ADC Installation
I recommend installing the ADC using the prescriptive checklist in Exchange Server 2003 Setup rather than using the ADC Setup directly. Following the prescriptive checklist ensures that you run all the preliminary tests to validate your configuration and the operation of your infrastructure. You can also take full advantage of the ADC Tools and the Connection Agreement Wizard.
The checklist appears as part of the standard Exchange and ADC Setup. Figure 12.17 shows an example of the checklist.
Figure 12.17 Component Selection window showing ForestPrep selected under Action if all prerequisites are met.
You'll need to install the Windows Server 2003 Support Tools prior to starting the ADC installation so that you have the Dcdiag and Netdiag utilities available. These are required components of the prescriptive checklist.
You can do the installation in an admin-mode remote desktop session, if that's your normal way of managing your servers. In Windows Server 2003, you might want to connect directly to the console by running mstsc /console. This puts a warning message on the regular console display to warn your colleagues if they select the server with a KVM switch.
The prescriptive checklist prompts you to run Forestprep to modify the Active Directory schema. If you do not use the checklist, the ADC Setup Wizard updates the schema using its own files. The end result is the same. Unlike Exchange 2000, the ADC in Exchange Server 2003 performs the same schema modifications as the Exchange server setup.
This section does not contain a step-by-step procedure for installing the ADC; the prescriptive checklist provides that. Instead, it gives you an overview of the more important elements of the checklist along with pointers about the information you'll need to enter, and it shows you what a clean set of deployment log entries looks like.
- To start the ADC installation, insert the Exchange Server 2003 CD and launch Setup from the root of the CD.
- At the main welcome screen, under the Deployment column, select Exchange Deployment Tools. The Welcome to the Exchange Server Deployment Tools window opens.
- Click Deploy the First Exchange 2003 Server, the first option. The Deploy the First Exchange 2003 Server window opens.
- Select the Coexistence with Exchange 5.5 option. This opens the prescriptive checklist. Follow the numbered items in the checklist. Make sure you specify the log file location in a handy local folder so you can review the logs frequently during the process.
Initial Testing
The first major item on the prescriptive checklist runs a comprehensive suite of tests called DSScopeScan. This suite includes the following tests (detailed a little later in this section):
- DSConfigSum. This test reports the total number of sites and the number of servers in each site.
- DSObjectSum. This utility reports the total number of public folders, distribution lists, distribution lists with hidden membership, and custom recipients.
- UserCount. This test reports the total number of recipients (users) in the organization, broken down by site.
- VerCheck. This test verifies that you have the right Exchange version and service pack level on your Exchange servers.
You must specify the name of an Exchange 5.5 SP3 (or higher) server, an Active Directory domain controller, and a location for the deployment log files. If you enter an incorrect path for the log files, each element of DSScopeScan errors out and you'll see that the log folder holds no files. If this happens, simply correct the entry for the path and run the tool again.
The main log file for the deployment is Exdeploy.log. It shows the result of each test performed by DSScopeScan. (The other deployment tools have their own detailed logs with summaries appended to Exdeploy.log.) For example, if your logon account does not have sufficient legacy Exchange permissions, you get an error message like this in the Exdeploy.log file:
Warning: Either you do not have permission to view hidden objects in the Exchange 5.5 directory, or the directory is not Exchange 5.5 SP1 or later. Returned information may be inaccurate.
A file called Exdeploy-Progress.log gives a blow-by-blow account of the installation, useful only if something entirely unexpected and strange goes wrong. Be sure to resolve all error messages prior to continuing. New messages append to the end of each log, so you won't lose any diagnostic information by running DSScopeScan over and over. See Appendix C, "Detailed Deployment Log Contents," for details on the expected content of the individual logs.
After you have resolved any errors that came up in DSScopeScan, go to the next page of the prescriptive checklist.
ForestPrep
The next major step in the prescriptive checklist runs Forestprep. This modifies the Active Directory schema to include new attributes and classes used by Exchange and also installs the top-level objects for a placeholder organization tree in the Configuration naming context in the Active Directory forest.
Clicking ForestPrep in the prescriptive checklist launches Exchange Setup, which takes you through an End-User License Agreement (EULA) window to the Component Selection window shown in Figure 12.18.
Figure 12.18 Component Selection window showing ForestPrep selected under Action, if all prerequisites are met.
If you properly completed all prerequisites, the Action column automatically fills in with the word Forestprep. If the Action column remains empty, you neglected to fulfill one of the prerequisites. To see what you missed, manually select Forestprep in the Action column. An error window will appear describing what you forgot to do.
During ForestPrep, you'll get prompted for the name of the Microsoft Exchange Server Administrator Account, as shown in Figure 12.19. This account gets Exchange Full Administrator privileges in the skeleton Organization container created by ForestPrep. Enter the domain name and the name of the account that you want to act as the initial Exchange administrator.
Figure 12.19 Exchange Server administrator account given Exchange Full Administrator role in organization.
When ForestPrep completes, return to the prescriptive checklist.
DomainPrep
The next step in the prescriptive checklist runs DomainPrep. This creates objects in the Active Directory domain that represent Exchange service accounts, public folders, and groups that represent Exchange servers in the domain and the enterprise.
When you click DomainPrep, Exchange Setup launches and takes you through a EULA window to the Component Selection window. This time the Action column is filled in with the word DomainPrep.
If the Action column remains empty, you neglected to fulfill one of the prerequisites. To see what you missed, manually select DomainPrep, and an error window appears describing what you forgot to do.
During DomainPrep, a warning message appears informing you that the domain has been identified as insecure for mail-enabled groups. The default configuration of Active Directory in Windows Server 2003 places the Authenticated Users group in the Pre-Windows 2000 Compatible Access group. This group has Read permissions for group membership. This does not override the Deny Read permissions used to hide group membership, but Setup doesn't seem to know that. Click OK to acknowledge the message.
When DomainPrep finishes, return to the prescriptive checklist.
Verification Tests
At this point, let's take a breather and figure out where we stand. As part of the preparation steps to installing the ADC, you've updated the schema, made significant changes to the Global Catalog, and added quite a few objects to the Domain naming context. You want to make sure that all these changes fully propagate to all domain controllers and Global Catalog servers in the enterprise before you proceed. For this purpose, the next step of the prescriptive checklist presents a tool called OrgPrepCheck. This tool runs two tests, Orgcheck and Polcheck.
- OrgCheck. This test verifies that Setup created the proper Exchange objects in the Configuration naming context and Domain naming context. For example, it verifies that the Exchange Domain Servers group, Exchange Enterprise Servers group, and Exchange Services group exist. It also verifies that the schema changes have fully propagated and that it can find a Global Catalog server in the same site as the ADC server.
- PolCheck. This test queries each domain controller in the domain to determine if the Exchange Enterprise Servers group has been given the Manage Auditing and Security Logs privilege. If this has not yet occurred, then the Domainprep changes have not yet replicated to that domain controller, or an error prevented the changes from applying. You can use Active Directory Sites and Services to force replication to the affected domain, then run OrgPrepCheck again.
A successful run of these two tests indicates that the schema changes have fully replicated and that every domain has been properly updated to include the necessary Exchange objects. You're ready to proceed to the next step in the prescriptive checklist.
ADC Setup
You're now ready for the meat and potatoes part of the ADC installation. Click the Run ADC Setup Now option in the prescriptive checklist to launch ADC Setup. (You can run Forestprep and Domainprep on a different server than where you install the ADC.)
- At the welcome window, click Next. A EULA window opens.
- Click Next. The Component Selection window opens, as shown in Figure 12.20. Select both options to install the ADC and the ADC Management components.
Figure 12.20 Component Selection window permits installing the ADC and the ADC Tools, or just the tools.
- Click Next. The Install Location window opens. Enter a path for the ADC executable files. The ADC does not use a database, but it does store error logs in this location.
- Click Next. Setup installs the ADC and keeps you notified via a status window. This could take quite a while; go grab a sandwich and come back in a half hour or so. At the completion of ADC Setup, return to the prescriptive checklist.
ADC Tools
The next step in the prescriptive checklist prompts you to open the ADC management console and select the ADC Tools option, as shown in Figure 12.21.
Figure 12.21 ADC Tools simplify the process of testing prerequisites and installing Connection Agreements.
The ADC Tools consists of a suite of utilities designed to report on inconsistencies in the legacy Exchange directory service, to automate the process of marking resource mailboxes with NTDSNoMatch, and to automate the process of creating Recipient and Public Folder Connection Agreements. The user interface divides these chores into four steps:
- Step 1: Tool Settings. In this step, you specify the name of the Exchange 5.5 server to use for data collection and a location for the ADC logs.
- Step 2: Data Collection. This step runs a suite of utilities that scans both Active Directory and the legacy Exchange directory service to find parameters that will be synchronized by the ADC.
- Step 3: Resource Mailbox Wizard. This step determines if the same user owns multiple mailboxes and gives you the opportunity to identify the user's primary mailbox so that the other mailboxes can be designated as resource mailboxes and given new, disabled accounts in Active Directory.
- Step 4: Connection Agreement Wizard. This step creates Connection Agreements that define the replication endpoints of the ADC and determine how attributes will be mapped between the endpoints.
The ADC reads and writes to the legacy Exchange directory service using LDAP. The server must be running Exchange 5.5 SP3 or higher so that it supports LDAP writes and LDAP queries that use paged results.
Step 1: Tool Settings
Click Set. The Tool Settings window opens. Here you specify the name of an Exchange 5.5 server to use for data collection. You do not necessarily need to select the server you will use for Connection Agreements, but you could. Select a location for the ADC logs. The default location puts the files in your user profile.
Step 2: Data Collection
Click Run to query the Exchange 5.5 server and collect information about the Exchange organization. ADC Tools performs a series of four tests that check for objects and attributes in legacy Exchange and Active Directory. These tests also build XML database files used by later steps for resource mailbox marking.
Resource Mailbox Scan
This test looks for mailboxes that have the same owner. If it finds them, it puts an entry in the ADCTools.log file similar to the following:
Pass 1 of 4: Resource Mailbox Scan 01/09/2004 13:37:35
Warning: The Data Collection tool found objects that must be marked as resource mailboxes before they can be replicated to Active Directory. Running the Resource Mailbox Wizard in Step 3 will resolve these issues.
Active Directory Connector Object Replication Check
This test verifies that each mailbox owner has a match to an Active Directory user object. If it finds unmatched objects, it identifies them in the ADCTools.log file. Here's a sample listing:
Pass 2 of 4: Active Directory Connector Object Replication Check 01/09/2004 13:37:48
Matched 'cn=PhoenixUser1,cn=Recipients,ou=Phoenix,o=Company' to 'cn=Phoenix User1,ou=Phoenix,dc=Company,dc=com' based on SID.
Could not find match to 'cn=PhoenixUser2,cn=Recipients,ou=Phoenix,o=Company'.
Could not find match to 'cn=phoenixuser3,cn=Recipients,ou=Phoenix,o=Company'.
Warning: The Data Collection tool found objects that are not replicated from the Exchange 5.5 directory to Active Directory. Running the Connection Agreement Wizard in Step 4 will resolve these issues.
The log might reassure you that the Connection Agreement Wizard will resolve replication issues for the matched entries, but you should not proceed until you resolve any unmatched entries. You do not want the ADC to create disabled user accounts in Active Directory for any mailboxes other than resource mailboxes. The presence of other unmatched objects indicates a possible error in the user account migration, if you migrated from a separate NT domain, or user accounts that someone deleted without deleting the mailboxes.
Active Directory Object Replication Scan
This test looks for mail-enabled objects in Active Directory that do not have corresponding recipient objects in legacy Exchange. You have not yet run a Connection Agreement, so this test does not find any invalid entries. Here's a sample listing:
Pass 3 of 4: Active Directory Object Replication Scan 06/09/2003 13:38:17
No mail enabled objects found in Active Directory.
Active Directory Object Replication Scan completed. No unreplicated objects found.
If you run this test once you've deployed Exchange 2003 servers, you might get an error such as this:
Warning: The Data Collection tool found mail-enabled users, contacts, or groups that are not replicated from Active Directory to the Exchange 5.5 directory. Running the Connection Agreement wizard in Step 4 will resolve these issues.
This error indicates that you created a mail-enabled object in Active Directory, but the ADC has not yet replicated that object to the legacy Exchange directory service. Resolve this by determining why the CA has not replicated the object. The most likely cause involves a failure of the CA to locate the two endpoint servers.
Active Directory Unmarked Resource Mailbox Scan
This test checks for potential resource mailboxes that do not have an NTDSNoMatch entry. Since you have not yet run the ADC or deployed Exchange 2003 servers, this check comes up clean. If you run the test after you have been operating awhile, you might get an error about mismatched accounts. This indicates that the ADC cannot match a potential resource mailbox to a disabled user account. The most likely cause involves a failure to properly mark the primary and resource mailboxes assigned to the same owner in legacy Exchange. Correct the problem and repeat the test.
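The four Data Collection passes above write their findings to ADCTools.log, and the text is clear that the Pass 2 warning should not be taken at face value: every "Could not find match" entry that is not a mailbox you have deliberately marked as a resource mailbox needs to be explained before Step 4. The following script is an added example, not part of the book or of the ADC Tools; it parses a constructed log sample modelled on the excerpts quoted above (the pass headers, the "Matched ... based on SID" and "Could not find match" lines, and the "Warning:" lines) and gates the decision to proceed on an allowlist of known resource mailboxes. The log format beyond those quoted lines, and the sample content itself, are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the ADCTools.log excerpts quoted in the text.
# It is not a captured log; the Pass 4 header is assumed to follow the same shape.
SAMPLE_ADCTOOLS_LOG = """\
Pass 1 of 4: Resource Mailbox Scan 01/09/2004 13:37:35 Warning: The Data Collection tool found objects that must be marked as resource mailboxes before they can be replicated to Active Directory. Running the Resource Mailbox Wizard in Step 3 will resolve these issues.
Pass 2 of 4: Active Directory Connector Object Replication Check 01/09/2004 13:37:48
Matched 'cn=PhoenixUser1,cn=Recipients,ou=Phoenix,o=Company' to 'cn=Phoenix User1,ou=Phoenix,dc=Company,dc=com' based on SID.
Could not find match to 'cn=PhoenixUser2,cn=Recipients,ou=Phoenix,o=Company'.
Could not find match to 'cn=phoenixuser3,cn=Recipients,ou=Phoenix,o=Company'.
Warning: The Data Collection tool found objects that are not replicated from the Exchange 5.5 directory to Active Directory. Running the Connection Agreement Wizard in Step 4 will resolve these issues.
Pass 3 of 4: Active Directory Object Replication Scan 01/09/2004 13:38:17
No mail enabled objects found in Active Directory.
Active Directory Object Replication Scan completed. No unreplicated objects found.
Pass 4 of 4: Active Directory Unmarked Resource Mailbox Scan 01/09/2004 13:38:30
"""

# Pass header: "Pass N of M: <name> MM/DD/YYYY HH:MM:SS" optionally followed by
# more text on the same line (the quoted Pass 1 entry runs straight into its Warning).
PASS_RE = re.compile(
    r"^Pass (?P<num>\d+) of (?P<total>\d+): (?P<name>.+?) "
    r"(?P<stamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s*(?P<rest>.*)$")
MATCHED_RE = re.compile(
    r"^Matched '(?P<legacy>[^']+)' to '(?P<ad>[^']+)' based on (?P<basis>\w+)\.$")
UNMATCHED_RE = re.compile(r"^Could not find match to '(?P<legacy>[^']+)'\.$")
WARNING_RE = re.compile(r"^Warning: (?P<text>.+)$")


@dataclass
class PassResult:
    number: int
    name: str
    matched: dict = field(default_factory=dict)    # legacy DN -> Active Directory DN
    unmatched: list = field(default_factory=list)  # legacy DNs with no AD user object
    warnings: list = field(default_factory=list)


def _logical_lines(text):
    """Yield one log statement per item, splitting a Warning that shares a header line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PASS_RE.match(line)
        if m and m.group("rest"):
            yield line[:m.start("rest")].rstrip()
            yield m.group("rest")
        else:
            yield line


def parse_adctools_log(text):
    """Return {pass number: PassResult} for the Data Collection passes in the log."""
    passes, current = {}, None
    for line in _logical_lines(text):
        header = PASS_RE.match(line)
        if header:
            current = PassResult(int(header.group("num")), header.group("name"))
            passes[current.number] = current
            continue
        if current is None:
            continue  # text before the first pass header is not attributed to a pass
        if (m := MATCHED_RE.match(line)):
            current.matched[m.group("legacy")] = m.group("ad")
        elif (m := UNMATCHED_RE.match(line)):
            current.unmatched.append(m.group("legacy"))
        elif (m := WARNING_RE.match(line)):
            current.warnings.append(m.group("text"))
    return passes


def unmatched_mailboxes(passes):
    """Legacy mailboxes that Pass 2 could not tie to an Active Directory user."""
    return list(passes[2].unmatched) if 2 in passes else []


def safe_to_proceed(passes, known_resource_mailboxes=()):
    """Gate for Step 4: only mailboxes you have marked as resource mailboxes should be
    left unmatched; any other unmatched mailbox would get an unwanted disabled account."""
    expected = {dn.lower() for dn in known_resource_mailboxes}
    return all(dn.lower() in expected for dn in unmatched_mailboxes(passes))


def report(passes):
    """Summary to review before running the Connection Agreement Wizard."""
    lines = []
    for number in sorted(passes):
        p = passes[number]
        lines.append(f"Pass {number}: {p.name}: {len(p.matched)} matched, "
                     f"{len(p.unmatched)} unmatched, {len(p.warnings)} warning(s)")
        for dn in p.unmatched:
            lines.append(f"  unmatched: {dn}")
    return "\n".join(lines)


if __name__ == "__main__":
    results = parse_adctools_log(SAMPLE_ADCTOOLS_LOG)
    print(report(results))
    print("safe to proceed:", safe_to_proceed(results))
```

Run it against a real ADCTools.log by reading the file into `parse_adctools_log`; pass the distinguished names you marked with NTDSNoMatch in Step 3 as `known_resource_mailboxes`, and treat a False result as the cue to investigate the migration history of the remaining mailboxes rather than to run the Connection Agreement Wizard.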
Step 3: Resource Mailbox Wizard
The next step in the ADC Tools identifies and marks resource mailboxes using the Resource Mailbox Wizard. Larger enterprises might have hundreds of these resource mailboxes. You can use the bulk edit capabilities to create .csv files for doing the mailbox marking.
- Click Run to start the Resource Mailbox Wizard. The Welcome window opens.
- Click Next. The Select Primary and Resource Mailboxes window opens, shown in Figure 12.22. This window lists owners of multiple mailboxes along with the mailboxes they own. The wizard makes a guess about the primary mailbox based on the user's account name and mailbox alias. It indicates the primary mailbox in bold.
Figure 12.22 Resource Mailbox Wizard searches out mailboxes with the same owner and allows you to specify which mailbox is the user's primary mailbox and designates the remainder as resource mailboxes.
- If the wizard guesses wrong about the primary mailbox, highlight the true primary mailbox and click Set as Primary. The other mailboxes automatically shift to resource mailboxes.
- Click Next. The Site Credentials window opens, as shown in Figure 12.23.
Figure 12.23 Site Credentials window validates the account you select to install the ADC.
- Click Set Credentials and browse for an account that has administrative permissions in the legacy Exchange organization. Use the Exchange service account, because you know it has Service Account Admin permissions. If the Password State column indicates Validated, you know you entered the correct password, but that does not guarantee that the account has sufficient admin permissions.
- Click Next. A Summary window opens. Verify that all settings are correct.
- Click Next. This applies the changes.
- Click Finish to return to the ADC Tools window.
- In the ADC Tools window, click Verify to test that each resource mailbox has been marked with NTDSNoMatch.
Step 4: Connection Agreement Wizard
You've arrived at the point where you'll create Connection Agreements that replicate the e-mail attributes to the Active Directory objects. The Connection Agreement Wizard asks you a few questions then sets up sufficient Recipient and Public Folder CAs to connect each site to Active Directory.
- Click Run to start the CA Wizard.
- At the main welcome window, click Next to open the Staging Area window, shown in Figure 12.24.
Figure 12.24 Staging Area allows you to enter the OU in Active Directory where Distribution Groups, Contacts, and disabled User accounts will be created.
- Browse to the ADC_Staging_Area OU (or whatever OU you created to act as the repository for group and contact objects replicated from legacy Exchange).
- Click Next. The Site Connections window opens (Figure 12.25). The Two-Way Connections pane of the window should list every legacy site. If you don't see a site, stop and determine the problem. Replication failure at the legacy Exchange server used by the ADC can cause this problem.
Figure 12.25 Site Connections shows the Connection Agreements suggested by the Connection Agreement Wizard.
- Click Next. The Site Credentials window opens, shown in Figure 12.26. Use the Set Credentials button to enter the name and password for an account with Service Account Admin permissions in each site. In the example, each site uses the company\exservice account.
Figure 12.26 Site Credentials window validates the account you provide to install the Connection Agreements.
- Click Next. The Domain Credentials window opens. Enter a set of administrator credentials for each domain in the Active Directory forest.
- Click Next. The Connection Agreement Selection window opens, shown in Figure 12.27. Leave all the entries checked.
Figure 12.27 Connection Agreement Selection window allows you to not install one or more Connection Agreements suggested by the wizard.
- Click Next to get a summary window.
- Click Next again to build the Connection Agreements.
- When the CA Wizard has completed its tasks, check the final window for reported errors.
- Click Finish to return to the ADC Tools interface.
- Click Verify to initialize the Connection Agreements. This verifies that all necessary updates were applied to both directory services.
- In the ADC Services console, select the Active Directory Connector icon and press F5 to refresh the display. The listing now includes the Connection Agreements created by the wizard, as shown in Figure 12.28.
Figure 12.28 ADC Services console showing Connection Agreements created by the wizard and their endpoint servers.
Final Checks
Now that you've completed installing the ADC, check a few Active Directory users in the Active Directory Users and Computers console to make sure the Exchange attributes appear in their properties. Also check the staging area to make sure you have objects representing the legacy distribution lists and custom recipients. Figure 12.29 shows an example.
Figure 12.29 Active Directory Users and Computers showing the Universal Distribution Groups and Contacts created by the ADC.
Once you get an Exchange 2003 server up and running, you can familiarize yourself with the operation of a Connection Agreement by creating mailbox-enabled users, mail-enabled groups, and contacts; then using the ADC to replicate them to the legacy Exchange directory service.
At this point, you've finished the ADC installation and you're ready to proceed with installing the first Exchange 2003 server. Ordinarily, at a major milestone such as this, you would want to do some verification testing. But you can't do a thorough test of the ADC until you have all the Connection Agreements, and this won't happen until you install the first Exchange 2003 server. For that reason, verifying CA operation is covered in the next section.