
What is Email Coexistence?

First a definition: email coexistence refers to keeping some of your users on your own on-
premise Exchange servers, and migrating other users over to BPOS – but you want all users to
have the same SMTP domain. So in the example scenario in this article, all users keep the same
user@bpostutorials.com addresses.

In our example, some users would use Exchange the traditional way – with a mail client like
Outlook pointed at in-house mail servers. However, some users have been migrated over to
BPOS, and their mail client is pointed to cloud servers. But all users have email addresses in the
same domain, and all of them show up in the same Global Address List (GAL), making
corporate-wide communication easy.

Email coexistence is a great solution, but it is not perfect. There are a few things you should be
aware of:

• This is an either/or scenario – users can’t maintain a mailbox on both systems. Old
mailboxes on the on-premise Exchange should be removed as quickly as possible.
• Free/busy data does not get exchanged between the two systems, so on-premise users
can’t see free/busy data for BPOS users. For this reason, it may make the most sense to
migrate entire workgroups to BPOS rather than just a few users.
• One other feature that doesn’t work between the two environments is mailbox delegation
– another reason to migrate entire workgroups at once.

How Email Coexistence Works

Before we start configuring email coexistence, a high-level overview of mail traffic flow is
important. With coexistence, mail is routed as follows:

• First, all incoming mail for our example domain, bpostutorials.com, continues to go to an
on-premise Exchange system.
• Second, the on-premise Exchange server receives the mail. The local Active-Directory
syncs with BPOS, and a migration tool tells Exchange if the mail recipient is local, or has
been activated in BPOS. Then, depending on the setting for each user, the Exchange
server either delivers mail locally or forwards it over to BPOS.
• Finally, BPOS receives the forwarded mail, and delivers it to users’ mailboxes.

The Trickery

Behind the scenes, this all works via some clever trickery. The secret? The BPOS mailboxes
don't actually use your domain as their SMTP domain. BPOS uses a microsoftonline.com
domain instead – such as bpostutorial.microsoftonline.com.

So, mail is simply being forwarded back and forth between two domains: bpostutorials.com, and
bpostutorial.microsoftonline.com.

However, the system tricks users by displaying their login, mailbox, and sent mail as being part
of the bpostutorials.com domain – hiding the long microsoftonline.com domain and saving users
the agony of changing email addresses.

Step-by-Step: How to Configure Email Coexistence

Now that you understand the basic mail traffic flow, configuring mail coexistence takes a few
simple steps.

1. Add your own domain to BPOS and enable external relay

2. Verify the domain

3. Verify email traffic flow

4. Enable Active Directory synchronization

5. Activate migrated users

6. Migrate mailboxes to BPOS

7. Optional steps: Configure SPF and secure the mail flow

Let’s go through each of these steps in detail. We’ll cover steps one and two in this article, and
finish off the process in our next articles in the series.

Step 1: Add Your Own Domain to BPOS and Enable External Relay

Open up the BPOS Admin site. Click on the Users tab, then the Domain menu item. Then, click
the "New" link in the upper-right corner.

Enter your Domain name in the new window that opens up – in my example I’ve used
bpostutorials.com. And, since we’re setting up email coexistence in this article, click the option
for “External Relay.”

(For a step-by-step guide to use BPOS as your primary mail system instead of email coexistence
mode, check out our article on using your own custom domains with BPOS.)

Click "Create" and a window like the one below will be displayed. Select the box to "Start the
Verification Wizard" if you’re ready to go to the next step, and verify the domain now.

Step 2: Verify Your Domain

Verifying a domain is accomplished by creating a DNS entry called a CNAME, or Alias. Your
DNS records are generally hosted by your domain registrar, though in some cases your DNS may
be hosted elsewhere.

First we need Microsoft to tell us how to configure the CNAME. If you didn’t select the option
to start the Verification wizard in the previous step, then go back to the Users tab, and click on
the Domains menu item. The newly added domain will now appear in the domains list. Click
the "Verify Now" link.

Select your registrar from the drop-down if available, otherwise select "Other" and click
"Next".

On the next screen you’ll be provided with DNS settings that you’ll need to configure with your
domain registrar. Don’t use the ones in the screenshot here, they will all be unique. Make a note
of the Host name, and "Points To" information.

Keep this window open. Now, fire up a new browser window and log in to your domain
registrar’s admin site. The example below was created using Go Daddy, but most registrars will
have a similar tool. Microsoft has also compiled a detailed list of instructions for popular
registrars.

Open up your registrar’s DNS tool and add a CNAME record. For example, with Go Daddy I
would click the "Add New CNAME Record" button on the right-hand side of the screen.
Enter the Alias information that BPOS gave you. Note that you usually don’t have to fully
qualify an Alias (i.e. the full domain name isn’t required, just the host name).

Success! Keep your registrar’s admin site open, because you’ll need it again in a minute.

Flip back to your BPOS window (you left that open right?) and click the "Verify" button. If you
did it right, then you should see a message like the one below. If it was unsuccessful then go
back and confirm that you typed in the alias properly. Some registrars can take anywhere from
15 minutes to 72 hours to activate the new records.

If it’s still not working, do a DNS lookup from another system to confirm that the alias is
configured properly. BPOS won’t verify the domain until it can resolve the new alias you created
to the server name it provided you in the previous steps.
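
If you want to script that lookup, the following PowerShell is an added example (it is not part of the original article): it asks a public resolver for the CNAME and compares the answer with the "Points To" value BPOS expects. The alias and target names in it are constructed placeholders; substitute the values from your own verification wizard. It assumes Windows PowerShell 2.0 or later and the nslookup.exe that ships with Windows.

```powershell
# Added example, not part of the original article. Confirms from outside your own
# network that the verification CNAME resolves to the target BPOS gave you.
param(
    # Placeholders: replace with the "Host name" and "Points To" values shown in the
    # BPOS verification wizard for your own domain.
    [string]$Alias    = "ms12345678.bpostutorials.com",
    [string]$PointsTo = "verify.microsoftonline.com",
    # Ask a public resolver rather than your internal DNS, which may have cached a
    # negative answer from before the record existed; BPOS only sees public DNS.
    [string]$Resolver = "8.8.8.8"
)

# Windows nslookup prints "<alias>  canonical name = <target>." for a CNAME record.
# stderr is merged because nslookup writes its Server/Address header there.
$raw = & nslookup -type=CNAME $Alias $Resolver 2>&1 | Out-String

if ($raw -match 'canonical name\s*=\s*(\S+)') {
    $actual = $Matches[1].TrimEnd('.')
    if ($actual -eq $PointsTo.TrimEnd('.')) {      # -eq is case-insensitive
        Write-Host "OK: $Alias -> $actual (matches the value BPOS expects)"
        exit 0
    }
    Write-Host "MISMATCH: $Alias -> $actual, but BPOS expects $PointsTo"
    Write-Host "Check the Alias and Points To fields at your registrar for a typo."
    exit 1
}

Write-Host "NO CNAME FOUND for $Alias via resolver $Resolver."
Write-Host "Either the record has not propagated yet (allow 15 minutes to 72 hours),"
Write-Host "or the alias was entered fully qualified at a registrar that appends the domain itself."
Write-Host "Raw nslookup output:"
Write-Host $raw
exit 1
```

Querying a public resolver instead of your internal DNS matters because BPOS resolves the alias from the internet, and an internal server that tried the name before the record existed may keep handing back a cached negative answer for a while.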

Verify that you’ve configured everything correctly so far by going back to the Domains window.
You should see your domain listed with a Status of “Verified”, Inbound messaging “Disabled”,
and a Type that shows “External Relay”.

Once you’ve added and verified your domain, you'll be ready for part II of this series. In part II
we'll synchronize Active-Directory with BPOS. In part III, we'll cover the final pieces of the
puzzle: activating and migrating users.

To recap, configuring email coexistence with BPOS requires the following steps:

1. Add your own domain to BPOS and enable external relay (Covered in Part I)
2. Verify the domain (Covered in Part I)
3. Verify email traffic flow
4. Enable Active Directory Synchronization
5. Activate migrated users
6. Migrate mailboxes to BPOS
7. Optional steps: Configure SPF and secure the mail flow

This 2nd installment covers steps 3 and 4:

• Verify email traffic flow
• Enable Active-Directory Synchronization

Step 3: Verify Email Traffic Flow

This step may seem out of order, but it’s actually very important. Before configuring Active-
Directory sync, it’s crucial to verify that the two SMTP domains used for coexistence can
successfully communicate.

As explained in part I of this article series, BPOS makes it look as if all users are using the same
SMTP domain, whether using BPOS or your on-premise Exchange. However, behind the scenes
it uses two different domains, and some tricky forwarding techniques. So, it’s important to verify
that the two domains can talk to each other.

For this example we’ll continue to use the sample domain bpostutorials.com, and the BPOS
domain bpostutorial.microsoftonline.com.

To verify email flow:

1. In your BPOS environment, create a test user with a mailbox in the microsoftonline.com
domain. For example, UserOne@bpostutorial.microsoftonline.com
2. Create a test user in your on-premise Exchange environment. For example,
UserTwo@bpostutorials.com
3. Log on to the BPOS Outlook Web Access as UserOne@bpostutorial.microsoftonline.com
4. Send an email message to UserTwo@bpostutorials.com
5. Verify that UserTwo received the message, and reply back to the email.
6. From OWA, confirm that UserOne received the reply.

Troubleshooting:

If messaging doesn’t work, check to confirm that the microsoftonline.com domain has been
added to your safe-senders list in Exchange. It may also be worth confirming that any 3rd party
Spam filters aren’t rejecting the messages, and that your MX records are configured correctly to
point at your on-premise Exchange.

Don’t move on until you’ve confirmed that basic mail-flow works as expected. Email
coexistence won’t work if you can’t email between the two domains.

Step 4: Enable Active-Directory Synchronization

Active-Directory synchronization does exactly what you might expect. It copies your local
active-directory user information over to BPOS. This simplifies user administration, since BPOS
automatically has a list of all users. It also makes your full Global Address List available to all
users, whether they are on BPOS or on-premise Exchange. Synchronization is performed using a
tool called the “Active-Directory Synchronization Tool”, or Dirsync for short.

Dirsync will copy AD user information over to BPOS, with the exception of passwords. It will
perform an initial sync, then re-sync every 3 hours. After running Dirsync, it’s important to make
all user changes in your local AD, not on the Microsoft Online environment.

Before beginning, there are a few prerequisites.

• Dirsync cannot be installed on a domain controller. It must be installed on a member
server joined to the same AD forest that you plan to sync with BPOS.
• It cannot run on a 64-bit system; it must be installed on a 32-bit Microsoft Windows
Server 2003 SP2 or newer OS.
• The .NET Framework 2.0 or greater must be installed on the computer that will run
Dirsync.
• Powershell must be installed
• Enterprise Administrator credentials for your AD will be required
• BPOS Administrator credentials will be required

To install Dirsync:

From the machine that you plan to install Dirsync on, open up the BPOS admin console, and go
to the Migration tab.

In the “Directory Synchronization” section click on Configure.

The window that opens provides a series of steps.

Read the planning document under Step 1 and check the box.

Next, under Step 2, click the button to Enable Directory Synchronization.

Now, under Step 3, click the download button which will take you to the download page for
Dirsync.

Download and run the Dirsync setup file. Go ahead and install it using all default options.
Ensure that the option to "Start Configuration Wizard now" is selected, then click Finish.

Enter your BPOS administrator’s credentials when prompted:

And next enter your Active-Directory Enterprise administrator credentials:

We want synchronization to start immediately, so leave the checkbox labelled “Synchronize
directories now” selected, and click Finish.

Verify Synchronization

There are a couple of ways to verify that synchronization is working correctly.

First, open up the Event Log on the server running Dirsync. Check the Application Log for
events with a source of “Directory Synchronization” and Event ID 4. Events logged with ID 4
indicate that synchronization completed successfully.

Next, we can verify that users and groups were copied to BPOS. Dirsync copies all accounts over
and automatically disables them in BPOS by default, so you’ll need to view “Disabled User
Accounts” in BPOS to find the synchronized accounts.

To do this, log in to the BPOS admin center. Go to the Users tab, and click on the User List sub-
tab. Select “Disabled User Accounts” from the left-hand navigation pane. You should see a list
of user accounts that were synchronized from your own Active-Directory.
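
To make the event-log check above repeatable, here is an added PowerShell example (not from the original article): it counts the Event ID 4 success events from the “Directory Synchronization” source over the last few hours and lists any errors from the same source. It assumes Windows PowerShell 2.0 or later and that it runs on the Dirsync server itself; the 6-hour default window is an assumption based on the 3-hour sync interval.

```powershell
# Added example, not part of the original article. Run on the server where Dirsync
# is installed; reports the success events (ID 4) and any errors from its source.
param(
    # Dirsync re-syncs every 3 hours, so two cycles back is a reasonable default window.
    [int]$HoursBack = 6
)

$since  = (Get-Date).AddHours(-$HoursBack)
$events = @(Get-EventLog -LogName Application -Source "Directory Synchronization" `
              -After $since -ErrorAction SilentlyContinue)

# Get-EventLog returns newest entries first.
$successes = @($events | Where-Object { $_.EventID -eq 4 })
$failures  = @($events | Where-Object { $_.EntryType -eq "Error" })

"Directory Synchronization events since {0}: {1}" -f $since, $events.Count
"  successful syncs (ID 4): {0}" -f $successes.Count
"  errors:                  {0}" -f $failures.Count

if ($successes.Count -gt 0) {
    "Last successful sync: {0}" -f $successes[0].TimeGenerated
}
foreach ($e in $failures) {
    # First line of the message is usually enough to identify the problem.
    "{0}  ID {1}: {2}" -f $e.TimeGenerated, $e.EventID, $e.Message.Split("`n")[0]
}

# Non-zero exit when no success event fell inside the window, so the script can be
# run from a scheduled task and alerted on.
if ($successes.Count -eq 0) { exit 1 }
```

Because changes made directly in the Microsoft Online environment are overwritten on the next sync, a missing success event is worth chasing down quickly: users created in the local AD after the last good sync will not exist in BPOS until Dirsync runs cleanly again.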

If you can see user accounts from your domain, then congratulations! Directory synchronization
is working correctly. For now, leave the accounts disabled. You should only activate accounts
when you’re ready to complete the user migration process.

We’ll cover the final steps required to configure email coexistence in Part 3 of this series. In
Part 3 we’ll use the BPOS migration tool to copy mailbox data to BPOS, and configure the
forwarding information that makes co-existence possible.

To recap, configuring email coexistence with BPOS requires the following steps:

1. Add your own domain to BPOS and enable external relay (Covered in Part I)
2. Verify the domain (Covered in Part I)
3. Verify email traffic flow (Covered in Part II)
4. Enable Active Directory Synchronization (Covered in Part II)
5. Activate migrated users
6. Migrate mailboxes to BPOS
7. Optional steps: Configure SPF and secure the mail flow

At this point you should be able to send email between your on-premise Exchange, and a test
user on BPOS. You also should have installed the Dirsync tool, and have successfully
synchronized your own Active-Directory to BPOS.

In this final article of the series, we’ll activate users and then set up the key tool that makes this
all work – the Mailbox Migration tool.

Step 5: Activate Migrated Users

Synchronized user accounts are disabled by default. First step – activate them.

Open up the BPOS admin center. Click on the Users tab, then the User List sub-tab. Click on
“Disabled User Accounts” from the left-hand task pane.

A list of all users synchronized from your domain should appear if synchronization is working
correctly.

Click on one of the users to open up their properties window, then click the “Activate User
Wizard” link.

To activate a large number of users at once, simply select them using the checkboxes beside their
accounts on the Disabled Users screen. Then, click the “Activate Users” link to do a bulk
activation.

Go ahead and enter an email address if you want BPOS to email a login link and password to
your users. Then click next.

Select the location of your users, then click next.

And finally, select mailbox size limits for your users, then click next.

Next you should see a successful confirmation and list of activated users, as well as temporary
passwords. Make a note of the passwords if you did not select the option to have them emailed to
your users.

One last important note – In the previous steps, BPOS Dirsync may have imported users with a
default domain set to [whatever].microsoftonline.com. If you want your users to log in to BPOS
using your own domain (e.g. bpostutorials.com vs bpostutorial.microsoftonline.com), and send
mail from your own domain name, then you should change this after activating users.

Step 6: Migrate Mailboxes to BPOS

Now that you’ve made it to this point, you’ve completed all the prep work for email-coexistence.
In this last step we will install the Migration tool, and finally migrate selected mailboxes to
BPOS.

The migration tool is the key piece to configure coexistence. The tool configures your on-
premise Exchange SMTP settings to forward mail over to BPOS for migrated users. And, it will
also migrate mailbox data over to BPOS. With the migration tool, users won’t lose content like
mail and calendar items.

First, download and install the migration tool. To do this, go to the “Migration” tab in BPOS,
then launch the “Migrate Mailboxes” link.

Before you can download the tool you’ll have to check the box to confirm that you’ve read the
planning document. Then, download the tool.

The migration tool can be installed on any machine that meets the prerequisites below. It does
not have to be installed on your Exchange server.

• Windows PowerShell is installed.
• Windows Vista, Windows Server 2003, or Windows XP with Service Pack 2 is installed.
• If Windows Server is installed, the computer can be configured as an Active Directory
domain controller.
• Microsoft .NET Framework 2.0 or later must be installed.

In addition, you’ll need to run the migration tool from an account with Exchange server
administrator privileges. And of course, you’ll also need admin permissions in BPOS.

Install the Migration tool using all of the default settings.

Once you’ve finished the install, open up the Migration Console from the Start menu (Start >
Programs > Microsoft Online Services > Migration > Migration Console).

A sign-in box will prompt you for your BPOS user name and password. Enter the credentials for
an account with administrator permissions, then click Sign In.

Click on “Mailboxes Ready to Migrate” to see a list of mailboxes that correspond to Activated
BPOS user accounts. Any of these mailboxes can be migrated when you're ready to proceed.

Select the mailboxes that you wish to migrate, then right-click on one of the mailboxes. From
the context-sensitive pop-up menu, choose “Migrate mailboxes”.

This will launch a migration wizard. Click Next on the introductory screen.

You now have two options. You can either configure forwarding records and migrate mailbox
content, or configure forwarding records without migrating any content. You should migrate
content if you want users to have access to their old data once they move over to BPOS.

If you choose to migrate content, then you can also decide whether to allow data to pass over an
unsecured connection. Be aware that if you allow this, then mailbox data could pass
from your Exchange server to the internet in an unsecured manner. Microsoft recommends
securing the connection, though it’s not necessary. (For more information on securing traffic,
please see Step 7 in this article.)

Assuming you’re going to migrate content to BPOS, choose the option to “Copy the local
mailbox content”, then click Next.

Next, review the mailboxes you plan to migrate. Ensure that the source mailbox isn’t larger than
the quota you’ve assigned to the BPOS users. Mailboxes could take considerable time to migrate
depending on size and network bandwidth, so be cautious about how many mailboxes you move
at once.

Now, select mailbox content types to migrate, like mail and calendar items. If desired, select the
date ranges of data to migrate. Click Next when you’re ready to proceed.

Note that some items will not be migrated by the tool – more details on that here:
http://www.microsoft.com/online/help/en-us/helphowto/fa139bc5-76d7-4e1a-9029-abc431b3c39a.htm

The tool provides one last opportunity to do a final review. If everything looks correct, then click
Migrate to start the process.

The Migration tool will show a progress window like this one:

Once migration is complete, review the status window for any errors or warnings, then click
Finish.

Verifying Migration in Active-Directory

Let’s jump back to your own Active-Directory where you can view the changes made by the
migration tool.

Open up Active Directory Users and Computers, and navigate to the Users container. You’ll see
that in addition to your user objects (e.g. User Three) the migration tool has created a new
contact object for each of the migrated users. So in this example, we now have a contact for
UserThree@bpostutorial.microsoftonline.com. The contact is only for back-end use, so it will be
hidden from the GAL.

Open up the new contact for one of your users. As you can see in the screenshot below for User
Three, the “Email:” field uses the SMTP domain of your BPOS domain – in this case the mail
address is userthree@bpostutorial.microsoftonline.com. This contact is created simply so that
Exchange has somewhere to forward mail that arrives for the userthree@bpostutorials.com
mailbox.

Next, open up the User object for your migrated user, and open up Delivery Options from the
Exchange General tab. In our User Three example below, you can see that the migration tool
has configured Exchange to forward all mail to the User Three (MSOL) contact object that we
just looked at in the previous step.
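
The same objects can be read back from a PowerShell prompt. The script below is an added example (not from the original article or the migration tool): it follows the user's Delivery Options forwarding, which Exchange stores in the altRecipient attribute, to the MSOL contact and checks the contact's targetAddress and GAL visibility. It uses the article's sample user "userthree" and sample BPOS domain as defaults, assumes Windows PowerShell 2.0 or later on a machine joined to the same forest, and uses ADSI so that it does not depend on the Exchange management tools being installed.

```powershell
# Added example, not part of the original article or the migration tool.
# "userthree" and the BPOS domain are the article's sample values (constructed).
param(
    [string]$SamAccountName = "userthree",
    [string]$BposDomain     = "bpostutorial.microsoftonline.com"
)

# Search the domain for the migrated user and load only the attributes we need.
$rootDse  = [ADSI]"LDAP://RootDSE"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
$searcher.Filter     = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@("mail", "altRecipient"))

$user = $searcher.FindOne()
if ($user -eq $null) { Write-Error "No user named $SamAccountName"; exit 1 }

# Exchange stores the Delivery Options "Forward to" setting in altRecipient, as the
# distinguished name of the forwarding target (the MSOL contact created by the tool).
$forwardDn = [string](@($user.Properties["altrecipient"])[0])
if (-not $forwardDn) {
    Write-Host "NOT FORWARDED: $SamAccountName has no altRecipient; mail will stay on-premise."
    exit 1
}

# Bind to the contact and read the attributes behind the "Email:" field and the
# "Hide from Exchange address lists" checkbox. (A DN containing "/" would need
# escaping as "\/" in the LDAP path.)
$contact = [ADSI]"LDAP://$forwardDn"
$target  = [string]$contact.targetAddress              # e.g. SMTP:userthree@<BPOS domain>
$hidden  = [string]$contact.msExchHideFromAddressLists # "True" when hidden from the GAL

"User:            {0} <{1}>" -f $SamAccountName, [string](@($user.Properties["mail"])[0])
"Forwards to DN:  {0}" -f $forwardDn
"Contact target:  {0}" -f $target
"Hidden from GAL: {0}" -f $hidden

$ok = $true
if ($target -notmatch ('^SMTP:[^@]+@' + [regex]::Escape($BposDomain) + '$')) {
    Write-Host "WARNING: targetAddress does not point into $BposDomain"
    $ok = $false
}
if ($hidden -ne "True") {
    Write-Host "WARNING: the MSOL contact is visible in the GAL (users would see duplicate entries)"
    $ok = $false
}
if ($ok) { Write-Host "OK: forwarding for $SamAccountName is configured as expected" }
else     { exit 1 }
```

Running this for each migrated user after the wizard finishes is a quick way to catch a user whose forwarding was never written (mail would silently keep landing in the on-premise mailbox) or a contact that points at the wrong domain.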

Finally, back in the BPOS admin console, you can see that User Three has been activated with a
user name of UserThree@bpostutorials.com.

At this point, User Three can log on to BPOS using the password provided earlier. They will be
able to send and receive email from the bpostutorials.com domain. Once migration is complete,
migrated users should only use BPOS to avoid problems with mailboxes becoming out of sync.
They can access BPOS using Outlook Web Access, or reconfigure their mail client to point to
BPOS.

Step 7: Optional steps: Configure SPF and secure the mail flow

Microsoft recommends a couple of additional steps to complete your coexistence setup.

First, consider enabling Autodiscover and adding Sender Policy Framework (SPF) records. SPF
records are still not very common, but are probably worth adding anyway. More information on
both of those settings can be found here:
http://www.microsoft.com/online/help/en-us/helphowto/6a984970-1606-480f-92e2-585ff1ddae84.htm

Second, since intra-organization mail is now going to be passed over the internet, Microsoft
recommends that you secure the flow of traffic between your on-premise Exchange and
BPOS. This involves obtaining a certificate and configuring TLS – for more information see this
detailed guide from Microsoft:
http://www.microsoft.com/online/help/en-us/helphowto/ad854daa-75aa-4fc7-bb1d-86e7bc8cfcf1.htm

But, these steps are optional and may not be necessary depending on your organization’s security
requirements.

Once you’ve completed these steps, send a few test messages to confirm that things are
working. If so, congratulations! You’ve successfully configured email coexistence with BPOS.
