Historically, if you had a hybrid Active Directory environment with Exchange Online, where all your user identities are synchronised with Azure AD Connect, you would not be able to manage user recipient attributes in Exchange Online or on-premise unless you had a full Exchange server in your environment.
Now (on 20/04/2022) Microsoft have released an update that allows you to install only the Exchange PowerShell Management tools on-premise, so you can manage all Exchange Online user attributes without having to install a full Exchange server on-premise.
Install Exchange Management Tools to Manage Exchange Online
Let us take a look at how we can install the new Exchange Management tools. There are 2 different scenarios that you may be in:
- You still have an Exchange server running.
- You never had an Exchange server, or you have already decommissioned your last Exchange server.
If you still have an Exchange server
Before you do anything, you need to ensure all of your mailboxes are running in the cloud. If you shut down your last Exchange server while mailboxes are still hosted on it, they will not work. So ensure you have already migrated all of your mailboxes to the cloud. You can check the status of the mailboxes in Exchange Management Shell.
Set-AdServerSettings -ViewEntireForest $true
Get-Mailbox
Verify that the Exchange Online tenant coexistence domain (your “company.mail.onmicrosoft.com” domain) is configured as target delivery domain with the following:
Get-RemoteDomain Hybrid* | Format-List DomainName,TargetDeliveryDomain
If the TargetDeliveryDomain is not configured, configure it with the following: (replace ‘company’ with your own domain)
New-RemoteDomain -Name 'Hybrid - company.mail.onmicrosoft.com' -DomainName 'company.mail.onmicrosoft.com'
Run Set-RemoteDomain to configure the TargetDeliveryDomain:
Set-RemoteDomain -TargetDeliveryDomain:$true -Identity 'Hybrid - company.mail.onmicrosoft.com'
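The checks above can be combined into one report to review before the server is shut down. This is an added example, not part of the original article; the function name is hypothetical, 'company.mail.onmicrosoft.com' is the article's placeholder domain, and it assumes it is run in the Exchange Management Shell.

```powershell
# Added example: pre-shutdown report built from the cmdlets used above.
function Get-ExchangeShutdownReport {
    param(
        [Parameter(Mandatory)]
        [string]$CoexistenceDomain   # placeholder: your tenant coexistence domain
    )

    Set-ADServerSettings -ViewEntireForest $true

    # Anything returned here is a mailbox that still lives on-premise.
    # Nothing is filtered out, so review each RecipientTypeDetails value yourself.
    $onPrem = @(Get-Mailbox -ResultSize Unlimited)

    # Remote domain entry for the coexistence domain, if one exists.
    # DomainName is cast to a string so the comparison behaves the same
    # whether the object is live or deserialised.
    $remote = @(Get-RemoteDomain |
        Where-Object { [string]$_.DomainName -eq $CoexistenceDomain })

    # True only if an entry exists and has TargetDeliveryDomain enabled.
    $targetSet = @($remote | Where-Object { $_.TargetDeliveryDomain }).Count -gt 0

    [pscustomobject]@{
        OnPremMailboxCount   = $onPrem.Count
        OnPremMailboxTypes   = ($onPrem | Group-Object RecipientTypeDetails |
                                ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
        RemoteDomainPresent  = $remote.Count -gt 0
        TargetDeliveryDomain = $targetSet
        OnPremMailboxes      = $onPrem | Select-Object Name, RecipientTypeDetails, Database
    }
}

$report = Get-ExchangeShutdownReport -CoexistenceDomain 'company.mail.onmicrosoft.com'
$report | Format-List OnPremMailboxCount, OnPremMailboxTypes, RemoteDomainPresent, TargetDeliveryDomain
$report.OnPremMailboxes | Format-Table -AutoSize
```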
If you no longer have, or have never had, an Exchange server
The TargetDeliveryDomain will not be configured. You can access the New-RemoteDomain and Set-RemoteDomain cmdlets from PowerShell on any domain-joined Windows server by installing the following PowerShell snap-in.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn
Then use the commands in the previous section to set the TargetDeliveryDomain.
Installing the Exchange Management Tools
The Exchange Management Tools can be installed on any domain-joined workstation in an Exchange environment, 2013 and up.
1. Now we need to install the Exchange Management Tools on a server that is not the Exchange server you wish to shut down. On your management server, download the latest Exchange Server ISO and mount it. You can download the ISO from your Volume Licensing Service Center.
2. Run setup.exe and select Don’t check for updates right now.
3. Click Next until you reach the Server Role Selection page. On this page, only select the Management Tools checkbox and select Automatically install Windows Server roles and features that are required to install Exchange Server.
4. If you have never had an Exchange Server before, you will reach the Exchange Organisation page, where you will be asked to specify the name for this Exchange Organisation.
Specify a name for your Exchange organisation, leave the checkbox unticked for Apply Active Directory split permissions security model to the Exchange Organisation and click Next.
5. On the Readiness Checks page, the installer will check your system to ensure you are ready to install Exchange.
These checks are done as a few things happen when you install Exchange server.
- Your Active Directory schema is extended by adding and updating classes, attributes and other items that are needed so Exchange can create and store information about your organisation.
- Once the schema is extended, Exchange will create all of its containers, objects and attributes. This includes Exchange security groups, management groups, permission changes and a lot more.
- Lastly, your domains are prepared within Active Directory. Again, this includes additional object containers, groups and permissions to be added and updated.
It is likely that you will encounter an error on this page. Ensure you read the errors and apply any changes that are required.
Then you can click Install then Finish.
6. Now that the Exchange Management Tools are installed, you need to install the Windows RSAT tools (Remote Server Administration Tools). Follow this guide here.
7. If you are using the Exchange Scripting Agent, copy the ScriptingAgentConfig.xml file from the following path on the Exchange server:
$env:ExchangeInstallPath\Bin\CmdletExtensionAgents
And copy it to the same path on the management server. The scripting agent allows you to insert your own scripts or scripting logic into the execution of some commands.
8. Now run the provided Add-PermissionForEMT.ps1 script in PowerShell to create the group ‘Recipient Management EMT’, which grants users the ability to manage recipients without the need for domain admin rights. You can find the script in the following folder: $env:ExchangeInstallPath\Scripts
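One way to review who holds the delegation created in step 8, as an added example that is not part of the original article or of Microsoft's script. It assumes the ActiveDirectory module from RSAT (step 6) and an English-named 'Domain Admins' group; the function name and the 90-day threshold are hypothetical.

```powershell
# Added example: list every account that can manage recipients through the
# 'Recipient Management EMT' group and flag the ones that deserve a second look.
Import-Module ActiveDirectory

function Get-EmtDelegationReport {
    param(
        # Group name as given in step 8; adjust if it differs in your directory.
        [string]$GroupName = 'Recipient Management EMT',
        # Hypothetical threshold for flagging accounts with no recent logon.
        [int]$StaleAfterDays = 90
    )

    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)

    # SIDs of Domain Admins, to spot accounts that hold both sets of rights.
    $adminSids = @(Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        ForEach-Object { $_.SID.Value })

    # -Recursive also returns users that are members through nested groups.
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $user = Get-ADUser -Identity $_.SID.Value -Properties LastLogonDate
            [pscustomobject]@{
                SamAccountName  = $user.SamAccountName
                Enabled         = $user.Enabled
                LastLogonDate   = $user.LastLogonDate
                Stale           = (-not $user.LastLogonDate) -or
                                  ($user.LastLogonDate -lt $cutoff)
                AlsoDomainAdmin = $adminSids -contains $user.SID.Value
            }
        }
}

Get-EmtDelegationReport |
    Sort-Object AlsoDomainAdmin, Stale -Descending |
    Format-Table -AutoSize
```

Disabled or stale accounts in the output are candidates for removal from the group, and accounts that are also domain admins do not need the membership for day-to-day recipient management.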
Test the Exchange management tools are working
1. Log in to your management server as a domain admin, or as a user who is a member of the Recipient Management EMT group, and open PowerShell.
2. Load the recipient management plugin with the following command:
Add-PSSnapin *RecipientManagement
3. Test some recipient management cmdlets to ensure they are working.
4. If you are still running an Exchange Server, shut it down.
5. Test some recipient management cmdlets to ensure they still work after the server is shut down.
You must NOT uninstall Exchange server, as it will remove the necessary configuration from Active Directory. Instead leave your Exchange server powered off.
Summary
There you have it! You have now shut down your Exchange server and are able to manage recipients on your management server. It is worth noting that you will only be able to use PowerShell to manage your recipients with the plugin, so make sure you brush up on them PowerShell skills!