Solved

migrate exchange 2007 to 2010

Posted on 2014-12-15
16
83 Views
Last Modified: 2015-05-12
I have a Windows 2008 Enterprise server (fully updated and patched) with Exchange 2007 (all roles and services), which is also an AD PDC with all FSMO roles installed on it. I have created 3 new servers, all Windows 2012 Standard, fully patched. One server is a new DC which has the AD domain and forest functional level raised to 2003 and has been added to the domain on the 2008 AD server. The other 2 servers I want to be Exchange 2013, redundant to each other, providing application fault tolerance in all Exchange service areas. For now I'm installing one 2012 server with Exchange 2013, and the plan is to move the mailboxes to it and get it to become the main email server, then build out the second server so that it is redundant to the first.

I've been following a couple of guides and I'm now stuck pretty much right before I begin migrating mailboxes:

http://blogs.technet.com/b/meamcs/archive/2013/07/25/part-1-step-by-step-exchange-2007-to-2013-migration.aspx

http://technet.microsoft.com/en-US/exdeploy2013/Checklist?state=2419-W-BwCEAQAAQACAAAEAAQAAAAQ~

Referencing the first guide, I'm on the step/link labeled "Part 2", at the beginning of section "3. Exchange 2013 name space & virtual directories configurations". In most of those commands for the Exchange PowerShell the -Identity flag is using a path, but I'm not sure what to use for this path... I'm for the most part installing this with defaults, but I don't have a problem making those directories someplace standard if there is no default location.

So to restate, I would like follow-up all the way to the point where I am able to connect with Outlook to the Exchange 2013 server as well as OWA via the web, and then how to make the second 2012 server redundant to the first.
0
Question by:Sec-Man
16 Comments
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
Did you install the latest cumulative update? As this is a new installation, if you haven't installed CU7 then I would do that now.

You don't have to create anything. The virtual directories will already be created.
I have a script for setting the correct FQDNs here: http://semb.ee/hostnames2013

The path is basically "servername\owa (Default Web Site)". It is the same for everyone, just changing the FQDN involved and the servername bit.

Simon.
0
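The identity format Simon describes, applied to every client-access virtual directory of one Exchange 2013 server, as an added example (not Simon's script nor the guide's commands). The server name, namespace and autodiscover name are placeholders, and the block assumes the Exchange Management Shell.

```powershell
# Added example: stamp one namespace on every Exchange 2013 client-access
# virtual directory of a server. All three names below are placeholders.
$Server    = "EX2013-01"                 # placeholder: Exchange 2013 server NetBIOS name
$Namespace = "mail.example.com"          # placeholder: the name on your SSL certificate
$Autodisc  = "autodiscover.example.com"  # placeholder: Autodiscover name on the same certificate

# -Identity is always "<server>\<vdir> (Default Web Site)"; only the server
# name and the FQDN change from one deployment to the next.
$Base = "$Server\{0} (Default Web Site)"

Set-OwaVirtualDirectory -Identity ($Base -f "owa") `
    -InternalUrl "https://$Namespace/owa" `
    -ExternalUrl "https://$Namespace/owa"

Set-EcpVirtualDirectory -Identity ($Base -f "ecp") `
    -InternalUrl "https://$Namespace/ecp" `
    -ExternalUrl "https://$Namespace/ecp"

Set-WebServicesVirtualDirectory -Identity ($Base -f "EWS") `
    -InternalUrl "https://$Namespace/EWS/Exchange.asmx" `
    -ExternalUrl "https://$Namespace/EWS/Exchange.asmx"

Set-ActiveSyncVirtualDirectory -Identity ($Base -f "Microsoft-Server-ActiveSync") `
    -InternalUrl "https://$Namespace/Microsoft-Server-ActiveSync" `
    -ExternalUrl "https://$Namespace/Microsoft-Server-ActiveSync"

Set-OabVirtualDirectory -Identity ($Base -f "OAB") `
    -InternalUrl "https://$Namespace/OAB" `
    -ExternalUrl "https://$Namespace/OAB"

# Outlook Anywhere and Autodiscover are configured per server, not per
# virtual directory; SSL is required on both the internal and external side
# so no client credential ever travels over plain HTTP.
Set-OutlookAnywhere -Identity "$Server\Rpc (Default Web Site)" `
    -InternalHostname $Namespace -ExternalHostname $Namespace `
    -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true `
    -ExternalClientAuthenticationMethod Negotiate

Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$Autodisc/Autodiscover/Autodiscover.xml"

# Verify: every URL should now carry the namespace, so a single certificate
# with those two names covers all client protocols.
Get-OwaVirtualDirectory -Server $Server | Format-List Identity, InternalUrl, ExternalUrl
Get-ClientAccessServer -Identity $Server | Format-List Name, AutoDiscoverServiceInternalUri
```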
 
LVL 3

Author Comment

by:Sec-Man
I never received a notification that anyone ever responded to this. The answer is yes, of course. Since I posted this I went on to install 5 servers: 1 new DC, 2 transport and 2 mail (I call these 'mail' servers because this project eventually stopped and I don't recall the actual type, but these servers are the ones where the mailboxes reside. I'll call them mail servers for now). The legacy Exchange 2007 server, a new transport server and a new mail server are all VMs on one physical VM box, and the new DC as well as the other transport and mail server are on the other VM box. I took the installation all the way to where I created a DAG and was trying to get OWA to work with an actual SSL cert (not a self-signed one) from RapidSSL, when I messed some things up to the point where I decided to punt, delete the Exchange servers, and start all over again, because all of the servers were 'crashed' in some way or another. What I didn't do was delete the DAG I had created before deleting those servers, so when I went to install the new Exchange servers (2 new transports and 2 new mail servers) the legacy 2007 Exchange server still saw the DAG and other servers somewhere and prevented me from installing Exchange 2013 into the domain, which is where this all has stayed until now.

So what I need to do is delete the settings for the old 2013 Exchange servers (wherever those are) and re-install them from the beginning, only this time I have some other resources I will be following. With that said, ANY help along the way I would appreciate. Any advice at this point would be VERY MUCH appreciated!!!

PS - Great to see you are still around Simon! I'm excited to work with you on this!
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
"a new transport server and a new mail server are all VMs on one physical VM box"
If you are going to do that, why bother with the roles on separate servers? That hasn't been best practice for over two years. Put all of the roles on the same server.

If you have deleted the Exchange servers then you will need to recover them to begin with.
That basically means resetting the computer accounts (DO NOT DELETE), then installing Windows (same version as they were) with the same name. Once complete, install Exchange from the command prompt using the recovery switches.
When complete, you can remove the DAG etc, then remove the servers correctly using add/remove programs. That is the only supported method to remove Exchange.

Simon.
0
 
LVL 3

Author Comment

by:Sec-Man
Yeah... That's what I meant by they were 'crashed in some way'... Basically I tried to re-install from the beginning, deleting accounts etc... Needless to say it's been a mess I've been cleaning up the last few days.

So where am I now? I have both transport servers back and patched to CU8. The mail servers are being a bit more problematic. I had to use adsiedit to remove the old versions of the mail servers and that allowed me to install the basic installation (the install without any roles), but now when I go to install the Mail and Client Access roles I am getting this error on both servers at step 4 of 8: Mailbox role: Mailbox service:

Error:
The following error was generated when "$error.Clear();
      Get-MailboxDatabase -Server $RoleFqdnOrName | Mount-Database -ErrorAction SilentlyContinue

" was run: "The Exchange server for the database object "Mailbox Database 0616346304" wasn't found in Active Directory Domain Services. The object may be corrupted.".

This is where I left off last night so I just began my research as to what the cause of this is, but I bet you have some ideas (very excited you are helping me with this)!

Anyway, to answer your question about why not put it all on one box. The answer is because I am a security engineer and it's best practice to put anything that's internet facing into a DMZ, which is where the transport servers are going. I just got them both patched and CU8'd last night so their IPs are still internal, but I'll get them into the DMZ today, which is where they will stay.

Talk to you soon!
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
"The answer is because I am a security engineer and its best practice to put anything thats internet facing into a DMZ, which is where the transport servers are going"

Sorry to say, but that isn't supported.
You cannot put any part of Exchange other than Edge transport in a DMZ.

Furthermore, I would doubt what you consider to be best practice. How does putting it in the DMZ improve the security of the network? It doesn't. It actually reduces it. If you put a domain member in a DMZ, you have to make your firewall into Swiss cheese for it to work correctly. Then an attacker compromises your server in the DMZ, and simply walks into your network.
However if you have everything behind the firewall then you have two ports open at most (443 and 25) which is a pretty secure combination.

I have this discussion with security people all the time. I can usually end it very quickly (other than the not-supported argument) by simply asking for port 135 to be open. If they agree, then I usually tell their manager they aren't up to the job, because 135 should never be open to a least secure network. If they refuse, then it has to be done my way.

Using ADSIEdit was probably a mistake, as that isn't supported for removal of Exchange unless under the direction of PSS. You will find instructions on the process around the internet, but none of them on Microsoft domains. The add/remove programs method is the only supported method.
The error you are getting is because there is a trace of the database left somewhere. You will need to find it and remove it before you can continue.

Simon.
0
 
LVL 3

Author Comment

by:Sec-Man
Hey Simon!

I am talking about edge transport going into the DMZ. As for port 135, it's OK to open that port from the DMZ to internal. The only things that are going to make connections to the transport servers externally are other mail servers, and I have never seen anything get compromised at port 25. I suppose it's possible to take down a transport server at port 25 through some sort of DoS attack, but that's about as much as someone can do at port 25. There are no RPC connectors listening at port 25 so the security is fine at that port, and Checkpoint is at the perimeter, which is known to be a pretty decent firewall. Pretty sure that as far as industry best practices go, putting anything that's internet facing in the DMZ is the only way to go. What I can't imagine is putting your transport servers internally. That's an even worse architecture, as now those same transport servers are sitting inside rather than in a DMZ... That just makes me shudder...

Add/remove programs didn't work. As you are implying, that is the first step, which I tried, and it was erroring out, unable to uninstall Exchange. With regards to ADSIEdit, other people were having the same error I was and the fix was ADSIEdit, which also fixed my issue, so I'm not sure why that was bad? It fixed the problem! The only way forward was to remove those objects, and the installation completed.

So any ideas where to start looking for what else needs to be removed? I got a little sidetracked, so I'm back to troubleshooting this now.
0
 
LVL 3

Author Comment

by:Sec-Man
Hey Simon!

Ok. I went back to ADSIEDIT (yeah yeah I know, bad me...) but I found another area where the old Exchange 2013 mail servers were at (for those who might be following along: Configuration - Services - Microsoft Exchange - <whatever org you set up; for me it was 'First Organization'> - Administrative Groups - Databases; inside are 4 databases with the old Exchange 2013 servers inside those...). So I deleted the servers and one of my new Exchange 2013 mail servers was able to install Exchange and is now in the process of installing CU8, however the other can't, and I'm really scratching my head over this because the server that is installing CU8 is a clone of the one that can't install Exchange 2013...

One of the old transport servers was able to complete CU8 and the other had some troubles, but is now also installing CU8. So the transport servers and one of the mail servers should be all set shortly. I'm hopeful for the last mail server, but I may have to punt and re-install (again)...

If you are interested this is the error the mail server is having:

Error:
The following error was generated when "$error.Clear();
          $name = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxUniqueName;
          $dispname = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxDisplayName;
          $dismbx = get-mailbox -Filter {name -eq $name} -IgnoreDefaultScope -resultSize 1;
          if( $dismbx -ne $null)
          {
          $srvname = $dismbx.ServerName;
          if( $dismbx.Database -ne $null -and $RoleFqdnOrName -like "$srvname.*" )
          {
          Write-ExchangeSetupLog -info "Setup DiscoverySearchMailbox Permission.";
          $mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
          if( $mountedMdb -eq $null )
          {
          Write-ExchangeSetupLog -info "Mounting database before stamp DiscoverySearchMailbox Permission...";
          mount-database $dismbx.Database;
          }

          $mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
          if( $mountedMdb -ne $null )
          {
          $dmRoleGroupGuid = [Microsoft.Exchange.Data.Directory.Management.RoleGroup]::DiscoveryManagement_InitInfo.WellKnownGuid;
          $dmRoleGroup = Get-RoleGroup -Identity $dmRoleGroupGuid -DomainController $RoleDomainController -ErrorAction:SilentlyContinue;
          if( $dmRoleGroup -ne $null )
          {
            trap [Exception]
            {
              Add-MailboxPermission $dismbx -User $dmRoleGroup.Name -AccessRights FullAccess -DomainController $RoleDomainController -ErrorAction SilentlyContinue;
              continue;
            }
           
            Add-MailboxPermission $dismbx -User $dmRoleGroup.Identity -AccessRights FullAccess -DomainController $RoleDomainController -WarningAction SilentlyContinue;
          }
          }
          }
          }
        " was run: "The Exchange server for the database object "Mailbox Database 0136850960" wasn't found in Active Directory Domain Services. The object may be corrupted.".

Error:
The following error was generated when "$error.Clear();
          $name = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxUniqueName;
          $dispname = [Microsoft.Exchange.Management.RecipientTasks.EnableMailbox]::DiscoveryMailboxDisplayName;
          $dismbx = get-mailbox -Filter {name -eq $name} -IgnoreDefaultScope -resultSize 1;
          if( $dismbx -ne $null)
          {
          $srvname = $dismbx.ServerName;
          if( $dismbx.Database -ne $null -and $RoleFqdnOrName -like "$srvname.*" )
          {
          Write-ExchangeSetupLog -info "Setup DiscoverySearchMailbox Permission.";
          $mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
          if( $mountedMdb -eq $null )
          {
          Write-ExchangeSetupLog -info "Mounting database before stamp DiscoverySearchMailbox Permission...";
          mount-database $dismbx.Database;
          }

          $mountedMdb = get-mailboxdatabase $dismbx.Database -status | where { $_.Mounted -eq $true };
          if( $mountedMdb -ne $null )
          {
          $dmRoleGroupGuid = [Microsoft.Exchange.Data.Directory.Management.RoleGroup]::DiscoveryManagement_InitInfo.WellKnownGuid;
          $dmRoleGroup = Get-RoleGroup -Identity $dmRoleGroupGuid -DomainController $RoleDomainController -ErrorAction:SilentlyContinue;
          if( $dmRoleGroup -ne $null )
          {
            trap [Exception]
            {
              Add-MailboxPermission $dismbx -User $dmRoleGroup.Name -AccessRights FullAccess -DomainController $RoleDomainController -ErrorAction SilentlyContinue;
              continue;
            }
           
            Add-MailboxPermission $dismbx -User $dmRoleGroup.Identity -AccessRights FullAccess -DomainController $RoleDomainController -WarningAction SilentlyContinue;
          }
          }
          }
          }
        " was run: "The database object 'Mailbox Database 0136850960' in Active Directory has been corrupted and is in an inconsistent state. Unable to find any server hosting a copy of this database.".
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
That error means it is looking for the Discovery mailbox on one of the databases that you have probably removed.

Recreate the discovery mailbox using these instructions from Microsoft.
https://technet.microsoft.com/en-GB/library/gg588318(v=exchg.150).aspx

Simon.
0
 
LVL 3

Author Comment

by:Sec-Man
Hey Simon!

Yeah - Made a fair amount of progress yesterday. I should have kept updating each time I overcame an issue. That issue: somewhere in all of the errors I found it said permission denied, so I took a look at the Exchange account permissions and found that they were really badly set up (Exchange Admins were in a group - I forget which - and that group was in the Exchange View Only group...). I set it up correctly and that got Exchange installed, but now the error is:

Error:
The following error was generated when "$error.Clear();
          if ($RoleIsDatacenter -ne $true -and $RoleIsDatacenterDedicated -ne $true)
          {
          if (Test-ExchangeServersWriteAccess -DomainController $RoleDomainController -ErrorAction SilentlyContinue)
          {
          $sysMbx = $null;
          $name = "SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}";
          $dispName = "Microsoft Exchange";
          Write-ExchangeSetupLog -Info ("Retrieving mailboxes with Name=$name.");
          $mbxs = @(Get-Mailbox -Arbitration -Filter {name -eq $name} -IgnoreDefaultScope -ResultSize 1 );
          if ($mbxs.Length -eq 0)
          {
          Write-ExchangeSetupLog -Info ("Retrieving mailbox databases on Server=$RoleFqdnOrName.");
          $dbs = @(Get-MailboxDatabase -Server:$RoleFqdnOrName -DomainController $RoleDomainController);
          if ($dbs.Length -ne 0)
          {
          Write-ExchangeSetupLog -Info ("Retrieving users with Name=$name.");
          $arbUsers = @(Get-User -Filter {name -eq $name} -IgnoreDefaultScope -ResultSize 1);
          if ($arbUsers.Length -ne 0)
          {
          Write-ExchangeSetupLog -Info ("Enabling mailbox $name.");
          $sysMbx = Enable-Mailbox -Arbitration -Identity $arbUsers[0] -DisplayName $dispName -database $dbs[0].Identity;
          }
          }
          }
          else
          {
          if ($mbxs[0].DisplayName -ne $dispName )
          {
          Write-ExchangeSetupLog -Info ("Setting DisplayName=$dispName.");
          Set-Mailbox -Arbitration -Identity $mbxs[0] -DisplayName $dispName -Force;
          }
          $sysMbx = $mbxs[0];
          }

          # Set the Organization Capabilities needed for this mailbox
          if ($sysMbx -ne $null)
          {
          # We need 1 GB for uploading large OAB files to the organization mailbox
          Write-ExchangeSetupLog -Info ("Setting mailbox properties.");
          set-mailbox -Arbitration -identity $sysMbx -UMGrammar:$true -OABGen:$true -GMGen:$true -ClientExtensions:$true -MailRouting:$true -MessageTracking:$true -PstProvider:$true -MaxSendSize 1GB -Force;

          Write-ExchangeSetupLog -Info ("Configuring offline address book(s) for this mailbox");
          Get-OfflineAddressBook | where {$_.ExchangeVersion.CompareTo([Microsoft.Exchange.Data.ExchangeObjectVersion]::Exchange2012) -ge 0 -and $_.GeneratingMailbox -eq $null} | Set-OfflineAddressBook -GeneratingMailbox $sysMbx.Identity;
          }
          else
          {
          Write-ExchangeSetupLog -Info ("Cannot find arbitration mailbox with name=$name.");
          }
          }
          else
          {
          Write-ExchangeSetupLog -Info "Skipping creating E15 System Mailbox because of insufficient permission."
          }
          }
        " was run: "Microsoft.Exchange.Data.DataValidationException: Database is mandatory on UserMailbox.".

Error:
The following error was generated when "$error.Clear();
          if ($RoleIsDatacenter -ne $true -and $RoleIsDatacenterDedicated -ne $true)
          {
          if (Test-ExchangeServersWriteAccess -DomainController $RoleDomainController -ErrorAction SilentlyContinue)
          {
          $sysMbx = $null;
          $name = "SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}";
          $dispName = "Microsoft Exchange";
          Write-ExchangeSetupLog -Info ("Retrieving mailboxes with Name=$name.");
          $mbxs = @(Get-Mailbox -Arbitration -Filter {name -eq $name} -IgnoreDefaultScope -ResultSize 1 );
          if ($mbxs.Length -eq 0)
          {
          Write-ExchangeSetupLog -Info ("Retrieving mailbox databases on Server=$RoleFqdnOrName.");
          $dbs = @(Get-MailboxDatabase -Server:$RoleFqdnOrName -DomainController $RoleDomainController);
          if ($dbs.Length -ne 0)
          {
          Write-ExchangeSetupLog -Info ("Retrieving users with Name=$name.");
          $arbUsers = @(Get-User -Filter {name -eq $name} -IgnoreDefaultScope -ResultSize 1);
          if ($arbUsers.Length -ne 0)
          {
          Write-ExchangeSetupLog -Info ("Enabling mailbox $name.");
          $sysMbx = Enable-Mailbox -Arbitration -Identity $arbUsers[0] -DisplayName $dispName -database $dbs[0].Identity;
          }
          }
          }
          else
          {
          if ($mbxs[0].DisplayName -ne $dispName )
          {
          Write-ExchangeSetupLog -Info ("Setting DisplayName=$dispName.");
          Set-Mailbox -Arbitration -Identity $mbxs[0] -DisplayName $dispName -Force;
          }
          $sysMbx = $mbxs[0];
          }

          # Set the Organization Capabilities needed for this mailbox
          if ($sysMbx -ne $null)
          {
          # We need 1 GB for uploading large OAB files to the organization mailbox
          Write-ExchangeSetupLog -Info ("Setting mailbox properties.");
          set-mailbox -Arbitration -identity $sysMbx -UMGrammar:$true -OABGen:$true -GMGen:$true -ClientExtensions:$true -MailRouting:$true -MessageTracking:$true -PstProvider:$true -MaxSendSize 1GB -Force;

          Write-ExchangeSetupLog -Info ("Configuring offline address book(s) for this mailbox");
          Get-OfflineAddressBook | where {$_.ExchangeVersion.CompareTo([Microsoft.Exchange.Data.ExchangeObjectVersion]::Exchange2012) -ge 0 -and $_.GeneratingMailbox -eq $null} | Set-OfflineAddressBook -GeneratingMailbox $sysMbx.Identity;
          }
          else
          {
          Write-ExchangeSetupLog -Info ("Cannot find arbitration mailbox with name=$name.");
          }
          }
          else
          {
          Write-ExchangeSetupLog -Info "Skipping creating E15 System Mailbox because of insufficient permission."
          }
          }
        " was run: "Microsoft.Exchange.Data.DataValidationException: Database is mandatory on UserMailbox.
   at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target, Boolean reThrow, String helpUrl)
   at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target, Boolean reThrow)
   at Microsoft.Exchange.Configuration.Tasks.DataAccessTask`1.Validate(TDataObject dataObject)
   at Microsoft.Exchange.Configuration.Tasks.SetTaskBase`1.InternalValidate()
   at Microsoft.Exchange.Configuration.Tasks.SetRecipientObjectTask`3.InternalValidate()
   at Microsoft.Exchange.Management.Common.SetMailEnabledRecipientObjectTask`3.InternalValidate()
   at Microsoft.Exchange.Management.RecipientTasks.SetUserBase`2.InternalValidate()
   at Microsoft.Exchange.Management.RecipientTasks.SetMailboxBase`2.InternalValidate()
   at Microsoft.Exchange.Management.RecipientTasks.SetMailbox.InternalValidate()
   at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
   at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)".

and after some research I found this:

https://social.technet.microsoft.com/Forums/exchange/en-US/eff5615b-d84d-4e51-a9d2-4b8315470141/error-during-exchange-2013-mailbox-transport-role-install-on-server-2012?forum=exchangesvrdeploy

What I'm a smidge hesitant on are these steps:

Delete the affected FederatedEmail and both SystemMailbox accounts from Users container using Active Directory User and Computers mmc or ADSIEdit.

Uninstall Exchange server with setup /m:uninstall .

Run setup /PrepareAD to get the deleted accounts re-created.

Pretty sure it has something to do with this:

I then had to go into ADUC - delete the 3 accounts and then use PS to recreate them using the following syntax:
a. New-Mailbox -Arbitration -Name FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042 -UserPrincipalName FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042@<Default_Accepted_Domain>
b. New-Mailbox -Arbitration -Name "SystemMailbox{1f05a927-6a9b-4101-abd2-70838d0c8e86}" -UserPrincipalName "SystemMailbox{1f05a927-6a9b-4101-abd2-70838d0c8e86}@<Default_Accepted_Domain>"
c. New-Mailbox -Arbitration -Name "SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}" -UserPrincipalName "SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}@<Default_Accepted_Domain>"

Any insights would be appreciated!

Thanks!
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
I have read twice and I have lost track of what you are actually asking.
It looks like you simply have traces of the old server still in the environment, which is the primary reason not to use ADSIEdit to hack out a server.

Simon.
0
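Simon points twice at the same root cause: objects for a server that was hacked out of AD are still referenced (the "Exchange server for the database object ... wasn't found" error earlier in the thread, and the arbitration mailbox errors here). The following read-only audit is an added example, not something from the thread or from Microsoft; it assumes the RSAT ActiveDirectory module for the directory queries and the Exchange Management Shell for the mailbox check, and it deletes nothing.

```powershell
# Added example: find leftovers of an improperly removed Exchange server in AD.
# Read-only; removal stays a manual, supported step (setup uninstall, or PSS guidance).
Import-Module ActiveDirectory

$ConfigNC = (Get-ADRootDSE).configurationNamingContext
$ExchRoot = "CN=Microsoft Exchange,CN=Services,$ConfigNC"

# 1. Every Exchange server object still registered in the organization
#    (Edge servers are not domain-joined and never appear here).
$Servers = Get-ADObject -SearchBase $ExchRoot `
    -LDAPFilter "(objectClass=msExchExchangeServer)" |
    Select-Object -ExpandProperty DistinguishedName

# 2. Every mailbox database object and the server it claims to live on.
#    A database whose msExchOwningServer points at a DN that no longer exists
#    is the object behind "The Exchange server for the database object ...
#    wasn't found in Active Directory Domain Services".
$Databases = Get-ADObject -SearchBase $ExchRoot `
    -LDAPFilter "(objectClass=msExchPrivateMDB)" -Properties msExchOwningServer

$Orphans = foreach ($db in $Databases) {
    $owner = [string]$db.msExchOwningServer
    if (-not $owner -or ($Servers -notcontains $owner)) {
        [pscustomobject]@{ Database = $db.Name; OwningServer = $owner; DN = $db.DistinguishedName }
    }
}
if ($Orphans) {
    Write-Warning "Database objects referencing a missing server:"
    $Orphans | Format-List
} else {
    Write-Host "No orphaned database objects found."
}

# 3. Arbitration (system) mailboxes must each sit on an existing database;
#    one with an empty Database is what "Database is mandatory on UserMailbox"
#    complains about during setup.
$BadArb = Get-Mailbox -Arbitration -IgnoreDefaultScope |
    Where-Object { -not $_.Database }
if ($BadArb) {
    Write-Warning "Arbitration mailboxes without a database:"
    $BadArb | Format-Table Name, Database, ServerName -AutoSize
} else {
    Write-Host "All arbitration mailboxes reference a database."
}
```

Run it from a domain-joined machine as an account that can read the Configuration partition; it reports what is left so you can decide what must be recreated or removed through supported means.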
 
LVL 3

Author Comment

by:Sec-Man
Hey Simon!

The issue I'm having is that the FederatedEmail account as well as the SystemMailbox accounts were all corrupted. According to the above solution it says to delete them in ADUC, uninstall Exchange, and then use PS to recreate them. I deleted the accounts in ADUC, but I cannot uninstall Exchange... When I try to do so it is looking for the FederatedEmail account that was deleted, fails and errors out. I'm tempted to just start this process all over. This feels like what I ran into originally, but I did get further this time in installing Exchange 2013 and CU8.

Since I can't uninstall Exchange, I'll just re-install Windows and start all over, use ADSIEDIT to delete these Exchange servers (again) and do it all over. I'll wait for your response before I begin, but I just don't see a way right now to make any progress with the way these servers are behaving.
0
 
LVL 3

Author Comment

by:Sec-Man
Hey Simon!

It's been a few days, but I have been hard at work. I have everything installed and set up where it needs to be, but the last hurdle is that I can't get mail to send or receive.

So what does all that mean? I have two Edge Transport servers in the DMZ, and from the internet I have created a load balancing virtual server for SMTP pointing at the two edge servers with persistence using the source address. Those transport servers are subscribed to the two MB servers located internally. The edge transport servers are not in the domain, but they are communicating with the MB servers, evidenced by logging and the Exchange PowerShell saying so.

I have both CA servers in the DMZ as well, with a load balancing virtual server set up for 443 pointed at both of them, as well as an HTTP to HTTPS redirect virtual server. I will eventually do SSL offload but I'm not there yet. OWA is verified to work, so there's not really anything else to do with those, except get my actual SSL cert working and do SSL offload.

I have migrated a user mailbox from 2007 to 2013 successfully. So I have a test account that I can send and receive mail from.

My current and pretty much last issue is that I'm not really sure how I configure the edge transport servers to send and receive mail.

The subscription has been executed with no errors, as well as the command to sync (Start-EdgeSynchronization). With that said, some default send and receive connectors were created, but I have to use a smart host to send mail through. It "seems" like it's set up correctly, yet nothing gets sent. Same with the receive connectors. They "seem" set up correctly, but nothing is getting received.

Soooooooooo, when I make a configuration change in EAC do I need to restart the information store like in Exchange 2007? Do I need to set up the subscription again and execute the sync command? No idea what to do at this point.

Any insights would be very appreciated.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
"I have both CA servers in the DMZ as well with a load balancing virtual server setup for 443 pointed at both of them as well as an http to https redirect virtual server"

That is an unsupported configuration.

To use the Edge servers, you should probably create new subscriptions, going through the new servers.

Simon.
0
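Re-creating the Edge Subscription as Simon suggests, written out as an added example (not from the thread or from Microsoft's documentation). It assumes the placeholder Edge server name, file path and AD site below, the Exchange Management Shell on both sides, and that the Edge server can resolve the Mailbox servers' FQDNs (and vice versa).

```powershell
# Added example: replace a stale Edge Subscription between a DMZ Edge Transport
# server and the internal Exchange 2013 Mailbox servers. Run each half where
# the heading says. Names and paths are placeholders.

# ---- On the Edge Transport server (not domain-joined) ----
# Drop the old subscription so the new one starts from a clean state.
Get-EdgeSubscription | Remove-EdgeSubscription -Confirm:$false

# Export a fresh subscription file. It embeds the EdgeSync bootstrap
# credentials and expires 24 hours after creation, so move it over a trusted
# channel and delete the copies once the import below has succeeded.
New-EdgeSubscription -FileName "C:\Temp\EdgeSubscription.xml" -Force

# ---- On an internal Mailbox server ----
$EdgeName = "EDGE01"                    # placeholder: Edge server host name
$Site     = "Default-First-Site-Name"   # placeholder: AD site holding the Mailbox servers
$File     = "C:\Temp\EdgeSubscription.xml"

# Remove any leftover subscription for the same Edge server before importing.
Get-EdgeSubscription | Where-Object { $_.Name -eq $EdgeName } |
    Remove-EdgeSubscription -Confirm:$false

# Import the file; the default connectors (Internet send connector and the
# inbound connector from the Edge to the organisation) are created here.
$Bytes = [byte[]](Get-Content -Path $File -Encoding Byte -ReadCount 0)
New-EdgeSubscription -FileData $Bytes -Site $Site `
    -CreateInternetSendConnector $true -CreateInboundSendConnector $true

# EdgeSync runs from the Mailbox servers' Transport service to the Edge on
# TCP 50636 (secure LDAP); mail flows over TCP 25 in both directions. Those are
# the only ports the DMZ firewall needs between the two tiers for this to work.
Start-EdgeSynchronization
Test-EdgeSynchronization | Format-List Name, SyncStatus, UtcNow, LastSynchronizedUtc

# The inbound path: the Edge-to-organisation send connector should list the
# Mailbox servers as its target, and the receive connector on the Edge should
# accept anonymous SMTP from the internet.
Get-SendConnector | Format-List Name, AddressSpaces, SmartHosts, SourceTransportServers
```

If SyncStatus is anything other than Normal, fix name resolution and the two ports first; a connector "seeming" correct on the Mailbox side does nothing until EdgeSync has pushed it to the Edge.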
 
LVL 3

Author Comment

by:Sec-Man
I will re-subscribe and restart all services. Anything else?

As far as the CA servers being in the DMZ - yeah I know MS wants you to use their form of an application FW (I forget what it's called) and forward the OWA traffic to the CA servers internally. Personally I think that's a huge waste and also introduces yet another layer that isn't necessary. I have a Checkpoint FW at the edge. I don't need 2 firewalls... Simply putting the CA servers in the DMZ (keeping in mind they aren't just behind a firewall, they are also behind an F5 cluster which is also secure) and giving them access to the MB servers internally isn't just efficient, it's secure. I'm very OK with this architecture.
0
 
LVL 63

Accepted Solution

by: Simon Butler (Sembee), earned 500 total points
You may be OK with the architecture, but it will be unsupported and therefore untested.

Not much more else I can suggest.

Simon.
0
 
LVL 3

Author Comment

by:Sec-Man
Hey Simon!

Ok - Send and receive are now working fine. My next problem is I just migrated a user's mailbox from 2007 to 2013. When that user goes to OWA and authenticates, we get a 400 error - page cannot be found. Any ideas?
0