The Mystery Begins:
There seems to be a common misconception with Office 365 migrations that once the final mailbox has been migrated to Exchange Online, you simply decommission and remove all the on-premise Exchange servers including the Hybrid Exchange server. While this is technically very possible, in most cases you would want to leave at least one Hybrid Exchange server on-premise for managing the users.
The reason for this is simply Active Directory synchronization (DirSync). If you plan to keep AD synchronization running so you do not have to manage users and passwords both on-premise and in O365, then keeping an Exchange Hybrid server on-premise is necessary to manage the mailboxes.
When DirSync is enabled for a tenant and a user is synced from the on-premise environment, you cannot manage many of the attributes from Exchange Online. If you try to edit a user’s email address setting in Exchange Online, you will get an error message like the one below:
Figure 1: Error when attempting to change email address of synced user in O365
The correct method would be to simply make the adjustment to the user’s email address in the on-premise Exchange Hybrid server. Then the change will synchronize to O365 to make the adjustment in Exchange Online.
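One way to make that on-premise change from the Exchange Management Shell on the Hybrid server, as an added example that is not part of the original article. `Add-SyncedAlias` is a hypothetical helper, and the user and address values are constructed placeholders.

```powershell
# Added example. Run in the Exchange Management Shell on the on-premises Hybrid server.
# Add-SyncedAlias is a hypothetical helper; identities and addresses are placeholders.
function Add-SyncedAlias {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Identity,
        [Parameter(Mandatory = $true)][string]$Address,
        [switch]$MakePrimary
    )

    # A migrated, synced user is represented on-premises as a remote mailbox.
    $rm = Get-RemoteMailbox -Identity $Identity -ErrorAction Stop
    $current = @($rm.EmailAddresses | ForEach-Object { $_.ToString() })

    if ($MakePrimary) {
        if ($current -ccontains "SMTP:$Address") { Write-Verbose 'Already primary.'; return $rm }
        if ($PSCmdlet.ShouldProcess($Identity, "Set primary SMTP address to $Address")) {
            # PrimarySmtpAddress can only be set once the e-mail address policy
            # no longer manages this recipient, so the policy is switched off for it.
            Set-RemoteMailbox -Identity $Identity -EmailAddressPolicyEnabled $false `
                -PrimarySmtpAddress $Address -ErrorAction Stop
        }
    }
    elseif ($current -contains "smtp:$Address") {
        # -contains is case-insensitive, so this matches a primary or secondary entry.
        Write-Verbose 'Address already present.'; return $rm
    }
    elseif ($PSCmdlet.ShouldProcess($Identity, "Add secondary address $Address")) {
        # The hashtable form appends to the list instead of replacing it.
        Set-RemoteMailbox -Identity $Identity -EmailAddresses @{ Add = "smtp:$Address" } -ErrorAction Stop
    }

    # Return the on-premises view; this is what directory synchronization exports.
    Get-RemoteMailbox -Identity $Identity |
        Select-Object Name, PrimarySmtpAddress, EmailAddressPolicyEnabled, EmailAddresses
}

# Preview first, then apply (constructed sample values):
Add-SyncedAlias -Identity 'jdoe' -Address 'jdoe.sales@contoso.example' -WhatIf
Add-SyncedAlias -Identity 'jdoe' -Address 'jdoe.sales@contoso.example'

# Next, on the synchronization server, either wait for the scheduled cycle or start one:
#   Start-OnlineCoexistenceSync                # legacy DirSync tool
#   Start-ADSyncSyncCycle -PolicyType Delta    # Azure AD Connect
# Then confirm in an Exchange Online PowerShell session:
#   Get-Mailbox -Identity 'jdoe' | Select-Object IsDirSynced, EmailAddresses
```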
In this section, we will look at a couple of common O365 Hybrid deployments and explain why they would or would not keep their on-premise Hybrid Exchange server.
Scenario One: Migrations Complete & No Need for DirSync
This organization has completed their mailbox migration to Exchange Online and they no longer need to synchronize their on-premise users/passwords with O365.
Scenario One Conclusion: Decommission Exchange Hybrid
With all users migrated to Exchange Online and no need for DirSync moving forward, you can safely decommission the on-premise Exchange Hybrid server and disable DirSync.
Figure 2: All users migrated to O365 and no need for DirSync
Scenario Two: Migrations Complete & Keeping ADFS and DirSync
In this scenario, the user migrations to O365 have been completed and they want to decommission all of the on-premise Exchange servers, including the Hybrid servers. However, the organization plans to keep ADFS in place for SSO.
Scenario Two Conclusion: Keep Exchange Hybrid
Since the organization is planning to keep ADFS in place, they will also have to keep DirSync. With directory synchronization enabled, they will not be able to manage Exchange objects exclusively in Exchange Online and will need to keep at least one on-premise Exchange Hybrid server for management of the mailboxes.
Figure 3: All users migrated to O365, but plan to keep ADFS which requires DirSync
Scenario Three: Migrations Complete & Using Hybrid for SMTP relay
In this scenario, the user migrations to O365 are complete but the Hybrid Exchange server is still being used by applications, printers and other objects for SMTP relay.
Scenario Three Conclusion: Keep Exchange Hybrid
With the on-premise Hybrid Exchange server in place, you can still leverage it for SMTP relay without having to set up separate IIS/SMTP relays and take up more O365 licenses. This scenario would also assume that directory synchronization would stay in place, eliminating the need to manage user accounts and passwords in two locations.
Conclusion & Recommendations:
Most of the time organizations would want to keep Exchange Hybrid since DirSync and ADFS will remain in the environments. So, unless you are planning to move away from managing user credentials and SSO from on-premise, you will want to keep a Hybrid Exchange server. However, this does not mean you must keep all Exchange servers active in your environment. You can decommission all on-premise Exchange servers except the Hybrid Exchange server. Keep in mind the Hybrid Exchange server does not have to be given a lot of CPU, memory or HDD resources if all users have been migrated to O365. Also, the server license required for the on-premise Hybrid Exchange server is included with E1 and above licensing.
About the Author
Travis Hall is a Microsoft Solutions Consultant at Arrow Systems Integration with specific focuses in Windows Server Infrastructure, Exchange, Active Directory, Direct Access, Office 365 and much more.
Travis has over 10 years of experience in the IT industry helping customers solve technical and business problems with technology. He has experience in a variety of roles including sales, web development, systems engineering and consulting. His experience in IT environments ranges anywhere from small-midsize business (SMB) to large enterprise.