Remove Exchange Server

On-Premise Exchange Removal

After migrating all your mailboxes to Office 365, you may want to remove your last on-premises Exchange Server.

Exchange on-premises requires a decent amount of hardware resources even though it’s only used to manage AD mail attributes.

Additionally, it’s a very popular target for zero-day exploits, as the Hafnium attacks showed.

This is a subject of much controversy, and many admins end up being stuck with their on-premises Exchange Server. Don’t be one of those guys!

This guide assumes that you have a hybrid setup with Active Directory to Azure/Office 365 synchronization.

Prerequisites to Remove On-Premises Exchange Server

To verify if you’re ready to remove your last Exchange Server, make sure to complete the following five tasks:

  1. Make a plan on how to manage mail attributes after removing your Exchange Server.
  2. Verify that you have migrated all mailboxes to Office 365.
  3. Verify you don’t have any public folders.
  4. Verify that no applications or scan-to-email devices are using your local Exchange Server.
  5. Verify that your inbound and outbound mail flow doesn’t involve your on-premises Exchange Server.

Complete all tasks precisely to avoid issues later down the road.

You’ll find more details about these steps in the following sections.

1. Make a Plan on How to Manage Mail Attributes After Removing Your Exchange Server

This is one of the biggest headaches related to removing the on-premises Exchange Server.

A lot of the mailbox attributes are authoritatively stored in your local Active Directory. These include:

  • Email addresses, aliases, hide from address lists, and more (for user mailboxes).
  • Owners, allow-external-senders, send-on-behalf permissions, and more (for distribution groups).

Unfortunately, the AD management tool “AD Users & Computers” doesn’t support managing these attributes – except for raw editing.
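The following is an added example, not code from the page or from Easy365Manager, showing which of these AD attributes a practitioner would inspect and how to add a secondary SMTP alias safely when editing the raw attributes: before writing, it searches the whole directory (users, groups and contacts) for an object that already owns the address, since a duplicate proxy address is the most common way raw editing goes wrong. It assumes the RSAT ActiveDirectory module, a domain-joined privileged session, and uses the constructed account name tbrahe and the constructed domain company.com.

```powershell
# Added example (not from the page or Easy365Manager): inspect the mail attributes
# that stay authoritative in on-premises AD after Exchange is gone, and add a
# secondary SMTP alias only after checking that no other object already owns it.
# Assumes the RSAT ActiveDirectory module and a domain-joined, privileged session.
# The account name and domain used below are constructed sample values.
Import-Module ActiveDirectory

function Get-MailAttributes {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # These are the attributes Azure AD Connect synchronizes and Exchange Online relies on.
    Get-ADUser -Identity $SamAccountName -Properties mail, mailNickname, proxyAddresses,
        msExchHideFromAddressLists, targetAddress |
        Select-Object SamAccountName, mail, mailNickname, msExchHideFromAddressLists,
            targetAddress, @{ n = 'proxyAddresses'; e = { $_.proxyAddresses -join '; ' } }
}

function Test-SmtpAddressInUse {
    param([Parameter(Mandatory)][string]$Address)
    # Search users, groups and contacts alike; primary (SMTP:) and secondary (smtp:)
    # forms are both matched so a duplicate can never be created silently.
    $filter = "(|(proxyAddresses=SMTP:$Address)(proxyAddresses=smtp:$Address)(mail=$Address))"
    $hits = Get-ADObject -LDAPFilter $filter -Properties proxyAddresses, mail
    return [bool]$hits
}

function Add-SmtpAlias {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Alias
    )
    if (Test-SmtpAddressInUse -Address $Alias) {
        throw "Refusing to add '$Alias': the address is already assigned to another AD object."
    }
    # Lowercase 'smtp:' marks a secondary address; the uppercase primary is left untouched.
    Set-ADUser -Identity $SamAccountName -Add @{ proxyAddresses = "smtp:$Alias" }
    Get-MailAttributes -SamAccountName $SamAccountName
}

# Usage with the constructed sample values: review first, then add and review again.
Get-MailAttributes -SamAccountName 'tbrahe'
Add-SmtpAlias -SamAccountName 'tbrahe' -Alias 'tycho.brahe@company.com'
```

The change reaches Exchange Online only after the next Azure AD Connect cycle; on the sync server, Start-ADSyncSyncCycle -PolicyType Delta triggers one without waiting for the scheduler.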

For easy management of your user and group mail attributes, use Easy365Manager.

Easy365Manager is a snap-in to AD Users & Computers that allows you to manage AD mail attributes as well as Office 365 licenses and mailboxes.

Once Easy365Manager is installed, you’ll see two new tabs in user properties:

[Screenshot: User Properties, License Management tab]
[Screenshot: User Properties, Mailbox Management tab]

With Easy365Manager, your first-level supporters no longer need to log in to the Microsoft 365 Admin Center or the Exchange Online Admin Center, or use PowerShell, to perform daily management tasks such as triggering an Azure AD Connect synchronization.

Easy365Manager can save you a lot of work hours, frustrations, and googling PowerShell commands.

As an example, you can even manage calendar delegation, which otherwise requires semi-complex PowerShell scripting.

2. Verify That You Have Migrated All Mailboxes to Office 365

Log in to your on-premises Exchange Server and start the Exchange Management Shell.

Run the following command to check if there are any mailboxes left on your local Exchange Server:

Get-Mailbox -ResultSize Unlimited | ft

The default result size of Get-Mailbox is 1000, so always use -ResultSize Unlimited to avoid missing mailboxes in larger environments. If there are any mailboxes on your on-premises Exchange Server, you must either migrate them to Office 365 or delete them.

3. Verify You Don’t Have Any Public Folders

Log in to your on-premises Exchange Server and start the Exchange Management Shell.

Run the following command to check if there are any public folders left on your local Exchange Server:

Get-PublicFolder -Recurse -ResultSize Unlimited | ft

Without -Recurse, Get-PublicFolder only returns the root folder, so the tree must be walked to see whether any public folders actually exist. If you find any, make sure to migrate or remove them.

4. Verify That No Applications Or Scan-to-Email Devices Are Using Your Local Exchange Server

If any devices or applications send emails through your local Exchange Server, you need to reconfigure them to use Office 365.

If you have a small environment, you can go through your applications and multi-function office devices manually.

In larger environments, you should enable SMTP logging on your Exchange Server, let it run for a few days, and scan the log files.

To enable logging on your Exchange Server, run the following command from the Exchange Management Shell:

Get-ReceiveConnector | Set-ReceiveConnector -ProtocolLogging Verbose

After some days or a week, you can scan the log files for all IPs that have connected to your Exchange Server.

Run the following script from the Exchange Management Shell. It will check log files that are no more than one week old:

# Collect every unique remote IP / local port pair seen in the SMTP receive
# protocol logs written during the last seven days.
$Clients = @{}
$ClientList = @()
$LogPaths = Get-FrontendTransportService | Select-Object ReceiveProtocolLogPath
ForEach ($LogPath In $LogPaths) {
  $LogFiles = Get-Item ($LogPath.ReceiveProtocolLogPath.PathName + "\*.log") | ? { $_.LastWriteTime -gt (Get-Date).AddDays(-7) }
  ForEach ($LogFile In $LogFiles) {
    # Protocol log fields: date-time,connector-id,session-id,sequence-number,
    # local-endpoint,remote-endpoint,event,data,context.
    # Lines beginning with '#' are the header every log file starts with.
    $Lines = Get-Content $LogFile | ? { $_ -and -not $_.StartsWith("#") }
    ForEach ($Line In $Lines) {
      $Fields = $Line.Split(",")
      If ($Fields.Count -lt 6) { Continue }
      # Endpoints are logged as address:port; splitting on the last colon also works for IPv6.
      $SrcIp   = $Fields[5].Substring(0, $Fields[5].LastIndexOf(":"))
      $TgtPort = $Fields[4].Substring($Fields[4].LastIndexOf(":") + 1)
      $Client = $SrcIp + ":" + $TgtPort
      If (-Not ($Clients.ContainsKey($Client))) {
        Try {
          # Reverse lookup; stays empty when the IP has no PTR record.
          $DNS = [System.Net.Dns]::GetHostEntry($SrcIp).HostName
        }
        Catch {
          $DNS = ""
        }
        $obj = New-Object PSObject -Property @{
          ClientIP   = $SrcIp
          ClientName = $DNS
          TargetPort = $TgtPort
        }
        $Clients.Add($Client, $DNS)
        $ClientList += $obj
        Write-Host "$Client`t$DNS"
      }
    }
  }
}
Write-Output $ClientList

The output might look similar to this:

ClientName           TargetPort ClientIP
----------           ---------- --------
mymail1.company.com  25         172.16.1.223
mymail1.company.com  25         127.0.0.1
mymail1.company.com  717        172.16.1.223
                     25         172.16.20.1
mymail2.company.com  25         172.16.1.227
avserver.company.com 25         172.16.1.70
scanner2.company.com 25         172.16.1.23
mymail1.company.com  587        172.16.1.223
                     25         10.0.2.193
backend1.company.com 25         10.32.77.202
backend2.company.com 25         10.32.77.201
scanner4.company.com 25         172.16.14.30
document.company.com 25         10.32.65.238
scanner1.company.com 25         172.16.14.29

Make sure to review the output carefully and reconfigure any devices/hosts that appear in the list. An empty ClientName means the IP has no reverse DNS record, so those entries need to be identified by other means (DHCP leases, switch port, or asset inventory).

To send emails from your devices or applications directly via Office 365, follow the instructions in this article.

5. Verify That Your Inbound and Outbound Mail Flow Doesn’t Involve Your On-Premises Exchange Server

Before removing your on-premises Exchange Server, you must ensure that emails are sent directly to and from Office 365.

You can verify this by analyzing the mail header of emails sent to and from your Office 365 domain.

Send an email from your Office 365 mailbox to an external email. Then, open the mail header of the email received externally and review if your local Exchange Server participates in the mail flow.

This article will show you step-by-step how to view the mail header in Outlook and analyze it with an online mail header analyzer.

Do the same for inbound email by sending an email from an external sender to your Office 365 mailbox.

If your local Exchange Server appears in either the inbound or outbound mail flow, you must change your mail flow. This may involve updating your MX records in DNS and reconfiguring external third-party relay services and Office 365 connectors.
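As an added example that is not part of the original article, the following PowerShell does the header review described above on a saved copy of the headers: it unfolds the Received: headers, lists them in delivery order, and flags any hop that names the on-premises server by host name or IP. The sample headers, the host name mymail1.company.com and the address 172.16.1.223 are constructed values; the hop layout mirrors an outbound message that was still routed through the on-premises server.

```powershell
# Added example (not from the page): list the Received: hops of a message in
# delivery order and flag any hop that names the on-premises Exchange host or IP.
# Paste the raw headers from Outlook (File > Properties > Internet headers) into
# a file and pass its content as -RawHeaders. The sample headers below are constructed.

function Get-ReceivedHops {
    param([Parameter(Mandatory)][string]$RawHeaders)
    # Unfold RFC 5322 folded headers: a line starting with whitespace continues the previous one.
    $unfolded = [regex]::Replace($RawHeaders, "`r?`n[ \t]+", " ")
    $hops = @()
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^Received:\s*(.+)$') { $hops += $Matches[1] }
    }
    # Each server prepends its Received: header, so the last one in the text is the first hop.
    [array]::Reverse($hops)
    return $hops
}

function Test-OnPremInMailFlow {
    param(
        [Parameter(Mandatory)][string]$RawHeaders,
        [Parameter(Mandatory)][string[]]$OnPremMarkers   # host names or IPs of the local Exchange server
    )
    $hops = Get-ReceivedHops -RawHeaders $RawHeaders
    $i = 0
    foreach ($hop in $hops) {
        $i++
        # True when any marker appears anywhere in the hop text.
        $flag = [bool]($OnPremMarkers | Where-Object { $hop -like "*$_*" })
        [pscustomobject]@{
            Hop    = $i
            OnPrem = $flag
            Header = $hop
        }
    }
}

# Constructed sample: an outbound message from Office 365 that still left via the on-prem server.
$sample = @"
Received: from mymail1.company.com (172.16.1.223) by
 mx.external-recipient.example with ESMTPS; Tue, 1 Mar 2022 10:00:03 +0000
Received: from outlook.office365.com (40.0.0.5) by
 mymail1.company.com with ESMTPS; Tue, 1 Mar 2022 10:00:02 +0000
Received: from CLIENT-PC (172.16.20.1) by outlook.office365.com with ESMTP;
 Tue, 1 Mar 2022 10:00:01 +0000
Subject: test
"@

$result = Test-OnPremInMailFlow -RawHeaders $sample -OnPremMarkers 'mymail1.company.com', '172.16.1.223'
$result | Format-Table -AutoSize
if ($result.OnPrem -contains $true) {
    Write-Warning "On-premises Exchange still participates in this mail flow."
}
```

Run it once on an outbound message and once on an inbound one; any hop with OnPrem set to True is a route that has to be changed before the server is shut down.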

How to Remove Exchange

Whether you opt for a third-party tool or decide to take the risk of editing the raw AD attributes directly, test the approach before removing anything.

Spend at least two weeks working server-less (Easy365Manager is available as a free, fully functional 30-day trial).

Only when you feel confident managing your setup without the on-premises Exchange Server should you continue to the next section.

When you have completed all steps listed in the prerequisites, you are ready to remove Exchange.

Removing Exchange consists of the following four steps:

  1. Remove service connection point values.
  2. Remove inbound and outbound connectors.
  3. Remove the organization relationship.
  4. Shut down the Exchange Server.

The four steps are covered in more detail below:

1. Remove Service Connection Point Values

Use the following command to remove the service connection point values from your on-premises Exchange:

Get-ClientAccessService | Set-ClientAccessService -AutoDiscoverServiceInternalUri $Null

2. Remove Inbound and Outbound Connectors

The easiest way to remove the inbound and outbound connectors is via the Exchange on-premises admin center (EAC).

Go to the Connectors page to locate the connectors. The Office 365 connectors were created by the Hybrid Connection Wizard (HCW) and will be named “Inbound from …” and “Outbound to …”, like so:

[Screenshot: Connectors page in the Exchange admin center]

3. Remove the Organization Relationship

To remove the organization relationship, go to the Exchange Online admin center.

Navigate to Organization and remove the relationship created by the Hybrid Connection Wizard. The name of the relationship will be similar to “O365 to On-Premises – …”, like so:

[Screenshot: Exchange Admin Center, remove organization relationship]
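To confirm that steps 1 to 3 actually took effect before the server is powered off, here is an added, read-only check script that is not part of the original article. The first half runs in the on-premises Exchange Management Shell, the second after Connect-ExchangeOnline from the ExchangeOnlineManagement module; both only list leftovers and delete nothing. The on-premises relationship name pattern “On-premises to O365” is an assumption about the HCW naming convention; the Exchange Online names match those given in the text.

```powershell
# Added example (not from the page): read-only checks that the hybrid objects the
# removal steps target are really gone. Nothing here deletes anything.

# --- Part 1: on-premises Exchange Management Shell ---
function Test-OnPremHybridLeftovers {
    # Step 1: the Autodiscover SCP should be empty on every Client Access service.
    $scp = Get-ClientAccessService |
        Where-Object { $_.AutoDiscoverServiceInternalUri } |
        Select-Object Name, AutoDiscoverServiceInternalUri

    # HCW-created send connector toward Office 365, if one is still present.
    $send = Get-SendConnector |
        Where-Object { $_.Name -like 'Outbound to*' } |
        Select-Object Name, AddressSpaces, SmartHosts

    # On-premises half of the organization relationship (assumed name pattern).
    $rel = Get-OrganizationRelationship |
        Where-Object { $_.Name -like 'On-premises to O365*' } |
        Select-Object Name, DomainNames, Enabled

    [pscustomobject]@{
        ScpStillSet         = @($scp)
        SendConnectorsLeft  = @($send)
        RelationshipsLeft   = @($rel)
        Clean               = (-not $scp) -and (-not $send) -and (-not $rel)
    }
}

# --- Part 2: Exchange Online, after Connect-ExchangeOnline ---
function Test-ExoHybridLeftovers {
    # Step 2: HCW connectors are named "Inbound from <GUID>" / "Outbound to <GUID>".
    $inbound  = Get-InboundConnector  | Where-Object { $_.Name -like 'Inbound from*' } |
        Select-Object Name, Enabled, ConnectorType
    $outbound = Get-OutboundConnector | Where-Object { $_.Name -like 'Outbound to*' } |
        Select-Object Name, Enabled, SmartHosts

    # Step 3: the relationship named like "O365 to On-Premises - <GUID>".
    $rel = Get-OrganizationRelationship |
        Where-Object { $_.Name -like 'O365 to On-Premises*' } |
        Select-Object Name, DomainNames, Enabled

    [pscustomobject]@{
        InboundConnectorsLeft  = @($inbound)
        OutboundConnectorsLeft = @($outbound)
        RelationshipsLeft      = @($rel)
        Clean                  = (-not $inbound) -and (-not $outbound) -and (-not $rel)
    }
}

# Usage: run the matching function in each shell and inspect the Clean flag.
# Test-OnPremHybridLeftovers | Format-List
# Connect-ExchangeOnline; Test-ExoHybridLeftovers | Format-List
```

Only when both reports show Clean set to True is the server ready for step 4.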

4. Shut Down the Exchange Server

As the final clean-up step, you should simply shut down the server. Nothing else.

We highly recommend against cleaning up the Exchange configuration from Active Directory by uninstalling Exchange from the server or manually editing the AD configuration partition.

There is practically no benefit in removing the Exchange configuration from AD, but there are a lot of risks.

Summary

If you follow the above steps, you should have a smooth removal of your last on-premises Exchange Server.

This step will save you a lot of time and money and protect you from hackers specifically targeting on-premises Exchange Server, as seen in the Hafnium attack in March 2021, the remote code execution vulnerability in November 2021, and the remote code execution vulnerability in September 2022.

Getting rid of your on-premises Exchange Server could save your company from the next large-scale ransomware attack.