Ganesh Anand
asked on
Exchange 2010 to Exchange 2016 migration
I have
Exchange 2010 SP3 on Windows 2008r2 - 4 servers (2 CASHUB + 2 MBX).
Internal clients are using NLB called excasarray.domain.com pointing to DAG
Domain name has other DNS records internally referring to the excasarray.domain.com.
We added Exchange 2016 servers (RYEX01 & RYEX02) to the existing organization and migrated a few pilot users for testing. The issue is purely for the internal Outlook users. After we migrate, the users are getting a certificate prompt for the new Exchange server, which has only the Exchange server hostname and FQDN in the certificate. Hence it is throwing a certificate prompt for all users stating the new certificate does not match the other SAN names. We have added new DNS A records for autodiscover and webmail.domain.com. For external users, accessing OWA has no issue. But for the Outlook users it is prompting for a certificate. What am I missing here? Here is the output from the virtual directories. We want a solution to avoid the certificate prompt for the users before we migrate the mailboxes. Also, we have a public certificate applied on the old server, and we exported the pfx file and imported it to the new server. Appreciate your help on the same.
[PS] C:\>Get-ActiveSyncVirtualDirectory -ADPropertiesOnly | fl Identity, *lurl*, *method*
Identity : RYCASHUB01\Microsoft-Server-ActiveSync (Default Web Site)
InternalUrl : https://rycashub01.domain.com/Microsoft-Server-ActiveSync
ExternalUrl : https://webmail.domain.com/Microsoft-Server-ActiveSync
InternalAuthenticationMethods : {}
ExternalAuthenticationMethods : {}
Identity : RYCASHUB02\Microsoft-Server-ActiveSync (Default Web Site)
InternalUrl : https://rycashub02.domain.com/Microsoft-Server-ActiveSync
ExternalUrl : https://webmail.domain.com/Microsoft-Server-ActiveSync
InternalAuthenticationMethods : {}
ExternalAuthenticationMethods : {}
Identity : RYEX02\Microsoft-Server-ActiveSync (Default Web Site)
InternalUrl : https://webmail.domain.com/Microsoft-Server-ActiveSync
ExternalUrl : https://webmail.domain.com/Microsoft-Server-ActiveSync
InternalAuthenticationMethods : {}
ExternalAuthenticationMethods : {}
Identity : RYEX01\Microsoft-Server-ActiveSync (Default Web Site)
InternalUrl : https://webmail.domain.com/Microsoft-Server-ActiveSync
ExternalUrl : https://webmail.domain.com/Microsoft-Server-ActiveSync
InternalAuthenticationMethods : {}
ExternalAuthenticationMethods : {}
[PS] C:\>Get-ECPVirtualDirectory -ADPropertiesOnly | fl Identity, *method*, *lurl*
Identity : RYCASHUB01\ecp (Default Web Site)
InternalAuthenticationMethods : {Basic, Fba, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Fba}
InternalUrl : https://rycashub01.domain.com/ecp
ExternalUrl : https://webmail.domain.com/ecp
Identity : RYCASHUB02\ecp (Default Web Site)
InternalAuthenticationMethods : {Basic, Fba, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Fba}
InternalUrl : https://rycashub02.domain.com/ecp
ExternalUrl : https://webmail.domain.com/ecp
Identity : RYEX02\ecp (Default Web Site)
InternalAuthenticationMethods : {Basic, Fba}
ExternalAuthenticationMethods : {Fba}
InternalUrl : https://webmail.domain.com/ecp
ExternalUrl : https://webmail.domain.com/ecp
Identity : RYEX01\ecp (Default Web Site)
InternalAuthenticationMethods : {Basic, Fba}
ExternalAuthenticationMethods : {Fba}
InternalUrl : https://webmail.domain.com/ecp
ExternalUrl : https://webmail.domain.com/ecp
[PS] C:\>
[PS] C:\>Get-OWAVirtualDirectory -ADPropertiesOnly | fl Identity, *method*, *lurl*
Identity : RYCASHUB01\owa (Default Web Site)
InternalAuthenticationMethods : {Basic, Fba, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Fba}
InternalUrl : https://rycashub01.domain.com/owa
ExternalUrl : https://webmail.domain.com/owa
Identity : RYCASHUB02\owa (Default Web Site)
InternalAuthenticationMethods : {Basic, Fba, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Fba}
InternalUrl : https://rycashub02.domain.com/owa
ExternalUrl : https://webmail.domain.com/owa
Identity : RYEX02\owa (Default Web Site)
InternalAuthenticationMethods : {Basic, Fba}
ExternalAuthenticationMethods : {Fba}
InternalUrl : https://webmail.domain.com/owa
ExternalUrl : https://webmail.domain.com/owa
Identity : RYEX01\owa (Default Web Site)
InternalAuthenticationMethods : {Basic, Fba}
ExternalAuthenticationMethods : {Fba}
InternalUrl : https://webmail.domain.com/owa
ExternalUrl : https://webmail.domain.com/owa
[PS] C:\>
[PS] C:\>Get-WebservicesvirtualDirectory -ADPropertiesOnly | fl Identity, *method*, *lurl*
Identity : RYCASHUB01\EWS (Default Web Site)
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
InternalUrl : https://rycasarray.domain.com/EWS/Exchange.asmx
ExternalUrl : https://webmail.domain.com/ews/exchange.asmx
Identity : RYCASHUB02\EWS (Default Web Site)
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
InternalUrl : https://rycasarray.domain.com/EWS/Exchange.asmx
ExternalUrl : https://webmail.domain.com/ews/exchange.asmx
Identity : RYEX02\EWS (Default Web Site)
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
InternalUrl : https://webmail.domain.com/EWS/Exchange.asmx
ExternalUrl : https://webmail.domain.com/EWS/Exchange.asmx
Identity : RYEX01\EWS (Default Web Site)
InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity, OAuth}
InternalUrl : https://webmail.domain.com/EWS/Exchange.asmx
ExternalUrl : https://webmail.domain.com/EWS/Exchange.asmx
[PS] C:\>
[PS] C:\>Get-OABvirtualDirectory -ADPropertiesOnly | fl Identity, *method*, *lurl*
Identity : RYCASHUB01\OAB (Default Web Site)
InternalAuthenticationMethods : {WindowsIntegrated}
ExternalAuthenticationMethods : {WindowsIntegrated}
InternalUrl : https://rycasarray.domain.com/OAB
ExternalUrl : https://webmail.domain.com/OAB
Identity : RYCASHUB02\OAB (Default Web Site)
InternalAuthenticationMethods : {WindowsIntegrated}
ExternalAuthenticationMethods : {WindowsIntegrated}
InternalUrl : https://rycasarray.domain.com/OAB
ExternalUrl : https://webmail.domain.com/OAB
Identity : RYEX02\OAB (Default Web Site)
InternalAuthenticationMethods : {WindowsIntegrated, OAuth}
ExternalAuthenticationMethods : {WindowsIntegrated, OAuth}
InternalUrl : https://webmail.domain.com/oab
ExternalUrl : https://webmail.domain.com/oab
Identity : RYEX01\OAB (Default Web Site)
InternalAuthenticationMethods : {WindowsIntegrated, OAuth}
ExternalAuthenticationMethods : {WindowsIntegrated, OAuth}
InternalUrl : https://webmail.domain.com/oab
ExternalUrl : https://webmail.domain.com/oab
[PS] C:\>
[PS] C:\>Get-ClientAccessServer | fl Name, *uri*
WARNING: The Get-ClientAccessServer cmdlet will be removed in a future version of Exchange. Use the
Get-ClientAccessService cmdlet instead. If you have any scripts that use the Get-ClientAccessServer cmdlet, update them
to use the Get-ClientAccessService cmdlet. For more information, see http://go.microsoft.com/fwlink/p/?LinkId=254711.
Name : RYCASHUB01
AutoDiscoverServiceInternalUri : https://webmail.domain.com/autodiscover/autodiscover.xml
Name : RYCASHUB02
AutoDiscoverServiceInternalUri : https://rycasarray.domain.com/Autodiscover/Autodiscover.xml
Name : RYEX02
AutoDiscoverServiceInternalUri : https://autodiscover.domain.com/Autodiscover/Autodiscover.xml
Name : RYEX01
AutoDiscoverServiceInternalUri : https://autodiscover.domain.com/Autodiscover/Autodiscover.xml
[PS] C:\>Get-OutlookAnywhere -ADPropertiesOnly | fl Identity, *method*, *lurl*, *hostname*
Identity : RYCASHUB01\Rpc (Default Web Site)
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic}
Identity : RYCASHUB02\Rpc (Default Web Site)
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic}
Identity : RYEX02\Rpc (Default Web Site)
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
Identity : RYEX01\Rpc (Default Web Site)
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
[PS] C:\>
[PS] C:\>Get-MailboxServer | Get-MailboxDatabase | ft Name, *rpc* -AutoSize
Name                        RpcClientAccessServer
----                        ---------------------
Mailbox Database 0515681726 rycasarray.domain.com
DB02-VIPUsers               rycasarray.domain.com
Mailbox Database 1403761627 rycasarray.domain.com
[PS] C:\>
[PS] C:\>Get-ClientAccessArray | ft Name, fqdn, Members -AutoSize
Name       Fqdn                  Members
----       ----                  -------
rycasarray rycasarray.domain.com {RYCASHUB01, RYCASHUB02}
If you could change the output of the commands to CODE, it would be easier to read, thanks.
Basically you need either:
1. Deploy a cert that includes autodiscover.domain.com on the Exchange 2016 servers and bind it to the default web site ONLY, don't touch the backend.
2. Change the ClientAccessServer to the FQDN for the cert that's installed on Exchange 2016.
Since all your connectivity should now go through Exchange 2016, the change perhaps should be the one that you would NOT have to re-do in the future. However it's not mandatory.
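The check behind both options in the answer above, as an added example (not part of the original thread and not the answerer's own code): it lists every host name the Exchange 2016 servers publish to clients and reports which of them each IIS-enabled certificate does not cover. The server names come from the question; the helper function names are hypothetical, and the script assumes those host names resolve to the 2016 servers.

```powershell
# Added example; run in the Exchange Management Shell on an Exchange 2016 server.
$servers = 'RYEX01', 'RYEX02'            # the 2016 servers named in the question

function Get-PublishedHostName {         # hypothetical helper name
    param([string]$Server)
    # Internal and external URLs of the HTTPS virtual directories.
    $vdirs = @(
        Get-OwaVirtualDirectory         -Server $Server -ADPropertiesOnly
        Get-EcpVirtualDirectory         -Server $Server -ADPropertiesOnly
        Get-WebServicesVirtualDirectory -Server $Server -ADPropertiesOnly
        Get-OabVirtualDirectory         -Server $Server -ADPropertiesOnly
        Get-ActiveSyncVirtualDirectory  -Server $Server -ADPropertiesOnly
        Get-MapiVirtualDirectory        -Server $Server -ADPropertiesOnly
    )
    $urls = @($vdirs | ForEach-Object { $_.InternalUrl; $_.ExternalUrl })
    # Autodiscover SCP URI that domain-joined Outlook reads from Active Directory.
    $urls += (Get-ClientAccessService -Identity $Server).AutoDiscoverServiceInternalUri
    $names = @($urls | Where-Object { $_ } | ForEach-Object { ([uri]"$_").Host })
    # Outlook Anywhere publishes bare host names rather than URLs.
    $oa = Get-OutlookAnywhere -Server $Server -ADPropertiesOnly
    $names += @($oa.InternalHostname, $oa.ExternalHostname)
    $names | Where-Object { $_ } | ForEach-Object { "$_".ToLower() } | Sort-Object -Unique
}

function Test-CoveredBySan {             # hypothetical helper name
    param([string]$Name, [string[]]$San)
    foreach ($s in $San) {
        if ($s -eq $Name) { return $true }
        # A wildcard SAN covers exactly one left-most label.
        if ($s.StartsWith('*.') -and $Name.Contains('.') -and
            $Name.Substring($Name.IndexOf('.')) -eq $s.Substring(1)) { return $true }
    }
    return $false
}

foreach ($server in $servers) {
    $names = @(Get-PublishedHostName -Server $server)
    # Several certificates can have the IIS service; the one bound to the
    # Default Web Site on port 443 is the one Outlook is shown.
    $certs = @(Get-ExchangeCertificate -Server $server | Where-Object { "$($_.Services)" -match 'IIS' })
    foreach ($cert in $certs) {
        $san = @($cert.CertificateDomains | ForEach-Object { "$_" })
        $missing = @($names | Where-Object { -not (Test-CoveredBySan -Name $_ -San $san) })
        [pscustomobject]@{
            Server       = $server
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            MissingNames = $missing -join ', '
        }
    }
}
```

Any name under MissingNames for the certificate bound to the Default Web Site is a candidate for the name-mismatch prompt: either it goes on the certificate, or the published name is changed to one the certificate carries (for the SCP, with `Set-ClientAccessService -AutoDiscoverServiceInternalUri`).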
ASKER
I have a doubt on point 1. The public certificate is already done. Are you asking about a private certificate for Exchange 2016? If it is the public certificate, then it is already bound only to the default website. The 2nd point I do not understand. How to avoid the certificate prompt for end users?
Any DNS settings I should do for the certificate error?
Stellar EDB to PST Converter allows users to migrate mailboxes from Exchange 2010 to Exchange 2016. Download the free demo version from the website: https://www.stellarinfo.com/email-repair/edb-pst-converter.php and select the EDB file, then select the Office 365 option for migrating mailboxes.
You can check Link 1, Link 2 or Link 3 for Microsoft Exchange Server Deployment Assistant for the queries.
For an automated solution to migrate Exchange Server 2010 to Exchange 2016, you can use the Kernel Migrator for Exchange tool. It supports migration from Exchange to Exchange, Office 365, cross-forest, on-premises and hosted Exchange servers.
Visit https://www.nucleustechnologies.com/exchange-migration/ to know more about the software.
ASKER
I am not interested in 3rd party utils, but this certificate error still pops up. Meanwhile we continued to migrate, and with no solution we are going to perform the cutoff from Exchange 2010 and then point Exchange 2016 directly to send and mail through smart host. The mailbox migration is not an issue, it works perfectly. I don't know how to get rid of the certificate issue.
ASKER
I did not try the said step since the mailbox migration completed and there is nothing left over on the old server. We did post-implementation, discarded the old server and pointed everything to the new server. Now there is no issue with Outlook. Thanks for your help!
ASKER
Cancelling the close request as the last solution seems better, so full points only to Ronin
ASKER
Thanks for your help!
Thank you. Glad I was able to help.