Migrating to Exchange 2010 and AD 2008 R2

Michael B. Smith

  • 1. Migrating to Exchange Server 2010 and Active Directory 2008 R2
    A Case Study - In The Real World
  • 2. Michael B. Smith – remember the B!
    Six year Exchange MVP
    Consultant in Exchange, Active Directory, and Operational Best Practices
    Author, speaker, consultant
    Exchange admin since 1996
    Who Am I?
  • 3. Steps to prepare
    Installing prerequisites
    Installing Exchange
    Configuring Exchange
    Migrating objects
    Removing Legacy Exchange Servers
    Bumping Functional Levels
    Q & A
  • 4. Exchange Deployment Assistant
    Good for basic info, doesn’t give you the “whole enchilada”
    Build a lab!
    Exchange Server 2010 Planning and Deployment guide on TechNet
    This presentation!
    Getting Started
  • 5. Migration
    Move to new (higher) version
    New hardware
    Same forest
    Supports co-existence scenarios
    Different hardware
    Different forest
    Export/Import only – no co-existence
    No such thing as “upgrade”
    Core Definitions
  • 6. Single-server environment
    Process scales well
    Must do these things regardless of size
    Exchange 2003 native mode
    Windows 2000 mixed-mode
    Old boxes: Server 2003 SP2
    New boxes: Server 2008 R2
    Environment Used for Upgrade
  • 7. Exchange Organization: Clark
    Exchange Admin Group: HQ
    NetBIOS Domain: CLARK
    AD Domain: clarksupport-hq.com
    SSL certificate: mail.clarksupport.com
    Old server: CLARK2K3
    New server: CLARK2008
    Logical Environment
  • 8. Complete coverage:
    Do NOT demote or promote DC after Exchange installation
    Change of state is unsupported
    ASP.Net breaks
    Not recommended to install Exchange on DC, but fully supported (see SBS and EBS)
    Exchange on Domain Controllers
  • 9. Exchange Native Mode (remember this?)
    Exchange Prereqs #1
  • 10. If your Exchange organization is not already in native mode, see KB 272314, “XADM: Preparing a Mixed Mode Organization for Conversion to Native Mode”
    Changing to native mode is easy, but prep work may take a while – especially if Exchange 5.5 cleanup wasn’t done completely/properly.
    Exchange Prereqs #2
  • 11. No Exchange 2000 servers installed
    No Active Directory Connector - ADC
    No Site Replication Service - SRS
    Exchange 2003 Service Pack 2
    Exchange Prereqs #3
  • 12. KB 937031 - “Event ID 1036 is logged on an Exchange 2007 server that is running the CAS role when mobile devices connect to the Exchange 2007 server to access mailboxes on an Exchange 2003 back-end server”
    Required to properly enable CAS-2-FE proxy (or CAS-2-BE if no FE exists)
    Applies to both 2007 and 2010
    Exchange Prereqs #4
  • 13. Schema master FSMO running Windows Server 2003 SP1 or higher
    At least one GC in site running Windows Server 2003 SP1 or higher
    Windows Server 2003 DFL
    Windows Server 2003 FFL
    AD Prereqs #1
  • 14. AD Domains and Trusts Console
    Right-click on domain name node and select “Raise domain functional level”
    Right-click on “Active Directory Domains & Trusts” node and select “Raise forest functional level”
    AD Prereqs #2
  • 15. Exchange 2003 and Exchange 2010 support DFL and FFL up to Windows Server 2008 R2
    You must remove all Windows 2000 DCs and NT4 BDCs prior to raising DFL/FFL to Windows Server 2003
    Can’t raise DFL/FFL above Server 2003 if Server 2003 DCs are in your AD
    AD Prereqs #3
  • 16. Primary need for 2003 DFL/FFL:
    Universal Groups
    Impact of raising DFL/FFL
    Beyond our scope
    For most SMORG: little/no impact
    See http://tinyurl.com/functionalAD
    Final thought for AD:
    Is the Exchange Server to be a DC?
    Promote it NOW
    AD Prereqs #4
  • 17. Exchange 2010 must be installed on x64
    Server 2008 SP2 or Server 2008 R2
    I recommend Server 2008 R2
    Fewer pieces of software to install
    Noticeably faster with CAS
    If you choose Server 2008 SP2
    Begin by installing PowerShell 2.0
    KB 968929 - Windows Management Framework (Windows PowerShell 2.0, WinRM 2.0, and BITS 4.0)
    Exchange Install Prep #1
  • 18. To speed things up, copy Exchange DVD to local storage
    We’ll assume D:\Exchange2010
    NO SPACES IN PATH NAMES (MSIExec gets weird with spaces sometimes)
    Download most recent rollup and place in D:\Exchange2010\Updates
    Today: KB 981401 (Update Rollup 3)
    Exchange Install Prep #2
  • 19. Quite frankly, I don’t care that servermanagercmd is deprecated in Server 2008 R2. It still works. And scripts using it work just fine in both 2008 SP2 and 2008 R2:
    cd \Exchange2010\Scripts
    ServerManagerCmd -ip Exchange-All.xml -restart
    Installing Roles and Features #1
  • 20. You can use (lots more complicated):
    Deployment Image Servicing & Management (DISM)
    Next, download and install FilterPackx64.exe
    2007 Office System Converter: Microsoft Filter Pack
    Configure the ‘Net.TCP Port Sharing Service’
    Somewhat dependent on your build process
    Installing Roles & Features #2
  • 21. Logs in C:\ExchangeSetupLogs
    Most important log: ExchangeSetup.log
    To update schema, you need Schema Admin and Enterprise Admin
    To update forest perms, you need Enterprise Admin
    To update domain perms, you need Domain Admin
    To install a new Exchange server, you need Local Admin (server) & Organizational Admin
    Installation – Key Concepts #1
  • 22. Using Setup GUI requires a user with:
    Schema Admin
    Enterprise Admin
    Domain Admin
    Local Admin
    That user becomes first (only) Organizational Admin
    User running “setup /PrepareAD” from cmd line becomes first Org. Admin
    Installation – Key Concepts #2
  • 23. Prepare Forest Level Permissions to support Exchange 2003 and Exchange 2010 co-existence
    Prepare/Update Schema
    Prepare Forest Level Permissions to support Exchange 2010
    Prepare Domain(s) to support Exchange 2010
    Install Exchange roles
    Installation Overview
  • 24. Requires Enterprise Admin & Domain Admin
    Installation #1
  • 25. Requires Enterprise Admin & Schema Admin
    Installation #2
  • 26. Again for Enterprise & Domain Admins
    Installation #3
  • 27. If you have multiple domains in your Active Directory forest, an Enterprise Admin should now execute:
    Setup.com /PrepareAllDomains
    An Exchange object cannot exist in a domain which has not been prepped for Exchange
    Installation #4
  • 28. Now we can install Exchange itself
    No longer any advantage to using setup.com
    If you choose to:
    setup.com /r:c
    setup.com /r:h,m
    (if using PowerShell, quote the /r parameter)
    We will continue by using GUI, required perms: Local Admin, Domain Admin, & Organizational Admin
    Installation #5 (Finally!!)
  • 29. Installation #6
  • 30. Click “Choose Exchange language option”
    Use DVD languages (11 languages)
    Download full language pack (30-odd languages)
    You will return to prior window, click “Install Microsoft Exchange”
    Accept the license agreement
    Choose whether to send error reports to MSFT
    Choose installation type (next slide)
    Installation #7
  • 31. Installation #8
  • 32. Installation #9
  • 33. Next, choose the Exchange 2003 legacy server
    Interop Routing Group Connector
    Can be a FE or BE Exchange 2003 server
    RGC to first HT in 2010 environment
    If single BE, choose that
    Next, choose whether to join CEIP
    Installation #10
  • 34. Installation #11
  • 35. Installation #12 – Completion!
  • 36. No
    We’ve just gotten started
    Let’s blaze through basic configuration
    (Easier than you might think)
    (Well, maybe not)
    Start Exchange Management Console
    Even worse on first use
    Are we done?
  • 37. Determine certificate requirements
    Generate and install SSL certificate
    Map certificate to IIS Services
    Enable Outlook Anywhere
    Move OAB generation to Exchange 2010
    Create Internet send connector
    Configure Default receive connector to accept Internet email
    Move User Public Folders to Exchange 2010
    Move System Public Folders to Exchange 2010
    Configure the OWA Virtual Directory
    Configure an IIS Redirection for Exchange 2010
    Configure FBA on Exchange 2003
    Update DNS
    Req’d Configuration Overview
  • 38. Determine whether you will use wildcard (*.example.com) or SAN cert
    Wildcard requires extra config
    Wildcard introduces possibility of MitM
    We won’t cover wildcard here
    Can you use a single name cert?
    Yes, BUT:
    Requires extra config
    Generates Outlook warnings
    We won’t cover using a single name cert here
    Basic Configuration #1
  • 39. Basic Configuration #2
  • 40. As discussed, we won’t use a wildcard certificate, just click Next
    Determine the various “namespaces” used for Exchange services:
    Incoming Email OWA
    AutoDiscover OA
    Legacy servers UM
    We aren’t using UM, POP, or IMAP. So…
    Basic Configuration #3
  • 41. Basic Configuration #4-a
  • 42. Basic Configuration #4-b
  • 43. Total list of names on UCC/SAN cert:
    Generally, you want the most used name to be the common name (shown on next slide)
    Basic Configuration #4-c
  • 44. Basic configuration #5
  • 45. Basic Configuration #6
  • 46. Confirm your choices
    Verify that the information on the “Organization and Location” dialog matches PRECISELY your domain registrar info
    Send CSR to your provider of choice:
    Many others
    When you get it back, let’s install it!
    Put the certificate into a file ending in .CER
    Basic Configuration #7
  • 47. Basic Configuration #8
  • 48. Basic Configuration #9
  • 49. Basic Configuration #10-a
  • 50. Could also have done this in PowerShell:
    Get-ExchangeCertificate | ?{$_.FriendlyName -eq "All-purpose Exchange Certificate"} | Set-ExchangeCertificate -Services IIS
    Which is easier?
    Just depends on what you are used to and how often you need to execute this process.
    Basic Configuration #10-b
  • 51. Basic Configuration #11
  • 52. Basic Configuration #12-a
  • 53. Or in PowerShell (if you accept the default authentication options):
    Enable-OutlookAnywhere -Server Clark2008
    Definitely easier! 
    Basic Configuration #12-b
  • 54. Basic Configuration #13-a
  • 55. In PowerShell (if you have only one OAB, like 99.9% of Exchange installations):
    Get-OfflineAddressBook | Move-OfflineAddressBook -Server Clark2008
    The PowerShell starts to make sense?
    Basic Configuration #13-b
  • 56. Have to create a send connector
    By default, Exchange 2010 doesn’t allow you to send Internet e-mail!
    Basic Configuration #14
  • 57. Basic Configuration #15-a
  • 58. Basic Configuration # 15-b
  • 59. Basic Configuration #15-c
  • 60. Basic Configuration #15-d
  • 61. Basic Configuration # 15-e
  • 62. Or the PowerShell version:
    New-SendConnector -Name 'Internet E-mail' `
    -Usage 'Custom' `
    -AddressSpaces 'SMTP:*;1' `
    -IsScopedConnector $false `
    -DNSRoutingEnabled $true `
    -UseExternalDNSServersEnabled $false `
    -SourceTransportServers 'CLARK2008'
    Basic Configuration #15-f
  • 63. By default, Exchange 2010 cannot receive Internet email. You must enable “Anonymous users” on the Default receive connector
    Basic Configuration #16-a
  • 64. Or the PowerShell:
    Set-ReceiveConnector `
    -PermissionGroups AnonymousUsers, ExchangeUsers, `
    ExchangeServers, ExchangeLegacyServers `
    -Identity 'CLARK2008\Default CLARK2008'
    Basic Configuration #16-b
  • 65. Move the Public Folders
    If all your users are on Outlook 2007+
    And you don’t have any other PF data
    Skip this step
    Non-system PF data first:
    cd $exscripts
    .\AddReplicaToPFRecursive.ps1 -TopPublicFolder "\" `
    -ServerToAdd $env:computername
    Basic Configuration - #17-a
  • 66. System PF data:
    cd $exscripts
    .\AddReplicaToPFRecursive.ps1 `
    -ServerToAdd $env:computername
    No non-PowerShell solution shown here
    Can be done from “Public Folder Management Console” in Exchange 2010 or ESM in Exchange 2003
    Takes 10 times longer. Or more.
    Basic Configuration - #17-b
  • 67. Must be done from PowerShell
    Set the redirection URL that will be used to route Exchange 2003 users during coexistence
    Must’ve loaded the new SSL certificate to the Exchange 2003 server
    Set-OwaVirtualDirectory 'Clark2008\OWA*' `
    -Exchange2003Url "https://legacy.clarksupport.com"
    Basic Configuration - #18
  • 68. Optional
    Add redirect from root of the Default Website to the OWA directory
    You can disable SSL on the root
    <meta http-equiv="refresh" content="0;url=https://mail.clarksupport.com/owa">
    Basic Configuration - #19
  • 69. On the Exchange 2003 server:
    You MUST enable forms based authentication (FBA) for single sign-on to work
    Important to do for a good user experience during co-existence
    Basic Configuration - #20
  • 70. Change DNS
    Rubber meets the road!
    Exchange 2003 – becomes legacy.example.com
    Exchange 2010 – becomes mail.example.com
    Don’t forget to update MX (either now or later)
    If all setup is proper as described, routing between servers is automagical
    Everything should “just work”
    Basic Configuration - #21
  • 71. By default, mailbox databases in Exchange 2010 have a 2 GB limit on their mailboxes. If you have larger mailboxes, change the mailbox database config FIRST
    You may want to consider enabling circular logging while you are doing mailbox moves (requires MSExchangeIS restart to take effect or to shut off)
    The “Move Mailbox” process has been renamed to “Move Request”
    Exchange 2003 -> 2010 moves are offline
    Exchange 2010 -> 2010 moves are online
    Moving Mailboxes
  • 72. Recipient Update Service is GONE
    Recipient Policies are now split in two:
    Retention Policies
    Managed Folder Policies in Exchange 2007
    Email Address Policies (EAP’s)
    If you have custom EAP’s, AL’s, GAL’s, OAB’s – you will need to rework into OPATH syntax (LDAP filters are GONE)
    Follow instructions at:
    Address List Management
  • 73. Quick overview:
    Move ALL mailboxes off 2003
    Remove ALL PF replicas from 2003
    Route all SMTP to Exchange 2010
    Update all GAL’s, AL’s, EAP’s, and OAB’s for OPATH
    Remove domain RUS
    Point enterprise RUS to 2010
    Remove 2003 PF database (may require whacking)
    Remove 2003 SMTP Connector (if present)
    Remove Exchange 2003 (will require installation media to complete removal)
    Retiring Exchange 2003
  • 74. Back to AD Domains & Trusts
    Both Domain Functional Level
    And Forest Functional Level
    Raising Functional Levels
  • 75. Q & A
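
A read-only pre-flight check for the Active Directory prerequisites on slides 13 to 15, added here as an example and not taken from the presentation. It assumes a domain-joined machine with PowerShell 2.0 and treats any DC whose reported OS name contains "2000" as a Windows 2000 DC.

```powershell
# Added example: reads the directory through .NET System.DirectoryServices only
# and changes nothing. Run as any domain user on a domain-joined machine.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$site   = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name

# Functional levels below Windows Server 2003 (slide 13 requires 2003 DFL and FFL)
$lowForest = 'Windows2000Forest', 'Windows2003InterimForest'
$lowDomain = 'Windows2000MixedDomain', 'Windows2000NativeDomain', 'Windows2003InterimDomain'

function New-Check($name, $value, $passed) {
    New-Object PSObject -Property @{ Check = $name; Value = "$value"; Passed = [bool]$passed }
}

$checks = @()
$checks += New-Check "FFL of $($forest.Name)" $forest.ForestMode `
    ($lowForest -notcontains "$($forest.ForestMode)")

foreach ($domain in $forest.Domains) {
    $checks += New-Check "DFL of $($domain.Name)" $domain.DomainMode `
        ($lowDomain -notcontains "$($domain.DomainMode)")

    # Slide 15: Windows 2000 DCs must be removed before raising DFL/FFL to 2003
    $old = @($domain.DomainControllers | Where-Object { $_.OSVersion -match '2000' })
    $checks += New-Check "Windows 2000 DCs in $($domain.Name)" `
        (($old | ForEach-Object { $_.Name }) -join ', ') ($old.Count -eq 0)
}

# Slide 13: schema master and at least one GC in the site on Server 2003 or later
$schema = $forest.SchemaRoleOwner
$checks += New-Check "Schema master $($schema.Name)" $schema.OSVersion `
    ($schema.OSVersion -notmatch '2000')

$gcs = @($forest.FindAllGlobalCatalogs($site) | Where-Object { $_.OSVersion -notmatch '2000' })
$checks += New-Check "GCs on Server 2003+ in site $site" $gcs.Count ($gcs.Count -ge 1)

# Service pack level (SP1 or higher) is not evaluated here; confirm it on the DCs.
$checks | Select-Object Check, Value, Passed | Format-Table -AutoSize
```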
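
A configuration review to run once the steps on slides 50 and 62 to 64 are done, added here as an example and not taken from the presentation. It uses the server name CLARK2008 and the connector names from the slides, and confirms that opening the Default receive connector to anonymous users did not also grant relay rights.

```powershell
# Added example: run in the Exchange Management Shell on the Exchange 2010 server.
# Every command here only reads configuration.
$server = 'CLARK2008'

# 1. Certificate serving IIS (slide 50): names covered, expiry, self-signed or not
Get-ExchangeCertificate -Server $server |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    Format-List Thumbprint, Subject, CertificateDomains, NotAfter, IsSelfSigned, Status

# 2. Default receive connector after enabling anonymous users (slides 63-64)
$rc = Get-ReceiveConnector "$server\Default $server"
$rc | Format-List Identity, PermissionGroups, AuthMechanism, Bindings, RemoteIPRanges

# Rights the anonymous logon actually holds on that connector
$anon = Get-ADPermission -Identity $rc.DistinguishedName -User 'NT AUTHORITY\ANONYMOUS LOGON'
$anon | Where-Object { $_.ExtendedRights } |
    Select-Object Deny, IsInherited, @{ n = 'Right'; e = { "$($_.ExtendedRights)" } }

# Receiving Internet mail needs the submit and accept-sender rights only. If the
# anonymous logon also holds Accept-Any-Recipient, the connector relays for anyone.
$relay = @($anon | Where-Object {
    -not $_.Deny -and ($_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient')
})
if ($relay.Count -gt 0) {
    Write-Warning "Anonymous relay is permitted on '$($rc.Identity)'"
} else {
    "Anonymous senders cannot relay through '$($rc.Identity)'"
}

# 3. Send connector from slide 62: confirm address space and source server
Get-SendConnector 'Internet E-mail' |
    Format-List Name, AddressSpaces, SourceTransportServers, DNSRoutingEnabled, Enabled
```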