What is a Hybrid Exchange Server and Can You Get Rid of It?
We frequently get asked by customers that have moved all mailboxes to Office 365 about decommissioning their last Exchange server, which is usually just an Exchange Hybrid server at that point. Here’s an overview of the purpose of the Hybrid Exchange Server and some of the ramifications of removing it.
The purpose of a Hybrid Exchange Server, once all mailboxes are in the cloud, is to give you a supported way to make changes to the environment as needed. Think of it as a toolset for managing the Exchange attributes of objects that are synchronized from on-premises Active Directory. In the usual configuration mail does not flow through it, so if it goes down, mail flow is not impacted. Microsoft does not recommend having any mailboxes located on the Hybrid Exchange Server. In fact, through O365, Microsoft will provide a Hybrid Exchange Server license that can be used for this role, provided no mailboxes are located on the Hybrid Exchange Server. You can verify eligibility by logging into your O365 tenant and then browsing to https://configure.office.com/Scenario.aspx?sid=13. See the screenshot below.
Without that server, most changes to objects that were originally created in on-premises Exchange and are synchronized from on-premises will have to be made directly in Active Directory with ADSI Edit. (This requires Domain Admin credentials and a careful understanding of the task being performed, since ADSI Edit offers none of the validation the Exchange tools do.) Some tasks can be done via PowerShell instead. Think of it this way: Active Directory is synchronized to O365, but you still need a way to edit the Exchange attributes on the on-premises side, because that is where they are authoritative. Attributes of objects created directly in O365, by contrast, can be edited in the O365 web interface or PowerShell by users with granular O365 permissions applied. Here’s a quote from this TechNet article confirming this:
Why you may not want to decommission Exchange servers from on-premises
Customers with a hybrid configuration often find after a period of time that all of their mailboxes have been moved to Exchange Online. At this point, they may decide to remove the Exchange servers from on-premises. However, they discover that they can no longer manage their cloud mailboxes.
When directory synchronization is enabled for a tenant and a user is synchronized from on-premises, most of the attributes cannot be managed from Exchange Online and must be managed from on-premises. This is not due to the hybrid configuration, but it occurs because of directory synchronization. In addition, even if you have directory synchronization in place without running the Hybrid Configuration Wizard, you still cannot manage most of the recipient tasks from the cloud. For more information, see this TechNet blog.
Can third-party management tools be used?
The question of whether a third-party management tool or ADSIEDIT can be used is often asked. The answer is you can use them, but they are not supported. The Exchange Management Console, the Exchange Administration Center (EAC), and the Exchange Management Shell are the only supported tools that are available to manage Exchange recipients and objects. If you decide to use third-party management tools, it would be at your own risk. Third-party management tools often work fine, but Microsoft does not validate these tools.
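As an added example (not from the original article or the TechNet quote), here is the PowerShell equivalent of the most common ADSI Edit change on a synchronized user once no on-premises Exchange server is left: changing the primary SMTP address and adding an alias by editing the proxyAddresses attribute directly with the ActiveDirectory module. The user name, domain and addresses are assumptions.

```powershell
# Added example, not from the original article. After the last on-premises
# Exchange server is removed, a synchronized user's SMTP addresses live only in
# the AD attribute proxyAddresses. This does with the ActiveDirectory module
# what an admin would otherwise do by hand in ADSI Edit: demote the current
# primary address, add a new primary and a new alias, and keep the Exchange
# convention of exactly one upper-case "SMTP:" entry (secondaries are "smtp:").
# The user and addresses below are assumptions for illustration.
Import-Module ActiveDirectory

$sam        = 'jdoe'                    # assumed sAMAccountName
$newPrimary = 'john.doe@contoso.com'    # assumed new primary SMTP address
$newAlias   = 'jdoe@contoso.com'        # assumed additional (secondary) address

$user = Get-ADUser -Identity $sam -Properties proxyAddresses, mail

# Existing entries, with any empty value dropped. SMTP entries (either case)
# are normalised below; other prefixes (X500:, sip:, ...) are kept untouched.
$existing  = @($user.proxyAddresses | Where-Object { $_ })
$nonSmtp   = @($existing | Where-Object { $_ -notmatch '^smtp:' })   # -match is case-insensitive
$smtpAddrs = @($existing | Where-Object { $_ -match '^smtp:' } |
               ForEach-Object { $_ -replace '^smtp:', '' })          # bare addresses

# Drop any entry equal to an address we are about to (re)add, so an address
# that already exists as a secondary is promoted rather than duplicated.
$smtpAddrs = @($smtpAddrs | Where-Object { $_ -ine $newPrimary -and $_ -ine $newAlias })

$proxy = @("SMTP:$newPrimary", "smtp:$newAlias") +
         @($smtpAddrs | ForEach-Object { "smtp:$_" }) +
         $nonSmtp

# Sanity checks before writing: exactly one primary, no duplicate entries.
$primaries = @($proxy | Where-Object { $_ -clike 'SMTP:*' })
if ($primaries.Count -ne 1) {
    throw "Expected exactly one SMTP: primary, found $($primaries.Count)"
}
if (@($proxy | Sort-Object -Unique).Count -ne $proxy.Count) {
    throw 'Duplicate proxyAddresses entry'
}

# Write proxyAddresses and keep the mail attribute consistent with the primary.
Set-ADUser -Identity $sam -Replace @{ proxyAddresses = $proxy; mail = $newPrimary }

# Directory synchronization picks the change up on its next cycle. To push it
# immediately, run on the Azure AD Connect server:
#   Start-ADSyncSyncCycle -PolicyType Delta
```

The script must run as an account with write access to the user's proxyAddresses and mail attributes, which in practice is the Domain Admin account the article warns about unless that write has been explicitly delegated. Nothing here validates that the new address belongs to an accepted domain or is unique across the forest; that is exactly the checking the Exchange tools would have done for you, so the script should be adapted and tested against a lab user before it touches production objects.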
Ramifications of Removing the Server
What this means for you, if you choose to proceed, is that the routine changes normally handled by lower-level IT support staff in the Exchange tools (adding an SMTP alias, changing a display name, hiding a user from the address list) will in most cases have to be performed in ADSI Edit by someone more senior with Domain Admin rights, which will add to that person’s workload. The alternative is to give lower-level support staff Domain Admin credentials so they can make those changes in ADSI Edit themselves, which is a security risk: those credentials grant control over the whole domain, not just the handful of attributes the task requires. Delegating write access to only those attributes with an Active Directory ACL is possible, but it is still the kind of hand-built, unsupported management that Microsoft cautions against above.
Lucus Guth, PEI