How to remove Exchange from Active Directory

Today’s article shows how to remove Exchange from Active Directory by force-removing Exchange Server with ADSI Edit. Why ADSI Edit and not the default Exchange uninstallation wizard? Sometimes the Exchange uninstallation does not finish, or the Exchange Server can’t start anymore. These are among the reasons to remove Exchange Server from Active Directory with ADSI Edit. Let’s get started.

Information

Some of the problems that can lead us to use ADSI Edit:

  • Exchange Server is offline and does not start anymore
  • Removing previous Exchange Servers that did not uninstall properly
  • The uninstallation of the Exchange Server is not finishing and is in a corrupt state
  • Exchange Server is not uninstalled but turned off and removed from Active Directory

Note: It’s not recommended to use ADSI Edit for Exchange tasks. There are situations where ADSI Edit is your last option.

Remove Exchange Server with ADSI Edit

Sign in to the Domain Controller and navigate to the Start menu. Open Administrative Tools and start ADSI Edit.

Remove Exchange Server attributes

Once opened, right-click ADSI Edit and click Connect to…

Select Configuration and click OK.

Expand CN=Configuration, DC=exoip, DC=local and expand CN=Services. Right-click CN=Microsoft Exchange and click Delete. A warning asks whether you are sure you want to delete this object; confirm with Yes. Do the same with CN=Microsoft Exchange Autodiscover: right-click and click Delete.

After removing both objects, CN=Microsoft Exchange and CN=Microsoft Exchange Autodiscover no longer appear under CN=Services in ADSI Edit.

Collapse the Configuration connection in ADSI Edit. We don’t need it anymore.

Remove Exchange Server security groups and system objects attributes

Start Active Directory Users and Computers (ADUC). Expand the domain and verify that the Organizational Units (OUs) Microsoft Exchange Security Groups and Microsoft Exchange System Objects are present. We can remove them from here or from ADSI Edit. We are going to use ADSI Edit.

Right-click ADSI Edit and click Connect to…

Select Default naming context and click OK.

Expand DC=exoip, DC=local. Right-click OU=Microsoft Exchange Security Groups and click Delete. A warning asks whether you are sure you want to delete this object; confirm with Yes. Do the same with CN=Microsoft Exchange System Objects: right-click and click Delete.

We can confirm in ADUC that both the OUs are deleted.

We are going to remove Exchange Server from Active Directory in the next step.

Remove Exchange from Active Directory

Remove the Exchange Server if it’s showing in Active Directory Users and Computers (ADUC). Right-click the Exchange Server and click Delete.

A warning asks whether you are sure you want to delete the Exchange Server; click Yes.

Remove automatically generated Exchange user accounts

There are a few Active Directory users that are generated automatically by Exchange. Some serve as Discovery services, others are used to monitor the health of the Exchange system. These will no longer be needed if you have permanently removed Exchange from your organization.

Go to Active Directory Users and Computers and open the Users container. Right-click the following users and click delete.

  • DiscoverySearch Mailbox{GUID}
  • Exchange Online-ApplicationAccount
  • FederatedEmail.GUID
  • Migration.GUID
  • SystemMailbox{GUID}

After removal, these accounts no longer appear in the Users container.
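
A read-only inventory of the objects deleted in the steps above, worth running before the deletions and again afterwards to confirm the cleanup. This is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the CSV file names are arbitrary.

```powershell
# Added example, not from the original article. Read-only: nothing here modifies AD.
# Assumes the ActiveDirectory module (RSAT) is available on this machine.
Import-Module ActiveDirectory

$root     = Get-ADRootDSE
$configNC = $root.configurationNamingContext   # CN=Configuration,DC=exoip,DC=local in the article
$domainNC = $root.defaultNamingContext         # DC=exoip,DC=local in the article

# Containers the article deletes with ADSI Edit.
$containers = @(
    "CN=Microsoft Exchange,CN=Services,$configNC"
    "CN=Microsoft Exchange Autodiscover,CN=Services,$configNC"
    "OU=Microsoft Exchange Security Groups,$domainNC"
    "CN=Microsoft Exchange System Objects,$domainNC"
)
$containerReport = foreach ($dn in $containers) {
    try {
        $obj  = Get-ADObject -Identity $dn -Properties whenCreated -ErrorAction Stop
        # A subtree search returns the container itself plus everything below it.
        $tree = @(Get-ADObject -SearchBase $dn -SearchScope Subtree -Filter *)
        [pscustomobject]@{ DistinguishedName = $dn; Present = $true
                           Created = $obj.whenCreated; Descendants = $tree.Count - 1 }
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # Only "not found" counts as absent; permission or network errors still surface.
        [pscustomobject]@{ DistinguishedName = $dn; Present = $false
                           Created = $null; Descendants = 0 }
    }
}

# Groups in the security groups OU with member counts; deleting the OU deletes these groups.
$groupsOu = "OU=Microsoft Exchange Security Groups,$domainNC"
$groupReport = @()
if ($containerReport | Where-Object { $_.DistinguishedName -eq $groupsOu -and $_.Present }) {
    $groupReport = Get-ADGroup -SearchBase $groupsOu -Filter * -Properties member |
        Select-Object Name, @{ n = 'MemberCount'; e = { @($_.member).Count } }
}

# Automatically generated accounts from the article's list, matched by name prefix.
$patterns = 'DiscoverySearch*', 'Exchange Online-ApplicationAccount',
            'FederatedEmail.*', 'Migration.*', 'SystemMailbox*'
$filter = ($patterns | ForEach-Object { "Name -like '$_'" }) -join ' -or '
$userReport = Get-ADUser -Filter $filter -SearchBase "CN=Users,$domainNC" -Properties whenCreated |
    Select-Object Name, Enabled, whenCreated, DistinguishedName

# Show the results and keep a dated copy as a record of the pre-deletion state.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$containerReport, $groupReport, $userReport | ForEach-Object { $_ | Format-Table -AutoSize }
$containerReport | Export-Csv "exchange-containers-$stamp.csv" -NoTypeInformation
$userReport      | Export-Csv "exchange-users-$stamp.csv" -NoTypeInformation
```

A non-zero MemberCount on any group is worth reviewing before the OU is deleted, since those memberships disappear with it.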

Remove Exchange Server from DNS

Remove the Exchange Server from the DNS Forward Lookup Zones. Click the default zone and search in the list for the Exchange Server. Right-click the Exchange Server and click Delete.

Remove the forward lookup zones if you have any configured for Exchange Server. Right-click and click Delete.

After removal, the zones no longer appear under Forward Lookup Zones.

Remove the static IP from DHCP and from any other place where the IP or DNS name is configured, for example, the firewall and public DNS.
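
To find the DNS records that still reference the removed server, including aliases that point at it under a different name, the internal zones can be searched by owner name, target host and IP address. This is an added example, not part of the original article; it assumes the DnsServer PowerShell module, and the function name, `EX01` and `192.0.2.10` are placeholders.

```powershell
# Added example, not from the original article. Read-only: lists records, deletes nothing.
# Assumes the DnsServer module (RSAT DNS tools). Function name is hypothetical.
function Find-ExchangeDnsLeftover {
    param(
        [Parameter(Mandatory)][string]$ServerName,   # short host name of the removed server
        [Parameter(Mandatory)][string]$ServerIp,     # its former static IPv4 address
        [string]$DnsServer = $env:COMPUTERNAME
    )
    # Primary forward lookup zones only; skip reverse, auto-created and TrustAnchors zones.
    $zones = Get-DnsServerZone -ComputerName $DnsServer | Where-Object {
        $_.ZoneType -eq 'Primary' -and -not $_.IsReverseLookupZone -and
        -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors'
    }
    foreach ($zone in $zones) {
        $records = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $zone.ZoneName
        foreach ($rr in $records) {
            $data = $rr.RecordData
            # The field holding the record's target differs per record type.
            $target = switch ($rr.RecordType) {
                'A'     { $data.IPv4Address.IPAddressToString }
                'CNAME' { $data.HostNameAlias }
                'MX'    { $data.MailExchange }
                'SRV'   { $data.DomainName }
                default { $null }
            }
            # Match records owned by the server, pointing at its IP, or aliasing its FQDN.
            $ownerMatch  = $rr.HostName -eq $ServerName
            $targetMatch = $target -and ($target -eq $ServerIp -or $target -like "$ServerName.*")
            if ($ownerMatch -or $targetMatch) {
                [pscustomobject]@{
                    Zone   = $zone.ZoneName
                    Name   = $rr.HostName
                    Type   = $rr.RecordType
                    Target = $target
                }
            }
        }
    }
}

# Constructed sample values: EX01 and 192.0.2.10 are placeholders, not from the article.
Find-ExchangeDnsLeftover -ServerName 'EX01' -ServerIp '192.0.2.10' | Format-Table -AutoSize
```

Records left pointing at a decommissioned address are worth clearing promptly, because whatever host later receives that IP inherits the names.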

Conclusion

In this article, you learned how to remove Exchange from Active Directory. Always uninstall Exchange Server with the uninstall wizard or in unattended mode. This removes Exchange from the server and removes the server’s Exchange configuration from Active Directory. It’s important to know that removing Exchange Server with ADSI Edit is a last resort.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 22 Comments

  1. We had a single Exchange 2016 running on Windows Server 2016.
    We made a mistake of doing an in-place OS upgrade to Server 2022. All worked with no issues.

    We’ve now built a second Exchange Server 2019 running on Windows Server 2022. We migrated everything from Exchange Server 2016 to 2019 and the 2016 server is ready to be decommissioned. I tried uninstalling Exchange 2016 from Control Panel but I am getting: Error:
    An unsupported operating system was detected. Exchange Server 2016 Mailbox and Edge Transport server roles support Windows Server 2012 or later.

    Any idea how to remove the 2016 server? Thanks!

  2. So, my mail is hosted in o365 and my users are managed in my local AD and synced using ADConnect. If I remove the old Exchange environment from active directory, will I still have the msExch… attributes in the user attribute editor to modify Proxy addresses and to Hide mailboxes from Global address list?

  3. Thanks, ALI.
    I had installed Exchange 2016 on a VM in our domain, and it was a bad setup. So we will go next with Exchange 2019 in hopes of a better setup experience.
    I wondered what all needed to be removed from the DC, and I think you covered it all.
    Take care, and keep up the excellent work.

    Wayne Barron

  4. This is a great article. Thank you. Question, I have all these attributes in AD as your articles describes despite uninstalling Exchange successfully years ago. Now, we currently use Azure AD Connect with Office 365 since we migrated after removing Exchange. With this being said, should I leave all these attributes in AD alone or is it safe to remove them like your article illustrates? Thanks!

    1. If you remove the last Exchange Server, only the system mailboxes will stay in Active Directory, but they are disabled. Other than that, the removal should remove everything else.

      When you have Azure AD Connect, you should not have uninstalled Exchange Server. Your source of authority is AD on-premises, and you need to keep an Exchange Server for management purposes.

      You can go through the article and safely remove Exchange Server leftovers.

      Good to know is that the Exchange schema extensions will remain part of your schema forever.

  5. Hi, I completely ran the step to remove an Exchange 2019 from domain AD2016. After that I installed a new server Exchange 2019 with the same IP address and hostname. The installation passed without errors. But when I try to open https://localhost/ecp, after login, it displays an error about the certificate (ASSERT: HMACProvider.GetCertificates:protectionCertificates.Length<1). Checked the certificate, it is OK. I installed the last service pack – 03.2022. No change. Can you help me? Thanks

  6. Hi
    Thanks very much for this detailed description.
    I need to start all over with my setup after an update corrupted one of the servers. I tried to rebuild but it did not help. As it is a new setup there are no mails in the servers. So I would like to start with a new installation. But it is a DAG installation with 3 servers. Will your description also let me remove all DAG settings in the AD and DNS?

  7. I am trying to correct a corrupted install and have uninstalled and reinstalled Exchange but keep running into an error with the mailbox role and one of the accounts. I’d like to clean up the new corrupted server but this install needs to co-exist with Exchange 2010 as part of a migration project. How do I go about removing JUST the newer server from the install? Is it valid to remove the autodiscover pieces? I somehow doubt it.

  8. Hi!
    I uninstalled Exchange 2019. I passed all the steps written below, now I get this error when I am trying to install it again. Error:
    The following error was generated when “$error.Clear();
    initialize-ExchangeUniversalGroups -DomainController $RoleDomainController -ActiveDirectorySplitPermissions $RoleActiveDirectorySplitPermissions

    ” was run: “Microsoft.Exchange.Data.Directory.ADRemoveContainerException: Active Directory operation failed on adc.***.bg. You cannot remove the object ‘OU=Microsoft Exchange Protected Groups,DC=***,DC=bg’ which contains some children. —> System.DirectoryServices.Protocols.DirectoryOperationException: This operation is not allowed on a non-leaf object.
    at System.DirectoryServices.Protocols.LdapConnection.ConstructResponse(Int32 messageId, LdapOperation operation, ResultAll resultType, TimeSpan requestTimeOut, Boolean exceptionOnTimeOut)
    at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
    at Microsoft.Exchange.Data.Directory.GuardedDirectoryExecution.Execute[T](String bucketName, Func`1 action, Int64& concurrency)
    at Microsoft.Exchange.Data.Directory.PooledLdapConnection.GuardedSendRequest(String forestName, GuardedDirectoryExecution guardedDirectoryExecution, DirectoryRequest request, TimeSpan timeout, Func`3 sendRequestDelegate, Int64& concurrency)
    at Microsoft.Exchange.Data.Directory.PooledLdapConnection.SendRequest(DirectoryRequest request, LdapOperation ldapOperation, Nullable`1 clientSideSearchTimeout, IADLogContext logContext, Boolean shouldLogLastFilter)
    at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
    — End of inner exception stack trace —
    at Microsoft.Exchange.Data.Directory.ADDataSession.AnalyzeDirectoryError(PooledLdapConnection connection, DirectoryRequest request, DirectoryException de, Int32 totalRetries, Int32 retriesOnServer, String callerFilePath, Int32 callerFileLine, String memberName)
    at Microsoft.Exchange.Data.Directory.ADDataSession.ExecuteModificationRequest(ADObject entry, DirectoryRequest request, ADObjectId originalId, Boolean emptyObjectSessionOnException, Boolean isSync)
    at Microsoft.Exchange.Data.Directory.ADDataSession.Delete(ADObject instanceToDelete, Boolean enableTreeDelete)
    at Microsoft.Exchange.Data.Directory.SystemConfiguration.ADConfigurationSession.Microsoft.Exchange.Data.IConfigDataProvider.Delete(IConfigurable instance, String callerFilePath, Int32 callerFileLine, String memberName)
    at Microsoft.Exchange.Management.Tasks.InitializeExchangeUniversalGroups.InternalProcessRecord()
    at Microsoft.Exchange.Configuration.Tasks.Task.b__91_1()
    at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)”.

    I think that the Exchange server is looking for the stuff I delete from AD. Can you assist 🙂

  9. Hello,

    Great article!
    I was able to go through a proper uninstall on our old Exchange server, but I still see the Exchange schema in AD. The computer object is still in AD, just disabled, together with some older Exchange servers as well. Should I delete these now, or should that have happened automatically during the uninstall?

    Thank you,

    1. Exchange Server integrates with the Active Directory schema. If you remove Exchange Server, the Exchange schema extensions will stay and be a part of your schema forever. That’s completely fine.

      That’s why it’s important to keep up to date with security fixes and patch them, even if you don’t have an Exchange Server running anymore in the environment. Here is an example: Update AD schema to address CVE-2021-34470 vulnerability.

      Uninstalling Exchange Server will not automatically remove the AD computer object. You have to manually remove the AD computer object, just like you have to remove the IP/DNS entries.
