Exchange Upgrade (2007 to 2013 to 2106)

Can I install Exchange 2013 in a Exchange 2007 SP3 (2008 DFL/FFL) environment, if I set the virtual directories properly?  I'd like that to be the first step and then install Exchange 2013 and configure mail to flow through there the next day.  I understand the DNS and Cert (legacy, mail, autodiscover) requirements.  Plan is to set the DNS up, all pointing to 07, then the next day install and setup 13.  Then setup the virtual directories and DNS to allow for 13 to proxy to 07.  Would that work out smoothly with no impact to my users (local/remote)?
ZeeIT ManagerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Adam BrownSenior Systems AdminCommented:
2013 can proxy to Exchange 2010 and 2013. 2007 requires redirect, and it will (by default) use legacy.domain.com as the CAS redirect address. You will need to have two public IPs assigned, one to 2007 and one to 2013. an A record for legacy.domain.com will be set to go to the 2007 server, autodiscover.domain.com and mail.domain.com will need to point to 2013. MX will point to 2013. You will need to recreate your SSL certificate to include legacy.domain.com as well as the usual DNS names you have already, unless you have a wildcard certificate. The redirect happens automatically, so users on 2007 will get redirected to legacy.domain.com without issues if they connect to the 2013 server's autodiscover/owa address (you will need to make sure the VDirs are set properly, the 2007 VDirs need to be reconfigured with the legacy.domain.com address).
ZeeIT ManagerAuthor Commented:
I understand that.  I wanted to do the DNS, Virtual Directories, and Cert before installing Exchange 2013.  Sorry if I wasn't clear.  I have to work on this overnight and already have public/private DNS (legacy, mail) all set except for autodiscover.  Adding autodiscover to public DNS causes problems unless you have that in the cert, which made sense after the fact, lol.  I wanted to get everything setup related to DNS before hand, but pointed to 07.  I'm asking if doing this will do anything to affect my users.  Can I setup what I specified and stay on my 07 server without any problems?  I also have the 2 IPs ready in public DNS.  I'm trying to do this in a way where no one knows it's happening.  I know, projects like this are planned, and should be known by staff.  I had a problem a few months ago that took more hours than I want to remember to recover from.  That was something done with notice...  This, I've read almost everything there is about and am ready to proceed, just trying to break the work up.
Adam BrownSenior Systems AdminCommented:
I'm asking if doing this will do anything to affect my users.

It shouldn't (In theory...reality often differs).

Can I setup what I specified and stay on my 07 server without any problems?

You can install server 2013 and continue pointing to 2007 for all Client access functions without any issues at all, as long as you make sure the Autodiscover SCP is set properly on the new server (Users will get certificate errors if you don't, since CAS selection is random for Exchange servers in the same AD Site).
Your Guide to Achieving IT Business Success

The IT Service Excellence Tool Kit has best practices to keep your clients happy and business booming. Inside, you’ll find everything you need to increase client satisfaction and retention, become more competitive, and increase your overall success.

ZeeIT ManagerAuthor Commented:
I have completed the steps below and would like to know if I missed anything.  I'd like to install Exchange 2013 without affecting mail flow and then flip the switch to proxy through 2013 when I am ready.  Can someone please confirm I am good to go?  Also, is it a problem that I didn't have a ecp or powershell virtual directory?

Exchange 2013 prerequisites all installed on SERVERMAIL13

New certificate installed and active
 -Question around this, I have the 3rd party cert set for IIS,IMAP,POP, and SMTP
 -I have to recreate my self-signed cert because it expired so will do that and assign to SMTP
 -Where does UM go?  Right now I have 39 goofy self-signed certs on the Exchange 07 server all just assigned to UM...  Is that right?  Can I remove all and just use one self (SMTP,UM) and one 3rd party (IIS,IMAP,POP,SMTP)?  Would that be the correct setup?

Virtual Directories listed below have been changed

Internal & External DNS added for autodiscover and legacy

Mail flows and all names resolve (internal & external) to SERVERMAIL (mail, legacy, autodiscover)

Done
Set-OutlookAnywhere -Identity "SERVERMAIL\RPC (Default Web Site)" -IISAuthenticationMethods Basic,NTLM

Done
Set-ClientAccessServer -Identity SERVERMAIL -AutoDiscoverServiceInternalURI https://autodiscover.SERVERDOMAIN.org/autodiscover/autodiscover.xml

Done
Set-ActiveSyncVirtualDirectory -Identity "Microsoft-Server-ActiveSync (Default Web Site)" -InternalURL https://mail.SERVERDOMAIN.org/Microsoft-Server-ActiveSync -ExternalURL $null

Done
Set-AutodiscoverVirtualDirectory -Identity "Autodiscover (Default Web Site)" -InternalURL https://mail.SERVERDOMAIN.org/W3SVC/1/ROOT/Autodiscover -ExternalURL https://mail.SERVERDOMAIN.org/W3SVC/1/ROOT/Autodiscover

ECP doesn't exist

Done
Set-OABVirtualDirectory -Identity "OAB (Default Web Site)" -InternalURL https://legacy.SERVERDOMAIN.org/oab -ExternalURL https://legacy.SERVERDOMAIN.org/oab

Done
Set-OWAVirtualDirectory -Identity "owa (Default Web Site)* -InternalURL https://legacy.SERVERDOMAIN.org/owa -ExternalURL https://legacy.SERVERDOMAIN.org/owa

Doesn't exist as cmdlet
Set-PowershellVirtualDirectory -Identity "SERVERMAIL\powershell* -InternalURL https://legacy.SERVERDOMAIN.org/Powershell -ExternalURL https://legacy.SERVERDOMAIN.org/Powershell

Done
Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)* -InternalURL https://mail.SERVERDOMAIN.org/ews/exchange.asmx -ExternalURL https://mail.SERVERDOMAIN.org/ews/exchange.asmx
Adam BrownSenior Systems AdminCommented:
https://acbrownit.com/2019/01/07/configuring-exchange-virtual-directories/ should help you set things on 2013 when you're ready (change mapi to rpc where you see it, though)

UM is a bit of a red headed step child, which is part of why it's been removed in Exchange 2019. That said, UM relies on EWS and will follow that vdir's settings, so you will want to assign third party cert to that as well in 2013.

I never worked with UM in 2007, so I can't say with confidence that you can remove any self-signed cert, so I'd follow the "if it ain't broke" rules of server deployment. Your ultimate goal is to ditch 2007, so I wouldn't burn more time fixing it than is absolutely necessary.

Everything else looks fight for 2007 settings, so you should be ready to pull the trigger.
ZeeIT ManagerAuthor Commented:
Thank you Adam, I appreciate your input.  I'll leave the UM certs alone for now.  Coincidentally, I am getting a error about the self-signed cert for my server's fqdn being expired but doesn't give me the thumbprint.  No local users have reported any problems with Outlook.

Event 12016: There is no valid SMTP Transport Layer Security (TLS) certificate for the FQDN of server.domain.local. The existing certificate for that FQDN has expired. The continued use of that FQDN will cause mail flow problems. A new certificate that contains the FQDN of server.domain.local should be installed on this server as soon as possible. You can create a new certificate by using the New-ExchangeCertificate task.

So I added a new cert and was trying to assign it to SMTP but can't because I have the SMTP service already assigned to my 3rd party cert.  So I left it alone for now but still need to figure that out.

Since my DNS changes, I have a remote user reporting a sign-on screen when using Outlook 2010.  My Outlook Anywhere works from what I can tell, but after this user reported the problem I ran the Outlook auto-config test (from my home computer) and it returned the attached results.  I don't have any problem with a repeating sign-on in Outlook.  Although the test is not great because I'm using 2013 and the user with the problem is using 2010.  I'll get these same results from them when I connect with them later today. My results show a few errors in connections and I'm not sure what the problem is.  Would somebody be so kind as to take a look at my attached results?  These were done using Outlook 2013 outside of my network.
AutoConfigOutlook.txt
Adam BrownSenior Systems AdminCommented:
The remote user is likely set to use negotiate authentication, which 2007 doesn't support. They'll need to set for either basic or ntlm. The change to the auth mechanism on the rpc vdir probably caused the prompt to start. Outlook 2010 can cause issues with that.

 You should be able to remove the old self signed cert and set the new one for smtp. However, smtp will work fine with the expired cert. It will still encrypt email.
ZeeIT ManagerAuthor Commented:
Thanks, I been working on autodiscover all day.  Now another remote user reported getting a password prompt in Outlook.  I'm looking at IIS right now and all I have is Basic and Windows Authentication enabled for RPC and Autodiscover VDs.  When I run Microsoft's remote connectivity analyzer I see Active Directory currently not available in the Autodiscover POST request section at the bottom of the report.  Seems like it is authentication method but on what?  

I found an article that mentioned I should remove the port 80 binding on my Default website in IIS...  Not sure why it's there because I have the 443 setup for mail.domain.org.  80 isn't setup to anything nor is my firewall allowing that traffic to the mail server.

I also found an article saying to recreate the autodiscover VD.  Any opinion on that one way or the other?

Another article from a microsoft forum had someone changing permissions on the ClientAccess directory to allow authenticated users to read, execute, list folder contents.

I have an account I'm using now on a freshly setup Windows 10 Pro laptop with Office 2010.  Outlook anywhere setup jjust fine except there were more password prompts than expected.  Now, on that laptop, when I first open Outlook I get the password window.  Weird thing is it says connect to username@domain.com.  I enter the credentials as DOMAIN\User and the password.  The window doesn't come back for me unless I close and reopen outlook.  When I test the AutoConfiguration on this laptop's Outlook it runs fine.

Run's fine, but one section looks weird...  Is the info below normal?

Protocol: Exchange RPC
Server: MAIL.DOMAIN.LOCAL

Protocol: Exchange HTTP
Server : MAIL.DOMAIN.ORG

Running the same test on PCs inside and out return the same results and both are using NTLM for HTTP but unspecified for RPC...  Is that the problem?
Adam BrownSenior Systems AdminCommented:
You need to make sure IIS is using the defaults for things to work. IIS settings shouldn't be used to configure things. Exchange needs the permissions at default so it can properly apply its own settings.

You can shut down port 80 if you like, but I doubt that will help any. Does the pop-up return if you check the option to save creds on the pop-up? If it does, there's a problem. If not, you're fine.
Adam BrownSenior Systems AdminCommented:
Rpc can us domain.local without too much issue. That is what gets used inside that network. HTTPS is used outside the network.
ZeeIT ManagerAuthor Commented:
Thanks Adam, yeah I might have to redo the authentication setup in IIS on the VDirs...  I was adjusting authentication via IIS and lost track.  But if I do it now it'll just mess up my Exchange 2013 setup, so I may wait and check it out after I get 2013 online...?  I thought I had it resolved on a couple of Outlook Anywhere laptops, but then I just setup another fresh laptop today and started Outlook, Outlook Anywhere worked like a charm, but the damn login window comes up once every time I open Outlook.  Then for some odd reason it takes like 5 clicks to get a check in the box to Remember credentials and 3 clicks to OK.  If it's not one thing it's another.  I think I'm good on this question.  I'll open a more specific question during my 2013 install if I run into any speed bumps.  If you have any more ideas on the login box in Outlook, let me know.  Other wise, I'll just close the topic and mark your next post as the answer for all of your helpful info throughout the post.  Would you happen to have the correct setup of IIS authentication for 2007 in a 2007-2013?  That way I can confirm after the install that the 2007 IIS and VDirs have the correct authentication...
Adam BrownSenior Systems AdminCommented:

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ZeeIT ManagerAuthor Commented:
That'll do it.  I'll go through and make sure everything is where it needs to be in 2007 when I get my 2013 Exchange server online.  Then confirm VDir Authentications are where they need to be via EMS.  Gonna be messy at this point but I should be able to get back on track, lol.
ZeeIT ManagerAuthor Commented:
Actually my IIS authentication setup matches that spiceworks article now.  We'll see what happens when 2013 comes online.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.