simlip

Migration from Exchange 2003 to 2010

Hi,

I have a domain controller with Windows 2003 Server and Exchange 2003.

If I want to do a migration from Exchange 2003 to 2010, I need an internal certificate authority.

Step by step:
- Join the new server (Windows 2008) to the domain
- Install the Exchange 2010 prerequisites
- Install Exchange 2010

But when and where must I install the certificate authority? On the DC running Windows 2003? On the new server?

Thanks,

Regards,

Sim
Last comment: Carol Chisholm, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Carol Chisholm

simlip

ASKER
Hi
Thanks for your reply.
As the budget is restricted, I cannot buy a certificate from a professional authority.
That's why I need an internal PKI.
Thanks
Regards,
sim
Carol Chisholm

Yes, but you will have to pay more for an internal PKI server than for a cert. They are $89.99 or thereabouts at GoDaddy (per year).
A Windows server licence is more than that, and the risks and administrative hassle are just not worth it if you are a beginner in PKI.
If you have iPhones and so on to connect, and need to do Outlook Anywhere, publish SharePoint securely, you really need to know what you are doing.

Really it is worth getting $100 per year added to your budget for the time and sleep you will save.
SOLUTION
Chris

simlip

ASKER
Thanks all for your replies.
According to another forum, some people tell me that I need one internal PKI and an external PKI as I have a disjoint domain. Is it true?
Carol Chisholm

You can also change the URLs of your internal servers so they are identical to the external ones then you only need one PKI, and one certificate.

http://nathanwinters.co.uk/2010/05/30/script-to-set-internalurl-and-externalurl-for-all-exchange-2010-virtual-directories/
Chris

But that's only helpful if you have one external certificate. If you use an internal one, not only do you publish internal information out, but you will get issues with browsers and devices supporting/trusting it.
simlip

ASKER
Yes, I have a split DNS, i.e. domain.internal on the inside and domain.com on the outside.
I am not sure I understand ... do I need one external and internal PKI?
Carol Chisholm

The certificate you need contains the URLs needed to access the servers:

owa.contoso.com is a typical external URL (public certificate)
the internal one might be something like EX01.contoso.local (could be private certificate)

You can't put the internal URL in an external public certificate because it cannot be validated.
But you can change the URL (not the server name) of the virtual directory used internally as in the link I posted.

So internally you use owa.contoso.com and you can use the external certificate to encrypt both internal and external stuff. You have to add a DNS entry internally for the external URL pointing to the internal server.

Then you only need one public certificate for everything.
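
Added example, not part of the original thread: a PowerShell check of which virtual-directory host names a single public certificate's SAN list covers, before and after the internal URLs are changed to match the external ones as described in the post above. All host names, URLs, SAN entries and the two helper functions are constructed for illustration.

```powershell
# Added example: all names below are constructed; both function names are hypothetical.
function Test-NameCoveredBySan {
    param([string]$HostName, [string[]]$SanList)
    foreach ($san in $SanList) {
        if ($san -eq $HostName) { return $true }        # -eq ignores case
        if ($san.StartsWith('*.')) {
            # A wildcard stands for exactly one left-most label.
            $dot = $HostName.IndexOf('.')
            if ($dot -gt 0 -and $HostName.Substring($dot) -eq $san.Substring(1)) {
                return $true
            }
        }
    }
    return $false
}

function Get-UrlCoverage {
    param([hashtable]$ServiceUrls, [string[]]$SanList)
    foreach ($svc in ($ServiceUrls.Keys | Sort-Object)) {
        foreach ($url in $ServiceUrls[$svc]) {
            $name = ([uri]$url).Host
            # Assumption: single-label names and .local/.internal suffixes are
            # treated as names a public CA cannot validate.
            $internalOnly = ($name -notmatch '\.') -or ($name -match '\.(local|internal)$')
            New-Object PSObject -Property @{
                Service      = $svc
                HostName     = $name
                Covered      = (Test-NameCoveredBySan $name $SanList)
                InternalOnly = $internalOnly
            }
        }
    }
}

# SAN list of the single public certificate (constructed). On a real server it is
# the CertificateDomains property of the object Get-ExchangeCertificate returns.
$publicSans = @('owa.contoso.com', 'autodiscover.contoso.com')
# Internal and external URL per virtual directory, before and after the change.
$before = @{
    OWA = @('https://EX01.contoso.local/owa', 'https://owa.contoso.com/owa')
    EWS = @('https://EX01.contoso.local/EWS/Exchange.asmx', 'https://owa.contoso.com/EWS/Exchange.asmx')
}
$after = @{
    OWA = @('https://owa.contoso.com/owa', 'https://owa.contoso.com/owa')
    EWS = @('https://owa.contoso.com/EWS/Exchange.asmx', 'https://owa.contoso.com/EWS/Exchange.asmx')
}

Get-UrlCoverage $before $publicSans | Where-Object { -not $_.Covered } | Select-Object Service, HostName, InternalOnly
Get-UrlCoverage $after $publicSans | Where-Object { -not $_.Covered } | Select-Object Service, HostName, InternalOnly
```

Any row that is both uncovered and internal-only marks a URL that clients will hit with a certificate name mismatch until either the URL is changed or a privately issued certificate carries that name.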
simlip

ASKER
ok thanks,
Chris

If you are running or planning on running Unified Messaging, it will need a separate certificate - usually internal as it won't need external access.

If you are planning on following the advice to change the URLs, then be warned you will still need to add quite a few names into the certificate, which will end up being costly.

That's where having an internal cert to do the inside stuff like Autodiscover and containing both NetBIOS and internal FQDNs of the servers on and only use an external cert for anything that needs access externally, i.e. OWA
Carol Chisholm

As I said at the beginning, a 5 server SAN at GoDaddy is $89 per year.