ThomasBluhmeAndersen-2681 asked ·

Azure AD Connect and removal of on-prem Exchange 2010 server

Hi

We have been running Azure AD Connect for a while now syncing users to O365 mainly for password syncing reasons. The sync is scoped so that only members of a specific AD security group get synced. We only sync one-way, meaning on-prem to Office 365.

We are now about to migrate all mailboxes on the old on-prem Exchange 2010 server to O365. We are not running a hybrid environment, so migration will be made using a 3rd party tool. This will be done later this week.

Now I am getting a little concerned regarding the decommission of the old Exchange 2010 server after all mailboxes have been migrated. Azure AD Connect is running just fine with pretty much default settings, so I believe that it is also syncing a lot of Exchange attributes from the on-prem AD, and I am concerned that when I decommission the Exchange 2010 server I also remove the Exchange attributes from the local AD and its users. I suspect this as I get the following error message when trying to hide a user from the O365 address book.

The operation on mailbox "USERNAME REMOVED" failed because it's out of the current user's write scope. The operation on mailbox failed because it’s out of the current users’s write scope. The action ‘Set-Mailbox’, ‘HiddenFromAddressListsEnabled’, can’t be performed on the object because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization. I also get a similar error while trying to edit one of the users email addresses.

So I am concerned that when I decommission the old Exchange 2010 server, a lot of Exchange attributes are removed on-prem (which is fine), but I fear that these removals will be synced to Office 365 thereby removing them there too...for example email addresses and such.

Can anyone please tell me if I need to be careful here and take some kind of action before I decommission the on-prem Exchange server or if my concerns are without reason.

Best
Thomas

azure-ad-connect

RieglerWolfgang-3560 answered ·

If you have synced identities, an Exchange Management Server should remain on premises. The clean way to do object changes is to do the changes on premises and let AAD Connect sync the changes to Azure.

https://techcommunity.microsoft.com/t5/exchange-team-blog/decommissioning-your-exchange-2010-servers-in-a-hybrid/ba-p/597185

Full cloud management will come in future (hopefully)


Hi Wolfgang and thanks for your quick answer.

I would still like to manage AD users on-prem, but the Exchange features of the synced users I would like to control in O365. My concern is that when I decommission the Exchange 2010 server on-prem, thereby removing the Exchange attributes in the on-prem AD schema and from the on-prem users, what will then happen to the synced users in O365? Will I thereby also delete some settings from them? For example email addresses or other settings that might have been synced from the on-prem AD. Or the "hide from address book" I wrote about in my initial post.

I have actively chosen that this is not a hybrid setup as you can see below as I didn't want that to happen but .

[Attachment: setup.jpg (Azure AD Connect setup screenshot)]
michev answered ·

If you want to decommission the Exchange server, you need to remove AAD Connect first. Since the link to the on-prem AD will then be broken, the objects will be manageable directly in O365, and any changes made to attributes after removing the Exchange server won't impact them. If you still want to use AAD Connect, you must keep at least one Exchange server for management purposes.


That's not necessarily true. Many organizations have identity management systems that can handle setting the Exchange attributes in AD, eliminating the need for the exchange server on prem. As long as you're okay with managing the exchange attributes through AD management, there's no reason you can't decom exchange and keep AADC in place.

michev replying to DavidHartForsyte-8724 ·

The reason is staying in a supported configuration. As clearly stated in the documentation: https://docs.microsoft.com/en-us/exchange/decommission-on-premises-exchange?redirectedfrom=MSDN

Can third-party management tools be used?

The question of whether a third-party management tool or ADSIEDIT can be used is often asked. The answer is you can use them, but they are not supported. The Exchange Management Console, the Exchange admin center (EAC), and the Exchange Management Shell are the only supported tools that are available to manage Exchange recipients and objects. If you decide to use third-party management tools, it would be at your own risk. Third-party management tools often work fine, but Microsoft does not validate these tools.

I'm aware of the 'supportability' issue. I've done dozens of MIM implementations where we used that to provision exchange settings, and I've never once had MSFT deny support for Exchange Online. Calling it 'unsupported' gives them a copout if someone messes with ADSIedit.msc and ruins their exchange online users, but it doesn't mean you can't or shouldn't manage those attributes independently.

ThomasBluhmeAndersen-2681 answered ·

Hi, after a lot of "deep thinking" I ended up pulling the plug on the Exchange 2010 servers and crossing my fingers. Almost everything worked as it should (not messing much up), but I needed to manually add the email address and SMTP proxyAddresses for all users in AD afterwards, as they had been blanked when Exchange 2010 was removed. Not a big problem as it was only 60-70 users, so an hour of manual input and everything was good. Probably more settings were deleted when Exch2010 was removed, but this being a pretty simple setup, nothing that was being used :)

And yes, Exchange attributes such as "hide from address book" I have to manage locally in AD Attribute Editor so that they are synced from AD to 365.... or use a third party tool......found one that actually plugs into ADUC and adds an extra tab, but I haven't decided yet if I need it as I'm used to the Attribute Editor.

So many thanks for all the input, over and out :)

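The final answer above reports that mail and proxyAddresses were blanked on the synced users when Exchange 2010 was uninstalled, and that hide-from-address-book now has to be set on the on-premises object. The following is an added example, not code from anyone in the thread: it exports those attributes for the members of the sync scope group before decommissioning and restores them afterwards so the next AAD Connect sync pushes the same values to Exchange Online. It assumes the RSAT ActiveDirectory module; the group name `O365-Sync` and the CSV path are placeholders. The msExch* schema attributes remain in AD after Exchange is uninstalled (schema extensions are not removed), only their values were cleared, so Set-ADUser can write them back.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
# 'O365-Sync' and the CSV path are placeholders; use your own sync scope group and a safe location.
Import-Module ActiveDirectory

$SyncGroup = 'O365-Sync'
$BackupCsv = 'C:\Backup\exchange-attrs-before-decom.csv'
# Attributes AAD Connect syncs to Exchange Online that the thread reports being cleared on uninstall
$ExchAttrs = 'mail', 'mailNickname', 'proxyAddresses', 'targetAddress', 'msExchHideFromAddressLists'

function Export-SyncedExchangeAttrs {
    param([string]$Group, [string]$Path)
    # proxyAddresses is multi-valued, so it is flattened with ';' for the CSV
    Get-ADGroupMember -Identity $Group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties $ExchAttrs |
        Select-Object SamAccountName, mail, mailNickname, targetAddress,
            msExchHideFromAddressLists,
            @{ Name = 'proxyAddresses'; Expression = { $_.proxyAddresses -join ';' } } |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

function Restore-SyncedExchangeAttrs {
    param([string]$Path, [switch]$Apply)
    foreach ($row in Import-Csv -Path $Path) {
        $replace = @{}
        foreach ($name in 'mail', 'mailNickname', 'targetAddress') {
            if ($row.$name) { $replace[$name] = $row.$name }
        }
        if ($row.proxyAddresses) {
            $replace['proxyAddresses'] = [string[]]($row.proxyAddresses -split ';')
        }
        if ($row.msExchHideFromAddressLists) {
            # Export-Csv stores the boolean as the text 'True'/'False'
            $replace['msExchHideFromAddressLists'] = [bool]::Parse($row.msExchHideFromAddressLists)
        }
        if ($replace.Count -eq 0) { continue }
        # Dry run (-WhatIf) unless -Apply is given; -Replace writes each attribute back as a whole
        Set-ADUser -Identity $row.SamAccountName -Replace $replace -WhatIf:(-not $Apply)
    }
}

# 1. Before uninstalling Exchange: take the backup.
Export-SyncedExchangeAttrs -Group $SyncGroup -Path $BackupCsv
# 2. After the uninstall has cleared the values: review the dry run, then rerun with -Apply.
#    The next AAD Connect delta sync then pushes the restored values to Exchange Online.
Restore-SyncedExchangeAttrs -Path $BackupCsv
```

Diffing a fresh export against the backup after the uninstall shows exactly which attributes the removal cleared, which is the check the original poster had to do by hand.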