Exchange Server hybrid “edition” myths and misunderstandings

There’s a common misunderstanding that Exchange Server hybrid (whichever version you may be running) must be kept on-premises forever if you have Azure AD Connect. AADC syncs on-premises Active Directory with Azure AD. When AADC and federated identity are enabled, MOST of the cloud attributes in Azure AD are READ ONLY. From that statement it’s been understood that hybrid needs to be maintained to do all that Exchange Online remote management goodness. Wrong!

I hate to burst the bubble here, but, I’m going to burst the bubble.

Exchange Server Hybrid

Being a consultant, I’m going to do that frustrating thing and say those famous words: “it depends on the situation”. I love being ambiguous sometimes as it affords room for different options and ideas which is great for brainstorming and architecting.

Looking at Exchange Server hybrid functionality independently of the common tech phrase “hybrid”, what does Exchange Server hybrid actually do? Put simply (and this isn’t made very clear on TechNet or in other publications), hybrid creates send and receive connectors between on-premises and Office 365 EXO. It’s now just a wizard / setup application that completes a few commands, all of which can be achieved manually through PowerShell. It’s not even an Exchange Server role anymore.

From there though, with the additions of AD FS and Azure AD Connect + Azure AD, you get a seamless solution that “joins two disparate ADDS forests and Exchange organizations” so an enterprise can complete a staged migration. Hybrid alone won’t do any of that, apart from allowing mail to be sent as “internal” between on-premises and Exchange Online. That’s as simple as it gets.


Use hybrid

It’s quite easy to complete a staged migration to EXO and leave a handful (two’s enough really; even Microsoft recommend that) of Exchange servers on-premises with hybrid enabled. For larger or enterprise customers that perhaps have SMTP relay requirements for legacy on-premises applications, keeping hybrid is a requirement to maintain that mail flow and connectivity between cloud and on-premises on an ongoing basis.

Mid to large deployments where federated identity is enabled could also leave hybrid enabled without impacting the solution in any negative way either.

Hybrid is there to make the journey to Office 365 Exchange Online easier through staged migrations. Of all the transitions to Office 365 that I’ve worked on, only one has not needed hybrid. In that case there were no federated identity requirements and the migration of ~300 mailboxes was orchestrated through a ‘big bang’ migration approach.

Timing is key in any migration or transition to the cloud. Hybrid provides the warm blanket or comfort in that it assists in affording more time to the transition.

Can you get rid of hybrid? But, how?

Once hybrid is in place, Exchange server in a federated identity world should be kept on-premises indefinitely. If you want Microsoft support, then you’ll need Exchange Server to do the remote management goodness.

Third party tools (mentioned further down) are available, BUT, and that “but” is in caps for a reason: Microsoft won’t provide you support if anything breaks with that service. You’ll likely need to source expertise that could get rather expensive. Protip: don’t do it.

Take an example where we have migrated all on-premises mailboxes to Exchange Online and there is no longer a need for a large on-premises legacy Exchange Server estate. The on-premises footprint is reduced to a handful of servers, one of which has had the Hybrid Configuration Wizard run on it.

There is a tidy-up process (see the following checklist) to remove the hybrid integration while still allowing remote management of Exchange Online:

  • Migrate all mailboxes to Exchange Online
  • Ensure all mail flow is delegated to EXO
  • Ensure all DNS is delegated to Office 365
  • Transition public folders to EXO (if any)
    • Ensure `Set-OrganizationConfig -PublicFoldersEnabled local` is run from Office 365 / EXO PowerShell
  • To stop clients from trying to contact Exchange Server on-premises for anything, disable the service connection point
    • Achieved by running `Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri $Null`
  • The big one, remove the hybrid config: `Remove-HybridConfiguration`
  • Finally, review send and receive connectors on both Exchange Online and on-premises and remove those
    • Since there won’t be any requirement for cross-forest mail, deleting these connectors is recommended

For more information on the process, check out this TechNet article.

The (not so) tricky part: how do you manage remote mailboxes?

There are two pieces of this puzzle to understand.

On-premises Exchange Server integrates with Active Directory. As all data is stored in this lovely (depends on how you look at it) database/directory, Exchange reads this and through various attributes knows that mailboxes are remote or config is associated with Office 365.

The second piece of the puzzle is PowerShell. Having the Azure AD and Office 365 PowerShell modules available additionally allows for streamlined remote management. This process can be tricky and I’ve written a quick piece (available here) should you get stuck trying to install the Online Services Sign-in Assistant.

With both of those items understood, the majority of what you need to do can be achieved just as easily without hybrid as with hybrid.
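Managing a remote mailbox without hybrid comes down to writing the Active Directory attributes described above (the ones Daniel lists in the comments further down). As an added example that is not part of the original post, the PowerShell below stamps them on a synced user and adds the validation an on-premises Exchange server would otherwise have done for you; the accepted-domain list, the sample user and the function names are assumptions.

```powershell
# Added example, not from the original post. Stamps the AD attributes that mark a
# synced user as an Exchange Online remote mailbox, refusing values AD itself would
# accept but that break sync or routing. $AcceptedDomains and names are assumptions.
Import-Module ActiveDirectory
$AcceptedDomains = @('contoso.com', 'contoso.mail.onmicrosoft.com')  # placeholder list

function Assert-AcceptedDomain([string]$Address) {
    $domain = $Address.Split('@')[-1]
    if ($AcceptedDomains -notcontains $domain) { throw "'$Address': '$domain' is not an accepted domain" }
}

function Set-RemoteMailboxAttributes {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$PrimarySmtp,     # e.g. alias@contoso.com
        [Parameter(Mandatory)][string]$RoutingAddress   # e.g. alias@contoso.mail.onmicrosoft.com
    )
    Assert-AcceptedDomain $PrimarySmtp
    Assert-AcceptedDomain $RoutingAddress
    # AD does not enforce uniqueness of proxyAddresses; a duplicate surfaces later as a
    # duplicate-attribute sync error, so check the directory before writing anything.
    $filter = "(&(proxyAddresses=smtp:$PrimarySmtp)(!(sAMAccountName=$SamAccountName)))"
    $dup = Get-ADObject -LDAPFilter $filter
    if ($dup) { throw "'$PrimarySmtp' is already stamped on $($dup.DistinguishedName)" }
    Set-ADUser -Identity $SamAccountName -Replace @{
        mail                       = $PrimarySmtp
        mailNickname               = $PrimarySmtp.Split('@')[0]
        targetAddress              = "SMTP:$RoutingAddress"
        proxyAddresses             = @("SMTP:$PrimarySmtp", "smtp:$RoutingAddress")
        msExchRecipientDisplayType = -2147483642   # SyncedMailboxUser
        msExchRecipientTypeDetails = 2147483648    # RemoteUserMailbox
        msExchRemoteRecipientType  = 1             # ProvisionMailbox
    }
}

# Audit pass: report every primary (upper-case "SMTP:") address that is reused by more
# than one user, the mistake the on-premises EAC would have blocked at entry time.
function Find-DuplicatePrimarySmtp {
    Get-ADUser -Filter 'proxyAddresses -like "SMTP:*"' -Properties proxyAddresses |
        ForEach-Object { $u = $_; $u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' } |
            ForEach-Object { [pscustomobject]@{ User = $u.SamAccountName; Primary = $_.ToLower() } } } |
        Group-Object Primary | Where-Object Count -gt 1 |
        ForEach-Object { "$($_.Name) is stamped on: $($_.Group.User -join ', ')" }
}

Set-RemoteMailboxAttributes -SamAccountName 'jdoe' -PrimarySmtp 'jdoe@contoso.com' `
    -RoutingAddress 'jdoe@contoso.mail.onmicrosoft.com'
Find-DuplicatePrimarySmtp
```

Run the audit function before each AAD Connect sync cycle if you take this route; it is the only thing standing in for the address validation the on-premises Exchange tooling used to provide.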

Don’t use hybrid

Let’s flip the coin and explore the wonderful (or other) world without hybrid. This world mainly consists of a “cloud first” or “born in the cloud” approach to IT. Not every organisation would want to implement a complex AADConnect, AD FS and hybrid mail environment. Well managed migrations to Office 365 can certainly be achieved without the cost and time expenditure of getting a hybrid and federated solution off the ground.

Microsoft’s recommendation around this again comes down to requirements. In a nutshell, if you don’t need any of the below features, you can quickly commence a migration to Office 365 Exchange Online without hybrid connectivity:

  • Secure mail routing between on-premises and EXO organizations.
  • Mail routing with a shared domain namespace. For example, both on-premises and EXO organizations use the @contoso.com SMTP domain.
  • A unified global address list (GAL), also called a “shared address book.”
  • Free/busy and calendar sharing between on-premises and EXO organizations.
  • Centralized control of inbound and outbound mail flow. You can configure all inbound and outbound EXO messages to be routed through the on-premises Exchange organization.
  • A single Outlook on the web URL for both the on-premises and Exchange Online organizations.
  • The ability to move existing on-premises mailboxes to the Exchange Online organization. EXO mailboxes can also be moved back to the on-premises organization if needed.
  • Centralized mailbox management using the on-premises Exchange admin center (EAC).
  • Message tracking, MailTips, and multi-mailbox search between on-premises and Exchange Online organizations.
  • Cloud-based message archiving for on-premises Exchange mailboxes. Exchange Online Archiving can be used with a hybrid deployment.

(Source: TechNet)

Non-hybrid deployments can leverage a number of excellent 3rd party tools to migrate to Office 365. This is not a paid advertisement, but tools such as SkyKick or MigrationWiz, among others, allow for a streamlined and managed migration.

Final words

Working in the enterprise space, it’s common that Exchange Server of some flavour is used as the preferred mail solution. Migrating to Office 365 from Exchange on-premises will most commonly leverage hybrid.

I would, for the most part, go with hybrid for the length of the migration. Thereafter though it CAN be removed. You might not need to, but the option is there. Don’t stress about it either way though. The end result in remote mailbox management is near identical.

Cheers, Lucian

Category: Exchange, Office 365

Garry

So On-Prem Exchange is necessary for hybrid though, right?
I understand if you get rid of it, then no Exchange related attributes are sync’d with the user account that gets sync’d with AADC?

jquile

My understanding is that if you want to keep users sync’d with O365, since they’re likely also needing their AD credentials for on-premise resource access (computers, printers, file shares, etc.), then you have to always be in a Hybrid situation.
Because if you at all get rid of on-prem Exchange, then their Exchange/e-mail attributes are no longer part of their AD account, and AADC will sync that up to O365 and their Exchange/e-mail attributes are now null in O365.
Correct me if I am wrong though.

Stanislav Galchonkov

Lucian, with such a post you confuse a lot of subscribed people. You have to outline that you need Exchange on premises anyway once you have AADSync in place, in a large font size and bold style. If you have an on premises server (like AADConnect) which integrates the on premises and online worlds, it is called a hybrid deployment anyway. And it doesn’t matter if you have Exchange Hybrid or just Exchange Server on premises with AADConnect. The overall deployment is still hybrid. People are looking for a way of decommissioning Exchange Server from on premises and you give them more confusion in this area.

David Ogborne

Two things. DNS delegation should not be set to Office 365. Just make sure that the DNS records are correct and keep the DNS zone hosted where it is.

Secondly, autodiscover should not be set to $null. It should be set to EXO directly, such as https://autodiscover-s.outlook.com/Autodiscover/Autodiscover.xml (use Fiddler to work out your local end point). This method optimises the autodiscover lookup process using the top level choice of SCP.

Jeremy Bradshaw

I think I can one up your #2. You should go look in Office 365 Admin Center -> Settings -> Domains and check to see there what your public Autodiscover CNAME is supposed to point to. Then use that for the value of your CAS server(s)’s AutoDiscoverServiceInternalUri.
Most commonly right now, that is “autodiscover.outlook.com”. I totally agree about taking advantage of the SCP lookup.

Daniel Lynch

Hi Lucian, we have a customer in a hybrid situation; they are now on Office 365 and we want to remove the sync. Will any Exchange attributes be lost when we remove the sync and decommission the server? Is there any way of syncing passwords without the AAD sync?

Helpdesk Support

Hi Lucian,

Many thanks for this article. We have a client using AD (including AAD/ ADFS/ ADFS Proxy (DMZ) ) and Exchange Hybrid/ CAS/ EMB on-prem with user mailboxes in O365 and legacy application mailboxes on-prem.

As an option to reduce datacentre footprint, what are your thoughts on migrating the on-prem AD (including AAD/ ADFS/ ADFS Proxy (DMZ) ) and Exchange Hybrid/ CAS/ EMB to an Azure datacentre? Is this something people generally do?

Thanks

Dustin

I am going to be pretty blunt here. This is just bad advice. The best practice exists for a reason, and they are the following: 1) The changes must come from on-premise AD if you use directory synchronization 2) The only supported interface to modify these values are those that come with having an on-premise Exchange server (EAC, EMS, etc.) 3) There are no Email Address Policies available without it and Active Directory provides no validation for these attributes, in that it doesn’t care if you have duplicate ProxyAddresses or domains that are not even in the Accepted Domains list.… Read more »

Jesper Jensen

Interesting post! We have a single Exchange Hybrid server left, which I would really like to get rid of. All users have been migrated to EXO. The VM is powered off 99% of the time (Azure VM, cost effective) and we only use it when creating/deleting users.

We have AAD Connect and ADFS in place, so from my point of view (I’m *not* an Exchange guy) I can’t see what the Hybrid server does. It’s just an annoying part of our infrastructure that we need to maintain 🙁

Igor O. Barinov

Why not use JumpCloud and migrate away from the Hybrid (do you really want to maintain that Exchange server), and then from the dinosaur called AD (unless all your nodes are Windows, and all strictly on-prem)?

Andrew

I set up our organization of 36 mailboxes plus shared mailboxes from scratch on O365 cloud. I have never had on prem Exchange; we’re running a 2012r2 domain w/ AD Sync (passwords and some distribution lists). The challenge I’m facing is because O365 is throttled and some staff have large mailboxes and most are using Outlook 2010, I’m wondering if having an on prem Exchange server will cache all of the mailboxes on a local database. Our company also got bought out recently and we’re looking to download all mailboxes to PST – an on prem Exchange server would greatly help… Read more »

Alex

Hi Lucian, thanks for that article. Wondering if you can help me to understand how it could work if I have to migrate 150 mailboxes from Ex2010 to O365, where the users’ location is not so well connected to the internet (with reference to the new build of OST files after a non-hybrid migration). The company would get rid of the Exchange infra and won’t use ADFS (only Password sync and maybe with SSO). Isn’t it correct that you ramp down Exchange, have AADConnect in place and you can use the EXO onboard mechanism to set up a mailbox (put… Read more »

Pertti Ahlgren

Hi, got an interesting case here in my hands, and could really need some second opinions. Customer has 1 Forest, 3 Domains and 1 Exchange organization on-premise. They are a kind of a service provider. Now we’re thinking to move to the 365 world, and separate their clients to their own tenants for certain reasons and remove their on-premise Exchange infra. Doing a multitenant environment using AADConnects per tenant is not an issue; the issue here is the mail migration. When the customer is large enough, hybrid is by any means the smoothest way to migrate mail. Keeping these in mind, I thought is it… Read more »

vaughan

Hi Lucian
Thanks for the post, very interesting and helpful. Can you answer a question for me please? We have a customer who has 75 mailboxes with Exchange Online Archiving enabled on the Exchange server. Is it best to do a cutover and then move the archives using the Microsoft network upload tool, or should we set up a basic hybrid configuration to do the migration then remove hybrid? If yes, is AADSync a requirement in this scenario? Thank you

Justin Manship

Sure, I agree it is best to keep On-Prem Exchange going in a Hybrid setup, but is it a big deal if you don’t? Not really. I’ve done Dir Sync for plenty of customers who don’t have Exchange, I’ve removed final Exchange servers after migrating all mailboxes to Exchange Online, I have moved away from Hybrid after an Exchange server died. In all cases it’s been just fine to manage them through AD attributes. Create a user in a sync’d OU, add the proper attributes, and it syncs up just fine. I do however wish Microsoft would create an application… Read more »

Martin

Justin, what attributes are you setting?

Daniel

These are the usual culprits that are set for a *RemoteMailbox*:

`proxyAddresses`, `msExchRecipientDisplayType`, `msExchRecipientTypeDetails`, `msExchRemoteRecipientType`, `mailNickname`, `mail`
