchange Server virtual machine which is playing
CAS role. In this case, it’s EX01 virtual machine. If you have more than one virtual
machine, select Specify a server running Exchange 2013 CAS or Exchange 2016.
Click next.

10. In Credentials page, Office 365 Hybrid wizard asks you to provide domain administrator
account and Office 365 administrator account. Click next.


11. The wizard will validate the credential and connection. Click next

12. In Hybrid Configuration page, select Configure my Client Access and Mailbox
servers for secure mail transport (typical). If you want to have centralized mail
transport, select Enable centralized mail transport option. Microsoft already explained
what this feature is in the page. Click next.

13. In Receive Connector Configuration page, select your Exchange virtual machine to host
the Receive connector. Click Next.

14. In Send Connector Configuration page, select your Exchange virtual machine to host
the Send connector. Click Next.

15. In Organization FQDN page, select the FQDN of your on-premises Exchange virtual
machine. This configures the outbound mail connector that routes email from Exchange
Online to the on-premises organization.

16. In Ready for Update page, click update.

17. In Configuring… page, you can follow the progress of the configuration.

Now the configuration is done. To verify whether it succeeded, perform
the following steps:

1. Open Exchange admin center. Select organization. Click the sharing tab.

2. Select mail flow. Select accepted domains to verify the newly added domain; in our case
it is ict24happs.mail.onmicrosoft.com.

3. Select recipients. Select mailboxes and open any mailbox: you will see the new SMTP
address from Exchange Online.

4. Select mail flow. Select send connectors. A new Send connector named
Outbound to Office 365 was added automatically after the hybrid
configuration succeeded.

5. If you edit this new Send connector, you will see both addresses, from your on-premises
Exchange and from Exchange Online.

6. Next, test by migrating a mailbox from your on-premises Exchange to Office 365.
From Exchange admin center, select Office 365 from the top bar.

7. Select recipients. Select migration. Click the plus icon to add a new migration.

8. There are two migration options: migration from your on-premises organization to Office 365
and vice versa. Select the first option.

9. From the window, select Remote move migration (supported by Exchange Server 2010
and later versions) for the experiment. Click Next.

10. Select the on-premises account you want to migrate. Click OK.

11. Enter the username and password of the administrator account. Click Next.

12. Enter the FQDN of your on-premises Exchange virtual machine where the Mailbox
Replication Service (MRS) Proxy is enabled.

13. From the window, name your migration batch and select the Exchange Online address
under Target delivery domain. Select the Move the primary mailbox and the archive
mailbox if one exists option and enter the bad item limit you want.

14. Select the recipient who receives the report after the batch completes. Select
Automatically start the batch and Automatically complete the migration batch
depending on your expectation.

15. Wait until the status is Completed.

You have now completed the migration test that verifies the hybrid configuration. As seen, once hybrid is
successfully configured you can work with both on-premises Exchange and Exchange Online in
the same experience.
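The following PowerShell is an added example, not code from the eBook, that performs the same verification and the same remote-move test from the command line instead of the EAC. The routing domain ict24happs.mail.onmicrosoft.com comes from the lab; the published Exchange FQDN mail.ict24h.info, the CSV path C:\Temp\migrate.csv and the notification address admin@ict24h.info are assumptions. The first function runs in the on-premises Exchange Management Shell; the second runs in an Exchange Online PowerShell session, which is where the EAC migration steps above operate.

```powershell
# Added example (not from the eBook). Part 1 runs in the on-premises Exchange
# Management Shell; Part 2 runs in an Exchange Online PowerShell session.
# Assumed values: mail.ict24h.info (published Exchange FQDN hosting the MRS Proxy),
# C:\Temp\migrate.csv (one column, header "EmailAddress"), admin@ict24h.info.

$RoutingDomain = 'ict24happs.mail.onmicrosoft.com'   # from the lab

# ---- Part 1: on-premises checks (Exchange Management Shell) ----
function Test-HybridOnPrem {
    param([string]$RoutingDomain)

    # The object the Hybrid Configuration Wizard writes to Active Directory.
    $hybrid = Get-HybridConfiguration
    if (-not $hybrid) { throw 'No HybridConfiguration object found; the wizard did not run to completion.' }
    $hybrid | Format-List ClientAccessServers, SendingTransportServers, ReceivingTransportServers, Domains, Features

    # The tenant routing domain must be an accepted domain on-premises.
    if (-not (Get-AcceptedDomain | Where-Object { $_.DomainName -eq $RoutingDomain })) {
        throw "Accepted domain $RoutingDomain is missing."
    }

    # The Send connector the wizard created. TLS must be required, otherwise
    # mail to Exchange Online could be relayed in clear text.
    $sc = Get-SendConnector -Identity 'Outbound to Office 365'
    $sc | Format-List AddressSpaces, SmartHosts, RequireTLS, TlsAuthLevel, TlsDomain
    if (-not $sc.RequireTLS) { Write-Warning 'Outbound to Office 365 does not require TLS.' }

    # Every mailbox needs an <alias>@<routing domain> proxy address, otherwise Exchange
    # Online cannot route mail for that user back on-premises after a move.
    $missing = @(Get-Mailbox -ResultSize Unlimited | Where-Object {
        -not ($_.EmailAddresses | Where-Object { "$_" -like "smtp:*@$RoutingDomain" })
    })
    if ($missing.Count) {
        Write-Warning "Mailboxes without a $RoutingDomain address (check the email address policy):"
        $missing | Select-Object -ExpandProperty PrimarySmtpAddress
    }
    return ($missing.Count -eq 0)
}

# ---- Part 2: remote move batch (Exchange Online PowerShell) ----
function Start-PilotRemoteMove {
    param(
        [string]$RoutingDomain,
        [string]$MrsProxyFqdn = 'mail.ict24h.info',      # assumption
        [string]$CsvPath      = 'C:\Temp\migrate.csv',   # assumption
        [string]$NotifyEmail  = 'admin@ict24h.info',     # assumption
        [string]$BatchName    = 'PilotBatch01'
    )
    # On-premises credentials are used by Exchange Online to reach the MRS Proxy.
    $onPremCred = Get-Credential -Message 'On-premises administrator (DOMAIN\user)'

    # Same probe the EAC runs before it accepts the MRS Proxy FQDN (step 12 above).
    Test-MigrationServerAvailability -ExchangeRemoteMove -RemoteServer $MrsProxyFqdn -Credentials $onPremCred

    $endpoint = Get-MigrationEndpoint -Identity 'OnPrem-MRSProxy' -ErrorAction SilentlyContinue
    if (-not $endpoint) {
        $endpoint = New-MigrationEndpoint -ExchangeRemoteMove -Name 'OnPrem-MRSProxy' `
            -RemoteServer $MrsProxyFqdn -Credentials $onPremCred
    }

    # Steps 13-14 above: target delivery domain, bad item limit, report recipient, auto start.
    # -AutoComplete is left off so the batch pauses before the final switch-over.
    New-MigrationBatch -Name $BatchName -SourceEndpoint $endpoint.Identity `
        -TargetDeliveryDomain $RoutingDomain `
        -CSVData ([System.IO.File]::ReadAllBytes($CsvPath)) `
        -BadItemLimit 10 -NotificationEmails $NotifyEmail -AutoStart

    # Step 15: check the batch until it reports Synced or Completed.
    return Get-MigrationBatch -Identity $BatchName |
        Select-Object Identity, Status, TotalCount, SyncedCount, FailedCount
}
```

Run `Test-HybridOnPrem -RoutingDomain $RoutingDomain` on the Exchange server first; it returns `$true` only when every mailbox already carries the routing-domain address, which is the condition the EAC checks implicitly in step 3 of the verification list. Then run `Start-PilotRemoteMove -RoutingDomain $RoutingDomain` in the Exchange Online session and re-run `Get-MigrationBatch` until the status reaches Completed.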

Lab 3 – Skype for Business Hybrid Configuration


In this lab, we will walk through the installation of the prerequisites for a Skype for Business
deployment, and then the hybrid configuration.

Lab 3.1 – Install Skype for Business Server Admin Tool

Before the hybrid deployment, you need to install the features and roles required for Skype for
Business 2015, including its prerequisites. Perform the following steps:

1. Log into the virtual machine on which you are going to deploy Skype for Business 2015.

2. Open PowerShell to install the features and roles required for a Skype for Business 2015
deployment (this is a single command; the backticks continue the line):

Add-WindowsFeature NET-Framework-Core, RSAT-ADDS, Windows-Identity-Foundation, Web-Server, `
    Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Dir-Browsing, Web-Asp-Net, Web-Net-Ext, `
    Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, `
    Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, `
    Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, `
    Web-Scripting-Tools, Web-Mgmt-Compat, Server-Media-Foundation, BITS

3. Now you need to create a file share, because Skype for Business 2015 requires one in
order to exchange files among servers.

4. Grant Full Control, Change and Read permissions on this file share to the domain
administrator account.

5. Open the DVD where the Skype for Business Server 2015 installation source is stored. Run
setup.exe or let it autorun.

6. From the Skype for Business Server 2015 installation window, select Don't check for
updates right now. Specify the installation location, then click Install.

7. In License Agreement page, read the licensing agreement carefully. Select I accept the
terms in the license agreement. Click OK.

8. In Install Administrative Tools page, click Next.

9. Wait until the installation is complete. Click Finish.

You have successfully installed the administrative tools for the Skype for Business Server 2015
deployment. Now you need to prepare Active Directory with the help of the
Deployment Wizard. Perform the following steps:

1. From the Deployment Wizard, click Prepare Active Directory.


2. From Step 1: Prepare Schema, click Run.

3. Wait until the schema preparation process is complete. Click Finish.

4. From Step 3: Prepare Current Forest, click Run.

5. In Prepare Forest page, click Next.

6. In Universal Group Location page, select Local domain. Click Next.

7. The final step is to add the domain administrator to the CSAdministrator group.


Lab 3.2 – Install Skype for Business Server 2015

In this lab, we are going to install and configure Skype for Business Server 2015 in an on-
premises environment. The lab topology consists of two virtual machines: a Front End Pool and
an Edge Server. Before the lab, create internal DNS records as follows:

Type  Record name                          Points to
A     sfb.ict24h.info                      Front End server: 192.168.1.8
A     lyncdiscover.ict24h.info             Internal mobile clients use the public IP of the Front End: 125.253.124.163
A     lyncdiscoverinternal.ict24h.info     Front End server: 192.168.1.8
A     dialin.ict24h.info                   Front End server: 192.168.1.8
A     meeting.ict24h.info                  Front End server: 192.168.1.8
A     admin.ict24h.info                    Front End server: 192.168.1.8
A     edge.ict24h.info                     Edge server: 192.168.1.9
A     sip.ict24h.info                      Front End server: 192.168.1.8
SRV   _xmpp-server._tcp.ict24h.info        sip.ict24h.info, port 5269
SRV   _sipinternaltls._tcp.ict24h.info     sip.ict24h.info, port 5061
SRV   _sipfederationtls._tcp.ict24h.info   sip.ict24h.info, port 5061

Create external DNS records as follows:

Type  Record name                          Points to
A     lyncdiscover.ict24h.info             TMG public IP: 125.253.124.163
A     sfb.ict24h.info                      TMG public IP: 125.253.124.163
A     edge.ict24h.info                     Edge public IP: 125.253.124.164
A     dialin.ict24h.info                   TMG public IP: 125.253.124.163
A     meeting.ict24h.info                  TMG public IP: 125.253.124.163
A     sip.ict24h.info                      Edge public IP: 125.253.124.164
SRV   _sip._tls.ict24h.info                sip.ict24h.info, port 5061
SRV   _xmpp-server._tcp.ict24h.info        sip.ict24h.info, port 5269
SRV   _sipfederation._tcp.ict24h.info      sip.ict24h.info, port 5061
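A wrong SRV target or port is the most common reason a Skype for Business client cannot sign in or federate, so it pays to check the records before the installation rather than after. The script below is an added example, not from the eBook: it resolves every record from the two tables with Resolve-DnsName and compares the answer with the expected target. The names and addresses are the lab's own; the public resolver 8.8.8.8 used for the external zone is an assumption, and you can substitute any resolver outside your network.

```powershell
# Added example (not from the eBook): resolve every record in the tables above and
# compare the answer with the expected target. Names and addresses are the lab's own.
# Run on a domain-joined host for the internal zone; pass -Server with a resolver
# outside your network for the external zone.

$InternalRecords = @(
    @{ Name = 'sfb.ict24h.info';                    Type = 'A';   Expect = '192.168.1.8' },
    @{ Name = 'lyncdiscover.ict24h.info';           Type = 'A';   Expect = '125.253.124.163' },
    @{ Name = 'lyncdiscoverinternal.ict24h.info';   Type = 'A';   Expect = '192.168.1.8' },
    @{ Name = 'dialin.ict24h.info';                 Type = 'A';   Expect = '192.168.1.8' },
    @{ Name = 'meeting.ict24h.info';                Type = 'A';   Expect = '192.168.1.8' },
    @{ Name = 'admin.ict24h.info';                  Type = 'A';   Expect = '192.168.1.8' },
    @{ Name = 'edge.ict24h.info';                   Type = 'A';   Expect = '192.168.1.9' },
    @{ Name = 'sip.ict24h.info';                    Type = 'A';   Expect = '192.168.1.8' },
    @{ Name = '_xmpp-server._tcp.ict24h.info';      Type = 'SRV'; Expect = 'sip.ict24h.info'; Port = 5269 },
    @{ Name = '_sipinternaltls._tcp.ict24h.info';   Type = 'SRV'; Expect = 'sip.ict24h.info'; Port = 5061 },
    @{ Name = '_sipfederationtls._tcp.ict24h.info'; Type = 'SRV'; Expect = 'sip.ict24h.info'; Port = 5061 }
)

$ExternalRecords = @(
    @{ Name = 'lyncdiscover.ict24h.info';           Type = 'A';   Expect = '125.253.124.163' },
    @{ Name = 'sfb.ict24h.info';                    Type = 'A';   Expect = '125.253.124.163' },
    @{ Name = 'edge.ict24h.info';                   Type = 'A';   Expect = '125.253.124.164' },
    @{ Name = 'dialin.ict24h.info';                 Type = 'A';   Expect = '125.253.124.163' },
    @{ Name = 'meeting.ict24h.info';                Type = 'A';   Expect = '125.253.124.163' },
    @{ Name = 'sip.ict24h.info';                    Type = 'A';   Expect = '125.253.124.164' },
    @{ Name = '_sip._tls.ict24h.info';              Type = 'SRV'; Expect = 'sip.ict24h.info'; Port = 5061 },
    @{ Name = '_xmpp-server._tcp.ict24h.info';      Type = 'SRV'; Expect = 'sip.ict24h.info'; Port = 5269 },
    @{ Name = '_sipfederation._tcp.ict24h.info';    Type = 'SRV'; Expect = 'sip.ict24h.info'; Port = 5061 }
)

function Test-SfbDnsRecords {
    param(
        [Parameter(Mandatory)][hashtable[]]$Records,
        [string]$Server            # optional resolver; omit to use the host's configured DNS
    )
    foreach ($r in $Records) {
        $err = $null
        # -DnsOnly bypasses the hosts file and LLMNR so only the DNS zone is tested.
        $query = @{ Name = $r.Name; Type = $r.Type; DnsOnly = $true; ErrorAction = 'Stop' }
        if ($Server) { $query.Server = $Server }
        try {
            # Keep only answers of the requested type (CNAME chains add extra rows).
            $answers = @(Resolve-DnsName @query | Where-Object { $_.Type -eq $r.Type })
        } catch {
            $answers = @()
            $err = $_.Exception.Message
        }
        switch ($r.Type) {
            'A' {
                $actual = ($answers | ForEach-Object { $_.IPAddress }) -join ', '
                $ok = [bool]($answers | Where-Object { $_.IPAddress -eq $r.Expect })
            }
            'SRV' {
                $actual = ($answers | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
                $ok = [bool]($answers | Where-Object { $_.NameTarget -eq $r.Expect -and $_.Port -eq $r.Port })
            }
        }
        [pscustomobject]@{
            Record   = $r.Name
            Type     = $r.Type
            Expected = if ($r.Type -eq 'SRV') { "$($r.Expect):$($r.Port)" } else { $r.Expect }
            Actual   = if ($answers.Count) { $actual } else { "no answer ($err)" }
            OK       = $ok
        }
    }
}

# Internal zone from inside the network, external zone through a public resolver (assumption: 8.8.8.8).
Test-SfbDnsRecords -Records $InternalRecords | Format-Table -AutoSize
Test-SfbDnsRecords -Records $ExternalRecords -Server '8.8.8.8' | Format-Table -AutoSize
```

Any row with OK set to False, or an Actual of "no answer", should be fixed in DNS before you continue with the topology; the internal lyncdiscover record deliberately points at the public IP, as the table above states, so that row is expected to show 125.253.124.163.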

Perform the following steps to install the Front End Pool server on the SFB virtual machine
(sfb.ict24h.info):

1. Open the DVD source. Navigate to the amd64 folder (under the Setup folder) and install SQL
Express Edition (SQLEXPR_x64).

2. Install SQL Express with the instance name RTC. After the installation is complete, go
to SQL Server Configuration Manager and enable TCP/IP so that your SQL Express instance can
communicate over the TCP/IP protocol.

3. You also need to verify the default port 1433 and make sure SQL Server Browser is
running in Automatic mode.

4. Now you need to design and publish the topology for your Skype for Business Server 2015.
This is done with the Skype for Business Server Topology Builder tool you installed in
Lab 3.1. Run Topology Builder, select New Topology and click OK.

5. Specify the location to store the topology configuration file, and name your topology.

6. In Define the primary domain page, enter your primary SIP domain. Click Next.

7. In Specify additional supported domains page, if you have no additional SIP domain,
leave it blank and select Next.

8. In Define the first site page, enter your site name. Select Next.

9. In Specify site details page, provide more information about your new site. Select Next.


10. In New topology was successfully defined page, select Open the New Front End
Wizard when this wizard closes in order to start defining the Front End Pool server.
Click Finish.

11. In Define the New Front End pool page, click Next.


12. In Define the Front End pool FQDN page, enter FQDN of your SFB virtual machine.
Select Standard Edition Server. Click Next.

13. In Select features page, select Conferencing (includes audio, video, and
application sharing). Select Call Admission Control. We need these only for the lab
experience and testing. Click Next.

14. In Select collocated server roles and Associate server roles with this Front End
pool pages, you can assign more roles to the Front End pool you are configuring.

15. In Define the SQL Server store page, select the SQL Express instance you
configured. Click Next.

16. In Define the file store page, enter file server FQDN and file share. Click Next.


17. In Specify the Web Services URL page, enter external base URL. Click Next.

18. In Select an Office Web App Server page, if you have a server hosting Office Web Apps,
select it; otherwise leave it blank. Click Finish.

19. Once you are done, the Topology Builder window shows an active status (green icon).

20. Right click on Skype for Business Server 2015. Select Topology > Publish.


21. In Publish the topology page, click Next.

22. In Select Central Management Server page, select Front End pool server you just
configured.

23. In Publishing wizard complete page, you may need to click to open the to-do list. Otherwise
click Finish.

You have completed the tasks of defining the Front End Pool server and publishing the topology. Perform the
following steps to start installing Skype for Business Server 2015:

1. On the SFB virtual machine, run the Skype for Business Server 2015 Deployment Wizard. Click
Install or Update Skype for Business Server System.

2. In Install or update member system page, click Run from Step 1: Install Local
Configuration Store.

3. In Configure Local Replica of Central Management Store page, select Retrieve
directly from the Central Management store (requires read access to the Central
Management store). Click Next.


4. In Executing Commands page, wait until the process is complete. Click Finish.

5. Now you need to install the Skype for Business Server components. Click Run from
Step 2.

6. In Set Up Skype for Business Server Components page, click Next.

7. In Executing Commands page, wait until the process is complete. Click Finish.


8. From Step 3: Request, Install or Assign Certificate, click Run.

9. From the Certificate Wizard window, select Import Certificate to import the certificate you
purchased (in this case from Comodo).

10. Browse to your certificate and enter the password of the private key you set earlier. Click
Next.

11. In Import Certificate Summary page, review your configuration. Click Next.

12. In Executing Commands page, wait until the process is complete. Click Finish.

13. Back in the Certificate Wizard window, click Assign to assign the certificate to the Front End Pool
server.

14. In Certificate Store page, you will see your wildcard certificate. Click Next.

15. In Certificate Assignment Summary page, review your certificate information again.
Click Next.


16. In Executing Commands page, wait until the process is complete. Click Finish.
17. Repeat the certificate assignment steps for the other web services. Click Close.

18. Back in the Deployment Wizard window, step 4 instructs you to run Start-CsWindowsService
on every server. Open PowerShell and run it.

19. Click Run from Service Status (Optional).

20. Open Services.msc to verify all running services for Skype for Business Server.

21. Click Run from Enable Microsoft Update.


22. In Enable Microsoft Update page, select Use Microsoft Update when I check for
updates (recommended). Click OK.

23. Wait until the process is complete. You have completed the Front End Server
installation.

Now you need to install and configure the Edge Server. Perform the following steps:

1. Because the Edge server is not domain-joined and sits in the DMZ, you need to
configure the Primary DNS suffix on this server.


2. Configure IP address for two network card interfaces on the Edge server.

3. Before installing the Edge server, you need .NET Framework 3.5. Go to Server Manager
and install the feature.

4. Import the wildcard certificate from the Front End to the Edge server. You can refer to the steps in Lab
1.1.

5. On the Front End server (sfb.ict24h.info), run Topology Builder. Right click on Edge
pools and select New Edge Pool.

6. In Define the New Edge Pool page, click Next.

7. Enter the FQDN of the Edge server (in our case edge.ict24h.info) whose IP
addresses you just configured. Select This pool has one server. Click Next.

8. In Enable federation page, select all options. Click Next.

9. In Select features page, select Use a single FQDN and IP address. Click Next.


10. In Select IP options page, enable IPv4 for both internal and external interfaces. Select
The external IP address of this Edge pool is translated by NAT. Click Next.

11. In External FQDNs page, enter the FQDN of your Edge server and the correct ports. Click
Next.

12. In Define the internal IP address page, enter the internal IP address of your Edge
server. Click Next.

13. In Define the external IP address page, enter external IP address of your Edge server.
Click Next.


14. In Define the public IP address page, enter the public IP address of your Edge server.
Click Next.

15. In Define the next hop server page, select Front End Pool. Click Next.

16. In Associate Front End or Mediation pools page, select your Front End pool to
associate with your Edge pool. Click Finish.

17. Review Edge pool information you have completed.


18. Right click on the site name (ICT24h). Select Edit properties. Configure all settings per the
screenshot below. Click OK.

19. Publish the topology again.

20. Export the configuration to a zip file by running the following command in PowerShell:

Export-CsConfiguration -FileName c:\edge.zip

21. Copy the edge.zip file onto the Edge server and start installing Skype for Business Server
2015 on this server.

22. Open the DVD source and run Setup.exe. Select Connect to the internet to check for
updates. Click Install.

23. In Licensing Agreement page, read license terms carefully. Select I accept the terms
in the license agreement. Click OK.

24. From Deployment Wizard on Edge server, select Install or Update Skype for Business
Server System. Click OK.

25. Click Run from step 1


26. Select Import from a file (recommended for Edge Servers) and browse to the
edge.zip file you exported earlier. Click Next.

27. In Executing Commands page, wait until the process is complete. Click Finish.

28. Back in the Deployment Wizard window, click Run from step 2.

29. In Set Up Skype for Business Server Component page, click Next.

30. In Executing Commands page, wait until the process is complete. Click Finish.

31. Next step is to configure certificate. Click Run from step 3.


32. In the Certificate Wizard window, select Edge internal. Click Assign.

33. In Certificate Assignment page, click Next.

34. In Certificate Store page, select your wildcard certificate. Click Next.

35. In Certificate Assignment Summary page, review your certificate information. Click
Next.


36. In Executing Commands page, wait until the process is complete. Click Finish.
37. In Certificate Wizard page, select other web services to assign certificate. Click
Assign.

38. In Certificate Assignment page, click Next.


39. In Certificate Store page, select your wildcard certificate. Click Next.

40. In Certificate Assignment Summary page, review your certificate information. Click
Next.


41. In Executing Commands page, wait until the process is complete. Review the status in the
Certificate Wizard window again. Click Close.

42. Now open PowerShell, run the Start-CsWindowsService command, and verify all
running services in Services.msc.

43. From the Deployment Wizard, run Windows Update to check for all updates available for Skype
for Business Server 2015.

You have successfully set up and configured Skype for Business Server 2015 on your Edge
server.

Lab 3.3 – Configure Hybrid Mode for Skype for Business Server 2015

Before this lab, make sure you completed the Active Directory Federation Services installation and
configuration in Lab 1.3. Perform the following steps to configure Hybrid mode:

1. On the Front End Server (sfb.ict24h.info), run PowerShell with an administrator account and
run the following commands. When you are asked for your Office 365 credentials, enter the
administrator account:

Import-Module SkypeOnlineConnector
$cred = Get-Credential
$CSSession = New-CsOnlineSession -Credential $cred
Import-PSSession $CSSession -AllowClobber
# Tell the tenant that the SIP address space is shared with the on-premises deployment
Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true

2. Next, run the command below to configure federation (a single command; the backticks
continue the line):

Set-CsHostingProvider -Identity "Skype For Business Online" -EnabledSharedAddressSpace $true `
    -HostsOCSUsers $true -VerificationLevel UseSourceVerification `
    -AutodiscoverUrl https://webdir0f.online.lync.com/Autodiscover/AutodiscoverService.svc/root

3. Open Skype for Business Control Panel and log into Office 365 with administrator
account.

4. Click Set up hybrid with Skype for Business Online


5. In Set up Hybrid with Skype for Business Online windows, click Next.

6. The tool checks whether your on-premises configuration is set up correctly with the
federation service. Make sure all required configuration is verified.

7. Check by moving one user from on-premises Skype for Business to Office 365. Select
User from the left navigation. Choose one user and select Action > Move selected
users to Skype for Business Online.

8. Read Microsoft's guidance carefully. Make sure the user you want to move has a Skype
for Business Online license assigned. Click Next.

9. You will see the status in the window. Click Close.

10. Verify the status in Skype for Business Server control panel.

You have finished setting up Hybrid mode between on-premises Skype for Business Server and Skype
for Business Online.
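The control panel shows the hybrid state one page at a time; the following function is an added example, not from the eBook, that checks the on-premises side of the configuration in one pass from the Skype for Business Server Management Shell on the Front End. It reads back the hosting provider written by the Set-CsHostingProvider command in step 2, the federation settings on the Access Edge configuration (the check that UseDnsSrvRouting and AllowFederatedUsers are enabled is an assumption taken from Microsoft's hybrid prerequisites, not a step of this lab), and counts users per hosting provider so that the test move in step 7 and any unintended moves are both visible.

```powershell
# Added example (not from the eBook): read back the on-premises Skype for Business
# hybrid settings from the Management Shell on the Front End. The hosting provider
# identity "Skype For Business Online" matches step 2 above.

function Test-SfbHybridOnPrem {
    param([string]$HostingProviderIdentity = 'Skype For Business Online')

    $issues = @()

    # Hosting provider created by Set-CsHostingProvider in step 2.
    $hp = Get-CsHostingProvider -Identity $HostingProviderIdentity -ErrorAction SilentlyContinue
    if (-not $hp) {
        $issues += "Hosting provider '$HostingProviderIdentity' not found."
    } else {
        if (-not $hp.Enabled)                   { $issues += 'Hosting provider is disabled.' }
        if (-not $hp.EnabledSharedAddressSpace) { $issues += 'EnabledSharedAddressSpace is false.' }
        if (-not $hp.HostsOCSUsers)             { $issues += 'HostsOCSUsers is false.' }
        if ($hp.VerificationLevel -ne 'UseSourceVerification') {
            $issues += "VerificationLevel is $($hp.VerificationLevel), expected UseSourceVerification."
        }
        if (-not $hp.AutodiscoverUrl)           { $issues += 'AutodiscoverUrl is empty.' }
    }

    # Assumption (Microsoft hybrid prerequisites): federation and DNS SRV routing must
    # be enabled on the Access Edge for the shared SIP address space to route.
    $edge = Get-CsAccessEdgeConfiguration
    if (-not $edge.AllowFederatedUsers) { $issues += 'AllowFederatedUsers is false on the Access Edge.' }
    if (-not $edge.UseDnsSrvRouting)    { $issues += 'UseDnsSrvRouting is false on the Access Edge.' }

    # Where users live: on-premises users carry HostingProvider "SRV:", users moved to
    # Office 365 carry the Online provider FQDN. This confirms the test move in step 7
    # and exposes any user that was moved unintentionally.
    $users = Get-CsUser -ResultSize Unlimited |
        Group-Object HostingProvider |
        Select-Object @{ n = 'HostingProvider'; e = { $_.Name } }, Count

    [pscustomobject]@{
        Healthy = ($issues.Count -eq 0)
        Issues  = $issues
        Users   = $users
    }
}

$result = Test-SfbHybridOnPrem
$result.Issues
$result.Users | Format-Table -AutoSize
```

An empty Issues list together with a Users table that shows exactly the accounts you moved is the on-premises half of a healthy hybrid; the online half (the SharedSipAddressSpace flag set in step 1) can be read back with Get-CsTenantFederationConfiguration in the same remote session you opened in step 1.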

The last step is to publish your on-premises Skype for Business Server over the Internet and
test its functionality for both types of users: on-premises and online. Before doing that, make sure
your firewall rules are configured correctly for the required ports:

Public IP        Public port  Private IP   Private port  Reason
125.253.124.163  443/TCP      192.168.1.8  4443/TCP      Lync Web Services, Dial-In, Web App, Address Book
125.253.124.164  443-444/TCP  172.16.1.9   443-444/TCP   A/V Edge (443), Web Conferencing (444)
125.253.124.164  5269/TCP     172.16.1.9   5269/TCP      XMPP (eXtensible Messaging and Presence Protocol) federation
125.253.124.164  3478/UDP     172.16.1.9   3478/UDP      STUN, required for PIC
125.253.124.164  5061/TCP     172.16.1.9   5061/TCP      Access Edge (5061), SIP federated connectivity
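Once the TMG rules below are in place, the table above is exactly what an outside host should see: those ports open, nothing else, and each TLS listener presenting the wildcard certificate from Lab 3.2. The script below is an added example, not from the eBook, to be run from a machine outside your network after publishing. The public IPs and ports are the lab's; the expected certificate name pattern (*ict24h.info*) and the SNI names passed for each listener are assumptions. UDP 3478 cannot be verified with a TCP connect, so it is only listed, and a TLS handshake failure on 5061 is reported rather than treated as fatal because the Access Edge may insist on a client certificate.

```powershell
# Added example (not from the eBook): probe the published TCP ports from the table
# above from an outside host and inspect the certificate each TLS listener presents.
# IPs and ports are the lab's; the certificate name pattern and SNI values are assumptions.

$Published = @(
    @{ Ip = '125.253.124.163'; Port = 443;  Proto = 'TCP'; Tls = $true;  Sni = 'sfb.ict24h.info'; Reason = 'Web services (TMG)' },
    @{ Ip = '125.253.124.164'; Port = 443;  Proto = 'TCP'; Tls = $true;  Sni = 'sip.ict24h.info'; Reason = 'A/V Edge' },
    @{ Ip = '125.253.124.164'; Port = 444;  Proto = 'TCP'; Tls = $true;  Sni = 'sip.ict24h.info'; Reason = 'Web Conferencing' },
    @{ Ip = '125.253.124.164'; Port = 5061; Proto = 'TCP'; Tls = $true;  Sni = 'sip.ict24h.info'; Reason = 'Access Edge / SIP federation' },
    @{ Ip = '125.253.124.164'; Port = 5269; Proto = 'TCP'; Tls = $false; Sni = $null;             Reason = 'XMPP federation' },
    @{ Ip = '125.253.124.164'; Port = 3478; Proto = 'UDP'; Tls = $false; Sni = $null;             Reason = 'STUN (A/V)' }
)

function Get-TlsListenerCertificate {
    param([string]$Ip, [int]$Port, [string]$Sni)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Ip, $Port)
        # The callback accepts the handshake so the certificate can be read; trust is
        # evaluated explicitly in Test-PublishedPorts, not by this callback.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Sni)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
        return $cert
    } finally {
        $tcp.Close()
    }
}

function Test-PublishedPorts {
    param([hashtable[]]$Targets, [string]$ExpectedCertPattern = '*ict24h.info*')
    foreach ($t in $Targets) {
        $row = [ordered]@{
            Target = "$($t.Ip):$($t.Port)/$($t.Proto)"; Reason = $t.Reason
            Open = $null; CertSubject = ''; DaysLeft = ''; CertOK = ''
        }
        if ($t.Proto -ne 'TCP') {
            # A TCP connect says nothing about UDP; use a client sign-in or a STUN tool.
            $row.Open = 'n/a (UDP)'
            [pscustomobject]$row
            continue
        }
        $row.Open = Test-NetConnection -ComputerName $t.Ip -Port $t.Port `
            -InformationLevel Quiet -WarningAction SilentlyContinue
        if ($row.Open -and $t.Tls) {
            try {
                $cert = Get-TlsListenerCertificate -Ip $t.Ip -Port $t.Port -Sni $t.Sni
                $row.CertSubject = $cert.Subject
                $row.DaysLeft    = [int]($cert.NotAfter - (Get-Date)).TotalDays
                # Name must match the wildcard, the chain must build, and expiry must be
                # more than 30 days away; any of these failing breaks client sign-in.
                $row.CertOK = ($cert.Subject -like $ExpectedCertPattern) -and
                              $cert.Verify() -and ($row.DaysLeft -gt 30)
            } catch {
                $row.CertOK = "handshake failed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]$row
    }
}

Test-PublishedPorts -Targets $Published | Format-Table -AutoSize
```

Run it once after publishing and again after every certificate renewal; a listener whose Open column is False tells you a TMG rule is missing, while a False CertOK on an open port usually means the wrong certificate was assigned in the Certificate Wizard or the wildcard is about to expire.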

Perform the following steps on the TMG virtual machine you prepared at the beginning of the lab:

1. Create a Network Rule to translate outbound traffic from the Edge server (172.16.1.9) to the
Internet using this IP address: 125.253.124.164 (your IP address may be different).

2. In the firewall policy, create an access rule that allows all traffic for the Edge server.

3. Create Non-Web server publishing rules for the ports listed above by selecting the Tasks tab.
Select Publish Non-Web Server Protocols.

4. In the welcome page, enter a name for the server publishing rule. Click Next.


5. In Select Server page, enter the IP address of your Edge server. Click Next.

6. In Select Protocol page, select SIPS Server. Click Next.

7. In Network Listener IP Addresses page, select External. Click Address...

8. From External Network Listener IP Selection window, select Specified IP
addresses on the Forefront TMG computer in the selected network and enter the public
IP address. Click OK.

9. Review your configuration again. Click Finish.


10. Repeat from step 3 – 9 for other ports: TCP 443 – 444, TCP 5268, UDP 3478.

11. To publish ports 443 and 444, create a publishing rule named AV WebConf with the
inbound port range 443-444.

12. To publish UDP port 3478, create a protocol named STUN Edge. The direction is
Receive Send.

13. To publish TCP port 5269, create a protocol named XMPP Server.

14. From the firewall rules, select Publish Web sites.

15. In the welcome page, enter your web publishing rule name. Select Next.

16. In Publishing Type page, select Publish a single Web site or load balancer. Click
Next.

17. In Server Connection Security page, select Use SSL to connect to the published
Web server or server farm. Click Next.

18. In Internal Publishing Details page, enter the internal site name. Click Next.

19. Enter “/*” to include all files and subfolders.

20. Select This domain name (type below): at Accept requests for setting. Enter the
public domain you configured before with path “/*”. Click Next.


21. Now you need to create a new web listener. In welcome page, enter your web listener
name. Click Next.

22. In Client Connection Security page, select Require SSL secure connections with
clients. Click Next.


23. In Web Listener IP Addresses page, select External. Click Select IP Addresses.

24. From the selection window, select Specified IP addresses on the Forefront TMG
computer in the selected network and add the available IP address. Click OK.

25. In Listener SSL Certificates page, select Assign a certificate for each IP address
and select your IP address. Click Select Certificate.

26. In Select Certificate window, select the wildcard certificate you already imported.
Click Select.

27. Verify information with assigned certificate again in Listener SSL Certificates page.
Click Next.

28. In Authentication Settings page, select No Authentication. Click Next.


29. In Single Sign On Settings page, click Next.

30. In Authentication Delegation page, select No delegation, but client may
authenticate directly. Click Next.

31. In User Sets page, add All Users as the set the rule applies to. Click Next.

32. Go to the Skype for Business 2015 rule and edit its properties on TMG.

33. Click the Bridging tab, select Redirect requests to SSL port and change the port to 4443.
Click OK.

34. Click Public Name tab, add two addresses to the list: dialin.ict24h.info and
meet.ict24h.info.


35. Now test the publishing rule by browsing to meet.ict24h.info. If you are
asked for credentials before calling and chatting, you have completed the Hybrid
configuration for Skype for Business Online.

Lab 4 – SharePoint Hybrid Configuration


In this lab, we will walk through the steps to configure hybrid for SharePoint. We assume that you
have already installed a SharePoint farm before this lab. Hybrid Search is our example, although
there are several hybrid scenarios in SharePoint, including hybrid workflow, which you can
read about here: http://thuansoldier.net/?p=4599

With Search Hybrid, you have the following types:

- Outbound Search: allows users to search information stored in SharePoint Online from
on-premises SharePoint Server.
- Inbound Search: allows users to search information stored in on-premises SharePoint
Server from SharePoint Online.
- Two-way Search: includes both Outbound and Inbound Search.


Perform the following steps to configure SharePoint Search hybrid:

1. The very first step is to establish trust between on-premises SharePoint Server and
Azure Access Control Services. On SharePoint Server, open IIS > Server Certificates.

2. Click Create Self-Signed Certificate from Actions panel.


3. In Specify Friendly Name page, enter name for your certificate. Select Personal. Click
OK.

4. Open the certificate you just created. Click Details tab > Copy to File.

5. In welcome page, click Next.


6. Select Yes, export the private key. Click Next.

7. Select Personal Information Exchange – PKCS #12 (.PFX). Select Include all
certificates in the certification path if possible. Click Next.


8. Add the account that should have access to the certificate and enter a password to protect
the private key. Click Next.

9. Specify the location to store your exported certificate. Click Next.


10. Review all information and click Finish.

11. You then need to import it into the Trusted Root Certification Authorities store.

Now you need to establish the server-to-server (S2S) trust with PowerShell. Perform the following
steps:

1. Open PowerShell and run the following commands:

# Run in the SharePoint Management Shell; the MSOnline cmdlets used below need Connect-MsolService first
$spcn="*.<public_root_domain_name>.com"
$spsite=Get-SPSite <principal_web_application_URL>
$site=Get-SPSite $spsite
$spoappid="00000003-0000-0ff1-ce00-000000000000"       # SharePoint Online application principal ID
$spocontextID = (Get-MsolCompanyInformation).ObjectID   # your tenant (context) ID
$metadataEndpoint = "https://accounts.accesscontrol.windows.net/" + $spocontextID + "/metadata/json/1"

2. The ACS metadata endpoint URL containing your tenant ID is returned.

3. You need to upload the STS certificate to SharePoint Online. The model looks like the
illustration below.

4. Run the following commands in PowerShell:

$cerPath = "<path to replacement certificate (.cer file)>"
# Load the public certificate only; the private key (.pfx) is never sent to Azure AD
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cer.Import($cerPath)
$binCert = $cer.GetRawCertData()
$credValue = [System.Convert]::ToBase64String($binCert)
New-MsolServicePrincipalCredential -AppPrincipalId $spoappid -Type asymmetric -Usage Verify -Value $credValue

5. Update the SPN in Azure Active Directory:

$msp = Get-MsolServicePrincipal -AppPrincipalId $spoappid
$spns = $msp.ServicePrincipalNames
$spns.Add("$spoappid/$spcn")
Set-MsolServicePrincipal -AppPrincipalId $spoappid -ServicePrincipalNames $spns

6. Register the SharePoint Online application principal object ID with your on-premises
SharePoint Server:

$spoappprincipalID = (Get-MsolServicePrincipal -ServicePrincipalName $spoappid).ObjectID
$sponameidentifier = "$spoappprincipalID@$spocontextID"
$appPrincipal = Register-SPAppPrincipal -site $site.rootweb -nameIdentifier $sponameidentifier -displayName "SharePoint Online"

7. Create a new Azure Access Control Service application proxy and Security Token Issuer:

New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri $metadataEndpoint -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $metadataEndpoint -IsTrustBroker:$true -Name "ACS"

You have successfully established the server-to-server trust between your on-premises SharePoint
Server and the identity provider of SharePoint Online.
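The trust just created rests on one fact: the certificate registered on the SharePoint Online principal in Azure AD must be the same certificate your on-premises STS signs tokens with, and no other. The function below is an added example, not from the eBook, that checks this and the other artifacts of steps 4 through 7 in one pass. Run it in the SharePoint Management Shell after Connect-MsolService, with the same $spcn value you used in step 1. The $spoappid value is the one from step 1; reading the local STS signing certificate through (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate is an assumption of this check, as is treating any additional credential on the principal as a finding.

```powershell
# Added example (not from the eBook): verify the S2S trust created in steps 4-7.
# Run in the SharePoint Management Shell after Connect-MsolService.

function Test-SpoServerToServerTrust {
    param(
        [string]$SpoAppId   = '00000003-0000-0ff1-ce00-000000000000',   # from step 1
        [string]$Spcn       = '*.<public_root_domain_name>.com',         # same value as step 1
        [string]$IssuerName = 'ACS'
    )
    $issues = @()

    # 1. Local STS signing certificate (the one exported to .cer in the steps above).
    #    Assumption: the certificate is exposed on LocalLoginProvider.SigningCertificate.
    $stsCert = (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate
    if (-not $stsCert) { $issues += 'No STS signing certificate found on this farm.' }

    # 2. The same certificate must be registered on the SPO principal in Azure AD.
    #    -ReturnKeyValues gives the base64 DER back, so thumbprints can be compared.
    $creds = Get-MsolServicePrincipalCredential -AppPrincipalId $SpoAppId -ReturnKeyValues $true
    $registered = @(foreach ($c in $creds) {
        if ($c.Type -eq 'Asymmetric' -and $c.Value) {
            $x = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
            $x.Import([System.Convert]::FromBase64String($c.Value))
            [pscustomobject]@{ Thumbprint = $x.Thumbprint; NotAfter = $x.NotAfter; KeyId = $c.KeyId }
        }
    })
    if ($stsCert -and -not ($registered | Where-Object { $_.Thumbprint -eq $stsCert.Thumbprint })) {
        $issues += "STS certificate $($stsCert.Thumbprint) is not registered on principal $SpoAppId."
    }
    # Every extra key on the principal is another signer SharePoint Online will accept
    # for this farm; leftovers from earlier attempts should be removed, so report them.
    $stale = @($registered | Where-Object { $stsCert -and $_.Thumbprint -ne $stsCert.Thumbprint })
    if ($stale.Count) { $issues += "Additional credentials on the principal: $($stale.Thumbprint -join ', ')" }

    # 3. The SPN added in step 5.
    $msp = Get-MsolServicePrincipal -AppPrincipalId $SpoAppId
    if ($msp.ServicePrincipalNames -notcontains "$SpoAppId/$Spcn") {
        $issues += "SPN $SpoAppId/$Spcn is missing."
    }

    # 4. Trusted token issuer and ACS proxy from step 7.
    $issuer = Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq $IssuerName }
    if (-not $issuer) {
        $issues += "Trusted security token issuer '$IssuerName' not found."
    } elseif (-not $issuer.IsTrustBroker) {
        $issues += "Issuer '$IssuerName' was not created with -IsTrustBroker."
    }
    if (-not (Get-SPAzureAccessControlServiceApplicationProxy -ErrorAction SilentlyContinue)) {
        $issues += 'No Azure ACS application proxy found.'
    }

    [pscustomobject]@{
        Healthy         = ($issues.Count -eq 0)
        StsThumbprint   = if ($stsCert) { $stsCert.Thumbprint } else { $null }
        RegisteredInAAD = $registered
        Issues          = $issues
    }
}

Test-SpoServerToServerTrust | Format-List
```

If Healthy is False, the Issues list names the step to repeat; in particular a thumbprint mismatch means the .cer uploaded in step 4 was exported from a different certificate than the one the farm's STS is using.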

Now you need to configure Search for testing. Perform the following steps:

1. Open a SharePoint site collection > Site Settings > Search Result Sources.

2. Click New Result Source.


3. Enter a name for the new result source. Select the Remote SharePoint protocol.

4. Enter your SharePoint Online site collection as the Remote Service URL. Select
SharePoint Search Results. Click Save.

5. From Site Settings page, click Search Query Rules.

6. Select the result source you just created from the list of result sources.

7. Enter a name for the search query rule. Select One of these sources and choose the
new result source you just created. Select All categories and All user segments.


8. In Query Conditions setting, select Query Matches Keyword Exactly (for testing
purpose). Click Remove Condition. Then click Add Result Block

9. On the Add Result Block page, under Search this source, select your new result source.


10. Under Settings, select This block is always shown above core results. Click Save.

11. Review your configuration again.

12. Go to your on-premises SharePoint site collection and to SharePoint Online to test hybrid search.


Appendix – Configure Domain in Office 365


This appendix assumes that you have never configured your domain in Office 365, and walks you
through it. Perform the following steps to configure your domain in Office 365 before you set up
hybrid:

1. Log into the Office 365 portal. Select DOMAINS. Click Add domain.


2. You are redirected to an introductory page. Click Let’s get started.

3. Enter your domain. Click Next.

4. Office 365 recognizes the registrar from which you purchased your domain. In our case,
Office 365 recognized GoDaddy. Office 365 then asks you to sign in to the registrar's domain
control panel; in our case, click Sign in to GoDaddy.

5. Enter your credentials on the GoDaddy Login page.


6. On the Confirm Access page, GoDaddy asks you to allow Office 365 to make changes to
the domain. Click Accept.

7. Office 365 automatically completes the domain verification. Click Next.


8. Select the Office 365 users whose domain you want to update. For example, update
admin@ict24happs.onmicrosoft.com to admin@ict24h.info. Click Update selected
users.

9. After you receive confirmation of your update, click Next.

10. Sign out of Office 365: click Sign Out.


11. Sign in to your Office 365 portal with the newly updated account.

12. You are redirected to the DNS update page. Click Next.

13. Select No, I have an existing website or prefer to manage my own DNS records.


14. By default, Office 365 assists you in updating the configuration for Exchange, Skype for
Business and Mobile Device Management. Click Next.

15. The records page lists a number of different records for Office 365. Click Add
records to add a new one.

16. Add your own records for the custom domain.

17. Once you have finished, you are redirected to the final page. Click Finish.


18. On the DOMAINS page, verify the new domain you just added and configured.

--End--
