ADFS 4.0 Step by Step Guide: Federating with Workday

This article provides step by step guidelines to implement single sign-on using ADFS 4.0 as the identity provider and Workday as the service provider.

Important Note:

  • Workday does not provide a service provider metadata XML file to import into AD FS.
  • Workday does not import federation metadata automatically.
  • Workday does not support SAML timeout.
  • Do not tick both SP initiated Auth and IdP initiated Auth at the same time. Use one or the other, not both.

Prerequisites:

  • Active Directory Federation Services 4.0
  • Workday tenant
  • Admin access in Workday and ADFS

Workday supports both IdP initiated Auth and SP initiated Auth. In both cases the ADFS configuration does not change, but the Workday configuration changes depending on which authentication method you select, i.e. IdP initiated or SP initiated. Workday has two sections to configure under Edit Security in the Workday tenant: 1. the SSO section and 2. the SAML Auth section.

Workday SSO IDP Initiated Auth

Single Sign-on

Login Redirect URL:  https://sts.domain.com/adfs/ls/idpinitiatedSignon.aspx?loginToRp=https://www.workday.com/

Logout Redirect URL: https://sts.domain.com/adfs/ls/?wa=wsignoutcleanup1.0

Timeout Redirect URL:  https://wd3.myworkday.com/tenant/login-saml2.htmld (Workday does not support SAML timeout, so when a user's session times out they are redirected back to the sign-in page. Use the sign-in URL as the timeout URL.)

Mobile Login Redirect URL:  https://sts.domain.com/adfs/ls/idpinitiatedSignon.aspx?loginToRp=https://www.workday.com/

SAML Setup

Enable SAML Authentication: Enabled

Identity Provider: IDPInitiatedAuth

Issuer: http://sts.domain.com/adfs/services/trust (do not type https in issuer)

X509 Certificate: sts.domain.com (Export certificate from ADFS, open the certificate in notepad, copy and paste the certificate in Workday security configuration)

Enable Idp Initiated Authentication: Enabled

Enable Workday Initiated Logout: Enabled

Enable IdP Initiated Logout: Enabled

Logout Request URL: https://sts.domain.com/adfs/ls/?wa=wsignoutcleanup1.0

Logout Response URL https://sts.domain.com/adfs/ls/?wa=wsignoutcleanup1.0

IdP SSO Service URL: http://sts.domain.com/adfs/services/trust

Workday SP Initiated Authentication

Single Sign-on

Login Redirect URL:  https://wd3.myworkday.com/tenant/login-saml2.htmld

Logout Redirect URL:  https://sts.domain.com/adfs/ls/

Timeout Redirect URL:  https://wd3.myworkday.com/tenant/login-saml2.htmld (Workday does not support SAML timeout, so when a user's session times out they are redirected back to the sign-in page. Use the sign-in URL as the timeout URL.)

Mobile Login Redirect URL:  https://wd3.myworkday.com/tenant/login-saml2.htmld

SAML Setup

Enable SAML Authentication: Enabled

Identity Provider: SPInitiatedAuth

Issuer: http://sts.domain.com/adfs/services/trust (do not type https in issuer)

X509 Certificate: sts.domain.com (Export certificate from ADFS, open the certificate in notepad, copy and paste the certificate in Workday security configuration)

Enable SP Initiated Authentication: Enabled

Enable Workday Initiated Logout: Enabled

Enable IdP Initiated Logout: Enabled

Logout Request URL: https://sts.domain.com/adfs/ls/

Logout Response URL https://sts.domain.com/adfs/ls/

IdP SSO Service URL: https://sts.domain.com/adfs/ls

Force IdP initiated Authentication: ForceAuth Only

Active Directory Federation Services Configuration

Relying Party Metadata: Copy the metadata and save as XML then import into Relying Party of ADFS.


<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor entityID="http://www.workday.com" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://wd3.myworkday.com/tenant/login-saml.htmld" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>

Create Claim Rule

Template: Send LDAP Attributes as Claims

LDAP Attribute        Outgoing Claim Type
EmployeeNumber        Name ID
E-Mail-Addresses      UPN
SAM-Account-Name      Windows Account Name (use this option to automatically SSO from the internal network)

Access Control from ADFS

Access control uses SSO from the internal network and SSO with MFA from the external network. Create a separate access control policy:

Name: Workday

Description: Grant Access to Workday XYZ tenant

Permission:

  1. Permit everyone
  2. Permit a security group from Active Directory and from intranet
  3. Permit the same security group in number 2 from Active Directory, from internet and require MFA

Remote into the Domain Controller and add users to the security groups mentioned in numbers 2 and 3 of the access policy using the PowerShell below.

CSV Header: UserPrincipalName, SecurityGroup

Import-Module ActiveDirectory
# CSV columns: UserPrincipalName, SecurityGroup (one row per user/group pair)
$Csv = Import-Csv C:\temp\AddUsersToGroups.csv
foreach ($Item in $Csv) {
    $UPN   = $Item.UserPrincipalName
    $Group = $Item.SecurityGroup
    # Look the user up by UPN and pass the AD object to Add-ADGroupMember
    # (a UPN string is not a valid -Members identity)
    Get-ADUser -Filter "UserPrincipalName -eq '$UPN'" |
        ForEach-Object { Add-ADGroupMember -Identity $Group -Members $_ }
}

The ADFS relying party properties look like below:

Endpoints: https://wd3.myworkday.com/tenant/login-saml.htmld

Binding: Post

Default: Yes

SAML Signout URL: https://sts.domain.com/adfs/ls/?wa=wsignoutcleanup1.0

SAML Signout Binding : POST

Signature: Import private key from Workday and add into the signature tab of Workday relying party properties.

Encryption: SHA256 (Workday no longer supports SHA1)

Certificate Bits: 2048 (Microsoft no longer supports 1024-bit keys)

Set the SAML response signature and the NotBefore skew time. Open PowerShell on the ADFS server and run the cmdlets below.

Set-ADFSRelyingPartyTrust -TargetName Workday -SamlResponseSignature "MessageOnly"

Set-ADFSRelyingPartyTrust -TargetName Workday -NotBeforeSkew 3
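The same relying party configuration done from PowerShell, as an added example that is not part of the original article: it creates the trust from the saved Workday metadata, applies the claim rule, signature hash, response signature, skew and logout endpoint settings described above, and reads them back. The metadata file path, the existence of an access control policy named Workday (created per the Access Control section) and the host sts.domain.com are assumptions.

```powershell
# Added example, not from the original article: configures the Workday relying party
# trust on the AD FS 4.0 server from PowerShell instead of the console.
# Assumptions: the Workday SP metadata was saved to $MetadataFile, the access control
# policy named 'Workday' already exists, and the federation service host is sts.domain.com.
Import-Module ADFS

$RpName       = 'Workday'
$MetadataFile = 'C:\temp\workday-sp-metadata.xml'   # assumed path of the saved metadata XML
$AdfsHost     = 'sts.domain.com'

# "Send LDAP Attributes as Claims" rule written in claim rule language:
#   employeeNumber -> Name ID, mail (E-Mail-Addresses) -> UPN, sAMAccountName -> Windows account name
$IssuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Workday LDAP attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"), query = ";employeeNumber,mail,sAMAccountName;{0}", param = c.Value);
'@

# 1. Create the trust from the metadata file (Workday publishes no metadata URL, so
#    nothing can be auto-updated; the file is imported once).
Add-AdfsRelyingPartyTrust -Name $RpName -MetadataFile $MetadataFile `
    -IssuanceTransformRules $IssuanceRules

# 2. Signature hash, response signing, NotBefore skew and access control policy.
Set-AdfsRelyingPartyTrust -TargetName $RpName `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256' `
    -SamlResponseSignature 'MessageOnly' `
    -NotBeforeSkew 3 `
    -AccessControlPolicyName 'Workday'

# 3. The metadata only carries the assertion consumer endpoint; add the SAML logout
#    endpoint (POST binding). -SamlEndpoint replaces the whole list, so keep the ACS.
$Existing = @((Get-AdfsRelyingPartyTrust -Name $RpName).SamlEndpoints)
$Logout   = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout `
    -Uri "https://$AdfsHost/adfs/ls/?wa=wsignoutcleanup1.0"
Set-AdfsRelyingPartyTrust -TargetName $RpName -SamlEndpoint ($Existing + $Logout)

# 4. Read the trust back and report each setting the article calls out.
function Test-WorkdayTrust {
    param([string]$Name = 'Workday')
    $Rp = Get-AdfsRelyingPartyTrust -Name $Name
    [pscustomobject]@{
        IdentifierIsWorkday  = ($Rp.Identifier -contains 'http://www.workday.com')
        Sha256Signature      = ($Rp.SignatureAlgorithm -like '*rsa-sha256')
        MessageOnlySignature = ("$($Rp.SamlResponseSignature)" -eq 'MessageOnly')
        NotBeforeSkewIs3     = ($Rp.NotBeforeSkew -eq 3)
        HasPostAcsEndpoint   = [bool]($Rp.SamlEndpoints | Where-Object { "$($_.Protocol)" -eq 'SAMLAssertionConsumer' -and "$($_.Binding)" -eq 'POST' })
        HasLogoutEndpoint    = [bool]($Rp.SamlEndpoints | Where-Object { "$($_.Protocol)" -eq 'SAMLLogout' })
    }
}
Test-WorkdayTrust -Name $RpName | Format-List
```

Every property in the final report should read True before testing SSO; a False on HasLogoutEndpoint or MessageOnlySignature is the usual cause of a sign-out loop or a rejected response at Workday.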

Test ADFS SSO:

Open any browser and type: https://wd3.myworkday.com/tenant/login.htmld or https://wd3.myworkday.com/tenant from internal and external network or from mobile app.

Exchange 2010/2013 to Exchange 2016 Migration Step by Step

  • Deployment Location: On-premises
  • Target Environment: Exchange Server 2016 CU4
  • Current Environment: Exchange Server 2010 or Exchange Server 2013 or mixed
  • Public Folder Location: Exchange Server 2013

Understanding Exchange Server 2016: Exchange Server 2016 consolidates the many roles of previous Exchange versions into two roles:

  • Mailbox- The Mailbox server includes the Client Access protocols, the Transport service, the Mailbox databases, and Unified Messaging. The Mailbox server handles all activity for the active mailboxes on that server.
  • Edge Transport- The Edge Transport server role is deployed in your organization’s perimeter network and outside your internal Active Directory forest. Designed to minimize the attack surface, the Edge Transport server handles all Internet-facing mail flow and provides SMTP relay and smart host services, anti-spam features, message protection, and transport security for the Exchange organization.

Extend the AD DS schema and prepare AD DS: This makes sure the Active Directory forest is ready for Exchange 2016 Setup. Open a Windows Command Prompt, change to the folder where you downloaded the Exchange 2016 installation files, and run the following commands to extend the schema and prepare AD.

set-executionpolicy unrestricted

Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

Setup.exe /PrepareAD /OrganizationName:"<organization name>" /IAcceptExchangeServerLicenseTerms

Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms

(Optional step, only required if you have multiple domains in a single forest)

Certificates: When deploying Exchange 2016, Microsoft strongly recommends that you either obtain a public certificate issued by a third-party CA or reuse the current certificate from the existing environment. Export the current certificate from Exchange Server 2013 and save it in PFX format on the new Windows Server 2016 where Exchange Server 2016 will be installed. Add the common name mail.domain.com and the SAN autodiscover.domain.com, or use *.domain.com.

Supported Client: Exchange 2016 and Exchange Online support the following versions of Outlook:

  • Outlook 2016
  • Outlook 2013
  • Outlook 2010
  • Outlook for Mac for Office 365
  • Outlook for Mac 2011

Hybrid deployment consideration with Office 365: A hybrid deployment can serve as an intermediate step to moving completely to an Exchange Online organization. To configure a hybrid deployment after the initial Exchange 2016 installation or migration is complete, select Hybrid Configuration Wizard in the EAC and configure the mail flow architecture that suits your needs.

Exchange Server 2016 Systems Requirements:

  • Update Rollup 11 Exchange 2010 SP3 or later on all Exchange 2010 servers in the organization, including Edge Transport servers.
  • Exchange 2013 Cumulative Update 10 or later on all Exchange 2013 servers in the organization, including Edge Transport servers.
  • Windows Server 2008 domain functional level
  • Windows Server 2016 with desktop experience or Windows Server 2012 R2
  • 2vCPU, 8GB RAM, 30GB free space and space for mailboxes
  • .NET Framework 4.6.2
  • Unified Communications Managed API (UCMA) 5.0

Permission and RBAC:

Task                                                 Permissions required
Install the Mailbox server role (first server)       Local Administrator, Enterprise Administrator, Schema Administrator
Install additional Mailbox servers                   Organization Management
Install the Edge Transport server role               Local Administrator

Exchange Server 2016 Deployment Datasheet

Description                                                   Example value in checklist
Active Directory forest                                       domain.com
Internal Exchange 2016 Mailbox                                EXCH2016
Internal Exchange 2016 Edge Transport                         EXCH2016EDGE
Internal Exchange 2013 Mailbox and CAS                        EXCH2013
Internal Exchange 2013 Edge Transport                         EXCH2013EDGE
Internal Exchange 2010 Mailbox and CAS                        EXCH2010
Internal Exchange 2010 Edge Transport                         EXCH2010EDGE
External and Internal Exchange 2016 FQDN for the services below   mail.domain.com
  • Outlook Anywhere
  • Offline Address Book
  • Remote Windows PowerShell
  • Exchange Web Services (EWS)
  • Exchange ActiveSync
  • Outlook on the web
  • ECP (Exchange admin center)
Internal and External Autodiscover FQDN                       autodiscover.domain.com
Primary SMTP namespace                                        domain.com
User principal name domain                                    @domain.com

Note:

  • Edge Transport- If you have existing Edge Transport servers or if you plan to install Edge Transport servers, or both.
  • Co-existence Scenario- Applicable only if your existing organization has Exchange 2010/2013 servers.
  • Availability- Add multiple servers for availability and site resiliency

Configure default offline address book:

Configure offline address book if OAB has not been already configured in the current environment.

Get-MailboxDatabase | Format-Table Name, Server, OfflineAddressBook -AutoSize

Get-MailboxDatabase | Set-MailboxDatabase -OfflineAddressBook "Default Offline Address Book"

Servers Build:

  • Build Windows Server 2016 and assign IPv4 addresses to the network interfaces of the servers that will become Exchange Servers.
  • Rename all other Windows Server 2016 machines prepared for Exchange 2016 and join them to the domain.
  • Rename the computer and create the DNS suffix for the Exchange 2016 Edge server:
  1. Log on to the computer where you want to install the Edge Transport role as a user that’s a member of the local Administrators group.
  2. Open the Control Panel, and then double-click System.
  3. In the Computer name, domain, and workgroup settings section, click Change settings.
  4. In the System Properties window, make sure the Computer Name tab is selected, and then click Change.
  5. In Computer Name/Domain Changes, click More.
  6. In Primary DNS suffix of this computer, enter the DNS domain name for the Edge Transport server. For example, domain.com.
  7. Click OK to close each window.
  8. Restart the computer.
Windows Server 2016 Roles and Features Prerequisites for Mailbox Role:

Open Windows PowerShell. Run the following command to install the required Windows components.

Install-WindowsFeature NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS

After you have installed the operating system roles and features, reboot computer. Install the following software in the order shown:

  1. Microsoft Knowledge Base article KB3206632
  2. Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit

Windows Server 2016 Roles and Features Prerequisites for Edge Transport Role:

Open Windows PowerShell. Run the following command to install the required Windows components.

Install-WindowsFeature ADLDS

Installation of Exchange Server 2016:

  1. Download latest release of Exchange 2016 to an accessible network location.
  2. Log on to the computer where you want to install Exchange and navigate to the network location of the Exchange 2016 installation files.
  3. Start Exchange 2016 Setup by right-clicking Setup.exe and selecting Run as administrator.
  4. On the Check for Updates page, choose whether you want Setup to connect to the Internet and download product and security updates for Exchange 2016. If you select Connect to the Internet and check for updates, Setup will download updates and apply them before continuing. If you select Don’t check for updates right now, you can download and manually install updates later. We recommend that you download and install updates now. Click Next to continue.
  5. The Introduction page begins the process of installing Exchange into your organization. It will guide you through the installation. Several links to helpful deployment content are listed. We recommend that you visit these links before continuing setup. Click Next to continue.
  6. On the License Agreement page, review the software license terms. If you agree to the terms, select I accept the terms in the license agreement, and then click Next.
  7. On the Recommended settings page, select whether you want to use the recommended settings. If you select Use recommended settings, Exchange will automatically send Microsoft your error reports and information about your computer hardware and how you use Exchange. If you select Don’t use recommended settings, these settings remain disabled, but you can enable them at any time after Setup completes.
  8. On the Server Role Selection page, select Mailbox role. The management tools are installed automatically if you install any server role.
  9. Select Automatically install Windows Server roles and features that are required to install Exchange Server to have the Setup wizard install required Windows prerequisites. You may need to reboot the computer to complete the installation of some Windows features. If you don’t select this option, you must manually install the Windows features.
  10. Click Next to continue.
  11. On the Installation Space and Location page, either accept the default installation location or click Browse to choose a new location. Make sure that you have enough disk space available in the location where you want to install Exchange. Click Next to continue.
  12. On the Malware Protection Settings page, choose whether you want to enable malware scanning. If you disable malware scanning, it can be enabled in the future. Unless you have a specific reason to disable malware scanning, we recommend that you keep it enabled. Click Next to continue.
  13. On the Readiness Checks page, view the status to determine if the organization and server role prerequisite checks completed successfully. If they haven’t completed successfully, you must resolve any reported errors before you can install Exchange 2016. You don’t need to exit Setup when resolving some of the prerequisite errors. After resolving a reported error, click Back, and then click Next to run the prerequisite check again. Be sure to also review any warnings that are reported. If all readiness checks have completed successfully, click Install to install Exchange 2016.
  14. On the Completion page, click Finish.
  15. Restart the computer after Exchange 2016 installation is complete. Repeat these steps for every other Exchange Server 2016 Mailbox role server.

Installation of Edge Server 2016

  1. After you download Exchange 2016, log on to the computer where you want to install it.
  2. Go to the network location of the Exchange 2016 installation files.
  3. Start Exchange 2016 Setup by double-clicking Setup.exe as an administrator.
  4. On the Check for Updates page, choose whether you want Setup to connect to the Internet and download product and security updates for Exchange 2016. If you select Connect to the Internet and check for updates, Setup will download updates and apply them before continuing. If you select Don’t check for updates right now, you can download and manually install updates later. We recommend that you download and install updates now. Click Next to continue.
  5. The Introduction page begins the process of installing Exchange into your organization. It will guide you through the installation. Several links to helpful deployment content are listed. We recommend that you visit these links before continuing setup. Click Next to continue.
  6. On the License Agreement page, review the software license terms. If you agree to the terms, select I accept the terms in the license agreement, and then click Next.
  7. On the Recommended settings page, select whether you want to use the recommended settings. If you select Use recommended settings, Exchange will automatically send Microsoft your error reports and information about your computer hardware and how you use Exchange. If you select Don’t use recommended settings, these settings remain disabled, but you can enable them at any time after Setup completes. For more information about these settings and how information sent to Microsoft is used, click ?.
  8. On the Server Role Selection page, select Edge Transport. Remember that you can’t add the Mailbox server role to a computer that has the Edge Transport role installed. The management tools are installed automatically if you install either server role.
  9. Select Automatically install Windows Server roles and features that are required to install Exchange Server to have the Setup wizard install required Windows prerequisites. You may need to reboot the computer to complete the installation of some Windows features. If you don’t select this option, you need to install the Windows features manually.
  10. Click Next to continue.
  11. On the Installation Space and Location page, either accept the default installation location or click Browse to choose a new location. Make sure that you have enough disk space available in the location where you want to install Exchange. Click Next to continue.
  12. On the Readiness Checks page, view the status to determine if the organization and server role prerequisite checks completed successfully. If they haven’t completed successfully, you need to resolve any reported errors before you can install Exchange 2016. You don’t need to exit Setup when resolving some of the prerequisite errors. After resolving a reported error, click Back, and then click Next to run the prerequisite check again. Be sure to also review any warnings that are reported. If all readiness checks have completed successfully, click Next to install Exchange 2016.
  13. On the Completion page, click Finish.
  14. Restart the computer after Exchange 2016 installation is complete.

Post Installation Tasks:

Check or Add Exchange Organisation Management Role

  1. In the EAC https://EXCH2016/ecp?ExchClientVer=15, go to Permissions > Admin Roles. On the Admin Roles page, select Organization Management.
  2. In the details pane, view the Members list. If the Exchange 2016 mailbox has been successfully added as a member of the Organization Management role group, the mailbox will be listed here.

Create a test mailbox

  1. Open the EAC https://EXCH2016/ecp?ExchClientVer=15 by browsing to the URL of your Exchange 2016 Mailbox server.
  2. Enter the user name and password of the account you used to install Exchange 2016 in Domain\user name and Password, and then click Sign in.
  3. Go to Recipients > Mailboxes. On the Mailboxes page, click Add, and then select User mailbox.
  4. Provide the information required for the new user, and then click Save.
  5. Go to Permissions > Admin Roles. On the Admin Roles page, select Organization Management, and then click Edit.
  6. Under Members, click Add.
  7. Select the Exchange 2016 mailbox you just created, click Add, then click OK. Then click Save.

Install Exchange Server 2016 Product key

  1. Open the EAC by browsing to https://Exch2016/ecp.
  2. Enter your user name and password in Domain\user name and Password, and then click Sign in.
  3. Go to Servers > Servers. Select the server you want to license, and then click Edit.
  4. (Optional) If you want to upgrade the server from a Standard Edition license to an Enterprise Edition license, on the General page, select Change product key. You’ll only see this option if the server is already licensed.
  5. On the General page, enter your product key in the Enter a valid product key text boxes.
  6. Click Save.
  7. If you licensed an Exchange server running the Mailbox server role, do the following to restart the Microsoft Exchange Information Store service:
    1. Open Control Panel, go to Administrative Tools, and then open Services.
    2. Right-click on Microsoft Exchange Information Store and click Restart.

Simply use the below PowerShell Cmdlets to install product key.

Set-ExchangeServer ExCH2016Server01 -ProductKey XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

Configure Exchange Server 2016 External URL:

There are several settings that you need to configure on the Exchange 2016 virtual directories, which include Outlook Anywhere, Exchange ActiveSync, Exchange Web Services, Offline Address Book (OAB), Outlook on the web, the Exchange admin center, and the availability service.

  1. Open the EAC by browsing to the URL of your Exchange 2016 Mailbox server. For example, https://EXCH2016/ECP or https://EXCH2016/ecp?ExchClientVer=15 .
  2. Enter your user name and password in Domain\user name and Password, and then click Sign in.
  3. Go to Servers > Servers, select the name of the Internet-facing Exchange 2016 Mailbox server, and then click Edit.
  4. Click Outlook Anywhere.
  5. In the Specify the external hostname field, specify the externally accessible FQDN of the Mailbox server. For example, mail.domain.com.
  6. While you’re here, let’s also set the internally accessible FQDN of the Mailbox server. In the Specify the internal hostname field, enter the FQDN you used in the previous step. For example, mail.domain.com.
  7. Click Save.
  8. Go to Servers > Virtual directories.
  9. In the Select server field, select the Internet-facing Exchange 2016 Mailbox server.
  10. Select the virtual directory you want to change, and then click Edit.
  11. In External URL, replace the host name between https:// and the first forward slash (/ ) with the new FQDN you want to use. For example, if you want to change the EWS virtual directory FQDN from EXCH2016.domain.com to mail.domain.com, change the external URL from https://EXCH2016.domain.com/ews/exchange.asmx to https://mail.domain.com/ews/exchange.asmx.
  12. Click Save.
  13. Repeat steps 9, 10 and 11 for each virtual directory you want to change.

To verify that you successfully configured the external URL on the Internet-facing Exchange 2016 Mailbox server virtual directories, do the following:

  1. In the EAC, go to Servers > Virtual directories.
  2. In the Select server field, select the Internet-facing Exchange 2016 Mailbox server.
  3. Select a virtual directory and then, in the virtual directory details pane, verify that the External URL field is populated with the correct FQDN and service as shown below:

Virtual directory               External URL value
Autodiscover                    No external URL displayed
ECP                             https://mail.domain.com/ecp
EWS                             https://mail.domain.com/EWS/Exchange.asmx
Mapi                            https://mail.domain.com/mapi
Microsoft-Server-ActiveSync     https://mail.domain.com/Microsoft-Server-ActiveSync
OAB                             https://mail.domain.com/OAB
OWA                             https://mail.domain.com/owa
PowerShell                      http://mail.domain.com/PowerShell

Configure internal and external URLs to be the same:

Note: I personally prefer to have the same URL for internal and external web access. The same URL eliminates confusion when using OWA internally and externally. Microsoft also recommends that you use the same URL for both internal and external URLs. Using the same URL makes it easier for users to access your Exchange servers because they only have to remember one address. Regardless of the choice you make, you need to make sure you configure a private DNS zone for the address space you configure.

  1. Open the Exchange Management Shell on your Exchange 2016 Mailbox server.
  2. Store the host name of your Exchange 2016 Mailbox server in a variable that will be used in the next step. For example, EXCH2016.

$HostName = "EXCH2016"

  3. Run each of the following commands in the Shell to configure each internal URL to match the virtual directory’s external URL.

Set-EcpVirtualDirectory "$HostName\ECP (Default Web Site)" -InternalUrl ((Get-EcpVirtualDirectory "$HostName\ECP (Default Web Site)").ExternalUrl)

Set-WebServicesVirtualDirectory "$HostName\EWS (Default Web Site)" -InternalUrl ((Get-WebServicesVirtualDirectory "$HostName\EWS (Default Web Site)").ExternalUrl)

Set-MapiVirtualDirectory "$HostName\mapi (Default Web Site)" -InternalUrl ((Get-MapiVirtualDirectory "$HostName\mapi (Default Web Site)").ExternalUrl)

Set-ActiveSyncVirtualDirectory "$HostName\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl ((Get-ActiveSyncVirtualDirectory "$HostName\Microsoft-Server-ActiveSync (Default Web Site)").ExternalUrl)

Set-OabVirtualDirectory "$HostName\OAB (Default Web Site)" -InternalUrl ((Get-OabVirtualDirectory "$HostName\OAB (Default Web Site)").ExternalUrl)

Set-OwaVirtualDirectory "$HostName\OWA (Default Web Site)" -InternalUrl ((Get-OwaVirtualDirectory "$HostName\OWA (Default Web Site)").ExternalUrl)

Set-PowerShellVirtualDirectory "$HostName\PowerShell (Default Web Site)" -InternalUrl ((Get-PowerShellVirtualDirectory "$HostName\PowerShell (Default Web Site)").ExternalUrl)

While you are in the Shell, let’s also configure the Offline Address Book (OAB) to allow Autodiscover to select the right virtual directory for distributing the OAB. Run the following command to do this.

Get-OfflineAddressBook | Where {$_.ExchangeVersion.ExchangeBuild.Major -Eq 15} | Set-OfflineAddressBook -GlobalWebDistributionEnabled $True -VirtualDirectories $Null

To verify that you successfully configured the internal URL on the Exchange 2016 Mailbox server virtual directories, do the following:

  1. In the EAC, go to Servers > Virtual directories.
  2. In the Select server field, select the Internet-facing Exchange 2016 Mailbox server.
  3. Select a virtual directory, and then click Edit.
  4. Verify that the Internal URL field is populated with the correct FQDN and service as shown below:

Virtual directory               Internal URL value
Autodiscover                    No internal URL displayed
ECP                             https://mail.domain.com/ecp
EWS                             https://mail.domain.com/EWS/Exchange.asmx
Mapi                            https://mail.domain.com/mapi
Microsoft-Server-ActiveSync     https://mail.domain.com/Microsoft-Server-ActiveSync
OAB                             https://mail.domain.com/OAB
OWA                             https://mail.domain.com/owa
PowerShell                      http://mail.domain.com/PowerShell

Configure Exchange 2016 certificates

Outlook Anywhere and Exchange ActiveSync require certificates to be configured on your Exchange 2016 server. You can choose whether you want to re-use the SSL certificate installed on an existing Exchange server or purchase a new SSL certificate from a third-party certificate authority (CA). If you decide to re-use a certificate, the host names you have configured on the Exchange 2016 virtual directories must match the host names configured on the SSL certificate.
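An added check, not part of the original article, that covers the two verification tables above and the requirement just stated: it reads the internal and external URL of every virtual directory on one Mailbox server, compares their host names with the expected namespace, and reports any host name the certificate enabled for IIS does not cover. The server name EXCH2016 and the namespace mail.domain.com are assumed from the deployment datasheet.

```powershell
# Added example, not from the original article: checks, on one Exchange 2016 Mailbox
# server, that every virtual directory URL uses the expected namespace and that the
# certificate enabled for IIS covers every host name those URLs use.
# Run in the Exchange Management Shell. Assumed: server EXCH2016 and namespace
# mail.domain.com from the deployment datasheet.
$Server   = 'EXCH2016'
$Expected = 'mail.domain.com'

# The virtual directories listed in the verification tables, with the cmdlet that reads each.
$Directories = @(
    @{ Name = 'ECP';                         Get = { Get-EcpVirtualDirectory         -Server $Server } },
    @{ Name = 'EWS';                         Get = { Get-WebServicesVirtualDirectory -Server $Server } },
    @{ Name = 'Mapi';                        Get = { Get-MapiVirtualDirectory        -Server $Server } },
    @{ Name = 'Microsoft-Server-ActiveSync'; Get = { Get-ActiveSyncVirtualDirectory  -Server $Server } },
    @{ Name = 'OAB';                         Get = { Get-OabVirtualDirectory         -Server $Server } },
    @{ Name = 'OWA';                         Get = { Get-OwaVirtualDirectory         -Server $Server } },
    @{ Name = 'PowerShell';                  Get = { Get-PowerShellVirtualDirectory  -Server $Server } }
)

function Get-UrlHost([object]$Url) {
    # InternalUrl/ExternalUrl are System.Uri objects; an unset URL is reported, not skipped
    if ($Url) { ([uri]$Url).Host } else { '(not set)' }
}

# One row per (directory, side): which host the URL points at and whether it is the expected one.
$Rows = @(
    foreach ($d in $Directories) {
        foreach ($vd in @(& $d.Get)) {
            foreach ($side in 'InternalUrl', 'ExternalUrl') {
                $h = Get-UrlHost $vd.$side
                [pscustomobject]@{ Directory = $d.Name; Side = $side; HostName = $h; Expected = ($h -eq $Expected) }
            }
        }
    }
    # Outlook Anywhere stores host names rather than URLs
    $oa = Get-OutlookAnywhere -Server $Server
    foreach ($side in 'InternalHostname', 'ExternalHostname') {
        $h = if ($oa.$side) { "$($oa.$side)" } else { '(not set)' }
        [pscustomobject]@{ Directory = 'Outlook Anywhere'; Side = $side; HostName = $h; Expected = ($h -eq $Expected) }
    }
)

function Test-CoveredByCertificate([string]$HostName, [string[]]$CertNames) {
    # -like lets a wildcard entry such as *.domain.com match mail.domain.com
    foreach ($c in $CertNames) { if ($HostName -like $c) { return $true } }
    return $false
}

# Certificate currently enabled for IIS and the DNS names it carries
$Cert      = Get-ExchangeCertificate -Server $Server | Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
$CertNames = @($Cert.CertificateDomains | ForEach-Object { "$_" })
$Uncovered = $Rows | Where-Object { $_.HostName -ne '(not set)' } | ForEach-Object HostName | Sort-Object -Unique |
    Where-Object { -not (Test-CoveredByCertificate $_ $CertNames) }

$Rows | Format-Table Directory, Side, HostName, Expected -AutoSize
if ($Uncovered) { Write-Warning ('Host names missing from the IIS certificate: ' + ($Uncovered -join ', ')) }
else            { 'Certificate {0} covers all virtual directory host names.' -f $Cert.Thumbprint }
```

A row with Expected = False usually means a virtual directory still carries the server FQDN (for example EXCH2016.domain.com) from setup; a warning about missing host names means the certificate must be reissued or re-exported with those SANs before clients will connect without errors.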

  1. Open the EAC by browsing to the URL of your Mailbox server. For example, https://EXCH2016/ECP.
  2. Enter your user name and password in Domain\user name and Password, and then click Sign in.
  3. Go to Servers > Certificates. On the Certificates page, make sure your Mailbox server is selected in the Select server field, and then click New.
  4. In the New Exchange certificate wizard, select Create a request for a certificate from a certification authority, and then click Next.
  5. Specify a name for this certificate, and then click Next.
  6. If you want to request a wildcard certificate, select Request a wild-card certificate, and then specify the root domain of all subdomains in the Root domain field. If you don’t want to request a wildcard certificate and instead want to specify each domain you want to add to the certificate as a SAN, such as mail.domain.com, edge.domain.com and sts.domain.com (for a future hybrid configuration with ADFS), leave this page blank. Click Next.
  7. Click Browse, and specify an Exchange server to store the certificate on. The server you select should be the Internet-facing Mailbox server. Click Next.
  8. For each service in the following list, verify that the external or internal server names that users will use to connect to the Exchange server are correct. For example:
    • If you configured your internal and external URLs to be the same, Outlook Web App (when accessed from the Internet) and Outlook Web App (when accessed from the Intranet) should show mail.domain.com. OAB (when accessed from the Internet) and OAB (when accessed from the Intranet) should show mail.domain.com, edge.domain.com and sts.domain.com (the last for a future hybrid configuration with ADFS).
  9. These domains will be used to create the SSL certificate request. Click Next.
  10. Add any additional domains you want included on the SSL certificate.
  11. Select the domain that you want to be the common name (for example, domain.com) for the certificate and click Set as common name. Click Next.
  12. Provide information about your organization. This information will be included with the SSL certificate. Click Next.
  13. Specify the network location where you want this certificate request to be saved. Click Finish.

After you’ve saved the certificate request, submit the request to your CA. After you receive the certificate from the CA, complete the following steps:

  1. On the Server > Certificates page in the EAC, select the certificate request you created in the previous steps.
  2. In the certificate request details pane, under Status, click Complete.
  3. On the Complete pending request page, specify the path to the SSL certificate file, and then click OK.
  4. Select the new certificate you just added, and then click Edit.
  5. On the certificate page, click Services.
  6. Select the services you want to assign to this certificate. At minimum, you should select IIS, but you can also select IMAP, POP, and UM call router if you use these services. If you want to use secure transport, you can also select SMTP to make this certificate available to Exchange 2016 transport. Click Save.
  7. Click Yes.

To re-use an existing certificate, export it from your pre-existing Exchange server together with its private key using the following steps:

  1. Log on directly to a pre-existing Exchange Client Access server with an administrator user account.
  2. Open an empty Microsoft Management Console (MMC).
  3. Click File, then Add/Remove Snap-in.
  4. In the Add or Remove Snap-ins window, select Certificates, and then click Add >.
  5. In the Certificates snap-in window that appears, select Computer account, and then click Next.
  6. Select Local computer and click Finish. Then click OK.
  7. Under Console Root, expand Certificates (Local Computer), Personal, and then Certificates.
  8. Select the third-party certificate that’s used by Exchange that matches the host names you’ve configured on the Exchange 2016 server. This must be a third-party certificate and not a self-signed certificate.
  9. Right-click the certificate, select All Tasks, and then click Export.
  10. In the Certificate Export Wizard, click Next.
  11. Select Yes, export the private key, and then click Next.
  12. Make sure Personal Information Exchange – PKCS #12 (.PFX) and Include all certificates in the certification path if possible are selected. Make sure no other options are selected. Click Next.
  13. Select Password and enter a password to help secure your certificate. Click Next.
  14. Specify a file name for the new certificate. Use the file extension .pfx. Click Next and then click Finish.
  15. You’ll receive a confirmation prompt if the certificate export was successful. Click OK to close it.
  16. Copy the .pfx file you created to your Internet-facing Exchange 2016 Mailbox server.

After you’ve exported the certificate from your pre-existing Exchange server, you need to import the certificate on your Exchange 2016 server using the following steps:

  1. Log on to your Internet-facing Exchange 2016 Mailbox server with an administrator user account.
  2. Open an empty MMC.
  3. Click File, then Add/Remove Snap-in.
  4. In the Add or Remove Snap-ins window, select Certificates, and then click Add >.
  5. In the Certificates snap-in window that appears, select Computer account, and then click Next.
  6. Select Local computer and click Finish. Then click OK.
  7. Under Console Root, expand Certificates (Local Computer), and then Personal.
  8. Right-click Personal, select All Tasks, and then click Import.
  9. In the Certificate Import Wizard, click Next.
  10. Click Browse, and select the .pfx file you copied to your Exchange 2016 Mailbox server. Click Open and then click Next.
  11. In the Password field, enter the password you used to help secure the certificate when you exported it on the pre-existing Exchange server.
  12. Verify that Include all extended properties is selected, and then click Next.
  13. Verify that Place all certificates in the following store is selected and Personal is shown in Certificate store. Click Next and then Finish.
  14. You’ll receive a confirmation prompt if the certificate import was successful. Click OK to close it.

Now that the new certificate has been imported on your Exchange 2016 Mailbox server, you need to assign it to your Exchange services using the following steps:

  1. Open the EAC by browsing to the URL of your Exchange 2016 Mailbox server. For example, https://EXCH2016/ECP.
  2. Enter your user name and password in Domain\user name and Password, and then click Sign in.
  3. On the Server > Certificates page in the EAC, select the new certificate you just added, and then click Edit.
  4. On the certificate page, click Services.
  5. Select the services you want to assign to this certificate. At minimum, you should select IIS, but you can also select IMAP, POP, and UM call router if you use these services. If you want to use secure transport, you can also select SMTP to make this certificate available to Exchange 2016 transport. Click Save.
  6. Click Yes.
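The three EAC/MMC procedures above (request and complete a certificate, export it with its private key, import and assign it) can be done from the Exchange Management Shell on the Internet-facing Exchange 2016 Mailbox server. The following is an added example written for this article, not code from the original page; the server names, host names, file paths, subject organisation and the second server EXCH2016B are assumptions. It also adds the two checks you want before binding a certificate to a service: that Exchange reports the chain as valid and that every host name users connect to is present in the SAN list.

```powershell
# Added example: certificate request, completion, export/import and service binding
# from the Exchange Management Shell. Names, paths and EXCH2016B are assumptions.
$Server    = 'EXCH2016'
$HostNames = 'mail.domain.com', 'autodiscover.domain.com'

# 1. Create the certificate request (CSR). The private key is generated on $Server and
#    marked exportable so the same certificate can later be moved to another server.
$csr = New-ExchangeCertificate -Server $Server -GenerateRequest `
    -SubjectName 'C=AU,O=Contoso,CN=mail.domain.com' `
    -DomainName $HostNames -PrivateKeyExportable $true
[System.IO.File]::WriteAllBytes('C:\Certs\mail.domain.com.req',
    [System.Text.Encoding]::Unicode.GetBytes($csr))

# 2. After the CA returns the signed certificate, complete the pending request.
$cert = Import-ExchangeCertificate -Server $Server `
    -FileData ([System.IO.File]::ReadAllBytes('C:\Certs\mail.domain.com.cer'))

# 3. Check the chain and the SAN list before binding any service to it.
if ($cert.Status -ne 'Valid') {
    throw "Certificate $($cert.Thumbprint) has status $($cert.Status)"
}
$missing = $HostNames | Where-Object { $cert.CertificateDomains -notcontains $_ }
if ($missing) { throw "Certificate lacks SAN entries for: $($missing -join ', ')" }

# 4. Bind it to IIS (required) and SMTP (optional, for TLS on transport).
#    -Force suppresses the prompt about replacing the default SMTP certificate.
Enable-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint -Services IIS, SMTP -Force

# 5. Shell equivalent of the MMC export/import: move the certificate with its private
#    key to another Exchange 2016 server as a password-protected PFX.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$export = Export-ExchangeCertificate -Server $Server -Thumbprint $cert.Thumbprint `
    -BinaryEncoded -Password $pfxPassword
[System.IO.File]::WriteAllBytes('C:\Certs\mail.domain.com.pfx', $export.FileData)

Import-ExchangeCertificate -Server 'EXCH2016B' -PrivateKeyExportable $true `
    -Password $pfxPassword `
    -FileData ([System.IO.File]::ReadAllBytes('C:\Certs\mail.domain.com.pfx'))

# 6. Verify which certificate each service is actually using on each server.
foreach ($s in $Server, 'EXCH2016B') {
    Get-ExchangeCertificate -Server $s |
        Where-Object { $_.Services -ne 'None' } |
        Format-Table @{n='Server';e={$s}}, Thumbprint, Services, NotAfter, Subject -AutoSize
}
```

Delete the .pfx file once the import on the second server has been verified; it carries the private key and is protected only by the password you chose.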

Configure Outlook Anywhere

  • The Outlook Anywhere external URL is set to the external host name of the Exchange 2016 server.
  • Client authentication, which is used to allow clients like Outlook 2016 to authenticate with Exchange, is set to Basic.
  • Internet Information Services (IIS) authentication, which is used to allow Exchange servers to communicate, set to NTLM and Basic.

Perform the following steps to enable and configure Outlook Anywhere on your Exchange 2010 servers. The following command will change the configuration of Outlook Anywhere on any Exchange 2010 server in your organization on which it’s already enabled.

  1. Open the Exchange Management Shell on your Exchange 2010 Client Access server.
  2. Store the external host name of your Internet-facing Exchange 2016 Mailbox server in a variable that will be used in the next steps. For example, mail.domain.com.

$Exchange2016HostName = "mail.domain.com"

  3. Run the following command to configure Exchange 2010 servers that already have Outlook Anywhere enabled to accept connections from Exchange 2016 servers.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 14*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-ClientAccessServer | Where {$_.OutlookAnywhereEnabled -Eq $True} | ForEach {Set-OutlookAnywhere "$_\RPC (Default Web Site)" -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName $Exchange2016HostName -IISAuthenticationMethods NTLM, Basic}

  4. Run the following command to enable Outlook Anywhere and configure Exchange 2010 to accept connections from Exchange 2016 servers.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 14*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-ClientAccessServer | Where {$_.OutlookAnywhereEnabled -Eq $False} | Enable-OutlookAnywhere -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName $Exchange2016HostName -IISAuthenticationMethods NTLM, Basic

To verify that you successfully configured Outlook Anywhere on your Exchange 2010 servers to accept connections redirected from Exchange 2016, do the following:

  1. Open the Exchange Management Shell on your Exchange 2010 Client Access server.
  2. Run the following command to view the Outlook Anywhere configuration on your Exchange 2010 servers.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 14*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-OutlookAnywhere | Format-Table Server, ClientAuthenticationMethod, IISAuthenticationMethods, SSLOffloading, ExternalHostname -Auto

Configure Edge Transport server

To make the best use of an Edge Transport server, you need to configure an Edge Subscription between the Edge Transport server and an Exchange 2016 Mailbox server in an Active Directory site. Edge Subscriptions automatically create Send connectors on the Edge Transport server based on the configuration of the Mailbox server it’s subscribed to. They also replicate recipient and other information to the Edge Transport server to improve anti-spam functionality.

Perform the following steps to configure your Edge Transport server 2016.

  1. Run the following command on the Edge Transport server.

New-EdgeSubscription -FileName "C:\Edge2016.xml"

  2. Copy the Edge2016.xml to your Mailbox server. Open the Exchange Management Shell on the Mailbox server that you want to subscribe to the Edge Transport server. This Mailbox server should be in the Active Directory site to which you want to subscribe the Edge Transport server.
  3. On the Mailbox server, run the following command. Specify the path to the location where you copied the Edge2016.xml file, and the Active Directory site where your Mailbox server is located.

New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\Edge2016.xml" -Encoding Byte -ReadCount 0)) -Site "Default-First-Site-Name" -CreateInternetSendConnector $true -CreateInboundSendConnector $true

  4. On the Mailbox server, run the following command.

Start-EdgeSynchronization

  5. On the Mailbox server, run the Test-EdgeSynchronization cmdlet. It gives you detailed information about whether the subscribed Edge Transport servers have a current and accurate synchronization status.

Test-EdgeSynchronization

Remove legacy Edge Subscriptions

Now that you’ve installed an Exchange 2016 Edge Transport server in your perimeter network, you need to remove the Edge Subscription between your legacy Edge Transport and Hub Transport servers so that mail flows through your new Exchange 2016 Edge Transport server. Make sure your firewall rules are changed to point to the new Edge servers.

Perform the following steps to remove the Edge Subscription between your legacy Edge Transport and Hub Transport servers.

  1. Log on to your legacy Edge Transport server.
  2. Run the following command to find the name of the Edge Subscription on the server.

Get-EdgeSubscription

  3. Remove the Edge Subscription using the following command and the name of the subscription found in the previous step.

Remove-EdgeSubscription EXCH2013EDGE

  4. Log on to your legacy Hub Transport server.
  5. Run the following command to find the name of the Edge Subscription on the server.

Get-EdgeSubscription

  6. Remove the Edge Subscription using the following command and the name of the subscription found in the previous step.

Remove-EdgeSubscription EXCH2013

On both the Edge Transport and the Hub Transport server, run the Get-EdgeSubscription cmdlet. No Edge Subscriptions should be listed.

Get-EdgeSubscription

Configure service connection point

  1. Open the Exchange Management Shell on your Exchange 2010 Client Access server.
  2. Store the Autodiscover host name of your Internet-facing Exchange 2016 Mailbox server in a variable that will be used in the next step. For example, autodiscover.domain.com.

$AutodiscoverHostName = "autodiscover.domain.com"

  3. Run the following command to set the SCP object on every Exchange 2010 server to the Autodiscover URL of the new Exchange 2016 server.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 14*") -And ($_.ServerRole -Like "*ClientAccess*")} | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$AutodiscoverHostName/Autodiscover/Autodiscover.xml

Perform the following steps to configure the SCP object on your Exchange 2013 servers.

  1. Open the Exchange Management Shell on your Exchange 2013 Client Access server.
  2. Store the Autodiscover host name of your Internet-facing Exchange 2016 Mailbox server in a variable that will be used in the next step. For example, autodiscover.domain.com.

$AutodiscoverHostName = "autodiscover.domain.com"

  3. Run the following command to set the SCP object on every Exchange 2013 server to the Autodiscover URL of the new Exchange 2016 server.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 15.0*") -And ($_.ServerRole -Like "*ClientAccess*")} | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$AutodiscoverHostName/Autodiscover/Autodiscover.xml

Perform the following steps to configure the SCP object on your Exchange 2016 servers.

  1. Open the Exchange Management Shell on your Exchange 2016 Mailbox server.
  2. Store the Autodiscover host name of your Exchange 2016 Mailbox server in a variable that will be used in the next step. For example, autodiscover.domain.com.

$AutodiscoverHostName = "autodiscover.domain.com"

  3. Run the following command to set the SCP object on every Exchange 2016 server to the Autodiscover URL of the new Exchange 2016 server.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 15.1*") -And ($_.ServerRole -Like "*Mailbox*")} | Set-ClientAccessService -AutoDiscoverServiceInternalUri https://$AutodiscoverHostName/Autodiscover/Autodiscover.xml

To verify that you successfully configured the AutoDiscoverServiceInternalUri property on your Exchange 2010 and Exchange 2013 servers with the Exchange 2016 Autodiscover URL, do the following:

  1. Open the Exchange Management Shell on your Exchange 2010 or Exchange 2013 Client Access server.
  2. Run the following commands to view the SCP object configuration on your Exchange 2010 servers and on your Exchange 2013 servers respectively.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 14*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-ClientAccessServer | Format-Table Name, AutoDiscoverServiceInternalUri -Auto

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 15*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-ClientAccessServer | Format-Table Name, AutoDiscoverServiceInternalUri -Auto
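The two verification steps in this guide (Outlook Anywhere on the 2010 servers, and the Autodiscover SCP on every server) only list the current values; you still have to read them. The following added example, written for this article rather than taken from it, compares what each server reports against the values the guide sets and returns only the servers that drift. It is meant to be run from the Exchange 2016 Management Shell, because Get-ClientAccessService only exists there; the expected host names are assumptions.

```powershell
# Added example: flag Exchange servers whose Outlook Anywhere or Autodiscover SCP
# settings differ from what this guide configures. Host names are assumptions.
$ExpectedExternal     = 'mail.domain.com'
$ExpectedAutodiscover = 'https://autodiscover.domain.com/Autodiscover/Autodiscover.xml'

function Test-OutlookAnywhereConfig {
    # One object per server; Ok=$false when any setting differs from the guide.
    foreach ($oa in Get-OutlookAnywhere) {
        $problems = @()
        if ("$($oa.ExternalHostname)" -ne $ExpectedExternal) {
            $problems += "ExternalHostname=$($oa.ExternalHostname)"
        }
        if ($oa.SSLOffloading) { $problems += 'SSLOffloading is enabled' }
        if ($oa.IISAuthenticationMethods -notcontains 'NTLM') {
            $problems += 'NTLM missing from IISAuthenticationMethods'
        }
        [pscustomobject]@{
            Server   = $oa.Server
            Ok       = ($problems.Count -eq 0)
            Problems = ($problems -join '; ')
        }
    }
}

function Test-AutodiscoverScp {
    # Exchange 2010/2013 expose the SCP through Get-ClientAccessServer,
    # Exchange 2016 through Get-ClientAccessService.
    $servers = Get-ExchangeServer | Where-Object {
        $_.ServerRole -like '*ClientAccess*' -or $_.AdminDisplayVersion -like 'Version 15.1*'
    }
    foreach ($srv in $servers) {
        $scp = if ($srv.AdminDisplayVersion -like 'Version 15.1*') {
            Get-ClientAccessService -Identity $srv.Name
        } else {
            Get-ClientAccessServer -Identity $srv.Name
        }
        $uri = "$($scp.AutoDiscoverServiceInternalUri)"
        [pscustomobject]@{
            Server  = $srv.Name
            Version = "$($srv.AdminDisplayVersion)"
            Scp     = $uri
            Ok      = ($uri -eq $ExpectedAutodiscover)
        }
    }
}

# Only the servers that still need attention are printed.
Test-OutlookAnywhereConfig | Where-Object { -not $_.Ok } | Format-Table -AutoSize
Test-AutodiscoverScp       | Where-Object { -not $_.Ok } | Format-Table -AutoSize
```

A server that appears in either list after the cutover is one whose clients may still be directed at the legacy servers, or one accepting Outlook Anywhere connections without the authentication methods the Exchange 2016 proxy expects.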

Configure DNS records

It’s time to change your DNS records to direct connections to your new Exchange 2016 servers. You’ll move the host names (for example, mail.domain.com) that users have been using to connect to Outlook Web Access (now known as Outlook on the web in Exchange 2016), Autodiscover, and so on, from the existing Exchange servers to the new Exchange 2016 server.

The other option is to leave your public DNS records unchanged: instead of pointing them at a new external IP address for the Exchange 2016 Edge server, reconfigure your firewall to route connections for the original IP address to the Exchange 2016 server instead of the Exchange 2010/2013 server. The existing Exchange Client Access server no longer needs to be accessible from the Internet because all connections will be proxied by the Exchange 2016 server. If you choose to reconfigure your firewall, you don’t need to change your public DNS records. If you do change DNS records, lower the TTL to 10 minutes beforehand to minimize the impact, and the records should look like the following.

External DNS records

  FQDN                      Record type   Value                                    TTL
  domain.com                MX            mail.domain.com                          10 minutes
  mail.domain.com           A             Public IP address, e.g. 203.17.x.x       10 minutes
  autodiscover.domain.com   A             Public IP address, e.g. 203.17.x.x       10 minutes

Internal DNS records

  FQDN                      Record type   Value                                    TTL
  mail.domain.com           CNAME         EXCH2016.domain.com                      10 minutes
  autodiscover.domain.com   A             Internal IP address, e.g. 10.142.x.x     10 minutes
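Once the records are changed (or the firewall is repointed), confirm from both sides of the firewall that each name resolves to the new endpoint and that the TTL really was lowered, since a stale cached record is the usual reason some clients keep hitting the old server after cutover. The following is an added example for this article, not code from the original page; the IP addresses, the public resolver and the internal DNS server address are constructed placeholders, and it uses Resolve-DnsName from the Windows DnsClient module.

```powershell
# Added example: check the external and internal DNS records from the tables above.
# Addresses, resolvers and expected values are constructed placeholders.
$Checks = @(
    @{ Name='domain.com';              Type='MX';    Expect='mail.domain.com';     Server='8.8.8.8'    }
    @{ Name='mail.domain.com';         Type='A';     Expect='203.17.0.10';         Server='8.8.8.8'    }
    @{ Name='autodiscover.domain.com'; Type='A';     Expect='203.17.0.10';         Server='8.8.8.8'    }
    @{ Name='mail.domain.com';         Type='CNAME'; Expect='EXCH2016.domain.com'; Server='10.142.0.5' }
    @{ Name='autodiscover.domain.com'; Type='A';     Expect='10.142.0.20';         Server='10.142.0.5' }
)

function Test-ExchangeDnsCutover {
    param([int]$MaxTtlSeconds = 600)   # the 10 minute TTL recommended above
    foreach ($c in $Checks) {
        try {
            # -DnsOnly bypasses the local cache and hosts file so the answer is the server's.
            $answers = Resolve-DnsName -Name $c.Name -Type $c.Type -Server $c.Server `
                                       -DnsOnly -ErrorAction Stop
        } catch {
            [pscustomobject]@{ Name=$c.Name; Type=$c.Type; Resolver=$c.Server
                               Value=$null; TTL=$null; Ok=$false; Note=$_.Exception.Message }
            continue
        }
        # A CNAME query also returns the chained A record; keep only the requested type.
        $rec = $answers | Where-Object { "$($_.Type)" -eq $c.Type } | Select-Object -First 1
        $value = switch ($c.Type) {
            'MX'    { $rec.NameExchange }
            'CNAME' { $rec.NameHost }
            default { $rec.IPAddress }
        }
        $note = if ($rec.TTL -gt $MaxTtlSeconds) { "TTL above $MaxTtlSeconds s" } else { '' }
        [pscustomobject]@{
            Name = $c.Name; Type = $c.Type; Resolver = $c.Server; Value = $value; TTL = $rec.TTL
            Ok   = (($value -eq $c.Expect) -and ($rec.TTL -le $MaxTtlSeconds)); Note = $note
        }
    }
}

Test-ExchangeDnsCutover | Format-Table -AutoSize
```

Run it once before changing the records (expect the old values with the lowered TTL) and again after; a row with Ok=False and a high TTL means the previous long TTL is still being served and clients will keep the old answer for that long.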

Migrating Mailboxes from Exchange 2010/2013 to Exchange 2016:

Move arbitration mailbox

  1. In the EAC, go to Recipients > Migration.
  2. Click New , and then click Move to a different database.
  3. On the New local mailbox move page, click Select the users that you want to move, and then click Add .
  4. On the Select Mailbox page, add the mailboxes that have the following aliases:
    • SystemMailbox{1f05a927-7bd0-47e5-9b6a-0b5ec3f44403}
    • FederatedEmail.4c1f4d8b-8179-4148-93bf-00a95fa1e042
    • DiscoverySearchMailbox{D919BA05-46A6-415f-80AD-7E09334BB852}
    • SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}
    • SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}
    • Migration.8f3e7716-2011-43e4-96b1-aba62d229136
  5. Click OK, and then click Next.
  6. On the Move configuration page, type the name of the migration batch, and then click Browse next to the Target database box.
  7. On the Select Mailbox Database page, add the mailbox database to move the system mailbox to. Verify that the version of the mailbox database that you select is Version 15.1, which indicates that the database is located on an Exchange 2016 server.
  8. Click OK, and then click Next.
  9. On the Start the batch page, select the options to automatically start and complete the migration request, and then click New.

Move mailboxes to Exchange 2016

Since you have built a co-existence environment, you can move mailboxes to your Exchange 2016 Mailbox server. To move mailboxes to your Exchange 2016 Mailbox server, you’ll need to use the

  1. Open the EAC by browsing to the URL of your Mailbox server. For example, https://EXCH2016/ECP.
  2. Enter your user name and password in Domain\user name and Password, and then click Sign in.
  3. Go to Recipients > Migration, click Add , and then select Move to a different database.
  4. Under Select the users that you want to move, click Add .
  5. In the Select Mailbox window, select the mailboxes you want to move, and then click Add and then OK.
  6. Verify that the mailboxes you want to move are listed, and then click Next.
  7. Specify a name for the new mailbox move, and verify that Move the primary mailbox and the archive mailbox, if one exists, is selected.
  8. Under Target database, click Browse.
  9. In the Select Mailbox Database window, select a mailbox database on the Exchange 2016 server that you want to move the mailboxes to, click Add and then OK.
  10. Verify that the mailbox database displayed in Target database is correct, and then click Next.
  11. Decide which user should receive the mailbox move report once the move is complete. By default, the current user will receive the move report. If you want to change which user receives the report, click Browse, and then select a different user.
  12. Verify Automatically start the batch is selected.
  13. Decide whether you want to have mailbox moves complete automatically. During the finalization phase, the mailbox is unavailable for a short time. If you choose to manually complete the mailbox move, you can decide when the move is finalized. For example, you might want to finalize the move during off-work hours. Select or clear Automatically complete the migration batch.
  14. Click New.
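Both EAC procedures above, the arbitration mailbox move and the user mailbox batch, can be scripted so they are repeatable and leave a record. The following is an added example written for this article, not code from the original page; the target database name, the CSV path and contents, and the notification address are assumptions.

```powershell
# Added example: move the arbitration mailboxes and create a local migration batch for
# user mailboxes from the Exchange Management Shell on the Exchange 2016 server.
# Database name, CSV path and notification address are assumptions.
$TargetDb = 'EXCH2016-DB01'

# 1. Arbitration (system) mailboxes: the SystemMailbox / FederatedEmail /
#    DiscoverySearchMailbox / Migration mailboxes listed above. Select every one
#    that is still hosted on a server older than Exchange 2016 (Version 15.1).
$legacyArbitration = Get-Mailbox -Arbitration | Where-Object {
    (Get-ExchangeServer -Identity $_.ServerName).AdminDisplayVersion -notlike 'Version 15.1*'
}
$legacyArbitration | New-MoveRequest -TargetDatabase $TargetDb -BatchName 'Arbitration-to-2016'

# 2. User mailboxes: a local migration batch driven by a CSV with an EmailAddress
#    column. Constructed sample content of C:\Migrate\batch1.csv:
#        EmailAddress
#        alice@domain.com
#        bob@domain.com
$batch = New-MigrationBatch -Name 'Users-Batch1' -Local `
    -CSVData ([System.IO.File]::ReadAllBytes('C:\Migrate\batch1.csv')) `
    -TargetDatabases $TargetDb `
    -NotificationEmails 'exchange-admins@domain.com' `
    -BadItemLimit 10 `
    -AutoStart
# AutoComplete is deliberately not set: the brief outage in the finalization phase is
# scheduled by hand, which is the "manually complete" choice in step 13 above.
# During the maintenance window run:
#     Complete-MigrationBatch -Identity 'Users-Batch1'

# 3. Progress of both.
Get-MoveRequest -BatchName 'Arbitration-to-2016' |
    Get-MoveRequestStatistics |
    Format-Table DisplayName, Status, PercentComplete, TargetDatabase -AutoSize

Get-MigrationBatch -Identity 'Users-Batch1' |
    Format-List Status, TotalCount, SyncedCount, FailedCount, NotificationEmails
```

The -BadItemLimit value is a choice, not a default: items skipped under it are lost in the move, so review the move report for any mailbox whose BadItemsEncountered is above zero before completing the batch.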

Migrate public folders from Exchange 2013 to Exchange 2016

To migrate your Exchange 2013 public folders to Exchange 2016, you need to move all of your Exchange 2013 public folder mailboxes to an Exchange 2016 server. Before you move your public folder mailboxes, here are some things you should think about:

  • Exchange 2016 capacity Make sure the Exchange 2016 servers where you’ll move your public folder mailboxes have enough storage capacity.
  • Time to move It might take a while for your public folder mailboxes to be moved to Exchange 2016. Things that could impact how long it’ll take include public folder mailbox size, the number of public folder mailboxes, available network capacity, and other factors.

Perform the following steps to move your public folder mailboxes from Exchange 2013 to Exchange 2016.

  1. Open the Exchange Management Shell on your Exchange 2016 Mailbox server.
  2. Run the following command to get a list of Exchange 2016 mailbox databases you can move your public folder mailboxes to. You can use this information to check how much drive space is available for each Exchange 2016 mailbox database.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 15.1*") -And ($_.ServerRole -Like "*Mailbox*")} | Get-MailboxDatabase | Format-Table Name, EdbFilePath, Server

  3. Run the following command to get a list of Exchange 2013 public folder mailboxes. The list this command creates includes the public folder mailbox name, its size, and what Exchange 2013 server it’s on.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 15.0*") -And ($_.ServerRole -Like "*Mailbox*")} | Get-Mailbox -PublicFolder | Get-MailboxStatistics | Format-Table DisplayName, TotalItemSize, ServerName

  4. You can use the information from the previous command to decide which Exchange 2016 server to move some or all of your public folder mailboxes to. For example, you might not want to move three large public folder mailboxes to a server with low available drive space. Replace the Exchange server, database, and public folder mailbox names with your own.
  5. Move all Exchange 2013 public folder mailboxes at once.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 15.0*") -And ($_.ServerRole -Like "*Mailbox*")} | Get-Mailbox -PublicFolder | New-MoveRequest -TargetDatabase EXCH2016MbxDatabase

  6. Move all public folder mailboxes on a specific Exchange 2013 server at once.

Get-Mailbox -PublicFolder -Server EXCH2013Mbx | New-MoveRequest -TargetDatabase EXCH2016MbxDatabase

  7. Move a specific Exchange 2013 public folder mailbox.

New-MoveRequest "Sales Public Folder Mailbox" -TargetDatabase EXCH2016MbxDatabase

  8. Use the following command to see the status of the move requests you created. Depending on the size of the public folder mailboxes you’re moving and your available network capacity, it could take several hours or days for the moves to complete.

Get-MoveRequest

Do the following to check the status of your move requests:

  1. Open the Exchange Management Shell on your Exchange 2016 Mailbox server.
  2. Run the following command to see the status of the move requests you created.

Get-MoveRequest

The command above will return each move request you created along with one of the following statuses:

  • Completed The public folder mailbox was successfully moved to the target Exchange 2016 mailbox database.
  • CompletedWithWarning The public folder mailbox was moved to the target Exchange 2016 mailbox database, but one or more issues were encountered during the move.
  • CompletionInProgress The public folder mailbox’s move to the target Exchange 2016 mailbox database is in its final stages. Public folders hosted in this mailbox may be unavailable for a brief period of time while the move is finalized.
  • InProgress The public folder mailbox’s move to the target Exchange 2016 mailbox database is underway. Public folders hosted in this mailbox are available during this portion of the move.
  • Failed The public folder mailbox’s move failed for one or more reasons. You can find more information by viewing the move report that was delivered to the Administrator mailbox.
  • Queued The public folder mailbox’s move has been submitted but the move hasn’t started yet.
  • AutoSuspended The public folder mailbox’s move is ready to enter its final stages but won’t proceed further until you manually resume the move. To resume the move when you’re ready, use the Resume-MoveRequest cmdlet.
  • Suspended The public folder mailbox’s move has been suspended by the Suspend-MoveRequest cmdlet and won’t proceed further until you manually resume the move. To resume the move when you’re ready, use the Resume-MoveRequest cmdlet.

Do the following to view the location of your public folder mailboxes after their move request has completed:

  1. Open the Exchange Management Shell on your Exchange 2016 Mailbox server.
  2. Run the following command to see the location of your public folder mailboxes.

Get-Mailbox -PublicFolder | Get-MailboxStatistics | Format-Table DisplayName, TotalItemSize, ServerName

In the list of public folder mailboxes that is returned, verify that each has been moved to an Exchange 2016 Mailbox server.
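Get-MoveRequest on its own only prints one status word per request. The following added example, written for this article and not taken from the original page, turns the status list above into a report: it counts requests per status, surfaces the failure message for Failed moves and the bad-item count for CompletedWithWarning moves, optionally resumes AutoSuspended moves when you pass -Resume during a maintenance window, and finally lists any public folder mailbox that is still not on an Exchange 2016 server. The -Resume switch name is the only assumption.

```powershell
# Added example: status report for public folder (or any) mailbox move requests,
# using the statuses described above. Run from the Exchange 2016 Management Shell.
function Get-MoveRequestReport {
    param([switch]$Resume)   # resume AutoSuspended moves (do this in a maintenance window)

    $stats = Get-MoveRequest | Get-MoveRequestStatistics

    # Overview: how many requests are in each state.
    $stats | Group-Object -Property Status |
        Select-Object @{n='Status';e={$_.Name}}, Count | Format-Table -AutoSize

    foreach ($s in $stats) {
        switch ("$($s.Status)") {
            'Failed' {
                # Re-query with the full report; Message holds the last error recorded.
                $detail = Get-MoveRequestStatistics -Identity $s.MailboxIdentity -IncludeReport
                Write-Warning ("{0}: failed ({1}) - {2}" -f $s.DisplayName, $detail.FailureType, $detail.Message)
            }
            'CompletedWithWarning' {
                Write-Warning ("{0}: completed with {1} bad item(s) skipped" -f $s.DisplayName, $s.BadItemsEncountered)
            }
            'AutoSuspended' {
                if ($Resume) {
                    Resume-MoveRequest -Identity $s.MailboxIdentity
                    Write-Host "$($s.DisplayName): resumed for finalization"
                }
            }
        }
    }

    # Public folder mailboxes not yet hosted on Exchange 2016 (Version 15.1).
    $notMoved = Get-Mailbox -PublicFolder | Where-Object {
        (Get-ExchangeServer -Identity $_.ServerName).AdminDisplayVersion -notlike 'Version 15.1*'
    }
    if ($notMoved) {
        Write-Warning ("Public folder mailboxes still on legacy servers: {0}" -f ($notMoved.Name -join ', '))
    }

    # Per-request detail for the caller to inspect or export.
    $stats | Select-Object DisplayName, Status, PercentComplete, BadItemsEncountered, TargetDatabase
}

Get-MoveRequestReport | Format-Table -AutoSize
# Get-MoveRequestReport -Resume | Export-Csv C:\Migrate\pf-moves.csv -NoTypeInformation
```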

Post Cutover Tasks

Remove Legacy Exchange Servers

Removing Exchange 2010 after Coexistence with Exchange 2010/2013

If you’re removing Exchange 2010 after being in coexistence mode with Microsoft Exchange Server 2013, make sure you have completed the following checklist before you uninstall Exchange 2010 from your organization:

  • All Client Access server FQDNs are pointing to Exchange 2013.
  • All mail flow connectors are pointing to Exchange 2013.
  • All user and arbitration mailboxes have been moved to Exchange 2013.
  • If you were using public folders, make sure the public folders databases have been migrated to Exchange 2013.
  • Any Exchange 2010 CAS arrays you have configured must be removed.
  • Make a list of applications that may be using Exchange 2010 and then make sure to configure these applications to start using Exchange 2013 if necessary.
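The checklist above is easy to run through by hand once, but the same checks are worth scripting so the uninstall is blocked by evidence rather than memory. The following added example, written for this article and not part of the original page, audits one legacy server for mailboxes, arbitration mailboxes, public folder databases, CAS arrays and Send connectors that still reference it. It is meant to be run from the Exchange 2010 Management Shell (Get-PublicFolderDatabase and Get-ClientAccessArray do not exist on Exchange 2016); the server name is an assumption, and the last item of the checklist (third-party applications) cannot be discovered from Exchange and must still be done by hand.

```powershell
# Added example: pre-decommission audit for a legacy Exchange 2010 server.
# Run from the Exchange 2010 Management Shell. Server name is an assumption.
function Test-LegacyExchangeRemovable {
    param([Parameter(Mandatory)][string]$LegacyServer)

    $findings = @()

    $mbx = @(Get-Mailbox -Server $LegacyServer -ResultSize Unlimited)
    if ($mbx.Count) { $findings += "$($mbx.Count) user mailbox(es) still on $LegacyServer" }

    $arb = @(Get-Mailbox -Server $LegacyServer -Arbitration)
    if ($arb.Count) { $findings += "$($arb.Count) arbitration mailbox(es) still on $LegacyServer" }

    $pf = @(Get-PublicFolderDatabase -Server $LegacyServer -ErrorAction SilentlyContinue)
    if ($pf.Count) { $findings += "public folder database(s) still on $LegacyServer: $($pf.Name -join ', ')" }

    $dbs = @(Get-MailboxDatabase -Server $LegacyServer | Where-Object { $_.Mounted })
    if ($dbs.Count) { $findings += "mounted mailbox database(s) on $LegacyServer: $($dbs.Name -join ', ')" }

    $arrays = @(Get-ClientAccessArray -ErrorAction SilentlyContinue)
    if ($arrays.Count) { $findings += "CAS array(s) still defined: $($arrays.Name -join ', ')" }

    $send = @(Get-SendConnector | Where-Object { $_.SourceTransportServers.Name -contains $LegacyServer })
    if ($send.Count) { $findings += "Send connector(s) still sourced from $LegacyServer: $($send.Name -join ', ')" }

    $owa = @(Get-OwaVirtualDirectory -Server $LegacyServer | Where-Object { $_.ExternalUrl })
    if ($owa.Count) { $findings += "OWA virtual directory on $LegacyServer still has an ExternalUrl set" }

    [pscustomobject]@{
        Server    = $LegacyServer
        Removable = ($findings.Count -eq 0)
        Findings  = $findings
    }
}

$audit = Test-LegacyExchangeRemovable -LegacyServer 'EXCH2010'
$audit | Format-List
if (-not $audit.Removable) { Write-Warning 'Do not uninstall yet; resolve the findings above first.' }
```

The ExternalUrl check is there because a legacy server that still advertises an external URL may keep receiving proxied client traffic even after DNS has moved; clear or repoint it as part of the "FQDNs are pointing to Exchange 2013" item.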

Mount the Exchange 2010/2013 ISO. You can either run the Exchange 2010/2013 Setup.exe or navigate to Control Panel to modify or remove Exchange 2010/2013 (either server roles or the entire installation).

  1. The Maintenance Mode page of the Exchange Server 2010/2013 Setup wizard begins the process of changing or removing your Exchange installation. Click Next to continue.
  2. On the Server Role Selection page, select the Exchange server roles that you want to add (if you’re changing an installation) or remove (if you’re removing one or more server roles or an entire installation). Click Next to continue.
  3. On the Readiness Checks page, view the status to determine if the organization and server role prerequisite checks completed successfully. If the prerequisites check doesn’t complete successfully, review the Summary page to help troubleshoot and fix any issues that are preventing Setup from completing. If the checks have completed successfully, click Install if you want to add a server role or Uninstall to remove the specified server role(s) or the entire installation of Exchange 2010.
  4. On the Completion page, click Finish.
  5. Remove the computer from the domain and shut it down.

Similar Articles:

Exchange 2010 to exchange 2013 migration

Exchange 2013 Upgrade, Migration and Co-existence

Understanding Network Virtualization in SCVMM 2012 R2

Networking in SCVMM is a communication mechanism to and from SCVMM Server, Hyper-v Hosts, Hyper-v Cluster, virtual machines, application, services, physical switches, load balancer and third party hypervisor. Functionality includes:

SCVMM Network

Logical networking of almost “anything” hosted in SCVMM. A logical network is the complete identification, transport and forwarding of Ethernet traffic in a virtualized environment.

  • Provision and manage logical networks resources of private and public cloud
  • Management of Logical networks, subnets, VLAN, Trunk or Uplinks, PVLAN, Mac address pool, Templates, profiles, static IP address pool, DHCP address pool, IP Address Management (IPAM)
  • Integrate and manage third party hardware load balancer and Cisco virtual switch 1000v
  • Provide functionality of Virtual IP Addresses (VIPs), quality of service (QoS), monitor network traffic and virtual switch extensions
  • Creation of virtual switches and virtual network gateways

Network Virtualization – Network virtualization is the counterpart of server virtualization: it allows you to abstract and run multiple virtual networks on a single physical network.

  • Connects virtual machines to other virtual machines, hosts, or applications running on the same logical network.
  • Provides location-independent migration of virtual machines: when a VM is moved from its original host to a different host, SCVMM automatically migrates its virtual network with it so that the VM stays connected to the rest of the infrastructure.
  • Allows multiple tenants to have their own isolated networks for security and privacy reason.
  • Allows unique IP address ranges for a tenant for management flexibility.
  • Communicate using a gateway of a site or a different site if permitted by firewall
  • Connect a VM running on a virtual network to any physical network in the same site or a different location.
  • Connect cross-network using an inbox NVGRE gateway that can be deployed as a VM to provide this cross-network interoperability.

Network Virtualization is defined in Fabric>Networking Tab of SCVMM 2012 R2 management console. Virtual Machine networking is defined in VMs and Services>VM Networks Tab of SCVMM 2012 R2 management console.

Host Config

Network virtualization terminology in SCVMM 2012 R2:

Fabric.networking

Logical networks: A logical network in VMM contains the VLAN, PVLAN and subnet information of a site on a Hyper-V host or Hyper-V cluster. An IP address pool and a VM network can be associated with a logical network, and a logical network can connect to one or many other networks and vice versa. The purpose of each logical network, and whether it is exposed to the tenant cloud, is:

Logical network: External (tenant cloud: Yes)
  • Site-to-site endpoint IP addresses
  • Load balancer virtual IP addresses (VIPs)
  • Network address translation (NAT) IP addresses for virtual networks
  • Tenant VMs that need direct connectivity to the external network with full inbound access

Logical network: Infrastructure (tenant cloud: No)
  • Used for service provider infrastructure, including host management, live migration, failover clustering, and remote storage. It cannot be accessed directly by tenants.

Logical network: Load Balancer (tenant cloud: Yes)
  • Uses static IP addresses
  • Has outbound access to the external network via the load balancer
  • Has inbound access that is restricted to only the ports that are exposed through the VIPs on the load balancer

Logical network: Network Virtualization (tenant cloud: Yes)
  • This network is automatically used for allocating provider addresses when a VM that is connected to a virtual network is placed onto a host.
  • Only the gateway VMs connect to this directly.
  • Tenant VMs connect to their own VM network. Each tenant’s VM network is connected to the Network Virtualization logical network.
  • A tenant VM will never connect to this directly.
  • Static IP addresses are automatically assigned.

Logical network: Gateway (tenant cloud: No)
  • Associated with forwarding gateways, which require one logical network per gateway. For each forwarding gateway, a logical network is associated with its respective scale unit and forwarding gateway.

Logical network: Services (tenant cloud: No)
  • The Services network is used for connectivity between services in the stamp by public-facing Windows Azure Pack features, and for SQL Server and MySQL Database DBaaS deployments.
  • All deployments on the Services network are behind the load balancer and accessed through a virtual IP (VIP) on the load balancer.
  • This logical network is also designed to provide support for any service provider-owned service and is likely to be used by high-density web servers initially, but potentially many other services over time.

IP Address Pool: An IP address pool is a range of IP addresses assigned to a logical network in a site which provides IP address, subnets, gateway, DNS, WINS related information to virtual machines and applications.

MAC Address Pool: A MAC address pool contains the default MAC address ranges assigned to the virtual network adapters of virtual machines. You can also create a customised MAC address pool and assign that pool to virtual machines.

  Pool name                        Vendor                          MAC address range
  Default MAC address pool         Hyper-V and Citrix XenServer    00:1D:D8:B7:1C:00 – 00:1D:D8:F4:1F:FF
  Default VMware MAC address pool  VMware ESX                      00:50:56:00:00:00 – 00:50:56:3F:FF:FF

Hardware Load Balancer: Hardware load balancer support is functionality within SCVMM networking that provides third-party load balancing of applications and services. A virtual IP or an IP address pool can be associated with a hardware load balancer.

VIP Templates: A VIP template is a standard template used to define the virtual IP addresses associated with a hardware load balancer. A VIP is allocated to an application, service or virtual machine hosted in SCVMM 2012 R2. The template specifies the load-balancing behaviour (for example for HTTPS traffic) on a specific load balancer, by manufacturer and model.

Logical Switch: Logical switches act as containers for the properties or capabilities that you want network adapters to have. Instead of configuring individual properties or capabilities for each network adapter, you can specify the capabilities in port profiles and logical switches, which you can then apply to the appropriate adapters. A logical switch acts as an extension of a physical switch, with the major difference that you don’t have to drive to the data center, take a patch lead and connect it to a computer, then configure the switch ports and assign a VLAN tag to each port. The logical switch is where you define the uplinks (physical adapters) of Hyper-V hosts and associate those uplinks with logical networks and sites.

Port Profiles: Port profiles act as containers for the security and privacy settings that you want network adapters to have. Instead of configuring individual properties or capabilities for each network adapter, you can specify these capabilities in port profiles, which you can then apply to the appropriate adapters. Port profiles are associated with uplinks in a logical switch.

Port Classification: Port classifications provide global names for identifying different types of virtual network adapter port profiles. A port classification can be used across multiple logical switches while the settings for the port classification remain specific to each logical switch. For example, you might create one port classification named FAST to identify ports that are configured to have more bandwidth, and another port classification named SLOW to identify ports that are configured to have less bandwidth.

Network Service: A network service is a container where you can add Windows and non-Windows network gateways, as well as IP address management and monitoring information. An example is an IP Address Management (IPAM) server running on Windows Server 2012 R2 that provides resources to VMM. You can use the IPAM server in the network resources tab of SCVMM to configure and monitor logical networks and their associated network sites and IP address pools. You can also use the IPAM server to monitor the usage of VM networks that you have configured or changed in VMM.

Virtual switch extension: A virtual switch extension manager in SCVMM allows you to use a software-based vendor network-management console and the VMM management server together. For example, you can install the Cisco Nexus 1000V extension software on a VMM server and add the functionality of Cisco switches to the VMM console.

VM Network: A VM network on a logical network is the endpoint of network virtualization; it connects a virtual machine directly to allow public or private communication among VMs or with other networks and services. A VM network is associated with a logical network for direct access to other VMs.


Related Articles:

Cisco Nexus 1000V Switch for Microsoft Hyper-V

How to implement hardware load balancer in SCVMM

Understanding VLAN, Trunk, NIC Teaming, Virtual Switch Configuration in Hyper-v Server 2012 R2

How to implement hardware load balancer in SCVMM

The following procedure describes the Network Load Balancing functionality in Microsoft SCVMM. Microsoft native NLB is automatically included when you install SCVMM. This procedure describes how to install and configure a third-party load balancer in SCVMM.

Prerequisites:

Note: The load balancer provider is a third-party product and must be obtained from the third-party vendor's website using credentials for that vendor.

Step1: Download and install the load balancer provider, then restart the SCVMM services in Windows services. For Citrix NetScaler VPX, follow the procedure below.

  1. Log on to NetScaler using the nsroot account or an LDAP account.
  2. Click Dashboard, then click Downloads in the right-hand corner.
  3. Click NetScaler LB Provider for Microsoft System Center Virtual Machine Manager 2012 to download the load balancer provider.
  4. Copy the load balancer provider to the SCVMM server and install it.
  5. Restart the SCVMM Windows services.

Step2: Create a Run As Account for Load Balancer

  1. Open the Settings workspace.
  2. On the Home tab, in the Create group, click Create Run As Account.
  3. The Create Run As Account dialog box opens.
  4. Enter a name and optional description to identify the credentials in VMM.
  5. Enter credentials for the Run As account in the User name and Password text boxes. These are the username and password of the virtual load balancer that you downloaded from the third-party website and deployed in Hyper-V.
  6. Unselect Validate domain credentials.
  7. Click OK to create the Run As account.

Step3: Add the hardware load balancer. Follow the procedure below to add the load balancer.

  1. Open the Fabric workspace.
  2. In the Fabric pane, expand Networking, right-click Load Balancers, and then click Add Load Balancer.
  3. On the Credentials page, next to the Run As account box, click Browse, and then click the Run As account you created in Step 2, click OK, and then click Next.
  4. On the Host Group page, select the check box next to each host group where the load balancer will be available. By default, any child host groups are also selected.
  5. On the Manufacturer and Model page, specify the load balancer manufacturer and model, and then click Next.
  6. On the Address page, provide the IP address or FQDN and the port number of the load balancer, and then click Next.
  7. On the Logical Network Affinity page, specify the load balancer affinity to logical networks, and then click Next.
  8. On the Provider page, select the provider, click Test, and then click Next.
  9. On the Summary page, confirm the settings, and then click Finish.

Step4: Create a VIP template for the third-party hardware load balancer

You can create two types of VIP template: 1. Generic, 2. Vendor-specific.

For a vendor-specific load balancer, do the following.

  1. In Virtual Machine Manager (VMM), open the Fabric workspace.
  2. In the Fabric pane, expand Networking, and then click VIP Templates.
  3. On the Home tab, in the Show group, click Fabric Resources.
  4. On the Home tab, in the Create group, click Create VIP Template.
  5. On the Name page, type the name, description and port (443) of the template, and then click Next.
  6. On the Type page, select Specific, select the third-party vendor and NLB type, and then click Next.
  7. On the Protocol page, select TCP, UDP or both based on your requirement, then click Next, click Next, and click Finish.

For a generic load balancer provider, change step 6 to select Generic and then follow the steps below.

  1. In Virtual Machine Manager (VMM), open the Fabric workspace.
  2. In the Fabric pane, expand Networking, and then click VIP Templates.
  3. On the Home tab, in the Show group, click Fabric Resources.
  4. On the Home tab, in the Create group, click Create VIP Template.
  5. On the Name page, type the name, description and port (443) of the template, and then click Next.
  6. On the Type page, select Generic, and then click Next.
  7. On the Protocol page, select TCP, UDP or both based on your requirement, and then click Next. For HTTPS, the page offers the following options:
  • HTTPS pass-through: traffic terminates directly at the virtual machine and is not decrypted at the load balancer.
  • HTTPS terminate: traffic is decrypted at the load balancer and re-encrypted to the virtual machine. This option is best for Exchange OWA and other applications. You must log on to the load balancer portal, import the SSL certificate of OWA, and also select the re-encrypt option in the VIP template.
  • There are two other options on this page, HTTP and Custom.
  8. On the Persistence page, select either persistent or non-persistent (custom) traffic. Persistent traffic allows an OWA session to be directed to a specific Exchange CAS server.
  9. On the Load Balancing page, select Round-Robin, and then click Next.
  10. On the Health Monitor page, click Insert, enter the following, and then click Next.
  • Protocol: https
  • Request: GET /
  • Response: 200
  • Interval: 120
  • Timeout: 60
  • Retry: 3

Note: The time-out value should be less than the interval value. The interval and time-out values are in seconds.

  11. On the Load Balancing page, select the load balancing method, and then click Next.
  12. On the Summary page, review the settings, and then click Finish.

The next step is to create a load-balanced web services template and connect it to the load balancer. On the port profile of the VM's service template, you have to select network load balanced, then deploy the template into production.

Cisco Nexus 1000V Switch for Microsoft Hyper-V

Cisco Nexus 1000V Switch for Microsoft Hyper-V provides the following advanced features in Microsoft Hyper-V and SCVMM.

  • Integrates physical, virtual, and mixed environments
  • Allows dynamic policy provisioning and mobility-aware network policies
  • Improves security through integrated virtual services and advanced Cisco NX-OS features

The following table summarizes the capabilities and benefits of the Cisco Nexus 1000V Switch deployed with Microsoft Hyper-V and SCVMM.

Capability | Features | Benefits
Advanced Switching | Private VLANs, Quality of Service (QoS), access control lists (ACLs), port security, and Cisco vPath | Granular control of virtual machine-to-virtual machine interaction
Security | Dynamic Host Configuration Protocol (DHCP) Snooping, Dynamic Address Resolution Protocol Inspection, and IP Source Guard | Reduce common security threats in data center environments
Monitoring | NetFlow, packet statistics, Switched Port Analyzer (SPAN), and Encapsulated Remote SPAN | Gain visibility into virtual machine-to-virtual machine traffic to reduce troubleshooting time
Manageability | Simple Network Management Protocol, NetConf, syslog, and other troubleshooting command-line interfaces | Use existing network management tools to manage physical and virtual environments

The Cisco Nexus 1000V Series has two major components:

Virtual Ethernet Module (VEM): the software component embedded on each Hyper-V host as a forwarding extension. Each virtual machine on the host is connected to the VEM through a virtual Ethernet port.

Virtual Supervisor Module (VSM): the management module that controls multiple VEMs and helps define virtual machine (VM)-centric network policies.

Supported Configurations

  • Microsoft SCVMM 2012 SP1/R2
  • Up to 64 Microsoft Windows Server 2012/R2 Hyper-V hosts
  • 2048 virtual Ethernet ports per VSM, with 216 virtual Ethernet ports per physical host
  • 2048 active VLANs
  • 2048 port profiles
  • 32 physical NICs per physical host
  • Compatible with all Cisco Nexus and Cisco Catalyst switches as well as switches from other vendors

Comparison between Cisco Nexus 1000V editions:

Feature | Essential (free version) | Advanced
VLANs, PVLANs, ACLs, QoS, Link Aggregation Control Protocol (LACP), and multicast | Yes | Yes
Cisco vPath (for virtual services) | Yes | Yes
Cisco NetFlow, SPAN, and ERSPAN (for traffic visibility) | Yes | Yes
SNMP, NetConf, syslogs, etc. (for manageability) | Yes | Yes
Microsoft SCVMM integration | Yes | Yes
DHCP snooping | No | Yes
IP source guard | No | Yes
Dynamic ARP Inspection | No | Yes
Cisco VSG* | No | Yes

Installation Steps for Cisco Nexus 1000V Switch for Microsoft Hyper-V are:

Step1: Download Cisco Nexus 1000v Appliance/ISO

Log on to Cisco using your Cisco account and download the software from this URL.

Step2: Install SCVMM Components


Step3: Install and configure VSM


Step4: Configure SCVMM Fabric and VM Network


Step5: Prepare Hyper-v Hosts


Step6: Create 1000v logical switch


Step7: Create VMs or connect existing VMs with logical switch


References & Getting Started with Nexus 1000V

Cisco Nexus 1000v Quick Start Guide

Cisco Nexus 1000V Switch for Microsoft Hyper-V Deployment Guide

Cisco Nexus 1000v datasheet

Understanding VLAN, Trunk, NIC Teaming, Virtual Switch Configuration in Hyper-v Server 2012 R2

 

Design and Build Microsoft Distributed File System (DFS)

Supported:

  • Windows and DFS Replication support folder paths with up to 32 thousand characters.
  • DFS Replication is not limited to folder paths of 260 characters.
  • Replication groups can span across domains within a single forest
  • VSS with DFS is supported.

Scalability on Windows Server 2012 R2

  • Size of all replicated files on a server: 100 terabytes.
  • Number of replicated files on a volume: 70 million.
  • Maximum file size: 250 gigabytes.
  • Files are staged when they exceed a threshold that can be set from 16 KB to 1 MB. The default is 64 KB when RDC is enabled, and 256 KB on the sending member when RDC is disabled.
  • Up to 5000 folders with targets; maximum 50000 folders with targets.

Scalability on Windows Server 2008 R2

  • Size of all replicated files on a server: 10 terabytes.
  • Number of replicated files on a volume: 11 million.
  • Maximum file size: 64 gigabytes.

Unsupported:

  • Cross-forest replication is unsupported.
  • Using NTBackup to back up DFS folders remotely.
  • DFS in a workgroup environment.

Determining Time Zone in DFS

Coordinated Universal Time (UTC). This option causes the receiving member to treat the schedule as an absolute clock. For example, a schedule that begins at 0800 UTC is the same for any location, regardless of time zone or whether daylight saving time is in effect for a receiving member. For example, assume that you set replication to begin at 0800 UTC. A receiving member in Eastern Standard Time would begin replicating at 3:00 A.M. local time (UTC – 5), and a receiving member in Rome would begin replicating at 9:00 A.M. local time (UTC + 1). Note that the UTC offset shifts when daylight saving time is in effect for a particular location.

Local time of receiving member. This option causes the receiving member to use its local time to start and stop replication. Local time is determined by the time zone and daylight saving time status of the receiving member. For example, a schedule that begins at 8:00 A.M. will cause every receiving member to begin replicating when the local time is 8:00 A.M. Note that daylight saving time does not cause the schedule to shift. If replication starts at 9 A.M. before daylight saving time, replication will still start at 9 A.M. when daylight saving time is in effect.
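As an added illustration (not part of the original article), the following PowerShell computes when each receiving member starts replicating under the two schedule options, on a winter day and a summer day. The member names, dates and Windows time zone IDs are constructed for the example.

```powershell
# Added example: local start time of a DFS Replication schedule under the two
# schedule modes described above. Members, dates and zone IDs are constructed.
function Get-DfsrLocalStart {
    param(
        [Parameter(Mandatory)][ValidateSet('Utc', 'LocalTime')][string]$ScheduleMode,
        [Parameter(Mandatory)][int]$StartHour,      # schedule hour, e.g. 8 for 0800
        [Parameter(Mandatory)][datetime]$Day,       # calendar day being evaluated
        [Parameter(Mandatory)][string]$TimeZoneId   # receiving member's Windows time zone ID
    )
    if ($ScheduleMode -eq 'LocalTime') {
        # Local clock: the member starts whenever its own wall clock reads $StartHour,
        # so daylight saving time never shifts the start.
        return $Day.Date.AddHours($StartHour)
    }
    # Absolute clock: the same UTC instant for every member, shown in the member's
    # local time; the offset changes when daylight saving time is in effect.
    $tz  = [System.TimeZoneInfo]::FindSystemTimeZoneById($TimeZoneId)
    $utc = [datetime]::SpecifyKind($Day.Date.AddHours($StartHour), [System.DateTimeKind]::Utc)
    return [System.TimeZoneInfo]::ConvertTimeFromUtc($utc, $tz)
}

# Constructed members: one in US Eastern time, one in Rome.
$members = @(
    @{ Name = 'DFS-NYC';  TimeZoneId = 'Eastern Standard Time' },
    @{ Name = 'DFS-ROME'; TimeZoneId = 'W. Europe Standard Time' }
)

foreach ($day in @([datetime]'2015-01-15', [datetime]'2015-07-15')) {
    foreach ($m in $members) {
        $utcSched   = Get-DfsrLocalStart -ScheduleMode Utc       -StartHour 8 -Day $day -TimeZoneId $m.TimeZoneId
        $localSched = Get-DfsrLocalStart -ScheduleMode LocalTime -StartHour 8 -Day $day -TimeZoneId $m.TimeZoneId
        '{0} on {1:yyyy-MM-dd}: 0800 UTC schedule starts {2:HH:mm} local; 08:00 local schedule starts {3:HH:mm} local' -f `
            $m.Name, $day, $utcSched, $localSched
    }
}
```

For the New York member the UTC schedule lands at 03:00 in January but 04:00 in July, while the local-time schedule stays at 08:00 on both days, which is exactly the daylight saving shift the two notes above describe.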

Determine AD Forest

  • The forest uses the Windows Server 2003 or higher forest functional level.
  • The domain uses the Windows Server 2008 or higher domain functional level.
  • All namespace servers are running Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008.

Using RDC:

Remote differential compression (RDC) is a client-server protocol that can be used to efficiently update files over a limited-bandwidth network. RDC detects insertions, removals, and rearrangements of data in files, enabling DFS Replication to replicate only the changes when files are updated. RDC is used only for files that are 64 KB or larger by default. RDC can use an older version of a file with the same name in the replicated folder or in the DfsrPrivate\ConflictandDeleted folder (located under the local path of the replicated folder).

RDC is used when the file exceeds a minimum size threshold. This size threshold is 64 KB by default. After a file exceeding that threshold has been replicated, updated versions of the file always use RDC, unless a large portion of the file is changed or RDC is disabled.

  • RDC is available in Windows Server 2008 R2 Enterprise and Datacenter Edition.
  • RDC is available in Windows Server 2012/R2 Standard and Datacenter Edition.

DFS Namespaces Settings and Features

A referral is an ordered list of targets, transparent to the user that a client receives from a domain controller or namespace server when the user accesses the namespace root or a folder with targets in the namespace. The client caches the referral for a configurable period of time.

Targets in the client’s Active Directory site are listed first in a referral. (Targets given the target priority “first among all targets” will be listed before targets in the client’s site.) The order in which targets outside of the client’s site appear in a referral is determined by one of the following referral ordering methods:

  • Lowest cost
  • Random order
  • Exclude targets outside of the client’s site

Design the Replication Topology

To publish data, you will likely use a hub-and-spoke topology, where one or more hub servers are located in data centers, and servers in branch offices will connect to one or more hub servers. To prevent the hub servers from becoming overloaded, we recommend that fewer than 100 spoke members replicate with the hub server at any given time. If you need more than 100 spoke members to replicate with a hub server, set up a staggered replication schedule to balance the replication load of the hub server.

The lowest cost ordering method works properly for all targets only if the Bridge all site links option in Active Directory is enabled. (This option, as well as site link costs, are available in the Active Directory Sites and Services snap-in.) An Inter-site Topology Generator that is running Windows Server 2003 relies on the Bridge all site links option being enabled to generate the inter-site cost matrix that the Distributed File System service requires for its site-costing functionality. If the Bridge all site links option is enabled, the servers in a referral are listed in the following order:

  1. The server in the branch site.
  2. The server in regional data center site 1. (Cost = 10)
  3. The server in regional data center site 2. (Cost = 30)
  4. The server in regional data center site 3. (Cost = 50)
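The referral ordering rules described above (the "first among all targets" override, the client's own site first, then the ordering method for everything else), applied to the four servers and site costs just listed. This is an added example, not code from the article; the targets are constructed objects, and it also handles the "last among all targets" override that DFS offers but the article does not mention.

```powershell
# Added example: DFS referral ordering as described in the article. Targets are
# constructed; "LastAmongAll" goes beyond the article (it is the matching DFS override).
function Get-DfsReferralOrder {
    param(
        [Parameter(Mandatory)][object[]]$Targets,      # objects with Name, Site, SiteCost, Priority
        [Parameter(Mandatory)][string]$ClientSite,
        [ValidateSet('LowestCost', 'RandomOrder', 'ExcludeOutsideSite')]
        [string]$Method = 'LowestCost'
    )
    # Overrides: "first among all targets" lead the list, even ahead of the client's
    # own site; "last among all targets" trail it.
    $firstAll = @($Targets | Where-Object { $_.Priority -eq 'FirstAmongAll' })
    $lastAll  = @($Targets | Where-Object { $_.Priority -eq 'LastAmongAll' })
    $normal   = @($Targets | Where-Object { $_.Priority -eq 'Normal' })

    # Targets in the client's site come next; site cost plays no part for them.
    $inSite  = @($normal | Where-Object { $_.Site -eq $ClientSite })
    $outSite = @($normal | Where-Object { $_.Site -ne $ClientSite })

    # Everything outside the client's site is ordered by the namespace's method.
    switch ($Method) {
        'LowestCost'         { $outSite = @($outSite | Sort-Object -Property SiteCost) }
        'RandomOrder'        { $outSite = @($outSite | Sort-Object -Property { Get-Random }) }
        'ExcludeOutsideSite' { $outSite = @() }
    }
    return @($firstAll + $inSite + $outSite + $lastAll)
}

# Constructed targets matching the article's list: a branch server plus three regional
# data centers with site costs 10, 30 and 50 from the branch site.
$targets = @(
    [pscustomobject]@{ Name = 'BRANCH-FS1'; Site = 'Branch'; SiteCost = 0;  Priority = 'Normal' }
    [pscustomobject]@{ Name = 'RDC3-FS1';   Site = 'RDC3';   SiteCost = 50; Priority = 'Normal' }
    [pscustomobject]@{ Name = 'RDC1-FS1';   Site = 'RDC1';   SiteCost = 10; Priority = 'Normal' }
    [pscustomobject]@{ Name = 'RDC2-FS1';   Site = 'RDC2';   SiteCost = 30; Priority = 'Normal' }
)

# Lowest cost: the branch server first, then the data centers by ascending site cost.
(Get-DfsReferralOrder -Targets $targets -ClientSite 'Branch' -Method LowestCost).Name -join ', '

# Exclude targets outside the client's site: only the branch server is referred.
(Get-DfsReferralOrder -Targets $targets -ClientSite 'Branch' -Method ExcludeOutsideSite).Name -join ', '

# Promote RDC2-FS1 to "first among all targets": it is now listed before the branch server.
$targets[3].Priority = 'FirstAmongAll'
(Get-DfsReferralOrder -Targets $targets -ClientSite 'Branch').Name -join ', '
```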

A domain-based namespace can be hosted by multiple namespace servers to increase the availability of the namespace. Putting a namespace server in remote or branch offices also allows clients to contact a namespace server and receive referrals without having to cross expensive WAN connections.

Definitions:

Namespace server: A namespace server hosts a namespace. The namespace server can be a member server or a domain controller.

Namespace root: The namespace root is the starting point of the namespace. In the previous figure, the name of the root is Public, and the namespace path is \\Contoso\Public. This type of namespace is a domain-based namespace because it begins with a domain name (for example, Contoso) and its metadata is stored in Active Directory Domain Services (AD DS). Although a single namespace server is shown in the previous figure, a domain-based namespace can be hosted on multiple namespace servers to increase the availability of the namespace.

Folder: Folders without folder targets add structure and hierarchy to the namespace, and folders with folder targets provide users with actual content. When users browse a folder that has folder targets in the namespace, the client computer receives a referral that transparently redirects the client computer to one of the folder targets.

Folder targets: A folder target is the UNC path of a shared folder or another namespace that is associated with a folder in a namespace. The folder target is where data and content is stored. In the previous figure, the folder named Tools has two folder targets, one in London and one in New York, and the folder named Training Guides has a single folder target in New York. A user who browses to \\domain.com\Public\Software\Tools is transparently redirected to the shared folder \\server1\Tools or \\server2\Tools, depending on which site the user is currently located in.

By default, DFS replication between two members is bidirectional. Bidirectional connections occur in both directions and include two one-way connections. If you desire only a one-way connection, you can disable one of the connections or use share permissions to prevent the replication process from updating files on certain member servers.

Step1: Organise the folder structure on multiple servers in geographically diverse locations

Example:

Server1 in Perth: D:\Marketing, D:\HR, D:\IT

Server2 in Melbourne: D:\Marketing, D:\HR, D:\IT

Step2: Install DFS on Server

Before setting up replication between servers, the DFS Replication role needs to be installed on each server that is going to participate in the replication group. Open Server Manager by clicking the Server Manager icon on the taskbar.

  1. On the Welcome Tile, under Quick Start, click on Add roles and features to start the Add Roles and Features Wizard. If there’s no Welcome Tile, it might be hidden. Click View on the menu bar and click Show Welcome Tile.
  2. Click Next.
  3. Select Role-based or feature-based installation and click Next.
  4. Select a server from the server pool and select the server on which you want to install DFS Replication. Click Next.
  5. Under Roles, expand File and Storage Services, expand File and iSCSI Services, select DFS Replication and click Next.
  6. If you have not already installed the features required for DFS Replication, the following box will pop up explaining which features and roles will be installed along with DFS Replication.
  7. Click Add Features.
  8. Back to the Select server roles dialog. It should now show DFS Replication as checked along with the other roles required for DFS Replication.
  9. Click Next.
  10. The Select features dialog shows the features that will be added along with the DFS Replication role.
  11. Click Next.
  12. Click Install.
  13. Click Close when the installation completes.
  14. You will notice a new DFS management icon.

Step3: Create New Namespace

  1. Double click on this icon to open the DFS Management MMC.
  2. In the DFS Management console, right click on Namespaces and select new namespace. In the New Namespace Wizard, select the server that will host the namespace (the DFS server) and click next to continue.
  3. Give your DFS namespace an easy-to-understand name and click Next.
  4. The next step asks whether you want to use a domain-based namespace or a stand-alone namespace. Select the domain-based DFS namespace and click Next, then Create.
  5. Once finished, you will see the newly created namespace in the Namespaces section of DFS Management along with its UNC path. This is the path you will use to access the DFS share.
  6. Now that we have created the namespace, it is time to add some folders. In DFS, you can access multiple shared folders using a single drive letter. Add the required folders to the DFS namespace.
  7. Right click on the DFS namespace and select new folder.
  8. In the new folder window, create a folder named X, then click on the add button and locate the folder on the required server. When finished, click OK.
  9. Repeat the process to add the other shared folders.
  10. To test, open Windows Explorer and type the UNC path of your DFS namespace. All folders appear in a single share.

Step5: Replicate Folders

  1. In the DFS Management console, double click on the folder to view its path.
  2. Log in to server 2 and create a folder named admin as well.
  3. Right click on the folder and select add folder target.
  4. Enter the UNC path of the folder located on the second server and click OK.
  5. You will be prompted to create a replication group. Click yes.
  6. Follow the wizard to configure the replication parameters:
  • Primary Member: the server that has the initial copy of the files you want to replicate.
  • Topology: dictates in what fashion the replication will occur.
  • Bandwidth and Schedule: how much bandwidth to allocate and when to synchronize.
  7. Once you have finished, click Create. Any file that you create, modify or delete when using the namespace UNC path will be copied almost immediately to both replicating folders.

Step6: Manually create a replication group if you did not create one in Step 5

  1. In the console tree of the DFS Management snap-in, right-click the Replication node, and then click New Replication Group.
  2. Follow the steps in the New Replication Group Wizard, supplying the information described in the steps that follow.
  3. Select Multipurpose replication group>Type the name of the replication group> Click Add to select at least two servers that will participate in replication. The servers must have the DFS Replication Service installed.
  4. Select Full Mesh> Select Replicate continuously using the specified bandwidth.> Select the member that has the most up-to-date content that you want to replicate to the other member.
  5. Click Add to enter the local path of the Data folder you created earlier on the first server. Use the name Data for the replicated folder name.
  6. On this page, you specify the location of the Data folder on the other members of the replication group. To specify the path, click Edit, and then in the Edit dialog box, click Enabled, and then type the local path of the Data folder.
  7. On this page, you specify the location of the Antivirus Signatures folder on the other members of the replication group. To specify the path, click Edit, and then in the Edit dialog box, click Enabled, and then type the local path of the Antivirus Signatures folder.
  8. Click Create to create the replication group.
  9. Click Close to close the wizard. Click OK to close the dialog box that warns you about the delay in initial replication.
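The namespace of Step 3 and the replication group of Steps 5 and 6, built with the DFSN and DFSR PowerShell modules that ship with Windows Server 2012 R2, as an added example that is not part of the article. The domain, server and share names are assumed, the shares (Public and one per folder) must already exist on both servers, and the Perth server is taken as the primary member.

```powershell
# Added example: namespace + replication group for the Perth/Melbourne layout above.
# Domain, server and share names are assumed; shares must already exist.
$Domain  = 'corp.example.com'
$Root    = "\\$Domain\Public"
$Servers = 'PER-FS01', 'MEL-FS01'        # Server1 in Perth, Server2 in Melbourne
$Folders = 'Marketing', 'HR', 'IT'        # each shared as D:\<Folder> on both servers

# Step 3: domain-based namespace (Windows Server 2008 mode) hosted on both servers,
# so clients in either site get referrals without crossing the WAN.
New-DfsnRoot -Path $Root -TargetPath "\\$($Servers[0])\Public" -Type DomainV2 | Out-Null
New-DfsnRootTarget -Path $Root -TargetPath "\\$($Servers[1])\Public" | Out-Null

foreach ($f in $Folders) {
    # One folder with a target on each server; clients are referred to the nearest one.
    New-DfsnFolder -Path "$Root\$f" -TargetPath "\\$($Servers[0])\$f" | Out-Null
    New-DfsnFolderTarget -Path "$Root\$f" -TargetPath "\\$($Servers[1])\$f" | Out-Null

    # Steps 5/6: multipurpose replication group, full mesh, continuous replication.
    $group = "RG-$f"
    New-DfsReplicationGroup -GroupName $group -DomainName $Domain | Out-Null
    New-DfsReplicatedFolder -GroupName $group -FolderName $f -DomainName $Domain | Out-Null
    Add-DfsrMember -GroupName $group -ComputerName $Servers -DomainName $Domain | Out-Null
    # Add-DfsrConnection creates both one-way connections (bidirectional) by default;
    # use -CreateOneWay, or disable one connection afterwards, for one-way replication.
    Add-DfsrConnection -GroupName $group -SourceComputerName $Servers[0] `
        -DestinationComputerName $Servers[1] -DomainName $Domain | Out-Null

    # Perth holds the authoritative initial copy, so it is the primary member.
    foreach ($s in $Servers) {
        Set-DfsrMembership -GroupName $group -FolderName $f -ComputerName $s `
            -ContentPath "D:\$f" -PrimaryMember ($s -eq $Servers[0]) `
            -DomainName $Domain -Force | Out-Null
    }
}

# Verify: every folder resolves to two targets and every group has two members.
foreach ($f in $Folders) {
    Get-DfsnFolderTarget -Path "$Root\$f" | Format-Table Path, TargetPath, State -AutoSize
    Get-DfsrMember -GroupName "RG-$f" -DomainName $Domain | Format-Table GroupName, ComputerName -AutoSize
}
```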

How to Connect and Configure Virtual Fibre Channel, FC Storage and FC Tape Library from within a Virtual Machine in Hyper-v Server 2012 R2

Windows Server 2012 R2 with Hyper-v Role provides Fibre Channel ports within the guest operating system, which allows you to connect to Fibre Channel directly from within virtual machines. This feature enables you to virtualize workloads that use direct FC storage and also allows you to cluster guest operating systems leveraging Fibre Channel, and provides an important new storage option for servers hosted in your virtual infrastructure.

Benefits:

  • Use existing Fibre Channel investments to support virtualized workloads.
  • Connect a Fibre Channel tape library from within a guest operating system.
  • Support for many related features, such as virtual SANs, live migration, and MPIO.
  • Create an MSCS cluster of guest operating systems in a Hyper-V cluster.

Limitation:

  • Live Migration will not work if SAN zoning isn’t configured correctly.
  • Live Migration will not work if LUN mismatch detected by Hyper-v cluster.
  • Virtual workload is tied with a single Hyper-v Host making it a single point of failure if a single HBA is used.
  • Virtual Fibre Channel logical units cannot be used as boot media.

Prerequisites:

  • Windows Server 2012 or 2012 R2 with the Hyper-V role.
  • Hyper-V requires a computer with processor support for hardware virtualization. See details in BIOS setup of server hardware.
  • A computer with one or more Fibre Channel host bus adapters (HBAs) that have an updated HBA driver that supports virtual Fibre Channel.
  • An NPIV-enabled fabric, HBA and FC SAN. Almost all new-generation Brocade fabrics and storage support this feature. NPIV is disabled in the HBA by default.
  • Virtual machines configured to use a virtual Fibre Channel adapter, which must use Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 or Windows Server 2012 R2 as the guest operating system. Maximum 4 vFC ports are supported in guest OS.
  • Storage accessed through a virtual Fibre Channel supports devices that present logical units.
  • MPIO Feature installed in Windows Server.
  • Microsoft Hotfix KB2894032

Before elaborating the steps involved in configuring virtual Fibre Channel, I assume you have physical connectivity and that physical multipath is configured and connected as per vendor best practice. In this example configuration, I will be presenting storage and an FC tape library to a virtualized backup server. I used the following hardware.

  • 2 x Brocade 300 series fabrics
  • 1 x FC SAN
  • 1 x FC tape library
  • 2 x Windows Server 2012 R2 with the Hyper-V role installed and configured as a cluster. Each host is connected to the two fabrics using dual HBA ports.

Step1: Update Firmware of all Fabric.

Use this LINK to update firmware.

Step2: Update Firmware of FC SAN

See OEM or vendor installation guide. See this LINK for IBM guide.

Step3: Enable hardware virtualization in Server BIOS

See OEM or Vendor Guidelines

Step4: Update Firmware of Server

See OEM or Vendor Guidelines. See Example of Dell Firmware Upgrade

Step5: Install MPIO driver in Hyper-v Host

See OEM or Vendor Guidelines

Step6: Physically Connect FC Tape Library, FC Storage and Servers to correct FC Zone

Step7: Configure Correct Zone and NPIV in Fabric

SSH to Fabric and Type the following command to verify NPIV.

Fabric:root>portcfgshow 0

If NPIV is enabled, it will show NPIV ON.

To enable NPIV on a specific port, type portCfgNPIVPort 0 1 (where 0 is the port number and 1 is the mode: 1 = enable, 0 = disable).

Open the Brocade fabric and configure the aliases. The items marked in red are the virtual HBAs and the FC tape library as seen by the fabric. Note that you must place the FC tape library, the Hyper-V host(s), the virtual machine and the FC SAN in the same zone, otherwise it will not work.

Configure the correct zone.

Configure the correct zone config.

Once you have configured the correct zone in the fabric, you will see the FC tape library in the Windows Server 2012 R2 host where the Hyper-V role is installed. Do not update the tape driver in the Hyper-V host, as we will use the guest (virtual machine) as the backup server, and that is where the correct tape driver is needed.

Step8: Configure Virtual Fibre Channel

Open Hyper-V Manager, click Virtual SAN Manager>Create New Fibre Channel SAN.

Type the name of the Fibre Channel SAN>Apply>OK.

Repeat the process to create multiple vFCs for MPIO and Live Migration purposes. Remember that the physical HBA ports must be connected to both Brocade fabrics.

In the vFC configuration, keep the naming convention identical on both hosts. If you have two physical HBA ports, configure two vFCs in the Hyper-V host, for example VFC1 and VFC2. Create two vFCs on the other host with the identical names VFC1 and VFC2. Assign both vFCs to the virtual machines.

Step9: Attach Virtual Fibre Channel Adapter on to virtual Machine.

Open Failover Cluster Manager, select the virtual machine in which the FC tape library will be visible, and shut down the virtual machine.

Go to Settings of the virtual machine>Add Fibre Channel Adapter>Apply>OK.

Record the WWPN from the virtual Fibre Channel adapter.

Power on the virtual Machine.

Repeat the process to add multiple VFCs which are VFC1 and VFC2 to virtual machine.
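The Hyper-V PowerShell form of Steps 8 and 9, as an added example that is not part of the article: one virtual SAN per physical HBA port with identical names on both cluster nodes, a check that the names really match, both vFC adapters attached to the stopped backup VM, and the resulting WWPNs listed for the fabric alias and zone of Step 7 and the storage host mapping of Step 10. Host, VM and SAN names are assumed; the hosts are assumed to have two FC ports each, one per fabric.

```powershell
# Added example: vSANs, vFC adapters and WWPN listing for the setup described above.
# Host, VM and SAN names are assumed; nothing here comes from the article itself.
$Hosts    = 'HV01', 'HV02'          # the two clustered Hyper-V hosts
$SanNames = 'VFC1', 'VFC2'          # one per fabric; must match on every host for Live Migration
$VmName   = 'BACKUP01'              # the virtualized backup server

foreach ($h in $Hosts) {
    # Physical FC initiator ports on this host, sorted so that port N always maps to VFC(N+1).
    $ports = @(Invoke-Command -ComputerName $h -ScriptBlock {
        Get-InitiatorPort | Where-Object { $_.ConnectionType -match 'Fibre' } |
            Sort-Object PortAddress | Select-Object NodeAddress, PortAddress
    })
    if ($ports.Count -lt $SanNames.Count) {
        throw "$h exposes $($ports.Count) FC port(s); $($SanNames.Count) are required (HBA driver or NPIV?)"
    }
    for ($i = 0; $i -lt $SanNames.Count; $i++) {
        if (Get-VMSan -ComputerName $h -Name $SanNames[$i] -ErrorAction SilentlyContinue) { continue }
        New-VMSan -ComputerName $h -Name $SanNames[$i] `
            -WorldWideNodeName $ports[$i].NodeAddress -WorldWidePortName $ports[$i].PortAddress | Out-Null
    }
}

# The naming rule from the article: the vSAN names must be identical on both hosts.
$perHost = $Hosts | ForEach-Object { ((Get-VMSan -ComputerName $_).Name | Sort-Object) -join ',' }
if (($perHost | Select-Object -Unique).Count -ne 1) { throw "vSAN names differ between hosts: $perHost" }

# vFC adapters can only be added while the VM is off; find the node that currently owns it.
$owner = (Get-VM -Name $VmName -ComputerName $Hosts -ErrorAction SilentlyContinue | Select-Object -First 1).ComputerName
Stop-VM -Name $VmName -ComputerName $owner
foreach ($san in $SanNames) {
    Add-VMFibreChannelHba -VMName $VmName -ComputerName $owner -SanName $san
}
Start-VM -Name $VmName -ComputerName $owner

# Hyper-V gives each vFC adapter two WWPN sets (A and B) and alternates between them on
# Live Migration, so the fabric zone and the storage host definition must contain both.
Get-VMFibreChannelHba -VMName $VmName -ComputerName $owner |
    Format-Table SanName, WorldWidePortNameSetA, WorldWidePortNameSetB -AutoSize
```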

Step10: Present Storage

Log on to the FC storage and add a host in the storage. The WWPN shown here must match the WWPN in the virtual Fibre Channel adapter.

Map the volume or LUN to the virtual server.

Step11: Install MPIO Driver in Guest Operating Systems

Open Server Manager>Add Roles & Features>add the MPIO feature.

Download the manufacturer's MPIO driver for the storage. The MPIO driver must be the correct and latest version to function correctly.

The FC SAN storage is now visible in your virtual machine.

Step12: Install Correct FC Tape Library Driver in Guest Operating Systems.

Download and install the correct FC tape driver in the virtual backup server.

The FC tape library is now correctly visible in the virtual machine.

The backup software can see the tape library and inventory tapes.

Further Readings:

Brocade Fabric with Virtual FC in Hyper-v

Hyper-V Virtual Fibre Channel Overview

Clustered virtual machine cannot access LUNs over a Synthetic Fibre Channel after you perform live migration on Windows Server 2012 or Windows Server 2012 R2-based Hyper-V hosts