
Monday, April 30, 2012

Exchange 2003 Migration to Exchange 2010 Coexistence OWA ActiveSync Real Life Tips

When migrating from Exchange 2003 to 2010, it may be imperative to set up coexistence during the migration to ensure a smooth transition during the period when both your Exchange 2003 and Exchange 2010 environments are running. This is the ideal situation if you have many users\servers and can't perform a one-day or weekend cutover of moving all your mailboxes to the Exchange 2010 server. To set up coexistence, here are some tips I've encountered:

1. If you are using as the DNS name for your Exchange 2003 Outlook MAPI, OWA, and ActiveSync, then perform the following.

In external DNS, update the DNS record to the IP of the Exchange 2010 server. Create another record and point that to the IP of the Exchange 2003 server. In internal DNS create with the IP of the Exchange 2003 server. Do not change the internal DNS; leave that as is because your Exchange 2003 Outlook users are still using. If you change the internal record, your Outlook 2003 users will not work, since it will be pointing to the Exchange 2010 server and it can't proxy RPC back to 2003. Before making DNS changes, set the TTL to something like 5 minutes, 24 hours before you create these records. This ensures that when you change the records, you're not waiting an hour or more for the DNS cache to time out and hamper your testing and\or troubleshooting.

2. Go to the Exchange 2010 EMC and add the externalURL

Set-OwaVirtualDirectory -Identity "exchange2010cas01\owa (Default Web Site)" -Exchange2003Url

3. Set the same for the ActiveSync virtual directory.

Set-ActiveSyncVirtualDirectory \Microsoft-Server-ActiveSync* -ExternalURL

Supposedly you don't necessarily need to set the legacy against the ActiveSync virtual directory for 2003-2010 coexistence because Exchange 2010 will directly proxy to the 2003 ActiveSync. I have found this did not work and required you to set the ActiveSync virtual directory and let it redirect. At this point you should be able to open a browser outside the network and perform the following.

A. Go to from outside the network and access a mailbox for a 2010 user and a 2003 user.

B. Go to from outside the network and access a 2003 user.

C. On your ActiveSync phone you should be able to access your 2003 user without changing any settings on your phone and still set to (some troubleshooting steps below if you can't).

D. On your ActiveSync phone you can also set the mail server to and access your 2003 server.
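
The split DNS layout from step 1 is worth confirming before running tests A to D. The following is an added example, not part of the original post: it compares observed A records with the layout the post describes and flags a record that points at the wrong server or carries a TTL above five minutes. The host names, IP addresses and the Test-CoexistenceDns function are placeholders assumed for illustration.

```powershell
# Added example. Host names and addresses are placeholders
# (example.com, RFC 5737 / RFC 1918 ranges), not values from the post.
$MaxTtl = 300   # the post's "something like 5 minutes", in seconds

# Expected record per DNS view, following step 1 of the post.
$Expected = @(
    @{ View = 'external'; Name = 'mail.example.com';   IP = '203.0.113.10'; Role = 'Exchange 2010' },
    @{ View = 'external'; Name = 'legacy.example.com'; IP = '203.0.113.20'; Role = 'Exchange 2003' },
    @{ View = 'internal'; Name = 'mail.example.com';   IP = '10.0.0.20';    Role = 'Exchange 2003' },
    @{ View = 'internal'; Name = 'legacy.example.com'; IP = '10.0.0.20';    Role = 'Exchange 2003' }
)

# Constructed observations. Live values can be collected per view with
#   Resolve-DnsName -Name <name> -Type A -Server <resolver> -DnsOnly
# (Windows 8 / Server 2012 or later), which returns IPAddress and TTL.
# Query the authoritative server: a caching resolver reports the remaining TTL.
$Observed = @(
    @{ View = 'external'; Name = 'mail.example.com';   IP = '203.0.113.10'; TTL = 300  },
    @{ View = 'external'; Name = 'legacy.example.com'; IP = '203.0.113.20'; TTL = 3600 },
    @{ View = 'internal'; Name = 'mail.example.com';   IP = '10.0.0.10';    TTL = 300  },
    @{ View = 'internal'; Name = 'legacy.example.com'; IP = '10.0.0.20';    TTL = 300  }
)

function Test-CoexistenceDns {
    param([object[]]$Expected, [object[]]$Observed, [int]$MaxTtl)
    foreach ($e in $Expected) {
        # Find the observation for this name in this DNS view.
        $o = $Observed | Where-Object { $_.View -eq $e.View -and $_.Name -eq $e.Name } |
             Select-Object -First 1
        $problems = @()
        if (-not $o) {
            $problems += 'record missing'
        } else {
            if ($o.IP -ne $e.IP)    { $problems += "points to $($o.IP), expected $($e.IP) ($($e.Role))" }
            if ($o.TTL -gt $MaxTtl) { $problems += "TTL $($o.TTL)s exceeds ${MaxTtl}s" }
        }
        $status = 'OK'
        if ($problems.Count -gt 0) { $status = 'FAIL: ' + ($problems -join '; ') }
        New-Object PSObject -Property @{ View = $e.View; Name = $e.Name; Status = $status }
    }
}

Test-CoexistenceDns -Expected $Expected -Observed $Observed -MaxTtl $MaxTtl |
    Select-Object View, Name, Status | Format-Table -AutoSize -Wrap
```

The constructed data contains two deliberate faults: an internal record that was moved to the Exchange 2010 address, which is the change the post says breaks Outlook 2003 clients, and a legacy record whose TTL was never lowered.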

You also need to ensure the following are set. On your Exchange 2003 front end, make sure you enable Integrated authentication for the ActiveSync directory as well as Basic. Also DISABLE Require SSL on the ActiveSync vdir. You also need to DISABLE Require SSL on the Exchange virtual directory on your 2003 FE. I set this directly from IIS and not ESM and didn't run into DS2MB re-writing.

In addition, if you are doing an HTTP to HTTPS redirect on your Exchange 2003 OWA, you need to turn this off, whether you were performing it using the HTTP custom error file or some other method.

If you experience ActiveSync slowness, it's because you didn't disable Require SSL on the Exchange virtual directory on your 2003 server. I also didn't need to disable RPC\HTTP or forms-based authentication on the 2003 server to have it work.

Another tip: you don't want to set up the HTTP to HTTPS redirect on your 2010 server just yet, because if you're using for everything (Outlook, ActiveSync, OWA) and you're in this split-brain DNS setup, it can break services. This is because when a 2010 user logs into OWA using say just it goes to the 2010 CAS and CAS will do a redirect to to but your CAS will use the internal DNS and internally will go to your Exchange 2003, where your 2010 user doesn't reside. This will render a redirect loop in the browser.

This is just one of the limitations of coexistence if you use a single namespace for all your services. Another limitation is that internal 2010 users, after they are migrated, will not be able to use OWA or ActiveSync on the internal Wi-Fi because they will be pointed to which of course points to 2003 internally. Of course you can go with alternate solutions such as using a new namespace for your 2010 users, but that would mean you would have to re-home their devices and Outlook Anywhere after they are migrated, so it is not seamless.

Once complete, you want to enable your Exchange 2010 CAS Outlook Anywhere to allow both NTLM and Basic authentication, since you may have Outlook Anywhere clients that are already set to either NTLM or Basic. I ended up needing to set all 3; just setting the -DefaultAuthenticationMethod for NTLM and Basic did not work.

Set-OutlookAnywhere -Name Server01 -DefaultAuthenticationMethod ntlm, basic

Set-OutlookAnywhere -Name Server01 -IISAuthenticationMethod ntlm, basic

Set-OutlookAnywhere -Name Server01 -ClientAuthenticationMethod ntlm, basic

James Chong
Security+, Project+, ITIL


Blogger Kevin Knaul said...

Thanks for the article...good stuff.

We have an issue on OWA 2010 that is only affecting a handful of users who have been migrated from 2003 (coexistence still in place). The users receive a "Calendar has become corrupted" message when attempting to access their calendar in OWA. It is accessible in Outlook, but in OWA it never allows access to their calendar.

This issue is not affecting all users, but it is concerning as we are still migrating accounts. Would you have any ideas or recommendations in what to investigate on this issue? Any assistance would be appreciated.


1:50 PM  
Blogger banlin mithra said...

Good, informative post. Helpful tips.
Exchange Migration

3:14 AM  
Blogger Rachel Burr said...

All the contents you mentioned in post is too good and very useful. I will keep it in mind, thanks for sharing the information keep updating, looking forward for more posts. cheap wildcard ssl

4:52 AM  
Blogger Tom said...

Thanks for this posting. We ran into the slowness problem with ActiveSync. None of the articles I used mentioned you have to disable the SSL on the Exchange dir as well as the ActiveSync dir.

Again thank you!

4:25 AM  
