Exchange 2003/2010 coexistence design

I would like to get some guidelines from an expert who has practically designed and configured coexisting Exchange 2003/2010, especially in the areas of DNS/OWA/front end server and NATting.

For instance, what public DNS records need to be at the registrar?
What needs to be NATted?
What needs to be configured on the CAS server in order for the CAS server to be able to determine whether the requested access is to be redirected to the front end server or to Exchange 2010 mailboxes?

I have read some articles online, but they are not really clear about that.

Thank you
Malli Boppe Commented:
You probably already have a record pointing to Exchange 2003.
You need the following records in the public DNS when Exchange 2010 and Exchange 2003 servers are in coexistence:
- pointing to the Exchange 2010 CAS
- pointing to the Exchange 2010 CAS
- pointing to the Exchange 2003 front end server

Once these records are created, you need to make the NAT changes on your firewall.

You need to have 2 public IP addresses for the above configuration to work.
Also you need a SAN certificate with the following domain names for Exchange 2010.
jskfan (Author) Commented:
<<< pointing to the Exchange 2010 CAS, pointing to the Exchange 2010 CAS, pointing to the Exchange 2003 front end server >>>

Which of the records will be in both public and internal DNS?

When a user who has a mailbox in 2003 tries to access it from OWA, how does he get directed to Exchange 2003 instead of Exchange 2010, and vice versa? Can you please describe the routing process?

Malli Boppe Commented:
You need to have the above records in both internal and external DNS.
Also you need to have an SSL certificate for

You have to run the PowerShell commands on the Exchange 2010 for the OWA redirection to work.
The link below is a guide about how to redirect OWA for Exchange 2003:
jskfan (Author) Commented:
The dark spot is: how does the CAS server know whether the user trying to access email has a mailbox in Exchange 2003 or Exchange 2010?

I guess the following are the steps; correct me where I am wrong:

- users type on the browser....
- external DNS will know that it is an Exchange server as it has an MX record
- they hit the firewall, and the NAT will translate traffic coming in on port 25 to the IP address of the CAS array (virtual IP address of multiple CAS servers)
- from CAS onwards, I am not sure how it will know whether to redirect the request to the front end server if the user has a mailbox in Exchange 2003 or directly to the Exchange 2010 mailbox
jskfan (Author) Commented:
I guess this link explains it a bit better:
jskfan (Author) Commented:
On this line:
<<< 4. Since the user's mailbox is located on Exchange 2003, CAS2010 will then silently redirect the user's browser session to >>>

I wonder if they mean that the request will be redirected to the external DNS again?
jskfan (Author) Commented:
I did some reading on the link I posted above. What I understood regarding OWA was:

- when users type , then username and password, their request will be redirected to the firewall,
- the firewall will see that it is SMTP traffic; it will NAT the IP to the CAS server IP; the CAS will query Active Directory for the user mailbox location; if it is in Exchange 2003 then the request will be redirected to , which is pointing to the front end server...
The front end server will know which of the Exchange 2003 servers the user mailbox is on, and will redirect the user to that server's mailbox.

Even if I am understanding it right, it is still a big loop to me.

--- To me, as long as CAS can query AD and determine where the user mailbox is, why should it not just redirect the user request to that mailbox server, as it does with users that have their mailboxes in 2010, instead of sending them back to ,
at least it should send them to (not the URL); in internal DNS should be pointing to the IP of the FE...

Any expert out there to clear up the confusion?

Malli Boppe Commented:
Exchange 2010 CAS servers are not able to communicate with Exchange 2003 back end servers. This is by design. So any request for Exchange 2003 mailboxes would be redirected to the Exchange 2003 front end server, and it would send the request to the relevant mailbox servers.
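As an added example (not the poster's commands and not the linked guide), the Exchange 2010 Management Shell configuration behind the "PowerShell commands for the OWA redirection" mentioned earlier, together with the checks that show how CAS 2010 decides where a mailbox lives and whether the certificate covers the legacy name. CAS01, mail.example.com, legacy.example.com and the mailbox name are placeholders; substitute the names from your own DNS records.

```powershell
# Added example, not from the original thread. Placeholders: CAS01 is the Exchange 2010
# CAS, mail.example.com is the public OWA name, legacy.example.com is the Exchange 2003
# front end name that must exist in BOTH internal and external DNS.
$cas       = "CAS01"
$owaUrl    = "https://mail.example.com/owa"
$legacyUrl = "https://legacy.example.com/exchange"

# 1. Tell the 2010 OWA virtual directory where Exchange 2003 mailbox users go.
#    CAS 2010 looks up the mailbox's home server in Active Directory; for a 2003
#    mailbox it answers the browser with an HTTP redirect to this URL. The redirect
#    is followed by the CLIENT, so the client's resolver (internal DNS on the LAN,
#    public DNS on the internet) decides which IP legacy.example.com becomes. That is
#    why the legacy record is needed in both zones and on the SAN certificate.
Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" `
    -ExternalUrl $owaUrl -Exchange2003Url $legacyUrl

# 2. Confirm the settings took.
Get-OwaVirtualDirectory -Server $cas |
    Format-List Identity, ExternalUrl, Exchange2003Url

# 3. Where does a given mailbox live? ExchangeVersion/ServerName are the AD values
#    that drive the redirect decision; a 2003 mailbox still shows a 6.5 version.
Get-Mailbox -Identity "someuser" | Format-List ServerName, Database, ExchangeVersion

# 4. The certificate bound to IIS on the CAS must list both names, otherwise the
#    redirected session to legacy.example.com fails with a name mismatch.
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } |
    Select-Object -First 1
$domains = $cert.CertificateDomains | ForEach-Object { $_.ToString() }
foreach ($name in "mail.example.com", "legacy.example.com") {
    if ($domains -contains $name) { "OK       $name" } else { "MISSING  $name" }
}
```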
jskfan (Author) Commented:
When does the record in internal or external DNS come into play?
Malli Boppe Commented:
External is never used unless someone wants to use the webmail directly for an Exchange 2003 mailbox from the internet, like https:// /exchange

But when using to access the Exchange 2003 mailbox, it is always the internal that is used. But you still need an SSL certificate for when using it from the internet.
jskfan (Author) Commented:
I see what you are saying, but the DNS configuration needs some clarification.
For instance:

External DNS:

Internal DNS: (IP address of the internet-facing CAS) (IP address of the Exchange 2003 front end server)

What you are saying is:
when the user types on the browser, they will hit one of the public IP addresses of the firewall; the firewall will NAT it to (IP of the CAS server); the CAS will query Active Directory and determine the location of the user mailbox; if it is on Exchange 2003 it will redirect the query to the host record in internal DNS, which will be resolved to , which redirects the query to the Exchange 2003 FE.

So the on the external DNS will never be used... which does not make sense, since Microsoft recommends that the legacy record needs to ALSO be in external DNS...

Another record whose purpose I do not see is the in the internal DNS, seeing that when OWA users type , it will always hit the external DNS, which redirects the request to , which then will be NATted to (CAS server) and will take the route as I described previously....

Can you please just explain the usage of each record in the external and internal DNS with respect to the OWA road map?

jskfan (Author) Commented:
I guess the confusion is that when users (that have mailboxes in Exchange 2003) use OWA while they are inside the network and while outside, it is different.

While they are outside (internet), they type ( , they make it all the way to the CAS server, and CAS will always send them back to the public IP address of ( , and they will come back to the Exchange 2003 FE ( after getting NATted.
It sounds odd though; instead, CAS could redirect them to the internal DNS record that has the FE IP address in the first place... (short distance)

While they are inside the network, they type , it will use the internal DNS record ( and CAS will redirect them to the FE ( ; this time it will redirect them to the FE, not like the first time when they come in from the internet...

This is just my guess; it could be totally wrong.
Amit (IT Architect) Commented:
What is your confusion? Would you put it again here? Which area do you need clarification on?
jskfan (Author) Commented:

The confusion is on the record in the public DNS... Why is it there while we have the same record in the internal DNS? As I described the route of the OWA access below, the in the public DNS will never be used....

When a user is inside the network and wants to use OWA, they will type , then type user name and password; they reach the CAS server, which in turn looks for the user mailbox location; if it is in Exchange 2003, it will redirect the request to as specified in the INTERNAL DNS record.
The record points to the front end Exchange 2003 server...
Correct??

If a user is outside the network and wants to use OWA, they will type : , then type user name and password; the request will be redirected to public DNS, then to the public IP of ; as the protocol is 25 (SMTP), the firewall will redirect the request to the internal IP address of the CAS server, which in turn looks for the user mailbox location. IF IT IS IN EXCHANGE 2003, would the request be redirected to the external IP address of (located in the public DNS record) OR to the internal IP address of (located in the internal DNS record)??
If it will be redirected to the internal DNS to resolve , it means that the external will never be used....
If it will be redirected to the external DNS to resolve , it does not make sense: once the request has made it all the way to the internal network, it should make sense to use the internal DNS to resolve the instead of being redirected to the external DNS record.

To my understanding the in the public DNS is of no use....

Please let me know if my confusion is not understood.
jskfan (Author) Commented:
Can you please just paste the needed part?
I cannot find what I was looking for.