Training
Find Training
Manage My Learning
Training Options
Browse by Subject
Guide My Training
Certifications
Certification Overview
Browse by Subject
Browse by Name
Find an Exam
Prepare for an Exam
Register for an Exam
Books
Books Overview
New and Upcoming
Find Books
Where to Buy
Special Offers
What's New
Community
Learning Community
Member Sites
Worldwide Sites
Help and Support




 
Microsoft® Exchange 2000 Server Resource Kit
Author Microsoft Corporation
Pages 1120
Disk 1 Companion CD(s)
Level Advanced
Published 08/30/2000
ISBN 9780735610170
Price $69.99
To see this book's discounted price, select a reseller below.
 

More Information

About the Book
Table of Contents
Sample Chapter
Index
Related Series
Related Books
About the Author

Support: Book & CD

Rate this book
Barnes Noble Amazon Quantum Books

 

Chapter 6: Microsoft® Exchange 2000 Server Resource Kit

Chapter 6   Deployment Strategies

Peter Nilsson, Principal Consultant, Microsoft
Will Martin, Senior Consultant, Microsoft

A good deployment strategy saves time, money and frustration. Use this chapter to examine the issues involved in developing a deployment strategy before you begin.

Every company requires a different approach to upgrades, migration, and deployment. The discussion in this chapter can help you decide which approach you should take to achieve your goals with the least disruption, at the lowest cost. Although this chapter doesn’t include details about costs, effective planning can prevent the need to revisit and re-engineer at a later date—which keeps your costs down.

To help you build a highly effective Microsoft Exchange 2000 infrastructure for routing and managing e-mail messages, this chapter focuses on high-level planning issues. It does not provide detailed procedures describing how to perform tasks such as upgrading different types of connectors.

In This Chapter

     Deployment Roadmap

     Preparing to Deploy

     Populating User Accounts in Active Directory

     Upgrading Windows NT Server to Windows 2000 Server

     Upgrading Exchange Mailboxes

     Scenarios

Deployment Roadmap

Most of this chapter discusses the deployment of Exchange 2000 in an existing Exchange 5.5 organization. Many of the considerations for this situation do not apply if you are deploying Exchange for the first time. You can concentrate solely on issues such as whether your design should be centralized or distributed, how many users to support per server, and how large you can allow databases to grow.

New Exchange 2000 Organization

If you are creating a new Exchange 2000 organization, the information in the rest of this chapter can still be useful, especially if your design is complicated by either of the following factors:

  • The existence (planned or real) of multiple forests in your organization.

  • The need to merge an Exchange 5.5 organization into the Exchange 2000 network at some point in the future.

Because Exchange 2000 is not restricted by Exchange 5.5 site topology, you can deploy servers in any order, and in almost any design. You can easily modify the topology to fit changing circumstances.

The key planning issue that is new for Exchange 2000 regards effective integration with Active Directory; for example, ensuring correct placement and availability of global catalog servers.

Existing Exchange Organization

Upgrading to Exchange 2000 usually involves four distinct phases, as outlined in Table 6.1. Each phase requires planning and is described in detail later in this chapter.

NOTE:
Three concepts in Table 6.1 are discussed in "Upgrading Exchange Mailboxes," later in this chapter. The in-place upgrade method involves performing an upgrade on a single functioning Exchange 5.5 server. The move mailbox upgrade method involves moving mailboxes from an Exchange 5.5 server to an Exchange 2000 server. The leapfrog upgrade method involves using the move mailbox upgrade method in a specific sequence.

Table 6.1   Deployment roadmap

PhaseAvailable Methods
PreparationRun ForestPrep and DomainPrep.
Populate Active DirectoryPerform in-place domain upgrade, followed by running ADC (Active Directory Connector).

Run ADC, upgrade later and run Active Directory Cleanup Wizard.

Run ADC, clone user accounts later by using Active Directory Migration Tool.

Run Active Directory Migration Tool with SIDHistory, and then run ADC.

Run Active Directory Migration Tool without SIDHistory, recreate Access Control Lists (ACLs), and then run ADC.
Upgrade the operating system for Exchange servers to Microsoft Windows 2000 ServerUpgrade existing resource domain (in which Exchange is running) to Windows 2000 and connect to existing forest.

Do not upgrade if computers running Exchange 5.5 will be retired or recycled.

Upgrade existing servers and move them to a new Windows 2000 domain.
Upgrade or migrate existing Exchange mailboxesIn-place upgrade.

Move mailboxes to new or upgraded servers.

Perform leapfrog upgrade method.

With this roadmap, each deployment phase can be planned largely in isolation from the others. Note that the different phases are dependent on each other, and that the overall system architect should have a good grasp of the interdependencies. Separate teams can be assembled to plan the different stages. These deployment teams can make the best use of specialized skills that exist and compensate for skill gaps within the organization.

After initial deployment decisions have been made, it should be necessary to concentrate on only one stage at a time. This streamlines the overall planning and design process.

Preparing to Deploy

The first phase of the Exchange upgrade is small but important for the Active Directory administrator.

Although it isn’t necessary to perform this phase separately for technical reasons, you may want to separate it based on your administrator constraints.

Two processes need to be complete before Exchange 2000 can be installed on a server in the forest:

  • The Active Directory schema must be updated.

  • Appropriate permissions must be assigned.

Exchange 2000 Setup is designed to allow these two processes to be executed separately from the installation or upgrade of a server. Run ForestPrep to apply schema changes and run DomainPrep to set appropriate permissions. For more information, see Microsoft Exchange 2000 Server Planning & Installation.

Deciding Whether to Install ADC First or Run ForestPrep

As you prepare for a system deployment, you can install ADC either before or after you run ForestPrep. Depending on whether you are installing a new Exchange organization or joining an existing Exchange 5.5 organization, ForestPrep presents different options.

If you are installing Exchange 2000 for the first time, complete the following steps in the order given:

To install Exchange for the first time

  1. Run ForestPrep.

  2. Run DomainPrep.

  3. Install Exchange 2000.

If you are upgrading an existing Exchange 5.5 organization, you must specify this when you run ForestPrep. Though it is not necessary to configure connection agreements before you run ForestPrep, ADC must be installed.

To upgrade an existing Exchange 5.5 organization

  1. Install ADC.

  2. Run ForestPrep. Choose to join an existing Exchange 5.5 organization. ForestPrep then contacts the Exchange 5.5 directory that you specify and builds a root Exchange 2000 organization in Active Directory.

  3. Run DomainPrep.

  4. Run Exchange 2000 Setup either to upgrade an existing Exchange 5.5 server, or to add a new Exchange 2000 server to an existing Exchange 5.5 site.

Completing the preceding steps causes the following to occur:

  • After you install ADC, a number of schema changes are made and replicated to all domain controllers in the forest. In addition, because the partial attribute set is changed, all global catalog servers replicate partial replicas from other domains. Several additions to the configuration naming context also replicate to all domain controllers in the forest.

  • After you run ForestPrep, more schema changes are made and replicated to all domain controllers in the forest. The partial attribute set does not change, so global catalogs do not replicate again. Some additions are made to the configuration naming context and these additions are also replicated to all domain controllers.

  • After you run DomainPrep, small changes are made, primarily to the local domain naming context. These changes are replicated to all domain controllers in the local domain.

  • After you run Setup, when the first Exchange 2000 server is installed, a configuration connection agreement is created and information about the Exchange 5.5 network is written to the configuration naming context. This is replicated to all domain controllers in the forest.

In addition, before anyone can use Exchange 2000, you must run user connection agreements to synchronize Exchange 5.5 mailboxes and Windows 2000 user accounts. This may cause additional information to be replicated within affected domain naming contexts, and also to global catalog servers. Only attributes that change replicate to global catalog servers; the entire objects do not replicate.

An Exchange 2000 server must be placed close to a global catalog server on the network, usually on the same LAN segment (or equivalent). In addition, global catalog servers must have the hard drive space and RAM to handle the demand that will be generated by Exchange.

It is important that you understand and plan for the frequency and volume of directory changes that occur after Exchange 2000 becomes an integrated part of your infrastructure. If you have deployed any earlier versions of Exchange, the administrators of the earlier versions can help you to predict the number and types of directory changes. Your Active Directory infrastructure must be designed to handle the load of both Windows 2000 Server and Exchange 2000 Server.

Populating User Accounts in Active Directory

This chapter assumes that you are upgrading an existing Exchange 5.5 installation. In an organization with more than one Exchange server, this means that a coexistence phase is necessary when Exchange 5.5 and Exchange 2000 servers run as part of the same Exchange organization. Because Exchange 2000 no longer has its own directory and relies entirely on Active Directory, all of the Exchange 5.5 users need to be represented as mailbox-enabled users in Active Directory before the first Exchange 2000 server can be a working part of the Exchange organization. Users must be represented as mailbox-enabled users complete with all the configuration details that Exchange 2000 needs to address and route mail correctly.

The only way to get the correct Exchange data into Active Directory is to use ADC. The role of ADC is complicated by the fact that you are not just upgrading Exchange, but synchronizing that upgrade with an upgrade or migration from Microsoft Windows NT version 4.0 to Windows 2000 Server. Upgrading to Exchange 2000 and synchronizing with migrations or upgrades to Windows 2000 Server can be complex and can occur in various phases. However, before installing ADC, you should complete the main tasks to upgrade or migrate to Windows 2000 Server.

Review this section to see what upgrade or installation tasks can be done at the same time as installing ADC. All other upgrade and migration tasks should be completed before installing ADC. This section describes ways to synchronize the actions of ADC with what occurs during the Windows NT 4.0 domain upgrade.

In practice, installing, configuring, and running ADC can be the first step of upgrading your first Exchange server. But because this step is so complex, the planning is discussed independently in the following scenarios.

Scenarios

This list describes five scenarios for using ADC to migrate accounts to Windows 2000:

  • Perform an in-place domain upgrade, and then run ADC.

  • Run ADC, and then upgrade later and run Active Directory Cleanup Wizard.

  • Run ADC, and then clone later using Active Directory Migration Tool.

  • Run Active Directory Migration Tool with SIDHistory, and then run ADC.

  • Run the Active Directory Migration Tool without SIDHistory, recreate Access Control Lists (ACLs), and then run ADC.

This section describes each scenario and the best way to achieve the same goal in each case: Create a single Active Directory user account with all the correct Exchange attributes for each Exchange user who has a Windows NT 4.0 account.

In-Place Domain Upgrade Followed by ADC

An in-place domain upgrade is a straightforward scenario. To begin with, all the Windows NT 4.0 account domains (all the domains that contain accounts that have been used to access Exchange mailboxes) must be upgraded to Windows 2000. At a minimum, the primary domain controller in each relevant domain must be upgraded. All the domains must be in the same forest: A maximum of one of the upgrades could have created a new forest and the rest must have joined their domains to the existing forest either as child domains of an existing domain or root domains of a new tree.

You can now install and configure ADC with connection agreements that synchronize Exchange 5.5 mailboxes with Active Directory user accounts. ADC matches the security identifier (SID) from the primary Windows NT Account with the primary SID of an Active Directory user account. A SID is statistically unique number that identifies each user and group. When a new user or group is created, Windows 2000 generates a SID for the account. The operating system uses the identifier to verify access permissions when a user requests access to an object, instead of using the user name. Because the SIDs did not change during the upgrade from Windows NT 4.0 to Windows 2000, ADC matches the mailbox to a user account based on the existing SIDs. Then, ADC populates the existing account in Active Directory with information from the Exchange 5.5 directory, such as an e-mail address, a phone number, or an office location.

Run ADC, Upgrade Later, and Run Active Directory Cleanup Wizard

You may want to start upgrading to Exchange 2000 before you migrate to Windows 2000 Server. If so, you can use ADC to populate Active Directory with the basic user accounts that are required for Exchange 2000. Then at a later date, you can upgrade existing Windows NT 4.0 account domains, and then merge the resulting duplicate account objects in a clean-up stage.

Before running ADC, a basic Active Directory infrastructure must be in place. In addition, you must specify a target domain in which ADC creates disabled user accounts. For the purposes of this discussion, assume that the target domain is the root domain of the forest.

When ADC runs, a disabled user account is created in Active Directory for each Exchange 5.5 mailbox. Each disabled user account contains all of the Exchange configuration information, such as e-mail addresses and the name of the private information store that contains the mailbox. Mailbox permissions are copied from the Security Descriptor of the Exchange 5.5 mailbox and assigned to the Windows 2000 user account.

When ADC is run in this way, the msExchMasterAccountSid attribute is created on each disabled user account and assigned the SID from the primary Windows NT 4.0 account for the Exchange 5.5 mailbox.

Everything is now in place to begin the upgrade to Exchange 2000. You can upgrade user mailboxes to Exchange 2000 either by moving the mailboxes to an Exchange 2000 server or by upgrading the server on which the mailboxes reside. Users can continue to access their mail by using their Windows NT 4.0 security credentials.

You will upgrade the Windows NT 4.0 account domains to Windows 2000 later. At this point, these domains must join the forest that Exchange 2000 is using, either as child domains of the existing root domain or as root domains of a new tree. There are now two accounts in Active Directory for each Exchange user: the original disabled user account and the newly upgraded account.

IMPORTANT:
Exchange 2000 cannot be used while these duplicate accounts exist in Active Directory.

The solution is to run Active Directory Account Cleanup Wizard, which is included with Exchange 2000. Active Directory Account Cleanup Wizard goes through Active Directory to match and merge duplicate accounts. The wizard does this by matching the msExchMasterAccountSid attribute created on each disabled user account by ADC with the primary SID of the upgraded user account.

Active Directory Account Cleanup Wizard merges all the attributes of the disabled user account into the upgraded user account. As part of the process, the disabled user account is deleted, leaving a single mailbox-enabled user account in Active Directory for each Exchange user.

Run ADC and Migrate Later By Using the Active Directory Migration Tool

This scenario starts off in the same way as the previous one, except that there is no intention of upgrading the Windows NT 4.0 account domains; instead, you will migrate user accounts later.

ADC creates the disabled user account in the same way as described in the previous scenario. You can then begin the Exchange 2000 deployment.

To migrate users, select one of the following methods:

  • Merge accounts during migration.

  • Migrate to a different account and merge later (by using Active Directory Cleanup Wizard).

The first method is preferred; with the second method you create duplicate objects, replicate them around the entire Active Directory, then merge details in a second operation that generates another round of replication.

You can use tools like Active Directory Migration Tool to merge accounts during migration. If you use Active Directory Migration Tool to migrate accounts into the domain that contains the disabled user accounts created by ADC, Active Directory Migration Tool detects the duplicate accounts and follows whatever conflict handling behavior has been chosen. The options for conflict handling are ignore, which does nothing; replace, which merges accounts; and rename, which creates a separate account using a prefix or suffix supplied by the administrator. When you merge accounts during migration, you much choose the replace option when you run Active Directory Migration Tool.

NOTE:
Third-party tools generally offer equivalent functionality.

The second method—to migrate to a different account and merge later—is more complex; how you proceed depends in part on how you migrate the accounts.

If the migrated accounts are cloned (that is, the sIDHistory attribute is populated with Windows NT 4.0 SIDs), the matching required for the merge is easy because the Active Directory Account Cleanup Wizard looks in sIDHistory if it doesn’t find a match on the primary SID. You can clone accounts only if the target Windows 2000 domain is in native mode.

If accounts are not cloned (that is, they are migrated without putting anything into sIDHistory), the Active Directory Account Cleanup Wizard cannot match old accounts with new accounts on its own. In this case, you can still manually associate accounts; the Active Directory Account Cleanup Wizard finishes the merge operation. However, merging a large number of accounts by using this method would be tedious and time-consuming, with the possibility of introducing errors.

The second method may also affect the way you use domains during the upgrade or migration process. In Exchange 5.5, when users and mailboxes are created together using the Exchange Administrator program, the Windows NT 4.0 user accounts and Exchange directory names (RDNs) are the same by default. If they are the same, you cannot migrate those user accounts directly to the domain that contains the disabled user accounts that were created by ADC. You must specify that the disabled user accounts not be created in the domain to which you want to migrate the users.

Therefore, it is recommended that you create a child domain under your root domain and use this as a transition domain in which to create the disabled user accounts. This allows you to migrate user accounts directly to the domain you want. You can remove the transition domain after the Active Directory Account Cleanup Wizard has deleted all the disabled user accounts.

Run Active Directory Migration Tool with sIDHistory and Then Run ADC

Running ADC after fully migrating all your user accounts is simple. Although you can use Active Directory Migration Tool to clone users from one or more Windows NT 4.0 source domains into one or more Windows 2000 domains, you should try to consolidate user accounts. In this scenario, you configure Active Directory Migration Tool so that the sIDHistory attribute is updated with primary and group SIDs from the source account. Cloned users get new SIDs, but they can still access resources for which permissions have been assigned by using their old SIDs.

The key is that ADC recognizes sIDHistory and can match the Exchange 5.5 mailbox’s primary Windows NT 4.0 account with the old primary SID that is now stored in sIDHistory.

Next



Top of Page


Last Updated: Friday, July 6, 2001