Re: Adding EXCH2007 SP1 box to existing EXCH2003 SP2 Org
- From: "Cary Shultz" <cshultz@xxxxxxxxxxxxxxx>
- Date: Wed, 15 Jul 2009 21:24:41 -0400
Good evening, Ed!
Okay...now I get what you were saying....
No, it is not going to be an OWA proxy.....We are going to move all mailboxes from EXCH2003 to EXCH2007 immediately (this Friday and over the weekend) and will handle the redirection (moving from the /exchange to the /owa). The EXCH2003 box will stick around (God willing) for a week or two (tops) and then we will remove it completely (after making sure (A) that everything is homed on the EXCH2007 box and (B) that everything is completely replicated over).....This EXCH2003 box is a Dell PowerEdge 2600 and is some six years old and starting to be worse for the wear. We will probably turn it off and keep it off for a day or two (or three) before completely removing it from the environment.
I am sorry. I should have made that clear. I know that in a lot of environments the two co-exist for a long time....Not in this case.
And, please do not misunderstand my previous comment...that is just my stupid sense of humor (which does not always work.....written or spoken!).
Anyway, I do appreciate your help on this. Our Exchange person - whose last day is actually that Friday and was not slated to help - has offered to provide assistance to me on the two or three (thousand) points that are not crystal clear to me. I will be in good hands.
"Ed Crowley [MVP]" <curspice@xxxxxxxxxx> wrote in message news:e%23MtW4aBKHA.1248@xxxxxxxxxxxxxxxxxxxxxxx
Well, if the Exchange 2007 has the mailbox server role it will not act as an OWA proxy (or a proxy of anything else) for the Exchange 2003 servers. If you're depending on it doing that, and I'm not sure that you aren't from your responses, then you'd better redesign your plan. If you're not planning to support coexistence of that function during the migration period, then it's a non-issue.
--
Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."
.
"Cary Shultz" <cshultz@xxxxxxxxxxxxxxx> wrote in message news:OWB8pnRBKHA.528@xxxxxxxxxxxxxxxxxxxxxxx
Ed,
Comments in-line as well!
"Ed Crowley [MVP]" <curspice@xxxxxxxxxx> wrote in message news:OJPCAVPBKHA.780@xxxxxxxxxxxxxxxxxxxxxxx
Comments inline below.
--
Ed Crowley MVP
"There are seldom good technological solutions to behavioral problems."
.
"Cary Shultz" <cshultz@xxxxxxxxxxxxxxx> wrote in message news:OrL4$ZNBKHA.528@xxxxxxxxxxxxxxxxxxxxxxx
Good evening!
Okay, normally this is a really simple process for me (have done it some eight or nine times). However, have something coming up this weekend where I have a few questions:
1) Certificates - going to be using a SAN Certificate like I have many times before. However, in this case the client has a somewhat different set up. For OWA Access they use one URL (https://mail.clientname.com) while for RPC over HTTPS/Outlook Anywhere they use a different URL (https://mobile.clientname.com) and, finally, for OMA/ActiveSync they use yet a third URL (https://synch.clientname.com). Changing this is not a battle we are going to start this coming weekend. The client is simply not going to change this. Additionally, each URL points to a different Public IP Address: (x.x.x.99 for OWA, x.x.x.109 for Outlook Anywhere and x.x.x.103 for ActiveSync). So, for the Certificate what do I need? Here is what I think:
-clientexternaldomainname.com (mydomain.com)
I don't see how this is necessary.
I have always included it in the past. Now, that does not make it correct! Just always have......
-autodiscover.clientexternaldomainname.com (autodiscover.mydomain.com)
-mail.clientexternaldomainname.com (mail.mydomain.com)
If this is the OWA URL, you might add "mail" without the mydomain.com if users will type that shortcut into IE.
I believe that they enter the entire URL...https://mail.mydomain.com....
-mobile.clientexternaldomainname.com (mobile.mydomain.com)
-synch.clientexternaldomainname.com (synch.mydomain.com)
-internalservername (02MAIL)
-internalservername.clientinternaldomainname.local (02MAIL.mydomain.local)
I *think* that should cover it.......
Looks like it except as noted.
2) In the public DNS the various HOST Records will be pointed to the appropriate Public IP Address ("mail" points to x.x.x.99; "mobile" points to x.x.x.109; "synch" points to x.x.x.103). That should be easy enough...it is already in place. We should not need to change anything (outside of adding the 'autodiscover' HOST Record)
Looks complete.
3) In the NATting.....the EXCH2003 box is going to stick around for a little bit (two weeks more or so, God willing). We will need to point everything to the internal IP Address of the EXCH2007 box, correct?
If the Exchange 2007 box is hosting mailboxes, it won't work as a front-end equivalent. If it's just a CAS or CAS+HUB, then it can serve as a front-end for the Exchange 2003 server. I fear that you might have overlooked this and you're not going to have a happy weekend.
Ed, I have not overlooked anything! Now, I say that only as I am not the one planning this! So, in that sense... ;-)
Since the person planning this has put together a project plan (with a ticket associated for each task) and I have all of the tickets I *think* that I am in for a long weekend as well. I just noticed (looking at the two existing Exchange 2003 Servers right now...) a few other things for which I will have additional questions. But, back to this!
There are two existing EXCH2003 boxes right now in this environment. Essentially, there is the one that does everything (really old hardware that is now displaying its age) and then there is the second one [supposedly the client installed EXCH2003 on this much newer box with the intention of moving everything to it but decided - I am told - against doing that (do not know the reasoning behind this)]. I am in the process of removing EXCH2003 from that (newer) box as this is the hardware that is going to host EXCH2007. We are making this a virtual server (someone is going on-site on Thursday to install VMware (which will kill everything on this box) and WIN2008 Server SP1 x64 and then I will install EXCH2007 SP1). So, we want to make sure that everything is removed from that box prior to Thursday!
Anyway - sorry for the digression - the EXCH2007 box (and I guess that this is *my plan*..if we can call it a plan....I just became involved Tuesday afternoon) is going to hold all the following roles: HUB, MAILBOX, CAS. I am pretty sure that we are not installing UC (I will ask later 'today'.....like I stated, I just became involved Tuesday evening!!!!). I have done this in some eight environments (well, none of these environments were nearly as 'involved' as this one) without issue. But, as mentioned - ISA was not involved in any of those eight environments....
My thought process is that we install EXCH2007 SP1 (with the three roles listed above) into the existing EXCH2003 org, move all of the mailboxes from EXCH2003 to EXCH2007, install the SAN Cert (as mentioned earlier) on the EXCH2007 box (I am told that I will have to import this to the ISA Server.....oh, boy!), move everything over to the EXCH2007 box (Public Folders, et al) and away we go. I think that the devil is going to be in the detail...and that I am missing one or more details! ;-)
4) Here is the big question - they have ISA.....I have never touched ISA. What do I need to know for ISA?
ISA may throw a monkey wrench into your plans if you are going to use ISA's forms-based authentication, because that may complicate your plans on your internal server.
You might consider buying a public certificate for ISA and using an internal enterprise CA for the Exchange CAS role server. Then you can easily change the internal certificate as needed without having to go to an external authority and possibly paying. Also, your public certificate needs only the SANs that are specifically addressed from the Internet, which would likely be limited to mail.mydomain.com, mobile.mydomain.com and synch.mydomain.com, and that's quite a bit simpler to submit to your authority.
ISA is probably going to be an "ape wrench"....not a monkey wrench. I have never touched ISA before so that is going to be completely foreign to me.
They do have an internal enterprise CA which is currently handling the certificates (or so I am told....I will look at this later 'today'). I asked about this (what do we do about the certs?) and specifically about the SAN Cert. I was informed that we do need the SAN Cert. Anyway, looks like I have a bit of "homework" to do. I have three more hours until my wife and children wake up.....well, minus the time that I am going to spend uninstalling EXCH2003 from that "second, newer" server....That ought to give me a nice start!
I do have two more questions....but let's get through this first!
Thanks all!
Cary
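Added example, not part of the thread and not either poster's code: a small Python check that compares a proposed SAN list with the host names clients will actually use at one listener, using the thread's placeholder names. The function names, and the choice to count autodiscover among the Internet-facing names (the thread plans a public HOST record for it), are assumptions made for this illustration.

```python
def san_matches(san, host):
    """True if one certificate SAN entry covers host (case-insensitive).

    A wildcard is honoured only as the entire left-most label and stands
    for exactly one label, so *.mydomain.com does not cover mydomain.com.
    """
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san == host:
        return True
    if san.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == san[2:]
    return False


def audit(sans, required):
    """Return (missing, unused) for a SAN list at a single listener.

    missing: names clients use that no SAN entry covers (certificate errors).
    unused:  SAN entries no client of this listener needs (extra names to
             submit, and internal names disclosed in a public certificate).
    """
    missing = [h for h in required if not any(san_matches(s, h) for s in sans)]
    unused = [s for s in sans if not any(san_matches(s, h) for h in required)]
    return missing, unused


# Constructed inputs built from the placeholder names in the thread.
PROPOSED = ["mydomain.com", "autodiscover.mydomain.com", "mail.mydomain.com",
            "mobile.mydomain.com", "synch.mydomain.com",
            "02MAIL", "02MAIL.mydomain.local"]
# Assumption: the names addressed from the Internet at the ISA listener.
EXTERNAL = ["mail.mydomain.com", "mobile.mydomain.com", "synch.mydomain.com",
            "autodiscover.mydomain.com"]
# Names used only inside the network, for a certificate from the internal CA.
INTERNAL = ["02MAIL", "02MAIL.mydomain.local"]

if __name__ == "__main__":
    for label, names in (("public/ISA", EXTERNAL), ("internal/CAS", INTERNAL)):
        missing, unused = audit(PROPOSED, names)
        print(label, "missing:", missing, "not needed:", unused)
```

Run against the Internet-facing set, the seven-name list is complete but carries three entries that listener never needs, including both internal server names.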