Forum Discussion
Jerry Meyer
Mar 20, 2017Iron Contributor
The question nobody dares to ask! How do you create a new user in a hybrid environment.
Hi, the last couple fo days the question how to create a new user in a hybrid exchange environment is floating around in my head. Most of the time when i create a user i create a onpremise accoun...
- Mar 20, 2017
The best practice is whatever works for your user management workflows. You can create it either way. In a hybrid you can move mailboxes back and forth whether they were created on-prem or in the cloud.
One caveat with New-RemoteMailbox is that it can't do Shared mailboxes. Those you need to create on-prem and then move, or, create in EXO as a user mailbox and then convert to Shared. Either way, same result.
Martin Meraner
Mar 20, 2017Brass Contributor
Also not an answer to your question, but a comment. We were advised by our consultants too, to do exactly what you describe. And indeed it is a back and forth between the systems, especially if you do it manually (note I talk here still of experience with dirsync).
We also had cases where admins would create e.g. distribution groups only on EXO. That gave some issues with adding members of only on-premise users (obviously). So from my experience the procedure makes sense, as the hyrbrid setup does not enforce the online setup to sync back entirely (note, still just talking about dirsync).
Additionally I noted that there is a difference attribute wise on the user AD object if you create the user in the AD and then mail enable it, or directly let create the AD user object in Exchange (all on-premise).
So I ended up making a script that
- creates the AD user object and the mailbox on our Exchange server (Exchange managment shell)
- forces a dirsync run
- assigns a license once the user is visible in O365
- create a move request, once the mail user is visible in EXO (that is different than the msol user object)
If there is a shorter or recommended way, I am also very interested (AD sync experience differences included).
- ShrenikSalgunaFeb 18, 2019Copper ContributorCould you kindly share the script where you create the user in AD and force the dir-sync.
What i'm trying to achieve is to make the whole process automated
The user fields(properties) will be generated by a CSV file
1.Create the user in AD OU that is AD-Connected
2.force AD Sync
3.Assign License (by PS script) - we use only two types of license: Business Premium and E3
4.Send Notification to Admin that email account was activated.- Martin MeranerMar 18, 2019Brass Contributor
I use the on-premise Exchange server to create the user if that helps you (note the below cannot simply be used, just for inspiration)
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://[yourExchangeServer].dca.dk/PowerShell/ -Authentication Kerberos -Credential $adminCredential
Import-PSSession $Session -Prefix XXX
$remoteMailbox = New-XXXRemoteMailbox -Alias $initials -SamAccountName $initials -UserPrincipalName $userUPN `
-Name $fullName -FirstName $firstname -LastName $lastname -DisplayName $fullName `
-Password (ConvertTo-SecureString -AsPlainText $password -Force) -ResetPasswordOnNextLogon $false `
-OnPremisesOrganizationalUnit $ou.DistinguishedName `
-Confirm:$false `
-DomainController $domainController -PrimarySmtpAddress $userUPN # `
#-Archive #latest addition to have an archive mailbox active
Start-Sleep -Seconds 8 -Verbose
$remoteMailbox | Set-XXXRemoteMailbox -EmailAddressPolicyEnabled $True
Remove-PSSession $Sessionand for sync I run the following:
$Session = New-PSSession -ComputerName [syncserver].dca.dk -Authentication Kerberos -Credential $adminCredential
$JobSync1 = Invoke-Command -Session $Session -Scriptblock { Import-Module ADSync }
$JobSync2 = Invoke-Command -Session $Session -Scriptblock { Start-ADSyncSyncCycle -PolicyType Delta }
Remove-PSSession $Session - John PinegarFeb 19, 2019Copper Contributor
ShrenikSalguna wrote:
Could you kindly share the script where you create the user in AD and force the dir-sync.
What i'm trying to achieve is to make the whole process automated
The user fields(properties) will be generated by a CSV file
1.Create the user in AD OU that is AD-Connected
2.force AD Sync
3.Assign License (by PS script) - we use only two types of license: Business Premium and E3
4.Send Notification to Admin that email account was activated.I posted my script in the following location because I used the OP's script as the starting point for my script. I have since added valuable functionality to my script and will be posting an update as soon as I take the time to remove all my company information from it.
- Ivan54Mar 20, 2017Bronze Contributor
Martin Meraner wrote:So I ended up making a script that
- creates the AD user object and the mailbox on our Exchange server (Exchange managment shell)
- forces a dirsync run
- assigns a license once the user is visible in O365
- create a move request, once the mail user is visible in EXO (that is different than the msol user object)
If there is a shorter or recommended way, I am also very interested (AD sync experience differences included).
I'm not sure your path is correct, but I believe you have to enable the license AFTER the mailbox move. Because when you enable it before, you're pratically provisioning a cloud mailbox additionally to the existing onPrem Mailbox. It could be though that the remote move request to Exchange Online understands this, deprovisions the existing cloud mailbox, moves the onPrem, and enables is it afterwards.
Might not be an issue if the users doesn't technically exist yet, but there might be a small time window where the user could access the cloud mailbox, before his onPrem is properly moved.
- Paul BridgesMar 20, 2017Copper Contributor
If the environment is Hybrid, licensing the user prior to the mailbox move is fine, it will not create a duplicate mailbox.
- Jimmy WhiteOct 11, 2019Copper Contributor
Paul Bridges Incorrect, if no on-premise mailbox exists when the account is synced and licenced, it will create a mailbox. And this leads to major problems with the user not being able to receive mail (depending on your mail routing), not appearing in the GAL and a real pain to sort out.