Remove On-Prem Exchange From Hybrid Environment

Decommission last Exchange server from hybrid environment

You migrated all your mailboxes to Office 365 and want to get rid of the last on-premises Exchange server. Now what?

If you plan to do all future user management entirely in Office 365 and have no future directory synchronization requirements, you can safely disable your DirSync/Azure AD Connect configuration and then remove your last on-premises Exchange server. The necessary steps include pointing your MX record to Exchange Online, removing the Service Connection Point from on-premises Exchange, removing inbound and outbound connectors from Exchange Online, and more. For a complete walk-through of the needed steps, jump to the last part of this article.

However, many organizations will prefer to keep directory synchronization in place. On-premises user accounts are still needed to access local resources, and keeping your Office 365 accounts in sync with the on-prem users makes good sense to most, if not all. Also, components like ADFS depend on Azure AD Connect.

This is where things get a little complicated. With directory synchronization in place the on-prem user object becomes authoritative for all user attributes – including mailbox-related user attributes. Any attribute change must happen locally on the on-prem object and is then replicated to Azure/Office 365. If you try to change the attributes in Office 365 you get hit by something like this:

The operation on mailbox failed because it's out of the current user's write scope. The action Set-Mailbox EmailAddresses can't be performed on the object because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.

The Three Mailbox Management Options

To manage the mailbox related user attributes in your on-premises environment you basically have three options:

  1. Exchange Control Panel (ECP)
  2. Direct attribute editing using ADSIEdit or AD Users & Computers attribute editor
  3. Third party tool like Easy365Manager or similar

To use the first option you need a running Exchange server. The obvious disadvantage is that you’re stuck with your on-premises Exchange server and the cost associated with running and managing it, all with the sole purpose of performing mailbox management.

The second option requires you to be a die-hard expert in AD attributes and is very error-prone. If you only make simple changes this might be OK. For anything but the simplest configuration changes you’re likely to get yourself in trouble. So, in general, don’t go there.

The third option requires you to use a third-party tool which serves as an interface to the mailbox attributes of users in your on-premises environment. The main disadvantages here are potential license cost and ease of use.

Since we set out to remove the last Exchange on-premises server and keep our Azure AD Connect intact, we opt for the third option. In this post we’ll be using Easy365Manager as our third-party tool – let’s have a closer look at the steps needed to reach our goal.

Set Up Your Third Party Tool to Prepare for On-Premises Exchange Removal

Start by installing Easy365Manager (or any other third party tool you prefer). To use Easy365Manager you need a system with AD Users & Computers and PowerShell 5.1 or later. Then download and install Easy365Manager and verify that the AD Users & Computers tool has been updated with two new tabs for Office 365 mailbox management:

Office 365 Mailbox Management

You then configure Easy365Manager with your Azure AD Connect server to allow immediate synchronization of any changes you make in AD Users & Computers. Finally, make a few changes and verify that they successfully replicate to Office 365, e.g. by adding an additional mail alias.

Easy365Manager Configure Azure AD Connect for immediate synchronization of changes
SMTP proxyAddress configuration using Easy365Manager

When you have confirmed that your third-party tool lets you successfully manage Office 365 mailbox-related properties in your on-premises AD, it’s finally time…

Prepare Your Office 365 Environment for the Removal of the Last Exchange On-Premises Server

Follow these steps to remove dependencies on your on-prem Exchange environment:

  • Confirm you have no public folders on your on-prem Exchange server (move them to Office 365 if they exist)
  • Confirm you have no more mailboxes on your on-prem Exchange server
  • Confirm that no scan-to-mail devices, applications, etc. are using your on-premises Exchange server to relay emails
  • Make sure MX and autodiscover DNS records are pointing to Exchange Online
  • Remove the Service Connection Point values from Exchange:
    Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri $Null
  • Remove (or disable) the Exchange on-prem inbound and outbound connectors from your Office 365 environment (done via the Connectors page in the EAC – the connectors created by the Hybrid Connection Wizard are named “Inbound from ” and “Outbound to ”)
  • Remove the Organization Relationship from Office 365 using the Office 365 Portal (the Organization Relationship created by the Hybrid Connection Wizard is named “O365 to On-Premises – ”)
  • If OAuth is enabled, make sure to disable it both on-prem and in Exchange Online:
    Get-IntraOrganizationConnector -Identity ExchangeHybridOnPremisesToOnline | Set-IntraOrganizationConnector -Enabled $False
    Get-IntraOrganizationConnector -Identity ExchangeHybridOnlineToOnPremises | Set-IntraOrganizationConnector -Enabled $False
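As an added example (not from the original post), the following read-only PowerShell script checks the on-premises items in the list above from the Exchange Management Shell on an Exchange 2013 or later server; the Exchange Online-side items (connectors, Organization Relationship) are done in the EAC as described and are not checked here. The accepted domain, the seven-day look-back and the Exchange Online DNS targets it compares against are assumptions, and it changes nothing.

```powershell
# Added example: read-only readiness check for the on-prem items in the checklist above.
# Run in the Exchange Management Shell (Exchange 2013 or later assumed). Nothing is modified.
param(
    [Parameter(Mandatory)] [string] $Domain,   # accepted domain to check, e.g. contoso.com (assumed)
    [int] $RelayLookbackDays = 7               # how far back to look for relaying hosts (assumed)
)
$findings = New-Object System.Collections.Generic.List[string]

# 1. Mailboxes still homed on-prem. Get-Mailbox omits arbitration mailboxes by default;
#    those are dealt with by the uninstall step described later in the post.
$mailboxes = @(Get-Mailbox -ResultSize Unlimited)
if ($mailboxes.Count -gt 0) {
    $sample = ($mailboxes | Select-Object -First 5 -ExpandProperty PrimarySmtpAddress) -join ', '
    $findings.Add("$($mailboxes.Count) mailbox(es) still on-prem, e.g. $sample")
}

# 2. Public folder mailboxes still on-prem.
$pf = @(Get-Mailbox -PublicFolder -ResultSize Unlimited)
if ($pf.Count -gt 0) { $findings.Add("$($pf.Count) public folder mailbox(es) still on-prem") }

# 3. Service Connection Point still published for Autodiscover.
Get-ClientAccessServer | Where-Object { $_.AutoDiscoverServiceInternalUri } | ForEach-Object {
    $findings.Add("SCP still set on $($_.Name): $($_.AutoDiscoverServiceInternalUri)")
}

# 4. OAuth intra-organization connector still enabled on the on-prem side.
Get-IntraOrganizationConnector | Where-Object { $_.Enabled } | ForEach-Object {
    $findings.Add("IntraOrganizationConnector '$($_.Name)' is still enabled")
}

# 5. MX and Autodiscover DNS records must already point at Exchange Online.
$mx = @(Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue | Where-Object { $_.QueryType -eq 'MX' })
if (-not ($mx | Where-Object { $_.NameExchange -like '*.mail.protection.outlook.com' })) {
    $findings.Add("MX for $Domain does not point to Exchange Online: $(($mx | ForEach-Object NameExchange) -join ', ')")
}
$cname = @(Resolve-DnsName -Name "autodiscover.$Domain" -Type CNAME -ErrorAction SilentlyContinue)
if (-not ($cname | Where-Object { $_.NameHost -eq 'autodiscover.outlook.com' })) {
    $findings.Add("autodiscover.$Domain is not a CNAME to autodiscover.outlook.com")
}

# 6. Hosts that still submit mail to this server over SMTP (scan-to-mail devices, apps).
#    Other Exchange servers and Exchange Online show up here too; review the list by hand.
$since = (Get-Date).AddDays(-$RelayLookbackDays)
Get-MessageTrackingLog -EventId RECEIVE -Start $since -ResultSize Unlimited |
    Where-Object { $_.Source -eq 'SMTP' -and $_.ClientIp } |
    Group-Object ClientIp | Sort-Object Count -Descending | ForEach-Object {
        $findings.Add("$($_.Name) submitted $($_.Count) message(s) in the last $RelayLookbackDays day(s)")
    }

if ($findings.Count -eq 0) { 'No blocking findings; the on-prem side is ready.' } else { $findings | ForEach-Object { "FINDING: $_" } }
```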

Once these steps are completed you can remove the on-prem Exchange server.

Clean Removal of the Last On-Premises Exchange Server

A clean removal of Exchange is the preferred solution. This will ensure relevant Active Directory objects are removed properly. The clean removal is started simply by uninstalling Exchange from the last Exchange server in your organization (make sure you completed the steps in the previous section to prepare for the removal).

Launching the Exchange uninstaller (from Add/Remove Programs) will trigger a readiness check that looks for any remaining mailboxes, mailbox databases, etc. Make sure to get rid of your arbitration mailboxes to complete the uninstall:

Get-Mailbox -Arbitration -Database [DB] | Remove-Mailbox -Arbitration -RemoveLastArbitrationMailboxAllowed

Once the readiness check is successful, the uninstaller removes the Exchange configuration from AD and the Exchange binaries from the server.

Dirty Removal of the Last On-Premises Exchange Server

Unfortunately, clean removal is not always possible. One such special case is if you’re using security-enabled moderated distribution lists. Moderated distribution lists are tied to arbitration mailboxes, blocking the removal of the arbitration mailboxes. If your groups are also used to control access to on-premises objects you can’t delete them, and you’re not going to make it past the Exchange removal pre-check.
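To find out before running the uninstaller whether the arbitration mailbox step will be blocked, this added example (not part of the original post) lists the on-prem arbitration mailboxes and the moderated groups tied to them, and separates the security-enabled moderated groups described above from plain moderated distribution groups. It is read-only and runs in the Exchange Management Shell.

```powershell
# Added example: pre-check for the arbitration mailbox step of the clean uninstall.
# Read-only; run in the Exchange Management Shell on the last on-prem Exchange server.

# The arbitration mailboxes the uninstall readiness check will insist on removing.
$arbitration = @(Get-Mailbox -Arbitration -ResultSize Unlimited)
"Arbitration mailboxes still on-prem: $($arbitration.Count)"
$arbitration | Select-Object Name, Database | Format-Table -AutoSize

# Moderated groups are tied to the arbitration mailboxes and therefore block their removal.
$moderated = @(Get-DistributionGroup -ResultSize Unlimited | Where-Object { $_.ModerationEnabled })

# Security-enabled moderated groups are the hard case from the post: they may also grant
# access to on-prem resources, so they cannot simply be deleted to clear the dependency.
$hardCase = @($moderated | Where-Object { $_.RecipientTypeDetails -eq 'MailUniversalSecurityGroup' })
$softCase = @($moderated | Where-Object { $_.RecipientTypeDetails -ne 'MailUniversalSecurityGroup' })

# Show each moderated group with its moderators and the arbitration mailbox it points at.
$moderated | Select-Object Name, PrimarySmtpAddress, RecipientTypeDetails,
    @{ Name = 'Moderators'; Expression = { ($_.ModeratedBy | ForEach-Object Name) -join '; ' } },
    @{ Name = 'ArbitrationMailbox'; Expression = { $_.ArbitrationMailbox.Name } } |
    Sort-Object RecipientTypeDetails, Name | Format-Table -AutoSize

if ($moderated.Count -eq 0) {
    'No moderated groups found; the clean removal path should not be blocked by them.'
} else {
    "$($softCase.Count) moderated distribution group(s) can be reviewed for deletion."
    "$($hardCase.Count) moderated security group(s) guard on-prem access and need a decision before uninstall:"
    $hardCase | ForEach-Object { "  $($_.Name) <$($_.PrimarySmtpAddress)>" }
}
```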

The dirty removal of the Exchange server is to shut down the server (for good) and then remove the Exchange server object from the Exchange administrative group in the configuration partition using ADSIEdit. It’s a simple task, but if you don’t know your way around ADSIEdit you should consider asking a specialist for help. Deleting the wrong object from your AD configuration partition can severely impact your infrastructure. Should you need to go back you can re-install Exchange, but hopefully that shouldn’t be necessary.

Once completed, enjoy your clean Exchange-less infrastructure! And if using Easy365Manager enjoy the added benefits of easy, intuitive and integrated user and mailbox management. Free trial available from here.
