Now that you have started to deploy Windows 2000 and Active Directory and you have configured at least one connection agreement with ADC to synchronize the Exchange directory with Active Directory, you are ready for upgrading. In a production environment, it is good practice to prepare a full backup of the computer running Exchange Server 5.5 before launching the Setup program of Exchange 2000 Server. You may even restore your system on a test machine and perform a test upgrade there. This helps familiarize you with the entire upgrade task and shows that it can be performed without problems.
This lesson discusses available options for upgrading to Exchange 2000 Server. It introduces two general upgrade strategies that you may find useful. In environments with more than one server, the upgrade is accompanied by a coexistence phase that comes with special requirements, also covered here.
At the end of this lesson, you will be able to:
Estimated time to complete this lesson: 2 hours
In general, you have to decide between two upgrade strategies. You can either install Exchange 2000 Server directly on a computer running Exchange Server 5.5, performing an in-place upgrade, or join an existing Exchange Server 5.5 site with a new server and move mailboxes and other resources to Exchange 2000 Server manually, which corresponds to a move-mailbox upgrade.
TIP
It is a good idea to review the installation and configuration of connectors, gateways, and any third-party software prior to the upgrade to ensure that they are compatible with Exchange 2000 Server.
The in-place upgrade is simple and quickly accomplished, but it is only supported over Exchange Server 5.5 Service Pack 3 or later. When you launch the Exchange 2000 Setup program directly on a computer running Exchange Server 5.5 Service Pack 3, the previous version is detected automatically, and Setup switches into upgrade mode, not allowing you to add additional components or change the existing configuration in any way. To make any changes, you will need to launch Setup one more time after the upgrade in maintenance mode, which was introduced in Chapter 5, "Installing Microsoft Exchange 2000 Server."
During the in-place upgrade, Setup stops the Exchange Server services to convert the information store databases. The upgrade process works with approximately 8 GB per hour, which is extremely fast. However, the actual conversion speed depends on a number of factors, such as the number of mailboxes and public folders.
NOTE
The database conversion is a resource-intensive task during which the computer or the Setup procedure may appear to hang, for instance, at 85 or at 100 percent completion. This is an expected behavior, especially if the size of the databases being upgraded is large. You will need to be patient; do not terminate the Setup process, and do not restart the server.
The following prerequisites must be met to perform an in-place upgrade:
A significant disadvantage of the in-place upgrade is server downtime because the Exchange Server services must be stopped during the upgrade process. In-place upgrading also requires installing Windows 2000 Server and possibly updating Exchange Server to version 5.5 with Service Pack 3 first, which also causes the system to be unavailable for a period of time. If your organization is supposed to be up and running 24 hours, 7 days a week, consider a move-mailbox upgrade instead of the in-place approach. During a move-mailbox upgrade, you join an existing site with a machine running Exchange 2000 Server and move all resources from the legacy Exchange server to this computer. As soon as all resources have been moved, the old system may be removed from the site.
You may want to use the upgrade to Exchange 2000 Server as a perfect opportunity to replace outdated server hardware, or you may reuse the old hardware for subsequent Exchange 2000 Server installations after the data has been moved from the old system. This is known as a leapfrog upgrade (see Figure 6.8).
Figure 6.8 The leapfrog upgrade method
The move-mailbox upgrade involves manual configuration steps, but its most significant advantage is that business processes are not interrupted. Prepare a new computer according to the hardware and software requirements outlined in Chapter 5 and launch the Exchange 2000 Setup program. During Setup, indicate that you will join an existing organization. You need to specify an existing server running Exchange Server 5.5 with Service Pack 3. The name of the existing organization is retrieved from the specified server and replicated to Active Directory. The Exchange 2000 server will then join the selected site. As soon as Exchange 2000 Server is running in the site, you can move mailboxes and replicate public folders to the new system. This doesn't affect the installed client base because clients are redirected to new mailbox and public folder locations automatically, provided that the old home server is still available in the network (see Figure 6.9).
NOTE
When joining a site you must specify a server running Exchange Server 5.5 with Service Pack 3.
Figure 6.9 Redirection of Outlook 2000 to Exchange 2000
The move-mailbox migration strategy works best for mailbox and public folder resources. Existing connectors, however, need to be reconfigured on the new server if you plan to remove the old server from the site. This is also true if you have installed Key Management Service (KMS) in your organization. To most conveniently upgrade servers responsible for connectors (bridgehead servers) and KMS, consider the in-place upgrade method.
NOTE
It is a good idea to check the configuration of messaging connectors after an in-place or leapfrog upgrade. Do not forget to check whether or not the routing information is upgraded properly.
You can upgrade to Exchange 2000 Server in any order, which means that you don't need to consider upgrading bridgehead or connector servers first. As a matter of fact, you might want to upgrade these systems last, especially when they are running connector instances not supported by Exchange 2000 Server, such as the Professional Office System (PROFS) connector. It is advisable to upgrade public and mailbox servers first so that your users can benefit from the advanced messaging and collaboration features of Exchange 2000 Server immediately.
In this exercise you will perform an in-place upgrade to Exchange 2000 Server. At the end of this exercise, you will be operating an Exchange organization consisting of an Exchange 2000 server and a computer running Exchange Server 5.5.
To view a multimedia demonstration that displays how to perform this procedure, run the EX4CH6*.AVI files from the \Exercise_Information\Chapter6 folder on the Supplemental Course Materials CD.
To perform an in-place upgrade to Exchange 2000 Server
At this point, you have reached the Component Selection wizard screen, which provides you with information about the individual components that will be updated. It is important to note that you cannot change the Action displayed for any component (see Figure 6.10).
Figure 6.10 The Upgrade action on the Component Selection wizard screen
The in-place upgrade method is easy to accomplish if all prerequisites are met. You cannot change any configuration settings during the installation process. During the upgrade, existing configuration information is transferred to Active Directory. To verify that the configuration is now present in Active Directory, start the Exchange System snap-in from the Microsoft Exchange program group. Computers running previous versions of Exchange Server are shown as transparent objects and sites are matched with administrative groups, as explained in Chapter 5, "Installing Microsoft Exchange 2000 Server."
NOTE
To minimize the risk of permission-related problems during an in-place upgrade of a production system, check the consistency of the server prior to running the Exchange 2000 Server Setup program. Open the Exchange Administrator program, and display the properties of the affected server object. Switch to the Advanced tab, and then click on the Consistency Adjuster button. Select only the Remove Unknown User Accounts From Mailbox Permissions and Remove Unknown User Accounts From Public Folder Permissions check boxes, and then click OK. It is not necessary to synchronize the directory or re-home public folders.
During the coexistence phase, it is important to coordinate system administration and maintenance carefully. Although Exchange 2000 Server resources are displayed in the directory information tree within the Exchange Administrator, any changes you make to these configuration objects are not replicated to Exchange 2000 Server and don't take effect. When displaying the configuration of the organization in the Exchange System snap-in, resources of previous Exchange versions are shown as transparent objects. The Exchange System snap-in displays the information as read-only and prevents you from changing settings.
NOTE
You must administer Exchange Server 5.5 using the Exchange Administrator program and Exchange 2000 Server using the Exchange System snap-in and other Microsoft Management Console (MMC) snap-ins.
Use only the Active Directory Users and Computers management tool for mailbox management. Don't use Exchange Administrator for this purpose. After all, you are migrating away from Exchange Server 5.5, and, therefore, it is a good idea to create mailboxes for new Windows 2000 accounts on servers running Exchange 2000 Server only. Avoid the creation of additional mailboxes on the legacy system.
Whether you join an existing site with a new Exchange 2000 server or perform an in-place upgrade, thus joining a site automatically, Exchange 2000 Server must disguise itself on the site to appear as an Exchange 5.5 server. When viewing your organization in Exchange Administrator, note that Exchange 2000 servers are displayed in much the same way as servers running previous versions of Exchange.
The disguising function results from a helper directory service, which the Setup program of Exchange 2000 Server installs automatically. You can find this service when launching the Services utility from the Administrative Tools program group. Look for the Microsoft Exchange Site Replication Service (SRS). It will be activated and its database initialized when you install a first Exchange 2000 server on a site or when you upgrade a directory replication bridgehead server. On all other Exchange 2000 servers, this component is deactivated by default. On BLUESKY-PDC, for instance, this service is configured to start automatically because this is the first Exchange 2000 server on the site.
You can think of SRS as an Exchange directory service for Exchange 2000 Server. Only the Name Service Provider Interface (NSPI) is disabled to prevent Microsoft Outlook clients from connecting to SRS and retrieving directory information from this service. As a matter of fact, SRS contains much of the executable code of the former directory service, which ensures full compatibility with earlier versions.
SRS consists of the following components (see Figure 6.11):
Figure 6.11 Directory replication between Exchange 2000 Server and Exchange Server 5.5
NOTE
When installing or enabling SRS, all existing Exchange 2000 administrators inherit the permissions to manage the SRS environment. Administrators that have been granted permissions in Exchange System Manager at a later time are unable to manage SRS. To grant these administrators SRS permissions, use the Exchange Administrator program and connect to the Exchange 2000 server. Grant the desired user account the appropriate rights, such as Service Account Administrator, as usual at the organization, site, and configuration level. You need the rights of a Permissions Admin.
Within a site, SRS automatically replicates directory information using remote procedure calls (RPCs). Between sites, SRS replicates directory information via e-mail messages, just as the Exchange directory service does (see Figure 6.11). SRS automatically disables the directory replication to servers in the site as well as bridgeheads in other sites as soon as they are upgraded to Exchange 2000 Server. This ensures that replication data is not duplicated because the replication between Exchange 2000 systems is handled through Active Directory.
The SRS only replicates data with previous Exchange directories. Connection agreements of the ADC, on the other hand, replicate changes between SRS and Active Directory, as indicated in Figure 6.11. In a manner similar to the Exchange directory service, SRS accepts incoming connections from the ADC via a customized LDAP port if you are running Exchange 2000 Server on a domain controller; otherwise, it accepts them through the well-known LDAP port 389.
During the first installation of Exchange 2000 Server in an existing site, a configuration connection agreement is configured automatically. You can verify its existence when launching the Active Directory Connector tool from the Microsoft Exchange program group. For the ADC of BLUESKY-PDC, for instance, a connection agreement named Config CA_BLUESKY-OLD-10_BLUESKY-PDC was created. As you can see on the Connections property sheet, this connection agreement connects to SRS on BLUESKY-PDC through the customized TCP port 379 to synchronize configuration and routing information from the SRS database with Active Directory.
NOTE
If you are installing a first Exchange 2000 server on a Windows 2000 domain controller not running any previous version of Exchange Server and joining an existing site, SRS automatically uses TCP port 379 to avoid LDAP port conflicts with Active Directory.
As discussed in Chapter 3, "Microsoft Exchange 2000 Server Architecture," the mechanisms for server-to-server communication in Exchange 2000 rely primarily on SMTP and the extended Windows 2000 SMTP service. This is different than previous Exchange Server versions, where directory services performed directory replication and Message Transfer Agents (MTAs) provided the native messaging transport between servers in a site and message transfer to servers in other sites.
Within sites, computers running previous versions of Exchange Server communicate with each other using RPCs. When integrating Exchange 2000 Server in a site, the new system must comply with this tradition and use RPCs as well. Specifically, SRS will contact remote Exchange directory services for directory replication, and the MTA of Exchange 2000 Server will transfer messages with legacy MTAs. The MTA of Exchange 2000 Server works similar to the old MTA, with minor enhancements and the exception that the new MTA uses LDAP instead of Directory API (DAPI) to perform directory lookups.
NOTE
If you install two or more Exchange 2000 servers in a site, these servers will detect each other through Active Directory and route messages to one another using the SMTP service rather than the MTA.
All Exchange servers in a site must validate each other using a common Site Services account before server-to-server communication is allowed. Servers not using the correct Site Services account will not be able to communicate. Therefore, Exchange 2000 Server must use the common Site Services account for its communication with previous versions of Exchange Server as well.
When joining an existing site, you will be prompted for the Site Services account information. You can correct or change the Site Services account password within the Exchange System snap-in when displaying the properties of the administrative group that represents your site (such as BLUESKY-OLD-10, which can be found under Administrative Groups). Click Modify on the General property sheet to change the information displayed under Exchange 4.0/5.x Service Account For This Site.
NOTE
The Site Services account specified in the properties of an administrative group is only used for communication with legacy Exchange systems. Exchange 2000 servers use the LocalSystem account for their native communication.
Exchange 2000 Server can utilize any existing connector installed in the site because SRS, in conjunction with the ADC, replicates configuration information, including information about connected sites and gateways, to Active Directory. Likewise, information about existing Exchange 2000 connectors is replicated to all Exchange directories. Earlier versions of Exchange Server can, therefore, also use new connectors for message transfer (see Figure 6.12).
Figure 6.12 Intersite message transfer and gateway connections
NOTE
Through directory replication, routing information from servers running previous Exchange Server versions is placed in the Exchange 2000 Server link state table. This allows Exchange 2000 Servers to include any existing connectors in its routing decisions.
Proxy address definitions must be preserved on Exchange 2000 Server so that all users in a site or administrative group have the same proxy addresses generated. Consequently, when joining an existing site, the proxy address definitions (SMTP, X.400, Lotus cc:Mail, and MS Mail) must be copied to a recipient policy for the administrative group that represents a particular site in Exchange 2000 Server. You can view the definition of the recipient policy in the Exchange System snap-in. In the console tree, open the Recipients container, and then select Recipient Policies. In the details pane, you will find an object with a name that corresponds to your site (such as BLUESKY-OLD-10) that has the highest priority. When you display the properties of this policy object, you will find a Filter Rule in the General property sheet that activates the policy for all objects with a LegacyExchangeDN attribute set to the organization and site name of the site that you joined with the Exchange 2000 server.
It is important to note that Outlook Web Access (OWA) will be replaced entirely when upgrading to Exchange 2000 Server. If you have customized the .asp pages of OWA to implement your own Web-based messaging solution, this solution will not work with Exchange 2000 Server, because OWA in Exchange 2000 Server has been entirely redesigned. The rendering process is handled directly by an Internet Server API (ISAPI) component (DAVEX.DLL) and other DLLs, instead of .asp pages. The new architecture is explained in Chapter 22, "Microsoft Outlook Web Access."
To preserve your customized solution, install Exchange 2000 Server on a separate computer running Windows 2000, and then use the move-mailbox approach to migrate mailboxes and public folders. Leave the old server running to front end Exchange 2000 Server with OWA from Exchange Server 5.5. When users connect to their mailboxes via HTTP and the legacy OWA version, the location of the mailbox is determined from the Exchange directory.
NOTE
You cannot front end a computer running Exchange Server 5.5 with OWA from Exchange 2000 Server.
As outlined in Chapter 5, it is advantageous to switch an Exchange 2000 Server organization into native mode as soon as all earlier versions of Exchange Server are upgraded. This gives you full control over the configuration of administrative and routing groups and eliminates mixed mode limitations. However, as long as computers running previous Exchange Server versions exist in your organization, changing to native mode is impossible. Consequently, the Change Mode button in the General property sheet of the organization (for example, Blue Sky Airlines [Exchange]) is deactivated in the Exchange System snap-in.
IMPORTANT
To switch an organization to native mode, all computers running previous Exchange Server versions must be upgraded or removed. Switching to native mode disables interoperability with previous versions, which is an irreversible process.
In this exercise you will complete the migration of the test environment to Exchange 2000 Server by using the move-mailbox approach. As soon as all resources are on BLUESKY-PDC, you will remove the legacy system and switch the organization to native mode.
To view a multimedia demonstration that displays how to perform this procedure, run the EX5CH6*.AVI files from the \Exercise_Information\Chapter6 folder on the Supplemental Course Materials CD.
To perform a move-mailbox upgrade and finalize the migration
NOTE
The Active Directory Connector adds a description of Disabled Windows User Account to each disabled object that it creates for an Exchange Server 5.5 mailbox. When enabling these accounts, the description is not changed automatically. In a production environment, you have to update this information manually (or using LDIFDE for batch operation) to avoid confusing account descriptions in Active Directory.
At this point, you have successfully moved all mailbox resources to the new Exchange 2000 server (see Figure 6.13). You would also have to replicate existing public folder instances to the new server, which is not required in the test environment because public folders were not created. Public folder replication is covered in Chapter 18, "Public Folder Replication."
Figure 6.13 Moving mailboxes to Exchange 2000 Server
Figure 6.14 An Exchange 2000 organization in native mode
At this point, you are operating a native mode Exchange 2000 organization that cannot integrate earlier versions of Exchange Server, which is indicated by the missing Site Replication Service container that once was available under Tools in mixed mode.
Although the move-mailbox upgrade represents an interesting alternative to the in-place approach, a complete migration requires numerous manual configuration steps. After you have removed a server running an earlier version of Exchange Server from the site, you need to delete its references from Active Directory using the Exchange Administrator program. The last Exchange server must be deleted from the SRS database manually because no other Exchange directory service exists in the site that could accomplish this via directory replication.
Upgraded users now working with mailboxes on Exchange 2000 Server will notice subtle changes in the structure of the address book because they now connect to a Global Catalog server for address lookups, as explained in Chapter 2, "Integration with Windows 2000." However, users might sometimes see duplicate accounts in the address book. These duplicate accounts, which might be generated during the migration process, require a dedicated cleanup using the Active Directory Account Cleanup Wizard.
The procedures outlined in this chapter rely on a Windows NT and Exchange Server in-place upgrade, which implicitly prevents the generation of duplicate accounts because the user accounts are converted to Windows 2000 accounts first and then synchronized with Exchange Server 5.5 mailbox information. However, depending on the complexity of your Windows NT domain environment, it might be necessary to synchronize Exchange Server 5.5 mailbox information before upgrading Windows NT user accounts, in which case user connection agreements of the ADC create Windows 2000 accounts for all those mailboxes for which user account information was missing in Active Directory. This may happen, for instance, when users work with Exchange Server mailboxes that reside in different domains and all PDCs could not be upgraded to Windows 2000. If ADC user connection agreements generated Windows 2000 accounts for those Windows NT users' mailboxes, and you upgrade these users to Windows 2000 at a later time, you will end up with duplicate accounts (see Figure 6.15).
TIP
To avoid the generation of duplicate accounts in your environment, upgrade all existing PDCs to Windows 2000 before configuring user connections agreements with the ADC.
If you need to remove numerous duplicate accounts from Active Directory, you will find the Active Directory Cleanup Wizard a very helpful tool. It is available in the Microsoft Exchange program group. This utility searches through the Active Directory forest for possible duplicate Windows NT accounts and displays a list of duplicates that were found, giving you the opportunity to review and adjust the cleanup procedure. It is also possible to manually match duplicates that were not found and merge duplicate accounts into a selected destination account. Merging duplicate accounts preserves group and distribution list membership and access permissions to existing resources. You can find more information about the Active Directory Cleanup Wizard in the Microsoft Exchange 2000 Server online documentation.
Figure 6.15 Duplicate account creation
NOTE
It is not possible to perform cleanups or merge operations across multiple Active Directory forests.