Can Exchange be decommissioned in hybrid deployments?

Microsoft Exchange Hybrid Deployment
by Mohnish Kumar 28 October 2019

So, you have convinced management to migrate the deteriorating on-premise Exchange system to Exchange online. Great! But what does that really mean for the future of your Exchange server? Isn’t the purpose of cloud migration to ultimately reduce your on-premise workload footprint? The answer may not be that straightforward.

Microsoft Exchange Hybrid Deployment

Let’s take a closer look at a common mail scenario. Mail is routed through a third-party email filtering product and then delivered to the on-premise Exchange server. User accounts from the on-premise Active Directory are synchronised to Azure AD via Azure AD Connect:

Figure 1 Common Exchange Hybrid Scenario with Azure AD Connect

Object Synchronisation 

When Exchange objects are synchronised to Azure AD, an additional synchronisation will occur between Azure AD and the Exchange online directory.

In the below image, John Doe has a mailbox on-premise. When the account is synchronised to Office 365, Exchange Online has visibility of the associated on-premise attributes. In Exchange Online, John Doe will appear as a Mail User and it will be aware that the user has a mailbox in an on-premise Exchange server e.g. EXC-MBX01.

Figure 2 - objects from AD synchronised to an Exchange Online user

Exchange Server considerations after migration

Once you complete the migration journey from on-premise to online Exchange, nothing is stopping you from uninstalling and decommissioning the on-premise Exchange servers. It should be noted however that this can have adverse effects:

  • If Azure AD Connect is still required, then the business is forced into a “hybrid identity” model: your Active Directory identities are synchronised with Office 365, and Exchange objects rely on Active Directory.
  • The majority of synchronised attributes are read-only in Azure AD.
  • There is no official supported method of updating attributes without the presence of Exchange.
  • ADSI Edit must be used to manually update Active Directory attributes.

When a mailbox is migrated from on-premise to Exchange Online, this does not change the fact that the authoritative system for changes is the on-premise Active Directory.

If an administrator attempts to add an email address (modifying an object attribute) to a user in Exchange Online, the following error will prohibit the change:

Figure 3 Exchange Online error demonstrating AD is the source of authority

Once the mailbox is migrated to Exchange Online, the on-premise account is converted to a mail user and the online counterpart becomes a mailbox. To avoid the above error, any changes must be made in the on-premise Active Directory.
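Because the on-premise directory remains authoritative, it helps to be able to see both sides of a synchronised user at once: the Exchange attributes held in Active Directory and the recipient that Exchange Online built from them (the situation in Figure 2 and the converted mail user described above). The following PowerShell function is an added example, not code from the original post. It assumes the ActiveDirectory and ExchangeOnlineManagement modules are installed and that Connect-ExchangeOnline has already been run; the account name jdoe is a placeholder.

```powershell
# Added example (not from the original post): report how one synchronised user is
# represented on-premise and in Exchange Online, and whether the two records are
# linked by the same mailbox GUID. Assumes the ActiveDirectory and
# ExchangeOnlineManagement modules and an existing Connect-ExchangeOnline session.

function ConvertTo-RecipientTypeName {
    # msExchRecipientTypeDetails values that matter in a hybrid deployment.
    param([long] $Code)
    switch ($Code) {
        1          { 'UserMailbox (on-premise)' }
        128        { 'MailUser' }
        2147483648 { 'RemoteUserMailbox (mailbox migrated to Exchange Online)' }
        default    { "Other ($Code)" }
    }
}

function Get-HybridRecipientState {
    param([Parameter(Mandatory)] [string] $SamAccountName)

    # On-premise view. Exchange keeps its state in these AD attributes, which is why
    # the on-premise directory stays the source of authority after migration.
    $ad = Get-ADUser -Identity $SamAccountName -Properties `
        msExchMailboxGuid, msExchRecipientTypeDetails, targetAddress, proxyAddresses, mail

    $onPremGuid = $null
    if ($ad.msExchMailboxGuid) { $onPremGuid = [guid]::new([byte[]]$ad.msExchMailboxGuid) }

    # Exchange Online view of the same synchronised object.
    $exo = Get-Recipient -Identity $ad.UserPrincipalName -ErrorAction SilentlyContinue
    $onlineGuid = $null
    if ($exo) {
        $onlineGuid = switch -Wildcard ($exo.RecipientTypeDetails) {
            '*Mailbox' { (Get-Mailbox  -Identity $exo.Identity).ExchangeGuid }
            'MailUser' { (Get-MailUser -Identity $exo.Identity).ExchangeGuid }
            default    { $null }
        }
    }

    [pscustomobject]@{
        SamAccountName      = $ad.SamAccountName
        OnPremType          = ConvertTo-RecipientTypeName $ad.msExchRecipientTypeDetails
        OnPremTargetAddress = $ad.targetAddress
        OnPremPrimarySmtp   = @($ad.proxyAddresses) | Where-Object { $_ -cmatch '^SMTP:' }
        OnlineType          = if ($exo) { $exo.RecipientTypeDetails } else { 'not found in Exchange Online' }
        OnlinePrimarySmtp   = if ($exo) { $exo.PrimarySmtpAddress } else { $null }
        # A migrated user should show RemoteUserMailbox on-premise, UserMailbox online,
        # and the same GUID on both sides.
        MailboxGuidLinked   = [bool]($onPremGuid -and $onlineGuid -and ($onPremGuid -eq $onlineGuid))
    }
}

# Placeholder account:
Get-HybridRecipientState -SamAccountName 'jdoe' | Format-List
```

A user whose OnPremType is RemoteUserMailbox but whose MailboxGuidLinked is false, or whose OnPremPrimarySmtp differs from OnlinePrimarySmtp, is exactly the kind of object that has been edited in the wrong place, which is why the error in Figure 3 exists.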

Attribute Considerations

Below are some important attributes that are commonly edited for Exchange users:

  • msExchMailboxGUID
  • mS-DS-ConsistencyGuid
  • proxyAddresses
  • legacyExchangeDN (including X500 addresses in proxyAddresses).

Without an Exchange server it now becomes cumbersome to update the above values.

Options

The below options are available when it comes to Exchange server management moving forward post migration:

  1. Keep the on-premise Exchange server for attribute management and proceed as normal. No mail will be routed via on-premise. No changes needed. You will still be in “hybrid identity” mode, not Exchange hybrid.
  2. “Break” Azure AD Connect so Exchange attributes can be fully managed in the cloud, then decommission the Exchange server. Passwords will drift out of sync.
  3. Decommission the on-premise Exchange server and fully manage attributes using Active Directory Users and Computers. This is not supported by Microsoft; however, it will still work:
     • Decommission the on-premise Exchange server.
     • Run cmdlets to remove hybrid objects from AD.
     • Moving forward, users will need to be created in ADUC (as opposed to the Exchange admin centre), and attributes will need to be edited manually to include Alias, SMTP addresses etc. This can be bothersome and long-winded.
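Option 3 means editing the attributes listed under “Attribute Considerations” by hand, and a typo there does not fail at the point of edit: it surfaces later as a synchronisation or mail-flow problem. The following PowerShell is an added example, not code from the original post. It sets the Alias (mailNickname), the SMTP addresses (mail and proxyAddresses) and the tenant routing address (targetAddress) with the ActiveDirectory module, and it refuses to write a proxyAddresses set that has no primary address, more than one primary address, a duplicate, or an unknown address type. The account name, the contoso.com domain and the contoso.mail.onmicrosoft.com routing domain are placeholders. msExchMailboxGuid and mS-DS-ConsistencyGuid are deliberately left alone, since they anchor the object to its Exchange Online counterpart.

```powershell
# Added example (not from the original post): manage the Exchange attributes the post
# lists directly in Active Directory once no on-premise Exchange server is left.
# Assumes the ActiveDirectory module (RSAT). Account, domain and routing-domain values
# are placeholders.

function Test-ProxyAddressSet {
    # Returns a list of problems; an empty list means the set is safe to write.
    param([Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $ProxyAddresses)
    $problems = @()

    # Exactly one primary address, written with an upper-case 'SMTP:' prefix.
    $primary = @($ProxyAddresses | Where-Object { $_ -cmatch '^SMTP:' })
    if ($primary.Count -ne 1) {
        $problems += "expected exactly one primary 'SMTP:' address, found $($primary.Count)"
    }

    # No duplicates, compared case-insensitively because mail routing ignores case.
    $ProxyAddresses | Group-Object { $_.ToLowerInvariant() } |
        Where-Object Count -gt 1 |
        ForEach-Object { $problems += "duplicate address: $($_.Name)" }

    # Only address types Exchange understands. X500 entries carry legacyExchangeDN
    # values from old servers and must be kept so replies to old mail still resolve.
    foreach ($a in $ProxyAddresses) {
        if ($a -notmatch '^(smtp|x500|sip|x400):') {   # -match is case-insensitive
            $problems += "unrecognised address type: $a"
        }
    }
    return ,$problems
}

function Set-CloudMailAttributes {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $PrimarySmtpAddress,
        [string[]] $SecondarySmtpAddresses = @(),
        # Placeholder tenant routing domain; on-premise mail flow hands mail off here.
        [string] $RoutingDomain = 'contoso.mail.onmicrosoft.com',
        [switch] $WhatIf
    )
    $user  = Get-ADUser -Identity $SamAccountName -Properties proxyAddresses, mailNickname, targetAddress, legacyExchangeDN
    $alias = $PrimarySmtpAddress.Split('@')[0]

    # Keep every existing non-SMTP entry (X500 and others); rebuild only the SMTP ones.
    $proposed = [System.Collections.Generic.List[string]]::new()
    foreach ($entry in @($user.proxyAddresses | Where-Object { $_ -notmatch '^smtp:' })) { $proposed.Add($entry) }
    $proposed.Add("SMTP:$PrimarySmtpAddress")
    foreach ($s in $SecondarySmtpAddresses) { $proposed.Add("smtp:$s") }
    $proposed.Add("smtp:$alias@$RoutingDomain")          # routing alias, normally present in a hybrid
    $proposed = @($proposed | Select-Object -Unique)     # case-sensitive, so SMTP:/smtp: stay distinct

    # Refuse to write a malformed set rather than discover it at the next sync cycle.
    $problems = Test-ProxyAddressSet -ProxyAddresses $proposed
    if ($problems.Count -gt 0) {
        throw "Refusing to update ${SamAccountName}: $($problems -join '; ')"
    }

    $replace = @{
        mailNickname   = $alias                          # the 'Alias' shown in the admin centre
        mail           = $PrimarySmtpAddress
        proxyAddresses = [string[]]$proposed
        targetAddress  = "SMTP:$alias@$RoutingDomain"    # where on-premise mail for this user is sent
    }
    Set-ADUser -Identity $user -Replace $replace -WhatIf:$WhatIf
    return $proposed
}

# Placeholder values; drop -WhatIf to apply the change.
Set-CloudMailAttributes -SamAccountName 'jdoe' -PrimarySmtpAddress 'john.doe@contoso.com' `
    -SecondarySmtpAddresses 'jdoe@contoso.com' -WhatIf
```

Running with -WhatIf first shows the exact attribute set that would be written, which is the closest you get to the sanity checking the Exchange admin centre used to do for you.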

Wrap up

Exchange Hybrid deployments are one of the most popular methods for migrating mailboxes to Office 365. They allow businesses to migrate mailboxes at their own pace while maintaining co-dependency between on-premise and Office 365.

Azure AD Connect is the core tool which forces the presence of an on-premise Exchange server. If the Exchange server is removed, it can negatively impact the environment and introduce an administration overhead. IT should make life easier, not more complicated! For this reason, it’s highly recommended to maintain an on-premise Exchange server for attribute management purposes.


Topics: Microsoft 365, Azure AD Connect, office 365, Exchange Online, Microsoft Exchange, Hybrid Deployment, Azure AD