svillardi asked:
Migrate mobile users from SBS2003 to new Exchange 2010 server automatically

I am migrating from Exchange 2003 to Exchange 2010.  Outlook clients are automatically picking up the new server.  How do I get my mobile ActiveSync accounts to do the same without having to reconfigure everyone's phone?  The Exchange 2010 server is NATted behind a firewall with one public address.
Michael B. Smith:
Update the activesync NAT and DNS.
svillardi (asker):
This doesn't seem to be a choice because I have mailboxes on both servers still.  I'm trying to proxy from 2010 to 2003 for mailboxes on 2003.   I'm seeing something about Set-OWAVirtualDirectory but I want to see this in the ESM.  I can't find it yet.
Even Exchange 2010 is ancient. I don't have an Exchange 2010 test lab. But it should be under Server -> Virtual Directories.
Yes, I know it's ancient.  I need it as a stepping stone.  I haven't done this before and it's very challenging.

I found something here:  https://practical365.com/exchange-server/exchange-2003-2010-coexistence/

And I ran this command (with my server info):  Set-OwaVirtualDirectory -Identity "esp-ho-ex2010a\owa (Default Web Site)" -Exchange2003Url https://legacy.exchangeserverpro.net/exchange

but external users don't get to the 2003 server.
Did you update the IIS settings on the 2003 server for NTLM?
It took me a while to find the KB download as the original web page was gone.  So I finally installed it last night and changed the permissions, and it still didn't work.
You may follow the article below for more help with the Exchange 2003 to Exchange 2010 ActiveSync issue.

https://blogs.technet.microsoft.com/exchange/2009/12/08/upgrading-exchange-activesync-to-exchange-2010/
Saif,  I have been following the first link, but the second is of no help as activesync is working fine on the Small Business Server 2003 when I forward https to it.  But when I forward https to the new 2010 server, user mailboxes on the 2003 server cannot get to their email.
ASKER CERTIFIED SOLUTION by Saif Shaikh (solution text only available to Experts Exchange members)
I did this.  To no avail.  :(
How many users do you have in Exchange 2003?
It's a Small Business Server 2003.  It's about 75, with an average of about 600 MB per user.
Check the IIS logs and see what error you get.
The IIS log on the 2010 server shows whether the redirected ActiveSync requests fail or succeed.
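One way to do that check, as an added example that is not from this thread: a small Python parser for IIS W3C extended logs that summarises ActiveSync outcomes per user and device type and lists the non-2xx requests. The sample lines are constructed, and the field layout and URL paths are assumptions based on a default Exchange 2010 Client Access server.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

# Constructed sample (not a real capture) in the W3C extended format that
# IIS on an Exchange 2010 CAS writes under C:\inetpub\logs\LogFiles\W3SVC1\.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2019-05-01 12:00:01 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=DEV1&DeviceType=iPhone&Cmd=Sync 443 DOMAIN\jdoe 203.0.113.7 Apple-iPhone 200 0 0
2019-05-01 12:00:05 10.0.0.5 POST /Microsoft-Server-ActiveSync User=asmith&DeviceId=DEV2&DeviceType=iPhone&Cmd=Sync 443 - 203.0.113.9 Apple-iPhone 401 1 0
2019-05-01 12:00:09 10.0.0.5 POST /Microsoft-Server-ActiveSync User=asmith&DeviceId=DEV3&DeviceType=Android&Cmd=Sync 443 DOMAIN\asmith 203.0.113.9 Android 200 0 0
2019-05-01 12:01:00 10.0.0.5 GET /exchweb/bin/auth/owaauth.dll - 443 - 203.0.113.7 Mozilla 404 0 2
"""

def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout is declared per log file
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")          # W3C values never contain spaces
        if len(values) != len(fields):
            continue                      # truncated or foreign line; skip it
        records.append(dict(zip(fields, values)))
    return records

def summarize_activesync(records: List[Dict[str, str]]) -> Dict[Tuple[str, str], Counter]:
    """Count status.substatus per (User, DeviceType) for ActiveSync requests."""
    summary: Dict[Tuple[str, str], Counter] = defaultdict(Counter)
    for r in records:
        if r["cs-uri-stem"].lower() != "/microsoft-server-activesync":
            continue
        q = parse_qs(r["cs-uri-query"])   # User, DeviceId, DeviceType, Cmd
        key = (q.get("User", ["?"])[0], q.get("DeviceType", ["?"])[0])
        summary[key][f"{r['sc-status']}.{r['sc-substatus']}"] += 1
    return dict(summary)

def failures(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Non-2xx requests, e.g. 401 for a proxied 2003 mailbox that could not
    authenticate, or 404 for an /exchweb path the 2010 CAS does not have."""
    return [r for r in records if not r["sc-status"].startswith("2")]

if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for key, counts in summarize_activesync(recs).items():
        print(key, dict(counts))
    for r in failures(recs):
        print(r["c-ip"], r["cs-uri-stem"], r["sc-status"], r["sc-substatus"])
```

Point it at a real log file with `parse_w3c(open(path).read())`; a user whose iPhone shows only 401.x entries while another device type shows 200 narrows the problem to authentication for that device.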
SOLUTION (only available to Experts Exchange members)
My cert does not have legacy.contoso.com.  I have used sbs2003.domainname.com so I added that to mail.domainname.com for the cert.  I applied the cert to the sbs2003 server a couple days ago (old cert had expired).

In this situation, I do not understand how I can add legacy.domainname.com, when sbs2003.domainname.com is already there.
Something is weird with my IIS logs...  I only have 6 under Event Viewer > Custom Views > Server Roles > Web Server (IIS).  None of the logs are recent.  Am I looking in the correct place?
It's under C:\inetpub folder on the exchange 2010 server.
Can you paste the certificate URLs in here?
My SAN=
DNS Name=mail.domainname.com
DNS Name=outlook.domainname.com
DNS Name=autodiscover.domainname.com
DNS Name=sbs2003.domainname.com

CN=mail.domainname.com

I'm still looking at the logs.  I am going to rename today's, change the https in the firewall to point back to Exch2010 and test again to see what the logs say.
Do you have a legacy host record (sbs2003.domainname.com) in your external DNS infrastructure, associated with the public IP of the E2k3 server infrastructure?

Make sure you run the command below on the 2010 server.

For environments without Exchange 2003: Set-OWAVirtualDirectory \OWA* -ExternalURL https://mail.contoso.com/OWA
For environments with Exchange 2003 mailbox servers: Set-OWAVirtualDirectory \OWA* -ExternalURL https://mail.contoso.com/OWA -Exchange2003URL https://legacy.contoso.com/exchange
So basically if utilizing a reverse proxy infrastructure, you will publish the legacy namespace to the E2003 infrastructure so that at this point the E2003 infrastructure can be accessed either via mail.contoso.com or legacy.contoso.com (sbs2003.domainname.com) namespaces.
Saif, first I appreciate all of your help!  Wanted to say that...

I only have one IP address.  So MX records are set up for sbs2003.domainname.com and mail.domainname.com.

For environments with Exchange 2003 mailbox servers: Set-OWAVirtualDirectory \OWA* -ExternalURL https://mail.contoso.com/OWA -Exchange2003URL https://legacy.contoso.com/exchange

I attempted to do this, but do not know how to tell if it's right.  Here's what I used:
CONFIGURING THE OWA VIRTUAL DIRECTORY FOR LEGACY REDIRECTION
The OWA Virtual Directory on the internet-facing Client Access server must be configured with the legacy URL to redirect users to.
Open the Exchange Management Shell and run the Set-OWAVirtualDirectory cmdlet with the following parameters:
• -Identity is the name of the OWA Virtual Directory being modified
• -Exchange2003URL is the legacy URL to redirect Exchange 2003 mailbox users to
Set-OwaVirtualDirectory -Identity "esp-ho-ex2010a\owa (Default Web Site)"
-Exchange2003Url https://legacy.exchangeserverpro.net/exchange
How can I see if that worked?
If the command has succeeded, then try to open OWA with either mail.contoso.com or legacy.contoso.com.

This is the only test for the command which we executed; I mean OWA can be accessed by both URLs.
Ok, some interesting stuff now:

Without VPN, when I tried to get to https://sbs2003.domainname.com/exchange I'm getting the following error:
404 - File or directory not found.
The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.

Without VPN, when I tried to get to https://mail.domainname.com/owa I got rerouted to https://sbs2003.domainname.com/exchange with the same 404 error.

However, if I do VPN in, and go to https://sbs2003.domainname.com/exchange, I get into the mailbox.  And if I try mail.domainname.com/owa, I do get forwarded to the mailbox.
Could this have something to do with my NAT?  The NAT can only go to one server (mail or sbs2003).

If the NAT is set to go to the https://mail.domainname.com/owa a user on that server can get to it.
If the NAT is set to go to the https://sbs2003.domainname.com/exchange a user on that server can get to it.

Some other thoughts:
MX records are set equally at 10 for mail., sbs2003., etc.
We have a smart host set up because we are using barracuda spam filtering.  Also, all the major roles are installed on Exch 2010 -- hub, transport, CAS.  Does this help in any way?
I found something else.  If I turn off Forms Based Authentication on the SBS2003 Exchange Virtual Server, it WORKS!

I honestly do not understand if this is a good idea or not, as there is a security issue I read about.
Exchange 2003 has a snazzy new feature called Forms-based Authentication, which I'll refer to as FBA. FBA is the new logon security feature for Outlook Web Access (OWA) which is disabled by default in Exchange 2003.

Reference Article: https://hellomate.typepad.com/exchange/2003/11/formsbased_auth.html
I turned it off.  Users can now get to email on the SBS2003 server even though NAT is pointing to Exchange 2010 server.  So pass through is working now.

I do have one user, who I migrated yesterday, who cannot get to their ActiveSync email now on the 2010 server.  Is it possible that the mailbox came over but the ActiveSync didn't migrate?  The user could not connect/authenticate prior to the FBA feature being turned off.  But now they can -- but there's no mail there.  I think their device is expecting mail on the SBS2003 server.
SOLUTION (only available to Experts Exchange members)
SOLUTION (only available to Experts Exchange members)
For which piece to work, Michael?  Please be specific.  If I knew how all this stuff worked, I wouldn't be asking.  

Your NTLM response really didn't tell me anything I could use.  It didn't say anything about which server, where the settings were, what to check etc.
Well, my information was wrong.  I think I had the NAT pointed to the old SBS2003 server when I did the tests.

To review:
With the NAT set to forward https/http to the 2010 server:  mail.domainname.com

With VPN:
For a migrated user I can access https://mail.domainname.com/owa, log in and it works
For a non-migrated user I can access https://sbs2003.domainname.com/exchange and it works.
For a non-migrated user I CANNOT access https://mail.domainname.com/owa as I get a response from https://sbs2003.domainname.com/exchweb/bin/auth/owaauth.dll, an HTTP500 server error.
For a non-migrated user I CANNOT access https://sbs2003.domainname.com/exchange directly.  I get an error https://sbs2003.domainname.com/exchweb/bin/auth/owaauth.dll, however if I use the https://sbs2003.domain.local/exchange it allows me to log in.


Without VPN:
For a migrated user I can access https://mail.domainname.com/owa, log in and it works
For a non-migrated user when I access https://mail.domainname.com/owa and try to log in, it forwards to https://sbs2003.domainname.com/exchweb/bin/auth/owaauth.dll, but this time the error is 404 - File or directory not found.
For a non-migrated user when I access https://sbs2003.domainname.com/exchange I get the same 404 - File or directory not found.
I am going to be surprised if you can access both the old and new server externally at the same time with just 1 IP address. The reason being is that they will both need access to the same port. I suggest contacting ISP to get more IP addresses (even temporarily, though it may require more/different equipment), or just cut over everything on a weekend, or build a reverse proxy server. A reverse proxy server is a web server that is specially configured to look at the URLs being accessed, and then forward the requests to the correct internal server.
https://docs.microsoft.com/en-us/iis/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing
A reverse proxy with SNI support would work for OWA, but outlook and activesync clients are a different issue.

However I would question if you're trying to solve the wrong problem.

I would suggest keeping the existing 2k3 server on the public address with the normal ports, and configuring NAT rules to the 2k10 server on different ports. Then, with a test mailbox, test that you can migrate and access OWA and public folders etc., that free/busy works, and the rest of normal operation; you can also test Outlook by specifying the port to use when connecting.

Then, when you are happy that everything is working correctly, set a maintenance window when everyone's mailbox will be migrated.

Even if the SBS server is on 100Mb Ethernet, you should be able to run the migration at >10GB per hour, so 45 GB (75 mailboxes at ~600MB each) should take less than 4 1/2 hours.

If you haven't done a 2k3 to 2k10 migration before, it might be helpful to spin up a backup of the SBS server in a different network (with no way of connecting to the live network) and practice the migration in a functionally offline environment.
Thank you for these comments @ArneLovius @kevinhsieh.  I have not been able to get back to this yet, so everything is status quo.

What I've been doing to test is to change the NAT rules on my ASA5510 to forward http/https to either server as needed for testing.  So far I've created a new user on the Exch2010 server, and they can get to their mobile email.

However, a migrated user from SBS2003 to Exch2010 can get their email on their local computer, but I'm getting "Unable to verify account information" when I try their account on my phone.  Even using the Administrator credentials does not work.  How do I troubleshoot this?
Also, https://testconnectivity.microsoft.com passed although there were a couple of warnings.
Yesterday, on a whim, I borrowed an Android phone and my user connected with no issue.  The problem is the iphone.  I verified this with the user -- he has an iPhone as well.

Any thoughts why an iPhone couldn't connect but an Android can?