Keep last Exchange Server in organization

After you migrate the mailboxes to Microsoft 365/Office 365 and all the SMTP relay goes through Office 365, you want to decommission all the Exchange Servers on-premises. Even though that is possible, it’s not the recommended way. In this article, you will learn why and how to keep the last Exchange Server in the organization.

Introduction

We have EX01-2019 and EX02-2019 running in the organization. After migrating all the mailboxes to Office 365, and with the SMTP relay going through Office 365, we would like to decommission the Exchange Servers. Because why would we need them?

The answer is to keep one Exchange Server on-premises and not decommission it. Only if you no longer want to keep an on-premises Active Directory as the authority, and no longer need directory synchronization or password synchronization, can you disable Azure AD Connect synchronization and remove all Exchange Servers on-premises.

Important: We strongly recommend not publishing the Exchange Server anymore to the internet when all the mailboxes are in Office 365, and you don’t need to relay through Exchange on-premises. Sign in to the firewall and remove the VIPs and Exchange firewall rules with port 443/25.

Note: Even if you don’t have the Exchange Server published anymore, you still need to install Exchange Cumulative Update and Exchange Security Update. Sign up for the ALI TAJRAN newsletter, and you will get notified when these updates are out.

Suppose you have one Exchange Server running, and it’s in a supported state. You’re good to go. If not, we recommend installing an Exchange Server that’s supported. Exchange Server 2016 and Exchange Server 2019 are supported at the time of writing. Good to know is that you get a FREE Exchange Hybrid license when you use the server for Hybrid only.

When you have more than one Exchange Server running in the organization for High Availability, you can go back to one Exchange Server, as you only need it for management purposes. Also, when an Exchange Server doesn’t boot anymore, you can follow the article recover Exchange Server.

Configure last Exchange Server for management purposes

The last Exchange Server can run with minimal requirements for management purposes. So let’s go through the below steps and configure the last Exchange Server for management purposes.

In our example, we will keep Exchange Server EX01-2019 as the last Exchange Server. The other Exchange Server, which is EX02-2019, will be decommissioned.

Remove Exchange Hybrid configuration

Read more in the article Remove Exchange Hybrid Configuration.

Go through the steps in the article and ensure that you remove the Exchange Hybrid configuration.

Create new disk on last Exchange Server

Read more in the article Configure ReFS volume Exchange 2013/2016/2019.

Create a new disk drive with the drive letter (Z:) and 10 GB in size. We will not create separate disks for the Exchange database and Exchange logs. That’s because no user mailboxes will run on the mailbox database besides the system mailboxes.

PS C:\> Get-Disk 5 | Initialize-Disk -PartitionStyle GPT -PassThru | New-Partition -UseMaximumSize -DriveLetter Z | Format-Volume -FileSystem REFS -AllocationUnitSize 65536 -NewFileSystemLabel "DBgoogol" -SetIntegrityStreams $false

That’s how the drive looks on Exchange Server EX01-2019.

Create new mailbox database on new disk

Read more in the article Create mailbox database in Exchange Server.

It’s essential to create a new mailbox database. The new mailbox database will not take a lot of space because you will only host the arbitration mailboxes onto it.

In our example, we will give it the name DBgoogol. Googol is a large number equal to a 1 with 100 zeros following it. We use that name because it’s the last mailbox database that we will use. It’s a nice gesture to the Exchange Server engineers and the most powerful Microsoft community.

[PS] C:\>New-MailboxDatabase -Server "EX01-2019" -Name "DBgoogol" -EdbFilePath "Z:\DBgoogol\DBgoogol.edb" -logFolderPath "Z:\DBgoogol"

Name                           Server          Recovery        ReplicationType
----                           ------          --------        ---------------
DBgoogol                       EX01-2019       False           None
WARNING: Please restart the Microsoft Exchange Information Store service on server EX01-2019 after adding new mailbox
databases.

After creating the mailbox database, restart the Microsoft Exchange Information Store.

[PS] C:\>Restart-Service MSExchangeIS
WARNING: Waiting for service 'Microsoft Exchange Information Store (MSExchangeIS)' to start...

Mount the database DBgoogol.

[PS] C:\>Mount-Database -Identity "DBgoogol"

If you don’t create a new mailbox database and you use one of the existing mailbox databases, a lot of disk space is required, which you don’t need. That’s because the mailbox database will not shrink automatically. Read more on that in the article clear white space in Exchange database.

Enable circular logging on new mailbox database

Read more in the article Enable circular logging in Exchange Server.

We never recommend enabling circular logging because a backup system will truncate the Exchange logs. But, because there are no user mailboxes anymore on the mailbox database, it’s safe to enable circular logging on the mailbox database.

[PS] C:\>Set-MailboxDatabase "DBgoogol" -CircularLoggingEnabled $True

[PS] C:\>Dismount-Database "DBgoogol" -Confirm:$False

[PS] C:\>Mount-Database "DBgoogol" -Confirm:$False

Move all arbitration mailboxes to new database

Read more in the article Move arbitration mailboxes in Exchange Server.

Before you run the below commands and move the arbitration mailboxes, run the Set-ADServerSettings cmdlet, including the -ViewEntireForest parameter. It will let you view the objects in the entire forest.

[PS] C:\>Set-ADServerSettings -ViewEntireForest $true

Get the arbitration mailboxes and move them to the new mailbox database.

[PS] C:\>Get-Mailbox -Arbitration | New-MoveRequest -TargetDatabase "DBgoogol"

DisplayName                           StatusDetail        TotalMailboxSize           TotalArchiveSize PercentComplete
-----------                           ------------        ----------------           ---------------- ---------------
Microsoft Exchange Approval Assistant WaitingForJobPickup 0 B (0 bytes)                               0
Microsoft Exchange                    WaitingForJobPickup 105 KB (107,477 bytes)                      0
Microsoft Exchange                    WaitingForJobPickup 4.459 MB (4,675,919 bytes)                  0
Microsoft Exchange Migration          WaitingForJobPickup 76.13 KB (77,958 bytes)                     0
Microsoft Exchange Federation Mailbox WaitingForJobPickup 0 B (0 bytes)                               0
E4E Encryption Store - Active         WaitingForJobPickup 0 B (0 bytes)                               0
Microsoft Exchange                    WaitingForJobPickup 0 B (0 bytes)                               0

Verify that the arbitration mailboxes are moved to mailbox database DBgoogol.

[PS] C:\>Get-Mailbox -Arbitration | Format-Table Name, ServerName, Database, AdminDisplayVersion

Name                                                ServerName Database AdminDisplayVersion
----                                                ---------- -------- -------------------
SystemMailbox{1f05a927-ae78-46b1-b968-4cbcc935228e} ex01-2019  DBgoogol Version 15.2 (Build 986.5)
SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c} ex01-2019  DBgoogol Version 15.2 (Build 986.5)
SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9} ex01-2019  DBgoogol Version 15.2 (Build 986.5)
Migration.8f3e7716-2011-43e4-96b1-aba62d229136      ex01-2019  DBgoogol Version 15.2 (Build 986.5)
FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 ex01-2019  DBgoogol Version 15.2 (Build 986.5)
SystemMailbox{D0E409A0-AF9B-4720-92FE-AAC869B0D201} ex01-2019  DBgoogol Version 15.2 (Build 986.5)
SystemMailbox{2CE34405-31BE-455D-89D7-A7C7DA7A0DAA} ex01-2019  DBgoogol Version 15.2 (Build 986.5)

Move other mailboxes

Let’s move the audit log mailbox.

[PS] C:\>Get-Mailbox -AuditLog | New-MoveRequest -TargetDatabase "DBgoogol"

DisplayName                                         StatusDetail        TotalMailboxSize TotalArchiveSize PercentComplete
-----------                                         ------------        ---------------- ---------------- ---------------
SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9} WaitingForJobPickup 0 B (0 bytes)                     0

Verify that the audit log mailbox is moved to the new mailbox database DBgoogol.

[PS] C:\>Get-Mailbox -AuditLog | Format-Table Name, ServerName, Database, AdminDisplayVersion

Name                                                ServerName Database AdminDisplayVersion
----                                                ---------- -------- -------------------
SystemMailbox{8cc370d3-822a-4ab8-a926-bb94bd0641a9} ex01-2019  DBgoogol Version 15.2 (Build 986.5)

Check which mailboxes are still on-premises. There should be no user mailboxes, shared mailboxes, or room mailboxes. Only the administrator mailboxes and DiscoverySearchMailbox should be present.

[PS] C:\>Get-Mailbox | Format-Table Name, ServerName, Database, AdminDisplayVersion

Name                                                          ServerName Database AdminDisplayVersion
----                                                          ---------- -------- -------------------
Administrator                                                 ex01-2019  DB01     Version 15.2 (Build 986.5)
DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852} ex01-2019  DB01     Version 15.2 (Build 986.5)

Move these mailboxes to database DBgoogol.

[PS] C:\>Get-Mailbox | New-MoveRequest -TargetDatabase "DBgoogol"

DisplayName              StatusDetail        TotalMailboxSize            TotalArchiveSize PercentComplete
-----------              ------------        ----------------            ---------------- ---------------
Administrator            WaitingForJobPickup 57.88 MB (60,690,353 bytes)                  0
Discovery Search Mailbox WaitingForJobPickup 65.74 KB (67,321 bytes)                      0

Delete mailbox databases

Read more in the article Delete mailbox database in Exchange Server.

Dismount and delete the mailbox databases. Only keep the DBgoogol mailbox database. If you get an error when you want to delete a mailbox database, read the article Cannot delete mailbox database in Exchange Server.
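A pre-deletion check for the step above, as an added example that is not part of the original article or its scripts: it lists move requests that have not completed and any mailbox still homed on a database other than DBgoogol. It assumes the Exchange Management Shell on the last Exchange Server; the variable names are illustrative.

```powershell
# Added example: run in the Exchange Management Shell on the last Exchange Server.
$KeepDatabase = "DBgoogol"   # database name used in this article

# Include objects from every domain in the forest, as the article does before the moves.
Set-ADServerSettings -ViewEntireForest $true

# 1. Move requests that are still queued, in progress or failed.
$openMoves = @(Get-MoveRequest -ResultSize Unlimited |
    Where-Object { [string]$_.Status -notin "Completed", "CompletedWithWarning" })

# 2. Anything still homed on a database that is about to be deleted.
#    "User" is a plain Get-Mailbox; the other names are Get-Mailbox switches.
$mailboxTypes = "User", "Arbitration", "AuditLog", "Archive", "PublicFolder"
$oldDatabases = @(Get-MailboxDatabase | Where-Object { $_.Name -ne $KeepDatabase })

$leftovers = @(foreach ($db in $oldDatabases) {
    foreach ($type in $mailboxTypes) {
        $params = @{ Database = $db.Name; ResultSize = "Unlimited" }
        if ($type -ne "User") { $params[$type] = $true }
        Get-Mailbox @params | ForEach-Object {
            [pscustomobject]@{ Database = $db.Name; Type = $type; Mailbox = $_.Name }
        }
    }
})

# 3. Report. Delete the old databases only when both lists are empty.
if ($openMoves.Count -gt 0) {
    Write-Warning "$($openMoves.Count) move request(s) not completed:"
    $openMoves | Format-Table DisplayName, Status, TargetDatabase -AutoSize
}
if ($leftovers.Count -gt 0) {
    Write-Warning "$($leftovers.Count) mailbox(es) still on databases other than ${KeepDatabase}:"
    $leftovers | Sort-Object Database, Type | Format-Table -AutoSize
}
if ($openMoves.Count -eq 0 -and $leftovers.Count -eq 0) {
    "No open move requests and no mailboxes left outside $KeepDatabase."
}
```

A mailbox with an archive can appear under both User and Archive; move the reported objects to DBgoogol and run the check again until it reports nothing.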

Remove drives

Remove the drives and only keep the (C:) and (Z:) drive.

Decommission all other Exchange Servers

Read more in the article Remove Exchange Server from domain.

If you don’t have more than one Exchange Server running, you can skip this step.

If you have a DAG configuration, follow these steps:

  1. Remove servers from DAG
  2. Remove DAG
  3. Remove DAG witness directory
  4. Decommission Exchange Server

Go to servers > database availability groups. There will be no more database availability groups.

Go to servers > servers. Only one Exchange Server shows up.

Don’t forget to remove other tools on the Exchange Server, for example, SCOM or the backup agent. After that, remove the IP and DNS entries. Lastly, remove the AD object in ADUC (Active Directory Users and Computers).

Cleanup Exchange logs

Read more in the article Cleanup logs Exchange 2013/2016/2019.

Download the CleanupLogs.ps1 PowerShell script and save the file on the Exchange Server in path C:\scripts. Then, start Windows PowerShell and run the script.

PS C:\> cd C:\scripts
PS C:\scripts> .\CleanupLogs.ps1

Remove old Exchange OWA files

Read more in the article Remove old Exchange OWA files to free up disk space.

Find which Exchange versions are running in the organization.

$ExchangeServers = Get-ExchangeServer | Sort-Object Name
ForEach ($Server in $ExchangeServers) {
    Invoke-Command -ComputerName $Server.Name -ScriptBlock { Get-Command Exsetup.exe | ForEach-Object { $_.FileversionInfo } }
}

Remove the build numbers in the Owa\prem folder that didn’t show in the output.

C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\prem

Configure performance on last Exchange Server

Adjust the CPU, memory, and disk on the last Exchange Server. Below is how we configure the performance on the last Exchange Server for management purposes:

  • CPU: 2 – 4 cores
  • Memory: 8 GB – 16 GB
  • Disk OS and Exchange Server installation: 100 GB – 120 GB
  • Disk mailbox database and logs: 10 GB

You can always add more resources to the Exchange Server. This speeds up the process when you need to install an Exchange Server CU or Exchange Server SU.

Remove all Exchange Servers firewall rules

Sign in to the firewall and remove all the VIPs and firewall rules that publish the Exchange Server to the outside world. These are the Exchange firewall ports:

  • HTTP: 80/TCP
  • HTTPS: 443/TCP
  • SMTP: 25/TCP

Note: Every adjustment in Exchange Server will be synced to Azure AD with Azure AD Connect. You don’t need to publish the Exchange Server to the internet for any changes you apply.
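To confirm from the outside that the rules are really gone, the following added example (not part of the original article) resolves each former public name and tests the three ports listed above. The host names are placeholders and must be replaced with the names that used to publish Exchange; run it from a machine outside the corporate network.

```powershell
# Added example: run from a machine OUTSIDE the corporate network.
# Placeholder names (assumptions): replace with the public names that used to publish Exchange.
$PublicNames = "mail.example.com", "autodiscover.example.com"

# The Exchange firewall ports listed in this article.
$Ports = @(
    @{ Port = 80;  Service = "HTTP"  },
    @{ Port = 443; Service = "HTTPS" },
    @{ Port = 25;  Service = "SMTP"  }
)

$results = foreach ($name in $PublicNames) {
    # A name that no longer resolves cannot publish anything.
    try {
        $null = Resolve-DnsName -Name $name -ErrorAction Stop
    }
    catch {
        [pscustomobject]@{ Name = $name; Port = "-"; Service = "-"; State = "No DNS record" }
        continue
    }

    foreach ($p in $Ports) {
        $t = Test-NetConnection -ComputerName $name -Port $p.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Name    = $name
            Port    = $p.Port
            Service = $p.Service
            State   = if ($t.TcpTestSucceeded) { "REACHABLE" } else { "Closed/filtered" }
        }
    }
}

$results | Format-Table -AutoSize

# Caveats:
# - Many ISPs block outbound 25/TCP, so test SMTP from a network that allows it.
# - If the public IP is shared, a reachable 80/443 may be another service behind the
#   same VIP; check on the firewall which backend the rule points to.
$stillOpen = @($results | Where-Object { $_.State -eq "REACHABLE" })
if ($stillOpen.Count -gt 0) {
    Write-Warning "$($stillOpen.Count) port(s) still reachable from the internet. Review the firewall rules and VIPs."
}
```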

Conclusion

You learned why you need to keep the last Exchange Server in the organization. If there are no mailboxes on-premises and you don’t need an SMTP relay from the Exchange Server, don’t publish the Exchange Server to the internet. Azure AD Connect will still sync all the changes to Azure AD.

Don’t forget to keep the last Exchange Server up to date with the latest Exchange Cumulative Update and Exchange Security Update. Subscribe to the newsletter, and don’t miss out on the Exchange Server updates.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.

This Post Has 9 Comments

  1. Hello Ali, thank you very much for all your blogs and posts, I have benefited from it a few times.

    I currently have a somewhat special case, we have a customer who has a replaced Exchange 2016 CU23 on Windows Server 2012R2. When the customer was taken over, there was already an Azure (ENTRA) AD Connect, but only for the Office licenses to log in to the office. I took the users out of the OU Sync, created new M365 cloud users and migrated the mailboxes from on-prem to M365 via export/import. On the old Exchange 2016 I disabled all mailboxes, so far so good.

    However, the customer now wants to use Defender for Endpoint and keep the local AD, so the Azure(ENTRA) AD Connect must be set up again. I will dissolve the current sync and create a new one, it is currently running, but no users will be synced. The domain controllers also need to be updated, in my opinion just creating a new sync with the new DCs.

    What should I do with the old Exchange Server, just shutdown the server or uninstall? What is the clean way? In some forums I read uninstall and in others I read under no circumstances uninstall.

    Thanks in advance.

    Best regards
    Silvio

  2. With only system mailboxes remaining on a single Exchange Server, is there a need to perform an Exchange native backup (with whatever tooling)? I.e. will a VM level backup suffice without any application-aware backups? I know the application-aware backups would normally maintain the transaction logs but with circular logging enabled, it takes care of it.

    The only concern is mailbox database recovery in the event of corruption at the mailbox or DB level:
    – Restore the VM and hope file system can recover (surely this is likely to work)
    – New DB and recreate system mailboxes
    – Schedule a Windows Backup so the DB is backed up using the native tooling, save that backup to disk on the exchange server, which would be captured at the VM level backup.

    Thoughts?

    Regards

  3. We are in exactly this position. If we remove Hybrid configuration can I still create AD users on-prem, create a Mailbox on-prem and then Migrate them so the config matches all my previous mail objects, or once we have removed Hybrid is this last Exchange server only there to manage the objects created before Hybrid was removed, and all Mailboxes going forward have to be created direct in 365?

    Thanks

  4. Really helpful content on your site Ali! Been struggling with an Exchange Removal for quite some time and now I finally found some good and detailed information.

  5. Thanks Ali, I really appreciate your site and your tips. This tutorial really answered the questions I had regarding what to do with my last exchange server.

    Thanks,

  6. Hello,
    Can we use this method if we plan on keeping one Exchange server on-prem, not just for management purposes but for SMTP relay and to store some service account mailboxes that are not O365 compatible? We have two on-prem servers, one Exchange 2016 and one Hybrid 2019 – we want to decommission the 2016 server and stick with the new 2019 Hybrid Exchange server. There are only a handful of service mailboxes on the 2019 server and no mailboxes on the 2016 server.
    Thanks!

    1. Definitely, and that’s the recommended approach.

      Pay close attention, and don’t remove the “Exchange Hybrid configuration” and “all Exchange Servers firewall rules” because you need that for SMTP relay and the on-premises mailboxes to function.

  7. If we have 2 servers, do we need the small database for arbitration on both? Can we put 1 server without database and other with all arbitration and audit mailboxes on second server?
