Exchange 2007

Wow.  I took our Exchange 2007 Server from 8GB RAM to 16GB RAM on Sunday.  PowerEdge 2950 III, Dual Quad Core Processors, 16GB RAM, Check this out…

That’s awesome!  570MB free, 16GB of RAM  AND  16GB Pagefile being used!

Exchange 2007 – How to Remove the Last Legacy Exchange Server from an Organization

UPDATE: April 23, 2008

Today I used the MS Technet Article on “How to Remove the Last Legacy Exchange Server from an Organization”.  There is one section that is very confusing.  Under the “To remove the last Exchange 2003 or Exchange 2000 server…” section, number 5 gives a Command Shell command to run.  They put “dc=<domain>” but it’s actually “dc=<domain>,dc=<ext>”.  I don’t think “ext” (domain extension) is the correct term, but here’s the example:

My domain name is scc.com, so my command shell will look like this:

Remove-ADPermission "dc=scc,dc=com" -User "scc.com\Exchange Servers" -AccessRights WriteDACL -InheritedObjectType Group

If you do not have your “dc” correct, then you will get errors!  Copy and paste the code above and change it to match your domain name. 
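Added example (not from the TechNet article or this post): read the domain's distinguished name from RootDSE instead of typing dc=…,dc=… by hand, and look at the ACE before removing it. It assumes the Exchange 2007 Management Shell and the scc.com domain and "Exchange Servers" group named above.

```powershell
# Added example: derive the domain DN rather than hand-typing "dc=scc,dc=com".
# Run in the Exchange 2007 Management Shell; group name follows the post.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = [string]$rootDse.defaultNamingContext   # e.g. "DC=scc,DC=com"
$group    = "scc.com\Exchange Servers"

Write-Host "Domain DN: $domainDn"

# Inspect the inherited WriteDACL permission before touching it, so a mistyped
# DN or group name shows up as "nothing found" rather than as a failed removal.
$aces = Get-ADPermission -Identity $domainDn -User $group |
    Where-Object { ($_.AccessRights -join ",") -match "WriteDacl" -and
                   "$($_.InheritedObjectType)" -eq "Group" }

if (-not $aces) {
    Write-Host "No matching WriteDACL ACE for $group on $domainDn; nothing to remove."
} else {
    $aces | Format-List Identity, User, AccessRights, InheritedObjectType, IsInherited
    # -WhatIf only reports what would be removed; drop it to perform the removal.
    Remove-ADPermission -Identity $domainDn -User $group `
        -AccessRights WriteDACL -InheritedObjectType Group -WhatIf
}
```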

Thanks to my good friend and volunteer, John S., for spending the time and research to get through this issue on his own Exchange 2007 Server, and for immediately passing it on to me! (We both did our Exchange 2007 Upgrades/Migration at the same time)  Hope this helps!

Exchange 2007 Upgrade

This is step-by-step documentation of the Exchange 2007 upgrade (or migration) from Exchange 2000 to Exchange 2007.

Current Exchange Setup:
     1 Windows 2000 Domain Controller
     1 Windows 2003 Domain Controller
     1 Exchange 2000 Server (installed on the W2k DC)

February 15, 2008 Friday
New Exchange Server is in. Winston, one of his friends, and I had it rack mounted in about 5 minutes. Winston had to leave, so I stayed to finish setting up the cables, etc.

Server Specs:
Dell PowerEdge 2950 III
2 x Quad Core Xeon Processors, 3.0 Ghz
8 GB RAM (4 x 2GB sticks)
8 x 73GB 15 RPM Serial-Attached SCSI 3Gbps 2.5-in HotPlug Hard Drives
Perc6i SAS RAID Controller, 2×4 Connectors, Int, PCIe, 256MB cache, x8 Bkpl
1.44MB Floppy Drive
24x IDE CD-RW/DVD ROM Drive
Integrated SAS/SATA RAID 1/ RAID 5, PERC 6/i Integrated
Redundant Power Supply

Once I got the KVM, Network and Power Cables plugged in, I booted the system to check it out. I ordered the system without an OS because non-profit pricing for Win 2003 Server is much less than OEM & retail. I first logged into the RAID BIOS. It had 2 drives in a RAID 1 and the rest (6 drives) in a RAID 5. I deleted the RAID 5 array, then recreated another 2 drives in a RAID 1 and the final 4 drives in a RAID 5. Final outcome is RAID 1 for the OS, RAID 1 for the Exchange Logs, and RAID 5 for the Exchange Database.

February 16, 2008 Saturday
During the first service (Sat night) I came up and installed Windows 2003 Server x64 on the new exchange server. Once the OS was installed, I proceeded to download all the windows updates until the OS was completely updated. Went to second service for Praise and Worship.

February 18, 2006 Monday
Monday night we had an IT – Network Support Team meeting. At this meeting, we had to perform the following:

  • Move the 5 FSMO roles from the Windows 2000 Domain Controller to the Windows 2003 Domain Controller. This was a very simple, straightforward process, documented at:

    http://technet2.microsoft.com/windowsserver/en/library/99f53498-ce25-4ab4-b476-7aa6e1997d641033.mspx?mfr=true

  • Join new Exchange 2007 to the domain.
  • Install IIS, including: Enable Network COM+ Access, and IIS (in the details of IIS select IIS Manager, Common Files, WWW Services).
  • We then had to prepare Exchange 2000 permissions. We did this by placing the Exchange 2007 Server disc in the new Exchange server, going to the command prompt, running cd d:, and then Setup /PrepareLegacyExchangePermissions. This command completed successfully.
  • Our next step was to extend the Active Directory schema. This is done by going to the command prompt, running cd d:, and then Setup /PrepareSchema
  • Next would be: Setup /PrepareAD
  • And finally: Setup /PrepareDomain
  • Once these are run, we would run the prerequisites from the Exchange 2007 CD: Steps 1, 2, 3. On our system, since we had the Windows Update patches up-to-date, steps 1 & 2 were already installed.

Everything seemed to be going well up to the Setup /PrepareSchema part. Once we ran this command, we got an error message:

Setup encountered a problem while validating the state of Active Directory: Domain Controller ‘mail.scc.com’ Operating System Version is 5.0 <2195> Service Pack 4. The minimum version required is 5.2 <3790> Service Pack 1

I noticed that it’s looking at mail.scc.com, which is our 2000 DC, the one we just moved the 5 FSMO roles from. I tried to ping scc.com and sure enough, it resolved mail.scc.com’s IP. I went to my workstation; my workstation, however, was resolving the 2003 domain controller, Fiserv.scc.com. I thought maybe the mail server just needed to be rebooted, so I rebooted the mail server. While it was rebooting, I went back to the new Exchange server and when I pinged scc.com, this time it resolved Fiserv.scc.com’s IP address (yeah!). I proceeded to run the Setup /PrepareSchema command and it completed successfully this time. I thought, Great! And stopped here for the day.

February 19, 2008 Tuesday
No sooner had I crawled out of bed than I had my laptop up and running and logged into the network. I logged into the new Exchange server and pinged scc.com; it resolved mail.scc.com’s IP address… NO! I proceeded to remember how to change the lmhosts.sam file to put in Fiserv.scc.com’s IP address and scc.com. Once I did this, I pinged scc.com and it resolved Fiserv.scc.com. Yeah! Back to the command prompt to run Setup /PrepareAD. I get the same error message as above stating OS Version is 5.0. NO!!! So I hit Google to begin researching the issue. I found a link that said to run with the /domaincontroller:ServerName switch and this will direct it to the correct server. Sure enough…


When I added the /domaincontroller:ServerName switch, it completed successfully.

Now, it’s time for the installation of Exchange 2007. If I am unable to install Exchange from the GUI interface that appears with the AutoRun, I may have to run the “unattended installation” from the command prompt so I can include the /domaincontroller:ServerName switch.

3:00pm – Tuesday I’ve done the research and sure enough, due to our network having a Windows 2000 Domain Controller, we are required to run the install from a command line. I’ve done the research and found the switches that I need to run the setup from a command line. Here’s the command line I’m using:

Setup /mode:install /roles:ca,ht,mb,mt /enablelegacyoutlook /legacyroutingserver:mail.scc.com /domaincontroller:Fiserv.scc.com

Here we go!

OK, so we started the upgrade and all was going well until the setup failed due to an Access Denied to the DVD Drive????


I started the setup again and had to end up taking out the MT under the /roles switch, because it had already installed the MT (Exchange Management Tools). I also had to take out the /legacyroutingserver because it could only use this once (notice it failed during the Hub Transport installation). After starting the install again, this time it completed successfully.


Great. So now I can open the Exchange Management Tools and I see all the mailboxes that are located on the Exchange 2000 Server. Yeah! Time to move a mailbox.

I haven’t received my Backup Exec 11d software yet, so I can’t back up the new Exchange server until I get the software (hopefully end of this week or early next week). Having said this, I will not move everyone over until I am able to back up Exchange 2007, of course. I will, however, move my mailbox. While my mailbox is still on Exchange 2000, I’ve exported it to a PST file on my desktop called BACKUPdate. Now at least I have a backup I can restore should something go wrong between now and the time I get my backup software.

March 14, 2008

OK, so I didn’t keep up with the detailed installation logs after we ran into a few other problems. Now I will give a detailed “recap” of what has happened up to today.

The night I completed the setup, I moved my mailbox over successfully. I wasn’t able to send/receive e-mail though. My outlook detected the new server and reconfigured itself, but no mail flow. I’m guessing that because the installation failed during the HT role initially, it didn’t complete the receive and send connectors. On top of that, I noticed about 10:00pm that my production server was offline. I checked the server and the information store was stopped. Long story short with the production server, I spent about 3 ½ hours on the phone with Microsoft until we got my production server’s Information Store to start and stay started. This wasn’t due to the Exchange 2007 upgrade, however. It just happened to do this during the upgrade.

So once we got my production server back up and running, they transferred me to an Exchange 2007 technician and after another hour and a half, we had mail flow going! At that point, we had not received our Backup Exec, so I was the only one on the server for several days.

Since I was on the server, I started looking into OWA and Exchange ActiveSync. With Exchange 2007, you use one SSL Certificate for both OWA and Exchange ActiveSync (as well as Autodiscover if you are going to use that). You need to purchase a Unified Communications SAN Certificate. This will allow for your internal domain and external domain to be on the same certificate using the SAN (Subject Alternative Name). Our problem is that we are the registered owners of our external domain, savannahchristian.com. We are not, however, the registered owner of our Private Internal Active Directory Domain, scc.com (short for Savannah Christian Church). Though this hasn’t been a problem for the 5 plus years this domain has been in place, now it has become a problem. Why? Well, if you are not a registered owner of your internal domain, then you can’t find any Third Party Certificate Authority to put that name on the Certificate for you. If we were only talking about OWA, it wouldn’t be that big of a deal. Not many people use OWA in-house. The problem is that Office 2007 does care if that internal domain name is on the certificate and if it is not, you will get a message stating that the certificate is not trusted and you have to click Yes to continue, twice. This happens every time you open Outlook 2007.

So the question was how to get my internal domain name on my SSL Cert. There were a couple options:

  1. Rebuild the domain to either savannahchristian.com or a domain name that I can purchase. The problem with this is we have over 10 servers, and over 140 computers on our network. This would mean rebuilding the whole network, including recreating each profile under the new domain (since the domain name is different, when the user logs in it will create a different profile). This was not an option that we wanted to take.
  2. Build an internal Certificate Authority Server and create my own SAN Certificate.

We opted to go with number 2. After a quick install of a new Virtual Server, I proceeded to install Certificate Services (Add/Remove Programs, Windows Components). I used the CSR that I created from Exchange and was able to make my own SAN Cert that included my internal and external domain. This worked great. After importing this cert into Exchange, the errors went away in Outlook 2007. I tried OWA and now I was getting a “Trusted Root Certificate” message. I went back into my CA server and grabbed the root certificate. I added the root cert to each computer’s Trusted Root folder via AD Group Policy. That worked great. I also had to install the trusted root certificate along with the SAN certificate into each Windows Mobile device. All is working well.
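Added example, not the author's own steps: an Exchange 2007 Management Shell request that puts both the internal AD name and the public name in the SAN list, then a check of which client-facing names the certificate bound to IIS actually carries. The host names and file paths are assumptions modelled on the post's two domains.

```powershell
# Added example: request a SAN certificate covering both the internal AD domain
# (scc.com) and the public domain (savannahchristian.com), then verify the
# certificate enabled for IIS carries every name clients will connect to.
# Host names and paths below are assumed for illustration.
$names = @(
    "mail.scc.com",                          # internal FQDN Outlook 2007 uses
    "scc.com",
    "mail.savannahchristian.com",            # external OWA / ActiveSync name
    "autodiscover.savannahchristian.com"
)

# Step 1: generate the request and submit C:\exchange-san.req to the internal CA.
New-ExchangeCertificate -GenerateRequest -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName "cn=mail.savannahchristian.com" -DomainName $names -Path "C:\exchange-san.req"

# Step 2 (once the CA has issued the cert): import it and bind it to IIS and SMTP.
# $cert = Import-ExchangeCertificate -Path "C:\exchange-san.cer"
# Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP"

# Step 3: check the IIS certificate for missing names. A name that is absent
# from CertificateDomains is exactly what triggers the Outlook 2007 warning.
$iisCert = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match "IIS" } | Select-Object -First 1
$missing = $names | Where-Object { $iisCert.CertificateDomains -notcontains $_ }
if ($missing) {
    Write-Warning ("Names not on the IIS certificate: " + ($missing -join ", "))
} else {
    Write-Host "All client-facing names are on certificate $($iisCert.Thumbprint)."
}
```

Clients still need the internal CA's root certificate in their Trusted Root store, which is the Group Policy step described above.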

Now the problem I have is that I cannot “push” the root certificate to our staff’s home computer. When they go to OWA, they see the “trusted root certificate” message that says “Continue. Not recommended”. So I have to figure out how to push the root cert to their computers. I was able to successfully manually add the root cert to my home computer and all is well, but I really don’t want to have to do that. I’d rather it be done automatically. Any ideas?

I got my Backup Exec software in. You have to have version 11d in order to back up Exchange 2007 (which is what I ordered). I had to run a few prerequisites on my Backup Exec server, including adding the Exchange Management Tools to the Backup Exec server. You will need to install the 32-bit version of Exchange Management Tools (if your backup server is a 32-bit OS). You’ll also need to be sure they are the same version (i.e., if Exchange 2007 Server has SP1, you’ll need to update your Management Tools on your backup server to SP1 as well). Once you have this done, and you have your backup server installed correctly, you’ll be able to back up and restore down to the message level. This is working great!

Once my backup was installed, I successfully transferred over all of our mailboxes. I also moved my Public Folders. Microsoft recommends leaving your old server online for at least 2 weeks to allow everyone to open Outlook so it will automatically configure to the new server. I moved my send connectors to send e-mail directly from the Exchange 2007 server, and I configured my Barracuda Spam Filter to point directly to the Exchange 2007 server.

Everything is working great. I’ll give it about another week or so and then I’ll begin the steps to remove our last legacy Exchange server. I’ll keep you posted!


Exchange Server 2000 Limitations…

I am really looking forward to going to Exchange 2007 this year.  We are currently on Exchange 2000.  Tonight, I had to take the server offline (the MS Exchange Services) and perform an offline defrag because we are riding the 16 GB limit… again.  I understand that with Exchange 2003 and later, the limit has been raised to at least 75 GB, unless you go with Enterprise which is unlimited.  Anyone made the move to Exchange 2007 yet?

 Here’s what I’m doing tonight…

Exchange 2000 Defrag

One Year with the Barracuda Spam Firewall 300

So the end of this month marks one year that we have had the Barracuda Spam Firewall 300 and we love it!  We’ve all been in the boat, you may be in it now, where you are being told and forwarded e-mails daily about the spam that your church’s staff members are receiving.  Pharmaceuticals, Viagra, or V~ag ra, etc…  What do we do? 

This is the question I was faced with several times last year.  Sure, we use Trend Micro Client/Server/Messaging which has a spam filter/blocker built in to it; and this was my answer to the problem for a while, “We have a spam filter in place and we are doing what we can to block it.”,  but it was just not doing the job.  Before I came to work at the church, I worked for The Savannah Bancorp, Inc., holding company for The Savannah Bank, Bryan Bank & Trust, and Harbourside Mortgage here in Savannah, Georgia, and Hilton Head, South Carolina.  I still keep in contact with my old boss, Terry, who is the VP of Information Technology at the Bank/Holding Company.  I asked him what they were using and he told me the Barracuda Spam Firewall.  He said he tried other solutions, but this was the best he had found.  So I did some research and liked what I was seeing.  Even better, Barracuda has a 30 day trial with a no questions asked, if you don’t like it, just send it back.  So, I went through the pre-approval procedures that we have set in place to purchase a big ticket item, and then ordered the trial.

Here’s our results after one year:

E-mail Stats

Click the image above. Yes, you are reading correctly. Out of 4,601,301 total e-mails received this year, 4,311,654 were completely blocked as definite spam. 6,382 were blocked because they contained a virus. And so on. This is a hardware appliance we are talking about, so all this is being done before an e-mail even reaches our Exchange Server (see the load we took off of our Exchange server, and the potential risk that was blocked). Needless to say, I very rarely get complaints (possibly less than a handful for the year) of spam any longer. Pretty cool…

When we first got the Barracuda, it was blocking anywhere between 22,000 – 25,000 e-mails per day.  Over the course of the year, this number dropped to blocking 10,000 – 13,000 e-mails per day on average.

Here’s a screen shot from today…

Daily Stats

In my next post, I’ll go into detail about what is a Barracuda Spam Firewall, how it works, and why we like it so much.