At this point in the series on migrating to Exchange Server 2016 we’re ready to install the first Exchange 2016 Mailbox server into the Not Real University organization. To prepare for the installation, Not Real University has installed a new Windows Server 2012 R2 server, named NREXCH16, and joined it to Active Directory. You can check the supportability matrix for the list of currently supported operating systems. The server has also been installed with the Exchange 2016 pre-requisites.
In addition, ReFS volumes have been configured to host the mailbox database and transaction log files. Databases will be hosted on a volume mounted as D: drive, and logs on a volume mounted as E: drive.
```
PS C:\> Get-Disk

Number Friendly Name          OperationalStatus Total Size Partition Style
------ -------------          ----------------- ---------- ---------------
0      Microsoft Virtual Disk Online                130 GB GPT
1      Microsoft Virtual Disk Offline                20 GB RAW
2      Microsoft Virtual Disk Offline                10 GB RAW

PS C:\> Get-Disk 1 | Initialize-Disk -PartitionStyle GPT -PassThru | New-Partition -UseMaximumSize -DriveLetter D | Format-Volume -FileSystem REFS -NewFileSystemLabel Databases -SetIntegrityStreams $false

PS C:\> Get-Disk 2 | Initialize-Disk -PartitionStyle GPT -PassThru | New-Partition -UseMaximumSize -DriveLetter E | Format-Volume -FileSystem REFS -NewFileSystemLabel Logs -SetIntegrityStreams $false
```
Not Real University will be deploying Exchange 2016 Cumulative Update 3, which is the latest build available at the time this is being written. For your own deployment, check the Exchange Server build numbers and release dates page to ensure you’re deploying the latest, supported build of Exchange. Note, you do not need to install Exchange 2016 RTM first. You can install the latest build directly.
When the new Exchange 2016 server is installed it will register an Autodiscover SCP in Active Directory that contains the new server’s fully-qualified domain name (FQDN). The server will also be installed with a self-signed certificate. Outlook clients that query Autodiscover may pick up the newly registered SCP and attempt an HTTPS connection to the new server’s FQDN. There they encounter the self-signed certificate, which they don’t trust, and display a certificate warning to the end user.
To avoid this issue, there are two approaches that you can take:
- Create an Exchange deployment site in Active Directory. Microsoft recommends this approach, and has documented it here. This approach works, but might not be suitable in some organizations that don’t allow Exchange administrators to make those types of Active Directory changes, or where such a change requires going through an approval process that would take too long.
- The alternative is to immediately change the Autodiscover SCP for the new server after Exchange setup completes. The SCP should be changed to the same value as the other Exchange servers in the site. This is the simplest approach, but there’s a window of time between the first SCP value being registered and when you’re able to change it that exposes clients to the risk of the certificate warning mentioned above. You can mitigate that risk by installing the server during a time when most users are not logged on.
For Not Real University, the simpler approach of changing the Autodiscover SCP immediately after installation is being used.
Installing Exchange Server 2016 into an existing Exchange environment requires the following administrative privileges:
- Schema Admins group membership
- Enterprise Admins group membership
- For multi-domain AD forests, Domain Admins group membership for every domain where Exchange servers or mail-enabled recipients will exist
- Organization Management group membership
To prepare Active Directory and then install Exchange 2016 follow the instructions here.
Immediately after the server has been installed, the Autodiscover SCP can be updated. After the SCP is updated, Outlook clients will not connect to the Exchange 2016 server because the Autodiscover URL resolves in DNS to the existing Exchange 2010 or Exchange 2013 server, or to a load-balancer that sends the traffic to the existing servers.
```
Set-ClientAccessServer NREXCH16 -AutoDiscoverServiceInternalUri https://autodiscover.notrealuniversity.com/Autodiscover/Autodiscover.xml
```
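A post-install check for the SCP change described above, as an added example that is not part of the original article. It is meant for the Exchange Management Shell and uses Get-ClientAccessServer, the read counterpart of the cmdlet above; the variable names and report layout are assumptions, while the server name and URL are the ones used in this article.

```powershell
# Added example: run in the Exchange Management Shell right after setup completes.
# $ExpectedUri and $NewServer come from this article; adjust them for your organization.
$ExpectedUri = 'https://autodiscover.notrealuniversity.com/Autodiscover/Autodiscover.xml'
$NewServer   = 'NREXCH16'

# 1. Report every server's Autodiscover SCP value and whether it matches the
#    shared namespace. A server FQDN here is what triggers the certificate warning.
$scpReport = Get-ClientAccessServer | ForEach-Object {
    $uri = [string]$_.AutoDiscoverServiceInternalUri
    [pscustomobject]@{
        Server  = $_.Name
        ScpUri  = if ($uri) { $uri } else { '<not set>' }
        Matches = ($uri -eq $ExpectedUri)
    }
}
$scpReport | Format-Table -AutoSize

# 2. Correct the new server only; other mismatches are reported, not changed.
$mismatched = @($scpReport | Where-Object { -not $_.Matches })
foreach ($entry in $mismatched) {
    if ($entry.Server -eq $NewServer) {
        Set-ClientAccessServer -Identity $NewServer -AutoDiscoverServiceInternalUri $ExpectedUri
        Write-Output "Updated SCP on $NewServer to $ExpectedUri"
    } else {
        Write-Warning "SCP on $($entry.Server) is $($entry.ScpUri), expected $ExpectedUri"
    }
}

# 3. Show the certificate the new server presents for HTTPS (IIS) and whether it
#    is still the self-signed certificate created by setup.
Get-ExchangeCertificate -Server $NewServer |
    Where-Object { $_.Services -match 'IIS' } |
    Select-Object Thumbprint, Subject, IsSelfSigned, NotAfter, Services |
    Format-List

# 4. Confirm where the Autodiscover name resolves, so you know which servers
#    will receive client traffic for that namespace.
Resolve-DnsName -Name ([uri]$ExpectedUri).Host |
    Select-Object Name, Type, IPAddress, NameHost |
    Format-Table -AutoSize
```

Running it a second time after the change should show `Matches` as True for every server that shares the namespace.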
In the next part of this series, we’ll look at configuring client access services for the newly installed Exchange 2016 server.
Hi Paul! Can Exchange 2007 and Exchange 2016 servers work together in the Edge Transport role? Currently running Exchange 2007 in the ET role, we want to deploy Exchange 2016 ET
What’s the purpose of using ReFS? Are you setting 64K block size?
For the SCP on the new Exchange server, why not set it to $null? Wouldn’t that be easier and once everything is done and ready for cutover update the SCP to use the existing URL?
Hello! I’m currently trying to install Exchange 2016 on 2012 server (in a sandbox). I can go through all the motions of the install until it’s time to “/IAcceptExchangeServerLicenseTerms /PrepareSchema” at which point the install does not complete because:
“Front End Transport service cannot be installed without Mailbox service.
Client Access Front End service cannot be installed without Mailbox service.”
I’m loading from an external hard drive. Could it possibly be I’m missing some files for the install? Standing by….
So I have a 2010 server. I am trying to install 2016 so it is ready to go once we want to start the migration/coexistence process.
So if I stop at this step, update the SCP on the 2016 server, and don’t go further with this guide, is that okay? Or will I be leaving stuff broken?
I’m guessing I shouldn’t have any issue doing that, as I am not ready to move over virtual directories or namespaces quite yet. Just wanted to get 2016 installed.
I’m migrating to Exchange 2016 and I placed the new 2016 servers into a temporary “Exchange Build” AD site. Then they released CU12. Trying to upgrade, it fails the prerequisite checks because there is not a domain controller in the Exchange Build AD site. Any way to get past this short of moving the servers back to the production AD site? I don’t want clients to start hitting the 2016 boxes yet via SCP records, but I’d like to be on the latest CU prior to going live.
Migrated from Exchange 2010 to 2016 earlier this year. Have run into an issue launching Shell or Toolbox mmc. Errors in Shell make reference to WinRM being unable to process the request due to several possibilities related to ConnectionURI or credential. I do observe that it seems to be using the computer account to attempt the connection rather than a user account.
Testing has revealed that if I place the Exchange server AD computer account in the Domain Admins group and restart all issues are corrected. I can connect to the Shell and open Toolbox mmc. The server account in Domain Admins does cause other issues in functionality and mailbox connection for clients. I have been adding the Domain Admin group membership to the computer account only during needed troubleshooting times.
Any ideas on what could be causing this weird scenario?
Hi Paul, very good information once again. Btw, the way we tackle the certificate issue is by installing an internal CA signed certificate with the server FQDN on the server prior to installing Exchange. Exchange will automatically bind this certificate and clients won’t get a certificate warning.
Hi Paul
I have never noticed “Users reported” the cert error when upgrading exchanges. Does it seldom happen that outlook clients looking for an exchange will choose the new server?
Change SCP is now next on my list, installing the cert has always been high up so may be why I have never noticed this.
People run into this problem quite a lot because they don’t realize the SCP and other namespaces need configuring. The certificate isn’t as urgent because you can leave DNS for the namespace pointing to the old server while you sort out a certificate.
Hi Paul,
Just to elaborate on the above note the 4 SMTP servers on each DC will be load balanced like westsend.abc.com and eastsend.abc.com (also westrcv.abc.com and eastrcv.abc.com) which in turn will be behind send.abc.com (and rcv.abc.com). Any thoughts or suggestions? thanks
Paul,
Just had a thought of offloading the SMTP traffic from the DAG servers and keeping it outside e.g. 16 node DAG stretched across 2 DCs. Have 4 SMTP servers on each DC handling SMTP traffic to and from the DAG. Is that a good idea? I could attach a visio as to how I am visualizing it. thanks
Hi Paul – I have a situation where I need to uninstall the first and only Exchange 2016 server in an Exchange 2010 environment. I am trying to confirm if it is supported to move the system mailboxes that Exchange 2016 created to an Exchange 2010 database, remove and reinstall Exchange 2016, and then move the system mailboxes back?
I believe that will work okay, if you can’t just install the new Exchange 2016 server alongside and move them to that server instead.
Hello Paul, et al.,
As usual, thanks for another concise article. You do mention ReFS formatting, but as I understand it MS has changed position and does not support ReFS. Is this correct?
ReFS is still supported according to this page:
https://technet.microsoft.com/en-us/library/ee832792(v=exchg.160).aspx
Actually the SCP entry is queried BEFORE DNS so clients should connect to the 2016 server as soon as you update the entry: https://blogs.technet.microsoft.com/kristinw/2013/04/19/controlling-outlook-autodiscover-behavior/
To avoid this issue, there’s two approaches that you can take:
1. Create an Exchange deployment site in Active Directory. Microsoft recommends this approach, and has documented it here. This approach works, but might not be suitable in some organizations that don’t allow Exchange administrators to make those types of Active Directory changes, or where such a change requires going through an approval process that would take too long.
————————-
Actually, I think there is a cheap and dirty way of doing it, which I already tried in a production environment before, while I cannot say with 100% confidence it is “absolutely silver bullet”, but in the particular environment I worked with, I certainly had no Outlook certificate prompts and no user complaining about production issues between when Exchange (2010, not 2016) was installed on the server and when the server is fully configured.
The method is:
1. Install Exchange as usual
2. When installation is completed, do not reboot the server yet, but instead put in a local firewall rule to block all incoming and outgoing Exchange related traffic (port 80, port 443, port 25, what not) so the server is considered as “offline” as far as environment is concerned, and do not add it to load balancing device either
3. Proceed to reboot the server and then configure CAS aspect of the server
4. Once fully configured and verified, disable that firewall rule to make the server “visible” to the production environment.
As I said, it may have other impacts that I may not be aware of, but it worked well for the particular environment (Government entity with over 80K active mailboxes) that I worked with, so I think it should theoretically work here too.
Hi Paul,
First of all, thanks to all your Pluralsight videos they have been very helpful.
I will be migrating from 2010 to 2016 with less than 800 mailboxes (total db 500GB), and the first server will be a physical server and eventually the second server will be virtual on the first site and the second site will be all virtual. I’m unsure about the volume requirements for this first server, for it will be a standalone for a few months before adding a DAG. I currently have four databases on the 2010 that I will be migrating. Do I size up the partitions based on a standalone server and have 8 different partitions for both db and logs, or should I just have two partitions and separate the logs and database and size up for co-location? Site resiliency will not happen most likely until one year.
Hi,
I’m upgrading a single Exchange 2010 environment to co-existence with 2016 and finally to two Exchange 2016 servers.
When installing the first 2016, I’ve made a mistake and installed the Exchange files to the default folder on the C drive.
I want to uninstall server 2016 from the new server and install it again on another drive, but the problem is I cannot uninstall.
It will not let me uninstall, until I have arbitration and auditlog mailboxes.
Question is – how to get rid of them and delete the default mailbox?
I currently have Exchange 2010 in production only, but after installation of 2016 I have to move the arbitration mailbox from 2016 to 2010, or is there a way to completely remove the new installation of 2016 without affecting 2010?
You’ll have to either move or remove the mailboxes. Get-Mailbox has -Arbitration and -AuditLog switches you can use to get the mailboxes, and pipe that into a move request or remove the mailboxes entirely.
Or just leave Exchange installed in the C: drive. I don’t really understand why people try to install it to different paths, to be honest.
Thanks Paul,
Well, I’ve read a bit about it, and I think you’re right.
It’s true that many tutorials say to install on another drive, but it’s irrelevant if we do this on a virtual server in the same SAN. It might even cause fewer problems if we install on one partition (extending drive etc.). I will only separate log and database drives.
I don’t know which tutorials are saying that. Microsoft certainly doesn’t recommend it. I think most people do it for arbitrary reasons that make them feel better about how they’re standardizing their server builds, rather than any solid benefit.
A lot of environments do that, they install Exchange on D drive rather than C drive, because it is “cleaner”.
Can you also make a guide for the AD deployment site? I used this but the document lacks a bit. You need a DC in the deployment site, luckily you can use an IP address in a currently used subnet.