Managing Hybrid Exchange Online Without Installing an Exchange Server

In April 2022 Microsoft finally released the ability to manage Active Directory synced attributes (Hybrid Identity) to Azure Active Directory for Exchange without a full Exchange Server installation.

You have instead an install of the Exchange Management Tools. You need the Exchange Server 2019 CU12 (or later) installation media to do this, and you either uninstall your existing Exchange Server (once you have met the prerequisites: all mailboxes in the cloud and PowerShell-only administration) or you install the Exchange Management Tools into your Active Directory if you have not done this before (no existing Exchange Server organization deployed).

This blog covers the very simple steps needed to do this. It is based on a few items mentioned in Install the Exchange management tools, where Microsoft document how to uninstall Exchange Server to get to this point. Here we will look at how to install the management tools into a forest that has never had an Exchange Server and then configure them for recipient management, to get to the same point.

In brief there are two sets of steps. The first is done the first time only, and you need to prep the Active Directory to support Exchange Server, install only the Management tools (so not the server) and then remove some configuration that the installer creates in Active Directory by default. The second set of steps is to install the management tools on other machines in your Active Directory forest, as there is no remote PowerShell, so it needs installing locally on the systems you will use. The only difference with the second type of deployment is that you have no Active Directory schema or configuration to put in place first of all.

Once your installation of the Exchange Management Tools is complete, if you have existing synced objects in your directory that are mailboxes etc. in Exchange Online there are a few steps to complete as well, and these are covered at the end of the article under the title “Updating Synced Objects”.

First Installation

This can be done from any Windows 10/11 client or supported Windows Server that is Active Directory domain joined and where you are logged in as an Enterprise Admin, Schema Admin and local device admin.

  1. Ensure you have all the latest updates on the client and also the following two pieces of software:
    1. .NET Framework 4.8
    2. Visual C++ 2012 Runtime
  2. Install the Active Directory Domain Services remote server administration tools (RSAT) with Install-WindowsFeature RSAT-ADDS on a Windows Server or Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 on Windows 10/11
  3. Reboot to ensure the updates are installed and to remove any pending updates that Windows may have. The Exchange Server install will fail if you have a pending reboot required.
  4. Download the Exchange Server 2019 CU12 release (April 2022) or later. Reboot the client again if some time has gone by!
  5. Double click this file to mount it as a CD under a spare drive letter
  6. Navigate to this drive letter from an administrator cmd prompt (not PowerShell).
  7. Run the following Setup /PrepareAD /OrganizationName:"MyOrganization" /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /role:managementtools /installwindowscomponents
    If you are just prepping Active Directory and not installing the management tools, miss out the last two parameters of the command line. Change “MyOrganization” for a suitable name if you want.
  8. Wait whilst Exchange Server Management Tools and directory and schema updates are installed.
  9. Log off and back in again. This is important so that environment variables and permissions are updated.
  10. Add your hybrid domain to Active Directory with the following steps.
    1. Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
    2. Replace the domain in the following with your remote routing domain from Microsoft 365. It will be the tenantname.mail.onmicrosoft.com domain: New-RemoteDomain -Name 'Hybrid Domain - tenant.mail.onmicrosoft.com' -DomainName 'tenant.mail.onmicrosoft.com'
    3. Use the same value for “tenant” in this cmdlet as well: Set-RemoteDomain -TargetDeliveryDomain: $true -Identity 'Hybrid Domain - tenant.mail.onmicrosoft.com'
  11. Only Domain Administrators and those users added to a new group called “Recipient Management EMT” can manage Exchange attributes for users using the Exchange Server Management Tools. This new group needs to be created by running these two cmdlets from an administrative PowerShell session:
    1. Add-PSSnapin *RecipientManagement
    2. & "$env:ExchangeInstallPath\Scripts\Add-PermissionForEMT.ps1" (the script lives in the Scripts folder of the Exchange install path; it must be invoked, not just cd’d to)
  12. Add users to the “Recipient Management EMT” group (in the Users container in Active Directory) who need to be recipient administrators. Do not move this group to the Exchange Security Groups OU.
  13. Remove some of the configuration that the installer adds to your directory that is now not needed (including other administration groups, OUs and permissions) with & "$env:ExchangeInstallPath\Scripts\CleanupActiveDirectoryEMT.ps1". Only domain admins and users who are assigned permission using the Add-PermissionForEMT.ps1 script referenced above will be able to perform recipient management.
  14. Ensure that the domains you use for email are added to the email address policy. This will default to alias@activedirectory.domain and so may not be what you want. Run Get-EmailAddressPolicy | fl *template* to see the current settings. You will see EnabledPrimarySMTPAddressTemplate as @activedirectory.domain and EnabledEmailAddressTemplates as SMTP:@activedirectory.domain. Change this, if needed, to any of the following to suit your current configuration in Active Directory:
    1. If you have set the alias (mailNickname) attribute to the same as the local part of all email addresses (that is, the bit before the @ symbol) then Set-EmailAddressPolicy "Default Policy" -EnabledEmailAddressTemplates "SMTP:@domain.com","smtp:@tenant.mail.onmicrosoft.com" where domain.com is your email domain and tenant.mail.onmicrosoft.com is your hybrid routing domain. If you do not have hybrid installed in this forest you need to include this domain, but if you don’t have hybrid for Exchange Server ever configured then you do not have this domain and do not need it here or in RemoteDomain above.
    2. If you would like your automatic email address generation based on first and last names (and all objects have these values) then run Set-EmailAddressPolicy "Default Policy" -EnabledEmailAddressTemplates "SMTP:%g.%s@domain.com","smtp:@tenant.mail.onmicrosoft.com"
  15. Finally, add a shortcut to the Exchange Management Tools by creating a new shortcut in the c:\users\public\desktop folder for C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -command "Add-PSSnapin *RecipientManagement". Use [Environment]::GetFolderPath('CommonDesktopDirectory') in PowerShell to find out the shared desktop folder path if the default is not working for you.
  16. You are nearly ready – you need to refresh the directory schema in Azure AD Connect so that Azure AD Connect knows that your directory now supports Exchange attributes. If you do not do this the attributes you add to Active Directory are not synced to Azure AD.
  17. You are now ready to correctly manage your recipients for hybrid identity (synced) users/groups using cmdlets such as New-RemoteMailbox, New-DistributionGroup etc. and this is covered below under “Updating Synced Objects”.
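The post-Setup configuration from steps 10 to 15 above, collected into one script as an added example (this is not code from the original post or from Microsoft). It assumes Setup has already completed and you have logged off and on again, and that the tenant routing domain, email domain, policy name and the list of recipient administrators are placeholders you replace with your own values.

```powershell
# Added example: post-Setup configuration for the first Exchange Management Tools install.
# Run in an elevated PowerShell session after logging off and back on.
# Placeholders (replace with your own values):
$TenantRoutingDomain = 'tenant.mail.onmicrosoft.com'   # hybrid routing domain from Microsoft 365
$EmailDomain         = 'domain.com'                    # your primary email domain
$PolicyName          = 'Default Policy'                # email address policy created by Setup
$RecipientAdmins     = @('jdoe', 'asmith')             # users who need recipient management rights

# Step 10: hybrid remote domain (create only if it does not already exist, then mark it as target delivery)
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
$remoteDomainName = "Hybrid Domain - $TenantRoutingDomain"
if (-not (Get-RemoteDomain -Identity $remoteDomainName -ErrorAction SilentlyContinue)) {
    New-RemoteDomain -Name $remoteDomainName -DomainName $TenantRoutingDomain | Out-Null
}
Set-RemoteDomain -Identity $remoteDomainName -TargetDeliveryDomain $true

# Step 11: create the "Recipient Management EMT" group and its permissions
Add-PSSnapin *RecipientManagement
& "$env:ExchangeInstallPath\Scripts\Add-PermissionForEMT.ps1"

# Step 12: add the recipient administrators to the group (RSAT AD module from step 2)
Import-Module ActiveDirectory
Add-ADGroupMember -Identity 'Recipient Management EMT' -Members $RecipientAdmins

# Step 13: remove the installer's unneeded groups, OUs and permissions
& "$env:ExchangeInstallPath\Scripts\CleanupActiveDirectoryEMT.ps1"

# Step 14: show the current templates, then set alias-based addresses for your domain and the routing domain
Get-EmailAddressPolicy -Identity $PolicyName | Format-List *template*
Set-EmailAddressPolicy -Identity $PolicyName -EnabledEmailAddressTemplates "SMTP:@$EmailDomain", "smtp:@$TenantRoutingDomain"

# Step 15: shared-desktop shortcut that opens PowerShell with the RecipientManagement snap-in loaded
$desktop = [Environment]::GetFolderPath('CommonDesktopDirectory')
$shell   = New-Object -ComObject WScript.Shell
$lnk     = $shell.CreateShortcut((Join-Path $desktop 'Exchange Management Tools.lnk'))
$lnk.TargetPath = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
$lnk.Arguments  = '-noexit -command "Add-PSSnapin *RecipientManagement"'
$lnk.Save()
```

The Get-RemoteDomain check makes the script safe to re-run if a step fails part way through; the cleanup script is still run only once, after the group has been populated, because it removes the other administration groups the installer created. Step 16 (refreshing the directory schema in Azure AD Connect) is done in the Azure AD Connect wizard and is not scripted here.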

Second Installation

This can be done from any Windows 10/11 client or supported Windows Server that is Active Directory domain joined and where you are logged in as the local device admin. The Active Directory schema, configuration installation, management group and cleanup are all already done once in your directory using the “First Installation” steps above:

  1. Ensure you have all the latest updates on the client and also the following two pieces of software:
    1. .NET Framework 4.8
    2. Visual C++ 2012 Runtime
  2. Install the Active Directory Domain Services remote server administration tools (RSAT) with Install-WindowsFeature RSAT-ADDS on a Windows Server or Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 on Windows 10/11
  3. Reboot to ensure the updates are installed and to remove any pending updates that Windows may have. The Exchange Server install will fail if you have a pending reboot required.
  4. Download the Exchange Server 2019 CU12 release (April 2022) or later. Reboot the client again if some time has gone by!
  5. Double click this file to mount it as a CD under a spare drive letter
  6. Navigate to this drive letter from an administrator cmd prompt (not PowerShell).
  7. Run the following Setup /IAcceptExchangeServerLicenseTerms_DiagnosticDataON /role:managementtools /installwindowscomponents
  8. Wait whilst Exchange Server Management Tools and directory and schema updates are installed.
  9. Log off and back in again. This is important so that environment variables and permissions are updated.
  10. Finally, add a shortcut to the Exchange Management Tools by creating a new shortcut in the c:\users\public\desktop folder for C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -command "Add-PSSnapin *RecipientManagement". Use [Environment]::GetFolderPath('CommonDesktopDirectory') in PowerShell to find out the shared desktop folder path if the default is not working for you.
  11. You are now ready to correctly manage your recipients for hybrid identity (synced) users/groups using cmdlets such as New-RemoteMailbox, New-DistributionGroup etc.

Security and Patching

When Microsoft release security updates for Exchange Server monthly and new Cumulative Updates twice a year, you do not need to update your installations for Exchange Management Tools unless Microsoft specifically calls this out in the update release notes. It would only be the case that new cmdlet support and security bugs in the management DLL would require this – all other updates for Exchange Server would not be valid for the management machines.

Updating Synced Objects

Once you have installed the Exchange Management Tools, if you have any objects that you have already updated the attributes against then you might find that the Exchange Management Tools set different attribute values against these objects when you update them. For example you might have an email address policy of %m@domain.com, which means alias@domain.com and a user with an alias of mpatel but a manually configured email address of manoj.patel@domain.com. If you now use the Exchange Management Tools to update any attribute the email address policy will take effect and the primary email address will change to mpatel@domain.com (and the original address of manoj.patel@domain.com becomes a secondary address automatically).

This can be a big issue – no one wants their email address changed and the possibility exists that you could do this in bulk! Therefore, I recommend that you intentionally update a user to see what happens having grabbed a copy of all the attributes (Get-User etc) or a screenshot from Azure AD Connect metaverse search and then compare the changes made with running the Exchange Management Tools – Azure AD Connect will show what changes are synced on the export row of the application.

Ensure that the changes are not unexpected – for example in the above you would want to check everyone’s alias value against the first part of their email address and make sure they match. And manually fix the alias of all mismatched users before using the Exchange Management Tools.
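The check described above (snapshot the attributes first, then find every user whose alias does not match the local part of their primary SMTP address) as an added example; this is not code from the original post. It assumes the RSAT Active Directory module from the installation steps, and the search base, snapshot path and the %m@domain.com policy are placeholders for your own environment.

```powershell
# Added example: pre-flight check before touching synced objects with the Exchange Management Tools.
# Placeholders (replace with your own values):
$SearchBase = 'OU=Users,DC=corp,DC=example'                 # where the synced users live
$Snapshot   = "$env:TEMP\mail-attributes-before-EMT.xml"   # copy of attributes to compare against later

Import-Module ActiveDirectory
$props = 'mailNickname', 'mail', 'proxyAddresses', 'targetAddress', 'msExchRecipientTypeDetails'
$users = Get-ADUser -Filter 'mail -like "*"' -SearchBase $SearchBase -Properties $props

# Keep a copy of every mail attribute before any change; Export-Clixml preserves multi-valued attributes
$users | Select-Object SamAccountName, DistinguishedName, $props | Export-Clixml -Path $Snapshot

$mismatches = foreach ($u in $users) {
    # The primary SMTP address is the upper-case 'SMTP:' entry; fall back to mail when proxyAddresses is empty
    $primary = $u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
    $primary = if ($primary) { $primary.Substring(5) } else { $u.mail }
    if (-not $primary) { continue }

    $localPart = $primary.Split('@')[0]
    $domain    = $primary.Split('@')[1]
    # A %m@domain policy rebuilds the primary address from the alias, so any mismatch means a changed address
    if ($u.mailNickname -ne $localPart) {
        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Alias          = $u.mailNickname
            PrimarySmtp    = $primary
            WouldBecome    = "$($u.mailNickname)@$domain"
        }
    }
}

$mismatches | Format-Table -AutoSize
"$(@($mismatches).Count) user(s) would have their primary address changed by the policy; snapshot saved to $Snapshot"
```

Only after the list is empty (aliases fixed by hand, one user at a time, as the article advises) would you update a single test user with the Exchange Management Tools and diff its exported attributes against the snapshot with Import-Clixml and Compare-Object, then check the export row in Azure AD Connect before doing anything in bulk.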
