What is the minimum forest functional level for managing hybrid 365 deployments


We have a hybrid deployment and have run into some troubles managing mail settings from the on-prem DCs. I believe the solution is to raise the functional level of the forest to 2016, but I want to confirm before migrating.

Domain controllers run on Windows Server 2012 R2 Datacentre and the current functional level matches. We use a mail-enabled security group for all staff. ([email protected]) We need to restrict which internal users can send mail to all staff. The Exchange admin keeps telling us to make the change on-prem. Our DCs seem to have no idea that this type of group is possible, and we can't find any way to manage the group on-prem.

Am I correct in thinking we need to raise the functional level to 2016? Is there an update we can apply to get this functionality from a forest at 2012 level, or are we out of luck?

Tried to manage a group in the usual way (AD Users and Computers), on-prem AD thinks it's a security group and NOT a distribution group - Azure AD knows it's a mail-enabled security group.

2

There are 2 best solutions below

3
SoySolisCarlos On

The functional level of the DCs is not related to your current situation.

If you migrated the emails and removed any Exchange Server from your on-premises environment, you must edit your mail-enabled security group on the Attributes tab in your local DC.

Here you can find more information about the attributes.

UPDATED

In your domain controller, you can add a user to your mail-enabled group via PowerShell:

```powershell
$GroupIdentity = "GROUPNAME"
# -Filter returns every user whose Name matches the pattern; use -Identity for an exact match
$User = Get-ADUser -Filter 'Name -like "USER-NAME"'
# authOrig is a multi-valued attribute holding the distinguished names of permitted senders
Set-ADGroup -Identity $GroupIdentity -Add @{ authOrig = $User.DistinguishedName }
# Read back the users who are allowed to send email to the group
Get-ADGroup -Identity $GroupIdentity -Properties authOrig | ForEach-Object { $_.authOrig }
```

After the execution of the command, you must force a synchronization in your Azure AD Connect.

Hope this helps!
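As an added example (not part of the answer above), the same on-premises approach carried through for a whole list of permitted senders, with the attribute read back for review and the Azure AD Connect delta sync triggered afterwards. The group name, the sAMAccountNames and the assumption that the script runs on a machine with the ActiveDirectory module (and, for the last step, on the Azure AD Connect server) are all placeholders/assumptions:

```powershell
# Added example, not from the original answer: restrict who may send to an
# on-premises mail-enabled security group by writing its authOrig attribute,
# then push the change to Azure AD with a delta sync.
Import-Module ActiveDirectory

$GroupName      = "AllStaff"                      # placeholder group sAMAccountName
$AllowedSenders = @("jane.doe", "john.smith")     # placeholder user sAMAccountNames

# authOrig is a multi-valued attribute; every entry must be a distinguished name.
# -ErrorAction Stop aborts before touching the group if any user cannot be resolved.
$senderDNs = foreach ($sam in $AllowedSenders) {
    (Get-ADUser -Identity $sam -ErrorAction Stop).DistinguishedName
}

# -Replace makes the attribute exactly this list (use -Add to append to an existing
# list, or -Clear authOrig to remove the restriction entirely).
Set-ADGroup -Identity $GroupName -Replace @{ authOrig = $senderDNs }

# Read the attribute back and resolve each DN to an account name for review.
$group = Get-ADGroup -Identity $GroupName -Properties authOrig
$group.authOrig | ForEach-Object {
    (Get-ADUser -Identity $_).SamAccountName
}

# Push the change to Azure AD / Exchange Online. Run this part on the Azure AD
# Connect server, where the ADSync module is installed.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta
```

Using `-Replace` rather than `-Add` keeps the script idempotent: rerunning it with the same list leaves the group in the declared state instead of accumulating entries.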

1
Specialist-Stand7592 On

Couple of points.

  1. With Windows 2012 R2 domain controllers, you cannot raise the functional level straight away. You need to introduce new domain controllers which are either 2016 or 2019 and remove the 2012 R2 ones completely before the functional levels can be raised. This is something you need to plan for, as all support for Windows 2012 R2 servers is ending soon.

  2. Raising the functional level has nothing to do with your issue.

  3. If you want to restrict users from emailing this mail enabled group, you need to make the change in Exchange Online (assuming that it is synchronized and Exchange Online sees it correctly). You can either create a transport rule or edit the properties of the group in Exchange Online (message restrictions options & stick in who can send to that group).

Hope this helps.
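As an added example (not part of the answer above), the "edit the properties of the group in Exchange Online" option scripted with the ExchangeOnlineManagement module. Addresses are placeholders. The script first checks the group's IsDirSynced flag, because Exchange Online refuses property edits on objects that are mastered in on-premises AD; in that case the restriction has to be set on-premises and synchronized instead, which is the situation the question describes:

```powershell
# Added example, not from the original answer: restrict senders to a group from
# Exchange Online. Requires the ExchangeOnlineManagement module and an admin account.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName "admin@example.com"          # placeholder admin UPN

$GroupAddress   = "allstaff@example.com"                                # placeholder group address
$AllowedSenders = @("jane.doe@example.com", "john.smith@example.com")  # placeholder senders

$group = Get-DistributionGroup -Identity $GroupAddress

if ($group.IsDirSynced) {
    # Directory-synchronized groups are read-only in Exchange Online; the
    # restriction must be set on the on-premises object and synced up.
    Write-Warning "$GroupAddress is directory-synced; set the sender restriction on-premises and run a sync."
}
else {
    # Only the listed senders may deliver to the group; everyone else is rejected.
    Set-DistributionGroup -Identity $GroupAddress `
        -AcceptMessagesOnlyFromSendersOrMembers $AllowedSenders

    # Read back the effective restriction for review.
    Get-DistributionGroup -Identity $GroupAddress |
        Select-Object Name, IsDirSynced, AcceptMessagesOnlyFromSendersOrMembers
}

Disconnect-ExchangeOnline -Confirm:$false
```

The mail flow rule alternative mentioned in point 3 can be scripted the same way with New-TransportRule and applies regardless of where the group is mastered, which is why it is worth considering for synced groups.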