Upgrading to Exchange Server 2007: Part 2

Jaap completes his series on the necessary steps to migrate an existing installation of Exchange to Exchange Server 2007. He deals with the problems of installing the Hub Transport server, moving policies and mailboxes and decommissioning the old servers

In my previous article I explained how to upgrade an existing Exchange Server 2003 environment to a new Exchange Server 2007 environment. Two new servers were introduced, a combined Client Access Server / Hub Transport Server and a dedicated Mailbox server. The Client Access Server was given a new Subject Alternative Name (SAN) certificate. Because the Exchange Server 2007 Mailbox server is part of the same Exchange organization, it hosts a Public Folder database next to its Mailbox database. After the introduction of the Exchange Server 2007 servers the environment looks like this:

678-image002.jpg

Figure1. A combined Exchange Server 2003 / Exchange Server 2007 environment

Now that Exchange Server 2007 has been introduced into the environment and is fully up and running, it is time to start moving resources from Exchange Server 2003 to Exchange Server 2007. This includes:

  • Changing the Internet e-mail acceptance;
  • Changing the Internet-facing Client Access;
  • Replicating Public Folders and System Folders to Exchange Server 2007;
  • Moving the Recipient Policies;
  • Moving mailboxes;
  • Removing the Exchange Server 2003 servers.

Changing the Internet e-mail acceptance

During the installation of the Exchange Server 2007 Hub Transport server a Routing Group Connector is automatically created between the Hub Transport Server and the Exchange Server 2003 Front-End Server. Messages between both versions of Exchange flow via this Routing Group Connector. Before the inbound SMTP flow (from the Internet) can be changed there are two configuration issues that need to be solved. Please note that the Routing Group Connector is only created automatically when the Hub Transport Server is installed using the GUI. If the Hub Transport Server is installed from the command prompt with Setup.com, the connector is only created when the /LegacyRoutingServer parameter is supplied; otherwise it has to be created afterwards with the New-RoutingGroupConnector cmdlet. Either way, verify with Get-RoutingGroupConnector that the connector exists before you continue.

By default the Hub Transport Server does not accept anonymous connections. This means that inbound SMTP connections from the Internet are not accepted. This can be changed by adding “Anonymous users” to the Permissions Groups of the default receive connector on the Hub Transport Server.

678-image004.jpg

Figure2. Add the anonymous users to the Permission Groups

The reason for this is the possible deployment of an Exchange Server 2007 Edge Transport server. That server, typically installed in the network's Demilitarized Zone (DMZ), does accept anonymous connections by default. The connection between the Edge Transport and the Hub Transport server is then not anonymous but authenticated, of the type "Exchange Servers". Without an Edge server the Hub Transport server is the first hop from the Internet and has to accept anonymous sessions itself. Note that adding Anonymous users to the receive connector only lets them submit mail for your own accepted domains; it does not turn the server into an open relay, because anonymous senders do not receive the ms-Exch-SMTP-Accept-Any-Recipient permission.

Depending on your company's anti-spam policies and solution you might want to enable the anti-spam services on the Hub Transport Server. Microsoft supplies a script that enables all anti-spam agents. The script is called 'install-AntiSpamAgents.ps1' and is located in C:\Program Files\Microsoft\Exchange Server\Scripts. Open an Exchange Management Shell window, go to this directory and execute the script to enable the anti-spam agents on this Hub Transport Server.

Note. The default installation path is C:\Program Files\Microsoft\Exchange Server\Scripts, but Exchange Server 2007 can be installed in another location. The Exchange Management Shell therefore provides a variable called $exscripts that always points to the Scripts directory: just open the Exchange Management Shell and type CD $exscripts.

Do not forget to restart the Microsoft Exchange Transport service on this Hub Transport Server after running the Install-AntiSpamAgents.ps1 script; the agents are registered by the script but are not loaded until the service restarts.

When opening the Exchange Management Console and selecting the Hub Transport under the Organization Configuration, a new tab will appear in the results pane with Anti-Spam. Here you can change the anti-spam settings like Content Filtering, IP Allow list, IP Block list, Recipient Filtering etc.

678-image006.jpg

Figure3. The new anti-spam tab after enabling the anti-spam options

After making these changes the inbound SMTP mail flow can be changed. Depending on the infrastructure, you either change the IP address of the host record that the MX record in public DNS points to, or change the port forwarding (TCP port 25) on your firewall. In either case the traffic has to end up at the IP address of the Exchange Server 2007 Hub Transport Server. After the change you can check new messages in Outlook by looking at the Internet message headers: the topmost Received: header will clearly show the name and IP address of the new Hub Transport Server. Keep the old path working until the DNS change has propagated (the TTL of the old record has expired), otherwise mail from senders that still resolve the old address is refused.

By default Exchange Server 2007 does not allow internal clients such as web servers, printers or applications to relay SMTP traffic. If you want to implement an anonymous connector for relaying SMTP traffic please visit the following Microsoft article: http://technet.microsoft.com/en-us/library/bb232021.aspx
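The same steps from the Exchange Management Shell, as an added example that is not part of the original article. The server name HUB01, the connector names and the application server address 192.168.10.50 are assumptions. The last part is the dedicated relay connector from the Microsoft article referenced above: a separate connector restricted to one source address is the only place where anonymous senders should ever be granted the relay permission.

```powershell
# Added example, not from the original article. HUB01, the connector names
# and 192.168.10.50 are assumptions; run this in the Exchange Management Shell.
$hub = "HUB01"

# 0. The Routing Group Connector to Exchange Server 2003 must exist in both
#    directions; without it, mail between the two versions does not flow.
Get-RoutingGroupConnector | Format-Table Name, SourceRoutingGroup, TargetRoutingGroup

# 1. Let the default receive connector accept anonymous (Internet) sessions.
#    Keep the permission groups that are already there and only add AnonymousUsers.
$conn   = Get-ReceiveConnector -Identity "$hub\Default $hub"
$groups = @($conn.PermissionGroups.ToString().Split(",") | ForEach-Object { $_.Trim() })
if ($groups -notcontains "AnonymousUsers") {
    $groups += "AnonymousUsers"
    Set-ReceiveConnector -Identity $conn.Identity -PermissionGroups ([string]::Join(",", $groups))
}

# 2. Check that this did NOT create an open relay: relaying requires the extended
#    right ms-Exch-SMTP-Accept-Any-Recipient, which anonymous users do not get on
#    the default connector. This should return nothing.
Get-ReceiveConnector -Server $hub | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
    Where-Object { "$($_.ExtendedRights)" -match "Accept-Any-Recipient" } |
    Format-Table Identity, ExtendedRights

# 3. Enable the anti-spam agents ($exscripts points to the Scripts folder),
#    restart the transport service and confirm the agents are loaded.
Set-Location $exscripts
.\install-AntiSpamAgents.ps1
Restart-Service MSExchangeTransport
Get-TransportAgent | Format-Table Identity, Enabled, Priority

# 4. Optional: a separate relay connector for one internal application server,
#    bound to port 25 but limited to that server's address. Only this connector
#    grants anonymous relay, and only to that one source.
New-ReceiveConnector -Name "Internal relay" -Server $hub -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges "192.168.10.50" `
    -PermissionGroups AnonymousUsers
Get-ReceiveConnector -Identity "$hub\Internal relay" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
```

Run step 2 again after step 4: the only connector it should now list is "Internal relay". If the default connector shows up, the relay right was granted on the wrong connector and the server is relaying for the whole Internet.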

Changing the Internet facing Client Access

You always have to remember that an Exchange Server 2003 front-end server is not compatible with an Exchange Server 2007 mailbox server. This means that you have to move to the Exchange Server 2007 Client Access Server before you move any mailboxes to Exchange Server 2007.

In the previous article a new certificate for the Client Access Server was already requested and installed. The certificate that needs to be used is a "Unified Communications" certificate, also known as a SAN (Subject Alternative Name) certificate or an Exchange 2007 certificate. A certificate like this can contain multiple Fully Qualified Domain Names, so a single certificate covers the external name, the Autodiscover name and the internal server name.

678-image008.gif

Figure 4. A Unified Communications Certificate from Digicert containing multiple names

The certificate used for this environment is from Digicert (www.digicert.com); its root certificate is trusted by most clients, such as Windows (Internet Explorer), Windows Mobile (for ActiveSync) and Outlook (for Outlook Anywhere).

Now that the certificate is right for usage with Exchange Server 2007 the following services have to be configured correctly on the Exchange Server 2007 Client Access Server:

  • Outlook Web Access;
  • ActiveSync;
  • Outlook Anywhere.

To configure the client settings navigate to Client Access under Server Configuration in the console tree of the Exchange Management Console. When you open the properties of the OWA virtual directory on the Client Access Server, the General tab lets you set the Internal URL as well as the External URL. On the Authentication tab you select how users have to log on. With forms-based authentication you can choose between Domain\UserName, User Principal Name (for example jaapw@inframan.nl) or UserName only; in the last case you also have to enter the default logon domain.

The next step is to edit the properties of the Microsoft-Server-ActiveSync virtual directory. This virtual directory is used by Windows Mobile clients for accessing the e-mail information. Like the OWA Virtual directory you have to enter both the Internal URL as well as the External URL. The External URL, in this example https://webmail.inframan.nl/Microsoft-Server-ActiveSync should have a valid certificate that is recognized by the PDA.

There is an issue with the certificates, though, even with commercial ones. When requesting the certificate using the New-ExchangeCertificate cmdlet you have to enter the domain name ("webmail.inframan.nl") in the -SubjectName option, but you also have to include it in the -DomainName option. This results in the FQDN appearing both in the Subject Name and in the Subject Alternative Names (see Figure 4), and it will cost you an extra credit when requesting the certificate from your provider. It should also be the first name in the Subject Alternative Names field. If you fail to do so the Windows Mobile devices will contact the Client Access Server but will not accept the certificate, which leads to error 0x80072f06 on the Windows Mobile device.

Note. If you have an interim situation where PDAs access the Exchange Server 2007 Client Access Server while the user's mailbox is still on Exchange Server 2003, you have to change the authentication on the Microsoft-Server-ActiveSync virtual directory on the Exchange Server 2003 mailbox server. By default only 'Basic Authentication' is selected on that virtual directory, but in the interim scenario you also have to select 'Integrated Windows' authentication, because the Client Access Server proxies the request to the mailbox server with that method.

Outlook Anywhere, previously known as RPC over HTTP, has to be enabled on the Exchange Server 2007 Client Access Server. In the actions pane (on the right side) of the Exchange Management Console you can select "Enable Outlook Anywhere"; the button to enable it is somewhat hidden. Enter the external hostname (e.g. webmail.inframan.nl) and select the authentication method (Basic or NTLM). Remember this setting in case you want to manually configure the Outlook 2003 or 2007 clients: in the Outlook profile you also have to select the authentication method. If the client's setting doesn't match the server's, the client will not be authenticated and the user will not be able to connect to his or her mailbox.

If you have changed all the settings mentioned above according to your own situation and company policy you can change the firewall settings so that external clients reach the new Exchange Server 2007 Client Access Server (TCP port 443 is all that is needed). All requests will now be accepted by the Exchange Server 2007 Client Access Server and proxied to the old Exchange Server 2003 mailbox server.
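The certificate request and the three client services configured from the Exchange Management Shell, as an added example that is not part of the original article. CAS01, the internal name cas01.inframan.local, the external name webmail.inframan.nl and the file paths are assumptions; the point of the request is the ordering of the names, which is what the Windows Mobile error above is about.

```powershell
# Added example, not from the original article. CAS01, cas01.inframan.local,
# webmail.inframan.nl and the file paths are assumptions.
$cas      = "CAS01"
$internal = "cas01.inframan.local"
$external = "webmail.inframan.nl"

# 1. Certificate request. The external name is the subject AND the first
#    -DomainName entry: Windows Mobile only accepts the certificate when the
#    name it connects to is the first Subject Alternative Name.
New-ExchangeCertificate -GenerateRequest -Path "C:\certreq.txt" -KeySize 2048 `
    -SubjectName "c=NL, o=Inframan, cn=$external" `
    -DomainName $external, "autodiscover.inframan.nl", $internal, $cas `
    -PrivateKeyExportable $true
# Once the CA has returned the certificate, import it and bind it to IIS and SMTP:
#   Import-ExchangeCertificate -Path "C:\webmail.cer" | Enable-ExchangeCertificate -Services "IIS, SMTP"

# 2. Check: the certificate bound to IIS must list the external name first.
Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match "IIS" } |
    Format-List Thumbprint, Subject, CertificateDomains, NotAfter

# 3. OWA: URLs and logon format. Forms-based authentication is on by default;
#    with LogonFormat UserName the users need a default domain.
Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" `
    -InternalUrl "https://$internal/owa" -ExternalUrl "https://$external/owa" `
    -LogonFormat UserName -DefaultDomain "inframan"

# 4. ActiveSync: the same two URLs on the Microsoft-Server-ActiveSync directory.
Set-ActiveSyncVirtualDirectory -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$internal/Microsoft-Server-ActiveSync" `
    -ExternalUrl  "https://$external/Microsoft-Server-ActiveSync"

# 5. Outlook Anywhere. The authentication method chosen here must match the
#    Outlook profile. Basic credentials only ever travel inside the SSL session.
Enable-OutlookAnywhere -Server $cas -ExternalHostname $external `
    -ExternalAuthenticationMethod Basic -SSLOffloading $false

# 6. Review the result before opening the firewall (TCP 443 to the CAS only).
Get-OwaVirtualDirectory        -Server $cas | Format-List InternalUrl, ExternalUrl, LogonFormat, DefaultDomain
Get-ActiveSyncVirtualDirectory -Server $cas | Format-List InternalUrl, ExternalUrl
Get-OutlookAnywhere            -Server $cas | Format-List ExternalHostname, ExternalAuthenticationMethod
```

The internal server name is included in the request so that Outlook 2007 clients on the LAN, which connect to the internal URLs, do not get a name mismatch warning either.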

Replicate Public Folders and System Folders to Exchange Server 2007

The next step in the migration process is to move the Public Folders from Exchange Server 2003 to Exchange Server 2007. If you are only using the System Folders in the Public Folders, i.e. the Free/Busy information and the Offline Address Book distribution, you can follow the standard Microsoft approach of replicating these folders from Exchange Server 2003 to Exchange Server 2007.

The Exchange Server 2003 Public Folder database has to replicate its information to the Exchange Server 2007 Public Folder database and vice versa. In a coexistence scenario where mailboxes reside both on Exchange Server 2003 and on Exchange Server 2007, everybody will then be able to see each other's free/busy information.

To start replicating the Free/Busy information from Exchange Server 2003 logon to this server using the administrator credentials and open the Exchange System Manager. Navigate to the Public Folder Database and under Public Folders open the properties of the “Schedule+ Free Busy Information”. Select the Replication tab and using the Add button add the Exchange 2007 Public Folder Database to the replication list. Repeat the same steps for the Offline Address Book folders to Add the Exchange 2007 Public Folder Database to the replication list.

678-image010.jpg

Figure5. On the Exchange 2003 server add the Exchange Server 2007 Public Folder database to the replication list

The Public Folder information has to be replicated from Exchange Server 2007 to the Exchange Server 2003 Public Folder database as well. To do this logon to the Exchange Server 2007 using the administrator credentials and open the Exchange Management Console. In the console tree select the Toolbox and in the results pane select the Public Folder Management Console. If no default server is selected then select the Exchange 2007 Mailbox server as the default server.

In the Public Folders tree navigate to the System Public Folders and navigate down the tree to the Schedule+ Free Busy Information. Open the properties of this folder, select the Replication tab and add the Exchange 2003 Public Folder to the replication list.

678-image012.jpg

Figure6. Add the Exchange 2003 Public Folder Database to the replication list

During the replication you will see that the free/busy information from the “other” server will appear in the System Public Folder list. This can take some time to complete though. To improve the replication speed change the Public Folder replication interval to “always” and the “replication message priority” to high.

If you are using “normal” Public Folders you have to replicate the Public Folder hierarchy from Exchange Server 2003 to Exchange Server 2007 as well as the actual content of the Public Folders that your users are using. To achieve this you can use the Public Folder Migration Tool which is available from the Microsoft download site. You can use the Migration Tool to replicate Public Folders from Exchange Server 2003 to Exchange Server 2007.

The latest version of the Deployment Tools is available on the Microsoft download site: Microsoft Exchange Server Deployment Tools. (Editor’s note: the tools have been deprecated and replaced with the Exchange Server Deployment Assistant).
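The replication setup for both the system folders and the normal public folders from the Exchange Management Shell, as an added example that is not part of the original article. EX2003 (the Exchange Server 2003 server with its Public Folder Store) and MBX2007 (the Exchange Server 2007 mailbox server with the database "Public Folder Database") are assumptions; the AddReplicaToPFRecursive.ps1 script used here ships in the Exchange Server 2007 Scripts folder.

```powershell
# Added example, not from the original article. EX2003, MBX2007 and the
# database name are assumptions; run this in the Exchange Management Shell.
$old   = "EX2003"
$new   = "MBX2007"
$newDb = "$new\Public Folder Database"

# 1. Replication schedule on the 2007 database: replicate continuously while the
#    migration runs (the 2003 side is set to "Always" in the System Manager).
Set-PublicFolderDatabase -Identity $newDb -ReplicationSchedule Always

# 2. System folders: add the 2007 database as a replica of free/busy and the OAB
#    folders. AddReplicaToPFRecursive.ps1 ships in $exscripts and walks the subtree,
#    so the per-administrative-group subfolders are covered too.
Set-Location $exscripts
.\AddReplicaToPFRecursive.ps1 -Server $old -TopPublicFolder "\NON_IPM_SUBTREE\SCHEDULE+ FREE BUSY" -ServerToAdd $new
.\AddReplicaToPFRecursive.ps1 -Server $old -TopPublicFolder "\NON_IPM_SUBTREE\OFFLINE ADDRESS BOOK" -ServerToAdd $new

# 3. "Normal" public folders: the same for the whole IPM subtree.
.\AddReplicaToPFRecursive.ps1 -Server $old -TopPublicFolder "\" -ServerToAdd $new

# 4. Push the hierarchy and the content instead of waiting for the schedule.
Update-PublicFolderHierarchy -Server $new
Get-PublicFolder -Identity "\" -Server $new -Recurse -ResultSize Unlimited |
    ForEach-Object { Update-PublicFolder -Identity $_.Identity -Server $new }

# 5. Check: every folder should now list both databases as replicas, and the
#    item counts on the 2007 side should climb until they match the 2003 side.
Get-PublicFolder -Identity "\NON_IPM_SUBTREE\SCHEDULE+ FREE BUSY" -Server $new -Recurse |
    Format-Table Identity, Replicas
Get-PublicFolderStatistics -Server $new | Format-Table Name, ItemCount, TotalItemSize
```

Adding a replica never removes one, so step 3 is safe to run more than once. Replica removal is deliberately left to the decommissioning phase, after the content has been confirmed on the new server.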

Move the Recipient Policies

In Exchange Server 2003 there's a service called "Recipient Update Service" or RUS that is responsible for setting Exchange-related information on users when they are mailbox-enabled. In Exchange Server 2007 the RUS no longer exists and its functionality is now delivered by an "E-mail Address Policy". This policy is responsible for stamping e-mail addresses on Exchange recipients such as mailboxes. The Exchange Server 2003 Recipient Policies need to be upgraded to E-mail Address Policies, which means their LDAP filter is replaced by an OPATH filter. Only after the upgrade are you able to manage them using the Exchange Management Console; if a policy is not upgraded, an alert is shown when you try to open it in the Exchange Management Console:

678-image014.jpg

Figure7. Error message when a Recipient Policy is opened on an Exchange Server 2007 Management Console

Before you continue with changing the Recipient Policies it’s a good time to run the Exchange Best Practices Analyzer to see if your environment is in good shape. The following steps are one way only, there’s no way back so you have to make sure everything is running fine!

You have to change all Recipient policies using the Exchange Management Shell. This is one example of an action that cannot be performed with the Exchange Management Console. You can retrieve a list of all Recipient Policies in your Exchange environment using this command in an Exchange Management Shell window:

This output can be used as input for the Set-EmailAddressPolicy cmdlet using the pipe functionality of the Exchange Management Shell. This results in the following command:

The last things that need to be converted are the Address Lists. Exchange Server 2003 Address Lists cannot be managed by the Exchange Server 2007 Management Console and vice versa. Like the Recipient Policies, the Address Lists can only be converted using the Exchange Management Shell. In an Exchange Management Shell window enter the following commands:

For each command a confirmation needs to be given and the object will be upgraded. After the upgrade it won’t be possible anymore to manage the Address Lists from an Exchange Server 2003 System Manager.

For more detailed information regarding the upgrade of Recipient Policies and Address Lists visit the blog of the Microsoft Exchange product team: http://msexchangeteam.com/archive/2007/01/11/432158.aspx – Address List and EAP filter upgrades with Exchange Server 2007
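The upgrade commands for the policies and the address lists, as an added example that is not part of the original article. They follow the sequence in the Exchange team blog post referenced above; the policy and list names are the Exchange defaults, and the "Sales" policy with its CustomAttribute1 filter is a hypothetical illustration of a policy whose custom LDAP filter has to be rewritten by hand.

```powershell
# Added example, not from the original article. The default policy and list
# names are Exchange's own; the "Sales" policy and its filter are hypothetical.

# 1. Which objects still carry a legacy LDAP filter? Before the upgrade all of
#    them show RecipientFilterType = Legacy. Keep this output: the LDAP filter
#    is what the new OPATH filter has to reproduce.
Get-EmailAddressPolicy | Where-Object { $_.RecipientFilterType -eq "Legacy" } |
    Format-Table Name, LdapRecipientFilter
Get-AddressList | Where-Object { $_.RecipientFilterType -eq "Legacy" } |
    Format-Table Name, LdapRecipientFilter
Get-GlobalAddressList | Where-Object { $_.RecipientFilterType -eq "Legacy" } |
    Format-Table Name, LdapRecipientFilter

# 2. E-mail address policies. The default policy applies to all recipients; a
#    policy with a custom LDAP filter must be rewritten as an OPATH filter.
Set-EmailAddressPolicy -Identity "Default Policy" -IncludedRecipients AllRecipients
Set-EmailAddressPolicy -Identity "Sales" -RecipientFilter { CustomAttribute1 -eq "Sales" }

# 3. Default address lists and the global address list.
Set-AddressList -Identity "All Users"      -IncludedRecipients MailboxUsers
Set-AddressList -Identity "All Groups"     -IncludedRecipients MailGroups
Set-AddressList -Identity "All Contacts"   -IncludedRecipients MailContacts
Set-AddressList -Identity "Public Folders" -RecipientFilter { RecipientType -eq "PublicFolder" }
Set-GlobalAddressList -Identity "Default Global Address List" -RecipientFilter {
    (Alias -ne $null -and (ObjectClass -eq "user" -or ObjectClass -eq "contact" -or
     ObjectClass -eq "msExchSystemMailbox" -or ObjectClass -eq "msExchDynamicDistributionList" -or
     ObjectClass -eq "group" -or ObjectClass -eq "publicFolder"))
}

# 4. Check: nothing should report Legacy any more, and a rewritten filter should
#    select the same recipients the LDAP filter did (compare the counts).
Get-EmailAddressPolicy | Format-Table Name, RecipientFilterType, RecipientFilter
Get-AddressList        | Format-Table Name, RecipientFilterType, RecipientFilter
(Get-Recipient -RecipientPreviewFilter (Get-EmailAddressPolicy "Sales").RecipientFilter | Measure-Object).Count
```

Each Set-* command asks for confirmation because the upgrade is one-way. Do the preview in step 4 for every custom policy before you let the policy be applied: a filter that selects too many recipients stamps them with the wrong addresses, and a filter that selects too few leaves them without.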

Moving Mailboxes from 2003 to 2007

Now that everything is in place and working correctly it’s time to start moving mailboxes from Exchange Server 2003 to Exchange Server 2007. This can only be done on the Exchange Server 2007 side using the Exchange Management Console or the Exchange Management Shell. The latter one can be very useful if you want to write scripts to move mailboxes from Exchange Server 2003 to Exchange Server 2007 in bulk.

In the Exchange Server 2007 Management Console select the mailboxes you want to move, right-click your selection and choose "Move Mailbox". After selecting the appropriate Mailbox Database (if you have multiple) the Move Mailbox process starts. This is usually not a very fast process and for large mailboxes it can take a serious amount of time. Currently I'm working on a project where we are moving approximately 25,000 mailboxes with around 12TB of data. This will take weeks and weeks to finish…

It is also possible to move mailboxes using the Exchange Management Shell. With the Shell you can make custom queries and use their output as the input for the Move-Mailbox cmdlet. To move my own mailbox the following command is used:

This will select my mailbox (on the Exchange Server 2003 mailbox server) and move it to the Mailbox Database on the Exchange Server 2007 mailbox server.

678-image016.jpg

Figure8. Moving my own mailbox using the Exchange Management Shell to Exchange Server 2007

The last thing that has to be moved to the new Exchange Server 2007 environment is the Offline Address Book generation. To do this open the Exchange Management Console on an Exchange Server 2007 server and navigate to the Mailbox section under the Organization Configuration. Select the Offline Address Book tab and right-click the Default Offline Address Book. The second option lets you select a new Offline Address Book generation server, which should be the Exchange Server 2007 mailbox server.

Note. For several steps in this article you have to wait for replication to finish. This applies to Active Directory replication as well as Public Folder replication. It is also possible, as with the Offline Address Book generation, that a process runs only once a day, for example in the middle of the night. If you move through the steps too quickly you can miss some actions, which can result in erratic behaviour.
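A bulk move from the Exchange Management Shell followed by the Offline Address Book move, as an added example that is not part of the original article. EX2003, MBX2007, the database path, the Sales organizational unit used to select one batch and the report path are assumptions.

```powershell
# Added example, not from the original article. EX2003, MBX2007, the database
# path, the OU and the report path are assumptions.
$old    = "EX2003"
$target = "MBX2007\First Storage Group\Mailbox Database"

# 1. Select one batch: mailboxes still on the legacy server, here one OU at a
#    time. -ResultSize Unlimited lifts the default cap of 1000 results, which
#    would otherwise silently truncate a large batch.
$batch = Get-Mailbox -Server $old -OrganizationalUnit "inframan.local/Sales" -ResultSize Unlimited |
    Sort-Object Alias

# 2. Dry run: -ValidateOnly checks source, target, quotas and permissions of
#    every mailbox in the batch without moving anything.
$batch | Move-Mailbox -TargetDatabase $target -ValidateOnly

# 3. The real move: up to 10 corrupt items per mailbox are skipped (and logged),
#    four mailboxes at a time, with an XML report for the batch.
$batch | Move-Mailbox -TargetDatabase $target -BadItemLimit 10 -MaxThreads 4 `
    -ReportFile "C:\MoveLogs\sales.xml" -Confirm:$false

# 4. Check: the batch should be gone from the old server and present in the
#    new database.
(Get-Mailbox -Server $old -OrganizationalUnit "inframan.local/Sales" -ResultSize Unlimited | Measure-Object).Count
Get-Mailbox -Database $target -ResultSize Unlimited | Format-Table Name, Database

# 5. Move the Offline Address Book generation, regenerate it right away instead
#    of waiting for the nightly schedule, and confirm the new generation server.
Move-OfflineAddressBook -Identity "Default Offline Address Book" -Server "MBX2007"
Update-OfflineAddressBook -Identity "Default Offline Address Book"
Get-OfflineAddressBook | Format-Table Name, Server, LastTouchedTime
```

Read the report file before moving the next batch: a mailbox that hit the bad-item limit is left on the source server and only shows up there.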

Removing the Exchange Server 2003 servers

Before decommissioning the Exchange Server 2003 mailbox server the Public Folders have to be moved. Logon to the Exchange Server 2003 server and start the Exchange System Manager. Select the Public Folder database on this server and right-click the object. Select "Move All Replicas" to have everything replicated to an Exchange Server 2007 Public Folder database in your Exchange organization. This can take several hours to complete! Until it has completed you will not be able to remove the Public Folder database from the server.

The Public Folder tree itself should also be moved to the new Exchange Server 2007 administrative group. Logon to the Exchange Server 2003 server and open the Exchange System Manager. Expand the Administrative Groups, right-click "Exchange Administrative Group (FYDIBOHF23SPDLT)", select "New" and select "Public Folders Container".

Then expand the old “First Administrative Group”, expand “Folders” and move the Public Folders tree to the Public Folders container you created in the previous step.

The next step in our process is to remove the Routing Group Connector that connects both Exchange versions. This can only be done after the Public Folders are removed from Exchange Server 2003, since the replication process uses this connector! Make sure that the queues for this connector are empty so no messages get lost.

You can remove the Routing Group Connector either with the Exchange System Manager on Exchange Server 2003 or with the Exchange Management Shell (Remove-RoutingGroupConnector) on Exchange Server 2007. On the Exchange Server 2007 side this is another example of a task that can only be done from the Exchange Management Shell; the Exchange Management Console has no option for it. Since all protocols have already been redirected to the Hub Transport Server or the Client Access Server we can uninstall the Exchange Server 2003 front-end server. Go to the Control Panel, select Add/Remove Programs and remove Exchange Server 2003. Please note that you need the installation media to finish the removal of the Exchange Server!

The Recipient Update Service is the next thing to remove from the Exchange Server 2003 server. Open the Exchange System Manager and in the Recipients container select the Recipient Update Service (domain). Right-click this Recipient Update Service and select "Delete". The Enterprise Recipient Update Service cannot be removed with the Exchange System Manager; for that you have to use ADSIEdit.

Open ADSIEdit and open the Configuration container in Active Directory. Navigate to the "CN=Recipient Update Services,CN=Address Lists Container,CN=Inframan,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=inframan,DC=local" container. There you'll find the Recipient Update Service (Enterprise) object. Right-click this object and select "Delete".

Note. Using ADSIEdit can be disastrous if it is not used properly. Rather than deleting the object straight away, you can temporarily point it at the Exchange Server 2007 server until you have finished the complete process, and delete it afterwards. Once it is deleted there is no way back, so if something goes wrong after that you're in trouble.

The Exchange Server 2003 mailbox server is now the last Exchange 2003 server in our organization and ready to be removed. Open Control Panel, select “Add/Remove Programs” and remove Exchange Server 2003 from this server. Again make sure that you have the installation media available during the remove process.

The last step is to remove the Write DACL right of the Exchange Servers group from the root of the domain. This can be achieved by running the following command in the Exchange Management Shell on an Exchange Server 2007 server:

All legacy Exchange Domain Servers and Exchange Enterprise Servers security groups can now be deleted from Active Directory. Please make sure that they are empty and not in use for other purposes!
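The decommissioning steps that have a shell counterpart, in order, as an added example that is not part of the original article. EX2003 (the last legacy server), MBX2007, HUB01, the domain inframan.local and the group name INFRAMAN\Exchange Servers are assumptions; the MoveAllReplicas.ps1 script ships in the Exchange Server 2007 Scripts folder, and the Remove-ADPermission call is the shell form of the Write DACL removal, so check the identity and group name against the TechNet article referenced below before running it.

```powershell
# Added example, not from the original article. EX2003, MBX2007, HUB01,
# inframan.local and INFRAMAN\Exchange Servers are assumptions.
$old = "EX2003"
$new = "MBX2007"
$hub = "HUB01"

# 1. Move all public folder replicas off the legacy server; this is the shell
#    counterpart of "Move All Replicas" in the Exchange System Manager.
Set-Location $exscripts
.\MoveAllReplicas.ps1 -Server $old -NewServer $new

# 2. Do not continue until no folder (system folders included) lists the old
#    store as a replica any more; replication still runs over the Routing
#    Group Connector until then. An empty result means it is safe to go on.
$left = @("\", "\NON_IPM_SUBTREE") | ForEach-Object {
    Get-PublicFolder -Identity $_ -Server $new -Recurse -ResultSize Unlimited } |
    Where-Object { ($_.Replicas | Where-Object { "$_" -match $old }) }
$left | Format-Table Identity, Replicas

# 3. Routing Group Connector: the queues must be empty first, then remove the
#    connectors (setup created one per direction, so there are two).
Get-Queue -Server $hub | Where-Object { $_.MessageCount -gt 0 } | Format-Table Identity, MessageCount
Get-RoutingGroupConnector | Remove-RoutingGroupConnector -Confirm:$false

# 4. Write DACL of the Exchange Servers group on the domain root: list the entry
#    first so you see exactly what goes, then remove only that right.
$root = "DC=inframan,DC=local"
Get-ADPermission -Identity $root -User "INFRAMAN\Exchange Servers" |
    Where-Object { "$($_.AccessRights)" -match "WriteDacl" } |
    Format-List Identity, User, AccessRights, IsInherited
Remove-ADPermission -Identity $root -User "INFRAMAN\Exchange Servers" -AccessRights WriteDacl

# 5. The legacy security groups must be empty before they are deleted from AD.
foreach ($g in "Exchange Domain Servers", "Exchange Enterprise Servers") {
    Get-Group -Identity $g | Format-List Name, Members
}
```

Step 4 is the security-relevant one: Write DACL on the domain root lets whoever controls that group rewrite permissions on the whole domain, which is why it must not be left behind after the last Exchange Server 2003 machine is gone. Re-run the Get-ADPermission line afterwards; it should return nothing.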

Note. When you check Active Directory with ADSIEdit you’ll notice that the old Exchange Server 2003 Administrative Group is still available, although empty. Do not remove this Administrative Group unless you’re absolutely sure there’s no object in Active Directory referencing this Administrative Group in the ExchangeLegacyDN attribute.

My personal opinion would be to just leave it there and not touch it. Nobody will see this Administrative Group and it does not bother anything else, so don't touch it.

More information regarding the removal of the last legacy Exchange Server can be found on the Microsoft website: http://technet.microsoft.com/en-us/library/bb288905.aspx –  How to Remove the Last Legacy Exchange Server from an Organization