Remove the last legacy Exchange 2003 Server from an Exchange 2010 Organization
I’ve done quite a few Exchange 2003 -> Exchange 2010 migrations over the last few months (yes, skipping the 2007 version) and I always read Microsoft’s guide: Remove the Last Legacy Exchange Server from an Exchange 2010 Organization. But I always end up thinking: “I know there was something more…” and I hate leaving decommissions half done. Bear in mind that Exchange 2003 has been around for 10 years, so you can expect the environment to contain more than the default groups, and if they also had Exchange 5.5 before that, even more.
And gosh, I’ve seen so many customers where someone just shut down and formatted the Exchange 2003 server without getting rid of anything. If you feel you’re not up to the task of removing Exchange 2003 the correct way – don’t do it, but hire someone to do it for you (like me :))
These are my notes from the field!
Word of caution! Spread the changes out over time, always make a note of what you did and when, and monitor the logs for errors so you can map an error to a specific change. Also, if you’re running Exchange 2003 in child domains, I suggest not starting this before you have successfully removed all Exchange 2003 servers in all domains.
So following the Microsoft guide, you’ve moved everything away from Exchange 2003: mailboxes and PF content moved, databases and stores removed, OAB generation moved, inbound and outbound connectors moved, Routing Group connectors removed, e-mail address policies handled, Recipient Update Services deleted aaaand Exchange 2003 uninstalled from the last server.
So last step, according to Microsoft, is: After the last Exchange 2003 server has been removed from the Exchange 2010 organization, you can also remove the legacy Exchange Domain Servers and Exchange Enterprise Servers security groups.
Really? Well, here are my notes on additional things to do BEFORE that…
Remove the members of default Exchange 2003 groups
There are some default Exchange 2003 groups that we will remove later in this article, but before we go ahead and go wild we should check their membership. They should be empty before we continue, because otherwise the groups might be used for something else. By emptying the groups first and waiting to make sure everything keeps working, we verify that they are not in use. The groups are:
- Exchange Enterprise Servers
- Exchange Domain Servers
- Exchange Services
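As an added example (mine, not from the original post or from Microsoft), here is a PowerShell script that reports the membership of these three groups in every domain of the forest and saves it to a CSV for your change notes. It assumes the ActiveDirectory module (RSAT) is available and that you can read group membership in each domain; a domain where a group does not exist is simply reported as such.

```powershell
# Added example: check the legacy Exchange 2003 groups in all domains before emptying them.
# Assumes the ActiveDirectory module (RSAT) and rights to read group membership in each domain.
Import-Module ActiveDirectory

$legacyGroups = 'Exchange Enterprise Servers', 'Exchange Domain Servers', 'Exchange Services'
$rows = @()

foreach ($domain in (Get-ADForest).Domains) {
    foreach ($name in $legacyGroups) {
        # Not every domain has every group (Exchange Services is a pre-2003 leftover).
        $group = Get-ADGroup -Server $domain -Filter { Name -eq $name }
        if (-not $group) {
            Write-Host ("{0}: '{1}' does not exist" -f $domain, $name)
            continue
        }
        # -Recursive expands nested groups, so a group whose only member is another
        # (non-empty) group is still reported as in use.
        $members = @(Get-ADGroupMember -Server $domain -Identity $group -Recursive)
        if ($members.Count -eq 0) {
            Write-Host ("{0}: '{1}' is empty" -f $domain, $name) -ForegroundColor Green
        } else {
            Write-Host ("{0}: '{1}' still has {2} member(s)" -f $domain, $name, $members.Count) -ForegroundColor Yellow
        }
        foreach ($m in $members) {
            $rows += New-Object PSObject -Property @{
                Domain = $domain
                Group  = $name
                Member = $m.distinguishedName
                Class  = $m.objectClass
            }
        }
    }
}

# Keep the membership list with your change notes; you will want it if something
# stops working after the groups have been emptied.
$rows | Select-Object Domain, Group, Class, Member |
    Export-Csv -Path ".\legacy-exchange-groups-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it once before you empty the groups (so you have the original membership on record) and once again after the waiting period, when all three should come back as empty in every domain.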
Remove Delegated Control using ESM (Exchange System Manager) in Configuration partition
Use the old ESM in 2003 to check if there are some specific Delegated Control. Check both the root of the Organization and the Administrative Groups and remove them.
This removes the permissions set in AD on the Configuration partition (CN=OrgName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local). You could do it with ADSIEdit.msc, but ESM is so much easier.
You may also find some non-default groups here which have been used to delegate Exchange access. If they aren’t used for anything else, these groups can be removed (I suggest you start by emptying these groups and wait to make sure nothing else stops working before removing the groups).
Remove the old Exchange 2003 AD group permissions in Default Naming Context partition
There are some default Exchange groups that are no longer needed if you’re running Exchange 2010 only, but before you go ahead with this, make sure the groups are empty, since they may be used for something else:
- Exchange Enterprise Servers
- Exchange Domain Servers
It’s mentioned in How to Remove the Last Legacy Exchange Server from an Organization (that is, the 2003 -> 2007 guide) but it’s missing in Remove the Last Legacy Exchange Server from an Exchange 2010 Organization and I don’t really know why. There seems to be some confusion regarding this topic; people also comment on the differences in the MS article. So before you run the PowerShell commands below, you might want to check what the actual settings are today: open adsiedit.msc, connect to the Default Naming Context and check the Security settings of the root. Do you see Exchange Enterprise Servers there?
Microsoft mentions that the following should be run:
Remove-ADPermission "dc=domain,dc=local" -User "DOMAIN\Exchange Enterprise Servers" -AccessRights WriteDACL -InheritedObjectType Group
Remove-ADPermission "dc=domain,dc=local" -User "DOMAIN\Exchange Domain Servers" -AccessRights WriteDACL
But for me, that doesn’t remove the permissions completely, only the WriteDacl entry. Since we will remove the groups later, it would become “Unknown Account”, so I used ADSIEdit.msc to remove DOMAIN\Exchange Enterprise Servers manually.
Now, while you’re at it, take a look at the permissions; you might, as in the above example, find some “Account Unknown” entries, which are old accounts that have been deleted. Maybe this is a good time to clear those out too?
Remove the old Exchange 2003 AD group permissions in Configuration partition
Using ADSIEdit.msc, there are two places where you should look at security:
- CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
- CN=OrgName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
Here you might also find the groups:
- Exchange Enterprise Servers
- Exchange Domain Servers
- Exchange Services (which could be some leftover from pre-Exchange 2003 installations)
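The following PowerShell is an added example of my own, not from the Microsoft articles, covering both the Default Naming Context root from the previous section and the two Configuration containers above. Run it in the Exchange 2010 Management Shell: it lists every ACE held by the legacy groups (not only the WriteDacl entry that Microsoft’s two commands remove), lists entries held by deleted principals (the ones ADSIEdit shows as “Account Unknown”), and removes the legacy groups’ explicit entries with -WhatIf until you take that switch away. OrgName is a placeholder for your Exchange organization name, and the assumption that a deleted principal shows up as a bare S-1-5-21 SID string in the User property is mine.

```powershell
# Added example (Exchange 2010 Management Shell). The naming contexts are read from
# RootDSE, so only the organization name below needs to be adjusted.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainNC = [string]$rootDse.defaultNamingContext          # e.g. DC=domain,DC=local
$configNC = [string]$rootDse.configurationNamingContext    # e.g. CN=Configuration,DC=domain,DC=local
$orgName  = 'OrgName'                                      # placeholder: your Exchange organization name

$targets = @(
    $domainNC,
    "CN=Microsoft Exchange,CN=Services,$configNC",
    "CN=$orgName,CN=Microsoft Exchange,CN=Services,$configNC"
)
$legacyGroups = 'Exchange Enterprise Servers', 'Exchange Domain Servers', 'Exchange Services'

foreach ($dn in $targets) {
    Write-Host "`n=== $dn ===" -ForegroundColor Cyan
    # One object per ACE. User is "DOMAIN\Name" for a resolved principal and (assumption)
    # the bare SID for a deleted one, which ADSIEdit displays as "Account Unknown".
    $aces = Get-ADPermission -Identity $dn

    $legacyAces = $aces | Where-Object {
        $user = $_.User.ToString()
        [bool]($legacyGroups | Where-Object { $user -like "*\$_" })
    }
    $orphanedAces = $aces | Where-Object { $_.User.ToString() -like 'S-1-5-21-*' }

    Write-Host "ACEs held by the legacy Exchange groups:"
    $legacyAces | Select-Object User, Deny, IsInherited, AccessRights, ExtendedRights, InheritedObjectType |
        Format-Table -AutoSize

    Write-Host "ACEs held by deleted principals (Account Unknown):"
    $orphanedAces | Select-Object User, Deny, IsInherited, AccessRights, ExtendedRights |
        Format-Table -AutoSize

    # Only explicit entries can be removed on this object; an inherited entry has to be
    # removed from the object it is inherited from. Drop -WhatIf once the listing looks right.
    $legacyAces | Where-Object { -not $_.IsInherited } | Remove-ADPermission -WhatIf
}
```

Keep the two listings with your notes before removing anything: the first tells you exactly which entries Microsoft’s WriteDacl commands would leave behind, and the second gives you the list of orphaned SIDs to clean up in the same pass.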
Remove the old Exchange 2003 AD groups
Once you have removed the permissions of all the groups, you can remove the groups from all domains:
- Exchange Enterprise Servers
- Exchange Domain Servers
- Exchange Services
What about the empty old Administrative Groups from Exchange 2003?
So you might have the First Administrative Group and maybe even additional administrative groups created for Exchange 2003? Microsoft recommends just leaving them as they are: “We recommend you leave the old admin groups around, simply because there’s no reason to remove them. Also, it’s possible your free/busy folder could go missing at some point, and then you either have to recreate the admin group or change the legacyExchangeDN on the users.”
What else?
Not mentioned at all in the articles are other common things that you have probably left around:
- Domain Users – There might be some dedicated users created for Exchange. Maybe someone, for some reason, created a dedicated Exchange service account? Search for *Exchange* and *Mail* accounts. Make sure to disable first and delete later. Also, these accounts may have permissions set directly in the Configuration or Default Naming Context partition.
- Domain Groups – As mentioned earlier, there might be some old domain groups that have been used to delegate control in Exchange, or as local admins on the servers, that are no longer in use. Check for permissions in the Configuration and Default Naming Context partitions, empty the groups and delete them.
- Computer accounts – The old Exchange 2003 servers had computer accounts in AD.
- GPO – Maybe the Exchange 2003 servers had specific GPOs applied?
- OU – Maybe the Exchange 2003 servers had dedicated Organizational Units?
- Internal DNS entries – The Exchange 2003 computers had DNS records that should be deleted. Remember to look for DNS aliases (CNAME) like “smtp”, “mail” etc.
- External DNS entries – During migration, you might have used the legacy.domain.com entry?
- Firewall rules – Traffic from the Internet was probably allowed to the Exchange 2003 Front-End.
- Physical/VMs – Don’t forget to shut them down, remove them physically from the rack, remove the VM, and remove them from lists like the IP plan etc.
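For the AD-side items in that list, here is an added example script of mine (not from the post or from Microsoft) that inventories users and groups named *Exchange* or *Mail*, plus the computer accounts of the old servers, writes the result to a CSV for your notes, and shows the first step, disabling rather than deleting, with -WhatIf. It assumes the ActiveDirectory module (RSAT); EX2003-01 and EX2003-FE are placeholder server names.

```powershell
# Added example: inventory AD leftovers from Exchange 2003. Report only; the disable
# step keeps -WhatIf. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$oldServers = 'EX2003-01', 'EX2003-FE'    # placeholders for the decommissioned servers
$patterns   = '*Exchange*', '*Mail*'
$report     = @()

function New-Row($Type, $Name, $DN, $Enabled, $LastLogon, $Note) {
    New-Object PSObject -Property @{
        Type = $Type; Name = $Name; DN = $DN; Enabled = $Enabled; LastLogon = $LastLogon; Note = $Note
    }
}

foreach ($p in $patterns) {
    # Users whose name, logon name or description mentions Exchange/Mail.
    $report += @(Get-ADUser -Filter "Name -like '$p' -or SamAccountName -like '$p' -or Description -like '$p'" `
                            -Properties Description, LastLogonDate |
        ForEach-Object { New-Row 'User' $_.SamAccountName $_.DistinguishedName $_.Enabled $_.LastLogonDate $_.Description })

    # Groups: the member count tells you whether the group is still in use.
    $report += @(Get-ADGroup -Filter "Name -like '$p' -or Description -like '$p'" -Properties Description, Members |
        ForEach-Object { New-Row 'Group' $_.Name $_.DistinguishedName $null $null ("{0} member(s); {1}" -f @($_.Members).Count, $_.Description) })
}

# Computer accounts of the old servers (still there if the box was just formatted).
foreach ($s in $oldServers) {
    $report += @(Get-ADComputer -Filter { Name -eq $s } -Properties OperatingSystem, LastLogonDate |
        ForEach-Object { New-Row 'Computer' $_.Name $_.DistinguishedName $_.Enabled $_.LastLogonDate $_.OperatingSystem })
}

$report | Sort-Object Type, Name | Select-Object Type, Name, Enabled, LastLogon, Note, DN | Format-Table -AutoSize
$report | Export-Csv -Path ".\exchange2003-leftovers-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Disable first, delete later (after the waiting period). Remove -WhatIf to apply.
$report | Where-Object { ('User', 'Computer') -contains $_.Type -and $_.Enabled } |
    ForEach-Object { Disable-ADAccount -Identity $_.DN -WhatIf }
```

The LastLogon column is the best hint you get for whether a service account or computer account is still in use; an account that has logged on recently needs an owner before it is touched, whatever its name looks like.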