Exchange 2003/2010 Transition - Question about Certificate Changes for co-existence
Posted on 2011-09-14
Our organization is about to begin the transition to Exchange 2010 SP1 from Exchange 2003 SP2. All prerequisites have been met, and I’m ready to prep the schema, AD and domains.
Site 1: 1 Exchange 2003 front-end server, 1 Exchange 2003 MB server
Site 2: 1 Exchange 2003 MB server
All users in the forest currently use the single front-end server for OWA and ActiveSync. External DNS for that server would be similar to “mail.contoso.com.”
The existing 2003 front-end will receive a new DNS entry of “legacy.contoso.com” and the new 2010 server hosting the CAS role will have a SAN-capable certificate with the following entries:
mail.contoso.com (common name)
EX01.contoso.com (generic internal host name)
My question is about re-arranging DNS and SSL certificates for coexistence between 2003 and 2010. Can I install Exchange 2010 before making the changes above without any repercussions, and then generate the certificate request for the Exchange 2010 server?
The way I see it, we’re going to incur a decent amount of downtime for OWA and ActiveSync, since I’ll need to remove the existing certificate on the Exchange 2003 front-end, generate a new request for “legacy.contoso.com,” retrieve the new certificate from the CA, and change external DNS. Then I have to do the same thing for the new Exchange 2010 CAS server.
Does this sound right? Is there a way to generate the new certs without having to remove the existing one on the front-end server so the switch can be made relatively quickly?