Transitioning an Exchange 2007 environment to Exchange 2010

When you are ready to begin transitioning your organization to Exchange 2010, you must transition the "Internet Facing AD Site" that is associated with your external Autodiscover record, then regional Internet facing AD Sites, and then transition your internal Active Directory sites. It is not supported to transition an internal Active Directory site before all your Internet-accessible sites have been transitioned.

The steps for introducing Exchange 2010 into the environment are:

Note: These steps do not discuss how to set up your CAS2010 servers in a load balancing array. Please review your load balancing solution's instructions for how to properly create and join your CAS2010 servers in a load balancing array.

1. In order to support external client coexistence with CAS2010 and legacy Exchange in your "Internet Facing AD Site", you will (potentially) need to acquire a new commercial certificate.  As a best practice, Microsoft recommends utilizing a certificate that supports Subject Alternative Names; however, you can utilize a wildcard certificate as well.

This commercial certificate that will be leveraged by external clients will contain at a minimum three SAN values (note that other scenarios may require you to add additional values):

  1. mail.contoso.com (your primary OWA/EAS/OA access URL)
  2. autodiscover.contoso.com
  3. legacy.contoso.com (your OWA/EAS namespace for legacy mailbox access)

Prior to Windows Vista SP1, the Windows RPC/HTTP client-side component required that the Subject Name (aka Common Name) on the certificate match the "Certificate Principal Name" configured for the Outlook Anywhere connection in the Outlook profile. Therefore, as a best practice, you should ensure that mail.contoso.com is listed as the Subject Name in your certificate unless you plan on changing the configuration which can be achieved by using the Set-OutlookProvider cmdlet with the -EXPR parameter as described in http://msexchangeteam.com/archive/2008/09/29/449921.aspx.

2. Ensure all Exchange 2007 CAS within the organization are at Service Pack 2, all Exchange 2003 servers (if they exist) are at Service Pack 2, and that all Exchange 2007 Mailbox, Hub Transport, and Unified Messaging servers are at Service Pack 2 in the "Internet Facing AD Site". Also, ensure you meet all the forest/domain pre-requisites.

3. Install CAS2010 and configure it accordingly:

  • During the installation of CAS2010 you have the option to enter the external namespace that will be used for the virtual directories. You can enter this value in both the graphical user interface or the command-line setup:
    • For the graphical user interface setup experience of CAS2010 you are asked to configure a Client Access external domain. At this point you canter the domain name of mail.contoso.com.
    • If installing via the command line, you can utilize the setup property /ExternalCASServerDomain and specify mail.contoso.com
  • If you haven't already done so, install the RPC over HTTP proxy component.  You can do this utilizing the ServerManagerCmd tool: ServerManagerCmd.exe -i RPC-over-HTTP-proxy
  • Configure your OWA settings appropriately (e.g. forms based authentication vs. basic authentication). For the purpose of this document, the default OWA settings are assumed.
  • Configure your EAS authentication settings appropriately (e.g. Basic vs. certificate authentication). For the purposes of this document, the default authentication mechanism, basic authentication, is assumed.
  • Enable Outlook Anywhere (for the purposes of this document, the default authentication settings are assumed): Enable-OutlookAnywhere -Server: -ExternalHostName:mail.contoso.com -SSLOffloading $false

4. If you chose to not specify the external domain name for CAS during setup, you will need to enable the following ExternalURLs to ensure that clients that leverage Autodiscover function correctly:

5. To ensure that Outlook Web Access functions correctly, you will need to enable the following URLs:

6. If you have Exchange 2007 deployed in "Non-Internet Facing AD Sites" then you must copy the Exchange 2007 OWA binaries to CAS2010:

  • On the CAS2010 server(s), establish a connection to the CAS2007 server's drive that contains the Exchange binaries and navigate to the \Client Access\OWA directory (e.g. \\cas2007\c$\Program Files\Microsoft\Exchange Server\Client Access\Owa).
  • Copy the highest version folder (e.g. 8.2.140.0) from the CAS2007 to CAS2010 Exchange binaries \Client Access\OWA directory (e.g. C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa).
  • Execute IISReset on all the CAS2010 machines.

7. For your Outlook clients, you can configure CAS2010 to participate in an RPC Client Access Service array:

  • Create a load balancing array for CAS2010, if one has not already been created.
  • Create a DNS entry in your internal DNS infrastructure that resolves to the Virtual IP Address (VIP) of the CAS load balancing array. The DNS entry, for example, could be outlook.contoso.com.
  • Configure your load balancing array to load balance the MAPI RPC ports:
    • TCP 135
    • UDP/TCP 1024-65535
  • Run the following cmdlet to create the Client Access Service array: New-ClientAccessArray -Name outlook.contoso.com -FQDN outlook.contoso.com -Site "Internet Facing AD Site"

8. Install the HT2010 and MBX2010 server roles into the "Internet Facing AD Site" and configure accordingly.

  • You can change the Offline Address Book generation server and enable web distribution on CAS2010 by performing the following steps:
    • To move the Offline Address Book: Move-OfflineAddressBook "Default Offline Address List" -Server
    • To add CAS2010 as a web distribution point:
      • $OABVDir=Get-OABVirtualDirectory -Server
      • $OAB=Get-OfflineAddressBook "Default Offline Address List"
      • $OAB.VirtualDirectories += $OABVdir.DistinguishedName
      • Set-OfflineAddressBook "Default Offline Address List" -VirtualDirectories $OAB.VirtualDirectories

9. Create legacy host record (legacy.contoso.com) in your external DNS infrastructure and associate it either with the CAS2007 infrastructure (less likely) or your proxy infrastructure (more likely).

10. If utilizing a reverse proxy infrastructure, you will publish the legacy namespace to the CAS2007 infrastructure so that at this point the CAS2007 infrastructure can be accessed either via mail.contoso.com or legacy.contoso.com namespaces.

11. You will then schedule Internet protocol client downtime (please note that this downtime window should be relatively small - enough time for you to make the change and validate that everything works as desired) and perform the following steps:

  • You will re-configure your CAS2007 URLs in the "Internet Facing AD Site". This ensures that clients that leverage Autodiscover function correctly and that legacy mailboxes can be redirected to Outlook Web Access:
  • If you have Exchange 2003 mailbox servers in your environment, then users with mailboxes on an Exchange 2003 server who try to use Exchange ActiveSync through an Exchange 2010 Client Access server will receive an error and be unable to synchronize unless Integrated Windows authentication is enabled on the Microsoft-Server-ActiveSync virtual directory on the Exchange 2003 server. This allows the Exchange 2010 Client Access Server and the Exchange 2003 back end server to communicate using Kerberos authentication.

To enable this authentication change on Exchange 2003 you need to either:

Note: It is important that you do not use IIS Manager to change the authentication setting on the Microsoft-Server-ActiveSync virtual directory as the DS2MB process within the System Attendant will overwrite the settings that are stored in Active Directory.

  • Disable Outlook Anywhere on your Exchange 2007 CAS infrastructure in the "Internet Facing AD Site" by utilizing the cmdlet, Disable-OutlookAnywhere -Server . Optionally, you can also remove the RPC over HTTP proxy component (refer to your Windows Server documentation for more information).

Important: This requires an up-front investment in CAS2010 architecture as all Outlook Anywhere clients will utilize CAS2010 once you transition the Outlook Anywhere endpoint. Be sure to follow all proper scalability planning documentation when deploying CAS2010 to ensure that you do not create a bottleneck in your CAS infrastructure due to Outlook Anywhere clients.

  • You will reconfigure External DNS and/or your reverse proxy infrastructure's publishing rules to have the autodiscover.contoso.com and mail.contoso.com namespaces point to CAS2010.
  • Test all client scenarios and ensure they function correctly.

12. Complete downtime and enable Internet protocol client usage.

As a result of following these steps, the environment would look similar to this diagram:

So why the additional namespace?

To understand why we are introducing a new namespace for the legacy Exchange environment, it is important to understand what the Internet client behavior will be by introducing Exchange 2010.

  • For Outlook Web Access, Exchange 2010 CAS does not support rendering mailbox data from legacy versions of Exchange.  Exchange 2010 CAS does one of four scenarios depending on the target mailbox's version and/or location:
    • If the Exchange 2007 mailbox is in the same AD Site as CAS2010, CAS2010 will silently redirect the session to the Exchange 2007 CAS.
    • If the Exchange 2007 mailbox is in another Internet facing AD Site, CAS2010 will manually redirect the user to the Exchange 2007 CAS.
    • If the Exchange 2007 mailbox is in a non-Internet facing AD site, CAS2010 will proxy the connection to the Exchange 2007 CAS.
    • If the mailbox is Exchange 2003, CAS2010 will silently redirect the session to a pre-defined URL.
  • For Exchange ActiveSync, Exchange 2010 CAS does not support rendering mailbox data from legacy versions of Exchange.  Exchange 2010 CAS does one of four scenarios depending on the target mailbox's version and/or location, and device capabilities:
    • If the Exchange 2007 mailbox is in the same AD Site as CAS2010 and the device supports Autodiscover, CAS2010 will notify the device to synchronize with CAS2007.
    • If the Exchange 2007 mailbox is in the same AD Site as CAS2010 and the device does not support Autodiscover, CAS2010 will proxy the connection to CAS2007.
    • If the Exchange 2007 mailbox is in a non-Internet facing AD site, CAS2010 will proxy the connection to the Exchange 2007 CAS.
    • If the mailbox is Exchange 2003, CAS2010 will proxy the connection to the Exchange 2003 mailbox server.
  • For Outlook Anywhere, you are going to move the Outlook Anywhere endpoint from the Exchange 2003 Front-End or Exchange 2007 CAS to the Exchange 2010 CAS.  Exchange 2010 CAS will always proxy the Outlook MAPI RPC data that is embedded in the RPC-HTTPS packet to the target legacy mailbox server (regardless of AD site or version) or to the appropriate Exchange 2010 CAS.

Important: This requires an up-front investment in CAS2010 architecture as all Outlook Anywhere clients will utilize CAS2010 once you transition the Outlook Anywhere endpoint. Be sure to follow all proper scalability planning documentation when deploying CAS2010 to ensure that you do not create a bottleneck in your CAS infrastructure due to Outlook Anywhere clients.

This was taken, also, from :

You Had Me At EHLO... : Transitioning Client Access to Exchange Server 2010
http://msexchangeteam.com/archive/2009/11/20/453272.aspx