A hybrid deployment provides the seamless look and feel of a single Exchange
organization between an on-premises Exchange organization and Exchange Online
in Microsoft Office 365. A hybrid deployment offers organizations the ability to extend the
feature-rich experience and administrative control they have with their existing on-premises
Microsoft Exchange organization to the cloud.
5. On the Enter the Windows user account credential page, enter the on-premises
administrator account name in the On-premises administrator name text field
and enter the associated password for this account in the On-premises
administrator password text field. For example, corp\administrator and a
password. Click Next.
6. On the Confirm the migration endpoint page, verify that the FQDN of your on-premises
Exchange server is listed when the wizard confirms the migration endpoint.
For example, mail.contoso.com. Click Next.
7. On the Move configuration page, enter a name for the migration batch in the New
migration batch name text field. Use the down arrow to select the Target
delivery domain for the mailboxes that are migrating to Office 365. In most
hybrid deployments, this is the primary SMTP domain used for the Exchange Online
organization mailboxes. For example, contoso.mail.onmicrosoft.com. Verify that
the Move primary mailbox along with archive mailbox option is selected, and
then click Next.
8. On the Start the batch page, select at least one recipient to receive the batch
complete report. Verify that the Automatically start the batch option is selected,
and then select the Automatically complete the migration batch check box.
Click New.
Offline access in Outlook on the web (formerly called Outlook Web App) lets users access
their mailbox when they're not connected to a network. If you migrate Exchange mailboxes
to Exchange Online, users have to reset the offline access setting in their browser to use
Outlook on the web offline.
ADFS Server
Server that links to the credentials, and has the claims configuration as well as the
trusts. Generally not publicly accessible.
Single server installation option removed and now have single farm install
(recommended to install a farm always in prior release anyway)
Separate ADFS proxy role removed. ADFS proxy now based off Web Application
Proxy (WAP), and is used to publish the ADFS server to the Internet. WAP can
publish many other applications, not just ADFS.
ADFS extranet lockout adds AD DS account lockout protection on the ADFS proxy.
We don't need to add any additional features. Remember that the IIS dependency was
removed in ADFS 2012 R2.
Clicking Next takes us to the ADFS splash screen. Note that it helpfully tells us that the
specific ADFS proxy role has been removed in Windows 2012 R2 and how to go about
installing it. Shame I missed that the very first time I ran this, and could not find the
old-school ADFS Proxy role.
Shuffling has been completed, and the installation is complete. You can launch the
ADFS configuration wizard from here, or alternatively if this window is closed it can be
launched from server manager.
Before starting the ADFS configuration wizard I had already installed my 3rd-party certificate
and tested that it was correctly installed.
Additionally a service account called ADFS-Service was also pre-created.
The wizard also states that you must have access to Domain Admin (DA) credentials!
Note that you are only given the option to either make a new ADFS farm or add this box
to an existing farm. This avoids the painful issue from older ADFS builds where, if ADFS
was not installed into a farm, you were then unable to easily add a second ADFS
server for redundancy.
We need to select the SSL certificate that we will use and also provide the ADFS name
we selected in the design process.
In this case the name is adfs.tailspintoys.ca. Note that there is no concept of an
InternalURL or ExternalURL for the ADFS namespace. Clients will use the same name on
the intranet and Internet to locate ADFS, so split DNS will make life simple.
Provide your chosen display name, and click next.
As mentioned earlier, it is possible to use a GMSA as the ADFS service account. A GMSA
automatically rotates the service account's credentials, so administrators never
need to know its password.
In this case a standard service account was used.
#
# Windows PowerShell script for AD FS Deployment
#
Import-Module ADFS
# Get the credential used for the federation service account
$serviceAccountCredential = Get-Credential -Message "Enter the credential for the Federation Service Account."
# Create the farm with the SSL certificate, display name and federation service name chosen in the design
Install-AdfsFarm `
    -CertificateThumbprint:"5804746A7980C8682FBF408D48EF6C3B02A5ZORG" `
    -FederationServiceDisplayName:"Tailspintoys STS" `
    -FederationServiceName:"adfs.Tailspintoys.ca" `
    -ServiceAccountCredential:$serviceAccountCredential
The ADFS pre-requisite checks are done, and we can proceed to the configuration:
What is Federation?
Active Directory Federation Services (AD FS) can be used to provide
federation and single sign-on capabilities for end users who want to access
Office 365 applications. Windows Server 2012 R2 includes an AD FS role that
can function as an identity provider or as a federation provider. An identity
provider authenticates users to provide security tokens to applications that
trust AD FS (e.g. Office 365 applications). A federation provider consumes
tokens from other identity providers and then provides security tokens to
applications that trust AD FS.
In simple terms:
Windows Vista SP1 = Windows Server 2008
Windows Vista SP2 = Windows Server 2008 SP2
Windows 7 = Windows Server 2008 R2
Windows Server 2008 is built from the same codebase as Vista. It is available in two flavors,
32-bit and 64-bit.
Windows Server 2008 R2 is built from the same codebase as Windows 7 x64. It is only available
as a 64-bit version.
Windows Server 2012 R2 brings many new features and enhancements to the Windows Server
world compared to the older Windows Server 2012. We will discuss the major differences between
Windows Server 2012 and Windows Server 2012 R2 and some of the very innovative
Windows Server 2012 R2 features and improvements.
The Windows Server 2012 schema version is 56 and Windows Server 2012 R2 is 69; the schema
is updated during forest preparation when installing Windows Server 2012 R2.
Active Directory comes first when I think about Windows Server, so we will start with the
new Active Directory features in Windows Server 2012 R2.
Microsoft RemoteFX introduces a new set of remote user-experience capabilities that enable a media-rich user
environment for virtual and session-based desktops.
Windows Server 2008 uses the NT 6.0 SP1 kernel, like Windows Vista SP1
Windows Server 2008 R2 uses the NT 6.1 kernel, like Windows 7
Windows Server 2012 uses the NT 6.2 kernel, like Windows 8
Windows Server 2012 R2 uses the NT 6.3 kernel, like Windows 8.1
What is an MX record?
An MX record tells senders how to send email for your domain.
When your domain is registered, it's assigned several DNS records, which enable it to be located on the
Internet. These include MX records, which direct the domain's mail flow. Each MX record points to an
email server that's configured to process mail for that domain. There's typically one record that points to a
primary server, then additional records that point to one or more backup servers. For users to send and
receive email, their domain's MX records must point to a server that can process their mail.
To filter email through the message security service, you must insert new records that point to the
message security service's servers.
For more about MX records, watch the video Understanding and Working with MX Records
Every DNS host has a different user interface for MX records. Some use a trailing period and some don't.
Some allow you to set your TTL and some won't. Our instructions include information for most common
MX hosts, but yours may be different. If you're not sure what to enter, use the same format as your
existing MX records. Be sure that the message security service MX records have the first priority; the
exact numbers don't matter as long as the message security service MX records are the first. If your DNS
server allows fewer than 4 records, enter as many as you can.
For detailed instructions on how to update your MX records, see Change Your MX Records.
Should I update A records when routing mail to the message security service?
Do not update your A records. Since your MX records point to psmtp.com, you do not need to change any
A records.
A Records are the most basic type of DNS record and are used to point a
domain or subdomain to an IP address. Assigning a value to an A record is
as simple as providing your DNS management panel with an IP address to
where the domain or subdomain should point and a TTL.
CNAME records are another commonly used type of DNS entry and are
used to point a host/name to another host/name.
Mail Exchanger (MX) records are used to route email according to the
domain owner's preference. The MX record itself specifies which server(s)
to attempt to use to deliver mail to when this type of request is made to
the domain. They differ from A records and CNAMEs in that they
also require a priority value as part of their entry. The priority number
indicates which of the servers listed as MX records a sender should
attempt to use first.
In the screenshot above, you can see that I am using two MX records that
have separate priority values and point to different subdomains. These
subdomains are pointed at two different email servers that are
designated to handle email. The MX record with the lower priority number
(0 in this case) is the first to be tried for email delivery. If this server is
unable to handle the mail request, the next lowest priority number is
used, which in this case would be 10.
Some email providers have only one MX record and some have well over
two. The number of MX entries you will need to create depends largely on
the mail provider and how they expect the load on these email servers to
be handled.
You'll notice the host name here is designated as the naked/primary form
( @ ). If you wanted to receive mail on a subdomain, you would adjust the
host/name accordingly and ensure your email provider is set up to handle
email for the subdomain.
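As an added example (not part of the original document), this Python script checks the MX requirements above: it parses MX records in the loose "priority host" form DNS panels show, with or without trailing dots, works out the order senders will try them, and confirms that every filtering-service record sorts strictly ahead of the real mail servers. The hostnames and priorities are constructed placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MXRecord:
    priority: int
    host: str  # canonical form: lowercase, no trailing dot


def parse_mx(lines):
    """Parse 'priority host' lines; tolerates trailing dots, case and blank lines."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prio, host = line.split(None, 1)
        records.append(MXRecord(int(prio), host.strip().lower().rstrip(".")))
    return records


def delivery_order(records):
    """Hosts in the order a sending server tries them: lowest priority first."""
    return [r.host for r in sorted(records, key=lambda r: (r.priority, r.host))]


def filtering_first(records, service_suffix):
    """True only if every filtering-service record beats every other record.

    The exact numbers do not matter; a tie counts as a failure because a sender
    may then pick the unfiltered server first.
    """
    service = [r for r in records if r.host.endswith(service_suffix)]
    others = [r for r in records if not r.host.endswith(service_suffix)]
    if not service:
        return False
    return all(s.priority < o.priority for s in service for o in others)


# Constructed sample zone: two filtering-service hosts ahead of the
# on-premises primary and backup servers (mixed trailing dots on purpose).
SAMPLE_MX = """
100 mx1.filter.example.net.
100 MX2.filter.example.net
200 mail.contoso.com.
300 mail2.contoso.com
"""

# Constructed misconfiguration: the real primary server still wins.
BROKEN_MX = """
100 mx1.filter.example.net.
0 mail.contoso.com.
"""
```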
TXT Record
to create a
2. On the New receive connector page, specify a name for the Receive connector and
then select Frontend transport for the Role. Since you are receiving mail from the
Internet in this case, we recommend that you initially route mail to your Front End
server or servers, to simplify and consolidate your mail flow.
3. Choose Internet for the type. The Receive connector will receive mail from Internet
senders.
4. For the Network adapter bindings, observe that All available IPv4 is listed in
the IP addresses list and the Port is 25. (Simple Mail Transfer Protocol (SMTP) uses
port 25.) This indicates that the connector listens for connections on all IP addresses
assigned to network adapters on the local server.
5. Click the Finish button to create your connector.
Once you have created the Receive connector, it appears in the Receive connector list.
Create the Send connector that's required to send mail to the Internet.
When you install your first Exchange Server 2016 server, the server isn't able to send mail
outside of your Exchange organization. To send mail outside your Exchange organization,
you need to create a Send connector.
Name: Enter a descriptive name for the Send connector, for example, To
Internet.
Address space: In the Address space section, click Add. In the Add domain dialog box
that appears, in Fully Qualified Domain Name (FQDN), enter an asterisk
(*), and then click Save. This value indicates that the Send connector applies
to messages addressed to all external domains.
In the classic admin center, next to Set Multifactor authentication requirements, choose Set up.
Disabled: This is the default state for a new user not enrolled
in multi-factor authentication.
Enabled
Permissions
Members of your compliance team who will
create DLP policies need permissions to the
Security & Compliance Center. By default, your
What is DLP?
Data Loss Prevention is the capability to monitor potential data breaches inside your organization that
must comply with a set of policies. It allows a system to control and block sensitive information from
leaving an organization.
In Office 365, the platform helps you identify, track and protect sensitive information in your
organization through deep content analysis and makes it easy to set up the policies. The DLP capability
applies to content in the Exchange Online, SharePoint Online and OneDrive for Business services on Office
365.
Enterprise E3
Enterprise E4
Government E3
Government E4
Nonprofit E3
Nonprofit E4
Benefits of DLP
The DLP offerings in Office 365 let businesses quickly and easily comply with various industry or
government standards without making a big, expensive investment, which in the end puts you and your
organization in a much better place. It provides easier control over auditing information exchange inside
your organization. It will also keep the Security Officers in your organization more relaxed!
The DLP policies provide Policy Tips to your end users without affecting their productivity and allow
users to learn to be compliant with organizational policies. There are more benefits than can be listed
here, but you get the idea by now.
In the output, there is a section for the command running on each DC. If
the attributes are listed, the object has been replicated. But if an error
occurs, such as DsReplicaGetInfo() failed with status 8333, then the object
has not yet been replicated to that DC.
Repadmin options you might not know about
Although Repadmin is a well-known tool for troubleshooting replication issues,
there are some commands, which admins might not be as familiar with, that can
help with replication.
DISABLE_OUTBOUND_REPL -- Disables outbound replication.
For example:
C:\Users\olseng>repadmin /options *
Remember, this command is not a fool-proof fix and doesn't always do the job.
For the best results, make sure the StrictReplication registry key is enabled on all
DCs to prevent lingering objects from returning. It's also important to run this
command on all naming contexts when working with multiple domain forests,
and to keep checking for lingering-object-related events in the event log to make
sure they are gone.
These are just some of the commands admins can use when working with
Repadmin, and they are best learned by trying them in a lab
environment. There are several other resources that discuss the ins and outs
of Repadmin as well. Start by reading the ExpertHelp files to learn several
other commands that were not covered here. You'll be glad you did.