Can I place my Exchange hybrid management server in Azure and use Azure Domain Services?


As some might know (although I and others have to repeat this regularly…), if you enable directory synchronization from your on-premises Active Directory (AD) and you migrate all your Exchange mailboxes to Exchange Online, you still require an Exchange server to manage mail(box) objects. It is the only supported solution, even though some use third-party tooling or ADSIedit. Luckily this managing Exchange server doesn’t require the same amount of resources as Exchange servers hosting actual production mailboxes. In certain cases you can get a free “hybrid” license, limiting costs. Still, it is a bit of operational overhead that a lot of organizations want to minimize. While Microsoft has indicated that it is actively working on removing this requirement (see PowerPoint slide 36), it will probably take a long time before we can enjoy that new reality.

What to do in the meantime? In some cases organizations are looking at Microsoft Azure to host that specific Exchange management server. That has the benefit of not requiring resources in the organization’s (on-premises) datacenters. So, is that a viable solution?

Exchange VMs have been supported in Azure for a while now, with the express support statement that storage for databases, transaction logs and transport logs requires Azure Premium Storage. As this Exchange server won’t host mailboxes or act as a relay server, you probably don’t need that pricey option, which makes it potentially financially attractive (compared to a full-fledged Exchange deployment on Azure hosting mailboxes).

Azure VMs can also benefit from Azure Active Directory Domain Services. What is Domain Services? In short, it is a managed domain backed by your Azure AD that answers LDAP/Kerberos/NTLM authentication requests, which is especially useful when you have Azure VMs. Could you domain join that Exchange Azure VM via Domain Services, with the potential ultimate goal of completely removing your on-premises AD environment?

Unfortunately, the answer is no. While you can domain join a Windows VM to Azure Domain Services, adding an Exchange server (or updating an existing one) will require an AD schema update and Enterprise/Domain Administrator permissions. Azure AD Domain Services does not provide those options, as it is a managed service and not a full-featured AD instance. Actually, this limitation is explicitly mentioned in a small note in the Exchange 2016 dev/test environment in Azure article. This means you would have to add a Domain Controller VM next to the Exchange server or create a VPN between the Azure VMs and your on-premises (AD) servers. Remember, Exchange requires a writeable Global Catalog in the same AD site.
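As an added pre-flight check (not code from the original post), the following PowerShell script, run on the domain-joined Azure VM you have in mind for the Exchange management server, reports whether the domain it sits in meets the two conditions above: a writable Global Catalog in the VM’s own AD site, and an account that can extend the schema. It assumes the RSAT ActiveDirectory module is installed; the function name and the output property names are my own.

```powershell
# Added pre-flight check; not code from the original post. Run on the domain-joined
# Azure VM intended for the Exchange management server. Needs the RSAT ActiveDirectory
# module. The function and output property names are hypothetical (mine).
Import-Module ActiveDirectory

function Test-ExchangeMgmtServerPrereqs {
    $rootDse = Get-ADRootDSE
    $forest  = Get-ADForest
    $site    = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
    $r = [ordered]@{ Site = $site }

    # 1. Exchange needs a writable Global Catalog in the VM's own AD site.
    $gcParams = @{ Discover = $true; SiteName = $site; Writable = $true
                   Service = 'GlobalCatalog'; ErrorAction = 'SilentlyContinue' }
    $gc = Get-ADDomainController @gcParams
    $r.WritableGCInSite = [bool]$gc
    $r.GlobalCatalog    = if ($gc) { "$($gc.HostName)" } else { $null }

    # 2. Has the forest schema already been extended for Exchange?
    #    ms-Exch-Schema-Version-Pt only exists after Exchange setup has prepared the schema.
    $schemaDn  = "CN=ms-Exch-Schema-Version-Pt,$($rootDse.schemaNamingContext)"
    $schemaObj = Get-ADObject -Identity $schemaDn -Properties rangeUpper -ErrorAction SilentlyContinue
    $r.ExchangeSchemaVersion = if ($schemaObj) { $schemaObj.rangeUpper } else { $null }

    # 3. Could this account extend the schema? That takes a reachable schema master plus
    #    Schema Admins and Enterprise Admins membership, which a managed Azure AD Domain
    #    Services domain does not delegate to tenant administrators.
    $r.SchemaMaster = $forest.SchemaMaster
    $groups = (Get-ADPrincipalGroupMembership -Identity $env:USERNAME -ErrorAction SilentlyContinue).Name
    $r.IsSchemaAdmin     = $groups -contains 'Schema Admins'       # direct membership only
    $r.IsEnterpriseAdmin = $groups -contains 'Enterprise Admins'   # (nested groups not resolved)

    # Verdict as stated in the post: writable GC in the site plus schema-extension rights.
    # Even an already-extended schema may need a further update for a newer CU, so the
    # rights are required either way.
    $r.MeetsPostRequirements = $r.WritableGCInSite -and $r.IsSchemaAdmin -and $r.IsEnterpriseAdmin
    [pscustomobject]$r
}

Test-ExchangeMgmtServerPrereqs | Format-List
```

Against an Azure AD Domain Services managed domain, expect IsSchemaAdmin and IsEnterpriseAdmin to come back false, which is exactly the blocker the post describes.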


TL;DR: No. You would still require a domain controller.


P.S. The Exchange Hybrid server doesn’t exist as a separate role; it’s still a full-featured Exchange server. But in this scenario it’s only used to maintain a Hybrid Exchange environment and for management. Hence my use of the term Hybrid management server. I know some readers who have a pet peeve regarding the use of “Exchange Hybrid Server”. You know who you are ;)

10 comments

  • OK but what when we have Exchange 2010 on-premises and all mailboxes are in the cloud. We set AutodiscoverSCP to $null and set autodiscover DNS to O365 with a CNAME. Then we remove the hybrid configuration with Remove-hybridconfig and disable IntraOrgConnectors and remove the Send/Receive Connectors (as per https://technet.microsoft.com/en-us/library/dn931280(v=exchg.150).aspx). What if we want to upgrade the on-premises server to Exchange 2016?

    Reply
    • Dave Stork

      It would basically be the same as every 2010->2016 migration. You would have to set the SCP to $null again and re-run the O365 HCW again, perhaps with minimal Hybrid as configuration option. Then manually adjust again to your desired state.

      Reply
  • Rick

    I have heard that Azure is generally blacklisted and, if you needed to use this server for routing mail to/from Office365, it will not work. We have a need to route all e-mail to an Exchange server to process corporate e-mail signatures on all internal and external (internet-bound) e-mails and wanted to use an Azure-based hybrid server for this and for management activities. So, our server would need to send e-mail back to our Office 365 tenant but may not be able to due to the blacklisting of Azure servers.

    Reply
    • Paul

      You can get around this by using EOP or another smart host/filtering service such as websense/mimecast

      Reply
  • David Sampson

    If we want an Azure Exchange 2016 server to service client access requests (AutoDiscover, EWS, OWA etc) for on-premises mailboxes whilst migrating to Exchange Online what could we use to reverse proxy these endpoints to the internet? I can't find any mention of using either Azure app gateway or AD App proxy to do this so guess they aren't supported but may work? I know MS's guidance is just to sit Exchange on the internet but this doesn't sit well with security standards.

    Reply
  • Ronald McVicar

    So basically the requirement to have an in-domain "Exchange Management Server" can therefore be an Azure VM? We are running out of vertex disk space and pulling enough disk space together for the on-premise Exchange Management Server means upgrading Vertex, but if we can spin up an Azure VM connected to the on-premise Domain and leverage the Azure VM "Exchange Management Server" this would be more ideal. Moving using 3rd party tools from Exchange 2003 to Office 365.

    Reply
    • Yes, the Exchange server can be an Azure VM. As long as it's fully domain joined, so either via an Azure VM DC or a Site-2-site connection to your on-prem AD. Basically you only need it to edit AD attributes, but the Exchange tools are currently the only supported way.
      If the Exchange server isn't used for SMTP relay, you probably can lower the CPU/Memory requirements quite a lot. But be prepared to at least get it to a minimum supported configuration when issues arise.
      Unfortunately, during Ignite 2019 Microsoft couldn't give a timeline on when we can get rid of that last Exchange server…

      Reply
  • Dave

    Thanks this is a great post!

    How accurate is this article today? It's Mid-2020 now, and this was written in 2017. Any updates to Azure/O365/Ex2016/Ex2019 that would make this a little more friendly? I've got an on-prem Ex2010 environment I need to get rid of now that the mailboxes have been moved to O365.

    One thing you didn't address is fault tolerance. Normally, I'm against doing a single server for anything as it provides no fault tolerance, but is there a need for more than 1 Exchange server to manage mailboxes if that is all it's doing? I don't need highly available from an uptime perspective. I'm more concerned about someone accidentally deleting the VM (for example). How difficult would it be to stand up a replacement server?

    You have to love that MS is all about pushing you to the cloud, but really offers very little for published guidance on how to upgrade the mess left behind on-prem that they still require. Thanks again!

    Reply
    • Hi Dave, thanks for the kind words!

      Unfortunately, you still need an Exchange server when you have directory synchronization in place. It's the only supported way to manage synced mail objects. Microsoft is still working on removing this requirement, but it's proven to be technically challenging. We will possibly learn the status during the upcoming Microsoft Ignite (virtual and possibly free?)

      The basic premise of the post is still valid; you still need an Exchange server for object management and you cannot use Azure Domain Services for just an Exchange server in Azure. A domain controller VM is still required. And unfortunately, when directory synchronization is enabled an on-prem Exchange server (or the technical equivalent in Azure) is the only supported way to manage synced mail objects.

      Regarding fault tolerance: It depends on your environment, if you need to manage objects within the time period you are able to recover that Exchange server (example: your org needs changes every hour, but it takes your org 2 hours to fully restore the server). In those cases, a second one is a business need you need to fill.
      Do remember that there is a recovery install mode that recovers most (important) settings from Active Directory, DO NOT RESTORE A VM SNAPSHOT! Take that recovery time into account in these requirements; probably best to train yourself in Exchange recovery installs. Easy to do in a lab with a DC and an Exchange server (don't combine those, it makes recovery immensely more difficult).

      Reply
