Forum Discussion
Remove On Premises exchange Hybrid and go fully Online
Hello,
I currently have a scenario where there is a Hybrid Exchange environment with 1 server. All my mailboxes have been migrated online.
I would like to completely remove dependency on local AD and I do not care about AD synchronization.
How do I "tell" the O365 tenant to function on its own so that I can manage 100% from 365 Administration?
I do understand that my MX and other DNS records will need to be changed.
Are there any solid guides out there on decommissioning the on-premises Exchange server? I want to do this with the least impact on users.
Thanks,
Keith
124 Replies
- DoscoeDerek (Copper Contributor)
I have almost the same question as the OP, Keith Caines (well done starting a conversation that lasted 2 years bud!). I am re-asking the question specific to a Minimal Hybrid configuration.
Scenario:
- Exchange 2010 with Minimal Hybrid configuration
- No need for ongoing sync AD with Azure/365
- All mailboxes have been moved to 365
At this point what is the process to retire Exchange safely and correctly? As I understand it...
- Replace DNS records with 365 tenant info
- Remove Service Connection Point from 2010 (AutoDiscoverServiceInternalUri)
- Turn off directory synchronization
- Uninstall Exchange
Am I missing anything? I'm trying to be careful because minimal hybrid does not have connectors and organizational sharing (IntraorganizationConnector & OrganizationRelationship) mentioned in the MS decom document.
Also AAD Connect does not have "Exchange Hybrid" configured.
One more thing I'm not sure about: Remove-FederationTrust is not mentioned in the MS decom document and I don't know why.
So there are a few differences from retiring a full hybrid deployment and I don't want to leave some mystery setting in there that could bite us later.
I really appreciate whatever confirmation or advice you have! Thanks!
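Added example (not from this thread, and not Microsoft's decommissioning script): a pre-flight inventory for the steps listed above, run in the Exchange 2010 Management Shell on the last hybrid server. It assumes Exchange 2010 SP3 or later so that Get-/Remove-HybridConfiguration exist; the server name is a placeholder and the function name is invented. It lists what is still homed on the server (mailboxes, organization relationships, federation trusts, send connectors, anonymous-relay receive connectors) and clears the Autodiscover SCP, which is the setting that would otherwise keep directing clients at a server that no longer exists. Every removal is a dry run unless -Commit is given; uninstalling Exchange itself is deliberately left to setup.

```powershell
# Added example for retiring a minimal hybrid, not the thread's or Microsoft's code.
# Run in the Exchange 2010 SP3+ Management Shell on the last hybrid server.
function Invoke-HybridRetirementCheck {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ServerName,   # placeholder, e.g. 'EX2010-01'
        [switch] $Commit                                # without it, nothing is changed
    )

    # 1. Nothing should still be homed on-premises. Any mailbox listed here
    #    (arbitration mailboxes aside) has not been moved yet.
    $localMailboxes = @(Get-Mailbox -ResultSize Unlimited -ErrorAction SilentlyContinue)
    Write-Host ("On-prem mailboxes remaining: {0}" -f $localMailboxes.Count)
    $localMailboxes | Select-Object Name, PrimarySmtpAddress | Format-Table -AutoSize

    # 2. Inventory the hybrid objects the decommission guide talks about. A minimal
    #    hybrid may have none of them; the point is to know rather than assume.
    Write-Host "`nOrganization relationships:"
    Get-OrganizationRelationship | Select-Object Name, DomainNames, Enabled | Format-Table -AutoSize
    Write-Host "Federation trusts:"
    Get-FederationTrust | Select-Object Name, ApplicationUri | Format-Table -AutoSize
    # IntraOrganizationConnector only exists on newer Exchange versions; probe before calling.
    if (Get-Command Get-IntraOrganizationConnector -ErrorAction SilentlyContinue) {
        Write-Host "Intra-organization connectors:"
        Get-IntraOrganizationConnector | Select-Object Name, TargetAddressDomains | Format-Table -AutoSize
    }
    Write-Host "Send connectors (a source transport server entry here is a mail-flow dependency):"
    Get-SendConnector | Select-Object Name, AddressSpaces, SourceTransportServers | Format-Table -AutoSize
    # Devices and applications that relay anonymously through this server will
    # break when it goes; their allowed source ranges tell you where to look.
    Write-Host "Receive connectors allowing anonymous relay:"
    Get-ReceiveConnector | Where-Object { $_.PermissionGroups -match 'Anonymous' } |
        Select-Object Name, RemoteIPRanges | Format-Table -AutoSize

    # 3. The Autodiscover SCP: clients that still find this object in AD will be
    #    sent to a server that is about to disappear, so clear it explicitly.
    $cas = Get-ClientAccessServer -Identity $ServerName
    Write-Host ("`nAutodiscover SCP currently: {0}" -f $cas.AutoDiscoverServiceInternalUri)

    $whatIf = -not $Commit
    Set-ClientAccessServer -Identity $ServerName -AutoDiscoverServiceInternalUri $null -WhatIf:$whatIf
    if (Get-HybridConfiguration -ErrorAction SilentlyContinue) {
        Remove-HybridConfiguration -Confirm:$false -WhatIf:$whatIf
    }

    if ($whatIf) {
        Write-Host "`nDry run only. Re-run with -Commit after reviewing the inventory above."
    }
}

# Usage (dry run):
# Invoke-HybridRetirementCheck -ServerName 'EX2010-01'
```

Removing the HybridConfiguration object deletes only that object; the relationships, trusts and connectors the inventory lists are not touched by it and each needs its own decision. Directory synchronization is switched off on the tenant side, not from this shell.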
- MS_TechGuy (Copper Contributor)
Can just recommend this blog post:
https://petri.com/hafnium-highlights-the-problem-with-removing-the-last-exchange-server
- SimBur2365 (Brass Contributor)
For anyone coming here, this is now possible since 2019 CU12: https://docs.microsoft.com/en-us/exchange/manage-hybrid-exchange-recipients-with-management-tools
- RichardPettigrew (Copper Contributor)
Just wondering how you got on with this?
I have to work out how to do this for a customer who has a very aging SBS2011 server with a Hybrid (exch2010<>o365) config. AAD is running also. Thus, it is both an SBS 2011 Server decommission exercise and a Hybrid removal because the customer wishes to do away with the on-prem server and local Active Directory ENTIRELY and go forward with Azure AD joined computers instead and Office 365 only, with no local AD Domain Servers or Windows Server at all.
Thanks
- DeepakRandhawa (Iron Contributor)
Since you already have an Azure AD Connect server, just upgrade it to 4 vCPU, 8 GB RAM and 60 GB HDD, install Exchange 2016 and run the HCW, just to license this server (https://practical365.com/exchange-server/how-to-licence-exchange-hybrid-servers/)
Now after updating the MX, CNAME and TXT records you can remove the hybrid config (https://www.agileit.com/news/remove-hybrid-configuration-exchange-server-2010/) and decommission your server.
- Thorsten Stiebig (Brass Contributor)
DeepakRandhawa
You posted a link on how to license an Exchange hybrid server. The license is now offered in the HCW (Hybrid Configuration Wizard). So I have to finish the HCW and implement a hybrid Exchange organisation. Is it not possible to install the Exchange server only for management and without a hybrid installation?
- DeepakRandhawa (Iron Contributor)
You don't have to configure hybrid, just run the HCW, license the server and close the wizard.
- DBVW_George (Copper Contributor)
I'm getting ready to migrate my Exchange Server 2013 to Exchange Online in about 8 weeks. What if I don't implement Azure AD Connect, and simply manually configure the passwords online to match the passwords in on-premises AD? With only about 30 users, it would be easier for me to simply configure the same passwords in Azure AD manually (for the convenience of my users) than it would be to have AD Connect take care of that, but then have to continue maintaining the on-premises Exchange Server. Do I have to implement Azure AD Connect for some reason? And if not, and I don't, can I then do all my email admin (e.g. aliases, email addresses, hide from address book, distro groups, etc.) online?
- Are you keeping your on-premises AD?
- Deleted
Hello,
Hope these links below add some value to this discussion.
How & When to De-commission Hybrid: https://docs.microsoft.com/en-us/exchange/decommission-on-premises-exchange
can't manage the attribute msExchHideFromAddressLists from Office Admin Panel.: https://social.technet.microsoft.com/Forums/office/en-US/89b424a2-85fa-4b6b-b3b2-71eae2455556/msexchhidefromaddresslists-azure-ad-synchronisation?forum=onlineservicesexchange
Hide from Address List in Dirsynced environment: https://www.tachytelic.net/2017/11/office-365-hide-a-user-from-gal-ad-sync/amp/
The only reason why Microsoft recommends keeping 1 CAS server/Exchange Hybrid (free version) is to keep the msExch attributes intact. Once you decommission Exchange, it removes those attributes from AD as well. However, since you have AD Connect sync running, the source of authority for the synced objects is on-premises, and without those attributes it becomes hard to manage objects at times. Not everyone is a pro when it comes to modifying objects using ADSIedit or PS.
- Prashant Divakaran (Brass Contributor)
Deleted : Decommissioning the last Exchange server should not revert the schema, and the msExchange attributes are still available to be used. The only difference is that you won't have any Exchange console to do that modification process and also to ensure that the uniqueness of the SMTP address is maintained, as mentioned by somebody else earlier in this post.
- BrianSmith (Copper Contributor)
Deleted wrote:The only reason why Microsoft recommends to keep 1 CAS server/Exchange Hybrid (Free version) is to keep MSexch attributes intact. Once you de-commission Exchange, it removes those attributes from AD as well. However since you have AD Connect sync running the source of authority for the synced objects is on-premise & without those attributes it becomes hard to manage objects at times. Not everyone is a pro when it comes to modifying objects using ADSIedit or PS.
My question to this is: what makes it any different than if I never had Exchange on-prem and started using Office 365? The Exchange attributes wouldn't be attached to the user objects anyway. If all maintenance is to be handled in the cloud, why are the on-prem Exchange attributes needed?
- wroot (Silver Contributor)
BrianSmith, if you only create users in Office 365 (not syncing from local AD) then such a requirement does not apply. But I guess there can be a scenario where you use AD, never used Exchange and want to sync your AD users instead of creating them in Azure AD. I guess in that case you would have to install Exchange on-premises for such a hybrid setup.
- wroot (Silver Contributor)
Depends what attributes you are talking about. Most can be done via the regular AD console > Attribute Editor (no ADSI or PS needed).
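Added example (not posted by anyone in this thread): what managing the mail attributes directly in on-premises AD looks like once there is no Exchange console, as the replies above describe. It assumes the ActiveDirectory module (RSAT) on the admin workstation and the ADSync module on the AAD Connect server; the user names and domain are placeholders and the function names are invented. The two things an Exchange console would otherwise have done for you are handled explicitly: the script refuses to add a proxy address that another object already holds (duplicate addresses are what break sync and mail routing later), and it checks that the Exchange schema extension is present before touching msExchHideFromAddressLists.

```powershell
# Added example for mail-attribute management without an Exchange server; not the
# thread's code. ActiveDirectory module required; ADSync only on the AAD Connect box.
Import-Module ActiveDirectory

# True when the forest schema carries the Exchange extension. Without it there is
# no msExchHideFromAddressLists attribute to set; proxyAddresses is always there.
function Test-ExchangeSchemaPresent {
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter '(lDAPDisplayName=msExchHideFromAddressLists)' -ErrorAction SilentlyContinue
    return ($null -ne $attr)
}

# Returns the object already holding the address, or $null. Nothing enforces
# uniqueness on-premises once Exchange is gone, so check before writing.
function Find-ProxyAddressOwner {
    param([Parameter(Mandatory)][string] $SmtpAddress)
    Get-ADObject -LDAPFilter "(proxyAddresses=smtp:$SmtpAddress)" -Properties proxyAddresses |
        Select-Object -First 1
}

# Adds a secondary SMTP address. Lower-case 'smtp:' marks a secondary address;
# the single upper-case 'SMTP:' entry is the primary and is left untouched here.
function Add-MailAlias {
    param(
        [Parameter(Mandatory)][string] $SamAccountName,
        [Parameter(Mandatory)][string] $SmtpAddress
    )
    $user  = Get-ADUser -Identity $SamAccountName -Properties proxyAddresses
    $owner = Find-ProxyAddressOwner -SmtpAddress $SmtpAddress
    if ($owner -and $owner.DistinguishedName -ne $user.DistinguishedName) {
        throw "Address $SmtpAddress is already assigned to $($owner.DistinguishedName)"
    }
    if ($user.proxyAddresses -notcontains "smtp:$SmtpAddress") {
        Set-ADUser -Identity $SamAccountName -Add @{ proxyAddresses = "smtp:$SmtpAddress" }
    }
}

# Hides (or unhides) a synced user from the GAL via the AD attribute AAD Connect syncs.
function Set-HiddenFromGal {
    param(
        [Parameter(Mandatory)][string] $SamAccountName,
        [bool] $Hidden = $true
    )
    if (-not (Test-ExchangeSchemaPresent)) {
        throw 'msExchHideFromAddressLists is not in this forest schema; the Exchange extension is missing'
    }
    Set-ADUser -Identity $SamAccountName -Replace @{ msExchHideFromAddressLists = $Hidden }
}

# Pushes the change to Azure AD now instead of waiting for the scheduler.
# Run this one on the AAD Connect server.
function Start-AadDeltaSync {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}

# Usage (placeholder names):
# Add-MailAlias -SamAccountName 'jdoe' -SmtpAddress 'john.doe@contoso.example'
# Set-HiddenFromGal -SamAccountName 'svc-fax'
# Start-AadDeltaSync
```

The same pattern covers targetAddress and the other mail attributes mentioned in the thread: read the current value, validate it against what is already in the directory, write it with Set-ADUser, then let AAD Connect carry it to the tenant.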
- cpanet (Copper Contributor)
Hi Guys,
Did you ever consider finishing the hybrid installation off, uninstalling Exchange, uninstalling the AD Sync tool and stopping the sync at cloud level, then just setting the password sync tool up again using SMTP matching?
This method would then be supported, as you're not continuing with a hybrid?
- Spiros Karampinis (Brass Contributor)
Keith Caines, do you still have any considerations/questions regarding Exchange hybrid?
This question arises every now and then. In short: you don't NEED an Exchange server; attributes can be edited in ADUC as described in this message thread. After all, there are organizations which have never had an Exchange server and are running Office 365 (as I do).
AFAIK the only thing you'll lose is email policies.
- Spiros Karampinis (Brass Contributor)
Nestori Syynimaa, if you never had Exchange on-premises it is something different, because your AD objects don't have the Exchange attributes and your AD doesn't have the Exchange schema.
If you had an Exchange Server in your on-premises AD then your AD objects have Exchange attributes. That means that you are going to have conflicts if you don't follow the best practices regarding a hybrid Exchange environment.
Sure Spiros Karampinis, it is a bit different but in practice that is irrelevant. Basically all you need is the proxyAddresses attribute, which is included in the "normal" AD schema.
Again, you do not NEED an on-prem Exchange server - although this is not "supported" by Microsoft.
- You should be able to use policies as usual!
As said, the caveat is when you use AD Connect to sync objects, making it more troublesome to change attributes and settings related to mail without an on-premises Exchange server.
- Email policies (automatically assigning addresses) are a feature only available in on-prem Exchange. I would like to see this feature also in EOL, at least for pure-cloud environments. Anyway, if you remove the on-prem Exchange server, you will lose the email policies feature.
- Prashant Divakaran (Brass Contributor)
Hi Keith,
Been through the comments in your thread and reminded me of my previous project where the customer stated to go fully online after moving the last mailbox to the cloud since they were using a hosted mailbox solution and had to continue paying if they wanted the hybrid to remain.
We did the following
1. Remove the hybrid relationship between the hosted exchange and the Office 365
2. Change DNS records to fully go O365 based ( autodiscover, SPF, DKIM, MX )
3. Update the AAD Connect to only use the current primary AD forest for sync.
The customer's team had no issues updating the required attributes using AD. But Microsoft FastTrack came back stating that if we do O365 with only AAD Connect in place and no Exchange server, then it puts us on an unsupported platform when you call Microsoft for any help.
What they suggested is that you need to have Exchange installed at least to make sure that your schema supports the right attributes, and that the Exchange server should be used to provision the mail-enabled accounts so that the right attributes are synced to the cloud. I do have an email from FTC, but unfortunately cannot share it in public as it contains customer-sensitive information.
To end the story with that customer, we ended up installing a minimal Exchange server and went back to a hybrid configuration to make sure that the configuration is still supported.
Not sure what you would gain by removing that Exchange server unless it's a high dependency on some resources, costs etc.; I would suggest leaving the hybrid ON. It can also be used as an email relay within the organization. You can trim down the hardware and give it just the bare necessary requirements.
Hope my previous situation and its outcome helps you.
Regards, Prashant
- BrianSmith (Copper Contributor)
I have a scenario somewhat similar. All mailboxes, DLs, and contacts are in the cloud. I'm using AADSync to sync passwords to Azure AD. All email management is done in the cloud, nothing in on-prem Exchange. What's the need to keep the on-prem Exchange other than Microsoft's "Because I said so"?
Some replies say that it's minimal, but it's more than that. It's an OS license, it's patch management, it still uses resources, it still needs to be backed up. There is still a lot of maintaining there. I want the on-prem gone since it's not being used.
Also, we don't use AD FS, and all DNS records (MX, autodiscover, CNAME, etc.) have been pointed to O365.
- Dominik Wagner (Copper Contributor)
BrianSmith wrote: I have a scenario somewhat similar. All mailboxes, DLs, and contacts are in the cloud. I'm using AADSync to sync passwords to Azure AD. All email management is done in the cloud, nothing in on-prem Exchange. What's the need to keep the on-prem Exchange other than Microsoft's "Because I said so"?
Some replies say that it's minimal, but it's more than that. It's an OS license, it's patch management, it still uses resources, it still needs to be backed up. There is still a lot of maintaining there. I want the on-prem gone since it's not being used.
Also, we don't use AD FS, and all DNS records (MX, autodiscover, CNAME, etc.) have been pointed to O365.
I can only say that, so far, about 2 months into the transition I don't miss the on-premise Exchange server at all.
I've gotten used to simply managing our AD accounts using the attribute editor and syncing everything using AAD.
Of course, I don't know how things might eventually evolve over those next few years... maybe there'll indeed be a server-side change on Microsoft's part which would eventually require an on-premise Exchange server for necessary AD schema additions... but I'll cross that bridge when I come to it.
Like you said, keeping an on-premise Exchange around, even if just for management purposes, is just too much of a hassle and completely negates the primary motivation of moving everything to the cloud in the first place.
I really hope Microsoft corrects their stance on this particular issue, it really is quite bewildering.
- Carlos Viscarra (Copper Contributor)
Hi Prashant.
In the scenario you described and concluded by asking "Not sure what you would gain by removing that exchange server", I would like to in turn ask: what do you gain or lose by removing that server?
We want to remove as much of our On-Prem as possible and my task is to decommission our On-Prem Exchange altogether and rely solely on the cloud.
Thanks,
Carlos
- Spiros Karampinis (Brass Contributor)
Hello Carlos,
It is pretty clear at the moment that maintaining one last Exchange server just for management purposes is the supported way to go when you want to synchronize your Active Directory users and their attributes to Azure AD.
Sure, many guys are going to say that you can use ADSI, third-party tools or even nothing to manage your Exchange users in Office 365, BUT the question is: is it really bothering you to keep one last virtual machine with 2 CPUs and 4 GB RAM to be in a supported scenario for a business-critical application like mail? It will also be more comfortable for your Exchange administrators, or even just system administrators, to manage your Exchange objects, whether those are in the cloud (Office 365) or on-premises, like function mailboxes. Keep in mind that for that purpose Microsoft provides an Exchange hybrid key to license your on-premises Exchange server. That on-premises server could also be used as an SMTP server for on-premises devices like fax machines or printers, or on-premises applications that need an SMTP server to send e-mails; think about your NAS system, your firewall etc.
If on the other hand you would like to go FULL cloud, there is also an option for "small" companies called Microsoft 365 Business. With that license you can join your devices to Azure AD, your mailboxes are hosted in the cloud, you don't have to synchronize anything and you can manage your computers and devices through Microsoft Intune. Almost no server at all on-premises, but again, it depends on your environment, the use case and what you are trying to achieve.
If you don't mind providing me a little more information about your environment, even in a personal message, I would be glad to share my experience with you and talk about what the best options for your environment would be.
Kind regards
Spiros
- Abdul Khan (Copper Contributor)
Gentlemen,
Thank you for this valuable info first of all. Secondly, I am of the school of thought that you can keep managing attributes in AD, especially the mail ones like the proxyAddresses and targetAddress attributes. Having your last Exchange server around is unnecessary to me personally, as the simple process of creating accounts and syncing attributes is simple enough to provision mailboxes in Exchange Online.
However, I can assume why Microsoft has given us a blanket answer for keeping ONE last Exchange server around. The answer being that while MS goes around updating Exchange server versions behind the scenes for all the client tenants, they may introduce new attributes (perhaps?) that plain Active Directory may not house. I am talking about msExch attributes, which is a big deal. Having a gap, say, between customers decommissioning from an Exchange 2013 hybrid while Exchange Online will be running 2019 for a customer tenant: this is a dangerous gap to have... wouldn't you all agree? With one Exchange server around, the onus will be on the customer to eventually upgrade the AD schema and employ such newer attributes to take advantage of features in Exchange Online. I hope I make sense in my assumption. What are your thoughts?
- Ian Moran (Iron Contributor)
Everything you say makes sense, but it all comes down to running an environment supported by Microsoft. This may or may not matter in some scenarios, but for me anyway I'd rather be managing a supported setup.
I'd highly recommend having a look for Hybrid related sessions coming out of Ignite 2018 as the story may have changed somewhat.
Ian
- Ian Moran (Iron Contributor)
Everything you need to know right here ..
https://technet.microsoft.com/en-us/library/dn931280(v=exchg.150).aspx
If you have removed Azure AD Connect then you can remove on-premises Exchange. It's the presence of this component that would necessitate keeping an on-premises Exchange Server for mailbox management.
- Joe Wichowski (Copper Contributor)
Sorry Ian, but that is incorrect. We ourselves, as well as the majority of our clients, run Azure AD Connect WITHOUT an on-premises Exchange server.
I use AD to create users inside my Active Directory for old LAN drives (shares) and local printers. I set their password there.
I then use Office 365 to provision and maintain their mailboxes without issue.
Under what scenario/functionality are you thinking a local Exchange Server is required?
- Carol Chisholm (Iron Contributor)
Joe Wichowski Hi Joe, thanks for your clear information. I am trying to get to your solution. I have got all my mailboxes moved, found all the funny SMTP connectors for devices, got all my DNS pointing to O365, and nothing is happening on the on-prem server.
I have tested everything and, as you say, creating a local user works fine and they can get a mailbox once they are synced to O365. If I choose not to sync a user that does not need a mailbox, it can exist locally (for managing a device, say).
I have the latest AAD Connect, which has the options for Hybrid Exchange and Public Folders selected.
I am trying to ascertain the order for removing stuff (the Exchange option in AAD Connect, the Exchange Hybrid stuff, and the on-prem server). Any ideas?
- Keith Caines (Copper Contributor)
I've just done some research and it looks like I need to run
Set-MsolDirSyncEnabled -EnableDirSync $false
Apparently this will change all my mailboxes to "In Cloud" instead of "Synced with Active Directory".
At this stage I assume I will be able to manage mailboxes from the Office 365 tenant.
Am I correct in saying that my next step would be to change my DNS to point mail flow to 365, or is there something else that needs to be done to take the on-premises "hybrid" server out of the equation?
Thanks!
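Added example (not Keith's code or Microsoft's): the tenant-side part of the step above, wrapped in a few checks. It uses the same MSOnline cmdlet the post names and assumes that module is installed and a Global Administrator signs in; the function name is invented. Before flipping the switch it reports the current sync state and how many synced users are unlicensed, because every synced object becomes cloud-managed the moment sync is off and anything half-provisioned stays that way. After the change it polls the status instead of assuming the disable is immediate, since the service reports a pending state for a while. Nothing is changed unless -Commit is given.

```powershell
# Added example, not from the thread: disable directory synchronization on the tenant
# with pre-checks and status polling. Requires the MSOnline module.
function Disable-TenantDirSync {
    [CmdletBinding()]
    param(
        [switch] $Commit,            # without it, report only
        [int] $MaxPolls = 12,        # how many times to poll after the change
        [int] $PollSeconds = 300     # interval between polls
    )

    Import-Module MSOnline
    Connect-MsolService          # prompts for a Global Administrator sign-in

    $company = Get-MsolCompanyInformation
    Write-Host ("DirSync enabled: {0}  status: {1}  last sync: {2}" -f `
        $company.DirectorySynchronizationEnabled, $company.DirectorySynchronizationStatus, $company.LastDirSyncTime)

    # Users with a LastDirSyncTime are the ones AAD Connect owns today. Once sync is
    # off they are cloud-only, so anything still unlicensed should be looked at first.
    $synced     = @(Get-MsolUser -All | Where-Object { $_.LastDirSyncTime })
    $unlicensed = @($synced | Where-Object { -not $_.IsLicensed })
    Write-Host ("Synced users: {0}, of which unlicensed: {1}" -f $synced.Count, $unlicensed.Count)
    $unlicensed | Select-Object UserPrincipalName, LastDirSyncTime | Format-Table -AutoSize

    if (-not $Commit) {
        Write-Host 'Dry run. Re-run with -Commit to disable directory synchronization.'
        return $company.DirectorySynchronizationStatus
    }

    # The cmdlet from the post. -Force suppresses the confirmation prompt.
    Set-MsolDirSyncEnabled -EnableDirSync $false -Force

    # The tenant reports PendingDisabled until the service has finished; poll rather
    # than assume, and stop after $MaxPolls so the session does not hang forever.
    for ($i = 1; $i -le $MaxPolls; $i++) {
        Start-Sleep -Seconds $PollSeconds
        $status = (Get-MsolCompanyInformation).DirectorySynchronizationStatus
        Write-Host ("Poll {0}: status {1}" -f $i, $status)
        if ($status -eq 'Disabled') { break }
    }
    return $status
}

# Usage:
# Disable-TenantDirSync                      # report only
# Disable-TenantDirSync -Commit              # disable and poll until Disabled
```

Once the status reads Disabled, the users show as "In Cloud" and are edited in the Microsoft 365 admin center; the AAD Connect server on-premises is then idle and can be uninstalled. Password hash sync stops with it, so from that point passwords are set and reset in the tenant only.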