The Master Upgrade Guide from Technet

http://technet.microsoft.com/en-us/library/cc731188(WS.10).aspx

Few Others Upgrade Overview

http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2010/05/26/transitioning-your-active-directory-to-windows-server-2008-r2.aspx

http://blogs.technet.com/b/askds/archive/2008/11/11/so-you-want-to-upgrade-to-windows-2008-domain-controllers-adprep.aspx

Firewall Ports Required

http://support.microsoft.com/kb/179442

http://support.microsoft.com/kb/832017/

Schema Stuff

http://technet.microsoft.com/en-us/library/testing-for-active-directory-schema-extension-conflicts(WS.10).aspx

http://blogs.technet.com/b/askds/archive/2010/04/16/friday-mail-sack-i-live-again-edition.aspx

“Search for Is there a way to isolate a DC in order to do an AD Schema upgrade?” for the support policy on doing this.

Preparing For The Worst (Yikes!)

http://technet.microsoft.com/en-us/library/planning-active-directory-forest-recovery(WS.10).aspx

Installing AD on separate volumes for performance (You want to make sure you have enough RAM to load the entire DB)

http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2007/02/09/active-directory-on-separate-volumes.aspx

Running ADPrep (Gives you the ADSIEdit.mmc way to confirm /SchemaPrep /DomainPrep /RODCPrep)

http://technet.microsoft.com/en-us/library/dd464018(WS.10).aspx

Common mistakes when upgrading from 2000 to 2003 (still some are relevant)

http://support.microsoft.com/kb/555040

Setting NTP server on the new PDC Master (Don’t forget this step)

http://blogs.dirteam.com/blogs/paulbergson/archive/2010/05/18/moving-the-ntp-service-to-a-new-pdce.aspx

Putting a DC in a VM?

http://blogs.technet.com/b/askds/archive/2010/06/10/how-to-virtualize-active-directory-domain-controllers-part-1.aspx

http://blogs.technet.com/b/askds/archive/2010/06/15/how-to-virtualize-active-directory-domain-controllers-part-2.aspx

Verifying SRV DNS Records

http://support.microsoft.com/default.aspx?scid=kb;en-us;816587
Transferring FSMO Roles via Powershell

http://msmvps.com/blogs/ad/archive/2010/08/10/using-powershell-to-transfer-fsmo-roles.aspx

http://support.microsoft.com/kb/841290

DSQuery * -Filter “(&(sAMAccountType=805306368)(scriptPath=yourscriptnamehere))”  -Attr samAccountName -L -Limit 0

http://support.microsoft.com/kb/2252421

It’s a very good detailed write up which clears up what people generally get held up on. Usually you load up the ADM template for Outlook, specify the path to your import file, fire up Outlook and nothing in the safe senders list. You then scratch head, run a gpupdate.exe /force and try again, still nothing. The trick is one of these registry keys that is not in this policy has to be set to tell Outlook to indeed yes please load this list up.

Key: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\1x.0\Outlook\Mail

Key: HKEY_CURRENT_USER\Software\Microsoft\Office\1x.0\Outlook\Mail

DWORD: JunkMailImportLists
Value: 1

Version 11.0 is 2003, 12.0 is 2007 and 14.0 is 2010.

Ok so how do we push this key out to the environment? In the KB it lists out a few choices you can use such as, Group Policy, LoginScript, and Outlook Customization tool. In the KB they actually give you the new ADM file to upload to your domain controller to push out this new key. Those guys thought of everything! Since it is using this key, HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\1x.0\Outlook\Mail your Outlook client will always re-import the list. What if though your list doesn’t change that much, maybe once every 6 months or even longer. Every time you launch Outlook you are going to get an RPC call across the network to check this list, see that there is no new to update and continue to load. Why do you want your clients to make this unnecessary RPC call when you KNOW there is nothing new. Granted if we are FORCING what will always be in this list then yes we’d want Outlook to check on each launch and add the appropriate users or domains to the list. But if you are just adding some “suggested” safe senders and if people choose to remove them well then that is ok too. If that is the case why don’t we have Outlook only check the list when we KNOW there is a new update for them. To do that we use the HKEY_CURRENT_USER\Software\Microsoft\Office\1x.0\Outlook\Mail

Once Outlook loads, it will set this value from 1 back to 0 and no longer check the list. Sounds exactly like we may want to do, now how do we roll this out? First we could use Group Policy using a custom ADM template like above to flip this key. However this isn’t really what we want as every time the policy refreshes, it will set they key back to 1 then check the list again on next launch. This is better than the other key but really, not that much better. Solution: enter the loginscript.

The way I went about solving this problem was to read/write a registry key to check the value, if the value you have matches what’s in the script then we don’t need to import our new list. If it doesn’t match, change the HKEY_CURRENT_USER\Software\Microsoft\Office\1x.0\Outlook\Mail back to 1 so when the user launches Outlook it will indeed re-import the new list. Also since you are checking a PER USER setting, you need to get the SID of the user so you can store your custom key in the correct location. This is needed especially if you have a machine shared by multiple people. The example below is for Outlook 2007.

Function SafeSenders()

On error resume next
‘needed for first run if no regkey exists, will through an error, need script to continue to run

Dim ojbFSO, shell, serialnumber, scriptrun

Set ObjFSO = CreateObject(“Scripting.FileSystemObject”)
set shell =CreateObject(“wscript.shell”)

Set oWshNetwork = CreateObject(“WScript.Network”)

‘Getting Sid
Set oUserAccount = GetObject(“winmgmts://./root/cimv2″) _
.Get(“Win32_UserAccount.Domain=’” & oWshNetwork.UserDomain & “‘” _
& “,Name=’” & oWshNetwork.UserName & “‘”)

sUserSID = oUserAccount.SID
‘Debug
‘msgbox sUserSID

reglocation = “HKEY_USERS\” & sUserSID & “\YOUR CUSTOM KEY\SafeSenders”

‘Debug
‘Msgbox reglocation

‘Current Version
serialnumber = “whateveryouwant”

‘Registry Key Location
scriptrun = shell.regread(reglocation)

‘Debug
‘Msgbox ScriptRun

if scriptrun = serialnumber Then
‘Current Version already run on machine, nothing left to do in this function
‘Debug
‘Msgbox “Script already ran, exiting function”
Exit Function

End if

shell.RegWrite “HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Outlook\Options\Mail\JunkMailImportLists”,”1″, “REG_DWORD”

shell.RegWrite reglocation,serialnumber, “REG_SZ”
‘Script completed, updating registry
‘Debug
‘msgbox sUserSID

End Function

http://msexchangeteam.com/archive/2006/02/22/420275.aspx

In Exchange 2007/2010 the resources are now actually special mailbox types combined with the Availability Service too book resources.

If you use Outlook 2000/2002/2003/2007 with Exchange 2003 you have no issues doing Direct Booking as stated here.

http://support.microsoft.com/kb/291616

What if you are on Outlook 2010 and Exchange 2003? The Outlook team assumes you are using Exchange 2007/2010 so direct booking is not enabled by default in the Outlook 2010 client. If a user tries to use Direct Booking as in previous versions of Outlook they will get a bounce back message saying the resource was not booked properly. Clearly confusing to the end user.

The fix, enable the Direct Booking feature in Outlook 2010. It will now work like previous versions of Outlook.

http://support.microsoft.com/kb/982774

Also you have to pass is not the display name of the service which is seen in the Services MMC snap-in but the actual service name. To find this out run “sc query” from a command box. This will display all services with their actual services name to display name. Example: wuauserv is Windows Update.

function isServiceRunning(strComputer,strServiceName)

Dim objWMIService, strWMIQuery

strWMIQuery = “Select * from Win32_Service Where Name = ‘” & strServiceName & “‘ and state=’Running’”

Set objWMIService = GetObject(“winmgmts:” _
& “{impersonationLevel=impersonate}!\\” & strComputer & “\root\cimv2″)

if objWMIService.ExecQuery(strWMIQuery).Count > 0 then
isServiceRunning = true
else
isServiceRunning = false
end if

end function

http://support.microsoft.com/kb/981872

http://support.microsoft.com/kb/981109

http://support.microsoft.com/kb/2022960

Alright so we got our command line tool, let’s let her rip and clean house. If you run adadmcli.exe /? you get a whole list of different usage commands which we wont go into depth here, just how to solve our problem at hand. However how you run it on a front end Exchange server and back end server in a cluster our a little bit different and isn’t completely clear in /?. But let’s dive into the process I used for this.

1.) First things first, disable this account in AD. Their account has been compromised, it’s getting turned off. We’ll get you back online later after this mess is cleared up thank you very much.

2.) Disable outbound mail for your server or servers (front and back). Let’s do our little part of trying not to completely turn the Internet into a spam wasteland if we can help it. We do this by simply going into ESM, expand the server, click on “Queues” and hit the big “Disable Outbound Mail” button. If you are in a Front End/Back End architecture, you would do it on both your Front End server and the Back End server this persons account resides on. We have clean up in multiple places that needs to take place most likely. Your back end may be completely clean but it may also be backed up at this point. After this step, all outbound mail for your organization is disabled.

3.)  Let’s clean up the front end servers first so we can get outbound mail flowing for the other servers that don’t need to be cleaned. Copy over aqadmcli.exe to the front end server. Open up a command prompt and enter aqadmcli.exe and hit enter. Now it’s time to do some cleaning.

4.) Since you are on the front end, you really don’t need to set the server since it defaults to the local host . You can define which queue you want to target but in our case, we are going to clear all of them of ANY mail from this user. So yes if there is actual legitimate mail from this user in these queues, they will be gone as well. To me I’m ok with this, your account just sent out 250k worth of spam clogging up my queues, your mail privileged has been revoked while I work on this.  The actual command we run is the following without the quotes, “delmsg flags=SENDER,sender=username@yourdomain” and hit enter. At this point the tool is doing it’s job, it’s looking through all the queues on this server from any messages from this account and is deleting it. You’ll see it scroll through and how many messages it deleted. I tend to run this a few times just in case there are any messages that are still in transit. After this type quit and enable outbound mail. Do this same process on any other front end servers.

5.) At this point outbound mail for your org is up and clean for your front end servers and all back end servers that don’ t have this compromised account. Now time to clean up the back end server. Once again, copy over aqadmcli.exe and run the program as above. Now since we are on a back end server in a cluster we have to actually set the server we are on and the virtual server that is running on it. We do this by running this command without the quotes, “setserver sn=hostname,vs=number” So for example if my backend server is named xbe01 and the virtual server it is hosting is xvs01 the command would look like “setserver sn=xbe01,vs=1″. After this is set, we run the same command as above to clear out all mail queues from mail from this user, “delmsg flags=SENDER,sender=username@yourdomain”. Once again  I run this a few times make sure all messages that were in transit are completely cleared out. Once this comes back clean we can quit this program and re-enable outbound mail for this back end server. All mail is now flowing outbound for your org.

6.) The last step is to “educate” the user on what happened and change their password/enable their account as part of your normal account enabling process, you do have those right.

And that’s it you are done. It’s little more work than a sweet, sweet powershell command but MUCH faster than actually using ESM. Now sit back and monitor your queues for a bit to make sure everything is ok, that spam didn’t stand a chance.

http://support.microsoft.com/kb/981197