Solved

Exchange 2003/2010 Transition - Question about Certificate Changes for co-existence

Posted on 2011-09-14
Last Modified: 2012-05-12
Our organization is about to begin the transition to Exchange 2010 SP1 from Exchange 2003 SP2. All prerequisites have been met, and I’m ready to prep the schema, AD and domains.
 
Existing Organization:
Site 1:       1 Exchange 2003 Front-end server
                 1 Exchange 2003 MB server

Site 2:       1 Exchange 2003 MB server

All Users in the forest currently use the single front-end server for OWA and ActiveSync. External DNS for that server would be similar to “mail.contoso.com.”
 
The existing 2003 front-end will receive a new DNS entry of “legacy.contoso.com” and the new 2010 server hosting the CAS role will have a SAN-capable certificate with the following entries:

mail.contoso.com       (common name)
autodiscover.contoso.com
legacy.contoso.com
EX01.contoso.com     (generic internal host name)
Contoso.com

My question is about re-arranging DNS and SSL certificates for coexistence between 2003 and 2010. Can I install Exchange 2010 before making the changes above without any repercussions? Then, generate the certificate request for the Exchange 2010 server?

From the way I see it, we’re going to incur a decent amount of downtime for OWA and ActiveSync since I’ll need to remove the existing certificate on Exchange 2003 front-end, generate a new request for “legacy.contoso.com,” retrieve the new certificate from the CA, and change external DNS. Then I have to do the same thing for the new Exchange 2010 CAS server.

Does this sound right? Is there a way to generate the new certs without having to remove the existing one on the front-end server so the switch can be made relatively quickly?
Question by:JeremyThomas
 

Accepted Solution

by:ctc1900 (earned 500 total points)
ID: 36538717
Do you have Outlook 2007/2010 installed on your environment?  If you do, you might run into the Outlook certificate prompts until you sort out your certificate setup.

Regarding ActiveSync/OWA, the Exchange 2010 CAS role installation should not cause any problems as long as you keep your ActiveSync/OWA connecting through your Exchange 2003, but you'd need to sort out the certificate setup before cutting over ActiveSync/OWA access through Exchange 2010.

See

http://milindn.files.wordpress.com/2010/01/rapid-transition-guide-from-exchange-2003-to-exchange-2010.pdf

http://www.simple-talk.com/sysadmin/exchange/upgrade-exchange-2003-to-exchange-2010/

 

Author Comment

by:JeremyThomas
ID: 36538806
The vast majority of our Users are running Outlook 2010, but unfortunately we do have a number of them running Outlook 2003 as well.

The Users (with Outlook 2010) wouldn't receive any certificate errors until I moved their mailbox over to the 2010 server, correct? As long as all the Users' mailboxes are on the 2003 server, and I don't make any initial changes to existing DNS, the Exchange 2003 organization should function as it is in its current state then?

My ideal scenario is to install Exchange 2010 into the environment so I can configure policies, transport rules and address lists 'behind the scenes.' Once that's finished, I would make the DNS and SSL changes to point external services to the new exchange 2010 server before I begin moving mailboxes.
 

Expert Comment

by:ctc1900
ID: 36538872
Yes, the certificate warnings might show up for an improperly configured Exchange 2007 or Exchange 2010 CAS for Outlook 2007/2010 users.

You should be OK with installing the Exchange 2010 CAS role and beginning to set it up.
 

Expert Comment

by:Jamie McKillop
ID: 36540269
Hello,

You shouldn't have any downtime at all. Assuming your Exchange 2003 certificate is using the DNS name mail.contoso.com, you would order a new UCC certificate with the names:

mail.contoso.com       (common name)
autodiscover.contoso.com
EX01.contoso.com     (generic internal host name)
Contoso.com

You would then set up your Exchange 2010 CAS server and go through the proper steps to configure that server to proxy requests to the Exchange 2003 mailbox server. Use hosts file entries to test that everything works correctly. Once you have completed testing, simply change the DNS entry for mail.contoso.com so that it points to your Exchange 2010 CAS server. All your client traffic will then run through the CAS server. You can then set up your other 2010 roles and then start migrating mailboxes to the 2010 mailbox server.

JJ
 

Author Comment

by:JeremyThomas
ID: 36542471
Once you have completed testing, simply change the DNS entry for mail.contoso.com so that it point to your Exchange 2010 CAS server.

So I can go ahead and order the new UCC certificate with those names while the existing Exchange 2003 front-end continues to use the existing 'mail.contoso.com' DNS entry? Then the only downtime I would see at that point would be the changeover for the 2003 server from 'mail.contoso.com' to 'legacy.contoso.com,' correct?
 

Author Comment

by:JeremyThomas
ID: 36542519
Wouldn't I also need to have 'legacy.contoso.com' added to the UCC certificate as well?

Thanks

Expert Comment

by:Jamie McKillop
ID: 36542525
Yes, you can go ahead and order the certificate. You would not change the 2003 server to legacy.contoso.com. Once you make the DNS change, all your client traffic would use the 2010 CAS server and you would decommission the 2003 FE.

This makes the transition almost completely transparent to the end users. With ActiveSync devices, they will be prompted to accept the security policy from the 2010 CAS server, but Outlook and OWA users won't even be aware of the change until it is time to move their mailbox to the 2010 Mailbox server. You can schedule the mailbox moves after hours and there should be almost no impact.

JJ
 

Expert Comment

by:ctc1900
ID: 36542531
Yes, legacy would be needed (assuming you are planning to use that name for the Exchange2003URL attribute)
 

Expert Comment

by:Jamie McKillop
ID: 36542553
No, legacy is not needed as clients are no longer connecting to the Exchange 2003 FE.

JJ
 

Author Comment

by:JeremyThomas
ID: 36542618
I was under the assumption that Users with mailboxes still residing on the Exchange 2003 BE would still be accessing the Exchange 2003 FE for OWA and ActiveSync, just not directly. The 2010 CAS server would proxy those users over to the 2003 FE by use of the 'legacy' DNS name.

When the 2010 CAS server proxies requests back to the Exchange 2003 FE, is everything handled internally then? So I could have an internal DNS entry for 'legacy.contoso.com' so the 2010 CAS server knows where to point, but I wouldn't need the same DNS name to be available externally (and also wouldn't need to order another SSL certificate for the 2003 FE)?
 

Expert Comment

by:ctc1900
ID: 36542648
You need the Exchange 2003 URL externally for OWA/ActiveSync access.
 

Expert Comment

by:Jamie McKillop
ID: 36542934
Sorry, you are correct, you will need legacy for OWA access to mailboxes still on the 2003 mailbox server as 2010 CAS, unlike 2007 CAS, will not proxy OWA for legacy mailboxes.

So, you should get the two new certificates. Build the CAS server, install the UCC certificate on the CAS server. Now, you will incur minimal downtime as you activate the new certificate on the 2003 FE and change your DNS records.

JJ
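As an added example that is not from any poster in this thread, here are the certificate and coexistence steps the experts describe, expressed as Exchange 2010 SP1 Management Shell commands run on the new CAS. The server name EX01 and the SAN names come from the question; the request and certificate file paths, the organisation fields in the subject and the friendly name are placeholders.

```powershell
# Added example for the thread's plan: order one SAN (UCC) certificate for the 2010 CAS
# ahead of time, bind it, point OWA at the legacy 2003 URL, and verify the name list
# before the mail.contoso.com DNS record is repointed. Paths and subject fields are
# placeholders; EX01 is the CAS name used in the question.

# 1. Generate the request on the 2010 CAS. Nothing on the 2003 front-end is touched,
#    so its existing certificate keeps serving OWA/ActiveSync during the wait for the CA.
$names = "mail.contoso.com", "autodiscover.contoso.com", "legacy.contoso.com",
         "EX01.contoso.com", "contoso.com"
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "c=US, o=Contoso, cn=mail.contoso.com" `
    -DomainName $names `
    -PrivateKeyExportable $true `
    -FriendlyName "Contoso CAS SAN" `
    -KeySize 2048
Set-Content -Path "C:\certs\cas-san.req" -Value $req

# 2. When the CA returns the signed certificate, import it and bind it to IIS
#    (OWA, ActiveSync, Autodiscover, EWS). Enable-ExchangeCertificate is what
#    actually activates it; importing alone changes nothing client-facing.
$cert = Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "C:\certs\cas-san.cer" -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS

# 3. Tell the 2010 OWA virtual directory where 2003 mailboxes still live, so users
#    not yet moved are redirected to the legacy URL (this is the Exchange2003URL
#    attribute mentioned above) instead of getting an error after the DNS change.
Set-OwaVirtualDirectory -Identity "EX01\owa (Default Web Site)" `
    -ExternalUrl "https://mail.contoso.com/owa" `
    -Exchange2003Url "https://legacy.contoso.com/exchange"

# 4. Pre-cutover check: confirm the certificate bound to IIS carries every required
#    name. Run this during the hosts-file test, before repointing mail.contoso.com.
$bound   = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" }
$missing = $names | Where-Object { $bound.CertificateDomains -notcontains $_ }
if ($missing) {
    Write-Warning ("Certificate bound on EX01 lacks: " + ($missing -join ", "))
} else {
    Write-Host "All coexistence names present; safe to repoint mail.contoso.com"
}
```

The 2003 front-end still needs its own certificate for legacy.contoso.com, as the last two comments conclude; step 4 only validates the 2010 side.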