Transitioning Client Access to Exchange Server 2010


NOTE: This article has been updated to correct the MSAS URLs mentioned in this article.

By now most of you have heard about the release of Exchange 2010.  Those of you that are upgrading from Exchange 2003, Exchange 2007 or a mixture of the two, are probably curious about the client access upgrade strategy.  To satisfy your curiosity, we are releasing a series of blog articles on the subject.  The first in this series provides a summary of the steps that are required to introduce Exchange 2010 within your environment from a client access perspective.  More detailed information about the upgrade process is discussed in TechNet and within the Deployment Assistant.  The second and third parts in this series will discuss the end user experience for OWA and ActiveSync, respectively.  Look for those in upcoming weeks.

Many of you have been asking how you can transition your existing Exchange environment to Exchange 2010 from a client access perspective. For most of you, this will also mean coexisting with legacy Exchange and Exchange 2010 for a period of time. This post will hopefully answer these questions by breaking down your transition into two scenarios:

  1. Transitioning an Exchange 2003 environment to Exchange 2010.
  2. Transitioning an Exchange 2007 (that may or may not contain Exchange 2003 mailbox servers) environment to Exchange 2010.

The underlying goal here is to move your primary namespace, mail.contoso.com and autodiscover.contoso.com, over to Exchange 2010 and introduce a new namespace for legacy access, legacy.contoso.com and associate it with your legacy Exchange client access infrastructure. Users will continue to use mail.contoso.com as their access point into the organization for messaging services. While Exchange 2003/2007 end users will see the legacy.contoso.com namespace in their browser address bar, ActiveSync settings, and Test Auto-Configuration output within Outlook, they only need to use the mail.contoso.com namespace as their primary entry point into the organization; in addition, IT should continue directing customers to utilize the mail.contoso.com namespace for all external connectivity mechanisms.

Note: The host names, mail.contoso.com or legacy.contoso.com, that are referenced in this document are not hard-coded or required. You can utilize whichever names make the most sense for your environment (e.g. owa.contoso.com and legacyowa.contoso.com). From a documentation perspective, we are going to utilize mail.contoso.com and legacy.contoso.com so that we are consistent in our transition story. For more information on Autodiscover namespaces, please see http://technet.microsoft.com/en-us/library/bb332063.aspx.

Transitioning an Exchange 2003 Environment to Exchange 2010

When you are ready to begin transitioning your organization to Exchange 2010, you must transition the “Internet Facing AD Site(s)” first, and then transition your internal Active Directory sites. It is not supported to transition an internal Active Directory site before all your Internet-accessible sites have been transitioned.

The steps for introducing Exchange 2010 into the environment are:

Note: These steps do not discuss how to set up your CAS2010 servers in a load balancing array. Please review your load balancing solution’s instructions for how to properly create and join your CAS2010 servers in a load balancing array.

1. In order to support external client coexistence with CAS2010 and legacy Exchange in your “Internet Facing AD Site”, you will (potentially) need to acquire a new commercial certificate.  As a best practice, Microsoft recommends utilizing a certificate that supports Subject Alternative Names; however, you can utilize a wildcard certificate as well.

This commercial certificate that will be leveraged by external clients will contain at a minimum three SAN values (note that other scenarios may require you to add additional values):

  1. mail.contoso.com (your primary OWA/EAS/OA access URL)
  2. autodiscover.contoso.com
  3. legacy.contoso.com (your OWA/EAS namespace for legacy mailbox access)

Prior to Windows Vista SP1, the Windows RPC/HTTP client-side component required that the Subject Name (aka Common Name) on the certificate match the “Certificate Principal Name” configured for the Outlook Anywhere connection in the Outlook profile. Therefore, as a best practice, you should ensure that mail.contoso.com is listed as the Subject Name in your certificate unless you plan on changing the configuration which can be achieved by using the Set-OutlookProvider cmdlet with the EXPR parameter as described in http://msexchangeteam.com/archive/2008/09/29/449921.aspx.

2. Ensure all Exchange 2003 servers are at Service Pack 2 and that you meet all forest/domain pre-requisites.

3. Install CAS2010 and configure it accordingly:

  • During the installation of CAS2010 you have the option to enter the external namespace that will be used for the virtual directories. You can enter this value in both the graphical user interface or the command-line setup:
    • For the graphical user interface setup experience of CAS2010 you are asked to configure a Client Access external domain. At this point you can enter the domain name of mail.contoso.com.
    • If installing via the command line, you can utilize the setup property /ExternalCASServerDomain and specify mail.contoso.com
  • If you haven’t already done so, install the RPC over HTTP proxy component.  You can do this utilizing the ServerManagerCmd tool: ServerManagerCmd.exe -i RPC-over-HTTP-proxy
  • Configure your OWA settings appropriately (e.g. forms based authentication vs. basic authentication). For the purpose of this document, the default OWA settings are assumed.
  • Configure your EAS authentication settings appropriately (e.g. Basic vs. certificate authentication). For the purposes of this document, the default authentication mechanism, basic authentication, is assumed.
  • Enable Outlook Anywhere (for the purposes of this document, the default authentication settings are assumed): Enable-OutlookAnywhere -Server: -ExternalHostName:mail.contoso.com -SSLOffloading $false

4. If you chose to not specify the external domain name for CAS during setup, you will need to enable the following ExternalURLs to ensure that clients that leverage Autodiscover function correctly:

5. To ensure that Outlook Web Access functions correctly, you will need to enable the following URLs:

6. For your Outlook clients, you can configure CAS2010 to participate in an RPC Client Access Service array:

  • Create a load balancing array for CAS2010, if one has not already been created.
  • Create a DNS entry in your internal DNS infrastructure that resolves to the Virtual IP Address (VIP) of the CAS load balancing array. The DNS entry, for example, could be outlook.contoso.com.
  • Configure your load balancing array to load balance the MAPI RPC ports:
    • TCP 135
    • TCP 1024-65535
  • Run the following cmdlet to create the Client Access Service array: New-ClientAccessArray -Name outlook.contoso.com -FQDN outlook.contoso.com -Site “Internet Facing AD Site”

7. Install the HT2010 and MBX2010 server roles into the “Internet Facing AD Site” and configure accordingly.

  • You can change the Offline Address Book generation server and enable web distribution on CAS2010 by performing the following steps:
    • To move the Offline Address Book: Move-OfflineAddressBook “Default Offline Address List” -Server
    • To add CAS2010 as a web distribution point:
      • $OABVDir=Get-OABVirtualDirectory -Server
      • $OAB=Get-OfflineAddressBook “Default Offline Address List”
      • $OAB.VirtualDirectories += $OABVdir.DistinguishedName
      • Set-OfflineAddressBook “Default Offline Address List” -VirtualDirectories $OAB.VirtualDirectories

8. Create the legacy host record (legacy.contoso.com) in your external DNS infrastructure and associate it either with the FE2003 infrastructure (less likely) or your proxy infrastructure (more likely).

9. You will configure External DNS and/or your reverse proxy infrastructure’s publishing rules to have the autodiscover.contoso.com namespace point to CAS2010.

10. If utilizing a reverse proxy infrastructure, you will publish the legacy namespace to the FE2003 infrastructure so that at this point the FE2003 infrastructure can be accessed either via mail.contoso.com or legacy.contoso.com namespaces.

11. You will then schedule Internet protocol client downtime (please note that this downtime window should be relatively small – enough time for you to make the change and validate that everything works as desired) and perform the following steps:

  • You will reconfigure External DNS and/or your reverse proxy infrastructure’s publishing rules to have the mail.contoso.com namespaces point to CAS2010. 
  • Users with mailboxes on an Exchange 2003 server who try to use Exchange ActiveSync through an Exchange 2010 Client Access server will receive an error and be unable to synchronize unless Integrated Windows authentication is enabled on the Microsoft-Server-ActiveSync virtual directory on the Exchange 2003 server. This allows the Exchange 2010 Client Access Server and the Exchange 2003 back end server to communicate using Kerberos authentication.

To enable this authentication change on Exchange 2003 you need to either:

    • Install http://support.microsoft.com/?kbid=937031 and then use the Exchange System Manager to adjust the authentication settings of the ActiveSync virtual directory. Repeat this for each Exchange 2003 mailbox server in your organization.
    • Or, set the msExchAuthenticationFlags attribute to a value of 6 on the Microsoft-Server-ActiveSync object within the configuration container on each Exchange 2003 mailbox server.  An example script is provided at http://technet.microsoft.com/en-us/library/cc785437.aspx.

Note: It is important that you do not use IIS Manager to change the authentication setting on the Microsoft-Server-ActiveSync virtual directory as the DS2MB process within the System Attendant will overwrite the settings that are stored in Active Directory.
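An added example of the second option (the Active Directory route), written here rather than taken from the linked TechNet script: it locates the Microsoft-Server-ActiveSync objects of the Exchange 2003 mailbox servers in the configuration container by search, sets msExchAuthenticationFlags to 6 and reports what it changed. The check on the server's serialNumber attribute starting with "Version 6.5" to identify Exchange 2003 is an assumption; run with -WhatIf first.

```powershell
# Added example (not the script linked from the post): set msExchAuthenticationFlags
# on every Exchange 2003 Microsoft-Server-ActiveSync object via LDAP, not IIS Manager,
# so DS2MB keeps the value instead of overwriting it. Requires write access to the
# Exchange configuration objects. Object DNs are found by search, not hard-coded.
param([switch]$WhatIf)

$DesiredFlags = 6   # Basic (2) + Integrated Windows (4), the value this post calls for

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNC = [string]$rootDse.configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]("LDAP://" + $configNC)
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
# Exchange 2003 names the object exactly "Microsoft-Server-ActiveSync"; the
# Exchange 2007/2010 objects carry a "(Default Web Site)" suffix and do not match.
$searcher.Filter   = "(cn=Microsoft-Server-ActiveSync)"
$searcher.PageSize = 200

foreach ($hit in $searcher.FindAll()) {
    $vdir   = $hit.GetDirectoryEntry()
    $vdirDn = [string]$vdir.psbase.Properties["distinguishedName"].Value

    # DN layout: CN=Microsoft-Server-ActiveSync,CN=1,CN=HTTP,CN=Protocols,CN=<server>,...
    # Dropping the first four RDNs leaves the DN of the server object.
    $serverDn   = ($vdirDn -split ",", 5)[4]
    $server     = [ADSI]("LDAP://" + $serverDn)
    $serverName = [string]$server.psbase.Properties["cn"].Value
    $version    = [string]$server.psbase.Properties["serialNumber"].Value

    # Assumption: Exchange 2003 reports itself as "Version 6.5 ..." in serialNumber.
    if ($version -notlike "Version 6.5*") {
        Write-Host ("Skipping {0} ({1}): not an Exchange 2003 server" -f $serverName, $version)
        continue
    }

    $current = $vdir.psbase.Properties["msExchAuthenticationFlags"].Value
    if ($current -eq $DesiredFlags) {
        Write-Host ("{0}: msExchAuthenticationFlags is already {1}" -f $serverName, $DesiredFlags)
        continue
    }
    if ($WhatIf) {
        Write-Host ("{0}: would change msExchAuthenticationFlags {1} -> {2}" -f $serverName, $current, $DesiredFlags)
        continue
    }

    $vdir.psbase.Properties["msExchAuthenticationFlags"].Value = $DesiredFlags
    $vdir.psbase.CommitChanges()
    Write-Host ("{0}: msExchAuthenticationFlags {1} -> {2}" -f $serverName, $current, $DesiredFlags)
}
```

Allow Active Directory replication to complete, and DS2MB to push the change into the IIS metabase, before testing ActiveSync for an Exchange 2003 mailbox through CAS2010.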

  • Disable Outlook Anywhere by utilizing the Exchange System Manager and selecting the “Not part of an Exchange managed RPC-HTTP topology” radio button on the RPC-HTTP tab of the Front-End server’s properties. Optionally, you can also remove the RPC over HTTP proxy component (refer to your Windows Server documentation for more information).

Important: This requires an up-front investment in CAS2010 architecture as all Outlook Anywhere clients will utilize CAS2010 once you transition the Outlook Anywhere endpoint. Be sure to follow all proper scalability planning documentation when deploying CAS2010 to ensure that you do not create a bottleneck in your CAS infrastructure due to Outlook Anywhere clients.

  • Test all client scenarios and ensure they function correctly.

12. Complete downtime and enable Internet protocol client usage.

As a result of following these steps, the environment would look similar to this diagram:

Transitioning an Exchange 2007 environment to Exchange 2010

When you are ready to begin transitioning your organization to Exchange 2010, you must transition the “Internet Facing AD Site” that is associated with your external Autodiscover record, then regional Internet facing AD Sites, and then transition your internal Active Directory sites. It is not supported to transition an internal Active Directory site before all your Internet-accessible sites have been transitioned.

The steps for introducing Exchange 2010 into the environment are:

Note: These steps do not discuss how to set up your CAS2010 servers in a load balancing array. Please review your load balancing solution’s instructions for how to properly create and join your CAS2010 servers in a load balancing array.

1. In order to support external client coexistence with CAS2010 and legacy Exchange in your “Internet Facing AD Site”, you will (potentially) need to acquire a new commercial certificate.  As a best practice, Microsoft recommends utilizing a certificate that supports Subject Alternative Names; however, you can utilize a wildcard certificate as well.

This commercial certificate that will be leveraged by external clients will contain at a minimum three SAN values (note that other scenarios may require you to add additional values):

  1. mail.contoso.com (your primary OWA/EAS/OA access URL)
  2. autodiscover.contoso.com
  3. legacy.contoso.com (your OWA/EAS namespace for legacy mailbox access)

Prior to Windows Vista SP1, the Windows RPC/HTTP client-side component required that the Subject Name (aka Common Name) on the certificate match the “Certificate Principal Name” configured for the Outlook Anywhere connection in the Outlook profile. Therefore, as a best practice, you should ensure that mail.contoso.com is listed as the Subject Name in your certificate unless you plan on changing the configuration which can be achieved by using the Set-OutlookProvider cmdlet with the -EXPR parameter as described in http://msexchangeteam.com/archive/2008/09/29/449921.aspx.
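An added check for the certificate described in step 1 of either scenario (example script, not from the original post): it retrieves the certificate a published endpoint presents, lists the Subject Name and SAN entries, and verifies that the three coexistence namespaces are covered, treating a wildcard entry as covering exactly one label. The contoso.com host names, the expected Subject CN and the English "DNS Name=" rendering of the SAN extension are assumptions.

```powershell
# Added validation script (not from the original post): pull the certificate from
# a published HTTPS endpoint and compare it with the namespaces step 1 requires.
param(
    [string]$HostName = "mail.contoso.com",
    [int]$Port = 443,
    [string[]]$RequiredNames = @("mail.contoso.com", "autodiscover.contoso.com", "legacy.contoso.com"),
    [string]$ExpectedSubjectCN = "mail.contoso.com"   # what pre-Vista SP1 RPC/HTTP clients expect
)

function Get-RemoteCertificate {
    param([string]$Server, [int]$TcpPort)
    $client = New-Object System.Net.Sockets.TcpClient($Server, $TcpPort)
    # Accept any chain here: the goal is to inspect the certificate, not to trust it.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($Server)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Close()
    }
}

function Get-SubjectAlternativeNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext.Oid.Value -eq "2.5.29.17") {   # Subject Alternative Name
            # Format($true) renders one entry per line, e.g. "DNS Name=mail.contoso.com"
            # (assumes an English-language Windows; other locales render the label differently).
            foreach ($line in ($ext.Format($true) -split "`r?`n")) {
                if ($line -match "^DNS Name=(.+)$") { $names += $Matches[1].Trim() }
            }
        }
    }
    $names
}

function Test-NameCovered {
    param([string]$Name, [string[]]$CertNames)
    foreach ($c in $CertNames) {
        if ($c -eq $Name) { return $true }
        # A wildcard entry (*.contoso.com) covers exactly one label to the left.
        if ($c.StartsWith("*.") -and ($Name -like $c) -and
            ($Name.Split(".").Count -eq $c.Split(".").Count)) { return $true }
    }
    return $false
}

$cert      = Get-RemoteCertificate -Server $HostName -TcpPort $Port
$subjectCN = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
$sans      = Get-SubjectAlternativeNames -Certificate $cert
$covered   = @($subjectCN) + $sans

Write-Host ("Endpoint    : {0}:{1}" -f $HostName, $Port)
Write-Host ("Subject CN  : {0}" -f $subjectCN)
Write-Host ("SAN entries : {0}" -f ($sans -join ", "))
Write-Host ("Valid until : {0}" -f $cert.NotAfter)

$missing = @($RequiredNames | Where-Object { -not (Test-NameCovered -Name $_ -CertNames $covered) })
if ($missing.Count -gt 0) {
    Write-Warning ("Certificate does not cover: {0}" -f ($missing -join ", "))
}
if ($subjectCN -ne $ExpectedSubjectCN) {
    # A wildcard certificate lands here too: its CN is *.contoso.com, so the EXPR
    # Certificate Principal Name must be adjusted as described above.
    Write-Warning ("Subject CN is '{0}'; pre-Vista SP1 Outlook Anywhere clients expect '{1}' unless Set-OutlookProvider EXPR is changed." -f $subjectCN, $ExpectedSubjectCN)
}
if ($missing.Count -eq 0 -and $subjectCN -eq $ExpectedSubjectCN) {
    Write-Host "Certificate covers all coexistence namespaces."
}
```

Run it once per published name (mail, autodiscover and legacy) because a reverse proxy may present a different certificate on each listener.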

2. Ensure all Exchange 2007 CAS within the organization are at Service Pack 2, all Exchange 2003 servers (if they exist) are at Service Pack 2, and that all Exchange 2007 Mailbox, Hub Transport, and Unified Messaging servers are at Service Pack 2 in the “Internet Facing AD Site”. Also, ensure you meet all the forest/domain pre-requisites.

3. Install CAS2010 and configure it accordingly:

  • During the installation of CAS2010 you have the option to enter the external namespace that will be used for the virtual directories. You can enter this value in both the graphical user interface or the command-line setup:
    • For the graphical user interface setup experience of CAS2010 you are asked to configure a Client Access external domain. At this point you can enter the domain name of mail.contoso.com.
    • If installing via the command line, you can utilize the setup property /ExternalCASServerDomain and specify mail.contoso.com
  • If you haven’t already done so, install the RPC over HTTP proxy component.  You can do this utilizing the ServerManagerCmd tool: ServerManagerCmd.exe -i RPC-over-HTTP-proxy
  • Configure your OWA settings appropriately (e.g. forms based authentication vs. basic authentication). For the purpose of this document, the default OWA settings are assumed.
  • Configure your EAS authentication settings appropriately (e.g. Basic vs. certificate authentication). For the purposes of this document, the default authentication mechanism, basic authentication, is assumed.
  • Enable Outlook Anywhere (for the purposes of this document, the default authentication settings are assumed): Enable-OutlookAnywhere -Server: -ExternalHostName:mail.contoso.com -SSLOffloading $false

4. If you chose to not specify the external domain name for CAS during setup, you will need to enable the following ExternalURLs to ensure that clients that leverage Autodiscover function correctly:

5. To ensure that Outlook Web Access functions correctly, you will need to enable the following URLs:
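The URL configuration for steps 4 and 5 (the same in both scenarios), as an added example that is not the post's own table: it sets the ExternalUrl values that Autodiscover hands out, points the Autodiscover service URI at the new server, and sets the OWA redirect target for Exchange 2003 mailboxes. The server name CAS2010 and the contoso.com host names are assumptions; the virtual directory identities follow the standard "Server\Name (Default Web Site)" form.

```powershell
# Added example (not the post's own table): external URLs on one CAS2010 server
# for the primary namespace, plus the Exchange 2003 redirect URL for OWA.
$Server  = "CAS2010"              # assumed server name
$Primary = "mail.contoso.com"
$Legacy  = "legacy.contoso.com"   # only relevant while Exchange 2003 mailboxes remain

# Step 4: ExternalUrl on every service Autodiscover advertises to Outlook and EAS clients.
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -ExternalUrl "https://$Primary/ews/exchange.asmx"
Set-OabVirtualDirectory -Identity "$Server\OAB (Default Web Site)" `
    -ExternalUrl "https://$Primary/oab"
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -ExternalUrl "https://$Primary/Microsoft-Server-ActiveSync"
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://autodiscover.contoso.com/autodiscover/autodiscover.xml"

# Outlook Anywhere was enabled in step 3; confirm the external host name and auth settings.
Get-OutlookAnywhere -Server $Server | Format-List ExternalHostname, ClientAuthenticationMethod, SSLOffloading

# Step 5: OWA on the primary namespace. Exchange2003Url is where CAS2010 silently
# redirects an Exchange 2003 mailbox; ECP accompanies OWA in Exchange 2010.
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -ExternalUrl "https://$Primary/owa" `
    -Exchange2003Url "https://$Legacy/exchange"
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" `
    -ExternalUrl "https://$Primary/ecp"

# Read back what clients will now be told.
Get-WebServicesVirtualDirectory -Server $Server | Format-Table Identity, ExternalUrl -AutoSize
Get-OabVirtualDirectory        -Server $Server | Format-Table Identity, ExternalUrl -AutoSize
Get-ActiveSyncVirtualDirectory -Server $Server | Format-Table Identity, ExternalUrl -AutoSize
Get-OwaVirtualDirectory        -Server $Server | Format-Table Identity, ExternalUrl, Exchange2003Url -AutoSize
```

Repeat for every CAS2010 member of the load balancing array so that all nodes advertise the same namespace.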

6. If you have Exchange 2007 deployed in “Non-Internet Facing AD Sites” then you must copy the Exchange 2007 OWA binaries to CAS2010:

  • On the CAS2010 server(s), establish a connection to the CAS2007 server’s drive that contains the Exchange binaries and navigate to the \Client Access\OWA directory (e.g. \\cas2007\c$\Program Files\Microsoft\Exchange Server\Client Access\Owa).
  • Copy the highest version folder (e.g. 8.2.140.0) from the CAS2007 to CAS2010 Exchange binaries \Client Access\OWA directory (e.g. C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa).
  • Execute IISReset on all the CAS2010 machines.

7. For your Outlook clients, you can configure CAS2010 to participate in an RPC Client Access Service array:

  • Create a load balancing array for CAS2010, if one has not already been created.
  • Create a DNS entry in your internal DNS infrastructure that resolves to the Virtual IP Address (VIP) of the CAS load balancing array. The DNS entry, for example, could be outlook.contoso.com.
  • Configure your load balancing array to load balance the MAPI RPC ports:
    • TCP 135
    • TCP 1024-65535
  • Run the following cmdlet to create the Client Access Service array: New-ClientAccessArray -Name outlook.contoso.com -FQDN outlook.contoso.com -Site “Internet Facing AD Site”

8. Install the HT2010 and MBX2010 server roles into the “Internet Facing AD Site” and configure accordingly.

  • You can change the Offline Address Book generation server and enable web distribution on CAS2010 by performing the following steps:
    • To move the Offline Address Book: Move-OfflineAddressBook “Default Offline Address List” -Server
    • To add CAS2010 as a web distribution point:
      • $OABVDir=Get-OABVirtualDirectory -Server
      • $OAB=Get-OfflineAddressBook “Default Offline Address List”
      • $OAB.VirtualDirectories += $OABVdir.DistinguishedName
      • Set-OfflineAddressBook “Default Offline Address List” -VirtualDirectories $OAB.VirtualDirectories

9. Create legacy host record (legacy.contoso.com) in your external DNS infrastructure and associate it either with the CAS2007 infrastructure (less likely) or your proxy infrastructure (more likely).

10. If utilizing a reverse proxy infrastructure, you will publish the legacy namespace to the CAS2007 infrastructure so that at this point the CAS2007 infrastructure can be accessed either via mail.contoso.com or legacy.contoso.com namespaces.

11. You will then schedule Internet protocol client downtime (please note that this downtime window should be relatively small – enough time for you to make the change and validate that everything works as desired) and perform the following steps:

  • You will re-configure your CAS2007 URLs in the “Internet Facing AD Site”. This ensures that clients that leverage Autodiscover function correctly and that legacy mailboxes can be redirected to Outlook Web Access:
  • If you have Exchange 2003 mailbox servers in your environment, then users with mailboxes on an Exchange 2003 server who try to use Exchange ActiveSync through an Exchange 2010 Client Access server will receive an error and be unable to synchronize unless Integrated Windows authentication is enabled on the Microsoft-Server-ActiveSync virtual directory on the Exchange 2003 server. This allows the Exchange 2010 Client Access Server and the Exchange 2003 back end server to communicate using Kerberos authentication.

To enable this authentication change on Exchange 2003 you need to either:

Note: It is important that you do not use IIS Manager to change the authentication setting on the Microsoft-Server-ActiveSync virtual directory as the DS2MB process within the System Attendant will overwrite the settings that are stored in Active Directory.

  • Disable Outlook Anywhere on your Exchange 2007 CAS infrastructure in the “Internet Facing AD Site” by utilizing the cmdlet, Disable-OutlookAnywhere -Server . Optionally, you can also remove the RPC over HTTP proxy component (refer to your Windows Server documentation for more information).

Important: This requires an up-front investment in CAS2010 architecture as all Outlook Anywhere clients will utilize CAS2010 once you transition the Outlook Anywhere endpoint. Be sure to follow all proper scalability planning documentation when deploying CAS2010 to ensure that you do not create a bottleneck in your CAS infrastructure due to Outlook Anywhere clients.

  • You will reconfigure External DNS and/or your reverse proxy infrastructure’s publishing rules to have the autodiscover.contoso.com and mail.contoso.com namespaces point to CAS2010.
  • Test all client scenarios and ensure they function correctly.
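The CAS2007 side of step 11, as an added example that is not the post's own list: it moves the Exchange 2007 Client Access server in the Internet Facing AD Site onto the legacy namespace for OWA, chooses between redirect and proxy for Exchange ActiveSync, and disables the legacy Outlook Anywhere endpoint. The server name CAS2007 and the contoso.com host names are assumptions.

```powershell
# Added example (not the post's own list): reconfigure the legacy CAS2007 URLs
# once the primary namespace moves to CAS2010.
$LegacyServer  = "CAS2007"             # assumed server name
$Legacy        = "legacy.contoso.com"
$ForceEasProxy = $true   # $true: CAS2010 proxies EAS to CAS2007; $false: devices get a 451 redirect

# OWA: CAS2010 redirects Exchange 2007 mailboxes in this site to this external URL.
Set-OwaVirtualDirectory -Identity "$LegacyServer\owa (Default Web Site)" `
    -ExternalUrl "https://$Legacy/owa"

# ActiveSync: with an ExternalUrl set, Autodiscover-capable devices are told to
# resync against it; with no ExternalUrl, CAS2010 proxies the connection instead,
# which also covers third-party devices that do not honor the redirect.
$easIdentity = "$LegacyServer\Microsoft-Server-ActiveSync (Default Web Site)"
if ($ForceEasProxy) {
    Set-ActiveSyncVirtualDirectory -Identity $easIdentity -ExternalUrl $null
} else {
    Set-ActiveSyncVirtualDirectory -Identity $easIdentity `
        -ExternalUrl "https://$Legacy/Microsoft-Server-ActiveSync"
}

# Outlook Anywhere now terminates on CAS2010, so the legacy endpoint is turned off.
Disable-OutlookAnywhere -Server $LegacyServer -Confirm:$false

# Verify the legacy server advertises only the legacy namespace.
Get-OwaVirtualDirectory        -Server $LegacyServer | Format-Table Identity, ExternalUrl -AutoSize
Get-ActiveSyncVirtualDirectory -Server $LegacyServer | Format-Table Identity, ExternalUrl -AutoSize
Get-OutlookAnywhere            -Server $LegacyServer -ErrorAction SilentlyContinue
```

Keep the proxy choice for ActiveSync in mind when sizing CAS2010: every proxied EAS session consumes CAS2010 capacity in addition to the Outlook Anywhere load noted above.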

12. Complete downtime and enable Internet protocol client usage.

As a result of following these steps, the environment would look similar to this diagram:

So why the additional namespace?

To understand why we are introducing a new namespace for the legacy Exchange environment, it is important to understand what the Internet client behavior will be by introducing Exchange 2010.

  • For Outlook Web Access, Exchange 2010 CAS does not support rendering mailbox data from legacy versions of Exchange.  Exchange 2010 CAS handles the request in one of four ways, depending on the target mailbox’s version and/or location:
    • If the Exchange 2007 mailbox is in the same AD Site as CAS2010, CAS2010 will silently redirect the session to the Exchange 2007 CAS.
    • If the Exchange 2007 mailbox is in another Internet facing AD Site, CAS2010 will manually redirect the user to the Exchange 2007 CAS.
    • If the Exchange 2007 mailbox is in a non-Internet facing AD site, CAS2010 will proxy the connection to the Exchange 2007 CAS.
    • If the mailbox is Exchange 2003, CAS2010 will silently redirect the session to a pre-defined URL.
  • For Exchange ActiveSync, Exchange 2010 CAS does not support rendering mailbox data from legacy versions of Exchange.  Exchange 2010 CAS handles the request in one of four ways, depending on the target mailbox’s version and/or location, and on device capabilities:
    • If the Exchange 2007 mailbox is in the same AD Site as CAS2010 and the device supports Autodiscover, CAS2010 will notify the device to synchronize with CAS2007.
    • If the Exchange 2007 mailbox is in the same AD Site as CAS2010 and the device does not support Autodiscover, CAS2010 will proxy the connection to CAS2007.
    • If the Exchange 2007 mailbox is in a non-Internet facing AD site, CAS2010 will proxy the connection to the Exchange 2007 CAS.
    • If the mailbox is Exchange 2003, CAS2010 will proxy the connection to the Exchange 2003 mailbox server.
  • For Outlook Anywhere, you are going to move the Outlook Anywhere endpoint from the Exchange 2003 Front-End or Exchange 2007 CAS to the Exchange 2010 CAS.  Exchange 2010 CAS will always proxy the Outlook MAPI RPC data that is embedded in the RPC-HTTPS packet to the target legacy mailbox server (regardless of AD site or version) or to the appropriate Exchange 2010 CAS.

Important: This requires an up-front investment in CAS2010 architecture as all Outlook Anywhere clients will utilize CAS2010 once you transition the Outlook Anywhere endpoint. Be sure to follow all proper scalability planning documentation when deploying CAS2010 to ensure that you do not create a bottleneck in your CAS infrastructure due to Outlook Anywhere clients.

Conclusion

Hopefully this information improves your understanding of client access coexistence with legacy versions of Exchange while transitioning to Exchange Server 2010.  Please let us know if you have any questions.

Ross Smith IV


Comments (32)
  1. Mracket says:

    Great article. Just one question so far. I know i need a new certificate which contains legacy.domain.com for the new exchange 2010 cas, but what about the certificate for the exchange 2007 cas, can i export the one from cas2010 and use the same on both?

  2. Stephan says:

    Warning: If you have iPhones connecting via ActiveSync, they should manually be changed to the legacy Exchange server.

    http://social.technet.microsoft.com/Forums/en-US/exchange2010/thread/2cfe2729-77ea-44d7-9880-71d50127be35

  3. Mracket – yes you can use the same certificate, provided that when you created the certificate, you ensured that the private key is exportable.

    Stephan – Yes there have been reports of several third party ActiveSync devices that do not handle the 451 redirect that is available in the ActiveSync protocol v12.1 and later.  Best to contact the third-party and validate their support or plans for fixing the issue.  You can resolve this by one of two ways:

    1.  Manually update the URLs on the devices.

    2.  Remove the MSAS externalURL from CAS2007 and thus force CAS2010 to proxy EAS connections to CAS2007.

    Ross

  4. Norm says:

    Those diagrams are awesome. Do you have them in a higher resolution? I’d like to print them out on a plotter.

  5. Keosaki says:

    Ross, Thanks for this very very informative article also written in a superb way.

    Thanks again

  6. Mike says:

    This is great!

    How do the above steps change if you have ISA 2006 as the internet facing server for OWA? Will ISA 2006 support OWA 2010? Do I still need to update my certificates for the legacy.domain.com or can I just update my ISA rule to point to Exchange 2010?

    Thanks,

    Mike

  7. Exchange says:

    Norm – You can download the Visio of the diagrams here – http://msexchangeteam.com/files/12/attachments/entry453297.aspx.

    Mike – The last post in the series will discuss how to integrate ISA 2006 SP1 with E2010.  Essentially, yes, you will have two namespaces exposed, with separate rules, with a single web listener.  ISA 2006 SP1 Exchange rule wizard doesn’t know about E2010, so you will have to do some manual configuration (e.g. add /ECP vdir).

    Ross

  8. Josh Maher says:

    Good post, this was definitely problematic in the past during the 2003 to 2007 upgrades.

    I can see the value in getting the product out the door for not supporting the display of legacy versions on the CAS, but will this disjointed legacy upgrade procedure continue into wave 15? It would be great to present a much more streamlined procedure where the end user doesn’t have to juggle as much…

  9. Exchange says:

    Josh – the beauty of this approach is that the end user doesn’t have to juggle anything.  Prior to deploying E2010, the user knew  a single URL – mail.contoso.com.  After deploying E2010, the user continues using the same URL, mail.contoso.com, regardless of their mailbox version/location.  The user doesn’t have to learn a new URL, or type in that URL ever (with the exception of third-party ActiveSync devices that do not honor the redirect, see prior comment post).  

    Ross

  10. Norm says:

    Thank you so much!!!

  11. HK-Brad says:

    Great post!  Thanks for your continued effort to spoon feed us through this blog.  :)

    Down to business…

    From my first Exchange 2010 deployment to the end of your blog post, I’m still not clear on the need for this second namespace and the difficulties it brings me.

    I’m using expensive VeriSign Extended Validation certificates and training my users to ensure they see the green bar before logging in.  Your secondary name space gives me two (2) options.  Either buy a second set of ridiculously expensive certificates or educate my users to expect a missing ‘Green Bar’ temporarily until they are upgraded to 2010 (I’d still have to buy some cheap cert for the legacy.mycompany.com FQDN).

    For me, neither option seems like a good one.  I can’t justify the expense of duplicate certificates and I can’t convince myself to go out and reverse-educate users counter to all of our ‘Green Bar’ hammering over the past few years.

    One last note, all of my users are external, as I’ve deployed my Exchange 2007 and 2010 in a data centre that’s always remote to my entire user base.  I’m using ISA 2006 SP1 and TMG 2010 with Forms Based Authentication (FBA) in front of everything.

    So here’s what I’m thinking.   From your post, you confirm that Ex2010 CAS is happy to help me to proxy OAS, EAS, and “WS” – which I think means Exchange Web Service (EWS).   To me this means only OWA is going to be left without proxy, from the 2010CAS to the 2007CAS, thereby needing that separate external URL.  Since you’ve conveniently dropped the ‘Office’ from the name ‘Outlook Web App’ in Exchange 2010, and ‘Office Outlook Web Access’ just goes better with a /OOWA URL anyway, why not use ISA/TMG to publish https://mycompany.com/OWA (Outlook Web App) and /ECP (Exchange Control Panel) to the Ex2010 CAS and leave https://mycompany.com/OOWA (Office Outlook Web Access) where it belongs on the Ex2007 CAS.

    We already know some legacy devices don’t like redirection on EAS, so let’s just remove the External URL for EAS from the Ex2007 CAS and let Ex2010 CAS do the proxying for that and for Outlook Anywhere.

    I’ve done this already in my production environment and have yet to uncover anything that’s not working, but it’s only been running since the Friday after your WW release, so there’s still a chance some user will discover something before me.  Anything I need to watch out for?

  12. Lindsay_Morgan says:

    Thanks for the great info. Great help!

  13. Turp says:

    Great article!

    I do have one question, in step one you stated we can use a wild-card certificate; I thought Windows Mobile devices had issues with wild-card certificates for ActiveSync.  Has this changed, if so what version of WM?

    I would prefer to use the wild-card cert, but have stayed away due to the EAS issues.  We are still migrating our WM5 devices to WM6 ROMS.

  14. mike says:

    nice article

    what about if I will deploy all exchange 2010 server roles on one server and make it the Internet facing server , can i use only one IP and one record like "mail.contoso.com" and it will use the casproxy or i will need to make another record like "legacy.contoso.com"

  15. Exchange says:

    Hi Mike,

    So it depends. :)

    If you can do the upgrade in one step (i.e. move all mailboxes during a single downtime period), then no, you do not need the legacy namespace.

    If you have to deal with a coexistence period:

    1. If Exchange 2003, then yes you need the legacy namespace if you provide access to OWA for the E2003 users.

    2.  If Exchange 2007, and you don’t want to place E2010 in a separate AD site, then yes you need the legacy namespace.

    Ross

  16. Exchange says:

    Turp – Only Windows Mobile 5 devices do not support wildcard certificates.

    Ross

  17. Satn says:

    I see that you’ve recommended that a SAN certificate should have at least 3 URLs. Doesn’t 2010 face issues like the one mentioned in KB 940726 for Exchange 2007?

  18. merter says:

    Is there a deployment guide for 2003 to 2010 scenarios where there is no 2007 in the mix? Thanks.

  19. mspelt says:

    Hi Ross, good article about an important subject in the migration path.

    I have one question however. I’m planning to migrate a customer from Exchange 03 to 2010 cross-forest, so we are transitioning from the old forest to a new forest with TMG and 2010. Can I get the redirection functional with this setup somehow? We also would like a more seamless migration and are planning to connect the two environments with ILM, but the problem is still there regarding the web access URL from the outside.

    Regards,

    martijn

  20. Jummiet says:

    Hi Ross, a great article there.

    I am clear on the mail.contoso.com and autodiscover.contoso.com names that should be in my SAN cert but i am a little bit confused on the legacy namespace. The first time i came across the legacy namespace, i assumed that it was the FQDN of my Exchange 2007 server, so my SAN cert contains the following namespace – mail.contoso.com, autodiscover.contoso.com and FQDNofE2k7.mydomain.com. If what you are saying now is that the legacy namespace is not the FQDN of my E2K7 server that it should actually be "Legacy" as in Legacy.contoso.com, then will i need to tie  a public ip address to legacy.contoso.com as i have for mail.contoso.com.

    Please i will appreciate the clarifications

  21. Marcin says:

    Hi,

    I’m starting reading this series, as I plan on upgrading 2007 to 2010. Since my installation is quite small – about 100 users, one site, one HT/CAS server and two Mailbox servers in CCR – I would expect this upgrade can be done during one weekend. Should I even bother with setting up legacy namespace? I do realize I might miss some newsletter emails during saturday night, but that is acceptable for me.

  22. Marcin,

    If you can schedule an outage window and complete the entire upgrade within a weekend, then no, you do not need the legacy namespace.  Simply install the E2010 server(s), configure your routing, configure your client access, move the mailboxes, and uninstall the E2007 servers.

    Ross

  23. Jummiet – your legacy namespace can be anything you want it to be.  If you have multiple E2007 CAS that will coexist with your E2010 infrastructure, then I would suggest using something other than a server name since you will most likely be load balancing the E2007 requests across all the E2007 CAS.

    Ross

  24. MSPELT – No redirection doesn’t work cross-forest.

    Ross

  25. Satn – Yes you need to ensure you have the proper namespaces on the certificate and have your AutodiscoverInternalURI, InternalURL, and ExternalURL values configured correctly.

    Ross

  26. Robert says:

    I can’t seem to find a definitive answer – is it possible to get an Outlook 2000 (all the available updates) client to connect to Exchange 2010?  I just need this scenario for testing.

    I can get Outlook 2002 to connect, but 2000 fails with "Unable to open your default e-mail folders…."

  27. Exchange says:

    Robert, Outlook 2000 (and Outlook 2002) are not supported against Exchange 2010.

    Ross

  28. Sathish says:

    Hi Ross,

    While upgrading E2k7 -> E14 , what is the purpose of Step#10. Pls explain me, that will be helpful.

    Thanks

    Sathish

  29. Hi Sathish,

    Exchange 2010 CAS does not service legacy mailboxes for OWA.  Instead, E2010 CAS redirects legacy mailboxes to a legacy CAS/FE server.  The legacy CAS/FE server is the one that provides OWA connectivity.   This requires an additional namespace (legacy).

    Ross

  30. Jaxone says:

    Nice article and helped me to understand how I should configure everything for the coexistence but I still have a thing that I don’t understand…

    I am planning an upgrade of our Exchange 2003 environment to 2010. I have 5 Exchange 2003 mailbox servers spanned across 5 locations and 1 front end OWA server with 1000 users.

    As I will not be able to migrate them all at once I will need 2003 exchange coexistence.

    What I want to do is to replace the old 2003 front end with a new 2010 CAS server.

    Let’s say my 2003 frontend is called : webmail.contoso.com
    What I want to do is to remove Exchange from it, install a new machine with CAS 2010 and call it webmail.contoso.com and give it the same IP as the old one, as I don’t want to use 2 different names for the OWA, it being too much hassle to reconfigure 500 mobile devices.

    According to the Msexchangeteam blog
    http://msexchangeteam.com/archive/2009/11/20/453272.aspx , I will have to buy a new wildcard certificate with the names :

    webmail.contoso.com
    autodiscover.contoso.com
    legacy.contoso.com
    and set up the specific URL’s for my 2010 and 2003 owa.

    Now, according to the article, OWA will work just fine, but how will the mail-enabled mobile devices react to this?

    I have about 500 users using Nokia mail for exchange and MS ActiveSync with the mail server specified as : webmail.contoso.com

    Will I have a problem here or will the new CAS server redirect the requests to the correct mailbox server ?

    Can I use the path I want to keep the old name webmail.contoso.com and just configure the web access like :

    Set-OWAVirtualDirectory OWA* -ExternalURL https://webmail.contoso.com/OWA -Exchange2003URL https://webmail.contoso.com/exchange

    Thank you in advance.

  31. Liuxiang says:

    Double confirm: so, during transition, we should point the legacy.contoso.com to Exchange 2003 FE or Exchange 2007 CAS, and we should configure two publish rules, one is for Exchange 2010 (mail.contoso.com,autodiscover.contoso.com) and another is for legacy.contoso.com, am I right?
