Upgrading From Earlier Versions
Planning Groups in Exchange 2000 – Distribution Lists in Exchange 5.5
The most significant difference between Exchange 5.5 and 2000 is the way they handle directory information. (Directory information is not just a list of all your users and their information, but also all servers, connectors, etc., and where they are in your organization.) Exchange 5.5 had its own Directory Service, as we talked about earlier, but Exchange 2000 relies on Windows 2000’s Active Directory directory service. So the way you group users for sending messages now has to change: in Exchange 5.5 you had Distribution Lists, but in Windows 2000, users are grouped as Universal, Global, or Domain Local Groups. Windows 2000 also separates these three groups into two subtypes called “Distribution Groups” and “Security Groups.”
Each one (Universal, Global, or Domain Local) can be a security group or a distribution group, and there are different reasons why you would pick one over the other. As you should already know from Windows 2000, a Domain Local Group can have members from any domain and access resources only in the domain it was created in. A Global Group can contain users from the domain it was created in, but can access resources in any domain. A Universal Group can contain users from any domain and can access resources in any domain. What’s the difference between Distribution Groups and Security Groups? I thought you’d never ask. Security Groups are used to assign permissions to objects in your Forest; however, they can be mail-enabled, so they really serve two purposes. Distribution Groups, on the other hand, are used strictly for email.
When you move a distribution list from Exchange 5.5 to Active Directory, its membership gets mapped to a Universal Distribution Group by default. Why wouldn’t Microsoft move a distribution list to a security group, you may ask? After all, security groups can be mail-enabled, so you would just be increasing the functionality. Well, it has to do with the way that corporations usually use distribution lists and security groups, as well as the performance differences between the two. Think about it for a second: when you create a distribution list in Outlook or in Exchange, what is your purpose? True, you may use it for securing access to public folders, but most of the time distribution lists are used for sending email messages to multiple entities. OK. You may say, “That doesn’t answer my question. I could still use a security group and extend my functionality.” The real problem is in performance. Microsoft has a white paper that explains this very well. Here, I’ll paraphrase: Whenever you log on to Active Directory, you receive a Security Token (a list of your permissions) from a domain controller. That token is passed to the global catalog server, which matches the user to any Universal security groups. If you are a member of any of them, the token reflects that you are. Hence, the more Universal Security groups that you have on your network, the worse performance will be for the global catalog server.
Now that you understand how distribution lists are migrated, let’s look at how we move them. This is done using a utility called the Active Directory Connector, or ADC. The ADC converts all distribution lists to universal distribution groups in Windows 2000. But then the problems start, if you are not careful. You see, public folders in Exchange 2000 act just like folders in your file system. You can essentially assign permissions to them just as you would any NTFS folder. Now, think about that for a second. If permissions are assigned based upon users and security groups, what happens to all of your permissions for your new distribution groups? After all, distribution groups do not have security principals (SIDs) associated with them. Well, STORE.EXE comes along to help out. If one of the following four things is true, then the distribution group will become a security group:
If any of these are true, be sure to have the domain in Native mode; otherwise the process will fail, because STORE.EXE will not be able to create the Security Groups in AD. If you need to give access to Exchange 2000 public folders, use as few universal groups as possible and leverage the functionality of global and domain local groups to lighten the load on the Global Catalog Servers. For email distribution, use universal distribution groups: they have no security principal, so they will not tax the global catalog by mapping themselves to the user’s security token.
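As an added illustration (not from the original article or from Microsoft), the Python example below decodes the Active Directory groupType attribute of an exported group list and sorts the groups along the lines of the advice above: universal security groups, which are matched into the logon token through the global catalog, versus universal distribution groups, which are not. The sample groups, their names and their addresses are constructed.

```python
# Added example: constructed data, not from the article or from Microsoft.
# groupType bit flags as documented for Active Directory group objects.
SCOPE_FLAGS = {0x2: "Global", 0x4: "Domain Local", 0x8: "Universal"}
SECURITY_ENABLED = 0x80000000


def decode_group_type(group_type):
    """Return (scope, kind) for an AD groupType value.

    LDAP returns groupType as a signed 32-bit integer, so a universal
    security group arrives as -2147483640; mask it to unsigned first.
    """
    value = int(group_type) & 0xFFFFFFFF
    scopes = [name for bit, name in SCOPE_FLAGS.items() if value & bit]
    if len(scopes) != 1:
        raise ValueError(f"groupType {group_type!r} has no single scope bit")
    kind = "Security" if value & SECURITY_ENABLED else "Distribution"
    return scopes[0], kind


def audit_groups(groups):
    """Bucket exported groups by scope and type, per the advice above."""
    report = {"universal_security": [], "mail_enabled_security": [],
              "universal_distribution": []}
    for g in groups:
        scope, kind = decode_group_type(g["groupType"])
        if kind == "Security":
            if scope == "Universal":
                report["universal_security"].append(g["name"])
            if g.get("mail"):
                report["mail_enabled_security"].append(g["name"])
        elif scope == "Universal":
            report["universal_distribution"].append(g["name"])
    return report


# Constructed sample export (names, addresses and values are illustrative).
SAMPLE_GROUPS = [
    {"name": "All Staff", "groupType": 8, "mail": "allstaff@example.com"},
    {"name": "PF Finance Editors", "groupType": -2147483640,
     "mail": "pf-finance@example.com"},
    {"name": "Sales Users", "groupType": -2147483646, "mail": None},
    {"name": "PF Sales Readers", "groupType": -2147483644, "mail": None},
]

if __name__ == "__main__":
    for bucket, names in audit_groups(SAMPLE_GROUPS).items():
        print(f"{bucket}: {names}")
```

Groups listed under universal_security are the ones to keep to a minimum; a group that also appears under mail_enabled_security is doing double duty as a permission holder and a mailing list.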
Upgrading the Databases
Before you begin your upgrade process, be sure to have the latest service pack for Exchange Server. Then, be sure Windows 2000 and DNS are properly configured on your network. BACK UP YOUR EXCHANGE DATABASES!!!! This can never be emphasized too much. If you do not properly back up your databases, you can experience something that you never want to: loss of data. Please do this. If you are intending on setting up Exchange 5.5 on a Windows 2000 server, you should know what additional Exchange components will be affected by the upgrade.
The process of upgrading your Exchange 5.5 databases to 2000 is actually very fast. Microsoft touts that Exchange databases can be upgraded as quickly as 30 GB per hour. You should use this factor to plan how long the actual upgrade process will take on your system so that you can choose an appropriate time to do it. Microsoft suggests 30 minutes for prep time, plus the size of your database at the 30 GB per hour transfer rate. For example, if you have a 15 GB Information Store, you should have your system upgraded in one hour from the time you sit down and take out your Exchange 2000 CD.
If you have multiple connectors to foreign mail systems, you should see how they will be impacted as well. For example, do you have any EDK-based connectors, or are you only connecting to mail systems that Exchange 2000 currently supports, like Lotus Notes, cc:Mail, GroupWise, or Microsoft Mail? If the server is a mailbox server (it hosts email for your clients), you could either upgrade it in place or move the mailboxes after the connection is made. If it is a public folder server, the same applies as for a mailbox server. As far as connector servers are concerned, once your ADC is in place, either system can replicate changes after synchronization has occurred between the foreign system and Exchange 5.5, so feel free to test Exchange 2000 connectors with little fear of how it will affect your existing system. If you have a small number of servers in a single site, don’t be too concerned; you can upgrade them without many difficulties.
Exchange 2000 Preparation
So let’s do it. Active Directory should be set up at this point and you should have an existing Exchange 5.5 Server somewhere. The first step is to run ForestPrep. Type “d:.exe /ForestPrep” where “D:” is your CD-ROM drive. Enter all of your information until you get to a screen like the one shown below:
Exchange 2000 Setup with ForestPrep switch enabled
The next step prompts you to either join an existing Exchange 5.5 Organization or create a new Exchange 2000 organization. Select Join an existing Exchange 5.5 organization. Next, Setup will prompt you to enter the name of a server in the 5.5 organization. Enter one and click Next.
DomainPrep, like ForestPrep, only needs to be run once, but once per domain rather than once for the whole forest, so you need to run it in every other domain you want to prepare as well. For example, if you have five Active Directory domains, you will need to run ForestPrep once and DomainPrep five times. The command line to execute DomainPrep is “d:.exe /DomainPrep” where “D:” is your CD-ROM drive. After this step is complete, you can go ahead and start upgrading the Exchange 5.5 Servers. Finish the other options and then it’s time to install the Active Directory Connector.
What is the Active Directory Connector?
The Active Directory Connector, or ADC, is used for one purpose: to synchronize Exchange 5.5 Directory information with Active Directory. So, if you do not have Exchange 5.5 anywhere in your organization, YOU DO NOT NEED THIS UTILITY. It comes as an additional item on the Windows 2000 Server CD-ROM, but a more extensive version is available on the Exchange 2000 Server CD.
Install the Active Directory Connector
Before we start, there are some things that you need to do to get the ADC installed. First is security. You must be a member of the Domain Admins, Enterprise Admins, and Schema Admins security groups. At that point it would be best if we could do this on a Domain Controller, preferably a Global Catalog server, for performance reasons if you have multiple domains. Don’t forget, if you have multiple domains, you must run the ADC setup once per domain.
Place the Exchange 2000 CD in the drive, switch to the ADC folder and run Setup.exe. The Active Directory Connector setup wizard will ask you for the Exchange 5.5 Service account and password, so have this information ready. Setup will modify the Windows 2000 Schema to allow Exchange 5.5’s Directory Service to populate it with user information. (Note: Schema information for Active Directory only needs to be updated once for the ADC.)
Configuring the Active Directory Connector
Now the ADC should be installed. It’s time to configure it. You must create connection agreements to allow the information to replicate between AD and Exchange 5.5. A new MMC console called the “Active Directory Connector” will show up when you go into Administrative Tools. In the Active Directory Connector Manager screen, shown below, right-click the icon representing the ADC on your server. Click New, and then click Recipient Connection Agreement. This creates a Connection Agreement that allows the ADC to transfer recipient information between Active Directory and Exchange 5.5.
Creating a new Connection Agreement
Once you create the ADC, there will be options for the type of replication that you want to perform. If you select either Two-way or From Windows to Exchange, Active Directory will need permission to update the Exchange 5.5 Directory Service.
If you have multiple Exchange 5.5 sites, or Windows 2000 domains, the process will become much more complex because each Exchange 5.5 site keeps track of updating its own directory information and each Windows 2000 domain keeps track of certain domain-specific information.
Running the Upgrade
At this point, your Forest, Domain, and Exchange 5.5 Directory information should all be ready for you to begin the last step. Insert the Exchange 2000 CD into the CD-ROM drive of an existing Exchange 5.5 server that is running Windows 2000 with Service Pack 1 and Exchange 5.5 Service Pack 3. Follow the steps like you would for any normal installation, except you will select Upgrade instead of Install. The only other thing that you need is the existing Exchange 5.5 Service Account password. The Exchange databases are not upgraded until everything else has been completed. This is to ensure that if the installation fails, your Exchange 5.5 databases will not be affected.
Is it running?
If you want to check whether the installation worked, go to Services in Administrative Tools and check that all of the Exchange 2000 services that are set to start automatically have started. If you ever install a service pack or make any adjustments to the installation, check the services. Also, it is helpful to look in the Event Viewer to see if there are any errors. Exchange 2000 does not require a reboot of your system after you install it, but it might be a good idea to do so, just to check for Event log errors that may occur during a reboot. The last thing that you can look at is the “Exchange Server Setup Progress.log” file. This file is located in the root of the C: drive and contains detailed information about what occurred, or didn’t occur, during installation. Check the Start Menu. You should see a new program group called Microsoft Exchange. Within that group, you should find the Active Directory Cleanup Wizard, Active Directory Users and Computers, Migration Wizard, and the System Manager. These are the main utilities that you use to manage Exchange and will be discussed more in depth in the Administrative Interface section of the review.
Here’s a little side treat. If you re-run setup for any reason, be it for reinstallation or to add/remove components, the following will show up in the “Exchange Server Setup Progress.log” file. But who’s Cartman???
Helpful Knowledge Base Articles