
Monday, April 30, 2012

Exchange 2003 Migration to Exchange 2010 Coexistence OWA ActiveSync Real Life Tips

When migrating from Exchange 2003 to 2010, it may be imperative to set up coexistence so that the transition stays smooth during the period when both your Exchange 2003 and Exchange 2010 environments are running. This is the ideal approach if you have many users and servers and cannot do a single-day or weekend cutover that moves every mailbox to the Exchange 2010 server. Here are some tips I've encountered while setting up coexistence:

1. If you are using as the DNS name for your Exchange 2003 Outlook MAPI, OWA and ActiveSync clients, do the following.

In external DNS, update the existing record to the IP of the Exchange 2010 server, and create another record pointing at the IP of the Exchange 2003 server. In internal DNS, create that second record with the IP of the Exchange 2003 server, but do not change the existing internal record: your Exchange 2003 Outlook users are still using it, and if you repoint it to the Exchange 2010 server their Outlook clients will stop working, because Exchange 2010 cannot proxy RPC back to 2003. Lower the TTL on these records to something like 5 minutes at least 24 hours before you change them, so that when you do, you are not waiting an hour or more for cached answers to expire while you test and troubleshoot.

2. In the Exchange 2010 EMC (or the Exchange Management Shell), set the Exchange 2003 URL on the OWA virtual directory:

Set-OwaVirtualDirectory -Identity "exchange2010cas01\owa (Default Web Site)" -Exchange2003Url

3. Set the same legacy URL as the ExternalURL on the ActiveSync virtual directory:

Set-ActiveSyncVirtualDirectory -Identity "exchange2010cas01\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalURL

Supposedly you do not need to set the legacy name on the ActiveSync virtual directory for 2003-2010 coexistence, because Exchange 2010 proxies directly to 2003 ActiveSync. I found this did not work and had to set the ExternalURL on the ActiveSync virtual directory and let it redirect. At this point you should be able to open a browser from outside the network and do the following:

A. Go to from outside the network and open a mailbox for a 2010 user and for a 2003 user.

B. Go to from outside the network and open a 2003 user's mailbox.

C. On your ActiveSync phone, with the server still set to , you should be able to access your 2003 user's mailbox without changing any settings on the phone (some troubleshooting steps below if you can't).

D. On your ActiveSync phone you can also set the mail server to and access your 2003 user's mailbox.

You also need to ensure the following are set. On your Exchange 2003 front end, enable Integrated Windows authentication as well as Basic on the ActiveSync virtual directory, and DISABLE Require SSL on it. You also need to DISABLE Require SSL on the Exchange virtual directory on the 2003 FE. Keep in mind that with Require SSL off, those directories will accept Basic credentials over plain HTTP, so port 80 on the 2003 front end should be reachable only from the 2010 CAS and the internal network, never published directly to the Internet. I set this directly from IIS and not ESM and did not run into DS2MB rewriting it.

In addition, if you are doing an HTTP to HTTPS redirect on your Exchange 2003 OWA, you need to turn it off, whether you implemented it with the custom HTTP error file or some other method.

If you experience ActiveSync slowness, it is because Require SSL is still enabled on the Exchange virtual directory on the 2003 server. I also did not need to disable RPC over HTTP or forms-based authentication on 2003 to make this work.
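The following is an added example, not a script from the original post. It applies the 2003 front-end settings just described through the IIS 6 ADSI provider, i.e. directly in the metabase the way the post does from the IIS MMC rather than through ESM: Basic and Integrated authentication on, Require SSL off, on both the ActiveSync and Exchange virtual directories. It assumes it is run on the 2003 front end as a local administrator and that the virtual directories live under the Default Web Site (metabase site ID 1); the $SiteId and $VDirs values are assumptions to adjust for your server.

```powershell
# Added example, not code from the original post.  Applies the Exchange 2003
# front-end settings described above through the IIS 6 ADSI provider, i.e.
# directly in the metabase rather than via ESM: Basic and Integrated
# authentication on, "Require SSL" off, for the ActiveSync and Exchange vdirs.
# Assumptions: run on the 2003 front end as a local administrator; the vdirs
# live under the Default Web Site (metabase site ID 1).  Adjust $SiteId if not.

$SiteId = 1
$VDirs  = @("Microsoft-Server-ActiveSync", "Exchange")

# IIS 6 metabase bit values (AuthFlags / AccessSSLFlags)
$AuthBasic    = 2
$AuthNTLM     = 4     # "Integrated Windows authentication" in the MMC
$AccessSSL    = 8     # "Require secure channel (SSL)"
$AccessSSL128 = 256   # "Require 128-bit encryption"

function Get-VDir([string]$name) {
    [ADSI]("IIS://localhost/W3SVC/$SiteId/Root/$name")
}

function Show-VDir([string]$name) {
    $v    = Get-VDir $name
    $auth = [int]$v.Get("AuthFlags")
    $ssl  = [int]$v.Get("AccessSSLFlags")
    "{0,-28} Basic={1,-5} Integrated={2,-5} RequireSSL={3}" -f $name,
        (($auth -band $AuthBasic) -ne 0),
        (($auth -band $AuthNTLM)  -ne 0),
        (($ssl  -band $AccessSSL) -ne 0)
}

function Set-CoexistenceVDir([string]$name) {
    $v = Get-VDir $name
    # Keep whatever else is already enabled; just make sure Basic and NTLM are on.
    $auth = ([int]$v.Get("AuthFlags")) -bor $AuthBasic -bor $AuthNTLM
    # Clear the SSL requirement (and the 128-bit flag, which only makes sense with it).
    $ssl  = ([int]$v.Get("AccessSSLFlags")) -band (-bnot ($AccessSSL -bor $AccessSSL128))
    $v.Put("AuthFlags", $auth)
    $v.Put("AccessSSLFlags", $ssl)
    $v.SetInfo()
}

"Before:"
$VDirs | ForEach-Object { Show-VDir $_ }
$VDirs | ForEach-Object { Set-CoexistenceVDir $_ }
"After:"
$VDirs | ForEach-Object { Show-VDir $_ }
```

Run it once and keep the "Before" output; if the "After" values revert later, something (DS2MB or ESM) is rewriting the metabase from Active Directory and you will need to make the change from ESM instead. Because these directories now take Basic credentials over plain HTTP, restrict port 80 on the front end to the 2010 CAS and the internal network.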

Another tip: do not set up the HTTP to HTTPS redirect on your 2010 server just yet. If you are using for everything (Outlook, ActiveSync and OWA) and you are in this split-brain DNS setup, the redirect can break services. When a 2010 user logs into OWA using just , the request goes to the 2010 CAS, which redirects to ; but that name is resolved through internal DNS, so internally the redirect goes to your Exchange 2003 server, where the 2010 user's mailbox does not reside. The browser ends up in a redirect loop.

This is just one of the limitations of coexistence when you use a single namespace for all your services. Another is that migrated 2010 users will not be able to use OWA or ActiveSync on the internal Wi-Fi, because they are pointed at , which of course still resolves to 2003 internally. You can go with alternatives such as a new namespace for your 2010 users, but that means re-homing their devices and Outlook Anywhere profiles after they are migrated, so it is not seamless.
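To check the front-end settings and the redirect behaviour from the previous two sections without clicking through OWA by hand, here is an added example (not a script from the original post). From whatever machine it runs on, it reports what the two names resolve to, which authentication schemes the ActiveSync and Exchange virtual directories offer over http and https (which exposes the Basic/Integrated and Require SSL settings on the 2003 front end), and then follows OWA's Location headers one hop at a time so the http-to-https loop described above shows up as a repeated URL instead of a spinning browser. The hostnames mail.example.com (shared namespace) and legacy.example.com (the 2003 name) are assumptions standing in for the post's own names.

```powershell
# Added example, not code from the original post.  Probes the coexistence
# endpoints from this vantage point: DNS answers, WWW-Authenticate schemes on
# the ActiveSync and Exchange vdirs over http and https, and OWA's redirect
# chain, with loop detection.
# Assumed names: mail.example.com = shared namespace, legacy.example.com =
# the 2003 name.  Substitute your own.

$Shared = "mail.example.com"
$Legacy = "legacy.example.com"
$IgnoreCertErrors = $false   # set $true only for a lab with self-signed certs

if ($IgnoreCertErrors) {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
}

function Resolve-Name([string]$name) {
    try { ([System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }) -join "," }
    catch { "unresolved" }
}

# One request with auto-redirect off, so 302 and 401 come back as data
# rather than being followed or thrown away.
function Probe-Url([string]$url) {
    $req = [System.Net.HttpWebRequest]::Create($url)
    $req.AllowAutoRedirect = $false
    $req.Timeout = 10000
    $req.UserAgent = "CoexistenceProbe/1.0"
    try { $resp = $req.GetResponse() }
    catch [System.Net.WebException] {
        if ($_.Exception.Response -eq $null) {
            return @{ Url = $url; Status = "ERR"; Auth = $_.Exception.Message; Location = "" }
        }
        $resp = $_.Exception.Response
    }
    $auth = $resp.Headers.GetValues("WWW-Authenticate")
    $loc  = $resp.Headers["Location"]
    $resp.Close()
    @{ Url = $url; Status = [int]$resp.StatusCode; Auth = ($auth -join "; "); Location = $loc }
}

# Follow Location headers by hand and stop at the first URL seen twice.
function Trace-Redirects([string]$url, [int]$maxHops = 6) {
    $seen = @()
    for ($i = 0; $i -lt $maxHops; $i++) {
        $r        = Probe-Url $url
        $hostName = ([System.Uri]$url).Host
        $ip       = Resolve-Name $hostName
        "  {0,4}  {1}  ({2} -> {3})  Location: {4}" -f $r.Status, $url, $hostName, $ip, $r.Location
        if (-not $r.Location) { return }
        $next = (New-Object System.Uri ([System.Uri]$url), $r.Location).AbsoluteUri
        if ($seen -contains $next) { "  REDIRECT LOOP: back to $next"; return }
        $seen += $url
        $url = $next
    }
    "  gave up after $maxHops hops"
}

"DNS from here: $Shared -> $(Resolve-Name $Shared); $Legacy -> $(Resolve-Name $Legacy)"
foreach ($name in $Shared, $Legacy) {
    foreach ($scheme in "http", "https") {
        foreach ($path in "/Microsoft-Server-ActiveSync", "/exchange") {
            $r = Probe-Url ("{0}://{1}{2}" -f $scheme, $name, $path)
            "{0,4}  {1,-58}  auth=[{2}]  location={3}" -f $r.Status, $r.Url, $r.Auth, $r.Location
        }
    }
}
"OWA redirect chain starting from http://$Shared/:"
Trace-Redirects "http://$Shared/"
```

Run it once from the internal network and once from outside: the DNS line should show the split-brain answers you configured, the ActiveSync directory on the 2003 name should answer 401 with Basic and Negotiate/NTLM over http as well as https once the front-end changes are in place, and the OWA trace should end at a login page rather than reporting a loop.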

Once complete, enable both NTLM and Basic authentication for Outlook Anywhere on your Exchange 2010 CAS, since you may already have Outlook Anywhere clients configured for either. I ended up having to set all three; setting just -DefaultAuthenticationMethod to NTLM and Basic did not work.

# -Identity is the Rpc virtual directory, not the server name.
# DefaultAuthenticationMethod and ClientAuthenticationMethod take a single value;
# only IISAuthenticationMethod accepts a list.
Set-OutlookAnywhere -Identity "Server01\Rpc (Default Web Site)" -DefaultAuthenticationMethod Ntlm

Set-OutlookAnywhere -Identity "Server01\Rpc (Default Web Site)" -IISAuthenticationMethod Basic,Ntlm

Set-OutlookAnywhere -Identity "Server01\Rpc (Default Web Site)" -ClientAuthenticationMethod Ntlm

James Chong
Security+, Project+, ITIL
MS Exchange Tips: April 2012