
Office 365 — Common Problems When Planning and Implementing Hybrid Configurations

1. Planning ADFS, NLB and domain controllers



For configurations of up to 1000 users, the official Office 365 help recommends using NLB clusters on the existing domain controllers in order to reduce the number of new servers.

Because the technical writers used the term NLB in the official planning help, a lot of questions arise. It would be more correct to use the abbreviation HLB (hardware load balancer), which would not have caused so many questions on the Office 365 support forums. How would you read this piece of the reference: "for the federation servers, use two existing Active Directory servers. For NLB, configure the NLB server" (I quote the phrases from the original English source). First, NLB is a feature, not a role. Second, if we are talking about WNLB (Windows Network Load Balancing), we cannot use a separate balancing host. Third, anyone who tries to put WNLB on existing domain controllers and set up a cluster will surely run into replication problems. One can only guess why HLB is not stated explicitly here, or at least spelled out.
Further, as I understand it, the paragraph about the ADFS Proxy still speaks about WNLB: "for the federation servers, get two dedicated servers", and then "... NLB host". First, once again, "Install the NLB server": here WNLB is definitely meant, since we are talking about Windows 2008 R2, but again it is a feature, not a role. Second, "configure an existing NLB host": I do not understand how one can configure a separate WNLB server, since WNLB still has to be installed on every server in the cluster.

In short, it is confusing.

What is actually needed? Since many companies have no HLB, in the general case a hybrid for up to 1000 users needs 5 separate servers (3, without NLB, is a minimum that is acceptable only for test configurations). All of them can be virtualized and run Windows Server 2008 R2:

• ADFS (2 servers in an NLB cluster) on the local network
• ADFS Proxy (2 servers in an NLB cluster) in the DMZ
• DirSync (1 server) on the local network

2. After setting up federation, Free/Busy often does not work and Test-FederationTrust does not pass completely.



In particular, the TokenRequest step may fail with the error "Failed to request delegation token".

Solution:

First you google (or bing) for a solution, try one thing after another, and more often than not nothing helps. The simplest way is to re-create the federation from scratch, following the section "Configure federated delegation for a hybrid deployment" in the following instruction.

After this, if you replaced the certificate, Test-FederationTrust reports a certificate validation error (Certificate referenced by property OrgPrivCertificate in the FederationTrust object is expired). What do you think helps? Whatever you guess, you are probably wrong. You have to wait one day (funny as it sounds, three times it was exactly this: the error fixed itself the next day). As I understand it, the server downloads a fresh CRL and the federation starts working.
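Before waiting a day, it is worth checking which certificate the trust actually references, whether that certificate is installed and unexpired on the server you are testing from, and whether its CRL is reachable. The following Exchange Management Shell script is an added example and is not part of the original article; user@domain.com and the export path are placeholders, and the Type values of Test-FederationTrust output are assumed to be "Success" for passed steps.

```powershell
# Added example, not from the original article.
# Inspect the certificate referenced by the federation trust and re-run the test.
$trust = Get-FederationTrust
$thumb = $trust.OrgPrivCertificate
$cert  = Get-ExchangeCertificate -Thumbprint $thumb -ErrorAction SilentlyContinue

if (-not $cert) {
    Write-Warning "Trust references thumbprint $thumb, but no such certificate is installed on this server."
} elseif ($cert.NotAfter -lt (Get-Date)) {
    Write-Warning ("Trust certificate {0} expired on {1}." -f $thumb, $cert.NotAfter)
} else {
    "Trust certificate {0} is valid until {1}." -f $thumb, $cert.NotAfter

    # Export the public part and let certutil fetch the CRL/AIA chain.
    # A stale or unreachable CRL is the symptom that 'fixes itself the next day'.
    $path = Join-Path $env:TEMP 'federation-trust.cer'   # placeholder path
    [IO.File]::WriteAllBytes($path, $cert.Export('Cert'))
    certutil -urlfetch -verify $path | Select-String -Pattern 'CRL|Revocation|ERROR'
}

# A certificate staged for rollover, if any, shows up here.
"Next certificate: {0}" -f $trust.OrgNextPrivCertificate

# Run the full test for a real on-premises user and show only the failed steps.
$result = Test-FederationTrust -UserIdentity user@domain.com -Verbose
$failed = $result | Where-Object { $_.Type -ne 'Success' }   # assumption: passed steps report 'Success'
if ($failed) {
    $failed | Format-Table Id, Type, Message -AutoSize
} else {
    'Test-FederationTrust passed on all steps.'
}
```

If certutil reports that the CRL could not be retrieved, the proxy or firewall in front of the CAS servers is the place to look, rather than the federation configuration itself.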

3. After installing DirSync, the FIM service or the services that depend on it do not start.



This usually happens when DirSync was installed under an account with insufficient privileges.

Solution:

Everything here resembles a SharePoint installation followed by configuration of the User Profile Synchronization service. The FIM service is quite capricious and has to be installed correctly from the very start; otherwise problems cannot be avoided. It is recommended to completely remove all installed components and reinstall from an account with Enterprise Admin rights.
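Before uninstalling, it helps to confirm that the symptom is really the FIM service chain and that the account you are about to reinstall with actually carries the Enterprise Admins group in its token. The script below is an added example, not code from the original article; the service name FIMSynchronizationService and its event log source are assumed from a default DirSync installation, and Enterprise Admins is identified by its well-known RID 519 rather than by a localized group name.

```powershell
# Added example, not from the original article.
# 1. Which FIM services are down, what do they depend on, and what did they log?
$services = @('FIMSynchronizationService')   # assumed service name from a default DirSync install
foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "Service $name is not installed."; continue }
    "{0,-50} {1}" -f $svc.DisplayName, $svc.Status
    if ($svc.Status -ne 'Running') {
        $svc.ServicesDependedOn | ForEach-Object { "  depends on {0,-30} {1}" -f $_.Name, $_.Status }
        # The most recent errors from the service are usually specific about the cause.
        Get-EventLog -LogName Application -Source $name -EntryType Error -Newest 3 -ErrorAction SilentlyContinue |
            Select-Object TimeGenerated, Message
    }
}

# 2. Does the current logon token contain Enterprise Admins (RID 519 of the forest root domain)?
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isEnterpriseAdmin = [bool]($id.Groups | Where-Object { $_.Value -like '*-519' })
"Running as {0}; Enterprise Admin in token: {1}" -f $id.Name, $isEnterpriseAdmin
if (-not $isEnterpriseAdmin) {
    Write-Warning 'Log off and on again after adding the account to Enterprise Admins; group membership is only picked up at logon.'
}
```

Checking the token rather than the group membership in AD matters because an account that was added to Enterprise Admins a minute ago still runs the installer with the old token until it logs on again.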

4. Cloud archive mailboxes of users whose primary mailboxes are on the on-premises server do not open.



This problem only affects Outlook Web App and is diagnosed by an error in the Application log on the CAS servers:
Archive mailbox access failed. User: "Domain\user", Exception: "Microsoft.Exchange.Clients.Owa.Core.OwaArchiveNotAvailableException: Failed to open a mailbox session for the archive mailbox 6c2b44b3-2be3-4043-8a13-d8570cdcb48c ---> Microsoft.Exchange.Data.Storage.MailboxOfflineException: can't access mailbox because it's located on a remote server"

Solution:

Run Get-OrganizationRelationship | fl TargetOWAUrl, ArchiveAccessEnabled
If ArchiveAccessEnabled is False (which is the default), run:
Get-OrganizationRelationship | Set-OrganizationRelationship -ArchiveAccessEnabled $true
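Piping every relationship into Set-OrganizationRelationship also changes relationships with other partner organizations. The following added example (not from the original article) enables archive access only on the relationship that points at the Office 365 tenant, checks that TargetOwaURL is populated, and then verifies the result with Test-OrganizationRelationship; contoso.mail.onmicrosoft.com and user@contoso.com are placeholders.

```powershell
# Added example, not from the original article.
$tenantDomain = 'contoso.mail.onmicrosoft.com'   # placeholder: the tenant's coexistence domain

$rel = Get-OrganizationRelationship |
    Where-Object { ($_.DomainNames | ForEach-Object { "$_" }) -contains $tenantDomain }
if (-not $rel) { throw "No organization relationship contains $tenantDomain" }

$rel | Format-List Name, DomainNames, TargetOwaURL, ArchiveAccessEnabled, Enabled

# Without TargetOwaURL, OWA has nowhere to redirect the archive request to.
if (-not $rel.TargetOwaURL) {
    Write-Warning 'TargetOwaURL is empty: OWA cannot open the cloud archive even with ArchiveAccessEnabled.'
}

if (-not $rel.ArchiveAccessEnabled) {
    Set-OrganizationRelationship -Identity $rel.Identity -ArchiveAccessEnabled $true
}

# Re-read the object and test the relationship for a user who has a cloud archive.
Get-OrganizationRelationship -Identity $rel.Identity | Format-List Name, ArchiveAccessEnabled
Test-OrganizationRelationship -Identity $rel.Identity -UserIdentity user@contoso.com -Verbose
```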


5. Chrome and Firefox cannot sign in through ADFS



Update the browsers to the latest version and follow the recommendations described
here

6. Voice mail does not work after the mailbox is moved to the cloud



The Lync server logs show the error "Failed to route to Exchange Server"; source="<lync front-end>"; dialplan="Hosted__exap.um.outlook.com__domain";

The configuration instructions state that the Organization parameter of the New-CsHostedVoicemailPolicy cmdlet accepts multiple values. But when setting up the policy for Office 365 only one value can be specified in this field, and many people put the primary accepted domain, domain.com, there. This is a mistake.

Solution:

In the New-CsHostedVoicemailPolicy command, the Organization parameter must be set to a service domain of the form service.domain.com or company.onmicrosoft.com that is authoritative for Office 365, not to domain.com.
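The wrong and the corrected policy side by side, as an added example that is not part of the original article. It is run in the Lync Server Management Shell; domain.com stands for the primary SMTP domain, company.onmicrosoft.com for the tenant's service domain, and O365-UM and the user's SIP address are placeholders.

```powershell
# Added example, not from the original article.

# Wrong: Organization set to the primary accepted domain. Lync hands the call to
# exap.um.outlook.com, Exchange Online cannot match the organization, and the
# front-end logs "Failed to route to Exchange Server".
# New-CsHostedVoicemailPolicy -Identity 'O365-UM' -Destination 'exap.um.outlook.com' -Organization 'domain.com'

# Correct: exactly one value, a domain that is authoritative for the tenant in Office 365.
New-CsHostedVoicemailPolicy -Identity 'O365-UM' `
    -Destination 'exap.um.outlook.com' `
    -Organization 'company.onmicrosoft.com' `
    -Description 'Hosted UM in Exchange Online'

# Assign the per-user policy to the moved user and switch them to hosted voice mail.
Grant-CsHostedVoicemailPolicy -Identity 'sip:user@domain.com' -PolicyName 'O365-UM'
Set-CsUser -Identity 'sip:user@domain.com' -HostedVoiceMail $true

# Verify: Organization must show a single service domain. The dial plan name in the
# Lync log ("Hosted__<Destination>__<Organization>") is built from these two values.
Get-CsHostedVoicemailPolicy -Identity 'O365-UM' | Format-List Identity, Destination, Organization
Get-CsUser -Identity 'sip:user@domain.com' | Format-List HostedVoiceMail, HostedVoicemailPolicy
```

If a policy with domain.com already exists, fix it with Set-CsHostedVoicemailPolicy -Identity 'O365-UM' -Organization 'company.onmicrosoft.com' rather than creating a second one.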

7. When creating a request to move a mailbox to the cloud, the error "Exception has been thrown" occurs.



Solution:

1. Check that an Exchange license is assigned to the user.
2. In the first step of the wizard, explicitly specify the credentials of the on-premises Exchange administrator.
3. Check IIS for errors as described in this article.
4. If Exchange is published through TMG, configure Flood Mitigation as described in the following article.

We hope this helped!

Source: https://habr.com/ru/post/143788/
