Exchange Q & A: Migration mailbox

Source: Internet
Author: User

Migrating Exchange mailboxes and ensuring mailbox security are tricky tasks, especially for cross-forest migration or mailbox migration between domain servers.

Virtualized Exchange

Q: We want to deploy the Exchange 2010 message transfer solution on a clustered Hyper-V server and plan to protect the mailbox database through a Database Availability Group (DAG). We noticed the following description in "Requirements for Exchange 2010", so I'd like to hear from you:

"Microsoft does not support combining Exchange high availability solution Database Availability group [DAG] with a cluster, high availability or migration solution based on the hypervisor. DAG is supported only when the hardware virtualization environment does not use a clustered root server ."

A: As described above, combining Exchange 2010 DAG with virtualized high availability (HA) is not supported. You must use application-level HA or virtualized HA. For Exchange 2010, we recommend that you use application-level HA.

If you only have a clustered root server and need to use a DAG, you can store DAG members on the clustered Hyper-V root server, as long as you disable all virtualized HA for each virtual DAG member server. The TechNet documentation should have been updated by the time you read this, reflecting this new support method.

Load Balancing Exchange

Q: We are currently designing a new infrastructure for Exchange 2010. We have decided to use a hardware Load balancer to provide high availability and allocate loads between client access servers in the CAS array. To reduce the SSL workload on CAS servers and take full advantage of methods such as cookies and SSL-ID, we need to move the SSL workload to the hardware Load balancer.

We know that transferring SSL workloads for Outlook Web Access (OWA), Outlook Anywhere (OA), and Exchange Web Services (EWS) is feasible, but is this operation supported for Exchange ActiveSync (EAS)? I ask this question because, according to "How to configure SSL burden reduction for Outlook Web Access in Exchange Server 2007", this feature is not supported in Exchange 2007.

A: In fact, for Exchange 2007 and Exchange 2010, transferring SSL workloads for EAS is supported. The Exchange 2007 documentation has never been updated to reflect this support.

Keep in mind that this option is only applicable to inbound CAS servers and Internet-oriented websites. It is not applicable to CAS-to-CAS proxies.

Cross-Forest migration

Q: We are currently preparing to perform a cross-Forest migration from Exchange 2003 to Exchange 2010. We have established a lab environment that simulates the production environment to ensure that things are going smoothly as expected.

First, following the Exchange 2010 TechNet documentation ("Use Prepare-MoveRequest.ps1 scripts in Shell to prepare mailboxes for cross-Forest migration"), we prepared a target forest containing valid Active Directory objects. After the script ran successfully, we could see that the AD object was created in the target forest. But when we try to use the following command to migrate the original mailbox, we receive the error message shown in Figure 1:

New-MoveRequest -Identity 'cotestuser1@contoso.com' -RemoteLegacy -TargetDatabase MDB01 -RemoteGlobalCatalog 'DC1.contoso.com' -RemoteCredential $Cred -TargetDeliveryDomain 'fabrikam.com'

Figure 1 cross-Forest mailbox migration error

Do you know why this error is caused?

A: It's a coincidence that I encountered this problem when performing a cross-Forest migration from Exchange 2003 to Exchange 2010 just a few months ago. With the help of Dmitri Gavrilov (head developer on the Exchange Mailbox team in the Exchange product group), I found this is because there is no NetBIOS resolution between the two Active Directory forests.

When you use the New-MoveRequest cmdlet for cross-Forest mailbox migration, the Exchange 2010 server running the command in the target forest must be able to reach the source mailbox server in the Exchange 2003 organization by its NetBIOS name. This is because the New-MoveRequest cmdlet tries to connect to the source server using the server LegacyDN, which usually only contains the NetBIOS name. Therefore, you must set up WINS or use hosts files to eliminate this error message.
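A pre-flight check for the name-resolution requirement described above, to run on the Exchange 2010 server in the target forest before New-MoveRequest. This is an added example, not code from the original article; the function names and the sample LegacyDN are hypothetical, constructed values.

```powershell
# Added example: verify that the short server name embedded in a server
# LegacyDN resolves from this machine. All names below are constructed.

function Get-ServerNameFromLegacyDN {
    param([string]$LegacyDN)
    # A server LegacyDN ends in .../cn=Servers/cn=<short server name>
    if ($LegacyDN -match '(?i)/cn=Servers/cn=([^/]+)') {
        return $Matches[1]
    }
    throw "No /cn=Servers/cn=<name> component found in '$LegacyDN'"
}

function Test-ShortNameResolution {
    param([string]$Name)
    $result = New-Object PSObject -Property @{
        Name      = $Name
        Resolved  = $false
        Addresses = @()
        Error     = $null
    }
    try {
        # Goes through the Windows resolver, so a hosts-file entry, DNS or
        # NetBIOS/WINS can each satisfy the lookup.
        $result.Addresses = [System.Net.Dns]::GetHostAddresses($Name) |
            ForEach-Object { $_.IPAddressToString }
        $result.Resolved = ($result.Addresses.Count -gt 0)
    }
    catch {
        # Resolution failed: the condition the article fixes with WINS or hosts files.
        $result.Error = $_.Exception.Message
    }
    return $result
}

# Constructed sample LegacyDN for an Exchange 2003 source server
$sampleLegacyDN = '/o=Contoso/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=EX2003SRV'

$serverName = Get-ServerNameFromLegacyDN -LegacyDN $sampleLegacyDN
$check = Test-ShortNameResolution -Name $serverName
if (-not $check.Resolved) {
    Write-Warning "Cannot resolve '$serverName': add a WINS record or hosts entry before moving mailboxes."
}
$check | Format-List Name, Resolved, Addresses, Error
```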
 

Outlook Ports and UDP

Q: I have learned from many places that, when you use a hardware load balancer to provide HA and load distribution for Outlook clients (with all clients accessing the servers from the internal network), the following ports must be enabled so that Outlook connections can run properly: TCP-143 and dynamic RPC over TCP/UDP-1024-65535. Is that true? I think Exchange 2010 does not support User Datagram Protocol (UDP).

A: You are right. Exchange 2010 no longer supports UDP. In fact, you do not need to open UDP, only TCP is enough. This is also applicable to Outlook 2003, although Outlook initially attempted to use UDP notifications. If the Exchange server does not respond to UDP, it will use TCP instead to poll the Exchange Server. The problem is that the Outlook 2003 Client in online mode only polls once every 60 seconds, which causes the following problems:

  • An outbound email can be retained for up to one minute.
  • A new email can take up to one minute to arrive in the inbox.
  • It takes up to one minute to delete an item from a folder.
  • Items moved from one folder to another take up to one minute to disappear from the original folder.

If your Outlook 2003 client is in online mode, follow the steps described in the following Knowledge Base article to fix this problem: "If you are using an Exchange 2010 mailbox, in Outlook 2003, it takes a long time to send and receive email messages."

Email Protection

Q: I am currently designing an Exchange 2010 infrastructure. One of the requirements is to have HA at all levels, so we will use the DAG and Client Access Server (using a client access array and a redundant hardware load balancer) to protect the mailbox database.

We also plan to use the Forefront Threat Management Gateway (TMG) array to publish the Client Access Server to the Internet. I'm not sure how to publish the CAS server to the Internet in an appropriate way. Do we just need to direct the ISA Web publishing rule to the hardware Load balancer on the internal network, and then let the hardware Load balancer allocate client traffic between CAS servers?
 

A: Yes. Let me explain it. When you use TMG or UAG to publish an Exchange 2010 CAS server, you can use the load balancing function of the Web server farm that comes with TMG. Do not just direct Web publishing rules to the hardware Load balancer on the internal network.

In a typical scenario, when TMG receives a client request, it changes the source IP address field in the IP header to the IP address configured in its internal interface. This means that all client requests sent from TMG to the hardware Load balancer via proxy are displayed as from the same client IP address. This causes HLB to send all client requests to the same CAS server, instead of distributing them to different CAS servers in the Exchange 2010 CAS array.

Someone may say that you only need to change the proxy request behavior from "display the request as from the ISA Server computer" to "display the request as from the initial client" (as shown in Figure 2), but it is not that simple. If you do this, you need to set TMG as the default gateway or use static routing on each CAS server. This may cause other problems. In any case, most enterprises still use NAT, which means that the source IP address is displayed as the IP address of the NAT device (as if from the same client); this is true even if you set TMG as the default gateway on the CAS server.

Figure 2 TMG proxy request Behavior

Although TMG provides an additional layer of security that enables you to authenticate these clients before they are passed to the CAS server through a proxy, note that, in terms of affinity, the TMG Web server load balancing function has the same limitations as Windows Network Load Balancing. It actually uses the Windows NLB component, which means that you are limited to source-IP-based affinity and cannot use affinity methods such as cookies or SSL-ID.
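The effect of source-IP affinity behind a proxy or NAT device, as described in this answer, can be reproduced with a toy model. This is an added example, not code from the original article; the server names, IP addresses and the byte-sum hash are constructed stand-ins (real load balancers use their own hashing).

```powershell
# Added example: toy model of source-IP affinity on a hardware load balancer.
# All names and addresses are constructed sample data.

$casServers = @('CAS1', 'CAS2', 'CAS3')

function Select-CasBySourceIP {
    param([string]$SourceIP, [string[]]$Servers)
    # Affinity rule: the same source IP always maps to the same server.
    $sum = 0
    foreach ($b in [System.Net.IPAddress]::Parse($SourceIP).GetAddressBytes()) {
        $sum += $b
    }
    return $Servers[$sum % $Servers.Count]
}

function Get-Distribution {
    param([string[]]$SourceIPs, [string[]]$Servers)
    # Count how many connections each CAS server receives.
    $SourceIPs |
        ForEach-Object { Select-CasBySourceIP -SourceIP $_ -Servers $Servers } |
        Group-Object |
        Select-Object Name, Count
}

# Six Internet clients with distinct addresses
$clients = @('203.0.113.10', '203.0.113.11', '203.0.113.12',
             '198.51.100.7', '198.51.100.8', '192.0.2.44')

# Case 1: the load balancer sees the original client addresses
"Original client IPs:"
Get-Distribution -SourceIPs $clients -Servers $casServers

# Case 2: TMG replaces the source address with its internal interface address
$tmgInternalIP = '10.0.0.5'
"Requests appear to come from TMG:"
Get-Distribution -SourceIPs ($clients | ForEach-Object { $tmgInternalIP }) -Servers $casServers

# Case 3: original-client mode, but all six clients sit behind one NAT device
$natPublicIP = '203.0.113.200'
"Clients behind a single NAT device:"
Get-Distribution -SourceIPs ($clients | ForEach-Object { $natPublicIP }) -Servers $casServers
```

In cases 2 and 3 every connection lands on a single CAS server, because the load balancer has only one source address to hash.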

Mailbox in migration

Q: We have deployed Exchange 2010 in an Active Directory forest that contains a root domain and multiple subdomains. There are Exchange 2010 servers in each subdomain. Sometimes we need to migrate mailboxes between mailbox servers in different domains. We try to do this with Exchange Management Shell commands.

We also need to use the New-MoveRequest cmdlet to migrate mailboxes between subdomains, but when we do this, we do not see the mailboxes in other domains. The command completes successfully, but the mailbox is not listed. In addition, because the mailbox cannot be seen through the Exchange Management Shell, we receive an error message when trying to migrate the mailbox. Do you know what happened?

A: When you use the Exchange 2010 Management Shell, the default recipient scope is set to the domain level. This means that when you run commands such as the Get-Mailbox cmdlet, only the local mailboxes are listed. To change the recipient scope to the entire forest, you must run the following command (see Figure 3):

Set-ADServerSettings -ViewEntireForest:$true

Figure 3 Changing the default recipient scope

Original article: http://technet.microsoft.com/zh-cn/magazine/ff772734.aspx

Source: Microsoft TechNet Chinese site
