In the last article we installed Microsoft Entra Connect Sync to sync the local Active Directory identities to Microsoft 365. In this article I will talk about the different types of Exchange environment.
If you are a support engineer or new to Exchange, you should understand the different Exchange environments, how Exchange interacts with Active Directory, how Exchange Online (EXO) interacts with Microsoft Entra ID, and how attribute changes lead to a mailbox being created in EXO.
Table of contents
- Exchange Online (Pure Cloud Environment).
- Exchange On-Premises (Single forest Exchange).
- Exchange On-Premises (Account forest – Resource forest scenario).
- Exchange Hybrid (Exchange On Premises + Exchange Online).
- Advantages of Exchange Hybrid.
- Where to keep the user mailboxes in Exchange hybrid scenario.
- (Undesired State) Same mailbox is active in EXO and active in Exchange on premises server.
- Conclusion.
Exchange Online (Pure Cloud Environment).
In this scenario, an organization is only using Microsoft 365 services.
In a pure cloud setup, the organization gets Microsoft Entra ID and the Exchange Online service (along with other services, depending on the active subscription).
Once the administrator assigns a license to the Microsoft Entra ID user user@aashu.co.in, Exchange Online provisions a mailbox for the user.
But how does Exchange Online know which Microsoft Entra ID user this mailbox belongs to, and how does Microsoft Entra ID know which Exchange Online mailbox belongs to the user?
Microsoft Entra ID and Exchange Online are linked through the ExternalDirectoryObjectId attribute of the mailbox on the Exchange Online side and the ObjectId attribute of the user on the Microsoft Entra ID side.
Example: If I execute the command (from the Microsoft Entra ID side)
Get-MsolUser -All | where {$_.ProxyAddresses -eq "SMTP:user@aashu.co.in"} | fl ObjectId
I will get the output 4dd3——–cfd9, which means the ObjectId of user@aashu.co.in is 4dd3——–cfd9.
If I execute the command (from the Exchange Online side)
Get-Mailbox -Identity "user@aashu.co.in" | fl ExternalDirectoryObjectId
I will get the output 4dd3——–cfd9, which means the ExternalDirectoryObjectId of user@aashu.co.in is 4dd3——–cfd9.
The mailbox in Exchange Online links to the user in Microsoft Entra ID because the value of ExternalDirectoryObjectId in EXO and the value of ObjectId in Microsoft Entra ID are the same.
Let's say the user is deleted completely from Microsoft Entra ID (the user is not even present in the Microsoft Entra ID recycle bin). The value of ExternalDirectoryObjectId for the mailbox in EXO then becomes 0000-0000-0000-0000, as the user associated with the mailbox no longer exists.
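As an added example (not code from the original post), the following PowerShell walks every Exchange Online user mailbox and verifies the ExternalDirectoryObjectId link to Microsoft Entra ID described above, reporting orphaned mailboxes (all-zero id) and links that point at a user Entra ID can no longer return. It assumes the ExchangeOnlineManagement and Microsoft.Graph.Users modules are installed and uses Get-MgUser in place of the retired Get-MsolUser.

```powershell
# Added example, not from the original post. Assumes the ExchangeOnlineManagement and
# Microsoft.Graph.Users modules are installed and the signed-in account can read users
# and mailboxes. Get-MgUser stands in for the retired Get-MsolUser used in the article.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.Read.All'

# ExternalDirectoryObjectId is a string on the mailbox; the all-zero GUID (abbreviated as
# 0000-0000-0000-0000 in the article) marks a mailbox whose Entra ID user was purged.
$orphanId = '00000000-0000-0000-0000-000000000000'

$report = foreach ($mbx in Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox) {
    $extId = $mbx.ExternalDirectoryObjectId
    $state = if ($extId -eq $orphanId) {
        # The user was deleted past the recycle bin; nobody owns this mailbox any more.
        'OrphanedMailbox'
    } else {
        # Fetch the Entra ID user by the ObjectId the mailbox claims to be linked to.
        $user = Get-MgUser -UserId $extId -ErrorAction SilentlyContinue
        if (-not $user) {
            # Not returned by Get-MgUser: typically a soft-deleted user still in the recycle bin.
            'EntraUserNotFound'
        } else {
            'Linked'
        }
    }
    [pscustomobject]@{
        Mailbox                   = $mbx.UserPrincipalName
        ExternalDirectoryObjectId = $extId
        State                     = $state
    }
}

# Only the mailboxes that need attention are shown.
$report | Where-Object State -ne 'Linked' | Format-Table -AutoSize
```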
Exchange On-Premises (Single forest Exchange).
In this scenario, the organization uses only an on-premises Exchange server, which is integrated with the local Active Directory forest.
Local administrators in the Active Directory forest create the users locally, and the Exchange on-premises server hosts the user mailboxes.
The organization's internal IT team handles all server infrastructure management and daily server monitoring, as Exchange Online (Microsoft 365) is not used.
Exchange On-Premises (Account forest – Resource forest scenario).
In this scenario, the organization uses an on-premises Exchange server and local Active Directory, but the user object is created in one forest (the Account Forest) and linked to a separate user object in another local Active Directory forest, where the Exchange on-premises server is installed (the Resource Forest).
The mailbox created in the resource forest is called a Linked Mailbox.
Exchange Hybrid (Exchange On Premises + Exchange Online).
In this scenario, the organization is already using an Exchange On-Premises server but also wants to use the features of Exchange Online. How does the organization achieve this?
The answer is Exchange Hybrid, which is set up by running the Hybrid Configuration Wizard (HCW).
After running HCW, Exchange on-premises and Exchange Online act as one organization, as HCW connects the Exchange on-premises server with Exchange Online.
Please note that once the identities are synced from the local Active Directory to Microsoft 365, attribute changes for those identities must be made in the local Active Directory; the changes are then synced from the local Active Directory to Microsoft Entra ID by the Microsoft Entra Connect Sync tool.
The prerequisites for installing HCW are listed in the Microsoft article Hybrid deployment prerequisites.
Advantages of Exchange Hybrid.
- Unified Global Address List.
- Free Busy and calendar sharing between EXO and Exchange on premises mailboxes.
- Move mailboxes from Exchange on premises to Exchange online AND vice versa.
- Cloud Archive mailbox for an Exchange on premises user mailbox.
- Mailbox attribute management from Exchange on premises.
- Secure email flow between Exchange on premises and Exchange Online.
If the administrator selected the "Organization Configuration Transfer" option, the configurations listed in the Microsoft article are transferred from the on-premises Exchange Server to Exchange Online.
Please note that this is a one-time transfer of organization objects from the on-premises environment to Exchange Online. After the transfer, the organization needs to make changes in both locations to keep the objects in sync.
Where to keep the user mailboxes in Exchange hybrid scenario.
Option 1: Keep all the mailboxes in On Premises Exchange Server.
The organization can keep all the mailboxes on the Exchange on-premises server and use Exchange Online Protection to filter all email for the mailboxes located on Exchange on-premises.
In this scenario, the organization has an Active Directory user (user@aashu.co.in) whose mailbox (ExchangeGUID: 1234****9101) is located on the Exchange on-premises server.
When we open the properties of user@aashu.co.in in the local Active Directory attribute editor, we see the value ExchangeGUID: 1234****9101, which confirms that user@aashu.co.in has a mailbox with ExchangeGUID 1234****9101.
Once the organization enables Microsoft Entra Connect Sync, the Active Directory user object user@aashu.co.in (with the property ExchangeGUID: 1234****9101) is synced to Microsoft Entra ID as a user object.
Once Microsoft Entra ID receives the update, it creates a new synced user with UPN user@aashu.co.in, after which the same information is sent to EXO.
EXO then creates a new mail user with the email address user@aashu.co.in.
The value ExchangeGUID: 1234****9101 on the synced object tells Microsoft Entra ID and EXO that the mailbox already exists on the Exchange on-premises server.
If the user has a value in ExchangeGUID and the admin assigns a license, no mailbox is created in EXO, because the ExchangeGUID already has a value.
Option 2: Keep all the mailboxes in EXO.
The organization can also move all the Exchange on-premises mailboxes to EXO using mailbox migration.
Once an Exchange on-premises mailbox is moved to EXO, a remote mailbox is created on the on-premises Exchange server for the mailbox that was moved.
The remote mailbox has a property named RemoteRoutingAddress (TargetAddress) whose value is set to the email address user@domain.mail.onmicrosoft.com.
If you open the properties of the migrated mailbox in EXO, you will see the proxy address user@domain.mail.onmicrosoft.com.
The remote mailbox entry is just a pointer indicating that the mailbox is not present on the Exchange on-premises server but in the cloud; any new incoming email for the user is sent on to the remote routing address of the remote mailbox.
The advantages of moving the mailbox are that EXO provides improved functionality, increased security, and a reduction in the cost of Exchange on-premises server maintenance.
Now, why a reduction in the cost of Exchange on-premises server maintenance rather than a total elimination of that cost?
This is because, even after you move all the mailboxes from Exchange on-premises to EXO, it is still recommended to keep one Exchange server on premises to manage mailbox properties and attributes (recipient management).
Please refer to the Microsoft article Why you may not want to decommission Exchange servers from on-premises.
Option 3: Keep some mailboxes in EXO and some on the Exchange on-premises server.
The organization can move a few mailboxes to EXO (as a pilot project to use EXO services before moving all of the organization's mailboxes to EXO).
As some of the mailboxes are migrated to EXO, those mailboxes and the mailboxes hosted on the Exchange on-premises server communicate with each other using the Hybrid features (GAL, Free/Busy, calendar sharing and others).
(Undesired State) Same mailbox is active in EXO and active in Exchange on premises server.
In an Exchange hybrid deployment, suppose the user already has a mailbox in Exchange on-premises but, for some reason, the value ExchangeGUID: 1234****9101 is not synced to Microsoft Entra ID by Microsoft Entra Connect Sync.
The synced user in Microsoft Entra ID then has ExchangeGUID: 0000-0000-0000-0000, and if an administrator assigns a license to the user, a mailbox is created in EXO.
As there are now two active mailboxes, one in EXO and one in the Exchange on-premises environment, the organization's administrators have to decide which mailbox to keep and which to delete.
If the organization decides to keep the EXO mailbox, then they have to:
- Disable the on-premises mailbox.
- Enable the remote mailbox on premises.
- Set the RemoteRoutingAddress for the on-premises remote mailbox.
- Restore the content of the on-premises mailbox into the EXO mailbox, OR compare the data in both mailboxes and decide what to keep and what to discard.
The detailed steps for keeping the mailbox in Exchange Online are described in the Microsoft article How to recover when a mailbox exists in both Exchange Online and on-premises.
If the organization decides to keep the on-premises mailbox, then they have to:
- Remove the Exchange Online license.
- Execute the command Set-User user@aashu.co.in -PermanentlyClearPreviousMailboxInfo.
The detailed steps for keeping the mailbox on the Exchange on-premises server are described in the Microsoft article Permanently Clear Previous Mailbox Info.
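The ExchangeGUID and RemoteRoutingAddress checks from Option 1, Option 2 and this undesired state can be run as one pre-flight report before any license is assigned. The following PowerShell is an added example, not code from the original post or from Microsoft; it assumes it runs from the on-premises Exchange Management Shell with the ExchangeOnlineManagement module installed, and it imports the cloud cmdlets with the "Cloud" prefix so that the on-premises Get-Mailbox and the Exchange Online Get-Mailbox do not collide.

```powershell
# Added example, not from the original post. Assumes the on-premises Exchange Management
# Shell plus the ExchangeOnlineManagement module; cloud cmdlets get the "Cloud" prefix
# (Get-CloudRecipient, Get-CloudMailUser, Get-CloudMailbox) to avoid name collisions.
Connect-ExchangeOnline -Prefix Cloud -ShowBanner:$false

$findings = [System.Collections.Generic.List[object]]::new()

# Part 1: mailboxes still hosted on premises (Option 1 / Option 3) must appear in EXO as
# mail users carrying the same ExchangeGuid; an empty GUID means a license would create
# a second, duplicate mailbox in EXO (the undesired state described in the article).
foreach ($onPrem in Get-Mailbox -ResultSize Unlimited) {
    $upn   = $onPrem.UserPrincipalName
    $cloud = Get-CloudRecipient -Identity $upn -ErrorAction SilentlyContinue
    $state = if (-not $cloud) {
        'NotSyncedToEntra'
    } elseif ($cloud.RecipientTypeDetails -eq 'UserMailbox') {
        'DuplicateMailbox'      # already active in EXO and on premises
    } else {
        $cloudGuid = (Get-CloudMailUser -Identity $upn).ExchangeGuid
        if ($cloudGuid -eq [guid]::Empty)            { 'GuidNotSynced' }
        elseif ($cloudGuid -ne $onPrem.ExchangeGuid) { 'GuidMismatch' }
        else                                         { 'OK' }
    }
    $findings.Add([pscustomobject]@{ User = $upn; Where = 'OnPremises'; State = $state })
}

# Part 2: remote mailboxes (Option 2) must point at an EXO mailbox that actually owns the
# RemoteRoutingAddress, otherwise inbound mail relayed from on premises cannot be delivered.
foreach ($remote in Get-RemoteMailbox -ResultSize Unlimited) {
    $target = $remote.RemoteRoutingAddress.ToString() -replace '^smtp:', ''
    $exo    = Get-CloudMailbox -Identity $remote.UserPrincipalName -ErrorAction SilentlyContinue
    $state  = if (-not $exo) {
        'NoCloudMailbox'
    } elseif (-not ($exo.EmailAddresses -match "(?i)^smtp:$([regex]::Escape($target))$")) {
        'RoutingAddressNotOnMailbox'
    } elseif ($exo.ExchangeGuid -ne $remote.ExchangeGuid) {
        'GuidMismatch'
    } else {
        'OK'
    }
    $findings.Add([pscustomobject]@{ User = $remote.UserPrincipalName; Where = 'Remote'; State = $state })
}

# Only objects that need attention are listed.
$findings | Where-Object State -ne 'OK' | Format-Table -AutoSize
```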
Conclusion.
In this article we looked at the different types of Exchange environment and where an organization can host its mailboxes.
Exchange Hybrid deployment is a good choice for organizations with a huge number of mailboxes (as they cannot move all the mailboxes from Exchange on-premises to EXO in a single migration batch).
The organization has to make sure that the sync service between the local AD and Microsoft Entra ID correctly syncs the value of ExchangeGUID for all the on-premises mailboxes, to avoid unwanted mailbox creation in EXO.