Remove Exchange Server

On-Premise Exchange Removal

After migrating all your mailboxes to Office 365, you may want to remove your last on-premises Exchange Server.

Exchange on-premises requires a decent amount of hardware resources even though it’s only used to manage AD mail attributes.

Additionally, it’s a very popular target for zero-day exploits, such as those used in the Hafnium attack.

This is a subject of much controversy, and many admins end up being stuck with their on-premises Exchange Server. Don’t be one of those guys!

This guide assumes that you have a hybrid setup with Active Directory to Azure/Office 365 synchronization.

Prerequisites to Remove On-Premises Exchange Server

To verify if you’re ready to remove your last Exchange Server, make sure to complete the following five tasks:

  1. Make a plan on how to manage mail attributes after removing your Exchange Server
  2. Verify that you have migrated all mailboxes to Office 365
  3. Verify you don’t have any public folders
  4. Verify that no applications or scan-to-email devices are using your local Exchange Server
  5. Verify that your inbound and outbound mail flow doesn’t involve your on-premises Exchange Server

Complete all tasks precisely to avoid issues later down the road.

You’ll find more details about these steps in the following sections.

1. Make a Plan on How to Manage Mail Attributes After Removing Your Exchange Server

This is one of the biggest headaches related to removing the on-premises Exchange Server.

A lot of the mailbox attributes are authoritatively stored in your local Active Directory. These include:

  • Email addresses, aliases, hide from address lists, and more (for user mailboxes)
  • Owners, allow-external-senders, send-on-behalf permissions, and more (for distribution groups)

Unfortunately, the AD management tool “AD Users & Computers” doesn’t support managing these attributes – except for raw editing.

For easy management of your user and group mail attributes, use Easy365Manager.

Easy365Manager is a snap-in to AD Users & Computers that allows you to manage AD mail attributes as well as Office 365 licenses and mailboxes.

Once Easy365Manager is installed, you’ll see two new tabs in user properties:

Figure: User properties - Office 365 tab
Figure: User properties - Mailbox tab

With Easy365Manager, you no longer have to log in to the Office 365 web console, Exchange Online Admin Center, or use PowerShell to perform daily management like Azure AD Connect synchronization.

Easy365Manager can save you a lot of work hours, frustrations, and googling PowerShell commands.

As an example, you can assign an Office 365 license straight from user properties in Active Directory.

2. Verify That You Have Migrated All Mailboxes to Office 365

Log in to your on-premises Exchange Server and start the Exchange Management Shell.

Run the following command to check if there are any mailboxes left on your local Exchange Server:

Get-Mailbox | ft

If there are any mailboxes on your on-premises Exchange Server, you must either migrate them to Office 365 or delete them.

3. Verify You Don’t Have Any Public Folders

Log in to your on-premises Exchange Server and start the Exchange Management Shell.

Run the following command to check if there are any public folders left on your local Exchange Server:

Get-PublicFolder | ft

If you find any, make sure to migrate or remove them.

4. Verify That No Applications Or Scan-to-Email Devices Are Using Your Local Exchange Server

If any devices or applications send emails through your local Exchange Server, you need to reconfigure them to use Office 365.

If you have a small environment, you can go through your applications and multi-function office devices manually.

In larger environments, you should enable SMTP logging on your Exchange Server, let it run for a few days, and scan the log files.

To enable logging on your Exchange Server, run the following command from the Exchange Management Shell:

Get-ReceiveConnector | Set-ReceiveConnector -ProtocolLogging Verbose

After some days or a week, you can scan the log files for all IPs that have connected to your Exchange Server.

Run the following script from the Exchange Management Shell. It will check log files that are no more than one week old:

# Wrap in @() so that indexing also works when only one server is returned
$LogPath = @((Get-FrontendTransportService).ReceiveProtocolLogPath.PathName)
$LogFiles = Get-Item ($LogPath[0] + "\*.log") | ? {$_.LastWriteTime -gt (Get-Date).AddDays(-7)}
$Clients = @{}
$ClientList = @()
ForEach ($LogFile In $LogFiles){
  # Skip the five header lines at the top of each protocol log
  $Lines = Get-Content $LogFile | Select-Object -Skip 5
  ForEach ($Line In $Lines){
    # Field 5 is the remote (client) endpoint, field 4 is the local endpoint
    $SrcIp = ($Line.Split(",")[5]).Split(":")[0]
    $TgtPort = ($Line.Split(",")[4]).Split(":")[1]
    # Record each client IP and target port combination only once
    If (-Not ($Clients.ContainsKey($SrcIp + ":" + $TgtPort))){
      $Client = $SrcIp + ":" + $TgtPort
      # Reverse DNS lookup; leave the name empty if it fails
      Try {
        $DNS = [System.Net.Dns]::GetHostByAddress($SrcIp).Hostname
      } Catch {
        $DNS = ""
      }
      $obj = New-Object PSObject -Property @{
        ClientIP = $SrcIp
        ClientName = $DNS
        TargetPort = $TgtPort
      }
      $Clients.Add($Client, $DNS)
      $ClientList += $obj
      Write-Host $Client `t $DNS
    }
  }
}
Write-Output $ClientList

The output might look similar to this:

ClientName           TargetPort ClientIP
----------           ---------- --------
                     25
                     25
                     717
                     25
                     25
                     25
                     25
                     587
                     25
                     25
                     25
                     25
                     25
                     25

Make sure to review the output carefully and reconfigure any devices/hosts that appear in the list.

To send emails from your devices or applications directly via Office 365, follow the instructions in this article.

5. Verify That Your Inbound and Outbound Mail Flow Doesn’t Involve Your On-Premises Exchange Server

Before removing your on-premises Exchange Server, you must ensure that emails are sent directly to and from Office 365.

You can verify this by analyzing the mail header of emails sent to and from your Office 365 domain.

Send an email from your Office 365 mailbox to an external email. Then, open the mail header of the email received externally and review if your local Exchange Server participates in the mail flow.

This article will show you step-by-step how to view the mail header in Outlook and analyze it with an online mail header analyzer.

Do the same for inbound email by sending an email from an external sender to your Office 365 mailbox.

If your local Exchange Server appears in either the inbound or outbound mail flow, you must change your mail flow. This may involve updating your MX records in DNS and reconfiguring external 3rd party relay services and Office 365 connectors.
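The header check described above can also be scripted. The following is an added example, not part of the original article: it unfolds the Received headers of a raw message header and flags every hop that mentions the on-premises server. The header text, the host name exch01.contoso.local, the addresses and the function name Get-ReceivedHop are constructed for illustration.

```powershell
# Added example: list Received hops and flag the on-premises Exchange Server.
# Constructed sample header; paste a real one in its place.
$RawHeader = @'
Received: from AM0PR01MB1234.eurprd01.prod.outlook.com (2001:db8::1)
 by AM0PR01MB5678.eurprd01.prod.outlook.com with HTTPS;
 Mon, 3 Jan 2022 09:15:02 +0000
Received: from exch01.contoso.local (203.0.113.10)
 by AM0PR01MB1234.eurprd01.prod.outlook.com with Microsoft SMTP Server;
 Mon, 3 Jan 2022 09:15:01 +0000
Received: from mail.example.net (198.51.100.7)
 by exch01.contoso.local with ESMTP; Mon, 3 Jan 2022 09:15:00 +0000
From: sender@example.net
Subject: Mail flow test
'@

function Get-ReceivedHop {
    param(
        [Parameter(Mandatory)][string]$Header,
        # Host names or IPs of the on-premises server (assumed values)
        [Parameter(Mandatory)][string[]]$OnPremPattern
    )
    # Unfold continuation lines: a line starting with whitespace continues the previous header
    $Unfolded = $Header -replace '\r?\n[ \t]+', ' '
    $Hop = 0
    foreach ($Line in ($Unfolded -split '\r?\n')) {
        if ($Line -match '^Received:\s*(.*)$') {
            $Value = $Matches[1]
            $Hop++
            $From = if ($Value -match '\bfrom\s+(\S+)') { $Matches[1] } else { '' }
            $By   = if ($Value -match '\bby\s+(\S+)')   { $Matches[1] } else { '' }
            $Hit  = $false
            foreach ($Pattern in $OnPremPattern) {
                if ($Value -match [regex]::Escape($Pattern)) { $Hit = $true }
            }
            [PSCustomObject]@{ Hop = $Hop; From = $From; By = $By; OnPrem = $Hit }
        }
    }
}

$Hops = Get-ReceivedHop -Header $RawHeader -OnPremPattern 'exch01.contoso.local', '203.0.113.10'
$Hops | Format-Table -AutoSize
if ($Hops | Where-Object OnPrem) {
    Write-Warning 'On-premises Exchange still appears in the mail flow.'
}
```

Hop 1 is the most recent server to handle the message. Run the check once for an outbound and once for an inbound test message.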

How to Remove Exchange

Regardless of whether you opt for a third-party solution or decide to take the risk and edit the raw attributes directly, you should test how it works out for you.

Spend at least two weeks working server-less (Easy365Manager is available as a free, fully functional 30-day trial).

Only when you feel confident managing your setup without the on-premises Exchange Server should you continue to the next section.

When you have completed all steps listed in the prerequisites, you are ready to remove Exchange.

Removing Exchange consists of the following four steps:

  1. Remove service connection point values
  2. Remove inbound and outbound connectors
  3. Remove the organization relationship
  4. Remove Exchange from your Active Directory

The four steps are covered in more detail below:

1. Remove Service Connection Point Values

Use the following command to remove the service connection point values from your on-premises Exchange:

Get-ClientAccessService | Set-ClientAccessService -AutoDiscoverServiceInternalUri $Null

2. Remove Inbound and Outbound Connectors

The easiest way to remove the inbound and outbound connectors is via the Exchange on-premises admin center (EAC).

Go to the Connectors page to locate the connectors. The Office 365 connectors were created by the Hybrid Connection Wizard (HCW) and will be named “inbound from …” and “Outbound to …”.

3. Remove the Organization Relationship

To remove the organization relationship, go to the Exchange Online admin center.

Navigate to Organization and remove the relationship created by the Hybrid Connection Wizard. The name of the relationship will be similar to “O365 to On-Premises – …”.

4. Remove Exchange From Your Active Directory

Finally, it’s time to remove Exchange from your AD. This is done most easily by simply shutting down the server.

Alternatively, you can try to actually uninstall it, but we don’t recommend it.

During the uninstall, the Exchange configuration is removed from the AD configuration partition. This doesn’t modify mail properties by itself, but you risk accidentally running email address policies that affect your proxyAddresses configuration. You should definitely consider making a backup of proxyAddresses before proceeding.
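One way to take the proxyAddresses backup mentioned above, and to check afterwards whether anything changed. This is an added example, not part of the original article: the function names, the attribute selection and the path C:\Backup\mail-attributes.xml are assumptions, and it requires the ActiveDirectory PowerShell module.

```powershell
# Added example: back up mail attributes before removing Exchange, then check for drift.
# Requires the ActiveDirectory module (RSAT); the file path is an assumed value.
Import-Module ActiveDirectory

$MailAttributes = 'proxyAddresses', 'mail', 'mailNickname', 'targetAddress',
                  'legacyExchangeDN', 'msExchHideFromAddressLists'

function Export-MailAttributeBackup {
    param([Parameter(Mandatory)][string]$Path)
    # Every object with at least one proxy address: users, groups and contacts
    Get-ADObject -LDAPFilter '(proxyAddresses=*)' -Properties $MailAttributes |
        ForEach-Object {
            [PSCustomObject]@{
                DistinguishedName = $_.DistinguishedName
                ObjectGuid        = $_.ObjectGUID.ToString()
                Mail              = $_.mail
                MailNickname      = $_.mailNickname
                TargetAddress     = $_.targetAddress
                LegacyExchangeDN  = $_.legacyExchangeDN
                HideFromGal       = $_.msExchHideFromAddressLists
                ProxyAddresses    = @($_.proxyAddresses)
            }
        } | Export-Clixml -Path $Path   # CliXml keeps the multi-valued attribute intact
}

function Compare-MailAttributeBackup {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($Old in (Import-Clixml -Path $Path)) {
        try   { $Now = Get-ADObject -Identity $Old.ObjectGuid -Properties proxyAddresses -ErrorAction Stop }
        catch { $Now = $null }   # object no longer exists
        # Case-sensitive compare: "SMTP:" (primary) and "smtp:" (alias) differ only in case
        $Before = ($Old.ProxyAddresses | Sort-Object) -join ';'
        $After  = ($Now.proxyAddresses | Sort-Object) -join ';'
        if ($Before -cne $After) {
            [PSCustomObject]@{
                DistinguishedName = $Old.DistinguishedName
                Before            = $Before
                After             = $After
            }
        }
    }
}

# Before the uninstall:
Export-MailAttributeBackup -Path 'C:\Backup\mail-attributes.xml'
# After the uninstall (empty output means nothing changed):
# Compare-MailAttributeBackup -Path 'C:\Backup\mail-attributes.xml'
```

To restore a value, write the saved ProxyAddresses back to the object with Set-ADObject -Replace.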

If the uninstall fails and you cannot solve the issue, you can simply shut down Exchange and remove the Exchange configuration manually using ADSIEdit. This step requires that you’re confident doing manual editing of Active Directory.

Alternatively, you can leave the configuration in AD as it will do no harm.


If you follow the above steps, you should have a smooth removal of your last on-premises Exchange Server.

This step will save you a lot of time and money and keep you protected from hackers specifically targeting on-premises Exchange Server, as seen in the Hafnium attack in March 2021 and the remote code execution vulnerability in November 2021.

Getting rid of your on-premises Exchange Server could potentially save your company from the next large scale ransomware attack.