We value your feedback.
Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!
COURSE of the MONTH
8 days, 1 hour left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Migration from exchange 2003 to 2010
Posted on 2013-01-01
Hi,
I have a domain controller with windows 2003 server and exchange 2003.
If I want to do a migration from exchange 2003 to 2010, I need an internal certificat authory.
Step by step:
- Join new server (windows 2008) on domain
- Install pre requisites exchange 2010
- Install Exchange 2010
But, when and where I must install the autory certificate ? DC under windows 2003 ? new server ?
Thanks,
Regards,
Sim
I have a domain controller with windows 2003 server and exchange 2003.
If I want to do a migration from exchange 2003 to 2010, I need an internal certificat authory.
Step by step:
- Join new server (windows 2008) on domain
- Install pre requisites exchange 2010
- Install Exchange 2010
But, when and where I must install the autory certificate ? DC under windows 2003 ? new server ?
Thanks,
Regards,
Sim
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
5
4-
4
- +1
14 Comments
Active 2 days ago
Certainly don't put a CA (certificate authority) on your DC.
Probably you're best to buy a certificate from a professional authority (Digicert, Godaddy) if you don't want to do internal PKI.
It is much safer to than doing your own and much less hassle.
You need a SAN cert.
Probably you're best to buy a certificate from a professional authority (Digicert, Godaddy) if you don't want to do internal PKI.
It is much safer to than doing your own and much less hassle.
You need a SAN cert.
Hi
Thank for your reply
As budget is stricted, I can not buy a certificate from a professionnal authority.
That's why i need an internal pki
Thanks
Regards,
sim
Thank for your reply
As budget is stricted, I can not buy a certificate from a professionnal authority.
That's why i need an internal pki
Thanks
Regards,
sim
Active 2 days ago
Yes but you will have to pay more for an internal PKI server than for a cert. They are $89.99 or thereabouts at Godaddy (per year)
A Windows server licence is more than that, and the risks and administrative hassle are just not worth it if you are a beginner in PKI.
If you have iPhones and so on to connect, and need to do Outlook anywhere, publish SharePoint securely, you really need to know what you are doing.
Really it is worth getting $100 per year added to your budget for the time ands sleep you will save.
A Windows server licence is more than that, and the risks and administrative hassle are just not worth it if you are a beginner in PKI.
If you have iPhones and so on to connect, and need to do Outlook anywhere, publish SharePoint securely, you really need to know what you are doing.
Really it is worth getting $100 per year added to your budget for the time ands sleep you will save.
Active today
do you need to do anthing externally i.e. active sync, outlook webaccess as this would force your bosses to reconsider
if you want to set up internal PKI you would be best off with 2 servers running 2K8R2 perferablly VM's as they don't need much resources
Make the first one a install a standalone root CA onto the first one use this one to sign the certificate for an Enterprise CA
Make the second server a member server and install a sub-ordinate enterprise CA
http://blog.ittoby.com/2012/04/creating-two-tier-pki-windows-2008r2.html - this should be a good guide
if you want to set up internal PKI you would be best off with 2 servers running 2K8R2 perferablly VM's as they don't need much resources
Make the first one a install a standalone root CA onto the first one use this one to sign the certificate for an Enterprise CA
Make the second server a member server and install a sub-ordinate enterprise CA
http://blog.ittoby.com/2012/04/creating-two-tier-pki-windows-2008r2.html - this should be a good guide
Hi,
While migrating you have to take care of these steps also:
1) Administrative Rights
2) Active Directory Permission for the new users creation (if you are creating)
3) While you are migrating you should also need to take care of things like Special Identification of each users when you are moving from the existing Exchange to the new Exchange
4) Even after migration (Whether it will be using a tool or manually), you need to create every user profile manually and it will ask for the outlook version.
I think that you should go in for the certificate.
For more you can follow this link
Thanks
While migrating you have to take care of these steps also:
1) Administrative Rights
2) Active Directory Permission for the new users creation (if you are creating)
3) While you are migrating you should also need to take care of things like Special Identification of each users when you are moving from the existing Exchange to the new Exchange
4) Even after migration (Whether it will be using a tool or manually), you need to create every user profile manually and it will ask for the outlook version.
I think that you should go in for the certificate.
For more you can follow this link
Thanks
Thank all for yours reply
According an another forum, some people say me that i need one intern PKI and external PKI as I have a disjoint domain. Is it true ?
According an another forum, some people say me that i need one intern PKI and external PKI as I have a disjoint domain. Is it true ?
Active today
by disjointed do you mean split DNS i.e. domain.internal on the inside and domain.com on the outside
if you want to use external domain names you won't be able to sign it from an internal PKI.
if you need to use OWA, active sync or outlook anywhere then you need to use an external
certificate
OWA would work without a valid certificate but you will get "certificate untrusted" errors from all browsers.
Active sync is unlikely to work as it won't trust the cert and most implementations of active sync requires this
if you want to use external domain names you won't be able to sign it from an internal PKI.
if you need to use OWA, active sync or outlook anywhere then you need to use an external
certificate
OWA would work without a valid certificate but you will get "certificate untrusted" errors from all browsers.
Active sync is unlikely to work as it won't trust the cert and most implementations of active sync requires this
Active 2 days ago
You can also change the URLs of your internal servers so they are identical to the external ones then you only need one PKI, and one certificate.
http://nathanwinters.co.uk/2010/05/30/script-to-set-internalurl-and-externalurl-for-all-exchange-2010-virtual-directories/
http://nathanwinters.co.uk/2010/05/30/script-to-set-internalurl-and-externalurl-for-all-exchange-2010-virtual-directories/
Active today
but thats only helpful if you have one external Certificate. If you use an internal one not only do you publish internal information out but you will get issues with browsers and devices supporting/trusting it
YEs I have a split DNS i.e. domain.internal on the inside and domain.com on the outside
I am not sure to understand ... does I need one external and internal PKI ?
I am not sure to understand ... does I need one external and internal PKI ?
Active 2 days ago
The certificate you need contains the URLs needed to access the servers:
owa.contoso.com is a typical external URL (public certificate)
the internal one might be something like EX01.contoso.local (could be private certificate)
You can't put the internal URL in an external public certificate because it cannot be validated.
But you can change the URL (not the server name) of the virtual directory used internally as in the link I posted.
So internally you use owa.contoso.com and you can use the external certificate to encrypt both internal and external stuff. You have to add a DNS entry internally for the external URL pointing to the internal server.
Then you only need one public certificate for everything.
owa.contoso.com is a typical external URL (public certificate)
the internal one might be something like EX01.contoso.local (could be private certificate)
You can't put the internal URL in an external public certificate because it cannot be validated.
But you can change the URL (not the server name) of the virtual directory used internally as in the link I posted.
So internally you use owa.contoso.com and you can use the external certificate to encrypt both internal and external stuff. You have to add a DNS entry internally for the external URL pointing to the internal server.
Then you only need one public certificate for everything.
Active today
if you are running on planning on running Unified messaging it will need a separate certificate - usually internal as it won't need external access.
If you are planning on following the advice to change the URL's then be warned you will still need to add quite a few names into the certificate which will end up being costly
Thats where having an internal cert to do the inside stuff like autodiscover and containing both netbios and internal FQDN's of the servers on and only use an external cert for anything that needs access externally i.e. OWA
If you are planning on following the advice to change the URL's then be warned you will still need to add quite a few names into the certificate which will end up being costly
Thats where having an internal cert to do the inside stuff like autodiscover and containing both netbios and internal FQDN's of the servers on and only use an external cert for anything that needs access externally i.e. OWA
Featured Post
Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies. Only from Platform Scholar.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
This article aims to explain the working of CircularLogArchiver. This tool was designed to solve the buildup of log file in cases where systems do not support circular logging or where circular logging is not enabled
If you troubleshoot Outlook for clients, you may want to know a bit more about the OST file before doing your next job. IMAP can cause a lot of drama if removed in the accounts without backing up.
In this video we show how to create a Resource Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center.
Log into Exchange Admin Center.:
Navigate to the Recipients >> Resources tab.: "Recipients" is our default selection …
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center.
Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center.
Navigate to the Servers >> Certificates…
Suggested Courses
Course of the Month8 days, 1 hour left to enroll
765 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.