iamuser
asked on
2003 to 2010 migration massive confusion
Every time I think I figure something out something new pops up and I end up wondering where it fits. Hopefully this will be the final time that I have to ask for help on this and thanks for all those who did help in the past.
in.acme.com= internal domain
acme.com= external domain
inmail.in.acme.com = FQDN internal exchange server
2 external owa servers in dmz
outmail1.acme.com = FQDN 1st owa server
outmail2.acme.com = FQDN 2nd owa server
mail.in.acme.com = FQDN of 1st 2010 exchange server
owa.acme.com = internet facing name of 1st 2010 exchange server
Will have second cas server, will be using cas array.
Situation:
Migrating from 2003 to 2010. Not all mailboxes are going to be migrated at once, so I will need 2003 running at the same time that 2010 is running. Existing legacy OWA/ActiveSync will be running until all mailboxes have been migrated, unless there's a way for 2010 OWA/ActiveSync to take over with mailboxes still in 2003.
Setup will be 2 Exchange 2010 servers running CAS/Hub/Mailbox roles in a DAG. The CAS array IP will point to the DAG IP. This setup will give us no load balancing but will give us HA for both the CAS and the mailbox DB. No DNS round robin.
San certificate:
Should the cas array name on the SAN be the internal FQDN that I have in our internal DNS server, such as: clients.in.acme.com
Since we need 2003, we'll need Legacy.domain.com. Should it be: Legacy.acme.com or legacy.in.acme.com on the SAN?
Should autodiscover.com be: autodiscover.in.acme.com or autodiscover.acme.com?
According to MS here: http://technet.microsoft.com/en-us/exdeploy2010/default.aspx#DeploymentCheckList/ee721975/2003
the root domain should be included in the SAN. Is this necessary? If it is which root domain? my internal FQDN in.acme.com or the external: acme.com?
ASKER
So the cas array name on the san would not be the internal fqdn but the external fqdn
ASKER
I sort of understand the first 3 being external address
owa.acme.com
autodiscover.acme.com
legacy.acme.com
but last one, the cas array? Do I have to have the Cas array in both my internal DNS as well as my external DNS?
We are using a spam/filter appliance for public incoming/outgoing email. Only mail that's routed by exchange are internal emails to internal users. Anything incoming from outside or leaving to go out is handled by the email appliance. The (acme.com) MX records in our external DNS server points to the email appliance and not our internal exchange server.
My assumption would be that email would still go to the spam/filter email appliance; inside is a smart host field which would then point to the CAS array IP.
The CAS array name is your choice, it could be either, doesn't matter.
ASKER
I think the part I'm really confused on is why the CAS array name on the SAN is cas.acme.com instead of cas.in.acme.com?
It can be anything, it could be owa.acme.com if you want, it is just a name.
ASKER
okay, so the same reason applies to why it is autodiscover.acme.com instead of autodiscover.in.acme.com
Because of the way Autodiscover works: your email addresses are @acme.com and not @in.acme.com, so Outlook will look for autodiscover.acme.com.
Furthermore, autodiscover.in.acme.com wouldn't be resolvable from the internet, and this is where you will need Autodiscover.
ASKER
Because all these names seem to point to the external domain, do any of the names that I add to the SAN
owa.acme.com
autodiscover.acme.com
legacy.acme.com
cas.acme.com
need to be in my external DNS server? Furthermore would I need the above names in my internal dns?
ASKER
nm, you answered the CAS array question for me already
ASKER
regarding Autodiscover.domain.com:
"-AutoDiscoverServiceInternalUri: <Internal URL>, this FQDN must match the URL included in the certificate.
If you cannot use autodiscover.domain.com internally (you have a domain name of domain.local and you must use it), you will get a certificate mismatch error; you will have to include the internal name in the certificate if you purchase an external certificate."
excuse me can you come again with the question ? I think I got lost somewhere
ASKER
okay, I was asking about the autodiscover.domain.com (autodiscover.acme.com in my case) on the SAN.
I asked if the autodiscover.domain.com should be the internal or external FQDN, autodiscover.in.acme.com or autodiscover.acme.com. The answer I received was autodiscover.acme.com,
but then I found the below regarding Autodiscover:
"-AutoDiscoverServiceInternalUri: <Internal URL>, this FQDN must match the URL included in the certificate.
If you cannot use autodiscover.domain.com internally (you have a domain name of domain.local and you must use it), you will get a certificate mismatch error; you will have to include the internal name in the certificate if you purchase an external certificate."
From that it sounds like I can't use autodiscover.domain.com since internally my domain is in.acme.com. It'll cause a certificate mismatch error. So I'll have to add both, internal and external address, for Autodiscover?
ASKER
My SAN is considered an external certificate, isn't it?
1. I don't know where you read this, but this is not entirely correct.
2. Autodiscover works in 2 parts:
  Part 1: Clients that are joined to the domain will use what we call SCP to get their Autodiscover URL, and this is what we are talking about here, so this doesn't need to be autodiscover.domain.com (although it can be); it could be casarray.domain.com. It is where Outlook will connect to pick up the information from.
  Part 2: Clients that are NOT joined to the domain. Outlook will simply try to reach autodiscover.domain.com, where domain.com is the part after the @ in the user's email address, since they do not have an SCP to contact. And for these clients you HAVE TO create autodiscover.domain.com, there is no option on this one, believe me.
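As an added worked example (not part of the thread, and not Akhater's own commands): the Exchange 2010 Management Shell settings that tie the two Autodiscover paths and the other client URLs to the public acme.com names, so that one SAN certificate is valid from inside and outside. Placeholders I assumed: the 2010 server is called MAIL, the AD site is Default-First-Site-Name, the mailbox database is DB01, and the CAS array is named owa.acme.com as suggested later in the thread.

```powershell
# Added example: bind the SAN names discussed in this thread to the Exchange
# 2010 client endpoints. Assumed placeholders: server MAIL, AD site
# "Default-First-Site-Name", database DB01, CAS array name owa.acme.com.
# The internal AD domain in.acme.com never appears in any client URL.

$Server   = "MAIL"
$Site     = "Default-First-Site-Name"
$CasArray = "owa.acme.com"            # CAS array FQDN; MAPI clients connect here
$OwaUrl   = "https://owa.acme.com"    # same host name inside and outside (split DNS)
$Legacy   = "https://legacy.acme.com/exchange"   # 2003 front-end for unmigrated mailboxes
$AutoD    = "https://autodiscover.acme.com/Autodiscover/Autodiscover.xml"

# Autodiscover part 1: domain-joined Outlook reads this URL from the SCP in AD.
# The host name must be one of the certificate's SAN names or Outlook warns.
Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri $AutoD

# The CAS array is just a name: RPC/MAPI clients are told to use it instead of
# a server name, so the name (not the server) is what must stay stable.
New-ClientAccessArray -Name $CasArray -Fqdn $CasArray -Site $Site
Set-MailboxDatabase -Identity "DB01" -RpcClientAccessServer $CasArray

# Virtual directories: internal and external URLs use the same public name.
# Exchange2003Url is where 2010 OWA redirects users whose mailbox is still on
# 2003 (the legacy.acme.com name from the thread).
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -InternalUrl "$OwaUrl/owa" -ExternalUrl "$OwaUrl/owa" -Exchange2003Url $Legacy
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" `
    -InternalUrl "$OwaUrl/ecp" -ExternalUrl "$OwaUrl/ecp"
Set-ActiveSyncVirtualDirectory -Identity "$Server\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "$OwaUrl/Microsoft-Server-ActiveSync" -ExternalUrl "$OwaUrl/Microsoft-Server-ActiveSync"
Set-WebServicesVirtualDirectory -Identity "$Server\EWS (Default Web Site)" `
    -InternalUrl "$OwaUrl/EWS/Exchange.asmx" -ExternalUrl "$OwaUrl/EWS/Exchange.asmx"
Set-OabVirtualDirectory -Identity "$Server\OAB (Default Web Site)" `
    -InternalUrl "$OwaUrl/OAB" -ExternalUrl "$OwaUrl/OAB"

# Check: every host name printed here must be present in the SAN list of the
# certificate enabled for IIS, otherwise clients get a name-mismatch error.
Get-OwaVirtualDirectory -Server $Server | Select-Object InternalUrl, ExternalUrl, Exchange2003Url
Get-ClientAccessServer -Identity $Server | Select-Object AutoDiscoverServiceInternalUri
```

Autodiscover part 2 (non-domain-joined clients looking up autodiscover.acme.com) needs no Exchange setting beyond the virtual directory that already exists; it only needs the public DNS record and the name in the certificate.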
ASKER CERTIFIED SOLUTION
ASKER
you forgot cas.domain.com
Nope, I told you to call your CAS array owa.acme.com :)
ASKER
Yeah, you're right. Okay, so I figured out how to do a few of the steps that you listed above. We don't host our own external DNS server; we have a service that does it for us.
"make legacy.acme.com resolvable from outside to the public IP of you 2k3 server"
- remove the public 2003 owa server ip from owa.acme.com in external dns server
- create new DNS entry for legacy.acme.com in external dns
- assign 2003 owa server ip to legacy.acme.com
"make owa.acme.com resolvable from outside to the public IP of your CAS array (the one you have port 443 forwarded to the internal CAS array)"
add new public ip to owa.acme.com and port forward the public ip  to the inside address of the cas array
"make autodiscover.acme.com resolvable from outside to the public IP of your CAS array"
create a entry called autodiscover and add in the same ip that i used for owa.acme.com (which points to cas array public address). Basically I'll have 2 different DNS entry pointing to the same public ip address
As for the 3 below, the only way I can think of resolving those internally is with  split brain DNS since my internal domain is in.acme.com. Is there another option? something simpler?
"make legacy.acme.com resolvable from inside to the private ip of your 2k3 server"
"make autodiscover.acme.com resolvable from inside to the private IP of your CAS array"
"make owa.acme.com resolvable from inside to the private IP of your CAS array"
I have to say you lost me !
1. I thought you said that ActiveSync was working
2. in all your config you have given me above where did you set the "require certificates" part ? how are you using these client certificates ? in your config all the virtual direcotries have the client certificate set to ignore
3. testexchangeconnectivity is failing oon which step and what is the error
Excuse me, ignore my last comment; it was for another question.
You got it all right, perfectly correct: the last 3 have to be split DNS. The issue in your case is the legacy entry, which doesn't have an internal and external URL, so, as per my first post, you have to go for split DNS.
What is so hard with split dns anyway ?
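Added example of the split DNS the thread lands on (mine, not Akhater's, and not from Microsoft's guidance). It uses "pinpoint" zones on the internal Windows DNS server: one tiny zone per host name rather than an internal copy of the whole acme.com zone, which would force you to duplicate every public record (www, the MX that points at the spam appliance, and so on). Addresses 10.1.1.20 (CAS array) and 10.1.1.5 (2003 front-end) are constructed placeholders.

```powershell
# Added example, not from the thread: split DNS with pinpoint zones.
# Run on an internal Windows DNS server (2003/2008) as a DNS admin; dnscmd
# ships with the DNS server role. Placeholder private IPs are constructed.

$CasArrayIP = "10.1.1.20"   # internal address the public owa.acme.com is forwarded to
$LegacyIP   = "10.1.1.5"    # internal address of the Exchange 2003 front-end

$records = @{
    "owa.acme.com"          = $CasArrayIP   # OWA, ActiveSync, EWS, CAS array name
    "autodiscover.acme.com" = $CasArrayIP   # Autodiscover for non-domain-joined clients
    "legacy.acme.com"       = $LegacyIP     # 2003 OWA for mailboxes not yet migrated
}

foreach ($name in $records.Keys) {
    # An AD-integrated primary zone whose name IS the host name. For a
    # non-AD DNS server use "/Primary /file $name.dns" instead of /DsPrimary.
    & dnscmd /ZoneAdd $name /DsPrimary
    # A single A record at the zone apex ("@"). Inside the LAN the name now
    # resolves to the private address; every other acme.com name is still
    # answered by the ISP-hosted public zone, so nothing else needs copying.
    & dnscmd /RecordAdd $name "@" A $records[$name]
}

# Verify from an internal client: the three names must return the private IPs
# above, while an unrelated name such as www.acme.com still returns its public
# IP, which proves the rest of the public zone is untouched.
foreach ($name in @($records.Keys) + "www.acme.com") { nslookup $name }
```

If the firewall does allow internal clients to reach the public IP and come back in (the hairpin case discussed further down), the three zones are simply not needed; the check at the end tells you which situation you are in.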
ASKER
You're the amazing Akhater,
okay everything is much clearer now. I didn't see that we needed split-dns. I only have 1 or 2 final things that I just need to understand.
I've included 2 images. The first image (A) is what we have now. Image 2 (B) is to get at least 1 Exchange 2010 server running full time. Then we'll add the additional Exchange servers later.
Considering:
- Internal hosts are going to use SCP to connect to Cas server/array. They are using outlook 2010 / 2003
- no internal hosts (within AD) would use owa.acme.com to check mail, only external hosts. External users with mailboxes on Exchange 2003 will still go to the owa.acme.com URL but then get redirected to legacy.acme.com. And this redirection is not internal, it's external.
- Active sync is coming in from the outside to our internal cas server/ array. And owa.acme.com will be pointed to our internal cas server/array.
- Autodiscover is used for external clients.
- Legacy.acme.com is for external clients
Why do we need to have autodiscover.acme.com, owa.acme.com & legacy.acme.com resolvable internally?
well simply because some people do use owa from the internal network :)
Maybe you are just passing by the office and you need to check your email and you don't have your laptop with you; you want to be able to access OWA.
Maybe I misunderstood the question.
ASKER
And even if we had internal clients that wanted to go to "owa.92y.org" they would end up on the internet and it would resolve correctly If I'm not mistaken
ASKER
Our internal DNS would forward to our ISP dns..
you mean it being resolved to your external IP ?
simply because most firewalls will not let you go out and back in from the same interface
ASKER
okay I got it. Makes sense now
"simply because most firewalls will not let you go out and back in from the same interface"
I think we are allowed because we can go to owa.acme.com internally. But looking at our internal DNS, all I see is the FQDN of the FE Exchange 2003 server. The IP though is a public IP and not an internal IP. I don't see any sub-domains for owa.acme.com.
The external DNS has the owa.acme.com record, with the same public IP that was in our internal DNS system.
So they must have allowed that IP to go in and out of the firewall
If your firewall allows it then I have nothing to add to this, just double check on this.
ASKER
you're a savior man
ASKER
thanks for all help. If the firewall doesn't work I'll set the split dns
ASKER
awesome
Glad I'm able to shed some light
Well, since you have 2k3 coexistence you will need to stick to your external name and make it resolvable from the internal network.
Your external FQDN is mandatory, so does your SAN:
owa.acme.com
autodiscover.acme.com
legacy.acme.com
clients.acme.com
and let these DNS entries be resolved from your internal network to your CAS array IP.
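Added example (mine, not from the thread or from Microsoft) of requesting the SAN certificate with exactly the four names listed above, and of checking afterwards that the certificate enabled for IIS really covers them. Organization "Acme", country "US" and the path C:\certreq are assumed placeholders.

```powershell
# Added example, not from the thread: SAN certificate request on Exchange 2010.
# Only public-zone names (acme.com) are included; nothing from in.acme.com,
# because no client URL uses the internal AD domain. Placeholders: o=Acme,
# c=US, C:\certreq.

$Names = "owa.acme.com", "autodiscover.acme.com", "legacy.acme.com", "clients.acme.com"

# The subject CN must itself be one of the SAN names; -DomainName becomes the
# Subject Alternative Name list the CA signs.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Acme, cn=owa.acme.com" `
    -DomainName $Names `
    -PrivateKeyExportable $true    # so the same cert can be exported to the 2nd CAS

New-Item -ItemType Directory -Path C:\certreq -Force | Out-Null
Set-Content -Path C:\certreq\exchange2010.req -Value $req   # submit this file to the CA

# After the CA returns exchange2010.cer, import it and bind it to IIS and SMTP:
# $cert = Import-ExchangeCertificate -FileData ([Byte[]](Get-Content -Path C:\certreq\exchange2010.cer -Encoding Byte -ReadCount 0))
# Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP

# Check: every name the virtual directories and Autodiscover use must appear in
# the SAN list of the certificate currently enabled for IIS.
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" }
$missing = $Names | Where-Object { $iisCert.CertificateDomains -notcontains $_ }
if ($missing) { Write-Warning "Not covered by the IIS certificate: $($missing -join ', ')" }
```

The name used for the CAS array (clients.acme.com here, or owa.acme.com as suggested in the thread) only needs to be in the certificate if clients reach an HTTPS URL by that name; the RPC/MAPI connection to the array name is not TLS-validated against the certificate.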