Removing Hybrid Exchange

Prior to Microsoft’s update to the Exchange management tools in Exchange Server 2019, it’s likely that you were locked into an Exchange hybrid deployment for recipient management. Fortunately, it’s now possible to eliminate that last on-premise Exchange server. This means you can now get rid of that last piece of infrastructure that potentially exposes you to security risks and potentially reduce the number of machines that require regular patching.

Fortunately, going entirely cloud after migrating to Microsoft 365 and particularly Exchange Online can be a fairly straight-forward process, with some guidance. Herein, we highlight the steps to follow towards this goal and the warnings to keep in mind for successful decommissioning.

Before diving into steps to follow to remove the last Exchange server, it is prudent to mention what’s required to completely offload said on-premise server.

Requirements to Remove Hybrid Exchange

Right out of the gate, note that your organization is mandated to meet the requirements of the Exchange Server 2019 management tools. Further, you are required to meet the following:

  • Your entire mailboxes and public folders are in Exchange Online
  • No mandated auditing or logging of actions pertaining to recipient management
  • Your organization must be using Active Directory for recipient management and Azure AD Connect for AD objects synchronization
  • No role-based access controls should be in use

Once you have these requirements in place, the admin can now embark on executing the Exchange setup in Exchange Server 2019 CU12 or latter. Here, they will be seeking to access the updated Exchange management tools already present on the domain-joined machine.

Note that said updated Exchange management tools require the Windows PowerShell to leverage the following management cmdlets:

  • Set-MailUser, Get-MailUser, New-MailUser, Remove-MailUser, Enable-MailUser and Disable-MailUser
  • Set-RemoteMailbox, Get-RemoteMailbox, Enable-RemoteMailbox, Disable-RemoteMailbox, Remove-RemoteMailvox
  • Get-DistributionGroupMember, Remove-DistributionGroupMember, Update-DistributionGroupMember, Add-DistributionGroupMember
  • Set-MailContact, Disable-MailContact, Enable-MailContact, Get-MailContact, New-MailContact
  • Set-User and Get-User
  • Set-EmailAddressPolicy, Remove-EmailAddressPolicy, Update-EmailAddressPolicy, New- EmailAddressPolicy

Keep in mind that these PowerShell commands can only be accessed by administrators or a security group named Recipient Management EMT. The later is created by the Exchange management tools.

Before jumping into the removal, you have to plan for the decommissioning. Part of said planning will be a discovery where the IT team will be confirming if there are any mailboxes or archives that still need to migrate or be used. Further, the team will be checking whether there are any other services that still use Exchange server as a mail relay.

In the event that either of these scenarios apply, then these need to be routed to the SMTP traffic or Exchange Online directly. There’s also the option of routing these to another server which then needs to be deployed.

Steps to Removing Hybrid Exchange

Here is a step-by-step guide to removing hybrid Exchange servers.

  1. Ensure that all of your mailboxes have already been migrated t the Microsoft cloud. You can achieve this by running the following PowerShell command:

Set-AdServerSettings -ViewEntireForest $true Get-Mailbox

  1. Verify that the Exchange Online tenant coexistence domain is set at the target delivry domain. For this you’ll run the following command:

Get-RemoteDomain Hybrid* | Format-List DomainName,TargetDeliveryDomain

  1. Install the Exchange management tools found within the Exchange Server 2019 April CU Update.
  2. Install the Remote Server Administration Tools
  3. Copy the script tagged ScriptingAgentConfig.ml from CmdletExtensionAgents folder found in the Exchange Server to the install folder of the new Exchange management tools.
  4. Run the command below:

Add-PSSnapin *RecipientManagement

  1. Run a test using the PowerShell commands listed above. As the last step, this should help you check on the status of the decommissioning. If there are no issues, then you can successfully shut off the last remaining Exchange server.

Having successfully removed the last hybrid Exchange, the next step is to remove any references to the hybrid configuration.

Removing References to the Exchange Hybrid Configuration

To remove any references to the Exchange hybrid configuration, you are going to leverage Exchange Management Shell.

To achieve said removal, you’ll need to run the following commands to remove any federation trust and certificate.

Remove-FederationTrust “Microsoft Federation Gateway”

$fedThumbprint = (Get-ExchangeCertificate | ?

{$_.Subject -eq “CN=Federation”}).Thumbprint

Remove-ExchangeCertificate -Thumbprint

$fedThumbprint

This code should successfully clean up references to the Exchange hybrid configuration. The next step is to revoke any service principal credentials leveraged by OAuth.

To achieve this, you’ll need to run the code below to obtain the OAuth credValue:

$thumbprint = (Get-AuthConfig).CurrentCertificateThumbprint

$oAuthCert = (dir Cert:\LocalMachine\My) | where {$_.Thumbprint -match $thumbprint}

$certType = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert

$certBytes = $oAuthCert.Export($certType)

$credValue = [System.Convert]::ToBase64String($certBytes)

Once you obtain the OAuth credValue, run the following code script to get KeyID. Keep in mind that the following code uses the Azure Active Directory Module for Windows PowerShell to find a mirror value for the OAuth credValue.

Install-Module -Name MSOnline

Connect-MsolService

$ServiceName = “00000002-0000-0ff1-ce00-000000000000”

$p = Get-MsolServicePrincipal -ServicePrincipalName $ServiceName

$keyId = (Get-MsolServicePrincipalCredential –

AppPrincipalId

$p.AppPrincipalId -ReturnKeyValues $true | ?

{$_.Value -eq $credValue}).KeyId

The next step is to remove the service principal credential. For this, you’ll run the following code.

Remove-MsolServicePrincipalCredential -KeyIds @($keyId) -AppPrincipalId $p.AppPrincipalId

Suppose your organization uses a modern hybrid configuration. In this case, you’ll need to remove the hybrid agent by running several commands from the hardware where the agent’s found. It is best that you leverage the Exchange Management Shell to move to the C:\Program Files\Microsoft Hybrid Service\ folder. Once in the folder, you’ll run the following code to import hybrid agent PowerShell module:

Import-Module .\HybridManagement.psm1

In there, you’ll need to find the Appld required to remove the hybrid agent. For that, you’ll run the following:

Get-MigrationEndpoint “Hybrid Migration Endpoint - EWS (Default Web Site)” | Select-Object RemoteServer

The output from the above command is the GUID which should look something like the following:

Get-MigrationEndpoint “Hybrid Migration Endpoint - EWS (Default Web Site)” | Select-Object RemoteServer

You should then proceed to use the value of the Appld that you got from the previous step to run the following command which will effectively remove the application.

Remove-HybridApplication -appId- 

Credential (Get-Credential)

You should then run the Hybrid Configuration wizard on the PC in question and select **Classic Connectivity.**This will remove the hybrid agent that you’d identified. Note that this will also unregister it from your Azure.

As the very last step, you want to make sure that all of the Mail Exchange records and Autodiscover DNS records all point to Exchange Online and not an on-premises Exchange server.

Here are the steps needed to remove directory synchronization.

  1. Run the following command to check whether there is a public folder tagged

Remote

Get-OrganizationConfig | Format-List PublicFoldersEnabled

If there are any public folders tagged Remote , you’ll need to migrate this to Exchange Online.

  1. Once all the mailboxes are in Exchange Online, you should then point the MX and Autodiscover DNS records to Exchange Online
  2. Remove any of present Service Connection Point (SCP) values from the Exchange Server. For this, run the following command:

Get-ClientAccessServer | Set- ClientAccessServer – AutoDiscoverServiceInternalUri $Null

  1. Proceed to remove the inbound and outbound connectors from the Office 365 Admin Center that had been created by the Hybrid Configuration Wizard. For this, you’ll log into your Office 365 Admin portal using your Administrator credentials. Once logged in, you’ll go to mail flow then Here, you’ll select the inbound and outbound connector and proceed to disable it.
  2. Remove the organization’s relationship from the Office 365 Admin Center created by the Hybrid Configuration Wizard. Once you are logged into your Office 365 Admin portal, you’ll go to Organization where you’ll select Sharing then proceed to selecting the value and deleting it.
  3. The final step will be to disable the directory synchronization to all the users. At this point, all the management tasks of Office 365 can now be completed from the Office 365 Admin Center. This means that you no longer need to log into the Exchange Admin Center (EAC) or the Exchange Management Console to manage the mailboxes.

Having highlighted the steps to removing hybrid Exchange, there’re some warnings that ought to be highlighted.

Warnings

  • Do not uninstall the last server

While you can shut the server down and even use a script to clean up, you should under no circumstance uninstall it. If you were to uninstall this last server, you’ll be effectively removing critical information from AD. Doing so would render the management tool package unable to manage Exchange attributes.

  • You might be able to manage your cloud mailboxes

When you move your mailboxes to Exchange Online, you might discover that you are no longer able to manage your cloud mailbox. This is often due to directory synchronization and failure to run the Hybrid Configuration Wizard.

  • Third-party management tools are not supported

A great example of a third-party management tool that you can still use but is not supported is ADSIEDIT. Essentially this means that you will be working with third-party management tools that Microsoft doesn’t necessarily validate.

Agile IT has helped thousands of organizations move to the cloud, and leave their aging on-premises infrastructure behind. The risks of removing the last of your on-premises exchange servers can greatly impact your organization. With hundreds of successful projects behind us, we can help your navigate the challenges.

Published on: .