MVP - Most Valuable Professional
rss

Just can't get enough of IT

This blog is about mostly anything in IT. But the primary focuses are Microsoft technologies like Exchange Server, Microsoft 365, Microsoft Teams, and Cloud Security.
Last updated: 2020-03-28
First posted: 2020-04-01


Exchange Server 2016Exchange Server 2019Once upon a time at an Exchange Conference near you, a member of the Exchange Product Group (PG) announced that the very last Exchange Server will go away when having an active Exchange hybrid setup.

This was a hot topic for discussions at the Microsoft Exchange Conferences (MEC, @IamMEC) in 2012 and 2014, already. Since then the Exchange PG came up with a number of reasons why this is not possible. The question on when we will finally be able to remove the very last Exchange Server from the on-premises Exchange organization was asked every year at the Ignite Conference. 

 

Current Situation

Currently, the supported scenario for hybrid configurations between your on-premises Exchange organization and Exchange Online requires that you keep the last Exchange Server for creating, and managing Exchange related objects, even if those objects are located in Exchange Online. 

The following diagram illustrates the current requirements:

  • Domain Controller Servers, with the most recent Active Directory Schema Update for a supported Exchange Server version, and stored Exchange-extended AD objects.
  • DirSync Server, with AAD Connect, synchronizing Exchange-extended AD objects stored in on-premises Active Directory with Azure AD.
  • Last Exchange Server, running a supported version of Exchange Server, managing the objects stored in on-premises Active Directory.

 

Exchange Classic Hybrid Configuration Model

 

 

NOTE
The last Exchange server requires that you keep it updated in regard to monthly Windows Server updates, and quarterly Exchange Server Cumulative Updates. Keep in mind that the Exchange Server follows a strict N-2 approach, to remain in a supported operational state. This means that only the most current Cumulative Update (CU) for modern Exchange versions, or Update Rollup (UR) for the good ole legacy version Exchange Server 2010, keep your on-premises Exchange organization on a supported state.

 

Interim solutions

In the past, there was communication on certain interim solutions that were supposed to support you in removing the last Exchange Server from your Exchange organization. Such interim solutions were:

  • ADSI Edit
  • Identity Management Solutions (IDM)
  • PowerShell

At Ignite those solutions even made it into the official session catalog:

 

All those interim solutions leave your on-premises Exchange organization and the Active Directory configuration in an uncomfortable twilight-zone. It was still something that worked somehow, but you knew it was officially not supported, and the secure and stable operation of the hybrid configuration was at risk.

 

But wait...

Removing the last Exchange Server is supported!

(at least when all components are released)

 

 

Solution

Exchange Server 2019The new approach for managing your Exchange Online tenancy after migrating your on-premises Exchange organization to Exchange Online does not require an on-premises Exchange Server. 

The new mode of operation reduces your on-premises requirements to:

  • Domain Controller Servers, running the most recent release Windows Server 2019 with the most recent Active Directory Schema Update for Exchange Server 2019 CU 5. This updates the Exchange-extended AD objects and the hybrid configuration object to support modern EXO management. Also, you must enable the Windows Feature "Exchange Online Remote Features" as described below.
     
  • DirSync Server, with AAD Connect, synchronizing Exchange-extended AD objects stored in on-premises Active Directory with Azure AD. You must run the most recent release of Azure AD Connect (1.4.38.0) and have Exchange Hybrid enabled in AAD Connect.
    See release notes for Azure AD Connect
     
  • Administrative PC, running the most recent version of the Exchange Online PowerShell v2 (aka ExchangeOnlineManagement)

 

The following diagram illustrates the new modern Exchange Online Management experience:

 

Modern Exchange Management Experience

 

Simply you remove the requirement to use on-premises Exchange Server to write to your on-premises Active Directory. Instead, Azure AD Connect uses a new synchronization capability to handle the new Exchange Management experience in the AAD Connect MetaVerse. The on-premises AD-connector writes the changes to Active Directory which keeps the Active Directory up-to-date for all other on-premises solutions that require identities to have a proper state.

You execute all Exchange-related actions using the new Exchange Online Management PowerShell module, or, if needed, the new Modern Exchange Admin Center (EAC, which was announced at Ignite 2019.

 

Enable Modern Exchange Admin Experience (MEAE)

WARNING
The following actions might interfere with the current configuration of your Exchange organization and Active Directory forest. Therefore, I highly recommend that you put yourself in a comfortable position and apply the changes described below in a test/lab environment before you deploy the changes into the production environment.


Before you uninstall the last Exchange Server from your on-premises Exchange organization, ensure that you

  • Updated the Active Directory Schema Version to Exchange Server 2019 CU5
  • Prepare the Active Directory and all domains in the Active Directory Forest that contain Exchange objects
  • Ensure that there are not pre-Windows 2019 domain controller in use, and patch all domain controller to the March 2020 release
  • Install the new EXORemote Windows Feature 
PS C:\> Get-WindowsFeature

Display Name                                            Name                       Install State
------------                                            ----                       -------------
[ ] Active Directory Certificate Services               AD-Certificate                 Available
    [ ] Certification Authority                         ADCS-Cert-Authority            Available
    [ ] Certificate Enrollment Policy Web Service       ADCS-Enroll-Web-Pol            Available
    [ ] Certificate Enrollment Web Service              ADCS-Enroll-Web-Svc            Available
    [ ] Certification Authority Web Enrollment          ADCS-Web-Enrollment            Available
    [ ] Network Device Enrollment Service               ADCS-Device-Enrollment         Available
    [ ] Online Responder                                ADCS-Online-Cert               Available
[ ] Active Directory Domain Services                    AD-Domain-Services             Available
[ ] Active Directory Federation Services                ADFS-Federation                Available
[ ] Active Directory Lightweight Directory Services     ADLDS                          Available
[ ] Active Directory Rights Management Services         ADRMS                          Available
    [ ] Active Directory Rights Management Server       ADRMS-Server                   Available
    [ ] Identity Federation Support                     ADRMS-Identity                 Available
[ ] Device Health Attestation                           DeviceHealthAttestat...        Available
[ ] DHCP Server                                         DHCP                           Available
[ ] DNS Server                                          DNS                            Available
[ ] Exchange Online Remote Features                     EXORemote                      Available
[ ] Fax Server                                          Fax                            Available
[X] File and Storage Services                           FileAndStorage-Services        Installed
    [X] File and iSCSI Services                         File-Services                  Installed
        [X] File Server                                 FS-FileServer                  Installed
        [ ] BranchCache for Network Files               FS-BranchCache                 Available
[...]

 

PS C:\> Install-WindowsFeature -Name EXORemote

Display Name                                            Name                       Install State
------------                                            ----                       -------------
[ ] Active Directory Certificate Services               AD-Certificate                 Available
    [ ] Certification Authority                         ADCS-Cert-Authority            Available
    [ ] Certificate Enrollment Policy Web Service       ADCS-Enroll-Web-Pol            Available
    [ ] Certificate Enrollment Web Service              ADCS-Enroll-Web-Svc            Available
    [ ] Certification Authority Web Enrollment          ADCS-Web-Enrollment            Available
    [ ] Network Device Enrollment Service               ADCS-Device-Enrollment         Available
    [ ] Online Responder                                ADCS-Online-Cert               Available
[ ] Active Directory Domain Services                    AD-Domain-Services             Available
[ ] Active Directory Federation Services                ADFS-Federation                Available
[ ] Active Directory Lightweight Directory Services     ADLDS                          Available
[ ] Active Directory Rights Management Services         ADRMS                          Available
    [ ] Active Directory Rights Management Server       ADRMS-Server                   Available
    [ ] Identity Federation Support                     ADRMS-Identity                 Available
[ ] Device Health Attestation                           DeviceHealthAttestat...        Available
[ ] DHCP Server                                         DHCP                           Available
[ ] DNS Server                                          DNS                            Available
[X] Exchange Online Remote Features                     EXORemote                      Installed
[ ] Fax Server                                          Fax                            Available
[X] File and Storage Services                           FileAndStorage-Services        Installed
    [X] File and iSCSI Services                         File-Services                  Installed
        [X] File Server                                 FS-FileServer                  Installed
        [ ] BranchCache for Network Files               FS-BranchCache                 Available
[...]

 

Even though not explicitly stated, you should restart the server after installing the Windows feature.

 

Modern EXO Exchange Admin Center - New Management Server

 

As part of the next AAD Connect synchronization cycle, the magic happens.

  • The added EXO modern management server is validated
    • You'll see an error sign in Modern Exchange Admin Center if the validation has failed
  •  Azure AD removes the "on-premises"-lock from the Exchange related attributes, so you can start managing these attributes in EXO
  • The Exchange hybrid configuration object is set to "Modern Coexistence", ensuring that a newly added on-premises Exchange Server will not interfere with the setup

 

Verify that you can edit the Exchange related attributes of synchronized Active Directory objects in Exchange Online or Azure AD before you remove your last Exchange Server. 

Whey ready to uninstall the last Exchange Server you must use the following command line parameters to remove the server as intended. Otherwise, you'll leave the Exchange organization in an inchoate state. Ensure that you use an administrative PowerShell session. 

./Setup.exe /mode:uninstall /SwitchToMEMA /IAcceptExchangeOnlineLicenseTerms

Normally, you do not have to accept license terms when uninstalling Exchange Server, but in this case, you have to accept the Exchange Online license terms.

 

Prerequisites

  • Windows Server 2019 Desktop Experience Editon or Core Edition, March 2020 Update
    Core Edition recommended
  • Azure AD Connect, release 1.4.38.0
  • Exchange Server 2019 CU5, as the last Exchange Server

 

Links

 

Enjoy the modern experience and management options of Exchange Online!

 


Exchange Conferences

Read More »

Logo Azure ADAzure AD Pass-through authentication (PTA) recommends that you run at least three authentication agents to provide high availability for authentication. 

When you download and install the PTA agent, registering the PTA agent to Azure AD might fail. This happens most of the time when the network connectivity to Azure AD requires the use of a proxy server. In such a network setup you normally encounter configuration errors only, if the proxy server is misconfigured or the Internet Explorer zone configuration is missing required entries for trusted sites.

When you encounter an error during installation and registration of the dedicated PTA agent I recommend to separate these two steps. You need the credentials of an Azure AD account that is a member of the Global Administrator management group.

  1. Download the most current release of the PTA agent: https://aka.ms/getauthagent
  2. Copy the downloaded file to the server that will serve as a PTA agent
  3. Open an administrative command prompt and install the PTA agent software in silent mode without registering the agent:
AADConnectAuthAgentSetup.exe REGISTERCONNECTOR="false" /q
  1. Open an administrative PowerShell session, navigate to the default installation location and register the PTA agent manually
# navigate to the default installation location
cd "C:\Program Files\Microsoft Azure AD Connect Authentication Agent"

# enter the global admin credentials
$cred = Get-Credential

# register the PTA agent using the RegisterConnector.ps1 script
# multiline example
.\RegisterConnector.ps1 `
-ModulePath "C:\Program Files\Microsoft Azure AD Connect Authentication Agent\Modules\" `
-ModuleName "PassthroughAuthPSModule" `
-AuthenticationMode Credentials ` 
-UserCredentials $cred `
-Feature PassthroughAuthentication

# single line example
.\RegisterConnector.ps1 -ModulePath "C:\Program Files\Microsoft Azure AD Connect Authentication Agent\Modules\" -ModuleName "PassthroughAuthPSModule" -AuthenticationMode Credentials -UserCredentials $cred -Feature PassthroughAuthentication

 

The Azure AD Pass-through agent Quickstart documentation has an example for automating the installation of the PTA agent as part of a server provisioning process. The current example references the wrong PowerShell module named AppProxyPSModule. The most recent release of the PTA agent does not contain a PowerShell module by that name. Use the PowerShell module PassthroughAuthPSModule, as shown in the PowerShell example shown above.

 

Links

 

Enjoy Azure AD!

 

 

Read More »

On May 11th, the SharePoint Saturday Cologne took place at the new Microsoft Office in Cologne. 

My session covered the migration of legacy public folders from Exchange Server 2010 to modern public folders hosted on-premises or Exchange Online. Additionally, I've talked about the pros and cons of a migration to Office 365 Groups and Microsoft Teams.

The slide deck is available on SlideShare.

 

 

 

Enjoy Exchange Server and do not forget about the end of support for Exchange Server 2010 on January 14th, 2010.

 

 

 

Read More »

Exchange Server 2016Exchange Server 2013Description

This script connects either to Exchange Online or to a dedicated on-premises Exchange Server to export configured mailbox delegates and SMTP forwarding configurations.

The SMTP forwarding configurations are gathered from inbox rules and from mailbox forwarding settings.

 

Requirements

  • Exchange Server 2016 or newer
  • Cretenials to logon to Exchange Online and Office 365 when querying EXO mailboxes
  • Utilizes GlobalFunctions PowerShell Module --> http://bit.ly/GlobalFunctions

 

Examples

# Example 1
# Connect to the on-premises Exchange Server mx01.varunagroup.de and export delegation and SMTP forwarding information
 
.\Get-DelegatesAndForwardingRules.ps1 -ExchangeHost mx01.varunagroup.de

# Example 2
# Connect to the on-premises Exchange Server mx01.varunagroup.de, export delegation and SMTP forwarding information and get verbose information on the objects worked on

 .\Get-DelegatesAndForwardingRules.ps1 -ExchangeHost mx01.varunagroup.de -Verbose 

# Example 3
# Connect to Exchange Online and export delegation and SMTP forwarding information

 .\Get-DelegatesAndForwardingRules.ps1 -ExchangeOnline

 

Version History

  • 1.0, Initial community release

 

Links

Use GitHub Issues to leave comments, requests, end even bugs or issues.

 

Additional Credits

The script is based on the O365-InvestigationTooling script DumpDelegatesandForwardingRules.ps1 by Brandon Koeller
Find more Office 365 investigation tooling scripts at https://github.com/OfficeDev/O365-InvestigationTooling.

 

Follow

 

Read More »

SharePoint Saturday Cologne | 2019-05-11On Saturday, May 11th, the SharePoint Saturday Cologne will take place at Microsoft Office.

My session covers the migration of legacy public folders to modern public folders in the cloud.

Migrating from legacy public folders to modern public folders in Exchange Online is an error-prone process. Especially for Exchange organizations using legacy public folders since the early days. Real world examples from the field will show you how to determine the right migration approach. Additional information will help you to avoid the most common errors when migrating to modern public folders to the cloud. But what about after migrating to the? There is more. Prepare for decommissioning Public Folders by moving content to Microsoft Teams.

 

Links

 

See you in Cologne.

Read More »