client access issues with migrating exchange 2007 to new hardware

Dear experts,

I am in the process of migrating an exchange 2007 server to new hardware. The source server is a single box with all roles and the new server will be performing the same functions after migration is completed.
So far, I have:
- updated the source server to exchange 2007 SP3
- built the new server, joined to domain and installed exchange server 2007 SP3
- enabled outlook anywhere
- exported the cert from the old server and imported it into the new
- enabled the cert with IIS, SMTP, POP and IMAP

All other settings are as they were out-of-the-box.

I have moved a mailbox over to the new Exchange server and when Outlook opens, it detects the move and repoints the Outlook account to the new server.  I also set up Outlook on a remote site using RPC over HTTP with a mailbox that was still on the old server - no problem, works fine.  I then closed Outlook and moved the mailbox to the new server - again, Outlook repoints and all is fine.

So at my firewall, I change the port forwarding for 25, 443 and 80 to point to the new server. When I do this all Outlook LAN stations get a cert error message and remote users with Outlook set up using RPC over HTTP jump to disconnected.  Changing the ports back resumes services to normal.

I'm missing something here that I hope you can help me with.

Thanks in advance.

Will Szymkowski (Senior Solution Architect) commented:
You need to update your virtual directories on your new CAS server. Also if you are going to keep both CAS servers up and running then you will need to use a Hardware Load Balancer to distribute the load between the 2 CAS servers. You are also going to want to add all of your receive/send connectors to the HUB Transport Role on the new server as well. This will ensure redundancy for both Hub Roles.

tech53 (Author) commented:
Thanks Will.  Following migration, I intend to remove the old exchange server completely.
I have updated the virtual directory names with the external URLs as follows:

OWA external URL -
ActiveSync external URL -
OAB external URL -
Outlook anywhere external host name -

However, I still have the same issue when I forward the ports to the new Exchange server. Not 100% what's not right.  I exported the GoDaddy SSL cert from the old Exchange server and imported it on the new one. I'm still using the same name in the cert, i.e. so that should be OK, yes?
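The virtual-directory update Will describes, written out as an added example in the Exchange 2007 Management Shell (this is not code from the thread). The server names OLDEXCH/NEWEXCH follow the names used later in this thread, and mail.example.com stands in for the public FQDN that the certificate carries; substitute your own. The comparison loop at the end is the check worth running before moving the firewall forwards: any external URL that still names a server's internal hostname will produce exactly the certificate name mismatch Outlook reports once port 443 lands on the new box.

```powershell
# Added example, not from the thread. Placeholder names: NEWEXCH, OLDEXCH,
# mail.example.com. Run in the Exchange Management Shell on the new server.
$newServer = "NEWEXCH"
$oldServer = "OLDEXCH"
$fqdn      = "mail.example.com"   # must be one of the names in the certificate

# Point every client-facing virtual directory on the new CAS at the public name.
Set-OwaVirtualDirectory         -Identity "$newServer\owa (Default Web Site)" -ExternalUrl "https://$fqdn/owa"
Set-ActiveSyncVirtualDirectory  -Identity "$newServer\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalUrl "https://$fqdn/Microsoft-Server-ActiveSync"
Set-OabVirtualDirectory         -Identity "$newServer\OAB (Default Web Site)" -ExternalUrl "https://$fqdn/OAB"
Set-WebServicesVirtualDirectory -Identity "$newServer\EWS (Default Web Site)" -ExternalUrl "https://$fqdn/EWS/Exchange.asmx"

# Outlook Anywhere: same external hostname and the same auth method the old server used.
Set-OutlookAnywhere -Identity "$newServer\Rpc (Default Web Site)" -ExternalHostname $fqdn -ClientAuthenticationMethod Ntlm

# Side-by-side check of old and new. Every ExternalUrl / ExternalHostname should
# show the public FQDN, never oldexch.domain.local or newexch.domain.local.
foreach ($s in $oldServer, $newServer) {
    Get-OwaVirtualDirectory         -Server $s | Select-Object Server, Name, ExternalUrl
    Get-ActiveSyncVirtualDirectory  -Server $s | Select-Object Server, Name, ExternalUrl
    Get-OabVirtualDirectory         -Server $s | Select-Object Server, Name, ExternalUrl
    Get-WebServicesVirtualDirectory -Server $s | Select-Object Server, Name, ExternalUrl
    Get-OutlookAnywhere             -Server $s | Select-Object Server, ExternalHostname, ClientAuthenticationMethod
}
```

Keeping one public name across all directories is also what lets a single certificate cover everything; each additional hostname you publish is another name the certificate must carry.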
Will Szymkowski (Senior Solution Architect) commented:
Yes that is fine. As long as you are going to use the same FQDN in your virtual directories it will be fine.

You will also need to enable the cert on the Exchange server using the below commands, if you have not done so already.

Get-ExchangeCertificate | ft

Enable-ExchangeCertificate -Thumbprint <XXXXXXXXX> -Services "pop,imap,smtp,iis"

It will then ask you to confirm; press Y to proceed.
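An added example (not from the thread) that wraps Will's two commands with the checks that usually explain a failed import: the certificate is located by its public name rather than by pasting a thumbprint, and it is rejected if it arrived without its private key or has expired. mail.example.com is a placeholder for the name on the GoDaddy certificate.

```powershell
# Added example, not from the thread. mail.example.com is a placeholder.
$fqdn = "mail.example.com"

# Find the imported certificate by the name it covers (subject or SAN entry).
# If several match, take the one that expires last.
$cert = Get-ExchangeCertificate |
    Where-Object { ($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $fqdn } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert)                 { throw "No certificate for $fqdn in the local machine store" }
if (-not $cert.HasPrivateKey)   { throw "Certificate has no private key; export it from the old server as a PFX with the key" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

# What it currently serves and which names it covers.
$cert | Format-List Thumbprint, Subject, CertificateDomains, NotAfter, Services

# Bind it to the client-facing services (answer Y at the prompt).
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services "IIS,SMTP,POP,IMAP"

# Re-read and confirm IIS is listed: that is the binding OWA and Outlook Anywhere
# present on port 443, and the one the remote Outlook clients validate.
(Get-ExchangeCertificate -Thumbprint $cert.Thumbprint).Services
```

A certificate that shows in the store but with HasPrivateKey false will still appear in Get-ExchangeCertificate, which is why the import can look successful while every TLS session on 443 fails.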



tech53 (Author) commented:
I've already enabled the cert for those services and I'm using the same FQDN as the old Exchange server.
Can't put my finger on this at all. It's like when the ports are directed to the new server, it's not responding.  The remote Outlook clients disconnect and I've just discovered that when external senders send email in it gets bounced.
Will Szymkowski (Senior Solution Architect) commented:
Do you have any firewalls enabled on this Exchange server? You should be able to telnet on port 25 to that Exchange server. Also make sure that the proper receive and send connectors have been created on the new server as well.

Your NAT also needs to be configured properly to the new server.

tech53 (Author) commented:
Thanks Will. I'll try those suggestions tomorrow. I'll need to test it during lunch break.
tech53 (Author) commented:
When I forward the ports (25, 443 and 80) to the new exchange server, I can telnet to it on port 25.

When I installed exchange server, the default and client receive connectors were already created.  I checked these against the old server and they are identical.

Any other suggestions?

Will Szymkowski (Senior Solution Architect) commented:
Can you telnet to your Exchange server or smarthost from an external source outside of your domain?

tech53 (Author) commented:
Yes. When I forward the ports to the new Exchange server I can telnet on port 25.
Will Szymkowski (Senior Solution Architect) commented:
"Outlook LAN stations get a cert error message and remote users with outlook setup using rpc over http, jump to disconnected"

In your initial statement you said you get a cert error? What is the cert that is being used? Also did you set your Autodiscover URI correctly? Also for Outlook Anywhere did you make sure you enabled this on the new Exchange server with the proper URL as well?

tech53 (Author) commented:
Will, I should have updated you - I got the cert issue sorted.  It's a SAN SSL cert that has the correct names now.

Autodiscover wasn't being used on the old exchange server and I haven't configured it on the new one either.

Outlook Anywhere is enabled on the new server and is configured with the same hostname as the old server ( It's also using NTLM authentication.  

I've performed quite a few SBS migrations before and during the Exchange migration there's always been a connector linking the old and new Exchange boxes. Is that still required?
tech53 (Author) commented:
I took your comment about the autodiscover uri and followed up with a bit of research.  The old exchange server (lets call it oldexch) and new exchange server (newexch) both have default autodiscover uri set to their respective hostnames.

When I use the command
Get-ClientAccessServer |select name,AutoDiscoverServiceInternalUri
I get the following:

Name                                    AutoDiscoverServiceInternalUri
----                                    ------------------------------
OLDEXCH                                 https://oldexch.domain.local...
NEWEXCH                                 https://newexch.domain.local...

My SAN cert has both the old and the new hostnames added (yes, internal hostnames).
However, I found an article which suggests that I can't have 2 different Autodiscover URIs published in the same domain (based on my configuration and deployment plan).  

How can I resolve this?  Change the internal Autodiscover URI on both servers to point to the new server?
Currently, when I change ports 25, 80 and 443 on the firewall to point to the new server, RPC over HTTP clients outside the LAN can't access their mailbox using Outlook. Would setting the URI to the new server fix this for me?

Will Szymkowski (Senior Solution Architect) commented:
"Change the internal autodiscover uri on both servers to point to the new server?"
This is correct. You only need 1 autodiscover URL. Autodiscover is for service availability. You only need to have 1 entry point where the autodiscover URL will point you to the services and where they are located.
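The single-Autodiscover-URI change Will confirms, as an added example in the Exchange 2007 Management Shell (not code from the thread). Both CAS objects are given the same SCP URL, then two things are checked that the thread's symptoms depend on: the hostname in that URL resolves to the address that now receives port 443, and the name is covered by the certificate bound to IIS. Server names and mail.example.com are placeholders; the Test-OutlookWebServices call at the end is an assumption about the 2007 SP1+ cmdlet and is optional.

```powershell
# Added example, not from the thread. Placeholders: OLDEXCH, NEWEXCH, mail.example.com.
$autodiscoverUri = "https://mail.example.com/Autodiscover/Autodiscover.xml"

# One SCP value on every CAS: domain-joined Outlook picks the SCP from AD, so
# two different URIs means clients are steered to whichever server they hit first.
foreach ($cas in "OLDEXCH", "NEWEXCH") {
    Set-ClientAccessServer -Identity $cas -AutoDiscoverServiceInternalUri $autodiscoverUri
}
Get-ClientAccessServer | Select-Object Name, AutoDiscoverServiceInternalUri

# Check 1: the SCP hostname must resolve to the server that now holds port 443.
# ($host is a reserved PowerShell variable, hence $adHost.)
$adHost = ([Uri]$autodiscoverUri).Host
"$adHost resolves to: " + (([System.Net.Dns]::GetHostAddresses($adHost) | ForEach-Object { $_.IPAddressToString }) -join ", ")

# Check 2: the IIS-bound certificate must carry that hostname, otherwise Outlook
# reports a certificate error before it ever reads Autodiscover.
$iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" }
$covered = $iisCert | Where-Object { ($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $adHost }
if (-not $covered) { Write-Warning "No IIS-bound certificate covers $adHost" }
else { "Covered by thumbprint " + $covered.Thumbprint }

# Optional end-to-end probe (assumed cmdlet form; user@example.com is a placeholder mailbox).
Test-OutlookWebServices -ClientAccessServer NEWEXCH -Identity user@example.com
```

When the old server is later decommissioned, its CAS object and SCP disappear with it; until then the duplicate entry is the reason to set the URI on both rather than only on NEWEXCH.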

tech53 (Author) commented:
Ok Will. Embarrassingly, I discovered that I didn't have the Windows server feature RPC over HTTP Proxy installed.  I missed this completely and would have assumed that Exchange server would have requested it to be installed as a pre-requisite.  However, I'm sure that the other suggestions that you made helped me along the way as without all of those it wouldn't have worked either.  As a wise man once said to me "It's always better to check with someone before you hose down your server".

To other readers:  the RPC over HTTP Proxy service is a Windows feature - not an Exchange service. Make sure this is installed on your server along with the other pre-requisites.  To install this feature:
- open server manager
- click features and then add features
- check the box next to RPC over HTTP proxy (you may be asked to install additional required Role services)

Thanks to Will for knowledge share.
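The Server Manager steps above, as an added scripted equivalent (not code from the thread) that also verifies the result. The feature name RPC-over-HTTP-Proxy is the one the ServerManager module uses on Windows Server 2008 R2; NEWEXCH is a placeholder server name. Because the missing feature produced no Exchange-side error in this thread, the final Get-OutlookAnywhere line is there to show that Outlook Anywhere can report itself enabled while the Windows component it relies on is absent, so the two checks belong together.

```powershell
# Added example, not from the thread. NEWEXCH is a placeholder.
# Part 1: Windows feature check (run in an elevated PowerShell on the CAS server).
Import-Module ServerManager                       # Windows Server 2008 R2 and later
$feature = Get-WindowsFeature RPC-over-HTTP-Proxy
if (-not $feature.Installed) {
    # Pulls in the required IIS role services as well.
    Add-WindowsFeature RPC-over-HTTP-Proxy
}
Get-WindowsFeature RPC-over-HTTP-Proxy | Select-Object Name, Installed

# On Windows Server 2008 (pre-R2) there is no ServerManager module; use instead:
#   ServerManagerCmd.exe -install RPC-over-HTTP-Proxy

# Part 2: Exchange-side view (Exchange Management Shell). This output looks
# healthy even when the Windows proxy is missing, which is why Part 1 is needed.
Get-OutlookAnywhere -Server NEWEXCH | Format-List Server, ExternalHostname, ClientAuthenticationMethod, SSLOffloading
```

Running the feature check on the old server too, before cutover, gives a baseline of which Windows components the working configuration actually had.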