Start by installing Windows Server 2008 on the server you’re intending on using for mail. In our example we installed all the Exchange functionality on a single server – in practice you’ll probably want to separate out the Hub and Storage functions, and use a separate Edge server for mail traffic and user access to mail. There’s no problem with connecting to the network while you’re doing the install – Windows Server 2008 installs as a workgroup server – and you’ll automatically be delivered the latest drivers and the most up to date OS patches. You’ll also need to give the server an appropriate fixed IP address, as it’s going to become a key component of the network infrastructure.
On the role and feature-based install model introduced with Windows Server 2003 and enhanced in Windows Server 2003 R2. Make sure you use these tools to install Internet Information Server – as Exchange 2007 will use it for Outlook Web Access and Exchange ActiveSync. Exchange 2007 requires that servers have the Power Shell management scripting environment and the .NET framework. We’d also recommend installing Terminal Services as part of any Windows Server installation, as using Remote Desktop to access the new server and the existing SBS 2003 domain controller will let you handle much of the migration process from the comfort of your desk (even if that’s back at your office).
Once Windows Server 2008 has been installed, take out the install DVD and shut the server down. As you’re going to be adding a Windows Server 2008 machine to what’s really a Windows Server 2003 network, you need to upgrade the Active Directory schema on our SBS 2003 server. This will allow you to manage the Windows Server 2008 machine from the SBS 2003 machine. You may need to update your version of Remote Desktop to one that supports the latest versions of the RDP protocol.
Put the Windows Server 2008 DVD in your SBS 2003 machine’s DVD drive (a network accessible DVD drive is suitable, especially if access to any machine room is limited, and you’re using Remote Desktop to manage the server). Open a command line and change directory to SOURCES\ADPREP. You need to use ADPREP.EXE to update the Active Directory schema. Start by typing the following command to update the Active Directory forest:
This will begin the process of updating the schema. Be prepared to wait some time, especially if you’re working with SBS 2003 rather than SBS 2003 R2. Once the forest schema has been updated you can update the domain schema. Type the following command:
You’re now ready to bring the new Windows Server 2008 machine into your existing domain. Turn on the server, and then log in as a local administrator.
Start by joining the server to the existing SBS-managed domain. Once the server is part of the domain, you will to promote it from a member server to a domain controller. Launch DCPROMO using the Start menu search bar to find the program. Choose to add a domain controller to an existing domain. You’ll need to use the credentials of an existing domain administrator to start the process.
Make the server a Global Catalog server. If you’re going to be keeping the existing SBS 2003 system there’s no need to make the new server a DNS server. DCPROMO will then add the requisite Active Directory Domain Services to your Windows Server 2008 machine. This can take some time, especially if you’re working with a large SBS-managed network with more than 50 users. Once the DCPROMO process is complete you’ll need to restart the server. You can now log in as a domain administrator.
Now you can start the process of installing Exchange 2007 on the new server. There’s one key issue that needs to be dealt with first. Exchange 2007 needs to install on a server that’s a Schema Master.
One of the limitations of SBS 2003 is that the SBS server needs to own all five of the FSMO roles. The Flexible Single Master Operations are key domain management tasks, and in a standard Active Directory implementation, these roles can be parceled out across several servers. Microsoft’s restrictions on SBS can be overcome – as the SBS license allows FSMO roles to be temporarily transferred to other servers for the purpose of server migration and major hardware upgrades. You can continue to run SBS for up to seven days (there is an option to install an update that extends this to 21 days) with the FSMO roles on other servers. Don’t let the migration drag on as after that point, the server will reboot every hour, until the roles are transferred back.
You’ll need to be logged in to your SBS server to move the Schema Master to the Windows Server 2008 machine. Start by registering SCHMMGMT.DLL. This allows you to use the Windows Schema Master management tools to transfer the Schema Master role to the Windows Server 2008 machine. Open a command line and type the following command:
You’ll next need to open the Windows Management Console. Once you’ve done this, by typing mmc at a command prompt or from the Run option on the start menu, you can load the Active Directory Schema management snap-in. From the File menu click Add/Remove Snap-in. This opens a dialog box where you can choose to add the appropriate tools. Choose Active Directory Schema. This will load the schema management tools, which you can use to move the Schema Master to a new machine.
In the Schema Manager console, right click on Active Directory Schema and then choose Change Domain Controller. You’ll see a list of available servers. Choose the new Windows Server 2008 machine, and then click Change to move the Schema Master role to your new Exchange machine. Right click Active Directory Schema again, and choose Operations Master. This allows you to make the new server the operations master for the FSMO role we’ve just transferred.
Now you can start the Exchange 2007 installation. Log on to the server, and load the Exchange 2007 DVD; using an Exchange 2007 SP1 DVD reduces the amount of time you’ll need to set aside for downloading and installing uploads. Choose the appropriate Exchange installation for your network needs – a typical install with Hub Transport, Client Access and Mailbox roles should be sufficient for most small networks. Once Exchange has installed, restart the Windows Server 2008 machine and then open the Exchange Management console to confirm that your install completed successfully.
You will now have added your new Exchange server to the existing SBS Exchange network. On the SBS server open the Exchange System Manager.
Expand the Administrative Groups tab to see the available administrative groups. Your new server should have added itself as Exchange Administrative Group (FYDIBOHF23SPDLT). Do not move it out of this Administrative Group or the associated routing group, Exchange Routing Group (DWBGZMFD01QNBJR) – these are required to allow Exchange 2007 to interoperate with Exchange 2003. (As a side note, there’s definitely a sense of humour in the Exchange team at Microsoft, as the default administrative group and routing group names are both Caesar Ciphers of EXCHANGE12ROCKS).
If you’re planning to run the two servers together, you can now move the Schema Master FSMO role back to the SBS server; if you’re not, you now have seven days to finish your complete server migration before the reboots start. To move the role back use the Active Directory Schema MMC snap-in and change both Domain Controller and Operations Master to point to your SBS server.
You’ll also need to make sure that both servers have the same mailbox size limits – otherwise large mailboxes will fail to move successfully. If you’re unable to make moves at night, you can do them during working hours – but users will be unable to connect to the Exchange server while their mailboxes are being transferred (remember to warn them in advance). Any mail that’s been delivered to the server during a mailbox transfer will be queued and delivered once the mailbox is on the new server.
The actual process of moving mailboxes from the SBS Exchange 2003 server to Exchange 2007 is relatively simple. Log on to your Exchange 2007 server, and open the Exchange Management Console. Expand Recipient Configuration, and select the Mailbox view. This lets you see the organization’s mailboxes, along with where they’re currently stored. A pane on the right gives you various Actions you can perform on the mailboxes. These include the Move Mailbox wizard.
This wizard is the simplest way of moving mailboxes between servers – and, along with the underlying move – Mailbox PowerShell commandlet, is the only supported way of moving mail to an Exchange 2007 server. If you’re moving a large set of mailboxes it’s worth writing a PowerShell script to handle the move for you.
Use the Move Mailbox wizard to move either an individual mailbox or groups of mailboxes (shift-click to select several at once). As the wizard is multi-threaded it can handle up to four mailbox moves at once. First select the target database, and then choose the move options. You can choose to abort the move if corrupted messages exist, as well as choosing the appropriate Active Directory servers. You can also schedule the moves for out of hours – so you don’t have to be on site for a move to take place – as well as making sure that any moves that haven’t taken place inside a set time limit are cancelled. The wizard will check mailbox quotas before making a move to make sure that the system limits allow the mailbox to transfer to a new server.
Once a move’s started you’ll see a progress bar showing the status of the move, with descriptive text for the current step in the move process. When a move completes there’s a summary screen with the results. There’s also an XML format report you can use for further analysis.
We found that a large 4GB mailbox took about 3 hours to move, over a gigabit network. In practice, most mailboxes are a lot smaller, so expect to be able to move many more SBS mailboxes in a single overnight session. Once the mailboxes have been moved, your Outlook users will automatically be switched to the new Exchange server. There’s no need to change anything on the desktop – the Exchange organization will handle the changes for you. There’s one exception; if you have used a self-certified certificate for the SBS Exchange server, you may need to delete it from all client devices (including Windows Mobile) so they can connect – especially if you’re using the same external DNS name.
While Outlook handles the changes gracefully, things aren’t so easy for users working with ActiveSync connections to mobile devices or for secure IMAP and POP3 connections. Mobile users will need to perform a manual sync on their phone (they’ll get a message in ActiveSync reminding them to do this) and accept the server policies before mail will start arriving. POP3 and IMAP connections will only continue to work if you make sure that your new mail server has the same external CNAME as the old SBS install. If you’re not using the same DNS name, you’ll need to recreate connections for external mail clients.
Microsoft has made a significant change to the way Exchange 2007 handles secure certificate-managed connections. In the past it was easy enough to use a single certificate for a single DNS name, and to self-certify a server. Now Exchange 2007 requires a SAN certificate to manage multiple names for the same server. Subject Alternative Name certificates let you store several names for the same server in a single certificate – so the same certificate can secure connections between mail servers inside a network, as well as securing client access to Outlook Web Access and Exchange ActiveSync and for remote Outlook users using RPC over HTTPS connections (now called Outlook Anywhere). While it’s still technically possible to self-certify an Exchange 2007 install, it’s a lot easier to purchase a certificate from a third-party. Shop around, though, as prices can vary considerably.
Once you’ve bought and installed a certificate, you’ll need to activate it on your Exchange server. Open the Exchange 2007 Management Shell and type the following command to add a certificate to IIS (for OWA, ActiveSync and Outlook Anywhere), POP3 and IMAP:
enable-ExchangeCertificate –Services IIS, POP, IMAP
Once you set up the appropriate mappings in your site DNS, you should be able to access your new Exchange server securely from anywhere on the public Internet. Outlook Anywhere also includes tools for auto-configuring Outlook 2007 clients. You’ll need to make sure that the appropriate auto configuration DNS name has been set (both inside and outside your firewall), so that Outlook can automatically load the mail server settings.
The next step is to move your existing anti-spam settings from the SBS Exchange server to your new Exchange 2007 system (see sidebar for details). Once the server is secured, you can start migrating SMTP send and receive away from the SBS Exchange server.
Migrating mail send and receive First add a new SMTP send connector to the Hub Transport. In the Action pane for the Hub Transport in the Exchange Management Console click on New Send Connector. This opens a Wizard that will help create a new SMTP connection. Give your connector a name, and choose an intended use.
You’ll also need to define an address space that will be used for mail routing – use * to allow the SMTP client to bind to all the available IPv4 addresses used by your Exchange server. Mail can be sent directly to SMTP servers, or via an ISP-based smart host. If you’re working with a server in a DSL-connected office, use a smart host to reduce the risk of mail being classified as spam.
Test that mail can be sent to the new SMTP connection using another mail server in the local domain – one option is to use an SMTP mail server on your laptop, and applications like the free PostCast Server (www.postcastserver.com) work well. Alternatively simply telnet to your server, making sure to connect to the SMTP server on TCP port 25. When connected, type EHLO to check for a working SMTP server.
You can now reroute SMTP connections from your old SBS server to the new Exchange 2007 machine. This will involve changing internal DNS settings, as well as any external IP address mappings. If you’re working with a NAT firewall, change the port mappings for SMTP to point to the new server. Once you’ve opened up your new server to the public Internet, use a service like Gmail to test if mail is being sent and delivered correctly.
Finally you need to move the Offline Address Book and any public folders you might be using. Switch back to the SBS server, and open Exchange System Manager. Expand the Servers section and choose the SBS Exchange server. In the public folders for each storage group, right click and choose Move All Replicas. This will take some time (depending on the inter-server replication schedule), and you may find that some folders will not copy to the new server. We found that the ExchangeV1 folder wouldn’t move between our test servers but it’s unnecessary in an Exchange 2007 environment and is safe to delete. You can now delete the public folder store from the SBS server’s storage group.
With the system public folder replicas moved, send the standard public folders to the new server. Create a new Public Folders container on the new server from the SBS server, and then drag the public folder tree from the Folders section of the SBS administrative group to the new server.
Once the public folders have been moved, move over the OAB. Switch back to the Exchange 2007 server, and in the Exchange Management Console go to the Organization Configuration section. Open Mailbox, and switch to the Offline Address Book tab. In the Actions pane choose Move, and select the new server as the host for the OAB. The wizard will then walk you through moving the OAB between servers.
You’re now finally ready to remove the routing connector between the two servers. On the SBS server, open the routing groups’ connectors folders for the two servers and delete the connectors that link the two servers. Once the connection has been severed, the two servers will no longer be routing mail between each other. Use Gmail or another Web mail service to make sure that the Exchange 2007 server is receiving and sending mail.
Now that all mail functions have been switched to Windows Server 2008 and Exchange 2008 you can decommission the SBS Exchange server. On the SBS server, use Exchange’s System Manager to first remove the mailbox manager from Recipient Policy. Open up Recipients, and select Recipient Policies. Right click the policy, and delete any content from the mailbox manager settings. Switch to Recipient Update Services and delete the services that managed mail for your Active Directory domains. You won’t be able to delete the Enterprise Configuration service from System Manager; instead use ADSI Edit to edit the Active Directory configuration directly.
You can now uninstall Exchange from the SBS 2003 server, using the Change/Remove tools in the Add/Remove Programs control panel. If the SBS Exchange install includes the Intelligent Message Filter anti-spam tools you’ll need to make sure these are uninstalled first.
Expect to take more than one day to complete this procedure, especially if you need to move a large number of mailboxes. A weekend will usually be sufficient, though be prepared to overrun – especially if there are any corrupted mailboxes on the original mail server.