Exchange 2010 CAS Cutover

I am currently in the process of doing a Microsoft Exchange cutover as suggested by my MS PFE. I have gone through and configured two CAS/HUB/MB servers behind a Barracuda NLB. I have moved one of my mailboxes to the 2010 server and internally I am able to get to it.
What my PFE has suggested is that before I change the MIP on my firewall, I perform all the steps I have and everything should work (she called this our CAS cutover). After testing this for a week we should then do the mail flow cutover.
Well, I feel like I have gone through every setting 10 times, and when I am logged into my computer at the office I am able to get my email. Also, I can go to OWA and get my email (from internal); however, I can't get email to come through to my phone, and I am unable to figure out what I am missing. Sorry if this is a jumbled mess, but I have been up the majority of the night working on this.
Here is my setup:

Exchange 2007 Environment
1 Exchange 2007 Edge Transport Server
1 Exchange 2007 Server

Exchange 2010 Environment:
2 Barracuda 340 Load Balancers
2 Exchange 2010 SP1 Edge Transport servers

2 Barracuda 340 Load Balancers w/SSL Offloading enabled
2 Exchange 2010 SP1 CAS/HUB/MB servers

I have created the certificate with our email domain and all subject alternative names, as well as created the internal DNS record for and pointed that at our 2007 Exchange Server.
I have named the cas array and put the DNS records in place for that.

I have imported the certificate to my server, and enabled it for IIS and SMTP.

I have pointed all my external URLs at the URL.
I have updated my internal DNS so that points to 2007 Exchange and points to 2010 Exchange.

Now, externally when I go to I get the 2007 box still, which makes sense as I haven't changed the firewall settings yet; however, shouldn't 2007 be aware of 2010 and redirect accordingly? Also, ActiveSync is not working for me now either since I am on 2010, and supposedly that should be working as well.
Jessie Gill, CISSP, Technical Architect, commented:
You need to hit the 2010 CAS servers for ActiveSync to work for you. The 2010 CAS servers have the ability to do ActiveSync proxying and redirection, but the 2007 CAS servers do not.

Same for OWA redirection. When the 2010 CAS detects what mailbox version you are, it will either connect to the 2010 mailbox or send your request to, and that should point to your 2007 CAS, at which point the 2007 CAS will do the rest. The system is not very smart, but it only works when the 2010 CAS servers are getting hit with the requests. All the proxying and redirection only goes from 2010 to 2007, except for Hubs, which send mail back and forth to each other using SMTP depending on which version of Exchange you are on.

When I did my migration, I did a CAS and Hub cutover first, then moved mailboxes once I knew coexistence was working.

What you can do if you want to test ActiveSync a bit is run the Exchange connectivity tool: make another DNS alias like, publish that to the external DNS, and then on your firewall point that at your CAS array. When you run the tool online, use the alias and the ignore-SSL option; if the test passes you are most likely fine and can do a CAS cutover.

One thing when you are doing your CAS cutover: make sure you leave the internal and external URLs for the 2007 CAS in the ActiveSync section empty. Many phones such as the iPhone can't do redirection, so you need the 2010 CAS to proxy the ActiveSync.
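
As an added example (not part of the original thread or either participant's own script), the Exchange Management Shell checks that correspond to the advice above: confirm the 2007 ActiveSync virtual directory has no InternalUrl/ExternalUrl so the 2010 CAS proxies rather than redirects, confirm every 2010 CAS publishes the same external URL, and run the built-in synthetic ActiveSync test against that URL. The server names, the external hostname and the test account are placeholders, not values from the thread.

```powershell
# Added example, not from the original thread. Run in the Exchange 2010 Management Shell.
# Placeholders: CAS2007, CAS2010A/CAS2010B and mail.example.com are assumptions.
$legacyCas   = 'CAS2007'
$newCas      = 'CAS2010A', 'CAS2010B'
$externalUrl = 'https://mail.example.com/Microsoft-Server-ActiveSync'

# 1. The 2007 EAS virtual directory must carry no URLs. If it does, a 2010 CAS answers a
#    legacy-mailbox device with a redirect to that URL instead of proxying the session,
#    and devices that do not follow redirects stop syncing.
$legacyEas = Get-ActiveSyncVirtualDirectory -Server $legacyCas
if ($legacyEas.ExternalUrl -or $legacyEas.InternalUrl) {
    Write-Warning "$legacyCas EAS vdir still has URLs set; clearing them so 2010 proxies."
    $legacyEas | Set-ActiveSyncVirtualDirectory -InternalUrl $null -ExternalUrl $null
}
# Proxying from 2010 to a 2007 CAS uses Integrated Windows authentication on the legacy vdir.
if (-not $legacyEas.WindowsAuthEnabled) {
    Write-Warning "$legacyCas EAS vdir has Windows authentication off; enabling it for proxying."
    $legacyEas | Set-ActiveSyncVirtualDirectory -WindowsAuthEnabled $true
}

# 2. Every 2010 CAS behind the load balancer should present the URL the MIP will point at.
foreach ($server in $newCas) {
    $eas = Get-ActiveSyncVirtualDirectory -Server $server
    if ($eas.ExternalUrl -ne $externalUrl) {
        Write-Warning "$server ExternalUrl is '$($eas.ExternalUrl)', expected '$externalUrl'"
    }
}

# 3. Synthetic EAS session against the published URL, i.e. through the CAS array.
#    Use an ordinary test mailbox: accounts in protected groups (Domain Admins and the like)
#    fail ActiveSync by design, as the next reply in the thread explains.
$cred = Get-Credential -Message 'Test mailbox credentials (not a domain admin)'
Test-ActiveSyncConnectivity -URL $externalUrl -MailboxCredential $cred -TrustAnySSLCertificate |
    Format-Table Scenario, Result, Latency, Error -AutoSize
```

Run the 2007 checks before the firewall change, because once the MIP moves every device request lands on 2010 and any redirect-instead-of-proxy behaviour shows up as a fleet-wide sync failure. Use -TrustAnySSLCertificate only while testing an alias that is not yet on the certificate; the production hostname should validate cleanly.
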

Svet Paperov, IT Manager, commented:
About getting the mail on the phone: I presume it's an ActiveSync-compatible phone and, I also presume, you are testing it with your enterprise/domain admin account, right? In Exchange 2010, that doesn't work by design. It also fails when you do the ActiveSync test on with a domain admin account.

Here is why:

So, the solution is to enable "Include inheritable permissions from this object's parent" for the user account, as explained in the previous link. Then you will be able to synchronize the phone with the server. After synchronizing, you can disable the inheritance again or just leave it like that; the system will disable it in about an hour. For more information about AdminSDHolder, protected groups and SDPROP, please follow the link.
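
As an added example (not part of the original thread), the same check and fix from the shell: read the account's adminCount, see whether inheritance is blocked on its AD object, and re-enable inheritance so Exchange can create the ActiveSync device container under the user. It needs the ActiveDirectory module (RSAT) and uses the AD: PSDrive that module provides; the account name is a placeholder.

```powershell
# Added example, not from the original thread. Requires the ActiveDirectory module (RSAT).
# 'jdoe' is a placeholder account name.
Import-Module ActiveDirectory
$sam  = 'jdoe'
$user = Get-ADUser -Identity $sam -Properties adminCount, memberOf

# adminCount=1 means SDPROP has stamped this object from AdminSDHolder because the account
# is (or was) in a protected group; that stamping also turns off ACL inheritance.
$path = "AD:$($user.DistinguishedName)"
$acl  = Get-Acl -Path $path
"{0}: adminCount={1} inheritanceBlocked={2}" -f $sam, $user.adminCount, $acl.AreAccessRulesProtected
$user.memberOf | ForEach-Object { "  member of: $_" }

if ($acl.AreAccessRulesProtected) {
    # Exchange 2010 creates the device partnership as a child object of the user. With
    # inheritance blocked, the rights the Exchange Servers group inherits from the domain
    # never reach this object and the first sync fails.
    # SetAccessRuleProtection($false, $true): un-protect the ACL, keep the explicit ACEs.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
    Write-Warning "Inheritance re-enabled on $sam. SDPROP will block it again within about an hour while the account remains in a protected group."
}
```

The durable fix is the one the reply implies: do not use a protected-group account for mail or for ActiveSync testing, since SDPROP re-applies the AdminSDHolder descriptor on its next pass and the sync breaks again for any new device partnership.
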
malarkie (Author) commented:
Again, thanks for the great information. I was able to find that the previous administrator had made a few web.config changes that were interfering with one of the CAS servers working as expected. Once I resolved this, ActiveSync started working ... well, kind of.

Great information as well. On my account, I had to set "Include inheritable permissions from this object's parent", and that is what got me through the rest of my issue.

Thank you both.