Off-boarding email from Office 365 to Exchange 2013 (Part 6)


Introduction

The previous part of this series covered the migration of mailboxes to Exchange 2013 on-premises. At this point we’ll be hoping that all our organization’s mailboxes have been successfully off-boarded and that users connect to our Exchange 2013 servers to access email. In the final part of this series, we’ll cover the tasks required to successfully decommission Hybrid and possibly other Office 365 services.

Verify Mailboxes are migrated

Before removing Hybrid configuration from Office 365 it is worth double checking that no mailboxes have been forgotten and still need to be migrated. Navigate to the Office 365 Exchange Admin Center, either via the Office 365 tab of the on-premises Exchange Admin Center or via http://portal.office.com and selecting Admin>Exchange.

Under the Recipient heading, select the Mailboxes tab. We’ll expect to see the tenant administrator account, if it exists:

Figure 1: Verifying that all mailboxes have been moved from Office 365 to on-premises Exchange

Changing Mail Exchanger (MX) Records

If you’re looking at delivering mail to an alternative solution, or directly to on-premises, then the first step we’ll need to take is to adjust the inbound MX record to direct mail away from Office 365.

As a simple example, we’ll assume we are delivering directly to on-premises Exchange 2013, which might be protected by a solution like GFI MailEssentials running on the server(s).

For any solution delivering to on-premises we’ll need to ensure we set up the following:

  • An external DNS entry for the Exchange Server or equivalent. This DNS entry should have a matching forward and reverse entry, for example:
    • An A record of the IP 1.2.3.4 set as mail.exchangelabs.co.uk
    • A PTR record for the IP address 1.2.3.4 also set to mail.exchangelabs.co.uk
  • Firewall settings to allow inbound and outbound SMTP on port 25/TCP from any host on the internet to the Exchange Server, or equivalent.

Both of the above may already have been configured to allow Exchange Online to deliver mail to on-premises in the Hybrid Configuration. If so, the switch should be straightforward – but you should test.

After ensuring the external DNS name is configured and the firewall allows mail to flow to our servers, we’ll configure the MX record for our domain:

Figure 2: Editing the inbound MX record via 123-reg’s DNS manager

You may remember that in part four of this series we configured our SPF record for Office 365 to also include our on-premises Exchange Servers. We’ll now edit this TXT record in DNS and remove the configuration for Office 365:

Figure 3: Editing the SPF record to exclude the Office 365 mail servers.

After waiting for DNS changes to propagate, re-test inbound and outbound mail flow to confirm your changes haven’t affected it. If you’ve made any mistakes you can still revert to using Office 365 for inbound mail delivery at this point and correct any errors.
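
One way to check the DNS side of that re-test, as an added example that is not part of the original article. The record values are constructed samples, and the Office 365 names it looks for (mail.protection.outlook.com and spf.protection.outlook.com) are the standard Exchange Online endpoints rather than values taken from this page.

```powershell
# Added example; all record values below are constructed samples.
function Test-MailDnsCutover {
    param(
        [string[]]$Mx,      # MX targets published for the domain
        [string[]]$Txt,     # TXT strings published for the domain
        [string]$MailHost,  # expected on-premises MX target
        [string]$Ptr        # PTR name returned for the mail host's IP
    )
    $findings = @()
    # Inbound mail must no longer be handed to Exchange Online Protection.
    foreach ($m in $Mx) {
        if ($m -like '*.mail.protection.outlook.com') { $findings += "MX still targets Office 365: $m" }
    }
    if ($Mx -notcontains $MailHost) { $findings += "MX does not list $MailHost" }

    # Exactly one SPF record, and it must not authorise Office 365 to send.
    $spf = @($Txt | Where-Object { $_ -like 'v=spf1*' })
    if ($spf.Count -ne 1) { $findings += "Expected 1 SPF record, found $($spf.Count)" }
    foreach ($s in $spf) {
        if ($s -match 'include:spf\.protection\.outlook\.com') { $findings += "SPF still includes Office 365: $s" }
    }

    # Forward and reverse DNS for the mail host must agree.
    if ($Ptr.TrimEnd('.') -ne $MailHost) { $findings += "PTR '$Ptr' does not match $MailHost" }
    return ,$findings
}

# Constructed state before the change: MX and SPF still reference Office 365.
$before = @{
    Mx       = @('exchangelabs-co-uk.mail.protection.outlook.com')
    Txt      = @('v=spf1 ip4:1.2.3.4 include:spf.protection.outlook.com -all')
    MailHost = 'mail.exchangelabs.co.uk'
    Ptr      = 'mail.exchangelabs.co.uk'
}
# Constructed state after the change: on-premises only.
$after = $before.Clone()
$after.Mx  = @('mail.exchangelabs.co.uk')
$after.Txt = @('v=spf1 ip4:1.2.3.4 -all')

"Before: $((Test-MailDnsCutover @before) -join ' | ')"
"After:  $((Test-MailDnsCutover @after).Count) findings"

# For live DNS, fill the same parameters from Resolve-DnsName (DnsClient module):
#   Mx  = (Resolve-DnsName exchangelabs.co.uk -Type MX).NameExchange
#   Txt = (Resolve-DnsName exchangelabs.co.uk -Type TXT).Strings
#   Ptr = (Resolve-DnsName 1.2.3.4 -Type PTR).NameHost
```

An SPF record that still includes Office 365 after the cut-over keeps authorising a sending service you no longer use, so it is worth treating a finding here as blocking before moving on.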

Once you are happy that all inbound and outbound mail flow is working correctly, we can now begin to remove the configuration for the Hybrid Configuration.

Removing Exchange Hybrid Settings

The Hybrid configuration wizard adds a variety of configuration settings to both Exchange Online and Exchange 2013 on-premises to allow rich co-existence between both environments. To decommission Hybrid we will need to, in particular, remove the on-premises Exchange Hybrid settings.

We won’t be able to remove everything, as the actual Hybrid Configuration object itself cannot be removed via supported methods; we’ll also leave the Federation Trust in place, as it serves purposes other than just Office 365. The areas we can remove configuration for are as follows:

  • Remove the tenant.mail.onmicrosoft.com domain from Email Address Policies.
  • Clear the stored configuration for the Hybrid Configuration.
  • Remove the Organization Relationship to Office 365.
  • Remove remote Domains configuration for Office 365 accepted domains.
  • Remove Accepted domains exclusive to the Office 365 tenant – i.e. the onmicrosoft.com domains.
  • Remove Send connectors for outbound mail to Office 365.
  • Remove Receive connectors for inbound mail from Office 365.
  • Disable the MRS Proxy component of Exchange Web Services.
  • Remove the Availability Address Space configuration for the Office 365 tenant.
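
A read-only inventory of the objects in the list above, useful before the clean-up and again afterwards to confirm nothing is left behind. This is an added example, not the article's own commands; it must be run in the on-premises Exchange Management Shell, and the match patterns (tenant domains ending in onmicrosoft.com, receive connectors identified by name or by an outlook.com TLS domain capability) are assumptions to adjust for your environment.

```powershell
# Added example, read-only: run in the on-premises Exchange Management Shell.
# Assumption: the tenant's routing domains end in onmicrosoft.com.
$tenant = '*onmicrosoft.com*'

$leftovers = [ordered]@{
    'Email address policies with tenant domain' =
        Get-EmailAddressPolicy | Where-Object { "$($_.EnabledEmailAddressTemplates)" -like $tenant }
    'Organization relationships to the tenant' =
        Get-OrganizationRelationship | Where-Object { "$($_.DomainNames)" -like $tenant }
    'Remote domains for the tenant' =
        Get-RemoteDomain | Where-Object { $_.DomainName -like $tenant }
    'Accepted domains exclusive to the tenant' =
        Get-AcceptedDomain | Where-Object { $_.DomainName -like $tenant }
    'Send connectors routing to the tenant' =
        Get-SendConnector | Where-Object { "$($_.AddressSpaces)" -like $tenant }
    # Assumption: hybrid receive connectors are recognisable by name or by a
    # TLS domain capability granted to an outlook.com host.
    'Receive connectors accepting mail from Office 365' =
        Get-ReceiveConnector | Where-Object {
            $_.Name -like '*Office 365*' -or "$($_.TlsDomainCapabilities)" -like '*outlook.com*' }
    'EWS virtual directories with MRS Proxy enabled' =
        Get-WebServicesVirtualDirectory | Where-Object { $_.MRSProxyEnabled }
    'Availability address spaces for the tenant' =
        Get-AvailabilityAddressSpace | Where-Object { $_.ForestName -like $tenant }
}

# One row per checklist item: how many objects remain and which ones.
foreach ($check in $leftovers.GetEnumerator()) {
    $names = @($check.Value | ForEach-Object { "$($_.Identity)" })
    [pscustomobject]@{
        Check     = $check.Key
        Remaining = $names.Count
        Objects   = $names -join '; '
    }
}
```

After the clean-up every row should report zero remaining objects; an EWS virtual directory that still has MRS Proxy enabled is the one most worth chasing, since it leaves a mailbox-move endpoint exposed for no purpose.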

Are you staying with Office 365 for other services?

If you are still using Skype for Business Online, SharePoint Online, OneDrive for Business, Yammer or other Office 365 and Azure Active Directory-integrated services you probably won’t want to make any further changes, apart from perhaps changes to inbound mail routing.

If you do go ahead and remove accounts from Office 365 and you’ve still got data in other services, you risk losing access to that data, so spend some time making sure your users aren’t using these services.

If you have previously licenced the desktop version of Office via Office 365 E3 or similar plans, then you’ll also need to make sure you’ve properly re-licenced using traditional licensing.

If you’re using one of the Exchange Online only plans for your users, then you’re more than likely safe to proceed as these plans do not include any services apart from Exchange.

Removing Azure Active Directory Sync

To allow us to remove unwanted users from the tenant and the associated custom domains we will disable Active Directory Synchronization. To do this, log into the Office 365 Portal at https://portal.office.com and navigate to Users>Active Users then select Deactivate:

Figure 4: Disabling AD Sync in the Office 365 tenant

With the Azure AD Sync Tool no longer synchronizing objects to the cloud, we can remove it from the server it’s installed on. The tool includes a number of components, including SQL Express and Forefront Identity Manager. To uninstall everything, open Programs and Features from the Control Panel, select the Windows Azure Active Directory Sync tool, then choose Uninstall.

Figure 5: Uninstalling DirSync from the server

The uninstallation process should cleanly remove those components. However, you may find that the SQL Server Native Client and (if you’ve installed it) the Windows Azure Active Directory Module for PowerShell must be uninstalled separately.

Removing Accepted Domains from your Office 365 tenant

To finish off our move to on-premises, we’ll need to remove unwanted users and then remove the custom domains. To re-iterate – if you are still using any Office 365 services or any other service that utilizes Azure Active Directory identity, you may wish to stop here.

After removing unwanted users we should be left with just the tenant administrator. If this uses a custom domain, update it to use the onmicrosoft.com domain.

Figure 6: Ensuring remaining Azure AD accounts do not use a custom domain

Next, we’ll navigate to the Domains section and find our shared domain – in our case exchangelabs.co.uk and choose Remove:

Figure 7: Removing the shared domain from the Office 365 tenant

Assuming all goes well, the domain should remove cleanly. If not, examine Groups or any other remaining objects in your tenant that include email addresses, and double check that the remaining admin account does not have an additional email address using the custom domain in question.

If you are at this point letting your Office 365 licences expire, then there are no further actions required to decommission the tenant; it will be removed by Microsoft at some point in the future. If you do not wish to lose your tenant name or any remaining data within it, you may wish to retain at least one licence to ensure it is not completely decommissioned. You’ll then be able to make use of it again in the future.

Summary

In this series we’ve successfully imported our accounts to on-premises Active Directory and Exchange, then successfully configured a reverse-Hybrid to offboard mailboxes from Exchange Online to Exchange 2013 on-premises. In most circumstances you’ll never need to do this – but it is useful to know it is straightforward to migrate away from Exchange Online, should you ever need to.
