Managing Hybrid Exchange Online Without Installing an Exchange Server


In April 2022 Microsoft finally released the ability to manage the Exchange attributes of Active Directory objects that are synced to Azure Active Directory (hybrid identity) for Exchange Online without a full Exchange Server installation.

Instead, you install only the Exchange Management Tools (EMT) from the Exchange Server 2019 CU12 (or later) installation media. Either you uninstall your existing Exchange Server (once you have met the prerequisites: every mailbox is in the cloud and you have accepted PowerShell-only administration), or, if Exchange Server has never been installed in your Active Directory (no Exchange organization exists), you prepare the directory and install the management tools into it.

This blog covers the very simple steps needed to do this. It is based on a few items in Microsoft's Install the Exchange management tools article, which documents how to uninstall an existing Exchange Server to reach this point. Here we look at the other direction: how to prepare Active Directory, install only the management tools, and configure them for recipient management.

In brief there are two sets of steps. The first is done once only: prepare Active Directory to support Exchange Server, install the management tools only (not the server role), and then remove some configuration that the installer creates in Active Directory by default. The second set installs the management tools on other machines in your Active Directory forest. There is no remote PowerShell endpoint for EMT, so the tools must be installed locally on every machine you will administer from; the only difference in that case is that no schema or configuration work needs to be done first.

Once your installation of the Exchange Management Tools is complete, if you have existing synced objects in your directory that are already mailboxes etc. in Exchange Online there are a few further checks to make, and these are covered at the end of the article under the title "Updating Synced Objects".

First Installation

This can be done from any Windows 10/11 client or supported Windows Server that is Active Directory domain joined and where you are logged in as a user who is an Enterprise Admin, a Schema Admin and a local administrator on the device.

  1. Ensure you have all the latest updates on the client and also the following two pieces of software:
    1. .NET Framework 4.8
    2. Visual C++ 2012 Runtime
  2. Install the Active Directory Domain Services remote server administration tools (RSAT) with Install-WindowsFeature RSAT-ADDS on a Windows Server or Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 on Windows 10/11
  3. Reboot to ensure the updates are installed and to remove any pending updates that Windows may have. The Exchange Server install will fail if you have a pending reboot required.
  4. Download the Exchange Server 2019 CU12 (April 2022) or later ISO. Reboot the client again if some time has gone by!
  5. Double click the ISO to mount it as a virtual DVD on a spare drive letter
  6. Navigate to this drive letter from an administrator cmd prompt (not PowerShell).
  7. If Exchange Server was never installed in your Active Directory then run Setup /PrepareAD /OrganizationName:"MyOrganization" /IAcceptExchangeServerLicenseTerms_DiagnosticDataON. Change "MyOrganization" to a suitable name if you want; it becomes the name of the Exchange organization container in the configuration partition and cannot be changed later. If you do not want diagnostic data sent to Microsoft, the equivalent switch is /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF.
  8. If Exchange Server was installed in the past but is no more, then just install the Exchange Management Tools with Setup /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /role:managementtools /installwindowscomponents.
  9. If the previous Exchange install was so long ago that the schema and other directory components are out of date, or if Exchange Server was cleaned up badly, then run both of the previous commands instead. You might need to omit the /OrganizationName parameter, as the organization name may already be set in your directory configuration.
  10. If, finally, you still cannot get the install running, have solved all the errors about reboots and required components, but need to resolve the "Couldn't find the Enterprise Organization" error, then delete "CN=Microsoft Exchange" and its child object "CN=Active Directory Connections" under the Configuration partition (under CN=Services) using ADSI Edit and run both commands above. Only do this when you are certain no Exchange Server remains in the forest: that container holds the entire Exchange organization configuration.
  11. Wait whilst Exchange Server Management Tools and if appropriate the directory and schema updates are installed.
  12. Log off and back in again once the install successfully completes. This is important so that environment variables and permissions are updated.
  13. Add your hybrid routing domain as a remote domain with the following steps in PowerShell.
    1. Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
    2. Replace the domain in the following with your remote routing domain from Microsoft 365 (the tenantname.mail.onmicrosoft.com domain): New-RemoteDomain -Name 'Hybrid Domain - tenant.mail.onmicrosoft.com' -DomainName 'tenant.mail.onmicrosoft.com'
    3. Use the same value for "tenant" in this cmdlet as well. It marks the domain as the target delivery domain, which is what New-RemoteMailbox uses to build the RemoteRoutingAddress: Set-RemoteDomain -Identity 'Hybrid Domain - tenant.mail.onmicrosoft.com' -TargetDeliveryDomain:$true
  14. Only Domain Admins and members of a new group called "Recipient Management EMT" can manage Exchange attributes for users with the Exchange Management Tools. Create this group by running the following cmdlets from an administrative PowerShell session:
    1. Add-PSSnapin *RecipientManagement
    2. cd $env:ExchangeInstallPath\Scripts\
    3. .\Add-PermissionForEMT.ps1
  15. Add the users who need to be recipient administrators to the "Recipient Management EMT" group (in the Users container in Active Directory). Do not move this group to the Microsoft Exchange Security Groups OU, as that OU is removed in the next step.
  16. Remove the configuration that the installer adds to your directory but that a management-tools-only deployment does not need (the other administration groups, OUs and permissions) with:
    1. cd $env:ExchangeInstallPath\Scripts\
    2. .\CleanupActiveDirectoryEMT.ps1
  17. After the cleanup, only Domain Admins and users delegated by the Add-PermissionForEMT.ps1 script referenced above (members of Recipient Management EMT) will be able to perform recipient management, so keep that group's membership small and reviewed.
  18. Ensure that your email domains are added as accepted domains in the Exchange Management Tools with, for example, New-AcceptedDomain -Name domain.org.uk -DomainName domain.org.uk. Add the hybrid routing domain (tenantname.mail.onmicrosoft.com) in the same way.
  19. Ensure that the domains you use for email are in the email address policy. By default it generates alias@activedirectory.domain (your forest's DNS name), which is probably not what you want. Run Get-EmailAddressPolicy | fl name,*template* to see the current settings: EnabledPrimarySMTPAddressTemplate will be @activedirectory.domain and EnabledEmailAddressTemplates will be SMTP:@activedirectory.domain. Change this, if needed, to whichever of the following suits the data already in your Active Directory:
    1. If the alias (mailNickname) attribute of every object already equals the local part of its email address (the part before the @ symbol), then Set-EmailAddressPolicy "Default Policy" -EnabledEmailAddressTemplates "SMTP:@domain.com","smtp:@tenant.mail.onmicrosoft.com", where domain.com is your email domain and tenant.mail.onmicrosoft.com is your hybrid routing domain. Include the routing domain even though there is no longer an Exchange Server (hybrid) in this forest: it is what stamps the secondary alias@tenant.mail.onmicrosoft.com address that remote mailboxes use as their RemoteRoutingAddress. If Exchange hybrid was never configured for this tenant, that domain may not exist and you can omit it both here and in the RemoteDomain step above.
    2. If you would like automatic email address generation based on first and last names (and every object has both values populated), then run Set-EmailAddressPolicy "Default Policy" -EnabledEmailAddressTemplates "SMTP:%g.%s@domain.com","smtp:@tenant.mail.onmicrosoft.com"
  20. Finally, add a shortcut to the Exchange Management Tools by creating a new shortcut in the c:\users\public\desktop folder for C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -command "Add-PSSnapin *RecipientManagement". Use [Environment]::GetFolderPath('CommonDesktopDirectory') in PowerShell to find out the shared desktop folder path if the default is not working for you.
  21. You are nearly ready. Refresh the directory schema in Azure AD Connect (the "Refresh directory schema" task in the Azure AD Connect wizard) so that it discovers the Exchange attributes your forest now has. Until you do this, the Exchange attributes you set in Active Directory are not synced to Azure AD.
  22. You are now ready to manage recipients for hybrid identity (synced) users and groups with cmdlets such as New-RemoteMailbox, New-DistributionGroup etc. Before you touch objects that already exist and are already synced, read the checks under "Updating Synced Objects" below.
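The configuration steps above (13, 14/15, 18 and 19) as one idempotent PowerShell script, added here as an example; it is not taken from the original post or from Microsoft's own scripts. It assumes placeholder values for the email domains, the routing domain and the delegated administrators (replace them with your own), and it uses only the cmdlets the steps above already name plus the RSAT ActiveDirectory module for the group membership:

```powershell
# Added example (not from the original post): post-install configuration of an
# EMT-only forest, covering steps 13, 14/15, 18 and 19 above in one re-runnable
# script. Run from an elevated PowerShell on the machine where EMT was installed,
# as a Domain Admin. All values below are placeholders (assumptions) to replace.

$EmailDomains     = @('domain.org.uk')                 # your SMTP domains (assumed)
$RoutingDomain    = 'tenant.mail.onmicrosoft.com'      # hybrid routing domain (assumed)
$RecipientAdmins  = @('alice.admin')                   # sAMAccountNames to delegate (assumed)
$UseAliasTemplate = $true   # $true: alias@domain; $false: firstname.lastname@domain

# The full snap-in is needed for *-RemoteDomain, *-AcceptedDomain and *-EmailAddressPolicy.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction Stop

# Step 13: remote domain flagged as the target delivery domain. New-RemoteMailbox
# derives each RemoteRoutingAddress (alias@$RoutingDomain) from this flag.
$rdName = "Hybrid Domain - $RoutingDomain"
if (-not (Get-RemoteDomain -Identity $rdName -ErrorAction SilentlyContinue)) {
    New-RemoteDomain -Name $rdName -DomainName $RoutingDomain | Out-Null
}
Set-RemoteDomain -Identity $rdName -TargetDeliveryDomain $true

# Step 18: an accepted domain for every SMTP domain plus the routing domain.
foreach ($d in ($EmailDomains + $RoutingDomain)) {
    if (-not (Get-AcceptedDomain -Identity $d -ErrorAction SilentlyContinue)) {
        New-AcceptedDomain -Name $d -DomainName $d | Out-Null
    }
}

# Step 19: email address policy. Upper-case "SMTP:" is the primary address on the
# first domain; lower-case "smtp:" adds the secondary routing address so every
# recipient also gets alias@tenant.mail.onmicrosoft.com.
$primary = if ($UseAliasTemplate) { "SMTP:@$($EmailDomains[0])" }
           else                   { "SMTP:%g.%s@$($EmailDomains[0])" }
$templates = @($primary, "smtp:@$RoutingDomain")
Set-EmailAddressPolicy -Identity 'Default Policy' -EnabledEmailAddressTemplates $templates
Get-EmailAddressPolicy | Format-List Name, EnabledPrimarySMTPAddressTemplate, EnabledEmailAddressTemplates

# Step 15: membership of the delegation group created by Add-PermissionForEMT.ps1.
# Done with the RSAT ActiveDirectory module, not the Exchange snap-in, because
# after CleanupActiveDirectoryEMT.ps1 this group is the only delegation path left.
Import-Module ActiveDirectory
foreach ($sam in $RecipientAdmins) {
    Add-ADGroupMember -Identity 'Recipient Management EMT' -Members $sam -ErrorAction SilentlyContinue
}
Write-Host 'Recipient Management EMT members:'
Get-ADGroupMember -Identity 'Recipient Management EMT' | Select-Object -ExpandProperty SamAccountName
```

Run it after step 17 (the cleanup) so the group already exists; every block checks for the object before creating it, so re-running after a mistake is safe. The policy change itself only affects recipients when EMT next writes to them, which is exactly the behaviour discussed under "Updating Synced Objects".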

Second Installation

This can be done from any Windows 10/11 client or supported Windows Server that is Active Directory domain joined and where you are logged in as a local administrator on the device (the account that will later manage recipients from it must also be a Domain Admin or a member of Recipient Management EMT). The Active Directory schema, configuration, management group and cleanup have all already been done once in your directory using the "First Installation" steps above:

  1. Ensure you have all the latest updates on the client and also the following two pieces of software:
    1. .NET Framework 4.8
    2. Visual C++ 2012 Runtime
  2. Install the Active Directory Domain Services remote server administration tools (RSAT) with Install-WindowsFeature RSAT-ADDS on a Windows Server or Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 on Windows 10/11
  3. Reboot to ensure the updates are installed and to remove any pending updates that Windows may have. The Exchange Server install will fail if you have a pending reboot required.
  4. Download the Exchange Server 2019 CU12 (April 2022) or later ISO. Reboot the client again if some time has gone by!
  5. Double click the ISO to mount it as a virtual DVD on a spare drive letter
  6. Navigate to this drive letter from an administrator cmd prompt (not PowerShell).
  7. Run the following Setup /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /role:managementtools /installwindowscomponents
  8. Wait whilst the Exchange Management Tools are installed (no directory or schema updates are made this time).
  9. Log off and back in again. This is important so that environment variables and permissions are updated.
  10. Finally, add a shortcut to the Exchange Management Tools by creating a new shortcut in the c:\users\public\desktop folder for C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -command "Add-PSSnapin *RecipientManagement". Use [Environment]::GetFolderPath('CommonDesktopDirectory') in PowerShell to find out the shared desktop folder path if the default is not working for you.
  11. You are now ready to manage recipients for hybrid identity (synced) users and groups with cmdlets such as New-RemoteMailbox, New-DistributionGroup etc. The checks under "Updating Synced Objects" below apply from this machine too.

Security and Patching

When Microsoft releases security updates for Exchange Server monthly and new Cumulative Updates twice a year, you do not need to update your Exchange Management Tools installations unless Microsoft specifically calls this out in the release notes. Only new cmdlet support or a security fix in the management components would require it; the server-side fixes in those updates do not apply to a management-tools-only machine. Two things still deserve attention each month: read the release notes for a statement that the update applies to management tools-only installations, and treat every EMT machine as a privileged administrative host, because whoever is logged on to it holds the rights to rewrite recipient attributes across the forest (and, for the first installation, Schema Admin and Enterprise Admin). Restrict who can log on to it, keep the operating system patched, and do not leave it as a shared jump box.

Updating Synced Objects

Once you have installed the Exchange Management Tools, if you have objects whose Exchange attributes were previously set by hand (or by a script), you might find that the Exchange Management Tools set different attribute values on those objects the first time you update them. For example, you might have an email address policy of %m@domain.com (%m is the alias, so this means alias@domain.com), and a user with an alias of mpatel but a manually configured email address of manoj.patel@domain.com. If you now use the Exchange Management Tools to update any attribute of that user, the email address policy takes effect and the primary email address changes to mpatel@domain.com, with the original manoj.patel@domain.com automatically becoming a secondary address.

This can be a big issue. No one wants their email address changed, and the possibility exists that you could do this in bulk! Therefore, I recommend that you intentionally update a single user to see what happens, having first captured a copy of all the object's attributes (Get-User, Get-RemoteMailbox, or Get-ADUser -Properties * against the AD object) or a screenshot of the object from the Azure AD Connect metaverse search, and then compare the attributes after the change. Azure AD Connect will show what changed on the Export row in the Synchronization Service application.

Ensure that the changes are not unexpected. For example, in the scenario above you would want to check everyone's alias value against the local part of their primary email address and make sure they match, and then manually fix the alias of every mismatched user before using the Exchange Management Tools on them.
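An added PowerShell example (not from the original post) of the two checks just described: find every synced user whose alias does not match the local part of their primary SMTP address, and snapshot one test user's Exchange attributes so a single EMT change can be diffed afterwards. It deliberately uses only the RSAT ActiveDirectory module, because writing mailNickname with Set-ADUser does not trigger the email address policy, whereas Set-RemoteMailbox or Set-User from EMT would. The OU, test user and the function names Get-PrimarySmtp and Compare-AdSnapshot are this example's own assumptions; the -FixAlias switch defaults to a dry run.

```powershell
# Added example (not from the original post). Dot-source it so the helper
# functions stay in your session:  . .\Check-EmtDrift.ps1 -TestUser mpatel
# $SearchBase and $TestUser are assumed values; without -FixAlias nothing is written.
param(
    [string]$SearchBase = 'OU=Users,DC=corp,DC=example',   # assumed OU of synced users
    [string]$TestUser   = 'mpatel',                          # assumed sAMAccountName to trial
    [switch]$FixAlias                                        # actually write mailNickname
)
Import-Module ActiveDirectory

# Attributes the email address policy and EMT cmdlets are likely to touch.
$exchAttrs = 'mail','mailNickname','proxyAddresses','targetAddress',
             'msExchRecipientTypeDetails','msExchRemoteRecipientType','msExchRecipientDisplayType'

function Get-PrimarySmtp([string[]]$proxies) {
    # The primary address is the entry with an upper-case "SMTP:" prefix (case-sensitive).
    $p = $proxies | Where-Object { $_ -cmatch '^SMTP:' } | Select-Object -First 1
    if ($p) { $p.Substring(5) } else { $null }
}

function Compare-AdSnapshot([string]$Sam, [string]$Before) {
    # Diff each saved attribute against the live object; one row per difference.
    $old = Get-Content $Before -Raw | ConvertFrom-Json
    $new = Get-ADUser -Identity $Sam -Properties $exchAttrs
    foreach ($a in $exchAttrs) {
        $o = @($old.$a) -join ';'
        $n = @($new.$a) -join ';'
        if ($o -cne $n) { [pscustomobject]@{ Attribute = $a; Before = $o; After = $n } }
    }
}

# (1) Mismatch report: alias (mailNickname) vs local part of the primary SMTP address.
$mismatches = Get-ADUser -Filter 'proxyAddresses -like "*"' -SearchBase $SearchBase `
                         -Properties mailNickname, proxyAddresses |
    ForEach-Object {
        $primary = Get-PrimarySmtp $_.proxyAddresses
        if (-not $primary) { return }
        $local = ($primary -split '@')[0]
        if ($_.mailNickname -cne $local) {
            [pscustomobject]@{ Sam = $_.SamAccountName; Alias = $_.mailNickname
                               PrimarySmtp = $primary;   ExpectedAlias = $local }
        }
    }
$mismatches | Format-Table -AutoSize

# Align the alias with the existing primary address. This is the safe direction:
# the user's visible email address is untouched and only the hidden attribute changes,
# so when EMT later applies the %m@domain policy it regenerates the same address.
foreach ($m in $mismatches) {
    if ($FixAlias) {
        Set-ADUser -Identity $m.Sam -Replace @{ mailNickname = $m.ExpectedAlias }
    } else {
        Write-Host "WhatIf: would set mailNickname='$($m.ExpectedAlias)' on $($m.Sam) (currently '$($m.Alias)')"
    }
}

# (2) Snapshot the test user before the first EMT change, then diff after it.
$snapshotPath = Join-Path $env:TEMP "$TestUser-before.json"
Get-ADUser -Identity $TestUser -Properties $exchAttrs |
    Select-Object -Property (@('SamAccountName') + $exchAttrs) |
    ConvertTo-Json -Depth 3 | Set-Content -Path $snapshotPath
Write-Host "Snapshot written to $snapshotPath."
Write-Host "Now make ONE change with EMT (e.g. Set-RemoteMailbox $TestUser -CustomAttribute1 test), then run:"
Write-Host "  Compare-AdSnapshot -Sam $TestUser -Before '$snapshotPath'"
```

Run the mismatch report first and fix the aliases (with -FixAlias) before any EMT cmdlet touches those users; then make exactly one EMT change to the test user and run Compare-AdSnapshot. An empty result means the policy produced the addresses you expected; a changed mail or proxyAddresses row is the problem the section above warns about, caught on one account rather than in bulk.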

Photo by Tima Miroshnichenko from Pexels: https://www.pexels.com/photo/focused-professional-man-using-laptop-7567529/



Comments

6 responses to “Managing Hybrid Exchange Online Without Installing an Exchange Server”

  1. Vinny

    Hi Brian,

    Thanks for the great explanation !

    We have a slightly different scenario of two on-premises AD forests, Forest A & B, and both are in sync with the same Azure AD. Forest B has Exchange servers which are planned to migrate to O365 and thus on-premises Exchange and forest B will be decom, but we need Exchange attributes in forest A which does not have any Exchange server. Would you know how this can be supported?

    Thanks,
    Vinny

    1. Brian Reid

      There is an on-premises Exchange Server migration script called Prepare-MoveRequest.ps1. Schema prep Forest A for Exchange Server and then use this script to copy attributes from Forest B to Forest A. As both users in A and B are synced to AAD and the attribute copying is the same there is no change for the user in the cloud, but now you can take the user in Forest B out of scope of sync and only User in A syncs and nothing appears to have changed. Repeat for all users.

      Note that Prepare-MoveRequest.ps1 only does some Exchange Server attributes. You need your own script or to modify this one to sync other attributes you also need in Forest A. https://learn.microsoft.com/en-us/exchange/prepare-mailboxes-for-cross-forest-moves-using-the-prepare-moverequest-ps1-script-in-the-shell-exchange-2013-help

  2. Marco Freund

    Hi Brian,

    Thanks for the documentation, which helped us a lot.
    I was sure I posted a comment yesterday. However, it seems it's not here.

    Could you explain under First Installation points 21 and 22 a bit more? Especially what is meant by schema extension. Do I have to do something? It's not clear to me. Thanks, Marco

    1. Brian Reid

      Comments are read and approved before being published on this blog – which is why you did not see your comment from the day before.

      AADConnect has rules that control what is synced to and from the cloud. AADConnect will not sync Exchange attributes if it is not aware that the matching attributes exist in Active Directory. Therefore you need to tell AADConnect via the configuration wizard to refresh the schema so that it is aware the Exchange Server schema exists in Active Directory. This is what is meant by #21 on the list.

      #22 on the list is an example of the correct cmdlets to modify objects in Active Directory that are recipient objects in Exchange Online.

  3. Liam Stratford

    Hi Brian,

    This is a great read, thank you!

    I am looking to implement this for an organisation that is going to run this on a VM in Azure for supportability. They are already using Exchange Online. Do I need to run the hybrid connection wizard to configure a Modern Minimal hybrid? I’m trying to get around the requirement to use an SSL certificate on the Exchange server if possible.

    Many thanks,
    Liam

    1. Brian Reid

      Thanks Liam. No, you do not need to create Exchange Hybrid (any flavour) if you have Active Directory synced identities (aka Hybrid Identity) and Exchange Online mailboxes. This is for the scenario where identities (users) are synced from Active Directory and you do not have an Exchange Server to create/update the attributes in Active Directory for Exchange recipients in a supported way. If you do not have Active Directory you do not need to do this.
