Decommissioning your last on-premises Exchange Server in a Hybrid Deployment
On April 20, 2022, Microsoft announced the release of cumulative updates (CUs) for Exchange Server 2016 and Exchange Server 2019, with several new features and changes, especially for Exchange Server 2019. One could argue that these updates are years overdue; however, knowing that Exchange Server is one of the most complex applications ever written, re-written and re-designed, and that it carries a great deal of security-sensitive code, it is not all so “black and white”.
What are the new Exchange Updates?
The first new update, or more of a change, is the new servicing model, which Microsoft states is a response to customer feedback that testing and deploying a new CU every three months is simply not feasible. It is also reasonable to suspect that customers’ inability to keep up with so many CU releases is the reason so many on-premises Exchange servers lag behind the desired state of having the latest, or latest minus one, CU installed. An arguable case could be made that, had Microsoft changed the servicing model earlier, there would not have been so many unpatched servers for the Hafnium (ProxyLogon) attacks to exploit last year. From now on there will be no more quarterly CUs; instead there will be two a year (H1 in March and H2 in September/October). Note that this changes only the CU cadence: security updates (SUs) continue to be released whenever they are needed, are only produced for the most recent CUs, and must still be applied promptly.
Before focusing on the major announcement about hybrid deployments and the last Exchange server, it is worth mentioning a couple of small wins that will bring joy to many Microsoft customers, although these are now very much an Exchange Server 2019 matter. This makes sense, as Exchange Server 2016 has already entered extended support (mainstream support ended in October 2020), which is planned to end in October 2025. The latest (and the last quarterly) CU12 for Exchange 2019 brings not only the much-desired support for Windows Server 2022 but also an update to licensing in a hybrid model. This had been widely criticised by those who wanted to update or upgrade their last Exchange server to the 2019 version, as a free hybrid licence for Exchange Server 2019 did not exist the way it did for the 2016 version; Exchange Server 2019 CU12 addresses this too. Unfortunately, while Windows Server 2022 supports TLS 1.3 out of the box, we still cannot say the same for Exchange Server 2019; Microsoft has said it plans to add this in 2023.
The Big Announcement – The Last Exchange Server Update
The long-awaited solution to the “last Exchange server” issue brings joy to many, but also some frustration to others; no one likes being forced into anything. Companies that have been “forced” to keep a last on-premises Exchange server in a hybrid environment, because of the way on-premises Active Directory and Azure AD are designed, have been frustrated for years. The reason is that only an on-premises Exchange server is capable (or at least officially supported) of managing the mail-enabled recipient properties of synchronised objects. For years many of us have used the “unsupported” alternative of editing the Exchange attributes directly in Active Directory (the Attribute Editor tab and some PowerShell), and it worked like a charm, but with a caveat: that path bypasses the validation the Exchange cmdlets perform, so a mistyped proxyAddresses or targetAddress value is written as-is and only shows up later as a synchronisation or mail-flow problem. Microsoft now says this frustration is over, or very nearly so. But is it?
Exchange 2019 CU12 ships an updated Exchange Management Tools role. It can now be installed on a domain-joined server or even a workstation and provides recipient management through PowerShell, with no other Exchange component required.
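As an added example (not part of the original article, and not Microsoft’s own code), this is what day-to-day recipient management looks like from a domain-joined admin workstation that has only the CU12 management tools installed. The domain controller, user, group and domain names are made-up values; the account running it is assumed to have been granted the recipient-management rights that Microsoft’s documentation describes for the tools-only scenario (the Add-PermissionForEMT.ps1 script shipped with CU12).

```powershell
# Added example, not from the original article. Runs in Windows PowerShell 5.1 on a
# domain-joined workstation with only the Exchange 2019 CU12 Management Tools
# installed. Assumed (made-up) values: AD user jsmith, accepted domain contoso.com,
# tenant routing domain contoso.mail.onmicrosoft.com, DC dc01.contoso.local.

# The CU12 tools expose the recipient cmdlets through this snap-in; no Exchange
# server and no remote PowerShell session is involved. The cmdlets write straight
# to Active Directory, which Azure AD Connect then synchronises to the tenant.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.RecipientManagement

# Pin every write to one writable domain controller so each step sees the
# previous one immediately instead of waiting for AD replication.
$dc = 'dc01.contoso.local'   # assumed name

# 1. Mail-enable an existing AD user as a remote mailbox. This sets targetAddress,
#    proxyAddresses, msExchRecipientTypeDetails and related attributes in AD; the
#    mailbox itself is created in Exchange Online once the object is synchronised
#    and licensed.
Enable-RemoteMailbox -Identity 'jsmith' `
    -RemoteRoutingAddress 'jsmith@contoso.mail.onmicrosoft.com' `
    -DomainController $dc

# 2. Change properties that cannot be edited in the cloud for a synced object:
#    add a secondary SMTP address and hide the user from address lists.
#    Lower-case "smtp:" marks a secondary address; "SMTP:" would change the primary.
Set-RemoteMailbox -Identity 'jsmith' `
    -EmailAddresses @{ add = 'smtp:john.smith@contoso.com' } `
    -HiddenFromAddressListsEnabled $true `
    -DomainController $dc

# 3. Verify the values that will be synchronised before the next sync cycle runs.
Get-RemoteMailbox -Identity 'jsmith' -DomainController $dc |
    Format-List Name, PrimarySmtpAddress, RemoteRoutingAddress, EmailAddresses,
                HiddenFromAddressListsEnabled, ExchangeGuid

# 4. Groups follow the same pattern: create them in AD through the tools and let
#    directory synchronisation carry them to Exchange Online.
New-DistributionGroup -Name 'Finance Team' -SamAccountName 'finance-team' `
    -PrimarySmtpAddress 'finance@contoso.com' `
    -OrganizationalUnit 'contoso.local/Groups' `
    -DomainController $dc
Add-DistributionGroupMember -Identity 'finance@contoso.com' -Member 'jsmith' `
    -DomainController $dc
```

The snap-in only loads in Windows PowerShell (5.1), not PowerShell 7, so use the Exchange Management Shell shortcut the tools create or a plain Windows PowerShell window. The value of going through the cmdlets rather than ADSI Edit is the validation: a malformed proxy address is rejected here, whereas written directly into the attribute it would be accepted and break synchronisation later.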
How to remove your last Exchange Server
But wait: whilst you can now “remove” the last Exchange server in your environment, you cannot remove it by uninstalling it. Do that and you are in a whole new set of problems. The short version is that you shut the server down and retire the hardware, but what does that mean?
In an Exchange hybrid environment, the last installed Exchange server is not just an application and a GUI for managing the recipient attributes of mail-enabled objects that are synchronised by directory synchronisation. Apart from holding other, possibly critical, roles for your organisation (discussed later, such as SMTP relay), it also holds the Exchange organisation and the hybrid configuration, both of which live as objects in the Active Directory configuration partition. Uninstalling the last Exchange server, whether through setup run from PowerShell or the uninstall button in “Add and Remove Programs”, would remove that organisation configuration, and the hybrid environment would cease to exist. Shutting the server down instead leaves those objects in place, which is what the management tools rely on. Microsoft will most likely update its documentation further over the next few weeks, but the following is what we know for sure now.
Key considerations before removing the last Exchange Server
The most important step is to examine whether this solution can even be used and whether the company is prepared for it. There are several things (possible issues) that the Exchange administrator must consider before removing the last Exchange server. There could be more, but the most pressing are:
- SMTP relay: many companies use their Exchange servers to relay e-mail from on-premises to Exchange Online, to relay e-mail for other domains or companies, or as the widely accepted way of relaying messages from third-party applications, systems, printers, devices, marketing tools and so on. There are a few ways to move these to Exchange Online, but not every scenario is covered yet: SMTP AUTH client submission is subject to the tenant’s sending limits, direct send can only deliver to recipients in your own tenant, and an SMTP relay connector requires the sending host to be identified by a static public IP address or a certificate. Inventory every device and application that points at the Exchange server’s receive connectors before you switch it off.
- On-premises RBAC: Role-Based Access Control is a great feature for delegating permissions to Exchange administrators. Unfortunately, removing the last Exchange server removes that option too, as on-premises RBAC is not available when only the Management Tools are installed. Permission delegation would then have to be moved to Exchange Online (Office 365) and managed differently on-premises, essentially through membership of the Active Directory security group that Microsoft’s procedure grants rights on the recipient objects.
- PowerShell: yes, removing the last Exchange server and managing mail-enabled objects and recipients with only the Management Tools leaves you GUI-less. This might be a good way to start learning and using PowerShell more (after all, it is used more and more in Office 365 / Exchange Online), but if you are uncomfortable with it, do not go there just yet. Managing Exchange attributes is then only possible via the Exchange Management Shell that the tools provide; there is no Exchange Admin Center on-premises any more.
If, however, none of the above applies to you, your company or your Exchange server, then you might be one of the lucky ones able to proceed with removing the last Exchange server from your organisation.
Let’s start with some expectations and caveats. Apart from the list above, all of the following must be true:
- No mailboxes or public folders exist on-premises any more (all have been migrated to Exchange Online).
- Active Directory remains the source of authority for synchronised objects; there is no way to change that or to update those objects solely in the cloud, so the on-premises management tools remain the only supported place to edit them.
- Exactly one Exchange server is left in your organisation.
- Last but not least, auditing or logging of recipient management activity is not required, as the management tools alone do not support it.
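The considerations and caveats above can be checked before anything is switched off. The following is an added example (not part of the original article, and not Microsoft’s script) of a pre-flight check run in the Exchange Management Shell on the last on-premises server itself, while it is still up; it uses standard Exchange cmdlets only, and the wording of the findings is this example’s own.

```powershell
# Added example, not from the original article. Run in the Exchange Management
# Shell on the LAST on-premises Exchange server, before it is shut down, in a
# hybrid organisation with directory synchronisation in place.
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Exactly one Exchange server must be left in the organisation.
$servers = @(Get-ExchangeServer)
if ($servers.Count -ne 1) {
    $findings.Add("Expected 1 Exchange server, found $($servers.Count): $($servers.Name -join ', ')")
}

# 2. No user mailboxes may remain on-premises. Arbitration/system mailboxes are
#    not returned by Get-Mailbox unless -Arbitration is specified.
$mailboxes = @(Get-Mailbox -ResultSize Unlimited)
if ($mailboxes.Count -gt 0) {
    $findings.Add("$($mailboxes.Count) mailbox(es) still on-premises, e.g. $($mailboxes[0].PrimarySmtpAddress)")
}

# 3. No public folder mailboxes (modern public folders) on-premises.
$pfMailboxes = @(Get-Mailbox -PublicFolder -ResultSize Unlimited)
if ($pfMailboxes.Count -gt 0) {
    $findings.Add("$($pfMailboxes.Count) public folder mailbox(es) still on-premises")
}

# 4. Receive connectors open to anonymous senders: the devices and applications
#    pointed at them lose mail flow the moment this server is switched off.
#    'ms-Exch-SMTP-Accept-Any-Recipient' for ANONYMOUS LOGON means an open relay
#    to external recipients, not just submission to internal mailboxes.
$anonConnectors = Get-ReceiveConnector |
    Where-Object { $_.PermissionGroups -match 'AnonymousUsers' }
foreach ($rc in $anonConnectors) {
    $relayRight = $rc | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' -ErrorAction SilentlyContinue |
        Where-Object { $_.ExtendedRights -match 'ms-Exch-SMTP-Accept-Any-Recipient' }
    $kind = if ($relayRight) { 'anonymous relay' } else { 'anonymous submission' }
    $findings.Add("Receive connector '$($rc.Name)' ($kind) listens on $($rc.Bindings -join ', ') for $($rc.RemoteIPRanges -join ', ')")
}

# 5. RBAC delegation does not survive the tools-only model; record role group
#    memberships so they can be re-created in Exchange Online or mapped to AD groups.
Get-RoleGroup | Where-Object { @($_.Members).Count -gt 0 } | ForEach-Object {
    $findings.Add("Role group '$($_.Name)' members: $($_.Members -join ', ')")
}

# 6. Admin audit logging goes away with the server; flag it if it is relied upon.
$audit = Get-AdminAuditLogConfig
if ($audit.AdminAuditLogEnabled) {
    $findings.Add("Admin audit logging is enabled on-premises; recipient changes made through the management tools alone will not be audited")
}

if ($findings.Count -eq 0) {
    Write-Host "No blockers found: install the management tools elsewhere, then follow Microsoft's shutdown procedure." -ForegroundColor Green
} else {
    Write-Host "Review before shutting down the last Exchange server:" -ForegroundColor Yellow
    $findings | ForEach-Object { Write-Host " - $_" }
}
```

Checks 1 to 3 correspond to the hard prerequisites above, check 4 to the SMTP relay item, check 5 to RBAC and check 6 to the auditing caveat. Treat every receive connector finding as a migration task in its own right: each source IP range listed is a device or application that must be moved to SMTP AUTH client submission, direct send or an Exchange Online connector before the server goes dark.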
For the most up-to-date documentation from Microsoft on removing the last Exchange server, see: Manage recipients in Exchange Server 2019 Hybrid environments | Microsoft Docs
If you require any Exchange consultancy, advice or assistance of any kind with the removal of the last exchange server within your current hybrid environment, or require any support with the migration of your on-premises environment to the cloud, please get in touch with us on 01932 232345 or complete the form below.