|
Tab8715 posted:Two question, Depends on the hardware and setup you're running the on prem stuff on. I have a bunch of 2010 Exchange installs running on enterprise hardware with high availability/colo DR and the setup is almost bulletproof. I've seen the opposite though, but it depends on how knowledgeable you are with Exchange, and also Tab8715 posted:On-prem environment with best practices.
|
# ? Apr 16, 2015 21:01 |
|
Tab8715 posted:Two question, if you're a 1,000+ user 501(c)3 then yes
|
# ? Apr 16, 2015 21:30 |
|
I migrated and manage two O365 tenancies and I cannot recommend it enough. Yes, a 2003 Exchange Server is pretty bulletproof, but it is also ancient and modern versions of Outlook won't connect to it. First move was ~800 users from GroupWise 8 to O365 about a year ago, and that ballooned to over 1000 with seasonal work. Second move was a couple of months ago from on-prem 2003 to O365 for about 200 users. Not having to worry about any hardware or software concerns is amazing. We have 2 vm's that do ADFS/DirSync and that is it.
|
# ? Apr 17, 2015 19:05 |
|
mayodreams posted:I migrated and manage two O365 tenancies and I cannot recommend it enough. Yes, a 2003 Exchange Server is pretty bulletproof, but it is also ancient and modern versions of Outlook won't connect to it. When you start poking into the range of thousands of users for O365, does MS entertain negotiation for special pricing / licensing?
|
# ? Apr 17, 2015 19:08 |
|
How is that all configured from a high-level? I'm thinking you have your local AD Server, ADFS with DirSync that's pointed at your office 365 tenant? Or did you include a non-domain ADFS Proxy? How did the initial sync work? Which "Dirsync" tool did you use?
|
# ? Apr 17, 2015 19:17 |
|
Once we finally made our big purchase of Exchange Online Licenses to go from the pilot 15 seats to 800, there was an automatic price break from $4 to $3.88 or so. You can negotiate with MS/Reseller over 250 seats I think. We have two separate AD deployments so I had to create everything discretely. They were also at a very low functional level and it took some work to get it to 2008 R2 levels that are required for ADFS / DirSync on 2008 R2 server. ADFS 3.0 and AAD are better solutions now if you are on 2012 R2, and that is what we are looking to do this year as we made a new AD and are merging the two existing ones in. The current config has one ADFS/DirSync VM that is the landing page for OWA for each domain. We are doing password sync and replicating users in specific OU's via the DirSync/FIM tool. I have 4 extra tenancies due to an option in GroupWise that allowed any alias to respond to any number of domains, and those domains have their own customer service queue. Therefore, having customerservice@contoso.com as the primary mailbox and adding aliases for customerservice@fartspray.com would not work for our workflow.
|
# ? Apr 17, 2015 19:32 |
|
When a user goes to O365 while on the Domain they're automatically logged in, correct? If a user gets their domain password reset does this instantly sync to O365? When a local user is synced, how is the local domain user distinguished between O365? na.contoso.com (local domain) and office 365 (contoso.com)?
|
# ? Apr 17, 2015 20:21 |
|
I haven't gotten SSO to work yet, but that is probably more of a function of the state of our desktop deployments more than anything else. The basic flow for authorization is that the user is prompted for credentials on the ADFS Web Proxy / Server, and if successful, a token is passed to O365 to log them into the account. No passwords go from internal AD to O365 directly. The sync takes your AD objects with some of the key attributes and replicates them in the Azure AD. This is essentially magic and not really visible from the user perspective.

From the admin view, you have two portals: Office 365 and Exchange. I tell people that the Office 365 portal is analogous to ADUC, and that is where you manage users, licensing, and tenancy configuration. Email configuration is in the Exchange Admin Center, where you can do groups, shared mailboxes, distro lists, etc. When you do DirSync, ALL user and synced group configurations must be done in the local AD.

So the process for creating a new mail enabled user is:
1) Create user object in local AD in a synced OU
2) Populate the mail field and open the Attribute Editor and add the necessary aliases in the ProxyAddress field. In our case smtp:username@contoso.com and SMTP:first.last@contoso.com
3) Office 365 by default gives you a username@contoso.onmicrosoft.com alias that you cannot remove. The addition of the SAM and first.last gives our users 3 aliases.
4) After a DirSync (every 3 hours or I can fire one manually) the user is now in the O365 Portal and can be licensed.
5) Apply a license and a mailbox is created after about 5 minutes.
6) User logs in with username and password.
|
# ? Apr 17, 2015 21:49 |
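A pre-sync check for the alias convention in the post above, added here as an example and not part of the original thread: it relies on the Exchange convention that an uppercase `SMTP:` prefix marks the primary address and lowercase `smtp:` marks an alias, and flags users without exactly one primary, malformed entries, and addresses claimed by more than one account. The account names, the addresses, and the input shape (an export of each user's ProxyAddress values, AD attribute `proxyAddresses`) are assumptions.

```python
from collections import defaultdict

# Constructed sample: sAMAccountName -> ProxyAddress values exported from local AD.
SAMPLE = {
    "jdoe":     ["smtp:jdoe@contoso.com", "SMTP:john.doe@contoso.com"],
    "asmith":   ["smtp:asmith@contoso.com", "smtp:alice.smith@contoso.com"],
    "bjones":   ["SMTP:bob.jones@contoso.com", "smtp:JDoe@contoso.com"],
    "cservice": ["SMTP:customerservice@contoso.com", "smtp:customerservice"],
}


def check_proxy_addresses(users):
    """Return a list of (who, problem, detail) findings for a pre-sync review."""
    findings = []
    owners = defaultdict(set)  # lower-cased address -> accounts claiming it
    for sam, values in users.items():
        primaries = []
        for value in values:
            prefix, sep, addr = value.partition(":")
            if sep and prefix.lower() != "smtp":
                continue  # X500:, SIP: and similar are not mail aliases
            local, at, domain = addr.partition("@")
            if not (sep and local and at and domain) or " " in addr:
                findings.append((sam, "malformed", value))
                continue
            if prefix == "SMTP":  # uppercase prefix = primary address
                primaries.append(addr)
            owners[addr.lower()].add(sam)  # addresses compare case-insensitively
        if len(primaries) != 1:
            findings.append((sam, "primary_count", len(primaries)))
    # An address on two accounts makes delivery ambiguous and is rejected
    # as a duplicate when the objects are synced.
    for addr, sams in sorted(owners.items()):
        if len(sams) > 1:
            findings.append((tuple(sorted(sams)), "duplicate", addr))
    return findings


if __name__ == "__main__":
    for finding in check_proxy_addresses(SAMPLE):
        print(finding)
```
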
|
Does that keep a constant sync? If the domain admin reset the user's password is that immediate to O365? I was also under the impression having ADFS On-prem enabled SSO automatically but only to O365.
|
# ? Apr 17, 2015 22:57 |
|
Tab8715 posted:Does that keep a constant sync? If the domain admin reset the user's password is that immediate to O365? If you're using ADFS there is no password sync. Every authentication request is sent to your local AD servers (via ADFS) so once the password is changed locally the user will be able to use the new password immediately in O365. ADFS on prem can allow SSO for some thick clients (outlook/skype for business) if the machine is domain joined. You will always have to authenticate when using a web portal (domain joined IE may be an exception), and depending on client versions some thick clients may also need to authenticate.
|
# ? Apr 17, 2015 23:06 |
|
Will Styles posted:If you're using ADFS there is no password sync. Every authentication request is sent to your local AD servers (via ADFS) so once the password is changed locally the user will be able to use the new password immediately in O365. Yea, there's a password "hash" that's transferred from the on-prem DC to O365 but there aren't any extra steps to enable SSO as your bob@contoso.com logging into a pc that's on the domain contoso.com.
|
# ? Apr 18, 2015 00:10 |
|
Tab8715 posted:Yea, there's a password "hash" that's transferred from the on-prem DC to O365 but there aren't any extra steps to enable SSO as your bob@contoso.com logging into a pc that's on the domain contoso.com. The "hash" is part of the Password Sync Feature of Dirsync. If you're using Password Sync you are not using ADFS, and there are no SSO capabilities available. In this scenario you'd have to wait for the Dirsync tool to synchronize the hashed passwords before a user could use their new passwords in the cloud. I believe by default this happens every 5 minutes, or maybe even 2 minutes. If you are using ADFS, there is no synchronization of passwords, and no hashed passwords stored in the cloud. When a user attempts to authenticate in an implementation that uses ADFS the authentication request is referred to the ADFS servers who authenticate the user against the local domain controllers.
|
# ? Apr 18, 2015 02:01 |
|
Does ProofPoint just not give a poo poo about false positives at all? They've listed an entire /24 that I have a /28 in due to one IP address somewhere else in the /24 spamming and haven't responded to delist requests for over a week. I've had to renumber our edge transport into a different /24 due to these clowns. Anyone else have a fun time with their blacklist?
|
# ? Apr 18, 2015 19:25 |
|
What are you guys using for anti-spam these days with Exchange 2013 for less than 1000 users? We need something to run on the server itself or be a virtual appliance. Our current product has dropped the ball and is just terrible these days.
|
# ? Apr 22, 2015 18:54 |
|
ghostinmyshell posted:What are you guys using for anti-spam these days with Exchange 2013 for less than 1000 users? We need something to run on the server itself or be a virtual appliance. Our current product has dropped the ball and is just terrible these days. You sure it has to be on prem? Mimecast has been wonderful for us.
|
# ? Apr 22, 2015 19:01 |
|
Seconding Mimecast.
|
# ? Apr 22, 2015 19:33 |
|
Mimecast is the best I've used.
|
# ? Apr 22, 2015 19:57 |
|
ghostinmyshell posted:What are you guys using for anti-spam these days with Exchange 2013 for less than 1000 users? We need something to run on the server itself or be a virtual appliance. Our current product has dropped the ball and is just terrible these days. SpamTitan's been pretty great for us on-prem. Pretty much no spam gets through when it's configured properly, and I haven't seen a false positive in years.
|
# ? Apr 22, 2015 20:02 |
|
Mimecast here.
|
# ? Apr 22, 2015 21:39 |
|
When trying to convince suits to switch to Exchange Online vs an onsite Exchange, talk to your accountant about the ability to write off Exchange Online's fee as opposed to having to depreciate hardware and software over 3 to 5 years.
|
# ? Apr 22, 2015 22:27 |
|
Any of you use Mimecast for mail archiving? I need to archive all mail for 7 years and I'm getting sick of storing it locally.
|
# ? Apr 23, 2015 08:23 |
|
Swink posted:Any of you use Mimecast for mail archiving? I need to archive all mail for 7 years and I'm getting sick of storing it locally. Yes, I am. I think I would recommend it.
|
# ? Apr 23, 2015 16:54 |
|
Swink posted:Any of you use Mimecast for mail archiving? I need to archive all mail for 7 years and I'm getting sick of storing it locally.
|
# ? Apr 23, 2015 21:25 |
|
I want to talk to somebody who's running hybrid exchange, with normal-people mailboxes on prem and sharepoint site mailboxes in o365.
|
# ? Apr 24, 2015 13:51 |
|
I don't think you can have Sharepoint mailboxes with O365 unless it's changed.
|
# ? Apr 24, 2015 14:54 |
|
Tab8715 posted:I don't think you can have Sharepoint mailboxes with O365 unless it's changed. You definitely can in pure o365 environment - I have it in at least one place that doesn't have directory integration. If directory integration or hybrid prevents site mailboxes, I am totally cool with that but need to show link to article.
|
# ? Apr 24, 2015 15:11 |
|
A Mimecast rep is asking me how much we currently pay for spam protection. Should I tell him the truth?
|
# ? Apr 29, 2015 22:22 |
|
Papercut posted:A Mimecast rep is asking me how much we currently pay for spam protection. Should I tell him the truth? Tell him the truth minus ~20%
|
# ? Apr 29, 2015 22:23 |
|
Papercut posted:A Mimecast rep is asking me how much we currently pay for spam protection. Should I tell him the truth? Edit: Oh, and Mimecast is 1,000 times better than the shitshow that Postini was. carlcarlson fucked around with this message at 23:35 on Apr 29, 2015 |
# ? Apr 29, 2015 23:33 |
|
LmaoTheKid posted:Tell him the truth minus ~20% This is about what I figured. carlcarlson posted:I managed to get them to lower their quote just by mostly ignoring their sales guy, only responding to tell him how much more it was than what we were currently paying. Took three months from first contact to get the contract signed and the final proposal was 20% cheaper than their first and upgraded support. Yeah that seems like it would work, he was basically like "tell me what you're paying so we can match it" so it sounds like they'll basically charge whatever. Not really worth a ton of time though, we're paying $450 per year currently so it's not worth more than a few hours of my time. e: 20-25 users Papercut fucked around with this message at 05:49 on Apr 30, 2015 |
# ? Apr 30, 2015 05:20 |
|
^ how many users?
|
# ? Apr 30, 2015 05:27 |
|
carlcarlson posted:Oh, and Mimecast is 1,000 times better than the shitshow that Postini was. It really is, and I'm not even using the plugin or any of its crazy "advanced" features. The web interface annoys me sometimes though when I accidentally hit the back button on my mouse and it resets everything.
|
# ? Apr 30, 2015 16:30 |
|
is mimecast msp-friendly
|
# ? May 3, 2015 14:23 |
|
Very https://www.mimecast.com/partners/
|
# ? May 3, 2015 15:47 |
|
cool
|
# ? May 4, 2015 17:05 |
|
So this is sort of interesting. Microsoft will no longer be supporting Exchange databases where eseutil repair has been run. http://blogs.technet.com/b/exchange/archive/2015/05/01/new-support-policy-for-repaired-exchange-databases.aspx quote:In short, Microsoft is changing the support policy for databases that have had a repair operation performed on them. Originally a database was supported if the repair was performed using ESEUTIL and ISINTEG/repair cmdlets. Under the new support policy, any database where the repair count is greater than 0 will need to be evacuated – all mailboxes on such a database will need to be moved to a new database.
|
# ? May 4, 2015 17:11 |
|
makes sense since 9 times out of 10 it is easier/better to just create a new database and migrate, especially if it is on the same server or organization and you're at 2010+ (no interruption for users!)
|
# ? May 4, 2015 17:30 |
|
I've got an external domain that right now we just add as an smtp address to a regular exchange email address and boom we're done. Now the group wants to be able to send as either email address. I'm trying to figure out how to do it with mail contacts, so it all goes to the same inbox and just changes the from field. I'd rather not have to set up two separate accounts/mailboxes etc and have the users monitor all that. Is this possible and is there a good article on setting it up? I'm finding old articles that don't do what I want, or windows 101 what is a mail contact stuff.
|
# ? May 4, 2015 17:56 |
|
Slow is Fast posted:I've got an external domain that right now we just add as an smtp address to a regular exchange email address and boom we're done. I don't think what you're looking to do is possible in the traditional sense if I'm understanding the issue correctly. You might want to look at shared mailboxes, though.
|
# ? May 4, 2015 17:58 |
|
^^ This
Slow is Fast posted:I've got an external domain that right now we just add as an smtp address to a regular exchange email address and boom we're done. You can put together a kluge solution using a distribution list (maybe contact) and give them send as on that object instead or you could create an IMAP profile on their Outlook client and set the email address to whatever you want to essentially spoof the address.
|
# ? May 4, 2015 18:23 |