Issues with 2016/2010 Exchange Coexistence.

KHSIT
I had this question after viewing Issues with Exchange 2016/2010 Coexistence.

We are having issues getting our 2010 and 2016 exchange OWA site to work.  The question above is the original question.  Here is some info.

HTTP Proxy Log

Browser Image
 
VirDir Report

We have verified that the authentication is correct on the servers.  When we check the proxy logs it states that it's HttpProxyException=Microsoft.Exchange.HttpProxy.HttpProxyException: Unable to find proper back end service for Sid~S-1-5-21-527237240-261478967-725345543-4688 in site CN Default-First-Site-Name CN Sites CN Configuration DC DOMAIN DC local. ---> Microsoft.Exchange.HttpProxy.NoAvailableDownLevelBackEndException: Unable to find proper back end service for Sid~S-1-5-21-527237240-261478967-725345543-4688 in site CN Default-First-Site-Name CN Sites CN Configuration DC DOMAIN DC local.

We have the 2016 running our sync for devices and everything else seems to work fine.  Just OWA that won't work.  We've spent 4 days working on this issue and we believe it's time to get some more help on it.  Anything you can suggest would be appreciated.
Nathan Hawkins, Technical Lead - Network Security

Commented:
Well...to be clear...coexistence is never easy... Firstly, I would never split services between the 2 systems. You need clear divisions of work: either 2010 is going to field the services or 2016 is. So what this means is that when you are ready to cut the new services over to 2016 you do it all at once and test to see if they work; if they do not, then you back out and figure out what wasn't working. That some services work and some don't at this point is not surprising. You can't just use the Exchange GUI. There are a lot of settings in Exchange and AD that need to be changed in order to go from 2010 to 2016. Usually in a coexistence setup the plan is to migrate to one or the other, usually to the newer one.

Please explain what the environment consists of currently and what the end goal is.

Author

Commented:
We are migrating from 2010 to 2016.  Prep ad/schema/domain were all run.  The server was installed using this document: http://techgenix.com/migrating-small-organization-exchange-2010-exchange-2016-part1/  Everything is running off of the 2016 server.  Mail is flowing through it to the 2010.  Everything works EXCEPT OWA.  When a user that has an account on the 2010 tries to log into the 2016 OWA site, the site prompts for username and password.  User enters it, then site goes to
IEError
We have verified that everything is set up correctly per the virtual directory output as posted above.  The error that shows is stating in the HTTPProxyLog that the server cannot find the 2010 server.  That is where we are stuck at.
Nathan Hawkins, Technical Lead - Network Security

Commented:
What CU is 2016 at?
Author

Commented:
5

Author

Commented:
And RU17 on 2010
Nathan Hawkins, Technical Lead - Network Security

Commented:
Where are the user mailboxes located?

Author

Commented:
Most on 2010.  I have created/moved 1 mailbox each and those two users can log into OWA through 2016 fine.  It's when a 2010 user tries to log into the 2016 OWA site that we have the problem.  When they do, the error in the first image above is what we see.

Author

Commented:
Here is the latest Virtual Directory Report

VirDir Report
Nathan Hawkins, Technical Lead - Network Security

Commented:
Ok. Yeah... well there you go. This is the quintessential issue when "co-existing". You have services split up and are trying to get them all to work while everything is split up. It is my experience that when you are in that situation, some things will work for users and some things won't until you get ALL services to one system or the other. The way you avoid this situation is by not splitting services. So you have mailbox services split. If it were me, and my project, you would have test users that you would create and place on 2016 and they would be exactly that. No one gets migrated to 2016 until you get everything working out on the 2016 servers. So with that said, it kind of sounds like that's where you are at. If everything is working for the users that are located on 2016, then you start moving ALL of the 2010 users to 2016. Yeah...it's probably a lot of work in the waiting, but welcome to IT.

Trying to get services to work on BOTH systems at the same time is a HUGE nightmare and usually is far more work than it is worth. So please verify that users on 2016 are fine and it's the users on 2010 with the issues?

Author

Commented:
I migrated the exchange server (from a prior CIO) from 2003 to this 2010 server with no problem.   Just can't figure out why the error in the HTTPProxy log is coming up.  When I look at ADSIEdit, it shows the 2010 server as an exchange server so not sure why it can't find it.
Nathan Hawkins, Technical Lead - Network Security

Commented:
There's a couple of places in AD (gotta look for them on a DC and I forget where they are all located) where Exchange servers are configured. I assume DNS is configured correctly for ALL exchange servers in all forward lookup zones? Under AD users and computers there's a "Microsoft Exchange Security Groups" object - under members should be ALL of your Exchange servers.

Author

Commented:
Yes to all.  I looked through the deployment assistant that I found and found this.  I need to run this command

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 14*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-ClientAccessServer | Where {$_.OutlookAnywhereEnabled -Eq $True} | ForEach {Set-OutlookAnywhere "$_\RPC (Default Web Site)" -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName $Exchange2016HostName -IISAuthenticationMethods NTLM, Basic}

but when I do, the 2016 server states that "A parameter cannot be found that matches parameter name 'ClientAuthenticationMethod'".  Not sure what else I'm supposed to use though.

Not sure if you'll be able to see this but here is the link:  https://technet.microsoft.com/en-us/exdeploy2013/Checklist?state=3227-W-EgAEAAAAQAAAAAEAAAAAABA0CAAAwAMAEAA%7e Page 20 when printed.  "Configure Outlook Anywhere"  Apparently this is supposed to configure 2010 to accept connections from the 2016 server.
Nathan Hawkins, Technical Lead - Network Security

Commented:
That article states that those commands are supposed to be run on the 2010 servers... Please do so.

Author

Commented:
I did.  I also found an issue with the RPC entry in ADSIEdit.  Resolved it also.  Still isn't working.
K B

Commented:
Why don't you stage the migrations, get 95% staged, then cut over on a weekend?

Why do you need ow/ 2010 if you are decommissioning 2010
Nathan Hawkins, Technical Lead - Network Security

Commented:
Well, I'm not sure exactly if there is a better answer beyond what was already given. Get the users over to 2016 and I believe they will be all set. Please do so.

Author

Commented:
The reason I was trying to set up the OWA was because we are a 24 hour business.  We always have someone here.  My plan is to migrate them a department at a time, stopping to make sure that everyone is up and going before going to the next department.  Because of this, it could take a month to do.  Having OWA down for the users on the 2010 server from the outside world is getting a lot of complaints.  I guess I'll figure something out.
K B

Commented:
You could have 2 external owa

2 ip addresses needed.
Mail.contoso.com (2010)
Outlook.contoso.com (2016)
Or however you want to name them
K B

Commented:
And internal for that matter.
Nathan Hawkins, Technical Lead - Network Security

Commented:
In a co-existence environment, having DNS point at separate Exchange systems via differing URLs doesn't work, because AD ties it all together and makes it so it goes one way or another depending on how it's configured. The best answer is to swing the users over to 2016. Trying to get OWA working in both versions is going to be a nightmare and not worth the amount of work required. I'm pretty sure even if you opened up Microsoft support tickets it would still take weeks to get this working correctly and you are just going to eliminate 2010 anyway. In that time you could swing all users over to 2016 and fix the ones who are having issues.
K B

Commented:
Not sure what you mean it wouldn't work because of Active Directory.  
you would just set internal and external OWA URLs.

2010 would be the way it was
2016 would be the new vdir urls
Nathan Hawkins, Technical Lead - Network Security

Commented:
AD ties exchange systems together; that's mainly the reason why he's having issues, because of the coexistence. Pretty sure 2010 worked just fine before 2016 was installed. Setting up separate URLs will accomplish nothing more than what is currently going on.
K B

Commented:
EDIT: Not sure what you mean it wouldn't work because of Active Directory.  
you would just set internal and external OWA URLs.

2010 would be the way it was
2016 would be the new vdir urls
or better yet reverse that so folks can keep what they are used to...

the users on 2010 would use the "stop-gap" of outlook.contoso.com (which is better than the server name)
and it would work from the outside too (with 2 IPs)


actually it would solve what will be a month long problem of not having OWA externally.

If the user uses the correct URLs when migrated no ill effects will occur. The alternative is it doesn't work anyway.

He said it is going to take a month and there is no way around that.
Nathan Hawkins, Technical Lead - Network Security

Commented:
A) There's always a way, make it work through scheduling and time. This whole weekend went by and could have been accomplished in that time frame. I've been a part of a 3000+ employee migration that occurred over a single weekend. It's not that hard...and depending on the horsepower of your exchange system/s, your network connectivity and how large these mailboxes are, it can be accomplished pretty quickly.
B) Look... I'm not going to argue. What I stated are facts. It won't work.
K B

Commented:
Apologies if you thought I was arguing.  This is a discussion forum and it elicits debate for the good of the community.

I am in no way saying you are 100% incorrect.  

I am asking for the presentation of documentation to back up your facts.  This is for the good of the @OP and the community at large.

Author

Commented:
I found out yesterday that our current backup software has some limitations on exchange 2016 restores so I will have to put off moving our users until I either find a different backup solution or until our current software is updated to allow what we need to be able to do.  Speaking to them yesterday, it sounds like a fix could be coming soon.  Setting up two different IPs for client access is not acceptable, our users are medical staff and don't like to have to go multiple places to "test" if they can get in.  The Exchange software is set up to coexist so why can't it find my 2010 server.  I have also found that it is the error in the http logs that is causing the issue.  For some reason, my 2016 server can't communicate with the 2010 using AD to find it.  Not sure what is causing it though.  Moving the users over in a single weekend also won't work.  We have 2 people supporting all of our users which spurred the comment above "My plan is to migrate them a department at a time, stopping to make sure that everyone is up and going before going to the next department.  Because of this, it could take a month to do."   I'm almost to the point of running Prep AD/Domain/Schema from the 2010 server, then running it from the 2016 server to see if it makes any difference.
Nathan Hawkins, Technical Lead - Network Security

Commented:
The answer is it can, as I have stated multiple times. It will just take inconceivable hours to find the right commands to make the coexistence work correctly. I wish you luck.
K B

Commented:
I would recommend recreating the OWA virtual directory on the Exchange 2010 Server.

However, before you do, open a ticket with Microsoft, it is clearly worth the money.
Network Manager
Commented:
My issue with the 500 error turned out to be this setting on exchange 2010.  Mine was set to blocked and I needed to change it to unrestricted.

Set-MailboxServer -Identity EXServerName -DatabaseCopyAutoActivationPolicy Unrestricted
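
The check behind the fix in the comment above, as an added example that is not part of the original thread: a read-only diagnostic that looks for the NoAvailableDownLevelBackEndException quoted in the question and lists the activation policy of each Exchange 2010 mailbox server. It assumes the Exchange Management Shell on the 2016 server and the default HttpProxy log folder under $env:ExchangeInstallPath; the one-day window is an arbitrary choice.

```powershell
# Added example: read-only, changes nothing. Run in the Exchange Management Shell on the 2016 server.
# Assumption: OWA proxy logs are in the default folder under the Exchange install path.
$logDir = Join-Path $env:ExchangeInstallPath 'Logging\HttpProxy\Owa'

# 1. Count recent proxy failures of the kind quoted in the question.
$hits = Get-ChildItem -Path $logDir -Filter '*.log' |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) } |
    Select-String -SimpleMatch 'NoAvailableDownLevelBackEndException'
"{0} log line(s) with NoAvailableDownLevelBackEndException in the last day" -f @($hits).Count

# 2. List the Exchange 2010 (version 14) mailbox servers and their activation policy.
#    The version filter mirrors the one used in the deployment-assistant command in the thread.
$downLevel = Get-ExchangeServer |
    Where-Object { $_.AdminDisplayVersion -like 'Version 14*' -and $_.ServerRole -like '*Mailbox*' } |
    ForEach-Object { Get-MailboxServer -Identity $_.Name } |
    Select-Object Name, DatabaseCopyAutoActivationPolicy

$downLevel | Format-Table -AutoSize

# 3. Flag any 2010 mailbox server whose policy is not Unrestricted
#    (the comment above reports the value Blocked as the cause of the OWA 500 error).
$flagged = $downLevel |
    Where-Object { "$($_.DatabaseCopyAutoActivationPolicy)" -ne 'Unrestricted' }

foreach ($server in $flagged) {
    Write-Warning ("{0}: DatabaseCopyAutoActivationPolicy is {1}" -f `
        $server.Name, $server.DatabaseCopyAutoActivationPolicy)
}

if (-not $flagged) {
    'All Exchange 2010 mailbox servers report Unrestricted.'
}
```
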
Pber, Solutions Architect

Commented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: Tim Lewis (https:#a42150112)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

Pber
Experts-Exchange Cleanup Volunteer