Good morning and welcome back! Today I am going to do some updates on coverage for the current Exchange Server 2010 “Swing Migration” from Exchange Server 2003.
Initially this weekend's maintenance was going to cover five main items:
- Replicate Public Folders
- Install SSL Certificate for OWA
- Redirect the Domain FQDN for Exchange
- Swap the IP Addresses from Exchange 2003 to Exchange 2010
- Verify Mail Flow between servers
I will take a bit of time to explain how these items came about and the steps needed to complete them. Some of these items were not mentioned or taken into account in the original instructions.
Replicating Public Folders:
On the Exchange 2003 Server, open Exchange System Manager > locate the Public Folders tree > if you cannot see your public folders, change the view to "View Public Folders".
Select each one of your public folders, open its properties, and add the new Exchange 2010 server (its public folder database) as a replication partner on the Replication tab.
Note: If you have a lot of nested public folders then this can take ages; see this article on Public Folder Migration from Exchange 2003 to Exchange 2010.
Note: Public folder replication travels as SMTP mail between the two servers. If mail cannot flow from 2003 to 2010 then the public folders will NEVER replicate, so make sure mail flow works before expecting the folders to replicate.
In order to verify whether the replication is working you can click "Details" on the properties screen to find the sync status. I have found it will show one of two status messages: "In Sync" or "Local Modified". So far as I can tell both mean the folders are syncing, as this seems to be a quirk with Exchange 2003 not showing correct status reports. I recommend testing thoroughly before assuming it is working.
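Adding the replica folder by folder in Exchange System Manager is the slow part. The following is an added example (not from the original post) of doing the same job from the Exchange 2010 Management Shell with the AddReplicaToPFRecursive.ps1 script that ships in the Exchange 2010 Scripts folder, and then checking from the 2010 side which folders still lack a replica. The server name EX2010 is an assumed name; replace it with your new server.

```powershell
# Added example, not from the original post. Run in the Exchange 2010
# Management Shell on the new server. Assumed name: EX2010 = the Exchange 2010
# server that holds the new public folder database.
$NewServer = "EX2010"
$PfDb      = Get-PublicFolderDatabase -Server $NewServer

# Exchange 2010 installs helper scripts under <install path>\Scripts.
$Scripts = Join-Path $env:ExchangeInstallPath "Scripts"

# Add the new server as a replica of every folder under the root, recursively.
# This is the shell equivalent of adding the replication partner folder by
# folder on the Replication tab in Exchange System Manager.
& (Join-Path $Scripts "AddReplicaToPFRecursive.ps1") -TopPublicFolder "\" -ServerToAdd $NewServer

# Report which folders still do not list the new database as a replica
# (for example folders created after the script ran).
Get-PublicFolder -Recurse -ResultSize Unlimited |
    Where-Object { ($_.Replicas | ForEach-Object { $_.Name }) -notcontains $PfDb.Name } |
    Select-Object Identity, Replicas

# Item counts per folder on the new server. A folder whose count stays at zero
# while the 2003 copy has items is not replicating; check mail flow between the
# servers (Get-Queue on the 2010 side) before anything else.
Get-PublicFolderStatistics -Server $NewServer -ResultSize Unlimited |
    Sort-Object FolderPath |
    Select-Object FolderPath, ItemCount, LastModificationTime
```

Replication mail arrives in batches, so give the counts time to catch up before concluding that a folder is stuck; the item-count comparison is a more honest status than the "In Sync" / "Local Modified" label shown by Exchange 2003.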
Install SSL Certificate for OWA:
One of the things I also found we needed to arrange was purchasing an SSL certificate so that OWA works correctly. Our current setup did not use a certificate, which is not secure (OWA logins and mailbox contents travel over plain HTTP), but it is easier to set up a new certificate on the new server than to transfer one.
My suggestion, GET YOUR CERTIFICATE AHEAD OF TIME!!!
Certificate vendors can take up to 4 days, I have found, to complete this process. Make sure you know your domain names ahead of time and the requirements needed to request a certificate. Here's what I learned:
- Exchange needs a certificate that lists every host name clients connect to in its Subject Alternative Name (SAN) extension; vendors sell this as a Unified Communications Certificate (UCC).
- Each host name you use counts as one name on the certificate. Example:
- Autodiscover.domain.com
- webmail.domain.com
- domain.com
- internal.domain.com
- That list needs 4 names on the certificate. Vendors sell UCCs in 5-, 10-, and higher-name tiers.
- Shop around for prices! Vendors are not all built the same, and the per-name price varies a lot.
I will add instructions on installing Exchange certificates in another post, but every major hosting service also supplies support and instructions on them.
**Important note: When applying for your certificate make sure you have (1) a signed letter of intent and (2) proof that you can operate under the name being certified, or (3) federal tax information. The hosting company (the certificate authority) will ask for these items to verify your claim to the name.
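The vendor's order form wants a certificate signing request (CSR) that already lists all of the names above. The following is an added example, not from the original post, of producing that request in the Exchange 2010 Management Shell, then importing and binding the signed certificate when it comes back. The host names are the four from the list above; the organisation, country, file paths and the assumption that the signed certificate is returned as C:\certs\webmail.cer are placeholders.

```powershell
# Added example, not from the original post. Exchange 2010 Management Shell.
# Assumed: the four names listed above; "Example Org"/"US" and the C:\certs
# paths are placeholders.
$Names = "webmail.domain.com", "autodiscover.domain.com", "domain.com", "internal.domain.com"

# 1. Generate the CSR. The CN is the name users type for OWA; every name,
#    including the CN, goes into the SAN extension (this is what makes it a UCC).
#    A 2048-bit key is the minimum public CAs accept; PrivateKeyExportable lets
#    you copy the finished certificate to a second CAS server later.
$Csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "CN=webmail.domain.com, O=Example Org, C=US" `
    -DomainName $Names `
    -KeySize 2048 `
    -PrivateKeyExportable $true
Set-Content -Path "C:\certs\webmail.req" -Value $Csr   # paste the contents into the vendor's order form

# 2. After the vendor returns the signed certificate, import it on the same
#    server that generated the request (that is where the private key lives).
$Bytes = [Byte[]](Get-Content -Path "C:\certs\webmail.cer" -Encoding Byte -ReadCount 0)
$Cert  = Import-ExchangeCertificate -FileData $Bytes

# 3. Bind it to IIS (OWA, Autodiscover, EWS, OAB, ActiveSync) and SMTP.
#    Exchange asks before replacing the self-signed SMTP certificate; -Force skips the prompt.
Enable-ExchangeCertificate -Thumbprint $Cert.Thumbprint -Services "IIS,SMTP" -Force

# 4. Verify: the new certificate must list every name and own the IIS service.
Get-ExchangeCertificate |
    Format-List Thumbprint, Subject, CertificateDomains, Services, NotAfter, IsSelfSigned
```

Keep the request and the server together: a CSR generated on one machine cannot be completed on another because the private key never leaves the server that created it.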
Redirect the Domain FQDN for Exchange
Ok this one came out of left field and hit me when I was applying for my SSL Certificate.
Problem: My internal domain name does not match my external webmail domain. On top of that, I do not own the external equivalent of my internal domain name, so no certificate authority can issue an SSL certificate for it.
Answer: You need to redirect the internal Exchange URLs on the new server to the external name. How do I do this?
To reconfigure your servers to use only the external domain name you have a couple of options. If you are using Active Directory you can rename the internal Active Directory domain to a registered external name. This changes the internal FQDN of your Exchange servers so they become valid subdomains of your registered domain (e.g. from CASServer01.yourcompany.internal to CASServer01.yourcompany.com), allowing you to use a SAN certificate or a wildcard certificate to secure these names. Alternatively, you can redirect the internal Exchange URLs to the external mail name; this method will not allow access to mail using the Outlook Anywhere service, so users connecting over a VPN could have connection problems. Note that publicly trusted CAs have not issued certificates containing internal names (such as .local or .internal) since November 2015 under the CA/Browser Forum Baseline Requirements, so one of these two options is required whatever your internal name is.
Redirecting your Exchange Server to use the External DNS Name
To update your Exchange 2007 or Exchange 2010 server you will need to run the following commands from the Exchange Management Shell, replacing HostName with the name of the server running the Client Access role and mail.yourdomain.com with your external domain name. These commands update the internal URL for the Autodiscover service, Exchange Web Services (EWS) and the Offline Address Book (OAB) respectively.
Before running these commands you need to make sure an A record exists in your internal DNS mapping the external name (mail.yourdomain.com) to the IP address of the Exchange Client Access (CAS) server (split DNS); otherwise internal clients would follow the new URL out to your public IP.
Note: Each of the commands below should be entered on a single line in the Exchange Management Shell (EMS), not the Exchange Management Console:
Set-ClientAccessServer -Identity HostName -AutodiscoverServiceInternalUri https://mail.yourdomain.com/autodiscover/autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "HostName\EWS (Default Web Site)" -InternalUrl https://mail.yourdomain.com/ews/exchange.asmx
Set-OABVirtualDirectory -Identity "HostName\oab (Default Web Site)" -InternalUrl https://mail.yourdomain.com/oab
Recycle the IIS Application Pools
Next, to make these changes take effect you have to tell IIS to pick them up by recycling the Autodiscover application pool.
1. Open IIS Manager by clicking Start, typing inetmgr, and pressing Enter.
2. Expand the server and expand Application Pools, then right-click MSExchangeAutodiscoverAppPool and select Recycle.
This is about as far as I went on my Saturday maintenance. I had to wait on an SSL certificate that seemed to take forever, and even if I did switch it I would have to recycle 40 cellphones that are not currently set up to use SSL.
Know when to call it quits. I verified that mail would flow back and forth and left it be for my next two week testing period.
Lessons learned.
I have yet to hear anyone else's nightmare stories, but I am sure they are out there! Let's hear them!
Resources:
http://www.digicert.com/ssl-support/redirect-internal-exchange-san-names.htm
http://www.petenetlive.com/KB/Article/0000234.htm