Upgrade from Exchange 2007 to Exchange 2010 – Part II

Having walked us through the initial steps of the migration from Exchange Server 2007 to 2010, Jaap now discusses the next stage of the process - Configuring External access to your Exchange environment, and setting up your new Exchange 2010 Mailbox Server.

In my previous article, I showed you how to implement a coexistence scenario with Exchange Server 2007 and Exchange Server 2010, and how to change the SMTP message flow. In this article, we’ll continue the migration process and examine what steps we need to take with the Exchange 2010 Client Access Server and Exchange 2010 Mailbox Server. Specifically, we’ll need to modify how external clients can access our Exchange environment to take the temporary coexistence into account, and then we’ll be able to configure the Exchange 2010 Mailbox Server. Let’s take a look at those two processes now.

Change the External Client Access

In a coexistence scenario there are three Fully Qualified Domain Names (FQDN):

  • Webmail.inframan.nl – this points to the external-facing Client Access Server, which is used for all services (OWA, ActiveSync, Outlook Anywhere etc.). This is the current Exchange 2007 CAS Server, but will soon be changed to the new Exchange 2010 CAS Server;
  • Autodiscover.inframan.nl – this points to the external-facing Exchange 2007 CAS Server and, after the change, it will point to the new Exchange 2010 CAS Server. Outlook 2007 (and higher) clients are able to retrieve autodiscover information, even when their mailbox is still on Exchange 2007;
  • Legacy.inframan.nl – this points to the old Exchange 2007 CAS Server after the switch to the Exchange 2010 CAS Server. It is used for when OWA clients are redirected to the Exchange 2007 CAS server because the user’s mailbox is still on Exchange 2007.

Just to make sure we’re all absolutely clear on this, the webmail.inframan.nl FQDN will give access to the Exchange 2010 Client Access Server while the legacy.inframan.nl FQDN will give access to the old Exchange 2007 Client Access Server. Outlook Web Access for mailboxes still on Exchange Server 2007 will be redirected to the legacy FQDN.

To prepare for the upcoming changes, we have to follow these steps, which we’ll cover in more detail in a moment:

  • Request a new SSL Certificate for the Exchange 2010 Client Access Server;
  • Create a new rule on the TMG Server called “Legacy Inframan“, and publish OWA for Exchange 2007 using this publishing rule;
  • Enable Outlook Anywhere on the Exchange 2010 Client Access Server;
  • Move the Offline Address Book (OAB) and enable web-based distribution;
  • Disable Outlook Anywhere on your Exchange 2007 Client Access Server;
  • Reconfigure external DNS, and update the Publishing Rules on TMG.

An SSL certificate on the Client Access Server should contain the Common Name webmail.inframan.nl and the autodiscover.inframan.nl hostname in its Subject Alternative Name field. The easiest thing to do at this stage is to use only one SSL certificate, including the legacy.inframan.nl hostname as well:

  1. Logon to the Exchange 2010 Client Access Server and open the Exchange Management Console. Navigate to the Server Configuration and, in the navigation pane (the left pane), select Client Access. In the actions pane (the right pane), select Request New Certificate;
  2. Follow the New Certificate Wizard to create a new certificate request, using the three hostnames I mentioned earlier.
  3. A new request file is created, and should be submitted to the Certificate Authority. I always recommend one of the supported certificate vendors (check Microsoft knowledge base article KB929395 for this), but an internal Windows 2008 CA can be used as well;
  4. After the certificate is returned from the CA, save the certificate file on the local disk of the Exchange 2010 Client Access Server, and finish the certificate wizard;
  5. When you’re finished, use the Enable Exchange Services option in the actions pane. In the inframan scenario, only the IIS service is used by the new certificate.

Bear in mind that, in Exchange Server 2010, usage of a wildcard SSL certificate is also fully supported. When the certificate is configured and working on the Exchange 2010 Client Access Server, the certificate is exported to a file on the local hard disk. This is a different file from the one we created in step 4 above; this is a backup file of the Exchange certificate. It is then imported to the Exchange 2007 Client Access Server and the TMG Server (which, if you recall, the company has upgraded to from an ISA Server, as mentioned in part 1). As mentioned earlier, one SSL certificate can be used on all servers. You should also bear in mind that, while changing the certificate on the Exchange 2007 Client Access Server and the TMG server is a small update, it will cause a small outage in the messaging service.

The next step is creating a new rule to publish Exchange 2007 OWA using the legacy.inframan.nl hostname, but this shouldn’t be too difficult, so I won’t go into detail. However, I will go into detail regarding how to enable Outlook Anywhere on the Exchange 2010 Client Access Server:

  1. Logon to the Exchange 2010 Client Access Server and open the Exchange Management Console. Navigate to Server Configuration and select the Exchange 2010 Client Access Server;
  2. In the Actions Pane, click on Enable Outlook Anywhere. The wizard to enable Outlook Anywhere will start, and you should enter the external hostname (i.e. webmail.inframan.nl) here. Select the appropriate authentication mechanism, which in this example will be Basic Authentication.
  3. Click on Enable to continue the wizard, and a warning message will be displayed saying Outlook Anywhere will be enabled in approximately 15 minutes. Click on Finish to end the wizard.

While the Exchange Management Console is still open, we can get started with moving the Offline Address Book and enabling web-based distribution on the Exchange 2010 Client Access Server:

  1. Navigate to the Organization Configuration and click on Mailbox. In the results pane, select the Offline Address Book tab;
  2. Right-click on the Default Offline Address Book and select Move, using the Browse button to select the Exchange 2010 Mailbox Server. Click on Move again to continue. A warning message is displayed, informing you that the files are copied to the new target server, at which point you can click on Finish to end the wizard.
  3. Right-click on the Default Offline Address Book again; select the property sheet, and then select the Distribution tab, where the 2007 Client Access Server is still listed. Remove the old server, and then click Add to add the Exchange 2010 Client Access Server as a distribution point. Finally, click on OK to apply the changes and close the wizard.

The Offline Address Book is only generated once a day, by default at 4:00 am. So, when you are creating new mailboxes, you have to be careful as they might not show up in this OAB until the next day! On top of that, the Client Access Server polls the Mailbox Server for updates on the OAB only once every 480 minutes (8 hours). Be aware of these timings when troubleshooting OAB issues.

Next, we need to disable Outlook Anywhere on the Exchange 2007 Server:

  1. Logon to the Exchange 2007 Client Access Server, navigate to the Server Configuration, and select Client Access Server. Select the 2007CASHUB Server and, in the Actions Pane, select Disable Outlook Anywhere;
  2. Follow the wizard to disable Outlook Anywhere;
  3. It is also possible to use the Exchange Management Shell to complete this action by entering the following command:

At this stage, the Exchange 2007 Client Access Server needs to be reconfigured, so that legacy mailboxes on Exchange 2007 are still connected to the appropriate URL during the coexistence phase. To do this, logon to the Exchange 2007 Client Access Server, open the Exchange Management Shell, and enter the following commands:
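As an added verification script (not the author’s commands, which are not reproduced here), the following PowerShell function checks that a Client Access Server’s OWA, EWS, OAB and ActiveSync external URLs use HTTPS and the FQDN the coexistence design expects, and that Outlook Anywhere is enabled only where it should be. 2007CASHUB is the server name from the article; 2010CAS is an assumed placeholder for the Exchange 2010 Client Access Server, and the function is assumed to run in the Management Shell of the server’s own Exchange version.

```powershell
# Added check (not from the article): verify that one Client Access Server's
# external URLs and Outlook Anywhere state match the coexistence design.
# Run it in the Exchange Management Shell of that server's own version, e.g.
#   Test-CoexistenceUrls -Server 2007CASHUB -ExpectedHost legacy.inframan.nl
#   Test-CoexistenceUrls -Server 2010CAS -ExpectedHost webmail.inframan.nl -OutlookAnywhere $true
# 2007CASHUB is the article's server name; 2010CAS is an assumed placeholder.
function Test-CoexistenceUrls {
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [Parameter(Mandatory=$true)][string]$ExpectedHost,
        [bool]$OutlookAnywhere = $false   # $true only for the Exchange 2010 CAS
    )
    $problems = @()

    # Every client-facing virtual directory that carries an ExternalUrl
    $vdirs = @(Get-OwaVirtualDirectory -Server $Server) +
             @(Get-WebServicesVirtualDirectory -Server $Server) +
             @(Get-OabVirtualDirectory -Server $Server) +
             @(Get-ActiveSyncVirtualDirectory -Server $Server)

    foreach ($v in $vdirs) {
        if ($v.ExternalUrl -eq $null) {
            $problems += "$($v.Name): no ExternalUrl set"
        } elseif ($v.ExternalUrl.Scheme -ne 'https') {
            $problems += "$($v.Name): ExternalUrl is not https ($($v.ExternalUrl))"
        } elseif ($v.ExternalUrl.Host -ne $ExpectedHost) {
            $problems += "$($v.Name): external host is $($v.ExternalUrl.Host), expected $ExpectedHost"
        }
    }

    # Outlook Anywhere must be enabled (with the expected hostname) only where designed
    $oa = @(Get-OutlookAnywhere -Server $Server -ErrorAction SilentlyContinue)
    if ($OutlookAnywhere) {
        if ($oa.Count -eq 0) {
            $problems += "Outlook Anywhere is not enabled"
        } elseif ("$($oa[0].ExternalHostname)" -ne $ExpectedHost) {
            $problems += "Outlook Anywhere hostname is $($oa[0].ExternalHostname), expected $ExpectedHost"
        }
    } elseif ($oa.Count -gt 0) {
        $problems += "Outlook Anywhere is still enabled on this server"
    }

    foreach ($p in $problems) { Write-Warning "$Server : $p" }
    if ($problems.Count -eq 0) { Write-Output "$Server : all external URLs use https://$ExpectedHost" }
    return ($problems.Count -eq 0)
}
```

Run it once per Client Access Server after the reconfiguration; any warning it prints is a URL or Outlook Anywhere setting that would send clients to the wrong server during coexistence.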

The last step is to reconfigure the TMG web publishing rules for OWA, Autodiscover and ActiveSync, so that they all point to the new Exchange 2010 Client Access Server, and also to add the legacy host name to the external DNS, and point it to the external interface of the TMG Server. An important step here is to change the web listener, as it needs to provide the single sign-on mechanism that enables the seamless redirection from the Exchange 2010 Client Access Server to the Exchange 2007 Client Access Server.


Figure 1. Configure Single Sign On to provide a seamless sign-on experience

Right now we have the following scenario:

  • When a browser goes to the Exchange 2010 Client Access Server using https://webmail.inframan.nl/owa to open an OWA session, the client is redirected to the Exchange 2007 Client Access Server for as long as the mailbox is still on the Exchange 2007 Mailbox Server. The https://legacy.inframan.nl/owa URL is used for redirection;
  • When an Outlook Anywhere client connects to the Exchange 2010 Client Access Server, this server connects to the Exchange 2007 Mailbox Server to retrieve the mailbox data. The RPC protocol is used for this;
  • Autodiscover information and the Offline Address Book are downloaded by Outlook 2007 and Outlook 2010 clients from the Exchange 2010 Client Access Server;
  • An ActiveSync client connects to the Exchange 2010 Client Access Server, and this server retrieves the mailbox data from the Exchange 2007 Mailbox Server using the RPC protocol.

The Remote Connectivity Analyzer (RCA) can be used to test the Exchange configuration, and can be found on http://www.testexchangeconnectivity.com.

If all goes well, then the Outlook Anywhere clients will never notice that something has changed, nor will the Windows Mobile clients. Only OWA clients will be redirected from the webmail.inframan.nl URL to the legacy.inframan.nl URL, and this is clearly visible when using OWA after the redirection:


Figure 2. OWA is redirected to the legacy FQDN while the mailbox is still on Exchange 2007.

Configuring the Exchange 2010 Mailbox Server

After installing the Exchange 2010 Mailbox Server, there’s some configuration that needs to be done. The first step is to change the default location of the Mailbox Database from the standard location (C:\Program Files\Microsoft\Exchange Server\v14\Mailbox) to a separate disk, which is not difficult.

Since Inframan is using Public Folders, a new Public Folder Database needs to be created on the Exchange 2010 Mailbox Server:

  1. Logon to the Exchange 2010 Mailbox Server as an administrator and open the Exchange Management Console. Navigate to Organization Configuration and select the Database Management Tab;
  2. In the Actions Pane, click on New Public Folder Database… and follow the wizard. Enter a new name for the Public Folder Database and select a server. Note that you can only choose an Exchange 2010 Mailbox Server role, even if we are in a coexistence scenario. This is because it is not possible to manage an Exchange 2007 object from an Exchange 2010 Management Console (or Shell);
  3. Select a location where the Public Folder database and its accompanying log files will be stored. By default, the C:\Program Files\Microsoft\Exchange Server\v14\Mailbox directory is selected, but it’s a best practice to use another disk. Enter the new location and click New to create the Public Folder database and mount it.
  4. Now we need to configure the mailbox database on Exchange Server 2010 to use the newly created Public Folder database. To do so, select the mailbox database and open its properties. In the properties window, select the Client Settings tab. Select the 2010 Public Folder Database (the default is the 2007 Public Folder database) and select the default Offline Address Book.


Figure 3. Set the default Exchange 2010 Public Folder database on the Exchange 2010 Mailbox Database. Don’t forget the OAB!

Since all Public Folder information is still stored in the Exchange 2007 Public Folder database, we have to set up replication between both Public Folder databases, both for the system folders (i.e., for free/busy information and the Offline Address Book) as well as the regular user folders:

  1. Logon to the Exchange Server 2007 Mailbox Server role, open the Exchange Management Console and, in the Tools section, open the Public Folder Management tool;
  2. To add the Exchange 2010 Public Folder database to the list of replicas, select a public folder’s properties and select the Replication tab. Add the Public Folder Database on the Exchange 2010 Server and click OK. Repeat this for all System Folders that are available on the Exchange 2007 Server (i.e. Free/Busy and Offline Address Book folders).


    Figure 4. Set the Exchange 2010 Public Folder database as replication partner. Repeat this for all System Public Folders

  3. The user Public Folders then need to be replicated to the Exchange 2010 Public Folder database as well. It is possible to manually configure all Public Folders with a new replication partner, but it’s better to use PowerShell scripts that Microsoft delivers with Exchange Server 2010. Open the Exchange Management Shell and navigate to the Scripts directory by entering the CD $ExScripts command, and execute the following script:

  4. This will add the Exchange 2010 public folder database as a replication partner on all public folders that are beneath the root folder. Public Folder replication is not the fastest mechanism in Exchange Server so, depending on the number of Public Folders and the size of the database, it can take several hours (or, indeed, days) to complete.

When the Public Folder statistics are checked after the replication has started running, it will be obvious that there’s data in the Public Folders on the Exchange Server 2010 Mailbox Server:


Figure 5. The Exchange 2010 Public Folder database contains replicated data
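As an added check (not the author’s script), covering both the replication step and the statistics check above: the first function lists folders that still lack the Exchange 2010 database as a replica, for the user tree and the NON_IPM_SUBTREE system folders alike; the second shows which folders already hold replicated items on the Exchange 2010 server. The database name PF2010 and server name 2010MBX are assumed placeholders, and the script is assumed to run from the Exchange 2010 Management Shell.

```powershell
# Added check (not from the article): report public folders that do not yet
# list the Exchange 2010 public folder database as a replica, and show what
# has actually replicated. Run from the Exchange 2010 Management Shell.
# "PF2010" and "2010MBX" are assumed placeholder names.
function Get-FoldersMissingReplica {
    param(
        [string]$DatabaseName = 'PF2010',
        [string]$TopFolder = '\'          # use '\NON_IPM_SUBTREE' for system folders
    )
    Get-PublicFolder -Identity $TopFolder -Recurse | Where-Object {
        # Replicas holds the database identities of each replica; compare by name
        ($_.Replicas | ForEach-Object { $_.Name }) -notcontains $DatabaseName
    } | Select-Object Identity, Replicas
}

function Get-ReplicatedFolderStats {
    param([string]$Server = '2010MBX')
    # Folders that already hold items on the Exchange 2010 Mailbox Server
    Get-PublicFolderStatistics -Server $Server |
        Where-Object { $_.ItemCount -gt 0 } |
        Sort-Object ItemCount -Descending |
        Select-Object Name, ItemCount, TotalItemSize
}

# Check both the IPM (user) tree and the NON_IPM (system) tree, then the statistics
Get-FoldersMissingReplica -TopFolder '\'
Get-FoldersMissingReplica -TopFolder '\NON_IPM_SUBTREE'
Get-ReplicatedFolderStats
```

An empty result from both Get-FoldersMissingReplica calls means every folder, including the free/busy and OAB system folders, has the new database as a replica; the statistics then show how far the (slow) replication has actually progressed.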

Conclusion

At this point, we still have a combined Exchange 2007 / Exchange 2010 environment, although the SMTP mail flow is now going through the Exchange 2010 Hub Transport Server, and all clients connect to the Exchange Server 2010 Client Access Server. However, since all mailboxes are still on Exchange Server 2007, the requests are either redirected to the Exchange 2007 Client Access Server (for OWA), or the Exchange 2010 Client Access Server is talking directly to the Exchange 2007 Mailbox Server.

In the next (and last) article in this series, I will discuss moving the mailboxes to Exchange Server 2010, and how to finally decommission Exchange Server 2007.

This article was commissioned by Red Gate Software, engineers of ingeniously simple tools for optimizing your Exchange email environment.