• Data Protection Manager 2007 Patches

    In conversation with a good friend, David Rankin, also known as The Highlander, and because I was in the middle of a Data Protection Manager 2007 Health Check and needed to check builds, versions, patches applied etc., he kindly helped by providing me with his wonderful list, which I am publishing here now! It is not rocket science, but the fact that it's all in one place makes the difference!

     

    Description      Build Number   Release Date   KB Article
    RTM              2.0.5820.0     01/11/2007     N/A
    Rollup Mar’08    2.0.8037.0     24/03/2008     950082
    Rollup Apr’08    2.0.8102.0     24/04/2008     951557
    Feature Pack     2.0.8107.0     18/07/2008     949779
    Rollup Jul'08    2.0.8111.0     07/10/2008     954641
    SP1              2.0.8793.0     19/12/2008     959605
    SP1 Hot-Fix      2.0.8811.0     16/01/2009     961502
    Rollup Feb'09    2.0.8824.0     16/02/2009     963102
    Rollup Apr'09    2.0.8836.0     14/04/2009     968579
    Rollup Jun'09    2.0.8844.0     30/06/2009     970867
    Rollup Aug'09    2.0.8851.0     28/08/2009     970868
    Rollup Oct'09    2.0.8861.0     23/10/2009     976542
    Rollup Mar’10    2.0.8864.0     29/03/2010     979970

     

    If any other patches appear in the meantime I’ll try to keep it up to date, so that every single one of you desperate protectors on a crusade to find the builds has a nice, reliable place to go!!!

     

    Thanks David!!

  • Renewing SSL Certificates on Exchange Server 2007

    SSL certificates are issued for a fixed period, typically in multiples of a year (for example one, two or more years); however, eventually they do expire and need to be renewed.

    The renewal process involves generating a fresh CSR (Certificate Signing Request) on one of your Exchange Client Access servers. This is then sent to a root certification authority (e.g. VeriSign) for processing into a valid SSL certificate (essentially they sign the request).

    Creating a Certificate

    To generate a CSR file on a Client Access Server running Windows Server 2008, open the Exchange Management Shell and type the following command:

    New-ExchangeCertificate -GenerateRequest -Path c:\myReq.csr -KeySize 1024 -SubjectName "c=GB, s=Middx, o=MyCompany, ou=IT, cn=mail.mydomain.com" -PrivateKeyExportable $True

    The string that you provide after the -SubjectName switch is very important and it is made up of the following values:

    • c – This is the country of origin.
    • s – This is the state we are in.
    • o – This is the company that you work for, or indeed the company the SSL certificate will be assigned to. You should note that if you have purchased SSL certificates before it is worth ensuring that the company naming convention is consistent throughout all certificates that you have purchased.
    • ou – This is the organisational unit: the section of the company which will take charge of the certificate.
    • cn – This should be set to the DNS FQDN of the Client Access Server which will be using the certificate.

    This will produce a file in the root of C drive on the CAS server called myReq.csr. This should be sent to your root certification authority.

    Once the certification authority has processed the CSR, you will be provided with a CRF (Certificate Response File), returned to you via email: a block of Base64 text enclosed between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

    You should copy the CRF (including the Begin Certificate and End Certificate) into a text file called owa.txt and then rename the file owa.cer. You should then copy this file up to a drive on the CAS server where you are working.

    Installing a Certificate (CAS)

    Firstly you need to remove the existing (expired) SSL certificate from your Client Access Server. In order to accomplish this you need to open the Exchange Management Shell and then type in the following command:

    Get-ExchangeCertificate | fl | out-file -filePath c:\certs.txt

    This will create a text file in the root of C drive called certs.txt which contains the details of every certificate installed on the server, including the Not After and Thumbprint fields used in the next step.

    The key property that will identify the certificate that you wish to replace is the Not After field, as this is essentially the expiry date; the certificate should have already expired or be very close to expiring. Make a note of the thumbprint (the long number at the bottom after the Thumbprint field) and then type in the following command:

    Remove-ExchangeCertificate -Thumbprint <thumbprint that you noted down>

    A tip here is to copy the thumbprint from the text file above and then paste it into the PowerShell window. When you have typed the command and pressed Enter you will be presented with the confirmation message:

    Are you sure you want to perform this action?

    Remove certificate with thumbprint 138B6EC5AAE868F495ECCBDA05C1F011B08A7CD3?

    [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help(default is “Y”):

    Confirm the action by entering A and then press ENTER. You are now ready to import the new certificate onto the Client Access Server. In order to do this type in the following command within the PowerShell window (ensure that the path you specify to the certificate file matches the location where you placed the new certificate in the earlier steps):

    Import-ExchangeCertificate -Path e:\certificates\owa.cer -FriendlyName "owa.mydomain.com"

    You should then be presented with the following output (again here you will need to make a note of the thumbprint):

    Thumbprint                                Services  Subject
    ----------                                --------  -------
    B52842F7408772B7151FF74FDAE914EA7B59B53A  .....     CN=owa.mydomain.com,...

    Now that the certificate has been imported into the certificates repository you need to enable it for OWA. In order to do this run the following command in the PowerShell window:

    Enable-ExchangeCertificate -Thumbprint B52842F7408772B7151FF74FDAE914EA7B59B53A -Services IIS

    The new certificate should now be installed; you can confirm this by running the following command:

    Get-ExchangeCertificate

    The output of which should be:

    Thumbprint                                Services  Subject
    ----------                                --------  -------
    B52842F7408772B7151FF74FDAE914EA7B59B53A  ...W.     CN=owa.mydomain.com,...

    The key things to note here are the W under Services (this signifies that the cert has been enabled for OWA) and that the thumbprint matches what you typed in previously.
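
    One way to script the Not After check and the decision to remove the old certificate from the steps above, as an added example that is not part of the original post. The function names, thresholds and sample records are hypothetical, and it assumes PowerShell 3.0 or later; it also flags RSA keys shorter than 2048 bits, such as the 1024-bit key requested earlier.

```powershell
# Added example, not from the original post. Requires PowerShell 3.0 or later.
# On a CAS server the input could be built like this (assumes the objects expose
# the X509Certificate2 members NotAfter and PublicKey):
#   $certs = Get-ExchangeCertificate | Select-Object Thumbprint, Subject, NotAfter,
#       Services, @{ n = 'KeySize'; e = { $_.PublicKey.Key.KeySize } }

function Get-SubjectCn([string] $Subject) {
    # Compare on CN only: a CA may add or reorder the other subject fields.
    if ($Subject -match 'CN=([^,]+)') { $Matches[1].Trim().ToLower() }
}

function Get-CertRenewalReport {
    param([object[]] $Certificate, [datetime] $Now = (Get-Date),
          [int] $WarnDays = 30, [int] $MinKeySize = 2048)  # thresholds are assumptions
    foreach ($c in $Certificate) {
        $daysLeft = [int][math]::Floor(($c.NotAfter - $Now).TotalDays)
        $findings = @()
        if ($daysLeft -lt 0) { $findings += 'expired' }
        elseif ($daysLeft -le $WarnDays) { $findings += "expires in $daysLeft day(s)" }
        if ($c.KeySize -lt $MinKeySize) { $findings += "$($c.KeySize)-bit key" }
        [pscustomobject]@{
            Thumbprint = $c.Thumbprint
            Cn         = Get-SubjectCn $c.Subject
            Services   = "$($c.Services)"
            DaysLeft   = $daysLeft
            Findings   = $findings -join '; '
        }
    }
}

function Test-SafeToRemove {
    # True only when another certificate for the same CN is still valid and
    # already enabled for IIS, so removing the old one leaves OWA covered.
    param([object[]] $Certificate, [string] $OldThumbprint, [datetime] $Now = (Get-Date))
    $old = $Certificate | Where-Object { $_.Thumbprint -eq $OldThumbprint } | Select-Object -First 1
    if (-not $old) { return $false }
    $cn = Get-SubjectCn $old.Subject
    $replacement = $Certificate | Where-Object {
        $_.Thumbprint -ne $OldThumbprint -and (Get-SubjectCn $_.Subject) -eq $cn -and
        $_.NotAfter -gt $Now -and "$($_.Services)" -match 'IIS'
    }
    return [bool]$replacement
}

# Constructed sample records: thumbprints are placeholders, not real certificates.
$now   = [datetime]'2010-07-01'
$certs = @(
    [pscustomobject]@{ Thumbprint = 'OLD-PLACEHOLDER'; Subject = 'CN=owa.mydomain.com, OU=IT'
                       NotAfter = [datetime]'2010-07-26'; Services = 'IIS'; KeySize = 1024 }
    [pscustomobject]@{ Thumbprint = 'NEW-PLACEHOLDER'; Subject = 'CN=owa.mydomain.com, OU=IT'
                       NotAfter = [datetime]'2012-07-26'; Services = 'None'; KeySize = 2048 }
)
Get-CertRenewalReport -Certificate $certs -Now $now | Format-Table -AutoSize
# In this sample NEW-PLACEHOLDER has been imported but not yet enabled for IIS.
Test-SafeToRemove -Certificate $certs -OldThumbprint 'OLD-PLACEHOLDER' -Now $now
```

    Running the check before Remove-ExchangeCertificate shows whether OWA would be left without a valid certificate while the replacement is still being imported and enabled.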

  • Exchange Server 2000/2003 to Exchange Server 2007: Large Mailboxes Migration/Consolidation

    This is a case study of a customer who wanted to perform a migration from Exchange Server 2000 / 2003 to Exchange Server 2007 whilst consolidating a number of remote sites to a centralised hub site. The main premise of this engagement was to ascertain Microsoft’s best practice methodologies for migrating very large mailboxes and moving large amounts of data with the least amount of risk of data loss, and the consolidation of globally dispersed messaging environments.

    I’d like to send from here a HUGE THANKS to my peer, Ray Khan, for putting all of this information together, as he was the one involved in the project and who kindly presented to us this awesome case study, which hopefully will encourage some other customers!

    Problem Statement

    This customer had a need to migrate all of their regional site data into a centralised site in UK with the least amount of downtime. They had users with very large mailboxes in China and Japan of up to 40 GB per mailbox, however there were only 30 to 40 users at each of these sites. There was a total of around 600 GB of mailbox data that would be required to be migrated from the regional sites to UK.

    The objective was to archive most of the data from these mailboxes onto a new Enterprise Vault platform, so once on Exchange Server 2007 they would only have around two gigabytes of "online" mail.

    They had reviewed several migration approaches but wanted our advice on these approaches and any others that have been proven in other environments.

    As part of their upgrade project they were also investigating all other messaging platforms, including Microsoft’s BPOS solution as well as partners' and other third-party solutions, and were also considering carrying on running On Premise. This aspect was out of scope for this engagement.

    Infrastructure before Upgrade

     


    The company has just under a couple of thousand employees. Over 75% of their staff are located in UK and Switzerland; the other 25% are located around the major financial centres of the world, including China, Japan, and US.

    Their Exchange server organization exists inside a single Active Directory Forest running Exchange Server 2003 SP2 in native mode. However there were several Exchange 2000 SP3 mailbox servers situated at some of their key branch offices such as China, Japan, UAE, Canada and Uruguay.

    Exchange Estate Summary

    • 31 servers globally, 11 routing groups and 6 administrative groups;
    • they employ a single ended Exchange topology and do not use any front-end servers;
    • 4,128 mailboxes (including resource mailboxes but some are dormant or on disabled accounts);
    • 5.1 TB personal mailbox data and approximately 650 GB of Public Folder data (PF's mostly in UK and Switzerland);
    • The global organisation sends around 850,000 messages a week and receives around 1,000,000 messages a week;

    Exchange 2003 Integrations

    • 17 Enterprise Vault 6.x and 7.x archiving servers hosting around 7.5TB of archive data (but not all regions have archiving);
    • 10 Blackberry Enterprise Servers servicing around 800 Blackberry handsets globally;
    • OCS 2007 R1 transitioning to R2;

    Many of their users have very large mailboxes, averaging 2 to 4 GB, but in some regions where no archiving exists we have users with mailboxes of up to 40 GB.

    Our client estate is based on Windows XP SP3 and Outlook 2003 with SP3 (new workstations with 2GB RAM).

    Networks (Global MPLS WAN)

    • 100 Mbps (between UK and Switzerland);
    • 45 Mbps (between UK, China, Japan and US);
    • 2 Mbps (high latency links between UK, UAE, Uruguay, Canada, Singapore, etc.);

    Target Architecture


    They planned to transition their entire organization to Exchange Server 2007 SP2 into a consolidated and centralised architecture hosted in our new Global Data Centre in UK. This network will be facilitated by Cisco WAN Accelerators, situated at all of their branch offices.

    They were also planning to consolidate and centralise their archiving and BES estate into the UK Global Data Centre.

    They were in the planning/design phase of this programme and were scheduled to commence deployment at the beginning of 2010 for completion by the end of summer 2010.

    Proposed Solution

    This customer designed a number of solutions to address the problem statements listed above. They decided to go for the following approach to migrate the Exchange Server 2000 / 2003 users with very large mailboxes and archive their data to the centralised site using SCR data replication technologies... Please refer to the steps below for more detail.

     


    Migration Steps

    1. Install and configure the entire centralised Exchange Server 2007 SP2 infrastructure, EV and BES infrastructure into the Global Data Centre (GDC). Install WAN Accelerators;
    2. Install an Exchange Server 2007 staging mailbox server in the GDC (to receive gross branch office mailboxes);
    3. Install an Exchange Server 2007 MBX/HT as swing server at the remote site (on the same LAN);
    4. Configure staging server in the GDC as an SCR target of the swing box Exchange Server 2007;
    5. Run Move-Mailbox command from Exchange Server 2000 (at the branch office) to Exchange Server 2007 swing box server (move entire existing mailbox over – swing box becomes the production MBX/HT for the branch office users);
    6. Allow SCR to seed the staging server over a period of up to 2 to 3 weeks (however long it is expected to take – after testing) – using SMB 2.0 as both servers will be Windows Server 2008 SP2;
    7. Once all data is migrated across – perform VSS backup of the SCR target – run ESEUtil /G to check database - invoke SCR disaster recovery process and switch the active mailbox node to the staging server in the GDC;
    8. Move BES account to GDC BES server;
    9. Enable EV archiving policy and groom the mailboxes (that are in the staging server) to 1 GB in size – all inside the GDC site (SAN to SAN);
    10. Once complete run Move-Mailbox to migrate the 1 GB mailboxes to the production CCR cluster (SAN to SAN);
    11. Once all data is validated delete the staging server databases used to eliminate white space;
    12. Move Exchange Server 2007 swing box server to the next branch office;
    13. Remove and re-install Exchange MBX/HT in the next branch office site (also rename the swing server);

    Summary

    This customer decided to migrate to Exchange Server 2007 and to continue managing their infrastructure On Premise using the above approach. They have managed to migrate their remote site data using the strategy outlined above. They are continuing with us from a support perspective and will be booking further proactive engagements, looking forward to migrating to Exchange Server 2010.

  • Exchange Server 2010 Certification Paths

    Overview

    Exchange Server 2010 helps organizations guard their messaging with built-in protective technologies; offers anywhere access to email, voice mail, calendars, and contacts; and enables new levels of operational efficiency. Help develop your expertise in this advanced messaging system with state-of-the-art training from Exchange Server 2010 product specialists. Choose a certification path that is relevant to your current job role or one that prepares you for your next career step.

    Microsoft Certified Technology Specialist certification

    Whether you are new to Microsoft Certification or a Microsoft Certified Professional (MCP) certified on Microsoft Exchange Server 2003, consider earning the Microsoft Certified Technology Specialist (MCTS): Microsoft Exchange Server 2010 – Configuration certification. This certification highlights your area of expertise and helps validate the knowledge and skills that are required to deploy and administer an enterprise messaging environment by using Exchange Server.

    Exam 70-662 – TS: Exchange Server 2010, Configuring

    Microsoft Certified IT Professional certification

    The Microsoft Certified IT Professional (MCITP): Enterprise Messaging Administrator certification is also appropriate for MCPs who are certified on Microsoft Exchange Server 2003 as well as IT professionals who are new to Microsoft Certification. This certification helps demonstrate your professional expertise in using Microsoft Exchange Server 2010 to excel in a specific job role, such as the lead engineer for messaging solutions within an enterprise organization.

    Exam 70-662 – TS: Microsoft Exchange Server 2010, Configuring

    Exam 70-663 – Pro: Designing and Deploying Messaging Solutions with Microsoft Exchange Server 2010

    Microsoft Certified Master program

    Differentiate yourself as the technical expert. The Microsoft Certified Master (MCM) program helps the best professionals in the IT industry become even better. Whether you want to enhance and help validate your advanced skills or take your career to the next level, achieving a Microsoft Certified Master certification will help differentiate you from others in the competitive ranks of senior IT professionals.

    This unique program consists of three weeks of mandatory, hands-on training led by experts, and extensive written and lab-based testing. Candidates' practical product knowledge, technical acumen, knowledge of best practices, personal and professional stamina, and communication skills are constantly challenged as they work toward attaining this premier Microsoft technical certification.

    MCM Certification

    Microsoft Certified Architect certification

    Validate your capability to translate business problems into technology solutions. When you earn the Microsoft Certified Architect (MCA) certification, you can be recognized by Microsoft and the IT industry worldwide as an expert who holds the highest level of professional certification from Microsoft.

    MCA Certification

    Data Protection Manager

    As this blog's main technologies are Exchange and Data Protection Manager, I could not miss the Data Protection Manager exam information:

    Exam 70-658 – TS: System Center Data Protection Manager 2010, Configuring

  • Exchange Server 2010 Deployment Assistant

    If you are worried about knowing exactly what you need to do in order to migrate your current Exchange environment to Exchange Server 2010, whatever the reason (multiple firewall rules, multiple certificates, multiple external URLs/ports for clients), don’t be, as there is good news. We completely understand that this complexity means there is opportunity for making mistakes, which causes deployments to stall, not to mention a lot of frustration.

    The solution is Exchange Server 2010 Deployment Assistant!!!

    It allows you to create Exchange Server 2010 On-Premises deployment instructions that are customized to your environment and all of your specific situations. It starts by collecting some information from you and, based on your answers, provides a finite set of instructions that are designed to get you up and running on Exchange Server 2010.

    The main idea is to avoid the infinite information you can find on the Internet, especially in the Exchange Server 2010 library, and go straight to what you need to do.

    Here is a screenshot from the tool, after the initial set of questions were answered and instructions generated.

    Happy Exchange Server 2010 Migration!!!