Office 365 Hybrid Deployment

Continuing my blog series on setting up a Hybrid Office 365 deployment with Exchange 2010 SP2. This part will detail the ADFS and SSO setup.

UAG Setup

So I went with the recommended, actually required, two NIC configuration for UAG, one NIC dedicated to External and one to Internal communications. To properly setup the NICs (in my lab all VMs are in the same VLAN) I had to issue the following commands to set the internal routing using the NIC named ‘Internal’:

Netsh Interface ipv4 add route prefix= "Internal" nexthop= store=persistent

Netsh Interface ipv4 add route prefix= "Internal" nexthop= store=persistent

Netsh Interface ipv4 add route prefix= "Internal" nexthop= store=persistent

The route prefixes indicate internal networks and the Nethop is the gateway.

UAG Getting Started Wizard after Install, this will explain how to setup your UAG for your environment.

This is how my lab environment is setup for UAG:

Great detail huh? J

I have renamed the NICs on my UAG server as Internal and External (I know, I am so clever, maybe I should try to patent this!) A note the in my lab the External NIC has the Default Gateway set as and the Internal has no Default Gateway set. The External also is using an External DNS server,, and the Internal NIC is pointed to my domain DNS.

So to assist me with the complete setup I used the Exchange Deployment Assistant website, Much of the information in this blog series has come from this great tool that Microsoft has made available. I also setup UAG 2010 to publish Exchange 2010 Web Services, and used this guide about Publishing Exchange 2010 with TMG and UAG,

The first step is to install and configure ADFS 2.0

Create an internal DNS entry for the ADFS Service that will point to the ADFS internal server, like FYI I have split DNS setup, which means I have a separate internal and external DNS provider. If you do not have this it will make the implementation a bit more difficult, but can be done. I would recommend that you Bing (hey I’m a Microsoft guy so will not see me use the G word in my blog posts) to find out the differences with a single DNS namespace spared both for internal and external access. The biggest issue you will find is around ADFS for SSO as you will need to probably route all authentication via the ADFS proxy, in my case I am going to utilize Forefront Unified Access Gateway (UAG) for my ADFS proxy. I am also utilizing UAG for publishing the Exchange 2010 on-premises web services, OWA, Outlook Anywhere, ActiveSync, etc.

Create dedicated Service Account for ADFS, Domain account with password never expire, this account does not need any additional privileges within the domain, just a standard domain user.

Obtain a SSL Certificate. My strong recommendation, as the information in the Link will state is to use a Public Certificate Authority, I used to obtain my public Unified Communications(UC)/Subject Alternate Name(SAN) certificate.

Launch ADFSSEtup.exe (download from

Click Next ( so you will see Click Next throughout this and future posts, this really means read everything on the page, but no changes from the default settings are needed, so basically just Click Next!)

Be sure to read the entire EULA (and send me a condensed understanding in under 50 words) and then accept and Click Next

Ensure Federation server is selected and Click Next

Click Next


Click Finish

Install SP1 Hotfix for ADFS 2.0 (download from standard next next next finish J

After the AD FS 2.0 software installation is complete, click Start, then Administrative Tools, and then AD FS 2.0 Management to open the AD FS 2.0 Management snap-in.

Click on the AD FS 2.0 Federation Server Configuration Wizard link

Click Next

Click Next

Ensure the proper Certificate and Federation Service Name is set and Click Next

Set the Service Account (you remember now, the one I told you that was needed to be created earlier in this blog) and Click Next

Click Next


Click Close

Above can be ignored, will be setup later

Verify Configuration

Below verification steps have been taken from:

Procedure 1: To verify that the federation server is operational

  1. Log on to a client computer that is located in the same forest as the federation server.
  2. Open a browser window. In the address bar, type the federation server’s DNS host name, and then append /adfs/fs/federationserverservice.asmx to it for the new federation server; for example:
  4. Press ENTER, and then complete the next procedure on the federation server computer. If you see the message There is a problem with this website’s security certificate, click Continue to this website.

The expected output is a display of XML with the service description document. If this page appears, IIS on the federation server is operational and serving pages successfully.

Procedure 2: To verify that the federation server is operational

  1. Log on to the new federation server as an Administrator.
  2. Click Start, point to Administrative Tools, and then click Event Viewer.
  3. In the details pane, double-click Applications and Services Logs, double-click AD FS 2.0 Eventing, and then click Admin.
  4. In the Event ID column, look for event ID 100. If the federation server is configured properly, you see a new event—in the Application log of Event Viewer—with the event ID 100. This event verifies that the federation server was able to successfully communicate with the Federation Service.


ADFS Proxy, Using UAG this is the site I used to configure ADFS proxy, and really not sure if you can call it proxy as it is more involved than that and more secure, for the internal ADFS service. You can also use the ADFS Proxy role in a DMZ as explained in the help file here:

Create a new Authentication Server, Click……….OK

Create a new UAG Trunk, Click Next

Name the Trunk and apply the public DNS name and External IP address, Click Next

Select the Authentication Provider, Click Next

Select the proper Certificate, Click Next

Click Next

Click Finish

Install the MSOL Powershell Module for Office 365



Click Next

Accept and Click Next

Change if you want but I recommend….. Click Next

Click Install

Click Finish

Add a domain

Taken from

  1. Open the Microsoft Online Services Module.
  2. Run $cred=Get-Credential. When the cmdlet prompts you for credentials, type your Office 365 administration account credentials.
  3. Run Connect-MsolService -Credential $cred. This cmdlet connects you to Office 365. Creating a context that connects you to Office 365 is required before running any of the additional cmdlets installed by the tool.
  4. Run Set-MsolAdfscontext -Computer <AD FS 2.0 primary server>, where <AD FS 2.0 primary server> is the internal FQDN name of the primary AD FS 2.0 server. This cmdlet creates a context that connects you to AD FS 2.0.


If you have installed the Microsoft Online Services Module on the primary AD FS 2.0 server, then you do not need to run this cmdlet.

  1. Run New-MsolFederatedDomain -DomainName <domain>, where <domain> is the domain to be added and enabled for single sign-on. This cmdlet adds the domain.
  2. Using the information provided by the results of the New-MsolFederatedDomain cmdlet, contact your domain registrar to create the required DNS record. This verifies that you own the domain. Note that this may take up to 15 minutes to propagate, depending on your registrar. It can take up to 72 hours for changes to propagate through the system. For more information, see Locate my domain name registrar and Verify a domain at any domain name registrar.
  3. Run New-MsolFederatedDomain a second time, specifying the same domain name to finalize the process.

The above is what the commands from the steps look like for adding a new domain

The above is what the commands look like for converting a domain

Add a Relying Trust in ADFS for UAG

This is only needed if you are using UAG for the ADFS Proxy


I downloaded the UAG Metadata from the UAG Server and then selected the import method, and then I Clicked Next

Name to Relaying party and give some notes and Click Next

Click Next

Click Next at the next screen (sorry missed a screen shot on this one, so shot me!)

Click Close

Click Add Rule…(highlighted button)

Select ‘Pass Through or Filter an Incoming Claim and you guessed it, Click Next

Name the rule and choose the same Claim Type and Click Next

Click Apply


DIR SYNC Install and Setup


Below steps are detailed here to enable Directory Sync in your Office 365 Enviornment,

Enable DirSync from Portal\Users\Active Directory Sync Setup Item #3 Activate


Download from the Portal\Users\Active Directory Sync Setup link

Choose the appropriate version and download

Click Next

Click Next after accepting and reading the complete EULA!

Change at your own RISK and then Click Next

You’ll wait awhile for this then………… Click Next

Click Finish

You guessed it, Click Next

Enter your Admin Credentials for Office 365 (will blog later about setting this password to not expire, but not tonight!) then Click Next

Enter Credentials for your On-premises AD, the account needs to have Enterprise Admin privileges but can be deleted after the completion of the setup as a new account is created to run the sync, Click Next

Click Next

Waiting…..listen to some music, take a break, walk outside, etc…..

Yep… Click Next

Click Finish

Click Ok

Check the DirSync server to ensure the sync completed successfully


Best testing site is

Please check back for Part 3 about the SP2 Hybrid Wizard in Exchange 2010!