In some environments, these customers are having to manage user accounts and groups in both AD and Azure AD. This leads to confusion since accounts and passwords are not synced, so usernames and passwords can be different. Those customers may be looking for a way to master accounts, groups, and mailboxes from AD on-prem so they have a single source of authority, similar to the way that hybrid customers do.
In other environments, customers are using Azure AD Connect to sync users from AD on-premises to the cloud. Here, user accounts and groups are managed on-premises, but mailboxes are managed in Exchange Online. These customers may be looking for a way to manage mailboxes and groups from AD, so they also have a single source of authority.
The following steps will let you install the Exchange 2019 Exchange Management Tools (EMT) in an AD environment without having to install Exchange Server.
Keep in mind that this solution is not supported by Microsoft, since manual configurations must be made in AD using ADSI Edit. The Microsoft supported way to do this is to install an Exchange Server in the org. The solution below does not require this.
- Active Directory is installed and the Forest Functional Level is Windows Server 2012 R2 or higher.
- The Exchange Management Tools (EMT) must be installed on a domain-joined computer. Azure AD-joined by itself is not enough, since we need to be able to update Active Directory.
- EMT can be installed on Windows 10, Windows 11, or any Windows Server 2016+ server.
- You will need the Exchange Server 2019 CU12 or later media.
- The AD schema will be updated during EMT installation. These procedures assume the installation is being performed by a Domain Admin.
Steps for Installing the Exchange Management Tools
- Logon to the domain-joined computer or server where you want to install the EMT as a Domain Admin. For ease of installation, it is recommended that this computer be in the same AD site as the AD Schema Master.
- Install the .NET Framework 4.8.
- Install the Visual C++ 2012 Runtime.
- Install Windows Remote Server Administration Tools (RSAT) for Windows 10 or Windows 11. On Windows Server add the AD DS Tools from Server Manager.
- Install the IIS 6 Metabase Compatibility component using the following command:
- dism /online /Enable-Feature /FeatureName:IIS-IIS6ManagementCompatibility /all
- Restart the management computer twice to ensure all files and installations are up-to-date.
- Run Setup from the Exchange 2019 CU12+ media
- Select only Management Tools in the Server Role Selection
- You will be prompted to add the Exchange Organization Name (i.e., Contoso)
- Restart the computer after EMT installation
- Run the C:\Program Files\Microsoft\Exchange Server\V15\Scripts\ExchangeAdd-PermissionForEMT.ps1 script from an elevated PowerShell prompt to create the Recipient Management EMT security group in the Users container.
- Add admin accounts to the new Recipient Management EMT group. Domain Admins already have rights to run the EMT and do not need to be added.
- Create a shortcut on the Desktop to the EMT:
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -command "Add-PSSnapin *RecipientManagement"
- Configure the shortcut to run as Administrator
Microsoft Exchange System Objects (MESO) Configuration
- Begin by getting your Microsoft 365 tenant's remote routing domain.
- Open Exchange Admin Center
- Navigate to Mail Flow > Accepted Domains
- Record the accepted domain of the domain that looks like domain.mail.onmicrosoft.com
- Open ADSIEdit.msc from the management computer. This was installed when you installed the Windows Remote Server Administration Tools (RSAT).
- Connect to the Configuration Naming Context.
- Navigate to CN=Configuration > CN=Services > CN=Microsoft Exchange > CN=domain > CN=Global Settings > CN=Internet Message Formats
- Right-click CN=Internet Message Formats and select New > Object...
- Select the class msExchDomainContentConfig and click Next
- Enter Hybrid Domain - domain.mail.onmicrosoft.com for the value, using the value recorded above. Click Next and Finish.
- Edit the Hybrid Domain you just created and set the following values:
- contentType: 0
- domainName: domain.mail.onmicrosoft.com, using the value recorded above
- msExchContentByteEncoderTypeFor7BitCharsets: 15
- msExchContentPreferredInternetCodePageForShiftJis: 0
- msExchDomainContentConfigFlags: 1
- msExchMinAdminVersion: -2147453113
- msExchResolveP2: 2147483647
- msExchRoutingAcceptMessageType: 351
- msExchRoutingDisplaySenderEnabled: True
- msExchVersion: 4535486012416
- sendTNEF: True
- Close ADSI Edit.
- Run the following from an elevated EMT prompt, using the value you recorded above:
- New-AcceptedDomain domain.mail.onmicrosoft.com -DomainName domain.mail.onmicrosoft.com
- Run the following from an elevated EMT prompt:
- Get-EmailAddressPolicy | Set-EmailAddressPolicy -EnabledEmailAddressTemplates "SMTP:@domain.com","smtp:@domain.mail.onmicrosoft.com"
- Replace the domains with the correct values.
- SMTP:@domain.com (SMTP in all caps) is the primary SMTP address for your organization.
- smtp:@domain.mail.onmicrosoft.com is the remote routing domain that you recorded above.