Remove Exchange Server

On-Premise Exchange Removal

After migrating all your mailboxes to Office 365, you may want to remove your last on-premise Exchange Server.

This is a subject of much controversy, and many admins end up being stuck with their on-premise Exchange Server. Don’t be one of those guys!

In this article, we’ll show you how to get rid of Exchange on-premise with a fail-proof step-by-step guide.

Additionally, we’ll reveal how you can make your Office 365 administration much more manageable. Sounds too good to be true? Not at all!

This guide assumes that you have a hybrid setup with Active Directory to Azure/Office 365 synchronization.

Prerequisites to Remove On-Premise Exchange Server

To verify if you’re ready to remove your last Exchange Server, make sure to complete the following five tasks:

  1. Verify that you have migrated all mailboxes to Office 365
  2. Verify you don’t have any public folders
  3. Verify that no applications or scan-to-email devices are using your local Exchange Server
  4. Verify that your inbound and outbound mail flow doesn’t involve your on-premise Exchange Server
  5. Make a plan on how to manage mail attributes after removing your Exchange Server

Complete all tasks precisely to avoid issues later down the road.

You’ll find more details about these steps in the following sections.

1. Verify That You Have Migrated All Mailboxes to Office 365

Log in to your on-premise Exchange Server and start the Exchange Management Shell.

Run the following command to check if there are any mailboxes left on your local Exchange Server:

Get-Mailbox | ft

If there are any mailboxes on your on-premise Exchange Server, you must either migrate them to Office 365 or delete them.

2. Verify You Don’t Have Any Public Folders

Log in to your on-premise Exchange Server and start the Exchange Management Shell.

Run the following command to check if there are any public folders left on your local Exchange Server:

Get-PublicFolder -Recurse | ft

If you find any, make sure to migrate or remove them.

3. Verify That No Applications Or Scan-to-Email Devices Are Using Your Local Exchange Server

If any devices or applications send emails through your local Exchange Server, you need to reconfigure them to use Office 365.

If you have a small environment, you can go through your applications and multi-function office devices manually.

In larger environments, you should enable SMTP logging on your Exchange Server, let it run for a few days, and scan the log files.

To enable logging on your Exchange Server, run the following command from the Exchange Management Shell:

Get-ReceiveConnector | Set-ReceiveConnector -ProtocolLogging Verbose

After some days or a week, you can scan the log files for all IPs that have connected to your Exchange Server.

Run the following script from the Exchange Management Shell. It will check log files that are no more than one week old:

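# Folder where the front-end transport service writes its SMTP receive protocol logs
$LogPath = (Get-FrontendTransportService).ReceiveProtocolLogPath.PathName
# Only look at log files written during the last seven days
$LogFiles = Get-Item ($LogPath + "\*.log") | ? {$_.LastWriteTime -gt (Get-Date).AddDays(-7)}
# Client IP -> local port of the first connection seen from that IP
$Clients = @{}
ForEach ($LogFile In $LogFiles){
  # Skip the header lines at the top of each log file
  $Lines = Get-Content $LogFile | Select-Object -Skip 5
  ForEach ($Line In $Lines){
    $Fields = $Line.Split(",")
    If ($Fields.Count -lt 6) { Continue }   # ignore blank or truncated lines
    # Field 5 is the remote endpoint and field 4 the local endpoint (address:port).
    # Strip only the trailing port so IPv6 addresses stay intact.
    $SrcIp = $Fields[5] -replace ':\d+$', ''
    $TgtPort = ($Fields[4] -split ':')[-1]
    If (-Not $Clients.ContainsKey($SrcIp)){
      $Clients.Add($SrcIp, $TgtPort)
    }
  }
}
Write-Output $Clients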

Make sure to review the output carefully and reconfigure any devices/hosts that appear in the list.

To send emails from your devices or applications directly via Office 365, follow the instructions in this article.

4. Verify That Your Inbound and Outbound Mail Flow Doesn’t Involve Your On-Premise Exchange Server

Before removing your on-premise Exchange Server, you must ensure that emails are sent directly to and from Office 365.

You can verify this by analyzing the mail header of emails sent to and from your Office 365 domain.

Send an email from your Office 365 mailbox to an external email. Then, open the mail header of the email received externally and review if your local Exchange Server participates in the mail flow.

This article will show you step-by-step how to view the mail header in Outlook and analyze it with an online mail header analyzer.

Do the same for inbound email by sending an email from an external sender to your Office 365 mailbox.

If your local Exchange Server appears in either the inbound or outbound mail flow, you must change your mail flow. This may involve updating your MX records in DNS and reconfiguring external 3rd party relay services and Office 365 connectors.
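
The header check described above can also be done in PowerShell. The following is an added example, not part of the original article: it lists the Received hops of a message in delivery order and flags every hop that names the on-premise server. The function name Get-MailHop, the host names, the IP addresses and the sample header are constructed placeholders.

```powershell
# Added example (not from the original article). Host names, IPs and the header
# text are constructed placeholders.
function Get-MailHop {
    param(
        [Parameter(Mandatory)][string]$RawHeader,
        [Parameter(Mandatory)][string[]]$OnPremName   # names/IPs of the server being retired
    )
    # Unfold headers: a line starting with whitespace continues the previous line
    $unfolded = $RawHeader -replace '\r?\n[ \t]+', ' '
    $received = @($unfolded -split '\r?\n' | Where-Object { $_ -match '^Received:' })
    # Every server prepends its own Received line, so reverse to sender -> recipient order
    [array]::Reverse($received)
    $hop = 0
    foreach ($line in $received) {
        $hop++
        $from = if ($line -match '^Received:\s*from\s+(\S+)') { $Matches[1] } else { '' }
        $by   = if ($line -match '\sby\s+(\S+)') { $Matches[1] } else { '' }
        # Plain substring match, so pass full host names / IPs to avoid partial hits
        $lower = $line.ToLowerInvariant()
        $hits  = @($OnPremName | Where-Object { $lower.Contains($_.ToLowerInvariant()) })
        [pscustomobject]@{
            Hop       = $hop
            From      = $from
            By        = $by
            ViaOnPrem = ($hits.Count -gt 0)
        }
    }
}

# Constructed header of an outbound test message that was still relayed on-premise
$sample = @'
Received: from mx.recipient.example (198.51.100.7) by inbox.recipient.example
 with ESMTPS; Mon, 1 Jan 2024 10:00:03 +0000
Received: from EXCH01.corp.example (192.0.2.10) by mx.recipient.example
 with ESMTPS; Mon, 1 Jan 2024 10:00:02 +0000
Received: from cloud-out.mail.example (203.0.113.5) by EXCH01.corp.example
 with ESMTPS; Mon, 1 Jan 2024 10:00:01 +0000
Subject: mail flow test
'@

Get-MailHop -RawHeader $sample -OnPremName 'EXCH01.corp.example', '192.0.2.10' |
    Format-Table -AutoSize
```

Any row with ViaOnPrem set to True means the message still passed through the server you plan to remove. Run the check against both the outbound and the inbound test message.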

5. Make a Plan on How to Manage Mail Attributes After Removing Your Exchange Server

This is one of the biggest headaches related to removing the on-premise Exchange Server.

You configure a lot of essential mail attributes via your local Active Directory. These include:

  • Email addresses, aliases, hide from address lists, and more (for user mailboxes)
  • Owners, allow-external-senders, send-on-behalf permissions, and more (for distribution groups)

Traditionally these attributes are configured using the on-premise Exchange Server. Unfortunately, the AD tool “AD Users & Computers” doesn’t have any user interface that supports these attributes – except for raw editing.
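
To show what raw editing involves, here is an added example (not from the original article and not related to any third-party tool) that changes a user's primary email address by rewriting the proxyAddresses attribute. In that attribute the primary address carries an uppercase "SMTP:" prefix and aliases a lowercase "smtp:" prefix. The function name, the account name jdoe and all addresses are constructed placeholders, and the write step assumes the ActiveDirectory PowerShell module.

```powershell
# Added example (not from the original article). Account name and addresses are
# constructed placeholders.
function Get-NewProxyAddressList {
    param(
        [string[]]$Current = @(),                    # existing proxyAddresses values
        [Parameter(Mandatory)][string]$NewPrimary    # address that becomes the primary
    )
    if ($NewPrimary -notmatch '^[^@\s:]+@[^@\s:]+$') {
        throw "Not an SMTP address: $NewPrimary"
    }
    # Exactly one entry may carry the uppercase SMTP: prefix
    $result = @("SMTP:$NewPrimary")
    foreach ($entry in $Current) {
        if ($entry -match '^smtp:(.+)$') {
            # Old primary and existing aliases are kept as lowercase smtp: aliases
            $alias = "smtp:$($Matches[1])"
            # -notcontains is case-insensitive: skips the new primary and duplicates
            if ($result -notcontains $alias) { $result += $alias }
        } else {
            $result += $entry   # X500:, SIP: and other address types stay unchanged
        }
    }
    return $result
}

# Constructed sample; on a domain-joined machine the values would come from
#   (Get-ADUser jdoe -Properties proxyAddresses).proxyAddresses
$current = 'SMTP:j.doe@corp.example', 'smtp:jdoe@corp.example',
           'X500:/o=ExampleOrg/cn=Recipients/cn=jdoe'
$new = @(Get-NewProxyAddressList -Current $current -NewPrimary 'jane.doe@corp.example')
$new

# Write the result back and hide the user from address lists (requires the
# ActiveDirectory module, so these lines are left commented out here):
# Set-ADUser jdoe -Replace @{ proxyAddresses = [string[]]$new; mail = 'jane.doe@corp.example' }
# Set-ADUser jdoe -Replace @{ msExchHideFromAddressLists = $true }
```

The change reaches Office 365 with the next directory synchronization cycle.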

For easy management of your user and group mail attributes, you can use a third-party tool like Easy365Manager.

Easy365Manager is a snap-in to the “AD Users & Computers” tool that gives you access to manage all the mail attributes. Additionally, it allows you to manage Office 365 licenses and Office 365 mailboxes directly from “AD Users & Computers”.

Once Easy365Manager is installed, you’ll see two new tabs in user properties and one new tab in group properties:

[Screenshot: User properties - Office 365 tab]
[Screenshot: User properties - Mailbox tab]
[Screenshot: Group properties - Office 365 tab]

With Easy365Manager, you no longer have to log in to the Office 365 web console, Exchange Online Admin Center, or use PowerShell to perform daily management. This can save you a lot of work hours and frustrations.

Whether you opt for a third-party solution or decide to take the risk and edit the raw attributes directly, you should test how it works out for you. Spend at least two weeks working server-less (Easy365Manager is available as a free, fully functional 30-day trial).

Only when you feel confident managing your setup without the on-premise Exchange Server should you continue to the next section.

How to Remove Exchange

When you have completed all steps listed in the prerequisites, you are ready to remove Exchange.

Removing Exchange consists of the following four steps:

  1. Remove service connection point values
  2. Remove inbound and outbound connectors
  3. Remove the organization relationship
  4. Remove Exchange from your Active Directory

The four steps are covered in more detail below:

1. Remove Service Connection Point Values

Use the following command to remove the service connection point values from your on-premise Exchange:

Get-ClientAccessService | Set-ClientAccessService -AutoDiscoverServiceInternalUri $Null

2. Remove Inbound and Outbound Connectors

The easiest way to remove the inbound and outbound connectors is via the Exchange on-premise admin center (EAC).

Go to the Connectors page to locate the connectors. The Office 365 connectors were created by the Hybrid Configuration Wizard (HCW) and will be named “inbound from …” and “Outbound to …”.

3. Remove the Organization Relationship

To remove the organization relationship, go to the Exchange Online admin center.

Navigate to Organization and remove the relationship created by the Hybrid Configuration Wizard. The name of the relationship will be similar to “O365 to On-Premises – …”.

4. Remove Exchange From Your Active Directory

Finally, it’s time to remove Exchange from your AD. This is done by uninstalling the last Exchange Server.

During the uninstall, the Exchange configuration is removed from the AD configuration partition.

If the uninstall fails and you cannot solve the issue, you can simply shut down Exchange and remove the Exchange configuration manually using ADSIEdit. This step requires that you’re confident doing manual editing of Active Directory.

Alternatively, you can leave the configuration in AD as it will do no harm.

Summary

If you follow the above steps, you should have a smooth removal of your last on-premise Exchange Server.

This step will save you a lot of time and money and keep you protected from hackers specifically targeting on-premise Exchange Server, as seen in the Hafnium attack in March 2021.
