Questions[exchange-hybrid](server)

We are running Exchange Hybrid Mode with remote mailbox and archive in M365. One of our employees left many months ago and so their mailbox went to soft deletion/retention. Their AD object was only disabled (never deleted), so when it got restored and synced back through Entra Connect, a new M365 user with same alias but (empty) mailbox was created (which was fine).

Our issue is that the AD user still has the prior msExchArchiveGUID for the user, and this archive is still soft deleted in EOL, but again, the user in M365 is a different version of the user. I need to figure out how to tell AD to create a new (empty) archive for the M365 user now active.

Details:

In EAC:

If I run: Get-RemoteMailbox returningUser | fl displayname, ArchiveGuid it reports from the msExchArchiveGUID property in AD.:

ArchiveGuid : some-legit-archive-guid-number

In EOL:

If I run: Get-Mailbox returningUser | fl archiveguid I get:

ArchiveGuid : 00000000-0000-0000-0000-000000000000

However, if I run: Get-EXOMailbox -SoftDeletedMailbox -Archive | where { $_.alias -eq 'returningUser' } | select Guid

I get:

Guid 
---
some-legit-archive-guid-number

What I've tried: Deleting the Hybrid-based archive, syncing, then re-adding:

In EAC: Disable-RemoteMailbox returningUser -Archive, run Entra Connect, everything looks good. msExchArchiveGUID in AD is empty. When I run Enable-RemoteMailbox returningUser -Archive the pesky prior msExchArchiveGUID returns.

I've read a lot of examples of mismatches where the solution is telling EAC to use the EOL version of the Archive GUID, but in this case it seems to be that EOL can't use the EAC version of the GUID because it's soft deleted and tied to a prior artifact user.

If anyone knows how to tell EAC to stop looking (wherever it is looking) for that prior ArchiveGUID and just issue a new archive, I'd be grateful!

Thanks!

Last note: If I run this:

Get-MsolUser -HasErrorsOnly | fl DisplayName,UserPrincipalName,@{Name="Error";Expression={($_.errors[0].ErrorDetail.objecterrors.errorrecord.ErrorDescription)}}

The error is:

{The value "some-legit-archive-guid-number" of 
property "ArchiveGuid" is used by another recipient object. 
Please specify a unique value.}

(aka same soft deleted GUID)

If you use Exchange 2016 Hybrid, but only for cloud mailbox management and outbound relay, is it "worth" swapping in an Exchange 2019 Hybrid host instead?

More details: A while back, someone helped us initially set up Azure AD Connect and an Exchange 2016 Hybrid, used for cloud mailbox setup and relay outbound from copiers and legacy apps. No clients or services have ever accessed the hybrid host except for SMTP Auth (and again it is all internal outbound to EXO). We have no public folders or anything else that someone coming from prior on-prem Exchange hosting might have. (We do manage distribution lists internally, but that syncs through AADConnect). That person is gone, and I have been keeping up the Cumulative Updates and keeping both AADConnect and EX2016 hybrid running smoothly, as is.

Exchange 2016 extended support ends October 2025. Now that Exchange 2019 CU12 has a free hybrid license and supports Windows 2022 Server, I cannot tell if it is worth the risk of swapping this in for future-proofing protection.

Since I did not directly set up the initial environment, I'm concerned I'm over-simplifying what would be needed. My understanding of the process is as follows:

1. Leave EX2016 alone: On a separate host, install Windows 2022 and Exchange 2019 CU12 - this process obviously involves extending the AD schema for EX2019
2. Run the latest online Hybrid Configuration Wizard ("HCW") just long enough to get the free license
3. Configure 3rd party SSL cert, (re)create receive connectors, test relay out from internal apps
4. Re-run HCW, continue through to transfer the connection to this new EX2019 host versus EX2016 one

Things I don't know:

• Whether we must export the certificate(s) from 2016 and import to 2019 manually, or does HCW handle using the current cert on the 2019 box
• Whether HCW pulls in prior receive connector or any other useful settings from EX2016 to EX2019
• Whether we need to re-run the separate AADConnect setup again after the hybrid host changes
• Which MS entity handles support? Exchange Online support does not include Hybrid questions (even though we are only using a Hybrid box for EXO relay and cloud mailbox connectivity). Since we don't host on-prem Exchange, that team also does not handle support.

If anyone has performed "the swap" from 2016 to 2019, please let me know how far off base I am.

I know I have time - and the other obvious plan is to reduce any need for internal relay over the next two years while more and more legacy apps and devices start to catch up with changes to SMTP Auth (e.g. OAuth). Thanks!

The Microsoft documentation for the Disable-RemoteMailbox powershell cmdlet states:

Note: If you are deprovisioning a cloud mailbox and its associated online archive, you must first disable the online archive with the command Disable-RemoteMailbox -Archive and then perform a directory synchronization prior to disabling the remote mailbox. Attempting to disable both the online archive and cloud mailbox without a sync between them may result in an ArchiveGuid mismatch and validation error.

So 3 steps are required to deprovision a mailbox correctly:

1. Call Disable-RemoteMailbox "David Strome" -Archive
2. Wait for the AD Connect directory synchronization
3. Disable-RemoteMailbox "David Strome"

Is step #2 necessary if you also disable the on-premise AD user and you exclude disabled users from the directory synchronization, effectively deleting the AAD user and eventually the user and archive mailboxes?

If the person comes back for a new work period, the on-premise AD user is enabled. That may happen within the 30 days retention period for the mailboxes.

I have a customer that wants to migrate their users primary mailboxes from Exchange 2016 to Office 365-Exchange Online but leave their archive mailboxes on-prem.

I haven't been able to decipher what little I've found on this topic into a clear answer. Anyone know for certain whether this is a supported scenario?

To be clear this customer has not yet migrated, when they do they will be syncing AD and in a Hybrid relationship.

Thanks in advance for help!!!

I have been battling with Office365 support on this case for a little while, as what they have been telling me is/isn't possible, contradicts the documentation they have directed me to.

Some info:

• We have a 365 subscription with E3 licenses.
• We use ADFS and Azure AD connect, to provide single sign on and sync user objects from AD to Office365
• We wanted to extend our schema to include Exchange attributes to allow control of certain features currently not available to us
• We wanted to install Exchange on premise to allow proper supported management of Exchange attributes

I found Microsoft will provide a free Hybrid edition license key for Exchange 2016, so I decided we would be able to install and deploy an Exchange server in Hybrid mode. We have the server installed, and are preparing to deploy the Hybrid configuration.

The support rep advised me that all mail flow must go through Exchange on prem, and cannot go via 365. Essentially I think this is nonsense, as the on prem license does not allow us to host mailboxes, so this server should not be involved in mail flow at all. All it should do is act as the bridge between Exchange online and Active Directory.

He also said wildcard certificates are not supported in a Hybrid configuration, but couldn't tell me why.

Am I wrong in thinking that this scenario should be really straight forward and should work? We simply want all mail to continue going to 365, and it should not even touch our Exchange. All Exchange does is provide attributes, management tools and the organisational trust between AD and Exchange Online.