Wednesday, October 14, 2009

HIS/SNA server : How does the HIS client search for sponsor servers?

Had a project with the Bank to help migrate 4 HIS servers from Token Ring connections to Ethernet connections.

========================
Environment:
========================
4 x HIS 2000 servers
2 of the servers are in one HIS subdomain (HISPROD) and the other 2 servers are in another HIS subdomain (HISCOLD).
The 2 sets of servers have the same PU/LU configuration. The main purpose is to have the 2nd set in standby mode.
The servers were running on Token Ring connections, which talk to a switch, which in turn talks to the mainframe. Each server has 3 Token Ring adapters, hence 3 connections to the switch.

The main objective is to migrate all 4 servers to Ethernet connections and make sure they are functional in the Ethernet environment.

========================
Planning:
========================
1. 2 of the servers are production servers. The other 2 are standby. Hence the plan is to get the 2 standby servers onto Ethernet connections first, then migrate production users to connect to the standby servers. Monitor connections for 2 weeks, then change the production servers to Ethernet connections and migrate users back to the production servers.

2. The migration will be done using DNS repointing, meaning users querying for the production servers' IP will be directed to the standby servers' IP.

3. Migration needs to be done on 2 servers at the same time. This is due to the fact that they are both in 1 HIS subdomain. When a HIS client is searching for a sponsor server, it will actually look at the sponsor server list set up on the client.
a. When it hits the first server, it will query for the LU that it is supposed to connect to; if the LU resides in any HIS server within the HIS subdomain, the client will be pointed to contact that HIS server directly.
b. If the LU is not in any HIS server within the HIS subdomain, the client will refer back to the HIS client sponsor server list for the next server to connect to.

** This is the key point why HIS servers within the same HIS subdomain need to be migrated together. **

========================
Implementation
========================
1. Make sure both sets of servers have the same SNA configuration. Export and import with snacfg.
a. Export the SNA configuration: "snacfg /print > c:\snacfg.txt"
b. Modify snacfg.txt to fit the target servers' configuration (e.g. server name, remote host address ...).
c. Delete the SNADLC settings (since the target servers already have them).
d. Delete the server settings (since the target servers already have them).
e. Delete everything after the last workstation config (this includes printer, tnserver etc.).
f. Copy the modified snacfg.txt to the target server and import it: "snacfg @snacfg.txt"
g. Normally an error will give you the offending line number, so just go back to snacfg.txt to check.
h. If there is no error, the import is complete. Verify in the SNA Manager console.

2. Modify DNS to repoint the servers.
a. Identify which DNS zone users are querying.
b. Change the DNS settings to point to the new IP in each of the zones.
c. Wait for replication to complete to all your DNS servers. This will roughly be the AD convergence time if you're using AD-integrated DNS. You can write a batch script that uses nslookup to query all your DNS servers for the particular host record.
d. Wait for the DNS cache on the clients' PCs to expire. By default this takes 1 hour.

3. Shutdown original 2 HIS servers and turn on the target 2 HIS servers.

4. Verify all PU connections are active.

5. Get user to verify.
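Step 2c suggests scripting the convergence check. The following PowerShell is an added example (not from the original post) that asks every DNS server for the repointed host record, as the post suggests, via nslookup so it also runs on Windows 2003-era admin hosts, and reports which servers still return something other than the standby server's address. The DNS server names, the record and the expected IP are constructed placeholders.

```powershell
# Added example (not from the original post): confirm a repointed host record has
# converged on every DNS server before relying on the client-side cache wait.
# Server names, record and expected IP below are constructed placeholders.
$DnsServers = @('dns01.example.local', 'dns02.example.local', 'dns03.example.local')
$Record     = 'hisprod01.example.local'
$ExpectedIp = '10.0.0.50'   # the standby HIS server's IP the record should now return

function Get-ARecordFromServer {
    param([string]$Server, [string]$Name)
    # Ask one specific DNS server (third nslookup argument) for the A record.
    $out = & nslookup -type=A $Name $Server 2>&1 | Out-String
    # nslookup prints its own server's address first; the answer follows "Name:".
    # If "Name:" is absent the lookup failed, so return no addresses instead of
    # accidentally picking up the DNS server's own IP.
    $idx = $out.LastIndexOf('Name:')
    if ($idx -lt 0) { return @() }
    $answer = $out.Substring($idx)
    $ips = [regex]::Matches($answer, '\b\d{1,3}(\.\d{1,3}){3}\b') | ForEach-Object { $_.Value }
    return $ips
}

$notConverged = @()
foreach ($srv in $DnsServers) {
    $ips = @(Get-ARecordFromServer -Server $srv -Name $Record)
    # Converged means exactly one answer and it is the new address.
    if ($ips.Count -eq 1 -and $ips[0] -eq $ExpectedIp) {
        Write-Host ("{0,-25} OK   -> {1}" -f $srv, ($ips -join ','))
    } else {
        Write-Host ("{0,-25} WAIT -> {1}" -f $srv, ($ips -join ','))
        $notConverged += $srv
    }
}

if ($notConverged.Count -eq 0) {
    Write-Host "All DNS servers return $ExpectedIp for $Record; start the client cache wait (step 2d)."
} else {
    Write-Host "Still waiting on: $($notConverged -join ', ')"
}
```

Re-run it until every server reports OK; only then does the 1-hour client cache timer in step 2d mean anything, since a client refreshing against a lagging server would pick up the old address again.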

AD : GPO version number

[Reminder to myself] to find out more about GPO version number

AD : USN rollback. Prohibiting replication.

[Reminder to myself] to update regarding USN rollback

AD : Removing Lingering Objects

[Reminder to myself] to update regarding lingering objects

Wednesday, September 23, 2009

Creating Windows 2003 Hyper V Virtual Machines

Creating the virtual machine is straightforward, however there's a little trick with the Windows 2003 machines. The Integration Setup can only be run on Windows 2003 SP2, and without the Integration Setup we can't get any mouse interaction on the server.

So the idea is to copy the Service Pack 2 file onto the server and install it with only keyboard interaction.

1. Create a new virtual machine (add a Legacy Network Adapter).
2. Install the VM with Windows 2003 Server.
3. Use the keyboard (TAB, Shift-TAB, Spacebar, etc.) to navigate through the setup wizard.
4. Once installation completes, use the keyboard to navigate to the network connection.
OR
you can use the netsh command to key in an IP address for the server.
5. The reason we are using the "Legacy Network Adapter" is that before the Integration Setup is run, the server will not recognize the normal network device. So configure the "Legacy Network" connection with an IP and do a file transfer to copy the Service Pack 2 file over.
6. Run the Service Pack 2 file, restart as required.
7. Run the Integration Setup, restart as required.

Now the server is ready to be used as normal.

Tuesday, September 22, 2009

Forest Trust + Dedicated Exchange Forest

Need to set up a trust relationship between 2 AD forests. The requirements are as below:
1. The TM5 Q2 environment has its own AD environment, but does not have Exchange.
2. DEV-AHB has its own AD environment including 2 Exchange servers.
3. AmIdentity is going to do a UAT test on TM5 Q2, which requires users to be created in the TM5 Q2 environment; users will have mailboxes created.
4. Exchange could not be installed in the TM5 Q2 environment due to a licensing issue.
5. The suggestion is to create a trust relationship between TM5 Q2 and DEV-AHB, and let users in TM5 Q2 utilize the Exchange in DEV-AHB.

I have never done this before, so it's actually very challenging. The trust part could be easy, but the Exchange part might require some skills.

1. TM5 Q2 hasn't been /ADPREP'd yet, so users will not have Exchange properties.
2. TM5 Q2 has a different time zone due to a business requirement. Building a trust between these 2 environments might sync time on the servers.

So, before actually doing it in the real environment, I'm now building a virtual server with an AD forest. I'm going to build a trust from this server to DEV-AHB, and try to see whether new users can be created with mailboxes on them.

================================

So after some research and testing, here are the findings:

To allow an AD forest's users to utilise the Exchange resources in another AD forest, there are a few requirements.

1. The Exchange forest needs to trust the account forest.
2. A mailbox-enabled, disabled account needs to be created in the Exchange forest for every user in the account forest who requires a mailbox.
3. If you are using Exchange 2007, there is a linked mailbox function where you can go through a wizard and provision the users.
4. If you are using Exchange 2003 or below, you will have to manually go through the creation of accounts, disabling them and assigning the necessary rights.

Using a Dedicated Exchange Forest
Using Multiple Forests with Exchange
How to Deploy Exchange 2007 in a Cross-Forest Topology
Deploying an Exchange 2007 Resource Forest (Part 1)
Understanding and using the External Associated Account in Windows Server 2003 and Exchange 2003

=============================================
Now, the steps to manually provision Associated External Accounts in Exchange 2003 and 2000.

Forest A (with Exchange), Forest B (user account forest); Forest A trusts Forest B.

1. Create a user in ForestA, with mailbox enabled.
2. Disable ForestA\User.
3. Create a user in ForestB: ForestB\User.
4. Under ForestA\User properties, on the "Security" tab, add ForestB\User to the ACL and allow "Send As".
5. Under ForestA\User properties, under "Exchange Advanced" > "Mailbox Rights", add ForestB\User to the ACL and allow "Read Permission", "Full Mailbox Access" and "Associated External Account".
6. Verify by logging on to OWA using the ForestB\User credentials.
7. The email address for this account will be the one shown under ForestA\User's email addresses.
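As an added example (not from the original post), this PowerShell snippet verifies the result of steps 2, 4 and 5 on the Forest A account: that it is disabled, that ForestB\User holds "Send As" on the AD object, and that the "Associated External Account" right has recorded ForestB\User's SID in the msExchMasterAccountSid attribute. The DN, domain and account names are constructed placeholders, it must be run as a Forest A user that can read the object, and it does not parse the mailbox rights themselves (Full Mailbox Access), which live in the mailbox security descriptor rather than the AD object ACL.

```powershell
# Added example (not from the original post): check that a resource-forest mailbox
# account was provisioned per the steps above. Names below are constructed placeholders.
$MailboxUserDn   = 'CN=User,OU=Mailboxes,DC=foresta,DC=local'   # disabled, mailbox-enabled account in Forest A
$ExternalAccount = 'FORESTB\User'                               # the real logon account in Forest B

# Resolve the Forest B account to its SID; this only works once the trust is in place.
$externalSid = (New-Object System.Security.Principal.NTAccount($ExternalAccount)).Translate([System.Security.Principal.SecurityIdentifier])

$user    = [ADSI]"LDAP://$MailboxUserDn"
$results = @{}

# Step 2: the Forest A account must be disabled (ADS_UF_ACCOUNTDISABLE = 0x2 in userAccountControl),
# so nobody can log on with it directly; only the linked Forest B account should reach the mailbox.
$uac = [int]$user.userAccountControl.Value
$results['AccountDisabled'] = (($uac -band 0x2) -ne 0)

# Step 5: granting "Associated External Account" stores the external account's SID
# in msExchMasterAccountSid (binary). Compare it with the SID we resolved above.
$masterSidBytes = $user.Properties['msExchMasterAccountSid'].Value
$results['AssociatedExternalAccount'] = $false
if ($masterSidBytes) {
    $masterSid = New-Object System.Security.Principal.SecurityIdentifier($masterSidBytes, 0)
    $results['AssociatedExternalAccount'] = ($masterSid -eq $externalSid)
}

# Step 4: "Send As" is the extended right ab721a54-1e2f-11d0-9819-00aa0040529b on the AD object ACL.
$sendAsGuid = [Guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'
$rules = $user.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$results['SendAs'] = [bool]($rules | Where-Object {
    $_.IdentityReference -eq $externalSid -and
    $_.AccessControlType -eq 'Allow' -and
    $_.ObjectType -eq $sendAsGuid })

$results.GetEnumerator() | Sort-Object Name | ForEach-Object {
    Write-Host ("{0,-28} {1}" -f $_.Name, $(if ($_.Value) { 'OK' } else { 'MISSING' }))
}
```

Any line reporting MISSING points at the step to redo before handing the account to the user for the OWA check in step 6.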