Migrate to Exchange 2010 Address Book Policies from Exchange 2007 Address List Segregation
Applies to: Exchange Server 2010 SP3, Exchange Server 2010 SP2
The instructions in this topic will walk you through the steps required to migrate from Exchange 2007 ACL-based global address list (GAL) segmentation (also known as GAL segregation) to Exchange 2010 Service Pack 2 (SP2) address book policies (ABPs).
Several procedures in this topic will impact users. As a result, scheduled downtime is often required.
Although not a specific prerequisite, it’s highly recommended that you review the considerations and best practices in Understanding Address Book Policies before performing the procedures in this topic.
The procedures in this topic assume that you followed the steps in the white paper Configuring Virtual Organizations and Address List Segregation in Exchange 2007 to configure your Exchange 2007 organization.
If you followed the steps in the white paper listed above to implement GAL segmentation in your Exchange 2010 organization, you are officially in an unsupported state. To successfully perform the procedures in this topic, you must first return your organization to a supported state.
Most of the code and Shell examples in this document use Contoso as the Active Directory domain name and the Exchange organization name, and Fabrikam and Tailspin Toys as the sub-organization names. Be sure to change the name of the Exchange organization, domain, and sub-organizations to match your configuration.
You will need the scripts that you used to segment the virtual organizations in Exchange 2007.
Setting Up the Scenario
In this scenario, Tailspin Toys and Fabrikam are subsidiaries of the parent company Contoso.
Step 1: Prepare to install Exchange 2010 SP2 in an existing Exchange 2007 organization that has configured GAL segmentation (downtime required)
If your organization is using Exchange 2007 GAL segmentation, installing Exchange 2010 will fail because using GAL segmentation required you to remove all the default settings and permissions from the default GAL.
On a domain controller in the Exchange 2007 organization, run the following command at the command prompt to allow access to the default GAL.
DSACLS "CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=CONTOSO,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com" /N /G contoso\administrator:RP
On a domain controller that has Windows PowerShell installed or on an Exchange server using the Exchange Management Shell, run the following commands to reconfigure the default settings on the GAL.
After you complete this step, Outlook 2007 users will be able to see the default GAL. However, Outlook Web App users won’t be able to see the default GAL because Outlook Web App uses the QueryBaseDN attribute to query the GAL.
$container = "CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=CONTOSO,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com"
Add-ADPermission $container -User "Authenticated Users" -AccessRights GenericRead, ListChildren -ExtendedRights Open-Address-Book
You will receive the following warning and output:
WARNING: Appropriate ACE is already present on object "CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists Container,CN=CONTOSO,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=CONTOSO,DC=COM" for account "NT AUTHORITY\Authenticated Users"

Identity              User                  Deny   Inherited  Rights
--------              ----                  ----   ---------  ------
\Default Global A...  NT AUTHORITY\Auth...  False  False      Open-Address-Book
\Default Global A...  NT AUTHORITY\Auth...  False  False      ReadProperty
\Default Global A...  NT AUTHORITY\Auth...  False  False      ListObject, Generi...
\Default Global A...  NT AUTHORITY\Auth...  False  False      ListChildren
Step 2: Install the first Exchange 2010 server
For detailed instructions, see Upgrade from Exchange 2007 Client Access
Step 3: Secure the default GAL
After you install Exchange 2010 SP2, you can remove the address lists that are created during installation and then secure the default GAL again. After you complete this step, you can continue to install additional Exchange 2010 SP2 servers in your organization. For more information, see Understanding Upgrade from Exchange 2007 to Exchange 2010.
(Optional) On an Exchange 2010 server, use the Shell to remove the newly created address lists.
Remove-AddressList "All Contacts"
Remove-AddressList "All Groups"
Remove-AddressList "All Users"
Remove-AddressList "Public Folders"
For more detail, see Remove an Address List.
On an Exchange 2010 server, use the Shell to secure the GAL based on the instructions in the white paper Configuring Virtual Organizations and Address List Segregation in Exchange 2007.
Get-GlobalAddressList "Default Global Address List" | Add-ADPermission -User "Authenticated Users" -AccessRights GenericRead -ExtendedRights Open-Address-Book -Deny:$True
To verify that the commands were successful, run the following commands.
$galContainer = "CN=All Global Address Lists,CN=Address Lists Container,CN=CONTOSO,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com"
Get-ADPermission $galContainer -User "Authenticated Users"
The output of this command should resemble the following:
Identity              User                  Deny   Inherited  Rights
--------              ----                  ----   ---------  ------
All Global Addres...  NT AUTHORITY\Auth...  False  False      GenericRead
All Global Addres...  NT AUTHORITY\Auth...  False  False      Open-Address-Book
All Global Addres...  NT AUTHORITY\Auth...  False  True       ListChildren
All Global Addres...  NT AUTHORITY\Auth...  True   True       ReadProperty
Step 4: Switchover to Exchange 2010 servers (downtime required)
Before moving any mailboxes to Exchange 2010 SP2 servers, you must switchover external URL names. This requires configuring Outlook Anywhere, Outlook Web App, Exchange Web Services (EWS), Exchange Control Panel (ECP), AutoDiscover, and offline address books (OABs) to use Exchange 2010 servers instead of Exchange 2007 servers. There are many steps in this process, and you should refer to the information in Exchange 2007 - Planning Roadmap for Upgrade and Coexistence for more detail.
The following steps outline only the key procedures in the overall process and explain what each of them accomplishes. You may need to run some of these commands on each server in your organization (some only once), and most will result in some period of downtime. Therefore, it’s strongly recommended that you spend adequate time testing your entire switchover process to ensure minimal impact to your clients.
Use the Shell to move all OAB generation to an Exchange 2010 Mailbox server. Moving the OAB generation to Exchange 2010 SP2 servers allows OABs to use GALs and not just address lists as sources for the OAB content.
Get-OfflineAddressBook | Move-OfflineAddressBook -Server "MBX01_Ex2010SP2"
For more detail, see Move the Offline Address Book Generation to Another Server.
Set the virtual directories for the OAB to include an Exchange 2010 OAB virtual directory. This will distribute copies of the OABs to the Exchange 2010 servers.
This example ensures both the Exchange 2007 and Exchange 2010 servers have copies of all OABs.
Get-OfflineAddressBook | Set-OfflineAddressBook -virtualdirectories "CAS1_Ex2007\OAB (Default Web Site)","CAS1_Ex2010SP2\OAB (Default Web Site)"
For more detail, see Configure Offline Address Book Distribution Properties.
Before any mailboxes can be moved to Exchange 2010, you must route all incoming Outlook Anywhere traffic through Exchange 2010.
This example enables Outlook Anywhere on an Exchange 2010 server and disables it on an Exchange 2007 server.
Enable-OutlookAnywhere -Server:CAS1_Ex2010SP2 -ExternalHostname:mail.contoso.com -ClientAuthenticationMethod:Basic
Disable-OutlookAnywhere -Server:CAS1_Ex2007
For more detail, see the following topics:
To allow AutoDiscover to properly return URLs from Exchange 2010 servers, you must configure Outlook Web App, Exchange ActiveSync, EWS, and ECP on all Exchange 2010 servers to have valid external URL properties for the virtual directories.
The following examples assume that mail.contoso.com is the external name used to access the Exchange 2010 servers.
Set-ActiveSyncVirtualDirectory -Identity 'CAS1_Ex2010SP2\Microsoft-Server-ActiveSync*' -ExternalURL https://mail.contoso.com/Microsoft-Server-ActiveSync
Set-WebServicesVirtualDirectory -Identity 'CAS1_Ex2010SP2\EWS*' -ExternalUrl https://mail.contoso.com/EWS/exchange.asmx
Set-OWAVirtualDirectory -Identity 'CAS1_Ex2010SP2\OWA*' -ExternalURL https://mail.contoso.com/OWA
Set-EcpVirtualDirectory -Identity 'CAS1_Ex2010SP2\ECP*' -ExternalURL https://mail.contoso.com/ECP
For more detail about how to configure the above settings, see the following topics:
To allow Exchange 2010 to redirect Outlook Web App and EWS requests back to Exchange 2007 for those users whose mailboxes are still on Exchange 2007 servers, you need to configure the Outlook Web App and EWS external URLs for Exchange 2007 to use legacy.contoso.com. This namespace is the external name used to access the Exchange 2007 servers.
Set-WebServicesVirtualDirectory -Identity 'CAS1_Ex2007\EWS*' -ExternalUrl https://legacy.contoso.com/EWS/exchange.asmx
Set-OWAVirtualDirectory -Identity 'CAS1_Ex2007\OWA*' -ExternalURL https://legacy.contoso.com/OWA
To allow Exchange 2010 to proxy all incoming Exchange ActiveSync connections to Exchange 2007, clear the 2007 external URL for Exchange ActiveSync.
Set-ActiveSyncVirtualDirectory -Identity 'CAS1_Ex2007\Microsoft-Server-ActiveSync*' -ExternalURL:$null
The final step in the process is to change the public DNS so that mail.contoso.com (in the example we provided) and autodiscover.contoso.com resolve to Exchange 2010, and the legacy.contoso.com DNS record resolves to Exchange 2007. All client connections will go through Exchange 2010, and then Exchange 2010 will either redirect (in the case of Outlook Web App), proxy (in the case of Exchange ActiveSync), or provide version-specific URLs (in the case of EWS) to clients via AutoDiscover.
Step 5: Create ABPs that mirror the Exchange 2007 address list segmentation ACLs
The next step is to figure out what address lists, GALs, and OABs the virtual organizations have access to using GAL segmentation, and then create an ABP for each virtual organization that mirrors them.
If you used the steps in Configuring Virtual Organizations and Address List Segregation in Exchange 2007 to set up your Exchange 2007 organization, you created scripts that segmented your virtual organizations. View those scripts that you used to create the virtual organizations in Exchange 2007 to determine the GAL, address lists, and OAB for each virtual organization. For each virtual organization, you should find one GAL, at least one address list, and one OAB.
ABPs must have a room list. If you don’t use room lists in your organization, create a blank room address list and then use that address list when configuring the ABP or set the room list property in the ABP to use the same address list you specify for the GAL.
For example, when viewing the script used to segment the child company Tailspin Toys, the following information is located:
Tailspin Toys users are all contained in a security group called Tailspin_SG.
The security group Tailspin_SG grants users read/open access to the following:
Tailspin Toys doesn’t have a room address list.
Create an ABP that matches the Tailspin Toys organization.
For example, if you use the Exchange Management Console to create the ABP, enter the following information in the New Address Book Policy wizard:
If you use the Shell to create the ABP, run the following command.
New-AddressBookPolicy -Name 'ABP_Tailspin' -GlobalAddressList '\GAL_Tailspin' -OfflineAddressBook '\OAB_Tailspin' -AllRoomList '\RAL_BLANKROOMS' -AddressLists '\AL_TailspinContacts','\AL_TailspinGroups','\AL_TailspinUsers'
For more detail, see Create an Address Book Policy.
Repeat the above instructions for each of your virtual organizations (for example, Fabrikam).
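Reading the original segmentation scripts is the authoritative way to find each virtual organization's GAL, address lists, and OAB, but the live ACLs can be used to cross-check them before the ABP is created. The following Exchange Management Shell script is an added example, not code from the article or from the white paper: it lists every GAL and address list that the virtual organization's security group is allowed (and not denied) to open, collects the OAB assigned to the group members' mailboxes, checks that exactly one GAL, at least one address list, and one OAB were found, and then runs New-AddressBookPolicy with -WhatIf so you can compare the result with your scripts. The group account contoso\Tailspin_SG, its DN under CN=Users, the policy name ABP_Tailspin, and the blank room list \RAL_BLANKROOMS are assumptions taken from the Tailspin Toys scenario above; the Test-OpenAddressBookAllowed function is hypothetical and defined here.

```powershell
# Added example: derive the address book objects an Exchange 2007 virtual organization
# can open, so the matching Exchange 2010 SP2 ABP can be built and verified.
# Assumed names (change to match your organization):
$groupAccount = 'contoso\Tailspin_SG'                          # security group of the virtual organization
$groupDN      = 'CN=Tailspin_SG,CN=Users,DC=contoso,DC=com'    # its distinguished name
$policyName   = 'ABP_Tailspin'
$roomList     = '\RAL_BLANKROOMS'                              # blank room list created beforehand

# Hypothetical helper: $true only when the group holds an Allow ACE for Open-Address-Book
# on the object and no Deny ACE for the same right (a Deny would win for the group's users).
function Test-OpenAddressBookAllowed {
    param($AddressBookObject)
    $aces  = $AddressBookObject | Get-ADPermission -User $groupAccount -ErrorAction SilentlyContinue
    $allow = @($aces | Where-Object { -not $_.Deny -and ("$($_.ExtendedRights)" -match 'Open-Address-Book') })
    $deny  = @($aces | Where-Object { $_.Deny -and ("$($_.ExtendedRights)" -match 'Open-Address-Book') })
    return ($allow.Count -gt 0) -and ($deny.Count -eq 0)
}

# GALs and address lists are segmented by ACL, so read them from the ACLs.
$gals = @(Get-GlobalAddressList | Where-Object { Test-OpenAddressBookAllowed $_ })
$als  = @(Get-AddressList       | Where-Object { Test-OpenAddressBookAllowed $_ })

# The OAB was assigned per mailbox in Exchange 2007, so read it from the group members' mailboxes.
$oabs = @(([ADSI]"LDAP://$groupDN").member |
    ForEach-Object { Get-Mailbox -Identity $_ -ErrorAction SilentlyContinue } |
    Where-Object  { $_ -and $_.OfflineAddressBook } |
    ForEach-Object { $_.OfflineAddressBook.ToString() } |
    Sort-Object -Unique)

"GAL(s) opened by $groupAccount        : " + (($gals | ForEach-Object { $_.Name }) -join ', ')
"Address list(s) opened by $groupAccount: " + (($als  | ForEach-Object { $_.Name }) -join ', ')
"OAB(s) assigned to group members       : " + ($oabs -join ', ')

# The article expects one GAL, at least one address list and one OAB per virtual organization.
if ($gals.Count -ne 1 -or $als.Count -lt 1 -or $oabs.Count -ne 1) {
    Write-Warning "Unexpected counts (GAL=$($gals.Count), AL=$($als.Count), OAB=$($oabs.Count)); compare with the segmentation script before creating the ABP."
}
else {
    # Dry run: remove -WhatIf once the names match the segmentation script.
    New-AddressBookPolicy -Name $policyName `
        -GlobalAddressList  $gals[0].Identity `
        -OfflineAddressBook $oabs[0] `
        -AllRoomList        $roomList `
        -AddressLists       @($als | ForEach-Object { $_.Identity }) `
        -WhatIf
}
```

Because the ACL check looks for an explicit Deny as well as an Allow, a list that the white paper's scripts first denied to Authenticated Users and then allowed to the group is reported correctly; a list that is only inherited-allowed and never explicitly granted to the group is not reported, which is the behaviour you want when mirroring segmentation rather than default access.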
Step 6: Move mailboxes from Exchange 2007 servers to Exchange 2010 servers (downtime required)
When you move mailboxes to the Exchange 2010 servers, you switch them over from using the ACLs to using ABPs.
We recommend that you create a script that performs this procedure in one step.
Move the mailboxes using the MoveRequest cmdlets. For more information, see Create a Local Move Request.
Assign the ABP to moved mailboxes. For more information, see Assign an Address Book Policy to a Mailbox User (EPW).
Clear the QueryBaseDN from the user object. This can be done directly via the Adsiedit.msc console or by using a multi-step process from the Shell. This example shows how to clear the QueryBaseDN by using the Shell.
$user = ([ADSI]"LDAP://CN=Bob,CN=Users,DC=Contoso,DC=com").psbase
$user.Properties["msExchQueryBaseDN"].Value = $null
$user.CommitChanges()
Remove the OAB setting from the mailbox.
This example removes the OAB from John’s mailbox:
Set-Mailbox -Identity John -OfflineAddressBook $null
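The article recommends scripting the move, ABP assignment, QueryBaseDN clean-up and OAB removal as one step. The following Exchange Management Shell script is an added example of such a script, not code from the article: for every member of the virtual organization's security group it creates a local move request, waits for it to complete, then assigns the ABP and removes the per-mailbox OAB in a single Set-Mailbox call, and finally clears msExchQueryBaseDN. The group DN CN=Tailspin_SG,CN=Users,DC=contoso,DC=com, the ABP name ABP_Tailspin and the target database name DB01_Ex2010SP2 are assumptions; the Clear-QueryBaseDN function is hypothetical and uses the PropertyValueCollection Clear() method instead of the article's assignment of $null, which has the same effect.

```powershell
# Added example: move one virtual organization's mailboxes to Exchange 2010 SP2 and switch
# them from ACL-based segmentation to an ABP in one pass. Assumed names:
$groupDN  = 'CN=Tailspin_SG,CN=Users,DC=contoso,DC=com'   # security group of the virtual organization
$targetDB = 'DB01_Ex2010SP2'                              # Exchange 2010 SP2 mailbox database
$abpName  = 'ABP_Tailspin'                                # ABP created in Step 5

# Hypothetical helper: remove msExchQueryBaseDN from the user object (Outlook Web App
# otherwise keeps querying the segmented container instead of the ABP's GAL).
function Clear-QueryBaseDN {
    param([string]$UserDN)
    $entry = ([ADSI]"LDAP://$UserDN").psbase
    if ($entry.Properties['msExchQueryBaseDN'].Count -gt 0) {
        $entry.Properties['msExchQueryBaseDN'].Clear()
        $entry.CommitChanges()
    }
}

foreach ($userDN in ([ADSI]"LDAP://$groupDN").member) {
    $mbx = Get-Mailbox -Identity $userDN -ErrorAction SilentlyContinue
    if (-not $mbx) { continue }                      # group member without a mailbox

    if ($mbx.Database.ToString() -ne $targetDB) {
        New-MoveRequest -Identity $mbx.Identity -TargetDatabase $targetDB | Out-Null

        # The ABP can only be applied once the mailbox is on Exchange 2010 SP2, so wait for the move.
        do {
            Start-Sleep -Seconds 30
            $stats = Get-MoveRequestStatistics -Identity $mbx.Identity
        } until ($stats.Status -eq 'Completed' -or
                 $stats.Status -eq 'CompletedWithWarning' -or
                 $stats.Status -eq 'Failed')

        if ($stats.Status -eq 'Failed') {
            Write-Warning "Move failed for $($mbx.Alias): $($stats.Message)"
            continue                                  # leave this user on Exchange 2007 and its ACLs
        }
        Remove-MoveRequest -Identity $mbx.Identity -Confirm:$false   # clean up the completed request
    }

    # Apply the ABP and drop the per-mailbox OAB in the same call, so the user is never left
    # with an address book configuration that is neither ACL-based nor ABP-based.
    Set-Mailbox -Identity $mbx.Identity -AddressBookPolicy $abpName -OfflineAddressBook $null
    Clear-QueryBaseDN -UserDN $mbx.DistinguishedName

    "$($mbx.Alias): moved to $targetDB, ABP '$abpName' assigned, OAB and QueryBaseDN cleared"
}
```

Run it during the scheduled downtime for that virtual organization, one group at a time; users who are already on the target database are not moved again but still receive the ABP and the clean-up, so the script can be rerun safely after a partial failure.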
After the mailboxes are moved and all of the other settings have been configured, users using Outlook will get the following error and they will be required to close and restart Outlook: “The Microsoft Exchange Administrator has made a change that requires you to quit and restart Outlook.”
Step 7: What’s next?
After you’ve moved all of your mailboxes to Exchange 2010 SP2 and all of the mailboxes are running on ABPs with your ACLs decommissioned, you can start following the standard Exchange guidance for removing the Exchange 2007 organization.
If you get stuck, this Microsoft Knowledge Base article may help:
© 2010 Microsoft Corporation. All rights reserved.