Exchange 2007 and 2010 coexisting

I have 2 Exchange 2010 servers at remote sites. My main site has Exchange 2007. They are all on 1 domain. Each server has its own URL to connect to OWA, smartphones, etc. All was working well until I set up a new 2010 server in the main AD site where 2007 is and tried setting it up to co-exist, changing all the URLs etc. to legacy.domain.com and the new Exchange 2010 to mail.domain.com. Everything is working fine for users on all 4 servers except random users are getting prompted for ID and password, and Outlook Anywhere doesn't seem to work anymore, so users in remote sites that are off the network find that they can't get to their email.
I tried changing Set-OutlookProvider EXPR -CertPrincipalName msstd:mail.domain.org (as well as EXCH and WEB) but that didn't seem to help. Any suggestions? Our email filters through a spam filter and I know you are supposed to update your main internet-facing CAS first, but that did not happen.
Amit
What is the Service Pack and RU level on all Exchange 2010 servers? Make sure all 2010 servers are running at the same Service Pack and RU.
jtano (ASKER)
They are. They are all version 14.3 build 123.4 (so SP3) on all 3 Exchange 2010 servers. Exchange 2007 is SP3 as well.
Let's confirm it by running this command:
GCM exsetup |%{$_.Fileversioninfo}

Run it on all 3 Exchange 2010 servers and post it here.
jtano (ASKER)
ProductVersion   FileVersion      FileName
--------------   -----------      --------
14.03.0210.002   14.03.0210.002   E:\Program Files\Exchange\bin\ExSetup.exe

--------------   -----------      --------
14.03.0210.002   14.03.0210.002   E:\Program Files (x86)\Microsoft\Exchange Server\V14\bin\ExSetup.exe

14.03.0210.002   14.03.0210.002   E:\Program Files\Exchange\bin\ExSetup.exe
Everything is working fine for users on all 4 servers except random users are getting prompted for id and pass


This is often a sign of a certificate error. Did you reissue the cert? Or is it a new cert? Does it have all the names on it: mail.yourdomain.com, autodiscover.yourdomain.com, legacy.yourdomain.com, etc.?

Also, did you load the certificate on both 2010 servers (assuming they are both CAS servers)? If they are both CAS servers, what are you doing for load balancing? If you have a load balancer (for example an HNLB like a Kemp, or a software NLB like TMG), did you install the certificate on the load balancer as well?

Also, DNS-wise: are you using split-brain DNS? How are your internal URLs and external URLs configured? Did you configure all 7 internal and external URLs on 2010?

and outlook anywhere doesn't seem to work anymore.

Have you enabled Outlook Anywhere in 2010?

Check out my 2010 namespace article here. It covers all certificate, DNS and URL requirements for Exchange 2010.
https://supertekboy.com/2014/05/27/designing-a-simple-name-space-for-exchange-2010/
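As an added example (not code from the thread or from the linked article), the following Exchange Management Shell script audits, on every 2010 Client Access server, the items the answer above asks about: the virtual directory internal/external URLs, the Outlook Anywhere settings, whether every hostname used in a URL is actually on the IIS certificate, and the Outlook Provider principal name the asker changed. It assumes the placeholder names from the thread (mail.domain.com, legacy.domain.com, autodiscover.domain.com); substitute your own.

```powershell
# Added audit script (not from the thread). Run in the Exchange 2010 Management Shell.
# Placeholder names from the thread; replace with the names on your own certificate.
$expected = @('mail.domain.com', 'legacy.domain.com', 'autodiscover.domain.com')

foreach ($cas in Get-ClientAccessServer) {
    $s = $cas.Name
    Write-Host "== $s  (Autodiscover SCP: $($cas.AutoDiscoverServiceInternalUri))"

    # Virtual directories that carry InternalUrl/ExternalUrl. A blank ExternalUrl, or a
    # hostname that is not on the certificate, is a common cause of credential prompts.
    $vdirs = @(Get-OwaVirtualDirectory -Server $s) +
             @(Get-EcpVirtualDirectory -Server $s) +
             @(Get-ActiveSyncVirtualDirectory -Server $s) +
             @(Get-WebServicesVirtualDirectory -Server $s) +
             @(Get-OabVirtualDirectory -Server $s)
    foreach ($v in $vdirs) {
        "{0,-50} int={1}  ext={2}" -f $v.Identity, $v.InternalUrl, $v.ExternalUrl
    }

    # Outlook Anywhere must be enabled on the server the external name resolves to,
    # and its ExternalHostname must be one of the names on the certificate.
    Get-OutlookAnywhere -Server $s -ErrorAction SilentlyContinue |
        Select-Object ExternalHostname, ClientAuthenticationMethod, IISAuthenticationMethods |
        Format-List

    # Compare the SAN list of the certificate bound to IIS with every hostname in use.
    $cert = Get-ExchangeCertificate -Server $s | Where-Object { "$($_.Services)" -match 'IIS' }
    $san  = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })
    $names = @($vdirs | ForEach-Object { $_.InternalUrl, $_.ExternalUrl } |
               Where-Object { $_ } | ForEach-Object { $_.Host.ToLower() }) + $expected |
             Sort-Object -Unique
    foreach ($n in $names) {
        if ($san -notcontains $n) {
            Write-Warning "$s : '$n' is used in a URL but is not on the IIS certificate"
        }
    }
}

# The EXPR provider principal name the asker changed: Outlook compares it with the
# certificate presented over Outlook Anywhere, so it must match a name on the cert.
Get-OutlookProvider | Select-Object Name, CertPrincipalName, Server
```

The SAN comparison is an exact string match, so a wildcard certificate will produce warnings for names it does cover.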
jtano (ASKER)
1. Redid the cert and reinstalled on all servers: mail.domain.com (new Exchange 2010), mail2.domain.com (Exchange 2010 server 2), legacy.domain.com (Exchange 2007), autodiscover.domain.com (new Exchange 2010) and mail3.domain.com (Exchange 2010 server 3).
2. Did nothing for load balancing - where do they teach this stuff?
3. DNS - yes, split. Main AD site - internal URLs mail and autodiscover.domain.com point to the internal IP of the new 2010, legacy.domain.com points to the internal IP of 07.
External DNS hosting - mail and autodiscover.domain.com point to the external IP of the new 2010; a different external IP points to legacy.domain.com of Exchange 07.
Remote sites (2): internal IP of mail2.domain.com points to 2010 server #2. Also has an external IP address pointing to mail2.domain.com.
Remote site (3): internal IP of mail3.domain.com points to 2010 server #2. Also has an external A record IP pointing to the same.
QUESTION: I just read that you should also have the external IP in internal DNS. So am I to make another entry in the same zone for mail.domain.com - an A record 192.18.0.1 mail.domain.com and another A record of 24.52.53.2 also for mail.domain.com?

3. Yes, I enabled Outlook Anywhere in the new 2010 only (not the other 2010s). It is also enabled in 2007. I read I am to turn that off? I am reading your article now.
QUESTION: I just read that you should also have the external IP in internal DNS. So am I to make another entry in the same zone for mail.domain.com - an A record 192.18.0.1 mail.domain.com and another A record of 24.52.53.2 also for mail.domain.com?

What was the reference you saw this in? Typically this won't work as most firewalls will block this kind of behavior. For example, an internal client queries the internal DNS, receives the external IP address. It will then try to go out the firewall, just to then come back in. Most firewalls won't allow that.

Do you get any errors if you run the autodiscover test from www.exrca.com?
jtano (ASKER)
1. https://www.simple-talk.com/sysadmin/exchange/upgrade-from-exchange-2007-to-exchange-2010---part-1/
Figure 2. The internal DNS zone for the split DNS implementation

All external IP addresses for inframan.nl must be stored in the internal DNS zone. If you forget to, for example, include the Address record of the external webserver, then internal clients cannot resolve its IP address, and accessing the site via an internet browser will fail!

This setup has been working successfully for a couple of years now, but since Inframan needs to upgrade their hardware, it was decided to upgrade to Exchange Server 2010 SP1 at the same time. MAYBE I AM MISUNDERSTANDING THIS??
2. Autodiscover Outlook tests successful with warnings. This is for a user on both Exchange 07 and the new Exchange 10.
Warnings are: autodiscover url://domain.org:443/autodiscover/autodiscover.xml FAILED and Testing TCP port 443 on host domain.org: port is either blocked, not listening or producing expected response
2. Autodiscover Outlook tests successful with warnings. This is for a user on both Exchange 07 and the new Exchange 10.
Warnings are: autodiscover url://domain.org:443/autodiscover/autodiscover.xml FAILED and Testing TCP port 443 on host domain.org: port is either blocked, not listening or producing expected response

That's fine. EXRCA just tests multiple routes to get to your autodiscover service. So you can disregard that warning.

1. https://www.simple-talk.com/sysadmin/exchange/upgrade-from-exchange-2007-to-exchange-2010---part-1/
 Figure 2. The internal DNS zone for the split DNS implementation

Well, I can't argue against Jaap (the author) as he is a multiple-time MVP for Exchange! :)

No, what Jaap is getting at is that when you do a split-brain DNS configuration you need to make sure that any resources that still exist out there on the internet are covered. For example, your company's website will need a WWW record pointing to the external IP of your web hosting provider. Otherwise internal clients won't be able to access your website.

If you check his screenshot he has autodiscover and mail going to internal IPs. And then www (for his website) going to the external IP.

So the internal DNS zone only needs the internal IPs of Exchange (not the externals).

So it sounds like all 3 of these servers are multi-role servers (they are all doing CAS, HUB and MBX). And you mentioned the login prompt was random. So, do all users experience it at some point? Or is it just certain users in a specific site?

Do you have Active Directory configured with separate sites?
jtano (ASKER)
Okay. I just added those tonight so I will take them out. I did see that but wasn't sure and didn't think it would hurt.
I have a 2nd laptop connected only to my Wi-Fi, not connected to the domain, that is now getting connected to email. I have been working on Exchange, so maybe Outlook Anywhere is working now. I may have had to manually change some of the Outlook settings to be NTLM, etc. in order to work. It seems when I changed some of the users that were having the credential pop-up problem that it would switch them back. Is this normal? Is there a way to globally change the Outlook setting for proxy authentication settings?
Outlook should pick up automatically any changes you make to Outlook Anywhere. Although it will likely require Outlook to be restarted to take effect.
jtano (ASKER)
I thought disabling Outlook Anywhere on Exchange 2007 would cause the mailboxes still on that legacy server not to work in Outlook, since they all connect using Outlook Anywhere using HTTP Exchange proxy settings? It seems to be working, but we have users in remote sites that connect back to our Exchange. I guess I will find out tomorrow. One more question: we don't use public folders. Do I need them in 2010 for anything? Thanks for your help!
ASKER CERTIFIED SOLUTION
Gareth Gudger