trying to build a server standard 2012 R2 with three VMs including Exchange 2012 to replace SBS 2008

I'm pretty skilled with SBS and am now needing to replace a bunch of SBS machines with Standard/Exchange combos. Local Exchange is a must and I'm trying to find a way to knock these systems out so the new high cost is as low as possible. It's already about $2500 to $3000 more just in licenses and clearly setting up 4 Windows installs is not very easy. I'm building a test bed trying to figure out the best way to do this. Details follow.

I have a number of clients with SBS 2008 systems reaching the end of their supported, warranted life. The question is whether I've made a fatal mistake in my test machine or if it's just configuration mistakes which can be fixed. The goal is to come up with a process to deliver and install a Server Standard 2012r2/Exchange 2013/Hyper-V setup where the entire switchover is done over a weekend with everything working on Tuesday morning. I bought a test server, two copies of Standard 2012 R2 on the plan that the old server will become a BDC and the source of a third guest OS in addition to the two that come with Standard. The three VMs will be on their own partitions on the theory that the disk fragmentation difference is worth the hassle. I don't have clear guidance here but it seems to make sense. I'm open to being told I'm wrong. The next thing is that I am using three guest OSes with the host doing nothing but host. There will be a BDC on the old box currently running SBS so the host could also be the file server but the file server is also an app server and I've been advised not to have the host do anything but host.

So, Host, and three guest OSes: Domain controller, Exchange 2013 and file/print/app server.

Issue 1: can the same instance of IIS run both Remote Web App and OWA if Essentials is not installed on the Exchange VM. I thought that Essentials should be installed on the DC as it's a pseudo domain enabling remote access, desktop backup and the like. I need to have a single external IP address and a single certificate for both RWA and OWA. Can the IIS on Exchange VM also run RWA on the default web site as it does on SBS if Essentials is on the DC? Or does Essentials need to be on the Exchange server? And if it needs to be on the Exchange server, is it too late and I need to start over?

Second question is that I don't understand disjoint namespace or something else which has resulted in my Exchange server sending as subdomain.domainname.com instead of domainname.com. There are two receive connectors, one for subdomain.domainname.com and the other just as domainname.com but I don't see a way to make the send connector send to the internet as domainname.com.

The DC is set up by defaults I could not figure out how to change as "INTERNAL".domainname.com, with no obvious way to prevent the subdomaining nor a way to change the NetBIOS name INTERNAL. INTERNAL is the NetBIOS name and users are at internal\<username>. I tried to eliminate it for DNS so that Exchange would be at domainname.com but I fumble-fingered something so that the DNS name is "int" not INTERNAL. So the Exchange server is trying to send as int.domainname.com.

I tried to make sense of disjoint namespace but thought that if the domain name after the NetBIOS subdomain was the DNS name, I was OK and it was not disjoint. Is the Exchange problem the "int" or that I have not figured out how to make the Internet send connector send as "domainname.com"? SBS had a "Connect to the Internet" wizard which let you define the Internet domain that Exchange was authoritative for.

I'm combining these questions because the underlying question is whether I can change some settings or need to do the DC and then Exchange over. I understand that little can be changed on the DC at this point.

Thanks for any help. I'm stumped.
Bob_Simons asked:

Scott Thomson commented:
What sort of hardware are you putting this onto?
You want a physical domain controller and virtual file/print/exchange?
0
Bob_Simons (Author) commented:
Thanks for answering.

The actual machines will be a higher grade than my test machine but they are similar: Dell tower PowerEdges with good RAID cards, dual power supplies, iDRACs, SATA RAID 10s, at least 48 gigs, on Standard 2012 R2 with Exchange 2013.

My test machine is a Dell PowerEdge T320 with 48 gigs and a RAID 10 on a PERC H710, with a single virtual disk formatted into 5 partitions, (a) host, (b) DC, (c) exchange, (d) fileserver and (e) swap. For the test, all OS partitions are 300 gigs except file server and swap. Swap gets 100 gigs and file server gets the rest.

The actual machines will be T430s with dual six core CPUs on SAS 2TB 7200 RPM drives in a RAID 10 with 64 gigs. I thought the T320 was a sufficient test mule for my one-person company. The clients are 10 to 20 person law firms typically running a few line of business apps, often with SQL back ends. They need local Exchange, Remote Web and OWA, ActiveSync, Client Server QuickBooks, a client management system, a billing system, and often a document management system. There'll be antivirus with Information Store scanning, a backup system which backs up to local drives and an Rsync host, usually at a principal's house. There are usually two servers, with the other running print tracking/cost recovery and voicemail to email programs. Sometimes the antivirus console gets moved there.

There is often a desktop running a document indexer pointed to the file server.

I've been specializing in these small law firms for several years and the death of SBS means a huge jump in costs for systems with a supported life of seven years tops. If I can't get the install down to, say, 30 hours including all the desktops and 4 OS installs and 100 gigs of email migration, then I'm really screwed given the huge increase in Microsoft licensing costs and the increased hardware capacity. And of course, Dell won't deliver a box with Exchange installed, nor will they deliver a box with Open License Windows, which is needed to get the two Hyper-V instances per copy of Windows.

So I get an empty box and a deadline.

thanks again.

Those may get a pair of 300 gig SAS 15K drives for the databases if the RAID 10 is not good enough. But I think my test box is similar to what I'd been using for my SBS 2011 boxes except for more RAM. Small companies got the single socket 320 and the bigger companies got the dual socket 420s, which are now getting replaced with the 13th gen boxes, so that's what the clients will be getting.

Still, the big thing is learning how to knock these setups out because there won't be time for mistakes. So I'm trying test runs replacing my internal SBS 2011 system with this thing. Once I get it running right then I want to know if it should be a single partition instead of several, if it should be two VMs instead of 3, if the resources like RAM should be auto instead of fixed, how to do the tuning and BPAs, etc. But that's down the road. I'm not understanding the IIS/RWA/OWA part and the namespace stuff. My test email went out user@subdomain.domainname.com and I'm stuck at the send connector, not understanding what to search on, feeling dumber than I want to be.

To me, the big issues are whether I did right by creating a DC with a machine name of domaincontroller, controlling a subdomain of the external DNS name so that users are on INTERNAL.domainname.com. At least I
0
Bob_Simons (Author) commented:
I forgot to answer:

The new box is a hardware host and three VMs: DC, Exchange and File Server. Host will be a domain member unless I must be talked out of it.

There will be another box as a DC, favoring a VM DC so the other box could be a Hyper-V host to allow moving a guest OS if there was a crisis. Everyone says don't make a host a DC, so I favor taking the old, out of warranty but high level box and putting a second copy of Server Standard 2012 R2 on it, and using one guest OS for the BDC and the second guest OS for the new server which needs three VMs and comes with 3.
0
Bob_Simons (Author) commented:
Fixed the send-as problem with Exchange admin center -> mail flow -> email address policies -> new policy. It appears the act of creating it changed the level to 1 and made the default policy "lowest." Not sure if I should remove the default policy, which is incorrect.
0
Bob_Simons (Author) commented:
I found this but still can't make sense of it:

https://technet.microsoft.com/en-us/library/jj200172.aspx
0
Scott Thomson commented:
Generally Exchange and SQL need their own drives. It's the best practice.

Or at least run in cache mode i think.
0
Steve Knight (IT Consultancy) commented:
To I feel for you here.. SBS installs are messy to upgrade at the best of times as you know and listening here for any useful bits...

I had a customer on SBS 4.5 still until not that long ago and still have some 2000 and 2003 - two annoyingly now in the same building but kept separate but many users overlapping - horribly messy until I can get them to agree to replace with one or the other ideally.

Have taken various approaches of moving away from SBS generally coinciding with losing internal exchange and or sql simplifying things. With the full sbs quota of facilities actually used... Too much dosh and time required normally for people to see why they should bother.

Good luck with it!

Steve
0
Aaron Tomosky (SD-WAN Simplified) commented:
At those small mail store requirements, I'd really think about some SSDs. Top of the line are Intel S3700 but their new DC S3500 line is much cheaper and still a solid choice for your use. That would free up your 2TB drives for the file storage.
0
Bob_Simons (Author) commented:
Probably not a bad idea and I'm partial to SSDs like the Samsung 850 Pro. But I need to be clear that this is not in any way my problem. The problem is how to get the Essentials role's Remote Web Access to share IIS and certs and IP addresses with Exchange's OWA. It's in figuring how to allocate processors between three guests and one host. It's in whether to let Windows allocate resources or doing it manually. It's in whether to put each VM on its own partition to try to minimize fragmentation. It's in how to make the file server answer calls for the old server so I don't even touch the desktops, by using CNAME entries, WINS servers and multiple IP addresses on the new file server. Most of all it's in how to do this job over a weekend with no loss of functionality. It's in how to make OWA work if I split the job into two weekends and move the mailboxes first.

I hope you understand where I'm coming from. I absolutely must have everything working on Monday, or possibly Tuesday morning if I get lucky and get a three day weekend. No room at all for any problems. So it will likely be a two new server, three guest OS job done over two weekends, done in such a way as to make it a "touch none" job except possibly for moving the antivirus clients.

I've now concluded the exchange mailbox move must be first,  the DC must be an SBS to Standard migration job and the three big issues are (a) the RWA/OWA Cert/IIS/IP address thing: (b) the new file server answering calls for the old server: (c) and the migration of all roles in one day. There's no room for anything to go wrong.

I think you can tell by how I'm talking how much of this I don't fully understand. I've done this several times before but it has often felt like a very near thing, a shaky process and not a sure thing. I'd really appreciate someone to say these are the essential aspects, these things must be done in a specific order, these are the essential dependencies that might not be apparent, and here is where you can find the TechNet piece on the process. Once again, thanks in advance for any help.
0
Aaron Tomosky (SD-WAN Simplified) commented:
I was addressing the fragmentation and performance problem, those would go away with SSDs. Sorry if that isn't helpful.

I can't help with the other stuff because I don't set up Exchange anymore, especially for 20 person offices with a 100GB mail store. I help those people migrate to Office 365 or another cloud, not a new Exchange server.

Anyway sorry for the distraction, I'll let others help with your specific issues.
0
Bob_Simons (Author) commented:
I appreciate your help. I agree those are good ideas. My clients are all small law firms who distrust cloud services and dislike multiple actors or vendors in chains of responsibility. SBS was perfect for them even with all the performance and reliability issues because it was a single thing, easy to grasp. Every time there is a publicized security breach they are glad they have no customer facing systems. The American Land Title Association has just published a list of best practices needed to get listed as a third party vendor on house closings, which is what closing attorneys are. You basically can't meet the rules if you don't know everyone who has potential access to your data. You could ignore these best practices to be sure, but you'd have to litigate to show you were not responsible if there were problems. They still want their data in the building and not even at a colo.
0
Aaron Tomosky (SD-WAN Simplified) commented:
That makes sense. Most of my suggestions are outside the box types so if they don't apply feel free to ignore me :)

Have you thought about Kerio or another mail server instead of exchange? None of them are perfect and it really depends on the mail client they prefer and which of the advanced features they use. But I've had good success with em client replacing outlook and kerio/smarter mail/ice warp/etc... Instead of exchange, especially with OS X clients as the OS X outlook is horrid.
0
Bob_Simons (Author) commented:
They want 24x7, 4 hour response, 60 month pro support where it is a supported 5 year asset. Nothing weird even if it's better. Nothing that smells to a cynic of an attempt to create job security through obscurity. Do you know the British expression "too clever by half"? Can't have any of that. What I'm trying to do is to replicate SBS with current technology so closely that they'd never even know unless they looked at the web site. And it has to happen without them even knowing, at least until the bill comes. They need to know that they could fire me and they would not be in trouble. That's how I keep my job.
0
masnrock commented:
If you really wanted to try to replicate SBS, you *could* try a product like Zentyal Server, but I do not know anyone who has actually used it. It's Linux based and basically does the same functions as SBS. They licensed the MS protocols for AD and Exchange, so you could literally have put it in as an AD controller and the like. Should also be a lower cost point. Check it out, might be the all in one solution for you.
0
Bob_Simons (Author) commented:
I'm pretty sure it's not a Windows application server so it won't do. But thanks for mentioning it. I'd never seen it before.

In the end, I have to find a way to do what I described in the question(s).
0
tigermatt commented:
This is a pretty chunky question, and an even more chunky problem space you are trying to solve, with apparently limited scope for downtime etc, but I'll see if I can address your specific points:

can the same instance of IIS run both Remote Web App and OWA if Essentials is not installed on the Exchange VM
For starters, you cannot install Exchange on the Essentials VM, period. So the answer is "no". TechNet says as much:
Microsoft does not support installing Exchange Server on a server that is running Windows Server Essentials.
This twists your hand into having a "Standard" VM in addition to any Essentials VMs you might install. I've no idea why Microsoft doesn't support some setups which technically should work with minimal consequences; there are obviously commercial reasons for their doing so, and they have the market power to enforce such requirements.

If you want to use the remote access functions of Essentials, you are not going to be able to host these on the same box; you will EITHER need two IP addresses (one for the Essentials box, one for the Exchange access) OR you will need to run one service on a different, non-standard port number; then you have to direct traffic to the new port and either use Port Address Translation at a gateway device to map new port -> original (443) port, or change the listening port on the server hosting the service.

Of the two, multiple IP addresses is the option I would strongly recommend.

If you absolutely do not have the option due to issues beyond your control with the ISP, then you are limited to one IP address. I really don't like the non-standardism with multiple port numbers, and that's going to break something in either the RWW or OWA (of all the different types of mobile operating system these days, there's bound to be one with a dodgy ActiveSync implementation which doesn't want to connect to a non-standard port number). You could install RDS Gateway on the Exchange Server to provide gateway services there, but this is just a generic gateway; you lose the fancy front-end and wizard configuration you are after.

Have you considered using a VPN? This could be run on the Exchange VM (not recommended) or another VM (since it'll run on a different port as standard, so NAT can be used) or on a dedicated gateway device, and started by clients whenever they need to log in to their workstation. i.e. start VPN -> browse (internally now) to the RWW -> log in as normal.
It's a departure from the standard RWW way of working and one extra step, but would allow you to deliver both services on a single IP (using NAT to open ports to the Exchange Server). With some effort you should be able to configure either Microsoft's VPN environment or find a third-party technology so it works across all platforms; most support mobile OSes too, if your clients are partial to using a tablet to remote in at any time.


Looks like you solved the Exchange mailing issue. By default, Exchange will send mail with the same name as the AD domain name; you have to instruct it to mail out otherwise.


The migration process is something you will come across later on; it does need careful thought due to the complexities of jumping off an SBS box (order of migration). If you can complete a migration in a weekend, you shouldn't ever trigger any of SBS's EULA violation detection routines so it shouldn't be an issue. Remember: I wouldn't recommend keeping the OS on the SBS box as an additional Domain Controller, you would need to reinstall with a standard WinServer license to do that. Remember these are additional DCs, not BDCs (that is an NT-era concept that went away with Windows 2000's introduction).
0
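As an added illustration (not from the thread or from Microsoft's documentation) of the point tigermatt makes, this is the Exchange Management Shell equivalent of the email address policy Bob created in the EAC. It assumes the placeholder public domain "domainname.com" from the question, a policy name "Internet addresses", and a send connector called "Internet"; all three are assumptions.

```powershell
# Added example, not part of the original thread. Run in the Exchange
# Management Shell on the Exchange 2013 server. Names below are placeholders.
$publicDomain = "domainname.com"        # the Internet domain (assumption)
$policyName   = "Internet addresses"    # arbitrary policy name (assumption)

# 1. The public domain must be an accepted, authoritative domain before any
#    address policy can stamp it. Create it only if it is missing.
if (-not (Get-AcceptedDomain | Where-Object { $_.DomainName -eq $publicDomain })) {
    New-AcceptedDomain -Name $publicDomain -DomainName $publicDomain -DomainType Authoritative
}

# 2. Create a policy whose primary SMTP template uses the public domain.
#    %m is the mailbox alias. Priority 1 ranks it above the Default Policy,
#    which stays in place as the "Lowest" catch-all; there is no need to
#    delete it, because the highest-priority matching policy wins.
if (-not (Get-EmailAddressPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-EmailAddressPolicy -Name $policyName `
        -IncludedRecipients AllRecipients `
        -EnabledPrimarySMTPAddressTemplate "SMTP:%m@$publicDomain" `
        -Priority 1
}

# 3. Apply it. Existing mailboxes are only restamped when the policy is
#    updated; the old int.domainname.com address is kept as a secondary
#    proxy address, so replies to earlier test mail still deliver.
#    Mailboxes with EmailAddressPolicyEnabled = $false are left untouched.
Update-EmailAddressPolicy -Identity $policyName

# 4. Verify: policy order, then a sample of mailboxes and their primary address.
Get-EmailAddressPolicy | Sort-Object Priority |
    Format-Table Name, Priority, EnabledPrimarySMTPAddressTemplate -AutoSize
Get-Mailbox -ResultSize 5 | Format-Table Alias, PrimarySmtpAddress -AutoSize

# 5. The name Exchange presents in HELO/EHLO to remote servers lives on the
#    send connector, not in the address policy. Check it, and make it match
#    the public MX/PTR name so receiving servers do not see int.domainname.com.
Get-SendConnector | Format-Table Name, AddressSpaces, Fqdn -AutoSize
Set-SendConnector -Identity "Internet" -Fqdn "mail.$publicDomain"   # connector name is an assumption
```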
Bob_Simons (Author) commented:
Thanks for answering such a convoluted question. I may have misstated or been too ambiguous regarding the IIS part. What I meant was that I was going to install the Essentials role on a DC guest OS. That will be the IIS instance which handles requests for RWA. There will be another guest OS with Exchange, and Microsoft has more or less strongly recommended granting it its own box, even if Hyper-V would allow you to temporarily put other guest OSes on it. The Exchange machine would by default be the IIS server for OWA.

So we take a hypothetical user with a single external IP and a standard cert, and what's more, it's an SBS domain with ".local" addressing. I've asked Microsoft and they have answered but not documented any of the following. First off, they say that I can ignore the .local issue as there is no need to refer to .local, and they say that SBS always included an internal ID but that Standard does not, and using the external addressing typical of "Outlook Anywhere" or of ActiveSync, I don't need an internal name. Second, they say to get a UCC cert and put the external name on the cert, an autodiscover name on it and a wildcard name on it.
Third, they say to use the IIS on the DC (Essentials role) as the machine that traffic is routed to. By something similar to magic, all traffic related to Exchange (ActiveSync, Outlook Anywhere, both internal and external) will be sent to the Exchange server. Fourth, this means that I will have two active IIS instances with a single cert installed on two servers, with all external traffic pointed to the DC, and it will just work.

The SBS box will be wiped and I'll put an available 2008 R2 non-virtualized copy as a back up domain controller.

The second new server will be set up to have an Exchange "replica" VHD running 15 minutes behind so I have a near backup server.

The StorageCraft backup can load the backup as an Oracle Virtual Machine right on the backup box itself so I have an emergency file server, no more than an hour behind. So between the BDC, the Exchange replica and the StorageCraft, while I don't have redundancy or clustering, I have pretty reasonable emergency capabilities.

The final thing is that the new file server guest OS has to replace the SBS box as the application server, the file server and the print server, hopefully without even touching the desktops. I was planning to use a bunch of tricks so the new server answers calls for the old server, at least as regards SMB shares. I did it before but didn't keep good enough notes to remember all of it, so I know it actually works. I create a CNAME entry in DNS for the old server pointing to the new one. I have to bind the old server's IP address to the new server, too. I set up WINS so that NetBIOS names point to the new server. And there's a fourth thing I can't recall. This way, \\<old IP address>\<share> will work; \\<netbiosname>\<share> will work; \\<internal DNS name>\<share> will work; old mapped drives will work, etc.

I think, but am not sure, that the missing piece is that I need to advertise the old machine name so you can browse to the old server but not get the new. I just don't remember what I did last time. I know it works because the users didn't even know I'd replaced it.
0
Aaron Tomosky (SD-WAN Simplified) commented:
If they are domain joined, say computername.domain.com, you can use \\computername as the .domain.com will be automatically appended. So it looks like NetBIOS but it's really DNS. That way you can just add CNAMEs for aliases. This works for everything but printing. There is an additional registry entry you have to add to a print server to allow the CNAME to work.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/741d87c5-dbbb-4949-b3fd-ada0c109a470/forum-faq-cannot-connect-and-print-to-printers-via-cname-alias-of-printer-server?forum=winserverprint
0
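An added example (not from the thread, and not Aaron's or Bob's own commands) of the CNAME alias approach discussed above: pointing the old SBS server name at the new file/print server so existing UNC paths and mapped drives keep working. It assumes placeholder names OLDSERVER (retired SBS name), NEWFS (new file server VM), DC01 (the DNS server) and the AD zone int.domainname.com; the LanmanServer strict-name-checking and SPN steps are my additions beyond the DNS record and print-spooler registry entry the thread mentions.

```powershell
# Added example, not part of the original thread. Placeholder names throughout.
$zone    = "int.domainname.com"   # AD DNS zone (assumption)
$oldName = "OLDSERVER"            # name clients still use (assumption)
$newHost = "NEWFS"                # new file/print server VM (assumption)
$dnsHost = "DC01"                 # DNS server holding the zone (assumption)

# 1. DNS alias: the old name resolves to the new server. Because domain-joined
#    clients append the AD suffix, \\OLDSERVER becomes OLDSERVER.int.domainname.com
#    and hits this CNAME (DnsServer module: DNS role or RSAT).
Add-DnsServerResourceRecordCName -ComputerName $dnsHost -ZoneName $zone `
    -Name $oldName -HostNameAlias "$newHost.$zone"

# ---- The remaining steps run on NEWFS itself (elevated). ----
$lanman = "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"

# 2. SMB: by default the server refuses connections addressed to a name that is
#    not its own. DisableStrictNameChecking relaxes that check for any name;
#    OptionalNames is the narrower option that registers just the alias, so
#    the server also announces it. Keep any entries that are already present.
New-ItemProperty -Path $lanman -Name DisableStrictNameChecking -Value 1 `
    -PropertyType DWord -Force | Out-Null
$existing = (Get-ItemProperty -Path $lanman -Name OptionalNames -ErrorAction SilentlyContinue).OptionalNames
$names = @($existing) + $oldName | Where-Object { $_ } | Select-Object -Unique
New-ItemProperty -Path $lanman -Name OptionalNames -Value ([string[]]$names) `
    -PropertyType MultiString -Force | Out-Null

# 3. Kerberos: a client asking for \\OLDSERVER requests a ticket for
#    HOST/OLDSERVER. Without these SPNs on the new computer account the
#    request falls back to NTLM or fails outright. -S refuses duplicates.
setspn -S "HOST/$oldName" $newHost
setspn -S "HOST/$oldName.$zone" $newHost

# 4. Printing via an alias: the spooler needs DnsOnWire, the registry entry
#    Aaron's link refers to, before it will accept print requests sent to
#    a name that is not the server's own.
$print = "HKLM:\SYSTEM\CurrentControlSet\Control\Print"
New-ItemProperty -Path $print -Name DnsOnWire -Value 1 -PropertyType DWord -Force | Out-Null

# 5. Pick up the changes (LanmanServer restart briefly drops SMB sessions).
Restart-Service LanmanServer -Force
Restart-Service Spooler

# 6. Check from a domain-joined client: the share opens under the old name and
#    klist shows a HOST/OLDSERVER ticket, i.e. Kerberos rather than NTLM.
#    Test-Path "\\$oldName\Users"    # share name is a placeholder
#    klist | Select-String "HOST/$oldName"
```

Binding the old server's IP address to NEWFS, which Bob also lists, is a separate step that only belongs after the SBS box is off the network; it is not shown here.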
tigermatt commented:
Bob,

What I meant was that I was going to install the essentials role on a DC guest OS. That will be the IIS instance which handles requests for RWA.
Okay, I think I understand: host hypervisor, 3 VMs (DC, Exchange, File/App/Print) and you plan to do the RWW on the DC VM. If I were building this out from scratch, I would probably choose to put that role elsewhere, since there would be a (negligible, but non existent) security benefit to not exposing the DC to the Internet directly. But given no choice, the DC is perhaps a good location, and certainly supported.

Microsoft has more or less strongly recommended granting it its own box
By "its own box", I am assuming you mean "its own VM" -- I read that as "its own physical server", and I just wrote a paragraph about that before realising what (I think) you meant. I would go along with Microsoft's suggestion to put Exchange in its own VM; Exchange touches lots of parts of the operating system, and co-locating other roles can lead to difficulties when you start playing with other roles on the same box. Diagnostics and troubleshooting in particular are difficult. Your preferred search engine will turn up plenty of articles for why Exchange on a DC is not a good idea, too. :-)

it's an SBS domain with ".local" addressing
If you are migrating off the SBS environment, the .local shouldn't be a problem -- in fact it is an extremely commonplace arrangement. You just need to configure Exchange slightly differently with split DNS for the public DNS namespace and to always use the company's publicly registered DNS name when accessing internal resources. This is largely forced upon you because the code of practice which SSL certificate vendors follow no longer allows certificates to be issued in the name of non-Internet registered TLDs such as .local.

I can ignore the .local issue as there is no need to refer to .local and they say that SBS always included an internal ID but that standard does not
Not sure what the "internal ID" they refer to is. A .local domain is perfectly acceptable in a standard (non-SBS) environment. As long as the implications of split DNS are understood, it's fine. In fact, in small businesses I generally prefer to deploy .local domains; I find they change their public facing domain too frequently to bind their long-term AD environment to their .com and then find it's changed a year or two later. Too much hassle.

they say to get a UCC cert and put the external name on the cert, an autodiscovername on it and a wildcard name on it
Wildcard certificates with Exchange can be problematic, unless you obtain a certificate from a vendor which allows you to list specific names in the SAN field; Digicert does this.

A wildcard is useful if you will have lots of records you wish to secure without the overhead of purchasing and managing a certificate for each. If you just want to publish RWW and OWA then you can probably get away with a cheaper 5-name UCC certificate, listing RWW hostname, OWA hostname and Autodiscover.

As I say above, you cannot list .local names anymore, but this is just a matter of Exchange configuration so that it always accesses resources internally using secured connections via the public names in the certificate.

Third, they say to use the IIS on the DC (Essentials role) as the machine that traffic is routed to. By something similar to magic, all traffic related to Exchange (ActiveSync, Outlook Anywhere, both internal and external) will be sent to the Exchange server.
My inexperience with Essentials must be showing here, but I now realise what you are alluding to: Essentials automates the configuration of IIS on the Essentials box as a reverse proxy (using Application Request Routing), so you can do precisely as you describe. The install page contains more detail: https://technet.microsoft.com/en-gb/library/jj200172.aspx.

So yes, you'll set it up as you describe (disregard my last post) and following the Essentials wizards will do most of this for you.

Fourth this means that I will, have two active IIS instance with a single cderft installed on two servers with all external traffic pointed to the DC and it will just work.
Correct; apologies for misunderstanding earlier.

while I don't have redundant or clustering, I have pretty reasonable emergency capabilities
Remember: backups are taken for the purposes of doing a restore, so regardless of technology used, make sure they are suitable for that purpose by testing them regularly! As these are law firms, I am sure you are well aware of the retention requirements and recovery point objectives you are required to adhere to. Real-time high-availability clustering and failover can get extremely expensive to get right and protect against all foreseeable eventualities, especially when you start considering the multi-site replication scenarios.

The final thing is that the new file server guest OS has to replace the SBS box as the application server, the file server and the print server hopefully without even touching the desktops.
There's a lot of guidance online for this, but Aaron has addressed the point above.
0
Bob_Simons (Author) commented:
I want to be clear: two hardware servers, both running 2012 R2 Standard, both physical boxes only hosts, and the first one only 1 guest OS, that being the one running Exchange. MS says there are recoverability advantages of virtualizing Exchange but it's such a hog that it should get its own machine, whether as the only guest OS or as a physical server. So, a guest OS but the only one, with 100% of the resources given to Exchange unless the host can't get enough resources.

The VHD replica capability is enough reason to go through the extra work to virtualize Exchange.

The only time there'd be more than one guest OS on this is temporarily during an emergency. But equally, Exchange might be moved to the other server with the DC and file server.

So, last two questions, and a few statements. The clients are all law firms and it's sufficiently difficult to rename them with all the licensing issues that you generally try to build the boxes to last 5 years, put pro support on them and replace them when the warranty runs out, as they can't have any exposure to a problem without an active service contract. I'm hoping this Hyper-V setup will greatly improve the recoverability of the system and the move off SBS should greatly improve the options (like being able to build and introduce a replacement system if needed).

I've only had one change their name in the years I've been doing it.

So my biggest issue is that the roll out has to have essentially zero down time but they won't pay extra for that either. So it seems to make the most sense to set up the two physical boxes and the two host OSes, get them updated, stable etc. and then make the three guest OSes with all the initially available updates. There will be two guests on one system and one on the other. The system with one guest gets added to the SBS domain as a member server, Exchange 2013 gets installed and one mailbox (one that does not matter, like the admin account) is moved. Then I see if ActiveSync and OWA work, and if not, fix it. Then, unless this is a problem that can't be fixed, I move all the other mailboxes. I've now done the most time consuming part with no disruption.

Next I put the DC guest OS on the domain and run DC promo but don't move any roles until the weekend. On the weekend, I move all the roles and set up the file server to substitute over the weekend. I intend to do the first one of these on Memorial day weekend to have a third day.

I also have a test box which I will use to practice this, moving my SBS 2011 network to the test server. Performance will be worse running three guest OSes on a single socket server but it should suffice for my one person company.

So question 1 is do you agree with this timeline, and question 2 is how should I give points for the assistance on this question?

Thanks again for all your help.
0
tigermatt commented:
two hardware servers, both running 2012 R2 Standard, both physical boxes only hosts, and the first one only 1 guest OS, that being the one running Exchange. MS says there are recoverability advantages of virtualizing Exchange but it's such a hog that it should get its own machine, whether as the only guest OS or as a physical server. So, a guest OS but the only one, with 100% of the resources given to Exchange unless the host can't get enough resources.
Understood. In my opinion, a dedicated box for Exchange is overkill in this circumstance, when the box could be used to get you some cheap failover tolerance with Hyper-V replica, but who am I to question Microsoft and the powers that be? :-)

The VHD replica capability is enough reason to go through the extra work to virtualize Exchange.
The only point I would make -- which I should have made earlier in the thread -- is to be careful with backup software that manipulates the disk at the lowest level, such as interfacing with VHD files directly. For servers containing databases (which Active Directory Domain Controllers and Exchange do), you need to use the Volume Shadow Copy service to interface directly with those databases and perform an "application-aware" backup -- Exchange has to co-operate in the backup process. Either that, or the VMs must be shut down before the copies of the VHDs are made. Neither Hyper-V snapshots nor any other "snapshotting" technology from a third party are to be used on a DC or Exchange Server unless they talk to the application in the VM which they are backing up, and co-operate with it, since snapshots alone are not stateful.

So double check your backup software will collaborate via VSS with the applications in each VM and supports backing up DCs and Exchange in this way. (A question for the vendor, I'm afraid, as I've never used the software).

So question 1 is do you agree with this timeline
On the whole, yes. Some commentary:

Then I see if ActiveSync and OWA work, and if not, fix it. Then unless this is a problem, that can't be fixed, I move all the other mailboxes. I've now done the most time consuming part with no disruption.
Remember you only have one IP, and that goes at the start of the process to the SBS box for remote access purposes. At some point you will have to swap that over to the Client Access role on the new Exchange Server; you can do this before you move mailboxes, during or after, but the mailbox move process is not atomic, so you will necessarily have to cut some users off from accessing their mailboxes depending on when the IP switchover is made -- unless you take special precautions.

Exchange 2010 cannot proxy client access requests to a newer (Exchange 2013) version of Exchange Server, but you might want to look at Exchange 2013 transparently proxying client access requests back to an SBS 2011 (i.e. make the change ahead of moving the mailboxes). c.f. this article: http://blogs.technet.com/b/exchange/archive/2014/03/12/client-connectivity-in-an-exchange-2013-coexistence-environment.aspx This also has to play ball with the RWW -- although that's just a reverse proxy on the Essentials box so no big deal.

But then you have to deal with the RWW situation by switching the IP to the Essentials box so that it proxies traffic to Exchange 2013, with the flow to mailboxes still on the SBS being external <--> essentials <-reverse proxy-> Exchange 2013 <--internal Exchange proxy--> Exchange 2010. So you might have to do the DC promotion and configuration of Essentials ahead of the Exchange work to ensure this system is available and there is no loss of any service for remote access.

question 2 is how should I give points for the assistance on this question?
Entirely how you wish! You can evaluate how much each expert assisted, and then award experts a fraction of the points according to your value weighting of their answers in the close process, bearing in mind EE's mantra of "points for solutions, not effort". But it would be inappropriate for anybody contributing here to guide you on that process and precisely how the points should be awarded, so if unsure I would recommend you hit "request attention" above and ask for some impartial advice from the moderators.
0
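The "application-aware" point above is something you can check before trusting a backup job. The following is an added example, not code from the thread or from any of the backup vendors mentioned: part 1 runs on the Hyper-V host and confirms each guest's backup integration service is enabled (without it the host-side VSS requester cannot quiesce the guest), part 2 runs inside a guest and parses `vssadmin list writers` so the NTDS writer (DC) or Microsoft Exchange Writer (Exchange) can be confirmed present and stable. The VM names DC01, EX01 and FS01 are assumptions.

```powershell
# Added example (not from the thread): pre-flight check that a VM backup will be
# application-aware. Part 1 runs on the Hyper-V host, Part 2 inside each guest.
# Assumed names: guest VMs DC01, EX01 and FS01; adjust to your environment.

# --- Part 1: host side -------------------------------------------------------
# A host-side VSS requester can only quiesce the guest's databases if the guest's
# backup integration service is enabled. On 2012/2012 R2 its display name starts
# with "Backup", so match on that rather than the version-specific label.
$vmNames = 'DC01', 'EX01', 'FS01'
foreach ($vm in $vmNames) {
    $svc = Get-VMIntegrationService -VMName $vm | Where-Object { $_.Name -like 'Backup*' }
    if ($null -eq $svc) {
        Write-Warning "${vm}: no backup integration service found (Integration Services not installed?)"
    } elseif (-not $svc.Enabled) {
        Write-Warning "${vm}: backup integration service disabled - enabling it"
        Enable-VMIntegrationService -VMName $vm -Name $svc.Name
    } else {
        Write-Output "${vm}: backup integration service '$($svc.Name)' is enabled"
    }
}

# --- Part 2: guest side ------------------------------------------------------
# Parse 'vssadmin list writers' into objects so the application writers can be
# checked before a backup is trusted: a missing or failed NTDS writer (DC) or
# Microsoft Exchange Writer (Exchange) means the copy would not be consistent.
function Get-VssWriterState {
    $text = (vssadmin list writers | Out-String)
    $pattern = "Writer name: '(?<name>[^']+)'[\s\S]*?State: \[\d+\] (?<state>[^\r\n]+)[\s\S]*?Last error: (?<err>[^\r\n]+)"
    foreach ($m in [regex]::Matches($text, $pattern)) {
        [pscustomobject]@{
            Name      = $m.Groups['name'].Value
            State     = $m.Groups['state'].Value.Trim()
            LastError = $m.Groups['err'].Value.Trim()
        }
    }
}

function Test-RequiredWriters {
    param([string[]]$Required)   # 'NTDS' on a DC, 'Microsoft Exchange Writer' on Exchange
    $writers = Get-VssWriterState
    $ok = $true
    foreach ($name in $Required) {
        $w = $writers | Where-Object { $_.Name -eq $name }
        if ($null -eq $w) {
            Write-Warning "Writer '$name' is not registered"; $ok = $false
        } elseif ($w.State -ne 'Stable' -or $w.LastError -ne 'No error') {
            Write-Warning "Writer '$name' is $($w.State), last error: $($w.LastError)"; $ok = $false
        }
    }
    return $ok
}

# On the DC guest:        Test-RequiredWriters -Required 'NTDS'
# On the Exchange guest:  Test-RequiredWriters -Required 'Microsoft Exchange Writer'
```

Run part 2 inside the guest (for example over `Enter-PSSession`), not on the host: the writers that matter live in the VM. A writer that is registered but reports anything other than `Stable` / `No error` is the usual reason an "application-aware" backup silently degrades to a crash-consistent copy, so this is worth running before the first real backup window rather than after.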
tigermattCommented:
Oooops, hit "submit" too early; I've edited the post above to finish off the last few points.
0
Bob_SimonsAuthor Commented:
(a) it will be Exchange 2013, and the plan is to use the old IP ultimately on the file server VM as a secondary IP. The IP of Exchange should not matter as AD will point them to the mailbox server. I'm first moving the mailboxes, then completing the migration from 2007 to 2013, although I freely admit I don't know the steps for doing it. I presume there is a fairly simple process for making the 2013 hold all the roles beyond the initial role as a secondary mailbox server.

At present there are three licensed VSS-aware backup programs available. I'm clear that the VSS writers and providers would conflict so I must pick one. I tend to deeply distrust Acronis as a Windows backup program but have always loved it as an offline imaging program and I keep it around just for that. Before doing something risky like changing partition boundaries, I'll take it offline and image it with Acronis so I can be close to sure I could always go back. It would take a very long time to tell you all the evidence that I should not use it as a backup program but I expect you could do the same, so I won't.

I have a complete setup for SBS backup using StorageCraft ShadowCopy and ImageManager. It would need some license upgrades for multiple VMs and two hosts, which I've already priced. I'm toying with replacing it with the hugely simpler Backup Assist which uses the Microsoft VSS writers and providers and is reliable at a level very few backup programs are. It does local, network and Rsync backups and it has only one major disadvantage, which is that it poorly tolerates other 3rd party VSS writers or providers, as it sees the MS providers as its own. It can do "system restore" backups which create VHD files and have the now well known restrictions on hard drive block sizes which have been around since Server 2008, but I think 2012 R2 has no problem with 4k blocks (I need to check that).

Backup Assist is very expensive to buy and very cheap to run and it uses a pair of very souped up desktops, one locally and one remotely, the latter being a replica of the former. Its major unusual trick was perfect for SBS but it leaves something to be desired here with the 5 Windows instances. The trick is that the backup data file can be mounted as a VM in a hypervisor which is part of the backup software. As it comes up with the IP address of the host server, the source server needs to be disconnected to do this. With SBS, with only one instance, it meant that we had a low performance clone server only 15 minutes behind the source server as an emergency backup. It's pretty amazing but the process of switching back from the backup, which is now a pseudo production server, back to the real source server is both poorly documented and uglier than one might hope. But it's quite the amazing hail mary pass to load up the backup, which runs at least hourly and could run quarter-hourly, and have it stand in for the server.

My inclination is to keep the StorageCraft and use it to be an emergency failover for the file server. I'm going to have Acronis (and Microsoft) images of the hosts and will have a backup domain controller so it could be updated from a daily backup after restoring from the images. There will be daily or better backups of Exchange as well as the replica. This would take well to Backup Assist and the MS VSS Exchange writers and their native Rsync agents. And the replica would be no more than 15 minutes behind, and if I used the Exchange litigation hold with some agreed upon retention period, I could recover the 15 minutes once I had time to look at it, after the crisis had passed.

But only StorageCraft has the trick for covering for the file server, and it could be pointed at the data file of Backup Assist, making a copy of the Backup Assist at a nearby principal's home as well as at the principal's home.

I'm still working out how much complexity I want in the backup top cover for various likely scenarios. Other than the standby server trick, I favor Backup Assist because it's fairly simple and it works. But they own the two desktops with 32 gigs and quad i7s and fast huge drives and so on and I'd only need to upgrade the agents to get a magic warm spare file server.
0
Bob_SimonsAuthor Commented:
BTW, I'm not sure if this is clear but the source server is SBS 2008, not 2011. So it's Exchange 2007, not 2010. In about a year I'll be doing this with SBS 2011 and Exchange 2010 but I first have many of these 2008/2007 systems to do.
0
tigermattCommented:
it will be exchange 2013, and the plan is to use the old IP ultimately on the file server DM as a secondary IP. the IP of exchange should not matter as AD will point them to the mailbox server.
I was referring to the single external IP which you have available to service OWA and RWW traffic -- correct me if I have misunderstood. (The internal IP is stipulated and as you rightly say, it doesn't matter much what that is set to.)

However, on the basis of a single public IP: an older Exchange version cannot handle Outlook Anywhere/OWA/Activesync requests for mailboxes hosted on a newer version, meaning there will be at least some downtime when you move the mailboxes from Exchange 2007 to Exchange 2013.

If you change the external IP <--> server association BEFORE moving mailboxes, all mailboxes which are not moved will not be accessible externally. If you change it AFTER moving mailboxes, mailboxes will become unavailable after they have moved off the SBS and before you change the external IP association over.

This leads to an interesting scheduling conflict with the RWW role; your current plan is to deal with Exchange first, then Essentials (and remote connectivity via Essentials) second. I assume you will want to maintain external access to Exchange mailboxes, which means moving the IP after the mailboxes move, rendering RWW on the SBS 2008 box inaccessible. Hence my suggestion that you are going to need to consider Essentials first, and then mailbox moves second.

With Exchange 2010, you could configure the new Exchange 2013 environment to proxy traffic to the Exchange 2010 mailboxes, requiring only one public name (owa.company.com) and not interrupting any external access to mailboxes. This is not possible with Exchange 2007, so whatever you do, there will be some downtime for mailbox access from outside.

My recommended timeline would invert stages 1 and 2: install Exchange but do not move mailboxes, configure Essentials, get RWW / OWA up and running on Essentials and tested internally, change the external IP from SBS -> Essentials (mailboxes on SBS 2008/Exchange 2007 lose external access at this point, but RWW is maintained), move mailboxes immediately thereafter, decommission SBS.

(Edit: I meant to post this link, which has more details about client connectivity co-existence between Exchanges 2007/2010/2013: http://blogs.technet.com/b/exchange/archive/2014/03/12/client-connectivity-in-an-exchange-2013-coexistence-environment.aspx)
0
Bob_SimonsAuthor Commented:
There are three services actually if you include ActiveSync. Does it live and die with OWA, so I have a choice of losing either RWW or the remote Exchange services? I thought I could have external email down for one day if I moved the mailboxes on a Thursday and then did the rest of the job over the weekend and tried to do the rest quickly. Are you saying to do the Essentials/FSMO move first and keep SBS up during the countdown as I only need three days tops? Is this approach documented?
0
tigermattCommented:
There are three services actually if you include ActiveSync. Does it live and die with OWA
I take OWA, Activesync and Outlook Anywhere to all be synonymous for the purposes of this discussion, as they are all client access roles served by an Exchange Client Access Server.

Does it live and die with OWA, so I have a choice of losing either RWW or the remote Exchange services?
Basically, yes. Without a second IP and creating a legacy namespace, you won't be able to run both sets of Exchange services (old and new) for external access side-by-side. And the hassle of establishing a legacy namespace is not worth the effort when it will only co-exist for a handful of days.

I thought I could have external email down for one day if I moved the mailboxes on a Thursday and then did the rest of the job over the weekend and tried to do the rest quickly.
That would work according to your original schedule outlined above. There would be downtime for remote access to email, as you rightly indicate, but that is not avoidable, and users could temporarily use the RWW via the old server to log in to their workstation and read mail if necessary -- until the external IP is swapped over and remote mail access is restored.

Are you saying to do the Essentials/FSMO move first and keep SBS up during the countdown as I only need three days tops? Is this approach documented?
If you were moving off SBS 2011 (with Exchange 2010) then I would do it this way around, yes. This is because an Exchange 2013 can proxy client traffic for Ex2010 mailboxes to an Ex2010 client access server. The traffic first hits the Exchange 2013 CAS, which has first refusal on service -- it will serve mailboxes it hosts directly, and will silently proxy traffic to the Exchange 2010 CAS for any 2010 hosted mailboxes. (N.B. see commentary below for the Exchange 2007 case). The link I posted earlier contains diagrams, a more thorough explanation and details of how you must configure the virtual directories on Exchange 2010 to support this set up.

Hence, for a 2010 -> 2013 move, doing the Essentials role first solves several problems:
You maintain access to the RWW throughout, as you simply cut over users from using RWW on SBS to RWW on Essentials.
You maintain access to Exchange client services throughout, except for the short window when a mailbox is physically moved -- Exchange will take the client offline for a few seconds at the end of the move process, when the mailbox move undertakes the final synchronisation and AD attributes are updated to indicate it is now hosted on the 2013 server.

The IP would be moved to Essentials, which would already be integrated with Exchange 2013 (but hosting zero mailboxes initially). Hence Essentials is providing the reverse proxy for OWA to Ex2013, and Ex2013 will further proxy Ex2010 traffic onward to the Ex2010 server.

For Exchange 2007 moves, as noted, this won't work as you must expose both the Exchange 2013 CAS to the internet, and the Exchange 2007 CAS; proxying won't happen so there's no need to follow this approach until you get on to migrating an SBS 2011 environment later on. With Exchange 2007 -> 2013 and your pre-existing constraints, some downtime is inevitable and must be expected as we cannot play these scheduling tricks in that case.
0
Bob_SimonsAuthor Commented:
Well, I do have 2007 and I need to offer them the least disruption for the least time. If for example I can move the mailboxes that don't use OWA/ActiveSync first and then put off those for the day before the move, then remote email is down for one day. Probably something like that is what I'll have to tell them. Maybe for one day they forward their email to a personal address or the like.

So you'd do Essentials first but not move the FSMO roles, then move the mailboxes and then on the weekend, remove Exchange 2007, then demote SBS, then remove SBS and then see if AD cleanup is needed?
Or am I misunderstanding things or leaving out steps?
0
tigermattCommented:
So you'd do Essentials first but not move the FSMO roles, then move the mailboxes and then on the weekend, remove Exchange 2007, then demote SBS, then remove SBS and then see if AD cleanup is needed?
Yes, something like that.

Really depends how long the mailbox data takes to move; depending on how large and the number of mailboxes there are, they could move over a long evening & night so it could be done going into the weekend. That's installation specific though, so you would have to get a feel when you moved the first few mailboxes which are not used remotely.

However, you MUST accept downtime of external mail if moving 2007 -> 2013, so in those circumstances it doesn't really matter what order; whatever you feel comfortable with.

What I was trying to convey is that for your later 2010 -> 2013 moves, of which you said you had a few, there is an alternative: install Essentials first, and get the Exchange integration to 2013 working before you move any IP addresses or any mailboxes. Since the 2013 Exchange can (if properly configured) proxy OWA traffic to 2010 Exchange (see the earlier links for details) this should (if done properly) lead to very little downtime of remote access.

Or am I misunderstanding things or leaving out steps?
There's obviously many more steps involved, but the general picture is as you describe, I believe, yes.

Maybe for one day they forward their email to a personal address or the like.
Or they remote in via Remote Desktop or VPN to read mail on Outlook on their workstation. This is what I was trying to allude to earlier: no matter which way you do it, they can always access RWW to read mail on their local workstation, either via the old SBS or via the new Essentials.
0
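The staged approach the two of you settled on (move the mailboxes that are not used remotely first, time the rest from what that wave shows you, accept the external-access gap at the IP cutover) maps onto a short Exchange Management Shell script. This is an added example, not code from the thread or from Microsoft's migration guidance: it runs from the Exchange 2013 shell, which is where 2007-to-2013 move requests are created, and assumes the source server is called `SBS` and the target 2013 database `DB01`. It uses the ActiveSync device partnership as the signal for "used remotely", since OWA use is not recorded on the mailbox, and it holds each move at the ready-to-complete stage so the few-seconds offline window falls at the time you choose rather than whenever the copy happens to finish.

```powershell
# Added example (not from the thread): staged mailbox moves run from the
# Exchange 2013 Management Shell, which pulls mailboxes from the Exchange 2007
# server. Assumed names: source server 'SBS', target 2013 database 'DB01'.
$sourceServer = 'SBS'
$targetDb     = 'DB01'

# Wave 1: mailboxes with no ActiveSync device partnership. These users are not
# relying on external access, so they can move early without hitting the
# external-IP gap discussed in the thread. OWA use is not stored on the mailbox,
# so treat the ActiveSync partnership as the best available signal and confirm
# the resulting list with the customer before starting.
$wave1 = Get-Mailbox -Server $sourceServer -ResultSize Unlimited |
    Where-Object { -not (Get-CASMailbox -Identity $_.Identity).HasActiveSyncDevicePartnership }

foreach ($mbx in $wave1) {
    # SuspendWhenReadyToComplete copies the data now but holds the final
    # switchover, so the brief offline moment lands when you choose.
    New-MoveRequest -Identity $mbx.Identity -TargetDatabase $targetDb `
        -BatchName 'Wave1-NoRemote' -BadItemLimit 10 -SuspendWhenReadyToComplete
}

# Watch progress; the transfer rate seen here is what tells you whether the
# remote users' wave fits into the Thursday-evening slot discussed above.
function Get-WaveProgress {
    param([string]$BatchName)
    Get-MoveRequest -BatchName $BatchName |
        Get-MoveRequestStatistics |
        Select-Object DisplayName, Status, PercentComplete, TotalMailboxSize, BytesTransferred
}
Get-WaveProgress -BatchName 'Wave1-NoRemote'

# At cutover (once the external IP points at the new Client Access server),
# release the held moves; the remote users' wave follows the same two steps.
Get-MoveRequest -BatchName 'Wave1-NoRemote' -MoveStatus AutoSuspended | Resume-MoveRequest
```

Keep `BadItemLimit` low and look at the statistics of any move that needed it: a handful of corrupt items is normal coming off a 2007 database, but a large count is something to investigate rather than wave through with `AcceptLargeDataLoss`. Run the second wave (the ActiveSync users) the same way with its own batch name, so `Get-WaveProgress` reports each wave separately.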