Exchange 2019 Modern Hybrid Installation Questions

BP-7667 136

Plan is to migrate to EOL from EOP 2016. No mailboxes or SMTP connectors will be left on site. EOP will be strictly for management.

I will need to migrate 2016 to 2019 on a temp box, then do another 2019 install on the permanent box that will also host Entra Connect Sync.

The first install on the temp box, I am guessing will be a full install and I will move the 3rd party cert before I decommission the 2016 box.

It is the installation to the permanent box I have questions about. Since it will be pretty much a management only box and the installation on the temp serve will be removed:

Can I install ex2019 with only minimal roles on the perm box?

What roles are required to maintain the modern hybrid management server EOP? Mailbox? CAS?

On the permanent server will I need to do a full install with hybrid until the temp ex2019 server is installed? Then remove the roles I don't need?

Do I really need to have a 3rd party cert for the EOP management server since NO ports will be open to the server?

Do I have a need to keep Split DNS on prem for the autodiscover. or mail. records?

I see that some people say yes and no to the cert in my research. I have not been able to find something on the minimal install of exchange required.

I want to keep the EOP hybrid for a few months to see if I really need it, then when ex2019 goes end of life next year, I can decide what I am going to do since we will likely not want to spend money on maintaining an EOP presence as well as EOL.

3 answers

Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more
Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more
Xintao Qiao-MSFT 3,205 Reputation points Microsoft Vendor

2024-09-23T03:15:23.79+00:00
Hi, @BP-7667

Welcome back to the forum!

I'd like to offer some advice for you planning to migrate from EOP 2016 to EOL and install and configure Exchange 2019 on your persistent servers:

You can install only the minimum roles required for management. In order to maintain a modern hybrid management server EOP, the roles you need include mailbox roles and CAS, which are critical for managing mail flow and client connectivity. You can refer to step 8 in this article Install Exchange Mailbox servers using the Setup wizard | Microsoft Learn

On a permanent server, you need to first do a full installation with a hybrid configuration. Once a temporary Exchange 2019 server is decommissioned, while you can't selectively remove roles, you can disable or retire features that are not needed for management after the migration is stable, an approach that ensures that all necessary components are in place during the transition.

If the server does not have an open port, a third-party certificate is not required, but it is generally recommended to use a third-party certificate for secure communication and administrative purposes. Even if the server is not exposed, having a third-party certificate can help avoid potential problems in internal communication and management tasks.

If all mailboxes have been migrated to Exchange Online and no clients are connected to the on-premises Exchange server, you don't need to maintain split DNS or internal auto-discovery records that point to the on-premises server. However, autodiscovery is still used for some features in hybrid environments. We recommend that you point your autodiscover DNS records to Exchange Online to ensure that clients are connected correctly.

For detailed steps on the minimum installation of Exchange 2019, you can refer to the Exchange 2019 Build Guide. The guide provides detailed steps on how to configure the necessary roles and services Exchange Server 2019 system requirements, Exchange 2019 Requirements, Exchange 2019 Memory Requirements, Exchange 2019 Client Compatibility | Microsoft Learn

If you decide that you no longer need your on-premises Exchange server after a full migration to Exchange Online, you may consider retiring it. However, with Entra Connect Sync, recipient management becomes more complex without an on-premises Exchange server. You can try to manage it with the Exchange recipient management tool without the need for a local full Exchange server Manage recipients in Exchange Server 2019 Hybrid environments | Microsoft Learn

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Please sign in to rate this answer.
BP-7667 136 Reputation points

2024-09-23T16:02:53.4166667+00:00

@Xintao Qiao-MSFT

So during that transition from old server to temp to permanent, I will want to just go ahead and do a full install of 2019 (to include edge transport?) on the temp and permanent servers. Then I can disable the features I don't need.

Not sure how to accomplish this since I can't really find anything on this.

From what I understand, I will need to remove the hybrid connector from Ex2016, then install it on the temp EX2019 server, then do the same for 2019 when I move it to the permanent server. Is this the correct process?

As to the cert, from what is sounds like is that I will just get a cert error when I go to EAC? I can just bypass this error if I want, correct?

As to retiring EOP, I have found a guide:

https://www.alitajran.com/remove-exchange-hybrid-configuration/

However, EVERYONE is recommending pretty much to not get rid of EOP for Hybrid management, this is mostly because Entra Connect/Cloud sync relies on EOP attributes in AD to create users in Entra AD. Seems like a very messy solution and has all of the potential for on prem AD to have lots of orphaned or exploitable attributes left. Not to mention the costs of maintaining a server (extra hardware costs) and software onsite (MS Server std, and EX licensing is not cheap). Some say to just turn it off and never boot it again unless you need to, but you will have to bring it up to migrate things when software is End of Life or needs to be updated.

Would be nice to just have a feature that could be installed on a DC that would extend the AD for these attributes and allow for those fields during user creation. Or maybe have the Entra Connect/Cloud Sync extend the AD for these attributes.

From what I understand the following are the AD attributes that are used in creation of an Entra ID when syncing from on Prem:

mail (UPN+Domain configured in AD Domainst and Trusts),

mailnickname (alias),

ProxyAddress

It seems like the process of keeping the last exchange server just sets up nothing but a future headache for on prem AD users, as well as MS support trying to keep fitting a square peg in a round hole.

Xintao Qiao-MSFT 3,205 Reputation points Microsoft Vendor

2024-09-25T06:29:16.4533333+00:00

Hi, @BP-7667

This sounds like an important transition, and there are a lot of parts to consider, and I'll give some advice in turn.

1.During the transition from Exchange 2016 to Exchange 2019, it's a good idea to perform a full installation of Exchange 2019 on both temporary and permanent servers, including the roles required for edge transport. After installation, you can disable features that you don't need.

2.Regarding the transition of hybrid connectors, I think you are right. Start by removing the Hybrid Connector from Exchange 2016, install it on a temporary Exchange 2019 server, and repeat it on a permanent Exchange 2019 server after the transition is complete.

3.If the certificate is not trusted, you may encounter a certificate error while accessing the EAC, you can bypass this error, but it is highly recommended to solve the certificate problem to avoid potential security risks.

4.As you said, it is true that maintaining the last Exchange server can be tedious and expensive. Microsoft also recommends that you keep at least one Exchange server for hybrid management as needed, because Entra Connect/Cloud Sync relies on certain Exchange Online Protection (EOP) attributes in Active Directory (AD) to create users in Entra AD, which ensures that directory synchronization, mail flow, and user management continue to work seamlessly. If you remove it, it can lead to complications. However, if all of your mailboxes are on Exchange Online and you don't need to manage users locally, and you don't need directory synchronization or password synchronization, you can safely remove Exchange from your on-premises environment.

How and when to decommission your on-premises Exchange servers in a hybrid deployment | Microsoft Learn

5.We have the same desire. If there is a feature that allows Extra Connect/Cloud Sync to extend AD to include these attributes, it will simplify the process and reduce the need to maintain an on-premises exchange server.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

BP-7667 136 Reputation points

2024-09-25T17:30:27.4533333+00:00

I am guessing that when you said "Exchange Online Protection (EOP)" you meant Exchange on Premise?

Still not finding anything on how to disable features in a full exchange 2019 install. Would I just rerun the installer and remove the roles I don't need? I really am trying to reduce my attack surface as much as possible here by not running anything I don't need to run even though the server will not be accessible from the internet.

I will be following this MS Learn guide and it subsequent articles as well as several other guides for Hybrid:

https://learn.microsoft.com/en-us/exchange/exchange-hybrid

Good to know I can go without the 3rd party cert.

Looking at all the information I currently have, I should probably hold off on removing the last exchange server until I absolutely have to in hopes the MS will produce a better solution, that will not cost us a Server Std and Exchange Licensing. The onsite licensing is what management looks at and wonders why go to the cloud if we have to maintain the server software on site to make it work.

Xintao Qiao-MSFT 3,205 Reputation points Microsoft Vendor

2024-09-27T06:26:28.6366667+00:00

Hi, @BP-7667

More than happy to give you some advice.

1.I understand your confusion. When I mention Exchange Online Protection (EOP), I'm referring to cloud services that provide anti-spam and anti-malware protection. However, in the context of your question, it is more relevant to discuss the properties and features related to Exchange on-premises. Entra Connect/Cloud Sync does rely on certain attributes in Active Directory (AD), which are typically managed by Exchange on-premises. These attributes are critical for directory synchronization, mail flow, and user management.

2.To disable features in a full Exchange 2019 installation, you can indeed re-run the installer and remove the roles you don't need. You can try running the Exchange installer in unattended mode to remove specific roles. Use unattended mode in Exchange Setup | Microsoft Learn

3.Management's concerns about the cost of migrating to the cloud while still maintaining on-premises licenses are legitimate. Hybrid setups do seem a bit contradictory when the goal is to reduce on-premises infrastructure. Keeping servers down and only starting when migrations or updates are needed can help minimize costs and maintenance efforts.

There are a few main reasons to encourage people to move to the Cloud while maintaining on-premises facilities:

a. Security: Cloud providers invest heavily in protecting data and often offer greater security than many on-premise solutions.

b. Disaster recovery: Cloud services often include robust disaster recovery options to ensure that your data is backed up and can be recovered quickly in case of an emergency.

c. Innovation: Cloud platforms often provide access to the latest technologies and innovations, allowing your organization to stay competitive and take advantage of new tools and services.

d. Control and compliance: Keeping certain data or applications on-site can provide more control and help meet compliance requirements that require data to be stored locally.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Xintao Qiao-MSFT 3,205 Reputation points Microsoft Vendor

2024-09-30T09:33:35.8333333+00:00

Hi, @BP-7667

Just wanted to check if the answer shared above helped. If it helped, then would request you to please "Accept the answer" as it would be helpful to others in the community as well.
Sign in to comment

Use comments to ask for clarification, additional information, or improvements to the question.

Share via

Exchange 2019 Modern Hybrid Installation Questions

3 answers

Your answer