Exchange 2003 to Exchange 2010: The “Swing” Migration – Part 4


Good morning and welcome back! Today I am going to update my coverage of the current Exchange Server 2010 “Swing Migration” from Exchange Server 2003.


Initially this weekend's maintenance was going to cover these main items:

  1. Replicate Public Folders
  2. Install SSL Certificate for OWA
  3. Redirect the Domain FQDN for Exchange
  4. Swap the IP Addresses from Exchange 2003 to Exchange 2010
  5. Verify Mail Flow between servers

I will take a bit of time to explain how these items came about and the steps needed to proceed. In the original instructions some of these items were not mentioned or taken into account.


Replicating Public Folders:


On the Exchange 2003 Server, open Exchange System Manager and locate the Public Folders. If you cannot see your public folders, change the view to “View Public Folders”.

Select each one of your public folders, open its properties and add the new Exchange 2010 Server as a replication partner.

Note: If you have a lot of nested public folders then this can take ages; see this article here on Public Folder Migration from Exchange 2003 to Exchange 2010.
Note: If mail cannot flow from 2003 to 2010 then the public folders will NEVER replicate. Make sure mail flow works before expecting the folders to replicate OK.

To verify whether replication is working you can click “Details” on the properties screen to find the Sync status. I have found it will show one of two status messages: “In Sync” or “Local Modified”. As far as I can tell both mean the folders are syncing; this seems to be a quirk of Exchange 2003 not showing correct status reports. I recommend testing thoroughly before assuming it is working.
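Because the Exchange 2003 status display cannot be trusted, it helps to check replication from the Exchange 2010 side with numbers. The following is an added example, not code from the original post: it walks the public folder tree from the Exchange Management Shell on the 2010 server, adds the 2010 public folder database as a replica wherever it is missing (the same change made folder by folder in Exchange System Manager above), and then lists each folder's replicas and item count. `$Ex2010Server` and `$Ex2010Db` are placeholders that you must replace with your own server and database names.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell
# on the Exchange 2010 server. Both values below are placeholders.
$Ex2010Server = "EX2010"                            # placeholder: the new Exchange 2010 server
$Ex2010Db     = "Public Folder Database 1234567890" # placeholder: its public folder database name

# All folders below the root (the root "\" itself is skipped)
$folders = Get-PublicFolder -Identity "\" -Recurse -Server $Ex2010Server -ResultSize Unlimited |
           Where-Object { $_.Identity.ToString() -ne "\" }

foreach ($f in $folders) {
    $replicas = @($f.Replicas | ForEach-Object { $_.ToString() })
    if (-not ($replicas | Where-Object { $_ -like "*$Ex2010Db*" })) {
        # Add the 2010 database as a replica; the 2003 replica stays in place until cut-over
        Set-PublicFolder -Identity $f.Identity -Server $Ex2010Server -Replicas @{ Add = $Ex2010Db }
        Write-Host "Added replica to $($f.Identity)"
    }
}

# Report replicas and item counts. A folder that holds items on 2003 but stays at
# ItemCount 0 on 2010 for a long time is one to investigate; remember that mail
# flow from 2003 to 2010 must work before any content replicates.
$folders | ForEach-Object {
    $stats = Get-PublicFolderStatistics -Identity $_.Identity -Server $Ex2010Server -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Folder    = $_.Identity.ToString()
        Replicas  = (@($_.Replicas | ForEach-Object { $_.ToString() }) -join "; ")
        ItemCount = $(if ($stats) { $stats.ItemCount } else { "n/a" })
    }
} | Sort-Object Folder | Format-Table Folder, ItemCount, Replicas -AutoSize
```

Run the report twice a few hours apart; item counts that rise towards what Exchange System Manager shows on the 2003 side are a far better signal than the “In Sync” label.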


Install SSL Certificate for OWA:


One of the things I also found we needed to take care of was purchasing an SSL certificate in order to make sure OWA worked correctly. Our current setup did not use a certificate, which is not secure, but a certificate is easier to set up on the new server than to transfer.

My suggestion: GET YOUR CERTIFICATE AHEAD OF TIME!!!

I have found that hosting providers can take up to 4 days to complete this process. Make sure you know your domain names ahead of time and the requirements needed to request a certificate. Here's what I learned:

  1. Exchange requires a specific type of SSL certificate called a UCC (Unified Communications Certificate).
  2. Each service or domain name you use will count as a single domain on the certificate. Example:
     1. autodiscover.domain.com
     2. webmail.domain.com
     3. domain.com
     4. internal.domain.com
     This all means you would need 4 seats on the certificate. Certificates come in 5, 10 and higher flavors.
  3. Shop around for prices!! They are not all built the same.

I will add instructions on installing Exchange certificates in another post, but every major hosting service also supplies support and instructions on them.

Important note: When applying for your certificate make sure you have (1) a signed letter of intent, and (2) proof that you can operate under the name being certified or (3) federal tax information. The hosting company will ask for these items to verify your claim to the certificate.

Redirect the Domain FQDN for Exchange

Ok this one came out of left field and hit me when I was applying for my SSL Certificate.

Problem: My internal domain name does not match my external webmail domain. On top of that I do not own the external equivalent of my internal domain name. Therefore no authority can be given to the hosting certificate to provide SSL for it.

Answer: You need to redirect your internal domain on the new Exchange server to see the external one. How do I do this?

To reconfigure your domain to use only the external domain name you have a couple of options. If you are using Active Directory you can migrate an internal Active Directory domain to a registered External name. This will change the internal FQDN of your Exchange Servers so they will become a valid subdomain of your registered domain (e.g. change from CASServer01.yourcompany.internal to CASServer01.yourcompany.com) allowing you to use a SAN certificate or a Wildcard to secure these names. Alternatively, you can redirect the internal names to use the external mail URL, but this method will not allow access to mail using the Outlook Anywhere service so users connecting over a VPN would have connection problems.

Redirecting your Exchange Server to use the External DNS Name

To update your Exchange 2007 or Exchange 2010 server you will need to run the following commands from the Exchange Management Shell, replacing HostName with the name of the server running the Client Access role and mail.yourdomain.com with your external domain name. These commands update the URL for the Autodiscover service, Exchange Web Services (EWS) and the OWA web-based Offline Address Book respectively.

Before running these commands you will need to check that a DNS record exists mapping the external name to the IP address of the Exchange Client Access (CAS) server.

Note: Each of the commands below should be run on a single line in the Exchange Management Shell (EMS):

Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.yourdomain.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://mail.yourdomain.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://mail.yourdomain.com/oab

Recycle the IIS Application Pools

Next, to make these commands take effect you have to tell IIS to pick up the changes by recycling the application pools.

1. Open IIS Manager by clicking Start and entering inetmgr.

2. Expand the server, expand Application Pools, right-click MSExchangeAutodiscoverAppPool and select Recycle.
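The three Set-* commands, the certificate seat count and the app pool recycle fit together: every hostname a client is handed in those URLs has to appear on the UCC, or Outlook will show a name-mismatch warning. The following is an added example, not code from the original post: it applies the three URL changes from the Exchange Management Shell, reads them back, checks each hostname against the SAN list of the certificate enabled for IIS, and recycles the Autodiscover pool without opening IIS Manager. It assumes the certificate has already been imported and enabled for the IIS service on the CAS server; `$CasServer` and `$ExternalName` are placeholders for your own values, and the wildcard check is my own addition for the case where a wildcard certificate is used instead of a UCC.

```powershell
# Added example (not from the original post). Run in the Exchange Management Shell
# on the Client Access server. Both values below are placeholders.
$CasServer    = "CASSERVER01"           # placeholder: name of the server holding the CAS role
$ExternalName = "mail.yourdomain.com"   # placeholder: the externally registered name on the certificate

# 1. Point the internal URLs at the external name (same cmdlets as in the post)
Set-ClientAccessServer -Identity $CasServer `
    -AutodiscoverServiceInternalUri "https://$ExternalName/autodiscover/autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$CasServer\EWS (Default Web Site)" `
    -InternalUrl "https://$ExternalName/ews/exchange.asmx"
Set-OABVirtualDirectory -Identity "$CasServer\oab (Default Web Site)" `
    -InternalUrl "https://$ExternalName/oab"

# 2. Read the URLs back and collect the hostnames clients will actually be sent to
$hosts = @(
    (Get-ClientAccessServer -Identity $CasServer).AutoDiscoverServiceInternalUri
    (Get-WebServicesVirtualDirectory -Server $CasServer).InternalUrl
    (Get-OABVirtualDirectory -Server $CasServer).InternalUrl
) | Where-Object { $_ } | ForEach-Object { ([Uri]$_).Host.ToLower() } | Sort-Object -Unique

# 3. Every hostname must be a SAN entry on the certificate enabled for IIS
$iisCerts = Get-ExchangeCertificate -Server $CasServer | Where-Object { "$($_.Services)" -match "IIS" }
$sanNames = @($iisCerts | ForEach-Object { $_.CertificateDomains } | ForEach-Object { $_.ToString().ToLower() })

foreach ($h in $hosts) {
    $wildcard = "*." + ($h -replace '^[^.]+\.', '')   # e.g. *.yourdomain.com covers mail.yourdomain.com
    if ($sanNames -contains $h -or $sanNames -contains $wildcard) {
        Write-Host "OK        $h is covered by the IIS certificate"
    } else {
        Write-Warning "MISMATCH  $h is not on the IIS certificate; clients will get a name-mismatch warning"
    }
}

# 4. Make IIS pick up the new URLs (same effect as Recycle in IIS Manager)
Import-Module WebAdministration
Restart-WebAppPool -Name MSExchangeAutodiscoverAppPool
```

Run step 3 again after the certificate finally arrives and is enabled; a MISMATCH line at that point means either a URL still uses the internal name or a seat is missing from the certificate order.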

This is about as far as I went on my Saturday maintenance. I had to wait on an SSL certificate that seemed to take forever, and even if I did switch it over I would have to reconfigure 40 cellphones that are not currently set up to use SSL.

Know when to call it quits. I verified that mail would flow back and forth and left it be for my next two week testing period.

Lessons learned.

I have yet to hear anyone else's nightmare stories but I am sure they are out there!!! Let's hear them!

Resources:

 
http://www.digicert.com/ssl-support/redirect-internal-exchange-san-names.htm
http://www.petenetlive.com/KB/Article/0000234.htm

DirectTV + Viacom = Freebies!


Everyone with DirectTV and kids is definitely feeling the pain when they can’t watch their favorite shows. This is a really good example of the corporation giants vying for more phat lewts.

I myself had looked into switching to Dish Network just last night. The odd part is that the same package with Dish is about $40 cheaper for the first 12 months and $20 dollars cheaper each month after that. Why oh why do we keep paying more?

One thing to keep in mind is that just last month there were similar outages for Dish Network, so no company is exempt from problems. I think Viacom just needs to throw its weight around every now and then to prove they are still the big boy on the block.

Repost from CNN: Call DirectTV and get free stuff?

(CNN) — Maybe it pays to be a complainer.

Several DirecTV customers are reporting on online forums that they were able to get up to $10 per month knocked off their bills because they threatened to leave the satellite TV company over the fact that Viacom programming is no longer available for DirecTV customers.
“Wow they must like me, I got $10 off per month for 12 months, Starz for free for 6 months, and NFL Sunday Ticket for $99. So I come out $20 ahead after a year,” one commenter wrote on a forum on the site Satellite Guys. “All I did was say I’d like to cancel due to the Viacom dispute. I was not expecting to get all that thrown at me.”
A dispute between satellite provider DirecTV and the media company Viacom led late Tuesday to nearly 20 million customers losing access to 26 Viacom channels, including MTV, Nickelodeon and Comedy Central.
CNNMoney has more information on the dispute: “Viacom is seeking a 30% increase, or $1 billion more than its previous deal, DirecTV said in a statement. Viacom countered that its proposed increase totals ‘a couple of pennies per day per subscriber.’ Disputes between media companies and cable or satellite TV providers have become increasingly common, but this one is hitting an especially wide audience.”
DirecTV announced that it would give its subscribers free access to premium Encore channels this month to show appreciation for their loyalty.
“To thank you for your patience until Viacom channels are returned, all eight Encore Channels (including Encore Family) will be made available to all customers thru July 31st,” the company wrote Wednesday on its Facebook page. “Tune to Channels 535 to 542 to start watching.”
People who called the company, however, seemed to get better offers.
Another commenter on the Satellite Guys forum wrote that he or she received “$5 off for 3 months, $5 off Starz 6 months, $5 off Sports Pack 6 months” from the company.
“(I) only asked about it, never said I wanted anything! Very well done Directv!” that commenter wrote.
“I got $25 off of Premier for 6 months,” wrote another person.
CNN could not independently verify these reports. In response to a question about whether the company is offering deals to customers who threaten to leave, a spokesman said only that DirecTV is “always willing to work with our customers to keep them happy.”
“We have not seen an impact on our subscriber numbers and an overwhelming number of our customers are telling us they will stick with us until this is resolved,” the spokesman said in a statement. “They appreciate that we are fighting on their behalf to keep their bills at an acceptable level.”
Several forums reported relatively long wait times for people who placed calls to DirecTV. And the Internet is full of hate mail for both DirecTV and Viacom.
Let's hear what you got as a valued customer!

Yahoo hack compromises 443,000 passwords


Reposted from CNN Article here: Yahoo’s password hack shows that it failed security 101

NEW YORK (CNNMoney) — If it wasn’t clear before, it certainly is now: Your username and password are almost impossible to keep safe.

Nearly 443,000 e-mail addresses and passwords for a Yahoo site were exposed late Wednesday. The impact stretched beyond Yahoo because the site allowed users to log in with credentials from other sites — which meant that user names and passwords for Yahoo (YHOO, Fortune 500), Google’s (GOOG, Fortune 500) Gmail, Microsoft’s (MSFT, Fortune 500) Hotmail, AOL (AOL) and many other e-mail hosts were among those posted publicly on a hacker forum.

What’s shocking about the development isn’t that usernames and passwords were stolen — that happens virtually every day. The surprise is how easily outsiders cracked a service run by one of the biggest Web companies in the world.

The group of seven hackers, who belong to a hacker collective called D33Ds Company, got into Yahoo’s Contributor Network database by using a rudimentary attack called a SQL injection.
SQL injections are one of the most basic tools in the hacker toolkit. By simply entering commands into the search field or URL of a poorly secured website, hackers can access databases located on the server that’s hosting the site.

In this case, they were able to uncover the list of the Yahoo site’s usernames and passwords.
That’s something the hackers never should have been able to see. Usernames and passwords on huge websites are typically stored cryptographically and randomized, so that even if attackers were able to get their hands on the database, they wouldn’t be able to decipher it.

Read More here: Yahoo’s password hack shows that it failed security 101
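The article's last point, that passwords on a large site are normally stored “cryptographically and randomized” rather than in the clear, means salted and iterated hashing. The following is an added example, not code from the CNN article or from Yahoo: it shows the storage and verification halves of that scheme in PowerShell using .NET's Rfc2898DeriveBytes (PBKDF2), so that a leaked table holds per-user salts and hashes instead of reusable credentials. The function names, the 100,000 iteration count and the demonstration password are my own choices.

```powershell
# Added example (not from the article): salted, iterated password hashing with PBKDF2.
# Works on Windows PowerShell 2.0 and later (System.Security.Cryptography is built in).

function New-PasswordRecord {
    param(
        [Parameter(Mandatory=$true)][string]$Password,
        [int]$Iterations = 100000   # chosen here; raise it as hardware gets faster
    )
    # A fresh 16-byte random salt per user: two users with the same password get different hashes
    $salt = New-Object byte[] 16
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($salt)

    $kdf  = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Password, $salt, $Iterations)
    $hash = $kdf.GetBytes(32)

    # Store only what verification needs; the password itself is never written anywhere
    New-Object PSObject -Property @{
        Iterations = $Iterations
        Salt       = [Convert]::ToBase64String($salt)
        Hash       = [Convert]::ToBase64String($hash)
    }
}

function Test-PasswordRecord {
    param(
        [Parameter(Mandatory=$true)][string]$Password,
        [Parameter(Mandatory=$true)]$Record
    )
    $salt      = [Convert]::FromBase64String($Record.Salt)
    $stored    = [Convert]::FromBase64String($Record.Hash)
    $kdf       = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Password, $salt, $Record.Iterations)
    $candidate = $kdf.GetBytes($stored.Length)

    # Compare every byte rather than stopping at the first difference, so the time taken
    # does not reveal how many leading bytes matched
    $diff = $candidate.Length -bxor $stored.Length
    for ($i = 0; $i -lt [Math]::Min($candidate.Length, $stored.Length); $i++) {
        $diff = $diff -bor ($candidate[$i] -bxor $stored[$i])
    }
    return ($diff -eq 0)
}

# Constructed demonstration: create a record, then verify a right and a wrong password
$record = New-PasswordRecord -Password "correct horse battery staple"
$record | Format-List Iterations, Salt, Hash
"Correct password accepted: " + (Test-PasswordRecord -Password "correct horse battery staple" -Record $record)
"Wrong password accepted:   " + (Test-PasswordRecord -Password "password123" -Record $record)
```

Running New-PasswordRecord twice with the same password produces two different Salt and Hash values; that is the “randomized” part the article refers to, and it is what stops an attacker from cracking every account that shares a password in one pass.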

Internet blackout expected for thousands coming Monday


Posted via CNNMoney — Hundreds of thousands of Internet users whose computers are infected with a particularly nasty virus will be unable to access the Web starting on Monday.
The Federal Bureau of Investigation will shut down Internet servers that it temporarily set up to support those affected by malicious software, called DNSChanger. Turning off those servers will knock all those still infected offline.
Over the past five years, a group of six Estonian cybercriminals infected about 4 million computers around the world with DNSChanger. The malware redirected infected users’ Web searches to spoofed sites with malicious advertisements.
In November 2011, the FBI and some overseas partners arrested those responsible, commandeered their servers, and attempted to warn those affected to get rid of the virus.
The FBI did not immediately take down the rogue servers, as infected computers would have lost Internet access, an FBI spokesman said.

Read More…

To help the users still infected, the agency laid out a step-by-step plan on how to check to see if your computer has the virus. The quickest way to see if your system is OK is to go to dns-ok.us, a site set up to check for the infection.
What Does DNSChanger Do to My Computer?
DNSChanger malware causes a computer to use rogue DNS servers in one of two ways. First, it changes the computer's DNS server settings to replace the ISP's good DNS servers with rogue DNS servers operated by the criminal. Second, it attempts to access devices on the victim's small office/home office (SOHO) network that run a dynamic host configuration protocol (DHCP) server (e.g. a router or home gateway). The malware attempts to access these devices using common default usernames and passwords and, if successful, changes the DNS servers these devices use from the ISP's good DNS servers to rogue DNS servers operated by the criminals. This is a change that may impact all computers on the SOHO network, even if those computers are not infected with the malware.
Am I Infected?
The best way to determine if your computer or SOHO router has been affected by DNSChanger is to have them evaluated by a computer professional. However, the following steps can help you gather information before consulting a computer professional.
To determine if a computer is using rogue DNS servers, it is necessary to check the DNS server settings on the computer. If the computer is connected to a wireless access point or router, the settings on those devices should be checked as well.
Checking the Computer:
If you are using a Windows computer, open a command prompt. This can be done by selecting Run from the Start Menu and entering cmd.exe or starting the command prompt application, typically located in the Accessories folder within Programs on your Start Menu, as shown below:
At the command prompt, enter:
ipconfig /all
Look for the entry that reads “DNS Servers……….”
The numbers on this line and the line(s) below it are the IP addresses for your DNS servers. These numbers are in the format of nnn.nnn.nnn.nnn, where nnn is a number in the range of 0 to 255. Make note of the IP addresses for the DNS servers and compare them to the table of known rogue DNS servers listed later in this document. If the IP addresses of your DNS server appear in the table below, then the computer is using rogue DNS.
You can also look for your DNS servers without using the command prompt.
For windows XP machines, click on Start and select My Network Places. Then select Network Connections. In this example, the wireless connection is used.
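The manual check above (run ipconfig /all, note the DNS server addresses, compare them with the published rogue ranges) is easy to script across a fleet. The following is an added example, not part of the FBI or CNN text: it reads the same DNS server list from WMI on each adapter and flags any address that falls inside a configured list of suspect ranges. The page's table of rogue ranges is not reproduced here, so the two ranges in the script are constructed placeholders from the RFC 5737 documentation blocks; replace them with the ranges from the FBI notice before relying on the result.

```powershell
# Added example (not from the FBI/CNN text). The ranges below are CONSTRUCTED PLACEHOLDERS
# taken from the RFC 5737 documentation address blocks; substitute the published rogue ranges.
$SuspectRanges = @(
    @{ Start = "198.51.100.0"; End = "198.51.100.255" }   # placeholder range
    @{ Start = "203.0.113.0";  End = "203.0.113.255"  }   # placeholder range
)

function ConvertTo-UInt32Address {
    # Turn a dotted-quad IPv4 address into a number so that range checks become comparisons.
    # Returns $null for anything that is not IPv4 (e.g. an IPv6 DNS server).
    param([Parameter(Mandatory=$true)][string]$Address)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $null }
    $bytes = $ip.GetAddressBytes()
    if ($bytes.Length -ne 4) { return $null }
    [Array]::Reverse($bytes)          # GetAddressBytes is network order; BitConverter wants little-endian
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Test-SuspectDnsServer {
    param([Parameter(Mandatory=$true)][string]$Address)
    $n = ConvertTo-UInt32Address $Address
    if ($n -eq $null) { return $false }
    foreach ($r in $SuspectRanges) {
        $lo = ConvertTo-UInt32Address $r.Start
        $hi = ConvertTo-UInt32Address $r.End
        if ($n -ge $lo -and $n -le $hi) { return $true }
    }
    return $false
}

function Get-DnsServerReport {
    # Same data as the "DNS Servers" lines of ipconfig /all, read from WMI instead of parsed from text
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
    foreach ($a in $adapters) {
        foreach ($dns in @($a.DNSServerSearchOrder)) {
            if (-not $dns) { continue }
            New-Object PSObject -Property @{
                Adapter   = $a.Description
                DnsServer = $dns
                Suspect   = (Test-SuspectDnsServer $dns)
            }
        }
    }
}

$report = @(Get-DnsServerReport)
$report | Format-Table Adapter, DnsServer, Suspect -AutoSize
if ($report | Where-Object { $_.Suspect }) {
    Write-Warning "A DNS server in a suspect range is configured. Check the router's DNS settings as well, since the malware also changes those."
} else {
    "No DNS server on this computer falls in a suspect range."
}
```

A clean result on the computer is not the whole story: as the text explains, the malware also rewrites the DNS settings on SOHO routers, and a computer that obtains its DNS servers from such a router will show the rogue addresses here even though it is not itself infected.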