Exchange 2003/2010 Transition - Question about Certificate Changes for co-existence

Posted on 2011-09-14
Last Modified: 2012-05-12
Our organization is about to begin the transition to Exchange 2010 SP1 from Exchange 2003 SP2. All prerequisites have been met, and I’m ready to prep the schema, AD and domains.
 
Existing Organization:
Site 1:       1 Exchange 2003 Front-end server
                 1 Exchange 2003 MB server

Site 2:       1 Exchange 2003 MB server

All Users in the forest currently use the single front-end server for OWA and ActiveSync. External DNS for that server would be similar to “mail.contoso.com.”
 
The existing 2003 front-end will receive a new DNS entry of “legacy.contoso.com” and the new 2010 server hosting the CAS role will have a SAN-capable certificate with the following entries:

mail.contoso.com       (common name)
autodiscover.contoso.com
legacy.contoso.com
EX01.contoso.com     (generic internal host name)
Contoso.com

My question is about re-arranging DNS and SSL certificates for coexistence between 2003 and 2010. Can I install Exchange 2010 before making the changes above without any repercussions? Then, generate the certificate request for the Exchange 2010 server?

From the way I see it, we’re going to incur a decent amount of downtime for OWA and ActiveSync since I’ll need to remove the existing certificate on Exchange 2003 front-end, generate a new request for “legacy.contoso.com,” retrieve the new certificate from the CA, and change external DNS. Then I have to do the same thing for the new Exchange 2010 CAS server.

Does this sound right? Is there a way to generate the new certs without having to remove the existing one on the front-end server so the switch can be made relatively quickly?
Question by:JeremyThomas
12 Comments
 
LVL 4

Accepted Solution

by:
ctc1900 earned 2000 total points
ID: 36538717
Do you have Outlook 2007/2010 installed in your environment?  If you do, you might run into the Outlook certificate prompts until you sort out your certificate setup.

Regarding ActiveSync/OWA, the Exchange 2010 CAS role installation should not cause any problems as long as you keep your ActiveSync/OWA connecting through your Exchange 2003, but you'd need to sort out the certificate setup before cutting over ActiveSync/OWA access through Exchange 2010.

See

http://milindn.files.wordpress.com/2010/01/rapid-transition-guide-from-exchange-2003-to-exchange-2010.pdf

http://www.simple-talk.com/sysadmin/exchange/upgrade-exchange-2003-to-exchange-2010/

Author Comment

by:JeremyThomas
ID: 36538806
The vast majority of our Users are running Outlook 2010, but unfortunately we do have a number of them running Outlook 2003 as well.

The Users (with Outlook 2010) wouldn't receive any certificate errors until I moved their mailbox over to the 2010 server, correct? As long as all the Users' mailboxes are on the 2003 server, and I don't make any initial changes to existing DNS, the Exchange 2003 organization should function as it is in its current state then?

My ideal scenario is to install Exchange 2010 into the environment so I can configure policies, transport rules and address lists 'behind the scenes.' Once that's finished, I would make the DNS and SSL changes to point external services to the new Exchange 2010 server before I begin moving mailboxes.
 
LVL 4

Expert Comment

by:ctc1900
ID: 36538872
Yes, the certificate warnings might show up for an improperly configured CAS for Exchange 2007 or Exchange 2010 Outlook 2007/2010 users.

You should be OK with installing the Exchange 2010 CAS role and beginning to set it up.

 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 36540269
Hello,

You shouldn't have any downtime at all. Assuming your Exchange 2003 certificate is using the DNS name mail.contoso.com, you would order a new UCC certificate with the names:

mail.contoso.com       (common name)
autodiscover.contoso.com
EX01.contoso.com     (generic internal host name)
Contoso.com

You would then set up your Exchange 2010 CAS server and go through the proper steps to configure that server to proxy requests to the Exchange 2003 mailbox server. Use hosts file entries to test that everything works correctly. Once you have completed testing, simply change the DNS entry for mail.contoso.com so that it points to your Exchange 2010 CAS server. All your client traffic will then run through the CAS server. You can then set up your other 2010 roles, then start migrating mailboxes to the 2010 mailbox server.

JJ
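The "test with hosts file entries before changing DNS" step above is where certificate mistakes are caught cheaply. The following is an added example, not code from the thread or from Microsoft: a PowerShell function that connects to the new CAS by IP while presenting the public host name, lets .NET perform the same chain and name validation a client would, and lists the Subject Alternative Names so you can confirm every expected name is present before cutover. The IP address, host names and 30-day expiry threshold are assumed/constructed values.

```powershell
# Added example (not from the thread): pre-cutover TLS check for the new Exchange 2010 CAS.
# Connecting by IP with the public name supplied to AuthenticateAsClient means nothing in
# DNS or the hosts file has to change yet. IP and names below are placeholders.

function Test-CasCertificate {
    param(
        [string]$TargetIp,                     # internal IP of the new CAS (placeholder)
        [string]$HostName = 'mail.contoso.com', # name clients will use after cutover
        [string[]]$RequiredNames = @('mail.contoso.com', 'autodiscover.contoso.com', 'legacy.contoso.com')
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($TargetIp, 443)
    try {
        # Default validation is kept on purpose: an untrusted issuer or a name mismatch
        # throws here, which is exactly what Outlook/OWA users would see after cutover.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Pull the DNS names out of the Subject Alternative Name extension (OID 2.5.29.17).
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanNames = @()
        if ($sanExt) {
            $sanNames = $sanExt.Format($false) -split ',\s*' |
                ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }
        }
        $missing = @($RequiredNames | Where-Object { $sanNames -notcontains $_ })

        New-Object PSObject -Property @{
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
            SanNames = $sanNames
            Missing  = $missing
            # Ready only if every required name is covered and the cert is not about to expire.
            Ready    = ($missing.Count -eq 0) -and ($cert.NotAfter -gt (Get-Date).AddDays(30))
        }
    }
    finally { $tcp.Close() }
}

# Usage: run from a workstation that trusts the issuing CA, before touching DNS.
Test-CasCertificate -TargetIp '192.0.2.10' | Format-List
```

If `AuthenticateAsClient` throws, treat it as a blocker rather than something to click through: an Outlook 2007/2010 client receiving the same certificate will raise the prompt that ctc1900 warned about, and a cutover that trains users to accept certificate warnings undermines the whole point of the SAN certificate.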
 

Author Comment

by:JeremyThomas
ID: 36542471
Once you have completed testing, simply change the DNS entry for mail.contoso.com so that it points to your Exchange 2010 CAS server.

So I can go ahead and order the new UCC certificate with those names while the existing Exchange 2003 front-end continues to use the existing 'mail.contoso.com' DNS entry? Then the only downtime I would see at that point would be the changeover for the 2003 server from 'mail.contoso.com' to 'legacy.contoso.com,' correct?
 

Author Comment

by:JeremyThomas
ID: 36542519
Wouldn't I also need to have 'legacy.contoso.com' added to the UCC certificate as well?

Thanks
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 36542525
Yes, you can go ahead and order the certificate. You would not change the 2003 server to legacy.contoso.com. Once you make the DNS change, all your client traffic would use the 2010 CAS server and you would decommission the 2003 FE.

This makes the transition almost completely transparent to the end users. With ActiveSync devices, they will be prompted to accept the security policy from the 2010 CAS server, but Outlook and OWA users won't even be aware of the change until it is time to move their mailbox to the 2010 Mailbox server. You can schedule the mailbox moves after hours and there should be almost no impact.

JJ
 
LVL 4

Expert Comment

by:ctc1900
ID: 36542531
Yes, legacy would be needed (assuming you are planning to use that name for the Exchange2003URL attribute)
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 36542553
No, legacy is not needed as clients are no longer connecting to the Exchange 2003 FE.

JJ
 

Author Comment

by:JeremyThomas
ID: 36542618
I was under the assumption that Users with mailboxes still residing on the Exchange 2003 BE would still be accessing the Exchange 2003 FE for OWA and ActiveSync, just not directly. The 2010 CAS server would proxy those users over to the 2003 FE by use of the 'legacy' DNS name.

When the 2010 CAS server proxies requests back to the Exchange 2003 FE, is everything handled internally then? So I could have an internal DNS entry for 'legacy.contoso.com' so the 2010 CAS server knows where to point, but I wouldn't need the same DNS name to be available externally (and also wouldn't need to order another SSL certificate for the 2003 FE)?
 
LVL 4

Expert Comment

by:ctc1900
ID: 36542648
You need the Exchange 2003 URL externally for OWA/ActiveSync access.
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 36542934
Sorry, you are correct, you will need legacy for OWA access to mailboxes still on the 2003 mailbox server as 2010 CAS, unlike 2007 CAS, will not proxy OWA for legacy mailboxes.

So, you should get the two new certificates. Build the CAS server, install the UCC certificate on the CAS server. Now, you will incur minimal downtime as you activate the new certificate on the 2003 FE and change your DNS records.

JJ
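The plan the thread settles on is: request a SAN certificate for the 2010 CAS that includes legacy.contoso.com, install and enable it, and point the 2010 OWA virtual directory at the 2003 front-end's legacy name for mailboxes not yet moved. The following is an added example of those steps in the Exchange 2010 Management Shell; it is not code from the thread or from Microsoft's documentation. The host name EX01, the SAN list and legacy.contoso.com come from the question; the file paths, the O= and C= values in the subject, and the virtual directory identities are assumptions.

```powershell
# Added example (not from the thread): Exchange 2010 Management Shell steps for the
# certificate/coexistence plan discussed above. Paths and subject details are placeholders.

# 1. Generate one SAN request covering every name the CAS will answer for, including
#    the legacy name that 2010 will hand to users whose mailbox is still on 2003.
$sanNames = 'mail.contoso.com', 'autodiscover.contoso.com', 'legacy.contoso.com',
            'EX01.contoso.com', 'contoso.com'

$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'CN=mail.contoso.com, O=Contoso, C=US' `
    -DomainName $sanNames `
    -KeySize 2048 `
    -PrivateKeyExportable $true

# The request is PKCS#10 text; write it out for submission to the CA.
Set-Content -Path 'C:\certs\ex01-san.req' -Value $request

# 2. Once the CA issues the certificate, import it and bind it to IIS
#    (OWA, ActiveSync, EWS and Autodiscover all ride on the IIS binding).
$issued   = [Byte[]](Get-Content -Path 'C:\certs\ex01-san.cer' -Encoding Byte -ReadCount 0)
$imported = Import-ExchangeCertificate -FileData $issued
Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services IIS

# 3. Verify before cutover: the enabled certificate must carry every expected name.
$cert    = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint
$domains = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
$missing = @($sanNames | Where-Object { $domains -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning "Certificate is missing SAN entries: $($missing -join ', ')"
}

# 4. Point the 2010 CAS at the 2003 front-end for legacy OWA mailboxes. As the thread
#    concludes, this name must resolve externally and be covered by the 2003 FE's own
#    certificate, since 2010 CAS redirects OWA for 2003 mailboxes rather than proxying it.
Set-OwaVirtualDirectory -Identity 'EX01\owa (Default Web Site)' `
    -ExternalUrl 'https://mail.contoso.com/owa' `
    -Exchange2003Url 'https://legacy.contoso.com/exchange'

Set-ActiveSyncVirtualDirectory -Identity 'EX01\Microsoft-Server-ActiveSync (Default Web Site)' `
    -ExternalUrl 'https://mail.contoso.com/Microsoft-Server-ActiveSync'
```

The certificate for the 2003 front-end itself is still requested and installed through the IIS console on that server, as the thread describes; the only downtime window is the moment that server switches from answering as mail.contoso.com to answering as legacy.contoso.com while external DNS is repointed.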
