Removing The Last Exchange Server: Decommissioning Exchange in a Hybrid Environment
...Technologies, we're very fortunate to have with us our CEO, Rupert Mills ("Hi, Sam"), our Exchange subject matter expert, Gregor Zhu ("Hi, Sam"), and Krome Tech's technical director, Ben Randall ("Hi, Dan"). So we're here to talk about some exciting news with Microsoft Exchange, especially around the hybrid model, and given that I'm surrounded by people who know far more than I do about this subject, it's probably best that I just chuck the technical hot potato over. If you want to grab it first?

Sure, I'll start, because then I can leave you guys to do the real stuff. The interesting bit is that Microsoft have finally announced that you can remove the last Exchange server from your hybrid environment. That's been a topic of conversation for years and years: since people were doing Office 365 migrations in 2013, 2016, all the way up, there's been this conversation of what do we do with this last Exchange server, and you've had to keep it there to administer your environment. What they've now done is finally allowed you to remove that. They've built a tool that you can install on a standalone machine that allows you to remove the final Exchange server and use PowerShell to administer your Exchange environment, or your Office 365 environment, going forwards. That is a big step forward for people trying to retire things out of their estate that they don't need. There are some considerations, and that's where I'll let these guys step in nicely, but there are a lot of people who have been trying to get rid of that last Exchange server for a while.

So perhaps, Greg, you can talk through some of the considerations that you'd have, because I know things like what you're doing for SMTP relay, that sort of stuff, is a big challenge, and the fact that you don't just uninstall it, right?

Yes, so the most important bit is the emphasis on the words "remove it", not "uninstall it". Unfortunately, despite all the promises, you still can't just go into Add/Remove Programs, take it out and go on with your life, because you might end up without your job at the end. So Microsoft did update their Exchange 2019 (only that version) in a way that you can use the management tools only now to keep your hybrid running but get rid of your Exchange. Whether it's physical, whether it's virtual, it doesn't matter: you can shut it down and then gracefully, slowly remove it out of your environment by cleaning up the hybrid things behind it. With Microsoft's help: they created some scripts, they wrote the whole documentation of how to do it properly. But unfortunately it's still not a solution for everyone, so there are some caveats, some things behind it you have to consider before you just go with it, because you might end up with some serious problems at the end.

So I understand that if you just go and uninstall that final Exchange server now, thinking "great, Microsoft are allowing us to do it", it'll basically disconnect the hybrid and you'll end up with orphaned mailboxes in O365 and nothing works any more?

Yes, at least that. Uninstalling Exchange doesn't just remove your hybrid, it also goes into your AD and removes all your Exchange attributes, so pretty much everything that's related to it: your aliases, email addresses, global address lists, everything that's syncing to the cloud, everything that's Exchange related, gone. And it's not so easy getting it back at the end.

So the things you have to consider before going into that scenario, whether it's appropriate to you or not: there are like three or four major things. One obviously is the relays. Nowadays we still have thousands and thousands of companies using those Exchange servers, the last Exchange, for some third-party applications sending emails through Exchange: marketing communications, printers or some other devices. There's a lot of legacy apps in there, because most of them... yes, 365, yes. So that's one of the main things that might push you back a little bit. Obviously Microsoft did introduce a few different solutions to that that you can utilise in the 365 environment; it's not fully there yet, it's not for everyone, and we can talk about the limitations and that experience a bit later.

The other, let's say annoying or problematic thing, I think, for engineers, is if they're not used to dealing with PowerShell. If you go into the scenario of removing the last Exchange, you will end up with the ability to manage your hybrid environment, the whole rich experience on premises and in the cloud, through one single tool, but it's going to be PowerShell. So for all those still sticking to the GUI and nice interfaces, that's gone. But on the other side, PowerShell is the future, so you will have to go with it sooner or later.

Is it worth discussing the reasons that you might end up in a hybrid Exchange? Because it's not just that migration; to end up in hybrid in the first place, obviously you had an Exchange on-prem and you're talking about going to Exchange Online. Is it worth looking at the options that you might have had at that stage, when you decided you were going to do that migration? Because it's not just hybrid, is there? How does this affect the other methods, the staged and cutover migration methods? What are the implications for those?

So we have three or four different methods of migrating to Exchange Online. Which one you use, I'd say historically, is based on what kind of environment you have, what you use, what's the scale that you're talking about, and what you would like to do in the future. Let's start with the simple one: if you are using Google Mail or some other mail software, you can just use the IMAP migration to go to Office 365, and that's pretty much it. The issue you'll see with it is that only email data is migrated: no calendars, no tasks, no contacts. If you have been using Exchange in the past you have three options you can use: cutover migration, staged migration and hybrid.

The staged one, the name implies something else, so I've always found this one confusing myself. It's not a staged migration; it's a kind of legacy hybrid way of migration which is used for Exchange 2003 and 2007.

OK, so that's going to be a very small subset.

Yes, so hopefully someone's done it a long time ago. Yes, but not so much. The other one is cutover; the name implies literally the cutover. You're going to Exchange Online, you take everything you have and you just chuck it into 365.

Right, and so that would take quite a long time, so it's not really suitable for a large number of users because you're going to be offline for the duration?

No, not necessarily. So the cutover migration works in a way that when you initiate it, the synchronisation is going on behind the scenes; users don't even know anything's happening. They still use their on-premises mailboxes, they send and receive emails, and the migration is just syncing behind into 365. Then, when it's done, for the next 60 or 90 days, I think every 24 hours there's an incremental sync happening, so that you can decide what's the most appropriate time for you to cut over.

OK, so there's that cutover, which is a defined moment, so you could do that in a maintenance window?

Yes, most likely that would be a weekend, so that users can get ready; they don't use their mailboxes at the time. There are some issues, I'd say some drawbacks, with this scenario. When you use cutover migration, all those mailboxes from on-premises to the cloud, those users need to be created in the cloud by the process, which means that if those users on premises already have accounts in the cloud for some other reasons, using Teams, using SharePoint and OneDrive, they have to be deleted first.

Right, so that wouldn't work well with something like a directory sync or Azure AD Connect?

No. So if you have Azure AD Sync or the Azure AD Connect service, you have to stop it. You can leave it installed if you want, but you have to stop the sync process, you have to clean the Office 365 tenant so that users don't exist there, and then you can initiate the migration.

OK, and if you do that cutover it's all well and good, but if you had anything that relied on the legacy services for Exchange on-prem, that's going to stop working at the point you cut over, because Exchange goes?

Right, so Exchange still remains on-premises at that time; it's not decommissioned yet, it's not removed. You just start the process of moving mailboxes to the cloud. In theory you can still manually create connectors in the cloud and connect Exchange on-premises for some kind of mail flow if you have some mail relays and so on.

OK, so you can still do that even in a cutover?

Yes, it's not a hybrid, it's a manual solution, nothing else, but you can. Before we go on to the last one, the hybrid one, it's worth mentioning the cutover hard limit is 2,000 users, although, a funny number, 150 is the number that Microsoft recommends not to go above.

All right, sorry, is that saying cutover in my mind is like "we turn everyone off here and everyone on there", or are you talking about a bigger environment where you do that in blocks of 150, or no more than 2,000?

No, so with the cutover there are no blocks. It is literally all or nothing. You initiate the migration from Exchange Online, which connects to your Exchange on-premises using, sorry, using Outlook Anywhere technology, and it just takes all the mailboxes that exist and puts them into a batch for migration. You don't have any ability to say this group and that group.

It's designed for smaller businesses, basically?

Yes, and if you are planning, or if you are not planning, to use Exchange at the end at all any more; if you just want to go fully Office 365, forget about Exchange and that's it. The third version is hybrid, which I'd say is most widely used, not just because of the size of companies but, I would say, also because administrators were a bit afraid of what that cloud brings to them. Because with the hybrid you always have an option: if you go online, you can also go back.

Yeah, you can pick and choose the mailboxes you're going to do, and you'd exist indefinitely in that hybrid with some on-premises, some in the cloud, can't you?

Yes, it gives you an option to slowly migrate. So let's start with our technical director, he's the most brilliant, the smartest one, and let's let him be the rabbit to test the whole Exchange Online. If it's fine, you can continue with the next batch and the next batch and so on; if something's wrong, you can always just migrate them back on premises.

And is that why we moved you first when we did ours?

Yes. Brilliant. Also hybrid is widely used just because it's the most feature-rich experience users can get. It's the only solution that will give you your environments on premises and online; it will connect them into one single environment.

So it's like your free/busy and all that sort of thing?

That's correct. So free/busy, calendar information, goes through; mail tips go through; you can use Microsoft Teams; it gives you also an option for users to remain on premises and just utilise online archiving in the cloud; you have the global address list. So pretty much it creates one single environment with a single point, single access, of managing it. It's also the only way for some companies who are highly regulated or have some compliance requirements to have data on premise, to remain on premise, because obviously Microsoft still doesn't have data centres in each country.

Yeah, or alternatively people where they are geographically in an area where they get a very poor internet connection; they can still use it.

That's correct.

So what you're basically saying is hybrid gives you the most options and the most different things you can do with it. But historically, when you've done the hybrid, you know, in a company that's got a good internet connection and doesn't have compliance restrictions etc., you're still stuck with that last Exchange server, aren't you?

Yes, so the reason behind it is not fully known. Microsoft was promising for years that they would find a way to get rid of the last Exchange server. I still remember one of the Microsoft conferences I've been to, and there was a guy on the podium, he was clapping and explaining: "Yes, Microsoft did it, at the end of this year we can get rid of the Exchange." It's like four years ago, five years ago. Of course the last version of Exchange has been in the pipeline.

Yeah, yes, 2016 was the last, 2019 is the last, was the last, now the vNext is announced, so that's another one coming.

So, but yeah, if you return back to Exchange, we finally now have an option to remove it. As we said, there are some things you have to consider: if you're using SMTP relay; if you're using, we didn't mention, RBAC, role-based access control; if you're using those; and some auditing, if auditing is required for your administrators, what they do on premises. Obviously you need to have mailboxes in the cloud, but if you have all this ready, if your company is ready to go online, you have an option now.

Yeah, so it's interesting, it's not necessarily an option for everyone, even though lots of people have been looking forward to getting rid of that Exchange server. But there's also some other good news: they changed the pricing. Traditionally, up to 2016, the last hybrid server was free, wasn't it, for that management use only?

Yes.

But I believe that's changed for 2019 now, isn't it?

It is, yes. So initially Microsoft promised, or confirmed, that 2016 is the last Exchange server that will have a free hybrid licence, just because they were planning to retire Exchange with the 2019 version and they wanted to force you to go online. Obviously that's not the case just yet, and with Exchange 2016 having already gone into extended support, which ends in 2025, they decided with the latest Exchange 2019 CU12 update that they will give you a hybrid licence for free for Exchange 2019.

So that alone is good news, because you might have a client, somebody who's on 2019, and they think "oh, we're going to keep paying for this, but we want to get rid of it", and they've taken some of the energy out of that requirement.

Yes. Well, I think that at least a part of the reason why Microsoft decided to do that is also, if we take a look at the last year or the last half year, with all the issues and security patches that came out, and Hafnium and so on. Users didn't want to upgrade Exchange just because they would have to pay for it; they stuck with the hybrid version of Exchange. Another issue is the amount of CU updates, quarterly released, plus all the security updates and patches and critical updates and security updates; all those 2016 servers lagged behind.

Yes, keeping up with those updates is quite... it's not so trivial with an Exchange server. It's quite a, I won't say fragile, but a very particular system; you need to test things carefully, and it affects a lot of users if you take things offline.

Well, especially if you imagine having organisations with 20, 30 Exchange servers, and quarterly, every three months, getting the new CU that you would have to test, whether it's all working or not, and then you install it on, I don't know, all 20 servers and then after a week you find out there's a bug, like it did happen with one of the CU updates, and you have to revert it with Microsoft's help. So I think that users stopped, administrators stopped with those updates, and the cost of going to Exchange 2019 was also too high, so they just left it behind. I'd say that's one of the reasons why Microsoft decided, let's give you 2019 for free as well. And with that, Microsoft also changed the servicing model, so there are no more quarterly updates; it will now be biannual, every six months.

OK, which should help with more regular updates and hopefully keeping Exchange a bit more patched up than it was in the past. I guess security is another reason why you'd remove that final Exchange server, because if there are any security holes in Exchange, hopefully not going forwards, but it's one of those things: if you haven't got an Exchange server then there's not going to be a security hole in it, basically.

Sure. If you have Exchange, I mean, you obviously have some options to secure it, by disabling ECP and so on, but at the end it's still one of the most complex systems, one of the most complex applications ever written and rewritten and redesigned and so on, and no matter how much you try to protect it and secure it, there will always be a hole somewhere; someone will find it. And yes, the ability now to remove it and just use the management tools, nothing else, which don't even have to be installed on a server any more (it can just be a domain-joined workstation), it gives you quite a bit.

And presumably that tool can be installed on multiple team members' machines? It's not limited to one install per person or anything?

No, no. So you can install it on pretty much every administrator's machine if you want it, if you have a large environment to manage, or you can just have a server where all administrators connect to and just use the management tools.

Yes, a kind of jump box with your management tools on it.

Yes, OK, a jump box, yeah. It's very straightforward.

Sounds like it. I mean, just thinking from my perspective, and correct me if I'm wrong, there's also this push to get things off premise into the cloud and so on, and Microsoft pushing from 2016 to 2019 and further. Do you think that they're pushing to have everything kind of integrated in the cloud, not just Exchange? En masse they all seem to be pushing towards that model. They're trying to push Exchange forward, but you don't necessarily have to do it just now, and obviously there's a reason, as you mentioned, geographical reasons and so on, but comms is getting cheaper. Do you think the future will simply be that it's all there and we all plug into it?

There's a lot of people building their environments now, if you take it a step further than Exchange and look at Active Directory, there's a lot of people building their environments on Azure AD and not necessarily using an on-prem AD. If you have stuff to administer on-prem then you can do both now. From that perspective, the whole thing is that in a modern connected world, if you have good connectivity, you can build your whole infrastructure, your whole environment, in the cloud, so to speak. But there are a lot of legacy environments out there that don't do that, and I think what Microsoft are realising is that although they want to drive people in that direction, and it makes total sense to drive people in that direction, there'll always be the outlying cases. And I guess until the R&D costs for an on-prem Exchange outweigh the amount of money they can bring in for those outlying cases, there'll always be a case for it. So I think businesses are evolving, connectivity is evolving; I mean, people are putting satellites up now to give connectivity everywhere in the world. It's all those sorts of things that are going to change how it all pans out. We don't know what the future holds in that respect, but certainly right now there are those various outlying cases that mean you need to be able to cater for them. But certainly what you're saying about everything being in the cloud, that's where they're going.

OK, this last question to you all, but probably specifically to you, Greg, let's be honest. Clearly you know a lot about the subject; we've done an awful lot of this for our customers, it's the standard sort of approach that we take with customers. But while we've done a lot of these, customers will be doing it for their first and only time, as it were. What are, and I do this to everyone, like your top three or that sort of stuff, the main gotchas that you think, you know, before you do anything you've got to consider this, this and this?

All right, so we did mention, obviously, the main issue is if you have some applications or devices using your Exchange, you have to think of those. But we also mentioned that Office, or let's say Microsoft, now gives you an option to start using SMTP relay in the cloud. They have three options; not every option is useful for everyone. The most secure one, obviously, is the most challenging one. It's pretty much SMTP authentication, which means that you can set up your device or application or something to authenticate against your Office 365 and then send whatever email you have to send. It gives you an option to send email internally and externally, but on the other side, as I said, it's the most secure and the most challenging one. Microsoft introduced security defaults; they say those security defaults secure and implement some security features in the cloud, in Azure AD, to try to protect your environment, your users, your company, and themselves at the end, by using multi-factor authentication, by locking down the Exchange environment and so on and so on. On the other side, it means that not every application or device is ready for that just yet. So if you have those security defaults, you won't be able to just use your ten-year-old multi-function printer to start sending emails through them.

So I'm sure there are some obvious ones that you guys would know when you're looking at things like multi-function print devices etc., but how do we ascertain, in an environment, what is good or isn't, a kind of red list of what will and won't work? Is there, you know, obviously a utility that does it all for us, or how do we approach that?

A lot of it is looking at the logs, basically. So you can start migrating things away, moving things away, and then you can look at the logs and see which traffic is still flowing through your Exchange servers, and you start to pick it away and pick it away, and ultimately end up with less and less flowing through. Very manual, quite laborious, unfortunately.

Yes, in an ideal world a company would have a list of all devices and IPs and so on, so you just take it: "we have this", and you would move it. In reality that's not the case. Sometimes it takes weeks to go through all the logs to find all the devices and applications sending emails, and even after that, when you shut down your Exchange for, let's say, two, three, four weeks before you decommission it, someone from behind will come and say "my application doesn't work any more, emails stopped sending from my machine".

So you need to give it at least a month then, in that case, to allow that normal business cycle to go through: the month-end accounting cycle, "we email out all our invoices at the end of the month; oh look, the accounts system doesn't send email any more".

Yes. So, on the other side, if that SMTP relay isn't working for you, if you want to have your environment secured, you still have an option of a couple of different relays Microsoft is trying to give you. One is direct send, which is great, but it's limited only to your internal recipients; you can't use direct send if you want to send some marketing emails to your clients. And the third option, it's also called SMTP relay but using connectors in the cloud, which means that you specifically set up your Exchange Online with a connector that allows your applications, your devices, to connect to your Exchange Online and send emails through. This one can be challenging, especially because you have to have a static IP for those devices; you can also use a TLS certificate for the authentication. The main problem with that relay is that your emails are subject to Microsoft's anti-spam.

OK, so you don't have any authority over that?

If you use that relay, Microsoft will check those emails, so be careful what you're sending. Yes, so if Microsoft decides that those emails are spam and your IP ends up on the list, you will end up with hours and days of possible issues before they remove you.

Troublesome for marketing departments.

Yes, so that might be one of the greatest issues why you still might want to keep your Exchange on premises, although Microsoft is evolving and those relays are getting better and better. In the past, for example, they gave you a limit of like a thousand messages per day; now it's 10,000 messages, so it's just growing and growing, it's getting better. So eventually it will evolve to a stage where we will go fully to the cloud and forget about Exchange.

Yeah, cool. One day, one day.

One day, one day there'll be plenty of other challenges around; don't worry, we won't stop evolving.

So I guess, in summary, and thank you, Greg, it's been fantastically informative, it's all about the proper planning, the analysis. It sounds like there's an awful lot of manual stuff; there's no magic utility that can do it all for us. So the takeaways will be, again, as we always do: plan it properly, kind of measure twice, cut once, all that sort of thing.

Definitely, in this particular situation, absolutely. And work with a reputable partner that knows what they're doing.

Yep, brilliant. Thank you, guys, it's been fantastic. Thank you for joining us for the first time, Greg; I'm sure we'll have you on more.

Thank you for having me.

You're welcome. Cheers, guys, thank you. And thank you for joining us on this episode of Krome Cast: Check It Out. If there's something you'd like us to cover on future episodes, then please leave that in the comment section below. Like, subscribe and share, and join us again next time for Krome Cast: Check It Out.
2022-06-01 16:35