
Removing On-Premises Exchange Servers after Migrating to Office 365

For some customers, after migrating from on-premises Exchange Server to Exchange Online, there is a desire to completely decommission the on-premises Exchange servers. Whether that can actually be done depends on a few different things.

At the beginning of an Office 365 project I like to discuss with the customer what they need for their long term identity model. I start with identity, even though some customers want to jump straight to how mailboxes and other data will be migrated, because the identity model is a big factor in determining the best migration method. The discussion usually comes down to one of two scenarios:

  • The customer plans to retain the on-premises Active Directory for other requirements, and wants directory synchronization and password hash sync so that users have a single set of credentials to remember for authenticating to Office 365 cloud services
  • The customer has no intention of retaining the on-premises Active Directory and doesn't need directory synchronization

The key here is the use of directory synchronization. Microsoft has published guidance on TechNet for decommissioning on-premises Exchange in a hybrid deployment. The title is a bit misleading because it's not the hybrid configuration that ultimately determines whether you can decommission on-premises Exchange or not.

When directory synchronization is enabled for a tenant and a user is synchronized from on-premises, most of the attributes cannot be managed from Exchange Online and must be managed from on-premises. This is not due to the hybrid configuration, but it occurs because of directory synchronization. In addition, even if you have directory synchronization in place without running the Hybrid Configuration Wizard, you still cannot manage most of the recipient tasks from the cloud.

The article links to an older blog post that was written in the Exchange 2010 era, but still applies to later versions of Exchange.

For organizations intending on keeping DirSync in place and continuing to manage user accounts from the on-premises organization, we recommend not removing the last Exchange 2010 server from the on-premises organization. If the last Exchange server is removed, you cannot make changes to the mailbox object in Exchange Online because the source of authority is defined as on-premises. The source of authority refers to the location where Active Directory directory service objects, such as users and groups, are mastered (an original source that defines copies of an object) in a hybrid deployment. If you needed to edit most mailbox settings, you would have to be sure the Active Directory schema was extended on-premises and use unsupported tools such as Active Directory Service Interfaces Editor (ADSI Edit) for common administrative tasks.

To summarize the two quotes above, if you have directory synchronization in place, then you need to manage the mail attributes of users, groups, and contacts in the on-premises Active Directory, and then allow those changes to synchronize to Azure Active Directory. And the only supported way to manage the mail attributes on-premises is using the Exchange management tools, which requires at least one Exchange server to be running.
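As an added illustration of that summary (example code, not part of the original post), the following PowerShell shows the symptom in Exchange Online for a synchronized mailbox and the supported way to make the same change on-premises. It assumes three separate consoles: an Exchange Online PowerShell session, the on-premises Exchange Management Shell, and the AAD Connect server; the identity `jsmith` and the domain `contoso.com` are constructed placeholders.

```powershell
# Added example, not from the original post. Run each section in the console
# named in its comment. "jsmith" and "contoso.com" are constructed placeholders.
$Identity = 'jsmith'
$NewAlias = 'smtp:john.smith@contoso.com'

# --- 1. Exchange Online PowerShell: is this object mastered on-premises? ---
# IsDirSynced is $true for objects written by directory synchronization.
# For those, Exchange Online refuses writes to attributes that on-premises
# AD owns (EmailAddresses among them), which is the behaviour the post
# describes. The failed Set-Mailbox below shows the symptom.
$mbx = Get-Mailbox -Identity $Identity
if ($mbx.IsDirSynced) {
    Write-Host "$Identity is synced from on-premises AD; edit mail attributes there."
    try {
        Set-Mailbox -Identity $Identity -EmailAddresses @{Add = $NewAlias} -ErrorAction Stop
    } catch {
        # The error states that the object is synchronized from on-premises.
        Write-Warning "Exchange Online rejected the edit: $($_.Exception.Message)"
    }
}

# --- 2. On-premises Exchange Management Shell: the supported path ----------
# The mailbox itself lives in Exchange Online, so on-premises the user is a
# RemoteMailbox object. Set-RemoteMailbox updates proxyAddresses in AD via
# supported tooling instead of ADSI Edit.
Set-RemoteMailbox -Identity $Identity -EmailAddresses @{Add = $NewAlias}
# Confirm the on-premises record before it is synchronized.
(Get-RemoteMailbox -Identity $Identity).EmailAddresses

# --- 3. AAD Connect server: push the change rather than waiting -----------
# The default scheduler runs every 30 minutes; a delta cycle sends it now.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta

# --- 4. Exchange Online PowerShell: verify the address arrived ------------
(Get-Mailbox -Identity $Identity).EmailAddresses -contains $NewAlias
```

Step 2 is the one that needs an Exchange server: without the Exchange management tools on-premises, the only way to write that attribute is the unsupported direct-AD editing the post warns against.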

So where does that leave customers? Here are a few scenarios to consider:

  • If you need directory synchronization, a cutover migration is not a good choice. I am no fan of cutover migrations in general, but in particular for directory sync scenarios it is very difficult to retrofit directory synchronization after completing a cutover migration. Better to choose a migration method that utilizes directory sync up front.
  • If you need directory synchronization, strongly consider using a hybrid configuration to facilitate the migration to Exchange Online and the ongoing management. Hybrid requires a little more work to set up at the beginning, but offers a far better admin and end user experience during the migration of mailboxes to the cloud. Yes, you will retain the on-premises Exchange server, but you can downsize it to the minimum hardware spec or run it as a small VM.
  • If you need password synchronization for ease of user login, but don't need sync of other Active Directory attributes, then consider using the Windows Server Essentials role. Essentials supports up to 100 users and allows you to link on-premises users with Office 365 users so that on-premises password changes are automatically synced with Azure Active Directory. An on-premises Exchange server is not required for Essentials-based integration with Office 365. This solution is ideal for customers who need to retain Active Directory on-premises, perhaps for just a few requirements like a legacy app that won't run in the cloud. I've migrated former SBS customers to Essentials-based solutions and it works fine.

What if you absolutely insist on removing Exchange but keeping directory synchronization running? For those scenarios you've probably found some third party tools, or someone who tells you that it works just fine and all you need to do is write some scripts or use ADSIEdit. Yes, from a technical perspective it's possible. But using anything other than Exchange to manage mail attributes in Active Directory is not supported by Microsoft, and I'm not in the habit of promoting unsupported solutions.

In all of the above I haven't gone into complex scenarios, nor have I mentioned AD FS. For customers with a lot of complexity or who have federation requirements I generally find that they have already learned and accepted the requirements for on-premises Exchange Server in certain scenarios. The advice above is mostly for the small to mid-size customer who feels the need to remove all on-premises Exchange servers to reduce their management overhead.

Maybe one day it will be possible, but not for now.

Paul is a Microsoft MVP for Office Servers and Services. He works as a consultant, writer, and trainer specializing in Office 365 and Exchange Server. Paul is a co-author of Office 365 for IT Pros and several other books, and is also a Pluralsight author.

34 comments

  1. Mike says:

    Hi Paul,
    As we are small, we run a single physical Exchange 2013 server. Is it possible to do a P2V conversion of this server after doing a hybrid mode migration to Office 365 E3 with Exchange, for the management tools? Is that supported or even recommended? Any advice is welcome!
    Thanks!

  2. OfftheGrid says:

    I would love to see an article that shows how to collapse a current Exchange Server Farm down to just the one box (in a Hybrid Configuration) and then convert that to the free Hybrid License.
    Items should include removing/decommissioning DAG and CAS members; putting all roles onto one box; and moving the database(s) to the one Hybrid box.

    • There’s no “conversion” to a free hybrid license. If you already have licensed Exchange servers then you have everything you need. The hybrid license key is just a key, it doesn’t change the functionality of the server at all.

      For downsizing, I will pull together a list of resources and post an article. But short answer, the steps are the same whether you’re doing it for a hybrid scenario or just for any other decommissioning scenario. Removing a DAG or a server is the same either way. But as I said I will pull together some notes because you are not the only person who has asked for it.

      • Dana White says:

        Great article. I am also looking for this information. I have added the Exchange 2016 server with the hybrid license to my domain. We do federation and the most current sync methods. We understand that we will probably forever be in Hybrid mode and that is fine. We do want to retire all of our Exchange 2010 servers that include all roles. First I have to manage to get the Public Folders migrated to O365. I found the instructions for the new means to migrate Public Folders but am hung up on the PFs that have / or \ in their names and renaming them without breaking anything.

  3. Martin Walder says:

    Hello Paul,

    I have a use case (SMB) where we want to sync users and password hashes to Azure AD. Is it supported to use AAD Connect if no Exchange schema is present within AD (resp. Exchange was never installed in this environment)?

    Thank you!

    • Martin Walder says:

      I am aware of using the Windows Server Essentials Experience Role with Server 2012 R2. But on 2008 R2? I think there is no alternative to AAD Connect…

    • Jozef Woo says:

      Hi Martin Walder, AAD Connect works independently from Exchange so yes it is absolutely supported to use AAD Connect without Exchange.

  4. Ian Wright says:

    Hi Paul,

    I have clients who are quite a way off ditching AD sync and still have Exchange 2010. Would it be best to bring a couple of 2016 servers in for management and decom the 2010 boxes?

    • 2016 offers the best hybrid coexistence experience but as a pure mgmt interface I don’t know of any specific issues. That said, 2010 is in mainstream support and it’s possible you’ll see issues surface as EXO evolves but 2010 isn’t updated to keep up (although MS does reserve the right to issue updates during extended support if they feel it necessary).

      Short answer: if the org will be running dirsync for a long time into the future, and has the resources to upgrade to 2016, then go for it.

  5. Chad markley says:

    I have a client using Azure Sync and we just completed their move from Exchange 2003. Does this mean I can’t remove the 2003 server if I’m needing to continue managing users and permissions from on prem AD? I was just about to start digging into the research for decommissioning the 2003 boxes, but now I’m worried that I can’t.

  6. Chad markley says:

    Follow up question; if I have to keep an Exchange server on prem, should I migrate/upgrade the 2003 server to 2013? This really adds a whole new headache. This client is 250 users.

  7. tony holdgate says:

    Another cracker article. I’ve been pondering this one myself having just completed a 2013-2016 migration in a hybrid environment . Thanks Paul!

    • Post-hybrid is not a big deal because you can just “do nothing” and you’ll be fine. It’s the folks who smash through a cutover or third party tools migration and then decide to try and retrofit dirsync who often find themselves in a sticky situation.

  8. Matt Bryan says:

    So, what about this scenario? SBS2011 to Office 365. Cutover migration with cloud identities. Then decommission SBS and Exchange. After Exchange has been uninstalled, then go back and set up AD Connect to do directory sync.
    Would that work ok?
    Thanks in advance!
    Matt

    • I addressed the question of cutover and retrofitting dirsync afterwards in the post, and also recommended SBS customers consider Essentials as a solution instead of directory sync. Removing Exchange before dirsync is installed doesn’t solve any problem.

      • Matt Bryan says:

        I guess I’m just not clear on what the problems are then. Lacking any prior insight that this wouldn’t work, I’ve done it at least 4 times over the last couple years without any issues (at least as far as I can tell).
        And I have a half dozen other environments where a migration was done in the past and Exchange was removed afterwards. Am I to understand I can Never do DirSync in those places?
        Thanks.

        • Sure. Take another look at the two quoted sections in the article, which come from Microsoft articles, then the paragraph where I summarize what they’re saying.

          Directory sync is *possible* without an Exchange server, but it leaves you in a situation where you need to use *unsupported* methods to manage mail attributes for your users (mailboxes), distribution groups, and contacts.

  9. Chris says:

    Nice post Paul, thanks. Question…we are an SMB with only 40 mailboxes in a 2010 hybrid setup with O365 and ADConnect is setup. Really wanting to decommission the 2010 Exchange box as small as we are. Can we not just manage the properties of these mailboxes and groups using Active Directory advanced features? Just trying to avoid the inevitable upgrade to a later version when 2010 phases out plus all the updates that will be needed for just 40 mailboxes. Just asking…thanks

    • Hi Chris, I know it’s tempting to look for grey areas and edge cases, but this really is a simple supported vs non-supported situation and the info in the post already answers your question. You just need to work out a solution you’re happy with (e.g. using Essentials).

  10. Paul Slade says:

    Hi Paul,
    Great article. Can you advise, when running on-prem Exc2013 and O365 using dirsync, what is the process for creating shared mailboxes, dist lists and room resources? I know that I can create user mailboxes via on prem EAC and select Create O365 mailbox, which will create it correctly, but there is no such option for creating shared mailboxes, dist lists and room resources. Should these be created using PS on prem and sync’d as per user mailboxes, or can I just create them directly in O365 EAC? Will creating them this way cause any issues as they will have no on prem AD object?
    Thanks,
    Paul.

  11. RKast says:

    I miss in your article some other points of interest that you could do. For example you can switch autodiscover/OWA URLs to O365 when every mailbox is in O365.

  12. Andy says:

    Having moved all the mailboxes over to office365 via hybrid or third party method and have incoming mail, autodiscover etc pointing to office365, can the Exchange components be as simple as removing the on prem databases, public folders, connectors and then stopping the exchanges services (or using add/remove programs to remove the roles and just leave the admin tools behind ) to reduce the load on the box and then dropping the box requirements to a low cpu/memory usage?

  13. Matt says:

    Paul, I’m planning an inhouse migration of 30 mailboxes off a 6 year old 2010 server and onto 365.

    The server hardware is living on borrowed time, I’m thinking of a P2V migration of that server so I can retain MSX if needed. However, yesterday (13/8) I took a look at what permissions / options / attributes are available within EXO and all the options /permissions / attributes I could think of are now available (I’m no Exchange expert though).

    From what I could tell, the 4 attributes listed in the image at the start of this article are now available within EXO:
    https://practical365.com/blog/microsoft-working-solutions-remove-premises-exchange-server-requirements/

    I wonder if MS may have moved forward in large steps towards solving the problem of having to retain an Exchange server on prem.

    What do you think?

    And, if I don’t use dirsync, do I need to retain an in house MSX server?

    • If you don’t use directory sync then you don’t need an Exchange server on-premises, as the on-premises AD is no longer your source of authority.

      There’s been no further announcements on the work to create a solution that allows directory sync without an on-prem Exchange server.

  14. Oleg says:

    Hi Paul!
    Great article! One question about AAD connect.
    We have 4 exchange servers: 2 edge servers and 2 CAS+MBX with DAG. To date, all mailboxes have migrated to office 365.

    Synchronization with AAD connect is also no longer needed.

    If we remove the hybrid scheme, remove the AAD Connect synchronization, and completely remove all Exchange servers, will the mailboxes in Office 365 then be fully configurable?

    For example, will it be possible to add an additional email address for the mailbox?

    At the current moment, this can only be done from the on-premises servers.

    • Correct. When you remove directory sync and disable it in your tenant your on-premises AD is no longer the source of authority, and you can make changes to objects and attributes in the cloud.

  15. Noel says:

    If you work in an organisation that moved to Office 365 using a cutover migration, and then binned the Exchange 2010 server, and uses Directory sync, do you basically just need to grin and bear it?
