Exchange 2007 to Exchange 2010 - Is it possible to do without using a Legacy Host Name?

Posted on 2011-03-22
Last Modified: 2012-05-11
This may be a bit long winded so apologies in advance.
We are currently in the process of migrating from Exchange 2007 to Exchange 2010 but we're facing some issues with setting up a legacy host name for coexistence.
Here's our current setup:

One internet facing Exch2007 CAS server behind a firewall (with port secured obviously).
One Exch2007 Hub Transport/Mailbox server (approx. 1200 large-ish mailboxes).
SSL UC cert with 5 names (maxed out) currently in use on 2007 CAS server.
FQDN of OWA ( resolves to one of our ISP assigned public IP addresses.
Firewall has DNAT rule setup to redirect incoming traffic for to the Exch2007 CAS server IP address.
Firewall has SNAT rule to stamp all outbound SMTP traffic with same public IP address mentioned above.

For reasons I won't go into here, we were unable to include any of our internal domain FQDNs on our UC cert. To work around this issue with autodiscover and internal Outlook clients, we've had to implement a second internal DNS forward look-up zone for our external domain and create one A record there for our external FQDN ( and give it the IP address of our Exch2007 CAS server.

Our Exchange 2010 setup will be basically the same as our Exch2007 setup above.

MS claim that for coexistence (after installing and configuring new Exch2010 CAS server), you must create additional A records in internal and external DNS zones for a legacy host name which will point to the IP address of the Exch2007 CAS server. Because of our unique (and ham-fisted) setup, we'd like to avoid doing this as it presents complications (we've only a few public IP addresses left which are to be allocated to MOSS and we've used up all of the names on our UC cert which is still valid for another 2 years and we plan to export it to the new Exch2010 CAS server so we don't want to have to get an additional one).
Is it possible to simply install the new Exch2010 CAS server (and export the current UC cert to it), give it the name, change the firewall DNAT rule to redirect to its IP address and then decommission the Exch2007 CAS server? If so, how would the new 2010 CAS server know how to redirect to Exch2007 for those users with mailboxes still on that server?
Thanks in advance for any help.
Question by:stedwardsitdept
  • 4
  • 3
LVL 74

Accepted Solution

Glen Knight earned 500 total points
ID: 35189623
only if you don't want to provide remote access to both servers during the migration.

The legacy host name is so that the Exchange 2010 CAS server can redirect client requests to the 2007 CAS server.  if you are not worried about this or don't use external access then it is not required.

Author Comment

ID: 35191516
Unfortunately, we will want to have remote access available during the move so it looks like we'll have to go with the legacy host name option.
I understand that we'll have to create a A record in our external DNS zone for "legacy" that directs to the Exch2007 CAS server IP, but is it necessary to create same record for our internal DNS? Outlook 2007 uses autodiscover to look for SCP AD object which points to our Exch2007 CAS currently. Would the intstallation of the 2010 CAS server alter that record so that it points to 2010 CAS?
LVL 74

Expert Comment

by:Glen Knight
ID: 35191527
You don't need to do it for internal users, it's only for external access.

You will also need 2 public IP addresses, the legacy URL will point to 1 and the other will be for Exchange 2010
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.


Author Comment

ID: 35197481
Thanks for your help and swift responses on this.
Perhaps you can help clarify the redirection process a bit for me.
I understand that we will need to create the external DNS record for legacy and assign it a public IP address. I also understand that we will need to give the 2010 CAS server the original OWA FQDN ( Further, I know that we will need to obtain another UC cert for the 2010 CAS server that lists the legacy FQDN. My confusion comes in at how the 2010 CAS actually goes about performing the redirection. I've read that it sends requests for users still on Exch2007 back outside the organisation to look for that legacy record, but I'm unclear on how this is done. I've read that you must "publish" the legacy address, but this brings to mind technology used by Forefront, ISA, TMG, none of which we are using. Our CAS servers are internet facing and simply sit behind a firewall. I'm aware that we will need to configure the DNAT rules to send incoming connections for "legacy" to the 2007 CAS server and redirect connections for the original to the new 2010 CAS server. Can you enlighten me?
LVL 74

Expert Comment

by:Glen Knight
ID: 35197484
OK, basically when a client makes a request to the 2010 server, it will redirect the client to their 2007 CAS server using the LegacyURL option.

The redirection is then done silently and the client will request (for example) and get logged in.  This is why both URL's need to be available externally and why they need their own IP address because you cannot port forward the same port from a single external IP to 2 different destinations.

You don't need FTMG or ISA to achieve this.

Author Comment

ID: 35198771
Yes, I understand that much of it. I'm more enquiring about the details of what the 2010 CAS server is doing to the request it receives from Exch2007 users in order to redirect them to the new legacy URL. In other words, is it altering the request by stripping out the original URL, replacing it with the legacy URL, then pushing the request back out of the firewall/organisation so that it does a "u-turn" to look for that legacy FQDN? And what of the Set-OwaVirtualDirectory -Exchange2003URL cmdlet? Is that a necessary part of the process? I've read that it must be run in order for redirection to work.
LVL 74

Expert Comment

by:Glen Knight
ID: 35198822
>>In other words, is it altering the request by stripping out the original URL, replacing it with the legacy URL, then pushing the request back out of the firewall/organisation so that it does a "u-turn" to look for that legacy FQDN

Basically, yes.

>>And what of the Set-OwaVirtualDirectory -Exchange2003URL cmdlet? Is that a necessary part of the process?
You only need to use this if you still have Exchange 2003 servers.

Have a look at:

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Marketers need statistics and metrics like everybody else needs oxygen. In this article we explain how to enable marketing campaign statistics for Microsoft Exchange mail.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now