Office 365 and Dirsync: Why should you have at least one Exchange Server on-premises


For those of you involved in Office 365 migrations, the following question should sound familiar:

“Once all users are on Office 365, can we decommission all Exchange on-premises servers?”

That question is the reason I am writing this post. A few days ago we published an excellent article on TechNet, describing several scenarios and explaining when you should keep an Exchange Server on-premises: “How and when to decommission your on-premises Exchange Servers in a hybrid deployment”

I highly recommend that you read the entire article to better understand the scenarios, but I will also give you my personal insight on this.

Do you need Exchange on-premises? Yes, you should have one.

Why? Because you have Dirsync, and your objects are being synced from on-premises to Office 365: with directory synchronization, the on-premises Active Directory is the source of authority for those objects.

What challenges will you face if you don’t have an Exchange on-premises?

Several, and they come down to two factors. First, your on-premises Active Directory schema must be extended for Exchange. Because a synced object's Exchange attributes cannot be edited in Office 365 (the object is mastered in the on-premises AD), those attributes have to exist in the on-premises AD so that you can edit them there. Makes sense? Have a look at this article, which describes one of the issues you might face. Second, you need a supported way to edit those attributes on-premises. Some of you probably thought “Why can't I use ADSIEdit to edit those attributes on-premises?”. The answer is simple: it is NOT SUPPORTED!

In the TechNet article you can read this:

“The question of whether a third-party management tool or ADSIEDIT can be used is often asked. The answer is you can use them, but they are not supported. The Exchange Management Console, the Exchange Administration Center (EAC), and the Exchange Management Shell are the only supported tools that are available to manage Exchange recipients and objects.”

So there is your reason to have Exchange on-premises. The TechNet article describes several scenarios to help you understand your requirements, but basically it all comes down to:

Is Dirsync a requirement? If yes then you need Exchange on-premises.

Is ADFS a requirement? If yes, then you also need Dirsync, so the answer is the same as above.

The key is to understand whether the Office 365 objects depend on, and are synced from, the on-premises Active Directory. If they are, you need your on-premises Active Directory schema extended for Exchange and a supported tool to edit those objects on-premises. It's as simple as that! 🙂
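The two checks above (is the schema extended, and are the Exchange attributes being edited through a supported tool) are worth scripting. The following PowerShell is an added example, not code from the original post or from Microsoft's article. It assumes you run it in the Exchange Management Shell (PowerShell 3.0 or later) on the on-premises Exchange server with the ActiveDirectory module available; the user name `jdoe`, the `contoso.com` and `contoso.mail.onmicrosoft.com` domains and the alias are placeholders. It verifies the schema extension, shows the Exchange attributes Dirsync masters on-premises for one user, then makes the edits with `Enable-RemoteMailbox` and `Set-RemoteMailbox`, the supported alternative to ADSIEdit.

```powershell
# Added example, not code from the original post or from Microsoft's article.
# Run in the Exchange Management Shell on the on-premises Exchange server, with the
# ActiveDirectory module available. User, domains and addresses are placeholders.
Import-Module ActiveDirectory

function Test-ExchangeSchemaExtended {
    # Exchange setup (/PrepareSchema) adds ms-Exch-Schema-Version-Pt to the schema
    # partition. Without it Dirsync has no Exchange attributes to read and there is
    # nowhere on-premises to hold them. rangeUpper encodes the Exchange version that
    # last extended the schema (compare it with Microsoft's published version table).
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $versionObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(cn=ms-Exch-Schema-Version-Pt)' `
                               -Properties rangeUpper
    if (-not $versionObj) {
        Write-Warning 'Schema is NOT extended for Exchange; run Exchange setup /PrepareSchema first.'
        return $false
    }
    Write-Host "Exchange schema extension present (rangeUpper = $($versionObj.rangeUpper))"
    return $true
}

function Show-SyncedRecipient {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # These attributes are mastered on-premises once directory synchronization is on;
    # the cloud copy is read-only, which is why the edit has to happen here.
    $props = @('mail', 'proxyAddresses', 'targetAddress',
               'msExchHideFromAddressLists', 'msExchRecipientTypeDetails')
    $u = Get-ADUser -Identity $SamAccountName -Properties $props
    $rtd = [int64]($u.msExchRecipientTypeDetails)   # $null casts to 0
    $kind = switch ($rtd) {
        1          { 'UserMailbox (on-premises)' }
        128        { 'MailUser' }
        2147483648 { 'RemoteUserMailbox (mailbox lives in Office 365)' }
        default    { "not mail-enabled or unknown ($_)" }
    }
    [pscustomobject]@{
        User           = $u.SamAccountName
        RecipientType  = $kind
        Mail           = $u.mail
        TargetAddress  = $u.targetAddress
        HiddenFromGAL  = [bool]$u.msExchHideFromAddressLists
        ProxyAddresses = ($u.proxyAddresses -join '; ')
    }
}

# Constructed placeholders.
$user        = 'jdoe'
$routingAddr = 'jdoe@contoso.mail.onmicrosoft.com'   # the tenant's coexistence domain
$newAlias    = 'smtp:john.doe@contoso.com'

if (Test-ExchangeSchemaExtended) {
    Show-SyncedRecipient -SamAccountName $user

    # Supported path 1: an AD user whose mailbox should live in Office 365 is turned
    # into a remote mailbox (the same thing the EAC "Office 365 mailbox" option does);
    # Dirsync then carries the object to the tenant, where the mailbox is provisioned.
    if (-not (Get-RemoteMailbox -Identity $user -ErrorAction SilentlyContinue)) {
        Enable-RemoteMailbox -Identity $user -RemoteRoutingAddress $routingAddr
    }

    # Supported path 2: day-to-day recipient edits on the synced user. Writing the same
    # proxyAddresses / msExchHideFromAddressLists values in ADSIEdit is unsupported.
    Set-RemoteMailbox -Identity $user `
        -EmailAddresses @{Add = $newAlias} `
        -HiddenFromAddressListsEnabled $true

    # What Dirsync will pick up on its next cycle.
    Show-SyncedRecipient -SamAccountName $user
}
```

Run it before and after a Dirsync cycle: the second `Show-SyncedRecipient` output is exactly the set of values that will appear on the Office 365 recipient, and none of them can be changed from the tenant side while the object stays synced.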

The article also describes how to disable Dirsync if it is no longer a requirement; once it is disabled, you can also remove all your on-premises Exchange servers.

What about the Exchange on-premises Server license? Do you need one?

Well, if all of the following conditions apply, you can request an Exchange Hybrid Edition product key at no additional cost:

  • You have an existing, non-trial, Office 365 Enterprise subscription.
  • You currently do not have a licensed Exchange 2013 or Exchange 2010 SP3 server in your on-premises organization.
  • You will not host any on-premises mailboxes on the Exchange 2013 or Exchange 2010 SP3 server on which you apply the Hybrid Edition product key.

See this article for more details.

To summarize: the TechNet article on when and why to keep Exchange servers on-premises after moving to Office 365 is an excellent resource, provided that you fully understand the reasons behind it.

Hope this post was helpful! Thanks!


Comments (30)

  1. Doug says:

    For many, folks moving to Office 365 will be doing so from Exchange 2010, or even Exchange 2007. For small shops (read: less than 25 employees) it may be as easy as exporting each user to PST, killing off Exchange on-prem, installing DirSync, activating 365 services, then importing PSTs to each mailbox. Circumstances such as these would also be necessary if the on-prem AD domain ends in .local or something other than the actual live domain name, as it is required to match for DirSync. In these situations I see no reason to keep an Exchange box on-prem post-migration.

    1. jerryn says:

      I would submit that the issue of Exchange Online not having the Start of Authority on the Exchange attributes from a user object that lives on-prem still exists, regardless of the size of the organization. The circumstance of having a non-routable domain suffix does not necessitate keeping Exchange on-premises (if I am understanding your post correctly), and can easily be fixed by adding a routable domain suffix to the domain and changing the User Principal Name of the user object that you want to synchronize to the cloud with DirSync (Azure AD Connect). I do agree that there are other alternatives to using migration tools for small organizations; PST migration is definitely one method, however it requires manual steps at each workstation.
      I find that deploying an updated version of exchange with minimal hardware specifications, and a FREE Exchange hybrid license (available through the Office365 support portal) is plenty easy even for a small organization. It is unfortunate that the issue with start of authority exists, but it is not a show stopper by any means.

  2. Doug says:

    Also forgot to mention those who want/need to rename their AD name using Rendom to match their real-world domain, in order to do this one must remove Exchange from the organization, as Rendom will break Exchange.

    1. Jerryn says:

      Rendom seems like a pretty interesting utility for renaming your entire domain. As an alternative to the entire domain, you can, for the purpose of using DirSync, simply add a new domain suffix to your domain. Once added you can change the UPN of the objects that you would like to sync to the new, routable domain.

  3. Nathan says:

    Is there a way to bypass this requirement using Azure AD services? This must be something Microsoft is working on because the primary reason we are looking to migrate our smaller clients is to rid them of SBS boxes they keep primarily for the "Free" (we all know nothing with SBS is free).

    There must be some way to keep passwords in sync, create users on prem and have them created in office 365 without having an on prem exchange server…

    1. Jerryn says:

      You don’t really HAVE to keep an Exchange server on premises. The problem that occurs when you remove it is that you then have to edit your Exchange attributes in ADSIEdit, which is the least fun way to do so. There are other products out there that can integrate with Active Directory to control those Exchange attributes without necessitating having an Exchange Server on premises.

      I have deployed this 365 Command in the past for a customer, and it was well received. This product is a licensed product, but adds value in the features that it brings with automation, and monitoring. I am not affiliated with them BTW, I have just seen it be successful in some smaller deployments of Exchange Hybrid where the customer removed Exchange to find they could no longer easily control Exchange attributes.

  4. iVinayak says:

    The article refers specifically to hybrid deployments, but the dilemma of keeping on-premises Exchange servers or not also applies to other scenarios, such as cutover or staged migrations, migrations from Notes or GMail, etc.

  6. Thank you for sharing this. There is not much official documentation on why you should stay with Exchange on-prem. What about Skype for Business? Should I stay with on-prem if my AD schema is already extended with S4B (Lync) attributes?

  7. Neil says:

    Vinayak, what about the case where the O365 tenant already exists but there are no existing on-premises Exchange servers? Is it supported/possible to add a completely new on-premises Exchange server to allow for supported management of objects? It's not so much a case of keeping an existing server, but installing one to avoid managing objects via ADSI.

    1. Kevin White says:

      Did you ever resolve this issue? We decommissioned our Exchange server(lost due to crash) and would prefer not to use ADSIEdit.

  8. Thomas Jakobsen says:

    I think this is an absolutely ridiculous approach. People are moving towards the cloud to avoid having on-prem services. If you are running in a shared environment like Azure, this extra Exchange server is generating unnecessary cost.

    We have multiple customers where we are using the ADSIEdit method. The reason is that when these customers were implemented, ADSIEdit was the recommended way to go. Now this has changed. But we have never experienced any problem with this method.

    One thing that would be very interesting is to know what exactly is not supported if you use ADSIEdit. Is it all services on the tenant, or is it “just” issues related to the user sync? Can you enlighten us on this?

  9. Rickie Calliou says:

    Does this apply to Azure AD Sync?

  10. iVinayak says:

    Rickie – Yes, it does apply to AADSync as well.

  11. Mike says:

    The whole point of Office 365, especially for the small/medium business sector is to no longer have an on-prem Exchange server. There is nothing in Microsoft’s Office 365 documentation that says you need an on-prem Exchange server when using Dirsync (or Azure AD Connect, as it is now called). If you’ve migrated from Exchange to 365, then your AD will already have the Exchange schema extensions. And modifying the Exchange-related AD attributes with either ADSIEdit or ADUC (via Attribute tab with Advanced Features checked) are perfectly valid ways of managing the mail attributes in AD. And Exchange schema can be applied without actually installing Exchange, if necessary. I’ve worked with Microsoft support on a number of Dirsync issues (all using ADUC or ADSIEdit to manage mail attributes) and never once have they recommended having Exchange on-prem to manage those. Nor did they refuse to work on it because it is “unsupported”. I get that the Exchange Management Console is an easy way to manage mail attributes, but I could never justify keeping an Exchange server around just for that purpose.

    1. Aaron says:

      We have a similar situation in a school environment, but we haven’t found any specific guidance from MS or the web. We have previously migrated ~700 student mailboxes to O365 and now we’re ready to complete the ~170 faculty/staff mailboxes. The goal is to have all mailboxes in the cloud but retain local accounts and password sync. We don’t mind having the hybrid Exchange server on-premises for management, but we don’t want the campus connection and ADFS as the weak links.

      We’re hoping to decommission ADFS and only use AADSync/dirsync to keep passwords and AD objects synchronized. This would be similar to scenario #2 in the article referenced above. If the campus link, hybrid server, or AADSync were to go offline, at least the users should be able to continue receiving mail (not so if ADFS is still in the loop). Does anyone here have any ideas or guidance if it’s possible to remove ADFS and use AADSync only, without converting the domain from Federated Authentication to Standard Authentication?

    2. Gilberto says:

      I agree with you Mike, there is no reason to keep Exchange on-prem. I have been using ADSIEdit for several years since DirSync and have had no problem with that.

  12. Matt says:

    Hi Vinayak,
    Looking at your post and all the MS documentation I have come to the conclusion that if you enable Directory Synchronisation you need Exchange.
    If you do not have Exchange does this mean you have to buy Exchange Server just to get the approved management tools?
    The free license request seems to say that you need an existing Exchange 2003 or 2007 server license to qualify. Are you able to confirm?
    Many Thanks

    1. iVinayak says:

      You can request a Hybrid Edition product key if all the following conditions apply to you:
      • You have an existing, non-trial, Office 365 subscription.
      • You currently do not have a licensed Exchange 2013 or Exchange 2010 SP3 server in your on-premises organization.
      • You will not host any on-premises mailboxes on the Exchange 2013 or Exchange 2010 SP3 server on which you apply the Hybrid Edition product key.
      To obtain a Hybrid Edition product key for your Exchange 2013 server or Exchange 2010 SP3 server, go to the Exchange hybrid product key distribution wizard.

      1. Carl says:

        Hi, We are using an Exchange 2013 server for management only, as all mailboxes are located in Office 365. However, the option for New Office 365 mailbox is not visible in EAC. Is there away to make this option visible without running the HCW. We can use New-RemoteMailbox but would also like the GUI option. Many Thanks

        1. verocab says:

          Same as Carl here, anyone has an answer?

        2. Me says:

          I opened up a case with Microsoft support to ask whether there’s a way to enable the option to create an “Office 365 Mailbox” without running the HCW. They indicated there was not, but after installing HCW features of the tool can be disabled by running…
          Set-HybridConfiguration -Features $null

          It would be nice if there were an option to enable this capability without installing HCW!

  13. michael hinckley says:

    You say you need to have Exchange on prem but in this article it states all you need is to install Exchange schema extension on-premise AD server. Is that correct?

    1. iVinayak says:

      Our recommendation for an SSO environment is having at least one Exchange Server on-premises, but the customer only has one Exchange Server. If they keep the server, they can’t get the cost benefit…
      (They have only 500 users and I don’t know why they chose hybrid migration.) In my understanding, if they remove on-premises, they will never be able to change several attributes in a supported way, and the scope depends on whether the user is a hybrid migration user or not.
      For example, an administrator can enable/disable the archive mailbox for a regular federated mailbox on the admin portal/shell but can’t do it for a hybrid migrated mailbox.

      I think it’s easy to edit proxyAddresses or other text-base attributes with something like ADSIEdit but it’s not easy to enable/disable archive without powershell.

  14. Sandro Alves says:


    I know I need AD Connect (Dirsync) and if you want, ADFS to enable SSO. It is clear to me.

    We have Exchange Online with 200 mailboxes.

    We want to enable password synchronization active directory with Office 365.

    According to what I study and talked to friends, I need an Exchange Onpremises.

    I got this. Perfect.

    My question:

    – Do I need to install Exchange on-premises first, before enabling password synchronization? I understand that yes.

    – What Exchange version should I use as a recommendation? I know I can use Exchange 2010, 2013 or 2016, but I want to know what the most appropriate.

    – Being either version, when we install Exchange, the expansion of the schema is performed.

    – How will I see the Office 365 mailboxes in my Exchange Onpremises? When the boxes will appear on the Exchange Onpremises? After synchronization?

    When we install Exchange on-premises, the user mail attributes appear only when I create a mailbox in Exchange on-premises.

    As I will not create mailbox for users because they already exist in Exchange Online. I want to know at what time they will appear on my Exchange Onpremises.

    They will appear in “recipients” of “Exchange Admin Center” after synchronization as “Remote user”?

    Thank you.

  15. Ivan Bakran says:

    We are running a Windows 2008 domain with an Exchange 2010 server on-premise and are using DirSync to sync user-accounts and passwords to Office 365. All mailboxes have been moved to Office 365 and to get them going I’ve had to create a Mail User for every user account with a mailbox in the cloud.
    Now, we don’t have any problem with keeping the Exchange 2010 server running on-prem, but my question is what you can do to “shrink” the server to its minimum with regard to running services and roles. Can I for instance do something to get rid of the mailbox database?

    Kindest regards
    Ivan Bakran

  16. Allister says:

    This article and the ones you link to deal with a completely different world than the real world the majority of your partners deal with day to day. Most of our customers are just on SBS or at most customers with separated Client Access and Mailbox roles.

    For those on SBS where we’re moving them to 2012 R2 + O365 for email but wanting to keep their passwords synced you expect us to then make what should be a simple as anything environment into something way over complex having to setup another Hub Transport role Exchange server and have this setup as a Hybrid Connection and the ongoing maintenance of this connection and setup?

    You guys are so out of touch with reality it is a joke. Extend the current AD UC console with an O365 tab for managing the couple of actually required attributes? Oh no, that would make sense; let's make our partners go set up Exchange + Hybrid Setup just to manage some attributes correctly.

    The only issue with the Attribute tab in AD the Microsoft staff can find issue with is again features that only really large corporate customers are going to care about – archiving? Jeez I moved customers to O365 so I don’t have to hear that word again. Everything for your small to medium customers is manageable and to say the Attributes Tab in AD is unsupported is a joke, all the Exchange Console is doing is providing a GUI for these fields. Joke Joke Joke.

    1. iVinayak says:

      Keep Exchange and Hybrid – this is the best option if you intend on continuing to use ANY on-premises Exchange service or data
      Keep Exchange but remove Hybrid – This is the best option if you are just using Exchange for Recipient Management purposes ONLY
      Remove Exchange and Hybrid – this is the best option if you have moved all Mailboxes and have Directory Synchronization deactivated

      What are we considering? A few options to address this situation. This is still being actively worked on; for now, keep your Exchange Server.

    2. Ben Harris says:

      We came up against this problem again and again – “Why do I need an Exch box, I want to move AWAY from on prem!”

      Our solution for smaller customers was the “Essentials Experience” in 2012R2. – Install the role, which gives you the ability to connect to 365, Sync passwords without ADconnect, manage licenses, email addresses etc. but keep the ability to edit in 365 too – from what I could see, it was simply running PowerShell commands behind the scenes and there was no requirement for Exchange or Hybrid.

  17. Carl Meyer says:

    I have run into this problem. My partner talked me into using SkyKick with a “cutover” migration and using dirsync to provide same sign-on. Now I have an Exchange 2010 box with the information store stopped, and no way to do anything with it.

    I wish I could delete exchange but my partner did not know better when starting my migration. So it looks like I need a hybrid exchange environment, but I don’t know how to get there since my email has been in the cloud for a month now.
