Exchange 2010 - New Exchange Certificate / Legacy Exchange Server

Current production server is Exchange 2003 SP2 (v6.5 Build 7638.2) on Windows 2003 SP2 Standard. The new host has Windows 2008 R2 SP1 installed with Exchange 2010 SP1 and a custom installation of CAS. The plan is to run a Transition Method from Exchange 2003 to Exchange 2010, moving mailboxes over time. OWA and OAB are currently in production using SSL (owa.contoso.com). I plan to use the same FQDN for Exchange 2010 in support of OWA and OAB. I am not clear on the "New Exchange Certificate" option for "Legacy Exchange Server". I have purchased a new SSL certificate for the Exchange 2010 server. My plan was to use the same FQDN (owa.contoso.com).

My questions: Do I select "Use Legacy Domains" and can I use owa.contoso.com in the "Domain name to use for legacy servers"? Can I have OWA and OAB running on both Exchange 2003 and Exchange 2010 with the same FQDN? What happens when I start migrating mailboxes?
mark-grant Asked:

tigermatt Commented:

>> Can I have OWA and OAB running on both Exchange 2003 and Exchange 2010 with same FQDN

No, you can't.

Exchange 2010 will not proxy requests for a 2003 mailbox to the 2003 back-end servers. You have to explicitly tell Exchange that if it encounters a user logging in whose mailbox is still on an Exchange 2003 server, that it should redirect them to a particular URL.

Therefore, to co-exist Exchange 2003 and 2010 client access, you need to expose two URLs to the Internet:
owa.domain.com, which points to the public IP of the Exchange 2010 server
legacy.domain.com, which points to the public IP of the Exchange 2003 server
On the Exchange 2010 server, you must also configure the OWA virtual directory with the Exchange2003Url. This is performed using Exchange Management Shell thus:
Get-OWAVirtualDirectory | Set-OWAVirtualDirectory -Exchange2003Url https://legacy.domain.com/exchange

The principle here is to flip your current DNS name, owa.domain.com, over to the 2010 CAS box so users still log in as usual. However, if a mailbox has been migrated to Exchange 2010, the user will log in and the Exchange 2010 CAS will directly access their mailbox from the 2010 mailbox server (which can be the same machine). These users will see the new, improved OWA 2010 experience.

However, users still on 2003 go to the same URL and log in as usual. However, the CAS will determine that their mailbox is still on the 2003 system, and therefore redirect them to the legacy URL. They will see the old (Exchange 2003) style OWA interface.

So... with that said, your SSL certificate will require a minimum of 3 names:
owa.domain.com
autodiscover.domain.com
legacy.domain.com
...plus any internal server names such as Exchange2010Server.domain.local

-Matt

mark-grant (Author) Commented:
Understood. When I did the CAS install I used "Configure Client Access Server External Domain" owa.domain.com. This FQDN would be the legacy FQDN on the Exchange 2003 server. I would now need to correct this. Can you explain how I would change this?

Alternatively, can I leave owa.domain.com in the CAS "Configure Client Access Server External Domain" and not select support for owa.domain.com (Exchange 2003 OWA/OAB) in "Use Legacy Domains" in Exchange 2010? The idea here would be to not have a new host for OWA/OAB on Exchange 2010 in the end. There are too many smartphones and users to touch.

tigermatt Commented:

>> I would now need to correct this. Can you explain how I would change this to?

Yep - you'll need to go through all the virtual directories and update their External URL properties to some other URL, say mail.domain.com or ex2010.domain.com. But this isn't the right thing for you to do. The Exchange 2010 should still be exposed on owa.domain.com, and the Exchange 2003 should be the one that changes its access URL (that doesn't affect the external CAS domain property on the 2010 box) -- see below.

>> do not select to support owa.domain.com (2003 Exchange OWA/OAB) in "Use Legacy Domains" in Exchange 2010

Really, to be honest, the wizard isn't actually doing anything special, so it doesn't matter what you punch in on that page. That first page is just collecting a bunch of information in an attempt to guess what URLs you do and don't need. You get to refine those settings on the next page. So just enable whatever you think is right, hit Next, and then you can actually customise the SAN names from the certificate request at your leisure. I usually just pick one option to bypass that first "wizard" page and then add/remove the names manually.

>> The idea here would be to not have a new host for OWA/OAB on Exchange 2010 in the end

Really, the best course of action for you is as defined in my first post.

Configure the firewall to point owa.domain.com to the Exchange 2010 box. Add a legacy.domain.com with port 443 open direct to the 2003 server.

Configure the Exchange2003Url property on the Exchange 2010 OWA Virtual Directory, so it knows where to send OWA logon requests for Exchange 2003 mailboxes.

With the proper configuration, Activesync requests go to the Exchange 2010 CAS on owa.domain.com, which proxies the requests to the proper Exchange 2003 back-end servers. Outlook Anywhere also gets proxied correctly. Any OWA traffic is redirected to the legacy URL you configured.

You don't need to touch anything, and users still log in to OWA at exactly the same URL as they are used to.

The only difference is Exchange 2010 now serves up the logon page, which will be the new Exchange 2010 format. It then decides where to send an OWA request after the user authenticates: it either services itself for an Exchange 2010 mailbox user or redirects to the legacy URL for an Exchange 2003 user.

That is the optimum configuration, and allows for co-existence without the users ever having to be told something different. It also means there are no configuration changes after their mailbox is migrated. Everything goes through the 2010 CAS and continues to do so before and after the mailbox is moved.

You might want to refer to the following posts, then let me know if you have further questions. Everything should be fairly straightforward. However, I fully appreciate that at first it can be difficult to fully understand what Exchange is doing.

http://technet.microsoft.com/en-us/library/ee332348.aspx
http://blogs.technet.com/b/exchange/archive/2009/12/08/3408985.aspx

-Matt
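The procedure laid out across both of tigermatt's replies (keep owa.domain.com on the 2010 CAS, point the OWA virtual directory's Exchange2003Url at a new legacy name, and request one SAN certificate covering every name) maps onto a short Exchange Management Shell script. The script below is an added example, not code from the thread or from Microsoft; the server name EX2010CAS, the internal FQDN EX2010CAS.domain.local, the autodiscover name and the C:\certs paths are assumptions, and domain.com stands in for the real domain exactly as it does in the answers.

```powershell
# Added example (not from the original thread): Exchange 2010 SP1 Management Shell
# commands for the co-existence layout described in the answers above.
# Server name, internal FQDN and file paths are assumptions; substitute your own.
$Cas      = "EX2010CAS"                # assumed: Exchange 2010 CAS server name
$Public   = "owa.domain.com"           # existing public name, now resolving to the 2010 CAS
$Legacy   = "legacy.domain.com"        # new public name, resolving directly to Exchange 2003
$Autod    = "autodiscover.domain.com"
$Internal = "EX2010CAS.domain.local"   # assumed: internal FQDN of the CAS

# 1. OWA on the 2010 CAS keeps the public name. Exchange2003Url is the address the
#    CAS redirects a browser to after logon when the mailbox is still on Exchange 2003,
#    so it must point at the 2003 server's own /exchange virtual directory.
Get-OwaVirtualDirectory -Server $Cas |
    Set-OwaVirtualDirectory -ExternalUrl "https://$Public/owa" `
                            -Exchange2003Url "https://$Legacy/exchange"

# 2. The remaining client-facing virtual directories also stay on the public name,
#    so ActiveSync, OAB and EWS requests arrive at the 2010 CAS and are proxied from there.
Get-EcpVirtualDirectory         -Server $Cas | Set-EcpVirtualDirectory         -ExternalUrl "https://$Public/ecp"
Get-ActiveSyncVirtualDirectory  -Server $Cas | Set-ActiveSyncVirtualDirectory  -ExternalUrl "https://$Public/Microsoft-Server-ActiveSync"
Get-OabVirtualDirectory         -Server $Cas | Set-OabVirtualDirectory         -ExternalUrl "https://$Public/OAB"
Get-WebServicesVirtualDirectory -Server $Cas | Set-WebServicesVirtualDirectory -ExternalUrl "https://$Public/EWS/Exchange.asmx"
Set-ClientAccessServer -Identity $Cas -AutodiscoverServiceInternalUri "https://$Autod/Autodiscover/Autodiscover.xml"

# 3. One certificate request whose SAN list holds every name a client will connect to:
#    public name, Autodiscover, legacy name and the internal server name.
#    The private key is marked exportable so the same certificate can later be
#    installed on the Exchange 2003 server to cover the legacy name.
$Req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=$Public" `
    -DomainName $Public, $Autod, $Legacy, $Internal `
    -PrivateKeyExportable $true
Set-Content -Path "C:\certs\$Public.req" -Value $Req     # assumed path; submit this file to the CA

# Once the CA returns the signed certificate (assumed saved as C:\certs\owa.cer),
# import it and bind it to IIS, which is the service OWA, OAB, EWS and ActiveSync use.
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "C:\certs\owa.cer" -Encoding Byte -ReadCount 0)) |
    Enable-ExchangeCertificate -Services IIS

# 4. Check the result: the OWA vdir should show the public ExternalUrl and the legacy
#    Exchange2003Url, and the certificate bound to IIS should list all four names.
Get-OwaVirtualDirectory -Server $Cas | Format-List Name, InternalUrl, ExternalUrl, Exchange2003Url
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } |
    Format-List Subject, CertificateDomains, NotAfter, Thumbprint
```

Two points to keep in mind when running this. The Exchange2003Url is a browser redirect, not a proxy, so legacy.domain.com has to resolve on the Internet, be open on 443 to the Exchange 2003 server, and be covered by the certificate that server presents; the exportable private key above is what lets you reuse the new SAN certificate there rather than buying a second one. And the order matters for users: cut the public DNS record over to the 2010 CAS only after the virtual directory URLs, the Exchange2003Url and the IIS certificate binding are all in place and the Format-List output in step 4 looks right.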