Will installing the 1st Exchange 2010 server cause instant Certificate errors for users?

Getting ready to install Exchange 2010 and do a transition from Exchange 2003.  I've purchased a transition guide, and one of the things that it mentions is:

"Now that the Exchange Server 2010 Client Access server has been installed, you may encounter certificate warnings for Outlook 2007 and Outlook 2010 users"

Does this mean as soon as the install is finished, all my internal Outlook 2007 users will begin to get certificate warnings??

I will be buying a SAN cert for the new server, but I need some time to generate the request (which can only be done after Exchange 2010 has already been installed), place the order and receive the new cert....


tenover (Author) Commented:
And I'm assuming I have to replace the current cert on the existing 2003 Exchange server with the new cert as well, right?
No, they will not get certificate errors right away.
First, if they are domain members, the certificate that will be created will be signed with the domain certificate, so internal domain members *should* never get a certificate prompt.

Even so, it isn't until you actually move the individual user mailbox from 2003 to 2010 that the user will start accessing the new exchange server.  When a mailbox is moved, it updates the information in Active Directory on where to find their mailbox and its associated exchange server, and directs it accordingly.

Hope that helps.

Joel Helgeson
Adam Brown (Sr Solutions Architect) Commented:
That means that once your users start going to the Exchange 2010 CAS server they'll get a certificate error when they run the autodiscover process. To resolve it you have to get the SAN cert installed. Only Outlook 2007 and 2010 use Autodiscover so those clients are the ones that will get the cert errors.
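
The name check behind the warnings discussed above, as an added PowerShell example that is not part of the original thread or Exchange's own code: a client accepts a certificate only if the host name it connects to is among the certificate's names. The host names and SAN lists are constructed, and `autodiscover.domain.com` is an assumed Autodiscover name; on an Exchange 2010 server the real list can be read from the `CertificateDomains` property returned by `Get-ExchangeCertificate`.

```powershell
# Added example: name coverage only. Whether the issuer is trusted is a separate check.
function Test-NameCovered {
    param(
        [string]$HostName,       # name a client connects to
        [string[]]$SanEntries    # DNS names listed on the certificate
    )
    $hostLabels = $HostName.ToLower().Split('.')
    foreach ($san in $SanEntries) {
        $sanLabels = $san.ToLower().Split('.')
        # A wildcard never spans several labels, so the label counts must match.
        if ($sanLabels.Count -ne $hostLabels.Count) { continue }
        $match = $true
        for ($i = 0; $i -lt $sanLabels.Count; $i++) {
            # A wildcard is honoured only as the entire left-most label.
            if ($i -eq 0 -and $sanLabels[0] -eq '*' -and $sanLabels.Count -gt 2) { continue }
            if ($sanLabels[$i] -ne $hostLabels[$i]) { $match = $false; break }
        }
        if ($match) { return $true }
    }
    return $false
}

function Get-UncoveredName {
    param([string[]]$Names, [string[]]$SanEntries)
    # Return every client-facing name that no SAN entry covers.
    @($Names | Where-Object { -not (Test-NameCovered -HostName $_ -SanEntries $SanEntries) })
}

# Constructed input: names Outlook and OWA clients would use (assumed for illustration).
$clientNames = @('autodiscover.domain.com', 'mail.domain.com', 'MAIL.domain.local')

# Constructed SAN lists: a certificate carrying only internal names,
# and a SAN certificate carrying the external names as well.
$internalOnlySans = @('MAIL', 'MAIL.domain.local')
$sanCertSans      = @('mail.domain.com', 'autodiscover.domain.com', 'MAIL.domain.local')

$missingBefore = Get-UncoveredName -Names $clientNames -SanEntries $internalOnlySans
$missingAfter  = Get-UncoveredName -Names $clientNames -SanEntries $sanCertSans

"Internal-only certificate leaves uncovered: $($missingBefore -join ', ')"
"SAN certificate leaves uncovered: $($missingAfter.Count) name(s)"
```

Running the same comparison against the names planned for the SAN request shows before ordering whether any client-facing name would still trigger a warning.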

tenover (Author) Commented:
Thanks Joel-
So if I understand correctly, I should basically be able to go through the entire install and configuration without any issues to users on the existing Exchange 2003 server.  It won't be until I change my NAT policy to point to the new EX2010 server that I will have to deal with any issues at all. When is the appropriate time in the installation/configuration to point the MX record to the new server instead of the old one?
tenover (Author) Commented:
acbrown- so I can install EX2010 and go through all the configuration, and as long as I install the new cert on both servers BEFORE modifying the MX record, I should be good to go with NO cert errors, correct?
Adam Brown (Sr Solutions Architect) Commented:
Well, there are two parts. Client access and mail flow. Mail flow is handled by Hub Transport role, Client access by the Client Access Server role (obviously :D). If you plan to have your users continue communicating with the Exchange 2003 Front end for exchange access until all users are migrated and everything works right on the Exchange 2010 server, you won't get certificate errors. However, if you migrate users' Outlook settings so they point to the 2010 CAS server before you have the SAN cert installed, they can get certificate errors on autodiscover while that is still at its default settings.
tenover (Author) Commented:
Hmmm.....you lost me.  I was planning on leaving all users on 2003 until I could configure 2010 as much as possible with certs, etc....THEN moving user mailboxes over once new certs were installed on both servers, OWA verified, etc....
tenover (Author) Commented:
Very simple setup.  Single Exchange 2003 server transitioning to a single 2010 server.....sometimes I think I'm making this more difficult than it will actually be, but my users tend to have anxiety attacks at the slightest hint that something has changed.....
Adam Brown (Sr Solutions Architect) Commented:
Heh. Yeah, Exchange 2003 to 2010 is a little weird. I'm not sure what your transition documentation is telling you to do, so it's a little difficult to explain the process. I'll try to clarify. Exchange 2010 has 3 basic parts to it: Client access (Used to allow users to access their mailbox through Outlook, OWA, ActiveSync, etc), Hub Transport (governs Mail Flow), and Mailbox Database (Holds the mailboxes). In a larger migration, you would have more than one Exchange server going at a time. In this situation, the first thing you would do is install an Exchange Client Access Server and configure your Outlook clients to use that. The CAS would allow users to connect to an Exchange 2010 server and that would then read the Exchange 2003 Mailbox Database to present their mail to them. The next step would then be to set up a Hub Transport Server and Mailbox Database server. Once that's done, you would flip the MX records or other configuration to point to the Hub Transport server, then move the mailboxes from the 2003 server to the 2010 server. That's an abbreviated version of the Exchange 2003 to 2010 migration process.

If you have everything for Exchange 2010 on a single server, you could do what you're trying, which is to set up the new server and get it configured, then switch everything over in one shot. This has a little more chance of failure because you have a lot of things going on. The piece by piece migration is a little easier because it lets you get each piece of the system working properly before moving to the next.

tenover (Author) Commented:
Thanks.  My finger is on the "Install" button but I'm scared!!

After the install of Ex2010, since everyone is on Exchange 2003, and my MX record still points to the Exchange 2003 server, there should be no mailflow issues or cert issues, right? Ex2003 users should still be able to send/receive from internal and external addresses and even to Exchange 2010 if I move a test user over there, right?
Adam Brown (Sr Solutions Architect) Commented:
*Should*. I haven't done that type of migration in the same forest before, though, so I can't say for certain.
tenover (Author) Commented:
Installation of mailbox role failed with:

Summary: 11 item(s). 9 succeeded, 1 failed.
Elapsed time: 00:05:14

Preparing Setup

Elapsed Time: 00:00:00

Stopping Services

Elapsed Time: 00:00:00

Copy Exchange Files

Elapsed Time: 00:00:23

Language Files

Elapsed Time: 00:00:02

Restoring services

Elapsed Time: 00:00:00


Elapsed Time: 00:00:00

Management Tools

Elapsed Time: 00:00:06

Hub Transport Role

Elapsed Time: 00:02:26

Client Access Role

Elapsed Time: 00:01:24

Mailbox Role

The following error was generated when "$error.Clear(); $arbUsers = @(get-user -Filter {lastname -eq "MSExchApproval 1f05a927-3be2-4fb9-aa03-b59fe3b56f4c"} -IgnoreDefaultScope -ResultSize 1); if ($arbUsers.Length -ne 0) { $mbxname = $arbUsers[0].name; $mbxs = @( get-mailbox -arbitration -Filter {name -eq $mbxname} -IgnoreDefaultScope -resultSize 1 ); if ( $mbxs.length -eq 0) { $dbs = @(get-MailboxDatabase -Server:$RoleFqdnOrName -DomainController $RoleDomainController); if ($dbs.Length -ne 0) { enable-mailbox -Arbitration -identity $arbUsers[0] -database $dbs[0].Identity; } } }" was run: "No provisioning handler is installed.".

No provisioning handler is installed.

Elapsed Time: 00:00:48

Finalizing Setup

ideas? suggestions?
Did you do the ADprep with the /PrepareLegacy switch?

Something wrong with your prereqs?

Here are the steps I follow when upgrading 2003 to 2010 - taken straight from my notes:
Launch command prompt
Change Directory to E:\ (exchange install CD)
  SETUP.com /PL [or /PrepareLegacyExchangePermissions]
  SETUP.com /PS [or /PrepareSchema]
  SETUP.com /P [or /PrepareAD]
  SETUP.com /PD [or /PrepareDomain]
From Exchange Server - Download the "Set-Exchange2010Prereqs.ps1" and "Set-Exchange2010FilterConfig20.ps1"
Right-click the script, and click 'unblock' to unblock it.
From powershell:
  set-executionpolicy remotesigned
  .\Set-Exchange2010Prereqs.ps1 (Run option 11)

Do NOT run the following from Powershell - run it from a regular command prompt
  SETUP.COM /mode:install /ROLES:HT,CA,MB,MT /EnableLegacyOutlook /LegacyRoutingServer:Exch2003.domain.local /ExternalCASServerDomain:mail.domain.com /InstallWindowsComponents /Mdbname:"Exchange Maiboxes" /DbFilePath:"E:\db\Mailbox\Exchange Mailboxes.edb" /LogFolderPath:"E:\db\Logs"

Log back in
Launch Exchange Powershell
  set-exchangeserver -identity MAIL -ProductKey GVMTV-GMXWH-C234M-8FMWP-TFPFP

Restart information store service from command prompt:
  net stop msexchangeis && net start msexchangeis

Launch Exchange PowerShell
Run the following
	Select option #3, then tell it yes to restart the service
	Select #5 to exit

- You will now have exchange installed.
