Now that Exchange Server 2013 Service Pack 1 is out, many organizations are beginning to seriously evaluate the latest iteration of Microsoft’s messaging platform. Many of these same organizations may have divisions, offices, or even vast swaths of their company using Exchange Online or Office 365 and Microsoft’s hosted Exchange platform. Helpfully, Service Pack 1 enables some key functionality in Exchange as it relates to hybrid on premises and cloud deployments. In this piece, I examine two important developments in hybrid Exchange deployments that are possible now that Exchange 2013 Service Pack 1 is available:


Hybrid Deployments with More than One Active Directory Forest


The Hybrid Configuration Wizard can be used to interoperate with Exchange Online across all of your forests, especially in larger deployments with multiple forests containing an Exchange organization—a newly supported scenario.

First off, each forest you want to deploy in this way needs at least one Exchange Server 2013 machine with the Client Access and Mailbox server roles installed, including Service Pack 1. This server is the one that will receive mail from Exchange Online Protection (EOP), the mail hygiene service running in the cloud, and the one that transmits outbound messages to either EOP or another filtering service for forwarding on to the big bad Internet or to Exchange Online mailboxes in the cloud. You also need to deploy Forefront Identity Manager 2010 R2 or later in order to enable the Active Directory synchronization required to match up with a single Office 365 tenant (a tenant is simply an organizational account).

After you have the hardware and software requirements out of the way, you will need to set up the right autodiscover DNS and/or SRV records within each of your forests’ namespaces, and have SMTP namespaces configured within Exchange on premises for each of these forests. (It’s important to note that each organization’s namespace must be different—you can’t have a single namespace across different organizations in different forests.) The autodiscover records need to be accessible from outside the network because Exchange Online will need to query them as part of regular service operation. Each forest also needs a secure digital certificate signed by a trusted third-party certification authority, and each certificate has to be different—either the common name (the DNS name that the certificate authenticates) or the third-party certification authority issuing the certificate must be different. Finally, you need to configure single sign-on for all hybrid deployments with multiple forests, which lets you use Active Directory Users & Computers and other on-premises tools to manage identities that are hosted in your company’s Exchange Online tenant. Alternatively, password sync would work equally well here.
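The namespace, autodiscover and certificate rules above can be checked before running the Hybrid Configuration Wizard. The following Python sketch is an added example, not part of the original article or any Microsoft tooling; the forest names, domains, CA name and the `preflight` helper are hypothetical, and the inventory is constructed sample data. It assumes the conventional autodiscover record names `autodiscover.<domain>` and `_autodiscover._tcp.<domain>`.

```python
from collections import defaultdict

# Constructed inventory (hypothetical forests, domains and CA names).
FORESTS = {
    "forest-a": {"smtp": ["a.example"], "cert_cn": "mail.a.example",
                 "cert_issuer": "Example Public CA 1"},
    "forest-b": {"smtp": ["b.example"], "cert_cn": "mail.b.example",
                 "cert_issuer": "Example Public CA 1"},
    "forest-c": {"smtp": ["c.example", "a.example"], "cert_cn": "mail.a.example",
                 "cert_issuer": "Example Public CA 1"},
}
# Constructed set of record names resolvable from outside the network.
EXTERNAL_DNS = {"autodiscover.a.example", "_autodiscover._tcp.b.example"}


def preflight(forests, external_dns):
    """Return a sorted list of findings; empty means the prerequisites hold."""
    findings = []
    ns_owner = defaultdict(set)
    cert_owner = defaultdict(set)
    for name, f in forests.items():
        for domain in f["smtp"]:
            ns_owner[domain.lower()].add(name)
        # A certificate only counts as "different" if its CN or its issuer
        # differs, so the (CN, issuer) pair must be unique per forest.
        cert_owner[(f["cert_cn"].lower(), f["cert_issuer"].lower())].add(name)
    for domain, owners in ns_owner.items():
        if len(owners) > 1:
            findings.append(f"namespace {domain} shared by {sorted(owners)}")
        # Either a host record or an SRV record must be published externally.
        wanted = {f"autodiscover.{domain}", f"_autodiscover._tcp.{domain}"}
        if not wanted & external_dns:
            findings.append(f"no external autodiscover record for {domain}")
    for (cn, issuer), owners in cert_owner.items():
        if len(owners) > 1:
            findings.append(f"certificate {cn} / {issuer} reused by {sorted(owners)}")
    return sorted(findings)


if __name__ == "__main__":
    for line in preflight(FORESTS, EXTERNAL_DNS):
        print("FAIL:", line)
```

Note that forest-b passes the certificate rule even though it shares an issuing CA with forest-a, because its common name differs.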

How does all of this come together? If AD FS is deployed, users are able to use their current on-premises username and password to access your organization, and Office 365 or Exchange Online will understand and accept these credentials. You can use multiple e-mail address domains (,, etc.) within your organizations. Outbound mail heads to the Internet via your on-premises servers, which also relay mail sent by users whose mailboxes live on Exchange Online. Calendars and free/busy information are shared freely between on premises and the cloud. Users have one URL for webmail regardless of where their mailbox actually lives.

If you have a large organization, want to move to the cloud, and have the right licenses for Forefront Identity Manager, this could be a good model for you. (Of course, the new Azure Active Directory Sync tool is coming in release form sometime this summer, and will be a great alternative to FIM. You can join the preview at


Exchange 2013 OAuth Support in Hybrid Deployments


OAuth is now supported as an authentication mechanism, and can be configured automatically with Exchange 2013 SP1 Cumulative Update 5. In a hybrid configuration, Exchange OAuth lights up three additional Exchange 2013-specific features unavailable to customers using down-level versions: Exchange in-place archiving, Exchange in-place eDiscovery, and message rights management, or MRM. OAuth also manages the free/busy information shared between your network and Exchange Online, MailTips (the little pop-ups with information about recipients and their availability that your users get when they begin a draft of a message in the full Outlook client or Outlook Web Access), and the enhanced message tracking that lets administrators see the exact path a message takes through the system and to its eventual recipient.

What is cool about OAuth? For one, it is a widely accepted authentication protocol that’s used primarily when two different applications want to share a common user base. Microsoft already allows SharePoint 2013 and Lync 2013 to use OAuth to talk to Exchange, mainly for extended support of eDiscovery, but now you could write native business applications that also speak OAuth and use this in conjunction with your hybrid deployment.

Published: 6/20/2014 11:59