SOLVED

Move from Staged Hybrid Migration to full Exchange Online


Good Day,

 

I have moved and finalized approx 60 mailboxes from Exchange 2010 on-premises to Exchange Online.

Currently all mail clients are pointing to Exchange Online, however mail is still being delivered on-premises as well.

The following article on decommissioning on-premises has been helpful, however I just need to get a plan solidified.

https://technet.microsoft.com/en-us/library/dn931280(v=exchg.150).aspx

Currently, no MX records have been changed to redirect mail permanently.

I would still like to use ADSync after the cutover to unify password management between on-premises and online, however I would like to do all Exchange management from portal administration.

I would like to completely decommission on-premises Exchange post cutover.

Can anyone share any info on whether the scenario outlined is possible at all and what I need to do to accomplish it?

 

Thanks

19 Replies

You cannot have both. You either manage the accounts directly in O365, which means no password sync, or use dirsync/password sync, but manage them on-premises. The latter also requires you to keep one Exchange box for management purposes, if you want to stay in "supported" scenario. If you don't care about that part, you can just manage them via ADUC/PowerShell/whatever.

I have AD Sync configured on an on-premises domain controller.

I did not realize that in order to synchronize passwords I would have to keep my Exchange box around. Is this correct?

I want to completely decommission my Exchange server. If this means that I lose the ability to sync passwords then so be it. Just seems strange.

Is there a way to easily "enable" management from the Admin Portal?

best response confirmed by Keith Caines (Copper Contributor)
Solution

Every configuration involving dirsync, including password sync, requires you to keep an Exchange box for management purposes. Otherwise you will be in an "unsupported" configuration. You don't have to follow the Microsoft recommendations on it, you can manage the objects just fine with other tools, but you risk being denied support.

Here's an example article that goes into more detail: https://blogs.msdn.microsoft.com/vilath/2015/05/25/office-365-and-dirsync-why-should-you-have-at-lea...


@Vasil Michev wrote:

Every configuration involving dirsync, including password sync, requires you to keep an Exchange box for management purposes. Otherwise you will be in an "unsupported" configuration. You don't have to follow the Microsoft recommendations on it, you can manage the objects just fine with other tools, but you risk being denied support.

Here's an example article that goes into more detail: https://blogs.msdn.microsoft.com/vilath/2015/05/25/office-365-and-dirsync-why-should-you-have-at-lea...


Thank you for sharing that thread. Wow. You were not kidding. I wonder why MS hasn't provided what seems to be a very simple solution to an obvious pain point!?

They're looking into it, at least that's the answer we get anytime we raise this topic :)

@Keith Caines Actually, this is no longer the case, because now there is AD Connect. AD Connect allows you to sync passwords only, without an Exchange server.

Why are you reviving an old topic with redundant and somewhat misleading information? It was already stated, that you can use dirsync (ad connect is just a new version of that) without a local exchange server and using other tools to manage exchange properties, but this will be deemed as unsupported setup by MS support. So you do this at your own risk.

@wroot You seem upset, how about you take a chill pill. No one said ANYTHING about Exchange properties. In fact, the whole point of the post was getting RID of Exchange altogether. Doing this, have all of your Exchange functions handled in O365 and leave you with only syncing passwords with AD.

Have you read what Vasil has provided? If you sync on-premise AD users with dirsync/ad connect and you use Exchange Online (topic's author IS using Exchange, so it IS relevant here), how are you going to say add another alias or change current SMTP address or any other Exchange attribute of a user, so it would reflect in his/her EO mailbox? You have to do this on-premise. You can use AD Users console/PowerShell for that. But Microsoft might decline to provide you support, if you have no local Exchange server in such setup, because for now having local Exchange server when using hybrid setup is the only officially supported way (not technically, but from a support eligibility standpoint).

@wroot Do you know how Microsoft defines "supported"? I do, because I worked there for 12 years. It is defined as "we have tested this and can therefore guarantee a certain level of outcome." Whenever we said it was "unsupported" we still gave best effort. Oh and just an FYI, I have several clients with NO onsite Exchange server and they are able to sync passwords with AD, without issue. They also have no issue adding aliases, which is done in the cloud, where the mailbox resides.

I will leave it to readers of my posts to decide how they want to interpret Microsoft "unsupported" and what they hope to receive, but I won't omit such information. I haven't worked for Microsoft, so I can't imply anything. And how does working at MS in the past prove something about current policies? I would love an official from MS to approve that.

I don't know why you have emphasized password sync in particular when the main point of this thread is Exchange management. Yes, password sync will work with only having local AD. As with Exchange management, I also worked with a hybrid setup without Exchange on-premises (uninstalled after mailboxes migration) and last time I tried to change an alias or SMTP address of a synced user in the Exchange Online admin center I was greeted with an error that my user directory is read-only and I should make changes in my local AD. Haven't seen any announcements about changes in this area yet.

@wroot  The entire point of his post was that he wanted to decommission his exchange server but still wanted password sync.  Perhaps you misunderstood?

"I would still like to use ADSync after the cutover to unify password management between on-premises and online, however I would like to do all Exchange management from portal administration.

I would like to completely decommission on-premises Exchange post cutover."

He wanted to have both sync and be able to manage exchange from online portal.

@wroot Thank you for making my point.

Ok, I will try one last time.

He wanted to sync users/passwords from his on-premises AD - yes, you can use AD Connect for that and no Exchange installation is needed for that.

He wanted to decommission his Exchange installation and still be able to sync on-premises users/passwords to Office 365 - yes, having only AD Connect is enough for that (although who would just sync users? Usually some other services like Exchange, SharePoint, OneDrive, etc. are used with these users).

He wanted to decommission his Exchange installation and be able to manage Exchange in Office 365 Admin Center > Exchange Online console - you can change some settings, but you can't change user settings that are synced from on-premises AD like SMTP addresses. You will get a read-only error and will have to change these settings locally in your AD and then sync them to Exchange Online. You can use PowerShell or AD Users and Computers console to change these attributes, but Microsoft is calling a supported setup if you leave one Exchange server on-premises and do such changes via Exchange Admin Center (or Exchange Management Shell).
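The local-AD change described in the reply above (editing a synced user's SMTP addresses with PowerShell, then syncing), as an added example that is not part of the thread or any participant's code. It assumes the RSAT ActiveDirectory module and, for the sync step, the ADSync module on the AD Connect server; the function name, account and address are hypothetical.

```powershell
# Added example: add a secondary SMTP alias to a directory-synced user by
# editing proxyAddresses in on-premises AD (the source of authority).
Import-Module ActiveDirectory

function Add-SyncedUserAlias {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $Alias    # e.g. 'j.doe@example.com'
    )

    # Strict pattern: also keeps quotes out of the -Filter string below.
    if ($Alias -notmatch '^[\w.+-]+@[\w.-]+\.[A-Za-z]{2,}$') {
        throw "Not a valid SMTP address: $Alias"
    }
    # Lowercase 'smtp:' marks a secondary address; 'SMTP:' marks the primary.
    $value = "smtp:$Alias"

    $user = Get-ADUser -Identity $SamAccountName -Properties proxyAddresses

    # The same address on another object produces a sync conflict, so check
    # the domain first. The LDAP match is case-insensitive, so this also
    # finds the address where it is someone's primary ('SMTP:').
    $clash = Get-ADObject -Filter "proxyAddresses -eq '$value'" |
        Where-Object { $_.DistinguishedName -ne $user.DistinguishedName }
    if ($clash) {
        throw "$Alias is already assigned to $($clash.DistinguishedName -join '; ')"
    }

    # -contains is case-insensitive: nothing to do if the user already has it.
    if ($user.proxyAddresses -contains $value) { return }

    if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Add $value")) {
        # -Add appends to the multi-valued attribute without touching the
        # existing primary address or other aliases.
        Set-ADUser -Identity $user -Add @{ proxyAddresses = $value }
    }
}

# Dry run with placeholder values; remove -WhatIf to apply.
Add-SyncedUserAlias -SamAccountName 'jdoe' -Alias 'j.doe@example.com' -WhatIf

# Then, on the AD Connect server, push the change instead of waiting for
# the scheduled cycle:
# Start-ADSyncSyncCycle -PolicyType Delta
```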

@wroot 

I will type this ssssslllllllooooooooowwwwwwwlllllllyyyyyyy so you can understand it. There is NOTHING in his post that said ANYTHING about wanting to sync users. NOTHING. Only passwords. What seems to be happening now is that you may have realized that you have made a mistake but are too proud to simply bow out gracefully. Here is the entire post:

Good Day,

I have moved and finalized approx 60 mailboxes from Exchange 2010 on-premises to Exchange Online.

Currently all mail clients are pointing to Exchange Online, however mail is still being delivered on-premises as well.

The following article on decommissioning on-premises has been helpful, however I just need to get a plan solidified.

https://technet.microsoft.com/en-us/library/dn931280(v=exchg.150).aspx

Currently, no MX records have been changed to redirect mail permanently.

I would still like to use ADSync after the cutover to unify password management between on-premises and online, however I would like to do all Exchange management from portal administration.

I would like to completely decommission on-premises Exchange post cutover.

Can anyone share any info on whether the scenario outlined is possible at all and what I need to do to accomplish it?

Thanks

Ok ok guys! You’re just going back and forth here! Let’s just call it a day :)

Adam

@sfbtech 

 

OMG, you didn't understand anything... He wants to stay with his local AD, so he needs ADConnect. But with ADConnect and not Azure AD pure online, you will need to have an Exchange installation to edit your Exchange-specific attributes in your local AD, which then will get synced to AAD. If you have ADConnect, local AD is the leading authentication provider.

Hope this helps any new readers, Oleg is absolutely correct with his statements.

BTW, you can clean up your Exchange Server databases, shrink your disks, etc. You only need a small VM after that, just in case you need to edit user settings. Maybe you can migrate it to Azure and use Azure Automation to start it regularly for 30 minutes and then shut it down to save costs. Just to get a connect to your DCs.