Best Practices for Removing the Last Exchange Server

Introduction

Have you migrated all your services from your Microsoft Exchange server(s) to Microsoft 365? Are you comfortable using Windows PowerShell to manage recipients without the Exchange Admin Centre or Exchange PowerShell? Are you planning to remove the last Exchange server from your estate?

You’ve come to the perfect place. I’m excited to share with you all the information you need in this article. So, sit back, relax, and let’s dive in!

Why should we remove it?

Imagine a company has recently launched a new project aimed at getting rid of all on-premises infrastructure and moving completely to a cloud-based platform. An M365 Architect, following the journey closely, has noticed that all administrators are familiar with using Windows PowerShell to manage recipients. Additionally, he has discovered that most of the Exchange servers were decommissioned years ago and all Exchange services have migrated to Exchange Online. Only one Exchange Hybrid server is still in use, for recipient management through the Exchange Admin Centre and the Exchange Management Shell. This means the organisation has:

  • Already migrated all mailboxes and public folders to Exchange Online.
  • No Exchange recipients on-premises.
  • Not used Exchange Server for relaying emails.
  • Been using Active Directory for recipient management and Microsoft Entra Connect or Entra Cloud Sync for synchronisation.
  • No need for the on-premises Exchange admin center or Exchange role-based access control.
  • Already redirected the MX and Autodiscover DNS records to Exchange Online.
  • Already removed Service Connection Point value.
  • No need for auditing or logging of recipient management activity.
  • Decided to shut down the Exchange Hybrid server permanently.
  • Planned never to run an on-premises Exchange server again.
  • Finally decided to leverage Windows PowerShell to manage recipients without Exchange servers.

What is the solution for this?

In this case, they can permanently remove the last Exchange server by installing the Exchange 2019 Management Tools on a domain-joined computer. This way, they can continue to perform recipient management through Windows PowerShell.

This capability is available from Exchange 2019 Cumulative Update 12 (CU12) or later. Additionally, they can perform cleanup tasks in Exchange and Active Directory to improve their organisation’s security posture.

It is possible to turn off directory synchronisation if there is no longer a need to manage users from on-premises. However, the current article does not address this topic.

Do not uninstall the last server. Uninstalling removes critical information from Active Directory and breaks the management tools package’s ability to manage Exchange attributes. Instead, shut down the server and use a script to clean up.

Practical Example

In this example, we will remove the last Exchange server and leave Entra Connect Sync in place for synchronisation for a certain period of time. Remember that the last Exchange server will not be uninstalled. Rather, we will remove the Exchange Hybrid configuration, shut down the server, and purge the unnecessary Exchange objects from Active Directory.

To facilitate this demonstration, I have already set up an Exchange 2016 Hybrid environment for you to see in action. This setup is configured with Pass-through Authentication and Password Hash Synchronisation with the Password Writeback feature.

The Exchange Hybrid state at this high level is depicted in the figure below.

The final state of our infrastructure after we have removed the Exchange server is shown in the figure below.

Implementation Steps

This implementation section has three phases. In each phase, we will follow a series of steps, which I will demonstrate later.

  • Install the Exchange Management Tools
  • Clean up and shut down the last Exchange server
  • Active Directory cleanup

Phase 1: Install the Exchange Management Tools

To begin with, we will install the Exchange Management Tools for recipient management, so that they can be used once we shut down the last Exchange server. Follow the steps below to install the Exchange Management Tools.

  1. Log in to the domain-joined computer with a Domain Admin account.
  2. Download the latest Exchange 2019 Cumulative Update from the Microsoft website.
  3. You can refer to the link to verify the system requirements for installing the Exchange 2019 Management Tools.
  4. Install the Windows Remote Server Administration Tools.
  5. In my case, I installed the Exchange 2019 Management Tools on Windows Server 2019 Datacenter Edition.

Follow the instructions presented in the screenshot in order to install the Management Tools.

  6. Once installed, load the Exchange snap-in by running the command Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn in Windows PowerShell.
  7. Next, load the Recipient Management snap-in by running the command Add-PSSnapin *RecipientManagement
  8. Run the script Add-PermissionForEMT.ps1 to create the Recipient Management EMT security group.
  9. Add the user accounts that will perform recipient management to the Recipient Management EMT group.
  10. Verify that all recipient management cmdlets still work with the last Exchange server shut down. In this demo, I have tested some of them.

For steps 6 to 10, watch the instructions provided in the video if you need more guidance. Check it out!
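The following script is an added example, not code from the original article, that automates the verification in step 10: it loads the Recipient Management snap-in and runs a set of read-only cmdlets plus one write cmdlet in -WhatIf mode, reporting which succeed while the last Exchange server is powered off. It assumes the Exchange 2019 CU12 or later Management Tools are installed on a domain-joined host, that the running account is a member of the Recipient Management EMT group created by Add-PermissionForEMT.ps1, and that the RecipientManagement snap-in runs against Active Directory without needing a reachable server; the server host name is a placeholder.

```powershell
# Added example (not from the original article): confirm recipient management
# works from the Management Tools host alone, with the last Exchange server off.
#
# Assumptions: Exchange 2019 CU12+ Management Tools installed, the account is in
# the "Recipient Management EMT" group, and the RecipientManagement snap-in runs
# its cmdlets directly against Active Directory (no Exchange server needed).

# Load only the RecipientManagement snap-in; the full
# Microsoft.Exchange.Management.PowerShell.SnapIn expects a reachable server.
if (-not (Get-PSSnapin -Name '*RecipientManagement' -ErrorAction SilentlyContinue)) {
    Add-PSSnapin -Name 'Microsoft.Exchange.Management.PowerShell.RecipientManagement' -ErrorAction Stop
}

# Each check is a script block; a failing cmdlet is reported, not fatal,
# so one table shows what works and what does not.
$checks = [ordered]@{
    'Get-Recipient'                     = { Get-Recipient -ResultSize 1 }
    'Get-RemoteMailbox (migrated users)' = { Get-RemoteMailbox -ResultSize 5 }
    'Get-DistributionGroup'             = { Get-DistributionGroup -ResultSize 5 }
    'Get-MailContact'                   = { Get-MailContact -ResultSize 5 }
    # A write cmdlet in -WhatIf mode exercises the permission path without changing anything.
    'Set-RemoteMailbox -WhatIf'         = {
        $rm = Get-RemoteMailbox -ResultSize 1
        if (-not $rm) { throw 'No remote mailbox found to test against' }
        Set-RemoteMailbox -Identity $rm.Identity -CustomAttribute15 'emt-check' -WhatIf
    }
}

$results = foreach ($name in $checks.Keys) {
    try {
        $null = & $checks[$name]
        [pscustomobject]@{ Check = $name; Result = 'OK';   Detail = '' }
    } catch {
        [pscustomobject]@{ Check = $name; Result = 'FAIL'; Detail = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize

# The test only proves server-less management if the server really was offline.
$lastServer = 'EX2016-HYBRID.corp.example'   # hypothetical host name; replace with yours
if (Test-Connection -ComputerName $lastServer -Count 1 -Quiet) {
    Write-Warning "$lastServer is still responding; shut it down and rerun the checks."
}
```

Run it in Windows PowerShell 5.1 (the snap-in is not available in PowerShell 7) as one of the accounts you added to the Recipient Management EMT group, not as a Domain Admin, so that the result reflects the permissions your day-to-day operators will actually have.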

Phase 2: Clean up and shut down the last Exchange server

To boost security, we will clean up the Exchange Hybrid configuration and shut down the last Exchange server. To proceed, complete the following clean-up tasks on the Exchange 2016 server.

  1. Remove the inbound and outbound connectors in Microsoft 365 and the Send connector in on-premises Exchange created by the Hybrid Configuration Wizard.
  2. Remove the organization relationship created by the Hybrid Configuration Wizard.
  3. Remove the SCP value (if you haven’t already).
  4. Remove Hybrid Configuration.
  5. Disable the Exchange Hybrid OAuth configuration from on-premises.
  6. Disable the Exchange Hybrid OAuth configuration from Microsoft 365.

Follow the instructions in the video to complete the steps from 1 to 6.

  7. Uninstall the Hybrid Agent app.
  8. Uninstall the Hybrid Agent software.
  9. Remove the Federation Trust and the certificate.
  10. Shut down the last Exchange server.

To finish steps 7-10, follow the instructions given in the video.
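The script below is an added example, not the article's or Microsoft's own code, covering steps 1 to 6 and step 9 of this phase as a dry run first: every destructive cmdlet runs with -WhatIf unless -Commit is passed, so the first invocation only lists what would be removed. It assumes it is run from the Exchange Management Shell on the last on-premises server with the ExchangeOnlineManagement module installed, that Exchange Online cmdlets are imported with the Cloud prefix to avoid name clashes with the on-premises cmdlets, and that the Hybrid Configuration Wizard objects carry their usual names (Inbound from ..., Outbound to ..., On-premises to O365 ..., O365 to On-premises ..., Outbound to Office 365 ...) and the federation certificate has subject CN=Federation; those name patterns are assumptions to verify against the Get-* output before committing. Steps 7 and 8 (uninstalling the Hybrid Agent) are installer and portal tasks and are not scripted.

```powershell
# Added example (not from the original article): Phase 2 steps 1-6 and 9 as a
# dry run first. Run once without -Commit, review the -WhatIf output, then
# rerun with -Commit.
#
# Assumptions: Exchange Management Shell on the last on-premises server,
# ExchangeOnlineManagement module installed, HCW object names as below.
param([switch]$Commit)
$wi = @{ WhatIf = -not $Commit }   # splatted onto every destructive cmdlet

Import-Module ExchangeOnlineManagement -ErrorAction Stop
# The Cloud prefix keeps Get-OrganizationRelationship (on-prem) distinct from
# Get-CloudOrganizationRelationship (Exchange Online) in the same session.
Connect-ExchangeOnline -Prefix Cloud -ShowBanner:$false

# Step 1: connectors created by the Hybrid Configuration Wizard
Get-CloudInboundConnector  | Where-Object Name -like 'Inbound from *' |
    Remove-CloudInboundConnector -Confirm:$false @wi
Get-CloudOutboundConnector | Where-Object Name -like 'Outbound to *' |
    Remove-CloudOutboundConnector -Confirm:$false @wi
Get-SendConnector | Where-Object Name -like 'Outbound to Office 365*' |
    Remove-SendConnector -Confirm:$false @wi

# Step 2: organization relationships on both sides
Get-OrganizationRelationship | Where-Object Name -like 'On-premises to O365*' |
    Remove-OrganizationRelationship -Confirm:$false @wi
Get-CloudOrganizationRelationship | Where-Object Name -like 'O365 to On-premises*' |
    Remove-CloudOrganizationRelationship -Confirm:$false @wi

# Step 3: clear the Autodiscover Service Connection Point (no-op if already done)
Get-ClientAccessService | Set-ClientAccessService -AutoDiscoverServiceInternalUri $null @wi

# Step 4: the hybrid configuration object itself
Remove-HybridConfiguration -Confirm:$false @wi

# Steps 5 and 6: disable OAuth intra-organization connectors on-premises and in Microsoft 365
Get-IntraOrganizationConnector      | Set-IntraOrganizationConnector      -Enabled $false @wi
Get-CloudIntraOrganizationConnector | Set-CloudIntraOrganizationConnector -Enabled $false @wi

# Step 9: federation trust and its self-signed certificate (subject pattern assumed)
Get-FederationTrust | Remove-FederationTrust -Confirm:$false @wi
Get-ExchangeCertificate | Where-Object Subject -like 'CN=Federation*' |
    ForEach-Object { Remove-ExchangeCertificate -Thumbprint $_.Thumbprint -Confirm:$false @wi }

Disconnect-ExchangeOnline -Confirm:$false
if (-not $Commit) { Write-Host 'Dry run complete. Review the output above, then rerun with -Commit.' }
```

Keep the -WhatIf transcript from the first run with your change record: it is the list of exactly which connectors, relationships and trust objects were removed, which is useful when a mail-flow question comes up later and nobody remembers what the wizard had created.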

Phase 3: Active Directory cleanup

Finally, we must run the script CleanupActiveDirectoryEMT.ps1. This script is located in the Exchange Server installation path. In my case, it is located at C:\Program Files\Microsoft\Exchange Server\V15\Scripts\CleanupActiveDirectoryEMT.ps1.

This action can’t be undone. Proceed only if you intend to permanently stop the Exchange Server.

The script removes the system mailboxes, unnecessary Exchange containers, the permissions granted to the Exchange security groups on the domain and configuration partitions, and the Exchange security groups themselves. You should run this script with Domain Admin credentials.
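Because CleanupActiveDirectoryEMT.ps1 cannot be undone, the following added example (not from the original article) runs a set of pre-flight checks before it: it confirms the conditions the article lists (no ordinary user still has an on-premises mailbox, MX and Autodiscover point at Exchange Online, the last server is powered off) and writes a snapshot of the Exchange configuration container as an audit record. It assumes the ActiveDirectory RSAT module is present on the Management Tools host; the server name, domain, snapshot path and the system-mailbox name patterns it excludes are assumptions to adjust for your environment.

```powershell
# Added example (not from the original article): pre-flight checks before
# running CleanupActiveDirectoryEMT.ps1, which is irreversible.
#
# Assumptions: ActiveDirectory RSAT module available; the three parameters
# below are placeholders to replace with your own values.
param(
    [string]$LastServer   = 'EX2016-HYBRID.corp.example',   # hypothetical
    [string]$Domain       = 'corp.example',                 # hypothetical
    [string]$SnapshotPath = "$env:USERPROFILE\exchange-config-before-cleanup.xml"
)
Import-Module ActiveDirectory -ErrorAction Stop
$problems = @()

# 1. A user with an on-premises mailbox still has homeMDB set; migrated (remote)
#    mailboxes do not. Exchange's own system mailboxes are expected here (they
#    are what the cleanup script removes), so they are excluded by name pattern.
$systemPattern = '^(SystemMailbox|FederatedEmail|Migration\.|DiscoverySearchMailbox|HealthMailbox)'  # assumed patterns
$onPrem = Get-ADUser -LDAPFilter '(homeMDB=*)' -Properties homeMDB |
          Where-Object { $_.Name -notmatch $systemPattern }
if ($onPrem) {
    $problems += "Users still mailbox-enabled on-premises: $($onPrem.SamAccountName -join ', ')"
}

# 2. Mail flow and Autodiscover must already be handled by Exchange Online.
$mx = Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
      Where-Object { $_.NameExchange -like '*.mail.protection.outlook.com' }
if (-not $mx) { $problems += "MX record for $Domain does not point at Exchange Online" }

$ad = Resolve-DnsName -Name "autodiscover.$Domain" -Type CNAME -ErrorAction SilentlyContinue |
      Where-Object { $_.NameHost -eq 'autodiscover.outlook.com' }
if (-not $ad) { $problems += "autodiscover.$Domain is not a CNAME to autodiscover.outlook.com" }

# 3. The last server must actually be off, not just unused.
if (Test-Connection -ComputerName $LastServer -Count 1 -Quiet) {
    $problems += "$LastServer still responds to ping"
}

# 4. Record the Exchange configuration container before anything is deleted.
$configNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Microsoft Exchange,CN=Services,$configNC" -SearchScope Subtree -Filter * -Properties * |
    Export-Clixml -Path $SnapshotPath
Write-Host "Configuration snapshot written to $SnapshotPath"

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Pre-flight failed; do not run CleanupActiveDirectoryEMT.ps1 yet.'
}
Write-Host 'Pre-flight passed. Run CleanupActiveDirectoryEMT.ps1 with Domain Admin credentials.'
```

The snapshot is not a restore mechanism (the cleanup script's deletions stay permanent, as the article says); it is an audit artefact that lets you answer later questions about which containers, groups and permissions existed before the change. Take a System State backup of a domain controller for actual recoverability.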

The video below demonstrates how to run this script.

Thank you for taking the time to read the article. I trust that you found it informative and engaging. Please do not hesitate to reach out if you have any questions or require further assistance.

Author: Muthu