In my previous blog post I explained how to manage your Email attributes in Office 365 by directly editing the Exchange attributes in your on-premises Active Directory. This works fine, but it is not recommended nor is it supported by Microsoft.
In this blogpost I’ll discuss how to add an Exchange server on-premises (or keep the last Exchange server when you’ve moved all Mailboxes to Office 365 for that matter) and manage your Exchange Online environment properly.
Exchange Server on-premises
So, what options do you have? Add an Exchange server on-premises, or keep one of the existing (hybrid) Exchange servers for management purposes. Since this is a green field Active Directory, and there’s no Exchange server on-premises you can use the free Microsoft Hybrid License to for this management server. For additional details on this free Exchange license you can check the Microsoft knowledgebase article KB2939261: https://support.microsoft.com/en-us/kb/2939261.
When adding an Exchange server (in my lab an Exchange 2016 CU2 server) to Active Directory you get an Exchange PowerShell and Exchange Admin Center on-premises available for management purposes.
The first thing that needs to be done is configuring an Accepted Domain and an Email Address Policy. This way the locally created user accounts and Remote Mailboxes will get the appropriate Email addresses.
When a new user is created in Active Directory, only the basic attributes need to be populated. Once created, you can use the Exchange PowerShell to execute the Enable-RemoteMailbox command. This will convert the local user to a Mail-Enabled User, and create the accompanying Mailbox in Exchange Online. The -RemoteRoutingAddress option is used to set the forwarding address from the on-premises Mail-enabled User to the Mailbox in Office 365.
Enable-RemoteMailbox “Dave Heslop” -RemoteRoutingAddress DHeslop@exchangelabsnl.mail.onmicrosoft.com
Do you need a hybrid configuration for this to happen? No, since there’s no traffic between Exchange on-premises and Exchange Online you don’t need to configure the Hybrid Configuration. Even better, the Exchange server is not used for any communication, it’s only there for management purposes so the Exchange server doesn’t have to be configured at all. This includes the self-signed SSL certificate.
The only communication that takes place is the Azure AD Connect synchronization between the on-premises Active Directory and Azure Active Directory. Remember that all Exchange information is stored in Active Directory, so when creating a User account and enable a Remote Mailbox, this is only stored in Active Directory and only this information is synchronized with Azure Active Directory!
Assign the user an appropriate license in the Microsoft Online Portal et voila, your Mailbox in Office 365 is fully functional, in a fully supported scenario, and managed on-premises.
When you want to enable a Personal Archive in Exchange Online you can again use the Enable-RemoteMailbox command, but now with the -Archive option, like:
Enable-RemoteMailbox “Dave Heslop” –Archive
It is also possible to create a new user account in Active Directory and RemoteMailbox-enable the account using the New-RemoteMailbox command.
To create a new user account for ‘Kim Akers’, set the password that’s entered using the credential pop-up box and create a Mailbox in Exchange Online you can use the following Exchange PowerShell commands:
$Credentials = Get-Credential New-RemoteMailbox -Name "Kim Akers" -Password $Credentials.Password -UserPrincipalName kakers@exchangelabs.nl -OnPremisesOrganizationalUnit "exchangelabs.local/accounts/users" -RemoteRoutingAddress Kakers@exchangelabsnl.mail.onmicrosoft.com
And to create a new Room Mailbox for use with Exchange Online you can use the New-RemoteMailbox command with the -Room option.
$Credentials = Get-Credential New-RemoteMailbox -Name "Conference Room" -Password $Credentials.Password -UserPrincipalName confroom@exchangelabs.nl -OnPremisesOrganizationalUnit "exchangelabs.local/accounts/users" -Room -RemoteRoutingAddress confroom@exchangelabsnl.mail.onmicrosoft.com
Note. For a Resource Mailbox of type Equipment you can use the same command, but replace the -Room with the -Equipment option.
You can check the Exchange (online) Admin Center to see if the Room Mailbox is actually created. You can also use the EAC to set permissions on this Mailbox. This cannot be achieved on-premises.
The on-premises EAC can be used to manage most of the settings of your Mailboxes in Exchange Online. When you open the EAC on-premises the Remote Mailboxes will show up as “Office 365 Mailbox”. Dave’s remote Archive Mailbox is clearly visible:
Unfortunately, you cannot create remote Mailboxes using the on-premises EAC, this can only be achieved using the on-premises Exchange PowerShell using the New-RemoteMailbox or the Enable-RemoteMailbox commands.
As mentioned before the Exchange 2016 server in my lab is not configured. After installing the Exchange server I created an Accepted Domain and an Email Address Policy and that’s it. The only communication that takes place between the on-premises environment and Office 365 is through the Azure AD Connect server, so there’s no need to configure the Exchange server.
Can it be useful to configure the Exchange server? Well, if you do configure it, you can also configure the on-premises Exchange server to run the Hybrid Configuration Wizard.
Can it be useful to run the Hybrid Configure Wizard? Yes, even if you have all Mailboxes in Office 365 and don’t even plan to move Mailboxes to your on-premises environment (offboarding). Suppose you have these multi-functional devices like scanners that can send scanned documents directly to your Mailbox. You can send these scanned documents to your on-premises Hybrid Server and have them forwarded to the Mailboxes in Office 365.
The same is true for on-premises applications, like CRM, HR or Finance applications which send messages directly to users. Applications like this can use the on-premises Exchange Hybrid server to forward messages from the application directly to the Mailbox in Office 365.
Summary
In this blogpost and the previous two blogpost I showed you how to manage Exchange Online when you don’t have an Exchange server on-premises. This is a typical situation when you’ve moved off of a Notes or Groupwise environment, but the same can be true if you decommissioned the last Exchange server after an Exchange on-premises to Exchange Online environment.
It’s a bit of work and can be complex, but in the end it works. The problem is that it is unsupported and not recommended. One of the problems is that you never know what Microsoft will do when it comes to changes (improvements) regarding Azure AD Sync. If something changes and you’re solution stops working then you’re on your own.
I always recommend installing an Exchange server on-premises (or keep the last Exchange server when moving to Exchange Online), just for management purposes. No need to configure it using the Hybrid Configuration Wizard, although this has some advantages when it comes to relaying messages from on-premises to Exchange Online Mailboxes.
Jaap Wesselius 
And we even can point autodiscover to O365 right?.
So for a new user in AD that has mailbox in O365 we just run new-remotemailbox? Do we not need run dirsync first cause the user is not synced from AD?
And if we have user provisioning system in AD that creates the user, we only run enable-remotemailbox, and not run dirsync first?
BTW you need to set license offcourse 🙂
LikeLike
Yes, autodiscover points to Office 365 since, not much to retrieve on-premises.
You can just run New-RemoteMailbox, everything will be synchronized with Office 365 in just one run.
And i’m not a license officer, i’m a techie 😉
LikeLiked by 1 person
Take a look at these two articles for a reference. The first goes through what I believe you are asking with the process of creating a new AD user and mailbox in O365, and basic license assignment. The second gets a bit more granular on the license assignments.
Have fun!
LikeLike
This is what I discussed in the next blog (part III), except for the license stuff. The licensing was discussed last year (https://jaapwesselius.com/2014/09/04/assign-office-365-license-via-powershell/ and https://jaapwesselius.com/2015/05/08/manage-users-in-office-365-using-powershell/) but this is changing at such a rapid pace…. but it is fun to play with 😉
LikeLiked by 1 person
OK sweet.
BTW as per MS support we need to run hybrid Exchange n-2. Is this also applicable in this sccenario? I know it’s always best-practise to keep up though 🙂
And let’s say we have an on-prem distribution group synced to O365 and is managed by ‘Kim Akers’ she can’t manage it anymore. How do we solve these things? (create pure cloud group or setup the ECP vdir in the hybrid exchange server, so Kim can logon on-premise and edit the group via ecp?
LikeLike
when it comes to N-2, opinions differ. Is that Exchange 2016 CU1 and RTM, or Exchange 2013 CU12 and CU11, or Exchange 2010 SP3 UR13 and UR12? IMHO opinion Microsoft is not very clear about this either. When it’s Exchange 2016 only for hybrid, then why would they release a downloadable version of the HCW for Exchange 2010? Personally I don’t really care about the major version, but do care about the latest patches.
About Kim and her distribution groups, I’ll ask her 😉
LikeLike
What suggestion do you have with the “last Exchange server” on premise is SBS2008 (with Exchange 2007)? Another member DC currently exists on the network and is running AD Sync. Can the unlicensed Exchange 2016 be installed on the DC? And if so, presumably it needs to be installed first, then Exchange 2007 uninstalled from the SBS server?
LikeLike
Exchange can be installed on the 2nd DC, but I do not recommend this since you cannot upgrade the DC later on. Please be aware that Exchange 2016 cannot be installed in an Exchange 2007 scenario. You need to install Exchange 2013 first, decommission Exchange 2007 and then install Exchange 2016 (or keep it running on Exchange 2013 if you want, as long as you keep it up-to-date with CUs you’re fine)
LikeLike
So Clean AD, Exchange never installed. I need to Install Exchange 2016 to extend AD and get EMC ?
LikeLike
EMC does not exist anymore, you need Exchange PowerShell or EAC, but these are only available if you install an Exchange 2016 server. But you get a free hybrid license for this, as long as you don’t install mailboxes on it.
LikeLiked by 1 person
Would you comment on what you setup for your email address policy, such as secondary for .mail.onmicrosoft.com, and whether you dismount your automatically created database?
LikeLike
I never change the default settings, so in this example the primary SMTP address would be user@exchangelabs.nl, which is set by the email address policy. The hybrid configuration wizard will create a secondary address like user@exchangelabsnl.mail.onmicrosoft.com. If you don’t use the HCW I would configure this the same way to establish routing between on-premises and Exchange Online (for multi-functional devices for example).
As for the default database, I leave it running, but enable circular logging.
LikeLike
Great article thanks! Two questions:
1. Are you certain that the SMTP functionality can be used on the hybrid server without licensing violation?
2. Is there anyway to get the existing directory objects in AD to show up in the new Exchange server as Office 365 mailboxes-if you install Exchange after already setting up AD Connect and your O365 tenant?
LikeLike
Hi, Thanks for your response.
1. What license violation are you referring to? If you are using the ‘hybrid license’ you can use the SMTP functionality, you are not allowed to move Mailboxes to this server.
2. If you install a new Exchange server if you already have directory synchronization and Mailboxes in Exchange Online you can use the Enable-RemoteMailbox command to achieve this.
Thanks, Jaap
LikeLike
Hi Jaap,
I don’t have on-prem exchange but already extended on-prem AD schema with Exchange extensions. is there any way to create Synced equipment mailboxes without HCW?
LikeLike
Ouch…. I have no idea (yet) to be honest, I’m sorry
LikeLike
Thanks for reply, I just found this post today.
LikeLike
Thanks for letting me know, much appreciated!
LikeLike
Hi Jaap,
I installed on-prem Exchange 2016 and ran HCW and got the free license. when I create a “Conference Room” using above PS script, I can see the object in AD, in On-prem EAC under mailboxes, and it synchronizes to AAD, I can see it in Office 365 Admin center under active users and it’s unlicensed, but it doesn’t appear in O365 EAC under resources tab or mailboxes…
Thanks,
LikeLike
What happens if you create a new user account in Active Directory, and then use Get-User | Enable-RemoteMailbox -Room -RemoteRoutingAddress room@tenant.mail.onmicrosoft.com?
I was about to try, but dirsync stopped a couple of days ago (password I guess) so I’ll have a closer look tomorrow.
LikeLike
Just tried, same, Thx.
LikeLike
That’s weird. Just tried the same (with the Enable-RemoteMailbox) and it does show up in Office 365 EAC under Resources.
Are you able to create an on-premises user mailbox, and does it show up in Office 365 EAC under Contacts?
It looks like your user account is created, but the Exchange properties are synchronized properly.
LikeLike
I can create mailbox in on-prem AD, after sync to AAD It shows up in office 365 Admin Center under Users\Active users, but in Office 365 EAC doesn’t show up at all, either resources or contacts.
BTW, I didn’t license it as well.
LikeLike
I checked my room object attributes in on-prem AD :
seems ok.
my msExchRecipientDisplayType = -2147481850
(SyncedConferenceRoomMailbox)
ref:
https://blogs.technet.microsoft.com/johnbai/2013/09/11/o365-exchange-and-ad-how-msexchrecipientdisplaytype-and-msexchangerecipienttypedetails-relate-to-your-on-premises/
my msExchRecipientTypeDetails = 8589934592
(Remote Room Mailbox)
ref:
https://blogs.technet.microsoft.com/dkegg/2014/05/09/msexchrecipienttypedetails/
LikeLike
Did you make some changes which attributes are synchronized to Azure AD? It looks like Azure AD is missing information here.
LikeLike
Can you point me to a resource with more in-depth information about setting up a limited setup of Exchange for management?
Currently running Exchange 2010, would like to avoid a hybrid deployment and go completely over to O365 with Azure AD Connect, but install Exchange 2016 just for user management. I see that we just have to set up the accepted domain and email address policy, but do you know of any more documentation on this process or can you offer some tips?
TIA.
LikeLike
Hi,
Well, installing an Exchange 2016 server, configure the Accepted Domains and Email Address Policy (they are already configured since you have Exchange 2010 installed) and you’re good to go. I always recommend keeping a full hybrid configuration, just to keep an offboarding scenario, just in case.
I have to admit, it’s a nice topic for a (future) blog post.
Thanks,
Jaap
LikeLike
Wow, it’s like you were constructed in a lab to answer my exact problem/concern. Expanding a school communications program (it’s a school, so ‘from Google’ of course) to incorporate some basic O365 functionality at the behest of front office folk; I said “Hey Exchange online! One less server role!” Having beaten my head against the wall (only briefly) I struck on the thought of expanding the AD schema as a band-aid but wanted to see what the community consensus was and if someone had already bird-dogged the landmines. I happily found your blog (part II) and it offered a friendly ‘it’ll work, don’t try it’ but clarification that keeping a skeleton, unconfigured role running was fine. Many, many thanks and I look forward to watching for future postings… as well as digging through the archive pile for things I should know, but missed. In lighter news, your blog shows up high on a search that included mild, but frustrated, profanity. I don’t know the reason for the MS choice to limit certain functionality, nor is it fruitful to grip. I’ll just stay grateful that people are kind enough to highlight the path.
LikeLike
Thanks for the feedback 🙂
LikeLike
So effectively, Microsoft is requiring smaller organizations to continue running Exchange on-premises, just to manage objects in AD? This seems unnecessarily complicated.
LikeLike
you can remove “smaller” in your comment, everyone with Azure AD Connect is required to have an Exchange server on-premises, just for management purposes. Microsoft is working on that (announced at Ignite 2017) but status is unknown.
LikeLike
Can you specify the exchange roles needed to accomplish this? I am doing a green AD and tenant just like your lab. I already have AD installed, new tenant installed and configured, Azure AD connect and ADFS are configured and working. Exchange online is configured and working. I wasn’t going to have an on premise Exchange server, but decided to put one in because of the SMTP relaying. I just installed exchange 2016 CU9, but only installed the management tools. When I look for EAC it is not there, and management console says “no exchange servers are available in any Active Directory sites. I am doing a green setup because we are changing our company name and are moving to a new internal domain and a brand new O365 tenant. Mailboxes are 100% exchange online. Just want the on prem server to have the most minimal setup needed. Thank you for any help.
LikeLike
Hi,
It’s a common misunderstanding that you only need to install the management tools I’m afraid. The management tools is just a web interface, used to communicate with (other) Exchange servers in the organization and as such it’s useless in a situation like this. You have to install an Exchange 2016 Mailbox server and configure it accordingly. Accepted Domains, Email Address Policies etc. If you do not setup a hybrid configuration there’s no real need to install a SSL certificate, but because of the low cost of a SSL cert these days I recommend installing it. BTW, installing an Exchange server on-premises in a situation like this is the only (by Microsoft) supported solution.
LikeLike
Ah ok, got it. Thank you so much for the information. I have one other question. Do I need to go into Azure AD Connect and check the “hybrid exchange” option in the sync configuration as well?
LikeLike
sorry for my late reply, have been away for a couple of days. As long as you don’t deploy a hybrid configuration (i.e. run the Hybrid Configuration Wizard) there’s no need to check this option, even if you install an on-premises Exchange server
LikeLike
When creating a 3rd Party Certificate for an Exchange2016 Hybrid Server, what services do you need? Do you still recommend using namespaces like mail.domain.com? All mailboxes are in the cloud.
LikeLike
You need this Exchange 2016 server on-premises for management purposes, creating remote mailboxes etc. No direct need for running the HCW is all services are in the cloud. Otherwise you need IIS and SMTP to work with this certificate.
LikeLike
We are doing a cross forest migration from Forest A(Exchange) to Forest B(Only O365 with AADconnect), I have installed Exchange 2016 CU9 for management purpose and configure the Primary SMTP domain as Accepted domain and add the email address policy firstname.lastname@domain.com.
But i have some confusion. If you can clarify those?
1- Do i need to add all primary and secondary domain as an accepted domain in new forest Exchange 2k16?
2-Do i need to add those to email address policy as well?
If yes- What will happen to their existing email addresses (firstname@domain.com,firstname.lastname@domain.com) they are carrying from source organization?
LikeLiked by 1 person
In Exchange you can add email addresses with SMTP domains that are not accepted domains. You can also add these to the existing Email Address Policy, and new mailboxes will automatically received the new email addresses with the other SMTP domain. As long as you configure these addresses as secondary addresses in your Email Address Policy you primary address (firstname.lastname@domain.com) will not be impacted. Beware that if you add additional domains to your on-premises Exchange environment you add them to your O365 tenant as well (otherwise, what’s the use of these domain?)
LikeLike
Thank you for this very informative series of posts!
KB2939261 seems to have been taken down. I think the current recommendation is to use Microsoft’s Hybrid Configuration Wizard. It appears to have fewer restrictions than the KB2939261 requirements (it only verifies Global Admin credentials in an Azure/O365 tenant) although I haven’t tried it yet: https://blogs.technet.microsoft.com/exchange/2018/07/20/hybrid-configuration-wizard-and-licensing-of-your-on-premises-server-used-for-hybrid/
LikeLike
Have you considered removing Hybrid Configuration selection from AADConnect after removed the hybrid config from on-prem and left the last Exchange Server for Recipient Management purposes only (after hybrid—based move to online)?
LikeLike
Yes, but what benefits does it bring?
LikeLike
Hi Jaap, thanks for all your great articles. My manager is wondering why you need to use the enable-remotemailbox command, and not create an on-prem AD user and later on create a Office 365 mailbox in EXO for this synced user. It seems to work, when you’re no longer use a on-prem Exchange environment. Now all articles I find on this topic tell you that you need the remotemailbox command in a hybrid env, but not why this is required. And what happens if you don’t. Do you know what issues can arise when the mailbox is created in EXO and not via the remotemailbox command? The reason for my question is that we use a user provisioning tool and it can create a O365 mailbox, but there’s no support for the remotemailbox command. Thanks.
LikeLike
Hello Hatsikidee 🙂
This is easy, by using the Enable-RemoteMailbox command you can manage the Mailbox in EXO from your own Exchange environment. This is needed when you also have mailboxes on-premises (otherwise they don’t appear in the GAL on-premises) but using the on-premises Exchange environment is also the only supported way of managing EXO mailboxes.
Yes, you can do it using other ways, ADSI Edit, or a 3rd party tool and this works fine (when treated carefully) but officially it’s not supported.
LikeLike
Hi Jaap, your articles are great. Thanks for helping us all out!! We have this scenario in part III of your article and I wonder how you would order the steps. We have AD on premise with no Exchange and no AD Connect (yet). We have O365 users for office licensing only that are setup the same as our AD users (just not actually synchronized). Our email is hosted by a third party Exchange hosting company and is not synchronized either….. So, we want to move the email from the third party hoster to O365 and start synchronizing our on-premise AD to O365. We planned to use a third-party migration tool just to get the email from the hoster to O365. On-premise, what should we do first? Should we install AD Connect, synchronize and then install the local Exchange server or Exchange, then AD Connect, and then synchronize? I know we have a weird situation…. Thanks for any advice.
LikeLike
I your scenario I would first make sure all accounts match (UPN), install Exchange 2016 (free hybrid license!), configure it with Accepted Domain and Email Address Policy and then configure Azure AD Connect. Once in place, use Enable-RemoteMailbox to give all users a mailbox in Exchange Online, assign license and your good to migrate.
No worries, it’s not a weird scenario, not different than for example a Lotus Notes to Exchange Online migration 🙂
LikeLike
Thanks for your 3 part series, it’s great stuff. I’ve found myself supporting an environment where we are managing AD attributes as mentioned in part II. I’m prepping to install a hybrid server. AD is 2012 R2 std.
Any issues that you know of going with Server 2019 std and Exchange 2019? Any steps that are different?
LikeLike
Exchange 2019 is similar to Exchange 2016
LikeLike
Hi Jaap, Reading through your article, I have a question regarding accepted domains and address policy. I have an environment that’s been migrated from notes using a 3rd party tool, which is still being used to sync the notes directory with the on prem AD. Will an exchange management server still work if the default address policy is disabled?
LikeLike
Hi Alex,
My first reaction is “yes, the Exchange Management Server still works”, but the email addresses are coming from the Notes directory.
Thanks, Jaap
LikeLike