SharePoint 2013 hybrid end-to-end

Uploaded On 2016-11-02



Presentation Transcript

Slide1
Slide2

SharePoint 2013 hybrid end-to-end

Sam Hassani
Principal Consultant
BrightStarr

SPC339

Slide3

Introductions…

Who am I?
Principal Consultant at BrightStarr
Microsoft Certified Master: SharePoint 2010
Microsoft Certified Solutions Master: SharePoint
SharePoint 2013 Beta Engineer

Contact details
Twitter: @samhassa
Email: sam.hassani@brightstarr.com
Web: www.brightstarr.com
Web: www.samhassani.com
Yammer: Operations and Management Group

Slide4

Hybrid at SPC

Slide5

Agenda

Why Hybrid?
Configuring Hybrid
Identity Management
Choosing a Hybrid Topology
SharePoint Configuration
Hybrid Challenges
Resources
Questions

Slide6

Why Hybrid?

Slide7

Benefit from the latest and greatest
Focus on the core business and easily scale up and down
SharePoint Online is attractive
More easily collaborate with external partners

Slide8

SharePoint Online has limitations

Existing investments with lots of data and customizations

But my business runs on premises

Protect sensitive data

Slide9

“Leverage the strengths of both parts while minimizing the components’ weaknesses”

Slide10

A Hybrid Deployment

Slide11

Get started in the cloud

Migrate existing workloads in a phased approach

Supplement cloud environments
Rapid provisioning of new workloads
Common Hybrid Scenarios

Slide12

SharePoint Hybrid Options

Search
Get Search Results in SharePoint On-Premises or in SharePoint Online from the SharePoint On-Premises or SharePoint Online search indexes

Business Connectivity Services (BCS)
Enable a SharePoint Online site collection to work with data in an on-premises OData service

Duet Enterprise Online
Enable SharePoint Online users to perform both read and write operations against an on-premises SAP system.

Identity Management
Provide a single identity and single sign on experience

Slide13

Results from the Cloud

Results from On Premises

Slide14

Identity Management

Cloud Identity
Single identity in the cloud
Windows Azure Active Directory

Directory Synchronization
On-Premises Identity
Dirsync & Password Sync
Single identity
Windows Azure Active Directory

Federated Identity (SSO)
On-Premises Identity
Federation
Directory Sync
Single federated identity
Windows Azure Active Directory

Slide15

Configuring Hybrid

Slide16

Directory synchronization

Synchronization of objects from on-premises AD to Azure AD
Limited to 50,000 objects; can be increased by engaging Microsoft
Synchronization occurs every 3 hours by default; can be initiated manually
Can filter based on OU, Domain or User Attribute
This is a requirement for SharePoint Hybrid scenarios, including Search
When a user issues a query from on-premises to SP Online, SP Online must rehydrate the user's identity
The rehydration process looks up attributes in the SP Online profile store
If no profile or multiple profiles exist, the query will fail rather than returning security-trimmed results

Slide17

Add on-premises domain to Office 365

Determine and register public domain name
Add domain in Office 365
Provide name
Create verification record with DNS hosting provider
Verify domain name ownership

Slide18

Activate Directory Synchronization

Activate Active Directory Synchronization for your Office 365 Tenant

Slide19

Configure Directory Synchronization

Download and install DirSync tool on a member server in on-premises environment

Slide20

Configure Directory Synchronization

Run DirSync tool on server where installed

Slide21

Configure SSO

Prepare Active Directory
Windows Server 2003 R2 functional level at a minimum
UPNs are correctly set (if public domain differs from corporate domain name)
Deploy ADFS 2.0
Install Microsoft Online Services Sign in Assistant and Windows Azure AD PowerShell Modules
Set up a trust between ADFS and Windows Azure AD
Connect-MsolService
Set-MsolADFSContext
Convert-MsolDomainToFederated -DomainName <domain>

Slide22
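For the "Prepare Active Directory" step of Configure SSO, one way to audit UPNs before directory synchronization and Convert-MsolDomainToFederated. This is an added example, not code from the original deck. The function name Test-UpnForFederation, the sample accounts, the corp.local suffix and the use of hassanionprem.com as the verified domain are assumptions, and the duplicate-UPN check goes beyond what the slide states.

```powershell
# Added example, not from the original deck. Flags accounts whose UPN would
# not map cleanly to a verified Office 365 domain.
function Test-UpnForFederation {
    [CmdletBinding()]
    param(
        # Any object exposing SamAccountName and UserPrincipalName,
        # e.g. the output of Get-ADUser -Filter * (ActiveDirectory module).
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$User,
        # Domains already verified in the Office 365 tenant (assumed input).
        [Parameter(Mandatory = $true)]
        [string[]]$VerifiedDomain
    )
    begin { $seen = @{} }   # lower-cased UPN -> first account seen with it
    process {
        $upn = [string]$User.UserPrincipalName
        $problem = $null
        if ([string]::IsNullOrWhiteSpace($upn)) {
            $problem = 'MissingUpn'
        }
        elseif ($upn -match '^[^@\s]+@([^@\s]+)$') {
            $key = $upn.ToLowerInvariant()
            # -notcontains compares strings case-insensitively
            if ($VerifiedDomain -notcontains $Matches[1]) { $problem = 'SuffixNotVerified' }
            elseif ($seen.ContainsKey($key)) { $problem = "DuplicateOf:$($seen[$key])" }
            else { $seen[$key] = $User.SamAccountName }
        }
        else {
            $problem = 'MalformedUpn'
        }
        if ($problem) {
            [pscustomobject]@{
                SamAccountName    = $User.SamAccountName
                UserPrincipalName = $upn
                Problem           = $problem
            }
        }
    }
}

# Constructed sample accounts (not real directory data).
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice';  UserPrincipalName = 'alice@hassanionprem.com' }
    [pscustomobject]@{ SamAccountName = 'bob';    UserPrincipalName = 'bob@corp.local' }
    [pscustomobject]@{ SamAccountName = 'carol';  UserPrincipalName = $null }
    [pscustomobject]@{ SamAccountName = 'alice2'; UserPrincipalName = 'ALICE@hassanionprem.com' }
)
$sample | Test-UpnForFederation -VerifiedDomain 'hassanionprem.com'
```

Against a live directory, pipe `Get-ADUser -Filter *` into the function instead of `$sample`; an empty result means every account has a unique UPN under a verified suffix.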

Demo Environment

Slide23

Demo

DirSync and SSO with Office 365

Slide24

One-way outbound topology

Slide25

One-way inbound topology

Slide26

Two-way bi-directional topology

Slide27

Reverse Proxy Device options

Only required for ‘Inbound’ Hybrid topology
e.g. Users issuing queries from a Search Center in SharePoint Online attempting to retrieve search results from an on-premises farm

Reverse Proxy Device Requirements
Support client certificate authentication with a wildcard or SAN SSL certificate
Support pass-through authentication for OAuth 2.0
Accept unsolicited inbound traffic on TCP port 443 (HTTPS)
Bind a wildcard or SAN SSL certificate to a published endpoint
Relay traffic to an on-premises SharePoint 2013 farm without rewriting any packet headers

Supported Reverse Proxy Devices
Forefront Threat Management Gateway (TMG) 2010
Windows Server 2012 R2 with Web Application Proxy (WAP)
F5 BIG-IP

Slide28

Configure SharePoint Environment

Ensure SharePoint services are started and configured
User Profile Service
App Management Service
Subscription Settings Service

Establish a trust relationship between on-premises farm and SharePoint Online (S2S authentication)
Create a new STS certificate, replace in on-premises farm and upload to SharePoint Online
Register the on-premises STS as a service principal in Office 365
Establish a trust between on-premises farm and Windows Azure AD

Publish SharePoint web applications through reverse-proxy device

Slide29

Configure server-to-server (S2S) authentication

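# Load the new on-premises STS certificate (public key only) and base64-encode it
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cer.Import("C:\SelfSignedSTS.cer")
$binCert = $cer.GetRawCertData()
$credValue = [System.Convert]::ToBase64String($binCert)

# SharePoint Online application principal ID (the GUID before the @ in the nameIdentifier below)
$spoappid = "00000003-0000-0ff1-ce00-000000000000"

# Upload the certificate as a verification credential on the SharePoint Online service principal
New-MsolServicePrincipalCredential -AppPrincipalId $spoappid -Type asymmetric -Usage Verify -Value $credValue -StartDate $cer.GetEffectiveDateString() -EndDate $cer.GetExpirationDateString()

# Add the on-premises domain to the principal's service principal names
$SharePoint = Get-MsolServicePrincipal -AppPrincipalId $spoappid
$spns = $SharePoint.ServicePrincipalNames
$spns.Add("$spoappid/*.hassanionprem.com")
Set-MsolServicePrincipal -AppPrincipalId $spoappid -ServicePrincipalNames $spns

# Register SharePoint Online as an app principal in the on-premises farm and set the realm to the tenant ID
$site = Get-SPSite "https://intranet.hassanionprem.com"
$appPrincipal = Register-SPAppPrincipal -site $site.rootweb -nameIdentifier "00000003-0000-0ff1-ce00-000000000000@bce49a51-dea4-44c3-8da0-0af70dbd186a" -displayName "SharePoint Online"
Set-SPAuthenticationRealm -realm bce49a51-dea4-44c3-8da0-0af70dbd186a

# Create the ACS proxy and trust ACS as a security token issuer
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri "https://accounts.accesscontrol.windows.net/bce49a51-dea4-44c3-8da0-0af70dbd186a/metadata/json/1" -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://accounts.accesscontrol.windows.net/bce49a51-dea4-44c3-8da0-0af70dbd186a/metadata/json/1" -IsTrustBroker -Name "ACS"

Slide30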

Configure SharePoint For Hybrid Search

Configure result source
In this case as a remote SharePoint index
URL of remote location
Secure Store (for client certificate authentication)*

Configure Query rule to show remote results
Choose context of Query rule
Can add a condition or fire on any query text
Determine search vertical e.g. Results block, promoted result
Ensure results block points to a specific results source (remote index)

Slide31

Demo

Search Hybrid User Experience and Configuration

Slide32

Hybrid Challenges

Slide33

Handling the Social experience

Application Lifecycle Management

User Experience and Transitions

Business Continuity Management and Operations

Hybrid Challenges

Slide34

Handling the Social Experience

Users work in sites in both SharePoint On-premises and SharePoint Online
E.g. Intranet On-premises, and Project/Collaboration sites Online
Which social experience should users be presented with?
Editing Profile?
Newsfeed?
OneDrive for Business?

Slide35

Demo

Consistent Social Experience in a Hybrid Environment

Slide36

Handling the Social Experience

Users work in sites in both SharePoint On-premises and SharePoint Online
E.g. Intranet On-premises, and Project/Collaboration sites Online
Which social experience should users be presented with?
Editing Profile?
Newsfeed?
SkyDrive Pro?
What about the rest of the social experience?
@mentions, tags, notes, following, commenting capability are stored in social/content databases
No way out of the box to replicate this information

Slide37

Application Lifecycle Management

Rapid, incremental updates to SharePoint Online
Testing is important
Invest in test and development automation
Automated nightly builds
Automation involves site and content recreation, solution deployment, managed property creation, etc.
Only one test tenant per AD??
You can use multiple dirsync servers syncing to each unique tenant
You cannot sync the same objects into different tenants – use dirsync filtering

Slide38

BCM and Operations

Operations don’t stop because services are in the cloud
How do you integrate Online operations and support with your own?
IT Operations to consider:
Monitoring and Alerting
Support Desks
Backup and Restore
Service Level Agreements

Slide39

User Experience and Transitions

Slide40

Final Thoughts

Hybrid allows you to move to the cloud on your own terms
Hybrid is not the answer to every business requirement
Understand the strengths and weaknesses of Hybrid
Plan a phased transition of appropriate workloads to the cloud

Slide41

Resources

Hybrid for SharePoint Server 2013: http://technet.microsoft.com/en-us/library/jj838715.aspx
Windows Azure AD PowerShell: http://technet.microsoft.com/en-us/library/jj151815.aspx
Office 365 Communities and Wikis: http://community.office365.com/en-us/default.aspx
Your Community

Slide42

MySPC
Sponsored by
connect. reimagine. transform.
Evaluate sessions on MySPC using your laptop or mobile device: myspc.sharepointconference.com

Slide43

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.