Office 365 Directory Synchronization without Exchange server Part III

In my previous blog post I explained how to manage your Email attributes in Office 365 by directly editing the Exchange attributes in your on-premises Active Directory. This works fine, but it is not recommended nor is it supported by Microsoft.

In this blogpost I’ll discuss how to add an Exchange server on-premises (or keep the last Exchange server when you’ve moved all Mailboxes to Office 365 for that matter) and manage your Exchange Online environment properly.

Exchange Server on-premises

So, what options do you have? Add an Exchange server on-premises, or keep one of the existing (hybrid) Exchange servers for management purposes. Since this is a green field Active Directory and there's no Exchange server on-premises, you can use the free Microsoft Hybrid License for this management server. For additional details on this free Exchange license you can check the Microsoft knowledgebase article KB2939261: https://support.microsoft.com/en-us/kb/2939261.

When adding an Exchange server (in my lab an Exchange 2016 CU2 server) to Active Directory you get an Exchange PowerShell and Exchange Admin Center on-premises available for management purposes.

The first thing that needs to be done is configuring an Accepted Domain and an Email Address Policy. This way the locally created user accounts and Remote Mailboxes will get the appropriate Email addresses.

When a new user is created in Active Directory, only the basic attributes need to be populated. Once created, you can use the Exchange PowerShell to execute the Enable-RemoteMailbox command. This will convert the local user to a Mail-Enabled User, and create the accompanying Mailbox in Exchange Online. The -RemoteRoutingAddress option is used to set the forwarding address from the on-premises Mail-enabled User to the Mailbox in Office 365.

Enable-RemoteMailbox "Dave Heslop" -RemoteRoutingAddress DHeslop@exchangelabsnl.mail.onmicrosoft.com

Do you need a hybrid configuration for this to happen? No, since there’s no traffic between Exchange on-premises and Exchange Online you don’t need to configure the Hybrid Configuration. Even better, the Exchange server is not used for any communication, it’s only there for management purposes so the Exchange server doesn’t have to be configured at all. This includes the self-signed SSL certificate.

The only communication that takes place is the Azure AD Connect synchronization between the on-premises Active Directory and Azure Active Directory. Remember that all Exchange information is stored in Active Directory, so when you create a User account and enable a Remote Mailbox, the result is only stored in Active Directory, and only this information is synchronized with Azure Active Directory!

Assign the user an appropriate license in the Microsoft Online Portal et voila, your Mailbox in Office 365 is fully functional, in a fully supported scenario, and managed on-premises.

When you want to enable a Personal Archive in Exchange Online you can again use the Enable-RemoteMailbox command, but now with the -Archive option, like:

Enable-RemoteMailbox "Dave Heslop" -Archive

It is also possible to create a new user account in Active Directory and RemoteMailbox-enable the account using the New-RemoteMailbox command.

To create a new user account for ‘Kim Akers’, set the password that’s entered using the credential pop-up box and create a Mailbox in Exchange Online you can use the following Exchange PowerShell commands:

$Credentials = Get-Credential

New-RemoteMailbox -Name "Kim Akers" -Password $Credentials.Password -UserPrincipalName kakers@exchangelabs.nl -OnPremisesOrganizationalUnit "exchangelabs.local/accounts/users" -RemoteRoutingAddress Kakers@exchangelabsnl.mail.onmicrosoft.com

And to create a new Room Mailbox for use with Exchange Online you can use the New-RemoteMailbox command with the -Room option.

$Credentials = Get-Credential

New-RemoteMailbox -Name "Conference Room" -Password $Credentials.Password -UserPrincipalName confroom@exchangelabs.nl -OnPremisesOrganizationalUnit "exchangelabs.local/accounts/users" -Room -RemoteRoutingAddress confroom@exchangelabsnl.mail.onmicrosoft.com

Note. For a Resource Mailbox of type Equipment you can use the same command, but replace the -Room with the -Equipment option.
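Whether you mail-enable an existing user with Enable-RemoteMailbox or create one with New-RemoteMailbox, the only thing Azure AD Connect will ever see is the resulting Active Directory object. The following added check (my own example, not from the original post) reads that object back through both Get-RemoteMailbox and Get-ADUser and confirms the attributes are consistent before the next sync cycle. It assumes the on-premises Exchange Management Shell with the ActiveDirectory module available, and the coexistence domain exchangelabsnl.mail.onmicrosoft.com used in this post.

```powershell
# Added example, not from the original post. Run in the on-premises Exchange Management
# Shell; the ActiveDirectory module is assumed to be installed on the same server.
Import-Module ActiveDirectory

# Coexistence domain used in the post; adjust for your own tenant.
$CoexistenceDomain = 'exchangelabsnl.mail.onmicrosoft.com'

function Test-RemoteMailboxObject {
    param([Parameter(Mandatory = $true)][string]$Identity)

    $rm = Get-RemoteMailbox -Identity $Identity -ErrorAction Stop
    $ad = Get-ADUser -Identity $rm.SamAccountName -Properties targetAddress, proxyAddresses

    # Accepted domains as lower-case strings, for the primary SMTP address check.
    $accepted = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

    # Strip the smtp:/SMTP: prefix so the Exchange view and the raw AD attribute compare equal.
    $primary = $rm.PrimarySmtpAddress.ToString()
    $routing = $rm.RemoteRoutingAddress.ToString() -replace '^smtp:', ''
    $target  = $ad.targetAddress -replace '^smtp:', ''
    $proxies = @($ad.proxyAddresses | ForEach-Object { $_ -replace '^smtp:', '' })

    [pscustomobject]@{
        Identity          = $Identity
        RecipientType     = $rm.RecipientTypeDetails
        # On-premises the object must be a remote (user/room/equipment) mailbox, not a local one.
        IsRemoteType      = $rm.RecipientTypeDetails -like 'Remote*'
        # The primary SMTP domain must be an Accepted Domain, or the address policy did not apply.
        PrimaryInAccepted = $accepted -contains ($primary -split '@')[1].ToLower()
        # The routing address must point into the tenant's coexistence domain ...
        RoutingInTenant   = $routing -like "*@$CoexistenceDomain"
        # ... and must be what is actually stored in AD's targetAddress, which is all AAD Connect syncs.
        ADTargetMatches   = $target -eq $routing
        # Exchange also adds the routing address as a secondary proxy address; confirm it is there.
        RoutingIsProxy    = $proxies -contains $routing
    }
}

# Validate the two objects created in the post: a user and a room mailbox.
foreach ($id in 'Dave Heslop', 'Conference Room') {
    $result = Test-RemoteMailboxObject -Identity $id
    $result
    if (-not ($result.IsRemoteType -and $result.PrimaryInAccepted -and
              $result.RoutingInTenant -and $result.ADTargetMatches -and $result.RoutingIsProxy)) {
        Write-Warning "$id is not ready for directory synchronization"
    }
}
```

A warning here points at an object that would sync to Azure AD with a wrong or missing routing address, which is far easier to fix before the first synchronization than after the cloud mailbox exists.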

You can check the Exchange Online Admin Center to see if the Room Mailbox was actually created. You can also use the EAC to set permissions on this Mailbox; this cannot be achieved on-premises.

The on-premises EAC can be used to manage most of the settings of your Mailboxes in Exchange Online. When you open the EAC on-premises the Remote Mailboxes will show up as “Office 365 Mailbox”. Dave’s remote Archive Mailbox is clearly visible:

Unfortunately, you cannot create remote Mailboxes using the on-premises EAC. This can only be achieved in the on-premises Exchange PowerShell, using the New-RemoteMailbox or the Enable-RemoteMailbox commands.

As mentioned before the Exchange 2016 server in my lab is not configured. After installing the Exchange server I created an Accepted Domain and an Email Address Policy and that’s it. The only communication that takes place between the on-premises environment and Office 365 is through the Azure AD Connect server, so there’s no need to configure the Exchange server.

Can it be useful to configure the Exchange server? Well, if you do configure it, you can also configure the on-premises Exchange server to run the Hybrid Configuration Wizard.

Can it be useful to run the Hybrid Configuration Wizard? Yes, even if you have all Mailboxes in Office 365 and don't even plan to move Mailboxes back to your on-premises environment (offboarding). Suppose you have multi-functional devices like scanners that can send scanned documents directly to your Mailbox. You can send these scanned documents to your on-premises Hybrid Server and have them forwarded to the Mailboxes in Office 365.

The same is true for on-premises applications, like CRM, HR or Finance applications which send messages directly to users. Applications like this can use the on-premises Exchange Hybrid server to forward messages from the application directly to the Mailbox in Office 365.

Summary

In this blog post and the previous two blog posts I showed you how to manage Exchange Online when you don't have an Exchange server on-premises. This is a typical situation when you've moved off of a Notes or GroupWise environment, but the same can be true if you decommissioned the last Exchange server after an Exchange on-premises to Exchange Online migration.

It's a bit of work and can be complex, but in the end it works. The problem is that it is unsupported and not recommended. One of the problems is that you never know what Microsoft will do when it comes to changes (improvements) regarding Azure AD Sync. If something changes and your solution stops working, you're on your own.

I always recommend installing an Exchange server on-premises (or keeping the last Exchange server when moving to Exchange Online), just for management purposes. There is no need to configure it using the Hybrid Configuration Wizard, although this has some advantages when it comes to relaying messages from on-premises to Exchange Online Mailboxes.

18 thoughts on “Office 365 Directory Synchronization without Exchange server Part III”

  1. And we can even point autodiscover to O365, right?
    So for a new user in AD that has a mailbox in O365 we just run New-RemoteMailbox? Do we not need to run dirsync first, because the user is not synced from AD?

    And if we have user provisioning system in AD that creates the user, we only run enable-remotemailbox, and not run dirsync first?

    BTW you need to set the license of course 🙂

    1. Yes, autodiscover points to Office 365 since, not much to retrieve on-premises.
      You can just run New-RemoteMailbox, everything will be synchronized with Office 365 in just one run.
      And I'm not a license officer, I'm a techie 😉

    2. Take a look at these two articles for a reference. The first goes through what I believe you are asking with the process of creating a new AD user and mailbox in O365, and basic license assignment. The second gets a bit more granular on the license assignments.

      https://oddytee.wordpress.com/2016/05/05/provision-new-office-365-user-and-mailbox-from-exchange-hybrid-via-powershell/

      https://oddytee.wordpress.com/2016/06/28/assign-subscription-licenses-and-license-options-to-office-365-users/

      Have fun!

  2. OK sweet.
    BTW as per MS support we need to run hybrid Exchange n-2. Is this also applicable in this scenario? I know it's always best practice to keep up though 🙂

    And let’s say we have an on-prem distribution group synced to O365 and is managed by ‘Kim Akers’ she can’t manage it anymore. How do we solve these things? (create pure cloud group or setup the ECP vdir in the hybrid exchange server, so Kim can logon on-premise and edit the group via ecp?

    1. When it comes to N-2, opinions differ. Is that Exchange 2016 CU1 and RTM, or Exchange 2013 CU12 and CU11, or Exchange 2010 SP3 UR13 and UR12? IMHO Microsoft is not very clear about this either. When it's Exchange 2016 only for hybrid, then why would they release a downloadable version of the HCW for Exchange 2010? Personally I don't really care about the major version, but I do care about the latest patches.

      About Kim and her distribution groups, I’ll ask her 😉

  3. What suggestion do you have with the “last Exchange server” on premise is SBS2008 (with Exchange 2007)? Another member DC currently exists on the network and is running AD Sync. Can the unlicensed Exchange 2016 be installed on the DC? And if so, presumably it needs to be installed first, then Exchange 2007 uninstalled from the SBS server?

    1. Exchange can be installed on the 2nd DC, but I do not recommend this since you cannot upgrade the DC later on. Please be aware that Exchange 2016 cannot be installed in an Exchange 2007 scenario. You need to install Exchange 2013 first, decommission Exchange 2007 and then install Exchange 2016 (or keep it running on Exchange 2013 if you want, as long as you keep it up-to-date with CUs you’re fine)

    1. EMC does not exist anymore, you need Exchange PowerShell or EAC, but these are only available if you install an Exchange 2016 server. But you get a free hybrid license for this, as long as you don’t install mailboxes on it.

  4. Would you comment on what you setup for your email address policy, such as secondary for .mail.onmicrosoft.com, and whether you dismount your automatically created database?

    1. I never change the default settings, so in this example the primary SMTP address would be user@exchangelabs.nl, which is set by the email address policy. The hybrid configuration wizard will create a secondary address like user@exchangelabsnl.mail.onmicrosoft.com. If you don’t use the HCW I would configure this the same way to establish routing between on-premises and Exchange Online (for multi-functional devices for example).
      As for the default database, I leave it running, but enable circular logging.

  5. Great article thanks! Two questions:
    1. Are you certain that the SMTP functionality can be used on the hybrid server without licensing violation?
    2. Is there any way to get the existing directory objects in AD to show up in the new Exchange server as Office 365 mailboxes, if you install Exchange after already setting up AD Connect and your O365 tenant?

    1. Hi, Thanks for your response.
      1. What license violation are you referring to? If you are using the ‘hybrid license’ you can use the SMTP functionality, you are not allowed to move Mailboxes to this server.
      2. If you install a new Exchange server when you already have directory synchronization and Mailboxes in Exchange Online, you can use the Enable-RemoteMailbox command to achieve this.
      Thanks, Jaap
