So the Techstravaganza 2012 was a great success, with a lot of awesome speakers and even more awesome participants. Thank you all for showing up. Attached are the slides from my presentation, but I wanted to elaborate a little more on them, especially based on the questions I was asked.
Do you need another forest to actually migrate to a new Exchange 2010 build?
Nah – too complicated. You could create a new forest, but as long as you are running Exchange 2003 SP2 or Exchange 2007 SP2 you can do coexistence within the same forest. You can do two separate forests; just get ready to do either 1) linked mailboxes or 2) an AD migration from one forest to the other. There are other ways of accomplishing a migration with two forests, but it’s usually more complicated than expected. Don’t do it if you don’t need to.
What are the virtualization requirements?
That can be found here: http://technet.microsoft.com/en-us/library/aa996719.aspx
It’s long, but let me help explain a few things about hypervisors:
1) Microsoft will support Exchange running on Hyper-V and on third-party hypervisors that are part of the “Windows Server Virtualization Validation Program”.
2) Things like VMware Player and Virtual PC are nice for a lab, but I would highly recommend against using them anywhere near a production server due to their limitations.
We also do not support NAS/SMB/NFS. Why? Because it’s file-level storage and not block-level storage, which is what Exchange 2010 requires to function properly. Even if that storage is presented via iSCSI as block level, it is not supportable.
Now how do I achieve single sign on for users in the old Exchange environment (2003 or 2007) if my Exchange 2010 CAS is the primary internet facing server?
Before I actually get into SSO between a 2010 CAS and a 2003 FE or 2007 CAS, I want to discuss what proxying is and what redirection is…
Redirection: When a user connects to the 2010 CAS (I am going to assume for this scenario that you have already cut over from your 2003 FE or 2007 CAS), the 2010 CAS will query a global catalog server (GC) local to the site for the following information…
1) The Exchange version that the mailbox is held on
2) The mailbox location (homeMDB attribute), i.e. the database that the mailbox sits on
Let’s say this user is on an Exchange 2007 server that is within the same site and is also internet facing, but with the legacy URL from our namespace planning (e.g. the ExternalURL is set to something like legacy.contoso.com). Since the ExternalURL property is set, the 2010 CAS will do redirection for both OWA and ActiveSync. POP3/IMAP and EWS all use proxying to send their requests over to the other CAS/FE server.
When a redirection happens, the original form the user filled out (the login page) is sent from the original OWA IIS vDirectory (in this case, the 2010 CAS) to the appropriate internet-facing site. The user is then returned to a page with a link, and once they follow it they will either be asked to reauthenticate or, if single sign-on is set up properly, simply get access to their mailbox.
With Exchange 2010 SP2, we introduced “silent redirection”, which automates the redirection process. No more users having to click on things to get to the right OWA URL.
Note: if your mailbox is also within a separate 2010 site that has an ExternalURL, you will also be redirected to the proper URL.
Proxy: If you connect to a 2010 CAS and the mailbox is within a legacy organization at a different site that is NOT internet facing, or your mailbox is within a different Exchange 2010 site that is not internet facing, you will use a proxy request. Proxy requests also apply to POP3/IMAP4/EWS. The reason the request is proxied instead of redirected is that the ExternalURL is set to nothing ($null) and an InternalURL is set (e.g. http://contosocas/owa). The 2010 CAS sends the proxy cookie to the appropriate IIS vDirectory’s /PROXY directory, and if it responds, your request is proxied over.
Now for the actual single sign on stuff..
If you want to achieve single sign on for your 2010 CAS to your legacy organization you would do the following:
1) OWA/ECP will use FBA (forms-based authentication) on both the 2010 CAS and the 2007 CAS / 2003 FE server(s).
2) EWS/POP3/IMAP4/EAS will need WIA (Windows Integrated Authentication) enabled on both the 2010 CAS and the receiving 2007 CAS / 2003 FE server(s).
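One way to check the settings the two SSO points above require, and to see whether each virtual directory would redirect or proxy per the ExternalURL/InternalURL discussion, is to audit the virtual directories from the Exchange 2010 Management Shell. This is an added example, not from the original post: the server names are placeholders, it covers 2007 and 2010 CAS only (2003 FE forms-based authentication is set in Exchange System Manager, not through these cmdlets), and it is written for the PowerShell 2.0 that ships with the Exchange 2010 Management Shell.

```powershell
# Added audit script (not from the original post). Server names are placeholders.
# Run from the Exchange 2010 Management Shell; written for PowerShell 2.0.
param(
    [string[]]$Servers = @('CAS2010-01', 'CAS2007-01')   # constructed placeholder names
)

function Get-SsoFinding($Server, $VDir, $Required, $Compliant) {
    # OWA and EAS redirect when the target's ExternalUrl is set; EWS and ECP always proxy.
    $redirectCapable = ($VDir.Name -like 'owa*') -or ($VDir.Name -like 'Microsoft-Server-ActiveSync*')
    $behaviour = 'proxy'
    if ($redirectCapable -and $VDir.ExternalUrl) { $behaviour = 'redirect' }
    New-Object PSObject -Property @{
        Server      = $Server
        VDir        = $VDir.Name
        Required    = $Required
        Compliant   = [bool]$Compliant
        Behaviour   = $behaviour
        ExternalUrl = $VDir.ExternalUrl
        InternalUrl = $VDir.InternalUrl
    }
}

$findings = foreach ($server in $Servers) {
    # OWA (and ECP, which exists on 2010 only): forms-based authentication must be on.
    $fbaVdirs = @(Get-OwaVirtualDirectory -Server $server) +
                @(Get-EcpVirtualDirectory -Server $server -ErrorAction SilentlyContinue)
    foreach ($v in $fbaVdirs) {
        Get-SsoFinding $server $v 'FBA' $v.FormsAuthentication
    }
    # EWS and EAS: Windows Integrated Authentication must be on at both ends of the proxy hop.
    $wiaVdirs = @(Get-WebServicesVirtualDirectory -Server $server) +
                @(Get-ActiveSyncVirtualDirectory -Server $server)
    foreach ($v in $wiaVdirs) {
        Get-SsoFinding $server $v 'WIA' $v.WindowsAuthentication
    }
}

$findings | Format-Table Server, VDir, Required, Compliant, Behaviour, ExternalUrl -AutoSize

# Any row with Compliant = False is a hop where users will get a second logon prompt.
# The matching Set-* cmdlet fixes it, for example (placeholder identity):
#   Set-WebServicesVirtualDirectory -Identity "CAS2007-01\EWS (Default Web Site)" -WindowsAuthentication $true
```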
When should I move my OAB?
I would move the OAB when you start migrating users from 200X to 2010. That makes it available to both your 200X users and your 2010 users. The reason is that MailTips will not work until the OAB has been moved over, and until the GAL has also been moved from the legacy environment to the Exchange 2010 environment.
As also discussed, the ExDeploy tool is awesome. Check it out: http://tinyurl.com/exdeploy
Thanks again to everyone who decided to read this, although it is pretty long, and to all the participants and speakers who were at the Techstravaganza 2012 event. It was definitely an experience.
– Adam F