David Dan

Microsoft Products and Technologies

June 2009 - Posts

All cmdlets in Exchange 2007

Read the attached file "Common Cmdlet Actions".

How to grant the Vault service account Send-As/Receive-As permissions in an Exchange 2007 environment

Procedure:

Procedure 1. Using the Exchange Management Shell

Choose one of the following commands, depending on company security policy, and run it from the Exchange Management Shell.


Setting Send-As / Receive-As permissions at the organization level

Get-OrganizationConfig | Add-ADPermission -User vsa@domain.com -ExtendedRights Send-As,Receive-As

Setting Send-As / Receive-As permissions on all mailbox databases on a specified Mailbox server

Get-MailboxDatabase | Where-Object {$_.DistinguishedName -ilike "*CN=server_name*"} | Add-ADPermission -User vsa@domain.com -ExtendedRights Send-As,Receive-As

Setting Send-As / Receive-As permissions at the server level

Get-MailboxServer -Identity 'server_name' | Add-ADPermission -User vsa@domain.com -ExtendedRights Send-As,Receive-As

Setting Send-As / Receive-As permissions on a particular mailbox database on a specified Mailbox server

Get-MailboxDatabase | Where-Object {$_.DistinguishedName -ilike "*CN=mailbox_database_name*CN=server_name*"} | Add-ADPermission -User vsa@domain.com -ExtendedRights Send-As,Receive-As
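As an added example, not part of the original post: one function that applies whichever of the four scopes above policy allows, plus a report of where the Vault account actually holds Send-As/Receive-As, so the grant can be confirmed and reviewed later. It assumes the Exchange 2007 Management Shell snap-in is loaded; vsa@domain.com, HUB01 and 'Mailbox Database' are placeholder names.

```powershell
# Added example: grant Send-As/Receive-As at one of the scopes from the post, then report
# every object where the account holds those rights. Placeholder names: vsa@domain.com,
# HUB01, 'Mailbox Database'. Assumes the Exchange 2007 Management Shell snap-in is loaded.

function Grant-VaultPermission {
    param(
        [string] $User,
        [string] $Scope = 'Database',   # Organization | Server | Database
        [string] $Server,
        [string] $Database
    )

    switch ($Scope) {
        'Organization' {
            # Broadest grant: covers every mailbox in the org. Use a narrower scope when policy allows.
            $targets = Get-OrganizationConfig
        }
        'Server' {
            if (-not $Server) { throw 'Server scope needs -Server' }
            $targets = Get-MailboxServer -Identity $Server
        }
        'Database' {
            if (-not ($Server -and $Database)) { throw 'Database scope needs -Server and -Database' }
            # Match on the DN so both the database and its owning server are checked; this avoids
            # hitting a same-named database on another server.
            $targets = Get-MailboxDatabase |
                Where-Object { $_.DistinguishedName -ilike "*CN=$Database*CN=$Server*" }
        }
        default { throw "Unknown scope '$Scope'" }
    }

    if (-not $targets) { throw "No object found for scope '$Scope' (server '$Server', database '$Database')" }
    $targets | Add-ADPermission -User $User -ExtendedRights 'Send-As', 'Receive-As'
}

function Get-VaultPermissionReport {
    param([string] $User)

    # Every scope the post grants at, so the report shows where the rights actually sit.
    $scopes = @{
        Organization = @(Get-OrganizationConfig)
        Server       = @(Get-MailboxServer)
        Database     = @(Get-MailboxDatabase)
    }
    foreach ($scope in $scopes.Keys) {
        foreach ($obj in $scopes[$scope]) {
            $obj | Get-ADPermission -User $User |
                Where-Object { -not $_.Deny -and ("$($_.ExtendedRights)" -match 'Send-As|Receive-As') } |
                ForEach-Object {
                    New-Object PSObject -Property @{
                        Scope       = $scope
                        Object      = "$($obj.Identity)"
                        Rights      = ($_.ExtendedRights | ForEach-Object { "$_" }) -join ','
                        IsInherited = $_.IsInherited
                    }
                }
        }
    }
}

# Usage with placeholder names:
Grant-VaultPermission -User 'vsa@domain.com' -Scope Database -Server 'HUB01' -Database 'Mailbox Database'
Get-VaultPermissionReport -User 'vsa@domain.com' | Format-Table Scope, Object, Rights, IsInherited -AutoSize
```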



Procedure 2. Using ADSIEdit

1. Install the Windows Support Tools for Windows Server 2003 (Available from the Windows Server 2003 Install CD)
2. Add ADSIEdit to a custom MMC
3. Right click the root node and choose 'Connect To'
4. Choose 'Configuration' from the drop-down list under 'Select a well known Naming Context'
5. Click OK
6. Expand the 'Configuration' node
7. Expand 'CN=Configuration,...'
8. Expand 'CN=Services'
9. Expand 'CN=Microsoft Exchange'
10. Expand 'CN=Your_Organization_name'
11. If you want to set the permissions at the organization level then right click this container and choose 'Properties'.  The permissions can be set on the security tab
12. If you want to set the permissions at the server level then expand 'CN=Administrative Groups'
13. Expand 'CN=Exchange Administrative Group (FYDIBOHF23SPDLT)'
14. Expand 'CN=Servers'
15. Right click the server container you require to set permissions and choose 'Properties'.  The permissions can be set on the security tab

Changing the Queue Database path in Exchange Server 2007

The default path of the queue database and its transaction logs is "C:\Program Files\Microsoft\Exchange Server\TransportRoles\data\Queue". To change these settings, open the EdgeTransport.exe.config file, which contains two parameters:

  • QueueDatabasePath: database path (mail.que and trn.chk files)
  • QueueDatabaseLoggingPath: transaction log path (*.log and *.jrs files)

Now, let's change both parameters to point to the c:\Database folder, as shown in the figure below.

After changing the config file, there are two ways to complete the queue database move:

Moving the current database

  1. Click Start / Run, type services.msc and click OK.
  2. Stop the service called Microsoft Exchange Transport.
  3. Move the database files (mail.que and trn.chk) from the original location to the new place.
  4. Move the transaction log files (*.log and *.jrs) from the original location to the new place.
  5. Start the Microsoft Exchange Transport service.

Creating a new queue database

  1. Click Start / Run, type services.msc and click OK.
  2. Restart the Microsoft Exchange Transport service.

In both cases the result is the same: the queue database now lives in the directory specified in the .config file.
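The whole procedure above scripted, as an added example that is not from the original post: it edits EdgeTransport.exe.config, stops the transport service, moves (or, with -CreateNew, does not move) the queue files, starts the service and verifies where the database ended up. It assumes the default install path, PowerShell 2.0 or later and an elevated shell on the transport server; C:\Database is the target folder from the post.

```powershell
# Added example: move the transport queue database by editing EdgeTransport.exe.config,
# stopping the service, relocating the files and starting the service again.
# Assumes the default install path and PowerShell 2.0 or later; C:\Database is the
# target folder from the post. Run in an elevated shell on the Hub/Edge server.

$ExchangeBin      = 'C:\Program Files\Microsoft\Exchange Server\Bin'
$ConfigFile       = Join-Path $ExchangeBin 'EdgeTransport.exe.config'
$DefaultQueue     = 'C:\Program Files\Microsoft\Exchange Server\TransportRoles\data\Queue'
$QueueFilePattern = 'mail.que', 'trn.chk', '*.log', '*.jrs'

function Set-QueueDatabasePath {
    param([string] $Path)

    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($ConfigFile)
    $appSettings = $xml.SelectSingleNode('/configuration/appSettings')
    if (-not $appSettings) { throw "No appSettings section in $ConfigFile" }

    # Returns the previous locations so the caller knows where the files to move are.
    $previous = @{}
    foreach ($key in 'QueueDatabasePath', 'QueueDatabaseLoggingPath') {
        $node = $appSettings.SelectSingleNode("add[@key='$key']")
        if (-not $node) {
            # Key absent means the default location is in use.
            $previous[$key] = $DefaultQueue
            $node = $xml.CreateElement('add')
            $node.SetAttribute('key', $key)
            [void]$appSettings.AppendChild($node)
        } else {
            $previous[$key] = $node.GetAttribute('value')
        }
        $node.SetAttribute('value', $Path)
    }

    Copy-Item $ConfigFile "$ConfigFile.bak" -Force   # keep the original for rollback
    $xml.Save($ConfigFile)
    return $previous
}

function Move-QueueDatabase {
    param([string] $Path = 'C:\Database', [switch] $CreateNew)

    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $previous = Set-QueueDatabasePath -Path $Path

    $svc = Get-Service MSExchangeTransport
    Stop-Service -Name MSExchangeTransport
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(5))

    if (-not $CreateNew) {
        # "Moving the current database": carry mail.que, trn.chk and the *.log/*.jrs files across.
        $sources = @($previous.Values) | Sort-Object -Unique | Where-Object { Test-Path $_ }
        foreach ($src in $sources) {
            Get-ChildItem (Join-Path $src '*') -Include $QueueFilePattern |
                Move-Item -Destination $Path -Force
        }
    }
    # With -CreateNew nothing is moved: the service builds an empty queue database in $Path,
    # so anything still queued in the old location stays there (keep it until you are sure).

    Start-Service -Name MSExchangeTransport
    $svc.WaitForStatus('Running', [TimeSpan]::FromMinutes(5))
}

function Test-QueueDatabaseLocation {
    param([string] $Path = 'C:\Database')
    # True when the transport service is up and the database lives where the config points.
    $running = (Get-Service MSExchangeTransport).Status -eq 'Running'
    $running -and (Test-Path (Join-Path $Path 'mail.que'))
}

# Usage: Move-QueueDatabase -Path 'C:\Database'             # move the existing queue
#        Move-QueueDatabase -Path 'C:\Database' -CreateNew  # start with an empty queue
#        Test-QueueDatabaseLocation -Path 'C:\Database'
```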

How to Create Routing Group Connectors from Exchange 2007 to Exchange Server 2003

New-RoutingGroupConnector -Name "Interop RGC" -SourceTransportServers "Ex2007Hub1.contoso.com" -TargetTransportServers "Ex2003BH1.contoso.com" -Cost 100 -Bidirectional $true -PublicFolderReferralsEnabled $true

Delete Failed DCs from Active Directory

You will need the following tools: Ntdsutil.exe, Active Directory Sites and Services, and Active Directory Users and Computers.

Also, make sure that you use an account that is a member of the Enterprise Admins universal group.

Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.

To clean up metadata

  1. At the command line, type ntdsutil and press ENTER.
C:\WINDOWS>ntdsutil
ntdsutil:
  2. At the ntdsutil: prompt, type metadata cleanup and press Enter.
ntdsutil: metadata cleanup
metadata cleanup:
  3. At the metadata cleanup: prompt, type connections and press Enter.
metadata cleanup: connections
server connections:
  4. At the server connections: prompt, type connect to server <servername>, where <servername> is any functional domain controller in the same domain as the failed domain controller; this is the server from which you clean up the metadata of the failed domain controller. Press Enter.
server connections: connect to server server1
Binding to server1 ...
Connected to server1 using credentials of locally logged on user.
server connections:

Note: Windows Server 2003 Service Pack 1 eliminates the need for the above step.

  5. Type quit and press Enter to return to the metadata cleanup: prompt.
server connections: q
metadata cleanup:
  6. Type select operation target and press Enter.
metadata cleanup: Select operation target
select operation target:
  7. Type list domains and press Enter. This lists all domains in the forest, each with a number.
select operation target: list domains
Found 1 domain(s)
0 - DC=dan,DC=com
select operation target:
  8. Type select domain <number>, where <number> is the number of the domain in which the failed server was located. Press Enter.
select operation target: Select domain 0
No current site
Domain - DC=dan,DC=com
No current server
No current Naming Context
select operation target:
  9. Type list sites and press Enter.
select operation target: List sites
Found 1 site(s)
0 - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dan,DC=com
select operation target:
  10. Type select site <number>, where <number> is the number of the site of which the failed domain controller was a member. Press Enter.
select operation target: Select site 0
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dan,DC=com
Domain - DC=dan,DC=com
No current server
No current Naming Context
select operation target:
  11. Type list servers in site and press Enter. This lists all servers in that site, each with a number.
select operation target: List servers in site
Found 2 server(s)
0 - CN=SERVER1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dan,DC=com
1 - CN=SERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dan,DC=com
select operation target:
  12. Type select server <number> and press Enter, where <number> refers to the domain controller to be removed. In this example SERVER2 (number 1) is the failed domain controller. Check the Server and DNS host name lines in the output before continuing, because the following steps remove whatever is selected here.
select operation target: Select server 1
Site - CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dan,DC=com
Domain - DC=dan,DC=com
Server - CN=SERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dan,DC=com
 DSA object - CN=NTDS Settings,CN=SERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dan,DC=com
 DNS host name - server2.dan.com
 Computer object - CN=SERVER2,OU=Domain Controllers,DC=dan,DC=com
No current Naming Context
select operation target:
  13. Type quit and press Enter. The metadata cleanup menu is displayed.
select operation target: q
metadata cleanup:
  14. Type remove selected server and press Enter.

You will receive a warning message. Read it, and if you agree, click Yes.

metadata cleanup: Remove selected server
"CN=SERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dan,DC=com" removed from server "server1"
metadata cleanup:

At this point, Active Directory confirms that the domain controller was removed successfully. If you receive an error that the object could not be found, the object might already have been removed from Active Directory.

  15. Type quit and press Enter until you return to the command prompt.

To remove the failed server object from the sites

  1. In Active Directory Sites and Services, expand the appropriate site.
  2. Delete the server object associated with the failed domain controller.

To remove the failed server object from the domain controllers container

  1. In Active Directory Users and Computers, expand the Domain Controllers container.
  2. Delete the computer object associated with the failed domain controller.
  3. Windows Server 2003 AD might display a new type of dialog, asking whether you want to delete the server object without performing a DCPROMO operation (which, of course, you cannot perform, otherwise you wouldn't be reading this article, would you...). Select "This DC is permanently offline..." and click the Delete button.
  4. AD will display another confirmation window. If you're sure that you want to delete the failed object, click Yes.

To remove the failed server object from DNS

  1. In the DNS snap-in, expand the zone that is related to the domain from which the server has been removed.
  2. Remove the CNAME record for the server in the _msdcs subdomain of the forest root zone. Also delete its host (A) record and any other DNS records for the server.
  3. If you have reverse lookup zones, also remove the server from those zones.
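A check to run after all of the cleanup steps above, as an added example that is not part of the original post: it looks for whatever the failed DC may have left behind (server object and NTDS Settings under Sites, computer object, DNS host record). It uses System.DirectoryServices only, so it runs on Windows Server 2003/2008 with PowerShell 2.0; SERVER2 is the placeholder name from the walk-through.

```powershell
# Added example: after the ntdsutil cleanup, check that nothing of the failed DC is left behind
# (server object and NTDS Settings under Sites, computer object, DNS host record). Uses
# System.DirectoryServices, so it works on Windows Server 2003/2008 with PowerShell 2.0.
# 'SERVER2' is the placeholder DC name from the walk-through above.

function Find-AdObjects([string] $Root, [string] $Filter) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$Root", $Filter)
    $searcher.FindAll()
}

function Get-LeftoverDcObjects {
    param([string] $DcName)

    $rootDse   = [ADSI]'LDAP://RootDSE'
    $configNc  = [string]$rootDse.configurationNamingContext
    $defaultNc = [string]$rootDse.defaultNamingContext
    $domainDns = ($defaultNc.Split(',') | ForEach-Object { $_ -replace '^DC=', '' }) -join '.'

    # 1. Server object under CN=Sites. ntdsutil removes only its NTDS Settings child; the server
    #    object itself is what the "Active Directory Sites and Services" step deletes.
    foreach ($r in Find-AdObjects "CN=Sites,$configNc" "(&(objectClass=server)(cn=$DcName))") {
        New-Object PSObject -Property @{ Kind = 'Server object (AD Sites and Services)'; Path = $r.Path }
        foreach ($child in $r.GetDirectoryEntry().Children) {
            if ($child.SchemaClassName -eq 'nTDSDSA') {
                # Still present means the metadata cleanup did not complete.
                New-Object PSObject -Property @{ Kind = 'NTDS Settings (metadata cleanup)'; Path = $child.Path }
            }
        }
    }

    # 2. Computer account, normally in OU=Domain Controllers.
    foreach ($r in Find-AdObjects $defaultNc "(&(objectCategory=computer)(cn=$DcName))") {
        New-Object PSObject -Property @{ Kind = 'Computer object (AD Users and Computers)'; Path = $r.Path }
    }

    # 3. Host (A) record: if the name still resolves, the DNS step is outstanding (or cached).
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses("$DcName.$domainDns")
        if ($addrs.Count -gt 0) {
            New-Object PSObject -Property @{ Kind = 'DNS host record'; Path = "$DcName.$domainDns -> $($addrs -join ',')" }
        }
    } catch { }   # name does not resolve: nothing left in DNS
}

function Test-DcCleanupComplete([string] $DcName) {
    @(Get-LeftoverDcObjects -DcName $DcName).Count -eq 0
}

# Usage:
Get-LeftoverDcObjects -DcName 'SERVER2' | Format-Table Kind, Path -AutoSize
if (Test-DcCleanupComplete 'SERVER2') { 'No trace of SERVER2 remains' }
```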
Posted: Jun 25 2009, 10:41 PM by dand | with no comments
Forcing the Removal of a Domain Controller 2008
To force the removal of a domain controller by using the Windows interface
  1. At a command prompt, type the following command, and then press ENTER:

    dcpromo /forceremoval

    If the domain controller hosts any operations master (also known as flexible single master operations or FSMO) roles, or if it is a Domain Name System (DNS) server or a global catalog server, warnings appear that explain how the forced removal will affect the rest of the environment. After you read each warning, click Yes. If you want to suppress the warnings in advance of the removal operation, you must force the removal of Active Directory Domain Services (AD DS) by using an answer file. In the answer file, specify the parameter demotefsmo=yes.

  2. On the Welcome to the Active Directory Domain Services Installation Wizard page, click Next.

  3. On the Force the Removal of Active Directory Domain Services page, review the information about forcing the removal of AD DS and metadata cleanup requirements, and then click Next.

  4. On the Administrator Password page, type and confirm a secure password for the local Administrator account, and then click Next.

  5. On the Summary page, review your selections. Click Back to change any selections, if necessary.

    To save the settings that you selected to an answer file that you can use to automate subsequent AD DS operations, click Export settings. Type a name for your answer file, and then click Save.

    When you are sure that your selections are accurate, click Next to remove AD DS.

  6. You can either select the Reboot on completion check box to have the server restart automatically or you can restart the server to complete the removal of AD DS when you are prompted to do so.

  7. Open Server Manager. Click Start, point to Administrative Tools, and then click Server Manager.

  8. In Roles Summary, click Remove Roles.

  9. If necessary, review the information on the Before You Begin page, and then click Next.

  10. On the Remove Server Roles page, clear the Active Directory Domain Services check box, and then click Next.

  11. On the Confirm Removal Selections page, click Remove.

  12. On the Removal Results page, click Close, and then click Yes to restart the server.

http://technet.microsoft.com/en-us/library/cc731871(WS.10).aspx


Posted: Jun 25 2009, 10:38 PM by dand | with no comments
Managing Hyper-V via MMC

Windows Server 2008 Hyper-V can be managed via the Microsoft Management Console (MMC), like other roles in Windows Server 2008. Select "Hyper-V Manager" from the Administrative Tools folder on the Start menu to start the virtualization MMC console. With this console you can manage either the local system or connect to other Hyper-V hosts and manage them.


Posted: Jun 24 2009, 11:25 AM by dand | with no comments
Enabling Hyper-V in a Server Core deployment


  1. Type "start /w ocsetup Microsoft-Hyper-V" to enable the Hyper-V role.
  2. Restart when prompted.
    Note: To manage Hyper-V, you can connect to the server remotely from an existing Hyper-V Manager MMC on a different system.


Posted: Jun 24 2009, 11:24 AM by dand | with no comments
Change the ESX root password


So, you forgot the ESX root password? Or maybe you just need to change it after a staff change? To save yourself the hassle of reinstalling ESX on all of your hosts, follow this simple process:

  1. Use Virtual Center to VMotion all of the VMs to other ESX hosts (if you have a stand-alone host, power down all your VMs).
  2. Put the host in Maintenance Mode.
  3. Reboot your ESX host.
  4. Physically go to the ESX console. You will not be able to use a remote tool like WinSCP for the next few steps.
  5. At the first menu, type "a".
  6. At the next prompt, type "single".
  7. After ESX finishes booting you will end up at a # prompt.
  8. Type "passwd" and enter a new password.
  9. Re-type the new password when prompted.
  10. Reboot the ESX server normally (just type "reboot" at the # prompt).
  11. Don't forget to take the host out of Maintenance Mode in Virtual Center.
Posted: Jun 24 2009, 11:20 AM by dand | with no comments
VM Corrupt redolog

Found the process

Instructions on how to forcibly terminate a VM that is unresponsive to the VI client.

In this you will be terminating the Master World and User Worlds for the VM which in turn will terminate the VM's processes.

1. First list the running VMs to determine the VM ID for the affected VM:
# cat /proc/vmware/vm/*/names

vmid=1076 pid=-1 cfgFile="/vmfs/volumes/50823edc-d9110dd9-8994-9ee0ad055a68/vc using sql/vc using sql.vmx" uuid="50 28 4e 99 3d 2b 8d a0-a4 c0 87 c9 8a 60 d2 31" displayName="vc using sql-192.168.1.10"

vmid=1093 pid=-1 cfgFile="/vmfs/volumes/50823edc-d9110dd9-8994-9ee0ad055a68/esx_template/esx_template.vmx" uuid="50 11 7a fc bd ec 0f f4-cb 30 32 a5 c0 3a 01 09" displayName="esx_template"

For this example we will terminate the VM at vmid='1093'

2. Next, find the Master World ID:
# less -S /proc/vmware/vm/1093/cpu/status

Expand the terminal or scroll until you can see the right-most column, labelled 'group'. Underneath it you will find: vm.1092.

In this example '1092' is the ID of the Master World.

3. Run this command to terminate the Master World and the VM running in it:

/usr/lib/vmware/bin/vmkload_app -k 9 1092

4. This should kill all the VM's User Worlds and also the VM's processes.

If successful you will see output similar to this:

# /usr/lib/vmware/bin/vmkload_app --kill 9 1070
Warning: Jul 12 07:24:06.303: Sending signal '9' to world 1070.

If the Master World ID is wrong you may see:
# /usr/lib/vmware/bin/vmkload_app --kill 9 1071
Warning: Jul 12 07:21:05.407: Sending signal '9' to world 1071.
Warning: Jul 12 07:21:05.407: Failed to forward signal 9 to cartel 1071: 0xbad0061

Posted: Jun 24 2009, 10:57 AM by dand | with 1 comment(s)
"One or more users currently use a mailbox store on this server" when trying to uninstall Exchange

Issue

When running the Exchange setup and selecting the remove option the following message appears:

"The component Microsoft Exchange Messaging and Collaboration Services cannot be assigned the action Remove because:

-One or more users currently use a mailbox store on this server. These users must be moved to a mailbox store on a different server or be mail disabled before uninstalling this server."

or: you receive a "c1034a7f" error message when you delete a mailbox store.

Resolution

This issue occurs because the Setup program detects that a mail-enabled user is connected to this mailbox store. There may also be system mailboxes or other hidden mailboxes that are not visible in Exchange System Manager or in Active Directory Users and Computers.

* Check that the Exchange 2003 installation CD-ROM is in the drive, then try to uninstall Exchange 2003 again.


Determine whether one or more users have the affected server listed as their Exchange home server and then move the mailbox or remove the Exchange attributes of the user.

You do not have to consider the following mailboxes:
- SystemMailbox
- Microsoft DSA
- SMTP
- Microsoft System Attendant

A combination of all three methods below may be required to find all affected accounts using the search.

Method 1 (Active Directory Users and Computers):
- Right-click the domain container, and then click Find
- Select the Exchange tab
- Check the "Show only Exchange recipients" check box
- Check the "Users with Exchange mailbox" check box
- Click Find Now
- On the View menu, click Choose Columns
- Select "Exchange Home Server" in the Columns available list and click Add
- Click OK
- Click the Exchange Home Server column to sort the results

The server that appears in this column is the same value that appears in the msExchHomeServerName attribute.

Method 2 (Active Directory Users and Computers):
- Right-click the domain container, and then click Find
- Select the Advanced tab
- Select User from the Field button
- From the list of attributes displayed, choose Exchange Home Server
- Set the Condition field to Ends With
- Enter the Exchange server name into the Value field
- Click Add
- Click Find Now

Method 3 (ADSIEdit.msc from Support Tools):
- Expand server.domain.com
- Expand CN=Configuration,DC=domain,DC=com
- Expand CN=Services
- Expand CN=Microsoft Exchange
- Expand CN=OrganizationName
- Expand CN=Administrative Groups
- Expand CN=AdministrativeGroupName
- Expand CN=Servers
- Expand CN=ServerName
- Expand CN=Information Store
- Expand CN=StorageGroupName
- Right-click CN=Mailbox Store (ServerName) and select Properties
- In the Select a property to view list click homeMDBBL

A combination of all five methods below may be required to find all affected accounts using the LDAP tools.

Method 1: Use the LDP tool (Ldp.exe) to browse for mailboxes that are on a mailbox store

You can use the LDP tool to find all the accounts that have mailboxes on a particular mailbox store. This tool is included with the Microsoft Windows 2000 Support Tools package.

To use the LDP tool to find all the accounts that have mailboxes on a particular mailbox store, follow these steps:

  1. Start Ldp.exe.
  2. Click Connection, and then click Connect.
  3. Enter the name of a domain controller, and then click OK.

    We recommend that you enter a domain controller in the root domain of the forest.
  4. Click Connection, and then click Bind.
  5. Enter the user name, the password, and the domain name of an administrative account, and then click OK.
  6. On the View menu, click Search.
  7. Click to select the "DC=domainname,DC=local" by Base DN check box.
  8. Click the Filter box, and then type the following text:
    msExchHomeServerName=Exchange virtual server name
  9. Click Subtree, and then click Run.
  10. Identify the users who have mailboxes on this store. Then, use the Active Directory Users and Computers snap-in to move the mailboxes to a different store or to delete the mailboxes.

For more information about how to use the LDP tool, see the LDP documentation in the Microsoft Windows 2000 Resource Kit.

For more information about how to find data by using the LDP tool, click the following article number to view the article in the Microsoft Knowledge Base:

224543  (http://support.microsoft.com/kb/224543/ ) Using Ldp.exe to find data in the Active Directory

Method 2: Use the LDP tool to search for mailboxes that are on a mailbox store

  1. Start Ldp.exe.
  2. Click Connection, and then click Connect.
  3. Enter the name of a domain controller, and then click OK.
  4. Click Connection, and then click Bind.
  5. Enter the user name, the password, and the domain name of an administrative account, and then click OK.
  6. On the View menu, click Tree.
  7. Make sure that the Base DN box is blank, and then click OK.

    If the Base DN box is not blank, clear its contents, and then click OK.
  8. Right-click the container that you want to search, such as the CN=Users container, and then click OK.
  9. Click the Filter box, and then type the following:
    (&(objectCategory=person)(objectClass=user)(msExchHomeServerName=/o=ORGANIZATION NAME/ou=ADMINISTRATIVE GROUP NAME/cn=Configuration/cn=Servers/cn=SERVER-NAME-TO-REMOVE))
  10. Click Subtree, and then click Run.
  11. When you have identified which users have mailboxes on this store, you can use Active Directory Users and Computers either to move the mailboxes to a different store or to delete the user's mailbox.

Method 3: Use Active Directory Users and Computers to browse for mailboxes that are on a mailbox store

  1. Start Active Directory Users and Computers on a computer that has Exchange System Manager installed on it.
  2. In Active Directory Users and Computers, click View, click to select the Advanced Features check box, and then click OK.
  3. Click View, and then click Choose Columns.
  4. In the Modify Columns box, click Exchange Mailbox Store in the Hidden Columns list, click Add, and then click OK to add the Exchange Mailbox Store to the Displayed Columns list.

    An Exchange Mailbox Store column appears in Active Directory Users and Computers that shows the mailbox store that a user has a mailbox on.
  5. When you have identified which users have mailboxes on this store, you can use Active Directory Users and Computers either to move the mailboxes to a different store or to delete the user's mailbox.

Method 4: Use Active Directory Users and Computers to search for mailboxes that are on a mailbox store

  1. Start Active Directory Users and Computers.
  2. Right-click the domain that you want, and then click Find.
  3. Click the Advanced tab, click Field, point to User, and then click Exchange Home Server.
  4. In the Condition list, click Ends with, type the name of your Exchange computer, and then click Find Now.
  5. If you are prompted to add the current criteria to your search, click Yes.
  6. When you have identified which users have mailboxes on this store, you can use Active Directory Users and Computers either to move the mailboxes to a different store or to delete the user's mailbox.

The mailbox search results appear in the lower pane.

Method 5: Use the LDIFDE tool (Ldifde.exe) to create an export file that contains the mailboxes that are on a mailbox store

  1. At a command prompt, type an LDIFDE command that is similar to the following. Then press ENTER.
    ldifde -d "DC=ROOT,DC=COM" -f c:\output.txt -r "(&(objectCategory=person)(objectClass=user)(msExchHomeServerName=/o=ORGANIZATION NAME/ou=ADMINISTRATIVE GROUP NAME/cn=Configuration/cn=Servers/cn=SERVER-NAME-TO-REMOVE))"
  2. Quit the command prompt.
  3. Start Notepad or some other text editor, and then load the Output.txt file that you created in step 1 to view the mailboxes that are on the mailbox store.
  4. When you have identified which users have mailboxes on this store, you can use Active Directory Users and Computers either to move the mailboxes to a different store or to delete the user's mailbox.

For additional information about the LDIFDE tool, type the following command at a command prompt on a computer that is running a product that is listed in the "Applies To" section:

ldifde /?
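The Ldp and LDIFDE searches above (Methods 1, 2 and 5) done from PowerShell, as an added example that is not from the original article: it lists every user whose msExchHomeServerName still points at the server being removed and marks the system mailboxes the article says can be ignored. It uses System.DirectoryServices (PowerShell 2.0 or later); SERVER-NAME-TO-REMOVE is the article's placeholder.

```powershell
# Added example: list every user whose msExchHomeServerName still points at the server being
# removed, using the same LDAP filter idea as the Ldp/LDIFDE methods, and mark the system
# mailboxes the article says can be ignored. Uses System.DirectoryServices (PowerShell 2.0+).
# 'SERVER-NAME-TO-REMOVE' is the placeholder from the article.

$IgnoredMailboxes = 'SystemMailbox', 'Microsoft DSA', 'SMTP', 'Microsoft System Attendant'

function Get-Prop($props, [string] $name) {
    # Safe read of a single-valued attribute from a SearchResult (missing attribute -> '').
    if ($props.Contains($name) -and $props[$name].Count -gt 0) { [string]$props[$name][0] } else { '' }
}

function Find-MailboxesOnServer {
    param(
        [string] $ServerName,
        [string] $SearchBase    # e.g. 'DC=ROOT,DC=COM'; defaults to this domain
    )
    if (-not $SearchBase) { $SearchBase = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext }

    # "Ends with" match on the legacy-DN value, like the ADUC advanced query, so the
    # organization and administrative group names need not be typed in.
    $filter = "(&(objectCategory=person)(objectClass=user)(msExchHomeServerName=*/cn=Servers/cn=$ServerName))"

    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$SearchBase", $filter)
    $searcher.PageSize = 500                 # paged results: more than 1000 users is not a problem
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('cn', 'sAMAccountName', 'msExchHomeServerName', 'homeMDB'))

    foreach ($r in $searcher.FindAll()) {
        $cn = Get-Prop $r.Properties 'cn'
        $isSystem = $false
        foreach ($prefix in $IgnoredMailboxes) { if ($cn -like "$prefix*") { $isSystem = $true } }
        New-Object PSObject -Property @{
            Name       = $cn
            Account    = Get-Prop $r.Properties 'sAMAccountName'
            HomeServer = Get-Prop $r.Properties 'msExchHomeServerName'
            HomeMDB    = Get-Prop $r.Properties 'homeMDB'
            IsSystem   = $isSystem
        }
    }
}

# Usage: only the accounts that must be moved or mail-disabled before the uninstall.
Find-MailboxesOnServer -ServerName 'SERVER-NAME-TO-REMOVE' |
    Where-Object { -not $_.IsSystem } |
    Sort-Object Name |
    Format-Table Name, Account, HomeMDB -AutoSize
```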


Further Information:

How to Use the Remove Exchange Attributes Option
http://support.microsoft.com/kb/823170

Windows Server 2003 Service Pack 1 32-bit Support Tools
http://www.microsoft.com/downloads/details.aspx?familyid=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en

Error message when you try to remove Exchange 2000 Server from a mailbox server that no longer hosts mailboxes: "One or more users currently use a mailbox store on this server"
http://support.microsoft.com/kb/924170

How to roll back a failed migration from Exchange Server 5.5 to Exchange 2000 Server or to Exchange Server 2003
http://support.microsoft.com/kb/839356

Creating a new SSL certificate in Exchange 2007 CAS

First, as we're going to generate a request for a new SAN certificate, we must use the New-ExchangeCertificate cmdlet, because IIS Manager cannot create requests for SAN certificates. Launch the Exchange Management Shell and type the following command (replace the names with your own):

New-ExchangeCertificate -GenerateRequest -SubjectName "C=dk, O=EHLO organization, CN=mail.ehlo.dk" -DomainName mail.ehlo.dk, autodiscover.ehlo.dk, cas01.ehlo.dk, cas02.ehlo.dk -FriendlyName "CAS SAN Certificate" -KeySize 1024 -Path c:\CAS_SAN_cert.req -PrivateKeyExportable:$true

Alternatively, use DigiCert's Exchange 2007 CSR Tool.

Fill in the details, click Generate, then copy and paste the generated New-ExchangeCertificate command into the Exchange Management Shell. Your CSR will be written to c:\owa_yourdomain_com.csr:

New-ExchangeCertificate -GenerateRequest -Path c:\owa_yourdomain_com.csr -KeySize 2048 -SubjectName "c=IL, s=IL, l=TA, o=IT, ou=IT, cn=owa.yourdomain.com" -DomainName owa.yourdomain.com, exchange, exchange.yourdomain.com, autodiscover.yourdomain.com -PrivateKeyExportable $True

Where do you paste this command?

Run the command in the Exchange Management Shell on your server:

  1. Login to your Exchange 2007 server
  2. Click Start > Programs > Microsoft Exchange Server 2007 > Exchange Management Shell
  3. Paste the New-ExchangeCertificate command from this page into the Exchange Management Shell window and press Enter
  4. Your CSR file should now be in C:\ on your server (as named by the -Path option in the command itself).

What Subject Alternate Names Should I Include?

If you have questions, see our page on choosing your SAN names.

What kind of SSL certificate should you buy?

When you want SSL for Exchange 2007, your choices are Single certificates and SAN certificates—also known as Unified Communications certificates.

SAN Certificates give you control of the Subject Alternative Name field so you can protect multiple URLs with just one certificate. Microsoft recommends Unified Communications Certificates because they greatly simplify your SSL configuration.

After hitting Enter, the thumbprint for the new certificate request will be listed as shown in Figure 3.7.


Figure 3.7: Generating a request for a new SAN Certificate

Submitting the SAN Certificate to a Microsoft Certificate Authority

With the SAN SSL certificate request generated, we can submit it to our Microsoft CA, or almost. By default a Microsoft CA does not handle the SAN field in a request properly. To fix this, log on to the Domain Controller (our CA), open a command prompt window and type the following command:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

After hitting Enter, you should see the old and new value as in Figure 3.8.


Figure 3.8: Changing the EditFlags on the Microsoft CA
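An added example, not from the article: while EDITF_ATTRIBUTESUBJECTALTNAME2 (value 0x40000) is set, the CA honours a SAN supplied as a request attribute from any requester and for any template, so the flag should stay on only while this request is being issued. The script reads the flag from the CA's registry via certutil, toggles it, restarts CertSvc (Figure 3.9) and confirms the new state; it assumes it runs on the CA server with certutil in the PATH.

```powershell
# Added example: show whether EDITF_ATTRIBUTESUBJECTALTNAME2 is on, switch it on for the
# request and clear it again once the SAN certificate has been issued.
# Run on the CA (certutil must be in PATH). The flag value is 0x40000.

$EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x40000

function Get-CaEditFlags {
    # certutil prints "  EditFlags REG_DWORD = 15014e (1376590)" followed by the flag names.
    $out = (& certutil -getreg policy\EditFlags 2>&1) | Out-String
    if ($out -notmatch 'EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)') { throw "Could not read EditFlags:`n$out" }
    [Convert]::ToInt32($matches[1], 16)
}

function Test-SanAttributeFlag {
    # True while the CA honours "san:dns=..." request attributes.
    ((Get-CaEditFlags) -band $EDITF_ATTRIBUTESUBJECTALTNAME2) -ne 0
}

function Set-SanAttributeFlag {
    param([bool] $Enabled)
    # certutil: '+FLAG' adds a flag to the DWORD, '-FLAG' removes it.
    $op = if ($Enabled) { '+EDITF_ATTRIBUTESUBJECTALTNAME2' } else { '-EDITF_ATTRIBUTESUBJECTALTNAME2' }
    & certutil -setreg policy\EditFlags $op | Out-Null
    # The policy module reads EditFlags at start-up, so restart the service (Figure 3.9).
    Restart-Service CertSvc
    (Test-SanAttributeFlag) -eq $Enabled    # report whether the change took effect
}

# Usage: enable only for the duration of the request, then turn it back off.
"SAN attribute flag on: $(Test-SanAttributeFlag)"
# Set-SanAttributeFlag -Enabled $true    # before submitting the request
# Set-SanAttributeFlag -Enabled $false   # after the certificate has been issued
```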

Now restart the Certificate Services (CertSvc) service on the CA server (Domain Controller) for the change to take effect (Figure 3.9).


Figure 3.9: Restarting the Microsoft Certificate Service

We’re now ready to submit the certificate request to the Microsoft CA. One way to do this is to open a browser and type http://dc_name/certsrv. On the Welcome page, click Request a certificate (Figure 3.10).


Figure 3.10: Microsoft Certificates Welcome page

On the Request a Certificate page, click advanced certificate request (Figure 3.11).


Figure 3.11: Requesting a Certificate

On the Advanced Certificate Request page, click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file (Figure 3.12).


Figure 3.12: Selecting the second option on the Advanced Certificate Request page

Now paste the content of the certificate request file into the Base-64-encoded window as shown in Figure 3.13. Then select Web Server in the certificate template drop-down menu and click Submit.


Figure 3.13: Submitting the Certificate Request

* If the issued certificate does not contain the SAN names, resubmit the request with the names in the Attributes box on the request page, in the form san:dns=webmail.com&dns=autodiscover.com&dns=servername

The certificate has been issued and you can download it in DER or Base 64 encoded form by clicking Download certificate or Download certificate chain. Select Base 64 encoded and then click Download certificate chain (Figure 3.14).


Figure 3.14: Downloading the issued Certificate

It's time to import the issued certificate using the Import-ExchangeCertificate cmdlet. We do this by typing the following command:

Import-ExchangeCertificate -Path c:\certnew.p7b

The certificate has now been imported to the personal certificate store.


Figure 3.15

To verify the certificate looks like expected, let’s now type the following command:

Get-ExchangeCertificate -Thumbprint <thumbprint> | FL


Figure 3.16: SAN Certificate - Detailed Information

Finally we need to enable the certificate for the client services our end users use to connect to their mailboxes. In this setup I'll enable the certificate for OWA, EAS, Outlook Anywhere, POP3 and IMAP4. To do so we type:

Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services "IIS, POP, IMAP"


Figure 3.17: Enabling the SAN certificate

Creating an additional receive connector on the Hub Transport servers

In order not to affect intra-org communication (Hub Transport server to Hub Transport server communication), we must create a new receive connector that listens on port 25/SMTP using the virtual IP address we specified when we created the NLB cluster. To do so, launch the Exchange Management Console, click Server Configuration and then Hub Transport. Now select the first Hub Transport server in the result pane and open the property page for the Default <server> receive connector in the work pane, as shown in Figure 2.1 below.


Figure 2.1: Opening the property page for the default <server> receive connector

Click the Network tab and configure the IP address to the internal non-cluster IP address (Figure 2.2).


Figure 2.2: Specifying a non-clustered IP address for the default <server> receive connector

Now create a new receive connector (type Custom) and name it Inbound SMTP relay (WNLB), then click Next (Figure 2.3).


Figure 2.3: Naming the new Receive WNLB receive connector

On the Local Network Settings page (Figure 2.4), configure the receive connector, so it only listens on port 25 on the NLB cluster address, which in the example is 10.10.1.194. Although optional, it’s also a good idea to enter a FQDN for the connector. Click Next.


Figure 2.4: Configuring the receive connector to listen on the virtual NLB cluster IP address

Now enter the IP addresses that should be allowed to relay through the receive connector. Make sure not to specify a range here, but only the specific IP addresses configured on the servers running the applications that must submit messages to the Exchange 2007 organization via this receive connector (Figure 2.5). Then click Next.


Figure 2.5: IP addresses that should be allowed to submit messages to this receive connector

Finally click New and then Finish to create the new receive connector (Figure 2.6).


Figure 2.6: Completion page

Now open the property page for the new receive connector, and then click the Permission Groups tab. Under the Permission Groups tab, tick Anonymous users and nothing else as shown in Figure 2.7.


Figure 2.7: Allowing anonymous users to submit messages to the receive connector

Next we must grant the permissions required in order for the specified remote IP addresses to be able to relay through this receive connector. To do so, open the Exchange Management Shell and type the following command:

Get-ReceiveConnector "Inbound SMTP relay (WNLB)" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"
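The same procedure can be scripted in the Exchange Management Shell instead of clicking through the console. The following is an added example, not code from the original post: the server name, the non-cluster IP address, the relay host addresses and the FQDN are constructed placeholders; the NLB virtual IP 10.10.1.194 and the connector name are the ones used above. The last function is an audit that lists every receive connector in the organization where anonymous callers hold ms-Exch-SMTP-Accept-Any-Recipient, together with the source addresses it trusts, so that a connector with a broad RemoteIPRanges value (an open relay) stands out.

```powershell
# Added example (not from the original post). Run in the Exchange Management
# Shell on the Hub Transport server. Names and addresses below are placeholders.
$server     = "HUB01"                          # assumption: Hub Transport server name
$nonNlbIp   = "10.10.1.10"                     # assumption: server's own, non-cluster IP
$nlbVip     = "10.10.1.194"                    # NLB virtual IP from the post
$relayHosts = @("10.10.1.50", "10.10.1.51")    # assumption: application servers allowed to relay
$connName   = "Inbound SMTP relay (WNLB)"
$connFqdn   = "relay.domain.com"               # assumption: FQDN presented by the connector

# 1. Bind the default connector to the non-cluster IP only, so it no longer
#    listens on the VIP and the new connector owns port 25 there.
Set-ReceiveConnector -Identity "$server\Default $server" -Bindings "${nonNlbIp}:25"

# 2. Create the relay connector: listens only on the VIP, accepts connections
#    only from explicitly listed hosts (not ranges), anonymous permission group only.
New-ReceiveConnector -Name $connName -Usage Custom -Server $server `
    -Bindings "${nlbVip}:25" -RemoteIPRanges $relayHosts `
    -PermissionGroups AnonymousUsers -Fqdn $connFqdn

# 3. Grant the extended right that turns "accept mail for us" into "relay anywhere".
Get-ReceiveConnector "$server\$connName" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

# 4. Audit: which connectors let anonymous callers relay, and from where?
function Get-AnonymousRelayConnectors {
    Get-ReceiveConnector | ForEach-Object {
        $conn = $_
        # Allow ACEs for ANONYMOUS LOGON that carry the Accept-Any-Recipient right.
        $relayAces = $conn | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
            Where-Object {
                -not $_.Deny -and
                ($_.ExtendedRights | Where-Object { "$_" -like "*Accept-Any-Recipient*" })
            }
        if ($relayAces) {
            $row = New-Object PSObject
            $row | Add-Member NoteProperty Connector      $conn.Identity
            $row | Add-Member NoteProperty Bindings       (($conn.Bindings | ForEach-Object { "$_" }) -join ", ")
            $row | Add-Member NoteProperty RemoteIPRanges (($conn.RemoteIPRanges | ForEach-Object { "$_" }) -join ", ")
            $row
        }
    }
}

# Review this list after the change: only the new connector should appear, and its
# RemoteIPRanges column should contain exactly the application server addresses.
Get-AnonymousRelayConnectors | Format-Table -AutoSize
```

Step 4 is worth keeping as a recurring check: the combination of the AnonymousUsers permission group, the ms-Exch-SMTP-Accept-Any-Recipient right and a wide RemoteIPRanges value is exactly what makes an Exchange server an open relay, and it is easy to introduce later by widening the range "temporarily".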

How to Remove the Last Legacy Exchange Server from an Organization

All you need to remove the last Exchange server from an organization, and more.

Upgrade to Windows 2008 Domain Controllers (ADPREP)

Preparing to Run ADPREP /forestprep

ADPREP /forestprep makes modifications to the schema. In order to successfully run it you should:

  1. Have a good system state backup for every domain controller in your forest, or at the very least a good system state backup for one domain controller for each domain in the forest.
  2. Be logged on as a user that belongs to the Domain Admin, Schema Admin and Enterprise Admin groups in the forest root domain.
  3. Ensure that you are running Windows 2000 SP4 or later on all domain controllers in the forest.
  4. You must run ADPREP /forestprep on your schema master.
  5. If you are running Exchange 2000 in your environment refer to KB article 325379 How to upgrade Windows 2000 domain controllers to Windows Server 2003.
  6. Ensure replication is working throughout the entire forest, including that all domain controllers are up and running and that the schema master has been up long enough for a complete replication cycle to happen for the Schema partition.

So let’s go through all these preparatory steps in detail.

  1. First you should perform a system state backup on all of your domain controllers using either Windows Backup (NTBackup) or a third-party backup tool. This step is necessary if you find that your schema is incompatible and you need to roll back to a previous state.
  2. Next, check to see if your account has the appropriate group memberships. Open Active Directory Users and Computers, right-click the account you are using to do the upgrade and choose Properties. Select the Member Of tab. If you do not see Domain Admins, Enterprise Admins and Schema Admins, add the ones you are missing. Log off and back on, then run whoami /groups in a command prompt to verify the groups are in your security token.
  3. ADPREP /forestprep will check to see if you are running at least Windows 2000 SP4. If you have Windows 2000 domain controllers in your environment you should upgrade them all to SP4. You can download SP4 from here - Windows 2000 Service Pack 4 for IT professionals.
  4. Next, check to see if you are logged on to your schema master. There are two ways to accomplish this. One is to run regsvr32 schmmgmt.dll so you can load the Active Directory Schema snap-in. Open a new MMC and add Active Directory Schema. Right-click on the words Active Directory Schema and choose Operations Master.

    Another alternative is to run netdom query fsmo from a command prompt. Netdom is part of the Windows Server 2003 Support Tools.


  5. There are known issues with upgrading a Windows 2000 domain with Exchange 2000 running in the environment. There are different scenarios with different steps in KB article 325379 to address problems that have been encountered in the upgrade process. You will be performing one of the scenarios regardless. It is just a matter of which scenario you will have to perform.
  6. The final verification is to check and make sure replication is working. To do this install the Windows Server 2003 Support Tools if you do not have them already installed. Run repadmin /showreps from a command prompt.

    You are looking for Last attempt @ date\time was successful. Any errors should be addressed before attempting to run ADPREP /forestprep.

    NOTE:
    ADPREP /forestprep will only check to see if replication is working on your schema master. It will not check the replication status of all DCs in your environment. Repadmin /showreps will only check the DC that you focus it on. In order to check the entire environment you will want to run repadmin /replsum. This command will give you the status of your entire environment. You will want to fix any errors you have with replication prior to running ADPREP /forestprep.
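The group-membership, schema-master and replication checks described in the steps above can be run together before touching ADPREP. The following is an added example, not part of the original post: a PowerShell pre-flight script that wraps whoami /groups, netdom query fsmo and repadmin /replsum (so the Windows Server 2003 Support Tools must be on the path) and reports a single verdict. The regular expressions it uses to read those tools' text output are assumptions about the output format of the 2003-era builds and may need adjusting.

```powershell
# Added example (not from the original post). Run as the upgrade account on the
# domain controller you believe is the schema master. Requires netdom and repadmin
# from the Windows Server 2003 Support Tools. Output parsing is an assumption.

function Test-AdprepGroups {
    # ADPREP /forestprep needs all three groups in the caller's security token.
    # Membership changes only show up after logging off and on again, which is
    # why the token (whoami /groups) is checked rather than the AD object.
    $required = "Domain Admins", "Schema Admins", "Enterprise Admins"
    $token = whoami /groups 2>&1 | Out-String
    $missing = $required | Where-Object { $token -notmatch [regex]::Escape($_) }
    if ($missing) { Write-Warning ("Missing from token: " + ($missing -join ", ")) }
    return (-not $missing)
}

function Test-OnSchemaMaster {
    # netdom prints a line such as "Schema owner   dc1.contoso.com" (older builds)
    # or "Schema master  dc1.contoso.com"; compare its host part with this machine.
    $line = netdom query fsmo 2>&1 |
        Where-Object { $_ -match "^Schema (master|owner)\s+(\S+)" } |
        Select-Object -First 1
    if (-not $line) { Write-Warning "Could not determine the schema master"; return $false }
    $null = $line -match "^Schema (master|owner)\s+(\S+)"
    $holderFqdn = $matches[2]
    $holder = $holderFqdn.Split(".")[0]
    if ($holder -ne $env:COMPUTERNAME) {
        Write-Warning "Schema master is $holderFqdn; run ADPREP /forestprep there, not here."
        return $false
    }
    return $true
}

function Test-ReplicationHealthy {
    # repadmin /replsum prints one row per DSA with a "fails/total" column, e.g.
    # "DC1   14m:37s   0 /   5   0". Any non-zero failure count is a replication
    # error that must be fixed before ADPREP /forestprep (which only checks the
    # schema master itself).
    $rows = repadmin /replsum 2>&1
    $bad = $rows | Where-Object { $_ -match "\s(\d+)\s*/\s*(\d+)\s" -and [int]$matches[1] -gt 0 }
    if ($bad) { $bad | ForEach-Object { Write-Warning "Replication failures: $_" } }
    return (-not $bad)
}

$ready = (Test-AdprepGroups) -and (Test-OnSchemaMaster) -and (Test-ReplicationHealthy)
if ($ready) { "All ADPREP /forestprep prerequisites verified on $env:COMPUTERNAME" }
else        { "Resolve the warnings above before running ADPREP /forestprep" }
```

The script deliberately stops short of running ADPREP itself: the system state backup in step 1 has no programmatic check that is worth trusting, so confirm that by hand before proceeding.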

Running ADPREP /forestprep

  1. Now you are ready to prepare your forest. This procedure takes a while depending on the speed of your computer so do not interrupt it. Insert your Windows Server 2008 DVD into the DVD drive on the schema master.
  2. Open a command prompt.
  3. Change your drive letter to the DVD drive. If you do not have a DVD drive on your schema master you can copy the Sources\Adprep folder to your local drive and run it from the copy.
  4. Change into the Sources\Adprep directory.
  5. Run ADPREP /forestprep.
  6. You will get a warning that you need to be running Windows 2000 SP4 or later.
  7. Type C and press Enter.
  8. You will see a series of updates from LDF files.
  9. If all goes well, you will see ADPREP successfully updated the forest-wide information.

Preparing to Run ADPREP /domainprep

After a successful completion of ADPREP /forestprep, you will be ready to run ADPREP /domainprep. ADPREP /domainprep must be run against each domain that you wish to upgrade.

Prerequisites

In order to run ADPREP /domainprep you should:

  1. Have successfully completed ADPREP /forestprep.
  2. Be a domain admin for the domain you are running it on.
  3. Be at Windows 2000 Native Mode Domain Functional level.
  4. Have access to the Infrastructure Master.
  5. Wait for the schema changes to replicate throughout the environment, or at least the Infrastructure Master must have the schema updates replicated to it.

Note: Upgrading from Windows 2000 is not supported. For more information see Guide for Upgrading to Windows 2008.

Running ADPREP /Domainprep

  1. Insert the Windows Server 2008 DVD.
  2. Open a command prompt.
  3. Change your drive letter to the DVD drive.
  4. Change your directory to Sources\Adprep.
  5. Run ADPREP /domainprep.


For a better understanding of what will occur running the ADPREP /Domainprep command, I have referenced the KB article Enhancements to ADPREP.exe in Windows Server 2003 Service Pack 1(Q324392). The More Information section describes the functionality post-Windows 2003 SP1, including the Windows 2008 ADPREP.

Preparing to Run ADPREP /domainprep /gpprep

ADPREP /domainPrep /gpprep only adds the inheritable access control entries on Group Policy objects in the Sysvol share. If you run it prior to running adprep /domainprep it will run both functions, first the domain prep and then the GP prep.

Prerequisites

In order to run ADPREP /domainprep /gpprep you should:

  1. Have completed the prerequisites for ADPREP /domainprep.
  2. Have Sysvol\Sysvol\Policies\{Default Domain and Default Domain Controller GPO guids} in place.

    a. In Windows Explorer Navigate to your Sysvol\Sysvol\Domain\Policies folder

    b. Verify the following GUIDs are in place

    {31B2F340-016D-11D2-945F-00C04FB984F9}
    {6AC1786C-016F-11D2-945F-00C04FB984F9}

Note Upgrading from Windows 2000 is not supported. For more information see Guide for Upgrading to Windows 2008.

Running ADPREP /domainprep /gpprep

  1. Insert the Windows Server 2008 DVD.
  2. Open a command prompt.
  3. Change your drive letter to the DVD drive.
  4. Change your directory to Sources\Adprep.
  5. Run ADPREP /domainprep /gpprep.

Screenshot: ADPREP /domainprep /gpprep without running adprep /domainprep first.

Screenshot: ADPREP /domainprep /gpprep after running adprep /domainprep.

Preparing to Run ADPREP /rodcprep

RODCs (Read-Only Domain Controllers) are a cool new feature added in Windows Server 2008. The benefits of an RODC in certain domain configurations are well worth the effort of learning and implementing them. For more information on the benefits, see RODC Features on TechNet. If you intend to introduce them into your environment you will have to run ADPREP /rodcprep. This command prepares partitions in Active Directory so RODCs can be used by adding security to the ForestDNS, DomainDNS, and Domain partitions.

Prerequisites

In order to run ADPREP /rodcprep you should:

  1. Be a Domain Admin and Enterprise Admin.
  2. Be able to contact all Infrastructure Master role holders in the forest.

Note ADPREP /rodcprep will let you run without first running ADPREP /forestprep and ADPREP /domainprep, however it is not recommended.

Running ADPREP /rodcprep

  1. Insert the Windows Server 2008 DVD. 
  2. Open a command prompt.
  3. Change your drive letter to the DVD drive.
  4. Change your directory to Sources\Adprep.
  5. Run ADPREP /rodcprep.

That concludes this post on running ADPREP. Running through the steps in order should eliminate many of the problems you might otherwise encounter.

Posted: Jun 05 2009, 02:40 AM by dand | with 5 comment(s)