You moved your mailboxes to Office 365 – good for you!
But now you’re starting to realize what it means to have a hybrid Office 365 environment with AD users synchronized with Office 365.
Some attributes are still managed via your on-premises AD user object, e.g.:
- Email addresses (stored in the proxyAddresses attribute).
- Mail alias (stored in the mailNickname attribute).
- Hiding users from the Global Address Lists (stored in the msExchHideFromAddressLists attribute).
And at the same time, you’ll have to manage other attributes in Exchange Online, e.g.:
- Mail forwarding.
- Mailbox delegation.
What’s up with that?
The most crucial step in decommissioning your last Exchange Server is to plan how you will manage recipients post Exchange.
Before you actually decommission Exchange (last section), you must create that plan.
What is Attribute Authority?
Attribute authority is a term used to denote that some attributes are maintained in on-premises Active Directory, others are maintained in Azure AD, and still others are managed via Exchange Online.
This causes a lot of confusion, especially with first-level supporters or single-admin operations that cannot work full-time with Office 365.
Due to attribute authority, Microsoft encourages you to keep your on-premises Exchange Server for the sole purpose of on-premises attribute management – even though all your mailboxes are migrated.
But what are the costs of maintaining a local on-premises Exchange Server?
- You need dedicated hardware (or a VM).
- You need an OS license (the Exchange license is free).
- You need to spend time patching, monitoring, and backing up.
- You need a constant power supply for the system.
- You’re at risk from the increasing number of state-sponsored zero-day exploits specifically targeting Exchange on-premises.
Maintaining an on-premises Exchange Server is unacceptable to many, if not most.
But how can we manage the on-premises email attributes without Exchange?
Decommission the Last Exchange Server With Third-Party Tools
One way to solve this problem, which has gathered a huge following in recent years, is using Easy365Manager.
Easy365Manager is a unique and simple solution to a very complex problem.
Easy365Manager is a snap-in to AD Users & Computers that extends user properties with two new tabs.
With the Easy365Manager snap-in, you can not only manage the on-premises email attributes but also perform all daily management of Exchange Online attributes.
This completely eliminates the problem of attribute authority:
You manage everything in one place, and Easy365Manager will ensure configuration changes are written to the proper attributes and objects.
Some of the available configurations in Easy365Manager even cover settings that are normally only available via PowerShell, like calendar delegation.
Easy365Manager installs on any system running AD Users & Computers and requires no infrastructure changes.
Use the fully functional 30-day trial to check if the software meets your needs. You can download, install, and configure it in less than three minutes.
The only downside of using a third-party tool like Easy365Manager is the per-tenant license cost and the fact that Microsoft doesn’t support configuration changes made by third-party tools. So in case of issues, you’ll have to rely on the vendor’s support.
Decommission the Last Exchange Server With Exchange Server 2019 CU12
In April 2022, Microsoft finally devised a solution to the attribute authority problem by releasing Exchange Server 2019 CU12.
Unfortunately, this solution is somewhat complex and will only satisfy the savviest PowerShell-minded admins.
Exchange Server 2019 CU12 includes a PowerShell snap-in that enables you to manage email properties in your on-premises AD, and Microsoft will support any issues coming from their own tool.
There are several steps to decommission the last Exchange Server using Exchange Server 2019 CU12:
- You need to upgrade to Exchange Server 2019 CU12.
- If your current setup is Exchange 2010 or earlier, you need to upgrade to Exchange Server 2013 or 2016 before moving on to 2019.
- You must install the Exchange Management tools from the 5.8 GB installer.
- There are a lot of system prerequisites that must be met.
(For more details on the prerequisites and installation procedure, look at this).
When you finally succeed with the Exchange upgrade and the installation of the Exchange Management Tools, you will get your hands even dirtier:
Any configuration changes to mail recipients are PowerShell only from now on!
PowerShell is great for automating stuff. But it’s just not great for first-level support, and for most organizations, this approach will shift work from first-level support to senior admins.
Another thing to consider is that you’ll still need the Exchange Admin Center and the Exchange Online PowerShell module to finish the job.
Decommission the Last Exchange Server With Direct Attribute Editing
For completeness’ sake, we’ll also mention a third possibility: editing raw AD attributes using ADSIEdit or the AD Users & Computers attributes tab.
This option requires extensive knowledge of AD attributes. The proxyAddresses attribute is especially tricky, because it follows rules that are not enforced when you edit it directly.
Also, Microsoft does not support direct editing of attributes, so you’re on your own if problems arise.
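Because direct editing enforces none of the proxyAddresses rules, it helps to check a proposed value list before writing it. The following is an added example, not code from Microsoft or from any tool mentioned here; Test-ProxyAddresses is a hypothetical helper and the addresses are constructed sample data. It checks for well-formed entries, exactly one upper-case SMTP: primary, and no duplicates or collisions with other recipients.

```powershell
# Hypothetical helper: returns a list of problems found in a proposed proxyAddresses list.
function Test-ProxyAddresses {
    param(
        [string[]]$Proposed,             # values intended for the user being edited
        [string[]]$InUseElsewhere = @()  # values already held by other recipients
    )
    $problems = [System.Collections.Generic.List[string]]::new()

    # Rule 1: every entry is "<type>:<address>" with no whitespace.
    foreach ($value in $Proposed) {
        if ($value -notmatch '^[A-Za-z0-9]+:\S+$') { $problems.Add("Malformed entry: '$value'") }
    }

    # Rule 2: exactly one primary SMTP address (case-sensitive upper-case "SMTP:" prefix).
    $primary = @($Proposed | Where-Object { $_ -clike 'SMTP:*' })
    if ($primary.Count -ne 1) {
        $problems.Add("Expected exactly 1 primary SMTP: entry, found $($primary.Count)")
    }

    # Rule 3: primary and secondary SMTP entries must look like local@domain.
    foreach ($value in ($Proposed | Where-Object { $_ -like 'smtp:*' })) {
        if ($value.Substring(5) -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            $problems.Add("Invalid SMTP address: '$value'")
        }
    }

    # Rule 4: no duplicates within the list (Group-Object compares case-insensitively).
    $Proposed | Group-Object | Where-Object Count -gt 1 |
        ForEach-Object { $problems.Add("Duplicate entry: '$($_.Name)'") }

    # Rule 5: no address already assigned to another recipient (-contains ignores case).
    foreach ($value in $Proposed) {
        if ($InUseElsewhere -contains $value) {
            $problems.Add("Already in use by another object: '$value'")
        }
    }
    return ,$problems.ToArray()
}

# Constructed sample: two primaries, a duplicate alias, and a collision with another user.
$proposed = @(
    'SMTP:anna@contoso.example',
    'SMTP:anna.berg@contoso.example',
    'smtp:aberg@contoso.example',
    'smtp:ABerg@contoso.example',
    'smtp:sales@contoso.example'
)
$others = @('SMTP:sales@contoso.example')
Test-ProxyAddresses -Proposed $proposed -InUseElsewhere $others
```

In a real environment the InUseElsewhere list would come from a directory-wide query of existing proxyAddresses values, which is left out here so the example runs offline.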
How to Decommission the Last Exchange Server
OK. You’ve got a plan for attribute authority and management of your environment post-Exchange.
Now you need to check the following before we decommission the last Exchange Server:
- Verify all mailboxes are migrated.
- Verify no public folders are present.
- Verify that no applications or scan-to-email devices are using the server.
- Finally, verify that no inbound or outbound mail flow is present.
If those are all green check marks, let’s move on.
These are the steps to decommission your last Exchange Server:
- Shut down the server (don’t uninstall Exchange or clean up AD).
- Leave it off for a week or two to verify your selected strategy for ongoing recipient management.
- Remove service connection point values.
- Remove inbound and outbound connectors.
- Remove the organization relationship.
For technical details on how to perform these steps, look at this.
And that’s basically it. Do not try to clean up the Exchange configuration from the AD configuration partition. There’s no realized benefit in this effort, but the risks are plenty.
Enjoy life without on-premises Exchange and a well-managed hybrid Office 365 environment!