Solved

Exchange 2007 to Exchange 2010 - Is it possible to do without using a Legacy Host Name?

Posted on 2011-03-22
1,167 Views
Last Modified: 2012-05-11
This may be a bit long winded so apologies in advance.
We are currently in the process of migrating from Exchange 2007 to Exchange 2010 but we're facing some issues with setting up a legacy host name for coexistence.
Here's our current setup:

One internet facing Exch2007 CAS server behind a firewall (with port secured obviously).
One Exch2007 Hub Transport/Mailbox server (approx. 1200 large-ish mailboxes).
SSL UC cert with 5 names (maxed out) currently in use on 2007 CAS server.
FQDN of OWA (mail.externaldomain.com) resolves to one of our ISP assigned public IP addresses.
Firewall has DNAT rule setup to redirect incoming traffic for mail.externaldomain.com to the Exch2007 CAS server IP address.
Firewall has SNAT rule to stamp all outbound SMTP traffic with same public IP address mentioned above.

For reasons I won't go into here, we were unable to include any of our internal domain FQDNs on our UC cert. To work around this issue with autodiscover and internal Outlook clients, we've had to implement a second internal DNS forward look-up zone for our external domain and create one A record there for our external FQDN (mail.externaldomain.com) and give it the IP address of our Exch2007 CAS server.

Our Exchange 2010 setup will be basically the same as our Exch2007 setup above.

MS claim that for coexistence (after installing and configuring new Exch2010 CAS server), you must create additional A records in internal and external DNS zones for a legacy host name which will point to the IP address of the Exch2007 CAS server. Because of our unique (and ham-fisted) setup, we'd like to avoid doing this as it presents complications (we've only a few public IP addresses left which are to be allocated to MOSS and we've used up all of the names on our UC cert which is still valid for another 2 years and we plan to export it to the new Exch2010 CAS server so we don't want to have to get an additional one).
Is it possible to simply install the new Exch2010 CAS server (and export the current UC cert to it), give it the mail.externaldomain.com name, change the firewall DNAT rule to redirect mail.externaldomain.com to its IP address and then decommission the Exch2007 CAS server? If so, how would the new 2010 CAS server know how to redirect to Exch2007 for those users with mailboxes still on that server?
Thanks in advance for any help.
Question by:stedwardsitdept
7 Comments
 
LVL 74

Accepted Solution

by:
Glen Knight earned 500 total points
ID: 35189623
Only if you don't want to provide remote access to both servers during the migration.

The legacy host name is so that the Exchange 2010 CAS server can redirect client requests to the 2007 CAS server. If you are not worried about this or don't use external access then it is not required.
 

Author Comment

by:stedwardsitdept
ID: 35191516
@demazter
Unfortunately, we will want to have remote access available during the move so it looks like we'll have to go with the legacy host name option.
I understand that we'll have to create an A record in our external DNS zone for "legacy" that directs to the Exch2007 CAS server IP, but is it necessary to create the same record for our internal DNS? Outlook 2007 uses autodiscover to look for the SCP AD object which points to our Exch2007 CAS currently. Would the installation of the 2010 CAS server alter that record so that it points to the 2010 CAS?
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35191527
You don't need to do it for internal users, it's only for external access.

You will also need 2 public IP addresses, the legacy URL will point to 1 and the other will be for Exchange 2010

Author Comment

by:stedwardsitdept
ID: 35197481
@demazter
Thanks for your help and swift responses on this.
Perhaps you can help clarify the redirection process a bit for me.
I understand that we will need to create the external DNS record for legacy and assign it a public IP address. I also understand that we will need to give the 2010 CAS server the original OWA FQDN (mail.externaldomain.com). Further, I know that we will need to obtain another UC cert for the 2010 CAS server that lists the legacy FQDN. My confusion comes in at how the 2010 CAS actually goes about performing the redirection. I've read that it sends requests for users still on Exch2007 back outside the organisation to look for that legacy record, but I'm unclear on how this is done. I've read that you must "publish" the legacy address, but this brings to mind technology used by Forefront, ISA, TMG, none of which we are using. Our CAS servers are internet facing and simply sit behind a firewall. I'm aware that we will need to configure the DNAT rules to send incoming connections for "legacy" to the 2007 CAS server and redirect connections for the original mail.external.com to the new 2010 CAS server. Can you enlighten me?
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35197484
OK, basically when a client makes a request to the 2010 server, it will redirect the client to their 2007 CAS server using the LegacyURL option.

The redirection is then done silently and the client will request legacy.domain.com (for example) and get logged in. This is why both URLs need to be available externally and why they need their own IP address, because you cannot port forward the same port from a single external IP to 2 different destinations.

You don't need FTMG or ISA to achieve this.
 

Author Comment

by:stedwardsitdept
ID: 35198771
@demazter
Yes, I understand that much of it. I'm more enquiring about the details of what the 2010 CAS server is doing to the request it receives from Exch2007 users in order to redirect them to the new legacy URL. In other words, is it altering the request by stripping out the original URL, replacing it with the legacy URL, then pushing the request back out of the firewall/organisation so that it does a "u-turn" to look for that legacy FQDN? And what of the Set-OwaVirtualDirectory -Exchange2003URL cmdlet? Is that a necessary part of the process? I've read that it must be run in order for redirection to work.
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35198822
>>In other words, is it altering the request by stripping out the original URL, replacing it with the legacy URL, then pushing the request back out of the firewall/organisation so that it does a "u-turn" to look for that legacy FQDN

Basically, yes.

>>And what of the Set-OwaVirtualDirectory -Exchange2003URL cmdlet? Is that a necessary part of the process?
You only need to use this if you still have Exchange 2003 servers.

Have a look at: http://blogs.technet.com/b/exchange/archive/2009/11/20/3408856.aspx
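As an added example (not part of this thread, and not code posted by either participant), the Exchange Management Shell steps that put the redirect described in the two answers above into place: the 2010 CAS sends an OWA user whose mailbox is still on 2007 to the ExternalUrl advertised by the 2007 OWA virtual directory, so that is where the legacy name is configured, and -Exchange2003Url stays out of the picture unless Exchange 2003 is still present. The server name EX2007CAS, the host name legacy.externaldomain.com and the certificate check are assumptions made for the example.

```powershell
# Added example: configure the legacy ExternalUrl on the Exchange 2007 CAS and check the
# certificate that will be presented on each CAS. Server and host names are assumptions.
$Legacy2007Cas = 'EX2007CAS'                     # assumed name of the Exchange 2007 CAS
$LegacyHost    = 'legacy.externaldomain.com'     # assumed legacy host name from external DNS
$PrimaryHost   = 'mail.externaldomain.com'       # existing OWA FQDN, kept on the 2010 CAS
$LegacyOwa     = "https://$LegacyHost/owa"
$LegacyEws     = "https://$LegacyHost/ews/exchange.asmx"

# 1. Run on the Exchange 2007 CAS. The 2010 CAS redirects 2007 mailbox users to whatever
#    ExternalUrl the 2007 OWA virtual directory advertises, so the legacy name goes here.
Set-OwaVirtualDirectory -Identity "$Legacy2007Cas\owa (Default Web Site)" -ExternalUrl $LegacyOwa
Set-WebServicesVirtualDirectory -Identity "$Legacy2007Cas\EWS (Default Web Site)" -ExternalUrl $LegacyEws

# 2. -Exchange2003Url is only relevant while Exchange 2003 servers remain; with a pure
#    2007 to 2010 coexistence it is left unset (shown commented out for that reason).
# Set-OwaVirtualDirectory -Identity 'EX2010CAS\owa (Default Web Site)' -Exchange2003Url "https://$LegacyHost/exchange"

# 3. Run on each CAS. The silent redirect only works if the certificate bound to IIS on the
#    server answering that public IP covers the name the client is sent to; otherwise the
#    user sees a name-mismatch warning instead of a transparent logon.
Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object {
        [pscustomobject]@{
            Thumbprint       = $_.Thumbprint
            NotAfter         = $_.NotAfter
            CoversLegacyName = [bool]($_.CertificateDomains -contains $LegacyHost)
            CoversPrimary    = [bool]($_.CertificateDomains -contains $PrimaryHost)
        }
    }
```

On the 2010 CAS the expected result is a certificate with CoversPrimary true and, once the new UC certificate is installed, CoversLegacyName true as well; a false in either column on the server that receives that name's DNAT traffic is the misconfiguration to fix before cutting over the firewall rules.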