Can I place my Exchange hybrid management server in Azure and use Azure Domain Services?

As some might know (although I and others have to repeat this regularly…), if you enable directory synchronization from your on-premises Active Directory (AD) and you migrate all your Exchange mailboxes to Exchange Online, you still require an on-premises Exchange server to manage mail(box) objects. That is the only supported way to do it, even though some use third-party tooling or ADSI Edit. Luckily this managing Exchange server doesn't require the same amount of resources as Exchange servers hosting actual production mailboxes, and in certain cases you can get a free "hybrid" license, limiting costs. Still, it is operational overhead that a lot of organizations want to minimize. While Microsoft has indicated that it is actively working on removing this requirement (see PowerPoint slide 36), it will probably take a long time before we can enjoy that new reality.

What to do in the meantime? Some organizations are looking at Microsoft Azure to host that specific Exchange management server. That has the benefit of not requiring resources in the organization's own (on-premises) datacenters. So, is that a viable solution?

Exchange VMs have been supported in Azure for a while now, with the explicit support statement that storage for databases, transaction logs and transport logs requires Azure Premium Storage. As this Exchange server won't host mailboxes or act as a relay server, you probably don't need that pricey option, which makes it potentially financially attractive (compared to a full-fledged Exchange deployment in Azure hosting mailboxes).

Azure VMs can also benefit from Azure Active Directory Domain Services. What is Domain Services? In short, it is a managed domain, populated from your Azure AD, that answers LDAP, Kerberos and NTLM authentication requests; this is especially useful when you have Azure VMs that need to be domain joined. Could you domain join that Exchange Azure VM via Domain Services, with the potential ultimate goal of completely removing your on-premises AD environment?

Unfortunately, the answer is no. While you can domain join a Windows VM to Azure AD Domain Services, adding an Exchange server (or updating an existing one) requires an AD schema update and Enterprise Admins/Domain Admins permissions (plus Schema Admins for the schema extension itself). Azure AD Domain Services does not provide those, as it is a managed service and not a full-featured AD instance: you cannot extend the schema, and administrators of the managed domain are not members of Domain Admins or Enterprise Admins. Actually, this limitation is explicitly mentioned in a small note in the Exchange 2016 dev/test environment in Azure article. This means you would have to add a Domain Controller VM next to the Exchange server, or create a VPN between the Azure VMs and your on-premises (AD) servers. Remember, Exchange requires a writeable Global Catalog in the same AD site.
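As an added example (not part of the original post), the following PowerShell pre-flight check answers, from a domain-joined VM, the three questions this paragraph raises before you try to run Exchange setup: is there a writable Global Catalog in the computer's AD site, does the current account hold the Enterprise Admins and Schema Admins memberships the schema update needs, and is the Exchange schema extension (ms-Exch-Schema-Version-Pt) already present. It uses only System.DirectoryServices, so it needs no RSAT module; the function name is my own, and it reports the rangeUpper value as-is rather than mapping it to an Exchange build.

```powershell
# Added example, not from the original post. Pre-flight check run from a
# domain-joined Windows VM (for instance one joined to Azure AD Domain Services)
# before attempting Exchange setup. The function name is an assumption of mine.
function Test-ExchangeDeploymentPrereqs {
    [CmdletBinding()]
    param()

    Add-Type -AssemblyName System.DirectoryServices

    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $site   = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()

    # 1. Writable Global Catalog in this computer's AD site.
    #    The server object's serverReference points at the DC's computer account;
    #    writable DCs have primaryGroupID 516 ("Domain Controllers"), RODCs 521.
    $writableGCs = foreach ($dc in $domain.DomainControllers) {
        if ($dc.SiteName -eq $site.Name -and $dc.IsGlobalCatalog()) {
            $computerDn = $dc.GetDirectoryEntry().Properties['serverReference'].Value
            $pgid = [int]([ADSI]"LDAP://$computerDn").Properties['primaryGroupID'].Value
            if ($pgid -eq 516) { $dc.Name }
        }
    }

    # 2. Does the forest schema already carry the Exchange extension?
    #    ms-Exch-Schema-Version-Pt / rangeUpper is what setup compares against the
    #    version it requires; the object is absent in a never-prepared schema.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNC = $rootDse.schemaNamingContext.Value
    $exchPath = "LDAP://CN=ms-Exch-Schema-Version-Pt,$schemaNC"
    $exchSchemaVersion = $null
    if ([System.DirectoryServices.DirectoryEntry]::Exists($exchPath)) {
        $exchSchemaVersion = [int]([ADSI]$exchPath).Properties['rangeUpper'].Value
    }

    # 3. Does the current token carry the forest-root groups setup demands?
    #    Enterprise Admins = <forest root domain SID>-519, Schema Admins = -518.
    #    In an Azure AD DS managed domain administrators sit in "AAD DC
    #    Administrators" instead, so both checks come back False there.
    $rootSidBytes = $forest.RootDomain.GetDirectoryEntry().Properties['objectSid'].Value
    $rootSid      = New-Object System.Security.Principal.SecurityIdentifier($rootSidBytes, 0)
    $identity     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal    = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $isEA = $principal.IsInRole([System.Security.Principal.SecurityIdentifier]"$($rootSid.Value)-519")
    $isSA = $principal.IsInRole([System.Security.Principal.SecurityIdentifier]"$($rootSid.Value)-518")

    $blockers = @()
    if (-not $writableGCs) { $blockers += "No writable Global Catalog in AD site '$($site.Name)'" }
    if (-not $isEA)        { $blockers += 'Current account is not a member of Enterprise Admins' }
    if (-not $isSA)        { $blockers += 'Current account is not a member of Schema Admins (needed for /PrepareSchema)' }

    [pscustomobject]@{
        Forest                = $forest.Name
        Domain                = $domain.Name
        ComputerSite          = $site.Name
        WritableGCsInSite     = @($writableGCs)
        ExchangeSchemaVersion = $exchSchemaVersion   # $null means the schema was never prepared for Exchange
        IsEnterpriseAdmin     = $isEA
        IsSchemaAdmin         = $isSA
        ReadyForExchangeSetup = ($blockers.Count -eq 0)
        Blockers              = $blockers
    }
}

Test-ExchangeDeploymentPrereqs | Format-List
```

Run it under the account you intend to run setup with, because forest-root group memberships only show up in that account's own token. Against an Azure AD DS managed domain you should expect IsEnterpriseAdmin and IsSchemaAdmin to be False and ExchangeSchemaVersion to be empty, which is exactly the blocker the article describes; against a DC VM in Azure or a VPN-connected on-premises forest, the same script tells you whether the site and permissions are in place before setup's own prerequisite checks do.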


TL;DR:  No. You would still require a domain controller.


P.S. The Exchange hybrid server doesn't exist as a separate role; it's still a full-featured Exchange server. But in this scenario it's only used to maintain a hybrid Exchange environment and for management, hence my use of the term "hybrid management server". I know some readers have a pet peeve regarding the use of "Exchange Hybrid Server". You know who you are ;-)

3 comments

  • OK, but what when we have Exchange 2010 on-premises and all mailboxes are in the cloud? We set AutodiscoverSCP to $null and set autodiscover DNS to O365 with a CNAME. Then we remove the hybrid configuration with Remove-hybridconfig and disable IntraOrgConnectors and remove the Send/Receive Connectors (as per https://technet.microsoft.com/en-us/library/dn931280(v=exchg.150).aspx). What if we want to upgrade the on-premises server to Exchange 2016?

    • Dave Stork

      It would basically be the same as every 2010->2016 migration. You would have to set the SCP to $null again and re-run the O365 HCW, perhaps with minimal hybrid as the configuration option. Then manually adjust again to your desired state.

  • Rick

    I have heard that Azure is generally blacklisted and, if you needed to use this server for routing mail to/from Office 365, it will not work. We have a need to route all e-mail to an Exchange server to process corporate e-mail signatures on all internal and external (internet-bound) e-mails and wanted to use an Azure-based hybrid server for this and for management activities. So, our server would need to send e-mail back to our Office 365 tenant but may not be able to due to the blacklisting of Azure servers.
