Exchange Domain Migration Automation

eimagine recently underwent a rebranding which included changing our domain from thinketg.com to eimagine.com. Normally this would require clicking through a multitude of menus and screens, but this can all be conveniently accomplished with Powershell.

Fortunately our setup is fairly simple with a single server hosting the CAS, Mailbox, and Edge roles. The manual portion of the setup was to deploy a Server 2012 R2 VM, installed Exchange 2013 CU 8 (Build 15.0.1076.9), install my public CA wildcard certificate in the Local Machine Personal store, and then run the appropriate Powershell commands from the EMS.

First, I need to grab the thumbprint of my wildcard certificate:

$domainname = "eimagine"
get-exchangecertificate | Where Subject -like "CN=*.$domainname.com*"

Copy the thumbprint and paste it as indicated below:

$wildcardCertificateThumbprint = '<insert thumbprint here>'

Setup POP and IMAP (if needed):

Set-POPSettings -X509CertificateName pop.$domainname.com
Set-IMAPSettings -X509CertificateName imap.$domainname.com

Setup UM and assign the certificate to all Exchange services:

Set-UMService -Identity etgex1 -UMStartUpMode TLS
Enable-ExchangeCertificate -Thumbprint $wildcardCertificateThumbprint -Services POP,IMAP,SMTP,IIS #Thumbprint of *.eimagine.com certificate
Enable-ExchangeCertificate -Thumbprint $exchangeServerCertificateThumbprint -Services 'UM, UMCallRouter' -Confirm #Thumbprint of etgex1.eimagine.local certificate
Restart-Service MSExchangeUM

Enter the old server name and the new server to copy all of the receive connectors:

$OldServer = "exchange-old"
$NewServer = "echange-new"
[array]$ReceiveConnectors = Get-ReceiveConnector -Server $OldServer | Where {$_.Name -notlike “Default Frontend $($OldServer)” -and $_.Name -notlike “Client Frontend $($OldServer)”}
$ReceiveConnectors | foreach {
New-ReceiveConnector -Name $_.Name -RemoteIPRanges $_.RemoteIPRanges -bindings $_.Bindings -Banner $_.Banner -ChunkingEnabled $_.ChunkingEnabled -DefaultDomain $_.DefaultDomain -DeliveryStatusNotificationEnabled $_.DeliveryStatusNotificationEnabled -EightBitMimeEnabled $_.EightBitMimeEnabled -DomainSecureEnabled $_.DomainSecureEnabled -LongAddressesEnabled $_.LongAddressesEnabled -OrarEnabled $_.OrarEnabled -Comment $_.Comment -Enabled $_.Enabled -ConnectionTimeout $_.ConnectionTimeout -ConnectionInactivityTimeout $_.ConnectionInactivityTimeout -MessageRateLimit $_.MessageRateLimit -MaxInboundConnection $_.MaxInboundConnection -MaxInboundConnectionPerSource $_.MaxInboundConnectionPerSource -MaxInboundConnectionPercentagePerSource $_.MaxInboundConnectionPercentagePerSource -MaxHeaderSize $_.MaxHeaderSize -MaxHopCount $_.MaxHopCount -MaxLocalHopCount $_.MaxLocalHopCount -MaxLogonFailures $_.MaxLogonFailures -MaxMessageSize $_.MaxMessageSize -MaxProtocolErrors $_.MaxProtocolErrors -MaxRecipientsPerMessage $_.MaxRecipientsPerMessage -PermissionGroups $_.PermissionGroups -PipeliningEnabled $_.PipeLiningEnabled -ProtocolLoggingLevel $_.ProtocolLoggingLevel -RequireEHLODomain $_.RequireEHLODomain -RequireTLS $_.RequireTLS -EnableAuthGSSAPI $_.EnableAuthGSSAPI -ExtendedProtectionPolicy $_.ExtendedProtectionPolicy -SizeEnabled $_.SizeEnabled -TarpitInterval $_.TarpitInterval -Server $NewServer
}

Enter the URL you wish to use for all of the web services:

$URLName="webmail.$domainname.com"
$ComputerName="eimagine-new"

Get-WebServicesVirtualDirectory -Server $ComputerName | Set-WebServicesVirtualDirectory -InternalUrl https://$URLNAME/ews/exchange.asmx -ExternalURL https://$URLNAME/ews/exchange.asmx
Set-OWAVirtualDirectory -identity "$computername\owa (Default Web Site)" -InternalURL https://$URLNAME/owa -ExternalURL https://$URLNAME/owa
Get-OABVirtualDirectory -Server $ComputerName | Set-OABVirtualDirectory -InternalURL https://$URLNAME/OAB -ExternalURL https://$URLNAME/OAB
Get-ECPVirtualDirectory -Server $ComputerName | Set-ECPVirtualDirectory -InternalURL https://$URLNAME/ECP -ExternalURL https://$URLNAME/ECP
Get-MAPIVirtualDirectory -Server $ComputerName | Set-MAPIVirtualDirectory -InternalURL https://$URLNAME/MAPI -ExternalURL https://$URLNAME/MAPI -IISAuthenticationMethods NTLM,Negotiate
Get-ActiveSyncVirtualDirectory -Server $ComputerName | Set-ActiveSyncVirtualDirectory -InternalURL https://$URLNAME/Microsoft-Server-ActiveSync -ExternalURL https://$URLNAME/Microsoft-Server-ActiveSync
Set-OutlookAnywhere -identity "$computername\RPC (Default Web Site)" -ExternalHostname $URLNAME -InternalHostname $URLNAME -InternalClientsRequireSSL $true -ExternalClientsRequireSsl $true -ExternalClientAuthenticationMethod:NTLM
Set-ClientAccessServer -Identity $ComputerName -AutodiscoverServiceInternalUri https://$URLNAME/Autodiscover/Autodiscover.xml
Set-OutlookProvider expr -CertPrincipalName:"msstd:$URLName"

Setup Office Web Apps:

Set-OrganizationConfig -WACDiscoveryEndpoint https://officewebapps.$domainname.com/hosting/discovery

Run these commands to set up Outlook Web App integration:

Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -InstantMessagingEnable $True -InstantMessagingType OCS
Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -InstantMessagingEnabled $true –InstantMessagingType OCS

If you have Macs running Office 2016, you will need to add the below key to the registry (see https://support.microsoft.com/EN-US/kb/980436 for more details):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"AllowInsecureRenegoClients"=dword:00000001

Setup Skype for Business/Lync Integration (if applicable):

First, find the thumbprint of the local machine’s domain CA certificate by running:

$sysinfo = Get-WmiObject -Class Win32_ComputerSystem
$server = “{0}.{1}” -f $sysinfo.Name, $sysinfo.Domain
$serverCertificateThumbprint = get-exchangecertificate | Where Subject -like "CN=$server*" | select Thumbprint
$serverCertificateThumbprint

Then add the below 2 lines to C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\Owa\web.config under <appSettings> replacing the thumbprint with the value returned above:

<add key="IMCertificateThumbprint" value="<Local Machine Domain CA Certificate Thumbprint>"/>
<add key="IMServerName" value="<Skype Front-End FQDN"/>

Setup the trusted application pool on the Skype Front-end server (requires downtime):

#Run on Skype Front-end as Administrator
New-CsTrustedApplicationPool -Identity <Exchange server FQDN> -Registrar <Skype Front-end FQDN> -Site "<Skype Site Name>" -RequiresReplication $False
New-CsTrustedApplication -ApplicationId OutlookWebAccess -TrustedApplicationPoolFqdn etgex1.eimagine.local -Port 8081
Enable-CsTopology
iisreset
C:\Windows\System32\Inetsrv\Appcmd.exe recycle apppool /apppool.name:"MSExchangeOWAAppPool"

Run a final IISRESET on your Exchange server and then your Exchange server will be fully migrated to the new domain name.

Now you’ll need to set the new email address for all of your users by adding the new domain as an accepted domain in Exchange:

New-AcceptedDomain -Name "$domainname" -DomainName $domainname -DomainType Authoritative

Now set the email address policy to use your new domain name (this will overwrite the default policy making the new domain primary and the old domain secondary):

Set-EmailAddressPolicy -Identity 'Default Policy' -Name 'Default Policy' -IncludedRecipients 'AllRecipients" -Priority "Lowest" -EnabledEmailAddressTemplates 'SMTP:@$domainname.com,smtp:@<olddomain>.com'

That’s it!

Please let us know in the comments if you have any questions or need guidance.

Leave a Reply

Your email address will not be published.