MSExchangeGuru.com

Learn Exchange the Guru way !!!

 

Transitioning Exchange 2007 Client Access servers to Exchange 2010

First step in deploying Exchange 2010 is implementing the CAS server infrastructure in production. Lately I have been working with one of my customers to cut over their Exchange 2007 SP2 infrastructure to Exchange 2010 SP2. They had specific requirement that I had to really do my homework to make the necessary changes because we wanted minimum or “NO” downtime for users.

In a snapshot, this is the requirement the customer told me:

“We want to change our internet facing CAS server infrastructure from New York to Boston and change the owa URL from owa.old.com to owa.new.com”

Sounds pretty simple – right? Well, it aint no rocket science, but if not planned and executed properly, may leave you hanging on a cliff!

Now I had to document this properly, so here we go:

Scenario as follows:

==============================

Old OWA url        – owa.old.com

New OWA url    – owa.new.com

New EAS url        – mobile.new.com    

 

Current internet CAS AD Site    : New York

New internet CAS AD Site    : Boston

Remote Site with Exchange    : India

All user mailboxes on Exchange 2007 SP2 in New York, Boston and India.

Note: This action plan can also be used in the event you want to cut over you existing URL to Exchange 2010. Example, you current OWA/EAS URL is owa.domain.com which will continue functioning on Exchange 2010 SP2.

End result expected:

==============================

Old URL should keep servicing users on Exchange 2007 SP2 for OWA and EAS requests.

Users wouldn’t need to update any settings on their mobile devices.

Challenges and possible issues:

==============================

1. We identified about 600 users with old mobile devices with Exchange ActiveSync version 12.1 or below. These devices do not support Autodiscover, so we will have to manually update their mobile devices to update the new OWA URL.

To do this, refer to:

                              Exchange 2007 ActiveSync reporting: https://msexchangeguru.com/2010/05/20/e2k7-activesync-reporting/

2. Users may see certificate prompts in Outlook.

Overview of steps to perform:

==============================

  • Install Exchange 2010 SP2 CAS servers to the existing Exchange environment
  • Install new SSL certificates on all Exchange 2010 CAS servers
  • Ensure all DNS settings are in place prior to the change
  • Switch the internet facing CAS server infrastructure from New York location and make the new Exchange 2010 CAS servers internet facing with the help of hardware load balancers in Boston datacenter location
  • Define proper authentication settings on all CAS servers – internet facing, non-internet facing CAS in internet facing site, non-internet facing CAS in non-internet facing site
  • Change the current OWA/EAS url from owa.old.com to owa.new.com
  • Ensure the old URL owa.old.com continue servicing OWA and EAS requests with the help of “proxy” mechanism and not “re-direct” for legacy Exchange 2007 mailboxes, mailboxes moved from Exchange 2007 to Exchange 2010 and new mailboxes provisioned on Exchange 2010
  • Ensure older mobile devices who do not support Autodiscover 12.0 or below continue functioning without interruption
  • Outlook anywhere servers to be installed in Boston location and internal certificate to be installed to oa.new.com
  • Identify all MAC users in the organization and have an action plan for them

Backup all Vdir settings:

================================================

Oh yeah – you need this the most. So let’s backup settings from all servers

Get-ClientAccessServer |fl Name, AutoDiscoverServiceInternalUri

Get-ClientAccessServer | Get-ActiveSyncvirtualDirectory | fl Server, BasicAuthentication, WindowsAuthentication, InternalAuthenticationMethods, ExternalAuthenticationMethods, InternalURL, ExternalURL

Get-ClientAccessServer | Get-OABVirtualDirectory | fl Server, BasicAuthentication, WindowsAuthentication, InternalAuthenticationMethods, ExternalAuthenticationMethods, InternalURL, ExternalURL

Get-OwaVirtualDirectory | fl Server, BasicAuthentication, WindowsAuthentication, InternalAuthenticationMethods, ExternalAuthenticationMethods, InternalURL, ExternalURL

Get-ClientAccessServer | Get-WebServicesVirtualDirectory | fl Server, BasicAuthentication, WindowsAuthentication, InternalAuthenticationMethods, ExternalAuthenticationMethods, InternalURL, ExternalURL

URL’s to be added in certificate:

==================================

owa.old.com

owa.new.com

autodiscover.old.com

autodiscover.new.com

legacy.new.com

DNS entries:

=============

Create these Prior to the change and ensure F5 is listening to all those servers
External Internal  
Public ip of load balancer

Internal ip of load balancer

owa.new.com
autodiscover.new.com
mobile.new.com
 
Public ip of load balancer

Internal ip of load balancer

legacy.new.com
 
During the time of cutover. Set TTL values for this to 5 minutes
     
Public ip of load balancer

Internal ip of load balancer

oa.new.com (outlook anywhere)
 
Public ip of load balancer

Internal ip of load balancer

owa.old.com
autodiscover.old.com

The following DNS entries will point to F5 load balancer which points to the Exchange 2010 CAS servers:

owa.old.com

owa.new.com

autodiscover.old.com

autodiscover.new.com

legacy.new.com will point to F5 load balancer which points to E2K7 servers in the same internet facing site as of E2010

Understanding the relevance of legacy URL in Exchange 2010 – Exchange 2007 co-existence:

The relevance of a legacy URL is very critical in an Exchange 2007 – Exchange 2010 co-existence environment. First of all know that legacy URL will point to one/several Exchange 2007 CAS servers and NOT to Exchange 2010 CAS servers. In this case, legacy.new.com will point to an F5 load balancer which points to 4 E2K7 SP2 servers in the same internet facing site as of E2010.

Now the reason for this, is when an Exchange 2007 user request for OWA/EAS hits the Exchange 2010 CAS server, Exchange 2010 is intelligent enough to know that this user resides on an Exchange 2007 server and the request will be proxied to the Exchange 2007 server where the External URL property on the respective Virtual directory will be set to LEGACY which in turn is pointing to an array of Exchange 2007 servers.

Introduce Exchange 2010 SP2 CAS servers to the existing Exchange environment

======================================================

Exchange 2010 Prerequisites: technet.microsoft.com/en-us/library/bb691354.aspx
Install Exchange 2010 Using the Custom Installation Type: http://technet.microsoft.com/en-us/library/bb125143.aspx

Apply the latest Roll up – Exchange 2010 SP2 RU4 at the time I installed

Ensure that you use the same service account you used install the old server to perform this new installation or it could cause permissions issues and OWA login page issues.

  1. On the CAS2010 server(s), they establish a connection to the CAS2007 server’s drive that contains the Exchange binaries and navigate to the \Client Access\OWA directory (e.g. \\cas2007nonIFAD\c$\Program Files\Microsoft\Exchange Server\Client Access\Owa).
  2. They then copy the highest version folder (e.g. today my SP2 build is 8.3.215.0) from the CAS2007 server to the CAS2010 Exchange binaries \Client Access\OWA directory (e.g. C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa).
  3. Perform IISreset /noforce
if you dont perform this step, thats when you get the infamous error:
“The mailbox you’re trying to access isn’t currently available. If the problem continues, contact your helpdesk.”
Remember: Every time you patch or update the rollup on your existing Exchange 2007 servers, ensure you copy the Rollup update folder created to the Exchange 2010 servers or Exchange 2007 users wont be able to access OWA. Perform an IISReset.

Install new SSL certificates on all Exchange 2010 CAS servers

======================================================

I am not going to be descriptive here, you can refer:

Install an SSL Certificate on a Client Access Server: technet.microsoft.com/en-us/library/bb310769.aspx

Create a new CSR request from the Exchange Management console

Submit it to your certificate authority service (GoDaddy) and have them create a certificate for you.

The certificate to be issued to – owa.new.com

Have them include these Subject Alternative Names in the certificate:

owa.new.com

owa.old.com

autodiscover.old.com

autodiscover.new.com

legacy.new.com

Once you have the Cert.CER file with you, import it to the personal store by navigating to the Exchange Management Console.

Now, complete the pending request and ensure the certificate is valid on the Exchange 2010 server.

Now assign IIS, IMAP and POP services to that certificate.

Perform IISReset

 

I have given an overview here:

Install SSL certificate on EDGE Transport server role for TLS: https://msexchangeguru.com/2012/07/24/edge-server-tls/

Now, navigate to https://serverfqdn and make sure the new certificate is shown,

If the new certificate is not showing up after assigning the IIS service to it and doing an IISreset, the certificate may not be assigned properly

  1. Navigate to inetmgr
  2. Check binding in Default website and make sure the new certificate is selected underneath


Now, it is important for us to set the HTTP re-direct on all the new exchange 2010 CAS servers:


 

NOTE: When you install the new Exchange 2010 servers, do it off business hours or users may start receiving certificate not trusted warning messages.

To bypass this, you may stop the IIS Admin services and the default website in IIS respectively.

 

DO NOT Forget this step – Install this public certificate on all the non-internet facing Exchange 2007 servers in the internet facing site.

 

 

Authentication, Internal URL and External URL settings:

========================================

Before you proceed, please make a note that I have separated AD sites in this co-existence into 3:

  1. Internet Facing E2010 SP2 CAS Servers
  2. E2K7 SP2 in same site as of E2010
  3. E2K7 SP2 in a different site as of E2010 (Remote Site)

HAVE THESE CMDlets READY in a notepad PRIOR to the change or you will waste lot of time (like I did).

Internet Facing E2010 SP2 CAS Servers

Internal URL       – owa.new.com

External URL      – owa.new.com

These are the cmdlets you need to run to change the virtual directory settings on the E2010 internet facing servers.

Set-OwaVirtualDirectory -identity “E2010_CAS_NAME\OWA (Default Web Site)” –internalUrl https://owa.new.com/owa –ExternalUrl https://owa.new.com/owa -FormsAuthentication $True -BasicAuthentication $True

Set-ECPVirtualDirectory -Identity “E2010_CAS_NAME\ECP (Default Web Site)” -InternalURL https://owa.new.com/ecp -ExternalURL https://owa.new.com/ecp -FormsAuthentication $True -BasicAuthentication $True

Set-Webservicesvirtualdirectory -identity “E2010_CAS_NAME\EWS (Default Web Site)” -InternalURL https://owa.new.com/ews/exchange.asmx -externalUrl https://owa.new.com/ews/exchange.asmx -WindowsAuthentication $True -BasicAuthentication $True

Set-Activesyncvirtualdirectory -identity “E2010_CAS_NAME\Microsoft-server-activesync (Default Web Site)” -InternalURL https://owa.new.com/Microsoft-server-activesync -externalUrl https://owa.new.com/Microsoft-server-activesync -BasicAuthEnabled $True

Set-OABVirtualDirectory -Identity “E2010_CAS_NAME\OAB (Default Web Site)” -InternalURL https://owa.new.com/oab -ExternalURL https://owa.new.com/oab -WindowsAuthentication $True -BasicAuthentication $True -RequireSSL $True

Set-ClientAccessServer -Identity E2010_CAS_NAME -AutoDiscoverServiceInternalUri https://owa.new.com/Autodiscover/Autodiscover.xml

E2K7 in same site as of E2010

Internal URL       – legacy.new.com (doesn’t matter really)

External URL      – legacy.new.com & $NULL

Set-OwaVirtualDirectory -Identity “E2K7_SameADSite_Name\OWA (Default Web Site)” -InternalURL https://legacy.new.com/owa -ExternalURL https://legacy.new.com/owa -FormsAuthentication $True -BasicAuthentication $True

Set-Webservicesvirtualdirectory -identity “E2K7_SameADSite_Name\EWS (Default Web Site)” -internalUrl https://legacy.new.com/ews/exchange.asmx -externalUrl https://legacy.new.com/ews/exchange.asmx -WindowsAuthentication $TRUE -BasicAuthentication $True

Set-Activesyncvirtualdirectory -identity “E2K7_SameADSite_Name\Microsoft-server-activesync (Default Web Site)” -internalUrl https://legacy.new.com/Microsoft-Server-ActiveSync -ExternalUrl $NULL -BasicAuthEnabled $TRUE -WindowsAuthEnabled $TRUE

Set-OABVirtualDirectory -Identity “E2K7_SameADSite_Name\OAB (Default Web Site)” -InternalURL https://legacy.new.com/oab -ExternalURL https://legacy.new.com/oab -WindowsAuthentication $True -BasicAuthentication $True -RequireSSL $True

Set-ClientAccessServer -Identity E2K7_SameADSite_Name -AutoDiscoverServiceInternalUri https://legacy.new.com/Autodiscover/Autodiscover.xml

E2K7 in different site as of E2010

Internal URL       – CAS Server FQDN

External URL      – $NULL

Set-OwaVirtualDirectory -Identity “E2K7_remoteADSite_FQDN\OWA (Default Web Site)” –InternalURL https://E2K7_remoteADSite_FQDN/owa -ExternalURL $Null –FormsAuthentication $False –WindowsAuthentication $true

Set-Webservicesvirtualdirectory -identity “E2K7_remoteADSite_FQDN\EWS (Default Web Site)” –InternalURL https://E2K7_remoteADSite_FQDN/ews/exchange.asmx -ExternalUrl:$NULL –WindowsAuthentication:$TRUE

Set-Activesyncvirtualdirectory -identity “E2K7_remoteADSite_FQDN\Microsoft-server-activesync (Default Web Site)” –InternalURL https://E2K7_remoteADSite_FQDN/Microsoft-Server-ActiveSync -ExternalUrl $NULL -WindowsAuthEnabled: $TRUE

Set-OABVirtualDirectory -Identity “E2K7_remoteADSite_FQDN\OAB (Default Web Site)” –InternalURL https://E2K7_remoteADSite_FQDN/oab -ExternalURL https://owa.new.com/oab -WindowsAuthentication $True -BasicAuthentication $True

Set-ClientAccessServer -Identity E2K7_remoteADSite_FQDN -AutoDiscoverServiceInternalUri https://E2K7_remoteADSite_FQDN/Autodiscover/Autodiscover.xml

What to do at the time of cut over?

===============================================

Have your DNS admin change the public and internal DNS entry to point to the new load balancer ip in your new BOSTON data center location

Important – MUST READ Section:

===============================================

Add all new E2010 to OAB distribution point

For the E2K7 in different site as of E2010, we set the Internal URL to CAS Server FQDN. You don’t need the FQDN to be added in the cert because CAS-CAS proxying won’t look for the public cert. So, have an internal cert installed with the server FQDN value in it on the server and also assign the IIS service to that internal certificate.

We specify $NULL to ensure proper proxying for mobile devices which do not support re-direction (Autodiscover version < 12.1). Explanation for this as follows:

As per:
http://technet.microsoft.com/en-us/library/bb310763.aspx

“”””””””””””If the user’s mailbox is on an Exchange 2007 Mailbox server, E2010 CAS locates an Exchange 2007 Client Access server in the same Active Directory site as the user’s Mailbox server. This may be the same Active Directory site as E2010. E2010 determines whether the Exchange 2007 Client Access server has the ExternalURL property configured on the Exchange ActiveSync virtual directory (legacy.new.com in our case). If so, E2010 issues the client an HTTP error code 451 that contains the ExternalURL value and instructs the client to redirect to the location specified in the ExternalURL property (Old devices wouldn’t update itself to legacy.new.com and therefore will fail to sync). If no ExternalURL value is set, the connection will be proxied to the Client Access server using the FQDN specified by the InternalURL property (legacy.new.com in our case) which points to Exchange 2007 F5 load balancer), specifically to the /Proxy virtual directory, This virtual directory is located beneath the Exchange ActiveSync virtual directory in IIS and, by default, has Integrated Windows authentication enabled on it.””””””””””””

I hope it is now clear as to why I highlighted the $NULL value for external URL property on the MSAS Vdir for the non-internet facing E2K7 servers in the internet facing site. If we set the External URL property to legacy.new.com, mobile devices which do not support autodiscover will try to resolve to owa.old.com and fail. Since it’s set to $NULL, Exchange 2010 is intelligent enough to proxy connections to Exchange 2007 mailboxes in the internet facing and non-internet facing site.

No need to worry about the Exchange and ExchWeb Virtual directories as only Exchange 2003 would need them.

Take a backup – ********** Take a backup – **********

Ensure that you use the same service account you used install the old exchange server to perform this new installation or it could cause permissions issues and OWA login page issues.

Test steps to ensure everything is working as expected

========================================

  • Run http://testexchangeconnectivity.com for OA, Autodiscover, EWS, Exchange ActiveSync
  • Run diagnostics tests to analyze CAS server performance using perfmon
  • Run diagnostics steps to ensure all CAS servers are functioning properly
  • Ensure Exchange 2007 RPC/HTTP feature works
  • Test telepresence rooms (if you have any) using the Exchange 2007 CAS servers

Ratish Nair
MVP Exchange
Team@ MSExchangeGuru

3 Responses to “Transitioning Exchange 2007 Client Access servers to Exchange 2010”

  1. Prabhat Says:

    Super…

  2. anita Says:

    Well explained

  3. Goran Says:

    Excellent article, much appreciated!

Leave a Reply

Categories

Archives

MSExchangeGuru.com