Migrate WSUS to Windows Server 2012 R2

Prerequisites

  • Collect source and destination server name, IP address, Database Name, Instance Name, service account for Database instance.
  • Download Microsoft SQL Server Management Studio and install on source and destination SQL Server.
  • Make sure destination server is joined to the domain and time is synced
  • Do not run initial configuration wizard in Destination Server.
  • As best practice, do not migrate WSUS into a Domain Controller.
  • Obtain appropriate permission in source server, destination server and SQL server to initiate and complete migration tasks

Migrate local users and groups

1. Right-click in the Taskbar, click Properties, highlight Toolbars, and then click Address.

2. Type lusrmgr.msc, and then press ENTER.

3. In in the console tree of the Local Users and Groups MMC snap-in, double-click Users.

4. Manually create a list of the local users.

5. In the console tree of the Local Users and Groups MMC snap-in, double-click Groups.

6. Manually add the users from the source server to the WSUS Administrators and WSUS Reporters groups.

Back up the WSUS database on the source server

1. After you connect to the appropriate instance of the database in Object Explorer, click the server name to expand the server tree.

2. Expand Databases, and select the SUSDB database.

3. Right-click the database, point to Tasks, and then click Back Up. The Back Up Database dialog box appears.

4. In the Database list, verify the database name.

5. In the Backup type list, select Full.

6. Select Only Backup. only backup is a SQL Server backup that is independent of the sequence of conventional SQL Server backups.

7. For Backup component, click Database.

8. Accept the default backup set name that is suggested in the Name text box, or enter a different name for the backup set.

9. Follow the prompt to complete backup.

Restore the WSUS database backup on the destination server

1. After you connect to the appropriate instance of the database in Object Explorer, click the server name to expand the server tree.

2. Expand Databases, and select the SUSDB database.

3. Right-click the database, point to Tasks, and then click Restore. The Restore Database dialog box appears.

4. On the General page, use the Source section to specify the Source.

5. In the Destination section, the Database box is automatically populated with the name of the database to be restored.

6. In the Backup sets to restore grid, select the backups to restore. This grid displays the backups available for the specified location. By default, a recovery plan is suggested.

7. Follow the prompt to complete Restore. Click OK

Install WSUS Server on the destination server

Before you begin installing WSUS server into the destination server you must install Microsoft .NET Framework, Background Intelligent Transfer Service (BITS) 2.0 and Microsoft Internet Information Services (IIS) on the destination server. Follow the procedure to install WSUS into destination server and point to the new Database.

1. Open Server Manager, Click Add Roles and Features, Select WSUS and install WSUS role.

2. On the Welcome page, click Next.

3. Read the terms of the license agreement carefully, click I accept the terms of the License Agreement, and then click Next.

4. On the Select Update Source page, you can specify where client computers get updates. If you select Store updates locally, updates are stored on WSUS and you can select a location in the file system to store updates. If you do not store updates locally, client computers connect to Microsoft Update to get approved updates.

5. Make your selection, and then click Next.

6. On the Database Options page, click Use an existing database server, and select the instance name from the drop-down list.

7. Make your selection, and then click Next.

8. On the Web Site Selection page, you specify the Web site that WSUS will use. Note two important URLS: the URL to point client computers to WSUS and the URL for the WSUS console where you configure WSUS.

9. Make your selection, and then click Next.

10. On the Mirror Update Settings page, you specify the management role for this WSUS server. If you want a central management topology, enter the name of the upstream WSUS server. If this is the first WSUS server on your network or you want a distributed management topology, skip this screen.

11. Make your selection, and then click Next.

12. On the Ready to Install Windows Server Update Services page, click Next.

Change the WSUS server identity

Performing this step guarantees that WSUS-managed clients are not affected during the migration process. If the source server and the destination server run with the same identity, and a change is made to one of the servers, the communication between the client and server will fail.

1. On the destination server, open an elevated Windows PowerShell prompt and run the following script:

$updateServer = get-wsusserver

$config = $updateServer.GetConfiguration()

$config.ServerId = [System.Guid]::NewGuid()

$config.Save()

2. As soon as the server identity is changed, run the following command to generate a new encryption key:

WSUSUTIL.exe Postinstall

Point the WSUS clients to the new destination server

1. Open the Local Group Policy Editor, and in Specify intranet Microsoft update service policy, change the URL to reflect the new WSUS server.

2. Update the Group Policy settings that are used to point WSUS clients to the WSUS server by entering the FQDN of the new WSUS server. After you have updated the Group Policy settings, WSUS clients will synchronize with the new WSUS server.

3. To force the clients to detect the new destination server, open a command prompt, and run wuauclt.exe /resetauthorization /detectnow and GPUpdate /Force.

Verify the destination server configuration

  1. In Server Manager, click Tools, and then click Windows Server Update Services.
  2. In the WSUS Administration Console, expand Computers, and verify that all the Computer Groups that existed on the source server are displayed.
  3. Expand Synchronizations. In the Actions pane, click Synchronize now. After the synchronization is complete, (this may take several minutes), confirm that Succeeded is displayed in the Results column.

Reconfigure Group Policy

Open WSUS Group Policy, Edit Group Policy and Change WSUS Server.

Verify client computer functionality

After the detection is finished, open Windows Explorer and check the %WinDir%\WindowsUpdate.log to verify that the forced detection was successful.

PDF Creator    Send article as PDF   
Posted in Windows Server | Tagged , , , , | Leave a comment

Data Deduplication in Windows Storage Server 2012 R2

Deduplication in Windows Server: Data deduplication involves finding and removing duplication within data without compromising its fidelity or integrity. The goal is to store more data in less space by segmenting files into small variable-sized chunks (32–128 KB), identifying duplicate chunks, and maintaining a single copy of each chunk. Redundant copies of the chunk are replaced by a reference to the single copy. The chunks are compressed and then organized into special container files in the System Volume Information folder.

Enhanced Dedupe features in Windows Server 2012 R2

  • Data deduplication for remote storage of Virtual Desktop Infrastructure (VDI) workloads
  • Expand an optimized file on its original path.

When using the Data Deduplication feature for the first time or migrating from a previous version of Windows Server, be sure to consider the following related technologies and issues:

  • BranchCache
  • Failover Clusters
  • DFS Replication
  • FSRM quotas
  • Single Instance Storage or NAS Box

Install and Configure Data Deduplication using GUI

1. Open Server Manager, From the Add Roles and Features Wizard, under Server Roles, select File and Storage Services.

2. Select the File Services check box, and then select the Data Deduplication check box.

3. Click Next until the Install button is active, and then click Install.

4. From the Server Manager dashboard, right-click a data volume and choose Configure Data Deduplication. The Deduplication Settings page appears.

5. In the Data deduplication box, select the workload you want to host on the volume. Select General purpose file server for general data files or Virtual Desktop Infrastructure (VDI) server when configuring storage for running virtual machines.

6. Enter the number of days that should elapse from the date of file creation until files are deduplicated, enter the extensions of any file types that should not be deduplicated, and then click Add to browse to any folders with files that should not be deduplicated.

7. Click Apply to apply these settings and return to the Server Manager dashboard, or click the Set Deduplication Schedule button to continue to set up a schedule for deduplication.

Install and Configure Data Deduplication using Windows PowerShell

Start Windows PowerShell. Right-click the Windows PowerShell icon on the taskbar, and then click Run as Administrator.

Import-Module ServerManager | Add-WindowsFeature -name FS-Data-Deduplication

Import-Module Deduplication

Enable-DedupVolume E: -UsageType HyperV

Enable-DedupVolume E: -UsageType Default

Set-Dedupvolume E: -MinimumFileAgeDays 20

Get-DedupVolume | fl

Start-DedupJob E: –Type Optimization –Wait

References:

Windows Server 2012 R2 NAS Box with Deduplication Capacity

Introduction to Windows Deduplication

Windows PowerShell Cmdlet for Deduplication

Create PDF    Send article as PDF   
Posted in Windows Server | Tagged , , , , , , , , , | Leave a comment

VMware vs Hyper-v: Can Microsoft Make History Again?

In 1852 Karl Marx published “The Eighteenth Brumaire of Louis Napoleon”. In his book, Karl Marx quotes “that history repeats itself, “the first as tragedy, then as farce”, referring respectively to Napoleon I and to his nephew Louis Napoleon (Napoleon III).

Here I am not talking about Karl Marx, I am not a specialist on this matter. I am a computer geek. So Why I am refer to Karl Marx? I believe above remarks can be connected to a history between Microsoft and Novell.

In my past blog I compared VMware and Hyper-v:

http://microsoftguru.com.au/2013/01/24/microsofts-hyper-v-server-2012-and-system-center-2012-unleash-ko-punch-to-vmware/

http://microsoftguru.com.au/2013/09/14/vsphere-5-5-is-catching-up-with-hyper-v-2012-r2/

http://microsoftguru.com.au/2013/04/07/is-vmwares-fate-heading-towards-novell/

I found some similar articles echoed by other commentator:

http://blogs.gartner.com/david_cappuccio/2009/06/30/just-a-thought-will-vmware-become-the-next-novell/

http://virtualizedgeek.com/2012/12/04/is-vmware-headed-the-slow-painful-death-of-novell/

Here is Gartner Inc.’s verdict:

http://www.gartner.com/technology/reprints.do?id=1-1GJA88J&ct=130628&st=sb

http://www.gartner.com/technology/reprints.do?id=1-1LV8IX1&ct=131016&st=sb

So the question is; can Microsoft defeat VMware? Can Microsoft make history again? Here is why I believe Microsoft will make history once again regardless what VMware fan boy think. Let start….

What’s New in Windows Server 2012 R2 Hyper-V

Microsoft has traditionally put out point releases to its server operating systems about every two years. Windows Server operating systems is no longer a traditional operating systems. This is cloud OS in true terms and uses. Let’s see what’s new in Windows Server 2012 R2 in terms of virtualization.

· New Generation 2 Virtual Machines

· Automatic Server OS Activation inside VMs

· Upgrade and Live Migration Improvements in Windows Server 2012 R2

· Online VHDX Virtual Disk Resize

· Live VM Export and Clone

· Linux Guest V Enhancements

· Storage Quality of Service ( QoS )

· Guest Clustering with Shared VHDXs

· Hyper-V Replica Site-to-Site Replication Enhancements

Generation 2 VMs

Hyper-V in Windows Server 2012 R2 supports the concept of a totally new architecture based on modern hardware with no emulated devices. This makes it possible to add a number of new features, such as secure boot for VMs and booting off of virtual SCSI or virtual network adapters.

VM Direct Connect

In Windows Server 2012 R2 Hyper-V with the addition of VM Direct Connect allows a direct remote desktop connection to any running VM over what’s now called the VM bus. It’s also integrated into the Hyper-V management experience.

Extend replication to a third site

Hyper-V Replica in Windows Server 2012 is currently limited to a single replication target. This makes it difficult to support scenarios like a service provider wanting to act both as a target for a customer to replicate and a source to replicate to another offsite facility. Windows Server 2012 R2 and Hyper-V now provide a tertiary replication capability to support just such a scenario. By the same token, enterprises can now save one replica in-house and push a second replica off-site.

Compression for faster migration

Two new options in Windows Server 2012 Hyper-V help improve the performance of live migrations. The first is the ability to enable compression on the data to reduce the total number of bytes transmitted over the wire. The obvious caveat is that tapping CPU resources for data compression could potentially impact other operations, so you’ll need to take that into consideration. The second option, SMB Direct, requires network adapters that support RDMA. Microsoft’s advice: If you have 10 GB available, use RDMA (10x improvement); otherwise, use compression (2x improvement). Compression is the default choice and it works for the large majority of use cases.

Online VM exporting and cloning

It’s now possible to export or clone a running VM from System Center Virtual Machine Manager 2012 R2 with a few mouse clicks. As with pretty much anything related to managing Windows Server 2012, you can accomplish the same task using Windows PowerShell.

Online VHDX resizing

In Windows Server 2012 Hyper-V, it is not possible to resize a virtual hard disk attached to a running VM. Windows Server 2012 R2 removes this restriction, making it possible to not only expand but even reduce the size of the virtual disk (VHDX format only) without stopping the running VM.

Storage QoS

Windows Server 2012 R2 includes the ability to limit individual VMs to a specific level of I/O throughput. The IOPS are measured by monitoring the actual disk rate to and from the attached virtual hard drives. If you have applications capable of consuming large amounts of I/O, you’ll want to consider this setting to ensure that a single I/O-hungry VM won’t starve neighbor VMs or take down the entire host.

Dynamic Memory support for Linux

In the Windows Server 2012 R2 release, Hyper-V gains the ability to dynamically expand the amount of memory available to a running VM. This capability is especially handy for any Linux workload (notably Web servers) where the amount of memory needed by the VM changes over time. Windows Server 2012 R2 Hyper-V also brings Windows Server backups to Linux guests.

Shared VHDX

With Windows Server R2 Hyper-V, Windows guest clusters (think traditional Windows Server failover clustering but using a pair of VMs) no longer require an iSCSI or Fibre Channel SAN, but can be configured using commodity storage: namely a shared VHDX file stored on a Cluster Shared Volume. Note that while the clustered VMs can be live migrated as per usual, a live storage migration of the VHDX file requires one of the cluster nodes to be taken offline.

Bigger Bang for the Buck: Licensing Windows Server 2012 R2

The Windows Server 2012 R2 product is streamlined and simple, making it easy for customers to choose the edition that is right for their needs.

Datacenter edition – Unlimited Windows Server 2012 R2 virtualization license.

Standard edition 2 virtualized server license or lightly virtualized environments.

Essentials edition for small businesses with up to 25 users running on servers with up to two processors.

Foundation edition for small businesses with up to 15 users running on single processor servers.

Edition

Feature comparison

Licensing model

Server Pricing*

Datacenter

Unlimited virtual OSE

All features

Processor + CAL

$6,155

Standard

Two virtual OSE

All features

Processor + CAL

$882

Essentials

2 processor

One OSE

Limited features

Server

25 user limit

$501

Foundation

1 processor

Limited features

Server

15 user limit

OEM Only

Client Access Licenses (CALs) will continue to be required for access to Windows Server 2012 R2 servers and management access licenses continue to be required for endpoints being managed by System Center. You need Windows Server 2012 CAL to access Windows Server 2012. You also need CAL to access Remote Desktop Services (RDS) and Active Directory Rights Management Services (AD RMS).

What’s New SCVMM 2012 R2

· Public Cloud for Service Provider using Windows Azure 

· Private Cloud with System Center 2012 R2 VMM

· Any storage approach- Use any kind of Storage: DAS, SAN, NAS, Windows Server 2012 File Server, Scale-out File Server Cluster

· Networking – Management of physical network switches via OMI as well as virtual network infrastructure ( PVLANs, NV-GRE Virtualized Networks, NV-GRE Gateways )

· Virtualization host agnostic – Intel/AMD/OEM Hardware running Windows Server 2012/R2/2008 R2 Hyper-V, VMware or Citrix XenServer

· Cisco Nexus 1000V Switch

· Bootstrapping a repeatable architecture

· Bare-Metal Provisioning Scale-Out File Server Cluster and Storage Spaces

· Provisioning Synthetic Fibre Channel in Guest VMs using VMM

· Guest Clustering with Shared VHDXs

· VMM Integration with IP Address Management ( IPAM )

· Hybrid Networking with Windows Azure Pack and System Center 2012 R2 VMM

· Windows Azure Hyper-V Recovery Manager

· Delegating Access Per Private Cloud

· OM Dashboard for VMM Fabric Monitoring

Fire Power of System Center: Licensing System Center 2012 R2

System Center 2012 R2 has two version: Data Center and Standard. Both version is comprised with the following components

· Operations Manager

· Configuration Manager

· Data Protection Manager

· Service Manager

· Virtual Machine Manager

· Endpoint Protection

· Orchestrator

· App Controller

System Center license is per processor based license. Cost of System Center 2012 R2 data center is USD 3607 and cost of System Center 2012 R2 Standard is USD1323. System Center license comes with a SQL Server standard edition license. This SQL server can only be used for System Center purpose. You can virtualized unlimited number of VMs in SC 2012 R2 data center edition.

Comparing Server 2008 R2 and Server 2012 R2 in terms of virtualization.

Hyper-v is not the same as you knew in Windows Server 2008. To clear fog of your mind about Hyper-v, the following table shows the improvement Microsoft has made over the years.

Comparing VMware with Windows Server 2012 R2

While VMware still number one in Hypervisor markets but the Redmond giant can also leverage on almost a billion Windows OS user globally, as well as its expertise in software and a robust range of services (including Azure, Bing, MSN, Office 365, Skype and many more). A new battle ground is ready between Microsoft and VMware would make 2014 a pivotal hybrid cloud year. The hybrid cloud could indeed give Microsoft the chance to prevail in ways that it couldn’t with the launch of Hyper-V; Hyper-V’s market share has been gradually increasing since early 2011. According to Gartner, Microsoft gained 28% Hypervisor market share last year.

Let’s dig deeper into comparison….

The following comparison is based on Windows Server 2012 R2 Data Center edition and System Center 2012 R2 Data Center edition Vs vSphere 5.5 Enterprise Plus and vCenter Server 5.5.

Licensing:

Options

Microsoft

VMware

# of Physical CPUs per License

2

1

# of Managed OSE’s per License

Unlimited

Unlimited

# of Windows Server VM Licenses per Host

Unlimited

0

Includes Anti-virus / Anti-malware protection

Yes

Yes

Includes full SQL Database Server licenses for management databases

Yes

No

Database, Hosts & VMs

A single database license is enough for 1,000 hosts and 25,000 VMs per management server.

Purchase additional database server licenses to scale beyond managing 100 hosts and 3,000 VMs with vCenter Server Appliance.

Includes licensing for Enterprise Operations Monitoring and Management of hosts, guest VMs and application workloads running within VMs.

Yes

No 

Includes licensing for Private Cloud Management capabilities – pooled resources, self-service, delegation, automation, elasticity, chargeback

Yes

No

Includes management tools for provisioning and managing VDI solutions for virtualized Windows desktops.

Yes

No

Includes web-based management console

Yes

Yes

Virtualization Scalability:

Options

Microsoft

VMware

Maximum # of Logical Processors per Host

320

320

Maximum Physical RAM per Host

4TB

4TB

Maximum Active VMs per Host

1,024

512

Maximum Virtual CPUs per VM

64

64

Hot-Adjust Virtual CPU Resources to VM

Yes

Yes

Maximum Virtual RAM per VM

1TB

1TB

Hot-Add Virtual RAM to VM

Yes

Yes

Dynamic Memory Management

Yes

Yes.

Guest NUMA Support

Yes

Yes

Maximum # of physical Hosts per Cluster

64

32

Maximum # of VMs per Cluster

8,000

4,000

Virtual Machine Snapshots

Yes

Yes

No of Snapshot Per VMS

50

32

Integrated Application Load Balancing for Scaling-Out Application Tiers

Yes

No

Bare metal deployment of new Hypervisor hosts and clusters

Yes

Yes

Bare metal deployment of new Storage hosts and clusters

Yes

No

Manage GPU Virtualization for Advanced VDI Graphics

Yes

Yes

Virtualization of USB devices

Yes

Yes

Virtualization of Serial Ports

Yes

Yes

Minimum Disk Footprint while still providing management of multiple virtualization hosts and guest VM’s

~800KB – Micro-kernelized hypervisor ( Ring -1 )
~5GB – Drivers + Management ( Parent Partition – Ring 0 + 3 )

~155MB – Monolithic hypervisor w/ Drivers( Ring -1 + 0 )
~4GB – Management  ( vCenter Server Appliance – Ring 3 )

Boot from Flash

Yes

Yes

Boot from SAN

Yes

Yes

VM Portability, High Availability and Disaster Recovery:

 Features

Microsoft

VMware

Live Migration of running VMs

Yes

Yes

Live Migration of running VMs without shared storage between hosts

Yes

Yes

Live Migration using compression of VM memory state

Yes

No

Live Migration over RDMA-enabled network adapters

Yes

No

Live Migration of VMs Clustered with Windows Server Failover Clustering (MSCS Guest Cluster)

Yes

No

Highly Available VMs

Yes

Yes

Failover Prioritization of Highly Available VMs

Yes

Yes

Affinity Rules for Highly Available VMs

Yes

Yes

Cluster-Aware Updating for Orchestrated Patch Management of Hosts.

Yes

Yes.

Guest OS Application Monitoring for Highly Available VMs

Yes

Yes

VM Guest Clustering via Shared Virtual Hard Disk files

Yes

Yes

Maximum # of Nodes per VM Guest Cluster

64

5

Intelligent Placement of new VM workloads

Yes

Yes

Automated Load Balancing of VM Workloads across Hosts

Yes

Yes

Power Optimization of Hosts when load-balancing VMs

Yes

Yes

Fault Tolerant VMs

No

Yes

Backup VMs and Applications

Yes

Yes.

Site-to-Site Asynchronous VM Replication

Yes

Yes

Storage:

Features

Microsoft

VMware

Maximum # Virtual SCSI Hard Disks per VM

256

60 ( PVSCSI )
120 (
Virtual SATA )

Maximum Size per Virtual Hard Disk

64TB

62TB

Native 4K Disk Support

Yes

No

Boot VM from Virtual SCSI disks

Yes

Yes

Hot-Add Virtual SCSI VM Storage for running VMs

Yes

Yes

Hot-Expand Virtual SCSI Hard Disks for running VMs

Yes

Yes

Hot-Shrink Virtual SCSI Hard Disks for running VMs

Yes

No

Storage Quality of Service

Yes

Yes

Virtual Fibre Channel to VMs

Yes

Yes.

Live Migrate Virtual Storage for running VMs

Yes

Yes

Flash-based Read Cache

Yes

Yes

Flash-based Write-back Cache

Yes

No

SAN-like Storage Virtualization using commodity hard disks.

Yes

No

Automated Tiered Storage between SSD and HDD using commodity hard disks.

Yes

No

Can consume storage via iSCSI, NFS, Fibre Channel and SMB 3.0.

Yes

Yes

Can present storage via iSCSI, NFS and SMB 3.0.

Yes

No

Storage Multipathing

Yes

Yes

SAN Offload Capability

Yes

Yes

Thin Provisioning and Trim Storage

Yes

Yes

Storage Encryption

Yes

No

Deduplication of storage used by running VMs

Yes

No

Provision VM Storage based on Storage Classifications

Yes

Yes

Dynamically balance and re-balance storage load based on demands

Yes

Yes

Integrated Provisioning and Management of Shared Storage

Yes

No

Networking:

 Features

Microsoft

VMware

Distributed Switches across Hosts

Yes

Yes

Extensible Virtual Switches

Yes

Replaceable, not extensible

NIC Teaming

Yes

Yes

No of NICs

32

32

Private VLANs (PVLAN)

Yes

Yes

ARP Spoofing Protection

Yes

No

DHCP Snooping Protection

Yes

No

Router Advertisement Guard Protection

Yes

No

Virtual Port ACLs

Yes

Yes

Trunk Mode to VMs

Yes

Yes

Port Monitoring

Yes

Yes

Port Mirroring

Yes

Yes

Dynamic Virtual Machine Queue

Yes

Yes

IPsec Task Offload

Yes

No

Single Root IO Virtualization (SR-IOV)

Yes

Yes

Virtual Receive Side Scaling ( Virtual RSS )

Yes

Yes

Network Quality of Service

Yes

Yes

Network Virtualization / Software-Defined Networking (SDN)

Yes

No

Integrated Network Management of both Virtual and Physical Network components

Yes

No

Virtualized Operating Systems Support: 

Operating Systems

Microsoft

VMware

Windows Server 2012 R2

Yes

Yes

Windows 8.1

Yes

Yes

Windows Server 2012

Yes

Yes

Windows 8

Yes

Yes

Windows Server 2008 R2 SP1

Yes

Yes

Windows Server 2008 R2

Yes

Yes

Windows 7 with SP1

Yes

Yes

Windows 7

Yes

Yes

Windows Server 2008 SP2

Yes

Yes

Windows Home Server 2011

Yes

No

Windows Small Business Server 2011

Yes

No

Windows Vista with SP2

Yes

Yes

Windows Server 2003 R2 SP2

Yes

Yes

Windows Server 2003 SP2

Yes

Yes

Windows XP with SP3

Yes

Yes

Windows XP x64 with SP2

Yes

Yes

CentOS 5.7, 5.8, 6.0 – 6.4

Yes

Yes

CentOS Desktop 5.7, 5.8, 6.0 – 6.4

Yes

Yes

Red Hat Enterprise Linux 5.7, 5.8, 6.0 – 6.4

Yes

Yes

Red Hat Enterprise Linux Desktop 5.7, 5.8, 6.0 – 6.4

Yes

Yes

SUSE Linux Enterprise Server 11 SP2 & SP3

Yes

Yes

SUS Linux Enterprise Desktop 11 SP2 & SP3

Yes

Yes

OpenSUSE 12.1

Yes

Yes

Ubuntu 12.04, 12.10, 13.10

Yes

Yes

Ubuntu Desktop 12.04, 12.10, 13.10

Yes

Yes

Oracle Linux 6.4

Yes

Yes

Mac OS X 10.7.x & 10.8.x

No

Yes

Sun Solaris 10

No

Yes

Windows Azure:

Here are a special factors that put Microsoft ahead of VMware: Microsoft Azure for on-premises and service provider cloud.

Windows Azure Pack is shipping with Windows Server 2012 R2. The Azure code will enable high-scale hosting and management of web and virtual machines.

Microsoft is leveraging its service provider expertise and footprint for Azure development while extending Azure into data centers on Windows servers. That gives Microsoft access to most if not all of the world’s data centers. It could become a powerhouse in months instead of years. Widespread adoption of Microsoft Azure platform gives Microsoft a winning age against competitor like VMware.

On premises client install Windows Azure pack to manage their system center 2012 R2 and use Azure as self-service and administration portal for IT department and department within organization. To gain similar functionality in VMware you have to buy vCloud Director, Chargeback and vShield separately.

Conclusion:

This is a clash of titanic proportion in between Microsoft and VMware. Ultimately end user and customer will be the winner. Both companies are thriving for new innovation in Hypervisor and virtualization market place. End user will enjoy new technology and business will gain from price battle between Microsoft and VMware. These two key components could significantly increase the adoption of hybrid cloud operating models. Microsoft has another term cards for cloud service provider which is Exchange 2013 and Lync 2013. Exchange 2013 and Lync 2013 are already widely used for Software as a Service (SaaS). VMware has nothing to offer in Messaging and collaboration platform. Microsoft could become for the cloud what it became for the PC. It could enforce consistency across clouds to an extent that perhaps no other player could. As the cloud shifts from infrastructure to apps, Microsoft could be in an increasingly powerful position and increase Hyper-v share even further by adding SaaS to its product line. History will repeat once again when Microsoft defeat VMware as Microsoft defeated Novell eDirectory, Corel WordPerfect and IBM Notes.

References:

http://blogs.technet.com/b/keithmayer/archive/2013/10/15/vmware-or-microsoft-comparing-vsphere-5-5-and-windows-server-2012-r2-at-a-glance.aspx#.UxaKbYXazIV

http://www.datacentertcotool.com/

http://www.microsoft.com/en-us/server-cloud/solutions/virtualization.aspx#fbid=xrWmRt7RXCi

http://wikibon.org/wiki/v/VMware_vs_Microsoft:_It%27s_time_to_stop_the_madness

http://www.infoworld.com/d/microsoft-windows/7-ways-windows-server-2012-pays-itself-205092

http://www.trefis.com/stock/vmw/articles/221206/growing-competition-for-vmware-in-virtualization-market/2014-01-07

Supported Server and Client Guest Operating Systems on Hyper-V

Compatibility Guide for Guest Operating Systems Supported on VMware vSphere

PDF Printer    Send article as PDF   
Posted in Virtualization | Tagged , , , , , , , , , , , | Leave a comment

Exchange 2013 Upgrade, Migration and Co-existence

Migration Guide

Exchange 2007/2010 to Exchange 2013 Migration Step by Step Guide

How to Configure Unified Messaging in Exchange 2013 Step by Step

Mail flow in Exchange 2013

image

Source: Microsoft TechNet

image

Source: Microsoft TechNet

Protocol Exchange 2007 & Exchange 2013 Exchange 2007 & Exchange 2013
Namespace legacy.domain.com no additional namespace
OWA Non-silent redirection to
legacy.domain.com
Proxy to CAS2010
Silent direction
EAS Proxy to MBX2013 Proxy to CAS2010
Outlook Anywhere Proxy to CAS2007 Proxy to CAS2010
Autodiscover Redirect to CAS2007 Proxy to CAS2010
EWS Autodiscover Proxy to CAS2010
POP/IMAP Redirect to CAS2007 Proxy to CAS2010
OAB Redirect to CAS2007 Proxy to CAS2010
RPS N/A Proxy to CAS2010
ECP N/A Proxy to CAS2010

Exchange 2013 Perquisites

Supported Co-existence Scenario

  • Exchange 2010 SP3
  • Exchange 2007 SP3+RU10

Supported Client

  • Outlook Anywhere Only, Outlook 2007 or later
  • Outlook for Mac 2011
  • Entourage 2008 for Mac

Active Directory

  • Windows 2003 Forest Functional Level or higher
  • At least one global catalog. two global catalog is highly recommended for redundancy purpose
  • No support for RODC or ROGC

Namespace

  • Contiguous
  • Non-Contiguous
  • Single level Domain
  • disjoint

Operating Systems

  • Windows Server 2008 R2 SP1
  • Windows Server 2012 or Windows Server 2012 R2

Other Components

  • Internet Information Service (IIS)
  • .Net Framework 4.5
  • Unified Communication Managed API

Cumulative Updates

  • CU is a full exchange installer or binary
  • Required for co-existence with Exchange 2007/2010

Upgrade from Exchange 2010 to Exchange 2013

1. Prepare

  • Prepare Exchange 2010 with SP3
  • Test Exchange using Test cmdlets
  • Test Active Directory health status
  • Prepare Active Directory Schema using Exchange 2013 schema

2. Deploy Exchange 2013

  • Install both Exchange 2013 MBX and CAS servers
  • Install Management Server on admin PC

3. Obtain and deploy Certificates

  • Create Certificate CSR from Exchange 2013
  • Sign the certificate from public CA
  • Install Certificate and assign certificate to IIS,SMTP,POP,IMAP

OR

  • Export certificate from Exchange 2010 and import into Exchange 2013

4. Configure Mail flow

  • Create mail and autodiscover namespace and point to Exchange 2013
  • Add Exchange 2013 MBX server into Send Connector
  • Configure Frontend receive connector
  • Create anonymous relay

5. Switch Primary Name Space

  • Switch OWA, ActiveSync and SMTP traffic to Exchange 2013
  • Use TMG/UAG to switch OWA and ActiveSync to Exchange 2013
  • Switch port 25 forwarding to Exchange 2013
  • Validate traffic flow to Exchange 2013

6. Move Mailboxes

  • Build Exchange DAG
  • Migrate user mailbox
  • Migrate resource mailbox
  • Migrate public folders

7. Repeat additional sites

8. Decommission Exchange 2010

Upgrade from Exchange 2007 to Exchange 2013

1. Prepare

  • Prepare Exchange 2007 with SP3 +RU
  • Test Exchange using Test cmdlets
  • Test Active Directory health status
  • Prepare Active Directory Schema using Exchange 2013 schema

2. Deploy Exchange 2013

  • Install both Exchange 2013 MBX and CAS servers
  • Install Management Server on admin PC

3. Obtain and deploy Certificates

  • Create a certificate CSR from Exchange 2013 with legacy namespace
  • Sign the certificate from public CA
  • Install Certificate and assign certificate to Exchange 2013 IIS,SMTP,POP,IMAP
  • Install same certificate into Exchange 2007

4. Configure Mail flow

  • Create legacy DNS record pointing to Exchange 2007
  • Create mail and autodiscover namespace and point to Exchange 2013 CAS
  • Create Send Connector in Exchange 2013
  • Configure Frontend receive connector
  • Create anonymous relay

5. Switch Primary Name Space

  • Switch OWA, ActiveSync and SMTP traffic to Exchange 2013
  • Use TMG/UAG to switch OWA and ActiveSync to Exchange 2013
  • Switch port 25 forwarding to Exchange 2013
  • Validate traffic flow to Exchange 2013 using MCA and ExRCA

6. Move Mailboxes

  • Build Exchange DAG
  • Migrate user mailbox
  • Migrate resource mailbox
  • Migrate public folders

7. Repeat additional sites

8. Decommission Exchange 2007

Validate External Connectivity

Certificate Best Practice

  • Minimize number of certificates
  • Minimize number of host name
  • use split DNS for Exchange host name
  • Don’t list machine name in certificates
  • Use Subject Alternative Name Certificate or SAN certificates

Restart Transport Services and Information Store Service

  • Patch Exchange Server using WSUS or ConfigMgr
  • Reboot DAG member one by one
  • Reboot CAS server one by one
  • Management Tools
  • User Exchange 2013 Administration Center to manage co-existence and migration tasks
  • Use Exchange 2010 management console to move offline address book

Cutover Process

  • Public folder migration is part of final cutover
  • Exchange and Active Directory health check
  • verify proposed and implemented Exchange 2013

Post Migration

  • Shutdown Exchange 2010 servers for minimum 48 hours in working days
  • Decommission Exchange 2010
Free PDF    Send article as PDF   
Posted in Exchange Server | Tagged , , , , , , , , , , , , , , , , , | Leave a comment

Exchange 2007/2010 to Exchange 2013 Migration Step by Step Guide

Before you begin, create a work sheet in spreadsheet recording required information to migrate Exchange 2007/2010 to Exchange 2013. For this article, I am going to use following work sheet. This work sheet and migration guide are tested in production exchange migration which I did for few of my clients. Note that this article is not situation specific hence I can’t provide you a silver bullet for your situation.

Deployment Work Sheet

Version Readiness Check

Present Server Proposed Server
Exchange 2007 SP3 OR 2010 SP3 Exchange 2013 CU3

Exchange Role Assignment

Exchange 2013 has two server roles; the Mailbox and Client Access server roles. You need at least one Client Access server and one Mailbox server in the Active Directory forest. If you’re separating your server roles, Microsoft recommend installing the Mailbox server role first.

Mailbox Role: The Mailbox server includes the Client Access protocols, the Transport service, the Mailbox databases, and Unified Messaging (the Client Access server redirects SIP traffic generated from incoming calls to the Mailbox server). The Mailbox server handles all activity for the active mailboxes on that server.

Client Access: The Client Access server provides authentication, limited redirection, and proxy services for all of the usual client access protocols: HTTP, POP and IMAP, and SMTP. The Client Access server, a thin and stateless server, doesn’t do any data rendering. With the exception of diagnostic logs, nothing is queued or stored on the Client Access server.

Server Name Exchange Roles
AUPEREXMBX01,AUPEREXMBX02 Mailbox
AUPEREXCAS01,AUPEREXCAS02 CAS

Active Directory Schema and Forest

When you install Exchange 2013 for the first time, your Active Directory schema will be updated. This schema update is required to add objects and attributes to Active Directory to support Exchange 2013. Additionally, replicating the changes made to your schema may take several hours or days and is dependent on your Active Directory replication schedule. A forced replication can be performed after schema preparation.

Description AD Forest Domain Controller
Primary SMTP namespace Superplaneteers.com AUPERDC01,AUPERDC02
User principal name domain Superplaneteers.com AUPERDC01,AUPERDC02

Legacy Edge Transport

N/A

Network Configuration

Server Name TCP/IP DNS Replication network
AUPEREXMBX01 10.10.10.11

 

10.10.10.2

10.10.10.3

192.168.100.11/24
AUPEREXMBX02 10.10.10.12 10.10.10.2

10.10.10.3

192.168.100.12/24
AUPEREXCAS01 10.10.10.13 10.10.10.2

10.10.10.3

N/A
AUPEREXCAS02 10.10.10.14 10.10.10.2

10.10.10.3

N/A

The network adapter name used within the operating system of mailbox server must be changed to closely match the associated network name. For example: Domain Network and Replication Network. The following binding order must be maintained within Windows operating systems:

  1. First in Order- Domain adapter connected to the Active Directory network
  2. Second in Order- Replication adapter connected to the heartbeat network.

Here is a guide how to change adapter binding order http://technet.microsoft.com/en-us/library/cc732472(v=ws.10).aspx Microsoft does not support multiple default gateways on a single server, no default gateway is required on the replication network card.

Disk layout

Server Name C:\ E:\ F:\ G:\
AUPEREXMBX01 50 GB 50 GB 500GB 300GB
AUPEREXMBX02 50 GB 50 GB 500GB 300GB
AUPEREXCAS01 50 GB 50 GB N/A N/A
AUPEREXCAS02 50 GB 50 GB N/A N/A

Resilient Exchange Configuration

Purpose Name TCP/IP Subnet Type
DAG AUPEREXDAG01 10.10.10.15 255.255.255.0 N/A
CAS NLB or Load Balancer Mail.superplaneteers.com 10.10.10.16 255.255.255.0 Multicast

Exchange Administrator

User name Privileges
ExMigrationAdmin Domain Admins

Domain user

Schema Admin

Enterprise Admin

Organisation Management

Local Administrator

Certificates

A public Secure Sockets Layer (SSL) certificate is a prerequisite in Exchange 2013. SSL helps to protect communication between your Exchange servers and clients and other mail servers by encrypting data and, optionally, identifying each side of the connection.

You can buy a third-party certificate from public CA such as Verisign. Certificates published by public CAs are trusted by most operating systems and browsers.

Common Name Subject Alternative Type Assigned to
mail.superplaneteers.com autodiscover.superplaneteers.com SSL IIS,SMTP,POP,IMAP

Supported Client

Exchange 2013 supports the following minimum versions of Microsoft Outlook and Microsoft Entourage for Mac:

  • Outlook 2013 (15.0.4420.1017)
  • Outlook 2010 Service Pack 1 with the Outlook 2010 November 2012 update (14.0.6126.5000).
  • Outlook 2007 Service Pack 3 with the Outlook 2007 November 2012 update (12.0.6665.5000).
  • Entourage 2008 for Mac, Web Services Edition
  • Outlook for Mac 2011

Exchange 2013 does not support Outlook 2003.

Public DNS records

DNS record Record Type IP/Alias/FQDN Priority
Mail.superplaneteers.com A 203.17.x.x N/A
superplaneteers.com MX Mail.superplaneteers.com 10
Autodiscover.superplaneteers.com CNAME Mail.superplaneteers.com N/A

If you have hosted email security then your MX record must look like this. An example is given here for TrendMicro hosted email security.

DNS record Record Type IP/Alias/FQDN Priority
Mail.superplaneteers.com A 203.17.x.x N/A
superplaneteers.com MX in.sjc.mx.trendmicro.com 10
Autodiscover.superplaneteers.com CNAME Mail.superplaneteers.com N/A

Internal DNS records

DNS record Record Type Hardware Load Balancer

VIP or CAS NLB IP

Mail.superplaneteers.com A 10.10.10.16
Autodiscover.superplaneteers.com A 10.10.10.16

If you don’t have CAS NLB or hardware load balancer then create Host(A) record of mail.superplaneteers.com and point to Exchange 2013 CAS Server.

Send Connector

Here I am giving an example of TrednMicro smart host. Do not add smart host without proper authorization from smart host provider otherwise you will not be able to send email from internal organisation to external destination.

Intended use Address Space Network Settings Authentication Smart Host
Internet “*” default Basic, Exchange, TLS relay.sjc.mx.trendmicro.com

Receive Connector

Name Intended use Network Settings IP Range Server(s)
Client Frontend Client default All Available IPv4 AUPEREXMBX01

AUPEREXMBX02

Default Frontend Inbound SMTP default All Available IPv4 AUPEREXMBX01

AUPEREXMBX02

Anonymous Relay

Relay Authentication Permission Remote IP SMTP
Anonymous Relay TLS, Externally Secured Anonymous, Exchange Servers IP Address of Printers, Scanner, Devices, App Server 10.10.10.11

10.10.10.12

Port Forwarding in Cisco Router

Rule Source Address Destination Address NATed Destination Port
OWA Any 203.17.x.x 10.10.10.16 443
SMTP Any 203.17.x.x 10.10.10.16 25

Again if you don’t have CAS NLB or load balancer your NATed destination is Exchange 2013 CAS server.

Mailbox Storage

Storage Group Type Database location
Mailbox storage F:\Exchange Data
Mailbox storage logs G:\Exchange Log

Email address Policy

Email Address Policy %g.%s@superplaneteers.com

Virtual Directory for internal and external network

Virtual directory Internal and External URL value
Autodiscover https://autodiscover.superplaneteers.com/autodiscover/autodiscover.xml
ECP https://mail.superplaneteers.com/ecp
EWS https://mail.superplaneteers.com/EWS/Exchange.asmx
Microsoft-Server-ActiveSync https://mail.superplaneteers.com/Microsoft-Server-ActiveSync
OAB https://mail.superplaneteers.com/OAB
OWA https://mail.superplaneteers.com/owa
PowerShell http://mail.superplaneteers.com/PowerShell

Since you have finished your work sheet, now you are ready to virtualize Exchange servers on Hyper-v.

1. Virtualize Windows Server 2012 R2

2. Configure TCP/IP properties

3. Disable Windows Firewall

4. Join Windows server 2012 R2 to domain.

Download following software as prerequisites.

1. Microsoft Exchange Server 2010 Service Pack 3 (SP3) OR Exchange Server 2007 Service Pack 3

2. Cumulative Update 3 for Exchange Server 2013 (KB2892464)

3. Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit

4. Microsoft Office 2010 Filter Pack 64 bit

5. Microsoft Office 2010 Filter Pack SP1 64 bit

Additional Prerequisites if you would like to install Exchange 2013 on Windows Server 2008 R2 SP1.

  1. Microsoft .NET Framework 4.5
  2. Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit
  3. Microsoft Office 2010 Filter Pack 64 bit
  4. Microsoft Office 2010 Filter Pack SP1 64 bit
  5. Microsoft Knowledge Base article KB974405 (Windows Identity Foundation)
  6. Knowledge Base article KB2619234 (Enable the Association Cookie/GUID that is used by RPC over HTTP to also be used at the RPC layer in Windows 7 and in Windows Server 2008 R2)
  7. Knowledge Base article KB2533623 (Insecure library loading could allow remote code execution)

Windows Firewall

Open Control Panel > Windows Firewall. Turn off Firewall components (Domain, private and Public) completely.

Preparing Base Windows Server 2012 for Exchange 2013

Mailbox Server Role in Windows Server 2012 R2

To install prerequisites in Windows Server 2012, open Windows PowerShell as an administrator. Execute the following cmdlet one by one.

Import-Module ServerManager

Install-WindowsFeature RSAT-ADDS

Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation

Reboot Windows Server 2012

Client Access Server Role in Windows Server 2012 R2

To install prerequisites in Windows Server 2012, open Windows PowerShell as an administrator, Execute the following cmdlet one by one.

Import-Module ServerManager

Install-WindowsFeature RSAT-ADDS

Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation

Reboot Windows Server 2012

If you are installing Exchange 2013 on Windows Server 2008 R2 SP1.

Prepare mailbox role Windows Server 2008 R2 SP1

Open Windows PowerShell as an administrator, Execute the following cmdlets one by one.

Import-Module ServerManager

Add-WindowsFeature Desktop-Experience, NET-Framework, NET-HTTP-Activation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Web-Server, WAS-Process-Model, Web-Asp-Net, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI

Reboot Windows Server 2008 R2

Prepare Client Access in Windows Server 2008 R2

Open Windows PowerShell, Execute the following cmdlet one by one.

Import-Module ServerManager

Add-WindowsFeature Desktop-Experience, NET-Framework, NET-HTTP-Activation, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Web-Server, WAS-Process-Model, Web-Asp-Net, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI

Reboot Windows Server 2008 R2

Install Service pack 3 on exchange 2010

Upgrading to SP3 requires a schema update, review the Active Directory Schema changes beforehand. Upgrade your Exchange servers to SP3. This should be performed in the following order:

1. CAS servers

2. Hub and/or Edge servers

3. Mailbox servers

4. Unified Messaging servers

Upgrade Exchange 2010 to Exchange 2010 SP3 level

1. Once the files are extracted, locate and run setup.exe as an administrator

2. Select Install Microsoft Exchange Upgrade.

3. Select Next at the welcome screen. Read and accept the license terms, then select Next.

4. If you’ve got all the requirements you’ll see all the green checks, Select Upgrade to begin the upgrade

5. Select Next to start the upgrade.

6. When the upgrade is complete, select Finish.

7. Reboot the server to allow changes to take affect.

Prepare Active Directory Schema

Before you prepare Active Directory, make sure your Active Directory is healthy. Follow the procedure for AD health check.

1. Prepare Active Directory in an Active Directory site where you want to install Exchange 2013.

2. Domain Controller must be Server 2008 Standard/Enterprise (x86/x64) OR Server 2008 R2 Standard / Enterprise OR Windows Server 2012 OR Windows Server 2012 R2.

3. Each domain needs at least one writeable global catalog server

4. Ensure AD replication is working properly in each site / domain

5. Ensure Active Directory is healthy. Visit http://microsoftguru.com.au/2009/09/01/active-directory-health-check/

6. Run the following command in a domain controller, Open command prompt as an administrator

repadmin /showrepl

repadmin /replsummary

repadmin /syncall

netdom query fsmo

Dcdiag /e

Netdiag

7. Open Active Directory Sites and Services MMC, make sure all domain controllers are global catalog.

8. Start Menu, Run, Type eventvwr to open event view, Review event logs to see everything is working as per normal

9. Start Menu, Run> Services.msc to open services, Check DNS server, DNS Client, File replication services are started and set to automatic

10. Open SYSVOL in all domain controllers and check everything is same in all domain controllers.

Now you are ready to prepare Active Directory Domain and Forest.

1. Extract the Exchange2013-x64-cu3.EXE package you have downloaded from Microsoft web site to a common location. In my example I will use E:\EXCHANGE2013

2. Open a command prompt as an Administrator, and navigate to the directory in which you extracted the files to. In the case of this example it will be E:\Exchange2013. You should see a Setup.exe file located there.

3. Run the following cmd:

  • Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

OR

  • Setup.exe /PS /IacceptExchangeServerLicenseTerms

4. Run the following cmd:

  • Setup.exe /PrepareAD /OrganizationName:<NAMEHERE> /IAcceptExchangeServerLicenseTerms

OR

  • Setup.exe /PAD /OrganizationName:<NAMEHERE> /IAcceptExchangeServerLicenseTerms

Now replicate Active Directory manually or wait for replication to complete. Verify event logs in Domain controllers to see any unexpected error or logs pops up or not. If everything looks fine then go ahead and install Exchange 2013.

Installing Exchange 2013 CU3

  1. After you have downloaded Exchange 2013 CU2, log on to the computer on which you want to install Exchange 2013.
  2. Navigate to the network location of the Exchange 2013 installation files.
  3. Start Exchange 2013 Setup by right clicking Setup.exe select Run as administrator
  4. On the Check for Updates page, choose whether you want Setup to connect to the Internet and download product and security updates for Exchange 2013. Select Don’t check for updates right now, you can download and install updates manually later. Click Next to continue.
  5. The Introduction page begins the process of installing Exchange into your organization. Click Next to continue.
  6. On the License Agreement page, review the software license terms. If you agree to the terms, select I accept the terms in the license agreement, and then click Next.
  7. On the Recommended settings page, select whether you want to use the recommended settings. If you select Use recommended settings, Exchange will automatically send error reports and information about your computer hardware and how you use Exchange to Microsoft. click Next.
  8. On the Server Role Selection page, select both Mailbox role and Client Access role or separate role based on your design. The management tools are installed automatically if you install any other server role.
    Select Automatically install Windows Server roles and features that are required to install Exchange Server to have the Setup wizard install required Windows prerequisites. You may need to reboot the computer to complete the installation of some Windows features. If you don’t select this option, you must install the Windows features manually. Click Next to continue.
  9. On the Installation Space and Location page, click Browse to choose a new location. I strongly recommend you installing Exchange 2013 on a separate partition other then C:\ drive. Click Next to continue.
  10. On the Malware Protection Settings page, choose whether you want to enable or disable malware scanning. If you disable malware scanning, it can be enabled in the future. Unless you have a specific reason to disable malware scanning, we recommend that you keep it enabled. Click Next to continue.
  11. On the Readiness Checks page, view the status to determine if the organization and server role prerequisite checks completed successfully. click Next to run the prerequisite check again. Be sure to also review any warnings that are reported. If all readiness checks have completed successfully, click Install to install Exchange 2013.
  12. On the Completion page, click Finish.
  13. Restart the computer after Exchange 2013 has completed.
  14. Once rebooted log on to Exchange server and review Event Logs in Exchange Server.
  15. Repeat the steps for all Exchange Server 2013 in your organisation.

Create a Test mailbox

1. Open the EAC by browsing to the URL of your Client Access server. For example, https://AUPEREXCAS01/ecp?ExchClientVer=15.

2. Enter the user name and password of the account you used to install Exchange 2013 in Domain\user name and Password, and then click Sign in.

3. Go to Recipients > Mailboxes. On the Mailboxes page, click Add and then select User mailbox.

4. Provide the information required for the new user and then click Save.

5. Go to Permissions > Admin Roles. On the Admin Roles page, select Organization Management and click Edit .

6. Under Members, click Add .

7. Select the Exchange 2013 mailbox you just created, click Add, then click OK. Then click Save.

Install Exchange 2013 certificates

Depending on your requirements, you can configure wild card certificate or a SAN certificate. I will go for SAN certificate to avoid further configuration such as certificate principal name configuration. In this example, I will create a SAN certificate which is as follows.

  1. Open the EAC by browsing to the URL of your Client Access server. For example, https://AUPEREXCAS01/ecp?ExchClientVer=15.
  2. Enter your user name and password in Domain\user name and Password, and then click Sign in.
  3. Go to Servers > Certificates. On the Certificates page, make sure your Client Access server is selected in the Select server field, and then click New .
  4. In the New Exchange certificate wizard, select Create a request for a certificate from a certification authority and then click Next.
  5. Specify a name for this certificate and then click Next.
  6. If you want to request a wildcard certificate, select Request a wild-card certificate and then specify the root domain of all subdomains in the Root domain field. If you don’t want to request a wildcard certificate and instead want to specify each domain you want to add to the certificate, leave this page blank. Click Next.
  7. Click Browse and specify an Exchange server to store the certificate on. The server you select should be the Internet-facing Client Access server. Click Next.
  8. For each service in the list shown, verify that the external or internal server names that users will use to connect to the Exchange server are correct. For example: CN=mail.superplaneteers.com and SAN=autodiscover.superplaneteers.com
  9. These domains will be used to create the SSL certificate request. Click Next.
  10. Add any additional domains you want included on the SSL certificate.
  11. Select the domain that you want to be the common name for the certificate and click Set as common name. For example, mail.superplaneteers.com. Click Next.
  12. Provide information about your organization. This information will be included with the SSL certificate. Click Next.
  13. Specify the network location where you want this certificate request to be saved. Click Finish.

After you’ve saved the certificate request, submit the request to your certificate authority (CA) which is public CA. Clients that connect to the Client Access server must trust the CA that you use. After you receive the certificate from the CA, complete the following steps:

  1. On the Server > Certificates page in the EAC, select the certificate request you created in the previous steps.
  2. In the certificate request details pane, click Complete under Status.
  3. On the Complete pending request page, specify the path to the SSL certificate file and then click OK.
  4. Select the new certificate you just added, and then click Edit .
  5. On the certificate page, click Services.
  6. Select the services you want to assign to this certificate. At minimum, you should select IIS but you can also select IMAP, POP, SMTP and UM call router if you use these services. Click Save.
  7. If you receive the warning Overwrite the existing default SMTP certificate?, click Yes.

To re-use existing certificate follow the steps below

  1. Log on directly to your Exchange 2010 Client Access server with an administrator user account.
  2. Open an empty Microsoft Management Console (MMC).
  3. Click File, then Add/Remove Snap-in.
  4. In the Add or Remove Snap-ins window, select Certificates and then click Add >.
  5. In the Certificates snap-in window that appears, select Computer account and click Next.
  6. Select Local computer and click Finish. Then click OK.
  7. Under Console Root, expand Certificates (Local Computer), Personal, and then Certificates.
  8. Select the 3rd-party certificate that’s used by Exchange 2010 that matches the host names you’ve configured on the Exchange 2013 server. This must be a 3rd-party certificate and not a self-signed certificate.
  9. Right-click on the certificate and select All Tasks and then Export….
  10. In the Certificate Export Wizard, click Next.
  11. Select Yes, export the private key and click Next.
  12. Make sure Personal Information Exchange – PKCS #12 (.PFX) and Include all certificates in the certification path if possible are selected. Make sure no other options are selected. Click Next.
  13. Select Password and enter a password to help secure your certificate. Click Next.
  14. Specify a file name for the new certificate. Use the file extension .pfx. Click Next and then click Finish.
  15. You’ll receive a confirmation prompt if the certificate export was successful. Click OK to close it.
  16. Copy the .pfx file you created to your Exchange 2013 Client Access server.

After you’ve exported the certificate from your Exchange 2010 server, you need to import the certificate on your Exchange 2013 server using the following steps.

  1. Log on directly to your Exchange 2013 Client Access server with an administrator user account.
  2. Open an empty Microsoft Management Console (MMC).
  3. Click File, then Add/Remove Snap-in.
  4. In the Add or Remove Snap-ins window, select Certificates and then click Add >.
  5. In the Certificates snap-in window that appears, select Computer account and click Next.
  6. Select Local computer and click Finish. Then click OK.
  7. Under Console Root, expand Certificates (Local Computer), and then Personal.
  8. Right-click Personal and select All Tasks and then Import….
  9. In the Certificate Import Wizard, click Next.
  10. Click Browse and select the .pfx file you copied to your Exchange 2013 Client Access server. Click Open and then click Next.
  11. In the Password field, enter the password you used to help secure the certificate when you exported it on the Exchange 2010 Client Access server.
  12. Verify that Include all extended properties is selected and click Next.
  13. Verify that Place all certificates in the following store is selected and Personal is shown in Certificate store. Click Next. Click Finish.
  14. You’ll receive a confirmation prompt if the certificate import was successful. Click OK to close it.

Now that the new certificate has been imported on your Exchange 2013 Client Access server, you need to assign it to your Exchange services using the following steps.

  1. Open the EAC by browsing to the URL of your Client Access server. For example, https://Ex2013CAS/ECP.
  2. Open the EAC by browsing to the URL of your Client Access server. For example, https://Ex2013/ECP.
  3. Enter your user name and password in Domain\user name and Password, and then click Sign in.
  4. On the Server > Certificates page in the EAC, select the new certificate you just added, and then click Edit .
  5. On the certificate page, click Services.
  6. Select the services you want to assign to this certificate. At minimum, you should select IIS but you can also select IMAP, POP, SMTP and UM call router if you use these services. Click Save.
  7. If you receive the warning Overwrite the existing default SMTP certificate?, click Yes.

Configure Exchange 2013 external and internal URLs

  1. Open the EAC by browsing to the URL of your Client Access server. For example, https://AUPEREXCAS01/ecp?ExchClientVer=15.
  2. Enter your user name and password in Domain\user name and Password, and then click Sign in.
  3. Go to Servers > Servers, select the name of the Internet-facing Exchange 2013 Client Access server and then click Edit .
  4. Click Outlook Anywhere.
  5. In the Specify the external hostname field, specify the externally accessible FQDN of the Client Access server. For example, mail.superplaneteers.com.
  6. While you’re here, let’s also set the internally accessible FQDN of the Client Access server. In the Specify the internal hostname field, insert the FQDN you used in the previous step. For example, mail. superplaneteers.com.
  7. Click Save.
  8. Go to Servers > Virtual directories and then click Configure external access domain .
  9. Under Select the Client Access servers to use with the external URL, click Add .
  10. Select the Client Access servers you want to configure, and then click Add. After you’ve added all the Client Access servers you want to configure, click OK.
  11. In Enter the domain name you will use with your external Client Access servers, type the external domain you want to apply. For example, mail.superplaneteers.com. Click Save.

Configure External and Internal URL to be same

  1. Open the Exchange Management Shell on your Exchange 2013 Client Access server.
  2. Store the host name of your Client Access server in a variable that will be used in the next step. For example, In my case, mail.superplaneteers.com

$HostName = “mail.superplaneteers.com “

3. Run each of the following commands in the Shell to configure each internal URL to match the virtual directory’s external URL.

Set-EcpVirtualDirectory “$HostName\ECP (Default Web Site)” -InternalUrl ((Get-EcpVirtualDirectory “$HostName\ECP (Default Web Site)”).ExternalUrl)

Set-WebServicesVirtualDirectory “$HostName\EWS (Default Web Site)” -InternalUrl ((get-WebServicesVirtualDirectory “$HostName\EWS (Default Web Site)”).ExternalUrl)

Set-ActiveSyncVirtualDirectory “$HostName\Microsoft-Server-ActiveSync (Default Web Site)” -InternalUrl ((Get-ActiveSyncVirtualDirectory “$HostName\Microsoft-Server-ActiveSync (Default Web Site)”).ExternalUrl)

Set-OabVirtualDirectory “$HostName\OAB (Default Web Site)” -InternalUrl ((Get-OabVirtualDirectory “$HostName\OAB (Default Web Site)”).ExternalUrl)

Set-OwaVirtualDirectory “$HostName\OWA (Default Web Site)” -InternalUrl ((Get-OwaVirtualDirectory “$HostName\OWA (Default Web Site)”).ExternalUrl)

Set-PowerShellVirtualDirectory “$HostName\PowerShell (Default Web Site)” -InternalUrl ((Get-PowerShellVirtualDirectory “$HostName\PowerShell (Default Web Site)”).ExternalUrl)

To verify that you have successfully configured the internal URL on the Client Access server virtual directories, do the following:

  1. In the EAC, go to Servers > Virtual directories.
  2. In the Select server field, select the Internet-facing Client Access server.
  3. Select a virtual directory and then click Edit .
  4. Verify that the Internal URL field is populated with the correct FQDN.

Move Arbitration Mailboxes

Follow the below steps to move all arbitration and discovery search mailboxes to 2013 database.

Open Exchange Management Shell with run as administrator and run the following cmds

Get‐Mailbox –Arbitration | New-MoveRequest –TargetDatabase TargetDBName

Get-Mailbox “*Discovery*” | New-MoveRequest –TargetDatabase TargetDBName

OR

Type the following comdlets in EMS to find arbitration mailboxes and migrate using migration wizard.

Get-Mailbox –Arbitration >C:\Arbitration.txt

Get-Mailbox “*Discovery*” >C:\Discovery.txt

  1. In the EAC, go to Recipients > Migration.
  2. Click New , and then click Move to a different database.
  3. On the New local mailbox move page, click Select the users that you want to move, and then click Add .
  4. On the Select Mailbox page, add the mailbox that has the following properties:
    • The display name is Microsoft Exchange.
    • The alias of the mailbox’s email address is SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}.
  5. Click OK, and then click Next.
  6. On the Move configuration page, type the name of the migration batch, and then click Browse next to the Target database box.
  7. On the Select Mailbox Database page, add the mailbox database to move the system mailbox to. Verify that the version of the mailbox database that you select is Version 15. x, which indicates that the database is located on an Exchange 2013 server.
  8. Click OK, and then click Next.
  9. On the Start the batch page, select the options to automatically start and complete the migration request, and then click New.

Enable and configure Outlook Anywhere

To allow your Exchange 2013 Client Access server to redirect connections to your Exchange 2010 servers, you must enable and configure Outlook Anywhere on all of the Exchange 2010 servers in your organization. If some Exchange 2010 servers in your organization are already configured to use Outlook Anywhere, their configuration must also be updated to support Exchange 2013. When you use the steps below to configure Outlook Anywhere, the following configuration is set on each Exchange 2010 server:

  1. Open the Exchange Management Shell on your Exchange 2010 Client Access server.
  2. Store the external host name of your Exchange 2013 Client Access server in a variable that will be used in the next steps. For example, mail.superplaneteers.com.

$Exchange2013HostName = “mail.superplaneteers.com”

Run the following command to configure Exchange 2010 servers that already have Outlook Anywhere enabled to accept connections from Exchange 2013 servers.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 14*”) -And ($_.ServerRole -Like “*ClientAccess*”)} | Get-ClientAccessServer | Where {$_.OutlookAnywhereEnabled -Eq $True} | ForEach {Set-OutlookAnywhere “$_\RPC (Default Web Site)” -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName $Exchange2013HostName -IISAuthenticationMethods NTLM, Basic}

If you didn’t enable Outlook Anywhere in Exchange 2010 already, Run the following command to enable Outlook Anywhere and configure Exchange 2010 to accept connections from Exchange 2013 servers.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 14*”) -And ($_.ServerRole -Like “*ClientAccess*”)} | Get-ClientAccessServer | Where {$_.OutlookAnywhereEnabled -Eq $False} | Enable-OutlookAnywhere -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName $Exchange2013HostName -IISAuthenticationMethods NTLM, Basic

Configure service connection point (SCP)

Autodiscover uses an Active Directory object called the service connection point (SCP) to retrieve a list of AutoDiscover URLs for the forest in which Exchange is installed. When you install Exchange 2013, you need to update the SCP object to point to the Exchange 2013 server. This is necessary because Exchange 2013 servers provide additional AutoDiscover information to clients to improve the discovery process.

You must update the SCP object configuration on every Exchange server in the organization. You need to use the version of the Exchange Management Shell that corresponds to the version of the Exchange servers you’re updating.

Perform the following steps to configure the SCP object on your Exchange 2010 servers.

  1. Open the Exchange Management Shell on your Exchange 2010 Client Access server.
  2. Store the AutoDiscover host name of your Exchange 2013 Client Access server in a variable that will be used in the next step. For example, autodiscover.superplaneteers.com.

$AutodiscoverHostName = “autodiscover.superplaneteers.com”

Run the following command to set the SCP object on every Exchange 2010 server to the AutoDiscover URL of the new Exchange 2013 server.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 14*”) -And ($_.ServerRole -Like “*ClientAccess*”)} | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$AutodiscoverHostName/Autodiscover/Autodiscover.xml

Perform the following steps to configure the SCP object on your Exchange 2013 servers.

  1. Open the Exchange Management Shell on your Exchange 2013 Client Access server.
  2. Store the AutoDiscover host name of your Exchange 2013 Client Access server in a variable that will be used in the next step. For example, autodiscover.superplaneteers.com.

$AutodiscoverHostName = “autodiscover.superplaneteers.com”

Run the following command to set the SCP object on every Exchange 2013 server to the AutoDiscover URL of the new Exchange 2013 server.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 15*”) -And ($_.ServerRole -Like “*ClientAccess*”)} | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$AutodiscoverHostName/Autodiscover/Autodiscover.xml

Configure Exchange 2013 Mail flow

Receive connectors

There are four receive connectors in Exchange 2013. They are:

· Default <server name>   Accepts connections from Mailbox servers running the Transport service and from Edge servers.

· Client Proxy <server name>   Accepts connections from front-end servers. Typically, messages are sent to a front-end server over SMTP.

· Default FrontEnd <server name>   Accepts connections from SMTP senders over port 25. This is the common messaging entry point into your organization.

· Outbound Proxy Frontend <server name>   Accepts messages from a Send Connector on a back-end server, with front-end proxy enabled.

1. Open the EAC by browsing to https://AUPEREXCAS01/ecp?ExchClientVer=15 of your Client Access server. Click Mail flow, Click Receive Connector

2. Select Default Frontend AUPERMBX01, Click on Edit or Pencil icon, On the Security Parameter, Select Anonymous, Click Save.

3. Repeat the steps for Default Frontend AUPERMBX02.

Send connector:

All you have to do is to add Exchange 2013 mailbox servers to the existing send connector as shown below:

Open Exchange management Shell as an administrator, execute the following command.

Set-SendConnector –Identity Outbound –SourceTransportServers AUPEREXMBX01, AUPEREXMBX02

OR

1. Open the EAC by browsing to https://AUPEREXCAS01/ecp?ExchClientVer=15 of your Client Access server. Click Mail flow, Click Send Connector, Click Edit or Pencil icon

2. Click on scoping and + icon on Source Server parameter to add the server

3. Select the Exchange 2013 Mailbox servers (AUPEREXMBX01 and AUPEREXMBX02) and add them and Click save.

4. Send connector configuration completed.

Configure a smart host if necessary

1. In the EAC https://AUPEREXCAS01/ecp?ExchClientVer=15, navigate to Mail flow > Send connectors, and then click Add .

2. In the New send connector wizard, specify a name for the send connector and then select Custom for the Type. You typically choose this selection when you want to route messages to computers not running Microsoft Exchange Server 2013. Click Next.

3. Choose Route mail through smart hosts, and then click Add . In the Add smart host window, the fully qualified domain name (FQDN), such as relay.sjc.mx.trendmicro.com. Click Save.

4. Under Address space, click Add . In the Add domain window, make sure SMTP is listed as the Type. For Fully Qualified Domain Name (FQDN), enter * to specify that this send connector applies to messages sent to any domain. Click Save.

5. For Source server, click Add . In the Select a server window, choose a server and click Add . Click OK.

6. Click Finish.

Anonymous Relay

Create a new receive connector using Exchange Administration Center with the following parameters.

  • Name: Anonymous Relay
  • Role: Frontend Transport
  • Type: Custom
  • Available IP: Exchange 2013 server IP
  • Port: 25
  • Security: Anonymous
  • Authentication: TLS, Externally Secured
  • Permission: Exchange Servers, Anonymous users

1. Open the EAC by browsing to https://AUPEREXCAS01/ecp?ExchClientVer=15 of your Client Access server. Click Mail flow, Click Receive Connector, Click Add or + icon

2. Select an Exchange Mailbox Server name AUPEREXMBX01, Type Anonymous Relay on the name, Click Frontend transport, Select Custom, Click Next..

3. On the Network Adapter Binding, Add Exchange 2013 MBX Server IP (10.10.10.11) and port 25. On the remote network settings, add printer, scanner, device and application server IPs. Click Save to create Anonymous Relay.

4. Select newly created Anonymous relay, Click Edit or Pencil Icon, Click Security parameter, Select TLS, Externally Secured in Authentication and Select Exchange Servers, Anonymous users in Permission groups.

5. Open Exchange 2013 Management Shell and execute the following

Get-ReceiveConnector “Anonymous Relay” | Add-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights “Ms-Exch-SMTP-Accept-Any-Recipient”

6. Open Exchange management Shell in Exchange 2010 execute cmdlet

Get-ReceiveConnector –Identity “Anonymous relay” | Fl

From PowerShell Windows copy all the IP addresses of printer and scanner to a notepad

7. Edit Anonymous Relay in Exchange 2013 Administration center and add all the IPs addresses you copied in previous step into remote network setting of Exchange 2013 relay.

8. Repeat step 1 to step 7 on all mailbox servers.

Configure Public Name Space

At this stage, you are ready to configure public DNS record. Update your public DNS record including Hosted Email Security. You only need to configure public DNS if you are changing public IPs and hosted email security otherwise you just have to change the port 443 and port 25 forwarding rule in internal Cisco router in your organization.

You public DNS must look similar to this table.

superplaneteers.com MX Mail.superplaneteers.com
mail.superplaneteers.com A 203.17.x.x (Public IP)
autodiscover.superplaneteers.com A 203.17.x.x (Public IP)

Request your ISP who provided you 203.17.x.x public IP to create reverse DNS record for mail.superplaneteers.com. This is very important for Exchange to function correctly. When you send email to a destination, many destination server checks reverse DNS. If reverse DNS is wrong you could be banned from sending email to destination server. Note that outlook.com check reverse DNS and SPF records of domain sending email to an outlook address.

Configure TMG/UAG

If you are publishing internet facing Exchange 2013 CAS using TMG or UAG, follow the URL below and publish Outlook Web App and Active Sync.

http://microsoftguru.com.au/2013/09/19/publish-exchange-server-2010-using-forefront-uag-2010-step-by-step/

http://microsoftguru.com.au/2010/03/16/forefront-tmg-2010-publish-outlook-web-access-and-exchange-servers-using-forefront-tmg-2010/

Create internal DNS Record

Create Host(A) record with reverse DNS in the forward lookup zone of forest superplaneteers.com. Internal DNS records must look similar to this table.

FQDN Record Type IP Address
Mail.superplaneteers.com A 10.10.10.16
Autodiscover.superplaneteers.com A 10.10.10.16

If you don’t have CAS NLB or load balancer then your internal host(A) record must point to Exchange 2013 CAS server.

Open PowerShell as an administrator, execute the following

Resove-Dnsname mail.superplaneteers.com

Nslookup mail.superplaneteers.com

Configure Offline Address Book

To create a new offline address book and set the same OAB on all mailbox databases at once, run the following command. The command example uses “Default Offline Address Book” for the name of the OAB.

Open Exchange Management Shell, execute the cmdlets

New-OfflineAddressBook -Name “Default Offline Address Book” -AddressLists “Default Global Address List”

Restart-Service MSExchangeMailboxAssistants

Wait a few minutes and check if the OAB files is created in C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\OAB\<newGUID>

Try to access the new OAB in IE: https://mail.superplaneteers.com/oab/<newguid/oab.xml

Get-MailboxDatabase | Set-MailboxDatabase -OfflineAddressBook “Default Offline Address Book (Ex2013)”

To Change the generation server open Exchange 2010 Management Shell and run the following command:

Move-OfflineAddressBook –Identity “Default Offline Address Book” –Server AUPERCAS01,AUPERCAS02

Configure new transport rule in Exchange 2013 or Export transport rules from legacy Exchange.

Follow this reference if you are migrating from Exchange 2007

You cannot migrate transport rules from Exchange Server 2007 to Exchange Server 2013

The following cmdlet example exports all your Transport Rules to the XML file, ExportedRules.xml, in the “c:\TransportRules” folder:

Export-TransportRuleCollection -FileName “c:\TransportRules\ExportedRules.xml”

The following example cmdlet imports your transport rule collection from the XML file ExportedRules.xml in the “C:\TransportRules” folder

[Byte[]]$Data = Get-Content -Path “C:\TransportRules\ExportedRules.xml” -Encoding Byte -ReadCount 0 Import-TransportRuleCollection -FileData $Data

To create new Transport rule,

1. Open the EAC by browsing to https://AUPEREXCAS01/ecp?ExchClientVer=15 of your Client Access server.

  1. Enter your user name and password in Domain\user name and Password, and then click Sign in.
  2. Click Mail Flow, Click Rules, Click Add or + Icon, Type the Name of Rule, Select rule conditions, Click More Option.
  3. Select Date when you would like to activate the rule
  4. Click whether you would like to enforce the rule or test the rule
  5. Follow the wizard to finish the rule settings.

Move mailboxes to Exchange 2013

  1. Open the EAC by browsing to https://AUPEREXCAS01/ecp?ExchClientVer=15 of your Client Access server.
  2. Enter your user name and password in Domain\user name and Password, and then click Sign in.
  3. Go to Recipients > Migration, click Add and then select Move to a different database.
  4. Under Select the users that you want to move, click Add .
  5. In the Select Mailbox window, select the mailboxes you want to move, click Add and then OK.
  6. Verify that the mailboxes you want to move are listed and then click Next.
  7. Specify a name for the new mailbox move and verify that Move the primary mailbox and the archive mailbox if one exists is selected.
  8. Under Target database, click Browse.
  9. In the Select Mailbox Database window, select a mailbox database on the Exchange 2013 server that you want to move the mailboxes to, click Add and then OK.
  10. Verify that the mailbox database displayed in Target database is correct and then click Next.
  11. Decide which user should receive the mailbox move report once the move is complete. By default, the current user will receive the move report. If you want to change which user receives the report, click Browse and select a different user.
  12. Verify Automatically start the batch is selected.
  13. Decide whether you want to have mailbox moves automatically complete. During the finalization phase, the mailbox is unavailable for a short time. If you choose to complete the mailbox move manually, you can decide when the move is finalized. For example, you might want to finalize the move during off-work hours. Select or clear Automatically complete the migration batch.

14. Click Finish.

OR

Open Exchange Management Shell

Get-Mailbox –Database “Exchange 2010 database name’ | New-MoveRequest –targetdatabase “Exchange 2013 database name”

Get-MoveRequest

Migrate Room or Resource mailboxes

Open EMS and execute the cmdlets

Get-Mailbox -RecipientTypeDetails roommailbox -database SOURCEDBNAME | new-moverequest -targetdatabase TARGETDBNAME

Upgrade Distribution groups

Open Exchange management Shell as an administrator, execute the following command.

Get-DistributionGroup -resultsize unlimited | Set-DistributionGroup –ManagedBy “CN=Organization

Management,OU=Microsoft Exchange Security Groups,DC=superplaneteers,DC=com”

Get-DistributionGroup -resultsize unlimited | Set-DistributionGroup –ForceUpgrade

Upgrading Distribution Groups with multiple owners to Exchange 2013

Open Exchange management Shell as an administrator, execute the following command.

foreach ($DL in (Get-DistributionGroup -ResultSize Unlimited)) { $owners = Get-ADPermission $DL.identity | ?{$_.User -notlike “*Exchange*” -and $_.User -notlike “S-*” -and $_.User -notlike “*Organization*” -and $_.User -notlike “NT*” -and $_.User -notlike “*Domain Admins*” -and $_.User -notlike “*Enterprise Admins” -and $_.User -notlike “BUILTIN*” -and $_.User –notlike “*Delegated Setup*”}  | %{$_.user.tostring()};Set-DistributionGroup $DL -BypassSecurityGroupManagerCheck -ManagedBy $owners }

Reference http://blogs.technet.com/b/microsoft_exchange_tips/archive/2013/11/07/upgrading-distribution-groups-with-multiple-owners-to-exchange-2013.aspx

Migrate Public Folder

In Exchange 2013, public folders were re-engineered using mailbox infrastructure to take advantage of the existing high availability and storage technologies of the mailbox database. Public folder architecture uses specially designed mailboxes to store both the public folder hierarchy and the content. This also means that there’s no longer a public folder database. High availability for the public folder mailboxes is provided by a database availability group (DAG).

There are two types of public folder mailboxes: the primary hierarchy mailbox and secondary hierarchy mailboxes. Both types of mailboxes can contain content:

  • Primary hierarchy mailbox   The primary hierarchy mailbox is the one writable copy of the public folder hierarchy. The public folder hierarchy is copied to all other public folder mailboxes, but these will be read-only copies.
  • Secondary hierarchy mailboxes   Secondary hierarchy mailboxes contain public folder content as well and a read-only copy of the public folder hierarchy.

There are two ways you can manage public folder mailboxes:

  • In the Exchange admin center (EAC), navigate to Public folders > Public folder mailboxes.

Before you migrate public folder, I would recommend creating new separate mailbox database in Exchange 2013 then start the migration process.

Step1: Perform Perquisites
Download all four of the Microsoft Exchange 2013 public folder migration scripts and save the script in C:\PFScripts
Prerequisites in Exchange 2010 Server
Open Exchange Management Shell in Exchange 2010 server, run the following cmdlets one by one.
Run the following command to take a snapshot of the original source folder structure.
Get-PublicFolder -Recurse | Export-CliXML C:\PFMigration\Legacy_PFStructure.xml

Run the following command to take a snapshot of public folder statistics such as item count, size, and owner
Get-PublicFolderStatistics | Export-CliXML C:\PFMigration\Legacy_PFStatistics.xml

Run the following command to take a snapshot of the permissions.
Get-PublicFolder -Recurse | Get-PublicFolderClientPermission | Select-Object Identity,User -ExpandProperty AccessRights | Export-CliXML C:\PFMigration\Legacy_PFPerms.xml

Save the information from the preceding commands for comparison at the end of the migration.
In Exchange 2010, to locate public folders that have a backslash in the name, run the following command:
Get-PublicFolderStatistics -ResultSize Unlimited | Where {$_.Name -like “*\*”} | Format-List Name, Identity

In Exchange 2007, to locate public folders that have a backslash in the name, run the following command:
Get-PublicFolderDatabase | ForEach {Get-PublicFolderStatistics -Server $_.Server | Where {$_.Name -like “*\*”}}

If any public folders are returned, you can rename them by running the following command:
Set-PublicFolder -Identity <public folder identity> -Name <new public folder name>

Make sure there isn’t a previous record of a successful migration. If there is, you’ll need to set that value to $false. If the value is set to $true the migration request will fail.
The following example checks the public folder migration status.
Get-OrganizationConfig | Format-List PublicFoldersLockedforMigration, PublicFolderMigrationComplete

Set-OrganizationConfig -PublicFoldersLockedforMigration:$false -PublicFolderMigrationComplete:$false

Prerequisites on Exchange 2013
Make sure there are no existing public folder migration requests. If there are, clear them.
Get-PublicFolderMigrationRequest | Remove-PublicFolderMigrationRequest -Confirm:$false

To make sure there are no existing public folders on the Exchange 2013 servers, run the following commands.
Get-Mailbox -PublicFolder
Get-PublicFolder

If the above commands return any public folders, use the following commands to remove the public folders.
Get-MailPublicFolder | where $_.EntryId -ne $null | Disable-MailPublicFolder -Confirm:$false
Get-PublicFolder -GetChildren \ | Remove-PublicFolder -Recurse -Confirm:$false
Get-Mailbox -PublicFolder |Remove-Mailbox -PublicFolder -Confirm:$false

Step2: Generate CSV Files
On the Exchange 2010 server, run the Export-PublicFolderStatistics.ps1 script to create the folder name-to-folder size mapping file.
.\Export-PublicFolderStatistics.ps1 <Folder to size map path> <FQDN of source server>

Run the PublicFolderToMailboxMapGenerator.ps1 script to create the public folder-to-mailbox mapping file. This file is used to create the correct number of public folder mailboxes on the Exchange 2013 Mailbox server.
.\PublicFolderToMailboxMapGenerator.ps1 <Maximum mailbox size in bytes> <Folder to size map path> <Folder to mailbox map path>

<Folder to size map path> is  \\AUPEREX2010\c$\PFstat.csv
<Maximum mailbox size in bytes> is 20000000
<Folder to mailbox map path> is \\AUPEREX2010\c$\PFMigration\mapgen.csv

Step3: Create public folder mailboxes on Exchange 2013
Run the following command to create the first public folder mailbox on the Exchange 2013 Mailbox server.
New-Mailbox -PublicFolder <Name> -HoldForMigration:$true –database “Exchange 2013 database”

Run the following command to create additional public folder mailboxes as needed based on the .csv file generated from the PublicFoldertoMailboxMapGenerator.ps1 script.

$numberOfMailboxes = 25;
for($index =1 ; $index -le $numberOfMailboxes ; $index++)
{
$PFMailboxName = “Mailbox”+$index;  if($index -eq 1) {New-Mailbox -PublicFolder $PFMailboxName -HoldForMigration:$true -IsExcludedFromServingHiearchy:$true;}else{NewMailbox-PublicFolder $PFMailboxName -IsExcludedFromServingHierarchy:$true}
}

Step4: Start Migration request

Legacy system public folders such as OWAScratchPad and the schema-root folder subtree in Exchange 2007 won’t be recognized by Exchange 2013 and will be treated as bad items. This will cause the migration to fail. As part of the migration request, you must specify a value for the BadItemLimit parameter.

From the Exchange 2013 Mailbox server, run the following command:

$PublicFolderDatabasesInOrg = @(Get-PublicFolderDatabase)
$BadItemLimitCount = 5 + ($PublicFolderDatabasesInOrg.Count -1)
New-PublicFolderMigrationRequest -SourceDatabase (Get-PublicFolderDatabase -Server <Source server name>) -CSVData (Get-Content <Folder to mailbox map path> -Encoding Byte) -BadItemLimit $BadItemLimitCount

To verify that the migration started successfully, run the following command.
Get-PublicFolderMigrationRequest | Get-PublicFolderMigrationRequestStatistics -IncludeReport | Format-List

Step 5: Lock Source Server
On the Exchange 2010 server, run the following command to lock the legacy public folders for finalization.

Set-OrganizationConfig -PublicFoldersLockedForMigration:$true

Step6: Finalize public folder migration
Set-PublicFolderMigrationRequest -Identity \PublicFolderMigration -PreventCompletion:$false
Resume-PublicFolderMigrationRequest -Identity \PublicFolderMigration

Step7: Test Public Folder Migration
Run the following command to assign some test mailboxes to use any newly migrated public folder mailbox as the default public folder mailbox
Set-Mailbox -Identity <Test User> -DefaultPublicFolderMailbox <Public Folder Mailbox Identity>

Log on to Outlook 2007 or later with the test user identified in the previous step, and then perform the following public folder tests:

Post Migration Check

1. Verify Internal and external DNS records and aliases of autodiscover and mail are pointing to Exchange 2013 CAS server or load balancer VIP or CAS NLB IP. At this stage do not delete Host(A) record of legacy exchange servers until you decommission them.

2. Point your Spam Guard or hosted email security to forward all the emails to exchange 2013 to receive incoming mail via Exchange 2013.

3. Configure Spam Guard or hosted email security to accept emails from all Exchange 2013 Mailbox servers.

4. Configure smart host if necessary.

5. Configure all other application to send email via the Exchange 2013 Mailbox Servers

6. Test inbound and outbound email from outlook client and mobile devices.

7. Start Monitoring Exchange, Open EMS and execute Get-mailbox –monitoring

8. Go to https://testconnectivity.microsoft.com/ to test connectivity of Exchange 2013

9. Go to http://mxtoolbox.com/ to test your MX, Reverse DNS and DNS records.

Decommission Legacy Exchange Server

Before you decommission legacy Exchange server, make sure you have completed the following tasks

  1. Make sure public and internal DNS, MX and CNAME are correct.
  2. Move all user mailboxes to Exchange 2013.
  3. Move all room mailboxes to Exchange 2013.
  4. Move all public folders to Exchange 2013
  5. Move all arbitration mailboxes to Exchange 2013.
  6. Move all Discovery Search mailboxes to Exchange 2013
  7. Add all Exchange 2013 mailbox servers in all the send connectors and remove the Exchange 2007/2010 servers from Send Connector.
  8. Create new anonymous relay receive connectors in Exchange 2013 and all IPs in remote network settings properties of relay
  9. Ensure you have configured Autodiscover correctly at AutoDiscoverServiceInternalUri properties if all CAS 2013. Issue Get-ClientAccessServer | fl cmdlet to view internal url of autodiscover.

10. Remove Exchange 2010 CAS arrays. Execute Get-clientaccessarray | remove-ClientAccessArray in Exchange 2010 management shell

11. Point all the applications to use Exchange 2013 SMTP.

12. Test inbound and outbound email from various supported clients.

Now is the time to shutdown legacy exchange servers in your organization and test Exchange 2013 mail flow again. Make sure you shut down the server during working hours and working days. Keep the legacy exchange down for at least 48hrs. To decommission legacy Exchange follow the steps

1. Bring all legacy servers online means power on all servers which were down in previous step.

2. Remove all Public Folder replicas else Public Folder Database will not be removed. To remove public folder replicas, open Exchange Management Console in exchange 2010, Click Tools, Open Public Folder Management Console, Select Default Public Folder, Click properties, Click Replication, Remove exchange 2010 database from replication. Repeat the same for systems public folder.

3. Remove Exchange 2007/2010 mailbox database and Public folder databases from EMC or EMS.

4. Go to Control Panel to remove Exchange 2007/2010. On Program and Features screen click on Uninstall. On the Maintenance Mode page of the Exchange Server 2007/2010 Setup wizard begins the process of removing your Exchange installation. Click Next to continue.    

5. On the Server Role Selection page, uncheck in 2007/2010 all Exchange server roles and Exchange management tools to remove. In Exchange 2007 CCR remove passive node first then follow the same steps on active node. Click next to continue.

6. On the Readiness Checks page, view the status to determine if the organization and server role prerequisite checks completed successfully. If the prerequisites check doesn’t complete successfully, review the Summary page and fix any issues that are preventing Setup from removing exchange 2007/2010. If the checks have completed successfully, click Uninstall to remove the entire installation of Exchange 2007/2010.

7. On the Completion page, click Finish.

8. Verify the setup log files and folder located at c:\ExchangeSetupLogs.

9. Uninstall Internet Information Services (IIS) from windows Server 2008 or add/remove program and features in Windows Server 2003.

10. Disjoin the legacy Exchange servers from the Domain.

11. Delete Host(A) DNS record of Legacy Exchange Server. Delete ONLY legacy DNS record.

References

http://technet.microsoft.com/en-us/library/ee332361(EXCHG.141).aspx

http://technet.microsoft.com/en-us/library/bb123893(EXCHG.80).aspx

http://technet.microsoft.com/en-US/exdeploy2013/Checklist?state=2284-W-CABEAgAAQAAACQEAAQAAAA~~

http://support.microsoft.com/kb/2846555

http://support.microsoft.com/?kbid=940726

http://www.petenetlive.com/KB/Article/0000036.htm

http://blogs.technet.com/b/meamcs/archive/2013/07/25/part-1-step-by-step-exchange-2007-to-2013-migration.aspx

http://blogs.technet.com/b/meamcs/archive/2013/07/25/part-2-step-by-step-exchange-2007-to-2013-migration.aspx

http://blogs.technet.com/b/meamcs/archive/2013/07/25/part-3-step-by-step-exchange-2007-to-2013-migration.aspx

http://blogs.technet.com/b/meamcs/archive/2013/07/25/part-4-step-by-step-exchange-2007-to-2013-migration.aspx

http://www.expta.com/2013/05/owa-2013-cu1-redirection-is-broken-for.html

PDF Converter    Send article as PDF   
Posted in Exchange Server | Tagged , , , , , , , , , , , , , , , , , , , , , | 1 Comment

Microsoft Forefront Product Roadmap

Microsoft is discontinuing any further releases of the following Forefront-branded solutions:

  • Forefront Protection 2010 for Exchange Server (FPE)
  • Forefront Protection 2010 for SharePoint (FPSP)
  • Forefront Security for Office Communications Server (FSOCS)
  • Forefront Threat Management Gateway 2010 (TMG)
  • Forefront Threat Management Gateway Web Protection Services (TMG WPS)
  • Forefront Unified Access Gateway 2010 (UAG)
  • Forefront Client Security
  • Forefront Security for Exchange Server

There is no change to the FIM roadmap. Microsoft will continue to develop next version of FIM.

References.

http://support.microsoft.com/lifecycle/search/default.aspx?sort=PN&alpha=Forefront&Filter=FilterNO

http://redmondmag.com/articles/2013/12/17/microsoft-ending-uag-sales.aspx

 

Fax Online    Send article as PDF   
Posted in Forefront Technologies | Tagged , , , , , , , | Leave a comment

How to Configure Unified Messaging in Exchange 2013 Step by Step

There are many ways you can achieve unified messaging functionality in Exchange 2013. It all depends on your Exchange, Lync and telephony infrastructure.

Before you begin, you have to install Exchange language pack for non-English Exchange deployment. For English deployment you don’t need to install language pack.

Depending on your Exchange 2013 version, Download Exchange Language Pack from the following web sites.

http://www.microsoft.com/en-au/download/details.aspx?id=35368

http://www.microsoft.com/en-au/download/details.aspx?id=39713

http://www.microsoft.com/en-au/download/details.aspx?id=41176

Right click the UMLanguagePack.Country-Code.exe file, Click Run As Administrator.

In the Exchange 2013 Setup wizard, on the License Agreement page,  select I accept the terms in the license agreement, and then click Next then click Install.

Click Finish to complete the installation of the UM language pack.

Scenario#1

If you have a Cisco Call Manager for IP telephony then you just need to perform few tasks in Exchange 2013 to integrate Exchange and Cisco Call Manager. Here are the steps to accomplish unified messaging in Exchange 2013 with Cisco Call Manager.

Step1: Create a Service Account named domainname\sa-ExchangeUC  and set password and account to be never expired. Set user cannot change password.  

Step2: Open Exchange 2013 Management Shell as an administrator (Account must be a member of Exchange organisation management role). issue the following command. 

New-ManagementRoleAssignment –Name:UMServicesConnectionACC –Role:ApplicationImpersonation -User:”domainanem\sa-ExchangeUC “

Get-ManagementRoleAssignment

Step3: Create an anonymous relay in Exchange 2013. Here is a guideline

Name: Anonymous Relay

Role: Frontend Transport

Type: Custom

Available IP: Exchange 2013 server IP

Port: 25

Authentication: TLS, Externally Secured

Permission: Exchange Servers, Anonymous users

Open Exchange Management Shell and execute the following

Get-ReceiveConnector “Anonymous Relay” | Add-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights “Ms-Exch-SMTP-Accept-Any-Recipient”

Now add Cisco Call Manager IP address into remote network settings properties of anonymous relay.

Step4: Export Exchange Client Access Certificate from Exchange 2013 as .pfx format (public key included) and import into computer account of windows machine then export as .cer format certificate into Cisco Unity. reference http://www.digicert.com/ssl-support/pfx-import-export-iis.htm

Step5: Configure Cisco Unity for Unified Messaging. Follow this link to configure Cisco Call Manager. Detailed guide is available in Cisco Unity and Microsoft Exchange configuration guide.

Scenario#2

There are other ways to achieve same result if you decide Exchange 2013 to manage dial plan, auto attendant, hunt group and voice delivery etc. In this scenario, you have configure lot more then previous steps. There is no concrete steps for your scenario or your IP telephony systems. But here is what you have to do to accomplish unified messaging between IP-PBX and Exchange 2013. I assume your Exchange 2013 and IP-PBX are working per normal.  

Step1: Create a Service Account named domainname\sa-ExchangeUC and set password and account to be never expired. Set user cannot change password in the properties of sa-ExchangeUC account.

Step2: Export Exchange Client Access Certificate from Exchange 2013 as .pfx format (public key included) and import into computer account of a windows machine then export as .cer format certificate into IP-PBX.

Step3: Configure IP-PBX to connect to Exchange 2013 using service account you have created in previous step.

Step4: Create a virtual extension number. This extension number will be used in a Exchange 2013 only.  

Step5: Create a dial plan

In the Exchange admin center (EAC), navigate to Unified Messaging > UM dial plans, and then click Add Add Icon.

On the New UM Dial Plan page, complete the following boxes:

Name: ExchangeUC Dial Plan

Extension Length: 4 or Exact length used in IP-PBX

Dial plan type: Telephone extension

VoIP security mode: Unsecured

Country/Region code: +61 (for australia)

Click Save.

Step6: Create a PIN Policy

In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, click the ExchangeUC Dial Plan you have created in previous step and then click Edit Edit Icon.

On the UM Dial Plan page, under UM Mailbox Policies, select the UM mailbox policy you want to edit, and then click Edit Edit Icon.

Click Properties. On the UM mailbox policy page, click PIN policies.

On the PIN Policies page, configure the following PIN settings

PIN Length: 5

PIN Cycle: 5

Enforce PIN lifetime: 60

Sign-in failure: 5

Sign-in lockout:15

Click Save.

Step8: Add a DNS record in the forward lookup zone of Active Directory DNS

lets say DNS Name: IPPBX.domainname.com and corresponding IP: 10.10.70.240

Step8: Add UM IP Gateway

In the EAC, navigate to Unified Messaging > UM IP Gateways, and then click Add Add Icon.

On the New UM IP gateway page, enter the following information:

Name: Cisco Unity or 3CX whichever is your gateway

Address: FQDN or IP Address of IP-PBX

UM Dial Plan: ExchangeUC Dial Plan

Click Save.

Step9: Create Auto Attendant

In the EAC, navigate to Unified Messaging > UM dial plans, select the ExchangeUC Dial Plan for which you want to add an auto attendant, and then click Edit Edit Icon.

On the UM Dial Plan page, under UM Auto Attendants, click Add Add Icon.

On the New UM auto attendant page, complete the following boxes:

Name: ExchangeUC Auto Attendant

Uncheck “Create this auto attendant as enabled”

Uncheck “Set the auto attendant to respond to voice commands”

Access Number: click Add Add Icon and add virtual extension number you have created in step 4.

Click Save.

Step 10 (Optional):

In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the ExchangeUC Dial Plan and then click Edit Edit Icon.

On the UM Dial Plan page, under UM Hunt Groups, click Add Add Icon.

On the New UM Hunt Group page, complete the following boxes:

Associated UM IP gateway: IPPBX.domainname.com

Name: ExchangeUC Hunt Group

Dial plan   Click Browse to select the ExchangeUC Dial Plan

Pilot identifier: a string that uniquely identifies the pilot identifier obtained from IP-PBX.

Click Save.

Step11: Setup UM Dial Plan Policies

In the EAC, navigate to Unified Messaging > UM dial plans. In the list view, select the ExchangeUC Dial Plan and then click Edit Edit Icon.

On the UM Dial Plan page, under UM Mailbox Policies, click New Add Icon.

On the New UM mailbox policy page, in the Name box, enter the name of ExchangeUC mailbox policy.

Click Save.

Step12: Enable User for Voice Mail

In the EAC, click Recipients. In the List view, select the user whose mailbox you want to enable for Unified Messaging.

In the Details pane, under Phone and Voice Features, click Enable.

On the Enable UM mailbox page, click the Browse and select ExchangeUC mailbox policy, and then click OK.

On the Enable UM mailbox page, complete the following boxes:

Extension Number: Type the extension number you have created in IP-PBX for this mailbox

PIN Settings: Type a 5 digit PIN number

Click Finish.

Now you have successfully configured Unified Messaging in Exchange 2013. However if you have Lync 2013 in your organisation. you will have to perform the following steps in Exchange 2013 to integrate Lync and Exchange.

Step1: Set Dial Start-up mode to dual

Open Exchange Management Shell, Enter the following command

Set-UmService -Identity “FQDN of Exchange Server” -DialPlans “ExchangeUC Dial Plan” -UMStartupMode “Dual”

Step2: Assign Exchange Certificate to UM

Type Get-ExchangeCertificate and copy the thumbprint in notepad

Enable-ExchangeCertificate -Server “FQDN of Exchange Server” -Thumbprint “EA5A332496CC05DA69B7578A110D22d” -Services “UM”

I assume that you already assigned this certificate to IIS, SMTP services. Restart the MsExchangeUM service on the Exchange server.

Step3: Assign certificate to call router

Set-UMCallRouterSettings -Server “FQDN of Exchange Server” -UMStartupMode “Dual” -DialPlans “ExchangeUC Dial Plan”
Enable-ExchangeCertificate -Server “FQDN of Exchange Server” -Thumbprint “45BAA32496CC891169B75B9811320F78A1075DDA” –Services “IIS”, “UMCallRouter”

Restart the MsExchangeUM service on the Exchange server.

Step4: Test UM Service

$credential = Get-Credential “DomainName\User1″

Test-CsExUMConnectivity -TargetFqdn “FQDN of Exchange Server” -UserSipAddress “sip:User1@DomainName.com” -UserCredential $credential

$credential = Get-Credential “DomainName\User2″

Test-CsExUMVoiceMail -TargetFqdn “FQDN of Exchange Server” -ReceiverSipAddress “sip:user1@DomainName.com” -SenderSipAddress “sip:user2@DomainName.com” -SenderCredential $credential

References:

http://technet.microsoft.com/en-us/library/jj673564%28v=exchg.150%29.aspx

http://technet.microsoft.com/en-us/library/jj150478%28v=exchg.150%29.aspx

PDF Creator    Send article as PDF   
Posted in Exchange Server | Tagged , , , , , , , , , , | Leave a comment

Experience Mobile (iPhone & Android) Browsing with Forefront UAG

If you are scratching your head how to grant access to your website for iPhone and Tablet published via Forefront UAG, there is way to achieve your goal. But before I articulate how to achieve this let’s revisit how UAG endpoint compliance works.

By default UAG checks compliance of every endpoint device. If you do now allow all endpoint devices in UAG Trunk it will be blocked due to policy violation. Since release of UAG SP3, mobile devices are identified as “Other” in UAG Endpoint Policy. “Other” includes iPhone, iPad, Android phone and tablet. Surprisingly I found that UAG also blocks Windows 8 mobile phone unless you allow it explicitly in endpoint policy.

When an endpoint device connect to Trunk portal or a published website, UAG automatically check Default Session Access  and Default Web Application Access policy.  However for FTP and similar policy UAG checks  Default Web Application Upload and  Default Web Application Download policy as well. You need to tweak little bit in the Trunk properties and application properties to make it work.

Let’s begin with Trunk properties. Log on the UAG server using administrative credential. Open UAG Management Console.

Step1: Advanced Trunk Configuration

  1. Select the Trunk where you publish the application, in the Trunk Configuration area, click Configure.
  2. On the Advanced Trunk Configuration dialog box, click the Endpoint Access Settings tab.
  3. On the Endpoint Access Settings tab, click Edit Endpoint Policies.
  4. On the Manage Policies and Expressions dialog box, click the Default Session Access policy, and then click Edit Policy.
  5. On the Policy Editor dialog box, under Select platform-specific policies, in the Other drop-down list, click Always, and then click OK.
  6. On the Manage Policies and Expressions dialog box, click the Default Web Application Access policy, and then click Edit Policy.
  7. On the Policy Editor dialog box, under Select platform-specific policies, in the Other drop-down list, click Always, and then click OK.
  8. Repeat the step 4 to step 7 on all the required policies. Example for FTP policies perform step4 to step7 for Default Web Application Upload and  Default Web Application Download policies.
  9. On the Manage Policies and Expressions dialog box, click Close.
  10. On the Advanced Trunk Configuration dialog box, click OK.
  11. Activate the configuration. Wait for activation to complete. Note that it takes  few minutes.
  12. Open elevated command prompt using run as administrator option. Type iisreset and hit enter.

Step2: Allow Premium Mobile Portal

  1. Select the application you published through the Trunk where you configured advanced properties in previous steps. In the Applications area, click the required application, and then click Edit.
  2. On the Application Properties dialog box, click the Portal tab.
  3. On the Portal tab, select the Premium mobile portal and Non-premium mobile portal check box.
  4. On the Application Properties dialog box, click OK.
  5. Activate the configuration. Wait for activation to complete. Note that it takes few minutes.
  6. Open elevated command prompt using run as administrator option. Type iisreset and hit enter.

Step3: Test Mobile Devices

  1. Browse published website in Windows Phone or iPhone
  2. Open Forefront UAG Monitor, Check the Session compliance, Authentication in Active Session.
  3. Check all systems logs in UAG monitor. You will see a session is connected successfully with endpoint device type, endpoint IP and GUID mentioned in the logs.
Create PDF    Send article as PDF   
Posted in Forefront Technologies | Tagged , , , , , , , , , , , , , , , , , , , , , , | Leave a comment

Publish FTP Using Microsoft Forefront UAG 2010

Recently I have completed a UAG project. The purpose of the project was to publish several websites, SharePoint and OWA. All went ok except I got stuck with FTP. After trying several times, publishing FTP failed with error “Your Computer does not meet the security policy requirements of this application”. I went through UAG events to find out a solution of this issue. No luck. I went thought Ben Ari’s blog. No luck. Actually Ben’s blog tells you a little on FTP and doesn’t tell you about backend FTP server and UAG in details. So I end up being calling Microsoft Tech support to help me sort out the issue.  So here is my research on FTP and outcome for you guys who are struggling to publish FTP using UAG.

Prerequisites:

  1. Forefront UAG 2010 SP3
  2. Windows 7 or Windows 8 Client
  3. Windows Server 2008 R2 Domain
  4. Internet Explorer 9 or later
  5. Passive Mode FileZilla FTP Client or passive mode CuteFTP Client
  6. Passive mode IIS 7.5 FTP 
  7. Client Connection Port 20 & 21.
  8. Passive mode port range 1024-65534

image

image

Create a separate FTP Trunk:

You need to create a separate trunk for FTP. Right Click HTTP/HTTPS Trunk, Create a new Trunk. In my case I have created a HTTPS Trunk which means you need a proper public certificate with matching Common Name of Certificate for HTTPS trunk to work correctly. Note that you need certificate with public key. You must import certificate in PFX format.

image

Once you configured a trunk with all default settings, Click Configure to configure Advanced settings of Trunk. 

image

On the Authentication Tab, Uncheck Require users to authenticate at session logon. If you would like that user authenticate at session using domain credentials you can keep it. I don’t want user’s to authenticate twice so I un-ticked this one.

image

Click Session Tab, make sure disable component installation and disable scripting for portal are unchecked.

image

Click Endpoint Access Settings Tab, Click Edit Endpoint Policies, Select Default Session Access, Click Edit Policy, On the other, Click Always. Click Ok. Repeat the step for Default Privileged Endpoint, Default non web access Policy. Click Ok.

image

image

Add Enhanced Generic Client Application (Multiple Servers)

Add a Enhanced generic client application (multiple servers) on this FTP trunk. Use all default settings except server settings which is shown in below screen shots.

image

image

On the Server Settings Tab, make sure you type fully qualified domain name of FTP server. In my test lab, I configured my domain controller as FTP server which is not best practice in production environment. This is only for demonstration purpose. On the Ports, Use 20,21,1024-65534, On the Executable type real path of FTP client installed in Windows 7 or Windows 8. In my case C:\Program Files\FileZilla FTP Client\FileZilla.exe. Click Ok. 

image

image

On the socket forwarding select basic.

image

image

image

On the Endpoint policy make sure other is set to always. Click Ok.

image

Activate the Trunk

Click File, Click Activate.

image

Wait for Activation to complete.

image

Open Command Prompt as an administrator. Type iisreset and hit enter.

image

Error and Warning:

Open a browser from Windows client, browse https://ftp.yourdomain.com and see the outcome. Make you sure FileZilla Client is installed in C:\Program Files\FileZilla FTP Client\ location in Windows 7 or Windows 8.   You may or may not receive warning depending on your client environment. To fix the warning open, UAG web monitor, Click Session monitor and select the FTP trunk, Click connected session, see endpoint information.

In my case I received “Your Computer does not meet the security policy requirements of this application” which says I don’t have any antivirus installed (Compliant antivirus not detected) but I have Symantec antivirus. Solution? Actually UAG is looking Microsoft security essentials in my computer. Work around is install Microsoft Security Essentials and turn on Windows firewall. 

image

image

image

image

image

To avoid this issue, you can create a new endpoint policy. Click Configure on Trunk, Click Edit endpoint policies, Click Add policy.

image

image

Create a new policy allowing any antivirus, any firewall shown below screen shot. Click Ok.

image

Apply the policy into Endpoint Policy.

image

Again activate the trunk. run iisreset.

Testing FTP

Open browser, browse https://ftp.yourdomain.com 

image

Click FTP to open FileZilla Client application. Once UAG component is installed. Type the ftp server name, username and password on ftp client to connect

image

image

image

Now go back to UAG web monitor. select FTP trunk, Go to Endpoint information, you will see client is compliant and connected.

image

image

Further Study

Publish FTP using TMG

Passive mode IIS 7.5 FTP 

UAG Articles

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Forefront UAG Patching Order

 

PDF Printer    Send article as PDF   
Posted in Forefront Technologies | Tagged , , , , , , , , | Leave a comment

UAG 2010 SP4 is Available

UAG 2010 SP4

UAG 2010 SP4 Release Notes

Free PDF    Send article as PDF   
Posted in Forefront Technologies | Tagged , , , , , , | Leave a comment