This document provides an overview and agenda for migrating from Exchange Server 2003 and Active Directory 2008 to Exchange Server 2010 and Active Directory 2008 R2. The key steps include installing prerequisites, installing Exchange 2010, configuring Exchange 2010, migrating mailboxes and public folders from Exchange 2003, updating DNS, and removing the legacy Exchange 2003 servers once the migration is complete. PowerShell commands are provided as alternatives to the graphical user interface for many configuration tasks.
1. Migrating to Exchange Server 2010 and Active Directory 2008 R2 A Case Study - In The Real World
2. Michael B. Smith – remember the B! Six year Exchange MVP Consultant in Exchange, Active Directory, and Operational Best Practices http://TheEssentialExchange.com/ Author, speaker, consultant Exchange admin since 1996 Who Am I?
4. Exchange Deployment Assistant http://technet.microsoft.com/exdeploy2010 Good for basic info, doesn’t give you the “whole enchilada” Build a lab! Exchange Server 2010 Planning and Deployment guide on Technet This presentation! Getting Started
5. Migration Move to new (higher) version New hardware Same forest Supports co-existence scenarios Transition Different hardware Different forest Export/Import only – no co-existence No such thing as “upgrade” Core Definitions
6. Single-server environment Process scales well Must do these things regardless of size Exchange 2003 native mode Windows 2000 mixed-mode Old boxes: Server 2003 SP2 New boxes: Server 2008 R2 Environment Used for Upgrade
7. Exchange Organization: Clark Exchange Admin Group: HQ NetBIOS Domain: CLARK AD Domain: clarksupport-hq.com SSL certificate: mail.clarksupport.com Old server: CLARK2K3 New server: CLARK2008 Logical Environment
8. Complete coverage: http://tinyurl.com/exchangeDC Do NOT demote or promote DC after Exchange installation Change of state is unsupported ASP.Net breaks Not recommended to install Exchange on DC, but fully supported (see SBS and EBS) Exchange on Domain Controllers
10. If your Exchange organization is not already in native mode, see KB 272314, “XADM: Preparing a Mixed Mode Organization for Conversion to Native Mode” Changing to native mode is easy, but prep work may take awhile – especially if Exchange 5.5 cleanup wasn’t done completely/properly. Exchange Prereqs #2
11. No Exchange 2000 servers installed No Active Directory Connector - ADC No Site Replication Service - SRS Exchange 2003 Service Pack 2 Exchange Prereqs #3
12. KB 937031 - “Event ID 1036 is logged on an Exchange 2007 server that is running the CAS role when mobile devices connect to the Exchange 2007 server to access mailboxes on an Exchange 2003 back-end server” Required to properly enable CAS-2-FE proxy (or CAS-2-BE if no FE exists) Applies to both 2007 and 2010 Exchange Prereqs #4
13. Schema master FSMO running Windows Server 2003 sp1 or higher At least one GC in site running Windows Server 2003 sp1 or higher Windows Server 2003 DFL Windows Server 2003 FFL AD Prereqs #1
14. AD Domains and Trusts Console Right-click on domain name node and select “Raise domain functional level” Right-click on “Active Directory Domains & Trusts” node and select “Raise forest functional level” AD Prereqs #2
15. Exchange 2003 and Exchange 2010 support DFL and FFL up to Windows Server 2008 R2 You must remove all Windows 2000 DCs and NT4 BDCs prior to raising DFL/FFL to Windows Server 2003 Can’t raise DFL/FFL above Server 2003 if Server 2003 DCs are in your AD AD Prereqs #3
16. Primary need for 2003 DFL/FFL: Universal Groups Impact of raising DFL/FFL Beyond our scope For most SMORG: little/no impact See http://tinyurl.com/functionalAD Final thought for AD: Is the Exchange Server to be a DC? Promote it NOW AD Prereqs #4
17. Exchange 2010 must be installed on x64 Server 2008 SP2 or Server 2008 R2 I recommend Server 2008 R2 Fewer pieces of software to install Noticeably faster with CAS If you choose Server 2008 SP2 Begin by installing PowerShell 2.0 KB 968929 - Windows Management Framework (Windows PowerShell 2.0, WinRM 2.0, and BITS 4.0) Exchange Install Prep #1
18. To speed things up, copy Exchange DVD to local storage We’ll assume D:\Exchange2010 NO SPACES IN PATH NAMES (MSIExec gets weird with spaces sometimes) Download most recent rollup and place in D:\Exchange2010\Updates Today: KB 981401 (Update Rollup 3) http://support.microsoft.com/kb/981401 Exchange Install Prep #2
19. Quite frankly, I don’t care that servermanagercmd is deprecated in Server 2008 R2. It still works. And scripts using it work just fine in both 2008 SP2 and 2008 R2:
    D:
    cd \Exchange2010\Scripts
    ServerManagerCmd -ip Exchange-All.xml -restart
Installing Roles and Features #1
20. You can use (lots more complicated): Deployment Image Servicing & Management (DISM) Add-WindowsFeature Next, download and install FilterPackx64.exe 2007 Office System Converter: Microsoft Filter Pack Configure the ‘Net.TCP Port Sharing Service’ Somewhat dependent on your build process Installing Roles & Features #2
21. Logs in C:\ExchangeSetupLogs Most important log: ExchangeSetup.log To update schema, you need Schema Admin and Enterprise Admin To update forest perms, you need Enterprise Admin To update domain perms, you need Domain Admin To install a new Exchange server, you need Local Admin (server) & Organizational Admin Installation – Key Concepts #1
22. Using Setup GUI requires a user with: Schema Admin Enterprise Admin Domain Admin Local Admin That user becomes first (only) Organizational Admin User running “setup /PrepareAD” from cmd line becomes first Org. Admin Installation – Key Concepts #2
23. Prepare Forest Level Permissions to support Exchange 2003 and Exchange 2010 co-existence Prepare/Update Schema Prepare Forest Level Permissions to support Exchange 2010 Prepare Domain(s) to support Exchange 2010 Install Exchange roles Installation Overview
27. If you have multiple domains in your Active Directory forest, an Enterprise Admin should now execute: Setup.com /PrepareAllDomains An Exchange object cannot exist in a domain which has not been prepped for Exchange Installation #4
28. Now we can install Exchange itself No longer any advantage to using setup.com If you choose to: setup.com /r:c setup.com /r:h,m (if using PowerShell, quote the /r parameter) We will continue by using GUI, required perms: Local Admin, Domain Admin, & Organizational Admin Installation #5 (Finally!!)
30. Click “Choose Exchange language option” Use DVD languages (11 languages) Download full language pack (30-odd languages) You will return to prior window, click “Install Microsoft Exchange” Accept the license agreement Choose whether to send error reports to MSFT Choose installation type (next slide) Installation #7
33. Next, choose the Exchange 2003 legacy server Interop Routing Group Connector Can be a FE or BE Exchange 2003 server RGC to first HT in 2010 environment If single BE, choose that Next, choose whether to join CEIP Installation #10
36. No We’ve just gotten started Let’s blaze through basic configuration (Easier than you might think) (Well, maybe not) Start Exchange Management Console Slow Even worse on first use Are we done?
37. Determine certificate requirements Generate and install SSL certificate Map certificate to IIS Services Enable Outlook Anywhere Move OAB generation to Exchange 2010 Create Internet send connector Configure Default receive connector to accept Internet email Move User Public Folders to Exchange 2010 Move System Public Folders to Exchange 2010 Configure the OWA Virtual Directory Configure an IIS Redirection for Exchange 2010 Configure FBA on Exchange 2003 Update DNS Req’d Configuration Overview
38. Determine whether you will use wildcard (*.example.com) or SAN cert Wildcard requires extra config Wildcard introduces possibility of MitM We won’t cover wildcard here Can you use a single name cert? Yes, BUT: Requires extra config Generates Outlook warnings We won’t cover using a single name cert here Basic Configuration #1
40. As discussed, we won’t use a wildcard certificate, just click Next Determine the various “namespaces” used for Exchange services: Incoming Email OWA ECP EWS AutoDiscover OA POP IMAP Legacy servers UM We aren’t using UM, POP, or IMAP. So… Basic Configuration #3
43. Total list of names on UCC/SAN cert: clarksupport.com mail.clarksupport.com autodiscover.clarksupport.com legacy.clarksupport.com Generally, you want the most used name to be the common name (shown on next slide) Basic Configuration #4-c
46. Confirm your choices Verify that the information on the “Organization and Location” dialog matches PRECISELY your domain registrar info Send CSR to your provider of choice: CertificatesForExchange.com GoDaddy.com VeriSign.com Entrust.com DigiCert.com Many others When you get it back, let’s install it! Put the certificate into a file ending in .CER Basic Configuration #7
50. Could also have done this in PowerShell:
    Get-ExchangeCertificate | ?{ $_.FriendlyName -eq "All-purpose Exchange Certificate" } | Enable-ExchangeCertificate -Services IIS
Which is easier? Just depends on what you are used to and how often you need to execute this process. Basic Configuration #10-b
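A check worth running once the certificate is installed and mapped to IIS, as an added example that is not part of the original presentation: it compares a certificate's names against the UCC/SAN list from the earlier slide and flags wildcard entries, a missing IIS binding and near expiry. `Test-NameCovered` and `Get-CertCoverage` are hypothetical helper names, the sample object is constructed, and the 30-day expiry window is an assumption.

```powershell
# Added example (PowerShell 2.0 compatible). Names are the UCC/SAN list from the slide.
$required = 'clarksupport.com', 'mail.clarksupport.com',
            'autodiscover.clarksupport.com', 'legacy.clarksupport.com'

# True if $Name matches an exact SAN entry or a wildcard entry covering one extra label.
function Test-NameCovered([string]$Name, [string[]]$CertDomains) {
    foreach ($d in $CertDomains) {
        if ($d -eq $Name) { return $true }
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)        # '*.example.com' -> '.example.com'
            if ($Name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $Name.Substring(0, $Name.Length - $suffix.Length)
                if ($label.Length -gt 0 -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

# Hypothetical helper: summarise one certificate object against the required names.
function Get-CertCoverage($Cert, [string[]]$Required) {
    $domains = @($Cert.CertificateDomains | ForEach-Object { "$_" })
    $missing = @($Required | Where-Object { -not (Test-NameCovered $_ $domains) })
    New-Object PSObject -Property @{
        Thumbprint   = $Cert.Thumbprint
        MissingNames = $missing
        HasWildcard  = (@($domains | Where-Object { $_.StartsWith('*.') }).Count -gt 0)
        BoundToIIS   = ("$($Cert.Services)" -match 'IIS')
        ExpiresSoon  = ($Cert.NotAfter -lt (Get-Date).AddDays(30))   # assumed window
    }
}

# Constructed sample standing in for one Get-ExchangeCertificate result:
# legacy.clarksupport.com is missing and the certificate is not enabled for IIS.
$sample = New-Object PSObject -Property @{
    Thumbprint         = 'CONSTRUCTED-SAMPLE'
    CertificateDomains = 'mail.clarksupport.com', 'clarksupport.com',
                         'autodiscover.clarksupport.com'
    Services           = 'IMAP, POP, SMTP'
    NotAfter           = (Get-Date).AddYears(1)
}
Get-CertCoverage $sample $required | Format-List

# On the server, in the Exchange Management Shell:
#   Get-ExchangeCertificate | ForEach-Object { Get-CertCoverage $_ $required }
```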
53. Or in PowerShell (if you accept the default authentication options):
    Enable-OutlookAnywhere -Server Clark2008
Definitely easier! Basic Configuration #12-b
55. In PowerShell (if you have only one OAB, like 99.9% of Exchange installations):
    Get-OfflineAddressBook | Move-OfflineAddressBook -Server Clark2008
The PowerShell starts to make sense? Basic Configuration #13-b
56. Have to create a send connector By default, Exchange 2010 doesn’t allow you to send Internet e-mail! Basic Configuration #14
63. By default, Exchange 2010 cannot receive Internet email. You must enable “Anonymous users” on the Default receive connector Basic Configuration #16-a
64. Or the PowerShell:
    Set-ReceiveConnector `
      -PermissionGroups AnonymousUsers, ExchangeUsers, `
        ExchangeServers, ExchangeLegacyServers `
      -Identity 'CLARK2008\Default CLARK2008'
Basic Configuration #16-b
65. Move the Public Folders If all your users are on Outlook 2007+ And you don’t have any other PF data Skip this step Non-system PF data first:
    cd $exscripts
    .\AddReplicaToPFRecursive.ps1 -TopPublicFolder \ `
      -ServerToAdd $env:computername
Basic Configuration - #17-a
66. System PF data:
    cd $exscripts
    .\AddReplicaToPFRecursive.ps1 `
      -TopPublicFolder \Non_IPM_Subtree `
      -ServerToAdd $env:computername
No non-PowerShell solution shown here Can be done from “Public Folder Management Console” in Exchange 2010 or ESM in Exchange 2003 Takes 10 times longer. Or more. Basic Configuration - #17-b
67. Must be done from PowerShell Set the redirection URL that will be used to route Exchange 2003 users during coexistence Must’ve loaded the new SSL certificate to the Exchange 2003 server
    Set-OWAVirtualDirectory Clark2008\OWA* `
      -Exchange2003URL "https://legacy.clarksupport.com"
Basic Configuration - #18
68. Optional Add redirect from root of the Default Website to the OWA directory You can disable SSL on the root C:\inetpub\wwwroot\default.html
    <html>
    <head>
    <meta http-equiv="refresh" content="0;url=https://mail.clarksupport.com/owa">
    </head>
    </html>
Basic Configuration - #19
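Once anonymous submission is enabled, it is worth confirming that it has not also become anonymous relay. The following is an added example, not part of the original presentation: it lists every receive connector, whether AnonymousUsers is in its permission groups, and whether the anonymous logon account holds the ms-Exch-SMTP-Accept-Any-Recipient extended right, which is the right that lets a sender relay to external domains. `Get-AnonymousSmtpExposure` is a hypothetical function name; it must be run in the Exchange Management Shell.

```powershell
# Added example (PowerShell 2.0 compatible); requires the Exchange Management Shell.
function Get-AnonymousSmtpExposure {
    Get-ReceiveConnector | ForEach-Object {
        $rc = $_

        # AnonymousUsers in PermissionGroups = unauthenticated hosts may submit mail
        # for accepted domains (needed for inbound Internet email).
        $anonymous = "$($rc.PermissionGroups)" -match 'AnonymousUsers'

        # An allow ACE for Accept-Any-Recipient on the anonymous logon account means
        # unauthenticated hosts may submit mail for ANY domain, i.e. open relay.
        $relayAces = @($rc | Get-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' |
            Where-Object {
                -not $_.Deny -and
                ($_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient')
            })

        New-Object PSObject -Property @{
            Connector        = "$($rc.Identity)"
            AnonymousEnabled = $anonymous
            AnonymousRelay   = ($relayAces.Count -gt 0)
        }
    }
}

# Expected after the change above: 'CLARK2008\Default CLARK2008' shows
# AnonymousEnabled = True and AnonymousRelay = False.
Get-AnonymousSmtpExposure |
    Sort-Object Connector |
    Format-Table Connector, AnonymousEnabled, AnonymousRelay -AutoSize
```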
69. On the Exchange 2003 server: You MUST enable forms based authentication (FBA) for single sign-on to work Important to do for a good user experience during co-existence Basic Configuration - #20
70. Change DNS Rubber meets the road! Exchange 2003 – becomes legacy.example.com Exchange 2010 – becomes mail.example.com Don’t forget to update MX (either now or later) If all setup is proper as described, routing between servers is automagical Everything should “just work” Basic Configuration - #21
71. By default, mailbox databases in Exchange 2010 have a 2 GB limit on their mailboxes. If you have larger mailboxes, change the mailbox database config FIRST You may want to consider enabling circular logging while you are doing mailbox moves (requires MSExchangeIS restart to take effect or to shut off) The “Move Mailbox” process has been renamed to “Move Request” Exchange 2003 -> 2010 moves are offline Exchange 2010 -> 2010 moves are online Moving Mailboxes
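The move sequence described on this slide, written out as an added example that is not part of the original presentation. The database name and the quota values are assumptions; the server names are the ones used throughout the deck. Run it in the Exchange Management Shell on the Exchange 2010 server.

```powershell
# Added example; requires the Exchange Management Shell.
$source = 'CLARK2K3'
$db     = 'Mailbox Database 1'   # hypothetical name; list yours with Get-MailboxDatabase

# 1. Raise the database quota defaults FIRST, so mailboxes over the 2 GB default
#    are not blocked as soon as they land on the new database (values assumed).
Set-MailboxDatabase $db -IssueWarningQuota '4500MB' `
    -ProhibitSendQuota '4800MB' -ProhibitSendReceiveQuota '5GB'

# 2. Optional: circular logging while the moves run. The restart interrupts every
#    database on this server, so do it before users are on the new server.
Set-MailboxDatabase $db -CircularLoggingEnabled $true
Restart-Service MSExchangeIS

# 3. Queue a move request for every mailbox still on the 2003 server.
#    These moves are offline: each user is locked out while their mailbox moves.
#    BadItemLimit 0 makes a move fail rather than silently drop corrupt items.
Get-Mailbox -Server $source -ResultSize Unlimited |
    New-MoveRequest -TargetDatabase $db -BadItemLimit 0

# 4. Watch progress; re-run until nothing is queued or in progress.
Get-MoveRequest | Get-MoveRequestStatistics |
    Sort-Object Status |
    Format-Table DisplayName, Status, PercentComplete, BadItemsEncountered -AutoSize

# 5. When every request has completed, clear the requests and turn
#    circular logging back off (second restart, per the slide).
if (-not (Get-MoveRequest | Where-Object { $_.Status -ne 'Completed' })) {
    Get-MoveRequest -MoveStatus Completed | Remove-MoveRequest -Confirm:$false
    Set-MailboxDatabase $db -CircularLoggingEnabled $false
    Restart-Service MSExchangeIS
}
```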
72. Recipient Update Service is GONE Recipient Policies are now split in two: Retention Policies Managed Folder Policies in Exchange 2007 Email Address Policies (EAP’s) If you have custom EAP’s, AL’s, GAL’s, OAB’s – you will need to rework into OPATH syntax (LDAP filters are GONE) Follow instructions at: http://msexchangeteam.com/archive/2007/01/11/432158.aspx Address List Management
73. Quick overview: Move ALL mailboxes off 2003 Remove ALL PF replicas from 2003 Route all SMTP to Exchange 2010 Update all GAL’s, AL’s, EAP’s, and OAB’s for OPATH Remove domain RUS Point enterprise RUS to 2010 Remove 2003 PF database (may require whacking) Remove 2003 SMTP Connector (if present) Remove Exchange 2003 (will require installation media to complete removal) Retiring Exchange 2003
74. Back to AD Domains & Trusts Both Domain Functional Level And Forest Functional Level Raising Functional Levels