After migrating all your mailboxes to Office 365, you may want to remove your last on-premises Exchange Server.
Exchange on-premises requires a decent amount of hardware resources even though it’s only used to manage AD mail attributes.
Additionally, it’s a very popular target for zero-day exploits, as the Hafnium (ProxyLogon) attacks showed.
This is a subject of much controversy, and many admins end up stuck with their on-premises Exchange Server. Don’t be one of them!
This guide assumes that you have a hybrid setup with Active Directory to Azure/Office 365 synchronization.
Prerequisites to Remove On-Premises Exchange Server
To verify if you’re ready to remove your last Exchange Server, make sure to complete the following five tasks:
- Make a plan on how to manage mail attributes after removing your Exchange Server.
- Verify that you have migrated all mailboxes to Office 365.
- Verify you don’t have any public folders.
- Verify that no applications or scan-to-email devices are using your local Exchange Server.
- Verify that your inbound and outbound mail flow doesn’t involve your on-premises Exchange Server.
Complete all tasks precisely to avoid issues later down the road.
You’ll find more details about these steps in the following sections.
1. Make a Plan on How to Manage Mail Attributes After Removing Your Exchange Server
This is one of the biggest headaches related to removing the on-premises Exchange Server.
A lot of the mailbox attributes are authoritatively stored in your local Active Directory. These include:
- Email addresses, aliases, hide from address lists, and more (for user mailboxes).
- Owners, allow-external-senders, send-on-behalf permissions, and more (for distribution groups).
Unfortunately, the AD management tool “AD Users & Computers” doesn’t support managing these attributes – except for raw editing in the Attribute Editor tab, which validates nothing (one wrong prefix in proxyAddresses and the object fails to sync).
For easy management of your user and group mail attributes, use Easy365Manager.
Easy365Manager is a snap-in to AD Users & Computers that allows you to manage AD mail attributes as well as Office 365 licenses and mailboxes.
Once Easy365Manager is installed, you’ll see two new tabs in user properties.
With Easy365Manager, your first-level supporters no longer need to log in to the Microsoft 365 admin center or the Exchange Online admin center, or use PowerShell, for daily tasks such as triggering an Azure AD Connect synchronization.
Easy365Manager can save you a lot of work hours, frustration, and googling of PowerShell commands.
As an example, you can even manage calendar delegation, which otherwise requires semi-complex PowerShell scripting.
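To show what the “raw editing” alternative actually involves, here is an added example (not from the original article, and not Easy365Manager’s code) that writes the mail attributes with PowerShell and enforces the consistency rules Exchange would normally enforce for you: exactly one primary address with an upper-case SMTP: prefix, no duplicates, mail equal to the primary, and targetAddress pointing at the tenant routing domain for a migrated mailbox. It assumes the ActiveDirectory RSAT module; the user jdoe, the domains and the routing domain are placeholders.

```powershell
# Added example, not from the article: "raw editing" of the AD mail attributes
# in PowerShell, with the consistency checks Exchange would normally enforce.
# Assumes the ActiveDirectory RSAT module. The user, domains and the tenant
# routing domain below are placeholders.
Import-Module ActiveDirectory

function Test-ProxyAddresses {
    # Returns the problems found in a proxyAddresses set; an empty result means it is consistent.
    param([string[]]$ProxyAddresses, [string]$Mail)
    $problems = @()
    # Exactly one primary address, written with an upper-case "SMTP:" prefix
    $primaries = @($ProxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
    if ($primaries.Count -ne 1) {
        $problems += "expected exactly one 'SMTP:' primary address, found $($primaries.Count)"
    }
    # No duplicates (addresses are case-insensitive, so compare lower-cased)
    $dupes = $ProxyAddresses | ForEach-Object { $_.ToLowerInvariant() } | Group-Object | Where-Object Count -gt 1
    foreach ($d in $dupes) { $problems += "duplicate address '$($d.Name)'" }
    # The mail attribute must equal the primary address (Azure AD Connect syncs both)
    if ($primaries.Count -eq 1 -and $Mail -ne $primaries[0].Substring(5)) {
        $problems += "mail attribute '$Mail' does not match primary '$($primaries[0])'"
    }
    return $problems
}

function Set-MailAttributes {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$PrimarySmtp,
        [string[]]$Aliases = @(),
        [string]$TenantRoutingDomain,            # e.g. company.mail.onmicrosoft.com (placeholder)
        [bool]$HideFromAddressLists = $false
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties proxyAddresses

    # Keep non-SMTP entries (x500:, SIP:, ...) untouched and rebuild the SMTP set
    $keep = @($user.proxyAddresses | Where-Object { $_ -notmatch '^smtp:' })
    $smtp = @("SMTP:$PrimarySmtp") + @($Aliases | ForEach-Object { "smtp:$($_.ToLowerInvariant())" })
    $new  = @($keep + $smtp | Select-Object -Unique)

    # Refuse to write a set that Exchange/Azure AD Connect would reject or mis-sync
    $problems = Test-ProxyAddresses -ProxyAddresses $new -Mail $PrimarySmtp
    if ($problems) { throw ("Refusing to write inconsistent attributes: " + ($problems -join '; ')) }

    $replace = @{
        proxyAddresses             = $new
        mail                       = $PrimarySmtp
        msExchHideFromAddressLists = $HideFromAddressLists
    }
    if ($TenantRoutingDomain) {
        # A migrated (remote) mailbox needs targetAddress pointing at the tenant routing domain
        $replace['targetAddress'] = 'SMTP:' + $PrimarySmtp.Split('@')[0] + "@$TenantRoutingDomain"
    }
    Set-ADUser -Identity $SamAccountName -Replace $replace
}

# Usage with placeholder values; afterwards run Start-ADSyncSyncCycle -PolicyType Delta
# on the Azure AD Connect server to push the change to Office 365
Set-MailAttributes -SamAccountName 'jdoe' -PrimarySmtp 'john.doe@company.com' `
    -Aliases 'jdoe@company.com', 'john@company.com' -TenantRoutingDomain 'company.mail.onmicrosoft.com'
```

Every check in Test-ProxyAddresses corresponds to a mistake that is easy to make in the Attribute Editor and that only shows up later as a sync error or a bounced message; that is the work a management tool does for you.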
2. Verify That You Have Migrated All Mailboxes to Office 365
Log in to your on-premises Exchange Server and start the Exchange Management Shell.
Run the following command to check if there are any mailboxes left on your local Exchange Server (Get-Mailbox returns at most 1,000 objects by default, so always ask for an unlimited result set):
Get-Mailbox -ResultSize Unlimited | ft
If there are any mailboxes on your on-premises Exchange Server, you must either migrate them to Office 365 or delete them.
3. Verify You Don’t Have Any Public Folders
Log in to your on-premises Exchange Server and start the Exchange Management Shell.
Run the following command to check if there are any public folders left on your local Exchange Server (without -Recurse, Get-PublicFolder only returns the root folder, which makes an empty hierarchy look non-empty and a populated one look empty):
Get-PublicFolder -Recurse | ft
If you find any, make sure to migrate or remove them.
4. Verify That No Applications Or Scan-to-Email Devices Are Using Your Local Exchange Server
If any devices or applications send emails through your local Exchange Server, you need to reconfigure them to use Office 365.
If you have a small environment, you can go through your applications and multi-function office devices manually.
In larger environments, you should enable SMTP protocol logging on your Exchange Server’s receive connectors, let it run long enough to cover your periodic jobs (a device that only sends a month-end report will not show up in a one-week sample), and scan the log files.
To enable logging on your Exchange Server, run the following command from the Exchange Management Shell (the log directory has a size cap, ReceiveProtocolLogMaxDirectorySize on Set-FrontendTransportService, so check that a busy server actually keeps the history you need):
Get-ReceiveConnector | Set-ReceiveConnector -ProtocolLogging Verbose
After some days or a week, scan the log files for every IP that has connected to your Exchange Server.
Run the following script from the Exchange Management Shell. It parses the Frontend Transport receive protocol logs written in the last seven days and lists each distinct client IP and target port together with its reverse DNS name:
$Clients = @{}
$ClientList = @()
# The Frontend Transport service logs the SMTP sessions that external clients open
$LogPaths = Get-FrontendTransportService | Select-Object ReceiveProtocolLogPath
ForEach ($LogPath In $LogPaths) {
    $LogFiles = Get-ChildItem -Path $LogPath.ReceiveProtocolLogPath.PathName -Filter *.log |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) }
    ForEach ($LogFile In $LogFiles) {
        # Drop the #Software/#Version/#Log-type/#Date/#Fields header lines and blank lines
        $Lines = Get-Content $LogFile.FullName | Where-Object { $_ -and -not $_.StartsWith("#") }
        ForEach ($Line In $Lines) {
            # Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
            $Fields = $Line.Split(",")
            If ($Fields.Count -lt 6 -or $Fields[4] -notmatch ":" -or $Fields[5] -notmatch ":") { Continue }
            # Endpoints are IP:port; split on the last colon so IPv6 addresses survive
            $SrcIp   = $Fields[5].Substring(0, $Fields[5].LastIndexOf(":"))
            $TgtPort = $Fields[4].Substring($Fields[4].LastIndexOf(":") + 1)
            $Client  = $SrcIp + ":" + $TgtPort
            If (-Not $Clients.ContainsKey($Client)) {
                Try {
                    # Reverse lookup; GetHostEntry replaces the obsolete GetHostByAddress
                    $DNS = [System.Net.Dns]::GetHostEntry($SrcIp).HostName
                }
                Catch {
                    $DNS = ""
                }
                # PSCustomObject keeps the property order, which is the column order of the output
                $obj = [PSCustomObject]@{
                    ClientName = $DNS
                    TargetPort = $TgtPort
                    ClientIP   = $SrcIp
                }
                $Clients.Add($Client, $DNS)
                $ClientList += $obj
                Write-Host $Client `t $DNS
            }
        }
    }
}
Write-Output $ClientList
The output might look similar to this:
ClientName            TargetPort ClientIP
----------            ---------- --------
mymail1.company.com   25         172.16.1.223
mymail1.company.com   25         127.0.0.1
mymail1.company.com   717        172.16.1.223
                      25         172.16.20.1
mymail2.company.com   25         172.16.1.227
avserver.company.com  25         172.16.1.70
scanner2.company.com  25         172.16.1.23
mymail1.company.com   587        172.16.1.223
                      25         10.0.2.193
backend1.company.com  25         10.32.77.202
backend2.company.com  25         10.32.77.201
scanner4.company.com  25         172.16.14.30
document.company.com  25         10.32.65.238
scanner1.company.com  25         172.16.14.29
Make sure to review the output carefully and reconfigure any devices/hosts that appear in the list.
To send emails from your devices or applications directly via Office 365, follow the instructions in this article.
5. Verify That Your Inbound and Outbound Mail Flow Doesn’t Involve Your On-Premises Exchange Server
Before removing your on-premises Exchange Server, you must ensure that emails are sent directly to and from Office 365.
You can verify this by analyzing the mail header of emails sent to and from your Office 365 domain.
Send an email from your Office 365 mailbox to an external email. Then, open the mail header of the email received externally and review if your local Exchange Server participates in the mail flow.
This article will show you step-by-step how to view the mail header in Outlook and analyze it with an online mail header analyzer.
Do the same for inbound email by sending an email from an external sender to your Office 365 mailbox.
If your local Exchange Server appears in either the inbound or outbound mail flow, you must change your mail flow. This may involve updating your MX records in DNS (for inbound mail to reach Office 365 directly, they must point at your Exchange Online Protection endpoint, the <domain>-<tld>.mail.protection.outlook.com host shown for the domain in the Microsoft 365 admin center), reconfiguring external 3rd party relay services, and updating Office 365 connectors.
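An online header analyzer works fine, but the check is easy to script when you have to repeat it for several domains and connectors. The following is an added example (not from the original article) that lists the Received: hops of a message in delivery order and flags any hop that names your on-premises server. The header is constructed for the example; all host names and IPs in it are placeholders, as are the on-premises names passed to Test-OnPremInPath.

```powershell
# Added example, not from the article: list the Received: hops of a message in
# delivery order and flag any hop that touched the on-premises server.
# The header below is constructed; host names and IP addresses are placeholders.
$SampleHeader = @"
Received: from EOPFT001.mail.protection.outlook.com (10.152.8.60) by
 EXOMB001.outlook.office365.com with Microsoft SMTP Server; Mon, 3 Jan 2022 09:12:44 +0000
Received: from mymail1.company.com (203.0.113.10) by
 EOPFT001.mail.protection.outlook.com (10.152.8.60) with Microsoft SMTP Server
 (version=TLS1_2); Mon, 3 Jan 2022 09:12:43 +0000
Received: from mail.example.net (198.51.100.7) by mymail1.company.com
 (172.16.1.223) with Microsoft SMTP Server; Mon, 3 Jan 2022 09:12:41 +0000
From: sender@example.net
To: user@company.com
Subject: Mail flow test
"@

function Get-ReceivedHops {
    # Returns one object per Received: header, oldest hop first
    param([Parameter(Mandatory)][string]$RawHeader)
    # Unfold continuation lines: a line starting with whitespace belongs to the previous header
    $unfolded = $RawHeader -replace "`r?`n[ `t]+", ' '
    $hops = @(foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^Received:\s*(.+)$') {
            $value = $Matches[1]
            $from = ''; $by = ''
            if ($value -match '\bfrom\s+(\S+)') { $from = $Matches[1] }
            if ($value -match '\bby\s+(\S+)')   { $by   = $Matches[1] }
            [PSCustomObject]@{ From = $from; By = $by }
        }
    })
    # Every hop prepends its own Received: header, so the header reads newest-first; reverse it
    [array]::Reverse($hops)
    return $hops
}

function Test-OnPremInPath {
    # Returns the hops that name one of your on-premises hosts (empty result = clean path)
    param(
        [Parameter(Mandatory)][string]$RawHeader,
        [Parameter(Mandatory)][string[]]$OnPremHosts   # names/IPs of your on-premises Exchange server(s)
    )
    $pattern = ($OnPremHosts | ForEach-Object { [regex]::Escape($_) }) -join '|'
    @(Get-ReceivedHops -RawHeader $RawHeader | Where-Object { $_.From -match $pattern -or $_.By -match $pattern })
}

Get-ReceivedHops -RawHeader $SampleHeader | Format-Table -AutoSize
$hits = @(Test-OnPremInPath -RawHeader $SampleHeader -OnPremHosts 'mymail1.company.com', '172.16.1.223')
if ($hits.Count -gt 0) { "On-premises server still in the path:"; $hits | Format-Table -AutoSize }
else { "Clean: no on-premises hop in this message's path" }
```

For the sample header the script reports two offending hops (the sender’s server delivering to mymail1, and mymail1 handing the message to Exchange Online Protection), which is exactly the relay you want gone. One caveat when you run this on real inbound mail: only the Received: headers written by Exchange Online Protection and by your own servers are trustworthy. Anything below the first hop you control was added by the sender’s side and can be forged, so read the chain from the EOP hop upward.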
How to Remove Exchange
Regardless of whether you opt for a third-party tool or decide to take the risk of editing the raw attributes directly, test how the new routine works for you before you pull the plug.
Spend at least two weeks working server-less (Easy365Manager is available as a free, fully functional 30-day trial), i.e. make every day-to-day change without touching the on-premises Exchange admin tools.
Only when you feel confident managing your setup without the on-premises Exchange Server should you continue to the next section.
When you have completed all steps listed in the prerequisites, you are ready to remove Exchange.
Removing Exchange consists of the following four steps:
- Remove service connection point values.
- Remove inbound and outbound connectors.
- Remove the organization relationship.
- Shut down the Exchange Server.
The four steps are covered in more detail below:
1. Remove Service Connection Point Values
Clearing the service connection point (SCP) stops domain-joined Outlook clients from discovering the on-premises server through Active Directory; they then fall back to DNS, so first confirm that autodiscover.<yourdomain> in public DNS is a CNAME to autodiscover.outlook.com. Then run the following command in the Exchange Management Shell on the server (on Exchange 2013 the cmdlet is still called Set-ClientAccessServer):
Get-ClientAccessService | Set-ClientAccessService -AutoDiscoverServiceInternalUri $Null
2. Remove Inbound and Outbound Connectors
The Office 365 connectors created by the Hybrid Configuration Wizard (HCW) are Exchange Online objects, named “Inbound from …” and “Outbound to …”. The easiest way to remove them is the Exchange admin center (EAC) in Exchange Online.
Go to Mail flow > Connectors to locate the two connectors, like so:
3. Remove the Organization Relationship
To remove the organization relationship, go to the Exchange Online admin center.
Navigate to Organization and remove the relationship created by the Hybrid Configuration Wizard. The name of the relationship will be similar to “O365 to On-Premises – …”, like so:
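Steps 2 and 3 can also be done in Exchange Online PowerShell, which is handier when you want to review exactly what will go before anything is removed. The following is an added example (not from the original article) that looks up the HCW-created objects by their naming pattern, prints them, and only removes them when the dry-run switch is not set. It assumes the ExchangeOnlineManagement module is installed; the -DryRun switch is the example’s own. Step 1 (clearing the SCP) still runs on the server in the Exchange Management Shell.

```powershell
# Added example, not from the article: removal steps 2 and 3 in Exchange Online
# PowerShell instead of the admin center, with a dry run first. Assumes the
# ExchangeOnlineManagement module is installed; the -DryRun switch is ours.
param([switch]$DryRun)

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# Objects created by the Hybrid Configuration Wizard follow fixed naming patterns
$inbound  = @(Get-InboundConnector         | Where-Object Name -like 'Inbound from *')
$outbound = @(Get-OutboundConnector        | Where-Object Name -like 'Outbound to *')
$orgRel   = @(Get-OrganizationRelationship | Where-Object Name -like 'O365 to On-premises*')

"Inbound connectors        : $(($inbound  | ForEach-Object Name) -join ', ')"
"Outbound connectors       : $(($outbound | ForEach-Object Name) -join ', ')"
"Organization relationships: $(($orgRel   | ForEach-Object Name) -join ', ')"

if ($DryRun) {
    "Dry run: nothing removed."
    Disconnect-ExchangeOnline -Confirm:$false
    return
}

# The outbound connector is the route Exchange Online uses to reach on-premises
# recipients; the prerequisites (no mailboxes or public folders left on-premises)
# are what make it safe to drop. The Remove-* cmdlets prompt for confirmation by
# default; that safety net is kept on purpose.
foreach ($c in $inbound)  { Remove-InboundConnector  -Identity $c.Identity }
foreach ($c in $outbound) { Remove-OutboundConnector -Identity $c.Identity }
foreach ($r in $orgRel)   { Remove-OrganizationRelationship -Identity $r.Identity }

Disconnect-ExchangeOnline -Confirm:$false
```

Run it once with -DryRun and compare the printed names with what you see in the admin center; if an inbound or outbound connector with a different name shows up, it was not created by the HCW and needs its own review before you touch it.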
4. Shut Down the Exchange Server
As the final clean-up step, simply shut down the server. Nothing else.
We strongly recommend against cleaning up the Exchange configuration from Active Directory, whether by uninstalling Exchange from the server or by hand-editing the AD configuration partition.
There is practically no benefit in removing the Exchange configuration from AD, and the risk is real: the Exchange attributes that Azure AD Connect synchronizes stay in the schema either way, while a botched uninstall or a wrong edit in the configuration partition is hard to undo and leaves you without a supported way to bring the Exchange tools back if you ever need them. Keep the powered-off server (or a backup of it), and if you ever start it again, patch it fully before it is reachable from the internet.
Summary
If you follow the above steps, you should have a smooth removal of your last on-premises Exchange Server.
Removing the server saves you a lot of time and money and protects you from attackers specifically targeting on-premises Exchange Server, as seen in the Hafnium (ProxyLogon) attacks in March 2021, the remote code execution vulnerability in November 2021, and the remote code execution vulnerability (ProxyNotShell) in September 2022.
Getting rid of your on-premises Exchange Server could save your company from the next large-scale ransomware attack.