Office 365 Deployment
Initial
Setup
Add your domain to your account.
o
Go
to the Admin page and click Domains under the Management heading.
o
Verify
your domain via a txt record under your authoritative DNS server. See the online instructions for your
particular provider.
o
Define
the services you will enroll for Office365.
Single Sign-On
Prepare Active Directory
If needed, create UPN to match your external domain - http://technet.microsoft.com/en-us/library/cc772007.aspx
Set users to default to this new UPN.
impADFS 2.0 Deployment
o
For
redundancy, consider using a federation farm (WID – Windows Internal Database)
with proxies and Network Load Balancers.
§ ADFS servers – Domain joined and not
a DC
§ ADFS Proxies – Not domain joined and
located in the DMZ (Port 443)
o
Configure
internal DNS to point to the cluster name.
o
Configure
external DNS to point to the NLB for the cluster.
o
Certificates
§ Secure Channel (SSL) from a 3rd
party
§ Token Signing – Auto generated – USE SELF-SIGNED
§ Token Description – Not used often
o
Install
ADFS 2.0
§ Run the ADFSSetup.exe
§ After Installation is complete open
the AD FS 2.0 Management and Create a new Federation Service. You will need to choose either a Stand-Alone
or Farm Deployment. Ensure your SSL
certificate matches the Federation Service Name. Make sure to use auto generated certs for the
Token Signing.
§ You can ignore the message asking to
Add a trusted relying party. This will
be done at a later step.
§ Verify the federation server is
operational
- https://fs.domain.com/FederationMetadata/2007-06/FederationMetadata.xml
§ For more details you can go to the
online help here:
o
Install
Update Rollup 2 for ADFS 2.0
o
ADFS
Proxies
§ Consider deploying two federation
server proxies to provide fault tolerance and use a network load balancer.
§ Run the ADFSSetup.exe
·
After
accepting the license agreement the Server Role page will appear. Select Federation server proxy. A restart may be required.
·
Configure
the necessary SSL Certificates (3rd Party).
·
Enter
a Federation Service name that matches your certificate. I used sts.domain.com.
·
Enter
credentials with the required permissions to authorize a federation server
proxy.
·
Review
the settings and click next and close.
·
Verify
that the proxy is operational. Check the
event logs for event ID 198 under the application logs.
Microsoft
Online Services Module for PowerShell
Download and install Microsoft Online Services Sign-In
Assistant version 7.0 or greater
http://onlinehelp.microsoft.com/office365-enterprises/hh124998.aspx
Download the Microsoft Online Services Module
o
http://onlinehelp.microsoft.com/office365-enterprises/hh124998.aspx
Import the module
o
PS
C:\> Import-Module msonline
Connect to the MS Online Services
o
PS
C:\> $cred = Get-Credential
o
PS
C:\> Connect-MsolService -Credential $cred
List Commandlets
o
PS
C:\> Get-Command -Module msonline
Connecting
to Microsoft Office 365 with PowerShell
$cred = get-credential
$Session = New-PSSession -ConfigurationName
Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/
-Credential $cred -Authentication Basic –AllowRedirection
Import-PSSession $Session
Directory
Synchronization
Use the Microsoft Office 365 Deployment Readiness Tool to
check for compatibility.
Do not install on a DC. Can be combined with AD FS.
Activate directory synchronization
o
In
your portal, click Admin then Users. At
the top of the page next to the Active Directory synchronization, click Set up
and manage Active Directory synchronization and Activate.
o
Install
the Directory Synchronization tool – Not on a Domain Controller
§ Download and install the Dir Sync
tool for your OS
·
Enterprise
Admin permissions are required and a new service account will be created –
MSOL_AD_SYNC
·
Once
installed, you can manually force a synchronization with the
start-onlinecoexistencesync command. You
will need to open the DirSyncConfigShell.psc1 PowerShell command prompt located
under the install directory.
Outlook
Anywhere
Install a valid SSL certificate for Exchange which includes
your autodiscover host name.
Install RPC over HTTP proxy component.
Wait 15 mins or reboot server.
Enable Outlook Anywhere on your Exchange 2007.
Wait 15 mins or reboot server.
If running Windows 2008, you may need to edit your hosts
files to include:
o
Internal
IP and hostname – 192.168.1.10
exchange
o
Internal
IP and internal FQDN – 192.168.1.10 exchange.domain.local
Configure your public autodiscover DNS record to point to
your DMZ IP address.
Configure your firewall to allow external access for port 443
to your server.
Hostnames/Certificates/Ports
Accessible
Server
|
Hostname
|
Certificate
|
Ports
|
AD FS Server
|
fs.domain.com
|
Auto/3rd Party SSL
|
443
|
AD FS Proxy
|
Sts.domain.com
|
3rd Party SSL
|
443
|
Exchange
|
Exchange
Mail.domain.com
Webmail.domain.com
Autodiscover.domain.com
|
3rd Party UC/SAN SSL
|
25/443
|
No comments:
Post a Comment