This is a quick guide to setting up Office 365 according to Microsoft best practice. This is what the setup looks like:
This is what you need:
- Windows Server 2008 R2 for DirSync.
- Windows Server 2008 R2 for ADFS federation. This can be a domain controller.
- Windows Server 2008 R2 for the ADFS federation proxy in the DMZ. This can be an existing IIS server.
- An account to log into these machines. This account needs to be a local admin to be able to install DirSync and ADFS.
- An account that is a member of Enterprise Admins. This account is needed to configure DirSync. A service account, MSOL_AD_SYNC, is created in the Users container.
- An Active Directory service account for ADFS, e.g. ADFS2SVC.
- An SSL certificate for ADFS, e.g. fs.powerkjell.com. This certificate needs to be added to IIS on both the ADFS and the ADFS proxy servers.
- An external DNS record for fs.powerkjell.com pointing at the ADFS proxy. In internal DNS it should point at the internal ADFS server.
Information about setting up DirSync: http://technet.microsoft.com/en-us/library/hh967642.aspx
Read more about SSO with ADFS: http://technet.microsoft.com/en-us/library/hh967628.aspx
- Make sure you have the service account created.
- Make sure you have the SSL certificate available.
- You may need an account with higher privileges when configuring ADFS on the first server, since it creates a container in Active Directory.
- Make sure the DNS records are correct. The ADFS proxy needs to find ADFS at fs.powerkjell.com.
- Run the PowerShell commands to create a trust to Office 365 from ADFS (not from the ADFS proxy).
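As an added example (not from the original post), this is what the last three checklist steps look like in PowerShell, run on the internal AD FS server with the Microsoft Online Services Module for Windows PowerShell installed. It first checks the two things the checklist asks for, that fs.powerkjell.com resolves and that the endpoint presents the certificate you expect, and then creates the trust. The domain name powerkjell.com and the module name MSOnline are assumptions.

```powershell
# Added example, not part of the original post. Run on the AD FS server (not the proxy).
# Assumes the Microsoft Online Services Module for Windows PowerShell (MSOnline) is installed.
Import-Module MSOnline

$FederationServer = 'fs.powerkjell.com'   # federation service name from the post
$Domain           = 'powerkjell.com'      # Office 365 domain to federate (assumed)

# Fetch the certificate the federation endpoint actually presents, so the trust is created
# against the certificate that is really installed in IIS, not the one we think is there.
function Get-EndpointCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback returns $true only so that we can inspect the certificate ourselves below;
        # it is not a reason to trust it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

# 1. DNS: from the internal network fs.* must resolve to the AD FS server, not to the proxy.
$addresses = [System.Net.Dns]::GetHostAddresses($FederationServer) | ForEach-Object { $_.IPAddressToString }
Write-Host "$FederationServer resolves to $($addresses -join ', ')"

# 2. Certificate: the subject must cover the federation service name and must not be expired.
$cert = Get-EndpointCertificate -HostName $FederationServer
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate on $FederationServer expired $($cert.NotAfter)"
}
if ($cert.Subject -notmatch ('CN=' + [regex]::Escape($FederationServer))) {
    throw "Certificate on $FederationServer has subject '$($cert.Subject)', expected CN=$FederationServer"
}
Write-Host "Certificate OK: $($cert.Subject), thumbprint $($cert.Thumbprint), valid to $($cert.NotAfter)"

# 3. Create the trust. Connect-MsolService prompts for a tenant global admin credential;
# Set-MsolADFSContext points the module at the AD FS server whose trust is configured.
Connect-MsolService
Set-MsolADFSContext -Computer $FederationServer
Convert-MsolDomainToFederated -DomainName $Domain

# Show the trust as seen from AD FS and from Office 365; issuer URI and endpoints must agree.
Get-MsolFederationProperty -DomainName $Domain
```

The subject check assumes a certificate issued to the service name itself; adjust it if you use a wildcard or SAN certificate. Convert-MsolDomainToFederated is for a domain that is already verified and in use in the tenant; for a brand-new domain use New-MsolFederatedDomain instead, and after a certificate rollover on the AD FS farm run Update-MsolFederatedDomain so the tenant picks up the new signing certificate.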
According to Microsoft's recommendations you need load-balanced ADFS and ADFS proxy servers, which means there should be at least two on each side.
Upgrading from Live@edu to Office 365 can either be a very simple process or a fairly complicated one. The actual process of upgrading the domain is a three-click procedure where most of the job is done behind the scenes.
To upgrade the domain, follow these three steps: http://www.microsoft.com/liveatedu/upgrade-center/upgrade-center-home.aspx?locale=en-US&country=US
However, you probably have automatic provisioning of accounts and maybe a single sign-on (SSO) solution using a certificate for Live@edu. The Microsoft-recommended way of replacing OLMA for creating accounts is DirSync, but there will be an Office 365 agent for FIM and that is what you really should use. The replacement for SSO is federation, and there are two ways to implement it:
- Active Directory Federation Services (AD FS) 2.0
- Shibboleth Identity Provider (IDP) with SAML 2.0 for Active Directory
You need to plan the implementation of these two features before upgrading the domain. This is best done with a test domain. You can set up both the FIM agent and ADFS federation for the test domain, verify the functionality and then simply switch to production when upgrading the domain. You can follow this checklist or read more about the transition on the Office 365 community.
This checklist is for the Live@edu to Office 365 for education transition, with the FIM agent and single sign-on using federation.
- Create a test domain.
- Add a public domain, such as test.yourdomain.com.
- Configure the FIM agent for the test domain and create a few accounts. Make sure the UPN is the same in your AD as in Office 365 (i.e. the same UPN suffix, e.g. test.yourdomain.com).
- Set up SSO with ADFS or Shibboleth.
- Verify the functionality.
- Upgrade the Live@edu domain.
- Make sure the UPN is correct for the upgraded users, or fix it with PowerShell.
- Switch the FIM agent to the former Live@edu domain.
- Configure the federation for the former Live@edu domain.
- Delete the test domain.
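As an added example (not from the original post), this is the UPN check from the checklist written in PowerShell: it compares the UPN of every Office 365 user with the on-premises AD UPN, matched on the primary mail address that the Live@edu accounts were created from, and can correct the cloud side where that is the right place to fix it. It assumes the MSOnline and ActiveDirectory modules are available; yourdomain.com is a placeholder.

```powershell
# Added example, not part of the original post: find users whose Office 365 UPN does not
# match the on-premises AD UPN after the Live@edu upgrade, and optionally correct the cloud side.
# Assumes the MSOnline and ActiveDirectory modules; the domain name is a placeholder.
Import-Module MSOnline
Import-Module ActiveDirectory

function Get-UpnMismatch {
    param(
        [string]$Domain,          # the former Live@edu domain, e.g. yourdomain.com
        [switch]$FixCloudUpn      # when set, change mismatched cloud UPNs to the AD value
    )

    # Live@edu accounts were keyed by mail address, so index AD users on the mail attribute.
    $onPrem = @{}
    Get-ADUser -Filter "mail -like '*@$Domain'" -Properties mail, UserPrincipalName |
        ForEach-Object { $onPrem[$_.mail.ToLower()] = $_.UserPrincipalName }

    foreach ($user in Get-MsolUser -All) {
        # The primary SMTP address is the proxy address with the upper-case "SMTP:" prefix.
        $primary = $user.ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
        if (-not $primary) { continue }
        $primary = $primary.Substring(5).ToLower()

        if (-not $onPrem.ContainsKey($primary)) {
            New-Object PSObject -Property @{
                CloudUpn = $user.UserPrincipalName; AdUpn = $null
                Action   = 'No AD user with this mail address; the agent will not match it'
            }
            continue
        }

        $adUpn = $onPrem[$primary]
        if ($adUpn -eq $user.UserPrincipalName) { continue }

        if ($adUpn -notlike "*@$Domain") {
            # The AD UPN uses an internal suffix (e.g. ad.local) that Office 365 will not accept,
            # so the fix belongs in AD: add the public UPN suffix and set it on the user.
            $action = 'Fix UPN suffix in AD'
        } elseif ($FixCloudUpn) {
            Set-MsolUserPrincipalName -UserPrincipalName $user.UserPrincipalName -NewUserPrincipalName $adUpn
            $action = 'Cloud UPN changed'
        } else {
            $action = 'Cloud UPN differs; rerun with -FixCloudUpn'
        }
        New-Object PSObject -Property @{ CloudUpn = $user.UserPrincipalName; AdUpn = $adUpn; Action = $action }
    }
}

Connect-MsolService
Get-UpnMismatch -Domain 'yourdomain.com' | Format-Table CloudUpn, AdUpn, Action -AutoSize
```

Run it without -FixCloudUpn first and read the report; the "Fix UPN suffix in AD" rows cannot be repaired from the cloud side at all. Changing the UPN of a user whose domain is already federated is restricted (the UPN has to pass through the tenant's onmicrosoft.com domain first), which is one more reason to do this step before the federation step, as the checklist orders it.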
Most of this information is collected from the Office 365 community, and it is recommended to read the section about single sign-on.
It is possible to use federation between Lync in Office 365 and Lync on premises. There have been several issues discussed on the Office 365 community and Microsoft has a support article to provide help. I will try to describe the DNS record step in more detail, since this seems to be the problem. Basically you need to do the following:
Add an SRV DNS record for Lync federation. According to Microsoft you should add the following:
The problem here is understanding how to add the record. It needs to be added with the name _sipfederationtls._tcp.<DomainName> and the value 100 1 5061 sipfed.online.lync.com, i.e. priority 100, weight 1, port 5061 and target sipfed.online.lync.com. Look at this example:
The record can be tested with this great tool: http://www.testmyoffice365.com/
Also, you need to allow federation for your Office 365 domain. Go to the Office 365 admin portal and click on Lync. Open the domain for external communication, either by allowing all communication or by adding domains to the exception list.
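As an added example (not from the original post), here is the record creation and the verification scripted in PowerShell for the case where the public zone is hosted on a Windows DNS server. dnscmd takes the record name relative to the zone, which is exactly the point made above: the name is _sipfederationtls._tcp and the data is the four values. The zone, server and resolver names are assumptions, and the parsing assumes the output format of Windows nslookup.

```powershell
# Added example, not part of the original post. Adds the Lync federation SRV record on a
# Windows DNS server with dnscmd and checks what an outside resolver returns for it.
# Zone, DNS server and resolver are placeholders; the parsing assumes Windows nslookup output.
$Zone      = 'powerkjell.com'
$DnsServer = 'ns1.powerkjell.com'   # authoritative Windows DNS server for the public zone (assumed)

# The name is given relative to the zone (_sipfederationtls._tcp); the data is "priority weight port target".
# A common mistake is to enter the full name, which produces _sipfederationtls._tcp.powerkjell.com.powerkjell.com.
dnscmd $DnsServer /RecordAdd $Zone _sipfederationtls._tcp SRV 100 1 5061 sipfed.online.lync.com

function Test-LyncFederationSrv {
    param(
        [string]$Domain,
        [string]$Resolver = '8.8.8.8'   # query a public resolver to see what other organisations see
    )
    $expected = @{ priority = '100'; weight = '1'; port = '5061'; target = 'sipfed.online.lync.com' }

    $query = @('-type=SRV', "_sipfederationtls._tcp.$Domain")
    if ($Resolver) { $query += $Resolver }
    $out = & nslookup @query 2>&1 | Out-String

    # Exactly one target is expected; a stray second record makes federation behaviour unpredictable.
    $targets = [regex]::Matches($out, 'svr hostname\s*=\s*(\S+)')
    if ($targets.Count -ne 1) {
        Write-Warning "Found $($targets.Count) SRV records for _sipfederationtls._tcp.$Domain, expected 1"
        return $false
    }

    $found = @{
        priority = [regex]::Match($out, 'priority\s*=\s*(\d+)').Groups[1].Value
        weight   = [regex]::Match($out, 'weight\s*=\s*(\d+)').Groups[1].Value
        port     = [regex]::Match($out, 'port\s*=\s*(\d+)').Groups[1].Value
        target   = $targets[0].Groups[1].Value.TrimEnd('.')
    }

    $ok = $true
    foreach ($field in $expected.Keys) {
        if ($found[$field] -ne $expected[$field]) {
            Write-Warning "${field}: got '$($found[$field])', expected '$($expected[$field])'"
            $ok = $false
        }
    }
    return $ok
}

if (Test-LyncFederationSrv -Domain $Zone) { Write-Host "SRV record for $Zone is correct" }
```

If the public zone is hosted elsewhere, the same split applies in the provider's interface: service _sipfederationtls, protocol _tcp, name left at the zone apex, and the four values as the data. Querying a public resolver rather than your own DNS server matters because the internal server may hold a different view of the zone than the one other organisations see.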