Hybrid Office 365 Exchange Deployment
By Dan Knowlden
Senior Systems Engineer
If you’re considering a Hybrid Office 365 deployment for your Exchange system, you have some important decisions to make regarding how to structure things. This is because there are three different ways that Office 365 Exchange can be deployed:
- Everything in Office 365, including all directories and authentication.
- Partial hybrid solution, with Active Directory (AD) synchronizations on premises and everything else in the cloud.
- Full hybrid Office 365 Exchange deployment, which means you have directory synchronization between Office 365 and an on-prem Exchange server that has the hybrid role deployed, and may have some mailboxes located on-prem and some in the cloud.
To help you determine which path is right for you, we’ll examine some of the pros and cons to the “full hybrid” option.
Advantages of a full hybrid Office 365 Exchange deployment
- Ease the migration path – A full hybrid deployment is often used as a “stepping stone” to a full Office 365 deployment. With the hybrid solution you can do a swing migration and take your time migrating mailboxes. If you start by going “all in” with Office 365 you’ll have to do a cut-over migration, which may be outside of your comfort zone.
- Gain flexibility – Be able to easily move mailboxes to and from Office 365 as needed.
- Meet security needs – With a hybrid solution you can keep some mailboxes on-prem for security reasons, where you can maintain greater control over them.
- Make account administration easier – If you are not moving to a full Office 365 deployment and you want your source of truth to be your on-prem AD, then a full hybrid deployment is the way to go. Having that on–prem hybrid Exchange server will enable you to add, delete or modify user accounts easily, from one location. In contrast, if you just have a partial hybrid solution you’ll have to use the Active Directory Attributes Editor to make these changes. Unfortunately, this Editor is very non-intuitive. You would need to know where to go and what to do in AD to change the user attributes so that they get properly synched with Office 365.
- Be able to add public folders to distribution lists – If you maintain your public folders on–premise, you’ll be able to add them to distribution lists. However, if your public folders are in Office 365 but your group source is from your on-prem Active Directory, you will not be able to add public folders to distribution lists. In fact, I recently ran into this exact issue.
Disadvantages of a full hybrid on-prem/Office 365 Exchange deployment
- Cause erroneous error messages – In a full hybrid Exchange deployment you must point your auto-discover records to your on-prem Exchange server. Unfortunately, this causes an error to be thrown into the Outlook troubleshooting tool that Microsoft provides. This tool is expecting the auto-discover records to be pointing to where the mailbox is. Because they are not, the tool spits out an error message. Although you can easily educate your helpdesk team about this issue, you need to be prepared for your end users to create tickets about this every time they run that troubleshooting tool.
- Make troubleshooting more difficult – Needless to say, a hybrid Exchange deployment is more complex than a full Office 365 deployment. This increases the complexity of your mail flow, which makes it harder to diagnose mail flow problems. Whether you have things configured so that mail initially goes through Office 365 and then flows down to your on-prem mailbox servers or vice versa, if something breaks down it will be harder to determine what went wrong.
- Make administration more complex – With the hybrid solution you will need to have, manage and maintain an on-prem Exchange server. To be supported by Microsoft, you’ll have to keep that server within two revisions of the latest release of the Exchange roll-up patch.
- Make running license reconciliation reports more difficult – You can run a license report against Office 365 and get a list of all of your licensed users. But if you’re in a hybrid deployment, you won’t know whether these people are active users, or if they’ve been disabled in your on-prem Active Directory but still have a license enabled in Office 365. Which is why in a hybrid deployment you have to run two reports. First you get that list of all of your licensed users from Office 365. Then you feed this data into a query in AD to find out if those accounts are enabled or not.
Which type of deployment do I recommend?
There really is not a “one size fits all” answer here. What is your current deployment? How big is it? What’s your go-forward plan?
If your long-term goal is to eliminate all of your on-prem servers, then moving to a full hybrid Office 365 Exchange deployment will be a priority. There are options to make administration easy when everything is in the cloud. However, this means that you’re trusting Microsoft with everything—which is both a pro and a con!
Personally, my preference is to go with a full hybrid Office 365 Exchange deployment for large organizations, and a full Office 365 deployment for smaller companies. Why? Because the large deployments typically have much stricter security requirements, while the security that’s built into Office 365 will usually meet a smaller organization’s needs.
Need help making these decisions and then making the deployment happen? Give us a call. As Microsoft Gold Certified Partners with over 20 years of experience helping enterprises make the most of Microsoft tools, we’re here for you.