• Status: Solved

Previous failed migration, how to clean up AD before we try again?

Hello,

I've got a 2003 AD domain in interim mode. A previous install of Exchange 2003 was done on this network, but it failed. Exchange 2003 was uninstalled from the existing Exchange 5.5 site. My question is, do I need to do any kind of cleanup in AD before attempting the migration to Exchange 2003 again? I'm just installing Exchange 2003 into an existing Exchange 5.5 site, using ADC and SRS. Is there any remnant of Exchange in AD that I should clean up before attempting the install again?

Thanks
Asked by: MCPJoe

1 Solution

aa230002 commented:
If it's the first Exchange 2k or 2k3 in this Active Directory, I would suggest you clean up AD before you start again.
Install Windows Support Tools on any DC, and then launch "Adsiedit.msc" from RUN.
Expand Configuration Container - Services - Microsoft Exchange and then select and delete your org name (container and all sub-containers) from there.

Now once again run Exchange setup /forestprep and Exchange setup /domainprep.
Start with your Exchange 2k3 installation in Existing 5.5 site.

Thanks,
Amit Aggarwal.

MCPJoe (Author) commented:
Thanks, just to clarify, this information in adsiedit.msc that I'll be deleting won't affect any of my existing Exchange 5.5 stuff, right? This only applies to Exchange 2003, since Exchange 5.5 doesn't integrate with AD? I just don't want to risk messing anything up with the existing Exchange 5.5 site.

Thanks

aa230002 commented:
Exchange 5.5 doesn't integrate with AD. As you have Active Directory Connector in place, your Exchange 5.5 directory must be replicating with your Active Directory (domain partition) and every object in the E5.5 directory should be appearing in AD and vice versa.
Now, when you run Exchange setup /forestprep for the first time in AD, it extends the schema and also creates a container under the configuration container by a GUID (only in E2k3).
And then finally, when you introduce your first E2k3 server in your AD, it asks you if you wanna join an existing 5.5 org or wanna create a new org. Definitely you will join an existing org and it will populate your 5.5 org information in AD and also install SRS as it would be the first 2k3 server in a pure 5.5 site.

You can safely delete this container and then run /forestprep, which will again create a container by a GUID, which you can verify after /forestprep.
Last is to go with E2k3 setup, and it will give you an option to join an existing 5.5 org and will rename the GUID with the name of your Exchange 5.5 org.

Take a backup of AD to be on the safer side.

Thanks,
Amit Aggarwal.
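
The container check discussed in the two answers above, as an added read-only example that is not part of the original thread: PowerShell run from a domain-joined admin workstation that lists what sits under Configuration > Services > Microsoft Exchange, so the contents can be recorded before the org container is deleted and the GUID-named container confirmed after /forestprep. The function name is hypothetical, and the script assumes an account that can read the Configuration partition.

```powershell
# Added example (not from the thread): read-only listing of what sits under
# Configuration > Services > Microsoft Exchange. Nothing is modified or deleted.
# Get-ExchangeContainerInventory is a hypothetical helper name.

function Get-ExchangeContainerInventory {
    # Resolve the forest's Configuration partition from RootDSE.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = [string]$rootDse.configurationNamingContext
    $exchPath = "LDAP://CN=Microsoft Exchange,CN=Services,$configNC"

    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($exchPath)) {
        Write-Warning "No 'Microsoft Exchange' container under $configNC"
        return
    }

    # Direct children only: the organization container(s), named either
    # after the org or by a GUID as described in the thread.
    $top = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$exchPath)
    $top.SearchScope = 'OneLevel'
    $top.Filter      = '(objectClass=*)'
    $top.PropertiesToLoad.AddRange([string[]]@('name', 'objectClass', 'whenCreated'))

    foreach ($hit in $top.FindAll()) {
        # Count everything below this child so the size of a planned
        # deletion is known before anything is touched in ADSI Edit.
        $sub = New-Object System.DirectoryServices.DirectorySearcher($hit.GetDirectoryEntry())
        $sub.SearchScope = 'Subtree'
        $sub.Filter      = '(objectClass=*)'
        $sub.PageSize    = 500          # page results past the 1000-object default limit
        $sub.PropertiesToLoad.Add('distinguishedName') | Out-Null

        $classes = $hit.Properties['objectclass']
        [pscustomobject]@{
            Name        = [string]$hit.Properties['name'][0]
            ObjectClass = [string]$classes[$classes.Count - 1]   # most specific class
            WhenCreated = $hit.Properties['whencreated'][0]
            Descendants = $sub.FindAll().Count - 1               # exclude the child itself
            Path        = $hit.Path
        }
    }
}

# Run before the cleanup, and again after setup /forestprep, and keep both outputs.
Get-ExchangeContainerInventory | Format-Table -AutoSize
```

Comparing the two outputs shows whether the old org container is really gone and whether /forestprep recreated a fresh one.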

MCPJoe (Author) commented:
Thanks for the advice. I just wanted to double check. After the first migration attempt, when installing Exchange 2003 into the existing Exchange 5.5 site, we immediately noticed that something during the install had wiped out our Exchange 5.5 directory information. We lost all of our custom recipients, DLs, fax recipients, etc. I had to restore from backup, and then fight with doing an authoritative restore of the Exchange 5.5 directory. WHAT A PAIN!!! I just don't want to deal with that again. Still don't know what caused that, nothing out of the ordinary was done, and no strange configuration was used, all defaults. I have to try again, but am hesitant because I don't know if this is going to happen again.

aa230002 commented:
I do understand the problem you faced with the previous failure. What is the status of ADC right now?
Is your Exchange 5.5 GAL and Active Directory replication fine? Are your Recipient Connection Agreement and PF connection agreement in place?
Is there any NT domain? Or have you decommissioned it or done an in-place upgrade from your NT domain to AD?

Thanks,
Amit Aggarwal.

MCPJoe (Author) commented:
Right now, Exchange 2003 including the ADC and SRS have been completely removed from the domain. We have a domain that was upgraded to AD and Server 2003, but we still have two NT4 BDCs which some internal clients still point to for authentication (using hosts files). I do not have any ADC connection agreements set up at this time. I will be doing that soon before I install Exchange 2003 again.

Thanks

aa230002 commented:
OK, good.
Now, the first step is to delete the org container from AD.
Then, run setup /forestprep from the E2k3 CD.
Install ADC from the E2k3 CD and then create the RCA (Recipient Connection Agreement) and PFCA.
Make sure that your E55 directory and Active Directory have started replicating.
Install Exchange 2k3 in the pure 5.5 site (this will bring SRS into the picture and Config_CA).

Thanks,
Amit Aggarwal.

MCPJoe (Author) commented:
OK, that's the same method I used the first time around. I'll try it again and hope I don't experience disaster like I did the first time. What about creating the connection agreements as one-way agreements, rather than two-way? I could set them up so that information flows only one way, from Exchange 5.5 to AD, and not the other way around. Would that increase my chances of avoiding the disaster I had the first go-round?

aa230002 commented:
Did the disaster happen at the time of creating the Connection Agreements or at the time of E2k3 installation?
Two one-way Connection Agreements are not recommended, as a two-way connection agreement has an in-built collision detection mechanism. But only one one-way connection agreement (from 5.5 to AD) should be fine.

Thanks,
Amit Aggarwal.

MCPJoe (Author) commented:
I'm not exactly sure, as the problem was not detected right away. I installed the ADC and SRS, then proceeded with the Exchange 2003 install. I was in the middle of testing internal mail flow between Exchange 2003 and Exchange 5.5 users when I got a call that told me all of the DLs and recipients were gone from Exchange 5.5. So I'm not sure at what point the problem occurred. I had assumed that the ADC was somehow responsible for crashing the Exchange 5.5 directory, but I honestly don't know for sure what caused it.

Not to mention, ever since I did the restore of the Exchange 5.5 directory, synchronization is not working between all the Exchange 5.5 servers. A user mailbox created on one Exchange 5.5 server replicates to the three other servers, but not to the one I did the restore on. Also, we lost most of our public folder permissions as well; they had to be manually corrected. I definitely don't want to go through that again.

Since I have existing replication issues with Exchange 5.5, will that cause any problems during the installation of Exchange 2003?

aa230002 commented:
How can you install SRS? SRS is something that gets installed automatically at the time of introducing your first E2k or E2k3 server in the pure E55 site.
Before continuing with the next step, make sure that your last step was successful.
How many Exchange 5.5 servers do you have? How are these servers divided into 5.5 sites?
To which site are you gonna introduce your first E2k3 server? It's getting complicated now. You need to be careful and make sure that the existing environment is perfect before you continue.

Thanks,
Amit Aggarwal.

MCPJoe (Author) commented:
I didn't mean I manually installed the SRS, I just meant I went through the server deployment and installed the ADC, SRS (automatically), then Exchange 2003.

I have 4 total Exchange 5.5 servers. Two in the US, one in Hong Kong, and one in Switzerland. They all belong to the same site, in the same NT domain, on the same IP subnet. I will be installing Exchange 2003 into the only site we have, since we are using a single Exchange 5.5 site.

One other question: taking into account that our AD domain is in 2003 server interim mode (mixed mode), what will happen with public folder permissions? I know the ADC will try to create universal groups, which aren't available, since the domain is in mixed mode. We have many public folders, and we have DLs listed on the client permissions on many of them. Will that cause a problem when attempting to migrate these to Exchange 2003 in AD? I've done this migration in a test lab several times, but I've never been able to simulate migrating our public folders. I'm referring to article http://support.microsoft.com/?id=328801

Thanks

aa230002 commented:
Yes, you are right. It's always advisable to have a child domain in your AD. Keep your parent domain in mixed mode, and then convert your child domain to native mode. Then point your RCA and PFCA to your child domain (the native one), and then you can successfully replicate your DLs in E5.5 to Universal Groups. Otherwise your ACL conversion will fail and PF permissions will screw up as given in this KB article.

As all 4 5.5 boxes are in the same site and you will be introducing your first E2k3 server in this site only, that will bring SRS and create Config_CA (a configuration connection agreement from your E5.5 directory to the Configuration container of Active Directory).

Thanks,
Amit Aggarwal.

MCPJoe (Author) commented:
So I would basically need to create a child domain in AD, set it to native mode, set up a two-way trust between the domains (should be automatic since it would be a child domain), then point the connection agreements to the native mode domain.

Questions about this scenario:
1. What will be the effects of doing that? Will end users have anything special they will need to do in order to view the converted distribution groups?
2. Once the parent domain is in native mode, how do I phase out the child domain and get the universal groups to be housed on the parent domain?
3. How will this affect the address book? Obviously this is going to change things around. Will clients on the Exchange 5.5 server be able to get mail to users on Exchange 2003 in this scenario?

Thanks again
Joe

MCPJoe (Author) commented:
Does the ADC actually change permissions on Exchange 5.5 public folders? Or is that handled by the SRS? If I can't get my domain upgraded to native mode, and can't use a child domain, could I use a one-way agreement from Exchange 5.5 to AD? This way, the basic Exchange system could be set up, tested, etc., without causing adverse effects on Exchange 5.5. No real users would be moved to 2003 during this phase.

Once AD was converted to native mode, we could then set up two-way connection agreements, and enable replication of Exchange 5.5 to AD and vice versa.

Does that make any sense?

MCPJoe (Author) commented:
Ok, I'm baffled.  I just tested this.  

I have a test lab setup, 3 Exchange 5.5 servers, one Exchange 2003 server, ADC and SRS are setup and running.  I have two way connection agreements configured.  Domain is in mixed mode (Server 2003 interim mode).  

I created a public folder in Exchange 5.5 (from client on exchange 5.5 server).  I assigned client permissions using a DL.  So my client permissions on this new public folder has a DL listed.  I created an item in the public folder.  

Then I replicated the public folder and the new DL into AD.  I saw the ADC create the universal distribution group, the public folder information was replicated to Exchange 2003.  I checked the client permissions on the public folder from Exchange 2003 and I still saw the DL listed.  So I think to myself, ok, the MS KB article said that Exchange would convert the group to a universal security group once a user accessed the folder.  

So I had a user setup on exchange 2003, which was a member of the DL I created on Exchange 5.5.  I had this 2003 user access the public folder, it came up right away, the user had access to the folder, and could post items and view items, based on the permission level I set for the DL.  So now I checked AD and the universal distribution group is still there, exchange did NOT convert the group to a universal security group, and I did not have any permissions problems.  

So my question is, does that article still apply to Exchange 2003? Or does Exchange 2003 have a built-in workaround for that problem? If so, this would mean that I won't have any issues with public folder permissions after all? Can anyone comment on this? Does the fact that the domain is in 2003 interim mode make any difference? I really thought this test would fail, but it worked perfectly. I can only hope that my production migration to Exchange 2003 goes as smoothly.

Thanks

MCPJoe (Author) commented:
Could it be that these articles refer to the actual security tab properties and not the client permissions? The articles I've read do not specify if they are talking about the security tab properties or the client permissions section.

MCPJoe (Author) commented:
Never mind, I finally dug up a document that specifically refers to client permissions.