Migrating to Exchange 2010 and ad 2080 r2

Migrating to Exchange Server 2010 and Active Directory 2008 R2
A Case Study - In The Real World

Michael B. Smith – remember the B!
Six year Exchange MVP
Consultant in Exchange, Active Directory, and Operational Best Practices
http://TheEssentialExchange.com/
Author, speaker, consultant
Exchange admin since 1996
Who Am I?

Steps to prepare
Installing prerequisites
Installing Exchange
Configuring Exchange
Migrating objects
Removing Legacy Exchange Servers
Bumping Functional Levels
Q & A
Agenda

Exchange Deployment Assistant
http://technet.microsoft.com/exdeploy2010
Good for basic info, doesn’t give you the “whole enchilada”
Build a lab!
Exchange Server 2010 Planning and Deployment guide on Technet
This presentation!
Getting Started

Migration
Move to new (higher) version
New hardware
Same forest
Supports co-existence scenarios
Transition
Different hardware
Different forest
Export/Import only – no co-existence
No such thing as “upgrade”
Core Definitions

Single-server environment
Process scales well
Must do these things regardless of size
Exchange 2003 native mode
Windows 2000 mixed-mode
Old boxes: Server 2003 SP2
New boxes: Server 2008 R2
Environment Used for Upgrade

Exchange Organization: Clark
Exchange Admin Group: HQ
NetBIOS Domain: CLARK
AD Domain: clarksupport-hq.com
SSL certificate: mail.clarksupport.com
Old server: CLARK2K3
New server: CLARK2008
Logical Environment

Complete coverage:
http://tinyurl.com/exchangeDC
Do NOT demote or promote DC after Exchange installation
Change of state is unsupported
ASP.Net breaks
Not recommended to install Exchange on DC, but fully supported (see SBS and EBS)
Exchange on Domain Controllers

Exchange Native Mode (remember this?)
Exchange Prereqs #1

If your Exchange organization is not already in native mode, see KB 272314, “XADM: Preparing a Mixed Mode Organization for Conversion to Native Mode”
Changing to native mode is easy, but prep work may take awhile – especially if Exchange 5.5 cleanup wasn’t done completely/properly.
Exchange Prereqs #2

No Exchange 2000 servers installed
No Active Directory Connector - ADC
No Site Replication Service - SRS
Exchange 2003 Service Pack 2
Exchange Prereqs #3

KB 937031 - “Event ID 1036 is logged on an Exchange 2007 server that is running the CAS role when mobile devices connect to the Exchange 2007 server to access mailboxes on an Exchange 2003 back-end server”
Required to properly enable CAS-2-FE proxy (or CAS-2-BE if no FE exists)
Applies to both 2007 and 2010
Exchange Prereqs #4

Schema master FSMO running Windows Server 2003 sp1 or higher
At least one GC in site running Windows Server 2003 sp1 or higher
Windows Server 2003 DFL
Windows Server 2003 FFL
AD Prereqs #1

AD Domains and Trusts Console
Right-click on domain name node and select “Raise domain functional level”
Right-click on “Active Directory Domains & Trusts” node and select “Raise forest functional level”
AD Prereqs #2

Exchange 2003 and Exchange 2010 support DFL and FFL up to Windows Server 2008 R2
You must remove all Windows 2000 DCs and NT4 BDCs prior to raising DFL/FFL to Windows Server 2003
Can’t raise DFL/FFL above Server 2003 if Server 2003 DCs are in your AD
AD Prereqs #3

Primary need for 2003 DFL/FFL:
Universal Groups
Impact of raising DFL/FFL
Beyond our scope
For most SMORG: little/no impact
See http://tinyurl.com/functionalAD
Final thought for AD:
Is the Exchange Server to be a DC?
Promote it NOW
AD Prereqs #4

Exchange 2010 must be installed on x64
Server 2008 SP2 or Server 2008 R2
I recommend Server 2008 R2
Fewer pieces of software to install
Noticeably faster with CAS
If you choose Server 2080 SP2
Begin by installing PowerShell 2.0
KB 968929 - Windows Management Framework (Windows PowerShell 2.0, WinRM 2.0, and BITS 4.0)
Exchange Install Prep #1

To speed things up, copy Exchange DVD to local storage
We’ll assume D:Exchange2010
NO SPACES IN PATH NAMES (MSIExec gets weird with spaces sometimes)
Download most recent rollup and place in D:Exchange2010Updates
Today: KB 981401 (Update Rollup 3)
http://support.microsoft.com/kb/981401
Exchange Install Prep #2

Quite frankly, I don’t care that servermanagercmd is deprecated in Server 2008 R2. It still works. And scripts using it work just fine in both 2008 SP2 and 2008 R2:
D:
Cd Exchange2010Scripts
Servermanagercmd –ip Exchange-All.xml -restart
Installing Roles and Features #1

You can use (lots more complicated):
Deployment Image Servicing & Management (DISM)
Add-WindowsFeature
Next, download and install FilterPackx64.exe
2007 Office System Converter: Microsoft Filter Pack
Configure the ‘Net.TCP Port Sharing Service’
Somewhat dependent on your build process
Installing Roles & Features #2

Logs in C:ExchangeSetupLogs
Most important log: ExchangeSetup.log
To update schema, you need Schema Admin and Enterprise Admin
To update forest perms, you need Enterprise Admin
To update domain perms, you need Domain Admin
To install a new Exchange server, you need Local Admin (server) & Organizational Admin
Installation – Key Concepts #1

Using Setup GUI requires a user with:
Schema Admin
Enterprise Admin
Domain Admin
Local Admin
That user becomes first (only) Organizational Admin
User running “setup /PrepareAD” from cmd line becomes first Org. Admin
Installation – Key Concepts #2

Prepare Forest Level Permissions to support Exchange 2003 and Exchange 2010 co-existence
Prepare/Update Schema
Prepare Forest Level Permissions to support Exchange 2010
Prepare Domain(s) to support Exchange 2010
Install Exchange roles
Installation Overview

Requires Enterprise Admin & Domain Admin
Installation #1

Requires Enterprise Admin & Schema Admin
Installation #2

Again for Enterprise & Domain Admins
Installation #3

If you have multiple domains in your Active Directory forest, an Enterprise Admin should now execute:
Setup.com /PrepareAllDomains
An Exchange object cannot exist in a domain which has not been prepped for Exchange
Installation #4

Now we can install Exchange itself
No longer any advantage to using setup.com
If you choose to:
setup.com /r:c
setup.com /r:h,m
(if using PowerShell, quote the /r parameter)
We will continue by using GUI, required perms: Local Admin, Domain Admin, & Organizational Admin
Installation #5 (Finally!!)

Installation #6

Click “Choose Exchange language option”
Use DVD languages (11 languages)
Download full language pack (30-odd languages)
You will return to prior window, click “Install Microsoft Exchange”
Accept the license agreement
Choose whether to send error reports to MSFT
Choose installation type (next slide)
Installation #7

Installation #8

Installation #9

Next, choose the Exchange 2003 legacy server
Interop Routing Group Connector
Can be a FE or BE Exchange 2003 server
RGC to first HT in 2010 environment
If single BE, choose that
Next, choose whether to join CEIP
Installation #10

Installation #11

Installation #12 – Completion!

No
We’ve just gotten started
Let’s blaze through basic configuration
(Easier than you might think)
(Well, maybe not)
Start Exchange Management Console
Slow
Even worse on first use
Are we done?

Determine certificate requirements
Generate and install SSL certificate
Map certificate to IIS Services
Enable Outlook Anywhere
Move OAB generation to Exchange 2010
Create Internet send connector
Configure Default receive connector to accept Internet email
Move User Public Folders to Exchange 2010
Move System Public Folders to Exchange 2010
Configure the OWA Virtual Directory
Configure an IIS Redirection for Exchange 2010
Configure FBA on Exchange 2003
Update DNS
Req’d Configuration Overview

Determine whether you will use wildcard (*.example.com) or SAN cert
Wildcard requires extra config
Wildcard introduces possibility of MitM
We won’t cover wildcard here
Can you use a single name cert?
Yes, BUT:
Requires extra config
Generates Outlook warnings
We won’t cover using a single name cert here
Basic Configuration #1

As discussed, we won’t use a wildcard certificate, just click Next
Determine the various “namespaces” used for Exchange services:
Incoming Email OWA
ECP EWS
AutoDiscover OA
POP IMAP
Legacy servers UM
We aren’t using UM, POP, or IMAP. So…

Basic Configuration #4-a

Basic Configuration #4-b

Total list of names on UCC/SAN cert:
clarksupport.com
mail.clarksupport.com
autodiscover.clarksupport.com
legacy.clarksupport.com
Generally, you want the most used name to be the common name (shown on next slide)
Basic Configuration #4-c

Basic configuration #5

Confirm your choices
Verify that the information on the “Organization and Location” dialog matches PRECISELY your domain registrar info
Send CSR to your provider of choice:
CertificatesForExchange.com
GoDaddy.com
VeriSign.com
Entrust.com
DigiCert.com
Many others
When you get it back, let’s install it!
Put the certificate into a file ending in .CER

Could also have done this in PowerShell:
Get-ExchangeCertificate |?{$_.FriendlyName -eq "All-purpose Exchange Certificate"} |Set-ExchangeCertificate –Services IIS
Which is easier?
Just depends on what you are used to and how often you need to execute this process.

Or in PowerShell (if you accept the default authentication options):
Enable-OutlookAnywhere –Server Clark2008
Definitely easier! 

In PowerShell (if you have only one OAB, like 99.9% of Exchange installations):
Get-OfflineAddressBook | Move-OfflineAddressBook –Server Clark2008
The PowerShell starts to make sense?

Have to create a send connector
By default, Exchange 2010 doesn’t allow you to send Internet e-mail!

Basic Configuration # 15-b

Basic Configuration #15-c

Basic Configuration #15-d

Basic Configuration # 15-e

Or the PowerShell version:
New-SendConnector-Name 'Internet E-mail'
-Usage 'Custom'
-AddressSpaces 'SMTP:*;1'
-IsScopedConnector $false
-DNSRoutingEnabled $true
-UseExternalDNSServersEnabled $false
-SourceTransportServers 'CLARK2008'
Basic Configuration #15-f

By default, Exchange 2010 cannot receive Internet email. You must enable “Anonymous users” on the Default receive connector

Or the PowerShell:
Set-ReceiveConnector` -PermissionGroupsAnonymousUsers, ExchangeUsers, `ExchangeServers, ExchangeLegacyServers ` -Identity 'CLARK2008Default CLARK2008'

Move the Public Folders
If all your users are on Outlook 2007+
And you don’t have any other PF data
Skip this step
Non-system PF data first:
cd $exscripts
.AddReplicaToPFRecursive.ps1 –TopPublicFolder `
-ServerToAdd $env:computername
Basic Configuration - #17-a

System PF data:
cd $exscripts
.AddReplicaToPFRecursive.ps1 `
–TopPublicFolderNon_IPM_Subtree`
-ServerToAdd $env:computername
No non-PowerShell solution shown here
Can be done from “Public Folder Management Console” in Exchange 2010 or ESM in Exchange 2003
Take 10 times longer. Or more.
Basic Configuration - #17-b

Must be done from PowerShell
Set the redirection URL that will be used to route Exchange 2003 users during coexistence
Must’ve loaded the new SSL certificate to the Exchange 2003 server
Set-OWAVirtualDirectory Clark2008OWA* `
-Exchange2003URL “https://legacy.clarksupport.com”
Basic Configuration - #18

Optional
Add redirect from root of the Default Website to the OWA directory
You can disable SSL on the root
C:InetpubwwwrootDefault.html
<html>
<head>
<meta http-equiv="refresh“ content="0;url=https://mail.clarksupport.com/owa">
</head>
</html>

On the Exchange 2003 server:
You MUST enable forms based authentication (FBA) for single sign-on to work
Important to do for a good user experience during co-existence

Change DNS
Rubber meets the road!
Exchange 2003 – becomes legacy.example.com
Exchange 2010 – becomes mail.example.com
Don’t forget to update MX (either now or later)
If all setup is proper as described, routing between servers is automagical
Everything should “just work”

Be default, mailbox databases in Exchange 2010 have a 2 GB limit on their mailboxes. If you have larger mailboxes, change the mailbox database config FIRST
You may want to consider enabling circular logging while you are doing mailbox moves (requires MSExchangeIS restart to take effect or to shut off)
The “Move Mailbox” process has been renamed to “Move Request”
Exchange 2003 -> 2010 moves are offline
Exchange 2010 -> 2010 moves are online
Moving Mailboxes

Recipient Update Service is GONE
Recipient Policies are now split in two:
Retention Policies
Managed Folder Policies in Exchange 2007
Email Address Policies (EAP’s)
If you have custom EAP’s, AL’s, GAL’s, OAB’s – you will need to rework into OPATH syntax (LDAP filters are GONE)
Follow instructions at:
http://msexchangeteam.com/archive/2007/01/11/432158.aspx
Address List Management

Quick overview:
Move ALL mailboxes off 2003
Remove ALL PF replicas from 2003
Route all SMTP to Exchange 2010
Update all GAL’s, AL’s, EAP’s, and OAB’s for OPATH
Remove domain RUS
Point enterprise RUS to 2010
Remove 2003 PF database (may require whacking)
Remove 2003 SMTP Connector (if present)
Remove Exchange 2003 (will require installation media to complete removal)
Retiring Exchange 2003

Back to AD Domains & Trusts
Both Domain Functional Level
And Forest Function Level
Raising Functional Levels

Migrating to Exchange 2010 and ad 2080 r2

by Nathan Winters

Accessibility

Categories

Upload Details

Usage Rights

2 Embeds 47

Statistics

Migrating to Exchange 2010 and ad 2080 r2 Presentation Transcript

http://www.slideshare.net	46
http://webcache.googleusercontent.com	1