AGREEMENT FOR PROFESSIONAL SERVICES FOR OFFICE 365 SYSTEM IMPLEMENTATION This Agreement is made and entered into this/3'Al day of June, 2016, by and between the CITY OF SAN RAFAEL (hereinafter "CITY"), and Tangent Computer, Inc. (hereinafter "CONTRACTOR"). RECITALS WHEREAS, CITY requires technical consulting services to migrate its current Microsoft Exchange email environment to a new Microsoft Office 365 environment, and lacks the resources and skills necessary to complete this project on its own; and WHEREAS, CONTRACTOR has the experience and skills necessary to provide technical consulting services for the implementation of an Office 365 migration project; AGREEMENT NOW, THEREFORE, the parties hereby agree as follows: 1. PROJECT COORDINATION. A. CITY'S Project Manager. The CITY's IT Manager is hereby designated the PROJECT MANAGER for the CITY, and said PROJECT MANAGER shall supervise all aspects of the progress and execution of this Agreement. B. CONTRACTOR'S Project Director. CONTRACTOR shall assign a single PROJECT DIRECTOR to have overall responsibility for the progress and execution of this Agreement for CONTRACTOR. Chris Lee is hereby designated as the PROJECT DIRECTOR for CONTRACTOR. Should circumstances or conditions subsequent to the execution of this Agreement require a substitute PROJECT DIRECTOR, for any reason, the CONTRACTOR shall notify the CITY within ten (10) business days of the substitution. 2. DUTIES OF CONTRACTOR. CONTRACTOR shall perform the duties and/or provide services as follows: A. Lead the project team in performing the tasks described in the Exchange Migration Plan, dated June 3, 2016, attached as Exhibit A hereto. B. Provide one year of post sales (gold) support for any issues identified after the completion of the planned email migration project. Gold support includes: • Dedicated access to a support engineer. • 1:1 Administrator training.
Tier 3 Microsoft support escalation to a Microsoft Engineer. Full management of Office 365 tenant. C. Provide software licensing as needed to support the migration of Exchange public folders to Office 365 shared mailboxes. D. Provide other related services as needed to complete the implementation and/or assist the CITY with its initial use of Office 365. 3. DUTIES OF CITY. CITY will provide access to CITY computer systems as needed to complete the project and space at CITY facilities as necessary for CONTRACTOR to perform the required services, and will pay the compensation to CONTRACTOR as provided in Paragraph 4. 4. COMPENSATION. For the full performance of the services described herein, CITY shall pay CONTRACTOR at the unit prices described in CONTRACTOR's quote dated May 31, 2016, attached as Exhibit B hereto. The specification of the number of public folders and any change in the number of labor hours contained in Exhibit B shall be agreed upon in writing by the parties, as approved by the CITY PROJECT MANAGER, provided that the total amount paid to CONTRACTOR for its services and expenses under this Agreement will not exceed $10,000.00. Payment will be made monthly upon receipt by PROJECT MANAGER of itemized invoices submitted by CONTRACTOR. 5. TERM OF AGREEMENT. The term of this Agreement shall commence on the date first hereinabove written, and shall end upon completion of the one year period of Gold support services as provided in Paragraph 2(B) above. Upon mutual agreement of the parties, and subject to the approval of the City Manager the term of this Agreement may be extended for an additional period of up to 12 months, on the same terms as provided herein. 6. TERMINATION. A. Discretionary. Either party may terminate this Agreement without cause upon thirty (30) days written notice mailed or personally delivered to the other party. B. Cause. 
Either party may terminate this Agreement for cause upon fifteen (15) days written notice mailed or personally delivered to the other party, and the notified party's failure to cure or correct the cause of the termination, to the reasonable satisfaction of the party giving such notice, within such fifteen (15) day time period. C. Effect of Termination. Upon receipt of notice of termination, neither party shall incur additional obligations under any provision of this Agreement without the prior written consent of the other. D. Return of Documents. Upon termination, any and all CITY documents or materials provided to CONTRACTOR and any and all of CONTRACTOR's documents and materials prepared for or relating to the performance of its duties under this Agreement, shall be delivered to CITY as soon as possible, but not later than thirty (30) days after termination. 7. OWNERSHIP OF DOCUMENTS. The written documents and materials prepared by the CONTRACTOR in connection with the performance of its duties under this Agreement, shall be the sole property of CITY. CITY may use said property for any purpose, including projects not contemplated by this Agreement. 8. INSPECTION AND AUDIT. Upon reasonable notice, CONTRACTOR shall make available to CITY, or its agent, for inspection and audit, all documents and materials maintained by CONTRACTOR in connection with its performance of its duties under this Agreement. CONTRACTOR shall fully cooperate with CITY or its agent in any such audit or inspection. 9. ASSIGNABILITY. The parties agree that they shall not assign or transfer any interest in this Agreement nor the performance of any of their respective obligations hereunder, without the prior written consent of the other party, and any attempt to so assign this Agreement or any rights, duties or obligations arising hereunder shall be void and of no effect. 10. INSURANCE. A. Scope of Coverage. 
During the term of this Agreement, CONTRACTOR shall maintain, at no expense to CITY, the following insurance policies: 1. A commercial general liability insurance policy in the minimum amount of one million dollars ($1,000,000) per occurrence/two million dollars ($2,000,000) aggregate, for death, bodily injury, personal injury, or property damage. 2. An automobile liability (owned, non -owned, and hired vehicles) insurance policy in the minimum amount of one million dollars ($1,000,000) dollars per occurrence. 3. If any licensed professional performs any of the services required to be performed under this Agreement, a professional liability insurance policy in the minimum amount of two million dollars ($2,000,000) per occurrence/four million dollars ($4,000,000) aggregate, to cover any claims arising out of the CONTRACTOR's performance of services under this Agreement. Where CONTRACTOR is a professional not required to have a professional license, CITY reserves the right to require CONTRACTOR to provide professional liability insurance pursuant to this section. 4. If it employs any person, CONTRACTOR shall maintain worker's compensation and employer's liability insurance, as required by the State Labor Code and other applicable laws and regulations, and as necessary to protect both CONTRACTOR and CITY against all liability for injuries to CONTRACTOR's officers and employees. CONTRACTOR'S worker's compensation insurance shall be specifically endorsed to waive any right of subrogation against CITY. B. Other Insurance Requirements. The insurance coverage required of the CONTRACTOR in subparagraph A of this section above shall also meet the following requirements: 1. Except for professional liability insurance, the insurance policies shall be specifically endorsed to include the CITY, its officers, agents, employees, and volunteers, as additionally named insureds under the policies. 2. 
The additional insured coverage under CONTRACTOR'S insurance policies shall be primary with respect to any insurance or coverage maintained by CITY and shall not call upon CITY's insurance or self-insurance coverage for any contribution. The "primary and noncontributory" coverage in CONTRACTOR'S policies shall be at least as broad as ISO form CG20 0104 13. 3. Except for professional liability insurance, the insurance policies shall include, in their text or by endorsement, coverage for contractual liability and personal injury. 4. The insurance policies shall be specifically endorsed to provide that the insurance carrier shall not cancel, terminate or otherwise modify the terms and conditions of said insurance policies except upon ten (10) days written notice to the PROJECT MANAGER. 5. If the insurance is written on a Claims Made Form, then, following termination of this Agreement, said insurance coverage shall survive for a period of not less than five years. 6. The insurance policies shall provide for a retroactive date of placement coinciding with the effective date of this Agreement. 7. The limits of insurance required in this Agreement may be satisfied by a combination of primary and umbrella or excess insurance. Any umbrella or excess insurance shall contain or be endorsed to contain a provision that such coverage shall also apply on a primary and noncontributory basis for the benefit of CITY (if agreed to in a written contract or agreement) before CITY'S own insurance or self-insurance shall be called upon to protect it as a named insured. 8. It shall be a requirement under this Agreement that any available insurance proceeds broader than or in excess of the specified minimum insurance coverage requirements and/or limits shall be available to CITY or any other additional insured party. 
Furthermore, the requirements for coverage and limits shall be: (1) the minimum coverage and limits specified in this Agreement; or (2) the broader coverage and maximum limits of coverage of any insurance policy or proceeds available to the named insured; whichever is greater. C. Deductibles and SIR's. Any deductibles or self-insured retentions in CONTRACTOR's insurance policies must be declared to and approved by the PROJECT MANAGER and City Attorney, and shall not reduce the limits of liability. Policies containing any self-insured retention (SIR) provision shall provide or be endorsed to provide that the SIR may be satisfied by either the named insured or CITY or other additional insured party. At CITY's option, the deductibles or self-insured retentions with respect to CITY shall be reduced or eliminated to CITY's satisfaction, or CONTRACTOR shall procure a bond guaranteeing payment of losses and related investigations, claims administration, attorney's fees and defense expenses. D. Proof of Insurance. CONTRACTOR shall provide to the PROJECT MANAGER or CITY'S City Attorney all of the following: (1) Certificates of Insurance evidencing the insurance coverage required in this Agreement; (2) a copy of the policy declaration page and/or endorsement page listing all policy endorsements for the commercial general liability policy, and (3) excerpts of policy language or specific endorsements evidencing the other insurance requirements set forth in this Agreement. CITY reserves the right to obtain a full certified copy of any insurance policy and endorsements from CONTRACTOR. Failure to exercise this right shall not constitute a waiver of the right to exercise it later. The insurance shall be approved as to form and sufficiency by PROJECT MANAGER and the City Attorney. 11. INDEMNIFICATION. A. 
Except as otherwise provided in Paragraph B., CONTRACTOR shall, to the fullest extent permitted by law, indemnify, release, defend with counsel approved by CITY, and hold harmless CITY, its officers, agents, employees and volunteers (collectively, the "City Indemnitees"), from and against any claim, demand, suit, judgment, loss, liability or expense of any kind, including but not limited to attorney's fees, expert fees and all other costs and fees of litigation, (collectively "CLAIMS"), arising out of CONTRACTOR'S performance of its obligations or conduct of its operations under this Agreement. The CONTRACTOR's obligations apply regardless of whether or not a liability is caused or contributed to by the active or passive negligence of the City Indemnitees. However, to the extent that liability is caused by the active negligence or willful misconduct of the City Indemnitees, the CONTRACTOR's indemnification obligation shall be reduced in proportion to the City Indemnitees' share of liability for the active negligence or willful misconduct. In addition, the acceptance or approval of the CONTRACTOR's work or work product by the CITY or any of its directors, officers or employees shall not relieve or reduce the CONTRACTOR's indemnification obligations. In the event the City Indemnitees are made a party to any action, lawsuit, or other adversarial proceeding arising from CONTRACTOR'S performance of or operations under this Agreement, CONTRACTOR shall provide a defense to the City Indemnitees or at CITY'S option reimburse the City Indemnitees their costs of defense, including reasonable attorneys' fees, incurred in defense of such claims. B. 
Where the services to be provided by CONTRACTOR under this Agreement are design professional services to be performed by a design professional as that term is defined under Civil Code Section 2782.8, CONTRACTOR shall, to the fullest extent permitted by law, indemnify, release, defend and hold harmless the City Indemnitees from and against any CLAIMS that arise out of, pertain to, or relate to the negligence, recklessness, or willful misconduct of CONTRACTOR in the performance of its duties and obligations under this Agreement or its failure to comply with any of its obligations contained in this Agreement, except such CLAIM which is caused by the sole negligence or willful misconduct of CITY. C. The defense and indemnification obligations of this Agreement are undertaken in addition to, and shall not in any way be limited by, the insurance obligations contained in this Agreement, and shall survive the termination or completion of this Agreement for the full period of time allowed by law. 12. NONDISCRIMINATION. CONTRACTOR shall not discriminate, in any way, against any person on the basis of age, sex, race, color, religion, ancestry, national origin or disability in connection with or related to the performance of its duties and obligations under this Agreement. 13. COMPLIANCE WITH ALL LAWS. CONTRACTOR shall observe and comply with all applicable federal, state and local laws, ordinances, codes and regulations, in the performance of its duties and obligations under this Agreement. CONTRACTOR shall perform all services under this Agreement in accordance with these laws, ordinances, codes and regulations. CONTRACTOR shall release, defend, indemnify and hold harmless CITY, its officers, agents and employees from any and all damages, liabilities, penalties, fines and all other consequences from any noncompliance or violation of any laws, ordinances, codes or regulations. 14. NO THIRD PARTY BENEFICIARIES. 
CITY and CONTRACTOR do not intend, by any provision of this Agreement, to create in any third party, any benefit or right owed by one party, under the terms and conditions of this Agreement, to the other party. 15. NOTICES. All notices and other communications required or permitted to be given under this Agreement, including any notice of change of address, shall be in writing and given by personal delivery, or deposited with the United States Postal Service, postage prepaid, addressed to the parties intended to be notified. Notice shall be deemed given as of the date of personal delivery, or if mailed, upon the date of deposit with the United States Postal Service. Notice shall be given as follows: TO CITY's Project Manager: Gus Bush, City of San Rafael, 1400 Fifth Avenue, San Rafael, CA 94915-1560. TO CONTRACTOR's Project Director: Chris Lee, Tangent Computer, Inc., 191 Airport Blvd, Burlingame, CA 94010. 16. INDEPENDENT CONTRACTOR. For the purposes, and for the duration, of this Agreement, CONTRACTOR, its officers, agents and employees shall act in the capacity of an Independent Contractor, and not as employees of the CITY. CONTRACTOR and CITY expressly intend and agree that the status of CONTRACTOR, its officers, agents and employees be that of an Independent Contractor and not that of an employee of CITY. 17. ENTIRE AGREEMENT -- AMENDMENTS. A. The terms and conditions of this Agreement, all exhibits attached, and all documents expressly incorporated by reference, represent the entire Agreement of the parties with respect to the subject matter of this Agreement. B. This written Agreement shall supersede any and all prior agreements, oral or written, regarding the subject matter between the CONTRACTOR and the CITY. C. No other agreement, promise or statement, written or oral, relating to the subject matter of this Agreement, shall be valid or binding, except by way of a written amendment to this Agreement. D.
The terms and conditions of this Agreement shall not be altered or modified except by a written amendment to this Agreement signed by the CONTRACTOR and the CITY. E. If any conflicts arise between the terms and conditions of this Agreement, and the terms and conditions of the attached exhibits or the documents expressly incorporated by reference, the terms and conditions of this Agreement shall control. 18. SET-OFF AGAINST DEBTS. CONTRACTOR agrees that CITY may deduct from any payment due to CONTRACTOR under this Agreement, any monies which CONTRACTOR owes CITY under any ordinance, agreement, contract or resolution for any unpaid taxes, fees, licenses, assessments, unpaid checks or other amounts. 19. WAIVERS. The waiver by either party of any breach or violation of any term, covenant or condition of this Agreement, or of any ordinance, law or regulation, shall not be deemed to be a waiver of any other term, covenant, condition, ordinance, law or regulation, or of any subsequent breach or violation of the same or other term, covenant, condition, ordinance, law or regulation. The subsequent acceptance by either party of any fee, performance, or other consideration which may become due or owing under this Agreement, shall not be deemed to be a waiver of any preceding breach or violation by the other party of any term, condition, covenant of this Agreement or any applicable law, ordinance or regulation. 20. COSTS AND ATTORNEY'S FEES. The prevailing party in any action brought to enforce the terms and conditions of this Agreement, or arising out of the performance of this Agreement, may recover its reasonable costs (including claims administration) and attorney's fees expended in connection with such action. 21. CITY BUSINESS LICENSE / OTHER TAXES. 
CONTRACTOR shall obtain and maintain during the duration of this Agreement, a CITY business license as required by the San Rafael Municipal Code. CONTRACTOR shall pay any and all state and federal taxes and any other applicable taxes. CITY shall not be required to pay for any work performed under this Agreement, until CONTRACTOR has provided CITY with a completed Internal Revenue Service Form W-9 (Request for Taxpayer Identification Number and Certification). 22. APPLICABLE LAW. The laws of the State of California shall govern this Agreement. IN WITNESS WHEREOF, the parties have executed this Agreement as of the day, month and year first above written. CITY OF SAN RAFAEL: JIM SCHUTZ, City Manager. TANGENT COMPUTER, INC.: By: [illegible] Printed Name: [illegible] Title: [illegible]. ATTEST: ESTHER C. BEIRNE, City Clerk. APPROVED AS TO FORM: ROBERT F. EPSTEIN, City Attorney. By: [illegible] Printed Name: [illegible] Title: [illegible].

EXCHANGE MIGRATION PLAN
Prepared for City of San Rafael
Last updated on June 3 2015

Environment Checklist

Description:
Exchange Active Directory forest root
Exchange Domain Functional Level
Exchange Forest Functional Level
Internal Exchange 2003 server host name
External Exchange 2003 server FQDN
Proposed internal Exchange 2010 SP3 server host name (contains Mailbox, Client Access, and Hub Transport server roles)
Proposed external Exchange 2010 SP3 server FQDN
Primary SMTP namespace
Other SMTP namespace
User principal name domain
Microsoft Online ID domain
Proposed Internal Active Directory synchronization server host name
On-premises Autodiscover FQDN
Service tenant FQDN
Note: You can only choose the subdomain portion of this FQDN. The domain portion must be "onmicrosoft.com".
Example value in checklist / Value in your organization:
corp.contoso.com CityofSanRafael.org City.CityofSanRafael.org 2003 2003 2003 2003 SREX.cityofsanrafael.org (dedicated EX2003 NIC) SREX.city.cityofsanrafael.org (dedicated NIC) mail.contoso.com Webmail.cityofsanrafael.org EX2010 SREX2010 hybrid.contoso.com Hybrid.cityofsanrafael.org contoso.com CityofSanRafael.org fabricam.org SRPD.org CityofSanRafael.org contoso.com SRPD.org ci.san-rafael.ca.us DirSync SREX2010 autodiscover.contoso.com Autodiscover.CityofSanRafael.org Autodiscover.SRPD.org contoso.onmicrosoft.com Cityofsanrafael.onmicrosoft.com
Mailboxes: 765 (See Appendix A)
Corporate Active Directory forest root: Contoso.local City.local

Migration Plan | City of San Rafael 3

Estimated Timeline (May 30 2016 to July 11 2016)

Task Name | Duration | Start | Finish
Prepare Environment Pre-requisites | 3d | 5/30/2016 | 6/1/2016
Provision Office 365 Environment | 3d | 5/30/2016 | 6/1/2016
Configure Identity Integration to Exchange Forest | 2d | 6/2/2016 | 6/3/2016
Consolidate Mailbox Licensing | 5d | 6/6/2016 | 6/10/2016
Install Exchange 2010 SP3 Server | 2d | 6/6/2016 | 6/7/2016
Configure Hybrid Coexistence | 1d | 6/8/2016 | 6/8/2016
Moving Mailboxes with Mail Replication Services | 10d | 6/9/2016 | 6/22/2016
Migrate Public Folders (pending) | 2d | 6/23/2016 | 6/24/2016
Switch over SMTP Relay Clients | 5d | 6/27/2016 | 7/1/2016
Decommission On-premise Exchange Environment | 3d | 7/4/2016 | 7/6/2016
Configure Identity Integration to Primary Forest | 1d | 7/7/2016 | 7/7/2016
Install Exchange 2010 SP3 Management Console | 1d | 7/8/2016 | 7/8/2016
Admin Knowledge Transfer | 1d | 7/11/2016 | 7/11/2016

[Figure: Gantt chart of the estimated timeline.]

Prepare Environment Pre-requisites

To successfully configure your current on-premises Exchange organization for a hybrid deployment,
the following components are required.

1. Prepare a server or virtual machine with 64-bit Edition of Server 2008 R2 SP1 Standard or Enterprise. This will be the server to host both Exchange 2010 SP3 and Azure AD Connect (Directory Sync) services.
Recommendation: Prepare a Virtual Machine with 2vCPU, 8GB RAM, 127GB VHD.
   a. Perform full Windows Updates.
   b. Assign a static IP to the server.
   c. Join the server to the Exchange domain.
   d. Install IIS role.
   e. Install Windows PowerShell v2.0 role.
   f. Windows Remote Management v2.0 role.
   g. Install .NET 3.5 SP1 feature.
   h. Install Windows Management Framework 3.0 - https://www.microsoft.com/en-us/download/details.aspx?id=34595
   i. Install .NET 4.5.1 - https://www.microsoft.com/en-us/download/details.aspx?id=40779
2. Upgrade Exchange 2003 with the latest SP2 - https://support.microsoft.com/en-us/kb/836993
3. Add the following A HOST record and resolve it to an available public IP address.
   a. Hybrid.cityofsanrafael.org
4. NAT port 25 between Hybrid.cityofsanrafael.org and SREX2010 for the following source IP ranges - https://technet.microsoft.com/en-us/library/dn163583%28v=exchg.150%29.aspx
5. NAT port 443 between Hybrid.cityofsanrafael.org and SREX2010 for all sources.

[Figure: Transitory Environment (proposed). Components: Exchange 2010 Hybrid Hub Transport Server, Directory Sync Server, Exchange 2003, Domain Controller, Communigate, MX Logix Spam Filter, Exchange Online, Internet. Flows: DIRSYNC, INTERNAL MAILFLOW, INTERNAL TRAFFIC, MIGRATION TRAFFIC, EXTERNAL MAILFLOW. Domains shown: City.CityofSanRafael.org, CityofSanRafael.org, SRPD.org, City.local.]

[Figure: Termination Environment (proposed). Components: Exchange 2010 Management Console Only, Directory Sync Server, Exchange Online, Internet. Flows: DIRSYNC, INTERNAL TRAFFIC, ALL MAILFLOW. Domains shown: City.local.]

Provision Office 365 Environment

Using Microsoft Office 365 allows you to extend your on-premises organization to the cloud, and it's a requirement for configuring a hybrid deployment. A hybrid deployment provides many advantages, including greater messaging flexibility, storage for large user mailboxes, reduced hardware costs, and convenient user management support. Hybrid deployments are supported in all Office 365 plans that support Azure Active Directory synchronization. All Office 365 Enterprise, Government, Academic and Midsize plans support hybrid deployments. Office 365 Small Business and Home plans don't support hybrid deployments.

1. Purchase Government cloud licensing through an authorized partner. Licensing can be purchased on a monthly or yearly basis. Each user mailbox will require an Exchange Online license.
Recommendation: Verify that Government licenses are being purchased. This license type will provision a tenant in the Government cloud. Switching from a Commercial tenant to a Government tenant requires a full migration so it's recommended to choose the correct licensing to avoid this. The following licenses are recommended for City of San Rafael.
   ■ Exchange Online Plan 2
      ■ Includes features for legal compliance like archiving, eDiscovery, mailbox hold, message encryption, and data loss prevention.
   ■ E3
      ■ Includes Exchange Online Plan 2 (among other services).
   ■ Enterprise Mobility Suite
      ■ Bundle of licenses that include Azure AD Premium and Intune for light PC management, mobile device management, and mobile application management.
   ■ See Appendix B for a full plan comparison.
2. Licenses will come with instructions for creating an Office 365 tenant.
As of 3/16/16, the unique tenant name CityofSanRafael.onmicrosoft.com is available.
3. Log into the Office 365 admin console, navigate to the Domains section and start the wizard to add the below vanity domains. The wizard will require verifying domain ownership by adding a unique TXT record to the Public DNS for the respective domain.
   CityofSanRafael.org
   SRPD.org
   Ci.san-rafael.ca.us

[Screenshot: Office 365 admin center, Domains page (Manage domains, Add domain).]

Recommendation: Within Office 365, please do not create a user account or assign a license to a user that you intend to later synchronize from your on-premise AD. Synchronization may fail if an on-premise user tries to synchronize with an existing cloud user.

4. Disable user's ability to download Office through Service Settings > User Software.

[Screenshot: Office 365 admin center, Service Settings > User Software.]
Configure Identity Integration to Exchange Forest

Active Directory synchronization between your on-premises organization and the Office 365 tenant service organization enables a unified global address list (GAL) and gives you the ability to manage all Active Directory user accounts on-premises. All account changes synchronize automatically to the Office 365 tenant service organization.

1. Create valid UPN suffixes within ADDT.
   a. On SREX, navigate to Start > All Programs > Administrative Tools > Active Directory Domains and Trusts
   b. Right-click Active Directory Domains and Trusts > select Properties
   c. Add the following UPN suffixes.
      i. CityofSanRafael.org
      ii. SRPD.org
      iii. Ci.san-rafael.ci.us

[Screenshot: Active Directory Domains and Trusts, UPN Suffixes dialog.]

2. Set valid UPN suffixes within ADUC. Since Azure AD only allows authentication by a full publicly routable User Principal Name (UPN), we need to set each user account with a valid UPN.
   a. On SREX, navigate to Start > All Programs > Administrative Tools > Active Directory Users and Computers
   b. Select a user or multiple users > Properties > Account
   c. Select the appropriate UPN suffix for the user or multiple users.

[Screenshot: Active Directory Users and Computers, user Properties dialog, Account tab.]
3. On SREX, download and run IdFix - https://www.microsoft.com/en-us/download/details.aspx?id=36832
   a. Selecting Query will produce a list of user accounts that will prevent Azure AD Connect from syncing accounts properly to Azure AD.
   b. Duplicate errors indicate a duplicate in either email alias or display name.
   c. Character errors indicate there is an invalid character within user's email alias or display name.
   d. proxyAddresses indicate an incomplete email alias.
   e. userPrincipalName indicates the user account is not set with a valid UPN suffix.
   Example of IdFix output below:

[Screenshot: IdFix query results with columns DISTINGUISHEDNAME, OBJECTCLASS, ATTRIBUTE, ERROR, VALUE, UPDATE, ACTION.]

Recommendation: Appendix C indicates there are 15 accounts with a duplicate email alias and 522 user accounts with an invalid UPN suffix. Recommended remediation would be to remove the duplicate email aliases and assign valid UPN suffixes. IdFix can suggest fixes to each problem, however, we would recommend manually performing these changes because the suggestion may not always be the optimal solution for your organization.
4. On SREX2010, download and install Azure AD Connect - https://www.microsoft.com/en-us/download/details.aspx?id=47594
   a. Detailed setup instructions can be found here - https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-get-started-custom/
   b. Select the Customized installation option.
   c. Leave actions unchecked and select Install.

[Screenshot: Azure AD Connect, Install required components]

   d. Select Password Synchronization and Next.

[Screenshot: Azure AD Connect, User sign-in]

   e. Enter Azure AD administrator credentials and select Next.

[Screenshot: Azure AD Connect, Connect to Azure AD]

   f. Enter the local on-premise AD administrator credentials and select Next.
   g. Accept the defaults and select Next.

[Screenshot: Azure AD Connect, Connect your directories]
[Screenshot: Azure AD Connect, Azure AD sign-in configuration]

   h. Accept the defaults and select Next.
   Accept the defaults and select Next.

[Screenshot: Azure AD Connect, Domain and OU filtering]

   Accept the defaults and select Next.

[Screenshot: Azure AD Connect, Filter users and devices]

   Consider checking Password writeback and select Next.

Recommendation
The Password writeback optional feature allows users to self-reset their passwords from the Office 365 login portal. This feature requires an Azure AD Premium license.
[Screenshot: Azure AD Connect, Uniquely identifying your users]

   Accept the defaults and select Next.

[Screenshot: Azure AD Connect, Optional features]

[Screenshot: Azure AD Connect, Ready to configure]

5. To verify successful installation
   a. From SREX2010, launch Synchronization Service and verify the connector operations are showing successful.

[Screenshot: Synchronization Service Manager, Connector Operations list with Export, Delta Synchronization and Delta Import runs showing status success]

   b.
Log into the Office 365 Admin Console and view the active users.

Recommendation
Once installed, please be patient. Synchronization can take 5-15 minutes. Synchronization occurs automatically every 30 minutes. To force a sync outside of the regular schedule, use these PowerShell cmdlets.
■ Get-ADSyncScheduler
■ Start-ADSyncSyncCycle -PolicyType Initial
■ Start-ADSyncSyncCycle -PolicyType Delta
Synchronization can be paused or unpaused with the following PowerShell cmdlets.
■ Set-ADSyncScheduler -SyncCycleEnabled $False
■ Set-ADSyncScheduler -SyncCycleEnabled $True

Install Exchange 2010 SP3 Server

Exchange 2010 servers enable communication between your existing Exchange 2003 servers and the Exchange Online service. A hybrid deployment requires installing Exchange 2010 servers that include the Client Access, Hub Transport, and Mailbox server roles. We highly recommend installing more than one Exchange 2010 server in your on-premises organization to help increase reliability and availability of hybrid deployment features.

This checklist outlines the best practice of installing the hybrid Client Access/Mailbox/Hub Transport server roles on a single server as part of a typical customer deployment configuration. Although the best practice and recommended configuration is to install the Client Access, Mailbox, and Hub Transport servers on each Exchange 2010 server deployed in your on-premises organization, you may also elect to install these roles on separate servers in your organization.

1. On SREX2010, install Exchange Client Access, Mailbox, and Hub Transport Roles
   a. Download Exchange 2010 Service Pack 3 (SP3).
   b. On the server you want to install the Exchange 2010 server roles, run Exchange2010-SP3-x64.exe to extract the installation files.
   c. Navigate to the extraction location and double-click Setup.exe.
   d. The Exchange Server 2010 Setup welcome screen appears.
      In the Install section, the software listed for Step 1 and Step 2 was installed with the Exchange 2010 prerequisites. However, if these prerequisites aren't already installed, click the appropriate step to install them.
   e. When Step 1, Step 2, and Step 3 are listed as Installed, click Step 4: Install Microsoft Exchange.
   f. On the Introduction page, click Next.
   g. On the License Agreement page, review the software license terms. If you agree to the terms, select I accept the terms in the license agreement, and click Next.
   h. On the Error Reporting page, select Yes or No to enable the Exchange Error Reporting feature, and click Next.
   i. On the Installation Type page, select Typical Exchange Server Installation. This will install the Client Access, Mailbox and Hub Transport server roles on the Exchange server. To optionally change the installation path for Exchange 2010, click Browse, locate the appropriate folder in the folder tree, and then click OK. Click Next.
   j. Use the Configure Client Access Server external domain page to configure an external fully qualified domain name (FQDN). This is the FQDN that you give to Outlook Web App users to connect to an Exchange 2010 hybrid Client Access server. For example, Hybrid.CityofSanRafael.org is the FQDN used for the Client Access servers in the hybrid deployment checklists. Select the check box, enter your FQDN, and then click Next.
   k. On the Customer Experience Improvement Program page, optionally join in the Exchange Customer Experience Improvement Program (CEIP). The CEIP collects anonymous information about how you use Exchange 2010 and any problems that you encounter. To join the CEIP, select Join the Customer Experience Improvement Program, choose the industry that best represents your organization, and then click Next.
   l.
      On the Readiness Checks page, review the Summary to determine if the system and server are ready for the Exchange 2010 server roles to be installed. If all prerequisite checks completed successfully, click Install. If any of the prerequisite checks failed, you must resolve the displayed error before you can proceed with installing the Exchange 2010 server roles. In many cases, you don't need to exit Setup while you're fixing issues. After you resolve an error, click Retry to run the prerequisite check again. Also, be sure to review any warnings that are reported.
   m. The Progress page displays the progress and elapsed time for each phase of the installation. As each phase ends, it is marked completed and the next phase proceeds. If any errors are encountered, the phase will end as incomplete and unsuccessful. If that happens, you must exit Setup, resolve any errors, and then restart Setup.
   n. When all phases have finished, the Completion page displays. Review the results, and verify that each phase completed successfully. Clear the check box for Finalize this installation using the Exchange Management Console, and then click Finish to exit Setup.
   o. When you're returned to the Setup welcome screen, click Close. On the Confirm Exit prompt, click Yes.
   p. Restart the computer to complete the installation of this Exchange 2010 server.
2. Install a free hybrid Exchange 2010 key:
   a. Sign into your Office 365 tenant and procure a free Hybrid 2010 license key - http://aka.ms/hybridkey
   b. Open the Exchange Management Console on an Exchange 2010 server.
   c. In the console tree, navigate to Server Configuration and select an Exchange 2010 server.
   d. In the action pane, click Enter Product Key.
   e. On the Enter Product Key page, enter the Hybrid Edition product key, and then click Enter.
   f. On the Completion page, review the following, and then click Finish to close the wizard:
      i.
         A status of Completed indicates that the wizard completed the task successfully.
      ii. A status of Failed indicates that the task wasn't completed. If the task fails, review the summary for an explanation, and then click Back to make any configuration changes.
3. Verify Exchange 2010 has been set up correctly.
   a. Open Exchange Management Shell
   b. Run the following PowerShell cmdlet. The cmdlet should output the installed roles on the Exchange server.
      i. Get-ExchangeServer SREX2010
4. Add/set the following CNAME records pointing to hybrid.cityofsanrafael.org.
   a. Autodiscover.ci.san-rafael.ca.us
   e. Autodiscover.CityofSanRafael.org
   f. Autodiscover.SRPD.org
5. Purchase a UCC/SAN certificate from a public certificate authority. This will be used to secure all mail hosts and autodiscover addresses.
   b. Webmail.CityofSanRafael.org
   c. Autodiscover.ci.san-rafael.ca.us
   g. Autodiscover.CityofSanRafael.org
   h. Autodiscover.SRPD.org
   i. Hybrid.CityofSanRafael.org
6. Generate a Certificate Request
   a. On SREX2010, navigate to the console tree, click Server Configuration for the on-premises Exchange organization node and then select a hybrid server.
   b. From the action pane, click New Exchange Certificate to open the New Exchange Certificate wizard.
   c. On the Introduction page, in the Enter a friendly name for the certificate field, provide a descriptive name for the certificate request, and click Next.
   d. On the Domain Scope page, see the Enable wildcard certificate check box. Do not select this check box. Click Next.
   e. On the Exchange Configuration page, select each of the following services, then click Next.
   f. Under Client Access server (Outlook Web App), select Outlook Web App is on the Intranet and specify the internal FQDN of the hybrid server that has the Client Access server role installed. For example, SREX2010.cityofsanrafael.com. Then select Outlook Web App is on the Internet and specify the external FQDN of this hybrid server.
      For example, Hybrid.CityofSanRafael.org.
   g. Under Client Access server (Exchange ActiveSync), select Exchange Active Sync is enabled and specify the external FQDN of the hybrid server (Hybrid.CityofSanRafael.org) that has the Client Access server role installed.
   h. Under Client Access server (Web Services, Outlook Anywhere, and Autodiscover), select Exchange Web Services is enabled. Then select Outlook Anywhere is enabled and specify the external FQDN of the hybrid server (Hybrid.CityofSanRafael.org) that has the Client Access server role installed. Then select Autodiscover is used on the Internet, select Long URL, and specify the Autodiscover URL you want to use for this hybrid server. For example, autodiscover.cityofsanrafael.org.
   i. Under Hub Transport server, select Use mutual TLS to help secure Internet Mail and then specify the external FQDN of the Exchange 2010 SP3 server that has the Hub Transport server role installed. For example, Hybrid.CityofSanRafael.org.
   j. Under Legacy Exchange server, select Use legacy domains and specify the FQDN of your Exchange 2003 server. For example, webmail.cityofsanrafael.org.
   k. On the Certificate Domains page, review the domains that will be added to this certificate. Verify the domains you specified on the previous page are present (City.CityofSanRafael.org, SRPD.org, CityofSanRafael.org, MarinLiteracy.org). Then, do the following and click Next:
   l. Click Add and specify the OWA domain for your hybrid server. For example, Hybrid.CityofSanRafael.org. Click OK.
   m. Verify that the external FQDN of your Exchange server (Hybrid.CityofSanRafael.org) is set as the common name. If it isn't, select the external FQDN entry and click Set as common name.
   n. On the Organization and Location page, provide the relevant information. Location-related settings apply to the location of your hybrid servers. Then click Next.
   o. On the Certificate Configuration page, verify your settings and click New.
   p.
      On the Completion page, click Finish.
   q. Submit the generated request to a trusted public certificate authority. You must select a certificate that allows for the number of domain names you specified earlier. Follow the instructions from your CA to select and obtain a certificate.
   r. Save the certificate obtained from the certificate authority on a network location accessible to SREX2010.
7. Install the purchased certificate to SREX2010
   a. On SREX2010, navigate to the console tree, click Server Configuration for the on-premises Exchange organization node.
   b. From the action pane, click Import Exchange Certificate to open the Import Exchange Certificate wizard.
   c. On the Introduction page, click Browse to select the file that contains the certificate to be used for the hybrid deployment, and then enter the password for the certificate.
   d. On the Exchange Server Selection page, select all on-premises hybrid servers, and then click Next.
   e. On the Import Exchange Certificate page, verify that all previously selected options are correct, and then click Import.
   f. On the Completion page, verify that the certificate import was successful and click Finish.
   g. In the console tree, click Server Configuration for the on-premises Exchange organization node and then select the certificate you just imported.
   h. In the action pane, click Assign Services to Certificate to open the Assign Services to Certificate wizard.
   i. On the Select Servers page, select SREX2010, and then click Next.
   j. On the Select Services page, use the check boxes in the Select services section to choose the services you want to assign to your certificate. If you chose services during certificate creation, the check boxes for those services will already be checked. You must, at
      a minimum, select Simple Mail Transfer Protocol (SMTP) for hybrid servers with the Hub Transport server role installed and Internet Information Services (IIS) for hybrid servers with the Client Access server role installed. Click Next.
   k. NOTE: If the Overwrite the existing default SMTP certificate dialog appears, select No.
   l. On the Assign Services page, verify the configuration summary and click Assign.
   m. On the Completion page, verify that all the services were assigned correctly.
8. Verify Certificates have been installed successfully to Exchange 2010.
   a. On SREX2010, open Exchange Management Shell
   b. Run the following PowerShell cmdlet. The cmdlet should output the thumbprint and services assigned to the certificate.
      i. Get-ExchangeCertificate
9. Configure Exchange Web Services
   a. On SREX2010, open the Exchange Management Console.
   b. In the console tree, click the Server Configuration node and select Client Access.
   c. In the Actions pane, click Configure External Client Access Domain to start the Configure External Client Access Domain wizard.
   d. On the Server Selection wizard page, enter the externally accessible FQDN of your hybrid Client Access server (Hybrid.CityofSanRafael.org) in the Enter the domain name you will use with your external Client Access servers text box.
   e. On the Server Selection wizard page, click Add in the Select the Client Access servers to use with the external URL section to add one or more hybrid Client Access servers.
   f. Click Configure.
   g. Review and verify that the configuration changes made to the virtual directories are correct, and then click Finish.
10. Verify Web Services have been configured successfully.
   a. On SREX2010, open Exchange Management Shell
   b. Run the following PowerShell cmdlets. Each of the commands that you run will return the name of the virtual directory and the value that's stored in the ExternalUrl property.
      The value stored in the ExternalUrl property should match the FQDN value that you provided when you configured the virtual directories in the wizard.
      i. Get-WebServicesVirtualDirectory "EWS (Default Web Site)" | Format-Table Name, ExternalUrl
      ii. Verify that the external URL is set on the OAB virtual directory.
      iii. Get-OabVirtualDirectory "OAB (Default Web Site)" | Format-Table Name, ExternalUrl
      iv. Verify that the external URL is set on the Microsoft-Server-ActiveSync virtual directory.
      v. Get-ActiveSyncVirtualDirectory "Microsoft-Server-ActiveSync (Default Web Site)" | Format-Table Name, ExternalUrl
11. Test Outlook Anywhere and Autodiscover
   a. Wait for public DNS records to propagate. This sometimes can take up to 24 hours.
   b. Run Outlook Connectivity Tests for Outlook Autodiscover. Ensure the test passes. - http://www.exrca.com/

Configure Hybrid Coexistence

The Hybrid Configuration wizard helps you establish your hybrid deployment by creating the HybridConfiguration object in your on-premises Active Directory and gathering existing Exchange and Active Directory topology configuration data. The Hybrid Configuration wizard also enables you to define and configure several organization parameters for your hybrid deployment, including secure mail transport options.

1. On SREX2010, navigate to http://aka.ms/HybridWizard. This will download and open the Hybrid Configuration wizard. If you're prompted to do so, click Install on the Application Install dialog.
2. Click Next and then, in the On-premises Exchange Server Organization section, select Detect the optimal Exchange server. The wizard will attempt to detect an on-premises Exchange 2010 SP3 Client Access server. If the wizard doesn't detect an Exchange 2010 SP3 server, or if you want to use a different server, select Specify a server running Exchange 2010, Exchange 2013 or Exchange 2016 and then specify the internal FQDN of an Exchange 2010 SP3 Client Access server.
3. In the Office 365 Exchange Online section, select Microsoft Office 365 and then click Next.
4. On the Credentials page, in the Enter your on-premises account credentials section, select Use current Windows credentials to have the wizard use the account you're logged into to access your on-premises Active Directory and Exchange 2010 SP3 servers. If you want to specify a different set of credentials, unselect Use current Windows credentials and specify the username and password of an Active Directory account you want to use. Whichever selection you choose, the account used needs to be a member of the Enterprise Admins security group.
5. In the Enter your Office 365 credentials section, specify the username and password of an Office 365 account that has Global Administrator permissions. Click Next.
6. On the Validating Connections and Credentials page, the wizard will connect to both your on-premises organization and your Office 365 organization to validate credentials and examine the current configuration of both organizations. Click Next when it's done.
7. On the Hybrid Domains page, select the domains you want to include in your hybrid deployment. In most deployments you can leave the Auto Discover column set to False for each domain. Only select True next to a domain if you need to force the wizard to use the Autodiscover information from a specific domain. Click Next.
8. On the Federation Trust page, click Enable and then click Next.
9.
   On the Domain Ownership page, click Click copy to clipboard to copy the domain proof token information for the domains you've selected to include in the hybrid deployment. Open a text editor such as Notepad and paste the token information for these domains. Before continuing in the Hybrid Configuration wizard, you must use this info to create a TXT record for each domain in your public DNS. Refer to your DNS host's Help for information about how to add a TXT record to your DNS zone. Click Next after the TXT records have been created and the DNS records have replicated.
10. On the Hybrid Configuration page, select the Configure my Hub Transport servers for secure mail transport (typical) option to configure your on-premises Hub Transport servers for secure mail transport with Office 365. Click Next.
11. On the Hub Transport Server Configuration page, select an Exchange 2010 SP3 Hub Transport server that has the certificate you configured earlier in the checklist. Click Next.
12. On the Public IP addresses page, specify the externally accessible IP address of the Exchange 2010 SP3 transport server that will accept connections from Office 365. Click Next.
13. On the Transport Certificate page, select the certificate to use for secure mail transport. This list displays the digital certificates issued by a third-party certificate authority (CA) installed on the Hub Transport server you selected on the Hub Transport Server Configuration page. Click Next.
14. On the Organization FQDN page, enter the externally accessible FQDN for your Internet-facing Exchange 2010 SP3 transport server. Office 365 uses this FQDN to configure the service connectors for secure mail transport between your Exchange organizations. For example, enter "mail.contoso.com". Click Next.
15.
   The hybrid deployment configuration selections have been updated, and you're ready to start the Exchange services changes and the hybrid deployment configuration. Click Update to start the configuration process. While the hybrid configuration process is running, the wizard displays the feature and service areas that are being configured for the hybrid deployment as they are updated.
16. When the wizard has completed all of the tasks it can perform automatically, it'll list any tasks that you need to address manually before your hybrid deployment configuration is complete.
17. The wizard displays a completion message and the Close button is displayed. Click Close to complete the hybrid deployment configuration process and to close the wizard.
18. Verify Hybrid Coexistence has been configured successfully.
   a. On SREX2010, open Exchange Management Shell
   b. Run the following PowerShell cmdlets.
      i. Get-HybridConfiguration

Moving Mailboxes with Mail Replication Services

Moving mailboxes from the on-premises organization to the Exchange Online organization uses a remote mailbox move request. This approach allows you to move your existing Exchange user mailboxes to the Exchange Online organization instead of creating user mailboxes and importing their mailbox content.

1. Create a Migration Endpoint
   a. Log into Exchange Online Admin Console - https://outlook.office365.com/ecp/
   b. Navigate to Recipients > Migration > Migration Endpoints

[Screenshot: Exchange Online Admin Console, migration endpoints]

   c. Select Exchange Remote option.
   d. Enter an on-premise Exchange administrator account.
   e. Enter the MRS proxy server Hybrid.CityofSanRafael.org.
2. Move a mailbox.
   a. Log into Exchange Online Admin Console - https://outlook.office365.com/ecp/
   b.
      Navigate to Recipients > Migration > Migrate to Exchange Online

[Screenshot: Exchange Online Admin Console, Migrate to Exchange Online]

   c. Select Remote Move Migration.
   d. Select the user(s) mailboxes to migrate.
   e. Confirm the Migration Endpoint from the previous section.
   f. Enter 20 for Max concurrent connections.
   g. Enter 20 for Incremental sync.
   h. Enter 30 for Bad item limit.
   i. Enter 50 for Large item limit.
   j. Select to automatically complete the migration batch.
   k. Confirm the start of the migration.
3. Assign an Exchange Online license to the migrated user(s).
   a. Migrated user mailboxes will have a grace period of 30 days to assign an Exchange Online license. If a license has not been assigned to a user mailbox after 30 days, the mailbox will be deleted.

Recommendation
It is recommended to always initiate the migration from the Exchange Online Admin Console. When provisioning new user mailboxes, add their user account to the on-premise AD. Once the user replicates to Office 365, assign an Exchange Online license to their user account. Once a license is assigned, a mailbox will be created. To remove a user's mailbox, either delete the user's account from the on-premise AD or deallocate the Exchange Online license from Office 365. The user will not be able to access their mailbox and the mailbox will delete itself after 30 days.
■ Exception being if the mailbox was placed on an In Place Hold (legal hold), the mailbox will not delete itself until the hold is removed.

Migrate Public Folders

Public folders cannot be migrated from Exchange 2003. If you're running Exchange 2003 in your organization, you must move all public folder databases and replicas to Exchange 2007 SP3 RU10 or later. No public folder replicas can remain on Exchange 2003.

1. Scrub public folder list to minimize the amount of public folders that need to migrate.
2.
   On SREX, open the Exchange System Manager (ESM).
3. Navigate to the Public Folder Store and select Public Folder Instances.
4. Right-click and select Move All Replicas.
5. Select SREX2010 as the server to host the new replicas.
6. Select Ok to continue through the warning. The move could take some time depending on the size of the public folders.
7. Migrate public folders to Exchange Online - https://technet.microsoft.com/en-us/library/dn874017(v=exchg.150).aspx
   a. Download all the migration scripts from the following repositories. There will be 8 scripts total.
      i. http://go.microsoft.com/fwlink/?LinkId=299838
      ii. http://go.microsoft.com/fwlink/p/?LinkId=532375
   b. Rename any public folders with a \ in its name.
      i. Get-PublicFolderStatistics -ResultSize Unlimited | Where {$_.Name -like "*\*"} | Format-List Name, Identity
   c. Enumerate the legacy folders and hierarchy on SREX2010.
      i. .\Export-PublicFolderStatistics.ps1 \\fileserver\temp\ SREX2010.sanrafael.org
   d. Create our public folder mapping file on SREX2010.
      i. .\PublicFolderToMailboxMapGenerator.ps1 15 \\fileserver\temp\ \\fileserver\temp\
   e. Create public folder mailboxes list from SREX2010.
      i. .\Create-PublicFolderMailboxesForMigration.ps1 -FolderMappingCsv Mapping.csv -EstimatedNumberOfConcurrentUsers:200
   f. Specify a log location for the migration events on SREX2010.
      i. .\Sync-MailPublicFolders.ps1 -Credential (Get-Credential) -CsvSummaryFile \\fileserver\temp\sync_summary.csv
   g. On SREX2010, copy the following information to a notepad.
      i. Get-Mailbox <PublicFolder administrator Account> | Select-Object LegacyExchangeDN
      ii. Get-ExchangeServer <public folder server> | Select-Object -Expand ExchangeLegacyDN
      iii. Get-OutlookAnywhere | Format-Table Identity, ExternalHostName
   h. Input migration criteria into Exchange Online.
      i. $Source_Credential = Get-Credential <source_domain\PublicFolder_Administrator_Account>
      ii.
         $Source_RemoteMailboxLegacyDN = "<paste the value here>"
      iii. $Source_RemotePublicFolderServerLegacyDN = "<paste the value here>"
      iv. $Source_OutlookAnywhereExternalHostName = "<paste the value here>"
      v. $PfEndpoint = New-MigrationEndpoint -PublicFolder -Name PublicFolderEndpoint -RPCProxyServer $Source_OutlookAnywhereExternalHostName -Credentials $Source_Credential -SourceMailboxLegacyDN $Source_RemoteMailboxLegacyDN -PublicFolderDatabaseServerLegacyDN $Source_RemotePublicFolderServerLegacyDN -Authentication Basic
      vi. New-MigrationBatch -Name PublicFolderMigration -CSVData (Get-Content \\fileserver\temp\ -Encoding Byte) -SourceEndpoint $PfEndpoint.Identity -NotificationEmails <email addresses for migration notifications>
   i. Start migration batch:
      i. (Exchange Online) Start-MigrationBatch PublicFolderMigration
   j. Lock public folders down for final migration
      i. (Exchange Online) Set-OrganizationConfig -PublicFoldersLockedForMigration:$true
   k. Finalize migration.
      i. (Exchange Online) Complete-MigrationBatch PublicFolderMigration
      ii. (Exchange Online) Set-OrganizationConfig -RemotePublicFolderMailboxes $Null -PublicFoldersEnabled Local
      iii. (Exchange Online) Get-Mailbox -PublicFolder | Set-Mailbox -PublicFolder -IsExcludedFromServingHierarchy $false
      iv. (SREX2010) Set-OrganizationConfig -PublicFolderMigrationComplete:$true
      v. (Exchange Online) Set-OrganizationConfig -PublicFoldersEnabled Local

Switch over SMTP Relay Clients

In preparation of decommissioning the on-premise Exchange server, SMTP relay clients will need to switch the address they are currently using to the Exchange Online Protection address for Office 365. SMTP relay is typically used by applications and devices (i.e. web applications and multifunction printers) to send notifications and reports.

1. Office 365 Setup - https://technet.microsoft.com/en-us/library/dn554323(v=exchg.150).aspx
   a. There are 3 types of Office 365 relay:
      i.
SMTP client submission 1. This is the standard SMTP mail setup authenticated by a username and password. No further configuration is required. ii. Direct send 1 This option is for applications and devices that are unable to authenticate with a username and password. SMTP clients would simply reconfigure their SMTP server address to their domain's EOP address. 2. Only emails sent to internal addresses will be routed. Emails to external recipients will be rejected. iii. 51\i1TP Connector 1. Log into Exchange Online Admin Console - https://outlook.office365.com/eco/ 2. Navigate to iNlail Flow > Connectors 3. Add a new connector. ��. Nlail flow scenario will be from Your organization's email server to Office 363. 7 Click Text. 6. Enter a name and description for the connector. 7. Click Next. 3. Select "3y ver ifyinuthat t -ie IP address of the sending serve!" matches one of these IP address that belong to your organization". 9. ;add the public Ws for your o rices that the device(s'i will be sending an email from. 10 add the following internal IPs (identified from SREX) 10.211.202.11 10.211.202.77 10.211.212.14 10.50.101.12 10.211.202.12 10.211.202.82 10.211.212.17 10.50.101.14 10.211.202.141 10.211.203.10 10.211.212.3 10.50.101.15 10.211.202.16 10.211.203.61 10.211.212.4 10.50.101.181 10.211.202.18 10.211.204.5 10.211.212.6 10.50.101.200 10.211.202.206 10.211.209.30 10.211.215.108 10.50.101.28 1 10.211.202.208 10.211.209.31 10.211.220.101 10.50.101.78 10.211.202.24 10.211.209.34 10.211.220.102 10.50.101.81 10.211.202.33 10.211.209.40 10.211.220.103 10.50.101.9 10.211.202.36 10.211.211.11 10.211.240.50 121.211.212.10 10.211.202.47 10.211.211.150 10.211.250.0 172.16.1.6 10.211.202.62 10.211.211.152 10.211.250.10 172.30.1.11 10.211.202.75 10.211.211.7 10.50.101.10 172.30.10.101 10.211.202.76 10.211.212.10 10.50.101.11 I Migration Plan I City of San Rafael 29 11 Click Save ?. SiNITP Client Setup a. Change the relay server address to your organization's EOP address. 
      This address will be created once the Office 365 tenant has been created.
      i. Typically, this address will be in the format: CityofSanRafael-org.mail.protection.outlook.com
   b. SMTP port 587 (recommended) or 25.
   c. Transport Layer Security (TLS) encryption enabled.

Recommendation
If the SMTP relay clients will only send emails internally, then the Direct Send method would be the simplest as there would be no additional configuration in Office 365.

Consolidate Mailbox Licensing

All user mailboxes will require an Exchange Online license. To reduce licensing costs, it is advised to convert user mailboxes into shared mailboxes. This should be done with any mailbox that does not need a dedicated username and password. Shared mailboxes can be accessed by unlimited licensed users using send-as or full access permissions.

1. Log into Exchange Online Admin Console - https://outlook.office365.com/ecp/
2. Navigate to Recipients > Mailboxes
3. Select a mailbox.
4. Select Convert.
5. Click YES to confirm.

Recommendation
See Appendix A for a list of mailboxes that were pulled from SREX. PowerShell is advisable to convert multiple mailboxes quickly. Example:
   ■ Set-Mailbox TestUser@CityofSanRafael.org -Type Shared

Decommission On-premise Exchange Environment

After all user mailboxes and public folders have been migrated and SMTP clients have been switched over, on-premise Exchange servers will be decommissioned. Exchange servers will be uninstalled and directory synchronization will be disabled.

1. Updating public and private DNS records - https://support.office.com/en-ie/article/Create-DNS-records-for-Office-365-at-any-DNS-hosting-provider-7b7b075d-79f9-4e37-8a9e-fb60c1d95166?ui=en-US&rs=en-IE&ad=IE
   a. MX Record
      i. This address will be created once the Office 365 tenant has been created. Typically, this address will be in the format: CityofSanRafael-org.mail.protection.outlook.com.
      ii. Remove any other MX records.
   b. CNAME Records

      Record Type    Host                    Points to                                  TTL
      CNAME (Alias)  autodiscover            autodiscover.outlook.com                   1 hour
      CNAME (Alias)  lyncdiscover            webdir.online.lync.com                     1 hour
      CNAME (Alias)  msoid                   clientconfig.microsoftonline-p.net         1 hour
      CNAME (Alias)  sip                     sipdir.online.lync.com                     1 hour
      CNAME (Alias)  enterpriseregistration  enterpriseregistration.windows.net         1 hour
      CNAME (Alias)  enterpriseenrollment    enterpriseenrollment.manage.microsoft.com  1 hour

   c. TXT Records

      Record Type  Host  TXT Value                                       TTL
      TXT (Text)   @     v=spf1 include:spf.protection.outlook.com -all  1 hour

   d. SRV Records

      Record Type    Name                                     Target                  Protocol  Service            Priority  Weight  Port  TTL
      SRV (Service)  @ (Or leave blank, if @ is not allowed)  sipdir.online.lync.com  tls       _sip               100       1       443   1 hour
      SRV (Service)  @ (Or leave blank, if @ is not allowed)  sipfed.online.lync.com  tcp       _sipfederationtls  100       1       5061  1 hour

2. Decommission Exchange environment - https://technet.microsoft.com/en-us/library/dn931280(v=exchg.150).aspx
   a. On SREX2010, remove the Service Connection Point (SCP) values on your Exchange servers. This ensures that no SCPs are returned and the client will instead use the DNS method for Autodiscover. An example is shown below:
      i. Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri $Null
   b. On SREX, remove the Service Connection Point (SCP) values on your Exchange servers. This ensures that no SCPs are returned, and the client will instead use the DNS method for Autodiscover. An example is shown below:
      i. Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri $Null
   c. There are inbound and outbound connectors created by the Hybrid Configuration Wizard that you will want to delete. Use the following steps to do this:
      i. Log in to the Office 365 Admin portal and sign in as the Tenant Administrator.
      ii. Select the option to manage Exchange.
      iii. Navigate to Mail Flow -> Connectors.
      iv. You can now disable or delete the inbound and outbound connectors. The HCW creates connectors with unique namespace inbound from <unique identifier> and outbound from <unique identifier> as shown in the graphic below.
      [Graphic: inbound and outbound connectors]
   d. Remove the organization relationship created by the Hybrid Configuration Wizard. Use the following steps to do this:
      i. Log in to the Office 365 Admin portal and sign in as the Tenant Administrator.
      ii. Select the option to manage Exchange.
      iii. Navigate to Organization.
      iv. Under Organization Sharing, remove the organization named O365 to On-Premises — <unique identifier> as shown in the graphic below.
      [Graphic: organization sharing]
   e. Disable directory synchronization for your tenant.
      i. Log into the Office 365 Administrator Portal - https://portal.office.com/Admin/
      ii. Navigate to Users > Active Users > Active Directory Synchronization: Manage
      iii. Select Deactivate.
      iv. When this step is completed, all user management tasks will be done from the Office 365 management tools. This means you will no longer use the Exchange Management Console or Exchange Administration Center (EAC). For more information on how to disable directory synchronization, see Deactivate directory synchronization.
   f. On SREX2010, uninstall Exchange from the on-premises servers through Programs and Features. On SREX, uninstall Exchange from the on-premises servers through Programs and Features.

Configure Identity Integration to Primary Forest

Active Directory synchronization between your on-premises organization and the Office 365 tenant service organization enables a unified global address list (GAL) and gives you the ability to manage all Active Directory user accounts on-premises. All account changes synchronize automatically to the Office 365 tenant service organization.

1. Prep SREX2010
   a. On SREX2010, disjoin the domain and go back to a workgroup.
   b. Reboot SREX2010.
   c. On SREX2010, join City.local domain.
   d. Reboot SREX2010.
2. Create valid UPN suffixes within ADDT.
   a. On a City.local domain controller, navigate to Start > All Programs > Administrative Tools > Active Directory Domains and Trusts
   b. Right-click Active Directory Domains and Trusts > select Properties
   c. Add the following UPN suffixes.
      i. City.CityofSanRafael.org
      ii. CityofSanRafael.org
      iii. SRPD.org
      iv. MarinLiteracy.org
3. Set valid UPN suffixes within ADUC. Since Azure AD only allows authentication by a full publicly routable User Principal Name (UPN), we need to set each user account with a valid UPN.
   a. On City.local, navigate to Start > All Programs > Administrative Tools > Active Directory Users and Computers
   b. Select a user or multiple users > Properties > Account
   c. Select the appropriate UPN suffix for the user or multiple users.
4. On SREX2010, download and run IdFix - https://www.microsoft.com/en-us/download/details.aspx?id=36832
   a. Selecting Query will produce a list of user accounts that will prevent Azure AD Connect from syncing accounts properly to Azure AD.
   b. Duplicate errors indicate a duplicate in either email alias or display name.
   c. Character errors indicate there is an invalid character within user's email alias or display name.
   d. Proxyaddresses indicate an incomplete email alias.
   e. UserPrincipalName indicates the user account is not set with a valid UPN suffix.
   f. Example of IdFix output below.
      [Screenshot: IdFix output]
5. On SREX2010, download and install Azure AD Connect - https://www.microsoft.com/en-us/download/details.aspx?id=47594
   a. Detailed setup instructions can be found here - https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-get-started-custom/
   c. Select the Customized installation option.
   d. Leave options unchecked and select Install.
      [Screenshot: Azure AD Connect, Install required components]
   e. Select Password Synchronization and Next.
      [Screenshot: Azure AD Connect, User sign-in]
   f. Enter Azure AD administrator credentials and select Next.
      [Screenshot: Azure AD Connect, Connect to Azure AD]
   g. Enter the local on-premise AD administrator credentials and select Next.
      [Screenshot: Azure AD Connect, Connect your directories]
   h. Accept the defaults and select Next.
      [Screenshot: Azure AD Connect, Azure AD sign-in configuration]
   i. Accept the defaults and select Next.
      [Screenshot: Azure AD Connect, Domain and OU filtering]
   j. Accept the defaults and select Next.
      [Screenshot: Azure AD Connect, Uniquely identifying your users]
   k. Accept the defaults and select Next.
      [Screenshot: Azure AD Connect, Filter users and devices]
   l. Consider checking Password writeback and select Next.

      Recommendation
      The Password writeback optional feature allows for users to self-reset their passwords from the Office 365 login portal. This feature requires an Azure AD Premium license.

      [Screenshot: Azure AD Connect, Optional features]
   m. Accept the defaults and select Next.
      [Screenshot: Azure AD Connect, Ready to configure]
6. On SREX2010, run the following PowerShell script. This will set the ImmutableID of the Exchange Online mailbox to match the GUID of the on-premise user to ensure successful synchronization.

    Import-Module MSOnline
    Import-Module ActiveDirectory
    # Placeholder credentials; supply the Office 365 administrator account.
    $user = "O365 Username"
    $password = "O365 Password"
    $secpasswd = ConvertTo-SecureString $password -AsPlainText -Force
    $credential = New-Object System.Management.Automation.PSCredential($user, $secpasswd)
    Connect-MsolService -Credential $credential
    foreach ($user in (Get-MsolUser -All)) {
        # Get-ADUser -Filter cannot expand $user.UserPrincipalName, so copy it to a plain variable first.
        $upn = $user.UserPrincipalName
        $ADUser = Get-ADUser -Filter {UserPrincipalName -eq $upn} -Properties ObjectGUID
        # Skip cloud accounts with no on-premise match so a stale value is never written.
        if (-not $ADUser) { continue }
        $guid = [GUID]$ADUser.ObjectGUID
        $bytearray = $guid.ToByteArray()
        $immutableID = [System.Convert]::ToBase64String($bytearray)
        Set-MsolUser -UserPrincipalName $user.UserPrincipalName -ImmutableId $immutableID
    }
    +++++++++++++++++++++++

7. To verify successful installation:
   a. From SREX2010, launch Synchronization Service and verify the connector operations are showing successful.
      [Screenshot: Synchronization Service Manager, Operations]
   b. Log into the Office 365 Admin Console and view the active users.

Recommendation
Once installed, please be patient. Synchronization can take 5-15 minutes. Synchronization occurs automatically every 30 minutes. To force a sync outside of the regular schedule, use this PowerShell cmdlet.
   ■ Get-ADSyncScheduler
   ■ Start-ADSyncSyncCycle -PolicyType Initial
   ■ Start-ADSyncSyncCycle -PolicyType Delta
Synchronization can be paused or unpaused with the following PowerShell cmdlets.
   ■ Set-ADSyncScheduler -SyncCycleEnabled $False
   ■ Set-ADSyncScheduler -SyncCycleEnabled $True

Install Exchange 2010 SP3 Management Console

Exchange 2010 servers will have the sole job of providing an interface for changing user specific attributes within the on-premise AD that would otherwise need to be changed through ADSI Edit. More information can be found here - https://blogs.msdn.microsoft.com/vilath/2015/05/25/office-365-and-dirsync-why-should-you-have-at-least-one-exchange-server-on-premises/

1. On SREX2010, install the Exchange Management Tools.
   a. Download Exchange 2010 Service Pack 3 (SP3).
   b. On the server you want to install the Exchange 2010 server roles, run Exchange2010-SP3-x64.exe to extract the installation files.
   c. Navigate to the extraction location and double-click Setup.exe.
   d. The Exchange Server 2010 Setup welcome screen appears. In the Install section, the software listed for Step 1 and Step 2 was installed with the Exchange 2010 prerequisites. However, if these prerequisites aren't already installed, click the appropriate step to install them.
   e. When Step 1, Step 2, and Step 3 are listed as Installed, click Step 4: Install Microsoft Exchange.
   f. On the Introduction page, click Next.
   g. On the License Agreement page, review the software license terms. If you agree to the terms, select I accept the terms in the license agreement, and click Next.
   h. On the Error Reporting page, select Yes or No to enable the Exchange Error Reporting feature, and click Next.
   i. On the Installation Type page, select Custom Exchange Server Installation. This will install the Client Access, Mailbox and Hub Transport server roles on the Exchange server. To optionally change the installation path for Exchange 2010, click Browse, locate the appropriate folder in the folder tree, and then click OK. Click Next.
   j. On the Server Role Selection page, select Management Tools. Click Next.
   k. On the Readiness Checks page, review the Summary to determine if the system and server are ready for the Exchange 2010 server roles to be installed. If all prerequisite checks completed successfully, click Install. If any of the prerequisite checks failed, you must resolve the displayed error before you can proceed with installing the Exchange 2010 server roles. In many cases, you don't need to exit Setup while you're fixing issues. After you resolve an error, click Retry to run the prerequisite check again. Also, be sure to review any warnings that are reported.
   l. The Progress page displays the progress and elapsed time for each phase of the installation. As each phase ends, it's marked completed and the next phase proceeds. If any errors are encountered, the phase will end as incomplete and unsuccessful. If that happens, you must exit Setup, resolve any errors, and then restart Setup.
   m. When all phases have finished, the Completion page displays. Review the results, and verify that each phase completed successfully. Clear the check box for Finalize this installation using the Exchange Management Console, and then click Finish to exit Setup.
   n. When you're returned to the Setup welcome screen, click Close. On the Confirm Exit prompt, click Yes.
   o. Restart the computer to complete the installation of this Exchange 2010 server.
2. Install a free Hybrid Exchange 2010 key:
   a. Sign into your Office 365 tenant and procure a free Hybrid 2010 license key - http://aka.ms/hybridkey
   b. Open the Exchange Management Console on an Exchange 2010 server.
   c. In the console tree, navigate to Server Configuration and select an Exchange 2010 server.
   d. In the action pane, click Enter Product Key.
   e. On the Enter Product Key page, enter the Hybrid Edition product key, and then click Enter.
   f. On the Completion page, review the following, and then click Finish to close the wizard:
      i. A status of Completed indicates that the wizard completed the task successfully.
      ii. A status of Failed indicates that the task wasn't completed. If the task fails, review the summary for an explanation, and then click Back to make any configuration changes.
3. Verify Exchange 2010 has been set up correctly.
   a. Open Exchange Management Shell.
   b. Run the following PowerShell cmdlet. The cmdlet should output the installed roles on the Exchange server.
      i. Get-ExchangeServer SREX2010

Recommendation
Use the Exchange Management Console for these mailbox related tasks.
   ■ Adding an Alias for a user mailbox.
   ■ Hiding or revealing a mailbox to the Global Address List.

Migration Project Complete

Congratulations, the migration project has now completed. All mailboxes are now hosted in Exchange Online and directory synchronization is in place. Management of the user objects is handled from the on-premise AD (Source of Authority).

Deploying Office 365 ProPlus

Office 365 E3 and Office 365 ProPlus licensed users are able to use the latest version of Office ProPlus. More information can be found here - https://technet.microsoft.com/en-us/library/ee998766.aspx

1. User-installation method:
   a. Licensed users can download and install the latest Office 365 ProPlus from https://portal.office.com
      i. Note: User must be able to install applications to their workstations.
2. Per computer deployment method
   a. Prepare a network file share with Read permissions for Everyone.
   b. Download the Office Deployment Tool to the network file share. For these instructions, we will assume you are deploying Office 2016.
      i. Office 2013 Version - https://go.microsoft.com/fwlink/p/?LinkID=282642
      ii. Office 2016 Version - http://go.microsoft.com/fwlink/p/?LinkID=626065
   c. Run the deployment tool setup.
   d. Edit the configuration xml file.
      i. Modify SourcePath to match the location of configuration.xml
      ii. Modify the bit version of Office (32 or 64).
      iii. Shared Computer Licensing:
         1. If you are deploying Office 365 ProPlus to a shared computer (terminal server/VDI), leave the SharedComputerLicensing line intact.
         2. If you are deploying Office 365 to a dedicated user computer, remove the SharedComputerLicensing line.
         3. Shared Computer Licensing will allow the user to activate and not consume one of their 5 activations.

      Example:
      <Configuration>
        <Add SourcePath="\\server\Office16" OfficeClientEdition="32">
          <Product ID="O365ProPlusRetail">
            <Language ID="en-us" />
          </Product>
        </Add>
        <Display Level="None" AcceptEULA="True" />
        <Property Name="SharedComputerLicensing" Value="1" />
      </Configuration>

   e. Create a .bat file in the same file share as configuration.xml populated with the following command: \\server\Office15\setup.exe /download \\server\Office16\configuration.xml
      i. Run this bat file.
      ii. The Office 365 ProPlus cab files will download to the file share. This process may take up to an hour. The bat file command prompt will disappear once the necessary files have been downloaded.
   f. Connect to the destination computer where Office 365 ProPlus will be installed. Create a .bat file anywhere on the destination computer, populated with the following command.
      i. \\server\Office15\setup.exe /configure \\server\Office16\configuration.xml
      ii. Run this bat file.
      iii. Office 365 ProPlus will now install. This process may take up to 30 minutes. The bat file command prompt will disappear once the necessary files have been downloaded.
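
The ImmutableID step in "Configure Identity Integration to Primary Forest" above depends on the ImmutableId being the Base64 form of the on-premise objectGUID in the byte order Guid.ToByteArray() returns. The following is an added example, not part of the migration plan: the function names and all sample users and GUIDs are constructed, and it audits already-collected values offline instead of calling MSOnline or Active Directory.

```powershell
# Added example. All users, GUIDs and ImmutableId values below are constructed.

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory = $true)][guid]$ObjectGuid)
    # ToByteArray() returns the bytes as AD stores them in objectGUID
    # (first three fields little-endian); ImmutableId is Base64 of those bytes.
    [System.Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory = $true)][string]$ImmutableId)
    [byte[]]$bytes = [System.Convert]::FromBase64String($ImmutableId)
    if ($bytes.Length -ne 16) {
        throw "ImmutableId '$ImmutableId' does not decode to 16 bytes."
    }
    [guid]$bytes
}

function ConvertTo-NaiveBase64 {
    param([Parameter(Mandatory = $true)][guid]$ObjectGuid)
    # Wrong on purpose: encodes the bytes in the order the GUID is printed,
    # which is what a hex-to-Base64 conversion outside .NET produces.
    $hex = $ObjectGuid.ToString('N')
    [byte[]]$bytes = 0..15 | ForEach-Object {
        [System.Convert]::ToByte($hex.Substring($_ * 2, 2), 16)
    }
    [System.Convert]::ToBase64String($bytes)
}

function Compare-ImmutableId {
    param(
        [Parameter(Mandatory = $true)][object[]]$OnPremUsers,  # UserPrincipalName + ObjectGUID
        [Parameter(Mandatory = $true)][object[]]$CloudUsers    # UserPrincipalName + ImmutableId
    )
    # Hashtable literals compare string keys case-insensitively, like UPNs.
    $byUpn = @{}
    foreach ($u in $OnPremUsers) { $byUpn[$u.UserPrincipalName] = $u }

    foreach ($c in $CloudUsers) {
        $ad = $byUpn[$c.UserPrincipalName]
        $expected = $null
        if ($ad) { $expected = ConvertTo-ImmutableId $ad.ObjectGUID }

        if (-not $ad) { $status = 'NoOnPremAccount' }
        elseif ([string]::IsNullOrEmpty($c.ImmutableId)) { $status = 'NotSet' }
        # Base64 is case-sensitive, so use -ceq rather than -eq.
        elseif ($c.ImmutableId -ceq $expected) { $status = 'Match' }
        else { $status = 'Mismatch' }

        [pscustomobject]@{
            UserPrincipalName = $c.UserPrincipalName
            Status            = $status
            CloudImmutableId  = $c.ImmutableId
            ExpectedId        = $expected
        }
    }
}

# Constructed sample data standing in for Get-ADUser and Get-MsolUser output.
$aliceGuid = [guid]'11223344-5566-7788-99aa-bbccddeeff00'
$bobGuid   = [guid]'0a1b2c3d-4e5f-6071-8293-a4b5c6d7e8f9'
$carolGuid = [guid]'fedcba98-7654-3210-0123-456789abcdef'

$onPrem = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@example.org'; ObjectGUID = $aliceGuid }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.org';   ObjectGUID = $bobGuid }
    [pscustomobject]@{ UserPrincipalName = 'carol@example.org'; ObjectGUID = $carolGuid }
)
$cloud = @(
    [pscustomobject]@{ UserPrincipalName = 'Alice@example.org'; ImmutableId = (ConvertTo-ImmutableId $aliceGuid) }
    [pscustomobject]@{ UserPrincipalName = 'bob@example.org';   ImmutableId = (ConvertTo-NaiveBase64 $bobGuid) }
    [pscustomobject]@{ UserPrincipalName = 'carol@example.org'; ImmutableId = $null }
    [pscustomobject]@{ UserPrincipalName = 'dave@example.org';  ImmutableId = $null }
)

Compare-ImmutableId -OnPremUsers $onPrem -CloudUsers $cloud | Format-Table -AutoSize

# Decoding a cloud value shows which objectGUID it would actually match.
ConvertFrom-ImmutableId (ConvertTo-NaiveBase64 $bobGuid)
```

Rows reported as Mismatch or NoOnPremAccount are the accounts to review before the first synchronization cycle, because the ImmutableId is what ties a cloud user to its on-premise object.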

Spam Filter Integration

Exchange Online integrates Exchange Online Protection into the Exchange Online Admin Console making 3rd party spam filters unnecessary. However, 3rd party spam filters can be utilized within Office 365.

1. Remove Exchange Online Protection MX record from your public and private DNS.
2. Add an MX record pointing to the 3rd party spam filter service.
3. Configure the spam filter service to relay messages to Exchange Online Protection address.

Recommendation
When a 3rd party spam filter is put in front of Exchange Online Protection, inbound emails will be filtered twice—initially by the 3rd party spam filter, and then again by EOP. It should be noted that this can create some confusion over which spam filter is filtering the email.
Outbound email will be sanitized by EOP.
Exchange Online will queue mass emails at the server and throttle the rate of delivery. For mass email delivery, email will be delivered from a separate pool of servers (higher risk delivery pools) utilizing a separate range of IPs to prevent blacklisting of your primary email server pool. More information about higher risk delivery pools here - https://technet.microsoft.com/en-us/library/jj200746(v=exchg.150).aspx

PST Migration Options

PST archives are typically created by users to free up space from their on-premise Exchange Mailbox. This results in mail being taken off the on-premise Exchange server and residing in a local PST file on the user's workstation. This can result in potential data loss if the local PST is not backed up and the user's system becomes inaccessible. There are two built-in ways to migrate a user's PST to Exchange Online.

1. User Self-Service Method:
   a. If a PST archive is attached to the user's Outlook client, the user can simply drag and drop emails and mail folders from the PST archive to their primary mailbox.

Recommendation
Depending on the amount of emails, this process may cause Outlook to stop responding while it is processing the request so it's best to do after hours or while the user is working in OWA.

2. Office 365 PST Upload
   a. The latest instructions can be found here - https://technet.microsoft.com/en-us/library/mt644809.aspx
3. Go to https://protection.office.com.
4. Sign in to Office 365 using the credentials for an administrator account in your Office 365 organization.
5. In the left pane, click Data management and then click Import.
6. On the Import page, click Go to the Import service.
7. On the Import files to Office 365 page, click New job +, and then click Upload files over the network.
8. On the Upload files over the network page, click Download the Azure AzCopy tool.
9. In the pop-up window, click Run to install the Azure AzCopy tool.
10. Install the Azure AzCopy tool to the default file location.
11. On the Upload files over the network page, under Copy secure network upload SAS key, click Copy network upload SAS key.
12. Copy the key that is displayed in the box and save it in the file. Be sure to copy the entire key.
13. Under Copy the secure network upload URL, click Show URL for PST files. This URL is used to identify the location in Office 365 where the PST files that you upload in Step 3 will be stored.
14. Copy the URL that is displayed in this box and save it in the file. Be sure to copy the entire URL.
15. Open a Command Prompt on your local computer.
16. Go to the directory where you installed the AzCopy.exe tool in Step 1. If you installed the tool in the default location, go to %ProgramFiles(x86)%\Microsoft SDKs\Azure
17. Run the following command to upload the PST files to Office 365.
18. AzCopy.exe /Source:\\FILESERVER01\PSTs /Dest:"https://vte�i>blob.core.windows.net/ingestiondata" /DestSAS:<SAS key> /V:C:\Users\Admin\Desktop\Uploadlog.log
19. Download a copy of the PST Import mapping file.
20. Open or save the CSV file to your local computer. The following example shows a completed PST Import mapping file (opened in Notepad). It's much easier to use Microsoft Excel to edit the CSV file.
21. Workload,FilePath,Name,Mailbox,IsArchive,TargetRootFolder,SPFileContainer,SPManifestContainer,SPSiteUrl
   a. Example

      Workload  FilePath  Name              Mailbox                       IsArchive  TargetRootFolder  SPFileContainer  SPManifestContainer  SPSiteUrl
      Exchange            annb.pst          annb@contoso.onmicrosoft.com  FALSE      /Inbox
      Exchange            annb_archive.pst  annb@contoso.onmicrosoft.com  FALSE      /Inbox

22. Go to https://protection.office.com.
23. Sign in to Office 365 using the credentials for an administrator account in your Office 365 organization.
24. In the left pane, click Data management and then click Import.
25. On the Import page, click Go to the Import service.
26. On the Import files to Office 365 page, click New job +, and then click Upload files over the network.
27. On the Upload files over the network page, click the I'm done uploading my files and I have access to the mapping file check boxes, and then click Next.
28. Type a name for the PST Import job, and then click Next.
29. Click Add + to select the PST Mapping file that you created in Step 5.
30. After the name of the CSV file appears in the list, select it and then click Validate to check your CSV file for errors.
   a. The CSV file has to be successfully validated to create a PST Import job. If the validation fails, click the Invalid link in the Status column. A copy of your PST Import mapping file is opened, with an error message for each row in the file that failed.
31. When the PST mapping file is successfully validated, read the terms and conditions document, and then click the checkbox.
32. Click Finish to submit the job.
   b. The job is displayed in the list of PST Import jobs on the Import files to Office 365 page.
33. Select the job and click Refresh to update the status information that is displayed in the details pane.
34. In the details pane, click View details to get the latest status for the selected job.

Recommendation: Alternatively, PSTs can be loaded onto a physical hard drive and shipped to a Microsoft datacenter. Instructions can be found here - https://technet.microsoft.com/en-us/library/mt651604.aspx

eDiscovery Integration

Litigation hold and eDiscovery is an integrated component of Exchange Online and available to any user who has an Exchange Online Plan 2 license. More information can be found here - https://technet.microsoft.com/en-us/library/dd298021(v=exchg.150).aspx

1. Assign permissions to run eDiscovery.
   a. Log into Exchange Online admin Console - https://outlook.office365.com/ecp/
   b. Navigate to Permissions > Admin Roles
   c. Edit the built-in Discovery Management group.
   d. Add users or groups that will have permission to run eDiscovery.
2. Log into https://protection.office.com
3. Navigate to Search & Investigation > eDiscovery
4. Create a new eDiscovery case.
   a. Provide a name for the case.
   b. Select which users or groups will have access to this case.
   c. Select Finish.
   d. Edit the eDiscovery case that was created.
      a. Create legal holds for mailboxes.
      b. Create new searches for mailboxes.

Key Usage Scenarios

The following usage scenarios were identified as part of the planned use of Exchange.
These scenarios are key focus areas which are included based on the workloads and success roadmap.

FEATURE: Data loss prevention
DESCRIPTION: Data loss prevention (DLP) is an important issue for enterprise message systems because of the extensive use of email for business critical communication that includes sensitive data. In order to enforce compliance requirements for such data, and manage its use in email, without hindering the productivity of workers, DLP features make managing sensitive data easier than ever before.
MORE INFO: https://technet.microsoft.com/en-us/library/jj150527(v=exchg.150).aspx

FEATURE: Document Collaboration
DESCRIPTION: Another common frustration with email today is dealing with attachments. Maybe you've asked for feedback on a document only to have to manually merge back changes from all the recipients. Maybe you need the context from someone's email to help inform the review of the document they included, and have to keep toggling back and forth. Even if you're leveraging the cloud for storage and collaboration, sending links to files can be tedious.

FEATURE: In-Place Hold and Litigation Hold
DESCRIPTION: You can use In-Place Hold or Litigation Hold to accomplish the following goals:
• Place user mailboxes on hold and preserve mailbox items immutably.
• Preserve mailbox items deleted by users or automatic deletion processes such as MRM.
• Use query-based In-Place Hold to search for and retain items matching specified criteria.
• Preserve items indefinitely or for a specific duration.
• Place a user on multiple holds for different cases or investigations.
• Keep holds transparent from the user by not having to suspend MRM.
• Enable In-Place eDiscovery searches of items placed on hold.
MORE INFO: https://technet.microsoft.com/en-us/library/ff637980(v=exchg.150).aspx
FEATURE: Archive mailboxes in Exchange Online
DESCRIPTION: Archive mailboxes (called an In-Place Archive in Exchange Online) help people in your Office 365 organization take control of messaging data by providing additional email storage. Using Outlook or Outlook Web App, people can view messages in their archive mailbox and move or copy messages between their primary and archive mailboxes. After the archive mailbox is enabled, messages in a person's primary mailbox that are older than two years are automatically moved to the archive mailbox by the default retention policy that's assigned to every new mailbox created in your organization.
MORE INFO: https://technet.microsoft.com/en-us/library/dn922147(v=exchg.150).aspx

FEATURE: Messaging records management
DESCRIPTION: Users send and receive email every day. If left unmanaged, the volume of email generated and received each day can inundate users, impact user productivity, and expose your organization to risks. As a result, email lifecycle management is a critical component for most organizations. Messaging records management (MRM) is the records management technology in Microsoft Exchange Server 2013 that helps organizations manage email lifecycle and reduce the legal risks associated with email.
MORE INFO: https://technet.microsoft.com/en-us/library/dd335093(v=exchg.150).aspx

FEATURE: In-Place eDiscovery
DESCRIPTION: If your organization adheres to legal discovery requirements (related to organizational policy, compliance, or lawsuits), In-Place eDiscovery in Microsoft Exchange Server 2013 and Exchange Online can help you perform discovery searches for relevant content within mailboxes. Exchange 2013 and Exchange Online also offer federated search capability and integration with Microsoft SharePoint 2013 and Microsoft SharePoint Online. Using the eDiscovery Center in SharePoint, you can search for and hold all content related to a case, including SharePoint 2013 and SharePoint Online websites, documents, file shares indexed by SharePoint (SharePoint 2013 only), mailbox content in Exchange, and archived Lync 2013 content. You can also use In-Place eDiscovery in an Exchange hybrid environment to search on-premises and cloud-based mailboxes in the same search.
MORE INFO: https://technet.microsoft.com/en-us/library/dd298021(v=exchg.150).aspx

Adoption and Use Summary

Pre-Launch

These are the activities planned to be completed prior to the success plan launch. Timelines are relative to the primary deployment date in weeks.

TIMELINE | CATEGORY | DESCRIPTION | OWNER
N-5 | Community | Create a Yammer group to engage with pilot members and anyone interested before launch. | Community Manager
N-5 | Communications | Send a "Countdown email" to let your audience know what's coming, set expectations, and spark interest by focusing on the "What's in it for me?". | Communication Lead
N-4 | Support | Ensure your helpdesk is trained & ready for launch. | Training Lead
N-4 | Engagement Events | Host an in-person event to train champions & pilot members. Use customizable training decks mapped to the most fundamental Office 365 usage scenarios. | Training Lead
N-3 | Training | Use an internal team site to store training resources such as getting started guides and tips & tricks. You can also direct users to Microsoft's public Learning Center. | Training Lead
N-3 | Measurement | Circulate a baseline survey shortly before champions participating in your soft launch receive activated accounts and devices, to gather data about their knowledge of Office 365. | Project Manager
N-3 | Communications | Ensure that Office 365 has a visual presence throughout your locations with posters, flyers, educational booklets, and other print messaging. | Communication Lead
N-2 | Measurement | Release a survey halfway through your soft launch to gather data about champions' experiences with Office 365, and use the results to make any adjustments prior to a general rollout. | Project Manager
N-2 | Communications | Work with Internal Communication to make announcements across your Company Portal, IT Portal, etc. as needed. | Communication Lead
N-2 | Communications | Play teaser videos during pre-launch event(s), perhaps by the elevator(s) or by the cafeteria. It's a great way to generate buzz and excitement. | Communication Lead
N-1 | Measurement | Use a final survey immediately after the champions' soft-launch period to determine whether you need to make further adjustments to your general training and awareness materials. | Project Manager
N-1 | Engagement Events | Host an in-person event where users can discover Office 365, talk to a project team member at various scenario stations, and access training resources. Have the event in a high-traffic area such as a lobby or lunch room. | Training Lead

Launch

These are the activities planned to be completed on the day or week of the launch. Timelines are relative to the primary deployment date in weeks.

TIMELINE | CATEGORY | DESCRIPTION | OWNER
N-1 | Measurement | Circulate a baseline survey shortly before users receive activated accounts and devices, to gather data about their knowledge of Office 365. | Project Manager
N | Communications | Send out an "Announcement email" to let users know what's available, how to get started, and where to go to find help and resources. | Communication Lead
N | Engagement Events | Host a large-scale launch event, such as a company all-hands or town hall style meeting, in which the executive sponsor and rollout team can officially introduce Office 365 and discuss the value proposition. | Communication Lead

Post-Launch

Adoption activities identified to continue beyond your success plan completion. Timelines are relative to the primary deployment date in weeks.

TIMELINE | CATEGORY | DESCRIPTION | OWNER
N+2 | Communications | Periodically share tips with end-users by using the "tips & tricks" email templates to sustain momentum and broaden the use of each scenario. | Communication Lead
N+2 | Communications | Periodically share tips with end-users by using the "tips & tricks" email templates to sustain momentum and broaden the use of each scenario. | Communication Lead
N+2 | Engagement Events | Periodically host in-person events (bi-weekly or monthly Buzz Days) where users can browse Office 365, talk to a project team member at various scenario stations, and access training resources. Have the event in a high-traffic area such as a lobby or lunch room. | Training Lead
N+4 | Communications | Periodically share tips with end-users by using the "tips & tricks" email templates to sustain momentum and broaden the use of each scenario. | Communication Lead
N+4 | Engagement Events | Periodically host in-person events (bi-weekly or monthly Buzz Days) where users can browse Office 365, talk to a project team member at various scenario stations, and access training resources. Have the event in a high-traffic area such as a lobby or lunch room. | Training Lead
N+4 | Measurement | Release a survey halfway through your launch to gather data about users' experiences with Office 365 and use the results to make any necessary adjustments. | Project Manager
N+6 | Communications | Periodically share tips with end-users by using the "tips & tricks" email templates to sustain momentum and broaden the use of each scenario. | Communication Lead
N+6 | Engagement Events | Periodically host in-person events (bi-weekly or monthly Buzz Days) where users can browse Office 365, talk to a project team member at various scenario stations, and access training resources. Have the event in a high-traffic area such as a lobby or lunch room. | Training Lead
N+6 | Measurement | After your organization-wide rollout, use a final survey to assess user satisfaction. You can release this survey 90 days after launch, and then in quarterly increments to continue to measure user adoption from a satisfaction and productivity standpoint. | Project Manager
Monthly | Measurement | Track results based on your previously defined Success Metrics and measure progress against your benchmark. Periodically report results to key stakeholders. | Project Manager
Ongoing | Support | Maintain a Frequently Asked Questions (FAQ) list to address the most anticipated questions. Post the FAQ on your internal site, or Yammer group, and assign a team to update it regularly. | Training Lead
Ongoing | Training | Along with end-user training, be sure to communicate your organization's specific policies and best practices so users are aware of specific guidelines and how they're expected to use Office 365. | Training Lead
Ongoing | Measurement | Capture success stories & showcase them through "Spotlight Days," where an employee or team are recognized for their successful use of Office 365, and in-person "Buzz Days" to inspire users. | Community Manager
Ongoing | Community | Make sure to encourage your users and champions to develop ideas for how Office 365 can improve business practices and to share them with others via a Yammer group. Use these ideas to generate additional usage scenarios and kick off additional trainings. | Community Manager
Ongoing | Support | Keep an eye on Office 365 Service Updates and leverage our communication templates to let people know about new features released to the service. | Project Manager

Scenarios and Solutions

Below is the list of scenarios and solutions that have been selected for your success plan.

Scenario: Email and calendar on the go
Target Group: All
Description: Did you know Office 365 is the one destination for email, calendars, files, contacts and tasks? During your morning train commute you can coordinate meetings on the go, access synchronized contacts, check your task list and use intelligent tools to manage your inbox so you can quickly deal with the most important matters.
Solution: Post attachments to OneDrive for Business to easily share your work with others, inside or outside your organization, while always maintaining just one version of your file. Use People View to read important messages first, from those they communicate with most often, and use Search in both Outlook and Outlook Web App to find exactly what you're looking for while on the go. You can search by sender and date, and also use the filter to get what you want quickly. Avoid scheduling hassles by easily sharing calendars and viewing others' availability. Scheduling Assist allows you to see the availability of all attendees and nearby conference rooms directly from a meeting invitation. With a click of a button, you can also add Skype for Business Meeting information.
Technologies: Office Client, Exchange

Scenario: Get it done from anywhere
Target Group: All
Description: PC, Mac, tablet, phone? People work across a variety of devices from different locations and all need a consistent, clean, and fast experience. Office 365 gives people access to everything they need to get the job done from anywhere. Files and settings are synced from one device to the next, creating freedom and reliability for your team.
Solution: Experience Office, including Word, Excel, PowerPoint, OneNote, Outlook and Skype for Business, from your favorite device. You can edit and share files and notes, access your email, and join online meetings directly from your phone or tablet. Store documents in document libraries using OneDrive for Business and SharePoint Online, and collaborate with others in real time using Office and Office Online. Create polished documents using Word, Excel and PowerPoint, share documents to Yammer to collect feedback and facilitate ideation, and present results to stakeholders using Skype for Business.
Technologies: Office Client, SharePoint

Scenario: Make meetings matter
Target Group: All
Description: Getting the right people working together isn't always simple in our on-the-go world. Skype for Business makes it easy for people to meet and connect online, from wherever they are on multiple devices. Join or start a meeting with just one click, whether across the hall or across the globe. HD video, screen sharing, and real-time note taking help meetings matter, by producing actionable results and decisions for your team.
Solution: Schedule virtual meetings on the fly using Skype for Business, with the ability to join meetings from Outlook or the Skype for Business mobile app while on the go. Take collaborative notes in real time using the shared notes option within Skype for Business. For those unable to attend, record the meeting to keep everyone on the same page and share the recording and meeting notes to a team site or Yammer group.
Technologies: Skype for Business

Scenario: Collaborate on content
Target Group: All
Description: Connecting you to the documents and information you need, when you need them, as you work with the people you rely on to help you get things done. SharePoint Online and OneDrive for Business empower teams to collaborate on documents, share reports with partners, and connect with customers — from virtually any device.
Solution: Use OneDrive for Business to store up to 1 TB of personal documents and access your documents from your PC/Mac, tablet, iPad, or phone. Store files in OneDrive for Business or SharePoint Online document libraries, and efficiently share documents while maintaining privacy control: Files are private by default, but can be shared inside or outside your organization to allow others to edit or review in real time. Use versioning in SharePoint or track changes in Word to keep track of modifications and revert changes at any time. Share files to Yammer to spark conversations and request feedback, all while working within Office Online.
Technologies: SharePoint

Scenario: Bring your team together
Target Group: All
Description: Yammer helps your organization listen, adapt, and grow in new ways by working like a network. More than a content repository, it's a place where your teams can discuss various aspects of a project, share ideas, give feedback, take notes together, review the same documents, and much more. Yammer makes connecting your distributed workforce easy. It helps employees get answers to questions faster with an open community feed. And most importantly, it inspires unity and innovation by allowing people to learn, share, and be heard.
Solution: Have discussions and strengthen communication between team members by working out loud within a Yammer network. With Yammer, conversations only happen in private when they need to and everyone benefits from shared information. Give your staff a voice to share their knowledge and skills with others so that you can make the most out of what you know. By completing their Yammer profile, coworkers can discover new connections and recognize ways to work together. Use Yammer to discover things you wouldn't have normally found otherwise: the right people, documents and conversations you need to get your best work done.
Technologies: Yammer

Scenario Resources

Use the scenario specific resources to help you deliver the scenario to the users in your plan.
Scenario: Get it done from anywhere

About the scenario
Giving your employees the freedom to work when and where they need to—on their favorite devices—can increase productivity, simplify team collaboration, and enhance their work-life balance. With Office 365, anything you can do in the office, you can now do on the go.

Resources
Announcement Template [en-US]
Countdown Template [en-US]
Flyer Template [en-US]
Poster Template [en-US]
Scenario Learning Path
Tips for using Excel in Office 365 en-US
Tips for using OneNote in Office 365 en-US
Tips for using Word and PowerPoint en-US
Training Template [en-US]

Additional Resources

Hybrid Resources

This section provides additional documentation about hybrid deployment:

RESOURCES
Integrating your on-premises identities with Azure Active Directory - https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect/
Hybrid Deployments with Exchange 2010 SP3 and Exchange 2003 - https://technet.microsoft.com/en-us/library/hh882407(v=exchg.141).aspx
Understanding Certificate Requirements for Hybrid Deployments - https://technet.microsoft.com/en-us/library/hh563848(v=exchg.141).aspx
Hybrid Configuration wizard - https://technet.microsoft.com/en-us/library/hh529921
How and when to decommission your on-premises Exchange servers in a hybrid deployment - https://technet.microsoft.com/en-us/library/dn931280(v=exchg.150).aspx
Office 365 URLs and IP address ranges - https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US

Office 365 Service Availability Design

This section introduces the key elements to keep you informed of upcoming changes and monitor service impacting events:

RESOURCES
Stay informed about upcoming features and changes: http://roadmap.office.com
Learn about new features and stay informed with Office 365 news: http://blogs.office.com
View tenant level notations about changes or features: Message Center — in the Office 365 Admin Center
Discuss Office 365 with the community: http://aka.ms/Office365Network
Stay informed about service impacting events: Via the Office 365 admin center - https://portal.microsoftonline.com

Tangent (Microsoft Partner)
191 Airport Blvd, Burlingame, CA 94010
650.342.9388 x 2131

City Of San Rafael
Att: Gus Bush
PO Box 151560
San Rafael, CA

Quote Date: 5/31/2016
Valid Until: 6/30/2016
Quote #: 423030
Customer ID: CISA014

0365-MIG | Email Migration Labor (hours) | 40 | $ 150.00 | $ 6,000.00
0365-Sup | Office 365 Migration Post Sales - Gold Support (Annual) | 1 | $ 1,250.00 | $ 1,250.00
0365-PFM | Public Folder Migration Tools | Per Folder | $ 12.00 | TBD
Gov Dis | 15% Government Discount | | | $ (1,087.50)

Subtotal: TBD
S&H:
Tax: $
TOTAL: TBD

Above information is an estimate of services/goods described above. Payment will be collected in prior to provision of services/goods described in this quote. Thank you for your business!
Should you have any inquiries concerning this quote, please contact Tom Holmes on 650-342-9388 x 2131
e: tomh@tangent.com
www.tangent.com

Exhibit B

PROFESSIONAL SERVICES AGREEMENT/CONTRACT COMPLETION CHECKLIST AND ROUTING SLIP

Below is the process for getting your professional services agreements/contracts finalized and executed. Please attach this "Completion Checklist and Routing Slip" to the front of your contract as you circulate it for review and signatures. Please use this form for all professional services agreements/contracts (not just those requiring City Council approval). This process should occur in the order presented below.

Step | Responsible Department | Description | Completion Date
1 | City Attorney | Review, revise, and comment on draft agreement. |
2 | Contracting Department | Forward final agreement to contractor for their signature. Obtain at least two signed originals from contractor. |
3 | Contracting Department | Agendize contractor-signed agreement for Council approval, if Council approval necessary (as defined by City Attorney/City Ordinance*). |
4 | City Attorney | Review and approve form of agreement; bonds, and insurance certificates and endorsements. |
5 | City Manager / Mayor / or Department Head | Agreement executed by Council authorized official. |
6 | City Clerk | City Clerk attests signatures, retains original agreement and forwards copies to the contracting department. |

To be completed by Contracting Department:
Project Manager: Gus Bush
Project Name: Tangent Office 365 PSA
Agendized for City Council Meeting of (if necessary):
FPPC: ❑ check if required

If you have questions on this process, please contact the City Attorney's Office at 485-3080.

* Council approval is required if contract is over $20,000 on a cumulative basis.