Properly Remove Exchange 2010 After Successful O365 Cut-Over Migration
On February 3rd, I disabled the Azure AD sync with O365, so now all mailboxes' Sync Status shows "Cloud" instead of "Sync with AD". I left the Azure AD Connect tool installed on one of our DCs, and will remove it in the near future.
On February 6th, I powered down our Exchange 2010 server and then powered it back up yesterday, February 13th. I just wanted to make sure any mail related services were not pointing to the Exchange 2010 server. One week with the server off-line should be sufficient for this need.
Now I want to start removing Exchange 2010 completely. All O365 mailbox management will be done in the O365 console, and I simply do not want to have any Exchange services within our local network. I want to properly remove the Exchange server so that all the Exchange AD attributes are properly removed in case we decide to install another on-prem Exchange server in the future.
I first want to know if I need to remove all the mailboxes before removing mailbox databases, etc. I am using the following article to assist me in removing Exchange:
https://tekbloq.com/2017/1
I tried deleting my mailbox within the Exchange 2010 console, by right-clicking on my mailbox located within Recipient Configuration\Mailbox and selecting Remove. However, after completing this task it actually deleted my AD user account, which I did not want, and also placed the mailbox within the Disconnected Mailbox container\folder. I was able to restore my AD user account, and my mailbox reappeared in the Recipient Configuration\Mailbox list, but I have not been able to reconnect the disconnected mailbox since my user account does not appear in the list of existing users. Not sure it matters at this point, but I want to make sure I do not have any issues properly removing Exchange.
I need to know if it's necessary to delete all the Exchange mailboxes before removing Exchange databases, etc.
If so, how can I remove each mailbox without deleting the associated AD user account?
Finally, I want to know if the above link used as a reference to remove Exchange 2010 is recommended for my need or not. I want to remove everything before going to Add/Remove Programs and Features and actually removing Microsoft Exchange 2010 Standard.
1. Convert all mailboxes to mail enabled users using the ConvertMEU.ps1 script
If you have done a cut-over migration, then before you decommission your Exchange 2010 on-premises server you need to convert the user mailboxes to mail-enabled users. The reasons are as follows:
A user has an on-premises mailbox and a cloud mailbox.
Mail sent to the user's on-premises mailbox is forwarded to their cloud mailbox. This happens because during the migration process, the TargetAddress property on the on-premises mailbox is populated with the remote routing address of the cloud mailbox. This means that users need to connect to their cloud mailboxes to access their e-mail.
This behaviour results in two issues:
If a person uses Microsoft Outlook to open their mailbox, the Autodiscover service still tries to connect to the on-premises mailbox, and the user won't be able to connect to their cloud mailbox. If there are users that haven't been migrated to the cloud, you can't point your Autodiscover CNAME record to the cloud until all users are migrated.
If an organisation decommissions Exchange after all on-premises mailboxes are migrated to the cloud, messaging-related user information on the cloud mailbox will be lost. The Microsoft Online Services Directory Synchronisation tool (DirSync) removes data (such as proxy addresses) from the cloud mailbox object because the on-premises mailbox no longer exists and DirSync can't match it to the corresponding cloud mailbox.
The solution is to convert the on-premises mailbox to a mail-enabled user (MEU) in your on-premises organization after the user's mailbox has been migrated to the cloud. When you convert an on-premises mailbox to an MEU:
The proxy addresses from a cloud-based mailbox are copied to the new MEU; if you decommission Exchange, these proxy addresses are still retained in Active Directory.
The properties of the MEU enable DirSync to match the MEU with its corresponding cloud mailbox.
The Autodiscover service uses the MEU to connect Outlook to the cloud mailbox after the user creates a new Outlook profile.
Also Note:
==========
There are five mail attributes that are stored in AD and are affecting the O365 mailbox, all these parameters will be wiped in AD if you disable the on-prem Mailbox for a user account:
Mail – email address
mailNickname – The mailbox alias
ProxyAddresses – Primary address and all aliases
ArchiveGUID – GUID for archives, it only applies if the mailbox has archive
msExchDelegateListLink – storing all automapped mailboxes, this is not used by the O365 mailbox
publicDelegates – send on Behalf permissions stored in the AD account
msExchBlockedSendersHash – this stores Blocked senders in hashed string however this is migrated and stored in Exchange Online mailbox in attribute BlockedSendersandDomains
msExchSafeSendersHash – this stores Safe senders in hashed string however this is migrated and stored in Exchange Online mailbox in attribute TrustedSendersandDomains(Get-MailboxJunkEmailConfiguration –identity user)
Convert all mailboxes to mail enabled users using the ConvertMEU.ps1 script (convertMEU) (Please see attachment). You can run it while ADSync is enabled.
Input parameters: Username, Email, Domain Controller (i.e. asldc01.archon.co.uk)
The script will take care of mail, mailNickname, ProxyAddresses attributes
The script will not update publicDelegates and ArchiveGUID
After converting all mailboxes, perform a full sync, check the ADSync service manager, make sure everything is working before proceeding to the next phase, it is recommended to wait a couple of days.
2. Uninstall Exchange
1. Make sure you have a backup
2. Stop ADSync
From Exchange Online Powershell:
Set-MsolDirSyncEnabled -EnableDirSync $false
Check the status
(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled
3. Verify no mailboxes exist on the Exchange Server
4. Check for Arbitration mailboxes on the Exchange Server
Get-Mailbox -Arbitration
5. Make sure all the mailbox databases are removed.
6. Remove the Exchange 2010 Offline address book.
7. Verify any applications are used for Email relaying in Receive Connectors
8. Uninstall Exchange
9. Using AD Users and Computers or Powershell, check if attributes are unchanged
10. If all is good, re-enable ADSync
From Exchange Online Powershell:
Set-MsolDirSyncEnabled -EnableDirSync $true
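The answer above describes what the attached ConvertMEU.ps1 does (keep mail, mailNickname and proxyAddresses across the conversion) and, in phase 2 step 9, checks that the attributes are unchanged. The following is an added example that implements both for one account; it is not the attached script and is not the thread's own code. It assumes the Exchange 2010 Management Shell on a host that also has the ActiveDirectory module, and the tenant domain `contoso.onmicrosoft.com` and DC name `dc01.contoso.local` are placeholders. Unlike the attached script it derives the primary SMTP address from the mailbox instead of taking an Email parameter.

```powershell
# Added example, not the thread's attached ConvertMEU.ps1: convert one Exchange 2010 mailbox
# into a mail-enabled user (MEU) while preserving the attributes DirSync/Azure AD Connect
# matches on (mail, mailNickname, proxyAddresses), then verify the result.
# Assumptions: Exchange 2010 Management Shell plus the ActiveDirectory module;
# "contoso.onmicrosoft.com" and "dc01.contoso.local" are placeholders.
param(
    [Parameter(Mandatory=$true)][string]$Username,           # sAMAccountName or UPN
    [Parameter(Mandatory=$true)][string]$DomainController,   # e.g. dc01.contoso.local (placeholder)
    [string]$TenantDomain = 'contoso.onmicrosoft.com'        # placeholder routing domain
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Snapshot the attributes Disable-Mailbox will wipe from the AD account.
$mbx    = Get-Mailbox -Identity $Username -DomainController $DomainController -ErrorAction Stop
$adUser = Get-ADUser -Identity $mbx.SamAccountName -Server $DomainController -Properties publicDelegates
$saved = @{
    Sam             = $mbx.SamAccountName
    Alias           = $mbx.Alias
    PrimarySmtp     = $mbx.PrimarySmtpAddress.ToString()
    ProxyAddresses  = @($mbx.EmailAddresses | ForEach-Object { $_.ToString() })
    LegacyDN        = $mbx.LegacyExchangeDN
    ArchiveGuid     = $mbx.ArchiveGuid          # saved for the record only; not restored on the MEU
    PublicDelegates = @($adUser.publicDelegates)
}
# Audit trail and rollback aid (Export-Clixml exists in PowerShell 2.0, unlike ConvertTo-Json).
$saved | Export-Clixml -Path ".\$($saved.Sam).meu-backup.xml"

# 2. Disable (not Remove) the mailbox: the AD account stays, the mailbox becomes disconnected.
Disable-Mailbox -Identity $Username -DomainController $DomainController -Confirm:$false

# 3. Mail-enable the same account with the cloud mailbox as its external (target) address.
$routing = "$($saved.Alias)@$TenantDomain"
Enable-MailUser -Identity $saved.Sam -Alias $saved.Alias -ExternalEmailAddress $routing `
                -DomainController $DomainController | Out-Null

# 4. Put the original addresses back. The primary stays the entry prefixed with upper-case
#    "SMTP:"; the old legacyExchangeDN is kept as an X500 address so replies to old mail resolve.
$addresses = @($saved.ProxyAddresses) + @("smtp:$routing", "X500:$($saved.LegacyDN)") |
             Select-Object -Unique
Set-MailUser -Identity $saved.Sam -EmailAddressPolicyEnabled $false -EmailAddresses $addresses `
             -DomainController $DomainController
if ($saved.PublicDelegates.Count -gt 0) {   # send-on-behalf list, which the conversion drops
    Set-ADUser -Identity $saved.Sam -Server $DomainController `
               -Replace @{ publicDelegates = [string[]]$saved.PublicDelegates }
}

# 5. Verify: the same "attributes unchanged" check as before uninstalling Exchange.
$meu     = Get-MailUser -Identity $saved.Sam -DomainController $DomainController
$after   = @($meu.EmailAddresses | ForEach-Object { $_.ToString() })
$missing = @($saved.ProxyAddresses | Where-Object { $after -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning ("{0}: addresses not restored: {1}" -f $saved.Sam, ($missing -join ', '))
} elseif ($meu.PrimarySmtpAddress.ToString() -ne $saved.PrimarySmtp) {
    Write-Warning ("{0}: primary SMTP changed to {1}" -f $saved.Sam, $meu.PrimarySmtpAddress)
} else {
    Write-Host ("{0}: now a MailUser, {1} addresses kept, targetAddress={2}" -f
                $saved.Sam, $after.Count, $meu.ExternalEmailAddress)
}
```

Run it once per mailbox against the same domain controller every time, so that each cmdlet sees the previous one's write; the saved XML gives you the original address list to compare against after ADSync has done its full cycle.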
ASKER
We only used the Azure AD Sync tool to create the O365 mailboxes and sync all mail. Once all mail completely synced to all mailboxes, we disabled the Azure Sync tool. So all O365 mailboxes are now managed in the cloud (O365).
We do not need the on-prem exchange server at all, and I will be removing it soon.
Referencing the below statement from Ibrahim Benna:
Please note that once you uninstall Exchange from your organization and you have AD Connect it means you can only manage the users from ADSIedit by updating their attributes manually. For example, to add an email alias to a user, you would have to go into the PROXYADDRESSES attribute on the user and modify it from there. Microsoft does not support this type of update and they usually recommend using a hybrid server to remain in the organization so you can manage your accounts that way.
I disabled AD Connect sync in O365, so all mailbox sync status indicate "Cloud" instead of "Exchange Sync". All mail now resides on O365 and the on-prem exchange server is no longer needed and will be removed. I do not understand why you're saying in order to manage any AD user account I will have to use ADSIedit. Once I remove the exchange server it should automatically remove all exchange attributes, so why would that be a problem when all mail will be managed within O365?
My understanding is as long as I disable syncing via the Azure AD Connect Sync tool I should be able to safely remove the exchange server and be able to manage all O365 via their Admin Console without issue moving forward, and I should be able to properly manage all AD Domain user accounts without issue. At this time, I do not see why there would be a need to add an email alias, etc.
Maybe I am not understanding your responses, or maybe reading too much into it or something.
Actually, Ibrahim was telling you about the pros and cons of keeping the last Exchange server in the org to manage AD objects, since once you decommission Exchange, if you still want to use Azure AD Connect to sync users, then any attribute-level changes will have to be done manually.
As you said that you have disabled Azure AD Connect and all users are now showing "In cloud", most probably you will not use Azure AD Connect, right? Then in this case it's fine; it's up to you.
So you are also going to decommission the AD domain, correct?
ASKER
The AD domain will remain intact. I will manage all AD user accounts using the existing AD domain as usual. If I need to add new AD users, I will do so as usual and then also acquire O365 mailboxes license as necessary.
"If I need to add new AD users, I will do so as usual and then also acquire O365 mailboxes license as necessary."
If you create AD user only and if you have dirsync in place and hybrid working, then you need to run enable remote mailbox command to enable/provision a new mailbox in cloud for this new user in local AD.
Enable-RemoteMailbox -Identity "user1@mydomain.com" -RemoteRoutingAddress "user1@mydomain.onmicrosoft.com"
But you need to be in hybrid. So as I said earlier, if you don't want to use AD sync to sync all on-premises objects, then you don't have any option but to create a new user in Azure AD instead of local AD, since there is nothing left to sync this local AD user to Office 365.
Create a new user in Azure AD and assign a license directly from the portal for the mailbox to get provisioned. Your Azure AD user password will also work with the Azure AD password policy and not with the local AD password policy.
And since your dirsync is disabled, you cannot even soft match or hard match the user if you decide to use the synchronised identity model.
Have you migrated all PF to Office 365 or you do not use PF at all. Then you can delete the PF database from ADSIEDIT.MSC
Navigate to this path:
CN=Configuration,DC=DOMAIN,DC=LOCAL
CN=Services
CN=Microsoft Exchange
CN=EXCHANGE_ORG
CN=Administrative Groups
CN=Exchange Administrative Group (FYDIBOHF23SPDLT)
CN=Databases
CN=PUBLIC_FOLDER_DATABASE
Now you can delete the PF database you want to get rid of.
ASKER
Once it's removed via ADSI Edit, will it disappear from within the Exchange Console as well? Do I need to restart services or the server, etc.? I need to know what to expect, etc.
Yes, it will disappear from EMC and there is no need to restart any services. If it does not disappear, then force AD replication if you have multiple domain controllers.
From any one DC open CMD in elevated mode and run below command:
Repadmin /syncall /AdeP
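The two replies above give the ADSI Edit path to the public folder database object and the repadmin command to force replication afterwards. As an added example, not part of the thread, here is the same procedure done from PowerShell with a dry run before the deletion and a replication check after it. It assumes the ActiveDirectory module (on a DC or an RSAT host) and Domain or Enterprise Admin rights; the organization name and forest root are read from AD rather than typed, so the thread's `EXCHANGE_ORG` and `DC=DOMAIN,DC=LOCAL` placeholders are not needed.

```powershell
# Added example, not from the thread: find the Exchange 2010 public folder database object in the
# configuration partition (the ADSI Edit path quoted above), remove it after a dry run, then push
# replication and check for failures. Assumes the ActiveDirectory module and Domain/Enterprise
# Admin rights; repadmin.exe is the tool named in the reply above.
Import-Module ActiveDirectory -ErrorAction Stop

$configNc = (Get-ADRootDSE).configurationNamingContext     # e.g. CN=Configuration,DC=DOMAIN,DC=LOCAL
$exchRoot = "CN=Microsoft Exchange,CN=Services,$configNc"  # organization and admin groups sit below this

# Public folder databases are objectClass msExchPublicMDB (mailbox databases: msExchPrivateMDB), so a
# subtree search avoids typing the organization name and the FYDIBOHF23SPDLT admin-group container.
$pfDbs = @(Get-ADObject -SearchBase $exchRoot -SearchScope Subtree `
                        -LDAPFilter '(objectClass=msExchPublicMDB)' `
                        -Properties msExchOwningServer, whenChanged)
if ($pfDbs.Count -eq 0) {
    Write-Host "No public folder database objects under $exchRoot"
    return
}
$pfDbs | Format-Table Name, DistinguishedName, msExchOwningServer, whenChanged -AutoSize

foreach ($db in $pfDbs) {
    # Dry run by default; drop -WhatIf only after the listing shows exactly the database to remove.
    Remove-ADObject -Identity $db.DistinguishedName -Recursive -Confirm:$false -WhatIf
}

# After a real removal: replicate the change to every DC, then confirm nothing is failing.
& repadmin.exe /syncall /AdeP
Get-ADReplicationFailure -Target (Get-ADDomain).DNSRoot -Scope Domain |
    Format-Table Server, Partner, FirstFailureTime, FailureCount, LastError -AutoSize
```

Keeping `-WhatIf` on the first pass matters here because this object lives in the configuration partition, which every domain controller replicates; an accidental deletion of the wrong container cannot be undone with a service restart. An empty table from `Get-ADReplicationFailure` after the `repadmin` run is what you want to see before checking the EMC.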
"Delete" will delete the mailbox and associated user account in AD - "Disable" will remove all exchange attributes from the AD account (https://docs.microsoft.com/en-us/exchange/recipients/disconnected-mailboxes/disable-or-delete-mailboxes?view=exchserver-2019).
Please note that once you uninstall Exchange from your organization and you have AD Connect it means you can only manage the users from ADSIedit by updating their attributes manually. For example, to add an email alias to a user, you would have to go into the PROXYADDRESSES attribute on the user and modify it from there. Microsoft does not support this type of update and they usually recommend using a hybrid server to remain in the organization so you can manage your accounts that way.
Hope this helps - https://techcommunity.microsoft.com/t5/exchange-team-blog/decommissioning-your-exchange-2010-servers-in-a-hybrid/ba-p/597185