Exchange Server 2003 org decommission before DirSync with Office 365

Hi,

I am looking to do DirSync of passwords between my local and Office 365 domain. I migrated all Exchange services to Office 365 a couple of years ago, but still have the old Exchange 2003 server.

I plan to completely decommission and remove the Exchange organization.

The question is, once that is done, is there any concern about using DirSync? I thought that all attributes sync during this process, so I am not sure whether I could be removing attributes that are needed when the Exchange 2003 organization is removed, which in turn might cause sync issues with my current Office 365 production environment.

I do not run any type of hybrid setup, and I am not looking to do single sign-on; I am only attempting to sync passwords for specific accounts.

Can I safely uninstall and remove my Exchange 2003 organization (a single Exchange 2003 server)?

Thank you

April 16th, 2015 3:23pm

The problem you're going to have is that you'll have to use ADSI Edit or Attribute Editor to modify mail attributes like EmailAddresses (proxyAddresses), PrimarySmtpAddress, Alias (mailNickname) and myriad settings attributes unless you have some sort of automated provisioning system.  I strongly recommend that you either remove Exchange 2003 and then install an Exchange 2013 server, or install an Exchange 2010 server and then remove the Exchange 2003 server.  You should be able to qualify for a free hybrid license; you're free to consult the resource.

https://support.microsoft.com/en-us/kb/29392

April 16th, 2015 9:02pm

Ed's answer is the official guidance from Microsoft. If you're not a big shop, an annoying but possible workaround for your scenario is:

  1. Create the user directly in Office 365 with basic attributes (just make sure you get the user name right).
  2. License the user in the cloud.
  3. Create the user in dsa.msc with all the proper attributes, especially the UPN and E-mail field. When AADSync runs, it will match the on-prem user with the cloud user (based on email address) and flow all the on-prem attributes to the cloud object, including the password. AADSync runs every 3 hours by default, but if you're in a hurry, you can force it (DirectorySyncClientCmd.exe delta). It is assumed that you installed AADSync without the Exchange option.

If possible, set the desired aliases and Exchange attributes before step 3, or you're back to ADSI Edit like Ed said.

April 16th, 2015 11:22pm
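As an added example, not from this thread, here is the workaround above scripted in PowerShell: create the on-premises account with the UPN, mail, proxyAddresses and mailNickname that Ed lists (so no ADSI Edit is needed afterwards), verify them, then force the AADSync delta cycle instead of waiting for the 3-hour schedule. It assumes the RSAT ActiveDirectory module, a default AADSync install path, and placeholder names (contoso.com, jsmith, the OU) that you would substitute.

```powershell
# Added example, not code from the original thread.
# Provision an on-premises user with the mail attributes Exchange would
# normally have written, so AADSync can soft-match it to the existing cloud
# mailbox. Assumes RSAT ActiveDirectory; names, OU and domain are placeholders.
Import-Module ActiveDirectory

$Domain   = 'contoso.com'              # assumption: a domain verified in the Office 365 tenant
$Sam      = 'jsmith'
$Upn      = "$Sam@$Domain"
$Primary  = "jsmith@$Domain"
$Aliases  = @("john.smith@$Domain")    # assumption: secondary addresses already on the cloud mailbox
$OU       = 'OU=Users,DC=contoso,DC=com'
$Password = Read-Host -AsSecureString 'Initial password'

# UPN and mail must match the cloud user for the soft match to succeed, and
# the UPN suffix must be a verified domain, not the forest's .local suffix.
$User = New-ADUser -Name 'John Smith' -SamAccountName $Sam -UserPrincipalName $Upn `
    -GivenName 'John' -Surname 'Smith' -Path $OU -EmailAddress $Primary `
    -AccountPassword $Password -Enabled $true -PassThru

# proxyAddresses: exactly one upper-case "SMTP:" primary, lower-case "smtp:" secondaries.
$Proxy = @("SMTP:$Primary") + ($Aliases | ForEach-Object { "smtp:$_" })

# Set the attributes directly, which is what ADSI Edit would otherwise be used for.
Set-ADUser -Identity $User -Replace @{
    proxyAddresses = $Proxy
    mailNickname   = $Sam
}

# Show what will be synchronized before forcing a cycle.
Get-ADUser -Identity $User -Properties mail, proxyAddresses, mailNickname |
    Select-Object UserPrincipalName, mail, mailNickname,
        @{ n = 'proxyAddresses'; e = { $_.proxyAddresses -join ';' } }

# Force a delta sync. Assumption: AADSync installed in the default location.
& "$env:ProgramFiles\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe" delta
```

Run it from an elevated session on the AADSync server (or replace the last line with the same command run there). The ordering matters: if the cloud user is not licensed before the first sync, the match still happens but the mailbox attributes have nothing to land on.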

Creating the mailbox isn't so much the problem as modifying it afterward.  ADSI Edit isn't exactly a tool you want a help desk technician to use.
April 16th, 2015 11:59pm

Yes, agreed. I've also seen third-party ADUC snap-ins for this purpose. That'd be my SMB recommendation, if they can't/don't want to keep the hybrid server.
April 17th, 2015 11:41am

Hi and thank you

As I am trying to simplify things, I don't believe I will set up an Exchange server.

In my questions below, I will refer to AAD Sync rather than DirSync, since I understand DirSync is the old application and I don't expect I would use it.

1. Could you confirm that there are NO "Exchange attributes" needed for using AAD Sync or DirSync? I assume that mail and proxyAddresses are all part of Active Directory without the Exchange additions. (Note: I will be removing any trace of my Exchange organization by removing the only Exchange 2003 server I have in the domain/forest.)

2. Is it correct that AAD Sync syncs only one way in general, unless I specifically choose to sync back from Azure? If so, I assume that AAD Sync could not possibly mess up or remove any attributes in Office 365?

Thank you

April 20th, 2015 1:31pm

Hi,

This sounds like an OK method (my one help desk technician does not manage my AD apart from password resets), since I am really the only tech to handle the AD: create users, etc.

1. You mention setting Exchange attributes; could you elaborate on which Exchange attributes? Since I am removing my Exchange organization locally (a single Exchange 2003 server), I assume there will no longer be any Exchange-specific attributes. By removing the Exchange 2003 server/org, will I be missing any attributes needed in order to use AAD Sync?

2. Also, do you know how difficult or easy it is to remove AAD Sync, if I choose to simply keep the cloud authoritative? Any concerns or potential issues you can think of?

Tha

April 20th, 2015 1:37pm

Great, clarifies for me.

Regarding attributes: when I remove the only Exchange server I have (version 2003), I recall there is an option to check specifying that it's the last Exchange server in the organization.

1. With my Exchange server being the last one I have, are you saying that attributes like msEx..... will not be removed from AD?

2. Attributes like mail and proxyAddresses: were these part of the 2003 domain upgrade or the Exchange upgrade? Just thinking, if I had never introduced Exchange, would these not be part of AD? I am really trying to understand what is happening once I remove my Exchange 2003 organization by selecting the "last Exchange server in my Exchange organization" option.

***************

Another question, a little off topic, regarding removing Exchange completely (let me know if I should open a new thread/question):

I read in the article "https://technet.microsoft.com/en-us/library/bb125110%28v=exchg.65%29.aspx":

"You cannot uninstall Exchange Server 2003 from a server if it is the only server in your organization running the Recipient Update Service. Instead, you must first use Exchange System Manager to enable the Recipient Update Service on another server. For more information on how to create a new Recipient Update Service, see How to Create a New Recipient Update Service"

Is the Recipient Update Service needed at all when NOT running Exchange?

Thank you
April 20th, 2015 2:24pm

For accuracy, I'd prefer using the word "clear" or "nullify". The attributes themselves will remain forever, as they are now part of the user class object (see schema extension comment).

Exchange will not allow you to uninstall the product until all mailboxes have been removed, or moved to Exchange Online. I've not moved Exchange 2003 directly to Exchange Online before (I use a 2010 or 2013 hybrid server), so I'm not sure how this works with respect to these uninstallation safety checks.

NOTE: Deleting Exchange mailboxes does clear all Exchange attributes.

proxyAddresses is used by Exchange, yes.

April 20th, 2015 2:35pm

OK, a couple of other questions:

1. You say proxyAddresses is used by Exchange, but was it added to Active Directory when Exchange was introduced, or when the domain was previously upgraded to 2003?

2. If Exchange was never introduced/installed in my local environment, would that mean that the proxyAddresses attribute would NOT be present? How would someone make use of Office 365 with AAD Sync if Exchange was never in the local environment?

Thank you

April 20th, 2015 2:44pm

It doesn't matter how the attributes got there.  When the Active Directory schema is extended, the new attributes are no different than previous attribute definitions.  Exchange uses many pre-existing attributes as well as the new attributes it brings as part of the schema extension.  proxyAddresses happens to be one introduced by Windows itself, but this has nothing to do with any of the advice I'm giving you.

Again, before we take too many more forks off the path here, Microsoft's official recommendation is to keep an Exchange Hybrid server around indefinitely, for the purpose of recipient management in Exchange Online.

April 20th, 2015 2:49pm

Ok, 

Since I will likely keep it simple, I may not currently implement a sync with Office 365. So I am thinking to completely remove the Exchange organization now, and then, if I find the need later to introduce Exchange again, it appears that I can easily introduce that back into the organization. Would you agree, in light of the fact that to upgrade from 2003 to 2013 I believe I would have to first go to 2010 before the 2013 upgrade?

With that, I believe I will close this thread, as all answers should be complete.

Thank you for your feedback

April 20th, 2015 3:45pm

If you don't need password sync, I'd agree.  Unfortunately, with DirSync/AADSync there is no way to implement password sync without syncing other attributes.
April 20th, 2015 3:47pm

As I understand it, I could simply set up an Exchange server later in my domain (after upgrading the domain to 2012, and if I find the need to use AAD Sync at a later time). Can you think of any complications with that? I guess the greatest risk is the schema having gone through an introduction of Exchange, then skipping a couple of generations of Exchange, and then getting a future introduction of Exchange. Do you foresee any currently known issues?
April 20th, 2015 4:07pm

If you want to later (after Exchange is completely removed) add AADSync for the purpose of Password Sync, this should be fine.  

Adding Exchange back after it was completely removed however may be tricky.  There are reports of a "clean uninstall" of Exchange leaving the Exchange System Object container and other objects as well.  Prior to re-introducing Exchange ___ in the future, you might want to manually clean up:

1) "Microsoft Exchange" object in the configuration container. This should be empty, no child objects below it.
"CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com"
2) Microsoft Exchange System Objects container in Domain partition.
3) Microsoft Exchange Security Groups container in Domain partition.

4) possibly re-run legacy Exchange's setup /PrepareAD.

Long story short, see the official guidance I've mentioned a few times now.  It is the only way you can guarantee a healthy environment.

April 20th, 2015 4:19pm
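The checks in Mike's list, as an added read-only PowerShell audit that is not part of the thread. It reports whether each container is still present and how many child objects it holds, and also shows why the attributes themselves never go away: the ms-Exch-* definitions in the schema partition, plus any users still carrying mailbox attributes (which, as noted above, are cleared when the mailbox is deleted). It assumes the RSAT ActiveDirectory module and a schema that was extended by Exchange at some point; nothing here modifies AD.

```powershell
# Added example, not code from the original thread. Read-only audit of what an
# Exchange uninstall leaves behind, to run before re-introducing Exchange or
# enabling directory sync. Assumes RSAT ActiveDirectory and a domain-joined
# session with read access to the configuration and schema partitions.
Import-Module ActiveDirectory

$RootDse = Get-ADRootDSE
$Config  = $RootDse.configurationNamingContext
$Schema  = $RootDse.schemaNamingContext
$Domain  = $RootDse.defaultNamingContext

# Report whether a container exists and list up to ten of its direct children.
function Test-ExchangeLeftover {
    param([string]$Dn, [string]$Label)
    $obj = Get-ADObject -Identity $Dn -ErrorAction SilentlyContinue
    if (-not $obj) { "$Label : absent"; return }
    $children = @(Get-ADObject -SearchBase $Dn -SearchScope OneLevel -Filter * -ErrorAction SilentlyContinue)
    "$Label : present, $($children.Count) child object(s)"
    $children | Select-Object -First 10 | ForEach-Object { "    $($_.DistinguishedName)" }
}

# 1) Configuration partition: after a clean uninstall this should be empty or absent.
Test-ExchangeLeftover -Dn "CN=Microsoft Exchange,CN=Services,$Config" -Label 'Microsoft Exchange (configuration)'
# 2) and 3) Domain partition containers named in the thread.
Test-ExchangeLeftover -Dn "CN=Microsoft Exchange System Objects,$Domain" -Label 'Microsoft Exchange System Objects'
Test-ExchangeLeftover -Dn "OU=Microsoft Exchange Security Groups,$Domain" -Label 'Microsoft Exchange Security Groups'

# Schema extensions are never removed: count the ms-Exch-* attribute
# definitions and read the Exchange schema version marker if it exists.
$ExchAttrs = @(Get-ADObject -SearchBase $Schema -LDAPFilter '(&(objectClass=attributeSchema)(name=ms-Exch-*))')
"ms-Exch-* attributes still defined in the schema: $($ExchAttrs.Count)"
$Ver = Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$Schema" -Properties rangeUpper -ErrorAction SilentlyContinue
if ($Ver) { "Exchange schema version marker (rangeUpper): $($Ver.rangeUpper)" }

# Users that still carry mailbox attributes. Expect none once every mailbox
# has been deleted or moved; anything listed here still points at the old org.
# (These -Properties names only resolve because the schema was Exchange-extended.)
Get-ADUser -LDAPFilter '(|(homeMDB=*)(msExchHomeServerName=*)(legacyExchangeDN=*))' `
    -Properties homeMDB, msExchHomeServerName, legacyExchangeDN |
    Select-Object SamAccountName, msExchHomeServerName, legacyExchangeDN
```

If the first check shows child objects under "CN=Microsoft Exchange,CN=Services", that is the leftover Exchange organization object the thread is warning about; decide on a cleanup (or the /PrepareAD re-run) only after you have confirmed no live Exchange server references it.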

My understanding from you, when you say "official guidance", is that keeping an Exchange server in the environment is what both you and Microsoft are suggesting, correct?

I prefer to stay within common practice and best practices, so if that is the best practice, I believe I will go the route of upgrading Exchange to 2010, then I believe I will take the domain from the current 2003 up to 2012, and then do Exchange 2013. Regardless of how those steps go, I will likely go with keeping Exchange.

Thank you

April 20th, 2015 4:30pm

Keeping an up-to-date hybrid server is the beaten path, and will position you best for whatever new "Best Practice" comes along. I also just remembered, they published this new article on Decommissioning Exchange Hybrid, which would be a relevant read for you:

(see: Why you may not want to decommission Exchange servers from on-premises)

https://technet.microsoft.com/en-us/library/dn931280(v=exchg.150).aspx

Having said all this, if it were me, I'd make a judgement call. How annoying is it to keep this extra server vs. the likelihood you'll want to re-introduce Exchange in the future? And even if you DO introduce it, so what, you have to figure out some manual steps at that time.

April 20th, 2015 4:38pm

Ok, thank you Mike.

I will close this thread, read your link, and likely begin the path of upgrading Exchange along with my domain. Any questions during the upgrade, I'll open a new thread.

Thanks again for your consistency in answering.  Blessings.

April 20th, 2015 4:53pm

I forgot one question,

Are there any issues in turning on an Exchange server that has been off for a year or so, in terms of the tombstone timeframe? I don't believe Exchange is related to that, but I wanted to confirm.

Thanks

April 20th, 2015 4:56pm

Tombstone refers to the time between when an object is deleted from AD and when it is then purged from the replication cycle. Tombstone doesn't apply to computers that are simply shut off. Perhaps you're thinking of the computer password, which is changed every so often. Either way, it doesn't matter. You can turn on the server and then begin the uninstall routine. Exchange 2003 requires the CD to uninstall. Hope you can find that! If not, there are other ways to manually uninstall Exchange 2003, which I believe you saw on another thread.
April 20th, 2015 5:00pm

OK, great, thank you.

I will probably actually go for an upgrade to Exchange 2010, then 2013, in order to keep a single Exchange server in my organization for future possibilities.

Thanks again

April 20th, 2015 5:40pm

Just to be clear, you don't have to establish a hybrid configuration for the Exchange server to be useful for administration.
April 21st, 2015 8:29pm

Hi Ed, Thank you.

Could you elaborate on what functions you are referring to, since I am solely in the cloud for all email, and I only utilize authentication for files in the local domain?

Thanks

April 22nd, 2015 1:56pm

If you're running DirSync, then most e-mail attributes are synchronized from on-premises AD and you can't update them using cloud tools, which means you need a tool to modify them on premises.
April 22nd, 2015 2:08pm

OK.

I am a little uncertain of one item still, if I may.

I have gotten another response outside of this post that attributes can sync and practically disable my Office 365 environment.

For example, if I have attributes that are blank in my local environment and I enable DirSync, would that blank field then replicate/sync to the cloud and make the cloud attribute blank, proxyAddresses for example?

Thank you

April 22nd, 2015 4:09pm

The only attribute "flows" are those selected. If you don't select Exchange, Exchange-related attributes won't be replicated (including null values). See these two pictures from this article:


April 22nd, 2015 8:48pm
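An added pre-sync check, not from the thread, for the concern raised above: before enabling sync, compare each cloud user against on-premises AD and flag accounts that would fail to soft-match (blank mail, a different UPN, a UPN suffix that is not a verified domain) or whose on-premises proxyAddresses lack an address the cloud mailbox has, since those are the accounts whose cloud attributes would be overwritten by what AD carries. The cloud list is a constructed two-row sample standing in for an export from the tenant (for example from Get-MsolUser in the MSOnline module) saved to a CSV with the same two columns; contoso.com and the user names are placeholders. The script only reads AD.

```powershell
# Added example, not code from the original thread. Read-only comparison of
# cloud users against on-premises AD before turning on DirSync/AADSync.
# Assumes RSAT ActiveDirectory. $CloudCsv is a constructed sample in the shape
# of an export such as:
#   Get-MsolUser -All |
#     Select-Object UserPrincipalName, @{n='ProxyAddresses';e={$_.ProxyAddresses -join ';'}} |
#     Export-Csv cloud.csv -NoTypeInformation
Import-Module ActiveDirectory

$VerifiedDomains = @('contoso.com')   # assumption: domains verified in the Office 365 tenant

$CloudCsv = @'
UserPrincipalName,ProxyAddresses
jsmith@contoso.com,SMTP:jsmith@contoso.com;smtp:john.smith@contoso.com
asmith@contoso.com,SMTP:asmith@contoso.com
'@
$Cloud = $CloudCsv | ConvertFrom-Csv

$Report = foreach ($c in $Cloud) {
    $cloudAddrs = @($c.ProxyAddresses -split ';' | Where-Object { $_ })
    # Primary SMTP address is the one with the upper-case "SMTP:" prefix.
    $primary = $cloudAddrs | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
    $primary = $primary -replace '^SMTP:'

    # Match the way the sync tool does: by UPN, or by primary SMTP address.
    $filter = "(userPrincipalName=$($c.UserPrincipalName))"
    if ($primary) { $filter = "(|$filter(mail=$primary))" }
    $ad = Get-ADUser -LDAPFilter $filter -Properties mail, proxyAddresses | Select-Object -First 1

    $issues = @()
    if (-not $ad) {
        $issues += 'no on-prem match by UPN or mail'
    } else {
        if (-not $ad.mail) { $issues += 'mail is blank on-prem' }
        if ($ad.UserPrincipalName -ne $c.UserPrincipalName) { $issues += "UPN differs: $($ad.UserPrincipalName)" }
        $suffix = ($ad.UserPrincipalName -split '@')[-1]
        if ($suffix -notin $VerifiedDomains) { $issues += "UPN suffix '$suffix' is not a verified domain" }
        # Case-sensitive: "SMTP:" vs "smtp:" decides which address is primary.
        $missing = $cloudAddrs | Where-Object { $_ -cnotin @($ad.proxyAddresses) }
        if ($missing) { $issues += "on-prem proxyAddresses lacks: $($missing -join ',')" }
    }

    [pscustomobject]@{
        CloudUPN = $c.UserPrincipalName
        OnPrem   = $ad.SamAccountName
        Issues   = ($issues -join '; ')
    }
}

$Report | Format-Table -AutoSize
```

Every row with a non-empty Issues column is an account to fix in AD (or deliberately leave out of the sync scope) before the first cycle runs; a clean report means the on-premises values already mirror the cloud, which is what Ed's point about selected attribute flows relies on.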

Right,

So definitely I would want to select the objects AND attributes very carefully, making sure that all match what I currently have in the cloud, so that when sync/replication is activated it would not disable or potentially destroy my online email functionality.

To me it seems rather easy to potentially really mess up one's online environment by simply activating this sync (especially if a company has been running the cloud separately from the local environment). It seems an inexperienced admin (with the notion that Office 365 seems to want to be easy to admin) could really wipe all email attributes if setting up sync with a local environment that has not been managed in correlation with the cloud.

Possibly the warnings in the setup are very clear and repetitive so this would not happen.

Thank you

April 23rd, 2015 10:29am

@Ed

OK, I assume (as I understand the term hybrid) that when you refer to hybrid configuration you are not referring to DirSync. And I understand that Exchange would become useful when using a tool such as DirSync or AAD Sync. Otherwise Exchange would not have any use locally, unless I am utilizing the Exchange manager to manually match my cloud attributes for a possible connection in the future between the local and cloud environments, for example using DirSync or AAD Sync.

Thank you

April 23rd, 2015 10:34am

Hybrid requires DirSync, but they are not the same thing.  With DirSync you can have an Exchange Server on-premises solely for management and mail routing without having to configure hybrid.
April 23rd, 2015 9:26pm
