It's time to get our hands dirty with Office 365, Exchange and Azure Active Directory Sync Services to implement multi-forest directory sync, login and hybrid Exchange. We'll explore why a multi-forest hybrid Exchange deployment might be right for you, what other options are available, and explain how to work through the process.
In a multi-forest hybrid Exchange deployment, an organization has a single Office 365 tenant but multiple Active Directory environments with Exchange installed in each one. The hybrid part comes into play when Exchange 2013 is installed into each forest, either as an upgrade or as a "bridge" to the cloud, and the Hybrid Configuration Wizard is run multiple times -- once per forest.
Many organizations have multiple Active Directory (AD) forests, each with a standalone Exchange implementation. The reasons vary, but this is often the result of mergers, acquisitions, or separate operating divisions or departments with their own IT staff. While it would be wise to consolidate new divisions as they are brought on board, or not to implement multiple AD forests in the first place, not every company does this, for a variety of reasons.
Moving to Office 365 can remove one major challenge involved in a full AD consolidation -- building a central Exchange infrastructure to host all mailboxes and deciding which AD to use. You can use a multi-forest hybrid Exchange deployment to move mailboxes directly to the cloud and separate the AD consolidation.
Multi-forest hybrid setups aren't without issues. They work best for organizations running a supported version of Exchange, because an Exchange 2013 hybrid server can then be installed into each forest. Organizations with large Exchange 2003 estates, for example, are not suited to a multi-forest hybrid Exchange setup.
Real-world hybrid Exchange deployments
To explain this further, I will use an example scenario. Goodman Industries is a multi-national corporation that has a corporate division with a domain and AD forest named GoodmanIndustries.com, and a U.K. division with a domain and AD forest named GoodmanIndustries.co.uk. Goodman Industries recently bought a design company with a domain and AD forest named LisaJaneDesigns.co.uk.
Each forest runs either Exchange 2010 or Exchange 2013, and all environments are connected to a single Multiprotocol Label Switching wide-area network with Domain Name System resolution and AD trusts between domains configured. Although not a prerequisite, Goodman Industries already uses a sync product to provide a single Global Address List (Figure 1).
Goodman Industries doesn't want to run three separate Exchange environments, so the company purchased Office 365 licenses. Although they maintain existing AD forests for administrative purposes, email will migrate to Exchange Online. For the best possible user experience, the company will implement a multi-forest hybrid Exchange deployment.
To implement this, IT teams must have the following additional servers:
- An Azure AD Sync Server with access to all three Active Directory domains and access to Office 365. We'll install this in GMI, the "Corporate" forest.
- An Exchange 2013 SP1 or higher server (Cumulative Update 7 at the time of this writing) installed in the Exchange 2010 organization, GMIUK.
In addition to these servers, we'll need to perform the following tasks common to all hybrid Exchange implementations.
- Use Microsoft's IDFix tool in each domain to ensure AD objects are in a suitable state for Azure AD.
- Ensure all SMTP domains are registered as Custom Domains in Office 365.
- Because it's hybrid, ensure User Principal Names are set to valid domains registered as Custom Domains in Office 365, and ideally match the Primary SMTP address of each user.
- Ensure the existing Exchange 2013 servers are patched to at least SP1 or higher.
- Ensure the existing Exchange 2010 server is patched to at least SP3, ideally with the latest Update Rollups.
- Install valid third-party SSL certificates that include the HTTPS namespaces, Autodiscover namespaces and SMTP hostnames on each server.
- Publish the Autodiscover and Exchange Web Services paths to the Internet. Ensure Office 365 can access those paths without pre-authentication, and that Remote Connectivity Analyzer tests complete successfully.
- Publish SMTP for each Exchange organization so Office 365 can directly access the proposed hybrid servers.
- Ensure the hybrid servers can access Office 365 using HTTP and SMTP, and that the Azure AD Sync server can access Office 365 using HTTPS.
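The User Principal Name requirement above is the one most often missed before the first directory sync, because each forest tends to have its own UPN suffix conventions. The following script is an added example and is not part of the original article: it queries each forest in the Goodman Industries scenario and reports users whose UPN suffix is not one of the verified Office 365 custom domains, or whose UPN does not match their primary SMTP address. The forest names follow the scenario; the list of verified domains is an assumption (it could be populated from Get-MsolDomain once the domains are registered), and the output path is an arbitrary choice.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory module
# and an account that can read user objects in each forest (the article's scenario
# assumes DNS resolution and AD trusts between the domains are already in place).
Import-Module ActiveDirectory

# Forests from the scenario; the value is passed to -Server so each query is
# directed at a domain controller in that forest.
$Forests = @('GoodmanIndustries.com', 'GoodmanIndustries.co.uk', 'LisaJaneDesigns.co.uk')

# Assumption: domains already registered and verified as Custom Domains in Office 365.
$VerifiedDomains = @('goodmanindustries.com', 'goodmanindustries.co.uk', 'lisajanedesigns.co.uk')

function Get-PrimarySmtpAddress {
    param([string[]]$ProxyAddresses)
    # Exchange marks the primary SMTP address with an upper-case 'SMTP:' prefix;
    # secondary addresses use lower-case 'smtp:'. The comparison is case-sensitive.
    foreach ($address in $ProxyAddresses) {
        if ($address -clike 'SMTP:*') { return $address.Substring(5) }
    }
    return $null
}

$Report = foreach ($forest in $Forests) {
    # Only mail-enabled users matter for the mailbox moves; skip everything else.
    $users = Get-ADUser -Server $forest -Filter 'mail -like "*"' `
        -Properties userPrincipalName, proxyAddresses, mail

    foreach ($user in $users) {
        $upn = $user.UserPrincipalName
        $primarySmtp = Get-PrimarySmtpAddress -ProxyAddresses $user.proxyAddresses
        if (-not $primarySmtp) { $primarySmtp = $user.mail }   # fall back to the mail attribute

        $upnSuffix = if ($upn -and $upn.Contains('@')) { $upn.Split('@')[1].ToLower() } else { $null }

        $issues = @()
        if (-not $upn) {
            $issues += 'NoUPN'
        } elseif ($VerifiedDomains -notcontains $upnSuffix) {
            # A UPN on an unverified domain (e.g. a .local suffix) will not sign in to Office 365.
            $issues += 'UPNSuffixNotVerified'
        }
        # String comparison with -ne is case-insensitive in PowerShell, which is what we want here.
        if ($primarySmtp -and $upn -and ($primarySmtp -ne $upn)) {
            $issues += 'UPNNotEqualPrimarySmtp'
        }

        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                Forest         = $forest
                SamAccountName = $user.SamAccountName
                UPN            = $upn
                PrimarySmtp    = $primarySmtp
                Issues         = ($issues -join ';')
            }
        }
    }
}

# Show the findings and keep a copy for the remediation work in each forest.
$Report | Sort-Object Forest, SamAccountName | Format-Table -AutoSize
$Report | Export-Csv -Path .\upn-remediation.csv -NoTypeInformation
```

Run this from the server that will host Azure AD Sync, since that machine already needs line of sight to all three forests; an empty report means the UPN requirement is satisfied, while anything flagged UPNSuffixNotVerified must be fixed before the first sync, as Azure AD will otherwise substitute the tenant's onmicrosoft.com suffix for those users.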
When the implementation is complete, our multi-forest hybrid deployment will include the two additional servers (Figure 2).
So, we've gone through what a multi-forest hybrid Exchange deployment is and when it should be used. We also detailed our example organization and the high-level design and requirements for multi-forest hybrid setups. What's next?
Our next step will be adding multiple custom domains to Office 365 and implementing the Azure Active Directory Sync Services server. Because common tasks such as object remediation are the same as in a normal Exchange 2013 hybrid implementation, we won't cover them here; instead, the next part of the series will focus on implementing the specific multi-forest components.
About the author:
Steve Goodman is an Exchange MVP and works as a technical architect for one of the U.K.'s leading Microsoft Gold partners. Goodman has worked extensively with Microsoft Exchange since version 5.5 and with Office 365 since its origins in Exchange Labs and Live@EDU.
This is part one of a series about implementing a multi-forest hybrid Exchange setup. In part two, we will begin the implementation of Azure AD Sync Service, which will help us prepare for the multi-forest hybrid configuration.