
Exchange 2010 -> Exchange 2013 Migration - Final environment setup questions

Jer
Jer asked
on
49 Views
Last Modified: 2020-09-29

Greetings,

I'm migrating my onsite Exchange 2010 Servers to Exchange 2013 (because we already own the licenses and it is a necessary step as we ultimately transition to cloud email in 2022).  I did a full test run in my DEV environment and everything went well except for Public Folders.  Still needing to figure out what I'm going to do with that.  However, my concern with this inquiry is more about the actual Exchange 2013 server (and cert) setup before and after the migration.  So, here we go...

Right now, I have 2 Exchange 2010 SP3 servers, with one being the primary Mailbox server (A) with all the roles and the other being used exclusively for the Exchange online archive mailboxes and Public Folder replication (B).  Initially, my 2 Exchange 2013 servers are set up the same way, with both having the Mailbox and Client Access roles.  One is hosting all mailboxes (C) and the other is holding the Archive mailboxes (D).  I had an initial issue with autodiscovery, which seems to be a known issue.  OWA worked flawlessly, but Outlook required me to delete/rename the Outlook folder within C:\Users\<username>\AppData\Local\Microsoft.  Annoying, but able to be worked around for now.  So, I currently have 2 Exchange 2010 and 2 Exchange 2013 servers all active.  As expected, the Exchange 2010 servers don't see the Exchange 2013 servers, but the Exchange 2013 servers see all servers.  Right now, A is the primary server, meaning that all incoming email traffic is routed to it (mail.<domain>.com).  C is currently using newmail.<domain>.com.  The certificate on C and D has newmail.<domain>.com, autodiscover.<domain>.com, mail.<domain>.com, C.<domain>.com and D.<domain>.com.  Yeah, I don't like having the server names in the cert, but I wanted to avoid initial warnings during setup and testing.  I'll update the cert once I've changed all the virtual directories to point at mail.<domain>.com.  Which gets me to my primary questions.  So, in 2 weeks, it is my plan to make C (2013) be the primary server.  I change the NAT setup and current TXT records and that is done.  However, I then have A (2010) with mail.<domain>.com as the external access to all virtual directories and A.<domain>.com for all internal access.  As I will still have the vast majority of my users still on A, as I do a gradual mailbox move from A to C, I want to minimize any interruption/actions required of the users.
In a preferred Exchange setup, what should the virtual directories be pointing to internally and externally?  If C is in place as the primary, can I just have mail.<domain>.com everywhere and rely on autodiscovery?

I appreciate any assistance that anyone can provide.

Thank you,

Jeremy

Amit, IT Architect
CERTIFIED EXPERT
Distinguished Expert 2017

Commented:
I advise you to use Exchange deployment tool. It will give you steps needed. Just provide the right inputs. Here is the link: https://docs.microsoft.com/en-us/exchange/exchange-deployment-assistant?view=exchserver-2019

In short, You can keep your Exchange 2010 as primary, start moving the mailboxes to 2013. Once all mailboxes moved to 2013, then you can perform DNS and URL changes.
Jer

Author

Commented:
Greetings,

Thank you for the responses.  Got hung up on a couple items last week and am finally getting back to this.  I had previously gone through the vast majority of these steps in my test environment, although the Exchange deployment tool seems different/updated.  I had already completed everything up to the point that it said to migrate the arbitration mailboxes.  I definitely had not done that.  As I look through my mailboxes, the 5 accounts are not listed.  As I look at my AD, they are all disabled.  Is this normal?  The command "Set-ADServerSettings -ViewEntireForest $true; Get-Mailbox -Arbitration | Format-Table Name,DisplayName" does display them.  If I start the creation of a New Migration Batch, I can select all the mailboxes.  That said, it does show that one SystemMailbox is already on the new server, while the other 2 SystemMailbox objects are still on the Exchange 2010 server.  It appears that I only need to migrate SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}, initially?  Does migrating it break anything in Exchange 2010?  I have my manager still on Exchange 2010 and he does have the ability to do eDiscoveries and such.

Regarding OAB, I have 2 (Default Offline Address Book and Default Offline Address Book (Exch2013)).  All the Exchange 2010 MDBs are using Default Offline Address Book, while the 2 Exchange 2013 MDBs are using Default Offline Address Book (Exch2013).  Is that normal, or should I have all MDBs point at the same one?

Regarding keeping the Exchange 2010 Server as the primary, that was my original plan, but mail.<domain>.com didn't work when assigned to the new Exchange 2013 server.  It tried to switch me to C.<domain>.com and Outlook never connected.  Perhaps I bailed on it too soon?  It seems like with autodiscover in place, I should be able to have mail.<domain>.com everywhere and it should find my mailboxes (primary and archive).  Anyhow, when that didn't happen, I went to the newmail.<domain>.com approach so I could work (myself) and keep testing without risk of impacting the Exchange 2010 environment.  My preference is to get the new Exchange 2013 server (C) as the primary, as it is Server 2012 R2, while the primary Exchange 2010 server (A) is Server 2008 R2.  With it EOL, I'm looking to reduce the public exposure for the more vulnerable server.

Thoughts?

Thanks again for the assistance.

Jeremy
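The post above asks where the arbitration mailboxes currently live and whether each database's OAB assignment is expected. The following script is an added example (not posted by anyone in this thread and not part of the Exchange Deployment Assistant): a read-only check, run from the Exchange 2013 Management Shell, that joins each arbitration mailbox and each mailbox database to the version of the server hosting it, so anything still on a "Version 14" (Exchange 2010) server is listed before the decommission. All cmdlets used are standard Exchange cmdlets; the labels in the Action column are this example's own wording.

```powershell
# Added example (not from this thread): pre-move inventory of arbitration
# mailboxes and per-database OAB assignment, by hosting server version.
# Run from the Exchange 2013 Management Shell so both versions are visible.
Set-ADServerSettings -ViewEntireForest $true

# Map every Exchange server name to its major version (14 = 2010, 15 = 2013).
# PowerShell hashtable keys are case-insensitive, so ServerName casing is safe.
$versionByServer = @{}
Get-ExchangeServer | ForEach-Object {
    $versionByServer[$_.Name] = $_.AdminDisplayVersion.Major
}

function Get-ArbitrationMailboxReport {
    # Arbitration mailboxes are AD-disabled by design; -Arbitration is needed
    # to list them at all, which is why they do not appear in the EAC lists.
    Get-Mailbox -Arbitration | ForEach-Object {
        $ver = $versionByServer[$_.ServerName]
        [PSCustomObject]@{
            Name     = $_.Name
            Database = $_.Database.Name
            Server   = $_.ServerName
            Version  = $ver
            Action   = if ($ver -eq 14) { 'still on Exchange 2010 - move before decommission' }
                       else             { 'already on Exchange 2013' }
        }
    }
}

function Get-DatabaseOabReport {
    # Shows which OAB each database hands to its clients. Databases on 2010
    # and 2013 servers are expected to differ here; the report just makes
    # the split visible so nothing is changed by accident.
    Get-MailboxDatabase | ForEach-Object {
        $srv = $_.Server.Name
        [PSCustomObject]@{
            Database           = $_.Name
            Server             = $srv
            Version            = $versionByServer[$srv]
            OfflineAddressBook = if ($_.OfflineAddressBook) { $_.OfflineAddressBook.Name } else { '(none)' }
        }
    }
}

"== Arbitration mailboxes and where they currently live =="
Get-ArbitrationMailboxReport | Sort-Object Version, Name | Format-Table -AutoSize

"== Offline address book assigned to each database =="
Get-DatabaseOabReport | Sort-Object Version, Database | Format-Table -AutoSize
```

Nothing in the script changes state; it only reads. Running it once before and once after the arbitration move gives a before/after record of which system mailboxes changed server.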
Amit, IT Architect
CERTIFIED EXPERT
Distinguished Expert 2017

Commented:
Did you check the Exchange deployment assistant tool? If not, please check it. It will provide you all steps.
MAS, EE Solution Guide - Technical Dept Head
CERTIFIED EXPERT
Most Valuable Expert 2017

Commented:
-->Is that normal
Yes, that is created when you install Exchange 2013.

-->Or should I have all MDBs point at the same one?
It is recommended to keep the new one pointed.
The offline address book is re-engineered in Exchange 2013.
Before, it was distributed through FDS. Now it is distributed through the system mailbox.

You can test Outlook with a test mailbox, as I have clearly explained above.

-->I'm looking to reduce the public exposure for the more vulnerable server.
You can have some server/appliance in the middle, e.g. WAP (Web Application Proxy).
Jer

Author

Commented:
Amit, I paused at the deployment tool step with the arbitration mailbox move, as I wanted to confirm that there was no impact to the Exchange 2010 functionality.  My only concern is the apparent lack of 2-way communication between Exchange 2010 and 2013 in some areas.  That said, I did move past it and the next step was the enabling/configuring of Outlook Anywhere.  I definitely never did those commands in my DEV or production environment, so that seems like an obvious issue.

MAS, I had already moved a mailbox (mine) and tested before I ever created this ticket.  I used Practical365 a lot during original testing.  Part of the problem is that my test environment is not an exact duplicate of my production environment, and when things didn't work the same, I put on the brakes a little and retraced my steps.  When I couldn't see obvious errors or confirmation of my setup, I created the ticket.  Regarding the web proxy solution, I do need to look more into that.  I have never had that in my environment, but it seems that Exchange 2013 requires it or you will get Event ID 3025 and 3018 errors every hour.

So, I will continue with the steps in the deployment tool this evening, but I wanted to confirm that I should have no concerns with having mail.<domain>.com on all virtual directories, internal and external AND Exchange 2010 and 2013 and have no issues, correct?  It always seemed like that is how it should (and frankly needs to) work, as this is why autodiscover exists.  I then just have to confirm that my internal and external DNS entries for mail.<domain>.com are always pointing at the same (primary) server (initially server A (Exchange 2010) and then Server C (Exchange 2013)).

Thanks again for your assistance.  It always helps to have someone who has been there, done that.

Jeremy

Amit, IT Architect
CERTIFIED EXPERT
Distinguished Expert 2017

Commented:
Follow the deployment guide for the arbitration mailbox move, it won't impact.
Jer

Author

Commented:
I didn't get to start working on this until late in the evening tonight, so I didn't get too aggressive when I ran into problems.

Going through the Exchange Deployment Assistant, I moved the arbitration mailbox without issue.  I then changed the Outlook Anywhere settings from newmail.<domain>.com to mail.<domain>.com on both of my Exchange 2013 servers (primary and archive) for both internal and external access.  While Outlook (2016) and our secure mobile email application (MaaS360) continued to work, without issue, OWA is not working.  If I enter mail.<domain>.com/owa, it takes me to the Exchange 2010 web page (which doesn't surprise me).  However, when I enter my credentials (for my Exchange 2013 mailbox), I get an exception stating Microsoft.Exchange.Clients.Owa.Core.WrongCASServerBecauseOfOutOfDateDNSCacheException.

Is this because I didn't run the Outlook Anywhere commands and the Configure service connection point step?  Like I said, I didn't want to have an issue at midnight with my email and have to troubleshoot to get it going ASAP.  That said, I did have questions.  In my Exchange 2010 environment, my primary server (A) has Outlook Anywhere enabled, while B does not.  It has basic for client and IIS authentication.  The commands look to change the authentication to NTLM for client and NTLM and basic for IIS.  It says to apply the Exchange 2013 Host Name, which is mail.<domain>.com.  This is the same as the Exchange 2010 Host Name.  Is that OK?  If so, it seems like the commands below are just updating the authentication method.  Or am I missing something?  I just don't want to break Exchange 2010.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 14*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-ClientAccessServer | Where {$_.OutlookAnywhereEnabled -Eq $True} | ForEach {Set-OutlookAnywhere "$_\RPC (Default Web Site)" -ClientAuthenticationMethod NTLM -SSLOffloading $False -ExternalHostName $Exchange2013HostName -IISAuthenticationMethods NTLM, Basic}

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 14*") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-ClientAccessServer | Where {$_.OutlookAnywhereEnabled -Eq $False} | Enable-OutlookAnywhere -ClientAuthenticationMethod NTLM -SSLOffloading $False -ExternalHostName $Exchange2013HostName -IISAuthenticationMethods NTLM, Basic

I have a similar question about the SCP object config step.  The autodiscover Host Name is the same for both Exchange 2010 and Exchange 2013 servers, namely autodiscover.<domain>.com.  As such, I'm not understanding what the following commands do.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 14*") -And ($_.ServerRole -Like "*ClientAccess*")} | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$AutodiscoverHostName/Autodiscover/Autodiscover.xml

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 15*") -And ($_.ServerRole -Like "*ClientAccess*")} | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$AutodiscoverHostName/Autodiscover/Autodiscover.xml

How does autodiscover.<domain>.com distinguish between the servers?  What am I missing?  Is the autodiscover Host Name supposed to be the actual server name?  If I do the following:

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 15*(or 14*)") -And ($_.ServerRole -Like "*ClientAccess*")} | Get-ClientAccessServer | Format-Table Name, AutoDiscoverServiceInternalUri -Auto

It returns the server names, such as https://serverA.<domain>.com/autodiscover/autodiscover.xml and https://serverB.<domain>.com/autodiscover/autodiscover.xml for Exchange 2010 and https://serverC.<domain>.com/autodiscover/autodiscover.xml and https://serverD.<domain>.com/autodiscover/autodiscover.xml for Exchange 2013.  What should be returned?

I plan to start much earlier on Wednesday, so I'll be able to complete the Deployment assistant.  I'm likely overthinking it, but I just wanted to make sure that I could complete the steps without an interruption to Exchange 2010 users.

Again, thanks for all your help.

Jeremy

MAS, EE Solution Guide - Technical Dept Head
CERTIFIED EXPERT
Most Valuable Expert 2017

Commented:
Your Outlook Anywhere (common name) and autodiscover (autodiscover.email.com) should have the same name on both servers.

-->Is the autodiscover Host Name supposed to be the actual server name?
For example, if your email address is jeremy@microsoft.com, autodiscover should be "autodiscover.microsoft.com".
I have explained it in my article.
Jer

Author

Commented:
Hello MAS,

I've read through the article again and everything but the autodiscover has already been done.  Your article only addresses changing a single CAS server, while I have 4.  So, tonight, I'll change all the CAS servers' autodiscover host name to the same setting, correct?  As the internal and external settings are for mail.<domain>.com, I should do the following, correct?

Set-ClientAccessServer -Identity server(A,B,C,D) -AutoDiscoverServiceInternalUri "https://mail.<domain>.com/autodiscover/autodiscover.xml"  

or I could do:

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like "Version 14*(or 15*)") -And ($_.ServerRole -Like "*ClientAccess*")} | Set-ClientAccessServer -AutoDiscoverServiceInternalUri "https://mail.<domain>.com/Autodiscover/Autodiscover.xml"

However, this is where I'm getting confused.  Your article example says to use "mail:<domain>.com", while your comment and the Exchange Deployment Assistant show "autodiscover.<domain>.com".

Since both mail.<domain>.com and autodiscover.<domain>.com point at the same server (primary Exchange 2010 server), it probably doesn't matter.  I have both listed on my certificate.  I'm just trying to confirm that I'm not making an incorrect assumption.  Right now, my assumption is that I can change all 4 server (A,B,C,D) to the same autodiscover host name, while leaving the DNS entries for autodiscover and mail pointing at server A (Exchange 2010) for now and no users on either Exchange environment will notice a change, except that it will now work correctly for both Exchange 2010 and Exchange 2013.  Is that a correct assumption?

As able, please advise.

Thank you,

Jeremy
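The two posts above (the SCP commands and the question of whether all four CAS servers can share one autodiscover host name) both come down to whether every advertised name is consistent and is actually on the certificate each server presents. The script below is an added example, not from any poster in this thread and not output of the Exchange Deployment Assistant: a read-only audit, run from the Exchange 2013 Management Shell, that collects the SCP URI, the internal and external URLs of the client-facing virtual directories and the Outlook Anywhere host names from every Client Access server, and flags any entry that is empty, is not one of the accepted names, or is not covered by the server's IIS certificate. The names mail.example.com and autodiscover.example.com in $AcceptedHosts are assumed placeholders; all cmdlets are standard Exchange cmdlets.

```powershell
# Added example (not from this thread): read-only namespace/certificate audit
# across all Exchange 2010 and 2013 Client Access servers. Run from the
# Exchange 2013 Management Shell (the 2010 shell cannot see 2013 objects).
$AcceptedHosts = @('mail.example.com', 'autodiscover.example.com')   # ASSUMPTION

Set-ADServerSettings -ViewEntireForest $true

# Turn a URL, a Hostname object or $null into a lower-case host name
function Get-HostPart {
    param($Value)
    if (-not $Value) { return $null }
    $s = $Value.ToString()
    if ($s -match '^[a-z]+://') { return ([Uri]$s).Host.ToLower() }
    return $s.ToLower()
}

# True when one of the certificate names covers the host (one-level wildcard aware)
function Test-CertCoversHost {
    param([string[]]$CertNames, [string]$HostName)
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }
        if ($n.StartsWith('*.') -and $HostName -like $n -and
            $HostName.Split('.').Count -eq $n.Split('.').Count) { return $true }
    }
    return $false
}

function Get-NamespaceAudit {
    $servers = Get-ExchangeServer | Where-Object { $_.ServerRole -like '*ClientAccess*' }
    foreach ($srv in $servers) {
        $name    = $srv.Name
        $version = $srv.AdminDisplayVersion.Major          # 14 = 2010, 15 = 2013

        # Host names contained in the certificate bound to IIS on this server
        $certNames = Get-ExchangeCertificate -Server $name |
            Where-Object { $_.Services -match 'IIS' } |
            ForEach-Object { $_.CertificateDomains } |
            ForEach-Object { $_.ToString().ToLower() }

        # Every client-facing setting that advertises a host name
        $items = @()
        $items += [PSCustomObject]@{ Item = 'SCP AutoDiscoverServiceInternalUri'
            Value = (Get-ClientAccessServer -Identity $name).AutoDiscoverServiceInternalUri }
        $vdirs = @(
            Get-OwaVirtualDirectory         -Server $name
            Get-EcpVirtualDirectory         -Server $name
            Get-WebServicesVirtualDirectory -Server $name
            Get-OabVirtualDirectory         -Server $name
            Get-ActiveSyncVirtualDirectory  -Server $name
        ) | Where-Object { $_.Name -like '*Default Web Site*' }   # skip 2013 back-end vdirs
        foreach ($vd in $vdirs) {
            $items += [PSCustomObject]@{ Item = "$($vd.Name) InternalUrl"; Value = $vd.InternalUrl }
            $items += [PSCustomObject]@{ Item = "$($vd.Name) ExternalUrl"; Value = $vd.ExternalUrl }
        }
        $oa = Get-OutlookAnywhere -Server $name -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like '*Default Web Site*' }
        if ($oa) {
            $items += [PSCustomObject]@{ Item = 'OutlookAnywhere ExternalHostname'; Value = $oa.ExternalHostname }
            # InternalHostname exists only on Exchange 2013; it is $null on 2010
            $items += [PSCustomObject]@{ Item = 'OutlookAnywhere InternalHostname'; Value = $oa.InternalHostname }
        }

        foreach ($i in $items) {
            $h = Get-HostPart $i.Value
            [PSCustomObject]@{
                Server        = $name
                Version       = $version
                Item          = $i.Item
                Host          = $h
                Accepted      = [bool]($h -and ($AcceptedHosts -contains $h))
                OnCertificate = if ($h) { Test-CertCoversHost $certNames $h } else { $false }
            }
        }
    }
}

$rows = Get-NamespaceAudit
$rows | Format-Table -AutoSize

"`nEntries that are empty, not an accepted name, or not on the server's certificate:"
$rows | Where-Object { -not $_.Host -or -not $_.Accepted -or -not $_.OnCertificate } |
    Format-Table Server, Version, Item, Host, Accepted, OnCertificate -AutoSize
```

Because it only reads, the audit can be run before and after each Set-ClientAccessServer or Set-*VirtualDirectory change; a clean second table is the confirmation that every server now advertises names that clients can reach and that the presented certificate will not trigger a warning.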
Jer

Author

Commented:
Actually, as part of the SCP process, it looks like I need to point the autodiscover host name at the new Exchange 2013 server (Server C), to improve the discovery process.  In that case, would I have mail.<domain>.com continue to point at the Exchange 2010 server (A) until all mailboxes are moved, while having autodiscover.<domain>.com pointing at the new primary Exchange 2013 CAS server (C)?  Or would I have everything point at server C?

Thanks,

Jeremy 
Jer

Author

Commented:
Alright, I moved forward with completing the Exchange Deployment Assistant steps this weekend.  Everything generally went well, once I pointed mail.<domain>.com and autodiscover.<domain>.com to the Exchange 2013 server (C).  There are a few Event IDs that I will be working to clean up, but nothing too significant.  However, I did have one issue that I have yet to resolve.  Previously, OWA was accessed on the Exchange 2010 server by going to https://mail.<domain>.com/exchange (which was redirected to /owa).  Now that everything is pointing at the new Exchange 2013 server, https://mail.<domain>.com/owa works great for Exchange 2010 and 2013 users.  However, if they try to use the previous https://mail.<domain>.com/exchange, they get a "Something went wrong" error with "refresh the page" at the bottom.  Upon clicking on "refresh the page", it completes the loading of https://mail.<domain>.com/owa and the user gets to their email on the Exchange 2010 page without an issue.  Searches have suggested IIS authentication and web.config errors, but I have not had any luck so far. One of the authentication errors says "Configuration section not allowed to be set below application" with the particular line being "<authentication mode="Windows" />".

Any ideas?  I appreciate it.  

Thank you,

Jeremy
Amit, IT Architect
CERTIFIED EXPERT
Distinguished Expert 2017

Commented:
Are you getting the error for both internal and external?

Generally, you can assign the legacy DNS name to the old server and the webmail equivalent address to the new servers; the web services will direct you to the correct OWA servers.
Jer

Author

Commented:
It is happening for both.  However, externally, I get the error before getting the login prompt, while internally, I get the error after the login prompt sometimes, while before it most times.  The "refresh" always lets the login complete.  I'll look into the legacy DNS option, but I'm not sure how it would be applied, as everything in my Exchange environment is pointing at either mail.<domain>.com or autodiscover.<domain>.com, which are both pointing at my primary Exchange 2013 CAS server.  I would think that this has to be within IIS, isn't it?

Thanks,

Jeremy
Amit, IT Architect
CERTIFIED EXPERT
Distinguished Expert 2017

Commented:
Are you running disjoint namespace?
Amit, IT Architect
CERTIFIED EXPERT
Distinguished Expert 2017

Commented:
In the Exchange deployment tool, check the section "Configure DNS records".

For OWA you need to create a CNAME:

External:
owa.contoso.com      CNAME      mail.contoso.com

Internal:
owa.contoso.com      CNAME      Ex2013CAS.corp.contoso.com

Jer

Author

Commented:
Nope.  We're about as basic of a network setup as you can get.  Single forest, single site, single domain, and <domain>.com for both AD and DNS.  In hindsight, there are lots of things that I would have changed about my network when I built it in the 90's, but that is another matter.  ;-)

Technically, if this is the only issue that we have, I'd likely just plan on issuing instructions out to all users stating to use /owa versus /exchange.  My company just isn't a fan of change, and it seems like it is so close, that perhaps others were familiar with this issue.  Is it not telling that if I go into IIS on my Exchange 2010 server, open the Exchange folder, and try to open Authentication, I get the error about \owa\web.config, and on the Exchange 2013 server (within Exchange Back End) I get the same error, "<authentication mode="Windows" />"?  I understand that the Exchange Back End is referencing the Exchange 2010 IIS virtual directories, but considering that there are 2 different files on 2 different servers both referencing authentication, isn't authentication something I need to look at?  After all, it is getting to the right destination, just not smoothly.

Thanks,

Jeremy 
MAS, EE Solution Guide - Technical Dept Head
CERTIFIED EXPERT
Most Valuable Expert 2017

Commented:
/exchange was used in Exchange 2003; since Exchange 2007 all use /owa, i.e. https://mail.domain.com/owa.
You will have to send an email to all users to use /owa,
or you can redirect traffic to /owa,
i.e. if someone types https://mail.domain.com or simply types mail.domain.com it will redirect to https://mail.domain.com/owa.
https://docs.microsoft.com/en-us/exchange/clients/outlook-on-the-web/http-to-https-redirection?view=exchserver-2019

owa.contoso.com      CNAME      Ex2013CAS.domain.com
If you create the above CNAME you will have to add Ex2013CAS.domain.com to your certificate, else you will have certificate warnings in OWA.
Instead, please follow these articles and make it the same on both.
https://www.experts-exchange.com/articles/29657/Exchange-2010-Fix-for-an-Invalid-certificate-and-related-issues.html
https://www.experts-exchange.com/articles/29662/Exchange-2013-Fix-for-an-Invalid-certificate-and-related-issues.html
Amit, IT Architect
CERTIFIED EXPERT
Distinguished Expert 2017

Commented:
Follow @MAS's articles. They explain everything in detail.
Jer

Author

Commented:
Thanks for all your help.  Yeah, we kept /exchange, as our users (and management) are not big fans of change.  That said, it is not worth trying to make this work, if even possible.  So, while we may consider redirection in the future, I think we'll just stay with instructing the users to use /owa for now.  We're migrating to the cloud within 2 years anyhow.

I did have one last related item that I'm wondering if you could provide any insight on.  Within Virtual Directories, there is the PowerShell (Default Web Site).  I left it alone, as it wasn't addressed in the migration tool or any other documentation (or at least I didn't see it).  By default, it has an Internal URL of http://<server>.<domain>.com/powershell and no External URL.  Is this supposed to be updated to https://mail.<domain>.com/powershell?  In searches, I'm just not finding any specifics on this.  It seems like this should remain pointing at the specific server, without need for external access, but I was wondering if you knew otherwise?

Again, thanks for all your help with this.

Jeremy
MAS, EE Solution Guide - Technical Dept Head
CERTIFIED EXPERT
Most Valuable Expert 2017

Commented:
-->By default, it has an Internal URL of http://<server>.<domain>.com/powershell and no External URL.
Please do not make changes on that. Let it be the same as it is.
MAS, EE Solution Guide - Technical Dept Head
CERTIFIED EXPERT
Most Valuable Expert 2017

Commented:
I have explained everything that is required for the asker.
Amit, IT Architect
CERTIFIED EXPERT
Distinguished Expert 2017

Commented:
I don't see a reason to delete this question; a lot of details are provided by @MAS and me together.
