Step-by-Step Guide to Office 365 Hybrid Deployment

A companion guide to configuring and deploying your Office 365 Hybrid

Written by Thuan Ng, Tung Pham

Published December 29, 2016


About The eBook


The "Step-by-Step Guide to Office 365 Hybrid Deployment" eBook is provided "as is". The
information and views expressed in this eBook, including URL and other web site references, may
change without notice.

This eBook does not grant you ownership rights to any Microsoft product, only the right to use it,
unless explicitly stated in the eBook. "Trial" keys are provided for the single purpose of
experimentation.

If you need any assistance, please feel free to reach us at thuan[at]outlook.com or
tung[at]ict24h.net.

About the Authors

Tung Pham is the Managing Director of ICT24H Online Solution, a certified
Microsoft Cloud Productivity partner in Vietnam. With over 16 years of
experience in the field of information technology & telecommunication,
Tung has helped small to large organizations design and implement
Microsoft products & technologies.

Tung has been recognized as an Office Services & Servers Most Valuable
Professional (MVP) by Microsoft from 2014 until now. He is an active
speaker in the Microsoft Technical community.

Thuan Nguyen is a Subject Matter Expert in Digital Workplace. With over 8
years of experience in the Information Technology and Services industry,
Thuan has been involved in a number of successful Digital Workplace
adoptions for mid-tier and large organizations, including government
agencies.

Thuan has been recognized as a SharePoint Most Valuable Professional
(MVP) by Microsoft 4 years in a row before switching to Office Services
and Servers MVP (from 2015 until now). He has been a guest speaker at a
number of different events and conferences such as SharePoint Saturday
Vietnam, Microsoft SharePoint Day Malaysia, Azure Global Bootcamp,
Business 365 Saturday Singapore and European SharePoint Conference.


Introduction
Inspired by Microsoft, its products and technologies, we put our heads together to write an eBook
that gives you a step-by-step guide to Office 365 Hybrid deployment, because we have seen the huge
trend towards modern collaboration in our work today. We consider ourselves fortunate to have
worked and discussed with a number of different IT executives and CIOs during the three years
before we started writing this eBook.

This eBook is written not only for IT Pros, but also for anyone who is starting to think about a hybrid
deployment of Office 365 to maximize the use of infrastructure resources and to contribute to
cost-effective technology adoption in business. What you will learn from this eBook is how to install
and configure a number of different Office Services and Server products in an on-premises
environment to work with Microsoft Office 365, an innovative SaaS digital workplace platform.

We are not going to dig into the Hybrid scenario in cloud computing in general, because that is not
our main purpose in writing this eBook. When it comes to Hybrid there are many scenarios to be
considered, including gotchas that may happen. Such topics can easily be found on the Internet.

This eBook assumes that you have fundamental knowledge of Microsoft SharePoint Server 2013,
Microsoft Exchange Server 2013, Skype for Business 2016, Windows Server, Forefront Threat
Management Gateway and Office 365: at least you know what they are and how they are helpful in
your organization. If you do not, we still appreciate your time, as this eBook progressively walks you
through many steps, including screenshots that simplify following along.


Office 365 Hybrid: What & Why

The term Hybrid is used in the world of cloud computing these days to describe a scenario in which
a component in an on-premises environment connects to a service or a system hosted in a public
cloud. The component may vary; it can be, for example, an on-premises identity management system
connecting to a Software-as-a-Service (SaaS) document management system.

In the Office 365 scenario, a Hybrid deployment is when you wish your end users, whose accounts are
hosted in on-premises Active Directory, to have access to a SharePoint Online site collection.
Sharing calendars between on-premises Exchange and Exchange Online is also considered a scenario
of Office 365 Hybrid deployment. In a nutshell, when you do a hybrid deployment, you connect
services between on-premises and public cloud infrastructure, wherever it is. Sometimes people
consider the separate use of public and private cloud a hybrid, for example, developing an
application on Office 365 and then deploying it into a SharePoint on-premises environment.

[Figure: hybrid topology spanning Microsoft Data Center, Internet, Perimeter Network and
On-Premises, showing Office 365 Identity, SharePoint Online, AD FS, DirSync and the end-user.]

As the few examples above show, hybrid is about balancing infrastructure resources between the
two environments. For example, before Microsoft deactivated the Public Website feature in Office
365, organizations used the Microsoft Cloud infrastructure to serve a massive number of public
users of their internet-facing website, while the identities of the website's content editors remained
in the in-house Active Directory. In this case, you make the best use of your investment in high
availability for the internet-facing website, while still meeting compliance requirements such as
authentication and identity management.

Why should you consider Office 365 hybrid deployment? Perhaps because everyone else is doing it.
The cost of hybrid is not going to be discussed here. However, when you go hybrid, you will at least
cut operational infrastructure and licensing cost, which makes up the whole of your cloud budget.
In many cases, doing hybrid means outsourcing part of the responsibility for data security to the
cloud provider, which might be a big concern.

The following articles give you more helpful information about the pros & cons of Hybrid Cloud:

■ http://blog.rackspace.com/10-reasons-why-a-hybrid-cloud-is-better
■ http://www.zdnet.com/article/hybrid-cloud-why-hybrid-it-may-be-the-better-choice/
■ http://www.datacenterknowledge.com/archives/2015/02/16/hybrid-cloud-continues-grow-look-real-use-cases/
■ http://www.cio.com.au/brand-post/content/607556/why-hybrid-cloud/


Environment Preparation
Below is the environment we used for this step-by-step guide. You could use fewer servers than we
did by combining roles onto a smaller group of servers. However, we highly recommend isolating
roles and services, as that is closer to a practical deployment.
Servers with more than one network interface are listed with one line per interface.

NO. SERVER  IP ADDRESS       SUBNET MASK      GATEWAY          OS
1   AD01    192.168.1.5      255.255.255.0    192.168.1.100    Windows Srv 2012 R2
2   ADFS01  192.168.1.6      255.255.255.0    192.168.1.100    Windows Srv 2012 R2
3   EX01    192.168.1.7      255.255.255.0    192.168.1.100    Windows Srv 2012 R2
4   SFB     192.168.1.8      255.255.255.0    192.168.1.100    Windows Srv 2012 R2
5   SP01    192.168.1.10     255.255.255.0    192.168.1.100    Windows Srv 2012 R2
6   TMG     192.168.1.100    255.255.255.0    -                Windows Srv 2008
            125.253.124.163  255.255.255.240  125.253.124.161
            172.16.1.100     255.255.255.0    -
7   EDGE    192.168.1.9      255.255.255.0    192.168.1.100    Windows Srv 2012 R2
            172.16.1.9       255.255.255.0    172.16.1.100
            125.253.124.164  255.255.255.240  125.253.124.161
8   WAP01   192.168.1.15     255.255.255.0    192.168.1.100    Windows Srv 2012 R2
            125.253.124.162  255.255.255.240  125.253.124.161

All of the servers above are virtualized on a single physical host running Microsoft Hyper-V.
Microsoft Hyper-V is not required, but it supports virtualizing Microsoft workloads with optimal
performance. Here is the overall picture of the hybrid topology.

[Figure: hybrid topology diagram]

Below are the role descriptions:


■ AD01: an Active Directory domain controller virtual machine, acting as the identity
provider in the on-premises environment.
■ ADFS01: an Active Directory Federation Services virtual machine, acting as the
federation party that provides the federation trust between the identity providers in both
environments (on-premises and cloud).
■ EX01: a server running Microsoft Exchange Server 2013.
■ SFB: a server running Microsoft Skype for Business Server 2015.
■ SP01: a server running Microsoft SharePoint Server 2013.
■ TMG: a server running Microsoft Forefront Threat Management Gateway 2010.
Although this product is no longer supported, we still use it for the configuration in this
guide to help you get a better understanding of the deployment context.
■ EDGE: a server running Skype for Business Server 2015 in the Edge Server role.
■ WAP: a server running the Web Application Proxy service.


Lab 1 - DirSync, SSO Configuration


Lab 1.1 - Configure Wildcard SSL certificate
Configuring Office 365 Hybrid starts with the initial steps of configuring DirSync and Single
Sign-On (SSO). Before that configuration, you must purchase a certificate from a trusted
third-party certificate authority. There are the following options:

■ Third-party certificate across multiple servers: with this option, you purchase a single
certificate that is used for all servers and services. This is an advantage in an environment
with many servers. A wildcard SSL certificate is commonly preferred. Note that a single
wildcard certificate also means a single private key shared by every server that holds it, so
the exported key material must be handled and stored carefully.
■ Third-party certificate for each server: with this option, you purchase a dedicated
certificate for each server or service. When a certificate expires, you must renew and
replace it on that server or service. This type of certificate is commonly used when there
are fewer than 5 servers.

Here is the list of trusted third-party certificate providers recommended by Microsoft.


CA friendly name             Issued by                                              Intended purposes
Comodo                       Comodo Certification Authority                         Server authentication, client authentication
Digicert                     Digicert Global Root Certification Authority           Server authentication, client authentication
Digicert High Assurance EV   Digicert Global Root Certification Authority           Server authentication, client authentication
Entrust                      Entrust.net Secure Server Certification Authority      Server authentication, client authentication
Entrust (2048)               Entrust.net Secure Server Certification Authority      Server authentication, client authentication
Equifax                      Equifax Secure Certification Authority                 Server authentication, client authentication
GlobalSign                   GlobalSign Certification Authority                     Server authentication, client authentication
Go Daddy                     Go Daddy Class 2 Certification Authority               Server authentication, client authentication
Network Solutions            Network Solutions Certification Authority              Server authentication, client authentication
PositiveSSL                  Comodo Certification Authority                         Server authentication, client authentication
SECOM                        SECOM Trust Systems Certification Authority            Server authentication, client authentication
UTN-UserFirst-Hardware       Comodo Certification Authority                         Server authentication, client authentication
Verisign                     Class 3 Public Primary Certification Authority         Server authentication, client authentication
VeriSign                     VeriSign Trust Network                                 Server authentication, client authentication

In this lab, we purchased a certificate from Comodo (https://www.comodo.com/). Perform the
following steps to import the certificate onto the ADFS01 virtual machine.

1. Create a request with a private key from IIS. Open IIS Management Console and click Server
Certificates.

2. Click Create Certificate Request and fill in the information. In this case, we entered
*.ict24h.info because we decided to use a wildcard SSL certificate.

3. Select the cryptographic service provider you want. We selected Microsoft RSA SChannel
Cryptographic Provider with a bit length of 2048.

4. Specify the location to store the certificate signing request (CSR) file, which is submitted to
the CA for signing.

5. If you open the file, the content is a Base64-encoded block enclosed between a
-----BEGIN NEW CERTIFICATE REQUEST----- line and an -----END NEW CERTIFICATE REQUEST----- line.

[Screenshot: the CertREQ file opened in Notepad]

6. Open the Comodo website and start purchasing a wildcard certificate.

7. Fill in all information required in the form, including your credit card information.

8. After the payment is processed successfully, you will receive an email along with a guide to
configuring the certificate.


9. Click View and click CONFIGURE SSL.

10. Enter the code that Comodo sent to you via email and click Go!

[Screenshot: Comodo SSL configuration wizard at https://www.configuressl.com. The welcome page
lists what you need to complete the process: the Configuration PIN (from your account, or from
support), the CSR key for the domain name you want the certificate for, and the contact details
(organization, administrator and technical contact: name, address, phone, email).]

11. Copy the CSR (Certificate Signing Request) content you generated in step 5 into the CSR
box and click Finish. When this step is complete, you will receive a *.ZIP file sent from Comodo
to your registered email.


12. Verify the *.ZIP file. It contains the issued certificate (17572994) together with the chain
certificates: AddTrustExternalCARoot, COMODORSAAddTrustCA and COMODORSADomainValidationSecureSe...

13. Import the certificate you purchased from Comodo onto the ADFS01 virtual machine. In IIS
Management Console, click Complete Certificate Request from the Actions panel. Locate your
certificate, enter a Friendly name, and select Personal as the certificate store.


14. Verify the certificate you just imported.

15. Because you purchased a wildcard certificate, you can use it on every virtual machine you
have. You simply need to export this certificate to the *.pfx format with its private key. Go to
MMC > Local Computer > Personal > Certificates.

16. Right click on your wildcard certificate, select All Tasks > Export.


17. In the Certificate Export Wizard page, click Next

18. Select Yes, export the private key option. Click Next.


19. Select the Personal Information Exchange - PKCS #12 (.PFX) option. Select Include all
certificates in the certification path if possible and Export all extended properties. Click
Next.

20. Enter a password to protect your certificate. The .pfx file contains the private key, so use a
strong password and share it only with the administrators who will import the file.

21. Specify the location to export your certificate (*.pfx). Click Next.


22. Verify the export and click Finish to complete.

You now have a CA-issued certificate that can be imported onto all the virtual machines that need
it. Every virtual machine that connects to Office 365 needs to have the certificate imported. This
certificate is used to encrypt the traffic that passes over the Internet. Perform the following
steps to import the certificate onto another virtual machine:

1. Log in to the virtual machine where you want to import the certificate, then go to MMC > Local
Computer > Personal > Certificates.
2. Right click on Personal > All Tasks > Import.


3. In Welcome to the Certificate Import Wizard page, click Next.

4. Specify the certificate you want to import. Click Next.

5. Specify the password that you entered earlier into the Password box. Click Next.


6. Select Personal as a certificate store. Click Next.


7. Click Finish to complete.


8. After completing the import, you will see the certificate in the list of certificates in your
Personal store.

From here on we assume you have successfully imported the certificate to all virtual machines that
are required to connect to Microsoft Office 365, which we configure later in the eBook. Because the
connection is over the Internet, make sure you purchase the certificate from an internationally
trusted third-party provider. Once the .pfx file has been imported, delete the transferred copy:
it holds the private key.
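The export and import steps above done from PowerShell instead of the wizard, as an added example that is not part of the original eBook. It assumes the lab's subject *.ict24h.info, a hypothetical transfer share \\AD01\Transfer, and the federation service name sts.ict24h.info used later in Lab 1.3 for the validation check.

```powershell
# Added example (not from the eBook): export the wildcard certificate with its
# private key from ADFS01, import it on another server, then verify it.
# Assumed values: the lab subject 'CN=*.ict24h.info' and a hypothetical share
# \\AD01\Transfer for moving the .pfx; adjust both to your environment.

$Subject  = 'CN=*.ict24h.info'
$PfxPath  = '\\AD01\Transfer\wildcard-ict24h.pfx'
$Password = Read-Host -Prompt 'PFX password' -AsSecureString   # never hard-code it

# --- On ADFS01: locate the imported certificate (it must carry a private key) ---
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for $Subject" }

# Same as wizard steps 18-21: PKCS #12 with the private key and the full chain.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password `
    -ChainOption BuildChain | Out-Null
Write-Host "Exported $($cert.Thumbprint) (expires $($cert.NotAfter))"

# --- On each other server (EX01, SFB, SP01, WAP01, ...): import into Personal ---
# Without -Exportable the private key cannot be exported again from this host.
$imported = Import-PfxCertificate -FilePath $PfxPath `
    -CertStoreLocation Cert:\LocalMachine\My -Password $Password

# Verify the chain builds to a trusted root and the certificate is valid for
# TLS on the federation service name (the CNAME chosen in step 15 of Lab 1.3).
$ok = Test-Certificate -Cert $imported -Policy SSL -DNSName 'sts.ict24h.info'
if (-not $ok) { throw 'Certificate failed SSL policy / chain validation' }
if ($imported.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires within 30 days: $($imported.NotAfter)"
}

# The .pfx contains the private key: remove the transfer copy once imported.
Remove-Item -Path $PfxPath -Force
```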

Lab 1.2 - Configure DirSync


In every hybrid deployment, DirSync is critical for identity synchronization between on-premises
Active Directory and Azure Active Directory, which acts as the Microsoft Cloud identity provider.
The DirSync tool allows directory objects, including user accounts and password hashes, to be
synchronized to Office 365.


Perform the following steps to install and configure DirSync before you synchronize on-premises
Active Directory user accounts to Office 365.

1. Log into the Office 365 Portal with your administrator account.

2. From the Dashboard screen, select Active Users. From Active Directory
synchronization, click Set up.

3. In Set up and manage Active Directory synchronization page you will see 7 basic steps for
Active Directory synchronization. From step 3, click Activate.


4. Office 365 will ask for your confirmation to activate Active Directory synchronization. Click
Activate.

5. After your confirmation, Office 365 displays the statement "Active Directory
synchronization is activated".


You have now activated Active Directory synchronization in the Office 365 portal. Next you need
to install Azure Active Directory Sync. Perform the following steps to install the tool:

1. Download the tool at http://go.microsoft.com/fwlink/?LinkID=278924 and execute the
installation file.

2. In Welcome page, click Next.

3. In Microsoft Software License Terms page, select I Accept. Click Next.


4. Specify the directory where you want to store the tool binaries and files. Click Next.

5. Wait for the installation process to complete.

6. When the installation process is complete, click Next.


7. Select Start Configuration Wizard now from the next screen. Click Finish.

8. In Welcome page, read the information and brief guide. Click Next.


9. Enter your Windows Azure Active Directory account. This account must have
administrator permission in your Office 365. Click Next.

10. In Active Directory Credential page, enter your Active Directory domain administrator
account. Click Next.


11. In Hybrid Deployment page, select Enable Hybrid Deployment option. Click Next.

12. In Password Synchronization page, select Enable Password Sync option. Click Next.


13. In Configuration page, you can track progress of the configuration you have done.

14. After the configuration is complete, click Next.


15. In Finish page, select Synchronize your directories now. Click Finish.

Now you have completed the configuration of Active Directory synchronization. Depending on the
number of user accounts to be synced, the duration may vary. In the Office 365 portal, the Status
column shows which type each account is (e.g. Synced with Active Directory, or In cloud for
accounts created directly in Office 365).
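A check on the synchronization state after these steps, as an added example that is not from the eBook, using the Windows Azure Active Directory Module for Windows PowerShell (MSOnline) that Lab 1.3 installs. It assumes a 3-hour sync interval and the lab's ict24h.info domain.

```powershell
# Added example (not from the eBook): verify the result of Lab 1.2 with the
# Windows Azure Active Directory Module for Windows PowerShell (MSOnline).
# Assumptions: DirSync runs every 3 hours (so an older LastDirSyncTime is
# stale) and the synchronized UPN domain is ict24h.info as in the lab.
Import-Module MSOnline
Connect-MsolService      # prompts for the Office 365 administrator account

$info = Get-MsolCompanyInformation
$info | Select-Object DirectorySynchronizationEnabled, LastDirSyncTime,
                      PasswordSynchronizationEnabled, LastPasswordSyncTime | Format-List

# Portal steps 3-5: synchronization must be activated in the tenant.
if (-not $info.DirectorySynchronizationEnabled) {
    throw 'Active Directory synchronization is not activated in this tenant'
}
# Wizard step 12: password sync was enabled; without it users keep separate
# cloud passwords and the hybrid sign-in experience breaks.
if (-not $info.PasswordSynchronizationEnabled) {
    Write-Warning 'Password synchronization is not enabled'
}
# Flag a sync that has not completed within the assumed 3-hour interval.
$maxAge = New-TimeSpan -Hours 3
if (-not $info.LastDirSyncTime) {
    Write-Warning 'No directory sync has completed yet'
} elseif (((Get-Date).ToUniversalTime() - $info.LastDirSyncTime) -gt $maxAge) {
    Write-Warning "Last directory sync at $($info.LastDirSyncTime) UTC is older than $maxAge"
}

# Same split as the Status column in the portal.
$users  = Get-MsolUser -All
$synced = @($users | Where-Object { $_.LastDirSyncTime })       # 'Synced with Active Directory'
$cloud  = @($users | Where-Object { -not $_.LastDirSyncTime })  # 'In cloud'
"Synced accounts: {0}; cloud-only accounts: {1}" -f $synced.Count, $cloud.Count
$synced | Select-Object DisplayName, UserPrincipalName, LastDirSyncTime | Format-Table -AutoSize

# Cloud-only accounts in the synchronized domain may be accounts that were
# expected to match an on-premises user; list them for review.
$cloud | Where-Object { $_.UserPrincipalName -like '*@ict24h.info' } |
    Select-Object DisplayName, UserPrincipalName | Format-Table -AutoSize
```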


Lab 1.3 - Configure Single Sign-On (SSO)

In the simplest terms, Single Sign-On (SSO) allows users to access different services using a
single account and password, so they do not have to remember different credentials for different
services. SSO also helps administrators simplify identity management.

To enable SSO in an Office 365 hybrid deployment, there are several products on the market, for
example PingFederate, CA Single Sign-On and Active Directory Federation Services (AD FS). In this
case, we introduce Active Directory Federation Services because it is a free tool.


Perform the following steps to configure SSO, and to install and configure Active Directory
Federation Services on the ADFS01 virtual machine:

1. From Dashboard in Office 365 Portal, click Active Users.

2. From the Single sign-on option, click Set up.

3. In Set up and manage single sign-on page, Microsoft provides 10 steps for SSO
configuration. From step 3, select Windows 64-bit version (if your operating system supports
only 64-bit) to download the Windows Azure Active Directory Module for Windows PowerShell,
which is used to configure the trust relationship.

4. After downloading, execute the installation file to start installing the tool. In Welcome
page, read the information and brief guide. Click Next.


5. In License Terms page, read carefully licensing terms and select I accept the terms in the
License Terms. Click Next.


6. In Install Location page, specify the location for Windows Azure Active Directory Module for
Windows PowerShell directory. Click Next.


7. When you are ready for the installation, click Install.

8. Wait until the installation is complete, then click Finish.

Now you have completed the installation of Windows Azure Active Directory Module for Windows
PowerShell. Next, you need to install and configure Active Directory Federation Services. Perform
the following steps:

1. On the ADFS01 virtual machine, open Server Manager. Select Add Roles and Features.


2. In Before you begin page, click Next.

3. In Select installation type page, select Role-based or feature-based installation option. Click
Next.


4. In Select destination server page, select Select a server from the server pool and select
your AD FS virtual machine. Click Next.

5. In Select server roles page, select Active Directory Federation Services. Click Next.

6. In Select feature page, select .NET Framework 3.5 Features (1 of 3 installed) and .NET
Framework 4.5 Features (3 of 7 installed). Click Next.


7. In Active Directory Federation Services (AD FS) page, read information of AD FS introduction
and notes provided by Microsoft. Click Next.

8. In Web Server Role (IIS) page, read information of web server introduction and notes provided
by Microsoft. Click Next.


9. In Select role services page, verify the role services selected for the Web Server role.
Click Next.


10. In Confirm installation selections page, select Restart the destination server
automatically if required. Click Install.

11. In Installation progress page, review all services and features you have installed. Click Close.

12. Open Server Manager; you are notified to continue the AD FS configuration. Click
Configure the federation service on this server.


13. In Welcome page, select Create the first federation server in a federation server farm. Click
Next.

14. In Connect to Active Directory Domain Services page, specify your Active Directory domain
administrator account. Click Next.

15. In Specify Service Properties page, select the wildcard SSL certificate you imported. The
Federation Service Name is the ADFS01 virtual machine FQDN (Fully Qualified Domain Name). You
can create a CNAME that points to the ADFS01 virtual machine's FQDN (for example
sts.ict24h.info). Enter a Federation Service Display Name. Click Next.

[Screenshot: Specify Service Properties. SSL Certificate: *.ict24h.info; Federation Service Name:
sts.ict24h.info (example: fs.contoso.com); Federation Service Display Name: ADFS for OFFICE 365
(users will see the display name at sign in).]

16. In Specify Service Account page, specify the service account that the federation service will
run as (a Group Managed Service Account, or an existing domain user account). Click Next.

[Screenshot: Specify Service Account. Options: Create a Group Managed Service Account; Use an
existing domain user account or group Managed Service Account (Account Name: ICT24H\..., Account
Password). The wizard shows the warning: "Group Managed Service Accounts are not available because
the KDS Root Key has not been set. Use the following PowerShell command to create the key:
Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)"]

17. In Specify Configuration Database page, select Create a database on this server using
Windows Internal Database. Click Next.
[Screenshot: Specify Configuration Database. "Specify a database to store the Active Directory
Federation Service configuration data." Options: Create a database on this server using Windows
Internal Database (selected); Specify the location of a SQL Server database (Database Host Name,
Database Instance; to use the default instance, leave this field blank).]

18. Select Overwrite existing AD FS configuration database data. Click Next.


19. In Review Options page, review your configuration again. Click Next.
[Screenshot: Review Options. Review your selections: This server will be configured as the
primary server in a new AD FS farm 'adfs.ict24h.info'. AD FS configuration will be stored in
Windows Internal Database. Windows Internal Database feature will be installed on this server if
it is not already installed. All existing configuration in the database will be deleted.
Federation service will be configured to run as ICT24H\Administrator.]

20. In Pre-requisite Checks page, AD FS automatically runs checks to verify that all prerequisites
are met. Click Next.

[Screenshot: Pre-requisite Checks. "Prerequisites must be validated before Active Directory
Federation Services is configured on this computer." Result: All prerequisite checks passed
successfully. Click 'Configure' to begin installation.]

21. Wait until the installation is complete and open AD FS Management to review
information.
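The wizard pages in steps 13 to 21 map onto the Install-AdfsFarm cmdlet. The following is an added example written for this guide, not a script from the eBook's authors, showing the same farm configuration from PowerShell on the ADFS01 virtual machine. It differs from the screenshots in one deliberate respect: instead of running the federation service as ICT24H\Administrator (a domain administrator), it creates a Group Managed Service Account (gMSA), which is the least-privilege choice and removes a stored password from the AD FS server. The gMSA name gmsa-adfs is an assumption; the certificate subject, federation service name and display name come from the page.

```powershell
# Added example (not from the eBook): PowerShell equivalent of the AD FS
# configuration wizard, run on ADFS01 after the AD FS role is installed.
# Assumes the *.ict24h.info wildcard certificate is already in the computer
# store; the gMSA name 'gmsa-adfs' is an assumption for this example.
Import-Module ActiveDirectory
Import-Module ADFS

# 1. Pick the wildcard certificate by subject, newest first.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=*.ict24h.info*' } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'Wildcard certificate *.ict24h.info not found in LocalMachine\My' }

# 2. The KDS root key is needed once per forest before any gMSA can be created
#    (the wizard warning in step 16). Backdating the effective time by 10 hours
#    skips the replication wait; do that only in a single-DC lab. In production
#    use -EffectiveImmediately and allow ~10 hours for replication.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 3. Create the gMSA and allow only the AD FS server to retrieve its password.
$gmsaName = 'gmsa-adfs'   # assumption
if (-not (Get-ADServiceAccount -Filter "Name -eq '$gmsaName'")) {
    New-ADServiceAccount -Name $gmsaName `
        -DNSHostName 'sts.ict24h.info' `
        -ServicePrincipalNames 'host/sts.ict24h.info' `
        -PrincipalsAllowedToRetrieveManagedPassword 'ADFS01$'
}

# 4. First federation server of a new farm, configuration in Windows Internal
#    Database, existing configuration overwritten (wizard step 18).
Install-AdfsFarm `
    -CertificateThumbprint $cert.Thumbprint `
    -FederationServiceName 'sts.ict24h.info' `
    -FederationServiceDisplayName 'ADFS for OFFICE 365' `
    -GroupServiceAccountIdentifier "ICT24H\$gmsaName`$" `
    -OverwriteConfiguration

# 5. Verify the farm: service name, display name and the bound SSL certificate.
Get-AdfsProperties | Select-Object HostName, DisplayName
Get-AdfsSslCertificate
```

Run steps 2 and 3 with domain administrator rights (step 2 on a domain controller); Install-AdfsFarm prompts for domain credentials if the current user lacks them. If you keep the wizard's domain user account instead, pass it with -ServiceAccountCredential in place of -GroupServiceAccountIdentifier.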

To securely connect AD FS services to Office 365, you need to deploy an AD FS proxy using Web
Application Proxy in Windows Server 2012 R2. Perform the following steps to install and configure
Web Application Proxy:

1. On WAP virtual machine, open Server Manager. Select Add Roles and Features.
2. In Before you begin page, Click Next.
3. In Select installation type page, select Role-based or feature-based installation. Click
Next.
4. In Select destination server page, select WAP virtual machine. Click Next.
5. In Select server roles page, select Remote Access. Click Next.

6. In Select role services page, select Web Application Proxy. Click Next.

7. In Confirm installation selections page, select Restart the destination server automatically if
required. Click Install.

After you have successfully installed Web Application Proxy (WAP), you need to connect the WAP
service to the AD FS virtual machine. Perform the following steps to configure WAP:

1. Open Remote Access Management on WAP01 virtual machine.


2. In Welcome page, click Next.
3. In Federation Server page, enter the Federation service name (note that sts.ict24h.info is the
CNAME we created to point to the ADFS01 virtual machine). Enter the local administrator
account on WAP01 virtual machine.

4. In AD FS Proxy Certificate page, select wildcard SSL certificate. Click Next.

5. In Confirmation page, review the configuration again and make sure the thumbprint of your
certificate is valid. Click Configure.

6. In Result page, you will receive a message "Web Application Proxy was configured
successfully”. Click Close.

After successfully configuring Web Application Proxy, you need to publish it through AD FS virtual
machine. Perform the following steps:

1. Open Remote Access Management. Select Web Application Proxy. Select Publish from
General panel on the right hand.
2. In Welcome page, Click Next.

3. In Preauthentication page, select Pass-through. Click Next.


[Screenshot: Preauthentication. "Specify the preauthentication method:" Active Directory
Federation Services (AD FS): all unauthenticated client requests are redirected to the federation
server; after successful authentication by AD FS, client requests are forwarded to the backend
server, and Web Application Proxy can also provide credentials to backend servers that are
configured to use Integrated Windows authentication. Pass-through (selected): no preauthentication
is performed by Web Application Proxy; all requests are forwarded to the backend server.]

4. In Publishing Settings page, enter the name of the published application, the external URL,
the certificate and the backend server URL. These are required before you can publish your service.

5. In Confirmation page, review information of your Web Application Proxy setting. Click
Publish.

[Screenshot: Confirmation. "The following PowerShell command will be run when you click Publish. It
can also be used to set up additional published applications. If you want to re-use the command,
copy it before you click Publish."]

Add-WebApplicationProxyApplication `
    -BackendServerUrl 'https://sts.ict24h.info/' `
    -ExternalCertificateThumbprint '1F9FE135FBBD4A9B4521B5318624F53327B090B3' `
    -ExternalUrl 'https://sts.ict24h.info/' `
    -Name 'ADFS' `
    -ExternalPreAuthentication PassThrough

To publish the web application, click Publish.

6. To verify whether you have successfully published WAP or not, open the URL
https://sts.ict24h.info/adfs/ls/idpinitiatedsignon on a computer which has Internet connection.

7. Try with an account in your Active Directory and see how it goes.
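The WAP configuration wizard and the Publish wizard above each generate one cmdlet. The following added example (written for this guide, not code from the eBook) runs both from PowerShell on the WAP01 virtual machine and then performs the same check as step 6 from the proxy side and from the client side. It assumes the wildcard certificate is already imported on WAP01; the federation service name and the published application name come from the page.

```powershell
# Added example (not from the eBook): configure Web Application Proxy and
# publish the federation service from PowerShell on WAP01, then verify.
# Assumes the *.ict24h.info wildcard certificate is imported on WAP01.
Import-Module WebApplicationProxy

$fsName = 'sts.ict24h.info'

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=*.ict24h.info*' } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'Wildcard certificate *.ict24h.info not found on WAP01' }

# The trust credential must be a local administrator on the AD FS server. It is
# used once to establish the proxy trust and is not stored on WAP01.
$trustCred = Get-Credential -Message 'Local administrator on the AD FS server'

# Equivalent of the Remote Access Management configuration wizard (steps 1-6).
Install-WebApplicationProxy `
    -FederationServiceName $fsName `
    -FederationServiceTrustCredential $trustCred `
    -CertificateThumbprint $cert.Thumbprint

# Equivalent of the Publish wizard: AD FS itself is published with pass-through
# because AD FS performs its own authentication; nothing else should be
# published with pass-through unless the backend authenticates on its own.
Add-WebApplicationProxyApplication `
    -Name 'ADFS' `
    -ExternalPreauthentication PassThrough `
    -ExternalUrl "https://$fsName/" `
    -BackendServerUrl "https://$fsName/" `
    -ExternalCertificateThumbprint $cert.Thumbprint

# Proxy-side verification: trust established, application listed.
Get-WebApplicationProxyConfiguration
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication -AutoSize

# Client-side verification (step 6) from an Internet-connected machine.
# Expect status 200 and the AD FS sign-in page.
$r = Invoke-WebRequest -Uri "https://$fsName/adfs/ls/idpinitiatedsignon" -UseBasicParsing
'HTTP {0}, {1} bytes' -f $r.StatusCode, $r.RawContentLength
```

On the page's Windows Server 2012 R2 AD FS the IdP-initiated sign-on page is enabled by default; on AD FS 2016 and later it is disabled by default and has to be turned on with Set-AdfsProperties -EnableIdpInitiatedSignonPage $true before this test returns the sign-in form.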

If you have completed the steps above without any error, opening an Office 365 site redirects you to
the federation URL, because Office 365 now has a federation trust with your AD FS.

You have now enabled SSO in the hybrid deployment. Every time you open a site in Office 365 and
enter a federated account, Office 365 recognizes that there is a trusted party and redirects you to
the published AD FS for authentication.

Lab 2 - Exchange Server Hybrid Configuration


We assume in this lab that you have already installed Microsoft Exchange Server 2013 in your on-
premises environment. This lab provides a step-by-step guide for the configuration that follows
the Microsoft Exchange Server 2013 installation.

Lab 2.1 - Send Connector Configuration

A Send Connector must be configured to establish a connection between your on-premises Exchange
and Exchange Online. Perform the following steps:

1. Log into Exchange admin center. Select mail flow > send connectors. Select the plus icon.
2. In the Send Connector window, name your connector and select Custom (For example,
to send mail to other non-Exchange servers). Click Next.

3. Select MX record associated with recipient domain. Click Next.

4. In Address Space window, select SMTP under Type and allow all emails to be sent
through this connector by entering * under FQDN and 1 under Cost. Click Save.

5. In Select a Server window, select the server which is responsible for sending email. Select
the add button to add the server. Click OK.

6. Click Finish to complete the Send Connector configuration.
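The six steps above correspond to one New-SendConnector call. The following added example (written for this guide, not the eBook's own code) creates the same connector from the Exchange Management Shell on the EX01 virtual machine and then reads it back so the address space, cost and source server can be compared with steps 3 to 5. The connector name is an assumption; the server name EX01 and the host name mail.ict24h.info come from the page.

```powershell
# Added example (not from the eBook): Lab 2.1 as Exchange Management Shell
# commands on EX01. The connector name is an assumption for this example.
$name = 'Internet (ICT24H)'

# Step 2-5: custom connector, route by the recipient domain's MX record,
# address space SMTP:* with cost 1, EX01 as the source transport server.
New-SendConnector -Name $name `
    -Usage Custom `
    -DNSRoutingEnabled $true `
    -AddressSpaces 'SMTP:*;1' `
    -SourceTransportServers 'EX01'

# Practitioner setting: the FQDN the connector presents in EHLO must be a name
# on the certificate bound to SMTP (Lab 2.2), otherwise remote servers that
# opportunistically negotiate TLS see a name mismatch.
Set-SendConnector -Identity $name -Fqdn 'mail.ict24h.info'

# Verify: address space, cost, routing mode, source server and FQDN.
Get-SendConnector -Identity $name |
    Format-List Name, Enabled, AddressSpaces, DNSRoutingEnabled, SourceTransportServers, Fqdn
```

After the hybrid configuration in Lab 2.4 the wizard adds its own "Outbound to Office 365" connector with a narrower address space; this custom connector keeps handling all other Internet mail.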

Lab 2.2 - Configure Certificate for Exchange Server


Configuring the certificate for Exchange Server is an important step for hybrid deployment. As
noted earlier, you must purchase the certificate from a publicly trusted third-party provider.
Below is the list of providers that Microsoft recommends:

CA friendly name             Issued by                                            Intended purposes
Comodo                       Comodo Certification Authority                       Server authentication, client authentication
Digicert                     Digicert Global Root Certification Authority         Server authentication, client authentication
Digicert High Assurance EV   Digicert Global Root Certification Authority         Server authentication, client authentication
Entrust                      Entrust.net Secure Server Certification Authority    Server authentication, client authentication
Entrust (2045)               Entrust.net Secure Server Certification Authority    Server authentication, client authentication
Equifax                      Equifax Secure Certification Authority               Server authentication, client authentication
GlobalSign                   GlobalSign Certification Authority                   Server authentication, client authentication
Go Daddy                     Go Daddy Class 2 Certification Authority             Server authentication, client authentication
Network Solutions            Network Solutions Certification Authority            Server authentication, client authentication
PositiveSSL                  Comodo Certification Authority                       Server authentication, client authentication
SECOM                        SECOM Trust Systems Certification Authority          Server authentication, client authentication
UTN-UserFirst-Hardware       Comodo Certification Authority                       Server authentication, client authentication
Verisign                     Class 3 Public Primary Certification Authority       Server authentication, client authentication
Verisign                     Verisign Trust Network                               Server authentication, client authentication

We already purchased a wildcard certificate and imported it onto the Exchange Server virtual
machine. Now you need to open Exchange admin center to verify that certificate. Perform the
following steps:

1. Open Exchange admin center. Select servers > certificates.


2. Select your imported certificate and select edit icon.

3. In Exchange Certificate window, select SMTP and IIS. Click Save.

4. You are asked to overwrite the existing default SMTP certificate. Click Yes.

5. Open PowerShell and run the command iisreset /restart.

6. Verify the certificate, its assigned services and other information.
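The following added example (written for this guide, not code from the eBook) performs Lab 2.2 from the Exchange Management Shell on EX01. Before binding the certificate it runs the checks a practitioner wants to see fail early rather than at the first TLS handshake: the chain is trusted, the private key is present, the certificate is not about to expire, and the names it covers include the public host names used later in Lab 2.3. The host names mail.ict24h.info and autodiscover.ict24h.info and the *.ict24h.info subject come from the page.

```powershell
# Added example (not from the eBook): Lab 2.2 as Exchange Management Shell
# commands on EX01, with pre-checks before the certificate is bound.
$requiredNames = 'mail.ict24h.info', 'autodiscover.ict24h.info'

$cert = Get-ExchangeCertificate |
    Where-Object { $_.Subject -like 'CN=*.ict24h.info*' } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw 'Wildcard certificate *.ict24h.info is not imported on this server' }

# Chain trusted and not revoked (Status is Valid), private key present, expiry.
if ($cert.Status -ne 'Valid')   { throw "Certificate status is '$($cert.Status)', expected Valid" }
if (-not $cert.HasPrivateKey)   { throw 'Certificate has no private key; re-import it as PFX' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter.ToShortDateString())"
}

# Every public host name must be covered, either exactly or by a wildcard
# entry (a wildcard covers one label only, which is what we need here).
foreach ($name in $requiredNames) {
    $covered = $cert.CertificateDomains | Where-Object {
        $_ -eq $name -or ($_.StartsWith('*.') -and $name -like $_ -and
                          $name.Split('.').Count -eq $_.Split('.').Count)
    }
    if (-not $covered) { throw "Certificate does not cover $name" }
}

# Steps 3-4: bind to SMTP and IIS; -Force answers the "overwrite the default
# SMTP certificate" prompt.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'SMTP,IIS' -Force

# Step 5-6: restart IIS and read the assignment back.
iisreset /restart
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Format-List Subject, CertificateDomains, Services, NotAfter, Status
```

The Services field should now list SMTP and IIS alongside any services that were already bound. Keep the previous certificate until Exchange Online and external clients have been observed negotiating TLS with the new one.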

Now your certificate is successfully configured. You are going to need to publish Exchange service
over the Internet through Web Application Proxy you configured in Lab 1.3.

Lab 2.3 - Publish Exchange Service


To publish Exchange service over the Internet, you need to use public IP address and Web
Application Proxy. Perform the following steps:

1. Log into your Internet domain control panel and create an A record mail.ict24h.info that points
to the WAP01 virtual machine's public IP address.

2. Create a new CNAME autodiscover.ict24h.info that points to mail.ict24h.info.


3. Create an MX record with priority 20 that points to mail.ict24h.info.

[Screenshot: Add Zone Record for ICT24H.INFO. Record type: MX (Mail Exchanger); Points to:
mail.ict24h.info; Priority: 20.]

4. Open Exchange admin center. Select servers > virtual directories. The external URL is blank.
Click the edit icon and add the EX01 virtual machine, which is the Exchange Server you prepared at
the beginning. Click OK.

5. Enter the external DNS address. Click save.

6. Repeat steps 4 and 5 for the other virtual directories on your Exchange Server.


You need to configure Web Application Proxy to publish Exchange service over the Internet. Perform
the following steps:

1. Open Remote Access Management on WAP01 virtual machine.


2. In Welcome page, Click Next.

3. In Preauthentication page, select Pass-through option.


4. In Publishing Settings page, enter a name for the new published application for your Exchange
service, including the external URL and the backend server URL. Make sure the wildcard SSL
certificate is chosen because this service is exposed over the Internet. Click Next.

5. In Results page, you will receive the message "Web application published successfully". Select
Close.

6. Repeat steps 1 to 5 for the other services.
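Steps 4 to 6 of the virtual directory configuration and steps 1 to 6 of the publishing wizard are repetitive by hand; the following added example (written for this guide, not the eBook's own code) does both from PowerShell. The first part runs in the Exchange Management Shell on EX01 and sets the external URL of each client-facing virtual directory; the second part runs on WAP01 and publishes one pass-through application per path. It assumes the external host name mail.ict24h.info from the page, that internal DNS on WAP01 resolves mail.ict24h.info to EX01 (so the same host can serve as backend URL), and the application names EX-OWA, EX-ECP and so on, which are chosen here.

```powershell
# Added example (not from the eBook): Lab 2.3 steps 4-6 (on EX01) and the WAP
# publishing wizard (on WAP01) as PowerShell. Application names are assumptions.

# --- Part 1, on EX01 (Exchange Management Shell): external URLs -------------
$ext    = 'mail.ict24h.info'
$server = 'EX01'
Set-OwaVirtualDirectory         -Identity "$server\owa (Default Web Site)" -ExternalUrl "https://$ext/owa"
Set-EcpVirtualDirectory         -Identity "$server\ecp (Default Web Site)" -ExternalUrl "https://$ext/ecp"
Set-ActiveSyncVirtualDirectory  -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" `
                                -ExternalUrl "https://$ext/Microsoft-Server-ActiveSync"
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" -ExternalUrl "https://$ext/EWS/Exchange.asmx"
Set-OabVirtualDirectory         -Identity "$server\OAB (Default Web Site)" -ExternalUrl "https://$ext/OAB"
Set-MapiVirtualDirectory        -Identity "$server\mapi (Default Web Site)" -ExternalUrl "https://$ext/mapi"
Set-OutlookAnywhere             -Identity "$server\Rpc (Default Web Site)" -ExternalHostname $ext `
                                -ExternalClientAuthenticationMethod Ntlm -ExternalClientsRequireSsl $true
# Autodiscover gets no external URL; clients reach it through the
# autodiscover.ict24h.info CNAME created in step 2.
Get-OwaVirtualDirectory -Server $server | Format-List Identity, InternalUrl, ExternalUrl

# --- Part 2, on WAP01: publish each path with pass-through -------------------
Import-Module WebApplicationProxy
$thumb = (Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like 'CN=*.ict24h.info*' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1).Thumbprint
if (-not $thumb) { throw 'Wildcard certificate not found on WAP01' }

$apps = @(
    @{ Name = 'EX-OWA';          Host = $ext;                        Path = '/owa/' },
    @{ Name = 'EX-ECP';          Host = $ext;                        Path = '/ecp/' },
    @{ Name = 'EX-ActiveSync';   Host = $ext;                        Path = '/Microsoft-Server-ActiveSync/' },
    @{ Name = 'EX-EWS';          Host = $ext;                        Path = '/EWS/' },
    @{ Name = 'EX-OAB';          Host = $ext;                        Path = '/OAB/' },
    @{ Name = 'EX-MAPI';         Host = $ext;                        Path = '/mapi/' },
    @{ Name = 'EX-RPC';          Host = $ext;                        Path = '/rpc/' },
    @{ Name = 'EX-Autodiscover'; Host = 'autodiscover.ict24h.info';  Path = '/autodiscover/' }
)
foreach ($a in $apps) {
    if (Get-WebApplicationProxyApplication -Name $a.Name -ErrorAction SilentlyContinue) { continue }
    Add-WebApplicationProxyApplication -Name $a.Name `
        -ExternalPreauthentication PassThrough `
        -ExternalUrl      ('https://{0}{1}' -f $a.Host, $a.Path) `
        -BackendServerUrl ('https://{0}{1}' -f $ext, $a.Path) `
        -ExternalCertificateThumbprint $thumb
}
Get-WebApplicationProxyApplication | Format-Table Name, ExternalUrl, BackendServerUrl -AutoSize
```

With pass-through, WAP does not authenticate anything itself; each path is protected only by Exchange's own authentication. Review the list before publishing: /ecp is the administration interface, and an organization that does not need it from the Internet can simply leave that entry out.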

Now the publishing configuration is done. To verify the connection, Microsoft provides a tool named
Microsoft Remote Connectivity Analyzer at http://testconnectivity.microsoft.com. On the website,
select Exchange Server, select Exchange ActiveSync Autodiscover, and click Next.

Fill all information the tool asks and select Perform Test. If the result is green then your Exchange
is publicly available over the Internet.
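Before handing the names to the Remote Connectivity Analyzer it is worth checking, from any Internet-connected Windows machine, that the three DNS records from steps 1 to 3 resolve as intended, that the ports are reachable and that the certificate the proxy serves is the trusted wildcard. The following added example (written for this guide, not code from the eBook) does exactly that; the domain, host names and the MX priority 20 come from the page.

```powershell
# Added example (not from the eBook): external check of the Lab 2.3 DNS
# records, reachability and served certificate. Run from a machine outside
# the lab network. Names and MX priority are the page's values.
$domain   = 'ict24h.info'
$mailHost = "mail.$domain"

# Step 1-3: A record, autodiscover CNAME, MX with priority 20.
$a     = Resolve-DnsName $mailHost -Type A -ErrorAction Stop | Where-Object Type -eq 'A'
$cname = Resolve-DnsName "autodiscover.$domain" -Type CNAME -ErrorAction Stop | Where-Object Type -eq 'CNAME'
$mx    = Resolve-DnsName $domain -Type MX -ErrorAction Stop | Where-Object Type -eq 'MX'

'A      {0} -> {1}' -f $mailHost, ($a.IPAddress -join ', ')
'CNAME  autodiscover.{0} -> {1}' -f $domain, $cname.NameHost
$mx | ForEach-Object { 'MX     priority {0} -> {1}' -f $_.Preference, $_.NameExchange }

if ($cname.NameHost -ne $mailHost) { Write-Warning "autodiscover CNAME does not point to $mailHost" }
if (-not ($mx | Where-Object { $_.NameExchange -eq $mailHost -and $_.Preference -eq 20 })) {
    Write-Warning "No MX record with priority 20 pointing to $mailHost"
}

# 443 must be open through WAP01 for clients; 25 for inbound mail.
foreach ($port in 443, 25) {
    $t = Test-NetConnection -ComputerName $mailHost -Port $port -WarningAction SilentlyContinue
    'TCP {0,-3} {1}' -f $port, $(if ($t.TcpTestSucceeded) { 'open' } else { 'closed' })
}

# TLS: AuthenticateAsClient throws when the chain or the name is not trusted,
# which is the same failure an external client would see.
$tcp = $null; $ssl = $null
try {
    $tcp = New-Object Net.Sockets.TcpClient($mailHost, 443)
    $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($mailHost)
    $srv = New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    'TLS    {0}  expires {1:yyyy-MM-dd}  protocol {2}' -f $srv.Subject, $srv.NotAfter, $ssl.SslProtocol
} catch {
    Write-Warning "TLS validation failed: $($_.Exception.Message)"
} finally {
    if ($ssl) { $ssl.Dispose() }
    if ($tcp) { $tcp.Dispose() }
}
```

A warning from any of the four checks explains a red result in the Remote Connectivity Analyzer faster than the analyzer's own report does, because each one isolates a single layer (DNS, TCP, TLS).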

Lab 2.4 - Configure Hybrid Wizard Config


Before this lab, make sure you have completed Lab 2.1 to 2.3 without any error, especially the
certificate configuration. Now you are going to establish a hybrid connection between your
Exchange Server and Office 365.

1. Open Exchange Admin Center, select hybrid. Click enable.

2. A popup provides you a link to sign in to Office 365.

[Dialog: "You must log in to Office 365 before you can run the Hybrid Configuration wizard. Please
try again after you log in to Office 365." Buttons: sign in to Office 365, cancel.]

3. Log into the Office 365 portal with your administrator account.

4. You will be redirected to a new page asking you to download the Microsoft Office 365 Hybrid
Configuration Wizard. Click the click here link.

5. Select Install when you receive security warning.

6. Wait until the wizard is successfully downloaded.

7. Click Run when you receive a security warning.

8. The Office 365 Hybrid Configuration window appears. Click Next.

9. The wizard automatically detects the Exchange Server virtual machine that holds the Client
Access (CAS) role. In this case, it is the EX01 virtual machine. If you have more than one virtual
machine, select Specify a server running Exchange 2013 CAS or Exchange 2016. Click next.

[Screenshot: Office 365 Hybrid Configuration, On-premises Exchange Server Organization. Detect a
server running Exchange 2013 CAS or Exchange 2016 (selected): EX01, domain ict24h.info, Version
15.0 (Build 1130.7), Standard Evaluation Edition, roles Mailbox, ClientAccess. "Exchange Hybrid
setup requires a connection to an Exchange 2013 CAS or Exchange 2016 server in your environment to
perform management tasks." Client Access server: EX01.ict24h.info. Office 365 Exchange Online: My
Office 365 organization is hosted by Microsoft Office 365.]

10. In Credentials page, the Office 365 Hybrid wizard asks you to provide the domain administrator
account and the Office 365 administrator account. Click next.

[Screenshot: Office 365 Hybrid Configuration, Credentials. "Exchange hybrid setup needs both
on-premises and Office 365 account credentials before it can continue. Both accounts must be
members of the Organization Management role group." On-premises: Use current Windows credentials,
ICT24H\administrator. Office 365 user ID: admin@ict24happs.onmicrosoft.com.]

11. The wizard validates the credentials and the connection. Click next.

12. In Hybrid Configuration page, select Configure my Client Access and Mailbox servers for
secure mail transport (typical). If you want to have centralized mail transport, select Enable
centralized mail transport option. Microsoft already explained what this feature is in the page.
Click next.

13. In Receive Connector Configuration page, select the Exchange virtual machine that will host the
Receive connector. Click next.

[Screenshot: Office 365 Hybrid Configuration, Receive Connector Configuration. "Choose one or more
on-premises Exchange Servers to host receive connectors for secure mail transport with Exchange
Online. If you are using Exchange 2013 these servers must have the Client Access Server role."
Listed: EX01, domain ict24h.info, Version 15.0 (Build 1130.7), Standard Evaluation Edition, roles
Mailbox, ClientAccess.]

14. In Send Connector Configuration page, select your Exchange virtual machine to host Send
connector. Click next.

15. In Organization FQDN page, enter the FQDN of your on-premises Exchange virtual machine. This
configures the outbound mail connector that routes email from Exchange Online to the on-premises
organization.

[Screenshot: Office 365 Hybrid Configuration, Organization FQDN. "Enter a fully qualified domain
name (DomainFqdn) for your on-premises organization. This will configure the outbound mail
connector to route mail from the Exchange Online Protection (EOP) service to your on-premises
organization." Example: mail.contoso.com. Value entered: mail.ict24h.info.]

16. In Ready for Update page, click update.

17. In Configuring... page, you will see the progress of your configuration.

[Screenshot: Office 365 Hybrid Configuration, Configuring... Task: Configure Organization
Relationship. Phase: Checking Configuration. Command: Get-FederationInformation -DomainName
'ict24happs.mail.onmicrosoft.com' -BypassAdditionalDomainValidation. "Click 'stop' to cancel the
operation. Stopping the operation won't undo the changes already applied."]

Now the configuration is done. To verify whether your configuration is successful or not, perform the
following steps:

1. Open Exchange admin center. Select organization. Click sharing tab.

2. Select mail flow. Select accepted domain to verify a newly added domain, in our case, it’s
ict24happs.mail.onmicrosoft.com.

3. Select recipients. Select mailboxes and open any mailbox; you will see the new SMTP
address from Exchange Online.

4. Select mail flow. Select send connectors. There is a new Send connector whose name is
Outbound to Office 365 which is automatically added after your hybrid configuration was
successful.

5. If you edit this new Send connector, you will see both addresses from your on-premises
Exchange and Exchange Online.
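The five verification steps above can be done in one pass from the Exchange Management Shell on EX01, which also exposes the TLS settings of the connectors the wizard created, something the admin center pages do not show at a glance. The following is an added example written for this guide, not a script from the eBook; the coexistence domain ict24happs.mail.onmicrosoft.com, the connector name "Outbound to Office 365" and the server name EX01 come from the page.

```powershell
# Added example (not from the eBook): post-wizard verification from the
# Exchange Management Shell on EX01. Values are the page's lab values.
$coexist = 'ict24happs.mail.onmicrosoft.com'

# Step 1: hybrid object and organization relationship (organization > sharing).
Get-HybridConfiguration |
    Format-List Domains, OnPremisesSmartHost, TlsCertificateName, SendingTransportServers, ReceivingTransportServers
Get-OrganizationRelationship |
    Format-List Name, DomainNames, TargetApplicationUri, Enabled

# Step 2: the coexistence domain was added as an accepted domain.
Get-AcceptedDomain -Identity $coexist | Format-List DomainName, DomainType, Default

# Step 3: every mailbox should carry a secondary smtp:<alias>@<coexistence domain>
# address; mailboxes without it cannot be moved to Exchange Online.
$missing = Get-Mailbox -ResultSize Unlimited | Where-Object {
    -not ($_.EmailAddresses | Where-Object { $_ -like "smtp:*@$coexist" })
}
if ($missing) {
    Write-Warning "$($missing.Count) mailbox(es) lack the $coexist address:"
    $missing | Select-Object Name, PrimarySmtpAddress
} else {
    "All mailboxes have an address at $coexist"
}

# Step 4-5: the wizard's connectors. Both sides must require TLS and identify
# each other with the certificate name from Lab 2.2 (TlsAuthLevel DomainValidation).
Get-SendConnector -Identity 'Outbound to Office 365' |
    Format-List AddressSpaces, SmartHosts, RequireTLS, TlsAuthLevel, TlsDomain, TlsCertificateName
Get-ReceiveConnector -Server EX01 | Where-Object Name -like 'Default Frontend*' |
    Format-List Name, Bindings, RequireTLS, TlsCertificateName, TlsDomainCapabilities
```

If TlsCertificateName on either connector is empty, inbound mail from Exchange Online will not be treated as internal hybrid mail; re-run the wizard after fixing the certificate rather than editing the connector by hand.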

6. Next, you can test by migrating email from your on-premises Exchange to Office 365. From
Exchange admin center, select Office 365 from top bar.

7. Select recipients. Select migration. Click plus icon to add a new migration.

8. There are two migration options: migration from your on-premises to Office 365 and vice
versa. Select the first option.


9. In the window, select Remote move migration (supported by Exchange Server 2010 and later
versions) for the experiment. Click Next.

[Screenshot: new migration batch, Select a migration type. "The migration type to use depends on
your existing email system, how many mailboxes you want to migrate, and whether you plan to
maintain some mailboxes in your on-premises organization or migrate them all to the cloud. You'll
also want to consider how long the migration will take and whether user identity will be managed
in your on-premises organization or in Office 365." Options: Remote move migration (supported by
Exchange Server 2010 and later versions) (selected); Staged migration (supported by Exchange Server
2003 and Exchange Server 2007 only); Cutover migration (supported by Exchange Server 2003 and later
versions); IMAP migration (supported by Exchange and other email systems). Description of Remote
move migration: "Select this if you're planning an Exchange hybrid deployment with mailboxes both
on-premises and in Exchange Online. If you plan to migrate all mailboxes to Exchange Online over a
long period of time, this migration type lets you use hybrid deployment features during migration.
After the migration, user identity will still be managed in your on-premises organization. You
have to use this type of migration to migrate more than 2,000 Exchange 2010 or Exchange 2013
mailboxes."]

10. Select the on-premises account you want to migrate. Click OK.

11. Enter username and password of the administrator account. Click Next.

12. Enter the FQDN of your on-premises Exchange virtual machine where the Mailbox Replication
Service (MRS) Proxy is enabled.

[Screenshot: new migration batch, Confirm the migration endpoint. "The connection settings for this
migration batch have been automatically selected based on the migration endpoints created in your
organization." Remote MRS proxy server (the FQDN of the Exchange server that the Mailbox
Replication Service (MRS) Proxy is on): mail.ict24h.info.]

13. In the window, name your migration batch and select the Exchange Online address under
Target delivery domain. Select the Move the primary mailbox and the archive mailbox if one
exists option and enter the bad item limit you want.

[Screenshot: new migration batch, Move configuration. New migration batch name: Migrate LamCT Email
to O365; Target delivery domain: ict24happs.mail.onmicrosoft.com; Archive: Move the primary mailbox
and the archive mailbox if one exists (selected), or Move archive mailbox only, without moving
primary mailbox (this option is only valid for mailboxes on Exchange 2010 and Exchange 2013); Bad
item limit: 10; Large item limit: blank.]

14. Select the recipient which receives the report after the batch is complete. Select Automatically
start the batch and Automatically complete the migration batch depending on your
expectation.

[Screenshot: new migration batch, Start the batch. "A new migration batch will be created after you
click new." Start option: Automatically start the batch (selected), or manually start it later by
selecting it in the migration dashboard and then clicking Start. Complete option: Manually complete
the batch (by clicking the "Complete this migration batch" link on the right), or Automatically
complete the migration batch.]

15. Wait until the status is Completed.

[Screenshot: Exchange admin center, recipients > migration. Batch "Migrate LamCT to O365", status
Completed.]
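Steps 6 to 15 create a migration endpoint and a remote move batch; the following added example (written for this guide, not the eBook's own code) does the same from Exchange Online PowerShell so that the batch can be scripted and polled. The MRS proxy host mail.ict24h.info, the target delivery domain, the batch name, the bad item limit of 10 and the alias LamCT come from the page; the endpoint name and the user's address lamct@ict24h.info are assumptions. The page dates from 2016, when Exchange Online was reached through a Basic-authenticated remote session; on a current tenant replace the session lines with Connect-ExchangeOnline from the ExchangeOnlineManagement module, the migration cmdlets are unchanged.

```powershell
# Added example (not from the eBook): remote move migration batch from
# Exchange Online PowerShell. Endpoint name and user address are assumptions.

# Beforehand, on EX01 (Exchange Management Shell), the MRS Proxy must be on:
#   Set-WebServicesVirtualDirectory -Identity 'EX01\EWS (Default Web Site)' -MRSProxyEnabled $true

# Connect to Exchange Online (2016-era remote session; see note above).
$o365 = Get-Credential -Message 'Office 365 administrator'
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $o365 -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking | Out-Null

# Steps 11-12: endpoint pointing at the on-premises MRS Proxy.
$onprem = Get-Credential -Message 'On-premises administrator (ICT24H\user)'
$endpoint = Get-MigrationEndpoint -Identity 'ICT24H-OnPrem' -ErrorAction SilentlyContinue
if (-not $endpoint) {
    $endpoint = New-MigrationEndpoint -ExchangeRemoteMove -Name 'ICT24H-OnPrem' `
        -RemoteServer 'mail.ict24h.info' -Credentials $onprem
}

# Steps 13-14: one mailbox, primary plus archive (the default), bad item
# limit 10, auto-start, manual completion so the cutover moment is chosen.
$csv = "EmailAddress`r`nlamct@ict24h.info`r`n"   # constructed sample input
$batch = New-MigrationBatch -Name 'Migrate LamCT Email to O365' `
    -SourceEndpoint $endpoint.Identity `
    -TargetDeliveryDomain 'ict24happs.mail.onmicrosoft.com' `
    -CSVData ([Text.Encoding]::UTF8.GetBytes($csv)) `
    -BadItemLimit 10 `
    -NotificationEmails 'admin@ict24happs.onmicrosoft.com' `
    -AutoStart

# Step 15: poll until the initial sync is done (Synced) or the batch fails.
do {
    Start-Sleep -Seconds 60
    $b = Get-MigrationBatch -Identity $batch.Identity
    '{0:HH:mm}  {1}  synced {2}/{3}  failed {4}' -f (Get-Date), $b.Status, $b.SyncedCount, $b.TotalCount, $b.FailedCount
} while ($b.Status.ToString() -notin 'Synced', 'Completed', 'Failed')

# Finalize in the chosen maintenance window (the "Complete this migration
# batch" link), then drop the session.
if ($b.Status.ToString() -eq 'Synced') { Complete-MigrationBatch -Identity $b.Identity -Confirm:$false }
Remove-PSSession $session
```

Get-MigrationUserStatistics -Identity lamct@ict24h.info -IncludeReport shows why a batch stays in Failed, typically an MRS proxy that is not enabled, a certificate the tenant does not trust, or the coexistence address missing from the mailbox.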

Now you have done the migration test to verify the hybrid configuration. As seen, when hybrid is
successfully configured you can work with both on-premises Exchange and Exchange Online in the
same experience.

Lab 3 - Skype for Business Hybrid Configuration


In this lab, we walk through installing the prerequisites for the Skype for Business Server
deployment, and then the hybrid configuration.

Lab 3.1 - Install Skype for Business Server Admin Tool

Before hybrid deployment, you need to install some features and roles required for Skype for
Business 2015, including the installation of pre-requisites. Perform the following steps:

1. Log into the virtual machine on which you are going to deploy Skype for Business 2015.

2. Open PowerShell and install the features and roles required for the Skype for Business 2015
deployment:

Add-WindowsFeature NET-Framework-Core, RSAT-ADDS, Windows-Identity-Foundation, Web-Server,
    Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Dir-Browsing, Web-Asp-Net, Web-Net-Ext,
    Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor,
    Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering,
    Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45,
    Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Server-Media-Foundation, BITS

The command reports Success True, Restart Needed Yes, Exit Code SuccessRestartRequired, and ends
with:

WARNING: You must restart this server to finish the installation process.
WARNING: Windows automatic updating is not enabled. To ensure that your newly-installed role or
feature is automatically updated, turn on Windows Update.

3. Now you need to create a file share, because Skype for Business 2015 requires it in order
to exchange files among servers.

4. Grant Full Control, Change and Read permissions on this file share to the domain
administrator account.

5. Open the DVD where the Skype for Business Server 2015 installation source is stored. Run the
setup.exe file or autorun.

6. In the Skype for Business Server 2015 installation window, select Don't check for updates
right now. Specify the installation location, then click Install.

7. In License Agreement page, read licensing agreement carefully. Select I accept the terms in
the license agreement. Click OK.

8. In Install Administrative Tools page, click Next.

9. Wait until the installation is complete. Click Finish.

You have successfully installed administrative tools for Skype for Business Server 2015 deployment.
Now you are going to need to prepare Active Directory with the support of Deployment Wizard. Perform
the following steps:

1. From the Deployment Wizard, click Prepare Active Directory.

2. From Step 1: Prepare Schema, click Run.

3. Wait until the schema preparation process is complete. Click Finish.

4. From Step 3: Prepare Current Forest, click Run.

5. In Prepare Forest page, click Next.

6. In Universal Group Location page, select Local domain. Click Next.

7. Final step is to add domain administrator to CSAdministrator group.

Lab 3.2 - Install Skype for Business Server 2015

In this lab, we are going to install and configure Skype for Business Server 2015 in an on-premises
environment. The topology for the lab consists of two virtual machines: Front End Pool and Edge
Server. Before the lab, create internal DNS records as follows:

Type   Record name                           Points to
A      sfb.ict24h.info                       Front End server: 192.168.1.8
A      lyncdiscover.ict24h.info              Front End public IP (used by internal mobile clients): 125.253.124.163
A      lyncdiscoverinternal.ict24h.info      Front End server: 192.168.1.8
A      dialin.ict24h.info                    Front End server: 192.168.1.8
A      meeting.ict24h.info                   Front End server: 192.168.1.8
A      admin.ict24h.info                     Front End server: 192.168.1.8
A      edge.ict24h.info                      Edge server: 192.168.1.9
A      sip.ict24h.info                       Front End server: 192.168.1.8
SRV    _xmpp-server._tcp.ict24h.info         sip.ict24h.info, port 5269
SRV    _sipinternaltls._tcp.ict24h.info      sip.ict24h.info, port 5061
SRV    _sipfederationtls._tcp.ict24h.info    sip.ict24h.info, port 5061

Create external DNS records as follows:


Type   Record name                           Points to
A      lyncdiscover.ict24h.info              TMG public IP: 125.253.124.163
A      sfb.ict24h.info                       TMG public IP: 125.253.124.163
A      edge.ict24h.info                      Edge public IP: 125.253.124.164
A      dialin.ict24h.info                    TMG public IP: 125.253.124.163
A      meeting.ict24h.info                   TMG public IP: 125.253.124.163
A      sip.ict24h.info                       Edge public IP: 125.253.124.164
SRV    _sip._tls.ict24h.info                 sip.ict24h.info, port 5061
SRV    _xmpp-server._tcp.ict24h.info         sip.ict24h.info, port 5269
SRV    _sipfederation._tcp.ict24h.info       sip.ict24h.info, port 5061
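The internal records in the first table are easy to mistype by hand, and a wrong SRV target or port is the classic cause of a Skype for Business client that cannot sign in. The following added example (written for this guide, not code from the eBook) creates the internal zone records from a small table with the DnsServer module on the internal DNS server and resolves a few of them back. Names, addresses and ports are the page's values; the DNS server name AD01 and the DnsServer module being present on it are assumptions.

```powershell
# Added example (not from the eBook): create the internal DNS records of
# Lab 3.2 with the DnsServer module. AD01 as DNS server is an assumption.
Import-Module DnsServer
$zone = 'ict24h.info'
$dns  = 'AD01'
$fe   = '192.168.1.8'           # Front End server
$edge = '192.168.1.9'           # Edge server
$fePublic = '125.253.124.163'   # Front End public IP, used by internal mobile clients

# Host (A) records from the table: name (relative to the zone) -> address.
$aRecords = [ordered]@{
    'sfb'                  = $fe
    'lyncdiscover'         = $fePublic
    'lyncdiscoverinternal' = $fe
    'dialin'               = $fe
    'meeting'              = $fe
    'admin'                = $fe
    'edge'                 = $edge
    'sip'                  = $fe
}
foreach ($name in $aRecords.Keys) {
    $exists = Get-DnsServerResourceRecord -ComputerName $dns -ZoneName $zone -Name $name -RRType A -ErrorAction SilentlyContinue
    if (-not $exists) {
        Add-DnsServerResourceRecordA -ComputerName $dns -ZoneName $zone -Name $name -IPv4Address $aRecords[$name]
    }
}

# SRV records from the table; all target sip.ict24h.info.
$srvRecords = @(
    @{ Name = '_xmpp-server._tcp';      Port = 5269 },
    @{ Name = '_sipinternaltls._tcp';   Port = 5061 },
    @{ Name = '_sipfederationtls._tcp'; Port = 5061 }
)
foreach ($s in $srvRecords) {
    $exists = Get-DnsServerResourceRecord -ComputerName $dns -ZoneName $zone -Name $s.Name -RRType Srv -ErrorAction SilentlyContinue
    if (-not $exists) {
        Add-DnsServerResourceRecord -Srv -ComputerName $dns -ZoneName $zone -Name $s.Name `
            -DomainName "sip.$zone" -Priority 0 -Weight 0 -Port $s.Port
    }
}

# Verify from any domain member: the records clients actually query at sign-in.
Resolve-DnsName "sip.$zone" -Type A | Select-Object Name, IPAddress
Resolve-DnsName "lyncdiscoverinternal.$zone" -Type A | Select-Object Name, IPAddress
Resolve-DnsName "_sipinternaltls._tcp.$zone" -Type SRV | Select-Object Name, NameTarget, Port, Priority
```

Internal clients try _sipinternaltls._tcp first and then fall back to the sip host record, so both must resolve to the Front End; the external table is created at the public DNS provider in the same way as the Exchange records in Lab 2.3.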

[Screenshot: DNS Manager on AD01, ict24h.info forward lookup zone, showing the internal A records (lyncdiscover 125.253.124.163; admin, dialin, lyncdiscoverinternal, meet, sfb and sip 192.168.1.8; edge 192.168.1.9) alongside the existing records for mail (192.168.1.7) and the MX record for mail.ict24h.info.]

Perform the following steps to install the Front End Pool server on the SFB virtual machine
(sfb.ict24h.info):

1. Open the DVD source. Navigate to the amd64 folder (under the Setup folder) and install SQL Server
Express Edition (SQLEXPR_x64).


2. Install SQL Server Express with the instance name RTC. After the installation is complete, go to
SQL Server Configuration Manager and enable TCP/IP so that your SQL Server Express instance can
communicate over the TCP/IP protocol.

3. You also need to verify the default port 1433 and make sure the SQL Server Browser service is
running with the Automatic startup type.

4. Now you need to design and publish the topology for your Skype for Business Server 2015. This
is done with the Skype for Business Server Topology Builder tool you installed in Lab 3.1.
Run Topology Builder, select New Topology and click OK.

5. Specify the location to store topology configuration file, and name your topology.
6. In Define the primary domain page, enter your primary SIP domain. Click Next.


7. In Specify additional supported domains page, if you have no additional SIP domain,
leave it blank and select Next.
8. In Define the first site page, enter your site name. Select Next.

9. In Specify site details page, provide more information about your new site. Select Next.


10. In New topology was successfully defined page, select Open the New Front End
Wizard when this wizard closes in order to start defining the Front End Pool server. Click
Finish.

11. In Define the New Front End pool page, click Next.


12. In Define the Front End pool FQDN page, enter FQDN of your SFB virtual machine. Select
Standard Edition Server. Click Next.

13. In Select features page, select Conferencing (includes audio, video, and application
sharing) and select Call Admission Control. These features are selected for lab testing purposes
only. Click Next.


14. In Select collocated server roles and Associate server roles with this Front End
pool pages you can assign more roles to the Front End pool you are configuring.
15. In Define the SQL Server store page, select your SQL Express instance you configured.
Click Next.

16. In Define the file store page, enter file server FQDN and file share. Click Next.


17. In Specify the Web Services URL page, enter external base URL. Click Next.

18. In Select an Office Web App Server page, if you have a server hosting Office Web Apps
services select it; otherwise leave it blank. Click Finish.


19. Once you are done, the Topology Builder window shows the pool with an active status (green icon).

20. Right click on Skype for Business Server 2015. Select Topology > Publish.


21. In Publish the topology page, click Next.

22. In Select Central Management Server page, select Front End pool server you just configured.


23. In Publishing wizard complete page, you may click to open the to-do list; otherwise click
Finish.

You have completed the tasks of defining the Front End Pool server and publishing the topology.
Perform the following steps to start installing Skype for Business Server 2015:

1. On SFB virtual machine, run Skype For Business Server 2015 Deployment Wizard. Click
Install or Update Skype for Business Server System.


2. In Install or update member system page, click Run from Step 1: Install Local
Configuration Store.

3. In Configure Local Replica of Central Management Store page, select Retrieve directly
from the Central Management store (requires read access to the Central Management
store). Click Next.


4. In Executing Commands page, wait until the process is complete. Click Finish.

5. Now you need to start installing Skype for Business Server Component. Click Run from Step
2.


6. In Set Up Skype for Business Server Components page, click Next.

7. In Executing Commands page, wait until the process is complete. Click Finish.


8. From Step 3: Request, Install or Assign Certificate, click Run.

9. In the Certificate Wizard window, select Import Certificate to import the certificate you
purchased (in this case from Comodo).


10. Browse to your certificate, and enter password of the private key you set before. Click
Next.

11. In Import Certificate Summary page, review your configuration. Click Next.


12. In Executing Commands page, wait until the process is complete. Click Finish.

13. Back in the Certificate Wizard window, click Assign to assign the certificate to the Front End Pool
server.


14. In Certificate Store page, you will see your wildcard certificate. Click Next.

15. In Certificate Assignment Summary page, review your certificate information again. Click
Next.


16. In Executing Commands page, wait until the process is complete. Click Finish.

17. Repeat assigning certificate steps for other web services. Click Close.

18. Back in the Deployment Wizard window, step 4 instructs you to run Start-CsWindowsService
on every server. Open PowerShell and run it:

    PS C:\Users\administrator.ICT24H> Start-CsWindowsService

19. Click Run from Service Status (Optional)


20. Open Services.msc to verify all running services for Skype for Business Server.
[Screenshot: Services.msc on the Front End server listing the Skype for Business Server services (Application Sharing, Audio Test Service, Audio/Video Conferencing, Centralized Logging Agent, File Transfer Agent, Front-End, Health Agent, IM Conferencing, Master Replicator Agent, Replica Replicator Agent, Web Conferencing, XMPP Translating Gateway), all with status Running and startup type Automatic (Delayed Start), logging on as Network Service.]
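Instead of scanning Services.msc by eye, the services can be started and checked from the Skype for Business Server Management Shell. The script below is an added example, not from the eBook; it applies equally to step 18 to 20 here on the Front End and to step 42 of the Edge server installation later in this lab. It assumes it is run on the server being checked, in an elevated Skype for Business Server Management Shell, and that every service whose display name starts with "Skype for Business Server" is expected to be Running with an automatic start mode.

```powershell
# Added example (not from the eBook): start the Skype for Business Server services and wait
# for all of them to reach Running, then flag any that would not survive a reboot.
# Assumes an elevated Skype for Business Server Management Shell on the server being checked.

function Wait-CsServicesRunning {
    param([int]$TimeoutSeconds = 300, [int]$PollSeconds = 10)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        # Get-Service is used because Status/DisplayName are stable across PowerShell versions;
        # Get-CsWindowsService lists the same services grouped by server role.
        $services = Get-Service -DisplayName 'Skype for Business Server*'
        $pending  = @($services | Where-Object { $_.Status -ne 'Running' })
        if ($pending.Count -eq 0) { return $services }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    $names = ($pending | ForEach-Object { $_.DisplayName }) -join ', '
    throw "Timed out after $TimeoutSeconds s; still not running: $names"
}

function Get-CsServiceStartModeIssues {
    # Services installed with Manual or Disabled start mode will not come back after a restart.
    Get-CimInstance Win32_Service -Filter "DisplayName LIKE 'Skype for Business Server%'" |
        Where-Object { $_.StartMode -ne 'Auto' } |
        Select-Object DisplayName, StartMode, State
}

Start-CsWindowsService
$running = Wait-CsServicesRunning
$running | Format-Table DisplayName, Status -AutoSize

$issues = @(Get-CsServiceStartModeIssues)
if ($issues.Count -gt 0) {
    Write-Warning 'The following services are not set to start automatically:'
    $issues | Format-Table -AutoSize
}
```

A service that never leaves the Start Pending state is usually a certificate or Central Management Store replication problem; check the Skype for Business Server event log before re-running the wizard step.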
21. Click Run from Enable Microsoft Update.


22. In Enable Microsoft Update page, select Use Microsoft Update when I check for
updates (recommended). Click OK.
23. Wait until the process is complete. You have completed the Front End Server installation.

Now you need to install and configure Edge Server. Perform the following steps:

1. Because the Edge server is not joined to the domain and is placed in the DMZ, you need to
configure a Primary DNS suffix for this server.


2. Configure the IP addresses for the two network interfaces on the Edge server. Note that only the
DMZ (external) interface has a default gateway; the internal interface has none, which is the expected
Edge configuration (internal subnets are reached via static routes).

    PS C:\Users\Administrator> ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : EDGE
       Primary Dns Suffix  . . . . . . . : ict24h.info
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : ict24h.info

    Ethernet adapter DMZ:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection #2
       Physical Address. . . . . . . . . : 00-0C-29-F3-EA-12
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 172.16.1.9(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 172.16.1.1
       DNS Servers . . . . . . . . . . . : 192.168.1.5
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Ethernet adapter Internal:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
       Physical Address. . . . . . . . . : 00-0C-29-F3-EA-08
       DHCP Enabled. . . . . . . . . . . : No
       IPv4 Address. . . . . . . . . . . : 192.168.1.9(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . :
       DNS Servers . . . . . . . . . . . : 192.168.1.5
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.{850370F1-71CE-4719-ADA5-40B6C52CD247}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

3. Before installing Edge server, you need .NET Framework 3.5. Go to Server Manager and
install features.


4. Import the wildcard certificate from the Front End to the Edge server. You can refer to the steps in Lab 1.1.

5. On the Front End server (sfb.ict24h.info), run Topology Builder. Right-click Edge pools
and select New Edge Pool.

6. In Define the New Edge Pool page, click Next.

7. Enter the FQDN of the Edge server whose IP addresses you just configured (in our case
edge.ict24h.info). Select This pool has one server. Click Next.


8. In Enable federation page, select all options. Click Next.

9. In Select features page, select Use a single FQDN and IP address. Click Next.


10. In Select IP options page, enable IPv4 for both internal and external interfaces. Select The
external IP address of this Edge pool is translated by NAT. Click Next.

11. In External FQDNs page, enter FQDN of your Edge server and enter correct port. Click
Next.


12. In Define the internal IP address page, enter the internal IP address of your Edge
server. Click Next.

13. In Define the external IP address page, enter external IP address of your Edge server. Click
Next.


14. In Define the public IP address page, enter the public IP address of your Edge server. Click
Next.

15. In Define the next hop server page, select Front End Pool. Click Next.


16. In Associate Front End or Mediation pools page, select your Front End pool to
associate with your Edge pool. Click Finish.

17. Review Edge pool information you have completed.


18. Right click on Site name (ICT24h). Select Edit properties. Configure all settings per
screenshot below. Click OK.

19. Publish the topology again


20. Export configuration into zip file by running the following command with PowerShell

Export-CSConfiguration -Filename c:\edge.zip

21. Copy edge.zip file onto the Edge server and start installing Skype for Business Server
2015 on this server.
22. Open DVD source and run Setup.exe. Select Connect to the internet to check for
updates. Click Install.

23. In Licensing Agreement page, read the license terms carefully. Select I accept the terms in the
license agreement. Click OK.

24. From Deployment Wizard on Edge server, select Install or Update Skype for Business
Server System. Click OK.

25. Click Run from step 1


26. Select Import from a file (recommended for Edge Servers) and browse to the
edge.zip file you exported before. Click Next.

27. In Executing Commands page, wait until the process is complete. Click Finish.


28. Back to Deployment Wizard windows, click Run from step 2.

29. In Set Up Skype for Business Server Component page, click Next.


30. In Executing Commands page, wait until the process is complete. Click Finish.

31. Next step is to configure certificate. Click Run from step 3.


[Screenshot: Skype for Business Server 2015 Deployment Wizard, Install or update member system. Step 3: Request, Install or Assign Certificates ("This step starts the Certificate Wizard. Create certificate request for local system. Install, and assign certificates for this system based on the topology definition."; prerequisites: local administrator rights and domain user credentials with read access to Active Directory users and groups). Step 4: Start Services is shown as Manual ("To start the services in a user pool, connect to one of the servers in the pool and run the Start-CsPool cmdlet ... To start the services in a non-user pool, run the Start-CsWindowsService cmdlet on every server in the pool.") and reports "Not Available: Not all certificate usages have been assigned." Service Status (Optional) starts the Services MMC tool.]

32. In Certificate Wizard windows, select Edge internal. Click Assign.

33. In Certificate Assignment page, click Next.


34. In Certificate Store page, select your wildcard certificate. Click Next.

35. In Certificate Assignment Summary page, review your certificate information. Click
Next.


36. In Executing Commands page, wait until the process is complete. Click Finish.
37. In Certificate Wizard page, select other web services to assign certificate. Click
Assign.

38. In Certificate Assignment page, click Next.


39. In Certificate Store page, select your wildcard certificate. Click Next.

40. In Certificate Assignment Summary page, review your certificate information. Click
Next.


41. In Executing Commands page, wait until the process is complete. Review status in
Certificate Wizard windows again. Click Close.

42. Now you need to open PowerShell to run Start-CsWindowsService command and also verify
all running services from Services.msc.


43. From Deployment Wizard, run Windows Update to check all updates available for Skype for
Business Server 2015.

You have successfully set up and configured Skype for Business Server 2015 on your Edge server.

Lab 3.3 - Configure Hybrid Mode for Skype for Business Server 2015

Before this lab, make sure you completed Active Directory Federation Services installation and
configuration in Lab 1.3. Perform the following steps to configure Hybrid mode:

1. On the Front End server (sfb.ict24h.info), run PowerShell as an administrator and run the
following commands. When you are asked for your Office 365 credentials, enter the administrator
account:

    Import-Module SkypeOnlineConnector
    $cred = Get-Credential
    $CSSession = New-CsOnlineSession -Credential $cred
    Import-PSSession $CSSession -AllowClobber
    Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true

[Screenshot: PowerShell output of the commands above. Import-Module SkypeOnlineConnector prints "WARNING: WSMan NetworkDelayms has been set to 30000 milliseconds. The previous value was 5000 milliseconds." and "WARNING: To improve the performance of the Lync Online Connector, it is recommended that the network delay be set to 30000 milliseconds (30 seconds). However, you can use Set-WinRMNetworkDelayMS to change the network delay to any integer value." Import-PSSession then lists the temporary module (ExportedCommands such as Clear-CsOnlineTelephoneNumberReservation, Copy-CsVoicePolicy, ...).]


2. Next, run the command below to configure federation:

    Set-CsHostingProvider -Identity "Skype For Business Online" `
        -EnabledSharedAddressSpace $true `
        -HostsOCSUsers $true `
        -VerificationLevel UseSourceVerification `
        -AutodiscoverUrl https://webdir0f.online.lync.com/Autodiscover/AutodiscoverService.svc/root

[Screenshot: the Set-CsHostingProvider command followed by Get-CsHostingProvider, whose output shows Identity "Skype For Business Online", ProxyFqdn sipfed.online.lync.com, VerificationLevel UseSourceVerification, the Enabled, EnabledSharedAddressSpace, HostsOCSUsers and IsLocal properties, and the AutodiscoverUrl set above.]
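Once both commands have run, the on-premises hosting provider and the tenant's federation configuration should agree. The script below is an added example, not part of the eBook; it assumes it runs in the same Skype for Business Server Management Shell session in which step 1 imported the online cmdlets (so Get-CsTenantFederationConfiguration is available), and it treats the AutodiscoverUrl and ProxyFqdn values shown on this page as the expected ones.

```powershell
# Added example (not from the eBook): confirm the hybrid settings on both sides match what
# the setup requires before any user is moved. Assumes the online session from step 1 is
# still imported. $expectedAutodiscover is the URL the eBook uses for the hosting provider.
$expectedAutodiscover = 'https://webdir0f.online.lync.com/Autodiscover/AutodiscoverService.svc/root'

function Test-CsHybridConfiguration {
    $hp = Get-CsHostingProvider -Identity 'Skype For Business Online' -ErrorAction Stop
    $tf = Get-CsTenantFederationConfiguration -ErrorAction Stop   # online cmdlet from Import-PSSession

    $checks = @(
        [pscustomobject]@{ Setting = 'HostingProvider.Enabled';                  Expected = $true;                     Actual = $hp.Enabled }
        [pscustomobject]@{ Setting = 'HostingProvider.EnabledSharedAddressSpace'; Expected = $true;                     Actual = $hp.EnabledSharedAddressSpace }
        [pscustomobject]@{ Setting = 'HostingProvider.HostsOCSUsers';            Expected = $true;                     Actual = $hp.HostsOCSUsers }
        [pscustomobject]@{ Setting = 'HostingProvider.VerificationLevel';        Expected = 'UseSourceVerification';   Actual = [string]$hp.VerificationLevel }
        [pscustomobject]@{ Setting = 'HostingProvider.ProxyFqdn';                Expected = 'sipfed.online.lync.com';  Actual = $hp.ProxyFqdn }
        [pscustomobject]@{ Setting = 'HostingProvider.AutodiscoverUrl';          Expected = $expectedAutodiscover;     Actual = $hp.AutodiscoverUrl }
        [pscustomobject]@{ Setting = 'Tenant.SharedSipAddressSpace';             Expected = $true;                     Actual = $tf.SharedSipAddressSpace }
    )
    foreach ($c in $checks) {
        # Compare as strings so $true/'True' and URL casing differences do not produce false alarms
        $ok = ([string]$c.Actual).Trim().ToLower() -eq ([string]$c.Expected).Trim().ToLower()
        $c | Add-Member -NotePropertyName OK -NotePropertyValue $ok -PassThru
    }
}

$report = Test-CsHybridConfiguration
$report | Format-Table Setting, Expected, Actual, OK -AutoSize
if (@($report | Where-Object { -not $_.OK }).Count -gt 0) {
    Write-Warning 'Hybrid configuration is incomplete; correct the settings flagged above before moving users.'
}

# Hybrid traffic rides the federation route through the Edge, so federation must be allowed
# on-premises as well. Review these values rather than changing them blindly.
Get-CsAccessEdgeConfiguration | Select-Object AllowFederatedUsers, EnablePartnerDiscovery, UseDnsSrvRouting
```

If Get-CsTenantFederationConfiguration is not recognised, the remote session from step 1 has expired; run New-CsOnlineSession and Import-PSSession again before repeating the check.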

3. Open Skype for Business Server Control Panel and sign in to Office 365 with the administrator
account.

4. Click Set up hybrid with Skype for Business Online.

[Screenshot: Skype for Business Server Control Panel, Home page (version 6.0.9319.0). Under Using Office 365 it shows "You are signed on to Office 365 as: admin@ict24happs.onmicrosoft.com", the links "Sign-in to Office 365 using a different account", "Set up hybrid with Skype for Business Online" and "Check recommendations from Office 365", next to the usual Top Actions (Enable users for Skype for Business Server, Edit or move users, View topology status, View Monitoring reports) and Getting Started links.]


5. In Set up Hybrid with Skype for Business Online window, click Next. The window explains the
prerequisites:

    In a hybrid deployment, some of your users have accounts homed on Skype for Business Server
    on-premises while other users have accounts homed on Skype for Business Online. However, all
    users share the same domain. For example, all users might have SIP addresses on contoso.com.

    To set up a hybrid deployment, you'll need to:
    - Have an Office 365 account that includes Skype for Business Online.
    - Configure Active Directory synchronization between Skype for Business Server and Office 365.
    - Configure user authentication by either setting up Directory sync with Password Sync, or by
      configuring Active Directory Federation Services (AD FS).
    - Set up an Audio Conferencing Provider if you plan to use ACP in your hybrid deployment.

    If your deployment meets these prerequisites select Next.

    If you need more information about installing or configuring these prerequisites, see:
    Skype for Business Server hybrid deployments

6. The tool checks whether your on-premises configuration is correctly set up with the federation
service. Make sure every required configuration item is verified.


7. Test the hybrid setup by moving one user from on-premises Skype for Business to Office 365. Select
Users from the left navigation. Choose one user and select Action > Move selected users to Skype for
Business Online.

8. Read Microsoft's guidance carefully. Make sure the user you want to move has a Skype for
Business Online license assigned. Click Next. The Move users to Skype for Business Online window
states:

    Before you move the selected users to Skype for Business Online, you should make sure that:
    - Each user is assigned a license for Office 365. A license is required to sign in to Office 365
      and use services such as Skype for Business Online.
    - You are familiar with the differences between the features supported in Skype for Business
      Server and Skype for Business Online. The user experience may be different for some users
      depending on how they use Skype for Business. For more information, see
      Compare Skype for Business Options


9. You will see the status from the windows. Click Close.

10. Verify the status in Skype for Business Server control panel.

You have finished setting up Hybrid mode between the on-premises Skype for Business Server and Skype for
Business Online.

The last step is to publish your on-premises Skype for Business Server to the Internet and test its
functionality for both types of users, on-premises and online. Before doing that, make sure your
firewall rules are configured correctly for the required ports:


Public IP         Public Port    Private IP     Private Port   Reason
125.253.124.163   443/TCP        192.168.1.8    4443/TCP       Lync Web Services, Dial-In, Web App, Address Book
125.253.124.164   443-444/TCP    172.16.1.9     443-444/TCP    A/V Edge (443), Web Conferencing (444)
125.253.124.164   5269/TCP       172.16.1.9     5269/TCP       XMPP (eXtensible Messaging and Presence Protocol) Federation
125.253.124.164   3478/UDP       172.16.1.9     3478/UDP       STUN, required for PIC (public IM connectivity)
125.253.124.164   5061/TCP       172.16.1.9     5061/TCP       Access Edge (5061), SIP federated connectivity
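Once the TMG publishing rules that follow are in place, the table above is also a test plan: every public port should answer from the Internet, and the TLS endpoints should present the wildcard certificate assigned earlier in this lab rather than a TMG or default certificate. The script below is an added example, not from the eBook. It uses the lab's public addresses and ports, is meant to run from a host outside the network, and assumes (an assumption, since the eBook only says the certificate was bought from Comodo) that the certificate subject contains *.ict24h.info. UDP 3478 cannot be probed this way and is called out in the comments.

```powershell
# Added example (not from the eBook): from an Internet host, confirm each published TCP port
# answers and that the TLS endpoints present the expected wildcard certificate.
# Addresses/ports are the lab's values from the table above; adjust for your environment.
# $expectedCertPattern is an assumption (lab wildcard certificate for ict24h.info).
$expectedCertPattern = '\*\.ict24h\.info'

# Sni = $null means reachability only: A/V Edge 443 (TURN) and XMPP 5269 (STARTTLS)
# do not begin with a plain TLS handshake, so no certificate is fetched for them.
$tcpTargets = @(
    @{ Host = '125.253.124.163'; Port = 443;  Sni = 'sfb.ict24h.info'; Role = 'Web services via TMG' }
    @{ Host = '125.253.124.164'; Port = 443;  Sni = $null;             Role = 'A/V Edge' }
    @{ Host = '125.253.124.164'; Port = 444;  Sni = 'sip.ict24h.info'; Role = 'Web Conferencing Edge' }
    @{ Host = '125.253.124.164'; Port = 5061; Sni = 'sip.ict24h.info'; Role = 'Access Edge / SIP federation' }
    @{ Host = '125.253.124.164'; Port = 5269; Sni = $null;             Role = 'XMPP federation' }
)

function Get-RemoteTlsCertificate {
    param([string]$HostName, [int]$Port, [string]$Sni, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    $handle = $client.BeginConnect($HostName, $Port, $null, $null)
    if (-not $handle.AsyncWaitHandle.WaitOne($TimeoutMs)) {
        $client.Close(); throw "Connect timeout to ${HostName}:${Port}"
    }
    $client.EndConnect($handle)
    # Accept whatever the server presents: this reads the certificate for inspection, it does not trust it.
    $noCheck = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $noCheck)
    try {
        $ssl.AuthenticateAsClient($Sni)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $client.Close()
    }
}

function Test-PublishedEndpoints {
    foreach ($t in $tcpTargets) {
        $open = Test-NetConnection -ComputerName $t.Host -Port $t.Port -InformationLevel Quiet -WarningAction SilentlyContinue
        $subject = ''; $expires = $null; $certOk = $null
        if ($open -and $t.Sni) {
            try {
                $cert    = Get-RemoteTlsCertificate -HostName $t.Host -Port $t.Port -Sni $t.Sni
                $subject = $cert.Subject
                $expires = $cert.NotAfter
                # Right name and at least 30 days of validity left
                $certOk  = ($cert.Subject -match $expectedCertPattern) -and ($cert.NotAfter -gt (Get-Date).AddDays(30))
            } catch {
                $subject = "TLS error: $($_.Exception.Message)"; $certOk = $false
            }
        }
        [pscustomobject]@{
            Role = $t.Role; Endpoint = "$($t.Host):$($t.Port)"; Open = $open
            CertSubject = $subject; Expires = $expires; CertOK = $certOk
        }
    }
}

Test-PublishedEndpoints | Format-Table -AutoSize

# UDP 3478 (STUN) has no handshake to probe from here; confirm media traversal with an
# external client sign-in or the Microsoft Remote Connectivity Analyzer.
```

A port that is Open but returns a certificate with the wrong subject usually means the TMG listener or the Edge external interface was assigned a different certificate than the one imported in this lab; fix the assignment rather than relaxing the check.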

Perform the following steps on TMG virtual machine you prepared at the beginning of your lab:

1. Create a Network Rule that translates outbound traffic from the Edge server (172.16.1.9) to
the Internet using this IP address: 125.253.124.164 (your IP address may be different).

2. In the firewall policy, create an access rule that allows all outbound traffic from the Edge server.


[Screenshot: Forefront TMG 2010 Firewall Policy showing the existing rules: "Skype for Business..." (Allow, HTTPS, Web Listener, sfb.ict24h.info, All Users), "RDP to EX" (Allow, RDP 3392, External, 192.168.1.7), "RDP to REMOTE" (Allow, RDP (Terminal...), All Networks, 192.168.1.115) and "Edge to all" (Allow, All Outbound..., Edge-Server, All Networks, All Users).]

3. Create server publishing rules for the ports listed above by selecting the Tasks tab and then
Publish Non-Web Server Protocols.

[Screenshot: Firewall Policy Tasks pane with Publish Exchange Client Access, Publish Mail Servers, Publish SharePoint Sites, Publish Web Sites, Publish Non-Web Server Protocols, Create Access Rule, Configure VoIP and Configure Client Access.]

4. In the welcome page, enter a name for the server publishing rule. Click Next.

[Screenshot: New Server Publishing Rule Wizard, "Welcome to the New Server Publishing Rule Wizard. This wizard helps you create a new server publishing rule. Server publishing rules map incoming client requests to the appropriate internal server." with the Server publishing rule name field.]


5. In Select Server page, enter the IP address of your Edge server. Click Next.

6. In Select Protocol page, select SIPS Server. Click Next.

7. In Network Listener IP Addresses page, select External. Click Address...


8. In the External Network Listener IP Selection window, select Specified IP addresses on the
Forefront TMG computer in the selected network and enter the public IP address. Click OK.

9. Review your configuration again. Click Finish.


[Screenshot: New Server Publishing Rule Wizard completion page, "You have successfully completed the New Server Publishing Rule Wizard. The new Server Publishing Rule will have the following configuration": Published Server, Published Service: SIPS Server, Listen on: External. "To close the wizard, click Finish."]

10. Repeat steps 3 to 9 for the other ports: TCP 443-444, TCP 5269, UDP 3478.

[Screenshot: Forefront TMG 2010 Firewall Policy after publishing, showing in addition to the earlier rules: "AV WebConf" (Allow, AV WebConf, External, 172.16.1.9), "STUN Edge" (Allow, STUN Edge, External, 172.16.1.9), "XMPP Edge" (Allow, XMPP Server, External, 172.16.1.9), "SIPS Server" (Allow, SIPS Server, External, 172.16.1.9), "RDP to SFB" (Allow, RDP 3392, External, 192.168.1.8), "RDP to AD" (Allow, RDP 3392, External, 192.168.1.5) and "open port" (Allow, All Outbound, Internal to External, All Users).]

11. To publish ports 443 and 444, create a publishing rule named AV WebConf with the inbound port
range 443-444.


12. To publish UDP port 3478, create a protocol named STUN Edge. The direction is
Receive Send.

13. To publish TCP port 5269, create a protocol named XMPP Server.

14. From firewall rule, select Publish Web sites.


15. In welcome page, enter your web publishing rule name. Select Next.


16. On the Publishing Type page, select Publish a single Web site or load balancer. Click Next.

17. On the Server Connection Security page, select Use SSL to connect to the published Web server or server farm. Click Next.

18. On the Internal Publishing Details page, enter the internal site name. Click Next.


19. Enter "/*" as the path to include all files and subfolders.

20. Under Accept requests for, select This domain name (type below) and enter the public domain you configured earlier, again with the path "/*". Click Next.


21. Now create a new Web listener. On the welcome page of the New Web Listener Definition Wizard (a Web listener specifies how Forefront TMG listens for and authenticates incoming Web requests from clients), enter a name for the listener. Click Next.

22. On the Client Connection Security page, select Require SSL secured connections with clients. Click Next.


23. On the Web Listener IP Addresses page, select External and click Select IP Addresses.

24. In the selection window, choose Specified IP addresses on the Forefront TMG computer in the selected network and add the available external IP address. Click OK.


25. On the Listener SSL Certificates page, select Assign a certificate for each IP address, select your IP address and click Select Certificate.

26. In the Select Certificate window, select the wildcard certificate you imported earlier. Click Select.


27. Verify the assigned certificate on the Listener SSL Certificates page. Click Next.

28. On the Authentication Settings page, select No Authentication. Click Next. The Skype for Business web services authenticate users themselves, so the listener must not pre-authenticate on their behalf.


29. On the Single Sign On Settings page, click Next.

30. On the Authentication Delegation page, select No delegation, but client may authenticate directly. Click Next.


31. On the User Sets page, keep All Users as the set the rule applies to. Click Next.

32. Open the properties of the new Skype for Business 2015 rule in TMG.

33. On the Bridging tab, select Redirect requests to SSL port and change the port to 4443, the external web services port of the Front End. Click OK.


34. On the Public Name tab, add the two public names dialin.ict24h.info and meet.ict24h.info to the list.


35. Test the publishing rule by browsing to https://meet.ict24h.info. If you are prompted for credentials before you can join a meeting or chat, the hybrid configuration for Skype for Business Online is complete.
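The browser test above only proves that the web services answer. The following script, added here as an example and not part of the original guide, checks every published endpoint from an external workstation (PowerShell 3.0 or later): it confirms that each TCP port answers and, for the TLS ports, that the certificate presented through TMG covers the host name and chains to a trusted root. The host names sip.ict24h.info and the port list are assumptions for the lab domain; meet.ict24h.info and dialin.ict24h.info are the names from step 34.

```powershell
# Added example, not from the original guide: verify the endpoints published through TMG from outside.
function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Subject CN plus every DNS entry of the Subject Alternative Name extension
    # (PowerShell exposes the SAN entries of an X509Certificate2 as DnsNameList).
    $names = @($Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
    $names += @($Certificate.DnsNameList | ForEach-Object { $_.Unicode })
    $names | Where-Object { $_ } | Select-Object -Unique
}

function Test-HostNameMatch {
    param([string]$HostName, [string[]]$Names)
    # Exact match, or a single-label wildcard such as *.ict24h.info (the wildcard certificate of step 26).
    foreach ($n in $Names) {
        if ($n -ieq $HostName) { return $true }
        if ($n.StartsWith('*.') -and $HostName -imatch ('^[^.]+\.' + [regex]::Escape($n.Substring(2)) + '$')) { return $true }
    }
    return $false
}

function Test-PublishedEndpoint {
    param([string]$HostName, [int]$Port, [switch]$Tls, [int]$TimeoutMs = 5000)
    $r = [ordered]@{ Host = $HostName; Port = $Port; TcpOpen = $false; CertSubject = $null;
                     CertExpires = $null; NameMatches = $null; ChainValid = $null; Error = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { throw "connect timed out after $TimeoutMs ms" }
        $client.EndConnect($ar)
        $r.TcpOpen = $true
        if ($Tls) {
            # Accept any certificate during the handshake so that it can be inspected afterwards.
            $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
            $ssl.AuthenticateAsClient($HostName)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $r.CertSubject = $cert.Subject
            $r.CertExpires = $cert.NotAfter
            $r.NameMatches = Test-HostNameMatch -HostName $HostName -Names (Get-CertificateDnsNames $cert)
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $r.ChainValid = $chain.Build($cert)   # false for an untrusted issuer or an expired certificate
            $ssl.Close()
        }
    } catch {
        $r.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    [pscustomobject]$r
}

# Assumed external names: the reverse-proxy names of step 34 and an Edge access name (not on the page).
$checks = @(
    @{ HostName = 'meet.ict24h.info';   Port = 443;  Tls = $true  }   # web services via TMG, bridged to 4443
    @{ HostName = 'dialin.ict24h.info'; Port = 443;  Tls = $true  }
    @{ HostName = 'sip.ict24h.info';    Port = 5061; Tls = $true  }   # Edge access, SIPS Server rule
    @{ HostName = 'sip.ict24h.info';    Port = 444;  Tls = $true  }   # A/V authentication, 443-444 range
    @{ HostName = 'sip.ict24h.info';    Port = 5269; Tls = $false }   # XMPP federation; TLS starts later, so TCP only
)
foreach ($c in $checks) { Test-PublishedEndpoint @c } | Format-Table -AutoSize
```

A row with TcpOpen true but NameMatches false means the listener answers with a certificate for a different name (typically the wrong certificate selected in step 26); ChainValid false on a self-signed lab certificate is expected, but on a public certificate it points at a missing intermediate in the TMG certificate store. UDP 3478 cannot be checked this way because STUN gives no answer to a bare connect.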

Lab 4 - SharePoint Hybrid Configuration

In this lab, we walk through the steps to configure hybrid for SharePoint. We assume that you have already installed a SharePoint farm before this lab. Hybrid Search is our example, although SharePoint offers several other hybrid scenarios, including hybrid workflow; see http://thuansoldier.net/?p=4599

With hybrid search, you have the following types:

■ Outbound Search: allows users to search information stored in SharePoint Online from on-premises SharePoint Server.
■ Inbound Search: allows users to search information stored in on-premises SharePoint Server from SharePoint Online.
■ Two-way Search: combines Outbound and Inbound Search.


Perform the following steps to configure SharePoint hybrid search:

1. The very first step is to establish a trust between on-premises SharePoint Server and Azure Access Control Service (ACS), the identity provider of SharePoint Online. The trust rests on a certificate whose private key signs the tokens your farm sends to SharePoint Online. On the SharePoint Server, open IIS Manager > Server Certificates.

2. Click Create Self-Signed Certificate in the Actions panel.


3. On the Specify Friendly Name page, enter a name for your certificate and select the Personal store. Click OK.

4. Open the certificate you just created. Click the Details tab > Copy to File.

5. On the welcome page of the Certificate Export Wizard, click Next.


The Certificate Export Wizard copies certificates, certificate trust lists and certificate revocation lists from a certificate store to disk.

6. Select Yes, export the private key. Click Next.

7. Select Personal Information Exchange - PKCS #12 (.PFX) and Include all certificates in the certification path if possible. Click Next.


8. Optionally add the accounts that may use the certificate, and enter a password to protect the private key. Click Next. This PFX holds the key that will sign tokens SharePoint Online accepts from your farm, so choose a strong password and keep the file off shared locations.

9. Specify the location for the exported certificate. Click Next.


10. Review the information and click Finish.

11. Import the certificate into the Trusted Root Certification Authorities store as well, so that the farm trusts the signing certificate.

Now establish the server-to-server (S2S) trust with PowerShell. Perform the following steps:

1. Open the SharePoint Management Shell on a server that also has the MSOnline module installed (the Get-Msol* and New-Msol* cmdlets come from it) and run the following commands. Replace the placeholders with your public root domain and the URL of the web application that SharePoint Online should trust.

# Load the Azure AD (MSOnline) cmdlets and sign in as a Global Administrator of the tenant
Import-Module MSOnline
Connect-MsolService
# Public root domain of the on-premises web application, as a wildcard
$spcn="*.<public_root_domain_name>.com"
# Principal web application of the farm
$site=Get-SPSite <principal_web_application_URL>
# Fixed application ID of SharePoint Online
$spoappid="00000003-0000-0ff1-ce00-000000000000"
# Tenant (context) ID and the ACS metadata endpoint of the tenant
$spocontextID = (Get-MsolCompanyInformation).ObjectID
$metadataEndpoint = "https://accounts.accesscontrol.windows.net/" + $spocontextID + "/metadata/json/1"

2. Once created (step 7 below), the ACS application proxy is returned with its ID, for example:

DisplayName   TypeName               Id
ACS           Azure Access Cont...   73705d66-104a-4123-ac0f-110b9a7a32e2


3. Next, upload the public key of the STS certificate to SharePoint Online so that its identity provider can verify tokens signed by your on-premises STS. (The illustration of this model is not reproduced here.)

4. Run the following commands in PowerShell. The .cer file is the public part of the certificate you exported; the private key never leaves the farm.

# Load the public certificate (.cer) and upload it as a verification key of the SharePoint Online service principal
$cerPath = "<path to replacement certificate (.cer file)>"
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath
$binCert = $cer.GetRawCertData()
$credValue = [System.Convert]::ToBase64String($binCert)
New-MsolServicePrincipalCredential -AppPrincipalId $spoappid -Type asymmetric -Usage Verify -Value $credValue

5. Add the public domain of the farm as a service principal name (SPN) of SharePoint Online in Azure Active Directory.

$msp = Get-MsolServicePrincipal -AppPrincipalId $spoappid
$spns = $msp.ServicePrincipalNames
$spns.Add("$spoappid/$spcn")
Set-MsolServicePrincipal -AppPrincipalId $spoappid -ServicePrincipalNames $spns

6. Register the SharePoint Online application principal with your on-premises SharePoint Server.

$spoappprincipalID = (Get-MsolServicePrincipal -ServicePrincipalName $spoappid).ObjectID
$sponameidentifier = "$spoappprincipalID@$spocontextID"
$appPrincipal = Register-SPAppPrincipal -site $site.rootweb -nameIdentifier $sponameidentifier -displayName "SharePoint Online"

7. Create a new Azure Access Control Service application proxy and a trusted security token issuer.

New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri $metadataEndpoint -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $metadataEndpoint -IsTrustBroker:$true -Name "ACS"
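The seven steps above, collected into one re-runnable script with verification at the end. This is an added example and not the guide's own script: it is meant for the SharePoint Management Shell, run as a farm administrator on a server that also has the MSOnline module, and the domain, web application URL and certificate paths are assumptions for the lab that you replace with your own values. It also performs the STS replacement that step 11 of the certificate procedure only hints at (Set-SPSecurityTokenServiceConfig and the root store import).

```powershell
# Added example, not from the original guide: the complete S2S trust setup with checks.
Import-Module MSOnline
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$spcn      = "*.ict24h.info"                        # assumed public root domain of the on-premises web application
$webAppUrl = "https://portal.ict24h.info"           # assumed principal web application URL
$pfxPath   = "C:\Certs\SharePointS2S.pfx"            # assumed path of the PFX exported in step 8 above
$cerPath   = "C:\Certs\SharePointS2S.cer"            # assumed path of the public (.cer) part of the same certificate
$spoappid  = "00000003-0000-0ff1-ce00-000000000000"  # fixed application ID of SharePoint Online

# Prompt for the PFX password instead of storing it in the script.
$pfxPass = Read-Host -AsSecureString -Prompt "Password of $pfxPath"

Connect-MsolService                                  # prompts for a Global Administrator of the tenant
$spocontextID     = (Get-MsolCompanyInformation).ObjectID
$metadataEndpoint = "https://accounts.accesscontrol.windows.net/$spocontextID/metadata/json/1"

# 1. Make the exported certificate the signing certificate of the on-premises SharePoint STS
#    and trust its public key in the farm and in the machine's root store (step 11 above).
$pfxCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $pfxPath, $pfxPass, "Exportable,PersistKeySet"
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $pfxCert
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerPath
if (-not (Get-SPTrustedRootAuthority | Where-Object { $_.Certificate.Thumbprint -eq $cer.Thumbprint })) {
    New-SPTrustedRootAuthority -Name "SharePoint S2S signing certificate" -Certificate $cer | Out-Null
}
certutil -addstore -enterprise -f -v root $cerPath | Out-Null

# 2. Publish the public key to the SharePoint Online service principal (step 4 above).
$credValue = [System.Convert]::ToBase64String($cer.GetRawCertData())
New-MsolServicePrincipalCredential -AppPrincipalId $spoappid -Type asymmetric -Usage Verify -Value $credValue

# 3. Add the on-premises domain as a service principal name (step 5 above), only once.
$spns   = (Get-MsolServicePrincipal -AppPrincipalId $spoappid).ServicePrincipalNames
$newSpn = "$spoappid/$spcn"
if ($spns -notcontains $newSpn) {
    $spns.Add($newSpn)
    Set-MsolServicePrincipal -AppPrincipalId $spoappid -ServicePrincipalNames $spns
}

# 4. Register the SharePoint Online principal in the on-premises farm (step 6 above).
$site              = Get-SPSite $webAppUrl
$spoappprincipalID = (Get-MsolServicePrincipal -ServicePrincipalName $spoappid).ObjectID
$sponameidentifier = "$spoappprincipalID@$spocontextID"
Register-SPAppPrincipal -Site $site.RootWeb -NameIdentifier $sponameidentifier -DisplayName "SharePoint Online" | Out-Null

# 5. ACS application proxy and trusted security token issuer (step 7 above), created only if absent.
if (-not (Get-SPServiceApplicationProxy | Where-Object { $_.Name -eq "ACS" })) {
    New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri $metadataEndpoint -DefaultProxyGroup | Out-Null
}
if (-not (Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq "ACS" })) {
    New-SPTrustedSecurityTokenIssuer -MetadataEndpoint $metadataEndpoint -IsTrustBroker:$true -Name "ACS" | Out-Null
}

# 6. Verify both sides of the trust.
$issuer = Get-SPTrustedSecurityTokenIssuer -Identity "ACS"
"On-premises issuer '{0}': metadata {1}, automatic certificate refresh = {2}" -f $issuer.Name, $issuer.MetadataEndPoint, $issuer.IsAutomaticallyUpdated
$issuer.SigningCertificate | Format-List Subject, NotBefore, NotAfter, Thumbprint
"STS signing certificate expires {0}" -f (Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate.NotAfter
"SPN '{0}' registered in Azure AD: {1}" -f $newSpn, ((Get-MsolServicePrincipal -AppPrincipalId $spoappid).ServicePrincipalNames -contains $newSpn)
Get-MsolServicePrincipalCredential -AppPrincipalId $spoappid -ReturnKeyValues $false |
    Format-Table KeyId, Type, Usage, StartDate, EndDate -AutoSize
```

Running the script a second time adds a duplicate credential in Azure AD (remove the surplus one with Remove-MsolServicePrincipalCredential -AppPrincipalId $spoappid -KeyIds <KeyId>); everything else is idempotent. The last table shows the EndDate of the uploaded key: repeat step 2 with a fresh certificate before that date, or SharePoint Online will start rejecting tokens from your farm.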


PS C:\> New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://accounts.accesscontrol.windows.net/metadata/json/1/" -IsTrustBroker -Name "ACS"

IsSelfIssuer                  : False
NameId                        :
RegisteredIssuerName          : 00000001-0000-0000-c000-000000000000@*
IdentityClaimTypeInformation  : Microsoft.SharePoint.Administration.Claims.SPTrustedClaimTypeInformation
Description                   :
SigningCertificate            : [Subject]
                                  CN=accounts.accesscontrol.windows.net
                                [Issuer]
                                  CN=accounts.accesscontrol.windows.net
                                [Serial Number]
                                  B1188CD2385E15984A938F580F448AD5
                                [Not Before]
                                  1/1/2014 2:00:00 PM
                                [Not After]
                                  1/1/2016 2:00:00 PM
                                [Thumbprint]
                                  92B88C3DD981BF1EBCB244FCFA63C007706C79E0
AdditionalSigningCertificates : {[Subject]
                                  CN=accounts.accesscontrol.windows.net
                                [Issuer]
                                  CN=accounts.accesscontrol.windows.net
                                [Serial Number]
                                  40D5EB9B384B37B5469545C3602453DF
                                [Not Before]
                                  10/28/2014 7:00:00 AM
                                [Not After]
                                  10/27/2016 7:00:00 AM
                                [Thumbprint]
                                  3270BF5597004DF339A4E62224731B6BDB2B10A6}
MetadataEndPoint              : https://accounts.accesscontrol.windows.net/metadata/json/1/
IsAutomaticallyUpdated        : True
Name                          : ACS
TypeName                      : Microsoft.SharePoint.Administration.Claims.SPTrustedSecurityTokenService
DisplayName                   : ACS
Id                            : a284f82f-c26b-4559-98b5-d687b38eb689
Status                        : Online
Parent                        : SPSecurityTokenServiceManager Name=SecurityTokenServiceManager
Version                       : 14798
Properties                    : {}
Farm                          : SPFarm Name=SharePoint_Config
UpgradedPersistedProperties   : {}

PS C:\>

You have successfully established the server-to-server trust between your on-premises SharePoint Server and the identity provider of SharePoint Online. Note that IsAutomaticallyUpdated is True: SharePoint refreshes the ACS signing certificates from the metadata endpoint, so the expiry dates in the output above need no manual renewal. The certificate you uploaded in step 4, however, does expire and must be re-uploaded before its Not After date.

Now configure Search for testing. Perform the following steps:

1. Open a SharePoint site collection and go to Site Settings > Search Result Sources (under Site Collection Administration).

2. Click New Result Source.


3. Enter a name for the new result source (in the lab, ICT24H Portal Outbound Search) and select the Remote SharePoint protocol. Names must be unique at each administrative level; the other protocol choices are Local SharePoint (results from the index of this Search service), OpenSearch 1.0/1.1 (a search engine that uses that protocol) and Exchange.

4. Enter the URL of your site collection in SharePoint Online as the Remote Service URL. Select SharePoint Search Results as the type. Click Save.


5. From the Site Settings page, click Search Query Rules.

6. In the context selector (For what context do you want to configure rules?), select the result source you just created, then click New Query Rule.

7. Enter a name for the query rule. Under Context, select One of these sources and choose the new result source. Keep All categories and All user segments.


In the lab, the rule is named Result from SP Online and fires only on the source ICT24h Portal Outbound Search.
8. Under Query Conditions, the default condition is Query Matches Keyword Exactly. For testing, click Remove Condition so that the rule fires for every query. Then click Add Result Block.

9. On the Add Result Block page, under Search this source, select your new result source.


10. Under Settings, select This block is always shown above core results. Click Save.

11. Review your configuration. The rule list for the site collection now shows Result from SP Online with the condition On Result Source ICT24h Portal Outbound Search and the action Add Promoted Result Blocks (Results for "{subjectTerms}"). The page may also note that a condition or action in this rule is not supported by these admin pages.

12. Go to your on-premises SharePoint site collection and to SharePoint Online to test hybrid search.


Searching for "doc" on the on-premises site ICT24h Portal now returns a block of results from SharePoint Online (Doc online 1, 2 and 3 under ict24happs.sharepoint.com/Shared Documents) above the local results from sp01 (Doc onprem1, 2 and 3 under sp01/Shared Documents).
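The same test can be run through the on-premises Search REST API, which makes it obvious how many hits came from SharePoint Online and gives you something to check when the answer is none. The script below is an added example, not part of the original guide. It assumes that http://sp01 is the on-premises site from the screenshot, that the result source was created at site collection level under the name used in step 3, and that it runs in the SharePoint Management Shell under a Windows account that also exists in Office 365 (otherwise SharePoint Online has no identity to search as and returns nothing).

```powershell
# Added example, not from the original guide: hybrid outbound search test through the Search REST API.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$siteUrl    = "http://sp01"                       # assumed on-premises site collection
$sourceName = "ICT24h Portal Outbound Search"     # result source created in step 3
$query      = "doc"

function Invoke-SPSearchQuery {
    param([string]$SiteUrl, [string]$QueryText, [string]$SourceId)
    # Query the on-premises search service; with a remote result source it federates to SharePoint Online.
    $uri = "$SiteUrl/_api/search/query?querytext='$QueryText'&rowlimit=50"
    if ($SourceId) { $uri += "&sourceid='$SourceId'" }
    $resp = Invoke-RestMethod -Uri $uri -UseDefaultCredentials -Headers @{ Accept = "application/json;odata=verbose" }
    # Each row is a list of Key/Value cells; flatten the ones we care about.
    foreach ($row in $resp.d.query.PrimaryQueryResult.RelevantResults.Table.Rows.results) {
        $cells = @{}
        foreach ($c in $row.Cells.results) { $cells[$c.Key] = $c.Value }
        [pscustomobject]@{ Title = $cells.Title; Path = $cells.Path }
    }
}

# Look up the site-collection result source: the REST API takes the source GUID, not its name.
$ssa    = Get-SPEnterpriseSearchServiceApplication
$site   = Get-SPSite $siteUrl
$level  = [Microsoft.Office.Server.Search.Administration.SearchObjectLevel]::SPSite
$owner  = New-Object Microsoft.Office.Server.Search.Administration.SearchObjectOwner -ArgumentList $level, $site.RootWeb
$fed    = New-Object Microsoft.Office.Server.Search.Administration.Query.FederationManager -ArgumentList $ssa
$source = $fed.GetSourceByName($sourceName, $owner)
if (-not $source) { throw "Result source '$sourceName' is not defined for $siteUrl" }

# Same query twice: default (local) source and the remote SharePoint Online source.
$local  = @(Invoke-SPSearchQuery -SiteUrl $siteUrl -QueryText $query)
$remote = @(Invoke-SPSearchQuery -SiteUrl $siteUrl -QueryText $query -SourceId $source.Id)
"{0} hit(s) from the local index, {1} hit(s) from SharePoint Online via '{2}'" -f $local.Count, $remote.Count, $sourceName
$remote | Format-Table Title, Path -AutoSize

if ($remote.Count -eq 0) {
    # Typical causes, in the order worth checking: the trusted issuer is missing, the querying user is not
    # synchronised to Azure AD, or the remote service URL of the result source is wrong.
    Write-Warning "No results from SharePoint Online."
    Write-Warning ("Trusted issuer 'ACS' present: {0}" -f [bool](Get-SPTrustedSecurityTokenIssuer | Where-Object { $_.Name -eq 'ACS' }))
    Write-Warning ("Remote service URL of the source: {0}" -f $source.ConnectionUrlTemplate)
    Write-Warning ("Querying as: {0}" -f [System.Security.Principal.WindowsIdentity]::GetCurrent().Name)
}
```

Because the remote source only returns SharePoint Online items, the second count is the hybrid test proper; the first count simply confirms that local search still works after the query rule was added.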

Appendix - Configure Domain in Office 365

We assume that you have never configured your domain in Office 365. This appendix walks you through it. Perform the following steps to configure your domain in Office 365 before you set up hybrid:

1. Log in to the Office 365 portal. Select DOMAINS and click Add domain.


2. You are redirected to an introductory page (Add a new domain in Office 365: What you need to know about domains and DNS). Click Let's get started.

3. Enter your domain. Click Next.

4. Office 365 recognizes the registrar from which you purchased your domain; in our case it recognized GoDaddy. Office 365 then asks you to sign in to the registrar's control panel. In our case, click Sign in to GoDaddy.

5. Enter your credentials on the GoDaddy Login page.


6. On the Confirm Access page, GoDaddy asks you to allow Office 365 to make changes to your domain (in our case ict24h.info). This is an OAuth consent on godaddy.com that lets Office 365 write the DNS records on your behalf. Click Accept.

7. Office 365 then completes the domain verification automatically. Click Next.


Office 365 confirms: We've verified that you own ict24h.info. Now, let's update user IDs for your current users in Office 365. The wizard tracks three steps: Verify domain, Add users and Set up domain.

8. Select the users in Office 365 whose user ID should move to the new domain, for example from admin@ict24happs.onmicrosoft.com to admin@ict24h.info. Click Update selected users.

9. After the confirmation of your update, click Next.

The confirmation page reports 1 user was updated successfully and lists the user ID after the update (in the lab, admin@ict24h.info).

10. Sign out of Office 365. Click Sign Out.


11. Sign in to the Office 365 portal with the newly updated account.

12. You are redirected to the DNS update page. Click Next.

13. When asked Do you want us to set up DNS records for Office 365 for you?, select No, I have an existing website or prefer to manage my own DNS records.

14. By default, Office 365 offers to set up the records for Exchange, Skype for Business and Mobile Device Management. Click Next.

15. On the records page, Office 365 lists the DNS records it needs. Click Add records to have them created, or create them yourself.

16. Add the required records to the DNS zone of your custom domain.

17. Once you have finished, you are redirected to the final page. Click Finish.


18. On the DOMAINS page, verify that the new domain you just added is listed and configured.
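The portal shows whether the domain is configured, not what the public DNS actually serves. The following script, added here as an example and not part of the original guide, resolves the standard Office 365 record set for the domain from any Windows 8 / Server 2012 or later machine (Resolve-DnsName). In a hybrid deployment the SIP and mail records may legitimately point at your own Edge, reverse proxy and mail servers, so the script reports what each record resolves to and only flags records that are missing or an SPF record that does not include Office 365. The domain is the lab's; the expected cloud values are the ones Office 365 documents for a cloud-only domain.

```powershell
# Added example, not from the original guide: report the Office 365 DNS records of a custom domain.
$domain = "ict24h.info"

# Record name, type, and the value Office 365 uses for a cloud-only domain (for classification only).
$records = @(
    @{ Name = $domain;                          Type = 'MX';    CloudValue = "$($domain -replace '\.','-').mail.protection.outlook.com" }
    @{ Name = $domain;                          Type = 'TXT';   CloudValue = 'v=spf1 include:spf.protection.outlook.com -all' }
    @{ Name = "autodiscover.$domain";           Type = 'CNAME'; CloudValue = 'autodiscover.outlook.com' }
    @{ Name = "sip.$domain";                    Type = 'CNAME'; CloudValue = 'sipdir.online.lync.com' }
    @{ Name = "lyncdiscover.$domain";           Type = 'CNAME'; CloudValue = 'webdir.online.lync.com' }
    @{ Name = "_sip._tls.$domain";              Type = 'SRV';   CloudValue = 'sipdir.online.lync.com:443' }
    @{ Name = "_sipfederationtls._tcp.$domain"; Type = 'SRV';   CloudValue = 'sipfed.online.lync.com:5061' }
    @{ Name = "enterpriseregistration.$domain"; Type = 'CNAME'; CloudValue = 'enterpriseregistration.windows.net' }
    @{ Name = "enterpriseenrollment.$domain";   Type = 'CNAME'; CloudValue = 'enterpriseenrollment.manage.microsoft.com' }
)

function Get-RecordValue {
    param($Answer)
    # Normalise the answer of each record type to one comparable string.
    switch ($Answer.Type) {
        'MX'    { return "$($Answer.NameExchange) (pref $($Answer.Preference))" }
        'CNAME' { return $Answer.NameHost }
        'SRV'   { return "$($Answer.NameTarget):$($Answer.Port)" }
        'TXT'   { return ($Answer.Strings -join '') }
        default { return $Answer.ToString() }
    }
}

$report = foreach ($r in $records) {
    $answers = Resolve-DnsName -Name $r.Name -Type $r.Type -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq $r.Type }
    # For TXT, only the SPF record matters here; verification TXT records are ignored.
    if ($r.Type -eq 'TXT') { $answers = $answers | Where-Object { ($_.Strings -join '') -like 'v=spf1*' } }
    $value  = if ($answers) { ($answers | ForEach-Object { Get-RecordValue $_ }) -join '; ' } else { $null }
    $status = if (-not $value) { 'MISSING' }
              elseif ($r.Type -eq 'TXT' -and $value -notmatch 'include:spf\.protection\.outlook\.com') { 'SPF does not include Office 365' }
              elseif ($value -like "*$($r.CloudValue)*") { 'Office 365' }
              else { 'Custom (hybrid / on-premises)' }
    [pscustomobject]@{ Record = "$($r.Type) $($r.Name)"; Value = $value; Status = $status }
}
$report | Format-Table -AutoSize
```

For the Skype for Business hybrid of Lab 3, expect sip, lyncdiscover and both SRV records to show Custom and point at your Edge and reverse proxy names; an MX or SPF that still excludes Office 365 after mail flow moves to Exchange Online is the usual cause of rejected or spoofable outbound mail.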

--End--
