Hiya,

The HCW will connect outbound from the machine it’s ran on, and won’t require a connection inbound from the internet simply to make sure the configuration is updated (e.g. if you make changes or Microsoft need you to re-run it to update, say, Send Connectors after a cert update).

Steve

If we remove https/https from the internet as the article suggest, do we even need to install/maintain the hybrid configuration (other than just keeping an exchange server running for the above mentioned reasons). I don’t see how they hybrid configuration wizard would even connect if the hybrid server is not accessible form the internet on http/https.

Thank you
Pete

Well, yes – that’s what New-RemoteMailbox and Enable-RemoteMailbox do. The UI in the EAC runs those commands.

Installing the fairly dated Windows Server IIS SMTP component will indeed work – and if you are familiar with Exchange 2003 management, it will be a breeze. Why you’ll do that instead of an Exchange 2016 server – mailbox or Edge role – is debatable. Personally, knowing the Microsoft will be coming with a solution here when the time is right – I’d go with a solution that is generally agreed to be the right one – so that anyone with Exchange skills can pick it up and manage it.

I’ll stand by “Need”. “Fully supported” isn’t 100% correct, it’s that doing another way is to quote Microsoft “not supported”. I’d agree that if you buy a tool where the vendor will commit to supporting that aspect can offset the risk, but managing attributes for Mailboxes via ADUC attribute edit or ADSIEdit is not a good strategy unless you are willing to fully take on that support burden yourself and ensure you always ensure every attribute that Exchange would have managed is managed *identically*.

I’ve never struggled to justify why it’s a good idea to remain supported by Microsoft, and customers too small to run an single server for management, should be looking towards going full into Azure AD and removing AD.

Every time this is stated, there’s always debate. But unfortunately it isn’t a debate that has any other answers than:
– Use a server for management, and remain supported
– Carefully select a vendor of a third-party tool to manage attributes, including understanding what their support process will be, should they (for example) miss a change Microsoft make, or implement something incorrectly. – Take on the personal risk of managing the attributes manually (i.e. by hand, or custom script) if it’s you as an IT pro, or as an MSP, if you do that as a service.
In the last two cases, you might need to, at some point, re-install Exchange 2016 (or start the server again) and perform an update from Microsoft to decommission in a specific way. Therefore I or you should be able to, at any point install an Exchange server and manage those recipients without causing any issue or risk. If that’s a worry then the last two options aren’t viable.

Or create the new user and remote mailbox directly within the on-prem Exchange Admin Center assuming you have Exch 2016 (or maybe 2013).

One option is to use the Windows Server IIS SMTP component. You can configure it with some restrictions and then have that one server go through the firewall to the receive connector at Exch Online. Your mileage may very.

“you still need an Exchange Server on premises to manage attributes”

“Need” is a strong word. To be fully supported, per Microsoft, you need the Exchange Server. https://docs.microsoft.com/en-us/exchange/decommission-on-premises-exchange#can-third-party-management-tools-be-used

In reality you can use ADUC’s Attribute Editor tab, PowerShell against AD, or a third-party tool such as Easy365Manager to achieve what you need.

We continue to struggle with justifying to customers the need to have a separate Exchange server, and pay any associated costs with it (e.g., MSP management fees). We have spent many hours debating the supported solution vs the best solution for our customers.