Will installing the 1st Exchange 2010 server cause instant Certificate errors for users?

Getting ready to install Exchange 2010 and do a transition from Exchange 2003.  I've purchased a transition guide, and one of the things that it mentions is:

"Now that the Exchange Server 2010 Client Access server has been installed, you may encounter certificate warnings for Outlook 2007 and Outlook 2010 users"

Does this mean as soon as the install is finished, all my internal Outlook 2007 users will begin to get certificate warnings??

I will be buying a SAN cert for the new server, but I need some time to generate the request (which can only be done after Exchange 2010 has already been installed), place the order and receive the new cert....

tenover Asked:
 
Adam Brown, Sr Solutions Architect, Commented:
Heh. Yeah, Exchange 2003 to 2010 is a little weird. I'm not sure what your transition documentation is telling you to do, so it's a little difficult to explain the process. I'll try to clarify. Exchange 2010 has 3 basic parts to it: Client Access (used to allow users to access their mailbox through Outlook, OWA, ActiveSync, etc.), Hub Transport (governs mail flow), and Mailbox Database (holds the mailboxes). In a larger migration, you would have more than one Exchange server going at a time. In this situation, the first thing you would do is install an Exchange Client Access Server and configure your Outlook clients to use that. The CAS would allow users to connect to an Exchange 2010 server and that would then read the Exchange 2003 Mailbox Database to present their mail to them. The next step would then be to set up a Hub Transport Server and Mailbox Database server. Once that's done, you would flip the MX records or other configuration to point to the Hub Transport server, then move the mailboxes from the 2003 server to the 2010 server. That's an abbreviated version of the Exchange 2003 to 2010 migration process.

If you have everything for Exchange 2010 on a single server, you could do what you're trying, which is to set up the new server and get it configured, then switch everything over in one shot. This has a little more chance of failure because you have a lot of things going on. The piece by piece migration is a little easier because it lets you get each piece of the system working properly before moving to the next.
 
tenover (Author) Commented:
And I'm assuming I have to replace the current cert on the existing 2003 Exchange server with the new cert as well, right?
 
jrhelgeson Commented:
No, they will not get certificate errors right away.
First, if they are domain members, the certificate that will be created will be signed with the domain certificate, so internal domain members *should* never get a certificate prompt.

Even so, it isn't until you actually move the individual user mailbox from 2003 to 2010 that the user will start accessing the new Exchange server. When a mailbox is moved, it updates the information in Active Directory on where to find their mailbox and its associated Exchange server, and directs it accordingly.

Hope that helps.

Joel Helgeson
 
Adam Brown, Sr Solutions Architect, Commented:
That means that once your users start going to the Exchange 2010 CAS server they'll get a certificate error when they run the autodiscover process. To resolve it you have to get the SAN cert installed. Only Outlook 2007 and 2010 use Autodiscover so those clients are the ones that will get the cert errors.
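
The check below is an added example, not part of the original thread: run from the Exchange Management Shell on the 2010 server, it reports, for each certificate enabled for IIS, whether it is self-signed and which of the names Outlook will connect to it does not cover. The host names `mail.domain.com` and `autodiscover.domain.com` and the helper name `Test-CertCoversName` are assumptions; substitute your own names.

```powershell
# Added example (not from the thread). Written for PowerShell 2.0 / Exchange 2010.
# Returns $true when one of the certificate's DNS names covers the host name.
function Test-CertCoversName {
    param([string[]]$CertNames, [string]$HostName)
    $h = $HostName.ToLower()
    foreach ($n in $CertNames) {
        $n = $n.ToLower()
        if ($n -eq $h) { return $true }
        # A wildcard (*.domain.com) covers exactly one left-most label
        if ($n.StartsWith('*.') -and $h.Contains('.') -and
            ($h.Substring($h.IndexOf('.')) -eq $n.Substring(1))) { return $true }
    }
    return $false
}

# Names clients will use. These two are placeholders (assumptions).
$required = @('mail.domain.com', 'autodiscover.domain.com')

# Internal Outlook 2007/2010 clients locate Autodiscover through this URI,
# so its host name must also be on the certificate.
foreach ($cas in Get-ClientAccessServer) {
    if ($cas.AutoDiscoverServiceInternalUri) {
        $required += ([Uri]"$($cas.AutoDiscoverServiceInternalUri)").Host
    }
}
$required = @($required | Sort-Object -Unique)

foreach ($cert in Get-ExchangeCertificate) {
    # Only the certificate enabled for IIS is presented to Outlook and OWA
    if ("$($cert.Services)" -notmatch 'IIS') { continue }
    $names   = @($cert.CertificateDomains | ForEach-Object { "$_" })
    $missing = @($required | Where-Object { -not (Test-CertCoversName $names $_) })
    New-Object PSObject -Property @{
        Thumbprint   = $cert.Thumbprint
        SelfSigned   = $cert.IsSelfSigned
        Expires      = $cert.NotAfter
        MissingNames = ($missing -join ', ')
    }
}
```

A non-empty `MissingNames` column, or `SelfSigned` set to True on clients that do not trust that certificate, is the condition under which Outlook shows the warning discussed above.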
 
tenover (Author) Commented:
Thanks Joel-
So if I understand correctly, I should basically be able to go through the entire install and configuration without any issues to users on the existing Exchange 2003 server. It won't be until I change my NAT policy to point to the new EX2010 server that I will have to deal with any issues at all. When is the appropriate time in the installation/configuration to point the MX record to the new server instead of the old one?
 
tenover (Author) Commented:
acbrown- so I can install EX2010 and go through all the configuration, and as long as I install the new cert on both servers BEFORE modifying the MX record, I should be good to go with NO cert errors, correct?
 
Adam Brown, Sr Solutions Architect, Commented:
Well, there are two parts. Client access and mail flow. Mail flow is handled by Hub Transport role, Client access by the Client Access Server role (obviously :D). If you plan to have your users continue communicating with the Exchange 2003 Front end for exchange access until all users are migrated and everything works right on the Exchange 2010 server, you won't get certificate errors. However, if you migrate users' Outlook settings so they point to the 2010 CAS server before you have the SAN cert installed, they can get certificate errors on autodiscover while that is still at its default settings.
 
tenover (Author) Commented:
Hmmm.....you lost me.  I was planning on leaving all users on 2003 until I could configure 2010 as much as possible with certs, etc....THEN moving user mailboxes over once new certs were installed on both servers, OWA verified, etc....
 
tenover (Author) Commented:
Very simple setup.  Single Exchange 2003 server transitioning to a single 2010 server.....sometimes I think I'm making this more difficult than it will actually be, but my users tend to have anxiety attacks at the slightest hint that something has changed.....
 
tenover (Author) Commented:
Thanks.  My finger is on the "Install" button but I'm scared!!

After the install of Ex2010, since everyone is on Exchange 2003, and my MX record still points to the Exchange 2003 server, there should be no mailflow issues or cert issues, right? Ex2003 users should still be able to send/receive from internal and external addresses and even to Exchange 2010 if I move a test user over there, right?
 
Adam Brown, Sr Solutions Architect, Commented:
*Should*. I haven't done that type of migration in the same forest before, though, so I can't say for certain.
 
tenover (Author) Commented:
Installation of mailbox role failed with:

Summary: 11 item(s). 9 succeeded, 1 failed.
Elapsed time: 00:05:14


Preparing Setup
Completed

Elapsed Time: 00:00:00


Stopping Services
Completed

Elapsed Time: 00:00:00


Copy Exchange Files
Completed

Elapsed Time: 00:00:23


Language Files
Completed

Elapsed Time: 00:00:02


Restoring services
Completed

Elapsed Time: 00:00:00


Languages
Completed

Elapsed Time: 00:00:00


Management Tools
Completed

Elapsed Time: 00:00:06


Hub Transport Role
Completed

Elapsed Time: 00:02:26


Client Access Role
Completed

Elapsed Time: 00:01:24


Mailbox Role
Failed

Error:
The following error was generated when "$error.Clear(); $arbUsers = @(get-user -Filter {lastname -eq "MSExchApproval 1f05a927-3be2-4fb9-aa03-b59fe3b56f4c"} -IgnoreDefaultScope -ResultSize 1); if ($arbUsers.Length -ne 0) { $mbxname = $arbUsers[0].name; $mbxs = @( get-mailbox -arbitration -Filter {name -eq $mbxname} -IgnoreDefaultScope -resultSize 1 ); if ( $mbxs.length -eq 0) { $dbs = @(get-MailboxDatabase -Server:$RoleFqdnOrName -DomainController $RoleDomainController); if ($dbs.Length -ne 0) { enable-mailbox -Arbitration -identity $arbUsers[0] -database $dbs[0].Identity; } } }" was run: "No provisioning handler is installed.".

No provisioning handler is installed.

Elapsed Time: 00:00:48


Finalizing Setup
Cancelled



ideas? suggestions?
 
jrhelgeson Commented:
Did you do the ADprep with the /PrepareLegacy switch?

Something wrong with your prereqs?

Here  are the steps I follow when upgrading 2003 to 2010 - taken straight from my notes:
 
Launch command prompt
Change Directory to E:\ (exchange install CD)
  SETUP.com /PL [or /PrepareLegacyExchangePermissions]
  SETUP.com /PS [or /PrepareSchema]
  SETUP.com /P [or /PrepareAD]
  SETUP.com /PD [or /PrepareDomain]
 
From Exchange Server - Download the "Set-Exchange2010Prereqs.ps1" and "Set-Exchange2010FilterConfig20.ps1"
http://www.ehloworld.com/188
http://www.ucblogs.net/files/folders/powershell/entry125.aspx
Right-click the script, and click 'unblock' to unblock it.
From powershell:
  get-executionpolicy
  set-executionpolicy remotesigned
  .\Set-Exchange2010Prereqs.ps1 (Run option 11)

Do NOT run the following from Powershell - run it from a regular command prompt
  SETUP.COM /mode:install /ROLES:HT,CA,MB,MT /EnableLegacyOutlook /LegacyRoutingServer:Exch2003.domain.local /ExternalCASServerDomain:mail.domain.com /InstallWindowsComponents /Mdbname:"Exchange Maiboxes" /DbFilePath:"E:\db\Mailbox\Exchange Mailboxes.edb" /LogFolderPath:"E:\db\Logs"

*****REBOOT*****
Log back in
Launch Exchange Powershell
  get-exchangeserver
  set-exchangeserver -identity MAIL -ProductKey GVMTV-GMXWH-C234M-8FMWP-TFPFP

Restart information store service from command prompt:
  net stop msexchangeis && net start msexchangeis

Launch Exchange PowerShell
Run the following
  .\Set-Exchange2010FilterConfig20.ps1
	Select option #3, then tell it yes to restart the service
	Select #5 to exit

- You will now have exchange installed.

Question has a verified solution.