Explore technical insights and updates for Office 365 and Exchange Server. Priasoft empowers IT professionals with reliable solutions and expertise.
I want my business to use Exchange 2013, but how do I get there?
Migrating to Exchange 2013 can be seamless and uneventful with the right partner and solution. However, there are many options available to get to this destination. The goal of this document is to provide a simply overview of the different options available.
Current Version?
An important first question to ask is what the current version(s) of Exchange are in the environment from which you intend to migrate.
Exchange 2013 CANNOT be installed in the same AD Domain or Forest in which Exchange 2003 or earlier is also installed. The Exchange 2013 installer will perform many health and status checks to determine if it is safe to install. An existing installation of Exchange 2003 or earlier will be caught and prevent the installer from proceeding. Furthermore, any remnant of Exchange 2003/2000 will also block the installer.
Often, setting up a separate Active Directory forest that is dedicated to running Exchange is a better solution than integrating the Exchange application into your production Active Directory security forest.
The Exchange forest (also known as the resource forest) is dedicated to running Exchange and hosting mailboxes. User accounts are contained in one or more forests, referred to as the account forests, which are separate from the resource forest. Using this model, updates and changes to Exchange can be made without affecting the production user account forests.
How it works:
The user from the account forest (where logons occur) is associated with a mailbox attached to a disabled placeholder user in the resource forest. This allows users to access mailboxes that reside in the Exchange resource forest.
The resource forest model is nearly identical to what is provided by Office 365’s Exchange Online, only with more control and easier configuration and setup. There are 3 ways a user would access the mailbox in the resource forest:
- Without a Windows Trust: Users would be prompted for credentials by Outlook and other clients. There is not a built-in Single-Sign-On feature without a Trust.
- With a Windows Trust Using ‘Linked Mailboxes’: Users are not prompted for credentials and the mailbox account in the resource forest is marked with the SID of the logon user in the account forest.
- With a Windows Trust Using ‘SID Future’: Users are not prompted for credentials and the SID of the resource forest account is copied to the user in the account forest as an additional SID.
Note that setting up a Resource Forest does NOT mean that the same level of complexity must be created with regards to Active Directory Domain Controllers and AD Sites. In this scenario, AD plays a supporting role to Exchange and its primary purpose is to provide the address book (by way of the Global Catalog). As such, one (or more likely two, for redundancy) Domain Controller is all that is required, even if there is a need for many Exchange servers. This means that the setup and deployment of a resource forest is quick and not as costly as may have initially been imagined. The DCs in this Resource Forest are not processing logons, logon scripts, and the myriad of other actions and services that a DC normally provides.
A few key Benefits:
- A dedicated security boundary between Active Directory and Exchange administration.
- Features of new platform are realized immediately compared to a ‘mixed-mode’ setup where some key features are always disabled during the while 2 versions run concurrently.
- You can move to new versions of Exchange, like Exchange 2010, 2013, 2016, without polluting, corrupting, or disrupting your existing production Exchange implementation
- Eliminates risk to your existing Exchange implementation
- There are important risks to consider by adding a newer version of exchange to an existing one such as:
- …the newer version will try to take control of many actions, like inbound mail flow, transport rules, and other system level operational tasks.
- …the newer version may enforce attributes on users that are incompatible, but which the current deployment does not
- …the newer version cannot be fully tested and made “production-ready” without interfering with the current environment
- …once the AD Schema is extended to support the new version, there is no ability to reverse the changes
- …Public Folder databases/mailboxes may not sync to newer versions. For example, there is NO REPLICATION between Exchange 2013 PFs and older versions of exchange. If the PF deployment is very large, users may be without PF data for days or weeks after the mailbox migration.
- If a need arises during setup or testing of the Resource Forest to re-architect the environment, such can be done with no impact to the current environment.
- If you merge with another entity it’s simply a matter of creating a trust with the new accounts forest and not having to disrupt the exchange organization
- If you divest part of your business entity’s its much simpler to break off the Exchange resources without giving away sensitive security objects that would be part of the User Domains.
- Schema modifications needed for Exchange are isolated to just the Exchange forest and do not need to be implement in the Accounts forest
- Less stress on Global Catalogs and directory replication in the user accounts forest as all this traffic can remain in the Exchange resource forest
- Patches and updates that are not Exchange related, do not have to be installed in the Exchange forest. This adds a level of stability that is unavailable in a mixed AD/Exchange forest.
- AD container and OU structure can be designed with Exchange Administration in mind and does not have to follow complex architecture of a user forest You can manage users and groups in a way the makes sense for Exchange and not be dependent on how users in the account forest are managed – imagine having a container structure where Executive and Large mailboxes were separated from contractors and simple “mail-consumers”.
- Distribution lists are not co-mingled with security groups because of separate forests. DLs in the Exchange forest can be guaranteed to only provide access to exchange resources.
A few “reported” detractors to the Resource Forest (but not really)
- More admin work
- This is one of the first proposed “negatives” of a Resource Forest. However, it’s a bit of a fallacy. While it is true, at a technical level, that 2 object have to be created and configured when a new user is hired, there is plenty of ability to script such actions into a single atomic event. Powershell, available since Exchange 2007 makes such work trivial now.
- Compared to the many advantages and the infrequency (in most organizations…but not all) of new hires/terminations, the Resource Forest should still be considered.
- Password Sync
- This is reported from time to time, but really only by those that don’t truly understand the model. There are 2 options listed above to provide single-sign-on, which inherently means that passwords do not need to sync.
Prerequisites
- Two Active Directory forests:
- One forest contains the user accounts for your organization. In this procedure, this forest is called the accounts forest.
- One forest does not contain user accounts and does not yet have Exchange installed. In this procedure, this forest is called the Exchange Forest or Resource Forest. You will use the procedure to install Exchange in this forest.
- You have correctly configured Domain Name System (DNS) for name resolution across forests in your organization. To check that you have DNS configured correctly, ping each forest from the other forest or forests in your organization.
For more detailed information on deploying an Exchange resource forest see the following:
Starting with version 6.5.20112.4 of the Priasoft Migration Suite for Exchange you can now transfer users from one migration batch to another on separate active consoles. This feature is valuable in scenarios where you have two or more Migration consoles running against the same source and target Exchange organization and need to move one of more users between them during the migration for load balancing purposes.
Prerequisites For Transferring Users From One Active Console To Another
- Both Migration consoles must be active (i.e. the Mailbox Migration Manager Migration console is running on the host computers)
- Both Migration consoles must be running version 6.5.20112.4 of the Priasoft Migration Suite for Exchange or higher.
- Remote management must be enabled on both Migration consoles (enabled by default)
- RPC network connectivity must be allowed between both Migration consoles (I.e. firewall not preventing connection, network routing, etc.)
- Both Migration consoles computer account must be a member of the same Active Directory Domain.
- Both Migration consoles must be running against the same source and target Exchange organizations.
- Both Migration consoles must be running in the same mode (i.e. mixed mode, dry run mode, backfill mode, etc.)
To access the new feature, use the tools menu from within the Migration Console:
Host operating system
The host operating system you select is based on the type of migration you are performing. When selecting an appropriate operating system to install the Priasoft Migration Suite for Exchange, use the target version of your Exchange implementation and the table below:
| Target Exchange Version | XP 32bit | XP 64Bit | Win7 32Bit | Win7 64Bit | Svr 2008 32Bit | Svr 2008 64Bit |
| Exchange 5.5, 2000, 2003 | X | X | X | X | X | X |
| Exchange 2007(requires 32bit Exchange 2007 management tools) | X | X | X | |||
| Exchange 2010 | X | X | X | X |
If target is Exchange 2007, you must install the 32bit Exchange 2007 Management Tools (x86) http://www.microsoft.com/download/en/details.aspx?id=11876. This forces the OS to be 32bit it the target is Exchange 2007.
Note: whenever possible we recommend using a 64bit operating system. 64bit operating systems support more physical ram and therefore allow more concurrent mailboxes to be migrated simultaneously.
Additional Requirements
Priasoft’s applications (excluding ProfileManager) are .NET Framework assemblies. The Microsoft .NET Framework 2.0 is required.
Priasoft uses Extended MAPI for mailbox data migration:
Extended MAPI comes from Outlook. Below, select the proper Outlook version to install on the migration console.
- If source is Exchange 5.5, you cannot use Outlook 2007 for MAPI (not supported by MS and will not work). We recommend Outlook 2003.
- For any other Exchange source or target we recommend Outlook 2003 or 2007.
- Outlook 2010 is not supported on the migration console
General Server Recommendations
- Use on a ‘purpose built’ and ‘fresh install’ computer, designated for migrations.
- Ensure latest patches and updates are installed on migration console via Windows Update.
- Disable ‘User Account Control’ if the migration computer is on Windows 7 or 2008 Server
- Disable windows Firewall on the migration computer.
- Migration computer should not be in any restrictive group policies
- Migration computer minimum hardware requirements are 2GB of RAM; and 2 CPU’s, VCPU’s, or cores
- Virtualization of migration console is supported on VMware or Microsoft based solutions
- Ensure time sync is working properly between source, target and migration console.
- Turn of “Automatic Updates” to prevent any automatic reboots of the server during migration operations.
What is a dry run?
The priasoft Migration Suite for Exchange allows you to do a ‘dry run’. An Exchange dry run is a testing process where the effects of a possible migration failure are intentionally mitigated. For example, an aerospace company may conduct a “dry run” test of a jet’s new pilot ejection seat while the jet is parked on the ground, rather than while it is in flight. In addition, a dry run allows you to understand how long your migration will take and what loads can be expected on both source and target Exchange systems. Read more
Post migration the source user’s mailbox is left in a “dormant state” so that if the need arises you can roll back the user. However, you may want to access the source mailboxes data without having to roll the source user back. This article will explain how to access a source mailbox post migration after migration using the Priasoft Migration Suite for Exchange.
Several properties are set on the source object post migration to place it in a “dormant state”. This is done to allow for roll back and to prevent unauthorized access to the source post migration. The main property that will block access to the source mailbox data post migration is the ProtocolSettings attribute on the users source AD object.
The ProtocolSettings attribute on the source user object in the Active Directory stores client access settings. This attribute is a multi-valued string property, where each string applies to a different protocol. MAPI access is restricted by adding the following string to the ProtocolSettings:
MAPI§<Bool1>§<Bool2>§§§§§§
The eight § separators define exactly nine fields. The meanings of the fields are as follows:
| MAPI | Specifies that this string contains settings that apply to the MAPI protocol |
| Bool1 | 0 to block all MAPI access; 1 to determine MAPI access based on Bool2. |
| Bool2 | 0 for “no effect”; 1 to deny access to non-cached mode Outlook clients |
| Remaining 6 fields | Currently not used |
If there is no MAPI string in ProtocolSettings, all MAPI clients are allowed.
In order to gain access to the source mailbox post migration you will need to clear the MAPI§ setting in the ProtocolSettings attribute on the source mailbox.
Please note:
Changes to this setting do not take effect immediately and can up to two hours to take effect. This is because, as with others mailbox properties stored in the DS, ProtocolSettings are cached in the MIBCache (default TTL = 2hrs) and in DSAccess (default TTL = 15 min). These caches may delay the time it takes for a change in the ProtocolSettings to become effective.
In order to read more about the Information Store cache, please see the following article: http://support.microsoft.com/?id=179065
You may receive the following error trying to install Exchange 2010 SP1. We sure did…
Error message is as follows:
Some controls aren’t valid. Setup previously failed while performing the action “Install”. You can’t resume setup by performaing the action “BuildToBuildUpgrade”.
Steps to resolve and be able to install SP1:
- Open regedit and browse to the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v14\
- Look in the installed rolls for a key named Action (in our case it was under the MailboxRole key)
- Back up the section of the registry in case you need to roll back
- Delete the Action key
SP1 setup should now proceed without any further issues.
The Exchange Experts – Who Are We?
Priasoft, a Microsoft Partner, offers enterprise-class solutions for Exchange migration, management, and eDiscovery. Supporting Exchange 2010, 2013, 2016, 2019, and Office 365/Exchange Online, our platform enables secure migration, management, and organization of email data, with advanced tools for compliance, public folder analysis, and AI-driven insights.
