Supported Systems for Exchange 2013

Supported Domain Controller

  • Windows Server 2012 R2 Standard or Datacenter 1
  • Windows Server 2012 Standard or Datacenter
  • Windows Server 2008 R2 Standard or Enterprise SP1 or later
  • Windows Server 2008 R2 Datacenter RTM or later
  • Windows Server 2008 Standard or Enterprise SP1 or later (32-bit or 64-bit)
  • Windows Server 2008 Datacenter RTM or later
  • Windows Server 2003 Standard Edition with Service Pack 2 (SP2) or later (32-bit or 64-bit)
  • Windows Server 2003 Enterprise Edition with SP2 or later (32-bit or 64-bit)

Supported Forest

Windows Server 2003 forest functionality mode or higher 2

  1. Windows Server 2012 R2 is supported only with Exchange 2013 SP1 or later.
  2. Windows Server 2012 R2 forest functionality mode is supported only with Exchange 2013 SP1 or later.

DNS Name Space

  • Contiguous
  • Noncontiguous
  • Single label domains
  • Disjoint

Mailbox, Client Access, and Management Tools

  • Windows Server 2012 R2 Standard or Datacenter
  • Windows Server 2012 Standard or Datacenter
  • Windows Server 2008 R2 Standard with Service Pack 1 (SP1)
  • Windows Server 2008 R2 Enterprise with Service Pack 1 (SP1)
  • Windows Server 2008 R2 Datacenter RTM or later

Supported Client

  • Outlook 2013
  • Outlook 2010
  • Outlook 2007
  • Entourage 2008 for Mac, Web Services Edition
  • Outlook for Mac 2011

Supported Coexistence

  • Exchange 2007 SP3 Update Rollup 10
  • Exchange 2010 SP3 Update Rollup 6

Supported Hybrid Deployment

  • Latest version of Office 365

Relevant Articles

Exchange 2013 Upgrade Guide

Exchange 2013 Deployment

Unified Messaging in Exchange 2013

Publish Exchange 2013

Exchange 2013 Upgrade, Migration and Co-existence

Migration Guide

Exchange 2007/2010 to Exchange 2013 Migration Step by Step Guide

How to Configure Unified Messaging in Exchange 2013 Step by Step

Mail flow in Exchange 2013

image

Source: Microsoft TechNet

image

Source: Microsoft TechNet

Protocol Exchange 2007 & Exchange 2013 Exchange 2007 & Exchange 2013
Namespace legacy.domain.com no additional namespace
OWA Non-silent redirection to
legacy.domain.com
Proxy to CAS2010
Silent direction
EAS Proxy to MBX2013 Proxy to CAS2010
Outlook Anywhere Proxy to CAS2007 Proxy to CAS2010
Autodiscover Redirect to CAS2007 Proxy to CAS2010
EWS Autodiscover Proxy to CAS2010
POP/IMAP Redirect to CAS2007 Proxy to CAS2010
OAB Redirect to CAS2007 Proxy to CAS2010
RPS N/A Proxy to CAS2010
ECP N/A Proxy to CAS2010

Exchange 2013 Perquisites

Supported Co-existence Scenario

  • Exchange 2010 SP3
  • Exchange 2007 SP3+RU10

Supported Client

  • Outlook Anywhere Only, Outlook 2007 or later
  • Outlook for Mac 2011
  • Entourage 2008 for Mac

Active Directory

  • Windows 2003 Forest Functional Level or higher
  • At least one global catalog. two global catalog is highly recommended for redundancy purpose
  • No support for RODC or ROGC

Namespace

  • Contiguous
  • Non-Contiguous
  • Single level Domain
  • disjoint

Operating Systems

  • Windows Server 2008 R2 SP1
  • Windows Server 2012 or Windows Server 2012 R2

Other Components

  • Internet Information Service (IIS)
  • .Net Framework 4.5
  • Unified Communication Managed API

Cumulative Updates

  • CU is a full exchange installer or binary
  • Required for co-existence with Exchange 2007/2010

Upgrade from Exchange 2010 to Exchange 2013

1. Prepare

  • Prepare Exchange 2010 with SP3
  • Test Exchange using Test cmdlets
  • Test Active Directory health status
  • Prepare Active Directory Schema using Exchange 2013 schema

2. Deploy Exchange 2013

  • Install both Exchange 2013 MBX and CAS servers
  • Install Management Server on admin PC

3. Obtain and deploy Certificates

  • Create Certificate CSR from Exchange 2013
  • Sign the certificate from public CA
  • Install Certificate and assign certificate to IIS,SMTP,POP,IMAP

OR

  • Export certificate from Exchange 2010 and import into Exchange 2013

4. Configure Mail flow

  • Create mail and autodiscover namespace and point to Exchange 2013
  • Add Exchange 2013 MBX server into Send Connector
  • Configure Frontend receive connector
  • Create anonymous relay

5. Switch Primary Name Space

  • Switch OWA, ActiveSync and SMTP traffic to Exchange 2013
  • Use TMG/UAG to switch OWA and ActiveSync to Exchange 2013
  • Switch port 25 forwarding to Exchange 2013
  • Validate traffic flow to Exchange 2013

6. Move Mailboxes

  • Build Exchange DAG
  • Migrate user mailbox
  • Migrate resource mailbox
  • Migrate public folders

7. Repeat additional sites

8. Decommission Exchange 2010

Upgrade from Exchange 2007 to Exchange 2013

1. Prepare

  • Prepare Exchange 2007 with SP3 +RU
  • Test Exchange using Test cmdlets
  • Test Active Directory health status
  • Prepare Active Directory Schema using Exchange 2013 schema

2. Deploy Exchange 2013

  • Install both Exchange 2013 MBX and CAS servers
  • Install Management Server on admin PC

3. Obtain and deploy Certificates

  • Create a certificate CSR from Exchange 2013 with legacy namespace
  • Sign the certificate from public CA
  • Install Certificate and assign certificate to Exchange 2013 IIS,SMTP,POP,IMAP
  • Install same certificate into Exchange 2007

4. Configure Mail flow

  • Create legacy DNS record pointing to Exchange 2007
  • Create mail and autodiscover namespace and point to Exchange 2013 CAS
  • Create Send Connector in Exchange 2013
  • Configure Frontend receive connector
  • Create anonymous relay

5. Switch Primary Name Space

  • Switch OWA, ActiveSync and SMTP traffic to Exchange 2013
  • Use TMG/UAG to switch OWA and ActiveSync to Exchange 2013
  • Switch port 25 forwarding to Exchange 2013
  • Validate traffic flow to Exchange 2013 using MCA and ExRCA

6. Move Mailboxes

  • Build Exchange DAG
  • Migrate user mailbox
  • Migrate resource mailbox
  • Migrate public folders

7. Repeat additional sites

8. Decommission Exchange 2007

Validate External Connectivity

Certificate Best Practice

  • Minimize number of certificates
  • Minimize number of host name
  • use split DNS for Exchange host name
  • Don’t list machine name in certificates
  • Use Subject Alternative Name Certificate or SAN certificates

Restart Transport Services and Information Store Service

  • Patch Exchange Server using WSUS or ConfigMgr
  • Reboot DAG member one by one
  • Reboot CAS server one by one
  • Management Tools
  • User Exchange 2013 Administration Center to manage co-existence and migration tasks
  • Use Exchange 2010 management console to move offline address book

Cutover Process

  • Public folder migration is part of final cutover
  • Exchange and Active Directory health check
  • verify proposed and implemented Exchange 2013

Post Migration

  • Shutdown Exchange 2010 servers for minimum 48 hours in working days
  • Decommission Exchange 2010

Exchange 2007/2010 SP3 Released

 

Exchange 2007/2010 SP3 released.

Download Exchange 2007 SP3

Download Exchange 2010 SP3

Blogging year 2010—-what stats says

Sharing stats of my blog https://araihan.wordpress.com with my visitors. I started this free wordpress before founding http://microsoftguru.com.au

Team WordPress.com + Stats Helper Monkeys
January 2nd, 2011, 03:35pm

Here’s a high level summary of my overall blog health:

Blog-Health-o-Meter
Wow

Blog-Health-o-Meter™

“We think you did great!” comments by WordPress

Crunchy numbers

Featured image

 

This blog (https://araihan.wordpress.com) was viewed about 200,000 times in 2010.

The most popular post that day was Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step.

Where did they come from?

The top referring sites in 2010 were google.com, google.co.in, microsoftguru.com.au, experts-exchange.com, and en.wordpress.com.

Some visitors came searching, mostly for exchange 2010 edge, network policy server radius, exchange 2010 edge transport, installing tmg 2010, and exchange 2010 edge subscription.

Attractions in 2010

These are the posts and pages that got the most views in 2010. You can see all of the year’s most-viewed posts and pages in your Site Stats

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step March 2010
 

Windows Server 2008: how to configure Network Policy Server or Radius Server –Step by Step Guide November 2009
 

Install and configure WSUS 3.0 SP2 – Step-By-Step August 2009
 

Step by Step Guide on Exchange Server 2010 Edge Transport Role November 2009
 

Transitioning from Exchange Server 2003 to Exchange Server 2010—-Step by Step October 2009
 

Comments from WordPress: “Some of your most popular posts were written before 2010. Your writing has staying power! Consider writing about those topics again”.

See you in 2011!

How to configure Exchange 2010 Unified Messaging Server –step by step

An UM infrastructure is an integration of Microsoft Exchange Server, IP Gateway Conventional PBX and IP-PBX to deliver voicemail, greetings and customer messages to a single outlook client.  Microsoft Exchange Server Unified Messaging (UM) combines voice messaging and e-mail messaging into a single messaging infrastructure. Unified Messaging puts all e-mail and voice messages into one Exchange 2010 mailbox that can be accessed from many different devices. After Unified Messaging servers have been deployed on a network, users can access their messages using Outlook Voice Access, from any telephone, from a mobile phone, or from the computer.
Windows Server 2012 Step by Step

Systems Requirements

Microsoft Certified PBX and IP Gateway

Microsoft Telephony Advisor for Exchange Server

Exchange 2010 pre-requisites

Unified Communication Architecture

image

To install Unified Messaging Server Role on Exchange 2010

  • Log on to the server on which you want to install Exchange 2010
  • Insert the Exchange 2010 DVD into the DVD drive (or browse to your install location). If Setup.exe doesn’t start automatically, navigate to the DVD drive and double-click Setup.exe
  • On the Start page, click Choose Exchange language option. Select Install only languages from the DVD
  • In the Exchange Server 2010 Setup wizard, on the Introduction page, click Next.
  • On the License Agreement page, review the software license terms. If you agree to the terms, select I accept the terms in the license agreement, and then click Next.
  • On the Error Reporting page, select Yes, and then click Next.
  • On the Installation Type page, click Custom Exchange Server Installation.
  • On the Server Role Selection page, select the UM server role
  • On the Customer Experience Improvement Program page, choose the appropriate selection for your organization, and then click Next.
  • On the Completion page, click Finish

After you install and configure the Unified Messaging server, You must create the following objects after you successfully install the Unified Messaging server role:

  • Dial Plan objects
  • IP Gateway objects
  • Hunt Group objects
  • Mailbox Policy objects
  • Auto Attendant objects
  • UM Server objects

Once UM server configured. You must configure other UM devices such AudioCodecs IP Gateway, Siemens, Cisco or your preferred PBX, IP-PBX devices to work with Microsoft Exchange Server 2010 UM. Microsoft supported configuration “how to” guides are at the end this articles in PDF format.

How UM use Active Directory and HT server to Transmit Email

The Unified Messaging server role uses Active Directory site membership information to determine which Hub Transport servers are located in the same Active Directory site as the Unified Messaging server. The Unified Messaging server submits messages for routing to a Hub Transport server within the same Active Directory site. The Hub Transport server performs recipient resolution and queries Active Directory to match a telephone number, or another Unified Messaging property, to a recipient account. After the recipient resolution completes, the Hub transport server will deliver the message to the target mailbox in the same way as a regular e-mail message.

To Create UM Dial Plan

  • In the console tree, navigate to Organization Configuration > Unified Messaging.
  • In the action pane, click New UM Dial Plan.
  • In the New UM Dial Plan wizard
  • On the Set UM Servers page, click Add, and then, on the Select UM Server page, select the UM server that you want to add to the UM dial plan.
  • On the Completion page, confirm whether the dial plan was successfully created.
  • Click Finish to complete the New UM Dial Plan wizard 1183To enable Unified Messaging on an Exchange 2010 server
  • In the console tree, navigate to Server Configuration > Unified Messaging.
  • select the Unified Messaging server, Click on Enter Product Key to enter UM license
  • Once licensed, In the result pane, select the Unified Messaging server to enable.
  • In the action pane, click Enable UM Server 17To Create an UM IP Gateway
  • In the console tree, navigate to Organization Configuration > Unified Messaging.
  • In the work pane, click the UM IP Gateways tab.
  • In the action pane, click New UM IP Gateway.
  • In the New UM IP Gateway wizard
  • On the Completion page, confirm whether the UM IP gateway was successfully created.
  • Click Finish to complete the New UM IP Gateway wizard 4567To Create an UM Hunt Group
  • In the console tree, navigate to Organization Configuration > Unified Messaging.
  • In the work pane, click the UM IP Gateways tab.
  • In the result pane, select a UM IP gateway.
  • In the action pane, click New UM Hunt Group.
  • In the New UM Hunt Group wizard,view or complete the following fields,  Associated UM IP gateway ,Name  Dial plan   Click the Browse button to select the dial plan that will be associated with the UM hunt group.  Pilot identifier   An extension number or a Session Initiated Protocol (SIP) Uniform Resource Identifier (URI) can be used in this field.
  • On the Completion page, confirm whether the UM hunt group was successfully created
  • Click Finish to complete the New UM Hunt Group wizard. 192021To add a UM server to a dial plan
  • In the console tree, click Server Configuration.
  • In the result pane, select the Unified Messaging server.
  • In the action pane, click Properties.
  • On the UM Settings > Associated Dial Plans, click Add.
  • In the Select Dial Plan window, select the dial plan you want to add from the list of available dial plans, and then click OK.
  • Click OK again to accept your changes. 222324
  • To configure the start-up mode
  • In the console root, navigate to Server Configuration > Unified Messaging.
  • In the result pane, click to select the Unified Messaging server you want to set up.
  • In the action pane, click Properties.
  • On the UM Settings tab, in the Startup Mode drop-down list, select one of the following settings: TCP   Use this setting if the UM server is being added to only UM dial plans that are set to Unsecured but won’t be added to dial plans that are set to SIP Secured or Secured. In TCP mode, the UM server will only listen on TCP port 5060 for SIP requests. By default, the UM server will startup in TCP only mode. TLS   Use this setting if the UM server is being added to UM dial plans that are set to SIP Secured or Secured but won’t be added to dial plans that are set to Unsecured. In TLS mode, the UM server will only listen on TCP port 5061 for SIP requests.

    Dual   Use this setting if the UM server is being added to UM dial plans that have different security settings. In Dual mode, the UM server can listen on ports 5060 and 5061 simultaneously.

    Click OK.

    To configure number of concurrent voice calls

  • In the console tree, navigate to Server Configuration > Unified Messaging.
  • In the result pane, click to select the Unified Messaging server you want to set up.
  • In the action pane, click Properties.
  • On the UM Settings tab, in the Maximum concurrent calls text box, type the maximum number of concurrent voice calls.
  • Click OK. 22To view number of active calls
  • Click Start, click Programs, click Administrative Tools, and then click Performance.
  • In the Performance console, right-click the details pane, and then select Add Counters from the menu. You can also press CTRL+I to open the Add Counters window.
  • In the Add Counters window, in the Performance object list, select MSExchangeUMGeneral.
  • In Select Counters from list, select Current Calls, click Add, and then click Close.
  • In the Performance console, in the details pane, select the Current Calls counter to display the number of current calls.  To add UM Mailbox
  • In the console tree, navigate to Organization Configuration > Unified Messaging.
  • In the work pane, click the UM Mailbox tab.
  • In the action pane, click New UM Mailbox.
  • In the New UM Mailbox wizard
  • On the Completion page, confirm whether the UM Mailbox was successfully created.
  • Click Finish to complete the New UM Mailbox wizard 89   10

    To add UM Auto Attendant

  • In the console tree, navigate to Organization Configuration > Unified Messaging.
  • In the work pane, click the UM Auto Attendant tab.
  • In the action pane, click New UM Auto Attendant .
  • In the New UM Auto Attendant wizard
  • On the Completion page, confirm whether the UM Auto Attendant was successfully created.
  • Click Finish to complete the New UM Auto Attendant wizard  1112To verify UM mailbox property
  • In the console tree, navigate to Organization Configuration > Unified Messaging.
  • In the work pane, click the UM Mailbox tab.
  • Right click Newly UM Mailbox.
  • Click on Property  1314 1516       
  •  AudioCodecs Configuration Guide

    Siemens HiPath 4000 Configuration Guide

    Design Guide for Cisco Unified Messaging 1.0

    Cisco CallManager Express Configuration Guide

    CallManager for Cisco Unity Express Configuration Example

    Cisco Unity Express Command Reference Complete Book

    Command Reference for Cisco Unified Messaging Gateway (Cisco UMG) Release 8.0

    Cisco Unified Communication Software

    Cisco IP Phone

    Quick Start Guide for Outlook Voice Access 2010 

  • Cisco Unified Communications Manager Administration Guide, Release 7.1(2)Microsoft Exchange 2010 Unified Messaging PBX Configuration Note for Cisco Unified Communications Manager 7.0

     

Rename Domain with Exchange 2007/2010 not feasible! an alternative solutions

Recently my company registered a new domain name and wanted to me to investigate best possible way to rename domain internally, change websites (hosted on IIS) publicly accessible CNAME to new domain name and change email address for entire organization. Fun hahh!! Google search appears that domain rename possible in win2k3 AD and exchange 2003 SP1.  However, according to Microsoft TechNet I can not rename Windows 2008 native domain with Exchange 2007 . what happen to those who are in the following situation:

  • Rename Business registration
  • Merger and/or Acquisition between companies
  • Change of ownership

If your management decide to have new user account@newdomain, email addresses@newdomain and websites with new domain name. Now you will not have a choice but  find out a solution regardless of who says what. In this article (Ref: Plan A), I will investigate and share with you what happen if you rename domain on a test environment similar to my organisation i.e. Microsoft Active Directory 2008 and Exchange 2007/2010. Those who are in my situation, I will explain (Ref: Plan B) how I can accomplish same objectives with alternative deployment that means without messing around AD domain and Exchange 2007/2010.  I know plan A is going to fail but worthwhile to produce documents to management and go for plan B. So that business runs smoothly. when time perfect and fund is available then rebuild Microsoft messaging systems for entire organization.

Light bulbDo NOT perform these steps in a production environment. Domain rename is NOT supported when Exchange 2007/2010 installed in a member server.

Rename Domain on a Testbed

Objectives:

  • Rename Domain
  • Migrate IIS to new domain
  • Fix GPO and Exchange (only applicable for Exchange 2003)

Assumptions:

image

Steps involve:

  • Set up your control station for the domain rename operation.
  • Freeze the Forest Configuration
  • Back up all the domain controllers in your forest.
  • Generate the current forest description.
  • Specify the new forest description.
  • Generate domain rename instructions
  • Push domain rename instructions to all domain controllers, and verify DNS readiness.
  • Verify the readiness of the domain controllers.
  • Execute the domain rename instructions
  • Update the Exchange configuration, and restart the Exchange servers (Only applicable for Exchange 2003 SP1)
  • Unfreeze the forest configuration
  • Re-establish external trusts
  • Fix Group Policy objects (GPOs) and links.

Precaution: Use the following link for Active Directory Backup and Restore in Windows Server 2008  or keep your resume handyWink

To verify the forest functionality to Windows Server 2008

  1. Open Active Directory Domains and Trusts.
  2. In the scope pane, right-click Active Directory Domains and Trusts and then click Raise Forest Functional Level.
  3. In the Select an available forest functional level box, click Windows Server 2008, and then click Raise.
  4. Click OK to raise the forest functionality, and then click OK again.

12

To analyze and prepare DNS zones for domain rename

  1. Compile a list of DNS zones that need to be created.
  2. Use the DNS MMC snap-in to create the required DNS zones compiled in step 1.
  3. Configure DNS zones according to “Add a forward lookup zone” in Windows Server 2008.
  4. Configure dynamic DNS update according to “Allow dynamic updates” in Windows Server 2008.

To generate the current forest description file

In windows server 2008, rendom and GPFix utility are available in %Windir%system32 folder. If you change your directory into c:Windowssystem32 and run rendom /list then domainlist.xml will be placed in same directory.

  1. On the control station, open a command prompt and change to the X:DomainRename directory.
  2. At the command prompt, type rendom /list the following command and press ENTER:
  3. Save a copy of the current forest description file (domainlist.xml) generated in step 2 as domainlist-save.xml for future reference by using the following copy command: copy domainlist.xml domainlist-save.xml

95

To edit the domainlist.xml file

  1. Using a simple text editor such as Notepad.exe, open the current forest description file domainlist.xml generated in “STEP 3: Generate the Current Forest Description” earlier in this document.
  2. Edit the forest description file, replacing the current DNS and/or NetBIOS names of the domains and application directory partitions to be renamed with the planned new DNS and/or NetBIOS names.

67

8

To review the new forest description in domainlist.xml

At the command prompt, type the following and then press ENTER: rendom /showforest

To generate the domain rename instructions and upload them to the domain naming master

  1. On the control station, open a command prompt.
  2. From within the X:DomainRename directory, execute the following command: rendom /upload
  3. Verify that the domain rename tool created the state file dclist.xml in the directory X:DomainRename and that the state file contains an entry for every domain controller in your forest

10

To discover the DNS host name of the domain naming master

  1. On the control station, open a command prompt.
  2. At the command prompt, type the following and then press ENTER: Dsquery server –hasfsmo name

To force synchronization of changes made to the domain naming master

The following procedure forces the Active Directory changes initiated at the Domain Naming master DC in STEP 4 to replicate to all DCs in the forest.

  1. On the control station, open a command prompt.
  2. At the command prompt, type the following and then press ENTER: repadmin /syncall /d /e /P /q DomainNamingMaster

where DomainNamingMaster is the DNS host name of the domain controller that is the current domain naming master for the forest.

To verify the readiness of domain controllers in the forest

1. On the control station, open a command prompt and change to the X:DomainRename directory

2. At the command prompt, type the following command and then press ENTER: rendom /prepare

3. Once the command has finished execution, examine the state file domainlist.xml to determine whether all domain controllers have achieved the

To execute the domain rename instructions on all domain controllers

  1. On the control station, open a command prompt.
  2. At the command prompt, type the following and then press ENTER: rendom /execute
  3. When the command has finished execution, examine the state file domainlist.xml to determine whether all domain controllers have reached either the Done state or the Error state.
  4. If the domainlist.xml file shows any DCs as remaining in the Prepared state, repeat step 2 in this procedure as many times as needed until the stopping criterion is met.

12

To force Rendom /execute to re-issue the RPC to a DC in the Error state

  1. In the domainlist.xml file, locate the <Retry></Retry> field in the domain controller entry for the DC that you believe should be retried.
  2. Edit the domainlist.xml file such that the field reads <Retry>yes</Retry> for that entry.
  3. The next execution of the rendom /execute command will re-issue the execute-specific RPC to that DC.

To fix up DFS topology in every renamed domain

On the control station, open a command prompt. For each Dfs root, if any of the topology components as described above needs to be fixed, type the following command (the entire command must be typed on a single line, although it is shown on multiple lines for clarity) and press ENTER:

dfsutil /RenameFtRoot /Root:DfsRootPath /OldDomain:OldName /NewDomain:NewName /Verbose

-Where-

DfsRootPath is the DFS root to operate on, e.g., \microsoftguru.com.aupublic.

OldName is the exact old name to be replaced in the topology for the Dfs root.

NewName is the exact new name to replace the old name in the topology.

To fix up Group Policy in every renamed domain

  1. On the control station, open a command prompt and change to the X:DomainRename directory.
  2. At the command prompt, type the following command (the entire command must be typed on a single line, although it is shown on multiple lines for clarity) and press ENTER:

gpfixup /olddns:OldDomainDnsName /newdns:NewDomainDNSName /oldnb:OldDomainNetBIOSName

/newnb:NewDomainNetBIOSName /dc:DcDnsName 2>&1 >gpfixup.log

-Where-

OldDomainDnsName is the old DNS name of the renamed domain.

NewDomainDnsName is the new DNS name of the renamed domain.

OldDomainNetBIOSName is the old NetBIOS name of the renamed domain.

NewDomainNetBIOSName is the new NetBIOS name of the renamed domain.

DcDnsName is the DNS host name of a domain controller in the renamed domain, preferably the PDC emulator, that successfully completed the rename operation with a final Done state in the dclist.xml state file in “STEP 8: Execute Domain Rename Instructions” earlier in this document.

For example,

gpfixup /olddns:wolverine.com.au /newdns:microsoftguru.com.au /oldnb:wolverine /newnb:microsoftguru /dc:dc.wolverine.com.au 2>&1 >gpfixup1.log

11

To force replication of the Group Policy fix-up changes made at the DC named in DcDNSName in above step of this procedure to the rest of the DCs in the renamed domain, type the following and then press ENTER: repadmin /syncall /d /e /P /q DcDnsName NewDomainDN

-Where-

DcDnsName is the DNS host name of the DC that was targeted by the gpfixup command.

NewDomainDN is the distinguished name (DN) corresponding to the new DNS name of the renamed domain.

Repeat steps  in this procedure for every renamed domain. You can enter the commands in sequence for each renamed domain.

For Example, repadmin /syncall /d /e /P /q dc.microsoftguru.com.au dc=microsoftguru,dc=com, dc=au 

To update the DNS name of the CA machine

  1. On the CA machine, open registry editor and locate the entry CAServerName under HKLMSystemCurrentControlSetCertSvcConfigurationYourCAName.
  2. Change the value in CAServerName to correspond to the new DNS host name.

To update the Web enrolment file

To enable proper Web enrollment for the user, you must also update the file that is used by the ASP pages used for Web enrollment. The following change must be made on all CA machines in your domain.

1. On the CA machine, search for the certdat.inc file (if you have used default installation settings, it should be located in the %windir%system32certsrv directory).

14

2. Open the file, which appears as follows:

1516

17

<%’ CODEPAGE=65001 ‘UTF-8%>

<%’ certdat.inc – (CERT)srv web – global (DAT)a

‘ Copyright (C) Microsoft Corporation, 1998 – 1999 %>

<% ‘ default values for the certificate request

sDefaultCompany=””

sDefaultOrgUnit=””

sDefaultLocality=””

sDefaultState=””

sDefaultCountry=””

‘ global state

sServerType=”Enterprise” ‘vs StandAlone

sServerConfig=”OLDDNSNAMEYourCAName”

sServerDisplayName=”YourCAName”

nPendingTimeoutDays=10

‘ control versions

sXEnrollVersion=”5,131,2510,0″

sScrdEnrlVersion=”5,131,2474,0″

%>

3. Change the SServerConfig entry to have the NewDNSName of the CA machine.

To perform attribute clean up after domain rename

  1. On the control station, open a command prompt.
  2. At the command prompt, from within the X:DomainRename directory, execute the following command: rendom /clean
Command-line usage to run XDR-fixup.exe

XDR-fixup.exe /s:start_domainlist.xml /e:end_domainlist.xml [/user:username /pwd:password | *] [/trace:tracefile] /changes:changescript.ldf /restore:restorescript.ldf [/?]

Note This command is one line. It has been wrapped for readability.

Command-line usage to verify XDR-fixup.exe

Use the following command line to verify the changes that are made by XDR-fixup.exe:

XDR-fixup /verify:restorescript.ldf /changes:verifycorrections.ldf

To unfreeze the forest configuration

From within the X:DomainRename directory, execute the following command: rendom /end

To force remove domain member if fails to join new domain using following command. Then re-join domain manually.

netdom remove <machine-name> /Domain:<old-domain> /Force”

To use Control Panel to check for primary DNS suffix update configuration for a computer

The following procedures explain two ways to view the setting for a member computer that determines whether the primary DNS suffix changes when the name of the membership domain changes.

1. On a member computer, in Control Panel, double-click System.

2. Click the Computer Name tab and then click Change.

3. Click More and then verify whether Change primary domain suffix when domain membership changes is selected.

4. Click OK until all dialog boxes are closed.

To use the registry to check for primary DNS suffix update configuration for a computer

1. On the Start menu, click Run.

2. In the Open box, type regedit and then click OK.

3. Navigate to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters.

4. Verify whether the value of REG_RWORD SyncDomainWithMembership is 0x1. This value indicates that the primary DNS suffix changes when the domain membership changes.

To determine whether Group Policy specifies the primary DNS suffix for a computer

  1. On a member computer, perform one of the following steps:
  2. At a command prompt, type gpresult. In the output, under Applied Group Policy objects, check to see whether Primary DNS Suffix is listed.

Open the Resultant Set of Policy Wizard, as follows:

In Active Directory Users and Computers, right-click the computer object, click All Tasks, and then click Resultant Set of Policy (Logging).

Open a command prompt and then type: ipconfig /all

Check the Primary DNS Suffix in the output. If it does not match the primary DNS suffix that is specified in the System Control Panel for the computer (see “To use Control Panel to check for primary DNS suffix update configuration for a computer” earlier in this document), then the Primary DNS Suffix Group Policy is applied.

u In the registry, check for the presence of the entry Primary DNS Suffix under HKEY_LOCAL_MACHINESoftwarePoliciesMicrosoftSystemDNSclient. If a value is present, then the Primary DNS Suffix Group Policy is applied to the computer.

To install Support Tools

1. On the Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, or Windows Server 2003 Datacenter Edition operating system CD, double-click the Support folder.

2. In the Support folder, double-click the Tool folder and then run suptools.msi.

To use ADSI Edit to add DNS suffixes to msDS‑AllowedDNSSuffixes

The attribute msDS‑AllowedDNSSuffixes is an attribute of the domain object. Therefore, you must set DNS suffixes for each domain whose name is going to change.

1. On the Start menu, point to Programs, Windows Server 2003 Support Tools, Tools, and then click ADSI Edit.

2. Double-click the domain directory partition for the domain you want to modify.

3. Right-click the domain container object, and then click Properties.

4. On the Attribute Editor tab, in the Attributes box, double-click the attribute msDS‑AllowedDNSSuffixes.

5. In the Multi-valued String Editor dialog box, in the Value to add box, type a DNS suffix and then click Add.

6. When you have added all the DNS suffixes for the domain, click OK.

7. Click OK to closed the Properties dialog box for that domain.

8. In the scope pane, right-click ADSI Edit and click Connect to.

9. Under Computer, click Select or type a domain or server.

10. Type the name of the next domain for which you want to set the primary DNS suffix, and then click OK.

11. Repeat steps 2 through 7 for that domain.

12. Repeat steps 8 through 10 to select each subsequent domain and repeat steps 2 through 7 to set the primary DNS suffix for each subsequent domain that is being renamed.

                  18

To apply the Group Policy setting Primary DNS Suffix to groups of member computers

1. In Active Directory Users and Computers, right-click the domain or organizational unit that contains the group of computers to which you are applying Group Policy.

-Or-

In Active Directory Sites and Services, right-click the site object that contains the computers to which you are applying Group Policy.

2. Click the Group Policy tab.

3. In the Group Policy object Links box, click the Group Policy object that you want to contain the Primary DNS Suffix setting.

-Or-

To create a new Group Policy object, click New and then type a name for the object.

4. With the Group Policy object selected, click Edit.

5. Under Computer Configuration, click to expand Administrative Templates, Network, and then click DNS Client.

6. In the results pane, double-click Primary DNS Suffix.

7. Click Enabled, and then in the Enter a primary DNS suffix box, type the DNS suffix for the domain whose member computers are in the group you selected in Step 1.

8. Click OK.

9. Close the Group Policy dialog box, and then close the properties page for the selected object.

To configure the redirecting alias DNS entry

1. In the DNS MMC snap-in, expand the DNS server node to expose the old DNS zone.

2. Right-click the old DNS zone.

3. Click New Alias (CNAME ).

4. In the Alias name box, type the original fully qualified domain name (FQDN) of the HTTP Server..

5. In the Fully qualified domain name for target host box, type the new FQDN of the HTTP Server, and then click OK.

At this point you can test the redirection by pinging the FQDN of the old HTTP server. The ping should be remapped to the new FQDN of the HTTP server.

Issues involving domain rename:

  • XDR-Fixup tool does not work on Exchange 2010 
  • Exchange SMTP stops functioning
  • Exchange organization initialization fails

19

Simple alternative solutions without renaming domain

Microsoft does not support domain rename if Exchange 2007 installed in member server. So what could be work around if you have to have new user account, corresponding emails account and web sites with new domain name without renaming domain.

  • Prepare a control workstation station and log on as a domain admin, schema admin and enterprise admin
  • Create a new range of IP in your infrastructure
  • Prepare an windows server 2008 and promote as your new primary domain with new domain name
  • Create External trust between two domains
  • Ask your ISP Add new Host (A) and MX record with new domain

  20          

  • Point this new MX record to existing SMTP server
  • Add new domain into trusted domain list

232122

  • Add new email policy for new domain

2425

2627

2829

30

  • Change default email address to new email addresses through email property of mailbox using Exchange management console

31

  • Migrate IIS web sites to new web server
  • Redirect CNAME record to new websites for customers and stakeholder
  • Add 301 redirect using Google webmaster if necessary 

Relevant Articles:

Microsoft Exchange System Attendant service does not start

completely remove Exchange 2000 or Exchange 2003 from Active Directory

How to remove Exchange Server 2003 from your computer

How to remove the first Exchange Server 2003 computer from the administrative group

Removing and Modifying Exchange 2007

Step-by-Step Guide to Implementing Domain Rename

Windows Server 2003 Active Directory Domain Rename Tools

Exchange Server Domain Rename Fixup

Microsoft KB842116

Microsoft Exchange Server Domain Rename Fixup (XDR-Fixup)

Windows 2003 domain rename tools

 

Forefront TMG 2010: Publishing Exchange server 2010

To ensure that every Exchange client access mail securely from anywhere (internally and externally) Exchange deployment published through Forefront TMG 2010. you need to plan and deploy the different roles of Exchange Server which includes Exchange HT, CAS, ET and Mailbox and publish in Forefront TMG 2010. The main purpose of these deployment is to improve performance for client access, secure client access and encourage utilization of best practices of Exchange, TMG, and the Exchange clients (Microsoft Outlook) involved. There are few consideration you must take into account such as placing of server in different network segments. Create proper policies in TMG to allow https, POP3, IMAP, SMTP traffic securely to Microsoft Mail clients. In the following figure, I have illustrated a typical Exchange 2010 design that include Forefront TMG 2010.

image

Client Access

Allowing client access, you need to understand and plan what client access methods you need to make available on the Internet for your end users. Users with laptops can either use Outlook Web Access (OWA), which is lightweight and available via a Web browser to access
their mailboxes, or they can use RPC over HTTP over the Internet to check e-mail via Microsoft Outlook. Of course users with mobile devices capable of ActiveSync can access their mailboxes using Exchange Active Sync (EAS). When the administrator has decided which client access methods need to be made available, access to certain folders needs to be allowed through TMG. This is done via the Exchange Publishing Wizard, which is discussed in the next section. the default paths configured after running the New Exchange Publishing Wizard.

Outlook Web Access

/owa/*

/public/*

/exchange/*

/exchweb/*

RPC over http

/rpc/*

Outlook Mobile Access

Not Supported

Exchange Active Sync

/Microsoft-Server-ActiveSync/*

Outlook Anywhere

/rpc/*

/OAB/*

/ews/*

/AutoDiscover/*

Enterprise Root CA

When you publish Exchange client access with TMG, communications from external clients and from TMG itself to the published server can be encrypted using Secure Sockets Layer (SSL). Certain authentication mechanisms, such as Basic Authentication, allow user credentials
to be sent in clear text over the wire. This can be potentially unsafe if anyone runs a network sniffer over the wire and can therefore see user names and passwords. Hence it is essential to ensure that traffic is encrypted using SSL. By using certificates, we can analyze the session at
TMG before we forward it to the published Exchange Server by terminating the connection at the TMG. This is known as SSL bridging. SSL bridging protects against attacks that are hidden in SSL-encrypted connections. For SSL-enabled Web applications, TMG decrypts the client’s request, inspects it, and terminates the SSL connection with the client computer. The Web Publishing rules determine how TMG communicates the request for the object to the published Exchange server. If the secure Exchange publishing rule is configured to
forward the request using Secure HTTP (HTTPS), TMG initiates a new SSL connection with the published server. Because TMG is now an SSL client, it requires the published Web server to respond with a server-side certificate.

Authentication

TMG has a custom form for the Outlook Web Access client that is preconfigured when you use the Exchange publishing wizard. Using forms-based authentication, you can enforce required authentication methods, enable two-factor authentication, and provide centralized logging. After a user is authenticated, TMG can then delegate the credentials as per the configuration on the rule to the Exchange Server. It is important to ensure that the credentials being delegated should be in the same form as expected by the Exchange Server. In the event
of an authentication mismatch, client access fails and a credential delegation alert is logged by TMG.

Authentication Method Access Method
Microsoft Active Directory 2008
LDAP (Active Directory)

Outlook Web Access
Outlook Anywhere
Microsoft ActiveSync (only basic Authentication)

RSA SecurID

Outlook Web Access
Microsoft ActiveSync
(requires RSA SecurID
component installed
on Exchange servers)

Outlook Web Access

When a Web client connects to an Outlook Web Access
Exchange Server front-end server, it loads the Outlook Web page that contains the user- interface icons and headers of messages currently in the mailbox. Subsequently, any operation that the user performs (such as Open, Send, or Move To Folder) generates a new HTTP connection that transfers an average of 10 to 20 KB. When accumulating the behaviour of Outlook Web Access over many users, the Web client
typically creates relatively low bits per connection value (such as 100 kilobits per connection).  This traffic profile is relatively light and is distinguished by only two TCP connections, with a request rate corresponding to the user’s e-mail activity. Because this client is browser-based, it’s much less likely to produce error states as a normal course of events as does the Outlook

RPC over HTTP  or Outlook Anywhere

RPC over HTTP enables Outlook clients to access an Exchange
server in the internal corporate network from the Internet. When connecting to Exchange Server, an Outlook client working in Cached Exchange Mode typically starts with a synchronization of mailbox content with a local cache file by opening up anywhere between 10 to 15 connections to TMG. This behaviour is by default. After the
synchronization is complete, intermittent connections occur, in which new messages are transferred. The Outlook client would, however, maintain about 10 connections with TMG after it is connected. For a user utilizing Outlook heavily, the synchronization operation transfers many bytes of data over a small number of connections, so the overall characteristic bits per connection value is rather high (such as 500 kilobits per connection). 
Also known as RPC over HTTP, this traffic profile is the noisiest of all Exchange clients. It imposes a combination of high connection count (can be 20 or more separate TCP connections) with a higher data rate also coincident with the user activity.

Exchange Active Sync or Outlook Mobile Access

This traffic profile is the lightest client of all, with only one TCP connection and very light traffic flow. A new HTTP connection is only made when a user performs an operation such as Open, Send, or Move To Folder.

Relevant Articles

Exchange Server 2010: Server Roles

How to configure Exchange 2010 Hub Transport (HT) Server

How to configure Exchange 2010 Client Access Server (CAS) Role

Forefront TMG 2010: Publish Outlook Web Access and Exchange Servers using Forefront TMG 2010

Forefront Protection 2010: how to install and configure Forefront Protection 2010 for Exchange Server 2010—Step by step

share this Add to FacebookAdd to DiggAdd to Del.icio.usAdd to StumbleuponAdd to RedditAdd to BlinklistAdd to TwitterAdd to TechnoratiAdd to Yahoo BuzzAdd to Newsvine