A word of warning first
With what’s almost a passing mention in the announcements for the latest Exchange Server 2019 “H1” cumulative updates on 04/20/22, there were some significant updates from Microsoft.
Yes, removing the last Exchange Server from a Hybrid environment is now possible.
It is important to note though: you must NOT uninstall it. Instead, you remove it permanently by following Microsoft’s documented process, and for many organizations you may need to keep the Exchange Server around for some time longer.
You will find a list of caveats, and a specific process documented in detail by Microsoft. Having been part of the preview program for this new feature, the requirements and steps to remove Exchange all make sense.
What to Expect Removing the Last Hybrid Exchange 2019
If you migrated all your mailboxes to the cloud some time ago, then you’ve probably dreamed about the day when you can finally (perhaps with some ceremony), remove that last Exchange 2019 Server. To be clear, you will be slightly underwhelmed, and that is absolutely fine.
What you can expect: A subset of Exchange recipient management cmdlets targeting AD objects representing cloud recipients and their supporting configuration like domains and email address policies. You’ll also receive instructions and scripts to allow you to gently remove the supporting configuration for the server and various hybrid components – after shutting down the last Exchange Server.
You will still need to manage recipient configuration on-premises for AD-mastered objects, with the same boundaries you’re used to. For example, email addresses for an on-premises user are still updated on-premises, while mailbox settings such as recipient permissions are updated in Exchange Online.
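As an added example (not from the original post or from Microsoft’s own scripts), here is what that split looks like in practice once the last server is shut down: AD-mastered attributes are changed on-premises through the Exchange 2019 CU12 Management Tools snap-in, and mailbox-level settings are changed in Exchange Online. The tenant name `contoso.com`, the user `jsmith`, the shared mailbox name and the admin account are placeholders; `Add-PSSnapin` requires Windows PowerShell 5.1 rather than PowerShell 7.

```powershell
# Added example (not the original post's code): day-to-day recipient management
# after the last Exchange Server has been shut down. On-premises changes go
# through the Exchange 2019 CU12 Management Tools snap-in; mailbox settings
# go through the Exchange Online module. All names below are placeholders.

# --- On-premises: AD-mastered attributes (Windows PowerShell 5.1) ---
# Load the recipient management snap-in shipped with the CU12 Management Tools
# (the wildcard form is how Microsoft documents loading it).
Add-PSSnapin *RecipientManagement

# Add a secondary SMTP proxy address to an AD-mastered remote mailbox.
# The change is written to the on-premises AD object; Azure AD Connect then
# syncs it, so it does not appear in Exchange Online until the next sync cycle.
Set-RemoteMailbox -Identity 'jsmith' -EmailAddresses @{ add = 'smtp:john.smith@contoso.com' }

# Confirm the proxy address list and whether the address policy still applies.
Get-RemoteMailbox -Identity 'jsmith' |
    Select-Object Name, PrimarySmtpAddress, EmailAddresses, EmailAddressPolicyEnabled

# --- Exchange Online: mailbox-level settings ---
# Permissions and delegation are not AD attributes, so they are set directly
# in Exchange Online; the on-premises tools cannot touch them.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'

Add-MailboxPermission -Identity 'Sales Shared Mailbox' -User 'jsmith' `
    -AccessRights FullAccess -AutoMapping:$false

# Review who holds explicit (non-inherited) rights on the shared mailbox,
# filtering out the built-in SELF / system entries.
Get-MailboxPermission -Identity 'Sales Shared Mailbox' |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
    Select-Object User, AccessRights

Disconnect-ExchangeOnline -Confirm:$false
```

The design point is that each object has exactly one place where a given setting is authoritative: proxy addresses on the AD object, permissions in the cloud. Trying to set `EmailAddresses` with `Set-Mailbox` in Exchange Online on a synced user fails precisely because the source of authority has not moved.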
You won’t have the ability to change the source of authority for those objects, which is something Microsoft alluded to in the past. You also won’t have the ability to update user attributes cloud-side in Exchange Online and have the AD object updated by a write-back mechanism (similar to the password change flow or HR-based provisioning from Azure AD to on-premises), which was another possibility Microsoft shared several years ago.
The solution is also focused squarely on the recipient management aspect. Microsoft isn’t suggesting this is the panacea that solves the “last Exchange Server” problem for everyone.
Mail relay remains the elephant in the room. While Microsoft announced that Exchange Server 2019 gets free Hybrid licenses and that you can deploy Exchange onto Windows Server 2022, that only applies to the core Mailbox role on a domain-joined server, not to an Edge Transport Server deployment.
Edge Transport as a standalone SMTP relay has the potential to be a great drop-in replacement placed into a DMZ allowing mail relay from older application servers using Receive Connector rules imported from the last Exchange Hybrid Servers you maintain. For now, at least, you’ll need to keep that last Exchange Server up to date, use a different MTA, or work on configuring your application servers to deliver to Exchange Online.
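Whichever of those routes you take, the first step is knowing which application servers still depend on the last hybrid server for relay. The following is an added example (not from the original post) that inventories the Receive Connectors and then uses message tracking to show which client IPs actually submitted mail through them in the last 30 days. The server name `EXCH01` and the connector name pattern `*\Relay*` are placeholders; it runs in the Exchange Management Shell on the remaining server.

```powershell
# Added example (not the original post's code): inventory which hosts still
# relay through the last hybrid Exchange Server before choosing a replacement
# MTA or reconfiguring them to deliver to Exchange Online directly.
# Server and connector names are placeholders.

$Server = 'EXCH01'   # placeholder: the last hybrid Exchange Server

# 1. Which Receive Connectors permit relay, and from which source ranges?
#    Anonymous relay connectors are typically scoped by RemoteIPRanges and
#    grant the Anonymous permission group; review those first.
Get-ReceiveConnector -Server $Server |
    Select-Object Name, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism |
    Format-List

# 2. Who actually used those connectors in the last 30 days?
#    RECEIVE events in the message tracking log record the client IP and the
#    connector, so grouping them shows the real dependencies rather than the
#    intended ones. -ResultSize Unlimited lifts the default cap of 1000 rows.
$Since = (Get-Date).AddDays(-30)
$Relay = Get-MessageTrackingLog -Server $Server -EventId RECEIVE -Start $Since -ResultSize Unlimited |
    Where-Object { $_.Source -eq 'SMTP' -and $_.ConnectorId -like '*\Relay*' }  # placeholder pattern

$Relay |
    Group-Object ClientIp |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'ClientIp'; e = { $_.Name } },
                  Count,
                  @{ n = 'Senders';  e = { ($_.Group.Sender | Sort-Object -Unique) -join ', ' } },
                  @{ n = 'LastSeen'; e = { ($_.Group.Timestamp | Measure-Object -Maximum).Maximum } } |
    Format-Table -AutoSize
```

Message tracking logs are retained for 30 days by default, so run this over a full month (and again after any quarter-end batch jobs) before concluding that a relay client is gone; a host that shows up only in the log, and not in any connector’s `RemoteIPRanges`, is submitting through a broader connector and will break just as surely when the server is switched off.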
Microsoft 365’s Evolving Capabilities are the Culprit
If you were expecting the perfect solution after all this time, then you shouldn’t have. In the last few years, the reality is that an increased number of organizations are actually removing their dependency on Active Directory. By the time a perfected write-back or change of authority solution arrived, you would most likely be considering going towards cloud-only identities anyway with potentially Azure AD DS being the legacy directory after you move some of those legacy servers into a Landing Zone in Azure.
Without write-back capabilities, a stale set of attributes in AD is dangerous for customers that don’t have a cloud-first strategy but extensively use Microsoft 365. Anyone advocating simply cutting the link between an Exchange attribute in AD and the equivalent Azure AD attribute has, thankfully, not yet experienced the pain that causes.
Many Google migrations obviously result in buyer’s remorse (and staff mutiny) and when customers come back, the mess made by whoever helped them migrate usually includes switched-off Exchange Servers, and attributes that haven’t been maintained and don’t reflect the current state for mail flow. A great deal of effort needs to be expended on remediation, and for Microsoft to enable its own customers to end in that situation would have been inexcusable.
If you truly don’t want Exchange attributes managed in a local AD, even by a set of Exchange recipient management tools, then begin thinking about how you remove AD. It’s easily achieved by smaller organizations and regularly achieved by mid-size and smaller enterprise organizations. Any larger than a few thousand employees and yes, there will be enough reliance on commercial off-the-shelf apps that it will be more difficult and a 2–3-year journey. In such orgs, though, the footprint of running a couple of Exchange Servers in Azure or the datacenter is negligible; and with the ability to upgrade to Exchange 2019, use Windows Server 2022 and perform in-place OS upgrades in the future too, it’s not a bad situation.
Widening the niche
The solution to removing the last Exchange Server is undoubtedly a niche solution, for those that:
- Have no need for mail relay using Exchange
- Had only a single server remaining
- Had thankfully not tried to do it themselves already in an unsupported way, leaving attributes in an unknown state
- Are quite happy using PowerShell for ongoing management
- Are small enough to fit the above criteria, competent enough with PowerShell to use that for daily management and have no plans to get rid of AD any time soon.
The first three points are a wide cross-section of businesses – the fourth is an order of magnitude slimmer niche; a niche within a niche, if you will.
To help solve that, stay tuned for my latest open-source script for removing the last Exchange Server, which I’ll release for Practical 365 readers in the next few weeks.