
Have a site that needs to keep a local Windows 2016 file server due to legacy LOB applications.

Have migrated Exchange from SBS 2011 to Office 365. Running in Hybrid mode, which handles AD sync for passwords etc. between on-premises and cloud.

My question is how to maintain local Active Directory for computer accounts and logons and keep passwords in sync with Office365?

Matt

1 Answer


My question is how to maintain local Active Directory for computer accounts and logons and keep passwords in sync with Office 365?

If you're already using Azure AD Connect then you don't need to do anything; you're already doing it. Keep using Azure AD Connect like you are now. If you're using password hash sync then the password hash for each user account will sync to the Azure AD/Office 365 user account. If you're using pass-through authentication then your Office 365 users will authenticate directly with your AD.

A couple of points, based on your comment:

You probably want to install Azure AD Connect on the new server in staging mode. That way it's ready to take over once you decommission the old server. You can find more information about staging mode in Microsoft's online documentation.

The Hybrid option is used/needed when you are going to use the Exchange Hybrid configuration to migrate mailboxes from an on-premises Exchange Server to Office 365 and you're going to have mailboxes on both sides for some period of time. After your on-premises mailboxes have been migrated to Office 365 you will need to maintain a small-footprint Exchange server on premises for managing Exchange-related attributes for your users, groups, and contacts.

Azure Active Directory (AAD) comes in a number of editions. Azure AD Basic comes with Office 365 and is the "free" edition of Azure AD. So... you already have Azure AD. You don't need to pay anything additional for it. If you want more advanced Azure AD features you can purchase one of the other Azure AD editions.

Azure AD DS (Azure Active Directory Domain Services) is another animal altogether. For now, you should ignore anything related to Azure AD DS.

joeqwerty
  • Thanks! For some reason I thought the Hybrid configuration was a temporary one. I do need to decommission the SBS box and transfer needed AD roles to the new Windows Server; will I be able to do that and install AAD Sync on the new server and carry on ad infinitum? Much cheaper than AAD purchase. – Matt Jun 27 '19 at 02:27
  • Thanks again Joe! You say _After your on premises mailboxes have been migrated to Office 365 you will need to maintain a small footprint Exchange server on premises for managing Exchange related attributes for your users, groups, and contacts._ I was hoping I could have a Server 2016 File Server hosting their data and O365 doing the mail. If I ditch the soon to be EOL SBS, how could I maintain that _small footprint Exchange Server_ you mention? Thanks again. – Matt Jun 27 '19 at 09:45
  • When using Azure AD Connect to sync your on-premises users to Office 365, the on-premises AD is the source of authority for those users and their attributes. Because of that, you can only manage those attributes from on premises, including Exchange attributes (email addresses, etc.). You'll want to install Exchange Server (2016 or 2019) on the new server so that you can manage the Exchange attributes of your Office 365 users. You won't have any on-premises mailboxes, so the Exchange server is just for adding, modifying, etc. email addresses. – joeqwerty Jun 27 '19 at 11:59
  • Again thank you. So I guess the licensing question for Exchange comes up: do you know if that will be the same cost as purchasing Exchange Server and CALs as well? – Matt Jun 28 '19 at 03:21
  • Microsoft provides a free Exchange Server Hybrid license for this purpose. When you install the small footprint Exchange server you can run the Hybrid configuration wizard, which will automatically install the free license. – joeqwerty Jun 28 '19 at 03:23
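The answer above recommends installing Azure AD Connect on the new server in staging mode and only switching it to active once the old (SBS) server is decommissioned. The following PowerShell is an added example, not part of the original answer or of Microsoft's documentation; it shows how to confirm which server is the active exporter and whether password hash sync is actually running before the old box is turned off. It assumes the ADSync module that ships with Azure AD Connect on each server, and, for the tenant-side check, the MSOnline module and an account that can read tenant information. The server-side part runs offline against the local sync engine; the tenant-side part needs a connection to Office 365.

```powershell
# Added example (not the original answer's code). Run on each Azure AD Connect
# server as a local administrator. Assumes the ADSync module installed by
# Azure AD Connect is available on the machine.
Import-Module ADSync

$scheduler = Get-ADSyncScheduler

"Computer              : $env:COMPUTERNAME"
"StagingModeEnabled    : $($scheduler.StagingModeEnabled)"
"SyncCycleEnabled      : $($scheduler.SyncCycleEnabled)"
"SyncCycleInProgress   : $($scheduler.SyncCycleInProgress)"
"Next cycle (UTC)      : $($scheduler.NextSyncCyclePolicyType) at $($scheduler.NextSyncCycleStartTimeInUTC)"

# Exactly one Azure AD Connect server should report StagingModeEnabled = False.
# A staging-mode server imports and synchronises into its metaverse but never
# exports to Azure AD, so it is a safe standby while the old server is still live.
if ($scheduler.StagingModeEnabled) {
    "This server is a STANDBY: it does not export to Azure AD. Safe to leave running."
} else {
    "This server is the ACTIVE exporter. Promote the staging server (Azure AD Connect"
    "wizard -> 'Configure staging mode') BEFORE decommissioning this one, or sync stops."
}

# Optional tenant-side check (assumes the MSOnline module and a Global Reader or
# Global Admin account). Confirms that directory sync and password hash sync have
# actually completed recently; a stale LastPasswordSyncTime after a cutover means
# the new server is not exporting yet.
if (Get-Module -ListAvailable -Name MSOnline) {
    Connect-MsolService
    Get-MsolCompanyInformation |
        Select-Object DirectorySynchronizationEnabled, LastDirSyncTime,
                      PasswordSynchronizationEnabled, LastPasswordSyncTime
}
```

Run it on both servers and compare: the old server should show StagingModeEnabled = False and the new one True until the cutover. Switching the new server to active is done in the Azure AD Connect wizard, not with these cmdlets; after the switch, LastDirSyncTime and LastPasswordSyncTime in the tenant output should advance within the sync interval, which confirms that password hashes are still flowing from the local AD to Office 365.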