In my previous blog post I explained how to manage your Email attributes in Office 365 by directly editing the Exchange attributes in your on-premises Active Directory. This works fine, but it is not recommended nor is it supported by Microsoft.
In this blog post I'll discuss how to add an Exchange server on-premises (or keep the last Exchange server when you've moved all Mailboxes to Office 365, for that matter) and manage your Exchange Online environment properly.
Exchange Server on-premises
So, what options do you have? Add an Exchange server on-premises, or keep one of the existing (hybrid) Exchange servers for management purposes. Since this is a green field Active Directory and there's no Exchange server on-premises, you can use the free Microsoft Hybrid License for this management server. For additional details on this free Exchange license you can check the Microsoft knowledgebase article KB2939261: https://support.microsoft.com/en-us/kb/2939261.
When adding an Exchange server (in my lab an Exchange 2016 CU2 server) to Active Directory you get an Exchange PowerShell and Exchange Admin Center on-premises available for management purposes.
The first thing that needs to be done is configuring an Accepted Domain and an Email Address Policy. This way the locally created user accounts and Remote Mailboxes will get the appropriate Email addresses.
When a new user is created in Active Directory, only the basic attributes need to be populated. Once created, you can use the Exchange PowerShell to execute the Enable-RemoteMailbox command. This will convert the local user to a Mail-Enabled User, and create the accompanying Mailbox in Exchange Online. The -RemoteRoutingAddress option is used to set the forwarding address from the on-premises Mail-enabled User to the Mailbox in Office 365.
Enable-RemoteMailbox "Dave Heslop" -RemoteRoutingAddress DHeslop@exchangelabsnl.mail.onmicrosoft.com
Do you need a hybrid configuration for this to happen? No, since there’s no traffic between Exchange on-premises and Exchange Online you don’t need to configure the Hybrid Configuration. Even better, the Exchange server is not used for any communication, it’s only there for management purposes so the Exchange server doesn’t have to be configured at all. This includes the self-signed SSL certificate.
The only communication that takes place is the Azure AD Connect synchronization between the on-premises Active Directory and Azure Active Directory. Remember that all Exchange information is stored in Active Directory, so when you create a User account and enable a Remote Mailbox, this is only stored in Active Directory, and only this information is synchronized with Azure Active Directory!
Assign the user an appropriate license in the Microsoft Online Portal et voila, your Mailbox in Office 365 is fully functional, in a fully supported scenario, and managed on-premises.
When you want to enable a Personal Archive in Exchange Online you can again use the Enable-RemoteMailbox command, but now with the -Archive option, like:
Enable-RemoteMailbox "Dave Heslop" -Archive
It is also possible to create a new user account in Active Directory and RemoteMailbox-enable the account using the New-RemoteMailbox command.
To create a new user account for ‘Kim Akers’, set the password that’s entered using the credential pop-up box and create a Mailbox in Exchange Online you can use the following Exchange PowerShell commands:
$Credentials = Get-Credential
New-RemoteMailbox -Name "Kim Akers" -Password $Credentials.Password -UserPrincipalName firstname.lastname@example.org -OnPremisesOrganizationalUnit "exchangelabs.local/accounts/users" -RemoteRoutingAddress Kakers@exchangelabsnl.mail.onmicrosoft.com
And to create a new Room Mailbox for use with Exchange Online you can use the New-RemoteMailbox command with the -Room option.
$Credentials = Get-Credential
New-RemoteMailbox -Name "Conference Room" -Password $Credentials.Password -UserPrincipalName email@example.com -OnPremisesOrganizationalUnit "exchangelabs.local/accounts/users" -Room -RemoteRoutingAddress firstname.lastname@example.org
Note. For a Resource Mailbox of type Equipment you can use the same command, but replace the -Room with the -Equipment option.
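As an added example (not code from the original post), the Enable-RemoteMailbox/New-RemoteMailbox workflow above can be scripted for a batch of accounts, with a check up front that the accepted domain and routing domain exist on-premises and a check afterwards that the routing address was actually stamped, since that attribute is all Azure AD Connect will carry to the tenant. The routing domain and OU path are taken from the post; the accepted domain name, CSV layout and alias scheme are assumptions.

```powershell
# Added example, not from the original post. Run in the on-premises Exchange Management Shell.
$RoutingDomain  = 'exchangelabsnl.mail.onmicrosoft.com'   # tenant routing domain (from the post)
$TargetOU       = 'exchangelabs.local/accounts/users'     # OU path (from the post)
$AcceptedDomain = 'exchangelabs.nl'                       # assumption: your primary SMTP domain

# Pre-check: both domains must be Accepted Domains on-premises, or the Email Address
# Policy will not stamp the right proxy addresses and the remote mailbox will not route.
foreach ($d in @($AcceptedDomain, $RoutingDomain)) {
    if (-not (Get-AcceptedDomain | Where-Object { "$($_.DomainName)" -eq $d })) {
        throw "Accepted domain '$d' is missing on-premises; create it before provisioning."
    }
}

# Constructed sample input; in practice use Import-Csv .\users.csv with the same columns.
$Users = @'
Name,Alias,Type
Dave Heslop,DHeslop,User
Kim Akers,KAkers,User
Conference Room,ConfRoom,Room
Projector 1,Projector1,Equipment
'@ | ConvertFrom-Csv

$Password = (Get-Credential -Message 'Initial password for the new accounts').Password

foreach ($u in $Users) {
    $routing = "$($u.Alias)@$RoutingDomain"
    $upn     = "$($u.Alias)@$AcceptedDomain"

    # Idempotency: do not re-create an account that already has a remote mailbox.
    if (Get-RemoteMailbox -Identity $upn -ErrorAction SilentlyContinue) {
        Write-Warning "$($u.Name) already has a remote mailbox, skipping."
        continue
    }

    $params = @{
        Name                         = $u.Name
        Alias                        = $u.Alias
        UserPrincipalName            = $upn
        OnPremisesOrganizationalUnit = $TargetOU
        RemoteRoutingAddress         = $routing
        Password                     = $Password
    }
    switch ($u.Type) {           # resource mailboxes only differ by the switch used
        'Room'      { $params['Room']      = $true }
        'Equipment' { $params['Equipment'] = $true }
    }
    New-RemoteMailbox @params -ErrorAction Stop | Out-Null

    # Post-check: the targetAddress in AD is what Azure AD Connect synchronizes; verify it.
    $rm = Get-RemoteMailbox -Identity $upn
    if ("$($rm.RemoteRoutingAddress)" -notlike "smtp:$routing") {
        Write-Warning "Routing address mismatch for $upn : $($rm.RemoteRoutingAddress)"
    }
}
```

After the next Azure AD Connect sync cycle the accounts appear in the tenant; licenses still have to be assigned in the Microsoft Online Portal as described below.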
You can check the Exchange (online) Admin Center to see if the Room Mailbox is actually created. You can also use the EAC to set permissions on this Mailbox. This cannot be achieved on-premises.
The on-premises EAC can be used to manage most of the settings of your Mailboxes in Exchange Online. When you open the EAC on-premises the Remote Mailboxes will show up as “Office 365 Mailbox”. Dave’s remote Archive Mailbox is clearly visible:
Unfortunately, you cannot create remote Mailboxes using the on-premises EAC; this can only be achieved from the on-premises Exchange PowerShell using the New-RemoteMailbox or the Enable-RemoteMailbox commands.
As mentioned before the Exchange 2016 server in my lab is not configured. After installing the Exchange server I created an Accepted Domain and an Email Address Policy and that’s it. The only communication that takes place between the on-premises environment and Office 365 is through the Azure AD Connect server, so there’s no need to configure the Exchange server.
Can it be useful to configure the Exchange server? Well, if you do configure it, you can also configure the on-premises Exchange server to run the Hybrid Configuration Wizard.
Can it be useful to run the Hybrid Configuration Wizard? Yes, even if you have all Mailboxes in Office 365 and don't even plan to move Mailboxes back to your on-premises environment (offboarding). Suppose you have multi-functional devices like scanners that can send scanned documents directly to your Mailbox. You can send these scanned documents to your on-premises Hybrid Server and have them forwarded to the Mailboxes in Office 365.
The same is true for on-premises applications, like CRM, HR or Finance applications which send messages directly to users. Applications like this can use the on-premises Exchange Hybrid server to forward messages from the application directly to the Mailbox in Office 365.
In this blog post and the previous two blog posts I showed you how to manage Exchange Online when you don't have an Exchange server on-premises. This is a typical situation when you've moved off of a Notes or GroupWise environment, but the same can be true if you decommissioned the last Exchange server after an Exchange on-premises to Exchange Online migration.
It's a bit of work and can be complex, but in the end it works. The problem is that it is unsupported and not recommended. One of the problems is that you never know what Microsoft will do when it comes to changes (improvements) regarding Azure AD Sync. If something changes and your solution stops working, then you're on your own.
I always recommend installing an Exchange server on-premises (or keep the last Exchange server when moving to Exchange Online), just for management purposes. No need to configure it using the Hybrid Configuration Wizard, although this has some advantages when it comes to relaying messages from on-premises to Exchange Online Mailboxes.