Migrate Exchange 2007 to Exchange 2010

I work in the SMB market, so when we do a migration from one Exchange version to another, the number of users is usually low enough that all the mailboxes get moved in one fell swoop – either over an evening or over a weekend. However, we occasionally have a client where we need to keep both versions up for awhile. If they are heavily using OWA (Outlook Web Access/App), this means some additional configuration. I struggled with this since most references were assuming you had an Exchange infrastructure consisting of multiple servers, edge transport server/TMG, etc. We got it all working, but wanted to put it down as a reference in case we need it again.

Setup of Network Prior to Migration

  • The setup had all roles (Hub, CAS, Mailbox, management) on one server for Exchange 2007 and will be the same for Exchange 2010.
  •  A Barracuda box for filtering the email prior to delivery to the Exchange box.
  •  Organization has 2000+ users where OWA was the primary means of access for the majority of the users (students).
  • The DNS is configured as a split-brain DNS where the internal and external DNS is the same… for our references, let’s use sdprairie.net as an example going forward.
  • Users would access webmail.sdprairie.net both internally and externally, so there is a host record in the Active Directory for webmail.sdprairie.net

Here’s the Process for Pre-Requisite Work

  1. Verify hardware and software requirements are met. We installed Windows Server 2008 R2 SP1 for the Exchange 2010 SP1 and named the server EXCHG10. This is a good choice since all the pre-requisites for E2K10 SP1 are met and you don’t have to download a bunch of hotfixes  to install Exchange 2010 SP1. Nice!
  2. Make sure Exchange 2007 has at least SP2 installed.
  3. Verify and upgrade Active Directory as needed. Our network was at Server 2008 Active Directory levels in both domains and Forest, but you should check the following:
    1. Schema Master server has to be at Server 2003 SP2 minimum
    2. Global Catalog Servers need to be at Server 2003 SP2 minimum
    3. Active Directory needs to be at Server 2003 Native Mode and Forest Functional Level should be 2003 minimum.
    4. You can check requirements out on Microsoft site here.
  4. Upgrade Active Directory Schema to facilitate Exchange 2010. It will upgrade during install if correct credentials are used, but I like to do this separately just for verification purposes. Insert the Exchange 2010 SP1 disk or mount an iso of the install files and run the following: (Note: this makes a lot of changes under the hood and therefore you need to use Exchange 2007 management console to manage the users from Exchange 2007 and the same for Exchange 2010).
    1. Setup.com /PrepareExchangeLegacyPermissions
    2. Setup.com /PrepareSchema
    3. Setup.com /PrepareAD
    4. Setup.com /PrepareDomain (or PrepareAllDomains if more than one – but then you wouldn’t be reading this for a simple install)
  5. Install the Microsoft Office 2010 64-bit filter converter pack which can be downloaded here. This allows Exchange to index Office documents.
  6. Start the TCP Port Sharing service and set the start to “Automatic.”
  7. Next install the Server 2008 R2 Operating System PreRequisites.
    1. Open a Powershell Command and run the command “Import-Module ServerManager” and press enter.
    2. Now we use the “Add-WindowsFeature” command is used to install the pre-requisites. Run the following command in Powershell after running the one noted above:
      Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,
      Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,
      WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,
      Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy -Restart
    3. Run Windows Update on Server before installing Exchange 2010.

Now for the Install of Exchange

  1. Put the Exchange DVD in the drive or mount an iso file and run setup.exe
  2. Choose the language option – “Only Languages from the DVD” in most cases.
  3. Choose “Typical” install – we installed on the C:\ drive and moved database files after install was completed.
  4. Enter a domain name for the Client Access Internet facing domain. Using our example, it is webmail.sdprairie.com. Check the box to note that this is “Internet Facing.”
  5. Watch it complete the Readiness Check and make any corrections as noted.
  6. Watch the server install (or better yet, take a coffee break :-). This will probably take around 20 minutes.
  7. Reboot server and test email flow on Exchange 2007. (I always like to test internal, external email flows as I make changes, just in case I have to troubleshoot, I know where things quit working).
  8. At this point, I will move a mailbox (typically the administrator) to the new Exchange Server using the Exchange 2010 Console and test mail flow again before making changes.

Changing the Mail Flow

Let’s change the mail flow to use the new Exchange 2010 Server. We need to make sure there is little downtime while changing the client access methods and the mail routing. Make sure you test both internal, external email flows.

  1. On Exchange 2010, put in a Send Connector to the Internet
  2. On Exchange 2010, edit the Default Receive Connector on the Server Hub Transport to allow Anonymous Connections under the “Permissions” tab.
  3. Configure both internal and external DNS to point legacy.sdprairie.com to the old Exchange 2007 server. You will need 2 public IP numbers.
  4. Point the webmail.sdprairie.com and autodiscover.sdprairie.com domains to point to the new Exchange 2010 server both externally and internally.
  5. The Barracuda has the mail.sdprairie.com name pointing to it both internally and externally in DNS.

Let’s Get the Certificate Stuff Right

Getting the certificate stuff straight got me in a tangle thinking about it, but in reality, it was pretty easy…

  1. Purchase a UCC/SAN certificate for up to 5 domains on GoDaddy. (You can use any place that sells these, but GoDaddy is pretty cost effective.
  2. Generate a certificate in Exchange 2010 using the “Certificate Wizard.” This link on MSExchange.org explains it quite well.
  3. Using the example of the sdprairie.net domain, choose the names of webmail.sdprairie.net, EXCHG10.sdprairie.net, legacy.sdprairie.net, autodiscover.sdprairie.net.
  4. Finish the install of the certificate using the wizard. I won’t elaborate on this, just see the reference :-)
  5. Export the certificate with a password. Save this file and move it to Exchange 2007. Import this certificate into the Exchange 2007 using Exchange 2007 methods.  Here’s a link that outlines this.
  6. Once this is setup, a user can logon to https://webmail.sdprairie.net/owa and the Exchange 2010 OWA interface will come up. If the mailbox is on Exchange 2007, it will seamlessly redirect to the Exchange 2007 interface, otherwise it will continue to the Exchange 2010 OWA.
  7. One thing I wondered about here… Outlook client would error out on users with an unsupported certificate on the Exchange 2007, so was wondering if I’d added the old exchange server name to the UCC certificate since I had one more item left, would it have obviated this error. It was more a nuisance than anything.

This is still not done… but am publishing for now /lee

Snippy Tool for XP

I love, love, love the Snippy Tool in Windows 7 and Vista. It gives you much smaller files than doing a screen shot with the “prt sc” button on the computer. When I have folks email me a screen shot, the file is often a couple MBs in size when using the traditional print screen. However, if you use the Snippy Tool you can usually get a good resolution of a screen shot with a files size of less than 100 K. Needless to say, it makes for a much smaller file!

However, XP does not have a built-in Snippy Tool and there are still a lot of XP users out there… but a bit of googling found a great alternative. You can get the download and directions for this Snippy Tool here.

Basically you download a file called snippy.exe. You can save it on the desktop, then double click it to put it in the system tray. Right click on this icon and choose settings to adjust them to your preferences. To capture an image, right click on the icon, choose capture, and your cursor will turn into a pencil. Select your image and then click on the tool again and choose “Save As…”

Hope this works as well for you as it does for me. Here’s a picture of the icon….snippy tool

NOTE: This also works well on Server 20xx since the newer servers do not have Snippy Tool without the Desktop Experience.

Local Administrator Account on Vista and Windows 7

When you image a computer with Vista and Windows 7 and sysprep the image, the local administrator account becomes disabled. This can create a problem if the computer is not joined to a domain as you are shutout from access unless you have another account.

To alleviate this problem, before uploading the image with a sysprep:

1. Make another account, give it a password and put it in the local administrators group.

2. Test the account to make sure it works.

3. Upload the image with your imaging tool of choice and sysprep

4. If for some reason, you forgot to do this, you can use a utility to enable the local administrator account and blank out the password. The one I use is “Offline NT Password and Registry Editor.”  Directions and downloads can be found here.

Default User Profiles in XP

One of the things I work with quite often is assisting clients in creating images of their workstations/laptops to deploy through Altiris Deployment Solution.  Most of the work in imaging involves creating the “perfect” image to deploy. Once all the updates, software, etc. is installed, you probably want to have a profile that all users get on their initial logon. This is referred to as the “Default User Profile,” and in XP it is usually located at C:\Documents and Settings\Default User. If a user has not logged onto the computer before, it will take initial settings from this folder unless other arrangements have been made on your network.

The steps that I use to accomplish this are as follows:

  • Add all your extra software to the workstation that all users will use. Some items we generally add are Office, Quicktime, Real Player or an alternative, a free PDF creator, Adobe Reader, Shockwave, Flash, and additional web browsers if desired.
  • Create a user in Active Directory in an OU (Organizational Unit) that has no Group Policies applied to it other than what you have at the top domain level (which are hopefully few).
  • Logon to this base machine with the domain administrator account. Add the above created user to the Local Administrators Group. Do this by:
    • Right click “My Computer” and select “Manage.”
    • In the left pane, expand the “Local Users and Groups,” and then click on “Groups.”
    • In the right pane, double-click on “Administrators.”
    • Click on the “Add..” button and the bottom. Below is a picture that should give you an idea of what you need to look for. It is a screenshot from Windows 7 computer, but most of the info is the same.

      Add user to local administrators group

    • After you click on “Add…” a dialog box appears where you can type in the username you want to add to the Administrators group. Note that the  “From this location:” box at the top should show your domain name.
  • Now log off the computer and  then logon with the newly created account. It will create a base profile with the original Default User Profile that is on the computer.
  • Make changes and adjustments to how you want the profile to be for your users. Keep it basic as adding things like mapped drivers, printers, links etc. can be accomplished with Group Policies and logon scripts.  Some recommendations:
    • Go to Control Panel and make adjustments in the Power Settings. You may need to change the Control Panel View to Classic Settings to get this applet.
    • Configure wallpaper/background. I like to set it to “None” and add wallpaper through Group Policies.
    • Set an initial Home Page in Internet Explorer. This can be accomplished with Group Policies, but then it cannot be changed, so if you want your users to have the option to change, you may want to set the homepage initially.
    • Set task bar to “Quick Launch” and add shortcuts you wish here. You will need to unlock the taskbar, extend the range and lock it again so several shortcuts can be added. Many of the clients I work with like to add the Office Program shortcuts such as Word, Excel, and Powerpoint.
  • Reboot the computer and logon as the Domain Admin.
  • Make sure the option to show hidden files is enabled.
    • Double-click on “My Computer” and then select “Tools” from the menu bar and then “Folder Options….”
    • Click on the “View” tab and select the option to “Show Hidden Files and Folders.”
  • Next we will copy the profile of the user you configured to the Default User folder.
    • Right click on “My Computer” and select “Properties.” Click on the “Advanced” tab and then on the “Settings” button under “User Profiles.”

      Click on "Settings" under "User Profiles"

    • In the “User Profiles” box, click on the profile for the user you configured as noted above and then click on the “Copy To…” button.

      Click on profile you configured and then "Copy To.."

      In the “Copy To” box, click on “Browse” button and navigate to C:\Documents and Settings\Default User.” (Note that if you did not enable the option to show hidden files and folders as noted above, this folder will not be visible). Next click on the “Change” button under “Permitted to Use.” Type in “Everyone.” This is done so all users logging on for the first time will be able to use the Default User profile.

      Next click on “OK.” A warning will appear about copying over the profile. Click on “Yes/OK” and proceed to complete the copy.

      You may now proceed to upload your image. All users should get this new profile.

      A few items to note when creating images that I have encountered:

      * Make sure the Default User has no additional Group Policies on the OU it is in.

      *Make sure the computer you are using is not in an OU with additional Group Policies. Put it in the generic “Computers” folder in Active Directory Users and Computers (ADUC).

      * Do NOT EDIT the Default Domain and the Default Domain Controller Policies. If something needs to be changed, make a new policy and move it up in the list so it is applied last. This could be a post of its own, but I have run into issues in imaging when changes have been made here that affect all users/computers, so am mentioning it as a reminder.

      * There are other ways of handling the Default User, but this has worked for me. Some additional info can be found in the links below:

      Petri IT Knowledgebase

      Microsoft Support – Customize Default Profile

      *Windows 7 and Vista profiles are configured differently and will be another post.

How to Configure Altiris Deployment Job to Upload a Windows 7 Image

Altiris Deployment Solution 6.9 SP4 is primarily used to deploy images and software in the K12 schools we work with. Since Windows 7 is just beginning to be deployed, and there are some differences in uploading an image with this program, I put together some directions on this as a reminder.

1. This assumes your computer is ready to upload for imaging… updates, software installed etc. (If you are using Symantec Endpoint Protection in the image, please remove the Hardware-ID registry entry).

2. Open the Altiris Deployment Console and right lick on a folder used to create images (Usually I name it “Create Images”) and choose “New Job..”

3. Give the Job a meaningful name and make sure it is highlighted. Then in the far right hand pane, click on the command button named “Add” and choose “Create Disk Image.”

create-disk-image

Choose "Create Disk Image..."

4. In the screen that results from the above choice, fill it in as noted below.

a. Choose the place to upload the image. Please make a folder for each new image.

b. Because this is Windows 7, make sure you choose the option “Prepared Using Sysprep.”

c. Choose the Operation System, in this case Windows 7 Professional.

d. Choose to “USE EXISTING KEY.”

e. Choose to use WinPE (Auto-Select) as the imaging

use-exisiting-key

Make sure you configure for sysprep before uploading

5. Once the job is configured, you can drag the computer down to the job in the Deployment Console. If PXE is not the first boot option, you will need to press F12 or ESC to access the boot menu on the computer.

6. Please note that the computer needs to run the sysprep.exe file before it reboots to upload the image. This may take several minutes… you NEED TO STAY AROUND to hit the F12 button if you do not have PXE enabled as the first boot device.  If you sysprep an image too many times (more than 3), you will need to rebuild the image again.

Adding Drivers to WinPE PXE Files in Altiris Deployment Solution

Have had a lot of questions lately on adding NIC drivers to an Altiris WinPE PXE image. There are probably a couple ways of doing this, but here’s what works for me.

  • First, you need to download drivers from the vendor’s website if you don’t have them. Make sure you download the Vista drivers. In most installs this would be the 32-bit driver.
  • Extract these drivers to a folder on your Altiris server.
  • If you have downloaded an Intel driver it is probably in an executable named PROWin32.exe or something similar. If you double click on this, it will try and install the drivers on your server, which you do not want to happen. To extract them, do the following:
    • Copy the PROWin32.exe to the root of the C:\ Drive.
    • Make a folder on this drive — I named mine Intel-NIC.
    • Open a command prompt and cd\ to the C:\ drive.
    • Type “PROWin32.exe /s /e /f C:\Intel-NIC”  (without the quotes). This will extract the files into the Intel-NIC folder that you will navigate to later.
  • Once you have drivers downloaded, open up the Altiris deployment console.
  • Click on the “PXE Configuration” icon located in the upper right part of the window.
  • Next click on “WinPE Managed” and then the “Edit” button.
  • In the “Edit Shared Menu Option” screen, click on “Edit” button.In the “Boot Disk Creator” window, click on the “Edit” button at bottom of screen.In the “Boot Disk Creator – Create Configuration” window, click on “Next.”

    In the “Boot Disk Creator – Create Windows PE Configuration” window, deselect the “Auto-detect all Device Drivers” check box and then click on the “Have Disk…” command button.

    In the “Add WinPE Hardware Device Drivers” window, click on “Browse” to navigate to the folder where the extracted drivers are located. You will want to locate an *.inf file to upload. Each driver is a bit different, so you may need to navigate to a couple different folders to get the drivers you need.

    Once you locate the *.inf file, you will be presented with a window that lists the drivers that will be installed. Click “OK” to begin the process.

    Select the “Auto-Detect Device Drivers” checkbox again if it was deselected and keep selecting “Next” taking the defaults until you start to build the pxe files. There will be several screens to click through. The final screen building the pxe image again is noted below. This will take several minutes to complete, so be patient and get a cup of coffee.

    That should do it and your WinPE should be good to go.



Message Size Limits in Exchange 2007

The message size limit in Exchange 2007 is around the 10 MB limit and for some folks, that just doesn’t cut it. Here’s a link to change it..

Exchangepedia’s post on controlling message size.

Outlook Web Access (OWA) has to be adjusted also if you are using this for large attachments. Couple links that outline this:

Microsoft Technet article

Microsoft Exchange Team Blog

Of course, need to add my 2 cents on this….

  • If you increase your message size, the sending person’s mail server may not allow for these larger attachment sizes, so this needs to be taken into consideration.
  • There are other ways of dealing with large attachment sizes – such as an FTP site or use some of the free ftp sending sites, such as You Send It that work quite well.
  • Check your attachment file – is there something you can do to make it smaller? For instance..
  1. Photos are generally by default fairly large and if you send several, the attachment size adds up. There are programs to resize these quickly (one I like is Irfanview – a freebie). Your photo editing software probably has a means of changing size also.
  2. PDFs – Had an instance where the user was trying to send 30 MB PDF files that he had generated from a pdf creator plugin with an application. We ran this through PrimoPDF to create a MUCH smaller file of 1 MB and did not appear to lose anything that the recipient needed.
  3. Word documents with images – Word docs often have screen prints of bitmap/BMP files. These can get huge if there are too many of them. With Vista and Windows 7, the snippy tool will create a small image… save it as a jpg or png file. If you have XP, you can use the free Snippy Tool.