Migrate from W2008R2/Exchange 2010 to Nethserver/WebTop

Tags: migrate, activedirectory, migration, webtop5, mail

(Mats) #1

I’ve an old Windows 2008R2 with Exchange 2010 that I want to migrate to Nethserver with WebTop. What we are talking about is the AD, the login script for the clients, and less than ten mailboxes.

So far I have installed the server and joined it to the domain, and everything works fine so far, but now I am a bit stuck and looking for advice about the best way to do this.

Things I'm looking for answers on:
- Best way to move the mail; size is up to 5 GB each.
- Is it possible to promote Nethserver to PDC?
- Pros/cons of setting up a new domain and recreating everything in the AD instead of adding Nethserver as a backup domain controller.
- Any other advice?

NethServer Version: 7.6.18.10


(Rob Bosch) #2

Hi @mahaq. Welcome to the NethServer community. I hope you will feel at home. We will try to help you with your questions.
We have seen a previous request to migrate from exchange to webtop. You might find some hints and tips in that discussion: Migrate exchange to webtop5

For the migration of Windows Server to NethServer: yes, it is possible to promote NethServer as Domain Controller and transfer the FSMO roles afterwards, but AFAIK not from the web interface. @davidep probably can tell you more about this since he was able to add NethServer as a DC to an existing (AD/Samba) domain.

Pro of creating a new domain: you can start fresh.
Con: you have to recreate every user, device and GPO.

Please do share your progress so we all can learn!


(Davide Principi) #3

Still experimental

https://wiki.nethserver.org/doku.php?id=howto:add_ns7_samba_domain_controller_to_existing_active_directory


(Mats) #4

After reading and thinking I have decided to go for creating a new AD and then exporting/importing pst files. The main reason is that I had an old .local domain that was initially created with 2003 SBS and later on migrated to a 2008R2 Std server, so it would have needed a major cleanup if I had kept it. My new setup is a domain in the format internal.domain.tld to replace the old domain.local.


(Rob Bosch) #5

Thank you for getting back on this. If you want, please keep us informed on your progress. (we all might learn something from it… :wink: )


(Mats) #6

Here is a summary of my experience so far. To understand the prerequisites: the server is installed in the DMZ with a 192.168.x.x address and a single network card. I'm using it for authentication, authorization, email using IMAP and WebTop5, and internal DNS. I've also installed Mattermost and ejabberd. Spam control and DHCP are managed by the firewall, which is running Sophos XG Home edition.

What I’ve liked so far

  • The installation process was smooth; I had some issues in the beginning, as always when I try to do too much during the installation instead of afterwards in the configuration.
  • The community, which is quick to help with good advice and quick response and action on bugs.
  • Let's Encrypt was easy to use after some work in the DNS so the internal domain was visible; I'll have to wait and see how the renewal goes.
  • Mattermost was really easy to install and configure.
  • The new UI looks promising but is still buggy; my advice is to focus on fixing the bugs before adding more features.
  • Adding computers to the domain was easy.
  • Mostly it just works and I haven't experienced any issues at runtime so far.

Things that haven't gone that smoothly.

  • The mail migration was a struggle and is still not completed, which has delayed the shutdown of the Windows server. The Windows server is not doing any work but I still want to have access to Exchange if needed. I went for the approach of exporting to pst files and importing using pst2webtop. The result was that roughly 50% of the mail was imported, and I'll have to open the pst files with a mail client and drag over the mails. I haven't tested it yet, but that was my approach when migrating to Exchange and it worked really smoothly that time. Looking back, that should have been my first approach. It won't be an issue where complete folders haven't been migrated, but a struggle where some mails have been imported and some haven't.
  • Activating the subscription was a really stupid decision by me. If you have no intention of using the subscription, don't activate it to start with, because it was a challenge to revert to the community edition.

Things left to do

  • As mentioned above, finish the mail migration
  • Getting a better understanding of ejabberd
  • Swap over the remaining computers. I have so far done one Windows client; one Windows client and one Linux client remain to do, but based on the experience so far I am not expecting any problems.

Minor remarks

  • The network is called green and cannot be changed, at least not from the UI, and I will not try to do it using the terminal without fully understanding the impact. I use green for my client network and this server is placed in the DMZ, which is called orange; that goes back to the days when I used Smoothwall as a firewall.
  • The WebTop UI feels a bit dated; it does its work, it just doesn't feel like a modern web UI. Not really a complaint since we mostly use mail clients on computers or phones.
  • I got tired of dragging and dropping the migrated mails in the web client, so for one user I moved the inbox using PuTTY and it worked fine, except that they are not included in the mail quota. That won't be a problem since no user will even get close to maxing their quota in the next 25 years or so, just a funny little bug.

(Mats) #7

I forgot one thing: the settings for password policy are limited to either no policy at all or a “strong” policy that requires special characters and a minimum length of seven characters. I would prefer a bit more flexibility, such as no requirement for special characters (unless you use a dot or a comma, they are usually placed on the keyboard so that they are harder to reach) but with a minimum length of, say, twelve characters. That would be more secure compared to the current alternatives while making it easier for the users to remember. Having a couple of checkboxes to decide which characters to include and a slider for the password length would be a good improvement.


(Michael Kicks) #8

I suggest you take your time (maybe not now) and take a look at the rspamd documentation as a possible alternative to Sophos for managing spam. It seems a bit more powerful and manageable. Only remember to train as ham the “good mail” you had in your users' folders.

Hope that this will be interesting stuff for @dev_team.
Also, for the mail transfer, consider loading the messages from IMAP as “the last option”. Even Outlook 2010 can use NethServer IMAP :wink:

From the NethServer perspective it is usual to have at least a green interface. You can set up a dummy/virtual interface and change the role of the current network card to red.
Don't forget, before the change, to verify under Network services which services should be reachable from your LAN and the internet.
Due to your choice to put NethServer in the DMZ, I'm gonna ask what you are using for backup :slight_smile:


(Rob Bosch) #9

Maybe a bit late, but did you try using imapsync? I found a post where it is claimed that it actually works to use imapsync to move mailboxes from an MS Exchange server to a Dovecot-based Linux mail server.
https://www.barryodonovan.com/2013/02/08/synchronising-microsoft-exchange-to-another-imap-server-dovecot
From experience I can say that using imapsync for moving from Dovecot to Dovecot works like a charm, but I never had the opportunity to use it with MS Exchange.
Have fun… :wink:
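Whichever transfer route is used (pst2webtop as in post #6, or imapsync / IMAP as suggested in posts #8 and #9), the partial-import problem described in #6 is easiest to spot by comparing per-folder message counts between the Exchange IMAP endpoint and the NethServer (Dovecot) one. The script below is an added example, not code from this thread or from NethServer; it assumes two already-authenticated imaplib sessions and that Exchange uses "/" as hierarchy delimiter while Dovecot uses "." (the LIST/STATUS lines in the comments are constructed samples).

```python
import re
import imaplib
from typing import Optional

# One line of an imaplib LIST response (constructed samples):
#   b'(\\HasNoChildren) "/" "Sent Items"'   Exchange style, "/" delimiter
#   b'(\\HasChildren) "." INBOX'            Dovecot Maildir style, "." delimiter
LIST_RE = re.compile(rb'^\((?P<flags>[^)]*)\) (?P<delim>"."|NIL) (?P<name>.+)$')
# The part of a STATUS response we need, e.g. b'"INBOX" (MESSAGES 42)'
STATUS_RE = re.compile(rb'MESSAGES (?P<n>\d+)')

def parse_list_line(line: bytes) -> tuple[list[str], Optional[str], str]:
    """Split a LIST line into (flags, hierarchy delimiter, folder name)."""
    m = LIST_RE.match(line)
    if not m:
        raise ValueError(f"unparseable LIST line: {line!r}")
    flags = m.group("flags").decode("ascii").split()
    delim = None if m.group("delim") == b"NIL" else m.group("delim")[1:-1].decode("ascii")
    name = m.group("name").strip(b'"').decode("ascii")  # modified UTF-7 is pure ASCII
    return flags, delim, name

def parse_status_line(line: bytes) -> int:
    """Extract the MESSAGES count from a STATUS response line."""
    m = STATUS_RE.search(line)
    if not m:
        raise ValueError(f"no MESSAGES count in STATUS line: {line!r}")
    return int(m.group("n"))

def folder_counts(conn: imaplib.IMAP4) -> dict[str, int]:
    """Message count per selectable folder on an authenticated IMAP session."""
    counts: dict[str, int] = {}
    _typ, lines = conn.list()
    for line in lines:
        flags, _, name = parse_list_line(line)
        if any(f.lower() == "\\noselect" for f in flags):
            continue  # container folder that holds no messages of its own
        _typ, data = conn.status(f'"{name}"', "(MESSAGES)")
        counts[name] = parse_status_line(data[0])
    return counts

def compare_counts(src: dict[str, int], dst: dict[str, int],
                   src_delim: str = "/", dst_delim: str = ".") -> dict[str, tuple[int, int]]:
    """Folders where the destination has fewer messages than the source, as name -> (src, dst)."""
    short: dict[str, tuple[int, int]] = {}
    for name, expected in src.items():
        got = dst.get(name.replace(src_delim, dst_delim), 0)  # INBOX/Projects vs INBOX.Projects
        if got < expected:
            short[name] = (expected, got)
    return short
```

Run `compare_counts(folder_counts(exchange), folder_counts(dovecot))` after the transfer; any folder it returns needs a second pass, which is exactly the "some mails imported, some not" case from post #6.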


(Davide Principi) #10

There’s a “doveadm quota recalc” command that suits this kind of manual mailbox change


(Mats) #11

[quote=“pike, post:8, topic:11658”]

I suggest you take your time (maybe not now) and take a look at the rspamd documentation as a possible alternative to Sophos for managing spam. It seems a bit more powerful and manageable. Only remember to train as ham the “good mail” you had in your users' folders.
[/quote]
If I understand it correctly, it is using Bayesian filtering. My experience is that it will require a lot of maintenance to keep up to date with how spammers are changing their behaviour. Actually, the spam filtering done by Sophos is really good. It rejects all mail that is considered to be obvious spam at once, and of the remaining part some are marked as spam with very few mistakes. I haven't spent a single minute on training or configuring it, and I'm not aware that I've lost a single mail that has incorrectly been considered spam and totally rejected. I actually get a lot more spam at work, and that with a mail address I'm a lot more careful not to register on different sites.

It depends a bit on what you consider as backup. As a backup if NethServer fails, the firewall will cache all mails and release them as soon as the mail server is available again. The DMZ is far from wide open; see it more like a secondary LAN subnet. If you mean regular backup, as in being able to restore, I will probably use the built-in solution in NethServer, but I'm also looking into using a solution like Amanda or something similar to keep it centralized. Your suggestion feels like too much of a workaround. It doesn't disturb anything, so I might as well leave it as it is.


(Mats) #12

Thanks for the advice, I’ll give it a try.


(Mats) #13

I logged on as root and executed the command, but that threw an exception for a missing +x permission. I then tried sudo -u vmail doveadm quota recalc, which at least didn't throw an exception, but it also didn't seem to cause any change. What I see on the Mail quota page are still the same numbers as before.


(Michael Kicks) #14

Rspamd uses Bayesian filters, but not only that. I don't know exactly what Sophos XG can do but… I'll give it a try. The suggestion to train rspamd, consider it as “best practice”, only to let the antispam know “what you like”. A nice feature included in “server-connected” (and not “gateway-connected”) spam detection tools is that you can tell your users “put spam into the spam directory” to train the antispam filters.
Anyway, take it as a suggestion in case you are looking for a replacement for Sophos XG :wink:

Nice point… I was meaning “backup of the NethServer installation”, not a failover/redundant/deputy mail server.
From my point of view, if it's a bare-metal server maybe a NAS could be the best option (with VLAN switches) for a single-NIC setup, or a dual-LAN setup with the NAS connected to the “green” network (from the NethServer perspective), with the red one used for the internet connection. This arrangement avoids bottlenecking the service connection during backup. Using only one network adapter (real or virtual does not matter) could overload the firewall, if the target destination is on the “green network” from the firewall's perspective.
Also, thanks for letting me know that XG can be a buffer for mail messages. It's quite a nice feature.