
Migrating Exchange 2003 to 2010

Written by Daniel Mundy on Monday, 16 April 2012 18:00.

Original Source: PeteNetLive - KB0000234 - Exchange 2003 to 2010 Transition "Swing Migration" (I've copied this content here so I can make my own annotations)

Assumptions:

In this example I've got an existing Exchange 2003 environment running on Windows Server 2003. I'm installing Exchange 2010 on a new server running Windows Server 2008 R2. After the install the NEW server will hold the Client Access, Mailbox and Hub Transport roles.

Step 1 - "Pre-Site Visit"

  1. Make sure before you start that you have the Exchange 2010 media and product key; you don't want to download the media on a site with a slow internet connection (at the time of writing the disk image is 1GB in size).

  2. If your existing servers, including the domain controllers, are 32-bit, and the schema will need extending during the process (i.e. it is not already at 2003 R2 level), make sure you have 32-bit Windows media with you as well.

  3. Make sure any third party antivirus and/or mail scanning software is supported and will work on Exchange 2010, and that you have the media and licences handy.

  4. Exchange 2010 only installs on 64-bit Windows, so make sure you have a capable server, x64 Windows media and licences.

  5. You will need your Exchange 2003 CD; it's fond of asking for it during the uninstall process.

  6. Before you even think about going further make sure you have a good backup! If you are lucky enough to have VMware ESX, Hyper-V or another virtualisation platform, consider doing a P2V conversion of your Exchange 2003 server and then simply turning the original 2003 server off; if it all goes to hell in a handcart, simply turn the original server back on again.

  7. While you're thinking about backups: does your backup software support Exchange 2010? You might need a new Exchange agent, so check with your software reseller.

Step 2 - "Pre Install"

  1. Before you do anything, it's time for a common sense check: make sure your existing Exchange 2003 organisation is happy and running cleanly, and has good communication with the domain and DNS. Get into the event logs and make sure it's a happy server.

Time spent on reconnaissance is seldom wasted!

  1. Make sure your Exchange 2003 server(s) is/are at "Exchange 2003 Service Pack 2" (in fact get the latest Exchange update rollup after that as well, to be on the safe side).

Exchange 2003 Build Numbers

  Microsoft Exchange Server 2003       6.5.6944   October 2003
  Microsoft Exchange Server 2003 SP1   6.5.7226   May 2004
  Microsoft Exchange Server 2003 SP2   6.5.7638   October 2005

  1. The brief says your Global Catalog server should be at least Server 2003 SP2; however, I'd be updating all the domain controllers to Service Pack 2. (Note: you need 381 MB free space on the system drive, plus 170 MB additional free space, to install SP2.)

Locate the Global Catalog Server

Find the Service Pack Level

  1. The domain functional level needs to be at "Windows Server 2003". When done, leave enough time for it to replicate to all domain controllers in the domain.

  1. Now the forest functional level needs raising to "Windows Server 2003". When done leave enough time to replicate across the entire forest.

  1. Now you need to put your existing Exchange organisation into "Native Mode".

Multiple Exchange 2003 Servers Note:

  1. If you have multiple Exchange 2003 servers with routing groups you need to suppress link state changes on EVERY Exchange 2003 server: Start > Run > regedit {enter} > navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RESvc\Parameters > right click > New DWORD > call it SuppressStateChanges > set its value to 1 > then either reboot, or restart the Simple Mail Transfer Protocol (SMTP) service, the Microsoft Exchange Routing Engine service and the Microsoft Exchange MTA Stacks service.

  1. At this point I would apply the "cup of coffee" rule, then check the domain controllers event logs and the event log on the Exchange 2003 box make sure everything is running smoothly.

  2. Now you THINK Exchange is happy; it's time to MAKE SURE: download and run the Microsoft Exchange Pre-Deployment Analyser (ExPDA).

  1. Continue to run and fix any problems it reports. Note: If you use a smart host, you may see the following warning,

SMTP is configured to route all messages to a smart host.

You may have some mail routing issues if you leave your smart host configured (It's set on the Virtual SMTP server on the Exchange 2003 Server (Or on your SMTP connector if you have one in routing groups)). Remove it for now, and add it back to the 2010 Send connector later.

  1. (This may not be required; only do it if you have trouble migrating mailboxes.) Install the Exchange 2003 hotfix linked in the original article. It resolves an issue where a mailbox is migrated to 2010 but never removed from 2003, which prevents you from uninstalling Exchange 2003. Reboot after installation.

  2. Set the deleted mailbox retention on the Exchange 2003 store to 0 days (the original article links the instructions).
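Before moving on, it is worth checking the Step 2 items in one go rather than trusting memory. The script below is an added example, not part of the original article: it is read-only, runs under PowerShell 2.0 on any domain-joined Windows machine using ADSI/.NET only (no AD module needed), and reports the domain and forest functional levels, the build of every Exchange 2003 server (Exchange stores it in the serialNumber attribute), whether the organisation is still in mixed mode (the msExchMixedMode attribute on the organisation object), and whether SuppressStateChanges is set on each 2003 server. The registry read assumes the Remote Registry service is running on the 2003 servers and that you have local admin rights there.

```powershell
# Added example (not from the original article). Read-only pre-install check
# for Step 2. PowerShell 2.0, ADSI/.NET only; run as a domain admin.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = "$($rootDse.configurationNamingContext)"

# 1. Functional levels. RootDSE reports them as integers:
#    0 = Windows 2000, 2 = Windows Server 2003, 3 = 2008, 4 = 2008 R2.
$domainLevel = [int]"$($rootDse.domainFunctionality)"
$forestLevel = [int]"$($rootDse.forestFunctionality)"
foreach ($pair in @(@("Domain", $domainLevel), @("Forest", $forestLevel))) {
    $state = if ($pair[1] -ge 2) { "OK" } else { "RAISE to Windows Server 2003 and wait for replication" }
    "{0} functional level: {1} -> {2}" -f $pair[0], $pair[1], $state
}

# 2. Every Exchange server and its build. serialNumber looks like
#    "Version 6.5 (Build 7638.2: Service Pack 2)"; SP2 is build 7638.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNc"
$searcher.Filter   = "(objectClass=msExchExchangeServer)"
$searcher.PageSize = 500
$legacy = @()
foreach ($r in $searcher.FindAll()) {
    $name = [string]$r.Properties["name"][0]
    $ver  = [string]$r.Properties["serialnumber"][0]
    if ($ver -match "Version 6\.5 \(Build (\d+)") {
        $legacy += $name
        $state = if ([int]$matches[1] -ge 7638) { "SP2 or later, OK" } else { "NEEDS Exchange 2003 SP2" }
        "Exchange 2003 server {0}: {1} -> {2}" -f $name, $ver, $state
    } else {
        "Other Exchange server {0}: {1}" -f $name, $ver
    }
}

# 3. Organisation mode: msExchMixedMode is TRUE until you switch to native mode.
$searcher.Filter = "(objectClass=msExchOrganizationContainer)"
$org     = $searcher.FindOne()
$orgName = [string]$org.Properties["name"][0]
$mixed   = ($org.Properties["msexchmixedmode"].Count -gt 0) -and [bool]$org.Properties["msexchmixedmode"][0]
$state   = if ($mixed) { "MIXED mode, switch to native mode first" } else { "native mode, OK" }
"Exchange organisation {0}: {1}" -f $orgName, $state

# 4. Link state suppression on each 2003 server (needed with multiple routing
#    groups; harmless to check otherwise). Reads the value over remote registry.
foreach ($srv in $legacy) {
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine", $srv)
        $key  = $hklm.OpenSubKey("SYSTEM\CurrentControlSet\Services\RESvc\Parameters")
        $val  = $null
        if ($key -ne $null) { $val = $key.GetValue("SuppressStateChanges") }
        $state = if ($val -eq 1) { "suppressed, OK" } else { "SuppressStateChanges not set to 1" }
        "Link state on {0}: {1}" -f $srv, $state
    } catch {
        "Link state on {0}: could not read registry ({1})" -f $srv, $_.Exception.Message
    }
}
```

Anything flagged in capitals is a stop: fix it, let replication settle, and re-run before building the new server.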

Step 3 - "Deploy Exchange 2010"

  1. Build your new server and apply all the latest service packs and updates. Join it to the domain, and log in with a user account that is a member of the Schema Admins group (and of Enterprise Admins, which setup needs in order to prepare Active Directory and the Exchange organisation). Before proceeding you need to install the Office 2010 Filter Pack on the new server.

Warning: Never disable IPv6 on an Exchange 2010 Server! and make sure it's installed before proceeding.

  1. You need to add certain roles to the new server before attempting to install Exchange 2010. You can script that, though I prefer to do things myself. Start > Server Manager > Roles > Add Roles > Next > select Web Server (IIS) > Next > Next.

  1. On Role Services, under Security > tick Basic Authentication > tick Windows Authentication > tick Digest Authentication > under Performance tick Dynamic Content Compression.

  1. Under Management Tools > select IIS 6 Management Compatibility > Next > Install > Close (when finished).

  1. Now you need to add "Server Features", primarily .Net Framework 3.5 that is in Server Manager > Features > Add Features > Expand .NET Framework 3.5.1 Features > Expand WCF Activation > tick HTTP Activation > Select to add Required Role Services.

  1. Scroll down and below "Remote Server Administration Tools" > Role Administration Tools > Select "AD DS and AD LDS Tools" > Next > Next > Next > Install > Close (when finished) > You may be asked to reboot.

The next step cannot be carried out unless you have rebooted.

  1. You need to set the startup type of the "Net Tcp Port Sharing" service to automatic > Click start > Run > Services.msc {enter} > Locate the Net Tcp Port Sharing Service and set its startup type to automatic.

  1. Put in the Exchange 2010 DVD, run setup.exe, If you are using the multi language version you should be at "Step 3: Choose Exchange Language option" > Select it. > Select Install Languages from DVD.

  1. Select "Step 4: Install Microsoft Exchange" > Files will extract and setup will Start.

  1. At the Introduction screen > Next.

  1. Accept the EULA > Next.

  1. No, we don't want to do error reporting > Next > select "Typical" > (if you are installing with SP1 see the note below) > Next.

Update 18/03/11

If you are deploying Exchange 2010 with SP1 included, at this point select "Automatically install Windows Server roles and features required for Exchange Server".

  1. If this is the only server, or it is going to be your main "bridgehead" server, then it will be internet facing > tick the box > enter your external domain name > Next.

  1. At this point you select your existing Exchange 2003 Server > Browse to it > Select it > Next > No we don't want to join the CEIP > Next.

  1. Exchange will perform its readiness checks; it will probably give you a couple of warnings. The first tells you that (once setup has run) you can no longer add an Exchange 2007 server to the organisation, and the other tells you to replicate free/busy data if you have Outlook 2003 clients (we will sort that out later) > click Install.

  1. When done click Finish.

  1. The Exchange management console will open, to enter the Product Key, select "Server Configuration > Select the server > Select Enter Product Key. Then either restart the exchange information store service or reboot.

Note: You will notice that, if you look in the Exchange 2003 Management Console you now have an extra administrative group (Called FYDIBOHF23SPDLT - that's geek humour, roll each letter and number back one).

Step 4 - "Configure and Migrate"

  1. Your new server will have one mailbox database and one public folder database; you can change their paths if you want to move them onto faster drives or other volumes. Select "Organisation Configuration" > Mailbox > you can right click each database and move it if required. Note: this is also where you set up database availability groups (DAGs) for high availability; local continuous replication no longer exists in Exchange 2010.

  1. Now it's time to make sure nothing is broken: go to the existing Exchange 2003 server and check mail flow inbound and outbound.

  1. Do you have any clients running Outlook 2003 or earlier? If you do remember the warning we saw earlier?

Warning: If Microsoft Outlook/Office 2003 is in use, you should replicate the free/busy folder on this server to every other free/busy server in the organization. This step should be performed once setup completes.

Well now, let's assume we do have Outlook 2003. This means calendar scheduling is done from a public folder (the SCHEDULE+ FREE BUSY system folder), and this public folder needs to be replicated to our new server, or calendaring and scheduling will break. Note: if your clients are all Outlook 2007 or above then skip this step; those clients use the Availability service, which they find via Autodiscover, instead.

On the Exchange 2003 server open Exchange System Manager > locate the Public Folders > change the view to "System Folders".

Then expand the "SCHEDULE+ FREE BUSY" folder and locate the folder that has the same name as your OLD administrative group (i.e. NOT the one with FYDIBOHF23SPDLT in it). Right click it and select Properties.

Then on the replication tab, add in the NEW Exchange servers "Public Folder Database".

Once you have it added, set the replication.

  1. Do you use public folders? If not, skip to the next step. If you do, you will need to replicate them to the new server; if you have just completed the step above the procedure is the same. On the Exchange 2003 server open Exchange System Manager > locate the Public Folders > if you cannot see your public folders, change the view to "View Public Folders".

Select each one of your public folders, go to its properties and add the new Exchange 2010 server as a replication partner.

Note: if mail cannot flow from 2003 to 2010 then the public folders will NEVER replicate (replication messages travel as mail), so make sure that works before expecting the folders to replicate. If mail flow between the two servers is fine, skip the fix below and carry on with changing the SMTP feed.

Mail will not flow between Exchange 2003 and Exchange 2010

This happens a lot! The quickest and simplest way to fix it, is to delete and re-create the routing group connector between the Exchange 2003 and Exchange 2010 server. Execute the following four commands in the Exchange Management Shell. (Just insert your server names).

Get-RoutingGroupConnector | Remove-RoutingGroupConnector

New-RoutingGroupConnector -Name "Exch2003-Exch2010" -SourceTransportServers "EX-2010.petenetlive.com" -TargetTransportServers "EX-2003.petenetlive.com" -Cost 100 -Bidirectional $true

Net Stop "Microsoft Exchange Transport"

Net Start "Microsoft Exchange Transport"

  1. At this point you need to change the SMTP feed from the old Exchange 2003 box to the new Exchange 2010 server. How you do this depends on your network setup; some examples of how you might do this are:

    1. Change the SMTP (TCP Port 25) Port redirect on your router/firewall address
    2. Swap IP addresses from the old to the new server.
    3. Change the translation from public to private IP address to point to the new IP.

    Note: If you have any mail scanning servers, anti spam hardware devices etc, then they will also need changing to point to the new server.

  2. Mail delivery may seem to be working fine, but to avoid potential problems it's a good idea to re-create the default receive connector and copy a working server for the correct config. Note: There are two receive connectors, one for external mail delivery and another for communication between the two servers being migrated. Only delete the external receive connector! Make sure you test inbound and outbound mail flow after doing this.

  3. Once the SMTP Feed has swapped across, inbound mail may fail and return the following error,

EX2010.domaina.com #530 5.7.1 Client was not authenticated ##

To fix that you will need to allow anonymous access on the server's default receive connector (you shouldn't need to do this if you re-created the receive connector in the previous step). Allow anonymous only on the Internet-facing connector, and don't grant it relay rights: anonymous senders need to deliver to your own domains, not relay through you to the world.

You may also find outbound mail will fail and sit on the outbound queue with the following error,

A matching connector cannot be found to route the external recipient

To fix that you will need to create a "Send Connector". Launch the Exchange 2010 Management Console > Organization Configuration > Hub Transport > Send Connectors > New Send Connector.

Give the new connector a name > Under "Select intended use for this send connector", select "Internet" > Add >Set the address space to a single asterisk > Select "Include all sub domains" > OK > Next > Enter a smart host (if you use one, or you removed it earlier) > Next > Next > New > Finish.

Then test mail flow works once again, this time through the new server.
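The three fixes above (routing group connector, anonymous inbound, Internet send connector) can all be done from the Exchange 2010 Management Shell, and doing them there makes it easy to add the check that the MMC does not give you: that the anonymous permission you just granted does not also allow relaying. The script below is an added example, not from the original article. The server names, the smart host, the test address and the receive connector name ("Default <server>", which is what setup creates) are placeholders; set $smartHost to $null if you deliver via DNS MX lookups.

```powershell
# Added example (not from the original article). Run in the Exchange 2010
# Management Shell on the new server. Placeholders below: replace them.
$ex2010    = "EX-2010"                 # new Hub Transport server (short name)
$ex2003    = "EX-2003"                 # legacy Exchange 2003 bridgehead
$smartHost = "smarthost.isp.example"   # $null = route outbound via DNS MX
$testTo    = "someone@example.net"     # an external mailbox you can check

# 1. Recreate the routing group connector if 2003 <-> 2010 mail is stuck.
Get-RoutingGroupConnector | Remove-RoutingGroupConnector -Confirm:$false
New-RoutingGroupConnector -Name "Exch2003-Exch2010" `
    -SourceTransportServers $ex2010 -TargetTransportServers $ex2003 `
    -Cost 100 -Bidirectional $true -PublicFolderReferralsEnabled $true
Restart-Service MSExchangeTransport

# 2. "530 5.7.1 Client was not authenticated": the Internet-facing receive
#    connector must accept anonymous SMTP. Leave the internal one alone.
$rc = "$ex2010\Default $ex2010"
Set-ReceiveConnector -Identity $rc -PermissionGroups AnonymousUsers,ExchangeUsers,ExchangeServers,ExchangeLegacyServers

# Anonymous must NOT hold ms-Exch-SMTP-Accept-Any-Recipient: that is an open
# relay. PermissionGroups alone never grants it, but check in case someone did.
$relay = Get-ADPermission -Identity $rc -User "NT AUTHORITY\ANONYMOUS LOGON" | Where-Object {
    -not $_.Deny -and ($_.ExtendedRights | Where-Object { "$_" -eq "ms-Exch-SMTP-Accept-Any-Recipient" })
}
if ($relay) { Write-Warning "$rc lets anonymous senders relay to any recipient; remove that right" }

# 3. "A matching connector cannot be found": outbound needs an Internet send
#    connector, via the smart host if you removed one from Exchange 2003 earlier.
$send = @{
    Name                   = "Internet"
    Usage                  = "Internet"
    AddressSpaces          = "SMTP:*;1"
    SourceTransportServers = $ex2010
}
if ($smartHost) {
    $send.SmartHosts        = $smartHost
    $send.DNSRoutingEnabled = $false
}
New-SendConnector @send

# 4. Prove it: send a test message out through the new server, then look for
#    anything left sitting in its queues.
Test-Mailflow -Identity $ex2010 -TargetEmailAddress $testTo
Get-Queue -Server $ex2010 | Where-Object { $_.MessageCount -gt 0 } |
    Format-Table Identity, Status, MessageCount, LastError -AutoSize
```

If the relay warning fires, remove the extended right with Remove-ADPermission on the same identity and user before the server goes live; a relaying Exchange box ends up on blacklists within hours.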

  1. Disable mailbox limits on the new server so that large mailboxes can be moved across. Go into Organization Configuration > Database Management, right-click on the Mailbox Database, and untick all three options on the Limits tab.

  2. Now you can start moving mailboxes from the old server to the new one. What I tend to do is move one mailbox, test mail flow outbound/inbound, then test mail flow internally from the mailbox I've just moved to a mailbox that's still on the old server. Once I've proved this works I will move the rest of the mailboxes.

To move a mailbox, open the Exchange 2010 Management Console, expand "Recipient Configuration" > select Mailbox > you should see all the mailboxes listed > right click the mailbox you want to move > select "New Local Move Request".

At the introduction screen, hit the Browse button and select your new server's database > Next > Next > New > Finish. (On the move options page set the bad item limit to 50, so that a handful of corrupted messages are skipped rather than failing the move.)

Once you have moved one and tested it, you can move the rest of the mailboxes.
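The pilot-then-everyone approach is easier to track from the shell, where each move is a move request with a status and a bad item count you can inspect. The script below is an added example, not from the original article; it covers the quota step above as well. The database name, pilot user and server name are placeholders (get the real database name from Get-MailboxDatabase), and it assumes Get-Mailbox -Server can list the mailboxes still on the Exchange 2003 server, which the 2010 shell does for legacy mailboxes in the same organisation.

```powershell
# Added example (not from the original article). Exchange 2010 Management
# Shell; placeholders below.
$db     = "Mailbox Database 0123456789"   # new 2010 database
$legacy = "EX-2003"                       # old server still holding mailboxes
$pilot  = "pilot.user"                    # one mailbox to move first

# Remove the quotas on the new database so large legacy mailboxes are accepted.
Set-MailboxDatabase -Identity $db -IssueWarningQuota Unlimited `
    -ProhibitSendQuota Unlimited -ProhibitSendReceiveQuota Unlimited

# Pilot move: up to 50 corrupt items are skipped instead of failing the move.
New-MoveRequest -Identity $pilot -TargetDatabase $db -BadItemLimit 50
do {
    Start-Sleep -Seconds 30
    $stats = Get-MoveRequestStatistics -Identity $pilot
    "{0}: {1} ({2}%)" -f $pilot, $stats.Status, $stats.PercentComplete
} while ("$($stats.Status)" -notmatch "^(Completed|Failed)")   # also catches CompletedWithWarning
if ($stats.BadItemsEncountered -gt 0) {
    Write-Warning "$pilot skipped $($stats.BadItemsEncountered) items; read the move report before continuing"
}
# Stop here and test mail inbound, outbound, and to a mailbox still on $legacy.

# Bulk: everything still on the 2003 server, tagged so you can report on it.
Get-Mailbox -Server $legacy -ResultSize Unlimited |
    New-MoveRequest -TargetDatabase $db -BadItemLimit 50 -BatchName "Wave1"
Get-MoveRequest -BatchName "Wave1" | Get-MoveRequestStatistics |
    Format-Table DisplayName, Status, PercentComplete, BadItemsEncountered -AutoSize

# Completed requests linger; clear them once you are happy, otherwise the same
# mailbox cannot be moved again later.
Get-MoveRequest -BatchName "Wave1" -MoveStatus Completed | Remove-MoveRequest -Confirm:$false
```

Keep the bad item limit deliberate: anything above 50 needs the -AcceptLargeDataLoss switch, which is Exchange's way of making you acknowledge that those items are gone for good.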

  1. Next task is to change the server responsible for generating the offline address book. On the Exchange 2010 server Exchange Management Console, Expand "Organization Configuration" > Mailbox > Select the "Offline Address Book" tab > Right click the Default Offline address book and select "Move" > Browse > Select the new server > OK > Move > Finish.

  1. The old Exchange server relies on the recipient update service, the new server does not. If you try and edit your address policy with the Exchange 2010 console you will see this error,

"The specified e-mail address policy couldn't be edited. E-mail address policies created with legacy versions of Exchange must be upgraded using the 'Set-EmailAddressPolicy' task, with the Exchange 2010 Recipient Filter specified."

Unfortunately this can not be fixed in the management console, you need to issue some powershell commands to fix it. Click Start > All Programs > Microsoft Exchange Server 2010 > Exchange Management Shell.

Issue the following command,

Get-EmailAddressPolicy | where {$_.RecipientFilterType -eq "Legacy"} | Set-EmailAddressPolicy -IncludedRecipients AllRecipients


Once executed you need to press "Y" to accept.

Note: You may have multiple recipient policies in operation, they will all need upgrading.

Note 2: If you get an error along the lines of "Mailbox manager settings cannot be managed by the current version of Exchange Management Console", see the fix linked in the original article.

  1. While we still have the "Management Shell" window open we need to update our "Address Lists" as well to do that issue the following 5 commands one by one.

    Set-AddressList "All Users" -IncludedRecipients MailboxUsers

    Set-AddressList "All Groups" -IncludedRecipients MailGroups

    Set-AddressList "All Contacts" -IncludedRecipients MailContacts

    Set-AddressList "All Contacts" –IncludedRecipients MailContacts

    Set-AddressList "Public Folders" -RecipientFilter { RecipientType -eq 'PublicFolder' }

    Set-GlobalAddressList "Default Global Address List" -RecipientFilter {(Alias -ne $null -and (ObjectClass -eq 'user' -or ObjectClass -eq 'contact' -or ObjectClass -eq 'msExchSystemMailbox' -or ObjectClass -eq 'msExchDynamicDistributionList' -or ObjectClass -eq 'group' -or ObjectClass -eq 'publicFolder'))}

Enter "Y" for yes when prompted.

  1. At this point locate the directories that hold your new Exchange databases and logs, and MAKE SURE that these folders have been excluded from your normal AV scanning. AV has a habit of quarantining Exchange log files and breaking the database; this is easy to fix when the stores won't mount, but it's not good!

Step 5 - "Transferring Certificates from Exchange 2003/2007 to Exchange 2010"

Exporting/Backing up your certificate/Private Key (to .pfx file format)

  1. Start > Run
  2. Type in MMC and click OK
  3. Go into the File Tab (or Console) > select Add/Remove Snap-in
  4. Click on Add > Click on Certificates and click on Add, then close (to close the Add Standalone Snap-in window)
  5. Click on OK (in the Add/Remove Snap-in window)
  6. Select Computer Account
  7. Select Local Computer
  8. Click the + to Expand the Certificates Console Tree
  9. Look for the Personal directory/folder and expand Certificates.
  10. Right Click on the Certificate you would like to backup and choose > ALL TASKS > Export
  11. Follow the Certificate Export Wizard to backup your certificate to a .pfx file
  12. Choose to 'Yes, export the private key'
  13. Choose to include all certificates in certificate path if possible. (do NOT select the delete Private Key option)
  14. Leave default settings > Enter Password (THIS IS required otherwise it won't export the private key)
  15. Choose to save file on a set location
  16. Finish
  17. You will receive a message > Export Successful
  18. The .pfx file backup is now saved in the location you selected.

Importing your Certificate/Private Key (from .pfx file format)

  1. Start > Run
  2. Type in MMC and click OK
  3. Go into the File Tab (or Console) > select Add/Remove Snap-in
  4. Click on Add > Click on Certificates and click on Add, then close (to close the Add Standalone Snap-in window)
  5. Click on OK (in the Add/Remove Snap-in window)
  6. Select Computer Account
  7. Select Local Computer
  8. Click the + to Expand the Certificates Console Tree
  9. Right click on the Personal Certificates Store (folder)
  10. Choose > ALL TASKS > Import
  11. Follow the Certificate Import Wizard to import your Primary Certificate from the .pfx file. When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.
  12. Close the MMC console. In the case that you are prompted, it is not necessary to save the changes made to the MMC console.

Configuring Your Site - Microsoft Exchange 2007 (the same command works on Exchange 2010)

  1. To enable the certificate use the following command, and press "A" to confirm:

    Get-ExchangeCertificate -DomainName webmail.tatiara.sa.gov.au | Enable-ExchangeCertificate -Services IIS,SMTP
    

Alternate method of importing the certificate

You can instead go into EMC > Server Config, and choose "Import Exchange Certificate" from the action panel. Then select the certificate and "Assign services to certificate" from the action panel.
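The whole export/import/enable sequence can also be done from the Exchange Management Shell, which makes it easier to verify the result and to clean up the .pfx afterwards (that file contains the private key, so it should exist for as short a time as possible). The script below is an added example, not from the original article; it is written for Exchange 2010 (on Exchange 2003 the export side has to be the MMC steps above), and the host name, file path and password prompt are placeholders.

```powershell
# Added example (not from the original article). Exchange 2010 Management
# Shell; placeholders below. The password is prompted for, never hard-coded.
$hostName = "webmail.example.com"
$pfxPath  = "D:\certs\webmail.pfx"
$pfxPass  = Read-Host "Password to protect the PFX" -AsSecureString

# --- source server: export the certificate bound to IIS for $hostName ---
$cert = Get-ExchangeCertificate | Where-Object {
    (($_.CertificateDomains | ForEach-Object { "$_" }) -contains $hostName) -and ($_.Services -match "IIS")
} | Select-Object -First 1
$export = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPass
Set-Content -Path $pfxPath -Value $export.FileData -Encoding Byte
# $pfxPath now holds the private key: move it straight to the new server and
# wipe every copy (USB stick included) once the import below is verified.

# --- new Exchange 2010 server: import, bind to IIS and SMTP, verify, clean up ---
$bytes    = [Byte[]](Get-Content -Path $pfxPath -Encoding Byte -ReadCount 0)
$imported = Import-ExchangeCertificate -FileData $bytes -Password $pfxPass
# Key stays non-exportable (the default; -PrivateKeyExportable turns that off),
# so it cannot simply be exported off the box again later.
Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services "IIS,SMTP" -Force

$check = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint
"Status: {0}  Services: {1}  Expires: {2}" -f $check.Status, $check.Services, $check.NotAfter
"Names:  {0}" -f (($check.CertificateDomains | ForEach-Object { "$_" }) -join ", ")
if ("$($check.Status)" -ne "Valid") {
    Write-Warning "Chain does not validate on this server: import the issuing CA/intermediate certificates"
}
if ($check.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "Certificate expires within 30 days" }
Remove-Item -Path $pfxPath -Force
```

The Status check matters on a freshly built server: the certificate can import fine and still show as invalid until the intermediate CA certificate is in the machine store, and clients will then warn even though the name matches.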

Step 6 - Enable Outlook Anywhere

  1. Go to Server Configuration > Client Access
  2. In the Action panel, click on "Enable Outlook Anywhere"
  3. Enter the external host name, eg mail.mundy.co
  4. Select NTLM Authentication
  5. Double-click on the owa object on the Outlook Web App tab and configure the correct external URL, eg https://mail.mundy.co/owa
  6. Use the same address internally (make sure you've got split DNS pointing that name to the new Exchange server's internal IP address)
  7. Do the same for all tabs except for POP3 and IMAP

Step 7 - Avoid security warning when starting Outlook 2007

  1. Start the Exchange Management Shell.
  2. Modify the Autodiscover URL in the Service Connection Point. The Service Connection Point is stored in the Active Directory directory service. To modify this URL, type the following command, and then press ENTER:

    Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml
    
  3. Modify the InternalUrl attribute of the EWS. To do this, type the following command, and then press ENTER:

    Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx
    
  4. Modify the InternalUrl attribute for Web-based Offline Address Book distribution. To do this, type the following command, and then press ENTER:

    Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab
    
  5. Open IIS Manager.

  6. Expand the local computer, and then expand Application Pools.
  7. Right-click MSExchangeAutodiscoverAppPool, and then click Recycle.

Important: these steps assume that a host record exists in DNS to map the FQDN that you specify to the IP address of the CAS server. For example, consider the following scenario:

  • The original internal URLs for the Exchange components point to the internal FQDN of the server. For example, one of these URLs points to the following: https://ServerName.contoso.com/ews/exchange.asmx
  • The FQDN that is specified on the certificate points to the externally accessed host name of the server. For example, the certificate specifies an FQDN, such as "mail.contoso.com."

In this scenario, you must add a host record for the mail host name that is mapped to the internally accessed IP address of the CAS server to let internal clients access the server.

Examples

Set-WebServicesVirtualDirectory -Identity "CaramelEX01\EWS (Default Web Site)" -InternalUrl https://gateway.caramel.com.au/ews/exchange.asmx

Set-ClientAccessServer -Identity CaramelEx01 -AutodiscoverServiceInternalUri https://gateway.caramel.com.au/autodiscover/autodiscover.xml

Set-OABVirtualDirectory -Identity "CaramelEx01\oab (Default Web Site)" -InternalUrl https://gateway.caramel.com.au/oab
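Steps 6 and 7 amount to "give every client-facing URL the one name that is on the certificate", and the warning in Outlook appears whenever a single URL still hands out a name that is not. The script below is an added example, not from the original article: it sets all the URLs in one pass, recycles the Autodiscover application pool, then collects every host name the server now advertises and checks each one against the names on the certificate bound to IIS. $cas and $fqdn are placeholders, and it assumes the split-DNS A record for $fqdn already points at the CAS internally.

```powershell
# Added example (not from the original article). Exchange 2010 Management
# Shell on the Client Access server; placeholders below.
$cas  = "EX-2010"
$fqdn = "mail.example.com"

# Outlook Anywhere with NTLM: enable if it is not on yet, otherwise update.
if (Get-OutlookAnywhere -Server $cas -ErrorAction SilentlyContinue) {
    Set-OutlookAnywhere -Identity "$cas\Rpc (Default Web Site)" -ExternalHostname $fqdn -ClientAuthenticationMethod Ntlm
} else {
    Enable-OutlookAnywhere -Server $cas -ExternalHostname $fqdn -ClientAuthenticationMethod Ntlm -SSLOffloading $false
}

# Same URL inside and out for everything clients are pointed at.
Set-ClientAccessServer -Identity $cas -AutoDiscoverServiceInternalUri "https://$fqdn/autodiscover/autodiscover.xml"
Set-WebServicesVirtualDirectory -Identity "$cas\EWS (Default Web Site)" -InternalUrl "https://$fqdn/ews/exchange.asmx" -ExternalUrl "https://$fqdn/ews/exchange.asmx"
Set-OabVirtualDirectory -Identity "$cas\OAB (Default Web Site)" -InternalUrl "https://$fqdn/oab" -ExternalUrl "https://$fqdn/oab"
Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" -InternalUrl "https://$fqdn/owa" -ExternalUrl "https://$fqdn/owa"
Set-EcpVirtualDirectory -Identity "$cas\ecp (Default Web Site)" -InternalUrl "https://$fqdn/ecp" -ExternalUrl "https://$fqdn/ecp"
Set-ActiveSyncVirtualDirectory -Identity "$cas\Microsoft-Server-ActiveSync (Default Web Site)" -InternalUrl "https://$fqdn/Microsoft-Server-ActiveSync" -ExternalUrl "https://$fqdn/Microsoft-Server-ActiveSync"

# Autodiscover reads the SCP when its app pool starts: recycle it.
Import-Module WebAdministration
Restart-WebAppPool -Name MSExchangeAutodiscoverAppPool

# Verify: every host name now advertised must be covered by the IIS certificate.
$urls = @((Get-ClientAccessServer -Identity $cas).AutoDiscoverServiceInternalUri)
$vdirs = @(Get-WebServicesVirtualDirectory -Server $cas) + @(Get-OabVirtualDirectory -Server $cas) +
         @(Get-OwaVirtualDirectory -Server $cas) + @(Get-EcpVirtualDirectory -Server $cas) +
         @(Get-ActiveSyncVirtualDirectory -Server $cas)
foreach ($vd in $vdirs) { $urls += $vd.InternalUrl, $vd.ExternalUrl }
$urls += "https://" + (Get-OutlookAnywhere -Server $cas).ExternalHostname + "/rpc"

$hosts   = $urls | Where-Object { $_ } | ForEach-Object { ([Uri]"$_").Host } | Sort-Object -Unique
$iisCert = Get-ExchangeCertificate -Server $cas | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
$names   = $iisCert.CertificateDomains | ForEach-Object { "$_" }    # wildcard entries work with -like
foreach ($h in $hosts) {
    $ok = $names | Where-Object { $h -like $_ }
    $state = if ($ok) { "on certificate" } else { "NOT ON CERTIFICATE -> clients will warn" }
    "{0,-40} {1}" -f $h, $state
}
```

If a line still shows the server's internal FQDN, that virtual directory was missed; Outlook only needs one such URL to throw the name mismatch prompt.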

Step 8 - Autodiscover and DNS SRV records

To use the DNS SRV lookup method to locate the Exchange 2007 (or 2010) Autodiscover service, follow these steps.

Note: You must create the Autodiscover SRV record in the external DNS zone that matches the right side of your users' SMTP addresses. For example, if a user's primary SMTP address ends in @contoso.com, the record must be created in the contoso.com external DNS zone. If you have multiple primary SMTP address domains in your organization, you must create an Autodiscover SRV record in each zone.

  1. In your external DNS zone, remove any HOST (A) or CNAME records for the Autodiscover service.
  2. Use the following parameters to create a new SRV record:
     Service: _autodiscover
     Protocol: _tcp
     Priority: 0
     Weight: 0
     Port Number: 443
     Host: mail.contoso.com

Note: For more information about how to create this record, see the "About SRV records" section.

Note: In this example, mail.contoso.com is a name for which your certificate is valid. Usually, this is the same DNS name that you use for Outlook Anywhere and for Outlook Web Access.

In this example, the Autodiscover service does the following when the client tries to contact the Autodiscover service:

  1. Autodiscover posts to https://contoso.com/Autodiscover/Autodiscover.xml. This fails.
  2. Autodiscover posts to https://autodiscover.contoso.com/Autodiscover/Autodiscover.xml. This fails.
  3. Autodiscover performs the following redirect check:

GET http://autodiscover.contoso.com/Autodiscover/Autodiscover.xml

This fails.

  1. Autodiscover uses DNS SRV lookup for _autodiscover._tcp.contoso.com, and then "mail.contoso.com" is returned.
  2. Outlook asks permission from the user to continue with Autodiscover to post to https://mail.contoso.com/autodiscover/autodiscover.xml.
  3. Autodiscover's POST request is successfully posted to https://mail.contoso.com/autodiscover/autodiscover.xml.

About SRV records

If you are using Windows DNS, the steps to create an SRV Record are as follows:

  1. Open the DNS Management MMC snap-in.
  2. Expand Forward Lookup Zones.
  3. Locate and right-click the external DNS zone, and then click Other New Records.
  4. Click Service Location (SRV).
  5. Enter the parameters by using the required values.
  6. Click OK.

Note: Depending on your DNS solution, you may be unable to implement SRV records. Contact your DNS hosting provider or your DNS administrator for guidance.

Step 9 - "Do Nothing"

Seriously, now you need to wait, before you can proceed all the public folders need to have replicated to the new server, in some cases this can take days, as a general rule of thumb, at this point I would wait 1 week before proceeding to decommission the Exchange 2003 server, this allows for both public folder replication, and any head slapping "Doh! we forgot to {insert random forgotten thing here}".

Also in this time, any clients running Outlook (Pre 2007) can log in, and will get their Outlook profile automatically updated to point to the migrated mailbox on the new Exchange 2010 server.

Step 10 - "Decommission and remove Exchange 2003"

  1. Let's check our public folders; this one is in sync.

Then switch to System Folders (change the view as in the free/busy step above). If you see the status as "Local Modified" or "Remote Modified" then check the item count on the folders to make sure they have the same item count (select the Status column).

  1. Once you are happy you can remove the replica that is on the Exchange 2003, > Properties > Replication > Select the 2003 Server > Remove > Apply.

  1. Repeat the above procedure for all the public folders you have set to replicate to the new server. Note: the original article links a quicker method if you have a lot to do.

  2. Remember when you installed Exchange 2010 it created a new administrative group in your Exchange 2003 organisation? (The FYDIBOHF23SPDLT one). It did this to connect to the existing organisation, and it created some routing group connectors, you now need to remove them.

  1. Even though Exchange 2010 does not use the recipient update service, you need to tell Exchange 2003 that it does, because you can't remove Exchange 2003 from a server that thinks it is providing Recipient Update Services. Launch the "Exchange System Manager" > Expand recipients > Select Recipient Update Services > Right click each one and change the server name to the new Exchange 2010 server. Do this for EVERY policy.

Note: With Exchange 2010 (post SP1) This May Not Work!

So that you can gracefully remove Exchange 2003, the Recipient Update Services need to be removed first. If you cannot gracefully remove them (as above), then you will need to remove them manually from Active Directory. To do this run ADSIEdit.msc (on Server 2003 you will need the Support Tools installed first). Then navigate to:

Configuration > CN=Configuration,DC={domain},DC={tld} > CN=Services > CN=Microsoft Exchange > CN={Exchange organization name} > CN=Address Lists Container > CN=Recipient Update Services

Then delete the entries in the right hand window.

  1. Have a quick common sense check! Are you sure everything is OUT of your Exchange 2003 Databases? If so, delete your stores from Exchange 2003 > you will need to dismount them first > Repeat for all private databases.

  1. Finally you can now go to "Add or Remove Programs" and remove Exchange 2003. (Change the action type to "Remove"). Note: You may be asked to insert the Exchange 2003 install media.

When done reboot the server.
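The order in Step 10 matters because Exchange will not let you uninstall 2003 while anything still depends on it, and the things it checks (mailboxes, public folder replicas, connectors, OAB generation) are all visible from the 2010 shell. The script below is an added example, not from the original article: it lists what is still on the old server, checks that every public folder (system folders included) has a replica on the new database, and only then removes the 2003 replicas using Microsoft's RemoveReplicaFromPFRecursive.ps1 from the Exchange 2010 Scripts folder, moves OAB generation, and drops the routing group connectors. Server names are placeholders.

```powershell
# Added example (not from the original article). Exchange 2010 Management
# Shell; placeholders below. Sections 1-2 only read.
$old = "EX-2003"
$new = "EX-2010"

# 1. Anything still in the 2003 stores? Mailboxes first.
$left = @(Get-Mailbox -Server $old -ResultSize Unlimited)
"Mailboxes still on {0}: {1}" -f $old, $left.Count
$left | Format-Table Name, Database -AutoSize

# 2. Public folders, including NON_IPM_SUBTREE (free/busy lives there): every
#    folder must have the new database as a replica. Item counts shown here are
#    the 2010 side; compare with Exchange System Manager on the 2003 side.
$newPf   = (Get-PublicFolderDatabase -Server $new).Name
$folders = @(Get-PublicFolder "\" -Recurse -ResultSize Unlimited) +
           @(Get-PublicFolder "\NON_IPM_SUBTREE" -Recurse -ResultSize Unlimited) |
           Where-Object { "$($_.Identity)" -notmatch '^\\(NON_IPM_SUBTREE)?$' }   # skip the two roots
$missing = 0
foreach ($f in $folders) {
    $replicas = @($f.Replicas | ForEach-Object { "$_" })
    $onNew    = @($replicas | Where-Object { $_ -like "*$newPf*" }).Count -gt 0
    if (-not $onNew) { $missing++ }
    $count = (Get-PublicFolderStatistics -Identity $f.Identity -Server $new -ErrorAction SilentlyContinue).ItemCount
    $state = if ($onNew) { "ok" } else { "MISSING replica on $new" }
    "{0,-50} items={1,-6} {2}" -f $f.Identity, $count, $state
}

if ($left.Count -gt 0 -or $missing -gt 0) {
    Write-Warning "$($left.Count) mailboxes and $missing folders still depend on $old; stop here"
    return
}

# 3. Remove the 2003 replica from every folder in one go (the 'quick method').
#    Exchange backfills before dropping a replica, but let replication finish
#    and re-run section 2 before uninstalling.
& "$exscripts\RemoveReplicaFromPFRecursive.ps1" -Server $new -TopPublicFolder "\" -ServerToRemove $old
& "$exscripts\RemoveReplicaFromPFRecursive.ps1" -Server $new -TopPublicFolder "\NON_IPM_SUBTREE" -ServerToRemove $old

# 4. OAB generation must not be on the old server, and the routing group
#    connectors setup created are no longer needed once nothing lives on 2003.
Get-OfflineAddressBook | Where-Object { "$($_.Server)" -notlike "*$new*" } | Move-OfflineAddressBook -Server $new -Confirm:$false
Get-RoutingGroupConnector | Remove-RoutingGroupConnector -Confirm:$false
```

Run the first two sections again a day after section 3; a replica that still shows on the 2003 side at that point is content that has not finished replicating, not a display glitch, and uninstalling before it clears loses it.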

Step 11 - "Finish up"

  1. Now you may need to change your backups to include the new databases. Your backup software may require you to install the Microsoft Exchange Server MAPI Client and Collaboration Data Objects before you install the backup agents (ARCserve and Symantec Backup Exec, for example); download them from Microsoft.

  2. If you have any links to "Outlook Web Access" (i.e. on your public website or in SharePoint), they will need the URLs changing from https://server/exchange to https://server/owa

  1. Be aware: some AV software (McAfee for example) likes to block TCP port 25 (SMTP). This is not good on an Exchange server! Don't forget to disable this feature or you may have mail flow issues.

  1. You may get some support calls like "internal user A cannot send an email to internal user B". If that happens check that they are NOT using the automatically remembered email facility in Outlook, which stores previously typed addresses in a local file called an NK2 file (or nicknames file). For internal recipients it stores X.500 directory paths rather than SMTP addresses.

Those paths no longer exist, so get them to pick the name from the "Global Address List" instead, or if they are really persistent you can add a line to the login script that deletes the .nk2 file.


Transferring FSMO Roles

Written by Daniel Mundy on Tuesday, 03 April 2012 12:56.

To find out which domain controllers hold each role, run the following command:

C:\> netdom query fsmo

Schema owner NS1.test.dom
Domain role owner NS1.test.dom
PDC role NS1.test.dom
RID pool manager NS1.test.dom
Infrastructure owner NS1.test.dom

Now we'll transfer the roles using NTDSUTIL (you connect to the target server - the one that will hold the roles after the transfer):

C:\> ntdsutil

ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server NS2
Binding to NS2 ...
Connected to NS2 using credentials of locally logged on user.
server connections: quit
fsmo maintenance: transfer schema master
fsmo maintenance: transfer naming master
fsmo maintenance: transfer rid master
fsmo maintenance: transfer infrastructure master
fsmo maintenance: transfer pdc

Note: for the "domain naming master", you may have to type "transfer naming master" only (without "domain") if running the command on a W2K8 DC.

Now exit NTDSUTIL and confirm the roles have moved:

fsmo maintenance: quit
ntdsutil: quit

Disconnecting from NS2...

C:\> netdom query fsmo

Schema owner NS2.test.dom
Domain role owner NS2.test.dom
PDC role NS2.test.dom
RID pool manager NS2.test.dom
Infrastructure owner NS2.test.dom
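On a Windows Server 2008 R2 domain controller (or a machine with RSAT) the same transfer is one cmdlet from the Active Directory module, and the before/after check can be scripted instead of eyeballed. The block below is an added example, not from the original post, using the NS2 target from the text. It transfers rather than seizes: Move-ADDirectoryServerOperationMasterRole only seizes when given -Force, and that is reserved for a holder that is permanently dead, because a seized role's old holder must never come back on the network.

```powershell
# Added example (not from the original post). Transferring the schema and
# naming masters needs Schema Admins / Enterprise Admins; the other three
# need Domain Admins.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest-wide roles are on the forest object, domain roles on the domain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    New-Object PSObject -Property @{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

$target = "NS2"
"Before:"
Get-FsmoHolders | Format-List

# Transfer (not seize): the current holder hands each role over cleanly.
# Only add -Force when the current holder is gone for good.
Move-ADDirectoryServerOperationMasterRole -Identity $target `
    -OperationMasterRole SchemaMaster,DomainNamingMaster,PDCEmulator,RIDMaster,InfrastructureMaster `
    -Confirm:$false

"After:"
$after = Get-FsmoHolders
$after | Format-List

# Holders come back as FQDNs (NS2.test.dom); anything not on $target is a failed transfer.
$notMoved = $after.PSObject.Properties | Where-Object { "$($_.Value)" -notlike "$target.*" }
if ($notMoved) {
    Write-Warning ("Still elsewhere: " + (($notMoved | ForEach-Object { $_.Name }) -join ", "))
}
```

If only the schema master refuses to move, the account is usually missing Schema Admins; the cmdlet reports access denied rather than a role name, so the after-check is what tells you which one failed.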

Clearing Configs on Cisco Routers and Switches

Written by Daniel Mundy on Monday, 19 March 2012 14:03.

The following command is used to clear the config on a Cisco router or Catalyst switch:

erase startup-config

For switches such as the Catalyst 2950, you should also delete the VLAN.DAT file before reloading the switch. This file contains VLAN information and is kept in flash, so it will still be present after a reload.

delete flash:/vlan.dat

Source: thebryantadvantage.com


VLANs in Cisco 877

Written by Daniel Mundy on Tuesday, 14 February 2012 17:43.

Here's how to configure a Cisco 877 with a second VLAN for guest access. The guests should be allowed access to the Internet but not the private LAN; however, we have the option to open up some resources on the private LAN which they can access.

Note: You'll need the Advanced IP Services firmware for this. The Advanced Security firmware only allows a single VLAN.

For this example we'll assume the private LAN is 192.168.1.0 attached to fa0 and the guests are 192.168.2.0 on fa1. Remember that each VLAN must be on a different subnet.

First, check if there are any existing VLANs:

show vlan-switch brief

Now create a new VLAN:

conf t
vlan 2
  name Guests VLAN
int fa1
  switchport access vlan 2
  no shut
! fa1 is a Layer 2 switchport on the 877, so the IP address goes on the VLAN interface (SVI)
int vlan 2
  ip address 192.168.2.254 255.255.255.0
  no shut
! add the guest subnet to the NAT ACL so guests can reach the Internet
ip access-list extended nat-candidates
  permit ip 192.168.2.0 0.0.0.255 any

We've just put the two switchports on separate VLANs. The PCs on the guest VLAN can access the internet, which is good, but they can also access any device on the private VLAN, which is bad.

We can fix it by creating an ACL for the guest VLAN. The following ACL denies all IP traffic from the guest VLAN to the private VLAN:

ip access-list extended out-from-vlan2
  deny ip any 192.168.1.0 0.0.0.255
  permit ip any any
int vlan2
  ip access-group out-from-vlan2 in

Now if you want to allow access from the guest VLAN to a single IP address on your private VLAN (for example 192.168.1.10) you could add another line to your ACL, above the deny:

ip access-list extended out-from-vlan2
  5 permit ip any host 192.168.1.10
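To see why the exception has to carry a sequence number lower than the deny, here is a small first-match evaluator for the out-from-vlan2 ACL above. It is an added example, not part of the original post; the ACL tuples and the IOS default numbering (10, 20, ...) are reconstructed from the config shown.

```python
# Added example (not from the original post): first-match evaluation of the
# out-from-vlan2 ACL, with IOS wildcard masks and sequence-number ordering.
import ipaddress

def matches(addr: str, spec: str) -> bool:
    """Match an IPv4 address against an ACL source/destination spec.

    spec is 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z' (address plus wildcard mask).
    """
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    net = int(ipaddress.IPv4Address(parts[0]))
    wild = int(ipaddress.IPv4Address(parts[1]))
    # A wildcard bit of 1 means "don't care"; the 0 bits must match exactly.
    return (int(ipaddress.IPv4Address(addr)) & ~wild) == (net & ~wild)

def evaluate(acl, src: str, dst: str) -> str:
    """Return 'permit' or 'deny' using IOS first-match order by sequence number.

    Entries are (seq, action, src_spec, dst_spec); the implicit deny ends the list.
    """
    for _seq, action, src_spec, dst_spec in sorted(acl, key=lambda e: e[0]):
        if matches(src, src_spec) and matches(dst, dst_spec):
            return action
    return "deny"

# Constructed from the post's config, using the default sequence numbers.
OUT_FROM_VLAN2 = [
    (10, "deny", "any", "192.168.1.0 0.0.0.255"),
    (20, "permit", "any", "any"),
]
# The exception as the post adds it: seq 5 sorts before the deny at seq 10.
WITH_EXCEPTION = OUT_FROM_VLAN2 + [(5, "permit", "any", "host 192.168.1.10")]
# The same line appended without a sequence number lands after the deny and never matches.
LATE_EXCEPTION = OUT_FROM_VLAN2 + [(30, "permit", "any", "host 192.168.1.10")]
```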

Create a list of users logon scripts

Written by Daniel Mundy on Thursday, 09 February 2012 08:19.

This script creates a list of all AD users with a logon script and outputs to a CSV file.

Call the script like this: cscript list-logon-scripts.vbs > logon-scripts.csv

Option Explicit

Dim adoCommand, adoConnection, strBase, strFilter, strAttributes
Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strName, strScript

' Set up ADO objects.
Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search the entire Active Directory domain.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on user objects that actually have a logon script set.
strFilter = "(&(objectCategory=person)(objectClass=user)(scriptPath=*))"

' Comma-delimited list of attribute values to retrieve.
strAttributes = "sAMAccountName,scriptPath"

' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset, one CSV line per user.
Do Until adoRecordset.EOF
    strName = adoRecordset.Fields("sAMAccountName").Value
    strScript = adoRecordset.Fields("scriptPath").Value
    Wscript.Echo strName & "," & strScript
    adoRecordset.MoveNext
Loop

' Clean up.
adoRecordset.Close
adoConnection.Close
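Once you have the CSV, the values worth a second look are the ones that do not point at the domain's NETLOGON (or SYSVOL) share, since whatever a scriptPath points at runs as that user at every logon. This is an added example, not part of the original post: a Python audit of the CSV the script above emits, with a constructed sample file.

```python
# Added example (not from the original post): flag scriptPath values from
# logon-scripts.csv that resolve outside NETLOGON/SYSVOL or escape it.
import csv
import io

def audit_logon_scripts(csv_text: str) -> dict:
    """Return {sAMAccountName: reason} for scriptPath values that deserve review."""
    findings = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 2:
            continue
        user, path = row[0].strip(), row[1].strip()
        if not path:
            continue                      # no logon script at all
        if path.startswith("\\\\"):
            # UNC path: \\server\share\...; only NETLOGON and SYSVOL are expected here
            parts = path.lstrip("\\").split("\\")
            share = parts[1].lower() if len(parts) > 1 else ""
            if share not in ("netlogon", "sysvol"):
                findings[user] = "UNC path outside NETLOGON/SYSVOL: " + path
        elif len(path) > 1 and path[1] == ":":
            findings[user] = "local drive path: " + path
        elif ".." in path:
            findings[user] = "relative path escapes NETLOGON: " + path
    return findings

# Constructed sample in the exact shape the VBScript emits (sAMAccountName,scriptPath).
SAMPLE = """\
alice,logon.bat
bob,
carol,\\\\ad.mydom.com\\netlogon\\sales\\logon.vbs
dave,\\\\fileserver01\\public\\update.vbs
erin,..\\..\\scripts\\x.cmd
frank,C:\\temp\\run.cmd
"""
```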

The DHCP Server service depends on the following nonexistent service: EventSystem

Written by Daniel Mundy on Wednesday, 08 February 2012 08:51.

Event Type:     Error
Event Source:       Service Control Manager
Event Category: None
Event ID:           7003
Date:           30/11/2011
Time:           1:57:57 PM
User:           N/A
Computer:       COMPUTERNAME
Description:
The DHCP Server service depends on the following nonexistent service: EventSystem

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Fix: Run "regsvr32 es.dll" and then restart the computer. (Source: MSKB 961938)

Here is another fix that I didn't try: http://smallvoid.com/article/winnt-com-event-system-config.html


Running an FTP server behind a Cisco router with NAT

Written by Daniel Mundy on Tuesday, 07 February 2012 13:35.

FTP servers operate in either Active or Passive mode.

Active mode FTP uses port 21 for control and port 20 for data; because the server opens the data connection back to the client, it doesn't work through NAT.

Passive mode FTP works with NAT and also uses port 21 for control. For the data connection it traditionally picks a random port between 1024 and 35535. Instead of allowing ports 1024-35535 through your firewall, you can configure a custom range for the data ports and open only that range.

First, you'll need to configure your FTP server to use a custom port range:

  1. FileZilla FTP Server
  2. IIS
  3. IIS 7 in Server 2008 R2

Now you'll need to forward the ports on the Cisco and allow them in your ACL:

ip nat inside source static tcp 192.168.1.4 21 interface Dialer0 21
ip nat inside source static tcp 192.168.1.4 5500 interface Dialer0 5500
ip nat inside source static tcp 192.168.1.4 5501 interface Dialer0 5501
ip nat inside source static tcp 192.168.1.4 5502 interface Dialer0 5502
ip nat inside source static tcp 192.168.1.4 5503 interface Dialer0 5503
ip nat inside source static tcp 192.168.1.4 5504 interface Dialer0 5504
ip nat inside source static tcp 192.168.1.4 5505 interface Dialer0 5505

ip access-list extended in-from-world
permit tcp any any eq ftp
permit tcp any any range 5500 5505

The final step is to make sure that FTP packet inspection isn't enabled on the Cisco, e.g.:

cisco#sh run | i inspect
ip inspect name out-to-world icmp router-traffic
ip inspect name out-to-world tcp router-traffic
ip inspect name out-to-world udp router-traffic
ip inspect name out-to-world dns
ip inspect name out-to-world ftp
ip inspect name out-to-world sip
 ip inspect out-to-world out
cisco#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
cisco(config)#no ip inspect name out-to-world ftp

Configure FileZilla FTP Server

Download and install FileZilla FTP Server.

  1. Go to Edit, Settings
  2. If something else is already using port 21, then configure FileZilla to use a different port (eg. 2121)
  3. Go to Passive Mode Settings
  4. Tick Use custom port range and enter the custom data port range (eg. 5500-5505)
  5. If you have a static IP address, enter it in Use the following IP. If you have a dynamic IP address, you can use the option Retrieve external IP address from (note: this URL must return a page containing just the IP address).

Configure IIS

There will be a different way of changing the data ports depending on which version of IIS that you're using. See this article for more info: Limiting Passive FTP Port Range on IIS 7.6 / IIS 6.0 / IIS 5.0

Configure IIS 7 in Server 2008 R2

In IIS Manager, click on the server object and then open FTP Firewall Support.

[Screenshot: FTP Firewall Support icon]

Enter the data channel port range. Make sure you put your router's public IP address in the "External IP Address of Firewall" field.

[Screenshot: FTP data channel port range]

If you find the Data Channel Port Range box is greyed out, click on the server node above [Application Pools], then open the FTP Firewall Support tool.

Then just restart the Microsoft FTP Service.

[Screenshot: Restart the service]


Use a Cisco Router as a DNS Server

Written by Daniel Mundy on Friday, 03 February 2012 08:53.

If you have a remote site that requires AD / Exchange connectivity there are three options for DNS:

  1. Use the head office as the only DNS server
    • Pro: Can resolve mail.mydomain.com.au
    • Con: No internet connectivity if the link to head office goes down.
  2. Use the head office as the primary DNS server and a third party as a secondary DNS server
    • Pro: Remote site still has internet connectivity even if the link to head office goes down
    • Con: May learn the external address for mail.mydomain.com.au instead of the internal address
  3. Use the Cisco as a DNS server, forwarding queries to a third party
    • Pro: Can always resolve internet addresses even if the link to head office goes down, but will always resolve domain resources to their local address
    • Con: More manual setup

Everything following in this article deals with option 3.

Basic config to use Cisco as DNS Server

ip name-server 208.67.220.220 208.67.222.222
ip domain-lookup
ip dns server
ip host mail.mydomain.com.au 192.168.1.1

There's some more info here

Adding records to support domain connectivity

Disclaimer: I haven't actually tried this in production yet.

It's possible to add the records to support domain connectivity. Quickly looking through the article, I think that all I'd need is to add the following records on the Cisco at the branch office:

dc1.ad.mydom.com. A 4.2.2.3

Host record for the domain controller.

_ldap._tcp.ad.mydom.com. SRV 0 0 389 dc1.ad.mydom.com.

Allows a client to find an LDAP server in the ad.mydom.com domain to submit queries to in order to find objects in the Active Directory. All Windows NT domain controllers in the ad.mydom.com domain will register this name.

_kerberos._tcp.ad.mydom.com. SRV 0 0 88 dc1.ad.mydom.com.

Allows a client to locate a Kerberos KDC for the domain (used for authentication and resource access). All domain controllers running the Kerberos KDC service in the ad.mydom.com domain will register this name.

_ldap._tcp.dc._msdcs.ad.mydom.com. SRV 0 0 389 dc1.ad.mydom.com.

Allows a client to find a domain controller in the ad.mydom.com domain. All Windows NT domain controllers in ad.mydom.com will register this name.

_kerberos._tcp.dc._msdcs.ad.mydom.com. SRV 0 0 88 dc1.ad.mydom.com.

Allows a client to find a domain controller running a Kerberos KDC for the domain named ad.mydom.com. All Windows NT domain controllers running the Kerberos service in the ad.mydom.com domain will register this name.

gc._msdcs.ad.mydom.com SRV 0 0 3268 dc1.ad.mydom.com.

Allows a client to find any global catalog server in the Active Directory forest via a normal A record lookup. Global catalogs in the forest will register this record.


Shairport

Written by Daniel Mundy on Wednesday, 07 December 2011 14:13.

The Airport Express was reverse engineered to make a program called Shairport. This lets you stream music from a Mac or iOS device to a PC running Shairport.

Linux

Download the tar.gz, extract it and read the INSTALL.md file for instructions: there is an apt-get command to run, then you run make. You can just run ./shairport.pl and it will work. I didn't need to install the Perl modules; I guess Ubuntu already has them.

Windows

There's a Windows port called shairport4w