Upgrading to Exchange Server 2007

Jaap starts a series on the necessary steps to migrate an existing installation of Exchange to Exchange Server 2007. Of course it's simple! Everybody says so, but it is in the detail where you can get caught out.

There are several reasons to migrate an existing Exchange Server 2003 setup to Exchange Server 2007. Besides the new features you get when Outlook 2007 is used in combination with Exchange Server 2007, some of the most compelling business cases are

  • the high-availability options for the mailbox servers
  • the scalability of the 64-bit architecture
  • the option to connect your PABX infrastructure to your messaging infrastructure.

Currently, I’m involved in consolidating and centralizing a 25,000-mailbox Exchange system and upgrading it to Exchange Server 2007. The customer intends this new Exchange Server 2007 environment to be the foundation for their Unified Messaging infrastructure.

Several papers available on the Internet about the transition to Exchange Server 2007 imply that it is a simple operation. But is it really that simple?

Exchange Server 2003 environment

Suppose we have an existing Exchange Server 2003 setup that consists of several mailbox servers in different places. There are also two Exchange servers configured as ‘front-end servers’. These run the same software as the mailbox servers, but they are configured as protocol proxy servers.

SMTP, Outlook Web Access and ActiveSync traffic (the latter originating from Windows Mobile devices) all enter the Exchange organization through the front-end servers. The front-end servers do not host mailboxes or public folders. For scalability and availability the front-end servers can be placed in a Network Load Balancing (NLB) cluster, so that the load from all clients is spread across several front-end servers behind one common namespace, for example webmail.inframan.nl.

The Exchange Server 2003 environment is running on a Windows Server 2003 environment in a single forest, single domain configuration. The Active Directory domain is running in Windows Server 2000 native mode.


Figure 1. The existing Windows Server 2003 and Exchange Server 2003 infrastructure

Internal Outlook 2003 clients connect directly to the Exchange Server 2003 mailbox server using the default MAPI protocol. The server that hosts the user’s mailbox is configured in the Outlook 2003 profile. Laptop users can either use a VPN connection to reach the internal network or use the ‘RPC over HTTPS’ functionality in Outlook 2003. A couple of clients are already using Outlook 2007, but because only Exchange Server 2003 is in use, new functionality such as ‘Autodiscover’ or the ‘Exchange Web Services’ for free/busy and Out-of-Office is not available. Home PCs use the Exchange Server 2003 Outlook Web Access. PDAs use the company’s preferred mobile carrier to reach the Exchange Server ActiveSync service.


Figure 2. Windows Mobile 6 working with an Exchange Server 2003

To protect the traffic from all outside clients, every external connection is made over SSL. This requires only a simple certificate with a single name, webmail.inframan.nl. If you are using Windows Mobile for ActiveSync in your Exchange environment, make sure that the certificate you’re using is one the devices actually trust: Windows Mobile ships with a limited set of trusted root certificates, and a certificate whose root (or intermediate) CA is not in the device’s store will work fine with desktop browsers but fail for ActiveSync and for Outlook RPC over HTTPS. With a certificate from a well-known CA, in this example Digicert, RPC over HTTPS and Windows Mobile work without problems.

Note: If you want to test your connectivity for Windows Mobile you can download the Windows Mobile emulator from Microsoft. This emulator can be run on any Windows computer and as long as you have network connectivity you can use the emulator. Figure 2 is a screenshot from my laptop running at home, while the Exchange 2003 environment is running in a datacenter 100 miles from my home, just over an ADSL connection. You can download the Windows Mobile emulator at Microsoft Device Emulator 3.0 — Standalone Release

In the Exchange 2003 organization there’s one Administrative Group. An Administrative Group is a management boundary. With Administrative Groups you can use ‘delegation of control’. Suppose there are multiple messaging departments in your organization, and each department has control over its own Exchange Servers. In this case you can use multiple Administrative Groups, one for each department. Every messaging administrator in a department has full control over his own Exchange Servers, and not over other departments’ Exchange Servers.

Upgrading to Exchange Server 2007

Exchange Server 2007 offers all kinds of new functionality:

  • Support for 64-bit hardware for better scalability
  • Autodiscover functionality for automatically configuring Outlook 2007 clients
  • Availability Services and web-based Offline Address Book distribution, replacing the free/busy and Offline Address Book downloads from Public Folders for Outlook 2007 and higher
  • Unified Messaging server role to connect your phone system (PABX) to your Exchange environment
  • Multiple server roles, for separation of functionality and better scalability

Exchange Server 2007 also uses a different administration model and a different routing model. Exchange Server 2007 can coexist with Exchange Server 2003, but this may require some significant changes to your environment.

The following steps need to be performed to prepare your Exchange Server 2003 environment for the implementation of Exchange Server 2007:

  • The Domain Controllers and Global Catalog servers need to be at Windows Server 2003 SP1 level or higher (this applies in particular to the schema master)
  • The Active Directory domain functional level needs to be ‘Windows 2000 native’ or higher
  • No Exchange Server 5.5 may exist in your Exchange organization. The Exchange organization therefore needs to be running in ‘native mode’, which can only be switched on once all Exchange 5.5 servers are gone
  • The Active Directory schema needs to be extended to support Exchange Server 2007
  • The Exchange organization (in the Active Directory Configuration container) needs to be upgraded to include the Exchange Server 2007 permissions and system objects
  • Each Active Directory domain needs to be upgraded to include the Exchange Server 2007 permissions and system objects.

When you have performed these steps it is good practice to run the Exchange Best Practices Analyzer (ExBPA) and perform an ‘Exchange 2007 Readiness Check’. This checks the current infrastructure for its readiness for Exchange Server 2007. ExBPA can be downloaded from the Microsoft website or from Microsoft Exchange Analyzers. When ExBPA confirms the readiness you can proceed with the actual configuration changes and the installation of Exchange Server 2007.


Figure 3. Exchange Best Practices Analyzer – Exchange 2007 Readiness Check

Upgrading the Active Directory

The first step in changing the configuration for Exchange Server 2007 is upgrading the Active Directory schema to the Exchange Server 2007 SP1 level. You do this by running setup.com from the Exchange Server 2007 installation media twice, at a command prompt on the Active Directory schema master.

The first run, with the /PrepareLegacyExchangePermissions switch, grants the permissions the Recipient Update Service in Exchange Server 2003 needs in order to continue to run correctly after the schema change. This must be performed before the actual upgrade of the schema, which is done by the second run, with the /PrepareSchema switch.

To check what version your schema is at, or to verify that the upgrade was successful, open the CN=ms-Exch-Schema-Version-Pt object in the Schema partition (CN=Schema,CN=Configuration,...) with a tool like ADSIEDIT or LDP.EXE. Its ‘rangeUpper’ attribute should have the value 11116 after the schema change. The attribute takes a different value for each Exchange version that has extended the schema:

  • Exchange Server 2000 RTM
  • Exchange Server 2000 service pack 3
  • Exchange Server 2003 RTM
  • Exchange Server 2003 service pack 2
  • Exchange Server 2007
  • Exchange Server 2007 service pack 1 (rangeUpper = 11116)

Note. If you have multiple domain controllers in your Exchange Server environment you have to wait for Active Directory replication to finish before going on; check the rangeUpper value on a domain controller other than the schema master to confirm that the new schema has actually replicated.


Figure 4. Check the schema version. This schema is at the Exchange Server 2007 SP1 level

After upgrading the schema, the current Exchange Server 2003 organization can be upgraded to Exchange Server 2007. This is done by running setup.com with the /PrepareAD switch from the Exchange Server 2007 installation media.

Running this command configures the global Exchange objects in Active Directory (residing in the Configuration container), creates the Exchange Universal Security Groups in the root of the forest and also prepares the domain it is run in, here inframan.local, for Exchange Server 2007.

This command also creates the Exchange 2007 Administrative Group called ‘Exchange Administrative Group (FYDIBOHF23SPDLT)’ and the Exchange 2007 Routing Group called ‘Exchange Routing Group (DWBGZMFD01QNBJR)’.

Note. For those wondering where FYDIBOHF23SPDLT and DWBGZMFD01QNBJR come from: take the string EXCHANGE12ROCKS and shift every character one position forward (E becomes F, X becomes Y, 1 becomes 2, etc.) for the Administrative Group, or one position backward (E becomes D, X becomes W, A wraps around to Z, etc.) for the Routing Group.

To verify that this step completed successfully, make sure that there is a new organizational unit (OU) in the root domain called Microsoft Exchange Security Groups. This OU should contain the following new Exchange USGs:

  • Exchange Organization Administrators
  • Exchange Recipient Administrators
  • Exchange View-Only Administrators
  • Exchange Servers
  • ExchangeLegacyInterop

After performing this step the new Administrative Group will show up in the Exchange System Manager on an ‘old’ Exchange Server 2003 machine (Figure 5).


Figure 5. An additional Administrative Group appears after preparing the Exchange 2003 organization

The last step in preparing your environment for the implementation of Exchange Server 2007 is to prepare the Active Directory domain or domains for Exchange Server 2007. A domain is prepared by running setup.com with the /PrepareDomain switch from the Exchange Server 2007 installation media (in a multi-domain forest, /PrepareDomain:<FQDN> for a specific domain, or /PrepareAllDomains to do them all in one go).

This step sets permissions on the Exchange Server container in Active Directory and creates a new Global Group called ‘Exchange Install Domain Servers’ in the domain where the command is run. It also assigns permissions for the Exchange Servers Universal Security Group (USG).

After performing these steps, Active Directory and the Exchange Server environment are fully prepared for the installation of the first Exchange Server 2007 server.
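As an added example, not code from the original article, the following PowerShell script runs the whole preparation sequence described above (legacy permissions, schema, organization, domain) and performs the checks the article does by hand with ADSIEDIT and LDP.EXE: it verifies the rangeUpper value on every domain controller before going on, and confirms that the Universal Security Groups exist after PrepareAD. The script assumes things the page does not state: it runs on the schema master as a member of Schema Admins and Enterprise Admins, the Exchange Server 2007 SP1 media is on D:\, and inframan.local is the only domain. The rangeUpper values for earlier versions are Microsoft’s documented ones; the page itself only gives 11116.

```powershell
# Added example; not code from the original article. Runs the preparation steps
# described above and performs the checks the article does with ADSIEDIT/LDP.EXE.
# Assumed (not stated on the page): run on the schema master as a member of Schema
# Admins and Enterprise Admins, Exchange 2007 SP1 media on D:\, single domain.

$setup = 'D:\setup.com'
$requiredSchema = 11116   # rangeUpper for Exchange Server 2007 SP1, as given in the article

# rangeUpper values for the versions the article lists. The page itself only states
# 11116; the other values are Microsoft's documented schema versions.
$schemaVersions = @{
    4397  = 'Exchange Server 2000 RTM'
    4406  = 'Exchange Server 2000 SP3'
    6870  = 'Exchange Server 2003 RTM'
    6936  = 'Exchange Server 2003 SP2'
    10628 = 'Exchange Server 2007 RTM'
    11116 = 'Exchange Server 2007 SP1'
}

function Invoke-ExchangeSetup([string]$Switch) {
    # setup.com returns a non-zero exit code when a preparation step fails
    Write-Host "Running: $setup $Switch"
    & $setup $Switch
    if ($LASTEXITCODE -ne 0) { throw "setup.com $Switch failed with exit code $LASTEXITCODE" }
}

function Get-ExchangeSchemaVersion([string]$DomainController) {
    # Read rangeUpper of CN=ms-Exch-Schema-Version-Pt, optionally from a specific DC
    $prefix = 'LDAP://'
    if ($DomainController) { $prefix = "LDAP://$DomainController/" }
    $rootDse  = [ADSI]($prefix + 'RootDSE')
    $schemaNc = [string]$rootDse.schemaNamingContext
    $versionObject = [ADSI]($prefix + 'CN=ms-Exch-Schema-Version-Pt,' + $schemaNc)
    return [int]"$($versionObject.rangeUpper)"
}

function Test-ExchangeSecurityGroups {
    # /PrepareAD creates the OU and these five USGs in the forest root domain
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $rootNc   = [string]$rootDse.rootDomainNamingContext
    $ou       = [ADSI]"LDAP://OU=Microsoft Exchange Security Groups,$rootNc"
    $expected = 'Exchange Organization Administrators', 'Exchange Recipient Administrators',
                'Exchange View-Only Administrators', 'Exchange Servers', 'ExchangeLegacyInterop'
    $present  = @($ou.Children | ForEach-Object { $_.Properties['cn'][0] })
    foreach ($group in $expected) {
        if ($present -notcontains $group) { throw "Universal security group '$group' is missing" }
    }
    Write-Host "All Exchange universal security groups exist under $rootNc"
}

# Steps 1 and 2: legacy permissions first, then the schema extension
Invoke-ExchangeSetup '/PrepareLegacyExchangePermissions'
Invoke-ExchangeSetup '/PrepareSchema'

# Do not continue until every domain controller has replicated the new schema
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
foreach ($dc in $domain.DomainControllers) {
    $version = Get-ExchangeSchemaVersion $dc.Name
    $label = $schemaVersions[$version]
    if (-not $label) { $label = 'unknown version' }
    Write-Host ('{0}: rangeUpper = {1} ({2})' -f $dc.Name, $version, $label)
    if ($version -ne $requiredSchema) {
        throw "$($dc.Name) has not received the Exchange 2007 SP1 schema yet; wait for replication and re-run"
    }
}

# Step 3: the organization (Configuration container, USGs, new admin and routing groups)
Invoke-ExchangeSetup '/PrepareAD'
Test-ExchangeSecurityGroups

# Step 4: the domain. /PrepareAD already prepares the domain it runs in; in a
# multi-domain forest run /PrepareDomain:<fqdn> for every other domain that will
# hold Exchange servers or recipients, or /PrepareAllDomains once.
Invoke-ExchangeSetup '/PrepareDomain'
```

The replication loop is the part worth keeping even if you run the setup.com switches by hand: PrepareAD run against a domain controller that still has the old schema fails half-way, and the order (legacy permissions before the schema change) matters because the Exchange 2003 Recipient Update Service otherwise loses the rights it needs.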

Installing the first Exchange Server 2007 server

Installing the first Exchange Server 2007 server should be done carefully: Exchange Server 2007 is backward compatible with Exchange Server 2003, but not the other way around. Exchange Server 2007 Client Access and Hub Transport servers can serve Exchange Server 2003 mailbox servers, but Exchange Server 2003 front-end servers cannot serve Exchange Server 2007 mailbox servers.

This means that when installing multiple Exchange Server 2007 servers into the Exchange Server 2003 environment, the first Exchange Server 2007 server to be installed needs to be a Client Access Server and a Hub Transport Server. In our scenario we will also install a dedicated Mailbox Server role, as depicted in Figure 6.


Figure 6. The infrastructure with the Exchange Server 2007 coexistence.

The first server that will be installed will be a combined Hub Transport and a Client Access Server. The prerequisites for running an Exchange Server 2007 server are:

  • An x64 version of Windows Server 2003 or Windows Server 2008. There is an x86 version of Exchange Server 2007 available, but this is only for test and development purposes; the x86 version is not supported in a production environment
  • .NET Framework 2.0
  • PowerShell 1.0
  • IIS 6.0 for the Client Access Server role. If only a Hub Transport Server is installed the IIS6 component isn’t needed, although installing it is useful for management purposes.


During the installation the setup program will ask how to connect to the existing infrastructure. A little background: Exchange Server 2007 is installed in a separate Administrative Group in the Exchange organization. Exchange Server 2007 does not use the routing infrastructure that Exchange Server 2000 and Exchange Server 2003 used for routing messages; instead it relies on the Active Directory site topology from Active Directory Sites and Services, the same topology Windows uses for Active Directory replication traffic. The Exchange Server 2007 routing model and the Exchange Server 2003 routing model are not compatible, so Exchange Server 2007 has a legacy Routing Group, just for connecting to an existing Exchange Server 2003 Routing Group. The answer to this setup question (on the command line, the /LegacyRoutingServer parameter) is used to create the legacy Routing Group Connector between Exchange Server 2003 and Exchange Server 2007. Messages between Exchange Server 2003 and Exchange Server 2007 are routed over this connector.

After installation of the Exchange Server 2007 Hub Transport and Client Access Server inbound messages will arrive on the new Hub Transport Server. Since all mailboxes still reside on the Exchange Server 2003 mailbox server all messages will be relayed to this server via the legacy Routing Group Connector.

Outlook Web Access (OWA), RPC over HTTPS (now called Outlook Anywhere) and Exchange ActiveSync can also be transferred to the new Client Access Server. But there are a couple of caveats that you need to be aware of:

  1. As soon as you implement Exchange 2007 and start migrating mailboxes to the new mailbox server, Outlook 2007 will notice immediately. Outlook 2007 has new functionality called Autodiscover and Exchange Web Services. When starting, Outlook 2007 queries Active Directory for the Service Connection Point (SCP) objects that Client Access Servers publish, and uses the first one it finds. You have to be very careful about the order in which you install the various server roles.
  2. The services mentioned in point 1 are all HTTPS based. Even when you don’t use RPC over HTTPS (aka Outlook Anywhere) at all, Outlook 2007 will use these services over HTTPS.
  3. When clients are domain joined this should not be a problem, since Outlook will use the default FQDNs as used during the installation (i.e. 2007CASHUB.inframan.local). If clients are not domain joined, Outlook 2007 will try to connect using the domain part of the e-mail address, i.e. @inframan.nl. Since no certificates are installed yet and the external DNS records are not registered yet, this will fail and users will start noticing errors like ‘Outlook is unable to download the Offline Address Book.’


So, the first server that we are going to install is a combined Hub Transport Server and Client Access Server. There are two ways to install an Exchange Server 2007: via the command line (setup.com) or using the GUI setup (setup.exe). Both are started from the root of the installation media. The advantage of the command line is that you can script it, which makes it possible to install a larger number of servers in an identical manner.

The Exchange Server can be installed by starting the setup application (setup.exe) from the Exchange Server 2007 installation media. This will check for the prerequisites to be installed and will show a graphical interface where the roles to be installed can be selected:


Figure 7. The setup program with only Hub Transport and Client Access selected

When the installation is finished the first Exchange Server 2007 is installed and its server object, including the Autodiscover SCP, is configured in Active Directory. Outlook 2007 will immediately notice this and start using the Client Access Server.


The next step is to configure certificates for the Client Access Server. The name of the certificate can be webmail.inframan.nl, just like on the Exchange Server 2003 front-end server. But Outlook 2007 and Windows Mobile 6 can also use the Autodiscover functionality: Outlook 2007 will set up an additional connection to the Client Access Server via autodiscover.inframan.nl. This is an HTTPS connection, so it needs a certificate that matches that name too. To serve both names from the same Client Access Server a so-called ‘Unified Communications’ or SAN (Subject Alternative Name) certificate is needed. This type of certificate can carry multiple names. Besides the external names you should also include the server’s internal name, because clients on the internal network resolve the Client Access Server to its internal name, like 2007CASHUB.inframan.local.

The names that should be on the certificate in this case are:

  • webmail.inframan.nl
  • autodiscover.inframan.nl
  • 2007cashub.inframan.local
  • mail.inframan.nl (for SMTP)

A certificate request in Exchange Server 2007 is generated with the New-ExchangeCertificate cmdlet (with the -GenerateRequest switch and the list of names in -DomainName) in the Exchange Management Shell on the Client Access Server.

This command generates a certificate request file that can be submitted to your certificate authority.

After the request has been approved (the certificate authority will usually verify that you control the domain names you asked for), your certificate authority sends back a certificate that can be imported on the Client Access Server with the Import-ExchangeCertificate cmdlet in the Exchange Management Shell. The output of this cmdlet can be piped into Enable-ExchangeCertificate to enable the certificate for the IIS and SMTP services straight after importing it.

Note. If needed this certificate can also be used for POP3, IMAP4 and Unified Messaging. In that case you add these services on the command line with -Services “IIS,SMTP,POP,IMAP,UM”.
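Below is the certificate workflow as an added example, not the commands from the original article: it requests a SAN certificate for the four names listed above, imports and enables the issued certificate, checks that everything that should be on it actually is, and then deals with caveats 1 to 3 from the previous section by publishing an Autodiscover SCP URL whose host name is on the certificate. It runs in the Exchange Management Shell on the Client Access Server and assumes things the page does not state: the server is 2007CASHUB, the request is written to C:\certreq, the CA returns the certificate as C:\certreq\2007cashub.cer, and the subject uses C=NL, O=Inframan.

```powershell
# Added example, not commands taken from the article. Run in the Exchange Management
# Shell on the Client Access Server. Assumed (not stated on the page): server name
# 2007CASHUB, request/certificate files under C:\certreq, subject C=NL, O=Inframan.

$server   = '2007CASHUB'
$names    = 'webmail.inframan.nl', 'autodiscover.inframan.nl', '2007cashub.inframan.local', 'mail.inframan.nl'
$reqFile  = 'C:\certreq\2007cashub.req'
$certFile = 'C:\certreq\2007cashub.cer'   # the file the certificate authority returns

if (-not (Test-Path $certFile)) {
    # 1. Request: the CN is the primary external name; every name in -DomainName goes
    #    into the Subject Alternative Name extension. An exportable key lets the same
    #    certificate be installed on further Client Access Servers behind the namespace.
    New-ExchangeCertificate -GenerateRequest -Path $reqFile -KeySize 2048 `
        -SubjectName 'C=NL, O=Inframan, CN=webmail.inframan.nl' `
        -DomainName $names -PrivateKeyExportable $true `
        -FriendlyName 'Inframan Client Access SAN certificate'
    Write-Host "Submit $reqFile to the CA, save the issued certificate as $certFile and run this again."
    return
}

# 2. Import the issued certificate and enable it for the web (IIS) and SMTP services.
#    Add POP, IMAP or UM to -Services only for protocols that are actually offered.
$imported = Import-ExchangeCertificate -Path $certFile
Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services 'IIS,SMTP'

# 3. Verify the result: every required name present, private key available, not
#    about to expire. CertificateDomains is the SAN list as Exchange reads it.
$cert    = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint
$onCert  = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
$missing = @($names | Where-Object { $onCert -notcontains $_.ToLower() })
if ($missing.Count -gt 0) { throw ('Certificate is missing names: ' + [string]::Join(', ', [string[]]$missing)) }
if (-not $cert.HasPrivateKey) { throw 'Certificate was imported without its private key' }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { throw "Certificate expires on $($cert.NotAfter)" }
Write-Host ('Certificate {0} enabled for {1}' -f $cert.Thumbprint, $cert.Services)

# 4. Autodiscover: Outlook 2007 finds the Client Access Server through the SCP in AD.
#    Publish a URL whose host name is on the certificate, otherwise internal clients get
#    a certificate name mismatch every time Outlook starts.
$internalName = '2007cashub.inframan.local'
if ($onCert -notcontains $internalName) { throw "$internalName is not on the certificate; fix the request first" }
Set-ClientAccessServer -Identity $server -AutoDiscoverServiceInternalUri "https://$internalName/Autodiscover/Autodiscover.xml"
Get-ClientAccessServer -Identity $server | Format-List Name, AutoDiscoverServiceInternalUri
```

Step 3 is the one people skip: a certificate that came back from the CA with a name dropped, or imported from a .cer without the private key, enables without complaint and only shows up as Outlook 2007 and Windows Mobile errors later. Step 4 addresses the SCP caveat from the previous section directly; the external autodiscover.inframan.nl name still has to exist in public DNS before non-domain-joined clients will work.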

The Mailbox Server Role

After installing the Hub Transport Server and Client Access Server, the Mailbox Server can be installed. When all prerequisites are met, the installation can be started on the 2007MBX server by running setup.com from the installation media with /mode:install and /roles:Mailbox.

This installs only the Mailbox Server role on that server. The setup automatically detects the existing Exchange 2003 environment and configures itself accordingly. When the setup is finished there is a fully functional Exchange Server 2007 environment integrated into the Exchange Server 2003 environment.
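The scripted form of both installations (the combined Hub Transport/Client Access Server first, then the Mailbox Server) as an added example; these are not the article’s own commands. It uses setup.com from the installation media, which is what the GUI setup in Figure 7 drives. Assumptions the page does not make: the media is on D:\, the Exchange Server 2003 server that will be the other end of the legacy Routing Group Connector is called 2003BRIDGEHEAD, and the script is run locally as an Exchange Organization Administrator, once on 2007CASHUB with -Role CasHub and once on 2007MBX with -Role Mailbox.

```powershell
# Added example, not the article's own commands: unattended installation of the first
# Exchange Server 2007 servers into the existing Exchange 2003 organization with
# setup.com. Assumed (not stated on the page): media on D:\, the Exchange 2003 server
# for the legacy Routing Group Connector is 2003BRIDGEHEAD, run locally on each server.
param([string]$Role = 'CasHub', [string]$LegacyRoutingServer = '2003BRIDGEHEAD')

$setup = 'D:\setup.com'

function Test-Prerequisites([bool]$NeedsIis) {
    # The x86 build is not supported in production: require a 64-bit Windows (64-bit shell)
    if ([IntPtr]::Size -ne 8) { throw 'Exchange Server 2007 requires an x64 Windows installation' }
    # PowerShell 1.0 and .NET 2.0 are present if this script runs at all; IIS 6.0 must be
    # installed for the Client Access Server role
    if ($NeedsIis -and -not (Get-Service -Name W3SVC -ErrorAction SilentlyContinue)) {
        throw 'IIS (W3SVC) is not installed; the Client Access Server role needs it'
    }
}

switch ($Role) {
    'CasHub' {
        Test-Prerequisites $true
        # /LegacyRoutingServer is the command-line form of the setup question about the
        # existing organization: the Exchange 2003 server for the legacy Routing Group Connector
        & $setup '/mode:install' '/roles:HubTransport,ClientAccess' "/LegacyRoutingServer:$LegacyRoutingServer"
    }
    'Mailbox' {
        Test-Prerequisites $false
        & $setup '/mode:install' '/roles:Mailbox'
    }
    default { throw "Unknown role '$Role'; use CasHub or Mailbox" }
}
if ($LASTEXITCODE -ne 0) { throw "setup.com failed with exit code $LASTEXITCODE" }

# Load the Exchange 2007 management snap-in and confirm what setup registered in AD
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin
$me = Get-ExchangeServer -Identity $env:COMPUTERNAME
Write-Host ('{0}: roles = {1}, version = {2}' -f $me.Name, $me.ServerRole, $me.AdminDisplayVersion)
if ($Role -eq 'CasHub') {
    # The legacy Routing Group Connector is what carries mail between the two versions;
    # it must list the Exchange 2003 bridgehead on one side and this Hub Transport on the other
    Get-RoutingGroupConnector | Format-Table Name, SourceTransportServers, TargetTransportServers -AutoSize
}
```

Run the CasHub pass first and check the connector output before running the Mailbox pass: if the Routing Group Connector was created against the wrong Exchange 2003 server, mail between the versions stalls as soon as the first mailbox is moved, and it is much easier to fix while no mailbox lives on Exchange Server 2007 yet.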

Please note that Exchange Server 2003 and Exchange Server 2007 each need to be managed with their own management tools. Exchange Server 2003 is managed with the Exchange System Manager; Exchange Server 2007 is managed with the Exchange Management Console or the Exchange Management Shell.

In my next article I will explain a bit more on the coexistence phase with the two versions of Exchange, how to move mailboxes from Exchange Server 2003 to Exchange Server 2007 and how to decommission the Exchange Server 2003 environment.