Exchange Server Forums
Exch07 and 03 coexistence

Exch07 and 03 coexistence - 17.Feb.2008 9:24:42 AM
skipdog77
Posts: 35
Joined: 30.Sep.2003
From: Germantown, MD
Status: offline

Need some design help: I've been reading about strategies to allow 03 and 07 to coexist. The issue that is stumping me is the question during the install that sets up the routing group that allows message flow to occur. It seems that you need to create a routing group to an existing bridgehead server in the 2003 system. This is fine, but then the documentation goes on to say once you have the CAS role running, you should decommission the front-end 2003 server. This is fine, except that in our instance, the front-end server is the bridgehead.

Would it make better sense when setting up the first 07 server to NOT use the frontend server? Could a backend server be used instead? I would like to get rid of the front end server (2003) -- but if it's going to be responsible for message flow between 2003 and 2007 then that is not good. Would the solution be to use a backend 2003 server, and make it the bridgehead server? I would appreciate it if anyone has any information on this design question.

Skip
< Message edited by skipdog77 -- 17.Feb.2008 9:26:54 AM >

RE: Exch07 and 03 coexistence - 17.Feb.2008 12:40:11 PM
Elan Shudnow
Posts: 580
Joined: 4.Jan.2007
From: Chicago, IL
Status: offline

If your FE is also your bridgehead, then make sure you deploy both a CAS and HUB role before you decommission your FE. So in your situation, do the following:

1. Install CAS
2. Install HUB and specify either your FE or BE as the bridgehead target. This depends on if you want to get rid of the FE or not. If you do, specify the BE so you can decommission your FE.
3. Create necessary modifications on your HUB and Organization settings to allow outbound mail flow and inbound mail from on HUB
4. Configure the CAS for certificates, InternalURL, ExternalURL, Autodiscover, Outlook Anywhere, Etc....
5. Modify host record for client access to hit the CAS server. For instance, if you use mail.domain.com for OWA, RPC/HTTP, and ActiveSync, you would change this A record in DNS to point to the CAS. Read the note below for a caveat to doing this.

Note: If you will be co-existing for some time, ensure the CAS is not on the same server as the Mailbox role. This is because once you change your DNS records for client access (OWA, Outlook anywhere (RPC/HTTP), and Activesync) to hit the CAS instead of the FE, the CAS will not be able to proxy the 2003 clients to the 2003 BE if the CAS is also on a server with the Mailbox role. If you plan on migrating all users in one fell swoop, then it's fine to combine the roles if you can deal with a short time of 2003 clients not being able to obtain these services.

In regards to the whole routing group issue, when you install the HUB and specify the target bridgehead, the connectors as well as routing groups that are necessary are all done for you. All you have to do is just install Exchange 2007, specify the target bridgehead, and the rest is done behind the scenes.
_____________________________
Elan Shudnow http://www.shudnow.net

RE: Exch07 and 03 coexistence - 17.Feb.2008 12:44:57 PM
skipdog77

Thanks for the quick reply. So I just want to make sure I understand you regarding the specification of the bridgehead server. Can I indeed point the installation to a back-end server as opposed to the front end server? I guess I'm tempted to go ahead and use the 03 front-end server and then decommission it when I've got the last mailbox off 2003. This sounds like it may be easier.

I realize that the HUB/CAS should not be located on the same server as the MB role -- we will need to provide both 03 / 07 OWA experience and I'm hoping the CAS/HUB server will be able to do both ..

Skip

RE: Exch07 and 03 coexistence - 17.Feb.2008 12:50:16 PM
Elan Shudnow

All it needs is a server that can accept SMTP. And of course, a BE will accept SMTP so that can be used. Your FE is only a bridgehead for your Internet SMTP traffic I presume or perhaps for other routing groups. That doesn't mean another server cannot be a bridgehead for a connector between a different routing group. So yes, you can choose your BE as a bridgehead for the new connector that will be created that goes to the Exchange 2007 routing group.

If you do choose your FE and decide to decommission it after your mailboxes are moved over, ensure that your MX records are going to your Exchange 2007 box and leave it like that for a couple days to ensure that DNS servers across the internet have flushed their cache so you don't have inbound mail issues from stale DNS.

And yes, HUB/CAS on the same server will work fine if you want to proxy to both Exchange 2003 BE and Exchange 2007 Mailbox. Just as long as the CAS is not on the Mailbox Server, you're good to go. Hope that helps.
_____________________________
Elan Shudnow http://www.shudnow.net

RE: Exch07 and 03 coexistence - 17.Feb.2008 1:41:50 PM
skipdog77

Elan,

Yes this really helps a lot. If I intend to create the connection to a BE server, I understand from what you wrote this will work.

Question: In ESM on the 2003 side, do I need to add the BE server as a bridgehead, or is this really only as you say for receiving SMTP internet mail.. ?

Skip

RE: Exch07 and 03 coexistence - 17.Feb.2008 1:53:53 PM
Elan Shudnow

Just install Exchange 2007, choose what server you will use as a bridgehead, and it'll do everything for you. I think you're getting the Routing Group Master which keeps track of link-state updates and keeps all members of the routing group notified of link state changes. A bridgehead server is essentially a server specified in a connector that says all mail to another routing group or the internet will physically be routed through that specific server or several servers.

So when you install Exchange 2007 and specify the Exchange 2003 bridgehead that will be used, a couple things occur:

1. A routing group is created for Exchange 2007 that is visible through the ESM
2. A routing group connector is created on Exchange 2007 that tells it to route all mail from the HUB(s) to the Exchange 2003 server that you specified during installation.
3. A routing group connector is created for Exchange 2003 that specifies that all mail should be routed to the Exchange 2007 HUB(s) from the bridgehead server you specified during the Exchange 2007 install.
_____________________________
Elan Shudnow http://www.shudnow.net

RE: Exch07 and 03 coexistence - 17.Feb.2008 3:41:40 PM
skipdog77

Elan,

Thanks. It is also paramount that message flow internally/externally remain unaffected, and I think it will be fine by just introducing the first CAS/HUB. I will then bring online a MB server on a different server. I will create a user on the new MB server and begin testing of message flow. Thanks so much for your time today.

Skip

RE: Exch07 and 03 coexistence - 17.Feb.2008 8:49:33 PM
skipdog77

Elan,

Everything went OK. I have a couple unresolved issues. Some of this stuff is probably covered in the articles/tutorials section:

1) I need a single URL for folks to login and have the system direct them to either 2003 OWA or 2007 OWA. When I use https://server/owa, I can successfully login to OWA 2007, but I get a nice error when I try to login to a mailbox centered on a 2003 BE server.
2) Is there a way to assign different certificates for different purposes? I need a cert for OWA folks, that should be an existing Verisign cert we have. However, the internal cert should come from our enterprise CA (Active Directory) .. I will read some more about this one.

I think I was able to replicate the important folders:

a) Schedule Free/Busy
b) OAB

Using a test account in OWA 2007 I was able to look at users' free busy on 2003. I think this would prove success? Also I guess I need to check OAB. Thanks again for everything!

Skip

RE: Exch07 and 03 coexistence - 17.Feb.2008 9:29:16 PM
Elan Shudnow

You'll want to have everyone use /exchange when co-existing. Exchange 2007 users can use both /owa or /exchange while Exchange 2003 users can use only /exchange. Once users are all on 2007, start using /owa.

As for using multiple certificates, yes, you can. You can split all the CAS websites up to different websites if you want. So have multiple ip addresses on your CAS, then split all the subdirectories in the Default Website to their own default website with its own dedicated website, and assign certificates to each one. Then create the A records for each ip address. You'd use commands such as: Set-OABVirtualDirectory, Set-UMVirtualDirectory, Set-OWAVirtualDirectory, Set-WebServicesVirtualDirectory, etc... Google those commands and you'll get some more information on what to do.

I'd personally recommend against this and just get a UC Certificate that will contain all the Subject Alternative Names you want.
_____________________________
Elan Shudnow http://www.shudnow.net

RE: Exch07 and 03 coexistence - 17.Feb.2008 10:09:08 PM
skipdog77

Elan,

Success! Both 03 and 07 clients can access OWA through the /exchange URL. I generated a real certificate for the HUB and assigned it to the default web site. I then need to replace the OWA website with our Verisign cert. Can you point me to any information that might explain in depth your explanation about subdividing the certs -- or as you say just using a UC? I have a 1000 page book here and it doesn't talk about it at all.

Thanks so much -- with your help the migration is almost ready!

Skip

RE: Exch07 and 03 coexistence - 18.Feb.2008 4:21:39 PM
skipdog77

Elan,

Made some good progress today. I was able to generate a cert from our enterprise CA that has the alternate subject names. This works great! We have a Verisign cert, I guess we will need to contact them and ask if we can get it re-issued with the alternate subject names.

One problem I continue to have is finding a document that spells out EXACTLY how external DNS needs to be configured in order to get autodiscovery to work. I will review the links you sent - as I suspect they are in there!

Skip

edit: Internal autodiscovery works perfectly.

RE: Exch07 and 03 coexistence - 18.Feb.2008 4:40:12 PM
Elan Shudnow

Verisign doesn't support SANs. Internal Autodiscover works fine because clients that are domain joined get the information from Active Directory. Clients who are not domain-joined will query dns by autodiscover.smtpdomain.com. So you'll want to have an A record autodiscover that maps to the ip address of the default website of your autodiscover.

So let's say your Exchange server is authoritative for smtpdomain1.com and smtpdomain2.com. You'll need to have 2 external dns zones for smtpdomain1.com and smtpdomain2.com and create an A record in each for autodiscover.smtpdomain1.com and autodiscover.smtpdomain2.com with a UC/SAN Cert that contains both the SAN names autodiscover.smtpdomain1.com and autodiscover.smtpdomain2.com. You'll want to do the same on internal DNS for non-domain joined clients if needed.

I recommend Entrust for your CA of choice. Clients on the internet won't trust your internal signed CA. So I recommend reading those links I provided, build a certificate request, submit it to Entrust, assign it to Exchange, and configure all your services as necessary. The reason I say Entrust is because they sign with their root certificate authority and you won't have to install the Intermediate Certificate on mobile devices that don't support certificate chaining.

When you get into multi-site configurations, this can get tricky as you'll have to do proxying/re-direct. If you do have multi-site (Exchange in multiple sites), then read more here: http://msexchangeteam.com/archive/2007/09/04/446918.aspx
_____________________________
Elan Shudnow http://www.shudnow.net

RE: Exch07 and 03 coexistence - 18.Feb.2008 5:18:34 PM
skipdog77

Elan,

Is it best to use a CNAME instead? Or an "A" record that points to the IP address? I haven't had much luck with the "A" record pointing to the IP. The client seems to choke after challenging me for domain credentials. I put in my domain credentials for the mailbox server, but they never work. It seems like it's not passing through the credentials correctly to the domain.

Skip

RE: Exch07 and 03 coexistence - 18.Feb.2008 5:21:38 PM
Elan Shudnow

Either or. Depends on how you want to manage. If your mail.domain.com points to the ip that you'll use, just use a CNAME.

As for credentials not being accepted, might sound like a simple thing, but make sure you're logging into the domain, not the local account.
_____________________________
Elan Shudnow http://www.shudnow.net

RE: Exch07 and 03 coexistence - 18.Feb.2008 5:27:24 PM
skipdog77

Elan,

I haven't done ANY work in IIS -- is it necessary to go into any of the IIS directories (i.e. autodiscovery, owa, exchange, etc) and into security and add our domain name, or change from basic to integrated etc? I remember with 2003 Outlook, some interesting things needed to be done to get OWA to work - some involving making sure your domain was put in certain places.

Skip

edit: Also, on the mailbox server, do I need to install a cert from our CA? It looks like no cert is configured on the IIS site. This may be normal and fine to leave alone. Also, I agree with you about going to a UC cert for external access -- very good idea.
< Message edited by skipdog77 -- 18.Feb.2008 5:30:40 PM >

RE: Exch07 and 03 coexistence - 18.Feb.2008 5:32:47 PM
skipdog77

Elan,

Quick question on a different topic: Do you know if I move a user that currently uses a mobile 6 device to the 07 side... Will the 2003 side be able to pass the mobile device through to the 07 mailbox server to retrieve its data? I'm thinking NO. My guess is we will need to switch to our CAS/HUB for those folks on the 07 side.

Skip

RE: Exch07 and 03 coexistence - 18.Feb.2008 5:47:43 PM
Elan Shudnow

Mailbox doesn't need a certificate assigned to the IIS website. If you want a user to use Active Sync for a 2007 Mailbox Server, they will need to go through the 2007 CAS box.
< Message edited by Elan Shudnow -- 18.Feb.2008 5:49:02 PM >
_____________________________
Elan Shudnow http://www.shudnow.net

RE: Exch07 and 03 coexistence - 19.Feb.2008 3:29:35 PM
skipdog77

Elan,

Getting ready to apply for the UC cert.. I need to compile a list of SANs that will need to be attached to the cert. I'm not sure if Entrust will allow us to *fix* a cert by adding SANs after it is issued, so I want to try to get it right the first time. Obviously we need:

OWA external = owa.domain.com
server name internal = server.domain.local

Do we need autodiscover.domain.com added as well? Any others that you generally recommend?

Skip

RE: Exch07 and 03 coexistence - 19.Feb.2008 3:42:41 PM
Elan Shudnow

You will want to do the following, at least for my recommendations:

- Have the friendly name/common name the same name as you will be using for OWA
- Have the first name after -domainname be the same as the common name.
- Have autodiscover.domain.com for every smtp domain you'll be accepting mail from. So for example, if I have an accepted domain for shudnow.net and shudnow2.net, you'll want an autodiscover SAN for autodiscover.shudnow.net and autodiscover.shudnow2.net.
- If you want to be able to get to owa by using http://netbiosofcas/owa, you can also have the netbios name of your cas in there.

Here's my DigiCert creation: http://www.shudnow.net/images/csr_request.jpg

Oh and Entrust is really cool about re-generating certificates. When I was first learning about the CSR requests for Autodiscover, I had to regenerate my request with Entrust like 3 times and it was no problem.
< Message edited by Elan Shudnow -- 19.Feb.2008 3:45:11 PM >
_____________________________
Elan Shudnow http://www.shudnow.net
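
The SAN planning described in the replies above (common name first, one autodiscover name per accepted SMTP domain, optional internal names), as an added example that is not part of the thread or either poster's own commands. It builds the name list, reports which names a current certificate lacks, lists the external DNS names to create, and prints (does not run) the request command. `Get-RequiredSanList` and `Get-MissingSan` are hypothetical helper names, and every host and domain name is a constructed placeholder.

```powershell
# Added example: SAN planning for a UC certificate request.
# Every host and domain name here is a constructed placeholder.

function Get-RequiredSanList {
    param(
        [string]   $OwaName,           # external client-access name = certificate common name
        [string[]] $AcceptedDomains,   # every SMTP domain the organization accepts mail for
        [string[]] $ExtraNames = @()   # optional: internal FQDN / NetBIOS name of the CAS
    )
    $names  = @($OwaName)              # common name is listed first
    $names += $AcceptedDomains | ForEach-Object { "autodiscover.$_" }
    $names += $ExtraNames
    # Lower-case and de-duplicate while keeping the order
    $seen = @{}
    $names | Where-Object { $_ } | ForEach-Object { $_.ToLower() } |
        Where-Object { -not $seen.ContainsKey($_) } |
        ForEach-Object { $seen[$_] = $true; $_ }
}

function Get-MissingSan {
    param([string[]] $Required, [string[]] $OnCertificate)
    # -notcontains compares case-insensitively
    $Required | Where-Object { $OnCertificate -notcontains $_ }
}

$required = @(Get-RequiredSanList -OwaName 'owa.example.com' `
    -AcceptedDomains 'example.com', 'example.net' `
    -ExtraNames 'cas01.example.local', 'cas01')

# Names on the certificate currently assigned to IIS (constructed sample).
# On the CAS, "Get-ExchangeCertificate | Format-List Thumbprint, CertificateDomains"
# shows the real list.
$current = 'owa.example.com', 'cas01.example.local'

$missing = @(Get-MissingSan -Required $required -OnCertificate $current)
'Missing from current certificate: ' + [string]::Join(', ', $missing)

# External DNS: each autodiscover name needs an A record or CNAME in its own zone.
$dnsNames = @($required | Where-Object { $_ -like 'autodiscover.*' })
'External DNS records needed: ' + [string]::Join(', ', $dnsNames)

# Request command to run in the Exchange Management Shell (printed, not executed).
'New-ExchangeCertificate -GenerateRequest -Path C:\uc-request.req ' +
    "-SubjectName 'cn=$($required[0])' -FriendlyName '$($required[0])' " +
    '-DomainName ' + [string]::Join(', ', $required) + ' -PrivateKeyExportable $true'
```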