Exchange 2010 Cross Forest Migration


Here is the scenario of my test lab which we will be following.

Source Forest: Exchange 2010
Target Forest: Exchange 2010
AD Functional Level: Both running at 2008R2

You have been given the chance to work on a cross forest migration project for your company. In this article I will elaborate the steps you need to perform to carry out a cross forest migration.

Assumptions:

1. An Active Directory trust is in place between both organizations.
2. Exchange connectors have been set up for internal email flow.

Once the AD trust and Exchange connectors are in place, the following steps need to be performed to migrate users and Exchange mailboxes from the source forest to the target forest:

1. Install ADMT on a domain-joined machine in the target Exchange forest.
2. Install the Password Export Server service on a source domain controller if you want to migrate user accounts with their passwords.
3. Run ADMT to migrate the user accounts along with passwords and SID history.
4. Enable MRS Proxy on all CAS servers in the source Exchange organization. You can enable MRS Proxy by running the cmdlet:
Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -MRSProxyEnabled $True
5. Once MRS Proxy is enabled, increase the MRS Proxy timeout setting from 1 minute to 20 minutes: go to C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\ExchWeb\EWS\ and open the Web.config file in Notepad. After changing this, restart IIS. Now the source Exchange forest is ready.
6. Run ADMT to migrate the user accounts along with SID history and passwords.
6.1 Run ADMT and choose User Account Migration Wizard.
6.2 Choose the Source Domain, Source Domain Controller and Target Domain in the wizard.
6.3 Choose 'Select users from domain'.
6.4 Add the required user accounts.
6.5 Select the Target OU. Note: all users selected above will be migrated to this OU; if different OUs are required, they will need to be migrated in separate batches with the relevant OU.
6.6 Select 'Migrate passwords'.
6.7 Select Target Account State 'Target same as source', uncheck 'Disable source accounts' and uncheck 'Days until source accounts expire'. Check 'Migrate user SIDs to target domain'.
6.8 The first time ADMT is run, a prompt appears. Select Yes.
6.9 Enter the user name, password and domain.
6.10 Select the required User options.
6.11 Select 'Exclude specific object properties from migration' and choose Mail, Mailnickname and msExch*.
6.12 Select 'Do not migrate source object if a conflict is detected in the target domain'.
6.13 Click Finish.
6.14 Verify that the users were copied with no errors. If there are errors, click View Log and resolve them.

After migrating the user accounts with SID history and passwords, you can see that each user account is now enabled in AD and the SID history is visible in the user's attributes.

Exchange Migration

The Exchange migration assumes that the user accounts have been migrated following the steps above.
Create a target Mail User with the @source.com SMTP address in the Exchange Management Console. Prepare-MoveRequest in the next section uses the SMTP address as one of its matching parameters.
Run the Prepare-MoveRequest script on the target Exchange server. The PS cmdlets are as below:
$RemoteCred = Get-Credential
$LocalCred = Get-Credential
Run the Prepare-MoveRequest command for each mailbox that will be migrated.
.\Prepare-MoveRequest.ps1 -Identity test@source.com -RemoteForestDomainController "DC.source.com" -RemoteForestCredential $RemoteCred -LocalForestDomainController "DC.target.com" -LocalForestCredential $LocalCred -UseLocalObject -OverwriteLocalObject -Verbose

Add a secondary SMTP address in the target Exchange
A secondary @target.com SMTP address is required by New-MoveRequest in the next section.

The @target.com secondary SMTP address can be added manually, through a script, or by modifying the target email address policy to include mail users in the target OU.

Run New-MoveRequest to move the user mailbox
Run the following command in the target Exchange EMS to move the user mailbox:

New-MoveRequest -Identity test@source.com -Remote -RemoteHostName "Exchange.source.com" -RemoteCredential $RemoteCred -TargetDeliveryDomain target.com -TargetDatabase "DB Name" -BadItemLimit 10
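The following batch driver is an added example and not code from the original article. It strings together the three target-side commands above (Prepare-MoveRequest, adding the secondary address, New-MoveRequest) for a list of mailboxes read from a CSV, records which step failed for each one, and then polls the move requests. It is written to run in the Exchange 2010 Management Shell (PowerShell 2.0) on the target forest, from the Scripts folder that contains Prepare-MoveRequest.ps1. The server names, domain and database name are the placeholders from the article's lab, and the CSV path and its single SourceSmtp column are assumptions.

```powershell
# Added example, not code from the original article. Run in the TARGET forest's
# Exchange 2010 Management Shell, from <ExchangeInstallPath>\Scripts.
# Placeholders (assumed): DC.source.com, DC.target.com, Exchange.source.com,
# target.com, 'DB Name', and a CSV with one column header, SourceSmtp.

$SourceDC     = 'DC.source.com'
$TargetDC     = 'DC.target.com'
$SourceCAS    = 'Exchange.source.com'    # CAS with MRS Proxy enabled
$TargetDomain = 'target.com'
$TargetDB     = 'DB Name'
$BatchCsv     = 'C:\Migration\batch1.csv'

# Make every cmdlet and script error terminating so the try/catch below sees it.
$ErrorActionPreference = 'Stop'

# Separate credentials for each forest: source (remote) and target (local).
$RemoteCred = Get-Credential
$LocalCred  = Get-Credential

$report = @()
foreach ($u in (Import-Csv -Path $BatchCsv)) {
    $smtp  = $u.SourceSmtp.Trim()
    $alias = ($smtp -split '@')[0]
    $step  = 'Prepare'
    try {
        # Step 1: copy the source mailbox attributes onto the ADMT-migrated
        # account. -UseLocalObject matches the existing target mail user by SMTP
        # address instead of creating a new one.
        .\Prepare-MoveRequest.ps1 -Identity $smtp `
            -RemoteForestDomainController $SourceDC -RemoteForestCredential $RemoteCred `
            -LocalForestDomainController  $TargetDC -LocalForestCredential  $LocalCred `
            -UseLocalObject -OverwriteLocalObject -Verbose

        # Step 2: New-MoveRequest needs a secondary address in the target
        # delivery domain; add one unless the address policy already stamped it.
        $step      = 'SecondaryAddress'
        $mu        = Get-MailUser -Identity $smtp -DomainController $TargetDC
        $secondary = "smtp:$alias@$TargetDomain"
        $existing  = @($mu.EmailAddresses | ForEach-Object { $_.ToString().ToLower() })
        if ($existing -notcontains $secondary.ToLower()) {
            Set-MailUser -Identity $mu.Identity -EmailAddresses @{ Add = $secondary } -DomainController $TargetDC
        }

        # Step 3: queue the move through the source forest's MRS Proxy.
        $step = 'Move'
        New-MoveRequest -Identity $smtp -Remote -RemoteHostName $SourceCAS `
            -RemoteCredential $RemoteCred -TargetDeliveryDomain $TargetDomain `
            -TargetDatabase $TargetDB -BadItemLimit 10 | Out-Null
        $result = 'Queued'
    } catch {
        $result = "$step failed: $($_.Exception.Message)"
    }
    $report += New-Object PSObject -Property @{ Mailbox = $smtp; Result = $result }
}
$report | Format-Table Mailbox, Result -AutoSize

# Poll until nothing is queued or in progress. A request that skips items under
# BadItemLimit still reaches Completed, so surface BadItemsEncountered rather
# than treating a Completed status as proof that every item arrived.
do {
    Start-Sleep -Seconds 300
    $stats = @(Get-MoveRequest | Get-MoveRequestStatistics)
    $stats | Format-Table DisplayName, Status, PercentComplete, BadItemsEncountered -AutoSize
    $pending = @($stats | Where-Object {
        $_.Status -eq 'Queued' -or $_.Status -eq 'InProgress' -or $_.Status -eq 'CompletionInProgress'
    })
} while ($pending.Count -gt 0)
```

The per-mailbox report tells you at which of the three steps a mailbox stalled, which is what you need when a whole batch has to be re-run after fixing an ADMT or address-policy problem; mailboxes that already have their secondary address and a queued request are simply skipped on the next pass by New-MoveRequest refusing a duplicate.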

User Experience:

Once the mailbox is moved to the target Exchange server, users need to be aware that:

1. They must reconfigure their mobile device(s).
2. They won't be able to access their email through the source Exchange OWA; they can access it through the target OWA URL.
3. Their primary SMTP address will change to the target domain.
4. They will get a prompt in Outlook: "The Microsoft Exchange Administrator has made a change that requires you to quit and restart Outlook". Once they restart Outlook, their Outlook profile will be redirected.


Exchange 2013 Virtual Directories


Many of the client protocols used with Exchange Server 2013 are accessed through virtual directories. A virtual directory is used by Internet Information Services (IIS) to allow access to a web application such as Exchange ActiveSync, Outlook Web App, or the Autodiscover service. You can manage a variety of virtual directory settings on Exchange 2013 including authentication, security, and reporting settings.
You can manage virtual directory settings in the EAC and EMS, and certain virtual directory settings in Internet Information Services (IIS) Manager.
In Exchange we have the following virtual directories:
⦁    Autodiscover
⦁    Exchange ActiveSync (EAS)
⦁    Outlook Web App (OWA)
⦁    Exchange Control Panel (ECP)
⦁    Exchange Web Service (EWS)
⦁    Offline Address Book (OAB)
⦁    Powershell

Here I explain how you can manage the virtual directories through the Exchange Admin Center.

Access Virtual Directories in Exchange 2013:

To access a virtual directory through the EAC, go to Exchange Admin Center -> Servers -> Virtual Directories to open the list of virtual directories.

1. Autodiscover (Default Web Site)

Select Autodiscover (Default Web Site) and click Edit. You won't find any editable field on the first page: the first row shows the name of your CAS server and the second row shows the last time this virtual directory was modified. To set up the authentication settings for the virtual directory, go to Authentication.

To set up the internal and external URL of Autodiscover, go to the Exchange Management Shell and use the following cmdlet:
Set-AutodiscoverVirtualDirectory -Identity 'AutoDiscover (Default Web Site)' -ExternalUrl https://www.name.domainname.com

2. ECP (Default Web Site)

Select ECP (Default Web Site) and click Edit. On this page you can set the internal and external URLs for ECP. You can also set these URLs with the following EMS cmdlets:

Set-EcpVirtualDirectory -Identity 'ServerName\ecp (Default Web Site)' -InternalUrl https://mail.domain.com/ecp

Set-EcpVirtualDirectory -Identity 'ServerName\ecp (Default Web Site)' -ExternalUrl https://webmail.domain.com/ecp

To modify the authentication settings for ECP, go to the Authentication tab.

3. EWS (Default Web Site)

Select EWS (Default Web Site) and click Edit. Like the ECP virtual directory, you can set the internal and external URL for the EWS virtual directory from here. To set the internal and external URL using EMS, use the following cmdlets:
Set-WebServicesVirtualDirectory -Identity 'Server\EWS (Default Web Site)' -ExternalUrl https://mail.domain.com/EWS/exchange.asmx

Set-WebServicesVirtualDirectory -Identity 'Server\EWS (Default Web Site)' -InternalUrl https://webmail.domain.com/EWS/exchange.asmx

To modify the authentication settings, go to the Authentication tab.

4. EAS (Default Web Site)

Select EAS (Default Web Site) and click Edit. Like the other virtual directories, you can modify the internal and external URL from this console or use the following EMS cmdlets (note that the URLs use forward slashes; Set-ActiveSyncVirtualDirectory rejects backslashes):

Set-ActiveSyncVirtualDirectory -Identity "Server\Microsoft-Server-ActiveSync" -InternalUrl https://webmail.domain.com/Microsoft-Server-ActiveSync

Set-ActiveSyncVirtualDirectory -Identity "Server\Microsoft-Server-ActiveSync" -ExternalUrl https://mail.domain.com/Microsoft-Server-ActiveSync

To modify the authentication settings, go to the Authentication tab.

5. OAB (Default Web Site)

Select OAB (Default Web Site) and click Edit. You can set the internal and external URL on this console, and you can modify the polling interval for the OAB virtual directory as well. To set the internal and external URLs using EMS, use the following cmdlets:
Set-OabVirtualDirectory -Identity "Server\OAB (Default Web Site)" -ExternalUrl https://mail.domain.com/oab
Set-OabVirtualDirectory -Identity "Server\OAB (Default Web Site)" -InternalUrl https://webmail.domain.com/oab

6. PowerShell (Default Web Site)

This virtual directory is used when we connect to Exchange using remote PowerShell.
Select PowerShell (Default Web Site) and click Edit. Here you can set the internal and external URLs for the PowerShell virtual directory, or use the Set-PowerShellVirtualDirectory cmdlet to set the URLs.
To modify the authentication settings, go to the Authentication tab.

7. OWA (Default Web Site)

Select owa (Default Web Site) and click Edit. On the OWA virtual directory edit page you can set the internal and external URLs, and you also have other options to configure such as authentication settings, features and file access.
To modify the authentication settings, click Authentication.

The available authentication methods are the standard authentication methods (such as Integrated, Digest and Basic) and forms-based authentication. To control which features are available to users in OWA, go to the Features tab and allow or disallow each feature.

When you click 'More options' you can see further settings under each item.

You can control file access through OWA; to do so, click File Access.

You can set different file access restrictions for OWA sessions from public and private computers.
With the Set-OwaVirtualDirectory cmdlet you can enable or disable features and manage the security of the various OWA items.

Note: you also need to modify IIS for the respective virtual directory in which you are going to make any change.
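As an added example (not code from the original article), the report below walks the same seven virtual directories the article edits one by one in the EAC, on every Exchange 2013 server, and puts their URLs and authentication methods side by side. It flags the settings that most often break clients or weaken the deployment: a URL that is not HTTPS, an external host that does not match the published namespace, and Basic authentication on a directory published over plain HTTP. The expected namespace 'mail.domain.com' is the article's placeholder; the choice of which directories are expected to carry an external URL is my own assumption and can be edited.

```powershell
# Added example, not code from the original article. Run in the Exchange 2013
# Management Shell. $ExpectedHost is an assumed placeholder from the article.

$ExpectedHost = 'mail.domain.com'

$getCmdlets = 'Get-AutodiscoverVirtualDirectory', 'Get-ActiveSyncVirtualDirectory',
              'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory',
              'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory',
              'Get-PowerShellVirtualDirectory'

$rows = foreach ($cmdlet in $getCmdlets) {
    # -ADPropertiesOnly reads the Active Directory copy of each directory, so the
    # report does not need IIS remoting to every CAS. Drop it to read IIS instead.
    foreach ($vd in (& $cmdlet -ADPropertiesOnly)) {
        $int  = if ($vd.InternalUrl) { $vd.InternalUrl.AbsoluteUri } else { '' }
        $ext  = if ($vd.ExternalUrl) { $vd.ExternalUrl.AbsoluteUri } else { '' }
        $auth = @(@($vd.InternalAuthenticationMethods) + @($vd.ExternalAuthenticationMethods) |
                  ForEach-Object { "$_" } | Sort-Object -Unique) -join ','

        $findings = @()
        foreach ($pair in @(@('InternalUrl', $int), @('ExternalUrl', $ext))) {
            $label, $url = $pair
            if ($url -and -not $url.StartsWith('https://')) { $findings += "$label is not HTTPS" }
        }
        if ($ext -and $vd.ExternalUrl.Host -ne $ExpectedHost) {
            $findings += "ExternalUrl host is $($vd.ExternalUrl.Host), expected $ExpectedHost"
        }
        # Basic authentication carries the password base64-encoded, so it is only
        # acceptable when the directory is published under TLS.
        if ($auth -match 'Basic' -and $ext -and -not $ext.StartsWith('https://')) {
            $findings += 'Basic authentication published over plain HTTP'
        }
        # Assumption: EWS, OAB and ActiveSync are meant to be reachable from the
        # Internet here; Autodiscover and PowerShell normally leave ExternalUrl empty.
        if (-not $ext -and $vd.Name -match '^(EWS|OAB|Microsoft-Server-ActiveSync)') {
            $findings += 'ExternalUrl not set'
        }

        New-Object PSObject -Property @{
            Server = "$($vd.Server)"; Directory = $vd.Name
            InternalUrl = $int; ExternalUrl = $ext
            Authentication = $auth; Findings = ($findings -join '; ')
        }
    }
}

$rows | Sort-Object Server, Directory |
    Format-Table Server, Directory, InternalUrl, ExternalUrl, Authentication, Findings -AutoSize -Wrap
$rows | Export-Csv -Path "$env:TEMP\vdir-audit.csv" -NoTypeInformation
```

Run it before and after a namespace change: the Findings column should be empty on every server for the directories you publish, and identical InternalUrl/ExternalUrl values across all CAS servers are what lets a load balancer or DNS round robin send a client to any of them.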

For more information about virtual directories, please check the following TechNet articles:

Virtual Directory Management

http://technet.microsoft.com/en-us/library/ff952752%28v=exchg.150%29.aspx

Exchange ActiveSync Virtual Directory Management Tasks

http://technet.microsoft.com/en-us/library/bb125170%28v=exchg.150%29.aspx

Default Settings for Exchange Virtual Directories

http://technet.microsoft.com/en-us/library/gg247612%28v=exchg.150%29.aspx


In 2013 people were asking whether Outlook Web App (OWA) can be customized in Exchange 2013 or not. Well, the answer is "YES": we can customize OWA in Exchange 2013 like we did in previous versions of Exchange. Administrators were asking questions about this on the TechNet forum and in many other communities and never heard anything back, but here is something I got for them: the official Microsoft URLs for customization of OWA in Exchange 2013.

http://technet.microsoft.com/en-us/library/bb201700%28v=exchg.150%29.aspx

http://technet.microsoft.com/en-us/library/ee633483%28v=exchg.150%29.aspx

These articles clearly state that they apply to Exchange 2010, but either that is a typing mistake or Microsoft forgot to update the "Applies to" tab of the page for these articles. I tested all the steps and features described there in my lab, and the result is YES, they are for Exchange 2013 and do apply to Exchange 2013. I have already sent an email to Microsoft regarding this, and hopefully this will be changed very soon so that the page states that it applies to Exchange 2013, as Microsoft frequently updates its TechNet library.

If you want to customize your Outlook Web App page, you can follow the Microsoft TechNet articles above. As per Microsoft, you can modify the following items in your OWA:

1. OWA Theme

2. Logon & Error Page

3. Image and Font

4. Language Selection

In my view, OWA customization is really an awesome feature: you can customize OWA to insert your company logo on the Outlook Web App sign-in page, change the colors, and modify the error message page and its contents, whatever you want to do. I have tested all of them and implemented them in production except Language Selection, as most of us prefer to have English as the default language.

Happy customization of OWA!! It's really a nice thing to do as an admin. If you want screenshots of all the steps mentioned in the TechNet article, let me know in the comments and I will have the screenshots uploaded for you. Thanks.


Microsoft released Exchange Server 2013 SP1 (Cumulative Update 4) on Feb 25, 2014 with a lot of improvements in Exchange architecture, administration, security, compliance and end user experience. The final build number for Exchange Server 2013 SP1 is 15.00.0847.032. With the release of Exchange 2013 SP1 Microsoft reintroduced the Edge Transport server role, so we now have three server roles in Exchange 2013 SP1:

  1. Client Access Server Role
  2. Mailbox Server Role
  3. Edge Transport Role

New features in Exchange 2013 SP1 are:

  • Windows Server 2012 R2 Support — Exchange Server 2013 SP1 allows you to run your messaging infrastructure on Microsoft's latest server operating system, Windows Server 2012 R2. Many may be surprised that Windows Server 2012 R2, which Microsoft released back in August, did not support running Exchange Server 2013 until SP1.
  • EAC Command Logging — Just like the Exchange 2010 Management Console, Exchange 2013 SP1 includes command logging in the EAC. You can review up to 500 commands executed by the user in the EAC user interface; cmdlet logging is invoked from the EAC help menu.
  • ADFS for OWA — ADFS for OWA in Exchange 2013 SP1 supports claims-based authentication.
  • Introduction of the Edge Transport Role — The Edge Transport role sits in the DMZ and handles all Internet-facing mail flow, providing additional security through agents and transport rules and reducing the attack surface. Microsoft reintroduced the Edge Transport server role in SP1; it was missing in the earlier releases of Exchange 2013. Existing deployments of Exchange 2013 with 2007 / 2010 Edge Transport servers are still supported.
  • OWA Junk Email Reporting – Junk email reporting in OWA is supported in SP1.
  • S/MIME for Message Signing and Encryption – With Exchange 2013 SP1, S/MIME is supported across Outlook, OWA and Exchange ActiveSync clients. This functionality was previously removed as part of the transition in OWA architecture to deal with multiple device display formats.
  • DLP Policy Tips — DLP policy tips in OWA are now supported in Exchange 2013 SP1. Previously this was only supported with Outlook 2013.
  • DLP Document Fingerprints — DLP policies allow you to detect sensitive information such as financial information. DLP document fingerprinting extends this functionality to detect forms used in your organization, to better control sensitive information.
  • SSL Offloading — You can now terminate SSL connections on the load balancer in Exchange 2013 SP1, meaning the SSL encryption and decryption workload for inbound connections to the CAS servers can be handled by the load balancer.
  • MAPI over HTTP – With the release of Exchange 2013 SP1, Microsoft introduced a new protocol for Outlook client connectivity to Exchange Server; the existing protocol (RPC over HTTP, i.e. Outlook Anywhere) continues to serve older clients and remains the default. MAPI over HTTP is an optional feature that you need to enable, and as of now it only works with Outlook 2013 SP1. To enable MAPI over HTTP, run the following command in EMS:

Set-OrganizationConfig -MapiHttpEnabled $true

  • Multiple AD Forest support for Hybrid Deployment
  • DAG without Administrative Access Point — You can deploy a DAG without a cluster name object and DAG IP address. This is supported thanks to a change in the Windows Server 2012 R2 clustering feature, which can operate without an access point (no IP address or network name resource). DAGs without an administrative access point are only supported on Windows Server 2012 R2. This is optional, not the default, and can impact third-party applications such as backup software.
  • Enhanced text editor for OWA – New, enhanced and improved capabilities that you expect from a modern application: richer previews, linked content and text editing.

Upgrade to Exchange 2013 SP1:

The process of upgrading your messaging infrastructure to Exchange 2013 SP1 is the same as deploying a cumulative update. As a consultant, my advice is to deploy SP1 in a lab environment first and then in production, although SP1 has already been deployed by millions of customers through the Microsoft Technology Adoption Program (TAP).

Happy Upgrade !!!


This article is a step-by-step guide to the installation of Microsoft Exchange 2013. The installation is a single-server deployment of Exchange Server 2013 with the Mailbox and Client Access Server roles. Before we proceed with the installation of our Exchange 2013 lab, let's review the software and infrastructure requirements of Microsoft Exchange 2013. Before you deploy Exchange 2013 in production, use the Microsoft Exchange Sizing Calculator to size your deployment. Let's get started!!!

Software Requirements for Exchange 2013:

  • Microsoft .Net Framework 4.5
  • Windows Management Framework 3.0 (For Exchange 2013 CU2 or CU3)
  • Windows Management Framework 4.0 (For Exchange 2013 SP1 or later)
  • Remote Server Administration Tool for AD DS
  • Microsoft Unified Communications Managed API 4.0, Core runtime 64-bit
  • Microsoft Office Filter Pack 64-bit
  • Microsoft Office Filter Pack SP1 64-bit

For details on the software requirements, please read the following TechNet article:

http://technet.microsoft.com/en-us/library/bb691354%28EXCHG.150%29.aspx

Lets get started with the Setup:

Prepare Active Directory

The first step before we install our Exchange server is to prepare Active Directory.

Prepare Schema

After preparing Active Directory, the next step is to prepare your schema.

Prepare Domain

Domain preparation is done after schema preparation.

Once you are done with the preparation of Active Directory, schema and domain, start the installation of Exchange 2013.

Congratulations!!! You are done with the installation of your first Exchange 2013 server. To check your Exchange 2013 installation, open Internet Explorer and browse to https://MachineName/ecp.
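The script below is an added example, not code from the original article or from Microsoft, that performs the same sequence unattended: the Windows prerequisites, a check that the downloaded prerequisites are present, the directory preparation, the role installation, and a post-install check. It targets one Mailbox + Client Access server on Windows Server 2012 R2 with Exchange 2013 SP1 and must run elevated as a member of Schema Admins and Enterprise Admins. The ISO drive letter, the organization name and the prerequisite display names are assumptions to adjust; note that it runs /PrepareSchema before /PrepareAD (Setup's own order; /PrepareAD extends the schema itself if that step was skipped).

```powershell
# Added example, not code from the original article. Assumed placeholders:
# D:\ is the mounted Exchange 2013 SP1 ISO, 'Contoso' is the organization name,
# and the prerequisite display names are matched loosely against Programs and Features.

$SetupExe = 'D:\Setup.exe'
$OrgName  = 'Contoso'    # only used the first time /PrepareAD runs in a forest

# 1. Windows roles and features Exchange 2013 needs on Server 2012 R2 (reboot once afterwards).
$features = 'AS-HTTP-Activation', 'Desktop-Experience', 'NET-Framework-45-Features',
  'RPC-over-HTTP-proxy', 'RSAT-Clustering', 'RSAT-Clustering-CmdInterface',
  'RSAT-Clustering-Mgmt', 'RSAT-Clustering-PowerShell', 'WAS-Process-Model',
  'Web-Asp-Net45', 'Web-Basic-Auth', 'Web-Client-Auth', 'Web-Digest-Auth',
  'Web-Dir-Browsing', 'Web-Dyn-Compression', 'Web-Http-Errors', 'Web-Http-Logging',
  'Web-Http-Redirect', 'Web-Http-Tracing', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter',
  'Web-Lgcy-Mgmt-Console', 'Web-Metabase', 'Web-Mgmt-Console', 'Web-Mgmt-Service',
  'Web-Net-Ext45', 'Web-Request-Monitor', 'Web-Server', 'Web-Stat-Compression',
  'Web-Static-Content', 'Web-Windows-Auth', 'Web-WMI', 'Windows-Identity-Foundation',
  'RSAT-ADDS'
$result = Install-WindowsFeature -Name $features
if (-not $result.Success) { throw 'Windows feature installation failed' }
if ($result.RestartNeeded -eq 'Yes') { Write-Warning 'Reboot, then run this script again.'; return }

# 2. Refuse to touch Active Directory until UCMA 4.0 and the Office Filter Pack
#    are installed (they are read from the uninstall registry hives).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty $uninstallKeys | ForEach-Object { $_.DisplayName }
foreach ($needed in 'Unified Communications Managed API 4.0', 'Office 2010 Filter Pack') {
    if (-not ($installed -match [regex]::Escape($needed))) { throw "Prerequisite missing: $needed" }
}

# 3. Directory preparation. Setup.exe exits non-zero on failure, so stop at the first error
#    instead of running the next step against a half-prepared forest.
function Invoke-ExchangeSetup([string[]]$Arguments) {
    & $SetupExe /IAcceptExchangeServerLicenseTerms @Arguments
    if ($LASTEXITCODE -ne 0) { throw "Setup $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}
Invoke-ExchangeSetup '/PrepareSchema'
Invoke-ExchangeSetup '/PrepareAD', "/OrganizationName:$OrgName"
Invoke-ExchangeSetup '/PrepareDomain'

# 4. Install both roles on this server.
Invoke-ExchangeSetup '/Mode:Install', '/Roles:Mailbox,ClientAccess'

# 5. Post-install check: list any automatic Exchange service that is not running,
#    then confirm the Exchange Admin Center loads in the browser.
Get-WmiObject Win32_Service -Filter "Name LIKE 'MSExchange%' AND StartMode='Auto' AND State<>'Running'" |
    Select-Object Name, State
Write-Host "Open https://$env:COMPUTERNAME/ecp to confirm the Exchange Admin Center loads."
```

Keeping the prerequisite check ahead of /PrepareSchema matters more than it looks: schema changes are irreversible, so you want every reason the server-side install could fail discovered before the forest is modified.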

Important URLs for Exchange Installation are:

Download Exchange 2013 Setup:

http://technet.microsoft.com/en-US/evalcenter/hh973395

Download Exchange 2013 Prerequisites:

http://technet.microsoft.com/en-us/library/bb691354(EXCHG.150).aspx