Solved

2003 to 2010 migration massive confusion

Posted on 2011-03-08
Last Modified: 2012-05-11
Every time I think I figure something out something new pops up and I end up wondering where it fits. Hopefully this will be the final time that I have to ask for help on this and thanks for all those who did help in the past.

in.acme.com= internal domain
acme.com= external domain

inmail.in.acme.com = FQDN internal exchange server

2 external owa servers in dmz

outmail1.acme.com = FQDN 1st owa server
outmail2.acme.com = FQDN 2nd owa server

mail.in.acme.com = FQDN of 1st 2010 exchange server

owa.acme.com = internet facing name of 1st 2010 exchange server

Will have second cas server, will be using cas array.

Situation:

Migrating from 2003 to 2010. Not all mailboxes are going to be migrated at once, so I will need 2003 running at the same time that 2010 is running. Existing legacy OWA/ActiveSync will be running until all mailboxes have been migrated, unless there's a way for 2010 OWA/ActiveSync to take over with mailboxes still in 2003.

Setup will be 2 Exchange 2010 servers running CAS/Hub/Mailbox roles in a DAG. The CAS array IP will point to the DAG IP. This setup will give us no load balancing but will give us HA for both the CAS and the Mailbox DB. No DNS round robin.

San certificate:

Should the cas array name on the SAN be the internal FQDN that I have in our internal DNS server, such as: clients.in.acme.com

Since we need 2003, we'll need Legacy.domain.com. Should it be Legacy.acme.com or legacy.in.acme.com on the SAN?

Should autodiscover.com be: autodiscover.in.acme.com or autodiscover.acme.com?

According to MS here: http://technet.microsoft.com/en-us/exdeploy2010/default.aspx#DeploymentCheckList/ee721975/2003

the root domain should be included in the SAN. Is this necessary? If it is, which root domain: my internal FQDN in.acme.com or the external acme.com?

Question by:iamuser
34 Comments
 
LVL 49

Expert Comment

by:Akhater
ID: 35079312
I see you have made some progress, that is great.

Well, since you have 2k3 coexistence you will need to stick to your external name and make it resolvable from the internal network.

Your external FQDN is mandatory, so your SAN should be:

owa.acme.com
autodiscover.acme.com
legacy.acme.com
clients.acme.com

and have these DNS entries resolve from your internal network to your CAS array IP.

Author Comment

by:iamuser
ID: 35082052
So the CAS array name on the SAN would not be the internal FQDN but the external FQDN?

Author Comment

by:iamuser
ID: 35083638
I sort of understand the first 3 being external addresses:

owa.acme.com
autodiscover.acme.com
legacy.acme.com

but the last one, the CAS array? Do I have to have the CAS array in both my internal DNS as well as my external DNS?

We are using a spam/filter appliance for public incoming/outgoing email. The only mail that's routed by Exchange is internal email to internal users. Anything incoming from outside or leaving to go out is handled by the email appliance. The (acme.com) MX records in our external DNS server point to the email appliance and not our internal Exchange server.

My assumption would be that email would still go to the spam/filter email appliance, inside is a smart host field which would then point to the CAS array IP.
LVL 49

Expert Comment

by:Akhater
ID: 35083948
The CAS array is your choice, it could be both, doesn't matter.

Author Comment

by:iamuser
ID: 35084170
I think the part I'm really confused on is why the CAS array name on the SAN is cas.acme.com instead of cas.in.acme.com?
LVL 49

Expert Comment

by:Akhater
ID: 35085036
It can be anything, it could be owa.acme.com if you want, it is just a name.

Author Comment

by:iamuser
ID: 35087728
Okay, so the same reason applies to why it is autodiscover.acme.com instead of autodiscover.in.acme.com?
LVL 49

Expert Comment

by:Akhater
ID: 35091851
Because of the way autodiscover works: your email addresses are @acme.com and not @in.acme.com, so Outlook will look for autodiscover.acme.com.

Furthermore, autodiscover.in.acme.com wouldn't be resolvable from the internet, and this is where you will need autodiscover.

Author Comment

by:iamuser
ID: 35097304
Because all these names seem to point to the external domain: do any of the names that I add to the SAN

owa.acme.com
autodiscover.acme.com
legacy.acme.com
cas.acme.com

need to be in my external DNS server? Furthermore, would I need the above names in my internal DNS?

Author Comment

by:iamuser
ID: 35098874
Never mind, you answered the CAS array question for me already.

Author Comment

by:iamuser
ID: 35098915
Regarding Autodiscover.domain.com:

-AutoDiscoverServiceInternalUri: <Internal URL>, this FQDN must match the URL included in the certificate.

If you cannot use autodiscover.domain.com internally (you have a domain name of domain.local and you must use it), you will get a certificate mismatch error; you will have to include the internal name in the certificate if you purchase an external certificate.
LVL 49

Expert Comment

by:Akhater
ID: 35099997
Excuse me, can you come again with the question? I think I got lost somewhere.

Author Comment

by:iamuser
ID: 35100467
Okay, I was asking about the autodiscover.domain.com (autodiscover.acme.com in my case) on the SAN.

I asked if the autodiscover.domain.com should be the internal or external FQDN, autodiscover.in.acme.com or autodiscover.acme.com. The answer I received was autodiscover.acme.com.

But then I found the below regarding autodiscover:

-AutoDiscoverServiceInternalUri: <Internal URL>, this FQDN must match the URL included in the certificate.

If you cannot use autodiscover.domain.com internally (you have a domain name of domain.local and you must use it), you will get a certificate mismatch error; you will have to include the internal name in the certificate if you purchase an external certificate.

From that it sounds like I can't use autodiscover.domain.com since internally my domain is in.acme.com. It'll cause a certificate mismatch error. So I'll have to add both internal and external addresses for autodiscover?

Author Comment

by:iamuser
ID: 35100475
My SAN is considered an external certificate, isn't it?
LVL 49

Expert Comment

by:Akhater
ID: 35100724

1. I don't know where you read this, but this is not entirely correct.
2. Autodiscover works in 2 parts:
   Part 1: Clients that are joined to the domain will use what we call SCP to get their autodiscover URL, and this is what we are talking about here, so this doesn't need to be autodiscover.domain.com (although it can be), it could be casarray.domain.com. It is where Outlook will connect to to pick up the information from.

   Part 2: Clients that are NOT joined to the domain. Outlook will simply try to reach autodiscover.domain.com, where domain.com is the part after the @ in the user's email address, since they do not have an SCP to contact. And for these clients you HAVE TO create autodiscover.domain.com, there is no option on this one, believe me.

LVL 49

Accepted Solution

by:
Akhater earned 500 total points
ID: 35100764
In summary, what I am telling you to do is get your certificate with the following SAN:

owa.acme.com
autodiscover.acme.com
legacy.acme.com

make owa.acme.com resolvable from outside to the public IP of your CAS array (the one you have port 443 forwarded to the internal CAS array)
make owa.acme.com resolvable from inside to the private IP of your CAS array
make autodiscover.acme.com resolvable from outside to the public IP of your CAS array
make autodiscover.acme.com resolvable from inside to the private IP of your CAS array
make legacy.acme.com resolvable from outside to the public IP of your 2k3 server
make legacy.acme.com resolvable from inside to the private IP of your 2k3 server

configure your CAS array with the name owa.acme.com
configure all your internal and external URLs to be owa.acme.com
configure your AutoDiscoverServiceInternalUri to be autodiscover.acme.com
configure your RpcClientAccessServer to be owa.acme.com

and you shall have no problems.
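Expressed as Exchange Management Shell commands, the accepted answer above looks like this; it is an added example, not code from the thread or from Akhater. It assumes the first 2010 server is named MAIL (mail.in.acme.com in the question), the AD site is Default-First-Site-Name, the mailbox database is DB01, and the O= and C= values in the certificate subject are placeholders.

```powershell
# Added example (not from the thread): Exchange 2010 namespace and certificate
# setup following the accepted answer. Assumed names: server MAIL
# (mail.in.acme.com in the question), AD site "Default-First-Site-Name",
# mailbox database "DB01"; the certificate subject O=/C= values are placeholders.
$server = "MAIL"
$name   = "owa.acme.com"            # one namespace for the CAS array and every URL
$autod  = "autodiscover.acme.com"
$legacy = "legacy.acme.com"         # Exchange 2003 front-end during coexistence

# 1. CAS array named after the public namespace ("it is just a name") and used
#    as the RPC endpoint for the 2010 mailbox database
New-ClientAccessArray -Name $name -Fqdn $name -Site "Default-First-Site-Name"
Set-MailboxDatabase -Identity "DB01" -RpcClientAccessServer $name

# 2. Same host name on every internal and external virtual directory URL;
#    Exchange2003Url is where 2010 OWA sends users whose mailbox is still on 2003
Set-OwaVirtualDirectory -Identity "$server\owa (Default Web Site)" `
    -InternalUrl "https://$name/owa" -ExternalUrl "https://$name/owa" `
    -Exchange2003Url "https://$legacy/exchange"
Set-EcpVirtualDirectory -Identity "$server\ecp (Default Web Site)" `
    -InternalUrl "https://$name/ecp" -ExternalUrl "https://$name/ecp"
Set-ActiveSyncVirtualDirectory -Identity "$server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$name/Microsoft-Server-ActiveSync" `
    -ExternalUrl "https://$name/Microsoft-Server-ActiveSync"
Set-WebServicesVirtualDirectory -Identity "$server\EWS (Default Web Site)" `
    -InternalUrl "https://$name/EWS/Exchange.asmx" -ExternalUrl "https://$name/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity "$server\OAB (Default Web Site)" `
    -InternalUrl "https://$name/OAB" -ExternalUrl "https://$name/OAB"

# 3. Domain-joined Outlook finds Autodiscover through the SCP, so this URI
#    must be a name that is on the certificate
Set-ClientAccessServer -Identity $server `
    -AutoDiscoverServiceInternalUri "https://$autod/Autodiscover/Autodiscover.xml"

# 4. Certificate request carrying exactly the three SAN names from the answer
$req = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true `
    -SubjectName "CN=$name, O=Acme, C=US" -DomainName $name, $autod, $legacy
Set-Content -Path "C:\certreq\owa_acme_com.req" -Value $req

# 5. Once the CA returns owa_acme_com.cer, import it and bind it to IIS/SMTP:
#    Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path "C:\certreq\owa_acme_com.cer" -Encoding Byte -ReadCount 0)) |
#        Enable-ExchangeCertificate -Services "IIS,SMTP"
```

After binding the certificate, Get-ExchangeCertificate should list the three SAN names and the IIS service, and the SCP URI, the virtual directory URLs and RpcClientAccessServer should all use names that appear on it.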
 

Author Comment

by:iamuser
ID: 35101254
You forgot cas.domain.com.
LVL 49

Expert Comment

by:Akhater
ID: 35101276
Nope, I told you to call your CAS array owa.acme.com :)

Author Comment

by:iamuser
ID: 35103894
Yeah, you're right. Okay, so I figured out how to do a few of the steps that you listed above. We don't host our own external DNS server. We have a service that does it for us.

"make legacy.acme.com resolvable from outside to the public IP of your 2k3 server"

- remove the public 2003 OWA server IP from owa.acme.com in the external DNS server
- create a new DNS entry for legacy.acme.com in external DNS
- assign the 2003 OWA server IP to legacy.acme.com

"make owa.acme.com resolvable from outside to the public IP of your CAS array (the one you have port 443 forwarded to the internal CAS array)"

- add a new public IP to owa.acme.com and port forward the public IP to the inside address of the CAS array

"make autodiscover.acme.com resolvable from outside to the public IP of your CAS array"

- create an entry called autodiscover and add in the same IP that I used for owa.acme.com (which points to the CAS array public address). Basically I'll have 2 different DNS entries pointing to the same public IP address

As for the 3 below, the only way I can think of resolving those internally is with split brain DNS, since my internal domain is in.acme.com. Is there another option? Something simpler?

"make legacy.acme.com resolvable from inside to the private IP of your 2k3 server"
"make autodiscover.acme.com resolvable from inside to the private IP of your CAS array"
"make owa.acme.com resolvable from inside to the private IP of your CAS array"
LVL 49

Expert Comment

by:Akhater
ID: 35106045
I have to say you lost me!

1. I thought you said that ActiveSync was working
2. In all the config you have given me above, where did you set the "require certificates" part? How are you using these client certificates? In your config all the virtual directories have the client certificate set to ignore
3. testexchangeconnectivity is failing on which step, and what is the error?
LVL 49

Expert Comment

by:Akhater
ID: 35106052
Excuse me, ignore my last comment, it was for another question.

You got it all right, perfectly correct, the last 3 have to be split DNS. The issue in your case is the legacy entry that doesn't have an internal and external URL, so, as per my first post, you have to go for split DNS.

What is so hard with split DNS anyway?
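For the three names that must resolve to private IPs from inside, here is an added example (not from the thread) of the split DNS Akhater describes, done as one pinpoint zone per host name rather than an internal copy of the whole acme.com zone, so every other acme.com record keeps resolving through the forwarder to the ISP; that goes a little beyond the thread, which only names split DNS. The private IPs are constructed and the commands run on an internal Windows DNS server.

```powershell
# Added example (not from the thread): internal-only answers for the three
# names that must resolve to private IPs inside. One AD-integrated "pinpoint"
# zone per host name means the rest of acme.com (MX for the spam appliance,
# www, etc.) is still answered by the public zone via the forwarder.
# dnscmd ships with the Windows DNS role. The IP addresses are constructed.
$casArrayVip  = "10.0.0.20"   # private IP of the CAS array (constructed)
$legacy2003Ip = "10.0.0.30"   # private IP of the Exchange 2003 front-end (constructed)

$pinpoint = @{
    "owa.acme.com"          = $casArrayVip
    "autodiscover.acme.com" = $casArrayVip
    "legacy.acme.com"       = $legacy2003Ip
}

foreach ($fqdn in $pinpoint.Keys) {
    # A zone whose name is the host name itself; "@" is the zone root record
    dnscmd /ZoneAdd $fqdn /DsPrimary
    dnscmd /RecordAdd $fqdn "@" A $pinpoint[$fqdn]
}

# Verify from an internal client: each name must return its private IP,
# while the MX for acme.com still comes back with the public appliance
foreach ($fqdn in $pinpoint.Keys) { nslookup $fqdn }
nslookup -type=MX acme.com
```

If the firewall turns out to hairpin owa.acme.com correctly from the inside, as discussed later in the thread, the pinpoint zones are not needed, but they remove the dependency on that firewall behaviour.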
 

Author Comment

by:iamuser
ID: 35110086

You're amazing, Akhater.

Okay, everything is much clearer now. I didn't see that we needed split DNS. I only have 1 or 2 final things that I just need to understand.

I've included 2 images: the first image (A) is what we have now. Image 2 (B) is to get at least 1 Exchange 2010 server running full time. Then we'll add the additional Exchange servers later.

Considering:

- Internal hosts are going to use SCP to connect to the CAS server/array. They are using Outlook 2010 / 2003.

- No internal hosts (within AD) would use owa.acme.com to check mail. Only external hosts. External users with mailboxes on Exchange 2003 will still go to the owa.acme.com URL but then get redirected to legacy.acme.com. And this redirection is not internal, it's external.

- ActiveSync is coming in from the outside to our internal CAS server/array. And owa.acme.com will be pointed to our internal CAS server/array.

- Autodiscover is used for external clients.

- legacy.acme.com is for external clients.

Why do we need to have autodiscover.acme.com, owa.acme.com & legacy.acme.com resolvable internally?

[Images: (A) Current structure; (B) Single Exchange 2010]
LVL 49

Expert Comment

by:Akhater
ID: 35110141
Well, simply because some people do use OWA from the internal network :)

Maybe you are just passing by the office and you need to check your email and you don't have your laptop with you, you want to be able to access OWA.

Maybe I misunderstood the question.

Author Comment

by:iamuser
ID: 35110227
And even if we had internal clients that wanted to go to "owa.92y.org" they would end up on the internet and it would resolve correctly, if I'm not mistaken.

Author Comment

by:iamuser
ID: 35110239
Our internal DNS would forward to our ISP DNS.
LVL 49

Expert Comment

by:Akhater
ID: 35110290
You mean it being resolved to your external IP?

Simply because most firewalls will not let you go out and back in from the same interface.

Author Comment

by:iamuser
ID: 35110549
Okay, I got it. Makes sense now.

"simply because most firewalls will not let you go out and back in from the same interface"

I think we are allowed because we can go to owa.acme.com internally. But looking at our internal DNS all I see is the FQDN of the FE Exchange 2003 server. The IP though is a public IP and not an internal IP. I don't see any sub-domains for owa.acme.com.

The external DNS has the owa.acme.com record, with the same public IP that was in our internal DNS system.

So they must have allowed that IP to go in and out of the firewall.
LVL 49

Expert Comment

by:Akhater
ID: 35110587
If your firewall allows it then I have nothing to add to this, just double check on this.

Author Comment

by:iamuser
ID: 35110613
You're a savior, man.

Author Comment

by:iamuser
ID: 35110626
Thanks for all the help. If the firewall doesn't work I'll set up the split DNS.

Author Closing Comment

by:iamuser
ID: 35110639
Awesome.
LVL 49

Expert Comment

by:Akhater
ID: 35110671
Glad I'm able to shed some light