Archive for November 2009

Exchange 2010 Migration done

Exchange 2010 was released last Monday, the 9th. Today is Saturday the 14th, and I’m done with the migration to Exchange 2010.

Sure, there are loads of MVPs and TAP members that migrated to Exchange 2010 a long time ago, but I’m still proud of this.

As a starting point, I had an Exchange 2007 SP2 machine with one mailbox database, no public folders and 35 mailboxes that used up 25GB of space. Moving this is simple enough, but the issue is that our Exchange isn’t virtualized, and I couldn’t get my hands on new hardware since the current box was only a year old.

Since in-place upgrades are not supported, I needed a temporary server for the migration. I used an HP ML110 from the lab, which offered enough space to migrate.

Another issue was BackupExec 12.5, which did not support Exchange 2010 yet. Fortunately, Exchange 2010 (and 2007 SP2) can be backed up by using Windows Server Backup. So my goal was to just let WSB back up to a file server, and have BackupExec pick up the files from there. This way, I will get a reliable, clean and supported Exchange backup, and still have it on tape.

The migration itself was straightforward and easy. There’s already _lots_ of content on the web about Exchange 2010, most of it from the RCs or Beta of course.

I followed the Migration Guide from TechNet, which worked out well enough. Unfortunately, the iPhone does not support Exchange 2010/2007 coexistence, which made it necessary for several people to manually reconfigure their phone.

Removing Exchange 2007 worked without issues, but after moving all the Exchange 2010 data back to the real hardware and removing the temporary server, I ran into the issue of moving arbitration mailboxes, which fortunately was already documented widely on the web.

In the end, upgrading from Exchange 2007 to 2010 while keeping the same hardware is not difficult, it just needs a bit more time.

iPhone does not support Exchange 2010/Exchange 2007 Coexistence

The iPhone does not properly support coexistence between Exchange 2010/Exchange 2007. See this TechNet Posting.

The error message in the IIS Log looks like this:

RdirTo:https%3a%2f%2flegacy.contoso.com%2fMicrosoft-Server-ActiveSync_LdapC2_LdapL15_Error:MisconfiguredDevice_Budget

HP’s E200 controller really sucks

A long time ago, I wrote a review of the HP ML110. In the comments, Paul indicated that the performance of the E200 controllers was pretty bad, and I promised I would do benchmarks of that. Now it is a year later, and I finally got the time and did those benchmarks.

For the benchmarks, I’ve used the free version of HDtune. I’ve benchmarked four systems, and five different disk configurations. Note that the free version only does benchmarks for disk reads, and it’s not a very thorough test. None of these benchmarks are scientific. They should serve as a general indicator of performance, not as a final word on this topic. I don’t have that much clue about benchmarking.

The first system is my computer at home: It has an i7-920 CPU at stock speed, with 3x2GB RAM at 1333 MHz (which is a slight overclock, but within the spec of the memory I purchased). Attached to its ICH10R controller are an Intel X25-M G2 160GB (Firmware 02HA) and a WD1001FALS (1TB, 7×24), running Windows 7 x64.

The next system is my work laptop, which is a ThinkPad W500 with a 2.53 GHz T9400 C2D CPU, with 4GB of RAM. Attached to its onboard controller is an OCZ Vertex 120GB (Firmware 1.40), running Windows 7 x64.

The third system is our Exchange Edge server, on which I dared to install a benchmark utility. It’s an IBM x3250 with two 70GB 15kRPM 2.5″ SAS drives installed, attached to an onboard LSI1064E SAS controller. The system has a Xeon 3040 2.4 GHz dual-core CPU and 5 GB RAM. It is running Windows Server 2008 x64 SP2.

And the final system is an HP ML110 G5 with a 2.33 GHz Xeon 3065 CPU, 8GB of RAM and an E200 with the latest firmware (1.78). Attached to that are 4 WD1001FALS drives in a RAID10 configuration. The E200 has a backup battery and 128MB of cache installed. The system is running Windows Server 2008 R2.

Please note that none of these benchmarks are scientific. They were done on real systems, with workload minimized as much as possible, but with virus scanners and other mandatory background applications active. Both the laptop and the desktop have not been formatted since Windows 7 RC was installed (I migrated to Windows 7 RTM using Windows.old), but the ML110 was freshly set up and the only applications that have been installed so far are the HP ACU and Forefront Client Security. The Exchange Edge server has been in use since May 2008. As such, the ML110 is the “cleanest” machine out of these four.

Intel’s X25-M G2 160GB on an ICH10R (AHCI Mode)

[Graph: Intel X25-M G2 on an ICH10R]

This is how a graph should look. It’s nice, it’s clean, it’s fast. Intel’s X25-M G2 shows how a modern SSD and storage subsystem should behave. Clean, predictable performance.

OCZ’s Vertex 160GB on an ICH7 (AHCI Mode)

[Graph: OCZ Vertex 120GB on an ICH7]

Here’s the OCZ Vertex. It’s running on a machine that’s a lot slower than the one the X25-M is attached to, and its storage controller is also quite a bit older. It still shows remarkably good performance. It should also be considered that this Vertex is quite a bit older: it was bought in May 09. It’s still very fast and responsive and a good SSD.

2x IBM’s 73GB 15kRPM 2.5″ SAS Disks on an LSI Logic 1064E SAS Controller

[Graph: LSI Logic 1064E SAS Controller with 2x IBM 73GB 15kRPM SAS Disks in RAID1]

As you can see, this is the performance you get from the server hard disks on an entry-level controller in an entry-level system. It’s not astonishing, but the performance is quite acceptable.

Western Digital’s 1001FALS 1TB on an ICH10R (AHCI Mode)

[Graph: WD 1001FALS on an ICH10R]

Here’s how the Western Digital disk behaves on a proper controller. Please note that this is a single disk, not part of a RAID array. The performance is quite good.

4x WD’s 1001FALS 1TB on an HP E200 in RAID10

[Graph: HP E200 Controller with 4 WD1001FALS in RAID10]

And here’s how it shouldn’t look. Compare this to the stand-alone disks above, which exhibit better performance. HP fucked up bad on this one, and there’s no fix in sight. Stay away from the E200.

And as a final word: I really don’t have much of a clue about benchmarking. If you see an obvious error here, please state what you think. If possible, I will try to correct it.

Update: As requested in the comments, I upgraded the E200 to Firmware 1.84 and redid the benchmark. It looks roughly the same.

[Graph: HP E200 with Firmware 1.84]

Updating Subject Alternate Names in an Exchange certificate

Exchange 2010 will be out soon, and I’ve been preparing for the migration. One of the more important parts is that you will need to have both Exchange 2007 and Exchange 2010 client access servers accessible from the Internet.

If you’re following the recommended deployment method for Exchange 2007, you’ll already be using a SAN certificate in order to publish AutoDiscovery and OWA. For coexistence of Exchange 2007 and Exchange 2010, an additional name will need to be added to your SAN certificate.

With most CAs, this is a pretty straightforward process that can be done using their web interface, since the private key doesn’t need to be touched. After modifying this, you will get a new .crt file containing the certificate, but no private key (which is correct).

However, importing this into Exchange 2007 using Import-ExchangeCertificate doesn’t work – Windows won’t know which private key is associated with the newly imported certificate. When you try to use Enable-ExchangeCertificate, you will receive the following error message:

Enable-ExchangeCertificate : The certificate with thumbprint 1234 was found but is
not valid for use with Exchange Server (reason: PrivateKeyMissing).

I searched high and low on how to replace a certificate without touching the private key, but I didn’t find anything. So I turned to the community for support – MCSEBoard.de is an excellent Windows community for those who speak German.

Unfortunately, no one knew an easy way either – the suggestion was to use OpenSSL to create a new keystore.

This was rather easy, but I didn’t find any guides on the net on how to do this, so I’m publishing this here in the hope that it will help others with the same issue.

  • First, you need to export the certificate including the private key using the Windows certificate manager. Open an elevated MMC, add the Certificates snap-in and focus it on the Computer account. Click “Personal”, and then export the certificate with the private key.
  • Download and Install OpenSSL for Windows
  • Issue the following command: openssl pkcs12 -in mykey.pfx > out.txt
  • Open out.txt using an LF-aware text editor, such as Notepad++. Save the PRIVATE KEY part to a textfile called key.pem.
  • Save the certificate to a file called cert.crt
  • Issue the following command: openssl pkcs12 -export -in cert.crt -inkey key.pem -out newcert.p12
  • Copy the newly created newcert.p12 to the Exchange server.
  • Open PowerShell and run the following command: $secureString = ConvertTo-SecureString "blubb" -AsPlainText -Force (replace “blubb” with the passphrase you used in the step before)
  • Run Import-ExchangeCertificate -path newcert.p12 -pass $secureString to import the certificate back into Exchange
  • The rest is as usual – use Enable-ExchangeCertificate to enable the certificate.
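
The OpenSSL part of the steps above can also be scripted so that the private key is never pasted through a text editor and the reissued certificate is checked against the exported key before the new keystore is built. This is an added example, not part of the original post; it assumes openssl.exe is on the PATH and cert.crt is PEM-encoded, and the PFX_PASS variable name and the Assert-OpenSsl helper are made up for illustration.

```powershell
# Added example. File names follow the steps above; PFX_PASS and Assert-OpenSsl
# are hypothetical names. Assumes openssl.exe is on the PATH and cert.crt is PEM.
$ErrorActionPreference = 'Stop'

function Assert-OpenSsl([string]$Step) {
    # openssl.exe is a native program, so a failure only shows up in $LASTEXITCODE.
    if ($LASTEXITCODE -ne 0) { throw "openssl failed during: $Step" }
}

# Prompt once; the passphrase never appears on a command line or in a script file.
$secure = Read-Host -AsSecureString 'Passphrase for mykey.pfx and newcert.p12'
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$env:PFX_PASS = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

try {
    # Extract only the private key, still encrypted, instead of cutting it out of out.txt.
    openssl pkcs12 -in mykey.pfx -nocerts -out key.pem -passin env:PFX_PASS -passout env:PFX_PASS
    Assert-OpenSsl 'private key extraction'

    # The reissued certificate must carry the same public key as the exported private key.
    $fromKey = (openssl pkey -in key.pem -pubout -passin env:PFX_PASS) -join "`n"
    Assert-OpenSsl 'public key from key.pem'
    $fromCert = (openssl x509 -in cert.crt -noout -pubkey) -join "`n"
    Assert-OpenSsl 'public key from cert.crt'
    # -cne compares case-sensitively, which matters for base64 text.
    if ($fromKey -cne $fromCert) {
        throw 'cert.crt does not match the private key in mykey.pfx; newcert.p12 not built'
    }

    # Same packaging command as in the steps above, passphrase taken from the environment.
    openssl pkcs12 -export -in cert.crt -inkey key.pem -out newcert.p12 -passin env:PFX_PASS -passout env:PFX_PASS
    Assert-OpenSsl 'PKCS#12 export'
}
finally {
    # Do not leave the extracted key or the passphrase behind.
    if (Test-Path key.pem) { Remove-Item key.pem }
    Remove-Item Env:\PFX_PASS
}
# When run on the Exchange server, $secure can be passed to Import-ExchangeCertificate -pass.
```

If the public keys differ, the certificate was issued for a different key pair and importing it would end in the same PrivateKeyMissing situation, so the script stops before building newcert.p12.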

And that’s it. It might be a bit cumbersome, and I really hope that there is an easier way to do this. If you know, let me know so I can update this page.