Configuring Co-Existence for Exchange 2003 and Exchange 2010

This post is an excerpt from the Exchange Server 2003 to 2010 Migration Guide.

We are approaching the stage of the migration project where the Exchange 2010 servers begin to perform production roles, such as message routing, remote access, and hosting mailboxes.

This period is referred to as the “co-existence” period.

For some organizations a co-existence period is not necessary: they are small enough that all of the services and data on Exchange 2003 can be migrated to Exchange 2010 within a single outage window.

For example a small business with just a few dozen small mailboxes could perform the entire migration over a single weekend with no business-hours impact.  Such organizations can skip the co-existence phase if they wish, which reduces the amount of configuration work required.

For the rest of us a co-existence period is required, which means some configuration must be put in place before any production services or data are migrated to Exchange 2010.

Establishing the Legacy Namespace

The legacy namespace is the name that Exchange 2003 mailbox users will use to reach Outlook Web Access after the remote access namespace (e.g. mail.exchangeserverpro.net) is transitioned to the internet-facing Exchange 2010 Client Access server.

In other words, all Outlook Web Access/App connections are first made to the Exchange 2010 Client Access server.  Users whose mailboxes are on Exchange 2010 are serviced by that server as normal.  Users whose mailboxes are still on Exchange 2003 are instead redirected to the legacy namespace, so their browser connects to the Exchange 2003 front end server for the rest of the session.  The Exchange 2003 front end server therefore remains internet-facing for the whole co-existence period and must stay published through the firewall and patched until it is decommissioned.

Some people find the legacy namespace a confusing topic.  In effect it is simply another DNS name, published with ISA Server or another firewall, that legacy (Exchange 2003) mailbox users are redirected to for Outlook Web Access.  Only OWA uses the redirect: ActiveSync and Outlook Anywhere connections for Exchange 2003 mailboxes are proxied by the Exchange 2010 Client Access server to the Exchange 2003 front end server and never see the legacy name.

Exchange 2003 and 2010 co-existence

Creating the Legacy DNS Record

The legacy name can be anything you like, but the name commonly chosen is simply “legacy”, or in this example scenario “legacy.exchangeserverpro.net”.

This legacy name should be included as a subject alternative name in the Exchange 2010 SSL certificate when it is provisioned, alongside the primary remote access name and the autodiscover name.  If the certificate has already been issued without it, either have the CA reissue the certificate or obtain a separate single-name certificate for the legacy name and install that on the Exchange 2003 front end server instead.

Create a DNS record for the legacy name in your public DNS zone.  If you are using split DNS you should also create the record in your internal DNS zone.

The public IP address that the DNS record points to can be the same as the public IP address of your primary remote access name (e.g. mail.exchangeserverpro.net) if you are using ISA Server 2006 to publish Exchange remote access, because ISA Server can publish different names to different internal servers from the same web listener.

If you are using a different firewall or a simple NAT router, which can only forward a port to one internal host, you will need to configure the legacy namespace on a separate public IP address (a 1:1 NAT to the Exchange 2003 front end server).

Tip: If you are using split DNS take a look at how your existing OWA public name is configured in your internal DNS zone.  If it uses the public IP then do the same with your legacy name, however if it uses the internal IP then you should configure the legacy name to the internal IP as well for the internal DNS zone.

Configuring the OWA Virtual Directory for Legacy Redirection

The OWA Virtual Directory on the internet-facing Client Access server must be configured with the legacy URL to redirect users to.

Open the Exchange Management Shell and run the Set-OWAVirtualDirectory cmdlet with the following parameters:

  • -Identity is the name of the OWA Virtual Directory being modified
  • -Exchange2003URL is the legacy URL to redirect Exchange 2003 mailbox users to
Set-OwaVirtualDirectory -Identity "esp-ho-ex2010a\owa (Default Web Site)" -Exchange2003Url https://legacy.exchangeserverpro.net/exchange
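As an added example (not part of the original article), the following Exchange Management Shell script ties the three prerequisites above together on the internet-facing Client Access server: it checks that the legacy name resolves, that the certificate enabled for IIS on this server covers both the primary and the legacy names, and then applies the Exchange2003Url and reads it back.  The host names, the virtual directory identity and the legacy URL are the article's example values and are assumptions to replace with your own.

```powershell
# Added example (not from the original article). Run in the Exchange
# Management Shell on the internet-facing Exchange 2010 Client Access server.
# The values below are assumptions from the article's scenario; replace them.
$primaryName = "mail.exchangeserverpro.net"
$legacyName  = "legacy.exchangeserverpro.net"
$owaVdir     = "esp-ho-ex2010a\owa (Default Web Site)"
$legacyUrl   = "https://$legacyName/exchange"

$problems = @()

# 1. The legacy name must resolve from here (internal zone if split DNS is used).
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($legacyName) | ForEach-Object { $_.IPAddressToString }
    Write-Host ("{0} resolves to {1}" -f $legacyName, ($addrs -join ", "))
}
catch {
    $problems += "DNS: $legacyName does not resolve from this server"
}

# 2. The certificate enabled for the IIS service must carry both names, or
#    browsers redirected to the legacy name get a name-mismatch warning.
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
if (-not $iisCert) {
    $problems += "No Exchange certificate is enabled for the IIS service on this server"
}
else {
    $domains = $iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
    foreach ($name in @($primaryName, $legacyName)) {
        if ($domains -notcontains $name.ToLower()) {
            $problems += "Certificate $($iisCert.Thumbprint) does not include $name"
        }
    }
    if ($iisCert.NotAfter -lt (Get-Date).AddDays(30)) {
        $problems += "Certificate $($iisCert.Thumbprint) expires on $($iisCert.NotAfter)"
    }
}

# 3. Configure the redirect and read it back (safe to re-run).
Set-OwaVirtualDirectory -Identity $owaVdir -Exchange2003Url $legacyUrl
$vdir = Get-OwaVirtualDirectory -Identity $owaVdir
if ($vdir.Exchange2003Url.ToString().TrimEnd("/") -ne $legacyUrl) {
    $problems += "Exchange2003Url is '$($vdir.Exchange2003Url)', expected '$legacyUrl'"
}

if ($problems.Count -eq 0) {
    Write-Host "OK: legacy OWA redirection prerequisites are in place" -ForegroundColor Green
}
else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

The script only proves the Exchange 2010 side is ready; whether the Exchange 2003 front end actually answers on the legacy name with the right certificate is tested after the certificate has been installed there.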

Assigning the SSL Certificate to Exchange Server 2003

The Exchange 2003 front end server needs to be configured with the new SAN certificate that was provisioned for Exchange 2010 (or with a separate certificate that contains the legacy name), so that remote access connections to the legacy namespace occur over SSL without any certificate errors or warnings.  Note that exporting the Exchange 2010 certificate puts a copy of the same private key on the Exchange 2003 front end server, so that server must be protected at least as well as the Client Access server for as long as it holds the key.

To export the certificate from Exchange Server 2010 launch the Exchange Management Shell and run the following commands.

First determine the thumbprint of the SAN certificate that is installed.

Get-ExchangeCertificate

Thumbprint                                Services   Subject
----------                                --------   -------
4DE8E0AC4ECB09623645842752FAA80C4160BF0B  ...WS.     CN=mail.exchangeserverpro.net, OU=IT Department, O=Exchange Ser...
F539B9045F765F9F0DFDE1EA9CB4BACAAE2C6C54  IP..S.     CN=esp-ho-ex2010a

In this example the thumbprint is “4DE8E0AC4ECB09623645842752FAA80C4160BF0B”.

Next export the certificate to a file by running the following command.  Note this is a single-line command.

$file = Export-ExchangeCertificate -Thumbprint 4DE8E0AC4ECB09623645842752FAA80C4160BF0B -BinaryEncoded:$true -Password (Get-Credential).password

A popup dialog appears for you to enter a password to protect the private key.  The username field is not important but requires something to be entered in it for the dialog to accept, so just enter “username” and then a strong password.

Next run the following command to generate the file.

Set-Content -Path "C:\Admin\ex2010cert.pfx" -Value $file.FileData -Encoding Byte

Open Windows Explorer and look at the location you specified as the –Path parameter in the above command, and you will now see the exported certificate.

Copy the file to the Exchange Server 2003 front end server.  The PFX file contains the private key for your mail namespace, so copy it over an authenticated channel such as an administrative share (not email), and delete every copy of the file once the import has been verified.

On the Exchange 2003 front end server launch mmc.exe and add the Certificates snap-in to the console, choosing the Computer account context.

Choose Local Computer and then click Finish, Close, and OK to return to the console.

Right-click Personal and choose All Tasks -> Import.  Step through the Certificate Import Wizard choosing the certificate file that was copied from the Exchange Server 2010 server.

Enter the password that you used when the certificate was exported from Exchange Server 2010.

Place the certificate in the Personal certificate store.

Complete the wizard and confirm that the import was successful.

The imported certificate will now appear alongside the existing SSL certificate on the front end server, if you had one installed already.  If your CA issues certificates from an intermediate CA (GoDaddy, for example, does), also check that the intermediate certificate is present in the Intermediate Certification Authorities store on the front end server; if it is not, import it from the CA's download page.  A missing intermediate shows up as a certificate error in browsers even though the server certificate itself is correct, and a reboot of the server may be needed before the newly installed intermediate is used.

The certificate now needs to be added to the HTTPS binding for the IIS website on the Exchange 2003 front end server.

Launch IIS Manager from the Administrative Tools menu of the Exchange 2003 front end server.

Right-click the web site that hosts the Exchange 2003 virtual directories, and then choose Properties.

Select the Directory Security tab and click on Server Certificate.

Click Next to step through the welcome page.  Choose Replace the current certificate (or Assign an existing certificate if the web site has no certificate yet), and then click Next to continue.

Select the SSL certificate that was imported from the Exchange 2010 server and click Next to continue.

Confirm your selection and then click Next again, and then Finish.

Click OK to apply the change and close the web site properties dialog box.

You should now test your Exchange 2003 remote access to verify that the new certificate is working correctly: browse to the legacy name (e.g. https://legacy.exchangeserverpro.net/exchange) from outside the network and confirm that no certificate warning appears, then log in to Outlook Web App on the Exchange 2010 namespace with an Exchange 2003 mailbox and confirm that you are redirected to the legacy name.
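The export, verification and test steps above as one script, added here as an example and not code from the original article.  It runs in the Exchange Management Shell on the Exchange 2010 server: step 1 exports the PFX as the article does but takes the password as a SecureString so no placeholder username is needed; step 2 reloads the file to prove it carries the private key and the legacy name and lists the chain, whose non-leaf certificates must also be present on the Exchange 2003 server; Test-LegacyTls is run after the IIS binding on the Exchange 2003 front end has been changed and reports which certificate the legacy name actually presents.  The thumbprint, host name and file path are the article's example values and are assumptions to replace with your own.

```powershell
# Added example (not from the original article). Run in the Exchange
# Management Shell on the Exchange 2010 server. The values below are
# assumptions taken from the article's scenario; replace them with your own.
$thumbprint = "4DE8E0AC4ECB09623645842752FAA80C4160BF0B"
$legacyName = "legacy.exchangeserverpro.net"
$pfxPath    = "C:\Admin\ex2010cert.pfx"

# --- Step 1: export certificate and private key to a password-protected PFX.
$pfxPassword = Read-Host -AsSecureString "Password to protect the PFX"
$export = Export-ExchangeCertificate -Thumbprint $thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path $pfxPath -Value $export.FileData -Encoding Byte

# --- Step 2: reload the file and verify it before copying it anywhere.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$cert.Import($pfxPath, $pfxPassword, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)

if ($cert.Thumbprint -ne $thumbprint) { throw "Exported thumbprint $($cert.Thumbprint) does not match $thumbprint" }
if (-not $cert.HasPrivateKey) { throw "PFX does not contain the private key; the 2003 server could not use it for SSL" }

# Subject Alternative Name extension (OID 2.5.29.17) formats as "DNS Name=..., DNS Name=...".
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { $cert.Subject }
if ($sanText -notmatch [regex]::Escape($legacyName)) {
    Write-Warning "Certificate does not list $legacyName; browsers redirected to it will see a name mismatch"
}

# The chain must also build on the 2003 server: every certificate listed here
# other than the leaf needs to be in its Intermediate or Trusted Root store.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning ("Chain problem: " + $_.StatusInformation.Trim()) }
}
$chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { Write-Host ("Chain certificate: " + $_.Certificate.Subject) }

# --- Step 3 (after the import and IIS binding on the Exchange 2003 front end):
# connect to the legacy name and check which certificate is really presented.
function Test-LegacyTls {
    param([string]$HostName, [string]$ExpectedThumbprint)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    # Accept whatever certificate is sent so the handshake completes and the
    # certificate can be inspected; the real check is the thumbprint below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        Write-Host ("{0} presented {1} ({2})" -f $HostName, $presented.Thumbprint, $presented.Subject)
        return ($presented.Thumbprint -eq $ExpectedThumbprint)
    }
    finally {
        $ssl.Close()
        $tcp.Close()
    }
}

if (Test-LegacyTls -HostName $legacyName -ExpectedThumbprint $thumbprint) {
    Write-Host "OK: $legacyName serves the Exchange 2010 SAN certificate"
    # The PFX is a copy of the private key: remove it once the import is verified.
    Remove-Item -Path $pfxPath -Force
}
else {
    Write-Warning "$legacyName is not serving thumbprint $thumbprint; check the IIS binding on the 2003 front end"
}
```

Run the Test-LegacyTls check from an outside network as well as from the Exchange 2010 server, because with split DNS the legacy name resolves to different addresses inside and outside.  The validation callback deliberately accepts any certificate so the function can report what a client would receive; it is a diagnostic, not a trust decision, which is why the result is compared against the expected thumbprint.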


About Paul Cunningham

Paul is a Microsoft Exchange Server MVP and publisher of Exchange Server Pro. He also holds several Microsoft certifications including for Exchange Server 2007, 2010 and 2013. Connect with Paul on Twitter and Google+.

Comments

  1. martin stovold says:

    Paul,

    Great migration document, has really assisted me with the transition!

    When exporting the cert back to 2003 I followed the instructions but could not locate the certificate to import, the only certificates it showed me were my current and old certs for OWA, any ideas?

    Thanks

  2. Dear Paul,

    I have a case in my office: we use Exchange Server 2003 with Outlook, and every Saturday and Sunday we cannot send or receive email. What's the problem? Is there something wrong with the Exchange configuration? Any ideas to solve it?
    Thanks.

    • The first thing I’d look at is what happens on Saturdays/Sundays? Is that when your backups run? Is that overloading the server? Does your office network drop out on those days? Is the cleaner unplugging your network switch to plug in their vacuum cleaner?

      Could be anything. You need to work out what other things are consistently happening on those days.

  3. Hello Paul,

    I am in the middle of a migration from Exchange 2003 to Exchange 2010. I am a little confused about SSL migration.
    Can I use the same SSL common name, which is currently assigned to Exchange 2003, when creating the new Exchange 2010 SSL certificate? I am not sure whether GoDaddy will allow me to create two SSL certificates with the same common name. I heard ActiveSync to iPhones and other devices stopped working after the certificate was imported to Exchange 2003.
    Has anyone had this issue?

    • Yes you can use the same name in your Exchange 2010 cert. If GoDaddy won’t let you do that then find a better SSL provider.

      I’ve never experienced a problem with ActiveSync after importing the certificate to the 2003 server.

  4. rasheedah says:

    Hi Paul,

    If you have a casarray should the identity be pointing to the array external url? Thanks

  5. Paul,

    Great article! I’m in the planning stages of performing an Exchange 2003 to 2010 transition and was a little confused with the namespace configuration. Your article has clarified most of my concerns; however, I have a question regarding changing to the legacy namespace on Exchange 2003 FE. Do you or anyone have instructions on how to change the namespace on the Exchange 2003 FE? We use OWA as well as ActiveSync so we need the legacy namespace changed for both. I was going to buy your “Exchange 2003 to Exchange 2010 Migration” ebook, but I was hesitant because the book states “migration.” I was looking for a book on “transition.” So if the migration book is the correct one, will I also find how to change the legacy namespace for Exchange 2003 FE in the book?

    Thanks,

    Shingo

    • Hi Shingo, the legacy namespace/URL only applies to OWA, because OWA traffic is *redirected* by the Exchange 2010 internet-facing CAS to the 2003 FE, whereas ActiveSync traffic is *proxied* by the Exchange 2010 CAS to the 2003 FE.

      Yes, the guide explains how to configure both services for co-existence.

      “Migration” and “transition” refer to the same thing. In the Exchange 2007 era “transition” was more popular because it made clear that there was no in-place upgrade from previous Exchange versions. These days that seems to be well understood by everyone and the words “transition”, “migration” and “upgrade” seem to be used depending on who you’re talking to but all meaning the same thing.

      • Thanks! I’ll be buying the ebook either this week or next, but I’m definitely gonna get a copy. Appreciate your quick response.

  6. Hi Paul,

    Thanks for the answer!!

    One more question. If I move the Offline Address Book from 2003 to 2010, will users who have mailboxes on Exchange 2003 still be able to sync the address book with their Outlook 2007? I want to keep Exchange 2003 running and keep a couple of mailboxes.

  7. Hi Paul,

    Great article – much easier to follow than the MS KBs.
    As I’m new to the issue of SAN certificates etc (most of my clients were able to forgo the co-existence), in this case the client has a certificate for the existing Exchange 2003 that will be immediately revoked by the CA once we request the new cert from the Exchange 2010 box. We need to avoid an outage for ActiveSync in particular.
    Also is it possible to obtain the “legacy” cert from an alternate CA?
    Do we need the “autodiscover” URL added to the New (Exchange 2010) cert as currently we have encryption off as users are on OL 2003 but will be migrating to OL 2010 soon.

  8. Rob Clarke says:

    Hi Paul,
    Great article that helps to clear up a lot of questions I had.
    But I’m still a little confused with OWA access. I would really appreciate it if you are able to help clear it up in mind.
    Do I move the existing certificate ‘mail.domain.com’ from E2K3 to the E2K10 server, and create a new ‘legacy.domain.com’ certificate and apply that to E2K3 server?
    Then change firewall access on the existing ‘mail.domain.com’ public DNS record/IP to E2K10.
    As I am not using ISA server, but a Watchguard firewall. Should I then create a public dns record on a different public IP for the ‘legacy.domain.com’ certificate and E2K3 server?

    Then for OWA access no matter what server the mailbox resides, do users continue to access the ‘mail.domain.com’ URL?
    With that configuration, does the incoming request for ‘mail.domain.com’ come into E2K10, then if intended for E2K3 goes back out to the WAN and back in again to E2K3?

    I hope I have made myself clear. Quite difficult when I am not clear in my own mind….

    • That sounds correct yes.

      With ISA you can get away with a single IP, but I assume many other firewalls will need the primary and legacy namespaces to be on separate IPs. Depends on the firewall’s capabilities I guess.

      But yes, you’re pretty much spot on there. It’s a tough concept to grasp sometimes until you see it in action the first time. If you can arrange an out of hours window to test it, and be ready to roll back if you get into uncomfortable territory, then you may find it all just goes well :)

      • Rob Clarke says:

        WOW! Thank you for the fast response!!
        I seem to have had a EUREKA moment!
        I will look into the firewalls capabilities for hosting the two namespaces, and configure in the most appropriate way.
        But at least now I understand the concept.
        Thank you!

  9. Hi Paul,

    We bought the migration guide and it really helped us in preparing for the Exchange 2003-2010 migration. Thanks for the brilliant guide. I’m getting confused with our current setup.
    Our current Exchange 2003 OWA namespace is https://mailweb.domain.org. The public IP is NATed to the internal IP address of the Exchange 2003 front end server. Internal users also use the same namespace. The Exchange 2003 front end server host name is also mailweb in the Active Directory domain “domain.org”.
    We would like our users to use the same name space https://mailweb.domain.org for the exchange 2010 OWA, ActiveSync,and Outlook Anywhere during and after the migration.
    How can I accomplish this task?

    Thanks,
    Suresh

    • The Ex2003 FE server is actually named “mailweb”? That’s going to cause some problems.

      For external OWA users you’d probably be able to do some tricks with ISA/TMG to handle it, but internally that won’t help.

      I think what you should do is deploy a new Ex2003 FE of a different name so that “mailweb” can become just a DNS alias, then you will be able to migrate that DNS alias over to Exchange 2010 and do the co-existence phase properly.

  10. Thanks Paul!

  11. We are in the process of migrating from Exchange 2003 to Exchange 2010.
    We have received the certificates from GoDaddy. We have purchased a UCC certificate to manage the different names.
    We are now dealing with the co-existence of Exchange 2003 Front End and Exchange 2010 WebApp.
    We have imported the certificates into the Exchange 2010 servers and assigned the services.
    Since we are going to be implementing legacy and coexist with Exchange 2003 FE we have exported the certificate from Exchange 2010 and imported it into the Exchange 2003 OWA as described in your article.

    The problem that I have is that once the Exchange 2010 UCC exported certificate is imported into Exchange 2003 OWA the computers are getting a certificate error when they try to access the OWA server. Once I change the certificate back to the old certificate everything works fine.

    I have done the process from scratch a couple of times but I am getting the same problem.

    I ran out of options and I am not sure what is wrong here.

    Any advice?

    Thank you.

    • Depends on the certificate error you’re getting.

      If it’s a name mismatch error, the certificate should include both the webmail name (eg mail.company.com) that you are planning to migrate from 2003 -> 2010, as well as the legacy name (eg legacy.company.com) that the 2003 server will be configured as once the mail.company.com name is cut over to the 2010 server.

      If it’s one of the other errors (eg trusted root cert authority) that is a separate issue of course.

      • Hi Paul,
        Thanks for your feedback. The intermediate certificate didn’t get installed correctly. I have noticed that neither your guide nor the article above has the intermediate certificate step. At least with GoDaddy the new certificate for Exchange 2003 will not work unless the intermediate certificate has been imported there as well.

        • Nino Iaccarino says:

          I also receive an error when I have the SAN Cert installed on my 2003 box. Did you ever get this resolved?

        • Hi Nino, looks like in Xavi’s case there were additional intermediate certs required to be installed. That is something that will vary from each certificate authority so you should check with the CA that you used to purchase your cert from (they hopefully have some support info published about it, or contact their customer service).

        • Nino Iaccarino says:

          Hi Paul, Yeah that is what I figured, but it is weird. I am pretty sure I have the intermediate certs installed correctly, as it works fine on the 2010 Box. I did setup a test website on my exchange 2003 box just to see if I get the same error and I do, so it is definitely something strange with the certs.. :/ but works fine on 2010 :/

        • Restart required perhaps? I recall when installing intermediate certs on ISA server it needs a full restart of Windows, not just the Firewall services for example.

        • Nino Iaccarino says:

          Ohhh yeah, didn’t want to have to do that really, but I will give it a shot and pencil it in for this evening. I will report back if it resolves my problem, and hopefully get a response from GoDaddy shortly too.

          Thanks!

        • Nino Iaccarino says:

          Hi there, Just reporting back. I performed a reboot of our 2003 Exchange Server which I installed the SAN certificate onto and this resolved the problem immediately. Rather annoying but I am glad that it is all working now. Thank you for your help!

  12. Brad Kulick says:

    Hi Paul,

    Just a quick question about the SSL certificates. Is it possible to use a standard SSL certificate on the Exchange 2003 server (as we have now), or do I need to have the SAN/UCC certificate include the legacy.domain.com name and then export it? The reason being is that I can have the standard SSL certificate re-issued for free, and our current SAN/UCC certificate would require an additional fee to add another subject alt. name.

    Thanks for your time!

    Brad

    • You should be able to go either way with the 2003 server – a single-name cert with just the legacy name, or a SAN cert with multiple names.

      Depends on the environment of course, but every case I’ve worked on it has been fine to do it that way.

  13. We are in a lengthy 2003-2010 migration which will take several months due to huge volumes of mailboxes, and therefore need 2003 and 2010 mailboxes to coexist. Have you come across the situation whereby resource mailboxes (e.g. meeting rooms) can be shared across both 2003 and 2010 users? We are finding that meeting room bookings do not work both ways, e.g. if the resource mailbox is migrated to 2010, it doesn’t work for 2003 users, while if left in 2003, it can’t be used by 2010 users.

    • What do you mean exactly by “doesn’t work” and “can’t be used”. How are each of the types of mailbox users trying to access the resource mailboxes to make bookings?

  14. Hi, what about mobile phones and Outlook Anywhere, with the mailbox on the 2003 server?

    Can they work with 2003-2010 coexistence?

  15. Best article out there… I was stuck on how to implement the legacy namespace with an additional IP on my Sonicwall until I read this article.

    1 to 1 NAT for the legacy namespace was my solution.

  16. Great information. I’m hoping you are still responding to these posts.

    I have gone through great lengths to set up a copy of our production environment in a lab setting. I mention this, because I don’t really want to purchase any certs for the lab setting.

    I have the 2010 CAS redirecting to the 2003 FE server. The browser is redirected fine, however the credentials don’t seem to get passed and the user is required to enter the credentials a 2nd time when arriving at the 2003 FE server.

    I have searched all over looking for an answer to this problem. The only possible problem that I think might be causing the need for a 2nd login is not having the certs installed. Would not having the certs cause the user to re-enter their credentials again? When the user re-enters their credentials the 2003 FE works fine, so I’m pretty sure that I have everything else configured properly.

    Thoughts?

    • Corby,
      I believe you have to enable forms-based authentication on your Exchange 2003 front-end server to allow users to access their mailboxes through single sign-on during coexistence.

  17. Paul,
    I’m doing a EX2003 to EX2010 migration. I have a question on the Certs. From my understanding, my 2003 server ONLY needs a Cert with the legacy namespace. My 2010 server needs a SAN Cert with my webmail namespace and the autodiscover namespace. Everything I see says it should also have the legacy namespace, but is that a requirement for the 2010 server? Is it only in there so we only need one SAN Cert for both servers? I have a single name cert with legacy and would like to just use that for the 2003 server, but need to get confirmation that legacy is not needed on the 2010 server.
    Thanks!
    Rob

    • You can have the legacy name just in the separate cert if you want. But later when you decom the 2003 server, it is a possibility that an external client or device will try to connect to the legacy name still, and so if that name is also on the 2010 cert you will avoid issues with that situation.

  18. Tony Blunt says:

    Hi Paul,

    I have bought your walkthrough and found it amazingly helpful, thank you. I am however having trouble getting co-existence to work between my single Exch2003 box (there was no front end server, just the one box), and a standalone Exch2010 box. I’ve set up the legacy namespace etc and I’m also using TMG for the publishing rules. I’ve created the new 2010 publishing rule and the legacy namespace rule.

    When I switch over to the 2010 publishing rule however, my 2003 mailboxes lose Outlook Anywhere (RPC over HTTP) and Activesync access. OWA redirection is fine though. My 2010 mailboxes are fine – autodiscover works, activesync, OWA and Outlook anywhere work a treat.

    I notice your walkthrough did involve a 2003 front/back end architecture – am I supposed to be doing something different for my scenario? It seems that the CAS is just not proxying back to my 2003 box for those mailboxes. I’m a single domain/single internet facing site.

    Any pointers would be most appreciated!

    • Tony Blunt says:

      Just to add a bit more info to my issue, when I run an ActiveSync test using ExRCA for a 2003 mailbox, it fails at the ‘An ActiveSync session is being attempted with the server.’ step. Basically I’m getting:

      403 – Forbidden: Access is denied
      You do not have permission to view this directory or page using the credentials that you supplied.

      ExRCA says this is from IIS7 so I can only assume it’s the Exchange 2010 box denying access?

      Please help!

      • Tony Blunt says:

        Since I’m getting no love from this forum I thought I’d just post a fix for one or two of my issues:

        I got Outlook Anywhere working by going to ESM on the 2003 server, properties of the server, RPC-HTTP tab, and selecting ‘RPC-HTTP back end server’. ESM will throw an error message saying that there is no front-end server, but ignore that.

        After a while (wait up to 15 minutes), the RpcHttpConfigurator service on the 2010 box will write the appropriate entries to…

        HKLM\software\Microsoft\Rpc\RpcProxy\ValidPorts_AutoConfig_Exchange

        …on the 2010 server, allowing the 2010 to now proxy RPC traffic to the 2003 server. Hope this maybe helps someone, as this was not clear in the ESP walkthrough, or any other document I found! Admittedly, it’s rather obvious now I think about it!

        I’m still getting 403 – Forbidden issues with ActiveSync though, so if anyone has any suggestions, please feel free to chip in!

      • For the ActiveSync issue, have you done the steps starting on pg135 of the guide for the Exchange 2003 ActiveSync permissions?

        • Hi Paul,

          Thanks for getting back to me.

          Yes, I have installed the hotfix and ensured that the Microsoft-Server-ActiveSync virtual directory is set to accept integrated auth. I’ve also given the server a full reboot just for good measure.

          I’ve been looking at the IIS logs on both the 2010 server and 2003 server, and it seems the requests from the 2010 server are being logged on the 2003 box (at least I can see requests coming from the 2010 server’s IP), so it is proxying the traffic. However I am seeing a lot of 403.4 status codes on the 2003 server logs, which to my knowledge means that the 2010 box is not using SSL?

          Any ideas? I’m starting to get board members breathing down my neck on this!

          Thanks in advance.

        • Does the 2003 server have an SSL certificate installed that the Exchange server would trust?

  19. Hi Paul,

    Yes, both the 2003 and 2010 have the UC certificate I obtained for the project installed, with all the required SANs configured, and the cert is trusted by all servers in question (Starfield Tech cert).

    The requests coming from the 2010 box to the 2003 box are coming in on port 80, so it’s like the 2010 server isn’t trying to use SSL. Furthermore, if I deselect ‘Require Secure Channel (SSL)’ in the properties of the Microsoft-Server-ActiveSync virtual directory in IIS on the 2003 box, then it all works!

  20. Joseph Stanczak says:

    Paul, love all of your articles – very informative and concise. We are in the midst of deploying Exchange 2010 alongside our current 2003 environment, I need some clarification on namespace, and in particular in relation to Outlook Anywhere. Your articles have helped, just want to make sure we perform due diligence on this.

    We have a forest root domain, and a “production” domain, in which all users and Exchange exist. Let’s call the root “firm.law” and the production domain “corp.firm.law”. Our external domain name is “company.com”. We have four AD sites, Site1, Site2, Site3, and Site4. We do host a zone for “company.com” on our AD integrated DNS for internal use, as well as externally hosted DNS for the external URLs (aka webmail.company.com).

    The plan is to have a CAS Array created at the two larger sites, Site1 and Site2, using NLB for load balancing until we can budget for hardware LB (Kemp?), which are external facing to the Internet. Site3 and Site4 will also have a CAS Array setup, however only a single host per array, and they are NOT external facing to the Internet. Each site has their own database server and the hub transport role is combined with the CAS server. Our SAN currently has webmail.company.com, Autodiscover.company.com, Legacy.company.com, webmail.east.company.com (Site1), and webmail.west.company.com (Site2).

    Two questions:
    1. Best way to configure the Outlook clients. Should the mailbox databases be associated with the internal names of the array (site1array.corp.firm.law, site2array.corp.firm.law, etc), thus the Outlook clients will be “homed” to each of the site arrays?

    2. In regards to OA, should the client be set to the external names (webmail.east.company.com and webmail.west.company.com), and then redirected to that Site3/4 users array in their respective site? Or should each site have an externally facing connection to facilitate OA?

    I hope that is clear!

    Joseph

  21. I purchased your book (which contains this article), and I just wanted to clarify something regarding the public IP that should be matched to the FQDN of the legacy Exchange server. My question revolves around this statement:

    “The public IP address that the DNS record is created for can be the same as the public IP address of your primary remote access name…”

    We use an external public IP service. Should the DNS A record that I create for legacy.mydomain.com contain the same public IP address used by the main internet-facing Exchange 2010 CAS server?

    • You should read that sentence in its entirety. It can be the same IP address if you’re using a reverse proxy like ISA/TMG that can proxy the requests to different internal hosts based on the DNS name being requested.

      Otherwise you’ll need two different public IP addresses.

  22. kylelee says:

    Hi Paul,

    I have purchased your 2003 to 2010 migration guide and I’m planning to do a 1 day cutover. So I have a couple of questions which I hope you can help me understand:

    1) Since I’m planning a 1 day weekend cutover (small environment of 130 mailboxes), is it necessary to do these steps for co-existence?
    2) Can I go ahead and install Exchange 2010 ahead of time and wait to do all of the cutover changes on the cutover day? or is it better to do the Exchange install on the day?
    3) What steps from your guide can I omit since it is a 1 day install, and move mailboxes? or do I still follow the exact same steps as outlined.
    4) I can export the SSL cert from Exchange 2003 and import it to be used on the Exchange 2010 server and maintain the same URL for OWA/AS/RPC-HTTPS?

    I appreciate your help on this. Thanks.

    Kyle

    • 1) If you’re planning a big cutover like that then you can skip the co-existence configurations.

      2) I would install it ahead of time, so that you aren’t rushing and have time to fully test it and configure backups/monitoring etc for your environment.

      3) Basically the entire co-existence chapter.

      4) The Exchange 2003 cert won’t have the correct names on it, even if you’re planning to use the same external name for OWA etc (it will be missing the Exchange 2010 server FQDN and the autodiscover name, for example). I recommend you provision a new SAN SSL cert for Exchange 2010.

      • Hi Paul,

        So a couple more questions to clarify:

        #2) So once 2010 is installed, it will not affect the sending/receiving of Exchange 2003 until the send and receive connectors are configured etc… In other words, it will remain out of the picture until I’m ready to start the cutover?

        #4) When you suggest provisioning a new SAN SSL, can I safely assume that the certificate vendor should be able to re-issue a new SSL to use with the new Exchange server?

        Another question I forgot to ask:

        5) Is there anything special with the 2003 public folders? The client has requested to retain these for now, and move them to Sharepoint at a later time. Essentially, once the routing group connector between 2003 and 2010 is established, the public folders get replicated? Anything else that I need to look out for other than what you’ve outlined in your doc?

        Thanks again.

        • 2) Yes. The guide covers that and I’ll also refer you to this:
          http://exchangeserverpro.com/exchange-2010-faq-common-concerns-when-installing-the-first-exchange-2010-server

          4) Yes they should be able to, but that is a question for your vendor obviously. I’ve had no problems getting the certs I needed from Digicert.

          5) Public folders aren’t an enjoyable migration experience for me but the guide does cover the steps to get them across to the 2010 server (no, it doesn’t happen automatically when the routing group connector is established). Frankly it’s a bit of a pain and there’s often a small number of replicas that won’t cleanly move and sometimes need to be forcibly removed.

        • Hi Paul,

          Thanks for your responses.

          As you recommended to install Exchange ahead of time, I will likely run into the SSL autodiscover pop-up for the end users, correct? I suppose if I don’t want this headache, I would need to sort out the SSL SAN cert with my cert vendor so it’s ready for installing on the new Exchange installation? It’s probably best then to wait for the cutover day to do everything in one shot.

        • You can get around the autodiscover issue by installing all the pre-reqs for your CAS, then just installing the management tools and using those to generate the certificate request. When you have the certificate from your provider (which can take minutes if you do it right) you can then install the server roles and enable the cert immediately afterwards.

          Doing everything in one day is pretty risky if you ask me, but that is your call to make as I don’t know your environment and how complex your migration is going to be.

  23. Hi Paul,

    Your statement about resolving the SSL cert warning:

    Issuing a new SSL certificate from a trusted, private Certificate Authority on your network (not ideal, but resolves the issue for computers that are domain members)

    I have an issued computer cert from the internal CA in the domain. Will this take care of the warnings that people will see pop up?

    thanks.

    • Yes, if you have a private CA already in your environment it can be a quick and easy *temporary* solution to provision a cert from that while you are dealing with getting a cert from a commercial CA. The internal CA is trusted by domain-joined computers, so they should not pop up any warnings due to untrusted certs.

      http://exchangeserverpro.com/how-to-issue-a-san-certificate-to-exchange-server-2010-from-a-private-certificate-authority/
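The two threads above describe the same procedure from different angles: generate the certificate request from the Exchange 2010 management tools before the server roles are installed, have it signed (by a commercial CA, or temporarily by a private CA that domain-joined clients already trust), then import and enable the certificate as soon as the roles are in place. The following Exchange Management Shell script is an added example and is not code from the original post, its comments, or the migration guide. Every host name, organization name and file path in it is a constructed placeholder; the cmdlets (New-ExchangeCertificate, Import-ExchangeCertificate, Enable-ExchangeCertificate, Get-ExchangeCertificate) are standard Exchange 2010 cmdlets.

```powershell
# Added example, not from the original post or its comments.
# Run in the Exchange Management Shell. Steps 1-2 need only the Exchange 2010
# management tools; steps 3-4 run after the server roles are installed.
# All names and paths below are constructed placeholders; replace them with your own.

# 1) Build the SAN list that the Exchange 2003 certificate lacks: the external
#    OWA/Outlook Anywhere name, the Autodiscover name, the legacy namespace that
#    Exchange 2003 mailbox users are redirected to, and the new server's FQDN.
$externalName = 'mail.example.com'          # assumed: external OWA name
$autodiscover = 'autodiscover.example.com'  # assumed: Autodiscover name
$legacyName   = 'legacy.example.com'        # assumed: legacy namespace
$serverFqdn   = 'ex2010.corp.example.com'   # assumed: internal FQDN of the 2010 server
$sanNames     = @($externalName, $autodiscover, $legacyName, $serverFqdn)

# 2) Generate the request. The private key is marked exportable so the same
#    certificate can later be exported to a second CAS or a reverse proxy.
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Example Inc, cn=$externalName" `
    -DomainName $sanNames `
    -FriendlyName 'Exchange 2010 SAN certificate' `
    -PrivateKeyExportable $true

# The Base64 request file is what you submit to the CA. It is the same request
# whether a commercial CA signs it or the private CA from comment 23 does.
Set-Content -Path 'C:\certs\ex2010.req' -Value $request

# 3) Once the CA returns the signed certificate and the server roles are installed,
#    import it on the same machine so it pairs with the pending private key, then
#    enable it for the client-facing services (IIS for OWA/EWS/Autodiscover, SMTP).
$certBytes = [Byte[]](Get-Content -Path 'C:\certs\ex2010.cer' -Encoding Byte -ReadCount 0)
$cert = Import-ExchangeCertificate -FileData $certBytes
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services 'IIS,SMTP'

# 4) Confirm that every name clients will use is on the certificate before
#    publishing the namespace; a missing name is what produces the client warning.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint |
    Select-Object Subject, CertificateDomains, Services, NotAfter
```

The check in step 4 is the one worth keeping: the warnings discussed in the thread come from a name mismatch or an untrusted issuer, so verifying that the external, Autodiscover, legacy and server names all appear in CertificateDomains, and that the issuing CA is trusted by the clients, tells you before cutover whether users will be prompted.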

      • Excellent. So this should allow me to install Exchange 2010 and introduce the server into the environment without end users being prompted with the SSL error (technically)? … because I definitely want to take your advice with installing it ahead of time before the cutover day and agree it is a little risky to leave it all for one day.

        • I’ve used all these techniques with success in the past.

          1) Doing the first install after hours and acquiring the cert quickly from Digicert
          2) Using an internal CA to issue a temporary cert
          3) Installing just mgmt tools and acquiring the cert before installing the CAS role

          Best of luck!

        • One more quick question :-) ….

          #3) Is this just installing hub transport and Mailbox roles with mgmt tools?

          I will let you know how everything goes.

          Thanks.

        • You can install the management tools on their own without any server roles.

        • kylelee says:

          Paul,

          I just wanted to send you a quick note to let you know that the upgrade/migration went very smoothly thanks to your document and your support with all of my questions! :-) I’ll leave the 2003 server on for another week or so before taking it fully out of the picture. I may have to hit you up with some questions about the decommissioning, but I’ll get in touch at that point.

          Thanks again!

          Kyle

        • Glad to hear it :)

  24. Hi Paul, just got your guide and am hoping to use it in the next month.

    Question: I know the guide was written a while ago but is there any reason not to install with SP3 now instead of SP2?

    Thanks
