Exchange stories

MS09-056 may stop OCS services

2009-11-09T02:58:00.000-08:00

after applying the update above on my OCS R2 Edge server and restart it, I get a strange event in the Office Communications Server log:

Event ID: 12299

Description:The service is shutting down due to an internal error.
Error Code: C3E93C23 (SIPPROXY_E_INVALID_INSTALLATION_DATA)Cause: Check the previous entries in the event log for the failure reason.Resolution:Check the previous event log entries and resolve them. Restart the server. If the problem persists contact Product Support Services.

and the following one as well:

Event ID: 12290

Description:The evaluation period for Microsoft Office Communications Server 2007 R2 has expired. Please upgrade from the evaluation version to the full released version of the product.

---------------------------------------------------------

That was funny! I was sure that I am using licensed copy of the product, so what is the problem.
I found the KB974571, which state clearly the following:

"Services that are required by Communications Server are not started after you install this update and then restart a computer that is running any of the following versions of Communications Server:
Live Communications Server 2005 (LCS)
Live Communications Server 2005 SP1
Office Communications Server 2007 Enterprise edition (OCS)
Office Communications Server 2007 Standard edition
Office Communications Server 2007 R2 Enterprise edition
Office Communications Server 2007 R2 Standard edition
Office Communicator 2007 Evaluation version only*
Office Communicator 2007 R2 Evaluation version only*
Office Communicator 2005 Evaluation version only*"

MS had released a HotFix to resolve this issue.

after running the fix, the service start normally.

Certificate issue (Private key not installed)

2009-09-01T02:56:00.001-07:00

Recently , I was working on OCS certificate issue. The issue in summary, is that I have requested a certificate for the OCS edge server as well as the Reverse proxy server (ISA 2006), the certificate holds multiple SANs in order to utilize it in both the OCS edge server for the Edge and the web conference roles, and also the Reverse proxy to allow downloading meeting contends and the address list.

Anyway, I have received the certificate, I import it on the ISA server and once I tried to select it on the web listener I get the error: Private Key not installed.

There is a very similar scenario in the exchange team blog ,the missing thing is that I should import the received certificate first on the machine that generate the request to get the private key pairs.

In my case I was requesting the certificate on the Edge server. So, we need to first import the certificate on the edge server to get the certificate working properly with its private key, and then export it to be installed on the ISA server.

So let's go to the edge server

Click the certificate link on the right pane to launch the certificate wizard, click next

Then we have to choose process an offline certificate……

Then browse to the path of the certificate file that has been downloaded from the 3^rd party CA, and finish.

Assigning the certificate

Let's access the certificate wizard, but this time we shall choose Assign an existing certificate
On the Available Certificate screen choose the imported certificate and click Next
On the next screen, I shall choose two options
I choose to assign the certificate for both the access edge and web conference, because I had already requested a certificate with multiple SANs that include them.

And Next then Finish.

Now to export the certificate we should run new MMC, from the file menu choose Add/remove snap-ins

Then add, and choose Certificates, and
make sure to choose computer account, and click Next
Then click finish.

From the certificate console, go to the certificate folder under personal, you should find the imported certificate there, right click it and choose export from all tasks.
Click Next on the Welcome to the certificate export wizard

Make sure to choose the first option on the next dialog and click Next
And ensure to choose enable strong protection and click Next
On the next window, set a password and click Next.
Then specify a name for the file and location.

And finally finish.

We can use the same way now to import it on the ISA server, from the certificate console we shall right click certificate and choose Import from all tasks
Click Next on the welcome screen,

Specify the path of the file on next screen and click Next,

Specify the password for the file and click Next,

Make sure you choose the second option on the Certificate store screen, and click Next
And then finish.
Now back to the ISA console, trying to select the imported certificate on the web listener is successful

You can notice that the private key is correctly installed.
Moreover testing the rule is giving successful completion.

To verify access through the Reverse Proxy:

Open a Web browser, type the URLs in the Address bar that are used by clients to access the

Address Book files, Live Meeting content and Distribution Group expansion where

https://externalwebfarmFQDN is the external FQDN of the reverse proxy server.

• For Address Book Server type https://externalWebFarmFQDN/abs/ext User should

receive an HTTP challenge.

• For Web conferencing, type https://externalWebFarmFQDN/conf/ext/Tshoot.html

This URL should display the troubleshooting page for Web conferencing.

• For group expansion type

https://externalWebFarmFQDN/GroupExpansion/ext/service.asmx User should receive an HTTP challenge.

How to update Tanjay polycom (1.0.522.34)

2009-07-28T06:39:00.001-07:00

Symptoms:

OCS 2007 R2 Enterprise edition deployed over windows 2008, everything is working fine. Updating polycom CX700 device that came with an old version (1.0.522.34) to R2 phone edition fail with no errors!

The IIS 7 log is giving the 200 success entry, which indicates everything is fine.

And the imageupdate log on the OCS server (under Logs\Server\Audit\imageUpdates) is not giving any errors, showing that the device is requesting the correct URL.

In our situation, the device should be updated in two phases. It should be updated first to the Interim version (1.0.522.103), then updated to the latest version which is (3.5.6907.31) at the time of writing this article.

Troubleshooting:

In order to make sure that your device is capable of accessing the new updates, you should be able to browse the internal URL for the updates: http://Pool_FQDN/DeviceUpdateFiles_Int/UCPhone/Polycom/CX700/A/ENU/3.5.6907.31/CPE/CPE.nbt

You should be prompted with a dialog to save the file. In my case I was getting a blank page! , there were no errors and the IIS log is showing the same 200 success entry!
That was really odd.

While I am trying to figure out this issue I came across the Microsoft Office Communicator 2007 R2 Phone Edition Release Notes which are very useful. I notice that I have some missed WMI settings, those where ExternalUpdatesDownloadURL and ExternalUpdatesStoreURL.

I edited those settings as the MS notes recommended (at the end of the notes), but that does not solve my problem.

I realized that my problem is much related to IIS, in other words, the IIS is not giving the correct information. So I start searching about IIS7 errors on the MS TechNet, I noticed that my IIS is missing some component, that was HTTP Errors (a role service under IIS role).I installed this service. Then I tried to access the internal URL, and I get the error 500.19…. This one has been solved clearly by this MS KB942055

After that I do manual restart my polycom cx700 device, and get updated successfully to the interim version then to the (3.5.6907.31) version.

Lack of Documentation:

Well the problem has been sorted out, but! I really wonder if I had missed to install this role service by mistake or because of any other reason.

Back to the MS documentation that has been released for the R2 edition, I had double checked the document OCS 2007 R2 Deploying Enterprise Edition; I foxed on Configuring IIS 7.0 on Windows Server 2008, the requirements there are not including the HTTP Errors feature. It's very obvious that OCS 2007 R2 installation well run smoothly without this feature, but at least adding a Note to the document recommending this feature for troubleshooting purposes will save a lot of time.

For me, I waste a lot of time troubleshooting this issue till sorted out, and I shouldn't if that feature was recommended by the document.

Event ID: 1025 on Exchange 2003 SP2

2008-07-30T01:01:00.001-07:00

Today morning, I found that the application log on the exchange server is flooded with the following warning:

Event Type: Warning

Event Source: MSExchangeIS Mailbox Store

Event Category: General

Event ID: 1025

Date: 7/30/2008

Time: 8:45:28 AM

User: N/A

Computer: MAIL

Description:

An error occurred on database "DatabaseName".

Function name or description of problem: EcEntryIdFromAddr

Error: 0x467

For more information, click http://www.microsoft.com/contentredirect.asp.

A related article on MS support site stated that this error can occur on exchange 2000, but in our case we have exchange 2003, any way the cause part of the article state the following:

CAUSE

This problem can occur if a message from the Internet contains a "REPLY-TO" field. The information store asks for the same attribute (proxy addresses) twice and Dsaccess only fills in the first instance. This problem can occur with Microsoft MSN Hotmail accounts if you alter the reply to address.

However to eliminate the error, I have browsed the queue and find out a message pending in the local delivery queue. To sort this error out, I did the following:

Stop the SMTP service.
Open the queue directory.
Open the stucked messages for local delivery with notepad.
Delete the "REPLY-TO" line.
Start the SMTP service.

The messages then will be delivered and the error will be eliminated. In my case the messages was coming from a Blackberry device.

ABCD System Center Essentials (SCE)

2008-06-29T04:38:00.001-07:00

In this post I am gonna go through the basic steps to install and configure SCE, and make it up and running.

Initially, once you insert the media it will check for the pre-requisites and give you a nice report whether it is applicable to install SCE or not, and tell you what is the missing components ( .Net framework, IIS…)

I am not going to talk about the installation process since it is as simple as 10 clicks wizard. Once the installation wizard finished, you will get the following screen:

After that, you will launch the SCE console

It is clear that the configuration steps are not completed, mainly we have to configure these three configuration steps in order to make SCE working, and those are:

Configure product feature: this will configure proxy setting, group policy setting (Domain level or local policy), Firewall Exception, enable remote assistance on client machine, Error collection setting and schedule discovery.
Configure computers and devices to manage: enable you to discover the network and find out the clients and servers then push the installation of client agent.
Configure Microsoft Update settings: it is very similar to the WSUS configuration, this will enable you to choose which OS updates to download and which language, and which office and other Microsoft product updates to download, it is easy and a matter of simple click, then you can synchronize with Microsoft site or schedule it on non working hours.

Note: in order to allow the SCE server to discover computers in your network, certain ports must be opened the server VLAN and the clients VLAN, those are:

TCP (135, 139, 445)
UDP (137, 138)
If you face problems with installing the agent for any reason, you can manually install the agent by following the steps in this link:

http://technet.microsoft.com/en-us/library/bb437257.aspx

for more information:
http://technet.microsoft.com/en-us/library/cc308579(TechNet.10).aspx

DNS Disaster Recovery!

2008-04-17T00:19:00.001-07:00

If you are working in an organization that hosts its own DNS server where you have the records for MX, Web and other servers that are accessible externally, you must put a plan for how to rebuild your DNS server in case of failure or a disaster.

In this article, I am going to show you how to backup the zones in your DNS server and restore those using DNSCMD command lines; DNSCMD is a part of Support tools. So you must install the support tools in order to run this command.

I am going to simulate the case, by backing up a production DNS server and restore it to a virtual machine image. After installing the support tools on the server go to:

Start -> programs -> windows support tools -> command prompt

The syntax for our command is: dnscmd [ServerName] /zoneexport ZoneName ZoneExportFile

So based on my server and zone names, I will use the following syntax:

C:\>dnscmd MyDNSname /zoneexport TestZone.com TestZone.com.bak

You will notice that the output of this command is:

DNS Server MyDNSname exported zone

TestZone.com to file %windir%\system32\dns\ TestZone.com.bak

DNS server Command completed successfully.

Now you have to browse to the specified path and copy the .bak file, which we will use it to restore the zone to a different server.

On the new server which supposes to be as a new one, install the DNS service and don't create any new zone.
Paste the .bak file on %systemroot%\system32\dns and rename the extension to .dns
Go to DNS management console, right click forward lookup zone and choose new zone, Next, Next, give it the same name, then next, make sure to choose the second choice, it should take the name of the zone automatically.

Now check your zone, it should contain your old records.

Note: In my case, the DNS server is a member server setting on the DMZ zone so the option to have active directory integrated zone is not available. One more thing, the previous exercise is valid in case of corrupted zone or you need to do some modifications on a specific zone, this will get your zone back before the changes.

For more information: http://technet2.microsoft.com/WindowsServer/en/library/d652a163-279f-4047-b3e0-0c468a4d69f31033.mspx?mfr=true

Creating a custom address list

2008-04-14T06:00:00.001-07:00

In the previous article we imported a group of contacts from different companies into our AD, the good thing is that those contacts are categorized into OUs based on different company name. I believe we can create a custom address list based on the company names. but first of all we have to change the company name for each contact !

Actually, this is an easy process with ADModify. Just download the tool and extract it. Note: you will need .Net frame work in order to work.

Once you run the tool, click on Modify Attribute, and then you will get this screen:

In the Domain List, choose your domain. In the Domain controller List, choose any available DC.

Then click on contacts only, to filter your search. Now click on the green arrow, after that browse to the required OU, once you find it, just click it and click Add to List->, then Select All, and click Next, go to the Organization tab, now we can change the company property for the selected group of contacts in one shot, just check mark company and write the company name, then click Go.

Now let's go to Exchange Management Console to create the customized address list.

Open your EMC, browse to Organization Configuration->Mailbox, right click Mailbox and choose New Address List, give it a name and click the following specific types, then check mark contacts with external e-mail addresses and click next. In the next screen check mark recipient is in a company in Step 1 and click specified in step 2 to fill the company name. To make sure you are filtering the right contacts click preview. Now click next and Next to create the address list immediately.

Now your customized address list has been created and should be accessible to your outlook clients either through MS outlook or OWA.

Enjoy it!

Importing Mail Contacts to exchange 2007 in bulk!

2008-03-27T04:36:00.000-07:00

Scenario:
Your company needs to have an address list that contains contacts from multiple companies. I was talking with Alaa in this regards, he suggest implementing MIIS, but unfortunately it needs some requirements that is not available yet in our servers room :). So we need something fast to import those contacts to our exchange 2007 server.

Solution:
First, we need a CSV file that contains some columns to be exported from those companies (exported from the Domain Controllers), this file will have some attributes of the users like display name and e-mail address.
Login to the domain controller in each company (or ask the in charge person) and do the following:
- Open AD Users & Computers, go to View->add/remove columns, then add the following columns, in the same order:
Name
Display Name
E-mail address
Exchange Alias

Browse to the OU that contain the users accounts that need to be imported, make sure that the view is showing the columns that you had select in the previous step, if not, choose them again, go to Action->Export List, and save the file as (comma delimited) ( *.csv). You need now to work on this file using MS excel.

Open this file with excel, now we have to rename the columns as the following:
Name DisplayName MailAddress Alias
It should looks like this:

Save the file, then copy it to C:\ on the Exchange server (where you want to import the contacts)
Start Exchange Management Shell, copy and paste the following command:

import-csv c:\contacts.csv | foreach { new-mailcontact -alias $_.Alias -name $_.displayName -ExternalEmailAddress $_.MailAddress -org contacts }

Note: before running this command you must have an OU on the AD called contacts otherwise the command will return an error. You can also create your own OU, but change the OU name after –org switch in the previous command.

The contacts is created now, in the next article am gonna show how to create a custom address list for each company based on the imported contacts.

How to enable Remote desktop remotely.

2008-03-05T23:27:00.001-08:00

Most administrators prefer to administer their servers remotely through remote desktop (formerly known as terminal services). But what if you forget to enable remote desktop before shipping the server to a remote site, well, you still have the chance to do it remotely through remote registry.

First of all you should have access to the server with administrative privilege.

-On your xp machine, start->Run->regedit
- On the File menu, click Connect Network Registry.
- type the computer name and then click Check Names
-provide your administrative credential in the next dialog and click ok
-now in the computer node that appear in the registry editor, drill down to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server

-click Terminal Server, then in the detail pane double-click fDenyTSConnections
- in Value data, type 0, and then click OK

Now you need to restart the server remotely in order to implement the change, this can be done through command prompt, run the following command:

shutdown -m \\ComputerName –r

You can now start your RDP sessions.

Server name, #5.0.0 SMTP; 550 failed to meet SPF requirements

2008-03-04T05:04:00.000-08:00

One of our clients report that he can’t send e-mail to certain domain, the bounce back message state the following:
The following recipient(s) cannot be reached:

xx@zz.com on 3/4/2008 10:01 AM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
xx@zz.com #5.0.0 SMTP; 550 failed to meet SPF requirements

What I understand from this message is that our server doesn’t have SPF record.
SPF record is a single TXT entry in the DNS database for each domain, the main purpose of inventing this record is to fight spammers and ensure the identity of the senders.

So, how to create and test it?

By googling SPF, I found useful information; here is how to create your SPF record.
If you are hosting your own DNS server (external DNS), you can follow up in this article, otherwise, follow only step one and contact your ISP to create the record (that is if your ISP hosting your MX record).

Marc Grote wrote a good article regarding this topic, any way, here is what you have to do:

Step one: follow this wizard that will give you your SPF record, copy this string.
Step Two: go to your DNS server, under forward lookup zone, right click your (domain name) zone, and choose other new record, then select TXT record, paste your SPF record in the Text textbox. You should have something similar to this.

Now how to ensure that you create the record successfully, in other word how to query it?
This web site provide this facility, moreover you can test your SPF string before implement it.

That is it, my client start sending e-mail again and no bounce back messages.

WSUS 3.0 Error: The server is failing to download some updates.

2008-03-03T04:56:00.000-08:00

The following errors start appearing in my WSUS 3.0 server application log:

Event Source: Windows Server Update Services
Event ID: 10032
Description:
The server is failing to download some updates.

Event Source: Windows Server Update Services
Event Category: Synchronization
Event ID: 364
Description:
Content file download failed. Reason: The server does not support the necessary HTTP protocol. Background Intelligent Transfer Service (BITS) requires that the server support the Range protocol header.
Source File: /msdownload/update/software/crup/2008/02/bcm2007qfe-kb946140-fullfile-enu_9c8d60aef0faf5ba4a7b71ba3647241b89c19dda.cab Destination File: c:\WSUS\WsusContent\DA\9C8D60AEF0FAF5BA4A7B71BA3647241B89C19DDA.CAB.

To solve the problem I did the following:
-Stop the Background Intelligent Transfer Service.
-Run the following command:

%programfiles%\Update Services\Setup\ExecuteSQL.exe -S %Computername%\MICROSOFT##SSEE -d "SUSDB" -Q "update tbConfigurationC set BitsDownloadPriorityForeground=1"

-Start the Background Intelligent Transfer Service.
-Restart the Update service.
And that’s it, the service start downloading the updates successfully, and you will get the following information event in your app log.

Ref: http://support.microsoft.com/kb/922330

Transitioning from exchange 2000 to 2007 (Part 3)

2007-09-03T00:36:00.000-07:00

Now after checking the entire pre-installation components, if we start the setup we will get some error messages such as this one:
Setup encountered a problem while validating the state of Active Directory: Domain Controller Operating System version is 5.0 (2195) Service Pack 4. The minimum version required is 5.2 (3790) Service Pack 1.
This a common issue actually, the reason behind this is that the setup is checking all the DCs that they must be 2003 sp1 as well as the GCs, because of that we have to point the setup to the specific 2003 dc.. This issue will be fixed in exchange 2007 sp1.

So, I am going to start the setup in an unattended mode starting by prepare the forest by running the mentioned switches previously but with specifying /dc: parameter to point to the windows 2003 DC.

•The first thing we need to do in deploying Exchange 2007 into a legacy Exchange
Organization is to run Setup.com /PrepareLegacyExchangePermissions
to run this command, open the command prompt, browse to the directory of the exchange 2007 setup files, the simply type the command.

•After that we have to prepare the schema, this can be done by running the following command
Setup.com /PrepareSchema /DC:

•Prepare AD, by typing the command:
Setup.com /PrepareAD /dc:
Note: you can run the Setup.com /PrepareAD command before running
/PrepareLegacyExchangePermissions and /PrepareSchema, this will run the /PrepareLegacyExchangePermissions and /PrepareSchema commands automatically.

Now we can start the setup, but we have to start the setup in an unattended mode as we said, by combining a couple of switches with the setup command, depending on your needs:
setup /m:Install /roles:M,HT,C,MT /dc: /EnableLegacyOutlook /LegacyRoutingServer: /t:"d:\program files\Microsoft\Exchange Server"
This command will install the management tools, Hub Transport role, Client access role and the Mailbox role.
That is it, exchange 2007 had been installed, and now we have to move the mailboxes to the new exchange 2007 and finally decommission the old 2000 server.

For more details, you can follow up with Henrik article on moving the mailboxes and decommissioning the old exchange server.

References:

http://technet.microsoft.com/en-us/library/bb124920.aspx
http://www.msexchange.org/tutorials/Transitioning-Exchange-2000-2003-Exchange-Server-2007-Part1.html
http://www.amazon.com/exec/obidos/ASIN/1597491373/isaserver1-20/
http://forums.microsoft.com/

Transitioning from exchange 2000 to 2007 (Part 2)

2007-09-02T00:35:00.000-07:00

It is recommended to run the latest version of Exchange best practice analyzer tools now, and choose Exchange 2007 readiness check, in my case, the tool gave me the following report:

So, my exchange organization is in mixed mode, it must be changed to native mode.

In general, there is three prerequisites that must checked before installing exchange 2007, they are:
® Active Directory forest: the domain functionality level must be windows 2000 or windows server 2003, also you must make sure that the domain controller that is the schema master is running windows server 2003 SP1 or higher, this is also applied for the Global catalog server running on the site as well.

There are some switches that you can run them to prepare the environment by preparing the permission required for exchange 2007, preparing the schema, preparing active directory, and preparing domain.

Those switches are:
Setup.com /PrepareLegacyExchangePermissions
Setup.com /PrepareSchema
Setup.com /PrepareAD
Setup.com /PrepareDomain or Setup.com /PrepareAllDomains

Note: you can run the 32-bit version of exchange 2007 to prepare you environment.

®Exchange organization: it is a must to run the exchange organization in native mode, so we have to remove any exchange servers running exchange 5.5 .In my case I have to change the organization mode simply by opening the exchange system manager, right click exchange organization, choose properties then choose the change mode button you will get a warning message, click yes, as simple as that.

®Server requirements:
Software needed:

- .Net framework 2.0 and the update KB926776 as well
-MMC 3.0
-Windows PowerShell 1.0
-HotFix for Windows x64 (KB904639)

Also, there are some additional components that you have to install on the server depending on the role you are planning to implement, those are:
For Mailbox server role, you need the following components:
• Enable network COM+ access
• Internet Information Services
•World Wide Web Service

For Client Access Server, you need the following components:
-www
-RPC over HTTP proxy
-ASP.NET 2.0

For Hub transport server role, no more components are needed.
But be sure that the SMTP AND NNTP is not installed.

For Edge transport server role, you will need ADAM
AND also make sure that SMTP AND NNTP.

In the next article we gonna start the setup........

Transitioning from exchange 2000 to 2007 (Part 1)

Transitioning from exchange 2000 to 2007 (Part 3)

Transitioning from exchange 2000 to 2007 (Part 1)

2007-08-29T00:35:00.000-07:00

Transitioning from exchange 2003 to exchange 2007 is easy and straightforward, there is many articles on the web describing the process. Henrik walther wrote one of the best articles on this topic. But what about transitioning from exchange 2000 to exchange 2007 in a situation where you have a single box (windows 2000 DC and exchange 2000), I believe the scenario is different a little bit and need more concentrate and careful.
In this article series (3 parts), I am gonna show you my real experience on this issue, enjoy it!

• The setup is as follow:
-Two Domain controllers running windows 2000 advanced server.
-Exchange 2000 is installed on one of the domain controllers.
-The FSMO roles had been moved to the domain controller that is not running exchange.

Well, the first thing we have to think about it is to upgrade the domain controllers to windows 2003 before we go through the installation of Exchange 2007, since this is one of the requirements for exchange 2007.
Regarding to MS KB325379, there is certain attributes in the schema must be changed before we run the /Forestprep , /Domainprep of the windows 2003, those attributes are:
-CN=ms-Exch-Assistant-Name
-CN=ms-Exch-House-Identifier
-CN=ms-Exch-LabeledURI

These attributes must appear as msExchAssistantName, msExchHouseIdentifier, and msExchLabeledURI.
In order to do such change, we can create a script that modifies these attribute in the following way:
Quoted
“

“1.Log on to the console of the schema operations master by using an account that is a member of the Schema Admins security group.
2.Click Start, click Run, type notepad.exe in the Open box, and then click OK.
3.Copy the following text including the trailing hyphen after "schemaUpdateNow: 1" to Notepad.

dn: CN=ms-Exch-Assistant-Name,CN=Schema,CN=Configuration,DC=X
changetype: Modify
replace:LDAPDisplayName
LDAPDisplayName: msExchAssistantName
-

dn: CN=ms-Exch-LabeledURI,CN=Schema,CN=Configuration,DC=X
changetype: Modify
replace: LDAPDisplayName
LDAPDisplayName: msExchLabeledURI
-

dn: CN=ms-Exch-House-Identifier,CN=Schema,CN=Configuration,DC=X
changetype: Modify
replace: LDAPDisplayName
LDAPDisplayName: msExchHouseIdentifier
-

dn:
changetype: Modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

4.Confirm that there is no space at the end of each line.
5.On the File menu, click Save. In the Save As dialog box, follow these steps:
a. In the File name box, type the following:
\%userprofile%\InetOrgPersonPrevent.ldf
b. In the Save as type box, click All Files.
c. In the Encoding box, click Unicode.
d. Click Save.
e. Quit Notepad.
6.Run the InetOrgPersonPrevent.ldf script.
a. Click Start, click Run, type cmd in the Open box, and then click OK.
b. At a command prompt, type the following, and then press ENTER:
cd %userprofile%
c. Type the following command
c:\documents and settings\%username%>ldifde -i -f inetorgpersonprevent.ldf -v -c DC=X "domain name path for forest root domain"
Syntax notes:
•DC=X is a case-sensitive constant.
•The domain name path for the root domain must be enclosed in quotation marks.
For example, the command syntax for an Active Directory forest whose forest root domain is TAILSPINTOYS.COM would be:
c:\documents and settings\administrator>ldifde -i -f inetorgpersonprevent.ldf -v -c DC=X "dc=tailspintoys,dc=com"
Note You may need to change the Schema Update Allowed registry subkey if you receive the following error message:
Schema update is not allowed on this DC because the registry key is not set or the DC is not the schema FSMO Role Owner.
For more information about how to change this registry subkey, click the following article number to view the article in the Microsoft Knowledge Base:
285172 Schema update require Write access to schema in Active Directory “
Now we have to verify that previous attributes had been modified, this can be done through ADSI edit tools (installed as a part of the support tools), under the schema find the attributes (CN=ms-Exch-Assistant-Name CN=ms-Exch-House-Identifier CN=ms-Exch-LabeledURI). Double click each of them, on the attributes tab in the "Select which properties to view" dropdown, select either Mandatory. In the next drop down "Select a property to view" select lDAPDisplayName. Then at the text in the box next to value, make sure that the three attributes same as the attribute name without the CN= and the dashes i.e. msExchAssistantName).

Now we can safely run adprep on the schema operations master. To do so, Log on to the console of the schema operations master with an account that is a member of the Schema Admins security group.
Click Start, click Run, type cmd, and then click OK.
X:\I386\adprep /forestprep
Where X:\I386\ is the path of the Windows Server 2003 installation media.
Verify that the adprep /forestprep changes have replicated on all the domain controllers in the forest.

After that, Run adprep /domainprep on the Infrastructure master. To do so, click Start, click Run, type cmd, and then on the Infrastructure master type the following command:
X:\I386\adprep /domainprep

Verify that domainprep completed successfully, and a replication had been initiated between the DCs.

In my scenario, I had a new server (windows 2003 SP1) which I promote it successfully to be the first domain controller running windows 2003, after preparing the schema.
After that I had transferred the FSMO roles to the new DC and set it as a Global catalog, then upgrade the old DC to windows 2003 (the one that it is not running exchange).

Transitioning from exchange 2000 to 2007 (Part2)
Transitioning from exchange 2000 to 2007 (Part 3)