Exchange Hybrid Post Migration – Benefits of keeping the hybrid server
You have finally made it! You are at the end of the tunnel and the sun is shining bright. All of your mailboxes have been successfully migrated to Exchange Online. Now what? Can I decommission my on-premises Exchange environment? This is a very common question asked once an Exchange Online Migration has been fully completed. And the answer is…most likely no. Here are some of the reasons and benefits of keeping and maintaining an on-premises Exchange server.
Directory Synchronization to Office 365, whether through Azure Active Directory Connect (AAD Connect) or a 3rd party cloud solution, will remain necessary for most Office 365 tenants unless the entire Active Directory infrastructure was migrated to Office 365 as well. That means the source of authority will continue to be on-premises. Source of authority refers to the directory in which the Active Directory objects were initially created and against which they authenticate.
Because Directory Synchronization will remain enabled well after all mailboxes are migrated, there is a need to administer mailboxes from an on-premises solution. The only supported tools for administering Exchange-based mailboxes are the Exchange Management Console, the Exchange Admin Center, and the Exchange Management Shell. ADSIEdit and other 3rd party tools are not supported for modifying Exchange mailbox attributes. Without a supported tool it would be difficult to perform common Exchange tasks such as email address changes.
Maintaining an on-premises Exchange server for a cloud-based solution is not ideal, but it is highly recommended. The server does not need a large amount of resources (CPU, memory, and storage). It also does not need to maintain the hybrid configuration, public certificates, or public IP addresses if the only need is ongoing mailbox administration.
Since installing a basic Exchange 2016 or 2019 server has become very easy, there is almost no need to consider any form of High Availability (HA) or Disaster Recovery (DR) for this server if it is intended only for mailbox administration. If the on-premises server is intended for additional functionality, it is best to weigh each function individually to determine whether HA or DR is necessary.
A common request is to install the latest Exchange Server available and supported to act as the administrative server and decommission the legacy environment. This gives the opportunity to completely clean up the legacy environment and start fresh with a simple Exchange server.
In most scenarios, Microsoft provides a free Exchange Hybrid license for this server role. If the following conditions apply you can request an Exchange Hybrid Server product key at no additional cost:
- You have an existing, non-trial, Office 365 subscription
- You cannot use the hybrid server to:
  - Host on-premises mailboxes
  - Enable calendar sharing with other organizations (except for calendar sharing with Exchange Online users)
  - Perform email filtering
  - Provide any other functionality that is not required for the hybrid deployment
If you meet these requirements you can obtain a free Exchange Server Hybrid license by going to http://aka.ms/HybridWizard and running the initial steps of the Hybrid Configuration Wizard, which acquires the license.
An on-premises Exchange hybrid server provides a centralized administration point: administrators can open a single Exchange Admin Center from their on-premises environment and reach both the on-premises and the Exchange Online Admin Center from one browser session.
Exchange Online New User Administration
A common misconception post-migration concerns how to administer new users. Some organizations still create the mailbox on-premises and then migrate it to Office 365. Mailboxes no longer need to be created on-premises; they can be created directly in Office 365. However, the user still needs to appear in the on-premises Exchange server in order to be administered properly. The following steps describe the process for creating a new user mailbox:
Step 1: Create new user in Active Directory
Step 2: Synchronize the new user to Office 365 with Directory Synchronization
Step 3: Assign an Exchange Online license to the new user
Step 4: Using the Exchange Management Shell, run the following command (Enable-RemoteMailbox stamps an existing AD user with a remote mailbox; New-RemoteMailbox has no -Identity parameter because it creates the AD user itself):
Enable-RemoteMailbox -Identity <username> -RemoteRoutingAddress <user>@domain.mail.onmicrosoft.com
The user will show as an Office 365 mailbox type in the on-premises Exchange Admin Center. This is where any future updates to the mailbox should occur.
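The four steps above carried through end to end, as an added example that is not part of the original post. It assumes a hypothetical AD domain contoso.com, a tenant routing domain contoso.mail.onmicrosoft.com, a user jdoe, an AAD Connect server named aadconnect01, the ActiveDirectory and Microsoft.Graph modules being available, and that it is run from the Exchange Management Shell on the hybrid server. All of those names are placeholders.

```powershell
# Added example (not from the original post). Placeholders: contoso.com,
# contoso.mail.onmicrosoft.com, jdoe, aadconnect01, OU path and SKU name.
$sam      = 'jdoe'
$upn      = "$sam@contoso.com"
$routing  = "$sam@contoso.mail.onmicrosoft.com"      # tenant routing address
$ou       = 'OU=Users,DC=contoso,DC=com'
$password = Read-Host -AsSecureString -Prompt 'Initial password'

# Step 1: create the user in Active Directory (source of authority stays on-premises).
New-ADUser -Name 'Jane Doe' -GivenName 'Jane' -Surname 'Doe' `
    -SamAccountName $sam -UserPrincipalName $upn -Path $ou `
    -AccountPassword $password -Enabled $true

# Step 2: push the new object to Office 365 with a delta sync.
# Start-ADSyncSyncCycle comes from the ADSync module on the AAD Connect server.
Invoke-Command -ComputerName 'aadconnect01' -ScriptBlock {
    Start-ADSyncSyncCycle -PolicyType Delta
}

# Step 3: assign the Exchange Online license once the user exists in the tenant
# (Microsoft Graph PowerShell; SkuPartNumber varies per tenant, EXCHANGESTANDARD is a placeholder).
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Organization.Read.All'
$sku = (Get-MgSubscribedSku | Where-Object SkuPartNumber -eq 'EXCHANGESTANDARD').SkuId
Set-MgUserLicense -UserId $upn -AddLicenses @(@{ SkuId = $sku }) -RemoveLicenses @()

# Step 4: stamp the on-premises object as a remote mailbox so it shows as an
# Office 365 mailbox in the on-premises Exchange Admin Center.
Enable-RemoteMailbox -Identity $upn -RemoteRoutingAddress $routing

# A second delta sync carries the new Exchange attributes to the tenant.
Invoke-Command -ComputerName 'aadconnect01' -ScriptBlock {
    Start-ADSyncSyncCycle -PolicyType Delta
}

# Verification: the object is a remote mailbox with the expected routing address.
Get-RemoteMailbox -Identity $upn |
    Format-List Name, RecipientTypeDetails, RemoteRoutingAddress, EmailAddresses

# Later changes (for example an extra SMTP address) go through the supported
# tooling, never through ADSIEdit.
Set-RemoteMailbox -Identity $upn -EmailAddresses @{ add = 'jane.doe@contoso.com' }
```

The Graph and ADSync calls run in their own sessions and need the matching role assignments; the Exchange cmdlets require the Recipient Management role on the hybrid server. Get-RemoteMailbox at the end is the check to keep: if the object is not reported as a RemoteUserMailbox, the address change in the last line will not flow to the cloud mailbox.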
Another benefit to consider is the SMTP needs of devices and applications. Both require some way to communicate with Exchange Online mailboxes. There are a few options for configuring devices and applications to use Office 365 for SMTP; however, an existing Exchange server can also be used as an SMTP relay server.
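A relay connector on the hybrid server, as an added example that is not part of the original post. It assumes a hypothetical server EX01 and two relay clients at 10.10.5.20 and 10.10.5.21; the point is that the connector accepts anonymous relay only from those listed source addresses and logs what it accepts, so the server never becomes an open relay.

```powershell
# Added example (not from the original post). Placeholders: EX01 and the client IPs.
$server  = 'EX01'
$clients = '10.10.5.20', '10.10.5.21'   # only the known devices/applications;
                                         # never 0.0.0.0-255.255.255.255
$name    = 'Internal SMTP Relay'

# Frontend connector on port 25, scoped to the listed source addresses.
New-ReceiveConnector -Name $name -Server $server `
    -TransportRole FrontendTransport -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $clients `
    -AuthMechanism None -PermissionGroups AnonymousUsers

# Allow anonymous submission to any recipient (true relay) on this connector only.
Get-ReceiveConnector "$server\$name" |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'

# Verbose protocol logging makes misuse of the relay visible to the SOC.
Set-ReceiveConnector "$server\$name" -ProtocolLoggingLevel Verbose

# Audit check: which connectors on this server accept anonymous mail, and from where?
Get-ReceiveConnector -Server $server |
    Where-Object { $_.PermissionGroups -match 'AnonymousUsers' } |
    Format-Table Name, RemoteIPRanges, Bindings, ProtocolLoggingLevel -AutoSize
```

Mail accepted here leaves through the server's send connectors, so a relay-only server still needs outbound mail flow to Exchange Online. Re-run the audit query whenever a device is retired and remove its address from RemoteIPRanges; an address range that is never pruned is the usual way a "temporary" relay turns into a spam source.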
Active Directory Schema
Even if you move forward and decommission all on-premises Exchange servers, the AD schema extension for Exchange needs to be maintained so that the Exchange attributes continue to sync properly to Office 365.
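A quick check that the Exchange schema extension is present and that a synced user carries the attributes Directory Synchronization relies on, as an added example that is not part of the original post. It assumes a hypothetical user jdoe and the ActiveDirectory module on a domain-joined admin host; the attribute list is the usual set of Exchange attributes that AAD Connect synchronizes.

```powershell
# Added example (not from the original post). Placeholder: user jdoe.
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# rangeUpper on ms-Exch-Schema-Version-Pt records the Exchange schema version;
# if the object is absent, the forest schema was never extended for Exchange.
$verObj = Get-ADObject "CN=ms-Exch-Schema-Version-Pt,$schemaNC" -Properties rangeUpper
"Exchange schema version (rangeUpper): $($verObj.rangeUpper)"

# Exchange attributes that must be populated on-premises for a cloud mailbox user.
$attrs = 'mail', 'proxyAddresses', 'targetAddress',
         'msExchRecipientTypeDetails', 'msExchRemoteRecipientType', 'legacyExchangeDN'
$user  = Get-ADUser -Identity 'jdoe' -Properties $attrs

foreach ($a in $attrs) {
    $v = $user.$a
    if (-not $v) { "MISSING  $a" }
    else         { "ok       $a = $($v -join '; ')" }
}
```

Anything reported as MISSING is set with Set-RemoteMailbox (or Set-Mailbox for an on-premises mailbox), not by hand in ADSIEdit, which is exactly the unsupported path the earlier section warns against.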
Additional Functionality options
There are other specific scenarios in which an on-premises Exchange server would be beneficial.
Public Folders – Many organizations still use and maintain public folders. There are newer and more modern options available, such as Shared Mailboxes or Office 365 Groups, but in some cases Public Folders need to be maintained for continuity. The process to migrate public folders to Exchange Online is fairly complex and doesn’t always succeed. Having an on-premises Exchange server allows for public folders to be hosted and maintained on-premises. This scenario would be ideal for organizations that wish to slowly transition from public folders to newer technology.
Internal relays – Not to be confused with SMTP relay, internal relay is a mail strategy for non-routable and non-public domain namespaces. Non-routable domains, such as domain.local, can be used for the email addresses of internal applications. Non-public domains are commonly used for other major applications, such as SharePoint (sp.domain.com). Neither of these types of domains can be added to an Office 365 tenant. Having an on-premises Exchange server is the only way to route email for these domains.
Journaling – Journaling is a company-wide retention and archival strategy. The most common issue with journaling is the requirement for an offsite mailbox. You cannot use an Exchange Online mailbox for this feature. There are plenty of 3rd party options available, but to avoid that additional cost you can use a mailbox from the on-premises Exchange server. This would require a full featured Exchange server license.
Host mailboxes on-premises – In some scenarios organizations wish to continue to host a small number of mailboxes on-premises. Keeping the hybrid server allows for this. These are a few reasons an organization may need to host mailboxes on-premises:
- Ability to migrate (off-boarding) from Office 365 to on-premises – This provides more flexibility and greater control over your data. It allows you to easily migrate all users back on-premises for various reasons, including:
  - Roll back to a full on-premises solution
  - Company acquisitions/mergers
- Terminated employees – Exchange Online only keeps mailbox data from a deleted user for 30 days. If you need to maintain the data for a longer period of time you can place a legal hold on the mailbox, but this requires the account to continue to use a license. Migrating the mailbox back on-premises allows you to keep the data for as long as required.
- Internet access – It's very rare to see a business location without Internet capabilities. Office 365 requires Internet access to utilize its services. If an organization has a location that has no Internet access, only access to the internal network, then those user mailboxes can only be hosted on-premises.