Email Coexistence for BPOS and Exchange: Part 1 - Introduction and Verifying Your Domain
Microsoft’s cloud service, the Business Productivity Online Standard (BPOS) Suite is designed to integrate with your existing on-premise Exchange system. BPOS can host your mail domains in parallel with your own servers. It also can sync with your own Active-Directory, making it simple to migrate users to BPOS.
This is the first article of a three-part series. In this article, we’ll look at how Exchange coexistence with the cloud works, and start working through the technical steps to make this happen.
What is Email Coexistence?
First a definition: email coexistence refers to keeping some of your users on your own on-premise Exchange servers, and migrating other users over to BPOS – but you want all users to have the same SMTP domain. So in the example scenario in this article, all users keep their existing addresses in the bpostutorials.com domain.
In our example, some users would use Exchange the traditional way – with a mail client like Outlook pointed at in-house mail servers. However, some users have been migrated over to BPOS, and their mail client is pointed to cloud servers. But all users have email addresses in the same domain, and all of them show up in the same Global Address List (GAL), making corporate-wide communication easy.
Email coexistence is a great solution, but it is not perfect. There are a few things you should be aware of:
- This is an either/or scenario – users can’t maintain a mailbox on both systems. Old mailboxes on the on-premise Exchange should be removed as quickly as possible.
- Free/busy data does not get exchanged between the two systems, so on-premise users can’t see free/busy data for BPOS users. For this reason, it may make the most sense to migrate entire workgroups to BPOS rather than just a few users.
- One other feature that doesn’t work between the two environments is mailbox delegation – another reason to migrate entire workgroups at once.
How Email Coexistence Works
Before we start configuring email coexistence, a high-level overview of mail traffic flow is important. With coexistence, mail is routed as follows:
- First, all incoming mail for our example domain, bpostutorials.com, continues to go to an on-premise Exchange system.
- Second, the on-premise Exchange server receives the mail. The local Active-Directory syncs with BPOS, and a migration tool tells Exchange if the mail recipient is local, or has been activated in BPOS. Then, depending on the setting for each user, the Exchange server either delivers mail locally or forwards it over to BPOS.
- Finally, BPOS receives the forwarded mail, and delivers it to users’ mailboxes.
Behind the scenes, this all works through some clever sleight of hand on the user’s behalf. The secret? The BPOS mailboxes don’t actually use your domain as their SMTP domain. BPOS uses a microsoftonline.com domain instead, such as bpostutorial.microsoftonline.com.
So, mail is simply being forwarded back and forth between two domains: bpostutorials.com, and bpostutorial.microsoftonline.com.
However, the system tricks users by displaying their login, mailbox, and sent mail as being part of the bpostutorials.com domain – hiding the long microsoftonline.com domain and saving users the agony of changing email addresses.
Step-by-Step: How to Configure Email Coexistence
Now that you understand the basic mail traffic flow, configuring mail coexistence takes a few simple steps.
1. Add your own domain to BPOS and enable external relay
2. Verify the domain
3. Verify email traffic flow
4. Enable Active Directory synchronization
5. Activate migrated users
6. Migrate mailboxes to BPOS
7. Optional steps: Configure SPF and secure the mail flow
Let’s go through each of these steps in detail. We’ll cover steps one and two in this article, and finish off the process in our next articles in the series.
Step 1: Add Your Own Domain to BPOS and Enable External Relay
Open up the BPOS Admin site. Click on the Users tab, then the Domain menu item. Then, click the “New” link in the upper-right corner.
Enter your Domain name in the new window that opens up – in my example I’ve used bpostutorials.com. And, since we’re setting up email coexistence in this article, click the option for “External Relay.”
(For a step-by-step guide to use BPOS as your primary mail system instead of email coexistence mode, check out our article on using your own custom domains with BPOS.)
Click “Create” and a window like the one below will be displayed. Select the box to “Start the Verification Wizard” if you’re ready to go to the next step, and verify the domain now.
Step 2: Verify Your Domain
Verifying a domain is accomplished by creating a DNS entry called a CNAME, or Alias. Your DNS records are generally hosted by your domain registrar, though in some cases your DNS may be hosted elsewhere.
First we need Microsoft to tell us how to configure the CNAME. If you didn’t select the option to start the Verification wizard in the previous step, then go back to the Users tab, and click on the Domains menu item. The newly added domain will now appear in the domains list. Click the “Verify Now” link.
Select your registrar from the drop-down if available, otherwise select “Other” and click “Next“.
On the next screen you’ll be provided with DNS settings that you’ll need to configure with your domain registrar. Don’t use the ones in the screenshot here, they will all be unique. Make a note of the Host name, and “Points To” information.
Keep this window open. Now, fire up a new browser window and log in to your domain registrar’s admin site. The example below was created using Go Daddy, but most registrars will have a similar tool. Microsoft has also compiled a detailed list of instructions for popular registrars.
Open up your registrar’s DNS tool and add a CNAME record. For example, with Go Daddy I would click the “Add New CNAME Record” button on the right-hand side of the screen.
Enter the Alias information that BPOS gave you. Note that you usually don’t have to fully qualify an Alias (i.e. the full domain name isn’t required, just the host name).
Success! Keep your registrar’s admin site open, because you’ll need it again in a minute.
Flip back to your BPOS window (you left that open, right?) and click the “Verify” button. If you did it right, then you should see a message like the one below. If it was unsuccessful, go back and confirm that you typed in the alias properly. Some registrars can take anywhere from 15 minutes to 72 hours to activate the new records.
If it’s not working, try doing a DNS lookup from another system to confirm that the alias is configured properly. BPOS won’t verify the domain until it can resolve the new alias you created to the server name it provided you in the previous steps.
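One way to script that lookup check, added here as an example and not part of the original article: it asks a public resolver for the verification CNAME and classifies the answer as verified, mistyped, or not yet propagated. The Host name and Points To values are constructed placeholders standing in for the unique ones your wizard shows, and it assumes `dig` is installed.

```python
import subprocess

# Constructed placeholders; substitute the Host name and Points To values from your wizard screen.
HOST = "ms-verify-placeholder.bpostutorials.com"
TARGET = "placeholder-target.microsoftonline.com"


def normalize(name: str) -> str:
    """DNS names are case-insensitive and dig prints a trailing dot; compare canonically."""
    return name.strip().rstrip(".").lower()


def parse_cname_answers(dig_output: str) -> list:
    """Return (owner, target) pairs from dig output: handles `dig +short` lines (bare
    target, owner None) and full answer lines `owner. TTL IN CNAME target.`."""
    records = []
    for line in dig_output.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(";"):  # blank or comment line
            continue
        if len(parts) >= 5 and parts[2].upper() == "IN" and parts[3].upper() == "CNAME":
            records.append((normalize(parts[0]), normalize(parts[4])))
        elif len(parts) == 1:
            records.append((None, normalize(parts[0])))
    return records


def check_verification_cname(dig_output: str, host: str, expected_target: str) -> str:
    """Classify the resolver's answer for the verification alias:
    "ok"       alias points at the expected target, so BPOS can verify the domain
    "mismatch" a CNAME exists but points elsewhere (typo in the registrar's tool)
    "missing"  no CNAME seen yet (record not added, or still propagating)"""
    host, expected = normalize(host), normalize(expected_target)
    targets = [t for owner, t in parse_cname_answers(dig_output) if owner in (None, host)]
    if not targets:
        return "missing"
    return "ok" if expected in targets else "mismatch"


def live_lookup(host: str, resolver: str = "8.8.8.8") -> str:
    """Ask a public resolver rather than your own cache, so a stale local answer does
    not hide a record that has already propagated (requires dig on PATH)."""
    cmd = ["dig", "@" + resolver, "+short", host, "CNAME"]
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    print(check_verification_cname(live_lookup(HOST), HOST, TARGET))
```

Run it from a machine other than the one whose resolver you suspect of caching, and repeat until it reports "ok" before clicking “Verify” in BPOS.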
Verify that you’ve configured everything correctly so far by going back to the Domains window. You should see your domain listed with a Status of “Verified”, Inbound messaging “Disabled”, and a Type that shows “External Relay”.
Once you’ve added and verified your domain, you’ll be ready for part II of this series. In part II we’ll synchronize Active-Directory with BPOS. In part III, we’ll cover the final pieces of the puzzle: activating and migrating users.