Exchange 2007 to 2013

I am planning to migrate Exchange 2007 to 2013 with coexistence. I am thinking about buying a new certificate for the new Exchange 2013 and also creating a zone for the public DNS domain, as required by the new certificate.
The old certificate applied on Exchange works for domain.local and is valid for a couple of months. I would like to leave it running and migrate non-critical mailboxes first and test their access, and gradually move high-profile users with big mailboxes.
Would there be any issues with the existing certificate for ActiveSync, Autodiscover or OWA if I create a zone for public DNS? Or will it continue to work without any issue?
Also, I have a spam filtering solution from Securence, and the MX record in DNS points to the Securence mail server, and Securence has the IP address of the mail server. How do I approach creating the legacy DNS entry for co-existence? Do I create that in DNS or in Securence?
0
Asked: pchettri
 
Simon Butler (Sembee), Consultant, commented:
The legacy namespace has nothing to do with email delivery.
Therefore if you have a host name set up with an external spam filtering service, then you can continue to use that, just point it at the Exchange 2013 server.

The usual method here is to purchase a new SSL certificate for both tasks.
This certificate would contain the following names:
host.example.com - this is your current public name, as used by ActiveSync, OWA, Outlook Anywhere etc.
autodiscover.example.com
legacy.example.com - this is a new name, applied to Exchange 2007.

All traffic would then be directed to the Exchange 2013 server using your existing name, with the Exchange 2007 server reconfigured to use the legacy host name.

However, if you have internal users used to using the internal name of the server and the certificate you have does not expire after November 2015, then you could get it rekeyed to include the legacy host name.
Reconfigure your environment to use a split DNS so that the external names resolve internally as well. Reconfigure Exchange with the external host name for both internal and external URLs. That would catch all of the traffic and direct it to the correct place.

Simon.
0
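
An added example (not part of the original thread or either poster's code): a PowerShell check that every host name or URL clients will use is covered by a certificate's subject alternative names, using the names from the answer above. The server name `mail01.domain.local` and the sample URLs are constructed placeholders.

```powershell
# Added example. Reports which client-facing names a certificate's SAN list covers.
function Test-NamespaceCoverage {
    param(
        [Parameter(Mandatory)] [string[]] $CertificateDomains,  # SAN entries on the certificate
        [Parameter(Mandatory)] [string[]] $RequiredNames        # host names or full URLs
    )
    foreach ($entry in $RequiredNames) {
        # Accept either a bare host name or a virtual directory URL.
        $name = if ($entry -match '://') { ([uri]$entry).Host } else { $entry }
        $match = $null
        foreach ($san in $CertificateDomains) {
            if ($san -eq $name) { $match = $san; break }        # -eq is case-insensitive
            if ($san.StartsWith('*.')) {
                # A wildcard SAN covers exactly one extra left-most label.
                $suffix = $san.Substring(1)                     # e.g. ".example.com"
                $label  = $name.Substring(0, [Math]::Max(0, $name.Length - $suffix.Length))
                if ($name.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) -and
                    $label -and $label -notmatch '\.') { $match = $san; break }
            }
        }
        [pscustomobject]@{
            Entry     = $entry
            Host      = $name
            Covered   = [bool]$match
            MatchedBy = $match
        }
    }
}

# Constructed sample: the three names proposed for the new certificate.
$newCertSans = @('host.example.com', 'autodiscover.example.com', 'legacy.example.com')

# Constructed sample: URLs as they might be configured during the migration.
# The last one still uses the internal server name (placeholder) and is not covered.
$urls = @(
    'https://host.example.com/owa',
    'https://autodiscover.example.com/autodiscover/autodiscover.xml',
    'https://legacy.example.com/owa',
    'https://mail01.domain.local/owa'
)

Test-NamespaceCoverage -CertificateDomains $newCertSans -RequiredNames $urls | Format-Table

# In the Exchange Management Shell the SAN list can come from the installed certificate:
# $cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' }
# $sans = $cert.CertificateDomains | ForEach-Object { "$_" }
```

Any row with `Covered` set to False is a name that will raise a certificate warning for clients until the URL is changed or the name is added to the certificate.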
 
it_saige, Developer, commented:
@Simon - one thing that always bothers me about the Exchange 2007/2013 co-existence model is the requirement for a legacy record (I understand the reasons for it). Just to complete my understanding, does this imply that you would need at least two external IPs for routing the external traffic, as the 2013 server would redirect the traffic to the legacy record, or would split DNS handle this internally?

-saige-
0
 
Simon Butler (Sembee), Consultant, commented:
You need two addresses because Exchange 2013 cannot proxy OWA traffic to Exchange 2007.
Split DNS wouldn't do anything for it, other than allowing you to use the same two addresses internally.

Simon.
0
 
it_saige, Developer, commented:
Thanks Simon. That was my understanding. I just find that the understanding is more implied than explicitly defined.

-saige-
0
 
pchettri, IT Director (author), commented:
Do you mean I only need to apply the certificate to legacy.example.com and I do not need to create any DNS record for legacy?
Also, I will have to create an internal zone with the public namespace to apply the new certificate I would be buying for Exchange 2013, but in 2007 I would continue to use the certificate for domain.local. Would it work if I leave both the local and public DNS zones in internal DNS?
0
 
Simon Butler (Sembee), Consultant, commented:
You need a DNS entry for the legacy host name.
Ideally I would switch everyone to use the public host name.
Internally it depends what they are using. If it is the server's real name, then you would need to test it with regards to an internal user on the later version of Exchange authenticating with an older version. It isn't something I have looked at for a long time, but usually Exchange doesn't upgrade very well. All of the documentation for coexistence says to get users to authenticate against the highest version of Exchange, and let Exchange downgrade if required.

Simon.
0
 
pchettri, IT Director (author), commented:
Hi Simon,

The article shows the co-existence scenario in Part 14 by enabling proxy. In this scenario they have used TMG, while I use Securence as the inbound filter.

Do you think this would be an appropriate solution for co-existence? Or should I go ahead and do a migration without co-existence when I only have 30 users? I could not find a good article for migration without co-existence. Even the deployment tool does not give an option for one without co-existence like the way it used to offer for 2010.
0
 
Simon Butler (Sembee), Consultant, commented:
30 users is hardly worth going through the headache of a coexistence period. Simply kick them out of email on a Friday night, set up the move mailbox and leave it to get on with it. Unless they all have very large (10 GB or more) mailboxes, you should be easily done by late Saturday, when you can make the NAT changes on the firewall etc. and be prepared for Monday.

Leave the old server running for at least a week, then remove it using add/remove programs.

Simon.
0
Question has a verified solution.
