Solved

Transitioning from exchange 2007 to 2010

Posted on 2014-11-21
90 Views
Last Modified: 2014-12-04
I am transitioning from Exchange 2007 (Server 2008) to Exchange 2010 (Server 2008 R2). I wanted to keep OWA on the same name so I could use the same SSL certificate, but when I move users over to the new server they get an error stating that the name on the security certificate is invalid or does not match the name of the site. Do you want to proceed? Clicking Yes or installing the certificate lets them in, but it keeps popping back up. I was hoping to move users over slowly, then move all the smartphone users last (they use the OWA address to get mail on their phones), and then just change the IP of the new server to be the same as the old one. Is it not possible to keep the same address for OWA, or am I doing something wrong?
Question by: jtano
29 Comments
 
Expert Comment by kittuskattus (LVL 2)

In the error box that appears for the users, what is the name of the site that it is trying to validate?

There are a few things that can cause this:

1. Check that you have the correct autodiscover.yourdomain.com A records in your internal and external DNS.
2. Also, the clients may be trying to connect to the internal DNS name server.yourdomain.local, which you don't want to have on your SSL cert. You should make sure that the server responds to internal and external requests with the public DNS name server.domain.com. In EMC go to Server Configuration -> Client Access -> Outlook Web Access and check that the values for Internal URL and External URL are the same: https://server.domain.com/owa
 
Expert Comment by kittuskattus (LVL 2)

A good tool provided by MS for testing can be found at http://www.testexchangeconnectivity.com and will give you exact details of where the problems are occurring.
 
Expert Comment by Rajitha Chimmani (LVL 16)

You need to make sure all URLs are included in the certificate and the corresponding A records are in place, and for Exchange 2007 to 2010 co-existence you need to include legacy.domain.com in your certificates.
 

Author Comment by jtano

So can I make all the URLs on the new server the same as the old server? Both are up, and I need them both to be working while I move users' mailboxes over. Is that going to cause any problems on the old server?
 
LVL 16

Accepted Solution by Rajitha Chimmani (LVL 16, earned 500 total points)

You need to modify the URLs on Exchange 2007 to legacy.domain.com, and the actual URLs must be updated on the Exchange 2010 servers. If you have not used legacy.domain.com anywhere, then you are not prepared for migration yet. That is the most important thing, to facilitate CAS redirection from Exchange 2010 to Exchange 2007.

https://www.simple-talk.com/sysadmin/exchange/upgrade-from-exchange-2007-to-exchange-2010---part-1/
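The URL and certificate work the accepted solution describes, written out as an added Exchange Management Shell example (this is not code from the thread or from Microsoft's migration guide). It assumes the placeholder hostnames the thread already uses (mail.domain.com, legacy.domain.com, autodiscover.domain.com) and invents the server names EX2007CAS and EX2010CAS. The two virtual-directory functions are meant to be run from each version's own Exchange Management Shell (2007 shell against the 2007 CAS, 2010 shell against the 2010 CAS); the certificate audit at the end uses Exchange 2010 cmdlets only.

```powershell
# Added example, not from the original thread. Hostnames follow the thread's
# placeholders; the server names below are assumptions.
$newHost    = 'mail.domain.com'      # stays on the Exchange 2010 CAS (what clients and phones use)
$legacyHost = 'legacy.domain.com'    # Exchange 2007 CAS during coexistence (redirect target only)
$autoHost   = 'autodiscover.domain.com'
$ex2007     = 'EX2007CAS'            # assumed name of the Exchange 2007 CAS
$ex2010     = 'EX2010CAS'            # assumed name of the new Exchange 2010 CAS

# Point every client-facing virtual directory on one CAS at one hostname.
# Internal and external URLs are set identically so that neither the .local
# name nor the server's own NetBIOS name is ever handed to a client; those are
# the names that trigger the "name on the security certificate is invalid" prompt.
function Set-CasUrls {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $HostName
    )
    $base = "https://$HostName"

    Get-OwaVirtualDirectory -Server $Server |
        Set-OwaVirtualDirectory -InternalUrl "$base/owa" -ExternalUrl "$base/owa"

    Get-ActiveSyncVirtualDirectory -Server $Server |
        Set-ActiveSyncVirtualDirectory -InternalUrl "$base/Microsoft-Server-ActiveSync" `
                                       -ExternalUrl "$base/Microsoft-Server-ActiveSync"

    Get-WebServicesVirtualDirectory -Server $Server |
        Set-WebServicesVirtualDirectory -InternalUrl "$base/EWS/Exchange.asmx" `
                                        -ExternalUrl "$base/EWS/Exchange.asmx"

    Get-OabVirtualDirectory -Server $Server |
        Set-OabVirtualDirectory -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"

    # Autodiscover SCP: domain-joined Outlook finds the CAS through this URI.
    Set-ClientAccessServer -Identity $Server `
        -AutoDiscoverServiceInternalUri "https://$autoHost/Autodiscover/Autodiscover.xml"
}

# Run in the Exchange 2007 shell:  Set-CasUrls -Server $ex2007 -HostName $legacyHost
# Run in the Exchange 2010 shell:  Set-CasUrls -Server $ex2010 -HostName $newHost
# Exchange 2010 also has ECP; it has no 2007 counterpart:
#   Get-EcpVirtualDirectory -Server $ex2010 |
#       Set-EcpVirtualDirectory -InternalUrl "https://$newHost/ecp" -ExternalUrl "https://$newHost/ecp"

# Certificate audit (Exchange 2010 shell). The certificate bound to IIS must carry
# every hostname the URLs above hand out, or the mismatch prompt comes straight back.
function Test-IisCertificateNames {
    param(
        [Parameter(Mandatory)] [string]   $Server,
        [Parameter(Mandatory)] [string[]] $RequiredNames
    )
    $cert = Get-ExchangeCertificate -Server $Server |
        Where-Object { $_.Services.ToString() -match 'IIS' } |
        Select-Object -First 1
    if (-not $cert) {
        Write-Warning "$Server has no certificate assigned to IIS; self-signed fallback will be used."
        return $false
    }
    $missing = $RequiredNames | Where-Object { $cert.CertificateDomains -notcontains $_ }
    if ($missing) {
        Write-Warning ("{0}: IIS certificate {1} is missing: {2}" -f $Server, $cert.Thumbprint, ($missing -join ', '))
        return $false
    }
    "$Server OK: IIS certificate $($cert.Thumbprint) covers $($RequiredNames -join ', ')"
    return $true
}

$required = @($newHost, $legacyHost, $autoHost)
Test-IisCertificateNames -Server $ex2010 -RequiredNames $required

# After importing a reissued UCC/SAN certificate, it is not used until IIS is bound to it:
#   Enable-ExchangeCertificate -Server $ex2010 -Thumbprint <new thumbprint> -Services IIS
```

Two checks worth doing before moving the first mailbox: the DNS A records for mail, legacy and autodiscover must all resolve, with mail.domain.com now answering at the 2010 CAS, and the legacy name should never be given to users or phones, since it exists only so the 2010 CAS can redirect or proxy to the 2007 CAS.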
 

Author Comment by jtano

So if I just want to move all users from 2007 to the new 2010 server overnight, change the IP of the new server to the old one so the firewall is pointing to the right place, and make all the URLs the same as the old 2007 ones, then I don't have to change the name on the SSL cert and don't have to create any more A records, etc. I can just decommission the old 2007 server and be done. But if I want to move users over a period of several days, I have to set up the legacy.domain.com cert and add A records etc. to have them coexist, even if only for a week. Is that correct? I didn't have these issues when transitioning from 2003 to 2007, and I didn't see it in any of the articles I read for 07 to 10, so I just want to make sure. Now I am finding the articles with the legacy info. Thanks.
 
LVL 16

Expert Comment by Rajitha Chimmani (LVL 16)

Yes, you are right. You need to include legacy.domain.com to support co-existence. If you complete the migration in one go you don't have to play with certs and URLs.
 

Author Comment by jtano

Sorry, I was away for a few days. I added legacy to the UCC SSL cert and installed it on the new servers, and I'm working on the other servers. But you said to change the URLs on Exchange 2007 to be legacy.domain.com, and our smartphone users use webmail.domain.com to get email on their phones (they are on the 2007 server). If I change that, won't they be unable to get email on their phones? So they really can't coexist without issues?
 
LVL 16

Expert Comment by Rajitha Chimmani (LVL 16)

If they are using ActiveSync then you have to check the ActiveSync URL. The webmail.domain.com URL would be pointing to the 2010 CAS now. So any client trying to use this URL will first get connected to Exchange 2010 and then be redirected to the 2007 or 2010 servers based on their mailbox location.

http://port25guy.com/2010/09/28/migrating-exchange-2007-activesync-to-exchange-2010-and-why-your-android-may-work-but-your-apple-iphone-ipad-may-not/
 

Author Comment by jtano

Thanks for all the info. Sorry to be a pain. I changed all the URLs on the 2007 CAS to be legacy.domain.com, and the 2010 CAS is mail.domain.com. I created DNS A records pointing to the new server and added legacy.domain.com to external DNS. I have no problems moving a mailbox to the new server and email works fine, but email on the phone is still not working, and when I put the external IP address in for email on the DigiCert web site, all tests come out okay except it says the certificate does not match the name. I went to GoDaddy and redid the cert to include the new legacy.domain.com, and it appears to be installed correctly. Am I just not giving it enough time to propagate? I did this at 2:00 today.
 
LVL 16

Expert Comment by Rajitha Chimmani (LVL 16)

Have you installed those new certs on all CAS servers, 2007 and 2010? Once installed, you need to assign the IIS services to that cert.
 

Author Comment by jtano

Yes, I did. I just went in and deleted the old one, as I forgot to do that, but still no luck, unless it takes time to propagate.
There are self-signed certs in there, but I didn't touch those. When I type in the OWA address it converts to the legacy one, so that seems to be working. I don't understand why the DigiCert page, where you put in your external email address in their tools, comes up with "certificate does not match".
 

Author Comment by jtano

I just looked at the external DNS and there are entries for mail.domain.com, legacy.domain.com and autodiscover.domain.com all pointing to the same external email. Would that affect it?
 

Author Comment by jtano

So it seems I'm down to this issue, and I have checked the article about making sure "include inheritable permissions from this object's parent" is checked:

"A Web exception occurred because an HTTP 451 - 451 response was received from Unknown.
HTTP Response Headers:
Transfer-Encoding: chunked
X-MS-Location: https://mail.domain.com/Microsoft-Server-ActiveSync
Cache-Control: private
Content-Type: text/html
Date: Thu, 04 Dec 2014 19:01:07 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Elapsed Time: 354 ms.
 
LVL 16

Expert Comment by Rajitha Chimmani (LVL 16)

What are the internal and external URLs you specified for the ActiveSync virtual directory? Do you see the problem with users on Exchange 2010 or both?
 

Author Comment by jtano

I do not have any problems with the 2007 users. I am testing moving over to the new 2010 server. Email and OWA work fine, but I can't get the mobile phone part to work. My goal is to not have to change anything in the Outlook settings or mobile settings when I move them over to Exchange 2010.

Server                        : 2007exchange server
InternalAuthenticationMethods : {}
ExternalAuthenticationMethods : {}
InternalUrl                   : https://legacy.domain.com/Microsoft-Server-Activesync
ExternalUrl                   : https://legacy.domain.com/Microsoft-Server-Activesync
ActiveSync

Server                        : New 2010 exchange server
InternalAuthenticationMethods : {}
ExternalAuthenticationMethods : {}
InternalUrl                   : https://mail.domain.com/Microsoft-Server-ActiveSync
ExternalUrl                   : https://mail.domain.com/Microsoft-Server-ActiveSync
 
LVL 16

Expert Comment by Rajitha Chimmani (LVL 16)

Do you have multiple 2010 CAS servers in separate AD sites? Then you might want to check the article below for the appropriate settings.

http://technet.microsoft.com/en-us/library/dd439372(v=exchg.80).aspx

Also, have you tried checking the IIS (W3SVC) logs for the exact HTTP error code?
 

Author Comment by jtano

I did find that, and it led me to a few other articles, so I am currently working on that. If only users would stop calling me. To answer your question: yes, I have 2 other 2010 CAS servers that have been running fine in other facilities, all on the same domain, connected through VPN tunnels. They are all under the same domain but in separate sites. My main site has the main 2007 Exchange server that I am trying to transition to a new 2010 Exchange server, but I want to keep them both running so I can slowly move users over.
 
LVL 16

Expert Comment by Rajitha Chimmani (LVL 16)

So your mobile users connect to the main site first? If so, you should have started with the Exchange server upgrade on the main site.
 

Author Comment by jtano

This looks promising to do, but I don't know how to set Autodiscover to null and can't seem to find out how anywhere:

"I have solved my problem after reviewing the IIS7 log files located in C:\inetpub\logs\logfiles\W3SVC1.

My CAS servers that are internet facing are in a different physical and AD site (we will call this Site1) than the Exchange 2007 mailbox that I was using for the test. I had to configure my CAS servers in Site2 with Autodiscover enabled and set to NULL. Once I enabled this setting I ran the test again and received an authentication error with IIS7, which was then resolved by enabling Windows Authentication on the Microsoft-Server-ActiveSync virtual directory in IIS7 on the Site2 CAS servers.

So essentially Site1 CAS ActiveSync was set up correctly and I needed to configure Site2 CAS ActiveSync."
 

Author Comment by jtano

I know, but we bought facilities quickly and I was told to buy a server and install Exchange 2010 for the new sites. They are growing too quickly. So are you saying I am screwed?
 
LVL 16

Expert Comment by Rajitha Chimmani (LVL 16)

If your mobile users connect to an internet-facing CAS running Exchange 2007, then the redirection will not work from Exchange 2007 to Exchange 2010.
 

Author Comment by jtano

So we have to move all the cell phone users over at the same time and manually change their phones? Is that what you are saying?
 

Author Comment by jtano

So if we didn't have the other 2 Exchange 2010 servers, you are saying this would work transitioning from 2007 to 2010?
 
LVL 16

Expert Comment by Rajitha Chimmani (LVL 16)

Yes, you have to move all the cell phone users after upgrading the internet-facing CAS to 2010. It's up to you if you want to do them at the same time or in batches.
 

Author Comment by jtano

Well, I guess I will have to get some sort of help, because the URL they use to connect with the cell phone is mail.domain.com, and that is now what the new 2010 server's URLs are. Do I have to switch them back and make the new server legacy.domain.com and put mail.domain.com back on Exchange 2007 (to save on redoing the SSL cert)? I feel like I'm back at square one.
 
LVL 16

Expert Comment by Rajitha Chimmani (LVL 16)

That will not help. You say the cell phone users were hitting the internet-facing CAS, which is on the 2007 version. Is that not so?

What is the version of the cell phone users' mailbox server? You need to remove the external URL on all intranet-site CAS servers, as you already have it set on the internet-facing CAS.
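Clearing the external URL on the CAS servers in the non-internet-facing sites, as an added Exchange 2010 Management Shell example (not from the thread). Exchange only issues the HTTP 451 seen above, with X-MS-Location pointing at another URL, when the CAS in the mailbox's AD site has an ExternalUrl set on its ActiveSync virtual directory; with that URL cleared, the internet-facing CAS proxies the request to the mailbox's site instead of redirecting the device. The site name Main-Site is an assumption; substitute the AD site that holds the internet-facing CAS.

```powershell
# Added example, not from the original thread. $internetFacingSite is an assumption.
$internetFacingSite = 'Main-Site'

# Every Exchange 2010 CAS (AdminDisplayVersion major 14) that is NOT in the
# internet-facing site. Get-ExchangeServer exposes the server's AD site.
function Get-IntranetCas {
    param([Parameter(Mandatory)] [string] $InternetFacingSite)
    Get-ExchangeServer |
        Where-Object {
            $_.IsClientAccessServer -and
            $_.AdminDisplayVersion.Major -eq 14 -and
            $_.Site.Name -ne $InternetFacingSite
        }
}

# Remove ExternalUrl from the client-facing virtual directories on one CAS.
# InternalUrl is left alone: the internet-facing CAS needs it to proxy to this site.
# Pass -WhatIf first to see what would change without changing it.
function Clear-CasExternalUrls {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $Server)

    Get-ActiveSyncVirtualDirectory -Server $Server |
        Set-ActiveSyncVirtualDirectory -ExternalUrl $null -WhatIf:$WhatIfPreference
    Get-OwaVirtualDirectory -Server $Server |
        Set-OwaVirtualDirectory -ExternalUrl $null -WhatIf:$WhatIfPreference
    Get-EcpVirtualDirectory -Server $Server |
        Set-EcpVirtualDirectory -ExternalUrl $null -WhatIf:$WhatIfPreference
    Get-WebServicesVirtualDirectory -Server $Server |
        Set-WebServicesVirtualDirectory -ExternalUrl $null -WhatIf:$WhatIfPreference
    Get-OabVirtualDirectory -Server $Server |
        Set-OabVirtualDirectory -ExternalUrl $null -WhatIf:$WhatIfPreference
}

$intranetCas = Get-IntranetCas -InternetFacingSite $internetFacingSite

# Dry run, then the real change.
foreach ($cas in $intranetCas) { Clear-CasExternalUrls -Server $cas.Name -WhatIf }
foreach ($cas in $intranetCas) { Clear-CasExternalUrls -Server $cas.Name }

# Verify: only the internet-facing site's CAS should still show an ExternalUrl.
Get-ActiveSyncVirtualDirectory |
    Select-Object Server, InternalUrl, ExternalUrl |
    Format-Table -AutoSize
```

After the change, re-run the ActiveSync test at testexchangeconnectivity.com against mail.domain.com: a mailbox in an intranet site should now succeed without the 451, because the internet-facing CAS proxies to that site's CAS. For this to work the intranet-site ActiveSync virtual directory must accept Integrated Windows Authentication from the proxying CAS, which is the IIS setting the quoted post above had to enable.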
 

Author Comment by jtano

Yes, the cell users' mailboxes are on Exchange 07 and they are hitting the CAS 07, except for users at other sites. Their mailboxes are on their own Exchange 2010 servers and they are using their own URL to get mail.
 
LVL 16

Expert Comment by Rajitha Chimmani (LVL 16)

All users must hit the CAS 2010 if your main URL is pointing to that server. You cannot have the main URL pointing to both 2007 and 2010 servers. I don't know how you have it set up to have 2007 users hit the 2007 CAS. legacy.domain.com is only for internal redirection. You cannot use it for accessing the mailboxes. I suggest you go through a few migration documents on best practices.