Windows/Exchange 2000 to Windows 2008/Exchange 2007 Upgrade

Posted on 2008-10-12
Last Modified: 2013-12-05
Hi,

I am planning my AD and Exchange upgrade and would like some help fine-tuning/critiquing the steps to reduce the probability of screwing up.
I have read many questions on this site as well as others and although some scenarios are similar they are obviously not exactly the same.

Current setup is as follows:
* Windows 2000 AD (DC1, DC2 & XMAIL)
* Exchange 2000 BE (XMAIL)
* Exchange 2003 FE (OWA - in DMZ)

By the end of the process I would like the following:
* DC1 will have been upgraded to 2008 Server
* XMAIL will have been transitioned to 2007 on a new 2008 server
* DC2 will be replaced by a new 2008 server down the track.
* FE to be moved to a new 2008 server as legacy apps also run on this.

We are in the same site as 3 other offices, each with a separate domain. All DNS is AD-integrated except one primary zone held by our Head Office. We also have bulk email software which sends out through OWA.

Things I'm unsure about:
* The damn 2007 server roles. Not exactly sure what configuration to go with. Ideally I would like a similar scenario (FE/CAS in DMZ and BE/Mailbox inside if possible).
* How to allow bulk emails to send out through CAS server.

I am worried about coming into trouble with rights due to FSMO roles, replication (between 2000 and 2008 AD), and the public folder move.

Any help is greatly appreciated.

Steps planned thus far:

AD UPGRADE
1.      Ensure Exchange server skips the discovery process by hard-coding DSAccess (to look at itself).
2.      Ensure AD replication is running correctly (Replmon).
3.      Make sure AD backups ran successfully.
4.      Prep domain for 2008 (2008 DVD; \Sources folder). Should be run on DC1, hopefully we don't have trouble due to not owning the schema master role.
a.      Adprep /forestprep
b.      Adprep /domainprep
c.      Adprep /gpprep
5.      Install Windows Server 2008 on new server (MAIL) and join to domain as member server
6.      Promote MAIL to domain controller
7.      Make MAIL a GC
8.      Install DNS on MAIL (have HEAD OFFICE add new DC to zone transfer list for the primary zone they host)
9.      Make sure AD and DNS replicate correctly
10.      Test DNS through MAIL
11.      Change DHCP scope settings on DC2 (as well as NICs on all servers) to point to MAIL for DNS
12.      Transfer FSMO roles to MAIL.
a.      Transfer RID, PDC and Infrastructure roles via AD Users and Computers
b.      Wait 24 hours for replication
13.      Demote DC1 via DCPROMO
14.      Install Windows Server 2008 on DC1 and join to domain as additional DC
15.      Install DNS and DHCP on DC1, set up DHCP scope and Authorize DC1 as a DHCP server
16.      De-activate DHCP on DC2 and unplug from the network
17.      Activate DHCP scope on DC1
18.      If DHCP is working correctly; demote DC2 via DCPROMO
EXCHANGE UPGRADE
1.      Install Windows Server 2008 on new 64bit server (CAS)
2.      Run the Exchange Best Practices Analyzer to verify the environment is ready
3.      Prepare legacy Exchange permissions
a.      Run setup.com /PrepareLegacyExchangePermissions
4.      Prepare the Schema
a.      Run setup.com /PrepareSchema
5.      Prepare Active Directory
a.      Run setup.com /PrepareAD
6.      Prepare the Domain
a.      Run setup.com /PrepareDomain
7.      Install the following software/updates:
a.      Microsoft .NET Framework V2.0
b.      MMC 3.0
c.      Windows PowerShell V1.0
8.      Make sure the following are enabled:
a.      WWW Service
b.      ASP.NET V2.0
9.      Run setup.exe and begin installation
a.      Enable error reporting
b.      Configure Mail Flow Settings to point to XMAIL
c.      Select the custom installation and choose Client Access and Hub Transport
d.      Review logs once setup has completed
10.      Run the Exchange Best Practices Analyzer to verify the environment is ready
11.      Enter license key
12.      Configure Client Access on Exchange 2007
13.      Configure firewall for correct port forwarding/opening
14.      Test OWA access, if successful redirect OWA traffic to CAS
15.      Configure SMTP relay for bulk emails by setting up a receiver connector (http://technet.microsoft.com/en-us/library/bb232021(EXCHG.80).aspx)
16.      Test bulk emails, if successful remove Exchange from OWA
17.      Log on to MAIL and run the Exchange Best Practices Analyzer to verify the environment is ready
18.      Install the following software/updates:
a.      Microsoft .NET Framework V2.0
b.      MMC 3.0
c.      Windows PowerShell V1.0
19.      Make sure the following are enabled:
a.      WWW Service
b.      ASP.NET V2.0
20.      Install Exchange on MAIL
a.      Enable error reporting
b.      Configure Mail Flow Settings to point to XMAIL
c.      Select typical installation
d.      Review logs once setup has completed
21.      Enter license key
22.      Configure accept smtp domains:
a.      Organization Configuration -> Hub Transport -> New Accepted Domain
23.      Replicate Public Folders:
a.      On XMAIL go to the Replication tab of the Public Folder properties and add MAIL to the replica list.
24.      Move public folders:
a.      On XMAIL go to FirstAdministrativeGroup->Folders->Public Folders->Our Public Folders, right-click->Properties->add MAIL to replication tab

I'm not sure at this point whether this will work or if I need to use the migration script: http://technet.microsoft.com/en-us/library/bb331970(EXCHG.80).aspx

25.      Move the OAB
a.      In Exchange 2007 go to Organization Configuration->Mailbox->Offline Address Book, Right-click->Default Offline Address List->Move
26.     Move Mailboxes to Exchange 2007 server
a.      In Exchange 2007 go to Recipient Configuration->Mailbox, highlight the mailboxes and click on Move Mailbox...
b.      Follow the steps and once it has completed check the mail flow
27.      Redirect all mail traffic to MAIL
28.      Decommission XMAIL
a.      Assign Recipient Update Service to MAIL: Recipient Update Service (domain)->Properties->Browse->Exchange 2007 Server
b.      Remove Exchange from XMAIL via Add/Remove Programs

Attachment: network.jpg
Question by:padiap
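A pre-flight check for the AD upgrade steps in the question (replication, FSMO holders, DC OS versions and DNS over TCP 53), added here as an example and not part of the original post. It assumes it is run as a domain admin on a domain-joined machine and uses only the .NET 2.0 System.DirectoryServices classes, so it works under the PowerShell 1.0 that ships with Server 2008.

```powershell
# Added pre-flight check for the AD upgrade steps above; not part of the
# original post. Uses only .NET 2.0 System.DirectoryServices classes, so it
# runs under PowerShell 1.0 as a domain admin on a domain-joined machine.

function Test-TcpPort($ip, $port) {
    # Non-blocking connect with a 3 s timeout; avoids exceptions because
    # PowerShell 1.0 has no try/catch. Connected stays false if refused.
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ar = $tcp.BeginConnect($ip, $port, $null, $null)
    $ok = $ar.AsyncWaitHandle.WaitOne(3000, $false) -and $tcp.Connected
    $tcp.Close()
    return $ok
}

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = $domain.Forest

Write-Host "FSMO role holders (record these before and after step 12):"
Write-Host ("  Schema         : " + $forest.SchemaRoleOwner.Name)
Write-Host ("  Domain naming  : " + $forest.NamingRoleOwner.Name)
Write-Host ("  PDC emulator   : " + $domain.PdcRoleOwner.Name)
Write-Host ("  RID master     : " + $domain.RidRoleOwner.Name)
Write-Host ("  Infrastructure : " + $domain.InfrastructureRoleOwner.Name)

foreach ($dc in $domain.DomainControllers) {
    Write-Host ("`n" + $dc.Name + " (" + $dc.IPAddress + ") OS: " + $dc.OSVersion)

    # Exchange 2007 setup refuses to run until it finds a 2003 SP1 or later DC.
    if ($dc.OSVersion -match "2000") {
        Write-Host "  NOTE: Windows 2000 DC; Exchange 2007 setup needs a 2003 SP1+ DC"
    }

    # LastSyncResult 0 means the last inbound replication from that partner succeeded.
    foreach ($n in $dc.GetAllReplicationNeighbors()) {
        if ($n.LastSyncResult -ne 0) {
            Write-Host ("  REPL ERROR from " + $n.SourceServer + " (" + $n.PartitionName + "): code " + $n.LastSyncResult + ", last success " + $n.LastSuccessfulSync)
        }
    }

    # Exchange setup resolves DNS over TCP 53; a UDP-only firewall rule breaks it.
    if (Test-TcpPort $dc.IPAddress 53) {
        Write-Host "  DNS TCP 53: OK"
    } else {
        Write-Host "  DNS TCP 53: FAILED (firewall rule or DNS service not running on this DC)"
    }
}
```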
9 Comments

Expert Comment by:tigermatt
Hi,

> The damn 2007 server roles. Not exactly sure what configuration to go with. Ideally I would like a similar scenario (FE/CAS in dmz and BE/Mailbox inside if possible).

How many mailboxes do you have which will be running on this mail system? If it is say 50 - 100, and the Exchange 2007 Server exceeds the minimum requirements in CPU power and RAM, I would probably be inclined to put the CAS, Hub Transport and Mailbox Roles on one server. Alternatively, if you do want two servers, you're probably going to want the CAS and Hub Transport on one server, and leave Mailbox Store to the other server.

I would recommend against putting any Exchange Server in the DMZ. It really is a horrible configuration which puts you open for more attack than if it is on the internal LAN. It is probably better - now you are planning a new infrastructure - to put the CAS and Hub Transport server on the LAN and just open ports 443 (for OWA) and 25 (for SMTP) to the server.

Other than that, it looks like your procedure is pretty good. Do remember you will need one DC running at least Server 2003 SP1 / 2008 before Exchange 2007 will install, though. http://technet.microsoft.com/en-us/library/aa996719.aspx

-tigermatt
Author Comment by:padiap
Cheers for the info Tigermatt. You're right, I probably should put it on the one server.
Yeah, we're sweet when it comes to the requirements.

Do you think Exchange Upgrade step 24 will replicate and keep the data on the 2007 box once the 2000 server has been removed? Or would I be better off attempting to use the infamous script?

Also, do you think Exchange Upgrade Step 15 will allow me to send out through the server?

Tim
Expert Comment by:tigermatt

You are going to need to replicate EVERY public folder to the new Exchange Server, including the system folders. Personally I would attempt to do it using the script you have linked to, but one thing I can tell you for sure is that whatever you do, Public Folder replication off of Exchange 2000 is VERY slow - it can sometimes take weeks, so be prepared for a long wait.

Setting up a receive connector in step 15 is not going to enable you to send email. A Receive connector receives email into the Exchange organization. You would need to configure a Send Connector in the Management Console and configure it as appropriate, so email is sent via a smart host or using DNS.
http://technet.microsoft.com/en-us/library/aa998662(EXCHG.80).aspx
http://www.petri.co.il/configuring-exchange-2007-send-external-email.htm

-tigermatt
Author Comment by:padiap
I'll make sure I set plenty of time aside for the replication then!
That's true, not sure why I linked that now. Thanks for the correct links.

I've gone through with the AD upgrade (took some time due to waiting on another office to run the forestprep as well as some DNS changes). Everything seems great aside from a couple of hiccups (a DNS issue that has since been fixed, and the fact that my new 2008 DHCP server is leasing addresses but not listing them).
I'm almost ready for the Exchange install but I've run into an issue with step 3, preparing legacy Exchange permissions. I am receiving the following errors:
* Setup cannot contact the primary DNS server (server ip) using TCP port 53.
* Exchange 2007 cannot be used with the version of Windows operating system running on this computer. - As you know I'm running Server 2008.
* Cannot find at least one domain controller running Windows Server 2003 Service Pack 1 or later in domain (my domain).

Any ideas on the Exchange install errors?
Expert Comment by:tigermatt

Ah - the notorious Exchange 2007 and Server 2008 issue. Basically Exchange 2007 was released long before Server 2008 was, so they had to release a Service Pack for Exchange so it would co-operate with Server 2008. If you are not installing Exchange 2007 with SP1 slipstreamed (you can get the files from Microsoft) then it won't detect your 2008 Server and setup won't run.

So, you'll need to:

-Matt
-tigermatt
Author Comment by:padiap
That link was a godsend! Thanks Matt!!
Now I've just got to wait for our head office to fix up their end before continuing (more delays).

I'm thinking again of going down the path of having 2 exchange boxes.
Can I run HT on the Mailbox server as well as the CAS/HT server? I'm wanting mail sent out by staff to be sent from the Mailbox/HT server (and therefore its external ip address), and mail sent by our mass mailing software would be sent via the send connector on the CAS/HT server (using its external ip address).
Reason being if we're blacklisted (which has happened before) I'm hoping for only the ip of the CAS/HT box to be affected.

Do you think this would be at all possible?

Cheers,

Tim
Accepted Solution by:tigermatt (earned 500 total points)

Yes, you can have any role on one or more servers - just install it through the Exchange interface. Exchange 2007 is designed to be modular, so if you want two HT servers, just put the role on two, and if you want 3 mailbox servers, you just install the role on them. There is no issue with having two Hub Transport servers on a network.

The approach you mention is plausible - and one I highly recommend. Keeping your mass-mailing software away from your main IP used for sending and receiving regular email is always a good approach, since you can protect yourself as much as you like, but can guarantee with mass-mails that somehow you will be blacklisted (and of course, if it is unsolicited, you will instantly get blacklisted, but I hope it isn't spam!). This way, regular mail still works and it is just mass-mailing which will be down.

Don't forget: if your new Exchange 2007 server is powerful enough, you could always virtualise the second HT / CAS role in a virtual machine on that same hardware, rather than purchase more hardware when its power really won't be used to the full extent that it could be. If all it is doing is CAS and a bit of HT for mass-mailing, that's not much load or RAM required, so there's no reason why it couldn't be virtualised.

-Matt
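The Exchange Management Shell configuration that the send/receive connector comment and the two-Hub-Transport answer above describe, added here as an example and not code from the thread. Assumed names: MAIL is the Mailbox/HT server, CAS is the CAS/HT server, 192.168.10.50 is the bulk mailer's address (constructed) and example.com is a placeholder domain; it relies on Exchange 2007 routing preferring, when address space and cost tie, the send connector for which the local Hub Transport server is a source server.

```powershell
# Added example for the two-HT layout discussed above; not from the original
# thread. Run in the Exchange 2007 Management Shell. Assumed names: MAIL
# (Mailbox/HT), CAS (CAS/HT), bulk mailer at 192.168.10.50 (constructed),
# example.com as a placeholder domain.

$bulkHost = "CAS"
$bulkMailerIp = "192.168.10.50"

# 1. Inbound relay for the bulk mailer only. Same port-25 binding as the
#    default connector, but the narrow RemoteIPRanges means only that host
#    matches it; everyone else still hits the default connector and cannot
#    relay, so this does not turn the server into an open relay.
New-ReceiveConnector -Name "Bulk Mailer Relay" -Usage Custom -Server $bulkHost `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $bulkMailerIp `
    -PermissionGroups AnonymousUsers

# Anonymous submissions are accepted by default only for local recipients;
# this extended right lets the bulk mailer relay to external addresses.
Get-ReceiveConnector "$bulkHost\Bulk Mailer Relay" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# 2. One Internet send connector per Hub Transport server, same address
#    space and cost. A Hub Transport server prefers the connector it is a
#    source server for, so staff mail submitted on MAIL leaves from MAIL's
#    IP and relayed bulk mail leaves from CAS's IP.
New-SendConnector -Name "Internet via MAIL" -Usage Internet `
    -AddressSpaces "SMTP:*;1" -SourceTransportServers "MAIL" `
    -DNSRoutingEnabled $true -Fqdn "mail.example.com"

New-SendConnector -Name "Internet via CAS (bulk)" -Usage Internet `
    -AddressSpaces "SMTP:*;1" -SourceTransportServers $bulkHost `
    -DNSRoutingEnabled $true -Fqdn "bulk.example.com"

# 3. Sanity checks: the relay connector is scoped to the mailer IP only, and
#    each send connector has exactly one source server.
Get-ReceiveConnector -Server $bulkHost | Format-Table Name, RemoteIPRanges, PermissionGroups
Get-SendConnector | Format-Table Name, SourceTransportServers, AddressSpaces, Fqdn
```

Give each public IP its own forward and PTR record matching the connector Fqdn, since a blacklisting of the bulk IP only stays isolated if receivers can tell the two sending identities apart.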
Author Comment by:padiap
Still waiting on our Head Office to finish their transition so I'm closing this question. Will open another if I run into any troubles.
You were a massive help as always Tigermatt. Thanks again!
Expert Comment by:tigermatt

Thanks! Good luck.