Office 365….the journey continues

By Emily Coates

Emily Coates is a Premier Field Engineer at Microsoft UK. She specialises in Messaging and Business Productivity, and is the proprietor of MissTech, a tech blog for all things cloud.

The quiet after the storm has come… either you’ve gone big bang and migrated all your mailboxes to Office 365 in one hit, or you’ve slowly but surely moved your mailboxes over to the Microsoft Cloud. Time to make a cup of tea and bask in your awesomeness.

With any project, once the work is over and the dust has settled, there are still tasks to complete, loose ends to tie up and servers to be decommissioned from use. The bits and bobs are, in my opinion, just as important as the project itself. I have included some of my own key decision points and notes from working on Office 365 projects here for your perusal. This is not an exhaustive list as every environment is different, but hopefully it will help you once you get to the end of your rollout.

SMTP Relaying

A big decision which needs to be made is regarding SMTP relay. Most companies use some form of relaying, be it scan to email on multi-function devices, or your anti-virus console sending alerts and notifications. Any system which sends mail will likely be connecting to your on premise Exchange server at present. There are various options available to customers with regards to relaying, but for the SMB or Enterprise environment, I believe the most easily manageable options are:

  • A dedicated IIS SMTP Virtual Server. This is configured to connect to an Exchange Online licensed mailbox. This option does require that you pay for an Exchange Online license just for the purposes of relaying, and you will also need to reconfigure your relay devices to point at your IIS SMTP server. If you don’t have an on premise Exchange box, then it is a great option as it is a very secure and manageable way to control relaying. You can find a great guide for setting this up here.
  • Making use of your Exchange Hybrid server as a Relay. If this server is going to stick around anyway for the purposes of user management, why not leave the Hub Transport role installed and make use of it? No additional licenses are required, there is a minimal footprint and no setup changes to your devices or Exchange setup are needed. The Hybrid deployment will do the hard work for you, namely through Remote Domains, the Outbound Hybrid Connector and your Email Address Policy.
  • Custom Inbound connector in Office 365. This involves creating an inbound connector in Office 365 which allows mail to be received from your public IP addresses (this will already exist in some form if you have a hybrid deployment). You can then configure your relay devices to point to your Office 365 MX hostname and configure the appropriate firewall rule/s to allow these devices outbound on port 25. No additional licenses are needed for this, and it has a very small footprint. This setup option is great if you have a single office and no on premise Exchange server, but if you have multiple branch offices then it can become rather complicated to manage.

All of these options help to decrease the attack surface of your network by limiting traffic outbound on port 25. They allow for all relaying situations: authenticated, unauthenticated, external relay and internal relay. You can also use different email addresses as the sending address, so your scanner can still send from iamaprinter@domain.com and your anti-virus console can still send from youvegotavirus@domain.com.

The other options for relaying are direct send and SMTP client submission. However, both of these have some kind of limitation, and using a mix of solutions to get around this seems, to me anyway, to be confusing and counter-intuitive. Microsoft have published a very useful TechNet article about SMTP relaying options which may help you decide which is the best option for you.
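Whichever option you choose, the relay path should only be open to the devices that need it. The following is an added example (not from the original post) for the Exchange Hybrid relay option: it audits the receive connectors on the on-premises server and flags any that allow anonymous relay from addresses outside an approved list. It assumes the Exchange Management Shell (2010 or 2013); the device address list is constructed for the example.

```powershell
# Added example: audit anonymous relay scope on the hybrid/relay server.
# Assumes Exchange Management Shell 2010/2013. Approved ranges are constructed
# placeholders; replace them with your scanners, AV console, etc.
$approvedRelayRanges = @('10.0.0.20', '10.0.0.21', '10.0.1.0/24')

function Test-OpenRelayScope {
    param([string[]]$Ranges)
    # The default RemoteIPRanges value accepts every address: effectively an open relay
    return ($Ranges -contains '0.0.0.0-255.255.255.255')
}

foreach ($rc in Get-ReceiveConnector) {
    # Anonymous relay = AnonymousUsers permission group plus the Accept-Any-Recipient right
    $anon = $rc.PermissionGroups -match 'AnonymousUsers'
    $anyRecipient = Get-ADPermission -Identity $rc.Identity |
        Where-Object { $_.User -like '*ANONYMOUS LOGON*' -and
                       $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' }
    if (-not ($anon -and $anyRecipient)) { continue }

    # Compare the connector's ranges (as strings) with the approved list
    $ranges     = $rc.RemoteIPRanges | ForEach-Object { $_.ToString() }
    $unexpected = $ranges | Where-Object { $approvedRelayRanges -notcontains $_ }

    if (Test-OpenRelayScope $ranges) {
        Write-Warning "$($rc.Identity): anonymous relay allowed from ANY address (open relay)"
    } elseif ($unexpected) {
        Write-Warning "$($rc.Identity): anonymous relay allowed from unapproved ranges: $($unexpected -join ', ')"
    } else {
        Write-Host "$($rc.Identity): anonymous relay correctly limited to approved devices"
    }
}
```

The range comparison is a plain string match, so a connector scoped as 10.0.1.0-10.0.1.255 rather than 10.0.1.0/24 will be reported as unapproved and should be reviewed by hand.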

Post Migration Tidy Up

First things first, make sure that all DNS records are pointed to Office 365 if they are not already. A few months back I wrote a long and hugely entertaining blog post on the subject of Office 365 DNS configuration which you may like to take a gander at.

Lock down your firewall. Make sure that SMTP traffic on port 25/587 can only go outbound from your relay devices or central relay point, and block port 25/587 inbound completely. You will also want to remove any rules you had for port 443 inbound to your Exchange server, as this will no longer be used for remote access. Any reverse proxy functionality and/or SSL Offloading will also become irrelevant at this stage and can be removed.

Ensure your Outlook clients are streamlined by configuring Group Policy to only look for autodiscover.domain.com records. This will make sure that your autodiscover lookups complete quickly and that your Outlook clients do not accidentally go looking for an On Premise Exchange Server. I usually disable every option here except for the autodiscover domain and HTTP redirect.
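The Group Policy settings above are written to registry values under the Office Policies key. As an added example (not from the original post), this script sets the same values directly, keeping only the autodiscover domain and HTTP redirect lookups as the post recommends. It assumes Outlook 2013 (key version 15.0; use 16.0 for Outlook 2016) and is meant for testing on one machine before you push the equivalent policy.

```powershell
# Added example: Outlook Autodiscover lookup restrictions, written to the policy
# registry key that the Outlook ADMX template controls. Assumes Outlook 2013 (15.0).
$key = 'HKCU:\Software\Policies\Microsoft\Office\15.0\Outlook\AutoDiscover'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

# 1 = skip this lookup method, 0 = keep it
$settings = @{
    ExcludeScpLookup               = 1   # do not query AD for an on-premises Exchange SCP
    ExcludeHttpsRootDomain         = 1   # skip https://domain.com/autodiscover/autodiscover.xml
    ExcludeSrvRecord               = 1   # skip the _autodiscover._tcp SRV lookup
    ExcludeLastKnownGoodUrl        = 1   # skip the cached last-known-good URL
    PreferLocalXML                 = 0   # no local autodiscover.xml override
    ExcludeHttpsAutoDiscoverDomain = 0   # keep https://autodiscover.domain.com (the Office 365 path)
    ExcludeHttpRedirect            = 0   # keep the HTTP redirect step
}

foreach ($name in $settings.Keys) {
    Set-ItemProperty -Path $key -Name $name -Value $settings[$name] -Type DWord
}

# Show the resulting policy so it can be checked against the GPO report
Get-ItemProperty -Path $key | Select-Object Exclude*, PreferLocalXML
```

Skipping the SCP lookup is what stops a client on the corporate LAN from finding the old on-premises server; skipping the root-domain HTTPS lookup avoids the slow timeout against a corporate website that does not answer on port 443.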

If you use additional Mail Hygiene services above and beyond the Office 365 hygiene service, Exchange Online Protection (such as Mimecast or MessageLabs), you may have already decided to lock down inbound mail flow to only allow mail from these services to come into Exchange Online. This is done by using a custom Inbound Connector in Exchange Online, although there is some extra configuration required if you also use SharePoint Online.
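One way to build that lockdown connector, as an added example (not from the original post): a Partner inbound connector that only accepts mail arriving from the hygiene service's addresses. It assumes a remote PowerShell session to Exchange Online; the IP ranges are placeholders, so use the ranges your provider publishes.

```powershell
# Added example: restrict inbound internet mail to the third-party hygiene service.
# Assumes an Exchange Online PowerShell session. Ranges below are placeholders (RFC 5737).
$hygieneRanges = @('203.0.113.0/24', '198.51.100.0/24')

New-InboundConnector -Name 'Inbound from mail hygiene service' `
    -ConnectorType Partner `
    -SenderDomains '*' `
    -SenderIPAddresses $hygieneRanges `
    -RestrictDomainsToIPAddresses $true `
    -RequireTls $true `
    -Enabled $true

# With RestrictDomainsToIPAddresses set, mail for the listed sender domains (here, all of
# them) that arrives from any other source IP is rejected, so a sender cannot bypass the
# hygiene service by delivering straight to the Office 365 MX record.
Get-InboundConnector 'Inbound from mail hygiene service' |
    Format-List Name, ConnectorType, SenderDomains, SenderIPAddresses,
                RestrictDomainsToIPAddresses, RequireTls
```

Test with a message sent from a mailbox outside both your tenant and the hygiene service before you rely on it, and remember the SharePoint Online caveat mentioned above.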

The Last Exchange Server

There are various articles on removing the last Exchange server in your environment scattered around the internet, the most useful one being Configuring your Exchange Server in a Hybrid Deployment. I won’t add too much to the argument here; however, what I would say is that if you have migrated from Exchange 2003 and still want to use some kind of Exchange management tools to manage your email addresses, then please, please, please don’t leave the Exchange 2003 server there! It is no longer supported, and neither is the Server 2003 OS it is installed on! Install an Exchange 2010 server instead: you can get a free ‘Hybrid edition’ product key for this purpose, and if you want to you can even install 2013 using your free key once you’ve migrated to 2010 and cleanly uninstalled your 2003 server. Exchange Server 2013 is by far the best software to use to manage Office 365 mailboxes. There are licensing-based limitations as to what you can do with a Hybrid server (for example, you cannot host mailboxes), but you can manage user objects and use it for relaying, which is more than sufficient.

The tasks which become cumbersome if you remove your last Exchange server are: adding/removing email addresses for users, enabling an Archive mailbox and changing the Owner of a Distribution List. In addition to this, Exchange Online has no capability at present to create an Email Address Policy. This means that if you have multiple SMTP domains and aliases and no Exchange Server on premise, you will need to add all aliases manually every time you create a new user or change SMTP aliases. This is all done via ADSIEdit, which can be a dangerous place to be if you don’t know what you are doing. Generally I would advise that you keep an Exchange Server of some form installed just for management purposes, unless you rarely change email aliases.

My checklist for cleaning up an Exchange environment post-migration goes something like this, but please don’t take it as an exhaustive list as every environment is different!

Cutover/Staged (2003/2007)

  • Convert mailboxes to Mail Enabled Users using the guide below, from the Office 365 Wiki. This removes the mailbox whilst leaving the proxy addresses in place, and then adds a target address to the user, allowing you to manage your Exchange Online mailbox users without using ADSIEdit.
  • Remove or export to PST any remaining mailboxes (Staged migration only)
  • Ensure Public Folders are migrated to Exchange Online or moved into SharePoint Online
  • If required, install Exchange 2010 Management Tools/Hub Transport using your Hybrid edition product key
    • Configure relaying
    • Test management/creation of Exchange Online mailboxes
  • Decommission Exchange 2003
  • Install Exchange 2013 Management Tools/Hub Transport
    • Configure relaying
    • Test management/creation of Exchange Online mailboxes
    • Decommission 2010
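The first item of the Cutover/Staged checklist, converting a migrated mailbox to a mail-enabled user, as an added example (this is not the Office 365 Wiki script the post refers to). It assumes the Exchange Management Shell (2007 or 2010), that the mailbox content has already been confirmed migrated, and a placeholder tenant routing domain of contoso.mail.onmicrosoft.com; save it as a .ps1 and run it once per mailbox.

```powershell
# Added example: convert one migrated mailbox to a mail-enabled user (MEU).
# Assumes Exchange Management Shell 2007/2010; the routing domain is a placeholder.
param([Parameter(Mandatory = $true)][string]$Identity)

$mbx = Get-Mailbox -Identity $Identity -ErrorAction Stop

# Capture every proxy address and the old legacyExchangeDN before Disable-Mailbox clears them
$proxies  = @($mbx.EmailAddresses | ForEach-Object { $_.ProxyAddressString })
$proxies += "X500:$($mbx.LegacyExchangeDN)"        # keeps replies to pre-migration mail resolvable
$target   = "$($mbx.Alias)@contoso.mail.onmicrosoft.com"   # placeholder tenant routing domain

# Remove the mailbox attributes, then re-create the object as a MEU pointing at Exchange Online
Disable-Mailbox -Identity $Identity -Confirm:$false
Enable-MailUser -Identity $Identity -ExternalEmailAddress $target -ErrorAction Stop

# Restore the saved addresses; disable the address policy so it cannot overwrite them
Set-MailUser -Identity $Identity -EmailAddresses $proxies -EmailAddressPolicyEnabled $false

# Confirm the result: the primary SMTP address should be unchanged and the target address set
Get-MailUser -Identity $Identity | Format-List Name, PrimarySmtpAddress, ExternalEmailAddress, EmailAddresses
```

Because Disable-Mailbox is not reversible without a reconnect, run it against a test user first and keep the output of the Get-Mailbox call as a record of the original addresses.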

Hybrid (2010/2013)

  • Remove or export to PST any remaining mailboxes
  • Ensure Public Folders are migrated to Exchange Online or moved into SharePoint Online
  • Ensure transport rules and/or journaling configuration have been copied over
  • Slim down Exchange server
    • Remove all but single Exchange 2010/2013 Server
    • Remove Mailbox/CAS roles
    • Remove drives used for Mailbox role (Database & Logs)
    • Dismantle Hybrid configuration objects, leaving in place:
      • Outbound Hybrid Connector (if using Exchange Hybrid as Relay)
      • Relay Receive Connector (if using Exchange Hybrid as Relay)
      • Email Address Policies
      • Accepted and Remote Domains
    • Remove resources from remaining Exchange server. I usually go down to 1 vCPU and 8GB RAM

Life goes on

Once all this wizardry is complete, either by your own hands or by the hands of a trusted Microsoft Partner such as EACS, you can sit back and take it easy, safe in the knowledge that you have no more maintenance windows or refresh cycles to worry about. If you have left your hybrid server in place, as most customers do, you still need to treat it as a production server. Patch it and keep it in good shape as you would any other server. Many customers migrate AADSync and Office 365 PowerShell to the hybrid server at this stage and treat it as the Office 365 management server.

But what to do with all this free time? If you haven’t already rolled out Skype for Business, OneDrive and SharePoint Online, now is the time to get stuck in and enable your users to be more mobile and more collaborative! Remember, Exchange Online is just one part of the Office 365 product suite. The fantastic thing about Office 365 is that new services and features are constantly being added to keep you on your toes and make your workplace more modern and productive.

Personally, I always like to keep my eye on the Office 365 Roadmap and the Office 365 Blog so I can learn about the new, shiny nuts and bolts which are planned or in the process of being released. In the Office 365 Admin console, under Service Settings>Updates, you can opt particular users in to the First Release program, giving you and your business’s technology champions the bells and whistles before anybody else!

Resources