Finally! A Way to Remove the Last Exchange Server

Have you completed your migration to Exchange Online?  Many years ago…good for you.  But you are still running and Exchange Server on-premises, why?  Recipient Management, ok, seems a bit overkill to me. Well up until now, it was the only way to manage recipients in Exchange Online while running Azure AD Connect and be in a supported model in the eyes of Microsoft.   

Azure AD Connect prevents attributes it syncs to be updated anywhere except on-premises.  There are some non-Microsoft tools and some Microsoft tools (ADSI Edit) that could do the job but would be an unsupported means of recipient management.  This was very frustrating for organizations who thought moving to Exchange Online would allow them to eliminate any presence of Exchange servers.  Not only is it resources being taken up on a virtual platform, or worse a physical server, but Exchange has been a constant source for security vulnerabilities. 

With the latest Exchange Server 2019 Cumulative updates (April 2022, CU12), we now have an option to install Exchange Management tools separate from a full Exchange server and eliminate that last Exchange Server.  However, before you jump for joy, there are a few things to consider. 

  • If you are using your Exchange server for any other function other than recipient management, such as SMTP relay, then do not shut it down and remove it. 
  • There are several options to move SMTP relay directly to Exchange Online 
  • All mailboxes and public folders must be migrated to Exchange Online 
  • No local journaling mailboxes can exist either 
  • There is no GUI available for management, just PowerShell 
  • Email attributes still cannot be modified directly in Azure AD or Exchange Online 
  • You will not be able to use built-in or custom RBAC groups 
  • There is no auditing or logging of management activity 

 

If all this still sounds good to you, you can proceed with the following steps to remove the last Exchange Server from your environment. 

Install Exchange Management Tools

  1. Verify all mailboxes are homed in Exchange Online: 
    1. Set-AdServerSettings -ViewEntireForest $true
    2. Get-Mailbox 
  2. Verify Exchange Online tenant coexistence domain (i.e. domain.mail.onmicrosoft.com):
    1. Get-RemoteDomain Hybrid* | fl DomainName,TargetDeliveryDomain
  3. If either verification fails
    1. Move mailboxes to Exchange Online
    2. Create new Remote domain using your domain.mail.onmicrosoft.com
  4. Install Exchange Management tools by running the Exchange Server April 2022 Cumulative Update setup.
    1. The management tools can be installed on any domain-joined client or server in the environment
    2. The management tools can be used for any environments running Exchange Server 2013, 2016, or 2019
  5. Install the Windows Remote Server Administration Tools
  6. If you have the Scripting Agent enabled, copy ScriptingAgentConfig.xml from $env:ExchangeInstallPath\Bin\CmdletExtensionAgents on the Exchange Server, to the same folder on the computer with the Management Tools update installed
  7. Login to the computer with the Management tools installed as a Domain Admin and run a script that creates a security group (Recipient                   Management EMT) to grant permissions for users to manage recipients:
    1. Add-PSSnapin *RecipientManagement.
    2. $env:ExchangeInstallPath\Scripts\Add-PermissionForEMT.ps1
  8. Test all recipient management commands
  9. Shut down last Exchange server (DO NOT UNINSTALL)

Shutdown, Do Not Uninstall!

Do not uninstall Exchange Server on your last server.  I repeat, do NOT uninstall if this is your last Exchange Server.  You can either leave it running or shutdown the server.  Uninstalling your last Exchange Server will remove key Active Directory Schema information and will prevent the management tools from working.  So, we need to shut down the server and perform manual clean up tasks for both AD and Exchange, which will still result in the Exchange Server being permanently removed. 

 Also be aware that once you do shut down the last Exchange server, all the various built-in and custom Role Based Access Control groups, such as Organization Management, will no longer work.  Only domain admins and those added to the Recipient Management EMT group will be able to manage recipients using these tools. 

 If you do intend to permanently shut down and eliminate your last Exchange server, Microsoft recommends some clean up tasks to improve the security posture of your environment and not leave behind stale references. 

Exchange Server Clean Up

To perform the manual cleanup of your Exchange Organization, follow these steps:

  1. Turn on your Exchange server, if currently shut down
  2. Clean up any remaining hybrid configurations
    1. In Exchange Management Shell
      1. Get-ClientAccessService | Set-ClientAccessService -AutoDiscoverServiceInternalUri $Null
      2. Remove-HybridConfiguration
      3. Get-IntraorganizationConnector -Identity ExchangeHybridOnPremisesToOnline | Set-IntraOrganizationConnector -Enabled $False
    2. In Exchange Online PowerShell
      1. Get-IntraorganizationConnector -Identity ExchangeHybridOnlineToOnPremises | Set-IntraOrganizationConnector -Enabled $False
    3. In Exchange Online Admin Center
      1. Remove any Inbound and Outbound Connectors
      2. Remove any Organization Sharing configurations
  3. Remove the Federated Trust
    1. Remove-FederationTrust “Microsoft Federation Gateway”
  4. Remove the Federation Certificate
    1. $fedThumbprint = (Get-ExchangeCertificate | ?{$_.Subject -eq “CN=Federation”}).Thumbprint
    2. Remove-ExchangeCertificate –Thumbprint $fedThumbprint
  5. Remove the OAuth service principal credentials
    1. Find OAuth credValue in Exchange Management Shell
      1. $thumbprint = (Get-AuthConfig).CurrentCertificateThumbprint
      2. $oAuthCert = (dir Cert:\LocalMachine\My) | where {$_.Thumbprint -match $thumbprint}
      3. $certType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
      4. $certBytes = $oAuthCert.Export($certType)
      5. $credValue = [System.Convert]::ToBase64String($certBytes)
    2. Find KeyID in Azure AD PowerShell
      1. Install-Module -Name MSOnline
      2. Connect-MsolService
      3. $ServiceName = “00000002-0000-0ff1-ce00-000000000000”
      4. $p = Get-MsolServicePrincipal -ServicePrincipalName $ServiceName
      5. $keyId = (Get-MsolServicePrincipalCredential -AppPrincipalId $p.AppPrincipalId -ReturnKeyValues $true | ?{$_.Value -eq $credValue}).KeyId
    3. Remove service principal in Azure AD PowerShell
      1. Remove-MsolServicePrincipalCredential –KeyIds @($keyId) -AppPrincipalId $p.AppPrincipalId
  6. If you were using the Hybrid Agent, uninstall the agent
  7. Ensure no DNS entries, internal or public, such as MX or Autodiscover, are resolving to the Exchange Server
  8. Shut down the Exchange server (Do not uninstall)

AD Clean Up

Once you have performed the Exchange Server cleanup tasks, you can now cleanup Active Directory. This step is much simpler as Microsoft has provided a script to do the cleanup for you.  The script is available at $env:ExchangeInstallPath\Scripts\CleanupActiveDirectoryEMT.ps1 

 You need to be a domain admin to run the script. Only run this script if you are 100% certain you will never run Exchange Server on-premises again.  This step cannot be undone.  This script removes any system mailboxes, unnecessary Exchange containers, and other various Exchange configurations within Active Directory.   

 After you performed the AD Cleanup, you can now proceed to delete your Exchange server.  If it is a physical server, reformat it.  If it was virtual, simply delete the VM and Disk.  But again, do not uninstall the Exchange Server software.  Hopefully I have said it enough throughout this post.

Other Options

While some may still argue this is not entirely ideal or what they desired for post-hybrid recipient management, it is a step in the right direction.  This gives organizations a path to eliminate the last Exchange Server that may be a hinderance to their infrastructure.  However, this is by no means the final solution.  There are other ways and methods being developed that will provide alternative means of eliminating the final Exchange Server.  One option available today is Azure AD Connect Cloud Sync.  Cloud Sync uses an Azure AD cloud provisioning agent instead of the Azure AD Connect application.  This allows for management directly in Azure AD or Exchange Online.  However, this solution is not yet up to feature parity with Azure AD Connect.  But note that this is a solution Microsoft is developing heavily and rapidly and will replace Azure AD Connect in the near future.

eGroup | Enabling Technologies can help you properly prepare for moving to the cloud based on Microsoft Best Practices and utilizing a secure and productive environment. Work with our team of Cloud Computing Consultants who have done this so many times they know all of the “minefields” to prevent missteps.

Last updated on July 31st, 2023 at 01:31 pm