Figure 1. Starting Network Design
- Provision a server in VMware
- Run the Exchange setup /prepareSchema on the domain controller that holds the Schema Master role
- Run the Exchange setup /prepareAD against all domains in your environment. (We have 2, an empty upper root and another full one.)
Note: You will need to move the Schema Master to the domain where the Exchange server will be installed. Not doing so may result in the following error messages (hat tip to here for the help):
Error: Setup needs to contact the Active Directory schema master but this computer is not in the same Active Directory domain as the schema master (DC=muc,DC=prv). Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=2376fec1-b9ce-44db-beb6-cb9ac4788988
Error: Setup encountered a problem while validating the state of Active Directory: Exchange organization-level objects have not been created, and setup cannot create them because the local computer is not in the same domain and site as the schema master. Run setup with the /prepareAD parameter on a computer in the domain muc and site Default-First-Site-Name, and wait for replication to complete. Click here for help... http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.1.218.11&e=ms.exch.err.Ex28883C&l=0&cl=cp
- Run the PowerShell command Add-WindowsFeature Web-WMI,Web-Asp-Net,Web-ISAPI-Filter,Web-Client-Auth,Web-Dir-Browsing,Web-Http-Errors,Web-Http-Logging,Web-Http-Redirect,Web-Http-Tracing,Web-Request-Monitor,Web-Static-Content on the Exchange server
- Our original desire was to only install the CAS role. Due to the certificates we needed to request, we also needed to install the Hub Transport and UM roles while we were going through the setup. So total roles installed = CAS,HUB,UM
- Perform any Updates
- Request a UC SAN Certificate for the 2010 server: Do not include Federation service in your request. Use this article as a good example of how to do this in 2010.
- Note: We use Entrust for our certificates and I highly recommend their services. After authorization, we had access to a Certificate Management Service from which we can create, revoke and reuse certificates after they are purchased. With this we don't have to wait on authorization for every single certificate. Their support is great and they are cheaper than the major certificate vendor.
- Certificate Name of the UC SAN (Subject Alternate Name) certificate
- Common Name = webmail.domain.edu or mail.domain.edu whatever you have currently set your 2007 CAS to
- SAN = legacy.domain.edu (for redirection of 2007 mailboxes to 2007 CAS)
- SAN = autodiscover.mountunion.edu
- SAN = 2010ExchangeName.domain.domain.local
- SAN = domain.edu
- SAN = UM.domain.edu (for UM roles when required)
- Install the certificate by replying to the request in the GUI.
- Add the DNS entries for legacy.domain.edu to the DNS servers and have them mapped to the 2007 CAS server.
- Change firewall rules to allow access to the 2010 CAS server and allow the 2 CAS servers to talk to each other.
Everything up to this point should be able to be completed with no downtime.
- Change the DNS of the primary mail server and autodiscover to point to the new 2010 CAS server.
- Replace the current UC SAN certificate that is on the 2007 CAS.
- Common Name = legacy.domain.edu
- SAN = autodiscover.domain.edu
- SAN = 2007ServerName.domain.domain.local (This is critical to avoiding errors from Outlook clients)
- SAN = webmail.domain.edu
- The error received if you don't have the proper private name is: "Security Alert: Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with this site's security certificate. The name on the security certificate is invalid or does not match the name of the site."
- The certificate request will need to be generated by PowerShell in 2007. The easiest way I found is to use a site like https://www.digicert.com/easy-csr/exchange2007.htm to generate the PowerShell to paste into the PowerShell command line.
- Take that CSR and submit it to your CA to get a certificate.
- Install the certificate with Import-ExchangeCertificate -Path C:\filename.cer
- Run a Get-ExchangeCertificate and copy the thumbprint you just installed.
- Do an Enable-ExchangeCertificate -Services "SMTP,IIS,POP,IMAP" and respond with the thumbprint.
- If you are looking for full information on the certificates you can run a Get-ExchangeCertificate | fl to see expiration dates and all SANs
- Make sure to change any spam filter rules to make 2010 the new primary place that mail passes through
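To confirm that an installed certificate carries every name from the lists above, the following added example (not part of the original post) compares the output of Get-ExchangeCertificate against the required names and also reports expiry and whether IIS is enabled on it. The function name Test-ExchangeCertificateCoverage, the WarnDays parameter and the sample object are assumptions made for illustration; the host names are the post's placeholders.

```powershell
# Added example: hypothetical helper, not an Exchange cmdlet.
function Test-ExchangeCertificateCoverage {
    param(
        $Certificate,                 # object returned by Get-ExchangeCertificate
        [string[]]$RequiredNames,     # every name clients and servers will connect to
        [int]$WarnDays = 30           # assumption: flag certificates this close to expiry
    )
    # CertificateDomains entries are not plain strings, so stringify before comparing.
    $present = @($Certificate.CertificateDomains | ForEach-Object { "$_" })
    # -notcontains is case-insensitive, which matches how DNS names are compared.
    $missing = @($RequiredNames | Where-Object { $present -notcontains $_ })

    $daysLeft = [int][math]::Floor(($Certificate.NotAfter - (Get-Date)).TotalDays)
    $iis      = ("$($Certificate.Services)" -match 'IIS')

    New-Object PSObject -Property @{
        Thumbprint   = $Certificate.Thumbprint
        MissingNames = $missing
        DaysLeft     = $daysLeft
        IisEnabled   = $iis
        Ok           = (($missing.Count -eq 0) -and ($daysLeft -gt $WarnDays) -and $iis)
    }
}

# Constructed sample standing in for a 2007 CAS certificate whose request
# left out the internal server name (the case that triggers the Outlook alert).
$sample = New-Object PSObject -Property @{
    Thumbprint         = 'PLACEHOLDER-THUMBPRINT'
    CertificateDomains = @('legacy.domain.edu', 'autodiscover.domain.edu', 'webmail.domain.edu')
    NotAfter           = (Get-Date).AddYears(1)
    Services           = 'IMAP, POP, IIS, SMTP'
}
$required2007 = 'legacy.domain.edu', 'autodiscover.domain.edu',
                '2007ServerName.domain.domain.local', 'webmail.domain.edu'

Test-ExchangeCertificateCoverage -Certificate $sample -RequiredNames $required2007

# In the Exchange Management Shell, check the real certificate instead:
# Get-ExchangeCertificate -Thumbprint '<thumbprint>' |
#     ForEach-Object { Test-ExchangeCertificateCoverage $_ $required2007 }
```

Run the same check on the 2010 server with its own list of names before changing DNS.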
Here are a couple links to other useful resources when performing this upgrade.
http://blogs.catapultsystems.com/IT/archive/2010/02/17/preparing-for-the-transition-from-exchange-2007-to-exchange-2010-part-1-of-4.aspx
http://technet.microsoft.com/en-us/library/bb124350.aspx
http://www.simple-talk.com/sysadmin/exchange/upgrade-from-exchange-2007-to-exchange-2010---part-1/
http://blogs.technet.com/b/exchange/archive/2006/11/17/3397307.aspx