Remove Exchange Server

On-Premises Exchange Removal

After migrating all your mailboxes to Office 365, you may want to remove your last on-premises Exchange Server.

This is a subject of much controversy, and many admins end up being stuck with their on-premises Exchange Server. Don’t be one of those guys!

In this article, we’ll show you how to get rid of Exchange on-premises with a fail-proof step-by-step guide.

Additionally, we’ll reveal how you can make your Office 365 administration much more manageable. Sounds too good to be true? Not at all!

This guide assumes that you have a hybrid setup with Active Directory to Azure/Office 365 synchronization.

Prerequisites to Remove On-Premises Exchange Server

To verify if you’re ready to remove your last Exchange Server, make sure to complete the following five tasks:

  1. Verify that you have migrated all mailboxes to Office 365
  2. Verify you don’t have any public folders
  3. Verify that no applications or scan-to-email devices are using your local Exchange Server
  4. Verify that your inbound and outbound mail flow doesn’t involve your on-premises Exchange Server
  5. Make a plan on how to manage mail attributes after removing your Exchange Server

Complete all tasks precisely to avoid issues later down the road.

You’ll find more details about these steps in the following sections.

1. Verify That You Have Migrated All Mailboxes to Office 365

Log in to your on-premises Exchange Server and start the Exchange Management Shell.

Run the following command to check if there are any mailboxes left on your local Exchange Server:

# -ResultSize Unlimited lifts the default cap of 1000 returned objects
Get-Mailbox -ResultSize Unlimited | ft

If there are any mailboxes on your on-premises Exchange Server, you must either migrate them to Office 365 or delete them.

2. Verify You Don’t Have Any Public Folders

Log in to your on-premises Exchange Server and start the Exchange Management Shell.

Run the following command to check if there are any public folders left on your local Exchange Server:

# -Recurse walks the whole hierarchy; without it only the root folder "\" is returned
Get-PublicFolder -Recurse -ResultSize Unlimited | ft

If you find any, make sure to migrate or remove them.

3. Verify That No Applications Or Scan-to-Email Devices Are Using Your Local Exchange Server

If any devices or applications send emails through your local Exchange Server, you need to reconfigure them to use Office 365.

If you have a small environment, you can go through your applications and multi-function office devices manually.

In larger environments, you should enable SMTP logging on your Exchange Server, let it run for a few days, and scan the log files.

To enable logging on your Exchange Server, run the following command from the Exchange Management Shell:

Get-ReceiveConnector | Set-ReceiveConnector -ProtocolLoggingLevel Verbose

After a few days or a week, you can scan the log files for all IPs that have connected to your Exchange Server.

Run the following script from the Exchange Management Shell. It will check log files that are no more than one week old:

# Protocol log folder of the Frontend Transport service (where clients connect on 25/587).
# @() guards against the single-server case, where indexing a plain string would return its first character.
$LogPath = @((Get-FrontendTransportService).ReceiveProtocolLogPath.PathName)[0]
$LogFiles = Get-ChildItem -Path $LogPath -Filter "*.log" | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) }
$Clients = @{}
$ClientList = @()
ForEach ($LogFile In $LogFiles) {
  # Skip the #Software/#Version/#Log-type/#Date/#Fields header lines and any blank lines
  $Lines = Get-Content $LogFile | Where-Object { $_ -and $_ -notlike "#*" }
  ForEach ($Line In $Lines) {
    # Field layout: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
    $Fields = $Line.Split(",")
    $SrcIp = $Fields[5].Split(":")[0]    # remote-endpoint IP: the connecting client
    $TgtPort = $Fields[4].Split(":")[1]  # local-endpoint port: 25, 587, ...
    $Client = $SrcIp + ":" + $TgtPort
    If (-Not $Clients.ContainsKey($Client)) {
      Try {
        $DNS = [System.Net.Dns]::GetHostEntry($SrcIp).HostName
      }
      Catch {
        $DNS = ""   # no reverse DNS record; identify the host by its IP
      }
      $obj = New-Object PSObject -Property @{
        ClientIP = $SrcIp
        ClientName = $DNS
        TargetPort = $TgtPort
      }
      $Clients.Add($Client, $DNS)
      $ClientList += $obj
      Write-Host "$Client`t$DNS"
    }
  }
}
Write-Output $ClientList

The output might look similar to this:

ClientName           TargetPort ClientIP
----------           ---------- --------
mymail1.company.com  25         172.16.1.223
mymail1.company.com  25         127.0.0.1
mymail1.company.com  717        172.16.1.223
                     25         172.16.20.1
mymail2.company.com  25         172.16.1.227
avserver.company.com 25         172.16.1.70
scanner2.company.com 25         172.16.1.23
mymail1.company.com  587        172.16.1.223
                     25         10.0.2.193
backend1.company.com 25         10.32.77.202
backend2.company.com 25         10.32.77.201
scanner4.company.com 25         172.16.14.30
document.company.com 25         10.32.65.238
scanner1.company.com 25         172.16.14.29

Make sure to review the output carefully and reconfigure any devices/hosts that appear in the list.

To send emails from your devices or applications directly via Office 365, follow the instructions in this article.

4. Verify That Your Inbound and Outbound Mail Flow Doesn’t Involve Your On-Premises Exchange Server

Before removing your on-premises Exchange Server, you must ensure that emails are sent directly to and from Office 365.

You can verify this by analyzing the mail header of emails sent to and from your Office 365 domain.

Send an email from your Office 365 mailbox to an external email address. Then, open the mail header of the email received externally and check whether your local Exchange Server participates in the mail flow.

This article will show you step-by-step how to view the mail header in Outlook and analyze it with an online mail header analyzer.

Do the same for inbound email by sending an email from an external sender to your Office 365 mailbox.

If your local Exchange Server appears in either the inbound or outbound mail flow, you must change your mail flow. This may involve updating your MX records in DNS and reconfiguring external third-party relay services and Office 365 connectors.
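The header check described above can be automated. The following is an added example, not code from the original article: it unfolds the Received: chain of a saved message header, lists the hops in chronological order, and flags any hop that mentions your on-premises server. The sample header and all host names in it are constructed placeholders.

```powershell
# Added example, not from the original article: list the Received: hops of a message
# header in chronological order and flag the ones that mention the on-premises server.
# Paste the raw Internet headers of the received message into the $HeaderText parameter.
function Get-ReceivedHops {
    param([Parameter(Mandatory)][string]$HeaderText)

    # Unfold RFC 5322 folded header lines: a line starting with whitespace continues the previous one.
    $Unfolded = ($HeaderText -replace "`r?`n[ \t]+", ' ') -split "`r?`n"

    # Each hop prepends its own Received: line, so the first one in the header is the last hop.
    $Received = @($Unfolded | ForEach-Object { if ($_ -match '^Received:\s*(.+)$') { $Matches[1] } })
    [array]::Reverse($Received)

    $Hop = 0
    foreach ($Entry in $Received) {
        $Hop++
        $From = if ($Entry -match '(?i)\bfrom\s+([^\s()]+)') { $Matches[1] } else { '' }
        $By   = if ($Entry -match '(?i)\bby\s+([^\s()]+)')   { $Matches[1] } else { '' }
        [pscustomobject]@{ Hop = $Hop; From = $From; By = $By; Raw = $Entry }
    }
}

function Test-OnPremInMailFlow {
    param([Parameter(Mandatory)][string]$HeaderText,
          [Parameter(Mandatory)][string]$OnPremHost)   # FQDN of your last on-premises Exchange server
    Get-ReceivedHops -HeaderText $HeaderText |
        Where-Object { $_.From -like "*$OnPremHost*" -or $_.By -like "*$OnPremHost*" }
}

# Constructed sample header (placeholder host names): a message that still passes through on-premises Exchange.
$SampleHeader = @"
Received: from mx.example.net (192.0.2.10) by inbound.example.net
 with SMTP; Mon, 1 Mar 2021 10:00:03 +0000
Received: from mymail1.company.com (198.51.100.5) by
 mx.example.net with ESMTPS; Mon, 1 Mar 2021 10:00:02 +0000
Received: from o365-outbound.example.com (203.0.113.7) by mymail1.company.com
 with Microsoft SMTP Server; Mon, 1 Mar 2021 10:00:01 +0000
Subject: test
"@

Get-ReceivedHops -HeaderText $SampleHeader | Format-Table Hop, From, By -AutoSize
# Any rows returned here mean the on-premises server is still in the path and the mail flow must be changed.
Test-OnPremInMailFlow -HeaderText $SampleHeader -OnPremHost 'mymail1.company.com' | Format-Table Hop, From, By -AutoSize
```

Run the same check against a header captured for an inbound message from an external sender; an empty result for both directions is what you want before continuing.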

5. Make a Plan on How to Manage Mail Attributes After Removing Your Exchange Server

This is one of the biggest headaches related to removing the on-premises Exchange Server.

A lot of the mailbox attributes are authoritatively stored in your local Active Directory. These include:

  • Email addresses, aliases, hide from address lists, and more (for user mailboxes)
  • Owners, allow-external-senders, send-on-behalf permissions, and more (for distribution groups)

Unfortunately, the AD management tool “AD Users & Computers” doesn’t support managing these attributes – except for raw editing.

For easy management of your user and group mail attributes, use Easy365Manager.

Easy365Manager is a snap-in to AD Users & Computers that allows you to manage all the mail attributes.

Once Easy365Manager is installed, you’ll see two new tabs in user properties and one new tab in group properties:

[Screenshots: user properties showing the new Office 365 and Mailbox tabs; group properties showing the new Office 365 tab]

With Easy365Manager, you no longer have to log in to the Office 365 web console, Exchange Online Admin Center, or use PowerShell to perform daily management. This can save you a lot of work hours, frustrations, and googling PowerShell commands.

Easy365Manager also allows you to manage many of the Office 365 configurations used in daily operation.

As an example, you can assign an Office 365 license straight from user properties in Active Directory:

[Screenshot: Create an Office 365 mailbox using Easy365Manager]

Regardless of whether you opt for a third-party solution or decide to take the risk of editing the raw attributes directly, you should test how it works out for you.

Spend at least two weeks working server-less (Easy365Manager is available as a free, fully functional 30-day trial).

Only when you feel confident managing your setup without the on-premises Exchange Server should you continue to the next section.

How to Remove Exchange

When you have completed all steps listed in the prerequisites, you are ready to remove Exchange.

Removing Exchange consists of the following four steps:

  1. Remove service connection point values
  2. Remove inbound and outbound connectors
  3. Remove the organization relationship
  4. Remove Exchange from your Active Directory

The four steps are covered in more detail below:

1. Remove Service Connection Point Values

Use the following command to remove the service connection point values from your on-premises Exchange:

Get-ClientAccessService | Set-ClientAccessService -AutoDiscoverServiceInternalUri $Null

2. Remove Inbound and Outbound Connectors

The easiest way to remove the inbound and outbound connectors is via the Exchange on-premises admin center (EAC).

Go to the Connectors page to locate the connectors. The Office 365 connectors were created by the Hybrid Connection Wizard (HCW) and will be named “Inbound from …” and “Outbound to …”.

3. Remove the Organization Relationship

To remove the organization relationship, go to the Exchange Online admin center.

Navigate to Organization and remove the relationship created by the Hybrid Connection Wizard. The name of the relationship will be similar to “O365 to On-Premises – …”.

4. Remove Exchange From Your Active Directory

Finally, it’s time to remove Exchange from your AD. This is done most easily by simply shutting down the server.

Alternatively, you can try to actually uninstall it, but we don’t recommend it.

During the uninstall, the Exchange configuration is removed from the AD configuration partition. This doesn’t modify mail properties by itself, but you risk accidentally triggering email address policies that rewrite your proxyAddresses configuration. You should definitely back up proxyAddresses before proceeding.
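The backup this step calls for, together with the other mail attributes that section 5 lists as authoritative in AD, can be captured with the following added PowerShell example (not part of the original article; it assumes the RSAT ActiveDirectory module, and the file paths are placeholders). Taking a second snapshot after the uninstall and diffing the two shows whether an email address policy rewrote anything.

```powershell
# Added example (not from the original article): snapshot the mail attributes that remain
# authoritative in on-premises AD, then diff a snapshot taken after the uninstall to catch
# unintended changes such as an email address policy rewriting proxyAddresses.
# Assumes the RSAT ActiveDirectory module; the file paths used below are placeholders.
Import-Module ActiveDirectory

# Attributes the article lists as AD-authoritative after Exchange is gone; proxyAddresses is the critical one.
$MailAttributes = 'mail', 'mailNickname', 'proxyAddresses', 'targetAddress',
                  'legacyExchangeDN', 'msExchHideFromAddressLists'

function Export-MailAttributeSnapshot {
    param([Parameter(Mandatory)][string]$Path)
    # Users and groups with an Exchange recipient identity (mailNickname set); @() keeps both results as arrays.
    $Recipients = @(Get-ADUser  -LDAPFilter '(mailNickname=*)' -Properties $MailAttributes) +
                  @(Get-ADGroup -LDAPFilter '(mailNickname=*)' -Properties $MailAttributes)
    # proxyAddresses is multi-valued; sort and join it so two snapshots of the same object compare equal.
    $Recipients |
        Select-Object DistinguishedName, ObjectClass, mail, mailNickname, targetAddress,
                      legacyExchangeDN, msExchHideFromAddressLists,
                      @{ Name = 'proxyAddresses'; Expression = { ($_.proxyAddresses | Sort-Object) -join ';' } } |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

function Compare-MailAttributeSnapshot {
    param([Parameter(Mandatory)][string]$Before,
          [Parameter(Mandatory)][string]$After)
    $Old = @{}; Import-Csv $Before | ForEach-Object { $Old[$_.DistinguishedName] = $_ }
    $New = @{}; Import-Csv $After  | ForEach-Object { $New[$_.DistinguishedName] = $_ }

    foreach ($Dn in $Old.Keys) {
        if (-not $New.ContainsKey($Dn)) {
            [pscustomobject]@{ Object = $Dn; Attribute = '(object)'; Before = 'present'; After = 'missing' }
            continue
        }
        # Report every attribute whose value differs between the two snapshots
        foreach ($Attr in $MailAttributes) {
            if ($Old[$Dn].$Attr -ne $New[$Dn].$Attr) {
                [pscustomobject]@{ Object = $Dn; Attribute = $Attr; Before = $Old[$Dn].$Attr; After = $New[$Dn].$Attr }
            }
        }
    }
}

# Usage: snapshot before the uninstall, snapshot again afterwards, then review the differences.
# Export-MailAttributeSnapshot -Path 'C:\Backup\MailAttributes-before.csv'
# Export-MailAttributeSnapshot -Path 'C:\Backup\MailAttributes-after.csv'
# Compare-MailAttributeSnapshot -Before 'C:\Backup\MailAttributes-before.csv' -After 'C:\Backup\MailAttributes-after.csv' | Format-Table -AutoSize
```

The before-snapshot CSV also doubles as the raw material for a restore, since each row carries the object's DN and its full sorted proxyAddresses list.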

If the uninstall fails and you cannot solve the issue, you can simply shut down Exchange and remove the Exchange configuration manually using ADSIEdit. This step requires that you’re confident doing manual editing of Active Directory.

Alternatively, you can leave the configuration in AD as it will do no harm.

Summary

If you follow the above steps, you should have a smooth removal of your last on-premises Exchange Server.

This step will save you a lot of time and money and keep you protected from hackers specifically targeting on-premises Exchange Server, as seen in the Hafnium attack in March 2021 and the remote code execution vulnerability in November 2021.

Getting rid of your on-premises Exchange Server could potentially save your company from the next large scale ransomware attack.
