Exchange 2007 Upgrade


This is step-by-step documentation of the Exchange 2007 upgrade (or migration) from Exchange 2000 to Exchange 2007.

Current Exchange Setup:
     1 Windows 2000 Domain Controller
     1 Windows 2003 Domain Controller
     1 Exchange 2000 Server (installed on the W2k DC)

February 15, 2008 Friday
New Exchange Server is in. Winston, one of his friends and I had it rack mounted in about 5 minutes. Winston had to leave, so I stayed to finish setting up the cables, etc.

Server Specs:
Dell PowerEdge 2950 III
2 x Quad Core Xeon Processors, 3.0 GHz
8 GB RAM (4 x 2GB sticks)
8 x 73GB 15 RPM Serial-Attached SCSI 3Gbps 2.5-in HotPlug Hard Drives
Perc6i SAS RAID Controller, 2×4 Connectors, Int, PCIe, 256MB cache, x8 Bkpl
1.44MB Floppy Drive
Integrated SAS/SATA RAID 1/ RAID 5, PERC 6/i Integrated
Redundant Power Supply

Once I got the KVM, Network and Power Cables plugged in, I booted the system to check it out. I ordered the system without an OS because non-profit for Win 2003 Server is much less than OEM & retail. I first logged into the RAID Bios. It had 2 drives in a RAID 1 and the rest (6 drives) in a RAID 5. I deleted the RAID 5 array, then recreated another 2 drives in a RAID 1 and the final 4 drives in a RAID 5. Final outcome is RAID 1 for the OS, RAID 1 for the Exchange Logs, and RAID 5 for the Exchange Database.

February 16, 2008 Saturday
During the first service (Sat night) I came up and installed Windows 2003 Server x64 on the new exchange server. Once the OS was installed, I proceeded to download all the windows updates until the OS was completely updated. Went to second service for Praise and Worship.

February 18, 2006 Monday
Monday night we had an IT – Network Support Team meeting. At this meeting, we had to perform the following:

  • Move the 5 FSMO roles from the Windows 2000 Domain Controller to the Windows 2003 Domain Controller. This was a very simple, straightforward process documented at:


  • Join new Exchange 2007 to the domain.
  • Install IIS, including: Enable Network COM+ Access, and IIS (in the details of IIS select IIS Manager, Common Files, WWW Services).
  • We then had to prepare Exchange 2000 Permissions. We did this by placing the Exchange 2007 Server disk in the new exchange server, going to the command prompt, cd d:, and running  Setup /PrepareLegacyExchangePermissions  This command completed successfully.
  • Our next step was to Extend the Active Directory Schema. This is done by going to the command prompt, cd d:, and run  Setup /PrepareSchema

  • Next would be:  Setup /PrepareAD

  • And finally:  Setup /PrepareDomain

  • Once these are run, we would run the prerequisites from the Exchange 2007 CD: Steps 1, 2, 3. On our system, since we had the Windows Update patches up-to-date, steps 1 & 2 were already installed.

Everything seemed to be going well up to the Setup /PrepareSchema part. Once we ran this command, we got an error message:

Setup encountered a problem while validating the state of Active Directory: Domain Controller ‘mail.scc.com’ Operating System Version is 5.0 <2195> Service Pack 4. The minimum version required is 5.2 <3790> Service Pack 1

I noticed that it’s looking at mail.scc.com, which is our 2000 DC, the one we just moved the 5 FSMO roles from. I tried to ping scc.com and sure enough, it resolved mail.scc.com’s IP. I went to my workstation and my workstation, however, was resolving the 2003 domain controller, Fiserv.scc.com. I thought maybe the mail server just needed to be rebooted so I rebooted the mail server. While it was rebooting, I went back to the new exchange server and when I pinged scc.com, this time it resolved Fiserv.scc.com’s IP address (yeah!). I proceeded to run the Setup /PrepareSchema command and this completed successfully this time. I thought, Great! And stopped here for the day.

February 19, 2008 Tuesday
No sooner had I crawled out of bed than I had my laptop up and running and logged into the network. I logged into the new exchange server and pinged scc.com, and it resolved mail.scc.com’s IP address… NO! I proceeded to remember how to change the lmhost.sam file to put Fiserv.scc.com’s IP address and scc.com. Once I did this, I pinged scc.com and it resolved Fiserv.scc.com. Yeah! Back to the command prompt to run Setup /PrepareAD. I get the same error message above stating OS Version is 5.0. NO!!! So I hit Google to begin researching the issue. I found a link that said to run the /domaincontroller:ServerName switch and this will direct it to the correct server. Sure enough…

When I added the /domaincontroller:ServerName switch, it completed successfully.
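The version check behind that Setup error, as an added example that is not part of the original post: it compares each domain controller's recorded OS version and service pack against the minimum quoted in the error (5.2 <3790> Service Pack 1) to show which DC can be named in /domaincontroller. The inventory is constructed sample data, and the function name `Test-DcMeetsMinimum` is hypothetical.

```powershell
# Minimum from the Setup error quoted above: 5.2 (3790) Service Pack 1.
$MinVersion     = [version]'5.2.3790'
$MinServicePack = 1

function Test-DcMeetsMinimum([string]$OsVersion, [string]$ServicePack) {
    # AD stores operatingSystemVersion as "5.2 (3790)"; normalise to 5.2.3790 for comparison.
    if ($OsVersion -notmatch '^(\d+)\.(\d+)\s*\((\d+)\)') { return $false }
    $v = [version]('{0}.{1}.{2}' -f $Matches[1], $Matches[2], $Matches[3])
    if ($v -gt $MinVersion) { return $true }
    if ($v -lt $MinVersion) { return $false }
    # Same OS build: the service pack decides. A missing value counts as SP0.
    $sp = 0
    if ($ServicePack -match '(\d+)') { $sp = [int]$Matches[1] }
    return ($sp -ge $MinServicePack)
}

# Constructed inventory. On a live domain these values come from the
# operatingSystemVersion and operatingSystemServicePack attributes of each
# domain controller's computer object.
$dcs = @(
    # Values taken from the error text on the page.
    @{ Name = 'mail.scc.com';   OsVersion = '5.0 (2195)'; ServicePack = 'Service Pack 4' },
    # Windows 2003 build; the service pack level here is a constructed value.
    @{ Name = 'Fiserv.scc.com'; OsVersion = '5.2 (3790)'; ServicePack = 'Service Pack 2' }
)

foreach ($dc in $dcs) {
    if (Test-DcMeetsMinimum $dc.OsVersion $dc.ServicePack) {
        'OK    {0}: usable as Setup /domaincontroller:{0}' -f $dc.Name
    } else {
        'BLOCK {0}: {1} {2} is below the minimum' -f $dc.Name, $dc.OsVersion, $dc.ServicePack
    }
}
```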

Now, it’s time for the installation of Exchange 2007. If I am unable to install Exchange from the GUI interface that appears with the AutoRun, I may have to run the “unattended installation” from the command prompt so I can include the /domaincontroller:ServerName switch.

3:00pm – Tuesday I’ve done the research and sure enough, due to our network having a Windows 2000 Domain Controller, we are required to run the install from a command line. I’ve done the research and found the switches that I need to run the setup from a command line. Here’s the command line I’m using:

Setup /mode:install /roles:ca,ht,mb,mt /enablelegacyoutlook /legacyroutingserver:mail.scc.com /domaincontroller:Fiserv.scc.com

Here we go!

OK, so we started the upgrade and all was going well until the setup failed due to an Access Denied to the DVD Drive????

I started the setup again and had to end up taking out the MT under the /roles switch, because it had already installed the MT (Exchange Management Tools). I also had to take out the /legacyroutingserver because it could only use this once (notice it failed during the Hub Transport installation). After starting the install again, this time it completed successfully.

Great. So now I can open the Exchange Management Tools and I see all the mailboxes that are located on the Exchange 2000 Server. Yeah! Time to move a mailbox.

I haven’t received my Backup Exec 11d software yet, so I can’t back up the new exchange server until I get the software (hopefully end of this week or early next week). Having said this, I will not move everyone over until I am able to back up Exchange 2007, of course. I will, however, move my mailbox :). While my mailbox is still on Exchange 2000, I’ve exported it to a PST file on my desktop called BACKUPdate. Now at least I have a backup I can restore should something go wrong between now and the time I get my backup software.

March 14, 2008

OK, so I didn’t keep up with the detailed installation logs after we ran into a few other problems. Now I will give a detailed “recap” of what has happened up to today.

The night I completed the setup, I moved my mailbox over successfully. I wasn’t able to send/receive e-mail though. My outlook detected the new server and reconfigured itself, but no mail flow. I’m guessing that because the installation failed during the HT role initially, it didn’t complete the receive and send connectors. On top of that, I noticed about 10:00pm that my production server was offline. I checked the server and the information store was stopped. Long story short with the production server, I spent about 3 ½ hours on the phone with Microsoft until we got my production server’s Information Store to start and stay started. This wasn’t due to the Exchange 2007 upgrade, however. It just happened to do this during the upgrade.

So once we got my production server back up and running, they transferred me to an Exchange 2007 technician and after another hour and a half, we had mail flow going! At that point, we had not received our Backup Exec, so I was the only one on the server for several days.

Since I was on the server, I started looking into OWA and Exchange ActiveSync. With Exchange 2007, you use one SSL Certificate for both OWA and Exchange ActiveSync (as well as Autodiscover if you are going to use that). You need to purchase a Unified Communications SAN Certificate. This will allow for your internal domain and external domain to be on the same certificate using the SAN (Subject Alternative Name). Our problem is that we are the registered owners of our external domain, savannahchristian.com. We are not, however, the registered owner of our Private Internal Active Directory Domain, scc.com (short for Savannah Christian Church). Though this hasn’t been a problem for the 5 plus years this domain has been in place, now it has become a problem. Why? Well, if you are not a registered owner of your internal domain, then you can’t find any Third Party Certificate Authority to put that name on the Certificate for you. If we were only talking about OWA, it wouldn’t be that big of a deal. Not many people use OWA in-house. The problem is that Office 2007 does care if that internal domain name is on the certificate and if it is not, you will get a message stating that the certificate is not trusted and you have to click Yes to continue, twice. This happens every time you open Outlook 2007.

So the question was how to get my internal domain name on my SSL Cert. There were a couple options:

  1. Rebuild the domain to either savannahchristian.com or a domain name that I can purchase. The problem with this is we have over 10 servers, and over 140 computers on our network. This would mean rebuilding the whole network, including recreating each profile under the new domain (since the domain name is different, when the user logs in it will create a different profile). This was not an option that we wanted to take.
  2. Build an internal Certificate Authority Server and create my own SAN Certificate.

We opted to go with number 2. After a quick install of a new Virtual Server, I proceeded to install the Certificate Servers (add/remove programs, windows components). I used the CSR that I created from Exchange and was able to make my own SAN Cert that included my internal and external domain. This worked great. After importing this cert into Exchange, the errors went away in Outlook 2007. I tried OWA and now I was getting a “Trusted Root Certificate” message. I went back into my CA server and grabbed the root certificate. I added the root cert to each computer’s trusted roots folder via AD Group Policy. That worked great. I also had to install the trusted root certificate along with the SAN certificate into each Windows Mobile device. All is working well.

Now the problem I have is that I cannot “push” the root certificate to our staff’s home computers. When they go to OWA, they see the “trusted root certificate” message that says “Continue. Not recommended”. So I have to figure out how to push the root cert to their computers. I was able to successfully manually add the root cert to my home computer and all is well, but I really don’t want to have to do that. I’d rather it be done automatically. Any ideas?
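The two separate checks a client makes on the certificate, as an added example that is not part of the original post: the name check (every host name clients connect to must be in the SAN list, the Outlook 2007 prompt) and the trust check (the issuing root must be in the machine's root store, the OWA prompt on home computers). It assumes PowerShell 5.1 or later with .NET Framework 4.7.2 or newer; the host names under `external.example` and `internal.example` are placeholders standing in for names under savannahchristian.com and scc.com, and the function names are hypothetical.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Get-SanDnsName([X509Certificate2]$Cert) {
    # OID 2.5.29.17 is subjectAltName; Format() prints "DNS Name=host" on Windows, "DNS:host" elsewhere.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($false), '(?:DNS Name=|DNS:)([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLower() }
}

function Test-ClientView([X509Certificate2]$Cert, [string[]]$NamesClientsUse) {
    $san = @(Get-SanDnsName $Cert)
    # Name check: every host name a client connects to must appear in the SAN list.
    $missing = @($NamesClientsUse | Where-Object { $san -notcontains $_.ToLower() })
    # Trust check: build the chain against this machine's own root store.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Cert)
    [pscustomobject]@{
        SanNames     = $san
        MissingNames = $missing
        ChainTrusted = $trusted
        ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status })
    }
}

# Constructed sample: an in-memory certificate whose issuer is in no root store,
# standing in for an internal-CA certificate as seen from a home computer.
$rsa = [RSA]::Create(2048)
$req = [CertificateRequest]::new('CN=owa.external.example', $rsa, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$sanBuilder = [SubjectAlternativeNameBuilder]::new()
'owa.external.example', 'exch.internal.example' | ForEach-Object { $sanBuilder.AddDnsName($_) }
$req.CertificateExtensions.Add($sanBuilder.Build())
$cert = $req.CreateSelfSigned([DateTimeOffset]::Now.AddMinutes(-5), [DateTimeOffset]::Now.AddDays(1))

# The third name is deliberately absent from the SAN list to show a name-check failure.
Test-ClientView $cert 'owa.external.example', 'exch.internal.example', 'autodiscover.internal.example'
```

On the sample, `MissingNames` lists the autodiscover name and `ChainStatus` reports `UntrustedRoot`; importing the root on a machine clears only the second finding.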

I got my Backup Exec software in. You have to have version 11d in order to back up Exchange 2007 (which is what I ordered). I had to run a few prerequisites on my Backup Exec server including adding the Exchange Management Tools to the Backup Exec server. You will need to install the 32 bit version of Exchange Management Tools (if your Backup server is a 32 bit OS). You’ll also need to be sure they are the same version (i.e., Exchange 2007 Server has SP1, you’ll need to update your Management Tools on your backup server to SP1 as well). Once you have this done, and you have your backup server installed correctly, you’ll be able to back up and restore to the message. This is working great!

Once my backup was installed, I successfully transferred over all of our mailboxes. I also moved my Public Folders. Microsoft recommends leaving your old server online for at least 2 weeks to allow everyone to open Outlook so it will automatically configure to the new server. I moved my send connectors to send e-mail directly from the Exchange 2007 server, and I configured my Barracuda Spam filter to point directly to the Exchange 2007.

Everything is working great. I’ll give it about another week or so and then I’ll begin the steps to remove your last legacy exchange server. I’ll keep you posted!

UPDATE: April 23, 2008

Today I used the MS Technet Article on “How to Remove the Last Legacy Exchange Server from an Organization”.  There is one section that is very confusing.  Under the “To remove the last Exchange 2003 or Exchange 2000 server…” section, number 5 gives a Command Shell command to run.  They put “dc=<domain>” but it’s actually “dc=<domain>,dc=<ext>”.  I don’t think “ext” (domain extension) is the correct term, but here’s the example:

My domain name is scc.com, so my command shell will look like this:

Remove-ADPermission "dc=scc,dc=com" -User "scc.com\Exchange Servers" -AccessRights WriteDACL -InheritedObjectType Group

If you do not have your “dc” correct, then you will get errors!  Copy and paste the code above and change it to match your domain name. 

Thanks to my good friend and volunteer, John S., for spending the time and research to get through this issue on his own Exchange 2007 Server, and for immediately passing it on to me! (We both did our Exchange 2007 Upgrades/Migration at the same time)  Hope this helps!


2 Responses

  1. Great recap of what you went through to get your Ex07 server running.
    I wish that I would have kept a detailed log of what we went through during the install. Your migration is great and almost identical to ours. The only exception is that we demoted our 2000 server that was a DC.

    I am not at the step where I have a test user in the new Server store but she cannot send or receive mail. What did MS have you do? I was planning on opening a case with them too but if it is relatively simple it would be awesome not to have to hang on the phone for a couple of hours.

  2. When our Ex07 couldn’t send/receive, it ended up being that the Routing Group/Connectors were not set up. If you go into the System Manager on the Exchange 2000 box, you’ll see both the Ex2000 & Ex07 Servers. If you expand the servers you should see the Routing Groups, and then Connectors under that. You’ll need to add a connector to each Connectors folder. This will create the connection needed for email flow between the two servers.

    I just finished going through “Removing your last exchange server” today! Unfortunately, I don’t have the Exchange 2000 Server to log into anymore to check any settings. I am going to post an UPDATE to that post with a correction to the ms documentation on “How to Remove the Last Legacy Exchange Server from an Organization”, so check back.

    Feel free to email if you have any other questions. I’d be more than happy to help!
