Transitioning from exchange 2007 to 2010

I am transitioning from Exchange 2007 (Server 2008) to Exchange 2010 (Server 2008 R2). I wanted to make OWA the same name to be able to use the same SSL, but when I move users over to the new server, they are getting an error stating that the name on the security certificate is invalid or does not match the name of the site. Do you want to proceed? Clicking Yes or installing allows them in, but it keeps popping back up. I was hoping to move users over slowly, then move all the smartphone users last that are using the OWA address to get mail on their phones, then just change the IP of the new server to be the same as the old. Is it not possible to keep the same address for OWA, or am I doing something wrong?
jtanoAsked:
kittuskattusCommented:
In the error box that appears for the users, what is the name of the site that it is trying to validate?

There are a few things that can cause this:

1. Check that you have the correct autodiscover.yourdomain.com A records in your internal and external DNS.
2. Also, the clients may be trying to connect to the internal DNS name server.yourdomain.local, which you don't want to have on your SSL cert. You should make sure that the server responds to internal and external requests with the public DNS name server.domain.com. In EMC go to Server Configuration -> Client Access -> Outlook Web Access and check that the values for Internal URL and External URL are the same: https://server.domain.com/owa
0
kittuskattusCommented:
A good tool provided by MS for testing can be found at http://www.testexchangeconnectivity.com and will give you exact details of where the problems are occurring
0
Rajitha ChimmaniCommented:
You need to make sure all URLs are included in the certificate and the corresponding A records are in place. For Exchange 2007 to 2010 co-existence you need to include legacy.domain.com in your certificates.
0
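Both replies above come down to one check: every hostname a CAS advertises in its OWA, ActiveSync, EWS, OAB and Autodiscover URLs must be on the certificate that IIS is actually using on that server. The script below is an added example for that check, not code from the thread or from Microsoft. It assumes the Exchange 2010 Management Shell (Get-ExchangeCertificate -Server exists in 2010; for the 2007 CAS run the same function locally in its own shell, dropping -Server), placeholder server names, and that the required public names are the three this thread uses.

```powershell
# Added example, not code from the thread. Run in the Exchange 2010
# Management Shell; server names and required names are placeholders.
$requiredNames = @('mail.domain.com', 'legacy.domain.com', 'autodiscover.domain.com')

function Test-NameCoveredByCert {
    # $true when $Name equals a certificate name or matches a single-label
    # wildcard such as *.domain.com (no multi-level wildcard matching).
    param([string]$Name, [string[]]$CertNames)
    $Name = $Name.ToLower()
    foreach ($san in $CertNames) {
        $san = $san.ToLower()
        if ($san -eq $Name) { return $true }
        if ($san.StartsWith('*.') -and $Name.EndsWith($san.Substring(1))) {
            $label = $Name.Substring(0, $Name.Length - $san.Length + 1)
            if ($label.Length -gt 0 -and $label -notmatch '\.') { return $true }
        }
    }
    return $false
}

function Get-CasUrlReport {
    # One row per published URL, saying whether its hostname is on the IIS cert.
    param([Parameter(Mandatory=$true)][string[]]$Servers)
    foreach ($server in $Servers) {
        # The certificate currently assigned to the IIS service on this CAS
        $cert = Get-ExchangeCertificate -Server $server |
                Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
        $certNames = @()
        $thumb = '(no certificate assigned to IIS)'
        if ($cert) {
            $certNames = @($cert.CertificateDomains | ForEach-Object { "$_" })
            $thumb = $cert.Thumbprint
        }

        # Collect the URLs every client-facing virtual directory advertises
        $urls = @()
        foreach ($vdir in @(Get-OwaVirtualDirectory -Server $server) +
                          @(Get-ActiveSyncVirtualDirectory -Server $server) +
                          @(Get-WebServicesVirtualDirectory -Server $server) +
                          @(Get-OabVirtualDirectory -Server $server)) {
            $urls += @{ Source = "$($vdir.Name) InternalUrl"; Url = $vdir.InternalUrl }
            $urls += @{ Source = "$($vdir.Name) ExternalUrl"; Url = $vdir.ExternalUrl }
        }
        $cas = Get-ClientAccessServer -Identity $server
        $urls += @{ Source = 'AutoDiscoverServiceInternalUri'; Url = $cas.AutoDiscoverServiceInternalUri }

        foreach ($u in $urls) {
            if (-not $u.Url) { continue }            # unset URL: nothing to validate
            $hostName = ([System.Uri]"$($u.Url)").Host
            New-Object PSObject -Property @{
                Server    = $server
                Source    = $u.Source
                Url       = "$($u.Url)"
                HostName  = $hostName
                OnIisCert = Test-NameCoveredByCert -Name $hostName -CertNames $certNames
                CertThumb = $thumb
            }
        }
        # Names the migration needs that the assigned certificate lacks
        foreach ($n in $requiredNames) {
            if (-not (Test-NameCoveredByCert -Name $n -CertNames $certNames)) {
                Write-Warning "$server : required name $n is not on the IIS certificate"
            }
        }
    }
}

# Usage (server names are placeholders):
Get-CasUrlReport -Servers 'EX2007CAS', 'EX2010CAS' |
    Format-Table Server, Source, HostName, OnIisCert, Url -AutoSize
```

A row with OnIisCert = False is exactly the condition that produces the "name on the security certificate is invalid" prompt from the question. If the warning reports no certificate assigned to IIS at all, the new certificate has been imported but not enabled for the service; assigning it is Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services IIS on that server.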
jtanoAuthor Commented:
So can I make all the URLs on the new server the same as the old server, both of which are up and functioning, as I need them both to be working while I move users' mailboxes over? Is that going to cause any problems on the old server?
0
Rajitha ChimmaniCommented:
You need to modify the URLs on Exchange 2007 to legacy.domain.com, and the actual URLs must be updated on the Exchange 2010 servers. If you have not used legacy.domain.com anywhere, then you are not prepared for migration yet. That is most important to facilitate CAS redirection from Exchange 2010 to Exchange 2007.

https://www.simple-talk.com/sysadmin/exchange/upgrade-from-exchange-2007-to-exchange-2010---part-1/
0
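The split the reply above describes (legacy name on the 2007 CAS, main name on the 2010 CAS) is a handful of Set-*VirtualDirectory calls per server. The function below is an added example, not code from the thread or from Microsoft. It assumes placeholder server names, that it is run once in the Exchange 2007 shell for the 2007 CAS and once in the Exchange 2010 shell for the 2010 CAS (a newer shell will not modify previous-version objects), and that both Autodiscover SCP records are pointed at the 2010 namespace, which is the usual co-existence arrangement.

```powershell
# Added example, not code from the thread. Points every client-access URL on
# one CAS at one hostname. Server and host names are placeholders; run with
# -WhatIf first and read the output before running for real.
function Set-CasNamespace {
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [Parameter(Mandatory=$true)][string]$HostName,
        [string]$AutodiscoverHost = 'autodiscover.domain.com',
        [switch]$WhatIf
    )
    $base = "https://$HostName"

    # OWA: only the /owa directory carries the namespace. On 2007 the legacy
    # /Exchange, /Public and /Exchweb directories are deliberately left alone.
    Get-OwaVirtualDirectory -Server $Server | Where-Object { $_.Name -like 'owa*' } |
        Set-OwaVirtualDirectory -InternalUrl "$base/owa" -ExternalUrl "$base/owa" -WhatIf:$WhatIf

    # ActiveSync: the URL the phones use; the 2010 CAS redirects 2007 mailboxes
    # to the legacy name from here.
    Get-ActiveSyncVirtualDirectory -Server $Server |
        Set-ActiveSyncVirtualDirectory -InternalUrl "$base/Microsoft-Server-ActiveSync" `
                                       -ExternalUrl "$base/Microsoft-Server-ActiveSync" -WhatIf:$WhatIf

    # Exchange Web Services and the Offline Address Book
    Get-WebServicesVirtualDirectory -Server $Server |
        Set-WebServicesVirtualDirectory -InternalUrl "$base/EWS/Exchange.asmx" `
                                        -ExternalUrl "$base/EWS/Exchange.asmx" -WhatIf:$WhatIf
    Get-OabVirtualDirectory -Server $Server |
        Set-OabVirtualDirectory -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB" -WhatIf:$WhatIf

    # Autodiscover SCP: both versions point at the 2010 namespace so Outlook is
    # always answered by the 2010 CAS, which knows where each mailbox lives.
    Set-ClientAccessServer -Identity $Server `
        -AutoDiscoverServiceInternalUri "https://$AutodiscoverHost/Autodiscover/Autodiscover.xml" -WhatIf:$WhatIf
}

# In the Exchange 2007 shell, for the 2007 CAS:
#   Set-CasNamespace -Server 'EX2007CAS' -HostName 'legacy.domain.com' -WhatIf
# In the Exchange 2010 shell, for the 2010 CAS:
#   Set-CasNamespace -Server 'EX2010CAS' -HostName 'mail.domain.com' -WhatIf
```

Every hostname written here (legacy.domain.com, mail.domain.com, autodiscover.domain.com) must already be on the certificate assigned to IIS on both servers and must resolve in internal and external DNS, otherwise clients land on a name the certificate does not cover and the original prompt comes back.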
jtanoAuthor Commented:
So if I just want to move all users from 2007 to the new 2010 server overnight and change the IP of the new server to the old one, so the firewall is pointing to the right place, and make all the URLs the same as the old 2007, then I don't have to change the name on the SSL cert and don't have to create any more A records, etc. I can just decommission the old 2007 server and be done. But if I want to move users over a period of several days, I have to set up the legacy.domain.com cert and add A records etc. to have them coexist, even if only for a week. Is that correct? I didn't have these issues when transitioning from 2003 to 2007 and I didn't see it in any of the articles I read for 07 to 10, so I just want to make sure, and now I am finding the articles with the legacy info. Thanks
0
Rajitha ChimmaniCommented:
Yes, you are right. You need to include legacy.domain.com to support co-existence. If you complete the migration in one go you don't have to play with certs and URLs.
0
jtanoAuthor Commented:
Sorry, I was away for a few days. I added legacy to the UCC SSL and installed it on the new servers, working on other servers, but you said to change the URLs on 2007 Exchange to be legacy.domain.com, but our smartphone users use webmail.domain.com to get email on their phones (they are on the 2007 server). If I change that then they won't be able to get email on their phones? So they really can't coexist without issues?
0
Rajitha ChimmaniCommented:
If they are using ActiveSync then you have to check the ActiveSync URL. The webmail.domain.com URL would be pointing to the 2010 CAS now. So, any client trying to use this URL will first get connected to Exchange 2010 and then redirected to the 2007 or 2010 servers based on their mailbox location.

http://port25guy.com/2010/09/28/migrating-exchange-2007-activesync-to-exchange-2010-and-why-your-android-may-work-but-your-apple-iphone-ipad-may-not/
0
jtanoAuthor Commented:
Thanks for all the info. Sorry to be a pain. I changed all the URLs on the CAS 2007 to be legacy.domain.com and the CAS 2010 is mail.domain.com. I created DNS A records pointing to the new server and added legacy.domain.com to external DNS. I have no problems moving a mailbox to the new server and email works fine, but email on the phone is still not working, and when I put the external IP address in for email on the DigiCert web site, all tests come out okay except it says the certificate does not match the name. I went to GoDaddy and redid the cert to include the new legacy.domain.com and it appears to be installed correctly. Am I just not giving it enough time to propagate? I did this at 2:00 today.
0
Rajitha ChimmaniCommented:
Have you installed those new certs on all CAS servers, 2007 and 2010? Once installed, you need to assign the IIS services to that cert.
0
jtanoAuthor Commented:
Yes, I did. I just went in and deleted the old one as I forgot to do that, but still no luck, unless it takes time to propagate.
There are self-signed certs in there, but I didn't touch those. When I type in the OWA address it converts to the legacy one, so that seems to be working. I don't understand why the DigiCert page, where you put in your external email address in their tools, comes up with "certificate does not match".
0
jtanoAuthor Commented:
I just looked at the external DNS and there are entries for mail.domain.com, legacy.domain.com and autodiscover.domain.com all pointing to the same external email. Would that affect it?
0
jtanoAuthor Commented:
So it seems I'm down to this issue, and I have checked the article about making sure "include inheritable permissions from this object's parent" is checked.

"A Web exception occurred because an HTTP 451 - 451 response was received from Unknown.
HTTP Response Headers:
Transfer-Encoding: chunked
X-MS-Location: https://mail.domain.com/Microsoft-Server-ActiveSync
Cache-Control: private
Content-Type: text/html
Date: Thu, 04 Dec 2014 19:01:07 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Elapsed Time: 354 ms."
0
Rajitha ChimmaniCommented:
What is the internal and external URL you specified for activesync virtual directory? Do you see the problem with users on Exchange 2010 or both?
0
jtanoAuthor Commented:
I do not have any problems with the 2007 users. I am testing moving over to the new 2010 server. Email and OWA work fine, but I can't get the mobile phone part to work. My goal is to not have to change anything in Outlook settings or mobile settings when I move them over to Exchange 2010.

Server                        : 2007exchange server
InternalAuthenticationMethods : {}
ExternalAuthenticationMethods : {}
InternalUrl                   : https://legacy.domain.com/Microsoft-Server-Activesync
ExternalUrl                   : https://legacy.domain.com/Microsoft-Server-Activesync
ActiveSync

Server                        : New 2010 exchange server
InternalAuthenticationMethods : {}
ExternalAuthenticationMethods : {}
InternalUrl                   : https://mail.domain.com/Microsoft-Server-ActiveSync
ExternalUrl                   : https://mail.domain.com/Microsoft-Server-ActiveSync
0
Rajitha ChimmaniCommented:
Do you have multiple 2010 CAS servers and in separate AD sites? Then, you might want to check the below article for appropriate settings.

http://technet.microsoft.com/en-us/library/dd439372(v=exchg.80).aspx

Also, have you tried checking the IIS (w3svc) logs for exact http error code?
0
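The IIS log check suggested above is where the exact status and substatus of the failing ActiveSync request show up. In ActiveSync, HTTP 451 is the redirect signal (the X-MS-Location header quoted earlier carries the target), while a 401 with its substatus points at an authentication setting on the virtual directory. The parser below is an added example, not code from the thread or from Microsoft; the log lines it runs on are constructed for illustration, in the default IIS 7 W3C layout, and the log path is the one given later in this thread.

```powershell
# Added example, not code from the thread. Parses IIS W3C log lines using the
# #Fields header and lists ActiveSync requests that ended in an HTTP error.
function ConvertFrom-IisLog {
    # Turns W3C log lines into objects whose property names are the #Fields names.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or $line.Trim() -eq '') { continue }   # other directives, blanks
        if (-not $fields) { continue }                                    # data before any #Fields header
        $values = $line -split '\s+'
        $row = New-Object PSObject
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $value = $null
            if ($i -lt $values.Count) { $value = $values[$i] }
            $row | Add-Member -MemberType NoteProperty -Name $fields[$i] -Value $value
        }
        $row
    }
}

function Get-ActiveSyncErrors {
    # ActiveSync requests whose status is at or above $MinStatus, with the
    # substatus and Win32 status that the device never sees.
    param([string[]]$Lines, [int]$MinStatus = 400)
    ConvertFrom-IisLog -Lines $Lines |
        Where-Object {
            $_.'cs-uri-stem' -like '*/Microsoft-Server-ActiveSync*' -and
            [int]$_.'sc-status' -ge $MinStatus
        } |
        Select-Object date, time, 'c-ip', 'cs-username', 'cs-method', 'cs-uri-query',
                      'sc-status', 'sc-substatus', 'sc-win32-status', 'time-taken'
}

# Constructed sample log (not a real capture): one 451 redirect, one 401.2
# (logon failed due to server configuration), one unrelated OWA request.
$sample = @(
    '#Software: Microsoft Internet Information Services 7.0',
    '#Version: 1.0',
    '#Date: 2014-12-04 19:00:00',
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken',
    '2014-12-04 19:01:07 10.0.0.5 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=jdoe&DeviceId=ABC123&DeviceType=iPhone 443 DOMAIN\jdoe 203.0.113.10 Apple-iPhone/1202.440 451 0 0 354',
    '2014-12-04 19:01:09 10.0.0.5 OPTIONS /Microsoft-Server-ActiveSync - 443 - 203.0.113.11 Apple-iPhone/1202.440 401 2 5 12',
    '2014-12-04 19:01:12 10.0.0.5 GET /owa/ - 443 DOMAIN\asmith 203.0.113.12 Mozilla/5.0 200 0 0 98'
)

Get-ActiveSyncErrors -Lines $sample | Format-Table -AutoSize

# Against the real log (the path quoted later in this thread; IIS names the
# daily file u_exYYMMDD.log):
# Get-ActiveSyncErrors -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex141204.log') | Format-Table -AutoSize
```

Read the sc-status and sc-substatus columns together: 451 0 means the CAS deliberately sent the device elsewhere, so the question becomes whether the device can reach and validate the name in X-MS-Location; 401 2 means the virtual directory's configured authentication does not accept what the device offered, which is an IIS setting on that directory rather than a certificate or DNS problem.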
jtanoAuthor Commented:
I did find that and it led me to a few other articles, so I am currently working on that. If only users would stop calling me. To answer your question: yes, I have 2 other 2010 CAS servers that have been running fine in other facilities, all on the same domain connected through VPN tunnels. They are all under the same domain but in separate sites. My main site has the main 2007 Exchange server that I am trying to transition to a new 2010 Exchange, but keep them both running so I can slowly move users over.
0
Rajitha ChimmaniCommented:
So, your mobile users connect to the mail site first? If so, you should have started with exchange server upgrade on the main site.
0
jtanoAuthor Commented:
This looks promising to do, but I don't know how to set Autodiscover to null and can't seem to find out how anywhere.

I have solved my problem after reviewing the IIS7 log files located in C:\inetpub\logs\logfiles\W3SVC1.

My CAS servers that are internet facing are in a different physical and AD site (we will call this Site1) than the Exchange 2007 mailbox that I was using for the test. I had to configure my CAS servers in Site2 with autodiscover enabled and set to NULL. Once I enabled this setting I ran the test again and received an authentication error with IIS7, which then was resolved by enabling Windows Authentication on the Microsoft-Server-ActiveSync virtual directory in IIS7 on the Site2 CAS servers.

So essentially Site1 CAS ActiveSync was set up correctly and I needed to configure Site2 CAS ActiveSync.
0
jtanoAuthor Commented:
I know but we bought facilities quickly and I was told to buy a server and install exch 2010 for the new sites. They are growing too quickly. So are you saying I am screwed?
0
Rajitha ChimmaniCommented:
If your mobile users connect to internet facing CAS with Exchange 2007 version then the redirection will not work from Exchange 2007 to Exchange 2010.
0
jtanoAuthor Commented:
So we have to move all the cell phone users over at the same time and manually change their phones...is that what you are saying?
0
jtanoAuthor Commented:
So if we didn't have the other 2 Exchange 2010 servers, you are saying this would work transitioning from 2007 to 2010?
0
Rajitha ChimmaniCommented:
Yes, you have to move all the cell phone users after upgrading the internet-facing CAS to 2010. It's up to you if you want to do them at the same time or in batches.
0
jtanoAuthor Commented:
Well, I guess I will have to get some sort of help, because the URL that they use to connect with the cell phone is mail.domain.com and that is now what the new 2010 server's URLs are. Do I have to switch them back and make the new server legacy.domain.com and put mail.domain.com back on Exchange 2007 (to save on redoing SSL)? I feel like I'm back at square one.
0
Rajitha ChimmaniCommented:
That will not help. You say the cell phone users were hitting internet facing CAS which is on 2007 version. Is that not so?

What is the version of the cell phone user mailbox? You need to remove the external URL on all intranet-site CAS servers, as you already have it set on the internet-facing CAS.
0
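The advice above (clear the external URL on every CAS that is not internet-facing) is what makes the internet-facing 2010 CAS proxy ActiveSync to the other sites instead of handing the phone a 451 redirect to a name it cannot use. The function below is an added example, not code from the thread or from Microsoft. It assumes the Exchange 2010 Management Shell, that the internet-facing Active Directory site is called 'Site1' (a placeholder), and that only Exchange 2010 CAS servers (AdminDisplayVersion major 14) should be touched.

```powershell
# Added example, not code from the thread. Finds Exchange 2010 CAS servers
# outside the internet-facing AD site and clears the ActiveSync ExternalUrl
# on each. Site name is a placeholder; review with -WhatIf first.
function Clear-IntranetActiveSyncExternalUrl {
    param(
        [Parameter(Mandatory=$true)][string]$InternetFacingSite,
        [switch]$WhatIf
    )
    # Exchange 2010 (major version 14) Client Access servers not in the internet-facing site
    $intranetCas = Get-ExchangeServer | Where-Object {
        "$($_.ServerRole)" -match 'ClientAccess' -and
        $_.AdminDisplayVersion.Major -eq 14 -and
        $_.Site.Name -ne $InternetFacingSite
    }
    if (-not $intranetCas) {
        Write-Warning "No Exchange 2010 CAS found outside site '$InternetFacingSite'"
        return
    }
    foreach ($cas in $intranetCas) {
        Get-ActiveSyncVirtualDirectory -Server $cas.Name | ForEach-Object {
            if ($_.ExternalUrl) {
                Write-Host ("{0} ({1}): clearing ExternalUrl {2}" -f $cas.Name, $cas.Site.Name, $_.ExternalUrl)
                # An empty ExternalUrl tells the internet-facing CAS to proxy
                # to this server rather than redirect the device to it.
                $_ | Set-ActiveSyncVirtualDirectory -ExternalUrl $null -WhatIf:$WhatIf
            } else {
                Write-Host ("{0} ({1}): ExternalUrl already empty" -f $cas.Name, $cas.Site.Name)
            }
        }
    }
}

# Dry run, then the real change:
#   Clear-IntranetActiveSyncExternalUrl -InternetFacingSite 'Site1' -WhatIf
#   Clear-IntranetActiveSyncExternalUrl -InternetFacingSite 'Site1'
```

After the change, a phone whose mailbox sits in another site should see a 200 from the internet-facing CAS in the IIS log rather than a 451, because the request is now proxied server to server over the internal URL.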
jtanoAuthor Commented:
Yes, cell users' mailboxes are on Exchange 07 and they are hitting CAS 07, except for users at other sites. Their MBs are on their Exchange 2010 servers and they are using their own URL to get mail.
0
Rajitha ChimmaniCommented:
All users must hit CAS 2010 if your main URL is pointing to that server. You cannot have the main URL pointing to both 2007 and 2010 servers. I don't know how you have set it up to have 2007 users hit 2007 CAS. legacy.domain.com is only for internal redirection. You cannot use it for accessing the mailboxes. I suggest you go through a few migration documents on best practices.
0