On a new computer in each of your existing Exchange organizations, install Exchange 2007 SP1. For more information about installing Exchange 2007, see one of the following topics:

• How to Perform a Typical Installation Using Exchange Server 2007 Setup
  
• How to Perform a Custom Installation Using Exchange Server 2007 Setup
  
• How to Install Exchange 2007 in Unattended Mode
  

If you do not install the Mailbox, Hub Transport, Client Access, and Unified Messaging server roles on a single computer, you should install the Exchange 2007 server roles on separate computers in the following order:

1. Client Access server role
   
2. Hub Transport server role
   
3. Mailbox server role
   
4. Unified Messaging server role
   

An Exchange 2003 or Exchange 2000 front-end server cannot provide access to an Exchange 2007 Mailbox server. In addition, an Exchange 2007 Mailbox server cannot send or receive messages unless a Hub Transport server also exists in its Active Directory site. Therefore, when upgrading an existing Exchange organization, we recommend that you install the Client Access and Hub Transport server roles before installing the Mailbox server role. If you install the Mailbox server first, you will not have client access or mail flow to or from the Mailbox server until you install the Client Access and Hub Transport server roles.

If you plan to have an Exchange 2007 Edge Transport server in your Exchange 2007 organization, you must install the Edge Transport server role on a separate computer.

(Optional) If you are using any version of Outlook other than Outlook 2007, and if you want to share free/busy information across the forests, make sure that you have installed the Inter-Organization Replication tool in each forest. It is supported to install the Inter-Organization Replication tool on a computer that has the Exchange 2007 management tools installed without any other Exchange 2007 server roles or on an Exchange 2003 or Exchange 2000 server. For more information, see Microsoft Exchange Server Inter-Organization Replication. To synchronize free/busy data across Exchange 2007 and Exchange 2003 forests, you must use the Exchange Inter-Organization Replication tool.

In each forest, use Active Directory Users and Computers to create a container in which ILM will create contacts for each mailbox from the other forest. We recommend that you name this container FromILM. To create the container, select the domain in which you want to create the container, right-click the domain, select New, and then select Organizational Unit. In New Object - Organizational Unit, type FromILM, and then click OK. 

(Optional) Create a GALSync management agent for each forest by using ILM 2007 Feature Pack 1. This allows you to synchronize the users in each forest and create a common GAL. For detailed steps, see the procedure "To configure a GAL Synchronization management agent with ILM 2007 Feature Pack 1" later in this topic.

Note:
If you already have GALSync enabled in your existing Exchange forests, you can skip Steps 4 and 5.

(Optional) Enable GALSync. To do this, in the main ILM Identity Manager window, click Tools, click Options, and then select the Enable Provisioning Rules Extension check box. Click OK.

Options page

If you do not plan to immediately move all mailboxes from the Exchange 2003 or Exchange 2000 servers to the Exchange 2007 servers, you must complete Steps 7 and 8 so that you can send mail across forests from Exchange 2003 or Exchange 2000 mailboxes to Exchange 2007 mailboxes.

If you plan to immediately move all mailboxes from the Exchange 2003 or Exchange 2000 servers to the Exchange 2007 servers, go directly to Step 9.

Configure connectors in each forest that will have an Exchange server. For detailed steps, see "Exchange 2007 to Exchange 2003" in Configuring Cross-Forest Connectors.

Note:

If you use Basic authentication, we recommend that you use Transport Layer Security (TLS) encryption to help improve security. By default, Exchange 2007 servers are set to use TLS, but you must configure your Exchange 2003 or Exchange 2000 servers to use TLS. If you do not configure your Exchange 2003 or Exchange 2000 servers to use TLS, you will not be able to send mail between Exchange 2007 servers and Exchange 2003 or Exchange 2000 servers. For more information about using TLS in Exchange 2003 or Exchange 2000, see Microsoft Knowledge Base article 829721, How to help protect SMTP communication by using the Transport Layer Security protocol in Exchange Server.

If you require that mail can be relayed through any forest in your organization, you must configure a domain in that forest as an authoritative domain. For detailed steps, see How to Configure Authoritative Domains for the Exchange Organization.

Move mailboxes from your existing Exchange 2003 or Exchange 2000 servers to the new Exchange 2007 Mailbox servers in each forest. For detailed steps, see How to Move a Mailbox Within a Single Forest. If you want to move mailboxes from one forest to the other, see How to Move a Mailbox Across Forests.

Note:

You do not need to move your existing contacts or distribution groups within the same forest. They are available in Active Directory even if you remove your Exchange 2003 or Exchange 2000 servers from the forest. To move contacts or distribution groups from one forest to another, you must use a tool such as the Active Directory Migration Tool version 3.0 (ADMT v3). For more information about ADMT v3, see Active Directory Migration Tool v3.0.

Note:

If you have any Exchange 2003 or Exchange 2000 recipient policies that have not been applied, moving the mailboxes to an Exchange 2007 server forces the recipient policies to be evaluated again and applied. Before you move mailboxes, make sure that you want to apply all of the existing recipient policies. If you have an existing recipient policy that you do not want to apply, clear the Automatically update e-mail address based on e-mail address policy check box in Active Directory Users and Computers. For more information, see the Exchange Server Team Blog article Yes, Exchange 2007 really enforces Email Address Policies. (Note: The content of each blog and its URL are subject to change without notice.)

(Optional) Remove your old Exchange 2003 or Exchange 2000 servers from the organization. For more information about how to remove Exchange 2003 servers, see How to Uninstall Exchange Server 2003 in the Exchange Server 2003 Deployment Guide. For more information about how to remove Exchange 2000 servers, see How to Uninstall Exchange 2000 Server in the Exchange Server 2003 Deployment Guide.

Note:

To remove the last Exchange 2003 or Exchange 2000 server from an organization, you must perform special steps to move public folder replicas, remove the public folder database, move the public folder hierarchy, move the offline address book (OAB) generation server, delete routing group connectors, delete the Recipient Update Service, and verify mail flow, protocols, and recipient policies. For detailed steps, see How to Remove the Last Legacy Exchange Server from an Organization.

In ILM 2007 Feature Pack 1, select Management Agents from the toolbar, and then, under Actions, click Create.

Management Agents pane in ILM

On the Create Management Agent page, under Management agent for, select Active Directory global address list (GAL).

In the Name box, type a name for this management agent. When creating the name, we recommend that you include the name of the source forest from which this management agent will gather recipient information.

In the Description box, type a description for this management agent, and then click Next.

On the Connect to Active Directory Forest page, complete the following fields:

• Forest name   Name of the source forest.
  
• User name and Password   User name and password of an account that has permission to read schema information from the source forest.
  
• Domain   Domain for the specified account.
  

  Note:
  You can also enter the user name as <user>@<domain> and leave the domain field blank.

Click Next.

On the Configure Directory Partitions page, select the directory partitions on the source forest from which you want to project data to a destination forest.

Configure Directory Partitions page

On the Configure Directory Partitions page, click Containers.

Containers button on the Configure Directory Partitions page

On the Select Containers page, clear the top-level check box for the directory partition, select the containers for which this management agent will gather and store information, and then click OK. Be sure to select the container in which ILM will create contacts for each mailbox from the other forest, such as the FromILM container.

On the Configure Directory Partitions page, click Next.

On the Configure GAL page, click Target, and then select the container in which the contacts from other forests will reside in the target forest.

Target button on the Configure GAL page

On the Configure GAL page, click Source, and then select the container in which other forests' objects that are synchronized to the target forest will reside.

Source button on the Configure GAL page

Under Exchange configuration, click Edit to specify at least one SMTP e-mail suffix that is managed in the source forest. Click Next.

Edit button on the Configure GAL page

On the Select Object Types page, click Next.

On the Select Attributes page, click Next.

On the Configure Connector Filter page, click Next.

On the Configure Join and Projection Rules page, click Next.

On the Configure Attributes Flow page, click Next.

On the Configure Deprovisioning page, click Next.

On the Configure Extensions page, select Enable Exchange 2007 provisioning, and then click Finish.

Enable Exchange 2007 provisioning on the Configure Extensions page

On a new computer in each of your existing Exchange organizations, install Exchange 2007. For more information about installing Exchange 2007, see one of the following topics:

• How to Perform a Typical Installation Using Exchange Server 2007 Setup
  
• How to Perform a Custom Installation Using Exchange Server 2007 Setup
  
• How to Install Exchange 2007 in Unattended Mode
  

If you do not install the Mailbox, Hub Transport, Client Access, and Unified Messaging server roles on a single computer, you should install the Exchange 2007 server roles on separate computers in the following order:

1. Client Access server role
   
2. Hub Transport server role
   
3. Mailbox server role
   
4. Unified Messaging server role
   

An Exchange 2003 or Exchange 2000 front-end server cannot provide access to an Exchange 2007 Mailbox server. In addition, an Exchange 2007 Mailbox server cannot send or receive messages unless a Hub Transport server also exists in its Active Directory site. Therefore, when upgrading an existing Exchange organization, we recommend that you install the Client Access and Hub Transport server roles before installing the Mailbox server role. If you install the Mailbox server first, you will not have client access or mail flow to or from the Mailbox server until you install the Client Access and Hub Transport server roles.

If you plan to have an Exchange 2007 Edge Transport server in your Exchange 2007 organization, you must install the Edge Transport server role on a separate computer.

(Optional) If you are using any version of Outlook other than Outlook 2007, and if you want to share free/busy information across the forests, make sure that you have installed the Inter-Organization Replication tool in each forest. It is supported to install the Inter-Organization Replication tool on a computer that has the Exchange 2007 management tools installed without any other Exchange 2007 server roles or on an Exchange 2003 or Exchange 2000 server. For more information, see Microsoft Exchange Server Inter-Organization Replication. To synchronize free/busy data across Exchange 2007 and Exchange 2003 forests, you must use the Microsoft Exchange Inter-Organization Replication tool.

In each forest, in Active Directory Users and Computers, create a container where MIIS will create contacts for each mailbox from the other forest. We suggest that you name this container "FromMIIS." To create the container, select the domain in which you want to create the container, right-click the domain, select New, and then select Organizational Unit. In New Object - Organizational Unit, type FromMIIS, and then click OK.

(Optional) Create a global address list (GAL) synchronization management agent for each forest by using MIIS 2003 or Identity Integration Feature Pack for Microsoft Windows Server Active Directory with SP2. This will allow you to synchronize the users in each forest and create a common GAL. For detailed steps, see the procedure "To configure a GAL Synchronization management agent" later in this topic.

Note:
If you already have GALSync enabled in your existing Exchange forests, you can skip Steps 4 and 5.

(Optional) Enable GALSync. To do this, in the main MIIS Manager window, click Tools, click Options, and then select Enable Provisioning Rules Extension. Click OK.

Options page

If you do not plan to move all mailboxes from the Exchange 2003 or Exchange 2000 servers to the Exchange 2007 servers immediately, you must complete Steps 7 and 8 so that you can send mail across forests from Exchange 2003 or Exchange 2000 mailboxes to Exchange 2007 mailboxes.

If you plan to move all mailboxes from the Exchange 2003 or Exchange 2000 servers to the Exchange 2007 servers immediately, go directly to Step 9.

Configure connectors in each forest that will have an Exchange server. For detailed steps, see "Exchange 2007 to Exchange 2003" in Configuring Cross-Forest Connectors.

Note:

If you use Basic authentication, we strongly recommend that you use Transport Layer Security (TLS) encryption to help improve security. By default, Exchange 2007 servers are set to use TLS, but you must configure your Exchange 2003 or Exchange 2000 servers to use TLS. If you do not configure your Exchange 2003 or Exchange 2000 servers to use TLS, you will not be able to send mail between Exchange 2007 servers and Exchange 2003 or Exchange 2000 servers. For more information about using TLS in Exchange 2003 or Exchange 2000, see Microsoft Knowledge Base article 829721, How to help protect SMTP communication by using the Transport Layer Security protocol in Exchange Server.

If you require that mail can be relayed through any forest in your organization, you must configure a domain in that forest as an authoritative domain. For detailed steps, see How to Configure Authoritative Domains for the Exchange Organization.

Move mailboxes from your existing Exchange 2003 or Exchange 2000 servers to the new Exchange 2007 Mailbox servers in each forest. For detailed steps, see How to Move a Mailbox Within a Single Forest. If you want to move mailboxes from one forest to the other, see How to Move a Mailbox Across Forests.

Note:

You do not need to move your existing contacts or distribution groups within the same forest. They will be available in Active Directory even if you remove your Exchange 2003 or Exchange 2000 servers from the forest. To move contacts or distribution groups from one forest to another, you must use a tool such as the Active Directory Migration Tool version 3.0 (ADMT v3). For more information about ADMT v3, see Active Directory Migration Tool v3.0.

Note:

If you have any Exchange 2003 or Exchange 2000 recipient policies that have not been applied, moving the mailboxes to an Exchange 2007 server will force the recipient policies to be evaluated again and applied. Before you move mailboxes, make sure that you want to apply all of the existing recipient policies. If you have an existing recipient policy that you do not want to apply, clear the Automatically update e-mail address based on e-mail address policy check box in Active Directory Users and Computers. For more information, see the Exchange Server Team Blog article Yes, Exchange 2007 really enforces Email Address Policies. (Note: The content of each blog and its URL are subject to change without notice.)

(Optional) Remove your old Exchange 2003 or Exchange 2000 servers from the organization. For more information about how to remove Exchange 2003 servers, see How to Uninstall Exchange Server 2003 in the Exchange Server 2003 Deployment Guide. For more information about how to remove Exchange 2000 servers, see How to Uninstall Exchange 2000 Server in the Exchange Server 2003 Deployment Guide.

Note:

To remove the last Exchange 2003 or Exchange 2000 server from an organization, you must perform special steps to move public folder replicas, remove the public folder database, move the public folder hierarchy, move the offline address book (OAB) generation server, delete routing group connectors, delete the Recipient Update Service, and verify mail flow, protocols, and recipient policies. For detailed steps, see How to Remove the Last Legacy Exchange Server from an Organization.

To create a script that finishes provisioning the recipients that were created by the GALSync process, perform one of the following steps:

• Create an Exchange Management Shell script called MyScript.ps1 that updates all the e-mail address policies, address lists, and GALs for all the recipients in your organization. The script should contain the following lines:
  
  Get- EmailAddressPolicy | Update-EmailAddressPolicy
  Get- AddressList | Update-AddressList
  Get- GlobalAddressList  | Update-GlobalAddressList

  Note:
  This script updates all recipients in your organization. This is a costly update and can take several minutes depending on the complexity of your environment.

• Create an Exchange Management Shell script called MyScript.ps1 that updates specific e-mail address policies, address lists, and GALs for all the recipients in your organization. The script should contain the following lines:
  
  Update-EmailAddressPolicy -Identity AddressPolicy01
  Update-AddressList -Identity "All Contacts\AddressList01"
  Update-GlobalAddressList -Identity "My Global Address List"

  If you customized your GALSync management agent to create other types of objects, such as mailboxes, you must add additional lines to update the corresponding address lists, such as "All Users\AddressList01."
  

  Note:
  This script updates all recipients in your organization. This is a costly update and can take several minutes depending on the complexity of your environment.

• Create an Exchange Management Shell script called MyScript.ps1 that updates only the recipients that are in the FromMIIS organizational unit (OU). The script should contain the following line:
  
  Get-MailContact -OrganizationalUnit "FromMIIS" | Where-Object  { $_.legacyexchangedn -eq "" }  | Set-MailContact

(Optional) In each forest, use either the Windows at.exe command or Windows Scheduled Tasks to schedule the script that you created in Step 11 to run at least once per day. To schedule Exchange Management Shell commands, you must run Microsoft Windows PowerShell (PowerShell.exe) with the PsConsoleFile parameter to load the Exchange Console Extensions and with the Command parameter to run the specific Exchange Management Shell command. The command that you use is the script you created in Step 11. For example, schedule the following command:

PowerShell.exe -PsConsoleFile "C:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1" -command d:\scripts\MyScript.ps1

In MIIS or Identity Integration Feature Pack for Microsoft Windows Server Active Directory with SP2, select Management Agents from the toolbar, and then under Actions, click Create.

Management Agents pane in MIIS

On the Create Management Agent page, under Management agent for, select Active Directory global address list (GAL).

In the Name box, type a name for this management agent. When creating the name, we recommend that you include the name of the source forest from which this management agent will gather recipient information.

In the Description box, type a description for this management agent, and then click Next.

On the Connect to Active Directory Forest page, complete the following fields:

• Forest name   Name of the source forest.
  
• User name and Password   User name and password of an account that has permission to read schema information from the source forest.
  
• Domain   Domain for the specified account.
  

  Note:
  You can also enter the user name as <user>@<domain> and leave the domain field blank.

Click Next.

On the Configure Directory Partitions page, select the directory partitions on the source forest from which you want to project data to a destination forest.

Configure Directory Partitions page

On the Configure Directory Partitions page, click Containers.

Containers button on the Configure Directory Partitions page

On the Select Containers page, clear the top-level check box for the directory partition, select the containers for which this management agent will gather and store information, and then click OK. Be sure to select the container in which MIIS will create contacts for each mailbox from the other forest, such as the FromMIIS container.

On the Configure Directory Partitions page, click Next.

On the Configure GAL page, click Target, and then select the container in which the contacts from other forests will reside in the target forest.

Target button on the Configure GAL page

On the Configure GAL page, click Source, and then select the container in which other forests' objects that are synchronized to the target forest will reside.

Source button on the Configure GAL page

Under Exchange configuration, click Edit to specify at least one SMTP e-mail suffix that is managed in the source forest. Click Next.

Edit button on the Configure GAL page

On the Select Object Types page, click Next.

On the Select Attributes page, click Next.

On the Configure Connector Filter page, click Next.

On the Configure Join and Projection Rules page, click Next.

On the Configure Attributes Flow page, click Next.

On the Configure Deprovisioning page, click Next.

On the Configure Extensions page, click Finish.