This article includes the initial technical plan for updating various Microsoft systems at Bank Al Sharq, according to the Bank's requirements.
2- Upgrade Exchange Server 2003 to Exchange Server 2016, with replication to 2 sites and the latest security patches.
3- Configure Exchange so that e-mail can be used from an external party.
4- Windows 7 and Windows 10 VMs for employees' machines, with the latest security patches.
To meet these requirements we will break our plan into four phases, and each phase will be broken into multiple stages:
Phase one will cover the 7th requirement.
This includes building the test environment that we'll use as an on-site "proof of concept" lab for the next three phases.
Phase two will cover the first three requirements.
This includes upgrading the Microsoft Active Directory servers and the Exchange servers to version 2016.
Phase three will cover the 4th, 5th and 6th requirements.
This includes installing Windows 7 and Windows 10 VMs along with the Bank's needed applications via Windows Deployment Services and the Microsoft Deployment Toolkit.
Phase four will cover the eighth requirement.
SQL Server 2012 license.
Al Sharq Bank.
Microsoft Migration Project - Technical Plan.
o For AD, first from 2003 to 2012 R2, then from 2012 R2 to 2016.
- Because of the compatibility constraints between the Windows Server OS versions, the Active Directory domain and forest functional levels, and the Exchange Server versions (schema and roles), we'll do the upgrades in the order mentioned above.
- To understand these constraints, the following tables from Microsoft illustrate the operating system supportability matrix (Table 1) and the domain/forest functional level supportability matrix (Table 2).
Table 1: Operating system platform
Columns: Exchange 2016 CU3 and later | Exchange 2016 CU2 and earlier | Exchange 2013 SP1 and later | Exchange 2010 SP3
Windows Vista SP2             X1
Windows Server 2008 SP2       X
Windows Server 2008 R2 SP1    X  X
Windows 7 SP1                 X1 X1
Windows 8                     X1 X1
Windows 8.1                   X1 X1 X1
Windows 10                    X1 X1
Windows Server 2012           X  X  X  X
Windows Server 2012 R2        X  X  X
Windows Server 2016           X
Supported platforms are identified by an X character.
1 Only for Exchange management tools.
Operating system environment (Active Directory servers)
Columns: Exchange 2016 CU3 and later | Exchange 2016 CU2 and earlier | Exchange 2013 SP1 and later | Exchange 2010 SP3 RU22 or later | Exchange 2010 SP3 RU5 - RU21
Windows Server 2003 SP2 Active Directory servers       X  X  X
Windows Server 2008 SP2 Active Directory servers       X  X  X  X
Windows Server 2008 R2 SP1 Active Directory servers    X  X  X  X  X
Windows Server 2012 Active Directory servers           X  X  X  X  X
Windows Server 2012 R2 Active Directory servers        X  X  X  X  X
Windows Server 2016 Active Directory servers           X  X  X  X
Table 2: Forest functional level
Columns: Exchange 2016 CU3 and later | Exchange 2016 CU2 and earlier | Exchange 2013 SP1 and later | Exchange 2010 SP3 RU22 or later | Exchange 2010 SP3 RU5 - RU21
Windows Server 2003 forest functional level            X  X  X
Windows Server 2008 forest functional level            X  X  X  X
Windows Server 2008 R2 SP1 forest functional level     X  X  X  X  X
Windows Server 2012 forest functional level            X  X  X  X  X
Windows Server 2012 R2 forest functional level         X  X  X  X  X
Windows Server 2016 forest functional level            X  X  X  X
As we said before, we can't upgrade Exchange Server 2003 to 2016 directly, so we must first upgrade to Exchange 2010 and then from 2010 to 2016.
On the other hand, a quick look at Table 2 shows that Exchange 2010 is not compatible with the AD 2016 domain and forest functional levels, so we can't upgrade the AD 2003 server before the Exchange upgrade to 2010, nor after it.
What we are going to do is upgrade Exchange Server 2003 to 2010, then upgrade AD to a version that is compatible with Exchange 2010 and 2016 and upgradable to AD 2016; that version is AD 2012 R2.
After that we can upgrade Exchange Server from 2010 to 2016, since the latter is compatible with AD 2012 R2, and finally upgrade AD 2012 R2 to 2016.
According to the explanation above, we'll break this phase into four stages as follows:
Phase two - Stage 1; Upgrading Exchange Server 2003 to Exchange Server 2010:
Since we have 200 users in the bank, we can't simply migrate to Exchange Server 2010 within a single outage window; what we can do is install Exchange Server 2010 to work side by side with Exchange Server 2003.
So there will be a transition state where the old and the new system co-exist, with Exchange 2010 acting as a proxy for the Exchange 2003 services, so that we can move the Exchange 2003 configuration and the users' mailboxes to Exchange 2010 and then decommission the old one, without downtime for end users.
Figure 2 and Table 3 illustrate the current systems at the Bank's Head Office and one branch:
Figure 2: Bank's current topology (Head Office and Branch-1; the Head Office Exchange 2003 front-end and back-end servers sit behind a load balancer)
Table 3: Current servers
Head Office equipment:
  HODC2003.bankalsharq.com                                      Head Office master domain controller (Server 2003)
  HOEx2003fe01.bankalsharq.com, HOEx2003fe02.bankalsharq.com    Load-balanced active/active Exchange 2003 front-end servers
  HOEx2003be01.bankalsharq.com, HOEx2003be02.bankalsharq.com    Load-balanced active/active Exchange 2003 back-end servers
Branch equipment:
  BRDC2003.bankalsharq.com                                      Branch master domain controller (2003)
  BREx2003.bankalsharq.com                                      Typical Exchange Server 2003 (front and back ends)
The bank's users connect to the mail system as follows:
The Bank's internal users access their mail through one of the Exchange 2003 back-end servers, according to the site the user belongs to.
Figure 3: Exchange Server 2003, the bank's internal users' access
External users access their mail through the firewall and then the front-end servers.
The branch's Exchange server is not an internet-facing server, so the front-end server at the head office acts as a proxy for it.
Figure 4: Exchange Server 2003, the bank's external users' access
Let's start by installing Exchange Server 2010, which consists of a Client Access Server array (two or more CAS servers according to the bank's needs) and a Database Availability Group (two or more mailbox servers according to the bank's needs).
Table 4 and Figure 5 illustrate the added servers (shown in red in the original document).
Table 4: Exchange 2010 added servers
Head Office equipment:
  HODC2003.alsharqbank.sy                                       Head Office master domain controller (Server 2003)
  HOEx2003fe01.alsharqbank.sy, HOEx2003fe02.alsharqbank.sy      Load-balanced active/active Exchange 2003 front-end servers
  HOEx2003be01.alsharqbank.sy, HOEx2003be02.alsharqbank.sy      Load-balanced active/active Exchange 2003 back-end servers
  Gateway                                                       Layer 4 or 7 firewall (TMG, UAG, ISA, or any other security system)
  HOEx2010cas01.alsharqbank.sy, HOEx2010cas02.alsharqbank.sy    Load-balanced Exchange 2010 Client Access Server array
  HOEx2010DAG01.alsharqbank.sy                                  Load-balanced Exchange 2010 Database Availability Group (consists of two mailbox servers)
Branch equipment:
  BRDC2003.bankalsharq.com                                      Branch master domain controller (2003)
  BREx2003.bankalsharq.com                                      Typical Exchange Server 2003 (front and back ends)
  HOEx2010.alsharqbank.sy                                       Typical Exchange Server 2010
Figure 5: topology with the added Exchange 2010 servers (CAS array and DAG behind the Head Office load balancer, branch Exchange 2010 server)
Now the Bank's internal users will access their mail through one of the Exchange 2010 CAS servers.
If the user's mailbox is on Exchange 2010, the 2010 CAS server routes the connection to one of the Exchange Server 2010 mailbox servers; but if the user's mailbox is still on Exchange Server 2003, the 2010 CAS server acts as a proxy and forwards the connection to one of the Exchange 2003 front-end servers, according to the site the user belongs to. Figure 6 illustrates the internal users' access.
Figure 6: Bank's internal users’ access
For the external users we'll use a new concept called the legacy name.
Usually we reach the Exchange 2003 servers by the FQDN mail.alsharqbank.com.
Now, after installing Exchange 2010, we will use the mail.alsharqbank.com FQDN for the Exchange 2010 CAS servers, and a FQDN called legacy.alsharqbank.com for the Exchange 2003 front-end servers.
If the user's mailbox is on Exchange 2010, the 2010 CAS server routes the connection to one of the Exchange Server 2010 mailbox servers.
But if the user's mailbox is on an Exchange 2003 back-end server, the 2010 CAS server sends a redirect reply to the user; this reply contains a redirection to the legacy name of the Exchange 2003 front-end server, and the user connects directly to the front-end server through the firewall using this legacy FQDN, legacy.bankalsharq.com.
Figure 7 illustrates the Bank's external users' access with the legacy name concept.
Figure 7: the Bank's external users' access with the legacy name concept (figure labels: 1; 2 redirect to legacy.bankalsharq.com; 3; 4 if the user belongs to the branch)
At this step we can move all mailbox databases and public folders to Exchange 2010 with the move request features (for mailboxes and for public folders) introduced in Exchange 2010, and then decommission Exchange Server 2003.
Figure 8 illustrates the end result of this stage, where we have the Exchange 2010 servers along with the Active Directory Domain Services 2003 servers.
Figure 8: Exchange Server 2010
1. Configure outbound e-mail routing by creating a Send connector for Exchange Server 2010.
2. Remove the SMTP connector from Exchange 2003.
3. Configure the firewall to work with Exchange Server 2010.
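The Stage 1 coexistence settings described above (legacy name redirect, Outlook Anywhere, the new Send connector) expressed as Exchange 2010 Management Shell commands, as an added example that is not part of the bank's plan. It assumes the CAS names from Table 4, that the Hub Transport role is collocated on the CAS servers, and that mail.bankalsharq.com and legacy.bankalsharq.com are the two namespaces.

```powershell
# Added example, not the bank's own script. Run in the Exchange Management Shell on a 2010 CAS.
# Assumptions: CAS names from Table 4, Hub Transport role collocated on the CAS servers,
# mail.bankalsharq.com = new 2010 namespace, legacy.bankalsharq.com = Exchange 2003 front ends.
$cas2010  = 'HOEx2010cas01', 'HOEx2010cas02'
$mailFqdn = 'mail.bankalsharq.com'
$legacy   = 'legacy.bankalsharq.com'

# 1. Both names must be on the SAN certificate bound to IIS, otherwise the redirect to the
#    legacy name ends in a certificate error in the user's browser.
foreach ($cas in $cas2010) {
    $iisCert = Get-ExchangeCertificate -Server $cas | Where-Object { $_.Services -match 'IIS' }
    foreach ($name in $mailFqdn, $legacy) {
        if ([string[]]$iisCert.CertificateDomains -notcontains $name) {
            Write-Warning "IIS certificate on $cas does not cover $name"
        }
    }
}

# 2. OWA: new namespace on the 2010 CAS; Exchange2003Url is the legacy name the CAS puts in
#    its redirect reply for mailboxes still on an Exchange 2003 back end.
foreach ($cas in $cas2010) {
    Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" `
        -InternalUrl "https://$mailFqdn/owa" -ExternalUrl "https://$mailFqdn/owa" `
        -Exchange2003Url "https://$legacy/exchange"
}

# 3. Outlook Anywhere on the 2010 CAS: no SSL offloading, NTLM rather than Basic (Basic sends
#    the password itself in every request; TLS only protects it in transit).
foreach ($cas in $cas2010) {
    Enable-OutlookAnywhere -Server $cas -ExternalHostname $mailFqdn `
        -ClientAuthenticationMethod Ntlm -SSLOffloading $false
}

# 4. Outbound mail now leaves through Exchange 2010 (step 1 above); the 2003 SMTP connector
#    is removed afterwards in Exchange System Manager (step 2).
New-SendConnector -Name 'Internet (Exchange 2010)' -Usage Internet `
    -AddressSpaces 'SMTP:*;1' -SourceTransportServers $cas2010 `
    -DNSRoutingEnabled $true -Fqdn $mailFqdn

# 5. Check what the CAS will hand to clients before the firewall is opened (step 3).
Get-OwaVirtualDirectory -Server $cas2010[0] | Format-List InternalUrl, ExternalUrl, Exchange2003Url
Get-OutlookAnywhere -Server $cas2010[0] | Format-List ExternalHostname, ClientAuthenticationMethod, SSLOffloading
Get-SendConnector 'Internet (Exchange 2010)' | Format-List AddressSpaces, SourceTransportServers, Fqdn
```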
Phase two - Stage 2; upgrade Active Directory server from 2003 to 2012 R2:
For the migration to Windows Active Directory Domain Services 2012 R2, we're going to install an independent Windows Server 2012 R2, rename it, and join it to the bank's domain (bankalsharq.com).
We'll install Active Directory Domain Services and promote it to a new domain controller with DNS Server and Global Catalog capabilities, replicating from the Windows Server 2003 domain controller.
Then we'll repoint all workstations and servers, whether configured with a static IP or via DHCP, to it by changing their DNS server IP address.
After that we're going to transfer the Flexible Single Master Operations (FSMO) roles, including the schema master, to the new server, and make it the default domain controller for the site we are in (Head Office or Branch).
Lastly, we'll remove the Windows Server 2003 server from the Global Catalog servers, demote it and then remove the Windows Server 2003 machine.
Figure 9 illustrates the topology after adding Active Directory 2012 R2.
Figure 9: Migration to Active Directory 2012R2.
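The Stage 2 procedure above (promote the 2012 R2 server, move the FSMO roles, demote the 2003 DC, and later raise the functional levels) as PowerShell, added here as an example and not taken from the bank's plan. It assumes the new DC is named HO2012DC01, the Head Office AD site is called Head-Office, and the commands run as an Enterprise Admin on the new server.

```powershell
# Added example, not the bank's own script. Run on the new Windows Server 2012 R2 member server
# as an Enterprise Admin. Assumed names: new DC HO2012DC01, AD site 'Head-Office'.
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# 1. Promote: additional DC with DNS and global catalog, replicating from the 2003 DC.
#    Install-ADDSDomainController runs the forest/domain schema preparation (adprep) itself.
Import-Module ADDSDeployment
Install-ADDSDomainController -DomainName 'bankalsharq.com' -SiteName 'Head-Office' -InstallDns `
    -ReplicationSourceDC 'HODC2003.bankalsharq.com' `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -Credential (Get-Credential -Message 'Enterprise Admin') -Force
# The server reboots here; everything below runs after the reboot.

# 2. Do not move roles until replication is healthy and the new DC advertises as a GC.
repadmin /replsummary
$dc = Get-ADDomainController -Identity 'HO2012DC01'
if (-not $dc.IsGlobalCatalog) { throw 'HO2012DC01 is not yet a global catalog; wait for replication' }

# 3. Transfer all five FSMO roles (schema master included) to the new DC.
Move-ADDirectoryServerOperationMasterRole -Identity 'HO2012DC01' -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster
Get-ADForest | Format-List SchemaMaster, DomainNamingMaster
Get-ADDomain | Format-List PDCEmulator, RIDMaster, InfrastructureMaster

# 4. Before demoting HODC2003: no role may remain on it and clients must be repointed (DNS/DHCP).
#    A DC that is still a client's only DNS or Kerberos target takes that client's logons down with it.
Get-ADDomainController -Filter * |
    Format-Table HostName, IsGlobalCatalog, OperationMasterRoles -AutoSize
# Demotion itself is done on HODC2003 with dcpromo (Windows Server 2003 has no Uninstall-ADDSDomainController).

# 5. Later in this phase (after Phase three, as the plan orders it) and only once every 2003 DC
#    is gone: raise the domain and forest functional levels to 2012 R2.
Set-ADDomainMode -Identity 'bankalsharq.com' -DomainMode Windows2012R2Domain -Confirm:$false
Set-ADForestMode -Identity 'bankalsharq.com' -ForestMode Windows2012R2Forest -Confirm:$false
```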
NOTE!! Before the upgrade to Exchange Server 2016, we have to make sure that every Microsoft Office installation is version 2010 or later.
For that we will execute the third phase here, "Installing Windows 7 and 10 VMs along with the Bank's needed applications (Office 2013, Adobe Reader, etc.)".
After that we'll raise the Active Directory forest and domain functional levels to 2012 R2.
Now, the migration from Exchange Server 2010 to 2016 is similar to the migration from Exchange Server 2003 to 2010, except for the following:
In Exchange Server 2016 all Exchange roles (CAS, Hub Transport, and Mailbox) are combined into one server role called the Mailbox server, and for high availability we have the Database Availability Group (DAG), as in Exchange 2010.
And an additional server called the Edge server is used as.
In the co-existence period between Exchange 2010 and 2016 we'll not use the legacy name concept.
First we're going to install Exchange Server 2016; as before, Exchange 2016 will detect all Exchange servers in its Active Directory domain and create Send and Receive connectors to them, and both Exchange versions will co-exist, with Exchange 2016 working as a proxy server for Exchange Server 2010.
Figure 10 and Table 5 illustrate the co-existence between Exchange Servers 2010 and 2016.
Figure 10: the co-existence between Exchange Servers 2010 and 2016
Table 5: Co-existence servers
Head Office equipment:
  HO2012DC01.bankalsharq.com                                      Head Office master domain controller (Server 2012 R2)
  HOEx2010cas01.bankalsharq.com, HOEx2010cas02.bankalsharq.com    Load-balanced active/active Exchange 2010 Client Access Server array
  HOEx2010mbx01.bankalsharq.com, HOEx2010mbx02.bankalsharq.com    Load-balanced active/active Exchange 2010 Database Availability Group servers (HOEx2010DAG01.bankalsharq.com)
  Gateway                                                         (TMG, UAG, ISA, or any other security system)
  HOEx2016mbx01.bankalsharq.com, HOEx2016mbx02.bankalsharq.com    Load-balanced active/active Exchange 2016 Database Availability Group servers
Branch equipment:
  BR2012DC01.bankalsharq.com                                      Branch master domain controller (2012 R2)
  BREx2010.bankalsharq.com                                        Typical Exchange Server 2010
  HOEx2016mbx.bankalsharq.com                                     Typical Exchange Mailbox Server 2016
As we said, in the co-existence period between Exchange 2010 and 2016 we'll not use the legacy name concept.
What we're going to do is move the FQDN mail.bankalsharq.com from Exchange Server 2010 to Exchange Server 2016, then route the connections of Exchange 2010 to the Exchange 2016 transport service.
Before that, to avoid certificate problems, we'll export our SAN certificate from Exchange Server 2010, import it on Exchange Server 2016 and assign it to the different services there.
We'll also enable Outlook Anywhere on Exchange Server 2016 and configure its internal and external URL to mail.bankalsharq.com.
Still, when users resolve the FQDN mail.bankalsharq.com, the DNS server will reply with the IP address of the Exchange 2010 CAS server, so we have to update the DNS host record for mail.bankalsharq.com from the IP address of the Exchange 2010 CAS server to the Exchange Server 2016 DAG IP address.
Finally, we test sending and receiving mail to/from internal and external users on both Exchange Server 2010 and 2016. If everything goes well we can move the mailboxes, public folders, offline address book, etc. from Exchange 2010 to 2016 using the same method that we previously used in stage two.
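The namespace cut-over just described (certificate export/import, Outlook Anywhere, the DNS record change and the mail-flow test) as an added PowerShell example, not the bank's own script. Step 1 runs in the Exchange 2010 Management Shell and steps 2 to 5 in the Exchange 2016 one; the server names come from Table 5, while the share path, the 2016 VIP address and the test recipient are placeholders.

```powershell
# Added example, not the bank's own script. Stage 3 namespace cut-over from the 2010 CAS array
# to Exchange 2016. Step 1: Exchange 2010 Management Shell; steps 2-5: Exchange 2016 shell.
# Server names from Table 5; share path, VIP address and test recipient are placeholders.
$mailFqdn = 'mail.bankalsharq.com'
$mbx2016  = 'HOEx2016mbx01', 'HOEx2016mbx02'
$pfxPath  = '\\HO2012DC01\migration$\mail.pfx'     # placeholder share, readable by Exchange admins only
$pfxPass  = Read-Host -AsSecureString 'PFX password'

# 1. (2010 shell) Export the SAN certificate with its private key from the 2010 CAS.
#    Exchange 2010 returns the PFX bytes instead of writing a file, so we write them ourselves.
$thumb = (Get-ExchangeCertificate -Server 'HOEx2010cas01' |
          Where-Object { [string[]]$_.CertificateDomains -contains $mailFqdn -and $_.Services -match 'IIS' }).Thumbprint
$pfx = Export-ExchangeCertificate -Server 'HOEx2010cas01' -Thumbprint $thumb -BinaryEncoded:$true -Password $pfxPass
Set-Content -Path $pfxPath -Value $pfx.FileData -Encoding Byte

# 2. (2016 shell) Import on each 2016 mailbox server and bind it to IIS (clients) and SMTP (transport).
foreach ($srv in $mbx2016) {
    $cert = Import-ExchangeCertificate -Server $srv -Password $pfxPass `
        -FileData ([byte[]](Get-Content -Path $pfxPath -Encoding Byte -ReadCount 0))
    Enable-ExchangeCertificate -Server $srv -Thumbprint $cert.Thumbprint -Services IIS, SMTP -Force
}
Remove-Item $pfxPath     # the PFX holds the private key; it must not stay on the share

# 3. Outlook Anywhere on 2016 with the single namespace, SSL required internally and externally.
foreach ($srv in $mbx2016) {
    Set-OutlookAnywhere -Identity "$srv\Rpc (Default Web Site)" `
        -InternalHostname $mailFqdn -ExternalHostname $mailFqdn `
        -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true `
        -DefaultAuthenticationMethod NTLM
}

# 4. Repoint the A record for mail.bankalsharq.com from the 2010 CAS VIP to the 2016 VIP
#    (DnsServer module, against HO2012DC01). Lower the TTL beforehand if a quick rollback matters.
$old = Get-DnsServerResourceRecord -ComputerName 'HO2012DC01' -ZoneName 'bankalsharq.com' -Name 'mail' -RRType A
$new = $old.Clone()
$new.RecordData.IPv4Address = [ipaddress]'10.0.0.60'   # placeholder: 2016 load-balanced VIP
Set-DnsServerResourceRecord -ComputerName 'HO2012DC01' -ZoneName 'bankalsharq.com' -OldInputObject $old -NewInputObject $new

# 5. Prove mail flow in both directions, and outbound, before any mailbox is moved.
Test-Mailflow -Identity $mbx2016[0] -TargetMailboxServer 'HOEx2010mbx01'
Test-Mailflow -Identity 'HOEx2010mbx01' -TargetMailboxServer $mbx2016[0]
Test-Mailflow -Identity $mbx2016[0] -TargetEmailAddress 'mailflow-check@example.com'   # placeholder external recipient
```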
Figure (uncaptioned on the page): end state of this stage, showing HO2012DC01.bankalsharq.com, HOEx2016DAG.bankalsharq.sy, BREx2016MBX.bankalsharq.sy and the HO and BR internal users.
1. Performing a pilot mailbox migration by creating move requests with Exchange Server 2016.
2. Performing the production mailbox migrations.
3. Moving public folder replicas.
4. Moving the public folder hierarchy.
5. Moving the Offline Address Book.
1. Removing the Exchange 2010 default mailbox database, default public folder database, and default OAB.
2. Removing the recipient update services.
3. Removing routing group connectors.
4. Uninstalling Exchange Server 2010.
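The pilot and production mailbox moves from the first list, and the "nothing left behind" check that must pass before the 2010 databases are removed, as an added example in the Exchange 2016 Management Shell; it is not the bank's own script, and the database names, batch names and item limits are assumptions.

```powershell
# Added example, not the bank's own script. Exchange 2016 Management Shell.
# Assumed names: source 2010 database HO2010DB01, target 2016 database HO2016DB01.
$src = 'HO2010DB01'
$dst = 'HO2016DB01'

# 1. Pilot: five mailboxes, stopping at 95 % so the final switch happens inside an agreed window.
Get-Mailbox -Database $src -ResultSize 5 |
    New-MoveRequest -TargetDatabase $dst -BatchName 'Pilot' -BadItemLimit 10 -SuspendWhenReadyToComplete
Get-MoveRequest -BatchName 'Pilot' | Get-MoveRequestStatistics |
    Format-Table DisplayName, Status, PercentComplete, BadItemsEncountered -AutoSize
Get-MoveRequest -BatchName 'Pilot' -MoveStatus AutoSuspended | Resume-MoveRequest   # run inside the window

# 2. Production: one batch per source database, arbitration (system) mailboxes included.
Get-Mailbox -Database $src -ResultSize Unlimited |
    New-MoveRequest -TargetDatabase $dst -BatchName "Prod-$src" -BadItemLimit 10
Get-Mailbox -Database $src -Arbitration |
    New-MoveRequest -TargetDatabase $dst -BatchName "Prod-$src-arbitration"

# 3. Nothing may remain on the 2010 database before it is removed; a forgotten arbitration or
#    archive mailbox is the usual reason the later Remove-MailboxDatabase refuses.
function Test-MailboxDatabaseEmpty {
    param([string]$Database)
    $left = @(Get-Mailbox -Database $Database -ResultSize Unlimited) +
            @(Get-Mailbox -Database $Database -Arbitration) +
            @(Get-Mailbox -Database $Database -Archive -ResultSize Unlimited)
    if ($left.Count -gt 0) {
        $left | Format-Table Name, RecipientTypeDetails -AutoSize
        return $false
    }
    return $true
}
if (Test-MailboxDatabaseEmpty -Database $src) {
    # Finished requests are cleared first; the database itself is then removed from the 2010 shell.
    Get-MoveRequest -MoveStatus Completed | Remove-MoveRequest -Confirm:$false
}
```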
Phase two - Stage 4; upgrade Active Directory server from 2012 R2 to 2016:
Since this stage is identical to stage 2, there is no need for further explanation.
Phase three: installing Windows 7 and 10 VMs along with the Bank's needed applications
This installation can be done using the Microsoft Deployment Toolkit and Windows Deployment Services.
With the Microsoft Deployment Toolkit we can build a reference image; this image contains the Windows OS source files, the applications to be installed on the OS, and rules that define a sequential automated installation of this image (installing Windows > adding features > installing the framework > installing Microsoft Office > installing Adobe Reader > updating the system > joining a domain).
After building the image we're going to use the Distributed File System to replicate and share the image between sites.
Finally, we are going to use Windows Deployment Services to publish this image using the Preboot Execution Environment (PXE).
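The replicate-and-publish part of Phase three (DFS Replication of the deployment share between sites, share permissions, and the WDS boot image) as an added PowerShell example on a Windows Server 2012 R2 MDT/WDS server; it is not the bank's own script. The server names, share path, the MDT connection account and the MDT-Admins group are assumptions.

```powershell
# Added example, not the bank's own script. Run on the Head Office MDT/WDS server (Windows Server 2012 R2).
# Assumed: share name DeploymentShare$, path D:\DeploymentShare, servers HOMDT01/BRMDT01,
# MDT connection account BANKALSHARQ\svc_mdt, admin group BANKALSHARQ\MDT-Admins.
$share   = 'DeploymentShare$'
$path    = 'D:\DeploymentShare'
$hoSrv   = 'HOMDT01'
$brSrv   = 'BRMDT01'
$mdtUser = 'BANKALSHARQ\svc_mdt'   # plain domain user; its password sits in clear text in Bootstrap.ini

# 1. Replicate the share content (reference image, applications, task sequences) between sites.
New-DfsReplicationGroup -GroupName 'MDT-DeploymentShare' | Out-Null
New-DfsReplicatedFolder -GroupName 'MDT-DeploymentShare' -FolderName 'DeploymentShare' | Out-Null
Add-DfsrMember -GroupName 'MDT-DeploymentShare' -ComputerName $hoSrv, $brSrv | Out-Null
Add-DfsrConnection -GroupName 'MDT-DeploymentShare' -SourceComputerName $hoSrv -DestinationComputerName $brSrv | Out-Null
Set-DfsrMembership -GroupName 'MDT-DeploymentShare' -FolderName 'DeploymentShare' `
    -ComputerName $hoSrv -ContentPath $path -PrimaryMember $true -Force | Out-Null
Set-DfsrMembership -GroupName 'MDT-DeploymentShare' -FolderName 'DeploymentShare' `
    -ComputerName $brSrv -ContentPath $path -Force | Out-Null

# 2. Least privilege on the share: the clear-text account in Bootstrap.ini only needs to read,
#    and nobody but the MDT admins may write to what every new PC executes at boot.
Revoke-SmbShareAccess -Name $share -AccountName 'Everyone' -Force
Grant-SmbShareAccess  -Name $share -AccountName $mdtUser -AccessRight Read -Force
Grant-SmbShareAccess  -Name $share -AccountName 'BANKALSHARQ\MDT-Admins' -AccessRight Full -Force
Get-SmbShareAccess -Name $share | Format-Table AccountName, AccessControlType, AccessRight -AutoSize

# 3. Publish the MDT LiteTouch boot image through WDS so PXE clients pick it up.
Import-WdsBootImage -Path "$path\Boot\LiteTouchPE_x64.wim" -NewImageName 'MDT LiteTouch x64 (Bank)'
```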
NOTE! The server licenses are divided into a server instance license and a Client Access License.
Therefore, if you want a licensed Domain Controller 2016, we need 3 instance licenses and 200 Client Access Licenses.
Also for the Exchange server you need a license for each server, depending on the needed performance, and 200 user Client Access Licenses.
There is a Client Access License suite for most Microsoft services, if you want something like SharePoint, Skype for Business, and Active Directory Rights Management Services.