E2010 - Upgrade - Workshop Module - 5 - Additional - Tasks - v1 - 5

Workshop Agenda

Module 1 - Overview of Exchange 2010
Module 2 - Exchange Server 2010 Prerequisites
Module 3 - Exchange Deployment Guidelines
Module 4 - Upgrading Exchange roles
Module 5 - Additional Upgrade Tasks

Public and System Folder Migration
E2007 → E2010

Create Public Folder Replicas
• Replace server in the replication list with new E2010 server: ReplaceReplicaOnPFRecursive.ps1
• EXFolders
Move the OAL Generation Server to E2010
• EMC or Shell: Move-OfflineAddressBook
E2010 still needs local Mailbox Store for OAB Gen

Public and System Folder Migration
E2003 → E2010

Create Public Folder Replicas
• Use the “Move all Replica” function in 2003 ESM
Move the OAL Generation Server to E2010
• EMC or Shell: Move-OfflineAddressBook
Move Public Folder Hierarchy to Exchange 2010 Administrative Group (2003 only)
E2010 still needs local Mailbox Store for OAB Gen
Setup of Exchange 2010 creates new PDN
• Causes PDN issue for OAB Version2 and OAB Version3
• Causes a full OAB download for OL2003 SP1 (and earlier)

Mailbox Manager Policies & Managed Folders

Mailbox Manager Policies (E2003) replaced by Retention Tags
• No Migration Path
• Delete in E2003 and Re-Create in E2010
Managed Folders (E2007) replaced by Retention Tags
• Managed Folders still available in E2007/E2010 mixed env.
• Still work after the mailbox is moved to E2010
• Deploy Retention Tags to replace Managed Folders over time

Additional Tasks

Exchange 2003 only
• E2003 Recipient Policies replaced by Exchange 2010 Email Address Policies
• All LDAP filters need to be upgraded/rewritten to OPATH style (Email Address Policy filters, Address Lists, Dynamic DLs, etc.)
o LDAP to OPATH filter conversion script available: http://msexchangeteam.com/archive/2007/03/12/436983.aspx
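As an added example (not part of the workshop deck or of the linked conversion script), the Exchange Management Shell can list every object that still carries an Exchange 2003 LDAP filter, which is the work queue for the rewrite. The address list name 'Sales Users' and the sample filter at the end are constructed for illustration.

```powershell
# Run in the Exchange 2010 Management Shell (PowerShell 2.0 compatible).
# Objects created in Exchange 2003 report RecipientFilterType 'Legacy' and
# keep the old filter in LdapRecipientFilter until they are upgraded.
$sources = 'Get-EmailAddressPolicy',
           'Get-AddressList',
           'Get-GlobalAddressList',
           'Get-DynamicDistributionGroup'

$legacy = foreach ($cmd in $sources) {
    & $cmd |
        Where-Object { $_.RecipientFilterType -eq 'Legacy' } |
        Select-Object @{ n = 'Source'; e = { $cmd } }, Name, LdapRecipientFilter
}

# Review list: each row needs an OPATH equivalent before it can be edited in E2010.
$legacy | Sort-Object Source, Name | Format-List Source, Name, LdapRecipientFilter

# Constructed sample conversion for a hypothetical address list 'Sales Users':
#   LDAP : (&(mailNickname=*)(department=Sales))
#   OPATH: (Alias -ne $null) -and (Department -eq 'Sales')
# -WhatIf shows the change without writing it; -ForceUpgrade suppresses the
# confirmation prompt that appears when a legacy object is upgraded.
Set-AddressList -Identity 'Sales Users' `
    -RecipientFilter { (Alias -ne $null) -and (Department -eq 'Sales') } `
    -ForceUpgrade -WhatIf
```

Compare the membership the new filter returns against the old list before removing -WhatIf, because a filter that matches more recipients than intended changes who appears in address lists and who receives policy-assigned addresses.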

Permissions

Exchange 2010 introduces role based concept (RBAC):
• Management roles based on administrative tasks
• Customized roles
• Role can be scoped
• Organization-wide enforcement
• Access control at the task level
Effect on E2003/E2007 permissions:
• Manually set ACLs won't be overwritten
• E2007 groups available in E2010, but not as “powerful” (now scoped)

Permissions

Organization Admin in E2010 does not have all roles by default
• e.g. Export-Mailbox is part of the “Mailbox Import Export” Management Role
Outlook Group Administration moved to new RBAC Role
• User must have MyDistributionGroups Role assigned
o Allows to join, manage, create and remove groups
o Can be enabled/disabled using script: http://msexchangeteam.com/archive/2009/11/18/453251.aspx
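An added example (not from the workshop deck or the linked script) of auditing who effectively holds the “Mailbox Import Export” role, granting it through one dedicated role group, and checking whether MyDistributionGroups is in the default role assignment policy. The account name, the role group name and the approved list are hypothetical.

```powershell
# Run in the Exchange 2010 Management Shell (PowerShell 2.0 compatible).
$role     = 'Mailbox Import Export'
$approved = @('svc-export')              # hypothetical: accounts allowed to export mailboxes
$group    = 'Mailbox Export Operators'   # hypothetical role group name

# 1. Effective holders: -GetEffectiveUsers expands role groups and security
#    groups into the individual accounts that end up with the role.
$holders = Get-ManagementRoleAssignment -Role $role -GetEffectiveUsers |
    Where-Object { $_.EffectiveUserName -ne 'All Group Members' }

# 2. Anyone holding the role who is not on the approved list needs review.
$unexpected = $holders | Where-Object { $approved -notcontains $_.EffectiveUserName }
$unexpected | Format-Table EffectiveUserName, RoleAssigneeName, AssignmentMethod -AutoSize

# 3. Grant the role through one dedicated role group instead of assigning it
#    to Organization Management or to individual users.
if (-not (Get-RoleGroup -Identity $group -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $group -Roles $role -Members $approved `
        -Description 'Members may run Export-Mailbox and Import-Mailbox'
}

# 4. Outlook group management: is MyDistributionGroups in the default policy?
$policy = 'Default Role Assignment Policy'
$dg = Get-ManagementRoleAssignment -Role 'MyDistributionGroups' -RoleAssignee $policy
if ($dg) { "MyDistributionGroups is assigned to '$policy'" }
else     { "MyDistributionGroups is not assigned to '$policy'" }

# To enable:  New-ManagementRoleAssignment -Role MyDistributionGroups -Policy $policy
# To disable: $dg | Remove-ManagementRoleAssignment
```

Re-running steps 1 and 2 on a schedule shows when the mailbox export right has spread beyond the dedicated group.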

Lab 7: Additional Transition Tasks

Description
This lab contains the main additional transition tasks which need to be fulfilled for a successful migration

Questions?

Appendix

Appendix – OWA Transition (1)

Appendix – OWA Transition (2)

Appendix – OWA Transition (3)

Namespaces and URLs

mail.contoso.com
E2003
• Outlook Web Access: /exchange, /exchweb, /public
• Exchange ActiveSync: /microsoft-server-activesync
• Outlook Anywhere: /rpc
• POP/IMAP
• Outlook Mobile Access: /oma
E2007 updates
• Outlook Web Access: /owa
• Exchange Web Services: /ews
• Offline Address Book: /oab
• Unified Messaging: /unifiedmessaging
• Outlook Mobile Access: /oma
E2010 updates
• Outlook Web Access: Outlook Web App
• Exchange Control Panel: /ecp
• Unified Messaging: /unifiedmessaging
• Note: the legacy vdirs will provide a 301 redirect experience to /owa

smtp.contoso.com
• Clients / SMTP servers
autodiscover.contoso.com
• Autodiscover: /autodiscover
legacy.contoso.com
• E2003/E2007 services

Upgrade in a Nutshell

Upgrade Internet facing sites first
Upgrade Internal sites second

1. Upgrade existing servers to SP2
2. Deploy E2010 servers
• CAS first; MBX last
• Start with a few
• Gradually add more servers
3. ‘Legacy’ hostname for old FE/CAS
• SSL cert purchase
• End Users don’t see this hostname
• Used when Autodiscover and redirection from CAS2010 tell clients to talk to FE2003/CAS2007 for MBX2003/MBX2007 access
4. Move
• Internet hostnames to CAS2010 as you move mailboxes
• UM phone number to UM2010
• SMTP end point to HUB2010
5. Move Mailboxes
6. Decommission old servers

[Diagram labels: Internet; Internet facing AD Site; Internal AD Site; https://autodiscover.contoso.com; https://mail.contoso.com; https://legacy.contoso.com; CAS-CAS proxy; CAS, HUB, UM, MBX 2010; CAS, HUB, UM, MBX; FE, BE, CAS, HUB, UM, and MBX 2003 or 2007]

Switching to CAS 2010 – Preparation (1)
E2003/E2007 → E2010

1. Obtain and deploy a new certificate that includes the required host name values
a. mail.contoso.com
b. autodiscover.contoso.com
c. legacy.contoso.com
2. Upgrade all Exchange servers to Service Pack 2
a. Enable Integrated Windows Authentication on Exchange 2003 MSAS virtual directory (KB 937031)
3. Install and configure CAS2010 servers
a. Configure InternalURLs and ExternalURLs
b. Enable Outlook Anywhere
c. Configure the Exchange2003URL parameter to be https://legacy.contoso.com/exchange

Switching to CAS 2010 – Preparation (2)
E2003/E2007 → E2010

4. Join CAS2010 to a load balanced array
a. Create CAS2010 RPC Client Access Service array
b. Ensure MAPI RPC and HTTPS ports are load balanced
5. Install HUB2010 and MBX2010 servers
a. Configure routing coexistence
b. Configure OAB web-based distribution
6. Create Legacy record in DNS (internal/external)
7. Create Legacy publishing rules in your reverse proxy/firewall solution pointed to FE2003 / CAS2007 array
8. Use ExRCA to verify connectivity for Legacy namespace
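An added example (not from the workshop deck) that checks preparation steps 1 and 3 from the Exchange Management Shell: the IIS certificate on a CAS2010 server must cover all three host names, and the OWA virtual directory must carry the legacy redirect URL. The server name and the 30-day expiry margin are assumptions.

```powershell
# Run in the Exchange 2010 Management Shell (PowerShell 2.0 compatible).
$cas      = 'CAS2010-01'    # hypothetical server name
$required = 'mail.contoso.com', 'autodiscover.contoso.com', 'legacy.contoso.com'

# True when $name is on the certificate, either literally or through a
# single-label wildcard entry such as *.contoso.com.
function Test-NameCovered($name, $certNames) {
    foreach ($n in $certNames) {
        if ($n -eq $name) { return $true }
        if ($n.StartsWith('*.') -and
            $name.Split('.').Count -eq $n.Split('.').Count -and
            $name.EndsWith($n.Substring(1))) { return $true }
    }
    return $false
}

# Step 1: every certificate enabled for IIS must cover all required names
# and must not expire within the (assumed) 30-day margin.
$report = Get-ExchangeCertificate -Server $cas |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object {
        $cert    = $_
        $names   = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })
        $missing = @($required | Where-Object { -not (Test-NameCovered $_ $names) })
        New-Object PSObject -Property @{
            Thumbprint   = $cert.Thumbprint
            NotAfter     = $cert.NotAfter
            ExpiresSoon  = ($cert.NotAfter -lt (Get-Date).AddDays(30))
            MissingNames = ($missing -join ', ')
        }
    }
$report | Format-List

# Step 3c: point OWA redirection for Exchange 2003 mailboxes at the legacy
# name, then read it back together with the URLs from step 3a.
Set-OwaVirtualDirectory -Identity "$cas\owa (Default Web Site)" `
    -Exchange2003Url 'https://legacy.contoso.com/exchange'
Get-OwaVirtualDirectory -Server $cas |
    Format-List Identity, InternalUrl, ExternalUrl, Exchange2003Url
```

A non-empty MissingNames value means clients redirected to that host name will get a certificate name mismatch after the switchover.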

Switching to CAS2010 – The Switchover
E2003/E2007 → E2010

The switchover involves a minor service interruption

1. Update internal DNS and have Mail and Autodiscover point to CAS2010 array
2. Update/Create Autodiscover publishing rule and point to CAS2010 array
3. Update Mail publishing rules and point to CAS2010 array
a. Remember to update paths with new Exchange 2010 specific virtual directories
4. Reconfigure CAS2007 URLs to now utilize Legacy namespace
5. Disable Outlook Anywhere on legacy Exchange
6. Test that CAS2010 is redirecting/proxying to CAS2007 (externally and internally)

[Diagram labels: autodiscover…, legacy…, mail…; ISA; E2010; E200x SP2 CAS+HUB+MBX. 1: Clients access E2010 through Autodiscover… and mail…. 2: Redirection (legacy…), proxying and direct access to E2003/E2007]

E2003/E2007 → E2010

Clients access CAS2010 first

Four different things happen for E2003/E2007 mailboxes
1. Autodiscover tells clients to talk to CAS2007
2. HTTP redirect to FE2003 or CAS2007
3. Proxying of requests from CAS2010 to CAS2007
4. Direct CAS2010 support for the service against BE2003 and MBX2007

CAS2010 Service: E2003/E2007 mailbox treatment
OWA
• E2003: Single Sign-On FBA Redirect
• E2007 Same AD Site: SSO FBA Redirect
• E2007 Externally Facing AD Site: Manual Redirect
• E2007 Internally Facing AD Site: Proxy
EAS
• E2007: Autodiscover & redirect (WM6.1 and newer), Proxying (WM6 and older, all non-Microsoft)
• E2003: Direct CAS2010 support.
• Clients which use new EAS2010 features need to re-sync
Outlook Anywhere & OAB
• Direct CAS2010 support
Autodiscover
• Direct CAS2010 support
EWS
• Autodiscover
POP/IMAP
• E2007: Proxy
• E2003: Direct CAS2010 support

Transitioning EAS in an Exchange 2003 Environment to Exchange 2010
E2003 → E2010

[Diagram labels: WM 6.1+ (E2K3 User4), WM5/6 (E2K3 User5), WM5/6/6.1+ (E2K3 User6); Internet Facing AD Site; Non-Internet Facing AD Site; CAS2010; FE2003 SP2; MBX 2003; MBX 2010; connections labelled HTTPS, HTTP and Encrypted RPC (MAPI)]

EAS ExternalURL: https://mail.contoso.com

Transitioning EAS in an Exchange 2007 Environment to Exchange 2010
E2007 → E2010

[Diagram labels: WM 6.1+ (E2K7 User3), WM5/6 (E2K7 User1), WM5/6/6.1+ (E2K7 User2); Internet Facing AD Site; Non-Internet Facing AD Site; CAS2010; CAS2007 SP2 (two servers); MBX 2007; MBX 2010; connections labelled HTTPS and Encrypted RPC (MAPI)]

EAS ExternalURL values shown: $null, https://legacy.contoso.com, https://mail.contoso.com

What happens when mailbox is moved to E2010?

For the Autodiscover case:
• User3’s device is already configured to use the namespace legacy.contoso.com.
• User3’s device attempts to synchronize.
• CAS2007 will authenticate the user and access Active Directory and retrieve the following information:
o User’s mailbox version
o User’s mailbox location (AD Site)
o The EAS virtual directory ExternalURL of the Client Access Server(s) that matches the mailbox version, located within the mailbox’s AD site
• Since the user’s mailbox version is now greater than the CAS2007 version, CAS2007 must either respond with a 403 or 451 response code. Since the ActiveSync protocol version of User3’s device is 12.1 or later, the device supports Autodiscover. Therefore, CAS2007 will return a response (HTTP error code 451) indicating that the device should use mail.contoso.com namespace for all synchronization events.
• The device updates its profile to use mail.contoso.com and attempts to synchronize with mail.contoso.com.
• CAS2010 will authenticate the user and retrieve and render the mailbox data from the Exchange 2010 mailbox server and will provide the rendered data back to the device.

What happens when mailbox is moved to E2010?

For the legacy device case:
• User1’s device is already configured to use the namespace mail.contoso.com.
• User1’s device attempts to synchronize.
• CAS2010 will authenticate the user and access Active Directory and retrieve the following information:
o User’s mailbox version
o User’s mailbox location (AD Site)
o The EAS virtual directory ExternalURL of the Client Access Server(s) that matches the mailbox version, located within the mailbox’s AD site
o The EAS virtual directory InternalURL of the Client Access Server(s) that matches the mailbox version, located within the mailbox’s AD site
• Because the device does not support Autodiscover (protocol version is less than 12.1), prior to the mailbox move, CAS2010 simply proxies the ActiveSync traffic to CAS2007. Now that the mailbox is moved, CAS2010 simply retrieves and renders the mailbox data from the Exchange 2010 mailbox server.
• CAS2010 will expose the data to the end user.

Forcing Full Sync on EAS Protocol Upgrades

Full Sync after Move-Mailbox depends on Version

Rows: Previous Protocol Version. Columns: Final Protocol Version.

Previous   2.1        2.5        12.0        12.1        14.0
2.0        Seamless   Seamless   Force SK0   Force SK0   Force SK0
2.1        N/A        Seamless   Force SK0   Force SK0   Force SK0
2.5        N/A        N/A        Force SK0   Force SK0   Force SK0
12.0       N/A        N/A        N/A         Seamless    Force SK0
12.1       N/A        N/A        N/A         N/A         Force SK0

Terms of Use

© 2010 Microsoft Corporation. All rights reserved.


Information in this document, including URL and other Internet Web site references, is subject to change without notice.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people,
places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain
name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright
laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced,
stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
For more information see Microsoft Copyright Permissions at http://www.microsoft.com/permission
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject
matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this
document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
The Microsoft company name and Microsoft products mentioned herein may be either registered trademarks or trademarks of
Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned
herein may be the trademarks of their respective owners.
THIS DOCUMENT IS FOR INFORMATIONAL AND TRAINING PURPOSES ONLY AND IS PROVIDED "AS IS" WITHOUT
WARRANTY OF ANY KIND, WHETHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT.
