Windows Server 2008 With Exchange 2007 - In Production

Considering how bleeding edge the majority of my projects are, I’m a little behind the curve on this one, but I’ve finally managed to move all my Windows servers across to Windows Server 2008. This includes the Domain Controllers, Web Servers and, most critically, the Exchange servers.

This post is going to be cut into the following sections:

  • Exchange 2007 Prerequisites on Windows Server 2008
  • Cross Forest Migration of Exchange 2007 Mailboxes and User Accounts
  • Creating SSL Certificates for use with Exchange 2007 on Windows Server 2008


    Exchange 2007 Prerequisites on Windows Server 2008

    The first thing to do is to run a Windows Update, as there are already several patches available. Once that’s done the prerequisite components of Server 2008 can be installed via the command line (not PowerShell!). Simply load up a command prompt and paste / type each one of these:

    ServerManagerCmd -i RSAT-ADDS
    ServerManagerCmd -i PowerShell
    ServerManagerCmd -i Web-Server
    ServerManagerCmd -i Web-ISAPI-Ext
    ServerManagerCmd -i Web-Metabase
    ServerManagerCmd -i Web-Lgcy-Mgmt-Console
    ServerManagerCmd -i Web-Basic-Auth
    ServerManagerCmd -i Web-Digest-Auth
    ServerManagerCmd -i Web-Windows-Auth
    ServerManagerCmd -i Web-Dyn-Compression

    Once those are installed (the server may have to reboot a couple of times) Exchange 2007 SP1 can be installed. Be aware that Exchange 2007 RTM cannot be installed on Windows Server 2008.

    Exchange Server 2007 Service Pack 1 is available here and is in effect a copy of Exchange with the service pack slipstreamed in (the warez kiddies are gonna love this). Get this extracted and installed. During the install it will complain about not finding a send connector for ‘*’; remember this for later.
    [Screenshot: Exchange 2007 Send Connector error]
    Once Exchange is installed and configured it’s advisable to run another Windows Update, as even with SP1 there are a few more updates.

    Once the server has restarted it’s time to add the Send Connector that setup complained about earlier. Within Organisation Configuration select Hub Transport, click on the Send Connectors tab and choose the ‘New Send Connector’ option. Obviously whatever is required can be configured here, but all I want to do at the moment is send email out to the world:

    new-SendConnector -Name 'Default Connector' -Usage 'Internet' -AddressSpaces 'smtp:*;1' -DNSRoutingEnabled $true -UseExternalDNSServersEnabled $false -SourceTransportServers 'ServerName'

    Now the Exchange 2007 server can send email out to the world, unfortunately there’s no-one on it yet!



    Cross Forest Migration of Exchange 2007 Mailboxes and User Accounts
    Whilst most people are unlikely to have come across this situation, I decided to start my AD infrastructure completely from scratch. Unlike normal people I don’t have any workstations bound to domain controllers; I just have various forests in different parts of the world for Exchange, RADIUS and Kerberos-based authentication.

    Despite the lack of workstations, asking people to start their mailboxes, calendars, contacts etc. from scratch would just not have gone down well.

    The Microsoft Press Exchange 2007 Pocket Handbook recommends the following PowerShell cmdlet to get the job done:

    Move-Mailbox -Identity 'domain\username' -TargetDatabase 'servername\First Storage Group\DBName' [-SourceDomainController 'SourceDC'] [-DomainController 'DestinationDC'] [-SourceGlobalCatalog 'SourceGC'] [-GlobalCatalog 'DestinationGC'] -BadItemLimit 50 -IgnorePolicyMatch $true

    Unfortunately this results in the following error:
    [Screenshot: Exchange 2007 Move-Mailbox cmdlet error]
    A bit of poking around later and I finally get a cmdlet string that does what I need it to do:


    $SourceCredential = Get-Credential
    $TargetCredential = Get-Credential
    Move-Mailbox -TargetDatabase "Target Server\First Storage Group\Mailbox Database" -Identity UserName -GlobalCatalog GCServerName -SourceForestGlobalCatalog GCServerName -NTAccountOU "OU=OUName,DC=DomainName,DC=com" -SourceForestCredential $SourceCredential -TargetForestCredential $TargetCredential -SourceMailboxCleanupOptions DeleteSourceNTAccount

    The use of Get-Credential at the beginning is so there is a credential object (with the password held as a System.Security.SecureString) to pass to the Move-Mailbox cmdlet. I’ve set them as variables so I know exactly which popup dialog is for which server.

    Unfortunately I hit another stumbling block: because of the -SourceMailboxCleanupOptions DeleteSourceNTAccount argument the process insists on deleting all traces of the user from the source forest and replacing them with a Mail Contact, so running that command will result in a nasty message:
    [Screenshot: Exchange 2007 Cross Forest Move Error]
    Simply disable the user in the source Forest and run the command again.

    Now the user is in the new forest along with their mailbox etc. Unfortunately the user is still disabled and the user’s mailbox shows as a ‘linked mailbox’ rather than a user mailbox.

    Because Microsoft still haven’t provided any proper Active Directory cmdlets and I hadn’t installed the Quest cmdlets I re-enabled the user via the Active Directory Users and Computers MMC so no PowerShell example I’m afraid.

    Even after enabling the account I still couldn’t log in. In hindsight it makes perfect sense that a cross-forest move means the user no longer has a valid UPN; however, I have to admit I was stuck for a moment or two! Within the Account tab in Active Directory Users and Computers give the user an account name and choose a domain suffix.

    The user can now log in and has all their mail etc. Unfortunately the mailbox still shows as a ‘linked mailbox’. I expect this is linked to the UPN / SID issues. If the loss of custom rules / forwarders etc. isn’t an issue then simply disconnect and reconnect the mailbox to the corrected user account:


    Disable-Mailbox -Identity UserName
    Connect-Mailbox -Identity UserName -Database "Mailbox Database" -User UserName
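    The whole cross-forest sequence above, as an added Exchange Management Shell script (not the post’s own code). It uses the [ADSI] accelerator to replace the Active Directory Users and Computers steps the post did by hand; UserName, SourceDC, GCServerName, the OUs, the database and the UPN suffix are all placeholders.

```powershell
# Added example: cross-forest mailbox move on Exchange 2007 SP1 with the account fix-ups done via [ADSI].
# Every name below is a placeholder and must be replaced for your forests.
$UserName       = 'UserName'
$SourceUserDN   = 'CN=UserName,OU=Users,DC=SourceDomain,DC=com'
$TargetOU       = 'OU=OUName,DC=DomainName,DC=com'
$TargetDatabase = 'Target Server\First Storage Group\Mailbox Database'
$UpnSuffix      = 'DomainName.com'
$ACCOUNTDISABLE = 2     # userAccountControl flag bit

# Two separate prompts so it is obvious which dialog belongs to which forest
$SourceCredential = Get-Credential 'SourceDomain\Administrator'
$TargetCredential = Get-Credential 'DomainName\Administrator'

# 1. DeleteSourceNTAccount fails against an enabled source account, so disable it first
$src = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://SourceDC/$SourceUserDN",
    $SourceCredential.UserName, $SourceCredential.GetNetworkCredential().Password)
$src.userAccountControl.Value = [int]$src.userAccountControl.Value -bor $ACCOUNTDISABLE
$src.SetInfo()

# 2. Move the mailbox and let Exchange create the account in the target forest
Move-Mailbox -Identity $UserName -TargetDatabase $TargetDatabase `
    -GlobalCatalog 'GCServerName' -SourceForestGlobalCatalog 'GCServerName' `
    -NTAccountOU $TargetOU `
    -SourceForestCredential $SourceCredential -TargetForestCredential $TargetCredential `
    -SourceMailboxCleanupOptions DeleteSourceNTAccount -Confirm:$false

# 3. The new account arrives disabled and without a UPN: find it, enable it, set the UPN
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$TargetOU")
$searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$UserName))"
$hit = $searcher.FindOne()
if ($hit -eq $null) { throw "Account $UserName not found under $TargetOU after the move" }
$user = $hit.GetDirectoryEntry()
$user.userAccountControl.Value = [int]$user.userAccountControl.Value -band (-bnot $ACCOUNTDISABLE)
$user.userPrincipalName.Value  = "$UserName@$UpnSuffix"
$user.SetInfo()

# 4. Turn the 'linked mailbox' into a normal user mailbox (custom rules and forwarders are lost)
Disable-Mailbox -Identity $UserName -Confirm:$false
Connect-Mailbox -Identity $UserName -Database 'Mailbox Database' -User $UserName
```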



    Creating SSL Certificates for use with Exchange 2007 on Windows Server 2008

    The first thing to do is create the CSR. Rather than using a single Common Name, Exchange 2007 has some tricks up its sleeve with Autodiscover etc., so the CSR will need some Subject Alternative Names as well.


    New-ExchangeCertificate -GenerateRequest `
        -SubjectName "DC=networksaremadeofstring, DC=co, DC=uk, O=NetworksAreMadeOfString, CN=exch07.networksaremadeofstring.co.uk" `
        -DomainName mail.networksaremadeofstring.co.uk, smtp.networksaremadeofstring.co.uk, autodiscover.networksaremadeofstring.co.uk, networksaremadeofstring.co.uk, exchange.networksaremadeofstring.co.uk `
        -FriendlyName "New Exchange" `
        -Path c:\mail.networksaremadeofstring.co.uk.req

    When this is complete the cmdlet will output something similar to the following:

    Thumbprint Services Subject
    ---------- -------- -------
    DED40CE5BD344F7FA9C76081E5412A8AF17FB8F2 ..... DC=cadogan-house, DC=ne...

    Take note of the thumbprint which will be needed later to import and enable the certificate.

    Send this to a Certificate Authority of choice (I use CACert.org).

    Once the Authority returns the certificate, import it into the certificate store:

    Import-ExchangeCertificate -path C:\certificate.cer

    Once imported it’s time to enable it for the various services:

    Enable-ExchangeCertificate -thumbprint 493C50CFFF8B65344F1FBEAF8BE6740044F1842B -services "IIS,SMTP"

    At this point I got hit with another error message about the private key being missing:

    [Screenshot: Exchange 2007 Missing Private Key]
    It turns out that Windows Server 2008 / Exchange 2007 doesn’t import / set the private key for the generated certificate. In the Certificates MMC, certificates are usually shown with an icon depicting a certificate, and ones with a corresponding private key also show a little key icon. The self-generated certificate has a little key icon but the imported one does not.

    [Screenshot: Exchange 2007 Missing Private Key]
    To fix this do the following:

  • Load up the Certificates MMC snap-in, right-click the Personal folder, point to All Tasks, and then click Import.
  • Import your generated certificate into the Personal store.
  • In the Certificates snap-in, double-click the imported certificate.
  • In the Certificate dialog box, click the Details tab.
  • Get the Serial Number (e.g. 00 45 67).
  • Load up a command prompt and type the serial number without spaces:

    certutil -repairstore my 004567

  • Refreshing the certificate store will now show both certificates with private keys. Run the Enable-ExchangeCertificate cmdlet again to enable the certificate for the services and enable SSL.

    [Screenshot: Exchange 2007 Missing Private Key]
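    The import / repair / enable steps above, as an added Exchange Management Shell script (not from the post) that checks the imported certificate before binding it and applies the certutil repair only when the private key is missing. The thumbprint and host names are the post’s values; the list of required hosts is an assumption.

```powershell
# Added example: validate the imported certificate, repair the private key link if needed, then enable it.
$Thumbprint    = '493C50CFFF8B65344F1FBEAF8BE6740044F1842B'    # from Import-ExchangeCertificate
$RequiredHosts = 'mail.networksaremadeofstring.co.uk',        # assumed list of names clients use
                 'autodiscover.networksaremadeofstring.co.uk',
                 'exch07.networksaremadeofstring.co.uk'

$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
if ($cert -eq $null) { throw "No certificate with thumbprint $Thumbprint in the local machine store" }

# The key generated with the CSR is still in the store; re-link it by serial number (certutil wants no spaces)
if (-not $cert.HasPrivateKey) {
    certutil -repairstore my $cert.SerialNumber
    $cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
    if (-not $cert.HasPrivateKey) { throw "Private key still missing; was the CSR generated on this server?" }
}

# Every name clients will connect to must be in the CN or SAN list, or Outlook / Autodiscover will warn
$domains = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
$missing = @($RequiredHosts | Where-Object { $domains -notcontains $_ })
if ($missing.Count -gt 0) { throw "Certificate does not cover: $($missing -join ', ')" }

# Fail early on an expired or not-yet-valid certificate rather than binding it to IIS and SMTP
$now = Get-Date
if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { throw "Certificate is outside its validity period" }

Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services 'IIS,SMTP'
```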
    So there it is: a fully working Exchange 2007 server installed on Windows Server 2008. Now that the Service Packs are rolling in and more drivers are being released, I’m looking forward to seeing more Server 2008 and Exchange 2007 deployments!

    2 Responses to “Windows Server 2008 With Exchange 2007 - In Production”

    1. Famous Says:

      Outstanding… this was a life-saver. Thank you!!!

    2. Zulan Says:

      Ah, what a great article. It took me 4h yesterday and still it wasn’t solved. I actually have my Exchange on a Windows 2003 server. Tried it anyway and it didn’t really work exactly like you say. I got a bit of errors but I tried a few things and finally it just worked.

      Thanks for writing down your findings.
