Thursday, June 14, 2012

Exchange 2007 to Exchange 2010 Upgrade/Migration

The past couple of days we have spent preparing and doing an upgrade/migration from Exchange 2007 On-Premise to Exchange 2010 On-Premise. All of this is in preparation to migrate voice-mail off of Call-Pilot and our Nortel PBX to Exchange Unified Messaging. That decision was made largely because of the ever-increasing cost of maintenance and replacement wiring for the legacy phone switch. This post will work through the steps, errors and troubleshooting we went through to get Exchange 2010 up and working.

Figure 1. Starting Network Design
Our starting point is the configuration in Figure 1, where all Exchange servers are running SP3 Rollup 6. In addition, all steps until Step # should be able to be completed during normal hours without downtime. This was important for us because we don't have the redundant hardware or storage to create a replica of the Exchange environment. We installed the new servers in a virtual environment.
  1. Provision a server in VMware
  2. Run the Exchange setup /prepareSchema on the Domain Controller that holds the Schema Master role
  3. Run the Exchange setup /prepareAD against all domains in your environment. (We have 2, an empty upper root and another full one.)

    Note: You will need to move the Schema Master to the domain where the Exchange server will be installed. Not doing so may result in the following error messages. (Hat tip to here for the help.)

    Error: Setup needs to contact the Active Directory schema master but this computer is not in the same Active Directory domain as the schema master (DC=muc,DC=prv). Click here for help... http://go.microsoft.com/fwlink/?linkid=30939&l=en&v=ExBPA.14&id=2376fec1-b9ce-44db-beb6-cb9ac4788988

    Error: Setup encountered a problem while validating the state of Active Directory: Exchange organization-level objects have not been created, and setup cannot create them because the local computer is not in the same domain and site as the schema master.  Run setup with the /prepareAD parameter on a computer in the domain muc and site Default-First-Site-Name, and wait for replication to complete. Click here for help... http://technet.microsoft.com/en-US/library/ms.exch.err.default(EXCHG.141).aspx?v=14.1.218.11&e=ms.exch.err.Ex28883C&l=0&cl=cp 
     
  4. Run the following PowerShell command on the Exchange server: Add-WindowsFeature Web-WMI,Web-Asp-Net,Web-ISAPI-Filter,Web-Client-Auth,Web-Dir-Browsing,Web-Http-Errors,Web-Http-Logging,Web-Http-Redirect,Web-Http-Tracing,Web-Request-Monitor,Web-Static-Content
  5. Our original desire was to only install the CAS role. Due to the certificates we needed to request, we also needed to install the Hub Transport and UM roles while we were going through the setup. So total roles installed = CAS,HUB,UM
  6. Perform any Updates
  7. Request a UC SAN Certificate for the 2010 server: Do not include Federation service in your request. Use this article as a good example of how to do this in 2010.

    - Note: We use Entrust for our certificates and I highly recommend their services. After authorization, we had access to a Certificate Management Service from which we can create, revoke and reuse certificates after they are purchased. With this we don't have to wait on authorization for every single certificate. Their support is great and they are cheaper than the major certificate vendor.

    - Certificate Name of the UC SAN (Subject Alternative Name) certificate
    - Common Name = webmail.domain.edu or mail.domain.edu whatever you have currently set your 2007 CAS to
    - SAN = legacy.domain.edu (for redirection of 2007 mailboxes to 2007 CAS)
    - SAN = autodiscover.mountunion.edu
    - SAN = 2010ExchangeName.domain.domain.local
    - SAN = domain.edu
    - SAN = UM.domain.edu ( For UM roles when required)
  8. Install the certificate by replying to the request in the GUI.
  9. Add the DNS entries for legacy.domain.edu to the DNS servers and have them mapped to the 2007 CAS server.
  10. Change firewall rules to allow access to the 2010 CAS server and allow the two CAS servers to talk to each other.

    Everything up to this point should be able to be completed with no downtime
  11. Change the DNS of the primary mail server and autodiscover to point to the new 2010 CAS server.
  12. Replace the current UC SAN certificate that is on the 2007 CAS.
    - Common Name = legacy.domain.edu
    - SAN = autodiscover.domain.edu
    - SAN = 2007ServerName.domain.domain.local (This is critical to avoiding errors from Outlook clients)
    - SAN = webmail.domain.edu

    - The error received if you don't have the proper private name is "Security Alert: Information you exchange with this site cannot be viewed or changed by others. However, there is a problem with this site's security certificate. The name on the security certificate is invalid or does not match the name of the site."
  13. This certificate request will need to be generated with PowerShell in Exchange 2007. The easiest way I found is to use a site like https://www.digicert.com/easy-csr/exchange2007.htm to generate the PowerShell command to paste into the PowerShell command line.
  14. Take that CSR and submit it to your CA to get a certificate.
  15. Install the certificate with Import-ExchangeCertificate -Path C:\filename.cer
  16. Run a Get-ExchangeCertificate and copy the thumbprint you just installed.
  17. Do an Enable-ExchangeCertificate -Services "SMTP,IIS,POP,IMAP" and respond with the thumbprint.
  18. If you are looking for full information on the certificates you can run a Get-ExchangeCertificate | fl to see expiration dates and all SANs
  19. Make sure to change any spam filter rules to make 2010 the new primary place that mail passes through
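
The certificate steps for the 2007 CAS (12 through 18) as one script; this is an added example, not part of the original post. It builds the request with the names from step 12 and checks the issued certificate's names, private key and expiry before enabling it. The file paths and the c=/o= subject fields are assumptions.

```powershell
# Added example, not from the original post. Run in the Exchange Management
# Shell on the 2007 CAS. File paths and the c=/o= subject fields are placeholders.

# Names from step 12: the common name first, then the SANs.
$required = @(
    'legacy.domain.edu',
    'autodiscover.domain.edu',
    '2007ServerName.domain.domain.local',
    'webmail.domain.edu'
)

# Steps 13-14: create the request, then submit C:\legacy.csr to your CA.
New-ExchangeCertificate -GenerateRequest -Path 'C:\legacy.csr' -KeySize 2048 `
    -SubjectName 'c=US, o=Example Org, cn=legacy.domain.edu' `
    -DomainName $required -PrivateKeyExportable $true

# Run the rest once the CA has returned the certificate.
# Step 15: import it on the server that generated the request, so that it
# pairs with the pending private key.
$cert = Import-ExchangeCertificate -Path 'C:\legacy.cer'

# Steps 16 and 18: check the certificate before any service uses it.
$names   = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
$missing = @($required | Where-Object { $names -notcontains $_.ToLower() })

if ($missing.Count -gt 0) {
    # A missing name is what triggers the Outlook "name on the security
    # certificate is invalid" alert described in step 12.
    throw ('Certificate is missing names: ' + [string]::Join(', ', $missing))
}
if (-not $cert.HasPrivateKey) {
    throw 'No private key: import the certificate on the server that generated the request.'
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)."
}

# Step 17: only now bind it to the services.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'SMTP,IIS,POP,IMAP'
```
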
Your mail configuration should now be up and Exchange should be passing mail through the 2010 CAS server. I will do a follow-up post that covers a couple of the problems we ran into along the way. Finally, here is an image of the environment after setup.

Here are a couple links to other useful resources when performing this upgrade.

http://blogs.catapultsystems.com/IT/archive/2010/02/17/preparing-for-the-transition-from-exchange-2007-to-exchange-2010-part-1-of-4.aspx

http://technet.microsoft.com/en-us/library/bb124350.aspx

http://www.simple-talk.com/sysadmin/exchange/upgrade-from-exchange-2007-to-exchange-2010---part-1/

http://blogs.technet.com/b/exchange/archive/2006/11/17/3397307.aspx
