For some customers after a migration from on-premises Exchange Server to Exchange Online there is a desire to completely decommission the on-premises Exchange servers. Whether it can actually be done will depend on a few different things.
At the beginning of an Office 365 project I like to discuss with the customer what they need for their long term identity model. I start with identity, even though some customers want to jump straight to how mailboxes and other data will be migrated, because the identity model is a big factor in determining the best migration method. The discussion usually comes down to one of two scenarios:
- The customer plans to retain the on-premises Active Directory for other requirements, and wants directory synchronization and password hash sync so that users have a single set of credentials to remember for authenticating to Office 365 cloud services
- The customer has no intention of retaining the on-premises Active Directory and doesn’t need directory synchronization
The key here is the use of directory synchronization. Microsoft has published guidance on TechNet for decommissioning on-premises Exchange in a hybrid deployment. The title is a bit misleading because it’s not the hybrid configuration that ultimately determines whether you can decommission on-premises Exchange or not.
When directory synchronization is enabled for a tenant and a user is synchronized from on-premises, most of the attributes cannot be managed from Exchange Online and must be managed from on-premises. This is not due to the hybrid configuration, but it occurs because of directory synchronization. In addition, even if you have directory synchronization in place without running the Hybrid Configuration Wizard, you still cannot manage most of the recipient tasks from the cloud.
The article links to an older blog post that was written in the Exchange 2010 era, but still applies to later versions of Exchange.
For organizations intending on keeping DirSync in place and continuing to manage user accounts from the on-premises organization, we recommend not removing the last Exchange 2010 server from the on-premises organization. If the last Exchange server is removed, you cannot make changes to the mailbox object in Exchange Online because the source of authority is defined as on-premises. The source of authority refers to the location where Active Directory directory service objects, such as users and groups, are mastered (an original source that defines copies of an object) in a hybrid deployment. If you needed to edit most mailbox settings, you would have to be sure the Active Directory schema was extended on-premises and use unsupported tools such as Active Directory Service Interfaces Editor (ADSI Edit) for common administrative tasks.
To summarize the two quotes above, if you have directory synchronization in place, then you need to manage the mail attributes of users, groups, and contacts in the on-premises Active Directory, and then allow those changes to synchronize to Azure Active Directory. And the only supported way to manage the mail attributes on-premises is using the Exchange management tools, which requires at least one Exchange server to be running.
So where does that leave customers? Here’s a few scenarios to consider:
- If you need directory synchronization, a cutover migration is not a good choice. I am no fan of cutover migrations in general, but in particular for directory sync scenarios it is very difficult to retrofit directory synchronization after completing a cutover migration. Better to choose a migration method that utilizes directory sync up front.
- If you need directory synchronization, strongly consider using a hybrid configuration to facilitate the migration to Exchange Online and the ongoing management. Hybrid requires a little more work to set up at the beginning, but offers a far better admin and end user experience during the migration of mailboxes to the cloud. Yes, you will retain the on-premises Exchange server, but you can downsize it to the minimum hardware spec or run it as a small VM.
- If you need password synchronization for ease of user login, but don’t need sync of other Active Directory attributes, then consider using the Windows Server Essentials role. Essentials supports up to 100 users and allows you to link on-premises users with Office 365 users so that on-premises password changes are automatically synced with Azure Active Directory. An on-premises Exchange server is not required for Essentials-based integration with Office 365. This solution is ideal for customers who need to retain Active Directory on-premises, perhaps for just a few requirements like a legacy app that won’t run in the cloud. I’ve migrated former SBS customers to Essentials-based solutions and it works fine.
What if you absolutely insist on removing Exchange but keeping directory synchronization running? For those scenarios you’ve probably found some third party tools, or someone who tells you that it works just fine and all you need to do is write some scripts or use ADSIEdit. Yes, from a technical perspective it’s possible. But using anything other than Exchange to manage mail attributes in Active Directory is not supported by Microsoft, and I’m not in the habit of promoting unsupported solutions.
In all of the above I haven’t gone into complex scenarios, nor have I mentioned AD FS. For customers with a lot of complexity or who have federation requirements I generally find that they have already learned and accepted the requirements for on-premises Exchange Server in certain scenarios. The advice above is mostly for the small to mid-size customer who feels the need to remove all on-premises Exchange servers to reduce their management overhead.
All is not lost though. Microsoft announced at Ignite 2016 that they were looking at ways to remove the on-premises server requirement. At Ignite 2017 they revealed some more information about their plans in this area. A hybrid connector that works in a similar fashion to Azure App Proxy and Azure AD Connect Pass-thru Authentication is being developed that will make administration of on-premises objects via the Office 365 admin tools possible. It will still require a component to be installed on-premises, but that is certainly preferable to maintaining an entire Exchange server.
Only a high level overview of this process has been provided so far, and we may not see the tool for another year or more. Hopefully we’ll receive more good news on this at Ignite 2018.
For further expert advice, download your free copy of Email Migration to Office 365.
Hi Paul
Are there any updates on this? Can we decommission Exchange Server on-premises now? All my mailboxes from Exchange 2103 have been migrated to the Exchange Online. I want to decommission the Exchange server . And I’m still syncing users from AD on-premises to Azure AD with Hybrid Azure AD Synced
Reading all the comments about ‘why can’t I remove the last Exchange server’, I think many people are missing the point… the only reason you need to manage the objects is because you still have ‘legacy’ Active Directory on-premises. You should be on a ‘journey’ to the cloud, ending in Azure AD joined devices, removal of Active Directory and Azure AD becoming your primary identity provider. The journey for many starts with migrating Exchange, but that’s a small piece of the puzzle. Then it’s files to SharePoint with OneDrive Sync, Teams for collaboration and telephony, then Azure Active Directory Domain Services to migrate any legacy services to Azure (publish these apps with AVD or Citrix cloud). Deploy and manage workstations with Intune, then you can uninstall AD Connect and convert all of your objects to cloud objects – now you don’t need the Exchange box (or to fiddle manually with attributes in ADUC or ADSIEdit) . I’m 100% behind Microsoft requiring a management server on-prem in this scenario. And it’s free, and it can be your relay, and it doesn’t have any mailboxes on it. What’s the big deal? Do we not have 4 cores and 16GB memory free on our oversized and costly virtual platform? (all said light-heartedly of course)…
There is no suitable solution at all to remove the old – and voluminous – On-Prem-Exchange, I think?
After one year with the M365-Support they told me, there wouldn’t be a solution and they can’t help me.
We have a situation with an old On-Prem-Exchange 2013 and a database of 400GB.
The migration to M365 has been done successful. But we don’t know what to do with the “old big monster”. Keeping a Server with 600GB only for AD-Attributes?
Or is it possible to unmount and delete the big database and let the On-Prem run as a VM without mounted database?
Thanks and regards,
Jan
You can absolutely remove that Exchange server, but you will need to retain “an” Exchange server to do the Exchange Admin Centre work of updating variables in AD as this is the only supported solution from MSFT (i.e. they do not support ADSIEdit for updating Exchange-related variables). And really, EAC is the only support/infrastructure team functional tool anyway.
The easiest thing to do would be, spin up an Exchange 2019 box, add it to the environment and install EAC and test you can make changes to objects.
Then you can follow scenario (2) from this link to remove all your Exchange environment attributes and get rid of the old 2013 footprint:
https://docs.microsoft.com/en-gb/exchange/decommission-on-premises-exchange?redirectedfrom=MSDN
Anyone know if Microsoft has come up with a solution yet to remove exchange completely and still use Ad Sync for password synchronization?
Waiting for this solution too…….
This has been around for a minute. They don’t recommend it because you will have to use AD User & Computers in advanced mode to edit the attributes but the functionality has been there for years.
Me also. Just need some guideline to proper decommission an 2013 exchange server with mailboxes still present (migrated with CloudiWay). The Exchange server now has no functional at all on prem. Adding aliases in the proxy attribute works fine.
cheers
M
We were running in Hybrid mode for some time while carrying out our mailbox migrations. About 6 months after completing migrations, we turned off mailbox servers and a couple of weeks after that CAS servers. Another month of two after that we have deleted them outright and gone through some cleaning up. Everything works perfectly without an on-premise Exchange server. We use Azure AD Connect to sync AD on-premise to Azure AD. We use advanced attributes for all Exchange tasks(such as hiding and address from address book/allowing or preventing an address to receive external emails/locking down Send As for a group to a number of users. We haven’t come across anything yet that hasn’t worked. We use Mimecast in the cloud as our email gateway and Fortimail on-premise as an SMTP relay.
Hi, Martin
So basically, its ok to decomission on-prem exchange server and still be able to manage users from local AD (advanced option)?
We are planning to migrate to MS365 from Exchange 2013. We have AD Connect in place already, syncing our local users and we would like to decomission on-prem exchange server right after migration.
@Janis:
If you decommision your last on-prem Exchange while keeping AD Syncronization the only way to edit Exchange attributes will be through the ADSI Editor or 3rd-Party-Tools. This usually works fine, but If you’re experiencing problems you will _not_ get any support from MS because this scenario is not supported. See also:
https://docs.microsoft.com/en-us/exchange/decommission-on-premises-exchange#can-third-party-management-tools-be-used
Supported scenario:
1) Once all on-prem Mailboxes are migrated, locally install a free Exchange 2016 evaluation edition with full mailbox role. Run the new EAC and check if your mailboxes, ressources etc have been replicated from your old server.
3) Deactivate the old Exchange services & test if the 2016 EWAC works as intended.
3) If so, start start the Hybrid Configuartion Wizard (HCW). It should right at the start find the new 2016 display sthg like “Activate product”. This reduces the 2016 evaluation to a simple management console & will also license it for free through M365.
4) Keep your old Exchange shut down for some weeks and test if everything works fine with the 2016 EAC + AD Connect.
If this is the case, you can decommission the old Exchange (just don’t simply uninstall it) and you’re fine.
And yes, this means you should take care of updates for the Exchange 2016 regularly, even if it’s only a management console. It means also to still have a server / vm running it.
Regards,
Bill
Hello Martin,
I have 3 Exchange 2013 Servers, 2 backend and 1 front end.
a) What do you do about PostMaster and Discovery on-prem mailboxes?
b) I plan to shutdown the 2x backend servers for a few weeks., leaving just the front end server running (because this one is still doing internal SMTP relay.
c) I plan on adding the Exchange 2016 into the equation and run HCW to make it available side by side with the 2013 Front End server (to transfer Cert and so on to the new 2016 box, as well as slowly taking over that internal SMTP role before I remove that 2013 front end server.
Any advises? Thanks.
Hi Martin
Is what you said above working fine for you?
Is your system still running smoothly? I have a similar situation and I want to decommission my on-premises Exchange Server, but keep my on-premises AD to sync users to the cloud. Is it possible to decommission my on-premises Exchange Server?
I think that this article needs to be modified, because when you said “If you need password synchronization for ease of user login, but don’t need sync of other Active Directory attributes, then consider using the Windows Server Essentials role”, you are talking about the sync experience that had Windows Server 2016 Essentials, that it does not exist anymore on 2019 version. Microsoft says that on Windows Server 2019 Essentials, latest version of Windows Server Essentials edition, you can install AD Connect because now is supported (on earlier versions of Win Server Essentials, AD Connect was not supported) . Ok, AD Connect is supported on Win Server 2019 Essentials, Fine!!!, but remember that in oder to have AD Connect for AD sync purpose you also must have an Exchange Server on-premise for management purpose of Exchange attributes.
Hi Paul,
Just wanted to find out how to go about running the exchange 2016 server in Azure.
My client has all the mailboxes migrated to Exchange online via Hybrid setup. There is no on-premises mailbox accounts left, but they have 2 on-premises Exchange 2016 servers with mailbox roles (no DAG) running. They want to get rid of these instances.
I understand that you cannot completely remove on-prem exchange servers that are in Hybrid deployment. I want to understand what steps to take to move these servers (or create a new Exchange server instance) to Azure.
Do you have any recommendations or guides on this?
Thank you in advance.
Hi Paul,
Any progress on this matter? Can’t seem to find any thorough information on it.
Or progress on the Hybrid connector with Azure APP proxy and AD Connect pass-tru?
Would like to remove the last Exchange server, ’cause it’s still EX2010 and is getting out of support later this year.
Thanks in advance,
Ronald
still nothing on this yet huh?
I opened a case with Microsoft and got this as the solution to removing the single Exchange 2013 server but keeping AAD sync because we still need the local AD
Kindly follow the step below:
1. Remove the Office 365 connectors first from the exchange server that the hybrid wizard creates
2. Uninstall the hybrid app from the machine
3. Clear the program file from the C drive
4. Remove the license and certificate
5. Then uninstalled the exchange server.
I hope that the above information would be helpful to you and also in resolving this service request.
Thanks for the information Carol. Are you able to manage Exchange attributes that were only available in the on-prem environment – hide user from the GAL for example?
Yes thanks Carol for your information!
I had that exact same qustion in return. How do you manager the Exchange attributes on-prem?
Thanks,
Ronald
Wow! Glad I stumbled across this. I also have the same questions as Ronald and Tammy. Any info would be great! Thanks for sharing what you found.
More news: in fact that was a completely mistaken response from Microsoft. They gave me my money back.
I asked again before doing anything and a supervisor intervened and told me to stop. The re-iterated the “keep one last Exchange server”.
However I had already disabled the connectors and removed the Exchange sync components in AAD sync. Sure enough it was not possible to change any Exchange attributes on either side – there was enough synching going on that both organisations (cloud and on-prem) would not make any changes without connectivity to the other.
Looks like for the moment there is no solution – either no synching or you have to keep an on prem server.
Is it possible to have hybrid configurations so we can use our Exchange online mailboxes and keep them synced in the same time with our On-premise servers to send, receive and access them locally without internet connection in case of disconnection from our ISP
We have 9000 mailboxes within Office 365 with Exchange 2010 Hybrid Configuration.
We are looking at options to either remove the Hybrid and keep Exchange 2016 standalone server for relay and management or actually upgrading the Hybrid but it leaves additional hops for mail routing which is unneccessary.
Any ideas or guidance is much appreciated
I have a hybrid Exchange 2010 environment. We’ve moved all of our mailboxes to O365, although there are a couple of test type mailboxes still living on-premise. Originally we had an Exchange 2010 server. The consultant we used added a Hybrid 2010 Exchange server as well. I know that I need to have an Exchange server in our environment so that we can manage things on-premise so I’m totally fine with keeping the Hybrid 2010 server around. However, I’d like to decommission the original 2010 server. I’ve seen lots of articles on this, but they either don’t get very detailed or deal with removing all of the Exchange servers, which I don’t want to do. Even the ones that do cover removing some of the Exchange servers in a hybrid environment differ in how to do it. Some say to just decommission the original server and some have specific tasks about removing things like the Hybrid AD object. Any guidance is appreciated.
Hi Paul! I’ve reading a lot of this cases but I’m not able to apply any of them to the one i have.
I’ve already migrated an organization to Exchange online on O365, the Exchange 2010 on-premises they had it´s currently turned off.
They have AD connect, former DyrSync. It works with absolutely no problem as I´m writting but i want to fully uninstall the Exchange on-premises.
The server has been off from a long time now so i really don’t think i need to have a on-premises version to manage the users, currently we manage them from the AD on-premises and the changes synchronize with Exchange Online with no problem.
The question is: ¿How do i proceed to fully uninstall the Exchange 2010 on-premises?
Hi Paul, thanks for this article. Helped me a great deal in our migration. There is one question I hope you could answer: We have migrated all Exchange items to Exchange Online. However, we want to keep AAD Sync in place and use on-premises AD as identity source. Also we want to retain one Exchange server for managing e-mail attributes on-premises. Is it necessary to keep the local Exchange server in hybrid mode or can we remove the hybrid configuration?
Many thanks, Dominik
Hi Dominik,
You can remove hybrid configuration:
https://docs.microsoft.com/en-us/exchange/decommission-on-premises-exchange#scenario-two
great article paul, now that ignite 2018 is over any update to this “hybrid connector”?
Any further announcements at Ignite 2018 around the hybrid solution based on azure app proxy?
Hi Paul,
My scenario is a bit complicated, but perhaps you can advise me on it either way.
My customer is using an account-resources forest topology. Right now AD Connect is installed on the AD account forest and it includes both the account+resources forests.
Exchange 2013 server is on the resource forest and I deployed a hybrid configuration and we are close to finishing migrating everyone.
Next steps will be the hybrid decommissioning and removal of the resource forest. What is the recommendation in this case? We are sure that the resource forest has to go and therefore the exchange 2013 with it.
Should I install another exchange server on the account forest and migrate all exchange roles and such?
Thank you
Hey Paul,
Great article and I have followed many of your articles regarding Meeting Room Management in O365, Permanently delete users in O365 and many others. I do not understand the need to keep even one Exchange server behind in a hybrid configuration because let me show you a scenario of how we perform our daily routine:
1. Create users in AD, set proxyaddress/targetAddr attributes
2. Sync via AADC
3. Make changes to mailAttributes via Active Directory only.
In all of these points, the Exchange Management Shell is not opened once. Nor is it required to manage meeting rooms and groups as that is done purely with the O365 powershell set. So my question is: What is the actual need of this last Transport Server…?
Do we lose the ‘exch’ attributes if we uninstall Exchange from AD? Yes, that would be really bad… but would it really? I mean we can also get by with the customAttribute fields as part of a regular AD object.
Waiting to hear back your thoughts 🙂
Cheers!
hi, i have a 2011 sbs server with exchange 2010 and 5 mail boxes. i made all the preperations for migrating to office 365. there r 5 mail boxes ready for migration, i’ve been asked to enter those 5 …onmicrosoft.com mail to forward from my exchange mail boxes. since they r not on the same domain i m haveing an issue how to do that. can you help me with that?
what steps needed for forward each AD user mailbox to the …onmicrosoft.com pre migration?
i need to do that tommorow (22/7/18) so it will b most apprichiated to get your help A.S.A.P
Hi Paul,
We are currently running Exchange 2013 on-prem and are about to begin migrating to a hybrid configuration in the coming months. My question is, do we go through the effort of upgrading our on-prem environment (4 instances) to 2016 prior to migration, or perform the migration and then upgrade the sole instance?
Thanks for asking this question Robert, I was just about to ask this same question and get Paul’s advice on this scenario. Only difference for me is I’m running Exchange 2010 (still). We have hybrid fully set up and functioning with a small pilot group, going to be making the big migration soon.
So basically, what’s the recommended order for:
adding new Exchange 2016 servers to handle this necessary hybrid/management function
migrating mailboxes
remove Exchange 2010 mailbox servers
Thanks Paul, really appreciate the article and advice. FYI we are running AzureAD premium with AAD Connect for full synchronization and need to retain our on-prem AD environment for the foreseeable future. I also will be keeping an eye out on MS Ignite 2018 sessions regarding this to see if they’re changing their tune anytime soon. 🙂 Thanks!
on August 11, 2017 you said
For downsizing, I will pull together a list of resources and post an article. But short answer, the steps are the same whether you’re doing it for a hybrid scenario or just for any other decommissioning scenario. Removing a DAG or a server is the same either way. But as I said I will pull together some notes because you are not the only person who has asked for it.
I wasn’t able to locate such an article. Was it ever posted? I ask because I have a site that went O365 with AD Sync. They have a CAS and a mailbox server. I cannot find any Microsoft documentation stating what can be removed or how to consolidate to a single server.
I never wrote the article. No plans to write it at this stage.
Having migrated dozens of companies to Office 365, I can say without a doubt that there is no need to keep an Exchange server in place when using directory synchronization. After you convert mailboxes to mail enabled users, you can manage all the email-related attributes via Active Directory Users and Computers, using the Attribute Editor tab (Attribute Editor becomes available when you select View > Advanced Features in ADUC).
That method for managing the attributes is absolutely supported by Microsoft. I’ve worked on attribute and directory sync issues numerous times with Microsoft support and they have never balked at the Exchange-less configuration. The whole point of migrating to Office 365 is to eliminate the need for any email servers on-prem.
This is bad advice and I will keep calling it out as bad advice until Microsoft releases a supported solution for removing on-premises Exchange servers in directory sync environments.
We just went through an O365 conversion from Exchange 2010 and use Azure AD Connect so passwords can sync. As like so many others, I’m very unsure about what I can get rid of in the on-premise Exchange environment. Everyone hints at the fact that you need to keep Exchange management tools around to make management easier, but I can’t seem to find any real instructions out there for this process. It just feels like so few know what to do in this circumstance so they just keep their Exchange server(s) around. The MEU process sounds promising to further disconnect on-premise Exchange from O365, but again, can’t seem to find any guides/processes for this as well.
Do you know if Microsoft is close to releasing a solution for this? Just curious.
Everything mentioned at the end of the blog post is what I know has been publicly announced about the possibility of a hybrid solution. I still think its safe to say that Ignite 2018 will be the next time we hear more about it.
The documentation for converting mailboxes to MEUs is in the below Microsoft support article. It references Exchange 2007, but it’s really for Exchange 2007 and newer. I’ve used the scripts in that article numerous times to successfully convert mailboxes to MEU. The migration.csv file referenced in the script can just be an empty csv file. It will pull all the mailbox data from Office 365 into a cloud.csv file, which the final script references for converting the mailboxes.
https://support.office.com/en-us/article/convert-exchange-2007-mailboxes-to-mail-enabled-users-a1f79f3c-4967-4a15-8b3a-f4933aac0c34
It’s 2018 and it’s time to put our big boy/girl pants on and get rid of all these pointless Exchange servers!
Hello Paul,
I have 3 Exchange 2013 Servers, 2 backend and 1 front end.
a) What do you do about PostMaster and Discovery on-prem mailboxes?
b) I plan to shutdown the 2x backend servers for a few weeks., leaving just the front end server running (because this one is still doing internal SMTP relay.
c) I plan on adding the Exchange 2016 into the equation (later keeping it for management, so do I run HCW again to make it available side by side with the 2013 Front End server (then Export / Import Certificate from 2013 to the new 2016, as well as slowly taking over that internal SMTP role before I re-run HCW to remove that 2013 front end server.
Any advises? Thanks.
Hi Paul,
I’m new to O365 and have recently migrated one of my client companies to O365. They have AZConnect in place to sync the on prem users with the cloud. We did not migrate exchange via cutover migration, we simply synced the users and let o365 create new mailboxes, then we made a PST import. Is there any reason for me not to decommision their Exchange 2007 Server/organization? Can i somehow test if it is safe to do?
Also thanks for your excellent articles, you have helped me quite a few times.:)
Best Regards
/Fredrik
Your question is actually answered in the post. Are the still running directory sync? If yes, they need an Exchange server on-prem to remain supported. If not, they are free to decom the Exchange server.
Paul,
To his point, if there are now unused on-prem mailboxes for the users who are now live in EO and distros and contacts syncing, if exchange on-prem is simply uninstalled/decommissioned on-prem, are you saying that it will not rip out or destroy the distros, contacts, and mailboxes on the EO side with azure ad sync going?
Does the decom process not remove values from the exchange attributes on prem for distros, contacts and mailboxes?
Or to the Leo’s post below, mailboxes can be converted to mail-enabled users, but what about the other object types without killing them in EO?
His scenario is like my scenario—no hybrid configuration since we have multiple tenants with their own azure ad sync servers syncing to specific domains in our single on-prem AD domain/forest.
Can’t do hybrid with multiple tenants, not supported or desired.
Thanks!
Hi Paul,
Have you seen these options before:
I found out about converting on premise mailboxes to
mail-enabled users (MEU). See this article from Microsoft and in summary the
points I took from it:
If an organization decommissions Exchange after all on-premises mailboxes are migrated to the cloud, messaging-related user information on the cloud mailbox will be lost.
The Microsoft Online Services Directory Synchronization tool (DirSync) removes data (such as proxy addresses) from the cloud mailbox object because the on-premises mailbox no longer exists and DirSync can’t match it to the corresponding cloud mailbox.
The solution is to convert the on-premises mailbox to a
mail-enabled user (MEU) in your on-premises organization after the user’s
mailbox has been migrated to the cloud. When you convert an on-premises mailbox
to an MEU:
The proxy addresses from a cloud-based mailbox are copied to
the new MEU; if you decommission Exchange, these proxy addresses are still
retained in Active Directory.
The properties of the MEU enable DirSync to match the MEU
with its corresponding cloud mailbox.
The Autodiscover service uses the MEU to connect Outlook to
the cloud mailbox after the user creates a new Outlook profile.
Thanks Paul.
Do you have a question about it?
Hi Leo,
Not sure where you found this information, but it doesn’t sound right.
When you migrate a mailbox to the cloud, that mailbox is automatically converted into a remote mailbox and a mail user when checking it from on-premises.
Also, dirsync doesn’t delete any proxy addresses from anywhere.
Although since everyone recommends to keep at least 1 exchange server onprem, it’s hard to say what actually won’t work when you decide to remove it.
You can’t modify some attributes like proxy addresses, hide from address book in a supported way, but anything else?
Hi, if answered in comments my apologies.
Currently there is a hybrid 365 deployment. The on prem consists of a pair of 2013 CAS servers, four 2013 Mail servers, and two 2016 Exchange servers, that where stood up for the hybrid. As we approach the last items, moving resource and shared mailboxes, along with Public Folders, all that would be left would be to remove the various 2013 servers. As we intend to maintain the 2016 servers, it appears to me, that we should be able to simply remove the 2013 servers without too much consideration, no?
You will need to do a normal migration of 2013 -> 2016 and a normal decommission of the 2013 servers.
Any news/info on the mentioned ‘Hybrid Connector’ or crossing our fingers for more at Ignite?
No public announcements. I expect Ignite will be the next time they share news on this.
That’s what I thought. Was hoping it was a bit sooner as found at new $WORK that they prematurely removed their on-premise Exchange box (back in the 2007 days) as still using ADFS and Azure AD Connect.
Thinking after the new Exchange box is stood up will need to run Hybrid Config Wizard (and possibly set Exchange Hybrid in AADConnect) to sync things up so can start managing/fixing Exchange related attributes.
Hi, any updates about connector, now is 2019 and still nothing? Do you know any rumorous etc, ?
Thanks for your reply Paul –
I will review the suggested article. Is it possible to retain Hybrid AD after disabling Azure AD Connect?
Hi Paul,
Thanks for the great article.
We have Hybrid Configuration for our AD and for the exchange. Now, we want to get rid of our on-premise exchange since we have migrated all our mailboxes to Office 365. I understand that we cannot decommission our on premise Exchange 2010 server until we remove Directory Synchronization.
Please kindly advise on the impact of removing of AADSync/DirSync. Once we have removed DirSync, I believe we cannot synchronize AD users between on-premise and DirSync – Does the Identity management and single sign on continue to work in this scenario? What is the advantage of retaining On-Premise AD at this point?
If you remove directory sync you will be using the cloud identity model after that. I’ve written about the different identity models here:
https://www.practical365.com/identity/planning-an-identity-model-for-office-365/
Hi Paul,
Thanks for the article and also the answer you’ve provided in the comments.
I’ve been reading this article, along with 2 of your other articles and a series of TechNet articles.
I’m not sure if what you’re suggesting is relevant to our environment.
We’ve just moved from an onprem 2013 Exchange server to O365 using SkyKick with a cutover migration. We have Azure AD Connect setup for user, group and pwd hash sync and all is working well.
However, I now want to look at decommissioning Exchange as the server as it’s taking valuable space on our VM environment (in terms of memory, disk space, backups and time management).
Are you (Microsoft) saying that we can’t get rid of the onsite Exchange server if we want to keep AD Sync?
Thanks
Jon
Jon, that question is already answered in the article above and in subsequent comments as well.
Doesn’t this change slightly if someone has done an O365 Staged Migration from Exchange 2007 and gone through the MEU process to move mailboxes previously on prem to Mail Enabled Users mailboxes? It does according to Microsoft (and I only half believe them).
Can you be more specific? I understand what a staged migration is but I don’t know what change you’re referring to.
Understood Paul. Are you saying I should try to insist with this client that they introduce an Exchange 2016 Hybrid server to facilitate Exchange management due to the Microsoft’s best practice/recommendations?
This customer never had Exchange deployed and seems like a more direct support message from Microsoft on Hybrid recommendation with on-premise AD should be written about?
One related item – do you feel Azure AD Connect installs should also be kept current with releases that are six months old or newer?
-larry
Paul,
I have what I think is a quick question and thanks for all your posts and information you provide and I love the O365 books.
I have a client using AAD to replicate objects to Office 365/Azure AD and they migrated directly from Lotus Notes so they don’t have Hybrid (yet). We installed the original Exchange 2016 RTM Schema extensions and manage attributes unsupported via ADSIEdit. Yes I know not a good practice and trying to get Hybrid serve run place.
So in the short term is it best practice in these situations to keep the Exchange schema up to date wether its Exchange 2013/2016 which the periodic schema updates provided in the Cumulative updates?
thanks in advance,
Larry
I haven’t seen any guidance on that either way. I suspect there is no best practice when you’re already not following best practice.
I have a 2010 hybrid environment and all of my mailboxes and room calendars are moved over. I’m ready to install the 2016 exchange server and add it to my network and remove my 2010 exchange servers. What roles does the 2016 server need?
Thank you.
The Mailbox server role in Exchange 2016.
Thank you Paul. Pulling the trigger soon.
Hi Paul, thank you for this article.
Do you think that removing the Exchange attributes from the AADConnect sync scope would allow them to be managed directly in the tenant ? Or would those properties remain “blocked” ?
This could be a way to have the tenant “think” that the on prem AD schema is not Exchange extended, and make it possible to completely remove any on prem Exchange components, and still be able to manage Exchange properties.
Have you tried that before ?
Thanks again for all your work.
I haven’t tried. I suspect it doesn’t work. It would be unsupported, so I don’t see the point really.
did this work for you.
Paul great explanation!
Question: We have migrated all mailboxes to o365 and have two Exch 2016 Hybrid servers on-prem we used for the migration, management still, and HA purposes. We also have Azure AD Sync in place.
We still have 4 cas and 4 dag 2010 servers on-prem and want to decommission them.
Are there any good links to step by step removal of the remaining 2010 servers?
Thanks!
Yes, TechNet has guidance on removing Exchange 2010 servers.
Hi Paul
I am trying to find some information for a customer who has successfully migrated all of their mailboxes onto Office 365 (Hybrid configuration with AAD Connect), and is now looking at decommissioning their entire On-Prem infrastructure (not just Exchange, but AD as well) in the long run.
Their AD is very simple (1 forest, 1 domain, a few file shares, and Exchange, that’s about it), so they don’t want to burden themselves to having to keep managing AD (and be charged a few thousand dollars per month by the service provider), as well as reduce hardware cost…
So in this case, they configured Exchange Online with Exchange On-Prem using Hybrid scenario… now is it even possible to get rid of Exchange + AD?
Was there something unclear about the article? You’re asking a question that I feel like I’ve already answered. But perhaps I don’t understand some part of your thinking on this matter.
Hi Paul, I think Steven’s question is about how to remove the on-premises infrastructure entirely (AD Connect + Active Directory + Exchange) after you have lived in hybrid mode for a while and thus base your whole identity management system on (and only no) Azure AD.
Short answer, remove hybrid configuration, remove directory sync. Following that you would decommission your on-prem infrastructure. But the details really depend on the environment. There’s a lot to consider when completely removing on-premises infrastructure, and every environment is unique.
Is there a reason why MS isn’t supporting full bidirectional sync in AAD Connect? I imagine that for customers that insist on maintaining onpremise AD Azure AD sync, bidirectional sync of all attributes would remove the need for an onprem Exchange server for managing object attributes. Plus this recently announced “Hybrid Backbone” solution/kludge would not be needed.
My AD is sync’ed with Azure-AD. Using my Exchange On-Prem Server, I create new users through this interface choosing to provision a Remote O365 mailbox, Distribution Group or Shared Mailbox. My email address policies are picked up from On-prem Exchange as well.
If the last Exchange server is removed, removing Exchange attributes from AD, how or will the new tool support these same on-prem provisioning practices?
Keep in mind this tool hasn’t been released, so it may work differently when they actually release it, but the basic idea is that you make changes via the O365 portals, and those are pushed to the on-prem connector which interacts with your AD to make the change there, and then syncs back to the cloud. I would assume this means our account/mailbox provisioning workflows will need to change a little, but that is a small price to pay for not having to run an Exchange server any more.
Hi Paul,
I didn’t know about the Windows essentials Scenario. It would fit a lot of our customers.
Questions :
1 – Can it be integrated in a domain where other DCs are in place?
2 – You are talking about a 100 users limit but everywhere I look, for Windows server 2016 Essentials, I see 25 users and 50 devices. Can you help me find a link to the correct information?
Thanks a lot for your blog and your book, always my reference for O365 stuff.
There’s a difference between the Essentials server *edition* and the Essentials server *role* (aka “Experience”).
https://docs.microsoft.com/en-us/windows-server-essentials/install/install-and-configure-windows-server-essentials-or-windows-server-essentials-experience
1) For 2016 the Essentials *role* can be deployed on a DC or on a member server in an existing AD.
2) The *edition* and the *role* have different limits. I have briefly looked for new guidance on whether 2016 Essentials *role* limit has changed from 2012 but can’t find anything, so for now I assume its the same limits as 2012.
Paul, we are on Exchange 2010 Hybrid with about 27,000 mailboxes and have migrated all mailboxes and public folders to O365. Do you recommend staying in Hybrid? Also, has MS come out with a solution for DL owners to manage their DLs from Outlook?
There’s an Ignite 2017 session on running hybrid for the long term that you should watch.
Paul,
Very nice article. We currently have an Exchanged 2007 on-premise but we have moved most of our mailboxes to Exchange Online/Office 365. Our Outlook and smartphones are now pointing to outlook.office365.com, everything is running fine and we are thinking of decommissioning Exchange 2007. Now we have a situation that some of our applications need an email address mailbox, my question is can we still retain the Exchange 2007 running side by side with our Exchange Online subscription just for those applications /local emails?
Thanks,
Joe
Why can’t your applications use Exchange Online mailboxes?
We can, but as much as possible we don’t want to buy licenses. Some of them also doesn’t work with Exchange Online, since they don’t have the TLS configuration on them. So the option I’m thinking is running the Exchange 2007 for this type of situation. I’ll use the Office365/Exchange Online purely for employee email purposes.
An Exchange Online license is pretty cheap. But if the TLS issue is a deal breaker then sure, run an on-prem server. Assuming they need a full mailbox and not just an SMTP server.
Keep in mind that Exchange 2007 has reached end of life too. If you’re going to keep an Exchange server running on-prem you should plan for an upgrade ASAP.
Hi Paul,
Very informative. Your website has been such a reliable and complete source of information. Thanks for that.
What do you suggest for using as SMTP server if you don’t have an on-premises Exchange anymore?
I haven’t been able to let my applications/devices send to Office 365 directly.
On a side note: I hope Microsoft will soon come up with some solution for removing the on-premises server.
A simple Linux (e.g. Ubuntu Server) install with Postfix or Sendmail would do the job. You can also use IIS as an SMTP server.
Microsoft announced at Ignite last month their plan to have a solution for removing the last Exchange server from dir synced environments, and gave a timeline of 12-18 months to deliver the capability.
Thanks for information. Those applications unfortunately either needs a mailbox or doesn’t have the TLS option. My other option is use gmail or yahoo , but since I have an Exchange server , might as well use it for now.
Paul,
I have 2012 Essentials Role running on my AD server which is integrated with a separate on-prem Exchange 2013 (both VMs). I hav decided on a cutover migration to Office 365 (email only) and would like to integrate Essentials with the O365 account for password sync, but I cannot because Essentials is currently integrated with Exchange. Must I decommission Exchange first before Essentials will allow me to integrate with Office 365.
I haven’t encountered that situation before (not sure why you would setup Essentials with an on-prem Exchange to begin with), but it sounds like it makes sense that you’d need to detach it from Exchange before you can attach it to Office 365. But I can’t say for sure.
What if the last Exchange server is uninstalled, but AD Connect is needed. Is there a way to reinstall exchange so that the hybrid exchange configuration is still in place?
If you uninstalled the last Exchange server then the hybrid configuration would have already been removed before you uninstalled the server. So if you want to re-establish the hybrid, yes you’ll need to reinstall an Exchange server. Maybe I’m misunderstanding your question.
You’re correct the hybrid configuration is removed. But because AD Connect is still being used, there no way to add new mailboxes for AD Users for example. Also only way add email aliases for AD users is by using ADSIEDIT. So there for is it possible to install a new Exchange server to make it possible to edit this on-premise?
Or do I have to break the AD Connect sync and recreate it (is that even possible)?
No you don’t need to break directory sync to reintroduce Exchange to the on-premises org.
Pingback: Decommission Exchange Server after Office 365 Migration
Hi Paul,
We are wrapping up an Exchange to O365 migration. We are not migrating all mailboxes to O365. Those not migrated will no longer be in use. Is there a way to identify which onprem mailboxes are still active? We want to be sure we didn’t miss any mailboxes that should be migrated.
Thanks!
What do you consider “active”?
Actually here’s some thoughts I put together on this topic a while ago:
https://www.practical365.com/exchange-server/find-inactive-mailboxes-exchange-server/
If you work in an organisation that moved to Office 365 using a cutover migration, and then binned the Exchange 2010 server, and uses Directory sync, do you basically just need to grin and bear it?
No?
Thank you very much, Paul!
That’s exactly what I could not find an answer anywhere.
Hi Paul!
Great article! One question about AAD connect.
We have 4 exchange servers: 2 edge servers and 2 CAS+MBX with DAG. To date, all mailboxes have migrated to office 365.
Synchronization with AAD connect is also no longer needed.
If we remove the hybrid scheme, remove the AAD connect synchronization, completely remove all exchange servers, then the mailboxes in office 365 will be fully cofigurable?
For example, will it be possible to add an additional email address for the mailbox?
At the current moment, this can only be done from the on-premises servers.
Correct. When you remove directory sync and disable it in your tenant your on-premises AD is no longer the source of authority, and you can make changes to objects and attributes in the cloud.
Paul, I’m planning an inhouse migration of 30 mailboxes off a 6 year old 2010 server and onto 365.
The server hardware is living on borrowed time, I’m thinking of a P2V migration of that server so I can retain MSX if needed. However, yesterday (13/8) I took a look at what permissions / options / attributes are available within EXO and all the options /permissions / attributes I could think of are now available (I’m no Exchange expert though).
From what I could tell, the 4 attributes listed in the image at the start of this article are now available within EXO:
https://www.practical365.com/blog/microsoft-working-solutions-remove-premises-exchange-server-requirements/
I wonder if MS may have moved forward in large steps towards solving the problem of having to retain an Exchange server on prem.
What do you think?
And, if I don’t use dirsync, do I need to retain an in house MSX server?
If you don’t use directory sync then you don’t need an Exchange server on-premises, as the on-premise AD is no longer your source of authority.
There’s been no further announcements on the work to create a solution that allows directory sync without an on-prem Exchange server.
Having moved all the mailboxes over to office365 via hybrid or third party method and have incoming mail, autodiscover etc pointing to office365, can the Exchange components be as simple as removing the on prem databases, public folders, connectors and then stopping the exchanges services (or using add/remove programs to remove the roles and just leave the admin tools behind ) to reduce the load on the box and then dropping the box requirements to a low cpu/memory usage?
No. The Exchange tools need a working Exchange server to connect to. There’s nothing to be gained from tearing down any of the default config by removing connectors or any of that.
I miss in your article some other points of interest that you could do. For example you can switch autodiscover/owa url’s to O365 when every mailbox is in O365.
Hi RKast, this article is not a “how-to” manual so it is not expected to be in here. You could use the Exchange Deployment Assistant for you question. That said, it would be interesting to have a non-Microsoft view / article on migrating to Exchange Online from an on-premises Exchange.
Hi Paul,
Great article. Can you advise when running on-prem Exc2013 and O365 using dirsync what is the process for creating shared mailboxes, dist lists and room resources? I know that I can create user mailboxes via on prem EAC and select Create O365 mailbox which will create it correctly but there is no such option for creating shared mailboxes, dist lists and room resources. Should these be created using PS on prem and sync’d as per user mailboxes or can I just create them directly in O365 EAC? Will creating them this way cause any issues as they will have no on prem AD object.
Thanks,
Paul.
Nice post Paul, thanks. Question…we are an SMB with only 40 mailboxes in a 2010 hybrid setup with O365 and ADConnect is setup. Really wanting to decommission the 2010 Exchange box as small as we are. Can we not just manage the properties of these mailboxes and groups using Active Directory advanced features? Just trying to avoid the inevitable upgrade to a later version when 2010 phases out plus all the updates that will be needed for just 40 mailboxes. Just asking…thanks
Hi Chris, I know it’s tempting to look for grey areas and edge cases, but this really is a simple supported vs non-supported situation and the info in the post already answers your question. You just need to work out a solution you’re happy with (e.g. using Essentials).
So, what about this scenario? SBS2011 to Office 365. Cutover migration with cloud identities. Then decommission SBS and Exchange. After Exchange was been uninstalled, then go back and setup AD Connect to do directory sync.
Would that work ok?
Thanks in advance!
Matt
I addressed the question of cutover and retrofitting dirsync afterwards in the post, and also recommended SBS customers consider Essentials as a solution instead of directory sync. Removing Exchange before dirsync is installed doesn’t solve any problem.
I guess I’m just not clear on what the problems are then. Lacking any prior insight that this wouldn’t work, I’ve done it at least 4 times over the last couple years without any issues (at least as far as I can tell).
And I have a half dozen other environments where a migration was done in the past and Exchange was removed afterwards. Am I to understand I can Never do DirSync in those places?
Thanks.
Sure. Take another look at the two quoted sections in the article, which come from Microsoft articles, then the paragraph where I summarize what they’re saying.
Directory sync is *possible* without an Exchange server, but it leaves you in a situation where you need to use *unsupported* methods to manage mail attributes for your users (mailboxes), distribution groups, and contacts.
I talked to a MS support engineer this past week and he was adamant about positively removing all Exchange servers from on-premises. “There’s no need!” he said. “You won’t lose User attributes from AD – it’s been extended and nothing is going to go through AD and ‘remove’ attributes. Once you decommission Exchange Server from your on-premises you will have to edit users attributes (e.g name change) using *unsupported* methods.”
The unsupported method is ADSI edit.
BUT! Does this mean 365 Support won’t help me if I open a ticket for a User issue since I don’t have an on-premises Exchange Server server?
Why even entertain the possibility?
To put it bluntly, why propose a solution to your boss/customer that you know to be unsupported? I can’t articulate every possible way that it would backfire and cause a major issue. That’s impossible.
I just wouldn’t take the risk in the first place.
Another cracker article. I’ve been pondering this one myself having just completed a 2013-2016 migration in a hybrid environment . Thanks Paul!
Post-hybrid is not a big deal because you can just “do nothing” and you’ll be fine. It’s the folks who smash through a cutover or third party tools migration and then decide to try and retrofit dirsync who often find themselves in a sticky situation.
Follow up question; if I Have to keep an exchange server on prem, should I migrate/upgrade the 2003 server to 2013? This really adds a whole new headache. This client is 250 users
2003 is well out of support, so you’ll need to get rid of it anyway. A 2003 org is eligible for the free hybrid license key (2010 in your case, since 2003 -> 2010 is the supported upgrade path). See my comments above to another person about long term considerations for 2010.
https://support.microsoft.com/en-au/help/2939261/how-to-obtain-an-exchange-hybrid-edition-product-key-for-your-on-premi
I have a client using Azure Sync and we just completed their move from exchange 2003. Does this mean I can’t remove the 2003 server if I’m needing to continue managing users and permissions from on prem AD? I was just about to start digging into the research for decommissioning the 2003 bucks, but now I’m worried that I can’t
Hi Paul,
I have clients who are quite a way off ditching AD sync and still have Exchange 2010. Would it be best to remove bring a couple of 2016 servers in for management and decom the 2010 boxes?
2016 offers the best hybrid coexistence experience but as a pure mgmt interface I don’t know of any specific issues. That said, 2010 is in mainstream support and it’s possible you’ll see issues surface as EXO evolves but 2010 isn’t updated to keep up (although MS does reserve the right to issue updates during extended support if they feel it necessary).
Short answer: if the org will be running dirsync for a long time into the future, and has the resources to upgrade to 2016, then go for it.
Hello Paul,
I have an use case (SMB) where we want to sync users and password hashes to Azure AD. Is it supported to use AAD Connect if no Exchange schema is present within AD (resp. Exchange was never installed in this environment)?
Thank you!
I am aware of using the Windows Server Essentials Experience Role with Server 2012 R2. But on 2008 R2? I think there is no alternative to AAD Connect…
Hi Martin Walder, AAD Connect works independently from Exchange so yes it is absolutely supported to use AAD Connect without Exchange.
I would love to see an article that shows how to collapse a current Exchange Server Farm down to just the one box (in a Hybrid Configuration) and then converting that to the free Hybrid License.
Items should include removing/decommissioning DAG and CAS members; putting all roles onto one box; and moving the database(s) to the one Hybrid box.
There’s no “conversion” to a free hybrid license. If you already have licensed Exchange servers then you have everything you need. The hybrid license key is just a key, it doesn’t change the functionality of the server at all.
For downsizing, I will pull together a list of resources and post an article. But short answer, the steps are the same whether you’re doing it for a hybrid scenario or just for any other decommissioning scenario. Removing a DAG or a server is the same either way. But as I said I will pull together some notes because you are not the only person who has asked for it.
Great article. I am also looking for this information. I have added the Exchange 2016 server with the hybrid license to my domain. We do federation and the most current sync methods. We understand that we will probably forever be in Hybrid mode and that is fine. We do want to retire all of our Exchange 2010 servers that include all roles. First I have to manage to get the Public Folders migrated to O365. I found the instructions for the new means to migrate Public Folders but am hung up on the PFs that have / or \ in their names and renaming them without breaking anything.
Hi Paul,
As we are small, we run a single physical Exchange 2013 server. Is it possible to do a P2V conversion of this server after doing a hybrid mode migration to Office 365 E3 with Exchange, for the management tools? Is that supported or even recommended? Any advice is welcome!
Thanks!
Running Exchange on one or several virtual servers is fine (haven’t done anything else since Ex2010), but I don’t think I would want to go with P2V to get there. I would start by building a second virtual Ex server, perhaps even upgrade to 2016, then do a proper migration of roles, mailboxes, connectors, etc., and remove the physical from the organization once complete. Excellent migration guides here, thanks to Mr. C!
Thanks Oliver!
Mike
I agree with Oliver that P2V is not ideal. A “like for like” server migration is a fairly easy process, especially if all the mailboxes are already in Exchange Online.
https://www.practical365.com/exchange-server/performing-like-like-exchange-server-migration/