Follow these steps to remove the last Exchange Server

Organizations that were unable to uninstall their last Exchange Server from the on-premises environment can now do so if they fulfill the requirements.

A problem that has been years in the fixing finally got resolved this year when Microsoft gave organizations that moved to Office 365 a way to remove their last on-premises Exchange Server.

For customers locked into an Exchange hybrid deployment for recipient management, Microsoft addressed their needs and issued an update to the Exchange management tools in Exchange Server 2019 that lets organizations remove this server. With this move, administrators without special requirements do not need to retain a management instance of Exchange on-premises to synchronize data from Active Directory to Azure Active Directory. Eliminating that nagging piece of infrastructure removes a potential security issue and reduces the number of machines requiring regular patching.

Why some organizations need an Exchange hybrid configuration

The need for an on-premises Exchange Server while on Office 365 was mostly due to requiring access to management tools that were on the Exchange admin portal on the local server. These management features included Exchange PowerShell and the Exchange admin center that supported the creation of distribution lists, management of recipients, administration of public folders and supervision of many of the Exchange hybrid configurations.

For organizations that moved on to Microsoft 365, this last Exchange Server was always a big concern. Patching, backing up and securing this remaining Exchange Server was a burden for a workload that was no longer needed to host mailboxes after the organization moved its users to Exchange Online. The occasional alerts about Exchange zero-days were painful reminders that the server needed immediate mitigation attention because it is internet-facing. With the release of the updated management tools in Exchange Server 2019 in April, organizations can now connect and sync with AD and manage email recipients without the need for an on-premises Exchange Server.

For some organizations that shifted most workloads to the cloud, this option could be the last step to completely offload their on-premises servers. Administrators who no longer require the on-premises server can focus on Exchange Online administration and avoid worrying about the local install, which requires hardware and software to maintain.

What's required to remove the last Exchange Server?

Organizations must meet the requirements of the Exchange Server 2019 management tools, which are installed on Windows Server 2019 or higher.

The first step during a plan to remove the last Exchange Server from the hybrid environment is to meet the following:

  • All mailboxes and public folders are in Exchange Online.
  • Organization uses Active Directory for recipient management and Azure AD Connect for synchronization of Active Directory objects.
  • Role-based access control is not in use.
  • No required auditing or logging of actions related to recipient management.

With these requirements in place, the administrator can execute the Exchange setup in Exchange Server 2019 CU12 or later to access the updated Exchange management tools installed on a domain-joined machine.

Administrators still cannot run the uninstall on the last server. Instead, Microsoft provides scripts that clean up Active Directory of any leftovers from the last standing Exchange Server.

The updated Exchange management tools require Windows PowerShell to use the following management cmdlets:

  • Set-MailUser, Get-MailUser, New-MailUser, Remove-MailUser, Disable-MailUser and Enable-MailUser.
  • Set-MailContact, Get-MailContact, New-MailContact, Remove-MailContact, Disable-MailContact and Enable-MailContact.
  • Set-RemoteMailbox, Get-RemoteMailbox, New-RemoteMailbox, Remove-RemoteMailbox, Disable-RemoteMailbox and Enable-RemoteMailbox.
  • Set-DistributionGroup, Get-DistributionGroup, New-DistributionGroup, Remove-DistributionGroup, Disable-DistributionGroup and Enable-DistributionGroup (excluding Upgrade-DistributionGroup).
  • Get-DistributionGroupMember, Add-DistributionGroupMember, Remove-DistributionGroupMember and Update-DistributionGroupMember.
  • Set-EmailAddressPolicy, Get-EmailAddressPolicy, New-EmailAddressPolicy, Remove-EmailAddressPolicy and Update-EmailAddressPolicy.
  • Set-User and Get-User.

These PowerShell commands are only available to domain admins and a security group called Recipient Management EMT that a script from the Exchange management tools creates.

How to execute the Exchange Server removal process

First, verify that all mailboxes are in the Microsoft cloud with these PowerShell commands:

Set-AdServerSettings -ViewEntireForest $true
Get-Mailbox

Check that the Exchange Online tenant coexistence domain is set as the target delivery domain:

Get-RemoteDomain Hybrid* | Format-List DomainName,TargetDeliveryDomain
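The two checks above can be combined into a single pre-flight script that reports every blocker at once instead of requiring a manual read of the output. The following is an added example, not code from the original article or from Microsoft; it runs in the Exchange Management Shell on the last on-premises server, and it also goes beyond the article by checking that migrated users still carry a remote routing address in the coexistence domain. The value of $CoexistenceDomain is a placeholder for your tenant's coexistence domain.

```powershell
# Added example, not from the original article. Run in the Exchange Management
# Shell on the last on-premises Exchange Server before installing the new tools.
$CoexistenceDomain = 'contoso.mail.onmicrosoft.com'   # placeholder, replace with your tenant's domain

Set-AdServerSettings -ViewEntireForest $true
$failures = New-Object System.Collections.Generic.List[string]

# 1. No user mailboxes may remain on-premises. Get-Mailbox only returns mailboxes
#    hosted here; users already moved show up as RemoteMailbox objects instead.
$onPrem = @(Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.RecipientTypeDetails -ne 'DiscoveryMailbox' })
if ($onPrem.Count -gt 0) {
    $sample = ($onPrem | Select-Object -First 10 -ExpandProperty PrimarySmtpAddress) -join ', '
    $failures.Add("$($onPrem.Count) mailbox(es) still on-premises, e.g. $sample")
}

# 2. No public folder mailboxes may remain on-premises.
$pfMailboxes = @(Get-Mailbox -PublicFolder -ResultSize Unlimited -ErrorAction SilentlyContinue)
if ($pfMailboxes.Count -gt 0) {
    $failures.Add("$($pfMailboxes.Count) public folder mailbox(es) still on-premises")
}

# 3. The coexistence domain must be the target delivery domain of the hybrid remote domain.
$hybridDomain = Get-RemoteDomain Hybrid* |
    Where-Object { $_.TargetDeliveryDomain -and $_.DomainName -eq $CoexistenceDomain }
if (-not $hybridDomain) {
    $failures.Add("No Hybrid* remote domain has TargetDeliveryDomain set for $CoexistenceDomain")
}

# 4. Extra check beyond the article: every migrated user needs a routing address in the
#    coexistence domain, otherwise mail for that user can still be delivered on-premises.
$badRouting = @(Get-RemoteMailbox -ResultSize Unlimited |
    Where-Object { $_.RemoteRoutingAddress -notlike "*@$CoexistenceDomain" })
if ($badRouting.Count -gt 0) {
    $failures.Add("$($badRouting.Count) remote mailbox(es) lack a routing address in $CoexistenceDomain")
}

if ($failures.Count -eq 0) {
    Write-Host 'Pre-flight passed: proceed with the management tools install.' -ForegroundColor Green
} else {
    Write-Warning 'Pre-flight failed; do not shut down the last Exchange Server yet:'
    $failures | ForEach-Object { Write-Warning "  - $_" }
}
```

Discovery mailboxes are excluded from the first check because they are system mailboxes that only disappear with the server itself; arbitration mailboxes are not returned by Get-Mailbox unless -Arbitration is specified, so they do not need a filter.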

Install the Exchange management tools from the Exchange Server 2019 April 2022 CU update.

Install the Remote Server Administration Tools.

Copy the script named ScriptingAgentConfig.xml from the CmdletExtensionAgents folder on the Exchange Server to the install folder of the new Exchange management tools.

Run the following command:

Add-PSSnapin *RecipientManagement

Run a test using the PowerShell commands listed to check the status. If there are no issues, then shut off the last remaining Exchange server.
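The following added example (not from the original article or from Microsoft) turns that test into a repeatable script: it loads the recipient management snap-in, checks that the current account is authorized through the Recipient Management EMT group named above rather than only through Domain Admins, runs a read-only check of each cmdlet family, and exercises one write cmdlet with -WhatIf so the write path is validated without changing any object. It assumes Windows PowerShell on the domain-joined machine that has the Exchange Server 2019 management tools and the RSAT Active Directory module.

```powershell
# Added example, not from the original article. Run in Windows PowerShell on the
# machine where the Exchange Server 2019 management tools and RSAT are installed.
if (-not (Get-PSSnapin -Name *RecipientManagement -ErrorAction SilentlyContinue)) {
    Add-PSSnapin *RecipientManagement -ErrorAction Stop
}
Import-Module ActiveDirectory -ErrorAction Stop

# 1. Least privilege: prefer membership in the dedicated group over Domain Admins.
#    'Recipient Management EMT' is the group name the article gives.
$emtMembers = @(Get-ADGroupMember -Identity 'Recipient Management EMT' -Recursive |
    Select-Object -ExpandProperty SamAccountName)
if ($emtMembers -contains $env:USERNAME) {
    Write-Host "$env:USERNAME is a member of Recipient Management EMT"
} else {
    Write-Warning "$env:USERNAME is not in Recipient Management EMT; the cmdlets only work if it is a domain admin"
}

# 2. Read-only smoke test, one cmdlet per family exposed by the management tools.
$readChecks = [ordered]@{
    'Get-RemoteMailbox'      = { Get-RemoteMailbox -ResultSize 5 }
    'Get-MailUser'           = { Get-MailUser -ResultSize 5 }
    'Get-MailContact'        = { Get-MailContact -ResultSize 5 }
    'Get-DistributionGroup'  = { Get-DistributionGroup -ResultSize 5 }
    'Get-EmailAddressPolicy' = { Get-EmailAddressPolicy }
}
$failed = 0
foreach ($name in $readChecks.Keys) {
    try {
        $count = @(& $readChecks[$name]).Count
        Write-Host ("{0,-24} OK ({1} object(s) returned)" -f $name, $count)
    } catch {
        $failed++
        Write-Warning ("{0} failed: {1}" -f $name, $_.Exception.Message)
    }
}

# 3. Exercise a write cmdlet with -WhatIf: validates the write path, including the
#    scripting agent configuration copied earlier, without modifying any recipient.
$sample = Get-RemoteMailbox -ResultSize 1
if ($sample) {
    Set-RemoteMailbox -Identity $sample.Identity -WhatIf
}

if ($failed -eq 0) {
    Write-Host 'Management tools verified; the last Exchange Server can be shut down.'
} else {
    Write-Warning "$failed cmdlet check(s) failed; keep the last Exchange Server running until resolved."
}
```

Run it first as a member of Recipient Management EMT only, not as a domain admin; a cmdlet that only succeeds for domain admins points at a permissions problem that will surface later for the help desk.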

Clean up references to the Exchange hybrid configuration

The next steps explain how to remove references to the hybrid configuration through the Exchange Management Shell.

Run the following commands to remove the federation trust and certificate from the last Exchange Server:

Remove-FederationTrust "Microsoft Federation Gateway"
$fedThumbprint = (Get-ExchangeCertificate | ?{$_.Subject -eq "CN=Federation"}).Thumbprint
Remove-ExchangeCertificate -Thumbprint $fedThumbprint

The next stage revokes the service principal credential used by OAuth. Run the following commands to get the OAuth credValue:

$thumbprint = (Get-AuthConfig).CurrentCertificateThumbprint
$oAuthCert = (dir Cert:\LocalMachine\My) | where {$_.Thumbprint -match $thumbprint}
$certType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
$certBytes = $oAuthCert.Export($certType)
$credValue = [System.Convert]::ToBase64String($certBytes)

Run the following script to get KeyId. The code uses the Azure Active Directory Module for Windows PowerShell to find the match for the OAuth credValue:

Install-Module -Name MSOnline
Connect-MsolService
$ServiceName = "00000002-0000-0ff1-ce00-000000000000"
$p = Get-MsolServicePrincipal -ServicePrincipalName $ServiceName
$keyId = (Get-MsolServicePrincipalCredential -AppPrincipalId $p.AppPrincipalId -ReturnKeyValues $true | ?{$_.Value -eq $credValue}).KeyId

Run the following command to remove the service principal credential:

Remove-MsolServicePrincipalCredential -KeyIds @($keyId) -AppPrincipalId $p.AppPrincipalId
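The lookup above silently produces an empty $keyId if no credential matches, and an array if more than one does, in which case the removal either fails or touches the wrong key. The following added example (not from the original article or from Microsoft) wraps the same steps in guards so the script aborts unless exactly one credential matches this server's OAuth certificate, lists the credentials it will leave in place, and asks for confirmation before removing. It assumes the Exchange Management Shell on the last server with the MSOnline module installed; the service principal ID is the Exchange Online value quoted in the article.

```powershell
# Added example, not from the original article. Run in the Exchange Management Shell
# on the last on-premises server; requires the MSOnline module from the steps above.
$exoServicePrincipal = '00000002-0000-0ff1-ce00-000000000000'   # Exchange Online, from the article

# Export this server's current OAuth certificate (public part only) as base64.
$thumbprint = (Get-AuthConfig).CurrentCertificateThumbprint
$oAuthCert  = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $oAuthCert) { throw "OAuth certificate $thumbprint not found in Cert:\LocalMachine\My" }
$certType  = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert
$credValue = [System.Convert]::ToBase64String($oAuthCert.Export($certType))

Connect-MsolService
$p    = Get-MsolServicePrincipal -ServicePrincipalName $exoServicePrincipal
$keys = @(Get-MsolServicePrincipalCredential -AppPrincipalId $p.AppPrincipalId -ReturnKeyValues $true)

$matching = @($keys | Where-Object { $_.Value -eq $credValue })
$others   = @($keys | Where-Object { $_.Value -ne $credValue })

Write-Host ("Service principal '{0}' has {1} credential(s); {2} match this server's OAuth certificate." -f
    $p.DisplayName, $keys.Count, $matching.Count)
$others | ForEach-Object { Write-Host ("  keeping KeyId {0} (expires {1})" -f $_.KeyId, $_.EndDate) }

switch ($matching.Count) {
    0 { Write-Warning 'No credential matches this certificate; nothing to remove (already revoked?).' }
    1 {
        $keyId = $matching[0].KeyId
        if ((Read-Host "Remove KeyId $keyId from $($p.DisplayName)? (y/N)") -eq 'y') {
            Remove-MsolServicePrincipalCredential -KeyIds @($keyId) -AppPrincipalId $p.AppPrincipalId
            Write-Host "Removed KeyId $keyId"
        } else {
            Write-Host 'Removal skipped.'
        }
    }
    default { throw "Expected exactly one matching credential, found $($matching.Count); inspect them manually before removing." }
}
```

Listing the credentials that stay behind matters because other on-premises integrations (a second hybrid organization, or a previous OAuth certificate that was never cleaned up) register keys on the same service principal, and those should be reviewed separately rather than removed by accident.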

Organizations that use a modern hybrid configuration will need to remove the hybrid agent by running several commands from the machine where the agent resides. Use the Exchange Management Shell to move to the C:\Program Files\Microsoft Hybrid Service\ folder, then run the following command to import the hybrid agent PowerShell module:

Import-Module .\HybridManagement.psm1

Find the AppId needed to remove the hybrid agent with the following command:

Get-MigrationEndpoint "Hybrid Migration Endpoint - EWS (Default Web Site)" | Select-Object RemoteServer

The AppId is the GUID in the output as shown in the following example:

<GUID>.resource.mailboxmigration.his.msappproxy.net

Use the value of the AppId found in the previous step and run the following command to remove the application:

Remove-HybridApplication -appId <GUID> -Credential (Get-Credential)

Run the Hybrid Configuration wizard on the machine with the hybrid agent and choose Classic Connectivity to remove the hybrid agent, which also unregisters it from Azure.

As a last bit of housekeeping, ensure that all the Mail Exchange records and Autodiscover DNS records point to Exchange Online, not the on-premises Exchange Server external IP address.
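Checking those records by hand is error-prone across several accepted domains, so the following added example (not from the original article or from Microsoft) resolves them and flags anything that does not point to Exchange Online. It runs from any Windows machine with public DNS access; $Domains and $OnPremIp are placeholders for your accepted domains and for the public address the retired Exchange Server used to publish, and the expected targets (*.mail.protection.outlook.com for MX, autodiscover.outlook.com for Autodiscover) are the standard Exchange Online values.

```powershell
# Added example, not from the original article. Run from any Windows machine with
# access to public DNS after the last Exchange Server has been shut down.
$Domains  = @('contoso.com')     # placeholder: your accepted domains
$OnPremIp = '203.0.113.10'       # placeholder: former public IP of the on-premises server (RFC 5737 range)

function Get-ARecordIPs {
    param([string]$Name)
    @(Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'A' } |
        Select-Object -ExpandProperty IPAddress)
}

$problems = 0
foreach ($d in $Domains) {
    # MX records should point at Exchange Online Protection, not an on-premises host.
    $mx = @(Resolve-DnsName -Name $d -Type MX -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'MX' })
    if ($mx.Count -eq 0) { Write-Warning "${d}: no MX record found"; $problems++ }
    foreach ($r in $mx) {
        if ($r.NameExchange -like '*.mail.protection.outlook.com') {
            Write-Host ("{0}: MX {1} (preference {2}) -> Exchange Online Protection" -f $d, $r.NameExchange, $r.Preference)
        } else {
            Write-Warning ("{0}: MX {1} is not an Exchange Online Protection host" -f $d, $r.NameExchange)
            $problems++
        }
    }

    # Autodiscover should be a CNAME to autodiscover.outlook.com.
    $auto = @(Resolve-DnsName -Name "autodiscover.$d" -Type CNAME -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'CNAME' })
    if ($auto.Count -eq 1 -and $auto[0].NameHost -eq 'autodiscover.outlook.com') {
        Write-Host "${d}: autodiscover CNAME -> autodiscover.outlook.com"
    } else {
        Write-Warning "${d}: autodiscover.$d is not a CNAME to autodiscover.outlook.com"
        $problems++
    }

    # Nothing mail-related may still resolve to the old server's address.
    $hosts = @($mx | ForEach-Object { $_.NameExchange }) + @("autodiscover.$d")
    foreach ($h in ($hosts | Where-Object { $_ } | Sort-Object -Unique)) {
        if ((Get-ARecordIPs -Name $h) -contains $OnPremIp) {
            Write-Warning "$h still resolves to the on-premises address $OnPremIp"
            $problems++
        }
    }
}

if ($problems -eq 0) {
    Write-Host 'All MX and Autodiscover records point to Exchange Online.' -ForegroundColor Green
} else {
    Write-Warning "$problems DNS record(s) still need attention."
}
```

Resolve-DnsName returns the additional A records for MX targets alongside the MX entries themselves, which is why each query is filtered on the record type before its properties are read.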

Some organizations might still require Exchange Server

While it is a small celebration for many in IT to finally eliminate the last on-premises Exchange Server and all the required maintenance and upkeep in security, some companies might need to keep that server online.

For example, there might be compliance requirements that keep some mailboxes in an on-premises server. For many organizations, this supported option from Microsoft is one way to reduce the burden on the IT staff.
