This gallery contains 1 photo.
Supported Environment Microsoft 365, Office 365, Exchange 2016, 2013, 2010, 2007 or 2003. Supported G Suite G Suite Enterprise, Business, Basic, and Education accounts G Suite Cost Standard prices are shown. Google occasionally offers special discounts to some customers for … Continue reading
This gallery contains 1 photo.
Deciding on the best migration path of your users’ email to Office 365 can be difficult. Your migration performance will vary based on your network, existing messaging systems design, mailbox size, migration speed, and so on. For migrations from an … Continue reading
This gallery contains 9 photos.
Assumptions: An operational on-premises Microsoft messaging environment or an IMAP Source An operational Microsoft Office 365 tenant for Exchange Online Active Directory synchronised with Microsoft Azure Active Directory using DirSync Licenses are assigned to Active Users. There are place holder … Continue reading
This article will explain how to create mail flow coexistence between disparate IMAP source and Exchange Online destination. Use case: Customer wants a mailflow co-existence between hosted email e.g. Gmail and Exchange Online during mailbox migration phase. Customer has on-premises … Continue reading
Mail flow in Exchange 2013
Source: Microsoft TechNet
Source: Microsoft TechNet
| Protocol | Exchange 2007 & Exchange 2013 | Exchange 2007 & Exchange 2013 |
| Namespace | legacy.domain.com | no additional namespace |
| OWA | Non-silent redirection to legacy.domain.com |
Proxy to CAS2010 Silent direction |
| EAS | Proxy to MBX2013 | Proxy to CAS2010 |
| Outlook Anywhere | Proxy to CAS2007 | Proxy to CAS2010 |
| Autodiscover | Redirect to CAS2007 | Proxy to CAS2010 |
| EWS | Autodiscover | Proxy to CAS2010 |
| POP/IMAP | Redirect to CAS2007 | Proxy to CAS2010 |
| OAB | Redirect to CAS2007 | Proxy to CAS2010 |
| RPS | N/A | Proxy to CAS2010 |
| ECP | N/A | Proxy to CAS2010 |
Exchange 2013 Perquisites
Supported Co-existence Scenario
Supported Client
Active Directory
Namespace
Operating Systems
Other Components
Cumulative Updates
Upgrade from Exchange 2010 to Exchange 2013
1. Prepare
2. Deploy Exchange 2013
3. Obtain and deploy Certificates
OR
4. Configure Mail flow
5. Switch Primary Name Space
6. Move Mailboxes
7. Repeat additional sites
8. Decommission Exchange 2010
Upgrade from Exchange 2007 to Exchange 2013
1. Prepare
2. Deploy Exchange 2013
3. Obtain and deploy Certificates
4. Configure Mail flow
5. Switch Primary Name Space
6. Move Mailboxes
7. Repeat additional sites
8. Decommission Exchange 2007
Validate External Connectivity
Certificate Best Practice
Restart Transport Services and Information Store Service
Cutover Process
Post Migration
Before you begin, create a work sheet in spreadsheet recording required information to migrate Exchange 2007/2010 to Exchange 2013. For this article, I am going to use following work sheet. This work sheet and migration guide are tested in production exchange migration which I did for few of my clients. Note that this article is not situation specific hence I can’t provide you a silver bullet for your situation.
Deployment Work Sheet
Version Readiness Check
| Present Server | Proposed Server |
| Exchange 2007 SP3 OR 2010 SP3 | Exchange 2013 CU3 |
Exchange Role Assignment
Exchange 2013 has two server roles; the Mailbox and Client Access server roles. You need at least one Client Access server and one Mailbox server in the Active Directory forest. If you’re separating your server roles, Microsoft recommend installing the Mailbox server role first.
Mailbox Role: The Mailbox server includes the Client Access protocols, the Transport service, the Mailbox databases, and Unified Messaging (the Client Access server redirects SIP traffic generated from incoming calls to the Mailbox server). The Mailbox server handles all activity for the active mailboxes on that server.
Client Access: The Client Access server provides authentication, limited redirection, and proxy services for all of the usual client access protocols: HTTP, POP and IMAP, and SMTP. The Client Access server, a thin and stateless server, doesn’t do any data rendering. With the exception of diagnostic logs, nothing is queued or stored on the Client Access server.
| Server Name | Exchange Roles |
| AUPEREXMBX01,AUPEREXMBX02 | Mailbox |
| AUPEREXCAS01,AUPEREXCAS02 | CAS |
Active Directory Schema and Forest
When you install Exchange 2013 for the first time, your Active Directory schema will be updated. This schema update is required to add objects and attributes to Active Directory to support Exchange 2013. Additionally, replicating the changes made to your schema may take several hours or days and is dependent on your Active Directory replication schedule. A forced replication can be performed after schema preparation.
| Description | AD Forest | Domain Controller |
| Primary SMTP namespace | Superplaneteers.com | AUPERDC01,AUPERDC02 |
| User principal name domain | Superplaneteers.com | AUPERDC01,AUPERDC02 |
Legacy Edge Transport
N/A
Network Configuration
| Server Name | TCP/IP | DNS | Replication network |
| AUPEREXMBX01 | 10.10.10.11
|
10.10.10.2
10.10.10.3 |
192.168.100.11/24 |
| AUPEREXMBX02 | 10.10.10.12 | 10.10.10.2
10.10.10.3 |
192.168.100.12/24 |
| AUPEREXCAS01 | 10.10.10.13 | 10.10.10.2
10.10.10.3 |
N/A |
| AUPEREXCAS02 | 10.10.10.14 | 10.10.10.2
10.10.10.3 |
N/A |
The network adapter name used within the operating system of mailbox server must be changed to closely match the associated network name. For example: Domain Network and Replication Network. The following binding order must be maintained within Windows operating systems:
Here is a guide how to change adapter binding order http://technet.microsoft.com/en-us/library/cc732472(v=ws.10).aspx Microsoft does not support multiple default gateways on a single server, no default gateway is required on the replication network card.
Disk layout
| Server Name | C: | E: | F: | G: |
| AUPEREXMBX01 | 50 GB | 50 GB | 500GB | 300GB |
| AUPEREXMBX02 | 50 GB | 50 GB | 500GB | 300GB |
| AUPEREXCAS01 | 50 GB | 50 GB | N/A | N/A |
| AUPEREXCAS02 | 50 GB | 50 GB | N/A | N/A |
Resilient Exchange Configuration
| Purpose | Name | TCP/IP | Subnet | Type |
| DAG | AUPEREXDAG01 | 10.10.10.15 | 255.255.255.0 | N/A |
| CAS NLB or Load Balancer | Mail.superplaneteers.com | 10.10.10.16 | 255.255.255.0 | Multicast |
Exchange Administrator
| User name | Privileges |
| ExMigrationAdmin | Domain Admins
Domain user Schema Admin Enterprise Admin Organisation Management Local Administrator |
Certificates
A public Secure Sockets Layer (SSL) certificate is a prerequisite in Exchange 2013. SSL helps to protect communication between your Exchange servers and clients and other mail servers by encrypting data and, optionally, identifying each side of the connection.
You can buy a third-party certificate from public CA such as Verisign. Certificates published by public CAs are trusted by most operating systems and browsers.
| Common Name | Subject Alternative | Type | Assigned to |
| mail.superplaneteers.com | autodiscover.superplaneteers.com | SSL | IIS,SMTP,POP,IMAP |
Supported Client
Exchange 2013 supports the following minimum versions of Microsoft Outlook and Microsoft Entourage for Mac:
Exchange 2013 does not support Outlook 2003.
Public DNS records
| DNS record | Record Type | IP/Alias/FQDN | Priority |
| Mail.superplaneteers.com | A | 203.17.x.x | N/A |
| superplaneteers.com | MX | Mail.superplaneteers.com | 10 |
| Autodiscover.superplaneteers.com | CNAME | Mail.superplaneteers.com | N/A |
If you have hosted email security then your MX record must look like this. An example is given here for TrendMicro hosted email security.
| DNS record | Record Type | IP/Alias/FQDN | Priority |
| Mail.superplaneteers.com | A | 203.17.x.x | N/A |
| superplaneteers.com | MX | in.sjc.mx.trendmicro.com | 10 |
| Autodiscover.superplaneteers.com | CNAME | Mail.superplaneteers.com | N/A |
Internal DNS records
| DNS record | Record Type | Hardware Load Balancer
VIP or CAS NLB IP |
| Mail.superplaneteers.com | A | 10.10.10.16 |
| Autodiscover.superplaneteers.com | A | 10.10.10.16 |
If you don’t have CAS NLB or hardware load balancer then create Host(A) record of mail.superplaneteers.com and point to Exchange 2013 CAS Server.
Send Connector
Here I am giving an example of TrednMicro smart host. Do not add smart host without proper authorization from smart host provider otherwise you will not be able to send email from internal organisation to external destination.
| Intended use | Address Space | Network Settings | Authentication | Smart Host |
| Internet | “*” | default | Basic, Exchange, TLS | relay.sjc.mx.trendmicro.com |
Receive Connector
| Name | Intended use | Network Settings | IP Range | Server(s) |
| Client Frontend | Client | default | All Available IPv4 | AUPEREXMBX01
AUPEREXMBX02 |
| Default Frontend | Inbound SMTP | default | All Available IPv4 | AUPEREXMBX01
AUPEREXMBX02 |
Anonymous Relay
| Relay | Authentication | Permission | Remote IP | SMTP |
| Anonymous Relay | TLS, Externally Secured | Anonymous, Exchange Servers | IP Address of Printers, Scanner, Devices, App Server | 10.10.10.11
10.10.10.12 |
Port Forwarding in Cisco Router
| Rule | Source Address | Destination Address | NATed Destination | Port |
| OWA | Any | 203.17.x.x | 10.10.10.16 | 443 |
| SMTP | Any | 203.17.x.x | 10.10.10.16 | 25 |
Again if you don’t have CAS NLB or load balancer your NATed destination is Exchange 2013 CAS server.
Mailbox Storage
| Storage Group Type | Database location |
| Mailbox storage | F:Exchange Data |
| Mailbox storage logs | G:Exchange Log |
Email address Policy
| Email Address Policy | %g.%s@superplaneteers.com |
Virtual Directory for internal and external network
| Virtual directory | Internal and External URL value |
| Autodiscover | https://autodiscover.superplaneteers.com/autodiscover/autodiscover.xml |
| ECP | https://mail.superplaneteers.com/ecp |
| EWS | https://mail.superplaneteers.com/EWS/Exchange.asmx |
| Microsoft-Server-ActiveSync | https://mail.superplaneteers.com/Microsoft-Server-ActiveSync |
| OAB | https://mail.superplaneteers.com/OAB |
| OWA | https://mail.superplaneteers.com/owa |
| PowerShell | http://mail.superplaneteers.com/PowerShell |
Since you have finished your work sheet, now you are ready to virtualize Exchange servers on Hyper-v.
1. Virtualize Windows Server 2012 R2
2. Configure TCP/IP properties
3. Disable Windows Firewall
4. Join Windows server 2012 R2 to domain.
Download following software as prerequisites.
1. Microsoft Exchange Server 2010 Service Pack 3 (SP3) OR Exchange Server 2007 Service Pack 3
2. Cumulative Update 3 for Exchange Server 2013 (KB2892464)
3. Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit
4. Microsoft Office 2010 Filter Pack 64 bit
5. Microsoft Office 2010 Filter Pack SP1 64 bit
Additional Prerequisites if you would like to install Exchange 2013 on Windows Server 2008 R2 SP1.
Windows Firewall
Open Control Panel > Windows Firewall. Turn off Firewall components (Domain, private and Public) completely.
Preparing Base Windows Server 2012 for Exchange 2013
Mailbox Server Role in Windows Server 2012 R2
To install prerequisites in Windows Server 2012, open Windows PowerShell as an administrator. Execute the following cmdlet one by one.
Import-Module ServerManager
Install-WindowsFeature RSAT-ADDS
Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation
Reboot Windows Server 2012
Client Access Server Role in Windows Server 2012 R2
To install prerequisites in Windows Server 2012, open Windows PowerShell as an administrator, Execute the following cmdlet one by one.
Import-Module ServerManager
Install-WindowsFeature RSAT-ADDS
Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation
Reboot Windows Server 2012
If you are installing Exchange 2013 on Windows Server 2008 R2 SP1.
Prepare mailbox role Windows Server 2008 R2 SP1
Open Windows PowerShell as an administrator, Execute the following cmdlets one by one.
Import-Module ServerManager
Add-WindowsFeature Desktop-Experience, NET-Framework, NET-HTTP-Activation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Web-Server, WAS-Process-Model, Web-Asp-Net, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI
Reboot Windows Server 2008 R2
Prepare Client Access in Windows Server 2008 R2
Open Windows PowerShell, Execute the following cmdlet one by one.
Import-Module ServerManager
Add-WindowsFeature Desktop-Experience, NET-Framework, NET-HTTP-Activation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Web-Server, WAS-Process-Model, Web-Asp-Net, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI
Reboot Windows Server 2008 R2
Install Service pack 3 on exchange 2010
Upgrading to SP3 requires a schema update, review the Active Directory Schema changes beforehand. Upgrade your Exchange servers to SP3. This should be performed in the following order:
1. CAS servers
2. Hub and/or Edge servers
3. Mailbox servers
4. Unified Messaging servers
Upgrade Exchange 2010 to Exchange 2010 SP3 level
1. Once the files are extracted, locate and run setup.exe as an administrator
2. Select Install Microsoft Exchange Upgrade.
3. Select Next at the welcome screen. Read and accept the license terms, then select Next.
4. If you’ve got all the requirements you’ll see all the green checks, Select Upgrade to begin the upgrade
5. Select Next to start the upgrade.
6. When the upgrade is complete, select Finish.
7. Reboot the server to allow changes to take affect.
Prepare Active Directory Schema
Before you prepare Active Directory, make sure your Active Directory is healthy. Follow the procedure for AD health check.
1. Prepare Active Directory in an Active Directory site where you want to install Exchange 2013.
2. Domain Controller must be Server 2008 Standard/Enterprise (x86/x64) OR Server 2008 R2 Standard / Enterprise OR Windows Server 2012 OR Windows Server 2012 R2.
3. Each domain needs at least one writeable global catalog server
4. Ensure AD replication is working properly in each site / domain
5. Ensure Active Directory is healthy. Visit active directory health check
6. Run the following command in a domain controller, Open command prompt as an administrator
repadmin /showrepl
repadmin /replsummary
repadmin /syncall
netdom query fsmo
Dcdiag /e
Netdiag
7. Open Active Directory Sites and Services MMC, make sure all domain controllers are global catalog.
8. Start Menu, Run, Type eventvwr to open event view, Review event logs to see everything is working as per normal
9. Start Menu, Run> Services.msc to open services, Check DNS server, DNS Client, File replication services are started and set to automatic
10. Open SYSVOL in all domain controllers and check everything is same in all domain controllers.
Now you are ready to prepare Active Directory Domain and Forest.
1. Extract the Exchange2013-x64-cu3.EXE package you have downloaded from Microsoft web site to a common location. In my example I will use E:EXCHANGE2013
2. Open a command prompt as an Administrator, and navigate to the directory in which you extracted the files to. In the case of this example it will be E:Exchange2013. You should see a Setup.exe file located there.
3. Run the following cmd:
OR
4. Run the following cmd:
OR
Now replicate Active Directory manually or wait for replication to complete. Verify event logs in Domain controllers to see any unexpected error or logs pops up or not. If everything looks fine then go ahead and install Exchange 2013.
Installing Exchange 2013 CU3
Create a Test mailbox
1. Open the EAC by browsing to the URL of your Client Access server. For example, https://AUPEREXCAS01/ecp?ExchClientVer=15.
2. Enter the user name and password of the account you used to install Exchange 2013 in Domainuser name and Password, and then click Sign in.
3. Go to Recipients > Mailboxes. On the Mailboxes page, click Add and then select User mailbox.
4. Provide the information required for the new user and then click Save.
5. Go to Permissions > Admin Roles. On the Admin Roles page, select Organization Management and click Edit .
6. Under Members, click Add .
7. Select the Exchange 2013 mailbox you just created, click Add, then click OK. Then click Save.
Install Exchange 2013 certificates
Depending on your requirements, you can configure wild card certificate or a SAN certificate. I will go for SAN certificate to avoid further configuration such as certificate principal name configuration. In this example, I will create a SAN certificate which is as follows.
After you’ve saved the certificate request, submit the request to your certificate authority (CA) which is public CA. Clients that connect to the Client Access server must trust the CA that you use. After you receive the certificate from the CA, complete the following steps:
To re-use existing certificate follow the steps below
After you’ve exported the certificate from your Exchange 2010 server, you need to import the certificate on your Exchange 2013 server using the following steps.
Now that the new certificate has been imported on your Exchange 2013 Client Access server, you need to assign it to your Exchange services using the following steps.
Configure Exchange 2013 external and internal URLs
Configure External and Internal URL to be same
$HostName = “mail.superplaneteers.com “
3. Run each of the following commands in the Shell to configure each internal URL to match the virtual directory’s external URL.
Set-EcpVirtualDirectory “$HostNameECP (Default Web Site)” -InternalUrl ((Get-EcpVirtualDirectory “$HostNameECP (Default Web Site)”).ExternalUrl)
Set-WebServicesVirtualDirectory “$HostNameEWS (Default Web Site)” -InternalUrl ((get-WebServicesVirtualDirectory “$HostNameEWS (Default Web Site)”).ExternalUrl)
Set-ActiveSyncVirtualDirectory “$HostNameMicrosoft-Server-ActiveSync (Default Web Site)” -InternalUrl ((Get-ActiveSyncVirtualDirectory “$HostNameMicrosoft-Server-ActiveSync (Default Web Site)”).ExternalUrl)
Set-OabVirtualDirectory “$HostNameOAB (Default Web Site)” -InternalUrl ((Get-OabVirtualDirectory “$HostNameOAB (Default Web Site)”).ExternalUrl)
Set-OwaVirtualDirectory “$HostNameOWA (Default Web Site)” -InternalUrl ((Get-OwaVirtualDirectory “$HostNameOWA (Default Web Site)”).ExternalUrl)
Set-PowerShellVirtualDirectory “$HostNamePowerShell (Default Web Site)” -InternalUrl ((Get-PowerShellVirtualDirectory “$HostNamePowerShell (Default Web Site)”).ExternalUrl)
To verify that you have successfully configured the internal URL on the Client Access server virtual directories, do the following:
Move Arbitration Mailboxes
Follow the below steps to move all arbitration and discovery search mailboxes to 2013 database.
Open Exchange Management Shell with run as administrator and run the following cmds
Get‐Mailbox –Arbitration | New-MoveRequest –TargetDatabase TargetDBName
Get-Mailbox “*Discovery*” | New-MoveRequest –TargetDatabase TargetDBName
OR
Type the following comdlets in EMS to find arbitration mailboxes and migrate using migration wizard.
Get-Mailbox –Arbitration >C:Arbitration.txt
Get-Mailbox “*Discovery*” >C:Discovery.txt
Enable and configure Outlook Anywhere
To allow your Exchange 2013 Client Access server to redirect connections to your Exchange 2010 servers, you must enable and configure Outlook Anywhere on all of the Exchange 2010 servers in your organization. If some Exchange 2010 servers in your organization are already configured to use Outlook Anywhere, their configuration must also be updated to support Exchange 2013. When you use the steps below to configure Outlook Anywhere, the following configuration is set on each Exchange 2010 server:
$Exchange2013HostName = “mail.superplaneteers.com”
Run the following command to configure Exchange 2010 servers that already have Outlook Anywhere enabled to accept connections from Exchange 2013 servers.
Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 14*”) -And ($_.ServerRole -Like “*ClientAccess*”)} | Get-ClientAccessServer | Where {$_.OutlookAnywhereEnabled -Eq $True} | ForEach {Set-OutlookAnywhere “$_RPC (Default Web Site)” -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName $Exchange2013HostName -IISAuthenticationMethods NTLM, Basic}
If you didn’t enable Outlook Anywhere in Exchange 2010 already, Run the following command to enable Outlook Anywhere and configure Exchange 2010 to accept connections from Exchange 2013 servers.
Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 14*”) -And ($_.ServerRole -Like “*ClientAccess*”)} | Get-ClientAccessServer | Where {$_.OutlookAnywhereEnabled -Eq $False} | Enable-OutlookAnywhere -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName $Exchange2013HostName -IISAuthenticationMethods NTLM, Basic
Configure service connection point (SCP)
Autodiscover uses an Active Directory object called the service connection point (SCP) to retrieve a list of AutoDiscover URLs for the forest in which Exchange is installed. When you install Exchange 2013, you need to update the SCP object to point to the Exchange 2013 server. This is necessary because Exchange 2013 servers provide additional AutoDiscover information to clients to improve the discovery process.
You must update the SCP object configuration on every Exchange server in the organization. You need to use the version of the Exchange Management Shell that corresponds to the version of the Exchange servers you’re updating.
Perform the following steps to configure the SCP object on your Exchange 2010 servers.
$AutodiscoverHostName = “autodiscover.superplaneteers.com”
Run the following command to set the SCP object on every Exchange 2010 server to the AutoDiscover URL of the new Exchange 2013 server.
Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 14*”) -And ($_.ServerRole -Like “*ClientAccess*”)} | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$AutodiscoverHostName/Autodiscover/Autodiscover.xml
Perform the following steps to configure the SCP object on your Exchange 2013 servers.
$AutodiscoverHostName = “autodiscover.superplaneteers.com”
Run the following command to set the SCP object on every Exchange 2013 server to the AutoDiscover URL of the new Exchange 2013 server.
Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 15*”) -And ($_.ServerRole -Like “*ClientAccess*”)} | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$AutodiscoverHostName/Autodiscover/Autodiscover.xml
Configure Exchange 2013 Mail flow
There are four receive connectors in Exchange 2013. They are:
· Default <server name> Accepts connections from Mailbox servers running the Transport service and from Edge servers.
· Client Proxy <server name> Accepts connections from front-end servers. Typically, messages are sent to a front-end server over SMTP.
· Default FrontEnd <server name> Accepts connections from SMTP senders over port 25. This is the common messaging entry point into your organization.
· Outbound Proxy Frontend <server name> Accepts messages from a Send Connector on a back-end server, with front-end proxy enabled.
1. Open the EAC by browsing to https://AUPEREXCAS01/ecp?ExchClientVer=15 of your Client Access server. Click Mail flow, Click Receive Connector
2. Select Default Frontend AUPERMBX01, Click on Edit or Pencil icon, On the Security Parameter, Select Anonymous, Click Save.
3. Repeat the steps for Default Frontend AUPERMBX02.
All you have to do is to add Exchange 2013 mailbox servers to the existing send connector as shown below:
Open Exchange management Shell as an administrator, execute the following command.
Set-SendConnector –Identity Outbound –SourceTransportServers AUPEREXMBX01, AUPEREXMBX02
OR
1. Open the EAC by browsing to https://AUPEREXCAS01/ecp?ExchClientVer=15 of your Client Access server. Click Mail flow, Click Send Connector, Click Edit or Pencil icon
2. Click on scoping and + icon on Source Server parameter to add the server
3. Select the Exchange 2013 Mailbox servers (AUPEREXMBX01 and AUPEREXMBX02) and add them and Click save.
4. Send connector configuration completed.
Configure a smart host if necessary
1. In the EAC https://AUPEREXCAS01/ecp?ExchClientVer=15, navigate to Mail flow > Send connectors, and then click Add .
2. In the New send connector wizard, specify a name for the send connector and then select Custom for the Type. You typically choose this selection when you want to route messages to computers not running Microsoft Exchange Server 2013. Click Next.
3. Choose Route mail through smart hosts, and then click Add . In the Add smart host window, the fully qualified domain name (FQDN), such as relay.sjc.mx.trendmicro.com. Click Save.
4. Under Address space, click Add . In the Add domain window, make sure SMTP is listed as the Type. For Fully Qualified Domain Name (FQDN), enter * to specify that this send connector applies to messages sent to any domain. Click Save.
5. For Source server, click Add . In the Select a server window, choose a server and click Add . Click OK.
6. Click Finish.
Anonymous Relay
Create a new receive connector using Exchange Administration Center with the following parameters.
1. Open the EAC by browsing to https://AUPEREXCAS01/ecp?ExchClientVer=15 of your Client Access server. Click Mail flow, Click Receive Connector, Click Add or + icon
2. Select an Exchange Mailbox Server name AUPEREXMBX01, Type Anonymous Relay on the name, Click Frontend transport, Select Custom, Click Next..
3. On the Network Adapter Binding, Add Exchange 2013 MBX Server IP (10.10.10.11) and port 25. On the remote network settings, add printer, scanner, device and application server IPs. Click Save to create Anonymous Relay.
4. Select newly created Anonymous relay, Click Edit or Pencil Icon, Click Security parameter, Select TLS, Externally Secured in Authentication and Select Exchange Servers, Anonymous users in Permission groups.
5. Open Exchange 2013 Management Shell and execute the following
Get-ReceiveConnector “Anonymous Relay” | Add-ADPermission -User “NT AUTHORITYANONYMOUS LOGON” -ExtendedRights “Ms-Exch-SMTP-Accept-Any-Recipient”
6. Open Exchange management Shell in Exchange 2010 execute cmdlet
Get-ReceiveConnector –Identity “Anonymous relay” | Fl
From PowerShell Windows copy all the IP addresses of printer and scanner to a notepad
7. Edit Anonymous Relay in Exchange 2013 Administration center and add all the IPs addresses you copied in previous step into remote network setting of Exchange 2013 relay.
8. Repeat step 1 to step 7 on all mailbox servers.
Configure Public Name Space
At this stage, you are ready to configure public DNS record. Update your public DNS record including Hosted Email Security. You only need to configure public DNS if you are changing public IPs and hosted email security otherwise you just have to change the port 443 and port 25 forwarding rule in internal Cisco router in your organization.
You public DNS must look similar to this table.
| superplaneteers.com | MX | Mail.superplaneteers.com |
| mail.superplaneteers.com | A | 203.17.x.x (Public IP) |
| autodiscover.superplaneteers.com | A | 203.17.x.x (Public IP) |
Request your ISP who provided you 203.17.x.x public IP to create reverse DNS record for mail.superplaneteers.com. This is very important for Exchange to function correctly. When you send email to a destination, many destination server checks reverse DNS. If reverse DNS is wrong you could be banned from sending email to destination server. Note that outlook.com check reverse DNS and SPF records of domain sending email to an outlook address.
Configure TMG/UAG
If you are publishing internet facing Exchange 2013 CAS using TMG or UAG, follow the URL below and publish Outlook Web App and Active Sync.
Publish-exchange-server-2010-using-forefront-uag-2010-step-by-step/
Publish-outlook-web-access-and-exchange-servers-using-forefront-tmg-2010/
Create internal DNS Record
Create Host(A) record with reverse DNS in the forward lookup zone of forest superplaneteers.com. Internal DNS records must look similar to this table.
| FQDN | Record Type | IP Address |
| Mail.superplaneteers.com | A | 10.10.10.16 |
| Autodiscover.superplaneteers.com | A | 10.10.10.16 |
If you don’t have CAS NLB or load balancer then your internal host(A) record must point to Exchange 2013 CAS server.
Open PowerShell as an administrator, execute the following
Resove-Dnsname mail.superplaneteers.com
Nslookup mail.superplaneteers.com
Configure Offline Address Book
To create a new offline address book and set the same OAB on all mailbox databases at once, run the following command. The command example uses “Default Offline Address Book” for the name of the OAB.
Open Exchange Management Shell, execute the cmdlets
New-OfflineAddressBook -Name “Default Offline Address Book” -AddressLists “Default Global Address List”
Restart-Service MSExchangeMailboxAssistants
Wait a few minutes and check if the OAB files is created in C:Program FilesMicrosoftExchange ServerV15ClientAccessOAB<newGUID>
Try to access the new OAB in IE: https://mail.superplaneteers.com/oab/<newguid/oab.xml
Get-MailboxDatabase | Set-MailboxDatabase -OfflineAddressBook “Default Offline Address Book (Ex2013)”
To Change the generation server open Exchange 2010 Management Shell and run the following command:
Move-OfflineAddressBook –Identity “Default Offline Address Book” –Server AUPERCAS01,AUPERCAS02
Configure new transport rule in Exchange 2013 or Export transport rules from legacy Exchange.
Follow this reference if you are migrating from Exchange 2007
You cannot migrate transport rules from Exchange Server 2007 to Exchange Server 2013
The following cmdlet example exports all your Transport Rules to the XML file, ExportedRules.xml, in the “c:TransportRules” folder:
Export-TransportRuleCollection -FileName “c:TransportRulesExportedRules.xml”
The following example cmdlet imports your transport rule collection from the XML file ExportedRules.xml in the “C:TransportRules” folder
[Byte[]]$Data = Get-Content -Path “C:TransportRulesExportedRules.xml” -Encoding Byte -ReadCount 0 Import-TransportRuleCollection -FileData $Data
To create new Transport rule,
1. Open the EAC by browsing to https://AUPEREXCAS01/ecp?ExchClientVer=15 of your Client Access server.
Move mailboxes to Exchange 2013
14. Click Finish.
OR
Open Exchange Management Shell
Get-Mailbox –Database “Exchange 2010 database name’ | New-MoveRequest –targetdatabase “Exchange 2013 database name”
Get-MoveRequest
Migrate Room or Resource mailboxes
Open EMS and execute the cmdlets
Get-Mailbox -RecipientTypeDetails roommailbox -database SOURCEDBNAME | new-moverequest -targetdatabase TARGETDBNAME
Upgrade Distribution groups
Open Exchange management Shell as an administrator, execute the following command.
Get-DistributionGroup -resultsize unlimited | Set-DistributionGroup –ManagedBy “CN=Organization
Management,OU=Microsoft Exchange Security Groups,DC=superplaneteers,DC=com”
Get-DistributionGroup -resultsize unlimited | Set-DistributionGroup –ForceUpgrade
Upgrading Distribution Groups with multiple owners to Exchange 2013
Open Exchange management Shell as an administrator, execute the following command.
foreach ($DL in (Get-DistributionGroup -ResultSize Unlimited)) { $owners = Get-ADPermission $DL.identity | ?{$_.User -notlike “*Exchange*” -and $_.User -notlike “S-*” -and $_.User -notlike “*Organization*” -and $_.User -notlike “NT*” -and $_.User -notlike “*Domain Admins*” -and $_.User -notlike “*Enterprise Admins” -and $_.User -notlike “BUILTIN*” -and $_.User –notlike “*Delegated Setup*”} | %{$_.user.tostring()};Set-DistributionGroup $DL -BypassSecurityGroupManagerCheck -ManagedBy $owners }
Migrate Public Folder
In Exchange 2013, public folders were re-engineered using mailbox infrastructure to take advantage of the existing high availability and storage technologies of the mailbox database. Public folder architecture uses specially designed mailboxes to store both the public folder hierarchy and the content. This also means that there’s no longer a public folder database. High availability for the public folder mailboxes is provided by a database availability group (DAG).
There are two types of public folder mailboxes: the primary hierarchy mailbox and secondary hierarchy mailboxes. Both types of mailboxes can contain content:
There are two ways you can manage public folder mailboxes:
Before you migrate public folder, I would recommend creating new separate mailbox database in Exchange 2013 then start the migration process.
Step1: Perform Perquisites
Download all four of the Microsoft Exchange 2013 public folder migration scripts and save the script in C:PFScripts
Prerequisites in Exchange 2010 Server
Open Exchange Management Shell in Exchange 2010 server, run the following cmdlets one by one.
Run the following command to take a snapshot of the original source folder structure.
Get-PublicFolder -Recurse | Export-CliXML C:PFMigrationLegacy_PFStructure.xml
Run the following command to take a snapshot of public folder statistics such as item count, size, and owner
Get-PublicFolderStatistics | Export-CliXML C:PFMigrationLegacy_PFStatistics.xml
Run the following command to take a snapshot of the permissions.
Get-PublicFolder -Recurse | Get-PublicFolderClientPermission | Select-Object Identity,User -ExpandProperty AccessRights | Export-CliXML C:PFMigrationLegacy_PFPerms.xml
Save the information from the preceding commands for comparison at the end of the migration.
In Exchange 2010, to locate public folders that have a backslash in the name, run the following command:
Get-PublicFolderStatistics -ResultSize Unlimited | Where {$_.Name -like “**”} | Format-List Name, Identity
In Exchange 2007, to locate public folders that have a backslash in the name, run the following command:
Get-PublicFolderDatabase | ForEach {Get-PublicFolderStatistics -Server $_.Server | Where {$_.Name -like “**”}}
If any public folders are returned, you can rename them by running the following command:
Set-PublicFolder -Identity <public folder identity> -Name <new public folder name>
Make sure there isn’t a previous record of a successful migration. If there is, you’ll need to set that value to $false. If the value is set to $true the migration request will fail.
The following example checks the public folder migration status.
Get-OrganizationConfig | Format-List PublicFoldersLockedforMigration, PublicFolderMigrationComplete
Set-OrganizationConfig -PublicFoldersLockedforMigration:$false -PublicFolderMigrationComplete:$false
Prerequisites on Exchange 2013
Make sure there are no existing public folder migration requests. If there are, clear them.
Get-PublicFolderMigrationRequest | Remove-PublicFolderMigrationRequest -Confirm:$false
To make sure there are no existing public folders on the Exchange 2013 servers, run the following commands.
Get-Mailbox -PublicFolder
Get-PublicFolder
If the above commands return any public folders, use the following commands to remove the public folders.
Get-MailPublicFolder | where $_.EntryId -ne $null | Disable-MailPublicFolder -Confirm:$false
Get-PublicFolder -GetChildren | Remove-PublicFolder -Recurse -Confirm:$false
Get-Mailbox -PublicFolder |Remove-Mailbox -PublicFolder -Confirm:$false
Step2: Generate CSV Files
On the Exchange 2010 server, run the Export-PublicFolderStatistics.ps1 script to create the folder name-to-folder size mapping file.
.Export-PublicFolderStatistics.ps1 <Folder to size map path> <FQDN of source server>
Run the PublicFolderToMailboxMapGenerator.ps1 script to create the public folder-to-mailbox mapping file. This file is used to create the correct number of public folder mailboxes on the Exchange 2013 Mailbox server.
.PublicFolderToMailboxMapGenerator.ps1 <Maximum mailbox size in bytes> <Folder to size map path> <Folder to mailbox map path>
<Folder to size map path> is \AUPEREX2010c$PFstat.csv
<Maximum mailbox size in bytes> is 20000000
<Folder to mailbox map path> is \AUPEREX2010c$PFMigrationmapgen.csv
Step3: Create public folder mailboxes on Exchange 2013
Run the following command to create the first public folder mailbox on the Exchange 2013 Mailbox server.
New-Mailbox -PublicFolder <Name> -HoldForMigration:$true –database “Exchange 2013 database”
Run the following command to create additional public folder mailboxes as needed based on the .csv file generated from the PublicFoldertoMailboxMapGenerator.ps1 script.
$numberOfMailboxes = 25;
for($index =1 ; $index -le $numberOfMailboxes ; $index++)
{
$PFMailboxName = “Mailbox”+$index; if($index -eq 1) {New-Mailbox -PublicFolder $PFMailboxName -HoldForMigration:$true -IsExcludedFromServingHiearchy:$true;}else{NewMailbox-PublicFolder $PFMailboxName -IsExcludedFromServingHierarchy:$true}
}
Step4: Start Migration request
Legacy system public folders such as OWAScratchPad and the schema-root folder subtree in Exchange 2007 won’t be recognized by Exchange 2013 and will be treated as bad items. This will cause the migration to fail. As part of the migration request, you must specify a value for the BadItemLimit parameter.
From the Exchange 2013 Mailbox server, run the following command:
$PublicFolderDatabasesInOrg = @(Get-PublicFolderDatabase)
$BadItemLimitCount = 5 + ($PublicFolderDatabasesInOrg.Count -1)
New-PublicFolderMigrationRequest -SourceDatabase (Get-PublicFolderDatabase -Server <Source server name>) -CSVData (Get-Content <Folder to mailbox map path> -Encoding Byte) -BadItemLimit $BadItemLimitCount
To verify that the migration started successfully, run the following command.
Get-PublicFolderMigrationRequest | Get-PublicFolderMigrationRequestStatistics -IncludeReport | Format-List
Step 5: Lock Source Server
On the Exchange 2010 server, run the following command to lock the legacy public folders for finalization.
Set-OrganizationConfig -PublicFoldersLockedForMigration:$true
Step6: Finalize public folder migration
Set-PublicFolderMigrationRequest -Identity PublicFolderMigration -PreventCompletion:$false
Resume-PublicFolderMigrationRequest -Identity PublicFolderMigration
Step7: Test Public Folder Migration
Run the following command to assign some test mailboxes to use any newly migrated public folder mailbox as the default public folder mailbox
Set-Mailbox -Identity <Test User> -DefaultPublicFolderMailbox <Public Folder Mailbox Identity>
Log on to Outlook 2007 or later with the test user identified in the previous step, and then perform the following public folder tests:
Post Migration Check
1. Verify Internal and external DNS records and aliases of autodiscover and mail are pointing to Exchange 2013 CAS server or load balancer VIP or CAS NLB IP. At this stage do not delete Host(A) record of legacy exchange servers until you decommission them.
2. Point your Spam Guard or hosted email security to forward all the emails to exchange 2013 to receive incoming mail via Exchange 2013.
3. Configure Spam Guard or hosted email security to accept emails from all Exchange 2013 Mailbox servers.
4. Configure smart host if necessary.
5. Configure all other application to send email via the Exchange 2013 Mailbox Servers
6. Test inbound and outbound email from outlook client and mobile devices.
7. Start Monitoring Exchange, Open EMS and execute Get-mailbox –monitoring
8. Go to https://testconnectivity.microsoft.com/ to test connectivity of Exchange 2013
9. Go to http://mxtoolbox.com/ to test your MX, Reverse DNS and DNS records.
Decommission Legacy Exchange Server
Before you decommission legacy Exchange server, make sure you have completed the following tasks
10. Remove Exchange 2010 CAS arrays. Execute Get-clientaccessarray | remove-ClientAccessArray in Exchange 2010 management shell
11. Point all the applications to use Exchange 2013 SMTP.
12. Test inbound and outbound email from various supported clients.
Now is the time to shutdown legacy exchange servers in your organization and test Exchange 2013 mail flow again. Make sure you shut down the server during working hours and working days. Keep the legacy exchange down for at least 48hrs. To decommission legacy Exchange follow the steps
1. Bring all legacy servers online means power on all servers which were down in previous step.
2. Remove all Public Folder replicas else Public Folder Database will not be removed. To remove public folder replicas, open Exchange Management Console in exchange 2010, Click Tools, Open Public Folder Management Console, Select Default Public Folder, Click properties, Click Replication, Remove exchange 2010 database from replication. Repeat the same for systems public folder.
3. Remove Exchange 2007/2010 mailbox database and Public folder databases from EMC or EMS.
4. Go to Control Panel to remove Exchange 2007/2010. On Program and Features screen click on Uninstall. On the Maintenance Mode page of the Exchange Server 2007/2010 Setup wizard begins the process of removing your Exchange installation. Click Next to continue.
5. On the Server Role Selection page, uncheck in 2007/2010 all Exchange server roles and Exchange management tools to remove. In Exchange 2007 CCR remove passive node first then follow the same steps on active node. Click next to continue.
6. On the Readiness Checks page, view the status to determine if the organization and server role prerequisite checks completed successfully. If the prerequisites check doesn’t complete successfully, review the Summary page and fix any issues that are preventing Setup from removing exchange 2007/2010. If the checks have completed successfully, click Uninstall to remove the entire installation of Exchange 2007/2010.
7. On the Completion page, click Finish.
8. Verify the setup log files and folder located at c:ExchangeSetupLogs.
9. Uninstall Internet Information Services (IIS) from windows Server 2008 or add/remove program and features in Windows Server 2003.
10. Disjoin the legacy Exchange servers from the Domain.
11. Delete Host(A) DNS record of Legacy Exchange Server. Delete ONLY legacy DNS record.
References
http://technet.microsoft.com/en-us/library/ee332361(EXCHG.141).aspx
http://technet.microsoft.com/en-us/library/bb123893(EXCHG.80).aspx
http://technet.microsoft.com/en-US/exdeploy2013/Checklist?state=2284-W-CABEAgAAQAAACQEAAQAAAA~~
http://support.microsoft.com/kb/2846555
http://support.microsoft.com/?kbid=940726
http://www.petenetlive.com/KB/Article/0000036.htm
http://www.expta.com/2013/05/owa-2013-cu1-redirection-is-broken-for.html
Trend Micro Worry-Free Business Security (WFBS) protects business users and assets from data theft, identity theft, risky websites, and spam (Advanced only).
Trend Micro offers the following editions:
Standard: Designed to protect clients (desktops, portable computers, and servers) on your local network. This edition includes Outbreak Defence, Firewall, and Antivirus/Anti-spyware scanning. It also comes with technical support, malware/virus pattern file downloads, real-time scanning, and program updates for one year.
Advanced: Designed to protect clients and Microsoft Exchange servers on your network. In addition to all the features in Worry-Free Business Security Standard, this edition includes Anti-spam, Content Filtering, Data Loss Prevention, and Attachment Blocking.
Features worry-free business Features
TrendMicro Components:
Registration Key
A Registration Key comes with your purchase of Worry-Free Business Security. It has
22 characters (including hyphens) and is in the following format: xx-xxxx-xxxxx-xxxxx-xxxxx
Use a fully licensed Registration Key to register Worry-Free Business Security on the Trend Micro website at http://olr.trendmicro.com.
Security Server
At the center of Worry-Free Business Security is the Security Server. The Security Server hosts the web console, the centralized web-based management console for Worry-Free Business Security. Hosts the Web Console, downloads updates from the Trend Micro ActiveUpdate Server, collects and stores logs, and helps control virus/malware Outbreaks Manages all agents from a single location
Scan Server
The Security Server includes a service called Scan Server, which is automatically installed during Security Server installation. As such, there is no need to install it separately. The Scan Server runs under the process name iCRCService.exe and appears as Trend Micro Smart Scan Service from Microsoft Management Console.
Downloads scanning-specific components from Trend Micro and uses them to scan clients
Agents
Agents protect clients from security threats. Clients include desktops, servers, and Microsoft Exchange servers.
Security Agent Protects desktops and servers from security threats and intrusions Protects Windows 7/Vista/XP/Server 2003/Server 2008 computers from malware/viruses, spyware/grayware, Trojans, and other threats
Messaging Security Agent Protects Microsoft Exchange servers from email-borne security Threats
Web Console
The web console is the central point for monitoring clients throughout the corporate network. It comes with a set of default settings and values that you can configure based on your security requirements and specifications. The web console uses standard Internet technologies, such as Java, CGI, HTML, and HTTP.
WFBS Ports
WFBS uses the following ports:
• Server listening port (HTTP port): Used to access the Security Server. By default, WFBS uses one of the following:
• IIS server default website: The same port number as your HTTP server’s TCP port.
• IIS server virtual website: 8059
• Apache server: 8059
• Client listening port: A randomly generated port number through which the Security Agent and Messaging Security Agent receive commands from the Security Server.
Trend Micro Security (for Mac) Communication port: Used by the Trend Micro Security (for Mac) server to communicate with Mac clients. The default is port 61617.
SMTP port: Used by the Security Server to send reports and notifications to administrators through email. The default is port 25.
Proxy port: Used for connections through a proxy server.
Systems requirements:
TrendMicro Download Location:
Installation:
1. Double-click the SETUP.EXE file. The Trend Micro Installation screen appears.
2. Click Next. The License Agreement screen appears.
3. Read the license agreement. If you agree with the terms, select I accept the terms of the license agreement.
4. Click Next. The Setup Type screen appears.
5. From the Setup Type page, choose one of the following options:
6. Click Next. The Product Activation page appears Note: If you do not have an Activation Code, you may not have registered your copy of WFBS yet. Click Register Online to open a new browser window.
7. Click Next. The Setup Overview page appears. The Setup Overview page shows the components that you need configure in order to install the Trend Micro Security Server and the Security Agent (as well as the Messaging Security Agent [MSA] if you are using WFBS Advanced).
8. Click Next. If you selected Custom Installation, the Select Target Folder page would appear. The default WFBS install folder is C:Program FilesTrend MicroSecurity Server. If you want to install WFBS in another folder, click Browse.
9. Click Next. The Select Components page appears.
10. Select the components that you want to install. For WFBS Advanced only: The Configure Security Server page now highlights the Security Server.
11. Configure the Security Server. The Security Server configuration tasks consist of pre-scanning the server for malware as well as configuring the web server and the proxy server.
12. Click Next. The Computer Prescan page appears.
13. Choose whether or not to pre-scan your computer for threats by selecting one of the following options:
Prescan my computer for threats– The prescan targets the most vulnerable areas of the computer, which include the following:
14. Click Next. If you selected Custom Installation, the Web Server page would appear. Select a web server to host the Security Server web console. Choose one of the following:
15. Click Next. The Web Server Identification page appears.
16. Choose from one of the following server identification options for client-server communication:
17. Click Next. The Administrator Account Password page appears.
18. Specify different passwords for the Security Server web console and the Security Agent.
Note: The password field holds 1-24 characters and is case sensitive.
19. Click Next. The SMTP Server and Notification Recipient(s) page appears.
20. Enter the required information:
21. Click Next. The Trend Micro Smart Protection Network page appears.
22. Choose whether or not you want to participate in the Trend Micro Smart Protection Network feedback program.
23. Click Next. If you selected Custom Installation, the General Proxy Settings page would appear. The Configuring Security Agent page highlights the Security Agent.
24. Configure the Security Agent. The Security Agent configuration tasks consist of setting the agent installation path, configuring the agent’s server and desktop settings as well as the proxy server settings for additional services.
25. Click Next. If you selected Custom Installation, the Security Agent Installation Path page would appear.
26. Set the following items:
27. Click Next. If you selected Custom Installation, the Configuring Security Agents Settings page would appear.
28. You can configure Security Agent settings for Servers and Desktops: In each group, you can configure the following components:
29. Click Next. If you selected Custom Installation, the Proxy Setting for Additional Services page would appear. The Smart Scan, Web Reputation, and Behaviour Monitoring services use the proxy server address and port used by Internet Explorer on client computers. If that proxy server requires authentication, use this page to specify logon credentials.
30. For WFBS Advanced only: Configure the MSA. You will be prompted to install the MSA at one of the following points: Note: This procedure applies to both local and remote MSA installation.
31. Click Next. The Install Messaging Security Agent page appears.
32. Provide the following information:
i. Exchange Server
ii. Domain Administrator Account
iii. Password
33. Click Next. If you selected Custom Installation, the Messaging Security Agent Settings page would appear. Configure the following:
35. Proceed with the installation process. The Start Copying Files page shows a summary of all the parameters that will be used during the installation of WFBS. Do one of the following:
The Install Third Party Components page appears. This page informs you which third party components will be installed.
36. Click Next to start installing the selected components. The entire installation process may take some time to complete. During the installation, a status page will show the progress being made. When the Setup Wizard Complete screen appears, click Finish.
Installing the Client/Server Security Agent (CSA) or Security Agent (SA) using Remote Install
Installing Agent for Exchange Server
The Messaging Security Agent (MSA) can also be installed from the Web Console.
1. Log on to the Web Console.
2. Click the Security Settings tab, and then click the Add button.
3. Under the Computer Type section, click Microsoft Exchange server.
4. Under Microsoft Exchange Server Information, type the following information:
• Server name: The name of the Microsoft Exchange server to which you want
to install MSA.
• Account: The built-in domain administrator user name.
• Password: The built-in domain administrator password.
5. Click Next. The Microsoft Exchange Server Settings screen appears.
6. Under Web Server Type, select the type of Web server that you want to install on
the Microsoft Exchange server. You can select either IIS Server or Apache Server.
7. For the Spam Management Type, End User Quarantine will be used.
8. Under Directories, change or accept the default target and shared directories for
the MSA installation. The default target and shared directories are C:Program
FilesTrend MicroMessaging Security Agent and C$, respectively.
9. Click Next. The Microsoft Exchange Server Settings screen appears again.
10. Verify that the Microsoft Exchange server settings that you specified in the
previous screens are correct, and then click Next to start the MSA installation.
11. To view the status of the MSA installation, click the Live Status tab.
Configure Smart Host for Outbound Email
1. Open the Exchange Management Console.
2. Click on the plus sign (+) next to Organization Configuration.
3. Select Hub Transport and click the Send Connectors tab.
4. Right-click the existing Send Connector then select Properties and go to the Network tab.
5. Select Route mail through the following smart hosts and click Add.
6. Select Fully Qualified Domain Name (FQDN)and specify the HES relay servers:
o HES US / Other Regions Relay Record: relay.sjc.mx.trendmicro.com
o HES Europe, Middle East, and Africa (EMEA) Relay Record: relay.mx.trendmicro.eu
7. Click OK.
8. Go to the Address Space tab and click Add.
9. Add an asterisk (*) and then click OK.
10. Click Apply > OK.
11. Go to the Source Server tab and add your Exchange Server.
12. Click Apply > OK.
Before you begin next step, make sure you have a valid public DNS and MX record configured and available via ping or nslookup. To find Out MX Record, follow the step or contact your ISP.
C:Usersraihan >nslookup
> set type=mx
> domainname.com.au
Non-authoritative answer:
domainanme.com.au MX preference = 20, mail exchanger = mx1.domainname.net.au
domainanem.com.au MX preference = 10, mail exchanger = mail.domainname.com.au
mx1.domainname.net.au internet address = 203.161.x.x
mail.domainname.com.au internet address = 116.212.x.x
Pinging domainname.com.au [203.161.x.x] with 32 bytes of data:
Registered Hosted Email Security
Firstly you’ll need to have registered with Trend Micro Online https://olr.trendmicro.com/registration/ .
Create service account (See upcoming post on creating a secure services account)
Open Hosted Email Security Web console
Register Your Domains with Trend Micro
1. Go to the Trend Micro Online Registration portal.
2. Create a new OLR account.
a. Under the “Not registered” section, select your country and language from the dropdown list, then click Continue.
Enter your HES Registration Key.
If you have other Trend Micro products or services you want to register, enter their Registration Keys and click Continue. Otherwise, click No. The License Terms page appears.
Select I Accept, then click Submit.
Complete the registration information form.
Specify your OLR logon ID.
Note: The OLR logon ID will also serve as your HES portal login ID.
Click Submit.
The next page will show your HES Activation Code (AC). This means that you have successfully registered HES. You will receive an email copy containing your Activation Code, username and temporary password.
3. Using the provided OLR username and password, log on to the HES console:
For US: https://us.emailsec.trendmicro.com/loginPage.imss
For EMEA: https://emailsec.trendmicro.eu/loginPage.imss
Note: Make sure that the Log on with Trend Micro Online Registration user name and password checkbox is ticked.
4. Enter your domain and IP information, then click Add Domain.
5. Once your managed domain list is complete, tick the checkbox beside your managed domain and click Submit.
6. Wait for your confirmation email. This will take 48 hours at most. The confirmation email will guide you through the final steps needed before starting the service.
Navigate to Administration > Domain Management
Download the ActiveDirectory Sync Client
Install the ActiveDirectory Sync Client
http://esupport.trendmicro.com.au/solution/en-us/1059663.aspx
http://esupport.trendmicro.com.au/solution/en-us/1060411.aspx
1. Extract the ActiveDirectory Sync Client file and run setup.exe
2. Usual I agree, next, next stuff
3. Then you’ll need your DOMAIN, the user will be the sa-TrendMicroHE we created earlier along with it’s password.
4. Click Next
5. Leave installation path as is, and change to install for Everyone
6. Click Next
7. Click Next
8. Click Close when finish
9. The ActiveDirectory Sync Client will then open
10. For the source paths you’ll need to enter the LDAP source paths for your server where users and groups are located to get you start some defaults are (don’t forget to change it to <yourdomain>)
LDAP://OU=Users,,OU=CompanyName,DC=<yourdomain>,DC=com
11. Click Add
LDAP://OU=Distribution Groups, OU=companyname,DC=<yourdomain>,DC=com
12. Click Add
13. Click Configure
14. Click OK
15. Click Apply
16. This will restart the service
Amend ClientMHS_AD_ACL.config
1. Open C:Program Files (x86)Trend MicroHosted Email Security ActiveDirectory Sync ClientIMHS_AD_ACL.config in notepad
2. Installed Config file looks like this:
<?xml version=”1.0″ encoding=”utf-8″?>
<ad_acl>
<ldap_path name=”default”>
<objectClass name=”User”>
<displayNameAttr>displayName</displayNameAttr>
<emailAttr>mail</emailAttr>
<emailAttr>proxyAddresses</emailAttr>
</objectClass>
</ldap_path>
</ad_acl>
3. Change the following to add groups and public folders. Ref
<?xml version=”1.0″ encoding=”utf-8″?>
<ad_acl>
<ldap_path name=”default”>
<objectClass name=”User”>
<displayNameAttr>displayName</displayNameAttr>
<emailAttr>mail</emailAttr>
<emailAttr>proxyAddresses</emailAttr>
</objectClass>
</ldap_path>
<ldap_path name=”default”>
<objectClass name=”group”>
<displayNameAttr>displayName</displayNameAttr>
<emailAttr>mail</emailAttr>
<emailAttr>proxyAddresses</emailAttr>
</objectClass>
</ldap_path>
<ldap_path name=”default”>
<objectClass name=”publicFolder”>
<displayNameAttr>displayName</displayNameAttr>
<emailAttr>mail</emailAttr>
<emailAttr>proxyAddresses</emailAttr>
</objectClass>
</ldap_path>
<ldap_path name=”default”>
<objectClass name=”*”>
<displayNameAttr>displayName</displayNameAttr>
<emailAttr>mail</emailAttr>
<emailAttr>proxyAddresses</emailAttr>
</objectClass>
</ldap_path>
</ad_acl>
4. Save this (you’ll need to save to desktop then move it back over the original file, otherwise it will Access Denied) and return the the ActiveDirectory Sync Client
5. Click Sync Now
6. Give it a few moments then click History
7. Here you should see the correct number of groups and users you expect. Check the times are correct for when you’ve pressed. And it should finish with Sync domain <yourdomain.com> successful
8. Click Close
9. Click Close
Post Configuration Check
If you have a Common Name certificate or Subject Alternative Name certificate in Exchange webmail or other website and you would like to change that to wild card certificate to consolidate your certificate uses in wide variety of infrastructure and save money. You can do so safely with a minor downtime with no or little loss of productivity.
Microsoft accept certified SSL provider which are recorded in this url http://support.microsoft.com/kb/929395/en-us
Here is a guide lines how to accomplish this objective.
Step1: Check Current Exchange SSL Certificate
Open Exchange Management Shell and Issue Get-ExchangeCertificate Command. Record the information for future reference.
Step2: Record Proposed Exchange SSL Wildcard Certificate
Step3: Generate a wildcard certificate request
You can use https://www.digicert.com/easy-csr/exchange2007.htm to generate a certificate command for exchange server.
New-ExchangeCertificate -GenerateRequest -Path c:star_your_company.csr -KeySize 2048 -SubjectName “c=AU, s=Western Australia, l=Perth, o=Your Company, ou=ICT, cn=*.yourdomain.com.au” -PrivateKeyExportable $True
Step4: Sign the certificate request and download SSL certificate in PKCS#7 format
For more information, you can go to help file of your certificate provider. But for example I am using rapidSSL. Reference https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&id=SO14293&actp=search&viewlocale=en_US&searchid=1380764656808
1. Click https://products.geotrust.com/geocenter/reissuance/reissue.do
2. Provide the common name, technical contact e-mail address associated with the SSL order,
and the image number generated from the Geotrust User Authentication page.
3. Select Request Access against the correct order ID. An e-mail will be sent to the technical contact e-mail address specified above.
4. Click on the link listed in the e-mail to enter the User Portal Click View Certificate Information. Select the appropriate PKCS#7 or X.509 format from the drop down menu depending on the server requirements. NOTE: Microsoft IIS users select PKCS#7 format and save the file with .p7b extension.
5. Save the certificate locally and install per the server software.
Step5: Locate and Disable the Existing CA certificate
Now this step is a disruptive step for webmail. You must do it after hours.
1. Create a Certificate Snap-In in Microsoft Management Console (MMC) by following the steps from this link: SO14292
2. With the MMC and the Certificates snap-in open, expand the Trusted Root Certification Authorities folder on the left and select the Certificates sub-folder.
3. Locate the following certificate in the MMC: If this certificate is present, it must be disabled. Right click the certificate, Select Properties
4. In the Certificate purposes section, select Disable all purposes for this certificate
Click OK to close the MMC without saving the console settings.
Step6: Install Certificate
To install a SSL certificate onto Microsoft Exchange, you will need to use the Exchange
Management Shell (EMS). Microsoft reference http://technet.microsoft.com/en-us/library/bb851505(v=exchg.80).aspx
1. Copy the SSL certificate file, for example newcert.p7b and save it to C: on your Exchange server.
2. Run the Import-ExchangeCertificate and Enable-ExchangeCertificate commands together. For Example
Import-ExchangeCertificate -Path C:newcert.p7b | Enable-ExchangeCertificate –Services “SMTP, IMAP, POP, IIS”
3. Verify that your certificate is enabled by running the Get-ExchangeCertificate command.
For Example Get-ExchangeCertificate -DomainName yourdomain.com.au
4. In the Services column, letters SIP and W stand for SMTP, IMAP, POP3 and Web (IIS). If your certificate isn’t properly enabled, you can re-run the Enable-ExchangeCertificate command by pasting the thumbprint of your certificate as the -ThumbPrint argument such as: Enable-ExchangeCertificate -ThumbPrint [paste] -Services ” IIS”
Step7: Configure Outlook settings
Microsoft reference http://technet.microsoft.com/en-us/library/cc535023(v=exchg.80).aspx
To use the Exchange Management Shell to configure Autodiscover settings by using the Set-OutlookProvider cmdlet if you are using Exchange 2007.
Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.yourdomain.com.au
To change Outlook 2007 connection settings to resolve a certificate error
1. In Outlook 2007, on the Tools menu, click Account Settings.
2. Select your e-mail address listed under Name, and then click Change.
3. Click More Settings. On the Connection tab, click Exchange Proxy Settings.
4. Select the Connect using SSL only check box.
5. Select the Only connect to proxy servers that have this principal name in their certificate: check box, and then, in the box that follows, enter msstd:*.yourdomain.com.au.
6. Click OK, and then click OK again.
7. Click Next. Click Finish. Click Close.
8. The new setting will take effect after you exit Outlook and open it again.
Step8: Export Certificate from Exchange in .pfx format
The following Step8 to Step 10 is for Forefront TMG 2010 configuration only. If you are using different method to publish Exchange then you don’t need to follow these steps. Use help file of your firewall/Edge product to configure SSL.
Open Exchange Management Shell, run
Export-ExchangeCertificate -Thumbprint D6AF8C39D409B015A273571AE4AD8F48769C61DB
010e -BinaryEncoded:$true -Path c:certificatesexport.pfx -Password:(Get-Credential).password
Step9: Import certificate in TMG 2010
1.Click Start and select Run and tape mmc
2.Click on the File menu and select Add/Remove Snap in
3.Click Add, select Certificates among the list of Standalone Snap-in and click Add
4.Choose Computer Account and click Next
5.Choose Local Computer and click Finish
6.Close the window and click OK on the upper window
7.Go to Personal then Certificates
8.Right click, choose All tasks then Import
9.A wizard opens. Select the file holding the certificate you want to import.
10.Then validate the choices by default
11.Make sure your certificate appears in the list and that the intermediary and root certificates are in their respective files. If not, place them in the appropriate file and replace existing certificates if needed.
Step10: Replace Certificate in Web Listener
1. click Start Forefront Threat Management Gateway console. The Forefront TMG console starts.
2. In the console tree, expand the name of your Security Server, and then click Firewall Policy.
3. In the results pane, double-click Remote Web Workplace Publishing Rule.
4. In Remote Web Workplace Publishing Rule Properties, click the Listener tab.
5. Select External Web Listener from the list, and then click Properties.
6. In External Web Listener Properties, click the Certificates tab.
7. Select Use a single certificate for this Web listener or Assign a certificate for each IP address, and then click Select Certificate.
8. In the Select Certificate dialog box, click a certificate in the list of available certificates, and then click Select. Click OK twice to close the Properties dialog boxes.
9. To save changes and update the configuration, in the results pane, click Apply.
Step11: Test OWA from external and internal network
On the mobile phone, open browser, type webmail.yourdomain.com.au and log in using credential.
Make sure no certificate warning shows on IE.
Use the RapidSSL Installation Checker https://knowledge.rapidssl.com/support/ssl-certificate-support/index?page=content&actp=CROSSLINK&id=SO9556 to verify your certificate.
Relevant References
Request an Internet Server Certificate (IIS 7)
An UM infrastructure is an integration of Microsoft Exchange Server, IP Gateway Conventional PBX and IP-PBX to deliver voicemail, greetings and customer messages to a single outlook client. Microsoft Exchange Server Unified Messaging (UM) combines voice messaging and e-mail messaging into a single messaging infrastructure. Unified Messaging puts all e-mail and voice messages into one Exchange 2010 mailbox that can be accessed from many different devices. After Unified Messaging servers have been deployed on a network, users can access their messages using Outlook Voice Access, from any telephone, from a mobile phone, or from the computer.
Systems Requirements
Microsoft Certified PBX and IP Gateway
Microsoft Telephony Advisor for Exchange Server
Unified Communication Architecture
To install Unified Messaging Server Role on Exchange 2010
After you install and configure the Unified Messaging server, You must create the following objects after you successfully install the Unified Messaging server role:
Once UM server configured. You must configure other UM devices such AudioCodecs IP Gateway, Siemens, Cisco or your preferred PBX, IP-PBX devices to work with Microsoft Exchange Server 2010 UM. Microsoft supported configuration “how to” guides are at the end this articles in PDF format.
How UM use Active Directory and HT server to Transmit Email
The Unified Messaging server role uses Active Directory site membership information to determine which Hub Transport servers are located in the same Active Directory site as the Unified Messaging server. The Unified Messaging server submits messages for routing to a Hub Transport server within the same Active Directory site. The Hub Transport server performs recipient resolution and queries Active Directory to match a telephone number, or another Unified Messaging property, to a recipient account. After the recipient resolution completes, the Hub transport server will deliver the message to the target mailbox in the same way as a regular e-mail message.
To Create UM Dial Plan
To enable Unified Messaging on an Exchange 2010 server
To Create an UM IP Gateway
To Create an UM Hunt Group
To add a UM server to a dial plan
Dual Use this setting if the UM server is being added to UM dial plans that have different security settings. In Dual mode, the UM server can listen on ports 5060 and 5061 simultaneously.
Click OK.
To configure number of concurrent voice calls
To view number of active calls
To add UM Auto Attendant
To verify UM mailbox property
Siemens HiPath 4000 Configuration Guide
Design Guide for Cisco Unified Messaging 1.0
Cisco CallManager Express Configuration Guide
Command Reference for Cisco Unified Messaging Gateway (Cisco UMG) Release 8.0
Cisco Unified Communication Software
First read what’s new in Exchange 2007 SP3. Here is quick guide on Exchange 2007 SP3 installation. Download Exchange 2007 Service pack 3 . As a precaution backup Exchange 2007. If you are running Exchange on vSphere then take a snapshot so that you can go back to pre-SP3 stage. Exchange 2007 SP3 is un-supported in an upgrade scenario on Windows Server 2008 R2.
To take snapshot>right click on virtual machine>Click on Snapshot>Click Take a Snapshot>Type Name and uncheck snapshot memory>Click Ok.
Stop any backup services agent such as Backup Exec or CommVault running on Exchange Server
Extract E2K7SP3EN64.exe and run setup.exe follow the installation prompt.
Once finish, reboot server. Verify all exchange related services started. Check internal and external email going and coming into organisation. Check CPU and memory uses in Exchange server. There are known issue with SP3 such as cpu sparks. install updaterollup1 for Exchange 2007 SP3 after installing SP3. You are good to go now.
SP3 Known Issue: CPU sparks
Recently my company registered a new domain name and wanted to me to investigate best possible way to rename domain internally, change websites (hosted on IIS) publicly accessible CNAME to new domain name and change email address for entire organization. Fun hahh!! Google search appears that domain rename possible in win2k3 AD and exchange 2003 SP1. However, according to Microsoft TechNet I can not rename Windows 2008 native domain with Exchange 2007 . what happen to those who are in the following situation:
If your management decide to have new user account@newdomain, email addresses@newdomain and websites with new domain name. Now you will not have a choice but find out a solution regardless of who says what. In this article (Ref: Plan A), I will investigate and share with you what happen if you rename domain on a test environment similar to my organisation i.e. Microsoft Active Directory 2008 and Exchange 2007/2010. Those who are in my situation, I will explain (Ref: Plan B) how I can accomplish same objectives with alternative deployment that means without messing around AD domain and Exchange 2007/2010. I know plan A is going to fail but worthwhile to produce documents to management and go for plan B. So that business runs smoothly. when time perfect and fund is available then rebuild Microsoft messaging systems for entire organization.
Do NOT perform these steps in a production environment. Domain rename is NOT supported when Exchange 2007/2010 installed in a member server.
Rename Domain on a Testbed
Objectives:
Assumptions:
Steps involve:
Precaution: Use the following link for Active Directory Backup and Restore in Windows Server 2008 or keep your resume handy
To verify the forest functionality to Windows Server 2008
To analyze and prepare DNS zones for domain rename
To generate the current forest description file
In windows server 2008, rendom and GPFix utility are available in %Windir%system32 folder. If you change your directory into c:Windowssystem32 and run rendom /list then domainlist.xml will be placed in same directory.
To edit the domainlist.xml file
To review the new forest description in domainlist.xml
At the command prompt, type the following and then press ENTER: rendom /showforest
To generate the domain rename instructions and upload them to the domain naming master
To discover the DNS host name of the domain naming master
To force synchronization of changes made to the domain naming master
The following procedure forces the Active Directory changes initiated at the Domain Naming master DC in STEP 4 to replicate to all DCs in the forest.
where DomainNamingMaster is the DNS host name of the domain controller that is the current domain naming master for the forest.
To verify the readiness of domain controllers in the forest
1. On the control station, open a command prompt and change to the X:DomainRename directory
2. At the command prompt, type the following command and then press ENTER: rendom /prepare
3. Once the command has finished execution, examine the state file domainlist.xml to determine whether all domain controllers have achieved the
To execute the domain rename instructions on all domain controllers
To force Rendom /execute to re-issue the RPC to a DC in the Error state
To fix up DFS topology in every renamed domain
On the control station, open a command prompt. For each Dfs root, if any of the topology components as described above needs to be fixed, type the following command (the entire command must be typed on a single line, although it is shown on multiple lines for clarity) and press ENTER:
dfsutil /RenameFtRoot /Root:DfsRootPath /OldDomain:OldName /NewDomain:NewName /Verbose
-Where-
DfsRootPath is the DFS root to operate on, e.g., \microsoftguru.com.aupublic.
OldName is the exact old name to be replaced in the topology for the Dfs root.
NewName is the exact new name to replace the old name in the topology.
To fix up Group Policy in every renamed domain
gpfixup /olddns:OldDomainDnsName /newdns:NewDomainDNSName /oldnb:OldDomainNetBIOSName
/newnb:NewDomainNetBIOSName /dc:DcDnsName 2>&1 >gpfixup.log
-Where-
OldDomainDnsName is the old DNS name of the renamed domain.
NewDomainDnsName is the new DNS name of the renamed domain.
OldDomainNetBIOSName is the old NetBIOS name of the renamed domain.
NewDomainNetBIOSName is the new NetBIOS name of the renamed domain.
DcDnsName is the DNS host name of a domain controller in the renamed domain, preferably the PDC emulator, that successfully completed the rename operation with a final Done state in the dclist.xml state file in “STEP 8: Execute Domain Rename Instructions” earlier in this document.
For example,
gpfixup /olddns:wolverine.com.au /newdns:microsoftguru.com.au /oldnb:wolverine /newnb:microsoftguru /dc:dc.wolverine.com.au 2>&1 >gpfixup1.log
To force replication of the Group Policy fix-up changes made at the DC named in DcDNSName in above step of this procedure to the rest of the DCs in the renamed domain, type the following and then press ENTER: repadmin /syncall /d /e /P /q DcDnsName NewDomainDN
-Where-
DcDnsName is the DNS host name of the DC that was targeted by the gpfixup command.
NewDomainDN is the distinguished name (DN) corresponding to the new DNS name of the renamed domain.
Repeat steps in this procedure for every renamed domain. You can enter the commands in sequence for each renamed domain.
For Example, repadmin /syncall /d /e /P /q dc.microsoftguru.com.au dc=microsoftguru,dc=com, dc=au
To update the DNS name of the CA machine
To update the Web enrolment file
To enable proper Web enrollment for the user, you must also update the file that is used by the ASP pages used for Web enrollment. The following change must be made on all CA machines in your domain.
1. On the CA machine, search for the certdat.inc file (if you have used default installation settings, it should be located in the %windir%system32certsrv directory).
2. Open the file, which appears as follows:
<%’ CODEPAGE=65001 ‘UTF-8%>
<%’ certdat.inc – (CERT)srv web – global (DAT)a
‘ Copyright (C) Microsoft Corporation, 1998 – 1999 %>
<% ‘ default values for the certificate request
sDefaultCompany=””
sDefaultOrgUnit=””
sDefaultLocality=””
sDefaultState=””
sDefaultCountry=””
‘ global state
sServerType=”Enterprise” ‘vs StandAlone
sServerConfig=”OLDDNSNAMEYourCAName”
sServerDisplayName=”YourCAName”
nPendingTimeoutDays=10
‘ control versions
sXEnrollVersion=”5,131,2510,0″
sScrdEnrlVersion=”5,131,2474,0″
%>
3. Change the SServerConfig entry to have the NewDNSName of the CA machine.
To perform attribute clean up after domain rename
XDR-fixup.exe /s:start_domainlist.xml /e:end_domainlist.xml [/user:username /pwd:password | *] [/trace:tracefile] /changes:changescript.ldf /restore:restorescript.ldf [/?]
Note This command is one line. It has been wrapped for readability.
Use the following command line to verify the changes that are made by XDR-fixup.exe:
XDR-fixup /verify:restorescript.ldf /changes:verifycorrections.ldf
To unfreeze the forest configuration
From within the X:DomainRename directory, execute the following command: rendom /end
To force remove domain member if fails to join new domain using following command. Then re-join domain manually.
netdom remove <machine-name> /Domain:<old-domain> /Force”
To use Control Panel to check for primary DNS suffix update configuration for a computer
The following procedures explain two ways to view the setting for a member computer that determines whether the primary DNS suffix changes when the name of the membership domain changes.
1. On a member computer, in Control Panel, double-click System.
2. Click the Computer Name tab and then click Change.
3. Click More and then verify whether Change primary domain suffix when domain membership changes is selected.
4. Click OK until all dialog boxes are closed.
To use the registry to check for primary DNS suffix update configuration for a computer
1. On the Start menu, click Run.
2. In the Open box, type regedit and then click OK.
3. Navigate to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters.
4. Verify whether the value of REG_RWORD SyncDomainWithMembership is 0x1. This value indicates that the primary DNS suffix changes when the domain membership changes.
To determine whether Group Policy specifies the primary DNS suffix for a computer
Open the Resultant Set of Policy Wizard, as follows:
In Active Directory Users and Computers, right-click the computer object, click All Tasks, and then click Resultant Set of Policy (Logging).
Open a command prompt and then type: ipconfig /all
Check the Primary DNS Suffix in the output. If it does not match the primary DNS suffix that is specified in the System Control Panel for the computer (see “To use Control Panel to check for primary DNS suffix update configuration for a computer” earlier in this document), then the Primary DNS Suffix Group Policy is applied.
u In the registry, check for the presence of the entry Primary DNS Suffix under HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftSystemDNSclient. If a value is present, then the Primary DNS Suffix Group Policy is applied to the computer.
To install Support Tools
1. On the Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, or Windows Server 2003 Datacenter Edition operating system CD, double-click the Support folder.
2. In the Support folder, double-click the Tool folder and then run suptools.msi.
To use ADSI Edit to add DNS suffixes to msDS‑AllowedDNSSuffixes
The attribute msDS‑AllowedDNSSuffixes is an attribute of the domain object. Therefore, you must set DNS suffixes for each domain whose name is going to change.
1. On the Start menu, point to Programs, Windows Server 2003 Support Tools, Tools, and then click ADSI Edit.
2. Double-click the domain directory partition for the domain you want to modify.
3. Right-click the domain container object, and then click Properties.
4. On the Attribute Editor tab, in the Attributes box, double-click the attribute msDS‑AllowedDNSSuffixes.
5. In the Multi-valued String Editor dialog box, in the Value to add box, type a DNS suffix and then click Add.
6. When you have added all the DNS suffixes for the domain, click OK.
7. Click OK to closed the Properties dialog box for that domain.
8. In the scope pane, right-click ADSI Edit and click Connect to.
9. Under Computer, click Select or type a domain or server.
10. Type the name of the next domain for which you want to set the primary DNS suffix, and then click OK.
11. Repeat steps 2 through 7 for that domain.
12. Repeat steps 8 through 10 to select each subsequent domain and repeat steps 2 through 7 to set the primary DNS suffix for each subsequent domain that is being renamed.
To apply the Group Policy setting Primary DNS Suffix to groups of member computers
1. In Active Directory Users and Computers, right-click the domain or organizational unit that contains the group of computers to which you are applying Group Policy.
-Or-
In Active Directory Sites and Services, right-click the site object that contains the computers to which you are applying Group Policy.
2. Click the Group Policy tab.
3. In the Group Policy object Links box, click the Group Policy object that you want to contain the Primary DNS Suffix setting.
-Or-
To create a new Group Policy object, click New and then type a name for the object.
4. With the Group Policy object selected, click Edit.
5. Under Computer Configuration, click to expand Administrative Templates, Network, and then click DNS Client.
6. In the results pane, double-click Primary DNS Suffix.
7. Click Enabled, and then in the Enter a primary DNS suffix box, type the DNS suffix for the domain whose member computers are in the group you selected in Step 1.
8. Click OK.
9. Close the Group Policy dialog box, and then close the properties page for the selected object.
To configure the redirecting alias DNS entry
1. In the DNS MMC snap-in, expand the DNS server node to expose the old DNS zone.
2. Right-click the old DNS zone.
3. Click New Alias (CNAME ).
4. In the Alias name box, type the original fully qualified domain name (FQDN) of the HTTP Server..
5. In the Fully qualified domain name for target host box, type the new FQDN of the HTTP Server, and then click OK.
At this point you can test the redirection by pinging the FQDN of the old HTTP server. The ping should be remapped to the new FQDN of the HTTP server.
Issues involving domain rename:
Simple alternative solutions without renaming domain
Microsoft does not support domain rename if Exchange 2007 installed in member server. So what could be work around if you have to have new user account, corresponding emails account and web sites with new domain name without renaming domain.
Relevant Articles:
Microsoft Exchange System Attendant service does not start
completely remove Exchange 2000 or Exchange 2003 from Active Directory
How to remove Exchange Server 2003 from your computer
How to remove the first Exchange Server 2003 computer from the administrative group
Removing and Modifying Exchange 2007
Step-by-Step Guide to Implementing Domain Rename
Windows Server 2003 Active Directory Domain Rename Tools
Exchange Server Domain Rename Fixup
Windows 2003 domain rename tools
Blog by Raihan Al-Beruni 