Finally! A Way to Remove the Last Exchange Server
Have you completed your migration to Exchange Online? Many years ago…good for you. But you are still running and Exchange Server on-premises, why? Recipient Management, ok, seems a bit overkill to me. Well up until now, it was the only way to manage recipients in Exchange Online while running Azure AD Connect and be in a supported model in the eyes of Microsoft.
Azure AD Connect prevents attributes it syncs to be updated anywhere except on-premises. There are some non-Microsoft tools and some Microsoft tools (ADSI Edit) that could do the job but would be an unsupported means of recipient management. This was very frustrating for organizations who thought moving to Exchange Online would allow them to eliminate any presence of Exchange servers. Not only is it resources being taken up on a virtual platform, or worse a physical server, but Exchange has been a constant source for security vulnerabilities.
With the latest Exchange Server 2019 Cumulative updates (April 2022, CU12), we now have an option to install Exchange Management tools separate from a full Exchange server and eliminate that last Exchange Server. However, before you jump for joy, there are a few things to consider.
If all this still sounds good to you, you can proceed with the following steps to remove the last Exchange Server from your environment.
Install Exchange Management Tools
Shutdown, Do Not Uninstall!
Do not uninstall Exchange Server on your last server. I repeat, do NOT uninstall if this is your last Exchange Server. You can either leave it running or shutdown the server. Uninstalling your last Exchange Server will remove key Active Directory Schema information and will prevent the management tools from working. So, we need to shut down the server and perform manual clean up tasks for both AD and Exchange, which will still result in the Exchange Server being permanently removed.
Also be aware that once you do shut down the last Exchange server, all the various built-in and custom Role Based Access Control groups, such as Organization Management, will no longer work. Only domain admins and those added to the Recipient Management EMT group will be able to manage recipients using these tools.
If you do intend to permanently shut down and eliminate your last Exchange server, Microsoft recommends some clean up tasks to improve the security posture of your environment and not leave behind stale references.
Exchange Server Clean Up
To perform the manual cleanup of your Exchange Organization, follow these steps:
AD Clean Up
Once you have performed the Exchange Server cleanup tasks, you can now cleanup Active Directory. This step is much simpler as Microsoft has provided a script to do the cleanup for you. The script is available at $env:ExchangeInstallPath\Scripts\CleanupActiveDirectoryEMT.ps1
You need to be a domain admin to run the script. Only run this script if you are 100% certain you will never run Exchange Server on-premises again. This step cannot be undone. This script removes any system mailboxes, unnecessary Exchange containers, and other various Exchange configurations within Active Directory.
After you performed the AD Cleanup, you can now proceed to delete your Exchange server. If it is a physical server, reformat it. If it was virtual, simply delete the VM and Disk. But again, do not uninstall the Exchange Server software. Hopefully I have said it enough throughout this post.
While some may still argue this is not entirely ideal or what they desired for post-hybrid recipient management, it is a step in the right direction. This gives organizations a path to eliminate the last Exchange Server that may be a hinderance to their infrastructure. However, this is by no means the final solution. There are other ways and methods being developed that will provide alternative means of eliminating the final Exchange Server. One option available today is Azure AD Connect Cloud Sync. Cloud Sync uses an Azure AD cloud provisioning agent instead of the Azure AD Connect application. This allows for management directly in Azure AD or Exchange Online. However, this solution is not yet up to feature parity with Azure AD Connect. But note that this is a solution Microsoft is developing heavily and rapidly and will replace Azure AD Connect in the near future.
eGroup | Enabling Technologies can help you properly prepare for moving to the cloud based on Microsoft Best Practices and utilizing a secure and productive environment. Work with our team of Cloud Computing Consultants who have done this so many times they know all of the “minefields” to prevent missteps.