So, today I found out that outbound mail from my jaapwesselius.com did not have a DKIM signature (after mail was blocked by prodigy.net). I have my jaapwesselius.com running on WordPress.com. To do this, WordPress requires to have DNS hosted with them. No problem, but adding a DKIM record in WordPress DNS is not possible, it fails with a TXT records may not exceed 255 characters error message as shown below:
The solution is relatively simple. You can add a CNAME record for the original DKIM record. For example, have safemail._domainkey.jaapwesselius.com point to something like safemailhop.exchangelabs.nl (I own that domain too, and DNS is hosted at my provider Argeweb).
While installing the Exchange 2019 Management Tools (only the Management Tools) on a server, I ran into the error message “A reboot from a previous installation is pending. Please restart the system and then rerun Setup”
Normally a reboot fixes this problem, but unfortunately this time it did not fix it.
The option to reboot is also logged in the registry of the server. There is a key called PendingFileRenameOperations located in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager which in this case has a certain data that was not cleaned up previously:
When you check the data you can even see which process did not clean up. Remove the data from the key (or remove the entire key) and continue with the installation.
On Tuesday December 15, 2020 Microsoft has released its quarterly updates for Exchange server, specifically Exchange 2019 CU19 and Exchange 2019 CU8.
Nothing special, but a few remarks:
In contrast to earlier communication from Microsoft, CU19 is not the last CU released by Microsoft. The final CU for Exchange 2016 will be released in March 2021.
When running a hybrid deployment or when using Exchange Online Archiving in combination with Exchange on-premises, make sure you run the latest CU or one version older (i.e. Exchange 2013 CU23, Exchange 2016 CU18/CU19 or Exchange 2019 CU7/CU8)
No schema changes in these CUs but there are changes to AD, so make sure you run the Setup.exe /PrepareAD command
And as always, test thoroughly in your lab environment, and when deploying make sure your servers are in maintenance mode (especially the DAG).
After decommissioning the Resource Forest I still have an Exchange 2016 environment on-premises, but all my mailboxes are in Office 365. Users are provisioned in Active Directory, Remote Mailboxes are provisioned in Exchange 2016 and everything is synchronized to Office 365 using Azure AD Connect.
Do I still need an Exchange Hybrid Configuration? Unless there are plans to move resources back to Exchange on-premises there’s no need for a Hybrid Configuration. To stay in a supported configuration, an Exchange server on-premises is still needed for management purposes, but only Azure AD Connect is needed and not a full hybrid configuration.
Note. If you want to use the on-premises Exchange server for SMTP relay purposes you don’t need the Hybrid configuration either. Just make sure you have a SMTP Send Connector that points to Exchange Online Protection and you’re good.
Removing the Hybrid configuration consists of the following steps:
Disable Autodiscover SCP in Exchange
Remove the Hybrid Configuration from Active Directory
Remove Connectors in Exchange Online
Remove the Organization Sharing from Exchange Online
Disable OAuth
Disable Autodiscover SCP in Exchange
When all Exchange resources are in Exchange Online you no longer need the on-premises Service Connection Points (SCP) for Autodiscover. But make sure you have the correct CNAME records for Autodiscover that point to Autodiscover.outlook.com.
To disable the SCP records in Active Directory, execute the following command in Exchange Management Shell:
Remove the Hybrid Configuration from Active Directory
Removing the Hybrid Configuration from Active Directory is just one PowerShell command in Exchange Management Shell:
Remove-HybridConfiguration -Confirm:$false
There’s one pitfall here, this will also remove the outbound to Office 365 Send Connector from Exchange. If you want to keep SMTP relay from on-premises to your mailboxes in Exchange Online you have to manually recreate this connector (use yourdomain-com.mail.protection.outlook.com as a smarthost for this)
Remove Connectors in Exchange Online
In the Exchange Online Admin Center, remove the outbound SMTP connectors that point from Exchange Online to your on-premises Exchange organization. If you want to keep SMTP routing, keep the inbound SMTP connector, otherwise you can remove this as well.
Remove the Organization Sharing from Exchange Online To remove the Hybrid Organization Sharing from Exchange Online navigate to Organization | Sharing in the Exchange Admin Center and remove the organization sharing.
Disable OAuth on-premises
When used before you can disable the OAuth configuration as well from Exchange on-premises and Exchange Online.
In Exchange on-premises Management Shell, execute the following command:
These are the steps needed to remove the Hybrid Configuration from your Exchange environment.
Note. Microsoft recommends to leave the Exchange Hybrid option in Azure AD Connect.
Summary
In this blogpost I explained how to remove the Hybrid Configuration from your Exchange environment after you have moved all resources to Exchange Online.
The on-premises Exchange server is still needed for management purposes. After removing the Hybrid Configuration you can still manage your recipient Exchange Online using the on-premises Exchange server, all changes are replicated through Azure Active Directory.
Is that last Exchange server on-premises still needed? Yes, you need it for managing your recipients in Exchange Online. When you have Azure AD Connect running in your environment, the objects are managed in on-premises Active Directory. The source of authority is Active Directory. As long as Microsoft hasn’t fixed the source of authority problem, an Exchange server on-premises is still needed.
On December 8, 2020 Microsoft released a number of security updates for Exchange server. Despite the fact that Exchange 2010 is out of support at all, an important security update for Exchange 2010 was released as well.
