Remove On-Prem Exchange From Hybrid Environment

Decommission last Exchange server from hybrid environment

You migrated all your mailboxes to Office 365 and want to get rid of the last on-premises Exchange server. Now what?

First, you should ask yourself if you want to continue synchronizing your on-premises AD with Office 365/Azure AD.

If you want to break synchronization, you can remove Azure AD Connect and your on-premises Exchange.

The steps to get rid of on-premises Exchange involves removing it from the mail flow, removing the Service Connection Point from on-premises Exchange, removing inbound and outbound connectors from Exchange Online, etc.

For a complete walk-through of needed steps, jump to the last part of this article – but I highly recommend reading the next section before you do that!

Staying in Sync

Many organizations will prefer to keep directory synchronization in place. For example, you probably still need on-premises user accounts to access local resources like file and print.

Keeping your Office 365 accounts in sync with the on-prem user accounts saves you from maintaining dual identities for each user. This makes good sense to most, if not all. Also, components like ADFS depend on Azure AD Connect.

This is where things get a little complicated. With directory synchronization in place, the on-prem user object is authoritative for all user attributes – including mailbox-related user attributes, like proxyAddresses. Any change to email attributes must happen locally on the on-prem object, and from there, it gets replicated to Azure/Office 365.

If you try to change the attributes in Office 365, you will see something like this:

The operation on mailbox failed because it's out of the current user's write scope. The action Set-Mailbox EmailAddresses can't be performed on the object because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.

How to Manage Email Attributes?

Microsoft recommends that you use a dedicated on-premises Exchange server to manage email attributes in a hybrid setup. But running an on-premises Exchange server isn’t exactly free.

Although the Exchange license is complimentary from Microsoft, you still need a license for the OS and any third party antivirus, monitoring, and backup software the server is running.

On top of this comes the time spent on patch management and troubleshooting.

Also, Exchange on-premises has been a target of zero-day exploits that have ruined entire businesses.

So there are lots of good reasons you’d want to get rid of on-premises Exchange.

Without on-premises Exchange, you have two basic options to manage your on-premises mail attributes:

  1. Direct attribute editing using ADSIEdit or AD Users & Computers
  2. Easy365Manager

The first option requires you to be a die-hard expert in AD attributes and is quite error-prone.

If you only make simple changes, this might be OK. But if you’re not a straight shooter on the finer details of proxyAddresses, you’re likely setting yourself up for trouble.

If you have distribution groups and want to configure something like owners or delegation, it gets really crazy.

If you choose to use ADSIEdit or the Active Directory management console, this will be your interface:

Editing email attributes with ADSIEdit
Attribute editor in ADSIEdit
Editing msExchHideFromAddressLists using AD Users & Computers
Attribute editor in AD Users & Computers

Attribute names are non-descriptive and there’s no sanity check on the values you enter by hand.

Using Easy365Manager

Easy365Manager is a snap-in for the Active Directory Users & Computers management console. Easy365Manager adds two new tabs to user properties (“Office 365” and “Mailbox”), one new tab to group properties (“Office 365”), and one new tab to contact properties (“Office 365”).

With Easy365Manager, the management of mail attributes becomes an integrated part of your regular AD management.

You can see the new tabs in the following screenshots taken from user and group properties:

User Properties Tycho Brahe License Management
Click to enlarge
User Properties Tycho Brahe Mailbox Management
Click to enlarge

The new tabs match the existing design of user and group properties, making it easy for any level admin to start using them.

You now have direct access to configure email attributes like proxyAddresses, hide recipients from address lists, configure send-as and send-on-behalf delegation, and much more.

You can even configure calendar delegation, which otherwise require complex PowerShell scripting:

Easy365Manager also lets you configure Office 365 licenses and Exchange Online mailbox properties. This enables you to handle all daily Office 365 management directly from your Active Directory Users & Computers management console.

To summarize, Easy365Manager will provide you with the following benefits:

  • Remove your on-premises Exchange server
  • Integrates mail attribute management with standard AD user management
  • Integrates Office 365 license and mailbox management with standard AD user management

The complete feature list is available here.

When you feel confident about on-premises email attribute management using either ADSIEdit, AD Users & Computers, or Easy365Manager, you can start the process of removing your hybrid Exchange.

Prepare Your Office 365 Environment for the Removal of the Last Exchange On-Premises Server

Follow these steps to remove dependencies from your on-prem Exchange environment:

  • Confirm you have no public folders on your on-prem Exchange server (move them to Office 365 if they exist)
  • Confirm you have no more mailboxes on your on-prem Exchange server
  • Confirm that no scan-to-mail devices, applications, etc. are using your on-premises Exchange server to relay emails
  • Make sure MX and autodiscover DNS records are pointing to Exchange Online
  • Remove the Service Connection Point values from Exchange:
    Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri $Null
  • Remove (or disable) Exchange on-prem inbound and outbound connectors from your Office 365 environment (done via the Connectors page in the EAC – the connectors created by the Hybrid Connection Wizard are named “Inbound from ” and “Outbound to “)
  • Remove the Organization Relationship from Office 365 using the Office 365 Portal (the Organization Relationship created by the Hybrid Connection Wizard is named “O365 to On-Premises – “
  • If OAuth is enabled make sure to disable it on both on-prem and in Exchange Online:
    Get-IntraorganizationConnector -Identity ExchangeHybridOnPremisesToOnline | Set-IntraOrganizationConnector -Enabled $False
    Get-IntraorganizationConnector -Identity ExchangeHybridOnlineToOnPremises | Set-IntraOrganizationConnector -Enabled $False

Once these steps are completed you can remove the on-prem Exchange server.

Clean Removal of the Last On-Premises Exchange Server

Although we don’t recommend it, it’s possible to remove Exchange completely from your AD.

The Exchange configuration in the AD configuration partition does not do any harm, and it’s simply not worth the risk to remove it.

The clean removal is started simply by uninstalling Exchange from the last Exchange server in your organization (make sure you completed the steps in the previous section to prepare for the removal).

Launching the Exchange uninstaller (from Add/Remove Programs) will trigger a readiness check that checks for any remaining mailboxes, any remaining mailbox databases, etc. Make sure to get rid of your arbitration mailboxes to complete the uninstall:

Get-Mailbox -Arbitration -Database [DB] | Remove-Mailbox -Arbitration -RemoveLastArbitrationMailboxAllowed

Once the readiness check is successful, the Exchange configuration is removed from AD, and the Exchange binaries are removed from the server.

Dirty Removal of the Last On-Premises Exchange Server

Clean removal is not always possible.

One such special case would be if you’re using security-enabled moderated distribution lists. Moderated distribution lists are tied up to arbitration mailboxes, blocking the removal of the arbitration mailboxes. If your groups are also used to control access to on-premises objects, you can’t delete them, and you’re not going to make it past the Exchange removal pre-check.

The dirty removal of the Exchange server is to shut down the server (for good) and then remove the Exchange server object from the Exchange administrative group in the configuration partition using ADSIEdit. It’s a simple task but if you don’t know your way around ADSIEdit you should consider asking a specialist for help. Deleting the wrong object from your AD configuration partition can severely impact your infrastructure.

Should you need to go back you can re-install Exchange, but hopefully that shouldn’t be necessary.

Summary

Once you complete the above steps, you can enjoy a nice Exchange-less infrastructure!

And if you’re using Easy365Manager, you can enjoy the added benefits of easy, intuitive, and integrated user and Office 365 mailbox management.

Download the fully functional 30-day trial here.

You can install Easy365Manager in just a few minutes:

Easy365Manager is fully supported by email or phone – also during the trial period.