Migrating to Exchange 2010 and ad 2080 r2

Migrating to Exchange Server 2010 and Active Directory 2008 R2A Case Study - In The Real World

Michael B. Smith – remember the B!Six year Exchange MVPConsultant in Exchange, Active Directory, and Operational Best Practiceshttp://TheEssentialExchange.com/Author, speaker, consultantExchange admin since 1996Who Am I?

Steps to prepareInstalling prerequisitesInstalling ExchangeConfiguring ExchangeMigrating objectsRemoving Legacy Exchange ServersBumping Functional LevelsQ & AAgenda

Exchange Deployment Assistanthttp://technet.microsoft.com/exdeploy2010Good for basic info, doesn’t give you the “whole enchilada”Build a lab!Exchange Server 2010 Planning and Deployment guide on TechnetThis presentation!Getting Started

MigrationMove to new (higher) versionNew hardwareSame forestSupports co-existence scenariosTransitionDifferent hardwareDifferent forestExport/Import only – no co-existenceNo such thing as “upgrade”Core Definitions

Single-server environmentProcess scales wellMust do these things regardless of sizeExchange 2003 native modeWindows 2000 mixed-modeOld boxes: Server 2003 SP2New boxes: Server 2008 R2Environment Used for Upgrade

Exchange Organization: ClarkExchange Admin Group: HQNetBIOS Domain: CLARKAD Domain: clarksupport-hq.comSSL certificate: mail.clarksupport.comOld server: CLARK2K3New server: CLARK2008Logical Environment

Complete coverage:http://tinyurl.com/exchangeDCDo NOT demote or promote DC after Exchange installationChange of state is unsupportedASP.Net breaksNot recommended to install Exchange on DC, but fully supported (see SBS and EBS)Exchange on Domain Controllers

Exchange Native Mode (remember this?)Exchange Prereqs #1

If your Exchange organization is not already in native mode, see KB 272314, “XADM: Preparing a Mixed Mode Organization for Conversion to Native Mode”Changing to native mode is easy, but prep work may take awhile – especially if Exchange 5.5 cleanup wasn’t done completely/properly.Exchange Prereqs #2

No Exchange 2000 servers installedNo Active Directory Connector - ADCNo Site Replication Service - SRSExchange 2003 Service Pack 2Exchange Prereqs #3

KB 937031 - “Event ID 1036 is logged on an Exchange 2007 server that is running the CAS role when mobile devices connect to the Exchange 2007 server to access mailboxes on an Exchange 2003 back-end server” Required to properly enable CAS-2-FE proxy (or CAS-2-BE if no FE exists)Applies to both 2007 and 2010Exchange Prereqs #4

Schema master FSMO running Windows Server 2003 sp1 or higherAt least one GC in site running Windows Server 2003 sp1 or higherWindows Server 2003 DFLWindows Server 2003 FFLAD Prereqs #1

AD Domains and Trusts ConsoleRight-click on domain name node and select “Raise domain functional level”Right-click on “Active Directory Domains & Trusts” node and select “Raise forest functional level”AD Prereqs #2

Exchange 2003 and Exchange 2010 support DFL and FFL up to Windows Server 2008 R2You must remove all Windows 2000 DCs and NT4 BDCs prior to raising DFL/FFL to Windows Server 2003Can’t raise DFL/FFL above Server 2003 if Server 2003 DCs are in your ADAD Prereqs #3

Primary need for 2003 DFL/FFL:Universal GroupsImpact of raising DFL/FFLBeyond our scopeFor most SMORG: little/no impactSee http://tinyurl.com/functionalADFinal thought for AD:Is the Exchange Server to be a DC?Promote it NOWAD Prereqs #4

Exchange 2010 must be installed on x64Server 2008 SP2 or Server 2008 R2I recommend Server 2008 R2Fewer pieces of software to installNoticeably faster with CASIf you choose Server 2080 SP2Begin by installing PowerShell 2.0KB 968929 - Windows Management Framework (Windows PowerShell 2.0, WinRM 2.0, and BITS 4.0)Exchange Install Prep #1

To speed things up, copy Exchange DVD to local storage We’ll assume D:\Exchange2010NO SPACES IN PATH NAMES (MSIExec gets weird with spaces sometimes)Download most recent rollup and place in D:\Exchange2010\UpdatesToday: KB 981401 (Update Rollup 3)http://support.microsoft.com/kb/981401Exchange Install Prep #2

Quite frankly, I don’t care that servermanagercmd is deprecated in Server 2008 R2. It still works. And scripts using it work just fine in both 2008 SP2 and 2008 R2:D:Cd \Exchange2010\ScriptsServermanagercmd –ip Exchange-All.xml -restartInstalling Roles and Features #1

You can use (lots more complicated):Deployment Image Servicing & Management (DISM)Add-WindowsFeatureNext, download and install FilterPackx64.exe2007 Office System Converter: Microsoft Filter PackConfigure the ‘Net.TCP Port Sharing Service’Somewhat dependent on your build processInstalling Roles & Features #2

Logs in C:\ExchangeSetupLogsMost important log: ExchangeSetup.logTo update schema, you need Schema Admin and Enterprise AdminTo update forest perms, you need Enterprise AdminTo update domain perms, you need Domain AdminTo install a new Exchange server, you need Local Admin (server) & Organizational AdminInstallation – Key Concepts #1

Using Setup GUI requires a user with:Schema AdminEnterprise AdminDomain AdminLocal AdminThat user becomes first (only) Organizational AdminUser running “setup /PrepareAD” from cmd line becomes first Org. AdminInstallation – Key Concepts #2

Prepare Forest Level Permissions to support Exchange 2003 and Exchange 2010 co-existencePrepare/Update SchemaPrepare Forest Level Permissions to support Exchange 2010Prepare Domain(s) to support Exchange 2010Install Exchange rolesInstallation Overview

Requires Enterprise Admin & Domain AdminInstallation #1

Requires Enterprise Admin & Schema AdminInstallation #2

Again for Enterprise & Domain AdminsInstallation #3

If you have multiple domains in your Active Directory forest, an Enterprise Admin should now execute: Setup.com /PrepareAllDomainsAn Exchange object cannot exist in a domain which has not been prepped for ExchangeInstallation #4

Now we can install Exchange itselfNo longer any advantage to using setup.comIf you choose to:setup.com /r:csetup.com /r:h,m(if using PowerShell, quote the /r parameter)We will continue by using GUI, required perms: Local Admin, Domain Admin, & Organizational AdminInstallation #5 (Finally!!)

Click “Choose Exchange language option”Use DVD languages (11 languages)Download full language pack (30-odd languages)You will return to prior window, click “Install Microsoft Exchange”Accept the license agreementChoose whether to send error reports to MSFTChoose installation type (next slide)Installation #7

Next, choose the Exchange 2003 legacy serverInterop Routing Group ConnectorCan be a FE or BE Exchange 2003 serverRGC to first HT in 2010 environmentIf single BE, choose thatNext, choose whether to join CEIPInstallation #10

Installation #12 – Completion!

NoWe’ve just gotten startedLet’s blaze through basic configuration(Easier than you might think)(Well, maybe not)Start Exchange Management ConsoleSlowEven worse on first useAre we done?

Determine certificate requirementsGenerate and install SSL certificateMap certificate to IIS ServicesEnable Outlook AnywhereMove OAB generation to Exchange 2010Create Internet send connectorConfigure Default receive connector to accept Internet emailMove User Public Folders to Exchange 2010Move System Public Folders to Exchange 2010Configure the OWA Virtual DirectoryConfigure an IIS Redirection for Exchange 2010Configure FBA on Exchange 2003Update DNSReq’d Configuration Overview

Determine whether you will use wildcard (*.example.com) or SAN certWildcard requires extra configWildcard introduces possibility of MitMWe won’t cover wildcard hereCan you use a single name cert?Yes, BUT:Requires extra configGenerates Outlook warningsWe won’t cover using a single name cert hereBasic Configuration #1

As discussed, we won’t use a wildcard certificate, just click NextDetermine the various “namespaces” used for Exchange services:Incoming Email OWAECP EWSAutoDiscover OAPOP IMAPLegacy servers UMWe aren’t using UM, POP, or IMAP. So…Basic Configuration #3

Total list of names on UCC/SAN cert:clarksupport.commail.clarksupport.comautodiscover.clarksupport.comlegacy.clarksupport.comGenerally, you want the most used name to be the common name (shown on next slide)Basic Configuration #4-c

Confirm your choicesVerify that the information on the “Organization and Location” dialog matches PRECISELY your domain registrar infoSend CSR to your provider of choice:CertificatesForExchange.comGoDaddy.comVeriSign.comEntrust.comDigiCert.comMany othersWhen you get it back, let’s install it!Put the certificate into a file ending in .CERBasic Configuration #7

Could also have done this in PowerShell:Get-ExchangeCertificate |?{$_.FriendlyName -eq "All-purpose Exchange Certificate"} |Set-ExchangeCertificate –Services IISWhich is easier?Just depends on what you are used to and how often you need to execute this process.Basic Configuration #10-b

Or in PowerShell (if you accept the default authentication options): Enable-OutlookAnywhere –Server Clark2008Definitely easier! Basic Configuration #12-b

In PowerShell (if you have only one OAB, like 99.9% of Exchange installations): Get-OfflineAddressBook | Move-OfflineAddressBook –Server Clark2008The PowerShell starts to make sense?Basic Configuration #13-b

Have to create a send connectorBy default, Exchange 2010 doesn’t allow you to send Internet e-mail!Basic Configuration #14

Or the PowerShell version:New-SendConnector-Name 'Internet E-mail' -Usage 'Custom' -AddressSpaces 'SMTP:*;1' -IsScopedConnector $false -DNSRoutingEnabled $true -UseExternalDNSServersEnabled $false -SourceTransportServers 'CLARK2008'Basic Configuration #15-f

By default, Exchange 2010 cannot receive Internet email. You must enable “Anonymous users” on the Default receive connectorBasic Configuration #16-a

Or the PowerShell:Set-ReceiveConnector` -PermissionGroupsAnonymousUsers, ExchangeUsers, `ExchangeServers, ExchangeLegacyServers ` -Identity 'CLARK2008\Default CLARK2008'Basic Configuration #16-b

Move the Public FoldersIf all your users are on Outlook 2007+And you don’t have any other PF dataSkip this stepNon-system PF data first:cd $exscripts.\AddReplicaToPFRecursive.ps1 –TopPublicFolder \ ` -ServerToAdd $env:computernameBasic Configuration - #17-a

System PF data:cd $exscripts.\AddReplicaToPFRecursive.ps1 ` –TopPublicFolder\Non_IPM_Subtree` -ServerToAdd $env:computernameNo non-PowerShell solution shown hereCan be done from “Public Folder Management Console” in Exchange 2010 or ESM in Exchange 2003Take 10 times longer. Or more.Basic Configuration - #17-b

Must be done from PowerShellSet the redirection URL that will be used to route Exchange 2003 users during coexistenceMust’ve loaded the new SSL certificate to the Exchange 2003 serverSet-OWAVirtualDirectory Clark2008\OWA* ` -Exchange2003URL “https://legacy.clarksupport.com”Basic Configuration - #18

OptionalAdd redirect from root of the Default Website to the OWA directoryYou can disable SSL on the rootC:\Inetpub\wwwroot\Default.html <html> <head> <meta http-equiv="refresh“ content="0;url=https://mail.clarksupport.com/owa"> </head> </html>Basic Configuration - #19

On the Exchange 2003 server:You MUST enable forms based authentication (FBA) for single sign-on to workImportant to do for a good user experience during co-existenceBasic Configuration - #20

Change DNSRubber meets the road!Exchange 2003 – becomes legacy.example.comExchange 2010 – becomes mail.example.comDon’t forget to update MX (either now or later)If all setup is proper as described, routing between servers is automagicalEverything should “just work”Basic Configuration - #21

Be default, mailbox databases in Exchange 2010 have a 2 GB limit on their mailboxes. If you have larger mailboxes, change the mailbox database config FIRSTYou may want to consider enabling circular logging while you are doing mailbox moves (requires MSExchangeIS restart to take effect or to shut off)The “Move Mailbox” process has been renamed to “Move Request”Exchange 2003 -> 2010 moves are offline Exchange 2010 -> 2010 moves are onlineMoving Mailboxes

Recipient Update Service is GONERecipient Policies are now split in two:Retention PoliciesManaged Folder Policies in Exchange 2007Email Address Policies (EAP’s)If you have custom EAP’s, AL’s, GAL’s, OAB’s – you will need to rework into OPATH syntax (LDAP filters are GONE)Follow instructions at:http://msexchangeteam.com/archive/2007/01/11/432158.aspxAddress List Management

Quick overview:Move ALL mailboxes off 2003Remove ALL PF replicas from 2003Route all SMTP to Exchange 2010Update all GAL’s, AL’s, EAP’s, and OAB’s for OPATHRemove domain RUSPoint enterprise RUS to 2010Remove 2003 PF database (may require whacking)Remove 2003 SMTP Connector (if present)Remove Exchange 2003 (will require installation media to complete removal)Retiring Exchange 2003

Back to AD Domains & TrustsBoth Domain Functional LevelAnd Forest Function LevelRaising Functional Levels

Migrating to Exchange 2010 and ad 2080 r2

More Related Content

What's hot (20)

Viewers also liked (14)

Similar to Migrating to Exchange 2010 and ad 2080 r2 (20)

More from Nathan Winters (20)

Recently uploaded (20)

Migrating to Exchange 2010 and ad 2080 r2

Editor's Notes