Decommissioning Exchange after Cutover Migration with DirSync/ADSync is enabled

Many companies want to remove their last Exchange server once they have completed a cutover migration and have everything in Office 365; however, the official Microsoft statement is that they don’t recommend it:

https://technet.microsoft.com/en-us/library/dn931280(v=exchg.150).aspx

Why you may not want to decommission Exchange servers from on-premises

When directory synchronization is enabled for a tenant and a user is synchronized from on-premises, most of the attributes cannot be managed from Exchange Online and must be managed from on-premises. This is not due to the hybrid configuration, but it occurs because of directory synchronization. In addition, even if you have directory synchronization in place without running the Hybrid Configuration Wizard, you still cannot manage most of the recipient tasks from the cloud. For more information, see this TechNet blog.
So even without a hybrid deployment you are still not supposed to remove the last on-prem Exchange server, but then what is the point of migrating to Office 365? For small companies it doesn’t make sense to keep an additional server, even if it is a virtual machine.

Some people are also concerned that once the last Exchange server is uninstalled the AD schema will change and all messaging attributes will be removed from AD; this turns out not to be true.

I’ve tested it and done it in a production environment using the following method.

After completing a cutover/staged migration all users will start using their O365 mailboxes; however, the on-prem mailboxes will remain. Once you have made sure Exchange Online mail flow is working, you can start removing the on-prem mailboxes.

There are five mail attributes stored in AD that affect the O365 mailbox; all of these parameters will be wiped from AD if you disable the on-prem mailbox for a user account:

mail – the email address
mailNickname – the mailbox alias
proxyAddresses – the primary address and all aliases
ArchiveGUID – the GUID of the archive; it only applies if the mailbox has an archive
msExchDelegateListLink – stores all automapped mailboxes; this is not used by the O365 mailbox
publicDelegates – Send on Behalf permissions stored on the AD account
msExchBlockedSendersHash – stores blocked senders as a hashed string; however, this is migrated and stored in the Exchange Online mailbox in the attribute BlockedSendersAndDomains
msExchSafeSendersHash – stores safe senders as a hashed string; however, this is migrated and stored in the Exchange Online mailbox in the attribute TrustedSendersAndDomains (Get-MailboxJunkEmailConfiguration -Identity user)

Fig.1 Example of deleted attributes when a mailbox is disabled

As you can see from Fig.1, the messaging attributes are deleted and the changes are synced to O365. There are some attributes in the screenshot which are not mentioned above; however, they relate only to the on-prem environment and don’t affect the online mailbox (e.g. msExchMailboxGuid). At this point the O365 mailbox will keep all aliases; however, the primary address will change to the onmicrosoft.com one.

Therefore, we have to convert all mailboxes to mail-enabled users, which preserves all required attributes and allows us to uninstall Exchange.

For this purpose I used a script, ‘ConvertMEU.ps1’, obtained from the internet and slightly modified, and ‘Export-MailboxPermissions.ps1’ from:

Migrate Mailbox Permissions to Office 365

1. Convert all mailboxes synced with the cloud to mail-enabled users (MEU)

Convert all mailboxes to mail-enabled users using the ConvertMEU.ps1 script (convertMEU). You can run it while ADSync is enabled.

Input parameters: Username, Email, Domain Controller (e.g. asldc01.archon.co.uk)

The script takes care of the mail, mailNickname and proxyAddresses attributes.

The script will not update publicDelegates or ArchiveGUID.

publicDelegates stores the Send on Behalf permissions; it will be blanked when you convert the mailbox to a MEU, so you will have to export the Send on Behalf permissions manually and then import them for the users. You can do that using Export-MailboxPermissions.ps1 in the same folder.

Another way is to stop this attribute from syncing by excluding it in the ADSync Rules Editor; however, Microsoft does not support this, and any future ADSync update might override the custom settings.

After converting all mailboxes, perform a full sync and check the ADSync service manager; make sure everything is working before proceeding to the next phase. It is recommended to wait a couple of days.
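Added example, not the ConvertMEU.ps1 script the post uses: the conversion of one mailbox to a MEU with the same three inputs, keeping the address list and exporting the Send on Behalf grants first, since the text notes publicDelegates is blanked. It assumes an on-prem Exchange Management Shell and that the Email input is the cloud address the MEU should forward to.

```powershell
# Added example (not the post's ConvertMEU.ps1): convert one on-prem mailbox
# to a mail-enabled user while keeping mail, mailNickname and proxyAddresses.
# Assumes an Exchange Management Shell; $Email is the cloud routing address.
param(
    [Parameter(Mandatory)] [string]$Username,          # sAMAccountName of the user
    [Parameter(Mandatory)] [string]$Email,             # cloud address for ExternalEmailAddress
    [Parameter(Mandatory)] [string]$DomainController   # e.g. asldc01.archon.co.uk
)

$mbx = Get-Mailbox -Identity $Username -DomainController $DomainController

# Snapshot what Disable-Mailbox wipes. Send on Behalf (publicDelegates) is not
# restored by the conversion, so it is written out for a later import.
$alias     = $mbx.Alias
$addresses = @($mbx.EmailAddresses | ForEach-Object { $_.ProxyAddressString })
$mbx.GrantSendOnBehalfTo |
    Select-Object @{n='Mailbox';e={$Username}}, @{n='SendOnBehalf';e={$_.Name}} |
    Export-Csv -Path ".\SendOnBehalf-$Username.csv" -NoTypeInformation

Disable-Mailbox -Identity $Username -DomainController $DomainController -Confirm:$false
Enable-MailUser -Identity $Username -ExternalEmailAddress $Email -Alias $alias `
    -DomainController $DomainController | Out-Null

# Put the original address list back and stop the address policy rewriting it
Set-MailUser -Identity $Username -EmailAddresses $addresses `
    -EmailAddressPolicyEnabled $false -DomainController $DomainController

# Verify: every original proxy address must still be present on the MEU
$meu  = Get-MailUser -Identity $Username -DomainController $DomainController
$now  = @($meu.EmailAddresses | ForEach-Object { $_.ProxyAddressString })
$lost = @($addresses | Where-Object { $now -notcontains $_ })
if ($lost.Count -gt 0) {
    Write-Warning "$Username lost proxy addresses: $($lost -join ', ')"
} else {
    Write-Output "$Username converted; $($now.Count) proxy addresses preserved"
}
```

Run it per user against the same domain controller so the ADSync delta in the next full sync sees a single consistent object.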

2. Uninstall Exchange

1. Make sure you have a backup

2. Stop ADSync

From Exchange Online PowerShell:

Set-MsolDirSyncEnabled -EnableDirSync $false

Check the status:

(Get-MsolCompanyInformation).DirectorySynchronizationEnabled

3. Verify that no mailboxes exist on the Exchange server

4. Check for arbitration mailboxes on the Exchange server

Get-Mailbox -Arbitration

5. Make sure all the mailbox databases are removed.

6. Remove the Exchange 2010 Offline Address Book.

7. Check whether any applications use the Receive Connectors for email relaying

8. Uninstall Exchange

9. Using AD Users and Computers or PowerShell, check that the attributes are unchanged

10. If all is good, re-enable ADSync

From Exchange Online Powershell:

Set-MsolDirSyncEnabled -EnableDirSync $true
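A way to do the check in step 9 across all users, as an added example that is not part of the post: snapshot the listed AD attributes to CSV before the uninstall, take a second snapshot afterwards and diff them. It assumes the ActiveDirectory module and PowerShell 3 or later; the OU path is a placeholder.

```powershell
# Added example (not from the post): snapshot and diff the messaging attributes
# of every mail-enabled user in AD. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# Attributes the post lists, plus the on-prem-only msExchMailboxGuid it mentions
$MailAttributes = 'mail','mailNickname','proxyAddresses','msExchArchiveGUID',
    'msExchDelegateListLink','publicDelegates','msExchBlockedSendersHash',
    'msExchSafeSendersHash','msExchMailboxGuid'

# Flatten multi-valued and binary values so CSV rows compare as plain strings
function ConvertTo-SnapshotString($Value) {
    if ($null -eq $Value) { return '' }
    if ($Value -is [byte[]]) { return [Convert]::ToBase64String($Value) }
    if ($Value -is [System.Collections.ICollection]) {
        return (@($Value | ForEach-Object { ConvertTo-SnapshotString $_ } | Sort-Object) -join ';')
    }
    return "$Value"
}

function Export-MailAttributeSnapshot {
    param([Parameter(Mandatory)][string]$Path,
          [string]$SearchBase = 'OU=Users,DC=example,DC=local')   # placeholder OU
    Get-ADUser -Filter 'mailNickname -like "*"' -SearchBase $SearchBase -Properties $MailAttributes |
        ForEach-Object {
            $row = [ordered]@{ SamAccountName = $_.SamAccountName }
            foreach ($a in $MailAttributes) { $row[$a] = ConvertTo-SnapshotString $_.$a }
            [pscustomobject]$row
        } | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

function Compare-MailAttributeSnapshot {
    param([Parameter(Mandatory)][string]$Before, [Parameter(Mandatory)][string]$After)
    $old = @{}
    Import-Csv $Before | ForEach-Object { $old[$_.SamAccountName] = $_ }
    foreach ($new in Import-Csv $After) {
        $prev = $old[$new.SamAccountName]
        if (-not $prev) { continue }   # accounts created after the first snapshot are out of scope
        foreach ($a in $MailAttributes) {
            if ($prev.$a -ne $new.$a) {
                [pscustomobject]@{ User = $new.SamAccountName; Attribute = $a
                                   Before = $prev.$a; After = $new.$a }
            }
        }
    }
}

# Take one snapshot before the uninstall and one after, then review every difference
# Export-MailAttributeSnapshot -Path .\mailattrs-before.csv
# Export-MailAttributeSnapshot -Path .\mailattrs-after.csv
# Compare-MailAttributeSnapshot -Before .\mailattrs-before.csv -After .\mailattrs-after.csv | Format-Table -AutoSize
```

An empty result from the compare is what you want before re-enabling ADSync in step 10; any row it returns is an attribute the uninstall changed.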

Notes:

Articles you might find useful:

Decommission Existing Exchange Servers

https://technet.microsoft.com/en-us/library/cc463439(v=ws.10).aspx

https://blogs.msdn.microsoft.com/vilath/2015/05/25/office-365-and-dirsync-why-should-you-have-at-least-one-exchange-server-on-premises/