Tuesday, September 30, 2014

Why you should upgrade Distribution groups moving to Exchange Server 2013

If you previously migrated from Exchange Server 2003 to Exchange Server 2007 and now moving to Exchange Server 2013, Group owners will not be able manage distribution groups created in Exchange Server 2003 or Exchange Server 2007 anymore. They can get the following error message when trying to make changes to a group from Outlook: 

In helping a user who could not manage a mail-enabled security group that she was the owner of and had all the correct rights and RBAC roles assigned, we saw that the Exchange Version for the problem group was 6.5 which was an old 2003 group that was not upgraded when our organization migrated to Exchange 2007 a few years ago.

When checking the group we were able to see the Exchange Version Number as shown below:
To upgrade the group using the Exchange Management Shell:
Set-DistributionGroup -id "Name of the group" -Forceupgrade -bypassSecuritygroupManagerCheck
After the group was upgraded we checked the Exchange Version number. It was now Version 14 as shown below. The user was able to manage the group after Active Directory (AD) Replication had occurred.
If you want to upgrade all your groups at the same time you can use the following from the Exchange Management Shell :
Get-DistributionGroup -ResultSize unlimited | Set-DistributionGroup -forceupgrade -bypassSecuritygroupManagerCheck
If you want to get list of the groups with their Exchange Versions in a report that can be shared with management before you begin to upgrade them, you can run the following from the Exchange Management Shell:

$groupdata = Get-DistributionGroup -ResultSize unlimited | select displayname, exchangeversion
$groupdata | export-csv c:\groups_exchversion.csv 

If you want to see the Exchange versions of your groups and get a count by Exchange versions, run the following in the Exchange Management Shell:
$groupdata | group ExchangeVersion
 Get-DistributionGroup -ResultSize Unlimited | Group ExchangeVersion if you had not done the previous CSV export like the example above.
The output should be similar to the following that I got running this in our environment today 

As you can see we have some work to do with upgrading our groups so let me get back to that. If you upgrade the distribution groups to Exchange 2013 but the owners/managers are still on Exchange 2007 they will no longer be able to manage the groups. This happens because the Exchange trusted subsystem cannot modify the legacy (2003 and 2007) objects. If you migrate the users to Exchange 2013 but the groups are not upgraded they will also not be able to manage the group. You should be following the guidance of using Exchange 2007 administrative tools to manage Exchange 2007 objects and using Exchange 2013 administrative tools to manage Exchange 2013 objects.  
Our current approach is to migrate the user mailboxes to Exchange Server 2013 and upgrade the groups for that specific OU to the Exchange 2103 version after the user migration. This way we can ensure that the groups are upgraded in the same timeframe as the user migration to avoid the support ticket that generated this blog post. 
Good luck to those of you moving to Exchange 2013. Please share your feedback and thoughts in the comments.