Best practices for managing Office 365 from Active Directory

After moving to the cloud, you'll need to manage the parts of Exchange that don't show up in Active Directory.

After successfully migrating to Office 365, you'll need to manage Exchange mailboxes in the cloud. Microsoft manages the underlying servers, but you're still in charge of user accounts and their associated mailboxes.

Your AD is (mostly) still the master for managing Office 365

If you use the Windows Azure Active Directory Sync Tool, known as DirSync, then your local Active Directory is the authoritative source for Office 365. Attributes that DirSync synchronizes are read-only in the cloud, so there is little you can edit on a synced mailbox within Office 365; you need to edit the attributes in Active Directory and then let them sync up.

This is good news for day-to-day operations. If someone's name is incorrect, edit the details in AD. And if someone's group memberships are updated in Active Directory, these changes will flow through to the cloud.

But if you've already uninstalled your Exchange servers, you may be in for a shock when you need to create a mailbox or alter certain mailbox details, such as a user's email addresses. These attributes are stored in the local Active Directory, and by removing your Exchange servers and their management tools you may inadvertently remove the supported way to edit them. Adding new email addresses via ADSI Edit or the Attribute Editor tab in Active Directory Users and Computers isn't something to look forward to, unless you're looking for a challenge: the proxyAddresses values must stay unique across the forest, exactly one of them may carry the uppercase SMTP: prefix that marks the primary address, and the mail and targetAddress attributes must stay consistent with it.

Managing Office 365 and Exchange Online attributes in the local AD

Microsoft recommends using the free hybrid server license for ongoing Office 365 management in AD. This allows you to install a copy of Exchange solely to provide the use of management tools.

If you're a current Office 365 customer, you can request a free hybrid license code from the Office 365 portal by raising a support request. You'll first need to decide which version of Exchange you'd prefer to use with the management tools.

Exchange 2013 lets you use the same Web-based management interface you use in Exchange Online and it integrates the two together. If you choose an Exchange 2013 hybrid license, you need to install the Mailbox and Client Access roles.

On the other hand, Exchange 2010 SP3 offers the same management capabilities through the more familiar Exchange Management Console. You only need to install one Exchange 2010 role; the Hub Transport role is enough to get the management tools and the remote mailbox cmdlets. This option suits many organizations because of its minimal requirements. If you want, you can install the Exchange 2010 management server on the same server that runs DirSync.

After installation, create accepted domains matching the domains you use in your Office 365 tenant, along with a remote domain for your tenant's coexistence (routing) domain, such as contoso.mail.onmicrosoft.com. After creating the remote domain, mark it as the target delivery domain for your Office 365 tenant; this is the domain the management tools use for each remote mailbox's remote routing address.

If you performed a hybrid migration, you'll probably find all this is already in place and you can continue to remotely manage your mailboxes. You don't need to run the Hybrid Configuration Wizard for this, because the management tools only let you manage objects that already exist in your Active Directory.

When you create a new mailbox in Office 365, remember these tips:

  • You don't create a new mailbox; you create a Remote Mailbox. Here's where you'll find this option:
    • In the Exchange 2013 Admin Center, within Recipients > Mailboxes as New Office 365 Mailbox.
    • In the Exchange 2010 Management Console, within Recipient Configuration > Mail Contact as New Remote Mailbox. You'll also manage the attributes for those users within the Mail Contact node.
    • From the Exchange Management Shell, using New-RemoteMailbox (new user and mailbox in one step) or Enable-RemoteMailbox (existing user).
  • After you create a remote mailbox with your Exchange management tools, DirSync synchronizes it and Office 365 provisions the mailbox. The unlicensed mailbox only survives a grace period, so assign an appropriate license as soon as possible.
  • When creating the new user for the remote mailbox, make sure you set the correct user principal name (UPN). The UPN becomes the user's Microsoft Online Services ID and should typically match the user's primary Simple Mail Transfer Protocol (SMTP) address.
  • Local Exchange management tools will sometimes set the new remote mailbox's reply address to the wrong domain, usually because the default Email Address Policy has been applied. Edit the user properties, unselect the option to automatically update email addresses based on the Email Address Policy, and then change the Primary SMTP address to the one you intended.
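The set-up and provisioning steps above, carried out from the Exchange Management Shell on the hybrid management server. This is an added example written for this article, not code from the author; the domain names, organizational unit and user identities are constructed placeholders, and the tenant routing domain is assumed to be contoso.mail.onmicrosoft.com.

```powershell
# Added example: configure the hybrid management server and provision remote
# mailboxes from the Exchange Management Shell (Exchange 2010 SP3 or 2013).
# All names below are constructed placeholders for a tenant called "contoso".

$tenantRoutingDomain = 'contoso.mail.onmicrosoft.com'   # assumed coexistence domain
$remoteDomainName    = 'Office 365 Tenant'

# 1. Accepted domains must mirror the tenant's verified domains, otherwise the
#    tools will refuse to stamp addresses in them.
if (-not (Get-AcceptedDomain | Where-Object { $_.DomainName -eq 'contoso.com' })) {
    New-AcceptedDomain -Name 'contoso.com' -DomainName 'contoso.com' -DomainType Authoritative
}

# 2. The routing domain is a remote domain flagged as the target delivery domain;
#    New-RemoteMailbox derives each RemoteRoutingAddress from it.
if (-not (Get-RemoteDomain | Where-Object { $_.DomainName -eq $tenantRoutingDomain })) {
    New-RemoteDomain -Name $remoteDomainName -DomainName $tenantRoutingDomain
}
Set-RemoteDomain -Identity $remoteDomainName -TargetDeliveryDomain $true

# 3. New user plus remote mailbox in one step. The UPN doubles as the Microsoft
#    Online Services ID, so it is kept identical to the primary SMTP address.
$upn      = 'jane.doe@contoso.com'
$password = Read-Host 'Initial password for Jane Doe' -AsSecureString
New-RemoteMailbox -Name 'Jane Doe' -FirstName 'Jane' -LastName 'Doe' `
    -UserPrincipalName $upn -PrimarySmtpAddress $upn -Password $password `
    -OnPremisesOrganizationalUnit 'contoso.com/Users' -ResetPasswordOnNextLogon $true

# 4. For an account that already exists in AD, mail-enable it as a remote mailbox
#    instead. Naming the routing address explicitly avoids relying on the policy.
Enable-RemoteMailbox -Identity 'john.smith' `
    -RemoteRoutingAddress "john.smith@$tenantRoutingDomain"

# 5. If the Email Address Policy stamped the wrong reply address, detach the
#    object from the policy and set the intended primary address. Secondary
#    addresses are preserved; only the primary changes.
$rm = Get-RemoteMailbox -Identity $upn
if ($rm.PrimarySmtpAddress.ToString() -ne $upn) {
    Set-RemoteMailbox -Identity $upn -EmailAddressPolicyEnabled $false -PrimarySmtpAddress $upn
}

# 6. Check the object before DirSync picks it up: it should be a RemoteUserMailbox
#    (not a plain mail user) with a routing address in the tenant domain.
Get-RemoteMailbox -Identity $upn |
    Format-List Name, UserPrincipalName, PrimarySmtpAddress, RemoteRoutingAddress,
                EmailAddressPolicyEnabled, RecipientTypeDetails
```

Step 6 is worth keeping in any provisioning script: a RemoteRoutingAddress outside the target delivery domain, or a RecipientTypeDetails of MailUser rather than RemoteUserMailbox, means Office 365 will not attach a mailbox to the synced object and the user will silently get nothing.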

What if you don't want to install a copy of Exchange, and just want to manage those AD attributes? Microsoft doesn't provide a supported way to install only the Exchange Management Tools for this purpose, but those savvy with PowerShell can edit the attributes directly, as long as they reproduce the checks Exchange would normally perform. Over at 365lab.com, Andreas Lindhal wrote a PowerShell module to allow easy management of many Exchange Online-related attributes.
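Editing the attributes directly is where the "challenge" of raw ADSI Edit lies, so here is what the hand-rolled approach has to get right. This is an added example written for this article, not the 365lab module or the author's code; it assumes the ActiveDirectory module from RSAT, write access to the user object, and uses a constructed account name.

```powershell
# Added example: add a secondary SMTP address to a synced remote mailbox directly
# in Active Directory, with the uniqueness and primary-address checks that Exchange
# would otherwise enforce. Account names are constructed placeholders.
Import-Module ActiveDirectory

function Add-ProxyAddressSafely {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $NewAddress,
        [switch] $MakePrimary,
        [switch] $WhatIf
    )

    $user    = Get-ADUser -Identity $SamAccountName -Properties proxyAddresses, mail, targetAddress
    $current = @($user.proxyAddresses)

    # A remote mailbox must keep its routing address; without it the cloud has
    # nothing to match the object to, so refuse to touch an object lacking one.
    if (-not $user.targetAddress) {
        throw "$SamAccountName has no targetAddress; it is not a remote mailbox."
    }

    # Addresses are matched case-insensitively; the same value on this object is
    # a no-op, the same value on ANY other object would break mail routing.
    if ($current | Where-Object { $_ -ieq "smtp:$NewAddress" }) {
        throw "$NewAddress is already stamped on $SamAccountName."
    }
    $clash = Get-ADObject -LDAPFilter "(proxyAddresses=smtp:$NewAddress)" |
             Where-Object { $_.DistinguishedName -ne $user.DistinguishedName }
    if ($clash) {
        throw "$NewAddress is already in use by $($clash.DistinguishedName -join ', ')."
    }

    if ($MakePrimary) {
        # Exactly one entry may carry the uppercase SMTP: prefix. Demote the old
        # primary to lowercase smtp: and keep the mail attribute in step.
        $new  = @($current | ForEach-Object { if ($_ -clike 'SMTP:*') { 'smtp:' + $_.Substring(5) } else { $_ } })
        $new += "SMTP:$NewAddress"
        $mail = $NewAddress
    } else {
        $new  = $current + "smtp:$NewAddress"
        $mail = $user.mail
    }

    # Invariant check before writing: one primary, no duplicates.
    $primaries = @($new | Where-Object { $_ -clike 'SMTP:*' })
    if ($primaries.Count -ne 1) {
        throw "Resulting proxyAddresses would have $($primaries.Count) primary entries."
    }
    if (@($new | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique).Count -ne $new.Count) {
        throw 'Resulting proxyAddresses would contain duplicates.'
    }

    Set-ADUser -Identity $SamAccountName -Replace @{ proxyAddresses = $new; mail = $mail } -WhatIf:$WhatIf
    return $new
}

# Dry run first, then apply. Replace the account name with a real synced user.
Add-ProxyAddressSafely -SamAccountName 'jane.doe' -NewAddress 'jdoe@contoso.com' -WhatIf
Add-ProxyAddressSafely -SamAccountName 'jane.doe' -NewAddress 'jdoe@contoso.com'
```

Two caveats when you bypass Exchange like this: the on-premises Email Address Policy, if a hybrid server still exists, will re-stamp the object unless the policy is disabled for it, and DirSync will happily export a malformed proxyAddresses list to the tenant, where it fails with an export error you only see in the sync logs. Validating before the write, as above, is cheaper than untangling it afterwards.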

What AD won't manage in Office 365

The local Active Directory manages most aspects of an Office 365 mailbox, but not all of them. All of the general user details are synced: name, company details, group memberships, email addresses, phone numbers, manager, custom attributes, the AD photo and the login name. Many under-the-hood Exchange attributes that mark the object as a mailbox (and not just a mail-enabled user) also sync. For a complete list of attributes that synchronize, visit the Microsoft support site.

By comparison, what isn't synced is minimal, because certain Exchange features simply have no home in your local Active Directory. For example, enabling or disabling Unified Messaging, or client access to OWA, ActiveSync, IMAP, POP3 or Outlook for devices, is managed in Office 365 via the Exchange Admin Center or Exchange Online PowerShell.

A small subset of other settings that you'd expect to be managed within your local Active Directory aren't: setting a forwarding address or converting a mailbox to a shared mailbox, for example. Head to the cloud to manage these.
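The cloud-only settings from the last two paragraphs, applied from Exchange Online PowerShell. This is an added example written for this article, not the author's code; it assumes the ExchangeOnlineManagement module (Connect-ExchangeOnline) rather than the older remote PowerShell session, an Exchange administrator account, and constructed mailbox identities.

```powershell
# Added example: settings that live in Exchange Online rather than in the local AD.
# Assumes the ExchangeOnlineManagement module; identities are constructed placeholders.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com'

$id = 'jane.doe@contoso.com'

# Client access protocols are not AD attributes. POP3 and IMAP4 carry only a
# username and password and are the usual target of credential-stuffing, so turn
# them off unless a specific client needs them; OWA and ActiveSync stay enabled.
Set-CASMailbox -Identity $id -PopEnabled $false -ImapEnabled $false `
    -OWAEnabled $true -ActiveSyncEnabled $true

# Forwarding is configured cloud-side. Forward to an internal recipient
# (ForwardingAddress) rather than an external SMTP address, and keep a copy so
# the mailbox itself still receives mail.
Set-Mailbox -Identity $id -ForwardingAddress 'john.smith@contoso.com' -DeliverToMailboxAndForward $true

# Converting to a shared mailbox is also cloud-side. The synced AD account behind
# a shared mailbox is still a sign-in identity, so disable it in AD afterwards if
# nobody should log on with it; the change syncs like any other account attribute.
Set-Mailbox -Identity 'projects@contoso.com' -Type Shared

# Verify the results.
Get-CASMailbox -Identity $id | Format-List PopEnabled, ImapEnabled, OWAEnabled, ActiveSyncEnabled
Get-Mailbox -Identity $id | Format-List ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
Get-Mailbox -Identity 'projects@contoso.com' | Format-List RecipientTypeDetails

# Because forwarding is invisible in AD, audit it in the tenant: any mailbox
# forwarding to an external SMTP address is a classic data-exfiltration sign.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object DisplayName, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

Disconnect-ExchangeOnline -Confirm:$false
```

The audit query at the end is the practical consequence of the point above: since forwarding never appears in your local directory, an on-premises review of AD will not catch a mailbox that an attacker has set to forward externally, so the check has to run against the tenant.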

About the author:
Steve Goodman is an Exchange MVP and works as a technical architect for one of the U.K.'s leading Microsoft Gold partners. Goodman has worked extensively with Microsoft Exchange since version 5.5 and with Office 365 since its origins in Exchange Labs and Live@edu.
