First, I had Server 2008 R2 Datacenter as my operating system on both the existing server (denoted double) and the new server (denoted ruby).  The servers could clearly communicate with each other within the same datacenter as well so that file / data transfers could be effective.  The first thing to adding any server is to give the new server a name and know its network configuration details ahead of time.  I’m not going to go into details about how to install Windows, since it’s pretty simple.  Just make sure that you have the correct drivers installed for your server after the installation completes.

Note about installing Windows: just so that you don’t run into any issues with your system, make sure that your primary hard drive is attached to the first port for your motherboard’s interface, in my case, the first hard drive was connected to SATA 0.  If you don’t do this, you’ll run into a lot of problems and waste a lot of time (like I did!).  In addition, make sure that your BIOS has AHCI enabled prior to installing Windows, this also caused problems in my scenario.  Once Windows is installed, make sure that you can disable write caching on your hard disk without the operating system freezing (in computer management, under storage, right click the disk and optimize for quick removal).  If you followed the above, this shouldn’t cause Windows to hang, and will prevent Active Directory from incapacitating your system during the restart phase of the installation.  In addition, this is a good time to name your computer, join it to some default workgroup, add remote administration features, and change the time zone / clock settings.

Before continuing, I’d also recommend disabling Internet Explorer’s advanced security features; this is done by going to the computer management main screen and scrolling down, finding IE ESC and turning it off (acknowledging all of the warnings).  If you keep them on, you’ll find yourself doing way too much work to download necessary applications, etc.  These features are only useful if you plan on doing general web surfing on the server (which I would not recommend for security reasons).  I also activated windows, ran all the necessary windows updates (several reboots and optional updates as well).  After this all has been done, I ended up rebooting the machine a final time.

At this point, I installed several applications (using IE to get Google Chrome initially).

• Google Chrome (http://chrome.google.com) for web surfing / downloading the rest of these
• Adblock plus for chrome (http://adblockplus.org/en/) to block malware / ads
• 7zip (http://www.7-zip.org/download.html) for good archive file support
• Microsoft Security Essentials (http://windows.microsoft.com/en-US/windows/products/security-essentials), Windows 7 version works fine, this is a quick, safe, free antivirus solution for all of those who hate Symantec’s ability to slow down the entire system (hey, that’s me!)   This is also good for desktop users!  I would recommend disabling the scheduled Sunday scan since real-time protection is sufficient in my case.
• Magic ISO (http://www.magiciso.com/tutorials/miso-magicdisc-overview.htm) to mount ISO images (including the Exchange 2010 ISO if you downloaded it from MSDN like I did).
• Office Filter Packs which are a prerequisite for Exchange 2010 (http://www.microsoft.com/download/en/details.aspx?id=17062)

At this point, I added 2 custom firewall rules on both servers that allowed unrestricted incoming traffic from each server.  I then started the Active Directory installer by installing the AD User Service Role, and then ran DCPromo.exe as suggested by the installer.  I did an advanced mode install, adding a new controller to an existing domain in an existing forest, installing the DNS role locally, and I let it install.  For the AD Restore Password, make sure you remember what you set it to since this will be the password to the local (inaccessible) administrator account on the server incase everything fails.  At this point, the server should reboot at least once on its own.

Next, I mounted the Exchange ISO and went through the step by step screens to install it.  For me, I installed the mailbox, client access, hub transport, and management tools roles.  I told it that the client role would be internet facing to the OWA website (matthouse.org).  Exchange takes roughly 3 hours to install at this point.  After it is done, you should enter the Exchange Management Console (EMC), enter a product key to active it, and add a send connector for your organization (for the new server specifically).  If you’re wondering why your server isn’t sending mail (and you’re new to this and installing Exchange for the first time), try adding a send connector that is internet facing and allows *, that will fix your problem.

You will want to run Windows updates again and make sure that all of the Exchange updates are installed before continuing.  This may require several reboots of the server.

At this point, Exchange should be synched with the other server mostly so it’s time to start migrating services.  I first recommend changing all of your DNS records for mail over to the new server and give them time to propagate (as per the Time to Live [TTL] value on the record).  I also did mailbox remove requests (through the EMC) to the database on the new server; this should be fairly intuitive for anyone with a background in at least some systems administration.  I also went through all the client access role options and made sure that the internal / external sites for IMAP, POP, OWA, OAB, and ECP were properly set up for my main OWA address (matthouse.org).

Since Exchange by default requires https://server/owa to gain access to Outlook Web Access [OWA], I needed to add a few files to the web root of the domain to properly forward the user onto the OWA website when they went to the main website.  To do this, simply go to the IIS manager, go to the Default Website, and right click and open the document root.  In here, add 2 files as follows:

Web.config:
<?xml version=”1.0″ encoding=”UTF-8″?>
<configuration>
<system.webServer>
<httpErrors>
<error statusCode=”403″ subStatusCode=”4″ path=”https://matthouse.org” responseMode=”Redirect” />
</httpErrors>
</system.webServer>
</configuration>

Default.aspx

<script language=”c#” runat=”server”>
private void Page_Load(object sender, System.EventArgs e)
{
Response.Status = “301 Moved Permanently”;
Response.AddHeader(“Location”,”https://matthouse.org/owa”);
}
</script>

Basically, these 2 files will forward anyone from the web root to the appropriate OWA directory in SSL (https) mode.  I figure that anyone competent can figure out what needs to be changed, it isn’t rocket science, after all.

At this point, I added a real RapidSSL certificate to the server.  To do this, I went to the Exchange Management Console, went to the server tab, found the place to generate a CSR (Certificate Signing Request) and I created one.  I pasted everything from the CA (Certificate Authority) and imported it to Exchange and set all the services to use it (IIS, SMTP, POPS, IMAPS).  I also found the remote desktop session host manager window, right clicked the configuration of the server, and right clicked on rdp-tcp and went to properties.  I selected the general tab, selected the appropriate already installed certificate and ok’d everything, after restarting my RDP session, I had the new secure connection.

For anyone who is curious about anti-spam, there is a hidden anti-spam feature on the Exchange Hub Transport role, to get this, you can run the below steps in the Exchange PowerShell environment.  Afterwards, you will see an Anti-spam option in the Hub Transport role node under the Organization Configuration node of the EMC.  As for me, I opted for Forefront Protection 2010 (formerly Forefront Security 2010) since it provides a much more sophisticated scanning engine, although it does cost more and takes a lot more memory and configuration to get running smoothly.

• cd /
• cd c:\
• cd program files
• cd microsoft
• cd exchange server
• cd v14
• cd scripts
• ./install-AntispamAgents.ps1
• Restart-Service MSExchangeTransport

After all of this, I also found an IE9 / EMC interoperability bug where you can’t close the EMC if IE9 is installed on the system, this seems to be a bug with the Microsoft Management Console (MMC), so the patch can be directly downloaded from Microsoft, I would recommend searching Google for hotfix 2624899 to get the patch.  Keep in mind that a hotfix rollup in the future will include this patch from Microsoft so I’d recommend only installing it if you have this issue.

At this point, I’d recommend securing the firewall, RDP’s port, and adding some backup scripts.

Next, it is time to remove the old server.  I ran the following in the Exchange Management Power Shell Environment: “Get-Mailbox -Arbitration -Database db1 | New-MoveRequest -TargetDatabase db2”, where db1 is on the old server, and db2 is on the new server.  In EMC, I went to the organization node > mailbox > offline address book (OAB), added a new OAB generated by the new server and removed the existing one generated by the old server.  I also went to hub transport under organization, went to send connectors and removed the old server from the send connector.

On the new server, go to Active Directory Sites and Services under Administrative Tools and find each domain controller and view the properties.  Make sure the new domain controller is a global catalog and the old domain controller is not a global catalog server (respectively), these will be under the NTDS settings properties page.  Next, we need to transfer several roles, I used (http://www.petri.co.il/seizing_fsmo_roles.htm) as a guide for this.

• open command prompt (run cmd)
• ntdisutil
• roles
• connections
• connect to server <new domain controller>
• q
• transfer naming master
• transfer infrastructure master
• transfer PDC
• transfer RID master
• transfer schema master
• q

On the old server, remove the Active Directory Certificate Services role if it exists (you can probably ignore any warnings since Exchange should be using external certificates).  You may have to reboot the server.  Finally, go to add/remove programs on the old server, and remove Exchange 2010 by deselecting all of the roles.  Exchange automatically detects if it is safe to remove everything and will transfer anything left behind over to the new server.  Do the same for Active Directory by running DCPromo.exe (under the Active Directory node of the server management console), and running through the prompt.  If you get any warnings / errors when attempting to remove Exchange / Active Directory, take the advice and don’t continue since you might end up creating a lot more work for yourself.

Once everything is removed, you can trash the old server from the network and Exchange has been successfully moved.  For me, I ended up having about 4 reboots that affected OWA for users for a total of roughly 5 minutes each while Exchange rebooted.

As usual, thanks for reading.  Disclaimer: this information is provided on an as-is basis, I do not guarantee that this will work in your scenario, but I hope that it can help someone else out that is having similar difficulties to the ones that I’ve described.

To change the policy, goto your start menu and in the search area (provided it will run commands), type in “gpmc.msc” and hit enter.  This will bring up the Group Policy Management Console.  Expand the local forest that you want to modify the password policy for.  Expand Domains, and the domain that you wish to modify.  Right click on Default Domain Policy and click edit.  This will bring up a new screen.  You want to navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy.  From this screen, you will be able to modify the password policy.  You can either reboot or type in a new command “gpupdate /force” and the new settings will take over.

I don’t recommend disabling features such as complexity because your users will then be able to use passwords such as “letmein, password, changeme”, etc.  These are insecure passwords and those who use them are simply asking to get their accounts compromised.

Also, the solution above will not work if you have a password window open that is forcing you to use a complex window, you will have to go through that wizard again.  This also won’t reverse the force password changes on next login if a user needs to change their password due to the old policies.

Over the past week, I got a new server to host Microsoft Exchange which is a powerful email server from Microsoft.  Before you go all crazy on Microsoft (I know I typically do), Exchange is one of the few excellent products they make.  I am actually very hard pressed to find anything that compares to it that is open source and can easily run on Linux which 99% of  my hosting business up until now has ran off from.  Man, I never thought that I would say that

So the first logical question is, why move your email to exchange?  As you know, I’ve had 1and1 mailxchange now for quite some time.  I really wanted a solution that would sync my calendar, contacts, tasks, files, and email to every device I use on a daily basis.  Mailxchange was that solution but there are many problems. First the web client is very slow,  sure its flashy, but it takes 5 minutes to load on my connection (that is fairly fast).  I don’t have the time to wait on this client to load.  The next problem is it needs custom software to connect to Outlook and Mobile Devices, I’m not into installing “connectors” to software when it has functionality built in with other products.  Perhaps one of my biggest problems is the level of support I’ve gotten from 1and1.  My mail has gone down on a few occasions and I’ve been unable to easily send a support ticket in asking what is wrong.  I’m not even sure if 1and1 backs up my email and I have no method of backup, so I’m kind of stuck if they go down or don’t back up the server.  Its kind of scary actually since I save all of my email.

So about 2 weeks ago, I started talking to a few friends.  I know that I get a free msdn copy of Microsoft Exchange 2003 and Server 2003 from my University.  I figured if I could find a few friends who were interested in small mailboxes on exchange, I could cover the cost for the hardware to host my copies of this software.  I figured that I could host 4 people and handle a server that costs $25 a month from 3dgwebhosting which I’ve had in the past and they run excellent hosting on Windows server 2003.  They cover the license cost, so I’d only be covering exchange.  The downfall was I would only have 10GB to work with which isn’t a lot for email and backups.  Because of this, I looked for alternate hosting.  I decided that if I could find xen hosting, xen would support Windows.

About this time when I was looking, I knew that http://fsckvps.com who is a child company of vaserv in England hosted xen vps machines.  I went to that site to look up their support email and found out about the horrible hypervm owner hanging and they were down.  Anxious to get this hosting off the ground, I began looking at alternate places for hosting.  Shortly after, I found good reviews on other blogs of a new hosting company called Elite Data Hosting.  I contacted them about a 10mbps plan to host exchange on and they got an account for me on a xen vps using my server key.  I’m basically paying $15 a month for ~325MB of ram and 30GB of hard disk space.  The server is a high end server and I have had no complaints.  They even took the time to install Windows for me from my disk!

Elite Data Hosting is good news for me because I now can have my 2 guaranteed friends and myself have a guaranteed 5GB of space for files / mailboxes a piece.  It will also be very easy to automate backups of these mailboxes.  We all split the $5 a month cost for the server so I’m basically paying what I would be paying 1and1 but I control my backups and have a better piece of mind.

So now I started the daunting task of setting up the Exchange server. Normally with Microsoft products, it takes about 5 seconds and about 10 clicks of the next button to install software and another 3 minutes to say configure this software to do this.  By that point, everything normally works flawlessly (except for the occasional crashes of Microsoft Windows).  On linux, there is always a lot of configuration, but linux always works without the crashes and instability.  Perhaps this is the way to tell what is good and bad???

To get back to Exchange, I must say, this is the hardest piece of software I have ever had to install on both Linux and Windows.  Part of the reason is the way Exchange relies on existing Server 2003 infustructure to improve itself.  I’m not so sure if I’d rely on a Windows Server operating system, but I really have no choice with Exchange.  Exchange requires Active Directory among other server features to run correctly and the prerequisite list is a nightmare to get through in less than 5 hours if you ask me.  I started with a clean server a week from last Tuesday and didn’t get Exchange running until about Monday and I had 8 hours a day into it at the very least.  I will take part of the blame for not knowing what I was doing past Active Directory configuration, but Exchange was no day at the beach to figure out.  I also had a lot of errors that I spent hours reading about to find simple fixes.  Finally after all of the struggle, I got exchange fully working to the point where I wanted it about 2 days ago. During my struggle, I posted a lot about my solutions on Admin Reference which is my site where I post solutions to all of my problems.  I picture it as another *free* experts exchange but more tutorial based than question based.  Maybe some day it will do a little of both   That is my goal anyways!

One side note that I should add is, when I first loaded Outlook Web Access, I got a crappy looking interface.  I found out quickly that Exchange only supports Internet Explorer in its premium interface (the one that looks nice and loads quick).  Sadly, this is the only reason why I have opened Internet Explorer, and I have found that Firefox can open an IE tab, so I’ve began using that.  I will also likely find a solution when I migrate completely to Linux (my next upcoming project).

So now that Exchange works, what was so difficult? Most of my difficulty was from I never managed an exchange server in the past, and I couldn’t find any decent documentation on how to do it. That is why I posted a lot to Admin Reference unlike I normally would.  My biggest issue was the domain errors which were caused by firewalls and figuring out how to get Outlook Web Access and Outlook Mobile Access working with SSL encryption.  I also was not prepared to spend money on an SSL certificate (required by exchange) and provide antivirus / spam scanning to the server.  I was under the impression that spam/virus protection was built in, but it isn’t, and the freeware gfi version is no longer free.  I figured out how to migrate linux spamassassin to the server and that is adequate for spam protection

One last question that I should cover is why didn’t I go with Exchange 2007?  I will admit that Exchange 2007 is very nice software, but there are a few problems:

• My first issue would be, Exchange 2007 is really bloated.  If you compare the 2003 to 2007 installation disks, the 2003 install disk is about 300MB, the 2007 version is closer to 1.7GB.  That is a huge difference, one that I’m not willing to upgrade for.
• My next issue is due to the bloat, I would need a much powerful server.  I could upgrade to the 600MB RAM server plan with a 50GB hard disk or so for 30 dollars a month, but then I would have to start hosting more mailboxes than I’d want to to cover the costs, and I’m not really into that idea.  I might upgrade for 2003 if people are interested and it won’t take too many server resources or hurt my rigged spam fighting solution, but that is a decision that I’d rather not make now since it works perfectly as is!
• My final issue is, newer software normally sucks.  I always wait for at least Service Pack 1 (2 if possible) until I start using a product mainstream.  Exchange 2003 is at SP2 while Exchange 2007 is at SP1.  With other Microsoft software, I’ve found that when I compare a fresh install of Server 2003 to Server 2008: Microsoft Server 2003 with a GUI (Graphical User Interface or your windows desktop) uses 400MB on a new install, while the Microsoft Server 2008 Core Edition (no desktop, strictly command line to reduce bloat) uses 800MB on a new install with nothing configured.  This is a huge jump and I have a feeling that Exchange 2003-2007 will be very similar (the requirements for 2003 is 256MB of ram, 2007: 2GB of ram).  BIG DIFFERENCE, huh!

All in all, I figure I am paying about $200 bucks total for my new email solution, but my friends really do help cut the cost down to where I can happily afford it.  I still have 1 slot open but have a feeling that will be closed before long.  For a private email server, I consider it an excellent learning experience, and a good way to get some good content on Admin Reference! Hopefully you got some helpful tips out of this.

One final note:  I’d like to put a plug out there to any other system admins.  If you are like me, you are always running into new problems that don’t have easy solutions.  Why not take a few minutes when you find the answer and post it to Admin Reference?  Maybe someday you will look back on it (I know I have) and say thats how to fix it!  Someday when it gets a little more material, I plan on integrating the forum into a wiki that is easily searachable for solutions to problems.