• Status: Solved
  • Priority: High
  • Security: Public

Exchange 2010 to Exchange 2016 migration

I have

Exchange 2010 SP3 on Windows 2008 R2 - 4 servers (2 CASHUB + 2 MBX).
Internal clients are using an NLB called excasarray.domain.com pointing to the DAG.
The domain has other internal DNS records referring to excasarray.domain.com.

We added Exchange 2016 servers (RYEX01 & RYEX02) to the existing organization and migrated a few pilot users for testing. The issue is purely for the internal Outlook users. After we migrate the users, they get a certificate prompt from the new Exchange server, which has only the Exchange server hostname and FQDN in its certificate. Hence it is throwing a certificate prompt for all users stating that the new certificate does not match the other SAN names. We have added new DNS A records for autodiscover and webmail.domain.com. For external users, OWA access has no issue, but for the Outlook users it is prompting about the certificate. What am I missing here? Here is the output from the virtual directories. We want a solution to avoid the certificate prompt for the users before we migrate the mailboxes. Also, we have the public certificate applied on the old server, and we exported the PFX file and imported it to the new server. Appreciate your help on the same.

[PS] C:\>Get-ActiveSyncVirtualDirectory -ADPropertiesOnly | fl Identity, *lurl*, *method*
Identity                      : RYCASHUB01\Microsoft-Server-ActiveSync (Default Web Site)
InternalUrl                   : https://rycashub01.domain.com/Microsoft-Server-ActiveSync
ExternalUrl                   : https://webmail.domain.com/Microsoft-Server-ActiveSync
InternalAuthenticationMethods : {}
ExternalAuthenticationMethods : {}

Identity                      : RYCASHUB02\Microsoft-Server-ActiveSync (Default Web Site)
InternalUrl                   : https://rycashub02.domain.com/Microsoft-Server-ActiveSync
ExternalUrl                   : https://webmail.domain.com/Microsoft-Server-ActiveSync
InternalAuthenticationMethods : {}
ExternalAuthenticationMethods : {}

Identity                      : RYEX02\Microsoft-Server-ActiveSync (Default Web Site)
InternalUrl                   : https://webmail.domain.com/Microsoft-Server-ActiveSync
ExternalUrl                   : https://webmail.domain.com/Microsoft-Server-ActiveSync
InternalAuthenticationMethods : {}
ExternalAuthenticationMethods : {}

Identity                      : RYEX01\Microsoft-Server-ActiveSync (Default Web Site)
InternalUrl                   : https://webmail.domain.com/Microsoft-Server-ActiveSync
ExternalUrl                   : https://webmail.domain.com/Microsoft-Server-ActiveSync
InternalAuthenticationMethods : {}
ExternalAuthenticationMethods : {}


[PS] C:\>Get-ECPVirtualDirectory -ADPropertiesOnly | fl Identity, *method*, *lurl*
Identity                      : RYCASHUB01\ecp (Default Web Site)
InternalAuthenticationMethods : {Basic, Fba, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Fba}
InternalUrl                   : https://rycashub01.domain.com/ecp
ExternalUrl                   : https://webmail.domain.com/ecp

Identity                      : RYCASHUB02\ecp (Default Web Site)
InternalAuthenticationMethods : {Basic, Fba, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Fba}
InternalUrl                   : https://rycashub02.domain.com/ecp
ExternalUrl                   : https://webmail.domain.com/ecp

Identity                      : RYEX02\ecp (Default Web Site)
InternalAuthenticationMethods : {Basic, Fba}
ExternalAuthenticationMethods : {Fba}
InternalUrl                   : https://webmail.domain.com/ecp
ExternalUrl                   : https://webmail.domain.com/ecp

Identity                      : RYEX01\ecp (Default Web Site)
InternalAuthenticationMethods : {Basic, Fba}
ExternalAuthenticationMethods : {Fba}
InternalUrl                   : https://webmail.domain.com/ecp
ExternalUrl                   : https://webmail.domain.com/ecp

[PS] C:\>
[PS] C:\>Get-OWAVirtualDirectory -ADPropertiesOnly | fl Identity, *method*, *lurl*
Identity                      : RYCASHUB01\owa (Default Web Site)
InternalAuthenticationMethods : {Basic, Fba, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Fba}
InternalUrl                   : https://rycashub01.domain.com/owa
ExternalUrl                   : https://webmail.domain.com/owa

Identity                      : RYCASHUB02\owa (Default Web Site)
InternalAuthenticationMethods : {Basic, Fba, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Fba}
InternalUrl                   : https://rycashub02.domain.com/owa
ExternalUrl                   : https://webmail.domain.com/owa

Identity                      : RYEX02\owa (Default Web Site)
InternalAuthenticationMethods : {Basic, Fba}
ExternalAuthenticationMethods : {Fba}
InternalUrl                   : https://webmail.domain.com/owa
ExternalUrl                   : https://webmail.domain.com/owa

Identity                      : RYEX01\owa (Default Web Site)
InternalAuthenticationMethods : {Basic, Fba}
ExternalAuthenticationMethods : {Fba}
InternalUrl                   : https://webmail.domain.com/owa
ExternalUrl                   : https://webmail.domain.com/owa

[PS] C:\>
[PS] C:\>Get-WebservicesvirtualDirectory -ADPropertiesOnly | fl Identity, *method*, *lurl*
Identity                      : RYCASHUB01\EWS (Default Web Site)
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
InternalUrl                   : https://rycasarray.domain.com/EWS/Exchange.asmx
ExternalUrl                   : https://webmail.domain.com/ews/exchange.asmx

Identity                      : RYCASHUB02\EWS (Default Web Site)
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
InternalUrl                   : https://rycasarray.domain.com/EWS/Exchange.asmx
ExternalUrl                   : https://webmail.domain.com/ews/exchange.asmx

Identity                      : RYEX02\EWS (Default Web Site)
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
InternalUrl                   : https://webmail.domain.com/EWS/Exchange.asmx
ExternalUrl                   : https://webmail.domain.com/EWS/Exchange.asmx

Identity                      : RYEX01\EWS (Default Web Site)
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
InternalUrl                   : https://webmail.domain.com/EWS/Exchange.asmx
ExternalUrl                   : https://webmail.domain.com/EWS/Exchange.asmx



[PS] C:\>
[PS] C:\>Get-OABvirtualDirectory -ADPropertiesOnly | fl Identity, *method*, *lurl*


Identity                      : RYCASHUB01\OAB (Default Web Site)
InternalAuthenticationMethods : {WindowsIntegrated}
ExternalAuthenticationMethods : {WindowsIntegrated}
InternalUrl                   : https://rycasarray.domain.com/OAB
ExternalUrl                   : https://webmail.domain.com/OAB

Identity                      : RYCASHUB02\OAB (Default Web Site)
InternalAuthenticationMethods : {WindowsIntegrated}
ExternalAuthenticationMethods : {WindowsIntegrated}
InternalUrl                   : https://rycasarray.domain.com/OAB
ExternalUrl                   : https://webmail.domain.com/OAB

Identity                      : RYEX02\OAB (Default Web Site)
InternalAuthenticationMethods : {WindowsIntegrated, OAuth}
ExternalAuthenticationMethods : {WindowsIntegrated, OAuth}
InternalUrl                   : https://webmail.domain.com/oab
ExternalUrl                   : https://webmail.domain.com/oab

Identity                      : RYEX01\OAB (Default Web Site)
InternalAuthenticationMethods : {WindowsIntegrated, OAuth}
ExternalAuthenticationMethods : {WindowsIntegrated, OAuth}
InternalUrl                   : https://webmail.domain.com/oab
ExternalUrl                   : https://webmail.domain.com/oab

[PS] C:\>
[PS] C:\>Get-ClientAccessServer | fl Name, *uri*
WARNING:  The Get-ClientAccessServer cmdlet will be removed in a future version of Exchange. Use the
Get-ClientAccessService cmdlet instead. If you have any scripts that use the Get-ClientAccessServer cmdlet, update them
 to use the Get-ClientAccessService cmdlet.  For more information, see http://go.microsoft.com/fwlink/p/?LinkId=254711.
Name                           : RYCASHUB01
AutoDiscoverServiceInternalUri : https://webmail.domain.com/autodiscover/autodiscover.xml

Name                           : RYCASHUB02
AutoDiscoverServiceInternalUri : https://rycasarray.domain.com/Autodiscover/Autodiscover.xml

Name                           : RYEX02
AutoDiscoverServiceInternalUri : https://autodiscover.domain.com/Autodiscover/Autodiscover.xml

Name                           : RYEX01
AutoDiscoverServiceInternalUri : https://autodiscover.domain.com/Autodiscover/Autodiscover.xml


[PS] C:\>Get-OutlookAnywhere -ADPropertiesOnly | fl Identity, *method*, *lurl*, *hostname*


Identity                           : RYCASHUB01\Rpc (Default Web Site)
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic}

Identity                           : RYCASHUB02\Rpc (Default Web Site)
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic}

Identity                           : RYEX02\Rpc (Default Web Site)
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}

Identity                           : RYEX01\Rpc (Default Web Site)
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}



[PS] C:\>
[PS] C:\>Get-MailboxServer | Get-MailboxDatabase | ft Name, *rpc* -AutoSize

Name                        RpcClientAccessServer
----                        ---------------------
Mailbox Database 0515681726 rycasarray.domain.com
DB02-VIPUsers               rycasarray.domain.com
Mailbox Database 1403761627 rycasarray.domain.com

[PS] C:\>
[PS] C:\>Get-ClientAccessArray | ft Name, fqdn, Members -AutoSize

Name       Fqdn                   Members
----       ----                   -------
rycasarray rycasarray.domain.com {RYCASHUB01, RYCASHUB02}


Asked by: Ganesh Kumar A (Sr Infrastructure Specialist)
 
Ronin commented:
If you could change the output of the commands to CODE, it would be easier to read, thanks.
0
 
Ronin commented:
Basically you need either:
1. Deploy a cert that includes autodiscover.domain.com on the Exchange 2016 servers and bind it to the default web site ONLY, don't touch the backend.
2. Change the ClientAccessServer to the FQDN for the cert that's installed on Exchange 2016.

Since all your connectivity should now go through Exchange 2016, the change perhaps should be the one that you would NOT have to re-do in the future. However it's not mandatory.
0
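A worked form of option 1 above, added here as an example and not taken from the thread or from Ronin: import the PFX that was exported from Exchange 2010 on an Exchange 2016 server, confirm its SAN list before binding, enable it for IIS only (which rebinds the Default Web Site on 443 and leaves the Exchange Back End site on 444 with its self-signed certificate), then read back what IIS presents. The UNC path, the password prompt and the list of required names are assumptions; the cmdlets are the standard Exchange Management Shell ones and must be run there.

```powershell
# Added example (not from the thread): import the PFX exported from Exchange 2010 on an
# Exchange 2016 server, check its SAN list, and bind it to the Default Web Site only.
# Run in the Exchange Management Shell. The UNC path, the password prompt and the list
# of required names are assumptions.

$server   = 'RYEX01'
$pfxPath  = '\\RYEX01\C$\certs\webmail.pfx'       # assumption: where the exported PFX was copied
$required = 'webmail.domain.com', 'autodiscover.domain.com'

# 1. Import the PFX with its private key and read the resulting certificate back from Exchange.
$password = Read-Host -AsSecureString -Prompt 'PFX password'
$imported = Import-ExchangeCertificate -Server $server -FileName $pfxPath -Password $password -PrivateKeyExportable $true
$cert     = Get-ExchangeCertificate -Server $server -Thumbprint $imported.Thumbprint

# 2. Refuse to bind a certificate that does not name every namespace clients will be handed
#    (exact names only; a *.domain.com wildcard would need a pattern match instead).
$sans    = $cert.CertificateDomains | ForEach-Object { "$_" }
$missing = $required | Where-Object { $sans -notcontains $_ }
if ($missing) { throw "Certificate $($cert.Thumbprint) does not cover: $($missing -join ', ')" }

# 3. Enable it for IIS. This rebinds the Default Web Site (0.0.0.0:443) and nothing else;
#    the Exchange Back End site on 444 keeps its self-signed certificate and must not be changed.
Enable-ExchangeCertificate -Server $server -Thumbprint $cert.Thumbprint -Services IIS

# 4. Confirm what the HTTP.SYS listener now presents on 443 (front end) and 444 (back end).
netsh http show sslcert | Select-String -Pattern 'IP:port', 'Certificate Hash'
```

Repeat the same steps on the second Exchange 2016 server; the final netsh listing should show the imported thumbprint on 0.0.0.0:443 and the unchanged self-signed thumbprint on 0.0.0.0:444.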
 
Ganesh Kumar A (Sr Infrastructure Specialist, author) commented:
I have a doubt on point 1. The public certificate is already done. Are you asking about a private certificate for Exchange 2016? If it is the public certificate, then it is already bound only to the default website. The 2nd point I do not understand. How do we avoid the certificate prompt for end users?

Are there any DNS settings I should do for the certificate error?
0
 
Marshal Hubs (Email Consultant) commented:
Stellar EDB to PST Converter allows users to migrate mailboxes from Exchange 2010 to Exchange 2016. Download the free demo version from the website: https://www.stellarinfo.com/email-repair/edb-pst-converter.php, select the EDB file and then select the Office 365 option for migrating mailboxes.
0
 
Sandeep Kumar (Associate Consultant) commented:
You can check Link 1, Link 2 or Link 3 for the Microsoft Exchange Server Deployment Assistant for the queries.

For an automated solution to migrate Exchange Server 2010 to Exchange 2016, you can use the Kernel Migrator for Exchange tool. It supports migration from Exchange to Exchange, Office 365, cross-forest, on-premises and hosted Exchange servers.
Visit https://www.nucleustechnologies.com/exchange-migration/ to know more about the software.
0
 
Ganesh Kumar A (Sr Infrastructure Specialist, author) commented:
I am not interested in third-party utilities, but this certificate error still pops up. Meanwhile we continued to migrate, and with no solution we are going to perform the cutoff from Exchange 2010 and then point Exchange 2016 directly to send mail through a smart host. The mailbox migration is not an issue; it works perfectly. I don't know how to get rid of the certificate issue.
0
 
Ronin commented:
Sorry, I was away.
In order to get rid of the certificate error you need to adjust the virtual directories on the servers to the correct FQDN.
In order to help you further, please post the following info (formatted as CODE). Run the following in the Exchange 2013 EMS:
Get-ExchangeServer | fl *version*
Get-OrganizationConfig | fl *mapi*
Get-MapiVirtualDirectory | fl server, Name,ExternalURL,InternalURL, *auth*
Get-ExchangeCertificate | fl FriendlyName, Subject, CertificateDomains, Thumbprint, Services, Issuer, *not*



Exchange 2010 EMS:
Get-OutlookProvider
Get-Command Exsetup.exe | ForEach-Object {$_.FileVersionInfo}
Get-ExchangeCertificate | fl FriendlyName, Subject, CertificateDomains, Thumbprint, Services, Issuer, *not*


0
 
Ganesh Kumar A (Sr Infrastructure Specialist, author) commented:
Here is the result attached
ex2013.txt
EX2010.txt
0
 
Ronin commented:
So, your Exchange 2010 is on Update Rollup 17 and your Exchange 2016 is on CU7; it's not critical, but you might want to update them to the latest versions:
https://technet.microsoft.com/en-us/library/hh135098(v=exchg.150).aspx

You should perform the following changes:
1. Create an INTERNAL AD-integrated DNS zone by the name of webmail.domain.com.ae, create two empty A records and specify the IP address of each of the Exchange 2016 servers.
2. Validate the webmail.domain.com.ae certificate (with thumbprint C4DF3AC5139E5F8406103E8BCF6F8E0795BB0391) installed on both Exchange 2016 servers and bind the certificate to the "Default Web Site" in IIS.
3. In Exchange 2016 ECP -> SERVERS -> CERTIFICATES, choose to use the above certificate for SMTP, IIS, IMAP and POP3.
4. Adjust the virtual directory names for the RYCASHUB01 and RYCASHUB02 servers according to the below:
Set-ActiveSyncVirtualDirectory -Identity "RYCASHUB01\Microsoft-Server-ActiveSync (default web site)" -ExternalURL https://webmail.domain.com.ae/Microsoft-Server-ActiveSync -InternalURL https://webmail.domain.com.ae/Microsoft-Server-ActiveSync
Set-ActiveSyncVirtualDirectory -Identity "RYCASHUB02\Microsoft-Server-ActiveSync (default web site)" -ExternalURL https://webmail.domain.com.ae/Microsoft-Server-ActiveSync -InternalURL https://webmail.domain.com.ae/Microsoft-Server-ActiveSync

Set-ECPVirtualDirectory -Identity "RYCASHUB01\ECP (default web site)" -ExternalURL https://webmail.domain.com.ae/ECP -InternalURL https://webmail.domain.com.ae/ECP
Set-ECPVirtualDirectory -Identity "RYCASHUB02\ECP (default web site)" -ExternalURL https://webmail.domain.com.ae/ECP -InternalURL https://webmail.domain.com.ae/ECP

Set-OWAVirtualDirectory -Identity "RYCASHUB01\OWA (default web site)" -ExternalURL https://webmail.domain.com.ae/OWA -InternalURL https://webmail.domain.com.ae/OWA
Set-OWAVirtualDirectory -Identity "RYCASHUB02\OWA (default web site)" -ExternalURL https://webmail.domain.com.ae/OWA -InternalURL https://webmail.domain.com.ae/OWA

Set-WebServicesVirtualDirectory -Identity "RYCASHUB01\EWS (default web site)" -ExternalUrl https://webmail.domain.com.ae/ews/exchange.asmx -InternalURL https://webmail.domain.com.ae/ews/exchange.asmx
Set-WebServicesVirtualDirectory -Identity "RYCASHUB02\EWS (default web site)" -ExternalUrl https://webmail.domain.com.ae/ews/exchange.asmx -InternalURL https://webmail.domain.com.ae/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "RYCASHUB01\OAB (default web site)" -ExternalURL https://webmail.domain.com.ae/OAB -InternalURL https://webmail.domain.com.ae/OAB
Set-OABVirtualDirectory -Identity "RYCASHUB02\OAB (default web site)" -ExternalURL https://webmail.domain.com.ae/OAB -InternalURL https://webmail.domain.com.ae/OAB

Set-ClientAccessServer -Identity RYCASHUB01 -AutoDiscoverServiceInternalUri https://webmail.domain.com.ae/Autodiscover/Autodiscover.xml
Set-ClientAccessServer -Identity RYCASHUB02 -AutoDiscoverServiceInternalUri https://webmail.domain.com.ae/Autodiscover/Autodiscover.xml

Set-OutlookAnywhere -Identity "RYCASHUB01\Rpc (Default Web Site)" -InternalHostname "webmail.domain.com.ae" -ExternalHostname "webmail.domain.com.ae" -ExternalClientsRequireSsl:$true -ExternalClientAuthenticationMethod Negotiate -InternalClientsRequireSsl:$true
Set-OutlookAnywhere -Identity "RYCASHUB02\Rpc (Default Web Site)" -InternalHostname "webmail.domain.com.ae" -ExternalHostname "webmail.domain.com.ae" -ExternalClientsRequireSsl:$true -ExternalClientAuthenticationMethod Negotiate -InternalClientsRequireSsl:$true



Restart IIS on both Exchange 2016 servers: iisreset /restart.

Also you need to make sure that clients that are connecting to Exchange 2016 are at least Outlook 2010 with SP2, ideally patched as much as possible.
1
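The check behind the answer above, added here as an example and not code from the thread or from Ronin: Outlook prompts when the hostname it was handed by Autodiscover or by a virtual directory URL is not in the SAN list of the certificate the answering IIS site presents, so the audit is to collect every such hostname and test it against the certificate's CertificateDomains. The Get-* cmdlets inside Get-ExchangeClientNamespaces are the ones whose output appears in the question and need the Exchange Management Shell; the sample run at the bottom uses hostnames constructed from that posted output and a hypothetical SAN list holding only the 2016 server's hostname and FQDN (the certificate attachments referred to in the thread are not on the page). The function names are mine.

```powershell
# Added example (not from the thread): audit whether a certificate's SAN list covers
# every hostname Exchange hands to clients. Function names are mine; sample data is constructed.

function Test-HostnameCovered {
    param([string]$Hostname, [string[]]$CertificateDomains)
    foreach ($d in $CertificateDomains) {
        if ($d -ieq $Hostname) { return $true }
        # A wildcard entry covers exactly one label: *.domain.com matches
        # webmail.domain.com but not a.b.domain.com or domain.com itself.
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)                       # ".domain.com"
            if ($Hostname.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $Hostname.Substring(0, $Hostname.Length - $suffix.Length)
                if ($label -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

function Get-ExchangeClientNamespaces {
    # Every name that Autodiscover, the virtual directories and Outlook Anywhere advertise.
    # Requires the Exchange Management Shell (the same cmdlets the question's output came from).
    $uris = @()
    foreach ($cmd in 'Get-ActiveSyncVirtualDirectory', 'Get-EcpVirtualDirectory', 'Get-OwaVirtualDirectory',
                     'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory', 'Get-MapiVirtualDirectory') {
        foreach ($vdir in (& $cmd -ADPropertiesOnly)) { $uris += $vdir.InternalUrl, $vdir.ExternalUrl }
    }
    foreach ($cas in Get-ClientAccessService) { $uris += $cas.AutoDiscoverServiceInternalUri }
    foreach ($oa in Get-OutlookAnywhere -ADPropertiesOnly) {
        foreach ($n in $oa.InternalHostname, $oa.ExternalHostname) { if ($n) { $uris += "https://$n/" } }
    }
    $uris | Where-Object { $_ } | ForEach-Object { ([Uri]"$_").Host } | Sort-Object -Unique
}

function Test-ExchangeCertificateCoverage {
    param([Parameter(Mandatory)][string[]]$Hostnames,
          [Parameter(Mandatory)][string[]]$CertificateDomains)
    foreach ($h in $Hostnames) {
        [pscustomobject]@{
            Hostname = $h
            Covered  = Test-HostnameCovered -Hostname $h -CertificateDomains $CertificateDomains
        }
    }
}

# Constructed sample: hostnames taken from the virtual directory output posted in the question,
# and a hypothetical certificate carrying only the Exchange 2016 server's hostname and FQDN.
$sampleHostnames = 'rycashub01.domain.com', 'rycashub02.domain.com', 'rycasarray.domain.com',
                   'webmail.domain.com', 'autodiscover.domain.com'
$sampleSans      = 'RYEX01', 'ryex01.domain.com'

Test-ExchangeCertificateCoverage -Hostnames $sampleHostnames -CertificateDomains $sampleSans |
    Format-Table -AutoSize
# Every row comes back Covered = False, which is the mismatch the pilot users are prompted about.
# A certificate listing webmail.domain.com and autodiscover.domain.com explicitly flips those two
# rows to True and leaves the three per-server/array names False until the 2010 URLs are moved to
# the shared namespace; a *.domain.com wildcard would cover all five.

# Live run inside EMS on an Exchange 2016 server: test the certificate actually bound to IIS.
# $iisCert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
# Test-ExchangeCertificateCoverage -Hostnames (Get-ExchangeClientNamespaces) `
#     -CertificateDomains ($iisCert.CertificateDomains | ForEach-Object { "$_" })
```

Run the live form before and after the Set-*VirtualDirectory changes: any row that is still False after the change names a URL that some client will be handed and that the bound certificate cannot satisfy, so the prompt will persist for users routed to it.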
 
Ganesh Kumar A (Sr Infrastructure Specialist, author) commented:
I did not try the said step since the mailbox migration completed and there is nothing left over on the old server. We did the post-implementation work, discarded the old server and pointed everything to the new server. Now there is no issue with Outlook. Thanks for your help!
0
 
Ganesh Kumar A (Sr Infrastructure Specialist, author) commented:
Cancelling the close request as the last solution seems better, so full points only to Ronin.
0
 
Ganesh Kumar A (Sr Infrastructure Specialist, author) commented:
Thanks for your help!
0
 
Ronin commented:
Thank you. Glad I was able to help.
0