Decommissioning your Exchange 2010 servers in a Hybrid Deployment

Published Dec 05 2012 12:38 PM

Update 6/17/2014: We have gotten some questions and wanted you to know that the below article also applies to Exchange 2013.

Many organizations have chosen to configure a hybrid deployment with Exchange Online to take advantage of different features such as rich mailbox moves and cross-premises calendar free/busy sharing. This includes Exchange 2003, Exchange 2007 and Exchange 2010 organizations that require a long-term hybrid configuration with Exchange Online and organizations that are using a hybrid deployment as a stepping stone to migrating fully to Exchange Online. So, at what point should these organizations decide to get rid of their on-premises Exchange servers used for the hybrid deployment? What if they have moved all of the on-premises mailboxes to Exchange Online? Is there a benefit to keeping on-premises Exchange servers? While it may seem like a no-brainer, the decision to get rid of the on-premises Exchange servers is not simple and definitely not trivial.

Mailbox Management

Organizations that have configured a hybrid deployment for mailbox management and hybrid feature support have also configured Office 365 Active Directory synchronization (DirSync) for user and identity management. For organizations intending to keep DirSync in place and continue managing user accounts from the on-premises organization, we recommend not removing the last Exchange 2010 server from the on-premises organization. If the last Exchange server is removed, you cannot make changes to the mailbox object in Exchange Online because the source of authority is defined as on-premises. The source of authority refers to the location where Active Directory directory service objects, such as users and groups, are mastered (the original source that defines copies of an object) in a hybrid deployment. To edit most mailbox settings without an on-premises Exchange server, you would have to be sure the Active Directory schema was extended on-premises and use unsupported tools such as Active Directory Service Interfaces Editor (ADSI Edit) for common administrative tasks. For example, adding a proxy address or putting a mailbox on litigation hold when there isn't an Exchange Management Console (EMC) or Exchange Management Shell (Shell) on-premises becomes difficult, and these simple (and other more complex) tasks cannot be done in a supported way.

Note: A hybrid deployment is not required in order to manage Exchange objects from an on-premises organization. You can effectively manage Exchange objects with an on-premises Exchange server even if you do not have an organization relationship, Federation Trust, and third-party certificate in place. This Exchange server gives you a supported method for creating and managing your Exchange recipient objects. It is recommended to use Exchange Server 2010 for management tasks since this will give you the option to create objects such as remote mailboxes with the New-RemoteMailbox cmdlet. The server role needed is at least a Client Access Server (CAS) role, for management tools to work properly.
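As an added example (not from the original post), this Shell script performs the two tasks named above in the supported way: it creates the on-premises user and its Exchange Online mailbox stub with New-RemoteMailbox, then adds a proxy address with Set-RemoteMailbox instead of editing proxyAddresses in ADSI Edit. The routing domain, OU and user details are placeholders; the script assumes an on-premises Exchange server with the management tools installed and DirSync in place.

```powershell
# Added example: supported recipient management from the on-premises Shell.
# Assumes the tenant's routing domain is contoso.mail.onmicrosoft.com
# (placeholder; substitute your own <domain>.mail.onmicrosoft.com).
$RoutingDomain = 'contoso.mail.onmicrosoft.com'
$Ou            = 'contoso.local/Users'          # placeholder OU

# 1) Create the AD user and the mail-enabled stub for its cloud mailbox in one
#    step. New-RemoteMailbox writes the Exchange attributes (targetAddress,
#    msExchRecipientTypeDetails, proxyAddresses) that DirSync carries to
#    Office 365, so the mailbox is provisioned in the cloud on the next sync.
$Password = Read-Host -AsSecureString -Prompt 'Initial password'
New-RemoteMailbox -Name 'Alice Example' -FirstName Alice -LastName Example `
    -UserPrincipalName 'alice@contoso.com' -Alias alice `
    -OnPremisesOrganizationalUnit $Ou -Password $Password `
    -RemoteRoutingAddress "alice@$RoutingDomain"

# 2) Add a secondary proxy address the supported way (no ADSI Edit). The
#    hashtable form adds to the existing list instead of replacing it.
Set-RemoteMailbox -Identity alice -EmailAddresses @{Add = 'smtp:a.example@contoso.com'}

# 3) Verify. The remote routing address is the targetAddress on-premises
#    Exchange uses to route mail for this recipient to Exchange Online, so it
#    must be in the tenant's routing domain or cross-premises mail will fail.
$check = Get-RemoteMailbox -Identity alice
if ("$($check.RemoteRoutingAddress)" -notlike "*@$RoutingDomain") {
    Write-Warning "RemoteRoutingAddress $($check.RemoteRoutingAddress) is outside $RoutingDomain"
}
$check | Format-List Name, RemoteRoutingAddress, EmailAddresses, RecipientTypeDetails
```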

Online Organizations without On-Premises Exchange Servers

Some Exchange Online organizations may have removed all Exchange servers from their on-premises organization and have felt the user management pain mentioned above first hand. Each situation is unique, but in many cases an Exchange 2010 server can simply be added back to the organization to simplify the management process. These organizations will need to ensure that a mail-enabled user is in place for all Exchange Online mailboxes in order to properly configure the mailboxes. Assuming DirSync is still deployed in the on-premises organization, duplicate object issues shouldn’t be a problem.

Managing Users from the On-Premises Organization when Source of Authority is Online

There are some organizations that have created an Office 365 service tenant and started to use Exchange Online only to realize they want to consolidate the user management tasks. There are also some organizations that came from hosted environments or migrated from Business Productivity Online Services (BPOS) where they did not manage their users from an on-premises organization. Now that they are in Office 365 and using Exchange Online, they want to simplify the user management process. In either case, if you have DirSync deployed and you are using Exchange Online, you should have an on-premises Exchange server for user management purposes.

The process for changing the source of authority after the users are created in Office 365 is to use the DirSync "soft match" process outlined here. This allows organizations to manage the user account and Exchange Online mailboxes from the on-premises organization. Organizations need to verify that a mail-enabled user exists in the on-premises directory for each corresponding Exchange Online mailbox. Organizations that haven't had an Exchange server deployed previously will need to install an Exchange 2010 server. Office 365 for enterprises customers can obtain an Exchange Server 2010 license at no charge by contacting customer support. This license has limitations and doesn't support hosting on-premises mailboxes.

Removing the HybridConfiguration Object created by the Hybrid Configuration Wizard

When a hybrid deployment is created using the Hybrid Configuration Wizard, the wizard creates the HybridConfiguration Active Directory object in the on-premises organization. The HybridConfiguration object is created when the New-HybridConfiguration cmdlet is called by the Hybrid Configuration Wizard. The object stores the hybrid configuration information so that the Update-HybridConfiguration cmdlet can read the settings stored in the object and use them to provision the hybrid configuration settings.

Removing the HybridConfiguration object isn’t supported in Exchange Server 2010. There isn’t a cmdlet that will remove the HybridConfiguration object and the object can reside in Active Directory without adverse effects as long as the Hybrid Configuration Wizard isn’t run again.

However, removing the HybridConfiguration object is supported in Exchange Server 2013. The new Remove-HybridConfiguration cmdlet removes the HybridConfiguration object from the configuration container, but it does not disable or remove any existing hybrid deployment configuration settings.

Although many people want to remove the HybridConfiguration object as part of their Exchange decommissioning plan, it isn’t critical and is optional.

Removing a Hybrid Deployment

The proper way to remove a hybrid deployment is to disable it manually. The following actions should be performed to remove the objects created and configured by the Hybrid Configuration Wizard:

1. Re-point your organization’s MX record to the Office 365 service if it is pointing to the on-premises organization. If you are removing Exchange and don’t point the MX record to Office 365, inbound Internet mail flow won’t function.

2. Using the Shell in the on-premises organization, run the following commands:

Remove-OrganizationRelationship -Identity "On Premises to Exchange Online Organization Relationship"
Remove-FederationTrust -Identity "Microsoft Federation Gateway"
Remove-SendConnector "Outbound to Office 365"

3. Using EMC, you can also remove the <your organization domain>.mail.onmicrosoft.com domain that was added as part of the email address policy for your organization.


4. OPTIONAL - Remove the remote domains created by the Hybrid Configuration Wizard in the Exchange Online organization. From the EMC, select Hub Transport under the Exchange Online forest node and remove all remote domains whose names start with "Hybrid Domain".


5. Remove the organization relationship from the Exchange Online organization with the following command. You must use Remote PowerShell connected to Exchange Online to run it. For detailed steps, see Connect Windows PowerShell.

Remove-OrganizationRelationship -Identity "Exchange Online to On Premises Organization Relationship"

6. OPTIONAL - Disable the Inbound and Outbound Forefront Online Protection for Exchange (FOPE) connectors created by the Hybrid Configuration Wizard. These connectors can be disabled from the FOPE Administration Console using the release option.


Note: Removing or modifying objects with ADSIEDIT isn’t supported.
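As an added example (not from the original post), the script below wraps the removal procedure above in pre-flight checks and a dry run: it refuses to continue while on-premises mailboxes remain (step 1's precondition), verifies the MX record already points at Office 365, shows the send connector's scope so an admin can confirm nothing else (such as SMTP relay from on-premises applications) depends on it, and then runs each removal cmdlet with -WhatIf unless -Commit is given. The accepted domain and MX suffix are placeholders, the object names are the defaults quoted in the article, and the Exchange Online part assumes the ExchangeOnlineManagement module is installed.

```powershell
# Added example: pre-flight checks and a dry run of the hybrid removal steps.
# Save as a .ps1 and run from the on-premises Exchange Management Shell.
param(
    [string]$Domain   = 'contoso.com',                  # placeholder accepted domain
    [string]$MxSuffix = 'mail.protection.outlook.com',  # assumed EOP MX suffix
    [switch]$Commit                                     # without -Commit nothing is removed
)
# Default names created by the Hybrid Configuration Wizard (from the article).
$OnPremRel = 'On Premises to Exchange Online Organization Relationship'
$CloudRel  = 'Exchange Online to On Premises Organization Relationship'
$Trust     = 'Microsoft Federation Gateway'
$Connector = 'Outbound to Office 365'

# Check 1: no on-premises user mailboxes may remain; after removal they would
# be unreachable from the cloud. (Arbitration mailboxes are excluded by default.)
$left = @(Get-Mailbox -ResultSize Unlimited).Count
if ($left -gt 0) { throw "$left on-premises mailbox(es) still exist; move them first." }

# Check 2: MX must already point at Office 365 or inbound Internet mail stops.
$mx = @(Resolve-DnsName -Name $Domain -Type MX | Where-Object { $_.NameExchange })
if (-not ($mx.NameExchange -like "*.$MxSuffix")) {
    throw "MX for $Domain is '$($mx.NameExchange -join ', ')'; re-point it to Office 365 first."
}

# Check 3: the send connector may also carry SMTP relay from on-premises apps.
# Show its address spaces and source servers so the admin can confirm nothing
# else depends on it before it is removed.
Get-SendConnector -Identity $Connector |
    Format-List Name, AddressSpaces, SmartHosts, SourceTransportServers

# On-premises objects (steps 2 and 5 of the article). Dry run unless -Commit.
$mode = @{ WhatIf = -not $Commit }
Remove-OrganizationRelationship -Identity $OnPremRel @mode
Remove-FederationTrust -Identity $Trust @mode
Remove-SendConnector -Identity $Connector -Confirm:$false @mode

# Exchange Online side: the matching organization relationship in the tenant.
Connect-ExchangeOnline -ShowBanner:$false
Remove-OrganizationRelationship -Identity $CloudRel @mode
Disconnect-ExchangeOnline -Confirm:$false
```

Run it once without -Commit and read the WhatIf output before running it again with -Commit.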

Conclusion

For most organizations that have configured a hybrid deployment, removing the last Exchange server from the on-premises environment will have adverse effects. In most cases, we recommend that you leave at least one Exchange 2010 Server on-premises for mailbox management unless you are getting rid of the on-premises messaging and identity management dependencies altogether.

Timothy Heeney

29 Comments
Not applicable

Great stuff.  Now how about the same article but focused on removing the online component and leaving the on-premise functional?  I have several clients who want to move away from O365 and return to just on-premise.

Not applicable

What a coincidence. We were just having a conversation with a customer today about the decom process they'll have to undertake for the hybrid environment after we leave, having wrapped up the mailbox migration piece. They would like us to document the process and here you guys made this convenient guide for us to go off of. Xmas came early. Thanks!

Not applicable

At last, thank you...

Not applicable

Nice article.

Not applicable

Is the hybrid setup going to be less complicated in 2013?  It is a bit of a nightmare right now.  All we are trying to do is set up cloud-based archive mailboxes (no mailflow) and it has been quite an ordeal.  O365 support seems confused about a lot of things, and are passing around internal documents that seem difficult to find because the published stuff is either out of date, or incorrect in many places.  It's taken two weeks just to get to someone in support who knows what they are doing, then it took another 72 hours to get a test account archive working - now we are moving on to getting a real existing user functioning and it is a whole other ordeal.  Ugh.

Not applicable

Thank you for addressing this...

Not applicable

Important to point out that in many cases, the remaining Exchange server (coexistence server) is free, so its not like customers have to pay for Exchange Licenses when they are using Exchange Online.

Occasional Contributor

the article has to be updated because with Exchange 2010 going away in January 2020 it should say to leave at least one Exchange 2016 on Prem not 2010.

Senior Member

@The_Exchange_Team Any update when we will be able to manage directory synced users in the cloud...

 

It's kinda a pain in the **bleep** that this feature set is still not available :(

 

 

Occasional Contributor

Surprisingly enough I see options now on my commercial test tenant to modify proxy addresses whenever dirsync detects duplicates. This might not sound like a big improvement but it is for me, as I've been dealing with this dreadful issue for a good 6 years now with no alternative but to change the immutable ID to sync up the user accordingly.

Frequent Visitor

These instructions are great, however the one step that does not work on Exchange 2010, at least in the order provided is this:

"Remove-FederationTrust –Identity “Microsoft Federation Gateway”"

It gets the following error:

[PS] C:\Windows\system32>Remove-FederationTrust -Identity "Microsoft Federation Gateway"
Can't remove federation trust "Microsoft Federation Gateway". It's in use by the following organization(s): CN=Federation,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
+ CategoryInfo : InvalidOperation: (Microsoft Federation Gateway:ADObjectId) [Remove-FederationTrust], OrgsStillUsingThisTrustException
+ FullyQualifiedErrorId : 7A9EB9BE,Microsoft.Exchange.Management.SystemConfigurationTasks.RemoveFederationTrust
+ PSComputerName : exchange.domain.local

Occasional Contributor

was your cert expired?

Occasional Visitor

Is the recommendation to keep a server with Exchange 2010 on premises still valid? It doesn't make too much sense since the idea is to retire old servers and move to the cloud. My company doesn't want to keep old servers, it means extra maintenance.

Occasional Contributor

You still do if you will keep an Active Directory on prem that has kept all those Exchange On Prem attributes that the cloud doesn't know about.

I kept a 2016 after that I decommissioned the 2010 as there's no support for those any more.

New Contributor

Great stuff here. I am decommissioning Exchange for an organization. Because I don't want to remove anything, I started with uninstalling Exchange directly. It gave me an error saying I need to remove servers from the DAG. I did that by first removing all mailbox database copies and then removing servers from the DAG. I tried uninstalling again yet I'm still getting the error that the server is part of a DAG. Any help please.

Occasional Contributor

There is an order in which you have to remove those; if you follow the sequence you'll be fine. Just always remember to have migrated everything to the cloud or to the last Exchange on prem before you start removing things. Follow a guide specific to your Exchange version, preferably, such as:

 

https://tekbloq.com/2017/11/11/decommissioning-exchange-2010-mailbox-server/

Contributor

Hi All,

 

  If you need to do the smtp relay then do not remove the send connector.

 

Ta

Contributor

HI,

 

  When adding exchange 2016 to 2010 hybrid, send connectors created automatically. 

 

  So when I uninstall Exchange 2010, will it uninstall the Send connector too?

 

 We required for the SMTP Relay.

 

As

New Contributor

Need advice to reduce CPU load on minimal Exchange 2016 server in Hybrid Environment.

Our migration is complete. No onprem mailboxes and no mailflow from onprem so no local SMTP required.

No more migrations required.

We have Azure AD Connect so our onprem AD is the master.

Went through all the steps to decommission our last Exchange 2010 server last month.

Now have a minimal Exchange 2016 server running on Server 2016.

The sole purpose of this server is for recipient management. eg. adding new Office365 mailboxes.

Problem: The Exchange Server 2016 runs continuously at 20-25% CPU when it has nothing to do.

No mailboxes. No SMTP connectors. No mailbox store.

 

What Exchange services can be safely shutdown so it simply operates as a recipient management tool?

Occasional Contributor

@aussupport  You'll have to do this manually. The good thing at this point is you can do it from the 2016 EAC > Servers > Virtual Directories.

Occasional Contributor

@Steve_Pogue how many processors? and how much memory have you assigned to this Server/VM? did you check the Requirements?

https://docs.microsoft.com/en-us/exchange/plan-and-deploy/system-requirements?view=exchserver-2019

Senior Member

Hello everyone,
If I remove the hybrid configuration, will I lose the OWA URL redirect?

Senior Member

@Greg Taylor - EXCHANGE / @The_Exchange_Team / @Steve_Pogue 

Exchange Team / Greg Taylor:

Steve Pogue brings up a very valid question that I've also struggled with. I've come to terms with management server running, but I find that disk usage, ram and cpu usage is pretty unreasonable given that all I'm using the server for is ECP.

 

I have a list of things I've done to slim down my management server and I'll post them below for the community, but the reason I'm highlighting the Exchange team in my post is because I would love for them to take a look at what I've done and vet whether it's safe and sane to do it. Just because it seems to work for me and hasn't introduced any unintended side effects YET doesn't mean it's the correct approach. So if anyone is going to give this a try, please note that until the exchange team chimes in, you're doing this at your own risk.

 

Some notes:

There's a number of pages within ECP that don't work correctly now that I've done this, but none of them pertain to user management, hybrid management or server management, so I can't say I'm overly concerned about it.

 

I have not done any inbound/outbound migrations with this configuration and I'm not sure if they'd still work. I tried to avoid stopping services that seemed like they'd play a part in a migration, but I haven't tested it. My use case is solely for scenarios where I need AD Sync and where I already have 100% of my users mailboxes in Exchange Online.

 

Lastly, this was all done on an Exchange 2016 server. 

 

With that in mind, here's what I did:

1) Disable indexing, dismount all databases if you have any (we did, as we turned our old on-prem 2016 server into our management server) and set all databases to not mount at startup.

2) Stop unused IIS application pools:

MSExchangeAutodiscoverAppPool, MSExchangeMapiAddressBookAppPool, MsExchangeMapiFrontEndAppPool, MSExchangeOABAppPool, MSExchangeOWACalendarAppPool, MSExchangePushNotificationsAppPool

3) Stop and Disable the following services:

"Microsoft Exchange Anti-spam Update", "Microsoft Exchange EdgeSync", "Microsoft Exchange IMAP4", "Microsoft Exchange IMAP4 Backend", "Microsoft Exchange POP3", "Microsoft Exchange POP3 Backend", "Microsoft Exchange Transport Log Search", "Microsoft Exchange Unified Messaging", "Microsoft Exchange Unified Messaging Call Router", "Microsoft Exchange Search Host Controller", "Microsoft Exchange Compliance Audit", "Microsoft Exchange Compliance Service", "Microsoft Exchange DAG Management", "Microsoft Exchange Diagnostics", "Microsoft Exchange Search", "Microsoft Exchange Health Manager", "Microsoft Exchange Health Manager Recovery", "Microsoft Exchange Notifications Broker"

4) Every night, a scheduled task purges any files in C:\Program Files\Microsoft\Exchange Server\V15\Logging\ that are more than 2 days old.

5) I also purge everything in c:\inetpub\logs that is older than 2 days old.

 

With these tweaks, I've got the server down to almost ~50GB on C:, 0% CPU usage and about 4.8GB of Memory usage.  

@ALLFOUR_Rich - I respect the effort and intent here, but this isn't something we would ever recommend anyone do. Sorry. 

Senior Member

@Greg Taylor - EXCHANGE - With all due respect, that was a pretty quick dismissal with very little in terms of meat or rationale. Your user base has been increasingly patient in managing these hybrid scenarios. We were told a solution would be available by Q3 2020, we've been told similar things before as well.

 

I've expressed my frustration before on this forum, but it amazes me that your team never misses an opportunity to disappoint your user base.

 

It's 2021 and I'm still having to make sacrifices to deliver your product. I'm burning up a 2019 license on a downgrade so I can keep a 2016 server running, because you won't release a 2019 hybrid management license and Exchange 2016 won't install on Server 2019.

 

As a consultant, I've had a number of customers look at the project plan and question why we're installing Server 2016 because it seems like planned obsolescence and there's so many vendors out there who have decided to just nix exchange and manage the changes with ADSIEdit that I'm losing out on business opportunities because they're delivering the product, and they're using one less server to do it, even though it's wrong and unsupported. 

 

In my deployment scenarios, ECP is nothing more than an IIS site that edits the ad attributes in a supported manner, so it's a little jarring to see this Server 2016 VM demanding one full core of CPU time at idle, having it commit 15-20GB of virtual ram to keep idle application pools happy, thereby thrashing my disks for no reason, not to mention the many GB of drive space on transport/health/audit logs that bring me absolutely no value.

 

I'm sick of throwing more ram, more cpu, more disk, more money at my management server and it seems like I'm not the only one, so I took some action to minimize my footprint and shared it with the community. Sure, I can appreciate that you can't endorse all the actions I've taken to slim down my management server instance, but your response was dismissive and useless. Specifically, what can't you recommend? Can we disable indexing? Can we dismount all databases? Can some of those services and app pools be disabled safely? Is it dangerous for me to purge my logs on a daily basis? 

 

I was hoping this would be an opportunity for your team to come to the table and address a concern that we have, perhaps provide some options (maybe not the nuclear option I've come up with) - but something, anything that would alleviate the sting of how cumbersome this solution is. 

@ALLFOUR_Rich - I responded quickly as a) I got an email when you posted and wasn't in the middle of anything, and  b) I thought that you'd appreciate a quick reply rather than wait days and days. 

 

I hear and understand your frustration I really do, but we can't test or validate such an approach nor recommend customers do it. 

 

We're still working on a solution that will make this easier. 

 

New Contributor
Occasional Visitor

It is now 2021 and SBS is well into the past and now Essentials as a role is going away and Microsoft is obviously steering all SMB's to the cloud, yet there is still not an elegant and easy solution to migrate to the cloud, retire exchange on-premise, and synchronize AD user accounts.  Microsoft is blatantly telling SMB's and MSP's supporting them that they don't amount to a hill of beans unless they get rid of ALL of their servers completely and have a single point of failure that is the most common thing to fail, which is their internet connection.  If it weren't for Outlook, OutlookAnywhere, and activesync for smartphones, I would be ditching Microsoft completely as an email solution.  For all of my clients that like GMail over Outlook, it's a done deal at this point.  What is the point of having Exchange Online if I still have to have to maintain Exchange on prem?  How hard is it to develop a solution for companies with 75 or less user accounts so accounts can be seamless with exchange online?  And here's a beautiful thought, the software beautifully migrates the data from exchange on prem to the cloud like an SBS migration wizard and can be installed on a DC and stay there to sync user accounts and attributes into the future so Exchange can be uninstalled.

 

At this point, for clients that have active directory, I'm back to recommending on prem exchange only or something else that isn't Microsoft.

 

Ok, rant over.

Senior Member

Considering the wheelbarrows of money Microsoft is getting from us, it seems the least they could do is come up with a solution to allow me to stop maintaining an Exchange server.  I mean you didn't get your "A Team" to work on your buggy Hybrid Configuration Wizard, you didn't even get your "B Team" to work on your absolutely horrid documentation and scripts for public folder migrations for those of us paying you monies over the decades for Exchange.
