This continuation from the earlier post of the same name will take us through the second phase of the 2003 to 2010 Exchange migration I performed for a past student of mine.

Quick recap of what we’ve done up to now…

  • Prepared the environment for the new Exch 2010 server (prepareAD schema and domain)
  • Installed (2) VM’s. server names Ex10 & Windows Server 2008 R2, patched the OS. Installed all Exch 2010 pre-req’s. Installed Exch 2010 into the new VM’s. Also installed the latest Roll-up.

So we have the platform ready, but all inbound and outbound mail is still routing through the old mailbox servers. Let’s start by getting all inbound mail into the new 2010 CAS role first. The company in question was using a “” hostname for the Exchange 2003 OWA environment which they planned on retaining. This is fine but the DNS configuration they were using would require us to get a new certificate for the new 2010 boxes (see Understanding Digital Certificates and SSL)

To cover all bases I recommended to get a new UCC / SAN certificate with the following names…

Why so many names?? well again, this particular environment had an external namespace with a normal DNS namespace ( but their internal AD domain was a single label domain name (company). The certificate they purchased (  was a “multiple domains – UCC” type with up to 10 domains. this allowed us to have the luxury of having any and every name (single label or not) to be resolvable internally or externally. Some may argue this is overkill. This admin inherited this environment and was in the position to make changes to get it into Microsoft recommended shape prior to the upgrade, so this was the easiest solution for him.

Now that we have this new cert installed on both new boxes as well as the old cert from the old 2003 box imported into the new ex10 & ex11 machines we are ready to start moving mail through the new machine.

He made changes to his Sonic wall rules and had all port 25 SMTP, 80 HTTP and 443 HTTPS traffic get redirected to the new ex10 CAS 2010 box. All client MAPI/ RPC / OA / OWA and EAS connections will now hit this box first. he also created a new public A record resolving to the old public IP he was using before. Last but not least he created another new A record for pointing to a NEW public IP he had available. This is for co-existence OWA purposes.

At this point all mailboxes are still on the 2k3 side. Before we even thought of moving a single mailbox, let’s test mail flow both in and out with the new 2010 HUB roles being the point of entry and exit. We did some quick tests from internal and external mailboxes from and to internal and external mail organizations. Success. Next we created a new 2010 mailbox. We created one called “Jay Cutler” since this admin was a Chicago Bears fan. Since we installed 2010 into the 2003 organization it automatically created a connector between the 2003 routing group to the new 2010 based one. Let’s login to this new mailbox (via MAPI and OWA) and send mail messages back and forth. Success. This also confirms 2010 CAS is functioning correctly. 2010 CAS servers automatically register a SCP (Service connection point) in AD for this!

So transport internal and external is confirmed and even between 2003 and 2010. Let’s turn our focus to client access. We used the Microsoft Exchange remote connectivity analyzer 

image <— click me Smile

to aid us in this. Using some credentials from AD, we could simulate and tell which types of remote connectivity works! RPC over HTTPS (outlook anywhere), OWA and even Exchange Active Sync are all testable here. After some tweaks to his sonic wall this worked great. This tool is IMMENSELY helpful since it not only tells you when something isn’t working, but gives suggestion on possible resolutions.

One of the big headaches many admins will have is the OWA co-existence. The new 2010 CAS cannot provide a 2003 OWA experience if the target mailbox is still on a 2003 back-end server. So during this phase it has to refer the OWA request back to the 2003 Front-end “legacy” server. See what we did there? this is the legacy A DNS record we made earlier. This new public IP address goes directly to the IP address internally of the old 2003 Exchange server. So the process works like this. You hit the new OWA 2010 login page using the old URL (Http:// you are automatically redirected to the actual URL of (Http:// The user enters their credentials. If the lookup shows the target mailbox is still on the 2003 box it’s redirected to a URL we set earlier using the Exchange Management Shell. (Http:// Now to support this some settings had to be modified on the front end server and a patch had to be installed to support this new change.

Once this was working well and EAS was also hitting the 2003 server correctly we moved a few mailboxes both guinea pig and fake dummy mailboxes.

In part 3 I’ll cover the mailbox moves, DAG configuration and how to handle failover if one of the servers becomes unavailable.


« »