How to Remove a Legacy Hybrid Exchange Server and migrate to Windows Server Essentials Office 365 Integration

If you performed a Remote Move migration from a legacy system such as SBS 2011 or Exchange 2010, and now you want to remove your hybrid server without losing the ability to sync passwords to Office 365, I have some good news for you: it’s totally possible.

Update: This is no longer a recommended solution. If you want password synchronization or Pass Through Authentication, stick to Azure AD Connect.

The problem

Microsoft’s official stance on removing your legacy hybrid Exchange server is that you must also disable Directory Synchronization and move to a “cloud-only” scenario. The reason: without an on-premises Exchange server, the way you manage certain mailbox attributes changes. For example, simple tasks such as adding alias addresses then require ADSIedit or a third-party tool, and those methods are technically unsupported. Here are some references on this topic:

In fact, Microsoft even suggests that smaller-sized organizations consider cutover, staged or IMAP migrations instead of Remote Move, so that the hybrid complexity can be avoided to begin with.

What? And lose the incredibly smooth migration experience? Ick. No thank you. It’s not that I mind doing a cutover migration, but… no wait, I do mind. Sorry to be the one to say it, but the cutover experience totally sucks–so stick with Remote Move if you want to–I certainly do.

Now when an organization wants to keep Directory Synchronization but remove the legacy hybrid Exchange server, the workaround is typically one of the following two choices:

  1. Run unsupported: Directory Synchronization enabled without a hybrid Exchange server (not recommended)
  2. Remove the legacy hybrid Exchange server, but add back a newer (and free) hybrid Exchange server (e.g. 2013) for management purposes (supported)

Question: But wait: what do most small organizations really want at the end of the day?

Answer: Fewer servers, simple management, and password synchronization.

The solution

Enter the Windows Server Essentials Experience role. This solution has all of the attributes that most small organizations actually want, and none of the complexity of a hybrid deployment. The key point: it is not a true Directory Synchronization with Office 365, so from the perspective of your Office 365 tenant the user accounts are viewed as residing in the cloud only, and common mailbox attributes such as alias addresses remain editable in the cloud (as well as in the Essentials Dashboard). And best of all, it is 100% supported.

Yes, you will be able to add new user accounts and assign Office 365 licenses. Yes, you will be able to edit alias addresses. Yes, you will be able to synchronize your passwords. What else could a small business or branch office admin wish for?

Here is the process:

  1. Remove Hybrid Configuration
  2. Remove Directory Synchronization
  3. Add SMTP relay connector (optional)
  4. Remove Exchange on-premises
  5. Add the Windows Server Essentials Experience Role
  6. Enable Online Services Integration to Azure AD and Office 365
  7. Assign Microsoft Cloud accounts

Step 1. Remove Hybrid Configuration

This first step basically follows the process for scenario one, as outlined in this TechNet article.

A. Check Public folders

Get-OrganizationConfig | fl PublicFoldersEnabled

If this returns a value of “Remote,” then you will need to migrate public folders to Exchange Online first.

B. Check MX & Autodiscover in DNS

Be sure DNS mail records are set for Office 365, rather than the local Exchange hybrid server, as described in this post.

C. Remove the service connection point (SCP)

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri $Null

D. Remove the hybrid connectors

In the Office 365 portal, go to Admin Centers > Exchange. In the Exchange Admin Center, find Mail flow > Connectors. In here, you can disable or delete the inbound/outbound connectors that were created by the Hybrid Connection Wizard. Do not remove other ones that may be in use.

E. Remove Organization Relationship

Again from the Office 365 Exchange Admin Center, browse to Organization and remove the relationship to on-premises Exchange.

The PowerShell command for removing the organization relationship is:

Get-OrganizationRelationship | Remove-OrganizationRelationship

Step 2. Remove Directory Synchronization

Now you can safely remove DirSync or Azure AD Connect. Just navigate to Programs & Features on the server hosting Directory Synchronization, and uninstall whichever sync utility you are using.

Also be sure to deactivate Directory Synchronization in the cloud. Start by connecting to your MSOL tenant:

$UserCredential = Get-Credential
Connect-MsolService -Credential $UserCredential

Next, you can disable the Directory Synchronization as follows:

Set-MsolDirSyncEnabled -EnableDirSync $false

Be aware that new user creation & password changes to existing users will not be reflected in Office 365 until you enable Online Services Integration later (Step 6).

Step 3. Add SMTP relay connector (optional)

Before you proceed to uninstall Exchange, you might also want to add an SMTP relay connector to Office 365, if you were previously using your hybrid server to relay mail from on-premises LOB apps, or from scan-to-email devices, etc. Office 365 can provide a relay connector to replace this functionality.

1. From the Exchange Online admin portal, go to Exchange Admin Center > Mail flow > Connectors. Use the “plus” symbol to add a new connector, and choose From: Your organization’s email server and To: Office 365. Step through the wizard, specifying the external IP address(es) of your organization under By verifying that the IP address… and clicking the “plus” symbol. You can leave the default values for the rest of the wizard.

2. Ensure that your SPF record in DNS includes spf.protection.outlook.com as well as ip4:<YourExternalIp>:

v=spf1 ip4:[ExternalIPAddress] include:spf.protection.outlook.com -all

3. Check that your firewall allows SMTP (25) outbound from the device(s) that require access to the connector.

4. On the device itself, change the SMTP or smarthost address from the internal Exchange server’s IP to the host of your MX record (e.g. companyinc-com.mail.protection.outlook.com). If the device only accepts an IP address rather than a hostname, you can ping this hostname to obtain one (note, however, that this IP can change).
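Once the relay moves off the hybrid server, a wrong SPF record either gets your LOB mail rejected or leaves the domain open to spoofing, so it is worth checking the record from step 2 above before the Exchange server goes away. The following PowerShell function is an added example, not part of the original post; the sample records and the relay address 203.0.113.10 are constructed values, and the optional Resolve-DnsName line assumes Windows 8 / Server 2012 or later.

```powershell
function Test-RelaySpfRecord {
    param(
        [Parameter(Mandatory = $true)] [string]   $SpfRecord,
        [Parameter(Mandatory = $true)] [string[]] $RelayIPs
    )
    $problems = New-Object System.Collections.Generic.List[string]

    # Split the record into its terms, e.g. "v=spf1", "ip4:203.0.113.10", "-all"
    $terms = $SpfRecord.Trim() -split '\s+'

    if ($terms[0] -ne 'v=spf1') {
        $problems.Add("record must start with 'v=spf1', found '$($terms[0])'")
    }

    # Exchange Online Protection sends on your behalf, so it must be authorised
    if ($terms -notcontains 'include:spf.protection.outlook.com') {
        $problems.Add("missing 'include:spf.protection.outlook.com'")
    }

    # Every address that relays through the new connector must be listed,
    # otherwise that mail fails SPF at the recipient
    foreach ($ip in $RelayIPs) {
        if ($terms -notcontains "ip4:$ip") {
            $problems.Add("relay address $ip is not listed as 'ip4:$ip'")
        }
    }

    # The record should end in a hard fail; '+all' or '?all' lets anyone use the domain
    $last = $terms[-1]
    if ($last -ne '-all' -and $last -ne '~all') {
        $problems.Add("record ends with '$last' instead of '-all' (or '~all')")
    }

    # RFC 7208 caps DNS-querying terms at 10; exceeding it turns the record into a permerror
    $lookups = @($terms | Where-Object { $_ -match '^[-+~?]?(include:|a$|a:|mx$|mx:|ptr|exists:|redirect=)' }).Count
    if ($lookups -gt 10) {
        $problems.Add("$lookups DNS-lookup terms exceed the limit of 10")
    }

    New-Object PSObject -Property @{
        Valid    = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Constructed samples: the record as written in step 2 above, then a weak one
$relayIp = '203.0.113.10'
$good = "v=spf1 ip4:$relayIp include:spf.protection.outlook.com -all"
$weak = 'v=spf1 include:spf.protection.outlook.com +all'
Test-RelaySpfRecord -SpfRecord $good -RelayIPs $relayIp
Test-RelaySpfRecord -SpfRecord $weak -RelayIPs $relayIp

# To test the record you actually published (Windows 8 / Server 2012 or later):
# $txt = (Resolve-DnsName -Name 'yourdomain.com' -Type TXT | Where-Object { $_.Strings -match '^v=spf1' }).Strings -join ''
# Test-RelaySpfRecord -SpfRecord $txt -RelayIPs $relayIp
```

The first sample passes; the second reports the missing ip4 entry and the +all.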

Step 4. Remove Legacy Exchange Server

Now you are ready to remove legacy Exchange servers from your environment. Not before steps 1, 2 and 3–only now. You will need to run several PowerShell commands to help prepare your server for uninstall. Warning: this assumes all data has been migrated to Office 365, and you have no further need of Exchange data / services on-premises. Proceed at your own risk.

Open the Exchange Management Shell as Administrator and run the following PoSH snippets in this order, answering Yes to All (A) at each confirmation prompt.

#Remove default Public folders
Get-PublicFolder "\" -Recurse -ResultSize:Unlimited | 
Remove-PublicFolder -Recurse -ErrorAction:SilentlyContinue

#Remove system Public folders
Get-PublicFolder "\Non_Ipm_Subtree" -Recurse -ResultSize:Unlimited | 
Remove-PublicFolder -Recurse -ErrorAction:SilentlyContinue

#Remove Offline Address Book
Get-OfflineAddressBook | Remove-OfflineAddressBook

#Remove send connectors
Get-SendConnector | Remove-SendConnector

#Remove Public Folder database
Get-PublicFolderDatabase | Remove-PublicFolderDatabase

#Remove arbitration mailboxes
Get-Mailbox -Arbitration | Disable-Mailbox -Arbitration -DisableLastArbitrationMailboxAllowed

#Remove mailboxes
Get-Mailbox | Disable-Mailbox

At last, you are ready to run the uninstaller. From an elevated command prompt, navigate to the directory “C:\Program Files\Microsoft\Exchange Server\v14\Bin” and run:

setup.com /mode:uninstall
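Before running the uninstaller it is worth confirming that nothing from Steps 1, 2 and 4 has been left behind, because a stale SCP or organization relationship keeps pointing clients and the tenant at a server that is about to disappear. The following read-only check is an added example, not part of the original post; it assumes it is run in the on-premises Exchange Management Shell with the MSOnline module imported and Connect-MsolService already run (Step 2), uses the cmdlets the article uses, and assumes the DirectorySynchronizationEnabled property of Get-MsolCompanyInformation.

```powershell
function Test-HybridRemovalReadiness {
    $blockers = New-Object System.Collections.Generic.List[string]

    # Step 1A: per the article, "Remote" means public folders still need migrating
    $pf = (Get-OrganizationConfig).PublicFoldersEnabled
    if ("$pf" -eq 'Remote') {
        $blockers.Add('Step 1A: public folders have not been migrated to Exchange Online')
    }

    # Step 1C: a lingering SCP keeps domain-joined Outlook looking for the retired server
    foreach ($cas in Get-ClientAccessServer) {
        if ($cas.AutoDiscoverServiceInternalUri) {
            $blockers.Add("Step 1C: SCP still set on $($cas.Name): $($cas.AutoDiscoverServiceInternalUri)")
        }
    }

    # Step 1E: the organization relationship created by the Hybrid Configuration Wizard should be gone
    $rels = @(Get-OrganizationRelationship -ErrorAction SilentlyContinue)
    if ($rels.Count -gt 0) {
        $names = ($rels | ForEach-Object { $_.Name }) -join ', '
        $blockers.Add("Step 1E: organization relationship still present: $names")
    }

    # Step 2: the tenant must report directory synchronization as disabled
    if (Get-Command Get-MsolCompanyInformation -ErrorAction SilentlyContinue) {
        if ((Get-MsolCompanyInformation).DirectorySynchronizationEnabled) {
            $blockers.Add('Step 2: Directory Synchronization is still enabled in the tenant')
        }
    } else {
        $blockers.Add('Step 2: MSOnline module not loaded; run Import-Module MSOnline and Connect-MsolService, then re-check')
    }

    # Step 4: the objects the article removes before the uninstaller is run
    $leftovers = @{
        'send connector'         = @(Get-SendConnector -ErrorAction SilentlyContinue)
        'offline address book'   = @(Get-OfflineAddressBook -ErrorAction SilentlyContinue)
        'public folder database' = @(Get-PublicFolderDatabase -ErrorAction SilentlyContinue)
        'arbitration mailbox'    = @(Get-Mailbox -Arbitration -ErrorAction SilentlyContinue)
        'user mailbox'           = @(Get-Mailbox -ResultSize Unlimited -ErrorAction SilentlyContinue)
    }
    foreach ($kind in ($leftovers.Keys | Sort-Object)) {
        $count = $leftovers[$kind].Count
        if ($count -gt 0) {
            $blockers.Add("Step 4: $count $kind object(s) still exist on-premises")
        }
    }

    if ($blockers.Count -eq 0) {
        Write-Host 'READY: no hybrid or on-premises Exchange dependencies found'
    } else {
        $blockers | ForEach-Object { Write-Warning $_ }
    }
    return $blockers.ToArray()
}

Test-HybridRemovalReadiness
```

An empty result means the environment matches the state the article expects before setup.com /mode:uninstall; each returned string names the step whose cleanup is still outstanding.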

Step 5. Add the Windows Server Essentials Experience Role

When 2012 R2 and the Essentials Experience role first came on the scene, the Online Services integration was only supported in a single-domain-controller environment, with the Essentials Experience role installed on that domain controller. This limitation has since been lifted. Now you can enable the Online Services integration on member servers as well, and in environments with multiple domain controllers.

The quickest way to enable this role on a server is using PowerShell:

Add-WindowsFeature ServerEssentialsRole

After the installation is complete, you can find a link to configure the role in Server Manager. The role can be configured on a member server or on a domain controller (if enabled on a DC).

Step 6. Enable Online Services Integration

From the Windows Server Essentials Dashboard go to Home > Get Started > Services. The wizard-driven experience is very simple–you will just need to input admin credentials for managing your Azure AD / Office 365 tenant. If you enable the Office 365 integration, then the Azure Active Directory integration will also be enabled. You must restart the server before password sync can take effect.

Step 7. Assign Microsoft cloud accounts

By default, all of your user accounts will be listed in the Essentials Dashboard; however, they will not yet be associated with their corresponding Microsoft Online identities. Therefore, you will need to assign Microsoft Cloud accounts from the Windows Server Essentials Dashboard (one at a time, unfortunately).

From Users, click each user, then click Assign a Microsoft Cloud Account. Simply choose the option to Assign an existing Microsoft Cloud Services account to this user account. Note: users will be required to reset their passwords on next login, which will trigger a sync of the new password to the cloud.

Conclusion

Now you have an easy method for managing on-premises and cloud accounts simultaneously, and for achieving password synchronization. Open a user account in the Windows Server Essentials Dashboard and find the Microsoft Cloud tab, which is available for making common edits such as adding alias addresses.

When you make changes to user accounts through the Essentials Dashboard, they are also written into the Office 365 tenant using a background service–right at the time you modify them. So there is no waiting for a sync to occur or manually forcing a sync with PowerShell, either–these mechanisms do not exist in the Essentials Experience.

You can read more about the differences between Directory Synchronization and the Essentials integration here.

Comments (91)

  • Ilia Reply

    If I’m going to use the “Windows Server Essentials Experience Role” method then when a user will change password on his machine will it be replicated to 365 ?
    I mean I understand that if an admin will change password for a user or make any other changes using Windows Server Essentials Dashboard the change will be made in both places, but when the password will be changed by the end user ..?

    August 17, 2016 at 11:05 am
    • Alexander Reply

      This is a good question, and the answer is yes, it does sync this password change to the cloud when it is a user-initiated change. There is a group policy attached to the domain when this integration is enabled, and there is a script that runs based on this policy to sweep these changes up. I have another article on the differences between these two solutions.

      August 18, 2016 at 4:18 pm
  • Phil Gregory Reply

    This was a great help to me many thanks.

    Was stuck after reading that I had to keep the last Exchange server because of hybrid. Not really viable for a small business.

    Hard to find this kind of info on the web.

    August 30, 2016 at 3:49 am
    • Alexander Reply

      It’s my pleasure to be of help, thanks for the comment!

      September 3, 2016 at 3:47 pm
  • Phil Williams Reply

    This is great! Been searching for days and days!

    One question, if I wanted to follow this but retain ADFS function, do you know if there any additional steps of things I need to look out for ?

    As it stands I have Azure AD connect running with ADFS all working and exchange in hybrid.

    I want to end with no local exchange as you say here but to retain the ADFS functionality for our on-prem MS CRM

    Thanks

    September 29, 2016 at 4:34 pm
    • Alexander Reply

      Ah yes, the unfortunate thing about hybrid is that it is not easy to retire it while keeping Azure AD Connect in place. MS support, so far, has explicitly said that Azure AD Connect must also be removed in these instances. There are other third party federated service providers out there, but I don’t have much experience with them. Your other option is to upgrade the hybrid exchange server to 2016 (you can get a free license with a qualifying “E” plan), and retire the 2010 server afterward. It can be installed on any management server, and it is technically even supported for this role to live on a Domain Controller (though not necessarily recommended). I have several clients doing this as they need to keep the management interface around, even though it is hardly used, since they intend to remain on Azure AD Connect–for AD FS or otherwise.

      September 29, 2016 at 4:56 pm
      • Phil Williams Reply

        Thanks,

        Would I be installing a full ‘mailbox’ EX2016 or is there some ‘cloud only’ option that will give the manageability only?

        Seems like MS suffered from a lack of conviction here... it should be their goal to have you on AD + ADFS + Exchange Online, I would have thought!

        September 29, 2016 at 6:55 pm
        • Alexander Reply

          Agreed, and yes, it is the full mailbox role. You can attain a free hybrid license for 2013 or 2016 at http://aka.ms/hybridkey

          September 29, 2016 at 8:12 pm
      • Nils Reply

        In my experience: Always use AD Connect as synchronization tool.
        I worked with some third party sync providers, but they (probably not all) simply use PowerShell scripts to create new users/groups etc., mostly causing a lot of pain in missing mandatory attributes and lots of troubleshooting sessions.
        Also many consulting hours for the third party for changing the tool to have it all working. And for new features like syncing Windows 10 clients (workplace join) etc. to Azure it is again another big bill for customizing, where AD Connect is free.

        Use AD Connect at least for synchronizing. Sometimes for authentication the third party tool can have additional (mostly for internal legacy apps) features in comparison with ADFS.

        October 10, 2016 at 5:07 am
        • Alexander Reply

          Agreed, Azure AD Connect is usually the way to go. The issue is that many people don’t want to maintain an on-premises Exchange server for management, which is technically required for Exchange Online if you’re doing directory synchronization. Adding the Essentials experience console to an existing server is one way around that, and it isn’t a third party (but yes, it just uses PowerShell in the background to make modifications on-prem and in the cloud simultaneously). This is the best “supported” way I know of to get there, if the requirement is to get rid of your last legacy Exchange server, but still retain password sync.

          October 20, 2016 at 8:16 pm
  • Matt Pauly Reply

    Nice work Mr. Fields, good to see you’re still out there “delivering Awesome”. I’ll be implementing this solution in a customer environment soon!

    December 2, 2016 at 6:05 pm
    • Alexander Reply

      Hey, look who it is, good to hear from you, sir!

      December 6, 2016 at 11:12 am
  • John Tsang Reply

    Hi Alexander,

    Many thanks for this write up. It is a life saver.
    I do have a question though. Which server do you install the Essentials integration role on?
    Can it be any domain member?

    Thanks,
    John

    February 10, 2017 at 4:54 am
    • Alexander Reply

      Yes–member server or Domain Controller, either is supported.

      February 10, 2017 at 10:11 am
  • John T Reply

    Hi Alexander,

    You mentioned in step 2 that you need to disable “Directory Synchronization” in Azure AD Directory integration. If this wasn’t set up to start with, what are the steps to disable directory sync with AD Connect?

    Thanks,
    John

    February 13, 2017 at 5:51 am
    • Alexander Reply

      Hi John! If you have a hybrid Exchange environment with Office 365, then a pre-requisite of that is Directory Synchronization, e.g. Azure AD Connect. If you do not have a hybrid environment, then this article would not apply to your situation. If you do however, then you must already have the Azure AD Connect (or, formerly DirSync) utility installed somewhere in your environment. In the admin portal, you can go to Health > Directory Sync status to see whether it is enabled, and, you can deduce which server in your environment is responsible for the function, because it will be embedded in the name of the “Directory Sync Service account” attribute on this page. You would uninstall the utility, as described here, and turn off Directory Sync from Azure AD admin portal, under Admin Centers. Go to the directory and find the tab for “Directory Integration.”

      February 13, 2017 at 11:05 am
      • John T Reply

        Hi Alexander,

        We do use the Azure AD Connect utility, but what I wasn’t sure of is the Admin Portal Directory Sync, as when I go to Azure AD, it prompts me to set one up as though one hasn’t been set up before.

        I can see all the sync happening from Azure AD Connect utility on the Office Admin center and in the Azure portal but I have no option in the Azure AD admin portal to turn off Directory Sync.

        Thanks,
        John

        February 14, 2017 at 2:42 am
        • Alexander Reply

          Hm, interesting. I’d say you’re probably good to go then. You could check this status in PowerShell too, just to be safe. Here is a link that describes how to disable it using PoSH. Set-MsolDirSyncEnabled -EnableDirSync $false

          February 14, 2017 at 10:20 am
          • John T

            Thanks Alexander. I did see this too and seems to be the only way to disable Directory Sync without access to the GUI.

            Used this to get the information too:
            Get-MsolCompanyInformation

            Kind regards,
            John

            February 15, 2017 at 7:07 am
  • Ruurd Reply

    Great article! But, assign the users one at a time? Are we not lazy?

    Quick ‘n dirty Powershell, just the way I like it:

    Import-Module ActiveDirectory
    # Cloud accounts that are not yet linked to a local user
    $o365users = Get-WssMsoUser
    foreach ($user in ($o365users | Where-Object { !$_.LocalUserName })) {
        # Assume the local account name matches the part of the UPN before the @
        $alias = ($user.UserPrincipalName -split "@")[0]
        # -Filter returns nothing (no error) when there is no matching local user
        if (Get-ADUser -Filter "SamAccountName -eq '$alias'") {
            Set-O365AssignedUser -LocalAccountName $alias -O365AccountUPN $user.UserPrincipalName
        }
    }

    If your local user’s alias is the same as the Office 365 UPN before the @ sign, this will assign most users. Just glance over the userlist afterwards to add any users the script missed.

    YMMV!

    February 17, 2017 at 4:12 pm
    • Alexander Reply

      Sweet. Thank you for that contribution!

      February 17, 2017 at 4:16 pm
  • John T Reply

    Hey Alexander,

    When trying to enable O365 integration, I get an error when configuring the server saying “PcnsCfg has stopped working”.
    Seems to be some sort of APPCRASH, just wondering if you have seen this issue before?

    Thanks,
    John

    February 20, 2017 at 6:59 am
    • John T Reply

      Found out what the issue was. There is an issue on Windows Server 2012 R2 with how the Password Change Notification Service is configured. Microsoft have released a good copy of the PCNS folder in “C:\Program Files\Windows Server\Bin”.
      If you get the error in this file “C:\ProgramData\Microsoft\Windows Server\Logs\OIMGettingStartedWizard.log”: “Microsoft.WindowsServerSolutions.O365Integration.O365ConfigureException: Failed to activate password sync”
      You will need to download this copy: https://onedrive.live.com/redir?resid=6E84C374A8A088DD!21292&authkey=!AHNUTF3D-yIDNCw&ithint=file%2czip

      Once downloaded you need to prefix the existing PCNS folder with “old_” (do not delete it), copy the PCNS.zip to this folder and extract into a new PCNS folder and re-run the O365 integration within the dashboard. IMPORTANT: you must use the first account used to setup O365 as the account to setup the integration. Any other Global administrators will not work.

      February 21, 2017 at 8:20 am
    • Alexander Reply

      Hi John, it has been a while since I’ve run into this issue, as it was corrected in an update a while back, see here for more details. However, you are not the first person in the past couple of weeks to report this to me… so now I’m wondering if it has been broken once again by some other recent update… We will keep our eyes out and see. Luckily, the fix you describe is still working.

      February 21, 2017 at 10:21 am
  • Alain Arnold Reply

    Hi Alexander

    Thanks for this amazing post. But I still have a question. When I activate this integration and connect the users, is this tool going to sync their current passwords or only passwords set after this implementation?

    Regards,
    Alain

    March 14, 2017 at 6:24 pm
    • Alexander Reply

      This is a great question, Alain, and the answer is that the tool can only sync up passwords that are set after enabling it–it will not sync already-set passwords. The tool will write the password into Azure AD at the time the password is set on the local AD.

      March 15, 2017 at 12:54 pm
  • Skinny Reply

    I thought Essentials was limited to 25 Users or less? So what do you do if you have 25 Users plus and want to get rid of Hybrid and maintain password sync?

    Thanks

    April 24, 2017 at 1:05 am
    • Alexander Reply

      Actually the Essentials license does include 25 user CALs by default. Of course it is possible to buy additional CALs. But it is also possible to enable the Essentials Experience role on any Windows Server Standard server, and just have however many CALs you like. The Essentials Experience role, in Windows Server 2016, now supports up to 500 users!

      April 24, 2017 at 1:17 am
      • Jason S Reply

        Great article. A recent hybrid with a very old on prem 2010 and the idea of hanging on to it was disturbing to say the least.

        Essentials question: I have 180 users. So turning on Essentials on my 2012 R2 DC is not an option (due to 2012 limitations?)… I have to have a 2016 server?

        Thank you for your time and service to the community.

        September 20, 2018 at 12:04 pm
        • Alex Reply

          I’d probably opt for a new 2016 hybrid instead, with that many users.

          September 22, 2018 at 5:34 pm
  • Jens H Reply

    Hi Alexander, what a great article. Thanks! One question, we have set up dirsync to filter msExchMailboxGuid attribute. Will this be a problem if following your article? Thanks a lot, Jens

    May 3, 2017 at 1:49 pm
    • Alexander Reply

      The msExchMailboxGuid attribute is typically used in hybrid migrations. If you filter this attribute, then it would be possible to use a third-party migration tool instead of the native Microsoft Remote Move method. Reason being, the tools typically create a new mailbox in the cloud, and copy items from the on-prem mailbox into the cloud mailbox. However, the Microsoft native method would treat the cloud mailbox as the same mailbox you had on-premises, and truly migrate the mailbox (guid and all). That having been said, I believe you would not have issues following this article, since the goal of this procedure is simply to remove any trace of hybrid connectivity, decom Exchange, and be able to use this other method for password sync. Whether you had the guid attribute in place does not matter if you are going to be removing hybrid anyway.

      May 7, 2017 at 11:00 am
  • Dave W Reply

    From having the hybrid configuration before, the primary domain is domainexample.onmicrosoft.com and the email domain domainexample.com is federated. Is it safe to convert the federated domain back to standard after removing the hybrid configuration? The problem I am having is when creating a new mailbox from Office 365 or the Essentials Dashboard, the new mailbox can only be set up with a user name of [email protected].

    May 22, 2017 at 2:52 pm
    • Alexander Reply

      Once hybrid is eliminated there should no longer be a need for Exchange Federation. Also, your default domain should be set to the email domain (not the onmicrosoft one). Last, your on-premises accounts should have the UPN suffix set to the internet email address (not the @domainexample.local one). That way, you should be able to login to the domain or to the cloud resources using your email address.

      May 23, 2017 at 8:53 am
  • Jens H Reply

    Everything went well by following your article. Thanks again. One thing I cannot solve: in Essentials Dashboard -> Users -> Microsoft Online -> the correct mail addresses are shown using our external (primary) domain. But I cannot add new mail addresses; the field @domain.de only shows the onmicrosoft domain. Do you have any idea here? So it is also impossible to add new users. I have already followed many articles on this.

    June 28, 2017 at 11:30 pm
    • Alexander Reply

      In Active Directory Domains and Trusts, right-click on the root of the MMC console tree at the top left, and be sure to add the UPN suffix for your external domain name.

      June 29, 2017 at 8:42 am
      • Jens Hagel Reply

        Hi Alexander, thanks for the quick reply. The address was already in the list. Any other idea?

        June 29, 2017 at 10:35 am
        • Alexander Reply

          Hard to say–maybe I don’t understand the issue well enough from your description. You can also email me via the contact form. But, with the UPN suffix present, you should be able to see that as an option, either via the Dashboard, or via the ADUC console. In the cloud, the accounts will likewise have both suffixes available, provided you have verified the external domain already (so that it is an “accepted” domain in EAC–that process usually involves creating a TXT record in DNS). Can you create the account on-prem in ADUC with this suffix, then use the Dashboard to assign a cloud mailbox? What if you create it in Office 365 first? Are you then able to get the corresponding on-prem account made? I’m not clear on what isn’t working, but as I said you can email me as well–use the Contact page.

          June 29, 2017 at 2:08 pm
  • carls Reply

    Reading the post about the CALs, does that mean if you want to use this method and you have more than 25 users, you either have to buy CALs or upgrade to Windows Server 2016? We have Server 2012 only at this time.

    August 10, 2017 at 11:33 am
    • Alexander Reply

      Essentials is unique in that the server license includes, not CALs, but the rights to use it with up to 25 users. However it is also possible to use Windows Server Standard and CALs instead of Essentials Server. It is more expensive, this is true, but using the Essentials Experience (a role you can install in Server Standard editions) allows you to scale up to 75 users with Server 2012, 100 users with 2012 R2 and 500 users with 2016. Here is an old TechNet blog from the 2012 days on this topic.

      August 10, 2017 at 7:18 pm
  • rob Reply

    I’m in the process of my first remote move “Express” migration. I am reading ahead about removing the on-prem Exchange. The connectors and organizational relationships are not present in the O365 tenant account in my case. I did not think I had to create these manually, and the hybrid configuration wizard would have done this, if it was necessary. Is this expected because I choose the minimal hybrid “Express” option? Can I safely skip over those steps in this guide?

    August 12, 2017 at 12:15 pm
    • Alex Reply

      Yes, the minimal hybrid configuration makes fewer changes, it is okay.

      August 13, 2017 at 8:03 pm
  • Rob C Reply

    Hey all,

    For anyone out there who may be in a situation where they can’t use the server essential role, but still need to keep AD Connect in place, unsupported of course. A colleague of mine came up with a handy way of exporting all the proxy SMTP address attributes from AD and then re-importing them via powershell after Exchange is gone.

    http://www.bwya77.com/knowledge-base/export-users-proxyaddresses-attribute-csv-re-import-proxyaddresses-information/

    Thanks to Alex for all his feedback and articles he creates for the community!

    August 24, 2017 at 10:01 am
  • Scott Nowacki Reply

    Hi Alex,

    I’m trying to roll out the Essentials Experience on a client site but the dashboard keeps telling me to reboot two of their domain controllers. Even after I’ve rebooted them several times and turned off the AD and 365 Integration and turned it on again. The Essentials Experience role is installed on a 2012 R2 DC but the other DCs are 2008 and 2003. Is it just not going to work with the domain set to 2003 level and these old domain controllers?

    Thanks,
    Scott

    December 10, 2017 at 3:53 am
    • Alex Reply

      Hm, why would you want to keep the other two DC’s around? Especially that 2003 one?! Yikes! Get rid of that beast, man! I’d focus on moving forward. Migrate off the legacy stuff.

      December 10, 2017 at 12:17 pm
  • Martin Curtsen Reply

    Some of the shown steps are no longer available in 365,
    for example deactivating dirsync. I know it can be done in PowerShell, but is it safe to do?

    I heard from a Microsoft employee that if I do this the 365 accounts will get a wrong stamp and will no longer work. Is this correct?

    I’m in the process of migrating from SBS 2011 to Office 365.

    January 26, 2018 at 5:20 am
    • Alex Reply

      If you deactivate Directory Synchronization first using POSH, then you have nothing to worry about.

      February 11, 2018 at 7:09 pm
  • Vennila Rajes Reply

    Hi Alex,
    This is a great article.
    We have Hybrid Configuration for our AD and for Exchange. And we want to get rid of our on-premises Exchange since we have migrated all our mailboxes to Office 365. I understand that we cannot decommission our on-premises Exchange 2010 server until we have Directory Synchronization enabled in Azure AD. In this scenario, can I just follow your Steps 1 to 4 and skip Steps 5 to 7? And is there a possibility to get rid of our on-premises AD server (Domain Controller) as well?

    Thanks & Regards,
    Vennila

    April 2, 2018 at 1:13 pm
    • Alex Reply

      Right, you have to disable DirSync if you’re going to remove Exchange–steps 1-4 will get you there. As for the on-prem AD server–if you have a means of replacing your security boundary and identity management for those devices, then yes. But if you don’t have something that will replace the ability to centrally manage user accounts, device policy, etc., then I’d hold off. Check out Microsoft 365 Business subscription as an alternative to on-premises AD join (you can join devices to Azure AD and gain some policy/control over them, as well as the ability to remote wipe). This subscription requires Fall Creator’s update for Windows 10 Pro.

      April 5, 2018 at 10:43 am
      • Vennila Rajes Reply

        Thanks very much Alex for your reply with suggestions/directions.

        We will have to retain our On-premise AD server for now since we have our PCs joined to the on-premise Domain and we have VPN server for enabling remote login to our PCs, file servers that are connected to on-premise domain.

        In this scenario, I believe we need to perform steps 5 to 7 as well. I read your article on differences between Windows Server Essentials and AAD Connect – https://www.itpromentor.com/essentials-vs-aadconnect/ – so, from the Essentials dashboard, I believe I will be able to manage the AD user accounts and the email aliases for Office 365.

        April 5, 2018 at 1:42 pm
  • Michael Daven Reply

    Hi Alex,

    Awesome article.
    I’ve just finished migrating approx. 250 mailboxes from SBS2011 with Ex2010. And I’m looking to remove the hybrid component as I want to free up Port 443 for my RD Gateway.
    I didn’t quite understand that other comment around the CALs for Essentials.
    We are still wanting to keep password sync for our AD accounts.
    Our technical team has some doubts about removing Exchange from SBS. Is it possible to do the above steps without uninstalling exchange?
    Because I have 250 users will I need more CALs?
    We only have the single SBS DC onsite and will eventually decommission it with a new DC being built.

    Regards

    Michael Daven

    April 8, 2018 at 11:12 pm
    • Alex Reply

      It is possible to remove Exchange from SBS, and it is regularly done during decom or migration projects, whether moving to 365 or another Exchange server on-premises. If you remove DirSync and other dependencies for hybrid in advance, then removing Exchange should have no adverse effect, assuming you 100% rely on the 365 cloud for email services. Since you have Windows Server Standard licensing, presumably (or Datacenter), you need one CAL for every user in the org. The Essentials license is only meant for small businesses with 25 users or less. You can install the Essentials features on any Standard or Datacenter server, but it is still subject to the requirement for CALs–activating the role isn’t like the Essentials SKU, which includes 25 CALs. For that number of users, you require Standard or Datacenter + CALs.

      April 9, 2018 at 7:04 pm
  • Martijn Reply

    Thanks for this excellent article. Helped me a lot.

    May 3, 2018 at 9:41 am
  • Dushan Meersseman Reply

    Hi Alex,

    First of all, thanks for the great tip. We have a few customers with a hybrid Exchange and really wanted to decommission the old Exchange server without losing the AD attributes and password sync. Up to now we would remove the connectors so there is no more communication between the onsite and the Office 365 tenant. If we then just shut down the Exchange without properly uninstalling the Exchange roles, then the AD Sync keeps working fine and allowing updates as before. But of course we realise this isn’t the most elegant solution.
    We have set up a test environment and as far as the setup went everything went very smoothly.
    But still we ran into a few issues.
    One of the first is that apparently multi-factor authentication can’t be used for the admin account used in the Server Essentials Experience, which is surprising considering the current GDPR laws. This also implies a lower Office 365 Secure Score. Then we wanted to use a 50-character auto-generated password, but 16 characters is the limit.
    Second is the fact that we can only sync distribution groups and not security groups. When creating users in AD we add them to the requested security groups. Each group has access to certain mailboxes and thus its members can access those mailboxes.

    Any ideas?
    Kind regards,
    Dushan

    May 15, 2018 at 9:39 am
    • Alex Reply

      It should sync mail-enabled security groups (universal). Convert to universal then mail-enable them.

      May 18, 2018 at 1:58 pm
  • Sven Goudkuil Reply

    Many people don’t get the message to change their password

    June 1, 2018 at 4:33 am
  • CraigB Reply

    So how do you enable editing aliases and such when using SBS2011? The instructions at the end for Online Integration don’t work for SBS2011 leaving you with no ability to make such changes. Are there any alternatives?

    August 15, 2018 at 9:01 pm
    • Alex Reply

      Why would you keep SBS 2011 in place with Office 365? Insert a newer version of Windows Server, and use Azure AD Connect–that’s what I recommend for most customers now, assuming they need to keep on-premises servers around for other apps, etc. The Essentials integration has been flaky lately, anyway.

      August 15, 2018 at 9:45 pm
      • CraigB Reply

        Because the client won’t talk about that yet. They pay on time and buy what we recommend, but do it on their timetable. They had a bad experience with an IT company and they needed to get email and servers upgraded, but you have to take baby steps, and email was the biggest issue. They also work with time-restricted engineering contracts, so every transition or upgrade has to be precisely timed with minimal downtime or they get fined. So, until they are ready to talk about the next round of transitions, that’s the way it is.

        August 15, 2018 at 11:55 pm
        • CraigB Reply

          Found a solution to this issue at https://cbudde.com/microsoft/office365/add-or-remove-e-mail-aliases-in-on-premises-active-directory-office-365/ for those who have my particular issue.

          August 16, 2018 at 8:18 pm
        • Alex Reply

          Note that Azure AD Connect is not supported officially with SBS server. So you can run it that way, but just know that if you get into a tight predicament in the future with that setup, Microsoft may not be able to help you out of it. If the company you are working with doesn’t like having/spending $ on on-premises server infrastructure, then it may be possible to get them off of it entirely, depending. The big limiting factor there tends to be LOB apps–if they have some they are married to ones which require an on-prem server, then they are stuck. But for basic document sharing, intranet, communication platform, etc.–then 365 probably would be adequate now–especially since we can now join and manage devices directly to Azure AD.

          August 16, 2018 at 9:23 pm
          • CraigB

            Unfortunately in my experience Microsoft tends to create a lot of unsupported configuration scenarios. It can make your day interesting while also testing your sanity. Back in the BPOS days and even Office 365 Microsoft didn’t even officially support SBS to Office 365 migrations.

            At this point, the client’s SBS server has been trimmed down to be essentially a standalone AD, DNS, and File Server so risk of potential issues is greatly diminished. They do have a roadmap to go to traditional servers next year so eventually the mess will be cleaned up and better formalized.

            As for going full cloud, we had a conversation with Microsoft just two months ago and they said it is not supported at this time. They said Azure AD is not AD. It is AD only for cloud apps integrated with Office 365. You can join Windows 10 machines but management is limited. We verified with a partner company that deals with global multi-million dollar contracts and they said the only way to do it would be to place a Windows Server on Azure and do a site-to-site VPN. They said they had done it and recommended not to.

            Of course if you could go full cloud with business apps in the cloud that would be fine. In this case it is unlikely the company that makes the engineering software would ever transition their software to run on Azure with integration into Office 365 but who knows. The real challenge would be dealing with the file sizes that often near or exceed 1GB.

            For now, they work locally only, directly through local files the old-fashioned way, and so we are sorting through a roadmap to get them modernized as much as possible, as quickly as possible, with as little downtime as possible, without losing the trust we have built working against their bad experiences. For this client, who had been price gouged and still had their network crippled, having a new MSP come in and immediately push to modernize their routers, switches, backup, email, and replace all their servers would feel like a play for more gouging. Granted, they actually need all of that, but we must tread carefully with a client who has had such bad experiences.

            August 16, 2018 at 11:11 pm
          • Alex

            I am familiar with this situation. But note: I have verified with other partners around the world successful implementations of Microsoft 365 Business as a “fully cloud hosted” solution, and it is not only supported but recommended by Microsoft to join your Windows 10 Pro devices to Azure AD, which gets you the upgrade to Windows 10 Business edition. It is true that it does not have “everything” like Group Policy, but it has the most important policies, and even ability to remotely wipe the device (or just corporate data), which you do not have with traditional server.
            Check this out – Jack’s Diving in Hawaii uses M365 Business
            And this, getting started with Microsoft 365
            And this, setting up devices for Microsoft 365 Business

            August 18, 2018 at 2:35 pm
  • Brian Repinski Reply

    I have a single 2008R2 running Exchange 2010 and the sucker is dying (older hardware starting to fail). I need to have some Remote Desktop and VPN clients, so I was thinking of upgrading to Windows Standard 2016. Will your guide work?

    October 10, 2018 at 7:33 pm
    • Alex Reply

      Don’t see why not. Good luck!

      October 11, 2018 at 10:18 pm
  • Bryan Reply

    I’ve tried almost everything I can think of to configure the Windows Essentials role on a member server or secondary DC and it fails the configuration steps every time via GUI or powershell stating only to retry. The 7000 or 7041 system log errors referenced in most solutions online don’t exist, but in the Essentials-Server specific log I get:
    Unexpected error occured: System.Management.Automation.CmdletInvocationException: Value cannot be null.
    Via powershell I get:
    Start-WssConfigurationService : Value cannot be null.
    Parameter name: container
    At line:1 char:1

    Originally the Managed Service Accounts OU in our AD structure was missing, but I was able to recreate it properly with ADSI edits and adprep /domainprep. However, the service account(s) mentioned for Windows Essentials Experience, ServerAdmin$ and MediaAdmin$, are not created even when removing and re-adding the role. I created ServerAdmin$ manually (added to needed groups) and in both the Default Domain Policy and Default Domain Controllers Policy allowed it to log on as a service, but still no luck.

    We have almost 90 users and are in the middle of an O365 migration. I don’t want any form of Exchange still in the environment when it’s done, but need to sync passwords in a supported way, so this is my only method and I’m basically out of ideas for the Essentials Experience configuration.

    November 1, 2018 at 3:56 pm
    • Alex Reply

      Yeah, I hear you. There have been enough quirky things with the Essentials integration with 365 that I have just stopped recommending it altogether. In fact, they don’t even support it in the Windows Server 2019 edition of Essentials (the LAST edition of WSE). However, they do support the use of Azure AD Connect on WSE right now. If you decide to use Azure AD Connect, as I now recommend for all my customers, just know that it is okay to install an Exchange instance simply for the management UI, even on a domain controller. It does not need any external access like 443, 25, etc. open from the outside; it is literally just a management interface. Also, know that a lot of people choose to run it “unsupported” without Exchange on-premises. I don’t necessarily recommend it, but it is very commonplace practice out there in the wild. I am not certain if MS is going to have another solution for us anytime soon though…

      November 4, 2018 at 6:45 pm
  • Jaspreet Singh Reply

    Hi Alex,
    I have migrated our Exchange 2010 running on a SBS2011 box to Office 365 and am using Azure AD Connect with ADSI to make changes. I am getting ready to decommission the Exchange on SBS. I got 2 Server 2016 Standard boxes, out of which I will make 1 the DC/DHCP/DNS and the other a print server. I got CALs for the DC. If I install the Essentials role on the DC, does that mean it will behave like an SBS server? I mean, can I not install the Essentials role and continue using Azure AD Connect with ADSI to manage the users? Sorry, but my knowledge of the Essentials role is limited. Also, I am worried that if I enable the Essentials role on the new DC, it will trigger the 21-day timer on SBS2011. Can you please advise? THANKS ALEX!

    December 7, 2018 at 1:45 pm
    • Alex Reply

      I should add a note to this post–MS is taking a step away from Essentials, and I would not recommend using the Essentials integration w/ 365. If you will have two 2016 standard role servers, I would add hybrid Exchange to one of them for management purposes, and continue to use Azure AD Connect in conjunction with that.

      December 7, 2018 at 3:50 pm
      • Jaspreet Singh Reply

        Thanks for the quick reply. We actually want to have emails only in Office 365. The only reason it’s Hybrid right now is because I used a Hybrid migration. Honestly, I don’t want to have an on-prem Exchange. Is there a way I can use only Azure AD Connect? Will that change the way I will decommission Exchange on SBS2011, since going by this guide I need Essentials if I have a Hybrid Exchange?

        December 7, 2018 at 4:17 pm
        • Alex Reply

          MS does not officially support using Exchange Online with Azure AD Connect without an on-premises Exchange server. So to keep Azure AD Connect your best bet is to install a “hybrid only” Exchange server, which is free with any qualifying Enterprise plan.

          December 9, 2018 at 5:21 pm
  • Pal Reply

    Sir, you are my hero – thank you for this, worked brilliantly.
    Finally got to drop out SBS completely (removed AD function too).

    March 17, 2019 at 12:38 pm
  • Alex Reply

    Great how-to, Alex!

    We have a hybrid setup, but without local Exchange stuff, this is all in the cloud. But we have two domain controllers and two federation proxies for our ADFS setup.
    Maintenance costs too much work, we want to get rid of this.

    So it looks like with your approach I can disable the DirSync, add the ServerEssentialsRole to some other Windows server, and easily manage the AD users with both that and in the O365 admin interface? And the Windows server is just for convenience, to make editing AD properties more easy? Because once I disable the DirSync, I can edit the properties in the AAD portal as well?

    Sorry if these are stupid questions – the more I read about this the more confused I get :)

    September 12, 2019 at 10:16 am
    • Alex Reply

      I don’t recommend this tool anymore. Deprecated. Azure AD Connect if you want identities to be in sync. You should get off AD FS. Check out either PHS or PTA.

      September 12, 2019 at 12:08 pm
  • Alex Reply

    Thanks for the prompt reply! Hey, how about an update that this is not so relevant any more? :)

    Looking into this now, especially PTA. And into your other articles. Highly interesting, I must say! We really need device management…

    September 30, 2019 at 6:52 am
  • Oliver Reply

    I am planning to migrate all users from an on-premises Exchange server to Office 365, but have not established AAD Connect synchronization or Exchange hybrid mode yet.

    Can I use this tool (Windows Server Essentials Experience Role) starting from the beginning of the migration, so I don’t even need to install AAD Connect?

    November 1, 2019 at 1:30 pm
    • Alex Reply

      I would not use that tool, no. It doesn’t enable true hybrid. If you don’t want to go the AAD Connect route, you can consider a third party like BitTitan to migrate mail, and just leave everything cloud-only with no hybrid back to on-prem. That may even be preferred for many SMBs.

      November 1, 2019 at 5:11 pm
  • Steve Dimestico Reply

    Hello again Alex, thanks as always for your valuable information. I know this topic has been brought up a few times but still seems to be a problem. I completed a migration of Exchange on SBS 2011 to Office 365 using the minimal Hybrid configuration wizard. The mailboxes have all been moved. I removed the directory sync using your powershell command and removed AD Connect. I still have the same issue however when I try to use the Windows Server 2012 R2 Essential role to integrate with Office 365. The error when I try to integrate is “There is an issue configuring the integration” Make sure that the computer is connected to the Internet. I know a lot of people have had the same message and I have looked at the possible resolutions including the PCNS reconfig but nothing seems to work. Any further information that you can add.

    Thanks

    December 4, 2019 at 4:58 pm
    • Alex Reply

      Yeah, this has been so flaky and so widely experienced that I don’t even recommend it anymore. Cloud only is an option, or you’re back to AAD Connect for the best password sync experience.

      December 4, 2019 at 5:00 pm
  • Bendler Reply

    Wonderful workflow, thanks for this.
    One little caveat: in step 4, after running the PS scriptlets. If everything went okay, EXIT the shell, STOP all Exchange services, open a standard PS admin shell and proceed. Otherwise, you won’t get your uninstall running without errors; some services/connections will remain open.

    Cheers and thanks!

    March 7, 2020 at 11:02 am
    • Alex Reply

      I have not had to do that, but in case it helps others, great tip!

      March 7, 2020 at 5:03 pm
  • Quentin Capron Reply

    Hello, thanks for your article.
    I can’t remove or disable my Arbitration Mailbox on my Exchange 2019 (Hybrid Configuration with O365).
    When I type: Disable-Mailbox "SystemMailbox{xxxx}" -Arbitration -DisableArbitrationMailboxAllowed I have this error: impossible to deactivate arbitration mailbox, because it’s being used for the approval workflow for existing recipients that have either membership restrictions or moderation enabled

    It’s the last mailbox on my on-premise Exchange 2019, so I can’t safely remove the Exchange for now.
    Do you have an idea?
    Thank you very much

    May 14, 2020 at 5:08 am
    • Alex Reply

      Sorry, I do not.

      May 15, 2020 at 5:10 pm
      • Quentin Capron Reply

        Found the solution by deleting the active directory object with the name of the arbitration mailbox. After that I could safely delete database and uninstall exchange

        May 16, 2020 at 6:10 am
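The error quoted above names the thing that blocks the removal: recipients that still have moderation or membership approval turned on. Listing those before deleting anything is the check a practitioner would want, so here is an added example (not code from the original post or either commenter) that enumerates and, after confirmation, clears them from the Exchange Management Shell. It assumes only that the on-premises server is the one still hosting the arbitration mailbox; the filter on MemberJoinRestriction = ApprovalRequired is my reading of "membership restrictions" in that message:

```powershell
# Added example (not from the original post): before deleting the last arbitration
# mailbox, list the on-premises recipients that still point at it, i.e. distribution
# groups with moderation or approval-required join restrictions and moderated mailboxes.
# Run from the Exchange Management Shell; nothing is hard-coded to a particular org.

function Get-ArbitrationDependents {
    # Groups whose moderation / membership approval workflow uses an arbitration mailbox.
    $groups = Get-DistributionGroup -ResultSize Unlimited `
        -Filter "ModerationEnabled -eq `$true -or MemberJoinRestriction -eq 'ApprovalRequired'" |
        Select-Object Name, ModerationEnabled, MemberJoinRestriction, ArbitrationMailbox

    # Mailboxes with moderation enabled also rely on the approval workflow.
    $mailboxes = Get-Mailbox -ResultSize Unlimited -Filter "ModerationEnabled -eq `$true" |
        Select-Object Name, ModerationEnabled, ArbitrationMailbox

    [PSCustomObject]@{
        Groups    = @($groups)
        Mailboxes = @($mailboxes)
    }
}

function Clear-ArbitrationDependents {
    # Turns off the settings that tie each recipient to the arbitration mailbox.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    $dep = Get-ArbitrationDependents
    foreach ($g in $dep.Groups) {
        if ($PSCmdlet.ShouldProcess($g.Name, "Turn off moderation and approval-required join")) {
            Set-DistributionGroup -Identity $g.Name -ModerationEnabled $false -MemberJoinRestriction Closed
        }
    }
    foreach ($m in $dep.Mailboxes) {
        if ($PSCmdlet.ShouldProcess($m.Name, "Turn off moderation")) {
            Set-Mailbox -Identity $m.Name -ModerationEnabled $false
        }
    }
}

# Show the arbitration mailboxes and what still depends on them, then clear after confirming.
Get-Mailbox -Arbitration | Format-Table Name, Database
Get-ArbitrationDependents | Format-List
Clear-ArbitrationDependents
```

Record the groups the first call returns before clearing anything: while directory synchronization is still running, the on-premises change flows to the cloud objects too, so any moderation you want to keep has to be re-applied on the Exchange Online side afterwards.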
  • Jason Reply

    Great content – thanks

    Having an issue with an existing setup that was jacked before my time.
    Used to be SBS, but appears to have been successfully removed, aside from some AD OUs still residing.
    Hybrid Exchange/365, however, the hybrid was not properly removed. Exchange was uninstalled, but nothing else was done.
    Now users that were created prior to hybrid, cannot do things such as turn on online archives. Alias/proxy can be modified in AD, but ADSI edits don’t appear to be allowing online archive to be enabled – thoughts?

    August 6, 2020 at 7:42 am
    • Alex Reply

      Keep in mind that it is NOT supported to remove Exchange while Azure AD Connect is still in play. You must remove sync if you do not keep a hybrid Exchange server. Assuming you have the Exchange attributes/schema extensions installed, but no Exchange server, then you must modify these values in ADSI edit to enable an online archive:
      – msExchArchiveName = (give this any name like “Personal Archive – Username“)
      – msExchRemoteRecipientType = (change the value to 3)

      August 7, 2020 at 6:35 am
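The same two attribute changes done with the ActiveDirectory PowerShell module rather than ADSI Edit, as an added example (not code from the original post or its author). It assumes what the reply assumes: the Exchange schema extensions are present, no Exchange server remains, and sync has been removed. The account name and the schema check are mine; the attribute names and the value 3 are the ones given in the reply:

```powershell
# Added example (not from the original post): set the two attributes named in the reply
# with the ActiveDirectory module instead of clicking through ADSI Edit.
# Assumes the Exchange schema extensions exist but no Exchange server does, and
# that DirSync has been removed as the reply states. 'jdoe' below is a placeholder.
Import-Module ActiveDirectory

function Test-ExchangeSchemaAttribute {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    # Returns $true when the schema still carries the attribute (it should, even after Exchange is gone).
    $schema = (Get-ADRootDSE).SchemaNamingContext
    $null -ne (Get-ADObject -SearchBase $schema -Filter "lDAPDisplayName -eq '$LdapDisplayName'")
}

function Enable-OnlineArchiveAttributes {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$ArchiveName
    )

    foreach ($attr in 'msExchArchiveName', 'msExchRemoteRecipientType') {
        if (-not (Test-ExchangeSchemaAttribute $attr)) {
            throw "Schema attribute $attr not found; the Exchange schema extensions are missing."
        }
    }

    $user = Get-ADUser -Identity $SamAccountName -Properties msExchArchiveName, msExchRemoteRecipientType, DisplayName
    if (-not $ArchiveName) { $ArchiveName = "Personal Archive - $($user.DisplayName)" }

    Write-Verbose "Before: ArchiveName='$($user.msExchArchiveName)' RemoteRecipientType=$($user.msExchRemoteRecipientType)"

    if ($PSCmdlet.ShouldProcess($SamAccountName, "Set msExchArchiveName and msExchRemoteRecipientType=3")) {
        # -Replace overwrites the values; 3 is the value the reply gives for an archive-enabled remote mailbox.
        Set-ADUser -Identity $SamAccountName -Replace @{
            msExchArchiveName         = $ArchiveName
            msExchRemoteRecipientType = 3
        }
    }

    # Read back so the caller sees what actually landed in AD.
    Get-ADUser -Identity $SamAccountName -Properties msExchArchiveName, msExchRemoteRecipientType |
        Select-Object SamAccountName, msExchArchiveName, msExchRemoteRecipientType
}

# Usage (placeholder account name); add -WhatIf to preview without writing.
Enable-OnlineArchiveAttributes -SamAccountName 'jdoe' -Verbose
```

The schema check is there because this only works when the Exchange attributes still exist in the forest; if it throws, the environment is not the one the reply describes, and editing the user will not help.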
  • Robert Reply

    We’ll be moving from SBS 2011 to Windows Server 2019 (40 users) and moving Exchange to the cloud. With 2019 vs. earlier versions, are there any ‘gotchas’ to be aware of, or process differences I should be aware of? Thanks.

    August 26, 2020 at 2:13 pm
    • Alex Reply

      I don’t move anyone to 2019–I stopped with 2016 and started going to cloud-only. There are some engineers at my company who still do “server work” (where it is necessary) but I’m not one of them. Sorry!

      September 4, 2020 at 1:18 pm
  • Jim Satterfield Reply

    We performed a hybrid migration and your articles on it were invaluable to us so thank you very much for your expertise. We had been hoping to be able to eliminate having a local Exchange Server completely and were interested in using the Essentials Experience Role on our Server 2016 to do so. If instead we use a hybrid only Exchange 2016 what limitations, if any, are there on what else can be on the server it’s installed on? I would assume that it would not go on a domain controller but would there be any problem with it running on our second server which is primarily a file server that also is used for RDS? We are a small business with only 30 users and very few of those ever use RDS.

    September 22, 2020 at 12:05 pm
    • Alex Reply

      The Essentials Experience is no longer being updated so I can’t recommend it. The best is still Azure AD Connect with Hybrid to keep accounts/passwords in sync (if that is important). Many are starting to just go cloud-only accounts/separate from AD. But, you can definitely install on a DC. Now in that case, it is also recommended not to publish the web access externally, since it exposes the DC in a unique way (there are some Exchange-specific security principles deposited into the builtin groups for instance). But anyway, after you finish the hybrid config, you don’t really need it published externally anymore, anyway; it’s just there for management purposes.

      September 22, 2020 at 12:11 pm
