Thursday, 27 September 2018

Understanding AD Attributes in an Exchange Hybrid

Scenrio: You have Active Directory which stores users with AD Connect doing password sync, all mailboxes with the exception of a few are in Office 365. Hybrid mail flow is required between the on premise mailboxes and Office 365. All the AD users were created using AD Users and Computers and not the Exchange Server.
Problem: If you have on premise user accounts with Office 365 mailboxes. If the user accounts have been created using Active Directory Users and Computers and not Exchange they will not have all the required attributes to route mail internally.
It's worth having an Exchange Server purely to do email administration, unless you know what AD attributes to manipulate manually.
Office 365 mailboxes should be created using the on premise Exchange Server, this will create the new AD object with the correct attitrbutes set.

When a new mailbox in Office 365 is created with an on premise user account Exchange populates the "targetAddress" attribute which is used to route mail from on premise to Office 365. Please note this attribute is not synced to AAD using AD Connect.
It's added in the format SMTP:username@domain.mail.onmicrosoft.com

It also populates the "proxyAddresses" attribute with a primary email set to the custom domain and another set to @domain.mail.onmicrosoft.com 

If you force AD Connect to sync the user will appear as unlicensed in the portal. 

Assign a license to it then force another AD sync.

If you return to the "proxyAddresses" attribute you will see another x500 field has been create. All of these attributes are required to ensure mail can be routed between on premise and Office 365.

If you have created a batch of users in the traditional way, synced them to Office 365, assigned licenses then allowed users to use the mailboxes. You will not be able to send mail from on premise mailboxes to them, this is because the "targetAddress" attribute is not populated by ADUC.

Comments system

Disqus Shortname