jtano (United States of America) asked:

Transitioning from Exchange 2007 to 2010

I am transitioning from Exchange 2007 (Server 2008) to Exchange 2010 (Server 2008 R2). I wanted to make OWA the same name to be able to use the same SSL, but when I move users over to the new server, they are getting an error stating that the name on the security certificate is invalid or does not match the name of the site. Do you want to proceed? Clicking yes or installing allows them in, but it keeps popping back up. I was hoping to move users over slowly, then move all the smartphone users last that are using the OWA address to get mail on their phones, then just change the IP of the new server to be the same as the old. Is that not possible, to keep the same address for OWA, or am I doing something wrong?
kittuskattus (United Kingdom):

In the error box that appears for the users, what is the name of the site that it is trying to validate?

There are a few things that can cause this:

1. Check that you have the correct autodiscover.yourdomain.com A records in your internal and external DNS.
2. Also, the clients may be trying to connect to the internal DNS name server.yourdomain.local, which you don't want to have on your SSL cert. You should make sure that the server responds to internal and external requests with the public DNS name server.domain.com. In EMC go to Server Configuration -> Client Access -> Outlook Web Access and check that the values for Internal URL and External URL are the same: https://server.domain.com/owa
A good tool provided by MS for testing can be found at http://www.testexchangeconnectivity.com; it will give you exact details of where the problems are occurring.
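As an added example (not part of the thread, and not Microsoft's own tooling), here is the check kittuskattus describes, done once for every Client Access server from the Exchange 2010 Management Shell: it gathers the Internal/External URL of each client-facing virtual directory and compares the hostname with the names on the certificate that is actually bound to IIS on that server. The cmdlets and properties are the standard Exchange 2010 ones; the report layout and the `$vdirCmdlets` list are this example's own.

```powershell
# Added example: audit virtual-directory URLs against the IIS-bound certificate on each CAS.
# Run in the Exchange 2010 Management Shell (PowerShell 2.0 compatible).

$casServers = Get-ExchangeServer | Where-Object { $_.ServerRole -match 'ClientAccess' }

# Virtual directories that carry Internal/External URLs clients are sent to. Autodiscover is
# checked through the SCP URI on the CAS object instead, since that is what Outlook looks up.
$vdirCmdlets = 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory',
               'Get-ActiveSyncVirtualDirectory', 'Get-WebServicesVirtualDirectory',
               'Get-OabVirtualDirectory'

foreach ($cas in $casServers) {
    $server = $cas.Name

    # Only the certificate with the IIS service enabled is presented to OWA/EAS/EWS clients.
    $iisCert = Get-ExchangeCertificate -Server $server |
               Where-Object { $_.Services -match 'IIS' } |
               Select-Object -First 1
    if (-not $iisCert) {
        Write-Warning "$server : no certificate has the IIS service enabled"
        continue
    }
    # CertificateDomains holds the subject name plus every SAN entry; compare case-insensitively.
    $certNames = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

    $urls = @()
    foreach ($cmdlet in $vdirCmdlets) {
        # Exchange 2007 servers have no ECP virtual directory; ignore that error.
        $vdirs = & $cmdlet -Server $server -ErrorAction SilentlyContinue
        foreach ($v in $vdirs) {
            $urls += New-Object PSObject -Property @{ VDir = $v.Identity; Kind = 'Internal'; Url = $v.InternalUrl }
            $urls += New-Object PSObject -Property @{ VDir = $v.Identity; Kind = 'External'; Url = $v.ExternalUrl }
        }
    }
    $scp = (Get-ClientAccessServer -Identity $server).AutoDiscoverServiceInternalUri
    $urls += New-Object PSObject -Property @{ VDir = 'Autodiscover SCP'; Kind = 'Internal'; Url = $scp }

    foreach ($u in $urls) {
        $hostName = ''
        if (-not $u.Url) {
            $status = 'EMPTY'
        } else {
            $hostName = ([uri]$u.Url).Host.ToLower()
            # A SAN such as *.domain.com is matched with -like, which treats the * as a wildcard.
            $covered = $certNames | Where-Object {
                $_ -eq $hostName -or ($_.StartsWith('*.') -and $hostName -like $_)
            }
            if ($covered)                          { $status = 'OK' }
            elseif ($hostName.EndsWith('.local'))  { $status = 'MISMATCH (private name; change the URL, not the cert)' }
            else                                   { $status = 'MISMATCH (not in certificate)' }
        }
        New-Object PSObject -Property @{
            Server = $server; VDir = $u.VDir; Kind = $u.Kind; Host = $hostName; Status = $status
        }
    }
}
```

Every row marked MISMATCH is a URL clients are handed that the IIS certificate does not cover, which is exactly the "name on the security certificate is invalid" prompt the asker's users see. Pipe the output to `Format-Table -AutoSize` for reading or to `Export-Csv` to keep a record before and after changing the URLs.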
Rajitha Chimmani:
You need to make sure all URLs are included in the certificate and the corresponding A records are in place, and for Exchange 2007 to 2010 co-existence you need to include legacy.domain.com in your certificates.
jtano (asker):

So can I make all the URLs on the new server the same as the old server, of which both are up and functioning, as I need them both to be working while I move users' mailboxes over? Is that going to cause any problems on the old server?
Rajitha Chimmani (asker certified solution):

This solution is only available to members.
jtano (asker):

So if I just want to move all users from 2007 to the new 2010 server overnight and change the IP of the new server to the old, so the firewall is pointing to the right place, and make all the URLs the same as the old 2007, then I don't have to change the name on the SSL cert and don't have to create any more A records, etc. I can just decommission the old 2007 server and be done. But if I want to move users over a period of several days, I have to set up the legacy.domain.com cert and add A records etc. to have them coexist, even if only for a week. Is that correct? I didn't have these issues when transitioning from 2003 to 2007 and I didn't see it in any of the articles I read for 07 to 10, so I just want to make sure, and now I am finding the articles with the legacy info. Thanks
Yes, you are right. You need to include legacy.domain.com to support co-existence. If you complete the migration in one go you don't have to play with certs and URLs.
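The coexistence layout the thread converges on (the 2010 CAS owns the public name, the 2007 CAS answers on legacy.domain.com, one UCC/SAN certificate covers both), written out as Exchange Management Shell commands. This is an added example, not from the thread or from Microsoft; the server names EX07 and EX10, the certificate path and the hostnames are assumptions to replace with your own.

```powershell
# Added example: split-namespace coexistence between an Exchange 2007 and an Exchange 2010 CAS.
# Assumed names: EX07 (2007 CAS), EX10 (2010 CAS), mail.domain.com (public), legacy.domain.com.
$ex07   = 'EX07'
$ex10   = 'EX10'
$public = 'mail.domain.com'
$legacy = 'legacy.domain.com'

# 1. One certificate request naming every hostname a client will be sent to. -DomainName is
#    the SAN list; the subject is the public name. Submit mail.req to the CA, import the
#    issued certificate on EX10, then export it as a PFX and import it on EX07 as well.
$req = New-ExchangeCertificate -GenerateRequest -PrivateKeyExportable $true `
        -SubjectName "CN=$public" `
        -DomainName $public, $legacy, 'autodiscover.domain.com'
Set-Content -Path 'C:\certs\mail.req' -Value $req

# 2. Every 2007 virtual directory moves to the legacy name. Run these lines from the
#    Exchange 2007 Management Shell, which owns those objects.
Set-OwaVirtualDirectory        -Identity "$ex07\owa (Default Web Site)" `
    -InternalUrl "https://$legacy/owa" -ExternalUrl "https://$legacy/owa"
Set-ActiveSyncVirtualDirectory -Identity "$ex07\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$legacy/Microsoft-Server-ActiveSync" `
    -ExternalUrl "https://$legacy/Microsoft-Server-ActiveSync"
Set-WebServicesVirtualDirectory -Identity "$ex07\EWS (Default Web Site)" `
    -InternalUrl "https://$legacy/EWS/Exchange.asmx" -ExternalUrl "https://$legacy/EWS/Exchange.asmx"

# 3. The 2010 CAS owns the public name for every service, including the Autodiscover SCP,
#    so all clients land on 2010 first and are redirected or proxied by mailbox location.
Set-OwaVirtualDirectory        -Identity "$ex10\owa (Default Web Site)" `
    -InternalUrl "https://$public/owa" -ExternalUrl "https://$public/owa"
Set-EcpVirtualDirectory        -Identity "$ex10\ecp (Default Web Site)" `
    -InternalUrl "https://$public/ecp" -ExternalUrl "https://$public/ecp"
Set-ActiveSyncVirtualDirectory -Identity "$ex10\Microsoft-Server-ActiveSync (Default Web Site)" `
    -InternalUrl "https://$public/Microsoft-Server-ActiveSync" `
    -ExternalUrl "https://$public/Microsoft-Server-ActiveSync"
Set-WebServicesVirtualDirectory -Identity "$ex10\EWS (Default Web Site)" `
    -InternalUrl "https://$public/EWS/Exchange.asmx" -ExternalUrl "https://$public/EWS/Exchange.asmx"
Set-ClientAccessServer -Identity $ex10 `
    -AutoDiscoverServiceInternalUri 'https://autodiscover.domain.com/Autodiscover/Autodiscover.xml'

# 4. After the issued certificate is imported on each CAS, bind it to IIS on both servers;
#    importing alone is not enough (the thread's "assign the IIS services to that cert").
#    Replace <thumbprint> with the value shown by Get-ExchangeCertificate.
# Enable-ExchangeCertificate -Server $ex10 -Thumbprint <thumbprint> -Services IIS
# Enable-ExchangeCertificate -Server $ex07 -Thumbprint <thumbprint> -Services IIS
```

Both names, plus autodiscover, also need public A records pointing at the address the firewall publishes; the legacy name only works for redirection if the 2007 CAS is reachable under it from outside.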
jtano (asker):

Sorry, I was away for a few days. I added legacy to the UCC SSL and installed it on the new servers, working on the other servers, but you said to change the URLs on Exchange 2007 to be legacy.domain.com, but our smartphone users use webmail.domain.com to get email on their phones (they are on the 2007 server). If I change that then they won't be able to get email on their phones? So they really can't coexist without issues?
If they are using ActiveSync then you have to check the ActiveSync URL. The webmail.domain.com URL would be pointing to the 2010 CAS now. So, any client trying to use this URL will first get connected to Exchange 2010 and then redirected to 2007 or 2010 servers based on their mailbox location.

http://port25guy.com/2010/09/28/migrating-exchange-2007-activesync-to-exchange-2010-and-why-your-android-may-work-but-your-apple-iphone-ipad-may-not/
jtano (asker):

Thanks for all the info. Sorry to be a pain. I changed all the URLs on the CAS 2007 to be legacy.domain.com and the CAS 2010 is mail.domain.com. I created DNS A records pointing to the new server and added legacy.domain.com to external DNS. I have no problems moving a mailbox to the new server and email works fine, but email on the phone is still not working, and when I put the external IP address in for email on the DigiCert web site, all tests come out okay except it says certificate does not match name. I went to GoDaddy and redid the cert to include the new legacy.domain.com and it appears to be installed correctly. Am I just not giving it enough time to propagate? I did this at 2:00 today.
Have you installed those new certs on all CAS servers, 2007 and 2010? Once installed, you need to assign the IIS services to that cert.
jtano (asker):

Yes, I did. I just went in and deleted the old one, as I forgot to do that, but still no luck, unless it takes time to propagate.
There are self-signed certs in there, but I didn't touch those. When I type in the OWA address it converts to the legacy, so that seems to be working. I don't understand why the DigiCert page, where you put in your external email address in their tools, comes up with "certificate does not match".
jtano (asker):

I just looked at the external DNS and there are entries for mail.domain.com, legacy.domain.com and autodiscover.domain.com all pointing to the same external email. Would that affect it?
jtano (asker):

So it seems I'm down to this issue, and I have checked the article about making sure "include inheritable permissions from this object's parent" is checked:

A Web exception occurred because an HTTP 451 - 451 response was received from Unknown.
HTTP Response Headers:
Transfer-Encoding: chunked
X-MS-Location: https://mail.domain.com/Microsoft-Server-ActiveSync
Cache-Control: private
Content-Type: text/html
Date: Thu, 04 Dec 2014 19:01:07 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Elapsed Time: 354 ms.
What is the internal and external URL you specified for activesync virtual directory? Do you see the problem with users on Exchange 2010 or both?
jtano (asker):

I do not have any problems with the 2007 users. I am testing moving over to the new 2010 server. Email and OWA work fine, but I can't get the mobile phone part to work. My goal is to not have to change anything in Outlook settings or mobile settings when I move them over to Exchange 2010.

Server                        : 2007exchange server
InternalAuthenticationMethods : {}
ExternalAuthenticationMethods : {}
InternalUrl                   : https://legacy.domain.com/Microsoft-Server-Activesync
ExternalUrl                   : https://legacy.domain.com/Microsoft-Server-Activesync
ActiveSync

Server                        : New 2010 exchange server
InternalAuthenticationMethods : {}
ExternalAuthenticationMethods : {}
InternalUrl                   : https://mail.domain.com/Microsoft-Server-ActiveSync
ExternalUrl                   : https://mail.domain.com/Microsoft-Server-ActiveSync
Do you have multiple 2010 CAS servers in separate AD sites? Then you might want to check the article below for the appropriate settings.

http://technet.microsoft.com/en-us/library/dd439372(v=exchg.80).aspx

Also, have you tried checking the IIS (w3svc) logs for exact http error code?
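The IIS log check suggested above, as an added example that is not part of the thread: it parses the W3C-format log files from the folder the asker later names (C:\inetpub\logs\LogFiles\W3SVC1) and summarises every ActiveSync request by HTTP status and sub-status, user and device type, so a 451 redirect, a 401 authentication failure or a 5xx proxy error is visible per user. The sample log lines embedded below are constructed for the example; the field names are the ones IIS 7 writes by default.

```powershell
# Added example: summarise ActiveSync requests in IIS W3C logs by status/sub-status.
# PowerShell 2.0 compatible; works on the constructed sample or on the real log folder.

function ConvertFrom-IisLog {
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            # The header names the columns; IIS re-emits it after a restart or rollover.
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or -not $line.Trim()) { continue }
        $values = $line -split ' '
        $rec = @{}
        for ($i = 0; $i -lt $fields.Length -and $i -lt $values.Length; $i++) {
            $rec[$fields[$i]] = $values[$i]
        }
        New-Object PSObject -Property $rec
    }
}

function Get-ActiveSyncStatusSummary {
    param([string[]]$Lines)
    ConvertFrom-IisLog -Lines $Lines |
        Where-Object { $_.'cs-uri-stem' -like '*/Microsoft-Server-ActiveSync*' } |
        ForEach-Object {
            # Cmd, User, DeviceId and DeviceType travel in the query string of every EAS request.
            $q = @{}
            foreach ($pair in ($_.'cs-uri-query' -split '&')) {
                $kv = $pair -split '=', 2
                if ($kv.Length -eq 2) { $q[$kv[0]] = $kv[1] }
            }
            New-Object PSObject -Property @{
                Status = "$($_.'sc-status').$($_.'sc-substatus')"
                User   = $_.'cs-username'
                Device = $q['DeviceType']
                Cmd    = $q['Cmd']
                Agent  = $_.'cs(User-Agent)'
            }
        } |
        Group-Object Status, User, Device |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample: one iPhone being redirected (451), one device failing Windows
# authentication (401.2) and one Android syncing normally (200).
$sample = @'
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2014-12-04 19:01:07 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=ABC123&DeviceType=iPhone&Cmd=Sync 443 domain\jdoe 203.0.113.10 Apple-iPhone6C1/1202.466 451 0 0 354
2014-12-04 19:01:09 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=ABC123&DeviceType=iPhone&Cmd=Sync 443 domain\jdoe 203.0.113.10 Apple-iPhone6C1/1202.466 451 0 0 12
2014-12-04 19:02:15 10.0.0.5 OPTIONS /Microsoft-Server-ActiveSync - 443 - 203.0.113.11 Android/4.4 401 2 5 3
2014-12-04 19:02:16 10.0.0.5 POST /Microsoft-Server-ActiveSync User=asmith&DeviceId=DEF456&DeviceType=Android&Cmd=FolderSync 443 domain\asmith 203.0.113.11 Android/4.4 200 0 0 88
'@ -split "`r?`n"

# To run against the real logs on the CAS instead of the sample:
# $sample = Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC1' -Filter 'u_ex*.log' | Get-Content

Get-ActiveSyncStatusSummary -Lines $sample | Format-Table -AutoSize
```

A 451 in this summary is the same response the connectivity test above reported; the X-MS-Location header it carries is not logged by IIS, so pair the count with the ExternalUrl of the ActiveSync virtual directory on the server that answered. A 401.2 on the OPTIONS request points at the virtual directory's authentication settings rather than at the user's password.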
jtano (asker):

I did find that and it led me to a few other articles, so I am currently working on that. If only users would stop calling me. To answer your question, yes, I have 2 other 2010 CAS servers that have been running fine in other facilities, all on the same domain connected through VPN tunnels. They are all under the same domain but in separate sites. My main site has the main 2007 Exchange server that I am trying to transition to a new 2010 Exchange, but keep them both running so I can slowly move users over.
So your mobile users connect to the mail site first? If so, you should have started with the Exchange server upgrade on the main site.
jtano (asker):

This looks promising to do, but I don't know how to set autodiscover to null and can't seem to find out how anywhere.

I have solved my problem after reviewing the IIS7 log files located in C:\inetpub\logs\logfiles\W3SVC1.

My CAS servers that are internet facing are in a different physical and AD site (we will call this Site1) than the Exchange 2007 mailbox that I was using for the test. I had to configure my CAS servers in Site2 with autodiscover enabled and set to NULL. Once I enabled this setting I ran the test again and received an authentication error with IIS7, which was then resolved by enabling Windows Authentication on the Microsoft-Server-ActiveSync virtual directory in IIS7 on the Site2 CAS servers.

So essentially Site1 CAS ActiveSync was set up correctly and I needed to configure Site2 CAS ActiveSync.
jtano (asker):

I know, but we bought facilities quickly and I was told to buy a server and install Exchange 2010 for the new sites. They are growing too quickly. So are you saying I am screwed?
If your mobile users connect to internet facing CAS with Exchange 2007 version then the redirection will not work from Exchange 2007 to Exchange 2010.
jtano (asker):

So we have to move all the cell phone users over at the same time and manually change their phones... is that what you are saying?
jtano (asker):

So if we didn't have the other 2 Exchange 2010 servers, you are saying this would work transitioning from 2007 to 2010?
Yes, you have to move all the cell phone users after upgrading the internet-facing CAS to 2010. It's up to you if you want to do them at the same time or in batches.
jtano (asker):

Well, I guess I will have to get some sort of help, because the URL that they use to connect with the cell phone is mail.domain.com and that is now what the new 2010 server's URLs are. Do I have to switch them back and make the new server legacy.domain.com and put mail.domain.com back on Exchange 2007 (to save on redoing SSL)? I feel like I'm back at square one.
That will not help. You say the cell phone users were hitting the internet-facing CAS, which is on the 2007 version. Is that not so?

What is the version of the cell phone users' mailbox? You need to remove the external URL on all intranet-site CAS servers, as you already have it set on the internet-facing CAS.
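The "remove the external URL on all intranet-site CAS servers" step, as an added example that is not part of the thread: it lists every CAS with its AD site, version and ActiveSync URLs, then blanks ExternalUrl on the servers that are not Internet-facing. With no ExternalUrl on the target site's CAS, the Internet-facing 2010 CAS proxies the device's requests to that site instead of answering with a 451 redirect to a name the phone cannot reach. The `$internetFacing` list is an assumption to edit for your environment.

```powershell
# Added example: per-site ActiveSync ExternalUrl audit, then clear it on intranet-only CAS.
# Run in the Exchange 2010 Management Shell; PowerShell 2.0 compatible.

# CAS names that the public mail.domain.com record actually resolves to (assumed).
$internetFacing = @('EX10')

$report = foreach ($cas in (Get-ExchangeServer | Where-Object { $_.ServerRole -match 'ClientAccess' })) {
    foreach ($v in (Get-ActiveSyncVirtualDirectory -Server $cas.Name)) {
        New-Object PSObject -Property @{
            Server         = $cas.Name
            Site           = $cas.Site.Name
            Version        = $cas.AdminDisplayVersion.ToString()
            InternetFacing = ($internetFacing -contains $cas.Name)
            InternalUrl    = $v.InternalUrl
            ExternalUrl    = $v.ExternalUrl
            Identity       = $v.Identity
        }
    }
}

# Review before changing anything: every non-Internet-facing row should show an empty ExternalUrl.
$report | Sort-Object Site, Server |
    Format-Table Server, Site, Version, InternetFacing, ExternalUrl -AutoSize

# A non-Internet-facing CAS that still carries an ExternalUrl is what the 451 response's
# X-MS-Location header sends the phone to. Clear it so the Internet-facing CAS proxies instead.
# Exchange 2007 servers should be changed from the Exchange 2007 shell; this loop only reports them.
foreach ($r in ($report | Where-Object { -not $_.InternetFacing -and $_.ExternalUrl })) {
    if ($r.Version -like 'Version 8.*') {
        Write-Warning "$($r.Identity) is Exchange 2007; clear its ExternalUrl from the 2007 shell"
        continue
    }
    Write-Host "Clearing ExternalUrl on $($r.Identity) (site $($r.Site))"
    Set-ActiveSyncVirtualDirectory -Identity $r.Identity -ExternalUrl $null
}
```

Re-run the report afterwards and repeat the connectivity test; the redirect disappears only once the CAS in the mailbox's own site has no ExternalUrl and the Internet-facing CAS is the 2010 one, which is the point Rajitha Chimmani makes about the order of the upgrade.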
jtano (asker):

Yes, cell users' mailboxes are on Exchange 07 and they are hitting CAS 07, except for users at other sites. Their mailboxes are on their Exchange 2010 servers and they are using their own URL to get mail.
All users must hit CAS 2010 if your main URL is pointing to that server. You cannot have the main URL pointing to both 2007 and 2010 servers. I don't know how you have set it up to have 2007 users hit the 2007 CAS. legacy.domain.com is only for internal redirection. You cannot use it for accessing the mailboxes. I suggest you go through a few migration documents on best practices.