In today’s dynamic business landscape, organisations continually strive to stay ahead of the curve, harnessing the latest technologies to enhance productivity and collaboration.
One significant technology shift that businesses are now considering is migrating their Exchange environment, transitioning from traditional on-premises infrastructure to cloud-based platforms.
While this shift offers numerous benefits like scalability, improved collaboration, and cost savings, it requires careful planning and execution to ensure a smooth and successful data migration.
Embarking on an Exchange migration journey can be complex and daunting. However, armed with the right knowledge and guidance, you can navigate this process with confidence and reap the rewards of a modern, efficient, and secure communication and collaboration platform.
In this comprehensive blog, our Exchange Migration specialist, Gregor Jus shares his insights into the intricacies of Exchange migration, specifically focusing on hybrid removal and the essential steps involved in achieving a seamless transition, Gregor shares some real-world examples, and offers actionable tips to ensure that your Exchange migration is not only smooth and seamless but also minimises disruptions to your business operations.
Whether you are contemplating migrating your Exchange environment to a cloud-based platform or seeking guidance on how to optimise the process, this guide will provide you with the insights and practical knowledge you need to make informed decisions and avoid potential pitfalls.
Move from Hybrid to the Cloud and Back
Exchange Server hybrid deployment presents organisations with an attractive option to migrate either fully or partially to Exchange Online. Not only does it offer a seamless and efficient transition, it is also the only approach that enables smooth onboarding and offboarding to and from Exchange Online. Beyond these advantages, a hybrid configuration presents numerous opportunities for businesses to optimise their Exchange infrastructure, reduce costs, and enhance productivity.
Apart from that, and many other productive business features, such as cross-premises availability, archive, searches, and Outlook Web App redirection or no need for profile recreation after the move, it also offers the ability to minimise the footprint of Exchange Servers on-premises. While hybrid configuration and directory synchronisation remain in place, organisations can significantly reduce hardware costs, electricity consumption, and maintenance overhead. By strategically retaining only a couple of Exchange Servers on-premises for high availability or even reducing it to a single standalone server running on a virtual machine, the workload can be shifted primarily to Exchange Online.
Let’s explore the options.
Minimise Exchange Servers footprint in a hybrid configuration.
If you are keeping the hybrid configuration in place, you must also leave the directory synchronisation in place due to being a prerequisite. The same would apply if AD FS were in use. Therefore, hybrid configuration and/or Exchange Servers on-premises cannot be fully removed, but you can reduce the footprint to a minimum. You can leave only a couple of Exchange Servers on-premises (to maintain high availability – if required) or reduce it to one standalone Exchange Server. This can then run on a virtual machine, with fewer resources since the workload is almost completely shifted to Exchange Online.
It is important to remember that with a hybrid configuration in place, the source of authority (AD objects synced to Azure AD) is defined as on-premises, and Exchange Administrative Center or Exchange Management Shell are the only supported tools for managing Exchange recipients. While other methods (e.g., ADSI Edit or Attribute editor in Active Directory) work, they are officially supported. This option is perfect for those who want to minimise Exchange Server on-premises configuration but are happy to leave one last Exchange Server for management purposes via GUI and prefer the option of keeping on-premises SMTP relays.
There you go, update your last Exchange Server to the 2019 version and use the Microsoft free hybrid license!
Reduce minimum hybrid configuration by removing the last Exchange Server.
Assuming now that all the mailboxes are migrated to Exchange Online, there are no on-premises relay dependencies, and that you are only keeping Exchange Server on-premises live for management purposes. If this is the case, you can “upgrade” or, rather saying, “downgrade” the configuration by removing the last Exchange Server from the on-premises. However, the proper process must be followed, as uninstallation is not an option, except if you like solving very complicated issues!
With that in mind, Microsoft has an extensive knowledge base of this topic; about preparing the Exchange environment, shutting down the last Exchange Server and cleaning the Active Directory afterwards. The process involves dozens of PowerShell commands (on-premises and online), but it’s best to leave the process to experienced Microsoft Professionals, such as our team at Krome, to avoid breaking anything in the process. In addition, some knowledge transfer might be required at the end, as the recipient management will only be possible via Exchange Management Shell – there is no more GUI!
So why would one want to go down the route with no GUI- difficult removal of the last Exchange Server, updating Exchange to the latest version, losing features such as RBAC and auditing, and hiring a professional to do it?
Not simply because you can, but because you should – if you don’t have specific requirements to not to! Let’s see why:
- By migrating all mailboxes to Exchange Online, there is a great chance you do not need RBAC or logging/ auditing recipient management activity anymore.
- If you use Exchange Server on-premises for SMTP relay, it is time to move on. There is a safer, better and more resilient relay via Office 365, with integrated DKIM, better EOP protection, the option of Microsoft Graph usage, etc.
- You might be afraid of using EMS (Exchange Management Shell) for management and want to keep using GUI, but at the end of the day, PS is the future, and more and more Microsoft online services use PowerShell already.
- Many are keeping the last Exchange Server on-premises because of the official requirement. But now Microsoft gave us an option to “get rid” of the Exchange Infrastructure.
- Finally, no more talks about ports and protocols about OWA, SMTP, HTTPS, ECP and exposed Exchange Server and less updating with CU and SU updates.
Exchange Online (Cloud only) configuration.
Let’s now imagine that you have moved everything to Exchange Online, you don’t have any recipient remnants on-premises, you do not need to keep Azure AD Connect (directory synchronisation), you will manage all your “objects” in Azure Active Directory, and you don’t have any required relays (or you have moved them to other SMTP servers or Exchange Online). If that’s the case, you are in luck! The directory synchronisation can safely be disabled, and the Exchange Server on-premises can be removed.
And by remove, we mean uninstall! Using some EMS cmdlets, the directory sync can be disabled, DNS records amended, SCPs (Service Connection Points), organisation sharing, OAuth authentication removed/disabled, and Exchange Server uninstalled. You will end up with an on-premises environment with no Exchange Organisation footprint, and all your recipient management moved to Azure AD/ Microsoft 365. Simple as that!
Exchange Online (Cloud only) configuration with directory synchronisation.
The title suggests a similar scenario when trying to minimise the Exchange Server on-premises footprint in a hybrid configuration. It is not completely the same (but also not dissimilar), and the path to the result is completely different. Let’s assume you have Active Directory Forest and you already have Microsoft 365 tenant. However, there is no directory synchronisation, Exchange Server has never been installed in the organisation, and users have two sets of credentials. One set for the on-premises environment and the other set for “the cloud” environment – e.g. Microsoft/Office 365. It would make sense to merge them together and improve user experience with synced passwords and usernames or even give users the ability to reset their password, with appropriate licensing, and more. How would one approach this scenario?
Bear in mind that while this solution worked very nicely, it was not (and still isn’t) fully supported by Microsoft. With that in mind, historically, companies (administrators) installed Azure AD Connect, enabled directory synchronisation, and extended AD schema with the Exchange attributes. While unsupported, this solution worked very well and managing Exchange recipients in the cloud (Exchange Online) was possible via AD Attribute Editor or ADSI Edit. But now all of that has changed. While you can still do this the “old way”, you can upgrade this configuration by installing the latest Exchange Server 2019 management tools, creating a new Exchange Organisation and finishing by running some PowerShell commands to establish hybrid and get your environment to a Microsoft supported state.
Moving back to Exchange on-premises (offboarding) and cleaning up.
There might be a reason for you to move your online mailboxes back to on-premises. Usually, this is the case with specific mailboxes only or perhaps regional mailboxes. Perhaps the broadband connection is unsuitable in remote regions, and Microsoft 365 doesn’t work fast enough – in this case, the on-premises Exchange Server is still a better solution. You might also have specific compliance regulations or requirements for keeping the mailbox on-premises. Surely there are other reasons, too; however, if this is the case, you can off-board (migrate back to Exchange Server on-premises) your mailbox, and you are good to go.
A different story is if you want to off-board your whole environment (although I have only heard it once on one of the technical forums) back to on-premises and close the Microsoft 365/ Exchange Online tenant. In this case, all the mailboxes should be migrated back to the Exchange Server on-premises, directory synchronisation (Azure AD Connect) disabled, Hybrid configuration cleaned and removed, and Microsoft 365 tenant closed with subscriptions cancelled, data deleted, etc. While I haven’t heard of an actual exercise like this, there could be a scenario where this is needed.
A word of advice, if you are thinking of doing it, with the reason behind migrating back to Exchange Organisation on-premises and establishing a new Microsoft 365 tenant connection (and migration), there is no need to do that anymore. Microsoft is rolling out an ability to do native tenant-to-tenant mailbox migration. Which is welcomed.
Last Exchange Server Removal Considerations
It makes sense that this new technology, or the ability to remove the last Exchange Server from the organisation, doesn’t come without risks or considerations. We have already covered that area under the “minimising the Exchange Server on-premises footprint in a hybrid configuration”. However, let’s look at some of the topics in a little more detail, starting with the elephant in the room…
- SMTP relay – a modern nightmare for IT administrators regarding systems, devices or applications that do not yet support modern authentication. Directing the relay via on-premises Exchange Server and forgetting about it is easy. Yes, but it doesn’t mean it’s safe and secured. If there isn’t any other way (read further), I suggest creating an IIS – SMTP relay instead of using the Exchange Server. The better way would be to use one of the three primary options in Microsoft 365. There is much more to what’s written below, but it gives you the idea…
- Authenticate device/ application directly with Exchange Online mailbox and send email using SMTP auth client submission. It’s the easiest option to configure when sending emails inside and outside your organisation from a third-party hosted application, service or device. However, it is not compatible with Microsoft Security defaults and Modern Authentication.
- Send emails directly from printer/ application to Microsoft 365 (e.g. direct send) could be another option if the environment has SMTP Auth disabled, the previous option isn’t compatible with business needs, and you only need to send emails inside the organisation. This option can also be used for sending bulk emails or newsletters; however, these emails will be subject to anti-spam protection and might end up in junk folders.
- The third option requires configuring a connector to send emails using Microsoft 365 or Office 365 SMTP relay. This is the most “difficult” option of all three. Still, there are times when option 1 and option 2 are incompatible and you can use this to relay emails on your behalf by using a connector configured with your public IP address or a TLS certificate.
- There is the fourth option though. It uses the Microsoft Graph API to send emails, but it might not be appropriate to all businesses just yet; plus, it has its very own way of configuring it. Therefore, I am only putting it to the spot, but you can read more about it on Microsoft documentation.
- RBAC and Auditing are nice-to-have (or for some a must-to-have) features in Exchange Server on-premises. However, with the workload shifting more and more to Exchange Online, there are also more and more companies that do not rely on these features anymore or do not need them at all. If not, you must keep the last Exchange Server installed, to continue auditing logs and Exchange role-based access control.
- Let’s quickly uninstall the last Exchange Server – Absolutely not! While the last Exchange Server can be deleted/ removed and the server reformatted for other purposes, it must not be uninstalled. It needs to be shut down, scripts must be used to clean the information, and it must not be uninstalled. Completing the uninstall will remove critical information from Active Directory that breaks the ability of the management tool package to manage Exchange attributes. The process involves some PowerShell knowledge and a good understanding of how things work, but it can be done.
- Removing the last Exchange Server will remove an option of managing Exchange recipients via GUI (Exchange Administrative Center). You might fear using EMS (Exchange Management Shell) for management and want to keep using GUI. But at the end of the day, PowerShell is the future, and more and more Microsoft online services use PowerShell already. There is also online documentation on all the cmdlets that can be used for management, so really, it makes no sense to stay in the past with GUI and keep the Exchange Server on-premises because of that.
- One more thing, while there is no more Exchange Server installed after this process (and, of course, no more conversations are needed on the security/ safety topics and protocols of OWA, SMTP, HTTPS, ECP, etc.), you still need to take care of management tools update. It’s easier than updating the Exchange Server, but you should keep them updated as the new CUs are released.
- Email address policy is also one of the main topics regarding Exchange Online. When in a hybrid environment, these are managed on-premises. However, when in Exchange Online only, there is no such thing as an email address policy as we know it. There were and are many speculations why that is, from security issues to difficult implementations. However, the bottom line is there isn’t any. Well, that is not entirely true – there are email address policies, but they cannot be used as we would like for mailboxes. Therefore, the solution lies in PowerShell.
Exchange Online and its Environment
Let’s now delve a bit further into the Exchange environment online. This is not the complete documentation or reference; it’s more of an introduction and scratching the surface of the topics discussed often when it comes to Exchange Online.
User and group management
A part of this was already covered when discussing hybrid and Azure AD Connect, but it’s worth mentioning again. When in hybrid or the new “hybrid” environment with Exchange management tools only or even the unsupported version of having Azure AD Connect in place for directory sync, the source of authority is on-premises. This means that any user and/ or group management (the same applies for distribution groups, contacts, shared mailboxes, etc.) that is synced from on-premises to Azure Active Directory must be (and can only be) managed on-premises. Trying to amend the alias, contact information, name of an object, etc. is impossible.
How about if there is no directory sync in place and all AD objects are in the cloud? I would hope that it’s then self-explanatory where the management happens. It’s in the cloud – in Azure, more specifically.
Mailbox management is a tricky one. The first bit imperative to understand is what kind of hybrid environment it is. If that is a true hybrid environment, then the proper process must be followed when creating mailboxes in Exchange Online. This is being, a mailbox must be created on-premises, migrated to Exchange Online, and a license must be assigned. While in a sync-only environment, the user is provisioned on-premises, synced to Azure AD, and the mailbox created online. Therefore, some attributes must be created/ amended on-premises, while others can only be configured in Exchange Online.
Exchange Online Protection (EOP) and email hygiene
Exchange Online Protection (EOP) is a cloud-based filtering service that protects your organisation against spam, malware, and other email threats. EOP is included in all Microsoft 365 organisations with Exchange Online mailboxes. However, advanced features depend on licensing. EOP runs on a worldwide network of data centres designed for the best availability, and it’s almost impossible for EOP to stop working. Should a data centre become unavailable, emails would be automatically routed to another one.
It is simply too much to talk about EOP in detail. Even scratching the surface would take a dozen of pages to start with. However, we can at least mention the features one might benefit from EOP. These are (list is not complete) anti-malware, anti-spam, anti-phishing, anti-spoofing, zero-hour auto purge, security policies, quarantines, mail flow rules, detailed monitoring, safe links, safe attachments, and many more! Oh, and don’t forget, you can benefit from EOP even if you don’t have mailboxes in the cloud.
An Exchange Online migration endpoint represents the source connection information for all supported migration types such as Remote Moves, Cutover, Staged, IMAP, and G Suite. A Hybrid Migration endpoint is an endpoint when referring to the source on-premises environment for Hybrid migrations to Exchange. Simply put, this is not science fiction, and Exchange Online uses this to connect to Exchange on-premises when on-boarding or off-boarding mailboxes. However, there is another reason why I like to mention this simple “not so very interesting” feature…
Large and enterprise businesses normally choose full classic hybrid configurations due to business needs and requirements. However, the experience doesn’t have to end here, especially regarding migration endpoints and Exchange Servers configured globally, worldwide in different regions, with different broadband connections and bandwidth or capabilities. Imagine a scenario with multiple Exchange Servers worldwide where emails are routed between them before they reach the final recipient. Add to this one single migration point, slow bandwidth, and strict firewall rules and think of a scenario where you start onboarding hundreds of users from different Exchange Servers worldwide via a single migration endpoint. I guarantee that along with your own frustration, the CEOs won’t be impressed either.
A simple solution is multiple migration points. You will need firewall knowledge, external DNS configuration of a new record and an available static IP address. Then, creating new migration endpoints is quite easy (via GUI or PowerShell), when all the prerequisites with MRS Proxy, Firewall, DNS, and user account on-premises with correct permissions are set. With some planning and configuration, you can end up with a handful, a dozen or even more multiple migration endpoints, pointing to different Exchange Server in different regions, thus increasing migration performance, speed and high availability.
Why Partner with Krome for your Exchange Migration?
As a Microsoft Partner, our team has successfully guided numerous businesses, of all sizes, through the intricate process of Exchange migration, gaining a deep understanding of the challenges and intricacies involved.
We understand that each organisation is unique, with specific requirements and complexities. Our vast experience in handling Exchange migrations equips us with the knowledge and insights to tailor our approach to meet your organisation’s specific needs. Whether you are a small business with a limited IT staff or a large enterprise with a complex infrastructure, we have the expertise to navigate the migration journey smoothly and efficiently.
Our team of technical professionals have enhanced their skills by working with diverse clients across various industries. This hands-on experience has provided us with a deep understanding of the potential hurdles and pitfalls that can arise during an Exchange migration. We leverage this knowledge to anticipate and address challenges proactively, ensuring a seamless transition with minimal disruptions to your business operations.
In addition to our technical proficiency, we also understand the importance of effective communication and collaboration throughout the migration process. We work closely with your team, keeping you informed at every step and actively involving key stakeholders. Our goal is to foster a transparent and collaborative environment, ensuring that your organisation’s unique requirements and objectives are met throughout the migration process.
When you partner with Krome for your Exchange migration, you can trust that our expertise goes beyond technical proficiency. We bring a deep understanding of the challenges, a proven track record of successful migrations, and a commitment to delivering exceptional results.
If you are ready to embark on your Exchange migration project or are seeking insights on how to optimise your ongoing Exchange migration efforts, please get in touch with us today on 01932 232345 or complete the form below.
Request More Information