What is a Hybrid Exchange Server and Can You Get Rid of It?
We frequently get asked by customers that have moved all mailboxes to Office 365 about decommissioning their last Exchange server, which is usually just an Exchange Hybrid server at that point. Here’s an overview of the purpose of the Hybrid Exchange Server and some of the ramifications of removing it.
The purpose of a Hybrid Exchange Server is really to facilitate making changes as needed to the environment. Think of it as a toolset for managing Exchange attributes synchronized from on-premises. Mail does not flow through it, so if it goes down, mail flow is not impacted. Microsoft does not recommend having any mailboxes located on the Hybrid Exchange Server. In fact, Microsoft will provide, through O365, a Hybrid Exchange Server license that can be used for this role, provided no mailboxes are located on the Hybrid Exchange Server. You can verify eligibility by logging into your O365 tenant and then browsing to https://configure.office.com/Scenario.aspx?sid=13. See the screenshot below.
Most changes to objects initially created in on-premises Exchange and synchronized from on-premises will need to be made in ADSI Edit. (This requires Domain Admin credentials and careful knowledge of the task being performed.) Some tasks can be done via PowerShell. Think of it this way: AD is replicated to O365, but you still need a way to edit those Exchange attributes. Attributes for objects created in O365 can be edited in the O365 web interface or PowerShell by users with granular O365 permissions applied. Here’s a quote from this TechNet article confirming this:
Why you may not want to decommission Exchange servers from on-premises
Customers with a hybrid configuration often find after a period of time that all of their mailboxes have been moved to Exchange Online. At this point, they may decide to remove the Exchange servers from on-premises. However, they discover that they can no longer manage their cloud mailboxes.
When directory synchronization is enabled for a tenant and a user is synchronized from on-premises, most of the attributes cannot be managed from Exchange Online and must be managed from on-premises. This is not due to the hybrid configuration, but it occurs because of directory synchronization. In addition, even if you have directory synchronization in place without running the Hybrid Configuration Wizard, you still cannot manage most of the recipient tasks from the cloud. For more information, see this TechNet blog.
Can third-party management tools be used?
The question of whether a third-party management tool or ADSIEDIT can be used is often asked. The answer is you can use them, but they are not supported. The Exchange Management Console, the Exchange Administration Center (EAC), and the Exchange Management Shell are the only supported tools that are available to manage Exchange recipients and objects. If you decide to use third-party management tools, it would be at your own risk. Third-party management tools often work fine, but Microsoft does not validate these tools.
Ramifications of Removing the Server
What this means for you, if you choose to proceed, is one of two things. Either the routine changes that lower-level IT support staff can normally make will in most cases have to be performed by someone more senior with Domain Admin rights, which will likely add to that person’s workload; or you will have to accept the security risk of giving lower-level support staff elevated Domain Admin credentials so they can make changes in ADSI Edit.
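To make the two paths concrete, here is an added PowerShell example (it is not code from the original post, and Microsoft documents none of it in this form). It shows the supported route through the Exchange Management Shell on the Hybrid server, which lets a help-desk account change a synced recipient without Domain Admin rights through Exchange RBAC, next to the ADSI Edit-style change that is all that remains once the server is gone. The account name helpdesk1, the user jdoe, and the domain contoso.com are placeholders.

```powershell
# Added example, not from the original PEI post. helpdesk1, jdoe and contoso.com
# are placeholders; substitute your own values.

# --- On the Hybrid Exchange Server (Exchange Management Shell) ---

# 1. Least privilege: put the help-desk account in the built-in
#    "Recipient Management" role group instead of Domain Admins. RBAC scopes what
#    Set-RemoteMailbox may touch; ADSI Edit has no comparable scope.
Add-RoleGroupMember -Identity "Recipient Management" -Member helpdesk1

# 2. Routine change: add an alias to a mailbox that lives in Exchange Online but
#    whose object is synced from on-premises AD. Exchange writes proxyAddresses
#    for you and rejects a malformed or already-used address.
Set-RemoteMailbox -Identity jdoe -EmailAddresses @{Add = "smtp:john.doe@contoso.com"}

# 3. Confirm what was written before directory synchronization picks it up.
Get-RemoteMailbox -Identity jdoe |
    Select-Object PrimarySmtpAddress, EmailAddresses, RemoteRoutingAddress

# --- On the Azure AD Connect server (optional: skip the default 30-minute wait) ---
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta

# --- In Exchange Online PowerShell (the behaviour the TechNet quote describes) ---
# A synced object reports IsDirSynced = True, and a direct write from the cloud is
# refused: Set-Mailbox fails with an error saying the object is synchronized from
# the on-premises organization. The cloud is read-only for these attributes.
Get-Mailbox -Identity jdoe | Select-Object IsDirSynced, EmailAddresses
# Set-Mailbox -Identity jdoe -EmailAddresses @{Add = "smtp:j.doe@contoso.com"}   # fails for a synced object

# --- What is left after the Hybrid server is removed (unsupported, Domain Admin) ---
# Equivalent to the ADSI Edit change the article describes, with no Exchange
# validation: "SMTP:" versus "smtp:" silently changes the primary address, and a
# duplicate proxy address is only noticed when sync reports a conflict.
Import-Module ActiveDirectory
Set-ADUser -Identity jdoe -Add @{proxyAddresses = "smtp:john.doe@contoso.com"}
```

The first block is what a help-desk account can run on the Hybrid server; the last block is the only option the article leaves you with once that server is decommissioned, and it is the one that needs Domain Admin.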
Lucus Guth, PEI
Since the on-prem server is probably configured as it was for hosting databases and mail routing, what are your thoughts on installing a new hybrid server as a minimal VM, then removing the last pre-migration server? Often the last server isn’t on the latest version either, so this is an opportunity to do that as a clean install and maintain all the configuration management options you note in the article above.
Here’s an answer from the post’s author:
You are correct. Rarely is this last Exchange server the latest version. It would definitely be best to install a new VM with the latest version of Exchange to only function as the Hybrid server. Maintaining an Exchange Hybrid server will keep management of Exchange attributes much easier as well as reducing the security and “oops” risks from changes made within ADSI.
Will the new hybrid server require certificates and is there still a point to enabling remote mailboxes?
Thanks for reading! Here’s a response from the post’s author:
As long as the new Exchange Hybrid is not acting as an SMTP mail relay, then it should be fine with an SSL certificate from an internal CA. Applying a certificate for mail.domain.com is helpful in avoiding the security warnings for the Exchange Admin Center (ECP). Depending on your environment, there may still be some situations which will require a 3rd party SSL certificate.
Here’s some more information about this: https://docs.microsoft.com/en-us/exchange/certificate-requirements
Enable-RemoteMailbox is still used to enable a mailbox for a user that is synced from on-premises. This is in effect enabling the mailbox attributes for the synced account.
Here’s some more information about this: https://docs.microsoft.com/en-us/powershell/module/exchange/federation-and-hybrid/enable-remotemailbox?view=exchange-ps
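Putting the comment thread together, here is an added PowerShell example (not code from the post or its author) for a freshly built, minimal Hybrid VM: confirm it hosts no user mailboxes, bind an internal-CA certificate to the ECP web endpoint only, and enable a remote mailbox for a synced user. The server name HYBRID01, the user jsmith, the paths under C:\temp, and the domains contoso.com and contoso.mail.onmicrosoft.com are placeholders.

```powershell
# Added example, not from the original post. HYBRID01, jsmith, the C:\temp paths
# and the contoso domains are placeholders.

# --- 1. The Hybrid server should hold no user mailboxes (hybrid license condition) ---
# Expect an empty result. System/arbitration mailboxes are not listed by this call.
Get-Mailbox -Server HYBRID01 -ResultSize Unlimited | Select-Object Name, Database

# --- 2. Internal-CA certificate for the admin web endpoint (ECP) ---
# Sufficient when the server is not an SMTP relay; only IIS is bound, not SMTP.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=mail.contoso.com" `
    -DomainName "mail.contoso.com", "autodiscover.contoso.com" `
    -PrivateKeyExportable $true
Set-Content -Path "C:\temp\mail.contoso.com.req" -Value $request
# ...submit the .req to the internal CA, save the issued certificate as .cer, then:
Import-ExchangeCertificate -FileData ([byte[]](Get-Content -Path "C:\temp\mail.contoso.com.cer" -Encoding Byte -ReadCount 0))
$cert = Get-ExchangeCertificate | Where-Object { $_.Subject -like "CN=mail.contoso.com*" }
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# --- 3. Enable a remote (Exchange Online) mailbox for a synced AD user ---
# The routing address must be in the tenant's <tenant>.mail.onmicrosoft.com domain;
# this stamps the mailbox attributes on the AD account, which sync then carries up.
Enable-RemoteMailbox -Identity jsmith -RemoteRoutingAddress "jsmith@contoso.mail.onmicrosoft.com"
Get-RemoteMailbox -Identity jsmith |
    Select-Object RecipientTypeDetails, RemoteRoutingAddress, ExchangeGuid

# --- 4. On the Azure AD Connect server: push the change without waiting ---
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
```

Step 1 is the check to keep in a runbook: a mailbox that lands on the Hybrid server later, even by accident, breaks the no-mailbox condition the article describes for the hybrid license.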