Jun 01, 2015

So you are thinking of upgrading your existing Exchange Server 2010 to the all new and improved Exchange Server 2013, and you are wondering about those lovely pitfalls that may happen?

First things first, what do I need?

Microsoft Exchange Server 2010 and Exchange Server 2007 have multiple server roles: Client Access, Mailbox, Hub Transport, Unified Messaging, and Edge Transport. With Exchange Server 2013, Microsoft has reduced the number of server roles from five to three: Client Access, Mailbox, and Edge Transport. Unified Messaging is now considered a component or sub-feature of the voice-related features that are offered in Exchange Server 2013.

When you're upgrading your existing Exchange Server 2010 environment to Exchange Server 2013, there's a period of time when Exchange Server 2010 and Exchange Server 2013 servers will coexist within your organisation.

You can maintain this mode for an indefinite period of time, or you can immediately complete the upgrade to Exchange Server 2013 by moving all resources from Exchange Server 2010 to Server Exchange 2013, and then decommissioning the Exchange Server 2010 servers. You have a coexistence scenario if the following conditions are true:

• Exchange Server 2013 is deployed in an existing Exchange organisation, and
• More than one version of Microsoft Exchange Server provides messaging services to the organisation.

It isn't possible to upgrade an Exchange Server 2003 environment directly to Exchange Server 2013. You must first upgrade Exchange Server 2003 to either Exchange Server 2007 or Exchange Server 2010, and then make the upgrade to Exchange Server 2013. Microsoft recommends that you upgrade your organisation from Exchange Server 2003 to Exchange Server 2010, and then upgrade from Exchange Server 2010 to Exchange Server 2013.

Coexistence of Exchange Server 2013 and earlier versions of Exchange Server

Clean up your Active Directory

Exchange Server has been dependent on Active Directory since Exchange Server 2000 and this doesn't change in Exchange Server 2013. Active Directory is the foundation on which Exchange Server 2013 will operate. If the foundation isn’t stable, nothing built on top of it can be stable. Take the migration to Exchange Server 2013 as an opportunity to do a thorough health check and address any issues that exist in your directory.

Common problems include inaccurate site/subnet mappings, legacy Exchange Server objects for servers that are no longer online and replication problems. By addressing these issues, making sure information is accurate and cleaning up unnecessary objects before moving to Exchange Server 2013, the odds of a successful and uneventful migration are greatly increased.

In this particular blog post, I will focus on the AD part since it appears to be the weak point in most upgrades.

Exchange Server 2013 Active Directory versions The following table shows you the Exchange Server 2013 objects in Active Directory that get updated each time you install a new version of Exchange Server 2013. You can compare the object versions you see with the values in the table below to verify that the version of Exchange 2013 you installed successfully updated Active Directory during installation.

Prepare Active Directory and domains

To track the progress of Active Directory replication, you can use the repadmin tool (repadmin.exe), which is installed as part of the Windows Server 2012 and Windows Server 2008 R2 Active Directory Domain Services Tools (RSAT-ADDS) feature.

1. From a Command Prompt window, run the following command (if you want, you can skip this step and prepare the schema as part of Step 2): setup /PrepareSchema or setup /ps

• Important: If you have multiple forests in your organisation, make sure that you run your forest preparation from the correct Exchange forest. Setup preparation makes configuration changes to your forest, and it could configure a non-Exchange forest incorrectly.
• It isn't supported to use the LDIF Directory Exchange tool (LDIFDE) to manually import the Exchange Server 2013 schema changes. You must use Setup to update the schema.

This command performs the following tasks:

• Connects to the schema master and imports LDAP Data Interchange Format (LDIF) files to update the schema with Exchange 2013 specific attributes. The LDIF files are copied to the Temp directory and then deleted after they are imported into the schema.
• Sets the schema version (ms-Exch-Schema-Verision-Pt). To see the version that should be shown after this command completes, look up the version of Exchange 2013 you're installing in the table in Exchange 2013 Active Directory versions.

Note the following:

• You need to be a member of the Schema Admins group and the Enterprise Admins group in order to run this command.
• You must run this command on a 64-bit computer in the same domain and in the same Active Directory site as the schema master.
• If you use the /DomainController parameter with this command, you must specify the domain controller that is the schema master.
• After you run this command, you should wait for the changes to replicate across your Exchange organisation before continuing on. How long this takes depends upon your Active Directory site topology.
• For more information, see Exchange 2013 Active Directory Schema Changes.

2. From a Command Prompt window, run the following command: setup /PrepareAD [/OrganizationName:] or setup /p [/on:<organisation name>]

This command performs the following tasks:

• If the Microsoft Exchange Server container doesn't exist, this command creates it under CN=Services,CN=Configuration,DC=.
• If no Exchange organisation container exists under CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=, you must specify an organisation name using the /OrganisationName parameter. The organisation container will be created with the name that you specify.

The Exchange Server organisation name can contain only the following characters:

• A through Z
• a through z
• 0 through 9
• Space (not leading or trailing)
• Hyphen or dash

The organisation name can't contain more than 64 characters and the organisation name can't be blank. If the organisation name contains spaces, you must enclose the name in quotation marks (“).

• Verifies that the schema has been updated and that the organisation is up to date by checking the objectVersion property in Active Directory. The objectVersion property is in the CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= container. To see the version that should be shown after this command completes, look up the version of Exchange 2013 you're installing in the table in Exchange 2013 Active Directory versions.
• Sets the msExchProductId value on the Exchange organisation object. The msExchProductId property is in the CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= container. To see the version that should be shown after this command completes, look up the version of Exchange 2013 you're installing in the table in Exchange 2013 Active Directory versions .
• If the containers don't exist, creates the following containers and objects under CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=, which are required for Exchange 2013:

CN=Address Lists Container,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=AddressBook Mailbox Policies,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Addressing,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Administrative Groups,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Approval Applications,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Auth Configuration,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Availability Configuration,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Client Access,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Connections,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=ELC Folders Container,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=ELC Mailbox Policies,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=ExchangeAssistance,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Federation,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Federation Trusts,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Global Settings,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Hybrid Configuration,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Mobile Mailbox Policies,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Mobile Mailbox Settings,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Monitoring Settings,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=OWA Mailbox Policies,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Provisioning Policy Container,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Push Notification Settings,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=RBAC,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Recipient Policies,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Remote Accounts Policies Container,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Retention Policies Container,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Retention Policy Tag Container,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=ServiceEndpoints,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=System Policies,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Team Mailbox Provisioning Policies,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Transport Settings,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=UM AutoAttendant Container,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=UM DialPlan Container,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=UM IPGateway Container,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=UM Mailbox Policies,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Workload Management Settings,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=

• If they don't exist, creates the following containers and objects under: CN=Transport Settings,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=

CN=Accepted Domains,CN=Transport Settings,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=ControlPoint Config,CN=Transport Settings,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=DNS Customization,CN=Transport Settings,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Interceptor Rules,CN=Transport Settings,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Malware Filter,CN=Transport Settings,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Message Classifications,CN=Transport Settings,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Message Hygiene,CN=Transport Settings,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=Rules,CN=Transport Settings,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= CN=MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e,CN=Transport Settings,CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=

• Assigns specific permissions throughout the configuration partition.
• Imports the Rights.ldf file. This adds the extended rights required for Exchange to install into Active Directory.
• Creates the Microsoft Exchange Security Groups organisational unit (OU) in the root domain of the forest and assigns specific permissions on this OU.
• Creates the following management role groups within the Microsoft Exchange Security Groups OU: Compliance Management, Delegated Setup, Discovery Management, Help Desk, Hygiene Management, Organisation Management, Public Folder Management, Recipient Management, Records Management, Server Management, UM Management, View-Only Organisation Management.
• Adds the new universal security groups (USGs) that are within the Microsoft Exchange Security Groups OU to the otherWellKnownObjects attribute stored on the CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= container.
• Creates the Unified Messaging Voice Originator contact in the Microsoft Exchange System Objects container of the root domain.
•  Prepares the local domain for Exchange 2013. For information about what tasks are completed to prepare a domain, see Step 3.

Note the following:

• You must be a member of the Enterprise Admins group to run this.
• The computer running this command must be able to contact all domains in the forest on port 389.
• You must run this command on a computer in the same domain and in the same Active Directory site as the schema master. Setup will make all configuration changes to the schema master to avoid conflicts because of replication latency.
• After you run this command, you should wait for the changes to replicate across your Exchange organisation before continuing on. The length of time this takes depends on your Active Directory site topology.
• To verify that this step completed successfully, make sure that there is a new OU in the root domain called Microsoft Exchange Security Groups. This OU should contain the following new Exchange USGs:  Compliance Management, Delegated Setup, Discovery Management, Exchange Servers, Exchange Trusted Subsystem, Exchange Windows Permissions, ExchangeLegacyInterop, Help Desk, Hygiene Management, Managed Availability Servers, Organisation Management, Public Folder Management, Recipient Management, Records Management, Server Management, UM Management, View-Only Organisation Management

3. From a Command Prompt window, run one of the below commands:

• Run setup /PrepareDomain or setup /pd to prepare the local domain. You don't need to run this in the domain where you ran Step 2. Running setup /PrepareAD prepares the local domain.
• Run setup /PrepareDomain: to prepare a specific domain.
• Run setup /PrepareAllDomains or setup /pad to prepare all domains in your organisation.

These commands perform the following tasks:

• If this is a new organisation, creates the Microsoft Exchange System Objects container in the root domain partition in Active Directory and sets permissions on this container for the Exchange Servers, Exchange Organisation Administrators, and Authenticated Users groups. The purpose of this container is to store public folder proxy objects and Exchange-related system objects.
• Sets the objectVersion property in the Microsoft Exchange System Objects container under DC=. To see the version that should be shown after this command completes, look up the version of Exchange 2013 you're installing in the table in Exchange Server 2013 Active Directory versions.
• Creates a domain global group in the current domain called Exchange Install Domain Servers. The command places this group in the Microsoft Exchange System Objects container. It also adds the Exchange Install Domain Servers group to the Exchange Servers USG in the root domain.
• Note: The Exchange Install Domain Servers group is used if you install Exchange 2013 in a child domain that is an Active Directory site other than the root domain. The creation of this group allows you to avoid installation errors if group memberships haven't replicated to the child domain.
• Assigns permissions at the domain level for the Exchange Servers USG and the Organisation Management USG.

• To run setup /PrepareAllDomains, you must be a member of the Enterprise Admins group.
• To run setup /PrepareDomain, if the domain that you're preparing existed before you ran setup /PrepareAD, you must be a member of the Domain Admins group in the domain. If the domain that you're preparing was created after you ran setup /PrepareAD, you must be a member of the Exchange Organisation Administrators group, and you must be a member of the Domain Admins group in the domain.
• For domains in an Active Directory site other than the root domain, /PrepareDomain might fail with the following messages:

“PrepareDomain for domain has partially completed. Because of the Active Directory site configuration, you must wait at least 15 minutes for replication to occur, and run PrepareDomain for again.””Active Directory operation failed on . This error is not retriable. Additional information: The specified group type is invalid. Active Directory response: 00002141: SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0 The server cannot handle directory requests.”

You must run this command in every domain in which you will install Exchange 2013. You must also run this command in every domain that will contain mail-enabled users, even if the domain doesn't have Exchange 2013 installed.

To verify that step 3 completed successfully, confirm the following:

• You have a new global group in the Microsoft Exchange System Objects container called Exchange Install Domain Servers. (To view the Microsoft Exchange System Objects container in Active Directory Users and Computers, on the View menu, click Advanced Features.)
• The Exchange Install Domain Servers group is a member of the Exchange Servers USG in the root domain.
• On each domain controller in a domain in which you will install Exchange 2013, the Exchange Servers USG has permissions on the Domain Controller Security PolicyLocal PoliciesUser Rights AssignmentManage Auditing and Security Log policy.

Wow, ok after typing my fingers off, how do I know this worked?

We will use Active Directory Service Interfaces Editor (ADSI Edit) to verify that Active Directory has been successfully updated by doing the following.

For more information on how to use ADSI Edit, see ADSI Edit (adsiedit.msc).

• In the Configuration naming context, make sure that the msExchProductId property in the CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= container is set to the value shown for your version of Exchange 2013 in the table in Exchange 2013 Active Directory versions.
• Note, if the msExchProductId property is set to the correct value for the version of Exchange 2013 you installed, Active Directory has been successfully prepared. You don’t need to check any of remaining values in this list. The information below is for information purposes only and for those who separate the PrepareSchema and PrepareAD steps.
• In the Schema naming context, verify that the rangeUpper property on ms-Exch-Schema-Verision-Pt is set to the value shown for your version of Exchange 2013 in the table in Exchange 2013 Active Directory versions.
• In the Configuration naming context, verify that the objectVersion property in the CN=,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= container is set to the value shown for your version of Exchange 2013 in the table in Exchange 2013 Active Directory versions.
• In the Default naming context, verify that the objectVersion property in the Microsoft Exchange System Objects container under DC=

You can also check the Exchange Server setup log to verify that Active Directory preparation has completed successfully.

Upgrading is a daunting yet satisfying process, and this is probably the most important part of troubleshooting the upgrading of Exchange Server 2010 to Exchange Server 2013.