What was released?
With the 2022 H1 updates came some significant changes to how you manage and license your Exchange servers in a Hybrid setup.
Exchange Management Tools Update
You don’t need an Exchange Server for management purposes (Management Hybrid) anymore; you can just install the tools on a domain-joined workstation. How cool is that! Finally Microsoft, finally!
Hybrid Experience Updates
Microsoft ended Hybrid licensing for Exchange servers at Exchange 2016. Exchange 2019 no longer allowed you to use the HCW (Hybrid Configuration Wizard) to generate a key for the Exchange server when it was a Hybrid server; you needed a license for it. This was a silly choice in my opinion: people wanted a newer server version for the Hybrid connectivity but didn’t want to pay for it, especially the small and midsize clients.
But now Exchange 2019 in Hybrid is free!
The history with pictures and some notes
Explaining the backstory for the problems this update fixes.
Architecture
Let’s imagine the following situation.
You have an on-premises AD named AD.LOCAL and inside that AD you have Exchange 2013 having mailboxes.
Then you decide to build a new Hybrid server with Exchange 2019 because 2013 or even older versions don’t have all the features you would need, or cannot be updated, etc.
So you end up with this. You will have two Exchange servers and Azure AD Connect to sync the attributes. Of course you could give the two servers the same Service Connection Point (SCP) names, but if your clients were connecting to mail.something.fi and you change it to email.something.fi, the clients could be unhappy, depending on the original Autodiscover configuration.
Migrating to the cloud
Now you have moved the SCPs to the new Hybrid server and fixed all the issues with permissions on shared, resource and user mailboxes; don’t forget the calendars and public folders, rules and mail forwarders, relay connectors for internal devices, and so on.
The list goes on and on. Really, if you haven’t taken good care of your Exchange environments, it will be a mess no matter the reasons.
Public folders
You still have them (most of you do), but Microsoft 365 Groups could be a solution for you.
New glorious server
So, now you have this. All the clients will connect through the new server and it will redirect the requests for users inside the old Exchange because their mailboxes are still there.
Migration
You start the migration, moving users in batches to the cloud. All the devices (except really old tablets) will be happy and will change their settings via the Autodiscover service to the cloud after the TargetAddress attribute changes to point towards EXO.
This will happen in the last 5% of the migration, so the best practice is NOT to automatically complete the batches: check for errors (there will be errors, believe me), fix them and then finish the batch.
The worst thing, in my opinion, is old SIDs inside mailboxes: if there are old SIDs that cannot be translated to UserPrincipalNames, the object that has them will not be migrated. So they have to be fixed.
Here is a script for this job:
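The check-before-complete routine described above, as an added example that is not part of the original post. It assumes an Exchange Online PowerShell session is already open (Connect-ExchangeOnline) and uses the placeholder batch name "Batch-01".

```powershell
# Added example: review a migration batch's failed users before completing it.
# Assumes an open Exchange Online session; "Batch-01" is a placeholder name.
param(
    [string]$BatchName = "Batch-01"   # placeholder, replace with your batch
)

$batch = Get-MigrationBatch -Identity $BatchName
Write-Host ("Batch {0}: status {1}, synced {2}, failed {3}" -f `
    $batch.Identity, $batch.Status, $batch.SyncedCount, $batch.FailedCount)

# Collect every failed user together with its error text, so each one can be
# fixed (unresolvable SIDs, bad permissions, ...) before the batch is completed.
$failed = @(Get-MigrationUser -BatchId $BatchName -Status Failed)
$report = foreach ($u in $failed) {
    $stats = Get-MigrationUserStatistics -Identity $u.Identity
    [pscustomobject]@{
        User         = $u.Identity
        ErrorSummary = $stats.ErrorSummary
        Error        = $stats.Error
    }
}
$report | Format-Table -AutoSize -Wrap

# Complete only when the batch is fully synced and nothing is in a failed state;
# otherwise stop here and let the admin fix the listed users first.
if ($failed.Count -eq 0 -and $batch.Status -eq 'Synced') {
    Complete-MigrationBatch -Identity $BatchName -Confirm:$false
    Write-Host "Batch $BatchName completed."
} else {
    Write-Warning "Batch $BatchName NOT completed: status $($batch.Status), $($failed.Count) failed user(s)."
}
```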
```powershell
# Fix-LegacyPerm.ps1
# Please run this script first in audit mode (the default, -AuditOnly $true) and check the
# log file so that it will remove only the permissions you wish.
# Syntax:  .\Fix-LegacyPerm.ps1 -AuditOnly $false -Import C:\users.csv
# Use -Import to read mailboxes from a .csv file (needs a "UserPrincipalName" column) or to
# name a single mailbox by SMTP address; without -Import all mailboxes are processed
# (Get-Mailbox -ResultSize Unlimited).
Param (
    [string]$Import = "",
    [bool]$AuditOnly = $true
)

# Where do you want your log files
$Logfile  = "C:\temp\Logs\PermFIX\Removed-FolderPerm.txt"   # permissions removed (or, in audit mode, that would be removed)
$Logfile2 = "C:\temp\Logs\PermFIX\LIST_AllFolderPerm.txt"   # every folder permission seen
$Logfile3 = "C:\temp\Logs\PermFIX\PROGRESS_FolderPer.txt"   # progress per mailbox
New-Item -ItemType Directory -Path (Split-Path $Logfile) -Force | Out-Null

Write-Host "Getting info, please wait ... "
Switch -Wildcard ($Import) {
    "*.csv" { $Mailboxes = Import-Csv $Import; Write-Host "$Import file selected"; Break }
    "*@*"   { $Mailboxes = Get-Mailbox -Identity $Import; Write-Host "$Import selected"; Break }
    default { $Mailboxes = Get-Mailbox -ResultSize Unlimited; Write-Host "all Mailboxes selected"; Break }
}
Write-Host "......"
$Mailboxes = @($Mailboxes)   # so .Count works even for a single mailbox
$i = 0

# Getting users
Foreach ($Mailbox in $Mailboxes) {
    $UPN = $Mailbox.UserPrincipalName
    $i = $i + 1
    If ($Mailboxes.Count -gt 1) {
        # PROGRESS BAR
        Write-Progress `
            -Activity ("Scanning " + $Mailboxes.Count + " Mailboxes for folder permissions.") `
            -Status ("Currently Scanning... " + $i + "> " + $UPN) `
            -PercentComplete ($i / $Mailboxes.Count * 100)
    }
    Else { Write-Host "Skip Progress bar, only one mailbox" }

    # Getting folders
    $Folders = Get-Mailbox $UPN | Get-MailboxFolderStatistics
    Foreach ($Folder in $Folders) {
        If ($Folder.FolderPath -eq $null) {
            Write-Host "Folder $($Folder.Name) not found for user $UPN" -ForegroundColor Red
            continue
        }
        # Converting FolderPath to the right format: "/Inbox/Sub" -> "user@domain:\Inbox\Sub"
        $Dirpath = $Folder.FolderPath -replace "/", "\"
        $FP = "$UPN" + ":" + "$Dirpath"

        # Write all permissions to log
        Add-Content $Logfile2 "----------------------"
        Add-Content $Logfile2 "$FP"
        $Perm = Get-MailboxFolderPermission -Identity $FP -ErrorAction SilentlyContinue
        Add-Content $Logfile2 $Perm.User

        # Getting legacy permissions: entries whose user no longer resolves and shows only a
        # SID ("NT:S-1-5-..." and its Finnish/Swedish localized forms), plus the author's
        # test account "mikon.testi"; adjust the list to your own environment.
        $OldUsers = $Perm | Where-Object {
            $_.User -match "mikon.testi" -or
            $_.User -match "NT:S-" -or
            $_.User -match "NT USER:S-" -or
            $_.User -match "NT-käyttäjä:S-" -or
            $_.User -match "NT-användare:S-"
        }
        Foreach ($User in $OldUsers) {
            If ($User -eq $null) {
                Write-Host $User "why this?"   # What is this?
                continue
            }
            # Keep the legacy entry in its own variable; $UPN is still needed to build $FP for the next folder
            $LegacyUser = $User.User.ToString()
            # Remove legacy permissions and write these to log
            If ($AuditOnly -eq $false) {
                Add-Content $Logfile "Folder $FP"
                Add-Content $Logfile "Remove $LegacyUser"
                Add-Content $Logfile "----------------------"
                Write-Host "Remove $LegacyUser from: $FP " -ForegroundColor DarkMagenta
                Write-Host "audit FALSE removing $LegacyUser"
                Remove-MailboxFolderPermission -Identity $FP -User $LegacyUser -Confirm:$false
            }
            Else {
                Add-Content $Logfile "AUDIT Folder $FP : would remove $LegacyUser"
                Write-Host "AuditOnly is TRUE, $LegacyUser written to log only"
            }
        }
    }
    # Write progress to log
    $Count = $Mailboxes.Count
    $completePercent = "$i/$Count"
    Add-Content $Logfile3 "$completePercent $UPN"
}
```
Users are in the cloud
When you finally get there, you could use dynamic groups to automatically assign licenses, Conditional Access etc., right after the user’s TargetAddress has been changed inside the on-premises AD.
Empty server with a purpose
All users are in the cloud, but because you have Azure AD Connect and the source of authority is the on-premises AD, you have to manage the users from there when you have a Hybrid setup.
You could think “I will handle the attributes with ADSI Edit or from Advanced Features”; you could, but it was never supported by Microsoft.
So you need the Management Hybrid Exchange server for handling the attributes for users and cloud mailboxes.
But wait, not anymore!
How does it change?
Move MX-records to cloud
If you used Centralized mail flow until this point, move your mail exchanger records towards the cloud.
Why, you ask?
First and most of all, because soon you will put the last Exchange server to sleep and you will lose any means of receiving mail on-premises.
But also because it’s the recommended approach and EOP is an excellent forefront for the mails.
What is EOP?
- EOP uses several URL block lists that help detect known malicious links within messages.
- EOP uses a vast list of domains that are known to send spam.
- EOP uses multiple anti-malware engines that help to automatically protect our customers at all times.
- EOP inspects the active payload in the message body and all message attachments for malware.
- For recommended values for protection policies, see Recommended settings for EOP and Microsoft Defender for Office 365 security.
- For quick instructions to configure protection policies, see Protect against threats.
See more info on MSFT https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/exchange-online-protection-overview?view=o365-worldwide#eop-features
One of my favorites is ZAP (Zero-hour auto purge). It is a detonation chamber for the message: it will initiate a sandbox environment for testing, and when the analysis is done the sandbox is removed completely. When the next message comes, the process starts all over again.
ZAP is actually part of Defender for Office 365, which contains all the security features with Exchange Online Plan 2, but the same sandbox is used for Defender for Endpoint also.
Time to remove the last server
But You Can’t
But you can’t; you will just shut it down, not uninstall it and not remove it.
Why, you ask?
At install time Exchange extends the AD schema with its own attributes, and yes, there are a lot of them.
If you remove them, you will lose control of the mailbox attributes that you need to manage with that shiny new domain-joined workstation (which has the Exchange Management Tools) that you now have.
And when you finally do demote the last Exchange server, please uninstall it; don’t just remove it, or you will only cause problems for yourself or others.
When no Exchange attributes are needed anymore, you should also unextend the AD schema.
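A readiness check for the two points above (MX records moved to the cloud, and no mailboxes left before the last server is shut down), as an added example that is not part of the original post. It assumes an on-premises Exchange Management Shell session, takes the domains from Get-AcceptedDomain, and treats any MX host under mail.protection.outlook.com as EOP.

```powershell
# Added example: checks to run before shutting down the last on-premises Exchange server.
# Assumes an on-premises Exchange Management Shell; domains come from Get-AcceptedDomain.

# 1. Every accepted domain's MX records should point to Exchange Online Protection
$mxReport = foreach ($d in Get-AcceptedDomain) {
    $name = $d.DomainName.ToString()
    # Resolve-DnsName also returns additional A records, so keep only the MX entries
    $mx = Resolve-DnsName -Name $name -Type MX -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'MX' } | Sort-Object Preference
    [pscustomobject]@{
        Domain      = $name
        MxHosts     = ($mx.NameExchange -join ', ')
        PointsToEOP = [bool]($mx | Where-Object NameExchange -like '*.mail.protection.outlook.com')
    }
}
$mxReport | Format-Table -AutoSize

# 2. No user, shared or resource mailbox may remain on-premises
#    (Get-Mailbox already skips arbitration and monitoring mailboxes; skip discovery too)
$onPrem = @(Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.RecipientTypeDetails -ne 'DiscoveryMailbox' })
if ($onPrem.Count -gt 0) {
    Write-Warning ("{0} mailbox(es) still on-premises, migration is not finished:" -f $onPrem.Count)
    $onPrem | Select-Object DisplayName, RecipientTypeDetails, ServerName | Format-Table -AutoSize
} else {
    Write-Host "No user mailboxes remain on-premises." -ForegroundColor Green
}

# 3. Decision: proceed only if every domain's MX is in EOP and no mailbox is left
$badMx = @($mxReport | Where-Object { -not $_.PointsToEOP })
$ready = ($badMx.Count -eq 0) -and ($onPrem.Count -eq 0)
if ($badMx.Count -gt 0) {
    Write-Warning ("MX not yet in EOP for: " + ($badMx.Domain -join ', '))
}
Write-Host ("Ready to shut down the last server: {0}" -f $ready)
```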
Microsoft official instructions
The final architecture
Finally you will have this, or at least a similar design.
Update today!
It will make your life a lot easier as an Exchange admin.
And if you weren’t yet convinced, Exchange 2019 now supports Windows Server 2022.
CU12 also introduces support for running Exchange Server 2019 on Windows Server 2022 and in environments that use Windows Server 2022 Active Directory servers.
Support for Exchange Server and Windows Server 2022 is detailed below and documented in the Exchange Server supportability matrix along with details on other Exchange Server operating system support.
Exchange Server Version | Windows Server 2022 OS | Windows Server 2022 AD
Exchange Server 2019    | Supported              | Supported
Download here
- Exchange Server 2019 Cumulative Update 12 (KB5011156), VLSC Download, Download
- Exchange Server 2016 Cumulative Update 23 (KB5011155), Download, UM Lang Packs