In Microsoft's world, cloud email still often requires on-premises Exchange. Why?

Microsoft customers who use Exchange Online for all their email still often have to run on-premises Exchange to be supported – and that is a burden they could do without as new vulnerabilities appear. "This past week, security researchers discussed several ProxyShell vulnerabilities, including those which might be exploited on …

  1. Anonymous Coward
    Anonymous Coward

    Confused.com

    We run Office 365 in the cloud. And no on-premise Exchange. And we have AD-Connect.

    If we need to provision mailboxes, distribution lists, etc, we just do it via the Office 365 Exchange Admin center. (Or via APIs into the Office 365 cloud)

    We also have a Microsoft support agreement and they're perfectly happy with our setup with no on-prem Exchange.

    1. gryphon

      Re: Confused.com

      Interesting.

      However are you giving mailboxes to on-premises AD accounts or only to ones that are Azure AD only?

      In the former circumstance you can certainly provision a mailbox but then you won't be able to manage it properly.

      1. Anonymous Coward
        Anonymous Coward

        Re: Confused.com

        99% of accounts are synced from on-prem to AAD so this isn't an issue. The only accounts that aren't synced to AAD are local administrator-type accounts.

        1. martyn.hare

          Re: Confused.com

          If an account is synced from on-prem (from ADDS to Azure AD) then the attributes for the user account still have to be modified in AD and someone is either going to have to edit stuff by hand (unsupported but very doable) or they’re going to use an Exchange server which exists only for management reasons (supported).

          Unless Microsoft has added full two-way multi-master sync recently (have they?) AD is still authoritative, preventing a lot of management being done via Exchange Online.

          1. DavidYorkshire Bronze badge

            Re: Confused.com

            No two-way sync so far as I am aware. As you say, the local AD is authoritative.
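A worked example of the management path martyn.hare and DavidYorkshire describe: because the on-premises AD object is authoritative for a synced account, Exchange Online refuses writes to attributes such as proxyAddresses or msExchHideFromAddressLists on that object, so the edit has to be made in AD and carried up by Azure AD Connect. This is an added example, not code from the thread or from Microsoft. The account name, addresses and domains are placeholders; it assumes the Exchange schema extension is present in the forest, the RSAT ActiveDirectory module is installed, and the final step runs on the Azure AD Connect server where the ADSync module lives.

```powershell
# Added example: edit Exchange attributes on a directory-synced user in the
# authoritative on-premises AD, then push a delta sync to Azure AD / Exchange Online.
# All names and addresses below are placeholders.
Import-Module ActiveDirectory

$Sam     = 'jsmith'                                   # placeholder sAMAccountName
$Primary = 'john.smith@example.com'                   # placeholder primary SMTP address
$Alias   = 'jsmith@example.com'                       # placeholder secondary address
$Routing = 'jsmith@contoso.mail.onmicrosoft.com'      # placeholder tenant routing address

$user = Get-ADUser -Identity $Sam -Properties proxyAddresses, mail, msExchHideFromAddressLists

# proxyAddresses is multi-valued. Exactly one entry may carry the upper-case
# "SMTP:" prefix (the primary address). Rebuild the SMTP set explicitly instead of
# appending, so a stale primary cannot be left behind; keep non-SMTP entries
# (X500:, SIP:, ...) untouched. -notmatch is case-insensitive, so this drops
# both "SMTP:" and "smtp:" entries.
$nonSmtp = @($user.proxyAddresses | Where-Object { $_ -notmatch '^smtp:' })
$smtp    = @("SMTP:$Primary", "smtp:$Alias", "smtp:$Routing")

Set-ADUser -Identity $Sam -Replace @{
    proxyAddresses             = [string[]]($nonSmtp + $smtp)
    mail                       = $Primary
    msExchHideFromAddressLists = $true    # the kind of setting EXO will not let you change on a synced object
}

# Sanity check before syncing: exactly one primary (upper-case SMTP:) address.
$after     = (Get-ADUser -Identity $Sam -Properties proxyAddresses).proxyAddresses
$primaries = @($after | Where-Object { $_ -cmatch '^SMTP:' })
if ($primaries.Count -ne 1) {
    throw "Expected exactly one primary SMTP address on $Sam, found $($primaries.Count)"
}

# Push the change now rather than waiting for the scheduler.
# Run this part on the Azure AD Connect server.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
```

This is the "edit stuff by hand" route from the post above. Microsoft's supported alternative is the same attribute edit made through a management-only on-premises Exchange server, which is the whole reason such servers survive in otherwise cloud-only tenants.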

    2. Pirate Dave Silver badge
      Pirate

      Re: Confused.com

      Same confusion here. My current employer is an O365 shop, but we have no Exchange servers anywhere (although we apparently did until a few years before I started there), and use AADsync (or whatever they're calling DirSync now). We do have one query-based distribution group that's a PITA to edit and has to be done in ADSI, but we usually only change that at most once a year. Most normal stuff is just ADUC or PowerShell, and I've never known it to be considered "unsupported".

      My previous employer was a Novell/Groupwise shop and we migrated to O365 back in 2015. We never, ever had an Exchange server (and would have laughed heartily at the thought) before or after the migration. I did have to run the Exchange installer to extend the schema though. I remember doing that, hoping it wouldn't screw up my shiny new AD. But that's the closest we ever got to having an Exchange server.

      1. bombastic bob Silver badge
        Devil

        Re: Confused.com

        I don't use Exchange at all but I do engineering work (mostly remote) for a company that apparently uses the cloudy version. Recently they were having trouble receiving e-mail from me for some reason. I never did find out exactly why except that for about a week, the outlook servers wouldn't respond to regular SMTP protocol. Now that it's working again, I was wondering if someone had turned OFF the machine running Exchange (assuming there had been one) and maybe THAT caused the e-mail to stop working. It didn't help that their MX settings appeared to be wrong (2 backup SMTP servers that do not recognize any of their company e-mail addresses when I checked them). So for a little over a week, I'd send them mail, it would go to a backup server, and then bounce back. Frustrating.

        Their IT stuff is handled by a contractor that's apparently more of a B.S. artist than an IT pro. He doesn't seem to know basic networking very well (but apparently knows the right buttons to push to set up a new user's e-mail account). Unfortunately I'm not in Simon the BOFH's position and can't simply invite him to take a look out of the 3rd floor window...

        In any case the company's e-mail is "working" now. Nobody ever told me why it wasn't. It might not be my department but I hate to see things like that happen, especially when I have a "clever" setup on my own LAN (been running since mid 2000's) that involves sendmail and an IMAP server and forwarding that I set up through one of those inexpensive "rent a shared Linux server" services.

        And I wonder just how much of that was caused by Exchange...

    3. steviebuk Silver badge

      Re: Confused.com

      Same as us. No on prem and all working fine.

  2. Mike 137 Silver badge

    Admission

    'Microsoft's Exchange team [warned] yesterday. "It is critical to keep your Exchange servers updated with latest available Cumulative Update (CU) and Security Update (SU)."'

    translation: "after all this time, we still can't get it right"

  3. FiRem00

    We use Exchange On-Prem like this for management and to be still in support, but to also act as a mail relay from on-prem application servers

    1. J. Cook Silver badge

      That'll be one of two reasons why we will be keeping an on-prem Exchange server, the other being that we have it connected to Call Manager for voicemail and a few other things that Unity would have otherwise provided if we were to license it again.

  4. Charlie Clark Silver badge

    Need to get away from Exchange altogether

    Exchange is rapidly becoming the next Flash due to the monoculture. The arms race is hotting up and Microsoft has thus far not demonstrated that it can keep ahead of the hackers and, once Exchange is hacked, the hackers usually have the keys to the kingdom.

    It may be interesting to see how liability due to software flaws changes in the move to SaaS (Microsoft is pushing this because of lock-in, CIOs because of costs). Thus far software companies have been largely exempt from liability as long as they can provide an update for customers. It will be interesting to see the jurisprudence in an SaaS world.

    1. nijam Silver badge

      Re: Need to get away from Exchange altogether

      Whenever I find people having trouble getting their email to behave properly, it is almost invariably because they're using Exchange and Outlook, neither of which seems able to handle email (as opposed to all the MS stuff wedged into them) properly.

      1. big_D Silver badge

        Re: Need to get away from Exchange altogether

        I worked for a security company and the CIO is a well known security researcher and well published. He was always swearing at the email, because external people would use Exchange and the DKIM and DMARC information was usually garbled/not correctly formatted and caused problems when our mail server rejected the emails.

        1. Charlie Clark Silver badge

          Re: Need to get away from Exchange altogether

          format/flowed is another thing Outlook can't get right.

  5. DavidYorkshire Bronze badge

    "Microsoft will let customers have an on-premises Exchange licence for free if this scenario applies."

    It's a while since I checked, but so far as I am aware this only applies to Exchange 2016, not 2019, so if you want to use 2019 then you need to buy a license for it. Also, if you use 2016 then you are also stuck with Windows Server 2016 as the host OS, because Exchange 2019 requires Windows Server 2019.

    In addition, Exchange 2019 has a ridiculously high RAM requirement (128GB).

    For that reason we still have our Exchange server (which doesn't host the mailboxes - they are all on 365) on the 2016 versions of both, despite having upgraded nearly all other VMs to 2019 now.

    I expect that various bodges might work such as unsupported OS / Exchange version combinations, and lower than the official minimum of RAM, but we don't really want to risk it with something like this, given that if there are problems the response from Microsoft is likely to be to point out that it's an unsupported configuration.

    The whole hybrid AD / Exchange is an absolute mess - some things have to be configured in local AD, some in the 365 admin portal, some in local Exchange, some in 365 Exchange. Plus Azure AD connect, and Intune Connector (if you use Intune) have to be set up and kept an eye on. Why can't they come up with a unified, coherent management and syncing system for all of it? Far more worthwhile and useful than rounded window corners and default-centred taskbar icons...

    1. nijam Silver badge

      > Why can't they come up with a unified, coherent management and syncing system

      Because then users and administrators could actually control it, and therefore be able to turn off all the "features" they don't need. And after that, realise that they've been sold (or at least sold on) complete overkill for their needs.

    2. Pascal Monett Silver badge

      Re: The whole hybrid AD / Exchange is an absolute mess

      Well, it's Microsoft. What did you expect ?

    3. cb7

      128GB?

      Running Exchange 2019 on a VM with 28GB RAM just fine here. Admittedly it's for a small shop with less than half a dozen employees.

      The owner prefers paying up front to ongoing subs. Which if nothing goes wrong, does work out cheaper in the long run.

      The more interesting question I have is, how come On-Premises Exchange was vulnerable to the zero days discovered earlier this year whilst Exchange Online wasn't?

  6. FourCandles

    Filter msExchMailboxGuid?

    Is it OK to filter the msExchMailboxGuid attribute in AD Connect so that the synced email accounts are managed completely in O365?

  7. WShelt0n

    Screw 'em

    We got sick of this at a previous stop. Just downloaded the exchange media, used it to extend the schema, and wrote PS scripts to update AD when we needed. AD connect was happy, I didn't have exchange on prem, and MS support never batted an eye the very few times we ever called them

    1. Anonymous Coward
      Anonymous Coward

      Re: Screw 'em

      If you have ever extended the schema with the Exchange installer, make sure you read this even if you no longer have on premises Exchange server(s).

      https://techcommunity.microsoft.com/t5/exchange-team-blog/how-to-update-ad-schema-to-address-cve-2021-34470-if-exchange-is/ba-p/2617083
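An added check, not code from the thread or from the linked Microsoft post, for the situation WShelt0n and the reply describe: a forest whose schema was extended by the Exchange installer but which runs no Exchange server, so nothing on the box will ever apply an Exchange Cumulative Update to the schema. It reports the Exchange schema version and whether the ms-Exch-Storage-Group class still lists computer as a possible superior, which is the condition the linked post's CVE-2021-34470 schema update removes; that attribute detail is my reading of the post and should be confirmed against it before acting on the result. It assumes the RSAT ActiveDirectory module and read access to the schema partition.

```powershell
# Added example: audit the Exchange schema extension in a forest with no Exchange server.
# Class and attribute names are those of the Exchange schema; the CVE-2021-34470
# condition checked here is an assumption drawn from the linked Microsoft post.
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# ms-Exch-Schema-Version-Pt carries the Exchange schema version in rangeUpper.
# Get-ADObject -Identity throws when the object is absent, so wrap it.
try {
    $verObj = Get-ADObject -Identity "CN=ms-Exch-Schema-Version-Pt,$schemaNC" `
                           -Properties rangeUpper -ErrorAction Stop
} catch {
    $verObj = $null
}

if (-not $verObj) {
    Write-Output 'No Exchange schema extension found in this forest; nothing to patch.'
} else {
    Write-Output "Exchange schema present, rangeUpper (schema version) = $($verObj.rangeUpper)"

    # CVE-2021-34470 schema fix (assumption, see lead-in): 'computer' must no longer
    # appear in possSuperiors of the ms-Exch-Storage-Group class.
    $sg = Get-ADObject -Identity "CN=ms-Exch-Storage-Group,$schemaNC" `
                       -Properties possSuperiors -ErrorAction Stop

    if (@($sg.possSuperiors) -contains 'computer') {
        Write-Warning 'ms-Exch-Storage-Group still lists computer in possSuperiors: the CVE-2021-34470 schema update has NOT been applied.'
    } else {
        Write-Output 'ms-Exch-Storage-Group does not list computer in possSuperiors: schema update appears applied.'
    }
}
```

Run it as a user who can read the schema partition (any authenticated user normally can); applying the fix itself needs Schema Admins and should follow the procedure in the linked post rather than an ad hoc edit.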

  8. SleepGuy

    Typical Microsoft, take something relatively simple like email and weave it so tightly into every fiber of your platform that managing it is a nightmare. Oh, and because it's so huge and unmanageable, it also gets hacked constantly. Sounds like a great email platform to me. /s

    1. A Non e-mouse Silver badge
      Mushroom

      take something relatively simple like email

      It must be nice having a Raspberry Pi sat in the corner of your home office running your personal email server (with probably just one account).

      Those of us in the real world, however, who deal with very large volumes of emails, clients, servers, storage, etc. know that email is not simple.

      1. bombastic bob Silver badge
        Devil

        Those of us in the real world ... know that email is not simple.

        I could certainly replicate MOST of what I've done on an RPi but I don't think I'd want to. My setup uses FreeBSD and is based on a config I originally set up back in the mid-2000's, has DNS, IMAP, shared host mail forwarded in and received by sendmail, etc. etc.. Not 'simple' (but not so impossible either). ZFS replication is nice, as well as cron for daily backups. A bit much for an RPi. Still is kinda nice having daily cron job results and Fail2Ban output sent to a specific IMAP folder so I can look at it if I want.

        As for the ability to handle large volumes of e-mail, that would depend on my internet connection, Cyrus IMAPD, the shared host that forwards mail to my LAN server, and sendmail. (My internet connection is probably the weakest link)

        In any case, I can't claim to be any kind of network guru unless I can manage to set all that up...

    2. A Non e-mouse Silver badge

      BTW - Novell did the same when they acquired the Groupwise product: they tightly wove Groupwise into their directory product (NDS/eDirectory). Speaking as an ex-Novell sysadmin, that integration worked really well.

      1. Pirate Dave Silver badge
        Pirate

        I second that. I ran a Groupwise system for a long time, and it was always solid as a rock, other than the occasional GWIA barfing on a weird email. We eventually moved to O365 because Microsoft included the licenses free for academic Volume Licensing Customers, so that was three fewer servers I had to keep running. (although the spark that convinced us to move was Novell selling itself off).

        I still consider Groupwise to be the better email system from an admin's standpoint. We (very) briefly considered moving to Exchange in 2011, until we found out MS had removed single-instance storage. When MS came out with O365 a year or two later, we started planning our move. I wouldn't wish a Groupwise to O365 migration on my worst enemy. What a freaking nightmare.

  10. Anonymous Coward
    Anonymous Coward

    Can CNCF please shepherd through an open source AD equivalent?

    This sort of key business capability should not be in the hands of crazy people.

    1. bombastic bob Silver badge
      Meh

      Re: Can CNCF please shepherd through an open source AD equivalent?

      I think it would depend on your needs. AD (from my viewpoint) has a lot of tentacles...
