The actual upgrade from Exchange Server 5.5 is relatively easy compared to the various prerequisites that must be met. Directory synchronization between Active Directory and the Exchange directory is important for several reasons. For instance, you need to extend Active Directory with Exchange-specific items and build a common global address list across all platforms.
This lesson focuses on the task of preparing an Exchange Server organization for an upgrade, including installation of Windows 2000 Server and configuration of Active Directory. You will use the Active Directory Connector (ADC) to populate and synchronize user accounts with mailbox information.
At the end of this lesson, you will be able to:
Estimated time to complete this lesson: 3 hours
Exchange Server 5.5 is typically used in a Windows NT 4.0 domain environment—Exchange 2000 Server is strictly a Windows 2000 platform. Hence, your preparation requires an upgrade to Windows 2000 Server and Active Directory first. You must deploy Active Directory in your environment if you are planning to install Exchange 2000 Server.
To avoid the installation of separate Windows 2000 domains, consider upgrading the PDC(s) in your domain environment directly. This is probably the easiest upgrade method because it preserves all account information, including the original security identifiers (SIDs). A SID is a value that uniquely identifies a user account and is used by Windows 2000 to determine access permissions. However, upgrading the PDC involves an additional configuration step if your PDC also runs Exchange Server (see Exercise 1).
Exchange 2000 Server is unable to work with Windows NT 4.0-based security information. This includes the Site Services account used to communicate with previous Exchange Server versions. Because Exchange 2000 Server needs to use the Site Services account, you must first upgrade the PDC of the domain in which this special account exists. During this upgrade, the Site Services account is converted into a Windows 2000 security principal. You can read more about Site Services account dependencies later in this chapter.
NOTE
You don't need to upgrade your entire Windows NT 4.0 environment to Windows 2000 to upgrade to Exchange 2000 Server. However, it is a good idea to upgrade at least the PDCs of all your user domains.
Apart from upgrading existing domains to Windows 2000 Server, you have the option of installing Windows 2000 in separate domains and using the Active Directory Migration Tool to clone the existing security information. Cloned accounts are specific Windows 2000 accounts for which properties and group memberships have been copied from corresponding Windows NT 4.0 source accounts. Although the account objects have a different primary SID than their source accounts, each source account's SID is copied to the SIDHistory attribute of the corresponding clone. Through the old SID preserved in the SIDHistory attribute, the Windows 2000 user can access all network resources available to the source account, provided that trusts exist between the Windows NT domains and the clone's Active Directory domain. Because a SID in SIDHistory grants every right of the source account, populate the attribute only through the migration tool and review it once the migration is complete.
The Active Directory Migration Tool is appropriate for complex Windows NT environments consisting of multiple Windows NT 4.0 domains because it allows consolidation of the domain environment. You can read more about this tool in Planning Migration from Microsoft Windows NT to Microsoft Windows 2000, which is available in the online documentation for Windows 2000 Server.
When upgrading PDCs or backup domain controllers (BDCs) running Exchange Server 5.5, you need to change the Lightweight Directory Access Protocol (LDAP) port number for the Exchange directory service. The legacy Exchange directory supports LDAP and so does Active Directory. Hence, both expect incoming LDAP connections on TCP port 389, LDAP's well-known port, by default. On an Active Directory domain controller, such as an upgraded PDC, Active Directory starts automatically and binds TCP port 389 for its own use. When the Exchange directory service starts afterwards, it cannot bind the same port and cannot communicate via LDAP until you change the LDAP port for the Exchange directory to a port other than 389 (see Figure 6.1).
NOTE
Microsoft recommends changing the LDAP port for the Exchange directory service prior to upgrading to Windows 2000 and Active Directory.
Figure 6.1 Active Directory and Exchange directory on a domain controller
In this exercise you will change the LDAP port for the Exchange directory service using the Exchange Administrator program. This is a prerequisite for subsequent exercises in this chapter.
To view a multimedia demonstration that displays how to perform this procedure, run the EX1CH6.AVI files from the \Exercise_Information\Chapter6 folder on the Supplemental Course Materials CD.
At this point, you have configured the Exchange directory service to use TCP port 390 (see Figure 6.2).
Figure 6.2 Changing the LDAP port number for the Exchange directory
To prevent port conflicts when running Exchange 2000 Server on a domain controller, change the TCP port number for the LDAP interface of the Exchange directory service. Be cautious, however, not to specify a TCP port in use by another service. A list of well-known ports can be found in the SERVICES file in the \Winnt\System32\Drivers\Etc directory.
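The following script is an added example for this lesson and is not part of the original course material. It checks the state Exercise 1 and the upgrade are meant to produce on a domain controller that also runs Exchange Server 5.5: Active Directory owns TCP 389 and the Exchange directory service answers LDAP on the alternate port (390 here). It assumes PowerShell 3 or later with the NetTCPIP module (Windows 8 / Server 2012 or later) for Get-NetTCPConnection; on older systems inspect listeners with netstat -an instead. The server name BLUESKY-PDC and the port numbers are placeholders taken from the lesson.

```powershell
# Added example for this lesson, not part of the original course material.
# Verifies that Active Directory holds TCP 389 and that the Exchange 5.5
# directory service answers on the alternate LDAP port after the upgrade.
# Assumptions: PowerShell 3+ with Get-NetTCPConnection (Windows 8 / 2012+);
# server name and ports are placeholders from the lesson.
param(
    [string]$Server       = 'BLUESKY-PDC',
    [int]   $AdPort       = 389,
    [int]   $ExchangePort = 390
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-ListenerProcess {
    param([int]$Port)
    # Name of the local process that owns the listening socket on $Port.
    # Expected: 'lsass' for Active Directory, 'dsamain' for the Exchange 5.5
    # directory service. $null means nothing is listening on that port.
    $listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
                Select-Object -First 1
    if (-not $listener) { return $null }
    (Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue).ProcessName
}

function Get-RootDse {
    param([string]$Server, [int]$Port)
    # Anonymous base-scope read of the rootDSE. Active Directory answers this
    # by default; the Exchange 5.5 directory answers it over its LDAP port.
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Timeout = [TimeSpan]::FromSeconds(5)
    $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $null,
        '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::Base,
        [string[]]@('namingContexts', 'supportedLDAPVersion'))
    try {
        $entry = $conn.SendRequest($req).Entries[0]
        $ncs = @()
        if ($entry.Attributes.Contains('namingContexts')) {
            $ncs = $entry.Attributes['namingContexts'].GetValues([string])
        }
        [pscustomobject]@{ Port = $Port; Reachable = $true;  NamingContexts = @($ncs); Error = '' }
    } catch {
        # Connection refused here means no LDAP listener on that port, which is
        # exactly what you see when the port was not changed before the upgrade.
        [pscustomobject]@{ Port = $Port; Reachable = $false; NamingContexts = @();    Error = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

foreach ($p in @($AdPort, $ExchangePort)) {
    $owner = Get-ListenerProcess -Port $p
    $dse   = Get-RootDse -Server $Server -Port $p
    '{0,5}  owner={1,-8}  reachable={2,-5}  namingContexts={3}  {4}' -f `
        $p, $(if ($owner) { $owner } else { '-' }), $dse.Reachable,
        ($dse.NamingContexts -join ';'), $dse.Error
}
```

On a correctly prepared domain controller the 389 line shows lsass with the DC=... naming contexts of the forest, and the 390 line shows dsamain with the Exchange organization (o=...) as its naming context. If the 390 line is unreachable and no owner is listed, the Exchange directory service is not running, which is the symptom described above when the port was left at 389.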
Exchange 2000 Server can only be installed on a computer running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server updated with Windows 2000 Service Pack 1. Furthermore, the server must be a member of an Active Directory domain. If you are planning to directly upgrade an existing computer from Exchange Server 5.5, you need to upgrade its operating system first.
Active Directory supports mixed networks containing computers running Windows NT Server 4.0 and Windows 2000 Server, so you don't need to upgrade all operating systems at once before installing Exchange 2000 Server. Upgrade the PDC first and then the computers running Exchange Server 5.5 one at a time. If the Exchange servers are operating as BDCs, change the LDAP port number for the Exchange directory as previously outlined prior to the upgrade. If your domain also contains member servers running Exchange Server 5.5, upgrade them after the BDCs have been upgraded.
In this exercise you will upgrade the PDC of your test environment to Windows 2000 Server. This will preserve all existing accounts, including the Site Services account for Exchange Server.
To view a multimedia demonstration that displays how to perform this procedure, run the EX2CH6*.AVI files from the \Exercise_Information\Chapter6 folder on the Supplemental Course Materials CD.
At this point, Setup copies important files to the computer's hard disk and reboots the computer (see Figure 6.3).
Figure 6.3 Starting the Windows upgrade process
At this point, you have successfully configured the Active Directory environment hosting an Exchange Server 5.5 organization (see Figure 6.4).
Figure 6.4 Running the Active Directory Installation Wizard
As soon as the Active Directory environment is configured, both domain controllers BLUESKY-PDC and BLUESKY-BDC are listed in the domain controllers organizational unit (OU). Because the domain environment operates in mixed mode, BDCs (BLUESKY-BDC) can fully participate and the Exchange Server organization functions as normal. It is only during the upgrade, when Active Directory is not yet configured, that Exchange Server services are unable to start.
To ensure a common global address list for all users, whether they still reside on Exchange Server 5.5 or are migrated to Exchange 2000 Server, you need to synchronize the directories with each other. To enable directory synchronization, install the Active Directory Connector (ADC) and configure user connection agreements. Connection agreements can replicate recipient and public folder information between Exchange Server 5.5 and the Global Catalog.
NOTE
The Active Directory Connector of Exchange 2000 Server requires Exchange Server 5.5 Service Pack 3. Consequently, you need to update at least one server in each site to Exchange Server 5.5 SP3 to achieve complete system integration.
To support Exchange Server 5.5, Windows 2000 provides a basic ADC version. The ADC of Exchange 2000 Server, in contrast, comes with enhanced functionality for replicating configuration and routing information. The Exchange 2000 version updates the Active Directory schema on its first installation. Because this schema extension is a prerequisite for upgrading to Exchange 2000 Server, you must install at least one instance of the Exchange 2000 ADC in your Active Directory forest as part of your upgrade preparation.
TIP
For best performance, upgrade all ADC installations to the version that comes with Exchange 2000 Server.
As soon as the Windows NT user accounts are migrated to Active Directory, you need to synchronize the accounts with their corresponding mailbox information using an ADC connection agreement. Directory synchronization is performed between the Global Catalog and the Exchange directory service (see Figure 6.5). The first domain controller installed in the forest is automatically a Global Catalog server; it is a good idea to assign this role to one server in each Windows 2000 domain. Even if you do not plan to deploy ADC in all of your domains, you need to extend the schema in the domain that holds the schema master by running the ADC Setup program with the /schemaonly switch on that domain. As mentioned earlier, the Active Directory schema must be extended to support additional Exchange 2000-related object classes and attributes. As soon as this is accomplished, you can deploy ADC in child domains.
Figure 6.5 Directory synchronization via ADC and a connection agreement
In Exchange Server 5.5 it is possible to specify one Windows NT account as the primary Windows account for multiple mailboxes. In Exchange 2000 Server, account and mailbox information are part of the same Active Directory object; hence, each Windows 2000 account can have only one mailbox directly associated with it. To synchronize the information from additional mailboxes with Active Directory, additional account objects must be created in Active Directory. The ADC is also able to create Windows accounts for mailbox objects where a corresponding Active Directory object could not be found.
You can control the automatic creation of Active Directory accounts via the Advanced tab of each connection agreement. By default, disabled Windows user accounts are created, but you may change this behavior to create enabled accounts or Windows contacts by selecting the appropriate option from the When Replicating A Mailbox Whose Primary Windows Account Does Not Exist In The Domain list. Creating disabled accounts is the safer default: an account the ADC creates should be enabled only after you have confirmed who will use it.
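The following script is an added example for this lesson and is not part of the original course material. It performs the two checks the preceding two paragraphs call for: first, which Exchange Server 5.5 mailboxes share one primary Windows NT account (each of those needs its own Active Directory account after synchronization), and second, which disabled, mailbox-enabled accounts the ADC has created in the connection agreement's target container. It assumes the Exchange 5.5 directory answers LDAP on BLUESKY-PDC port 390 (as configured in Exercise 1), that the Exchange 5.5 attribute holding the primary account SID is named Assoc-NT-Account, and that the site DN cn=Recipients,ou=Headquarters,o=BlueSky, the domain DN DC=bluesky,DC=com and the target container CN=Users are placeholders to replace with your own values.

```powershell
# Added example for this lesson, not part of the original course material.
# Assumptions: Exchange 5.5 LDAP on BLUESKY-PDC:390, primary-account SID in
# the 'Assoc-NT-Account' attribute, and placeholder DNs for site and domain.

function Get-SharedPrimaryAccounts {
    # Mailboxes in the Exchange 5.5 directory grouped by primary Windows NT
    # account; only groups with more than one mailbox are returned.
    param(
        [string]$Server       = 'BLUESKY-PDC',
        [int]   $Port         = 390,
        [string]$RecipientsDn = 'cn=Recipients,ou=Headquarters,o=BlueSky'
    )
    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server`:$Port/$RecipientsDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(objectClass=organizationalPerson)'   # mailbox objects in the 5.5 directory
    # No PageSize here: the 5.5 directory caps results at the LDAP site default
    # (Exchange Administrator, Protocols, LDAP (Directory) Site Defaults); raise
    # that limit if the result set is truncated.
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'Assoc-NT-Account'))

    $bySid = @{}
    foreach ($r in $searcher.FindAll()) {
        $raw = $r.Properties['assoc-nt-account']
        if ($raw.Count -eq 0) { continue }
        # Assumed binary SID; convert to S-1-5-... text so it can be used as a key.
        $sid = (New-Object System.Security.Principal.SecurityIdentifier([byte[]]$raw[0], 0)).Value
        if (-not $bySid.ContainsKey($sid)) { $bySid[$sid] = New-Object System.Collections.ArrayList }
        [void]$bySid[$sid].Add([string]($r.Properties['cn'] | Select-Object -First 1))
    }
    foreach ($kv in $bySid.GetEnumerator()) {
        if ($kv.Value.Count -gt 1) {
            [pscustomobject]@{ PrimaryAccountSid = $kv.Key; Mailboxes = ($kv.Value -join ', ') }
        }
    }
}

function Get-AdcDisabledAccounts {
    # Accounts the ADC created with the default setting: mailbox-enabled
    # (legacyExchangeDN populated) and disabled (userAccountControl bit 0x2,
    # tested with the LDAP bitwise-AND matching rule).
    param([string]$SearchBase = 'CN=Users,DC=bluesky,DC=com')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$SearchBase")
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(legacyExchangeDN=*)' +
                       '(userAccountControl:1.2.840.113556.1.4.803:=2))'
    $searcher.PageSize = 500   # Active Directory supports paged results
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'mailNickname', 'legacyExchangeDN', 'whenCreated'))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            SamAccountName   = [string]($r.Properties['samaccountname']   | Select-Object -First 1)
            MailNickname     = [string]($r.Properties['mailnickname']     | Select-Object -First 1)
            LegacyExchangeDN = [string]($r.Properties['legacyexchangedn'] | Select-Object -First 1)
            Created          = ($r.Properties['whencreated'] | Select-Object -First 1)
        }
    }
}

'Primary Windows NT accounts with more than one mailbox:'
Get-SharedPrimaryAccounts | Format-Table -AutoSize
'Disabled mailbox-enabled accounts in the target container:'
Get-AdcDisabledAccounts   | Format-Table -AutoSize
```

Run the first function before creating the connection agreement, and the second after replication has completed. Every mailbox beyond the first in a shared group will appear in the second list as a new disabled account; decide deliberately for each one whether to enable it, link it to a different existing account, or convert it to a contact, rather than switching the agreement to create enabled accounts for everything.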
In this exercise you will synchronize Active Directory with the Exchange directory using the ADC and a connection agreement. To prepare for an upgrade to Exchange 2000 Server, install and configure the ADC, which can be found on the Exchange 2000 Server installation CD.
To view a multimedia demonstration that displays how to perform this procedure, run the EX3CH6*.AVI files from the \Exercise_Information\Chapter6 folder on the Supplemental Course Materials CD.
To install and configure the ADC
At this point, you have successfully installed the ADC on BLUESKY-PDC and updated the directory schema (see Figure 6.6).
Figure 6.6 Installing the ADC
Figure 6.7 Configuring a connection agreement
After you have successfully configured the connection agreement, recipient information is replicated between Active Directory and the Exchange Server organization. According to the default configuration, the ADC creates disabled Windows 2000 accounts for all Exchange Server 5.5 mailboxes that do not have a matching Active Directory object. You can find these disabled accounts in the OU or container that you specified in your connection agreement, such as the default Users container.