Why you shouldn't install an Exchange Hybrid Server

It may surprise you to hear that if you are running a supported version of Exchange Server, you don’t need to install an Exchange Hybrid Server. Sure – many of you reading this will be wondering why I’m even stating the obvious, but a significant number of consultants and IT professionals configuring Hybrid for an Exchange migration to Office 365 install an additional server (or two) to support a Hybrid migration. To clear things up, here are five reasons why you shouldn’t do this.

Exchange 2010 and newer already have Hybrid baked in

The clearest and most obvious reason for not installing an Exchange Hybrid server is that you already have one – or probably, more than one! Exchange Server 2010 was built for Office 365, and served as the foundations for Office 365 in its earlier form, Live@Edu and the launched version of Exchange Online. By Exchange 2010 Service Pack 3, Hybrid was – and is – similar to what you see and use today.

The Office 365 Hybrid Configuration Wizard supports Exchange Server 2010 and works well to support migrations to Exchange Online. Millions upon millions of mailboxes have been migrated straight from Exchange 2010 to Exchange Online without additional “Hybrid Servers”.

The same goes for newer versions – whether you run Exchange Server 2013, 2016 or 2019 – you won’t see additional benefits from adding a newer version of Exchange Server. Areas like Microsoft Teams integration with Exchange 2016 and 2019 won’t become available to your mailboxes on Exchange 2013 – you’d need to move all mailboxes to the newer version of Exchange – so installing a newer version in the hope of seeing additional benefits will be a fruitless task.

Installing an Exchange Hybrid Server won’t provide you better performance or flexibility

If you’ve got issues with your current Exchange implementation, then fix those issues if you don’t believe it will survive a migration. That might mean adding additional capacity if it already has far too little – but it might actually be the case that migration to Exchange Online will relieve stress on the current environment. Expanding the environment on-premises will involve mailbox moves, so potentially your better option might be migrating them straight to Exchange Online rather than to a so-called staging server first.

Additionally, if the hope is to offload migration load to “Hybrid Servers” by putting these as the egress point for migrations, you might be disappointed. Supposing you add an Exchange 2016 server in front of your Exchange 2010 Client Access Servers and DAG? The mailbox moves will still reach back to the Exchange 2010 servers, and naturally pull mailboxes from their storage, providing little or no benefit. You should not see any difference in user impact compared to a direct migration – and Exchange 2010 will throttle the Mailbox Replication Service to ensure that user access remains the highest priority.

From a networking perspective, sometimes people suggest that adding an Exchange 2016 server to publish services to the internet will provide them the flexibility they demand. In nearly every single situation this isn’t the case. Exchange Servers – whether these are your existing Exchange 2010 servers or additional “Hybrid” servers – must have no firewall rules blocking communications between other Exchange Servers or Active Directory domain controllers. There isn’t a particular use-case for being able to install Exchange Servers within a DMZ. Instead, consider revisiting your load-balancer or reverse proxy configuration to publish the existing servers correctly. You’ll no doubt need to do this if you install Exchange 2016 servers, anyway.

Adding a newer version of Exchange is quite complex

I know that for the purposes of “installing a Hybrid Server” you can get away with installing a newer version of Exchange Server into the environment, and then carefully prevent it from being accessed by clients, so that they access the current version of Exchange.

However, the correct way to install a newer version of Exchange includes moving your client access namespaces across to the newer version of Exchange. This generally means that you’ll see external client access, such as Outlook on the web, Outlook Anywhere, ActiveSync and Exchange Web Services – as well as AutoDiscover – reach your Exchange “Hybrid” servers and either respond to requests, or proxy them back to your older servers.

By adding a newer version of Exchange Server to your organization properly you are effectively preparing for coexistence prior to an Exchange upgrade. Granted – you haven’t had to size servers to host mailboxes, but effectively you should be in a position where everything – be it client access, or mail flow, is moved to touch your Exchange “Hybrid” servers first. This adds risk to client access and additional testing steps in line with an on-premises upgrade.

You don’t need to do this if you use your existing Exchange Servers to configure Hybrid – so why put yourself through it?

You’ll provide yourself with more areas to troubleshoot

It goes without saying that the more moving parts – the more components there are that can go wrong. With a normal Hybrid migration, you will more than likely perform some troubleshooting. You will most likely check the Migration Batch logs in Exchange Online, you will most likely check and investigate potential issues with free/busy or mail flow. During the migration itself, you might need to troubleshoot issues.

In most migrations, that might mean that you need to troubleshoot firewall configuration, load balancer configuration or NAT rules, view IIS and event logs – even with a single Exchange 2010 server. It goes without saying that your steps for troubleshooting almost every issue will involve an extra step. Most requests will eventually be received by your existing Exchange Servers – so you will need to troubleshoot issues within the Exchange “Hybrid” environment and trace those back through to corresponding older Exchange Servers. Don’t make life harder for yourself.

By the time you’ve installed your “Hybrid Server” you could have been moving your first mailbox

I hate stating this because it’s not true in every situation. There are many organizations that spend so long thinking about how they might move mailboxes that you could have moved them to a newer version of Exchange, let alone installed a few Exchange “Hybrid” servers. They are few and far between though and the issues are primarily down to the organization and not technical reasons.

For most organizations, the technical aspects of moving from not being able to migrate a mailbox to Exchange Online to actually being able to move a mailbox are pretty straightforward. Forgetting Outlook versions, client access, and mail flow (which you’ll deal with “Hybrid” server or not), technically moving a mailbox from Exchange on-premises to Exchange Online isn’t all that complicated.

At a real push, enabling and publishing the MRSProxy service and stamping a few objects in Exchange Online and on-premises correctly is enough to grease the wheels to move a mailbox. And once the pre-requisites are configured correctly, executing the Hybrid Configuration Wizard and implementing the correct configuration to your Exchange Online environment to support your needs isn’t much of a stretch.
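
To see whether your existing servers can already act as the mailbox move endpoint, the following added example (not from the article or from Microsoft) reports the MRSProxy state of each Exchange Web Services virtual directory using the Exchange cmdlets Get-ExchangeServer, Get-WebServicesVirtualDirectory and Set-WebServicesVirtualDirectory. The function name Get-MrsProxyReadiness and the server name EXCH01 are hypothetical.

```powershell
# Added example (not from the article). Run in the Exchange Management Shell on an
# existing on-premises Exchange server. Written to work on PowerShell 2.0, which is
# what Exchange 2010 ships with, so it avoids [pscustomobject] and newer syntax.

function Get-MrsProxyReadiness {
    # One row per EWS virtual directory: is MRSProxy on, and is the directory
    # published with an external URL that Exchange Online could reach?
    foreach ($vdir in Get-WebServicesVirtualDirectory) {
        $server = Get-ExchangeServer -Identity "$($vdir.Server)"
        New-Object PSObject -Property @{
            Server          = $server.Name
            Version         = "$($server.AdminDisplayVersion)"
            ExternalUrl     = "$($vdir.ExternalUrl)"
            MRSProxyEnabled = [bool]$vdir.MRSProxyEnabled
            # Ready means MRSProxy is enabled AND an external URL is set.
            ReadyForMoves   = ([bool]$vdir.MRSProxyEnabled -and [bool]$vdir.ExternalUrl)
        }
    }
}

# Hashtable order is not preserved on PowerShell 2.0, so fix the column order here.
Get-MrsProxyReadiness |
    Select-Object Server, Version, MRSProxyEnabled, ExternalUrl, ReadyForMoves |
    Format-Table -AutoSize

# Enable MRSProxy only on the server(s) that will be published as the migration
# endpoint, not on every server. 'EXCH01' is a placeholder name.
# -WhatIf previews the change; remove it to apply.
Get-WebServicesVirtualDirectory -Server 'EXCH01' |
    Set-WebServicesVirtualDirectory -MRSProxyEnabled $true -WhatIf
```

A server that shows MRSProxyEnabled as True but has no ExternalUrl is enabled but not yet published, which is a load-balancer or reverse proxy task rather than a reason to add another Exchange server.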

The majority of the complex supporting work in regulated industries or customers with complex compliance requirements is near identical and still needs to be done whether they installed an Exchange “Hybrid” server or not – except that work to add in a newer version of Exchange to “support Hybrid” could have been avoided if they realised what they had already was good enough to support their migration.

What happens when you decommission Exchange?

At the time of writing, May 2020, after your migration it is unlikely you will decommission Exchange Server entirely. Most organizations will use Azure AD Connect to synchronize their on-premises identities to Azure AD & Office 365. This means they have Hybrid Identity, which means they need to keep at least one Hybrid-enabled Exchange Server.

Microsoft are planning, later this year, to release capabilities to allow you to remove the last Exchange Server, but even if you could, you still might need an Exchange Server on-premises. If you need to relay email from application servers, photocopiers or other systems, then you might want to keep an Exchange Server (or two) on-premises to serve as an unauthenticated SMTP relay into Office 365.

Therefore, once you have migrated all your mailboxes there is an excellent case to replace older Exchange 2010 or 2013 servers with one or more Exchange 2016 servers (there’s no free Exchange 2019 “Hybrid” licence), enabled for Exchange Hybrid. These servers will not need to serve clients, but will serve as a management server – the place you’ll enable new Office 365 mailboxes and change details such as email addresses that are mastered within the on-premises Active Directory. Some people suggest that it’s somehow easier to implement “Exchange Hybrid” servers at the beginning of the migration due to this. They are wrong. It’s much easier to implement a newer version of Exchange into your environment for longer term management once clients no longer access the environment and all the mailboxes have been migrated!

About the Author

Steve Goodman

Technology Writer and Chief Editor for AV Content at Practical 365, focused on Microsoft 365. A 12-time Microsoft MVP, author of several technology books and regular Microsoft conference speaker. Steve works at Advania in the UK as Field Chief Technology Officer, advising business and IT on the best way to get the most from Microsoft Cloud technology.


  1. Julian

    Your article is absolutely right. I was going down the rabbit hole, adding an Exchange 2019 to my Exchange 2013 at the beginning of migration.
    I’ve got a question. In the end I want to keep Hybrid, with Exchange 2019 for management and device SMTP relay.
    Will the HCW give me a hybrid license for the EX2019 without doing the full wizard?

  2. chris claydon

    Question please..

    We have on Prem Exchange 2016 and office 2013 on our clients.

    If we migrate to Exchange online and O365 for clients… What is the best way to do it.. ? Setup hybrid exchange, migrate email and then update clients to O365?

    Or what is the recommended way…?

    Thxs Chris

  3. Fred

    I am setting up a hybrid environment with my Exchange 2010 server (no other exchange servers). I have the hybrid setup and have successfully migrated a mailbox. However, I no longer see the mailbox in the on-prem server (Console). Do I need to install Exchange 2013 or 2016 in order to manage the 365 mailboxes on-prem?

  4. Joe

    Steve, thanks for the article. In my situation, I have SBS 2011 which runs Exchange 2010 (patched to its last one available). Can I still follow your guidance to migrate directly from Exchange 2010 on SBS to 365? I did stand up a new member server where I can run the migration wizard and AD Connect. I had planned to install Exchange 2016 on it and run hybrid from there but got caught up in a scenario where users have Outlook 2007 (which I assume doesn’t work anymore if I install Exchange 2016 in the environment). So, I found your article and wanted to confirm I can go ahead with the direct migration to my current 2010 one. (I will have to quickly install new Office from 365 then for all users. I’m guessing the 2007 Outlook will not work with 365 after migration). Any input is appreciated.

  5. Floyd

    Hi Steve,

    I wonder why I need to keep an exchange server. I set up a SMTP virtual server that relays device emails to SMTP.office365.com. My mx record points to office 365 too. I believe that the antique 2010 Exchange server is there just to torture me. I only have less than a 100 users. I also may have more than one server running AD connect… my exchange 2010 fails on some tasks for office365..

    1. Tony Brock

      If you are using AD Connect to synchronize identity with O365 then you will not be able to properly modify many attributes from the cloud (such as primary SMTP address). You will need to use ADSI edit (not recommended) OR allow Exchange to properly update these attributes on-prem.

  6. Tom

    Good Article…
    There are reasons where you DO want hybrid servers…

    One of them is when your entire environment is protected from attacks like Hafnium by being isolated with firewalls and VPNs. Being isolated certainly saved us from the attack but added complexities getting hybrid enabled. We had to stand up servers straddling the DMZ and internal networks to be able to meet MS requirements of end-to-end connectivity without the traffic being inspected.

  7. Rich

    Great article and discussion, thanks for this.

    Fairly related setup – inherited an environment with no local Exchange, AD Synch, no hybrid connectors in Office365. The existing exchange must have been completely decommissioned.

    Customer would like the benefits of local Exchange recipient management. Can an Exchange server be introduced safely into this environment? Not clear if the Exchange setup will make impacts, been searching for a long time and have not come across this scenario.


  8. MJ

    Hi, I would like to inquire if it’s possible to upgrade an Exchange 2010 Server to Exchange 2016 while it’s currently configured as a Hybrid Exchange server to an O365 tenant. Thanks

    1. Steve Goodman

      Yes, and you should plan to do this.

      1. MJ

        Forgot to add that there are still users on 2010, not everyone is migrated yet.

        1. Gary Smith

          That’s the whole point of hybrid, mailboxes on prem and in 365.

      2. Tony Brock

        I think he is asking if you can directly upgrade from Ex2010 to Ex2016. In that case, I don’t think the answer is “yes.”

  9. Chris

    Any update on the option to completely remove exchange from your On-premise environment ?

  10. Eddie

    Hi Steve,

    Good article, really worth to read.

    I’m going to migrate my on-premises exchange online 2013 to office 365 exchange online. Should I keep the on-premises exchange server for making it as hybrid with exchange online? Or decommission my on-premises server after migration?

    would appreciate if you could reply.


    1. Steve Goodman


      After migration, you can keep the Exchange 2013 server as-is for the time being. It remains in extended support until 11th April 2023

      After migration though, you can use that opportunity to replace the server with an Exchange 2016 server using the free Hybrid licence.

      The main reasons to do this will be if you wish to decommission the legacy Exchange 2013 hardware (for example, you might have CAS and Mailbox Roles setup separately, with an expensive to maintain DAG) or – and this is the primary reason – you wish to eventually *remove* Exchange entirely from on-premises.

      In the former scenario, one option could be to consolidate roles onto a single or two server for HA and keep Exchange 2013 until end of support.

      In the latter scenario, Microsoft stated the following here which indicates you are likely to need Exchange 2016 with a future update to make the final decommission of Exchange possible:

      “When we have a solution available to allow any management-only servers to be removed, it may require an update to Exchange Server 2016, and in that case we may release a future CU or patch. Currently there is no plan to release future updates for Exchange 2016, but we want to assure our customers that if we need to do this to support the removal of these ‘management only’ servers, we will. ”


      Hope this helps,


  11. Richard Sargeant

    Hi Steve,

    Slightly off-piste, but relating to carrying out a Minimal Express Hybrid set-up etc…

    I think I’ve just about got my head around this…just! If I go for a ‘one time sync’ Express
    Hybrid migration where both the AD Connect tool (On-Prem) & DS sync (on the tenant) get
    disabled after the migration, plus the Hybrid configure completely removed, I definitely
    don’t need to retain an On-Prem Exchange server to manage the ‘Cloud only’ mailboxes? My
    understanding is, by disabling DS Sync makes the mailboxes ‘Cloud only’. Is that correct?

    Also, if I then want to re-enable or re-install AD connect and DS sync at a later date (mainly
    for Password Hash syncing) this then re-introduces the problem of needing an On-Prem Exchange server for managing the cloud only mailboxes (or managing them in a supported Microsoft fashion)?

    And lastly, if the answer is ‘Yes it does re-introduce the problem’, what are my other options
    for syncing Active Directory passwords to the OF365 mailboxes….third party offerings maybe?


    1. Steve Goodman

      Hi Richard,

      Sorry for the delay in replying, I missed your message.

      Yes, your understanding is correct – it does re-introduce the problem.

      I would say that even with my customers who have a smaller environment to manage, most of the time running a small VM for Exchange management isn’t a big issue, especially as it sounds like it wouldn’t be needed for mail relay or anything that, should the server fail, could cause an outage.

      Although third-party options are available (I don’t have a specific recommendation) the benefit of the Exchange 2016 option is that Microsoft have suggested that there will be a clear path to removing it, and that will require an update for Exchange 2016.


  12. Vegard

    Hello Steve

    You write “Microsoft are planning, later this year, to release capabilities to allow you to remove the last Exchange Server”.

    I’ve been trying to find news or even any sources for this. Do you have an update regarding this?

  13. Pavan

    Hello Steve,
    We have already build up exchange 2016 with multirole but did not run the HCW. We have near about 30k mailboxes hosted on Onpremises now we are planning to migrate to O365. Is it fine just run HCW 2-3 servers and start migration or we can build up new server with MRs proxy endpoint for those and start the same ( note we need to use Edge server for future routing too ). any input or suggestions.

    – if I built up new server of Hybrid 2016 do I need to point Namespace new server or still continues with existing ?

    – if I run HCW I guess all existing connectors will overwritten am I right ?

  14. johnnyyao

    Hi Sir

    Good article.

    We’re running Exchange 2016 with about 8000 mailboxes and plan to deploy Exchange Hybrid currently.

    Our IT management decided not to migrate all users from Exchange 2016 to EXO immediately.
    They just want to migrate a few users to EXO for pilot purpose and keep the Exchange Hybrid mode for a long long time….. at least until 2025 I guess.

    (I’ve followed that Exchange 2016 may no longer support for Exchange Hybrid in the near future. That’s ok. We can migrate to Exchange 2019.)

    And our IT policy are not allow to modify current Exchange servers.

    So I’ll prepare two additional hybrid servers and certificate names for the long time hybrid configuration. Why two hybrid servers because we’ve two major sites and we need plan for site resilience.

    Need you advise how to plan the best practice for Exchange Hybrid – HA & site resilience for coexistence with EXO very long time?


  15. Aussupport


    We are upgrading the Ex 2010 to 2016 in hybrid. All our mailboxes are in O365. So what is the rollback plan if exchange 2010 migration failed? I believed clients do not require connecting to this server.


  16. Tristan

    Not found a straight answer to this but do you need to migrate system mailboxes (arbitration and discovery) from 2010 to 2016 if the 2016 server is just used for Hybrid? 2016 creates its own set. I know this is a must if you are migrating and using on-premise, but doesn’t seem so for Hybrid.

    You can’t remove 2010 from the environment if these system mailboxes are still present on 2010 so it’s just a case of a) migrate them to 2016 b) delete them as they aren’t needed anyway.

  17. Josh

    Hey Steve, Great Read! We’re looking at moving to a hybrid environment to stage our mailbox migrations. Currently we have a 2016 server installed in the domain and it appears to be working correctly, as in I can login to the management site and see the 2010 servers (2 CAS, 2 MBX) and the users. However, the last time we tried to switch our namespace mail.domain.org to point to the 2016 server for client access, while DNS was resolving correctly, I was unable to login through outlook client to any mailboxes on the 2010 servers.. I feel like I’m missing something super simple but all of my digging has been for naught, any suggestions?

    1. Tristan

      Hey Josh,
      Do you successfully connect to these 2010 mailboxes in OWA? If so this suggests the authentication for Outlook connections needs to be checked on your 2016 server (no longer using MAPI/RPC for Exchange 2016 as it did with 2010).

  18. Taryel

    But what about MX record which points to let’s say to Cisco ESA.
    As I know, SMTP endpoint on on-prem servers must be Exchange Server or Exchange Server with Edge role. Other SMTP gateways not supported as I know.

    1. Steve Goodman

      Before or during a migration you don’t need to change this. After the migration, should you wish to keep Exchange on-premises (which you will for management, and SMTP relay, for example), this would be the part to replace them with a newer version of Exchange. The key part in this article is that you don’t need to and usually shouldn’t add additional Exchange Servers alongside your existing Exchange Servers for the purposes of a Hybrid coexistence or migration.

      1. Dave

        Is there a good primer around for upgrading your Exchange 2016 Hybrid server, which you use for management and a couple of mailboxes you haven’t migrated yet, to Exchange 2019 hybrid? I’d like to move the existing 2016 server off the current hardware and onto the new servers – may as well upgrade Exchange at the same time 😉

  19. Admin

    Anyone else struggle with public folder migrations? The MS way for legacy PF is so convoluted and doesn’t always work. Find myself manually copying across PFs…

    Wondered if anyone else had similar experiences?

    1. Steve Goodman

      It has improved over the last few years, both in speed and reliability.

      However for success you are right, it takes a lot of planning and remediation to ensure a successful migration, a lot of scripting and a little luck..

    2. Kieran

      We audited and completely deprecated PFs in our environment because of this, went from 300 PF to about 25 shared mailboxes.

      So 275 PFs were redundant and not in use, whilst a time consuming exercise, it was definitely worth it as we don’t have to manage PFs any more and the business is more efficient as less places to go looking etc.

  20. Terry

    Great article.

    Can I ask, with a Hybrid license whereby you can’t have a mailbox database, how can you access the Exchange app for management if you don’t have an admin account with a mailbox on the server? Does an admin account with Enterprise admins still log into Exchange 2016?

    1. Steve Goodman

      Yes, admins still log in to the server – its purpose is for management.

      I would have to double check the licensing wording, but off the top of my head, it is hosting mailboxes that is prohibited, not hosting a mailbox database.

      1. Terry

        Thanks Steve.

        So would my admin account be able to access the EAC in Exchange 2016 without having a mailbox present as with previous versions of Exchange (I recall in 2013 I had to have a mailbox attached to the admin account else I couldn’t log into EAC).

        1. Terry

          Just cloned my admin account with one without a mailbox and tested – I can access EAC fine without a mailbox 🙂

  21. Manuel

    Great article. Thank you, Steve!

    We have fully migrated to Exchange Online and have one on-prem Exchange Server 2016 still running with all its unused connectors, certificates and former databases. I don’t like that server as I have taken it over from my predecessor and it used to be our productive Exchange server before our O365 migration.

    I wonder what’s the minimum required set up for hybrid Exchange environment to stay supported? I know that MS requires you to have still one Exchange server for management if using AD connect. But what if I want to throw away the existing Exchange server and install it from scratch? Is there anything I need to concern about?

    Running the HCW creates some connectors and the Exchange federation (On-Prem to Exchange Online) with self-signed certificates by default. Isn’t there any smaller (but still supported) solution that does not create certificates etc and only serves for management?

    Haven’t found any article in the Internet that takes care of that topic (“setting up a minimum Exchange hybrid management server once you have completed the migration”). Would love to get a response.


    1. Steve Goodman

      If you wish to do this, then you would add a new server, move the Hybrid configuration (and relevant certificates, connectors) across, then decommission the older server.

  22. Tristan

    Great read, thanks Steve.

    We have a similar situation as you describe with a blank 2016 Exchange server being installed and everything pointing to it (all mailboxes are on the 2010 box). Want to move to O365.

    When configuring the HCW, should we point and use 2010 because the mailboxes reside there or select 2016 as this is effectively the CAS and proxy now – even though its empty.

    1. Steve Goodman

      If you’ve gone as far as installing a 2016 box and moving all client access across, then it’s probably not worth undoing that effort now. Obviously with hindsight it would have made more sense to Hybrid-enable 2010, move mailboxes and then replace with a 2016 “management server” post-migration.

      But if it’s already installed, then I think you’ll only further complicate matters by configuring Hybrid on 2010.

      1. Tristan

        Yeah sadly, as the story goes, this was in place before I picked it up to work on! Hate picking up the work of others.

        Configure HCW for the 2016 even though there are no mailboxes on it then rather than remove and repoint to 2010 seems the order of the day?

        1. Steve Goodman

          Whilst it goes entirely against the point of the article.. given the position you are in, then that’s what I would do – I wouldn’t plan to decommission the Exchange 2016 box only to then need to re-install it post-migration and then move the HCW configuration across. As you mentioned it’s just one Exchange 2010 server then the limitations of having one 2016 server as a bottleneck for a migration (for example) don’t really apply here.

      2. Harvey Hayes

        Hi Steve,

        A Great Read for sure. We have migrated 600,000 users to Office 365 from Exchange 2010. We learned a great deal during that adventure. Thank you for the great technical assistance you all provide all of us. Regards

  23. Mike Donovan

    I think one of the biggest reasons to steer clear of any hybrid exchange server is the patching. Every quarter a new CU comes out. Every 5-6 revs it seems like a schema extension is required. Extending the schema is a maintenance ordeal; I’d just as soon skip the patching altogether. We have eliminated all of our hybrid servers and have a different way of handling the few new email addresses and other operations normally used by the hybrid servers. I don’t miss the patching at all!

    1. Steve Goodman

      Technically at the moment you should keep the last Exchange Server to manage recipients. I hear you though, and if I’m personally the one managing the environment, then I would do similar to you; often I am not – and most of my customers need mail relay anyway, so I recommend keeping the last Exchange Server for the time being if you don’t want to be responsible for managing those attributes yourself.

    2. Tristan

      Hey Mike

      Hybrid is the only supported method though, whilst I sympathise with the admin overhead – if you are managing attributes with ADSI or in AD, that takes you out of a supported set up…

      Hopefully MS will release something to allow “last server” to be removed soon.

      1. Steve Goodman

        In January this year, Greg Taylor told me (on my All About 365 podcast) and in a session at Ignite the Tour London that we should expect something such as a preview of it at Ignite 2020

        1. Tristan

          That would be huge!!

          Would kill a ton of consultancy days and opportunities though that Hybrid presents…

          1. Steve Goodman

            Hybrid will still be required to *do* the migration, and today on the engagements I am involved with we aren’t installing “Hybrid Servers” at the outset.

            On one project for example I would estimate the 2016 management servers install and moving over connectors will only consume about half a day of effort to a day, with the majority of the time over a few days being the clean decom of Exchange 2010. So not a big difference, but a better result if no Exchange Server is needed for something such as mail relay.

  24. Tony

    Hi Steve

    Thanks for the great write up, I’m one of the engineers who pestered you to do it as there aren’t many solid articles stating the reasons not to install additional hybrid servers before a migration, yet so many people do it, which always baffled me.

    Excellent points made.


    1. Steve Goodman

      Yes! I promised I would, good topic.

  25. Karl

    I have Exchange 2013 and am getting pressure to install a Server 2016 Exchange for MS Teams calendar availability / integration. Seems silly since 2013 has hybrid built in.

    1. Steve Goodman

      Are you planning on moving all mailboxes to Exchange 2016 ?


    2. Lee


      Users can still schedule Teams meetings and view them in their on-prem calendar by using the outlook addin. My client is in a similar situation due to wanting a rapid deployment of teams, but we have no intention of implementing a later version of Exchange for this, but will be for SMTP relaying and recipient management.

      Paul, you mentioned that 2019 will not be getting a free hybrid license. Is there any official documentation on this?


        1. Moe

          Free Hybrid License is only for EX 2016 ( Win Server 2016 only )
