Exchange 2013 to 2019 Upgrade

KB ID 0001808

With Exchange 2013 going end of support (11 Apr 2023), you should be migrating away from it as soon as you can. As it’s only supported on up to Server 2012 R2, you should have migrated off it already! It’s been some time since Exchange had any ‘major’ redesigns: 2013 was version 15, 2016 was version 15.1, and 2019 is version 15.2.

So the Exchange 2013 > 2019 Migration is pretty much the same as it was from 2013 > 2016, or even 2016 > 2019. 

  •  There should be NO Exchange 2010 servers in existence before deploying Exchange 2019. You would need to upgrade to 2013 (CU21 minimum)/2016 (CU 11 minimum) first.
  • There’s no Unified Comms Role with Exchange any more! If you need to upgrade look at Microsoft Teams.
  • Forest Functional Levels should be, (at least) Server 2012 R2.
  • WARNING: Memory recommendations are 128GB (Mailbox server) and 64GB (Edge Transport server). Make sure you have enough compute!
  • Edge Server Role is still supported.
  • Windows Server Core (2019/2022) is supported with Exchange 2019.
  • Windows Server Nano is NOT supported.
  • Windows Server 2019 (Standard or Datacenter) and Windows Server 2022 (Standard or Datacenter, Note: Exchange 2019 CU 12 minimum) are supported host operating systems.
  • Outlook 2013 (and newer), and Outlook for Mac 2016 (and newer) are supported.

Exchange 2013 to 2019 Upgrade: Solution

As with all Exchange migrations make sure your Active Directory Domain/DNS/Existing Exchange organisation is healthy before you start. Then upgrade the existing Exchange to the latest cumulative update.

Exchange 2013 to 2019 Upgrade Prerequisites

You will need your Server 2019 or Server 2022 server fully updated and added to your domain. Then, to add the required roles and services, use the following PowerShell commands;

Exchange 2013 to 2019 Upgrade: Adding Exchange Server Roles

[box]Install-WindowsFeature NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS[/box]

Note: Now Required on Server 2019: You will need to install .Net 4.8 (link)

For Server 2022: You DON’T need to do this, (it’s already installed).

You need to install the Microsoft Unified Communications API 4.0 (link)

 

You will also need to install Microsoft Visual C++ (link)

You will also now have to install the ‘IIS Rewrite Module’ (link)

Either download the Exchange 2019 install media, or insert the Exchange 2019 DVD, and launch setup.exe > Next > Next > Files will be copied over.

Don’t I need to extend the schema, forest or domain? The setup does all this for you, you don’t need to do this manually anymore, (yes you can manually do this before installing, if you want to, but unless your schema master is in a different root domain, or you’re not a schema admin, then I don’t see the point!)

Introduction Page > Next > At the EULA tick “I Accept…” > Next > Tick “Use Recommended settings” > Next.

Select ‘Mailbox role’, and ‘Automatically install Windows Server roles and features…” > Next > Select the install directory, Note: In production you probably DON’T want this on the Windows System drive > Next > Unless you have a reason to disable Malware scanning then select ‘No’ > Next.

Readiness Checks > Fix any Errors and heed any warnings > Install > The product will install, this will take a long time!

Finish > Reboot the server.

And there’s our new Exchange 2019 Server.

Exchange 2019 Enter Product Key

Servers > Servers > Select the 2019 Exchange Server > Enter Product Key  > Save

At the warning click OK.

Note: You can also enter the product key using PowerShell (the Exchange Management Shell), if you prefer.

[box]

Set-ExchangeServer {Host-name} -ProductKey 12345-12345-12345-12345-12345

[/box]

 

As directed, restart the ‘Microsoft Exchange Information Store‘ service.

[box]

Restart-Service MSExchangeIS

[/box]

Transfer Exchange Certificate to Exchange 2019

Note: The ability to Export, Import & Renew certificates and creation/completion of certificate requests has been removed from the Exchange Admin Center. These changes will affect all cumulative update (CU) releases of Microsoft Exchange Server 2019 (CU12 and later) and Microsoft Exchange Server 2016 (CU23 and later).

I will leave the older (GUI) method below for completeness, but all modern Exchange builds will need you to open the Exchange Management Shell and perform the certificate migration via PowerShell.

Transfer Certificates (PowerShell)

On your C: drive create a new folder called CERT > Open an administrative Exchange Management Shell window on the SOURCE Exchange server.

[box]

Get-ExchangeCertificate -Server {Server-Name}

[/box]

Identify the certificate you require (by Subject) > Copy the Thumbprint text > Replace the thumbprint in the text below with your thumbprint, then execute the following two commands.

[box]

$Cert = Export-ExchangeCertificate -Thumbprint 4896265B267C38D39314121C7C6550C6E4DD23AB -BinaryEncoded -Password (ConvertTo-SecureString -String 'PASSWORD' -AsPlainText -Force)

[System.IO.File]::WriteAllBytes('\\New-Server-Name\C$\CERT\CertEx.pfx', $Cert.FileData)

[/box]

Remember you will also need to enable the certificate for the correct services, e.g.

[box]

Get-ExchangeCertificate -Server {New-Server-Name}

# Copy the thumbprint of the certificate, then enable it for the required services
Enable-ExchangeCertificate -Thumbprint {Thumb-Print} -Services IIS,SMTP

[/box]
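The export and enable commands above leave out the import on the new server. One way to do it, as an added example (not the article's own code): it assumes the PFX sits at C:\CERT\CertEx.pfx on the new server, reuses the article's {New-Server-Name} and {Thumb-Print} placeholders, and prompts for the PFX password rather than typing it on the command line.

```powershell
# Added example: import the exported PFX on the NEW server, check it, enable it,
# then remove the key file. Run in an elevated Exchange Management Shell.
# {New-Server-Name} and {Thumb-Print} are the article's placeholders.
$NewServer     = '{New-Server-Name}'
$PfxPath       = 'C:\CERT\CertEx.pfx'   # where the export step wrote the file
$ExpectedThumb = '{Thumb-Print}'        # thumbprint noted on the SOURCE server

# Prompt for the PFX password so it is not saved in history or transcripts.
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Builds without the EAC import option take the PFX as bytes via -FileData.
$Imported = Import-ExchangeCertificate -Server $NewServer `
    -FileData ([System.IO.File]::ReadAllBytes($PfxPath)) `
    -Password $PfxPassword

# Stop if this is not the certificate that was exported.
if ($Imported.Thumbprint -ne $ExpectedThumb) {
    throw "Imported thumbprint $($Imported.Thumbprint) does not match the source."
}

# A certificate without its private key cannot be bound to IIS or SMTP.
$Cert = Get-ExchangeCertificate -Server $NewServer -Thumbprint $Imported.Thumbprint
if (-not $Cert.HasPrivateKey) {
    throw 'Certificate imported without its private key; Exchange cannot use it.'
}
if ($Cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires $($Cert.NotAfter); plan the renewal."
}

Enable-ExchangeCertificate -Server $NewServer -Thumbprint $Cert.Thumbprint -Services IIS,SMTP

# The PFX holds the private key: delete it once the import is confirmed.
Remove-Item -Path $PfxPath -Force
```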

Transfer Certificates (Exchange Admin Centre {Older build versions only})

I’m using a wildcard certificate so I want to export the cert from my Exchange 2013 server and import it onto my new Exchange 2019 Server. You will want to do the same if you have a certificate with your public domain name on it and this will be your ‘internet facing’ Exchange server. Servers > Certificates > Select the Exchange 2013 Server, in the drop down menu > Select The Certificate > Click the ellipsis (three dots) > Export Exchange Certificate > Supply a UNC path and password > OK.

Change the Dropdown to the Exchange 2019 Server > Click the ellipsis > Import Exchange Certificate > Supply the UNC path and password you used (above) > Next.

Add in the Exchange 2019 Server > Finish.

Exchange 2013 to 2019 Upgrade: Exchange 2019 Assign Services to Certificate

Select the newly imported certificate > Edit > Services > Select the services > Save. Note: Here I’m selecting SMTP and IIS. (You can’t use a wildcard cert for IMAP, POP).

Exchange 2019 Changing the Exchange Web Services URLs

Exchange relies heavily on web-based services, and it needs the URLs setting accordingly. Remember, for Outlook Anywhere/OWA etc. you might need to change firewall settings, or repoint load balancers, WAP servers etc. to the NEW 2019 server (and let it proxy these connections to the older Exchange servers, while they still exist).

[box]

Get-WebServicesVirtualDirectory -Server EXCH-2019 | Set-WebServicesVirtualDirectory -InternalUrl https://mail.domainx.com/ews/exchange.asmx -ExternalURL https://mail.domainx.com/ews/exchange.asmx

Set-OWAVirtualDirectory -identity "EXCH-2019\owa (Default Web Site)" -InternalURL https://mail.domainx.com/owa -ExternalURL https://mail.domainx.com/owa

Get-OABVirtualDirectory -Server EXCH-2019 | Set-OABVirtualDirectory -InternalURL https://mail.domainx.com/OAB -ExternalURL https://mail.domainx.com/OAB

Get-ECPVirtualDirectory -Server EXCH-2019 | Set-ECPVirtualDirectory -InternalURL https://mail.domainx.com/ECP -ExternalURL https://mail.domainx.com/ECP

Get-MAPIVirtualDirectory -Server EXCH-2019 | Set-MAPIVirtualDirectory -InternalURL https://mail.domainx.com/MAPI -ExternalURL https://mail.domainx.com/MAPI -IISAuthenticationMethods NTLM,Negotiate

Get-ActiveSyncVirtualDirectory -Server EXCH-2019 | Set-ActiveSyncVirtualDirectory -InternalURL https://mail.domainx.com/Microsoft-Server-ActiveSync -ExternalURL https://mail.domainx.com/Microsoft-Server-ActiveSync

Set-OutlookAnywhere -identity "EXCH-2019\RPC (Default Web Site)" -ExternalHostname mail.domainx.com -InternalHostname mail.domainx.com -InternalClientsRequireSSL $true -ExternalClientsRequireSsl $true -ExternalClientAuthenticationMethod:NTLM

Set-ClientAccessService -Identity EXCH-2019 -AutoDiscoverServiceInternalUri https://mail.domainx.com/Autodiscover/Autodiscover.xml

[/box]

Exchange 2019 Rename Mailbox Database

Servers > Databases > Exchange always gives databases annoying names > Select the Database on the 2019 Exchange Server > Edit > Rename it  > Save.

Note: The path to the Database retains the original name (we will fix that in the next step).

 

Exchange 2013 to 2019 Upgrade: Move Mailbox Database

I’m pretty old school, I like my Exchange databases on their own drive/partition, and I like the logs on another drive/partition. To move both the Database and the Logs;

[box]

Move-DatabasePath -Identity Database-Name -EdbFilePath X:\Folder\Database\Database-Name.edb -LogFolderPath L:\Folder\Log-Folder\

[/box]

Add Exchange 2019 to the Send Connector

Mail Flow > Send Connectors > Select your mail SMTP connector(s) > Edit > Scoping > Source Server section > Add > Add in the new server > OK > Save.

Note: The Exchange server will now need to have TCP port 25 (SMTP) open outbound on your corporate firewall.

Hybrid (On-Prem) Exchange Migration Note

If your on-premise Exchange is part of an Office 365 Hybrid deployment you will need to add the new server to the ‘scope’ for that connector also!

Exchange 2013 to 2019 Upgrade: Decommission Exchange 2013

From this point forward we are going to start getting rid of our Exchange 2013 server. They can of course coexist (if you wanted to wait a while).

For that reason I change the ‘mail flow’ on the firewall to point to the new Exchange server at this point, and the HTTP access for OWA, Outlook Anywhere, and Phone/Tablet access.

Exchange 2013 to 2019 Upgrade Exchange 2013 Mailbox Migration

Yes you can do this in the Exchange Admin Center (GUI), but I prefer to do this in PowerShell. But if I don’t put this here, I’ll get emails! Recipients > Migration  > Add > Move to a different Database > Add in the mailboxes/users > Next.

Give the ‘Batch’ a name > Select to move Archive mailboxes (if you have them) > Select the destination (Exchange 2019) Database > Again if using archive mailboxes, select the target archive mailbox database > Set the bad Item limit to 99 > Next > Select Automatically Start > Select Automatically Finish > New. 

From this point, this is where I don’t like the EAC: it takes AGES to update with progress! From the Exchange Shell you can get an up-to-date view of what is going on!

[box]

Get-MoveRequest | Get-MoveRequestStatistics

[/box]

For a better list of commands for moving user mailboxes, monitoring the migration, (and removing the move requests when you are finished). See the following article;

Exchange: PowerShell Commands

With ALL mailbox migrations, DON’T FORGET that on successful completion, you need to remove the move requests. (If something fails, or displays an error, don’t forget to search for that error (above) before going to Google!)

Exchange 2013 to 2019 Upgrade: Migrating Exchange System Mailboxes

Before you start issue the following command;

[box]

Set-AdServerSettings -ViewEntireForest $true

[/box]

In addition to the user mailboxes there are a multitude of different ‘System mailboxes’ that might be hanging around, before we can get rid of the Exchange 2013 Database(s) we need to migrate those.

Firstly AuditLog Mailboxes

[box]

Get-Mailbox -AuditLog -Database "Mailbox-Database-2013"

[/box]

If there are any!

[box]

Get-Mailbox -AuditLog -Database "Mailbox-Database-2013" | New-MoveRequest -TargetDatabase "Mailbox-Database-2019"

[/box]

Then Arbitration Mailboxes

[box]

Get-Mailbox -Database "Mailbox-Database-2013" -Arbitration

[/box]

If there are any!

[box]

Get-Mailbox -Database "Mailbox-Database-2013" -Arbitration | New-MoveRequest -TargetDatabase "Mailbox-Database-2019"

[/box]

Then Monitoring Mailboxes

[box]

Get-Mailbox -Monitoring -Server "Mail-2013"

[/box]

If there are any!

[box]

Get-Mailbox -Monitoring -Server "Mail-2013" | New-MoveRequest -TargetDatabase "Mailbox-Database-2019"

[/box]

Make sure there are no archive mailboxes;

[box]

Get-Mailbox -Database "Database-Name" -Archive

[/box]

If there are, move them, (as above).

Also find any Discovery mailboxes, and move them to 2019;

[box]

Get-Mailbox DiscoverySearchMailbox* | New-MoveRequest -TargetDatabase "Mailbox-Database-2019"

[/box]

Exchange 2013 to 2019 Upgrade Migrating Public Folders 

Remember after Exchange 2013 these are just mailboxes! You can move them like any other mailbox 🙂

Delete Exchange 2016 Database(s)

When you are 100% sure there’s nothing left on the old database(s) remove them;

[box]

Get-MailboxDatabase -Identity "Mailbox-Database-2013" | Remove-MailboxDatabase

[/box]

Uninstall Exchange 2013

Your install directory may not be on the C: drive so change your path accordingly;

[box]

cd "C:\Program Files\Microsoft\Exchange Server\V15\Bin"
setup.exe /mode:uninstall

[/box]

At this point make sure your backup/replication software is pointed to the new Exchange 2019 Server.

 

Note: If you are running an On-Premise Exchange in Hybrid mode, and post migration if you have any mail flow problems see the following article;

No Mail Flow On-Premise To/From Office 365

Related Articles, References, Credits, or External Links

Exchange 2019 Migration from Exchange 2016

Certificate Services 0xc8000202 Error

KB ID 0001639

Problem

You will see this error if you are migrating a Certificate Services Server from Server 2008, (NOT Server 2008 R2) to Windows Server 2016, (or newer).

Version of log file is not compatible with the Jet version 0xc8000202 (ESE: 514 Jet_errBadLogVersion)

You will also see the following events logged;

Event ID 17

Log Name: Application
Source: Microsoft-Windows-CertificationAuthority
Date: xx/xx/xxxx xx:xx:xx
Event ID: 17
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: 2019-CA.migrate.com
Description:
Active Directory Certificate Services did not start: Unable to initialize the database connection for MIGRATE-CA. Version of log file is not compatible with Jet version 0xc8000202 (ESE: -514 JET_errBadLogVersion).

Event ID 454

Log Name: Application
Source: ESENT
Date: 1xx/xx/xxxx xx:xx:xx
Event ID: 454
Task Category: Logging/Recovery
Level: Error
Keywords: Classic
User: N/A
Computer: 2019-CA.migrate.com
Description:
certsrv.exe (1268,P,98) Restore0001: Database recovery/restore failed with unexpected error -514.

Event ID 640

Log Name: Application
Source: ESENT
Date: xx/xx/xxxx xx:xx:xx
Event ID: 640
Task Category: General
Level: Warning
Keywords: Classic
User: N/A
Computer: 2019-CA.migrate.com
Description:
certsrv.exe (1268,P,98) Restore0001: Error -1919 validating header page on flush map file “C:\Windows\system32\CertLog\{CA-Name}.jfm”. The flush map file will be invalidated.
Additional information: [SignDbHdrFromDb:Create time:00/00/1900 00:00:00.000 Rand:0 Computer:] [SignFmHdrFromDb:Create time:00/00/1900 00:00:00.000 Rand:0 Computer:] [SignDbHdrFromFm:Create time:01/17/2020 22:30:48.514 Rand:248810345 Computer:] [SignFmHdrFromFm:Create time:01/17/2020 22:30:48.529 Rand:4091580707 Computer:]

Solution

OK, if you followed a good CA migration guide like mine here, then you already have a copy of the Database, CA certs, Private keys, and Registry settings. So you are good, don’t panic.

This has happened because the source Jet Database that Certificate Services used on the old 2008 Server, (Note: not 2008 R2) is simply too old to be upgraded straight to the one on Server 2016 or newer.

You need to spin up a 2012 R2 server, migrate Certificate Services, onto that, then migrate to Server 2016 (or 2019) from there.

Related Articles, References, Credits, or External Links

NA

Mailbox Move ‘StalledDueToMailboxLock’

KB ID 0001581

Problem

I was doing a migration from Exchange 2007 (on prem) to Exchange 2013 (on prem), this week. I had a number of mailboxes that were ‘StalledDueToMailboxLock‘.

Solution

Nice easy fix: on the Source and Destination Exchange servers, restart the ‘Microsoft Exchange Mailbox Replication Service‘.

Won’t this break my Mailboxes? No, it will interrupt the migration process, (which is already stalled). But the actual ‘Live‘ mailbox remains on the ‘Source Server‘ until the process is successfully completed anyway.

It can take a few minutes, (time for a coffee) but check and the process should now have resumed ‘CopyingMessages‘.

Related Articles, References, Credits, or External Links

NA

Exchange: Can’t Delete a Database

KB ID 0001414

Problem

Every iteration of Exchange comes up with some new system/hidden mailbox type that stops me deleting mailbox databases!

[box]

This mailbox database contains one or more mailboxes, mailbox plans, archive mailboxes, public folder mailboxes or arbitration mailboxes, Audit mailboxes. To get a list of all mailboxes in this database, run the command Get-Mailbox -Database <Database ID>. To get a list of all mailbox plans in this database, run the command Get-MailboxPlan. To get a list of archive mailboxes in this database, run the command Get-Mailbox -Database <Database ID> -Archive. To get a list of all public folder mailboxes in this database, run the command Get-Mailbox -Database <Database ID> -PublicFolder. To get a list of all arbitration mailboxes in this database, run the command Get-Mailbox -Database <Database ID> -Arbitration. To get a list of all Audit mailboxes in this database, run the command Get-Mailbox -Database <Database ID> -AuditLog. To disable a non-arbitration mailbox so that you can delete the mailbox database, run the command Disable-Mailbox <Mailbox ID>. To disable an archive mailbox so you can delete the mailbox database, run the command Disable-Mailbox <Mailbox ID> -Archive. To disable a public folder mailbox so that you can delete the mailbox database, run the command Disable-Mailbox <Mailbox ID> -PublicFolder. To disable a Audit mailbox so that you can delete the mailbox database, run the command Get-Mailbox -AuditLog | Disable-Mailbox. Arbitration mailboxes should be moved to another server; to do this, run the command New-MoveRequest <parameters>. If this is the last server in the organization, run the command Disable-Mailbox <Mailbox ID> -Arbitration -DisableLastArbitrationMailboxAllowed to disable the arbitration mailbox. Mailbox plans should be moved to another server; to do this, run the command Set-MailboxPlan <MailboxPlan ID> -Database <Database ID>.

[/box]

 

Solution

OK, I’m assuming you don’t actually have any mailboxes in the database? The following will tell you;

[box]Get-Mailbox -Database "Database-Name"[/box]

If you are running Exchange 2016 you might have an AuditLog account;

[box]Get-Mailbox -AuditLog -Database "Database-Name"[/box]

Or a Monitoring Mailbox;

[box]Get-Mailbox -Monitoring -Server "Server-Name"[/box]

For 2013 (and older) the likely culprits are Arbitration, Archive, or Discovery Search mailboxes, (the latter you need an extra command to see).

[box]Get-Mailbox -Database "Database-Name" -Arbitration

Get-Mailbox -Database "Database-Name" -Archive

Set-AdServerSettings -ViewEntireForest $true

Get-Mailbox -Database "Database-Name"[/box]

To move a Discovery Search Mailbox;

[box]Get-Mailbox DiscoverySearchMailbox* | New-MoveRequest -TargetDatabase "Target-Database"[/box]

Also Exchange 2013 or newer may have one or more Public folder mailboxes;

[box]Get-Mailbox -PublicFolder | New-MoveRequest -TargetDatabase "Target-Database"[/box]
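The individual checks above, and the 'make sure there's nothing left' step before Remove-MailboxDatabase in the 2013 to 2019 upgrade article, can be run as one inventory. This is an added example, not the article's own code; the database and server names are the placeholders used in the upgrade article.

```powershell
# Added example: list everything still homed on the old database before it is
# removed. Run in the Exchange Management Shell. Names are placeholders.
$OldDatabase = 'Mailbox-Database-2013'
$OldServer   = 'Mail-2013'

# Without this, mailboxes in other domains of the forest are not returned.
Set-AdServerSettings -ViewEntireForest $true

# One query per mailbox type; each hidden type needs its own switch to be listed.
$Checks = [ordered]@{
    'User/shared/discovery' = { Get-Mailbox -Database $OldDatabase -ResultSize Unlimited }
    'Archive'               = { Get-Mailbox -Database $OldDatabase -Archive -ResultSize Unlimited }
    'Arbitration'           = { Get-Mailbox -Database $OldDatabase -Arbitration }
    'AuditLog'              = { Get-Mailbox -Database $OldDatabase -AuditLog }
    'PublicFolder'          = { Get-Mailbox -Database $OldDatabase -PublicFolder }
    # Monitoring mailboxes are queried per server, as in the article.
    'Monitoring'            = { Get-Mailbox -Monitoring -Server $OldServer }
}

$Report = foreach ($Type in $Checks.Keys) {
    $Found = @(& $Checks[$Type])
    [pscustomobject]@{
        Type  = $Type
        Count = $Found.Count
        Names = ($Found.Name -join ', ')
    }
}
$Report | Format-Table -AutoSize -Wrap

# Move requests that have not completed still depend on the source database.
$OpenMoves = @(Get-MoveRequest -ResultSize Unlimited |
    Where-Object { $_.Status -ne 'Completed' })

$Remaining = ($Report | Measure-Object -Property Count -Sum).Sum
if ($Remaining -gt 0 -or $OpenMoves.Count -gt 0) {
    Write-Warning "$Remaining mailbox(es) and $($OpenMoves.Count) open move request(s) remain; do not remove $OldDatabase yet."
}
else {
    # -WhatIf reports what would be removed without removing it.
    Remove-MailboxDatabase -Identity $OldDatabase -WhatIf
}
```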

I Can’t Find Anything and it Still Won’t Let Me Delete the Datastore?

Well, there are two things you can do;

1. On a Domain Controller, open ADSIEdit.msc and Connect to ‘Configuration’. Navigate to Configuration > Services > Microsoft Exchange > {Organisation name} > Administrative Groups > {Administrative-Group-Name} > Databases > Delete the database from here (BE CAREFUL CHECK TWICE, DELETE ONCE!). Then have a coffee, refresh your datastore view, and the offender will disappear.

2. With the database dismounted, move its .edb file to another folder, then mount the store. It will complain and ask if you want to mount an empty store > select ‘yes’ > You can then delete it.

 

Related Articles, References, Credits, or External Links

NA

Office 365: Migrating To Exchange Online

KB ID 0001418

Problem

This is Part-One of a migration from ‘on-premise’ Microsoft Exchange, to Office 365 (Exchange Online). I’m using my spare ‘test domain’ (.co.uk). And I’m using the 5 user E3 Office 365 subscription that the good folk at Microsoft let me have, as part of my MVP benefits.

Note: I’m using Exchange 2016, with a ‘full-hybrid’ migration into Office 365.

Step 1: Pre-Requisites

DNS: You will need access to the DNS records for your public domain, both to ‘prove’ it is your domain, and to divert mail flow, and client requests to Exchange online, rather than your on premise Exchange.

Licenses/Subscription: You need an Office 365 subscription, and available licences for all the users you want to migrate. At time of writing the minimum subscription level that includes Exchange Online is E3. (Note that’s not strictly true, you do get Exchange Online with E1, but you don’t get any Office products, so I’ve never seen an E1 licensed migration). You’ll need to have access to Office 365 with a ‘global administrator‘ account.

Backups: Not really a pre-requisite, but how are you going to back up your cloud mailboxes? As far as Microsoft is concerned, your online email gets deleted after its retention period, (amount of time after a user deletes it, i.e. up to 100 days). If your business continuity plan requires you to keep mail ‘x‘ years, then you will need to think about Azure Backup, or a third party backup solution.

Existing Exchange: Unless you are going to use a third party migration tool, then your on premise Exchange needs to be at Exchange 2010. So if you’re still at Exchange 2007/2003/2000, then you need to either; 1) Upgrade your on-prem Exchange, 2) Do another on-prem migration before you start, or 3) Purchase a third party migration tool. Note: With Exchange 2007 you can add one Exchange 2010 Exchange server, then migrate.

Certificates: You MUST HAVE a certificate on your Exchange that is publicly signed by a third party certificate vendor. There’s no excuse to use self signed certificates these days, (for Exchange). For this exercise I bought a certificate for a year and it cost me less than ten dollars, that’s half the price of one user’s monthly licence for Office 365! WARNING: Even with a correctly set up PKI environment with publicly published CRLs etc., your own certificates won’t work, and you won’t find out what’s wrong until you have migrated users, and carnage/downtime will ensue! BUY A CERTIFICATE: I’d recommend a wildcard cert for your public mail domain.

 

User UPN’s: I’ve already covered this in the past; things will be a lot easier if you change all your users’ UPN’s to match their Email addresses.

 

For more information, see the following article;

Changing Domain Users’ ‘User Logon Names’ and UPN’s

Step 2: Onsite Preparation

Fail to prepare – prepare to fail.

What most people fail to do is make sure both their AD domain, and existing Exchange is healthy, (just because everything appears to be working, doesn’t mean everything is healthy). Install the latest cumulative update for your on-premise Exchange server, and dig into the logs to make sure everything is as it should be!

Mailbox Replication Proxy Service

MRS Proxy is the same solution we use for ‘cross-forest’ mailbox migrations, and your on-prem Exchange will act as the MRS proxy for your mailbox migration. To enable MRS Proxy: Exchange Admin Center > Servers > Virtual Directories > EWS > Edit.

General > Enable MRS Proxy Endpoint > Save

You can also check the service is running, (Windows Key +R > Services.msc {Enter}).

Exchange 2010 Note: If you’re running Exchange 2010, you can enable MRS Proxy with the following PowerShell command;

[box]Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -MRSProxyEnabled $true -MRSProxyConnections 50[/box]

Azure Active Directory Connector

You can download the Azure AD connector from Microsoft, it can be installed on any member server. It will replicate your users and groups etc, into Office 365. Download and execute the installer > Tick ‘I agree….’ >  Continue.

Use Express Settings.

Note: You would only NOT use Express settings if you only wanted to replicate certain groups or sub domains, or if you wanted to use ADFS, (for example because you already had Azure secured services).

Provide your office 365 logon details > Next.

Provide logon details for your on-premise domain > Next.

You will probably only see your local domain, and it will be flagged ‘Not Added’. That’s fine; below you can see my public domain because it’s already been added to Office 365, (I’ll cover that later) > Next.

Tick ‘Exchange hybrid deployment’ > Install.

Read and act on any warnings > Exit.

Note: If, (as above) it asks you to enable the ‘AD Recycle bin’, see the following post;

Windows Server 2016: Active Directory Recycle Bin

It will take a while, (depending on the size of your AD,) to replicate.

After a while you will start to see all your users appear in your office 365 portal, as they are replicated across.

Enable Exchange Hybrid Deployment

Back in Exchange admin Center > Hybrid > Configure > Sign into Office 365.

Once authenticated, notice the URL changes to Exchange online! > Configure.

Click here > Install.

Run.

Next.

I only have one on-premise Exchange server, so that’s selected, (if you had multiple servers, choose the one you want to use) > Next.

Sign in.

Once authenticated > Next.

Full Hybrid > Next.

Enable.

You need to create a ‘text’ record in your public DNS to proceed.

So I’ve jumped on my public DNS host management portal, and created the text record required.

Tick ‘I have created…..’ > Verify > Next.

I don’t have any ‘Edge Transport Servers’ > Next.

Again I only have one, if you have multiple CAS servers, select the one you want > Next.

And again for the ‘Send Connector’ select the CAS server that will connect to Office 365 > Next.

Select your certificate. MAKE SURE it has selected a publicly signed one, NOT a self signed one! > Next.

Enter the correct public FQDN for your on-prem Exchange > Next.

Note: This must match either the CN on your certificate, or if it’s a wildcard certificate, the domain must be the same.

Update

Close

So far so good, in Part Two, I’ll add my public domain to my Office 365 account and start migrating some users.

 

Related Articles, References, Credits, or External Links

NA

Robocopy – File Server Migration

KB ID 0001233

Problem

I’ve done a lot of migrations, and moving a client’s files and shared data, usually makes them cringe. 

I’ve lost count of the number of times I’ve heard ‘We can’t have any downtime’, which is fine, until you tell them how much it’s going to cost to do this on a Saturday!

As I posted recently, Microsoft have made this a lot easier with the file server migration tools, which will do the whole thing for you, and migrate profiles, and shares etc.

Windows Server – Migrating Files / Folders / Shares / User Profiles

That’s great, but I find sometimes it’s a little ‘sluggish’ when copying data, and sometimes it’s better to just go ‘old school’ and use Robocopy.

Solution

Why Robocopy? Well the advantage to Robocopy, is you can use it to only copy new files or files that have changed. So in a two step procedure, you can do an initial file copy during working hours, then copy the differences out of hours, and repoint people to the new shares.

Tip: Unless you know the network well, always assume there’s some shares you don’t know about, run the fsmgmt.msc tool and expand ‘shares’.

Robocopy Step 1

Just in case things go wrong, I’m going to generate a log of what’s going on, so I can see any errors or files skipped when I’ve finished. On the root of the destination server’s C: drive create a folder called ROBOCOPY-Logs, and within this folder create another folder called Last-Copy, (you will see why later).

Replace the values in red below, to suit your environment;

[box]robocopy \\OLDSERVER\d$\FOLDER D:\FOLDER /e /zb /copy:DATSOU /r:3 /w:3 /log:c:\ROBOCOPY-Logs\FOLDER.log /V /NP
[/box]

Where OLDSERVER is the source fileserver, D$ is the drive letter on the Source Server, and D is the drive letter on the new server.

What are those switches doing?

  • /E Copy subdirectories recursively, (including empty ones.)
  • /ZB Use ‘restartable’ mode, and if this fails use ‘backup’ mode.
  • /copy:DATSOU Copy Data, Attributes, Time Stamps, Security, Owner, aUditing information
  • /R:3 Retry three times, if you don’t specify this, it will retry one million times!
  • /W:3 Wait time between the retries above.
  • /log Will output the log to the folder we created above.
  • /V Produce output in verbose (detailed) mode.
  • /NP Do not show percentage progress

Robocopy Step 2

The second time, the command is virtually the same, with one extra switch, (see below).

[box]robocopy \\OLDSERVER\d$\FOLDER D:\FOLDER /e /zb /copy:DATSOU /MIR /r:3 /w:3 /log:c:\ROBOCOPY-Logs\Last-Copy\FOLDER.log /V /NP
[/box]

  • /MIR This is the ‘mirror directory’ switch, and people are scared of it. Why? Because in the documentation it says it removes or ‘purges’ files. People mistakenly think that it will remove any files from the source that do not exist in the destination. This is incorrect: it will only remove files from the destination that no longer exist in the source.
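To see exactly what /MIR would purge before letting it run, the second pass can be previewed first. This is an added example, not part of the original article: it reuses the article's paths and switches, adds robocopy's list-only /L switch for the preview, and assumes English-language robocopy log output; the function name Get-RobocopyResult and the preview log name are made up for illustration.

```powershell
# Added example: preview the /MIR pass, review what would be purged from the
# destination, then run it and decode robocopy's bit-mapped exit code.
$Source   = '\\OLDSERVER\d$\FOLDER'
$Dest     = 'D:\FOLDER'
$LogDir   = 'C:\ROBOCOPY-Logs\Last-Copy'
$Switches = '/e', '/zb', '/copy:DATSOU', '/MIR', '/r:3', '/w:3', '/V', '/NP'

function Get-RobocopyResult {
    # Hypothetical helper: turns the exit code bit mask into readable text.
    param([int]$ExitCode)
    $Meaning = @(
        @{ Bit = 1;  Text = 'files copied' },
        @{ Bit = 2;  Text = 'extra files or folders found in destination' },
        @{ Bit = 4;  Text = 'mismatched files or folders' },
        @{ Bit = 8;  Text = 'some files could not be copied' },
        @{ Bit = 16; Text = 'fatal error' }
    )
    $Hits = $Meaning | Where-Object { $ExitCode -band $_.Bit } |
        ForEach-Object { $_.Text }
    [pscustomobject]@{
        ExitCode = $ExitCode
        Failed   = ($ExitCode -ge 8)   # 8 and above means something was not copied
        Detail   = if ($Hits) { $Hits -join '; ' } else { 'no changes needed' }
    }
}

# Pass 1: /L lists what would happen without copying or deleting anything.
$PreviewLog = Join-Path $LogDir 'FOLDER-preview.log'
robocopy $Source $Dest @Switches /L "/log:$PreviewLog" | Out-Null

# "*EXTRA" entries exist only in the destination; these are what /MIR deletes.
$ToPurge = @(Select-String -Path $PreviewLog -Pattern '\*EXTRA (File|Dir)')
'{0} destination item(s) would be purged by /MIR' -f $ToPurge.Count
$ToPurge | Select-Object -First 20 -ExpandProperty Line

# Pass 2: run for real only after reviewing the list above.
if ((Read-Host 'Run the mirror now? (y/n)') -eq 'y') {
    robocopy $Source $Dest @Switches "/log:$(Join-Path $LogDir 'FOLDER.log')"
    Get-RobocopyResult -ExitCode $LASTEXITCODE
}
```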

 

It Has Not Copied Share Permissions!

That’s correct, I never said it would, it copies NTFS permissions, ownership and ACL information. If you want to copy Share permissions then use the smigdeploy tools from the link I posted above.

Can I Copy the Share Permissions Afterwards?

Yes, if you take a look at the following article, (I wrote a while ago,) you can see me doing just that, after a file copy.

Migrating – Folders and Share Permissions

I Can’t Copy Profiles / I get Permissions Errors?

  • Make sure the user you are using to copy files with, is a member of the ‘Backup Operators’ Group.
  • Make sure you execute the Robocopy command from an administrative command window.
  • Try doing the copy from the SOURCE server.

 

Related Articles, References, Credits, or External Links

NA

Public Folder Migration Error hr=0x80040111

KB ID 0001228

Problem

I usually follow my own documented process for migrating public folders to Exchange 2016. I did that this week, and this happened;

Error;

[box]

MapiExceptionLogonFailed: Unable to make connection to the server. (hr=0x80040111, ec=-2147221231)
Diagnostic context:
    Lid: 49064   dwParam: 0x1
    Lid: 37288   StoreEc: 0x6AB
    Lid: 49064   dwParam: 0x2
    Lid: 49191   EMSMDBMT.EcDoConnectEx called [length=178]
    Lid: 48679   EMSMDBMT.EcDoConnectEx returned [ec=0x80040111][length=56][latency=0]
    Lid: 45169   StoreEc: 0x80040111
    Lid: 50544   ClientVersion: 15.1.225.42
    Lid: 52080   StoreEc: 0x80040111
    Lid: 1494    ---- Remote Context Beg ----
    Lid: 22086
    Lid: 27206
    Lid: 39869
    Lid: 56893   StoreEc: 0x8004010F
    Lid: 44989
    Lid: 24684
    Lid: 20076   StoreEc: 0x80040111
    Lid: 29100
    Lid: 20396   StoreEc: 0x80040111
    Lid: 9486    StoreEc: 0x80040111
    Lid: 24492
    Lid: 18348   StoreEc: 0x80040111
    Lid: 26540   dwParam: 0xE0003
    Lid: 22444   dwParam: 0xC30001
    Lid: 1750    ---- Remote Context End ----
    Lid: 51152
    Lid: 52465   StoreEc: 0x80040111
    Lid: 60065
    Lid: 33777   StoreEc: 0x80040111
    Lid: 59805
    Lid: 52487   StoreEc: 0x80040111
    Lid: 19778
    Lid: 27970   StoreEc: 0x80040111
    Lid: 17730
    Lid: 25922   StoreEc: 0x80040111
    + CategoryInfo          : NotSpecified: (:) [New-PublicFolderMigrationRequest], RemoteTransientException
    + FullyQualifiedErrorId : [Server={New-Server},RequestId=6cbefa76-98ad-4a2e-bb33-237d7fd795fd,TimeStamp=03/08/2016 7:1
   7:17 PM] [FailureCategory=Cmdlet-MapiExceptionLogonFailed] 42728F13,Microsoft.Exchange.Management.Migraion.NewMgrationBatch
    + PSComputerName        : {new-server}

[/box]

Solution

Although it looks a pretty scary error, it’s quite straightforward to rectify. I was doing a migration and I’d moved all the mailboxes already, so I had dismounted and removed the mailbox database on the source Exchange server (Exchange 2010). All I had to do was mount a mailbox database (I just created a new empty one, and mounted it.)

If I then tried to do the migration, it queued up properly!

Related Articles, References, Credits, or External Links

NA

SBS 2011 Missing Netlogon Share (Post Migration)

KB ID 0000809 

Problem

Whilst performing an upgrade from SBS 2003 to SBS 2011, I went on-site this morning to be told, “The new server does not have a NETLOGON share!”. As a result the clients who had authenticated to the old server had successfully run their logon scripts. But the clients who had authenticated to the new server had not.

Solution

1. On the original (SBS 2003) server > Start > Run > cmd {Enter} > Run the following command;

[box]
net stop ntfrs
[/box]

2. On the original (SBS 2003) server > Start > Run > Regedit > Navigate to;

[box]
HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > NtFrs > Parameters > Backup > Restore > Process at Startup
[/box]

Change the Burflags DWORD value to D4 (Hexadecimal).

3. Then start the ntfrs service again.

[box]
net start ntfrs
[/box]

4. Now go to the NEW (SBS 2011) server > Start > Run > cmd {Enter} > Run the following command;

[box] net stop ntfrs [/box]

5. On the NEW (SBS 2011) server > Start > Run > Regedit > Navigate to;

[box]
HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > NtFrs > Parameters > Backup > Restore > Process at Startup
[/box]

Change the Burflags DWORD value to D2 (Hexadecimal).

6. Then start the ntfrs service again.

[box] net start ntfrs [/box]

7. Now wait approximately one cup of coffee.
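The result of the wait in step 7 can be checked on the new server rather than guessed. This is an added example, not part of the original article; the function name Wait-SysvolReady, the 30 minute timeout and the one hour look-back are assumptions.

```powershell
# Added example: run in an elevated PowerShell window on the NEW (SBS 2011) server.
function Wait-SysvolReady {
    param(
        [datetime]$Since = (Get-Date).AddHours(-1),  # assumption: ntfrs restarted within the last hour
        [int]$TimeoutMinutes = 30                    # assumption: how long to keep polling
    )

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # Netlogon publishes both shares once SYSVOL replication has completed.
        $shares = @(Get-WmiObject Win32_Share -Filter "Name='SYSVOL' OR Name='NETLOGON'")
        if ($shares.Count -eq 2) { break }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)

    # Event 13516 in the File Replication Service log: FRS is no longer
    # preventing this computer from becoming a domain controller.
    $evt = Get-EventLog -LogName 'File Replication Service' -After $Since -ErrorAction SilentlyContinue |
           Where-Object { $_.EventID -eq 13516 } |
           Select-Object -First 1

    New-Object PSObject -Property @{
        Ready      = ($shares.Count -eq 2)
        Shares     = @($shares | ForEach-Object { '{0} -> {1}' -f $_.Name, $_.Path })
        Event13516 = $(if ($evt) { $evt.TimeGenerated } else { $null })
    }
}

Wait-SysvolReady | Format-List Ready, Shares, Event13516
```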

Related Articles, References, Credits, or External Links

NA

Migration From Exchange 2010 to Exchange 2016 (& 2013)

Part 1

KB ID 0000788

Problem

To complete a migration from Exchange 2010 (or 2007) to Exchange 2016/2013, you need to introduce Exchange 2016 into your existing Exchange environment, then migrate your content onto the new server(s), and finally remove Exchange 2010.

Solution

Assumptions:

In this example I’ve got an existing Exchange 2010 environment running on Windows Server 2008 R2. I’m putting in Exchange 2016 onto a new server running Server 2012. Post install the NEW server will hold client access, and mailbox roles.

Exchange 2013/2016 Role Placement

Unlike with previous versions of Exchange, the 2016/2013 approach is NOT to split up roles to different servers, it’s considered good practice to deploy all roles on all Exchange servers.

Exchange 2013/2016 Licensing

Unless you have Microsoft “Software Assurance” you cannot simply upgrade to Exchange 2016 for free. You will need to buy the Exchange 2016 Base product. You may wish to look at an “Open Value Agreement”, which lets you pay the cost over a three year term.

The Exchange 2016 (on-premises) software itself comes in two flavours, Standard and Enterprise.

Standard: For small Exchange deployments (1-5 Mailbox Databases) and for non mailbox role servers in larger Exchange deployments.

Enterprise: For large Exchange deployments (1-50 Mailbox Databases).

Exchange 2013/2016 Client Access Licenses

As before there are two types of CAL for Exchange 2016 access. These are also ‘confusingly’ called Standard and Enterprise.

Note: An Enterprise CAL is NOT just for Exchange Enterprise 2016 and a Standard CAL is NOT just for Exchange Standard, this is a common mistake. Though you can mix and match, i.e. a standard CAL is required for all mailbox users or devices, adding an Enterprise CAL is only required for those existing users or devices requiring additional functionality.

Standard CAL: Required for all users (or devices) that require access to an Exchange mailbox. For most people these will be the CALS you need to purchase.

Enterprise CAL: Is an additional license that’s added to the Standard license, this enables the user to use archiving/journaling and unified messaging (Requires Outlook 2013). It also gives access to more advanced ActiveSync management policies and custom retention policies.

Exchange 2016/2013 Migration Step 1 “Planning / Pre Site Visit”

1. Media and Licenses: Before you start you will need to have the Exchange 2016 or 2013 CU2 (CU1 = Minimum) version of the install media (.iso or DVD). DO NOT attempt to perform the migration with a version of Exchange 2013 media that IS NOT at least CU1. Warning, this will be a DVD image (over 3.5 GB), you may wish to get this downloaded from a site with a decent Internet connection!

2. Make sure any third party Exchange software you are currently running is also supported on Exchange 2016, e.g. Anti Virus, Backup Solutions, Archiving, Mail Management, Mobile Device Software, etc, check with the software vendor.

3. DO NOT CONSIDER migrating anything until you know you have a good backup of your current Exchange environment. If you are lucky enough to have VMware ESX, Hyper-V or another virtualisation platform, consider doing a P2V conversion on your Exchange 2010 server then simply turning the 2010 Server off, then if it all goes to hell in a hand cart simply turn the original server back on again.

4. Outlook Client Access: Be aware your clients need to be using the following versions of Outlook BEFORE you migrate them.

Exchange 2016

  • Outlook 2016
  • Outlook 2013.
  • Outlook 2010 (With KB2965295)
  • Outlook for Mac 2011.
  • Outlook for Mac for Office 365

Exchange 2013

All of the above and 

  • Outlook 2007 (With SP3 and this update).
  • Entourage 2008 for Mac, Web Services Edition.

Exchange 2013/2016 Migration Step 2 “Pre-Install”

I would suggest you run through the Microsoft Exchange Server Deployment Assistant, as a “Belt and braces” approach to the migration.

1. Before you do anything, it’s time for a common sense check, make sure your existing Exchange 2010 Organisation is happy and running cleanly, and has good communication with both the domain and your DNS. Get in the event logs and make sure it’s a happy server.

Time spent on reconnaissance is seldom wasted!

2. Run a full Windows update on your existing Exchange server(s), this will install any Exchange roll-ups that are outstanding.

3. If you are planning to utilise DAG, then you should install the following hot-fix on your Exchange 2010 servers before deploying SP3.

4. For coexistence of Exchange 2010 and Exchange 2016/2013, your Exchange 2010 servers must have Service Pack 3 installed. If you are upgrading from Service Pack 1 you may see the following error.

Exchange 2010 Service Pack 3 Error – ‘The IIS 6 WMI Compatibility component is required’

5. After SP3 apply the latest Update Rollup.

Exchange 2013/2016 Migration Step 3 “Server Prerequisites”

1. The server that will run Exchange 2016, will need to be a domain member*, and I would run all the current updates before you start.

Once that is complete there are a number of server roles that will need adding. (Note: in Exchange 2013 these roles are the SAME for both CAS and Mailbox Servers, in 2016 there are only mailbox and edge servers anyway).

*Note: As with previous versions of Exchange it is recommended that you DO NOT run Exchange 2016 on a domain controller.

To add the Exchange 2013/2016 Server roles via PowerShell

Note: Here on my ‘Test Network’ the server in question is also a domain controller. In your production environment this will probably NOT be the case. If so, you will need to install the Remote Server Administration Tools for Active Directory.

[box]

Install-WindowsFeature RSAT-ADDS

[/box]

Issue the following commands;

[box]

Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-Clustering-CmdInterface

[/box]

Then reboot;

[box]

Restart-Computer

[/box]

2. You will need to install the Microsoft Unified Communications Managed API 4.0, Core Runtime 64-bit.

3. Exchange 2013 Only: You will also need to install the Microsoft Office 2010 Filter Pack 64 bit and Microsoft Office 2010 Filter Pack SP1 64 bit.

Exchange 2013/2016 Migration Step 4 “Install Exchange 2013/2016”

Note: Ensure the Exchange 2013 Media version you are using is CU2. 

1. Insert the DVD or open the install files and run setup.exe. It will attempt to find any outstanding updates before it starts.

2. Next.

3. Setup will begin copying files.

4. Next.

5. Accept the EULA > Next.

6. I tend to disable feedback, but the choice is yours > Next.

7. Select the server roles that you wish to install.

8. Select the folder that you wish to install the Exchange program into.

Note: Remember if deploying multiple Exchange 2013/2016 servers, it’s considered good practice to keep the folder paths contiguous across all the servers.

9. If you plan to deploy third party malware protection (post Install), then you might wish to disable this, but in most cases you will want it enabled > Next.

Note: This is built on technology that was called ‘Forefront’ in previous versions of Exchange.

10. Pre deployment readiness checks will be carried out > when complete > Next.

11. Setup will take quite some time.

12. When complete, tick the box to launch the admin console > Finish.

13. After a few seconds the Exchange Admin Center will open.

Note: If you log in and get a blank screen, ensure your user has ‘inheritable permissions’ enabled (on the security tab of their user object in AD).

14. At this point I would move the new Exchange Database from its default location to its own volume/folder, (again keep this path contiguous across all the new servers). The following PowerShell command will do this for you;

[box]Move-DatabasePath -Identity "Database Name" -EdbFilePath "E:\Folder Name\Database name.edb" -LogFolderPath "E:\Folder Name"[/box]

Exchange 2013/2016 Migration Step 5 “Migrate Mailboxes”

STOP! Before you proceed you need to think about OWA access. For internal access this will not be a problem BUT if you have users that access OWA externally (e.g. via https://mail.yourpublicdomain.com/owa) Then you will have to DO SOME PLANNING. Unless you have two free public IP addresses, your router/firewall can only point to one CAS server at a time.

STOP AGAIN! OK I’ve had more than one email about this so, here’s a warning. Moving Mailboxes creates logs, the more you move, the more logs it creates. The only way to clear these logs properly is to do an Exchange Aware/VSS Level backup. If you just start moving mailboxes without keeping an eye on this you can fill up a volume with logs, and if you are daft enough to have this on your system volume you can take the server down, you have been warned! Or see the following article;

Exchange 2016 Enable Circular Logging

1. First make sure that the new server can see the existing Exchange infrastructure. From within the Exchange Admin Center > Servers. You should see both your Exchange 2010 Servers and the new Exchange 2016 Server.

Note: You can see the same with the following PowerShell command;

[box]Get-ExchangeServer | select Name, ServerRole, AdminDisplayVersion | ft -auto[/box]

2. Test move one mailbox from Exchange 2010 to 2016, Recipients > Mailboxes > Locate our Test User > Move Mailbox.

3. Give the test migration a name, and browse to the new datastore (Note: If the move fails you can increase both the BadItem limit and the LargeItem limit here as well) > Next.

4. New.

5. You will be asked if you want to go to the ‘Migration Dashboard’.

6. Here you can watch progress (remember to keep hitting ‘refresh’).

7. If you prefer to use PowerShell you can migrate all mailboxes from one database to another with the following command;

[box]

Get-Mailbox -Database Mailbox-Database | New-MoveRequest -TargetDatabase Mailbox-Database-2013/16

[/box]

If you have more than 1000 mailboxes use the following instead;

[box]

Get-Mailbox -Database Mailbox-Database -ResultSize Unlimited | New-MoveRequest -TargetDatabase Mailbox-Database-2013

[/box]

Depending on the number of mailboxes this can take a while!

8. Then test mail flow to/from this mailbox to internal recipients in the Exchange 2010 infrastructure, and then test mail flow to/from an external mailbox.

Note: At this point you might struggle to connect to the Exchange 2016 Admin Center as ‘Administrator’, because that user’s mailbox is still on the Exchange 2010 Server. If that happens to you and you are ‘Locked Out‘ of the Exchange Admin Center, simply add the user you migrated already, to the Exchange Organization Management group, and log in as that user to https://{Exchange-2016-Server-Name}/ecp

9. You can now migrate the remainder of your mailboxes.

Note: Depending on mailbox size this can take a VERY LONG time, I would suggest staging this migration gradually. To view progress;

[box]

Get-MoveRequestStatistics -MoveRequestQueue "Mailbox-Database-2013"

[/box]

To check if anything is left in the OLD Database;

[box]

Get-MailboxDatabase -Identity "Mailbox-Database" | Get-Mailbox

[/box]
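The log-growth warning and the advice to stage the migration can be combined: move mailboxes in small batches and stop when the target database's log volume runs low. This is an added example, not part of the original article; the batch size, the free-space threshold and the function name Get-LogVolumeFreePct are assumptions, the database names are the article's placeholders, and it is meant to be saved as a script and run on the new server.

```powershell
# Added example: run in the Exchange Management Shell on the NEW server.
$SourceDb   = 'Mailbox-Database'       # article's placeholder: old database
$TargetDb   = 'Mailbox-Database-2013'  # article's placeholder: new database
$BatchSize  = 25                       # assumption: mailboxes per stage
$MinFreePct = 20                       # assumption: pause below this % free

function Get-LogVolumeFreePct {
    param([string]$Database)
    # Assumes the log folder is on a lettered local volume of this server.
    $logPath = [string](Get-MailboxDatabase -Identity $Database).LogFolderPath
    $drive   = $logPath.Substring(0, 2)                     # e.g. "E:"
    $disk    = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$drive'"
    [math]::Round(100 * $disk.FreeSpace / $disk.Size, 1)
}

$done    = 'Completed', 'CompletedWithWarning', 'Failed'
$pending = @(Get-Mailbox -Database $SourceDb -ResultSize Unlimited)
$stage   = 0

for ($i = 0; $i -lt $pending.Count; $i += $BatchSize) {
    $stage++
    $batch = 'Stage-{0:D3}' -f $stage
    $last  = [math]::Min($i + $BatchSize, $pending.Count) - 1
    $pending[$i..$last] |
        New-MoveRequest -TargetDatabase $TargetDb -BatchName $batch | Out-Null

    # Poll until every request in this stage reaches a final state.
    do {
        Start-Sleep -Seconds 60
        $free = Get-LogVolumeFreePct -Database $TargetDb
        if ($free -lt $MinFreePct) {
            # Logs are filling the volume: park the moves instead of letting
            # the disk run out, then stop so a backup can truncate the logs.
            Get-MoveRequest -BatchName $batch |
                Where-Object { $_.Status -notin $done } |
                Suspend-MoveRequest -Confirm:$false
            Write-Warning "Log volume at $free% free. $batch suspended."
            return
        }
        $open = @(Get-MoveRequest -BatchName $batch |
                  Where-Object { $_.Status -notin $done })
    } while ($open.Count -gt 0)

    Get-MoveRequest -BatchName $batch | Get-MoveRequestStatistics |
        Format-Table DisplayName, StatusDetail, PercentComplete -AutoSize
}
```

Suspended requests can be continued with Resume-MoveRequest once an Exchange-aware backup has truncated the logs.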

Exchange 2013/2016 Migration Step 6 “Change Mail flow”

At this point you need to change the SMTP feed from the old Exchange 2010 box to the new Exchange 2016 Server, how you do this depends on your network setup, some examples of how you might do this are,

i. Change the SMTP (TCP Port 25) Port redirect on your router/firewall. 
ii. Swap IP addresses from the old to the new server.
iii. Change the translation from public to private IP address to point to the new IP.

Note: If you have any mail scanning servers, anti spam hardware devices etc, then they will also need changing to point to the new server.

1. You will need to add the new server to your Exchange ‘Send Connector’ and remove the Exchange 2010 Server. (Note: I’m assuming you only have one send connector, if you have more than one i.e. for particular domains, or for secure TLS mail you will need to do these as well). From Exchange Admin Center > Mail flow > Send connectors > Select the send connector > Edit > Scoping > Add the 2016 server > Remove the 2010 server > Save.

2. You will not need to create receive connectors on the Exchange 2016 Server, if you navigate to mail flow > receive connectors > Change the drop down to point to the Exchange 2013 Server. You will see there is a ‘Default Frontend’ Connector already configured for Exchange 2016.

3. At this point, it would be sensible to once again check mail flow, to and from an external mail account.

 

Related Articles, References, Credits, or External Links

Thanks to Simcha Kope for the feedback (Adding RSAT-ADDS)
Thanks to Austin Weber for spotting my PowerShell typo.
Thanks to Tony Blunt for the log file PowerShell syntax omission.

Migration From Exchange 2010 to Exchange 2016 Part 2

How To Install Exchange 2016 (Greenfield Site)

Original Article Written 03/06/13