Exchange 2007 Upgrade

This is step-by-step documentation of the Exchange 2007 upgrade (or migration) from Exchange 2000 to Exchange 2007.

Current Exchange Setup:
     1 Windows 2000 Domain Controller
     1 Windows 2003 Domain Controller
     1 Exchange 2000 Server (installed on the W2k DC)

February 15, 2008 Friday
New Exchange Server is in. Winston, one of his friends and I had it rack mounted in about 5 minutes. Winston had to leave, so I stayed to finish setting up the cables, etc.

Server Specs:
Dell PowerEdge 2950 III
2 x Quad Core Xeon Processors, 3.0 Ghz
8 GB RAM (4 x 2GB sticks)
8 x 73GB 15 RPM Serial-Attached SCSI 3Gbps 2.5-in HotPlug Hard Drives
Perc6i SAS RAID Controller, 2×4 Connectors, Int, PCIe, 256MB cache, x8 Bkpl
1.44MB Floppy Drive
24x IDE CD-RW/DVD ROM Drive
Integrated SAS/SATA RAID 1/ RAID 5, PERC 6/i Integrated
Redundant Power Supply

Once I got the KVM, Network and Power Cables plugged in, I booted the system to check it out. I ordered the system without an OS because non-profit for Win 2003 Server is much less than OEM & retail. I first logged into the RAID Bios. It had 2 drives in a RAID 1 and the rest (6 drives) in a RAID 5. I deleted the RAID 5 array, then recreated another 2 drives in a RAID 1 and the final 4 drives in a RAID 5. Final outcome is RAID 1 for the OS, RAID 1 for the Exchange Logs, and RAID 5 for the Exchange Database.

February 16, 2008 Saturday
During the first service (Sat night) I came up and installed Windows 2003 Server x64 on the new exchange server. Once the OS was installed, I proceeded to download all the windows updates until the OS was completely updated. Went to second service for Praise and Worship.

February 18, 2006 Monday
Monday night we had an IT – Network Support Team meeting. At this meeting, we had to perform the following:

  • Move the 5 FSMO roles from the Windows 2000 Domain Controller to the Windows 2003 Domain Controller. This was a very simple, straightforward process documented at:

    http://technet2.microsoft.com/windowsserver/en/library/99f53498-ce25-4ab4-b476-7aa6e1997d641033.mspx?mfr=true

  • Join new Exchange 2007 to the domain.
  • Install IIS, including: Enable Network COM+ Access, and IIS (in the details of IIS select IIS Manager, Common Files, WWW Services).
  • We then had to prepare Exchange 2000 Permissions. We did this by placing the Exchange 2007 Server disk in the new exchange server, go to the command prompt, cd d:, and run  Setup /PrepareLegacyExchangePermissions. This command completed successfully.
  • Our next step was to Extend the Active Directory Schema. This is done by going to the command prompt, cd d:, and run  Setup /PrepareSchema

  • Next would be:  Setup /PrepareAD

  • And finally:  Setup /PrepareDomain

  • Once these are run, we would run the prerequisites from the Exchange 2007 CD: Steps 1, 2, 3. On our system, since we had the Windows Update patches up-to-date, steps 1 & 2 were already installed.

Everything seemed to be going well up to the Setup /PrepareSchema part. Once we ran this command, we got an error message:

Setup encountered a problem while validating the state of Active Directory: Domain Controller ‘mail.scc.com’ Operating System Version is 5.0 <2195> Service Pack 4. The minimum version required is 5.2 <3790> Service Pack 1

I noticed that it’s looking at mail.scc.com, which is our 2000 DC, the one we just moved the 5 FSMO roles from. I tried to ping scc.com and sure enough, it resolved mail.scc.com’s IP. I went to my workstation and my workstation, however, was resolving the 2003 domain controller, Fiserv.scc.com. I thought maybe the mail server just needed to be rebooted so I rebooted the mail server. While it was rebooting, I went back to the new exchange server and when I pinged scc.com, this time it resolved Fiserv.scc.com’s IP address (yeah!). I proceeded to run the Setup /PrepareSchema command and this completed successfully this time. I thought, Great! And stopped here for the day.

February 19, 2008 Tuesday
No sooner from crawling out of the bed did I have my laptop up and running and logged into the network. I logged into the new exchange server and pinged scc.com, it resolved mail.scc.com’s IP address… NO! I proceeded to remember how to change the lmhosts.sam file to put Fiserv.scc.com’s IP address and scc.com. Once I did this, I pinged scc.com and it resolved Fiserv.scc.com. Yeah! Back to the command prompt to run Setup /PrepareAD. I get the same error message above stating OS Version is 5.0. NO!!! So I hit Google to begin researching the issue. I found a link that said to run the /domaincontroller:ServerName and this will direct it to the correct server. Sure enough…


When I added the /domaincontroller:ServerName switch, it completed successfully.

Now, it’s time for the installation of Exchange 2007. If I am unable to install Exchange from the GUI interface that appears with the AutoRun, I may have to run the “unattended installation” from the command prompt so I can include the /domaincontroller:ServerName switch.

3:00pm – Tuesday I’ve done the research and sure enough, due to our network having a Windows 2000 Domain Controller, we are required to run the install from a command line. I’ve done the research and found the switches that I need to run the setup from a command line. Here’s the command line I’m using:

Setup /mode:install /roles:ca, ht, mb, mt /enablelegacyoutlook /legacyroutingserver:mail.scc.com /domaincontroller:Fiserv.scc.com

Here we go!

OK, so we started the upgrade and all was going well until the setup failed due to an Access Denied to the DVD Drive????


I started the setup again and had to end up taking out the MT under the /roles switch, because it had already installed the MT (Exchange Management Tools). I also had to take out the /legacyroutingserver because it could only use this once (notice it failed during the Hub Transport installation). After starting the install again, this time it completed successfully.


Great. So now I can open the Exchange Management Tools and I see all the mailboxes that are located on the Exchange 2000 Server. Yeah! Time to move a mailbox.

I haven’t received my Backup Exec 11d software yet, so I can’t back up the new exchange server until I get the software (hopefully end of this week or early next week). Having said this, I will not move everyone over until I am able to back up Exchange 2007, of course. I will, however, move my mailbox :). While my mailbox is still on Exchange 2000, I’ve exported it to a PST file on my desktop called BACKUPdate. Now at least I have a backup I can restore should something go wrong between now and the time I get my backup software.

March 14, 2008

OK, so I didn’t keep up with the detailed installation logs after we ran into a few other problems. Now I will give a detailed “recap” of what has happened up to today.

The night I completed the setup, I moved my mailbox over successfully. I wasn’t able to send/receive e-mail though. My outlook detected the new server and reconfigured itself, but no mail flow. I’m guessing that because the installation failed during the HT role initially, it didn’t complete the receive and send connectors. On top of that, I noticed about 10:00pm that my production server was offline. I checked the server and the information store was stopped. Long story short with the production server, I spent about 3 ½ hours on the phone with Microsoft until we got my production server’s Information Store to start and stay started. This wasn’t due to the Exchange 2007 upgrade, however. It just happened to do this during the upgrade.

So once we got my production server back up and running, they transferred me to an Exchange 2007 technician and after another hour and a half, we had mail flow going! At that point, we had not received our Backup Exec, so I was the only one on the server for several days.

Since I was on the server, I started looking into OWA and Exchange Active Sync. With Exchange 2007, you use one SSL Certificate for both OWA and Exchange ActiveSync (as well as Autodiscover if you are going to use that). You need to purchase a Unified Communications SAN Certificate. This will allow for your internal domain and external domain to be on the same certificate using the SAN (Subject Alternative Name). Our problem is that we are the registered owners of our external domain, savannahchristian.com. We are not, however, the registered owner of our Private Internal Active Directory Domain, scc.com (short for Savannah Christian Church). Though this hasn’t been a problem for the 5 plus years this domain has been in place, now it has become a problem. Why? Well, if you are not a registered owner of your internal domain, then you can’t find any Third Party Certificate Authority to put that name on the Certificate for you. If we were only talking about OWA, it wouldn’t be that big of a deal. Not many people use OWA in-house. The problem is that Office 2007 does care if that internal domain name is on the certificate and if it is not, you will get a message stating that the certificate is not trusted and you have to click Yes to continue, twice. This happens every time you open Outlook 2007.

So the question was how to get my internal domain name on my SSL Cert. There were a couple options:

  1. Rebuild the domain to either savannahchristian.com or a domain name that I can purchase. The problem with this is we have over 10 servers, and over 140 computers on our network. This would mean rebuilding the whole network, including recreating each profile under the new domain (since the domain name is different, when the user logs in it will create a different profile). This was not an option that we wanted to take.
  2. Build an internal Certificate Authority Server and create my own SAN Certificate.

We opted to go with number 2. After a quick install of a new Virtual Server, I proceeded to install the Certificate Servers (add/remove programs, windows components). I used the CSR that I created from Exchange and was able to make my own SAN Cert that included my internal and external domain. This worked great. After importing this cert into Exchange, the errors went away in Outlook 2007. I tried OWA and now I was getting a “Trusted Root Certificate” message. I went back into my CA server and grabbed the root certificate. I added the root cert to each computer’s trusted roots folder via AD Group Policy. That worked great. I also had to install the trusted root certificate along with the SAN certificate into each Windows Mobile device. All is working well.
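
The name coverage problem described above, as an added example that is not from the original post: given a certificate's SAN entries and the names clients actually connect to, it lists the names left uncovered. All hostnames are constructed placeholders, and the wildcard rule used (left-most label only, exactly one label) is an assumption about client matching behaviour.

```python
"""Which of the names clients connect to are covered by a certificate's SAN list."""


def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def san_matches(san, host):
    """True if a single SAN dNSName entry covers host.

    A wildcard counts only as the whole left-most label and stands for
    exactly one label: *.example.org covers owa.example.org but not
    example.org or a.b.example.org.
    """
    s, h = _labels(san), _labels(host)
    if len(s) != len(h):
        return False
    if s[0] == "*":
        return len(s) > 2 and s[1:] == h[1:]
    return s == h


def uncovered(san_names, client_names):
    """Names clients use that no SAN entry covers (each gives a certificate name warning)."""
    return [n for n in client_names
            if not any(san_matches(s, n) for s in san_names)]


# Constructed sample data; every hostname below is a placeholder.
CLIENT_NAMES = [
    "owa.example.org",           # external OWA / ActiveSync name
    "autodiscover.example.org",  # external Autodiscover name
    "exch07.corp.example",       # internal FQDN Outlook 2007 connects to
    "exch07",                    # internal short name
]
PUBLIC_CA_SANS = ["owa.example.org", "autodiscover.example.org"]
WILDCARD_SANS = ["*.example.org"]
INTERNAL_CA_SANS = PUBLIC_CA_SANS + ["exch07.corp.example", "exch07"]

if __name__ == "__main__":
    for label, sans in [("public CA, external names only", PUBLIC_CA_SANS),
                        ("public CA, wildcard", WILDCARD_SANS),
                        ("internal CA, all names", INTERNAL_CA_SANS)]:
        missing = uncovered(sans, CLIENT_NAMES)
        status = "all names covered" if not missing else "missing " + ", ".join(missing)
        print(f"{label}: {status}")
```

A wildcard for the external domain does not help with the internal names, which is why the certificate request has to list every internal and external name explicitly.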

Now the problem I have is that I cannot “push” the root certificate to our staff’s home computer. When they go to OWA, they see the “trusted root certificate” message that says “Continue. Not recommended”. So I have to figure out how to push the root cert to their computers. I was able to successfully manually add the root cert to my home computer and all is well, but I really don’t want to have to do that. I’d rather it be done automatically. Any ideas?

I got my Backup Exec software in. You have to have version 11d in order to back up Exchange 2007 (which is what I ordered). I had to run a few prerequisites on my Backup Exec server including adding the Exchange Management Tools to the Backup Exec server. You will need to install the 32 bit version of Exchange Management Tools (if your Backup server is a 32 bit OS). You’ll also need to be sure they are the same version (i.e., Exchange 2007 Server has SP1, you’ll need to update your Management Tools on your backup server to SP1 as well). Once you have this done, and you have your backup server installed correctly, you’ll be able to back up and restore to the message. This is working great!

Once my backup was installed, I successfully transferred over all of our mailboxes. I also moved my Public Folders.  Microsoft recommends leaving your old server online for at least 2 weeks to allow everyone to open Outlook so it will automatically configure to the new server. I moved my send connectors to send e-mail directly from the Exchange 2007 server, and I configured my Barracuda Spam filter to point directly to the Exchange 2007.

Everything is working great. I’ll give it about another week or so and then I’ll begin the steps to remove your last legacy exchange server. I’ll keep you posted!

UPDATE: April 23, 2008

Today I used the MS Technet Article on “How to Remove the Last Legacy Exchange Server from an Organization”.  There is one section that is very confusing.  Under the “To remove the last Exchange 2003 or Exchange 2000 server…” section, number 5 gives a Command Shell command to run.  They put “dc=<domain>” but it’s actually “dc=<domain>,dc=<ext>”.  I don’t think “ext” (domain extension) is the correct term, but here’s the example:

My domain name is scc.com, so my command shell will look like this:

Remove-ADPermission "dc=scc,dc=com" -user "scc.com\Exchange Servers" -AccessRights WriteDACL -InheritedObjectType Group

If you do not have your “dc” correct, then you will get errors!  Copy and paste the code above and change it to match your domain name. 

Thanks to my good friend and volunteer, John S., for spending the time and research to get through this issue on his own Exchange 2007 Server, and for immediately passing it on to me! (We both did our Exchange 2007 Upgrades/Migration at the same time)  Hope this helps!

Blackberry Professional Server Online!

Update from my earlier post on the VMware Converter…

 After shutting down the Physical EMSWEB server, I successfully brought up the Virtual EMSWEB that I was able to convert from the Physical server using VMware Converter.  Upon booting up for the first time, I installed VM-Tools.  Everything is working great.  I had to disable a sound driver that was giving trouble, and I had to reconfigure the Static IP, but once I did this, I was able to use this server from the network.  No one ever knew that a change took place.

 I gave it most of the week last week to make sure all was working well.  Then, Thursday, I took the physical EMSWEB machine, unplugged the network cable, and turned the machine back on.  I renamed the server, forced it back to workgroup, and reconfigured the Static IP for the server.  Then I plugged the network back in and rejoined the server to the domain as the new Blackberry Professional Server.  I have installed Blackberry Professional Express and it is working great.  If you or anyone on staff is using a Blackberry and you do not have a Blackberry Server, I highly recommend this.  It is very easy to setup and provides the security you need for your Blackberry and your network.  The server includes secured connections from your phone to your network, and the ability to set IT policies, such as require passwords on the phone and enable/disable certain features if needed.  Should the user misplace their phone, you can change the password remotely.  And if they can’t find it long term or it was stolen, you can remotely wipe and disable the phone from the Blackberry Server.  This is a great feature also available with Exchange ActiveSync 2003 and later (we have Blackberry & Windows Mobile Devices).  The Blackberry Server also gives you the ability to not only redirect e-mail, but to synchronize with your Calendar, Contacts and Tasks as well.

 Now that I have my Blackberry configured and working with the new server (which was a free download with one free device CAL), I’ll purchase the licenses for the other 15 or so Blackberrys that we have on our network.  As I said before, this is a great solution if you have 30 or less Blackberrys.  Once you reach 30, you can upgrade to Blackberry Enterprise Server. 

Welcome to the Team, Erik

New to the SCC IT Team… Erik Reagan has accepted the position of Web Developer here at Savannah Christian Church, and will come on board March 26th.  Welcome to the Team, Erik!

VMWare Converter

I haven’t blogged in about a month due to being sick, and then tackling the Exchange 2007 upgrade/migration; detailed step-by-step blog on that coming soon!

What I played with tonight was VMWare Converter.  I have a Dell PowerEdge 1600SC that has dual hyper-thread Xeons with 4 GB RAM.  I currently am running VMware Server on this machine.  I am running two Servers, our Intranet Server and a Certificate Authority Server.  My next project, once we have completed with the Exchange 2007 upgrade, is to implement Blackberry Professional Express… http://na.blackberry.com/eng/services/server/offers/professional_express.jsp.  This is a beginner “Blackberry Enterprise Server”.  It’s a free download with one license to use one blackberry phone, and pay as you grow from there, pay per license to add a phone.  It’s something like $100.00 to add an additional license, I haven’t inquired as to whether or not they have nonprofit pricing yet.  The nice thing about it, from what I understand, is that it’s virtually BES, but capping out at 30 devices max.  Once you hit 30 devices, then you have to upgrade to BES.  Well, we have a mixed Windows Mobile and Blackberry environment, and we have approximately 15 Blackberry users (including myself).  So it makes sense for us to save in cost, and go with the Blackberry Professional Software for now.

So I thought about putting the BPS on a virtual machine.  However, when I read the system requirements, it supports the ESX version of VMWare, but I didn’t see that it supports the free vmware server version.  Although I haven’t looked much more into it, I decided to take a physical server that’s being used as a front end web server for an internal software we have, and convert that server to vmware, and then use the physical server (Dell PowerEdge 1600SC, dual Xeon 2GB RAM) for the new BPS server.

After a quick google search, I found that VMWare has a free download called VMWare Converter that will take a Physical Server and convert it to a virtual server.  Exactly what I needed to take the EMSWEB server (the front end internal web server) to a virtual server.  So I downloaded it, installed it, and converted EMSWEB to a virtual server.  TOO COOL!

Unfortunately, I’m doing this from home, RDP’ed into my network, and I really don’t want to turn off my EMSWEB physical server to test the virtual to see if it’s working okay.  Because if it’s not, then I have to make a trip to the office, and I don’t plan on being back to the office until Monday (it’s 12:40am, Sunday morning).  So I’ll just wait until Monday to see how it worked.  If all goes well, I’ll just take the physical EMSWEB off the network, bring it  back to a work-group, rename it, uninstall the EMSWEB apps, and bring it back on the domain as the new BPS Server.  I’ll let you know how it goes!

As I said in the beginning of this post, I have a detailed step-by-step account of our upgrade from Exchange 2000 to Exchange 2007 that I will be working on completing this week and hopefully will have it posted on-line towards the end of the week.  Have a blessed week everyone!