January 23, 2004 Enterprise Testing and Architecture Migrating GoodLink to Windows 2003 and Exchange 2003 Summary This document should be used by customers who are migrating from a Windows NT 4.0 domain to Windows 2003 ( or 2000) Active Directory domain and migrating from an Exchange 5.5 organization to an Exchange 2003 (or 2000) organization. Because GoodLink is tightly coupled with Exchange, and because GoodLink is considered critical productivity software, the customer wants to ensure a minimal impact to GoodLink users during the Exchange2003 migration process. This document details the recommended process for migrating the GoodLink system and the GoodLink users to Active Directory and Exchange 2003. Please read the document completely before beginning the migration. Migration Requirements Minimized downtime Support Exchange 5.5 and Exchange 2003 Coexistence Support Native Mode Exchange 2003 Transition Phases of Migration Windows NT Account Migration to Windows 2003 Active Directory GoodLink Mailbox Move from Exchange 5.5 to Exchange 2003 Provisioned Users Mailbox Move from Exchange 5.5 to Exchange 2003 Good recommends that the customer upgrade each GoodLink Server host to GoodLink version 3.0 or above before entering any phase of the migration process listed below. Phase I Windows NT 4.0 GoodLink Service Account Migration to Windows 2003 Active Directory If the customer plans to run their Windows NT 4.0 domains in parallel with their new Active Directory domains and they do not plan to upgrade their existing domain controllers in-place, then they will need to create a new GoodLink account in Active Directory that will coexist with the existing GoodLink NT account. There will be no impact to GoodLink services during this phase since the GoodLink services will continue to run under the existing Windows NT 4.0 domain account. Exchange 2003 and Exchange 5.5 will also coexist in the customer environment. To support this coexistence the new GoodLink service account will need permissions to both the Exchange 5.5 and the Exchange 2003 systems. It is assumed that the customer has created new GoodLink AD account using one of the methods below before proceeding with Phase 1 Active Directory Users and Computer (recommended) Microsoft Active Directory Migration Tool Active Directory Connector Third party tool that supports domain account migration. Phase 1 Actions Before customer can change the GoodLink service account on each GoodLink server from the legacy Windows NT account to the new Active Directory account, they must first grant the Active Directory account the appropriate permissions to: 1) Access user mailboxes on Exchange 2003 and Exchange 5.5 2) Administer GoodLink Hosts and Run as a Service 3) Access to the existing GoodLink Exchange 5.5 mailbox These permissions can be granted without impacting GoodLink service and therefore the customer can leave GoodLink services running when executing these tasks. Granting Permissions to Access user mailboxes on Exchange 2003 and Exchange 5.5 Using Active Directory Users and Computers, grant the new GoodLink Active Directory account membership into the Exchange Services group. The Exchange Services group is created when Active Directory Connector Service component is installed on a Windows 2003 domain controller. The group has global Exchange permissions to all Exchange servers in the Exchange organization (E55 and E2003). These permissions include both send as and receive as access to each Exchange mailbox in the Exchange organization which are necessary for GoodLink to function. An alternative method of granting the proper Exchange permissions to the new GoodLink AD account is to use Exchange Administrator to grant the account Service Account Admin permissions at the site and configuration level of each site in the Exchange Organization, and then use Exchange 2003 System Manager to grant the GoodLink AD account permission within Exchange 2003 (See the 2000_2003 Exchange Security Settings for the GoodAdmin Domain Account technical document for step by step instructions on how to grant the Exchange 2003 permissions). This method takes more time, but is more secure. Note: Do not add the GoodLink account to other Active Directory domain groups and do not use the delegate permission feature of Exchange 2003 System Administrator to grant GoodLink an administrative role. Unlike Exchange 5.5, Exchange 2003 restricts mailbox access to high level administrative groups and administrator roles. Granting Permissions to Administer GoodLink Hosts and Run as a Service Once the Exchange permissions have been granted to the new GoodLink domain account, go to each GoodLink server host, add the new GoodLink domain account to the local administrators group, and grant the GoodLink AD account log on as service rights. Granting the New AD Account Rights to the Existing GoodLink Mailbox At this point, the GoodLink mailbox should still reside on an Exchange 5.5 server. The new GoodLink AD account will need mailbox owner rights to this existing GoodLink mailbox. Launch Exchange 5.5 Administrator. Find the GoodLink mailbox. Open the properties page for the GoodLink mailbox and select the permissions tab. Select Add and choose the new GoodLink AD account. Verify that mailbox owner is checked and choose OK. At this point, the AD GoodLink service account is ready to take over for the Windows NT GoodLink service account. Phase 1 Summary 1. Migrated the GoodLink NT 4.0 account to Active Directory 2. Granted the GoodLink AD account Exchange permissions 3. Granted the GoodLink AD account Admin and logon as service permissions on each GoodLink Server host 4. Granted the GoodLink AD account owner rights to the existing Exchange 5.5 GoodLink mailbox There is no GoodLink service impact during this phase. GoodLink continues to run using the original NT account. This phase should take approximately 1 hour. If permissions replication takes a while in the customer environment, allow more time before moving to the next phase. Note about migrating the accounts of provisioned users: Migrating the Windows NT accounts of provisioned users has no affect on GoodLink performance since there is no relationship between GoodLink and individual users’ domain accounts. Customer should feel free to migrate the Windows NT account of provisioned users at anytime. Rollback Procedures If necessary, delete the new GoodLink AD account and start this phase again. GoodLink services are not affected by the tasks in Phase I. Phase II Updating the GoodLink Service Account on each GoodLink server Synopsis In this phase customer will change the service log on account for all GoodLink services from the GoodLink Windows NT 4.0 domain account to the new GoodLink Active Directory domain account. This change will be performed on all GoodLink servers. Successful completion of Phase I above is a prerequisite for this phase. During this phase, the GoodLink services will be stopped for a few seconds and then restarted. At the completion of this phase, the new GoodLink Active Directory account will be used as the log on account for all GoodLink services on all GoodLink hosts and the new GoodLink Active Directory account will have a new MAPI profiles associated with the existing GoodLink Exchange 5.5 mailbox. The customer will need a copy Microsoft Windows Messaging (ntwms.exe) to perform certain tasks in this phase. Phase II Actions The following actions should be performed in order on each GoodLink Server host. It is recommended that customer verifies that devices on each GoodLink server host are able to synchronize in both directions before moving to the next host. Specifically, the customer will 1) Create new MAPI profiles on the GoodLink host 2) Change the log on account for the GoodLink services on the GoodLink host 3) Update the GoodLink registry on the GoodLink host Creating new MAPI profiles Log on to the GoodLink Host as the new GoodLink AD account and install Windows Messaging. An inbox should appear on the desktop. Right click the inbox and choose properties. Click the show profiles button. Click the add button and add a new profile called GoodLink Server and associate it with the Exchange 5.5 GoodLink mailbox. The profile should be enabled for Exchange services. If you have installed GoodLink Management Server on this host, create another profile called GoodLink Management Server following the instructions above. If you did not install GoodLink Management Server on this host, but you installed GoodLink Management Console, create a profile called GoodLink Management Console using the instructions in above. (This step is not necessary if GoodLink Management Server and GoodLink Management console were both installed on the host. It is only necessary if the GoodLink Management console was installed by itself.) Updating NT Login Registry Key on the GoodLink Host On the GoodLink host, launch the registry editor. Change the following key’s data field to reflect the GoodLink Active Directory account (use domainname\username): HKLM/software/Good Technology/GoodLink Install Parameters/NT Login This key is used during upgrades to auto-populate the service account during the GoodLink software installation. Changing it while GoodLink is running has no affect on GoodLink performance. Changing the Log on Account for the GoodLink Services From the GoodLink host, launch the Computer Management MMC. Under Services, right click the GoodLink Server service and choose properties. From the properties, select the logon tab. Under “This account” change the account from the GoodLink NT 4.0 account to the GoodLink Active Directory Account, then change the password to the GoodLink AD account password. Choose OK. Perform this same procedure for GoodLink Watchdog service and the GoodLink Management Server service (if it is installed on this host) Phase II Summary 1. Created new MAPI profiles on each GoodLink host 2. Changed the log on account to the GoodLink AD account for each GoodLink service on each host 3. Updated the NT Login registry key on each GoodLink host to reflect the new GoodLink AD account The impact on GoodLink service is minimal during this phase. At the end of this phase the GoodLink host services should be running as the new GoodLink AD account and still using the existing GoodLink Exchange 5.5 mailbox. If this phase is successful, the GoodLink Windows NT 4.0 account can be retired. Rollback Procedures If necessary, the GoodLink service log on account can be switched back to the original Windows NT 4.0 account since this account still exists and has the proper Exchange and local host permissions. GoodLink services will need to be restarted after the service logon account is changed. MAPI profiles for the original Windows NT account still exists, so MAPI profiles would not need to be changed, deleted, or added during a rollback. The data field for “NT Login” registry entry can be changed back to the original Windows NT domain account to complete the rollback. The rollback can be done to one or all of the GoodLink hosts as necessary. Phase III Moving the GoodLink Mailbox from Exchange 5.5 to Exchange 2003 Exchange 2003 System Manager needs to be installed on all GoodLink servers prior to moving the GoodLink mailbox or any provisioned user’s mailbox. This phase has and estimated downtime of 25-40 minutes. Phase III Actions 1. Export User lists from each GoodLink Server 2. Install Exchange 2003 System Manager on each GoodLink server 3. Move the GoodLink Mailbox to Exchange 2003 4. Update the registry on each GoodLink server Exporting the user lists on each GoodLink Server As a precaution, it is recommended that customer export the user list on each GoodLink server before executing the remaining tasks of this phase. In the very rare case that a user is not listed in the users list after the GoodLink mailbox is moved to Exchange 2003, the exported user list can be imported. Steps A. Log on to a GoodLink Server as the Active Directory GoodLink account B. Launch the GoodLink Management Console C. Choose Action | Export from the menu D. Save the user list as a CSV file. E. Choose Action | Export Statistics F. Save the statistics as a CSV file (do not use the same name as the user list) Moving the GoodLink mailbox for Exchange 5.5 to Exchange 2003 The section requires that customer stop the GoodLink services on all GoodLink service for a certain amount of time while software is installed and the GoodLink mailbox is moved. Though moving the GoodLink mailbox from one Exchange server to another using the move mailbox wizard is not a difficult task, following the steps below will insure the safest migration of the GoodLink mailbox. Steps A. On all GoodLink servers, stop all GoodLink services (GoodLink, Watchdog, and GoodLink Management Server service if present). B. Set each service to manual. C. On one GoodLink Server install Exchange 2003 System Manager and reboot D. Using the Active Directory move mailbox utility, move the GoodLink Mailbox from the Exchange 5.5 server to the Exchange 2003 server. E. After the GoodLink mailbox has been moved, log on to the GoodLink server using the GoodLink AD account and launch Windows messaging by double clicking on the inbox icon (installed in phase II). Verify that you can log into the GoodLink mailbox. F. On the GoodLink server, launch the GoodLink Management Console and make sure that all of the provisioned users are listed in the user list. You can compare the exported list to the GoodLink Management Console List. G. On the GoodLink server, start the GoodLink services and set them to automatic. H. Check the Windows Application event log and make sure there are no critical GoodLink errors. (It there are critical errors, stop all of the GoodLink services) I. Verify that users who were provisioned on this particular GoodLink server can synchronize messages to and from their devices. If successful, you can leave this GoodLink server running for the remainder of this phase. J. Install Exchange 2003 System Manager on the remaining GoodLink servers. Reboot each. (The Exchange System Manager installation takes the most amount of time in this phase, so if you can install it in parallel you can save time.) K. For each of the remaining GoodLink servers, set the services to automatic, start the services, check the event logs and verify two-way synchronization (as you did in steps G and H). Do this one server at a time. If successful, leave the GoodLink services running and move to the next GoodLink Server host. Updating the Exchange Server Registry Key on each GoodLink Server Host During a GoodLink Server software upgrade, the GoodLink installer will auto-populate certain fields with information taken from the GoodLink section of the registry. You will need to change the data field of the Exchange Server key in the GoodLink section of the registry so it is accurate for future upgrades. This field does not affect GoodLink performance and can be changed while GoodLink is running. Steps A. Log on to the GoodLink Server host and launch the registry editor. B. Select HKEY_LOCAL_MACHINE/SOFTWARE/Good Technology/GoodLink Install Parameters C. Modify the string value of the Exchange Server key to reflect the new Exchange server name D. Perform steps A, B, and C for each remaining GoodLink Server host. Phase III Summary 1. Exported copies of the User list and statistics. 2. Installed Exchange 2003 System Administrator on all GoodLink Server hosts 3. Moved the GoodLink mailbox from Exchange 5.5 to Exchange 2003 4. Updated the GoodLink section in the registry to reflect the Exchange 2003 server where the GoodLink mailbox now resides. Rollback Procedures Usually, if the GoodLink mailbox was moved successfully to the Exchange 2003 server, it’s easier and more productive to troubleshoot problems while the mailbox is located on the Exchange 2003 server rather than move the GoodLink mailbox back to Exchange 5.5. For example, if the user list wasn’t accurate after the move, or if the GoodLink services didn’t start, or if mailboxes were not synchronizing, it’s usually something that can be fixed without moving the mailbox back to Exchange 5.5. In the very rare case that the mailbox move wasn’t successful and the GoodLink mailbox is corrupted, the GoodLink Mailbox can be restored from a backup. If it has been concluded that moving mailbox back to Exchange 5.5 is the appropriate troubleshooting step, stop all GoodLink Services on all GoodLink hosts. Use the Active Directory move mailbox wizard to move the GoodLink mailbox back to Exchange 5.5. Having Exchange 2003 System Manager installed on the GoodLink server will not affect GoodLink service if the GoodLink mailbox is moved back to Exchange 5.5. So there is no need to uninstall it. The registry key entry that was changed can be change back to the Exchange 5.5 server following same instructions listed above. Phase IV Moving Provisioned Mailboxes from Exchange 5.5 to Exchange 2003 If Phases I, II, and III were successful, you can move mailboxes (single or batch move) using the Active Directory move mailbox wizard only. GoodLink server pauses moved mailboxes for 15 minutes or more while it attempts to find the moved mailboxes on the destination Exchange server. Services for these mailboxes will resume as soon as they are found. Other provisioned mailboxes will not be affected by this process and should continue to synchronize.