Pages

Friday, October 14, 2022

How to Setup Exchange Management Tools in Environments without Exchange Server

Some Exchange Online customers have an Active Directory on-premises, but never had Exchange Server on-prem. For example, customers who migrated their email from an Exchange hosted environment or from a different email system, such as Notes.

In some environments, these customers are having to manage user accounts and groups in both AD and Azure AD. This leads to confusion since accounts and passwords are not synced, so usernames and passwords can be different. Those customers may be looking for a way to master accounts, groups, and mailboxes from AD on-prem so they have a single source of authority, similar to the way that hybrid customers do.

In other environments, customers are using Azure AD Connect to sync users from AD on-premises to the cloud. Here, user accounts and groups are managed on-premises, but mailboxes are managed in Exchange Online. These customers may be looking for a way to manage mailboxes and groups from AD, so they also have a single source of authority.

The following steps will let you install the Exchange 2019 Exchange Management Tools (EMT) in an AD environment without having to install Exchange Server. 

Keep in mind that this solution is not supported by Microsoft, since manual configurations must be made in AD using ADSI Edit. The Microsoft supported way to do this is to install an Exchange Server in the org. The solution below does not require this.

Prerequisites

  • Active Directory is installed and the Forest Functional Level is Windows Server 2012 R2 or higher.
  • The Exchange Management Tools (EMT) must be installed on a domain-joined computer. Azure AD-joined by itself is not enough, since we need to be able to update Active Directory.
  • EMT can be installed on Windows 10, Windows 11, or any Windows Server 2016+ server.
  • You will need the Exchange Server 2019 CU12 or later media.
  • The AD schema will be updated during EMT installation. These procedures assume the installation is being performed by a Domain Admin.

Steps for Installing the Exchange Management Tools

  • Logon to the domain-joined computer or server where you want to install the EMT as a Domain Admin. For ease of installation, it is recommended that this computer be in the same AD site as the AD Schema Master.
  • Install the .NET Framework 4.8.
  • Install the Visual C++ 2012 Runtime.
  • Install Windows Remote Server Administration Tools (RSAT) for Windows 10 or Windows 11. On Windows Server add the AD DS Tools from Server Manager.
  • Install the IIS 6 Metabase Compatibility component using the following command:
    • dism /online /Enable-Feature /FeatureName:IIS-IIS6ManagementCompatibility /all
  • Restart the management computer twice to ensure all files and installations are up-to-date.
  • Run Setup from the Exchange 2019 CU12+ media
    • Select only Management Tools in the Server Role Selection
    • You will be prompted to add the Exchange Organization Name (i.e., Contoso)
    • Restart the computer after EMT installation
  • Run the C:\Program Files\Microsoft\Exchange Server\V15\Scripts\Add-PermissionForEMT.ps1 script from an elevated PowerShell prompt to create the Recipient Management EMT security group in the Users container.
  • Add admin accounts to the new Recipient Management EMT group. Domain Admins already have rights to run the EMT and do not need to be added.
  • Create a shortcut on the Desktop to the EMT:
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -command "Add-PSSnapin *RecipientManagement"
    • Configure the shortcut to run as Administrator
Note:
All mailbox management will be done using the EMT PowerShell cmdlets. The Exchange Management Shell (EMS) will also be installed, but you will never use it because you have no Exchange Server to connect to.

There is no built-in GUI for EMT recipient management, but fellow Office Apps & Services MVP Steve Goodman wrote one on GitHub. You may want to check it out. 

Also, be aware that the EMT does not support roles based access controls (RBAC) and there is no auditing available. For complete Microsoft EMT documentation see Install the Exchange management tools | Microsoft Learn.

Microsoft Exchange System Objects (MESO) Configuration

In order for admins to create remote mailboxes, you need to add a remote domain to the Exchange configuration partition in Active Directory. This is done using ADSI Edit. The usual disclaimer applies - Don't use this tool unless you know what you're doing. I accept no responsibility. Yada yada yada.
  • Begin by getting your Microsoft 365 tenant's remote routing domain.
    • Open Exchange Admin Center
    • Navigate to Mail Flow > Accepted Domains
    • Record the accepted domain of the domain that looks like domain.mail.onmicrosoft.com
  • Open ADSIEdit.msc from the management computer. This was installed when you installed the Windows Remote Server Administration Tools (RSAT).
  • Connect to the Configuration Naming Context.
  • Navigate to CN=Configuration > CN=Services > CN=Microsoft Exchange > CN=domain > CN=Global Settings > CN=Internet Message Formats
  • Right-click CN=Internet Message Formats and select New > Object...
  • Select the class msExchDomainContentConfig and click Next
  • Enter Hybrid Domain - domain.mail.onmicrosoft.com for the value, using the value recorded above. Click Next and Finish.
  • Edit the Hybrid Domain you just created and set the following values:
    • contentType: 0
    • domainName: domain.mail.onmicrosoft.com, using the value recorded above
    • msExchContentByteEncoderTypeFor7BitCharsets: 15
    • msExchContentPreferredInternetCodePageForShiftJis: 0
    • msExchDomainContentConfigFlags: 1
    • msExchMinAdminVersion: -2147453113
    • msExchResolveP2: 2147483647
    • msExchRoutingAcceptMessageType: 351
    • msExchRoutingDisplaySenderEnabled: True
    • msExchVersion: 4535486012416
    • sendTNEF: True
  • Close ADSI Edit.

Add the remote routing domain as an accepted domain.
  • Run the following from an elevated EMT prompt, using the value you recorded above:
    • New-AcceptedDomain domain.mail.onmicrosoft.com -DomainName domain.mail.onmicrosoft.com

Update the email address policy that was created when the EMT was installed.
  • Run the following from an elevated EMT prompt:
    • Get-EmailAddressPolicy | Set-EmailAddressPolicy -EnabledEmailAddressTemplates "SMTP:@domain.com","smtp:@domain.mail.onmicrosoft.com"
    • Replace the domains with the correct values.
      • SMTP:@domain.com (SMTP in all caps) is the primary SMTP address for your organization.
      • smtp:@domain.mail.onmicrosoft.com is the remote routing domain that you recorded above.

Now you can run all the EMT cmdlets to update your on-prem user accounts, mailboxes, and groups.

Configure AD Synchronization with Azure AD

Now that you have a way to update Exchange attributes in AD, the final step is to configure Azure AD Connect to sync the AD objects with Azure AD. 

If your environment already has AAD Connect installed and configured, you only need to update the AAD Connect configuration to use Exchange Hybrid Deployment in Optional Features.



If your environment doesn't already have Azure AD Connect installed and configured, you will need to do so and perform a soft match of the AD accounts to Azure AD. That's beyond the scope of this article. 

If you need help please reach out to me at EXPTA Consulting.

No comments:

Post a Comment

Thank you for your comment! It is my hope that you find the information here useful. Let others know if this post helped you out, or if you have a comment or further information.