Sunday, September 23, 2012

Office 365 Deployment

Initial Setup
Set up your Office 365 account at www.office365.com according to your environment.
Add your domain to your account.
o   Go to the Admin page and click Domains under the Management heading.
o   Prove ownership of the domain by creating the TXT record the portal gives you at your authoritative DNS provider.  See the online instructions for your particular provider.  Until the record is verified, Office 365 will not let you assign that domain to users or federate it.
o   Select the services you will enroll the domain in for Office 365.
Single Sign-On
Prepare Active Directory
If needed, add a UPN suffix that matches your external (verified) domain - http://technet.microsoft.com/en-us/library/cc772007.aspx.  A non-routable suffix such as domain.local cannot be used as an Office 365 sign-in name.
Change each user's UPN to the new suffix.  The UPN is what directory synchronization sends to Office 365 as the user's sign-in name, and it must end in the verified domain for federated sign-in to work.
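The UPN preparation above, as an added PowerShell example that is not part of the original post.  It assumes the ActiveDirectory module (RSAT or Windows Server 2008 R2 and later), an AD forest named domain.local and a verified Office 365 domain named domain.com; all three names are assumptions.  It registers the public suffix on the forest, rewrites the UPN of every enabled user that still carries the internal suffix, and then lists anything left that Office 365 will not accept.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module,
# forest "domain.local" (not routable) and public domain "domain.com" verified in Office 365.
Import-Module ActiveDirectory

$internalSuffix = "domain.local"   # assumed: the AD DNS name
$publicSuffix   = "domain.com"     # assumed: the domain verified in Office 365

# 1. Register the public suffix on the forest so it can be assigned to users.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $publicSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $publicSuffix }
}

# 2. Find enabled users that have no UPN or still use the internal suffix.
$toFix = Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Where-Object {
        -not $_.UserPrincipalName -or
        $_.UserPrincipalName.ToLower().EndsWith("@$internalSuffix")
    }

# 3. Rewrite each UPN to sAMAccountName@domain.com.  Leave -WhatIf on for the
#    first run to review the changes, then remove it to apply them.
foreach ($u in $toFix) {
    $newUpn = "$($u.SamAccountName)@$publicSuffix"
    Set-ADUser -Identity $u.DistinguishedName -UserPrincipalName $newUpn -WhatIf
}

# 4. Report what still will not federate: enabled users whose UPN does not end
#    in the verified suffix (other suffixes, typos, or accounts skipped above).
Get-ADUser -Filter 'Enabled -eq $true' -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -notlike "*@$publicSuffix" } |
    Select-Object SamAccountName, UserPrincipalName
```

Run step 4 again after directory synchronization is in place; any user it lists will appear in Office 365 with a fallback onmicrosoft.com sign-in name rather than the federated domain.  sAMAccountNames that contain spaces or other characters not valid in an e-mail-style UPN need to be handled by hand before the rewrite.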
AD FS 2.0 Deployment
o   For redundancy, consider using a federation farm (WID – Windows Internal Database) with proxies and Network Load Balancers.
§  AD FS servers – Domain joined and not a DC
§  AD FS proxies – Not domain joined and located in the DMZ; only TCP 443 inbound from the Internet and outbound to the internal federation servers
o   Configure internal DNS to point the federation service name to the internal NLB cluster address of the federation servers.
o   Configure external DNS to point the public name to the NLB in front of the proxies.
o   Certificates
§  Service communications (SSL) – from a 3rd-party CA; the subject must match the federation service name
§  Token Signing – auto generated – USE SELF-SIGNED.  Office 365 trusts this specific key (published in the federation metadata), not a CA chain, so a CA-issued certificate adds nothing.
§  Token Decrypting – auto generated; only needed when a claims provider sends encrypted tokens, so rarely used
o   Install ADFS 2.0
§  Run the ADFSSetup.exe
§  After installation is complete, open the AD FS 2.0 Management console and create a new Federation Service.  You will need to choose either a Stand-Alone or Farm deployment.  Ensure your SSL certificate matches the Federation Service name.  Make sure to use auto-generated certificates for token signing.
§  You can ignore the message asking to add a trusted relying party.  This will be done at a later step.
§  Verify the federation server is operational by fetching its metadata:
        • https://fs.domain.com/FederationMetadata/2007-06/FederationMetadata.xml
§  For more details you can go to the online help here:

o   Install Update Rollup 2 for ADFS 2.0
o   ADFS Proxies
§  Consider deploying two federation server proxies to provide fault tolerance and use a network load balancer.
§  Run the ADFSSetup.exe
·         After accepting the license agreement the Server Role page will appear.  Select Federation server proxy.  A restart may be required.
·         Configure the necessary SSL Certificates (3rd Party).
·         Enter a Federation Service name that matches your certificate.  I used sts.domain.com.
·         Enter credentials with the required permissions to authorize a federation server proxy.
·         Review the settings and click next and close.
·         Verify that the proxy is operational.  Check the event logs for event ID 198 under the application logs.
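The two verification steps above (federation metadata on the server, proxy operational) can be checked from PowerShell in one go.  This is an added example, not code from the original post.  It assumes it runs on an AD FS 2.0 federation server with the Microsoft.Adfs.PowerShell snap-in, that the farm answers internally as fs.domain.com and through the proxies as sts.domain.com (the names used in this post), and that both names have valid SSL certificates.  The function Get-FederationSigningThumbprints is this example's own helper.  It downloads FederationMetadata.xml from each name, extracts the token-signing certificate(s) published there, and compares them with what the local farm is configured to sign with.

```powershell
# Added example (not from the original post). Assumes AD FS 2.0 on this server,
# internal name fs.domain.com and proxy name sts.domain.com.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

function Get-FederationSigningThumbprints {
    param([string]$FederationHost)
    $url = "https://$FederationHost/FederationMetadata/2007-06/FederationMetadata.xml"
    # WebClient validates the TLS chain and name; a mismatched or untrusted SSL
    # certificate fails here, which you want to know before Office 365 does.
    $wc = New-Object System.Net.WebClient
    [xml]$xml = $wc.DownloadString($url)
    Write-Host "$FederationHost entityID: $($xml.EntityDescriptor.entityID)"

    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
    $ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")
    $xpath = "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    $xml.SelectNodes($xpath, $ns) | ForEach-Object {
        $raw  = [Convert]::FromBase64String($_.InnerText)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
        $cert.Thumbprint
    } | Sort-Object -Unique
}

# What the server publishes, what the proxy publishes, and what the farm actually signs with.
$published = @(Get-FederationSigningThumbprints -FederationHost "fs.domain.com")
$viaProxy  = @(Get-FederationSigningThumbprints -FederationHost "sts.domain.com")
$configured = @(Get-ADFSCertificate -CertificateType Token-Signing |
                ForEach-Object { $_.Thumbprint } | Sort-Object -Unique)

"Published (internal): $($published -join ', ')"
"Published (via proxy): $($viaProxy -join ', ')"
"Configured on farm:    $($configured -join ', ')"

if (Compare-Object $published $configured) {
    Write-Warning "Metadata and configured token-signing certificates differ."
}
if (Compare-Object $published $viaProxy) {
    Write-Warning "Proxy is not serving this farm's metadata; check its trust (event ID 198) and load balancer."
}
```

Office 365 caches the token-signing certificate it is given when the domain is federated, so the check above is also the one to repeat whenever AD FS rolls the certificate over: if the thumbprint in the metadata changes, the federated domain in Office 365 has to be updated (Update-MsolFederatedDomain) or every sign-in fails.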
Microsoft Online Services Module for Windows PowerShell
Download and install Microsoft Online Services Sign-In Assistant version 7.0 or greater
http://onlinehelp.microsoft.com/office365-enterprises/hh124998.aspx
Download the Microsoft Online Services Module
o   http://onlinehelp.microsoft.com/office365-enterprises/hh124998.aspx
Import the module
o   PS C:\> Import-Module MSOnline
Connect to Microsoft Online Services (the credential is an Office 365 administrator, not a domain account)
o   PS C:\> $cred = Get-Credential
o   PS C:\> Connect-MsolService -Credential $cred
List cmdlets
o   PS C:\> Get-Command -Module MSOnline
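The relying party step deferred earlier (the Office 365 trust on AD FS) is done from this module.  The following is an added example, not from the original post.  It assumes the domain domain.com is already verified in Office 365, the AD FS server is fs.domain.com, and the script runs on the AD FS server (Set-MsolADFSContext can also remote to it over WinRM); all of those are assumptions.  Converting the domain creates the "Microsoft Office 365 Identity Platform" relying party trust on AD FS and uploads the farm's token-signing certificate, so the last command checks that both sides agree.

```powershell
# Added example (not from the original post). Assumes domain.com is verified in
# Office 365, fs.domain.com is the AD FS server, and MSOnline is installed.
Import-Module MSOnline
$cred = Get-Credential              # Office 365 global administrator
Connect-MsolService -Credential $cred

$domain = "domain.com"              # assumed
$adfs   = "fs.domain.com"           # assumed

# 1. Only a verified domain can be federated.
$d = Get-MsolDomain -DomainName $domain
if ($d.Status -ne "Verified") {
    throw "$domain is '$($d.Status)'; add the TXT record and verify it first."
}

# 2. Tell the module which AD FS server to read the federation service name,
#    metadata URL and token-signing certificate from (and to create the trust on).
Set-MsolADFSContext -Computer $adfs

# 3. Convert the domain from managed to federated.  After this, every user with
#    a UPN in this domain authenticates at AD FS, not with a cloud password.
if ($d.Authentication -ne "Federated") {
    Convert-MsolDomainToFederated -DomainName $domain
}

# 4. Compare what AD FS has with what Office 365 stored.  The two Source rows
#    must show the same FederationServiceIdentifier, URIs and TokenSigningCertificate;
#    a mismatch means failed sign-ins for every user in the domain.
Get-MsolFederationProperty -DomainName $domain |
    Select-Object Source, FederationServiceIdentifier, PassiveLogOnUri,
                  ActiveLogOnUri, MetadataExchangeUri,
                  @{ n = "SigningThumbprint"; e = { $_.TokenSigningCertificate.Thumbprint } }
```

Do the conversion outside business hours: from the moment the domain is federated, any outage of AD FS or the proxies is an outage of Office 365 sign-in for that domain.  Convert-MsolDomainToStandard reverses it.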
Connecting to Microsoft Office 365 (Exchange Online) with PowerShell
$cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $Session
Remove-PSSession $Session
Basic authentication here is carried inside the HTTPS connection (and the redirect stays on HTTPS), so the password is not exposed on the wire.  Remove the session when finished; Exchange Online allows only three concurrent sessions per account and abandoned ones block new connections until they time out.
Directory Synchronization
Use the Microsoft Office 365 Deployment Readiness Tool to check for compatibility.
Do not install the tool on a domain controller.  It can share a server with AD FS.
Activate directory synchronization
o   In your portal, click Admin then Users.  At the top of the page next to Active Directory synchronization, click Set up and manage Active Directory synchronization and Activate.
o   Install the Directory Synchronization tool – not on a Domain Controller
§  Download and install the DirSync tool for your OS
·         Enterprise Admin permissions are required for the installation, and a new service account, MSOL_AD_SYNC, is created.  The installing account's rights are used once; the service account is what runs afterwards.
·         Once installed, you can manually force a synchronization with the Start-OnlineCoexistenceSync cmdlet.  You will need to open the DirSyncConfigShell.psc1 PowerShell console located under the install directory; it loads the snap-in that provides the cmdlet.
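Forcing the first synchronization and confirming it landed, as an added PowerShell example that is not part of the original post.  It assumes the DirSync server has the Coexistence-Configuration snap-in (the one DirSyncConfigShell.psc1 loads) and the MSOnline module, that RSAT's ActiveDirectory module is available for the service-account check, and that the AD domain is domain.local; those are assumptions.  The check at the end is a least-privilege one: the installer needed Enterprise Admin, but the MSOL_AD_SYNC service account only needs to read the directory and should not sit in a privileged group.

```powershell
# Added example (not from the original post). Runs on the DirSync server.
# Assumes the Coexistence-Configuration snap-in, MSOnline, and AD domain "domain.local".
Add-PSSnapin Coexistence-Configuration -ErrorAction Stop

# 1. Run a sync now instead of waiting for the scheduled run (every 3 hours by default).
Start-OnlineCoexistenceSync

# 2. Confirm from the cloud side that sync is enabled and that this run was recorded.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)     # Office 365 administrator
$info = Get-MsolCompanyInformation
$info | Select-Object DirectorySynchronizationEnabled, LastDirSyncTime
if (-not $info.DirectorySynchronizationEnabled) {
    Write-Warning "Directory synchronization is not activated in the portal."
}
if (-not $info.LastDirSyncTime -or $info.LastDirSyncTime -lt (Get-Date).AddHours(-1)) {
    Write-Warning "No sync recorded in the last hour; check the Windows Application log on this server."
}

# 3. How many on-premises users arrived, and which objects the service rejected.
$synced = @(Get-MsolUser -All -Synchronized)
"Synchronized users in Office 365: $($synced.Count)"
Get-MsolUser -All -HasErrorsOnly | Select-Object UserPrincipalName, ValidationStatus

# 4. Least privilege: the service account the installer created should not be a
#    member of any privileged group.  Requires the ActiveDirectory module.
Import-Module ActiveDirectory
$svc = Get-ADUser -Identity "MSOL_AD_SYNC" -Properties MemberOf
$privileged = $svc.MemberOf | Where-Object {
    $_ -match '^CN=(Domain Admins|Enterprise Admins|Administrators|Schema Admins),'
}
if ($privileged) {
    Write-Warning "MSOL_AD_SYNC is in: $($privileged -join '; ')"
}
```

Users that show up under -HasErrorsOnly are usually duplicates of a proxy address or UPN already present in the tenant; the object is still created but the conflicting attribute is dropped, so fix the source in AD and sync again rather than editing it in the portal.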
Outlook Anywhere
The Office 365 migration tools reach an Exchange 2007 server over Outlook Anywhere (RPC over HTTP) and locate it through Autodiscover, so both must be published before mailboxes can be moved.
Install a valid SSL certificate for Exchange which includes your autodiscover host name.
Install the RPC over HTTP proxy component.
Wait 15 minutes or reboot the server.
Enable Outlook Anywhere on your Exchange 2007 Client Access server.
Wait 15 minutes or reboot the server.
If running Windows 2008, you may need to edit your hosts file to include:
o   Internal IP and hostname – 192.168.1.10     exchange
o   Internal IP and internal FQDN – 192.168.1.10 exchange.domain.local
Configure your public autodiscover DNS record to point to your DMZ IP address.
Configure your firewall to allow inbound TCP 443 from the Internet to that address only; Outlook Anywhere and Autodiscover both use it, and nothing else on the server needs to be reachable.
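The Exchange-side steps above, as an added example run in the Exchange 2007 Management Shell on the Client Access server; it is not code from the original post.  The server name EXCHANGE, the public names mail.domain.com and autodiscover.domain.com, the hosts-file entries from the post, and the test mailbox user@domain.com are assumptions.  It checks the certificate covers the names clients will use before enabling anything, enables Outlook Anywhere, publishes the Autodiscover URL, adds the hosts entries, and finally exercises the services the way Outlook does.

```powershell
# Added example (not from the original post). Exchange 2007 Management Shell on the CAS.
# Assumed names: server EXCHANGE, public names mail.domain.com / autodiscover.domain.com.
$server   = "EXCHANGE"
$external = "mail.domain.com"
$needed   = @("mail.domain.com", "autodiscover.domain.com")

# 1. The certificate bound to IIS must carry every name a client will connect to;
#    otherwise Outlook Anywhere and Autodiscover fail with certificate warnings.
$iisCert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "IIS" } | Select-Object -First 1
if (-not $iisCert) { throw "No certificate is enabled for IIS on this server." }
$domains = $iisCert.CertificateDomains | ForEach-Object { "$_".ToLower() }
$missing = $needed | Where-Object { $domains -notcontains $_ }
if ($missing) { throw "IIS certificate $($iisCert.Thumbprint) is missing: $($missing -join ', ')" }

# 2. Enable Outlook Anywhere (the RPC over HTTP proxy component must already be installed).
#    Basic authentication is used because the credentials travel inside TLS and it
#    works through a DMZ reverse proxy; SSL offloading stays off so TLS ends on the CAS.
if (-not (Get-OutlookAnywhere -Server $server -ErrorAction SilentlyContinue)) {
    Enable-OutlookAnywhere -Server $server -ExternalHostname $external `
        -ClientAuthenticationMethod Basic -SSLOffloading $false
}

# 3. Publish the Autodiscover URL under the name in the certificate and in public DNS.
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "https://autodiscover.domain.com/Autodiscover/Autodiscover.xml"

# 4. Hosts entries from the post for Windows 2008 (assumed IP), added only if absent.
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"
foreach ($name in @("exchange", "exchange.domain.local")) {
    if (-not (Select-String -Path $hostsFile -Pattern "\s$([regex]::Escape($name))\s*$" -Quiet)) {
        Add-Content -Path $hostsFile -Value "192.168.1.10`t$name"
    }
}

# 5. Exercise Autodiscover and the web services end to end for a test mailbox.
Test-OutlookWebServices -Identity "user@domain.com" -TargetAddress "user@domain.com" |
    Format-Table Id, Type, Message -AutoSize
```

Wait the 15 minutes the post mentions (or recycle IIS) between steps 2 and 5; Outlook Anywhere settings are picked up by a periodic task, and the test will report failures until then.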

Hostnames/Certificates/Ports Accessible

Server        Hostname                  Certificate             Ports
AD FS Server  fs.domain.com             Auto/3rd Party SSL      443
AD FS Proxy   sts.domain.com            3rd Party SSL           443
Exchange      mail.domain.com           3rd Party UC/SAN SSL    25/443
              webmail.domain.com
              autodiscover.domain.com