One of the primary reasons we see our clients moving to Office 365 is so that they no longer have to manage Exchange. So when they find out that their new Office 365 tenant still requires a local Exchange server for administration, the reaction is often surprise and sometimes even disgust. But there are good reasons to keep (or build) a local Exchange server on-prem with Office 365 and it’s actually a very small operational burden. Administrators are no longer “managing Exchange,” but rather simply managing an Exchange server.
The Problem: Synchronized AD Accounts
When local AD accounts are synchronized using Azure AD Connect, the local AD account becomes the authoritative source for all AD attributes. So when editing an attribute like a user’s name in Office 365, one will get the following error:
Unfortunately, the local AD accounts are authoritative for ALL attributes, including those of Exchange. So in order to perform Exchange management tasks such as hiding a user from all Address Lists or enabling an Online Archive, one must edit the on-premises attribute which controls that setting. But if the local schema isn’t extended for Exchange, these attributes will not exist and these settings will be impossible to change.
Even basic things like a user’s primary SMTP address, which is controlled by the proxyAddresses attribute, must be changed manually in the Active Directory Attribute Editor by changing the “smtp:” prefix of the new email address to all caps (“SMTP:”), which is what marks an entry as the primary address. This is unintuitive, prone to administrator error, and not supported by Microsoft.
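As an added illustration (not part of the original post), the following PowerShell audits proxyAddresses values for exactly the mistakes a hand edit invites: a primary that was left lower-case, two entries in upper-case “SMTP:”, a mixed-case prefix, or the same address listed twice. The sample accounts and the example.com addresses are constructed; the commented Get-ADUser pipeline at the end is how you would run it against a real directory.

```powershell
# Added example, not from the original post: check proxyAddresses for primary-SMTP
# mistakes. Exchange treats the entry prefixed with upper-case "SMTP:" as the
# primary address; lower-case "smtp:" entries are secondary aliases.
function Test-ProxyAddresses {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [AllowEmptyCollection()] [string[]] $ProxyAddresses
    )
    $problems = @()
    # Case-sensitive matches: only "SMTP:" marks the primary address.
    $primary   = @($ProxyAddresses | Where-Object { $_ -cmatch '^SMTP:' })
    if ($primary.Count -eq 0) { $problems += 'no primary SMTP: address' }
    if ($primary.Count -gt 1) { $problems += "multiple primary SMTP: addresses ($($primary -join ', '))" }
    # Mixed-case prefixes such as "Smtp:" are neither primary nor secondary.
    $odd = @($ProxyAddresses | Where-Object { $_ -imatch '^smtp:' -and $_ -cnotmatch '^(SMTP|smtp):' })
    if ($odd.Count -gt 0) { $problems += "mixed-case prefix ($($odd -join ', '))" }
    # The same address listed twice (in any case) is rejected by Exchange.
    $dups = $ProxyAddresses | ForEach-Object { ($_ -replace '^[^:]+:', '').ToLowerInvariant() } |
            Group-Object | Where-Object { $_.Count -gt 1 }
    if ($dups) { $problems += "duplicate address ($($dups.Name -join ', '))" }
    $primaryAddress = if ($primary.Count -eq 1) { $primary[0].Substring(5) } else { $null }
    [pscustomobject]@{
        SamAccountName = $SamAccountName
        Primary        = $primaryAddress
        Problems       = $problems
    }
}

# Constructed sample values standing in for real directory data (example.com is a placeholder).
$samples = @(
    @{ Sam = 'jdoe';   Proxy = @('SMTP:jdoe@example.com', 'smtp:john.doe@example.com') }  # correct
    @{ Sam = 'asmith'; Proxy = @('smtp:asmith@example.com', 'smtp:alice@example.com') }   # primary left lower-case
    @{ Sam = 'bjones'; Proxy = @('SMTP:bjones@example.com', 'SMTP:bob@example.com') }     # two primaries
    @{ Sam = 'clee';   Proxy = @('SMTP:clee@example.com', 'smtp:CLEE@example.com') }      # duplicate address
)
foreach ($s in $samples) { Test-ProxyAddresses -SamAccountName $s.Sam -ProxyAddresses $s.Proxy }

# Against the real directory (requires the ActiveDirectory module):
# Get-ADUser -Filter 'proxyAddresses -like "*"' -Properties proxyAddresses |
#     ForEach-Object { Test-ProxyAddresses $_.SamAccountName $_.proxyAddresses } |
#     Where-Object { $_.Problems }
# Fixing what it finds belongs on the Exchange management server described below
# (Exchange Control Panel, or Set-RemoteMailbox -PrimarySmtpAddress in the Exchange
# Management Shell), not in the Attribute Editor.
```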
This leads me into my next point: simply extending the schema for Exchange is not good enough. Yes, this would create the necessary attributes on-prem and allow administrators to change settings like Group delivery restrictions. But these settings would still have to be changed via the Attribute Editor which, although functional, is prone to error and strictly unsupported. The only supported method to change these settings is to use a local Exchange server.
The Solution: An Exchange Management Server
The Exchange “management server” is not to be feared: it hosts zero mailboxes, provides no client access services, requires no High Availability features like load balancing or database availability groups, requires a minimal hardware footprint, and can safely go offline without impacting email services. It is simply an administrative server which allows admins to open the Exchange Control Panel and make changes to users and groups via the supported GUI. Even better, the hybrid license needed for this management server comes free with any Office 365 subscription.
As a bonus, an on-prem Exchange server makes an excellent SMTP relay for those devices which can’t relay directly to Office 365. The hybrid license allows for this SMTP relay service so long as the mail is relayed directly to Office 365 (which you’d likely want to do anyway for outbound encryption or other transport rules).
Administrators who want to synchronize their AD accounts with Office 365 via Azure AD Connect must plan to operate an Exchange management server in order to manage all Exchange Online settings via a supported method. However, this server can be licensed for free and requires minimal hardware resources or day-to-day management. For those cloud-centric organizations who don’t have a good place for Exchange on-premises, this Exchange management server can also be built in Azure or Amazon Web Services. Look for more details on how that can be achieved in an upcoming blog post.