Exchange 2007 to Exchange 2010 CAS Migration

I am using this page as a primary resource for setting up a new Exchange 2010 CAS server in my Exchange 2007 environment:  http://technet.microsoft.com/en-us/library/dd351133.aspx

This is a single-AD domain environment running two Exchange 2007 servers (1 Mailbox, 1 CA/HT).

I have the following servers:

PRODMAIL2    Exchange 2007 Mailbox Server
PRODMAIL3    Exchange 2007 CA/HT Server
PRODMAIL     Exchange 2010 CA Server (will eventually be HT/MBX server as well)

I have the following Internet DNS records:

mail.company.com        (IP of PRODMAIL3)
legacy.company.com      (IP of PRODMAIL3)
exchange.company.com    (IP of PRODMAIL - this record was primarily created for testing)

I have Exchange 2010 CAS server running successfully and accepting OWA connections.  I understand from Microsoft that a 2010 CAS can't access 2007 Mailboxes directly (correct?).  However, the 2010 CAS should redirect me to the 2007 CAS, which will in turn give me access to my 2007 mailbox.  Internally, this works (with a certificate error) as the redirect tries to go to prodmail3.internal.company.com.  However, that same redirect obviously does not work from outside of the company.

I've seen other questions answered on EE that seem to indicate (similar to the 2003-2007 migration) that I do NOT need an Exchange 2007 CAS after my 2010 CAS is running.  If this is true, life sure would be easier.

I've also found various pages online mentioning the -Exchange2003URL command, but I don't believe that applies as I have no Exch 2003 in my environment.

So my question, in brief, which I cannot find concisely answered on the Internet:  How do I migrate my CAS from 2007 to 2010 so that it's largely transparent to the end users?

jaustin1 Asked:

Akhater Commented:
Yes, you are right: Exchange 2010 cannot talk to a 2007 mailbox, and yes, 2010 will redirect to the 2007 CAS, and you DO NOT need the Exchange2003URL.

To save myself a lot of rewriting, please read this: http://www.zerohoursleep.com/2010/02/installing-your-first-exchange-2010-cas-part-2/ It should answer all the questions you have just asked, and do get back if anything remains unclear.
0
jaustin1 Author Commented:
Thanks, Akhater.  I have already come across that page in my searches, however it's a bit sparse on actual details.  This part seems to apply to me:

"If ExternalURL is set on your exchange 2007 CAS the user will be directly redirected to it"

However, there's no information there on how I should set that parameter if that, in fact, is what I need to do.  Also, should I be making use of MS's recommended "legacy.company.com" FQDN when setting this parameter?  Or can I just go to my 2007 CAS and enter:

set-owavirtualdirectory -externalurl mail.company.com

?

0
Akhater Commented:
legacy.company.com is just an example; you can set it to anything you want. mail.company.com would work just fine.


If you issue a get-owavirtualdirectory PRODMAIL3 | fl *url* what is the result?


0
Akhater Commented:
And to answer your question: yes, to set the external URL just issue a

set-owavirtualdirectory PRODMAIL3 -externalurl mail.company.com
0
jaustin1 Author Commented:
Interesting...

Get-OwaVirtualDirectory : The operation could not be performed because object 'PRODMAIL3' could not be found on domain controller 'internal.company.com'
.
At line:1 char:24
+ get-owavirtualdirectory <<<< PRODMAIL3 | fl *url*

(PRODDC-V is one of our domain controllers, and PRODMAIL3 is most certainly found on that DC.)
0
Akhater Commented:
Yes, sorry, my bad.

get-owavirtualdirectory "PRODMAIL3\Exchange (Default Web Site)" | fl *url*

if all is as per default, or just run

get-owavirtualdirectory | fl name,*url*
0
jaustin1 Author Commented:
URL, InternalURL, and ExternalURL all come up blank.

The command:

set-owavirtualdirectory PRODMAIL3 -externalurl mail.company.com

returns a similar error referencing the DC.  Should it actually be:

set-owavirtualdirectory "PRODMAIL3\Exchange (Default Web Site)" -externalurl mail.company.com

?
0
Akhater Commented:
I am really, really sorry, I should go to sleep :D


get-owavirtualdirectory "PRODMAIL3\OWA (Default Web Site)" | fl *url*

It is owa, not exchange; exchange is for 2003 compatibility. Sorry again for the mess.
0
jaustin1 Author Commented:
Ok, in that case, I get:

URL:  {}
InternalUrl:  https://prodmail3.internal.company.com
ExternalUrl:  

So I entered set-owavirtualdirectory "PRODMAIL3\OWA (Default Web Site)" -externalurl https://mail.company.com/owa

Now, when I hit https://exchange.company.com/owa from outside, I'm presented with a certificate error (no cert on the new 2010 CAS yet), followed by the 2010 OWA screen.  When I login there, I then am redirected to https://mail.company.com/owa (yay!), where I have to provide my credentials again.  Shouldn't the credentials be passed through?
0
Akhater Commented:
Pass-through will happen only if Form Based Authentication is enabled on the OWA virtual directory on the 2007 CAS.

0
jaustin1 Author Commented:
That makes sense.

Well that has the redirect portion working for OWA, but there's still a lot of confusion (for me, at least) around completing this CAS migration.

I don't want to piggyback questions, but even with your help I'm left a long way from completing just the CAS portion of this Exchange 2010.

I realize my initial question of, "How do I migrate my CAS from 2007 to 2010 so that it's largely transparent to the end users?" is very open, and I don't want to breach the rules/etiquette of EE, but do you have any good resources for completing the switchover (DNS issues, ActiveSync redirect, do I REALLY need a SAN certificate (I didn't in Exchange 2007), etc.)?

0
Akhater Commented:
OK, let's try to break the question down.

The main idea is to let all traffic hit your 2010 CAS first.
1. For OWA access, we have pretty much covered it.
2. For ActiveSync there is no redirection; the 2010 CAS will proxy the 2007 one, provided the latter has SP2 installed on it.
3. For the SAN, you will need it if you want to use the Autodiscover feature; you don't need it for any other reason.

Let's say all your users are configured to use mail.company.com for OWA/RPC-HTTPS/ActiveSync etc.

1. Create, say, legacy.domain.com and point it to the real IP of your 2k7 CAS server (PRODMAIL3).
2. Change the IP of mail.domain.com and point it to the real IP of your 2k10 CAS server (PRODMAIL).
3. Make sure you create the virtual directories of OWA/ActiveSync to be correct, both InternalUrl and ExternalUrl, on both the 2k10 and 2k7 CAS.

Honestly, that's all you have to do, apart from making sure the certificates are working fine etc.

Please do ask questions; maybe I am oversimplifying the process.
0
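Added example, not part of the thread: one way to check, before the DNS cutover described above, whether each host name in the OWA InternalUrl/ExternalUrl values is covered by the certificate names on that CAS, which is where the certificate errors mentioned earlier come from. The function names are hypothetical, and the PRODMAIL URLs and both certificate name lists are constructed sample values; on a live server they would come from Get-OwaVirtualDirectory and from the CertificateDomains property returned by Get-ExchangeCertificate.

```powershell
# Added example (not from the thread). Function names are hypothetical.
function Test-CertCoversHost {
    param([string]$HostName, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if (-not $d) { continue }
        if ($d -eq $HostName) { return $true }          # -eq ignores case
        if ($d.StartsWith('*.')) {
            # A wildcard name covers exactly one left-most label.
            $suffix = $d.Substring(1)
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -and $label.IndexOf('.') -lt 0) { return $true }
            }
        }
    }
    return $false
}

function Get-UrlCertCoverage {
    param($VirtualDirectories, [hashtable]$CertDomainsByServer)
    foreach ($vd in $VirtualDirectories) {
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            $url = $vd.$prop
            if (-not $url) { continue }                 # blank URL, nothing to check
            $name = ([Uri]$url).Host
            New-Object PSObject -Property @{
                Server  = $vd.Server; Setting = $prop; HostName = $name
                Covered = (Test-CertCoversHost $name $CertDomainsByServer[$vd.Server])
            }
        }
    }
}

# Constructed sample data: PRODMAIL3 URLs as quoted in the thread, the rest assumed.
$vdirs = @(
    (New-Object PSObject -Property @{ Server = 'PRODMAIL3'
        InternalUrl = 'https://prodmail3.internal.company.com'
        ExternalUrl = 'https://mail.company.com/owa' }),
    (New-Object PSObject -Property @{ Server = 'PRODMAIL'
        InternalUrl = 'https://prodmail.internal.company.com/owa'
        ExternalUrl = 'https://mail.company.com/owa' })
)
$certNames = @{
    'PRODMAIL3' = @('mail.company.com')   # assumed: single-name certificate
    'PRODMAIL'  = @('PRODMAIL')           # assumed: default self-signed certificate
}

# List every URL whose host name the server's certificate does not cover.
Get-UrlCertCoverage $vdirs $certNames | Where-Object { -not $_.Covered } |
    Format-Table Server, Setting, HostName -AutoSize
```

Each row returned is a host name that clients would reach with a certificate name warning until the certificate or the URL is changed.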
jaustin1 Author Commented:
Legacy.domain.com does point to the external IP of my 2k7 CAS server (PRODMAIL3).  Mail.domain.com (my MX record) also points to the same IP.  So I have to be careful not to change the IP that mail.domain.com points to until I have HT up and running on PRODMAIL.

I *think* what I need to do now is get my certificate working correctly on PRODMAIL.  And since SSO won't work, I guess I'll either have to prepare my users for having to login twice, or perhaps schedule most of the work for a weekend downtime (I don't like that option, as I was expecting a more seamless transition from 2007-2010 based on what I'd learned beforehand).
0
Akhater Commented:
Let's get the certificate up and running and we will carry it over from here.
0
jaustin1 Author Commented:
I spent most of the day yesterday on the phone with MS (we're a Gold Partner and have some tech support incidents to burn).  After he broke our certificates and cut off all of our Outlook Anywhere users, and just before he had me make some mail-traffic breaking changes to our firewall, he finally decided he should refund the support incident back to me.  I would have to buy a second cert. in order to do a slow migration according to his plan, which I cannot do.  So I'm kind of on my own (well, with help from Akhater.. :) ).

As of this morning, I have a mailbox on Exchange 2010 successfully sending/receiving internally and externally, and that mailbox works via Outlook Anywhere going through the SSL Cert on the 2007 server.  So I think I'm well on my way.

I'm sure I'll come up with more questions as I proceed, but I think it's fair to say that you answered my initial ones and guided me on my way down the right path.

Thank you!
0
jaustin1 Author Commented:
Just some syntax was left out, but it was very helpful.
0
Akhater Commented:
If you need anything I, and others, will be just around the corner :)
0