How and when to decommission your on-premises Exchange servers in a hybrid deployment (2023)

  • Article
  • 13 minutes to read

Note

Currently, if you keep an Exchange server running just for recipient management, you may be able to shut down your last Exchange server and manage recipients using Windows PowerShell. For more information, see Manage recipients in Exchange Hybrid environments using Management tools.

Read this article if you're ready to move from an Exchange hybrid deployment to a full cloud implementation.

Exchange Server hybrid deployments describes one of the most attractive options for getting a company to Exchange Online. This method is the only option that allows you to easily on-board and off-board mailboxes (all other native options are on-board only). In addition to the ability to off-board, a hybrid configuration has the following key options.

This topic will help you understand the options for decommissioning Exchange hybrid, and when each of those options should be implemented. There are many variances in when and how to decommission Exchange hybrid servers. Taking the time to understand the implications and properly plan the full or partial decommissioning of on-premises servers is important.

  • Cross-premises availability: Allows you to see a user's free/busy information while scheduling a meeting, regardless of their mailbox premises.

  • Cross-premises archive: Allows a customer to move only a user's archive mailbox to the cloud. This move is often the first step for customers to try Microsoft 365 and Office 365, and, more specifically, Exchange Online.

  • Cross-premises discovery searches: Allows a customer to perform an e-discovery search that will crawl mailboxes and archives in both premises (this feature requires you to configure OAuth authentication).

  • Outlook Web App URL redirection: Allows for users to be redirected to the proper premises for Outlook Web App access.

  • No profile recreation after move: Unlike other migration options, the mailbox GUID doesn't change. In other words, you don't have to recreate your profile or redownload the OST after a mailbox move.

Depending on your organization's needs, a hybrid deployment is the best option for providing the most seamless user and coexistence experience.

Other methods to migrate to Exchange Online

A hybrid deployment isn't for everyone; in fact there are usually better options. Many of the tenants that have chosen to deploy a hybrid configuration are under 50 seats. While the list of advantages of a hybrid deployment may sound attractive, it comes with a hefty price, regarding complexity. Some smaller tenants require the features of a hybrid deployment. But most tenant would use either a cutover, staged, or IMAP migration option. There's a program called FastTrack you can use when deciding on the migration approach to take. Information on FastTrack is described on the Microsoft 365 FastTrack page.

Use the following table to decide what type of migration works for your organization. (For more information, see Ways to migrate multiple email accounts to Microsoft 365 or Office 365.)

Existing organizationNumber of mailboxes to migrateDo you want to manage user accounts in your on-premises organization?Migration type
Exchange 2003 or laterLess than 2,000 mailboxesNoCutover Exchange migration
Exchange 2007 or Exchange 2003Less than 2,000 mailboxesNoStaged Exchange migration
Exchange 2007 or Exchange 2003More than 2,000 mailboxes*YesStaged Exchange migration or remote move migration in an Exchange hybrid deployment
Exchange 2010 or laterMore than 2,000 mailboxes*YesRemote move migration in an Exchange hybrid deployment
Exchange 2000 Server or earlier versionsNo maximumYesIMAP migration
Non-Exchange on-premises messaging systemNo maximumYesIMAP migration

*Some organizations with fewer than 2,000 mailboxes may benefit from features and capabilities that are only available with a hybrid deployment. It's important to carefully consider the benefits of a hybrid deployment with the complexity that introduces. We strongly recommend that customers with fewer than 2,000 mailboxes consider cutover or staged migration before proceeding with a hybrid deployment.

Why you may not want to decommission Exchange servers from on-premises

Customers with a hybrid configuration often find after a period of time that all of their mailboxes have been moved to Exchange Online. At this point, they may decide to remove the Exchange servers from on-premises. However, they discover that they can no longer manage their cloud mailboxes.

When directory synchronization is enabled for a tenant and a user is synchronized from on-premises, you can't manage most attributes from Exchange Online. Instead, you must manage those attributes from on-premises. This requirement isn't due to the hybrid configuration, but it occurs because of directory synchronization. In addition, even if you have directory synchronization in place without running the Hybrid Configuration Wizard, you still cannot manage most of the recipient tasks from the cloud. For more information, see this blog article.

The question of whether a third-party management tool or ADSIEDIT can be used is often asked. The answer is you can use them, but they aren't supported. The Exchange Management Console, the Exchange admin center (EAC), and the Exchange Management Shell are the only supported tools that are available to manage Exchange recipients and objects. If you decide to use third-party management tools, it would be at your own risk. Third-party management tools often work fine, but Microsoft doesn't validate these tools.

Common scenarios

It isn't simple to move from a hybrid configuration to the cloud. The process for getting into a hybrid configuration is one that we've taken a lot of time to get right. While there are issues, we feel we've done a pretty good job of making the almost impossible task of going hybrid a fairly easy wizard-based process.

Depending on your immediate goals, however, getting from a hybrid configuration to the cloud only can be a fairly straight-forward process, with some guidance. The following are three common hybrid scenarios along with our recommendation for how to properly achieve the end goal of the customer.

Since the hybrid customer base is very diverse, trying to fit all of them into "common" scenarios is difficult. We attempted to provide some high-level scenarios for on-premises Exchange Server decommissioning below, so as you read through these scenarios and formulate a plan to decommission, you'll need to determine the scenario that best fits your needs.

Scenario one

Issue: My organization has been running in a hybrid configuration and I have all of my mailboxes in Exchange Online. I don't need to manage my users from on-premises and no longer have a need for directory synchronization or password synchronization.

Solution: Since all of the users will be managed in Microsoft 365 or Office 365, and there are no additional directory synchronization requirements, you can safely disable directory synchronization and remove Exchange from the on-premises environment.

How and when to decommission your on-premises Exchange servers in a hybrid deployment (1)

To disable directory synchronization and uninstall Exchange hybrid

  1. Run Get-OrganizationConfig | Format-List PublicFoldersEnabled and ensure that it isn't set to Remote. If it is set to Remote, and the public folders are something you want to continue to access, you would need to migrate them to Exchange Online. For more information, see Use batch migration to migrate legacy public folders to Microsoft 365, Office 365, and Exchange Online.

  2. Assuming that you have already moved all of the mailboxes to Exchange Online, you can point the MX and Autodiscover DNS records to Exchange Online, instead of to on-premises. For more information, see External Domain Name System records for Office 365.

    Important

    Make sure to update both the internal and external DNS, or you may have inconsistent client connectivity behavior.

  3. Next, you should remove the Service Connection Point (SCP) values on your Exchange servers. This step ensures that no SCPs are returned, and the client will instead use the DNS method for Autodiscover. Some examples are shown below:

    Exchange Server 2010 or 2013:

    Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri $Null

    Exchange Server 2016 or later:

    Get-ClientAccessService | Set-ClientAccessService -AutoDiscoverServiceInternalUri $Null

    Note

    If you have Exchange 2007 servers in the environment, you'll have to run a similar command on your Exchange 2007 servers to change these settings.

  4. There are inbound and outbound connectors created by the Hybrid Configuration Wizard that you'll want to delete. Use the following steps to do this:

    1. Log in to the Microsoft 365 admin center and sign in as the Tenant Administrator.

    2. Select the option to manage Exchange.

    3. Navigate to Mail Flow -> Connectors.

    4. You can now disable or delete the inbound and outbound connectors. The HCW creates connectors with unique namespace inbound from <unique identifier> and outbound from <unique identifier> as shown in the graphic below.

      How and when to decommission your on-premises Exchange servers in a hybrid deployment (2)

  5. Remove the organization relationship created by the Hybrid Configuration Wizard. Use the following steps to do this:

    1. Log in to the Microsoft 365 admin center and sign in as the Tenant Administrator.

    2. Select the option to manage Exchange.

    3. Navigate to Organization.

    4. Under Organization Sharing, remove the organization named O365 to On-Premises - <unique identifier> as shown in the graphic below.

      How and when to decommission your on-premises Exchange servers in a hybrid deployment (3)

  6. If OAuth is configured for an Exchange hybrid deployment, you'll want to disable the configuration from both on-premises and Microsoft 365 or Office 365. In most environments, you can skip these steps because only a small number of customers have OAuth configured.

    To disable the on-premises configuration:

    1. From an Exchange server, open the Exchange Management Shell.

    2. Run the following command:

      Get-IntraorganizationConnector -Identity ExchangeHybridOnPremisesToOnline | Set-IntraOrganizationConnector -Enabled $False

    To disable the Exchange Online configuration:

    1. Connect Windows PowerShell to Exchange Online.

    2. Run the following command:

      Get-IntraorganizationConnector -Identity ExchangeHybridOnlineToOnPremises | Set-IntraOrganizationConnector -Enabled $False

    Note: The Identity parameter assumes that you used the Hybrid Configuration Wizard to configure OAuth. If not, you may need to adjust the value you specified for the identity of the connectors.

  7. Disable directory synchronization for your tenants. When this step is completed, all user management tasks will be done from the Microsoft 365 or Office 365 management tools. In other words, you'll no longer use the Exchange Management Console or Exchange admin center (EAC). For more information on how to disable directory synchronization, see Turn off directory synchronization for Microsoft 365 or Office 365.

  8. You can now safely uninstall Exchange from the on-premises servers.

Scenario two

Issue: My organization has been running in a hybrid configuration for about a year now and has finally moved my last mailbox to the cloud. I plan to keep Active Directory Federation Services (AD FS) for user authentication of my Exchange Online mailboxes.

Important

This scenario applies to any customer who is planning to keep directory synchronization.

Solution: Since the customer is planning on keeping AD FS, they will also have to keep directory synchronization since it is a prerequisite. Because of that, they cannot fully remove the Exchange servers from the on-premises environment. However, they can decommission most of the Exchange servers, but leave a couple of servers behind for user management. Keep in mind that the servers that are left running can be run on virtual machines since the workload is almost completely shifted to Exchange Online.

The graphic below describes the desired end state:

How and when to decommission your on-premises Exchange servers in a hybrid deployment (4)

The graphic below describes the actual end state:

How and when to decommission your on-premises Exchange servers in a hybrid deployment (5)

Tip

If you choose to remove ADFS from your infrastructure, Azure AD Connect will synchronize your on-premises credentials with the cloud. Each service will authenticate users independently:

  • Microsoft 365 identity services will manage online requests.
  • Active directory will manage the internal authentication.

If you don't have any on-premises mailbox(es), you can safely decommission most of your exchange server(s), leaving one or more for user management purposes, because the source of authority is still defined as on-premises.

To keep AD FS and directory synchronization and decommission most of the Exchange servers

  1. Run Get-OrganizationConfig |fl PublicFoldersEnabled and ensure that it isn't set to remote. If it is set to remote and you want to continue to access the public folders, you would need to migrate them to Exchange Online. For information on how to do this, see Use batch migration to migrate legacy public folders to Microsoft 365, Office 365, and Exchange Online.

    Important

    If migrating public folders to Exchange Online isn't an option, and you still need them for your users, you should not move forward.

  2. After you have moved all of the mailboxes to Exchange Online, the first step in decommissioning most of your Exchange servers is to point the MX and Autodiscover DNS records to Exchange Online instead of to your on-premises email organization. For more information, see External Domain Name System records for Office 365.

    Important

    Make sure to update both the internal and external DNS, or you may have inconsistent client connectivity and mail flow behaviors.

  3. Next, you should remove the Service Connection Point (SCP) values on your Exchange servers. This step ensures that no SCPs are returned, and the client will instead use the DNS method for Autodiscover. An example is shown below:

    Exchange Server 2010 or 2013:

    Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri $Null

    Exchange Server 2016 or later:

    Get-ClientAccessService | Set-ClientAccessService -AutoDiscoverServiceInternalUri $Null

    Note

    If you have Exchange 2007 servers in the environment, you'll have to run a similar command on your Exchange 2007 servers to null out the settings

  4. To prevent the hybrid configuration objects from being recreated in the future, you should remove the hybrid configuration object from Active Directory. To do this, open the Exchange Management Shell and run the following:

    Remove-HybridConfiguration
  5. Remove all Exchange servers with the exception of the servers you'll retain for user management and creation. Two servers should be sufficient for user management, although you could possibly get by with one server. In addition, there's no need to have a Database Availability Group or any other high availability options.

  6. If OAuth is configured for an Exchange hybrid deployment, you'll want to disable the configuration from both on-premises and Microsoft 365 or Office 365. In most environments, you can skip these steps because only a small number of customers have OAuth configured.

    To disable the on-premises configuration:

    1. Open the Exchange Management Shell from an Exchange server.

    2. Run the following command:

      Get-IntraorganizationConnector -Identity ExchangeHybridOnPremisesToOnline | Set-IntraOrganizationConnector -Enabled $False

    To disable the Exchange Online configuration:

    1. Connect Windows PowerShell to Exchange Online.

    2. Run the following command:

      Get-IntraorganizationConnector -Identity ExchangeHybridOnlineToOnPremises | Set-IntraOrganizationConnector -Enabled $False

    Note: The Identity parameter assumes that you used the Hybrid Configuration Wizard to configure OAuth. If not, you may need to adjust the value you specified for the identity of the connectors.

  7. There are inbound and outbound connectors created by the Hybrid Configuration Wizard that you'll want to delete. Use the following steps to do this:

    1. Log in to the Microsoft 365 admin center and sign in as the Tenant Administrator.

    2. Select the option to manage Exchange.

    3. Navigate to Mail Flow -> Connectors.

    4. You can now disable or delete the inbound and outbound connectors. The HCW creates connectors with unique namespace inbound from <unique identifier> and outbound from <unique identifier> as shown in the graphic below.

      How and when to decommission your on-premises Exchange servers in a hybrid deployment (6)

  8. Remove the organization relationship created by the Hybrid Configuration Wizard. Use the following steps to do this:

    1. Log in to the Microsoft 365 admin center and sign in as the Tenant Administrator.

    2. Select the option to manage Exchange.

    3. Navigate to Organization.

    4. Under Organization Sharing, remove the organization named O365 to On-Premises - <unique identifier> as shown in the graphic below.

      How and when to decommission your on-premises Exchange servers in a hybrid deployment (7)

Note

It's recommended that you leave the Exchange Hybrid Deployment feature enabled in Azure AD Connect.

Scenario three

Issue: I want to remove my Exchange servers on-premises after moving all of my mailboxes to Exchange Online. However, we discovered that they are using Exchange for other purposes, such as for a Simple Mail Transfer Protocol (SMTP) relay for an application or for access to public folders. If you have a need for Exchange servers on-premises to meet the current needs of your organization, it may not be in your best interest to remove the on-premises servers.

Solution: We recommend against removing Exchange and the hybrid configuration at this point. If you were to even start the process by pointing the Autodiscover Records to Exchange Online, you would immediately break some features like hybrid public folder access. You could change the MX record to point to Exchange Online Protection if it isn't already, you could even remove some of the on-premises Exchange servers. However, you would need to keep enough in place to handle the remaining hybrid functions. Usually, this action would lead to a very small on-premises footprint. Exchange-only services and features, such as public folders, will require you to either maintain your on-premises Exchange servers or migrate those services to Exchange Online. Per scenarios one and two, if you maintain identity synchronization from Active Directory, you'll need to continue to maintain at least one Exchange server on-premises.

Top Articles
Latest Posts
Article information

Author: Madonna Wisozk

Last Updated: 01/31/2023

Views: 6007

Rating: 4.8 / 5 (48 voted)

Reviews: 95% of readers found this page helpful

Author information

Name: Madonna Wisozk

Birthday: 2001-02-23

Address: 656 Gerhold Summit, Sidneyberg, FL 78179-2512

Phone: +6742282696652

Job: Customer Banking Liaison

Hobby: Flower arranging, Yo-yoing, Tai chi, Rowing, Macrame, Urban exploration, Knife making

Introduction: My name is Madonna Wisozk, I am a attractive, healthy, thoughtful, faithful, open, vivacious, zany person who loves writing and wants to share my knowledge and understanding with you.