I’m doing ‘the Exchange server 2007 to Exchange server 2010 migration’, and I thought of sharing this wonderful task for you guys out here..
We started our mail server in the year 2003 with Exchange server 2003…and in 2009, we migrated it to Exchange server 2007 and now we are migrating it from Exchange server 2007 to Exchange server 2010.
Our current environment of Exchange server 2007 includes,
One Edge server (virtual machine running on Hyper-v)
Two hub and cas on NLB (virtual machine running on Hyper-v)
Two mailbox server on single copy cluster (with one mailbox roll on virtual machine running on Hyper -v and another machine on the physical Dell PE2950.. Mailbox on Dell MD3000i SAN storage)
Explaining below is the live implementation – Live Cast
Links for your review before you read my blog
Exchange Server 2010 System Requirements Click here
What’s new in Exchange 2010 click here
Exchange server 2010 Downloads link (Trial version) Click here
Forefront Protection 2010 for Exchange Server is now available for download. This next generation version of Forefront Security for Exchange Server provides fast and effective detection of malware and spam, blocks out-of-policy content, and integrates with Forefront Online Protection for Exchange to offer the defense-in-depth benefits of hosted and on-premise filtering in a single solution…click here for more
Microsoft Online Services Click here
EXCHANGE SERVER 2007 to 2010 MIGRATION – CHECKLIST
Since Exchange 2010 is similar, if not almost identical to Exchange 2007 in terms of server roles (CAS, Hub Transport, Mailbox, Edge), if you have implemented Exchange 2007 in a manner that suits the needs of your organization, your transition to Exchange 2010 will be pretty straight forward. Effectively, you would add Exchange 2010 server roles to mirror the Exchange 2007 server roles you have today (ie: if you have 2 CAS/2007 servers today, you’d likely build up 2 CAS/2010 servers in the Exchange 2010 environment, etc). So in my case 2 Hub & CAS, 2 Mailbox, 1 Edge server.Step by step – for the migration
Useful tools for your migration…read my blog
The sequence for a migration from Exchange 2007 to Exchange 2010 is as follows:
- Upgrade all Exchange Servers to Exchange Server 2007 Service Pack 2.
- Bring the AD forest and domains to Windows Server 2003 Functional (or higher) levels.
- Upgrade at least one Global Catalog domain controller in each AD Site that will house Exchange Server to Windows Server 2003 SP2 or greater.
- Prepare a Windows Server 2008 (RTM or R2) x64 edition server for the first Exchange 2010 server.
- Install the AD LDIFDE tools on the new Exchange 2010 server (to upgrade the schema).
- Install any necessary prerequisites (WWW for CAS server role).
- Run setup on the Exchange 2010 server, upgrade the schema, and prepare the forest and domains. (Setup runs all in one step or separate at the command line.)
- Install CAS server role servers and configure per 2010 design. Validate function-ality.
- Transfer OWA, ActiveSync, and Outlook Anywhere traffic to new CAS servers.
- Install Hub Transport role and configure per 2010 design.
- Transfer inbound and outbound mail traffic to the 2010 H&C servers.
- Install Mailbox servers and configure Databases (DAG if needed).
- Create public folder replicas on Exchange 2010 servers using AddReplicatoPFRe-cursive.ps1 or Exchange 2010 Public Folder tool.
- Move mailboxes to Exchange 2010 using Move Mailbox Wizard or Powershell.
- Redo the Offline Address Book (OAB) generation server to Exchange Server 2010.
- Transfer all Public Folder Replicas to Exchange Server 2010 Public folder store(s).
- Delete Public and Private Information Stores from Exchange 2007 server(s).
- Uninstall all Exchange 2007 servers.
Here I’m not covering the ‘Preparation of AD and Exchange server SP2 installation’…Which is the first step for this task…after which you have to do the up to date rollup installation on all the role servers. When I started this live server of Exchange server 2007 SP2, Microsoft has released Rollup 4 (as on June 10th 2010)….. For more info, read my blog on JAN 2010 https://premnair.wordpress.com/2010/01/27/upgrading-to-exchange-2007-sp2-on-scc/
Live setup Started…June 8th 2010 @ 9.00am
Preparation of Virtual server for Migration
Two H&C on Virtual server – Windows 2008 R2 64bit Platform
Two Mailbox server role – Currently using one on the Virtual server with Drobo SAN storage another one will be on Physical Dell poweredge 2950 with Dell MD3000i SAN storage (This physical one currently I’m hosting Exchange 2007 Mailbox roll) and this task will be done later.
One Edge server on Virtual server – Windows 2008 R2 64bit platform with Hyper-V
CREATE CLUSTER MODE FOR H&C SERVERS
To install on both Hub & Cas server, do the following,
- Server manager -> Features-> Network Load Balancing
- Then on each Network port, ASSIGN IP
- But on the properties of the network, do not check mark “Network Load Balancing(NLB), This will be done automatically.
- Go to any one of the H&C server, Administrative tools–Network load balancing Manager
- Create NLB name–specify IP for this, then select the servers.
Now, if you have configured this on the Virtual server, there is a catch…Before doing NLB in Virtual machine you will have to enable spoofing for network card in Windows 2008 R2 .This one you will get in ‘Hyper -v manager’ inside the settings of NIC card of virtual machine.
In windows 2008 SP2 and SP1, there is no spoofing, so you have to set the static mac address. This mac address you will get after configuring NLB… that is NLB cluster IP mac address that you have to put it on both NLB machine as Static mac address on the Virtual machine manager.
Once you done this, publish the cluster name to the DNS server, so that the network clients/server can ping….and now the server is ready for the Exchange server 2010 installation….
Live setup started….June 9th 2010 @ 4.00pm
Preparation for live server
Install the Windows Server 2008 R2 operating system prerequisites
1.On servers that will host the Hub Transport or Mailbox server role,
Install the Microsoft Filter Pack. goto http://www.microsoft.com/downloads/details.aspx?FamilyID=60c92a37-719c-4077-b5c6-cac34f4227cc&displaylang=en
2.On the Start Menu, navigate to
All Programs->Accessories->Windows PowerShell. Open an elevated Windows PowerShell console, and run the following command:
Copy Code Import-Module ServerManager
3.Use the Add-WindowsFeature cmdlet to install the necessary operating system components:
For a server that will host the Client Access and Hub Transport server roles:
Copy Code Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy -Restart
For a server that will host the Mailbox role:
Copy Code Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server -Restart
For a server that will host the Edge Transport role:
Copy Code Add-WindowsFeature NET-Framework,RSAT-ADDS,ADLDS -Restart
On servers that will have the Client Access Server role installed, after the system has restarted, log on as an administrator, open an elevated Windows PowerShell console, and configure the Net.Tcp Port Sharing Service for Automatic startup by running the following command:
Copy Code Set-Service NetTcpPortSharing -StartupType Automatic
Live setup started….June 10th 2010 @ 1.00PM
Hub & CAS Preparation
Go to your First 2010 H&C prepare the live windows updates, copy the Exchange server CD to C Drive and run (This is the easiest way or else mound the ISO image or CD to the Virtual drive.)
Install the role Hub and CAS…this will take appx 50min depending on the server performance…wollaaa…ONE FINISHED, 4 MORE TO GO!!!
Backing up your certificate for installing later on other servers (TIPS)
- Select the Internet Information Service Manager within the Administrative Tools menu.
- Select the web site (host) for which the certificate was made.
- Right mouse-click and select Properties.
- Select the Directory Security tab.
- Select the Server Certificate option.
- The Welcome to the Web Server Certificate Wizard windows opens.
- Click OK.
- Select Export the current certificate to a .pfx file.
- Click Next.
- Select the path and file name. Click Next.
- Select a password. Click Next.
- View the certificate contents.
- Keep this .pfx file in a safe place
SSL Certificate Installation (TIPS)
- Select the Internet Information Service Manager within the Administrative Tools menu.
- Select the web site (host) for which the certificate was made.
- Right mouse-click and select Properties.
- Select the Directory Security tab.
- Select the Server Certificate option.
- The Welcome to the Web Server Certificate Wizard windows opens.
- Click OK.
- Select Process the pending request and install the certificate.
- Click Next.
- Browse to the location of the new certificate file at the Process a Pending Request window. The file extension may be .txt or .crt instead of .cer (Hint: search for files of type “all files”)
- After the correct certificate file is selected, click Next.
- Select Port 443 for SSL. 443 is the default; other ports can be entered.
- Verify the Certificate Summary to make sure all information is accurate.
- Click Next.
- Select Finish.
- Select Web Site tab at the site’s Properties window to edit your SSL Port 443 settings for this web server.
- Click OK.
- Test your certificate by connecting to your server. Use the https protocol directive (e.g. https://your server/) to indicate you wish to use secure HTTP.
The padlock icon on your Web browser will be displayed in the locked position if you have set up your site properly.
NOW SAN CERTIFICATION INSTALLATION …Read my blog for more info of how to create it
Goto IIS in new H&C – select server->Server certificate, From here you have an option to import the certificate…which should be *.pfx. (This has been exported from old H&C of 2007 server).
Install it. Then goto Exchange management console of new H&C of 2010, inside the server configuration, select H&C server..below you can see the certificate which you just installed. Right click the certificate and assign services (which IIS, SMTP, POP3 and IMAP).
Cool….here you will find all the entries replicated from your old Exchange 2007 H&C to this one, except the following.
Exchange 2010 Access is denied error when you want to manage the CAS role
After installing Exchange 2010 server in an Exchange 2007 server environment may get some funny error results. After the installation Exchange 2010 , open the Exchange management console, you nee to go to Microsoft Exchange On-Premises -> ServerConfiguration -> Client Access and here you will receive the following error message.
So let run the “Get-OwaVirtualDirectory” in powershell and you will get the following result
From the power Shell command prompt .. Run
An IIS directory entry couldn’t be created. The error message is Access is denied.
. HResult = -2147024891
+ CategoryInfo : NotInstalled: (<ExchangeServer2007>\Exchange (Default Web Site):ADObjectId) [Get-OwaVirtualDirectory]
+ FullyQualifiedErrorId : 4B12EB5D,Microsoft.Exchange.Management.SystemConfigurationTasks.GetOwaVirtualDirectory
Above command reads the Active Directory objects to see all the registered OWA virtual directories. The virtual directories you retrieve are the virtual directories from Exchange 2010, but also from Exchange 2007. Next it connects to these directories and needs admin rights. This is the problem. Exchange 2010 creates a few new groups and one of them is Exchange Trusted Subsystem. Exchange Trusted Subsystem is automatically added to the local administrators group of the Exchange 2010 server but not on the Exchange 2007 servers.
RESOLUTION : All you need to do is add the Exchange Trusted Subsystem to the local administrators group on the Exchange 2007 CAS servers and restart the server, including the new 2010 H&C Server.
Now run the “Get-OwaVirtualDirectory” in powershell we see:
Name Server OwaVersion
—- —— ———-
Exchange (Default Web Site) <ExchangeServer2007> Exchange2003or2000
Public (Default Web Site) <ExchangeServer2007> Exchange2003or2000
Exadmin (Default Web Site) <ExchangeServer2007> Exchange2003or2000
owa (Default Web Site) <ExchangeServer2010> Exchange2010
Ok…activate the product key..otherwise you can run it for 119 days…!!!!
To activate the same, from the Exchange Management console of 2010, right pannel, you will see “Enter Product Key”…and enter the product key which comes with it…!!
Now lets start the second h&c server for exchange server 2010….follow the same step…once it has done….
Next server for H&C already started…now the time is 7.30pm…need to have a cup of tea…going …and will be back…now its 8.15pm…2nd server H&C is installing CAS role…Hub role finished..2 service installation to go..!!
Let me confirm that till now the exchange server 2007 mail flow is normal…for owa, oma, rpc over https and autodiscovery…!
Installation completed on H&C second server..its time 8.27pm…now activate the product key and now installing the Rollup3 for Exchange server 2010 !
Let me go an eat dinner and come back to work…
Its now 9.20….rollup installation finish..and restarted the entire 2010 server. All the services working fine..
Start installation of Mailbox 1 ….9.35pm
Before starting, this Exchange server should be on Enterprise version…in order to accept Failover clustering service for DAG (Database Availablility Group)
Now enable the Failover service on the Mailbox server – Server Manager->Role->Fail over Cluster
Now starting the Exchange server 2010 Enterprise server installation for Mailbox role…!now its 9.58pm
Now it is 10.15pm…Malibox roll has finished…started Rollup 3 installation…Rollup 3 installation too has finished @ 10.29pm
By default, Database path and Log Folder path will be created on C:\ Drive. If there are not enough space, we have to mound the SAN drive on the Mailbox server. Once the SAN drive is mounted, rename the Database and Log Folder path.
To do this, Right click on the Mailbox which is mounted, type the path name and the filename extension for the database file should be Mailbox1.edb (Eg: E:\SANBOX\Mailbox1.edb) and the Log Folder should be just the path (Eg: E:\SANBOX).
When you click OK…there will be a popup which says that “To perform the move operation, database “XYZ” must be temporarily dismounted, which will make it inaccessible to all users. Do you want to continue?”..Click YES.
Now go and change the MailBox database name also from the upper area and then right click and change it as per your requirement. This has to be done before the “mailbox move “.
Don’t forget to activate the key (which is an enterprise key)…and this should activate only after the mailbox service gets restarted…
Now user mailbox move should start. Now it is 11.pm. We have to select one user (which should be a valid test user, existing in your AD) The reason for this single selection is, being a production server, and we should anticipate all the issues after the user move happen. Mailbox move for test user started…BOOM finished! How to do? Here I explain…
- Go to Exchange server 2010 Mailbox server
- Go to’ Recipient configuration’
- Select Mailbox (it should take all users list from AD).
- Select the test user, right click “New Local Move Request”.
- Target mailbox database, select Browse…
- Select the Mailbox Database (this should be your new 2010 Mailbox name) which will be listed in the next window,
- Select the move option.”If corrupted messages are found” what to do…2 options…always select “Skip the mailbox”.( This way you will come to know which user has corrupted mailbox…then you can take alternate action to that user’s mail box..by moving the OST, or convert the existing mails to PST, etc…)
- Then click “NEW”…that’s it BOOM….FINISHED!
Now the test part….
INTERNAL TESTINGS FOR THE MAIL FLOW
Check the users account setting. This should change automatically in Microsoft outlook…send internal mail and external mails…succeeded? Check OWA internally. Check Imap connection, if everything is ok…WORKING FINE!!!Cool
EXTERNAL TESTINGS FOR THE MAIL FLOW
Check the users account setting. This should change automatically in Microsoft outlook…send internal mail and external mails…succeeded? Check OWA EXTERNALLY and check Certificate. Check Imap connection, if everything is ok.
Now you are ready to go…else..Check list starts…which will be Firewall rules, NLB rules, Certificate Issue etc… now…here I’ve an issue and I’m stopping for the solution to clear it to go further…until then..Good night! Now the time reads 11 July, 2010 @ 12.45am
Here, in 2010 OWA look has been changed. Now they call it as “Mocrosoft Outlook Web Apps”…below is the login page
Today June 11, 2010 @ 9.30am
Forefront Protection for Exchange server 2010 has installed on our two Hub and CAS server and configured the Spam engine…This is a cool product compared to Forefront security for Exchange server 2007…and has now activated..Engine started downloading the data definitions
This is very important…since the architecture of the Exchange server 2010 is different from Exchange Server 2007.
Click here to see the diagram http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=6eb8c09a-6ea4-442a-9faa-de33265ceb84#filelist
Configured all the notification settings and the status can be viewed on a Dashboard, which is a new feature given for Forefront Protection for Exchange 2010.
Today June 11, 2010 @ 2.30pm
Mailbox move starts for the remaining users…Crossing the finger now…best of luck to me
Selected the highest mailbox size from here (which is 3GB in my environment).This is for Exchange server 2010 “move” time calculation, while doing a local move request for a mailbox from 2007, to 2010 mailbox database, the task will show completed…but there is a menu under Recipient configuration called “Move Request”, where you can see the status of the “move” which you have selected.
If you right click on it, and select property, you will see the status of thatparticular move, in ‘%’…This is a cool one unlike as in moving the Exchange server 2007.
Move request started for a 3GB Mailbox @ 2.45…lets see how long it will take. Simultaneously, I am moving another 1GB Mailbox too @2.45…and now the time reads 3.11pm. The 1GB one has finished 41% and 3GB one has reached 31%…will update more.
NOTE: First, be aware that mailbox databases in Exchange 2010 have a default mailbox size limit as 2 GB. If you have users with mailboxes larger than that, you’ll need to update the mailbox database limits on Exchange 2010 or set individual limits for those user’s mailboxes. Moving a mailbox will fail if it’s larger than the pre-defined mailbox database limit and the user doesn’t have an exception configured. To change the default for the mailbox database, edit the Limits tab on the mailbox database property sheet, which you accessed from the Mailbox node of the Organizational Configuration in the Exchange Management Console.
1GB mailbox move completed in 1 hour 40 minutes time (This is on a 12GB RAM on a Virtual machine connected to SAN drive)
3GB mailbox move completed in 2 hour 22 minutes time….not bad (Good to start with your boss’s mailbox..make sure that he is technically sound..I’m lucky to have one..you will get all the feedback..if he does’nt does’nt have technical knowledge…make sure he is the last one to move…or else you are gone…heee)
Lets get back to work…Now start with others move…still going on..now it is 1.30 am on the 12th of June 2010
Today 12th of June 2010 @ 6.00am
Move in progress…make sure that you switch off all the windows update for the time being…otherwise system will restart when the move is going on.
NOTE : Once you finish moving the user mailbox, make sure that he is using outlook 2007 or higher…Outlook 2003 does not support few function of the 2010 mailbox.
Now it is 10.am…added another batch…at a time, only 5 mail box are moving…
Today 14th of June 2010 @ 4.29pm
90% of mailbox has been moved to Exchange server 2010.
To tell you frankly from my experience, for a smooth migration, make sure that your users mailbox quota should not exceed 3GB, or else this will take hell lot of time.
Users, on Exchange serve 2007 mailbox, can sill access their mailbox while on moving. Be sure to instruct the user to close all the outlook, before ‘ the move progress chart’ reaches 90%, so that Exchange server can smoothly take over the configuration, or else, on a high volume mailbox, User Outlook program just hung and all you have to do is to restart the outlook (sometimes you will need to shut down the PC and restart it). If you are accessing one mailbox from multiple machines or using different connectors (IMAP, RPC over HTTPS, OWA etc), open only one at a time.
One more thing…if you are using Exchange server 2007 NLB name for the certificate to publish mail server FQDN, and Exchange server 2010 NLB name is different, make sure you either include the name inside the SAN certificate or inside the Exg 2010 H&C server, edit the IIS rule or OWA to uncheck the Request SSL part…so that the error wont be there…once you decommission it, put this check mark back and rename the NLB of Exchange server 2010 H&C.
Second thing…when you archieve the user mailbox on Exchange 2007, and try to move the mailbox…it might show the previous size (before archive size), because of the dumpster cache…not to worry…that mailbox will move faster…:)
Today 15th of June 2010 @7.45am
95% finish…Today is a big day…yesterday before leaving my office, I had put the Public folder for replication and let see if that really happened or not?
One more thing to mention here…which I faced
When you try to move a mailbox from Exchange 2007 to Exchange 2010, following error occured:
Active Directory operation failed on *DomainController*. This error is not retriable. Additional information: Insufficient access rights to perform the operation.
Active directory response: 00002098: SecErr: DSID-03150E8A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
The user has insufficient access rights.
Exchange Management Shell command attempted:
’*OUStructure*’ | New-MoveRequest -TargetDatabase ‘Mailbox Database 1985885663′ -BadItemLimit ‘-1′
To resolve this error…..by editing the Advanced Security Settings for that user,
- Open Active Directory Users and Computers
- Find the user of which the mailbox error occured
- Open the properties of the user and go to the security tab (if this is not available, choose view and then advanced features in the AD users and computers under MMC)
- Click on [Advanced]
- Check the box at the bottom which says “Include inheritable permissions from this object’s parent” and then click [OK] twice.
Then try to move it and it will work…
One thing I realized today is do not trust for a 3rd party san(other than known brand vendors) FOR MAILBOX…what a nightmare it was …but I managed to resolve it back..offffffffffffffffffff
Today 15th of June @7.00pm
All the mailbox migration is over…and now the tuning part starts..
- Important to do : first of all, when you do the migration, please clear the log from exchange server 2010 mailbox folder, where it is mounted. To do that, do a graceful dismount of the mailbox and public folder, then move the log files from that folder to a created new folder inside this folder called “old logs” and then cut and paste it. While migrating the mailbox, exchange 2010 creates a lot of log for this…and this log file will affect the performance of the mailbox.
- In my environment, I’ve created an NLB name which is not part of SAN certificate…need to fix this..so first go to your DNS server remove all the old entires of the mail server and then
- Rename the NLB name of the Exg 2007 H&C (which is part of the certificate) and give a different name.
- Now rename the NLB name of the Exg 2010 to the original name of Exg 2007 H&C NLB.
Right click onthe NLB name, Select Cluster properties, then select the cluster parameters TAB and then change the full internet name to the new one.
- Goto your ISA2006/TMG server and re-do the IP settings to point the Exchange server 2010 H&C NLB name/IP
- Enter the new DNS entry for the Exchange server 2010 and Exchange server 2007 NLB name on your DNS server
- Everything back to normal as it was…confirm all the externall connectivity which is OWA, OMA, RPC over HTTPS, ActiveSync, EWS, SMTP, IMAP etc
- you can do it on this link https://www.testexchangeconnectivity.com/
Now leave both the server for a fullnight replication.
Today 16th of June 2010 @9.am
All the connectivity and mail flows are working fine. Now try to archive the mail boxes of the users with high mailbox volume, on a PST file…this is for the preparation of DAG..Yeahhhh…DAG is there to do + De-commissioning Exchange 2007.
Now I am on the replication of Offline Address book and Public folder synchronization today before the DAG and decommissioning…Today is set for that.
TODAY 17TH OF JUNE 2010
Final preparation for the de-commissioning. Mailbox maintenance in progress. From last night, we have noticed the “slowness” of the mailbox due to unwanted entries of the old server which is 2003 and the replication not happening on the Public folder.
Microsoft Support team from Exchange server and Security is working on the “Special Task” and giving us the support for this migration.
Now I’ve taken down the mailbox since 12.00pm and expecting to finish by 4.00pm.
First time since the migration process started down time happened for 4 hours…can’t help it..for the better for all of us. Will keep you posted.
Getting ready for the server to take back online…mails have been queued on Exchange server 2010 Hub and Cas server…going to start releasing it soon…15 minutes more to go..exact down time 4 hours 40minutes…
Everything is back online, except Mail Enabled Public folder..work going on..all the queues has been deployed automatically from the H&C server to Mailbox.
Now it is 8.30pm…still working on and too tired…Tomorrow morning I’ve got my PG exam…final paper..God knows what is going to write there…
Today19th of June @10am
Public Folder replication is not happening. Now we have taken the backup of the public folder. Lets not waste time for replication. I’ve removed the entries of the Public foder.
- Go to your Exchange server 2010 Mailbox server
- Type ADSIEDIT .MSC under RUN (This process, is a risky one, and do it under your own risk)
- Under Configuration->Configuration-Doman name->Service->Microsoft Exchange->domain name->Administrative Groups->Exchange Administrative group->Databases
- Remove the entries and then
- Go to Folder Hierarchies and look for msExchOwningPFTree
- And remove the old entries (before you do that take a copy of the entry and paste it to Notepad).
Then go to EMS on the Exchange 2010, under Toolbox and select ‘Public folder management console’ and create the new folder.
If you want this folder to be mail enabled, do that as well and restart the machine, everything will work normally.
Now the offline address book needs to be synchronized back to the Exchange server 2010…
- Go to EMC of 2010 under 2010 Mailbox server
- Expand Organization configuration and click mailbox
- Then select Offline Address book tab…click on the object, right click and select move.
- Give your new Exchange 2010 server name and that’s it.. Now you are on new server.
Its not yet finished…
- Now you can see the “Generation serve name ” will be your new server name.
- Now right click on the object again and click update.
- If any error throws out, click ok…
- if error occured, then right click the object of ‘Default Offline address book’
- Select properties->Distribution tab->and uncheck the “Enable public folder distribution”.
- Click apply and click ok and then right-click and update again.
Once it is done, with the update of the Default offline address book, right-click again and select properties and then distribution and check mark the “Enable public folder distribution”.. This is used only when you are using Exchange 2010 mail server for mailbox with the Outlook 2003 client to connect. If this box is checked, outlook 2003 clients can access the Virtual directory if 2010
If you do not have any version of Outlook older than 2007, then no need to check mark this box. Also you can uncheck the Client support as Outlook 98 SP1 and SP2 is not at all supported now…its gone.
Now your offline address book is also on Exchange server 2010.
One more thing, do a Best Practise Analyser scan (Under Tools of EMC) to run on the Exchange server 2010, so that you can see the missed out configurations.
If you see an error on BPA report for Recipient update server, just ignore it, as Exchange server 2010 is not using this service.
Today 20th of June @9am
We are in the process of decommissioning Exchange server 2007 and implementing Exchange serve 2010 Edge server and DAG. Now that all the mailboxes and the public folders are on Exchange server 2010..including offline address book..now you don’t need to worry about the old server, except the mail flow. If you have any Network printers which does the email scan features enabled, make sure that you chnge the IP of the SMTP traffic to the new NLB server of Exhcnage server 2010. Today i’m just leaving the server as it is for a smooth mail traffic.
Today 21st of June @10.am
Platform preparation for Exchange server 2010 Edge server.
Installation going on and once it is finished, we will install the Forefront Protection 2010 for Exchange Server
When you are running Exchange serve 2007 Edge server with Forefront security spam engine, There is no option to upload the Blacklist IP and keywords to the Forefront Protection 2010 for Exchange. Make sure that you type what ever you can from the Exchange server 2007 list and re-do it on the Forefront Protection 2010. I hav’nt found any solution to upload it. If anyone has a work around, please let others know. This is very important to re-do it on the new spam machine, because that is an asset, which 2007 system has learned from the past years. Forefront Protection 2010 has a good engine, still this is an added protection to that.
DO NOT TURN ON YOUR NEW EDGE SERVER WITH OUT THE COMPLETE ANTIVIRUS DATA DEFENITIONS UPDATED.
Once you finish the Edge server 2010 installation, by default AntiSpam is disabled…to see if it is disabled, go to Exchange management shell and type Get-AntiSpamUpdates and if you see false, which means you need to enable it. To do that go to EMC->AntiSpam->select the Content Filter on the right hand pannel, click “Enable”.
Now I’m re-doing all the spam list and IP block list to the Forefront engine of Exchange server 2010..now the time is 4.30pm
Forefront details..to know more click here
Anti Spam/Block list Catalogue update site from Microsoft A good link to download the defenition updates for your Edge server
Feature Highlight: Multi-layer Antispam Protection..beautiful!!!!!
Forefront Protection 2010 for Exchange Server integrates both on-premise software and hosted spam filtering services to provide a multi-layered defense against the ever-increasing influx of spam. Forefront Protection 2010 for Exchange Server also draws on multiple antispam technologies to provide comprehensive protection against constantly evolving spammer tactics.
Forefront Protection 2010 for Exchange Server:
- Protects Exchange 2010 and 2007 through aggregated reputation services and SmartScreen filtering technology from Microsoft. These are enhanced with highly accurate spam-filtering technology from industry-leading partner Cloudmark.
- Offers built-in integration with Forefront Online Protection for Exchange*, a hosted filtering service that enables customers to block spam before it ever reaches their networks. From a single management console, customers can provision, configure, and report on Forefront Online Protection for Exchange reputation and connection filtering for an even stronger barrier against spam.
IMPORTANT NOTE: customers who purchase the Forefront Protection Suite, Exchange Enterprise CAL, or Enterprise CAL Suite have rights to use both Forefront Protection 2010 for Exchange Server and Forefront Online Protection for Exchange.
To know more about the product and technical video, Click here
If you want to know, whether your Public IP used for mail server has been blacklisted or not, a good tool, click here
Exchange Server 2010, anti-spam Automatic Updates functionality relies on the Microsoft Update service framework.
The Forefront Protection 2010 for Exchange Server anti-spam update service polls Microsoft Update several times a day to download updates or determine whether the opt-in status has changed. Therefore, it may take up to one hour or more for the opt-in action to be reflected in your system. If you want to verify the modified opt-in status immediately, restart the Microsoft Exchange Anti-spam Update service.
How to do on EMC to enable anti-spam updates
- In the Exchange Management Console, click Edge Transport.
- Select the server on which the Exchange Anti-spam Update service is to be configured.
- In the Action pane, click Enable Anti-spam Updates.
- In the Enable Anti-spam Updates page of the Enable Anti-spam Updates wizard, configure the following:
- Update mode
• Manual Select this option if you want to manually apply content filter updates from Microsoft Update.
• Automatic Select this option if you want anti-spam updates retrieved from Microsoft Update to be applied automatically.
• Spam signature updates Spam signature updates may be downloaded several times a day to supplement the content filter accuracy.
• IP Reputation updates IP Reputation updates may be downloaded several times a day to improve the accuracy of sender reputation information about IP addresses that are known to send spam.
- Update service Select this option to agree to enable Forefront Protection 2010 for Exchange Server anti-spam updates via Microsoft Update. Users must opt in to using Microsoft Update so that Forefront Protection 2010 for Exchange Server anti-spam updates published on Microsoft Update are visible to the Exchange server. If you don’t select this option, you cannot enable Forefront Protection 2010 for Exchange Server anti-spam updates via Microsoft Update.
- Update mode
- On the Completion page, review the following, and then click Finishto close the wizard:
- A status of Completed indicates that the wizard completed the task successfully.
- A status of Failed indicates that the task wasn’t completed. If the task fails, review the summary for an explanation, and then click Back to make any configuration changes.
How to do through Exchange Management Shell to enable anti-spam updates
To enable anti-spam Automatic Updates if the destination computer is already opted in to Microsoft Update, run the following command:
In this case,
SER1 is the server on which you want to enable anti-spam updates.
Enable-AntispamUpdates -Identity SER1 -IPReputationUpdatesEnabled $True -MicrosoftUpdate RequestedNotifyDownload -UpdateMode Automatic -SpamSignatureUpdatesEnabled $True
Now all the keywords, sender proifles, Spam list and block has manually added to Forefront engine, and it does replicated to Edgeserver EMC.
Now I’m generation the Edge subscription file…
- Go to Exchange 2010 Edgeserver
- Open Exchange Management Shell
- Type New-EdgeSubscription -Filename “C:\Edge file.xml”..Done
- Copy to any of the H&C Server
- Then Goto EMC of H&C server->Organization->Select Hub Transport->look at the right panel
- Click New Edge Subscription
- Select the file you just copied
- click next and then finish……DONE..
Best part is now starting…changing the IP of our new Exchange server 2010 to Firewall….whaoooooooooooo DONE…
An email from Exchange 2010 Edge server to the configured mail client says that the status goes to red…another mail came, says that status goes to green..
I send a test mail from my external mail account….got it…replied back to the address…got it…WELCOME TO EXCHANGE SERVER 2010.
You should really see the dashboard of the Forefront Protection 2010 engine…it really gives you all the information of what you are looking for…I loved it…
Its time to relax and tomorrow i’m starting the de-commissioning process now the time is 7.30pm
Today 22nd June 2010@ 9.am
Relaxing time now…big boss is happy so we are just going around and checking the network printer configuration to point SMTP connector settings to 2010 edge server.
Today Apple released its iOS4 to iPhone and this OS supports Exchange server 2010, multiple exchange account feature and organize mails on conversation mode…I’m upgrading my phone now to iOS4…whaoooo you should see the icon of Microsoft Exchange in iPhone iOS4…mail starts comming and organized as conversation mode..cool.
Now the time is 1.00pm…shutting down the Edge server of 2007…done..Mail flow is good on Exchange server 2010, through the Edge server and spam engine
Now its 1.30pm…shutting down all the Exchange server 2007 servers…done now…mail flow, internal and external…cool.
Will monitor till 5.00pm..
Ohhhhhhh…mail flows are ok, but when you go to H&C of Exchange server 2010, on the queue viewer, you can see a new feature called “Shadow Redundancy”…and the queue get increased…don’t be panic..mails are going out and this is a new feature in Exchange server 2010..this queue will become zero, when you go through the below task later…
Microsoft Exchange Server 2007 introduced the transport dumpster feature for the Hub Transport server role. An Exchange 2007 Hub Transport server maintains a queue of messages delivered recently to recipients whose mailboxes are on a clustered mailbox server. When a failover is experienced, the clustered mailbox server automatically requests every Hub Transport server in the Active Directory site to resubmit mail from the transport dumpster queue. This prevents mail from being lost during the time taken for the cluster to fail over. While this does provide a basic level of transport redundancy, it’s only available for message delivery in a cluster continuous replication (CCR) environment and doesn’t address potential message loss when messages are in transit between Hub Transport and Edge Transport servers.
Exchange Server 2010 introduces the shadow redundancy feature to provide redundancy for messages for the entire time they’re in transit. The solution involves a technique similar to the transport dumpster. With shadow redundancy, the deletion of a message from the transport databases is delayed until the transport server verifies that all of the next hops for that message have completed delivery. If any of the next hops fail before reporting back successful delivery, the message is resubmitted for delivery to that next hop.
To know more about the Shadow redundancy, click here
NOTE: Shadow redundancy can be enabled or disabled for the entire organization using the ShadowRedundancyEnabled parameter of the Set-TransportConfig cmdlet. This setting overrides the extended rights described in this section. If shadow redundancy is disabled for the organization, Exchange will never advertise shadow redundancy support or issue XSHADOW commands even if the necessary extended rights are granted to the SMTP session
Today 23 June @11.am
Today is the decommissioning day for exchange server 2007 roles. Lets start with Edge server of 2007…goto Add/Remove program->Exchange Sever 2007->Uninstall….oops error
ok…in order to clear the error and then decommission it, do the following
Use the Remove-EdgeSubscription cmdlet(EMS) to remove Edge Subscription from the Exchange organization and from the subscribed computer that has the 2007 Edge Transport server role installed.
Copy code Remove-EdgeSubscription -Identity <TransportServerIdParameter> [-Confirm [<SwitchParameter>]] [-DomainController <Fqdn>] [-Force <SwitchParameter>] [-WhatIf [<SwitchParameter>]]
Eg: Remove-EdgeSubscription -Identity edgeserver1 more info, click here
This process will remove the subscription from the H&C and Active Directory entries…also you can see the Shadow redundancy down to “0” on Exg 2010..this will get increase as and when mails start flowing. The message inside the Shadow redundancy, if you click on the message of the queue, and select properties, you can see the mail properties…then click on the “Receipent information” of that properties, you will see that the status is “Completed”..This has an expiry date too.
Once the subscription removal is done, then go to Edge server of 2007, Add/Remove Programs->Exchange server 2007 and click uninstall.
Once it is completed…you are ready to shut down the “Edge server of Exchange server 2007″…thats the end of this “EDGE”.
Next task – de-commissioning other roles of Exchange server 2007…. now the time is 6.30pm
- Go to one of the H&C
- Stop the service of “Microsoft Exchange Transport”.
- Go to Add/Remove program
- Select Exchange server, and click uninstall
- When you click here…it starts with the “Pre-requisites” and then will start the uninstallation process.
- Done…one H&C of 2007 is down
- Do the same to the other H&C…cool done…
Two Hub and Cas of Exchange server 2007 is out from my network…now the time is 8.00pm
—-The following steps will do only if required..Action START
Make sure that your mail flow is working fine..if not, you have to re-do the Edge syncronization from Exchange server 2010 H&C.
- First go to H&C of EXG2010
- Under EMC ->Organization->Hub Transport->Edge Sync tab
- Right click the edge server name of EXG2010
- Click delete.
- Then go to Edgeserver of EXG2010
- Do the Edge syncronization removal command from EMS and type Remove-EdgeSyncronization <Edge servername>
- The goto H&C of EXG2010
- Goto Services
- Restart Microsoft ADAM service on both H&C
- Restart Microsoft Topology service on both H&C
- Go to Edge Server of EXG2010
- Restart Microsoft ADAM service
- Restart Microsoft Topology service
- Goto EMC of Edge server
- Click New Edge Subscription from the right panel
- select the domain controller and file name
- Save the file name
- Copy this new .XML file to one of the H&C of EXG2010
- go to the H&C of EXG2010 where the file has been copied
- goto EMS and type the command New-EdgeSubscription -filename “c:\edgesubscription.xml”
- and refresh the EMC of H&C and you will see the new subscription file.
- Goto the EMS and verify it type the command Test-EdgeSyncronization
- To do the Edge Syncronization, from EMS type Start-EdgeSyncronization
—-The above steps will do only if required..Action END
Today 24 June @10am
Next … Mailbox…remember one thing…This mailbox has been configured on Single Copy Custer (SCC)..so its a bit careful task.
Cluster is a virtual mode creation where we create one sort of link between two or more computers so that if one server goes down, other server should take ownership…which is what we called “High Availability”. Its a pretty straight forward to uninstall an Exchange server 2007 on a non-clustered mode..just go to add/remove program and choose exchange server 2007 and click on uninstall. But if you want to do the de-commissioning of Exchange server 2007 in a clustered environment, it is not that easy..you have keep certain factor in mind.
Uninstall the Exchange server 2007 mailbox from the passive node
Evict the passive node
Remove the clustered mailbox from the active node
Uninstall the Exchange server from the active node
Evict the active node
Un-installing/De-commissioning Exchange server 2007 Mailbox from Passive cluster node
Open the command prompt of the Passive mailbox server..make sure you logged in as domain administrator.
Go to C:\Program Files\Microsoft\Exchange SErver\Bin
Type the command setup /mode:uninstall
Now you have successfully uninstall the Exchange server mailbox role from the passive node, but the cluster environment server information still exists, and we need to remove that as well.
To do that we need to…
- Open the Cluster Management Tool
- Expand the cluster resource name
- Expand the Nodes
- Right click the passive node server
- Click on More actions -> click on “Stop cluster service”
Once you “Stop Cluster Service”, then click on More actions again and click Evict and click the Evict Node….
Once you done this, restart the server.
Once the server is up…do the following too
- Open the Server manager console
- Click on Features and then click on Remove Features
- Uncheck Failover Clustering
- Click on Yes to reconfirm and click on NEXT
- Click on Remove.
- After the Server is restarted
- Remove any remaining files and folders from the Exchange Server program files folder and subfolders.
Thats the end of Exchange Server 2007 Mailbox de-commissioning on a Passive node….Now go to the Active mailbox server of Exchange server 2007
This process is not as same like passive node. Here we can’t go with uninstall command only, because this server holds the culstered mailbox server information and it is online. In order to remove this,
Go to the command prompt..change the directory to C:\Program files\Microsoft\Exchange Server\Bin
Type command setup.com /removeCMS /CMSName:<Clustername>
This will take the mailbox now offline from the cluster…
Now type setup /mode:uninstall
Once you finish this uninstallation, Exchange server 2007 last mail box has been remove from your domain..now do the evict
Goto command prompt (If the command prompt is open, close it and open it and then type
Cluster <mailbox cluster name> node <nodename> /force
That’s the end of the “EXCHANGE SERVER 2007 DE-COMMISSIONING PROCESS” and now the time is 1.00pm
Now you are completely depended on Exchange server 2010.
Today 25 June @9am
Remember..you have to de-activated all the Windows updates…now go to all the Exchange server 2010 and activate it back.
Exchange Server 2010
Database Availability Group [DAG] configuration
To Start the DAG process on Exchange server 2010 Mailbox
Preparation for the server started.. This is the second server for Exchange server 2010 Mailbox role and i’ve added SAN volume on iSCSI
Operating System : Windows Server 2008 R2 Enterprise edition..updates in progress
Mounting SAN volume for the mailbox database to store
Installing Microsoft Exchange Server 2010 Enterprise mailbox server role (same step as it was before)…Done.
- Change the Mailbox path and log folder
- Then go to EMC
- Click mailbox on the organization level
- Click on Database Availability Group
- On the right panel, Select New Database Availability Group…
Now i want to explain what is this Witness Directory and Witness Server…because we have faced an unusual activity which is “Witness directory folder disappeared”..finding solution
Today 26 June @10am
ohhh….what a night mare…working on the production server and the new features are just giving us a hard time first but at the end of the day..its sweet
The witness server role is an optional role used to configure database mirroring. It is used to detect failure and failover. It can be configured by using the High Availability operating mode. The witness server serves multiple mirroring pairs. Mirroring pair includes one primary and one mirror database. If the primary database fails and the failure is confirmed by the witness server, the mirror database takes the primary role to serve the users of the database.
Now you creat a folder under one of the Hub&Cas server called “c:\FSW-DAG” and then point this directory to the wizard above.
The following combinations of options and behaviors are available:
- You can specify only a name for the DAG and leave the Witness Server and Witness Directory check boxes cleared. In this scenario, the wizard will search for a Hub Transport server that doesn’t have the Mailbox server role installed. It will automatically create the default directory and share on that Hub Transport server and use that server as the witness server.
- You can specify a name for the DAG, the witness server that you want to use, and the directory you want created and shared on the witness server.
- You can specify a name for the DAG and the witness server that you want to use, and leave the Witness Directory check box cleared. In this scenario, the wizard will create the default directory on the specified witness server.
- You can specify a name for the DAG, leave the Witness Server check box cleared, and specify the directory you want created and shared on the witness server. In this scenario, the wizard will search for a Hub Transport server that doesn’t have the Mailbox server role installed, and it will automatically create the specified directory on that server, share the directory, and use that Hub Transport server as the witness server.
If the witness server you specify isn’t an Exchange 2010 server, you must add the Exchange Trusted Subsystem universal security group to the local Administrators group on the witness server. These security permissions are necessary to ensure that Exchange can create a directory and share on the witness server as needed. If the proper permissions aren’t configured, the following error is returned:
Error: An error occurred during discovery of the database availability group topology. Error: An error occurred while attempting a cluster operation. Error: Cluster API “AddClusterNode() (MaxPercentage=12) failed with 0x80070005. Error: Access is denied.”
If you specify a witness server, you must use either a host name or a fully-qualified domain name (FQDN). Using an IP address or a wildcard name isn’t supported. In addition, the witness server cannot be a member of the DAG.
Once you finish this wizard configuration, just go and see the Witness server whether the folder is there or not..it will not be there..Do not panic..the reason for this is “The file share witness directory & share will only show up on whatever server you configured it for (a hub transport is suggested since it is easy and usually fully under the Exchange admin’s control [Exchange Trusted Subsystem] ) once you start adding mailbox servers to the DAG and only when there are an even number of mailbox servers in the DAG so that the FSW can create a majority. If you have 1 server in the DAG the FSW won’t show up, but once you add the 2nd node to the DAG it will. If you add a 3rd node to the DAG you will see it disappear again. This ensures there is always an odd # of nodes in the ‘Majority Node Set’ cluster so that proper majority voting can take place and prevent split-brain cluster activation from happening”.
Today 27 June @10am
Alternatively you can create an “Alternate Witness Directory” and server..to do that goto EMS and type the following command
Set-DatabaseAvailabilityGroup -Identity <DAG name> -AlternateWitnessDirectory <Witness directory path> -AlternateWitnessServer <Alternate witness server name>
To verify these settings, go to the EMS and type Get-DatabaseAvailabilityGroup|fl
Set the IP address for the DAG, for that go to EMS and type Set-DatabaseAvailabilityGroup DAG -DatabaseAvailabilityGroupIpAddresses 10.10.10.10
To verify the settings. Type EMS command Get-DatabaseeAvailabilityGroup|fl and you will see the below portion, as per the IP assigned above.
Then go to DNS server and create the host with the name of the DAG with FQDN and the IP you just give.
Now go to EMC->Organization Configuration->Mailbox->rightclick on the DAG name from the Database Availability Group and select “Manage Database Availability Group Membership”
Click ADD..and select the Mailbox server which you just created (both of them) and then click Finish.
Now go to Database Management tab, Right click on the second mailbox you just created and select “Add Mailbox Database Copy…”
In this wizard, Type the Mailbox Database name, Select the server name where you want a copy of mailbox database, and the 3rd column, select the server that already have a copy and click add
This will start the Database copy, which called as DAG…
If you have any issues about exchange connectivity such as Auto discover, ECP, OAB, OWA, ActiveSync etc…click here for resolutions
For Exchange Server 2010 SP1 installation and/or Rollup updates installation, Click here.