
Exchange 2003 and 2010 coexistence and certificate help needed

wpstech asked:
I need some clarification on the names needed for the UCC/SAN certificate for an Exchange 2010 transition. I have the following: 1 front-end Ex2003, 1 back-end Ex2003, 2 new Ex2010 with CAS, HT and Mailbox on both boxes. These boxes will have a CAS array with no load balancing, and they will have a DAG.

What names will the new cert need? If it needs the legacy.domain.com name, do I physically need to change the 2003 server names to legacy? If so, which one, front end or back end? When I create the cert request, which new Ex2010 box do I do it from? Does this cert need the FQDNs of both new servers? Do I need to create a new certificate for the legacy box that changes its name to legacy? I need a lot of clarification on all of these naming convention changes and the naming needed for the certificate(s). Thanks in advance.

Commented:
When you create a SAN certificate you need to include all the server names and the DNS records that point to the server, for example server.domain.com, domain.com, autodiscover.domain.com etc., for the internal FQDN as well as the external FQDN. You can generate the cert request from either of the two Exchange 2010 machines and then create the certificate through the certification authority web enrollment on the server that holds the certification authority role.
Madan Sharma, Consultant

Commented:
You need a multiple-SAN-name certificate for Exchange 2010, which must include the following SAN names:
autodiscover.yourdomainname.com
owa.yourdomainname.com
your CAS FQDN, or your CAS array name if you are using a CAS array
legacy.yourdomain.com

You can use this single certificate on both Exchange 2010 and Exchange 2003.
Check this link on how to configure your Exchange 2010 and 2003 to work with this certificate:
http://exchangeserverpro.com/exchange-2003-2010-coexistence

Note: if you receive an error accessing OWA 2003 after doing the above configuration, then please make sure you have enabled form-based authentication on Exchange 2003.
Check this link: http://exchangeserverpro.com/exchange-2010-owa-legacy-url-redirection-http-500-error

Hope the above information will be helpful to you.
Breaking down your question

Environment:
========
1 front-end Ex2003, 1 back-end Ex2003, 2 new Ex2010 with CAS, HT and Mailbox on both boxes. These boxes will have a CAS array with no load balancing, and they will have a DAG.

Questions and Answers:
===============
What names will the new cert need?
It needs all the names that are accessible from the external world, like:
OWA.domain.com
autodiscover.domain.com
legacy.domain.com
(You can also have the 2 CAS servers' FQDNs if that's possible.)


If it needs the legacy.domain.com name, do I physically need to change the 2003 server names to legacy? If so, which one, front end or back end?
Yes, it needs legacy.domain.com, and this should be pointed to the Exchange 2003 FE server.


When I create the cert request, which new Ex2010 box do I do it from? Does this cert need the FQDNs of both new servers? Do I need to create a new certificate for the legacy box that changes its name to legacy?
You can create it from either of the 2 CAS servers; the only thing you need to keep in mind is to import it on that server first when you get the certificate. For the rest of the question, check the first answer.
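The two answers above (the SAN-name list and the breakdown of where to generate, import and point the legacy URL) describe one procedure. Here is that procedure as an added Exchange Management Shell example; it is not code from the thread or from the linked articles. The domain names, the CAS server name CAS01, the organization details and the file paths under C:\certreq are placeholders you would replace with your own. Whether to add the CAS array FQDN to the certificate is left as a commented-out line, since the thread itself is split on that point.

```powershell
# Run in the Exchange Management Shell on ONE of the two Exchange 2010 CAS servers.
# The private key is created here, so the signed certificate must come back to this box first.

# Names to cover on the UCC/SAN certificate (placeholders for your own domain)
$sanNames = @(
    "owa.domain.com",           # OWA/ECP/EWS/ActiveSync/OAB, internal and external
    "autodiscover.domain.com",  # Autodiscover
    "legacy.domain.com"         # DNS points this at the Exchange 2003 front-end server
    # ,"outlook.domain.com"     # CAS array FQDN: add only if you want it on this cert (thread disagrees)
)

# 1. Generate the PKCS#10 request and save it for the CA (placeholder O= and C=)
$request = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=owa.domain.com, O=Contoso, C=US" `
    -DomainName $sanNames `
    -PrivateKeyExportable $true `
    -FriendlyName "Exchange 2010/2003 coexistence SAN"
Set-Content -Path "C:\certreq\exchange.req" -Value $request -Encoding ASCII

# ---- after the CA returns the signed certificate as C:\certreq\exchange.cer ----

# 2. Import on the same server that generated the request (it pairs with the private key here)
Import-ExchangeCertificate -FileData ([Byte[]]$(Get-Content -Path "C:\certreq\exchange.cer" -Encoding Byte -ReadCount 0))

# 3. Check every expected name is really in the certificate before binding it to services
$cert = Get-ExchangeCertificate | Where-Object { $_.FriendlyName -eq "Exchange 2010/2003 coexistence SAN" }
$missing = $sanNames | Where-Object { $cert.CertificateDomains -notcontains $_ }
if ($missing) { throw "Certificate is missing SAN names: $($missing -join ', ')" }

# 4. Bind it to IIS (OWA, EWS, ActiveSync, Autodiscover) and SMTP on this CAS
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP"

# 5. Export with the private key for the second CAS server and the Exchange 2003 front end
$pfxPassword = Read-Host "PFX password" -AsSecureString
$pfx = Export-ExchangeCertificate -Thumbprint $cert.Thumbprint -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path "C:\certreq\exchange.pfx" -Value $pfx.FileData -Encoding Byte

# 6. Tell Exchange 2010 OWA where 2003 mailboxes are served (the 2003 FE answering as legacy.domain.com)
Set-OwaVirtualDirectory -Identity "CAS01\owa (Default Web Site)" -Exchange2003Url "https://legacy.domain.com/exchange"
```

Step 3 is the check worth keeping even if you do everything else through the GUI: a certificate that silently lacks one of the names (typically the legacy name) is what produces the OWA 2003 redirection errors the thread mentions. The exported PFX is then imported on the other CAS server with Import-ExchangeCertificate and on the 2003 front end through the IIS certificate wizard; legacy.domain.com is only a DNS name and a URL setting, not a server rename.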

Author

Commented:
Thanks for the input. For further clarification...

- Do I need to add the FQDN (internal network name) of both 2010 boxes, as well as the CAS array name (I will have a CAS array), to the SAN cert?
- Do I have to physically change the name of the 2003 FE server to legacy.domain.com, or do I simply assign the current 2003 FE server name as the 2003 legacy URL when I define that property in the Ex2010 shell?
- Does this new SAN cert get imported to both 2003 servers (FE and Mailbox)? If so, does it replace the existing/current cert, or is it added in addition?
Madan Sharma, Consultant
Commented:
You just need to have only the CAS array name.

No need to change the name of the server physically; legacy.domain.com will be the address to access Exchange 2k3 OWA.

You can import the certificate on both, but importing it on the FE, I believe, is enough. It will be added in your cert store; you can also assign the old certificate if ever needed.

Author

Commented:
Sorry, but other documentation I'm reading leads me to believe that I do not need the CAS array name on the cert, since it is only used for MAPI (internal) connections and I wouldn't want that name resolvable on the public Internet anyway...

Next, do I actually use "legacy.domain.com", or do I use the actual server name of the 2003 FE server?