Krome Cast: Tech-IT-Out
KROME CAST TECH-IT-OUT: Removing The Last Exchange Server: Decommissioning Exchange in a Hybrid Environment
In this episode of Krome Cast: Tech-IT-Out, we discuss removing the last Microsoft Exchange Server from your Hybrid Exchange environment.
Following Microsoft's recent announcement that you can now decommission Exchange on-premise when running Exchange in a hybrid environment, we discuss the technical considerations you need to make before removing the last Exchange Server, and how to prepare to decommission Exchange on-premise in order to move to a full Exchange Online environment.
This tech panel podcast features Krome's Commercial Director, Sam Mager, along with Krome's MD, Rupert Mills, our Exchange Specialist, Gregor Jus, and Technical Director, Ben Randall, sharing their insights into removing the last Exchange Server when decommissioning Exchange in a hybrid environment, along with the methods that can be taken when embarking on a Microsoft Exchange migration project.
► ABOUT KROME: Krome Technologies is a technically strong, people-centric technology consultancy, focused on delivering end-to-end infrastructure and security solutions that solve business challenges and protect critical data. We work collaboratively with clients, forming long-term business partnerships, applying knowledge, experience and the resources our clients need to solve problems, design solutions and co-create agile, efficient and scalable IT services.
► KROME WEBSITE: https://www.krome.co.uk/
► WATCH ON YOUTUBE CHANNEL: https://youtu.be/NZbXKBHITW4
► CONTACT
• Telephone: 01932 232345
• Email: info@krome.co.uk
► SOCIAL MEDIA
• YouTube: https://www.youtube.com/@krometechnologies
• LinkedIn: https://www.linkedin.com/company/krome-technologies-ltd
• Instagram: https://www.instagram.com/krometechnologies/
• Twitter: https://twitter.com/KromeTech
• Facebook: https://www.facebook.com/KromeTechnologies/
Welcome to Krome Cast, Tech-it-Out. I'm Sam Mager, Commercial Director for Krome Technologies. We're very fortunate to be joined by our CEO, Rupert Mills. Hi Sam. Our Exchange subject matter expert, Gregor Jus. Hi Sam. and our Technical Director, Ben Randall. Hi Sam. So we're here to talk about some exciting news with Microsoft Exchange, especially around the hybrid model, and given that I'm surrounded by people that know far more than I do about this subject, it's probably best that I just chuck the technical hot potato to who wants to grab it first. Sure, I'll start because then I can leave you guys to do the real technical part. So the interesting bit is that Microsoft have announced finally, that you can remove the last Exchange server from your hybrid environment. That's been a topic of conversation for years and years, since people doing Office 365 migrations in 2013, 2016, all the way up, there's been this conversation of what do we do with this last Exchange server and you've had to keep it there to administer your environment. What they've now done is finally allowed you to remove that, they built a tool that you can install on a standalone machine, that allows you to remove the final Exchange server and use PowerShell to administer your Exchange environment going forward to your Office 365 environment going forwards. And that is a big step forward for people trying to retire things out of their estate they don't need, which is, there is some considerations, and that's where I'll let these guys step in nicely. But it's, there's, there's a lot of things that people, a lot of people that have been trying to get rid of that last Exchange over for a while. So I mean, perhaps Gregor, you can talk through some of the considerations that you'd have, because I know things like, what you're doing for SMTP relay, that sort of stuff is a big challenge and the fact that you don't just uninstall it, right? 
Yes, so the most important bit is that, the emphasis on the words, remove it, not uninstall it. Unfortunately, despite all the promises, you still can't just go to add/remove programs, take it out, and go on with your life. Because you might leave without your job at the end. They, so Microsoft did update their Exchange 2019 only version, in a way that you can use the management tool only now to keep your hybrid running. But get rid of your Exchange, whether it's physical, whether it's virtual, it can be in Azure, it doesn't matter. You can shut it down, and you can then gracefully, slowly remove it out of your environment by cleaning your hybrid things behind with Microsoft Help. They created some scripts. They brought the whole documentation on how to do it properly, but unfortunately, it's still not a solution for everyone. So there are some caveats. There are some things behind you have to consider before you just go with it, because you might end up with some serious problems at the end. Yeah. So I understand that if you just go and uninstall that final Exchange Server, now you're thinking great, Microsoft are allowing us to do it, it will basically disconnect the hybrid and you'll end up with orphaned mailboxes in O365, and nothing works anymore, so. Yes, that at least. So uninstalling Exchange, it doesn't just remove your hybrid, it will also go into your AD, remove all of your Exchange attributes. So pretty much everything that's related to it, from your aliases, email addresses, global address lists, everything that's syncing to the Cloud, everything that's Exchange related, gone. And it's not so easy getting it back in the end. So yeah. The things you have to consider before going into that scenario, whether it's appropriate to you or not. There are like three, four major things you have to consider. One, obviously, is the relays. 
Nowadays, we still have like 1000s and 1000s of companies using those Exchange servers on the last Exchange server for some third party applications, sending emails through Exchange, marketing communications, printers or some other devices. There's a lot of legacy apps isn't there - because most of the modern stuff is linked up to O365 Yes. So that's one of the main things that might push you back a little bit. Obviously, Microsoft did introduce a few different solutions that you can utilise 365 environment. It's not fully there yet. It's not for everyone. You can talk about limitations and that experience a bit later. The other perhaps, let's say annoying or, or problematic. Thing for engineers is if they're not used to dealing with PowerShell, If you go into the scenario of removing the last Exchange, you will end up, I mean, you will end up with the ability to manage your hybrid environment, The whole rich experience on-premises and in the Cloud through one single tool, but it's going to be PowerShell. So all those things sticking to GUI and nice interfaces, that's gone. On the other side, PowerShell is the future, so you will have to go with it sooner or later. Is it worth discussing the reasons that you might end up in a hybrid Exchange? Because there's not just that migration, if you do end up in hybrid in the first place, Obviously, you had an Exchange on-prem, and you're talking about going to Exchange online, Is it worth looking at the options that you might have had when you're at that stage when you decided you're going to do that migration? Because it's not just hybrid is it though, how does this affect when the other, there's staged and cutover migration methods, what's the implications for that and so on? So we have three, four different methods of migrating to your Exchange online. 
Which one you use, I'd say historically, based on what kind of environment you have, what do you use, and what's your - Kind of a scale that you're talking about, how many users. Yes, and why would you like it in the future. So if you, let's say, let's start with a simple one, if you are using Google Mail or some other mail software, you can then just use the IMAP migration to go to Office 365, and that's pretty much it. Only issue you will see with it, only email data is migrated, no calendars, no tasks, no contacts. If you have been using Exchange in the past, you have three options you can use or you could use. So we have cutover migration, staged migration and hybrid. Okay. The staged one, the name implies something else - I've always found this one confusing myself, in fairness. It's not a staged migration. It's kind of legacy hybrid way of migration, which is used for Exchange 2003 and 2007. Okay, so that's going to be a very small subset of.. Yes. Unless someone has done it a long time ago. Yes. The other one is cutover. The name implies literally the cutover. You go into your Exchange, take everything you have, and you just chuck it into 365. Right, and so that would take quite a long time. So it's not really suitable for a large number of users, because you're going to be offline for the duration, is that right? No, not necessarily. So the cutover migration works in a way when you initiate it, the synchronisation is going on behind the scene. Users don't even know anything's happening. Oh okay. They still use their on-premises mailboxes, they send and receive emails, and email migration is just syncing behind in 365. When it's done, for the next 60 or 90 days I think, every 24 hours, there's an incremental thing happening so that you can decide what's the most appropriate time for you to cutover. So that's, there's that cutover, which is a defining moment. Yes. So you could do that in your, in a maintenance window. Most likely that would be a weekend. 
So that users can get ready. They don't use those mailboxes at the time. There are some issues. I mean, I'd say some drawbacks with this scenario, when you migrate, when you use cutover migration, all of those mailboxes from on-premises to the Cloud, those users need to be created in the Cloud by the process, Okay. Which means that if those users on-premises already have accounts in the Cloud for some other reasons, using Teams, using SharePoint and OneDrive, they have to be deleted first. Right. So, so that wouldn't work well with something like Directory Sync, or Azure AD Connect? No. So if you have Azure AD Sync, or Azure AD Connect service, which is the new name now, you have to stop it. You can leave it installed if you want, but you have to stop the sync process, you have to clean the Office 365 tenant so that users don't exist there, and then you can initiate a migration, a cutover. And if you do that cutover it's all well and good, but if you had anything that relied on the legacy services for Exchange on, on-prem, that's going to stop working at the point you cutover because Exchange goes right? So Exchange still remains on the on-premise at that time, Okay. It's not decommissioned yet, it's not removed, you just start the process of moving more and more boxes in the Cloud. In theory, you can still then manually connect, create connectors in the Cloud and connect Exchange on-premise for some kind of mail flow if you have some mail relays and so on. Okay, so you can still do that even in the cutover process. Yes, it's not a hybrid, it's a manual solution, nothing else, but you can. Before we go in the last one, the hybrid one, it's worth mentioning the cutover, the hard limit is 2000 users. Okay. Although funny number 150 is the number that Microsoft recommends to not go above. Sorry, is that, you're saying cut off, in my mind, that's like we turn everyone off here, and everyone on there? 
Or are you talking about a bigger environment you do that in blocks of 150 or no more than 2000? No, so with the cutover, there's no blocks. Right okay, it is literally all or nothing. Yes, you, you initiate migrations from Exchange Online, which connects to your Exchange on-premises using Active, sorry using Outlook Anywhere technology. And it just takes up all the mailboxes that exist, puts them into a batch for migration and that's it. You don't have any ability to say this group and that group is - Different OUs all that sort of stuff. It's designed for smaller businesses, basically. Yes, yeah, yes. And if you're planning or if you're not planning to use Exchange at the end at all anymore. So if you just want to go fully Office 365, forget about Exchange, and that's it. The third version is hybrid, which I'd say is most likely, widely used, not just because of the size of companies, but I would say it's also because administrators were a bit afraid, what that Cloud brings to them. Because with hybrid, you always have an option, if you go online, you can also go back. If you're migrating. You can pick and choose the mailboxes you want to do, you can exist indefinitely in that hybrid, with some on-prem, some in the Cloud can't you. It gives you an option to slowly migrate. So, let's start with our Technical Director. He's the most brilliant, the most smart one, [laughter] and let's try him, be ready to test the whole Exchange Online, if it's fine, you can continue with next batch, next batch and so on. If something's wrong, you can always just migrate them back to on-premises - Is that why we moved you first when we did us? Yes. Pretty much yes. Most brilliant, smartest, yeah. Also, hybrid is widely used just because it's the most feature rich experience users can get. It's the only, the only solution that will give all your environments, on-premises and online, it will connect them into one single environment. So your free busy and all that sort of thing. 
That's correct. So free busy calendar information goes through, mail teams go through, you can use Microsoft Teams, It gives you also an option for users to remain on-premises, and just utilise Online Archiving in the Cloud. You have global address listing. So pretty much it creates one single environment with a single point, single access of managing it. And it's also the only way for some companies who are highly regulated, I've had some compliance requirements to have data on-premise, to remain on-premise because obviously, Microsoft still doesn't have data centre in each country. Or alternatively, people where they are geographically in an area where they get very poor internet connection they can still use, an on-premise Exchange server. So what you're basically saying is, hybrid gives you the most options. Yeah. And the most different things you can do with it. But historically, when you've done with the hybrid, and a company that's got good internet connection, and doesn't have compliance restrictions, etc, you're still stuck with that last Exchange server, or were. Yes. So the reason behind is not fully known why Microsoft was promising for years that they will find a way how to get rid of the last Exchange server. I think - They kinda kicked it down the road, we'll work it out next year. Sort of thing. I still remember one of the conferences I've been to Microsoft, and there was a guy on the podium he was clapping and explaining, And yes, Microsoft did it at the end of this year, we can get rid of Exchange, this was like four years ago, five years ago. But, of course, the last version of Exchange has been, it's been in the pipeline for a while. Yes. 2016 was the last, 2019 is the last, was the last, now the Vnext is announced - There's another one coming. So. But yeah, if you return back to Exchange, we finally have an option to remove it. 
As we said, there are some things you have to consider if you're using SMTP relay, if you're using, we didn't mention role, role-based access control. Yeah okay RBAC. If you're using those and some auditing, auditing is required for your administrators, it's what they do on-premises. That's gone too, obviously, you need to have all mail boxes in the Cloud. But if you have all this ready, if your company is ready to go online, you have an option now, so yeah. Yeah. So it's interesting here, that's not, not necessarily an option for everyone, even though lots of people have been looking forward to getting rid of that Exchange server. But they, but there's also some other good news is that they changed the pricing, the, the last hybrid traditionally, in 20 - up to 2016, the last hybrid server was free, wasn't it for that management use only? Yes. But I believe that's changed for 2019 now hasn't it. It is yeah. So initially Microsoft promised or, confirmed that 2016 is the last Exchange server that will have free hybrid license, just because they were planning to retire Exchange with 2019 version and they wanted to force you to go online. Obviously, that's not the case just yet. And with Exchange 2016 going, already went into extended support, which ends in 2025. They decided with the latest Exchange 2019 CU 12 update, that they will give you a hybrid license for free for Exchange 2019. So that alone is good news, because you might have a client or somebody who's on 2019 and think oh, we don't have to keep paying for this. Yes. And but we want to get rid of it, and they have taken, taken some of the energy out of that requirement really. Yes. Well, I think that's at least a part of the reason why Microsoft decided to do that, is also, if we take a look at the last year or the last half-year, with all the issues and security bugs that came out. 
and have, so on, users didn't want to upgrade the Exchange, just because they would have to pay for it if they stuck with a hybrid version and Exchange. And another issue is with the amount of CU updates, quarterly released, plus all the security updates and patches and critical updates and security updates. All those Exchange servers left behind. Yes. Keeping up with those updates is quite, it's not so trivial with an Exchange server. It's such a, it's quite a, I won't say fragile, but a very particular system, you need to test things carefully. It affects a lot of users if you take things offline. Especially if you imagine having organisations with 20, 30 Exchange servers, and quarterly, every three months, getting the new CU update that you would have to test and whether it's all working or not, and then you install it on, I don't know what, 20 servers, and then after a week you find out, Oh, there's a bug like it happened with all the CU updates, and you have to revert it, or call Microsoft for help. So I think that users stopped, administrators stopped with those updates, and the cost of going to Exchange 2019 was also too high. So they just lagged behind. And I'd say that's one of the reasons why Microsoft decided, let's give you 2019 for free as well, and with that, Microsoft thought to change the servicing model. So there is no more quarterly updates. It will now be biannual, every six months. Yeah. Which should help with more regular updates, and hopefully keeping Exchange a bit more patched up than it was in the past. I guess the security is another reason why you'd remove that final Exchange server, because then if there's any security holes in the Exchange, hopefully not going forwards, but it's one of those things. Then if you haven't got an Exchange server, then there's not going to be a security hole in it basically. Sure. If you have Exchange, I mean, you obviously have some options to secure it, by enabling OWA, disabling ECP and so on. 
But at the end, it's still one of the most complex systems, one of the most complex applications ever written, and rewritten and redesigned and so on. And no matter how much you try to protect it and secure it, there'll always be a hole somewhere, someone will find it. And yes, the ability now to remove it and just use the management tool, nothing else, which doesn't even have to be installed on a server now anymore. It just can be a domain joined workstation, it gives you quite a bit of - Presumably, that tool can be installed on multiple team members' machines? Yes. You can. Yes. It's not like limited to one install, per site, or anything like that? No, no. So you can install it on pretty much every administrator's machine if you want it, if you have a large environment to manage, or you can just have a server where all administrators connect through, and just use the management tools on it. A kind of jump box with your management tools on it? Yes, a jump box, yeah. Big step forward. Sounds like it, really sounds like it. I mean, it just thinking from my perspective, and correct me if I'm wrong, but obviously this push to get things off-premise into the Cloud and so on, Microsoft have pushed from 2016 to 2019, and further, do you think that there's, are they pushing to have everything kind of in Azure, in the Cloud, not just Exchange server, I guess, en masse, it all seem to be pushing towards that model. They're trying to push Exchange forward and actually we don't necessarily have to do it just now. And obviously, there's reasons you mentioned, you can't necessarily because of geographical reasons, and so on. But comms is getting cheaper, do you think the future will just simply be it, it's just all there, and we all plug into it? There's a lot of people building their environments now. 
If you, If you take it a step further than Exchange and look at Active Directory, there's a lot of people building their environments on Azure AD, and not necessarily using an on-prem AD. Yeah. If you have stuff to administer on-prem, then you can, you can do both now. And from that perspective, that whole thing of actually, in a modern, connected world, if you have good connectivity, you can build your whole infrastructure, your whole environment in the Cloud, so to speak. But there are a lot of legacy environments out there that don't do that. And I think what Microsoft are realising, is that although they want to drive people in that direction, and it makes total sense to drive people in that direction, there'll always be the outlying cases. And I guess until the R&D costs for an on-prem Exchange, outweigh the amount of money they can bring in for those outlying cases, there'll always be an outlying case for it. So I think businesses are evolving, connectivity, as you've said is evolving, I mean, people have big satellites up now to give connectivity everywhere in the world. It's all those sorts of things that are going to change how it all pans out. We don't know what the future holds in that respect. But certainly right now, there's those various outlying cases, that mean you need to be able to cater for them, but certainly what you're saying about everything being in the Cloud, is where they're going. Okay. This last question to you all, probably specific to you Gregor, let's be honest. Clearly, you obviously know a lot about the subject, we've done an awful lot of this for our customers, the standard sort of approach that we would take with customers; we've done a lot of these, customers will be doing it for their first and only time, as it were. What are the, and I do this to everyone, like your top three and all that sort of stuff. 
But the main gotchas, that you think you know, before you do anything, you got to consider this, this and this, kind of that sort of, that sort of ilk. Right, so we've mentioned, obviously, the main issue is if you have some applications, devices using your Exchange, you have to think of those. But you also mentioned that Office, or let's say, Microsoft now, gives you an option to start using SMTP relay in the Cloud, they have three options. Not every option is useful for everyone. The most secure one obviously is the most challenging one. It's called, it's pretty much SMTP authentication, which means that you can set up a device, application or something to authenticate against your Office 365, and then send email, whatever you have to send it, it gives you an option to send email internally and externally, but on the other side, I said it's the most secure one and the most challenging one, Microsoft introduced security defaults, they said, those security defaults secure and implement some security features in the Cloud in Azure AD, to try to protect you, your environments, your, your users, your company and themselves in the end, by using multi-factor authentication, by locking down that Exchange environment, and so on and so on. On the other side, that means that not every application or device is ready for that just yet. So if you're using, if you have those security defaults, you won't be able to just use your 10-year-old multifunction printer, let's start sending emails to it. So I'm sure there's some obvious ones that you guys would know when you're looking at things like multifunction print devices, etc. But how do we ascertain an environment? What is good or isn't, kind of red list on what will or won't work? Is that, is there a, you know, I assume there's a utility that does this all for us, Right? Or is it - No, No. So how do we, how do we approach that? A lot of it is looking at the logs, basically. 
So you can start migrating things away and moving things away, and then you can look at the logs and see which traffic is still flowing through your Exchange servers. And you start to pick it away and pick it away and, and ultimately end up with less and less flowing through your Exchange servers. It's a very manual, quite laborious - Unfortunately yes. So in an ideal world, a company would have a list of all devices and IPs and so on. So you would just take it, we have this and you would move it. In reality, that's not the case. Sometimes it takes weeks to go through all the logs to find all the devices and applications sending emails, and even after that when you shut down your Exchange for let's say, 2, 3, 4 weeks before you decommission it, someone from behind will come and say my application doesn't work anymore. So email stopped sending from my machine so - So you need to give it at least a month then in that case to allow that sort of normal business cycle to go through - Yeah, month and accounting cycle. We email out all of our invoices at the end of the month, Oh look, all of the accounts system doesn't send email anymore. Yeah that could be a problem. So yeah. But on the other side, if that SMTP relay isn't working for you, if you want to have your environment secured, you still have an option of a couple of different relays Microsoft is trying to give you, one is direct send, which is great, but it's limited only to your internal recipients. If you can't use direct send if you want to use some marketing emails to your clients, and the third one is also SMTP relay but using connectors in the Cloud, which means that you specifically set up your Exchange Online with a connector that allows your applications and devices to connect to your Exchange Online and send emails through. This one can be challenging, especially because you have to have a static IP for those devices. You can also use a TLS certificate for, for the authentication. 
The main problem with that relay is that you, your emails are subject to Microsoft's anti-spam. So you don't have any, any authority over that. If you use that relay, Microsoft will check those emails, if they are - So, be careful of what you're sending. Yes. So, if Microsoft decides that those emails are spam, and your IP ends up on the list, you will end up with hours and days of possible issues before they will remove you. Troublesome for marketing departments. Yeah. So, that might be one of the greatest issues while you still might want to keep your Exchange on-premises. Although Microsoft is evolving, and those relays are getting better and better. In the past, for example, they gave you like 1,000 messages per day as a limit. Now it's 10,000 messages. So it's just growing and growing. So it's getting better so. Eventually, it will evolve to a stage that we will go fully to the Cloud, and forget about Exchange. One day. One day. One day. There'll be plenty of other challenges around though, don't worry. Yes, it won't stop evolving. So I guess kind of in summary, and thank you, Gregor, it's been fantastically informative. We will discuss this, it's all about the kind of proper planning, the analysis, it sounds like there's an awful lot of, kind of manual stuff. There's no magic utility that can do it all for us, so takeaways will be again, as we always do, plan it properly, kind of measure twice, cut once, all that sort of stuff. Definitely in this particular situation. And work with a reputable partner that knows what they're doing. Brilliant. Thank you guys, it's been fantastic. Thanks for joining us for the first time Gregor, I'm sure we will have you back. Thank you for having me. You're more than welcome. Cheers, guys, thank you. Thanks. Thanks. And thank you for joining us on this episode of Krome Cast, Tech-it-Out. If there's anything you'd like us to cover on future episodes, then please leave them in the comment section below. 
Remember to like, comment and share, and join us again, next time, on Krome Cast, Tech-IT-Out.
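The panel's advice for finding what still relays through the last Exchange server is to work through the logs. As an added illustration of that step, and not code from the podcast or from Krome, the script below parses the CSV message tracking logs Exchange writes (assumption: the files carry the standard `#Fields:` header), inventories every SMTP submission by client IP, counts how many recipients were external (those senders could not move to Direct Send, which only reaches internal recipients), and flags clients missing from the documented device list. The sample log, the accepted domain and the inventory are constructed values.

```python
"""Inventory SMTP relay clients from Exchange message tracking logs.

Assumption (not from the podcast): the input is the CSV message tracking log
Exchange writes under TransportRoles\\Logs\\MessageTracking, whose '#Fields:'
header names the columns; extra columns in real files are simply ignored.
"""
import csv
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Accepted domains of the tenant (constructed). Mail to any other domain could
# not use Direct Send, which only delivers to internal recipients.
ACCEPTED_DOMAINS = {"example.com"}

# Constructed sample log with a reduced #Fields header (only the columns used).
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Log-type: Message Tracking Log
#Fields: date-time,client-ip,client-hostname,connector-id,source,event-id,recipient-address,sender-address,message-subject
2023-03-01T08:05:11.000Z,10.0.5.20,mfp-floor2,EXCH01\\Anonymous Relay,SMTP,RECEIVE,ap@example.com,scanner@example.com,Scanned document
2023-03-01T08:06:40.000Z,10.0.5.20,mfp-floor2,EXCH01\\Anonymous Relay,SMTP,RECEIVE,hr@example.com,scanner@example.com,Scanned document
2023-03-01T09:12:03.000Z,10.0.9.7,erp-app01,EXCH01\\Anonymous Relay,SMTP,RECEIVE,billing@partner.example;ap@example.com,invoices@example.com,Invoice 1042
2023-03-01T09:15:30.000Z,10.0.1.15,,EXCH01\\Default EXCH01,STOREDRIVER,RECEIVE,hr@example.com,user@example.com,Re: lunch
2023-03-01T09:16:00.000Z,10.0.9.7,erp-app01,EXCH01\\Anonymous Relay,STOREDRIVER,DELIVER,billing@partner.example,invoices@example.com,Invoice 1042
2023-03-31T17:58:22.000Z,10.0.7.33,,EXCH01\\Anonymous Relay,SMTP,RECEIVE,all@example.com,monitor@example.com,Backup failed
"""


@dataclass
class RelayClient:
    client_ip: str
    hostname: str
    connectors: set = field(default_factory=set)
    senders: set = field(default_factory=set)
    messages: int = 0
    external_recipients: int = 0
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None


def parse_tracking_log(text):
    """Yield one dict per data row, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = [f.strip() for f in raw[len("#Fields:"):].split(",")]
            continue
        if not raw.strip() or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row before #Fields header")
        yield dict(zip(fields, next(csv.reader([raw]))))


def relay_clients(text):
    """Map client IP -> RelayClient for each SMTP submission Exchange accepted.

    Only RECEIVE events from source SMTP count: STOREDRIVER submissions are
    mailbox (Outlook) traffic, and DELIVER/SEND hops describe the same message.
    """
    clients = {}
    for rec in parse_tracking_log(text):
        if rec["event-id"] != "RECEIVE" or rec["source"] != "SMTP":
            continue
        ip = rec["client-ip"]
        c = clients.setdefault(ip, RelayClient(ip, rec["client-hostname"]))
        ts = datetime.fromisoformat(rec["date-time"].replace("Z", "+00:00"))
        c.messages += 1
        c.connectors.add(rec["connector-id"])
        c.senders.add(rec["sender-address"])
        for rcpt in rec["recipient-address"].split(";"):  # multi-recipient rows
            if rcpt.rsplit("@", 1)[-1].lower() not in ACCEPTED_DOMAINS:
                c.external_recipients += 1
        c.first_seen = ts if c.first_seen is None else min(c.first_seen, ts)
        c.last_seen = ts if c.last_seen is None else max(c.last_seen, ts)
    return clients


def undocumented_clients(clients, inventory):
    """IPs seen relaying that are missing from the documented device list."""
    return sorted(ip for ip in clients if ip not in inventory)


def report(clients, inventory):
    """One line per client; 'external' > 0 means Direct Send is not enough."""
    lines = []
    for ip, c in sorted(clients.items()):
        tag = "documented" if ip in inventory else "UNDOCUMENTED"
        lines.append(f"{ip:<12} {c.hostname or '-':<12} msgs={c.messages:<3} "
                     f"external={c.external_recipients:<2} "
                     f"last={c.last_seen:%Y-%m-%d} {tag} senders={sorted(c.senders)}")
    return lines


if __name__ == "__main__":
    known = {"10.0.5.20", "10.0.9.7"}  # constructed inventory of known relay users
    found = relay_clients(SAMPLE_LOG)
    print("\n".join(report(found, known)))
    print("undocumented:", undocumented_clients(found, known))
```

Run it against a month or more of logs (the panel's point about the accounting cycle) so end-of-month senders such as the invoicing system show up before the server is shut down.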