Exchange 2010 to Exchange 2016 Migration – Part 4

Introduction

In this blog series on Exchange 2010 to Exchange 2016 migration, we have planned the migration and installed the Exchange 2016 server, and in the previous article we started the Exchange 2016 post-installation configuration: we configured the virtual directories and the SSL certificate and renamed the default mailbox database. In this part of the series we will point mail flow and web-based traffic to the Exchange 2016 server and update the records accordingly.

Moving the mail flow and web-based traffic from the Exchange 2010 server to the Exchange 2016 server requires a maintenance window and should be planned for after hours.

Switch Mail Flow and HTTPS traffic to Exchange 2016 Server

Once you have performed the installation and initial configuration of the Exchange 2016 server, the next step is to plan the advanced configuration, which includes creating a new mailbox database, setting up an application relay connector and so on.

I do not have any application relay configured on Exchange 2010, and we are not going to set up any receive connector on Exchange 2016 for application relay.

You can download a complete step by step guide for Exchange 2016 server installation from TechNet Gallery that talks about Exchange 2010 database move from one drive to another, creating/renaming a database, setting up connector etc.

Modify Send Connector to include Exchange 2016 Server

Once you have set up the receive connector for application relay based on your needs, the next step is to modify the existing send connector to add your Exchange 2016 server as an authorized server for sending external email. To add the Exchange 2016 server to the outbound connector, perform the following steps.

  • Login to Exchange admin center and navigate to Mail Flow > Send Connector
  • Select the existing Connector and click on edit 
  • Click on Scoping and add Exchange 2016 server to the authorized list of outbound servers

Once the Exchange 2016 server is added to the list, send test emails from a mailbox hosted on the Exchange 2016 server to the internet, monitor the mail flow, and verify that outbound mail from the Exchange 2016 server is working.
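The same scoping change and the mail-flow check can be done from the Exchange Management Shell. This is an added example, not part of the original article; the connector name is a placeholder, and EXCH2k16 is the server name used elsewhere in this series.

```powershell
# Added example: run in the Exchange Management Shell.
$ConnectorName = 'Internet Send Connector'   # placeholder: your existing send connector
$NewServer     = 'EXCH2k16'                  # Exchange 2016 server name from this series

# 1. Record which servers are currently authorized to send through the connector.
$connector = Get-SendConnector -Identity $ConnectorName
$current   = @($connector.SourceTransportServers |
                 ForEach-Object { if ($_.Name) { $_.Name } else { "$_" } })
"Source servers before: $($current -join ', ')"

# 2. Add the Exchange 2016 server only if it is missing. The existing
#    Exchange 2010 entries stay in place for the coexistence period.
if ($current -notcontains $NewServer) {
    $connector.SourceTransportServers += $NewServer
    Set-SendConnector -Identity $ConnectorName `
        -SourceTransportServers $connector.SourceTransportServers
}
"Source servers after: $((Get-SendConnector -Identity $ConnectorName).SourceTransportServers -join ', ')"

# 3. After sending a test message from an Exchange 2016 mailbox to an external
#    address, confirm that it left through this connector from the new server.
Get-MessageTrackingLog -Server $NewServer -EventId SEND `
        -Start (Get-Date).AddHours(-1) -ResultSize Unlimited |
    Where-Object { $_.ConnectorId -eq $ConnectorName } |
    Select-Object Timestamp, Sender, Recipients, ConnectorId, MessageSubject
```

An empty result in step 3 means the test message has not left through this connector from the new server yet; send the test message again or widen the time window before moving on.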

Update Internal DNS Records to Point to Exchange 2016 Server

Once the mail flow is tested and verified, the next step is to update the internal DNS records to point to the Exchange 2016 server. At this point your records still point to your Exchange 2010 server. Update the records used for web traffic and mail flow so that they point to the Exchange 2016 server.

  • To update the records, login to DNS server and start the DNS snap-in
  • Select the Mail and Autodiscover record and click on modify

  • Update the record to point to Exchange 2016 server

Once the records are updated, wait for cached DNS records to expire before testing. Once DNS is updated on the end-user side, log in to an Exchange 2010 mailbox using the URL https://mail.domain.com/owa and verify the OWA redirection and mail flow. Once internal access is verified and everything is working as expected, update the external HTTPS publishing, which in my case is done via a NAT rule configured on the router. We’ve updated the NAT rule to send the traffic to the Exchange 2016 server instead of the Exchange 2010 server.
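A client-side check for the cutover described above, as an added example that is not part of the original article. It confirms that each name resolves to the new server and that the certificate answering on port 443 covers that name; the IP address is a placeholder, the hostnames follow the article's mail.domain.com example, and the "DNS Name=" label assumes an English-language Windows system.

```powershell
# Added example: run from a domain-joined client after the DNS change.
$ExpectedIp = '192.0.2.10'    # placeholder: IP address of the Exchange 2016 server
$Names      = 'mail.domain.com', 'autodiscover.domain.com'   # article's example namespace

function Get-ServerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $stream = $tcp.GetStream()
        # Accept whatever certificate is presented so that a wrong one can be
        # inspected and reported; the checks below do the validation.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false, $acceptAll
        $ssl.AuthenticateAsClient($HostName)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
    }
    finally { $tcp.Close() }
}

function Get-CertificateDnsNames {
    param($Certificate)
    # Subject Alternative Name extension (OID 2.5.29.17).
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLower() }
}

function Test-NameCovered {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($n in $CertNames) {
        # A wildcard entry covers exactly one leftmost label.
        $pattern = '^' + [regex]::Escape($n).Replace('\*', '[^.]+') + '$'
        if ($HostName -match $pattern) { return $true }
    }
    $false
}

Clear-DnsClientCache    # drop locally cached answers that still point at Exchange 2010
$report = foreach ($name in $Names) {
    $ips  = @(Resolve-DnsName -Name $name -Type A -ErrorAction Stop |
                Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    $cert = Get-ServerCertificate -HostName $name
    New-Object psobject -Property @{
        Name       = $name
        ResolvesTo = $ips -join ', '
        DnsOk      = ($ips.Count -gt 0) -and (@($ips | Where-Object { $_ -ne $ExpectedIp }).Count -eq 0)
        NameOnCert = Test-NameCovered -HostName $name -CertNames (Get-CertificateDnsNames $cert)
        NotExpired = $cert.NotAfter -gt (Get-Date)
        Thumbprint = $cert.Thumbprint
    }
}
$report | Format-Table Name, ResolvesTo, DnsOk, NameOnCert, NotExpired, Thumbprint -AutoSize
```

Compare the thumbprint with the certificate imported on the Exchange 2016 server; a different thumbprint means another host or device is still answering for that name.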

Conclusion

In part four of this blog series, we have reviewed the advanced configuration options required for Exchange 2016 server post-installation and moved the mail flow and web-based traffic to the Exchange 2016 server. In part five of this series, we will prepare a migration batch and start migrating the test mailboxes and production mailboxes to Exchange Server 2016.

Exchange 2010 to Exchange 2016 Migration – Part 3

Introduction

In the first two parts of this blog series we performed the basic design and implementation of Exchange 2016 Server in coexistence with Exchange 2010 Server. In this part of the blog series, we will perform the post-installation configuration steps for our Exchange 2016 server. We will also validate the Exchange Server 2016 installation and perform a few tests before we start the production mailbox migration to Exchange 2016 server in part 4.

Before you start post-installation configuration, it’s always a good idea to get yourself familiar with Exchange Admin Center in Exchange 2016 Server. 

Exchange 2016 Post-Installation Configuration

Exchange 2016 server post-installation configuration requires you to perform the following steps.

  • Update the service connection point for autodiscover
  • Import Exchange SSL certificate on Exchange Server 2016
  • Configure virtual directories in Exchange 2016 Server
  • Configure Outlook Anywhere

Before we start the configuration changes, let’s verify that our Exchange 2016 server has been added to the Exchange organization. To validate the installation, open the Exchange Management Shell on the Exchange 2016 server and run the following cmdlet.

Get-ExchangeServer | ft Name, AdminDisplayVersion -Autosize

Once you have verified the installation of Exchange 2016 server, next step is to rename Exchange 2016 default database.

Update the service connection point for autodiscover

After you have successfully installed and verified the Exchange 2016 Server, the next step in post-installation configuration task is to update the Service Connection Point (SCP).

The SCP is registered in Active Directory. Whenever a Client Access server is installed, a new service connection point is created for that server. The SCP object is used by domain-joined machines to find their mailbox on the Exchange server.

By default, the SCP will be in the form https://ServerFQDN/Autodiscover/Autodiscover.xml; for example https://EXCH2k16.msexperttalk.com/Autodiscover/Autodiscover.xml. This name isn’t recommended because we do not want to have the server hostname on our SSL certificate. It can cause SSL certificate mismatch errors to pop up on end users’ domain-joined machines.

To change the service connection point on Exchange 2016 server, run the following cmdlet in Exchange Management Shell.

Set-ClientAccessService -Identity EXCH2k16 -AutoDiscoverServiceInternalUri "https://autodiscover.msexperttalk.com/Autodiscover/Autodiscover.xml"


Import Exchange SSL certificate on Exchange 2016 Server

Once you have set up the SCP, the next step is to import the SSL certificate on the Exchange 2016 server. You have to export the SSL certificate from the Exchange 2010 server first. To do so, perform the following steps.

  • Login to Exchange 2010 Server and launch EMC
  • Navigate to Server Configuration > select the server > select public SSL certificate

  • Click on “Export Exchange Certificate” under actions pane

  • In Export Exchange Certificate wizard, select a location to save the Personal Information Exchange (PFX) file and set an appropriate strong password, then click on Export

  • Copy the exported certificate to Exchange 2016 server.
  • Launch Exchange Admin Center, navigate to Servers > Certificates, click on the … icon and click on “Import Exchange Certificate”


  • During the Import Exchange Certificate wizard we’re required to provide a full UNC path to the location of the exported PFX file along with the correct password

  • Add Exchange 2016 Server to apply the certificate and click Finish.

  • Once the SSL certificate is imported successfully on Exchange 2016 server, the next step is to assign services to the certificate.
  • Select the SSL certificate and click on edit icon

  • Click on services and select “SMTP and IIS” to assign the services. Click on override the default SMTP certificate

  • Once the certificate is assigned, restart the IIS service by running the following command

iisreset /noforce

Configure virtual directories in Exchange 2016 Server

You can configure the virtual directories from the Exchange Admin Center or use the following PowerShell script to update all virtual directories at once.

# Server whose virtual directories are updated, and the shared namespace they should use
$Server = "ServerName"
$URL = "mail.domain.com"

# Set the internal and external URL of each client-facing virtual directory
Get-OWAVirtualDirectory -Server $Server | Set-OWAVirtualDirectory -InternalURL "https://$($URL)/owa" -ExternalURL "https://$($URL)/owa"
Get-ECPVirtualDirectory -Server $Server | Set-ECPVirtualDirectory -InternalURL "https://$($URL)/ecp" -ExternalURL "https://$($URL)/ecp"
Get-OABVirtualDirectory -Server $Server | Set-OABVirtualDirectory -InternalURL "https://$($URL)/oab" -ExternalURL "https://$($URL)/oab"
Get-ActiveSyncVirtualDirectory -Server $Server | Set-ActiveSyncVirtualDirectory -InternalURL "https://$($URL)/Microsoft-Server-ActiveSync" -ExternalURL "https://$($URL)/Microsoft-Server-ActiveSync"
Get-WebServicesVirtualDirectory -Server $Server | Set-WebServicesVirtualDirectory -InternalURL "https://$($URL)/EWS/Exchange.asmx" -ExternalURL "https://$($URL)/EWS/Exchange.asmx"
Get-MapiVirtualDirectory -Server $Server | Set-MapiVirtualDirectory -InternalURL "https://$($URL)/mapi" -ExternalURL "https://$($URL)/mapi"

Configure Outlook Anywhere

After updating the Virtual Directories for Exchange 2016 Server, we also need to update the HTTPS name and authentication method for Outlook Anywhere in Exchange Server 2016.

By default, Outlook clients use the Outlook Anywhere protocol to communicate with Exchange Server 2016. It’s important that these settings are correct even if you are not publishing Outlook Anywhere externally.

During co-existence with Exchange 2010 Server it’s important to ensure that the default Authentication Method Negotiate is updated to NTLM to ensure client compatibility when Exchange 2016 proxies Outlook Anywhere connections to the Exchange 2010 server.

To update these values, perform the following steps.

  • Launch Exchange Admin Center and Navigate to Servers > Servers. Select Exchange 2016 Server and click on edit

  • Set the internal and external URL to mail.msexperttalk.com and change the authentication to NTLM. Make sure that you have selected the option for SSL offloading.
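The post-installation steps above only avoid certificate mismatch prompts if every name handed to clients is on the certificate bound to IIS. The following audit is an added example, not part of the original article; it assumes the server name EXCH2k16 used in this series and that the imported certificate is the only valid, non-self-signed certificate with the IIS service assigned.

```powershell
# Added example: run in the Exchange Management Shell.
$Server = 'EXCH2k16'    # Exchange 2016 server name used in the article

# Names on the imported certificate bound to IIS. The self-signed certificate
# that Exchange setup creates also carries the IIS service, so exclude it.
$cert = Get-ExchangeCertificate -Server $Server |
    Where-Object { $_.Services -match 'IIS' -and $_.Status -eq 'Valid' -and -not $_.IsSelfSigned } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$certNames = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })
"Certificate $($cert.Thumbprint) expires $($cert.NotAfter): $($certNames -join ', ')"

# Collect every URL or hostname that clients are told to use.
$endpoints = @()
$scp = (Get-ClientAccessService -Identity $Server).AutoDiscoverServiceInternalUri
$endpoints += New-Object psobject -Property @{ Source = 'Autodiscover SCP'; Value = "$scp" }

$vdirCmdlets = 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory', 'Get-OabVirtualDirectory',
               'Get-ActiveSyncVirtualDirectory', 'Get-WebServicesVirtualDirectory',
               'Get-MapiVirtualDirectory'
foreach ($cmd in $vdirCmdlets) {
    foreach ($vd in @(& $cmd -Server $Server)) {
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            if ($vd.$prop) {
                $endpoints += New-Object psobject -Property @{
                    Source = "$cmd $prop"; Value = "$($vd.$prop)" }
            }
        }
    }
}

$oa = Get-OutlookAnywhere -Server $Server
foreach ($prop in 'InternalHostname', 'ExternalHostname') {
    if ($oa.$prop) {
        $endpoints += New-Object psobject -Property @{
            Source = "OutlookAnywhere $prop"; Value = "https://$($oa.$prop)" }
    }
}

# Flag anything that is not HTTPS or whose host is missing from the certificate.
# -like lets "*" span several labels, which is slightly looser than TLS matching.
$report = foreach ($e in $endpoints) {
    $hostName = if ($e.Value -match '^https://([^/:]+)') { $Matches[1].ToLower() } else { $null }
    New-Object psobject -Property @{
        Source        = $e.Source
        Value         = $e.Value
        OnCertificate = [bool]($hostName -and ($certNames | Where-Object { $hostName -like $_ }))
    }
}
$report | Sort-Object OnCertificate | Format-Table Source, Value, OnCertificate -AutoSize

# Outlook Anywhere authentication and SSL settings chosen in the last step.
$oa | Format-List InternalClientAuthenticationMethod, ExternalClientAuthenticationMethod,
                  InternalClientsRequireSsl, ExternalClientsRequireSsl, SSLOffloading
```

Any row with OnCertificate set to False is a name that will produce a certificate warning for clients, typically a URL that still carries the server FQDN.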

Conclusion

In part three of this blog series, we have performed the basic configuration required for Exchange 2016 server post-installation. In part four we will complete the pending post-installation configuration tasks and begin mailbox migration preparation.

Exchange 2010 to Exchange 2016 Migration – Part 2


Introduction

In Part 1 of this blog series, we talked about planning the upgrade from Exchange 2010 Server to Exchange 2016 Server. In this blog series, we are going to deploy Exchange 2016 Server in coexistence with Exchange 2010 Server in the same Active Directory site. As we do not need a legacy namespace for Exchange 2016 Server by design, I am going to use the same namespace that we are using on Exchange Server 2010, i.e. mail.msexperttalk.com. This part 2 post focuses on completing the prerequisites for Exchange 2016 server and deploying your first Exchange 2016 production server in coexistence with Exchange 2010 Server.

I highly recommend using the Microsoft Exchange sizing calculator to calculate the hardware requirements of Exchange 2016 Server. The latest version of the Exchange sizing calculator can be downloaded from TechNet Gallery.

Preparing for Exchange 2016 Server Installation

Exchange 2016 server installation can be done using the GUI or the command line. In this blog article, we will install Exchange 2016 server using the command line. For step-by-step instructions on installing and configuring Exchange 2016, you can download the ebook from TechNet Gallery. To install the Exchange 2016 server prerequisites, run the following PowerShell cmdlet on the Windows Server 2012 R2 machine where you’re planning to install Exchange Server 2016.

Install-WindowsFeature RSAT-ADDS

Once the RSAT-ADDS feature is installed, run the following cmdlet to install other required pre-requisites for Exchange server 2016. This process requires a system reboot.

Install-WindowsFeature AS-HTTP-Activation, Server-Media-Foundation, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS

Once the server is rebooted, install .NET Framework 4.5.2 and Microsoft Unified Communications Managed API Core Runtime, version 4.0. If you have all the latest updates installed on Windows Server 2012 R2, you will get a message that .NET Framework 4.5.2 or a higher version is already installed. Proceed with the installation of Microsoft Unified Communications Managed API Core Runtime, version 4.0.

The next step is to prepare your Active Directory forest for Exchange Server 2016 installation. Active Directory preparation requires you to extend the AD schema for Exchange 2016 server and prepare the AD domain where you would like to deploy Exchange 2016 server. Once you extend the AD with Exchange 2016 Server attributes, you cannot install Exchange 2013 server in your messaging organization. If you plan to install Exchange 2013 Server later on, then first extend the AD for Exchange 2013 server and then extend the AD for Exchange 2016 server.

The process of extending the AD schema is irreversible and it’s highly recommended to perform a full backup of active directory before extending the schema.

To extend the AD schema for Exchange Server 2016, perform the following steps.

  • Log in to the Exchange 2016 server with an admin account that is a member of the Enterprise Admins and Schema Admins groups.
  • Launch the command prompt with elevated rights and change the directory to the location where you have extracted the Exchange Server 2016 setup files.
  • Run the following command to extend the AD schema

.\Setup /PrepareSchema /IAcceptExchangeServerLicenseTerms

  • Once the Active Directory schema is extended for Exchange Server 2016, the next step is to prepare the domain in the Active Directory forest where you need to install your Exchange Server 2016. To prepare the AD domain, run the following command

.\Setup /PrepareAD /IAcceptExchangeServerLicenseTerms

  • After preparing the AD, the last step for the Exchange prerequisites is to prepare the domain for Exchange 2016 installation. To prepare a domain, run the following command

.\Setup /PrepareDomain /IAcceptExchangeServerLicenseTerms

We are now ready to install the first Exchange 2016 server in our Exchange organization.

Installing Exchange Server 2016

After preparing the prerequisites for Exchange Server 2016, the next step is to install Exchange Server 2016. To install Exchange Server 2016 using PowerShell, run the following command in an elevated window.

.\setup /Mode:Install /Roles:Mailbox /IAcceptExchangeServerLicenseTerms

After the successful installation of Exchange 2016 server, reboot the server.

Conclusion

In Part 2 of this blog series, we have successfully completed the pre-requisites installation for Exchange Server 2016. We have also installed our first Exchange server 2016 in Exchange server 2010 organization. In Part 3 of this series, we will perform the post installation tasks.

Setting up Microsoft StaffHub for Information Workers in Office 365

Introduction to StaffHub

Microsoft introduced StaffHub, a new application in Office 365 designed to help staff workers manage their day-to-day activities with schedule management, information sharing and the ability to connect with other work-related apps and resources. StaffHub helps deskless workers easily create and manage shift schedules for their team and provide relevant information. StaffHub is a go-to app for deskless workers to schedule and share important information on their mobile device. Microsoft StaffHub was made available in public preview in September 2016. Starting January 2017, Microsoft StaffHub was announced to be generally available worldwide for information workers. This blog post will help you set up Microsoft StaffHub for Information Workers in Office 365 for your organization.

Microsoft StaffHub is enabled for Office 365 customers with a K1, E1, E3 or E5 plan.

StaffHub allows managers to create, assign and manage team schedule and share files. Manager and team members can also communicate with each other using StaffHub, such as when staff would like to change the shift schedule etc.

Setting up Microsoft StaffHub for Information Workers in Office 365

Setting up Microsoft Staffhub in Office 365 requires you to perform the following steps.

  • Login to Office 365 portal with global admin credentials
  • Navigate to Admin Portal > Settings > Apps and click on StaffHub 

  • Click on “Update StaffHub settings for your organization”. This will open up StaffHub portal to setup organization wide settings

  • Staffhub is enabled by default for all organizations in Office 365

  • Configure the other options available in StaffHub to allow automatic provisioning of user accounts in Office 365. You can specify the custom domain from your Office 365 tenant.

  • StaffHub leverages Office 365 Groups. You can specify a prefix for the names of the groups that are created by StaffHub. This option is helpful for identifying the groups created by StaffHub from a reporting and monitoring perspective.


  • Provide access information for important internal resources or PowerApps that your workers need access to using StaffHub

Conclusion

Setting up StaffHub for Information Workers in Office 365 will help organizations empower end users to stay connected and productive from anywhere. Currently the StaffHub application is focused on deskless workers, but to me it looks like a game changer for organizations looking to manage team schedules and rosters, like a small consulting services firm looking to manage resources in a project. I’m looking forward to more enhanced features being added to the StaffHub application in the near future to help all types of information workers stay effective in their day-to-day routine. Currently, the Microsoft StaffHub mobile application is only available for iOS and Android devices.

Setting up Unified Data Loss Prevention Policies in Office 365

Introduction to Unified Data Loss Prevention Policies in Office 365

Every organization is concerned about its data security. Regardless of their size or the industry they deal in, organizations want to ensure the security of their data. Office 365 Data Loss Prevention (DLP) helps organizations protect their sensitive information from getting into the wrong hands. Data Loss Prevention policies in Office 365 help organizations protect confidential data based on business requirements. Earlier this month, Microsoft introduced unified Data Loss Prevention policies in Office 365 to empower IT admins to create, manage and report on DLP policies for Exchange Online, SharePoint Online and OneDrive for Business from a single admin pane.

Administrators are no longer required to setup and manage DLP policies separately for Exchange online, SharePoint Online and OneDrive for Business.

Unified Data Loss Prevention Policies in Office 365 are provided via the Office 365 Security and Compliance Center. We have discussed the Office 365 Security and Compliance Center in my previous blog post on enabling the auditing of admin users in Office 365. Now, with the new enhancements in Office 365, admins can create a single DLP policy in the Office 365 Security and Compliance Center that covers Exchange Online, SharePoint Online and OneDrive for Business. The unified DLP platform allows organizations to manage multiple workloads from a single management experience, reducing the time and complexity required to set up and maintain security and compliance within your organization.

The new unified DLP policy experience in Office 365 does not impact any existing policy configuration.

Setting up Unified Data Loss Prevention Policies in Office 365

Setting up unified DLP policies in Office 365 requires you to perform the following steps.

  • Click on icon to create a new DLP policy.
  • In the new policy wizard, select the DLP policy type and click next. In my case, I have selected the policy type of “Medical and Health Regulation” and am creating a HIPAA compliance policy

  • Next step is to select the services to which you would like to apply the DLP policy. I have selected all the workloads to apply the policy

By default, SharePoint Online and OneDrive are selected. You can also specify the users to whom you would like to apply the policy in SharePoint Online and OneDrive for Business.

  • Click next and customize the rule if required.

  • Once you have finalized the policies, click next and define the name and description of the policy. You are also required to turn your compliance policy on or off. By default, when you create a compliance policy from the Office 365 Security and Compliance Center, it’s set up with the option of “Test it out”.

Once the policy is created, it is applied to users based on the criteria defined during policy creation.
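A shell equivalent of the wizard flow above, shown as an added example that is not from the original post. It assumes a Security & Compliance Center PowerShell session is already connected; the policy and rule names are hypothetical, and the rule is a simplified stand-in for the HIPAA template that matches only two sensitive information types.

```powershell
# Added example: assumes a connected Security & Compliance Center PowerShell session.
$PolicyName = 'HIPAA - pilot'     # hypothetical policy name

# Create the policy across all three workloads in test mode: matches are
# recorded and users are notified, but the rule's actions are not enforced.
New-DlpCompliancePolicy -Name $PolicyName `
    -Comment 'Pilot in test mode before enforcement' `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# Simplified rule (assumption): match content containing at least one
# U.S. Social Security number or one DEA number.
New-DlpComplianceRule -Name "$PolicyName - SSN or DEA number" -Policy $PolicyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' },
        @{ Name = 'Drug Enforcement Agency (DEA) Number'; minCount = '1' }
    ) `
    -BlockAccess $true -NotifyUser Owner

# Confirm the mode and workloads before relying on the policy.
Get-DlpCompliancePolicy -Identity $PolicyName | Format-List Name, Mode, Enabled, Workload
Get-DlpComplianceRule -Policy $PolicyName | Format-List Name, Disabled, BlockAccess

# After reviewing the policy match reports, switch from test mode to enforcement:
# Set-DlpCompliancePolicy -Identity $PolicyName -Mode Enable
```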

Unified Data Loss Prevention Policies Reporting in Office 365

With the Office 365 Security and Compliance Center, Microsoft also provides unified reporting capabilities for your DLP policies. You can view reports for your DLP policies across Exchange Online, SharePoint Online and OneDrive for Business. This makes it easier to understand the business impact of your DLP policies and uncover actions that violate policies across multiple workloads. To view the report of your DLP policies, you are required to perform the following steps.

DLP Policy matches will give you a unified report of your DLP policies across all platforms.
